A novel approach to crimefighting...
I'm sure they can solve other crimes by handing the criminals wads of money too. Think of the reduction in burglary if they just paid everyone thinking of doing a B&E job.
Massachusetts cops have admitted paying a ransom to get their data back on an official police computer infected with the devilish Cryptolocker ransomware. Cryptolocker is a rather unpleasant strain of malware, first spotted in August, that encrypts documents on the infiltrated Windows PC and will throw away the decryption key …
Equally embarrassing for the police to admit they had no other way of recovering the data. Hopefully the "investigation" will cover backups and user training/discipline.
And the best possible publicity for the CryptoLocker villains - being able to cite the police as a reference site. "See, you can trust us to restore your data - as soon as you pay the Idiot Tax"
@ "Yet Another Anonymous coward" & tfewster
I think they were maybe chasing the paper trail, but it is strange how things like this just give them another reason to kill bitcoin, and any other "anonymous" money transfer, and anyway these things make it easier for these "LICE" that export "cryptolocker" etc, to extort Morons/Halfwits for money, I can't see why anyone supports "bitcoin ETC" anonymous currency ...
@ Big-nosed Pengie
I have a joke for you !
Windows Security .....
Although it belittles Java's role in this mess.....
"I have a joke for you !
Windows Security ....."
Erm, but you know it has a better security model than say Linux? For instance drivers and kernel run separately - and has far fewer vulnerabilities than a desktop Linux distribution - or say OS-X - It's a market share issue....Just look at the malware fest that is Android for a good example....
Honest question - how would other operating systems avoid the problem, if such a virus were to be targeted at them? Wikipedia says "A ZIP file attached to email contains an executable file with filename and icon disguised as a PDF file, taking advantage of Windows' default behaviour of hiding the extension from file names to disguise the real .EXE extension.", but other operating systems don't use the extension for file types anyway, so the user would be no more aware (and Windows would report it as an application when trying to run it - at least, I always get warned, I don't know if there's a way round this in some email programs that this has exploited?)
If the user is warned about running an app, but decides to run it anyway, it's unclear there's much you can do - you can make it harder with a password, but people will get used to doing that anyway. Indeed, Apple and its fans have been taking the piss out of Windows for asking users to confirm ("I'm a PC" etc), so god knows how insecure that platform is (or if OS X does ask for confirmation, then that just shows them up as hypocritical in their arguments). You could avoid it by saying all apps must be distributed by a single site, which is what Apple and MS want for their OSs, but I don't think anyone here would think that was a good thing either...
One way round might be to say apps must always be installed, but users would get used to clicking okay to that too, and it would limit the use of "portable" apps (which are possible on other OSs anyway, I believe).
The files affected are documents, i.e., in user space, so would be expected to have user permissions, not admin permissions.
Standard rules apply: don't run apps you don't trust (especially from email attachments), and backup your data.
> other operating systems don't use the extension for file types anyway, so the user would be no more aware
[vic@fortyniner ~]$ ls -l really_bad_file_that_is_obviously_malware
-rw-rw-r-- 1 vic vic 3770976 Nov 21 16:34 really_bad_file_that_is_obviously_malware
[vic@fortyniner ~]$ ./really_bad_file_that_is_obviously_malware
bash: ./really_bad_file_that_is_obviously_malware: Permission denied
Vic.
Because clearly average user who can't even follow "don't run untrusted applications" knows how to run Linux commands!
Windows will inform that it is an application when they try to run it anyway (unless this one has found a way round that, or there is some loophole for some email programs?)
In what circumstances will the executable return permission denied?
> average user who can't even follow "don't run untrusted applications" knows how to run Linux commands!
It's a little easier pasting the output from a terminal into a forum page than trying to do a screencast. The idea was to show that the OS doesn't run stuff that isn't explicitly marked as executable.
> Windows will inform that it is an application when they try to run it anyway
But users have been conditioned to agree to any popup that is placed in front of them. There is an "OK" button to push.
What I was demonstrating is that if the executable bit isn't set by default - and NTFS does support that[1], although I'm not sure I've ever actually seen it in the wild - there is no way to agree to such an action; the file cannot be executed because it just isn't executable.
If you want to make it executable, you have to go out of your way and deliberately make it so.
> In what circumstances will the executable return permission denied?
In the circumstances where the file does not have the executable bit set by default. *nix platforms do this by default. Windows can, but generally doesn't.
Vic.
[1] http://technet.microsoft.com/en-gb/magazine/2006.01.howitworksntfs.aspx
nice try, but I'm not going to an unverified website posted in an article about cryptolocker, any more than I will be opening attachments which I haven't requested or am expecting.
footnote: I know you're probably trying to help, but think about it - what are you teaching here? How to stop one virus or how to remove a major infection vector entirely?
"Erm, I did that rare thing -- Googled 'cryptoprevent'."
Erm, I did that rare thing - practiced what security experts preach.
If we can get across to people that you don't click on files that you don't 100% trust (I know that even this isn't a given) then we remove a major vector of infection <- I was just trying to highlight that this is probably more important than a single remedy for a single virus.
So your computer has been shown to be compromised and your solution is to demonstrate to the people who now own it that you have the means and willingness to pay up on demand?
Nope. That computer is toast. Wipe it to the metal and re-image it as if it was new. If you've lost data that wasn't backed up, then it might prove sufficient motivation to actually set up a backup system now...
...it's indeed a sort of service / education. As much as I'd hate to be the target of such a scam, I have to objectively admit this thing isn't doing anything to you that a Plain Old J. Random Hardware Failure couldn't do as well, except in that case you quite likely won't get the chance to buy back your data at all. Learning that Backups Are Important is a really, really valuable lesson IMHO.
... the advice about not opening attachments is not helpful. Sometimes there's nothing in the email but the attachment and sender addresses can be spoofed, so unless you have a policy that all incoming email has to be digitally signed (in which case no unsigned mail should ever be delivered to the user, so they can't open it anyway) you are, at some stage, going to have to open attachments. I mean, honestly, who can say with a straight face that you shouldn't open attachments unless you are sure of their contents? If you are sure of their contents you don't need to open them at all!
The problem is in the helper applications. Adobe's PDF Reader is a particular culprit. There is no way that viewing any kind of document should EVER allow any executable code to run without further explicit confirmation from the user. We are far too lenient about applications that allow remote execution exploits.
"Adobe's PDF Reader is a particular culprit."
Well, yes, but I thought a lot of this stuff was good, old badfile.pdf.exe or e.g. invoice.zip being extracted to an executable. I've been getting a lot recently but it's stopped by my ISP so I only see it in the spam folder if I use web access to my account.
Always nice to read comments and articles from people who've clearly never seen the thing they're writing about!
"The problem is in the helper applications. Adobe's PDF Reader is a particular culprit. There is no way that viewing any kind of document should EVER allow any executable code to run without further explicit confirmation from the user. We are far too lenient about applications that allow remote execution exploits."
Except it's not an actual PDF attachment, it (at least with the variant I've seen in the wild) is an executable, with its icon set to be the standard PDF document icon and a file extension of .pdf.exe, so on machines with the default "hide extension of known file types" option enabled it looks like a pdf file. The example I saw even displayed as having come from another member of staff (a valid address) rather than some government agency.
Surprised there's been no mention in the articles about this of how it also attacks mapped drives, so it's not just the local system at risk. The client that got this had not just that users machine infected, but also every file that could be accessed via his mapped drives. Fortunately we had backups of the server data, but the client machine's data was less fortunate. Served as a valuable explanation of why we kept telling them to store their data on the server!
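Keith's description of the `.pdf.exe` disguise (an executable shown as a PDF because Explorer hides the last, known extension) can be turned into a simple mail-gateway check. The following Python is an added example, not code from the thread or from any poster; the helper names, the partial extension sets and the simplified hide-extension model are assumptions.

```python
"""Flag attachment names that exploit Windows' "hide extensions for known
file types" setting, e.g. invoice.pdf.exe displayed as invoice.pdf.
Added example; extension sets are partial and assumed, not authoritative."""
import os
from typing import List

# Types Windows executes directly on double-click (partial list, assumption).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document types a disguised executable typically imitates (partial list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}
# Simplified model of "known file types": Explorer hides only the final
# extension, and only when it is registered. All of the above count as known.
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS


def displayed_name(filename: str, hide_known: bool = True) -> str:
    """Return what Explorer shows with the default hide-extension setting."""
    stem, ext = os.path.splitext(filename)
    if hide_known and ext.lower() in KNOWN_EXTS:
        return stem
    return filename


def is_disguised_executable(filename: str) -> bool:
    """True when the real type is executable but the shown name looks like a document."""
    real_ext = os.path.splitext(filename)[1].lower()
    if real_ext not in EXECUTABLE_EXTS:
        return False
    shown_ext = os.path.splitext(displayed_name(filename))[1].lower()
    return shown_ext in DOCUMENT_EXTS


def flag_attachments(names: List[str]) -> List[str]:
    """Return the attachment names a gateway should quarantine or warn about."""
    return [n for n in names if is_disguised_executable(n)]


# Constructed sample attachment names (not taken from a real mailbox).
SAMPLE_ATTACHMENTS = [
    "Invoice_2013_11.pdf.exe",   # the pattern described in the thread
    "photo.jpg.scr",             # screensaver posing as an image
    "report.pdf",                # genuine document
    "setup.exe",                 # plain executable, shown as "setup"
    "notes.txt",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        verdict = "DISGUISED" if is_disguised_executable(name) else "ok"
        print(f"{name:26} shown as {displayed_name(name):20} {verdict}")
```

The same mismatch check applies to names extracted from a ZIP attachment, which is the delivery route the thread describes.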
Sorry Keith, you're right - for Cryptolocker the documented cases are executables. It should certainly not be possible to one-click an executable from an email and have it run. In this case it is not a helper application but the email client itself which is at fault. However, I think my point - in general - still holds. One SHOULD be able to open non-executable attachments in emails, that really are PDFs, JPEGs etc, with no other risk than the content not displaying, or the user not really liking the content that is displayed - and absolutely without the risk that one's machine will be compromised.
The advice that attachments should never be opened unless you know what they contain is logically meaningless as I have already said; the advice that you should not open them unless you are expecting them gives a false sense of security when you *are* expecting an attachment; and the advice that you check the identity of the sender (in the absence of a digital signature) is meaningless. And even if one were sure about the originator, who is to say the originator is not compromised?
So I'm sticking to my guns about helper applications, but accept that in this case I'm off topic. However, many thanks for the heads-up about mapped drives - that is an important point.
... John
So, I have the choice of not opening emails of unverifiable provenance, consisting of only attachments, in which case my bank, my doctor, and my boss (back when I was employed) get angry with me, and get even...
... or ...
opening such attachments and having my computer owned by criminals.
Nice choice there.
Mike 16,
Much better expressed than my earlier ramble. It is simply not acceptable to say to people that they should not open attachments. If it were, it would be perfectly acceptable to configure the destination mail server to reject any mail with attachments. The business would put up with that for exactly 1 second before screaming to IT to change it back.