Monday, July 23, 2012

Anti-Malware Vendors - here we go again with another round of FUD...

Over the years, I've been periodically plagued by false positives reported for AxCrypt by various anti-malware vendors. These small-time, opportunistic, shady vendors like Microsoft, ESET, McAfee, Avast et al. have a long history of just flagging anything they please as malware, and be damned the consequences.

I am a small one-person operation providing free strong encryption software for personal privacy and security. I have over a decade and perhaps 20 million downloads of faultless operation on record. Nevertheless, at least once a year, these companies start reporting my software as malicious, causing me and my users no end of grief.

Why will not a single one of them just for once take responsibility for their actions? I have not received as much as one single communication from them. Not once. Not when they flag my software falsely as malicious. Not when they rescind that flagging, as they inevitably do when enough users get suspicious and start questioning the reports.

Now, in 2012, it's starting again. This time because I'm trying to make some small revenue using bundled advertisements for other software with the installer, in order to be able to spend some more thousands of hours developing free software. For more specifics about that particular choice, read here.

A current example: a recent report from Microsoft concerning the adware bundle AxCrypt uses, which at the time of writing is actually a disclaimer of a recent false positive. This causes uncertainty and fear for my users, but what does Microsoft care? Did they ask before flagging? Did they report when they removed the flag?

A different example is some recent reports about my site and my software from virustotal.com, which is even worse, because these guys hide behind the additional screen of being an aggregator - so they don't even have to take any responsibility at all, they're just forwarding information uncritically. This is a free service, so you can't even complain.

What can you as a user do? I don't really know; missing out on great, safe and free software because of fear, uncertainty and doubt seems the most likely case. Or, you may start to at least make your voice heard when these situations arise.

When your Anti-Malware software reports a false positive - demand your money back!

What can I do? I don't know that either. If you have any ideas on how I can protect my reputation and continue to provide free, safe security software - do let me know.

I'm getting tired of this. How much cr*p must I take to write and publish free software for your security and integrity?

AxCrypt used for ransom attacks

In October 2011 I got an e-mail from a Turkish corporation, claiming that someone had hacked their server to the extent of getting full administrator access. Thereafter the hacker had installed AxCrypt and encrypted all or most of the files on the server, and subsequently demanded a ransom from the company owning it.

At first I was very sceptical - how could someone get that kind of access to a server, and then hit on the idea to use AxCrypt to encrypt the files (for which it is workable, but not really well suited, since it for example requires full administrative permissions to install etc., not just write permission to the files). On top of that - no backups; the only copy of the files was apparently the files on the server.

It seemed just too bad to be true. A file server wide open to remote login with administrator permissions and a guessable password, with no backup routines? My first guess was that this was some kind of scheme to see if I would respond that, "Sure, there's a backdoor into AxCrypt - just pay me a small amount and promise not to tell anyone and I'll help you out." Sorry, no such (bad) luck. AxCrypt does not have any backdoors, and I can't be of help.

Now, in July 2012, I've had an additional few similar e-mails and even a few phone calls, in total about 10. All of them from Turkey. Strangely enough the contacts have escalated: at the start it was only e-mails which were not responded to when answered, then the e-mails started getting answered, then English-speaking persons were calling from Turkey - now most recently Swedish-speaking persons are calling from Sweden, still referring to problems originating in Turkey.

I'm still at a loss to really explain the phenomenon, but I'm now tending towards actually believing that the basic facts are true. Servers and perhaps also personal computers are being hacked (it's not entirely clear just what kind of computers have been hacked). That so far every single incident has been in Turkey is, I believe, due to the simple fact that the hacker is likely to be Turkish. A significant number of these hacks seem to occur during the weekend, so it's also likely that the hacker has a day job too, which is somewhat comforting since it implies that the 'business' is not very profitable.

If you happen to be the victim of a ransom attack, in Turkey or elsewhere, I am very sorry for your sake but please understand that I cannot be of any help whatsoever. You must contact your local police authorities and get them to investigate. They should be motivated to do so, since apparently this is not that infrequent - once again assuming that the stories I hear are actually true as told.

I've tried to come up with some way to make AxCrypt even less suitable for the purpose of ransoming, but I really can't think of anything. It's just a tool, and if you let the hacker into your system with full administrator permissions, I don't think there's anything anyone can do - except you, and that is to have backups!

This is not an AxCrypt issue. This is a security policy issue at the victim's site.

The hackers are not even that smart, using AxCrypt. To perform the attack they don't really have to install anything - all they have to do is to encrypt the file system with EFS, the Encrypting File System, which is an integral part of all modern Windows editions, export a recovery certificate and then reset the administrator password. Done. No need for extra tools such as AxCrypt. On top of that, there are literally hundreds of alternative encryption tools out there, all of them potentially 'useful' in this context. I guess in a twisted kind of way I should regard it as a compliment that AxCrypt is so easy to use and secure that even hackers want to use it!

Remember that backups are your final protection against data loss, regardless of the cause. Go check your backup routines now - and validate that you actually can read the backups regularly as well!
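The advice above is to verify that backups can actually be read back, not just that the backup job reported success. As an added illustration (example code written for this page, not part of AxCrypt or anything the author published), the script below records a SHA-256 manifest of a directory at backup time, then later reads every file in the backup copy back in full and compares it to the manifest, reporting files that are missing, unreadable or changed. The sample directory tree, file names and contents are constructed for the demo; the function names are assumptions of the example.

```python
"""Backup read-back verification (added example, not AxCrypt code).

At backup time, record a SHA-256 manifest of every file. Later, instead of
trusting that the backup job "succeeded", read every file in the backup copy
back and compare it to the manifest. A backup you cannot read and hash is not
a backup. All paths and sample files below are constructed for the demo.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory.
    Reading the whole file is the point: it proves the bytes are retrievable."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each relative file path under root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(backup_root, manifest):
    """Return a sorted list of problems found when reading the backup back.

    Each entry is (relative_path, reason) with reason one of
    'missing', 'unreadable', 'mismatch'. An empty list means every file in
    the manifest was read in full and matched."""
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(backup_root, *rel.split("/"))
        if not os.path.isfile(path):
            problems.append((rel, "missing"))
            continue
        try:
            actual = sha256_file(path)
        except OSError:
            problems.append((rel, "unreadable"))
            continue
        if actual != expected:
            problems.append((rel, "mismatch"))
    return sorted(problems)


def demo():
    """Constructed scenario: back up a small tree, damage the copy, verify."""
    work = tempfile.mkdtemp(prefix="backupdemo-")
    try:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "docs"))
        with open(os.path.join(src, "docs", "report.txt"), "w") as f:
            f.write("quarterly figures\n")
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("call the bank\n")

        manifest = build_manifest(src)           # taken at backup time
        backup = os.path.join(work, "backup")
        shutil.copytree(src, backup)             # the "backup job"

        clean = verify_backup(backup, manifest)  # fresh copy: no problems

        # Simulate silent damage: one file truncated, one file gone.
        with open(os.path.join(backup, "notes.txt"), "w") as f:
            f.write("")
        os.remove(os.path.join(backup, "docs", "report.txt"))
        damaged = verify_backup(backup, manifest)
        return clean, damaged
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    ok, bad = demo()
    print("fresh backup problems:", ok)
    print("damaged backup problems:", bad)
```

The manifest should be stored somewhere the backup job cannot overwrite it (or at least alongside the backup, signed), and the verification run on a schedule from the machine that would do the restore, so that a failure to read the medium shows up before the day you need it. Note that this checks that the backup copy is intact, not that the source was clean when it was taken; a backup made after the files were already encrypted will verify perfectly.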