More Than Meets the Eye – FireEye, Cylance and Kaspersky have all begun to issue their reports on BadRabbit, and some surprising points have been discovered. The ransomware skips encryption if it detects Dr. Web anti-virus software or some McAfee products, most likely because of the way Dr. Web and McAfee protect the master boot record of the devices they are installed on. This is the first sign that BadRabbit may not be the straightforward criminal ransomware spawn of NotPetya that we were all happy to believe. Kaspersky also revealed that some lucky victims will be able to recover files locked by the ransomware thanks to a small operational mistake by the authors of BadRabbit: apparently it doesn’t delete shadow volume copies, a Windows technology that creates snapshots of files while they are in use. This does not guarantee recovery for every user, but it will allow some to get their files back, as shadow copies are copies of the original files kept on disk for an undetermined period of time depending on available free space.
The second flaw relates to the decryption passwords and is not as easy to exploit as the first. BadRabbit works by encrypting the victim’s files, encrypting the Master File Table and replacing the Master Boot Record with a custom boot screen. The custom boot screen presents a personal installation key value, which the victim must enter on a Tor site after paying the ransom in order to receive the decryption password. Kaspersky were able to extract that password during a debugging session and bypass the custom boot loader. However, the files themselves remain encrypted; a similar flaw was found in the WannaCry ransomware.
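For the shadow-copy recovery flaw described above, here is an added PowerShell example (not from the original post or from any of the vendor reports) that lists the Volume Shadow Copies present on a host and restores a single file from the newest one; the file path, destination folder and mount point are placeholder assumptions.

```powershell
# Added example (not from the post or any vendor report): inventory Volume Shadow Copies
# and pull one file back from the newest snapshot. Run in an elevated PowerShell session.
# Placeholders: the file to recover (relative to the volume root), the output folder and
# the directory link used to reach the snapshot.
$relativePath = "Users\victim\Documents\report.docx"   # placeholder
$outDir       = "C:\Recovered"                          # placeholder
$mountPoint   = "C:\ShadowMount"                        # placeholder

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
           Sort-Object -Property InstallDate -Descending
if (-not $shadows) {
    Write-Warning "No shadow copies present; nothing to recover from on this host."
    return
}

# Show what exists. This example takes the newest snapshot; in a real case pick one
# whose InstallDate predates the infection.
$shadows | Format-Table InstallDate, VolumeName, DeviceObject -AutoSize
$newest = $shadows | Select-Object -First 1

# DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3 ; the trailing
# backslash on the mklink target is required for the link to resolve.
if (-not (Test-Path -LiteralPath $mountPoint)) {
    cmd.exe /c mklink /d $mountPoint "$($newest.DeviceObject)\" | Out-Null
}
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
Copy-Item -LiteralPath (Join-Path $mountPoint $relativePath) -Destination $outDir

# Remove the directory link when done (the link only, the snapshot is untouched).
cmd.exe /c rmdir $mountPoint
```

An empty listing is itself a useful finding, since most ransomware families remove shadow copies before encrypting and BadRabbit's failure to do so is the whole reason this recovery works.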
The Computers are Getting Smarter – A team of four computer scientists from the University of Maryland have developed a new automated system that can break Google’s reCAPTCHA challenge with an accuracy of 85%. Dubbed unCAPTCHA, it targets the audio version of the challenge that Google has added rather than the image-based tests. unCAPTCHA downloads the audio puzzle and feeds it to six speech-to-text systems, aggregates the results and feeds the most likely answer back to Google’s servers. This is not the first time reCAPTCHA puzzles have been broken: ‘ReBreakCaptcha’ did the same thing in March this year, and it was announced last week that an AI bot that works similarly to the human eye can break various CAPTCHA systems with high accuracy.
Should we Fear the Reaper? – As we reported last week, the Reaper botnet is not as large as first thought. Currently at around 20,000 – 30,000 bots in total according to most security researchers, it has the potential to rise to nearly two million, but so far its makers have not subsumed these identified nodes. Yet, I may add. So far the botnet remains quiet, with researchers seeing signs of amateur missteps by the developers of Reaper. The main theory is still that the botnet is being built for use as a booter/stresser service primarily serving the intra-China DDoS-for-hire market. Reaper appears to be a product of the Chinese criminal underground; some of the general Reaper code is based on the Mirai IoT malware, but it is not an outright Mirai clone. Again, we are left to wait and see which direction the botnet takes.