Monday, May 6, 2019

AND WE FOUND A NEW RANSOMWARE!!!

TODARIUS


Hi, it’s been a while, hope you are all doing well. 💓

So today’s article is about a new ransomware. 😱

Yes. We found a new one. Todarius is its name.

Let’s look into this with more information.


First of all, what is this TODARIUS?

It’s a crypto virus. Crypto viruses are among the most malignant and problematic forms of malware you can be attacked with. Its main objective is to encrypt your files, which allows the people behind it to blackmail you for access to the encrypted data. If you do not have any important or valuable files stored on your computer, a ransomware crypto virus attack may not be such a huge issue. However, most of us have at least a small amount of important data on our personal computers, don’t we?


How does it infect my computer, and what does it do?

Simply put, it encrypts all of your files. 🙂
It is currently unconfirmed exactly how this malware spreads. However, this ransomware often infects through emails carrying malicious attachments or web links. The main idea behind them is to get users to download and execute files or click on the link. The emails are made to look like a legitimate kind of message whose purpose is something important. The attachment can pose as an invoice, a receipt or another important document.
Another form of distribution probably used by this ransomware is third-party software download sources, fake software updaters/cracks and Trojans. Freeware download websites, free file hosting sites, peer-to-peer (P2P) networks and other unofficial download sources present malware as legitimate software. This way users get tricked into downloading and installing the malware manually, by themselves.


When the ransomware encrypts files, it searches for the most commonly used file types to encode. The encrypted files are usually documents, videos, images, audio and other common file formats. Encrypted files contain bytes of your data that have been changed to the point that the files can no longer be opened. The data is encrypted using an advanced cipher, and only the matching decryption key can reverse it. The files also get the .todarius extension appended and begin to appear like this:


When Todarius ransomware arrives on your computer, it can be recognized by the _readme.txt file it drops, which contains the following text:

Readme message after the encryption
Once on your PC, STOP ransomware may drop its payload files in the following Windows directories:
  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

Once the files are dropped on the victim's computer, the ransomware could perform the following malicious activities:
  1. Create mutexes.
  2. Check whether it is running on a real PC or in a virtual environment.
  3. Scan for files to encrypt.
  4. Create registry entries.
  5. Obtain system information from your computer.

The ransom payment – is it worth paying for?

In general, the way users first learn about the presence of ransomware on their systems, and about the demand for money issued by the hackers, is a banner that appears on their screen. This banner is shown immediately after file encryption finishes; before that, you cannot see any actual symptoms of infection. The message usually states that the victim must make the payment within a specific period of time, usually two days. Detailed instructions are usually provided explaining how to pay. The usual condition is that the payment is made in Bitcoin (or a similar cryptocurrency).

If you are currently in this horrible situation and are wondering whether it is really a good idea to pay, know that sending your money will not guarantee the unlocking of the encrypted data, because nothing guarantees that the hackers keep their word. Therefore removing the ransomware is the best solution.


How to remove it? 

  1. Press Ctrl + Shift + Esc to open Task Manager. Go to the Processes tab (Details on Windows 8/10). Carefully look through the list of processes currently active on your PC. If any of them seems shady, consumes too much RAM/CPU, or has a strange description or no description at all, right-click it, select Open File Location and delete everything there. Even if you do not delete the files, be sure to stop the process by right-clicking it and selecting End Process.



  2. Open the Start Menu and type msconfig. If you see any sketchy or shady-looking entries in the list with an unknown manufacturer, or a manufacturer name that looks suspicious, there could be a link between them and .Todarius: disable those programs and select OK.





  3. Open Regedit and search (Ctrl+F) for anything named TODARIUS. If anything is found, delete it.

  4. Type each of the following locations in the Windows search box and hit Enter to open them:
  • %AppData%
  • %LocalAppData%
  • %ProgramData%
  • %WinDir%
  • %Temp%


Delete everything you see in Temp that is linked to the .Todarius ransomware. For the other folders, sort their contents by date and delete only the most recent entries.

However, these solutions may not work in every situation.
Since this is a very recent ransomware, a clear solution has not yet been deployed. 😕

But you can always refer to the internet for more details, and hopefully a solution will emerge that removes this nasty ransomware completely.
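Before deleting anything in the folders from step 4, it helps to see what is actually there. The script below is an added example written for this page, not code from the original post or from any vendor: it walks the folders named in the removal steps (or any paths you pass), reports files carrying the .todarius extension and _readme.txt ransom notes from the description above, and lists the most recently modified files per folder, which is what the "sort by date" step asks you to look at. It only reports; it never deletes. The sample tree it builds for the dry run is constructed.

```python
"""Read-only triage helper for the Todarius indicators described in the post
(added example, not code from the original post)."""
import os
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path

RANSOM_NOTE = "_readme.txt"     # note name given in the post
ENCRYPTED_EXT = ".todarius"     # extension appended by the ransomware

# Folders from the post's removal step 4, resolved from the environment.
# Variables missing on a non-Windows analyst box are simply skipped.
DEFAULT_ENV_DIRS = ("APPDATA", "LOCALAPPDATA", "PROGRAMDATA", "WINDIR", "TEMP")


@dataclass
class TriageReport:
    encrypted: list = field(default_factory=list)   # paths ending in .todarius
    notes: list = field(default_factory=list)       # ransom note paths
    recent: dict = field(default_factory=dict)      # folder -> newest files


def resolve_default_dirs():
    return [Path(os.environ[v]) for v in DEFAULT_ENV_DIRS if v in os.environ]


def triage(dirs, recent_hours=48, top_n=10):
    """Walk each directory, collect indicators and the newest files. Read-only."""
    report = TriageReport()
    cutoff = time.time() - recent_hours * 3600
    for root in map(Path, dirs):
        if not root.is_dir():
            continue
        newest = []
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                path = Path(dirpath) / name
                if name.lower() == RANSOM_NOTE:
                    report.notes.append(str(path))
                if path.suffix.lower() == ENCRYPTED_EXT:
                    report.encrypted.append(str(path))
                try:
                    mtime = path.stat().st_mtime
                except OSError:
                    continue  # file vanished or unreadable; skip it
                if mtime >= cutoff:
                    newest.append((mtime, str(path)))
        newest.sort(reverse=True)  # most recently modified first
        report.recent[str(root)] = [p for _, p in newest[:top_n]]
    return report


def build_sample_tree(base):
    """Constructed sample data: one encrypted file, one ransom note, one clean file."""
    base = Path(base)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    (base / "docs" / "thesis.docx.todarius").write_bytes(b"\x00" * 16)
    (base / "docs" / RANSOM_NOTE).write_text("ATTENTION! (constructed sample note)\n")
    (base / "docs" / "notes.txt").write_text("untouched\n")
    return base


def dry_run():
    """Run the triage over the constructed tree in a temp dir and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage([build_sample_tree(tmp)])


if __name__ == "__main__":
    # On a real Windows box: triage(resolve_default_dirs())
    r = dry_run()
    print("encrypted:", r.encrypted)
    print("ransom notes:", r.notes)
    for folder, files in r.recent.items():
        print("recent in", folder, "->", files)
```

On the infected machine you would call `triage(resolve_default_dirs())` and review the output before touching the folders; anything with the .todarius extension is a victim file, not the malware itself, and should be kept for a possible future decryptor rather than deleted.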

Until then 🙋

Oh! Almost forgot to tell you. If you search for this on the internet you'll find various solutions saying 'install this and that if you want to remove this ransomware completely'. But my friend, most of those solutions do not work (sad reacts only 😒). So please don't get caught by these false products; moreover, use the internet carefully these days and always check whether your anti-virus is up to date. Happy browsing, peeps. 👏👏

Cheers!
Keep up the good work 💋



Saturday, December 1, 2018

Fed up on Encryption?

As we all know, encryption is a hectic process. We have to maintain a key for both encrypting and decrypting, and if we lose the key there is no way to turn the ciphertext back into plaintext; encrypting is also costly. Therefore encryption is known as a bit of chaotic work, even though the security is high. Because of these drawbacks, people tend to use this method only for critical information.
What is data encryption? 
Data encryption translates data into another form, or code, so that only people with access to a secret key or password can read it. Encrypted data is commonly referred to as ciphertext. All encryption algorithms are reversible.
As we know, there are two types of encryption: symmetric-key encryption and asymmetric-key encryption. I’m not going to go into detail about encryption algorithms here.
In the real world, it’s not impossible to break an encryption key. Using a brute-force attack, we can try all possible key combinations and break the encryption algorithm. It is the key size that makes breaking the algorithm harder. Algorithms such as RSA and AES are considered more secure; in contrast, DES and 3DES are easy to break.
Disadvantages of encryption
  1. Need to maintain a key.
  2. What if the key is forgotten or stolen?
  3. It needs cooperation.
What is data masking?


                                                               
Fig [2] – Masking vs. Encryption
Data masking is a method of creating a structurally similar but inauthentic version of a particular data set. Here it is not necessary to reconstruct the original data from any intermediate data. For encryption, being reversible is a must, but for data masking reversing is hard (not possible). If a masking algorithm is reversible, it is considered a weak algorithm. From the data-security point of view, the best masking solution is random generation, since it is independent of the original data.
Some erroneously identify encryption and data masking as the same thing. Data masking and encryption are two precisely different processes, though both are designed to ensure data protection.
Compared to encryption, masking is an easy process. It does not encrypt data; we can see the data in its local format. It just replaces some of the information. Even though the best ciphers may be cracked someday, masked data cannot be unmasked. That makes it totally useless to an attacker and totally safe for the consumer.
Conclusion
  • If the data is critical and important, we can use encryption.
  • If it’s production data in a test environment, where the genuine data is worthless, then it’s better to go with masking.
  • However, efficiency-wise, masking wins.
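The contrast above (reversible with a key versus structure-preserving and not reversible) is easiest to see side by side. The block below is an added example for this page, not code from the original post. The keyed stream cipher in it is a teaching illustration built from HMAC-SHA256 so that it runs with the standard library alone (it is not a production cipher; use AES from a vetted library for real data); the masking routine replaces each character with a random one of the same class, which is the "random generation" approach the post recommends, and the sample record is constructed.

```python
"""Encryption (reversible with a key) versus masking (not reversible) side by side.
Added example, not code from the original post; the cipher is illustrative only."""
import hashlib
import hmac
import secrets
import string
from random import Random


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Fresh random nonce per message, prepended so decrypt can rebuild the keystream."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Only the holder of the same key gets the plaintext back; a wrong key yields noise."""
    nonce, body = ciphertext[:16], ciphertext[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def mask(value: str, rng=None) -> str:
    """Random generation: digits become random digits, letters random letters of the
    same case; punctuation and spaces are kept so the shape survives. Nothing derived
    from the original character is stored, so there is no way back."""
    rng = rng or secrets.SystemRandom()
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(rng.choice(string.digits))
        elif ch.isupper():
            out.append(rng.choice(string.ascii_uppercase))
        elif ch.islower():
            out.append(rng.choice(string.ascii_lowercase))
        else:
            out.append(ch)
    return "".join(out)


def shape(value: str) -> str:
    """'9' for digits, 'A'/'a' for letters, the character itself otherwise."""
    return "".join(
        "9" if c.isdigit() else "A" if c.isupper() else "a" if c.islower() else c
        for c in value
    )


def demo(seed=None):
    """Run both transforms over a constructed record and report the properties."""
    record = "John Smith, card 4111-1111-1111-1111, NIC 199012345678"  # constructed
    key = secrets.token_bytes(32)
    ct = encrypt(record.encode(), key)
    masked = mask(record, Random(seed) if seed is not None else None)
    return {
        "round_trip_ok": decrypt(ct, key).decode() == record,
        "wrong_key_recovers": decrypt(ct, secrets.token_bytes(32)) == record.encode(),
        "masked": masked,
        "shape_preserved": shape(masked) == shape(record),
        "masked_differs": masked != record,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The masked record still looks like a name, a card number and an ID number, so test code and validators keep working, yet no key exists anywhere that could turn it back into the real values; the encrypted record is opaque bytes that come back intact only for the key holder, which is exactly the key-management burden the disadvantages list describes.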




Tuesday, August 28, 2018

Incognito is not very Incognito

Hi There!!!

So today's post is about a habit of all of us: surfing in incognito mode 🙊🙊🙊

Almost all of us use incognito mode to search for stuff we don't want kept in our history 😉

But porn isn't the only reason you may want to cover yourself up when searching for information. Perhaps you want information about a medical condition, and you don't want it to pop up later on the family PC. Maybe you're shopping for a surprise gift and you don't want anyone to find out what you are up to. When it comes to booking tickets online, you may find rather cheap prices compared to a normal browser, because when you browse through normal search engines they track your interests, remember what you've searched for, and try to manipulate prices based on your interests. So, using incognito mode is safe during these kinds of activities.

When using Incognito mode, your browser history won't be saved, and when the Incognito window is closed, all the cookies created during that session are deleted too.


But have you ever thought about whether incognito mode is actually safe, and whether it makes you invisible in cyberspace? 🤔🤔

Actually, the answer is NO 😔. We'll see how it works.

So, as we all know, a normal web browser stores your browsing history and cookies, and it also saves your download history, searches entered into the address bar, passwords, and pieces of web pages so they load faster in the future (the cache).

Then there is something called supercookies. Some websites use these to track you.

Super Cookie 
A supercookie is a type of browser cookie that is designed to be permanently stored on a user’s computer. Supercookies are generally more difficult for users to detect and remove from their devices because they cannot be deleted in the same fashion as regular cookies. 

[https://www.techopedia.com/definition/27310/super-cookie]

Porn websites use these supercookies to keep track of you. When you return to a particular website you visited before, they can get the user's entire history between the two visits.

Try logging into your email in an incognito tab. You can see data like your username and password filled in despite Incognito mode.


Incognito mode does not hide your IP address, so information such as your location, your browser, your operating system and even your physical address might still be visible to the public. Even your ISP (Internet Service Provider) can track you and monitor all your activities, and if you are using devices from your workplace, your employer is certainly capable of tracking you. As an example, Facebooking at work in incognito mode when you're not supposed to be on Facebook isn't hiding your activity. Your employer can still log you. So sad! 👦

So, if you want actual security, the recommended method is using the Tor Browser or a VPN. You can also encrypt your data to be sure that what goes through your VPN or Tor is secured.

Download the Tor Browser from here -> https://www.torproject.org/projects/torbrowser.html.en
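The point that incognito mode changes only what the browser stores locally, not what the other end receives, can be shown without any browser at all. The block below is an added example for this page, not code from the original post: it starts a throwaway HTTP server on localhost, sends it one request with urllib standing in for the browser (the User-Agent string is a constructed value), and returns the entry the server logged, which carries the client IP, the requested path and the headers that identify browser and operating system. An ISP, employer proxy or website sees the same fields whether or not the window was private.

```python
"""What a web server still records regardless of the browser's private mode.
Added example, not from the original post; the server and request are local."""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SEEN = []  # entries the server logged, newest last


class LoggingHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # This is the server-side view: nothing here depends on incognito mode.
        SEEN.append({
            "client_ip": self.client_address[0],
            "path": self.path,
            "user_agent": self.headers.get("User-Agent", ""),
            "accept_language": self.headers.get("Accept-Language", ""),
        })
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet; we record to SEEN instead


def what_the_server_sees(
    user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) ConstructedUA/1.0",  # constructed
):
    """Serve one request on a random free localhost port and return what was logged."""
    server = HTTPServer(("127.0.0.1", 0), LoggingHandler)  # port 0: pick a free port
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        req = urllib.request.Request(
            f"http://127.0.0.1:{port}/search?q=medical+condition",
            headers={"User-Agent": user_agent, "Accept-Language": "en-US"},
        )
        with urllib.request.urlopen(req, timeout=5) as resp:
            resp.read()
    finally:
        server.shutdown()
        server.server_close()
    return SEEN[-1]


if __name__ == "__main__":
    for k, v in what_the_server_sees().items():
        print(f"{k}: {v}")
```

The query string is in the logged path, the operating system is in the User-Agent, and the client IP is whatever address the connection came from; Tor or a VPN changes that last field because the server then sees the exit node or VPN endpoint instead of you, which is why the post recommends them rather than incognito mode.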

References

https://www.hotspotshield.com/resources/can-ip-addresses-be-tracked-in-incognito-mode
https://secureswissdata.com/incognito-mode-safe/


Since I'm still an undergraduate who's learning stuff please do let me know if there are any mistakes I've made in my post. 😁😁

Friday, July 6, 2018

Exploit Metasploitable 2 using Oracle Linux

Normally, for exploitation work, we use Kali Linux.

For exploitation we need tools like Nmap, Nessus, PostgreSQL and msfconsole. In Kali, PostgreSQL and msfconsole come pre-installed.

But when we use other OSs like Oracle Linux or Fedora, we need to install those tools first.
In this post, I'm going to show you how to install PostgreSQL and msfconsole on Oracle Linux and exploit the Metasploitable 2 Linux VM. 💁

What is PostgreSQL?

PostgreSQL, often simply Postgres, is an object-relational database management system (ORDBMS) with an emphasis on extensibility and standards compliance. As a database server, its primary functions are to store data securely and return that data in response to requests from other software applications. It can handle workloads ranging from small single-machine applications to large Internet-facing applications (or for data warehousing) with many concurrent users; on macOS Server, PostgreSQL is the default database; and it is also available for Microsoft Windows and Linux (supplied in most distributions).

What is Msfconsole?

The msfconsole is probably the most popular interface to the Metasploit Framework (MSF). It provides an “all-in-one” centralized console and allows you efficient access to virtually all of the options available in the MSF. msfconsole may seem intimidating at first, but once you learn the syntax of the commands you will learn to appreciate the power of utilizing this interface.



As you can see, the PostgreSQL service is not installed on Oracle Linux.

So let's begin the installation.




1) Install PostgreSQL -> done!

yum install postgresql-server



As you can see, we get an error saying "failed to start PostgreSQL database server".

To avoid this problem we need to start the PostgreSQL service first.



Now service is successfully running.

2)Start the PostgreSQL service. -> Done!

systemctl start postgresql
systemctl status postgresql


3)Enable the PostgreSQL service. -> Done!

Now we need to install the MSF on Oracle Linux.



4) Install MSF -> Done!

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall

This installer also adds the Rapid7 repository and installs the Metasploit Framework package.






We have successfully installed the MSF.



Now you can run msfconsole on Oracle Linux.

After that, you can exploit the system in the same way as in Kali Linux.

Here I used the vsftpd backdoor vulnerability.








  • In this link, you can find out how to exploit Metasploitable 2 using Kali Linux.

https://www.hackingtutorials.org/metasploit-tutorials/exploiting-vsftpd-metasploitable/

Other Useful Links

https://metasploit.help.rapid7.com/docs/installing-the-metasploit-framework


Friday, June 22, 2018

Bad Rabbit Ransomware Attack

Bad Rabbit is a ransomware attack that spread mainly in Russia in 2017. It particularly targeted organizations and consumers, and it fell on media outlets in the country. Servers were down during this time due to the attack. It encrypts the end device’s files and demands a payment to decrypt them. Specifically, the malware operators asked for 0.05 BTC to decrypt the affected files. This ransomware used the DiskCryptor software to encrypt files on attacked computers.

This was distributed using drive-by attacks.

Drive-by attacks
Drive-by attacks inject malicious code into the HTML or PHP code of a page on an insecure website. This can install malware directly onto the end device.

How to Detect the Ransomware

It used a fake Adobe Flash installer served while the end user visited an insecure website. The victim has to execute the malware unwittingly on the end device. After that, the malware can self-propagate across the network. In Ukraine, Bad Rabbit attacked core transport infrastructure. There were delays at Odessa airport because all passenger details had to be processed manually, and it also affected subway systems through payment delays on customer service terminals.

After the dropper has been installed, the files are encrypted and the message above is displayed on the screen of the end device. It directs the user to a particular website. The victim is then warned with a countdown of the time within which he should pay the asked price to get the key to decrypt the files.

How the exploitation happens

Bad Rabbit exploitation is done using the EternalRomance RCE exploit. This method takes advantage of a flaw in Microsoft’s Windows Server Message Block (SMB) protocol. Through it, the malware can transfer data between connected computers and thereby achieve remote code execution. It also has code that allows remote attackers to propagate easily from an infected computer to another. Bad Rabbit can abuse both the Windows Management Instrumentation Command-line (WMIC) and Server Message Block.

As mentioned earlier, the malicious dropper needs to be manually executed by the end user. After that, a malicious DLL (Dynamic Link Library) is saved as ‘infpub.dat’. It then installs the malicious file ‘dispci.exe’ into Windows and creates a task to launch the ransomware; it also finds the invaded computer’s data files and encrypts them using a public RSA-2048 key. In addition, it installs a modified bootloader on the victim’s computer to prevent it from running the normal boot process. The DiskCryptor driver ‘dcrypt.sys’ encrypts the partitions of the infected computer’s disk using the AES cipher in XTS mode.

How to Prevent the ransomware

  • Keep the system’s antivirus software up to date (if the system does not have one installed, install one first).
  • Avoid downloading or executing any updates offered for Adobe Flash by third parties, because the source of this ransomware lies in fake Adobe Flash updates. Make sure to download Adobe updates and software directly from Adobe.
  • As a safeguard, make sure to back up all the data in the system (regularly).
  • Use a web filtering mechanism to block malicious sources. Make sure to check received emails twice before opening any attached files. Moreover, implementing multilayered security solutions to avoid receiving such emails is a way of preventing Bad Rabbit.
How to take actions after the attack

  • To stop distribution of this attack over the network, try disabling the WMI service.
  • If the fake Adobe Flash update was accidentally downloaded, avoid executing any files at the paths c:\windows\cscc.dat and c:\windows\infpub.dat. To block execution of these files it is better to use a GPO or another method. The other option is to create dummy files at those paths, i.e. c:\windows\cscc.dat and c:\windows\infpub.dat, on the machine, because the malware checks for the existence of these two files before infecting the system.
  • As mitigation for the SMB vulnerability, US-CERT recommends that users disable SMBv1 and block the SMB-related ports, i.e. 137, 138, 139, 389, 445, 901, and other service-related ports. If an SMB service is needed, it is necessary to use strong passwords and make sure to change them from time to time.
  • In addition, remember not to store credentials in cookies.
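The "create the two files in advance" mitigation from the list above is easy to get subtly wrong (a writable dummy file can simply be overwritten), so it is worth checking the state of those paths rather than assuming it. The script below is an added example for this page, not code from the original post or from any vendor: it classifies c:\windows\cscc.dat and c:\windows\infpub.dat as missing, vaccine (empty and read-only), vaccine-but-writable, or suspicious (non-empty, which is how the real dropper writes infpub.dat), and can create the read-only dummy files. The Windows directory is read from the WINDIR environment variable; any other directory can be passed for a dry run, and the non-empty file in the dry run is a constructed placeholder, not malware.

```python
r"""Check and create the Bad Rabbit dummy ("vaccine") files the post describes.
Added example, not code from the original post. Paths: %WINDIR%\cscc.dat and
%WINDIR%\infpub.dat, taken from the post's mitigation list."""
import os
import stat
import tempfile
from pathlib import Path

VACCINE_FILES = ("cscc.dat", "infpub.dat")   # file names named in the post


def _windows_dir(windows_dir=None) -> Path:
    return Path(windows_dir or os.environ.get("WINDIR", r"C:\Windows"))


def classify(path: Path) -> str:
    """missing / vaccine / vaccine-but-writable / suspicious for one path."""
    if not path.exists():
        return "missing"
    st = path.stat()
    writable = bool(st.st_mode & stat.S_IWUSR)
    if st.st_size == 0 and not writable:
        return "vaccine"
    if st.st_size == 0:
        return "vaccine-but-writable"
    return "suspicious"   # non-empty: the real dropper writes a DLL here


def check(windows_dir=None) -> dict:
    base = _windows_dir(windows_dir)
    return {name: classify(base / name) for name in VACCINE_FILES}


def vaccinate(windows_dir=None) -> dict:
    """Create empty read-only files. An existing non-empty file is left alone:
    it is evidence of a possible infection, not something to overwrite."""
    base = _windows_dir(windows_dir)
    for name in VACCINE_FILES:
        p = base / name
        if p.exists() and p.stat().st_size > 0:
            continue
        p.touch(exist_ok=True)
        p.chmod(stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)   # read-only for everyone
    return check(base)


def dry_run():
    """Constructed scenario in a temp dir: cscc.dat missing, infpub.dat non-empty."""
    with tempfile.TemporaryDirectory() as tmp:
        # Placeholder bytes, not real malware; only the size matters here.
        (Path(tmp) / "infpub.dat").write_bytes(b"PLACEHOLDER" * 4)
        before = check(tmp)
        after = vaccinate(tmp)
        (Path(tmp) / "cscc.dat").chmod(stat.S_IRUSR | stat.S_IWUSR)  # allow cleanup on Windows
        return before, after


if __name__ == "__main__":
    before, after = dry_run()
    print("before:", before)
    print("after: ", after)
    # On a real host (as Administrator): print(check()) or print(vaccinate())
```

A "suspicious" result on a real host means the file should be preserved and the machine treated as possibly infected, not vaccinated over; and the dummy files only stop this dropper's self-check, so they complement, rather than replace, disabling SMBv1 and blocking the ports listed above.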

This particular article was previously done as a survey for a university (SLIIT) by me and another colleague as undergraduates. All the information is genuine and not cited as-is from any website.

Thursday, May 10, 2018

How to use Facebook login on your Website - OAuth 2.0 framework

OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, and DigitalOcean. It works by delegating user authentication to the service that hosts the user account and authorizing third-party applications to access the user account. OAuth 2 provides authorization flows for web and desktop applications, and mobile devices.

[www.digitalocean.com]


This is a sample page that you can use as a test run to log in with Facebook.
When you click the Log In With Facebook button, it redirects you to the Facebook login page.




After that, you will be redirected to Facebook, and it will grab the details that your site requires.


So, as the first step, you need to create an FB app on the https://developers.facebook.com site.







Then you have to complete the settings.

Under the Settings of Facebook Login, you need to provide the redirection URL (Valid OAuth redirect URIs).





You have to provide a valid Site URL under Settings.




You have to mention your redirect URL in the code as well.



Now the app is registered on Facebook. In the Dashboard, you can see the App ID and the App Secret.
After giving the correct details in the settings, your Facebook app can go live.



You have to provide the App ID and the App Secret in your code to access the Facebook app.

Then we need to get the authorization code.

To do that, we need to send an HTTP GET request to the Authorize Endpoint of Facebook, which is https://www.facebook.com/dialog/oauth.

Here I have used:
  • response_type = code
  • client_id (same as App ID) = 2205707049656941 [app ID]
  • redirect_uri = https://generalinternetsecuritystuff.blogspot.com/2018/05/how-to-use-facebook-login-on-your.html
  • scope = public_profile
Sample request

Once you click Continue, Facebook redirects the browser to the redirection URL:


?code=AQCTl2MLMQ38zLqYWbbs8mFj0W99x86yFwvwXL-uihDNsVZ99VH6bse8idIroA7SzUndgEUBsC4_xWz2D0dDPjnWUk6Sr9CJslCFUah5ktOj6dnRUi71AJv2YWmVVBMG6f6w9wazyX5c7vLG-hD5rdFp70tzYSiAPRgSSVLXNuQxOFh5DdmmKG1ZGmtq97XXFvud6DGGj7EY4mOhZJzrlzG5kWVriUrX2AeHQkdbzEK-t9B315bE95YpGpURNe5t-Rm67yjNwf5e_8lQjNqWDgJi7wQZC0OGxBXmK1UDnXHny1_Z_fHS-Ny3isCjzV7EExUtGPz69Si1qjWyh_pozNZkBPQ9NjUgnnEMM16sWv6hiA#_=_

The value of the code parameter is everything between ?code= and the trailing #_=_ fragment that Facebook appends.

Then we need to grab the access token.

For that, the client web application has to send an HTTP POST request to the Token Endpoint of Facebook, passing the authorization code received in the previous step.

When sending the request, we can use RESTClient.



Now you have the access token.

After completing these steps, you can log in with Facebook from any website.
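The three steps above (build the authorize request, read the code out of the redirect, exchange it for a token) are shown below as URL building and parsing. This is an added example for this page, not code from the original post or from Facebook's SDK. It uses the authorize endpoint the post gives (https://www.facebook.com/dialog/oauth) with the same response_type, client_id, redirect_uri and scope parameters; the token endpoint URL, the app id and the app secret are placeholders/assumptions, and nothing is sent over the network: build_token_request only returns the URL and form body you would submit with RESTClient or from server-side code. Beyond what the post shows, a state parameter is generated and checked on the redirect so that a forged redirect with someone else's code is rejected.

```python
"""Authorization-code flow helpers for the Facebook login described in the post.
Added example, not code from the original post; offline (builds and parses URLs only)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://www.facebook.com/dialog/oauth"       # given in the post
TOKEN_ENDPOINT = "https://graph.facebook.com/oauth/access_token"   # assumption, not from the post


def build_authorize_url(client_id, redirect_uri, scope="public_profile", state=None):
    """Step 1: the GET the browser is sent to. Returns (url, state); keep state in the session."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state


def extract_code(redirected_url, expected_state=None):
    """Step 2: pull ?code=... out of the URL Facebook redirected to.
    The trailing '#_=_' Facebook appends is a fragment and is dropped by urlsplit."""
    qs = parse_qs(urlsplit(redirected_url).query)
    if "error" in qs:
        raise ValueError(f"authorization denied: {qs['error'][0]}")
    if expected_state is not None and qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect did not originate from our request")
    codes = qs.get("code")
    if not codes:
        raise ValueError("no authorization code in redirect")
    return codes[0]


def build_token_request(client_id, client_secret, redirect_uri, code):
    """Step 3: the POST to the token endpoint. Must run server-side: it carries the app secret."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,   # must match the one used in step 1 exactly
        "code": code,
    }
    return TOKEN_ENDPOINT, urlencode(body)


if __name__ == "__main__":
    # Placeholder values, not the post's real app id or secret.
    url, state = build_authorize_url("YOUR_APP_ID", "https://example.invalid/callback")
    print("send the browser to:", url)
    redirect = f"https://example.invalid/callback?code=CONSTRUCTED_CODE&state={state}#_=_"
    code = extract_code(redirect, state)
    endpoint, body = build_token_request("YOUR_APP_ID", "YOUR_APP_SECRET",
                                         "https://example.invalid/callback", code)
    print("POST", endpoint, body)
```

Two practical notes follow from the code: the redirect_uri in step 3 must be byte-for-byte the one registered under Valid OAuth redirect URIs and used in step 1, and the App Secret must never be placed in browser-side JavaScript, which is why the token exchange belongs on the server (or in a tool like RESTClient during testing) rather than in the page that shows the login button.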

