Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Facebook Security Communications Network Networking Privacy Software The Internet

Locky Ransomware Uses Decoy Image Files To Ambush Facebook, LinkedIn Accounts (arstechnica.com) 36

An anonymous reader quotes a report from Ars Technica: A low-tech but cunning malware program is worrying security researchers after it started spreading rapidly in the past week through a new attack vector: by forcibly exploiting vulnerabilities in Facebook and LinkedIn. According to the Israeli security firm Check Point, security flaws in the two social networks allow a maliciously coded image file to download itself to a user's computer. Users who notice the download, and who then access the file, cause malicious code to install "Locky" ransomware onto their computers. Locky has been around since early this year, and works by encrypting victims' files and demands a payment of around half a bitcoin for the key. Previously, it had relied on a malicious macro in Word documents and spam e-mails, but Check Point says that in the past week there has been a "massive spread of the Locky ransomware via social media, particularly in its Facebook-based campaign." Users are advised not to open any file that has automatically downloaded, especially any image file with an unusual extension such as SVG, JS, or HTA -- though benign-looking images could exploit the way Windows hides file extensions by default.
This discussion has been archived. No new comments can be posted.

Locky Ransomware Uses Decoy Image Files To Ambush Facebook, LinkedIn Accounts

Comments Filter:
  • by mspohr ( 589790 ) on Friday November 25, 2016 @06:52PM (#53362135)

    ... or OSX ... or ChromeOS ... or iOS ... or Android?
    We really need to know these things.
    Or should we always just assume it's Windows all the time?

  • Damnit (Score:4, Interesting)

    by JustAnotherOldGuy ( 4145623 ) on Friday November 25, 2016 @06:57PM (#53362159) Journal

    Damnit, I don't have a Facebook account so I never get to enjoy all these new malware strains.

  • by Anonymous Coward on Friday November 25, 2016 @07:01PM (#53362179)

    the two social networks allow a maliciously coded image file to download itself to a user's computer.

    WTF is a "maliciously coded image file"?

    What is the format of this file? JPG? PNG? How, precisely, is it exploiting the image viewer? Via buffer overrun? And WHICH image viewer has a vulnerability to the offending image? That is a key point, so that we can avoid the vulnerable software. Certainly not all of them would be vulnerable.

    Or, maybe, just maybe, this is actually not an image file at all, but a native executable, and stupid operating systems that present it as if it was an image file proceed to run the executable when it is double clicked, combined with stupid users who 40 years after the personal computing revolution started still don't have the slightest idea what they are asking computers to do, are having problems? If so, then why not say so, rather than pretend this is some utterly inexplicable sequence of events?

    And while we're at it, what does "download itself to a user's computer" mean?

    • From the article, it seems that is pretty much the problem "Users are advised not to open any file that has automatically downloaded, especially any image file with an unusual extension such as SVG, JS, or HTA"

      In other words, somehow the user is made to think an image file has been downloaded, but it is something else.
    • by rudy_wayne ( 414635 ) on Friday November 25, 2016 @07:51PM (#53362453)

      WTF is a "maliciously coded image file"?

      What is the format of this file? JPG? PNG? How, precisely, is it exploiting the image viewer? Via buffer overrun?

      Details are not available yet. According to one story, the people who discovered the exploit are not talking about details until it has been patched. I don't know if it's relevant but the story specifically mentions SVG and today i learned that you can embed Javascript code into an SVG image file. Since the only SVG image viewer that most people have is a web browser, this could be one possible attack vector.

      • by TechyImmigrant ( 175943 ) on Friday November 25, 2016 @09:14PM (#53362843) Homepage Journal

        >today i learned that you can embed Javascript code into an SVG image file

        And today I learned that from you.

        It's like people just can't stop themselves from making declarative things executable in full knowledge that it will lead to a fresh source of attack vectors that will be exploited for years to come. I expect there is no switch, defaulted to 'off' to prevent the execution of javascript in places it shouldn't be, like in SVG in any browser I use. I can't find such a thing in Chrome.

      • WTF is a "maliciously coded image file"?

        What is the format of this file? JPG? PNG? How, precisely, is it exploiting the image viewer? Via buffer overrun?

        Details are not available yet. According to one story, the people who discovered the exploit are not talking about details until it has been patched. I don't know if it's relevant but the story specifically mentions SVG and today i learned that you can embed Javascript code into an SVG image file. Since the only SVG image viewer that most people have is a web browser, this could be one possible attack vector.

        In the first link from the summary, there's a video embedded a bit down. At 0:27, there's a screen shot containing a "Notepad" dump of the HTA file, here you can see that the opening bytes represent a standard JPEG (JFIF) format image. When I worked in Imaging and ECM (FileNet Corp.), I knew many programs that relied on the "magic number" (opening bytes) of a file to identify the format; ignoring the file extension which can sometimes be wrong.

        So (I'm guessing) Facebook assumes it's a regular ol' JPEG ima

    • What I find interesting is why apparently this exploit is only possible on Facebook and LinkedIn. Is there something unique about the way they handle images that doesn't occur on other websites?

  • How to show File Extensions in Windows 10 / 8 / 7

    http://www.thewindowsclub.com/show-file-extensions-in-windows [thewindowsclub.com]

    • This is good advice... but totally wrong for this topic.

      The ransomware is running by being embedded in the actual picture file. It will usually have a downloaded embedded so that AV stuff doesn't actually flag the image for ransomware. so.... if your browser randomly downloads a picture file that you didn't opt to receive, you should probably stop browsing on Facebook and go double check your backups.

      • Here's some totally wrong information from TFA:

        Users are advised not to open any file that has automatically downloaded, especially any image file with an unusual extension such as SVG, JS, or HTA— though benign-looking images could exploit the way Windows hides file extensions by default .

  • to your OS to execute unknown code is just plain stupid. Clicking on a file without knowing what it consists of is even more stupid.

    • Stupidity and ignorance may yield the same results, but one is voluntary; the other isn't. ~ © 2016 CaptainDork

  • or it didn't happen.

  • by manu0601 ( 2221348 ) on Friday November 25, 2016 @08:58PM (#53362773)
    This looks like the ancient Gifar attack [wikipedia.org]: inject some executable content identified as an image.

Children begin by loving their parents. After a time they judge them. Rarely, if ever, do they forgive them. - Oscar Wilde

Working...