ZIP Attachments in Email

dreamstime_xxl_94708677

If you’re like me, you occasionally receive the odd spam, or phishing email that wants you to open a zipped attachment pertaining to hold some invoice or information that you need to see. Unfortunately, if you do manage to open the zipped file from an email that you weren’t expecting, you could be opening up your system or systems to a particularly nasty piece of malware, called ‘Locky’ which is a ‘ransomware’ type of malware. Unfortunately, not all variants of Locky have been decrypted and you may end up paying for access to your own files. The ransom is currently set to 0.25 bitcoin, which at recent market prices is around $ 1,250 USD. I won’t go into the actual analysis of the Locky file, but will explain how the infection works.

VBS Scripting

The file uses a rather simple VBS script (Visual Basic Scripting) to infect a Windows based system. Parts of the code are actually ‘filler’ and don’t really do anything but the line in the code that does all the damage is this. Note that this line is modified to mask the actual site to prevent the accidental download of the ransomware file.

krapivec = Array("site**********.3g76fh?",
"site****************/p66/3g76fh",
"site**************/3g76fh?")

What this snippet of code does is queries the sites looking for a file named 3g76fh
and then downloads it to your system, and executes it. This runs the actual encryption routine and encrypts all your files on your system, plus propagates through your network as well, infecting other systems.

Locky Variants

This is one variant of Locky. Others will download files with different names, but the results are always the same, complete encryption of your drive, and all other mounted drives, such as thumb drives, network shares, and can infect Windows, Linux, OSX as well although the main infection requires VBS macros to be enabled. Typically, if you open the attachment, it will appear as just ‘gobble gook’ and it will ask you to enable macros in order to see the file correctly. NEVER enable macros for any file that you were not expecting nor know the sender of.

Note that earlier versions, and some new ones, will use javascript instead of VBS, but the message is always the same – do not open any attachments from any email received, especially if not expecting anything, or you do not recognize the sender.

Unfortunately in our connected world, there will always be someone who has malicious intent and with the case of Locky, can do some serious harm to both personal and corporate systems. As always, pay attention to the emails you receive and if in doubt, delete the email.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s