Wednesday, April 29, 2015

TeslaCrypt, another malware family in the growing list of "lockers" (CryptoLocker, CryptoWall, etc.), is being dropped constantly by several methods, infecting machines, and generally making people's lives terrible.

That being said, a couple of researchers here on the ClamAV team at Talos took a look at this malware, broke it down for an explanation, and even released a tool so that you can decrypt TeslaCrypt-locked files yourself.

We've released the tool on our blog post, including the source code (open source, GPLv2), and will be placing the code on our GitHub page soon.

Please take a look at that blog post if you've been a victim of TeslaCrypt, and if you have comments, please leave them on the post over on our Talos blog!

Thanks!

ClamAV 0.98.7 is here! This release contains new scanning features
and bug fixes.

    - Improvements to PDF processing: decryption, escape sequence
      handling, and file property collection.
    - Scanning/analysis of an additional Microsoft Office 2003 XML format.
    - Fix infinite loop condition on crafted y0da cryptor file. Identified
      and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221.
    - Fix crash on crafted petite packed file. Reported and patch
      supplied by Sebastian Andrzej Siewior. CVE-2015-2222.
    - Fix false negatives on files within iso9660 containers. This issue
      was reported by Minzhuan Gong.
    - Fix a couple of crashes on crafted upack packed files. Identified and
      patches supplied by Sebastian Andrzej Siewior.
    - Fix a crash during algorithmic detection on crafted PE file.
      Identified and patch supplied by Sebastian Andrzej Siewior.
    - Fix an infinite loop condition on a crafted "xz" archive file.
      This was reported by Dimitri Kirchner and Goulven Guiheux.
      CVE-2015-2668.
    - Fix compilation error after ./configure --disable-pthreads.
      Reported and fix suggested by John E. Krokes.
    - Apply upstream patch for possible heap overflow in Henry Spencer's
      regex library. CVE-2015-2305.
    - Fix crash in upx decoder with crafted file. Discovered and patch
      supplied by Sebastian Andrzej Siewior. CVE-2015-2170.
    - Fix segfault scanning certain HTML files. Reported with sample by
      Kai Risku.
    - Improve detections within xar/pkg files.

As always, we appreciate contributions of bug reports, code fixes,
and sample submissions from the ClamAV community members:

Sebastian Andrzej Siewior
Minzhuan Gong
Dimitri Kirchner
Goulven Guiheux
John E. Krokes
Kai Risku

ClamAV 0.98.7 is always available from ClamAV.net on the downloads page.