[meteorite-list] OT- Security Alert Issued- CryptoLocker Warning

Jodie Reynolds spacerocks at spaceballoon.org
Sat Nov 16 01:14:02 EST 2013


Hi Dirk and List,

FoolishIT has a locker that prevents CryptoLocker from running,
called CryptoPrevent.  It's a pretty nice little piece of code.

That said:  Backups.  If one hasn't learned to keep backups of files
they care about by this point, CryptoLocker is probably a cheap
lesson.

CryptoPrevent can be had free here: http://www.foolishit.com/vb6-projects/cryptoprevent/

The premium version offers auto-updating.

--- Jodie

Friday, November 15, 2013, 2:01:03 PM, you wrote:

> OT- Security Alert Issued- CryptoLocker Warning
>
> List, This is important because we don't need this infection within
> our list. Please read carefully. Thank you. Dirk Ross...Tokyo
>
> CryptoLocker Warning
> NEVER open attachments you are not expecting. Cryptolocker is a
> particularly bad nasty that you never want to see. Microsoft issued a
> critical alert about it, and today CERT issued a second alert. I've
> already had to deal with two small infestations at work, and every
> affected machine had to be wiped because this malware brings along a
> bunch of 'friends' to party on the infected machine.


> On Wednesday, Nov 13, 2013, at 15:55
>
>> Ghu knows I hate the "sky is falling" notes that say "Read This!!!
>> Important!!!". Well, this actually IS a "Read This!!! Important!!!" I
>> just got this from the folks that host my Citrix system. They are good
>> (heck, my son worked for 'em for 5 years!). When they say "this is
>> nasty" they know of what they speak. I was in Hot Springs, Arkansas, a
>> couple of weeks ago talking with an IT guy. He was in the middle of
>> rebuilding a customer's box that got hit. If you ARE hit, and you DON'T
>> have appropriate backups, and you DON'T pay the ransom guys you are, to
>> put it bluntly, screwed.
>>
>> Do NOT open an attachment you are unsure of, even if it comes from
>> someone you trust. Emails can be spoofed.
>>
>> ==================================
>> CryptoLocker is Trojan horse malware which surfaced in late 2013, a
>> form of ransomware targeting computers running Microsoft Windows.
>> CryptoLocker disguises itself as a legitimate attachment; when
>> activated, the malware encrypts certain types of files stored on local
>> and mounted network drives using RSA public-key cryptography, with the
>> private key stored only on the malware's control servers. The malware
>> then displays a message which offers to decrypt the data if a payment
>> (through either Bitcoin or a pre-paid voucher) is made by a stated
>> deadline, and says that the private key will be deleted and unavailable
>> for recovery if the deadline passes. If the deadline is not met, the
>> malware offers to decrypt data via an online service provided by the
>> malware's operators, for a significantly higher price in Bitcoin.
>>
>> CryptoLocker typically propagates as an attachment to a seemingly
>> innocuous e-mail (usually taking the appearance of a legitimate company
>> e-mail), or from a botnet. The attached ZIP file contains an executable
>> file with filename and icon disguised as a PDF file, taking advantage
>> of Windows' default behaviour of hiding the extension from file names
>> to disguise the real .EXE extension. Some instances may actually
>> contain the Zeus trojan instead, which in turn installs
>> CryptoLocker.[1][2] When first run, the payload installs itself in the
>> Documents and Settings folder with a random name, and adds a key to the
>> registry that causes it to run on startup. It then attempts to contact
>> one of several designated command and control servers; once connected,
>> the server then generates a 2048-bit RSA key pair, and sends the public
>> key back to the infected computer.[1][3] The server may be a local
>> proxy and go through others, frequently relocated in different
>> countries to make tracing difficult.[4][5]
>>
>> The payload then proceeds to begin encrypting files across local hard
>> drives and mapped network drives with the public key, and logs each
>> file encrypted to a registry key. The process only encrypts data files
>> with certain extensions, including Microsoft Office, OpenDocument, and
>> other documents, pictures, and AutoCAD files.[2] The payload then
>> displays a message informing the user that files have been encrypted,
>> and demands a payment of 300 USD or Euro through an anonymous pre-paid
>> cash voucher (i.e. MoneyPak or Ukash), or 2 Bitcoin in order to decrypt
>> the files. The payment must be made within 72 or 100 hours, or else the
>> private key on the server would be destroyed, and "nobody and never
>> will be able to restore files."[1][3] Payment of the ransom allows the
>> user to download the decryption program, which is pre-loaded with the
>> user's private key.[1]
>>
>> In November 2013, the developers of CryptoLocker launched an online
>> service which claims to allow users to decrypt their files without the
>> CryptoLocker program, and to purchase the decryption key after the
>> deadline expires; the process involves uploading an encrypted file to
>> the malware site as a sample, and waiting for the service to find a
>> match, which the site claims would occur within 24 hours. Once a match
>> is found, the user can pay for the key online; if the 72-hour deadline
>> has passed, the cost increases to 10 Bitcoin (which, in early November
>> 2013, was valued at over $2000 USD).[6][7]
>>
>> Security software might not detect CryptoLocker, or detect it only
>> after encryption is underway or complete. If an attack is suspected or
>> detected in its early stages, it takes some time for encryption to take
>> place; immediate removal of the malware (which itself is a relatively
>> trivial process) would theoretically limit its damage to data.[8][9]
>> Experts instead suggested precautionary measures, such as using
>> software or other security policies to block the CryptoLocker payload
>> from launching at all.
>> ==================================
>>
> ______________________________________________
> Visit the Archives at http://www.meteorite-list-archives.com
> Meteorite-list mailing list
> Meteorite-list at meteoritecentral.com
> http://six.pairlist.net/mailman/listinfo/meteorite-list



-- 
Best regards,
 Jodie                            mailto:spacerocks at spaceballoon.org
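The quoted description says the infection arrives as a ZIP whose executable carries a PDF-style name and relies on Windows hiding the real .EXE extension. As an added example (not from the list post, CryptoPrevent, or any other tool mentioned), this Python script inspects a ZIP attachment and flags entries whose name hides an executable extension behind a document extension, or whose content starts with the PE "MZ" magic despite a document name; the sample archive is constructed inline, and the padding-space case goes slightly beyond what the post describes.

```python
import io
import zipfile

# Extensions the Windows shell executes; "invoice.pdf.exe" displays as
# "invoice.pdf" when known extensions are hidden.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable

def inspect_entry(name, head):
    """Reasons an entry (name inside the ZIP, first bytes) looks like a disguised
    executable. Whitespace around each extension is stripped to catch padded names."""
    parts = [p.strip() for p in name.rsplit("/", 1)[-1].lower().split(".")]
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    reasons = []
    if ext in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS:
        reasons.append("double extension %s%s hides executable" % (inner, ext))
    elif ext in EXECUTABLE_EXTS:
        reasons.append("executable extension %s" % ext)
    if head.startswith(PE_MAGIC):
        if ext in EXECUTABLE_EXTS:
            reasons.append("PE header")
        else:
            reasons.append("PE header but non-executable extension %r" % ext)
    return reasons

def scan_zip(data):
    """Scan ZIP bytes; return {entry_name: [reasons]} for flagged entries."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))
            reasons = inspect_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip():
    """Constructed sample: 'MZ' is only the PE magic, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2013.pdf.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("report.pdf", PE_MAGIC + b"\x00" * 62)  # PE bytes, document name
        zf.writestr("notes.txt", b"plain text")  # benign control entry
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip())` flags the first two entries and leaves notes.txt alone; a mail gateway or desktop hook can apply the same check to real attachments before they reach a user.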