[meteorite-list] OT- Security Alert Issued- CryptoLocker Warning
From: Jodie Reynolds <spacerocks_at_meteoritecentral.com>
Date: Fri, 15 Nov 2013 22:14:02 -0800
Message-ID: <1723028556.20131115221402_at_spaceballoon.org>

Hi Dirk and List,

FoolishIT has a locker that prevents CryptoLocker from running, called
CryptoPrevent. It's a pretty nice little piece of code.

That said: Backups. If one hasn't learned to keep backups of files they
care about by this point, CryptoLocker is probably a cheap lesson.

CryptoPrevent can be had free here:
http://www.foolishit.com/vb6-projects/cryptoprevent/

The premium version offers auto-updating.

---
Jodie

Friday, November 15, 2013, 2:01:03 PM, you wrote:

> OT- Security Alert Issued- CryptoLocker Warning
>
> List, This is important because we don't need this infection within
> our list. Please read carefully. Thank you. Dirk Ross...Tokyo
>
> CryptoLocker Warning
>
> NEVER open attachments you are not expecting. Cryptolocker is a
> particularly bad nasty that you never want to see. Microsoft issued a
> critical alert about it, and today CERT issued a second alert. I've
> already had to deal with two small infestations at work, and every
> affected machine had to be wiped because this malware brings along a
> bunch of 'friends' to party on the infected machine.
>
> On Wednesday, Nov 13, 2013, at 15:55
>
>> Ghu knows I hate the "sky is falling" notes that say "Read This!!!
>> Important!!!". Well, this actually IS a "Read This!!! Important!!!" I
>> just got this from the folks that host my Citrix system. They are good
>> (heck, my son worked for 'em for 5 years!). When they say "this is
>> nasty" they know of what they speak. I was in Hot Springs, Arkansas, a
>> couple of weeks ago talking with an IT guy. He was in the middle of
>> rebuilding a customer's box that got hit. If you ARE hit, and you DON'T
>> have appropriate backups, and you DON'T pay the ransom guys, you are, to
>> put it bluntly, screwed.
>>
>> Do NOT open an attachment you are unsure of, even if it comes from
>> someone you trust. Emails can be spoofed.
>>
>> ==================================
>> CryptoLocker is Trojan horse malware which surfaced in late 2013, a
>> form of ransomware targeting computers running Microsoft Windows.
>> CryptoLocker disguises itself as a legitimate attachment; when
>> activated, the malware encrypts certain types of files stored on local
>> and mounted network drives using RSA public-key cryptography, with the
>> private key stored only on the malware's control servers. The malware
>> then displays a message which offers to decrypt the data if a payment
>> (through either Bitcoin or a pre-paid voucher) is made by a stated
>> deadline, and says that the private key will be deleted and
>> unavailable for recovery if the deadline passes. If the deadline is
>> not met, the malware offers to decrypt data via an online service
>> provided by the malware's operators, for a significantly higher price
>> in Bitcoin.
>>
>> CryptoLocker typically propagates as an attachment to a seemingly
>> innocuous e-mail (usually taking the appearance of a legitimate company
>> e-mail), or from a botnet. The attached ZIP file contains an executable
>> file with filename and icon disguised as a PDF file, taking advantage
>> of Windows' default behaviour of hiding the extension from file names
>> to disguise the real .EXE extension. Some instances may actually
>> contain the Zeus trojan instead, which in turn installs
>> CryptoLocker.[1][2] When first run, the payload installs itself in the
>> Documents and Settings folder with a random name, and adds a key to the
>> registry that causes it to run on startup. It then attempts to contact
>> one of several designated command and control servers; once connected,
>> the server then generates a 2048-bit RSA key pair, and sends the public
>> key back to the infected computer.[1][3] The server may be a local
>> proxy and go through others, frequently relocated in
>> different countries to make tracing difficult.[4][5]
>>
>> The payload then proceeds to begin encrypting files across local hard
>> drives and mapped network drives with the public key, and logs each
>> file encrypted to a registry key. The process only encrypts data files
>> with certain extensions, including Microsoft Office, OpenDocument, and
>> other documents, pictures, and AutoCAD files.[2] The payload then
>> displays a message informing the user that files have been encrypted,
>> and demands a payment of 300 USD or Euro through an anonymous pre-paid
>> cash voucher (i.e. MoneyPak or Ukash), or 2 Bitcoin in order to decrypt
>> the files. The payment must be made within 72 or 100 hours, or else the
>> private key on the server would be destroyed, and "nobody and never
>> will be able to restore files."[1][3] Payment of the ransom allows the
>> user to download the decryption program, which is pre-loaded with the
>> user's private key.[1]
>>
>> In November 2013, the developers of CryptoLocker launched an online
>> service which claims to allow users to decrypt their files without the
>> CryptoLocker program, and to purchase the decryption key after the
>> deadline expires; the process involves uploading an encrypted file to
>> the malware site as a sample, and waiting for the service to find a
>> match, which the site claims would occur within 24 hours. Once a match
>> is found, the user can pay for the key online; if the 72-hour deadline
>> has passed, the cost increases to 10 Bitcoin (which, in early November
>> 2013, was valued at over $2000 USD).[6][7]
>>
>> Security software might not detect CryptoLocker, or detect it only
>> after encryption is underway or complete. If an attack is suspected or
>> detected in its early stages, it takes some time for encryption to
>> take place; immediate removal of the malware (which itself is a
>> relatively trivial process)
>> would theoretically limit its damage to data.[8][9] Experts instead
>> suggested precautionary measures, such as using software or other
>> security policies to block the CryptoLocker payload from launching at
>> all.
>> ==================================
>>
> ______________________________________________
> Visit the Archives at http://www.meteorite-list-archives.com
> Meteorite-list mailing list
> Meteorite-list at meteoritecentral.com
> http://six.pairlist.net/mailman/listinfo/meteorite-list

--
Best regards,
Jodie mailto:spacerocks at spaceballoon.org

Received on Sat 16 Nov 2013 01:14:02 AM PST
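The quoted write-up above describes how the CryptoLocker attachment arrives: a ZIP whose member is an executable named and iconed like a PDF, relying on Windows hiding the real .EXE extension. As an added example (not part of this thread, and not CryptoPrevent's code), the Python below scans an in-memory ZIP attachment for that disguise pattern, flagging double extensions and PE "MZ" headers hiding under document extensions; the sample archive and its member names are constructed here for the demonstration.

```python
import io
import zipfile

# With Explorer's default "hide extensions for known file types", a member
# named Invoice.pdf.exe is shown as Invoice.pdf; these sets drive both checks.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}

def displayed_name(name):
    """Name as Windows shows it with the last extension hidden."""
    base = name.rsplit("/", 1)[-1]
    return base.rpartition(".")[0] or base

def classify_member(name, head):
    """Reasons (possibly none) why a ZIP member looks like a disguised executable."""
    parts = name.lower().rsplit(".", 2)
    real_ext = "." + parts[-1] if len(parts) > 1 else ""
    decoy_ext = "." + parts[-2] if len(parts) > 2 else ""
    reasons = []
    if real_ext in EXECUTABLE_EXTS and decoy_ext in DOCUMENT_EXTS:
        reasons.append("double extension: shown as %s, really %s"
                       % (displayed_name(name), real_ext))
    # A PE image starts with the 'MZ' DOS header whatever its name claims.
    if head[:2] == b"MZ" and real_ext not in EXECUTABLE_EXTS:
        reasons.append("PE header under non-executable extension %s"
                       % (real_ext or "(none)"))
    return reasons

def scan_zip_bytes(data):
    """Scan a ZIP attachment held in memory; map suspicious members to reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)       # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip():
    """Constructed sample attachment: one benign PDF plus two disguised PE stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed benign document")
        zf.writestr("Invoice_2013.pdf.exe", b"MZ\x90\x00 constructed stub, not a real PE")
        zf.writestr("scan.jpg", b"MZ\x90\x00 constructed stub renamed to .jpg")
    return buf.getvalue()
```

Running `scan_zip_bytes(build_sample_zip())` reports the two stubs and leaves the real PDF alone; a mail gateway would apply the same checks before the attachment reaches a user whose Explorer hides extensions.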