Trend Micro distributing a GPL-violating TeslaCrypt decryptor!


4 replies to this topic

#1 Googulator

  • Members
  • 28 posts
  • Gender:Male

Posted 28 December 2017 - 12:13 AM

Trend Micro released a multi-ransomware decryptor a while ago, aptly named Trend Micro Ransomware File Decryptor.

It doesn't seem to be very popular on this forum, but other ransomware-related sites and forums often link to it, including NoMoreRansom.

 

This tool only supports decrypting TeslaCrypt 3.x and 4.x; Trend Micro's site states that a separate "TeslacryptDecryptor 1.0.xxxx MUI" tool is available for earlier versions. Trend Micro strangely refuses to link to this tool, and instead it's only offered on request by their technical support staff. Nevertheless, the download link is quite easy to find with some Google-fu.

 

I have downloaded this mysterious "TeslacryptDecryptor" to test on some of my TeslaCrypted samples (the ones I originally wrote TeslaCrack for), and I was in for a surprise.

The tool comes as a self-extracting archive, and inside are a wrapper exe and some precompiled Python files (*.pyc). Opening unfactor.pyc revealed some familiar strings. In fact, it's a compiled version of unfactor-ecdsa.py from TeslaCrack! Likewise, another pyc file turned out to be teslacrack.py in disguise.

 

Trend Micro included an extensive list of 3rd-party software copyright notices and open-source licenses applying to various code used in the tool, but no acknowledgement is made of TeslaCrack, and no mention of GPLv3. Moreover, the pyc files in question are claimed as "proprietary and confidential information of Trend Micro Incorporated" in the tool's clickwrap license.

Some GPLv2'd components are properly acknowledged, but no sources are published.

 

Needless to say, this is not the kind of behavior I would have expected from a major player in the PC security market like Trend Micro.
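The inspection step described in the post above, opening a .pyc and looking for familiar strings, can be done without ever executing the bundled bytecode: a .pyc is a small header followed by a marshalled code object, and the names, string constants and recorded source file name can be read straight out of that object. The following is an added example written for this page; it is not code from the thread, from Trend Micro or from TeslaCrack. It builds a constructed sample .pyc in memory (the file name "unfactor-ecdsa.py" is taken from the post, while the function name "unfactor_key" and the marker list are assumptions chosen for the example), unmarshals the code object, recursively collects identifying strings, and intersects them with a reference list a reviewer would expect from the original project.

```python
"""Recover identifying strings from a compiled Python (.pyc) file.

Added example, not from the forum thread, Trend Micro or TeslaCrack.
Uses the CPython 3.7+ pyc layout: a 16-byte header (magic, flags,
mtime/size or source hash) followed by a marshalled code object.
The code object is only unmarshalled and walked; it is never executed.
"""
import importlib.util
import marshal
import struct
import types

PYC_HEADER_LEN = 16  # magic(4) + flags(4) + mtime(4) + source size(4)


def build_pyc(source: str, filename: str) -> bytes:
    """Compile `source` into the on-disk .pyc byte layout (constructed sample)."""
    code = compile(source, filename, "exec")
    # flags=0 selects the timestamp-based header; mtime=0 is fine for a sample.
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, len(source))
    return header + marshal.dumps(code)


def load_code_object(pyc_bytes: bytes) -> types.CodeType:
    """Check the magic number against the running interpreter and unmarshal."""
    if pyc_bytes[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("pyc magic does not match the running interpreter")
    return marshal.loads(pyc_bytes[PYC_HEADER_LEN:])


def extract_strings(code: types.CodeType) -> set[str]:
    """Collect the source file name, code names, globals referenced, local
    variable names and string constants, recursing into nested code objects
    (functions, classes, comprehensions)."""
    found = {code.co_filename, code.co_name}
    found.update(code.co_names)
    found.update(code.co_varnames)
    for const in code.co_consts:
        if isinstance(const, str):
            found.add(const)
        elif isinstance(const, types.CodeType):
            found |= extract_strings(const)
    return {s for s in found if s}


# Hypothetical reference markers: the two file names mentioned in the post
# plus a function name constructed for this example.
REFERENCE_MARKERS = {"unfactor-ecdsa.py", "teslacrack.py", "unfactor_key"}


def matching_markers(pyc_bytes: bytes, markers=REFERENCE_MARKERS) -> list[str]:
    """Return the reference markers that appear in the given .pyc, sorted."""
    return sorted(extract_strings(load_code_object(pyc_bytes)) & markers)


# Constructed sample module; the body is a placeholder, not real decryptor code.
SAMPLE_SOURCE = '''
def unfactor_key(primes):
    """Constructed stand-in for a key-reconstruction routine."""
    return sum(primes)

DESCRIPTION = "constructed module for the example"
'''
SAMPLE_PYC = build_pyc(SAMPLE_SOURCE, "unfactor-ecdsa.py")

if __name__ == "__main__":
    print("markers found:", matching_markers(SAMPLE_PYC))
    print("all strings:", sorted(extract_strings(load_code_object(SAMPLE_PYC))))
```

The recorded `co_filename` is often the strongest single clue, since the compiler stores whatever path the vendor compiled from; function and global names from `co_names` and `co_varnames` survive even when the file was renamed. On a real file, run `matching_markers` on the bytes read from disk and use a marker list drawn from the suspected upstream project's own source.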




#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 52,089 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 28 December 2017 - 09:24 AM

Trend Micro's Ransomware File Decryptor has been mentioned several times in the various TeslaCrypt support topics and elsewhere on this forum.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 al1963

  • Members
  • 894 posts

Posted 29 December 2017 - 07:17 AM

According to my observations, Trend Micro updates its complex decoder, but usually after the decoding solution has been obtained by other researchers.

The last example: the decoder for the classic Petya Red / Green / Gold.



#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 52,089 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 December 2017 - 07:39 AM

Kaspersky, Avast, AVG and ESET also periodically update their decrypters.

#5 Grinler

    Lawrence Abrams

  • Admin
  • 43,717 posts
  • Gender:Male
  • Location:USA

Posted 29 December 2017 - 10:22 AM

> I have downloaded this mysterious "TeslacryptDecryptor" to test on some of my TeslaCrypted samples (the ones I originally wrote TeslaCrack for), and I was in for a surprise.
> The tool comes as a self-extracting archive, and inside is a wrapper exe, and some precompiled Python files (*.pyc). Opening unfactor.pyc revealed some familiar strings. In fact, it's a compiled version of unfactor-ecdsa.py from TeslaCrack! Likewise, another pyc file turned out to be teslacrack.py in disguise.
>
> Trend Micro included an extensive list of 3rd-party software copyright notices and open-source licenses applying to various code used in the tool, but no acknowledgement is made of TeslaCrack, and no mention of GPLv3. Moreso, the pyc files in question are claimed as "proprietary and confidential information of Trend Micro Incorporated" in the tool's clickwrap license.
> Some GPLv2'd components are properly acknowledged, but no sources are published.


Using copyrighted tools without an attribution to the author, let alone permission, is highly unethical.

Have you contacted them, and if so, have you received a response?

Can you share the link to this executable?



