Slashdot Mirror


Locky Ransomware Uses Decoy Image Files To Ambush Facebook, LinkedIn Accounts (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: A low-tech but cunning malware program is worrying security researchers after it started spreading rapidly in the past week through a new attack vector: by forcibly exploiting vulnerabilities in Facebook and LinkedIn. According to the Israeli security firm Check Point, security flaws in the two social networks allow a maliciously coded image file to download itself to a user's computer. Users who notice the download, and who then access the file, cause malicious code to install "Locky" ransomware onto their computers. Locky has been around since early this year, and works by encrypting victims' files and demanding a payment of around half a bitcoin for the key. Previously, it had relied on a malicious macro in Word documents and spam e-mails, but Check Point says that in the past week there has been a "massive spread of the Locky ransomware via social media, particularly in its Facebook-based campaign." Users are advised not to open any file that has automatically downloaded, especially any image file with an unusual extension such as SVG, JS, or HTA -- though benign-looking images could exploit the way Windows hides file extensions by default.

36 comments

  1. But... Does it run on Linux? by mspohr · · Score: 3, Insightful

    ... or OSX ... or ChromeOS ... or iOS ... or Android?
    We really need to know these things.
    Or should we always just assume it's Windows all the time?

    --
    I don't read your sig. Why are you reading mine?
  2. What do you mean by access? by Anonymous Coward · · Score: 0

    What, I have to run it myself? What if I happen to be a downloads folder 0 type of guy? ctrl+a shift+delete.

    1. Re:What do you mean by access? by ArmoredDragon · · Score: 2

      It mostly takes advantage of naive users, but really it was incredibly stupid of Microsoft to hide file extensions by default all those years back. It's been a major security pain point for a very long time, and yet still it remains.

  3. Damnit by JustAnotherOldGuy · · Score: 3, Interesting

    Damnit, I don't have a Facebook account so I never get to enjoy all these new malware strains.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Damnit by Anonymous Coward · · Score: 0

      Would you believe it's dammit?

      How is this done?

      naked_girls.svg.exe?

    2. Re:Damnit by Anonymous Coward · · Score: 0

      It can be damnit, dammit or damn it.

  4. "maliciously coded image file"? by Anonymous Coward · · Score: 4, Insightful

    the two social networks allow a maliciously coded image file to download itself to a user's computer.

    WTF is a "maliciously coded image file"?

    What is the format of this file? JPG? PNG? How, precisely, is it exploiting the image viewer? Via buffer overrun? And WHICH image viewer has a vulnerability to the offending image? That is a key point, so that we can avoid the vulnerable software. Certainly not all of them would be vulnerable.

    Or, maybe, just maybe, this is actually not an image file at all, but a native executable, and stupid operating systems that present it as if it was an image file proceed to run the executable when it is double clicked, combined with stupid users who 40 years after the personal computing revolution started still don't have the slightest idea what they are asking computers to do, are having problems? If so, then why not say so, rather than pretend this is some utterly inexplicable sequence of events?

    And while we're at it, what does "download itself to a user's computer" mean?

    1. Re:"maliciously coded image file"? by Anonymous Coward · · Score: 0

      Sounds to me like it's fundamentally an OS security issue rather than FB/LinkedIn being to blame.

    2. Re:"maliciously coded image file"? by jbmartin6 · · Score: 1

      From the article, it seems that is pretty much the problem "Users are advised not to open any file that has automatically downloaded, especially any image file with an unusual extension such as SVG, JS, or HTA"

      In other words, somehow the user is made to think an image file has been downloaded, but it is something else.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    3. Re:"maliciously coded image file"? by rudy_wayne · · Score: 3, Informative

      WTF is a "maliciously coded image file"?

      What is the format of this file? JPG? PNG? How, precisely, is it exploiting the image viewer? Via buffer overrun?

      Details are not available yet. According to one story, the people who discovered the exploit are not talking about details until it has been patched. I don't know if it's relevant but the story specifically mentions SVG and today I learned that you can embed Javascript code into an SVG image file. Since the only SVG image viewer that most people have is a web browser, this could be one possible attack vector.

    4. Re:"maliciously coded image file"? by TechyImmigrant · · Score: 4, Insightful

      >today I learned that you can embed Javascript code into an SVG image file

      And today I learned that from you.

      It's like people just can't stop themselves from making declarative things executable in full knowledge that it will lead to a fresh source of attack vectors that will be exploited for years to come. I expect there is no switch, defaulted to 'off' to prevent the execution of javascript in places it shouldn't be, like in SVG in any browser I use. I can't find such a thing in Chrome.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    5. Re:"maliciously coded image file"? by Anonymous Coward · · Score: 0

      Or, maybe, just maybe, this is actually not an image file at all, but a native executable, and stupid operating systems that present it as if it was an image file proceed to run the executable when it is double clicked, combined with stupid users who 40 years after the personal computing revolution started still don't have the slightest idea what they are asking computers to do, are having problems?

      O, if only we were all as learned, experienced, wise, cynical, entitled and uncaring as you, anon. Then we could laugh in the victims' faces before sending them an emoji of poop, knowing they're too stupid to read their email and they won't get it.

    6. Re:"maliciously coded image file"? by Anonymous Coward · · Score: 0

      JavaScript code in SVG is ignored if it's referenced using an img tag, and executed if referenced using the object tag. For example GitHub allows SVG graphics in project documentation, but uses img tags to avoid executing any code in them.

    7. Re:"maliciously coded image file"? by Anonymous Coward · · Score: 0

      In the video, I don't see any image related links being clicked. All I see is someone clicking on a .hta link, and then a .hta file being downloaded, as you'd expect.
      So at best, the video shows a .hta HTML Application vulnerability, but nothing image related.

    8. Re:"maliciously coded image file"? by Anonymous Coward · · Score: 0

      FYI, the video demo from the Check Point blog - https://youtu.be/sGlrLFo43pY

    9. Re:"maliciously coded image file"? by Anonymous Coward · · Score: 0

      Users are advised not to open any file that has automatically downloaded, especially any image file with an unusual extension such as SVG, JS, or HTA

      Just your average M$ JScript based malware.

    10. Re:"maliciously coded image file"? by xkenny13 · · Score: 1

      WTF is a "maliciously coded image file"?

      What is the format of this file? JPG? PNG? How, precisely, is it exploiting the image viewer? Via buffer overrun?

      Details are not available yet. According to one story, the people who discovered the exploit are not talking about details until it has been patched. I don't know if it's relevant but the story specifically mentions SVG and today I learned that you can embed Javascript code into an SVG image file. Since the only SVG image viewer that most people have is a web browser, this could be one possible attack vector.

      In the first link from the summary, there's a video embedded a bit down. At 0:27, there's a screen shot containing a "Notepad" dump of the HTA file, here you can see that the opening bytes represent a standard JPEG (JFIF) format image. When I worked in Imaging and ECM (FileNet Corp.), I knew many programs that relied on the "magic number" (opening bytes) of a file to identify the format; ignoring the file extension which can sometimes be wrong.

      So (I'm guessing) Facebook assumes it's a regular ol' JPEG image based on the header bytes, when in reality it's an HTA (HTML Executable). When Facebook tries to serve it to the user, the web browser knows it's not a JPEG and forces the download so Windows Explorer can handle it. The user then double-clicks on the HTA and that's when the exploit takes place. If you still have file extensions hidden in Windows, you'd never know it wasn't a JPEG to begin with.

      One wonders why Microsoft still clings to the idea that hiding file extensions is a good idea. It's still the default behavior even in Windows 10.
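      A small download-folder triage check for the three tricks the thread describes: a double extension such as `naked_girls.svg.exe` (comment 3.1), a file carrying a JPEG magic number but an executable extension like `.hta` (comment 4.10), and active content inside an SVG (comment 4.6). This is example code added here, not from the thread or from Check Point; the sample files are constructed and contain no payload.

```python
import re
from pathlib import PurePath
from typing import List, Optional

# Extensions Windows runs on double-click (the ones the thread mentions, plus a few siblings).
EXECUTABLE_EXTS = {".hta", ".js", ".jse", ".vbs", ".wsf", ".exe", ".scr", ".cmd", ".bat"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".svg"}

# Magic numbers of the image formats the thread talks about.
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF87a": "gif", b"GIF89a": "gif"}

# Heuristic for active content in SVG: <script> elements, on* event handlers, javascript: URLs.
SVG_ACTIVE = re.compile(rb"<script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

def sniff(data: bytes) -> Optional[str]:
    """Identify the format from the leading bytes, ignoring the file name entirely."""
    for magic, fmt in MAGIC.items():
        if data.startswith(magic):
            return fmt
    if b"<svg" in data[:1024].lower():
        return "svg"
    return None

def triage(name: str, data: bytes) -> List[str]:
    """Return findings for one downloaded file; an empty list means nothing stood out."""
    findings = []
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    ext = suffixes[-1] if suffixes else ""
    # photo.jpg.exe: with extensions hidden, Explorer shows it as "photo.jpg".
    if len(suffixes) >= 2 and suffixes[-2] in IMAGE_EXTS and ext in EXECUTABLE_EXTS:
        findings.append(f"double extension hides executable: {name}")
    elif ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {ext}")
    fmt = sniff(data)
    # JPEG bytes in front of an .hta pass a magic-number check, but Windows still runs the .hta.
    if fmt in ("jpeg", "png", "gif") and ext in EXECUTABLE_EXTS:
        findings.append(f"{fmt} magic number but executable extension {ext}")
    if (fmt == "svg" or ext == ".svg") and SVG_ACTIVE.search(data):
        findings.append("SVG contains script or event handler")
    return findings

# Constructed samples, not files from the campaign.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SAMPLE_HTA = SAMPLE_JPEG + b"<html><!-- constructed placeholder, no real payload --></html>"
SAMPLE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'

if __name__ == "__main__":
    for fname, blob in [("photo.hta", SAMPLE_HTA), ("pic.svg", SAMPLE_SVG)]:
        print(fname, triage(fname, blob))
```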

    11. Re:"maliciously coded image file"? by johannesg · · Score: 1

      What I find interesting is why apparently this exploit is only possible on Facebook and LinkedIn. Is there something unique about the way they handle images that doesn't occur on other websites?

  5. Show file ectensions ... by CaptainDork · · Score: 1

    How to show File Extensions in Windows 10 / 8 / 7

    http://www.thewindowsclub.com/show-file-extensions-in-windows

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:Show file ectensions ... by Szeraax · · Score: 1

      This is good advice... but totally wrong for this topic.

      The ransomware is running by being embedded in the actual picture file. It will usually have a downloader embedded so that AV stuff doesn't actually flag the image for ransomware. So.... if your browser randomly downloads a picture file that you didn't opt to receive, you should probably stop browsing on Facebook and go double check your backups.

    2. Re:Show file ectensions ... by CaptainDork · · Score: 1

      Here's some totally wrong information from TFA:

      Users are advised not to open any file that has automatically downloaded, especially any image file with an unusual extension such as SVG, JS, or HTA -- though benign-looking images could exploit the way Windows hides file extensions by default.

      --
      It little behooves the best of us to comment on the rest of us.
    3. Re:Show file ectensions ... by Szeraax · · Score: 1

      mmmm, summaries are too hard... Thanks

    4. Re:Show file ectensions ... by CaptainDork · · Score: 1

      No problem.

      Also, I dislike not proof reading before I post, as in "ectensions," in the Subject line.

      --
      It little behooves the best of us to comment on the rest of us.
  6. Who cares by Anonymous Coward · · Score: 0

    If you're stupid enough to get suckered you deserve it.

    Now back to my bong

    1. Re:Who cares by CaptainDork · · Score: 1

      You deserve it.

      --
      It little behooves the best of us to comment on the rest of us.
  7. Granting blind permission by fred911 · · Score: 1

    to your OS to execute unknown code is just plain stupid. Clicking on a file without knowing what it consists of is even more stupid.

    --
    09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    1. Re:Granting blind permission by CaptainDork · · Score: 2

      Stupidity and ignorance may yield the same results, but one is voluntary; the other isn't. ~ © 2016 CaptainDork

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re:Granting blind permission by Anonymous Coward · · Score: 0

      to your OS to execute unknown code is just plain stupid.

      Except for the fact that every time you go to just about any web page, no matter what OS you use, your browser executes unknown code, aka Javascript.

    3. Re:Granting blind permission by Anonymous Coward · · Score: 0

      Except for the fact that every time you go to just about any web page, no matter what OS you use, your browser executes unknown code, aka Javascript.

      Err...no, mine certainly does not do anything that idiotic.

      Speak for yourself.... and enjoy your browser based malware and spyware.

  8. Pics... by nuckfuts · · Score: 1

    or it didn't happen.

  9. Gifar by manu0601 · · Score: 2

    This looks like the ancient Gifar attack: inject some executable content identified as an image.

  10. The way stuff works by Anonymous Coward · · Score: 0

    I'm guessing when the little critter downloads it shows up in the browser download window. Horny perv that was browsing fake hot chick account gets what he thinks is a private pic. In his horny eagerness he clicks and accepts. Sees a pic and continues his goofy day.

  11. Re:But... Does it run on Linux? by davester666 · · Score: 2

    who cares? I don't use facebook or linkedin, and my computer blocks resolving those domains.

    --
    Sleep your way to a whiter smile...date a dentist!
  12. Re:But... Does it run on Linux? by Anonymous Coward · · Score: 0

    fully locked down macos wouldn't run an unsigned executable from the download folder