Cryptolocker .RTF


  • Cryptolocker .RTF

    Hi All:

    We have numerous procedures which create .RTF documents from spool files.
    In many scenarios the .RTF is merged with our logo before being sent to our accounts.

    We have been informed by our security folks that because of the Cryptolocker virus NO ONE will be able to open an .RTF document.
    As a result we are searching for a method of generating a .DOC file type.

    Is anyone dealing with this at your shop?
    Any advice or direction would be appreciated.

    Thanks
    GLS
    The problem with quotes on the internet is that it is hard to verify their authenticity.....Abraham Lincoln

  • #2
    Re: Cryptolocker .RTF

    Doesn't it affect .doc ?

    fwiw I would have thought you'd have more luck creating a LibreOffice document rather than a Microsoft document. Just a thought.



    • #3
      Re: Cryptolocker .RTF

      AFAIK, Cryptolocker has no problems messing up .DOC among other file types. The basic defenses are not to allow Cryptolocker into the network and to ensure that backups are up to date and in secure locations off of the network. I have not heard of any successful recovery other than restores to a cleaned network.
      Tom

      There are only two hard things in Computer Science: cache invalidation, naming things and off-by-one errors.

      Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?



      • #4
        Re: Cryptolocker .RTF

        While it can encrypt anything, I didn't think Cryptolocker *propagated* via RTF files, so I don't know what the issue would be. In fact, I thought it was an executable, but masked its icon so it looks like another kind of document.

        Though I haven't used it, I believe the Apache POI project includes support for creating MS Word documents, similar to their support of MS Excel spreadsheets. I'd be more inclined to move to PDF documents for reports as I wouldn't expect anyone to need to change the contents as could easily be done with other document types. There are various ways to turn reports into PDFs, including OVRPRTF and CPYSPLF.

        --Bryan



        • #5
          Re: Cryptolocker .RTF

          It's not all that difficult to generate a .DOCX document. .DOCX is just a set of XML files in a directory structure that have been zipped together. You could create that structure in the IFS, put your data into it (as an XML document) and then use a tool like info-zip or JAR to zip up the result into a .DOCX file.

          To get started, try creating a document in MS-Word and save it as a .DOCX. Then, on your PC, rename it from .DOCX to .ZIP and double-click it and you'll see what I mean.

          The older format (.DOC) is not so simple, alas. That format uses Microsoft's OLE2 Compound Document format instead of .ZIP, and the internals of a Word document were a binary file that's hard to generate, and isn't especially well-documented anywhere. Since this format is deprecated at this point, anyway, I'd advise using .DOCX.

          Or, PDF might be another good choice (depending on what you plan to do with it.)

          I don't understand why .RTF would be any more of a problem than these other formats, though...

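The procedure in post #5, as an added example that is not part of the original post: it writes the three parts a minimal WordprocessingML package needs and zips them into a .DOCX. The sample report lines and the `build_docx` name are constructed for illustration; control characters such as the form feeds found in spooled output are stripped because XML 1.0 does not allow them.

```python
import io
import re
import zipfile
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
PKG = "http://schemas.openxmlformats.org/package/2006/"
DECL = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'

# Part 1: maps each part of the package to its content type.
CONTENT_TYPES = DECL + (
    '<Types xmlns="' + PKG + 'content-types">'
    '<Default Extension="rels" ContentType='
    '"application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/'
    'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>')

# Part 2: points the reader at the main document part.
RELS = DECL + (
    '<Relationships xmlns="' + PKG + 'relationships">'
    '<Relationship Id="rId1" Target="word/document.xml" Type="http://'
    'schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument"/>'
    '</Relationships>')

# Characters XML 1.0 forbids (for example the form feed, 0x0C).
XML_ILLEGAL = re.compile(
    r"[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]")

def build_docx(lines):
    """Return the bytes of a .docx holding one paragraph per report line."""
    paras = "".join(
        '<w:p><w:r><w:t xml:space="preserve">%s</w:t></w:r></w:p>'
        % escape(XML_ILLEGAL.sub("", line))      # strip, then escape & < >
        for line in lines)
    # Part 3: the document body itself.
    document = DECL + ('<w:document xmlns:w="%s"><w:body>%s</w:body>'
                       '</w:document>' % (W_NS, paras))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", RELS)
        z.writestr("word/document.xml", document)
    return buf.getvalue()

# Constructed sample standing in for lines copied out of a spool file.
SAMPLE_SPOOL = ["INVOICE 1001", "ACME <Parts> & Co", "TOTAL      10.00\x0c"]

if __name__ == "__main__":
    print(len(build_docx(SAMPLE_SPOOL)), "bytes")
```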


          • #6
            Re: Cryptolocker .RTF

            As it turns out, an HTML doc can be processed with Word.
            We happen to have the E-Send product from Help Systems which has a cpysplifs command with an *HTML type conversion.
            We just place the HTML document in the IFS named xxxxxx.doc and Word has no problem opening and copying and doing anything you can do with an .rtf file.
            "I don't understand why .RTF would be any more of a problem than these other formats, though..."
            According to our network guys the virus can be embedded in an .RTF file but not any of the others.
            I don't know that to be fact but that's what they are telling me.


            Thanks to all
            GLS
            The problem with quotes on the internet is that it is hard to verify their authenticity.....Abraham Lincoln

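Post #5 names the containers (.DOCX is a ZIP, .DOC is OLE2) and post #6 stores HTML under a .doc name, so a file's extension and its content are separate things. The following added example, not code from any poster, identifies a file by its leading bytes and reports whether that agrees with its name; the function names, the `EXPECTED` table and the sample byte strings are constructed for illustration.

```python
import io
import os
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .DOC/.XLS container

# Format each extension is expected to contain (assumed policy table).
EXPECTED = {".rtf": "rtf", ".doc": "ole2", ".docx": "docx",
            ".pdf": "pdf", ".htm": "html", ".html": "html"}

def sniff(data):
    """Return the format implied by the content, ignoring the file name."""
    # Skip a UTF-8 byte order mark and leading whitespace.
    head = data[:1024].lstrip(b"\xef\xbb\xbf \t\r\n")
    if head.startswith(b"{\\rtf"):
        return "rtf"
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    if head.startswith(b"%PDF-"):
        return "pdf"
    if head.startswith(b"PK\x03\x04"):
        # A ZIP is only a .DOCX if it carries the main document part.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if "word/document.xml" in z.namelist():
                    return "docx"
        except zipfile.BadZipFile:
            pass
        return "zip"
    if head.lower().startswith((b"<!doctype html", b"<html")):
        return "html"
    return "unknown"

def check(name, data):
    """Return (actual_format, extension_matches_content)."""
    ext = os.path.splitext(name)[1].lower()
    actual = sniff(data)
    return actual, EXPECTED.get(ext) == actual

# Constructed samples: the workaround from post #6, and RTF under a .doc name.
HTML_AS_DOC = b"<html><body><pre>INVOICE 1001</pre></body></html>"
RTF_AS_DOC = b"{\\rtf1\\ansi INVOICE 1001}"

if __name__ == "__main__":
    for name, data in [("inv1001.doc", HTML_AS_DOC), ("inv1002.doc", RTF_AS_DOC)]:
        print(name, check(name, data))
```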


            • #7
              Re: Cryptolocker .RTF

              At least a partial list of file types known to be subject to Cryptolocker encryption as early as October 2013:

              3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odc, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pdf, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, sr2, srf, srw, wb2, wpd, wps, x3f, xlk, xls, xlsb, xlsm, xlsx

              There have been and will probably continue to be variants as it evolves. No doubt other file types will be included.

              AFAIK, so far, the files (including *.rtf) are not "infected"; they are encrypted. Cryptolocker is not a "virus", though at least one "worm" variant is known.

              If a reliable source can be cited to show that any file type can become "infected", it would be helpful to us to see a reference.
              Tom

              There are only two hard things in Computer Science: cache invalidation, naming things and off-by-one errors.

              Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?



              • #8
                Re: Cryptolocker .RTF

                @Tom:
                This is the doc my peeps pointed me to.
                http://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000590.aspx


                It does not specifically reference Cryptolocker.

                The bottom line is the same. We are no longer able to reference .rtf files.
                The work-around we came up with was the *html export.....named xxxx.doc
                So far the fix is running well.

                GLS
                The problem with quotes on the internet is that it is hard to verify their authenticity.....Abraham Lincoln



                • #9
                  Re: Cryptolocker .RTF

                  Originally posted by GLS400:
                  This is the doc my peeps pointed me to.
                  Ah, okay. That makes a little sense. It's effectively unrelated to Cryptolocker, though.

                  So, does that mean that .RTF was the last Microsoft Office document type you were allowed to use and now it's been crossed off the list, too? Essentially everything else done by Word has had the same or similar problem in the past (including during the past week). Singling out .RTF seems odd unless other file types have previously been called out.

                  It's a challenge trying to keep up. The best protection is always the first line of defense: Users should know good practices such as not opening unexpected files or links.
                  Tom

                  There are only two hard things in Computer Science: cache invalidation, naming things and off-by-one errors.

                  Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
