Jump to content

Archived

This topic is now archived and is closed to further replies.

kyssling

Cryptolocker - few questions ....

Recommended Posts

Hello,
I had a few questions about the Cryptolocker attack  ...
a) Cryptolocker encrypts data on all mapped drives? If I have a mapped network drives will they also encrypt, but
only if the user has sufficient rights to override counting ?
b) Encrypts and connected flashdisc ? But if the flashdisc write- protected I count not at the moment have a chance?
c) If you synchronize your data to DropBox or GoogleDrive, I suddenly connected so will encrypt on these cloud storage?
Alternatively, at the moment already encrypted files have the same extension (?) And therefore a risk that simply synchronize with cloud storage and cloud are already some synchronized data encrypted?

Generally, this is exactly the reason why I wanted to back up data from the NAS via FTP to GoogleDrive / DropBox via FTP, which unfortunately does not go without any type services Mover, NetDrive ...

Thanks for the answers!

Share this post


Link to post
Share on other sites

I'd say it depends on particular variants and what holds true for older or current variants may not hold true for future variants. If a Cryptolocker runs in the account of a user who has write access to a network share that is mapped as a drive, then it would encrypt files in the remote share as well.

As for write-protected flash discs, of course if writing is not permitted by hw means it'd not be possible to encrypt files on them. If they are protected somehow by software means, there's still chance that malware authors would attempt to circumvent write protection if it'd pay off.

Regarding syncing data with cloud services, if files got encrypted locally then they would also be replaced in cloud the next time the files were synced.

Share this post


Link to post
Share on other sites

I have a off-topic question though. May I know what does it mean when ESET detects the malware as "a variant of ...."? Is that a heuristic detection indicator? How do I know if the detection comes from heuristic instead of signature? Thank You.

Share this post


Link to post
Share on other sites

About the cloud service I'd like to add that there are many cloud services which also store older versions of a file, so you maybe would also be able to get this older (unencrypted) version.

 

About your heuristics question: Yes it's more or less a heuristic detection, it's a generic signature. More information you can find in this a bit old, but (I think) still valid PDF file: hxxp://static2.esetstatic.com/us/resources/white-papers/Understanding_Heuristics.pdf

 

A normal signature detection is of course without this "a variant of...".

 

Edit: Because of Marcos reply - Okay call them "smart signatures" or DNA signatures - it seems as it was previously called "generic signature".

Share this post


Link to post
Share on other sites

May I know what does it mean when ESET detects the malware as "a variant of ...."? Is that a heuristic detection indicator? How do I know if the detection comes from heuristic instead of signature? Thank You.

 

Heuristic detection would be indicated by the name "NewHeur_PE virus", however, these are not usually seen nowadays. Instead, smart signatures and dna signatures are used to cover variants of malware.

Share this post


Link to post
Share on other sites

 

May I know what does it mean when ESET detects the malware as "a variant of ...."? Is that a heuristic detection indicator? How do I know if the detection comes from heuristic instead of signature? Thank You.

 

Heuristic detection would be indicated by the name "NewHeur_PE virus", however, these are not usually seen nowadays. Instead, smart signatures and dna signatures are used to cover variants of malware.

 

But smart/dna signatures are disabled in the setup for realtime protection?

Share this post


Link to post
Share on other sites

 But smart/dna signatures are disabled in the setup for realtime protection?

Yes, that's quite strange... :wacko:

 

However I think these kind of signatures are also used there. There is even no checkbox in the ThreatSense settings regarding the "traditional" virus signatures, so this is a bit confusing. But maybe they are just always used and you can't deactivate them.

Share this post


Link to post
Share on other sites

 

 

May I know what does it mean when ESET detects the malware as "a variant of ...."? Is that a heuristic detection indicator? How do I know if the detection comes from heuristic instead of signature? Thank You.

 

Heuristic detection would be indicated by the name "NewHeur_PE virus", however, these are not usually seen nowadays. Instead, smart signatures and dna signatures are used to cover variants of malware.

 

But smart/dna signatures are disabled in the setup for realtime protection?

 

Yes, as they can affect the system performance in some cases on some systems, but users can of course enable them for real-time scanning as well if they want to. But they are enabled by default for "on execution" which IMO is enough.

 

We also have the "probably a variant of..." detections that I see sometimes. I have always thought that they were some type of heur/behavior detection due to the name "probably" but I might be wrong, Marcos ?

Share this post


Link to post
Share on other sites

ESET heuristic indeed has very good detection on new variants of malware. However, IMHO, I do believe that no AV can really detect a wholly and newly created malware since it is something out of the knowledge of the AV, this is where human analysis is needed to "teach" the AV.

Share this post


Link to post
Share on other sites

 

 

 

May I know what does it mean when ESET detects the malware as "a variant of ...."? Is that a heuristic detection indicator? How do I know if the detection comes from heuristic instead of signature? Thank You.

 

Heuristic detection would be indicated by the name "NewHeur_PE virus", however, these are not usually seen nowadays. Instead, smart signatures and dna signatures are used to cover variants of malware.

 

But smart/dna signatures are disabled in the setup for realtime protection?

 

Yes, as they can affect the system performance in some cases on some systems, but users can of course enable them for real-time scanning as well if they want to. But they are enabled by default for "on execution" which IMO is enough.

 

We also have the "probably a variant of..." detections that I see sometimes. I have always thought that they were some type of heur/behavior detection due to the name "probably" but I might be wrong, Marcos ?

 

Ok, thanxx for the info.

Share this post


Link to post
Share on other sites

We also have the "probably a variant of..." detections that I see sometimes. I have always thought that they were some type of heur/behavior detection due to the name "probably" but I might be wrong, Marcos ?

 

Marcos ?

 

What is the difference (if any) between these detections ?

 

1. "a variant of....."

 

2. "probably a variant of....."

 

Thank you.

Share this post


Link to post
Share on other sites

Great question, @SweX. I have never thought about it but it may be interesting to know this.

Share this post


Link to post
Share on other sites

"A variant of..." is reported on malware that is very similar to the one from which a signature was made while "probably a variant of..." is less similar.

Share this post


Link to post
Share on other sites

Ah okay. Comprehensible... :D

Share this post


Link to post
Share on other sites

Ah I see, thank you.  :)

 

@rugk, Yes, I thought it would be great to know, as I wasn't sure about it even after all these years of using the products.  :D

Share this post


Link to post
Share on other sites

Yeah, SweX, no problem. (Do you man "years of using the product"?) Sometimes there is such a simple answer behind a mystery ;), so it's good to know that it's so easy to explain.

 

Edit: Okay, SweX' post is corrected now.

Share this post


Link to post
Share on other sites

Yeah, SweX, no problem. (Do you man "years of using the product"?) Sometimes there is such a simple answer behind a mystery ;), so it's good to know that it's so easy to explain.

Yes, that's what I mean  :D  ;) . (I edited my post so it makes sense now.)

 

Yes, especially since it wasn't what I thought it was. But now we know for sure  :)

Share this post


Link to post
Share on other sites

Another victim fallen to the crypto, i wonder how did they get it in the first place, Maybe less education on safety on the internet anyway.

 

Victim also posted the payment page where he has been redirect to. Who knows maybe it usefull to somebody in the research of cryptolocker.
 

here the link:

 

hxxp:// 7oqnsnzwwnm6zb7y.icepaytor.com/m97wtQ

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...