Cryptovirus virus - no AV update yet


GeoffW1
24-10-2013, 02:20 PM
Hi,

Here's a nasty virus to watch out for, very pernicious

http://windowssecrets.com/top-story/cryptolocker-a-particularly-pernicious-virus/

(It's a safe link) I'm going to try out the "Local Software Restriction Policies under the Security Settings heading". If I find out anything useful I'll report in :thumbsup:

Cheers

akjudge
25-10-2013, 09:16 AM
GeoffW1,

Here is a link (safe) to probably the best info on Cryptovirus from bleeping computer:

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Here is another link (safe) for the free software (referred to in the above article) that will prevent the Cryptovirus:

http://www.fooli****.com/vb6-projects/cryptoprevent/

For those who don't know, this virus will encrypt your files, then demand a ransom ($100 to $300) to get a key to de-encrypt them. They give you 96 hours or the files will remain encrypted permanently. No current virus protection program appears able to block it.

Hope this helps,

Jim

bojan
25-10-2013, 09:55 AM
This link is not complete ??

multiweb
25-10-2013, 10:11 AM
Without going to extremes there are a few ways to avoid infection in the first place:

1_ don't open zip files in emails from unknown senders.
2_ make sure you keep your Java platform updated.
3_ watch out for video driver update notifications

Also if you have back ups you can get your files back. A disk image should do the trick.

adman
25-10-2013, 01:17 PM
Only if your backup disk is not connected to your PC otherwise it will be encrypted too....

multiweb
25-10-2013, 01:26 PM
Backups should always be external and only connected during back up or retrieval. If you're infected then I don't think it can be cleaned. The only alternative would be to do a bare metal restore with a blank drive.

GeoffW1
25-10-2013, 03:40 PM
See the trouble they cause? Damned pests ;)

Astro_Bot
25-10-2013, 04:29 PM
Use Linux! :D

multiweb
25-10-2013, 04:53 PM
hmm... that's not a solution. That's a punishment. :P

Exfso
26-10-2013, 09:21 AM
I have myself one of these, now it will remove the virus, but if your files are encrypted, you are basically stuffed.

http://store.fixmestick.com/fixmestick


I emailed them last night and this was their reply:

The FixMeStick will remove the Cryptolocker virus off your computer if in the case you do accidentally get it. However, if the virus encrypts your files the FixMeStick (or anyone) will not be able to decrypt your files without the key from the author of Cryptolocker. Which means you would have to pay them. I strongly suggest to keep back-ups of your files regularly and also have system restore points. That way if you do get the virus then the FixMeStick will remove it and you will have either a copy of your files or be able to go back to a restore point before you got the virus and still have them.
This is one particularly nasty virus..:mad2:

bojan
26-10-2013, 10:04 AM
If there is a cleansing agent for this nasty, there should also be some sort of vaccine.. or not?
Once half of your files are gone, it's already too late.

More on this:
http://news.techworld.com/security/101947/kaspersky-finds-workaround-for-crypto-virus/
http://www.networkworld.com/news/2008/060508-crypto-virus.html

RickS
26-10-2013, 12:25 PM
This malware (it's not a virus) is similar to file encryption programs that people use to ensure privacy of their files. Since the latest version uses strong encryption you need to know the original key to decrypt the data. If the bad guys didn't leave that key lying around on your computer then you're almost certainly out of luck.

The only chances for a "vaccine" are attacking potential weaknesses in the malware. Perhaps the key it uses is predictable, or perhaps the NSA knows how to break RSA encryption and will tell us :lol:

Cheers,
Rick.

Barrykgerdes
26-10-2013, 05:19 PM
Encryption of files

Decrypting of encrypted data on a digital storage device relies on being able to read it back un-encrypted.

This places some limitations on how you can scramble the file, e.g. it will be a standard byte with a start and stop bit (or two) even if these are also encrypted.

The simple method of encryption is to generate a key using one of the key generating algorithms and add it algebraically to the unencrypted data stream.

These keys will normally have a finite length so that when the sequence gets to a given point it reverts to the start.

The secret is to know the point on the key that is the start point for the encryption.

This can be found from a plain copy of a file that has been encrypted

If you know the algorithm, decryption without the key involves feeding the key stream and the encrypted data into a set of registers and adding them together again.

Step the key forward one bit at a time to the file and when the key is in sync the output will be your decrypted file.

One way we used to sync the two streams was to look for a sequence of 15 start/stop bits in the correct place. This also works if the file is double encrypted.

Big Brother has all the gear to decrypt encrypted files so don't think encrypting data on your HDD will save you if you get caught with something you should not have! ;):P:question::D

Barry
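Barry's description amounts to a known-plaintext attack on a repeating-keystream XOR cipher, and RickS's reply below explains why it does not carry over to CryptoLocker. The Python script that follows is an added illustration, not code from anyone in this thread: it builds that toy cipher (the 16-byte key table, the two sample "files" and the `DOC1.0` header are all constructed here), follows Barry's steps of recovering the keystream from one file whose plain copy is known, finding the start point, and sliding the key over a second file until the header lines up, and then shows that the same steps recover nothing once every file is encrypted under its own random key.

```python
import os

# Constructed for this example: a 16-byte key table with all-distinct bytes,
# standing in for the output of a "key generating algorithm" that the
# analyst is assumed to know (Barry's premise).
KEY_PERIOD = 16
SHARED_KEY = bytes.fromhex("a35c1f88e247b90d6ef12ac4739b58d6")

# Constructed sample "files". Each starts with a fixed header, which plays
# the role of the file-format markers discussed in the thread.
HEADER = b"DOC1.0\r\n"
FILE_A = HEADER + b"Invoice 2013-10-25: total due AUD 1,250.00\n"
FILE_B = HEADER + b"Client list: Acme Pty Ltd, Jones & Co, Smith Ltd\n"


def keystream_xor(data, key, offset=0):
    """Toy stream cipher: XOR each byte with a key that repeats every
    len(key) bytes, starting from position `offset` in the key table
    (Barry's 'start point'). XOR is its own inverse, so this also decrypts."""
    n = len(key)
    return bytes(b ^ key[(offset + i) % n] for i, b in enumerate(data))


def recover_keystream(plaintext, ciphertext):
    """Known-plaintext step: cipher XOR plain gives back the keystream bytes."""
    return bytes(c ^ p for c, p in zip(ciphertext, plaintext))


def find_start_point(key, recovered):
    """Step the key table forward one position at a time until it lines up
    with the recovered keystream. With all-distinct key bytes exactly one
    shift can match."""
    n = len(key)
    for shift in range(n):
        if all(recovered[i] == key[(shift + i) % n] for i in range(len(recovered))):
            return shift
    return None


def in_sync(candidate):
    """Sync test standing in for 'start/stop bits in the correct place':
    a correct decryption reproduces the known file header."""
    return candidate.startswith(HEADER)


def decrypt_by_sliding(ciphertext, key):
    """Decrypt a file whose start point is unknown by trying every shift of
    the key and keeping the one that passes the sync test."""
    for shift in range(len(key)):
        candidate = keystream_xor(ciphertext, key, shift)
        if in_sync(candidate):
            return shift, candidate
    return None


def shared_key_scenario():
    """Barry's case: one key table reused for every file, unknown start points."""
    ct_a = keystream_xor(FILE_A, SHARED_KEY, 5)
    ct_b = keystream_xor(FILE_B, SHARED_KEY, 11)
    start_a = find_start_point(SHARED_KEY, recover_keystream(FILE_A, ct_a))
    return start_a, decrypt_by_sliding(ct_b, SHARED_KEY)


def per_file_key_scenario():
    """The case RickS describes: a fresh random key for every file. The
    keystream recovered from file A carries no information about file B,
    so no shift passes the sync test and the function returns None."""
    ct_a = keystream_xor(FILE_A, os.urandom(KEY_PERIOD))
    ct_b = keystream_xor(FILE_B, os.urandom(KEY_PERIOD))
    key_from_a = recover_keystream(FILE_A, ct_a)[:KEY_PERIOD]
    return decrypt_by_sliding(ct_b, key_from_a)


if __name__ == "__main__":
    start, (shift_b, plain_b) = shared_key_scenario()
    print("file A start point:", start, "| file B start point:", shift_b)
    print("file B recovered:", plain_b.decode())
    print("per-file random keys:", per_file_key_scenario())
```

The shared-key run recovers file B without ever seeing its plain copy, which is exactly the weakness Barry relies on. The per-file run shows why the comparison trick acropolite reports later in the thread recovered one file and nothing else: with an independent key per file there is no shared keystream to slide into place, and with a properly random key of the file's own length the sync test never passes.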

RickS
26-10-2013, 08:11 PM
Barry,

Start and stop bits are only used on serial data during transmission. They are not stored in data files.

I think you'll find that modern day encryption and cryptanalysis techniques have moved on a little from what you're describing. You won't be breaking a system that uses a unique 2048 bit RSA key pair each time with a plain text attack or a brute force key search.

Cheers,
Rick.

Barrykgerdes
27-10-2013, 04:33 PM
Yes I would be surprised if they had not. However I did not want to get too far into encryption. The point I was trying to make is that a code that is electronically generated must follow some rule and the key to decryption without a key is to know exactly what has been encoded. A data stream on a HDD does not use start and stop bits on each byte but it does use markers to know where the data starts and stops.

Barry

RickS
27-10-2013, 04:49 PM
It is true that there are a variety of headers and trailers at the physical disk and the filesystem level which you could consider analogous to start and stop bits but they are irrelevant here. CryptoLocker encrypts at the file level and it's not hard to tell what has been encrypted.

Cheers,
Rick.

AdrianF
05-11-2013, 01:50 PM
:lol::lol::lol:

Adrian

hotspur
05-11-2013, 09:14 PM
Not good. Sounds bad.

A lady at a lab said her work friend got it, he apparently had a bad habit of opening everything, and the screen went black, said it was federal police, and pay up.

As has been previously mentioned, avoid opening any unknown emails etc. I delete a lot of messages on the spot, always when I never know the sender.

Good to see IIS putting these threads up,I do not go on other forums of a computer nature

killswitch
06-11-2013, 12:50 AM
Anyone know where I can find the virus?

The .exe attachment you get on emails is actually just a small trojan downloader which will download Cryptolocker and drop the destructive payload.

I want to sniff out where the trojan downloads cryptolocker and create a DNS loopback on our server.

EDIT: Nevermind, turns out DNS sink-holing attempts have failed. The downloader has a domain generating algorithm which creates and finds 1000 new locations (everyday) to download cryptolocker from. What a nightmare.
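killswitch's sink-hole attempt failed because the downloader cycles through generated domains, but the DGA leaves a footprint a defender can see in DNS logs: one client looking up many random-looking names, most of which do not resolve. The Python script below is an added example, not code from this thread or from any product mentioned in it. The log lines are constructed, the log format (timestamp, client, query type, name, response code) is an assumption, and the thresholds in `looks_generated` were chosen for the sample rather than calibrated on real traffic.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (not real traffic), one record per line:
# timestamp  client  qtype  queried-name  response-code
SAMPLE_DNS_LOG = """\
2013-11-06T00:50:01 10.0.0.5 A windowsupdate.microsoft.com NOERROR
2013-11-06T00:50:02 10.0.0.5 A www.bleepingcomputer.com NOERROR
2013-11-06T00:50:03 10.0.0.7 A qxwvtrpkzjmhbnd.ru NXDOMAIN
2013-11-06T00:50:03 10.0.0.7 A vtbpxqmzrwkjlhg.biz NXDOMAIN
2013-11-06T00:50:04 10.0.0.7 A mjkpqvtwxzbsrng.info NXDOMAIN
2013-11-06T00:50:04 10.0.0.7 A kzhtplbvmxwqdns.org NOERROR
2013-11-06T00:50:05 10.0.0.9 A mail.google.com NOERROR
2013-11-06T00:50:06 10.0.0.9 A typo-in-hostnmae.example.com NXDOMAIN
"""


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(name):
    """Naive registrable label: the label just left of the TLD. This is wrong
    for multi-part suffixes such as com.au; a public-suffix list would fix it."""
    labels = name.split(".")
    return labels[-2] if len(labels) >= 2 else name


def looks_generated(label, min_len=12, max_vowel_ratio=0.25, min_entropy=3.3):
    """Heuristic for algorithmically generated labels: long, few vowels,
    high character entropy. Word-list DGAs will slip past this check."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return vowel_ratio <= max_vowel_ratio and shannon_entropy(label) >= min_entropy


def parse_line(line):
    ts, client, qtype, name, rcode = line.split()
    return {"ts": ts, "client": client, "qtype": qtype,
            "name": name.lower().rstrip("."), "rcode": rcode.upper()}


def analyse(log_text, min_hits=3):
    """Return (alerts, resolved_suspects).

    alerts: clients with at least `min_hits` NXDOMAIN answers for
            generated-looking names (the DGA burst itself).
    resolved_suspects: generated-looking names that DID resolve, i.e. the
            candidates worth blocking at the resolver or firewall."""
    nx_hits = defaultdict(list)
    resolved_suspects = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not looks_generated(second_level_label(rec["name"])):
            continue
        if rec["rcode"] == "NXDOMAIN":
            nx_hits[rec["client"]].append(rec["name"])
        else:
            resolved_suspects.append((rec["client"], rec["name"]))
    alerts = {client: names for client, names in nx_hits.items() if len(names) >= min_hits}
    return alerts, resolved_suspects


if __name__ == "__main__":
    alerts, resolved = analyse(SAMPLE_DNS_LOG)
    for client, names in alerts.items():
        print(f"ALERT {client}: {len(names)} NXDOMAIN lookups of generated-looking names")
    for client, name in resolved:
        print(f"RESOLVED suspect from {client}: {name}")
```

The per-client NXDOMAIN burst is the stronger signal; the entropy and vowel tests only cut down noise such as the ordinary typo at the end of the sample, which is NXDOMAIN but not generated-looking. Tune `min_hits` and the label thresholds against a baseline of your own resolver logs before alerting on them.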

Poita
06-11-2013, 01:43 PM
And always right click on any links and check what the address *really* is before opening them.

It is times like this I am glad I'm not running windows though. All other arguments aside, Windows is getting too problematic for any of my critical workflows, we are transitioning to OSX and Linux at work now as well. The security may in theory be as good in Windows as in anything else, but the insane amount of malware/viruses etc. that target the Windows platform make it not viable for us any more. The attached image is the percentage of Operating Systems infected last month, with Windows accounting for 99.93% of infected computers.

This month's AV report makes interesting reading:
http://lavasoft.com/mylavasoft/securitycenter/whitepapers/lavasoft-security-bulletin-october-2013

04Stefan07
06-11-2013, 04:39 PM
Very good to be aware of this dangerous threat.

Working in IT support I am making sure all computers have the latest version of Java. Also trying to see how we can help prevent it!

killswitch
09-11-2013, 07:23 PM
I refuse to install Java on any of our machines, the security holes just never end.

We sent out a memo to all staff to be extra careful. Crypto will infect mapped network drives meaning file servers are at high risk. As far as I know it can't touch shadow storage which is good.

akjudge
10-11-2013, 01:53 AM
If you use Firefox, there is an add-on called NoScript, that allows you to choose which Java scripts to run. Very effective for allowing only trusted domain scripts to run.

Jim

GeoffW1
21-12-2013, 04:54 PM
Hi,

Another news article, nothing brand new. I notice too Malwarebytes, for one, is saying their product will block it.

http://www.abc.net.au/news/2013-12-20/rising-tide-of-ransomware/5170422

Cheers

Edge
05-09-2016, 08:23 PM
Beware of this scam - AFP email scams: beware of fake Australian Federal Police subpoena viruses - http://soft2secure.com/knowledgebase/afp-email-scam

acropolite
07-09-2016, 07:32 PM
Some info on cryptolocker, at least the variant I had to deal with at work.

Ours was not a virus, there was however a trojan component that installs and attempts to continue its dirty work.

The cryptolocker "virus" in our case was executed as a script and had nothing to do with zipped files or email attachments.

In our case, one of the office staff clicked on a link to an Australia Post delivery site.

The staffer was expecting some parcels but didn't stop to think of how AP happened to know this particular email address.

Ironically, on the wall beside the desk was a half page note in which I explained the dangers of cryptolocker and how best to avoid it.

The decryption is not as simple as comparing identical files and generating a key, earlier variations of cryptolocker could be decrypted with some success but successive iterations have proven to be uncrackable at least to the general computing community.

I used the comparison method and it did successfully recover the encrypted version of the file I compared but the recovered key wouldn't decrypt any other files.

Some bright spark (who's name I can't recall) wrote a nice analysis explaining where the flaws were in the cryptolocker code and encryption process, giving the authors of cryptolocker expert advice on where to tighten up their code and make it virtually uncrackable.

Having an up to date anti virus and anti spyware and the latest browser updates won't necessarily help either.

In our case the AV recognised the cryptolocker code and stopped the resident installation of the virus but failed to prevent the scripted code from locking thousands of files. The resident component is basically there to delete your data should you elect not to pay the ransom demand. The cryptolocker process went on for over 2 hours, and encrypted shared network resources, the staffer blindly continued working on the PC despite the fact that the Anti-virus was going absolutely crazy.

Our antivirus definitions were up to date, as was Java and the browser in use. The Anti-Virus engine was not, there had been no notification that the AV engine needed update.

Whether that would have stopped the cryptolocker is debatable. Sometimes encrypted data can be recovered by utilising the windows shadow volume but in our case the cryptolocker irretrievably deleted the shadow volume.

In the final analysis we lost nothing of importance despite the cryptolocker having almost 3 hours to do its dirty work. The reason was that we had good backups.
The same week, one of our customers with a large Australia wide network was clobbered, once again all AV's, operating systems etc were up to date, again good backups saved the day.

Many of the previously mentioned precautionary measures won't offer the slightest protection against the cryptolocker, at least based on our experience.
In our case the following steps would have prevented the infection.

1. As Peter said, check email links or web links by hovering over the link and identifying the destination, that is the single most effective preventative measure. If the link looks dodgy don't click on it. Think before you blindly click. Question the source of the email or link.

2. Make sure you have backups of your important data (i.e. anything you can't afford to lose) and that the backup destination is not available as a shared resource. Data such as accounting, invoicing etc should have multiple backups, don't rely on just one source as that source could fail. In our case accounting files were backed up each day on individual memory sticks, a weekly backup taken off site and our other backups had no network shares.

3. If your AV detects anything abnormal, disconnect from your network and power off immediately before taking any further measures. Had our staffer simply turned off the PC at the first AV warning the damage would have been minimal.

4. If you need to share network files make those shares read only where possible, cryptolocker can't encrypt a file that it has no write access to.

5. You could set up your browser to execute scripts only with permission, but given the nature of current web design the browsing experience would be tedious.
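acropolite's first step, and Poita's earlier advice to right-click a link and check where it really goes, can be automated for incoming mail. The Python script below is an added example, not code from this thread: it parses an HTML mail body with the standard library, pairs each link's visible text with its real destination, and flags links whose displayed address points at a different site than the `href`, as well as links to raw IP addresses. The sample message, the `auspost-tracking.example.net` host and the `198.51.100.23` address are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mail body modelled on the delivery-notice lure
# described in the thread. Hosts and addresses are documentation values.
SAMPLE_EMAIL_HTML = """\
<p>Your parcel could not be delivered. Track it here:
<a href="http://auspost-tracking.example.net/parcel/1234">http://auspost.com.au/track</a></p>
<p>Genuine-looking link for comparison:
<a href="https://auspost.com.au/track/parcel">auspost.com.au</a></p>
<p>Read more at <a href="http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information">BleepingComputer</a></p>
<p><a href="http://198.51.100.23/driver-update.exe">Update your video driver</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that a reader would take for an address: optional scheme,
# a dotted host with an alphabetic TLD, optional path.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#:].*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def host_of(text):
    """Hostname of a URL or bare host, lower-cased; '' if none."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def same_site(a, b):
    """Equal hosts, or one a subdomain of the other (e.g. www.x.com vs x.com).
    Deliberately simple; a public-suffix list gives a stricter answer."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def suspicious_links(html):
    """Return (visible text, real destination host, reason) for every link
    whose displayed address disagrees with its href, or that points at a
    raw IP address."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest = host_of(href)
        if IPV4.match(dest):
            findings.append((text, dest, "destination is a raw IP address"))
        elif URL_LIKE.match(text) and not same_site(host_of(text), dest):
            findings.append((text, dest, "displayed address differs from real destination"))
    return findings


if __name__ == "__main__":
    for text, dest, reason in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{reason}: shown as {text!r}, actually goes to {dest}")
```

The check deliberately says nothing about links whose text is ordinary words, because those cannot be compared against anything; for them the only defence is still the hover-and-look habit acropolite describes. Run it in a mail gateway or a mailbox rule to tag messages before they reach the staffer's inbox, rather than relying on every recipient to hover.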

bobson
25-09-2016, 03:11 PM
That's all bull dust from authorities. I mean if someone asks for money to be paid to, they must know where that money goes and to who. Just watch if this happens to big firm or famous person how quickly that moron will be found and prosecuted regardless which country he comes from.

Like this one for example:

http://www.msn.com/en-au/news/world/uk-police-arrest-man-in-pippa-middleton-royal-photo-hack/ar-BBwAFIL?li=AAgfYrC&ocid=mailsignout

ZeroID
25-09-2016, 06:47 PM
The trouble is once money goes out of the country into hackers control your local law has no power and the hacker isn't going to listen anyway.

acropolite
25-09-2016, 07:21 PM
FWIW The currency demanded is Bitcoin, like most scams they are often running for only a couple of days so they can be long gone before they're traced.