
bloody bloody cryptolocker bloody

Discussion in 'Business & Enterprise Computing' started by Joshhy, Sep 12, 2014.

  1. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,647
    Location:
    Brisbane
    Bah, it's being a bitch - I can't "masquerade" as freenas\system from another server.

    I guess it's time to learn how to roll out Windows permissions from FreeBSD...

    *edit* worked it out

    From the root console:

    Code:
    find /mnt/pool0/shares/users/FolderRedirections/ -type d -exec setfacl -m g:"domain\group":rwxpDdaARWcCo-:fd----:allow {} \;
    Bonus of BSD vs Windows? You don't have to take ownership from the user to add the permissions... root == system.

    As an MSP, our admin account on clients is only run when we interact with their systems. Other software vendors get their own account to do things in.

    Internally, well... I mean we could cut back to normal user accounts, and probably will when I rebuild it (currently we're SBS 2010 internally, which needs to go...).
     
    Last edited: May 27, 2015
  2. person

    person Member

    Joined:
    Mar 7, 2003
    Messages:
    344
    Location:
    Brisbane
    I'm not sure it's CryptoLocker, but I just saw a macro virus in a Word document, "email_attachment.doc", walk right through Office 365's filters (without Advanced Safe Attachments security)...

    The email was pretty convincing too, and the attached file, "email_attachment.doc", had this text explaining to click Enable on the security bar... not as good as Great_Guru's example but still pretty convincing to newbies.


    Inspection of the macro indicates that it's a base64 decoder that decodes the virus from the Word document, dumps it out as tmp.exe and executes it with wscript.

    I'm glad we blocked all macros in Word company-wide a few months ago when I first saw this example, so there's no security prompt bar at all for people to accidentally click.

    Next financial year I finally have budget to seriously look into whitelisting/AppLocker alternatives (e.g. Lumension, Viewfinity etc.)
     
    Last edited: Jun 25, 2015
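The drop-and-run pattern described in the post above (auto-run macro, base64 blob, decode to tmp.exe, execute) is easy to triage from the macro's source text without ever opening the document. The script below is an added example and is not code from the thread or from the malware; the `$VbaSource` it scans is a constructed, harmless stand-in whose base64 decodes to a 64-byte buffer starting with "MZ", and the indicator lists are the author's assumptions, not a complete signature set. In practice the module text comes from a tool such as olevba (oletools) run in a sandbox.

```powershell
# Added example, not code from the post above: first-pass triage of VBA module text
# that follows the described pattern (auto-run macro, base64 blob, decode to tmp.exe,
# run it). $VbaSource is a CONSTRUCTED, harmless stand-in whose base64 decodes to
# 64 bytes beginning "MZ"; it is not the macro from the email. Extract real module
# text with a tool such as olevba (oletools), never by opening the document.

$stubBytes   = [byte[]](@(0x4D, 0x5A) + @(0) * 62)          # constructed "MZ" stub, 64 bytes
$fakePayload = [Convert]::ToBase64String($stubBytes)
$VbaSource   = @"
Sub AutoOpen()
    Dim b64 As String
    b64 = "$fakePayload"
    Dim tmp As String
    tmp = Environ("TEMP") & "\tmp.exe"
    Call WriteBytes(tmp, DecodeBase64(b64))
    Shell "wscript.exe //B " & tmp, vbHide
End Sub
"@

function Get-VbaIndicators {
    param([Parameter(Mandatory)][string]$Source)

    # Procedures Office runs on its own when the document opens or closes (assumed list).
    $autoStart = @('AutoOpen', 'Document_Open', 'AutoClose', 'Document_Close',
                   'Workbook_Open', 'Auto_Open', 'Workbook_BeforeClose', 'AutoExec')
    # Drop-and-run primitives; plain substrings, matched case-insensitively (assumed list).
    $execution = @('Shell', 'WScript.Shell', 'wscript', 'cscript', 'powershell',
                   'CreateObject', 'Environ', 'URLDownloadToFile', 'For Binary')

    $r = [ordered]@{
        AutoStart = @($autoStart | Where-Object { $Source -match "\b$_\b" })
        Execution = @($execution | Where-Object { $Source -match [regex]::Escape($_) })
        Payloads  = @()
        Verdict   = ''
    }

    # Long quoted base64 runs carry the payload: decode each and look for a PE header.
    foreach ($m in [regex]::Matches($Source, '"([A-Za-z0-9+/]{64,}={0,2})"')) {
        try   { $bytes = [Convert]::FromBase64String($m.Groups[1].Value) }
        catch { continue }                                       # not real base64, skip it
        $sha = [Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
        $r.Payloads += [pscustomobject]@{
            Base64Chars = $m.Groups[1].Value.Length
            Bytes       = $bytes.Length
            LooksLikePE = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
            Sha256      = ([BitConverter]::ToString($sha) -replace '-').ToLower()   # for a VirusTotal lookup
        }
    }

    $hasPe = [bool]($r.Payloads | Where-Object { $_.LooksLikePE })
    $r.Verdict = if ($r.AutoStart.Count -and $r.Execution.Count -and $hasPe) {
        'DROPPER: auto-run macro carries an embedded PE and has execution primitives'
    } elseif ($r.AutoStart.Count -and $r.Execution.Count) {
        'SUSPICIOUS: auto-run macro with execution primitives, no embedded PE found'
    } else {
        'no strong indicators (still read the code)'
    }
    [pscustomobject]$r
}

Get-VbaIndicators -Source $VbaSource | Format-List
```

Against the constructed sample this reports `AutoOpen` as the auto-start, `Shell`, `wscript` and `Environ` as execution primitives, one payload flagged `LooksLikePE`, and the DROPPER verdict. The SHA-256 of the decoded blob is the hash to check on VirusTotal; hashing the .doc itself is less useful because attackers re-pack the container far more often than the payload.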
  3. maddhatter

    maddhatter Member

    Joined:
    Jun 27, 2001
    Messages:
    4,797
    Location:
    Mackay, QLD.
    Finally got hit with this nasty bit of work; this little bastard managed to get past the spam filter, AV, Group Policy executable lockdowns, file type locks in Exchange, and file type locks at the proxy.

    I do however appreciate that it has left a calling card in every directory it tampered with, which made recovery from backup so much easier. :thumbup:

    Backup, backup, backup people; we were infected last Friday and I've only just cottoned on to it today.
     
  4. Cubix

    Cubix Member

    Joined:
    Apr 15, 2011
    Messages:
    110
    What were your SRP rules?
     
  5. Great_Guru

    Great_Guru Member

    Joined:
    Sep 5, 2001
    Messages:
    1,225
    Location:
    Australia
    So you found the culprit? Can you upload it to VirusTotal?

    What was the file extension?

    Some newer nasties are actually plain old exploit-laden Word/Excel docs that crash (nasty deployed) and then open up a decoy Word doc so the user just dismisses what has happened. I haven't seen that particular scenario with my own eyes yet; hopefully I don't.

    Or they will use "on-close" macros rather than on-open, again to bypass runtime detection of scanners or those more advanced "detonation chamber" style appliances. This also has the effect that users dismiss the occurrence as a software crash.

    Macros are making a comeback :thumbdn:
     
  6. Falkor

    Falkor Member

    Joined:
    Jun 27, 2001
    Messages:
    4,123
    Location:
    Sydney
    I set up some FSRM rules on our file servers as well to email/block when it detects certain files being created.

    For example, like you mentioned, quite a few of them create a file like DECRYPT_INSTRUCTIONS.txt etc., so if a file with that name gets created we get emailed straight away.

    So far it's helped us stop an infection quickly a couple of times, and limited the scope to only a couple of folders that I can restore from shadow copy.
     
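The FSRM tripwire Falkor describes, written out as an added example (not Falkor's actual configuration): a file group of ransom-note filenames, a file screen over the share, and an email plus event-log action that names the account that wrote the file. The share path, SMTP settings and the note-name list are assumed placeholders; only `DECRYPT_INSTRUCTIONS.txt` comes from the thread.

```powershell
# Added example (not Falkor's actual configuration): an FSRM file screen that fires
# the moment a known ransom-note filename is created under a share, emails the admin
# with the writing account, and can block the write. Run on the file server with the
# FS-Resource-Manager feature installed. Share path, SMTP values and the note-name
# list are assumed placeholders; extend the list as new families appear.

Import-Module FileServerResourceManager

function Install-RansomCanaryScreen {
    param(
        [Parameter(Mandatory)][string]$SharePath,
        [string[]]$NoteNames = @('DECRYPT_INSTRUCTIONS.txt', 'DECRYPT_INSTRUCTIONS.html',
                                 'HELP_DECRYPT.txt', 'HELP_DECRYPT.html', 'HOW_TO_DECRYPT*.txt'),
        [switch]$Block,                  # active screen: deny the write, not just notify
        [string]$GroupName = 'Ransomware canaries'
    )

    # File group = the filename patterns to match. Create it or update it in place.
    if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
        Set-FsrmFileGroup -Name $GroupName -IncludePattern $NoteNames | Out-Null
    } else {
        New-FsrmFileGroup -Name $GroupName -IncludePattern $NoteNames | Out-Null
    }

    # [Source Io Owner], [Source File Path], [Server], [Admin Email] are FSRM's own
    # substitution variables: the account that wrote the file, where, and on which server.
    $mail = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
                -Subject 'Ransom note written on [Server]: [Source File Path]' `
                -Body ('[Source Io Owner] created [Source File Path]. Disable that account and ' +
                       'close its SMB sessions (Close-SmbSession), then restore from shadow copy.') `
                -RunLimitInterval 0          # no throttling; every hit is worth a mail
    $event = New-FsrmAction -Type Event -EventType Warning `
                -Body 'Ransom note [Source File Path] created by [Source Io Owner]'

    $common = @{ Path = $SharePath; IncludeGroup = $GroupName
                 Notification = @($mail, $event); Description = 'Canary: ransom-note filenames' }
    if (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue) {
        Remove-FsrmFileScreen -Path $SharePath -Confirm:$false
    }
    New-FsrmFileScreen @common -Active:$Block | Out-Null
    Get-FsrmFileScreen -Path $SharePath | Select-Object Path, Active, IncludeGroup
}

# Mail relay FSRM sends through (assumed values).
Set-FsrmSetting -SmtpServer 'smtp.example.internal' -FromEmailAddress 'fsrm@example.internal' `
                -AdminEmailAddress 'itops@example.internal'

# Passive first: notify only, so a false positive cannot break a user. Add -Block once happy.
Install-RansomCanaryScreen -SharePath 'D:\Shares\Users'

# Prove it end to end from a workstation: create one of the names on the share and
# confirm the mail and the SRMSVC warning event arrive within a few seconds.
```

Two caveats a practitioner should keep in mind. A file screen matches on the name of a file being created, so it says nothing about the encryption of existing files and only fires once the note is dropped; a family that writes its note last, or under a name not in the list, gets through the tripwire. And blocking the note does not stop the process doing the encrypting; the value is in the email, which tells you which account to disable and which sessions to drop before it reaches the next share.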
  7. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,647
    Location:
    Brisbane
    Our mail filter (for us internally - and our clients) is stripping out all executable and script files (including inside archives).

    And has been for some time.


    ICANN is apparently doing this... http://gnso.icann.org/en/issues/raa/ppsai-initial-05may15-en.pdf

    However, the reasoning is based on software/media piracy.
     
    Last edited: Jun 29, 2015
  8. elvis

    elvis OCAU's most famous and arrogant know-it-all

    Joined:
    Jun 27, 2001
    Messages:
    46,804
    Location:
    Brisbane
    Welcome to UNIX. :)

    You're on a slippery slope, my friend. Give it a few years, and you'll soon be ranting on forums about how difficult Windows makes things that can be done so simply in UNIX. :leet:
     
  9. Great_Guru

    Great_Guru Member

    Joined:
    Sep 5, 2001
    Messages:
    1,225
    Location:
    Australia
    Who lets JS files into their mail system :Pirate: *you're gonna have a bad time, mkay.

    We've set up extended filters in O365 (inbound and outbound) on top of the default ones on offer. We have a shared mailbox that these get dumped to for review. A) the end user gets a notice saying "that didn't happen buddy, rethink your life" and B) we have a copy of the email + attachments so we can enhance our user training.

    The above has helped greatly, as a major contributor has been some of the SMB entities we have acquired in the past 12 months. Bit of a culture shock for them: "you mean I can't email a 30MB executable Access database on your email platform" :o

    BTW, these filters do work with multi-layer compressed files, i.e. .js within a zip within a zip etc.

    We don't allow executable content through our mail system, including URL and LNK files etc. With that said, we do allow macro-enabled content; wish we didn't even do that.
     
  10. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    Office provides good tools for limiting/restricting macro progress in most of its flavours.

    We have a trusted network location where things with macros live; any macros outside of this location are denied.

    As whitelisting becomes more and more the 'standard', I expect to see more and more macro viruses come back (WhatYearIsThis.jpg)

    Office will always be targeted, but as users become aware, I can see other applications that provide a scripting interface becoming targets as well. I can't wait for AutoLISP or Python to become popular as an attack vector. :).
     
  11. Great_Guru

    Great_Guru Member

    Joined:
    Sep 5, 2001
    Messages:
    1,225
    Location:
    Australia
    Well, when I say we allow macro-enabled content, I mean they have to click through the "enable this content" buttons etc., but I feel as though if you have that, you've already lost the battle, as users don't do anything above the absolute bare minimum to reach their goal.

    I really like the idea of pushing a policy in the same vein as yours: it's this trusted network location or it's denied.

    The above would present varying degrees of difficulty depending on business processes, because I'm sure you haven't just said "S:" is safe, i.e. the root of all things company.
     
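The policy PabloEscobar describes and Great_Guru wants, "this trusted network location or it's denied", is a handful of Office registry policy values. The script below is an added example, not PabloEscobar's actual GPO: it pushes those values through a Group Policy object and reads them back. The GPO name, the trusted UNC path, the Office version key (15.0 here, i.e. Office 2013; 16.0 for 2016/365) and the choice of Word and Excel only are assumptions.

```powershell
# Added example, not PabloEscobar's actual GPO: the "one trusted network location,
# every other macro disabled with no prompt" policy as Office registry policy values
# pushed through a GPO. Assumed values: GPO name, the UNC of the trusted folder,
# Office version key 15.0 (Office 2013; 16.0 for 2016/365), and Word + Excel only;
# PowerPoint and Access take the same keys under their own app name.

Import-Module GroupPolicy

$GpoName    = 'Office - Macro lockdown'          # assumed
$Version    = '15.0'                            # assumed Office version key
$TrustedUnc = '\\fs01\apps\macro-tools'         # assumed; a narrow folder, never the share root
$Apps       = @('Word', 'Excel')

if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}

function Set-Pol {   # small wrapper so each setting is one readable line
    param([string]$Key, [string]$Name, [ValidateSet('DWord', 'String')][string]$Type, $Value)
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $Name -Type $Type -Value $Value | Out-Null
}

foreach ($app in $Apps) {
    $sec = "HKCU\Software\Policies\Microsoft\Office\$Version\$app\Security"

    # VBAWarnings: 1 = enable all, 2 = disable with notification (the yellow bar users click),
    # 3 = disable except digitally signed, 4 = disable all without notification. 4 = no bar at all.
    Set-Pol -Key $sec -Name 'VBAWarnings' -Type DWord -Value 4

    # Trusted Documents let a user permanently trust one file after a single "Enable";
    # turn that escape hatch off too (value name as in the Office ADMX templates; verify against yours).
    Set-Pol -Key "$sec\Trusted Documents" -Name 'DisableTrustedDocuments' -Type DWord -Value 1

    # Trusted Locations are exempt from VBAWarnings. UNC paths need AllowNetworkLocations=1.
    $tl = "$sec\Trusted Locations"
    Set-Pol -Key $tl -Name 'AllowNetworkLocations' -Type DWord -Value 1
    Set-Pol -Key "$tl\Location1" -Name 'Path'            -Type String -Value $TrustedUnc
    Set-Pol -Key "$tl\Location1" -Name 'AllowSubfolders' -Type DWord  -Value 1
    Set-Pol -Key "$tl\Location1" -Name 'Description'     -Type String -Value 'Approved macro files (read-only share)'
}

# Read back what the GPO will deliver, before linking it anywhere.
function Get-MacroPolicy {
    foreach ($app in $Apps) {
        $sec = "HKCU\Software\Policies\Microsoft\Office\$Version\$app\Security"
        [pscustomobject]@{
            App         = $app
            VBAWarnings = (Get-GPRegistryValue -Name $GpoName -Key $sec -ValueName 'VBAWarnings').Value
            TrustedPath = (Get-GPRegistryValue -Name $GpoName -Key "$sec\Trusted Locations\Location1" -ValueName 'Path').Value
        }
    }
}
Get-MacroPolicy | Format-Table -AutoSize
# Then: New-GPLink -Name $GpoName -Target 'OU=Staff,DC=example,DC=internal' (assumed OU),
# gpupdate /force on a test PC, and open a macro document from Downloads: no bar, no macro.
```

The whole scheme rests on one NTFS detail: users must have read-only access to the trusted folder. A Trusted Location the user can write to is just a two-step bypass (save the phished document there, open it), which is the point Great_Guru makes about not declaring "S:" safe. The keys are under HKCU, so this belongs in User Configuration of the GPO and applies per user, not per machine.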
  12. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,647
    Location:
    Brisbane
    There is such a thing as legitimate script files - and your email solution should be nailing this.

    THE ONLY REASON YOU NEED TO REPLACE YOUR MAIL FILTER IS THAT YOU HAVE TO INTERACT WITH IT ON A DAILY BASIS FOR 20 USERS.

    We are using SMG (a virtual cluster) and whilst we had to write a rule for it, it was reasonably simple to do.
     
  13. maddhatter

    maddhatter Member

    Joined:
    Jun 27, 2001
    Messages:
    4,797
    Location:
    Mackay, QLD.
    Block exes from running anywhere in user home paths for non-admin users, which is pretty much everyone except a select few.

    No idea yet, lost interest in tracking it down ('twas Saturday, I only went into work to chase up some paperwork) - just set our two servers to audit file creations and we'll wait for it to strike again. I'm a full-time electrician and part-time (~1 hour a week ish) computer technician for our company; can't justify wasting any more time trying to chase this ghost, I'll wait for it to come to me.
     
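maddhatter's rule set ("non-admins can't run exes from user home paths") is what most people now build with AppLocker rather than SRP. Below is an added example, not maddhatter's actual rules: it generates an allow-list policy in audit mode, dry-runs it with `Test-AppLockerPolicy` against a dropped binary and a legitimate one, and shows where the apply step goes. The test paths, the choice to apply locally (a GPO would use `Set-AppLockerPolicy -Ldap`) and the list of user-writable folders under `%WINDIR%` are assumptions.

```powershell
# Added example (not maddhatter's SRP rule set): the same intent, "non-admins run
# executables and scripts only from Program Files and Windows, so nothing in a user
# profile or temp folder runs", as an AppLocker policy generated in audit mode and
# dry-run with Test-AppLockerPolicy before it is applied. Assumed: sample test paths,
# a local apply (use Set-AppLockerPolicy -Ldap for a GPO), and that the Application
# Identity service (AppIDSvc) is running, without which AppLocker enforces nothing.

Import-Module AppLocker

function New-PathRuleXml {
    param([string]$Path, [string]$Sid, [string]$Name, [string[]]$Except = @())
    # One Allow path rule; exceptions carve user-writable subfolders out of an allowed tree.
    $ex = ''
    if ($Except.Count) {
        $ex = '<Exceptions>' + (($Except | ForEach-Object { "<FilePathCondition Path=""$_""/>" }) -join '') + '</Exceptions>'
    }
    "    <FilePathRule Id=""$([guid]::NewGuid())"" Name=""$Name"" Description="""" UserOrGroupSid=""$Sid"" Action=""Allow"">" +
    "<Conditions><FilePathCondition Path=""$Path""/></Conditions>$ex</FilePathRule>"
}

function New-LockdownPolicyXml {
    param([ValidateSet('AuditOnly', 'Enabled')][string]$Mode = 'AuditOnly')
    $Everyone = 'S-1-1-0'; $Admins = 'S-1-5-32-544'
    # Folders under %WINDIR% that standard users can write to (partial, well-known list);
    # without these exceptions "allow Windows" also allows a dropper in C:\Windows\Temp.
    $winWritable = @('%WINDIR%\Temp\*', '%WINDIR%\Tasks\*', '%WINDIR%\Tracing\*')

    $collections = foreach ($type in 'Exe', 'Script') {
        $rules = @(
            New-PathRuleXml -Path '%PROGRAMFILES%\*' -Sid $Everyone -Name 'Everyone: Program Files'
            New-PathRuleXml -Path '%WINDIR%\*'       -Sid $Everyone -Name 'Everyone: Windows (minus writable dirs)' -Except $winWritable
            New-PathRuleXml -Path '*'                -Sid $Admins   -Name 'Administrators: anything'
        )
        # No rule matches %USERPROFILE%, %TEMP%, Downloads or a USB stick, so for non-admins
        # those are denied by default; there is nothing to deny explicitly.
        "  <RuleCollection Type=""$type"" EnforcementMode=""$Mode"">`n" + ($rules -join "`n") + "`n  </RuleCollection>"
    }
    "<AppLockerPolicy Version=""1"">`n" + ($collections -join "`n") + "`n</AppLockerPolicy>"
}

$policyFile = Join-Path $env:TEMP 'applocker-lockdown.xml'
New-LockdownPolicyXml -Mode AuditOnly | Set-Content -Path $policyFile -Encoding UTF8

# Dry run: what happens to a dropped binary versus a legitimate one (constructed paths;
# the dropper stand-in is an empty file created only for the test).
$dropper = Join-Path $env:LOCALAPPDATA 'Temp\tmp.exe'
New-Item -Path $dropper -ItemType File -Force | Out-Null
$samples = @($dropper, (Join-Path $env:windir 'System32\notepad.exe'))
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $samples -User 'Everyone' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $dropper

# Apply only after the 8003 audit events (Event Viewer: AppLocker > EXE and DLL, Script)
# show nothing legitimate being flagged, then regenerate with -Mode Enabled and run:
#   Set-AppLockerPolicy -XmlPolicy $policyFile                 # this machine
#   Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap '<LDAP path of the GPO>'   # domain
```

Expected dry-run result: `tmp.exe` comes back `DeniedByDefault` (no rule matches it) and `notepad.exe` comes back `Allowed` by the Windows rule. Note what the Administrators rule implies: a user who is a local admin on their own PC gets no protection from this policy at all, which is why maddhatter's "everyone except a select few" matters. The Script collection covers .js, .vbs, .ps1, .cmd and .bat, but not Office macros; those need the Office policy, not AppLocker.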
  14. darkbastard

    darkbastard Member

    Joined:
    Sep 17, 2004
    Messages:
    967
    Location:
    Labrador 4215
    My mother got infected with a cryptolocker of some kind - she is 200k from me and I know not what it is exactly.

    BUT is there any hope of an unlock, either by paying cash or giving the files to someone?

    Biggest problem is she was using the grandson's computer as they are in the midst of a move and backed up to her Dropbox, and the freakn thing has gone right thru her Dropbox account.
     
  15. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,647
    Location:
    Brisbane
    Dropbox will have versioning - you can roll it back.
     
  16. Cubix

    Cubix Member

    Joined:
    Apr 15, 2011
    Messages:
    110
    Was it an Admin, or did it execute from outside the UserProfile space? if so where did it launch from?
     
    Last edited: Jul 1, 2015
  17. darkbastard

    darkbastard Member

    Joined:
    Sep 17, 2004
    Messages:
    967
    Location:
    Labrador 4215
    This worked

    Thanks

    Wiped the rest of the laptop and all is good
     
  18. metamorphosis

    metamorphosis Member

    Joined:
    Feb 25, 2002
    Messages:
    2,125
    One thing I found in the process of cleaning up a crypto-locker-infested system was this useful tool:

    https://www.foolishit.com/cryptoprevent-malware-prevention/

    The free version doesn't update (and they picked the dumbest URL imaginable for their company name - Foolish IT) but it basically auto-sets Group Policy rules for program execution, stops programs running from the majority of locations that crypto-scripts do, while whitelisting legit programs.
     
  20. person

    person Member

    Joined:
    Mar 7, 2003
    Messages:
    344
    Location:
    Brisbane
    The latest version of these macro viruses, received as several targeted emails today, is mildly amusing...


    We are trialling Office 365 Exchange Advanced Threat Protection; while stupidly overpriced for something that should be included by default, I can report that it actually stopped these, while they weren't detected by anything else according to VirusTotal! Yay, it's useful for something.
     
