Slashdot Mirror


Petya Ransomware Uses DOS-Level Lock Screen, Prevents OS Boot Up (softpedia.com)

An anonymous reader writes: A new type of ransomware has been discovered that crashes your PC into a BSOD, restarts your computer, and then prevents your OS from starting by altering the hard drive's master boot record (MBR). This keeps the user locked in a DOS screen that doubles as the ransomware's ransom note. The ransomware's name is Petya, and it has currently been seen only targeting HR departments in Germany.

155 comments

  1. Oh it's another one of those by Anonymous Coward · · Score: 0, Troll

    Sounds like a Windows problem.

    Another satisfied Microsoft customer?

    1. Re:Oh it's another one of those by Anonymous Coward · · Score: 0

      It sounds like an improvement over systemd.

    2. Re:Oh it's another one of those by bondsbw · · Score: 4, Informative

      Sounds more like a problem where the author of the article doesn't know the difference between DOS and "not GUI".

      This changes the Master Boot Record and encrypts files while it displays the skull logo and warning message. From what I can tell, you can simply unplug your computer to stop the process of encrypting your files... the earlier you stop, the fewer files are affected.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    3. Re:Oh it's another one of those by hey! · · Score: 1

      Some jokes never get old.

      Other ones...

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    4. Re:Oh it's another one of those by Anonymous Coward · · Score: 0

      I think he used DOS to describe the OS pre-boot state. I've seen many people use that term, regardless of whether it's correct or not.

    5. Re:Oh it's another one of those by is7s · · Score: 1

      I thought that was DOS too; what is it called then? Isn't that MS-DOS running the boot code?

    6. Re:Oh it's another one of those by Anonymous Coward · · Score: 0

      No, it is the Windows kernel; MS-DOS is long gone. The Windows GUI that you see is actually a subsystem implemented on top of that.

    7. Re:Oh it's another one of those by U2xhc2hkb3QgU3Vja3M · · Score: 4, Funny

      Some jokes never get old.

      Other ones... get integrated into the next version of systemd.

    8. Re:Oh it's another one of those by Anonymous Coward · · Score: 0

      Only if you are using Win 95/98/ME.

    9. Re:Oh it's another one of those by Anonymous Coward · · Score: 0

      I thought systemd *was* ransomware.

    10. Re:Oh it's another one of those by Antique+Geekmeister · · Score: 1

      No, it's mostly VMS. Take a look at the extensive lawsuits when David Cutler was hired from DEC, and took a lot of his old VMS developer team with him to create the kernel for Windows NT.

    11. Re:Oh it's another one of those by Anonymous Coward · · Score: 0

      Is this a serious question here, in /.?

    12. Re:Oh it's another one of those by Vlad_the_Inhaler · · Score: 1

      Did you not RTFA? It only claims to encrypt the data, but does not actually do it.

      --
      Mielipiteet omiani - Opinions personal, facts suspect.
    13. Re: Oh it's another one of those by Anonymous Coward · · Score: 0

      So, if you were a bad guy, wanting to make money off some innocent grandma, you would attack the most secure? The least used systems? Or a widely used business program?
      I thought that was known years ago, or is this a new variant?

    14. Re: Oh it's another one of those by bondsbw · · Score: 1

      Yes I did. But the article took a quote from its source and summarized it a bit differently. Here is the original quote from the source:

      As of this writing we assume that only the file access is blocked but the files themselves are not encrypted. Experts at the G DATA SecurityLabs are still analyzing this new type of ransomware.

      That is a bit less confident than TFA states.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    15. Re:Oh it's another one of those by LocalH · · Score: 2

      That's as much a misconception as "text mode = DOS".

      This is neither. This is malware that installs code to the MBR that loads before any OS. In fact, it's sort of its own OS, running on bare metal.

      --
      FC Closer
  2. This file is an EXE file. What Year is This??? by mpapet · · Score: 1

    I thought Windows[7,8,10,9999] was supposed to fix this? Was the user "warned" about opening a file for the 10th time that day?

    What happens when I open it with WINE?

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
    1. Re: This file is an EXE file. What Year is This??? by Anonymous Coward · · Score: 0

      Yeah... WTF? I thought they got rid of GUI over DOS around Windows 98.

    2. Re: This file is an EXE file. What Year is This??? by ihtoit · · Score: 1

      98 used COMMAND.COM, ME used VMM32.VXD (hence real-mode DOS applications couldn't run without some serious tweaking).

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    3. Re: This file is an EXE file. What Year is This??? by Anonymous Coward · · Score: 0

      You can't fix stupid.

      "portfolio-packed.exe, seems legit. I'll just double click it and ignore the warning that pops up, I'm sure Windows Defender will keep me safe, that keeps viruses away, right?"

  3. Also encrypts files by Megahard · · Score: 2

    According to the update in TFA, so just repairing the MBR will not solve the problem.

    --
    I eat only the real part of complex carbohydrates.
  4. It's a tax on the stupid by Anonymous Coward · · Score: 0, Troll

    I love malware. It makes stupidity more painful. Never seen this shit happen to someone who has a clue. Probably never will.

    Stupidity must always be made painful or else it grows out of control and the clueful can no longer shoulder its burden. The bad guys did good this time. If only there were more meatspace equivalents.

    1. Re:It's a tax on the stupid by david_thornley · · Score: 1

      I've seen some pretty intelligent people fall prey to email viruses, mostly in the older days when email viruses were effective. More recently, I know a very sharp woman who used the New York Times website without adequate defenses.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    2. Re:It's a tax on the stupid by Anonymous Coward · · Score: 0

      When's the last time you saw a stupid person pay for this kind of mistake?

      What happens is some manager starts surfing sites they shouldn't be and finds a 0day that the company AV product doesn't have a definition for yet. Cue the screaming at IT when the manager's laptop gets fucked up with this cryptolocker variant.

    3. Re:It's a tax on the stupid by Anonymous Coward · · Score: 0

      You mean book smart? Yeah, no doubt they got caught by this shit because they don't have any common sense, all they're good at is reading thick books and absorbing everything so they can regurgitate it on an exam.

    4. Re: It's a tax on the stupid by Anonymous Coward · · Score: 0

      Here's the obligatory, small business, no IT, running XP, with Intuit, business account, banking all done by a 76 year old guy. It pops up as an update, to a part of the program he uses. What is he supposed to do.... Remember, it's his business program, he needs for that to run, the next thing you know, he is getting calls from India, help, support, to cure the problem... As soon as the payment clears he can get to the banking program.... O pay, ain't it so cute...not a major business, so no harm? Right. So, what else has been slid into the machine? They got rights into the machine, what did they change, so you reset permissions, but you are not allowed to redo the machine? Are they watching or siphoning?

    5. Re:It's a tax on the stupid by david_thornley · · Score: 1

      I mean intelligent and thoughtful people who are competent in the real world and do have common sense. I'm not impressed by the sort of "book-smart" people you describe. Been there, done that, learned better.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    6. Re:It's a tax on the stupid by Anonymous Coward · · Score: 0

      You're forgetting one thing. You're stupid.

  5. What is a DOS screen? by Anonymous Coward · · Score: 0

    Sorry, a DOS screen?

    1. Re:What is a DOS screen? by Anonymous Coward · · Score: 0

      The Orginal dos Resolution of 320x240 x 8 bit color's Where Old School Dos Game's Like DooM Are Made :3

    2. Re:What is a DOS screen? by MobileTatsu-NJG · · Score: 1

      Actually it was 320 by 200, and "DOS Screens" were actually in text-mode that was measured in characters and not pixels.

      --
      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    3. Re:What is a DOS screen? by sunderland56 · · Score: 0

      It stands for "Denial Of Service". It's a nasty bit of software designed to prevent you from making full use of your computer.

    4. Re:What is a DOS screen? by Anonymous Coward · · Score: 0

      Yep. 40 columns or 80. Freaking newbs. ;)

    5. Re:What is a DOS screen? by Anonymous Coward · · Score: 0

      1) There was no "8 bit color" in original "dos". If you're going to put capital letters at random, at least use them for DOS!
      2) color's? What belongs to the color?

    6. Re:What is a DOS screen? by Anonymous Coward · · Score: 0

      I think it's Disk Operating System ... but I suppose either would be correct here.

    7. Re:What is a DOS screen? by Anonymous Coward · · Score: 0

      You're talking about BIOS graphics mode 13, MCGA 320x200 x256 colors onscreen pallet with an available color selection for those 256 palette entries of 24bits per R,G, or B.

      It was not the only mode used for MSDOS / DRDOS and etc. DOSes. The EGA mode by the same resolution at 16 colors onscreen, 64 available colors to select from and (crucially) 4 or 8 pages of display memory to switch between were very popular, and used longer. The CGA mode of the same resolution supported 4 onscreen colors and one of two palettes, [black, cyan, magenta, white] or [black, red, brown, green], one of these colors being possible to override with one of the available 16 colors.

      CGA 80x25 text mode is what people mean when they say, "DOS screen". Disk Operating Systems had a myriad of graphics modes available to them depending on the hardware they're connected to. I've mentioned only a few graphics adapters for the IBM PC / "clones".

    8. Re:What is a DOS screen? by Gaygirlie · · Score: 1

      You're talking about BIOS graphics mode 13, MCGA 320x200 x256 colors onscreen pallet with an available color selection for those 256 palette entries of 24bits per R,G, or B.

      Minor nitpick: the colour-palette only had a depth of 18 bits, ie. 6 bits per channel, not 24 bits.

    9. Re:What is a DOS screen? by ihtoit · · Score: 1

      720x400 is 80x25 textmode with the 9x16 system typeface. Doom was 320x200 CGA graphics mode (specifically IBM mode 13h, 256 colours). Both use the same amount of video memory (IIRC 16kB).

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    10. Re: What is a DOS screen? by the_humeister · · Score: 1, Informative

      Actually, DOOM was 320x240. 320x200 was Duke Nukem 3D. The reason to use 320x240 is because the pixels were square. However, the screen was split into banks of four because 320x240 pixels is too large to fit in a 64 KiB segment (ie pixels 0,4,8,… are in bank 0, pixels 1,5,9,… are in bank 1, etc.) which makes accessing the framebuffer more complicated and slower. 320x200 has slightly rectangular pixels, but the framebuffer is linear and fits in 64KiB, which is the largest segment size that can be accessed in real mode DOS.

    11. Re: What is a DOS screen? by ihtoit · · Score: 1

      Would you like to revise your information? DOOM engine renders at 320x200 (16:10 aspect ratio). You'll also find that the memory space for 320x240 is the SAME (it's a VGA mode which uses a more efficient algorithm) as the CGA 320x200 mode (which in 1993 was STILL the most common graphics mode available to MOST PC users hence the denominator for developers). Also, the only reason to split the screen was during multiplayer mode on console (eg Saturn, N64). It makes absolutely no sense to bank the screen quadrants when you're using the same amount of memory to render and MORE memory (and processor clocks) to stitch the quadrants.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    12. Re: What is a DOS screen? by hvdh · · Score: 1

      320x240x8bit is 76800 bytes, more than 64KB. It required bank switching, but it was easier than the GP wrote. VRAM was still linear, but you needed a VESA BIOS call to change the 64KB VRAM bank accessible in the 64KB video memory segment. Of 320x240, 204.8 lines fit in the first bank, the remaining ones in the second bank. As a display line split in two banks is very unhandy, you could increase the virtual resolution to 512x240 and had 128 full lines in bank 0 and the other 112 lines in bank 1.

    13. Re: What is a DOS screen? by One+With+Whisp · · Score: 2

      No, please.

      The reason to use 320x240 is because the pixels were square.

      I would agree with you, except DOOM actually did use 320x200, and indeed the pixels were rectangular. It's a common problem that forks (known in DOOM circles as "source ports") face when they try to change up the rendering engine. Many of the graphics in the game were even designed with the knowledge that the screen would be stretched due to the non-square pixels, meaning that unstretching would degrade them.

      320x200 has slightly rectangular pixels, but the framebuffer is linear and fits in 64KiB, which is the largest segment size that can be accessed in real mode DOS.

      Yeah, except doom uses DPMI, so this doesn't even matter.

    14. Re:What is a DOS screen? by Anonymous Coward · · Score: 0

      "onscreen pallet "

      Man, how big was the screen? Pallets tend to be pretty large, I've worked in warehouses. I've never noticed them being on a screen, however.

    15. Re:What is a DOS screen? by Anonymous Coward · · Score: 0

      Not As Much as the Sega Genises Which use 512 Color's. Sonic Games are more colorful Then DooM. Sonic Robo Blast 2 Is Proove

      Still Dos Games are god's Gift to Furry's

    16. Re:What is a DOS screen? by Anonymous Coward · · Score: 0

      Wrong again. DooM uses VGA mode 13h 320x200. It had no support for CGA or EGA modes.

    17. Re: What is a DOS screen? by MTBaldwin · · Score: 1

      Brings back memories. I remember when I got my first IBM PS/2 Model 30... 1024 kilobytes of memory. 12 screaming MEGAhertz of CPU power. MS-DOS 3.3. That cost me about $2000.00, way back in 1987.

  6. So what. Repartition & format. by MuthaFukka · · Score: 0

    What's to lose?
    I can always download more porn.

    I can re-install Lubuntu in half an hour (including customizations).

    1. Re:So what. Repartition & format. by KGIII · · Score: 0

      If you can get away with it, preserve ~/ and you won't even have to do much in the way of customization. That's not applicable this time, theoretically, but none of it is applicable as this doesn't appear to impact Linux users.

      However, avoiding reformatting /home or ~/ are both awesome ways to do a "repair" install in a lot of cases so it is worth mentioning it. As for your use of Lubuntu, I agree with your OS choice. Lubuntu is my favorite distro - even on bleeding edge hardware. If folks think LXDE is fast on older hardware, they should see it fly on new hardware.

      --
      "So long and thanks for all the fish."
  7. Dead serious answer by DrYak · · Score: 5, Informative

    What happens when I open it with WINE?

    The virus needs to modify the boot sequence so the next reboot starts its "fake" CHKDSK (to encrypt the disk and display a lock screen).

    Under most Unix systems, root-level privileges are necessary to write to a raw block device (as required to change the MBR), and as Wine is usually run under an end user's account, it simply lacks the necessary rights to perform this action.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
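    As an added illustration (not from the thread, Petya analyses, or any named project) of the defender's side of what DrYak and LocalH describe, here is a Python routine that parses a 512-byte MBR image, checks the 0x55AA boot signature, lists the partition entries, and compares a hash of the 440-byte boot-code region against a baseline recorded on a known-good machine, so a rewritten bootstrap shows up as a mismatch. The sector bytes and the baseline below are constructed sample data, not real disk contents.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # classic MBR layout: bootstrap code occupies bytes 0..439
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
BOOT_SIG_OFF = 510       # 0x55 0xAA closes the sector


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into the fields a defender cares about."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    signature_ok = sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA"
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "signature_ok": signature_ok,
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from recorded baseline: bootstrap code was rewritten")
    if not info["partitions"]:
        findings.append("partition table is empty")
    return findings


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sample sector: given boot code, one bootable NTFS-type partition, 0x55AA."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    # status 0x80 (bootable), type 0x07, starts at LBA 2048, 204800 sectors long
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    table = entry + b"\x00" * 48                      # three unused entries
    return code + b"\x00" * 6 + table + b"\x55\xAA"   # 440 + 6 + 64 + 2 = 512


# Constructed sample data: a "known-good" sector and one whose boot code was replaced.
GOOD_MBR = make_sample_mbr(b"\xEB\x3C\x90SAMPLE-BOOTCODE")
BASELINE = hashlib.sha256(GOOD_MBR[:BOOT_CODE_LEN]).hexdigest()
TAMPERED_MBR = make_sample_mbr(b"\xEB\x3C\x90REPLACED-BOOTSTRAP")

if __name__ == "__main__":
    print("good:", check_mbr(GOOD_MBR, BASELINE) or "matches baseline")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a real system the sector would be read from the raw device, which (as the comment above notes) needs root or administrator rights; the comparison itself is what matters here.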
    1. Re:Dead serious answer by david_thornley · · Score: 5, Funny

      Sigh. Yet another thing WINE won't run.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    2. Re:Dead serious answer by Rutulian · · Score: 1

      I'm pretty sure you would need to at least pass the UAC panel on Windows as well. I can't believe Windows would allow access to the MBR without permissions. So how does this really work?

    3. Re:Dead serious answer by Rutulian · · Score: 3, Insightful

      Found another article,
      http://sensorstechforum.com/re...

      After the payload file has been downloaded from a link, it will ask for elevation of privilege from the user. That file has a shield icon, so users expect the Windows User Account Control to be triggered. Unsurprisingly, they open it and give it permission, as they don’t suspect that this is a Trojan horse containing the payload for the Petya ransomware.

      This is unbelievably stupid. I know, social engineering and all, but why the f$#%k would you click ok to a UAC warning to read a CV?! Cryptolocker I could understand because it just used the current user's credentials, but there is no excuse for getting infected by this.

    4. Re:Dead serious answer by roman_mir · · Score: 4, Funny

      How can it? Petya is a diminutive of the Russian name Petr or Peter for the English speakers. Petya is a little boy, running him on wine is illegal even in Russia ;)

    5. Re:Dead serious answer by Antique+Geekmeister · · Score: 1

      > This is unbelievably stupid. I know, social engineering and all, but why the f$#%k would you click ok to a UAC warning to read a CV?! C

      Because they're HR. The field has high turnover and is noted for poor security practices "in order to get their job done".

    6. Re:Dead serious answer by Skuld-Chan · · Score: 1

      This is actually true for Windows as well - you need local admin to write to the MBR.

      Also, if the machine is using UEFI/"Secure Boot" it wouldn't be affected either.

    7. Re: Dead serious answer by cyber-vandal · · Score: 1

      I'm surprised a standard user would have the required security permissions to alter the MBR.

    8. Re: Dead serious answer by Rutulian · · Score: 1

      I'm surprised a standard user would have the required security permissions to alter the MBR.

      That's Windows security for you. Decades of established security practices where everyday users run unprivileged and only become root for administrative tasks, plus very user friendly implementations by Apple for OS X that nobody has complained about AFAIK, but nope, Microsoft has to come up with UAC instead. It is an improvement over XP, but it is still far too easy to inadvertently hose your system. The first thing I do when I install Windows is create an unprivileged user and set a password for the administrator. This instantly gets rid of 99% of the problems. The remaining 1% is training users when it is appropriate for an application to be asking for admin rights (almost never), but if you tell them to just never enter their password unless they are making a deliberate change to their system, or to ask if they are unsure, this is usually sufficient. I've never had malware problems on the boxes I administer.

    9. Re:Dead serious answer by thegarbz · · Score: 1

      but why the f$#%k would you click ok to a UAC warning to read a CV?

      Because we're conditioned to know if you click no then the thing we want to do doesn't work. It's gotten to the point where I've seen software installed that actively elevates user privileges so they aren't burdened by the UAC prompt. We're just used to knowing something won't work if we click No, not necessarily that this has nothing to do with the ability to read a CV.

  8. Infection Vector by Anonymous Coward · · Score: 1

    "HR employees are sent an email with a link to a file stored on Dropbox, where an applicant's CV can be downloaded. This file is an EXE file named portfolio-packed.exe, which if executed, immediately crashes the system into a standard Windows blue screen of death."

    How does this scenario even occur? Why didn't HR just tell them to attach an appropriate file instead of going out of their way to download the "CV" and unpacking it? This is insanity.

    1. Re:Infection Vector by david_thornley · · Score: 4, Insightful

      They probably did, and the "applicant" disregarded that. Personally, I think that if you have to trim the pile of resumes/CVs, removing the ones that broke the submission rules and the ones that have serious spelling and/or grammatical mistakes is a good start.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    2. Re: Infection Vector by Anonymous Coward · · Score: 0

      Probably because everyone is afraid of opening email attachments now.

    3. Re:Infection Vector by KGIII · · Score: 1, Interesting

      I taught college maths for three semesters after retiring. The lack of longevity should be an indication of how much I enjoyed it. I only taught two different classes and then just one class for the final semester. I sort of enjoyed it but it was a "teacher's college" where they graduate future teachers. (It was UMF.) I'd had some decent instructors and borrowed/modified this entrance exam. It tells you a lot about the student's abilities.

      At any rate, I did the tried and true exam at the start of two of those semesters. I did not bother doing so for the third. This was our second day class and I'd given them some instructions on the first day. I told everyone to not flip the paper over until they were told to do so. Anyone who turned the exam over prior to being told to do so was quietly marked as a failure. There were no questions asked and I let them keep going. I then told them the exam's rules.

      The exam was to be done in black or blue pen. They'd been instructed to bring one on the first day of class.
      I told them to read all of the exam questions and instructions completely before answering any of them.
      The top of the exam also included the instructions to read all of the questions/instructions thoroughly prior to answering any of them.

      The third to last "question" was instructions that said to finish reading the exam, sign the top of the page in blue or black ink, not to mark anywhere else on the front of the exam, but to continue pretending to work or to answer the bonus question. The bonus question, I forget how it was worded, was the last question and the bonus was to draw an impressionist's sketch of pi on the back of the exam.

      Most people wrote their name in first. Many did all the questions until they got to #7 (? - I think it had ten questions - buggered if I remember all the details). In both of the years that I did it, only a few people actually got it right. It wasn't my original idea or anything.

      However, I did fail (for that exam) those who failed it. It was a simple pass/fail exam where failure counted as a zero. It was not a mathematics test, it was a test to see how well they would follow instructions in my class. If they can't follow instructions then they'll need to learn how and we can start there.

      For the most part, it worked out well. It did not work out well for everyone. After doing it a second time, I got an angry phone call from a parent (seriously, who has their parents call their professor at a university about failing a test?) who was really unhappy that I'd given their brilliant daughter a failing score on the exam. She'd already failed it when she flipped it over before being told to but she failed it when she did the work in pencil and she failed it again when she completed the problems up until #7.

      I refused to remove the grade. She, and her parents (her mother, specifically) were livid. She didn't drop the course. She passed but just barely. It seems she'd been to a private school and was considered very bright. She barely passed an introduction to collegiate mathematics... Who the hell has their parents call their professor because they legitimately failed an exam? It didn't even count for much. They expected me to not re-test but to just change the grade.

      I did not change the grade. She even showed up after class with fake tears - not even good fake crying. Some of the folks who failed it were a little pissed but they got the point - and did well, most of them. I can only imagine what this person must have led for a life to get to that point. It must have been pretty inept if they were used to being able to get stuff like that "fixed" by calling the parental units or pretending to cry. Presumably, she's out there teaching someone today - probably in some public school somewhere in Rural America.

      At any rate, that's just one of the many reasons why I simply did the one more semester that I'd said I'd do. I'd have not even done that semester but I had said I would do it and I try to do what I say I will do. She was one

      --
      "So long and thanks for all the fish."
    4. Re: Infection Vector by Opportunist · · Score: 2

      But following a link and downloading&executing arbitrary crap from somewhere on the internet is better?

      Just how stupid are people really?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Infection Vector by Anonymous Coward · · Score: 0

      I taught college maths for three semesters after retiring.

      [...]

      She was one of the more memorable students. She was also definitely in the cute category but sexing up the students would be bad form so I avoided that.

      You were, what, 40 years her senior or so?

    6. Re: Infection Vector by Anonymous Coward · · Score: 0

      Pretty stupid. Especially with so many people already sharing company stuff via Dropbox, I could totally see someone thinking "it can't be bad if it's on Dropbox..."

    7. Re:Infection Vector by ihtoit · · Score: 1

      I had a similar test for potentials when I ran my law firm. Five pages of questions (about 70 of them, some multiple choice, some short answer), the first instruction being: "Read the entire paper before you begin answering any of the questions", the penultimate being "Do not answer any question on this test but carry out the next instruction", the very last one being and I quote: "Sign your name in the box below, break your pencil in half and step away from the desk."

      Only one person ever passed, out of probably 500 applicants. Some of the responses on the short answer questions were hysterical.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    8. Re: Infection Vector by ihtoit · · Score: 1

      no, it's called teaching your students to arm themselves with the maximum amount of information BEFORE they act. It's not as if the information they require isn't RIGHT THERE IN FRONT OF THEM.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    9. Re: Infection Vector by ihtoit · · Score: 1

      because if you don't bother to read through a simple test paper before chickenscratching your way to a frycook job, how the fuck do you expect to be entrusted with a complex set of instructions which could potentially injure or kill you or someone else if you get it wrong?

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    10. Re:Infection Vector by david_thornley · · Score: 1

      Doesn't stop him from looking.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    11. Re:Infection Vector by Anonymous Coward · · Score: 0

      So you taught them how to play the memory game?

    12. Re:Infection Vector by Anonymous Coward · · Score: 0

      Hopefully your stupid test taught you something about how people aren't going to waste much of their time being tricked. Dumbfuck

    13. Re:Infection Vector by ihtoit · · Score: 1

      actually my "dumb test" weeded out the fools who just waded right on in and FUCKED UP as surely as they would have FUCKED UP CASE AFTER CASE.

      Shithead.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    14. Re:Infection Vector by djinn6 · · Score: 2

      Following rules doesn't get you very far in life. At best you'll be just another cog in the global market, soon to be replaced by a computer, whose low cost is only matched by its ability to follow rules, however stupid those rules are.

    15. Re: Infection Vector by dryeo · · Score: 1

      It doesn't help that Windows actively hides the fact that it is an executable. I got one the other day, named something like foo.pdf.exe and a PE binary, Windows would just show foo.pdf and happily run it.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    16. Re: Infection Vector by Anonymous Coward · · Score: 0

      The giant red flag in that situation is that the foo.pdf file is the ONLY one on your entire filesystem that shows the filetype. If you consistently use windows with filetypes hidden (which is the default, sadly) then you should notice an immediate discrepancy when there IS one. If you don't have filetypes hidden then it is just as easy to spot.
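      Added example, not from the thread: a small Python triage helper for what dryeo and the reply above describe. Given a filename and the first bytes of the file, it flags an executable offered as a "CV", the foo.pdf.exe double-extension pattern (reporting the name Explorer would display with extensions hidden, which is the discrepancy the reply points at), and a PE header sitting behind a document extension. The extension lists and the sample entries are assumptions constructed for the example.

```python
# Extensions Windows runs directly (assumed subset for the example, not an exhaustive list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}
# Document-like extensions that an attacker may place in front of the real one.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}


def display_name_with_hidden_ext(filename: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on: the last extension is dropped."""
    base, dot, _ext = filename.rpartition(".")
    return base if dot else filename


def classify_filename(filename: str, head: bytes = b"") -> list:
    """Return findings for one file; head is the first few bytes of its content (may be empty)."""
    findings = []
    exts = filename.lower().split(".")[1:]
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        findings.append(f"executable type .{last}")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            shown = display_name_with_hidden_ext(filename)
            findings.append(f"document-looking name: shown as '{shown}' when extensions are hidden")
    elif head[:2] == b"MZ":
        # PE/EXE files start with the 'MZ' DOS header regardless of what the name claims.
        findings.append("PE/MZ header but non-executable extension")
    return findings


def triage(entries: list) -> dict:
    """Map each flagged filename to its findings; entries are (filename, first_bytes) pairs."""
    return {name: f for name, head in entries if (f := classify_filename(name, head))}


# Constructed sample inbox: the thread's "portfolio-packed.exe", dryeo's foo.pdf.exe,
# a real PDF, and a PE binary renamed to look like a PDF.
SAMPLE_ENTRIES = [
    ("portfolio-packed.exe", b"MZ\x90\x00"),
    ("foo.pdf.exe", b"MZ\x90\x00"),
    ("resume.pdf", b"%PDF-1.4"),
    ("cover-letter.pdf", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_ENTRIES).items():
        print(name, "->", "; ".join(findings))
```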

    17. Re:Infection Vector by Cederic · · Score: 0

      Doing that in the UK would break the law. You're clearly discriminating against people with specific learning disabilities - including ones that wouldn't preclude them from being a lawyer.

      But go right ahead, be clever and feel good about your own superiority.

    18. Re:Infection Vector by Anonymous Coward · · Score: 0

      WTF? So in UK I'm supposed to hire a moron ... erm, a person with specific learning disabilities instead of a normal person?

    19. Re: Infection Vector by Anonymous Coward · · Score: 0

      When I was in college, I would weed out the professors. If I couldn't understand the professor, or their syllabus struck me the wrong way -- I immediately walked out of class and headed straight to the nearest Drop/Add workstation to find a better professor for the course.

      I would've been walking out of the above (parent poster) class within five minutes: dropped.

      College is much too costly to deal with asshole or incompetent professors.

    20. Re:Infection Vector by ihtoit · · Score: 1

      I've never come across a lawyer with specific learning disabilities. The nature of the work actually precludes the possibility of such a person even getting a toe in the door.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    21. Re:Infection Vector by Cederic · · Score: 1

      No you fuckwit. Just avoid discriminating against them.

    22. Re: Infection Vector by KGIII · · Score: 1

      That would have been the proper choice for you. You're too special to follow directions.

      --
      "So long and thanks for all the fish."
    23. Re:Infection Vector by KGIII · · Score: 1

      Two things. That sounds good and is a nice pithy thought but we both know better. The second is that... Ah, screw it. You'll only want to argue anyhow. Yet, I suspect if you look at where I am and where you are - and then at who followed the rules, you would still just want to argue. Have a nice day.

      --
      "So long and thanks for all the fish."
    24. Re:Infection Vector by KGIII · · Score: 1

      Pretty much. It's not like these kids were going to go on to be mathematicians. They were going to be (many of them) physical education teachers. (I kid you not.)

      The grade didn't impact a whole lot but it did go into the books. Follow directions. 'Snot hard. Just follow 'em. If you don't understand the directions - stop and ask. The importance of following instructions and asking if they did not understand any of them was stressed on day one. Day two, we found out if you paid the least bit of attention on day one.

      --
      "So long and thanks for all the fish."
    25. Re:Infection Vector by KGIII · · Score: 1

      I am just getting to read the responses. There are a few to mine (and then to yours) that indicate they would not have passed the exam. I'd already stressed the importance of following instructions - including the importance of bringing a pen with blue or black ink.

      --
      "So long and thanks for all the fish."
    26. Re: Infection Vector by KGIII · · Score: 1

      Oh you silly child. No, the students who remained loved my class. I hated it because I could not devote enough time to actually teach them all. I wanted to teach them mathematics, not rote mathematics. I hated it. There is not enough time in my day, or in their day, to do so.

      On the other hand, yes I am an asshole. I fully admit, accept, and intend it.

      --
      "So long and thanks for all the fish."
    27. Re:Infection Vector by KGIII · · Score: 1

      Do they think us old folks don't notice the cuties? Hell, sometimes we get to sleep with 'em.

      I've a girlfriend at the moment but there's a certain special quality about a marginally insane crazy college chick with daddy issues. I did not sleep with any of my students. I have not slept with any of my former students - but I have gotten wasted with a couple of them back when I used to drink. They were no longer my students and were over the age of 21 as far as I know.

      --
      "So long and thanks for all the fish."
    28. Re:Infection Vector by ihtoit · · Score: 1

      yeah, I kinda noticed that too.

      Oh, found the archived videos, they're on a stack in a server I'm actually rebuilding. Should be up again in the next week.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    29. Re:Infection Vector by Anonymous Coward · · Score: 0

      I would hope that for something like a job interview I would take the instructions seriously enough to follow them even if that's not how I would normally do something.

      I'd be less likely to for an exam, however the other guy did repeat a couple of times how following instructions was important so maybe I would have gotten it.

      We are often conditioned to blow such things off though. Ever buy anything that told you to read the safety warnings or instructions before using your new toy or device or whatever? Normally, I'd say screw that. I have common sense and I'll look at the instructions if I have trouble. /obviously a different AC, here.

    30. Re:Infection Vector by thegarbz · · Score: 1

      A few points:

      1. We give students competing goals: Do something in a limited time, but waste time reading an entire paper in full despite the bulk of the assessment being assigned to answering questions.

      2. You set something that was highly out of the ordinary for an exam. Even more out of the ordinary for a maths exam.

      3. You set something that has nothing to do with the course.

      4. You were attempting to teach people to blindly follow rules rather than attempt to get through what are typically tough questions using a method that has worked best for them.

      Quite frankly I'm glad you're not teaching anymore. This is something you can use as a joke in class, but not something that should be set in an exam, EVER. If you try that in the legal field (doing something truly out of the ordinary in a contract), the contract becomes unconscionable.

      Also you're lucky. I've seen the student's parents actually come in to the university... if my mother did that I would have just died of embarrassment on the spot.

    31. Re:Infection Vector by KGIII · · Score: 1

      Sweet. Lemme know when they're available for me to view 'em. Funny enough, I almost posted a reminder in the response I'd written but I figured it hadn't been long enough to need a reminder. (I imagine anyone reading this is now officially lost or confused.)

      At any rate, I'm quite curious to see them. Maybe they'll give me some inspiration to write about 'em. I'm officially working on a site, technically a network of sites, to prove a point and win a bet - but also because it's an interesting thing to do. The first of them is up and running but incomplete. It's *close* to complete but not quite there. I've a few more kinks to work out, I keep finding small bugs, and there's a few more tweaks to be made.

      The best thing is, I'm doing it all for the low cost of absolutely zero dollars. That's part of the bet. If you're curious, click here and be even more confused. *sighs* It's a long story. ;-) Aren't they always?

      --
      "So long and thanks for all the fish."
    32. Re:Infection Vector by david_thornley · · Score: 1

      Blindly not following rules is worse than blindly following rules. Know what the rules are, and why you're breaking them. My standard rule: never break a rule you don't understand. (Self-reference not only intentional, but vital to understanding the rule.)

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    33. Re:Infection Vector by djinn6 · · Score: 1

      What you call an argument, I call a discussion. Why else come to slashdot?

      I've basically followed a few rules in life and I've done great:
      1. Do what you love and do it really well
      2. Focus on your life goal
      3. Treat others kindly

      Every other rule is either a more specific (and therefore less useful) version of the above, or a moronic rule made by some asshat authoritarian to keep you down.

      Yet, I suspect if you look at where I am and where you are - and then at who followed the rules, you would still just want to argue.

      So is this a dick-measuring contest now?

    34. Re:Infection Vector by KGIII · · Score: 1

      It became a dick measuring contest, and nothing more, when you stated that it wouldn't get you very far in life.

      --
      "So long and thanks for all the fish."
    35. Re:Infection Vector by ihtoit · · Score: 1

      OK. Mobile version is here (and I apologise in advance for the sound quality, you probably need some noise-cancelling headphones to hear it properly), I'll get the SD (which has better sound quality) up on a torrent because I don't have the space on my GDrive for a 14GB upload.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    36. Re:Infection Vector by ihtoit · · Score: 1

      addendum: soon's the torrent's done I'll drop it into the SD folder on the previous link.

      (and my wife says netbooks with flat batteries are useless... they're great for chucking up torrent boxes)

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    37. Re:Infection Vector by Anonymous Coward · · Score: 0

      Following rules doesn't get you very far in life.

      Show everyone how independent of spirit you are by running out into a busy road. That'll show 'em.

    38. Re: Infection Vector by Anonymous Coward · · Score: 0

      So was it a math class or a do-what-it-says-on-this-bit-of-paper class? You probably confused people who thought it was a math class, rather than a do-what-it-says-on-this-bit-of-paper class.

    39. Re:Infection Vector by cwsumner · · Score: 1

      And the next job was in a manufacturing plant, where there was a set of steel steps with a light at the top. The sign said "Do Not go down the steps until the light goes out". The one who did not learn from the class made a terrible mess. But they never actually found the body.

      The rest lived! 8-)

    40. Re:Infection Vector by cwsumner · · Score: 1

      Breaking human rules is one thing, it will only get you in trouble.

      Breaking Mother Nature's rules is different. Most of her punishments are death, and Mother Nature has no pity.

      Be sure you know the difference!

    41. Re:Infection Vector by KGIII · · Score: 1

      Far too many people understand the value of following directions. There's a time and a place to not do so. That's a rarity. Usually, you're far better off by following the directions.

      --
      "So long and thanks for all the fish."
    42. Re:Infection Vector by KGIII · · Score: 1

      I got to thinking... It will fit here:
      https://mega.nz/

      --
      "So long and thanks for all the fish."
  9. I boot from non-writable media by davidwr · · Score: 1

    Unless you are going to tamper with the firmware or its settings, "good luck" changing my boot sequence.

    Oh, by the way, a comment at this Trend Micro write-up suggests that the initial program that infects the system won't work unless the user has administrative privileges.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:I boot from non-writable media by Opportunist · · Score: 1

      In what company do computer illiterates like HR have admin privs on their computers?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:I boot from non-writable media by dbIII · · Score: 1

      One where the inhouse developers demand admin access for all users of their almighty VB application because they have admin access and don't have the patience to test it on a machine that does not. It used to be a very common problem and it still lurks in a few places. It took about two years to convince a developer in my workplace that it was a really bad idea despite it being part of the cause of a pile of virus incidents.

    3. Re:I boot from non-writable media by Opportunist · · Score: 1

      There's an easy fix for that. Sit down with your CISO and have him demand that any and all virus incidents that could have been avoided by not having admin privs on accounts that have no reason to have them be tacked to the cost center said dufus wannabe programmer is in.

      That problem will soon clean up itself.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:I boot from non-writable media by dbIII · · Score: 1

      Workplace politics is often more complicated - I was the "CISO" but the developer was outside of my chain of command since he did it more or less as a hobby on the side of his real job.

      The real issue is for developers to wake up to bad practices instead of just thinking they are being bullied by the head of a different department.

      All that is aside from the point - such bad practices were very common not long ago and still exist in many places.

    5. Re:I boot from non-writable media by Opportunist · · Score: 1

      Then you weren't the CISO.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:I boot from non-writable media by dbIII · · Score: 1

      Thanks a lot for calling me a liar for a very trivial reason. Meanwhile back in reality the problem was that I was not the CEO so it meant dealing with the very non-technical boss of the guy with the application instead of dealing with him myself.
      It's a side issue of the example so I really don't get why you are arguing and why you are going so far as to call me a liar. You also seem to be acting as if you have been asked to solve a problem when with that example it was solved years ago, but it won't be the case for similar situations of identical stupidity.
      So many developers are still stuck on the single user, 32 bit, single threaded, non-networked, trust by default mentality of MSDOS and that shows with software that needlessly runs as admin.

    7. Re:I boot from non-writable media by Opportunist · · Score: 1

      What I mean is that the title is pointless if you don't get the power to go with it. If you are responsible for the security in your company but have no power to make the relevant decisions, they have no CISO; all they have is a scapegoat.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:I boot from non-writable media by Maritz · · Score: 1

      I'm unreasonably interested in the thinking behind the scare quotes.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  10. Why do they say "OS"? Windows-Only! by rsborg · · Score: 1, Offtopic

    This won't impact a Mac, nor will it impact Linux (it's an .exe file). The TFA referred to Windows, so should the summary.

    Just like as usual - most rampant exploits and malware are Windows-only.

    --
    Make sure everyone's vote counts: Verified Voting
    1. Re: Why do they say "OS"? Windows-Only! by GoodNewsJimDotCom · · Score: 4, Funny

      Black hat virus writers are a bunch of bad guys, but it would be some next level evil to turn a Macintosh computer to boot into Dos or Windows.

    2. Re:Why do they say "OS"? Windows-Only! by nmoore · · Score: 1

      It says "prevents your OS from starting". If your machine triple-boots Linux, OS X, and Windows, and a Windows trojan overwrites the boot loader, it's going to keep you from booting into all three OSes.

    3. Re: Why do they say "OS"? Windows-Only! by Anonymous Coward · · Score: 0

      Not with UEFI, where the loader is in each OS partition and only the boot manager is in firmware.

    4. Re:Why do they say "OS"? Windows-Only! by Maritz · · Score: 1

      Security through obscurity is on your side.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    5. Re: Why do they say "OS"? Windows-Only! by Anonymous Coward · · Score: 0

      I expect that any day we'll see a Mac worm that pops up a box asking:
      - "Microsoft recommends upgrading to Windows 10! Do you want to? Pretty please?"

  11. Okay, I lied by davidwr · · Score: 2

    I don't *always* boot from non-writable media.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Okay, I lied by Anonymous Coward · · Score: 4, Funny

      But when you do, you boot from DOS XX.

  12. Only HR departments? by Bing+Tsher+E · · Score: 3, Insightful

    If we all volunteer to kick in a little to the ransom gang, is it possible we could spread it to all HR people worldwide? A world full of hamstrung HR people would allow us to all get direct-hire jobs.

    1. Re:Only HR departments? by Anonymous Coward · · Score: 0

      That's actually not a bad idea :)))))))))))

    2. Re:Only HR departments? by Anonymous Coward · · Score: 1

      And cancel all the "sensitivity training" seminars? Puh-leez????

      If I hear one more "Binary is for *computers*, not people!" presentation of Social Justice Warrior drivel masquerading as workplace ethics.... it's not going to be pleasant.

    3. Re:Only HR departments? by ericloewe · · Score: 4, Funny

      "Ransom gang" has such a negative connotation.

      How about calling them "workplace productivity enhancement team" or "employee happiness consultancy"?

    4. Re:Only HR departments? by Anonymous Coward · · Score: 0

      Sadly all those direct Hire jobs would be unpaid jobs as it is usually HR that has to put you on the payroll system.

    5. Re:Only HR departments? by CanadianMacFan · · Score: 1

      Stop thinking small. Let's put it to where it can do some real good. Send it to the lawyers!

  13. Corporate machines should have exe whitelisting by Anonymous Coward · · Score: 1

    There is no reason anybody should be able to run unknown exes on a work computer without notifying IT first.
    It's the only way to combat this kind of lack of basic IT knowledge that afflicts most office workers.

    I work with people who have used PCs for over a decade who still lack basic IT knowledge and would still fall for this trick in a heartbeat. You cannot drill it into your staff to not open stuff like this, you have to actively prevent it happening.

    1. Re:Corporate machines should have exe whitelisting by HiThere · · Score: 1

      At one point that was a reasonable position. Unfortunately operating systems now execute lots of things they shouldn't automatically. I've heard of jpg viruses.

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
    2. Re:Corporate machines should have exe whitelisting by Anonymous Coward · · Score: 0

      AppLocker is a useful tool, but you start using it, people scream, run to management about how they are unable to do their jobs, and the Powers That Be tell you to disable it, as having a malware issue is cheaper than a salesperson who can't run some no-name game while on a flight not closing on a sale.

      The trick is to roll it out department by department. The call center is usually the easiest, then work to receiving, HR, and the places where the programs they run don't change. Just so people can have their own web browsers and such, have VDI functionality to a locked down RDP or Citrix server so people have their own VM to do what they want in, and if they hose it, who cares.

  14. Your PC is now Stoned! by Bigbuzzman · · Score: 1

    Your PC is now Stoned!

  15. Task Ring by Anonymous Coward · · Score: 0

    What if the editors misheard and it's really a case of being locked into a Task Ring?

  16. 4 years old is new? by Anonymous Coward · · Score: 0

    https://www.youtube.com/watch?v=6MkwiJ_rZh4

    Not new.

  17. So... by JustAnotherOldGuy · · Score: 1

    So just boot from a CD or USB drive and then fix the MBR.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re: So... by Anonymous Coward · · Score: 0

      All your files are still encrypted and you just removed the decrypting tool.

    2. Re: So... by Anonymous Coward · · Score: 0

      What amazes me is that people don't realize that if some malware can encrypt files, it can destroy files. If one assumes files are destroyed, then life is simple... reformat, reload, restore.

      Computing has advanced so much... but backups are still in the 70s era, with the exception of deduplication technology. In fact, I'd say that backups are actually harder to do in a decent manner than 20+ years ago. Back then, one could buy a tape drive, use some form of Backup Exec, and be sure that their files were backed up, changing out (and write-protecting) tapes. Now, with people just copying files to cloud storage (which is basically a file share), entire companies can be easily wiped out by something that just looks at all mounted filesystems and rms the contents.

      The only real way to protect data is via pull backups... and the tech is there. Windows Server Essentials or MS DPM can easily save on an image/snapshot basis, with malware only able to crash backups, and not tamper with existing images. On UNIX, even a low-end NAS can ssh into machines, slurp off home directories and application directories, and stash that data out of reach.

      The second way is to back up shares. NAS "A" has shares, which get backed up to another storage medium. This way, if malware destroys the share, it can be restored.

      I miss when even desktops had built in tape drives. Once you backed the stuff to tape, pulled the tape out, you knew subsequent infections couldn't touch the stored data. There is no medium (optical just doesn't have the capacity) that even compares.

    3. Re: So... by luther349 · · Score: 0

      You can still get tape drives; in fact they hold a lot of data. It's still used in server farms.

  18. ^^ Pls, pls somebody upvote this comic gem !! by Anonymous Coward · · Score: 0

    - msg in subject

  19. The Flash could do it in time, but he's fiction by dbIII · · Score: 1

    From what I can tell, you can simply unplug your computer to stop the process of encrypting your files... the earlier you stop, the fewer files are affected.

    I looked at the timestamps of the files of a cryptolocker attack victim once - it's worth remembering that computers are very fast these days and it did quite a few GB per minute.

  20. DOS? by Anonymous Coward · · Score: 0

    Initial text console level lock screen is what that should read.

    1. Re:DOS? by pjbgravely · · Score: 1

      QDOS AKA MSDOS went away with the NT Kernel, the last Microsoft OS running on MSDOS was Windows ME. Windows Vista (NT 6.0) added to the BSOD with a more critical R(ed)SOD but the B(lue)SOD was still there. I don't know if the RSOD survived into Windows 7 NT6.1.

      --
      Star Trek, there may be hope.
  21. portfolio-packed.exe by Anonymous Coward · · Score: 0

    Anyone who supplies an exe as a resume/CV, even if it doesn't contain any malicious software, should be summarily dumped into the trash and dismissed out of hand.

    1. Re:portfolio-packed.exe by Maritz · · Score: 1

      I think that's kinda the point. You only do that if you're in the biz of ransoming data. Literally no applicants ever turn their word doc resume/CV into a .exe just 'cos

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  22. DOS? by Sir+Holo · · Score: 1

    I thought QDOS, and thus the BSOD, went away with Windows Vista. At least, that's what the ads told me.

    Are you implying that Microsoft might have lied to me? :cry emoji:

  23. Microsoft Windows strikes again! by khz6955 · · Score: 1

    Hey, slashdot, the technical site how about telling us the name of the Operating System and the Hardware Platform this ransomware runs on? hint Windows and Intel ..

  24. UEFI + Secure Boot by Microlith · · Score: 1

    Or boot using UEFI, which probably breaks this. Toss in Secure Boot, and even if they wrote a UEFI bootloader they wouldn't be able to intercept the boot process.

    Cue idiots who make inaccurate comments about UEFI and betray their technical ignorance.

  25. Ummm, a "DOS screen"? "DOS level"? by aussersterne · · Score: 2

    I honestly entered this story hoping to read lots of merciless ridicule of these phrases.

    Where is it? Or have all the geeks finally left Slashdot?

    --
    STOP . AMERICA . NOW
    1. Re:Ummm, a "DOS screen"? "DOS level"? by Anonymous Coward · · Score: 0

      We've simply become desensitized to technical illiteracy.

    2. Re:Ummm, a "DOS screen"? "DOS level"? by pjbgravely · · Score: 1

      The /. geeks are gone, replaced by cowards and lusers that think a PC has to run Microsoft Windows and a Hacker is a bad person. I only post about it when I think my karma is getting too high.

      --
      Star Trek, there may be hope.
    3. Re:Ummm, a "DOS screen"? "DOS level"? by Anonymous Coward · · Score: 0

      The geeks are the new jocks. Pseudo-libertarians and trumptards, historical revisionists and educated idiots, have dominated /. for quite a while now. Geeks as social outcasts had some unique insights into culture and society beyond their tech-obsessions. The only relationship most /.'ers have to the outcast nowadays is being the ones who cast out others. Anything people actually care and feel passionate about is disinformation according to the corporate tech-jocks/shills which dominate all the threads here. Geeks were always a bit anti-social due to their nature, not due to ideological brainwashing and freetard (*people who believe in American(TM) freedom) attitudes.

      may the snarkiness be with you ;)

  26. /. is dead by Anonymous Coward · · Score: 1

    I was hoping for exactly the same; there's a brief mention of it followed by someone (user 4,496,745, yikes) seriously asking

    "I thought that was DOS too, how is it called then? Isn't that MS DOS running the boot code?"

    That, a day or so after some prick from the gadget show made it to the front page pontificating on things we all know he has absolutely no grasp of, this just isn't my slashdot any more and it's sad.

  27. Sign us up for the UEFI version by Anonymous Coward · · Score: 0

    You know, just so that it runs on not the older computers.

  28. Petya by dimko · · Score: 1

    In Russian, Petya - is variation of name Peter. A childish way to say that name. That makes me wonder...

  29. Privilege ; UEFI by DrYak · · Score: 1

    This is actually true for Windows as well - need local admin to write to the MBR.

    The difference is that wine will simply refuse and fail.

    Whereas, on Windows, this will open a UAC prompt, which users have taken the habit (...have been Pavlovian-trained...) of clicking okay on to get anything done, due to countless badly designed pieces of software.

    Also, if the machine is using UEFI/"Secure Boot", it wouldn't be affected either.

    That's a bit more complicated.

    If the disk is partitioned in Legacy mode, this will fry the partition table.

    The UEFI firmware won't be able to locate the special FAT32 boot partition ("EFI system partition") with the bootloader .EFI executable used by the OS.
    The system is left in an unbootable state, and the next few available boot options will be taken in turn, eventually reaching legacy boot, which will load the booter code of the malware.

    If the disk is partitioned in GPT mode, things will get a little bit more complex.

    Some UEFI firmware implementations DO require an appropriate "Guarding DOS partition" to boot in UEFI mode (some are even picky about whether the MS-DOS "BOOT" flag is set on that guarding partition). Of course, none of this is standardised.
    Because of this, and because the partition table is hosed, some UEFI firmware won't detect the availability of the EFI system partition and won't boot in UEFI mode, again degrading to the next available modes, eventually reaching the point where they attempt a legacy MBR boot.

    Some other UEFI implementations completely ignore the MBR and go straight for the GPT.

    Then it depends on the malware. I can't find reliable sources whether the malware does encrypt files on the disk or not.
    If it doesn't, then MBR-ignoring UEFI firmware will boot as usual. No problem noticed beyond the initial bluescreen crash.

    If the malware does encrypt files, the boot process will fail at some point (depending on the encrypted files).

    The only difference that "Secure booting" brings, is that it refuses to run .efi executables (like bootloader) which weren't signed by Microsoft's key or any key that an admin has loaded into the system (for Linux users that do use it, but don't use the shim and load their own keys instead).

    The system will refuse to boot all the same as above (except for the single exception), and simply won't fall back to displaying the skull. But the system is hosed all the same.

    I can't find reliable information about what exactly is encrypted, so it's impossible to know if simply rebuilding the partition table using a USB boot stick (like System Rescue CD) is enough, or whether a decryption tool will eventually be needed to rescue important files from the drive.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
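As an added example (not code from DrYak's post or from any tool it mentions): a Python check a defender can run over a saved copy of sector 0 to tell an intact legacy MBR or GPT "guarding" MBR from one whose bootstrap code or partition table has been overwritten, which is the kind of damage the post describes. The sample sectors, disk size, stand-in boot code and baseline hash are all constructed here.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

MBR_SIZE = 512
BOOT_CODE_SIZE = 440          # bootstrap area before the 4-byte disk signature
TABLE_OFFSET = 446            # the four 16-byte partition entries start here
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR
GPT_PROTECTIVE_TYPE = 0xEE    # type of the "guarding" entry on a GPT disk
# entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
ENTRY_FORMAT = "<B3xB3xII"


@dataclass
class PartitionEntry:
    bootable: bool   # MS-DOS "BOOT" flag (status byte 0x80)
    type_id: int
    start_lba: int
    sectors: int

    @property
    def empty(self) -> bool:
        return self.type_id == 0 and self.start_lba == 0 and self.sectors == 0


def parse_entries(sector: bytes) -> List[PartitionEntry]:
    """Decode the four partition entries of a 512-byte MBR sector."""
    entries = []
    for i in range(4):
        status, type_id, start, count = struct.unpack_from(
            ENTRY_FORMAT, sector, TABLE_OFFSET + i * ENTRY_SIZE)
        entries.append(PartitionEntry(status == 0x80, type_id, start, count))
    return entries


def classify_mbr(sector: bytes, disk_sectors: int,
                 known_boot_code_sha256: Optional[str] = None) -> str:
    """Return what kind of MBR this is, or a short reason why it looks damaged."""
    if len(sector) != MBR_SIZE:
        return "invalid: not a 512-byte sector"
    if sector[-2:] != BOOT_SIGNATURE:
        return "damaged: boot signature 55AA missing"
    if known_boot_code_sha256 is not None:
        # compare the bootstrap code with a hash recorded when the disk was clean
        digest = hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest()
        if digest != known_boot_code_sha256:
            return "tampered: bootstrap code differs from recorded baseline"
    entries = [e for e in parse_entries(sector) if not e.empty]
    if not entries:
        return "damaged: partition table is empty"
    protective = [e for e in entries if e.type_id == GPT_PROTECTIVE_TYPE]
    if protective:
        # a GPT disk carries exactly one guarding entry starting at LBA 1
        if len(entries) != 1 or protective[0].start_lba != 1:
            return "damaged: malformed GPT protective entry"
        return "gpt-protective"
    # legacy table: every entry must lie on the disk and none may overlap
    spans = sorted((e.start_lba, e.start_lba + e.sectors) for e in entries)
    for start, end in spans:
        if start == 0 or end > disk_sectors:
            return "damaged: partition outside disk"
    for (_, a_end), (b_start, _) in zip(spans, spans[1:]):
        if b_start < a_end:
            return "damaged: overlapping partitions"
    return "legacy"


def build_mbr(entries: List[PartitionEntry], boot_code: bytes = b"") -> bytes:
    """Assemble a constructed MBR sector for testing (not a real boot sector)."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, e in enumerate(entries):
        struct.pack_into(ENTRY_FORMAT, sector, TABLE_OFFSET + i * ENTRY_SIZE,
                         0x80 if e.bootable else 0x00, e.type_id, e.start_lba, e.sectors)
    sector[-2:] = BOOT_SIGNATURE
    return bytes(sector)


# --- constructed samples (a ~1 GB disk, stand-in boot code, recorded baseline) ---
DISK_SECTORS = 2_000_000
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 16   # placeholder, not real code
CLEAN_BOOT_CODE_HASH = hashlib.sha256(
    CLEAN_BOOT_CODE.ljust(BOOT_CODE_SIZE, b"\x00")).hexdigest()

LEGACY_MBR = build_mbr([PartitionEntry(True, 0x07, 2048, DISK_SECTORS - 2048)], CLEAN_BOOT_CODE)
GPT_MBR = build_mbr([PartitionEntry(False, 0xEE, 1, DISK_SECTORS - 1)], CLEAN_BOOT_CODE)
OVERWRITTEN_MBR = build_mbr([PartitionEntry(True, 0x07, 2048, DISK_SECTORS - 2048)],
                            b"\xeb\xfe" + b"\x00" * 8)     # bootstrap code replaced
WIPED_TABLE_MBR = build_mbr([], CLEAN_BOOT_CODE)           # partition table zeroed

if __name__ == "__main__":
    for name, mbr in [("legacy", LEGACY_MBR), ("gpt", GPT_MBR),
                      ("overwritten", OVERWRITTEN_MBR), ("wiped", WIPED_TABLE_MBR)]:
        print(f"{name:12s} -> {classify_mbr(mbr, DISK_SECTORS, CLEAN_BOOT_CODE_HASH)}")
```

On a real machine the sector would come from a raw read of the disk (or an offline image) and the baseline hash from a copy taken at install time; rebuilding a wiped partition table with a rescue stick, as the post notes, does not recover files the malware encrypted.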
  30. FIXMBR by Anonymous Coward · · Score: 0

    There, took care of that for you.