kyssling, posted March 23, 2015

Hello, I had a few questions about the Cryptolocker attack ...

a) Cryptolocker encrypts data on all mapped drives? If I have mapped network drives, will they also be encrypted, but only if the user has sufficient rights to override counting?

b) Does it also encrypt a connected flash disk? But if the flash disk is write-protected, I could not at the moment have a chance?

c) If you synchronize your data to DropBox or GoogleDrive, and they are connected, will it also encrypt the data on these cloud storages? Alternatively, do already encrypted files have the same extension (?), and is there therefore a risk that they simply synchronize with the cloud storage, so that some data already synchronized to the cloud is encrypted?

Generally, this is exactly the reason why I wanted to back up data from the NAS via FTP to GoogleDrive / DropBox, which unfortunately does not work without some type of service like Mover, NetDrive ...

Thanks for the answers!
Marcos (Administrator), posted March 23, 2015

I'd say it depends on the particular variants, and what holds true for older or current variants may not hold true for future variants. If a Cryptolocker runs in the account of a user who has write access to a network share that is mapped as a drive, then it would encrypt files in the remote share as well. As for write-protected flash discs, of course if writing is not permitted by hardware means it would not be possible to encrypt files on them. If they are protected somehow by software means, there's still a chance that malware authors would attempt to circumvent the write protection if it paid off. Regarding syncing data with cloud services, if files got encrypted locally then they would also be replaced in the cloud the next time the files were synced.
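The two points in the answer above (a ransomware process inherits the user's write access to mapped shares, and locally encrypted files get pushed to cloud storage on the next sync) can be checked from the defender's side. The following script is an added example and is not from the forum thread or from ESET: it probes which candidate roots (mapped drives, removable media, sync folders) the current account can actually write to, and flags files whose leading bytes have the near-uniform byte distribution of ciphertext, which is what a sync client would upload next. The sample directory and file names it builds are constructed for the demo; real roots such as a mapped drive letter or a Dropbox folder are assumed to be supplied by the operator.

```python
"""
Added example (not from the forum thread or from ESET): audit what a
ransomware process running under the current user could reach, and
whether already-encrypted files are sitting in a folder that syncs.

Check 1: for each root, test real write access by creating and deleting a
         temporary file. os.access() is unreliable on network shares, so
         an actual write attempt is used.
Check 2: walk each root and flag files whose first bytes have Shannon
         entropy close to 8 bits/byte, the signature of encrypted content.
"""
import math
import os
import tempfile
from collections import Counter

HIGH_ENTROPY = 7.5  # bits per byte; encrypted/random data approaches 8.0


def can_write(root: str) -> bool:
    """True if the current account can create and remove a file under root."""
    if not os.path.isdir(root):
        return False
    try:
        fd, name = tempfile.mkstemp(prefix=".write-probe-", dir=root)
        os.close(fd)
        os.remove(name)
        return True
    except OSError:
        return False


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_files(root: str, sample_bytes: int = 4096, min_size: int = 256):
    """Yield (path, entropy) for files whose leading bytes look encrypted."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                if os.path.getsize(path) < min_size:
                    continue  # tiny files give noisy entropy estimates
                with open(path, "rb") as f:
                    head = f.read(sample_bytes)
            except OSError:
                continue  # unreadable file: not our concern here
            entropy = shannon_entropy(head)
            if entropy >= HIGH_ENTROPY:
                yield path, entropy


def audit(roots):
    """Return {root: {"writable": bool, "suspicious": [(path, entropy), ...]}}."""
    report = {}
    for root in roots:
        report[root] = {
            "writable": can_write(root),
            "suspicious": list(suspicious_files(root)) if os.path.isdir(root) else [],
        }
    return report


def make_demo_dir() -> str:
    """Constructed sample data: one plaintext file, one random-content file
    with a renamed extension standing in for an encrypted photo."""
    d = tempfile.mkdtemp(prefix="sync-demo-")
    with open(os.path.join(d, "notes.txt"), "wb") as f:
        f.write(b"the quick brown fox jumps over the lazy dog\n" * 40)
    with open(os.path.join(d, "photo.jpg.locked"), "wb") as f:
        f.write(os.urandom(4096))
    return d


if __name__ == "__main__":
    # Replace with real mapped drives / sync folders, e.g. "Z:\\" or ~/Dropbox.
    roots = [make_demo_dir(), os.path.join(tempfile.gettempdir(), "no-such-share")]
    for root, r in audit(roots).items():
        state = "WRITABLE" if r["writable"] else "read-only or unreachable"
        print(f"{root}: {state}, {len(r['suspicious'])} high-entropy file(s)")
        for path, e in r["suspicious"]:
            print(f"   {e:.2f} bits/byte  {path}")
```

Already-compressed formats (zip, jpeg, mp4, docx) also score near 8 bits/byte, so treat hits as candidates to review, not verdicts; a sudden jump in the number of hits inside a sync folder, or hits on files whose extension changed, is the useful signal. The write-access check is the more important half for the mapped-drive question: any share it reports as writable is inside the blast radius of malware running as that user.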
yongsua, posted March 23, 2015

I have an off-topic question though. May I know what it means when ESET detects the malware as "a variant of ...."? Is that a heuristic detection indicator? How do I know if the detection comes from heuristics instead of a signature? Thank you.
rugk, posted March 25, 2015 (edited)

About the cloud service, I'd like to add that there are many cloud services which also store older versions of a file, so you may also be able to get this older (unencrypted) version.

About your heuristics question: Yes, it's more or less a heuristic detection; it's a generic signature. You can find more information in this somewhat old, but (I think) still valid PDF file: hxxp://static2.esetstatic.com/us/resources/white-papers/Understanding_Heuristics.pdf A normal signature detection is of course without this "a variant of...".

Edit: Because of Marcos' reply - Okay, call them "smart signatures" or DNA signatures - it seems as if it was previously called "generic signature".

Edited March 25, 2015 by rugk
Marcos (Administrator), posted March 25, 2015

> May I know what it means when ESET detects the malware as "a variant of ...."? Is that a heuristic detection indicator? How do I know if the detection comes from heuristics instead of a signature? Thank you.

Heuristic detection would be indicated by the name "NewHeur_PE virus"; however, these are not usually seen nowadays. Instead, smart signatures and DNA signatures are used to cover variants of malware.
yesnoo, posted March 25, 2015

> May I know what it means when ESET detects the malware as "a variant of ...."? Is that a heuristic detection indicator? How do I know if the detection comes from heuristics instead of a signature? Thank you.

> Heuristic detection would be indicated by the name "NewHeur_PE virus"; however, these are not usually seen nowadays. Instead, smart signatures and DNA signatures are used to cover variants of malware.

But smart/DNA signatures are disabled in the setup for real-time protection?
rugk, posted March 25, 2015 (edited)

> But smart/DNA signatures are disabled in the setup for real-time protection?

Yes, that's quite strange... However, I think these kinds of signatures are also used there. There is not even a checkbox in the ThreatSense settings regarding the "traditional" virus signatures, so this is a bit confusing. But maybe they are just always used and you can't deactivate them.

Edited March 25, 2015 by rugk
SweX, posted March 25, 2015

> May I know what it means when ESET detects the malware as "a variant of ...."? Is that a heuristic detection indicator? How do I know if the detection comes from heuristics instead of a signature? Thank you.

> Heuristic detection would be indicated by the name "NewHeur_PE virus"; however, these are not usually seen nowadays. Instead, smart signatures and DNA signatures are used to cover variants of malware.

> But smart/DNA signatures are disabled in the setup for real-time protection?

Yes, as they can affect system performance in some cases on some systems, but users can of course enable them for real-time scanning as well if they want to. But they are enabled by default for "on execution", which IMO is enough.

We also have the "probably a variant of..." detections that I see sometimes. I have always thought that they were some type of heuristic/behaviour detection due to the name "probably", but I might be wrong, Marcos?
yongsua, posted March 26, 2015

ESET heuristics indeed have very good detection on new variants of malware. However, IMHO, I do believe that no AV can really detect a wholly newly created malware, since it is something out of the knowledge of the AV; this is where human analysis is needed to "teach" the AV.
yesnoo, posted March 26, 2015

> May I know what it means when ESET detects the malware as "a variant of ...."? Is that a heuristic detection indicator? How do I know if the detection comes from heuristics instead of a signature? Thank you.

> Heuristic detection would be indicated by the name "NewHeur_PE virus"; however, these are not usually seen nowadays. Instead, smart signatures and DNA signatures are used to cover variants of malware.

> But smart/DNA signatures are disabled in the setup for real-time protection?

> Yes, as they can affect system performance in some cases on some systems, but users can of course enable them for real-time scanning as well if they want to. But they are enabled by default for "on execution", which IMO is enough. We also have the "probably a variant of..." detections that I see sometimes. I have always thought that they were some type of heuristic/behaviour detection due to the name "probably", but I might be wrong, Marcos?

Ok, thanks for the info.
SweX, posted March 31, 2015

> We also have the "probably a variant of..." detections that I see sometimes. I have always thought that they were some type of heuristic/behaviour detection due to the name "probably", but I might be wrong, Marcos?

Marcos? What is the difference (if any) between these detections?

1. "a variant of....."
2. "probably a variant of....."

Thank you.
rugk, posted March 31, 2015

Great question, @SweX. I have never thought about it, but it may be interesting to know this.
Marcos (Administrator), posted March 31, 2015

"A variant of..." is reported on malware that is very similar to the one from which a signature was made, while "probably a variant of..." is less similar.
rugk, posted March 31, 2015 (edited)

Ah okay. Comprehensible...

Edited March 31, 2015 by rugk
SweX, posted April 1, 2015 (edited)

Ah I see, thank you.

@rugk, yes, I thought it would be great to know, as I wasn't sure about it even after all these years of using the products.

Edited April 1, 2015 by SweX
rugk, posted April 1, 2015 (edited)

Yeah, SweX, no problem. (Do you mean "years of using the product"?) Sometimes there is such a simple answer behind a mystery, so it's good to know that it's so easy to explain.

Edit: Okay, SweX's post is corrected now.

Edited April 1, 2015 by rugk
SweX, posted April 1, 2015 (edited)

> Yeah, SweX, no problem. (Do you mean "years of using the product"?) Sometimes there is such a simple answer behind a mystery, so it's good to know that it's so easy to explain.

Yes, that's what I mean. (I edited my post so it makes sense now.) Yes, especially since it wasn't what I thought it was. But now we know for sure.

Edited April 2, 2015 by SweX
khairulaizat92, posted April 2, 2015

Another victim has fallen to the crypto; I wonder how they got it in the first place. Maybe less education on safety on the internet, anyway. The victim also posted the payment page he was redirected to. Who knows, maybe it is useful to somebody in the research of Cryptolocker. Here is the link: hxxp:// 7oqnsnzwwnm6zb7y.icepaytor.com/m97wtQ