
Thread: Do people just run anything they get emailed?

  1. #1 TheAnimus

    So a mate of mine was infuriated to find out a client he supports had run an executable they had been emailed... However this particular one takes advantage of the fact you don't need admin privs to piss off the user.

    The lady in question was using her home laptop for work, so had no backups when:
    http://arstechnica.com/security/2013...0-in-bitcoins/

    struck.

    It's a crypto-ransom-thing. Basically a $300 mistake, as all your document files (that you have write access to) become encrypted, and the only way to get the access back is to pay the ransom. Or you know, use the backup plan you have which of course involves cold versions right? Right?!

    The main thing here is because it doesn't install itself in any dodgy ways, it doesn't trigger UAC; after all your restricted user can write the document files you work on....

    Well we figured we should do a little audit, I made a quick dummy virus, basically it looped:

    And pressing CTRL+ALT+DELETE would be enough to stop it.

    Turns out my father had it up on screen for 25 min, before rebooting the PC. He then proceeded to run the same phishing email again. ergh.
    throw new ArgumentException (String, String, Exception)

  2. #2 wasabi
    • wasabi's system
      • Motherboard: MSI B85M-G43
      • CPU: i3-4130
      • Memory: 8 gig DDR3 Crucial Rendition 1333 - cheap!
      • Storage: 128 gig Agility 3, 240GB Corsair Force 3
      • Graphics card(s): Zotac GTX 750Ti
      • PSU: Silver Power SP-S460FL
      • Case: Lian Li T60 testbench
      • Operating System: Win7 64bit
      • Monitor(s): First F301GD Live
      • Internet: Virgin cable 100 meg

    Email .exes are a pain. Even bigger are email .zips. Most places I've worked we've blocked them as they might contain an .exe. This causes an ongoing trench war with irritated users.

    But yes, a very large percentage of users will just run them. Even if they don't know the sender and the filename on the exe is blatantly suspicious.

    I'm beginning to think whitelisting executables for end users is the way forward, although on principle I hate the walled garden approach.

  3. #3

    Also, don't leave your computer unlocked when TheAnimus is around...

    Can't remember whose computer it was that got "Hoffed" at a LAN once.

  4. #4 TheAnimus

    oooh I should set it as their wallpaper... What, What!

  5. #5 peterb

    Worse are the xxxx.pdf....................................................................................................................................exe files - the exe is usually hidden by most e-mail clients, so the user opens what they think is a pdf file - but is an exe.

    I had a new twist today - purportedly from dropbox telling me my password had expired.

    If I am uncertain about an e-mail, I usually examine it on a Linux machine, in a directory that doesn't have execute privileges - some measure of protection.
    (\__/)
    (='.'=)
    (")_(")

    Been helped or just 'Like' a post? Use the Thanks button!
    My broadband speed - 750 Meganibbles/minute

  6. #6 OilSheikh

    Did your client pay the $300 ransom ?

  7. #7 noodles2k

    NOD32 should be made mandatory.

  8. #8 TheAnimus

    Quote Originally Posted by OilSheikh:
    Did your client pay the $300 ransom ?
    Not my client. A buddy's.

    Quote Originally Posted by noodles2k:
    NOD32 should be made mandatory.
    That wouldn't have helped, it was at least 2+ days before most anti-virus vendors updated their profiles to detect it.

  9. #9 TheAnimus

    Quote Originally Posted by peterb:
    If I am uncertain about an e-mail, I usually examine it on a Linux machine, in a directory that doesn't have execute privileges - some measure of protection.
    No. Use a VM or something easily wipeable.

    There is absolutely no technical reason why this kind of attack wouldn't work on most linux distributions, some vectors included packing the executable in text documents n such.

    The main issue is that this attack works in user mode. Most users have write privilege to the files they are working on; all you need is a mechanism to trick the user. A drive-by user-mode exploit in a web browser is also kinda common.

  10. #10 wasabi

    Quote Originally Posted by TheAnimus:
    The main issue is that this attack works in user mode. Most users have write privilege to the files they are working on, all you need is a mechanism to trick the user
    Like Google Chrome installs you mean?

  11. #11 kompukare
    • kompukare's system
      • Motherboard: Asus P8Z77-V LX
      • CPU: Intel i5-3570K
      • Memory: 4 x 8GB DDR3
      • Storage: Samsung 850 EVO 500GB | Corsair MP510 960GB | 2 x WD 4TB spinners
      • Graphics card(s): Sappihre R7 260X 1GB (sic)
      • PSU: Antec 650 Gold TruePower (Seasonic)
      • Case: Aerocool DS 200 (silenced, 53.6 litres)
      • Operating System: Windows 10-64
      • Monitor(s): 2 x ViewSonic 27" 1440p

    CryptoLocker is possibly the most scary virus yet*. Lots of small businesses who thought they had backups (but who really only had multiple copies spread over various drives and shares) are going to get into serious trouble with this.

    I know, if their business depends on their files they really should have proper backups with revisions, but the fact is lots of places do not and this will really bring that fact out.

    The old "Look at Celebrity.JPG.EXE" trick has been around for ages though, and I think we can pretty much blame Microsoft for that one. In their quest to make Windows easier, they introduced that feature (Windows XP, or was it even 98?). Unlike on the Mac with its embedded filetypes, that didn't really work. And since people still have at least a vague idea about file extensions (hence the ".JPG" bit) this has been happening ever since.

    *The other would be (so far mostly proof of concepts) BIOS rootkits. But I guess, the exploit the concept ones used was mainly piggybacking off the actual BIOS (can't remember the vendor) and UEFI should have put a stop to that.
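    The disguised-name trick from posts #5 and #11 and the "a zip might contain an .exe" problem from post #2, as an added example that is not code from this thread: a small Python inspector that flags an attachment by its real extension, by a document-looking name padded with dots or spaces to hide that extension, and by the MZ header of a Windows executable, and applies the same checks to every member of a zip instead of blocking all zips outright. The extension sets, the padding threshold and the sample zip are constructed for the example.

```python
import io
import re
import zipfile

# Extensions Windows runs directly on double-click (constructed list for this example, not exhaustive).
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Extensions a user expects to open as a harmless document or picture.
DOC_EXT = {"pdf", "doc", "docx", "xls", "jpg", "jpeg", "png", "txt"}
# A run of spaces or dots long enough to push the real extension off screen in a mail client.
PADDING = re.compile(r"[ .]{6,}")

def check_name(filename):
    """Findings for one attachment name: real extension, document disguise, padding."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1].strip() if len(parts) > 1 else ""
    if ext in EXEC_EXT:
        findings.append(f"executable attachment (.{ext})")
        # Remove the real extension and the padding before it, then look at what the user sees.
        visible = ".".join(parts[:-1]).rstrip(". ")
        shown = visible.rsplit(".", 1)[-1] if "." in visible else ""
        if shown in DOC_EXT:
            findings.append(f"disguised as .{shown}")
        if PADDING.search(filename):
            findings.append("padding hides the real extension")
    return findings

def check_attachment(filename, data):
    """Findings for name and content; zip members are checked by name and by PE magic."""
    findings = check_name(filename)
    if data[:2] == b"MZ" and not findings:
        findings.append("content is a Windows executable (MZ header) despite its name")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                inner = [f"{info.filename}: {f}" for f in check_name(info.filename)]
                if not inner and zf.read(info.filename)[:2] == b"MZ":
                    inner.append(f"{info.filename}: MZ header inside archive")
                findings.extend(inner)
    return findings

def build_sample_zip():
    """Constructed sample zip: one harmless text file and one padded, disguised executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("invoice.pdf" + "." * 40 + "exe", b"MZ\x90\x00 stub, not a real program")
    return buf.getvalue()
```

    A mail gateway would run check_attachment over each part and quarantine on any finding; the MZ check catches executables whose extension was renamed, which a name-only filter misses.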

  12. #12 peterb

    Quote Originally Posted by TheAnimus:
    No. Use a VM or something easily wipeable.

    There is absolutely no technical reason why this kind of attack wouldn't work on most linux distributions, some vectors included packing the executable in text documents n such.

    The main issue is that this attack works in user mode. Most users have write privilege to the files they are working on; all you need is a mechanism to trick the user. A drive-by user-mode exploit in a web browser is also kinda common.
    I said examine - not run - and if the execute bit isn't set on the file, Linux won't run it - and while the attack is possible on a Linux machine, it is unlikely that an attack written for Windows would run on Linux. (I meant file rather than directory)

    But I'd agree that a VM or live disk would be even safer.

  13. #13 Agent

    I just block attachments on the parents' machine. Any images and such I need to send just get uploaded somewhere and linked.

    It doesn't stop a standard hyperlink attack, but these seem to be filtered out very quickly now by AV and browsers blocking the URL.
    Quote Originally Posted by Saracen:
    And by trying to force me to like small pants, they've alienated me.

  14. #14

    I knew there was a good reason for XP Mode!

    Quote Originally Posted by TheAnimus:
    That wouldn't have helped, it was at least 2+ days before most anti-virus vendors updated their profiles to detect it.
    Eset are usually pretty quick, they added the signature on the 7th September. When'd this happen?

  15. #15 wasabi

    Quote Originally Posted by peterb:
    I said examine - not run - and if the execute bit isn't set on the file, Linux won't run it - and while the attack is possible on a Linux machine, it is unlikely that an attack written for Windows would run on Linux. (I meant file rather than directory)

    But I'd agree that a VM or live disk would be even safer.
    This kind of attack isn't for people like you. It is for people who will seriously read through an email purported to be from Barclays even though they don't have an account with Barclays.

  16. #16 Lucio
    • Lucio's system
      • Motherboard: Gigabyte GA-970A-UD3P
      • CPU: AMD FX-6350 with Cooler Master Seldon 240
      • Memory: 2x4GB Corsair DDR3 Vengeance
      • Storage: 128GB Toshiba 2.5" SSD, 1TB WD Blue WD10EZEX, 500GB Seagate Barracuda 7200.11
      • Graphics card(s): Sapphire R9 270X 4GB
      • PSU: 600W Silverstone Strider SST-ST60F
      • Case: Cooler Master HAF XB
      • Operating System: Windows 8.1 64Bit
      • Monitor(s): Samsung 2032BW, 1680 x 1050
      • Internet: 16Mb Plusnet

    We've had a spate of those infections at work. What makes that virus particularly nasty is the presence of shared folders and it targeting DBF files, taking out an entire company via one employee making a mistake.

    I'm interested in people's opinions on this thought: should someone get fired for being stupid enough to click on a virus attachment? After all, the cost of the action could run to tens of thousands of pounds in a small company, and for those improperly prepared, actually take the company out of business.

    (\___/) (\___/) (\___/) (\___/) (\___/) (\___/) (\___/)
    (='.'=) (='.'=) (='.'=) (='.'=) (='.'=) (='.'=) (='.'=)
    (")_(") (")_(") (")_(") (")_(") (")_(") (")_(") (")_(")


    This is bunny and friends. He is fed up waiting for everyone to help him out, and decided to help himself instead!
