[HN Gopher] First Node.js-Based Ransomware: Nodera
___________________________________________________________________
First Node.js-Based Ransomware: Nodera
Author : el_duderino
Score : 43 points
Date : 2020-01-22 17:27 UTC (5 hours ago)
(HTM) web link (blogs.quickheal.com)
(TXT) w3m dump (blogs.quickheal.com)
| asdfasgasdgasdg wrote:
| One of these modules' owners should update their modules to check
| if they are running as part of the ransomware, and kill the
| program if so. That would certainly be an interesting turn of
| events.
| jlv2 wrote:
| "The sample received in our lab was vbs script which has multiple
| embedded js scripts. On execution, it creates a directory
| "GFp0JAk" at location "%userprofile%\AppData\Local\"."
|
| Why is this even possible?
| carlmr wrote:
| Can't everybody write to their own user's AppData folder?
| penagwin wrote:
| If applications can't write to the Application Data folder then
| what's the point of an application data folder?
|
| > Why is this even possible?
|
| Well they said "on execution" so that's what made it possible.
| Now if it could install to that location without being
| explicitly executed (say on download or via a browser bug) then
| THAT would be a much bigger deal.
| duxup wrote:
| So as I read it this is ransomware that was built using nodejs...
| not a compromised npm package or anything like that. Is that
| right?
| grammarxcore wrote:
| That's what I took away from the article as well. It's
| installed via a VBScript file.
|
| Edit: I'm also not able to find any other record of it (yet).
| Everything links to the OP link or analysis on the OP link.
| fludlight wrote:
| Most languages, distros, large applications, etc have their own
| packaging system. Some are more laissez-faire than others.
|
| Does someone know a good article from the POV of the maintainer
| of a packaging system ecosystem that describes the tradeoffs made
| by different approaches over the past ~30 years?
| asdfasgasdgasdg wrote:
| To be clear, as far as I can tell, the ransomware is built
| _using_ nodejs. It is not a ransomware that 's installed via a
| compromised package. Although if you happen to be a bad guy, it
| seems like building a quality bitcoin-related package, waiting
| until you have a big installed base, and then owning all your
| users, might be an effective way to set yourself up for life.
| carlmr wrote:
| I thought Bitcoin can't effectively be mined on CPUs anymore,
| only some AltCoins that are too difficult to compute with
| ASICs
| asdfasgasdgasdg wrote:
| I'm not talking about a miner. I'm talking about a wallet
| or some utility module. You'd wait until you have a big
| installed base then change your module to silently steal
| coinbase credentials. Wait a few weeks until you have
| enough of them and then own all the accounts at once.
| Something like that. The Bitcoin aspect of the module is
| just to target effectively.
| Wowfunhappy wrote:
| Well, yes, but "effective" is context-dependent.
|
| If you have a million computers mining for you, and you're
| not paying their electricity, it doesn't really matter how
| individually efficient they are.
| hiccuphippo wrote:
| There was a few articles about go's search for a new package
| system from 2018.
|
| Edit: See https://blog.golang.org/versioning-proposal and
| related articles at the bottom.
| robertkrahn01 wrote:
| Site is currently down;
| https://web.archive.org/web/20200122181519/https://blogs.qui...
|
| The article mentions the ransom message with the date March 1
| 2018. This probably means this malware is two years old?
| grammarxcore wrote:
| > This ransomware seems to be in development phase and has some
| flaws as mentioned below:
|
| > ...
|
| > Hard code destruction time of Private Key "March 1 2018".
|
| Quite possibly. I'm not sure what that language means and they
| don't provide more analysis of the HTML page that comes from.
| If it's in development maybe some dude has been sitting on this
| idea for a few years and their virus scanner just picked it up
| recently.
| ecmascript wrote:
| Ironically, the archive link you provided also doesn't load for
| me.
| msla wrote:
| If it's just a blank screen, it's a longstanding issue nobody
| seems to acknowledge:
|
| https://news.ycombinator.com/item?id=21765389
|
| > There's a problem with the Wayback Machine in specific
| which can kill your ability to access it quite silently,
| unless you know how to use the browser's development tools
| and interpret headers.
|
| > It has to do with cookies: Somehow, the Wayback Machine
| sets cookies... and sets cookies... and keeps setting
| cookies, until it overflows its own ability to _accept_
| cookies. At that point, your browser tries to access a
| Wayback Machine page, handing the server all of the cookies
| it currently has, and the server refuses to deal. It
| absolutely denies everything, sending an error header and a
| blank page. You have to clear all web.archive.org cookies to
| get anything at all, at which point it works perfectly.
|
| > I've completely solved this problem by blacklisting
| web.archive.org in browser cookie blacklists. I haven't had
| it happen since then. As far as I'm concerned, the problem is
| diagnosed and just needs to be solved. At _their_ end.
| [deleted]
___________________________________________________________________
(page generated 2020-01-22 23:01 UTC)