What do you think the biggest malware fail was?

  • Thread starter Deleted Member 333v73x

Fabian Wosar

From Emsisoft
Verified
Developer
Well-known
Jun 29, 2014
260
I think you mean Radamant? The real fail is that they tried to fix their broken crypto scheme and made decryption actually more reliable, because they put their stupid "##### Emsisoft and Fabian Wosar" messages into some buffers that were previously uninitialized, allowing me to determine 100% reliably whether I determined the correct key or not, without having to rely on file format recognition.

They still make the same mistake last time I checked, but they are "kinda" saved by the fact that they encrypt the first 240 bytes of the file properly, which makes guessing the key a lot more difficult, as there rarely are predictable bytes 240 bytes in to see if you got the key right. Of course they still haven't fixed the bug in their malware that causes encryption to completely fail in about 1-2% of all systems, when the CryptoAPI for some reason doesn't want to work as they do. Looks like error checking is an unknown concept in Russia.

But there are bigger fails to be honest. This one just has to be the most amazing, as it involves two idiots on both the VX and AV side of things:

CryptoDefense: The story of insecure ransomware keys and self-serving bloggers

Malware author forgets that the CryptoAPI creates a copy of generated keys under some conditions and leaves the private key behind on the system. Then have some marketing drone at Symantec point out the error in a detailed blog post, so the malware author fixes the bug merely 24 hours later.
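The point about the marker string in previously uninitialized buffers is worth seeing in code. The block below is an added illustration, not code from this thread, from Emsisoft or from the Radamant malware: it models a deliberately broken scheme (a constructed stream cipher with a 14-bit key, so exhaustive search finishes quickly) and compares the two ways a decryptor author can tell whether a candidate key is right. File-format recognition only works when the file carries a recognizable header; a fixed string left inside an encrypted buffer is a perfect known-plaintext check for every file. The marker text, magic list and key size are all constructed assumptions.

```python
import hashlib

# Constructed toy scheme: a keystream derived from a 14-bit key.  The tiny key
# space exists only so the demonstration can try every key; it is a model of a
# broken ransomware key scheme, not any real malware's cipher.
KEY_BITS = 14
KEY_SPACE = 1 << KEY_BITS

# Stands in for a fixed message the malware writes into a buffer that is then
# encrypted alongside the file (constructed, not the real string).
MARKER = b"##### constructed marker string"

# A few well-known file headers (constructed list) for format-based checking.
KNOWN_MAGICS = (b"\x89PNG\r\n\x1a\n", b"%PDF-", b"PK\x03\x04")


def keystream(key: int, length: int) -> bytes:
    """Keystream = SHA-256(key || counter) blocks (constructed, not a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key.to_bytes(2, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    n = len(data)
    return (int.from_bytes(data, "big") ^ int.from_bytes(ks[:n], "big")).to_bytes(n, "big")


def encrypt_file(key: int, body: bytes, leak_marker: bool) -> bytes:
    """Return marker_buffer || body under one keystream.

    leak_marker=False models the original behaviour: the buffer holds bytes the
    analyst cannot predict (simulated here as a hash of the body).
    leak_marker=True models the 'fix': the buffer now holds the fixed MARKER.
    """
    if leak_marker:
        buf = MARKER
    else:
        buf = hashlib.sha256(b"unpredictable" + body).digest()[: len(MARKER)]
    plain = buf + body
    return xor_bytes(plain, keystream(key, len(plain)))


def decrypt(key: int, blob: bytes) -> tuple[bytes, bytes]:
    """Split a candidate decryption into (marker_buffer, body)."""
    plain = xor_bytes(blob, keystream(key, len(blob)))
    return plain[: len(MARKER)], plain[len(MARKER):]


def verify_by_format(key: int, blob: bytes) -> bool:
    """Heuristic check: does the decrypted body start with a known file header?"""
    _, body = decrypt(key, blob)
    return body.startswith(KNOWN_MAGICS)


def verify_by_marker(key: int, blob: bytes) -> bool:
    """Known-plaintext check: does the decrypted buffer equal the fixed marker?"""
    buf, _ = decrypt(key, blob)
    return buf == MARKER


def recover_keys(blob: bytes, verifier) -> list[int]:
    """Exhaustive search over the toy key space; returns every key the verifier accepts."""
    return [k for k in range(KEY_SPACE) if verifier(k, blob)]


if __name__ == "__main__":
    key = 10843  # constructed sample key
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32          # file with a recognizable header
    csv = b"name,balance\nalice,10\nbob,25\n"           # file with no magic bytes
    print("PNG, format check :", recover_keys(encrypt_file(key, png, True), verify_by_format))
    print("CSV, format check :", recover_keys(encrypt_file(key, csv, True), verify_by_format))
    print("CSV, marker check :", recover_keys(encrypt_file(key, csv, True), verify_by_marker))
    print("CSV, no marker    :", recover_keys(encrypt_file(key, csv, False), verify_by_marker))
```

The format check recovers the key for the PNG but returns nothing for the CSV, because there is no header to recognize; the marker check recovers the key for any file as long as the marker is present, and fails once the buffer is left unpredictable again. The design lesson for anyone building a scheme that must resist key recovery is the same as the post's: predictable plaintext next to ciphertext is an oracle, and a key space small enough to enumerate turns that oracle into a decryptor.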

Atlas147

Level 30
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 28, 2014
1,990
Read once about a malware that bundled PUP together with it. Among the PUP was an AV which in turn killed the rest of the malware and PUP :p

Deleted Member 333v73x

Thread author
Yes, I meant Radamant - Instead of Emsisoft they called you Emisoft :p They really need to work on spelling.