MrWrighty 6 Posted October 22, 2013 Posted October 22, 2013 One of our users opened an email supposedly containing a voicemail but was in fact and executable. He says it did not run it, but this morning a different user was unable to open a range of .doc and .xls files in a mapped drive. I managed to restore the folder from a shadow copy. It turns out that the original user had unleashed CyrptoLocker on the network and a random named bitmap I found on his desktop informed me of what had happened. His laptop has had a large number of malicious hits and Eset has picked them up, but I am concerned as to how easy it was for this CrtyptoLocker to run and effectively avoid detection. The Laptop is running version 5.0.2126 of Eset AntiVirus
Arakasi 549 Posted October 22, 2013 Posted October 22, 2013 (edited) If the threat came down in an email, was the user utilizing a software mail client like Outlook? I would check that Eset is setup to monitor mail traffic and the plug in is loaded in the mail client. I am pretty sure Eset would have caught and flagged this ransomware if it was email or attachment and plug in loaded with definitions up to date. Is your version 5 a valid license ? I would strongly recommend upgrading to a stricter version 7 If yer sub is good you should have up to date definitions. I would suspect if it got thru the mail client , and hopped to a network drive, im not sure if ESET would be watching that mapped drive as closely as your own system. The hosted server should of caught it at that point. Server have Eset endpoint installed ? Edited October 22, 2013 by Arakasi
Arakasi 549 Posted October 22, 2013 Posted October 22, 2013 Mr wrighty ; another thread for you : https://forum.eset.com/topic/1085-files-corrupted-by-unidentified-virus-server-protected-with-nod32/ Last post suggests a policy edit. I know most large networks with exchange block archives and exes in mail. May be something to look into.
Administrators Marcos 5,455 Posted October 22, 2013 Administrators Posted October 22, 2013 I'd add that Endpoint should have blocked this downloader since yesterday, 15:30 GMT.
MrWrighty 6 Posted October 22, 2013 Author Posted October 22, 2013 Hi All thanks for the update We have a current subscription and our Virus signatures are updated 3 or 4 times a day. Marcos, the damage I believe happen on Friday last week so yesterday would have been too late. We Have Eset Endpoint AV on the clients and Eset Endpoint File Server Security on our SBS2011 server and our Server 2003 SQL Server. The treat came via an email through Outlook 2010. Outlook has the Eset plugin installed and running, and Eset. Arakasi, what is this version 7 you mention, Eset only goes to 5.0.2214
Janus 210 Posted October 22, 2013 Posted October 22, 2013 (edited) Hello MrWrighty It was a tiny "slip" from Arakasi :-)). Version 7 belong to home editions, and you are right, Version 5.0.2214 is the latest in Eset endpoint security. Regards, Janus Edited October 22, 2013 by Janus
ESET Insiders PodrskaNORT 17 Posted October 22, 2013 ESET Insiders Posted October 22, 2013 @MrWrighty Without access to logs I can not claim this, but - I *think* that an e-mail contained just a link, customer clicked on the link which opened web page with Java exploit that allows download and execution of .exe file; that exe encrypted files (could be any of dozens of perfectly legal utilities); it could also download an additional .exe which overwrote original documents (again, this could be one of hundreds perfectly legal tools for secure deleting files). So *i believe* there was no malware in game at all - just plain old application-exploit attack, which IMHO usually have the nastiest payload than malware. Should other types of security software be as effective as antivirus, it would be much prettier world :-) Maybe you could check browser history and/or logs, mail logs, etc. for further details. Upgrade Java, all browsers and applications! Tomo
MrWrighty 6 Posted October 22, 2013 Author Posted October 22, 2013 @MrWrighty Without access to logs I can not claim this, but - I *think* that an e-mail contained just a link, customer clicked on the link which opened web page with Java exploit that allows download and execution of .exe file; that exe encrypted files (could be any of dozens of perfectly legal utilities); it could also download an additional .exe which overwrote original documents (again, this could be one of hundreds perfectly legal tools for secure deleting files). So *i believe* there was no malware in game at all - just plain old application-exploit attack, which IMHO usually have the nastiest payload than malware. Should other types of security software be as effective as antivirus, it would be much prettier world :-) Maybe you could check browser history and/or logs, mail logs, etc. for further details. Upgrade Java, all browsers and applications! Tomo As far as I can tell, it was an email that supposedly contained a voicemail which was zipped, then the user clicked on the content thinking they were going to listen to a voicemail but instead ran the exe. I have implemented the Group Policy Exe lockdown as suggested by Arakasi to see if that helps.
Arakasi 549 Posted October 22, 2013 Posted October 22, 2013 Sorry wasnt sure if you had endpoint on client desktops or not.
Administrators Marcos 5,455 Posted October 23, 2013 Administrators Posted October 23, 2013 Marcos, the damage I believe happen on Friday last week so yesterday would have been too late. I was referring to the latest variant spammed under the name voice*.exe. It was blocked within a few minutes after it was first reported via LiveGrid, long before other AVs did. A detection for another Voice_Mail_Message.exe variant was added in update 8935 (20131018), released on Friday, 12:35 CET. The best would be if we could get the file from your quarantine to find out when the detection was exactly added and when ESET's products started blocking it.
Arakasi 549 Posted October 24, 2013 Posted October 24, 2013 (edited) Live grid is awesome. " ...before other AV's did" I just manually cleaned this exact virus off a clients computer today ! Very easy to remove. Recovering the data..... not so easy haha *They had backups though. Backup, backup, backup ...... or else ..... Edited October 24, 2013 by Arakasi
DGMurdockIII 1 Posted October 27, 2013 Posted October 27, 2013 (edited) hxxp://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information info on cryptolocker from bleeping computer more info on the virus here lots lots lots lots lots lots more for eset hxxp://www.reddit.com/r/sysadmin/comments/1mizfx/proper_care_feeding_of_your_cryptolocker/ Edited October 27, 2013 by DGMurdockIII
RNFolsom 5 Posted October 30, 2013 Posted October 30, 2013 The odd thing about the CryptoLocker experiences described here is that no one has reported that CryptoLocker is a virus (maybe I should use a broader term) that encrypts a large variety of documents AND offers to decrypt the documents after payment.My information source is the Windows Secrets Newsletter (to which I subscribe), Thursday 24 October 2013, in an article by Susan Bradley (a regular contributor to the newsletter). But the article is available at Windows Secrets Lounge, where it can be read (and probably downloaded or at least copied) by Windows Secrets subscribers and by anyone else, at:hxxp://windowssecrets.com/top-story/cryptolocker-a-particularly-pernicious-virus/Ms. Bradley's judgment is that "AV software probably won't protect you." She then lists a set of actions to reduce the risk, probably with at least some information overlap with the links given here in the preceding post.I am following her suggestion to backup data frequently, to an external disk that is not connected to my computer, except when receiving backups (and, I would add, internet access is temporarily turned off, so new malicious emails can't arrive during the backup). I'm doing daily backups.My next step is to prevent Windows7 from automatically opening zip files. I don't think I have any other zip-opening programs on my computer, but I will do a search for famous programs such as WinZip.Ms. Bradley reports that "Some users have paid the ransom and, surprisingly, were given the keys to their data. (Not completely surprising; returning encrypted files to their owners might encourage others to pay the ransom.) This is, obviously, a risky option. But if it's the only way you might get your data restored, use a prepaid debit card — not your personal credit card. You don't want to add the insult of identity theft to the injury of data loss."In my opinion, her article is worth reading, as are the sources in the preceding post.I am running Eset NOD32 v6.0.316.0. I hope that Eset's new v7.x will be able to deal with CryptoLocker. Preventing encryption might be one way to do it --- but that's just a guess by someone (me) who is not a computer programmer.R.N. (Roger) Folsom
Arakasi 549 Posted October 30, 2013 Posted October 30, 2013 (edited) Roger. Its good that your interested. Backing up data is paramount these days. Offsite backup or cloud back up are best options. Here is a quick rule of thumb on defense. You can encrypt your drive yourself using bitlocker or a third party like truecrypt or my personal favorite Pointsec. If your data is already encryted, the cryptolocker wont be able to encrypt over the top. As far as software defensive , Eset will detect and block certain variants of cryptolocker already. Afaik the carrier method by email or website thats common is a flag, usually jscript is involved and the method of delivering the payload is also blocked by Eset. I think im on par but please wait for an official response from ESET on the defense against crypto in their product. You must have up to date definitions, an expired lincense will not be up to date. Edited October 30, 2013 by Arakasi
ESET Moderators Aryeh Goretsky 394 Posted October 30, 2013 ESET Moderators Posted October 30, 2013 Hello, Here is the write-up on the most prevalent version of Cryptolocker (or at least, what was the most prevalent version as of a few days ago--I haven't checked to see what the latest stats are): ESET Virus Radar - Win32/FileCoder.BQ Description There have also been several recent posts about CryptoLocker and ransomware in general on ESET's We Live Security blog: New ransomware uses webcam and Homeland Security threat to scare victims Remote Desktop (RDP) Hacking 101: I can see your desktop from here! Filecoder: Holding your data to ransom Nymaim: Browsing for trouble Don’t pay up! How to avoid ransomware threats – and how to fight back These should help with both general aware of this class of threat, as well specific information about malware family in question. Ms. Bradley (aka "Mom") is correct in that Cryptolocker is not a virus (e.g., a recursively-replicating program that can create a (possibly evolved) copy of itself), but rather it is broadly categorized as a trojan horse (or simply "trojan," for short, these days) with a subclassification as ransomware. These days, perhaps around 10% (or slightly less) of the malware anti-malware companies see on a daily basis is actually viral in nature. The majority are various kinds of trojans, and that is something that anti-malware software does protect against. However, the criminals behind these ransomware schemes are diligent about updating their malicious code to avoid detection, so the race is always on, as my colleague Marcos noted, to update anti-malware software to protect against this class of threats. Interestingly enough, ransomware is not a particularly new scheme, but rather a very old one dating back to the earliest days of computer viruses, worms and trojans--the late 1980s--and I actually wrote up a bit about my experience with the the very first piece of ransomware, the AIDS Introductory Information Trojan House, which occurred in 1989, here (PDF, 980KB), starting around page 5. It sounds like your precautions are reasonable, especially with regards to backups, however, I'd just like to provide a reminder that you should periodically test backups by restoring some (or even all) data, preferably to a different machine, in order to verify they work. For more information, well, we also happen to have a paper (PDF, 861KB) on backups, too. Regards, Aryeh Goretsky The odd thing about the CryptoLocker experiences described here is that no one has reported that CryptoLocker is a virus (maybe I should use a broader term) that encrypts a large variety of documents AND offers to decrypt the documents after payment. My information source is the Windows Secrets Newsletter (to which I subscribe), Thursday 24 October 2013, in an article by Susan Bradley (a regular contributor to the newsletter). But the article is available at Windows Secrets Lounge, where it can be read (and probably downloaded or at least copied) by Windows Secrets subscribers and by anyone else, at: hxxp://windowssecrets.com/top-story/cryptolocker-a-particularly-pernicious-virus/ Ms. Bradley's judgment is that "AV software probably won't protect you." She then lists a set of actions to reduce the risk, probably with at least some information overlap with the links given here in the preceding post. I am following her suggestion to backup data frequently, to an external disk that is not connected to my computer, except when receiving backups (and, I would add, internet access is temporarily turned off, so new malicious emails can't arrive during the backup). I'm doing daily backups. My next step is to prevent Windows7 from automatically opening zip files. I don't think I have any other zip-opening programs on my computer, but I will do a search for famous programs such as WinZip. Ms. Bradley reports that "Some users have paid the ransom and, surprisingly, were given the keys to their data. (Not completely surprising; returning encrypted files to their owners might encourage others to pay the ransom.) This is, obviously, a risky option. But if it's the only way you might get your data restored, use a prepaid debit card — not your personal credit card. You don't want to add the insult of identity theft to the injury of data loss." In my opinion, her article is worth reading, as are the sources in the preceding post. I am running Eset NOD32 v6.0.316.0. I hope that Eset's new v7.x will be able to deal with CryptoLocker. Preventing encryption might be one way to do it --- but that's just a guess by someone (me) who is not a computer programmer. R.N. (Roger) Folsom
siljaline 57 Posted November 6, 2013 Posted November 6, 2013 From US Cert https://www.us-cert.gov/ncas/alerts/TA13-309A
Arakasi 549 Posted November 6, 2013 Posted November 6, 2013 Apparently you can just use EFS on some of your more important docs and put the key somewhere else and be shielded from crypto. You could turn this on and off at will when checking emails if according to US Cert its the majority attack vector.
bob ford 0 Posted November 13, 2013 Posted November 13, 2013 However, Sandboxie, our old friend Sandboxie, is effective in containing CryptoLocker. It's been verified that, if you were to put your email client and your web browser in Sandboxie, if you were to Sandboxie those two things, and we've talked about - we did a podcast on Sandboxie [sN-172]. Anybody could, like, google "Sandboxie Security Now!," I'm sure you'll find it, or go to GRC.com/sn, and I've got a search field that I pay Google handsomely for, and put Sandboxie in, and you'll find the podcast where we explain it. What happens is, if you get a CryptoLocker infection through email or web browsing, and you have employed Sandboxie, then an encrypted copy of your files are created in the sandbox, but nothing gets out of the sandbox. So your original files are all fine. And all you do is empty the sandbox, and CryptoLocker and all of its damage it tried to do is gone.
siljaline 57 Posted November 14, 2013 Posted November 14, 2013 Please see: ESET KB hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3433 Does ESET protect me from Filecoder (CryptoLocker) malware?And: hxxp://www.virusradar.com/en/Win32_Filecoder.BQ/descriptionESET is constantly updating it's virus signature database on emerging threats.
Recommended Posts