True Story: Rescue From a Zero Day Virus

DoD photo 080303-N-0517H-003 by Shane Hollar, U.S. Navy. (Released)

A zero day virus, in the sense used here, is a brand-new piece of malware that has just been released into the wild and for which there is not yet any public information or antivirus signature. (Strictly speaking, "zero day" describes a vulnerability the vendor has had zero days to patch; the term is borrowed here for a sample that no antivirus product recognizes yet.) This is the story of how our team encountered and identified a new Cryptolocker variant, and then raced the clock to prevent its spread and further data loss.

Last week a client called in stating that their server was filling up with files carrying the extension .ECC. This was an extension we had never seen before, so it immediately flagged a potential threat to us.

According to our research, .ECC files are associated with DVDisaster, an application created by a developer named Carsten Gnörlich. This didn’t really make any sense; we doubted our client was using that application. And even if they were, why would it create .ECC files on their file server? We couldn’t figure it out.

Unless…!

Suddenly we realized we were dealing with a virus. We began scanning their file server with our antivirus and malware tools. But our tools came up empty. What gives?

Still playing on our virus-hunch, we decided to bring one of the .ECC files into our test environment. Carefully, we opened it up.

And there it was: a variant of Cryptolocker, in all of its terrible glory.

Our client’s network was infected.

We scoured the Internet but couldn’t find anyone, anywhere, who had seen this Cryptolocker variant. Not only were we dealing with a vicious form of ransomware, but, we realized, we were dealing with a zero day virus. There was no antivirus for it yet, because it was brand-new.

Our team has extensive experience dealing with Cryptolocker, so we had a baseline for this virus’s likely behavior. Cryptolocker first encrypts the files on the infected user’s own hard drive and then goes after every mapped network drive that user can write to. That means the encrypted files on the server were written by one infected workstation, so we immediately began looking for the host machine.

A host machine is the machine that introduced the virus into the network.
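One way to narrow down the host machine from the server side, as an added example that is not code from the Everon post: the account and client address that wrote the .ECC files belong to the infected machine. The log layout below is a constructed stand-in for the file-server write audit you would actually pull (on a Windows server, object-access auditing on the share); the users, addresses, paths and timestamps in it are made up for the example.

```python
"""
Find the workstation that introduced ransomware onto a file share.

Added example, not code from the Everon post. Cryptolocker encrypts the
local drive first and then every mapped share the infected user can write
to, so on the server the encrypted files are written by one account from
one client address. This groups writes of the encrypted extension by
(user, client IP). The CSV layout and every row of SAMPLE_LOG are
constructed for the example.
"""
import csv
import io
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
time,user,client_ip,path
2015-03-02T09:14:03,CORP\\alice,10.0.0.21,\\\\FS01\\Finance\\Q1\\budget.xlsx
2015-03-02T09:15:40,CORP\\bob,10.0.0.37,\\\\FS01\\Finance\\Q1\\budget.xlsx.ECC
2015-03-02T09:15:41,CORP\\bob,10.0.0.37,\\\\FS01\\Finance\\Q1\\forecast.docx.ECC
2015-03-02T09:15:42,CORP\\bob,10.0.0.37,\\\\FS01\\HR\\handbook.pdf.ECC
2015-03-02T09:20:10,CORP\\alice,10.0.0.21,\\\\FS01\\Finance\\Q1\\notes.txt
2015-03-02T09:21:05,CORP\\bob,10.0.0.37,\\\\FS01\\HR\\offer_letter.docx.ECC
"""


def find_origin(log_text: str, ext: str = ".ecc"):
    """Return the busiest writer of files ending in ext, or None if there were none.

    The result names the account and client address (the host machine), how
    many encrypted files it wrote, when it started, and which shares it hit.
    """
    writes = Counter()
    first_seen = {}
    shares = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        path = row["path"]
        if not path.lower().endswith(ext.lower()):
            continue
        key = (row["user"], row["client_ip"])
        ts = datetime.fromisoformat(row["time"])
        writes[key] += 1
        first_seen[key] = min(ts, first_seen.get(key, ts))
        # \\SERVER\Share\... : the share name is the fourth component
        parts = path.split("\\")
        shares.setdefault(key, set()).add(parts[3] if len(parts) > 3 else path)
    if not writes:
        return None
    (user, client_ip), count = writes.most_common(1)[0]
    return {
        "user": user,
        "client_ip": client_ip,
        "count": count,
        "first_seen": first_seen[(user, client_ip)],
        "shares": sorted(shares[(user, client_ip)]),
    }


if __name__ == "__main__":
    origin = find_origin(SAMPLE_LOG)
    if origin:
        print(f"Isolate {origin['client_ip']} ({origin['user']}): "
              f"{origin['count']} .ECC files since {origin['first_seen']}, "
              f"shares hit: {', '.join(origin['shares'])}")
```

The earliest write from the winning (user, client) pair is also your starting point for the restore: anything on the share modified after that timestamp by that account is suspect.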

Once you locate the culprit, you can remove Cryptolocker from the infected machine with your AV or malware tools. In this case, as a precaution, we decided to pack up the machine and wipe the hard drive completely. Cryptolocker has a nasty habit of encrypting files and hiding them on the hard drive. Because this was a zero day infection, we were not sure whether this variant had left any malicious files on the server, or anywhere else.

In past versions of Cryptolocker, once you found and killed the host machine, you could delete the files. (They are pretty much useless without the encryption key, and the files themselves are not malicious.) But since we weren’t sure, we decided to use our Microsoft partner account to reach out to the WOLF team.

WOLF is the team at Microsoft that is dedicated to security, vulnerabilities, and virus/malware removal. They are essentially the software world’s version of the Navy SEALs. They are fantastic. We called them up, and, like a true black ops team, they jumped in with their custom-built tool and scanned the server and the network, looking for any traces of the virus left behind.

The WOLF team was able to determine that the .ECC files were merely encrypted, and no further infection existed. They were also able to determine how the virus came into the network and what vulnerabilities caused this.
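The question the WOLF team answered, whether a dropped file is merely encrypted data or something that can execute, can be approximated without opening anything. The following is an added example, not the WOLF team’s tool or code from the Everon post: it looks for PE/ELF headers and then measures byte entropy, since encrypted (and compressed) data is close to uniformly random while documents, scripts and ransom notes sit well below that. The sample inputs are constructed inside the block.

```python
"""
Tell "merely encrypted" files from dropped executables without opening them.

Added example; not the WOLF team's tool or code from the Everon post.
Executables are recognized by their headers (MZ/PE for Windows, ELF for
Linux); everything else is judged by byte entropy. The cut-off of 7.5
bits/byte is an assumption that works for files of a few KB or more.
"""
import math
import os
from collections import Counter

PE_MAGIC = b"MZ"
ELF_MAGIC = b"\x7fELF"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_pe(data: bytes) -> bool:
    """MZ stub plus an e_lfanew that points at the 'PE\\0\\0' signature."""
    if data[:2] != PE_MAGIC or len(data) < 0x40:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(data: bytes, threshold: float = 7.5) -> str:
    """Return 'executable', 'encrypted-or-compressed' or 'plaintext-like'."""
    if looks_like_pe(data) or data[:4] == ELF_MAGIC:
        return "executable"
    if shannon_entropy(data) >= threshold:
        return "encrypted-or-compressed"
    return "plaintext-like"


def classify_file(path: str, sample_size: int = 4096) -> str:
    """Classify a file on disk from its first sample_size bytes (read-only)."""
    with open(path, "rb") as fh:
        return classify(fh.read(sample_size))


def fake_pe_header() -> bytes:
    """Constructed minimal MZ/PE header for the demo (not a real binary)."""
    hdr = bytearray(0x60)
    hdr[0:2] = PE_MAGIC
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


# Constructed inputs standing in for files pulled off the share.
SAMPLES = {
    "budget.xlsx.ECC": os.urandom(4096),                 # encrypted payload
    "ransom_note.txt": b"Your files are encrypted. " * 160,
    "dropper.exe": fake_pe_header(),
}


def triage_samples(samples=SAMPLES) -> dict:
    """Map each sample name to its classification."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:20s} {verdict}")
```

The caveat: high entropy proves only that the bytes are opaque. Zip-based Office documents, PDFs with compressed streams and installers score just as high, so treat "encrypted-or-compressed" as "not text and not a bare executable", and rely on the header checks, your AV, and, as here, a vendor team for the final word.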

We patched machines to keep them secure, and we also recommended that users do the following:

  1. Ensure your antivirus is up to date and properly scanning.
  2. Install a complementary malware scanner in addition to the antivirus. (We recommended Malwarebytes Pro.)
  3. Install AdBlock Plus in every Internet browser. This blocks unwanted ads and can also stop malicious ads from delivering anything to the browser.

With good, current backups, patching of Windows and third-party applications, and the steps above, I believe any company can stay safe online without taking away employees’ freedom to go where they choose.

For more information about Cryptolocker, or any security issues, feel free to call our engineers at Everon at 1-888-244-1748.

 

Can my phone get a virus? Should I use an antivirus on my Android device?


Hello to everyone reading this, and welcome to another “brain dump” of Tony! :) Today we are going to talk about viruses, malware, and Android devices — how they play together, and my thoughts on antivirus/anti-malware software. This is something quite a few people are curious about: “Can I get a virus on my phone? How would I know if I did have a virus or malware? How would I get rid of said infection? How do I protect myself going forward?”

I have wondered all this myself, honestly, and not until recently had I done research on it. Once I did the research, it really all made sense to me, so I am going to relay my findings, in my own words, and put it into perspective. Like anything else, technology is ever-advancing, and so are viruses and malware. When something new comes out, there is always someone breaking apart its code and creating infections that make everyone’s lives that much harder. That will never change! Since I am a heavy Android user, that’s what I am going to talk about.

When it comes to viruses and malware on phones, is it possible? Yes, it is very possible and is becoming more and more common. When you think of a virus, you think of it in the sense of what you’d experience on a computer. While they have some things in common, they differ a little bit in behavior. If you happen to get malware on your phone, it will more than likely be in the form of applications that look and act like legitimate apps; they might even look like ones you use on a daily basis. These are the targets, because if people think they’re on their normal apps, they are more comfortable putting in their personal information. That is the main purpose of this kind of malware: stealing information. Also, as with Internet browsers on PCs, malware on your phone can come in the form of those pesky popups, and of page redirects. One moment you are browsing your favorite news website, and the next thing you know you are taken to a website trying to sell you something (or worse, an “adult” page).

How would I get this on my phone? That’s a good question. In most instances the Google Play store is the biggest culprit, as that is the easiest way to target most Android users. Google Play is not as tightly policed as one would think; the process for getting your own app into the store is not that extensive. If you have ever just browsed the app store, you can see there are a ton of apps and different versions of the same thing. When you are downloading free apps or purchasing apps, make sure they are from a company that you know, or from the company itself. For example, if you were going to download the Facebook app, make sure it is published by Facebook and not some third-party vendor. Beware: some of the apps to which you grant permission to use your phone’s resources can, in the end, cost you a fortune. They have the ability to do things such as sending out texts without you even knowing. They can send texts to premium-rate numbers that cost more and can rack up a huge bill.

Now that that is out of the way, let’s talk about prevention. Of course, the best prevention is always being cautious about what you download and open. This, ultimately, is best, but it can also be difficult (because when applications look and act like real apps it’s hard to tell the difference). Next, some people use antivirus/anti-malware software. When it comes to using software like that, my suggestion would be to use a paid version and not a free version. Just as with programs on a PC, the free versions are limited and lack the things that matter most. Also, when using such a program on your phone, be aware of the performance issues you may face, as well. They tend to run frequently, which slows down your phone, eats up your battery, and the notifications can become annoying.

In all of this, there are many options to help protect yourself, but the biggest tool you have is knowledge. And a company, such as Everon, to help educate you. If you have any questions about security on your devices, or have a question about an app before you download it, please feel free to reach out to us (888-244-1748 or [email protected]). We are always more than happy to help!

 

Five Things You Should Do to Clean Your Computer This Weekend


Fall cleaning? Don’t forget your computer!

There’s no time like now to get in all that fall cleaning you want to do before the holiday season kicks in. So why leave your computer out of all the fun? I asked the techs at Everon what they would do to clean their own computers. Here are their top five responses:

1.      Run a virus and/or malware scan. If you don’t want to spend the time running both, pick one and do the other later. Antivirus programs such as Avast, AVG, or Symantec, and malware removal programs such as Malwarebytes, are available, several of them with free versions. Each of these scans could take several hours. A good idea is to start the scan before you go to bed and let it run all night, while you sleep.

2.      Get rid of extra programs that you don’t need. A lot of times, when you download or install new software, you’re also saddled with extra programs you neither asked for nor need. Those can be a real memory-suck. Look for ones that redirect your browser. (Any extra toolbars on your Internet browser?) Now is a good time to uninstall these pieces of baggage. Also, bloatware – preinstalled software on a device – is another nuisance. Check out this blog, by James, for one way to get rid of it. This process should take around 30-45 minutes.

3.      Blow the dust or lint out of your system, especially the fans. This can be done with one of those handy cans of compressed air, available at just about any store that sells office supplies, or with an air compressor. If you haven’t done it in a while there will be a lot of dust, so you may want to take your computer outside. Remove the outer casing and blow away. (Note: do not use your breath! The moisture from your mouth can damage components on the board. Plus, if you get too close to all that dust you will probably sneeze.) Pay particular attention to getting those dust bunnies out of the fans. If they stay clogged up, your computer can overheat.

4.      Clean your keyboard. While you’re taking your computer outside to power-blow it, unplug and bring along your keyboard. Tilt it upside down, and blow it out, too. You will be both grossed out and amazed at what falls out of there. But all of that stuff can build up between the keys and make them stick or not work properly.

5.      Clean your screen, mouse, and keyboard (again). As long as we’re doing a proper cleaning, let’s do it right. You can get out the isopropyl (rubbing) alcohol and cotton swabs, or you can just buy pre-moistened, disposable electronic wipes (my preference). Wipe down your computer screen and your mouse. Pay attention to the buildup on the mouse’s underside. Also, before you plug your keyboard back in, give the keys a good wipe down. These last three steps will take you 30 minutes or less.

There, all done. This entire process can take an hour or so (not including the scan that ran while you were asleep), but once done your computer will run more efficiently. You can add years on to the life of your machine with regular maintenance like this. Not to mention how good it feels to have a sparkly-clean desktop. ;)

Tech Tips for Techs: Little-known, extra steps for CryptoWall and Cryptolocker cleanup


Hello all! Today I would like to contribute some information to something we had previously put out when talking about CryptoWall and CryptoLocker. The previous blog posts talked about the virus itself and what actions to take if you become infected with it. In addition to that, I would like to provide instructions on what further actions to take.

Today I received a call from a client on whose system I had recently cleaned up an infection and restored their data from a backup. She told me that the computer that had been the original culprit was once again popping up the decrypt instructions, and she was concerned that it was infected again. She took the actions I had told her to take and disconnected the network drive so it wouldn’t spread. I jumped on that machine and, sure enough, the web page had returned.

I scanned the computer with a malware removal tool, but, to my surprise, nothing showed up. Then I started rifling through the “My Documents” directory. Voila! I found the three “decrypt instructions” that get put in every directory that gets encrypted. (These are files that Crypto drops onto infected machines and servers, telling victims where to send their money, etc. But they are text and HTML files, not harmful in and of themselves.) At this point, I just shook my head.

When I’d performed the original cleanup, and every cleanup I have done since then, I did NOT remove these files. When I’d done the scans for the malware and deleted the malware itself, I’d assumed that those files were part of it and would get removed, as well. With the scan coming back clean and the data restored, I’d sent them on their merry way. But those files are not malware and obviously would not show up on the scans.

Moral of the story: ALL of those files need to be deleted, or they will keep popping up from time to time, since one of the three is an HTML file that opens in the browser. Once you have scanned and cleaned up the malware, search the C drive and every other data drive for *decrypt* and find and delete all the decrypt-instruction files. Set one copy of each aside first: the notes are harmless on their own, and they identify the variant if you later need help with the data. In this case I made a wrongful assumption that caused widespread panic.
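The search-and-delete step above, written out as an added example rather than code from the Everon post. The note file names are constructed for the demo (the post only says three notes land in every encrypted folder, one of them HTML); the broad *decrypt* search matches what the post describes, and a stricter exact-name pass is what you should run before deleting anything, because the broad search also catches a user’s own file with “decrypt” in its name. One copy of each note is moved to an evidence folder, the rest are deleted.

```python
"""
Find and clear ransom-note files left after the malware itself is gone.

Added example, not code from the Everon post. NOTE_NAMES are constructed
for the demo. The cleanup keeps one copy of each note in an evidence
folder (the note identifies the variant) and deletes every other copy.
"""
import pathlib
import shutil
import tempfile

NOTE_NAMES = {"DECRYPT_INSTRUCTION.TXT", "DECRYPT_INSTRUCTION.HTML",
              "DECRYPT_INSTRUCTION.URL"}   # constructed names for the demo


def build_sample_tree() -> pathlib.Path:
    """Create a throwaway profile tree seeded with notes plus two innocent files."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="crypto_cleanup_"))
    for sub in ("Documents", "Documents/Reports", "Pictures"):
        folder = root / sub
        folder.mkdir(parents=True, exist_ok=True)
        for name in NOTE_NAMES:
            (folder / name).write_text("constructed ransom note\n")
    (root / "Documents" / "report.docx").write_bytes(b"PK\x03\x04constructed")
    (root / "Documents" / "decrypt_notes_for_IT.txt").write_text("the user's own notes\n")
    return root


def find_ransom_notes(root, exact: bool = False) -> list:
    """List files whose name contains 'decrypt' (the post's *decrypt* search).

    exact=True matches only the known note names; run that before deleting,
    because the broad search also catches 'decrypt_notes_for_IT.txt'.
    """
    hits = []
    for path in pathlib.Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.upper()
        if (name in NOTE_NAMES) if exact else ("DECRYPT" in name):
            hits.append(path)
    return sorted(hits)


def clean_up(root, evidence_dir):
    """Keep one copy of each note in evidence_dir, delete every other copy."""
    evidence_dir = pathlib.Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    kept, deleted = [], []
    for path in find_ransom_notes(root, exact=True):
        target = evidence_dir / path.name.upper()
        if target.exists():
            path.unlink()
            deleted.append(path)
        else:
            shutil.move(str(path), str(target))
            kept.append(target)
    return kept, deleted


if __name__ == "__main__":
    root = build_sample_tree()
    evidence = root.parent / (root.name + "_evidence")
    print("broad search:", len(find_ransom_notes(root)), "files (review before deleting)")
    kept, deleted = clean_up(root, evidence)
    print(f"kept {len(kept)} for evidence, deleted {len(deleted)}")
    print("exact search afterwards:", find_ransom_notes(root, exact=True))
    shutil.rmtree(root)
    shutil.rmtree(evidence)
```

On a real machine, point `find_ransom_notes` at each drive root, print the broad list, and only then run `clean_up` with the exact names that your variant actually dropped.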

However, sometimes you just have to learn as you go. ;)

If you need help from truly experienced techs, give us a call at 888-244-1748. We treat your technology as though it’s our own.

Tech Tips for Techs (Intermediate Level): Analyzing Questionable Emails


CAUTION: Some of the following steps are above the level of beginners. If you are unsure about anything you read here, please call us at Everon (888-244-1748) and we can help you through it.

Sooner or later everyone receives an email that looks legitimate, but you have a feeling it could be a scam or a virus waiting to attack. Here are a few examples of questionable emails:

  1. From someone you know, but off topic.
  2. From a Company/Vendor warning of a problem with your account.
  3. Announcing you have a voicemail/fax waiting for you.
  4. Official-looking email from your bank requesting you to login.

It is always a difficult choice. If this is a legitimate email I need to follow through, but if it is a hoax it can cause a lot of problems I don’t need right now. What to do…?

First, do not open any attachments or click on any links in the email. Now, if your company has procedures in place to address questionable emails, follow the recommended steps. Otherwise I recommend that you contact the sender and question the email.

  • From an individual: create a new email to them expressing your concern.
  • From a known company/vendor: call them and question the email.
  • From a new/unknown source: notify your supervisor. Do not open, do not click inside the email, and do not forward.
  • From a company/bank regarding a personal matter: call them or log in to the site AS YOU NORMALLY WOULD. Do not use the link in the email.

I know, I know, none of this is new to you. That being the case, let’s take a questionable email and break it down.

NOTE: It is important that you are familiar with “hovering.” When you place the mouse pointer over an object WITHOUT CLICKING, your mail client or browser shows a popup (or a status-bar message) with additional details, such as the real address behind a link. Do not click while hovering, as clicking runs whatever code is attached to the object.

[Screenshot: ATT1]

Here is an email I recently received in my Hotmail account. At first glance everything seems okay. But let’s take a closer look at a few problems:

Wrong “From” email address

At the top of this email you can see that “From” is A T & T <hc6DqrJv.yiTuN.com>. Because I have configured my email to display both the label and actual address, I can see the actual email address.

You may only see the A T & T if you received this email. In that case, just hover over the A T & T and the popup will show you <hc6DqrJv.yiTuN.com>.

When you send an email, you can display your name in the “From” field (instead of displaying your email address). This is a very common and useful feature, but in this case it is being used to hide things from you. So now we know this is not really from AT&T but from some cryptic email address. This alone is enough to let you know to just delete this email.

Embedded links do not take you to AT&T

Now let’s take a look at the actual email. Really, everything looks fine: a known AT&T image, standard formatting and wording – nothing to lead you to believe this is a scam. That is, nothing until you hover over the links.

[Screenshot: ATT2]

The hover-text tells us that if we click on this link we will NOT be sent to an AT&T website. We will end up at  http://masefieldsaidelqd…. All the links in this email go to the same location. Again, this alone is enough to let you know to just delete this email.

Email Header Analyzer

Every email that is sent has embedded information that describes the path it took from the sender to you. This is called the Email Header and it’s not very easy to read. Here is the actual Email Header for our sample.

x-store-info:4r51+eLowCe79NzwdU2kR3P+ctWZsO+J
Authentication-Results: hotmail.com; spf=pass (sender IP is 87.124.110.208)
[email protected]; dkim=none header.d=yiTuN.com; x-hmca=none
[email protected]
X-SID-PRA: [email protected]
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
X-Message-Info:
c21WZ1hAltI9DuizMAEE2QECpxSZUGZG4j2P0KvnFQ5Oq/wSiAiPSbOCWW7QmZMDONMEcOBjWMXYV9Dk2G3eyZRiTxZAdBpO5E1Xr5SqiAWdiuxGlA3k5kj+R//OvPfE4Jw5jOmv8EAwIUCNmc79xJKcP4737N1Q+CskaetIvY9RRY9PhyoYAHA+325kAM7Fj2b6LXibNlbSbtyWUAyW2QNDR/0bZpc
Received: from lzZGq2WEGeQ.com ([87.124.110.208]) by COL004-MC3F55.hotmail.com with Microsoft SMTPSVC(7.5.7601.22712);
Thu, 10 Jul 2014 01:25:28 -0700
From: =?utf-8?b?QSBUICYgVA==?=  <[email protected]>
Message-ID: <[email protected]>
Subject: XXXXXXXX, =?utf-8?b?TGltaXRlZC10aW1lIG9ubHk6IFNlZSBvdXIgRiBSIEUgRSBwaG9uZXMh?=
Reply-To: <[email protected]>
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
Bcc:
Return-Path: [email protected]
X-OriginalArrivalTime: 10 Jul 2014 08:25:28.0568 (UTC) FILETIME=[81AB7780:01CF9C18]
Date: 10 Jul 2014 01:25:28 -0700

That’s a lot of very obscure data. But don’t worry, there are free online tools that will break this down for you. One of my favorites is http://www.iptrackeronline.com/email-header-analysis.php. Just paste the header into the box and press submit header for analysis. Scroll down and you will see the following:

[Screenshot: ATT3]

Very interesting: the email originated from an IP address in the United Kingdom. Geolocation on its own is only weak evidence (companies send mail from many places), but taken together with the sender and link mismatches above it is enough to let you know to just delete this email. Note also that the spf=pass in the Authentication-Results line is not reassurance: SPF only confirms that the sending IP is permitted to send for the domain in the Return-Path, which the spammer controls, and says nothing about whether the message has anything to do with AT&T.
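The manual checks from the last two sections (hovering over the links, decoding the From name and Subject, and reading the sender domains, relay IPs and SPF verdict out of the header) as one script. This is an added example, not code from the Everon post or the online tools it recommends. SAMPLE is a constructed message: the encoded From name and Subject, the Received line and the link domain are taken from the post, while the mailbox addresses (which the post obscures) and the HTML body are placeholders.

```python
"""
Triage a suspicious email: decode encoded-word headers, compare the From,
Reply-To and Return-Path domains, pull relay IPs and the SPF verdict, and
list every link whose destination is not the brand the mail claims.

Added example, not code from the Everon post. SAMPLE is constructed: the
mailbox addresses and the HTML body are placeholders.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE = """\
Authentication-Results: hotmail.com; spf=pass (sender IP is 87.124.110.208)
 smtp.mailfrom=sender@yiTuN.com; dkim=none header.d=yiTuN.com
Received: from lzZGq2WEGeQ.com ([87.124.110.208]) by COL004-MC3F55.hotmail.com with Microsoft SMTPSVC(7.5.7601.22712);
 Thu, 10 Jul 2014 01:25:28 -0700
From: =?utf-8?b?QSBUICYgVA==?= <sender@yiTuN.com>
Reply-To: <sender@yiTuN.com>
Return-Path: sender@yiTuN.com
Subject: =?utf-8?b?TGltaXRlZC10aW1lIG9ubHk6IFNlZSBvdXIgRiBSIEUgRSBwaG9uZXMh?=
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p><a href="http://masefieldsaidelqd.com/r?u=1">See our FREE phones</a></p>
<p><a href="http://masefieldsaidelqd.com/r?u=2">www.att.com/wireless</a></p>
<p><a href="https://www.att.com/privacy">Privacy policy</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect [href, visible text] for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._open = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href", ""), ""])
            self._open = True

    def handle_data(self, data):
        if self._open and self.links:
            self.links[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False


def _domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _belongs_to(host, brand: str) -> bool:
    host = (host or "").lower()
    return host == brand or host.endswith("." + brand)


def triage(raw: str, brand: str = "att.com") -> dict:
    """Extract the indicators the post checks by hand and list findings."""
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    reply_to = msg["Reply-To"]
    auth = str(msg.get("Authentication-Results", ""))
    received = " ".join(str(h) for h in msg.get_all("Received", []))
    spf = re.search(r"\bspf=(\w+)", auth)
    links = _LinkCollector()
    links.feed(msg.get_content())
    r = {
        "from_name": sender.display_name,
        "from_domain": sender.domain.lower(),
        "reply_to_domain": reply_to.addresses[0].domain.lower()
        if reply_to and reply_to.addresses else "",
        "return_path_domain": _domain_of(str(msg.get("Return-Path", ""))),
        "subject": str(msg["Subject"]),
        "received_ips": re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received),
        "spf": spf.group(1) if spf else None,
        "off_brand_links": [(text.strip(), href) for href, text in links.links
                            if not _belongs_to(urlparse(href).hostname, brand)],
        "findings": [],
    }
    f = r["findings"]
    if not _belongs_to(r["from_domain"], brand):
        f.append(f"display name {r['from_name']!r} but sending domain is "
                 f"{r['from_domain']!r}, not {brand}")
        if r["spf"] == "pass":
            f.append(f"spf=pass only means the relay may send for "
                     f"{r['from_domain']!r}; it says nothing about {brand}")
    for label in ("reply_to_domain", "return_path_domain"):
        if r[label] and r[label] != r["from_domain"]:
            f.append(f"{label} {r[label]!r} differs from the From domain")
    if r["off_brand_links"]:
        f.append(f"{len(r['off_brand_links'])} link(s) lead outside {brand}: "
                 + ", ".join(href for _, href in r["off_brand_links"]))
    return r


if __name__ == "__main__":
    for line in triage(SAMPLE)["findings"]:
        print("-", line)
```

`brand` is the organization the message claims to be from; the script flags the From domain, the SPF result and every link that does not resolve under it. The relay IPs come out in header order (closest to you first), which is the list you would paste into a geolocation or blacklist lookup.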

Blacklisted Domains and URLs

If you are still not sure, you can use another free service called a blacklist check. One of my favorites is http://mxtoolbox.com/blacklists.aspx (which also has an email header analyzer). Just enter the domain from the link we found by hovering (http://masefieldsaidelqd.com/) and press Blacklist Check.

[Screenshot: ATT4]

No surprise, the address is blacklisted (identified as a known source of spam and malicious emails). So now we have more than enough evidence to delete the email and notify our supervisor.

Always keep in mind that the best thing to do is alert your supervisor and/or your IT team immediately when you suspect you have a malicious email. It is always better to be safe than sorry.