Posted by Austin Morris on 2017-06-16 11:21 UTC

Another day, another ransomware attack. This time not WannaCry and not spread through publicly exposed file-sharing ports. Just a web page, possibly with a click-away popup that executed the malicious code on the user's machine, or possibly just a link to that page in an email. The situation is not completely clear at the time of writing.

The victims are not just any users, either, but the great brains in University College London (UCL), which also happens to host one of the leading computer science faculties in the UK.

It was thought at first that around mid-day on Wednesday 14 June a number of people in UCL each opened an email and triggered the ransomware payload carried in an attachment. The infection spread from there and encrypted a number of local and network drives.

It now turns out that the infection was started by one or more users visiting a website that had been compromised; just visiting the site may have been enough, or visitors may have had to click on a link or dismiss a popup. The link to this website seems to have been distributed via email.

Fortunately the sysadmins seem to have been quick off the mark and shut down the system, thus preventing a catastrophic spread and enabling an orderly recovery (although some data will have been lost). Despite the apparent rapid response by UCL, the consequences of the attack were not trivial. They are still being tackled two days later.

We can only assume that UCL has top people running its system and that it has state-of-the-art virus detection that would be expected to block the execution of a malware package, whether from an email attachment or a browser. How did this happen, then?

Either because of simple incompetence – the antivirus system was not loaded with the latest definitions – or because the malware was as yet unknown to the antivirus system, in which case it will pass all checks. This phase of initial ignorance is the Achilles heel of all antivirus software. Only after the malware has spread to enough victims and has been identified by the producers as a threat, analysed and its 'signature' put on the blacklist used by the antivirus software are users finally protected – assuming, of course, that they have kept their antivirus software up to date.

The UCL report on the incident suggests the latter, of course, but goes on to talk darkly of a 'zero-day attack'. The very use by UCL of such nonsensical terminology points us back to incompetence as the reason for the failure.

A 'zero-day' exploit or vulnerability is a security weakness in a piece of software that has just been discovered but not yet fixed. From the moment of its discovery the clock is ticking for the authors of the software to issue a patch that removes the vulnerability. We might change the rather peculiar term 'zero-day vulnerability' into 'known but unpatched vulnerability', to make it completely clear.

What the incompetents at UCL really mean is '[t]he virus checkers did not show any suspicious activity', which has nothing really to do with zero-day attacks. The infection is just a malware mutant with a new signature that was invisible to their virus checkers. If this really were a 'zero-day attack', alarm bells should be ringing throughout the computer world.

Such muddled thinking means that our assumption that UCL has top people running its system seems to be wrong.

Lessons learned

Time to repeat the key lessons from our piece on WannaCry:

  1. Back up your data to offline storage frequently. That is your only serious form of protection.
  2. Don't rely on anti-virus software: it protects you against historical malware, not new attackers.
  3. Be suspicious of all emails and extremely suspicious if the email contains links (any links at all) and/or attachments.

Website-launched malware

If you surf on the wild side of the web you are at great risk from malicious websites. But even legitimate websites can be compromised without their owners' knowledge. You don't necessarily need to do anything specific to be infected.

If there is the slightest doubt, before you click on a link hover over it and check the real destination, usually shown in the browser's status bar. Surely every browser user knows by now that the text of the link displayed on the screen has no necessary relationship to the destination of the link.

Never click on a link that runs a JavaScript program. About 20 years ago web designers liked to show how smart they were by handling links and navigation with JavaScript code. A few idiots and some elderly websites still do this, though.
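The two checks just described (does the visible link text match the real destination, and does the link run JavaScript) as an added example that is not from the original post: a small Node.js script that classifies anchors from their visible text and href. The sample anchors and the base URL example.test are constructed for illustration.

```javascript
// Added example (not from the original post): compare what a user sees in a
// link with where its href really goes, and flag javascript: links.
// Runs under Node.js; the sample anchors below are constructed.

// Returns the host named in the visible link text, if the text looks like a URL or domain.
function hostFromText(text) {
  const m = text.trim().match(/^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[\/?#]|$)/i);
  return m ? m[1].toLowerCase() : null;
}

// Classify one anchor from its visible text and its href attribute.
// Returns "javascript", "unparseable", "text-host-mismatch" or "ok".
// A mismatch can only be detected when the text itself shows a domain;
// text such as "Click here" says nothing about the destination.
function classifyLink(text, href) {
  if (/^\s*javascript:/i.test(href)) return "javascript";
  let target;
  try {
    target = new URL(href, "https://example.test/"); // constructed base for relative hrefs
  } catch (e) {
    return "unparseable";
  }
  const shown = hostFromText(text);
  const real = target.hostname.toLowerCase();
  if (shown && shown !== real && !real.endsWith("." + shown)) {
    return "text-host-mismatch";
  }
  return "ok";
}

// Scan a list of {text, href} anchors and return the ones worth a second look.
function suspiciousLinks(anchors) {
  return anchors
    .map(a => ({ ...a, verdict: classifyLink(a.text, a.href) }))
    .filter(a => a.verdict !== "ok");
}

// Constructed sample anchors, modelled on the kinds of links the post warns about.
const SAMPLE_ANCHORS = [
  { text: "https://www.ucl.ac.uk/isd", href: "https://www.ucl.ac.uk/isd" },
  { text: "www.ucl.ac.uk", href: "http://login.example.net/ucl" },
  { text: "Click here", href: "javascript:void(0)" },
  { text: "Unsubscribe", href: "/unsubscribe?id=1" },
];

console.log(JSON.stringify(suspiciousLinks(SAMPLE_ANCHORS), null, 2));
```

In a real page the same check applies to each anchor's visible text and its href attribute, which is exactly what hovering over the link and reading the status bar does by hand.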

There is a current plague of displaying popups that nag users to subscribe to emails, sign up as a registered user or buy t-shirts or coffee mugs, particularly on US websites. This practice is not just annoying but foolishly dangerous.

Except for the most credible popups, never assume that the cancel button or even the X at the top right will do what they are supposed to. Some wicked sites even display the popup as a modal window, which means that nothing more can be done in the browser until you have clicked the response. The only escape is to open Task Manager by right-clicking on the taskbar then terminating the browser completely. Task Manager is your friend.

An up-to-date antivirus program may save you, but don't bank on it. The only reliable solutions are the three listed above.
