The CryptoLocker virus is spreading!!!

Published November 11, 2013

There’s a new type of malware that has been spreading like wildfire over the past couple of months called CryptoLocker. Most security researchers are claiming that this is one of the nastiest and most successful computer viruses ever: CryptoLocker is currently infecting Windows operating systems all across the United States and in other parts of the world. The virus is part of a generically named family of malware called “ransomware,” and its main function is to encrypt your files and “hold them hostage” until you pay a fee to have them decrypted.

How does CryptoLocker infect computers?

The CryptoLocker virus is passed around in emails that include attachments. The criminals send emails claiming to be from well-known companies like UPS, USPS, PayPal or FedEx in order to trick users in to thinking that they are legitimate and safe to open, but of course they aren’t safe at all. Instead, when a user attempts to open up the attachment, the computer becomes infected and the virus locks files on the system until the ransom request is paid. Most often the attachments will be disguised as JPEG images, ZIP files, PDF files and various types Microsoft Office files (mostly Excel and Word documents).

After a computer becomes infected, users are given 100 hours to pay a fee between $100 and $700 to get the files decrypted. The version of the virus that we’ve been seeing on infected machines have been asking $300 dollars for the decryption key. So far, it appears that the virus only encrypts data files with certain extensions, including Microsoft Office, OpenOffice and other documents, pictures, and AutoCAD files.

How to prevent your computer from becoming infected by CryptoLocker

The file paths that have been used by this infection and its droppers are:

• C:\Users\\AppData\Local\.exe (Vista/7/8)
• C:\Users\\AppData\Local\.exe (Vista/7/8)
• C:\Documents and Settings\\Application Data\.exe (XP)
• C:\Documents and Settings\\Local Application Data\.exe (XP)

In order to block the CryptoLocker and Zbot infections, certain Path Rules have to be implemented within the system so that they are not allowed to execute. There is a manual process to create these Software Restriction Policies easily, but thankfully a company called FoolishIT has created a utility called “CryptoPrevent” that automatically adds the appropriate series of Software Restriction Path Policies to a computer in order to prevent CryptoLocker and Zbot from being executed.

If you get an email that includes any type of attachment, use extreme caution and make sure you know who the sender is BEFORE opening it. If you don’t know who the sender is, or if it appears to be from one of the companies mentioned earlier DO NOT OPEN IT!!! Just delete the email. If you start seeing the CryptoLocker demand screen, please shutdown your machine immediately and call your IT administrator for further assistance. If you’re a current New River Computing client, please contact us ASAP if you see the CryptoLocker message on your screen.

Below is an example of what the CryptoLocker demand screen looks like.

How to use the CryptoPrevent Tool

One important feature to make use of in CryptoPrevent is the option to whitelist any existing programs in %AppData% or %LocalAppData%. This is a useful feature as it will make sure the restrictions that are put in place do not affect legitimate applications that are already installed on your computer. To use this feature make sure you check the option labeled Whitelist EXEs already located in %appdata% / %localappdata% before you press the Block button.

It is available from the CryptoPrevent download page.

Once you run the program, simply click on the Block button to add the Software Restriction Policies to your computer. If CryptoPrevent causes issues running legitimate applications, then remove the Software Restriction Policies that were added by clicking on the Undo button.

More Information:

For a detailed analysis of the CryptoLocker virus please check out this excellent Bleeping Computer CryptoLocker article .

Detailed information on the CryptoPrevent tool developed by FoolishIT's CryptoPrevent page.

Cyber Crime vs. Cyber Defense

Published June 03, 2013

After reading an article on the Huffington Post the other day, I started thinking about the fact that we really ARE now living in a world where BIG DATA = BIG BUSINESS = BIG MONEY. With more and more people paying bills, shopping, banking and socializing on the internet, there are going to be obvious financial losses to individuals and organizations. The article prompted some further sleuthing, which led to some eye-opening statistics.

Below is a brief summary of data showing the difference between what cyber criminals are estimated to steal in a given year and the money being spent to protect against their digital crimes.

Cyber Crime:

Fake Antivirus - $97M

Users get a message warning them that their computer has been infected with malware. When they click on a link to download antivirus software, their machine is infected. An analysis of financial records from three criminal gangs found that from 2008 to 2010 they collectively earned $97 million annually.

Stranded Traveler - $10M

Hijacked e-mail accounts are used to ask friends for money, claiming to be stranded traveling abroad. According to an analysis from several major e-mail service providers, criminals receive between 1-5 payments a day, on average.

Online Banking Fraud: Malware - $370M

Cyber criminals target businesses and individuals using malware to capture passwords, account numbers, and other data to get into online banking accounts. As of September 2011, the FBI was investigating 400 cases of “corporate account takeover” where criminals stole $85 million.

Online Banking Fraud: Phishing - $320M

Online banking fraud is sometimes carried out in a phishing attack, in which criminals impersonate websites to get unsuspecting users to provide their login credentials.

Cyber Defense:

Bank Countermeasures - $1,000M

Banks often hire companies to conduct penetration testing to ensure that their IT infrastructure is up to the standards of being secure. They also many times pay companies to search for and eliminate bogus websites used in phishing attacks. There are also additional internal security costs, such as authentication programs, UTM appliances, Firewalls, AV software and systems for generating one-time passwords.

Antivirus - $3,400M

It’s currently estimated that between 74-88% of all households with a broadband subscriptions use some form of antivirus protection.

Patching Vulnerabilities - $1,000M

Software companies constantly patch their products against vulnerabilities that can be exploited by malware. Some evidence suggests that the development cost of a single patch for key enterprise software can run up to $1 million. Deploying that patch is equally costly.

User Cleanup - $10,000M

When antivirus programs fail, aren’t updated regularly or are just used incorrectly (if at all), users often times have to call on the help of a professional computer technician to clean up their PC. This type of service usually costs between $99-$300 dollars depending on the severity of the infection.

Business Security - $10,000M

Companies use a variety of tools to fight cyber-crime including firewalls, intrusion detection systems, software maintenance/patching, deployment, and user training.

Law Enforcement - $400M

The U.S. spends nearly $200 million a year to fight cyber-crime. This accounts for half the law enforcement work worldwide.

These number are staggering to say the least. I think it’s extremely important for end users and organizations to work together with security experts and IT professionals to put all of the necessary security measures in place to combat against system vulnerabilities. Also, it’s important that folks “in the know” educate other users on how to stay safe online. Through collaborative efforts and commitment to deploying aggressive multi-layered security policies, there is hope that the cyber-crime epidemic can one day be contained.

‘Microsoft tech support’ scam captured on video

Published April 11, 2013

For those of us working in the IT industry, we get used to removing viruses and malware from plenty of machines on a regular basis. Malware is a huge problem that seems to only be getting worse. Part of the problem is a lack of education for the end users. It’s easy for the less tech savvy to get tricked into downloading a piece of software that disguises itself as legitimate piece of software (Java, Flash, Adobe etc.) While browsing the internet, users can also get tricked or scared into downloading and installing “Fake AV” programs that look legit, most times copying the GUI (graphical user interface) of popular Anti-Virus programs (AVG, Norton, Microsoft Security Essentials, ESET etc.) by thinking that their computers are infected.

I can understand how confusing all of this is for end users. Being bombarded with ads and scams online constantly can be overwhelming for the casual computer user. Luckily, places like New River Computing able to help folks clean their machines and equip them with software to thwart off these attacks by using good, reputable AV programs, such as VIPRE and Malwarebytes, and using managed service software to keep machines patches and up-to-date. We also recommend users operate under a “user account” instead of an “admin account”.

Having a good AV program installed is certainly important, as well as being mindful of pop-ups and shifty websites. But, one thing AV software can’t protect a computer from is a fake Microsoft technical support phone call scam. These types of scams have been going on for several years but, seem to be increasing in popularity. Criminals are finding that, while more and more people are becoming educated on how to avoid scams on the computer, they are succeeding in scamming people over the phone in to downloading malicious software. Having someone call your house and act like a Microsoft Representative, telling you that your machine is infected and at risk can be pretty alarming. The purpose of these calls is to get an easy $299 (or whatever amount they choose) by scaring you into thinking there’s something really wrong with your computer and that they can fix it for you.

Fortunately, the methods used by some of these criminals to dupe users were recently captured by Jerome Segura, a senior security researcher at anti-malware company Malwarebytes. The video demonstrates the kinds of tactics used by these scammers to trick users into allowing them to remote in to your machine and take it over. Segura played along with the caller and recorded the entire interaction in a YouTube video. These scams usually start off with the alleged Microsoft representative asking you to turn on your computer to perform some checks for errors. They essentially ask you to open different applications which aren’t typically known by regular users, then tell you that the files you are looking at are malicious viruses and spyware. Usually, these are just event log files and/or temp files—neither of which pose any threat to your computers’ security.

I highly recommend watching this video. Pay attention to what the scammers asks Jerome to do and notice how strange the callers are act when he asks questions. And also, just for the record, Microsoft will NEVER call a user to let them know that their machine is infected…NEVER! That’s not how they operate. To avoid being the next victim, don’t ever take a phone call from someone who claims to be from Microsoft tell you that your machine has a problem. And also, make sure that your computer is up-to-date, remove unwanted software and also use a good anti-virus solution.

Stay safe and be skeptical!