CryptoLocker hits

bob3160 · 2015-07-09T19:49:29.000Z

I can recommend the following:
https://www.ublock.org/

mchain · 2015-07-09T19:57:08.000Z

As for why CryptoLocker came in, file was modified to evade all a/v detection. Also, if running adobe flash, suggest removing and uninstalling it for now.

system · 2015-07-10T08:31:50.000Z

SpeedyPC post:3:

schmidthouse post:2:

CryptoPrevent

www.foolishit.com/cryptoprevent-malware-prevention/]https://www.foolishit.com/cryptoprevent-malware-prevention

I’ve used CryptoPrevent as well and I highly recommended you should include this software

Sorry, if this is off topic, but I don’t know how to Quote from one thread into a new one. I have gone onto the linked site at FoolishIT a number of times to download CryptoPrevent, and each time been worried by the appearance and reaction. It almost feels like an archetypical trap site. It freezes, responds unreliably and generally feels unsafe, so each time I have crashed out and scanned my machine afterwards. It has not up till now given any problems, but has anyone else been disturbed when visiting the site? I believe that it is what it says, but am never confident in it when I enter.

k.

PhilipFu · 2015-07-10T14:10:53.000Z

Hi MCHAIN,
Are u suggesting Cryptolocker came in as AD or AdobeFlash?
From what I read, Cryptolocker usually came in by email with ZIP file, but in my cases I believe came in through a site, either by some AD or flash.

Would you mind suggesting some reading link about this Cryptolocker.

Back to my original question; Is AVAST not good enough to detect and stops Cryptolocker?

essexboy · 2015-07-10T14:51:25.000Z

The bottom line is no as the droppers change on a daily basis, no AV as far as I am aware can block this until the variant is probably two days old
http://www.bleepingcomputer.com/forums/t/563169/after-a-brief-hiatus-malware-developers-release-cryptowall-30/page-14

mchain · 2015-07-10T18:22:31.000Z

As essexboy says:
https://en.wikipedia.org/wiki/CryptoLocker
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Removing avenues of attack and exploitation is a sound strategy. So removing Adobe Flash plug-in or disabling it to run only as needed would be a part of that strategy. Especially since authors are known to specifically target commercial businesses or institutions as files lost are more valuable to them than average consumer.

What modifying the CryptoLocker dropper means is that no antivirus can detect and block until a definition is created for it, not just Avast.

ItsAllGoodMan · 2015-07-10T19:58:09.000Z

This malware made me redo my entire computer, and I still have a long, long way to go to get everything setup to close to what I had.

I had the most recent updates to Avast. I had all of the security updates for Windows 7. I have a hosts file to help filter out a variety of bad websites. I’m not sure if this made a huge difference, but I had the second to most-recent version of Adobe Flash… I’m not sure if the most recent version would’ve made a difference.

All I did was visit a regular website that had at least one of these injecting ads (I don’t know if it was caused by Adobe Flash, JavaScript, or some other security flaw in Windows or IE). I didn’t click on any links or install anything… it just went off by visiting the website. Avast gave some pop-up warnings, and then I saw downloading activity. I then disconnected my Internet connection, but it was too late. I was able to go through the browser cache in IE to delete out everything, but the files were in a few different locations.

Explorer.exe seemed to be infected, and I couldn’t to anything to look through files and directories using it because the whole computer was very slow… it seemed like it was almost out of memory.

I used HijackThis to remove the bad entries and then rebooted, but that didn’t help. I ran a full scan with Avast… nothing. I scanned the computer with Windows Defender… nothing. I installed and scanned the computer with Malware Bytes… nothing. I ran TDSSKiller… nothing. I ran Microsoft’s Malicious Software Removal Tool… nothing. I ran ComboFix… nothing. Running in Safe Mode made no difference.

I looked into regedit and saw there was an entry for CryptoWall 3.0. It did list some of the files it supposedly compromised, but they appeared to be fine… possibly because I stopped the program before it had a chance to encrypt the files. I think the payment listing was to paypaymentto.com. I have no idea if just CryptoWall 3.0 was installed or if additional things were installed.

I was able to get the command prompt to come up, and I deleted out at least some of the files (as mentioned here: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information)… they were all named something like 1a1vasd.exe. This did nothing. It is also a huge pain to navigate around via the command prompt.

I thought I’d try the Internet again, so I reconnected… same problem as before… downloading and Avast alerting me with all these pop-up blocks that were ads being served from the a couple of IP addresses.

Because the computer was so slow and I did everything I could think of to fix this with no avail, I just gave up.

At least I had another PC to access the Internet and look things up with. I also have most of my files backed-up… luckily, the majority of them are unimportant.

So, Avast failed me tremendously. I am 1000% disappointed it didn’t prevent this virus/malware from getting so far out of hand. It has blocked all sorts of things over the years, but this failure is so bad that I am going to look into other anti-virus software.

It is also terrible that so many websites still use Adobe Flash. I’m not sure I will ever reinstall it.

schmidthouse · 2015-07-10T20:19:23.000Z

Yes very scary and as pointed out almost impossible to stop new variants

mchain · 2015-07-10T20:28:46.000Z

Thank you Para-Noid for the link:
https://blog.malwarebytes.org/malvertising-2/2015/07/directrev-malvertising-uses-self-sufficient-flash-0day/?utm_source=Gplus&utm_medium=social

bob3160 · 2015-07-10T20:41:15.000Z

ItsAllGoodMan post:12:

This malware made me redo my entire computer, and I still have a long, long way to go to get everything setup to close to what I had.
— snip —

Always having a fairly current image backup available is the only viable restore method short of paying if you’re infected.
There is no perfect protection so being prepared for a disaster needs to be done before the disaster happens.
[b]https://youtu.be/hZy5in3WNe4[/b]

Rednose · 2015-07-10T22:32:34.000Z

Hi ItsAllGoodMan, welcome to the forum

ItsAllGoodMan post:12:

So, Avast failed me tremendously. I am 1000% disappointed it didn’t prevent this virus/malware from getting so far out of hand. It has blocked all sorts of things over the years, but this failure is so bad that I am going to look into other anti-virus software.

You should realise that another AV will have the same problem, as Essexboy pointed out :

essexboy post:10:

The bottom line is no as the droppers change on a daily basis, no AV as far as I am aware can block this until the variant is probably two days old
http://www.bleepingcomputer.com/forums/t/563169/after-a-brief-hiatus-malware-developers-release-cryptowall-30/page-14

Bob3160 is right, that making regular image backups is essential !

Greetz, Red.

ItsAllGoodMan · 2015-07-11T00:37:09.000Z

The main thing was that what I was using to protect my computer gave me a false sense of security. Avast did give pop-up warning messages to show some things were being blocked, but it might as well have announced “Your computer is going to be extremely messed up, and there’s nothing Avast can do to stop it.”

I’m still not exactly sure what malware/virus was installed (it seemed different than what was described: https://blog.malwarebytes.org/exploits-2/2015/07/neutrino-ek-leverages-latest-flash-0day/ ), but it had something to do with CryptoWall 3.0 and explorer.exe… as I was trying to clear things off, I did notice a file displayed Asian (probably Korean) text in the Windows Explorer description area. I should have written down the 2 IPs that were being blocked over and over by Avast… I remember one started with 33.?.?.?, but that could pretty much point to anything.

The only thing I really would use Adobe Flash for is to watch videos or play Flash games. The time and aggravation of going through the “computer redoing” process doesn’t make either of those activities worth it, and I’m not going to reinstall Adobe Flash. I used to create simple, website animations using Flash while doing website development, but I’m no longer going to use Flash for anything. While it isn’t perfect yet, HTML5 is good enough for videos (like on YouTube) and some of the things Flash could do. While it could’ve been other things that caused the malware/virus problem, it definitely sounds like Adobe Flash created the security hole. There used to be tons of plug-ins back in the Netscape browser days… most of their usefulness disappeared as browsers improved. Just like the Java plug-in, the Adobe Flash plug-in will be uninstalled from most users’ browsers because of the constant security problems the plug-ins create.

After I’m all done with the reinstall/reconfiguration/setup, I’ll look into making a clone (ghost image) of the drive (any suggestions on the best application to use for this would be appreciated)… then, if something major happens, the redoing process shouldn’t take nearly as long… just the updates for Windows 7 took hours to download and install… that was something like 180 Windows 7 updates. I did already have most of my files already backed-up off of my computer, so I can just transfer things over when things are finally setup.

I’m curious what others would try if this happened to your computer… what steps would you take and what programs would you use to try and fix the problem (remove the virus/malware and restore the computer to how it was before the infection)?

bob3160 · 2015-07-11T02:20:39.000Z

Simple answer is to format the drive that contained the malware and restore the most recently created Image prior to the infection.
What to use for creation of an image already comes with windows.

ItsAllGoodMan · 2015-07-13T00:28:09.000Z

I finally have the computer set pretty much how I had it before. There is no way I am going to install Adobe Flash again. I also read there are two more security holes in Adobe Flash that haven’t been patched yet:
http://www.theregister.co.uk/2015/07/12/adobe_flash_zero_day_cve_2015_5122/

I just ordered a USB Flash drive for back-ups. I also downloaded and burned Redo Backup & Recovery (http://redobackup.org/). So hopefully, no other problems come up before I get a chance to actually make a back-up.

I recommend uninstalling the plug-in for Adobe Flash (and Java if you haven’t already). Definitely make a back-up of your hard drive.

bob3160 · 2015-07-13T11:42:09.000Z

If you intend to make an image backup, you’ll need more than a USB flash drive.
You’ll need an external hard drive to hold a full image backup.

Rednose · 2015-07-13T13:08:54.000Z

You definitely need an external harddrive.

I recommend to make an image of a fresh, clean and updated Windows installation, and to keep that as a starting point for a next time.
Also keep images from the last 6 - 8 week before you delete them, just in case.
And definitely keep them when you participate in Beta testing etc.

Greetz, Red.

schmidthouse · 2015-07-13T14:49:32.000Z

ItsAllGoodMan post:19:

I finally have the computer set pretty much how I had it before. There is no way I am going to install Adobe Flash again. I also read there are two more security holes in Adobe Flash that haven’t been patched yet:
http://www.theregister.co.uk/2015/07/12/adobe_flash_zero_day_cve_2015_5122/

I just ordered a USB Flash drive for back-ups. I also downloaded and burned Redo Backup & Recovery (http://redobackup.org/). So hopefully, no other problems come up before I get a chance to actually make a back-up.

I recommend uninstalling the plug-in for Adobe Flash (and Java if you haven’t already). Definitely make a back-up of your hard drive.

So did you install ‘CryptoPrevent’ ? ???

ItsAllGoodMan · 2015-07-13T16:57:14.000Z

My hard drive is 80GB, and I’m currently only using about 20GB of space. The 20GB includes all of the software I wanted to install and personal files. I really try not to store much on the hard drive just in case there is a problem. I also use CCleaner and PrivaZer, and that helps remove things that just waste space. The USB Flash drive I ordered holds 128GB, so the full disk image should fit. Are the backup disk images the exact since of the drive’s capacity or just about the size of what is stored on the drive?

I’ve looked at the CryptoPrevent website (https://www.foolishit.com/cryptoprevent-malware-prevention/), but I have not installed the software yet. I will look more into what the software does to prevent CryptoWall. I try not to have additional applications running all the time, and if there are security settings/changes I can manually make instead of installing the software I’d prefer to make them. Is CryptoPrevent that much better than following the steps mentioned here to manually secure the computer: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#prevent

I think the best thing to do was to just not install Adobe Flash. Software requiring regular updates because of potential security holes and is a regular target for malicious software attacks is not a good thing to install in the first place. So at the moment, it is pretty much just Windows and IE that have the potential for problems while using the Internet.

essexboy · 2015-07-13T17:44:53.000Z

Cryptoprevent does not run … It makes policy changes in the registry

schmidthouse · 2015-07-13T18:19:49.000Z

ItsAllGoodMan post:23:

My hard drive is 80GB, and I’m currently only using about 20GB of space. The 20GB includes all of the software I wanted to install and personal files. I really try not to store much on the hard drive just in case there is a problem. I also use CCleaner and PrivaZer, and that helps remove things that just waste space. The USB Flash drive I ordered holds 128GB, so the full disk image should fit. Are the backup disk images the exact since of the drive’s capacity or just about the size of what is stored on the drive?

I’ve looked at the CryptoPrevent website (https://www.foolishit.com/cryptoprevent-malware-prevention/), but I have not installed the software yet. I will look more into what the software does to prevent CryptoWall. I try not to have additional applications running all the time, and if there are security settings/changes I can manually make instead of installing the software I’d prefer to make them. Is CryptoPrevent that much better than following the steps mentioned here to manually secure the computer: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#prevent

I think the best thing to do was to just not install Adobe Flash. Software requiring regular updates because of potential security holes and is a regular target for malicious software attacks is not a good thing to install in the first place. So at the moment, it is pretty much just Windows and IE that have the potential for problems while using the Internet.

CryptoPrevent does not consume resourse in space or CPU.
As essexboy stated it only changes/add Reg Entries.

But hey, your security decision.

edit

Announcements