back to article Don't touch that mail! London uni fears '0-day' used to cram network with ransomware

University College London is tonight tackling a serious ransomware outbreak that has scrambled academics' files. It is feared the software nasty may be exploiting a zero-day vulnerability, or is a previously unseen strain of malware as antivirus defenses did not spot it in time, we're told. Eggheads at the UK uni are urged to …

Silver badge
Facepalm

Oh dear...

...I had expected better from my alma mater.

1
0
Silver badge
Unhappy

Re: Oh dear...

But thinking back to when I was there (87-90), all the academic work was done on various UNIX boxes, and the only PC's were a couple of horrible Olivettis kept up in the attic to transfer files for personal use. These were so ridden with viruses, that you had to bring your own DOS floppy with you.

Remembering even more, the UNIX boxes for undergraduate use were so over subscribed as to be unusable (mainly Sun 3/50's with no local discs), so I ended up porting my 3rd year project to RISC OS to get it finished and then porting it back to UNIX. They also expected the dissertation to be written with nroff, but my pre-release copy of Impression desktop publishing software was a lot easier, and produced a lot better results when it came out of their postscript printers.

3
1
Silver badge

Re: Oh dear...

They also expected the dissertation to be written with nroff, but my pre-release copy of Impression desktop publishing software was a lot easier, and produced a lot better results when it came out of their postscript printers.

Really? I would've expected LaTeX.

2
0
TRT
Silver badge

Ah.

Well it can happen all so easily. The servers should have anti-encryption defences... Test files in every folder that are monitored etc etc.

I worked there for many years, and I know university research systems well at many places. They have no defences at all once something is in.

2
1
Anonymous Coward

Re: Ah.

I know university research systems well at many places. They have no defences at all once something is in.

Yup. AFAIK, most of them are still based on the "hard shell, soft centre" principle, and with email and messaging every terminal is now a potential gateway for Internet malware.

I'll give them a ring later and see if they can do with some help (and, more importantly, if they want help because outsiders trying to tell you your job can be irritating, however well intended)

3
2
Bronze badge

"The AV didn't catch it so it must be a 0day!"... Very funny!

Duh, obviously malware authors check their stuff against all relevant AVs before sending out a spam campaign or serving up drive-by-downloads. And if there are any detections, they make sure they go away before proceeding - I'd expect that there are very well established procedures for this.

9
1
Anonymous Coward

The college dont seem to know the difference between the terms "zero day exploit" and "malware"

Either that or I dont.

A 0day , as i understand it it a vulnerability that has only just been discovered - a security hole.

That is totally different from the payload delivered.

And "Hey click on this email - its fun" is not a 0day exploit , its probably the oldest exploit of them all.

2
0
Anonymous Coward

Has anyone got detail of subject line etc. so we can check for it?

2
0
Anonymous Coward

It's an email with a URL download link to a malware java script (DONT EXECUTE IT obviously):

https://streamlinedmigration-my.sharepoint.com/personal/claire_streamlinedmigration_com_au/_layouts/15/guestaccess.aspx?docid=0229331213d7849729357bef5dc9f9a4a&authkey=AeX0SseHqafVbHh8Ocob5as

I have uploaded it to Kaspersky, Microsoft and Sophos.

Title of email in my case was "Copy of K9b Form assessed by : James Eley-Gaunt"

With blurb telling me in an email to click on the link.

9
0

I got one with the same subject line but the link to the javascript is different. I'm not at a university, just a small business so this looks like it's broadcast rather than targeted.

Mind you, I would have thought that "Copy of K9b Form assessed by : James Eley-Gaunt" would pretty much flag this as suspicious in most intelligent people's minds. Eggheads my arse.

5
0

I got this one several times yesterday (several different email accounts) and I've had a lot of similar ones over the last month or so, all from (apparently) compromised Australian Sharepoint Online accounts....

I didn't click on it, obviously, because I'm not a total fucking retard. All the ones I received yesterday had the same name, James Eley-Gaunt. Did all these 'eggheads' think that sounded like someone they knew?

2
0
Silver badge

"Mind you, I would have thought that "Copy of K9b Form assessed by : James Eley-Gaunt" would pretty much flag this as suspicious in most intelligent people's minds. Eggheads my arse."

To be fair, there doesn't appear to be any suggestion that it was actually anything to do with any "eggheads". Indeed, they specifically mention "students and staff", which means this could have been caused by literally any person on campus with an email account, including drunken teenagers and the janitorial staff. That said, the stereotype of the eccentric professor exists with good reason; just because someone is intelligent in some respects doesn't mean they're not a complete idiot in other ways. Given that many academic staff can be quite elderly and in non-technical disciplines, there's no reason to expect them to be any more competent with computers than the general population - if you struggle to explain these kinds of issues to your grandmother, why expect a 70 year old lecturer on Abyssinian pottery to be any different?

0
1
Bronze badge

Still not detected by all relevant AVs... 13/54 at VirusTotal: https://www.virustotal.com/en/file/45cc669418d18143368870539a9efc348e0b0f380b8d2d6109fd24c309f10ec4/analysis/1497531940/

0
0
Silver badge

" if you struggle to explain these kinds of issues to your grandmother, why expect a 70 year old lecturer on Abyssinian pottery to be any different?"

Usual ageism - apart from the fact that a lecturer would be unlikely to have reached 70 before being retired.

http://www.bbc.co.uk/news/business-40286280 should give you food for thought: the biggest rise in victims was in the under 21s.

1
2

I tried to report it to abuse@sharepoint.com - but it was (eventually) returned undelivered.

0
0
Silver badge

"I tried to report it to abuse@sharepoint.com"

These days only reports on social meeja work. You can't expect millennials to use something as last century as email.

2
0
Silver badge
Linux

Academic malware strain

The only solution is to ban that socialist Linux software and only allow the use of the industry standard Microsoft Windows.

7
10
Silver badge

Re: Academic malware strain

No it's these people creating their own content. You should only use computers to view paid for content - and keep paying for the same content over and over.

Creating your own content for free is commie-terrorism

11
0
Anonymous Coward

Re: Academic malware strain

The only solution is to ban that socialist Linux software and only allow the use of the industry standard Microsoft Windows.

Substandard trolling. Too obvious and no capital letters, spelling mistakes or swear words. Worse, it's not even funny.

That's a downvote from me.

19
3
Anonymous Coward

Re: Academic malware strain

UCL have released an update to staff and students, it includes:

"no reports of the malware impacting Mac or Linux machines"

7
2
Silver badge
Facepalm

Re: Academic malware strain

> Substandard trolling. Too obvious and no capital letters, spelling mistakes or swear words. Worse, it's not even funny. That's a downvote from me.

It's called satire, drawing attention to the lack of mention of the relevant operating system.

1
0
TRT
Silver badge

Re: "no reports of the malware impacting Mac or Linux machines"

Excepting where research groups used shared folders and one group member had a Windows machine.

0
0
Silver badge
Windows

URL link to malware java script

For those of you on Windows, this is a partial listing of the javascript:

<script type="text/javascript">// <![CDATA[

var g_SPOffSwitches={"350DFCB0-8735-4C62-A504-B3F751C54F40":1,"16F97A90-2979-4779-B2C1-178AF354D811":1,"61F90157-BA7A-4386-9442-CB7513E105EA":1,"B27BAAAF-A1DC-4B11-91D4-EBF072E685D7":1,"D273A190-A2AD-4F20-AB86-EFDF33FBB0C2":1,"8ACA3A4B-B9CD-41C4-AEAD-0952D43D7A24":1,"A8D1C7D3-4BA4-437B-A379-58BD8E3C5C69":1,"CC732967-7700-4EDC-B0FF-000465F8A2D9":1,"F6339084-35C6-43C7-B4DE-2E8AE9051702":1,"33EAE85C-F23E-409A-913A-6C2DB6CB8817":1,"80D62D4D-E941-47D4-BABE-E43AA1701554":1,"3CD6C7C7-8BCF-4634-ADCC-E0EE021A9094":1,"9E182783-C0E0-42F8-9A1B-F5BBB6C3EEA6":1,"639A3330-B627-4EEF-8E44-2609DAA054BA":1,"D41CA9C0-307F-4AB5-9E57-F9615C3B06B2":1,"83D1A9C3-BA00-43EA-8ACB-7BA8A6E9F692":1,"C0A36CB6-0CC9-4A23-ACFD-34EC71A61B8B":1,"34198365-010E-4169-B902-3456E04CAC98":1,"219F4128-A6AB-409D-B265-4E506ABAF44B":1,"2E379257-AD77-45EB-98D6-784AADC1B616":1,"BFAF40B7-C716-4EA9-9B0E-3D829CBF6847":1,"A28D5B9D-7748-4967-9681-4CAB6D0CA11A":1,"7BE8DA39-C2E2-4709-819D-35B4AA3A1148":1,"82E2BE28-D346-4CAA-B095-42BA038A00A8":1,"A7EC3D5D-8B87-43A9-BEDC-EC276053CE91":1,"C592B7D2-C328-4CA0-B4DE-6AB373AFD514":1,"AFBC03CF-E4B3-4CC1-9CAE-E0AFDDE398E1":1,"DA96E8BA-1B98-4482-B26B-37D4C03A8E48":1,"D08588A0-8DDC-44CC-B2AE-157C4BA52D3F":1,"03CE89AC-9BE8-41E4-9670-3AE8BAAF0A66":1,"8E66E602-670D-4A96-B460-3F414D01C0FE":1,"D5055E85-C5EA-442F-AFE1-A8B40E755F79":1,"DEAE93A3-913F-4609-A15D-EE758397C5E5":1,"B3DA56E3-91BA-486D-ACD7-9D4DB4F8FF3A":1,"8BAE39E9-236F-41AA-B049-05B2362A2ED3":1,"687A7B5B-456E-45F1-919F-D9E97E33DB4A":1,"FCE5A8EB-364B-4F12-AB0C-106ABCEEB63F":1,"0B8DBCEA-DE3D-462F-9959-1807C1D7613C":1,"97BB8786-5899-4D25-9237-30B1AD7BE0FF":1,"BA949553-5957-433B-97CA-7FFD11B2F1C9":1,"4755A573-FEFC-41BC-B32C-ACE4AE422870":1,"1355480B-0B98-493A-B431-B3B80594B385":1,"88BCAC35-24B3-4BCD-91FE-7BFC47A05767":1,"6FDF5600-CA5D-4006-A36B-DC0FFF24A706":1,"30C37442-4B09-4D63-B42C-7F4AFEC7D321":1,"13F52080-0D7E-4AF4-B3ED-061EAFE6DF52":1,"4D814B83-7ED7-4464-98A1-4C7A8738031D":1,"AFD83DC4-CDE4-4E17-A990-453828FA7765":1};

// ]]>

</script>

0
0
Silver badge
Paris Hilton

Re: java script

re D9E97E33DB4A":1,"FCE5A8EB-364B-4F12-AB0C-

wtf is that?

0
0
Anonymous Coward

Link is now blocked - hopefully some nice person at Microsoft got that SharePoint online killed...

1
0
Silver badge

Bah. Goat, chicken and sheep farming in the boondocks are getting more and more attractiver.

10
0
Anonymous Coward

When I was at Uni

It was "don't inhale"

Now it's "don't click"

Kids today eh..

5
0
Silver badge

Fundamental problem in vulnerable OS protected by AV

If AV is your primary defense against this type of attach, then you've got a problem.

There will always be a lead time between the appearance of this type of attack, and AV systems identifying and blocking it and becoming effective when it is deployed. This will be unlikely to be less than 24 hours, and probably much longer as organizations rarely provide daily AV updates.

It really surprises me that we have not seen more sophisticated malware, with constantly changing content and delivery vectors. I know that AV systems are trying to become heuristic to avoid that type of threat, so they make an attempt to programmatically identify suspicious traffic, but this can lead to false positives.

OS and application writers (of any flavor) should make sure that easily exploited vulnerabilities (like allowing mail attachments to be able to execute code) are either not present (preferably) or patched very quickly, and administrators should make sure that access to data is controlled and segregated to limit the scope of any encryption attack (at this point, running your MUA in a sandbox looks good!).

Whenever I see "Avoid messages with a subject line of..." then it is clear that the malware writers just aren't really trying very hard. Fortunately. Maybe they don't have to because the attack surface is so large.

7
0
Anonymous Coward

Re: Fundamental problem in vulnerable OS protected by AV

yep. Hence why we've just purchased SOPHOS InterceptX

1
1
Silver badge

Re: Fundamental problem in vulnerable OS protected by AV

Just checking, but isn't this a browser executing code via a URL embedded in an email?

So mail client not to blame, nor OS?

0
0
Silver badge

Re: Fundamental problem in vulnerable OS protected by AV

@Peter

You're not offering any solutions there , just restating the eternal battle lines.

Mail attachments cannot execute code - it takes a person to get the file out of the email and run it.

Administrators *do* make sure access to data is limited.

3
0
Silver badge

Re: Fundamental problem in vulnerable OS protected by AV @Ptsr.V Jeltz

Unfortunately, many of the organizations I've worked at recently have nearly wide-open file-shares, such that my account would have been able to damage a significant proportion of the data.

As a long-term UNIX admin, I'm used to have files locked down by individual user ID, with group permissions to allow individuals to access those extra files they need, at the appropriate access level. With some skill, it is possible to devise a model where by default you have minimal access, and you acquire additional access as and when you need it, with additional access checks along the way (think RBAC with you having to add roles to your account as you need them).

The windows permissions model is much more flexible than UNIX, so not using it properly to protect information is almost criminal. Too many organizations (but not all, I admit) do not use it to it's fullest capabilities.

There have been several vulnerabilities published where just displaying an HTML mail can execute code. In addition, launching an application to handle an attachment is merely one click in many mail systems, especially when the actual attachment type can be obscured. Thus, building a sandbox for the mail system and applications that handle attachments (what I was aiming at) is do-able, History indicates that vulnerabilities like this have happened in the past, and I do not have confidence that there are not more to find. Ease of use always seems to have triumphed over security in much software.

The recent attacks appear to hinge around being able to launch client-side code without sufficient control, in an environment where the users credentials are sufficient to do significant harm. The results appear to suggest that sufficient care had not been taken to segregate data access, contrary to your assertion that administrators do, If they had, the results would not have been nearly as bad as reported.

IMHO, security should be paramount in this day and age, and usability should always be secondary.

2
2
Silver badge

Re: Fundamental problem in vulnerable OS protected by AV @Prst. V. Jeltz

Here is a on-the-back-of-a-napkin solution for you.

Each user can only access their own files, which are stored in a small number of well defined locations (like a proper home directory).

Store the OS as completely inviolate to write access by 'normal' users. Train your System Administrators to run with the least privileges they need to perform a particular piece of work.

Any shared data will be stored in additional locations, which can only be accessed when you've gained additional credentials to access just the data that is needed. Make this access read-only by default, and make write permission an additional credential. This should affect OS maintenance operations as well (admins need to gain additional credentials to alter the OS).

Force users to drop credentials when they've finished a particular piece of work.

If possible, make the files sit in a versioned filesystem, where writing a file does not overwrite the previous version.

Make sure that you have a backup system separate from normal access. Copying files to another place on the generally accessible filetree is not a backup. Make it a generational backup, keeping multiple versions over a significant time. Allow users access to recover data from the backups themselves, without compromising the backup system.

Make you MUA dumb. I mean, really dumb. Processing attachments should be under user control, not allowing the system to choose the application. The interface allowing attachments to run should be secured to attempt to control what is run. Mail can be used to disseminate information, but by default it should be text only, possibly with some safe method of displaying images.

Run your browser (and anything processing HTML or other web-related code) and your MUA in a sand-box. There needs to be some work done here to allow downloaded information to be safely exported from the sandbox. Put boundary protection between the sand-box and the rest of the users own environment.

Applications should be written such that all the files needed for the application to function, including libraries should be encapsulated in a single location, and protected from ordinary users. The applications should be stored centrally, not deployed to individual workstations and run across the network with credentials used to control the ability to run the applications. The default location that users will save data to in all applications should be unique to the user (not a shared directory), although storage to another location should be allowed, provided that the access requirements are met.

Use of applications should be controlled by the additional credential system described for file access.

Distributed systems should not allow storage of local files except where temporary files are needed for performance reasons, or they are running detached from the main environment. These systems should be largely identical, and controlled by single-image deployment, possibly loaded at each start-up. This allows rapid deployment of new system images. The image should be completely immune to any change by normal users, and revert back to the saved image on reboot.

For systems running detached (remote) from the main environment, allow a local OS image to be installed. Implement a local read-only cache of the application directories which can be primed or sync'd when they are attached to home. Store any new files in a write-cache, and make it so these files will be sync'd with the proper locations when they are attached to home. Make the sync process run the files through a boundary protection system to check files as they are imported.

OK, that's a 10 minute design. Implementing it using Windows would be problematic, because of all of the historical crap that windows has allowed. A Unix-like OS with Kerberos credential system would be much easier to implement this model in (I've seen the bare-bones of this type of deployment using Unix-like systems already, using technologies such as diskless network boot and AFS).

Not having shared libraries would impact system maintenance a bit, because each application would be responsible for patching code that is currently shared, but because the application location is shared, each patching operation only needs to be done once, not for all workstations. OS image load at start-up means that you can deploy an image almost immediately once you're satisfied that it's correct.

Users would complain like buggery, because the environment would be awkward to use, but make it consistent and train them, and they would accept it.

BTW. How's the poetry going?

2
2
Bronze badge

Re: Fundamental problem in vulnerable OS protected by AV

There are lots and lots of constantly changing malware. Down to new variants generated every couple of minutes.

As to heuristics, it's basically as useless as signature scanning when applied at the AV/file scanning level. The same principle applies - malware author tests his code against AVs, if it's detected then follow various procedures until it's no longer detected. At most you can hope to increase the time taken to get rid of detections by making them less deterministic during testing.

0
0
Bronze badge
Facepalm

Re: windows permissions model is much more flexible than UNIX

setfacl/getfacl -- obviously you never heard about them? grsec/gradm, no? apparmor/selinux, still no trace of recognizing anything?

0
1
Silver badge

Re: windows permissions model is much more flexible than UNIX

Unix != linux, just in case you can't read. Plus, there is no one ACL system that spans all UNIX-like OSs.

What I wrote is totally true. You've just responded to a different statement, one that I did not say, The original UNIX permission model is weaker than current Windows without any question,

Even on Linux, ACL support largely depends on the underlying filesystem, and both apparmour and SELinux can be, and often are, disabled.

Oh, and because I am a long-term AIX system admin, I've actually been aware of filesystem ACLs since before Linux went mainstream (JFS implemented them on AIX 3.1 which was released in 1990), and RBAC since AIX 5.1 (sometime in 1999 or 2000). I've also used AFS and DCE/DFS, both of which has ACL support and used Kerberos to manage credentials since about 1993,

At the risk of being confrontational, when did you start using computers?

0
0
Silver badge

Re: Fundamental problem in vulnerable OS protected by AV

Yes, it's a download link to a zip file that contains an executable Java Script file.

0
0
Silver badge

Re: windows permissions model is much more flexible than UNIX

" grsec/gradm, no? apparmor/selinux, still no trace of recognizing anything?"

Still nothing close to what Windwos can do with features like Discretionary Access Control

0
1
Silver badge
Meh

Wouldn't have happened in my day

My first uni (Warwick 98), in order to get access to your email, first you rebooted the Windows PC in the lab to a DOS terminal emulator, which then allowed you to log in to one of the servers and run pine.

This wasn't just CompSci students - everyone had to get email like this. Very weird seeing all these 'regular' people tapping away in consoles, and suddenly being slightly in demand as the guy who can get your email back working again by typing "pine" in the shell after they quit accidentally.

If only people today would reward me for fixing IT issues with alcohol and vague promises of sexual encounters. Actually, considering the people I work with now, I'd be OK with just the alcohol.

11
0

Re: Wouldn't have happened in my day

Pfft. Youngster. When I was a Warwick student (94 graduate), there was a single room of Windows PCs in the basement of CSV. Unless you had access to the small number of Sun workstations, you read your email the same way as almost everyone else: on a VT220 (or on an ADM3e if you were in DCS).

1
0
Silver badge

Re: Wouldn't have happened in my day

At university and in my first job (also at a uni) is was normal for "normal" undergraduates and staff to log in via telnet* and use Pine. I suspect that if you showed them a terminal now they'd refuse to use it as it's "too hard".

*Showing my age here, wasn't it nice to not have to care about security as much

0
0
Bronze badge
Pint

Re: log in to one of the servers and run pine

it's called alpine nowadays. Still works though. mutt also does.

0
0
Silver badge

Re: Wouldn't have happened in my day

Pine? Piffle!

mailx or if that was not available or not a UNIX system, mail. Or maybe *MAIL on MTS.

Youngsters!

0
0

I'm not shocked!

I spent far too many years of my life working the email at London's top engineering and science uni... One of the biggest problems was that we could put all the security we wanted, but academic's are the very definition of special snowflakes. We could not dictate to them which clients they used (we had fellows who refused to upgrade from pine to alpine and this was 4 or 5 years after the final release of pine....) We also had the ridiculous situation where every system had to have a corresponding MX record because academics liked to run to their own mail servers (which we had 0% control over)

I'm more shocked that this hasn't happened more frequently.

5
0
Anonymous Coward

Re: I'm not shocked!

With systems that old maybe the malware was aiming too high?

0
0
Anonymous Coward

Re: I'm not shocked!

You'll be happy to know that department mail servers have been mainly shut down and all UCL email now goes through outlook.com. Which is fun on the days when it doesn't work. Why it should matter what client someone uses (universities being large organisations with users with quite a variety of needs) so long as it can talk IMAP/SMTP is less clear.

2
0

Re: I'm not shocked!

Client mattered when it came to integrating other services and maintaining support. Which led to headaches in other projects (hello archiving and stubbing of mails..) Not to mention the people complaining when Eudora wasn't formatting mails correctly or kept crashing, like it was my problem they were still using a buggy client 2 years after support and development stopped (answer to which was, "they are academics, of course it was my problem!") Not to mention the inconsistent handling of attachments, especially the way that macmail dealt with inline attachments at the time...) I'm just glad I no longer have to touch clients with a bargepole :)

1
1
Silver badge

Re: I'm not shocked!

"I'm just glad I no longer have to touch clients with a bargepole"

Email or human?

0
0
Silver badge

Re: I'm not shocked!

"We could not dictate to them which clients they used (we had fellows who refused to upgrade from pine to alpine and this was 4 or 5 years after the final release of pine....) We also had the ridiculous situation where every system had to have a corresponding MX record because academics liked to run to their own mail servers (which we had 0% control over)"

I wonder who develops some of the clients and servers. It could even have been some of your users.

1
0
Silver badge

Re: I'm not shocked!

"Client mattered when it came to integrating other services and maintaining support."

Possibly in more ways than you realise.

One of my clients (that's client as in customer) had a system where files were emailed for processing and I had a specific client configured to feed into the remainder of the processing pipeline. You could have had a similar situation where one of your users was receiving files from a remote telescope or particle physics experiment. Universities are apt to use computing to much more varied ends than a commercial business.

It could also, of course, have been the case that your users didn't trust you. I'm sure anyone on KCL who didn't trust their computer services to store data felt vindicated.

1
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017