Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Crime Security Social Networks The Internet

New Ransomware Written Entirely In JavaScript (scmagazine.com) 96

An anonymous reader writes: Security researchers have discovered a new form of ransomware written entirely in JavaScript and using the CryptoJS library to encode a user's files. Researchers say the file is being distributed through email attachments, according to SC Magazine, which reports that "Opening the attachment kicks off a series of steps that not only locks up the victim's files, but also downloads some additional malware onto the target computer. The attachment does not visibly do anything, but appears to the victim as a corrupted file. However, in fact it is busy doing its dirty work in the background. This includes deleting the Windows Volume Shadow Copy so the encrypted files cannot be recovered and the ransomware is set to run every time Windows starts up so it can capture any new information."
"It's a little bit unusual to see an actual piece of ransomware powered by a scripting language," one security executive tells the magazine, which suggests disabling e-mail attachments that contain a JavaScript file.
This discussion has been archived. No new comments can be posted.

New Ransomware Written Entirely In JavaScript

Comments Filter:
  • very OLD to be first (Score:5, Informative)

    by NotInHere ( 3654617 ) on Sunday June 19, 2016 @03:42PM (#52348557)
  • Sand fucking box (Score:5, Interesting)

    by ADRA ( 37398 ) on Sunday June 19, 2016 @03:44PM (#52348561)

    Why do browsers and email programs have -any- access to anything? Sandbox the fuckers and call it a day. The fact that they aren't is a sign that companies aren't concerned enough about the problem.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      What you want is already available. Meet Apparmor. [wikipedia.org]

      That people don't use the available tools is a separate problem. There are a range of things from apparmor to lightweight paravirtualizers like lxc [wikipedia.org]. The right place to address this isn't in every single individual tool like an emailer or web browser that can connect to the nextwork, it's in orthogonal tools to solve the problem in one place.

      Do one thing, and do it well.

      If people don't use the tools they have, that's not the fault of the tools.

      • Main problem is just that i.e the Apparmor profile for Firefox is disabled by default. This of course because users wants to be able to download and upload files to/from anywhere and not just to $HOME/Downloads (which also is problematic since that folder is named differently in non English locales).
      • AppArmor is a bit of a pain in the ass since it is mostly a whitelist thing, when it might be better to be able to do something more like IPCHAINS. Currently it creates an allow set and then subtracts the entire deny set from the allow set. What is really needed is an ideny or inline deny type rule for ascending or descending precedence of allow and deny rules. Sometimes you might want to alternate permit and deny permissions in descending or ascending precedence. Believe me, lacking this makes it much hard

    • Because at work the client and my coworkers will complain their Cisco secured mail which requires TLS 1.0 turned on! ... will not work without java and javascript with insecure encryption enabled for security apparently.

    • If the e-mail application cannot handle a particular file type, it needs to deliver it to an external application. Sandbox will not help since nothing is running inside of the e-mail application; you have to sandbox the user's chosen third-party app (good luck).
      • Surely Javascript gets sent to the browser. And doesn't the browser prevent it accessing the file system?

        • HTML gets sent to the browser. Javascript gets sent to WScript.exe...

          • by hattig ( 47930 )

            And so we get to the cause of the problem.

            Windows and Microsoft.

            Why isn't the downloaded file tagged as "downloaded from the internet". This seems to be a capability that Windows has.

            Why doesn't wscript.exe look for that and refuse to run the script or run the script in a locked down sandbox. Although I guess Windows would just pop up a "Run this malware as administrator? Yes / Yes" UAC box anyway.

            The sooner that operating systems containerise every application the better. Limit the damage - I'd rather eras

    • by cluening ( 6626 )

      What if I want to attach a file to a piece of email?

    • by Lennie ( 16154 )

      Not sure why you think this applies here.

      This isn't automatically running Javascript inside the browser or the email program. This attack is about tricking the user in running an attachment.

      Which means in this case it would use Windows Scripting Host to execute the Javascript (could have been VBscript as well). Could have been a Powershell file or whatever, exe-file, it doesn't matter.

      Kind of expected they included an encryption library, if it's running in Windows Scripting Host they could probably just hav

      • This isn't automatically running Javascript inside the browser or the email program. This attack is about tricking the user in running an attachment.

        Outlook not so good.
        Clicking on the subject is enough to open the email and "helpfully" run the script via Internet Explorer.

        Absolute fucking insanely bad software design is why we are living knee deep in a malware swamp beyond the dreams of bad science fiction.

      • Windows can tag files based on their origin, in the metadata. They could maybe implement a 'restricted mode' for scripts downloaded from the Internet, or from emails. Of course, the user would probably just ignore or disable any warnings.
    • no, it's a sign that they profit from delivering their customers to criminals

    • Comment removed based on user account deletion
    • It comes in as an attachment, once pulled from the email it is just like any other file.
    • by Bengie ( 1121981 )
      Believe it or not, but I like to download files off the Internet. Of course the browser could be designed in a way that downloads are a separate process that is heavily locked down to basic function. Possibly even creating a whitelist of which directory is can even access.
    • by Lisias ( 447563 )

      Why do browsers and email programs have -any- access to anything? Sandbox the fuckers and call it a day. The fact that they aren't is a sign that companies aren't concerned enough about the problem.

      You missed the point. They *ARE|* concerned about the problem: they need to keep it a problem, so they can sell a solution to corporations.

      Believe me, they are deeply concerned about the survival of their business model.

  • by Anonymous Coward on Sunday June 19, 2016 @03:49PM (#52348583)

    What has it been, maybe three decades of this kind of thing? At some point, do we expect people to develop enough technical literacy to avoid this kind of problem?

    Note that I'm not saying it is the user's fault. It is the fault of the people writing the ransomware, pure and simple. But it's like walking through the bad part of Philly at night flashing bling all over and being visibly drunk. Yes, it's the muggers fault when you get mugged... but it is still worth pointing out that maybe your choices made your risk be higher than it had to be.. That is not "victim blaming". It's victim helping.

    Since malware has been around for a long time, it's pure wishful thinking to imagine it's going away any time soon. So, you have to protect yourself.

    Running executable and/or scripted email attachments from NigerianPrice204@notmalware.ng or ThisIsBeckyFromAccounting@No.Really is not how you protect yourself. It's been 30+ years of this. The details change, but the problem remains. Maybe it's time for people to start learning.

  • there are more and more internet users every day, not everyone knows not to open that .js email attachment
  • Can someone please just kill the damn shit already? Javascript has always been shit and will always be shit. People who write javascript are shit and will always be shit.
    • Nothing to do with JavaScript. It might as well have been vbscript.

      The problem is the MUA allowing you to launch executable Windows script host attachments.

  • But does it run on Linux?
    Looks like JScript (Windows only).

  • ... of doing something like this in JavaScript if it isn't even going to be cross platform?
  • by Travelsonic ( 870859 ) on Sunday June 19, 2016 @05:58PM (#52349107) Journal
    So ... stupid question, what's stopping people from obtaining the ransomware, and messing around with it, modifying it?
  • That's it, I'm calling for the arrest of *all* JavaScript developers. Haven't we suffered enough? Also we should arrest whoever did whatever they're talking about in this article because that sounds bad too.
  • Either the mail client executes JS with access to full filesystem, or it passes it to the browser that does it.

    Clearly there is a sin here: executing non trusted JS with filesystem access. What are the faulty softwares that do this? No names are given here.

  • by Anonymous Coward

    This isn't entirely true. The initial dropper uses Javascript. This dropper contains a second-stage in base64-encoded form. The initial dropper than loads the second-stage on the target machine. The second-stage is not in JavaScript, only wrapped in it. This is merely FUD.

  • Will turn browser into an OS and Windows as a poorly debugged set of device drivers.
  • How does the marco run considering autorun macros were disable by default on Microsoft Word and how does the rest of it execute without the user providing the admin password. Sounds to me like a veersion of any old word macro virus.
  • A long white back, for a PhD project, a guy named Alexia (or previously Henry, the name the thesis was submitted under) Massalin, wrote an OS kernel called Synthesis. The aim there was to improve efficiency by using runtime code synthesis. In the modern world, along with sandboxing using processes and memory protection, given that we now have LLVM, it would be worth someone exploring an OS where binaries are more akin to the LLVM representation (or some high level representation), and importantly, there is no static list of kernel syscalls: rather at install time, a list of required syscalls is compiled, and possibly custom versions synthesised so that the process is restricted, at the binary level, to what it can access. Something like that. If you look at the system calls a process makes, how many of the available ones does it use? And of the calls that modify files, or use network sockets, how much of the potential of those calls actually gets used? What I am suggesting is basically using LLVM to enforce something close to the principle of least authority at the kernel syscall level using code synthesis.

    • by Lisias ( 447563 )

      They already tried that. It was J2ME - and each mobile builder locked the thing the way they could in order to protect their lawn.

      On the Desktop, J2SE and J2EE tried something like that, but the outcry from the userbase that suddenly saw they poorly configured servers breaking down, even after years of advices about what would be coming killed the concept.

      The security problems we have nowadays are not a technical problem. It's a human problem. "We" *WANT* things as we have nowadays.

  • A solution that would greatly reduce those kind of problems:

    All installable programs should be only available thru a signed repository or store.
    The only process able to install programs should be the Store application
    No code should be allowed to execute if it hasn't been installed using the Store app.
    All app should be sandboxed

    That would solve tousand of security problem. But that would also break security software industry. Look at iOS and how many antimalware, antivirus and such exists? None. The process

  • I can't see that many people paying into it... I mean, if a criminal promised to give me X back if I payed them $Y, I'm not sure I'd trust them. Wouldn't it be more effective to create a worm that secretly installs some software to mine bitcoin for the author or something?
  • We need a computer that can easily be discarded when it is too much trouble to clean, like plastic forks.

  • good, now websites will be forced to present a version of themselves which is still usable without JavaScript.

    What did that poll say, a quarter of /. readers surf with JavaScriopt disabled by default. God knows I do.

    Sad to say, at some point around 2013 it became less about what the web could do for me and more about what the web could do to me.

If all else fails, lower your standards.

Working...