Pages

Tuesday 27 June 2017

More ransomware

This one is called "Petya". And it's a bit cunning; instead of encrypting the files, it encrypts the Master File Table (MFT), which is the equivalent of the File Allocation Table in Dos.

That's slightly good news, because it means that it can't affect files that you access on a server, because the client can't access the MFT.

It looks like it gets in via an attachment to an email, which a user clicks on (you *cannot* rely on all users refraining from clicking on tempting attachments, and it only needs one to click) and then spreading within the LAN using the same SMB loophole that Wannacry used. And, of course, your firewall doesn't keep out incoming emails, and your firewall doesn't block accesses within your LAN, only accesses from outside.

So you're relying on A) your users being canny enough not to click on even the most tempting attachments, and good luck with that, or B) your antivirus.

Copies of the virus have been submitted to online testing systems that check if security software, particularly anti-virus systems, were able to spot and stop it.

"Only two vendors were able to detect it so many systems are defenceless if they are unpatched and relying on anti-virus," he said.
 
"Online testing systems" probably means virustotal.com, and that means that only two out of 55 antivirus products would flag it.

That should be no surprise to readers of this blog; I've been saying for a long time now that antivirus products, although great for viruses (which stopped being a threat a decade or two ago), do pretty much nothing against today's threat, which is malware arriving via email. And the reason is obvious.

If you're about to spam out your ransomware, you first make sure that the 50 leading antivirus products don't flag it, and you keep tinkering with it until that's the case, by testing each of your attempts against those top 50 products (you can do this using Virustotal.com). Then you spam it out to a zillion email addresses, because if only one in a thousand users click on it, you're in the money. And at that point, the antivirus companies start to see this new thing, and write detection for it, and test their new update, and broadcast it out to their users, by which time it's too late.

So what can you do?

Well, backups are always a good idea. But restoring yesterday's backup is not going to be a popular action. If I've spent the day typing in billings for 100 people, I A) don't want to do that again, and B) I don't want them to be double-billed.

I've said this before, and I'll say it again. It's easy to run your own mail server. And it's easy to tell whether an email originated from within your local network, or from outside. And if it came from outside, it's easy to detach any attachment. If it's a ZIP or RAR file, unpack it to see what it contains. If it's an EXE file, a JS file or a SCR file or something like that, then you don't pass it on to the user. If it's a DOC file or an XLS file, you sanitise it by removing the macros before passing it on (and keep a copy, in case the user really did need those macros, in which case it came from someone they actually know, and you can check that it really was sent by a colleague). If it's a PDF file, you sanitise it by converting it to HTML then back to PDF (which would leave behind any nasty inserted in it. And so on.

In other words, don't expect the users to do the job that should be done, almost automatically, by the mail server.

And just in case you think that this is difficult to do, I spent a few minutes writing a demonstration. This is running on a Raspberry Pi; on a real server, it would be a lot faster.
It shows how a DOC file can be converted to PDF, RTF and a text file. It also checks it against virustotal.com, which is what takes most of the time.

And I'll just repeat, in case repeating helps.

"Only two vendors were able to detect it so many systems are defenceless if they are unpatched and relying on anti-virus," he said.


3 comments:

  1. Michael Abraham6 July 2017 at 09:16

    The issue is that this solution will result in lazy users doing something like uploading their files to Dropbox or another hosting site and just sending a link instead of an attachment to ensure that things get through smoothly, macros and all.
    This in turn results in opening another vector for the malware makers to get in.
    So next you start stripping links from external emails
    So users start posting the link in a way that gets around this (such as typing 'dot' instead of '.').

    Ultimately, it's a losing battle against less techy savvy users who just want to get on with their life and the malicious malware writers looking to take advantage of human nature.

    ReplyDelete
  2. Yes, you're right. Depressing, isn't it.

    ReplyDelete
    Replies
    1. The only true solution is to just not let anyone use a computer.

      Delete