Saturday, November 16, 2013

Worst virus yet?

The latest malware monster is called Cryptolocker (usually, though not always, spelled with no space between "Crypto" and "Locker"), which encrypts your data and holds it ransom unless you pay $700. Apparently, in this age of Bitcoin, authorities cannot track these transactions.

There's one simple way to prevent infection. I'll discuss this tactic toward the end of this post. First, let's learn more about our enemy:
More specifically, the Crypto Locker virus is typically spread through emails that pretend to be customer support related issues from Fedex, UPS, DHS, etc. These emails contain a zip attachment that when opened will infect the computer. These zip files contain executables that are disguised as PDF files as they have a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Microsoft does not show extensions by default, they look like normal PDF files and people open them.
This description is slightly wrong: Cryptolocker is a trojan, not a virus. But let's not be pedantic. Most people allow for a fairly elastic definition of "virus."

The insidious thing about Cryptolocker is the fact that you can get rid of it easily -- but your data files will remain encrypted. The only way to decrypt your stuff is to pay the money.

None of your drives are safe. Even files "in the cloud" will be encrypted if you have an "always on" link to your cloud storage. Cryptolocker can reach anything that Windows Explorer can reach.

Here's more from the UK's The Register:
The software nasty is particularly fiendish: The malware first contacts its master's control server, which generates a new public-private 2048-bit RSA cryptographic key pair and sends the public half to the malware.

Then for every file discovered on the computer, Cryptolocker generates a new 256-bit key and uses it to encrypt that document using the virtually unbreakable AES256 algorithm. That AES key is then encrypted using the RSA public key and stored with the obfuscated document.

Only when the victim pays up does the Trojan download the private half of the RSA key, which is used to decrypt the per-file AES keys and ultimately restore all the protected documents. Targeted files include anything with .doc, .docx, .xls, .xlsx, .ppt, .pptx, .dwg, .dxf, .dxg and .jpg extensions and plenty more.
From the Wikipedia article (which says that the ransom may be as low as $300 -- such a bargain!):
Security software might not detect CryptoLocker, or detect it only after encryption is underway or complete. If an attack is suspected or detected in its early stages, it takes some time for encryption to take place; immediate removal of the malware (which itself is a relatively trivial process) would theoretically limit its damage to data.
According to this article, the Christmas season may see a flurry of fake emails from shopping sites like Amazon. Be extremely paranoid about all attachments and downloads.

The Cryptolocker malefactors are very businesslike. They've even come up with a user-friendly app for people who are having trouble figuring out how to use Bitcoin:
“This service allow [sic] you to purchase private key and decrypter for files encrypted by CryptoLocker,” the site reads. “Customers” of the service can search for their “order number” simply by uploading any of the encrypted files.

“They’re calling it an ‘order,’ as if victims posted an order at,” Abrams said.
The Sophos Virus Removal tool can get rid of Cryptolocker. I've used free apps from Sophos for years and can recommend that company's products without reservation.

Alas, you may not know that you have the trojan until after it has encrypted your files. At that point, removing the malware from your system could be harmful: Once the trojan is gone, you won't be able to decrypt your files, even if you pay.

However, Sophos says that Cryptolocker may "piggyback" atop malware already on your system, so it behooves you to use every reliable tool available to keep your system clean.

PCtuneup claims to have a method of removing the virus in safe mode. (When I tried out Windows 8 -- which I hated, of course -- I was dismayed to find out that 8 doesn't have a safe mode. Has that situation changed?)

You may also want to look into this Cryptolocker prevention kit. And this fellow has an app called CryptoPrevent.

One excellent preventative measure is very simple: Refrain from opening any attachments -- however innocuous -- from people you do not know very well.

Obviously, security experts would advise you to keep backups on non-attached external drives of everything important. But even in these days of cheap hard drives, backing up several terabytes of data is pricey. And routinely backing up to drives that are normally not attached to your system can be annoying.

Here's one simple preventative measure that few people are talking about: Although Windows hides file extensions by default, it is easy to change this behavior and show your file extensions at all times.

When you can see the extension, you'll be able to see at a glance whether or not that "pdf" file really is a pdf file.

On Windows 7, just open up Windows Explorer, hit "Organize" (way to the left), scroll down to "Folder and Search Options," hit the "View" tab, then go down until you see the words "Hide extensions for known file types." Make sure the box does NOT have a check.

And that's it. You are now much safer. I've had my system thus configured for years, because I like to see exactly what I'm dealing with.
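For readers who would rather do the same thing from a prompt, here is an added PowerShell example (not code from the post): it flips the same Explorer setting via its registry value and then checks whether a "pdf" file really is one, using both the file name (double extensions such as FORM_101513.pdf.exe) and the first bytes of the file. The registry path, HideFileExt value and the MZ/%PDF magic bytes are real; the function names and the Downloads folder scanned are assumptions.

```powershell
# Added example, not code from the post. Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows. HideFileExt is the per-user setting behind the
# "Hide extensions for known file types" checkbox.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Show-FileExtensions {
    # HideFileExt: 1 = hide (Windows default), 0 = always show.
    Set-ItemProperty -Path $advKey -Name 'HideFileExt' -Value 0 -Type DWord
    # New Explorer windows pick the value up; sign out and in to be sure.
    return ((Get-ItemProperty -Path $advKey -Name 'HideFileExt').HideFileExt -eq 0)
}

function Test-DisguisedFile {
    # Returns a list of findings for one file; an empty list means nothing odd.
    param([Parameter(Mandatory)][string]$Path)
    $name = [System.IO.Path]::GetFileName($Path)
    $ext  = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    $findings = @()

    # Names like FORM_101513.pdf.exe: with extensions hidden, the user sees
    # only "FORM_101513.pdf" and the PDF icon.
    if ($name -match '\.(pdf|docx?|xlsx?|jpe?g)\.(exe|scr|com|pif|bat|cmd|js|vbs)$') {
        $findings += "double extension: $name"
    }

    # Read the first four bytes and compare them with what the name claims.
    $head = New-Object byte[] 4
    $fs = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($head, 0, 4) } finally { $fs.Dispose() }
    $isPE  = ($n -ge 2) -and ($head[0] -eq 0x4D) -and ($head[1] -eq 0x5A)   # "MZ"
    $isPdf = ($n -ge 4) -and ([System.Text.Encoding]::ASCII.GetString($head) -eq '%PDF')

    if ($isPE -and ($ext -notin @('.exe', '.dll', '.scr', '.sys'))) {
        $findings += "Windows executable (MZ header) named as $ext"
    }
    if ($ext -eq '.pdf' -and -not $isPdf) {
        $findings += 'claims .pdf but does not start with %PDF'
    }
    return ,$findings
}

# Usage: report anything suspicious in the current user's Downloads folder.
Get-ChildItem "$env:USERPROFILE\Downloads" -File | ForEach-Object {
    $hits = Test-DisguisedFile -Path $_.FullName
    if ($hits.Count -gt 0) {
        [pscustomobject]@{ File = $_.Name; Findings = ($hits -join '; ') }
    }
}
```

Call Show-FileExtensions once to apply the Explorer setting; the scan at the bottom only reads file headers and never opens or runs anything.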

Another tip: Make sure that no other computer on your home network can access your data. You don't want to lose your stuff simply because your kid got sloppy about computer security.

Some of you will consider this post your cue to moan the familiar moans about how awful Windows is. Look at it this way: If all Windows installations were to disappear tomorrow, then some other OS would be the most popular. And that OS would then become the primary target of hackers, bringing us right back where we started. So complaining about Microsoft is pointless -- and annoying.

(But you're going to do it anyways, aren't you?)
I'm sure nothing can go wrong with installing a user friendly app from people holding your data to ransom. Or, for that matter, the likes of Crypto Prevent, from people who want to get you using their pointless programme instead of using due care and attention.

As for Windows, all too often the supposedly user-friendly OS hides away options that should be defaults, like showing file extensions, so you have to be an expert to use it safely. If it was replaced then its replacement would be the new big target, but that doesn't mean it would be as easy a target as Windows is. Of course nowadays the cool kids are using TAILS live systems run in virtual machines hosted on OpenBSD, but Windows, which is aimed specifically at those who don't know better, should be engineered with those in mind.
I've been online since 1983 using MS-DOS and Windows machines almost exclusively, and in that time I've gotten one (1) virus unintentionally. (On occasion I'd *intentionally* infected myself, either to figure out how the virus did what it did or as part of a Devil's Bargain for access to a certain file or site.) For the first 25 years, I never ran an active antivirus application -- that is, I might have an AV program installed, but I only ran it manually. After the hassle of cleaning and disinfecting following the sole hit in 2008 (a 'drive-by' infection from visiting a malware-infected site that took advantage of a zero-day exploit of, ironically enough, Apple Quicktime) I bit the bullet and began tolerating active AV protection at least part of the time.

Admittedly, I've had to clean out a number of infestations during those three decades -- always as a result of letting friends use my PC. (One fellow in particular was a magnet for them; I'd leave him alone for 5 minutes, come back, and the PC would be already slowed to a crawl.) Still, given I've probably been online at least 5 days a week, for anywhere from 1 to 24 hours a day, since October 1983, I think I've done pretty well.

For the most part, I did so by following two rules: First, although I might open a suspicious attachment, I'd do so only if I had a good reason. (That is, if someone wrote to tell me they'd deposited $5.3 million USD in an account for me, and I could find the instructions on how to access it in an attached file, I'd take a pass. If someone unknown wrote to say she was sending images of herself to see if I'd be interested in photographing her, but she didn't tell me who'd told her about me or given her my email address, I'd probably bite, as long as the message didn't set off any other alarms.)

More important, though, was Rule 2: Unless I was pretty damn sure an attachment was valid and safe (and sometimes even then), I *never* opened attachments directly from my mail program -- you know, by double-clicking on the attachment (or right-clicking on it and selecting 'open'). Instead, I always saved the attachment first (right-click, 'save as') and scanned it manually with my AV app. Only then -- assuming it came back as clean -- would I open the saved attachment.

We're not talking a lot of time and effort to do so: Most AV programs install a hook to themselves in the Windows shell either automatically or as an option, so scanning a file is as simple as right-clicking on it and selecting "Scan for viruses using [AV app]." I follow the same procedure for any infectable file I download, as well as for any non-infectable file where I have reason to suspect it may be of a different filetype than it claims. (In other words, unless I know something is a PDF, and not an executable file renamed "[something].pdf," I'm either going to AV scan it or right-click it and select 'open using Adobe Reader'; I'm not going to double-click it directly.) Oh, and for a long time I refused to use Eudora as a mail client, as it automatically saved all incoming attachments as individual files within an attachments folder, which made it too damn easy to click on the wrong file by mistake.

Computer science isn't rocket science -- and this isn't even computer science, just common sense. But common sense is often enough to keep one safe online without having to sacrifice performance (cutting video on a Windows 98 PC was near-enough impossible without some overly large and underly intelligent app trying to match op code against a data stream) or nervously layer AV and firewall and adware apps. (Oh, yeah: I have never used a software firewall. Nearly every broadband router already provides the same protection -- faster, better, and more cheaply.)
Maz, you have played the game dangerously. I'm glad things worked out for you. But I strongly advise everyone to use a free firewall (there are several options), a well-reviewed free antivirus (Avira, Panda, AVG, etc.) and on-demand anti-spyware (Malwarebytes, Emsisoft, etc.). If you are on a desktop, then reimaging the C drive on a regular basis is also a good idea.
I can't see why anyone would want to hide file extensions. But even if someone hasn't followed the ultra-simple steps to stop Windows from doing this, they can always use a proper email client, e.g. Turnpike, which will show them.
I also live dangerously for the most part. I don't have any active AV on my Windows system, but I will boot into a Linux partition and use Clam antivirus to scan everything. I think Maz is right about a certain user sense keeping a system safe, though I wouldn't call it common. I like to think that I have a pretty good sense for spotting dangerous situations and files, because so far I've never had a malware or virus infection. There are also some core concepts like never automatically allowing websites to run things on your computer which while obvious to me aren't that obvious to everyone else.
Yeah, I have one simple rule......I NEVER open any attachment EVER. If someone wants to send me an attachment, they must notify me first that they are sending one. Then, I will save it, scan it (with anti-virus and anti-malware). Only then will I open it. If an attachment shows up from someone I know well, without them telling me, I send them an email asking if they sent it to me and to please send it again, as I delete the first email as soon as it drops in my inbox. This has kept me pretty safe. Of course, there are other ways to get viruses and trojans, so I keep an active AV program going, use software AND hardware firewalls, and scan periodically with free anti-malware software. None of this takes much time at all, and I have never noticed any slowdowns with my system (except when I've used paid AV apps, which nowadays come with all sorts of extra crap that is usually on by default that slows down systems noticeably). Things were different in the Win 95 and 98 days, but since XP, even active anti-malware apps (again, free ones) don't slow my system down at all. Of course, I build my own systems, so I have more than enough RAM and motherboard and processing power to handle with ease just about any configuration I throw at it.

I've had one infestation with a virus since I got my first computer in 2001, and that was entirely my own fault (downloading a screen saver from a questionable site and not scanning it with anything before installing it.....stupid all around, and resulted in my system that has worked ever since).

The best way to surf the web, is frankly to use a free Linux distribution installed in a virtual machine on your system (all of which is free and pretty simple to set up, even for non-tech people). I don't actually do this myself, because I just haven't gotten around to it and because I don't feel I need to. But for most people, this will prevent any infection (as long as you check your email there as well).