Post by jetjock Post by jetjock
I watched "Homeland" the other day--the one where Carrie picks up
Ransomware by clicking on a .jpg file. Started me thinking which led
1. I didn't think a .jpg file could be infected. Don't know where that
idea came from, but I seem to remember reading it quite some time ago.
Can they be the vector for such a program (Ransomware), or could the
ransomware file just be named as a .jpg.
2. If Carrie would have had a backup image of her drive, which, since
she is supposedly a hotshot CIA agent, she most likely would have had,
would just recovering the backup have solved her problem? If not, why?
In all that has been written about the scourge of ransomware, I have
never read anything that would answer these questions. Would be nice
info to have.
I figured this would be right up Paul's alley, but I guess not.
Thanks to all for the info. So far, (almost) everyone has confirmed
what I thought to be true.
A .jpg, a .tif, and a .png can be infected. We had a good scare
about this, a long time ago.
It takes older versions of libjpeg to be vulnerable though.
I don't remember all the history, but for some reason
Microsoft gdiplus was also involved.
Older software didn't do good bounds checking. There were
actually languages with built-in bounds checks, but they
weren't involved. With the C language, you can fall off
the end of an array as easy as can be.
And one of the crimes committed, was the lack of "software review"
for FOSS libraries. Many commercial companies re-used the libraries
on the assumption that "one of my competitors has already reviewed
this library and given the developers shit for their bad practices".
When in fact, nobody had reviewed the software. Shock and long
faces all around, when they later find out what is inside.
"You mean Apple didn't review this? I thought Apple used this."
Some software is not properly reviewed, because no third-parties
can actually read the source and make sense of it. And this is why
such a library got rewritten a couple of times. One company
felt it was in their best interest, to write their own version. As
Ripley would say "nuke it from space, to be sure" :-) That
was software that involved crypto, and the code was
uncommented. While people could spot stack smashing attacks
on something like that (i.e. spot the occasional bad programming
practice), they couldn't spot the logical errors in the code.
And there are some software we never get right, because
the spec was so poorly written. Try and find two implementations
of the AVI2 software, that do exactly the same thing. No amount
of review helps with that problem, because every reviewer looks
at the spec, and the spec isn't precise enough to make comments
possible. "It could be this way, or it could be that way, and
according to the spec, both are OK." When you play your AVI2
video, maybe the shuttle controls don't work right, and you
can't move backwards and forwards in the movie without problems.
Maybe you move backwards once, and when you push play, there is no
sound. You can thank a rushed spec for some of these issues.
Reviewing the code won't help. Recognizing the spec needs to
be fixed is fine, but *nobody owns the standard for it* :-)
Ransomware is the "payload". It's the bad thing delivered by
any available exploit.
In fact, for ransomware, the preferred method is to just
put a fake invoice as an attachment to an email. If you're
a guy who does a lot of business, gets a lot of invoices
delivered to a certain email box, you probably just
double-click the attachments like there is no tomorrow.
All they have to do, is make the filename invoice.pdf.exe
(you glance at it and see the invoice.pdf part),
and you click, and kaboom, your disk is encrypted and a
red banner says "we'd like 0.3 bitcoins please, sent
to this address". One of the people in my other groups
had this happen, and that's exactly how they did it.
It was a "GoDaddy invoice" attachment, a fake one. Never
be in too much of a rush to click shit in your email client :-/
Detach the attachment. Scan it. Examine it under a microscope.
Let your dog sniff it. Did your dog growl ?