Published October 05, 2015
Supreme Systems IT put together this infographic about the “most destructive” computer viruses of all-time. It gives a broad overview and history of computer viruses and malicious software.
Published February 27, 2015
Reports of "Craigslist résumé" viruses have skyrocketed in recent months. Some of our clients here at New River Computing have unfortunately fallen victim to this recent outbreak. Thankfully, we've been successful at cleaning up the aftermath, but often the remediation process is long and arduous due to the sophistication of the malware.
This particular malware campaign has enjoyed a fair bit of success because the attacks are specifically aimed at businesses that use Craigslist for job recruitment. Cyber-criminals search for job postings, then send a fake response to the ad with an attached résumé (often a Word document) that serves as the delivery method for the virus. When the message is read, the user, thinking the sender is a legitimate job applicant, opens the attached “fake résumé” file, which triggers the malware to install and compromise the computer. The virus associated with this campaign is called "Trojan-Downloader:W32/Wauchos."
Trojan-Downloader:W32/Wauchos is known to be distributed as disguised executable files attached to spam e-mail messages. If the attachment is run, the malware will attempt to contact multiple remote servers. If successfully contacted, it will then download additional malware onto the system, such as Trojan:W32/Cridex or Trojan-Spy:W32/Zbot.
No antivirus software can keep businesses 100% safe from all forms of viruses and malware. Unfortunately, once antivirus companies know about a new piece of malware, it takes them an average of about six hours to update their malware definitions. Recent catch rates for top antivirus software run at best between 80% and 90%. This means that user education still remains the BEST first line of defense against malware. Be cautious and NEVER open a file that you aren’t 110% positive is from a trusted source.
Published November 11, 2013
There’s a new type of malware that has been spreading like wildfire over the past couple of months called CryptoLocker. Most security researchers are claiming that this is one of the nastiest and most successful computer viruses ever: CryptoLocker is currently infecting Windows operating systems all across the United States and in other parts of the world. The virus is part of a generically named family of malware called “ransomware,” and its main function is to encrypt your files and “hold them hostage” until you pay a fee to have them decrypted.
The CryptoLocker virus is passed around in emails that include attachments. The criminals send emails claiming to be from well-known companies like UPS, USPS, PayPal or FedEx in order to trick users into thinking that they are legitimate and safe to open, but of course they aren’t safe at all. Instead, when a user attempts to open the attachment, the computer becomes infected and the virus locks files on the system until the ransom request is paid. Most often the attachments will be disguised as JPEG images, ZIP files, PDF files and various types of Microsoft Office files (mostly Excel and Word documents).
After a computer becomes infected, users are given 100 hours to pay a fee of between $100 and $700 to get the files decrypted. The version of the virus that we’ve been seeing on infected machines has been asking $300 for the decryption key. So far, it appears that the virus only encrypts data files with certain extensions, including Microsoft Office, OpenOffice and other documents, pictures, and AutoCAD files.
The file paths that have been used by this infection and its droppers are:
In order to block the CryptoLocker and Zbot infections, certain Path Rules have to be implemented within the system so that the malware is not allowed to execute. These Software Restriction Policies can be created manually, but thankfully a company called FoolishIT has created a utility called “CryptoPrevent” that automatically adds the appropriate series of Software Restriction Path Policies to a computer in order to prevent CryptoLocker and Zbot from being executed.
If you get an email that includes any type of attachment, use extreme caution and make sure you know who the sender is BEFORE opening it. If you don’t know who the sender is, or if it appears to be from one of the companies mentioned earlier, DO NOT OPEN IT!!! Just delete the email. If you start seeing the CryptoLocker demand screen, please shut down your machine immediately and call your IT administrator for further assistance. If you’re a current New River Computing client, please contact us ASAP if you see the CryptoLocker message on your screen.
Below is an example of what the CryptoLocker demand screen looks like.
One important feature to make use of in CryptoPrevent is the option to whitelist any existing programs in %AppData% or %LocalAppData%. This is a useful feature as it will make sure the restrictions that are put in place do not affect legitimate applications that are already installed on your computer. To use this feature make sure you check the option labeled Whitelist EXEs already located in %appdata% / %localappdata% before you press the Block button.
It is available from the CryptoPrevent download page.
Once you run the program, simply click on the Block button to add the Software Restriction Policies to your computer. If CryptoPrevent causes issues running legitimate applications, then remove the Software Restriction Policies that were added by clicking on the Undo button.
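The following PowerShell script is an added example of what the Block and Undo steps above do under the hood; it is not New River Computing's or FoolishIT's code. It writes Software Restriction Policy (SRP) path rules directly to the registry: Disallowed rules for EXEs under %AppData% and %LocalAppData%, an Unrestricted rule for every EXE already present there (the equivalent of the whitelist option), and a function that removes only the rules it created. It assumes the standard SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (security level 0 = Disallowed, 262144 = Unrestricted), that user profiles live under the system drive's Users folder, and that it is run from an elevated prompt. The description prefix and function names are the example's own.

```powershell
# Added example (not New River Computing's or FoolishIT's code). Creates SRP path
# rules that block EXEs under %AppData% and %LocalAppData%, whitelists EXEs already
# present there, and can undo its own rules.
# Assumptions: standard SRP registry layout under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, where security
# level 0 = Disallowed and 262144 (0x40000) = Unrestricted; profiles under
# $env:SystemDrive\Users; run from an elevated PowerShell prompt.

$SaferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0
$Unrestricted = 262144
$Tag          = 'AppDataSRP-example'   # description prefix marking rules this script owns

function Initialize-Safer {
    # Ensure the SRP root exists and is enabled for all users. The default level stays
    # Unrestricted so only the explicit Disallowed path rules block anything.
    if (-not (Test-Path $SaferRoot)) { New-Item -Path $SaferRoot -Force | Out-Null }
    Set-ItemProperty -Path $SaferRoot -Name DefaultLevel       -Value $Unrestricted -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name TransparentEnabled -Value 1 -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name PolicyScope        -Value 0 -Type DWord
}

function Add-SaferPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    # Each rule is a GUID-named subkey under <level>\Paths.
    $ruleKey = Join-Path $SaferRoot ("$Level\Paths\{" + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    # ItemData is REG_EXPAND_SZ so %AppData% / %LocalAppData% expand per user at evaluation time.
    New-ItemProperty -Path $ruleKey -Name ItemData    -Value $Path -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags  -Value 0 -PropertyType DWord | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description -Value "$Tag $Description" -PropertyType String | Out-Null
    return $ruleKey
}

function Block-AppDataExecutables {
    Initialize-Safer
    # 1. Whitelist: an Unrestricted rule for every EXE already under each profile's
    #    AppData\Roaming and AppData\Local. SRP gives the more specific (exact path) rule
    #    precedence over a wildcard rule, so already-installed applications keep running.
    $userDirs = Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue
    foreach ($userDir in $userDirs) {
        foreach ($sub in @('AppData\Roaming', 'AppData\Local')) {
            Get-ChildItem -Path (Join-Path $userDir.FullName $sub) -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue |
                ForEach-Object { Add-SaferPathRule -Path $_.FullName -Level $Unrestricted -Description "whitelist $($_.Name)" | Out-Null }
        }
    }
    # 2. Block rules. '*' in an SRP path rule does not cross directory separators, so one
    #    rule is needed per directory depth (here: the folder itself and one level down).
    $patterns = @('%AppData%\*.exe', '%AppData%\*\*.exe', '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe')
    foreach ($pattern in $patterns) {
        Add-SaferPathRule -Path $pattern -Level $Disallowed -Description "block $pattern" | Out-Null
    }
}

function Undo-AppDataExecutables {
    # Remove only the rules this script created (matched by the description prefix),
    # the equivalent of CryptoPrevent's Undo button; other SRP rules are left untouched.
    foreach ($level in @($Disallowed, $Unrestricted)) {
        $pathsKey = Join-Path $SaferRoot "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        Get-ChildItem -Path $pathsKey | Where-Object {
            (Get-ItemProperty -Path $_.PSPath -Name Description -ErrorAction SilentlyContinue).Description -like "$Tag*"
        } | Remove-Item -Recurse
    }
}

# Usage (elevated): Block-AppDataExecutables to apply, Undo-AppDataExecutables to remove.
```

Two points worth knowing before relying on this: the whitelist only covers EXEs that exist at the time the script runs, so software installed into AppData later will be blocked until you add a rule for it or run Undo, and a log-off or reboot is the safest way to be sure every session picks up the new policy.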
For a detailed analysis of the CryptoLocker virus, please check out this excellent Bleeping Computer CryptoLocker article.
Detailed information on the CryptoPrevent tool is available on FoolishIT's CryptoPrevent page.
Published October 13, 2012
ZeroAccess is a very large botnet, infecting millions of computers globally. According to researchers at Sophos Labs, ZeroAccess has been installed on computers over nine million times, with the current number of infected PCs topping out at over 1 million. That is a staggering number. Below are some images that will give you a visual sense of just how widespread the infection is, not only in the United States but globally. The largest numbers of infected computers are found in the USA, Canada and Western Europe.
Map of the United States generated by F-Secure Labs:
Global map generated by Sophos Labs:
Research is showing that the ZeroAccess botnet is currently being used for two main purposes: Click fraud and Bitcoin mining. With the high level of worldwide infections, this particular botnet is capable of making an incredible amount of money: in excess of $100,000 a day.
Since cybercriminals are able to quickly make large sums of money using malware attacks that are getting harder to detect, you can count on the problem becoming much worse before it starts getting better.