PostPosted: Sun Oct 27, 2013 7:24 pm 

Joined: Sun Oct 13, 2013 7:37 pm
Posts: 31
Hey everyone, I'm sure you may have heard of something called Cryptolocker. This is a very nefarious, evil, and yet amazingly creative piece of malware. Basically, when the malware runs, it proceeds as follows:

1. CryptoLocker installs itself into your Documents and Settings folder, using a randomly-generated name, and adds itself to the list of programs in your registry that Windows loads automatically every time you logon.

2. It produces a lengthy list of random-looking server names in the domains .biz, .co.uk, .com, .info, .net, .org and .ru.

3. It tries to make a web connection to each of these server names in turn, trying one each second until it finds one that responds.

4. Once it has found a server that it can reach, it uploads a small file that you can think of as your "CryptoLocker ID."

5. The server then generates a public-private key pair unique to your ID, and sends the public key part back to your computer.

→ Remember that public-key cryptography uses two different keys: a public key that locks files, and a private key that unlocks them. You can share your public key widely so that anyone can encrypt files for you, but only you (or someone to whom you have given a copy of your private key) can decrypt them.

6. The malware on your computer uses this public key to encrypt all the files it can find that match a largish list of extensions, covering file types such as images, documents and spreadsheets.

→ Note that the malware searches for files to encrypt on all drives and in all folders it can access from your computer, including workgroup files shared by your colleagues, resources on your company servers, and possibly more. The more privileged your account, the worse the overall damage will be.

7. The malware then pops up a "pay page," giving you a limited time, typically 72 hours, to buy back the private key for your data, typically for $300. (The price point is surprisingly similar to what it was back in 1989.)


This was taken from http://nakedsecurity.sophos.com/2013/10 ... the-loose/

Beware people! Only Windows users look to be vulnerable! There's much more to the article than what I have copied here, so please do read!


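A defender-side check for steps 2 and 3 of the list above (a burst of random-looking lookups in those TLDs at about one per second), written as an added example that is not from the article or this thread; the resolver log format, the thresholds and the sample lines are constructed assumptions.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample resolver log (not real CryptoLocker traffic): one query per
# line as "<timestamp> <client> <queried name> <rcode>".
SAMPLE_LOG = """\
2013-10-27T19:24:01 10.0.0.12 www.example.com NOERROR
2013-10-27T19:24:02 10.0.0.12 qkfhwyxrtupvmbl.biz NXDOMAIN
2013-10-27T19:24:03 10.0.0.12 tlnspdwakmrxeob.co.uk NXDOMAIN
2013-10-27T19:24:04 10.0.0.12 vbmrhxypqjlwtfo.info NXDOMAIN
2013-10-27T19:24:05 10.0.0.12 hnwqvlkfaxjpdzt.ru NXDOMAIN
2013-10-27T19:24:06 10.0.0.12 rcxghvdnyzmotfe.org NXDOMAIN
2013-10-27T19:24:07 10.0.0.12 pmrzlukyrntbeso.net NOERROR
2013-10-27T19:24:09 10.0.0.33 mail.example.org NOERROR
"""
DGA_TLDS = (".co.uk", ".biz", ".com", ".info", ".net", ".org", ".ru")  # from the article

def shannon_entropy(s):  # bits of entropy per character of s
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def second_level_label(name):  # label left of a listed TLD, else None
    for tld in DGA_TLDS:
        if name.endswith(tld):
            return name[: -len(tld)].rsplit(".", 1)[-1]
    return None

def looks_random(label):
    # Heuristic: long, high-entropy, vowel-poor labels. Thresholds are assumptions.
    vowels = sum(c in "aeiou" for c in label)
    return len(label) >= 12 and shannon_entropy(label) > 3.2 and vowels / len(label) < 0.3

def find_dga_clients(log_text, min_hits=5, max_gap_seconds=2.0):
    """Map client -> number of random-looking lookups made in one steady ~1/s burst."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, qname, _rcode = line.split()
        label = second_level_label(qname)
        if label and looks_random(label):
            hits[client].append(datetime.fromisoformat(ts))
    flagged = {}
    for client, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and all(g <= max_gap_seconds for g in gaps):
            flagged[client] = len(times)
    return flagged
```

On the sample log only 10.0.0.12 is flagged; a host blocked from reaching the server it wants will keep producing this pattern, so the NXDOMAIN run itself is the signal worth alerting on.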
PostPosted: Sun Oct 27, 2013 10:47 pm 

Joined: Mon Sep 16, 2013 10:06 pm
Posts: 60
Great post, I have not heard of this piece of malware, but ransomware is not new. As the article states, in 1989 a virus was released which encrypted your hard drive. However, it was a fairly simple encryption which was implemented the same across all who were infected, so data was recoverable. This new piece of ransomware is much more sophisticated and uses public key encryption with a random server somewhere on the internet. As of now researchers have not been able to find a fix or any backdoor. The only way to recover your data, besides maybe paying the money (probably not though), would be to use a backup that hopefully you made before getting infected. I find ransomware so interesting, it truly shows you how creative criminals can be.


PostPosted: Mon Oct 28, 2013 10:21 am 

Joined: Sun Oct 13, 2013 7:37 pm
Posts: 31
What's also so devious about this is that if the police try to intervene and remove the server if they locate it, it destroys the key in the process, so the person's data being held ransom is really lost.


PostPosted: Mon Oct 28, 2013 3:07 pm 

Joined: Mon Sep 16, 2013 10:06 pm
Posts: 60
The program only gives you 72 hours to pay or the key will be destroyed anyways so police intervention will not matter for many that have been infected. The cybercriminals are holding your data for ransom, it truly is an ingenious plan.


PostPosted: Thu Oct 31, 2013 7:34 pm 

Joined: Sun Oct 13, 2013 7:37 pm
Posts: 31
So the only preventions I can see are A. Don't use Windows, and B. have a good routine backup, where your backup file is made and not linked to any sort of drive letter in Windows (C or D). The backup must, obviously, be from before the attack hit you. You may lose recent work, but at least you have your files from earlier intact.


PostPosted: Fri Nov 01, 2013 12:19 am 

Joined: Mon Sep 16, 2013 10:06 pm
Posts: 60
I don't think the prevention should be to not use Windows. That is not a viable solution for this problem. In my opinion the best preventative measure is to keep your system up to date, download programs from trusted sources, only open trusted links, and of course back up your information (making sure backups are kept in a separate location)! This "ransomware" has two known attack vectors. One is through email, which is easily avoidable if the user has knowledge and common sense... (many users lack this common sense/knowledge combination). The other attack vector is through a botnet. This is much more difficult to prevent because users usually are not aware that their computers are "zombies" taking part in a botnet.


PostPosted: Fri Nov 01, 2013 8:51 pm 

Joined: Sun Oct 13, 2013 7:37 pm
Posts: 31
Of course it's a viable solution. Updates can only do so much, and are naturally a reactionary tactic. Updates are done after something has happened. After people have gotten infected.


PostPosted: Sat Nov 02, 2013 2:11 pm 

Joined: Mon Sep 16, 2013 10:06 pm
Posts: 60
I agree with you that updates can only do so much and are reactive in nature, but I completely disagree with your stance on not using Windows. For one thing, keeping a system patched with the latest updates along with AV can prevent a majority of the malware out in the wild. Second, a significant amount of businesses today are using Windows. Telling them to just stop using Windows won't go over so well and is not realistic. Furthermore, if everyone were to stop using Windows then criminals/hackers/exploiters would no longer work on Windows exploits but move towards exploiting the new dominant OS. This would not solve the problem because ransomware would only need to find a new attack vector for the new OS. This would result in the exact same problem. I believe that keeping backups, as we have both mentioned, is a great solution to ensure that infection from this malware will not result in the loss of your data.


© 2013 Center for Information Protection, NJIT