Cryptolocker

[mechBgon]

I wasn't able to identify the source. Didn't see any bogus emails.

IIRC, drive-by exploits of Java, and weak Remote Desktop passwords, are a couple of the attack vectors used by Cryptolocker.

Practical countermeasures:

1. if possible, ditch Java entirely. If not, disable it in your browsers if that'll work. If it's needed for just specific websites, enable it strictly for those sites and disable it everywhere else. Furthermore, enable SRP and slam shut all the loopholes using the AccessChk auditing routine.

2. if RDP is enabled and you need it, use best practices. Use really strong passwords, only allow non-Admins to connect, make sure UAC is maxed out, make sure elevation prompts require credentials on the Secure Desktop, ensure Network-Level Authentication is required, and SSL protocol required (that one's in Group Policy, along with encryption level). And [broken record] enable SRP and slam shut all the loopholes [/broken record]. And ditch Java


In the end, what saves a lot of people is backups, so anyone who's gearing for battle with Cryptolocker should evaluate their backup strategy, and remember mapped drives are part of Cryptolocker's target list. Something like Windows Home Server backup would be a good idea. At work, that's my trump card if I need it. I recently updated all the boxen to Win8.1 and that did call for a re-audit of the SRP loophole rules, there's some new ones.

 

[John Connor]

I use an add-on in Firefox called Quickjava that allows me to turn off Java when I don't need it. But I also keep plugins updated. http://www.mozilla.org/en-US/plugincheck/

 

[mechBgon]

Along Java's trail of destruction, some of its noteworthy recent failures haven't been due to vulnerabilities, but logic loopholes. "It's not a bug, it's a feature" type of thing. So updating it is certainly a good idea if you have to have it, but limiting it only to specific, necessary sites is definitely worthwhile.

Of course, if one of the necessary sites gets pwned, then... well, there's always SRP I guess

 

[Peroxyde]

Sorry for the silly question. I have read some articles about that CryptoLocker virus. Users got caught because they clicked on an attachment which contains a zip or a PDF or a song. How come a data/content file could be able to execute a code ?!?

 

[postmortemIA]

Sorry for the silly question. I have read some articles about that CryptoLocker virus. Users got caught because they clicked on an attachment which contains a zip or a PDF or a song. How come a data/content file could be able to execute a code ?!?

it looks like pdf as exe can contain icon within itself - it was really never pdf file but exe with pdf icon.
Besides, PDF supports javascript, so it can execute 'stuff'

 

[John Connor]

Sorry for the silly question. I have read some articles about that CryptoLocker virus. Users got caught because they clicked on an attachment which contains a zip or a PDF or a song. How come a data/content file could be able to execute a code ?!?

That's one vector another is via plugins. Keep flash and Java, etc updated. I just installed the beta Hitman Pro Alert Cryptolocker.

 

[fleshconsumed]

Is anyone weary trusting Hutman Pro Alert? Not to sound paranoid, but how do we know if we can trust it not to be a front to cryptolocker?

 

[lxskllr]

Is anyone weary trusting Hutman Pro Alert? Not to sound paranoid, but how do we know if we can trust it not to be a front to cryptolocker?

HitmanPro has been doing security software for awhile. I haven't personally used their products, but they're a known name.

Edit:

Hitman Pro was developed in 2004 by Mark Loman from The Netherlands. As system administrator / security specialist he felt the need for an automated tool that would be able to effectively clean computers that were infected by spyware. In those days, spyware was still pretty new and except for a few specialized companies, there were no tools to remove spyware.

The first version of Hitman Pro was a simple script that downloaded and executed a couple of anti spyware programs, such as SpyBot, Ad-Aware, Spy Sweeper, Spyware Doctor, NOD32. Hitman Pro became very popular, especially in The Netherlands with more than 3 million users.
In later versions, the automation of the abovementioned programs became more complex as the vendors expanded the features of their software, making it more complicated to automate the execution of the program. Plus an increase in the number of false positives caused by these programs, resulted in the decision to develop a completely new version from scratch.

Mark Loman founded SurfRight B.V. in The Netherlands in 2006, and hired a few security experts and software developers for the development of new and innovative security products.
The first project in 2006 was a research project to study the common characteristics of malware using behavioural analysis (fuzzy logic). The results of this research would be the foundation for the new anti malware product Hitman Pro 3.

Caretaker Antispam was released in 2007, the first product of SurfRight using their own technology.
Caretaker Antispam's filter is trained centrally, not by the user so when spammers find a new spamming method, the filter is updated automatically by the team of SurfRight experts. This mechanism ensures that Caretaker Antispam continuously filters out more than 99% of all spam messages, while the number of false positives (genuine messages that are classified as spam) is virtually zero.

Hitman Pro 3 was released in 2008. The Hitman Pro 3 client is based completely on SurfRight technology.
Hitman Pro is a second opinion scanner, designed to rescue your computer from malware (viruses, trojans, rootkits, etc.) that have infected your computer despite all the security measures you have taken (such as anti virus software, firewalls, etc.). Hitman Pro is designed to work alongside existing security programs without any conflicts. It scans the computer quickly (less than 5 minutes) and does not slow down the computer (except for the few minutes it is scanning). Hitman Pro 3 does not need to be installed. It can be run straight from a USB flash drive, a CD/DVD, local or network attached hard drive

http://www.surfright.nl/en/home/about

 

[fleshconsumed]

Did not know that, thanks for the info. Is there a reason it's beta right now? Is it like google, i.e. perpetual "beta" or are they planning to release stable version later? And if they do, is it going to remain free or will they sell it?

 

[ringtail]

Obviously SRP isn't "Salt River Project" or 'Suggested Retail Price" or "Soldier Readiness Processing" so . . .
What does "SRP" mean and,
where is the control for that accessible in Windows 7?
Link

IIRC, drive-by exploits of Java, and weak Remote Desktop passwords, are a couple of the attack vectors used by Cryptolocker.

Practical countermeasures:

1. if possible, ditch Java entirely. If not, disable it in your browsers if that'll work. If it's needed for just specific websites, enable it strictly for those sites and disable it everywhere else. Furthermore, enable SRP and slam shut all the loopholes using the AccessChk auditing routine.

2. if RDP is enabled and you need it, use best practices. Use really strong passwords, only allow non-Admins to connect, make sure UAC is maxed out, make sure elevation prompts require credentials on the Secure Desktop, ensure Network-Level Authentication is required, and SSL protocol required (that one's in Group Policy, along with encryption level). And [broken record] enable SRP and slam shut all the loopholes [/broken record]. And ditch Java


In the end, what saves a lot of people is backups, so anyone who's gearing for battle with Cryptolocker should evaluate their backup strategy, and remember mapped drives are part of Cryptolocker's target list. Something like Windows Home Server backup would be a good idea. At work, that's my trump card if I need it. I recently updated all the boxen to Win8.1 and that did call for a re-audit of the SRP loophole rules, there's some new ones.

 

[mechBgon]

Obviously SRP isn't "Salt River Project" or 'Suggested Retail Price" or "Soldier Readiness Processing" so . . .
What does "SRP" mean and,
where is the control for that accessible in Windows 7?
Link

Software Restriction Policy, a versatile Windows feature for blacklisting and/or whitelisting. I have a setup guide at mechbgon.com/srp that shows how to set it up, how to find and fix loopholes, and what some of the gotchas are. It's configured using Group Policy. It won't win any awards for mindless ease-of-use, so it's for the person who prioritizes security ahead of simplicity.

The Home versions of Windows don't have a Local Group Policy, so I also touched on the Family Safety option for Home versions, which could be used to whitelist all the legit .EXEs on the system and block others until Admin approval is given. For the purposes being discussed here, that would still help against Cryptolocker and a lot of malware in general.

The beauty of either of these, is that they work arbitrarily and with no appreciable performance impact. You might need to re-audit your SRP loopholes after installing new software, but beyond that, you don't need updates, renewals, etc to keep the protection up.

 

[babcom]

mechBgon, Can you confirm that if the Security Level in SRP is set to disallowed, that in the Additional Rules you do not need to specifically add in a folder or exe to be disallowed as the Security Level will take care of this? Although I have added in the following folders to be disallowed just to be safe as apparently windows allows a standard user to write and execute from them:

Windows\PCHEALTH\ERRORREP
Windows\debug\
Windows\Registration\
Windows\System32\catroot2\
Windows\System32\com\dmp
Windows\System32\FxsTmp
Windows\System32\spool\PRINTERS
Windows\System32\spool\drivers\color
Windows\System32\spool\SERVERS
Windows\System32\Tasks
Windows\SysWOW64\com\dmp
Windows\SysWOW64\FxsTmp
Windows\SysWOW64\Tasks

 

[mechBgon]

mechBgon, Can you confirm that if the Security Level in SRP is set to disallowed, that in the Additional Rules you do not need to specifically add in a folder or exe to be disallowed as the Security Level will take care of this? Although I have added in the following folders to be disallowed just to be safe as apparently windows allows a standard user to write and execute from them:

Windows\PCHEALTH\ERRORREP
Windows\debug\
Windows\Registration\
Windows\System32\catroot2\
Windows\System32\com\dmp
Windows\System32\FxsTmp
Windows\System32\spool\PRINTERS
Windows\System32\spool\drivers\color
Windows\System32\spool\SERVERS
Windows\System32\Tasks
Windows\SysWOW64\com\dmp
Windows\SysWOW64\FxsTmp
Windows\SysWOW64\Tasks

The anti-loophole rules are indeed necessary for full protection. On the bright side, a rule that forbids C:\Windows\Temp (for example) will also cover the subfolders like C:\Windows\Temp\Evil_Thingie.

My current set of disallowed Path Rules on a fresh 64-bit Win8.1 installation is shown below.

C:\Windows\debug\WIA
C:\Windows\PCHEALTH
C:\Windows\Registration\CRMLog
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons
C:\Windows\System32\Com\dmp
C:\Windows\System32\FxsTmp
C:\Windows\System32\inetsrv\config
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\Tasks
C:\Windows\SysWOW64\Com\dmp
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\TasksC:\Windows\Tasks
C:\Windows\Temp
C:\Windows\tracing

I have a few additional ones that relate to my specific software, like StartIsBack start-menu software, and there's also the tough decision of how to deal with Steam and Origin, since they don't work if their loopholes get set to Disallowed. One kludge is to fix their Path loopholes and then override SRP by using Run As Administrator when I want to play a Steam or Origin game. Not exactly risk-free. I may try the suggestion here, later this week: http://www.wilderssecurity.com/showpost.php?p=2240771&postcount=6

 

[PliotronX]

Update: group policy SRP did the trick this morning for a user on a network that has been hit twice before by Cryptolocker. He opened the very convincing looking email and subsequently boobytrapped ZIP files but Cryptolocker did not pass go and did not collect three hundred dollars. Good stuff, great thread thanks guys.

Next question: tracing emails with forged senders addresses and IP's? Also how to locally block emails with certain characteristics in Exchange without interrupting legitimate ZIP attachments.

 

[Chiefcrowe]

Excellent PliotronX! Glad it worked for you.

I don't know about the exchange question but as far as I know, tracing forged senders and IPs is very difficult since they are changed so frequently - so i'm not sure it's even worth trying that.

 

[ringtail]

I accidentally came across this free app that may help some people:

CryptoPrevent

 

[mechBgon]

Update: group policy SRP did the trick this morning for a user on a network that has been hit twice before by Cryptolocker. He opened the very convincing looking email and subsequently boobytrapped ZIP files but Cryptolocker did not pass go and did not collect three hundred dollars. Good stuff, great thread thanks guys.

Next question: tracing emails with forged senders addresses and IP's? Also how to locally block emails with certain characteristics in Exchange without interrupting legitimate ZIP attachments.

If your Exchange server is running its own antivirus/anti-Spam software, maybe there's some options in there? Great to hear SRP got the job done for him :thumbsup:

 

[jolancer]

EDIT: oh yeah, just fyi also... I found, for me anyway, some of the applications i had in /program files for example that came up as loopholes. I did not need to create a SRP rule to restrict them, you can just modify the permissions in Advanced Security settings for the application directory and remove the offending entry. As long as the app didn't need exclusive access, in which case if it does read further bellow. The apps that happened to me with were i could save the resources and just modify security settings were mostly portable type apps, that don't use an installer. /EDIT

EDIT again: sorry mechBgon, I didn't read ur link.. looks like u can just modify permissions like i had to for a few apps, and it'l still work. will leave bellow info tho could help elseware /EDIT

I have a few additional ones that relate to my specific software, like StartIsBack start-menu software, and there's also the tough decision of how to deal with Steam and Origin, since they don't work if their loopholes get set to Disallowed. One kludge is to fix their Path loopholes and then override SRP by using Run As Administrator when I want to play a Steam or Origin game. Not exactly risk-free. I may try the suggestion here, later this week: http://www.wilderssecurity.com/showpost.php?p=2240771&postcount=6

I'm not familiar with what was mentioned in this thread, so for various reasons i looked around. and here's a link i found usefull.

http://technet.microsoft.com/en-us/library/bb457006.aspx

With the info found there, it seams you can probably solve your steam issue and the like. by simply specifing multiple rules ontop of each other, and any similar rule with higher specifity toward a specific exacutable rules the policy for that specific exacutable. I had to do this also for some programs i had that needed write access when testing, like emulators for example...

Loophole (with both rules enforced only "progX.exe" will be allowed from that loc)
# Path rule= %PROGRAMFILES%\example - Disallowed
# Path rule= %PROGRAMFILES%\example\progX.exe - Unrestricted
or
# Hash rule= progX.exe - Unrestricted
same for .dll's if you enforced them

Like that the app will still work without issue, while any other exacutable without that exact file name will fail to exacute in that directory. or even better, same exacutable with different file hash will fail. I had to specify more than one exacutable in my situation. I got a list for easy entries in the loop hole by:

# dir /b /s "C:\Program Files\example\*.exe" >"D:\path\example.log"
same for .dll's if you enforced them

On a similar note. outa curiosity, might anyone know how critical it maybe to Enforce restriction on DLL's by default? I ask cause of DLL restriction drawbacks listed on the link. Granted they don't apply to me but outa curiosity for tho's that may have substantial troublesome loopholes or multiple user logon startup items(not boot startup items)

i didn't see a win7 or above article for that link, so not sure if everything stated still applies. but here are some of the titles from the link i found very helpfull along with there examples.

Path rule precedence
Rule precedence
DLL Checking
Commonly Overlooked Rules
Scope of Software Restriction Policies

 

[mechBgon]

Yeah, there is significant value in applying SRP to DLLs along with the other affected file types. For example, one real-world malware tactic is to abuse the Windows DLL search-path behavior, e.g. ZeroAccess: http://nakedsecurity.sophos.com/zeroaccess3/ SRP's DLL option would apply there. Those of you who are into extra security hardening can also restrict the DLL search path, as mentioned at the very bottom of the SRP page:

A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm. Before running the FixIt, first install the update from the Update Information section on that page.

The FixIt restricts some types of DLL-preloading attacks. But you can enable DLL-preloading protection at maximum strength on a system-wide basis by setting the value FFFFFFFF (that's eight Fs) in the SessionManager Registry key described in the article if you wish (it'll show 0xffffffff once entered). If this causes a problem for a specific program, such as crashing when you launch it, then you can add a Registry key for that program to grant it an exception; the article shows you how.

Be prepared to create exemptions for programs that suddenly will not launch, or experience glitches.

Anyway, I've been applying the DLL option in SRP for years, and the only hangup I've specifically noticed is a glitch with QuickBooks Pro 2011, which wants to run a .DLL from the user's profile. As you showed, a guy can overcome that with a Hash Rule, as long as it's the same file every time (which it was for QuickBooks).

 

[jolancer]

I like the info, but don't think its worth my while to use CWDIllegalInDllSearch on my own computer. Sounds useful though for those who download or click all willynilly. Personally i probably would use it anyway, however it requires an update to use?that puts me off a little..I'm always paranoid ms will break shit with updates lol.

I am curious tho on a couple things for my own reference or incase I ever implement it, everything sounded strait forward except
. what does the "current working directory (CWD)" mean/refer to exactly?in ref to LoadLibrary API and the LoadLibraryEx API for the CWDIllegalInDllSearch function?
. how exactly do you figure out the /<application binary name> for the reg key you'd need to create for exceptions

seems like its setup style just like SRP, but CWDIllegalInDllSearch sounds more like a second layer of defense after an exacutable has already been executed. Good to know even if i dont personally end up using it tho

 

[mechBgon]

I am curious tho on a couple things for my own reference or incase I ever implement it, everything sounded strait forward except

. what does the "current working directory (CWD)" mean/refer to exactly?in ref to LoadLibrary API and the LoadLibraryEx API for the CWDIllegalInDllSearch function?
. how exactly do you figure out the /<application binary name> for the reg key you'd need to create for exceptions

I'll use Adobe Reader as an example. If Adobe Reader's executable file needs a .DLL file, then Windows will (by default) look for that .DLL file in the same folder that the executable file is in. Seems legit so far, right?

The problem is that an attacker could arrange to put a legit copy of Adobe Reader (or whatever) in the same folder as a malicious .DLL file, then use Adobe Reader to launch the .DLL file. That article at Microsoft is focused on the scenario where this is being done over the network, like in a share on a server on your network, but that writeup about ZeroAccess shows the bad guys using it locally.

In the example I mentioned above, my implementation of SRP should block execution of that copy of Adobe Reader (or whatever) if it's in a location like a flash drive, a network share, or a Temp folder in the user's home directory. But let's say SRP was set to allow execution of any file digitally signed by Adobe, and now you see how a legit .EXE could be used to run a malicious .DLL.

So for those who want to harden their Windows installation against that, you can just carpet-bomb the problem by setting that Registry entry to FFFFFFFF, then run your programs and see what freaks out. I have all my systems at work set that way and haven't had any issues with the software we use (Win8.1 Pro, some Office 2010, IE11), except my image-editing software mentioned below.

. how exactly do you figure out the /<application binary name> for the reg key you'd need to create for exceptions

It's just the name of the executable file that stops working normally. If you try to launch the program and it doesn't run, look in Task Manager for its executable name, make an exception in the Registry, then test again.

For example, I have an image-editing program that won't launch with CWDIllegalInDLLSearch set to FFFFFFFF, so I create an exception with its filename (Iedit.exe). On the next test I found that another executable also needed an exception, named _Iedit.exe, so I created a second exception for that one, and the program began working normally again.

 

[jolancer]

Thats what i would of guessed 4 the binary name but wasn't sure because I see apps in registry sometimes under vendor names instead of the actuall app or executable name.

Thx for the explination, however i think i wasn't descriptive enough lol cause my question was actually refering to something much simpler and strait forward. If the answers right in fronta me and i missed it like an idiot feel free to point it out lol..

what im not quite clear on is.. they list the hierarchy for the dll search path algorithms. they have the app directory at #1 and the CWD at #5 so they cant be refering to the same directory. and the CWDIllegalInDllSearch restriction is only refering to #5 right? so wouldn't most applications work without exception rules anyway kinda like SRP because the application directory and system root take higher precedence and restrictions only affect #5(CWD)?

ms quote truncated:

The following is the DLL search order for LoadLibrary/LoadLibraryEx:

1. The directory from which the application loaded
2. The system directory
3. The 16-bit system directory
4. The Windows directory
5. The current working directory (CWD)
6. The directories that are listed in the PATH environment variable

CWDIllegalInDllSearch Behavior of the DLL search path
FFFFFFFF - Removes the current working directory(CWD) from the default DLL search order.

 

[mechBgon]

Thats what i would of guessed 4 the binary name but wasn't sure because I see apps in registry sometimes under vendor names instead of the actuall app or executable name.

Thx for the explination, however i think i wasn't descriptive enough lol cause my question was actually refering to something much simpler and strait forward. If the answers right in fronta me and i missed it like an idiot feel free to point it out lol..

what im not quite clear on is.. they list the hierarchy for the dll search path algorithms. they have the app directory at #1 and the CWD at #5 so they cant be refering to the same directory. and the CWDIllegalInDllSearch restriction is only refering to #5 right? so wouldn't most applications work without exception rules anyway kinda like SRP because the application directory and system root take higher precedence and restrictions only affect #5(CWD)?

ms quote truncated:

Good point, I never noticed that! A program can change its CWD on the fly, so the location where the program ran from won't necessarily remain the CWD. But in the event that it didn't change it, it looks like they'd be synonymous. Given that some of my old software does stop working when CWDIllegalInDLLSearch is set to FFFFFFFF, when the program and its DLLs are in their folder in Program Files, I *think* it has the effect I described. But if it doesn't... well, there's always SRP's DLL enforcement I guess :sneaky:

Looping back to the main topic of Cryptolocker, these guys made quite a load of money and I wouldn't be surprised if they level up with a revised approach to bypass incomplete implementations of SRP that are currently out there in a couple of forms, such as the aforementioned CryptoPrevent or the equivalent cherry-picked SRP rules in BleepingComputers' guide. Time will tell.

 

[jolancer]

previously didn't come up with something obvious on a quick search but i just tried here(which i probably should of started with lol but didnt)
https://en.wikipedia.org/wiki/Current_working_directory

and it would seem the (CWD) is in reference to the user's profile folder. so any app that requires a dll in %USERPROFILE%\Application Data ..or similar would require exemption.
___________________

yeah ina business environment seems like it has the potential to be a PITA for times to come. but it may not, you never know. Im not to worried on a personal level tho because i don't expose myself to unknown exacutables, but since SRP has no apparent ill side affects and is already built in it would be stupid not to use it, on a personal level, or as long as its in an easily manageable environment.

unsafe habbits or being duped has the potential for disaster on any system IMO. but in this instance the widespread windows implementation and success of bitcoin is IMO what probably spawned cryptolocker.. otherwise there would be much more risk trying to collect payments. the Dev's idea may have been around for decades but not had a vehicle to feasibly make it profitable till now.

side note - i heard of bitcoin but didn't care what it was or look into it till now, and LOLZ. perhaps cryptolocker did the world a favor?

 

[makegood]

I heard that virus before. It will encrypt all files on the infected computer until it's paid. Even the virus is removed, the files are still encrypted. I haven't found this virus sample for a test