
bloody bloody cryptolocker bloody

Discussion in 'Business & Enterprise Computing' started by Joshhy, Sep 12, 2014.

  1. Cubix

    Cubix Member

    Joined:
    Apr 15, 2011
    Messages:
    110
    Appdata is a different directory for XP/2000.


    Deletion of shadow copies has been standard fare for the last few generations of Cryptolocker/wall etc.
     
  2. Fresh79

    Fresh79 Member

    Joined:
    May 29, 2006
    Messages:
    7,310
    Location:
    Gold Coast
    We were going to send this out to try and get people to think twice before clicking links / opening attachments.

    https://phishingquiz.mcafee.com/
     
  3. Smokin Whale

    Smokin Whale Member

    Joined:
    Nov 29, 2006
    Messages:
    5,188
    Location:
    Pacific Ocean off SC
  4. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    I only got 13 out of 14... false positive on the Xfinity one... because I don't keep up with what services US cable companies are offering :)
     
  5. tin

    tin Member

    Joined:
    Jul 31, 2001
    Messages:
    6,421
    Location:
    Narrabri NSW
    %appdata% isn't though. Might point differently, but that's the whole reason you have environment variables.

    We're just cleaning up our 3rd customer - this time a business, where the manager decided to check his speeding fine. He's now promised to drive more carefully so he knows they're fakes :D

    Also looks like they're installing it for all users if they have admin rights and UAC isn't enabled. We found the exe in the windows directory, and a registry entry in the HKLM run key.

    Something we noticed with this one is the crafty buggers are even using a suitable icon on the exe files - NSW government logo in this case. They really are targeting NSW pretty hard.
     
  6. Cubix

    Cubix Member

    Joined:
    Apr 15, 2011
    Messages:
    110
    This variant must have been hardcoded, which is surprising, considering the level of effort put into obfuscation; you would think they would have nailed the variables.
     
  7. Jarwedy

    Jarwedy Member

    Joined:
    Nov 22, 2003
    Messages:
    1,007
    Location:
    Rockhampton, QLD
    Got hit this morning, source was the standard Aust Post email (possibly an older variant) - I've seen 2 versions of the same email today. Only 1 PC infected but in the space of 30 mins it cleaned up 15k files, luckily it was only isolated to the department's folder and a few global folders for in-house apps.

    Had a user report issues accessing some reports and they also noted a *.encrypted file extension.

    I hastily threw up a passive file screen for *.encrypted and DECRYPT*.* and managed to nail the PC in a few mins, but by then it had already done enough damage.

    Time to roll that Cryptolocker GPO forward out of the test group now.
    User education has got us pretty far in most respects, this event has been the first infection in maybe 3 years. Just this time one slipped through.
     
    Last edited: Nov 25, 2014
  8. cbb1935

    cbb1935 Guest

    Yeah it's f**king Russian hackers that are the source of it BTW.

    Came within a bees dick of an infection this morning when the company director opened an Aus Post link.

    Thank fark for my decent SEP configuration, because it grabbed and nuked the attachment via Threat Protection before it could even download, let alone launch a payload.
     
  9. Cubix

    Cubix Member

    Joined:
    Apr 15, 2011
    Messages:
    110
    FYI - New one disguised as a WhatsApp message just dropped tonight.


    [image]
     
  10. Smokin Whale

    Smokin Whale Member

    Joined:
    Nov 29, 2006
    Messages:
    5,188
    Location:
    Pacific Ocean off SC
    Gee that might as well say "click here for a virus". :tongue: Surely people are smart enough to realise it's fake.
     
  11. BurningFeetMan

    BurningFeetMan Member

    Joined:
    Apr 22, 2003
    Messages:
    9,826
    Location:
    A Place of Tubers
    Aww I feel loved! I noticed this in my spam email this morning. If only I knew it was the crypto virus, I would have virtualised it and watched it do its thing.
     
  12. cbb1935

    cbb1935 Guest

    LOL "If you can't play move into "Inbox"...

    Hahaha sly bastard programmer "Hmm what if it lands in Junk Mail... Ah HA I got it!!!"

    Authorities need to do more to catch these guys.

    Surely it can't be hard, when you have to give information as to the IP/URL you are hosting a payload on.

    Track the Domain registrant back, sent details to local Police cybercrime unit, and let them go knocking.

    I really can't see why more of them aren't getting caught.

    It's not rocket science. Make it a worldwide rule that you can't privacy-protect domain registrant details, and that you need 100 points of ID to register a domain.

    FWIW, most of the ones I have seen come through (e.g. Aus Post), the email contains a link to a WordPress PHP file (so there must be a vulnerability or code injection going on there). That PHP includes a redirection script to another URL, which is normally something like http://auspost-australia.net/blah/dodgyasfuck/1234.com or 1234.exe or 1234.docm or 1234.xls

    Anything capable of code execution.

    In our case Symantec Proactive Threat Protection nabbed it at the point it redirected from the PHP file, and blocked access not only to the file, but to the process iexplore.exe until the threat was neutralized automatically by SEP.
     
  13. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
    You really don't live in the same world as the rest of us do you?
     
  14. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    6,185
    Location:
    NSW
    yeah that stuff is going to end up in their digital bit bucket :)
     
  15. DJ Fusion

    DJ Fusion Member

    Joined:
    Mar 7, 2003
    Messages:
    4,947
    Location:
    Sydney
    Hey Pablo, are you able to expand on these points for me or answer a few noobish questions?

    What kind of edge filtering (is this referring to an Edge Transport?) could be applied to stop new variations of TorrentLocker emails getting through?

    And same for network filtering, would that be ingress or egress filtering? Are we blocking the payload coming in or the request to encrypt going out? What sort of rules could be applied here? Thanks heaps in advance. Unfortunately locking down appdata isn't really an option for us as some of our internal apps are click-to-run from that dir.
     
  16. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    6,185
    Location:
    NSW
    You can exclude certain apps so they can run with appdata blocks.
     
  17. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    Edge Transport is a specific role in an Exchange org. While you could do local filtering there, I was thinking more along the lines of hosted services like zscaler or symantec.cloud. These can do signature- and reputation-based filtering on incoming email, and have a massive volume of traffic to build and tune their filters from and to generate trending data.

    As far as network filtering... Like the Taco girl said... "Why Not Both".

    You receive an e-mail requesting you go to www.auspost.dodgy.com - URL filtering can catch it.... If it doesn't

    auspost.dodgy.com tries to load its payload and remote exec stuff - your IDS should pick it up and stop it... if it doesn't

    your outbound filtering should pick up the request to a C&C server, and stop it.

    If it doesn't, a file screen on your file server should pick up irregular activity (like the creation of a bunch of .encrypted files), and drop connections or at least identify the source.

    ---

    Just layers... but like others have said, you can whitelist apps for running from appdata, while still blocking everything else.
     
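The file-screen layer that Jarwedy and PabloEscobar describe (a passive screen on *.encrypted and DECRYPT*.* that identifies the source machine) can be illustrated with a small detector over file-server audit lines. This is an added example, not code from the thread or from any poster: the audit line layout, the sample lines, the two file masks and the burst threshold are all assumptions, and the point it shows beyond the posts is attributing the burst to a (user, client IP) pair so the offending session can be dropped.

```python
"""Flag the source of a ransomware-style write burst from file-server audit lines.

Added example (not from the thread or any poster). It mirrors the passive file
screen the posts describe (*.encrypted and DECRYPT*.* masks) and adds a
per-source sliding-window count so the offending user/client can be identified.
The log format, sample lines, patterns and thresholds are all assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import fnmatch
import re

# File masks used by the thread's passive file screen (assumed to be the only two).
SCREEN_PATTERNS = ("*.encrypted", "DECRYPT*.*")
# Flag a (user, client) once it has produced this many screened files within WINDOW (assumed values).
THRESHOLD = 5
WINDOW = timedelta(minutes=5)

# Assumed audit line layout: "<ISO timestamp> <user> <client ip> <action> <UNC path>" (no spaces in paths).
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (CREATE|WRITE|RENAME|DELETE) (\S+)$")

# Constructed sample log: one legitimate write, a burst from one workstation, one stray hit elsewhere.
SAMPLE_LOG = r"""
2014-11-25T08:59:10 CORP\alice 10.1.2.40 WRITE \\FS01\Dept\Finance\budget.xlsx
2014-11-25T09:00:01 CORP\jsmith 10.1.2.55 CREATE \\FS01\Dept\Finance\budget.xlsx.encrypted
2014-11-25T09:00:02 CORP\jsmith 10.1.2.55 DELETE \\FS01\Dept\Finance\budget.xlsx
2014-11-25T09:00:04 CORP\jsmith 10.1.2.55 CREATE \\FS01\Dept\Finance\Q3_report.docx.encrypted
2014-11-25T09:00:05 CORP\jsmith 10.1.2.55 CREATE \\FS01\Dept\Finance\DECRYPT_INSTRUCTIONS.html
2014-11-25T09:00:09 CORP\jsmith 10.1.2.55 CREATE \\FS01\Dept\Finance\invoices.pdf.encrypted
2014-11-25T09:00:12 CORP\jsmith 10.1.2.55 CREATE \\FS01\Dept\Finance\DECRYPT_INSTRUCTIONS.txt
2014-11-25T09:00:15 CORP\jsmith 10.1.2.55 CREATE \\FS01\Dept\HR\staff.xlsx.encrypted
2014-11-25T09:00:20 CORP\bob 10.1.2.61 CREATE \\FS01\Apps\Tools\notes.encrypted
2014-11-25T09:00:22 CORP\jsmith 10.1.2.55 CREATE \\FS01\Dept\HR\payroll.csv.encrypted
"""


def matches_screen(path):
    """True if the file-name part of *path* matches one of the screen masks (case-insensitive)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in SCREEN_PATTERNS)


def parse_line(line):
    """Parse one audit line into (timestamp, user, client, action, path), or None if it does not fit."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, user, client, action, path = m.groups()
    return datetime.fromisoformat(ts), user, client, action, path


def detect(lines):
    """Return (hits, flagged).

    hits    - every non-delete event whose file name matches a screen mask
    flagged - {(user, client): {"first", "last", "count"}} for sources that hit THRESHOLD within WINDOW
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e[0])          # tolerate out-of-order log lines
    hits = []
    recent = defaultdict(deque)               # per-source timestamps inside the sliding window
    flagged = {}
    for ts, user, client, action, path in events:
        if action == "DELETE" or not matches_screen(path):
            continue                          # deleting an already-screened file is not a new write
        hits.append((ts, user, client, path))
        source = (user, client)
        window = recent[source]
        window.append(ts)
        while ts - window[0] > WINDOW:       # drop timestamps that fell out of the window
            window.popleft()
        if len(window) >= THRESHOLD:
            entry = flagged.setdefault(source, {"first": window[0], "last": ts, "count": 0})
            entry["last"] = ts
            entry["count"] = len(window)
    return hits, flagged


if __name__ == "__main__":
    hits, flagged = detect(SAMPLE_LOG.splitlines())
    print(f"{len(hits)} screened file events")
    for (user, client), info in flagged.items():
        print(f"BLOCK {user} from {client}: {info['count']} screened writes "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
```

On the constructed log this attributes the burst to CORP\jsmith from 10.1.2.55 while CORP\bob's single stray hit stays below the threshold, which is the "identify the source" outcome the posts describe; the same logic can be fed from FSRM file-screen events or object-access auditing on the share, with the response being to terminate that SMB session and disable the account rather than only to block the write.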
  18. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,475
    Location:
    qld.au
    Surely managing servers and backups can't be hard, it's just point and click via the GUI!
    Surely being a chef can't be hard, all you do is chop the things up and cook them!
    Surely running a spam network can't be hard, all you do is sign up to a hosting company direct with all your personal details and your personal credit card!

    :thumbup:
     
  19. cbb1935

    cbb1935 Guest

    Missing the point as usual.

    My point is that there is ALWAYS an endpoint, hosting a malicious file.

    That endpoint has to be registered to an owner somewhere along the line (either as a static or dynamic IP), or as a registered domain.

    At the end of the day someone is personally responsible for the endpoint hosting malicious content.
     
  20. Cubix

    Cubix Member

    Joined:
    Apr 15, 2011
    Messages:
    110
    The new variants communicate to the C&C server over Tor.

    The malicious file itself is often hosted on public file sharing servers and picked up via compromised PHP in unpatched ipboards/forums.
     
    Last edited: Nov 27, 2014
