The creator of the Tox ransomware decides to sell his malware-creation business




In a statement posted on Pastebin, the creator of the Tox ransomware construction kit, a tool for building custom ransomware, claims to be a teenager astonished by the rapid growth and success of his ransomware, a category very much in fashion now with cases such as CryptoLocker (alias the "Correos virus"), TeslaCrypt and CryptoWall 3.0, among others.





The TOX utility, which lets users create ransomware "to taste" over TOR.

Creating TOX ransomware is so easy that it can be done in a few steps. A user interested in Tox can subscribe to the service to create their own virus. The authors explain that building a ransomware takes only a few simple steps:

  • Decide the ransom amount (money)
  • Write your "cause"
  • Enter the captcha

The crime-as-a-service model implemented by the Tox author is as simple as it is effective: the malware builder generates an executable of around 2 MB disguised as a file with a .scr extension. Encrypted files get the extension .toxcrypt appended.


The malware generated by Tox is compiled with MinGW and uses Advanced Encryption Standard (AES) encryption to encrypt the client's files through the Crypto++ library. Microsoft's "CryptoAPI" is used for key generation.

Ransomware is a type of virus that encrypts the data on our computer and asks us to pay a ransom to regain access to it. A kind of "virtual kidnapping" that can be highly effective, and which not every antivirus manages to prevent.

The good news is that Tox does not delete the volume shadow copies of the compromised files, so victims can use "System Restore" or programs such as Shadow Explorer to regain control of their files.

Tox can be reached on the deep web, the dark part of the Internet we have already told you about, using Tor, a program that anonymizes our browsing. Tor was originally intended for political dissidence and extreme freedom of expression, but it has now filled up with all kinds of "dark" content.

When we access the Tox website we are asked to indicate the ransom amount we want to demand, a message for the victim and an address at which to receive payments in Bitcoin. Those responsible for this virus-creation tool keep 30% of every ransom we receive.

Once the creation process finishes, we receive a 2 MB executable file under a harmless-looking .scr extension. From then on, if we are determined to enter the world of cybercrime, we would have to send the file (most effectively, by email) for other users to open and get infected.

Poster of the illegal business put up for sale:



Tools for creating custom viruses on the Deep Web

With Tox – Viruses, and obviously we will not explain how, creating a ransomware-type virus is really simple, so much so that no technical knowledge of software or programming is needed. The tool was created by a team of malware developers so that anyone who reaches it can create their viruses free of charge. But then, what interest could its developers have in it?



With the tool in question, the financial gain is decided by the user, the attacker himself, but the developers of Tox – Viruses keep 30% of the amount. The creators of Tox – Viruses have taken advantage of the Tor network to stay safe from possible legal consequences, a protection they do not extend to their users, whom they use for their own profit while putting them at risk, along with the potential victims who suffer the ransomware attack.

Message shown to the hijacked users:



Attention - The files in your PC are now encrypted. The only way to have them back, is to pay a file. How to pay - You have to pay the ransom in bitcoins to the address which has been reserved for you. Please not that the value of bitcoins is unstable and may change in the near future. The current amount of bitcoin to pay is 0.64 (75.00$). How to buy bitcoins - 1. register, 2. deposit funds with credit card of bank transfer, 3. withdraw 0.64 bitcoins to address, 4. wait the transaction to be completed (it usually takes less than two hours). 5. if your files are not decrypted automatically, please write to toxsupport(at)sigaint.com with the subject HELP, sending the bitcoin address you paid to. You can also spam this mailbox with useless stuff or wishing me death, so that mail sent from real people who actually need help won’t be read.




The Tox presentation in English reads as follows:

What is Tox? - We developed a virus which, once opened in a Windows OS, encrypts all the files. Once this process is completed, it displays a message asking to pay a ransom to a bitcoin address to unlock the files. How do I make money with Tox? - You can subscribe (no mail or other shit needed) and create your virus. You will have to decide the ransom to unlock the files. Once you have downloaded your virus, you have to infect people (yes, you can spam the same virus to more people). How? That's your part. The most common practice to spam it as a mail attachment. If you decide to follow this method be sure to zip the file to prevent antivirus and antispam detection. - The most important part: the bitcoin paid by the victim will be credited to your account. We will just keep a 30% fee of the income, so if you specify a 100$ ransom, you will get 70$ and we'll get 30$, isn't this fair?

F.A.Q. - Are you serious? - Yes, why not? This is the best way for us to infect a lot of people and make a lot of money. Am I safe? - Sure, as long as you use tor and don't use personally identifiable information: we don't need to know you, and you don't need to know us. The only thing we'll ask you is the bitcoin address to withdraw your part. Are you going to steal my profit? - Nope, why should we? The best way for us to make money is having you helping us. Also, you will be shown the btc address your victims have to pay to, so you'll be sure we're not hiding anything from you. Then why aren't you spreading the virus yourself? We are! But with you, we're going to have a bigger income. Why is the file a .scr? - Because in this way people will not suspect anything (who knows what is a .scr?). If you wish, you can change it to .exe it'll work the same. How does the virus look? - Sexy. The virus has a .src extension (same as .exe files) and it has the icon of a word document, so the victim wont be suspecting anything. Will you actually decrypt the files once the ransom is paid? - Yes, we will. We want people to trust us, so that more people will pay the ransom. How dow I withdraw the money? - In the virus section you can monitor the status of all your viruses. When you have bitcoins to withdraw, just enter your address and press the Withdraw button.


Technical analysis of the Tox malware by McAfee


https://blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us 


%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\tox.html
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\Tox.scr
%AppData%\tor\
%AppData%\tor\cached-certs
%AppData%\tor\cached-microdesc-consensus
%AppData%\tor\cached-microdescs.new
%AppData%\tor\lock
%AppData%\tor\state
%AppData%\tox.log
%AppData%\tox_tor\
%AppData%\tox_tor\Data\
%AppData%\tox_tor\Data\Tor\
%AppData%\tox_tor\Data\Tor\geoip
%AppData%\tox_tor\Data\Tor\geoip6
%AppData%\tox_tor\Tor\
%AppData%\tox_tor\Tor\libeay32.dll
%AppData%\tox_tor\Tor\libevent-2-0-5.dll
%AppData%\tox_tor\Tor\libevent_core-2-0-5.dll
%AppData%\tox_tor\Tor\libevent_extra-2-0-5.dll
%AppData%\tox_tor\Tor\libgcc_s_sjlj-1.dll
%AppData%\tox_tor\Tor\libssp-0.dll
%AppData%\tox_tor\Tor\ssleay32.dll
%AppData%\tox_tor\Tor\tor.exe
%AppData%\tox_tor\Tor\zlib1.dll
%AppData%\tox_tor\tor.zip


The file extensions the virus encrypts are:

.txt, .odt, .ods, .odp, .odm, .odb, .doc, .docx, .docm, .wps, .xls, .xlsx, .xlsm, .xlsb, .xlk, .ppt, .pptx, .pptm, .mdb, .accdb, .pst, .dwg, .dxf, .dxg, .wpd, .indd, .cdr, .jpg, .jpe, .jpeg, .dng, .3fr, .arw, .mef, .mrw, .nef, .nrw, .orf, .raf, .raw, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .der, .cer, .rtf, .wb2, .mdf, .dbf, .psd, .pdd, .eps, .ai, .crt, .pem, .pfx, .p12, .p7b, .p7c, .pdf, .odc, .srf, .sr2, .bay, .crw, .cr2, .dcr, .kdc, .erf, .png, .xml, .sql, .php, .asp, .aspx, .js, .css, .cs, .cpp, .hpp, .java, .class, .py, .pl, .veg, .aep, .aepx, .blend, .prproj, .cad, .tif, .sitx, .sit, .rmvb, .bmp, .pps, .pub, .qbb, .swf, .asf, .dss, .qxd, .3gp, .cdl, .mswmm, .ss, .eml, .csv
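As an added defender-side example (not code from the article, from McAfee or from the Tox kit), the following Python triage helper checks a directory listing for the %AppData% artefacts and the .toxcrypt suffix described above and reports which encrypted files had one of the targeted extensions; the profile path, the extension subset and the sample listing are assumptions.

```python
"""Triage helper for the Tox artefacts listed in the McAfee analysis above.
Added example, not code from the article, McAfee or the Tox kit; paths and samples are assumptions."""
import ntpath

# Artefact paths relative to %AppData%, taken from the list above.
TOX_ARTEFACTS = {
    r"Microsoft\Windows\Start Menu\Programs\Startup\tox.html": "startup persistence",
    r"Microsoft\Windows\Start Menu\Programs\Startup\Tox.scr": "startup persistence",
    r"tox.log": "log file",
    r"tox_tor\Tor\tor.exe": "bundled Tor client",
}
ENCRYPTED_EXT = ".toxcrypt"  # suffix Tox appends to the files it encrypts
# Subset of the targeted extensions from the list above (constructed, not exhaustive).
TARGET_EXTS = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".pem", ".pfx", ".sql"}
DEFAULT_APPDATA = r"C:\Users\alice\AppData\Roaming"  # assumed %AppData% of the profile

def classify_path(path, appdata=DEFAULT_APPDATA):
    """Return (category, detail) when `path` matches a Tox indicator, else None."""
    lower = path.lower()
    base = appdata.lower().rstrip("\\") + "\\"
    if lower.startswith(base):
        rel = path[len(base):]
        for artefact, category in TOX_ARTEFACTS.items():
            if rel.lower() == artefact.lower():
                return category, rel
    if lower.endswith(ENCRYPTED_EXT):
        original = ntpath.basename(path)[:-len(ENCRYPTED_EXT)]
        orig_ext = ntpath.splitext(original)[1].lower()
        kind = "targeted type" if orig_ext in TARGET_EXTS else "other type"
        return "encrypted file", f"{original} ({kind})"
    return None

def triage(paths, appdata=DEFAULT_APPDATA):
    """Group every matching path by indicator category; an empty dict means no hits."""
    findings = {}
    for path in paths:
        hit = classify_path(path, appdata)
        if hit:
            findings.setdefault(hit[0], []).append(hit[1])
    return findings

# Constructed directory listing of one user profile (not a real capture).
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tox.scr",
    r"C:\Users\alice\AppData\Roaming\tox_tor\Tor\tor.exe",
    r"C:\Users\alice\AppData\Roaming\tox.log",
    r"C:\Users\alice\Documents\budget.xlsx.toxcrypt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Documents\archive.zip.toxcrypt",
]
```

A hit in the "startup persistence" category is the one to act on first, since Tox.scr relaunches from the Startup folder at every logon; the shadow copies the article mentions are still available for recovery because the sample does not wipe them.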

Message on Pastebin

http://pastebin.com/FfdDSbBh

Dear users,

Just one month ago, in one instant, all what I've studied for months fused in one brilliant idea, which was then named Tox. I knew it was something new, something that was completely different from what was already there. I started designing the whole thing in my mind, then I started coding, reading documentations, testing software.

After two weeks of non-stop hard work, the platform was online.

A little more than a week ago, I started posting links around the deep web, in the hope somebody would have given Tox a try.
Things exploded.

Even before the website was ready to host users, the McAfee blog was featuring the article about this platform. The number of the users started growing. From 20 to 50, from 50 to 100, it was doubling every day. Infections, with a little delay, started growing too.

In just one week, the platform counted over one thousand users and over one thousand infections, with an average of more than two hundred polling viruses per half-hour.

Yesterday, 2nd June 2015, I decided to quit.

Plan A was to stay quiet and hidden. Well, I think I screwed up.

It's been funny, I felt alive, more than ever, but I don't want to be a criminal.

The situation is also getting too hot for me to handle, and (sorry to ruin your expectations) I'm not a team of hard core hackers.

I'm just a teenager student.

Some have said I think out of the box, others said I'm a skid who just developed the worst ransomware ever. I think that both opinions may be true, but one thing is objectively true: with Tox, I opened a door for a whole new way of thinking. I'm sure that others will try to replicate what I did. Not just for bad reasons, maybe somebody (maybe myself?) will find out how to do something good based on all this.

One last thing: if I really was a team of hard core hackers, with time and resources, this would have become one of the greatest viruses ever.

In these days, in the chat, people helped me test and debug the virus, but the most interesting part is that they suggested to me how to improve it. I don't think that such a great brainstorming has ever happened in the process of designing a virus. Users were spurred to help me improve the platform, for their own good.

What's next? I'm selling all this out because even if I didn't, somebody would have developed his own Tox-like version.

I'm asking my users to be patient, I'm not going to scam you. In a few days I'll ask you a bitcoin address in the case somebody pays some of your ransoms. I'll forward you your part.

If nobody's going to buy the database, in one month I'm releasing the keys, and victims will have their files automatically unlocked.

My choices are not linked to the recent external events, I pondered all these choices on my own, for my own good.

Sincerely, Tox


Sources:
http://www.adslzone.net/2015/05/31/tox-una-herramienta-gratis-para-ganar-dinero-creando-tus-propios-virus-2/
http://www.elgrupoinformatico.com/tox-una-herramienta-para-crear-virus-ganar-dinero-facil-t23541.html 
http://www.pcrisk.com/removal-guides/9052-tox-ransomware
