Ransomware for Haiku

rjzak · 2024-10-20T15:13:53.159Z

Someone’s done it. Yay?

GitHub - HydraDragonAntivirus/HaikuRansomware: World's First Haiku Ransomware/Malware

World's First Haiku Ransomware/Malware

HydraDragonAntivirus · 2024-10-20T15:47:48.756Z

Yes, I did but it seems like it’s too destructive and causing system unusable. Normal Ransomware shouldn’t do that except for bootkit ransomwares.

humdinger · 2024-10-20T17:26:09.084Z

A reminder not to download/install anything “some guy” linked to on the interwebs…

Anyone want to check if ClamAV finds this thing?

HydraDragonAntivirus · 2024-10-20T18:50:56.064Z

fileTypes = ['.pyd', '.elf', '.ps1', '.bas', '.bat', '.chm', '.cmd', '.com', '.cpl', '.dll', '.exe', '.msc', '.ocx', '.pcd', '.pif', '.reg', '.scr', '.sct', '.url', '.vbe', '.wsc', '.wsf', '.wsh', '.ct', '.t', '.input', '.war', '.jspx', '.tmp', '.dump', '.pwd', '.w', '.cfg', '.psd1', '.psm1', '.ps1xml', '.clixml', '.psc1', '.pssc', '.www', '.rdp', '.msi', '.dat', '.contact', '.settings', '.odt', '.jpg', '.mka','shtml', '.mhtml', '.oqy', '.png', '.csv', '.py', '.sql', '.mdb', '.html', '.htm', '.xml', '.psd', '.pdf', '.xla', '.cub', '.dae', '.indd', '.cs', '.mp3', '.mp4', '.dwg', '.rar', '.mov', '.rtf', '.bmp', '.mkv', '.avi', '.apk', '.lnk', '.dib', '.dic', '.dif', '.divx', '.iso', '.7zip', '.ace', '.arj', '.bz2', '.cab', '.gzip', '.lzh', '.jpeg', '.xz', '.mpeg', '.torrent', '.mpg', '.core', '.pdb', '.ico', '.pas', '.db', '.wmv', '.swf', '.cer', '.bak', '.backup', '.accdb', '.bay', '.p7c', '.exif', '.vss', '.raw', '.m4a', '.wma', '.flv', '.sie', '.sum', '.ibank', '.wallet', '.css', '.js', '.rb', '.xlsm', '.xlsb', '.7z', '.cpp', '.java', '.jpe', '.ini', '.blob', '.wps', '.wav', '.3gp', '.webm', '.m4v', '.amv', '.m4p', '.svg', '.ods', '.bk', '.vdi', '.vmdk', '.accde', '.json', '.gif', '.gz', '.m1v', '.sln', '.pst', '.obj', '.xlam', '.djvu', '.inc', '.cvs', '.dbf', '.tbi', '.wpd', '.dot', '.dotx', '.xltx', '.pptm', '.potx', '.potm', '.xlw', '.xps', '.xsd', '.xsf', '.xsl', '.kmz', '.accdr', '.stm', '.accdt', '.ppam', '.pps', '.ppsm', '.1cd', '.3ds', '.3fr', '.3g2', '.accda', '.accdc', '.accdw', '.adp', '.ai', '.ai3', '.ai4', '.ai5', '.ai6', '.ai7', '.ai8', '.arw', '.ascx', '.asm', '.asmx', '.avs', '.bin', '.cfm', '.dbx', '.dcm', '.dcr', '.pict', '.rgbe', '.dwt', '.f4v', '.exr', '.kwm', '.max', '.mda', '.mde', '.mdf', '.mdw', '.mht', '.mpv', '.msg', '.myi', '.nef', '.odc', '.geo', '.swift', '.odm', '.odp', '.oft', '.orf', '.pfx', '.p12', '.pls', '.safe', '.tab', '.vbs', '.xlk', '.xlm', '.xlt', '.xltm', '.svgz', '.slk', '.dmg', '.ps', '.psb', '.tif', '.rss', '.key', '.vob', '.epsp', '.dc3', '.iff', '.onepkg', '.onetoc2', '.opt', '.p7b', '.pam', '.r3d', '.pkg', '.yml', '.old', '.thmx', '.keytab', '.h', '.php', '.c', '.zip', '.log', '.log1', '.log2', '.tm', '.blf', '.uic', '.widget-plugin', '.regtrans-ms', '.efi', '.rule', '.rules', '.yar', '.yara', '.yrc', '.inf', '.ini', '.ndb', '.cvd', '.cld', '.ign2', '.dmp', '.conf' '.config', '.pyc', '.386', '.3gp2', '.3gpp', '.3mf', '.a', '.a2s', '.aac', '.ac3', '.accessor', '.accountpicture-ms', '.adt', '.adts', '.aif', '.aifc', '.aiff', '.androidproj', '.ani', '.ans', '.appcontent-ms', '.application', '.appref-ms', '.aps', '.arc', '.ari', '.art', '.asa', '.asax', '.asc', '.asf', '.ashx', '.asp', '.aspx', '.asx', '.au', '.avci', '.avcs', '.avif', '.avifs', '.bcp', '.bkf', '.blg', '.bsc', '.camp', '.cap', '.cat', '.cc', '.cda', '.cdmp', '.cdx', '.cdxml', '.cgm', '.chk', '.cjs', '.cls', '.cod', '.coffee', '.compositefont', '.config', '.coverage', '.cppm', '.cr2', '.cr3', '.crl', '.crt', '.crw', '.csa', '.csh', '.cshader', '.cshtml', '.csproj', '.cts', '.cur', '.cxx', '.datasource', '.dbg', '.dbs', '.dcs', '.dct', '.dctx', '.dctxc', '.dds', '.def', '.der', '.desklink', '.deskthemepack', '.devicemanifest-ms', '.devicemetadata-ms', '.diagcab', '.diagcfg', '.diagpkg', '.diagsession', '.disco', '.diz', '.dl_', '.dng', '.doc', '.docx', '.dos', '.drf', '.drv', '.dsgl', '.dsh', '.dshader', '.dsn', '.dsp', '.dsw', '.dtcp-ip', '.dtd', '.dvr-ms', '.ec3', '.edmx', '.eip', '.emf', '.eml', '.eps', '.epub', '.erf', '.etl', '.etp', '.evt', '.evtx', '.exp', '.ext', '.ex_', '.eyb', '.faq', '.fff', '.fif', '.filters', '.fky', '.flac', '.fnd', '.fnt', '.fon', '.fx', '.generictest', '.ghi', '.gitattributes', '.gitignore', '.gitmodules', '.gmmp', '.group', '.grp', '.gsh', '.gshader', '.hdd', '.hdp', '.heic', '.heics', '.heif', '.heifs', '.hh', '.hhc', '.hif', '.hlp', '.hlsl', '.hlsli', '.hpp', '.hqx', '.hsh', '.hshader', '.hta', '.htc', '.htt', '.htw', '.htx', '.hxx', '.i', '.ibq', '.icc', '.icl', '.icm', '.ics', '.idb', '.idl', '.idq', '.igp', '.iiq', '.ilk', '.imc', '.imesx', '.img', '.inl', '.inv', '.inx', '.in_', '.ipp', '.itrace', '.ivf', '.ixx', '.jav', '.jbf', '.jfif', '.job', '.jod', '.jse', '.jsonld', '.jsproj', '.jsx', '.jxr', '.k25', '.kci', '.kdc', '.label', '.latex', '.less', '.lgn', '.lib', '.library-ms', '.lic', '.local', '.lpcm', '.lst', '.m14', '.m2t', '.m2ts', '.m2v', '.m3u', '.m4b', '.mak', '.man', '.manifest', '.map', '.mapimail', '.master', '.mef', '.mfcribbon-ms', '.mid', '.midi', '.mjs', '.mk', '.mk3d', '.mlc', '.mmf', '.mod', '.mos', '.movie', '.mp2', '.mp2v', '.mp4v', '.mpa', '.mpe', '.mpv2', '.mrw', '.ms-windows-store-license', '.msepub', '.msm', '.msp', '.msrcincident', '.msstyles', '.msu', '.mts', '.mtx', '.mv', '.mydocs', '.natvis', '.ncb', '.netperf', '.nettrace', '.nfo', '.nls', '.nrw', '.nvr', '.nvram', '.oc_', '.odh', '.odl', '.oga', '.ogg', '.ogm', '.ogv', '.ogx', '.opus', '.orderedtest', '.ori', '.osdx', '.otf', '.ova', '.ovf', '.p10', '.p7m', '.p7r', '.p7s', '.pal', '.partial', '.pbk', '.pch', '.pcp', '.pds', '.pef', '.perfmoncfg', '.pfm', '.php3', '.pic', '.pkgdef', '.pkgundef', '.pko', '.pl', '.plg', '.pma', '.pmc', '.pml', '.pmr', '.pnf', '.pot', '.ppkg', '.ppt', '.prc', '.prf', '.printerexport', '.props', '.psh', '.pshader', '.ptx', '.publishproj', '.pubxml', '.pxn', '.pyo', '.pyw', '.pyz', '.pyzw', '.qds', '.raf', '.rat', '.razor', '.rc', '.rc2', '.rct', '.res', '.resmoncfg', '.resw', '.resx', '.rgs', '.rle', '.rll', '.rmi', '.rpc', '.rsp', '.rul', '.ruleset', '.rw2', '.rwl', '.s', '.sbr', '.sc2', '.scc', '.scd', '.scf', '.sch', '.scp', '.scss', '.sdl', '.search-ms', '.searchconnector-ms', '.sed', '.settingcontent-ms', '.sfcache', '.sh', '.shproj', '.shtm', '.shtml', '.sit', '.sitemap', '.skin', '.slnf', '.snd', '.snippet', '.snk', '.sol', '.sor', '.spc', '.sr2', '.srf', '.srw', '.sr_', '.sst', '.stvproj', '.suo', '.svc', '.svclog', '.sym', '.symlink', '.sys', '.sy_', '.tar', '.targets', '.tdl', '.testrunconfig', '.testsettings', '.text', '.tgz', '.theme', '.themepack', '.tiff', '.tlb', '.tlh', '.tli', '.tod', '.tpsr', '.trg', '.trx', '.ts', '.tsp', '.tsv', '.tsx', '.tt', '.ttc', '.ttf', '.tts', '.tvc', '.tvlink', '.tvs', '.txt', '.udf', '.udl', '.udt', '.uitest', '.user', '.usr', '.uvu', '.vb', '.vbhtml', '.vbox', '.vbox-extpack', '.vbproj', '.vbx', '.vcf', '.vcproj', '.vcxitems', '.vcxproj', '.vhd', '.vhdpmem', '.vhdx', '.viw', '.vmac', '.vmba', '.vmpl', '.vmsd', '.vmsn', '.vmss', '.vmt', '.vmtm', '.vmx', '.vmxf', '.vsct', '.vsglog', '.vsh', '.vshader', '.vsix', '.vsixlangpack', '.vsixmanifest', '.vsmdi', '.vsp', '.vsprops', '.vsps', '.vspscc', '.vsscc', '.vssettings', '.vssscc', '.vstemplate', '.vsz', '.vxd', '.wab', '.wax', '.wbcat', '.wcx', '.wdp', '.weba', '.webp', '.webpnp', '.website', '.wll', '.wlt', '.wm', '.wmd', '.wmdb', '.wmf', '.wmp', '.wms', '.wmx', '.wmz', '.wpa', '.wpapk', '.wpl', '.wri', '.wsdl', '.wsz', '.wtv', '.wtx', '.wvx', '.x', '.x3f', '.xaml', '.xbap', '.xdr', '.xht', '.xhtml', '.xix', '.xlb', '.xlc', '.xls', '.xproj', '.xrm-ms', '.xsc', '.xslt', '.xss', '.z', '.z96', '.zfsendtotarget', '.zoo', '._bsln140', '._bsln150', '._sln', '._sln100', '._sln110', '._sln120', '._sln140', '._sln150', '._sln160', '._sln170', '._sln60', '._sln70', '._sln71', '._sln80', '._sln90', '._vbxsln100', '._vbxsln110', '._vbxsln80', '._vbxsln90', '._vcppxsln100', '._vcppxsln110', '._vcppxsln80', '._vcppxsln90', '._vcsxsln100', '._vcsxsln110', '._vcsxsln80', '._vcsxsln90', '._vjsxsln80', '._vw8xsln110', '._vwdxsln100', '._vwdxsln110', '._vwdxsln120', '._vwdxsln140', '._vwdxsln150', '._vwdxsln80', '._vwdxsln90', '._vwinxsln120', '._vwinxsln140', '._vwinxsln150', '._wdxsln110', '._wdxsln120', '._wdxsln140', '._wdxsln150', '.all', '.amr', '.appinstaller', '.appx', '.appxbundle', '.c5e2524a-ea46-4f67-841f-6a9465d9d515', '.conf', '.daq', '.dpl', '.fbx', '.fd', '.fh', '.fud', '.glb', '.gltf', '.ids', '.iss', '.list', '.m3u8', '.m4r', '.md', '.mdc', '.mpg4', '.ms-lockscreencomponent-primary', '.msix', '.msixbundle', '.nupkg', '.one', '.oxps', '.ply', '.reputation', '.rwz', '.sample', '.sig', '.solitairetheme8', '.stl', '.thumb', '.winget', '.winmd', '.wsb', '.xvid', '.yaml', '.zpl', '.boe', '.cwp', '.jar', '.jnlp', '.jxl', '.lfm', '.lpi', '.lpk', '.lpr', '.oetpl', '.ovpn', '.pp', '.soe', '.tbz2', '.txz', '.tzst', '.wdq', '.zst', '.cnf', '.d', '.data', '.f4a', '.fluid', '.hdmp', '.kdmp', '.lastbuildstate', '.loop', '.mdmp', '.mxf', '.ndmp', '.note', '.opdownload', '.pyx', '.qt', '.recipe', '.rm', '.rmv', '.rmvb', '.run', '.tlog', '.whiteboard', '.yuv' ]

I have list of this things. I was going to create anti ransomware or too many files access thing for haiku to detect malware from scratch instead of porting YARA rules etc. That would be more interesting. Just add one line to ClamAV, then it can detect this malware. Currently ClamAV and other engines can’t detect it. I going to use fileTypes to detect ransomware. For now I don’t going to use driver.

waddlesplash · 2024-10-20T19:24:37.999Z

It looks like this same “ransomware” would run on Linux and encrypt your home directory there with only a few changes. So Haiku isn’t uniquely vulnerable here.

Androsio · 2024-10-20T21:03:27.815Z

This is one of those occasions when multi-user is necessary: the normal user is root all the time, and it doesn’t help at all.

I also want to take this opportunity to suggest a containerized package system. Imagine something similar to Cannonical’s Snap.

roiredxsoto · 2024-10-20T21:16:03.347Z

Good day,

I was just thinking about cointainerizing software, but was thinking about firejail. Though snap, flatpak or appimage translation to Haiku would do. Whatever the tech, Haiku needs it. Also multiuser. Being root all the time is not that good.

Regards,
RR

Cell · 2024-10-21T05:02:56.994Z

What would be the point, so only user accssible files gets encrypted? People just shouldn’t run random files of the 'net, root acces wouldn’t make a diffference here. Also this is my personal opinion, but ubuntu’s implementation of snaps is the most annoying aspect of it.

extrowerk · 2024-10-21T06:06:37.454Z

authorization

ilfelice · 2024-10-21T06:24:34.138Z

https://www.desktoponfire.com/haikuos/667/haiku-os-reaches-new-milestone-first-ransomware-confirms-system-maturity/

win8linux · 2024-10-21T06:51:14.344Z

The malware uses the advanced AES-256-GCM encryption algorithm to encrypt victim files, a choice that highlights the availability of robust cryptographic libraries in the system.

Cryptographic libraries are common across most OSes, even in niche OSes. This ransomware is possible from Windows to AROS and everything in between.

An interesting aspect of the ransomware is the use of the “.utkudorukbayraktarheckledi” file extension for encrypted files, a detail that demonstrates the flexibility of Haiku’s file system in handling unconventional file names.

Most file systems are more advanced than FAT16, even in hobbyist OSes; many just use ext2 or FAT32.

The functionality of placing a ransom note in each encrypted folder reveals the ease with which applications in Haiku can navigate and manipulate the directory structure. This aspect could be positively leveraged to develop powerful file management and backup tools.

This is just basic file management!

Developers can now analyze the techniques used and implement effective countermeasures, making the system even more robust.

It just encrypts the home folder. This type of ransomware can happen even on macOS.

Was this article written with an LLM? It’s a lot of words that don’t say anything.

HydraDragonAntivirus · 2024-10-21T14:31:44.141Z

I released v0.2 with some small and big updates. It seems like UEFI/MBR payload didn’t get triggered but Ransomware working, after you restart you can see encrypted files.

damoklas · 2024-10-21T14:53:21.207Z

Haiku needs some sort of root access “sudo” command to restrict important/dangerous operations from such “apps” and other foolishness.

HydraDragonAntivirus · 2024-10-21T17:01:32.107Z

World’s First Haiku Ransomware Destruction - YouTube
Here is the destruction

Cell · 2024-10-21T19:23:48.542Z

Did you try having multiple processes running to prevent the user from killing it. It seems far to easy to just power + alt + del and kill process.

HydraDragonAntivirus · 2024-10-21T21:43:36.613Z

After he starts, he cause too many crashes and lags so you can’t do anything if you don’t quick.

HydraDragonAntivirus · 2024-10-22T11:38:49.852Z

If user use this maximum one file going to be encrypted from desktop but you can’t see .txt log file for some reason HaikuRansomware/HydraRansomCheck/HydraRansomCheck at main · HydraDragonAntivirus/HaikuRansomware

HydraDragonAntivirus · 2024-10-22T12:33:40.082Z

HaikuOS Ransomware vs HydraRansomCheck - YouTube
VirusTotal - File - 0d47e5dc3362b5826dde8ee9f694c291149c0fd4db8152669bb9a4943a1d95f4

LianBg · 2024-10-22T17:29:41.844Z

I am going to go against the grain here and just throw in that I don’t think that this changes anything.
Being a single-user all-privileged home user system is part of the core concept of Haiku and this shouldn’t be changed just because of a proof-of-concept piece of malware.

In the real world, ransomware and other cybercrime these days are hitting corporations and nations, because that is where the big insurance and corporate money is; institutions that wouldn’t and shouldn’t use Haiku anyway.
The average personal computer user who is the target audience for Haiku has nothing worth stealing or ransoming on the scale that cybercriminals want. Why risk cybercrime prison time for ransoming 200€ out of an arbitrarily chosen poor person so they can get their family pictures back, when you can risk the same prison time on potentially getting a 20.000.000€ ransom payout by a telecom service?

Cybercriminals do not target the average Haiku user, therefore malware will not be a real world problem outside of esoteric experimental projects like this.

It’s a really cool proof-of-concept but I don’t think we should panic about this, lest change Haiku’s core design for a faux sense of security. GNU, Linux, the BSDs, Windows - they all are used by governments and corporations who actually have to worry about cybercrime. Your average home PC user who uses Haiku does not.

Cell · 2024-10-22T19:13:21.034Z

LianBg:

The average personal computer user who is the target audience for Haiku has nothing worth stealing or ransoming on the scale that cybercriminals want. Why risk cybercrime prison time for ransoming 200€ out of an arbitrarily chosen poor person so they can get their family pictures back, when you can risk the same prison time on potentially getting a 20.000.000€ ransom payout by a telecom service?

You’ll have to trust me on these statement, but every device has value. Of course not for ransacking money from with ransomware since those only work if you:

A. Really spread it en masse
B. A big coorporation fell for it and is desprate

Just because someone is poor doesn’t mean the data has no value. A single mother of three children also has money, it isn’t much and not worth it, but it is there for those desprate to cash out. It is stupid though.

Real value comes in the computer’s bandwidth and cores. Botnets aren’t cheap. Most botnets do focus on infecting larger Linux servers (especially Debian) since those have the most bandwidth, but consumer computers also often are the target, especially outdate Windows installs, but also modern Windows installs. Every core counts.