From owner-freebsd-questions@freebsd.org Fri Nov 20 00:21:38 2015
Date: Fri, 20 Nov 2015 00:21:32 +0000
From: RW <rwmaillists@googlemail.com>
To: freebsd-questions@freebsd.org
Subject: Re: ransomware virus on Linux
Message-ID: <20151120002132.7a4e3a82@gumby.homeunix.com>
In-Reply-To: <86y4dtiqc3.fsf@WorkBox.Home>
References: <20151119064434.GB1925@c720-r276659.oa.oclc.org> <86y4dtiqc3.fsf@WorkBox.Home>

On Thu, 19 Nov 2015 16:20:28 -0600
Brandon J. Wandersee wrote:

> From what I've been able to glean, this seems a little bit overblown.
> I don't doubt the effects are significant for the people experiencing
> them, but it seems extremely limited. The program is said to "take
> advantage of" an outdated, running instance of the Magento e-commerce
> software, so I have to think that it can only be executed via
> Magento. It also encrypts only directories that would absolutely
> require root privileges to modify--e.g., it specifically
> encrypts /home, not individual user directories, so even if you
> deliberately executed it as a regular user it would have no effect.

I would guess it would recurse from /home into whatever it can access -
it probably just encrypts the files in place.

What worries me is that the next version might target Linux
workstations where there's a lot of very complex software running as
the owner of the user data.
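RW's point is that an in-place encryptor started as an unprivileged user (say, the web server's account) reaches exactly the home directories whose "other" permission bits let it in. The following audit script is an added example, not code from the thread or from any FreeBSD tool; it assumes a POSIX find(1) with -mindepth/-maxdepth (GNU and BSD both have them) and reports which immediate subdirectories of a home root are readable, writable or searchable by users other than the owner and group.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread).
# List home directories that a process running as some other, unprivileged
# account could enter, read or write, i.e. what a malware sample recursing
# from /home could reach without root.

# audit_home_perms [DIR]
# Prints "mode path" for every immediate subdirectory of DIR (default /home)
# whose "other" bits grant read (004), write (002) or search (001).
audit_home_perms() {
    root=${1:-/home}
    find "$root" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -004 -o -perm -002 -o -perm -001 \) | sort |
    while IFS= read -r d; do
        # ls -ld gives the symbolic mode portably on both GNU and BSD.
        mode=$(ls -ld "$d" | awk '{print $1}')
        printf '%s %s\n' "$mode" "$d"
    done
}

# home_is_private [DIR]
# Returns 0 when no subdirectory of DIR is exposed to "other", 1 otherwise.
home_is_private() {
    [ -z "$(audit_home_perms "${1:-/home}")" ]
}

# Stand-alone usage: audit the real /home and fail noisily if anything is exposed.
if [ "${0##*/}" != "sh" ] && [ "${AUDIT_HOME_SELFTEST:-0}" = "0" ]; then
    audit_home_perms "${1:-/home}"
    home_is_private "${1:-/home}" || echo "WARNING: home directories above are reachable by other users" >&2
fi
```

Running it as `sh audit_home.sh /home` on a workstation shows the directories a compromised unprivileged service could traverse; a clean result prints nothing.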