Eat my reports! Bart ransomware slips into PCs via .zip'd JavaScript

The cybercrooks behind ransomware Dridex and Locky have started distributing a new file-scrambling software nasty dubbed Bart. Bart has a payment screen just like Locky's, and encrypts documents without first connecting to a remote command-and-control server to receive its orders. Bart may therefore be able to encipher Windows …

  1. Baldy50

    UMMMM!

    Java needs to be executed!

    Not by rope, guillotine, cyanide or lethal injection, but bludgeoning to death by all it has compromised.

    1. gollux

      Re: UMMMM!

      Excepting that this is Javascript which is executed by web browsers and the Windows Script Host...

      Sun/Oracle Java doesn't need to be installed on the system for this to operate, it's not Java Byte Code.

      Honk if you love Jesus and understand the difference between Java and JavaScript!

      1. Haku

        Re: UMMMM!

        JavaScript is what Java reads when it's being religious.

      2. james.aka.damingo

        Re: UMMMM!

        Honk

    2. Baldy50

      Re: UMMMM!

      OK! Scribbled before engaging brain again.

      I have nothing against Indonesia at all and the coffee is fantastic.

      I have a lovely hand crafted chocolate fire guard in my living room too.

      1. Danny 14

        Re: UMMMM!

        Just disassociate .js problem solved.

  2. AustinTX

    It's Twenty Sixteen

    ...and opening a zip file still results in its contents being executed automatically?

    WTF

    1. Haku

      Re: It's Twenty Sixteen

      I can still remember nearly 20 years ago there was a joke going round about getting a virus from simply opening an email...

      Oh how we laughed.

    2. Anonymous Coward

      Re: It's Twenty Sixteen

      Yup, I just don't get why anything outside of C:\Windows and C:\Program Files (x86) etc. has the execute permission enabled by default. I had a quick gander (being mostly a Linux admin) and Windows does seem to support this... so I don't see why it's not being utilised.

      It would absolutely wreck the ransomware market if users had to extract files from the zip, right-click, properties > security > tick execute, then re-launch the file.

    3. Crazy Operations Guy

      Re: It's Twenty Sixteen

      In a lot of cases, it isn't a zip file being opened and then an executable inside it being run, but rather an executable that looks like a zip file.

      The problem is that the zip file specification was too clever by a half and added in the ability to fork to embedded code before / during file extraction. The intention was to allow things such as a proprietary decryption function to control access, implement a non-standard compression routine, extracting specific files based on external variables, grabbing data from another source, etc. Very few companies ever took advantage of it, but you'll still see it sometimes (which is preventing developers from removing support for it).

      Issues like this make me wish that Windows natively supported the tar/tgz file formats...

      1. Anonymous Coward

        Re: It's Twenty Sixteen

        "In a lot of cases, it isn't a zip file being opened and then an executable inside it being run, but rather an executable that looks like a zip file."

        Exactly my point. If the OS refuses to execute it because it doesn't have execute permission (regardless of whether it's a zip, exe), forcing the user to go in and give it execute permission in order to run it, problem solved. I'm pretty confident 90% of my users wouldn't know how to do this and would hope the remaining are smart enough to realise a zip, PDF or whatever shouldn't need execute permission.

        It would certainly be more secure than allowing anyone to execute anything they randomly save to their personal documents (which IMO should never allow executing anything from).

  3. Locky

    Locky is doing the BartMan

    One for the kids there

    1. Anonymous Coward

      Re: Locky is doing the BartMan

      Eat my shorts...

    2. Crazy Operations Guy

      Re: Locky is doing the BartMan

      Funny enough, the "Bartman" album was (and probably still is) the best selling rap album worldwide, due to world-wide appeal versus the regionalism with standard rappers.

  4. MotionCompensation

    Translations

    "It has translations of these instructions available in Italian, French, German, and Spanish"

    That's a big part of Europe, but why no English? I'm assuming these were all translated from Russian, Ukrainian or Belorussian.

    1. Anonymous Coward

      Re: Translations

      "That's a big part of Europe, but why no English?"

      Because with Brexit, English is no longer an official language of the EU

      (Too soon?)

      1. agurney

        Re: Translations

        "Because with Brexit, English is no longer an official language of the EU"

        I'll leave you to break the news to the Irish...

    2. Anonymous Coward

      Re: Translations

      "I'm assuming these were all translated from Russian, Ukrainian or Belorussian."

      Why would they put the instructions in a language they don't infect?

      Hint: The instructions ARE in English

      1. MotionCompensation

        Re: Translations

        The article doesn't say in what language the instructions are. I'm assuming the Russian programmers had them translated to French etc from Russian, because that's what they speak. Or from Ukrainian etc.

        But the writer of the article assumes that I will automatically assume English is the base language. It's not my first language, so why would I assume that?

  5. Neil Alexander

    Someone please tell me

    "contains malicious JavaScript code that, when opened, fetches the Bart executable via HTTPS and installs it."

    Why in fresh hell is JavaScript able to install or execute anything?!

    1. Danny 14

      Re: Someone please tell me

      Because MS thought it would be great to let .js be associated with WSH by default.
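The mitigation the two replies above point at (break the default .js to Windows Script Host association) as an added example, not code from the article or any commenter. It assumes a Windows host with cmd.exe's `assoc`/`ftype` available, and uses the per-user `HKCU:\Software\Classes` key (which takes precedence over the machine-wide association) to hand script extensions to Notepad instead.

```powershell
# Added example: audit which program Windows hands a double-clicked script file to,
# then redirect that association to Notepad so the Windows Script Host no longer
# runs it on double-click. Extension list below is an assumption; adjust to taste.
$scriptExts = '.js', '.jse', '.wsf', '.wsh', '.vbs', '.vbe'

function Get-ScriptHandler {
    param([string]$Ext)
    # assoc/ftype report the effective association as seen through HKCR,
    # which merges HKLM and HKCU with the per-user key winning.
    $progId  = (cmd /c "assoc $Ext" 2>$null) -replace '^[^=]*=', ''
    $command = if ($progId) { (cmd /c "ftype $progId" 2>$null) -replace '^[^=]*=', '' }
    [pscustomobject]@{ Extension = $Ext; ProgId = $progId; Command = $command }
}

function Set-OpenWithNotepad {
    param([string]$Ext)
    # Per-user override: point the extension at the built-in 'txtfile' ProgId.
    $key = "HKCU:\Software\Classes\$Ext"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name '(default)' -Value 'txtfile'
}

function Test-ScriptHostDetached {
    param([string]$Ext)
    # True when the effective handler no longer invokes wscript.exe or cscript.exe.
    $handler = Get-ScriptHandler $Ext
    -not ($handler.Command -match '(?i)\\(wscript|cscript)\.exe')
}

# 1. Report the current state (expect WScript.exe for .js on a default install).
$scriptExts | ForEach-Object { Get-ScriptHandler $_ } | Format-Table -AutoSize

# 2. Remediate and verify each extension.
foreach ($ext in $scriptExts) {
    Set-OpenWithNotepad $ext
    $ok = Test-ScriptHostDetached $ext
    "{0,-6} detached from WSH: {1}" -f $ext, $ok
}
```

This only changes what a double-click does; a script can still be run by invoking wscript.exe or cscript.exe explicitly, so pair it with a software restriction or AppLocker policy if you need that blocked too.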

  6. Rory B Bellows

    To quote Homer

    "Trusting every aspect of our lives to a giant computer was the smartest thing we ever did!"

    - Homer Simpson

  7. This post has been deleted by its author

  8. david 12 Silver badge

    Already marked by Windows as non-executable source?

    In spite of all the talk about auto-executing zip files, it looks like this spreads by people deliberately opening the zip, then deliberately running the js file. Actually, given the source, I suspect that it's a three step process already:

    Click to open the zip.

    Click to open the js

    Click to tell Windows to run it anyway.
