
1C.Drop.1 uses 1C to execute malicious code





Yesterday, Doctor Web reported the appearance of the first file-encrypting virus of its kind. What makes this malware unique is that it is written in the 1C programming language and is, in fact, an external data processor for the 1C:Enterprise 8 client application. The good news is that if 1C is not used in your environment, there is no threat. The bad news is that if you, like hundreds of thousands of companies in Russia and abroad, still use 1C, the threat is more than real.






In fact, as the name implies, 1C.Drop.1 is not an encryptor in its own right but a dropper that arrives on the victim's computer by e-mail. The details of how the virus works are worth reading on Doctor Web's site, but in a nutshell the following happens. Attached to the letter is a file with the .epf extension, which is an external 1C data processor. If the user follows the instructions in the letter and runs the data processor, they are treated to the amusing picture shown at the top of this post, and while it is displayed the virus tries to mail itself to the counterparties in the database, using their e-mail field. After that, a real encryptor, Trojan.Encoder.567, is launched.



A lazy administrator will now say "pfff, SRP / AppLocker won't let the executable run" and will be right. Indeed, Trojan.Encoder.567 will not get to do its destructive work, and in the worst case you will be guilty of mailing malware to your counterparties. That does your reputation no favours, but even so it is a small price. Although... don't relax just yet. This is only the first version, and it uses an external component to encrypt files; what happens when the encryptor itself is written in 1C? That is where it gets really uncomfortable. No SRP will help, because 1C is a fully permitted application and will run without any problems, and what it does inside is a secondary matter. In fact, external data processors can be compared with MS Office macros. It turns out that when (not if, but when) an encryptor written in 1C is released, the only barrier in its way will be antivirus, which, as we know, is far from a panacea. And relying on users' awareness in matters of information security is a special kind of stupidity.



A fundamental solution would be to prohibit the interactive opening of external data processors, but in real life this is rare. To reduce the risk, at the moment the only thing that comes to mind is working with 1C on a terminal server through an application server, with rights to the file system and network resources restricted as far as possible. Naturally, not everyone can afford that, but there are no other ideas yet. Perhaps you have some?
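One concrete control for the delivery vector described above, as an added example that is not part of the original post or of Doctor Web's analysis: a mail-gateway check that flags attachments carrying 1C external object extensions before they reach users. It assumes that .erf (external report) should be treated the same way as .epf, and the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# 1C external data processor (.epf) and external report (.erf) extensions.
# Assumption: both are treated as executable content at the mail gateway.
BLOCKED_EXT = {".epf", ".erf"}


def attachment_extension(name: str) -> str:
    """Normalise a filename and return its last extension, lower-cased."""
    # Trailing dots/spaces are stripped so "act.epf ." still resolves to .epf
    cleaned = name.strip().lower().rstrip(". ")
    return cleaned[cleaned.rfind("."):] if "." in cleaned else ""


def flagged_attachments(raw: bytes) -> list[str]:
    """Return the filenames of attachments that are 1C external objects.

    The filename comes from Content-Disposition or, failing that, from the
    Content-Type 'name' parameter, so a part without a disposition header is
    still inspected.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and attachment_extension(name) in BLOCKED_EXT:
            hits.append(name)
    return hits


def build_sample() -> bytes:
    """Constructed message mimicking the lure: an .epf 'data processor' plus a PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "accountant@example.invalid"
    msg["Subject"] = "Reconciliation act"
    msg.set_content("Please open the attached data processor in 1C.")
    msg.add_attachment(b"CONSTRUCTED PLACEHOLDER, NOT A REAL EPF",
                       maintype="application", subtype="octet-stream",
                       filename="Act_sverki.EPF")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder",
                       maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(flagged_attachments(build_sample()))  # → ['Act_sverki.EPF']
```

Such a filter only covers the e-mail vector; a data processor delivered by other means still depends on the access-rights restrictions discussed here.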



I will add:

For BP3 / ZUP3, the right to interactively launch external data processors is granted by:

- System administrator (not selected in the profile; assigned to users included in the predefined "Administrators" access group / profile)

- Interactive opening of external reports and data processors

- Operator for sending reports via a representative (overridable)



The "Full rights" and "Administration" roles do not, by themselves, allow data processors to be launched.



Accordingly, to prohibit the interactive launch of data processors, a new profile should be created from which the rights "Interactive opening of external reports and data processors" and "Operator for sending reports via a representative (overridable)" are removed. The "Administrator" right can be left in place, since without it some necessary functions will be unavailable, for example setting up an exchange with banks, but in that case the user will be able to grant the rights to themselves.

Source: https://habr.com/ru/post/303922/


