Posted on 01/03/2016 11:16:43 PM PST by Utilizer
A new type of ransomware has been spotted, the first of its kind, a ransomware that uses JavaScript to infect its users, being coded on top of the NW.js platform.
NW.js, formerly known as Node-WebKit, is a powerful platform that allows developers to create desktop applications via Node.js modules. The platform lets programmers use JavaScript in the same way, and with the same power and reach inside the underlying operating system's guts, as other more powerful languages like C++, Delphi, Java, ActionScript, and C#.
If the name hasn't tipped you off yet, NW.js uses a stripped down version of WebKit, the same layout engine used in Chrome, Safari, and Opera, but without many of its limitations. While browsers limit what JavaScript code can do, NW.js removes these limits and allows JS developers to interact with the OS itself.
NW.js can run on all three major operating systems, meaning that ransomware coded to work on top of it would theoretically be able to target all operating systems at once.
(Excerpt) Read more at news.softpedia.com ...
bookmark
Modern websites, like FR, don’t need no steekin’ Yava Script....
It's not necessary to turn off Javascript in your browser.
This "attack" is nothing more than running a desktop type app on your computer. It doesn't involve the browser at all.
So, DON'T PANIC! :-)
Also, don't execute (click on) any email attachments. That's how this is distributed, not via website.
(BTW, even though this is billed as "cross platform", any individual instance of it will be for a specific platform like Windows or Mac. That's because there's a bundled runtime that uses native code.)
Sorry, should have pinged everyone on this thread the first time.
See my previous message for the real scoop on this malware.
Thanks to Utilizer for the ping!!
Ransomware typically doesn't need admin authority. It works by encrypting your working files, and then they offer to sell you the key to get them decrypted. Since it's running under your credentials, it can encrypt any file you have write access to.
I am not certain of that at this point. If it can use Javascript, there is no reason it cannot exist as a script on a webpage as it also links through Webkit. Until I see positive proof this new version of ransomware is not capable of coming through that means, I'd rather be safe than sorry. It's a small sacrifice for a short time to assure safety.
(BTW, even though this is billed as "cross platform", any individual instance of it will be for a specific platform like Windows or Mac. That's because there's a bundled runtime that uses native code.)
As the article says, although right now it is only written for Windows PCs, it is a short step to build a version that carries code for all platforms, Precious Liberty, so that is not quite true.
For anyone who is really paranoid about losing their data or having passwords stolen, I would recommend:
1) Set up two computers.
2) The first computer is isolated and never connected to a network or the Internet. Keep your data and applications there. That machine can safely use whatever OS you prefer.
3) The second computer is intended for browsing and other internet activities (such as web mail). It has no hard drive (but lots of RAM) and is booted up from a Linux boot disk. There is nothing that malware can corrupt. Every time you turn this computer off, all cached files, browsing history, session passwords, and any malware goes “poof”.
I am certain. Read the following carefully:
NW.js, formerly known as Node-WebKit, is a powerful platform that allows developers to create desktop applications via Node.js modules. The platform lets programmers use JavaScript in the same way, and with the same power and reach inside the underlying operating system's guts, as other more powerful languages like C++, Delphi, Java, ActionScript, and C#.

NW.js is distinct from the WebKit embedded in browsers. The browser version is sandboxed, preventing it from accessing local resources in the fashion a desktop app would, like accessing local disk files. If the JavaScript sandbox for any major browser were broken, there would be a major security alert across the industry - which this is not.
"As the article says, although right now it is only written for Windows PCs, it is a short step to build a version that carries code for all platforms, Precious Liberty, so that is not quite true."
The article says:
but we may be one update cycle away from seeing the first truly cross-OS ransomware family.

A "cross-OS ransomware family" is different from a single program that runs on the various OS. It potentially wouldn't be that hard to target particular OS users with a particular attack email anyhow.
If you want to read about the involved (and very different for each target OS) packaging process, I refer you to:
https://github.com/nwjs/nw.js/wiki/how-to-package-and-distribute-your-apps
Sigh...once again forgot to include “All”. Please read my last post for more information on this malware.
Set up a virtual machine and use it to browse and do email.
“Set up a virtual machine and use it to browse and do email.”
That would probably be sufficient, but I would always have a nagging doubt whether a virtual machine would be immune to any exploit. I have more faith in the air gap between physical machines!
It would get exploited but would be segregated from all other data. You just delete the virtual drive and rebuild.
Thanks for that information, PreciousLiberty.
Malware operators place a malicious file inside emails masquerading as unpaid invoices, delivery notifications, and such, which when downloaded and launched by unsuspecting victims go on to contact a C&C (command and control) server, where the malware operator tells it to download a particular type of malware (Ransom32 in this case).

To get infected, you have to open an attachment in a spam email, which you should never do in the first place. When you do, and the malicious code runs, it downloads a certain JavaScript runtime and executes malicious code that uses it. The JavaScript in your browser has nothing to do with any of this.
bttt
Nice snarky response... except that one of the dangers of a js exploit is that it won’t necessarily be picked up by antivirus software...