CryptoLocker hits

schmidthouse · 2015-07-10T20:19:23.000Z

Yes very scary and as pointed out almost impossible to stop new variants

mchain · 2015-07-10T20:28:46.000Z

Thank you Para-Noid for the link:
https://blog.malwarebytes.org/malvertising-2/2015/07/directrev-malvertising-uses-self-sufficient-flash-0day/?utm_source=Gplus&utm_medium=social

bob3160 · 2015-07-10T20:41:15.000Z

ItsAllGoodMan post:12:

This malware made me redo my entire computer, and I still have a long, long way to go to get everything setup to close to what I had.
— snip —

Always having a fairly current image backup available is the only viable restore method short of paying if you’re infected.
There is no perfect protection so being prepared for a disaster needs to be done before the disaster happens.
[b]https://youtu.be/hZy5in3WNe4[/b]

Rednose · 2015-07-10T22:32:34.000Z

Hi ItsAllGoodMan, welcome to the forum

ItsAllGoodMan post:12:

So, Avast failed me tremendously. I am 1000% disappointed it didn’t prevent this virus/malware from getting so far out of hand. It has blocked all sorts of things over the years, but this failure is so bad that I am going to look into other anti-virus software.

You should realise that another AV will have the same problem, as Essexboy pointed out :

essexboy post:10:

The bottom line is no as the droppers change on a daily basis, no AV as far as I am aware can block this until the variant is probably two days old
http://www.bleepingcomputer.com/forums/t/563169/after-a-brief-hiatus-malware-developers-release-cryptowall-30/page-14

Bob3160 is right, that making regular image backups is essential !

Greetz, Red.

ItsAllGoodMan · 2015-07-11T00:37:09.000Z

The main thing was that what I was using to protect my computer gave me a false sense of security. Avast did give pop-up warning messages to show some things were being blocked, but it might as well have announced “Your computer is going to be extremely messed up, and there’s nothing Avast can do to stop it.”

I’m still not exactly sure what malware/virus was installed (it seemed different than what was described: https://blog.malwarebytes.org/exploits-2/2015/07/neutrino-ek-leverages-latest-flash-0day/ ), but it had something to do with CryptoWall 3.0 and explorer.exe… as I was trying to clear things off, I did notice a file displayed Asian (probably Korean) text in the Windows Explorer description area. I should have written down the 2 IPs that were being blocked over and over by Avast… I remember one started with 33.?.?.?, but that could pretty much point to anything.

The only thing I really would use Adobe Flash for is to watch videos or play Flash games. The time and aggravation of going through the “computer redoing” process doesn’t make either of those activities worth it, and I’m not going to reinstall Adobe Flash. I used to create simple, website animations using Flash while doing website development, but I’m no longer going to use Flash for anything. While it isn’t perfect yet, HTML5 is good enough for videos (like on YouTube) and some of the things Flash could do. While it could’ve been other things that caused the malware/virus problem, it definitely sounds like Adobe Flash created the security hole. There used to be tons of plug-ins back in the Netscape browser days… most of their usefulness disappeared as browsers improved. Just like the Java plug-in, the Adobe Flash plug-in will be uninstalled from most users’ browsers because of the constant security problems the plug-ins create.

After I’m all done with the reinstall/reconfiguration/setup, I’ll look into making a clone (ghost image) of the drive (any suggestions on the best application to use for this would be appreciated)… then, if something major happens, the redoing process shouldn’t take nearly as long… just the updates for Windows 7 took hours to download and install… that was something like 180 Windows 7 updates. I did already have most of my files already backed-up off of my computer, so I can just transfer things over when things are finally setup.

I’m curious what others would try if this happened to your computer… what steps would you take and what programs would you use to try and fix the problem (remove the virus/malware and restore the computer to how it was before the infection)?

bob3160 · 2015-07-11T02:20:39.000Z

Simple answer is to format the drive that contained the malware and restore the most recently created Image prior to the infection.
What to use for creation of an image already comes with windows.

ItsAllGoodMan · 2015-07-13T00:28:09.000Z

I finally have the computer set pretty much how I had it before. There is no way I am going to install Adobe Flash again. I also read there are two more security holes in Adobe Flash that haven’t been patched yet:
http://www.theregister.co.uk/2015/07/12/adobe_flash_zero_day_cve_2015_5122/

I just ordered a USB Flash drive for back-ups. I also downloaded and burned Redo Backup & Recovery (http://redobackup.org/). So hopefully, no other problems come up before I get a chance to actually make a back-up.

I recommend uninstalling the plug-in for Adobe Flash (and Java if you haven’t already). Definitely make a back-up of your hard drive.

bob3160 · 2015-07-13T11:42:09.000Z

If you intend to make an image backup, you’ll need more than a USB flash drive.
You’ll need an external hard drive to hold a full image backup.

Rednose · 2015-07-13T13:08:54.000Z

You definitely need an external harddrive.

I recommend to make an image of a fresh, clean and updated Windows installation, and to keep that as a starting point for a next time.
Also keep images from the last 6 - 8 week before you delete them, just in case.
And definitely keep them when you participate in Beta testing etc.

Greetz, Red.

schmidthouse · 2015-07-13T14:49:32.000Z

ItsAllGoodMan post:19:

I finally have the computer set pretty much how I had it before. There is no way I am going to install Adobe Flash again. I also read there are two more security holes in Adobe Flash that haven’t been patched yet:
http://www.theregister.co.uk/2015/07/12/adobe_flash_zero_day_cve_2015_5122/

I just ordered a USB Flash drive for back-ups. I also downloaded and burned Redo Backup & Recovery (http://redobackup.org/). So hopefully, no other problems come up before I get a chance to actually make a back-up.

I recommend uninstalling the plug-in for Adobe Flash (and Java if you haven’t already). Definitely make a back-up of your hard drive.

So did you install ‘CryptoPrevent’ ? ???

ItsAllGoodMan · 2015-07-13T16:57:14.000Z

My hard drive is 80GB, and I’m currently only using about 20GB of space. The 20GB includes all of the software I wanted to install and personal files. I really try not to store much on the hard drive just in case there is a problem. I also use CCleaner and PrivaZer, and that helps remove things that just waste space. The USB Flash drive I ordered holds 128GB, so the full disk image should fit. Are the backup disk images the exact since of the drive’s capacity or just about the size of what is stored on the drive?

I’ve looked at the CryptoPrevent website (https://www.foolishit.com/cryptoprevent-malware-prevention/), but I have not installed the software yet. I will look more into what the software does to prevent CryptoWall. I try not to have additional applications running all the time, and if there are security settings/changes I can manually make instead of installing the software I’d prefer to make them. Is CryptoPrevent that much better than following the steps mentioned here to manually secure the computer: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#prevent

I think the best thing to do was to just not install Adobe Flash. Software requiring regular updates because of potential security holes and is a regular target for malicious software attacks is not a good thing to install in the first place. So at the moment, it is pretty much just Windows and IE that have the potential for problems while using the Internet.

essexboy · 2015-07-13T17:44:53.000Z

Cryptoprevent does not run … It makes policy changes in the registry

schmidthouse · 2015-07-13T18:19:49.000Z

ItsAllGoodMan post:23:

My hard drive is 80GB, and I’m currently only using about 20GB of space. The 20GB includes all of the software I wanted to install and personal files. I really try not to store much on the hard drive just in case there is a problem. I also use CCleaner and PrivaZer, and that helps remove things that just waste space. The USB Flash drive I ordered holds 128GB, so the full disk image should fit. Are the backup disk images the exact since of the drive’s capacity or just about the size of what is stored on the drive?

I’ve looked at the CryptoPrevent website (https://www.foolishit.com/cryptoprevent-malware-prevention/), but I have not installed the software yet. I will look more into what the software does to prevent CryptoWall. I try not to have additional applications running all the time, and if there are security settings/changes I can manually make instead of installing the software I’d prefer to make them. Is CryptoPrevent that much better than following the steps mentioned here to manually secure the computer: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#prevent

I think the best thing to do was to just not install Adobe Flash. Software requiring regular updates because of potential security holes and is a regular target for malicious software attacks is not a good thing to install in the first place. So at the moment, it is pretty much just Windows and IE that have the potential for problems while using the Internet.

CryptoPrevent does not consume resourse in space or CPU.
As essexboy stated it only changes/add Reg Entries.

But hey, your security decision.

edit

ItsAllGoodMan · 2015-07-13T19:28:24.000Z

I decided to just try out the manual Software Restriction Policies update described here:
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#manual

The only difference I noted was that for Windows 7 you can just go to Administrative Tools->Security Configuration Management instead of typing in Local Security Policy in the Start Menu search.

The steps to add the 8 new rules were very easy. I’m not sure how the changes will impact my system, but we’ll see how things go.

essexboy · 2015-07-13T19:33:46.000Z

The attached text file shows the elements that cryptoprevent changes

ItsAllGoodMan · 2015-07-13T20:53:53.000Z

Thanks for posting the file that shows what Cryptoprevent creates rules for.

It looks like the majority of the restrictions are on files that can run/execute (.bat, .cmd, .com, .exe, .js, .jse., .pif, and .scr), are in locations where programs should not be running, or are of files that appear to be named as multimedia/compression/MS Office files but are actual files that can run/execute. There also are restrictions on svchost.exe running in odd locations. And, cipher.exe, lsassvrtdbks.exe, lsassw86s.exe, scsvserv.exe, syskey.exe, and vssadmin.exe are restricted… it looks like all of these except ciphere.exe and vssadmin.exe are malware programs… does Avast already block all of these malware programs?

I’m not sure what this restriction does:
HKLM Group Policy restriction on software: ** <====== ATTENTION

ItsAllGoodMan · 2015-07-14T05:34:50.000Z

Exactly what I was saying… no more Adobe Flash:
http://www.cnet.com/news/gone-in-a-flash-facebook-says-adobes-plug-in-is-a-security-risk-no-longer-worth-taking/
https://twitter.com/alexstamos/status/620306643360706561

mchain · 2015-07-14T18:21:18.000Z

Adobe Flash gone from my Windows system for more than two months now:

HTML5: https://en.wikipedia.org/wiki/HTML5 No recommendation as to which browser HTML5 player to use.

midnight · 2015-07-14T18:51:13.000Z

http://www.zdnet.com/article/adobe-fixes-flash-zero-day-found-in-hacking-team-cache/

ItsAllGoodMan · 2015-07-14T22:21:07.000Z

Adobe may have fixed the current security holes, but who knows how many other, unreported ones there are.

From what I’ve noticed so far, most of the major video websites already use HTML5 video players. There were a few websites I had used that still only use Adobe Flash, so I contacted them and suggested that they drop Adobe Flash and just use HTML5. Hopefully, many more of them drop Adobe Flash.

As far as websites that are fully Adobe Flash-based, they need to have someone redevelop their website so that it doesn’t need any plug-ins, but I know that can be costly depending on the website. But, after they notice an increasing amount of people not being able to use their website because the users do not have Flash installed, they’ll end up have to spend the money on the redevelopment… redeveloping the website now would be a wise investment.

I’m not sure what can be done about the Adobe Flash/Shockwave game websites, but I did see there are some game websites that use HTML5. I’m surprised that any of these websites alternatively suggest installing the Java plug-in to play the games.

Announcements