Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Microsoft Security Data Storage Operating Systems Privacy Software News Build Hardware Technology

Microsoft Warns of ZCryptor Ransomware With Self-Propagation Features (softpedia.com) 71

An anonymous reader writes from a report issued by Softpedia on May 27: Microsoft and several other security researchers have detected the first ransomware versions that appears to have self-propagation features, being able to spread to other machines on its own by copying itself to shared network drives or portable storage devices automatically. Called ZCryptor, this ransomware seems to enjoy quite the attention from crooks, who are actively distributing today via Flash malvertising and boobytrapped Office files that infect the victim if he enables macro support when opening the file. This just seems to be the latest addition to the ransomware family, one which recently received the ability to launch DDoS attacks while locking the user's computer.
This discussion has been archived. No new comments can be posted.

Microsoft Warns of ZCryptor Ransomware With Self-Propagation Features

Comments Filter:
  • by Anonymous Coward on Monday May 30, 2016 @07:57PM (#52214051)

    They're the king of ransomware, forcing Windows 10 installations.

    • Why mod troll? It is a well documented fact that Microsoft will change your computer operating system through subterfuge, which for many users has caused software and/or hardware to malfunction.

  • Ahhhh (Score:3, Funny)

    by Adambomb ( 118938 ) on Monday May 30, 2016 @07:58PM (#52214059) Journal

    Good old retro boot sector viruses.

  • I heard (Score:1, Funny)

    by Anonymous Coward

    It disguises itself as the Windows 10 upgrade notification.

  • by Anonymous Coward on Monday May 30, 2016 @08:10PM (#52214121)

    and data. After twenty years of problems with code in documents, including some that would wipe-out your partition table, they still allow code in a document to execute.

    Also, this might be the first malware that infected network files, but it certainly isn't the first to affect Office documents. We've been hit several dozen times.

    • The issue stays the same. If you have data in the file that gets interpreted a certain way ( say, for formatting, a malformed URL, weird characters, ...), but the interpretation is buggy and prone to buffer-overflows or other when reading the wrong data, you're still at risk.
    • and data. After twenty years of problems with code in documents, including some that would wipe-out your partition table, they still allow code in a document to execute.

      Also, this might be the first malware that infected network files, but it certainly isn't the first to affect Office documents. We've been hit several dozen times.

      By default the latest Office programs save files in a format that prevents macros from running. You have to specifically change the file type to allow macros. When you open macro enabled office files, it will, by default, disable active content and show a warning box. You have to actually click on the box to allow macros and vbscript.

      • by yuna49 ( 905461 )

        At one client's site an enduser got such a document. It requested that the recipient click the button to enable active content. Of course someone did just that and promptly got infected. Now we just block all macro-enabled documents with clamd.

    • After twenty years of problems with code in documents, including some that would wipe-out your partition table, they still allow code in a document to execute.

      Except by default "they" do not allow it. You must enable macro support after clicking through warnings. You may also download whatever binary you want and click through the warning advising you the certificate, issued to "Skripty and the Kidz" is not trusted.

    • by yuna49 ( 905461 )

      At one of my clients, we use MailScanner plus clamd to scan incoming mail. Clamd has a switch to treat all Office files with macros as viruses so they get sent to quarantine. At this particular client no one has the need to exchange macro-enabled Office files so this is an effective defense. Of course, other organizations might have valid uses for such files. I'd solve that by whitelisting particular senders while continuing to ban any other macro-enabled Office documents.

  • by Lumpy ( 12016 ) on Monday May 30, 2016 @08:20PM (#52214157) Homepage

    More proof that everyone should be using an adblocker to keep their computer and friends computers safe.

    Dear website owners.... WAHH about your lost revenue. start hosting the ad's on your own servers and VET THEM to be safe and not an attack vector.

  • by millertym ( 1946872 ) on Monday May 30, 2016 @08:37PM (#52214225)

    This stuff is nasty.

    1- Have spotless offline backups of everything
    2- Lock down share permissions
    3- Lock down admins on permissions domain level
    4- Lock down admins on local machine level
    5- Pray

    I had to deal with this garbage once earlier this year on a custom domain with awful permissions management. It was bad enough from a single source\spread to shares perspective. I can't imagine the damn thing acting like a worm at the same time. Potentially career ending because 1- your enterprise gets owned so hard and 2- you never want to touch a computer again once you have to try to clean it up.

    • But does it run on Linux?

    • Re: (Score:2, Funny)

      by Anonymous Coward
      There is an additional step you want to consider in an enterprise. Notice from the write-up that this one adds itself to the RUN key to ensure persistence. Most malware / crapware that isn't root kit style does this. The key "HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run" should be set to require administrator access to change. That simple change prevents this from getting persistence (and, depending on how the author wrote it, may cause it to fail to encrypt - as you notice the writeup s
      • Oh, good catch! That can also be disabled entirely via group policy, though I forget exactly what it's called. 'Disable access to classic run' or somesuch.
    • How about just whitelisting applications on your network to locations that user's don't have write access to?

  • a VM can be contained pretty well. I was used to installing office on my local pc, but now I'm starting to think its going to be safer inside a VM and I'll just run the VM for the few times I have to actually edit word docs. viewing them is ok on libreoffice or similar, but I would not use the free versions to edit ms docs (sigh).

    • by campuscodi ( 4234297 ) on Monday May 30, 2016 @09:04PM (#52214311)
      Or use OpenOffice or LibreOffice instead. Heck, even Google Docs is better now.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      How does this help, if the malware spreads via network shares? If the Office has access to the shares, which is quite handy for editing files in them, it is also possible for it to spread the malware.

    • That's been my preference for the last year. KVM on Linux now has snapshot support built-in, and OS X Parallels has had it for a while. So about once a month, I'll make a snapshot and label it "good" with some notes. If there's ever trouble, I can rollback to that snapshot.

      For the host operating system, files get written to a backup location via SSH, using a SSH key that can only run the backup program (borg-backup) on the destination server. I have yet to see anything that targets backup software tha
  • by Anonymous Coward

    BREAKING NEWS: Microsoft warns about a new self-installing malware called "Windows 10"

  • Yet another reason (Score:5, Informative)

    by FrozenGeek ( 1219968 ) on Monday May 30, 2016 @09:49PM (#52214501)
    not to use flash. I understand that there are many companies with a significant investment in flash-based code. But flash has proven to be a persistent security hole. HTML 5 is a viable alternative to flash. time for those companies to suck it up.
  • Given the number of viruses out there that use Microsoft Office documents as a transmission vector, why hasn't Microsoft locked down VBA and macros so that macros in an Office document file cant do anything dangerous.

    Web browsers sandbox JavaScript code these days to prevent exploits and improve security, why not do the same for Office documents?

    That way, rogue macros can't download and install further malware or access data files all over the disk or mess with Windows system folders/files/data.

    • by gnupun ( 752725 )

      why hasn't Microsoft locked down VBA and macros so that macros in an Office document file cant do anything dangerous.

      My guess would be (a) the high cost of redesigning the macro subsystem and (b) users bitching and moaning when new macro language breaks their old scripts -- it would be Y2K all over again.

  • This one tries to propagate almost as hard as the Windows Update.

    Past proper propagation probably plethoras of problems perceived.

    They that out loud three times.

  • Good thing that Microsoft's strongarm tactics trying to force Win 10 upgrades resulted in some people permanently disabling Windows Update on their boxes.

    Not only will those people get owned, but their machines can act as distribution centers to attack other machines, including distributing future malware even if MS releases a patch to help protect against this.

    500 Rupees have been deposited into Satya Nadella's account care of the Russian malware alliance.

  • Have Microsoft ever considered looking at their own Source Code. Considering Microsoft is primarily responsible for the malware infestation. That would be like describing Dr. Hannibal Lecter as a food nutritionist researcher.
    • Not really anymore. The primary infection vector today are rather third party software packages that are so omnipresent that they can as well be considered part of the OS while having a WAY worse security record than MS. Adobe being probably the worst offender, the currently biggest infection vector being Flash and Acrobat Reader.

news: gotcha

Working...