Locky Ransomware Uses Decoy Image Files To Ambush Facebook, LinkedIn Accounts (arstechnica.com) 36
An anonymous reader quotes a report from Ars Technica: A low-tech but cunning malware program is worrying security researchers after it started spreading rapidly in the past week through a new attack vector: by forcibly exploiting vulnerabilities in Facebook and LinkedIn. According to the Israeli security firm Check Point, security flaws in the two social networks allow a maliciously coded image file to download itself to a user's computer. Users who notice the download, and who then access the file, cause malicious code to install "Locky" ransomware onto their computers. Locky has been around since early this year, and works by encrypting victims' files and demands a payment of around half a bitcoin for the key. Previously, it had relied on a malicious macro in Word documents and spam e-mails, but Check Point says that in the past week there has been a "massive spread of the Locky ransomware via social media, particularly in its Facebook-based campaign." Users are advised not to open any file that has automatically downloaded, especially any image file with an unusual extension such as SVG, JS, or HTA -- though benign-looking images could exploit the way Windows hides file extensions by default.
But... Does it run on Linux? (Score:4, Insightful)
... or OSX ... or ChromeOS ... or iOS ... or Android?
We really need to know these things.
Or should we always just assume it's Windows all the time?
Re: (Score:2)
who cares? I don't use facebook or linkedin, and my computer blocks resolving those domains.
Re: (Score:3)
It mostly takes advantage of naive users, but really it was incredibly stupid of Microsoft to hide file extensions by default all those years back. It's been a major security pain point for a very long time, and yet still it remains.
Damnit (Score:4, Interesting)
Damnit, I don't have a Facebook account so I never get to enjoy all these new malware strains.
"maliciously coded image file"? (Score:4, Insightful)
the two social networks allow a maliciously coded image file to download itself to a user's computer.
WTF is a "maliciously coded image file"?
What is the format of this file? JPG? PNG? How, precisely, is it exploiting the image viewer? Via buffer overrun? And WHICH image viewer has a vulnerability to the offending image? That is a key point, so that we can avoid the vulnerable software. Certainly not all of them would be vulnerable.
Or, maybe, just maybe, this is actually not an image file at all, but a native executable, and stupid operating systems that present it as if it was an image file proceed to run the executable when it is double clicked, combined with stupid users who 40 years after the personal computing revolution started still don't have the slightest idea what they are asking computers to do, are having problems? If so, then why not say so, rather than pretend this is some utterly inexplicable sequence of events?
And while we're at it, what does "download itself to a user's computer" mean?
Re: (Score:2)
In other words, somehow the user is made to think an image file has been downloaded, but it is something else.
Re:"maliciously coded image file"? (Score:4, Informative)
WTF is a "maliciously coded image file"?
What is the format of this file? JPG? PNG? How, precisely, is it exploiting the image viewer? Via buffer overrun?
Details are not available yet. According to one story, the people who discovered the exploit are not talking about details until it has been patched. I don't know if it's relevant but the story specifically mentions SVG and today i learned that you can embed Javascript code into an SVG image file. Since the only SVG image viewer that most people have is a web browser, this could be one possible attack vector.
Re:"maliciously coded image file"? (Score:5, Insightful)
>today i learned that you can embed Javascript code into an SVG image file
And today I learned that from you.
It's like people just can't stop themselves from making declarative things executable in full knowledge that it will lead to a fresh source of attack vectors that will be exploited for years to come. I expect there is no switch, defaulted to 'off' to prevent the execution of javascript in places it shouldn't be, like in SVG in any browser I use. I can't find such a thing in Chrome.
Re: (Score:2)
WTF is a "maliciously coded image file"?
What is the format of this file? JPG? PNG? How, precisely, is it exploiting the image viewer? Via buffer overrun?
Details are not available yet. According to one story, the people who discovered the exploit are not talking about details until it has been patched. I don't know if it's relevant but the story specifically mentions SVG and today i learned that you can embed Javascript code into an SVG image file. Since the only SVG image viewer that most people have is a web browser, this could be one possible attack vector.
In the first link from the summary, there's a video embedded a bit down. At 0:27, there's a screen shot containing a "Notepad" dump of the HTA file, here you can see that the opening bytes represent a standard JPEG (JFIF) format image. When I worked in Imaging and ECM (FileNet Corp.), I knew many programs that relied on the "magic number" (opening bytes) of a file to identify the format; ignoring the file extension which can sometimes be wrong.
So (I'm guessing) Facebook assumes it's a regular ol' JPEG ima
Re: (Score:2)
What I find interesting is why apparently this exploit is only possible on Facebook and LinkedIn. Is there something unique about the way they handle images that doesn't occur on other websites?
Show file ectensions ... (Score:2)
How to show File Extensions in Windows 10 / 8 / 7
http://www.thewindowsclub.com/show-file-extensions-in-windows [thewindowsclub.com]
Re: (Score:1)
This is good advice... but totally wrong for this topic.
The ransomware is running by being embedded in the actual picture file. It will usually have a downloaded embedded so that AV stuff doesn't actually flag the image for ransomware. so.... if your browser randomly downloads a picture file that you didn't opt to receive, you should probably stop browsing on Facebook and go double check your backups.
Re: (Score:2)
Here's some totally wrong information from TFA:
Users are advised not to open any file that has automatically downloaded, especially any image file with an unusual extension such as SVG, JS, or HTA— though benign-looking images could exploit the way Windows hides file extensions by default .
Re: (Score:1)
mmmm, summaries are too hard... Thanks
Re: (Score:2)
No problem.
Also, I dislike not proof reading before I post, as in "ectensions," in the Subject line.
Re: (Score:2)
You deserve it.
Granting blind permission (Score:2)
to your OS to execute unknown code is just plain stupid. Clicking on a file without knowing what it consists of is even more stupid.
Re: (Score:3)
Stupidity and ignorance may yield the same results, but one is voluntary; the other isn't. ~ © 2016 CaptainDork
Pics... (Score:2)
or it didn't happen.
Gifar (Score:3)