True Story: Rescue From a Zero Day Virus

DoD photo by Shane Hollar, U.S. Navy. (Released)

Strictly speaking, a “zero day” is a vulnerability (or the exploit for it) that the vendor has had zero days to fix. In the antivirus world the term is also used loosely, as it is here, for a brand-new piece of malware for which there is not yet any public information or antivirus signature. This is the story of how our team encountered and identified a new Cryptolocker variant, and then raced the clock to prevent its spread and data loss.

Last week a client called in stating that their server was filled with files with the extension .ECC. This was an extension we had never seen before, so it immediately flagged a potential threat to us.

According to our research, .ECC files are associated with DVDisaster — an application created by a developer named Carsten Gnörlich. This didn’t really make any sense; we doubted our clients were using this new application. And even if they were, why would the application create .ECC files on their file server? We couldn’t figure it out.

Unless…!

Suddenly we realized we were dealing with a virus. We began scanning their file server with our antivirus and malware tools. But our tools came up empty. What gives?

Still playing on our virus-hunch, we decided to bring one of the .ECC files into our test environment. Carefully, we opened it up.

And there it was: a variant of Cryptolocker, in all of its terrible glory.

Our client’s network was infected.

We scoured the Internet but couldn’t find anyone, anywhere, who had seen this Cryptolocker variant. Not only were we dealing with a vicious form of ransomware, but, we realized, we were dealing with a zero day virus. There was no antivirus for it yet, because it was brand-new.

Our team has extensive experience with Cryptolocker, so we had a baseline for this virus’s likely behavior. Cryptolocker first encrypts the files on the infected user’s own drives and then works through any mapped network drives, so encrypted files on a server always point back to some workstation. We immediately began looking for a host machine.

A host machine is the machine that introduced the virus into the network.

Once you locate the culprit, you can remove Cryptolocker from the infected machine with your AV or anti-malware tools, or, as we did here as a precaution, take the machine off the network and wipe the hard drive completely. Cryptolocker encrypts files in place and leaves its traces scattered across the drive, and because this was a brand-new variant we could not be sure it had not left malicious files on the server, or anywhere else.
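A practical way to find the host machine, added here as an example and not part of Everon’s own process: on an SMB share the NTFS owner of a file is the account that created it, so the owner of the encrypted files and ransom notes on the server identifies the infected user, and the file server’s SMB sessions (Get-SmbSession, Windows Server 2012 or later, run on the file server itself) map that user to a workstation. The share path, the .ecc extension and the note filenames below are constructed assumptions; change them to what you actually see.

```powershell
# Find-RansomwareOwner.ps1  (added example, not Everon's tooling)
# Lists the encrypted files and ransom notes on a share, groups them by the
# NTFS owner (the account that created the file over SMB) and shows when each
# account started writing. The earliest writer is the best "host machine" lead.
param(
    [Parameter(Mandatory)] [string] $SharePath,                  # e.g. \\fileserver\data  (constructed)
    [string]   $Extension = '.ecc',                              # extension this variant appends
    [string[]] $NoteNames = @('DECRYPT_INSTRUCTIONS.txt', 'DECRYPT_INSTRUCTIONS.html')  # assumed note names
)

$hits = @(Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -ieq $Extension -or $NoteNames -contains $_.Name })

if ($hits.Count -eq 0) { Write-Host "No $Extension files or notes under $SharePath"; return }

# One record per file: who owns it and when it was last written
$records = foreach ($f in $hits) {
    $owner = try { (Get-Acl -LiteralPath $f.FullName).Owner } catch { 'UNKNOWN' }
    [pscustomobject]@{ Owner = $owner; Path = $f.FullName; Written = $f.LastWriteTime }
}

# Roll up per owner, earliest writer first
$byOwner = $records | Group-Object Owner | ForEach-Object {
    $sorted = $_.Group | Sort-Object Written
    [pscustomobject]@{
        Owner      = $_.Name
        Files      = $_.Count
        FirstWrite = $sorted[0].Written
        LastWrite  = $sorted[-1].Written
    }
} | Sort-Object FirstWrite

$byOwner | Format-Table -AutoSize

# Map the earliest writer to a workstation. Get-SmbSession (Server 2012+) must run on the file server.
$user = ($byOwner[0].Owner -split '\\')[-1]          # DOMAIN\jdoe -> jdoe
Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object ClientUserName -like "*\$user" |
    Select-Object ClientComputerName, ClientUserName, NumOpens |
    Format-Table -AutoSize
```

Two caveats when reading the output: if the infected user is a member of the server’s local Administrators group, the owner may show as the Administrators group rather than the user (a Windows security option controls this), and the SMB session only tells you which machine is connected now, so if the workstation has already been shut down fall back to the server’s logon events for that account.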

In past versions of Cryptolocker, once you found and cleaned up the host machine, you could simply delete the encrypted files from the server. (They are useless without the decryption key, and the encrypted files themselves are not malicious.) But since we weren’t sure about this variant, we decided to use our Microsoft partner account to reach out to the WOLF team.

WOLF is the team at Microsoft that is dedicated to security, vulnerabilities, and virus/malware removal. They are essentially the software world’s version of the Navy SEALs. They are fantastic. We called them up, and, like a true black ops team, they jumped in with their custom-built tool and scanned the server and the network, looking for any traces of the virus left behind.

The WOLF team was able to determine that the .ECC files were merely encrypted, and no further infection existed. They were also able to determine how the virus came into the network and what vulnerabilities caused this.

We patched machines to keep them secure, and we also recommended that users do the following:

  1. Ensure your antivirus is up to date and properly scanning.
  2. Install a complementary malware scanner in addition to the antivirus. (We recommended Malwarebytes Pro.)
  3. Install AdBlock Plus in every Internet browser. This blocks unwanted ads and, since malicious ads are one of the ways a drive-by infection reaches a browser, can stop some of those attempts as well.

With good, current backups, patching of Windows and third-party applications, and the steps above, I believe any company can stay safe online without compromising employees’ freedom to go where they choose.

For more information about Cryptolocker, or any security issues, feel free to call our engineers at Everon at 1-888-244-1748.

 

Tech Tips for Techs: Little-known, extra steps for CryptoWall and Cryptolocker cleanup


Hello all! Today I would like to contribute some information to something we had previously put out when talking about CryptoWall and CryptoLocker. The previous blog posts talked about the virus itself and what actions to take if you become infected with it. In addition to that, I would like to provide instructions on what further actions to take.

Today I received a call from a client, on whose system I had recently cleaned up an infection and restored their data from a backup. She told me that the computer that had been the original culprit was popping up once again with the decrypt instructions, and she was concerned that it was infected again. She took the actions I told her to take, to disconnect the network drive so it wouldn’t spread. I jumped on that machine and, sure enough, the web page had returned.

I scanned the computer with a malware removal tool, but, to my surprise, nothing showed up. Then I started rifling through the “My Documents” directory. Voila! I found the three “decrypt instructions” files that get put in every directory that gets infected. (These are files that Crypto drops onto infected machines and servers, telling victims where to send their money, etc. But they are text files, not harmful in and of themselves.) At this point, I just shook my head.

When I’d performed the original cleanup, and every cleanup I have done since then, I did NOT remove these files. When I’d done the scans for the malware and deleted the malware itself, I’d assumed that those files were part of it and would get removed, as well. With the scan coming back clean and the data restored, I’d sent them on their merry way. But those files are not malware and obviously would not show up on the scans.

Moral of the story: ALL those files need to be deleted, or they will pop up from time to time (one of the three is an HTML file, which is what brought the web page back here). Once you have scanned and cleaned up the malware, search the C drive and every other data drive for *decrypt* and delete every decrypt-instruction file you find. In this case I made a wrong assumption that caused widespread panic.

However, sometimes you just have to learn as you go. ;)
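The sweep described above, as an added example that is not part of the original post and not Everon’s tooling: it walks every fixed local drive for files whose names match ransom-note patterns, restricts the matches to note-type extensions so a user’s own “decrypt” document is not caught, reports them, and deletes them only when run with -Delete, keeping one copy for the incident record. The name patterns are assumptions drawn from common CryptoLocker/CryptoWall note names; add whatever the variant on your machine used.

```powershell
# Remove-RansomNotes.ps1  (added example, not Everon's tooling)
# Run AFTER the malware is removed and data restored: finds the leftover
# "decrypt instructions" files on every fixed local drive and, with -Delete,
# removes them after keeping one copy for the incident record.
param(
    # Name patterns seen on CryptoLocker/CryptoWall notes (assumed; add this variant's names)
    [string[]] $Patterns = @('*decrypt*', 'HELP_DECRYPT*', 'DECRYPT_INSTRUCTION*', 'HOW_TO_DECRYPT*'),
    [switch]   $Delete              # without -Delete the script only reports
)

# Note files are text/HTML/shortcut/image, never the victim's own data formats
$noteTypes = '.txt', '.html', '.htm', '.url', '.png'

# DriveType 3 = fixed local disk. Mapped drives are cleaned on the server, not from here.
$roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
    ForEach-Object { $_.DeviceID + '\' }

$notes = @(foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.Name
            ($_.Extension -in $noteTypes) -and
            ($Patterns | Where-Object { $name -like $_ }) -and
            ($_.DirectoryName -notlike "$env:TEMP\ransom-note-sample-*")   # skip our own kept samples
        }
})

if ($notes.Count -eq 0) { Write-Host 'No ransom-note files found.'; return }

Write-Host "Found $($notes.Count) note files:"
$notes | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

if ($Delete) {
    # Keep one note: it names the family and the payment address for the incident record
    $keep = Join-Path $env:TEMP ('ransom-note-sample-' + (Get-Date -Format 'yyyyMMddHHmm'))
    New-Item -ItemType Directory -Path $keep -Force | Out-Null
    Copy-Item -LiteralPath $notes[0].FullName -Destination $keep
    foreach ($n in $notes) { Remove-Item -LiteralPath $n.FullName -Force }
    Write-Host "Deleted $($notes.Count) note files; sample kept in $keep"
}
```

Run it once without -Delete and read the list: a note with a recent timestamp in a directory that was supposedly restored from backup is a sign the restore point itself already contained the notes, and a note with a timestamp newer than the cleanup means the machine is still encrypting and the job is not done.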

If you need help from truly experienced techs, give us a call at 888-244-1748. We treat your technology as though it’s our own.

Why is CryptoLocker still a threat?


It has been over nine months since CryptoLocker started encrypting systems and demanding a ransom. With most new threats, a fix or patch that neutralizes it is released within weeks. CryptoLocker is different: it does not depend on a software bug that a patch can close. It simply runs as the logged-in user and encrypts whatever that user can reach, so there is no patch that makes it go away. It is estimated that over $40 million has been paid to the criminals so far, with no end in sight.

(Image: the CryptoLocker dialogue box that appears on victims’ screens, once it is too late.)

CryptoLocker currently accepts payment via Bitcoin and MoneyPak. Bitcoin transactions are recorded in a public ledger, so the payments themselves are visible, but the addresses are not tied to a verified identity; the trail ends at the address the coins were sent to unless the holder later cashes out through an exchange that knows who they are. MoneyPak is a prepaid cash-reload voucher: the victim buys it with cash at a retail store and hands the code to the criminals, who load it onto a prepaid card, which is just as hard to trace back to a person.

Is there any way I can protect myself?

Currently, the most common infection method is email. Here is a list of some of the email subject lines used to trick the user into opening the message and its attachment.

(Chart of subject lines not reproduced in this text version. Thanks to BleepingComputer.com for the chart.)

Opening the email itself does not infect the machine. The damage is done when the user opens the attachment, typically a ZIP containing an executable dressed up as a document, and runs it. At that point the user has effectively granted the virus permission to install, and it runs with that user’s own access to every local and mapped drive.
There are a few things that will help prevent infection and minimize its impact:

  1. Prevent executables from running out of the locations where downloaded and mailed-in programs land: the user profile’s AppData and Temp folders and the folders that ZIP tools unpack into. This works because the dropper has to be written somewhere the user can write, and those are the common spots; a Software Restriction Policy or AppLocker path rule enforces it. The cost is that any legitimate program that runs from those locations, such as a per-user installer, is blocked too unless you add an exception for it.
  2. Do not open attachments, in any email, that seem out of place or suspicious. This is a good rule of thumb in general, but it is not a complete defense, because the senders are very good at making the email look valid.
  3. Backup, Backup, Backup. Sometimes you can get your files back from Volume Shadow Copies, but that is not always available, and later releases of CryptoLocker delete the shadow copies before they encrypt. By backing up your files and keeping a copy offline, where the infected user’s account cannot reach it, you only lose what changed since the last good backup. Keep several older versions as well, in case a backup run captured files that were already encrypted.
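Step 1 in working form, added here as an example rather than the original post’s content or Microsoft’s own tooling: a PowerShell script that writes Software Restriction Policy “Disallowed” path rules for the folders where mailed-in droppers land and unpack (the folder list commonly used for this) directly into the local-policy registry keys, plus an “Unrestricted” exception for one legitimate per-user application. It assumes the documented SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (subkey 0 = Disallowed, 262144 = Unrestricted), must run elevated, and the Chrome exception path is an assumption about your fleet; on a domain, put the same rules in a GPO instead.

```powershell
# Set-DropperBlockPolicy.ps1  (added example, not Everon's or Microsoft's tooling)
# Writes local Software Restriction Policy path rules that stop executables
# from launching out of the folders ransomware droppers are written to.
# Assumes the documented SRP registry layout; run elevated, then log off/on.
#Requires -RunAsAdministrator
$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SRP security level: Disallowed
$Unrestricted = 262144     # SRP security level: Unrestricted (0x40000)

function Add-SaferPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    # Each rule is a GUID-named subkey under <level>\Paths with ItemData = the path pattern
    $key = New-Item -Path "$Safer\$Level\Paths\{$([guid]::NewGuid())}" -Force
    New-ItemProperty -Path $key.PSPath -Name ItemData     -PropertyType ExpandString -Value $Path -Force | Out-Null
    New-ItemProperty -Path $key.PSPath -Name SaferFlags   -PropertyType DWord        -Value 0     -Force | Out-Null
    New-ItemProperty -Path $key.PSPath -Name Description  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -Path $key.PSPath -Name LastModified -PropertyType QWord -Value (Get-Date).ToFileTime() -Force | Out-Null
}

# Turn SRP on with the normal default (everything allowed) so only our rules block.
if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
Set-ItemProperty -Path $Safer -Name DefaultLevel        -Value $Unrestricted -Type DWord
Set-ItemProperty -Path $Safer -Name TransparentEnabled  -Value 1 -Type DWord   # 1 = enforce for all files except DLLs
Set-ItemProperty -Path $Safer -Name PolicyScope         -Value 0 -Type DWord   # 0 = applies to everyone, admins included
Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Value 0 -Type DWord
# File types SRP treats as executable (the policy editor's default list, written here explicitly)
Set-ItemProperty -Path $Safer -Name ExecutableTypes -Type MultiString -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP','LNK',
    'MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')

# Where droppers run from: the profile's AppData trees and the temp folders that
# WinRAR / 7-Zip / WinZip / Explorer unpack a mailed ZIP into. SRP expands the
# environment variables per logged-on user.
$blocked = @(
    '%AppData%\*.exe',               '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',          '%LocalAppData%\*\*.exe',
    '%LocalAppData%\Temp\Rar*\*.exe','%LocalAppData%\Temp\7z*\*.exe',
    '%LocalAppData%\Temp\wz*\*.exe', '%LocalAppData%\Temp\*.zip\*.exe'
)
foreach ($p in $blocked) { Add-SaferPathRule -Path $p -Level $Disallowed -Description 'Block droppers in user-writable folders' }

# Legitimate per-user installs that live in AppData need an explicit exception;
# a more specific path rule wins over a less specific one. Adjust to your fleet.
$allowed = @('%LocalAppData%\Google\Chrome\Application\chrome.exe')   # assumption: Chrome per-user install
foreach ($p in $allowed) { Add-SaferPathRule -Path $p -Level $Unrestricted -Description 'Allowed per-user application' }

# Log every decision so exceptions can be tuned before a wide rollout
Set-ItemProperty -Path $Safer -Name LogFileName -Value "$env:SystemRoot\Temp\SRP.log" -Type String
Write-Host 'SRP rules written. Log off and on (or reboot) for them to take effect.'
```

Pilot it on one machine with the log enabled first: a day of SRP.log shows every program that runs from AppData or Temp on that box, which is exactly the list of exceptions you need before pushing the rules to everyone. The policy editor (secpol.msc) may not display rules written this way until it has created its own default entries, but the enforcement itself reads the registry keys above.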

One important note: the original CryptoLocker only encrypts files on drives that have a drive letter (local disks and mapped network drives). It enumerates drive letters rather than network shares, so a share that is reachable only by UNC path (\\server\share) is not touched; in technical terms, CryptoLocker does not follow UNC paths. Do not build a backup strategy on that quirk, though: later ransomware families do enumerate and encrypt unmapped shares, so an offline copy is the only safe one.

With most viruses it is only a matter of time before a reliable method to block, remove, or decrypt is found and made available. Blocking and removal are already routine for CryptoLocker; what is taking longer than usual is decryption, and that is not a matter of better antivirus. Each victim’s files are encrypted under a key pair generated for that victim, and only the criminals hold the private half, so “cracking” the files would mean breaking the public-key cryptography itself. Any decryptor that does appear will come from recovering the criminals’ keys (for example through a law-enforcement seizure of their servers), not from breaking the code.

Guess What: The FBI Is NOT Emailing You (but some viruses are trickier than that)


Recently I received an email from my boss warning me about a resurgence of the FBI virus. This is one where the user receives an email alert, supposedly from the FBI, about “someone” the user knows, who the FBI is investigating. When the user clicks on the link within the email, the computer becomes infected. However, there’s an easy way to spot and circumvent this virus. According to the Federal Bureau of Investigation, on their website:

“The FBI does not send unsolicited e-mail.”

So follow the golden rule: don’t click on links or attachments in unsolicited emails. Problem solved.

Or is it?

Since I was already on the FBI’s website, I decided to do a search for “FBI virus.” Several links came up, some of which were of more concern than simple don’t-click-on-the-email-link remedies. Like Reveton. According to the FBI, Reveton (which has been around since at least 2011), is considered “ransomware” because it makes its victims pay to make it go away. And, unlike viruses that insert themselves when users click on an email attachment or on a link within an email, this one starts when a user clicks on a seemingly innocuous, but already-infected website. At that point the user’s computer locks up with a message accusing the user of illegal activity.

“The bogus message goes on to say that the user’s Internet address was identified by the FBI or the Department of Justice’s Computer Crime and Intellectual Property Section as having been associated with child pornography sites or other illegal online activity. To unlock their machines, users are required to pay a fine using a prepaid money card service.”

Short of paying the ransom, which some people have done, what could someone do to get out of something like this? The FBI says to contact your tech support for more advice.

So I got up and walked back to the Everon Tech Pit.

(Okay, not exactly what the FBI had in mind, but not everyone is as fortunate as me to work at a tech support company.)

The guys had a lot of thoughts on the subject of viruses – not all of them reassuring. Tony Cooper and Crash, two of our L2s, referenced the Porn virus, a pesky one that installs itself and attaches the label “porn.exe” to all of your files, making it look as though your computer is full of that stuff. Jesse Wood, one of our L1s, piped up with a reference to a new type of virus that can infect a computer through sound waves. Really? “Yup, it’s real,” James Schaffer, an L2, nodded. “It’s not widespread, and the opportunities for this type of virus to spread are not great, but it can get into computers through open mics, for example.”

Tim Woodworth, our Senior L2 — not someone who clicks on questionable links — said he was once infected by Reveton, and to this day he can’t figure out how he got it. “It was a few years ago,” he said. “I just turned my computer on one day, and there it was, all locked up. I wasn’t going to pay them any money, but it took me forever to rebuild my hard drive.”

L1 Supervisor Frank Lindsey said that the newer, more dangerous version of Reveton is called Cryptolocker. “There are a variety of ways you can get it – clicking an email link is only one of them – and it encrypts all of your files. Then, if you don’t pay the ransom in a certain number of days, the files can’t be decrypted and are lost. The thing that makes it so dangerous, though, is that it’s such well-written code there’s no antivirus for it.”

So what’s the best defense?

L2 Jeff Woods said first and foremost you should try to only click on reputable sources. By that, he means sites that have fewer ads. He likes surfing with Chrome because of its speed and because it has an ad-blocking extension. Also, Woods recommended that users install a 2-step protection: a daily quick-scan and weekly full-scan of a good anti-virus software, like Vipre, AVG, or Symantec (his favorite), and a monthly scan with anti-malware software, like Malwarebytes.

If all of that fails, and you still get infected, then what?

“Unless you’re really tech-savvy, don’t try to deal with it yourself,” Woods said. “Call your support company. We deal with this stuff so often, we can probably get rid of it quickly, depending on the virus, or help restore your hard drive, which you’ve hopefully had us back up for you on offsite storage.”

Yup, it’s a scary world out there, folks. But I feel much better about dealing with it, knowing I’ve got my Everon crew. Oh, and the FBI, of course.

(Photo: MIB 3, Columbia Pictures, 2012)