Ransomware – a real and present danger

A few weeks ago, I had one of our clients open an email from a legitimate sender that contained a .zip file.

This wasn’t exactly normal correspondence, but it also wasn’t unusual to be contacted via email by this contact.

Shortly after, I was called and informed it appeared they had a virus. They said a strange pop-up warning message came up and they couldn’t get rid of it.

“Please don’t click anything anymore,” I replied. I asked if it resembled their antivirus alerts or had any reference to their web filter. They told me that less than a minute after the .zip file was opened, they got the 72-hour countdown screen from CryptoLocker stating that they needed to purchase the $300 encryption key or all data would be encrypted and useless.

I told the person to unplug the PC from the network and cut off the power. They would have to work from another station until we could send over someone to take care of it.

I walked out with the infected piece of hardware under my arm.

I got back to my office and started researching CryptoLocker while I allowed scans on the machine with no network connections. I downloaded the latest version of Malwarebytes to an empty flash drive and loaded that to the machine as the first scan finished with no results. I started a full system scan with Malwarebytes and went back to researching what I could about this particular virus, and testing nodes of shared files and drives.

It looked like it favors user-modified documents with MS Office, Adobe, and .txt type extensions. I followed file paths he had rights to and, BAM, every single document would produce the same error message: “This file cannot be opened because the file format or file extension is not valid. Verify that the file has not been corrupted and that the file extension matches the format of the file.”

If I forced a file to display contents it was a massive garbled mess of displayed encryption. I had to restart the Malwarebytes scan two times before I decided it was a waste of time. I needed to re-image the machine and move on to backups.

In that short amount of time while the machine was connected to the network, it had infected all of the documents on the PC and nearly 80 percent of the public drive the user had read/write access to, which was highly relied upon by employees of all types at that client.

This being Monday, I decided to restore from Friday. I wanted to skip any chance of reviving a virus I presumed dead on this one machine and stopped all current backup tasks.

I ended up copying the 214Gb backup file to a different location and gave a new service account access to it. It worked. I was able to browse the backup file tree and restore the portion that was corrupt.

All in all, the ransomware spread incredibly fast and all documents, be they Office file types, .txt or .pdf, were unreadable even if they did open. Lesson to everyone – pull that computer off the internet and network as soon as you can. Otherwise everything on the network drives and in cloud storage gets encrypted and is destroyed.
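The two symptoms above, the “file extension is not valid” error and the garbled contents, are the same observable fact: the bytes no longer match what the extension promises. The Python script below, added here as an example and not part of the original post, checks a share for that mismatch (magic bytes for Office/PDF, an entropy check for .txt) against a constructed sample directory; the entropy threshold, the sample files and the `enc_` naming are assumptions.

```python
import math
import os
import tempfile
from collections import Counter

# Bytes a healthy file of each extension starts with: Office 2007+ documents
# are ZIP containers ("PK\x03\x04"), PDFs begin with "%PDF".
EXPECTED_MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pdf": b"%PDF"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text is roughly 4-5, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path: str, sample_size: int = 4096) -> bool:
    """True when the extension promises a format the leading bytes do not deliver."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if ext in EXPECTED_MAGIC:
        return not head.startswith(EXPECTED_MAGIC[ext])
    if ext == ".txt":
        return shannon_entropy(head) > 7.0  # assumed threshold: text never gets this high
    return False  # unknown type: no opinion

def scan_share(root: str) -> list:
    """Relative paths of failing documents; a sudden jump in this count is the cue to pull the cable."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if looks_encrypted(path):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def build_sample_share() -> str:
    """Constructed data: three healthy documents plus random-byte twins standing in for encrypted ones."""
    root = tempfile.mkdtemp()
    healthy = {"memo.txt": b"Quarterly figures attached, review by Friday.\n" * 40,
               "report.docx": b"PK\x03\x04" + b"\x00" * 200,
               "invoice.pdf": b"%PDF-1.4\n%fake body\n"}
    for name, body in healthy.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
        with open(os.path.join(root, "enc_" + name), "wb") as fh:
            fh.write(os.urandom(4096))  # stands in for CryptoLocker output
    return root
```

Run `scan_share` on a real share from a scheduled task and alert on the count rising between runs; a single hit is usually a corrupt file, dozens within minutes are ransomware.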


Remote Controlled: Mobile Backdoor Spotted

Reports of a smartphone botnet with over a million bots confirm how varied mobile threats have become. The fact that this malware can avoid detection and lead to further infections makes the discovery more troubling.

Access Through Fake Apps

Malware like ANDROIDOS_KSAPP.A came from a third-party app store, repackaged as gaming apps. Once installed, these malicious apps download and analyze a script from remote sites. This script contains commands that a remote attacker can execute on the affected device. The malicious apps can also make devices vulnerable to further infection via notifications and pop-up windows that prompt you to install other, possibly malicious, files.

More Sophisticated Malware

What makes this particular malware notable is its ability to analyze the downloaded script and equip itself with new ones. It can update its script to avoid antimalware detection. This behavior makes it more complex than the typical Android malware with backdoor capabilities.

These refined routines follow on from a mobile trend we saw last year: starting with social-engineering baits, cybercriminals have since added newer attack methods. The discovery of this malware indicates that cybercriminals are continuously creating more complex malware to prey on mobile users like you.

Protecting Your Devices

Protect your mobile devices by scrutinizing each app before you download and install it. Cybercriminals often spoof popular apps to trick you into downloading malware. Reading app descriptions and reviews can help you sort legitimate apps from suspicious ones.

Installing a security app, if available, adds another layer of protection to your mobile device. Android devices have a good selection of security apps. iDevices have fewer options due to Apple’s reluctance to allow third-party developers to offer solutions. We believe this will change this year. The threats are growing and manufacturers need partners to ensure security. As Windows phones gain market share, solutions will be available for them as well.

New, sneakier Flashback malware infects Macs

A new, sneakier variant of the Flashback malware was uncovered yesterday by the French security firm Intego.

Flashback.S, which Intego described Monday, uses the same Java vulnerability as an earlier version that has infected an estimated 820,000 Macs since its appearance and still plagues over 600,000 machines.

But unlike Flashback.K, the variant that first surfaced last month and has caused consternation among Mac users, Flashback.S never asks the victim to enter an administrative password for installation, but instead relies only on the silent exploit of the Java bug to sneak onto the system.

Flashback.K used different infection tactics: Even though it exploited the same Java vulnerability — identified as CVE-2012-0507 — it also displayed the standard OS X password-request dialog. If users entered their password, the malware installed itself in a different location, where it was even harder to detect.

The hackers responsible for Flashback appear to be making money through click fraud, where large numbers of people are redirected to online ads not normally served by the site the user is viewing. The criminals receive kickbacks from shady intermediaries for each ad clicked.

The Java flaw used by both Flashback.S and the earlier Flashback.K was patched by Oracle in mid-February, but Apple, which maintains its own edition of Java for OS X and so is responsible for patching Java bugs, did not issue its fix until April 3, seven weeks later.

Users are infected by Flashback.S when they browse to compromised or malicious sites; the tactic is called a “drive-by” to reflect the lack of required user action beyond steering to a URL.

Because Flashback.S uses different names for the files it drops on a Mac, and installs those files in a different location than Flashback.K, it’s possible that the malware seek-and-destroy tool Apple released April 12 won’t eradicate the variant.

It wouldn’t be a surprise if Apple’s tool did not eliminate Flashback.S: Last year, cyber criminals and Apple went several rounds over MacDefender, a family of fake antivirus programs that wriggled onto a large number of Macs. Several times, the hackers responded to Apple moves by modifying their tactics or code to sidestep just-deployed defenses.

Flashback is easily the most widespread and pernicious malware Mac owners have yet faced.


Ten Ways to Dodge CyberBullets, Part 8

8. Antivirus isn’t total security

This is the eighth in a series updating the top 10 things people can do to protect themselves against malicious activity, which we provided to our clients two years ago.

Don’t expect antivirus alone to protect you from everything.

Use additional measures such as a personal firewall, antispam and anti-phishing toolbars, but be aware that there is a lot of fake security software out there. This means that you need to take care to invest in reputable security solutions, not malware that claims to fix nonexistent problems, or toolbars that are designed to divert you away from the sites you want to visit and toward the ones that generate revenue for adware providers.

Apart from that, even the best protection might not protect you as well as common sense and caution do. There is no silver bullet in protection against malware, which is why we always advocate multilayering or defense in depth. Specifically, don’t fall for the “I can do anything and click on anything because my antivirus will protect me” trap. There seems to be a temptation for people to cluster at one of two extremes.

  • Some people have such touching faith in their AV that they assume it will catch everything malicious that’s thrown at their system, so they don’t run anything else and are convinced that they don’t need to think about their own security. When they eventually find that their system has been infected, whether it’s by something they’ve clicked on incautiously or something a little more subtle like a zero-day vulnerability or a drive-by download, they feel betrayed and angry. That’s understandable, but it comes from a misunderstanding of the limitations of all security software. For every technical solution (not just AV), there is at least one way of getting around it.
  • Others take the view that antivirus is no use at all because it “only detects malware it already knows about.” That isn’t the case; only the most primitive modern antimalware relies purely on signatures of known malware variants. Good antimalware products incorporate tools like generic detection, advanced heuristics, sandboxing, whitelisting and so on into an integrated product that catches a high percentage of all malware, not just viruses.

The danger in both scenarios is that the individual is tempted to substitute one partially successful solution for another. (Some marketing departments may overstate the effectiveness of a product, but that isn’t a problem restricted to the antimalware industry, or even the security industry!)

The trick is not to rely solely on one solution at all. A diverse spread of partially successful solutions may be more successful… However, note that word diverse. For most people, half a dozen antivirus packages on a single desktop machine are likely to cause more problems than they solve… By multilayering, I mean using a diversity of product types. Using multiple antivirus products may catch more specific malicious programs, but the increased detection may not be worth the additional strain on resources and risk of program conflicts, false positives and so on.

Also, please bear in mind that malware gangs spend a lot of development time tweaking binaries so that they will evade specific scanners. The more effective a scanner is, the likelier it becomes that it will be targeted in this way.

This is why we recommend supplementing your antivirus program with two malware scanners – Malwarebytes and Spybot Search &amp; Destroy. Both are free to use, but the free versions require manual updates and manual scanning. Only the paid versions offer automatic updates and scanning.