CryptoLocker hits

I am using Avast Pro on workstations; this particular Windows 7 Pro workstation has Avast Pro 9 running an auto-definition update every four hours.
First hit by CryptoLocker on June 24, so I changed to ANOTHER CLEAN Win7 workstation; second hit on July 7, same user, same sites visited.

For those familiar with CryptoLocker, there would be four HELP_DECRYPT.* files copied to folders on the infected computer (and network folders). Based on the IE temporary files' time stamps, it was during the same time the user was browsing MSN.com, so at this moment I believe it came from a link within the MSN.com site. But that is not my concern.

Two main concerns here:

  1. Why was Avast not able to completely stop this one-year-old CryptoLocker in 2015?

  2. When I try blacklisting the four known bad domains related to this CryptoLocker on two Netgear routers, it has no effect on either of them! (Sites entered but not being blocked!)

Could anyone comment on anything special about these four sites?
payoptvars.com
payforusa.com
paywelcomefor.com
payemarateslines.com

Your valuable experience to share is highly appreciated.

CryptoPrevent

https://www.foolishit.com/cryptoprevent-malware-prevention/

I’ve used CryptoPrevent as well and I highly recommend you include this software :wink:

Thanks guys,
In fact, after the first hit on 6/24, I added CryptoPrevent on the replacement computer.
The only exclusion is the startup folder.

Based on the event log, I could tell the Avast service was stopped by the virus at the time of infection, as it was logged as event 7031.

Does anyone have any idea about those four PAY* domains?
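As an added example (not code from this thread or from any of the tools named in it), the two checks below look for the indicators the posts describe: folders that contain HELP_DECRYPT.* ransom notes, and Service Control Manager event 7031 (service terminated unexpectedly) entries for the Avast service shortly before a note was written. The event lines, timestamps and folder names are constructed, and the CSV-style layout is an assumption about how an exported log would look.

```python
# Added example: detect HELP_DECRYPT.* ransom notes and correlate them with
# event 7031 (unexpected service termination) for the AV service. Sample data is constructed.
import os
import tempfile
from datetime import datetime, timedelta

RANSOM_NOTE_PREFIX = "HELP_DECRYPT."      # HELP_DECRYPT.TXT / .HTML / .PNG / .URL

def find_ransom_notes(root):
    """Return sorted folders under root that contain a HELP_DECRYPT.* file."""
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        if any(f.upper().startswith(RANSOM_NOTE_PREFIX) for f in files):
            hits.add(dirpath)
    return sorted(hits)

def parse_event_lines(lines):
    """Parse assumed 'timestamp, event_id, service' export lines into tuples."""
    events = []
    for line in lines:
        ts, event_id, service = (part.strip() for part in line.split(",", 2))
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), service))
    return events

def av_service_crashes(events, service_substring="avast", event_id=7031):
    """Timestamps of event 7031 entries whose service name mentions Avast."""
    return [ts for ts, eid, svc in events
            if eid == event_id and service_substring in svc.lower()]

def correlate(crash_times, note_mtime, window=timedelta(minutes=30)):
    """True if an AV service crash happened within `window` before the note was written."""
    return any(timedelta(0) <= note_mtime - t <= window for t in crash_times)

# Constructed sample data so the checks can be exercised offline.
SAMPLE_EVENTS = [
    "2015-07-07 14:02:11, 7036, avast! Antivirus",   # state change, not a crash
    "2015-07-07 14:05:40, 7031, avast! Antivirus",   # unexpected termination
    "2015-07-07 14:06:02, 7031, Print Spooler",      # unrelated 7031, ignored
]
NOTE_MTIME = datetime(2015, 7, 7, 14, 9, 30)         # constructed ransom-note write time

def demo_dir():
    """Build a throwaway tree holding one ransom note; return (root, hit folders)."""
    root = tempfile.mkdtemp()
    infected = os.path.join(root, "Documents", "Invoices")
    os.makedirs(infected)
    open(os.path.join(infected, "HELP_DECRYPT.TXT"), "w").close()
    return root, find_ransom_notes(root)
```

On a real machine, point find_ransom_notes at the user profile and mapped shares, and feed parse_event_lines with an export of the System log filtered to event 7031.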

Thank you for making the urls non-clickable.

Only one of the four is a valid URL: http://urlquery.net/report.php?id=1436470261302 Note the origin in Russia.
https://sitecheck.sucuri.net/results/www.payforusa.com
https://sitecheck.sucuri.net/results/payemarateslines.com
http://zulu.zscaler.com/submission/show/a5adc330dad360b35f4645ad05f59ccc-1436470508
http://zulu.zscaler.com/submission/show/e8e86d27a2b5ff42c08b2887984a405e-1436470789
http://zulu.zscaler.com/submission/show/136d4a5404c65e72db4f8fb78e242f9e-1436470923
http://zulu.zscaler.com/submission/show/e5ba2c14d103c1275781b5b739685a97-1436470992

The last three Zulu reports are the result of blacklisting status.

I suggest installing and running an ad-blocker in your browser(s), as a user cannot click what they cannot see: https://duckduckgo.com/?q=browser+ad-blocking+software

I can recommend the following:
https://www.ublock.org/

As for why CryptoLocker came in, the file was modified to evade all A/V detection. Also, if running Adobe Flash, I suggest removing and uninstalling it for now.

Sorry if this is off topic, but I don’t know how to quote from one thread into a new one. I have gone onto the linked site at FoolishIT a number of times to download CryptoPrevent, and each time been worried by its appearance and reaction. It almost feels like an archetypal trap site. It freezes, responds unreliably and generally feels unsafe, so each time I have bailed out and scanned my machine afterwards. It has not up till now given any problems, but has anyone else been disturbed when visiting the site? I believe that it is what it says, but am never confident in it when I enter.

k.

Hi MCHAIN,
Are you suggesting CryptoLocker came in as an ad or via Adobe Flash?
From what I read, CryptoLocker usually comes in by email with a ZIP file, but in my cases I believe it came in through a site, either by some ad or Flash.

Would you mind suggesting some reading links about this CryptoLocker?

Back to my original question: is Avast not good enough to detect and stop CryptoLocker?

The bottom line is no, as the droppers change on a daily basis; no AV, as far as I am aware, can block this until the variant is probably two days old.
http://www.bleepingcomputer.com/forums/t/563169/after-a-brief-hiatus-malware-developers-release-cryptowall-30/page-14

As essexboy says:
https://en.wikipedia.org/wiki/CryptoLocker
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Removing avenues of attack and exploitation is a sound strategy. So removing the Adobe Flash plug-in, or disabling it to run only as needed, would be a part of that strategy. Especially since the authors are known to specifically target commercial businesses or institutions, as files lost are more valuable to them than to the average consumer.

What modifying the CryptoLocker dropper means is that no antivirus, not just Avast, can detect and block it until a definition is created for it.

This malware made me redo my entire computer, and I still have a long, long way to go to get everything set up to something close to what I had.

I had the most recent updates to Avast. I had all of the security updates for Windows 7. I have a hosts file to help filter out a variety of bad websites. I’m not sure if this made a huge difference, but I had the second to most-recent version of Adobe Flash… I’m not sure if the most recent version would’ve made a difference.

All I did was visit a regular website that had at least one of these injecting ads (I don’t know if it was caused by Adobe Flash, JavaScript, or some other security flaw in Windows or IE). I didn’t click on any links or install anything… it just went off by visiting the website. Avast gave some pop-up warnings, and then I saw downloading activity. I then disconnected my Internet connection, but it was too late. I was able to go through the browser cache in IE to delete out everything, but the files were in a few different locations.

Explorer.exe seemed to be infected, and I couldn’t do anything to look through files and directories using it because the whole computer was very slow… it seemed like it was almost out of memory.

I used HijackThis to remove the bad entries and then rebooted, but that didn’t help. I ran a full scan with Avast… nothing. I scanned the computer with Windows Defender… nothing. I installed and scanned the computer with Malware Bytes… nothing. I ran TDSSKiller… nothing. I ran Microsoft’s Malicious Software Removal Tool… nothing. I ran ComboFix… nothing. Running in Safe Mode made no difference.

I looked into regedit and saw there was an entry for CryptoWall 3.0. It did list some of the files it supposedly compromised, but they appeared to be fine… possibly because I stopped the program before it had a chance to encrypt the files. I think the payment listing was to paypaymentto.com. I have no idea if just CryptoWall 3.0 was installed or if additional things were installed.

I was able to get the command prompt to come up, and I deleted out at least some of the files (as mentioned here: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information)… they were all named something like 1a1vasd.exe. This did nothing. It is also a huge pain to navigate around via the command prompt.

I thought I’d try the Internet again, so I reconnected… same problem as before… downloading, and Avast alerting me with all these pop-up blocks that were ads being served from a couple of IP addresses.

Because the computer was so slow and I did everything I could think of to fix this to no avail, I just gave up.

At least I had another PC to access the Internet and look things up with. I also have most of my files backed-up… luckily, the majority of them are unimportant.

So, Avast failed me tremendously. I am 1000% disappointed it didn’t prevent this virus/malware from getting so far out of hand. It has blocked all sorts of things over the years, but this failure is so bad that I am going to look into other anti-virus software.

It is also terrible that so many websites still use Adobe Flash. I’m not sure I will ever reinstall it.

Yes, very scary, and as pointed out, almost impossible to stop new variants.

Thank you Para-Noid for the link:
https://blog.malwarebytes.org/malvertising-2/2015/07/directrev-malvertising-uses-self-sufficient-flash-0day/?utm_source=Gplus&utm_medium=social

Always having a fairly current image backup available is the only viable restore method short of paying if you’re infected.
There is no perfect protection so being prepared for a disaster needs to be done before the disaster happens.
https://youtu.be/hZy5in3WNe4

Hi ItsAllGoodMan, welcome to the forum :slight_smile:

You should realise that another AV will have the same problem, as Essexboy pointed out:

Bob3160 is right that making regular image backups is essential!

Greetz, Red.

The main thing was that what I was using to protect my computer gave me a false sense of security. Avast did give pop-up warning messages to show some things were being blocked, but it might as well have announced “Your computer is going to be extremely messed up, and there’s nothing Avast can do to stop it.”

I’m still not exactly sure what malware/virus was installed (it seemed different than what was described: https://blog.malwarebytes.org/exploits-2/2015/07/neutrino-ek-leverages-latest-flash-0day/ ), but it had something to do with CryptoWall 3.0 and explorer.exe… as I was trying to clear things off, I did notice a file displayed Asian (probably Korean) text in the Windows Explorer description area. I should have written down the 2 IPs that were being blocked over and over by Avast… I remember one started with 33.?.?.?, but that could pretty much point to anything.

The only thing I really would use Adobe Flash for is to watch videos or play Flash games. The time and aggravation of going through the “computer redoing” process doesn’t make either of those activities worth it, and I’m not going to reinstall Adobe Flash. I used to create simple, website animations using Flash while doing website development, but I’m no longer going to use Flash for anything. While it isn’t perfect yet, HTML5 is good enough for videos (like on YouTube) and some of the things Flash could do. While it could’ve been other things that caused the malware/virus problem, it definitely sounds like Adobe Flash created the security hole. There used to be tons of plug-ins back in the Netscape browser days… most of their usefulness disappeared as browsers improved. Just like the Java plug-in, the Adobe Flash plug-in will be uninstalled from most users’ browsers because of the constant security problems the plug-ins create.

After I’m all done with the reinstall/reconfiguration/setup, I’ll look into making a clone (ghost image) of the drive (any suggestions on the best application to use for this would be appreciated)… then, if something major happens, the redoing process shouldn’t take nearly as long… just the updates for Windows 7 took hours to download and install… that was something like 180 Windows 7 updates. I did already have most of my files backed up off of my computer, so I can just transfer things over when things are finally set up.

I’m curious what others would try if this happened to your computer… what steps would you take and what programs would you use to try and fix the problem (remove the virus/malware and restore the computer to how it was before the infection)?

The simple answer is to format the drive that contained the malware and restore the most recently created image prior to the infection.
What to use for creating an image already comes with Windows. :slight_smile:

I finally have the computer set pretty much how I had it before. There is no way I am going to install Adobe Flash again. I also read there are two more security holes in Adobe Flash that haven’t been patched yet:
http://www.theregister.co.uk/2015/07/12/adobe_flash_zero_day_cve_2015_5122/

I just ordered a USB Flash drive for back-ups. I also downloaded and burned Redo Backup & Recovery (http://redobackup.org/). So hopefully, no other problems come up before I get a chance to actually make a back-up.

I recommend uninstalling the plug-in for Adobe Flash (and Java if you haven’t already). Definitely make a back-up of your hard drive.

If you intend to make an image backup, you’ll need more than a USB flash drive.
You’ll need an external hard drive to hold a full image backup. :slight_smile: