Post by Steve Hayes
> Post by Paul
>> 1) Real threat arrives as an email attachment.
>> Employee clicks attachment. Weapon is armed.
>> 2) Now, the malware is inside the network, on the LAN
>> side of the router. Port 445 is open on other machines
>> on the LAN, allowing a worm-like attack. So now it
>> spreads to all your machines, like it was Sality.
>> This threat really isn't all that much different than
>> some other Ransomware, which can encrypt any file shares
>> that it can discover. Existing Ransomware could do a lot
>> of damage in any case. The new vector will just be
>> doing a much-more-complete exploitation. You still
>> have to do (1) to let them in.
>> If you are the sole occupant of your home LAN, and
>> have half-a-clue about email attachments, your risk
>> is low. And the NAT IPv4 router you use with your broadband
>> connection should be enough.
> Thanks for that.
> None of the articles I've read said how it was delivered, and someone
> in a comment on Facebook said it was not delivered by e-mail
> attachment but by a backdoor.
Well, it has to get *in* somehow. And most people, by "luck"
will not have port 445 facing outwards. If you were doing
that, something probably would have happened to you over
the years anyway.
Even the router itself is not bulletproof. At one point,
there was an exploit that affected 70 different models of
home routers. The reason for that is that the firmware used
was written by one company, so the same bug was present
across a broad range of products. Your router is a
computer too, and the quality of the code running in
there is just as important.
A buddy at work one day comes running over to my desk at
about 4PM in the afternoon and says "hey, I'm on someone's
hard drive [on the Internet], I can see all their
files and their email - should I email them a warning?". Now,
the first question that comes to mind is "what the hell have
you been doing?". Since I don't have time on a given day,
to discover what my fellow monkeys are up to, I had
no trouble answering "yes, of course, email them and
tell them to fix it". Was it a honey pot? My guess is,
it's someone just as stupid as my buddy :-) So if
you did connect your PC directly to the ADSL modem
(no router), and then shared C: to "Everyone", that's
what happens. If that machine was still operational today,
somewhere on the Internet, it probably has a Ransomware dialog
on the screen.
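Paul's two points above (port 445 open on every LAN machine lets a worm hop between them; a NAT router is usually what keeps 445 from facing the Internet) can be checked from the machine's own side. The script below is an added example written for this thread, not anything posted by Paul or Steve: it lists what is listening on TCP 445, reports whether the legacy SMBv1 dialect is still enabled, and adds a firewall rule that blocks inbound 445 only on the Public profile, so file sharing on a trusted home LAN keeps working. It assumes a Windows 8/10/11 or Server 2012+ host run from an elevated PowerShell, where the NetTCPIP, NetSecurity and DISM cmdlets it calls are available; the rule's display name is an arbitrary label chosen here.

```powershell
# Added example (not from the thread). Run as Administrator.

# 1. Which local addresses have something listening on TCP 445?
$listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    $addrs = ($listeners | Select-Object -ExpandProperty LocalAddress | Sort-Object -Unique) -join ', '
    Write-Output "TCP 445 is listening on: $addrs"
} else {
    Write-Output "Nothing is listening on TCP 445 on this host."
}

# 2. Is the legacy SMBv1 protocol still enabled? Microsoft recommends
#    turning it off; doing so shrinks what an attacker on the LAN can
#    talk to on port 445. Disabling needs a reboot, so it is left as a
#    commented-out step rather than done silently.
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Write-Output "SMB1Protocol feature state: $($smb1.State)"
if ($smb1.State -eq 'Enabled') {
    Write-Output "SMBv1 is enabled. To remove it (reboot required):"
    Write-Output "  Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart"
}

# 3. Block inbound 445 on the Public profile only (hotel / coffee-shop
#    networks). Private and Domain profiles are untouched, so shares on
#    the home LAN that Paul describes keep working.
$ruleName = 'Block inbound SMB 445 (Public profile, added example)'
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -Profile Public -Action Block -Enabled True | Out-Null
    Write-Output "Created firewall rule: $ruleName"
} else {
    Write-Output "Firewall rule already present: $ruleName"
}

# 4. Show the rule's port filter so the result can be eyeballed.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort, RemotePort
```

The script deliberately only reports on SMBv1 rather than disabling it, since that change forces a reboot; the firewall rule is idempotent, so re-running the script does not stack duplicate rules. Whether 445 is reachable from the Internet side is a separate question that this host-side check cannot answer; that is the job the NAT router does, as Paul says, and the place to confirm it is the router's own port-forwarding and firewall configuration.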