Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Ransomware Written Entirely In JavaScript (scmagazine.com)

Posted by EditorDavid on from the ECMA-emails dept.

An anonymous reader writes: Security researchers have discovered a new form of ransomware written entirely in JavaScript and using the CryptoJS library to encode a user's files. Researchers say the file is being distributed through email attachments, according to SC Magazine, which reports that "Opening the attachment kicks off a series of steps that not only locks up the victim's files, but also downloads some additional malware onto the target computer. The attachment does not visibly do anything, but appears to the victim as a corrupted file. However, in fact it is busy doing its dirty work in the background. This includes deleting the Windows Volume Shadow Copy so the encrypted files cannot be recovered and the ransomware is set to run every time Windows starts up so it can capture any new information."
"It's a little bit unusual to see an actual piece of ransomware powered by a scripting language," one security executive tells the magazine, which suggests disabling e-mail attachments that contain a JavaScript file.

49 of 96 comments (clear)

  1. very OLD to be first by NotInHere · · Score: 4, Informative

    https://it.slashdot.org/story/...

  2. Sand fucking box by ADRA · · Score: 5, Interesting

    Why do browsers and email programs have -any- access to anything? Sandbox the fuckers and call it a day. The fact that they aren't is a sign that companies aren't concerned enough about the problem.

    --
    Bye!
    1. Re:Sand fucking box by Anonymous Coward · · Score: 2, Interesting

      What you want is already available. Meet Apparmor.

      That people don't use the available tools is a separate problem. There are a range of things from apparmor to lightweight paravirtualizers like lxc. The right place to address this isn't in every single individual tool like an emailer or web browser that can connect to the nextwork, it's in orthogonal tools to solve the problem in one place.

      Do one thing, and do it well.

      If people don't use the tools they have, that's not the fault of the tools.

    2. Re:Sand fucking box by Billly+Gates · · Score: 1

      Because at work the client and my coworkers will complain their Cisco secured mail which requires TLS 1.0 turned on! ... will not work without java and javascript with insecure encryption enabled for security apparently.

      --
      http://saveie6.com/
    3. Re:Sand fucking box by The+MAZZTer · · Score: 1

      If the e-mail application cannot handle a particular file type, it needs to deliver it to an external application. Sandbox will not help since nothing is running inside of the e-mail application; you have to sandbox the user's chosen third-party app (good luck).

    4. Re:Sand fucking box by cluening · · Score: 1

      What if I want to attach a file to a piece of email?

      --
      Posted from the wireless couch.
    5. Re:Sand fucking box by Lennie · · Score: 1

      Not sure why you think this applies here.

      This isn't automatically running Javascript inside the browser or the email program. This attack is about tricking the user in running an attachment.

      Which means in this case it would use Windows Scripting Host to execute the Javascript (could have been VBscript as well). Could have been a Powershell file or whatever, exe-file, it doesn't matter.

      Kind of expected they included an encryption library, if it's running in Windows Scripting Host they could probably just have used existing Windows API to do encryption, right ?

      --
      New things are always on the horizon
    6. Re:Sand fucking box by axewolf · · Score: 1

      no, it's a sign that they profit from delivering their customers to criminals

    7. Re:Sand fucking box by F.Ultra · · Score: 1

      Main problem is just that i.e the Apparmor profile for Firefox is disabled by default. This of course because users wants to be able to download and upload files to/from anywhere and not just to $HOME/Downloads (which also is problematic since that folder is named differently in non English locales).

    8. Re:Sand fucking box by Eravnrekaree · · Score: 2

      AppArmor is a bit of a pain in the ass since it is mostly a whitelist thing, when it might be better to be able to do something more like IPCHAINS. Currently it creates an allow set and then subtracts the entire deny set from the allow set. What is really needed is an ideny or inline deny type rule for ascending or descending precedence of allow and deny rules. Sometimes you might want to alternate permit and deny permissions in descending or ascending precedence. Believe me, lacking this makes it much harder to use in many situations. AppArmor could do this by adding an inline deny or ideny rule rather than change the behaviour of the existing deny rule.

    9. Re:Sand fucking box by flyingfsck · · Score: 1

      Dude, switch to http://www.slackware.com/ and relax.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    10. Re:Sand fucking box by jbmartin6 · · Score: 1

      It comes in as an attachment, once pulled from the email it is just like any other file.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    11. Re:Sand fucking box by jbmartin6 · · Score: 2

      Windows can tag files based on their origin, in the metadata. They could maybe implement a 'restricted mode' for scripts downloaded from the Internet, or from emails. Of course, the user would probably just ignore or disable any warnings.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    12. Re:Sand fucking box by Bengie · · Score: 1

      Believe it or not, but I like to download files off the Internet. Of course the browser could be designed in a way that downloads are a separate process that is heavily locked down to basic function. Possibly even creating a whitelist of which directory is can even access.

    13. Re:Sand fucking box by Lisias · · Score: 1

      Why do browsers and email programs have -any- access to anything? Sandbox the fuckers and call it a day. The fact that they aren't is a sign that companies aren't concerned enough about the problem.

      You missed the point. They *ARE|* concerned about the problem: they need to keep it a problem, so they can sell a solution to corporations.

      Believe me, they are deeply concerned about the survival of their business model.

      --
      Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
  3. technical literacy is lacking. by Anonymous Coward · · Score: 4, Insightful

    What has it been, maybe three decades of this kind of thing? At some point, do we expect people to develop enough technical literacy to avoid this kind of problem?

    Note that I'm not saying it is the user's fault. It is the fault of the people writing the ransomware, pure and simple. But it's like walking through the bad part of Philly at night flashing bling all over and being visibly drunk. Yes, it's the muggers fault when you get mugged... but it is still worth pointing out that maybe your choices made your risk be higher than it had to be.. That is not "victim blaming". It's victim helping.

    Since malware has been around for a long time, it's pure wishful thinking to imagine it's going away any time soon. So, you have to protect yourself.

    Running executable and/or scripted email attachments from NigerianPrice204@notmalware.ng or ThisIsBeckyFromAccounting@No.Really is not how you protect yourself. It's been 30+ years of this. The details change, but the problem remains. Maybe it's time for people to start learning.

    1. Re:technical literacy is lacking. by jbmartin6 · · Score: 4, Insightful

      It's not always clear to the user what constitutes "Running executable and/or scripted email attachments", especially when the OS helpfully hides the extensions and allows assignment of arbitrary icons supplied by the attacker.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  4. things change, things stay the same by suxorzomg · · Score: 1

    there are more and more internet users every day, not everyone knows not to open that .js email attachment

  5. Another reason to hate javascript by Quzak · · Score: 1, Troll

    Can someone please just kill the damn shit already? Javascript has always been shit and will always be shit. People who write javascript are shit and will always be shit.

    --
    Support your local school shooter, give them your firearms.
    1. Re: Another reason to hate javascript by jhoger · · Score: 1

      Nothing to do with JavaScript. It might as well have been vbscript.

      The problem is the MUA allowing you to launch executable Windows script host attachments.

    2. Re: Another reason to hate javascript by Oligonicella · · Score: 1

      Hush. He's a nerd with an axe to grind against a certain language. Don't pop his delusional bubble.

  6. Re:Where's the Chekov article? by 93+Escort+Wagon · · Score: 1

    A Star Trek actor died, and there's no post?

    Did you submit a story about it? That's how Slashdot works...

    --
    #DeleteChrome
  7. But does it run on Linux? by mspohr · · Score: 1

    But does it run on Linux?
    Looks like JScript (Windows only).

    --
    I don't read your sig. Why are you reading mine?
  8. What is the point... by mark-t · · Score: 1

    ... of doing something like this in JavaScript if it isn't even going to be cross platform?

    --
    File under 'M' for 'Manic ranting'
    1. Re:What is the point... by flyingfsck · · Score: 2

      Write once, debug everywhere.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
  9. Okay but what executes js externally to mail? by goombah99 · · Score: 1

    Surely Javascript gets sent to the browser. And doesn't the browser prevent it accessing the file system?

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Okay but what executes js externally to mail? by stoborrobots · · Score: 1

      HTML gets sent to the browser. Javascript gets sent to WScript.exe...

      --
      "Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
    2. Re:Okay but what executes js externally to mail? by hattig · · Score: 1

      And so we get to the cause of the problem.

      Windows and Microsoft.

      Why isn't the downloaded file tagged as "downloaded from the internet". This seems to be a capability that Windows has.

      Why doesn't wscript.exe look for that and refuse to run the script or run the script in a locked down sandbox. Although I guess Windows would just pop up a "Run this malware as administrator? Yes / Yes" UAC box anyway.

      The sooner that operating systems containerise every application the better. Limit the damage - I'd rather erase a malware-encrypted container of an app and its data than my entire system.

  10. Squpid Q by Travelsonic · · Score: 2

    So ... stupid question, what's stopping people from obtaining the ransomware, and messing around with it, modifying it?

    --
    If you believe in privacy, and believe you have "nothing to hide" at the same time, you're a goddammed idiot
  11. We need to arrest all JavaScript developers by Early+Six+Digit+UID · · Score: 1

    That's it, I'm calling for the arrest of *all* JavaScript developers. Haven't we suffered enough? Also we should arrest whoever did whatever they're talking about in this article because that sounds bad too.

  12. Faulty software by manu0601 · · Score: 1

    Either the mail client executes JS with access to full filesystem, or it passes it to the browser that does it.

    Clearly there is a sin here: executing non trusted JS with filesystem access. What are the faulty softwares that do this? No names are given here.

  13. FUD - Not Entirely True by Anonymous Coward · · Score: 1

    This isn't entirely true. The initial dropper uses Javascript. This dropper contains a second-stage in base64-encoded form. The initial dropper than loads the second-stage on the target machine. The second-stage is not in JavaScript, only wrapped in it. This is merely FUD.

  14. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  15. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  16. Re:Disabling attachments is not enough by CaptainDork · · Score: 4, Funny

    That will help, but a more effective strategy is to find the breaker box and flip them all off and stuff.

    However, be aware that the FBI can, and does, monitor the water flowing up to your house for subtle vibrations caused by voices and footsteps.

    They do the same thing with natural gas.

    They even put vibration sensors on the cable, telephone, and electrical lines that physically attach to your home from that pole out there.

    The only real solution is to move out.

    They will know you did, though.

    --
    It little behooves the best of us to comment on the rest of us.
  17. Not as complex as you suggest by dbIII · · Score: 1

    This isn't automatically running Javascript inside the browser or the email program. This attack is about tricking the user in running an attachment.

    Outlook not so good.
    Clicking on the subject is enough to open the email and "helpfully" run the script via Internet Explorer.

    Absolute fucking insanely bad software design is why we are living knee deep in a malware swamp beyond the dreams of bad science fiction.

  18. Javascript is the new Emacs by prasadsurve · · Score: 1

    Will turn browser into an OS and Windows as a poorly debugged set of device drivers.

  19. A new form of ransomware .. by khz6955 · · Score: 1

    How does the marco run considering autorun macros were disable by default on Microsoft Word and how does the rest of it execute without the user providing the admin password. Sounds to me like a veersion of any old word macro virus.

  20. Revisit synthesis by John+Allsup · · Score: 2

    A long white back, for a PhD project, a guy named Alexia (or previously Henry, the name the thesis was submitted under) Massalin, wrote an OS kernel called Synthesis. The aim there was to improve efficiency by using runtime code synthesis. In the modern world, along with sandboxing using processes and memory protection, given that we now have LLVM, it would be worth someone exploring an OS where binaries are more akin to the LLVM representation (or some high level representation), and importantly, there is no static list of kernel syscalls: rather at install time, a list of required syscalls is compiled, and possibly custom versions synthesised so that the process is restricted, at the binary level, to what it can access. Something like that. If you look at the system calls a process makes, how many of the available ones does it use? And of the calls that modify files, or use network sockets, how much of the potential of those calls actually gets used? What I am suggesting is basically using LLVM to enforce something close to the principle of least authority at the kernel syscall level using code synthesis.

    --
    John_Chalisque
    1. Re:Revisit synthesis by Lisias · · Score: 1

      They already tried that. It was J2ME - and each mobile builder locked the thing the way they could in order to protect their lawn.

      On the Desktop, J2SE and J2EE tried something like that, but the outcry from the userbase that suddenly saw they poorly configured servers breaking down, even after years of advices about what would be coming killed the concept.

      The security problems we have nowadays are not a technical problem. It's a human problem. "We" *WANT* things as we have nowadays.

      --
      Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
  21. Re:um, are web broswers written by absolute MORONS by 6Yankee · · Score: 1

    Have these people ever actually written a stable piece of code they would be willing to stake their life or the life of a close relative on?????

    If "mother-in-law" counts as a close relative...

  22. Re:Another reason to hate Windows by Anonymous Coward · · Score: 1

    Linux/osx is not dumb enough to make it easy to run an attached javascript file. It can be done, but those who knows how, also knows not to run any sw they get from strangers in the mail.

    Seriously, nobody need ability to easily execute stuff that came in the mail. Especially not those who don't understand the implications. So it is not made easy.

    Also, even when you succeed in tricking a linux user, the software can't reliably take over the machine. It may still ransom stuff in his account, but the infection does not spread like it does on windows.

  23. Re: Disabling attachments is not enough by jbmartin6 · · Score: 1

    Ransomware is a simple concept, other OSes are not immune to it. All it needs is some way to get the user to execute a script or binary.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  24. Simple solution by olahaye74 · · Score: 1

    A solution that would greatly reduce those kind of problems:

    All installable programs should be only available thru a signed repository or store.
    The only process able to install programs should be the Store application
    No code should be allowed to execute if it hasn't been installed using the Store app.
    All app should be sandboxed

    That would solve tousand of security problem. But that would also break security software industry. Look at iOS and how many antimalware, antivirus and such exists? None. The process of running signed code in an arbitrary way is so complex that such code (excep proof of concept and jailbreak software) almost doesn't exists.

    Of course, malware would still exists and try other infection vector like infect the store itself, but it has been proven up to now that even it this threat exists, it stay marginal and at least is far less spread that current classical virus/malware/spyware.

    1. Re:Simple solution by olahaye74 · · Score: 1

      One can imagin an open solution.
      If I take the example of Linux, repositories could be signed by distro vendors, then SELinux could be configured to only allow the package manager to install software in system-tree. /opt or /usr/local could still be used by developpers for testing their app.
      and (for linux at least), the enforcement could be disabled by experienced users.

      Why the hell on widown, no software repository exists yet? We had a few attempts in the past like google updater, but all have disapeared since.
      Even worse, windows update doesn't include all microsoft software. If you run windows update, no update for visual studio? A joke?

  25. Why is Ransomware the new thing? by wardrich86 · · Score: 1

    I can't see that many people paying into it... I mean, if a criminal promised to give me X back if I payed them $Y, I'm not sure I'd trust them. Wouldn't it be more effective to create a worm that secretly installs some software to mine bitcoin for the author or something?

  26. Disposable operating systems - landfills be damned by OrangeTide · · Score: 1

    We need a computer that can easily be discarded when it is too much trouble to clean, like plastic forks.

    --
    “Common sense is not so common.” — Voltaire
  27. Re:This shouldn't work... by OrangeTide · · Score: 1

    There is a hole in the sandbox. It only requires the user to save the file to disk and agree to run it locally.

    --
    “Common sense is not so common.” — Voltaire
  28. Good by WOOFYGOOFY · · Score: 1

    good, now websites will be forced to present a version of themselves which is still usable without JavaScript.

    What did that poll say, a quarter of /. readers surf with JavaScriopt disabled by default. God knows I do.

    Sad to say, at some point around 2013 it became less about what the web could do for me and more about what the web could do to me.