Macros
I believe the default setting for MS Office is for macro execution to require permission/credentials to run since 2007. So either someone has changed the defaults to allow macros to run or has carelessly approved it to run.
Recruiters are known to be a bit of a pain in the ASCII in the tech world – but how about these ones: bogus headhunters attempting to infect GitHub-using software developers. The miscreants have harvested email addresses for active GitHub accounts, and spammed the inboxes with booby-trapped job offers. These malicious messages …
Viruses that rely on macros often have helpful instructions on how to turn macro execution back on (for example).
I'm not sure how well that would work on the developers that this malware seems to be going after though.
I must be some sort of Luddite.
After playing with computers for, what, forty years now, I *still* am unable to fathom why anyone, ever, thought it was a good idea to build software that allows this kind of thing. A word processor is for tangling/mangling words, not for downloading random software.
Since Joe Public (and probably most Reg readers) lack the time, inclination, or ability to see what a macro is going to do once it's opened, they're going to click 'allow' anyway. It's not that Joe is stupid, it's that he doesn't expect what he gets: in his eyes, getting something like this from opening a document is on the same order of things as sticking bread in the toaster and getting a fried egg back. It's not something that should even be able to happen.
"Fortunately"...the surge in ransomware attacks has given many people a sharp poke to be wary of Word files, particularly, and Excel files to a lesser extent.
Most developers (not *all*) are more savvy than your typical paper-shuffler, and will recognize legit offers will *not* come in an easily-edited form like a Word doc...it will come as a read-only PDF, so you can't bump the offered rate up a few points and then accept the more-agreeable offer.
Macros just seem to me to be a bad idea from the outset...probably looked good on paper ("Your document can go out to the servers, or the Internet, and update the data in various cells so the results displayed are real time, not moment-in-time!"). And when it was dreamed up, the Internet wasn't really the omnipresent thing it is now. Credit to Microsoft for having the sense to disable it by default...but enabling it should be WAY harder than it is...or Microsoft should remove it entirely and make macro support an add-on.
"...sticking bread in the toaster and getting a fried egg back."
Butbutbut! I've always cracked eggs into the toaster & gotten the magic smoke to escape, so why shouldn't I get eggs from my toast?
*Crossed arms & comical hurrumph*
Next you'll be telling me I'm not supposed to put puffer fish into the microwave so I get a nifty toy surprise in return!
BAH!
*Shakes a palsied fist*
Let me keep those macros so I can eat my eggs!
*Cough*
I'll get my coat, it's the one with the frog pills in the pockets...
* Before opening the doc, does the Macro / PowerShell payload run covertly in the background til reconnect, or does it fall over and fail?
* Do PowerShell scripts run silently & invisibly?
* Is it all done in-proc in Word, if not what's the process name?
Your Qs can be answered by reading the linked-to blog post.
1. You have to enable macros or run the macro. If you think this is a major hurdle, you haven't worked with people. The payload runs covertly out of sight. It waits (blocks) until the download is complete - google WebClient.DownloadFile().
2. Yes.
3. margin2601_onechat_word.exe
C.
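Added example (not from the thread or the linked blog post): the answer above describes the chain as a macro that has to be enabled, then a PowerShell stage that blocks on WebClient.DownloadFile() and drops an executable. The defender-side precondition is simply whether a document carries a VBA project at all, so this Python triage script checks an Office Open XML file for a vbaProject.bin part (or its content type), flags a macro-bearing file that claims a macro-free extension such as .docx, and does coarse string matching for download-and-run indicators. The sample documents are constructed in memory and are not real Word files; real vbaProject.bin streams are OLE containers with MS-OVBA compressed source, so the string check here is only a rough indicator and a production pipeline should extract the VBA with a proper parser such as oletools' olevba (an assumption about tooling, not something the thread states).

```python
"""Triage Office Open XML documents for embedded VBA macros.

Added example, not code from the thread. Checks whether an OOXML file
carries a VBA project, which is the precondition for the macro-based
infection chain discussed above. Sample documents are constructed here;
real vbaProject.bin streams are OLE/MS-OVBA compressed, so the string
matching below is only a coarse indicator.
"""
import io
import zipfile

# Part names that hold the VBA project in Word / Excel / PowerPoint packages.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Coarse download-and-execute indicators; hits mean "look closer", not "malicious".
INDICATORS = (b"WebClient", b"DownloadFile", b"powershell", b"Shell(", b"CreateObject")


def has_vba_project(data: bytes) -> bool:
    """True if the package contains a VBA project part or declares its content type."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if any(part in names for part in MACRO_PARTS):
            return True
        try:
            content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            return False
        return MACRO_CONTENT_TYPE in content_types


def macro_indicators(data: bytes) -> list[str]:
    """Sorted list of indicator strings found as plain bytes in any VBA part."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in MACRO_PARTS:
            if part in z.namelist():
                blob = z.read(part)
                found.update(ind.decode() for ind in INDICATORS if ind in blob)
    return sorted(found)


def triage(filename: str, data: bytes) -> dict:
    """Summarise one document: macros present, indicators, extension mismatch."""
    macro = has_vba_project(data)
    return {
        "file": filename,
        "has_macros": macro,
        "indicators": macro_indicators(data) if macro else [],
        # A macro-free extension wrapping a VBA project is itself suspicious.
        "extension_mismatch": macro and filename.lower().endswith((".docx", ".xlsx", ".pptx")),
    }


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-like zip, not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ct = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        ct += '<Default Extension="xml" ContentType="application/xml"/>'
        if with_macro:
            ct += f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>'
        ct += "</Types>"
        z.writestr("[Content_Types].xml", ct)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Plain-text stand-in for a compressed VBA stream (constructed).
            z.writestr(
                "word/vbaProject.bin",
                b"Sub AutoOpen()\r\nShell(\"powershell ...\")\r\n"
                b"(New-Object Net.WebClient).DownloadFile(...)\r\nEnd Sub",
            )
    return buf.getvalue()


if __name__ == "__main__":
    samples = (
        ("offer.docx", build_sample(False)),   # clean, macro-free
        ("offer.docm", build_sample(True)),    # macro-enabled, honest extension
        ("offer.docx", build_sample(True)),    # macro project hiding behind .docx
    )
    for name, doc in samples:
        print(triage(name, doc))
```

Run as a mail-gateway or share-scanner pre-filter: any file where `has_macros` is true is already something a developer expecting a job offer should not be clicking "enable" on, and `extension_mismatch` is a cheap signal that the file is not what its name says.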
Biting the hand that feeds IT © 1998–2022