back to article Oh no, that James Webb Space Telescope snap might actually contain malware

Scumbags are using a photo from the James Webb Space Telescope to smuggle Windows malware onto victims' computers – albeit in a roundabout way. The malicious code, written in Go, is hidden in a .jpeg of the stunning first proper image taken by the recently deployed spacecraft. More specifically, the obfuscated code is Base64- …

  1. Pascal Monett Silver badge
    Facepalm

    Again, a bloody attachment

    If you don't open it, you're fine.

    When will people learn ?

    On top of the fact that you hardly need to click on an attachment to view that particular pic. It's all over the Internet at this point.

    1. alain williams Silver badge

      Re: Again, a bloody attachment

      Yes, b b but I thought that the JWST pic was of some cute kittens!

      1. Anonymous Coward
        Anonymous Coward

        Re: Again, a bloody attachment

        Kittens in spaaaaace?

        :)

    2. Anonymous Coward
      Anonymous Coward

      Re: Again, a bloody attachment

      If just opening an attachment could infect my computer, I'd use a different OS.

      It's not the 90's any more.

  2. GidaBrasti
    Devil

    VBA macros, see icon

    From the article ...

    "...The infection starts with a phishing email that contains a Microsoft Office attachment named Geos-Rates[.]docx that, when opened, downloads a malicious template file that contains an obfuscated VBA macro..."

    Once again Microsoft Office is what allows things to happen... sigh...

    1. Phil O'Sophical Silver badge

      Re: VBA macros, see icon

      People opening random documents with no concern for their contents is what allows things to happen. In this case Office is just a tool, which can be [ab]used. It's the tool who opens the attachment that's the real problem.

      1. Anonymous Coward
        Anonymous Coward

        Re: VBA macros, see icon

        Really?

        "View a document" allows invisible downloading of code from the internet that is executed locally?

        That's a software / OS problem.

        1. Anonymous Coward
          Anonymous Coward

          Re: VBA macros, see icon

          And is why execution of macros is off by default.

      2. John Brown (no body) Silver badge

        Re: VBA macros, see icon

        I'd have thought the real problem here is that simply opening a document can execute something that claims to be a security certificate. Why? If it's meant to be a certificates,then at most the system should be reading its data and doing something with that data to verify it. Not treating it as binary executable code and actually executing it.

        1. that one in the corner Silver badge

          Social engineering as part of the exe chain?

          As I read the article, I think you have just fallen into a trap the bad guys set:

          "There is a certificate involved, blame the OS for not protecting you"

          or similar feelings expressed about the use of a JPEG...

          The "certificate" was just used as a wrapper, so that if you spotted the download you'd not be suspicious. Then you'd see certutil.exe run: ok, what else would you use with a certificate? But it was just used to extract the next link in the chain.

          (Similarly, the JPEG, abused to innocently carry a link in the chain)

          At no point is the "certificate" intended to be handed 'properly' to the OS and hence, as you hoped, be validated: to the OS it is just another piece of downloaded stuff.

          Now, you *could* demand that the OS examine every bit of data and validate it before letting any other process access it: now you have either invented the malware scanner or have effectively switched on autorun for everything that is ever downloaded (because you know full well that, for example, detecting that a file is "a certificate" and then running some autovalidation on it means another vulnerability will be found and the fake certs designed to exploit that).

          But because of your reaction to the fact one link used a certificate, the bad guys now have you wasting time and energy talking about that - and, who knows, enough people follow suit and pressure OS writers, who add in the autorun scenario "as an extra precaution" (aka to be seen to be doing something) and bingo, attack surfaces grow and grow...

  3. Umbracorn

    exfiltrate data through unusual DNS queries

    This reminded me of automated collect calls in the 90's, and trying to save money as a college student -

    (Prerecorded operator voice): You have a collect call from "HiMomitsBob,myplanelands8pmWednesday". Do you accept the charges?

  4. Winkypop Silver badge
    Alien

    Aliens

    Definitely aliens!

    1. TJ1
      Alien

      Re: Aliens

      Who needs UFOs when you can hitch a ride on a JWST image from just after the Big Bang (or should that be the Insipid Flatulence -IFO )?

  5. Ian Johnston Silver badge

    What sort of system attempts to execute an image file?

    1. Anonymous Coward
      Anonymous Coward

      If you read the article, it doesn't.

      It's an office macro that does that - the image file is just used to hide the malware code. The office macro runs code that pulls the payload out of the image file and runs that.

      Still, it's still an issue.. Modifying your comment:

      What sort of system attempts to execute code that downloads invisibly a payload from the internet and executes that, simply because the user tried to "view a document"

      1. This post has been deleted by its author

    2. Norman Nescio Silver badge

      Architecture

      What sort of system attempts to execute an image file?

      A Von Neumann architecture system as opposed to a Harvard architecture system

      Old dlls, not written with security in mind can be used to process old and/or esoteric image formats. Abuse of the image format allows malformed data to be presented to the dll, which can end up executing bits of memory it shouldn't, including data that can be carefully constructed parts of the image file.

      I'm not saying Harvard architecture is the solution to all security ills, but it would make certain exploit methods pretty much unavailable.

      McAfee: Analyzing CVE-2021-1665 – Remote Code Execution Vulnerability in Windows GDI+

      Or for an older issue, where executable instructons are part of the WMF image format:

      Wikipedia: Windows Metafile vulnerability and CVE-2005-4560 Detail

  6. disgruntled yank

    Infamous

    "the infamous deep field image taken from the James Webb telescope"

    In what way is the image infamous, except maybe among the unwary who clicked on it?

  7. Eclectic Man Silver badge

    Is nothing sacred?

    After the 7th July bombings in London (the day after the announcement that London would host the 2012 Olympic Games), there were some people who tried to use the it to obtain donations for families of the victims. I don't doubt that after the horrendous flooding in Pakistan there will be scam attempts on the Internet to similarly obtain donations to help the victims. In the UK you can donate safely through the Disasters Emergency Committee web site, just make sure it is the right one.

  8. Will Godfrey Silver badge
    Facepalm

    Doh

    Who was it that thought being able to run code embedded in an image was a good idea?

    Oh, and who designed an image file type that was capable of including embedded code without being flagged as corrupted?

  9. Anonymous Coward
    Facepalm

    Haven't people heard of NASA?

    All the best and famous (not infamous) photos from JWST (and others) are available at NASA - free, no ads, no trackers, no logins - science as it's supposed to be.

  10. saif

    Perl malware probably harder to detect...

    If you want an obscure language, naturally obfuscated, which nobody below retirement age has heard of... seems ideal to me.

    1. Francis Boyle

      I consider all Perl to be malware

      based on what it does to my brain.

  11. tracker1

    Language FUD

    I just hope that talking about some of these languages and some of these types of articles don't discourage the use of those languages. Going roster actually very capable in gaining in popularity. P The fact that they are used for malicious purchases should not discourage anyone.

  12. Twanky
    Black Helicopters

    "By looking at the URL strings we can determine that the binary file was leveraging a DNS data exfiltration technique by sending unique DNS queries to a target C2 DNS server."

    So therefore DNS over HTTPs/TLS won't protect you from this. Given that it's trivial to set up a few SOA name servers for temporary domains, the DNS requests can be split across multiple domains and recombined once logged. Requesting unique TXT or other records from your DNS over HTTPS provider will happily pass those requests straight to the malicious/compromised SOA DNS servers.

    Intercepting DNS requests by DNS relay servers within the LAN at least allows local logging or filtering of requests to unauthorised domains. DNS/HTTPS bypasses this potential control.

    1. keith_w

      I think you are misunderstanding what was being said. Data was being sent to a server disguised as a DNS query. These were not actual DNS queries.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like