back to article Don't touch that mail! London uni fears '0-day' used to cram network with ransomware

University College London is tonight tackling a serious ransomware outbreak that has scrambled academics' files. It is feared the software nasty may be exploiting a zero-day vulnerability, or is a previously unseen strain of malware as antivirus defenses did not spot it in time, we're told. Eggheads at the UK uni are urged to …

  1. druck Silver badge
    Facepalm

    Oh dear...

    ...I had expected better from my alma mater.

    1. druck Silver badge
      Unhappy

      Re: Oh dear...

      But thinking back to when I was there (87-90), all the academic work was done on various UNIX boxes, and the only PC's were a couple of horrible Olivettis kept up in the attic to transfer files for personal use. These were so ridden with viruses, that you had to bring your own DOS floppy with you.

      Remembering even more, the UNIX boxes for undergraduate use were so over subscribed as to be unusable (mainly Sun 3/50's with no local discs), so I ended up porting my 3rd year project to RISC OS to get it finished and then porting it back to UNIX. They also expected the dissertation to be written with nroff, but my pre-release copy of Impression desktop publishing software was a lot easier, and produced a lot better results when it came out of their postscript printers.

      1. Down not across

        Re: Oh dear...

        They also expected the dissertation to be written with nroff, but my pre-release copy of Impression desktop publishing software was a lot easier, and produced a lot better results when it came out of their postscript printers.

        Really? I would've expected LaTeX.

  2. TRT Silver badge

    Ah.

    Well it can happen all so easily. The servers should have anti-encryption defences... Test files in every folder that are monitored etc etc.

    I worked there for many years, and I know university research systems well at many places. They have no defences at all once something is in.

    1. Anonymous Coward
      Anonymous Coward

      Re: Ah.

      I know university research systems well at many places. They have no defences at all once something is in.

      Yup. AFAIK, most of them are still based on the "hard shell, soft centre" principle, and with email and messaging every terminal is now a potential gateway for Internet malware.

      I'll give them a ring later and see if they can do with some help (and, more importantly, if they want help because outsiders trying to tell you your job can be irritating, however well intended)

  3. patrickstar

    "The AV didn't catch it so it must be a 0day!"... Very funny!

    Duh, obviously malware authors check their stuff against all relevant AVs before sending out a spam campaign or serving up drive-by-downloads. And if there are any detections, they make sure they go away before proceeding - I'd expect that there are very well established procedures for this.

    1. Anonymous Coward
      Anonymous Coward

      The college dont seem to know the difference between the terms "zero day exploit" and "malware"

      Either that or I dont.

      A 0day , as i understand it it a vulnerability that has only just been discovered - a security hole.

      That is totally different from the payload delivered.

      And "Hey click on this email - its fun" is not a 0day exploit , its probably the oldest exploit of them all.

  4. Anonymous Coward
    Anonymous Coward

    Has anyone got detail of subject line etc. so we can check for it?

    1. Anonymous Coward
      Anonymous Coward

      It's an email with a URL download link to a malware java script (DONT EXECUTE IT obviously):

      https://streamlinedmigration-my.sharepoint.com/personal/claire_streamlinedmigration_com_au/_layouts/15/guestaccess.aspx?docid=0229331213d7849729357bef5dc9f9a4a&authkey=AeX0SseHqafVbHh8Ocob5as

      I have uploaded it to Kaspersky, Microsoft and Sophos.

      Title of email in my case was "Copy of K9b Form assessed by : James Eley-Gaunt"

      With blurb telling me in an email to click on the link.

      1. Dr Who

        I got one with the same subject line but the link to the javascript is different. I'm not at a university, just a small business so this looks like it's broadcast rather than targeted.

        Mind you, I would have thought that "Copy of K9b Form assessed by : James Eley-Gaunt" would pretty much flag this as suspicious in most intelligent people's minds. Eggheads my arse.

        1. Cuddles

          "Mind you, I would have thought that "Copy of K9b Form assessed by : James Eley-Gaunt" would pretty much flag this as suspicious in most intelligent people's minds. Eggheads my arse."

          To be fair, there doesn't appear to be any suggestion that it was actually anything to do with any "eggheads". Indeed, they specifically mention "students and staff", which means this could have been caused by literally any person on campus with an email account, including drunken teenagers and the janitorial staff. That said, the stereotype of the eccentric professor exists with good reason; just because someone is intelligent in some respects doesn't mean they're not a complete idiot in other ways. Given that many academic staff can be quite elderly and in non-technical disciplines, there's no reason to expect them to be any more competent with computers than the general population - if you struggle to explain these kinds of issues to your grandmother, why expect a 70 year old lecturer on Abyssinian pottery to be any different?

          1. Doctor Syntax Silver badge

            " if you struggle to explain these kinds of issues to your grandmother, why expect a 70 year old lecturer on Abyssinian pottery to be any different?"

            Usual ageism - apart from the fact that a lecturer would be unlikely to have reached 70 before being retired.

            http://www.bbc.co.uk/news/business-40286280 should give you food for thought: the biggest rise in victims was in the under 21s.

      2. Chris Long

        I got this one several times yesterday (several different email accounts) and I've had a lot of similar ones over the last month or so, all from (apparently) compromised Australian Sharepoint Online accounts....

        I didn't click on it, obviously, because I'm not a total fucking retard. All the ones I received yesterday had the same name, James Eley-Gaunt. Did all these 'eggheads' think that sounded like someone they knew?

        1. David 140

          I tried to report it to abuse@sharepoint.com - but it was (eventually) returned undelivered.

          1. Doctor Syntax Silver badge

            "I tried to report it to abuse@sharepoint.com"

            These days only reports on social meeja work. You can't expect millennials to use something as last century as email.

      3. patrickstar

        Still not detected by all relevant AVs... 13/54 at VirusTotal: https://www.virustotal.com/en/file/45cc669418d18143368870539a9efc348e0b0f380b8d2d6109fd24c309f10ec4/analysis/1497531940/

  5. Anonymous Coward
    Linux

    Academic malware strain

    The only solution is to ban that socialist Linux software and only allow the use of the industry standard Microsoft Windows.

    1. Yet Another Anonymous coward Silver badge

      Re: Academic malware strain

      No it's these people creating their own content. You should only use computers to view paid for content - and keep paying for the same content over and over.

      Creating your own content for free is commie-terrorism

    2. Anonymous Coward
      Anonymous Coward

      Re: Academic malware strain

      The only solution is to ban that socialist Linux software and only allow the use of the industry standard Microsoft Windows.

      Substandard trolling. Too obvious and no capital letters, spelling mistakes or swear words. Worse, it's not even funny.

      That's a downvote from me.

      1. Anonymous Coward
        Facepalm

        Re: Academic malware strain

        > Substandard trolling. Too obvious and no capital letters, spelling mistakes or swear words. Worse, it's not even funny. That's a downvote from me.

        It's called satire, drawing attention to the lack of mention of the relevant operating system.

        1. TRT Silver badge

          Re: "no reports of the malware impacting Mac or Linux machines"

          Excepting where research groups used shared folders and one group member had a Windows machine.

    3. Anonymous Coward
      Anonymous Coward

      Re: Academic malware strain

      UCL have released an update to staff and students, it includes:

      "no reports of the malware impacting Mac or Linux machines"

  6. Anonymous Coward
    Windows

    URL link to malware java script

    For those of you on Windows, this is a partial listing of the javascript:

    <script type="text/javascript">// <![CDATA[

    var g_SPOffSwitches={"350DFCB0-8735-4C62-A504-B3F751C54F40":1,"16F97A90-2979-4779-B2C1-178AF354D811":1,"61F90157-BA7A-4386-9442-CB7513E105EA":1,"B27BAAAF-A1DC-4B11-91D4-EBF072E685D7":1,"D273A190-A2AD-4F20-AB86-EFDF33FBB0C2":1,"8ACA3A4B-B9CD-41C4-AEAD-0952D43D7A24":1,"A8D1C7D3-4BA4-437B-A379-58BD8E3C5C69":1,"CC732967-7700-4EDC-B0FF-000465F8A2D9":1,"F6339084-35C6-43C7-B4DE-2E8AE9051702":1,"33EAE85C-F23E-409A-913A-6C2DB6CB8817":1,"80D62D4D-E941-47D4-BABE-E43AA1701554":1,"3CD6C7C7-8BCF-4634-ADCC-E0EE021A9094":1,"9E182783-C0E0-42F8-9A1B-F5BBB6C3EEA6":1,"639A3330-B627-4EEF-8E44-2609DAA054BA":1,"D41CA9C0-307F-4AB5-9E57-F9615C3B06B2":1,"83D1A9C3-BA00-43EA-8ACB-7BA8A6E9F692":1,"C0A36CB6-0CC9-4A23-ACFD-34EC71A61B8B":1,"34198365-010E-4169-B902-3456E04CAC98":1,"219F4128-A6AB-409D-B265-4E506ABAF44B":1,"2E379257-AD77-45EB-98D6-784AADC1B616":1,"BFAF40B7-C716-4EA9-9B0E-3D829CBF6847":1,"A28D5B9D-7748-4967-9681-4CAB6D0CA11A":1,"7BE8DA39-C2E2-4709-819D-35B4AA3A1148":1,"82E2BE28-D346-4CAA-B095-42BA038A00A8":1,"A7EC3D5D-8B87-43A9-BEDC-EC276053CE91":1,"C592B7D2-C328-4CA0-B4DE-6AB373AFD514":1,"AFBC03CF-E4B3-4CC1-9CAE-E0AFDDE398E1":1,"DA96E8BA-1B98-4482-B26B-37D4C03A8E48":1,"D08588A0-8DDC-44CC-B2AE-157C4BA52D3F":1,"03CE89AC-9BE8-41E4-9670-3AE8BAAF0A66":1,"8E66E602-670D-4A96-B460-3F414D01C0FE":1,"D5055E85-C5EA-442F-AFE1-A8B40E755F79":1,"DEAE93A3-913F-4609-A15D-EE758397C5E5":1,"B3DA56E3-91BA-486D-ACD7-9D4DB4F8FF3A":1,"8BAE39E9-236F-41AA-B049-05B2362A2ED3":1,"687A7B5B-456E-45F1-919F-D9E97E33DB4A":1,"FCE5A8EB-364B-4F12-AB0C-106ABCEEB63F":1,"0B8DBCEA-DE3D-462F-9959-1807C1D7613C":1,"97BB8786-5899-4D25-9237-30B1AD7BE0FF":1,"BA949553-5957-433B-97CA-7FFD11B2F1C9":1,"4755A573-FEFC-41BC-B32C-ACE4AE422870":1,"1355480B-0B98-493A-B431-B3B80594B385":1,"88BCAC35-24B3-4BCD-91FE-7BFC47A05767":1,"6FDF5600-CA5D-4006-A36B-DC0FFF24A706":1,"30C37442-4B09-4D63-B42C-7F4AFEC7D321":1,"13F52080-0D7E-4AF4-B3ED-061EAFE6DF52":1,"4D814B83-7ED7-4464-98A1-4C7A8738031D":1,"AFD83DC4-CDE4-4E17-A990-453828FA7765":1};

    // ]]>

    </script>

    1. Prst. V.Jeltz Silver badge
      Paris Hilton

      Re: java script

      re D9E97E33DB4A":1,"FCE5A8EB-364B-4F12-AB0C-

      wtf is that?

  7. Anonymous Coward
    Anonymous Coward

    Link is now blocked - hopefully some nice person at Microsoft got that SharePoint online killed...

  8. Anonymous South African Coward Bronze badge

    Bah. Goat, chicken and sheep farming in the boondocks are getting more and more attractiver.

  9. Anonymous Coward
    Anonymous Coward

    When I was at Uni

    It was "don't inhale"

    Now it's "don't click"

    Kids today eh..

  10. Peter Gathercole Silver badge

    Fundamental problem in vulnerable OS protected by AV

    If AV is your primary defense against this type of attach, then you've got a problem.

    There will always be a lead time between the appearance of this type of attack, and AV systems identifying and blocking it and becoming effective when it is deployed. This will be unlikely to be less than 24 hours, and probably much longer as organizations rarely provide daily AV updates.

    It really surprises me that we have not seen more sophisticated malware, with constantly changing content and delivery vectors. I know that AV systems are trying to become heuristic to avoid that type of threat, so they make an attempt to programmatically identify suspicious traffic, but this can lead to false positives.

    OS and application writers (of any flavor) should make sure that easily exploited vulnerabilities (like allowing mail attachments to be able to execute code) are either not present (preferably) or patched very quickly, and administrators should make sure that access to data is controlled and segregated to limit the scope of any encryption attack (at this point, running your MUA in a sandbox looks good!).

    Whenever I see "Avoid messages with a subject line of..." then it is clear that the malware writers just aren't really trying very hard. Fortunately. Maybe they don't have to because the attack surface is so large.

    1. Anonymous Coward
      Anonymous Coward

      Re: Fundamental problem in vulnerable OS protected by AV

      yep. Hence why we've just purchased SOPHOS InterceptX

    2. David Roberts

      Re: Fundamental problem in vulnerable OS protected by AV

      Just checking, but isn't this a browser executing code via a URL embedded in an email?

      So mail client not to blame, nor OS?

      1. TheVogon

        Re: Fundamental problem in vulnerable OS protected by AV

        Yes, it's a download link to a zip file that contains an executable Java Script file.

    3. Prst. V.Jeltz Silver badge

      Re: Fundamental problem in vulnerable OS protected by AV

      @Peter

      You're not offering any solutions there , just restating the eternal battle lines.

      Mail attachments cannot execute code - it takes a person to get the file out of the email and run it.

      Administrators *do* make sure access to data is limited.

      1. Peter Gathercole Silver badge

        Re: Fundamental problem in vulnerable OS protected by AV @Ptsr.V Jeltz

        Unfortunately, many of the organizations I've worked at recently have nearly wide-open file-shares, such that my account would have been able to damage a significant proportion of the data.

        As a long-term UNIX admin, I'm used to have files locked down by individual user ID, with group permissions to allow individuals to access those extra files they need, at the appropriate access level. With some skill, it is possible to devise a model where by default you have minimal access, and you acquire additional access as and when you need it, with additional access checks along the way (think RBAC with you having to add roles to your account as you need them).

        The windows permissions model is much more flexible than UNIX, so not using it properly to protect information is almost criminal. Too many organizations (but not all, I admit) do not use it to it's fullest capabilities.

        There have been several vulnerabilities published where just displaying an HTML mail can execute code. In addition, launching an application to handle an attachment is merely one click in many mail systems, especially when the actual attachment type can be obscured. Thus, building a sandbox for the mail system and applications that handle attachments (what I was aiming at) is do-able, History indicates that vulnerabilities like this have happened in the past, and I do not have confidence that there are not more to find. Ease of use always seems to have triumphed over security in much software.

        The recent attacks appear to hinge around being able to launch client-side code without sufficient control, in an environment where the users credentials are sufficient to do significant harm. The results appear to suggest that sufficient care had not been taken to segregate data access, contrary to your assertion that administrators do, If they had, the results would not have been nearly as bad as reported.

        IMHO, security should be paramount in this day and age, and usability should always be secondary.

        1. Ramazan
          Facepalm

          Re: windows permissions model is much more flexible than UNIX

          setfacl/getfacl -- obviously you never heard about them? grsec/gradm, no? apparmor/selinux, still no trace of recognizing anything?

          1. Peter Gathercole Silver badge

            Re: windows permissions model is much more flexible than UNIX

            Unix != linux, just in case you can't read. Plus, there is no one ACL system that spans all UNIX-like OSs.

            What I wrote is totally true. You've just responded to a different statement, one that I did not say, The original UNIX permission model is weaker than current Windows without any question,

            Even on Linux, ACL support largely depends on the underlying filesystem, and both apparmour and SELinux can be, and often are, disabled.

            Oh, and because I am a long-term AIX system admin, I've actually been aware of filesystem ACLs since before Linux went mainstream (JFS implemented them on AIX 3.1 which was released in 1990), and RBAC since AIX 5.1 (sometime in 1999 or 2000). I've also used AFS and DCE/DFS, both of which has ACL support and used Kerberos to manage credentials since about 1993,

            At the risk of being confrontational, when did you start using computers?

          2. TheVogon

            Re: windows permissions model is much more flexible than UNIX

            " grsec/gradm, no? apparmor/selinux, still no trace of recognizing anything?"

            Still nothing close to what Windwos can do with features like Discretionary Access Control

      2. Peter Gathercole Silver badge

        Re: Fundamental problem in vulnerable OS protected by AV @Prst. V. Jeltz

        Here is a on-the-back-of-a-napkin solution for you.

        Each user can only access their own files, which are stored in a small number of well defined locations (like a proper home directory).

        Store the OS as completely inviolate to write access by 'normal' users. Train your System Administrators to run with the least privileges they need to perform a particular piece of work.

        Any shared data will be stored in additional locations, which can only be accessed when you've gained additional credentials to access just the data that is needed. Make this access read-only by default, and make write permission an additional credential. This should affect OS maintenance operations as well (admins need to gain additional credentials to alter the OS).

        Force users to drop credentials when they've finished a particular piece of work.

        If possible, make the files sit in a versioned filesystem, where writing a file does not overwrite the previous version.

        Make sure that you have a backup system separate from normal access. Copying files to another place on the generally accessible filetree is not a backup. Make it a generational backup, keeping multiple versions over a significant time. Allow users access to recover data from the backups themselves, without compromising the backup system.

        Make you MUA dumb. I mean, really dumb. Processing attachments should be under user control, not allowing the system to choose the application. The interface allowing attachments to run should be secured to attempt to control what is run. Mail can be used to disseminate information, but by default it should be text only, possibly with some safe method of displaying images.

        Run your browser (and anything processing HTML or other web-related code) and your MUA in a sand-box. There needs to be some work done here to allow downloaded information to be safely exported from the sandbox. Put boundary protection between the sand-box and the rest of the users own environment.

        Applications should be written such that all the files needed for the application to function, including libraries should be encapsulated in a single location, and protected from ordinary users. The applications should be stored centrally, not deployed to individual workstations and run across the network with credentials used to control the ability to run the applications. The default location that users will save data to in all applications should be unique to the user (not a shared directory), although storage to another location should be allowed, provided that the access requirements are met.

        Use of applications should be controlled by the additional credential system described for file access.

        Distributed systems should not allow storage of local files except where temporary files are needed for performance reasons, or they are running detached from the main environment. These systems should be largely identical, and controlled by single-image deployment, possibly loaded at each start-up. This allows rapid deployment of new system images. The image should be completely immune to any change by normal users, and revert back to the saved image on reboot.

        For systems running detached (remote) from the main environment, allow a local OS image to be installed. Implement a local read-only cache of the application directories which can be primed or sync'd when they are attached to home. Store any new files in a write-cache, and make it so these files will be sync'd with the proper locations when they are attached to home. Make the sync process run the files through a boundary protection system to check files as they are imported.

        OK, that's a 10 minute design. Implementing it using Windows would be problematic, because of all of the historical crap that windows has allowed. A Unix-like OS with Kerberos credential system would be much easier to implement this model in (I've seen the bare-bones of this type of deployment using Unix-like systems already, using technologies such as diskless network boot and AFS).

        Not having shared libraries would impact system maintenance a bit, because each application would be responsible for patching code that is currently shared, but because the application location is shared, each patching operation only needs to be done once, not for all workstations. OS image load at start-up means that you can deploy an image almost immediately once you're satisfied that it's correct.

        Users would complain like buggery, because the environment would be awkward to use, but make it consistent and train them, and they would accept it.

        BTW. How's the poetry going?

    4. patrickstar

      Re: Fundamental problem in vulnerable OS protected by AV

      There are lots and lots of constantly changing malware. Down to new variants generated every couple of minutes.

      As to heuristics, it's basically as useless as signature scanning when applied at the AV/file scanning level. The same principle applies - malware author tests his code against AVs, if it's detected then follow various procedures until it's no longer detected. At most you can hope to increase the time taken to get rid of detections by making them less deterministic during testing.

  11. Tom 38
    Meh

    Wouldn't have happened in my day

    My first uni (Warwick 98), in order to get access to your email, first you rebooted the Windows PC in the lab to a DOS terminal emulator, which then allowed you to log in to one of the servers and run pine.

    This wasn't just CompSci students - everyone had to get email like this. Very weird seeing all these 'regular' people tapping away in consoles, and suddenly being slightly in demand as the guy who can get your email back working again by typing "pine" in the shell after they quit accidentally.

    If only people today would reward me for fixing IT issues with alcohol and vague promises of sexual encounters. Actually, considering the people I work with now, I'd be OK with just the alcohol.

    1. Nick Gibbins

      Re: Wouldn't have happened in my day

      Pfft. Youngster. When I was a Warwick student (94 graduate), there was a single room of Windows PCs in the basement of CSV. Unless you had access to the small number of Sun workstations, you read your email the same way as almost everyone else: on a VT220 (or on an ADM3e if you were in DCS).

      1. Korev Silver badge

        Re: Wouldn't have happened in my day

        At university and in my first job (also at a uni) is was normal for "normal" undergraduates and staff to log in via telnet* and use Pine. I suspect that if you showed them a terminal now they'd refuse to use it as it's "too hard".

        *Showing my age here, wasn't it nice to not have to care about security as much

    2. Ramazan
      Pint

      Re: log in to one of the servers and run pine

      it's called alpine nowadays. Still works though. mutt also does.

    3. Peter Gathercole Silver badge

      Re: Wouldn't have happened in my day

      Pine? Piffle!

      mailx or if that was not available or not a UNIX system, mail. Or maybe *MAIL on MTS.

      Youngsters!

  12. nick turner

    I'm not shocked!

    I spent far too many years of my life working the email at London's top engineering and science uni... One of the biggest problems was that we could put all the security we wanted, but academic's are the very definition of special snowflakes. We could not dictate to them which clients they used (we had fellows who refused to upgrade from pine to alpine and this was 4 or 5 years after the final release of pine....) We also had the ridiculous situation where every system had to have a corresponding MX record because academics liked to run to their own mail servers (which we had 0% control over)

    I'm more shocked that this hasn't happened more frequently.

    1. Anonymous Coward
      Anonymous Coward

      Re: I'm not shocked!

      With systems that old maybe the malware was aiming too high?

    2. Anonymous Coward
      Anonymous Coward

      Re: I'm not shocked!

      You'll be happy to know that department mail servers have been mainly shut down and all UCL email now goes through outlook.com. Which is fun on the days when it doesn't work. Why it should matter what client someone uses (universities being large organisations with users with quite a variety of needs) so long as it can talk IMAP/SMTP is less clear.

      1. nick turner

        Re: I'm not shocked!

        Client mattered when it came to integrating other services and maintaining support. Which led to headaches in other projects (hello archiving and stubbing of mails..) Not to mention the people complaining when Eudora wasn't formatting mails correctly or kept crashing, like it was my problem they were still using a buggy client 2 years after support and development stopped (answer to which was, "they are academics, of course it was my problem!") Not to mention the inconsistent handling of attachments, especially the way that macmail dealt with inline attachments at the time...) I'm just glad I no longer have to touch clients with a bargepole :)

        1. Korev Silver badge

          Re: I'm not shocked!

          "I'm just glad I no longer have to touch clients with a bargepole"

          Email or human?

        2. Doctor Syntax Silver badge

          Re: I'm not shocked!

          "Client mattered when it came to integrating other services and maintaining support."

          Possibly in more ways than you realise.

          One of my clients (that's client as in customer) had a system where files were emailed for processing and I had a specific client configured to feed into the remainder of the processing pipeline. You could have had a similar situation where one of your users was receiving files from a remote telescope or particle physics experiment. Universities are apt to use computing to much more varied ends than a commercial business.

          It could also, of course, have been the case that your users didn't trust you. I'm sure anyone on KCL who didn't trust their computer services to store data felt vindicated.

    3. Doctor Syntax Silver badge

      Re: I'm not shocked!

      "We could not dictate to them which clients they used (we had fellows who refused to upgrade from pine to alpine and this was 4 or 5 years after the final release of pine....) We also had the ridiculous situation where every system had to have a corresponding MX record because academics liked to run to their own mail servers (which we had 0% control over)"

      I wonder who develops some of the clients and servers. It could even have been some of your users.

  13. Anonymous Coward
    Anonymous Coward

    I'm sure anyone on KCL who didn't trust their computer services to store data felt vindicated.

    The End User Services made a special point of sharing the pain with anyone who had survived their datapocalypse. You'd think they'd be more sensitive about things if they, say, came across of box of backup tapes in a hidden corner of a store room during a clear out.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like