Beware of Geeks bearing Gifts
The UK’s National Crime Agency has warned people have just two weeks to protect themselves against the Cryptolocker ransomware and a strain of the ZeuS password-slurping malware – before both return from the dead. The alert comes after the cops "disrupted" the systems remotely controlling the software nasties – which could …
If it's CryptoLocker it'll be able to infect any Windows system running Win2k+. I believe there's a less prevalent OSX version floating around too, but don't quote me on that.
CryptoLocker is nasty. Someone here has a virus on their home computer that has been sending out malicious emails containing it to their entire contact list (so about 50 or 60 of our users) a couple times a week for the last couple months. Everyone's wise to it now thanks to liberal use of a metaphorical cluebat*, but we must have had 15 CryptoLocker infections the first couple weeks as people fell for it and opened the "account summery" (sic) or "scanned document" that came in with them. Seriously, I had to pull the same files from backups 7 times in two weeks because of Cryptolocker infections, and that was just me (I'm not the only backup administrator) and for just one network share.
*They won't let me use my literal cluebat.
Now, I'm probably going to risk downvotes here but ... I firmly believe you should be able to click a link without worrying. Otherwise what is the point of QR codes? URL shorteners? The reason why clicking some links causes problems is because there are still far too many vulnerabilities in browsers.
I should be able to point a pdf reader, graphics program, word processor or *browser* at any input whatsoever in perfect safety. The fact that I cannot tells me that software writers have been pissing away their time tweaking the interfaces and adding nice-to-have features rather than addressing the real purpose of these programs.
"QR codes are like telephone numbers.
You might not like what you hear when you call them - but it shouldn't be able to blow up your phone"
Sorry, but QR codes aren't really like telephone numbers. You can read a telephone number before you dial it. See that nice poster advertising a thing you are interested in? Just... check that QR code isn't a sticker taking you to a hijack site with the real QR code from the advertiser hidden under it.
Better yet, don't use 'em.
"Are you saying you don't look at the URL you get from a QR code before following the link?!"
No, I'm not, I'm saying I don't use them. Are you saying your superpower is automatically knowing what the URL was supposed to be? There are plenty of advertising types who'd use http://bit.ly/1ilCEh5 instead of http://www.theregister.co.uk.
Suspicious enough, and in possession of the time and the resources to safely probe that short cut on your phone? Good for you, but basic common sense should tell you that Joe Punter will point, click and browse without a moment's thought. And given the 'instant gratification' intent of QR codes, what would be the bloody point?
"No, on the rare occasions I scan a QR code I look at the resultant URL and decide if I want to hit "go" or "delete"."
And again, the point remains. There are probably a sizeable minority (maybe even a sizeable majority) of people outside the IT world who'd use a Smartphone as a QR reader despite not knowing what an URL is, never mind whether it 'looks' safe or not.
That is why they are a problem.
"I can see a QR code before I use it. I don't see how reading the phone number in digits rather than seeing it as an image has anything to do with whether it will blow up my phone."
You don't? Ignoring the issue of it being a metaphor, I'd venture you're the sort of chap who'd favour a leisurely stroll about town the day after a full-scale nuclear exchange. "Well... I can't see anything that might harm me"...
How?
Some QR apps just load the destination without a confirmatory URL display.
The QR code may be a link shortening service.
Most users get Malware because they always click on "OK" on dialog boxes.
I agree one should be able to click on anything safely. But today you can't. If a link doesn't have the expected domain for the context, the likely situation is that it leads to evil. So I don't click.
Number of virus infections / Trojans etc on my own computers since 1979 = Zero.
I do check with specialist tools that I'm as clean as I think.
One good one is at silentrunners.org.
"The fact that I cannot tells me that software writers have been pissing away their time tweaking the interfaces and adding nice-to-have features rather than addressing the real purpose of these programs."
It also tells you that governments have consistently refused to enforce normal rules of "fitness for purpose" to software and users have consistently kept buying crapware that has a long track record of failure. So the free market delivers what the free market always delivers: a de facto monopoly churning out low grade product for huge profits.
@gazthejourno:
Except we all know that that's Fantasy Capitalism (tm) Gaz. Otherwise we wouldn't have had the Comodo or DigiNotar hacks, the RSA hack, the endless list of (often Blue Chip) companies threatening infosec researchers with legal action rather than engaging in public interest disclosure and fixing their "premium" crapware, and so on ad nauseam.
On the contrary while Open Source is no more free of security flaws there are far fewer of the commercial imperatives to behave badly when these are discovered. So no, it's not hard, when you disengage your prejudices and use your brain.
If it was a monster then this two week window would make some sense: "We've put it to sleep - quick! run for safety while you can! it will wake up soon!" But it isn't - Cryptolocker doesn't wait for you to try to uninstall it, then try to ask the mothership "the user is coming after me! should I scramble the files now?" The moment it starts executing it does whatever harm it can, so while running an instance now might be safer (presuming it does lie dormant if it can't get a key from the C&C server, rather than generating a local one anyway and mailing it to a collection of backup email addresses), late May was also a very good time to update protective software and July will be an awesome month for running the browser from a low capability browser-only user account, and so on.
The "monster" in this case is the owners of the botnet. They'll be working right now to establish a new command and control server so they can start receiving keys and funds from Cryptolocker.
Right now their money making system is offline with the main server seized. But they'll have other channels of communication to get the infected systems communicating with a new server. Soon as they do that, the game's back on.
Hang on, haven't we been told for the last 18 years that we should be careful of what we click and always check that you know the sender and you are expecting this email? The last virus I got was on the Amiga. The last malware was just the usual stuff that's detected by AVG Free and Malwarebytes. I think this is just a ruse to make you not look into the NSA or GCHQ revelations. I think our hardware has a better chance of hiding the main threat to privacy and online safety and probably is. Paranoia rules.
You should have heard the 10 o'clock news. I really thought I had been transported back almost 2 decades. All over simplified explanations and making it sound new and scary; very little on how this threat isn't new although the scale may or may not be; and nothing on how to actually protect your stuff or how the attack is going to be held off for two weeks.
On the plus side, I've now remembered why I don't watch TV news :)
"we should be careful of what we click and always check that you know the sender and you are expecting this email."
We have a user here who got hit by someone last week. It came from a user he knew. It said it was a government GMail account and a document had been shared. Document title looked appropriate for an ongoing discussion he's having with the sender. Clicked on the link and ....
Not sure how the security incident is being resolved because I'm not part of it. But users talk, especially when they get hit while doing everything the IT Security Training courses tell them to do. Could he have picked up the phone and confirmed the document was actually sent by the user? Sure. But in your standard office environment, is it reasonable to expect every user to call the sender each time they receive a document? Because sending an earlier email saying you are about to send a document won't necessarily help in this instance.
With 90+% market share, it's the same thing.
I don't see people mention specifically Windows when they release other kinds of software - it's just "PC"; same with mobile software, should they list the operating systems if it turns out they don't support Windows Phone?
But no, don't let that stop with your tin-foil-hat conspiracy theory.
We've been beating this one off (as it were) since September last year.
Get CryptoPrevent (free from Foolish IT - yes really) and protect your users. For you corporate types, yes, you already have group policies in place to prevent things executing from temp locations and zip files. For us in the sole trader/SME world who don't have the ability to lock down customers' PCs to that extent, this easily sets group policies for them at the click of a button. And it's free.
Also, as I'm sure you already know, make sure they have a versioning backup system. Carbonite works a treat and they have a dedicated backup team who will help you roll back the infection to before it happened.
According to the link in the story, it's compression followed by XORing with a 32 bit secret which is sent in plaintext by the server. Hardly rocket science. I can't understand when good encryption libraries are available free or even built in to their target OS, why these peoplechildren insist on reinventing the wheel and succeed in making it wonky.
I suppose there's an opportunity to offer an alternative 'decryption' service for half a bitcoin.
"compression followed by XORing with a 32 bit secret which is sent in plaintext by the server"
Wow, that is truly weird, after all the apparent effort in setting up botnets and C&C servers. So I'm guessing you would only need one unencrypted copy of any of the encrypted files, use a few different compression algorithms on it, and you'd soon have the key, even if they'd sent it securely.
I'd have paid up or given up, as I'd have been expecting to crack AES256 or something of that ilk.
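A toy model of the scheme the two comments above describe (compress the file, then XOR it with a repeating 32-bit key) and of John H's recovery idea (one unencrypted backup copy of any locked file gives back the key, regardless of how the key was delivered). This is an added example, not code from the article, the malware or any commenter; the key value, the byte order of the key, the sample documents and the set of candidate compressors are all constructed assumptions.

```python
import bz2
import lzma
import struct
import zlib
from itertools import cycle

# Constructed 32-bit key for the demo; a real sample's key and byte order are unknown here.
KEY = 0x5EEDFACE

# Candidate compressors to try, since the exact algorithm is an assumption.
COMPRESSORS = {"zlib": zlib.compress, "bz2": bz2.compress, "lzma": lzma.compress}
DECOMPRESSORS = {"zlib": zlib.decompress, "bz2": bz2.decompress, "lzma": lzma.decompress}


def xor32(data: bytes, key: int) -> bytes:
    """XOR data with a repeating 4-byte key (little-endian assumed); self-inverse."""
    keystream = cycle(struct.pack("<I", key))
    return bytes(b ^ k for b, k in zip(data, keystream))


def lock(plaintext: bytes, key: int, algo: str = "zlib") -> bytes:
    """Model of the weak scheme: compress, then XOR with the 32-bit secret."""
    return xor32(COMPRESSORS[algo](plaintext), key)


def recover_key(known_plain: bytes, ciphertext: bytes):
    """Known-plaintext recovery: for each compressor, XOR compressed known file with
    its locked copy; the right compressor leaves a stream that repeats every 4 bytes."""
    for name, compress in COMPRESSORS.items():
        compressed = compress(known_plain)
        if len(compressed) != len(ciphertext):
            continue  # different compressor (or version) than the one used to lock
        stream = bytes(a ^ b for a, b in zip(compressed, ciphertext))
        key_bytes = stream[:4]
        if all(stream[i:i + 4] == key_bytes[: len(stream[i:i + 4])]
               for i in range(0, len(stream), 4)):
            return name, struct.unpack("<I", key_bytes)[0]
    return None


def unlock(ciphertext: bytes, key: int, algo: str) -> bytes:
    """Undo the XOR, then decompress with the identified algorithm."""
    return DECOMPRESSORS[algo](xor32(ciphertext, key))


if __name__ == "__main__":
    backup_copy = b"Quarterly account summary for the board.\n" * 20  # constructed
    other_file = b"Scanned document, page 1 of 3.\n" * 15             # constructed
    locked_a, locked_b = lock(backup_copy, KEY), lock(other_file, KEY)
    algo, key = recover_key(backup_copy, locked_a)
    assert unlock(locked_b, key, algo) == other_file
    print(f"recovered {algo} key 0x{key:08x}; other file restored")
```

The length check is the first filter: a compressor or compression level that differs from the one the locker used produces a stream that does not repeat every four bytes, so no key is reported rather than a wrong one.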
We actually got caught out by this virus. If nothing else it has helped highlight some shocking gaps in our security. (Anon out of shame for obvious reasons...)
@ John H: One source I found seemed to do exactly that (comparing an unencrypted source with encrypted) - but the tool didn't seem to work; luckily we have backups ^_^
Link for anyone else enduring the misery of clearing up right now: http://malwarefixes.com/remove-cryptowall-ransomware/
(Not sure how effective this is going to be!)
The article reads: "According to the NCA, ZeuS is responsible for nicking hundreds of millions of pounds globally."
Nicking* is taking some chips from my mate's plate, there's a better word "stealing", please use it.
* Actually I believe the word originates from a legal process for taking possession of an apparently abandoned lead mine. Witnessed by representatives of the barmote court, a nick would be made in the wooden stowe (windlass) at the top of the mine shaft by the claimant on 3 consecutive weeks. If the original miner had not objected then the mine had been nicked and the title was transferred.
Like another commenter mentioned below - it's business as usual, or rather a nice two week bit of respite, isn't it?
Many people are panicking about what's going to happen in two weeks, thanks to these reports.
Am I missing something? All we've done is pull out the network lead as we might do during a cleanup anyway, right?
Of course it's not a bad idea to run a zbotkiller or malwarebytes periodically anyway, but the message here seems to be way wrong and out of context to me.
Here is what I sent to a customer who asked if they needed to take any urgent drastic action.
Am I off the mark? See below:
"No.
Nothing is any different to how it has been for the last couple of years.
Zeus/zbot and cryptolocker have been on/off people's computers for years and sometimes I am removing it from two different customers in the same week. In the last couple of months, having got increasingly fed up with it, I have set policies of blocking all .zip and executable attachments on email servers since this is the most common source of infection (.zip attachments on fake emails from amazon/tax/payroll/sage/sky/fed-ex/ups/etc.).
Usually it becomes apparent that a computer is infected because it tends to get straight on with the CryptoLocker part of things, files become inaccessible, and a ransom is demanded. I then have to restore data from a backup. This is the thing that Fiona got onto her computer a few months ago.
All I would say is that I have noticed the occasional attempt to distribute it through a dropbox link, so you could tell the staff not to open any "You have been sent a file through dropbox" email links, without first confirming legitimacy, since I can't block that. The other way is popups that tell you you have to update your Adobe Flash or similar. They're often on dodgy websites, but also sometimes legitimate websites get hacked and have these popups injected. This is nothing to do with the two week window thing though and is just general advice. I have wondered about some kind of safe-computing training to show people what these popups and other dodgy things look like when they come in, but for now the above advice basically covers the current trends.
From a banking point of view, some were particularly susceptible in the past (HSBC & First Direct.. you sign in once with your code, then you can freely add new payees and transfer out money to them, without having to enter any new codes from the security device/dongle). HSBC & FD have changed their systems now, and do require re-entering a code from the keypad/card every time a new payee is added or amended. Obviously this would only matter if you were infected, but it has been a source of stolen bank funds in the past (screen gets blanked after you log into the bank.. money gets transferred out in the background), but it's a bit of extra peace of mind anyway.
All that has changed is that they have disconnected the controlling systems (command & control servers), and they expect that it'll get going again in two weeks. I'm not sure why they would use the words "two weeks to prepare for massive attack", as all they mean is it's been switched off, and it'll probably get going again in two weeks. Unless I'm missing something... I don't think I am though. The command/control servers being disconnected doesn't make it any easier to detect or remove from a computer. It just means it can't be commanded to do harm."