Slashdot Mirror
New Ransomware Written Entirely In JavaScript (scmagazine.com)
An anonymous reader writes: Security researchers have discovered a new form of ransomware written entirely in JavaScript and using the CryptoJS library to encode a user's files. Researchers say the file is being distributed through email attachments, according to SC Magazine, which reports that "Opening the attachment kicks off a series of steps that not only locks up the victim's files, but also downloads some additional malware onto the target computer. The attachment does not visibly do anything, but appears to the victim as a corrupted file. However, in fact it is busy doing its dirty work in the background. This includes deleting the Windows Volume Shadow Copy so the encrypted files cannot be recovered and the ransomware is set to run every time Windows starts up so it can capture any new information."
"It's a little bit unusual to see an actual piece of ransomware powered by a scripting language," one security executive tells the magazine, which suggests disabling e-mail attachments that contain a JavaScript file.
"It's a little bit unusual to see an actual piece of ransomware powered by a scripting language," one security executive tells the magazine, which suggests disabling e-mail attachments that contain a JavaScript file.
You have to disable your internet connection and turn off the machine.
https://it.slashdot.org/story/...
Why do browsers and email programs have -any- access to anything? Sandbox the fuckers and call it a day. The fact that they aren't is a sign that companies aren't concerned enough about the problem.
Bye!
What has it been, maybe three decades of this kind of thing? At some point, do we expect people to develop enough technical literacy to avoid this kind of problem?
Note that I'm not saying it is the user's fault. It is the fault of the people writing the ransomware, pure and simple. But it's like walking through the bad part of Philly at night flashing bling all over and being visibly drunk. Yes, it's the muggers fault when you get mugged... but it is still worth pointing out that maybe your choices made your risk be higher than it had to be.. That is not "victim blaming". It's victim helping.
Since malware has been around for a long time, it's pure wishful thinking to imagine it's going away any time soon. So, you have to protect yourself.
Running executable and/or scripted email attachments from NigerianPrice204@notmalware.ng or ThisIsBeckyFromAccounting@No.Really is not how you protect yourself. It's been 30+ years of this. The details change, but the problem remains. Maybe it's time for people to start learning.
there are more and more internet users every day, not everyone knows not to open that .js email attachment
Can someone please just kill the damn shit already? Javascript has always been shit and will always be shit. People who write javascript are shit and will always be shit.
Support your local school shooter, give them your firearms.
This is a modern appy app app apped in AppScript, NOT LUDDITE software! Modern app appers know that ONLY apps can app apps, so it's great to see new appy apps like this app! Apps!
Give it a few days. This is the last place I go to for actual news.
Only the State obtains its revenue by coercion. - Murray Rothbard
A Star Trek actor died, and there's no post?
Did you submit a story about it? That's how Slashdot works...
#DeleteChrome
back off you jerk!!! we're all in pain here
it's technical difficulty
his tears have disabled the ability to submit the story
But Walter Koenig is still alive... You don't seriously consider these new films "Star Trek", do you?
Walter Koenig is alive and well.
You're right, who cares about computer security when we could be talking about actors and showbusiness. Sounds like news for nerds to me.
But does it run on Linux?
Looks like JScript (Windows only).
I don't read your sig. Why are you reading mine?
... of doing something like this in JavaScript if it isn't even going to be cross platform?
File under 'M' for 'Manic ranting'
Stories hit reddit 3 days before they are posted here. You just have to filter the fiction and bs onion style ones.
Surely Javascript gets sent to the browser. And doesn't the browser prevent it accessing the file system?
Some drink at the fountain of knowledge. Others just gargle.
> not everyone knows not to open that .js email attachment
Windows 'helpfully' hides the actual filetype because that is too complicated for Windows users to cope with. They see 'tennisknickers.jpeg' when the actual attachment is 'tennisknickers.jpeg.js'.
Thank you, Microsoft.
So ... stupid question, what's stopping people from obtaining the ransomware, and messing around with it, modifying it?
If you believe in privacy, and believe you have "nothing to hide" at the same time, you're a goddammed idiot
At some point Node.js installs might also get used somehow. Once you have access to that, downloading a bunch of other stuff is only an npm command away.
That's it, I'm calling for the arrest of *all* JavaScript developers. Haven't we suffered enough? Also we should arrest whoever did whatever they're talking about in this article because that sounds bad too.
Either the mail client executes JS with access to full filesystem, or it passes it to the browser that does it.
Clearly there is a sin here: executing non trusted JS with filesystem access. What are the faulty softwares that do this? No names are given here.
Look up how many ransomwarez have ever happened to Linux or FreeBSD users.
Maybe 1 because her password was password.
This isn't entirely true. The initial dropper uses Javascript. This dropper contains a second-stage in base64-encoded form. The initial dropper than loads the second-stage on the target machine. The second-stage is not in JavaScript, only wrapped in it. This is merely FUD.
Comment removed based on user account deletion
It is actually Another reason to hate Windows
Is Linux or OSX not capable of running Javascript?
Comment removed based on user account deletion
Outlook not so good.
Clicking on the subject is enough to open the email and "helpfully" run the script via Internet Explorer.
Absolute fucking insanely bad software design is why we are living knee deep in a malware swamp beyond the dreams of bad science fiction.
I'm sorry,but while I USE web browsers, most of my code is operating in critical environments ranging from deep sea to aero where faults are intolerable, so I am shocked to see this. Perhaps it's more-widely known than I was aware of, as I don't spend much time on the more trivial and/or pop-culture-related stuff like internet related apps; I just expect a web browser to be a solid dependable tool and did not think these were coded quite as foolishly as they apparently are.
Who writes an internet-connected application that allows a chunk of code imported across the internet to run in anything other than a completely isolated sandbox?!?!?!?!?!?!? Have these people ever actually written a stable piece of code they would be willing to stake their life or the life of a close relative on?????
I'm sorry, but I would have thought it the most basic level of common sense and the absolute minimum level of security that a browser would never expose the actual file system of its host computer to Java or Javascript or any other loadable code or loadable plugin. Any file system accessible to such code, for example to be used as a resource cache, should be a virtual filesystem contained entirely within an actual file without the app/plugin knowing or even having any way to detect that this is the case.
It's bad enough that so many amateurish would-be coders are being treated (and sometimes paid) as "experts" while creating code with such basic idiocy as the possibility of a buffer overrun. Such people should not be considered to be competent programmers. Once you get past the minimal level of competency of observing buffer sizes, it ought to not be much of a leap to assume a sandbox is required for plugins/loaded code (sigh).
Perhaps we should all go back to punch cards and FORTRAN.... it might filter out all the pretend programmers. (Hey, you KIDS, git offa my LAWN! (I saved my first computer program on paper tape)).
does it load "the second-stage on the target machine"?
Who allowed JavaScript to load ANYTHING onto the local machine?
Code embedded in a web page should be entirely incapable of touching the local platform.
Does the term "sand box" mean ANYTHING?
As Js is sandboxed on every major browser in every major OS.
most of the Paramount Trek portfolio.
I saw the original Star Trek stuff the long before there were any Trek movies, so I probably have an older perspective on this. I thought the STTNG series was a mixed bag with some eps very good, and some rather cringe-worthy. I expected to dislike the new JJ Abrams version, preferring to wait for the DVD rather than blow cash on a theater ticket, so I'm no "anything with the Star Trek name is good" fanatic. I think the reboot is actually quite good for what it is and in the current Hollywood/scifi environment.
It suffers from many of the crimes of pop culture scifi - like a young crew rapidly promoted from civilian or cadet to commanding officer. A movie has to move fast to satisfy an audience with any prologue, story,and epilogue in only 90 minutes to 3 hours. A reboot, by necessity, has to do all the usual plus provide more intro to explain the rebooting.
It also suffers from easy access to CGI which helps reach an audience who have become almost anesthetized to plots by recent spate of over-the-top comic book films. If you rolled-out new Trek movies today with the very limited effects of the original Trek TV shows, few average people would pay to see it. The lens flares are JJ Abrams - a style. The new ship design and particularly on the interiors actually fit. When the original Trek aired on TV the bridge was "shiny" and futuristic compared to the rest of TV (like Western TV show Gunsmoke) which gave it a bright, clean, futuristic feel. To compete with the atmosphere of so many modern shows and try to be similarly shiny and futuristic for the current audiences, the JJ version needs to be that much more bright and glossy. Hopefully they will not fall into the modern Trek spiral of death which masks a missing plot: Blow up the Enterprise in every movie. How often did THAT happen on the original show? (writers of the original episodes generally were good enough to find other plot mechanisms to introduce jeopardy.
On the upside, The actors did a surprisingly good job of bringing their own game and yet touching the original characters well enough to be quite recognizable. Zachary Quinto does a scary-good Nimoy/Spock. I thought Pine a bad choice for kirk until at several moments in the first film where he channeled a bit of Shatner. I did not get Keith Urban at all when I heard he'd been cast (having seen him in the LoTR films) but actually think he's quite good as bones and will likely shine in the role should it continue. Simon Pegg just does not work for me as Scotty, but I am open enough that I just accept him as "alternate scotty" and try to appreciate his quirky take on the part - hope he gets better.
Ultimately, people just need to lighten-up and remember that it's just entertainment. Lots of people have played Hamlet. Lots of people will play Hamlet in the future. It's pure snobbery to claim that only Olivier did it right (sorry, but I think others did much better that Olivier... it's a matter of taste). Similarly, the hate that some people heap onto the new Trek reboot is just tiresome. Could YOU do better? If so, then prove it by doing it, otherwise just watch something else or fire-up the popcorn.
Personally, I like the older "hard" SciFi... stuff like Asimov, Clarke, Pohl, and Heinlein wrote. But that stuff largely either never gets put onto film, or if it does it does in a horrifically mangled and completely-misunderstood-by-hollywood style (like the Starship Troopers film, which has to be the single worst conversion of a book to a film in human history, yet can be watched with a bucket of popcorn).
Will turn browser into an OS and Windows as a poorly debugged set of device drivers.
How does the marco run considering autorun macros were disable by default on Microsoft Word and how does the rest of it execute without the user providing the admin password. Sounds to me like a veersion of any old word macro virus.
A long white back, for a PhD project, a guy named Alexia (or previously Henry, the name the thesis was submitted under) Massalin, wrote an OS kernel called Synthesis. The aim there was to improve efficiency by using runtime code synthesis. In the modern world, along with sandboxing using processes and memory protection, given that we now have LLVM, it would be worth someone exploring an OS where binaries are more akin to the LLVM representation (or some high level representation), and importantly, there is no static list of kernel syscalls: rather at install time, a list of required syscalls is compiled, and possibly custom versions synthesised so that the process is restricted, at the binary level, to what it can access. Something like that. If you look at the system calls a process makes, how many of the available ones does it use? And of the calls that modify files, or use network sockets, how much of the potential of those calls actually gets used? What I am suggesting is basically using LLVM to enforce something close to the principle of least authority at the kernel syscall level using code synthesis.
John_Chalisque
Have these people ever actually written a stable piece of code they would be willing to stake their life or the life of a close relative on?????
If "mother-in-law" counts as a close relative...
Linux/osx is not dumb enough to make it easy to run an attached javascript file. It can be done, but those who knows how, also knows not to run any sw they get from strangers in the mail.
Seriously, nobody need ability to easily execute stuff that came in the mail. Especially not those who don't understand the implications. So it is not made easy.
Also, even when you succeed in tricking a linux user, the software can't reliably take over the machine. It may still ransom stuff in his account, but the infection does not spread like it does on windows.
A solution that would greatly reduce those kind of problems:
All installable programs should be only available thru a signed repository or store.
The only process able to install programs should be the Store application
No code should be allowed to execute if it hasn't been installed using the Store app.
All app should be sandboxed
That would solve tousand of security problem. But that would also break security software industry. Look at iOS and how many antimalware, antivirus and such exists? None. The process of running signed code in an arbitrary way is so complex that such code (excep proof of concept and jailbreak software) almost doesn't exists.
Of course, malware would still exists and try other infection vector like infect the store itself, but it has been proven up to now that even it this threat exists, it stay marginal and at least is far less spread that current classical virus/malware/spyware.
I can't see that many people paying into it... I mean, if a criminal promised to give me X back if I payed them $Y, I'm not sure I'd trust them. Wouldn't it be more effective to create a worm that secretly installs some software to mine bitcoin for the author or something?
We need a computer that can easily be discarded when it is too much trouble to clean, like plastic forks.
“Common sense is not so common.” — Voltaire
good, now websites will be forced to present a version of themselves which is still usable without JavaScript.
What did that poll say, a quarter of /. readers surf with JavaScriopt disabled by default. God knows I do.
Sad to say, at some point around 2013 it became less about what the web could do for me and more about what the web could do to me.
aka VMware, Virtual Box, or KVM.
In Microsoft smart-enough-to-code but not-smart-enough-to-reject-management is the hiring range. Management is forced to incorporate weak security for the sake of remote access by the USA government.
On one hand they create terror and on the other they claim to defend you from it. They feel the need to monitor the entire population for the sake of their own actual lack of controlling everything.
Control freaks, hypocrites, liars.
Look for the Slashdot story where Microsoft made the X close dialog box to install Windows 10 actually start the install instead of aborting it. Read the comments where a guy was pissed his 9 year old son woke up with Windows 10 on his computer.
Fuck Microsoft every which way and loose.
also: your reasoning made me smile. There is actual intelligence out there.