
posted by janrinok on Friday July 31 2015, @05:48PM
from the still-using-TrueCrypt? dept.

ESET's WeLiveSecurity blog has released details of Win32/Potao malware attack campaigns on high-value targets in Ukraine, Russia, Georgia and Belarus:

We presented our initial findings based on research into the Win32/Potao malware family in June, in our CCCC 2015 presentation in Copenhagen. Today, we are releasing the full whitepaper on the Potao malware with additional findings, the cyber-espionage campaigns where it was employed, and its connection to a backdoor in the form of a modified version of the TrueCrypt encryption software.

Like BlackEnergy, the malware used by the so-called Sandworm APT group (also known as Quedagh), Potao is an example of targeted espionage malware directed mostly at targets in Ukraine and a number of other post-Soviet countries, including Russia, Georgia and Belarus.

[...] An (A)PT malware family that has gone relatively unnoticed for five years and that has also been used to spy on Ukrainian governmental and military targets is certainly interesting in and of itself. However, perhaps the most attention-grabbing discovery related to this case was when we observed a connection to the popular open-source encryption software, TrueCrypt. We found out that the website truecryptrussia.ru has been serving modified versions of the encryption software that included a backdoor to selected targets. Clean versions of the application are served to normal visitors to the website, i.e. people who aren't of interest to the attackers. ESET detects the trojanized TrueCrypt as Win32/FakeTC. TrueCrypt Russia's domain was also used as a C&C server for the malware. The connection to Win32/Potao, which is a different malware family from Win32/FakeTC, is that FakeTC has been used to deliver Potao to victims' systems in a number of cases. FakeTC is not, however, merely an infection vector for Potao (and possibly other malware) but a fully functional and dangerous backdoor designed to exfiltrate files from the espionage victims' encrypted drives.

From The Register.


  • (Score: 3, Touché) by takyon (881) on Friday July 31 2015, @05:58PM (#216424)

    Spudnik jokes not admitted.

    • (Score: 2) by broggyr (3589) on Friday July 31 2015, @06:25PM (#216451)

      PO-TA-TOES!

    • (Score: 2, Funny) by Runaway1956 (2926) on Friday July 31 2015, @06:41PM (#216465)

      Are these ones alright?

      1

      A gentleman comes to the shop and asks,

              Give me a bottle of vodka and a bottle of Coca-Cola.

      After half an hour he comes again and asks again,

              Give me a bottle of vodka and a bottle of Coca-Cola.

      After one hour he comes again and asks the shopkeeper,

              Give me a bottle of vodka and a bottle of... of Sprite. It seems Coca-Cola makes me sick! :)

      2

      A patient went to a doctor. The patient was suffering from insomnia, a nervous breakdown and depression. After some checking the doctor said,

      Doctor: This medicine is for insomnia, this one is for the nervous breakdown, and also take this one for depression.

      Patient: Thank you very much, doctor, but do you have any other medicine besides vodka?

      3

      Tell us, what forces you to drink vodka every day?

              Nothing. I'm a volunteer.

      4

      The traffic police stop a car.

      Policeman asks the man, Have you drunk vodka today?

      Driver: No.

      Policeman: Breathe into the tube... Well, no alcohol is detected... Maybe the tube is broken... (breathes into the tube himself) No, it's working!

      5

      Two Russian friends went into a bar and ordered beer vodka.

      One of them adds: - Make sure the mug glass is clean!

      After a minute the waiter brings two beer mugs vodka glasses and asks: - Which of you ordered beer vodka in a clean mug glass?

      Courtesy: http://www.flowingevents.com/2012/01/5-best-russian-jokes-about-vodka.html [flowingevents.com]

    • (Score: 2) by goodie (1877) on Friday July 31 2015, @06:53PM (#216473)

      Damn. I thought there was some super fast worm eating potatoes and that the world supply of chips was threatened.

    • (Score: 1) by Pino P (4721) on Friday July 31 2015, @08:08PM (#216518)

      Especially because potato is from August 2000 [debian.org]. If you haven't had a woody by then, you're way behind.

  • (Score: 2) by VortexCortex (4067) on Friday July 31 2015, @07:15PM (#216488)

    The connection to Win32/Potao, which is a different malware family from Win32/FakeTC, is that FakeTC has been used to deliver Potao to victims' systems in a number of cases. FakeTC is not, however, merely an infection vector for Potao (and possibly other malware) but a fully functional and dangerous backdoor designed to exfiltrate files from the espionage victims' encrypted drives.

    Or, more correctly: Win32/FakeTC is a Trojan that creates a backdoor into systems it's installed upon, rather than just being a vulnerable exploit vector which is later leveraged. An exploit vector may merely be a bug that allows remote code execution if exploited, whereas a Trojan is that which appears beneficial but was designed to fuck you in the end.

  • (Score: 2) by MichaelDavidCrawford on Friday July 31 2015, @11:15PM

    Why the hell is the Ukrainian military downloading Windows BINARIES from a Russian server?

    TrueCrypt is Open Source.

    Let this be lesson to you: verify hashes and signatures, but only after you verify that you have the correct hashes and signatures.

    • (Score: 2, Insightful) by Anonymous Coward on Friday July 31 2015, @11:39PM (#216574)

      This is one reason I think more effort needs to be put into reproducible builds in general. That way, you can verify that even their hashes are correct by compiling it yourself.

    • (Score: 3, Informative) by gnuman (5013) on Saturday August 01 2015, @03:56AM (#216634)

      Let this be lesson to you: verify hashes and signatures, but only after you verify that you have the correct hashes and signatures.

      This doesn't save you if the signatures are faked too. How many people verify that the signature is valid *AND* made by the correct key? No one. You didn't meet the developer and get their key in person. You can't then be sure that the key is the correct key. You can only *assume*.
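
The two points made above (verify hashes and signatures only after you know you have the right hashes and signatures; and check that a "good" signature was made by the key you expect, not merely by some key gpg happens to have in its keyring) can be turned into one mechanical check, which is also the check a visitor to truecryptrussia.ru had no way to perform if that site was their only source. The block below is an added example, not ESET's code, TrueCrypt's, or anything posted in this thread. It compares the downloaded file against a pinned SHA-256 and parses the machine-readable lines that `gpg --status-fd 1 --verify` prints (GOODSIG, VALIDSIG and BADSIG are real gpg status keywords), accepting the file only when VALIDSIG reports the pinned fingerprint. The pinned fingerprint, the installer bytes and the three status outputs are constructed for the example.

```python
"""Check a downloaded installer against a pinned SHA-256 AND a pinned signing-key
fingerprint, instead of trusting whatever the download site serves.

Added example for the thread, not code from ESET, TrueCrypt or any poster.
It parses the machine-readable lines that `gpg --status-fd 1 --verify` prints
(GOODSIG, VALIDSIG, BADSIG etc. are real gpg status keywords); the pinned
fingerprint, the installer bytes and the status outputs are constructed.
"""
import hashlib
import hmac

# What a careful user obtains through a channel independent of the download
# site (printed docs, a fingerprint read out by the developer, a friend's copy).
# Both values are constructed for this example; the digest is derived from the
# constructed sample so the block runs stand-alone.
PINNED_FPR = "F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15"
SAMPLE_INSTALLER = b"MZ\x90\x00 constructed stand-in for a TrueCrypt setup binary"
PINNED_SHA256 = hashlib.sha256(SAMPLE_INSTALLER).hexdigest()

FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def hash_matches(blob: bytes, expected_hex: str) -> bool:
    """Constant-time compare of SHA-256(blob) against the pinned digest."""
    actual = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(actual.lower(), expected_hex.lower())


def parse_gpg_status(status_output: str) -> dict:
    """Reduce gpg --status-fd output to the facts verification depends on.

    GOODSIG  only means 'some key in the local keyring made a valid signature'.
    VALIDSIG carries the signing key's full fingerprint; that is what gets pinned.
    BADSIG / ERRSIG / NO_PUBKEY etc. mean the signature did not verify at all.
    """
    result = {"good": False, "fingerprint": None, "failed": False}
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword = parts[1]
        if keyword == "GOODSIG":
            result["good"] = True
        elif keyword == "VALIDSIG" and len(parts) > 2:
            result["fingerprint"] = parts[2].upper()
        elif keyword in FAILURE_KEYWORDS:
            result["failed"] = True
    return result


def signature_from_pinned_key(status_output: str, pinned_fpr: str = PINNED_FPR) -> bool:
    """True only if gpg reported a good signature AND the signing key's
    fingerprint equals the pinned one. A perfectly good signature from some
    other key (one the attacker got you to import) is rejected."""
    status = parse_gpg_status(status_output)
    if status["failed"] or not status["good"] or status["fingerprint"] is None:
        return False
    return hmac.compare_digest(status["fingerprint"], pinned_fpr.upper())


def verify_download(blob: bytes, status_output: str) -> bool:
    """Both checks must pass: the right bytes, signed by the right key."""
    return hash_matches(blob, PINNED_SHA256) and signature_from_pinned_key(status_output)


# Constructed status output: good signature, made by the pinned key.
STATUS_GENUINE = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6C94BCDF32BEEC15 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15 2015-07-31 1438350000 0 4 0 1 10 00 F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""

# Constructed: also a good signature, but from a different key that came from
# the same untrusted site. gpg on its own prints "Good signature" for this too.
STATUS_WRONG_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2015-07-31 1438350000 0 4 0 1 10 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: the signature does not verify.
STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 6C94BCDF32BEEC15 Example Signer <signer@example.invalid>
"""

if __name__ == "__main__":
    print("genuine  :", verify_download(SAMPLE_INSTALLER, STATUS_GENUINE))            # True
    print("wrong key:", verify_download(SAMPLE_INSTALLER, STATUS_WRONG_KEY))          # False
    print("bad sig  :", verify_download(SAMPLE_INSTALLER, STATUS_BAD))                # False
    print("tampered :", verify_download(SAMPLE_INSTALLER + b"\x00", STATUS_GENUINE))  # False
```

In real use the status text is the output of `gpg --status-fd 1 --verify installer.exe.sig installer.exe`, and the two pinned values must come from somewhere other than the page that served the binary; otherwise a site that serves trojanized builds to selected visitors can just as easily serve them a matching hash, a matching signature and the key that made it. The "wrong key" case is the one gnuman describes: gpg itself reports a good signature, and only the fingerprint comparison catches it.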

      • (Score: 2) by MichaelDavidCrawford (2339) on Saturday August 01 2015, @06:10AM (#216668)

        The only time I ever asked anyone to sign my key, I asked two friends who should have known the difference. They downloaded my key from my website, signed it then mailed me their signed copies.

        Eventually someone pointed out why I should sign my own key. I did so, then uploaded it to the keyservers.

        After a while I fetched my own key from a server only to find that two complete strangers had signed it. I expect they did so because they think well of me, but how did they know that was _my_ key?

        I'm getting ready to revoke my key then issue a new one, but because my key is so very old anyone with half a brain could have factored it by now.

        I once mailed around an invite to a key signing party. My friend Richard Reich, also a consulting software engineer, replied that there was no point to it unless my party was attended by "a ballerina, a fisherman, a venture capitalist, a journalist, a refugee, a philanthropist and a NAZI".

        That is if a whole bunch of people who all hang out together anyway sign each other's keys, well they can trust each others' sigs but no one else can. For that you need diversification.

        • (Score: 0) by Anonymous Coward on Saturday August 01 2015, @12:13PM (#216726)

          After a while I fetched my own key from a server only to find that two complete strangers had signed it. I expect they did so because they think well of me but how did that know that was _my_ key?

          That doesn't matter. Revoking a key is only needed if you lose it, or *you* sign things that turned out to be fake ;)

          • (Score: 3, Touché) by MichaelDavidCrawford (2339) on Saturday August 01 2015, @01:15PM (#216738)

            Suppose you yourself trusted the keys of the two complete strangers who signed mine.

            You want to send me a ciphertext, or validate my own sig on a cleartext mail, so you ask gnupg to verify that my sig is within your own web of trust.

            It will be, because you trusted the two right chaps who signed the key of a complete stranger that they found on a keyserver.

            But in reality, that key belongs to petergunn@cia.gov.

            Does that work for you?

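
The scenario in the reply above (two strangers you have rated as trustworthy sign a key you never verified, and gpg then treats that key as valid) follows directly from how GnuPG's classic trust model computes key validity. The block below is an added example, not GnuPG's code or anything posted in this thread: a small, simplified model of that validity rule using gpg's default parameters (completes-needed=1, marginals-needed=3, max-cert-depth=5), run over a constructed certification graph. The key names are placeholders.

```python
"""Why a key that is 'valid' in your web of trust need not belong to who it claims.

Added example, not GnuPG's code or anything posted in the thread: a small,
simplified model of GnuPG's classic trust-model validity rule with its default
parameters (completes-needed=1, marginals-needed=3, max-cert-depth=5), run over
a constructed certification graph. Key names are placeholders.
"""
from typing import Dict, Set

COMPLETES_NEEDED = 1   # gpg default: one fully trusted introducer suffices
MARGINALS_NEEDED = 3   # gpg default: or three marginally trusted introducers
MAX_CERT_DEPTH = 5     # gpg default: longer certification chains are ignored


def compute_validity(certifications: Dict[str, Set[str]],
                     ownertrust: Dict[str, str]) -> Dict[str, str]:
    """Return "full", "marginal" or "unknown" validity for every key.

    certifications: key -> set of keys that signed (certified) it.
    ownertrust:     key -> "ultimate" | "full" | "marginal" | "unknown";
                    how much you trust that key's OWNER to check identities
                    before signing. Assigned by you, never learned from the key.

    Validity starts at the ultimately trusted keys (depth 0) and spreads:
    a key becomes fully valid once it carries certifications from at least
    COMPLETES_NEEDED fully trusted introducers or MARGINALS_NEEDED marginally
    trusted ones. Only keys that are already fully valid act as introducers,
    and the ownertrust of a key that is not valid is ignored, as in gpg.
    """
    keys = set(certifications) | set(ownertrust)
    validity: Dict[str, str] = {k: "unknown" for k in keys}
    depth: Dict[str, int] = {}
    for key, trust in ownertrust.items():
        if trust == "ultimate":
            validity[key] = "full"
            depth[key] = 0

    for _ in range(MAX_CERT_DEPTH):
        changed = False
        for key, signers in certifications.items():
            if validity[key] == "full":
                continue
            full_votes = marginal_votes = 0
            introducer_depth = 0
            for signer in signers:
                if validity.get(signer) != "full":
                    continue          # an unverified signer contributes nothing
                trust = ownertrust.get(signer, "unknown")
                if trust in ("ultimate", "full"):
                    full_votes += 1
                elif trust == "marginal":
                    marginal_votes += 1
                else:
                    continue          # valid key, but you never rated its owner
                introducer_depth = max(introducer_depth, depth.get(signer, 0))
            if full_votes == 0 and marginal_votes == 0:
                continue
            if introducer_depth + 1 > MAX_CERT_DEPTH:
                continue
            if full_votes >= COMPLETES_NEEDED or marginal_votes >= MARGINALS_NEEDED:
                validity[key] = "full"
                depth[key] = introducer_depth + 1
                changed = True
            elif validity[key] != "marginal":
                validity[key] = "marginal"
                changed = True
        if not changed:
            break
    return validity


# Constructed graph for the scenario in the thread:
#   you                  - your own key (ultimate trust)
#   stranger1, stranger2 - two keys you once signed, so they are valid to you
#   claimed_mdc          - a key fetched from a keyserver that says it is MDC's;
#                          signed only by the two strangers, who found it there too.
CERTS: Dict[str, Set[str]] = {
    "you": set(),
    "stranger1": {"you"},
    "stranger2": {"you"},
    "claimed_mdc": {"stranger1", "stranger2"},
}


def validity_of_unverified_key(stranger_trust: str) -> str:
    """How valid 'claimed_mdc' looks to you, given the ownertrust you gave the strangers."""
    ownertrust = {"you": "ultimate", "stranger1": stranger_trust, "stranger2": stranger_trust}
    return compute_validity(CERTS, ownertrust)["claimed_mdc"]


if __name__ == "__main__":
    for level in ("full", "marginal", "unknown"):
        print(f"strangers rated {level:8s} -> claimed_mdc validity: {validity_of_unverified_key(level)}")
```

With full ownertrust on the two strangers the unverified key comes out fully valid, and gpg would encrypt to it or accept its signatures without a word; with marginal ownertrust two signatures fall short of marginals-needed=3 and it is only marginally valid, which is where gpg prints its "not certified with sufficiently trusted signatures" warning; with no ownertrust assigned it stays unknown. Nothing in the model substitutes for the identity check that ownertrust is supposed to summarise, which is the point of the reply above.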
    • (Score: 0) by Anonymous Coward on Saturday August 01 2015, @06:38AM (#216672)

      As it does not comply with http://opensource.org/definition [opensource.org]

      Don't spread misinformation.

      • (Score: 2) by MichaelDavidCrawford (2339) on Saturday August 01 2015, @07:07AM (#216685)

        ... in what way is it not Open Source?

        If it's a problem with licensing that would fail the test, but is the full source available?

        • (Score: 1, Informative) by Anonymous Coward on Sunday August 02 2015, @07:27AM (#216954)

          I believe that is correct. I never studied it further after noticing the bad license.

          So you are right about how this would/could/should've been but apparently wasn't avoided.