UMMMM!
Java needs to be executed!
Not by rope, guillotine, cyanide or lethal injection, but by being bludgeoned to death by all it has compromised.
The cybercrooks behind ransomware Dridex and Locky have started distributing a new file-scrambling software nasty dubbed Bart. Bart has a payment screen just like Locky's, and encrypts documents without first connecting to a remote command-and-control server to receive its orders. Bart may therefore be able to encipher Windows …
Except that this is JavaScript, which is executed by web browsers and the Windows Script Host...
Sun/Oracle Java doesn't need to be installed on the system for this to operate; it's not Java bytecode.
Honk if you love Jesus and understand the difference between Java and JavaScript!
Yup, I just don't get why anything outside of C:\Windows and C:\Program Files (x86) etc. has the execute permission enabled by default. I had a quick gander (being mostly a Linux admin) and Windows does seem to support this... so I don't see why it's not being utilised.
It would absolutely wreck the ransomware market if users had to extract files from the zip, right-click, Properties > Security > tick Execute, then re-launch the file.
In a lot of cases, it isn't a zip file being opened and then an executable inside it being run, but rather an executable that looks like a zip file.
The problem is that the zip file specification was too clever by half and added in the ability to fork to embedded code before/during file extraction. The intention was to allow things such as a proprietary decryption function to control access, implement a non-standard compression routine, extracting specific files based on external variables, grabbing data from another source, etc. Very few companies ever took advantage of it, but you'll still see it sometimes (which is preventing developers from removing support for it).
Issues like this make me wish that Windows natively supported the tar/tgz file formats...
"In a lot of cases, it isn't a zip file being opened and then an executable inside it being run, but rather an executable that looks like a zip file."
Exactly my point. If the OS refuses to execute it because it doesn't have execute permission (regardless of whether it's a zip or an exe), forcing the user to go in and give it execute permission in order to run it, problem solved. I'm pretty confident 90% of my users wouldn't know how to do this, and I would hope the remaining are smart enough to realise a zip, PDF or whatever shouldn't need execute permission.
It would certainly be more secure than allowing anyone to execute anything they randomly save to their personal documents (which IMO should never allow anything to be executed from it).
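The two posts above propose using the NTFS execute permission that Windows already has. As an added example (not code from the thread or from any commenter), the following PowerShell applies a deny "ExecuteFile" ACE to a user's Documents folder and verifies it. The target folder and the BUILTIN\Users principal are assumptions for illustration; the commands are standard .NET ACL calls and need an elevated session.

```powershell
# Added example: deny NTFS ExecuteFile on a user's Documents folder so that
# .exe files saved there cannot be launched directly from it.
# Assumptions: Windows with NTFS, PowerShell 5+, elevated session,
# and that "Documents" under the current profile is the folder to harden.

$target = Join-Path $env:USERPROFILE 'Documents'

# Deny ACE for ExecuteFile, inherited by existing and future files and
# subfolders (ContainerInherit + ObjectInherit). Deny ACEs win over allows.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'Users',                                                          # BUILTIN\Users
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -Path $target
$acl.AddAccessRule($rule)
Set-Acl -Path $target -AclObject $acl     # writes the DACL and propagates the ACE

# Verify: show the execute-related ACEs now on the folder.
(Get-Acl -Path $target).Access |
    Where-Object { $_.FileSystemRights -match 'ExecuteFile|Traverse' } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

# Quick check (manual): copy any .exe into $target and try to start it;
# CreateProcess needs FILE_EXECUTE on the image and fails with "Access is denied".
```

Two caveats worth knowing before relying on this. On a directory, ExecuteFile is the same bit as Traverse, so the inherited deny also denies traversal of subfolders; in practice this is moot because Windows grants "Bypass traverse checking" to everyone by default. More importantly, the execute bit is only checked when the file is loaded as a program image: a .js file handed to wscript.exe, like the one the article describes, is opened for Read by the script host, so this ACE does not stop it. Blocking that path needs a different control (for example, changing the default handler for .js, or Software Restriction Policies / AppLocker rules that cover scripts).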
The article doesn't say in what language the instructions are. I'm assuming the Russian programmers had them translated to French etc from Russian, because that's what they speak. Or from Ukrainian etc.
But the writer of the article assumes that I will automatically assume English is the base language. It's not my first language, so why would I assume that?
In spite of all the talk about auto-executing zip files, it looks like this spreads by people deliberately opening the zip, then deliberately running the js file. Actually, given the source, I suspect that it's a three-step process already:
Click to open the zip.
Click to open the js
Click to tell Windows to run it anyway.