Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Warns of ZCryptor Ransomware With Self-Propagation Features (softpedia.com)

Posted by BeauHD on from the mind-of-its-own dept.

An anonymous reader writes from a report issued by Softpedia on May 27: Microsoft and several other security researchers have detected the first ransomware versions that appears to have self-propagation features, being able to spread to other machines on its own by copying itself to shared network drives or portable storage devices automatically. Called ZCryptor, this ransomware seems to enjoy quite the attention from crooks, who are actively distributing today via Flash malvertising and boobytrapped Office files that infect the victim if he enables macro support when opening the file. This just seems to be the latest addition to the ransomware family, one which recently received the ability to launch DDoS attacks while locking the user's computer.

41 of 71 comments (clear)

  1. Microsoft would know by Anonymous Coward · · Score: 4, Funny

    They're the king of ransomware, forcing Windows 10 installations.

    1. Re:Microsoft would know by DeathElk · · Score: 1

      Why mod troll? It is a well documented fact that Microsoft will change your computer operating system through subterfuge, which for many users has caused software and/or hardware to malfunction.

  2. Ahhhh by Adambomb · · Score: 2, Funny

    Good old retro boot sector viruses.

    --
    Ice Cream has no bones.
  3. I heard by Anonymous Coward · · Score: 1, Funny

    It disguises itself as the Windows 10 upgrade notification.

    1. Re: I heard by cbiltcliffe · · Score: 3, Funny

      Angry much?

      Of course he is. He got force upgraded to Windows 10.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    2. Re: I heard by Opportunist · · Score: 1

      Yes, but back then I clicked it away so it had to return in disguise again and now I can't decide if closing it would just close or install it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. They still don't get the difference between code.. by Anonymous Coward · · Score: 4, Insightful

    and data. After twenty years of problems with code in documents, including some that would wipe-out your partition table, they still allow code in a document to execute.

    Also, this might be the first malware that infected network files, but it certainly isn't the first to affect Office documents. We've been hit several dozen times.

  5. Block all Adverts now to protect yourself. by Lumpy · · Score: 5, Insightful

    More proof that everyone should be using an adblocker to keep their computer and friends computers safe.

    Dear website owners.... WAHH about your lost revenue. start hosting the ad's on your own servers and VET THEM to be safe and not an attack vector.

    --
    Do not look at laser with remaining good eye.
    1. Re: Block all Adverts now to protect yourself. by Opportunist · · Score: 1

      ...which is fine until there is a bug in either of them that allows an exploit to run...

      Which is in 99% of infections actually the case. What did you think was happening? Duh!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Pray to whatever god you worship by millertym · · Score: 5, Interesting

    This stuff is nasty.

    1- Have spotless offline backups of everything
    2- Lock down share permissions
    3- Lock down admins on permissions domain level
    4- Lock down admins on local machine level
    5- Pray

    I had to deal with this garbage once earlier this year on a custom domain with awful permissions management. It was bad enough from a single source\spread to shares perspective. I can't imagine the damn thing acting like a worm at the same time. Potentially career ending because 1- your enterprise gets owned so hard and 2- you never want to touch a computer again once you have to try to clean it up.

    1. Re: Pray to whatever god you worship by mspohr · · Score: 1

      But does it run on Linux?

      --
      I don't read your sig. Why are you reading mine?
    2. Re:Pray to whatever god you worship by Anonymous Coward · · Score: 2, Funny

      There is an additional step you want to consider in an enterprise. Notice from the write-up that this one adds itself to the RUN key to ensure persistence. Most malware / crapware that isn't root kit style does this. The key "HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run" should be set to require administrator access to change. That simple change prevents this from getting persistence (and, depending on how the author wrote it, may cause it to fail to encrypt - as you notice the writeup says that setting this key is the first thing it does).

    3. Re:Pray to whatever god you worship by sabbede · · Score: 1

      Oh, good catch! That can also be disabled entirely via group policy, though I forget exactly what it's called. 'Disable access to classic run' or somesuch.

    4. Re:Pray to whatever god you worship by The-Ixian · · Score: 1

      How about just whitelisting applications on your network to locations that user's don't have write access to?

      --
      My eyes reflect the stars and a smile lights up my face.
    5. Re:Pray to whatever god you worship by Anonymous Coward · · Score: 2, Insightful

      Let me tell you what it's like working in infosec in a large organization.

      Me: We need to remove some of these global admin accounts, they can access literally everything, change group policy, delete all 500+ of our file servers around the globe.
      Manager: No we need meetings to do this and a change request process and team to make sure all the players are onboard. Also we cannot spend any money doing this, cannot schedule any employee hours to do this so you'll be doing it on your own time without getting paid. If anything at all goes even the slightest bit wrong, we'll blame you.
      High level manager: I'm not giving up my access to everything
      Manager: okay so Anonymous Coward you can remove all of the 'extra' global admin accounts besides the ones on this list
      (Some giant disaster happens because some Director of Finance or something downloaded malware and then logged into the domain with his global admin account)
      Manager: WHAT THE FUCK ANONYMOUS COWARD, HOW COULD YOU HAVE LET THIS HAPPEN?

      Me: we need to implement security policy X (example: no badge access to data rooms unless you're a sysadmin or otherwise need it)
      Manager: No we need meetings to do this and a change request process and team to make sure all the players are onboard. Also we cannot spend any money doing this, cannot schedule any employee hours to do this so you'll be doing it on your own time without getting paid. If anything at all goes even the slightest bit wrong, we'll blame you.
      High level manager: What do you mean I won't have badge access to the server room? I'm the warehouse manager, my job has nothing to do with IT or servers, but my badge HAS to work on that door because I AM THE MANAGER!
      Manager: okay so Anonymous Coward you can remove badge access to all the 'extra' badges besides the ones on this list
      (Some giant disaster happens because the Warehouse Manager badged into the server room, unplugged all four network cables on the production server and then drove home while everything had a meltdown)
      Manager: WHAT THE FUCK ANONYMOUS COWARD HOW COULD YOU HAVE LET THIS HAPPEN?

    6. Re: Pray to whatever god you worship by Opportunist · · Score: 1

      Not if you don't run Samba so your Windows box can access files...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. maybe its time to put msoffice into a VM? by TheGratefulNet · · Score: 2

    a VM can be contained pretty well. I was used to installing office on my local pc, but now I'm starting to think its going to be safer inside a VM and I'll just run the VM for the few times I have to actually edit word docs. viewing them is ok on libreoffice or similar, but I would not use the free versions to edit ms docs (sigh).

    --

    --
    "It is now safe to switch off your computer."
    1. Re:maybe its time to put msoffice into a VM? by campuscodi · · Score: 4, Informative

      Or use OpenOffice or LibreOffice instead. Heck, even Google Docs is better now.

    2. Re:maybe its time to put msoffice into a VM? by Anonymous Coward · · Score: 2, Funny

      How does this help, if the malware spreads via network shares? If the Office has access to the shares, which is quite handy for editing files in them, it is also possible for it to spread the malware.

    3. Re:maybe its time to put msoffice into a VM? by tgharold · · Score: 1

      That's been my preference for the last year. KVM on Linux now has snapshot support built-in, and OS X Parallels has had it for a while. So about once a month, I'll make a snapshot and label it "good" with some notes. If there's ever trouble, I can rollback to that snapshot.

      For the host operating system, files get written to a backup location via SSH, using a SSH key that can only run the backup program (borg-backup) on the destination server. I have yet to see anything that targets backup software that operates in that fashion (it would need to understand that backups happen via SSH and find a vulnerability in the backup software command on the target).

      And the final layer of defense, backups that are on encrypted external drives that go offsite weekly.

  8. BREAKING NEWS by Anonymous Coward · · Score: 2, Funny

    BREAKING NEWS: Microsoft warns about a new self-installing malware called "Windows 10"

  9. Disable Flash too by duke_cheetah2003 · · Score: 1

    That convinced me to disable Flash forever. No way I want that kind of crap sneaking onto my PC.

  10. Yet another reason by FrozenGeek · · Score: 5, Informative

    not to use flash. I understand that there are many companies with a significant investment in flash-based code. But flash has proven to be a persistent security hole. HTML 5 is a viable alternative to flash. time for those companies to suck it up.

    --
    linquendum tondere
  11. Re: A permanent solution by mspohr · · Score: 3, Informative

    Might be easier to just install Linux.

    --
    I don't read your sig. Why are you reading mine?
  12. Re: A permanent solution by NewtonsLaw · · Score: 1

    Why would I want to install Linux - it's already installed and running on my machines :-)

  13. Re: A permanent solution by mspohr · · Score: 1

    Then why are you going full agro?

    --
    I don't read your sig. Why are you reading mine?
  14. Re: A permanent solution by perryizgr8 · · Score: 1

    And end up in a situation like Android Linux, which has more malware than Windows ever had.

    --
    Wealth is the gift that keeps on giving.
  15. Why not sandbox Office and Office macros? by jonwil · · Score: 1

    Given the number of viruses out there that use Microsoft Office documents as a transmission vector, why hasn't Microsoft locked down VBA and macros so that macros in an Office document file cant do anything dangerous.

    Web browsers sandbox JavaScript code these days to prevent exploits and improve security, why not do the same for Office documents?

    That way, rogue macros can't download and install further malware or access data files all over the disk or mess with Windows system folders/files/data.

    1. Re:Why not sandbox Office and Office macros? by gnupun · · Score: 1

      why hasn't Microsoft locked down VBA and macros so that macros in an Office document file cant do anything dangerous.

      My guess would be (a) the high cost of redesigning the macro subsystem and (b) users bitching and moaning when new macro language breaks their old scripts -- it would be Y2K all over again.

  16. Re:They still don't get the difference between cod by tommeke100 · · Score: 1

    The issue stays the same. If you have data in the file that gets interpreted a certain way ( say, for formatting, a malformed URL, weird characters, ...), but the interpretation is buggy and prone to buffer-overflows or other when reading the wrong data, you're still at risk.

  17. Propagation by ACE209 · · Score: 1

    This one tries to propagate almost as hard as the Windows Update.

    Past proper propagation probably plethoras of problems perceived.

    They that out loud three times.

    --
    "we are all atheists about most of the gods that societies have ever believed in. Some of us just go one god further."
    1. Re:Propagation by Opportunist · · Score: 1

      I did.

      'scuse me, gotta find wipes for the screen.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  18. Re:They still don't get the difference between cod by David_Hart · · Score: 1

    and data. After twenty years of problems with code in documents, including some that would wipe-out your partition table, they still allow code in a document to execute.

    Also, this might be the first malware that infected network files, but it certainly isn't the first to affect Office documents. We've been hit several dozen times.

    By default the latest Office programs save files in a format that prevents macros from running. You have to specifically change the file type to allow macros. When you open macro enabled office files, it will, by default, disable active content and show a warning box. You have to actually click on the box to allow macros and vbscript.

  19. Good thing MS spooked folks into disabling updates by Anonymous Coward · · Score: 1

    Good thing that Microsoft's strongarm tactics trying to force Win 10 upgrades resulted in some people permanently disabling Windows Update on their boxes.

    Not only will those people get owned, but their machines can act as distribution centers to attack other machines, including distributing future malware even if MS releases a patch to help protect against this.

    500 Rupees have been deposited into Satya Nadella's account care of the Russian malware alliance.

  20. Re:They still don't get the difference between cod by myowntrueself · · Score: 1

    I'm curious, what exactly would the difference in a document be between code and data, or preferably how would your implementation look like to prevent executing malware?

    Because the word processor or spreadsheet doesn't have any ability to execute anything outside of its own document?

    Why the fucking fuck would a word processor or spreadsheet need to execute anything or operate in any way outside of their own document? What could possibly go wrong? Oh... wait...

    --
    In the free world the media isn't government run; the government is media run.
  21. Microsoft the security researcher by khz6955 · · Score: 1

    Have Microsoft ever considered looking at their own Source Code. Considering Microsoft is primarily responsible for the malware infestation. That would be like describing Dr. Hannibal Lecter as a food nutritionist researcher.

    1. Re:Microsoft the security researcher by Opportunist · · Score: 1

      Not really anymore. The primary infection vector today are rather third party software packages that are so omnipresent that they can as well be considered part of the OS while having a WAY worse security record than MS. Adobe being probably the worst offender, the currently biggest infection vector being Flash and Acrobat Reader.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  22. Re:They still don't get the difference between cod by chispito · · Score: 1

    After twenty years of problems with code in documents, including some that would wipe-out your partition table, they still allow code in a document to execute.

    Except by default "they" do not allow it. You must enable macro support after clicking through warnings. You may also download whatever binary you want and click through the warning advising you the certificate, issued to "Skripty and the Kidz" is not trusted.

    --
    The Daddy casts sleep on the Baby. The Baby resists!
  23. Re:They still don't get the difference between cod by yuna49 · · Score: 1

    At one of my clients, we use MailScanner plus clamd to scan incoming mail. Clamd has a switch to treat all Office files with macros as viruses so they get sent to quarantine. At this particular client no one has the need to exchange macro-enabled Office files so this is an effective defense. Of course, other organizations might have valid uses for such files. I'd solve that by whitelisting particular senders while continuing to ban any other macro-enabled Office documents.

  24. Re:They still don't get the difference between cod by yuna49 · · Score: 2

    At one client's site an enduser got such a document. It requested that the recipient click the button to enable active content. Of course someone did just that and promptly got infected. Now we just block all macro-enabled documents with clamd.

  25. Candidates for Darwin Award by CmdrTamale · · Score: 1

    It's evolution in action.