I recently tried to email someone a .tar.gz of some .py files, and their academic email (large US university, hosted gmail) refused to let it pass. I was left to wonder what kind of research they do there.
I still believe you should be able to send files through email. Why should I set up a git server (static IP + domain name) to share a piece of code? What's next? "Modern tooling" like Google Docs instead of local apps?
Apart from the individual victims, ransomware seems like it should have a good effect on computer security overall since it actually harms the people who get infected and motivates them to do security better. Most viruses keep quiet so people don't know or care if they're infected and contributing to DDoSes or spreading to others. I sometimes use computers that have obvious viruses on them, and the people running them just let it happen because it doesn't stop their work.
Yes. I can't wait until self-driving car ransomware appears.
The amount of rage the customers will feel towards the makers of whatever non-secure self-driving or "connected" cars receive the ransomware should give those car makers a nice kick in the behind to get their act together.
Then we'll see how quick the car makers will be about implementing features such as "unlocking your car remotely from the beach."
I wouldn't say I "can't wait" for car viruses, but I do worry about all the stupid remote/automated features being advertised these days. You just know it's going to be exploited, and cars are at the top of my list of things that should be as safe and secure as possible.
That mostly boils down to lowering the attack surface.
Individual cars doing their own thing, no problem. Cars talking to cloud, big privacy problem, potential security problem. Cars talking to each other locally, smaller privacy problem, but bigger security problem.
It seems like very few viruses are "obvious" these days - aside from ransomware. How do you know what you're doing on these computers isn't affected or compromised in that case?
Usually just printing. I find the viruses on my USB drive after printing from it on other people's computers. I keep that drive for one-way use and never get files back off it because they're all potentially infected.
Note that the pen drive itself is potentially "infected" too, sometimes there are OS and file manager bugs resulting in code execution without the user clicking anything.
I don't do step 3. Viruses hardly ever work that way. An infected computer can infect a USB drive, but not the other way around for an up-to-date OS and if you're careful not to run mystery programs you find on it.
USB sticks can use firmware-level filesystem tables and/or multiple host-visible partitions, or pretend to be a hub that is hosting multiple devices (HID mouse+keyboard, etc.) in addition to an autorun, etc.
Not only can you trivially make such a thing with an Arduino, but there are also some commercial USB sticks which have a persistent "background" filesystem that cannot be formatted away.
Anything that is run automatically in the background, like the thumbnail services.
However, this is rather theoretical. All that common malware does is hide/delete all your existing directories, and put EXEs (or LNKs) with folder icons and the names of the original directories in their place. Plus maybe some autorun tricks.
For a fake HID device, you'd see cmd windows or whatever else it uses popping up. Other data hidden on it isn't a problem by itself. It can only passively sit there without some other attack vector.
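As an added example (not code from the thread), a small Go scanner for exactly the pattern described in that comment: it walks a drive and flags any .exe or .lnk whose name matches a sibling directory, and checks for an autorun.inf at the root. The sample drive layout it builds in a temporary directory is constructed for the example; names like Photos.exe and Thesis are placeholders.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one decoy executable that impersonates a sibling directory.
type Finding struct {
	Decoy    string // e.g. Photos.exe or thesis.lnk
	Shadowed string // the real directory it mimics
}

// FindFolderDecoys walks root and reports every .exe/.lnk whose name (minus
// the extension) matches a directory in the same folder: real folders
// hidden, lookalike executables with folder icons left beside them.
// Matching is case-insensitive, like Windows file names.
func FindFolderDecoys(root string) ([]Finding, error) {
	var found []Finding
	err := filepath.WalkDir(root, func(dir string, d os.DirEntry, err error) error {
		if err != nil || !d.IsDir() {
			return err
		}
		entries, err := os.ReadDir(dir)
		if err != nil {
			return err
		}
		dirs := map[string]string{} // lower-cased name -> real name
		for _, e := range entries {
			if e.IsDir() {
				dirs[strings.ToLower(e.Name())] = e.Name()
			}
		}
		for _, e := range entries {
			if e.IsDir() {
				continue
			}
			ext := filepath.Ext(e.Name())
			lext := strings.ToLower(ext)
			if lext != ".exe" && lext != ".lnk" {
				continue
			}
			stem := strings.ToLower(strings.TrimSuffix(e.Name(), ext))
			if real, ok := dirs[stem]; ok {
				found = append(found, Finding{
					Decoy:    filepath.Join(dir, e.Name()),
					Shadowed: filepath.Join(dir, real),
				})
			}
		}
		return nil
	})
	return found, err
}

// HasAutorun reports whether the drive root carries an autorun.inf.
func HasAutorun(root string) bool {
	entries, err := os.ReadDir(root)
	if err != nil {
		return false
	}
	for _, e := range entries {
		if !e.IsDir() && strings.EqualFold(e.Name(), "autorun.inf") {
			return true
		}
	}
	return false
}

// BuildSample lays out a constructed "infected pen drive" under root: two
// real folders with decoys beside them, one unrelated installer and an
// autorun.inf. (A real infection would also set the hidden attribute on the
// folders; the name match does not depend on it.)
func BuildSample(root string) error {
	files := map[string]string{
		"Photos/holiday.jpg":  "jpeg bytes (constructed)",
		"Photos.exe":          "MZ decoy (constructed)",
		"Thesis/chapter1.tex": "\\section{Intro}",
		"thesis.lnk":          "decoy shortcut (constructed)",
		"setup.exe":           "MZ unrelated installer (constructed)",
		"autorun.inf":         "[autorun]\nopen=Photos.exe\n",
	}
	for rel, body := range files {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "usbscan")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := BuildSample(root); err != nil {
		panic(err)
	}
	found, err := FindFolderDecoys(root)
	if err != nil {
		panic(err)
	}
	for _, f := range found {
		fmt.Printf("decoy %s shadows %s\n", f.Decoy, f.Shadowed)
	}
	fmt.Println("autorun.inf present:", HasAutorun(root))
}
```

Run it against a mounted drive by replacing the temporary root with the mount point; setup.exe is deliberately not flagged because no directory called "setup" sits next to it.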
Except that is not true, there's BadUSB (https://github.com/brandonlw/Psychson), which updates the firmware of some common USB drives to make it do whatever you want (such as emulating a mouse/keyboard).
"it is simply scanning accessible servers for the presence of the DOUBLEPULSAR backdoor. In cases where it identifies a host that has been implanted with this backdoor, it simply leverages the existing backdoor functionality available and uses it to infect the system with WannaCry." - Not a security person but that seems pretty clever, and incredibly worrying. I presume we'll see more of this type of attack in the future - but curious if this has been a popular vector of compromising in the past? Also curious about what a killswitch domain is / how it works?
You stopped before the next sentence which completely changes the context:
> In cases where the system has not been previously compromised and implanted with DOUBLEPULSAR, the malware will use ETERNALBLUE for the initial exploitation of the SMB vulnerability. This is the cause of the worm-like activity that has been widely observed across the internet.
This is not really any different from Blaster from 2003.
In that case, it was supposedly because of the patch:
> According to court papers, the original Blaster was created after security researchers from the Chinese group Xfocus reverse engineered the original Microsoft patch that allowed for execution of the attack
The patch was
ms03-026: Buffer Overrun In RPC Interface Could Allow Code Execution
Published: July 16, 2003
(could, hah)
> The worm was first noticed and started spreading on August 11, 2003
It was a huge problem at college campuses well into September. Students would arrive with their brand new laptops running XP and get hit with the worm 30 seconds after connecting to the network.
Really, the main difference is that Blaster was just an annoyance and mostly just broke random things like the DHCP service, but was easily fixed.
Or, "less commonly discussed". Why would worms be less prevalent today when the density of targets has increased one-hundred fold? Many systems may be inoculated but there are lots and lots of non-patched machines in the World.
In large part they are less common because of NAT's popularity.
Back in 2003, most people were on dialup or had a single machine plugged directly into the Internet. Microsoft had no firewall out of the box. So by default you exposed all your Microsoft networking services to the whole Internet.
NAT changed that, it made it so no one could directly connect to all the vulnerable machines floating around. Your phone is unable to infect other phones on your provider's network or the wider internet in this same way.
No one is out mass exploiting those IoT light bulbs with default telnet passwords because they're not exposed directly to the Internet. There are a few however exploiting vulnerable NAT routers... probably the only sort of worm to see widespread success in recent years.
Exactly this. MSBlast was so prevalent that ISPs would prevent infected computers from accessing the internet, by redirecting them to a page which described how they could remove the infection and patch themselves up.
I don't remember that happening with any other type of infection.
And I don't think we'll ever see that again. Even if there are big vulnerabilities in Linksys, DLink, Netgear or common ISP shipped modem/router combos - there are just too many different devices to see it on the same scale.
> Also curious about what a / how a killswitch domain works?
From the article:
The above subroutine attempts an HTTP GET to this domain, and if it fails, continues to carry out the infection. However if it succeeds, the subroutine exits. The domain is registered to a well known sinkhole, effectively causing this sample to terminate its malicious activity.
Why does it do it? To avoid triggering in many sandbox environments, as they often are not connected to the internet and track and respond with generic yes/"correct data" formats
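The control flow in that quote, as an added Go example that is not from the article or the thread. The kill-switch URL is a placeholder rather than the real domain, and all three "environments" are loopback servers (or a freshly released port that refuses connections), so nothing leaves the machine.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// KillSwitchTripped performs the check described in the quote: one HTTP GET
// to the kill-switch URL. Any response at all counts as success and means
// "stop"; a failed lookup or connection means "carry on". The status code
// is deliberately ignored, matching the described behaviour.
func KillSwitchTripped(client *http.Client, url string) bool {
	resp, err := client.Get(url)
	if err != nil {
		return false
	}
	resp.Body.Close()
	return true
}

// RunScenarios exercises the check in three environments and reports, for
// each, whether the sample would stop. The URLs stand in for the real
// kill-switch domain, which this example does not use.
func RunScenarios() (map[string]bool, error) {
	client := &http.Client{Timeout: 2 * time.Second}
	out := map[string]bool{}

	// 1. Nobody has registered the domain: no server answers. Modelled by
	//    grabbing a loopback port, releasing it, then connecting to it.
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	dead := "http://" + ln.Addr().String() + "/"
	ln.Close()
	out["unregistered"] = KillSwitchTripped(client, dead)

	// 2. The domain is registered to a sinkhole that answers every request.
	sinkhole := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "sinkhole")
	}))
	defer sinkhole.Close()
	out["sinkhole"] = KillSwitchTripped(client, sinkhole.URL+"/")

	// 3. A sandbox that fakes the whole Internet and returns a generic 200
	//    for any host or path. To the sample this is indistinguishable from
	//    the sinkhole, which is why the same check also hides it from such
	//    sandboxes.
	sandbox := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer sandbox.Close()
	out["fake-net sandbox"] = KillSwitchTripped(client, sandbox.URL+"/")

	return out, nil
}

func main() {
	res, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for env, stop := range res {
		fmt.Printf("%-18s stop=%v\n", env, stop)
	}
}
```

The flip side for defenders: because every infected host makes this GET before doing anything else, a DNS query for the kill-switch domain in resolver logs is itself a reliable indicator that a machine has been hit, whether or not the sample then stopped.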
I've seen a few mentions of something along the lines of "The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption."
I'm not super well versed in crypto, but is this possible? I assume they use symmetric encryption and then RSA encrypt the symmetric keys?
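As an added example, not code from the thread or from any ransomware sample: the hybrid construction the question guesses at, written against Go's standard library. A fresh AES-256-GCM key encrypts the file, RSA-2048 OAEP wraps only that 32-byte key, and Demo also shows RSA refusing to encrypt the file directly. The 4 KiB "file" is constructed inline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what a hybrid scheme stores per file: the AES key wrapped
// with the RSA public key, plus the AES-GCM nonce and ciphertext.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(pub, aesKey): 256 bytes for a 2048-bit key
	Nonce      []byte
	Ciphertext []byte
}

// Seal encrypts plaintext of any length under a random 256-bit AES key and
// wraps that key with the RSA public key.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open needs the RSA private key to recover the AES key; without it the
// ciphertext stays unrecoverable.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// MaxOAEPPayload is the largest message RSA-OAEP with SHA-256 can encrypt
// in one go: k - 2*hLen - 2 bytes, i.e. 190 bytes for a 2048-bit key.
func MaxOAEPPayload(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// DemoResult summarises one run on the constructed 4 KiB file.
type DemoResult struct {
	RoundTripOK    bool // Seal then Open returns the original bytes
	DirectRSAFails bool // RSA alone rejects a file-sized message
	OAEPLimit      int  // 190 for a 2048-bit key
}

func Demo() (DemoResult, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return DemoResult{}, err
	}
	// Constructed sample input: 64 lines of 64 bytes = 4 KiB.
	file := bytes.Repeat([]byte("constructed thesis chapter text for the hybrid example.........\n"), 64)

	env, err := Seal(&priv.PublicKey, file)
	if err != nil {
		return DemoResult{}, err
	}
	back, err := Open(priv, env)
	if err != nil {
		return DemoResult{}, err
	}
	// RSA-encrypting the file itself fails: far larger than the modulus.
	_, derr := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, file, nil)

	return DemoResult{
		RoundTripOK:    bytes.Equal(back, file),
		DirectRSAFails: errors.Is(derr, rsa.ErrMessageTooLong),
		OAEPLimit:      MaxOAEPPayload(&priv.PublicKey),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Only the holder of the RSA private key can unwrap the per-file AES key, which is why having the sample itself does not let a victim decrypt anything: the public key ships with the malware, the private key never does.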
Phewww! Good thing I'm using .tex to write my thesis and write most of my code in .py... lol