Category Archives: Malware

Nightmare malware: CryptoLocker

CryptoLocker is a particularly nasty piece of malware that has been terrorizing computer users since early September, 2013. It’s similar to other kinds of ‘Ransomware’ in that once it infects a computer, it offers to undo its effects if the perpetrator is paid.

Ransomware has been around for years, but CryptoLocker adds a new twist: it encrypts your data files – making them inaccessible – until you pay. So it’s not just annoying: it can effectively destroy your data. Without the proper key, the encrypted files cannot be decrypted. After you pay the ransom, CryptoLocker decrypts the encrypted files, making them usable again.

Other factors can exacerbate a CryptoLocker infection. IT workers who are able to remove the malware after data files have been encrypted may actually make things worse: without the malware in place, paying the ransom will have no effect – the files will stay encrypted.

CryptoLocker typically installs itself when an unwitting user opens an attachment in an email that appears to be from a legitimate business, such as a courier company. The attachment often looks like a PDF file and appears harmless, but it is actually an executable, and running it installs CryptoLocker. Once CryptoLocker is running, it tries to contact one of its control servers, from which it receives an encryption key. CryptoLocker then starts encrypting your files: it looks for files with specific extensions, on local and mapped network drives. It then displays its ‘ransom note’, which describes what has been done and how to pay the ransom, which is typically $300. You have four days to pay, after which the encryption key will be deleted and your files will be inaccessible forever.
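The lure above depends on an executable passing for a PDF. As an added example (not code from the original post), here is a small mail-gateway style check that compares what an attachment's name claims with what its first bytes actually are; the attachment names and header bytes are constructed samples.

```python
# Added example: flag email attachments that claim to be a document but are
# really a Windows executable, the disguise used by the CryptoLocker lure.
# Sample names and header bytes below are constructed for illustration.
import os

PDF_MAGIC = b"%PDF"     # every PDF starts with this signature
PE_MAGIC = b"MZ"        # every Windows executable (PE) starts with this
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".pdf"}


def claimed_kind(filename: str) -> str:
    """What the attachment name claims to be, judged by its last extension."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in EXECUTABLE_EXTS:
        return "executable"
    if ext in DOCUMENT_EXTS:
        return "document"
    return "other"


def actual_kind(data: bytes) -> str:
    """What the content actually is, judged by its file header."""
    if data.startswith(PE_MAGIC):
        return "executable"
    if data.startswith(PDF_MAGIC):
        return "document"
    return "other"


def has_double_extension(filename: str) -> bool:
    """'invoice.pdf.exe' style names; Windows hides the final .exe by default,
    so the user sees 'invoice.pdf'."""
    base, last = os.path.splitext(filename.lower())
    inner = os.path.splitext(base)[1]
    return last in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS


def assess_attachment(filename: str, data: bytes) -> str:
    """'block' for an executable (disguised or not), 'review' when the name
    and the header disagree in some other way, otherwise 'allow'."""
    claimed, actual = claimed_kind(filename), actual_kind(data)
    if actual == "executable" or has_double_extension(filename):
        return "block"
    if claimed != actual:
        return "review"   # e.g. a .pdf whose header is not %PDF
    return "allow"
```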

I recently encountered CryptoLocker on a client’s PC. Luckily, the client’s anti-malware software detected the infection and prevented it from doing much damage. Among other things, it prevented CryptoLocker from contacting its control servers, so it never received an encryption key and didn’t encrypt any files. I was able to locate and remove the malware.

If you are hit with this malware, your best protection is a good backup. Without a backup, your only option is to pay the ransom. But don’t feel bad: you’re not alone. Plenty of other people have paid the ransom already.

So this is a good time to issue those familiar warnings to all computer users: back up your data, install good anti-malware software, and do not open email attachments or click email links unless you know the sender and what the email is expected to contain.

Ars Technica has additional information, and Bleeping Computer has an excellent FAQ for CryptoLocker.

NSA-Themed Ransomware

Any time something catches the attention of huge numbers of Internet users, there’s a possibility that nefarious persons will try to make money from it. A famous actor has their phone hacked, a celebrity dies, or a whistleblower exposes the extent of NSA snooping, and the spam in your inbox suddenly has a new flavour… or worse.

Zscaler and other security researchers are reporting an increase in ransomware threats that are built on recent revelations of the NSA’s activities.

Ransomware works like this: you visit a web site that has been compromised and is serving malicious code. The code infects your computer, after which it becomes impossible to use your computer. Instead you see a full-page threat from what appears to be the NSA, claiming that you have participated in unlawful activities (usually downloading copyrighted materials). You are told that you can pay up or face legal action.

If this happens to you, do not follow any of the instructions shown by the ransomware. Hire a professional to remove the malware or reinstall your operating system.

How to determine whether a warning is fake (that is, ransomware):

  • No legitimate agency would use this tactic (at least not yet).
  • Awkward language and spelling mistakes in the warning.
  • Payment methods use third-party services.

Techdirt has additional details.

More malicious email and web site warnings

As if you needed more reasons to be cautious when using email or browsing the web, here are two new warnings, from CERT and Malwarebytes.

According to CERT and the FBI, a new, active spear-phishing campaign is sending email to targeted recipients. This particular email purports to be from “National Center for Missing and Exploited Children” and its subject line is “Search for Missing Children”. Do not open this email or any of its attachments, which contain malware.

Malwarebytes, a respected anti-malware software vendor, recently posted a warning about fake Flash player updates that appear on some (mostly pornographic) web sites. Users are tricked into clicking a link that supposedly updates the Flash player, but actually installs malware. Once the malware is installed, legitimate web-based advertisements will be replaced by ads served by the perpetrators. The new ads are often pornographic in nature, and can appear over ads on any web site.

Web advertising networks: the next malware attack vector?

Researchers speaking recently at the Black Hat Briefings in Las Vegas showed that the JavaScript used by most advertising networks could be compromised by a malicious third party. The malicious code could then run in any web browser configured to allow advertising.

Hold on. Wouldn’t the people responsible for the advertising networks and the associated JavaScript notice the problem and fix it? Possibly. But not always. If you’re like me, you’ve seen more than a few messed up web ads. A seriously broken web ad can prevent a web page from displaying properly or cause it to load very slowly. It’s one of the many reasons why people use script-blocking technology like NoScript.

It’s difficult to predict whether malware purveyors will start using the ad networks like this. But if they do, you can bet we’ll see a surge in script and ad-blocking software installations. Since advertising is the primary source of revenue on the web, this will get the attention of the advertisers, who would hopefully then institute better quality control.

How your login credentials can be stolen

An excellent post over at Duo Security reviews the seven methods used to steal your user IDs and passwords.

Unfortunately, aside from using strong, unique passwords, running anti-malware software, and being generally careful in one’s online activities, there’s not much an individual can do to protect oneself from these techniques. Most of the responsibility for protecting users is in the hands of the people who run the web sites that use your credentials. When they make mistakes, we all lose.

Actually, there is one sure-fire way to avoid these problems: just don’t use any online service that requires a password. Not too practical, but still better than getting rid of all your computers.

Microsoft teams up with Symantec to take down another botnet

Microsoft and Symantec, working with law enforcement authorities in the US and Spain, have disabled another botnet. The Bamital botnet first appeared in 2009, and at its height, included as many as 1.8 million computers.

User computers became infected with the Bamital malware through drive-by web-based infections (often from porn sites) and corrupted software downloads.

Infected computers were used to generate revenue for the perpetrators by generating or redirecting traffic to specific web sites.

Latest Java still vulnerable, new exploits in the wild

A new vulnerability in all the most recent versions of Java is already being exploited in the wild. It’s being called a critical zero-day bug, meaning that the vulnerability can be exploited right now, before the developers have had a chance to fix it, and that it allows for serious security breaches.

The Ars Technica article linked above points out that several hacking toolkits have already been updated to include exploits specific to this vulnerability.

Our advice on using Java remains the same: if you require Java to be enabled in your web browser, use the available security features to prevent Java from running in any context where it’s not actually necessary. If you only require Java to be available outside of a web browser, disable Java in your web browser. If you don’t need Java at all, disable or remove it completely.

For additional details, see the CERT post. Mozilla has a helpful post about protecting users from this vulnerability.

Update 2013Jan12: Adam Gowdiak has weighed in on this issue. According to Mr. Gowdiak, this new vulnerability is the result of a previous vulnerability being improperly fixed by an earlier patch.

And now, an apology: somehow I missed the release of Java Version 7 Update 10, which apparently became available on December 12, 2012. That version addressed a variety of vulnerabilities and other bugs, and enhanced security in general with new features like the ability to prevent any Java application from running in a web browser.