CryptoLocker Ransom Virus Cleanup

In case you haven’t discovered the CryptoLocker virus, it is a particularly nasty virus that sits unannounced on your computer and basically encrypts a whole variety of useful files that you would save with the following file extensions:

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

The virus encrypts each file with a freshly generated symmetric key and then encrypts that key with an RSA public key fetched from the criminals' server; only they hold the matching private key, so there is nothing on the infected computer that can undo the encryption.  Short of a backup, the only way to decrypt the files is to pay the $300 ransom asked of you, which buys you that private key.  The virus gives you a countdown warning that if you don’t pay the ransom within the ever diminishing time, then the private key will be destroyed and your data will be toast!

Having been called to deal with another CryptoLocker virus discovered on a new customer’s computer recently, the damage to the server was overcome by restoring all data from a recent backup but I was now looking at cleaning up the infected client’s computer (which had been removed from the LAN and switched off).

To stop the warning message appearing, I used Rkill (the iexplore.exe version – I find this works more often than using the rkill.exe version) to highlight the random .exe file that is running, but as there are usually two copies of the file running, once Rkill identifies the name of the file, it will kill one of the processes, but the 2nd will spawn another version of itself and so you find that the processes are still running.

A quick TASKKILL command from a Command Prompt will kill both processes off at the same time (taskkill /f /im randomexefilename.exe) – the /im switch matches every process with that image name, so both copies die before either can respawn the other.

Once the processes have been stopped, I then use Roguekiller to identify and clean up the computer, noting the name of the two .dll files that are created in c:\users\USERNAME\appdata\roaming and then scour the registry for those .dll files and the original randomexefilename, removing any traces that are found.  I also check to make sure the .dll and .exe files are removed too – you can’t be too careful.  The .exe file usually resides in c:\users\USERNAME\appdata\roaming\randomfoldername.

Once the registry is clean, you can then look at recovering local files from the Shadow Copies.  There is a good write up on BleepingComputer on how to do this, so I won’t expand on what’s written there.

During my cleaning of the computer today, I noticed that the folder that contained the randomexefilename.exe file was created back in July 2012 and the two .dll files in appdata\roaming were created on the 1st October 2013.  As I had a vague idea the infection came in via Email, I looked for odd emails on the 1st October in the user’s mailbox and noticed that there were several emails with the Subject: “Your Amazon.co.uk order #” which all contained attachments and were all .ZIP files.  Having deleted all those emails and checked the Anti-Spam logs on the server, the emails appeared to come from Hotmail.com accounts, so I tweaked the filters on the Anti-Spam Software on the server (Vamsoft ORF Fusion) to block all .ZIP file attachments (except from trusted sources).
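The cleanup steps above (kill both copies at once, find the .exe and the .dll files under AppData\Roaming, check the creation dates and scour the autostart registry keys for references to them) as a PowerShell script. This is an added example, not from the original post or from any of the tools it mentions; randomexefilename.exe is a placeholder for whatever name Rkill reported, and it only lists the registry values it finds (the Remove-ItemProperty line is left commented out so you can verify before deleting).

```powershell
# Added example (not the original post's procedure verbatim). Run as the affected user.
# $Suspect is a placeholder for the random file name that Rkill identified.
$Suspect = 'randomexefilename.exe'
$Roaming = $env:APPDATA          # C:\Users\<USERNAME>\AppData\Roaming

# 1. Kill every instance at once so that one copy cannot respawn the other
Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($Suspect)) -ErrorAction SilentlyContinue |
    Stop-Process -Force

# 2. Locate the executable under AppData\Roaming and note when its folder was created
$exe = Get-ChildItem -Path $Roaming -Filter $Suspect -Recurse -Force -ErrorAction SilentlyContinue
$exe | Select-Object FullName, CreationTime, @{n='FolderCreated'; e={ $_.Directory.CreationTime }}

# 3. List the DLLs dropped directly in AppData\Roaming, oldest first, to build the timeline
$dlls = Get-ChildItem -Path $Roaming -Filter '*.dll' -Force -ErrorAction SilentlyContinue
$dlls | Sort-Object CreationTime | Select-Object Name, CreationTime, Length

# 4. Scour the usual autostart keys for the exe or any of those DLL names
$names = @($Suspect)
foreach ($d in $dlls) { $names += $d.Name }
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        foreach ($n in $names) {
            if ("$($p.Value)" -like "*$n*") {
                "{0}\{1} = {2}" -f $key, $p.Name, $p.Value
                # Remove-ItemProperty -Path $key -Name $p.Name   # uncomment once verified
            }
        }
    }
}
```

The Run/RunOnce keys are where this family normally persists; the post searches the whole registry, which you can still do afterwards, but start with these because a hit there tells you the name to search for.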

So it would appear that this particular virus, or at least the origins of it may have been hiding dormant in the customer’s computer since July 2012 and then the opening of the .ZIP file attachment on the 1st October added more to the virus and then it finally completed its encryption of files a week or two later at which point it popped up its ransom demand.

This particular customer was lucky because they backup their files nightly and Shadow Copies were enabled on the client computer, so encrypted files could be recovered completely, but if you are reading this now and you have the warning and don’t have a backup, then you will need to pay the $300 ransom to get your files back.  If you kill the virus off and tidy up after it and don’t have a backup, you can kiss your files goodbye permanently.

Alan

How we recovered a stolen laptop with help from GFI Remote Monitoring, Prey Project, a dash of cunning and a little bit of luck!

A customer of ours recently called us up to request a quote for a replacement laptop because the one we had bought them only a few months earlier had been stolen in a burglary and they didn’t expect to ever see it again. The laptop (running Windows 7) was configured with Office 365 and the password was cached, so we reset the password for the account to prevent anyone abusing the account and at that point we thought we couldn’t do anything else to help.

The thought of getting the laptop back was the furthest thing from our minds (and our customer’s) because there was no software on it that we could use to gather information that could be used to recover it (or so we thought). We therefore started to search for a suitable replacement laptop and passed on the prices to our customer accordingly.

It was only after having a discussion in the office that Mark, my business partner, mentioned PreyProject and what a shame it was that it wasn’t already installed on the laptop. He did a bit of digging around on their website and found that there was a batch file that could silently install the software if only we could get the software on to the laptop.

We currently use GFI Max RemoteManagement to monitor our customers’ servers, computers and laptops and we could see that the laptop had been connected to the Internet on a new IP Address, so we started to record the IP Address (screen-shots of the laptop in the GFI Control Panel) and passed the information on to the Police. The Police would then be able to use the IP Address to trace the user at the date/time we recorded it and from that, trace the address and hopefully the laptop. That would all take time though and it was possible that the laptop would be moved to a different location and therefore getting the laptop back would take time and might not happen at all. GFI also records a multitude of information about the hardware including the Serial Number, Make and Model and I also passed this information to the Police to identify the laptop should they eventually get the opportunity to recover it.

Thinking more about GFI and what was available to us, one of the options available is to use a Script Check to perform remote commands. If only we could somehow come up with a script to remotely download and install PreyProject then we might be able to do more than just trace the IP Address, we could possibly get some web-cam pictures of the person using the laptop, some screen-shots of what they were doing and local Wi-Fi networks that were in the vicinity of the laptop. If only……..

So I set about writing a script that could download the .exe file and the batch installation file using FTP from my Draytek router (with memory stick plugged into it) and tested this locally, which worked very well. Testing the same script at a different location unfortunately didn’t work and so I gave up on the FTP route and searched for an alternative. The alternative that I came up with was to use BITSADMIN (Background Intelligent Transfer Service), which is used by Windows to download files for things like Windows Update and was of course installed on the laptop by default. After uploading the PreyProject .exe file and their installation batch file to our website, I wrote a script to download the files to the laptop and then run the installation. I then tested the script out on my laptop and it worked successfully.

My script which I eventually used looked like this:
@echo off
REM Create the working folder (no error if it already exists)
if not exist c:\temp md c:\temp
REM Fetch both files with BITS; /transfer waits until each download has completed
bitsadmin /transfer preyBat /download /priority high http://www.mywebsite.com/preyinstall.bat c:\temp\preyinstall.bat
bitsadmin /transfer preyExe /download /priority high http://www.mywebsite.com/prey-0.5.3-win.exe c:\temp\prey-0.5.3-win.exe
REM Run Prey's silent installer from c:\temp, passing the account API key as its argument
c:
cd c:\temp
call preyinstall.bat MY_Prey_API_Key

(any script writers out there please forgive the very basic nature of the script – I am no batch-script writer – but it works!)
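A PowerShell version of the same idea, added here as an example and not part of the original post or of Prey's own installer. It fetches the two files over HTTPS with BITS, refuses to run the .exe unless its SHA-256 matches the value you recorded when you uploaded it (the script above downloads over plain HTTP and runs whatever arrives), and launches the install detached so a monitoring script check with a short timeout can return straight away. The host name, paths, hash and API key are placeholders.

```powershell
# Added example: download, verify and install Prey from a web server you control.
# All values below are placeholders; $ExpectedSha must be the SHA-256 of the exe you uploaded.
Import-Module BitsTransfer

$BaseUrl     = 'https://www.mywebsite.com'     # assumed: same site as the original post, but HTTPS
$Dest        = 'C:\temp'
$Installer   = 'prey-0.5.3-win.exe'
$BatchFile   = 'preyinstall.bat'
$ExpectedSha = '0000000000000000000000000000000000000000000000000000000000000000'   # placeholder
$ApiKey      = 'MY_Prey_API_Key'

function Get-Sha256Hex([string]$Path) {
    # Uses .NET directly so it also works on Windows 7 / PowerShell 2.0 (no Get-FileHash there)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

New-Item -ItemType Directory -Path $Dest -Force | Out-Null

foreach ($name in @($BatchFile, $Installer)) {
    Start-BitsTransfer -Source "$BaseUrl/$name" -Destination (Join-Path $Dest $name) -Priority High
}

$actual = Get-Sha256Hex (Join-Path $Dest $Installer)
if ($actual -ne $ExpectedSha) {
    Remove-Item (Join-Path $Dest $Installer), (Join-Path $Dest $BatchFile) -Force
    throw "Installer hash mismatch (got $actual); refusing to run it."
}

# Detach the install so the calling script check returns before its timeout expires;
# the batch file takes the API key as its first argument, as on the original page.
Start-Process -FilePath 'cmd.exe' -ArgumentList "/c `"$Dest\$BatchFile`" $ApiKey" `
    -WorkingDirectory $Dest -WindowStyle Hidden
```

The hash check matters because the script runs as whatever account the monitoring agent uses; if anyone can tamper with the download in transit or on the web server, you have just installed their code on the laptop instead of yours.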

Having uploaded the script to GFI, I then assigned the script check to the stolen laptop and waited.

After a short while, the script came back with a Timeout Error. At that point I was disappointed because I had scheduled the script with the maximum timeout value of 150 seconds and it must have taken longer to run than the 150 seconds. I then set about checking the script to make sure all was well and couldn’t see a problem. I even started timing the downloads and for me it all worked well within the 150 seconds. So presumably the current laptop user was using a slower connection.

I decided to login to the Prey Project Control Panel to make sure there was space for the stolen laptop to be installed (on a free account you get 3 free spaces to monitor devices and I knew that I had one space left). I was very surprised at that point to see the stolen laptop appear in the list of Devices I could monitor and so I reported it as stolen, configured the settings to gather geo-location information, grab web-cam shots, screen-shots, Wi-Fi networks and anything else it could to help me locate the laptop. There are additional options available to lock the device, have the device make a noise, display a warning message on the screen and to hide emails, delete browser cookies and stored passwords, but I decided to leave those alone for now as I didn’t want to scare off the laptop user, I wanted to get the laptop back.

I set the PreyProject monitoring interval to the smallest interval available and waited to see what came back into the 10 reporting slots available on a free account (this can be increased for a paltry $5.00 a month to a 2 minute interval and 100 reporting slots).

What initially came back was a very dark image of the laptop user playing games and their location was reported as being in Central London (it was night-time so the lighting wasn’t brilliant). I flagged my laptop as being stolen and waited for the first report back from that and when it came back, I was reported as being right next to the stolen laptop, which clearly wasn’t the case, so I didn’t pay much heed to the geo-location information and eventually turned it off.

I sat back and waited for more reports to come in and was rewarded the next time with a slightly clearer picture of the laptop user who was busy watching porn!

After a while, it seemed that the laptop user was aware of the webcam being used and the images then came back completely black, so I turned off the web-cam setting and continued to grab screen-shots and wi-fi networks etc.

The next day (during daytime), I turned the web-cam back on and ended up getting a very clear picture of the laptop user which I then passed along to the Police.

I continued to enable / disable the web-cam option and as my available slots for reports were filling up, decided I didn’t want to lose any good images of the laptop user, so upgraded my account and then increased the monitoring interval.

After several not very exciting reports with no new information, I then received the most interesting screen-shot that was to give the laptops location away precisely. They were writing a letter and had put their address and telephone number at the top of the letter and I had a screen-shot of the letter. The location wasn’t too far away from my own location, so I decided to pay the address a visit and took my iPhone with me to verify the Wi-Fi networks that were shown in the report.

Standing outside the address in the letter I turned on my Wi-Fi on my iPhone and took some screen-shots of the available networks and 5 of the networks that were captured using PreyProject matched the networks I could see. The laptop HAD to be close and thus the address on the letter had to be the laptop users address. I excitedly passed this information on to the Police and they then arranged for a Search Warrant from the Courts the next day and then paid the address a visit the following morning.

I then received a phone call from my customer to say that they had been contacted by the Police and that they could collect their laptop from them (with some proof of their identity) the following day, which they did. We are now restoring the laptop back to a pre-stolen date to remove traces of software that was installed during its absence and we heard that the insurance company was not going to pay out for the laptop because it was a work laptop and was not therefore technically covered on the household insurance from the house it was stolen from, so it was just as well we got it back.

So – if you don’t already have PreyProject installed on your iPad, iPhone, Laptop, Computer, Android phone, Apple Mac, Linux PC or anything else it can be installed on, then what are you waiting for? If it gets stolen without PreyProject installed, you had better be one of our customers with Monitoring software installed or you can kiss it goodbye!

Fake Security Software Hits Macs – MAC Defender / MAC Security

Mac users need to beware of fake security software that is similar to the fake Anti-Virus software that can easily find its way onto a PC.

If you unwittingly download the program (MAC Defender / MAC Security), which appears very high up in search listings, you may find your MAC screens littered with pornographic images and no doubt the usual demands for money to download some other software to get rid of the ‘problem’.

Macs have long been considered much safer than Windows PCs when it comes to security because the target size was so small (about 5% of the Market-place), and Virus-writers thus focussed on the bigger target as the impact would be much greater, but now it seems that the tables have been turned and Mac users need to be just as careful as PC users.

Constantcontact.com Mail Servers Cannot Send mail to servers using Greylisting!

We have recently started using Constantcontact.com to keep our customers up-to-date with the goings on at our company and have been very happy with the service until today when we looked at the number of invalid email addresses that were being reported. Upon investigation, we even discovered that our own servers, which use Vamsoft ORF for Anti-Spam filtering with Greylisting configured, were not receiving any of the emails being sent from Constantcontact.com.

For those of you that don’t know what Greylisting is, it is a method used by Anti-Spam software to temporarily reject (with a 4xx response) the first delivery attempt from a sender the server has not seen before, normally keyed on the combination of sending IP Address, sender address and recipient address. Because most spammers will only try to send a message once, then move on to the next target, they don’t usually come back to try again. As an anti-spam tool, this technique is incredibly effective. If the sending mail server tries to send the message again after a short delay, as any properly configured mail server will, then the receiving server using Greylisting will accept the second connection attempt unless it has other issues with the sender, the sending server or the sender’s IP Address etc.

Getting back to Constantcontact.com – having contacted their support team, it was determined that their servers only ever send a message the once and if they encounter a server that uses Greylisting, their servers cannot distinguish between an invalid email address rejection message (550 5.1.1 Unknown User Error) and a Temporary Rejection Message (451 4.7.1 Temporary Rejected – Try Again Later), so they fail the send attempt and class this as an invalid email address. They advise that an email will get tried again 16 days later, but most Greylisting software has a timeout of 24 hours, by which time if they haven’t heard back from the sending server, they then temporarily reject the next connection attempt and then start the 24-hour countdown again. With a 16-day retry interval, the mail from Constant Contact will NEVER reach a mail server using Greylisting.
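To make the mechanism concrete, here is a small greylist simulation in PowerShell, added as an example (it is not part of the original post and does not speak SMTP to anything). It keeps the usual IP / sender / recipient triplet with a 24-hour memory, classifies replies the way a correct mail server does (4xx retry, 5xx give up), and replays two senders against it: one that retries in minutes and one that, like the bulk mailer described above, waits 16 days. The addresses, IP and times are constructed.

```powershell
# Added example: a toy greylist plus the sender-side decision a correct MTA makes.
$Greylist = @{}                       # key "ip|from|to" -> time of the first attempt
$Window   = New-TimeSpan -Hours 24    # how long a pending triplet is remembered

function Test-Greylist([string]$Ip, [string]$From, [string]$To, [datetime]$Now) {
    # Returns the SMTP reply the receiving server would give at simulated time $Now
    $key = "$Ip|$From|$To"
    if (-not $Greylist.ContainsKey($key)) {
        $Greylist[$key] = $Now
        return '451 4.7.1 Temporary Rejected - Try Again Later'
    }
    if (($Now - $Greylist[$key]) -gt $Window) {
        # The entry has expired: the sender looks new again and the countdown restarts
        $Greylist[$key] = $Now
        return '451 4.7.1 Temporary Rejected - Try Again Later'
    }
    return '250 2.0.0 OK'
}

function Get-DeliveryAction([string]$Reply) {
    # The distinction Constant Contact's servers were not making: 4xx is not 5xx
    switch -regex ($Reply) {
        '^2'    { 'delivered' }
        '^4'    { 'retry' }      # temporary failure: queue it and try again later
        '^5'    { 'bounce' }     # permanent failure: only now is the address invalid
        default { 'unknown' }
    }
}

function Send-WithRetries([string]$Name, [timespan[]]$RetrySchedule) {
    $t = Get-Date '2011-01-01 09:00'
    $reply = Test-Greylist '203.0.113.10' 'news@example.com' 'user@example.net' $t
    "{0}: first attempt -> {1}" -f $Name, $reply
    foreach ($delay in $RetrySchedule) {
        if ((Get-DeliveryAction $reply) -ne 'retry') { break }
        $t += $delay
        $reply = Test-Greylist '203.0.113.10' 'news@example.com' 'user@example.net' $t
        "{0}: retry after {1} -> {2}" -f $Name, $delay, $reply
    }
    "{0}: final action = {1}" -f $Name, (Get-DeliveryAction $reply)
}

# A normal MTA retries within minutes and gets through on the second attempt
Send-WithRetries 'normal-mta'  @((New-TimeSpan -Minutes 15), (New-TimeSpan -Minutes 30))
$Greylist.Clear()
# A sender that waits 16 days is always outside the 24-hour window and never gets through
Send-WithRetries 'bulk-sender' @((New-TimeSpan -Days 16), (New-TimeSpan -Days 16))
```

The second run shows the failure mode in the post: every attempt is the "first" attempt as far as the greylist is concerned, so the sender sees 451 forever, and a sender that treats 451 like 550 then writes the address off as invalid.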

The support team at Constant Contact’s advice was to contact the recipients and request that they Whitelist (expressly allow mail from their mail servers) the Constant Contact IP Addresses. Considering that we had about 150 “Invalid Email Address” rejections out of about 500 messages, we didn’t find the suggestion that we should contact every customer who they couldn’t email to ask them to Whitelist the Constant Contact mail server addresses a very helpful or indeed practical solution.

As an Exchange Administrator – I am reluctant to Whitelist IP Addresses / mail servers as this can open up the receiving server to problems should the sending server that is Whitelisted become infected. As the problem would appear to be an issue with the mail server configuration at Constant Contact not retrying an email, we have decided to look for an alternative provider that can work properly with servers using Greylisting.

If you send out messages using Constant Contact and have plenty of “Invalid Email Addresses” in your mailing list, then you need to think about using a different provider until they change their working practices because the chances are your email addresses are perfectly valid, but you won’t ever be able to send them emails using Constant Contact.

You have been warned.

****** UPDATE *******

Further to the above information, it now appears that Constant Contact can work happily with Greylisting servers, but the bigger problem that they face at the moment is being blacklisted on pretty much all their servers by UCEProtect Level 1.

Increase in Hacker attempts on Windows / Exchange Servers – One Way to Slow Them Down!

In an earlier post I advised about an increase in hacking attempts that I had been seeing on Experts Exchange and also on the servers that we support for our customers.

My Earlier Post:
https://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

Having recently been alerted to yet another round of sustained attacks on a couple of servers we receive daily alerts for, I started to dig a little deeper and came up with an interesting thought. A lot of the hackers seem to be passing random usernames such as 1234 / 123 / Claire etc and because these users don’t exist on any of our servers, the Account Lockout Policy does not kick in after x many invalid login attempts. As a result – they just keep on trying in vain!

So – what to do?

Well – it seems that lots of the hackers seem to be trying to use SMTP to attempt to hack a username / password, so I got thinking. On the majority of servers, the SMTP Virtual Server / Receive Connector has Anonymous Authentication / Basic Authentication / Integrated Windows Authentication enabled.

Anonymous Authentication is required if you want to receive emails from other servers around the world, so disabling that is not an option because you would not receive any email at all!

Basic Authentication is required if you want users to send mail by supplying a Username / Password; unless you also require TLS, those credentials cross the wire in clear text (why would you want that?), and it is the mechanism most of these password-guessing tools are using.

Integrated Windows Authentication is required if you want your domain users to be able to use SMTP and supply their credentials from their Windows accounts to verify access to the server.

As the vast majority of the servers we manage have RPC over HTTPS / Outlook Anywhere configured on them, Outlook never authenticates over SMTP, so Basic / Integrated Windows Authentication is not required in the slightest and I disabled them both on the servers that were receiving unwanted attention.

Two days later – no more hacker attempts are being reported / logged in the Security Event Logs!

So – if you want a more secure server and don’t have users with SMTP / POP3 accounts sending via your own Exchange Server and have not already disabled Basic & Integrated Windows Authentication on your SMTP Virtual Server / Receive Connector – what are you waiting for?
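For Exchange 2007 / 2010, the change above is a one-line Set-ReceiveConnector. The following is an added example for the Exchange Management Shell, not from the original post; “SERVER\Default SERVER” is a placeholder for the connector your MX record points at. It shows what each connector offers before the change, removes BasicAuth and Integrated while keeping anonymous delivery from other mail servers and the ExchangeServer mechanism used between your own Exchange servers, and then checks the result.

```powershell
# Added example: harden the Internet-facing receive connector (Exchange 2007 / 2010 shell).
# $Connector is a placeholder; pick the connector bound to port 25 on your public address.
$Connector = 'SERVER\Default SERVER'

# Before: which mechanisms are offered and who is allowed to connect on each connector
Get-ReceiveConnector | Format-Table Identity, Bindings, AuthMechanism, PermissionGroups -AutoSize

# After: keep Tls (opportunistic encryption) and ExchangeServer (traffic between your own
# Exchange servers); drop BasicAuth, BasicAuthRequireTLS and Integrated.
# AnonymousUsers stays in PermissionGroups, or nobody on the Internet can deliver to you.
Set-ReceiveConnector -Identity $Connector -AuthMechanism 'Tls, ExchangeServer'

# Verify: the connector must no longer offer any password-based mechanism
$after = Get-ReceiveConnector -Identity $Connector
if ("$($after.AuthMechanism)" -match 'BasicAuth|Integrated') {
    throw "Connector $Connector still offers password authentication"
}
if ("$($after.PermissionGroups)" -notmatch 'AnonymousUsers') {
    Write-Warning "Connector $Connector does not accept anonymous mail; inbound Internet mail will fail"
}
$after | Format-List Identity, AuthMechanism, PermissionGroups
```

After the change, an EHLO against port 25 should no longer return an AUTH line advertising LOGIN or NTLM, which is the point at which the guessing tools have nothing left to try. Before you do this, check for scanners, copiers or applications that relay through Exchange with a username and password, because they will stop sending; give them their own connector restricted to their IP Address instead of re-enabling authentication for the world.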

One less point of attack for hackers is good news in my books.

Active Your New Adobe Acrobat Reader (Hoax) Part II

Further to my earlier post about the “Active Your New Adobe PDF Reader” entry, the spam mail is also doing the rounds using the above Subject line.

The Body of the message is as follows:

ADOBE PDF READER SOFTWARE UPGRADE NOTIFICATION

This is to remind that a new version of Adobe Acrobat Reader with enhanced features for viewing, creating, editing, printing and internet-sharing PDF documents has been released.
To upgrade your application:

+ Go to http://www.2010-adobe-download.com
+ Get your options, download and upgrade.

DOWNLOAD ADOBE ACROBAT READER

Thanks and best regards,

John Brian
Adobe Acrobat Reader Support

Copy rights Adobe 2010 © All rights reserved
102 Marrinbird Rd | Merryton | CA | 96521 | USA

Want to unsubscribe or change your details?

If you click on the link, it takes you to a fairly convincing site with testimonials about how great the software actually is, further convincing the unsuspecting email recipient to download the free software.

The site looks like this:

Hoax Adobe Reader Website

Adobe’s response to this hoax can be read here:
http://blogs.adobe.com/psirt/2010/09/alert-adobe-reader-upgrade-email-spamphishing-scam.html

Activate Your New Adobe PDF Reader (Hoax)

There are emails doing the rounds at the moment asking you to Upgrade Adobe PDF Reader which are completely bogus and should be ignored / deleted immediately as no doubt there is an unwanted element to clicking on the link that you are presented with.

Adobe are not in the habit of emailing customers advising them of newer versions of their software, just as Microsoft and most of the other big companies don’t. Beware such messages claiming to come from well-known companies and always look upon such emails as suspicious.

If you have Anti-Spam software that can be customised to reject messages based on Subject or Content, you would be highly advised to add a new rule to block this type of message from coming through.

The Subject of the Email is: Activate Your New Adobe PDF Reader

The body of the email is:

ADOBE PDF READER SOFTWARE UPGRADE NOTIFICATION

This is to remind that a new version of Adobe Acrobat Reader with enhanced features for viewing, creating, editing, printing and internet-sharing PDF documents has been released.

To upgrade your application:

+ Go to http://www.adobe–upgrade.com

+ Get your options, download and upgrade.

DOWNLOAD ADOBE ACROBAT READER

Thanks and best regards,

John Brian

Adobe Acrobat Reader Support

Copy rights Adobe 2010 © All rights reserved

1005 Marrinbird Rd | Merryton | CA | 96523 | USA

Website: http://www.adobe–upgrade.com

If you no longer wish to receive similar emails please click here.

Here is Adobe’s response on their blog: http://blogs.adobe.com/psirt/2010/09/alert-adobe-reader-upgrade-email-spamphishing-scam.html
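Both of the posts above suggest a rule on the mail server that rejects these messages by Subject. Vamsoft ORF has its own rule editor for that; for an Exchange 2010 server the equivalent is a transport rule, shown here as an added example that is not part of either post. The rule name and comment are placeholders; the two Subject lines are the ones quoted above.

```powershell
# Added example: one transport rule that drops both variants of the hoax by Subject.
# Exchange 2010 Management Shell; rule name and comment are placeholders.
$RuleName = 'Block Adobe Reader upgrade hoax'
$Subjects = 'Activate Your New Adobe PDF Reader',
            'Active Your New Adobe Acrobat Reader'

if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName `
        -SubjectContainsWords $Subjects `
        -DeleteMessage $true `
        -Comments 'Spam campaign impersonating Adobe, September/October 2010'
}

# Check the rule exists, is enabled and carries both phrases
Get-TransportRule -Identity $RuleName | Format-List Name, State, Priority, SubjectContainsWords
```

Matching on the Subject catches this campaign but not the next one with a different wording, so treat this as a stop-gap alongside your normal anti-spam scoring rather than a replacement for it.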

Increase in frequency of security alerts on servers from hackers trying brute force password programs

Over the past few months I have seen a noticeable increase in the number of servers that I look after raising alerts due to a large number of hacker attempts trying to pass Usernames and Passwords to the server in the vague hope of eventually finding a combination that actually works.

Once a combination of Username and Password is successfully found, the server will invariably be used to send out vast amounts of spam, which will ultimately result in the innocent victim having problems sending mail because the fixed IP Address that they have will be listed on one or more Blacklist websites.

One such server that I was called to that had suffered from such an attack had been given about 380,000 spam emails to send out in a very short space of time. Identifying the problem account and cleaning up the mess caused can be a tricky process, but with the right information to hand, an understanding of why this has happened and the optional use of software such as Vamsoft ORF which has excellent logging capabilities, the problem can quickly and easily be identified, the account being used either disabled or the password changed and the SMTP service restarted.

What can you do to prevent such an attack from hitting your server?

Well, there are several preventative measures that you can take to reduce the risk:

1. Configure Passwords to be complex (to include Uppercase letters, Lowercase letters, Numbers and Special Characters e.g., !”£$%^&*()_+}{][#’@~?></.,)
2. Make sure passwords have a minimum length – the longer the better but at least 7 or 8 characters as a minimum.
3. Force passwords to be changed regularly (at least every 30 – 60 days)
4. Enable account lockouts after a low number of invalid login attempts (between 3 and 5 invalid attempts). Make sure the accounts are locked out for approx 15 minutes to slow down the hacker.
5. Make sure your firewall is configured to only allow the protocols that you need allowed through and close off any others that are not needed.
6. Regularly review your firewall settings to verify the open ports are needed.
7. Make sure your firewall logs all access to your systems so that you can track down the source IP Address that requests are coming from. The logs will be invaluable in determining the source of multiple login attempts.
8. When the firewall logs get full, make sure you have them emailed to you and keep them in a safe place.
9. Setup alerts for the Security Log and make sure you get notified of multiple invalid login attempts. The sooner you act, the less chance the hackers have to probe your security, usernames and passwords.
10. Make sure you don't have an account called Administrator on your server that is active. If you do, create a new Server Admin account, copying the Administrator account and then disable the Administrator account – it is an obvious target account and hackers will try this account almost every time.
11. Regularly review your user accounts and make sure you either disable or delete ones that are no longer needed.
12. Make sure that all your server user accounts are easily located in Active Directory, ideally in a single OU, so that you don't have to hunt around for accounts and thus can't easily overlook an account that is located in an obscure OU that you never look at.
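Point 9 (alerting on multiple invalid logins) is the one that tells you an attack is under way, and the Security log already holds everything you need. The script below is an added example, not from the original post: on Windows Server 2008 or later it reads the last 24 hours of failed logons (event 4625), groups them by source IP Address and shows which user names were tried and why each attempt failed, so you can see at a glance the guesses against accounts that don't exist (which never trip the lockout policy) next to the ones against real accounts. The threshold and time window are assumptions; tune them to your server.

```powershell
# Added example: summarise failed logons from the Security log by source IP.
# Run in an elevated PowerShell on Windows Server 2008 or later.
$Since     = (Get-Date).AddHours(-24)   # assumed window
$Threshold = 10                         # assumed: failures from one IP worth reporting

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
    -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # SubStatus tells you whether the account even exists; only real accounts count towards lockout
    $sub = "$($d['SubStatus'])".ToLower()
    $reason = switch ($sub) {
        '0xc0000064' { 'no such user' }     # never trips Account Lockout Policy
        '0xc000006a' { 'bad password' }     # counts towards lockout
        '0xc0000234' { 'account locked' }
        default      { $sub }
    }

    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        Ip        = $d['IpAddress']
        User      = $d['TargetUserName']
        LogonType = $d['LogonType']         # 8 = network cleartext, i.e. SMTP/POP3 basic auth
        Reason    = $reason
    }
}

$rows | Group-Object Ip | Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $users   = ($_.Group | Select-Object -ExpandProperty User -Unique) -join ', '
        $reasons = ($_.Group | Group-Object Reason | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ' '
        "{0,-15} {1,5} failures  [{2}]  users: {3}" -f $_.Name, $_.Count, $reasons, $users
    }
```

Schedule it to run hourly and mail the output to yourself, or feed the source IP Addresses straight into a firewall block list; either way you find out about the attack the same day rather than when your fixed IP Address turns up on a Blacklist.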

If you currently don't implement any form of password security, you may meet stiff resistance from staff to enforcing the above changes to passwords, but the first time you are hacked and suffer problems sending mail as a result of being hacked in this way, your users might actually understand why these settings are needed.

If you implement some or all of the above, you should limit the possibilities of being hacked and used as a spammers' relay to spew forth their rubbish. If you don't – then you can't say I didn't warn you : )

Beware bogus telephone support calls claiming to come from Microsoft

A customer of mine just rang me to advise me that a member of their staff at a remote branch office had received a call claiming to come from Microsoft saying that their machine had been sending out spam or similar and that they could connect remotely and deal with the problem.

They declined saying that they could not do it right now, but could tomorrow and the call ended.

Microsoft are not in the business of phoning their customers to resolve their problems over the phone, so the calls were clearly bogus.

The calls were apparently very convincing and I am sure that there will be lots of people that will fall for the scam and no doubt end up with bigger problems on their hands.

If you receive such a call, please decline any offers of remote support and hang up.