Ruby Security IT

Clipboard Hijacking Malware Found in 725 Ruby Libraries (zdnet.com) 22

Security researchers from ReversingLabs say they've discovered 725 Ruby libraries uploaded to the official RubyGems repository that contained malware meant to hijack users' clipboards. From a report: The malicious packages were uploaded to RubyGems between February 16 and 25 by two accounts -- JimCarrey and PeterGibbons. The 725 libraries, which are listed here in full, were removed two days later, on February 27, after the ReversingLabs team notified the RubyGems security team. All the Ruby libraries were copies of legitimate libraries, used lookalike names, and worked as intended, but also contained additional malicious files. The extra file inserted into each package was named aaa.png. However, ReversingLabs say this file wasn't a PNG image, but instead was a Windows PE executable.
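The practical check the report implies is cheap: a file that calls itself an image but begins with a Windows PE header has no business in a gem. The following is an added example, not code from ReversingLabs, RubyGems or the ZDNet report. It walks an unpacked gem directory (the kind of tree `gem unpack` produces) and flags image-named files whose bytes are a PE/COFF executable (an "MZ" DOS stub at offset 0 and a "PE\0\0" signature at the offset stored in e_lfanew at 0x3c). The directory layout, file names and the PE-shaped byte string are constructed for the demonstration; the name aaa.png is taken from the report.

```ruby
# Added example (not from the ZDNet report, ReversingLabs or RubyGems):
# flag files in an unpacked gem whose extension claims an image but whose
# leading bytes are a Windows PE executable.
require "tmpdir"
require "fileutils"
require "find"

PNG_MAGIC  = "\x89PNG\r\n\x1a\n".b
IMAGE_EXTS = %w[.png .jpg .jpeg .gif .bmp .ico].freeze

# True if +bytes+ look like a PE/COFF executable: "MZ" at offset 0 and
# "PE\0\0" at the little-endian offset stored in e_lfanew (offset 0x3c).
def pe_executable?(bytes)
  return false unless bytes.bytesize >= 0x40 && bytes.start_with?("MZ".b)
  e_lfanew = bytes[0x3c, 4].unpack1("V")
  return false if e_lfanew.nil? || e_lfanew + 4 > bytes.bytesize
  bytes[e_lfanew, 4] == "PE\0\0".b
end

# True if +bytes+ carry the 8-byte PNG signature.
def png?(bytes)
  bytes.start_with?(PNG_MAGIC)
end

# Walk +root+ and return the relative paths of image-named files that are
# really PE executables. Only the first 4 KiB of each file is read.
def suspicious_files(root)
  hits = []
  Find.find(root) do |path|
    next unless File.file?(path)
    next unless IMAGE_EXTS.include?(File.extname(path).downcase)
    head = File.binread(path, 4096) || "".b   # binread returns nil on an empty file
    hits << path.delete_prefix(root + File::SEPARATOR) if pe_executable?(head)
  end
  hits.sort
end

# Constructed PE-shaped byte string (not a runnable executable): "MZ" header,
# e_lfanew = 0x80 written at offset 0x3c, "PE\0\0" at offset 0x80.
def fake_pe
  buf = "MZ".b + "\0".b * 0x3e
  buf[0x3c, 4] = [0x80].pack("V")
  buf + "\0".b * (0x80 - buf.bytesize) + "PE\0\0".b + "\0".b * 16
end

# Build a constructed mini "unpacked gem" tree in a temp dir and scan it:
# one genuine PNG, one Ruby source file, and one PE disguised as aaa.png.
def demo
  Dir.mktmpdir("gem-scan") do |dir|
    FileUtils.mkdir_p(File.join(dir, "lib"))
    File.binwrite(File.join(dir, "lib", "logo.png"), PNG_MAGIC + "\0".b * 64)
    File.binwrite(File.join(dir, "lib", "foo.rb"), "puts 1\n")
    File.binwrite(File.join(dir, "lib", "aaa.png"), fake_pe)
    suspicious_files(dir)
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

To use it against a real package, run `gem fetch NAME && gem unpack NAME-VERSION.gem` and point `suspicious_files` at the unpacked directory before anything is installed. The check is deliberately narrow: it says nothing about a lookalike name or about code in `extconf.rb` or the gemspec, which is where a gem's install-time execution actually happens.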
  • by mspohr ( 589790 ) on Friday April 17, 2020 @01:50PM (#59959460)

    I am shocked, shocked, I say, to see that Windows has another vulnerability!

    • Nope. If you intentionally download and run code from an untrusted source there's not much Windows can do. The difference between an open platform like your PC and a locked down platform like an iPhone is who has final say over what can be done with it. Considering many people like yourself are quick to blame Microsoft or other hardware/software creators it's no surprise they figured as long as they were being blamed anyway they might as well actually take control to protect devices from their owners.

      A good AV might stop the aaa.png from running but it depends what exactly it does and if heuristics would be expected to catch it... if it's JUST monitoring the clipboard it might be able to avoid detection. If an AV definition file is released to scan for it specifically then things get a bit better.

      • by raynet ( 51803 )

        This wouldn't happen in better OSes that support execute bit, or in DOS where the executable needs to have .com or .exe to be executable.

        • by AleRunner ( 4556245 ) on Friday April 17, 2020 @02:16PM (#59959592)

          This wouldn't happen in better OSes that support execute bit, or in DOS where the executable needs to have .com or .exe to be executable.

          Bullshit; I mean, I think my posting record shows quite clearly that I think the Devil is the spawn of Microsoft, but I still think you are unfair here. Gems are designed to install code which is then executed. On any operating system, if you can get your malware gem installed, then it's game over. Especially since gems are often installed by the administrator / root.

        • "gem install" is fully capable of doing that on any OS.

        • You know we're talking about downloading libraries for a programming language, right?

          The execute bit doesn't matter in the slightest, because this is being called by something that is supposed to have an execute bit already.

      • Opening an image file as an executable isn't Microsoft's fault?

        • by aix tom ( 902140 )

          Well, if the "packaging system" allows the equivalent of a "bash aaa.png", then, no, really.

          That's why you usually have NO live production systems that pull any fancy "framework of the week" dependencies live from the internet, right? No matter if they run Windows, Linux, or TempleOS.

        • You're utterly screwed at "gem install mybadgem"

          That will run as your user id, and have access to everything you do. Yes, including chmod u+x aaa.png; ./aaa.png, or more likely jacking with your shell profile settings, your PATH, your LD_LIBRARY_PATH, god knows what else at that level, or even deep inside your desktop config you'd never look. When you launch a browser, what path is executed, you sure? How often do you check that it isn't "aaa.png; chrome"? This stuff is just script kiddy level.

          If any pa

        • by vbdasc ( 146051 )

          If a file has a PE signature, then it's an executable, not an image.

      • by bn-7bc ( 909819 )
        The solution is for MS to change the defaults to show file extensions by default (all extensions), or maybe go the Unix/Linux way and only execute files that have an attribute that tells the OS it's in fact executable. Trusting an arbitrary part of the file name is IMHO a recipe for disaster.
