
bloody bloody cryptolocker bloody

Discussion in 'Business & Enterprise Computing' started by Joshhy, Sep 12, 2014.

  1. Sledge

    Sledge Member

    Joined:
    Aug 22, 2002
    Messages:
    9,501
    Location:
    Adelaide
    Been on holiday, got back to find out we had 2 infections last week :)
    One of them after a warning email went out saying NOT to open certain types of emails...
     
  2. azron

    azron Member

    Joined:
    Feb 27, 2004
    Messages:
    1,076
    Location:
    Melbourne
    The example a few posts up, which links off to some bloke's personal sysadmin blog in the .VN space, is a great example of this person being irresponsible and not patching, allowing a 'hacker' to compromise the site so that it serves up malware.

    In this case the owner of the site still prolly has no idea he's participating in some pretty serious malware distribution, most likely his ISP is only just catching on.

    In this case, the sysadmin lacking security knowledge should get a stern talking to for allowing malware to operate on his site, but he himself isn't responsible for the relay.

    Multiple parties are at fault, but their intent wasn't malicious. It was the opportunistic hacker who placed the malware there using unethical, and most likely illegal, methods who needs to be put in jail.
     
  3. Smokin Whale

    Smokin Whale Member

    Joined:
    Nov 29, 2006
    Messages:
    5,188
    Location:
    Pacific Ocean off SC
     
  4. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    I'm not a firewall guy, so I apologise if this is a stupid question, but is Tor traffic hard to identify/block? I wouldn't think that many businesses have business that needs to be conducted via it?
     
  5. Cubix

    Cubix Member

    Joined:
    Apr 15, 2011
    Messages:
    110
    Tor commonly communicates over 443, so it's not going to be the easiest thing to detect and block on a standard firewall.

    From memory Palo Alto has a product which does application inspection which would probably be your best bet at blocking TOR related traffic.
     
    Last edited: Nov 27, 2014
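    An added example (not from any poster above) of the cheap alternative to an NGFW that the port-443 point implies: the relay addresses themselves are public, because every Tor client has to download the consensus, so matching destination IPs in firewall logs against that list is a detection you can run on any box that sees the logs. The relay set, the key=value log format and the sample lines below are all constructed for the example; the addresses are documentation ranges, not real relays.

```python
"""
Flag outbound connections to known Tor relays in firewall logs.

Port 443 alone tells you nothing: relays and bridges deliberately listen
there to blend in with HTTPS. What is not hidden is the relay list, which
every Tor client fetches from the directory authorities, so a scheduled
copy of that list fed into the firewall or SIEM is the low-cost detection.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed stand-in for the relay list. In practice pull the current
# consensus on a schedule; these are documentation addresses, not relays.
TOR_RELAYS = {
    "203.0.113.10",
    "203.0.113.44",
    "198.51.100.7",
    "198.51.100.200",
}

# Constructed sample log lines in a generic key=value syslog style
# (hypothetical format, not any particular vendor's).
SAMPLE_LOG = """\
srcip=10.0.1.55 dstip=203.0.113.10 dstport=443 proto=tcp action=accept
srcip=10.0.1.55 dstip=198.51.100.7 dstport=443 proto=tcp action=accept
srcip=10.0.1.55 dstip=203.0.113.44 dstport=9001 proto=tcp action=accept
srcip=10.0.1.12 dstip=192.0.2.80 dstport=443 proto=tcp action=accept
srcip=10.0.1.12 dstip=198.51.100.200 dstport=443 proto=tcp action=accept
srcip=10.0.1.99 dstip=192.0.2.5 dstport=443 proto=tcp action=accept
garbage line that does not parse
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one line, or None if unusable."""
    fields = dict(KV_RE.findall(line))
    if "srcip" not in fields or "dstip" not in fields:
        return None
    try:
        # Normalise so "203.000.113.010"-style variants still match the set.
        fields["dstip"] = str(ipaddress.ip_address(fields["dstip"]))
    except ValueError:
        return None
    return fields


def tor_hits(log_text, relays=TOR_RELAYS):
    """Connections whose destination is a known relay, as (src, dst, port)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dstip"] in relays:
            hits.append((rec["srcip"], rec["dstip"], int(rec.get("dstport", 0))))
    return hits


def likely_tor_clients(log_text, relays=TOR_RELAYS, min_relays=2):
    """Internal hosts that reached at least `min_relays` distinct relays.

    A Tor client talks to several relays (directory fetch, guards, circuit
    hops), so one hit may be a false positive (a relay that also hosts a
    normal website); several distinct relays is a much stronger signal.
    """
    seen = defaultdict(set)
    for src, dst, _port in tor_hits(log_text, relays):
        seen[src].add(dst)
    return sorted(src for src, dsts in seen.items() if len(dsts) >= min_relays)


def port_443_only(log_text):
    """What a port-based rule sees: every HTTPS destination, Tor or not."""
    records = (parse_line(line) for line in log_text.splitlines())
    return sorted({rec["dstip"] for rec in records
                   if rec and rec.get("dstport") == "443"})


if __name__ == "__main__":
    print("relay hits:", tor_hits(SAMPLE_LOG))
    print("likely Tor clients:", likely_tor_clients(SAMPLE_LOG))
    print("a port-443 rule would have to block:", port_443_only(SAMPLE_LOG))
```

The third function is the caveat in code form: blocking on port alone would have to block every HTTPS destination in the log, while the relay-list match picks out only the host that touched three different relays, including the one on 9001 that a "443 only" view would never have looked at. Relay lists change constantly, so the match is only as good as how often the list is refreshed, and it will not catch bridges that are not in the public consensus.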
  6. g00nster

    g00nster Member

    Joined:
    Sep 10, 2004
    Messages:
    353
    Location:
    Melbourne
    It's not hard, but it's also not free. That type of control falls under NGFW (WatchGuard/Fortigate/Palo Alto etc.), which allows for a huge amount of control in terms of what applications can run over your network, and control (allow/deny) of the type of behaviour of the application.

    Example 1: allow login to dropbox but block access to download/upload.
    Example 2: allow authority to access Facebook, Facebook Media but deny Facebook applications, Facebook Comments, Facebook Games, Facebook dating, Facebook Posts etc etc

    Can't say we've had any outbreaks of CryptoLocker, but we do actively stop at least a dozen per day.
     
    Last edited: Nov 27, 2014
  7. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,475
    Location:
    qld.au
    Again, my post is still pertinent. You clearly have no idea at the scope of it all. It's as silly as thinking spammers can be beaten easily. You need to think before you post sometimes, you're still stuck in the small IT support mindset.

    There are millions of hacked and exploited websites around the world at any one time. There are many thousands of new ones hacked each day. Thinking you're somehow going to make a difference by contacting the host manually is about as effective as trying to dam a fast-flowing river by bucketing dirt out.

    You really do miss the scale at which these things occur. If every person on OCAU reported 100 sites a day you'd still make no measurable difference. There were over half a million users affected by the original variant, let alone the dozens of other variants which have now replaced it.

    The guys running these ransomware scams aren't fools. You need to either be much bigger than them (magnitudes bigger, even the FBI struggles) or much smarter than them. When you think you're smarter, remember that they're managing to get past AV platforms who each have dozens (if not hundreds) of people trying to stop them.
     
  8. tin

    tin Member

    Joined:
    Jul 31, 2001
    Messages:
    6,421
    Location:
    Narrabri NSW
    I was reading the other day about a variant that used a static bitcoin account to collect the "donations" - over $AU40,000 on that one version. And I would assume they switched it around every week or so, which makes it quite a good little earner. And there's the reason we won't stop them.
     
  9. cbb1935

    cbb1935 Guest

    Ahhh gotcha now.

    I'm still contacting web hosts/domain registrants for places that are spreading this infection. At least it gets one host taken down, thus nullifying the spread to anyone else who got that exact email.

    Small steps, but its better than no steps at all.

    Also advising the webmaster their site is compromised means hopefully a more tech-savvy and heavy-handed approach to security in the future.

    Less exploitable hosts, less chance of spreading an infection.
     
  10. HSV

    HSV Member

    Joined:
    Jun 15, 2003
    Messages:
    496
    Location:
    Newcastle
    Nasty variant going around here that is a legit-looking email from the NSW Office of State Revenue saying you've got a speeding fine, click here for the photo - this will get a lot of people, beware!
     
  11. OhFoRkMe

    OhFoRkMe Member

    Joined:
    Apr 27, 2005
    Messages:
    3,423
    Location:
    Joyner 4500
    Dad got hit with the NSW OSR email this morning. He was expecting a speeding fine anyway and just assumed the government had got with the times and the Internet.

    Anyone know if this site still works with the new variants? Wanted to know before I make the 3hr drive down to see him - https://www.decryptcryptolocker.com/
     
  12. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,475
    Location:
    qld.au
    I don't want to discourage you, but your efforts are wasted. The hackers are still smarter than you. The warning message after things like CryptoWall has taken effect has multiple domains and links listed. So blocking one of these won't have made any difference.

    I manage infrastructure with thousands of webservers, so again you're just not getting the scale of the problem. We block hundreds of thousands of exploit attempts a week, and they're just the known ones which can be defined by an IPS rule.

    Many clients who are hacked don't comprehend what they need to do security wise unless they've lost everything. Even then, we've seen clients hacked multiple times. There's masses of malware targeting end user machines to get FTP passwords, so even if the server is 100% secure they'll find a way.

    For every one you take down, there's another thousand ready to go. You can "buy" a list of 10,000+ hacked sites for less than $100 on a regular basis if you're too lazy to run a script yourself. The scale at which sites are hacked, and at which those running ransomware scams get access to them, will never be beaten by small IT guys reporting them. It's akin to thinking you'll beat Ebola by washing the hands of one individual.

    The time you spend reporting these things would be far better spent on your own infrastructure. Ensure you have a working, multi-layer defence and continue to expand and evolve the system. Educate users. Ensure you have regularly tested backups. If every small business did this then we wouldn't have a 13-page thread of horror stories.
     
  13. Swathe

    Swathe (Banned or Deleted)

    Joined:
    Mar 23, 2007
    Messages:
    2,508
    Location:
    Rockhampton
    Sums it up nicely.
     
  14. STINGA

    STINGA Member

    Joined:
    Mar 16, 2003
    Messages:
    439
    Location:
    West Sydney
    I tried this on a PC on Monday and it says something like "This file does not appear to be infected by Cryptolocker."
     
  15. Sledge

    Sledge Member

    Joined:
    Aug 22, 2002
    Messages:
    9,501
    Location:
    Adelaide
    And 2 more infections since I posted this...
    Multiple emails getting sent out saying DO NOT OPEN anything from someone you don't know..
    And now spam messages are not being released unless specifically asked for... so much lol
     
  16. grades

    grades Member

    Joined:
    Feb 1, 2003
    Messages:
    124
    Location:
    Central Coast NSW
    Try this software, http://www.shadowexplorer.com/downloads.html

    You can use it to explore your Volume Shadow Copy restore points. I have used this a few times with CryptoLocker and it's worked out great. I did use it on Win 7 PCs; it didn't work on an XP machine. Remember to run Malwarebytes to clean the virus.

    hope this helps
     
  17. Smokin Whale

    Smokin Whale Member

    Joined:
    Nov 29, 2006
    Messages:
    5,188
    Location:
    Pacific Ocean off SC
    How stupid are your users? Incredible. :tongue:
     
  18. OhFoRkMe

    OhFoRkMe Member

    Joined:
    Apr 27, 2005
    Messages:
    3,423
    Location:
    Joyner 4500
    Cheers guys, will have a look. It's already past the 72 hrs or whatever timeframe, but hoping it will work. Worst case, I restore from backup.
     
  19. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
    Have you done Example 1 or 2, if so, with what platform?
     
  20. bsbozzy

    bsbozzy Member

    Joined:
    Nov 11, 2003
    Messages:
    3,925
    Location:
    Sydney
    Palo Alto can do example 2, haven't tried example 1.
     
