Slashdot Mirror


First Node.js-Powered Ransomware Discovered (softpedia.com)

An anonymous reader writes: A security researcher from Emsisoft has discovered a new ransomware family coded via NW.js (formerly Node-WebKit). Why is it unique? Because it is the first of its kind to use JavaScript for the ransomware's source code, it provides cross-OS support (we may see the first universal Windows-Linux-Mac ransomware in the future), and because the security researcher describes it as "successor of CryptoLocker" when it comes to encryption quality. The ransomware, Ransom32, is offered as a RaaS service on the Dark Web, only targets Windows machines in its first version, and is currently undecryptable.

39 of 69 comments

  1. So glad we "got rid of Flash" by Anonymous Coward · · Score: 1

    Not only do I still need to bend over for Adobe. Now open source can screw me too!

    1. Re:So glad we "got rid of Flash" by epyT-R · · Score: 1, Insightful

      Yeah we replaced actionscript with javascript. How is this really an improvement? We still have an insecure virtual machine facing the internet whenever the browser makes a request.

    2. Re:So glad we "got rid of Flash" by exomondo · · Score: 1

      We still have an insecure virtual machine facing the internet whenever the browser makes a request.

      Plenty of them are open source, if you find vulnerabilities get to fixing it or fund fixes to it.

    3. Re:So glad we "got rid of Flash" by dos1 · · Score: 3, Informative

      Okay, but how is that related? Using JavaScript with Node.js is no different than using Python with CPython, or any other interpreted language using their interpreter. The fact that browsers happen to use the same syntax for their in-page scripting doesn't mean anything here.

    4. Re:So glad we "got rid of Flash" by epyT-R · · Score: 1

      Well, sure, but the best fix is to remove the VM. If you want to run code on a client machine, distribute a system binary. This way we don't have to recreate modern operating system security models all over again inside the browser.

    5. Re:So glad we "got rid of Flash" by exomondo · · Score: 1

      Well, sure, but the best fix is to remove the VM. If you want to run code on a client machine, distribute a system binary. This way we don't have to recreate modern operating system security models all over again inside the browser.

      No the best fix is to properly sandbox the VM. Otherwise every interactive website needs to have a system binary for iOS, Android, Windows, OSX, Linux, etc.

    6. Re:So glad we "got rid of Flash" by dave420 · · Score: 1

      "This virtual machine is too insecure! Give me a binary I can run instead!". You've really not thought this through, have you grandpa?

  2. Attack vector? by mark-t · · Score: 3, Interesting

    Specifically, what is the actual attack vector for this? All it seems like to me is that they've made a cross-platform trojan... one that still needs to be explicitly executed by the end user, since the only self-executing JS that I know of is within a web browser, and the JavaScript running inside of that can't even see the local filesystem, can it?

    1. Re:Attack vector? by Anonymous Coward · · Score: 1

      NW.js removes the javascript limitation and can interact with the OS's filesystem.

    2. Re:Attack vector? by mark-t · · Score: 1

      The javascript that executes inside a mail reader can't see the filesystem either.

    3. Re:Attack vector? by fuzzyfuzzyfungus · · Score: 1

      They are using the NW.js javascript environment, packaged in their executable, to provide javascript interpretation without the browser limitations; but according to the article it is just being used in social engineering attacks at present, not coupled with an exploit.

      Presumably having the guts of the application in javascript will make the developer's life easier if he wants to produce a version for another platform and nothing prevents this being used as a payload for some other exploit that allows the attacker to execute something for you; but the current version appears to be all payload and not much delivery mechanism.

    4. Re:Attack vector? by mark-t · · Score: 1

      So... trojan?

    5. Re:Attack vector? by mark-t · · Score: 1

      That's not a javascript limitation, that's a limitation imposed by the web browser. To my understanding, NW.js gives access to node.js from inside DOM, and has nothing to do with the OS's filesystem. To my understanding, the node.js filesystem api is for accessing permanent storage, and has about as much to do with the real filesystem as ~/.wine/drive_c has to do with the native file system.

    6. Re:Attack vector? by Anonymous Coward · · Score: 1

      Node.js is a stand-alone Javascript environment. It has access to OS facilities like filesystem, processes and FFI.

      NW.js is "batteries included" Node.js where Webkit is used as GUI toolkit. PopcornTime is written in NW.js, AFAIK.

    7. Re:Attack vector? by dos1 · · Score: 2

      Download and run it. Just like lots of other trojans/ransomwares. It could have been written in Python, Ruby, Perl, whatever, there would be no difference. Someone just thought that the fact that it uses the same language that browsers happen to use for their scripting is somehow remarkable and news-worthy. It really isn't.

    8. Re:Attack vector? by phantomfive · · Score: 1

      As a hack, it's nothing interesting. Anyone can build one of these, in basically any language.

      The article is interesting because it shows the trends that are going on in the malware world. Used to be malware was all C or assembly.

      The screenshots in the article are worth a look too. All commercialized and everything. Reminds me of the book McMafia.

      --
      "First they came for the slanderers and i said nothing."
    9. Re:Attack vector? by requerdanos · · Score: 1

      Hmm. I get

      File not found: Iceweasel can't find the file at /c:/.

    10. Re:Attack vector? by mark-t · · Score: 1

      My point is that as a trojan, the end user still needs to explicitly launch the executable... so the only techniques that will work to propagate it are the same ones as what are used to propagate any trojan. The overall experience of using the web is not altered by this as it would be if the exploit were runnable inside of a browser window.

  3. Good argument for using Chrome by 93+Escort+Wagon · · Score: 1

    Since V8's randomization is flawed, anything encrypted with it should be reversible!

    (I kid, I kid...)

    --
    #DeleteChrome
  4. Re:A First for Cross-OS Support? by fuzzyfuzzyfungus · · Score: 1

    And Java's predecessors were old enough to drink when Java was laid out. In fact, given that computers used to be a great deal rarer than mathematicians, it may well be argued that we've had architecture-independent programs longer than we've had architectures and certainly longer than we've had OSes.

  5. Re:Pure HTML by mark-t · · Score: 1

    Where did you see that it ever claimed to work inside of web browser?

  6. Re:A First for Cross-OS Support? by Holi · · Score: 1

    Javascript is not Java

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
  7. How is it platform independent? by goombah99 · · Score: 3, Informative

    So it's installing a server for Node.js, but that does not make it platform independent. The script side of it may be, but not the backend, and it has to install that too.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:How is it platform independent? by exomondo · · Score: 1

      but that does not make it platform independent.

      Which is why he said cross-platform rather than "platform independent". There are many platforms that you can install a server for nodejs on.

    2. Re:How is it platform independent? by goombah99 · · Score: 1

      Whoo hooo. By that distinction, if it ran in Python, or C, or Wolfram we could call it cross-platform. In fact that's true of any language short of PowerShell or DOS batch files, and even there you could run them in a VM, so they too are cross-platform if you are willing to install a heavyweight interpreter like Node.js.

      --
      Some drink at the fountain of knowledge. Others just gargle.
  8. Re:Pure HTML by Anonymous Coward · · Score: 2, Informative

    Node-webkit stuff will definitely NOT run inside a browser. That was the entire point of node-webkit. It's a node environment fused with a webkit environment.

    Which, editors, is not "node.js"; it's a fork.

  9. First universal Windows-Linux-Mac ransomware .. by Marcomasino · · Score: 1

    "The ransomware, Ransom32, is offered as a RaaS service on the Dark Web, only targets Windows machines in its first version, and is currently undecryptable."

    How does this ransomware get loaded and executed on Linux and Macs?

    1. Re:First universal Windows-Linux-Mac ransomware .. by Anonymous Coward · · Score: 1

      You infect the user via a trojan that downloads the actual ransomware, which is a NW.js binary (which can easily get cross-platform support in future versions because NW.js is cool like that), which can then be automatically launched into execution in the background via multiple OS vulnerabilities that allow privilege escalation or remote code execution in older (or even newer) Mac or Linux versions. It's not that hard... but it takes a lot of effort to piece all the code together.

    2. Re:First universal Windows-Linux-Mac ransomware .. by AC-x · · Score: 1

      How does this ransomware get loaded and executed on Linux and Macs?

      chmod +x

      :)

    3. Re:First universal Windows-Linux-Mac ransomware .. by Lennie · · Score: 1

      As I understand it, this ransomware is only the part that handles all the encryption and uploading the key, etc.

      So this depends on an exploit, the Windows exploit will probably be different from the Mac or Linux version.

      Windows desktops have a larger market share, so that is why they are targeting that platform first?

      --
      New things are always on the horizon
    4. Re:First universal Windows-Linux-Mac ransomware .. by dos1 · · Score: 1

      Just like any other trojan.

  10. Re:Pure HTML by dos1 · · Score: 1

    Aside from the fact that it has a browser engine built in and probably uses HTML for its UI, it's absolutely unrelated to browsing or HTML in any other way.

  11. I've seen this by JThundley · · Score: 5, Insightful

    I think I've seen this one first hand. It was emailed to the victim posing as a Firstname Lastname resume.zip, inside was Firstname Lastname resume.js. Inside the .js was what looked like base64 being encoded to something, probably downloading and running the actual exe.

    The biggest shock in all this is that Windows will execute a .js file when you double-click it. How fucking retarded is that? I'm looking at changing the default program for .js files to be notepad instead of the Windows Scripting Host.
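The remap the post proposes, as an added example (not the commenter's code, nor anything from Emsisoft or NW.js): a PowerShell audit of what Explorer runs for double-clicked script files, with an optional switch of the system-wide handler to Notepad. The function names are this example's own; the registry paths are Windows' standard file-association keys, and the script must run from an elevated prompt.

```powershell
# Added example, not code from the thread or from Emsisoft: audit which program
# Explorer launches for double-clicked script files and, on request, remap the
# system-wide handler to Notepad so the source is shown rather than executed.
# Run from an elevated PowerShell; the function names are this example's own,
# the registry paths are Windows' standard file-association keys.

function Get-ScriptHandler {
    param([string]$Extension)
    try {
        # The extension key names a ProgID (e.g. JSFile); that ProgID's
        # Shell\Open\Command is the command line Explorer runs on double-click.
        $progId  = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\$Extension" -ErrorAction Stop).'(default)'
        $cmdKey  = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        $command = (Get-ItemProperty $cmdKey -ErrorAction Stop).'(default)'
    } catch {
        return $null   # extension not registered on this machine
    }
    [pscustomobject]@{
        Extension  = $Extension
        ProgId     = $progId
        Command    = $command
        # wscript.exe / cscript.exe are the Windows Script Host engines
        RunsViaWSH = $command -match '(?i)[wc]script\.exe'
    }
}

function Set-ScriptHandlerToNotepad {
    param([string[]]$Extensions)
    # Expand SystemRoot now so the stored command needs no variable expansion.
    $notepad = '"{0}\System32\notepad.exe" "%1"' -f $env:SystemRoot
    foreach ($ext in $Extensions) {
        $info = Get-ScriptHandler -Extension $ext
        if (-not $info) { continue }
        if (-not $info.RunsViaWSH) { Write-Host "$ext already not handled by WSH"; continue }
        $cmdKey = "HKLM:\SOFTWARE\Classes\$($info.ProgId)\Shell\Open\Command"
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $notepad
        Write-Host "$ext ($($info.ProgId)) now opens in Notepad"
    }
}

# The .js the post describes plus the other extensions WSH normally handles.
$wshExtensions = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh')

# Audit first: RunsViaWSH = True means a double-click executes the script.
$wshExtensions | ForEach-Object { Get-ScriptHandler $_ } | Format-Table -AutoSize

# Uncomment to apply the remap:
# Set-ScriptHandlerToNotepad -Extensions $wshExtensions
```

On Windows 10 a per-user UserChoice entry under HKCU can override this system default, and the audit above reads only HKLM. Disabling Windows Script Host outright (the Enabled value under HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings set to 0) is the blunter alternative.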

    1. Re:I've seen this by Anonymous Coward · · Score: 1

      I think I've seen this one first hand. It was emailed to the victim posing as a Firstname Lastname resume.zip, inside was Firstname Lastname resume.js. Inside the .js was what looked like base64 being encoded to something, probably downloading and running the actual exe.

      Thanks for this. I found this result - https://lgscout.com/malicious-resume-from-sammy-fields-a-less-than-ideal-candidate/
      Here is a search with more info: http://www.bing.com/search?q=resume.zip%20resume.js%20%20ransom&qs=n

      Your attacker may not be the same as what's reported there, considering these guys use kits based on standards... malicious open source, if you will....

    2. Re:I've seen this by DigiShaman · · Score: 1

      I know I've seen it! You can thank the bastards behind Cryptowall 3.0 and 4.0 for that. Just block all attachments containing the file name resume.zip from the email server side. If anyone needs to send a resume, have HR or the hiring manager instruct them as to the proper file name and format to use.

      --
      Life is not for the lazy.
  12. Re:A First for Cross-OS Support? by Junta · · Score: 2

    Note that in the debian.org set, Java won on cpu speed in one benchmark, lost on all in terms of resource utilization compared to C. So compared to C, it seems to back the assertion that Java on a JVM is disadvantaged cpu/memory wise compared to a compiled C application. Of course this is a selection of benchmarks that has had the world to think about it and probably does not represent what the average developer will achieve with the respective languages.

    Of course, there are a lot of languages whose runtime are as slow if not slower than Java, yet Java does continue to be the whipping boy for people wanting to talk about bad performance.

    The short of it is that in the real world, the differences in the languages pale in comparison to what the developer can do. On a typical application I've encountered, optimizations within the way the code runs, given the same runtime, can yield an order of magnitude difference without even thinking about the relative contribution of the runtime differences from porting to another language. So it's a fascinating academic discussion, but comfort with the languages is far more important in reality. Java has suffered in practice because it's where all the developers went to churn out their dubious code...

    --
    XML is like violence. If it doesn't solve the problem, use more.
  13. Curious by VernonNemitz · · Score: 1

    If a system is set up to require administrator approval for installation of software, can this ransomware actually install the core utilities it needs to interact with the Operating System without the user noticing? I'm quite willing to never install NW.js if that's all I need to do to protect myself from this.

    1. Re:Curious by dos1 · · Score: 1

      If the existence of that ransomware would prevent you from installing Node, then you should also uninstall Python, Ruby, Visual Basic, Perl etc.

      The only difference is that with node-webkit you usually get the interpreter bundled together with the application - and that actually, from user PoV, makes it no different than all the other apps written in C, C++, Rust, Delphi, Go etc.

  14. Re:A First for Cross-OS Support? by TheDarkMaster · · Score: 1

    The new kids only know JavaScript, so...

    --
    Religion: The greatest weapon of mass destruction of all time