Quoting Linus Sphinx (sphinxtar(a)gmail.com):
There are only two (closely related) questions about "malware" that are
even remotely interesting, and this Bleepingcomputer article is typical
in being a bit unclear on, and failing to emphasise, those questions and
their answers:
1. How does the code get executed?
2. How (if this happens) does process privilege then get escalated?
The article's _extremely_ vague about key question #1. Just an
"encryptor" gets run. How and by whom and why? The article
has zero to say about that.
For the Linux version analyzed by ReversingLabs, the encryptor
focuses strongly on encrypting VMware ESXi virtual machines, including
two command-line arguments that control how the Linux encryptor will
encrypt virtual machines.
One gathers that this particular "malware" doesn't bother to escalate to
system privilege -- or is assumed to have been run as root.
The implication of this rather shoddily written article is that
GwisinLocker is not an attack vector at all. It is a post-attack
tool used by bad guys who have entered and cracked root on your machine
through other means entirely.
So, the gist of this article is: _If_ bad guys can find a way to enter
your machine and crack root authority, _they_ can do bad things with root
authority. Here's an article about one of the myriad variety of bad
things they can then do.
For _that_, we need an _article_?
On the other hand, Ahnlab and ReversingLabs got some free publicity, by
writing a report that Bill Toulas of Bleepingcomputer copied-and-pasted
into an alleged IT news article. Everybody wins, except the reader.