Why Users Fall For Ransomware

Published: 2016-03-21
Last Updated: 2016-03-21 19:17:53 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

We got the following message from our reader Steven:

"Yesterday I received an email regarding "STEVEN, Notice to Appear in Court on March 28", which included a ZIP folder attached. I am actually scheduled to appear in court on March 28th, so I assumed it was legit. I scanned the ZIP folder with Avast, and it said there was no problem.

I un-zipped the folder and scanned the .doc.js file with Avast, and it said there was no problem. So I double clicked on the .doc.js file. Nothing happened. I then changed the file name, removing .js from the extension. I clicked on the file and it opened in Word. Upon seeing the mess of text letters, I became alarmed and then found your webpage: https://isc.sans.edu/forums/diary/Malicious+spam+with+zip+attachments+containing+js+files/20153/"

I think the message makes some important points: malicious spam does work; it just has to hit the right person. Just as Steven had a court appointment, others may be waiting for a shipping confirmation or for an airplane ticket they just booked. Attacks do not have to work every time, and even a relatively small success rate is still a "win" for the attacker.

In this case, I ran the script in a Windows 8.1 virtual machine. Windows Defender (the only anti-malware on the system) blocked it. As expected, the JavaScript then downloaded crypto-ransomware, which renamed various files by adding the .crypted extension and went ahead encrypting them.

Anti-virus coverage for the unzipped attachment was pretty decent according to VirusTotal, but Steven's copy of Avast apparently let this sample slip past.
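The attachment Steven received relied on a double extension: the file is named like a Word document, but the final .js suffix is what Windows actually acts on when it is double clicked. The following is an added example, not code from the diary or from ISC, of the kind of triage a mail gateway or an analyst can run over a ZIP attachment before anyone opens it. It flags members whose final extension is a script host or executable extension, reports the decoy document suffix separately, and notes encrypted members that a scanner cannot look inside. The archive, its member names and their contents are constructed for the example; the function names are mine.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List

# Extensions that Windows hands to a script host or the loader on double-click.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".cmd", ".bat", ".ps1", ".scr", ".exe"}
# Document-looking extensions used as the inner, reassuring part of the name.
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify_member(name: str) -> List[str]:
    """Return the reasons a member name is suspicious; an empty list means clean.

    Only the last suffix decides what Windows will run; the suffix before it is
    checked separately so "invoice.pdf.js" is reported as a decoy double extension.
    """
    suffixes = [s.lower() for s in PurePosixPath(name.replace("\\", "/")).suffixes]
    if not suffixes:
        return []
    reasons = []
    last = suffixes[-1]
    if last in SCRIPT_EXTS:
        reasons.append(f"script/executable extension {last}")
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
            reasons.append(f"decoy double extension {suffixes[-2]}{last}")
    return reasons


def triage_zip(data: bytes) -> Dict[str, List[str]]:
    """Map each suspicious member of a ZIP (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            # Bit 0 of the general-purpose flags marks an encrypted member,
            # which a gateway scanner cannot look inside.
            if info.flag_bits & 0x1:
                reasons.append("encrypted member, content not scannable")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a court-notice lure plus a harmless file.

    The script member holds a placeholder comment, not the real downloader.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Notice_to_Appear_Court_March_28.doc.js",
                    "// placeholder text for the example, not malware\n")
        zf.writestr("directions.txt", "Courthouse, 9:00\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_zip()).items():
        print(member)
        for r in reasons:
            print("   -", r)
```

Checking the final suffix is deliberate: a user who renames the file to hide .js, as Steven did, changes what Windows will do with it, so the name as it sits in the archive is the one that matters at the gateway.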

Doing a quick analysis of the PCAP, it looks like the actual malware was downloaded from 

http://wambofantacalcio.it / counter/?ad=1N....[long string]&dc=[6 digit number]

Anti-Virus coverage on the binary is mixed, with Symantec identifying it as Cryptolocker: 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Comments

[quote]I un-zipped the folder and scanned the .doc.js file with Avast, and it said there was no problem. So I double clicked on the .doc.js file. Nothing happened.[/quote]

OUCH!
Windows XP SP2 (released about 11.5 years ago) introduced the "attachment manager": files downloaded from the internet as well as attachments saved from mail are stored with an NTFS alternate datastream "Zone.Identifier".

Not only Internet Explorer, Outlook [Express], Windows [Live] Mail, Windows' Explorer's ZIP shell extension, but every self-respecting browser, mail client and "ZIP" program sets or propagates the Zone.Identifier too.

And Windows Explorer (precisely: the ShellExecute*() functions) warns users when they open such files.

So: "Nothing happened" is either wrong, or Steven's un-zipper (most probably 7-Zip) is crapware!
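The commenter's point is that the Zone.Identifier alternate data stream is what carries the "this came from the internet" mark from the mail client to the saved ZIP, and that an unzipper should propagate it to every extracted file so that ShellExecute can warn before running a .js. As an added example, not code from the diary or from any of the commenters, here is a small Python module that parses the stream, reports whether the zone is one that triggers the warning, and extracts a ZIP while writing the mark onto each member. The sample stream and its host names are constructed; the function names are mine. Reading and writing the stream only works on NTFS, so the read and extract helpers return empty results elsewhere.

```python
import configparser
import os
import zipfile
from typing import Dict, List

# URLMON security zone ids as written in the Zone.Identifier stream.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Constructed sample of what a mail client writes on a saved attachment
# (host names are placeholders).
SAMPLE_STREAM = ("[ZoneTransfer]\r\n"
                 "ZoneId=3\r\n"
                 "ReferrerUrl=https://webmail.example.invalid/\r\n"
                 "HostUrl=https://webmail.example.invalid/attachment/notice.zip\r\n")


def parse_zone_identifier(stream_text: str) -> Dict[str, object]:
    """Parse the INI-style Zone.Identifier stream; {} if it carries no zone."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(stream_text)
    if not cp.has_section("ZoneTransfer"):
        return {}
    sec = cp["ZoneTransfer"]
    try:
        zone_id = int(sec.get("ZoneId", ""))
    except ValueError:
        return {}
    return {"zone_id": zone_id,
            "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
            "referrer": sec.get("ReferrerUrl"),
            "host_url": sec.get("HostUrl")}


def is_internet_origin(zone: Dict[str, object]) -> bool:
    """True for the Internet and Restricted zones, the ones Explorer warns about."""
    return bool(zone) and int(zone["zone_id"]) >= 3


def motw_stream(zone_id: int) -> str:
    """Minimal stream an extractor writes on each extracted file."""
    return f"[ZoneTransfer]\r\nZoneId={zone_id}\r\n"


def read_zone_identifier(path: str) -> Dict[str, object]:
    """Read path:Zone.Identifier on NTFS; other platforms have no ADS, so {}."""
    if os.name != "nt":
        return {}
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return {}


def extract_with_motw(zip_path: str, dest: str) -> List[str]:
    """Extract a ZIP and propagate its mark to every member.

    Returns the paths that received a Zone.Identifier stream (empty off NTFS
    or when the archive itself carried no mark).
    """
    parent = read_zone_identifier(zip_path)
    marked = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            out_path = zf.extract(info, dest)
            if parent and not info.is_dir() and os.name == "nt":
                with open(out_path + ":Zone.Identifier", "w", encoding="utf-8") as fh:
                    fh.write(motw_stream(int(parent["zone_id"])))
                marked.append(out_path)
    return marked


if __name__ == "__main__":
    zone = parse_zone_identifier(SAMPLE_STREAM)
    verdict = "warn on open" if is_internet_origin(zone) else "no warning"
    print(zone["zone_name"], "->", verdict)
```

A quick way to confirm that a tool propagates the mark is to extract an archive saved from a mail client and look for the stream on the members; if the extractor drops it, a .js inside opens with no prompt at all, which is one explanation for "nothing happened".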

Users fall prey to such ransomware because

1. 22+ years ago Microsoft made a bloody beginner's error and chose to let the Win32 API create files with execute permission on NTFS;

2. their administrators failed to remove the execute permission from all user profiles, either by adding the NTFS ACE "(D;OIIO;WP;;;WD)" or via SAFER, alias Software Restriction Policies;

3. they still rely on anti-virus, despite this snake oil being completely useless.

To quote Eva Chen, CEO of Trendmicro: "In the antivirus business, we have been lying to customers for 20 years. People thought that virus protection protected them, but we can never block all viruses. Antivirus refresh used to be every 24 hours. People would usually get infected in that time and the industry would clean them up with a new pattern file.
In the last 20 years, we have been misrepresenting ourselves. No-one is able to detect five and a half million viruses. Nowadays there are no mass virus outbreaks; [malware] is targeted. But, if there are no virus samples submitted, there's no way to detect them."

Source: http://www.zdnet.com/article/trend-micro-antivirus-industry-lied-for-20-years/

Or read what Symantec wrote: "The best kind of desktop is a secure desktop. As you all know, hackers are a tricky bunch. You have to go beyond Symantec Antivirus and actually lock Windows down if you want to make sure your computing environment is actually secure."

Source: http://www.symantec.com/connect/articles/securing-xp-desktop-part-1

Two reasons why our users click on links and open attachments, straight from their mouths:

"I am so busy and receive so many emails that I do not have time to read through them all. If it has attachments or links I figure that's the important part so I open them."

and my all-time favorite:

"You know me, I'm a clicker!"
