Craigslist resume scam spreads Trojan virus

Published February 27, 2015

Reports of "Craigslist résumé" viruses have skyrocketed in recent months. Some of our clients here at New River Computing have unfortunately fallen victim to this recent outbreak. Thankfully, we've been successful at cleaning up the aftermath, but often the remediation process is long and arduous due to the sophistication of the malware.

This particular malware campaign has been enjoying a fair bit of success because the attacks are specifically aimed at businesses that use Craigslist for job recruitment. Cyber-criminals search for job postings, then send a fake response to the ad with the attached résumé (often in the form of a Word document) which serves as the delivery method for the virus. Once the message is read, the user, thinking the sender is a legitimate job applicant, opens the attached “fake résumé” file, triggering the malware to install and compromise the computer. This particular virus associated with this malware campaign is called "Trojan-Downloader:W32/Wauchos."

Deep Dive:

Trojan-Downloader:W32/Wauchos is known to be distributed as disguised executable files attached to spam e-mail messages. If the attachment is run, the malware will attempt to contact multiple remote servers. If successfully contacted, it will then download additional malware onto the system, such as Trojan:W32/Cridex or Trojan-Spy:W32/Zbot.

Words of Wisdom:

No antivirus software can keep businesses 100% safe from all forms of viruses and malware. Unfortunately it takes antivirus companies an average of about six hours to update their malware definitions, once they know about the malware. Recent catch rates from top antivirus software run at best between 80% – 90%. ​This means that user education still remains the BEST first line of defense against malware. Be cautious and NEVER open a file that you aren’t 110% positive is from a trusted source.

Safe Surfing!

The CryptoLocker virus is spreading!!!

Published November 11, 2013

There’s a new type of malware that has been spreading like wildfire over the past couple of months called CryptoLocker. Most security researchers are claiming that this is one of the nastiest and most successful computer viruses ever: CryptoLocker is currently infecting Windows operating systems all across the United States and in other parts of the world. The virus is part of a generically named family of malware called “ransomware,” and its main function is to encrypt your files and “hold them hostage” until you pay a fee to have them decrypted.

How does CryptoLocker infect computers?

The CryptoLocker virus is passed around in emails that include attachments. The criminals send emails claiming to be from well-known companies like UPS, USPS, PayPal or FedEx in order to trick users in to thinking that they are legitimate and safe to open, but of course they aren’t safe at all. Instead, when a user attempts to open up the attachment, the computer becomes infected and the virus locks files on the system until the ransom request is paid. Most often the attachments will be disguised as JPEG images, ZIP files, PDF files and various types Microsoft Office files (mostly Excel and Word documents).

After a computer becomes infected, users are given 100 hours to pay a fee between $100 and $700 to get the files decrypted. The version of the virus that we’ve been seeing on infected machines have been asking $300 dollars for the decryption key. So far, it appears that the virus only encrypts data files with certain extensions, including Microsoft Office, OpenOffice and other documents, pictures, and AutoCAD files.

How to prevent your computer from becoming infected by CryptoLocker

The file paths that have been used by this infection and its droppers are:

• C:\Users\\AppData\Local\.exe (Vista/7/8)
• C:\Users\\AppData\Local\.exe (Vista/7/8)
• C:\Documents and Settings\\Application Data\.exe (XP)
• C:\Documents and Settings\\Local Application Data\.exe (XP)

In order to block the CryptoLocker and Zbot infections, certain Path Rules have to be implemented within the system so that they are not allowed to execute. There is a manual process to create these Software Restriction Policies easily, but thankfully a company called FoolishIT has created a utility called “CryptoPrevent” that automatically adds the appropriate series of Software Restriction Path Policies to a computer in order to prevent CryptoLocker and Zbot from being executed.

If you get an email that includes any type of attachment, use extreme caution and make sure you know who the sender is BEFORE opening it. If you don’t know who the sender is, or if it appears to be from one of the companies mentioned earlier DO NOT OPEN IT!!! Just delete the email. If you start seeing the CryptoLocker demand screen, please shutdown your machine immediately and call your IT administrator for further assistance. If you’re a current New River Computing client, please contact us ASAP if you see the CryptoLocker message on your screen.

Below is an example of what the CryptoLocker demand screen looks like.

How to use the CryptoPrevent Tool

One important feature to make use of in CryptoPrevent is the option to whitelist any existing programs in %AppData% or %LocalAppData%. This is a useful feature as it will make sure the restrictions that are put in place do not affect legitimate applications that are already installed on your computer. To use this feature make sure you check the option labeled Whitelist EXEs already located in %appdata% / %localappdata% before you press the Block button.

It is available from the CryptoPrevent download page.

Once you run the program, simply click on the Block button to add the Software Restriction Policies to your computer. If CryptoPrevent causes issues running legitimate applications, then remove the Software Restriction Policies that were added by clicking on the Undo button.

More Information:

For a detailed analysis of the CryptoLocker virus please check out this excellent Bleeping Computer CryptoLocker article .

Detailed information on the CryptoPrevent tool developed by FoolishIT's CryptoPrevent page.