Ransomware scum build weapon from JavaScript

New ransomware written entirely in JavaScript has appeared, encrypting users' files for a US$250 (£172, A$336) ransom and installing a password-stealing application. Researchers @jameswt_mht and @benkow_ found the ransomware they dubbed RAA. Bleeping Computer malware man Lawrence Abrams described the ransomware noting it is …

  1. Anonymous Coward

    How exactly does this execute?

    Does it ship with a Javascript interpreter? Or is it compiled down to a .EXE? In either case, the fact it was written in Javascript is pretty irrelevant, it's the fact that the user clicked on a binary executable that matters.

    Otherwise: it sounds like it requires a Javascript environment which (a) executes outside a browser, and (b) has the ability to read and write files directly on the host filesystem. Surely most PCs don't have this by default?

    1. John Tserkezis

      Re: How exactly does this execute?

      Otherwise: it sounds like it requires a Javascript environment which

      Yes.

      (a) executes outside a browser,

      Yes.

      (b) has the ability to read and write files directly on the host filesystem.

      Yes.

      Surely most PCs don't have this by default?

      Aside from the JVM which is sometimes optional; otherwise, shockingly, yes.

      1. joeW

        Re: How exactly does this execute?

        What has the JVM got to do with Javascript?

      2. Destroy All Monsters Silver badge
        Holmes

        Re: How exactly does this execute?

        Aside from the JVM which is sometimes optional

        My dear fellow!

        It is 2106 and some people of the esteemed commentariat still are unsure about the difference between Java (or, more precisely, JVM bytecode) and JavaScript.

        Previously under the impression that the incontinent moaning of the employers complaining of the lack of any adequate skills in IT was down to not being able to keep the cake that would be eaten, I am starting to understand their viewpoint.

        I say!

        1. davidp231

          Re: How exactly does this execute?

          I'd be worried if we were still using Java in the 22nd century...

        2. Anonymous Coward

          Re: It is 2106

          Not sure if it was a typo -- I bet in 90 years some people will still be unsure about the differences...

    2. Anonymous Coward

      Re: How exactly does this execute?

      Nothing to do with a JVM. Windows helpfully comes with Windows Scripting Host, which provides an environment for JavaScript to execute in. Quite handy for creating batch files or other automation tasks, but why this is enabled by default in consumer versions of Windows is beyond me.

      1. Mike 125

        Re: How exactly does this execute?

        Create a .js file containing:

        // hello.js - runs under Windows Script Host (wscript.exe is the default .js handler)
        WScript.Echo("Hello world");
        WScript.Quit();

        and just click on it in Windows Explorer. The rest follows.

        'Windows Script Host' execution environment is enabled by default because it lets people 'do stuff'.

        1. Anonymous Coward

          Re: How exactly does this execute?

          > just click on it in Windows Explorer. The rest follows.

          Thank you.

          I did not imagine that Microsoft would be so stupid as to ship the equivalent of node.js preinstalled, *and* bind all .js files to auto-run, *and* not make use of the trust zones to block this.

          I stand corrected.

          1. Boris the Cockroach Silver badge
            Windows

            Re: How exactly does this execute?

            Yes it does

            I got infected with a virus because the script held the virus as a file where all bytes had been rotated 1 bit left,

            So the JS executed a rotate right 1 on all the virus bytes to make the virus back into an executable file, then used SVCHost to get the virus to run.

            Since then I've never used IE on a windows PC........

            And that was 2008 or so

          2. martinusher Silver badge

            Re: How exactly does this execute?

            >I did not imagine that Microsoft would be so stupid as to ship the equivalent of node.js preinstalled, *and* bind all .js files to auto-run, *and* not make use of the trust zones to block this.

            It's their MO. They can't help it, it's what they do. If their system designers had half a grain of common sense then most malware vendors would never have got off the ground.

      2. Notas Badoff
        Flame

        Re: How exactly does this execute?

        This kind of non-informative CRAP ARTICLE really pisses me off! The two linked articles don't say diddly either as to just how this Javascript code runs.

        Is this running via Windows Script Host using the association ".js=JSFile" ??

        Could one de-associate .js using "assoc .js=" from the command line to disable the threat?

        (Oh, gee, now I get message "Windows Script Host: There is no script engine for file extension ".js"" Done fixed perchance?)

        Is this too fucking hard for someone "in the know" to accidentally blab to the rest of us? Security researchers my ass - attention hungry security obfuscaters more like it. Wank it good fellas!

        1. Prst. V.Jeltz Silver badge
          Thumb Up

          Command line

          using "assoc .js="

          Fantastic Notas, I was unaware of this assoc command! Next time a user associates their spreadsheets with Adobe Reader I can just send a link saying click on this.bat!

          Cheers!

          I do appreciate the irony of postulating that solution on a story about idiots clicking on random email attachments :)

          1. MrKrotos

            Re: Command line

            "Fantastic Notas , I was unaware of this assoc command ! next time a user associates their spreadsheets with adobe reader I can just send a link saying click on this.bat!"

            Nope, unless your users have admin access (in which case you got bigger issues)!

          2. Geoff May

            Re: Command line

            There is another useful one you may want to know about:

            ftype jsfile

            Default returned value is:

            jsfile=C:\Windows\System32\WScript.exe "%1" %*

            So you can break the link either by removing the ASSOC or the FTYPE values. I tend to replace the default FTYPE and point it to NOTEPAD:

            ftype jsfile=%SystemRoot%\system32\NOTEPAD.EXE "%1"

            Then you can see what the evil thing is doing and decide if you want to let it run or not.

            1. Extra spicey vindaloo
              Thumb Up

              Re: Command line

              Nice, while I was at it I did this too

              ftype vbsfile=%SystemRoot%\System32\notepad.exe "%1"

        2. lawrence.abrams

          Re: How exactly does this execute?

          Agreed...should have added more info to my article at BleepingComputer. Sorry about that! I updated the article at BC to add more information on how it executes and how to prevent it from executing.
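The assoc/ftype approach in the subthread above edits HKLM\Software\Classes and therefore needs an elevated prompt, which is the objection MrKrotos raised. The following is an added example, not code from the thread or from the BleepingComputer article: it does the same re-pointing under HKCU\Software\Classes, which Windows merges on top of the machine hive, so it works per user without admin rights. It shadows the ProgID's open verb rather than the extension key alone, because Explorer's per-user "UserChoice" entries also resolve to a ProgID. The function names are my own, and the code assumes a stock install where .js, .jse, .vbs, .vbe, .wsf and .wsh map to the default JSFile/VBSFile/... ProgIDs.

```powershell
# Added example: per-user override of the Windows Script Host file types so a
# double-clicked .js/.vbs attachment opens in Notepad instead of executing.
# Assumes default ProgIDs (JSFile, VBSFile, ...); function names are hypothetical.

$ScriptExtensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh'

function Get-ShellOpenCommand {
    # Resolve what Explorer will run for an extension: HKCU\Software\Classes
    # takes precedence over HKLM\Software\Classes, so check the user hive first.
    param([Parameter(Mandatory)][string]$Extension)

    $progId = $null
    foreach ($hive in 'HKCU:\Software\Classes', 'HKLM:\Software\Classes') {
        $key = Get-Item -Path "$hive\$Extension" -ErrorAction SilentlyContinue
        if ($key -and $key.GetValue('')) { $progId = $key.GetValue(''); break }
    }
    $command = $null
    if ($progId) {
        foreach ($hive in 'HKCU:\Software\Classes', 'HKLM:\Software\Classes') {
            $key = Get-Item -Path "$hive\$progId\shell\open\command" -ErrorAction SilentlyContinue
            if ($key -and $key.GetValue('')) { $command = $key.GetValue(''); break }
        }
    }
    [pscustomobject]@{
        Extension  = $Extension
        ProgId     = $progId
        Command    = $command
        # Anything still routed through wscript.exe/cscript.exe is a live risk.
        RunsViaWSH = [bool]($command -match '(?i)(w|c)script\.exe')
    }
}

function Set-ScriptExtensionViewer {
    # Shadow each ProgID's open verb under HKCU so the default action is Notepad.
    param([string[]]$Extensions = $ScriptExtensions)

    foreach ($ext in $Extensions) {
        $current = Get-ShellOpenCommand -Extension $ext
        if (-not $current.ProgId) { Write-Warning "$ext has no registered handler; nothing to do"; continue }
        $cmdKey = "HKCU:\Software\Classes\$($current.ProgId)\shell\open\command"
        New-Item -Path $cmdKey -Force | Out-Null
        # Quote %1 so a path containing spaces is passed as one argument.
        Set-ItemProperty -Path $cmdKey -Name '(default)' `
            -Value ('"{0}\system32\notepad.exe" "%1"' -f $env:SystemRoot)
    }
}

function Test-ScriptExtensionsHardened {
    # Verification pass: $true only when no listed extension still opens via WSH.
    param([string[]]$Extensions = $ScriptExtensions)

    # @() keeps Count correct when the pipeline returns nothing.
    $live = @($Extensions | ForEach-Object { Get-ShellOpenCommand -Extension $_ } |
              Where-Object { $_.RunsViaWSH })
    foreach ($entry in $live) {
        Write-Warning ('{0} still opens with {1}' -f $entry.Extension, $entry.Command)
    }
    return ($live.Count -eq 0)
}

# Usage:
#   Get-ShellOpenCommand -Extension .js   # stock result: JSFile -> WScript.exe "%1" %*
#   Set-ScriptExtensionViewer
#   Test-ScriptExtensionsHardened         # $true once every listed type opens in Notepad
```

Two caveats. This only changes what a double-click does; `wscript.exe evil.js` typed or spawned by something else still runs, as does anything delivered as .hta or as an Office macro. To switch off the scripting hosts for everyone, an administrator can instead set the REG_DWORD value `Enabled` to 0 under `HKLM:\Software\Microsoft\Windows Script Host\Settings` (the HKCU equivalent does it for one user), which makes wscript.exe and cscript.exe refuse every script.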

  2. J. R. Hartley

    Say what you like

    But these things always impress me.

    1. James 51

      Re: Say what you like

      They don't impress me any more than someone stepping out of a dark alley does. There is just less risk for the criminals this way.

      1. J. R. Hartley

        Re: Say what you like

        Pfft. Anyone can do that dark alley shit.

  3. Anonymous Coward
    Facepalm

    Method of infection.

    How exactly does this JavaScript ransomware infect your computer in the first place. What steps would I need to take to prevent this?

    1. itzman
      Boffin

      Re: Method of infection.

      you download (directly, or as email attachment) and attempt to open a .js file

      You prevent it by not opening files with a .js suffix, or installing linux

      1. sabroni Silver badge

        Re: or installing linux

        Or, if you don't want to change OSes just to stop javascript autorunning, associate .js files with notepad or your favourite text editor. Takes a couple of seconds.

        Of course, if there were linuxes that autoran js, the fault would be with the user stupidly opening unsolicited attachments not the OS.

    2. Anonymous Coward

      Re: Method of infection.

      Step 1: Don't run windows

  4. Mark 85

    One tiny step, MS... one tiny step and you blow it.

    Make extensions visible by default, dammit. If this had been done decades ago, users might be educated just a tad and not click on this crap. Then again, there are the curious ones..."I wonder what this file is... let's see...<clickety>".

    1. Lyndon Hills 1

      Re: One tiny step, MS... one tiny step and you blow it.

      Make extensions visible by default, dammit. If this had been done decades ago,

      Decades ago file extensions _were_ visible by default. Then MS decided to hide them.

      1. GrumpenKraut
        Facepalm

        Re: One tiny step, MS... one tiny step and you blow it.

        > Then MS decided to hide them.

        Last time I looked, one extension was hidden.

        So a file "innocent.pdf.exe" was shown as "innocent.pdf". BRILLIANT!

        1. Anonymous Coward
          Facepalm

          Re: One tiny step, MS... one tiny step and you blow it.

          Yep, and the icon for a .exe file is embedded in the .exe itself. No I don't see a problem with this at all!

          (Bring back Windows 3.1 and its File Manager; the UI in Windows 10 is almost half-way there already!)

    2. veti Silver badge

      Re: One tiny step, MS... one tiny step and you blow it.

      Yep, this was the big one, the time they failed security forever. And why? What possible gain is there in hiding extensions?

      The only - only - half-way plausible answer I can think of is, to make the computer's action less transparent to users. So instead of ".doc files open in Word", now the user is trained to know "files with a Word icon open in Word". How the computer knows to show a Word icon - is deliberately obfuscated.

      Either because MS didn't want to burden the poor user's brain with technical details - or because they wanted Windows to look "smarter" than it really is. I know which one I'd bet on as the larger reason.

    3. Anonymous Coward

      Re: you blow it.

      Without going into so much detail, I stand by what I said.

    4. kahalid

      Re: One tiny step, MS... one tiny step and you blow it.

      I wonder what this file is... let's see... = "We have to pass this bill to see what's in it". Indeed.

    5. Charles 9

      Re: One tiny step, MS... one tiny step and you blow it.

      "If this had been done decades ago, users might be educated just a tad and not click on this crap."

      You ever thought that maybe the average user is simply too stupid and is more likely to erase or change the extension, break the file, and cry for help? That's the kind of clientele Microsoft has to cater, remember: the kind incapable of learning. Yet they'll use their computers anyway, so yeah, the baby treatment is necessary; otherwise we're going to need to figure out a way to establish a licensing system for computers the way we do cars.

      1. Anonymous Coward

        Re: One tiny step, MS... one tiny step and you blow it.

        Soon "Clippy" (nowadays, it's called "Cortana" I think) will come with a final solution bottle to be mounted on screen.

        "DINGDING"

        "?"

        "It seems you are incapable of learning. Take a deep breath!"

  5. Winkypop Silver badge
    Joke

    As Billy Clinton might have said:

    I did not have click with that file!

  6. clocKwize

    I don't think the problem is something that executes when you open a file.. there are a lot of file types that do this, not just js files.. people just need to not be idiots and download and run files when they don't trust them.

    1. el_oscuro

      Of course in *nix based systems, files must be explicitly marked as executable by the user before they can run. And the current directory is not in the path, making accidentally executing something difficult.

      Windows on the other hand seems to make it as easy as possible to execute malicious code, with that stupid "hide extensions of known file types", *everything* being executable and the random directory you are in being the first entry in your path.

    2. Anonymous Coward

      Trusting files

      I think the problem is that people put trust in files and sources that they really shouldn't.

      1. Charles 9

        Re: Trusting files

        And I think the real real problem is that Users Are Stupid, and because You Can't Fix Stupid, it's going to be hard to fix that problem (apart from requiring a license to use a computer, but that would kill anonymity).

        1. Anonymous Coward

          Re: Trusting files

          apart from requiring a license to use a computer, but that would kill anonymity

          Good god no! They'll appoint a semi-competent half-wit that managed to cram his/her way through a basic-level Microsoft course and thinks a serial port is a place sailors go for breakfast!

      2. robidy

        Re: Trusting files

        ...or they put trust in their systems and sysadmins.

  7. Stevie

    Bah!

    Ah, javascriptkiddies, feel the Cobol professional programmers' outrage.

    What, "Y2K=Cobol's Fault" is a completely different case?

    8op

    Nice one, El Reg. Easy target over facts every time for a lively batch of posts. With this and the CIA Encryption story you should get lots of traffic today.

  8. brym

    I wonder how long

    Before crims start taking advantage of the likes of Electron.

  9. fidodogbreath
    Facepalm

    Technical explanation of how this exploit works

    "Oooh, lookie! Someone with a weird email address sent me a file attachment with a weird name. I better double-click on it right away!!!"

    Malicious email attachments have been around for decades now, but the wetware remains unpatched and vulnerable.

  10. Old Handle

    Anyone who opens a file called mgJaXnwanxlS_doc_.js deserves what they get. Even if they don't know how to turn off hiding file extensions, mgJaXnwanxlS_doc_ is an obviously suspect name.

    1. LaeMing
      Facepalm

      But it might contain diamonds!

      1. Anonymous Coward

        Diamonds on Miss Kardashian's clit piercing!
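The two naming tricks discussed in this thread (innocent.pdf.exe displayed as innocent.pdf once Explorer hides the last extension, and a document-sounding token such as _doc_ glued onto a .js name) are easy to model and easy to screen for. The following is an added example, not from the thread: it reproduces Explorer's display rule for a given name, reads the current HideFileExt setting, and runs the triage check a helpdesk or mail-gateway script would apply to attachment names. Function names and the sample list are my own; only mgJaXnwanxlS_doc_.js and innocent.pdf.exe come from the comments above, the other names are constructed.

```powershell
# Added example: Explorer display-name rule plus an attachment-name triage check.
# Sample names below are constructed for the example; function names are hypothetical.

$ScriptOrBinaryExtensions = '.exe', '.scr', '.pif', '.com', '.bat', '.cmd',
    '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta', '.ps1', '.lnk'
$DocumentTokens = 'doc', 'docx', 'pdf', 'xls', 'xlsx', 'txt', 'jpg', 'png', 'invoice', 'scan'

function Get-HideFileExtSetting {
    # 1 (the default) = Explorer hides the extension of registered file types.
    $adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
    if ($null -ne $adv -and $null -ne $adv.HideFileExt) { return [int]$adv.HideFileExt }
    return 1
}

function Get-ExplorerDisplayName {
    # Explorer strips only the LAST extension, and only if it is registered under
    # HKCR; ProgIDs carrying a NeverShowExt value (.lnk, .pif) stay hidden even when
    # HideFileExt is 0. Pass -ShowExtensions to model the HideFileExt=0 setting.
    param([Parameter(Mandatory)][string]$FileName, [switch]$ShowExtensions)

    $ext = [System.IO.Path]::GetExtension($FileName)
    if (-not $ext) { return $FileName }
    $extKey = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue
    if (-not $extKey) { return $FileName }             # unregistered type: always shown
    $neverShow = $false
    $progId = $extKey.GetValue('')
    if ($progId) {
        $progKey = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\$progId" -ErrorAction SilentlyContinue
        $neverShow = [bool]($progKey -and ($progKey.GetValueNames() -contains 'NeverShowExt'))
    }
    if ($ShowExtensions -and -not $neverShow) { return $FileName }
    return $FileName.Substring(0, $FileName.Length - $ext.Length)
}

function Test-SuspiciousAttachmentName {
    # Returns the reasons a name looks like an execute-by-deception attempt (empty if none).
    param([Parameter(Mandatory)][string]$FileName)

    $reasons = @()
    $ext  = [System.IO.Path]::GetExtension($FileName).ToLowerInvariant()
    $stem = [System.IO.Path]::GetFileNameWithoutExtension($FileName)
    if ($ext -in $ScriptOrBinaryExtensions) {
        $reasons += "executable/script extension $ext"
        $innerExt = [System.IO.Path]::GetExtension($stem).TrimStart('.').ToLowerInvariant()
        if ($innerExt -and $innerExt -in $DocumentTokens) { $reasons += "double extension .$innerExt$ext" }
        $tokenPattern = '[_\-](' + ($DocumentTokens -join '|') + ')[_\-]?$'
        if ($stem -match $tokenPattern) { $reasons += 'document-like token glued before the extension' }
        if ($stem -match '\s{3,}$') { $reasons += 'whitespace padding pushes the extension out of view' }
    }
    # Right-to-left / left-to-right override characters reverse the displayed tail of a name.
    $bidi = [char[]](0x202E, 0x202D)
    if ($FileName.IndexOfAny($bidi) -ge 0) { $reasons += 'Unicode bidi override character in name' }
    return $reasons
}

# Constructed sample attachment names.
$samples = 'mgJaXnwanxlS_doc_.js', 'innocent.pdf.exe', 'report.docx', 'invoice_pdf.scr', 'quarterly.xlsx'
$showExt = (Get-HideFileExtSetting) -eq 0
foreach ($name in $samples) {
    [pscustomobject]@{
        Name     = $name
        Explorer = Get-ExplorerDisplayName -FileName $name -ShowExtensions:$showExt
        Flags    = (Test-SuspiciousAttachmentName -FileName $name) -join '; '
    }
}
```

With the default setting, innocent.pdf.exe and mgJaXnwanxlS_doc_.js display as innocent.pdf and mgJaXnwanxlS_doc_, and both are flagged (double extension and document-like token respectively), while report.docx and quarterly.xlsx produce no flags. Note that turning extensions back on is not a complete fix: a .lnk named invoice.pdf.lnk still shows as invoice.pdf because the lnkfile ProgID carries NeverShowExt, which is why the triage check looks at the real name rather than the displayed one.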
