Update to the new Ransomware

For the original post see: http://www.cc-computers.com/?p=241

In the original post I talked about the new ransomware that it taking hold all over the world. It has even hit a police station in America that had to pay the “fee” to get back their data.

The latest version of this virus now takes advantage of all the help that has been available on line to “improve their product”. Now if you thought that you could get your data back through shadow copies (Also known as previous versions), think again. The virus now encrypts those too.

Here is what it does now, which is the same as before but better.

Currently the infection vector is through email as an attachment; usually a zip file or pdf that is actually an exe file but as most people have the “Hide extension of known file types” ticked on you would not normally see it. You will see filename.pdf when the actual filename is filename.pdf.exe. I expect that this will change or be improved on as well with links in email and other file types, etc.

When you open this file it infects your computer and immediately contacts a server from a list of around 1000 possible domain names generated through an algorithm. When it finds a live server it exchanges details with it and starts the encryption process. At this point it doesn’t let you know that you have been infected and is not picked up by most antivirus software. The first version would finish its work without interruption of antivirus software.

It encrypts all user content that it can find on your PC, mapped network drives and any shares that it can find on the network and file sharing programs data such as box.net and drop box. It also encrypts any shadow copies and backups that it can get to. When it has finished its work it pops up a message to tell you what it has done, it even gives you a list of the files that it has encrypted so that you can verify that they are your files. It then gives you a countdown timer starting around 72 hours. You have this amount of time to pay the fee and get your files back. Now where the old version used to just delete the key if you didn’t pay up in time the new version will give you a discount for paying within the time frame. Currently it is 1/2 bit coin (which is now about £500). If you fail to pay in time then it goes up to 10 bit coin (About £5000). This “service” is available for an extended amount of time.

In short get yourself protected and keep offline backups and redundant copies.

CritchCorp Computers Ltd.

 

New ransomware takes hold

New ransomware has been taking hold of businesses and households around the world. Be very careful with the email attachments that you open, although this is probably only the first wave; they will find other ways to get to you.

What’s new about this virus then? This virus; actually it is a malware strain named ransomware, named that for a very good reason, is an example of modern encryption done right. They have created a perfect system that can encrypt your data using public key technology that cannot be cracked!!

How does it work? Well, at the moment you get an email about something that is relevant to you (that’s how they trick you in to opening the attachment, or clicking the link). Once the software is running, it quickly establishes a connection to its command and control server, where it generates a random encryption key specifically for your system. This type of encryption is particularly cleaver as the key that encrypts it cannot be used to decrypt it without the other part that is held on the command and control server (it never gets sent to your computer, so there is no record of it for you to find). it then searches your computer and network, any backup drives you have access to, in fact, any resource that contains user created or user data and encrypts them all! Any evidence of the key locally is then destroyed and a page pops up to inform the user that they have been robbed! It can show you a list of the files you once had so that you can verify the threat is real and then gives you the ultimatum of pay $300 or 300 of your local currency or lose your data, you have 72 hours to make your mind up. After 72 hours have passed the only key that could decrypt your data, which is on the command and control server, is deleted, permanently!

If you do not have any backups of your data and you need it, then you have no choice but to pay up, and thousands of people and businesses have done so. They have also been very cleaver with the payment method as they cannot be tracked through the payment either. When law enforcement find the servers and take them offline, the only people hurt are the people who now cannot get their data back. The ad guys have their command and control servers moving around and are not needed for the payment loop; they just create and hold the keys to your data.

The other point on this is that they seems to have written the encryption part exceptionally well, not so good is the decryption side of the program with reports that not all and in some cases none of the data is returned and there is nothing you can do to get it back.

Be careful and watch this space as it will only get worse!!

Viruses and you

Viruses. This tends to be incorrectly used for all types of malicious software. There are in-fact several categories of this evil software: Virus, Mal-ware, Ad-ware, Spy-ware, Root-kit and Trojan Horses. I am not going to explain what all of these do or what makes them different to each other in any great detail, there is a great article in Wikipedia that has a very detailed and technical explanation of all this: http://en.wikipedia.org/wiki/Computer_virus – Read it for more information and some great trivia on early viruses. Some of the first viruses from 1971, before the Internet we know today! I will just explain some real life facts about viruses today and what they are used for and some ways they get in. With some basic knowledge of what they are after you can be more prepared when online or looking at email.

Beware the email virus. Someone you know sends you a link or attachment, or it comes form someone you consider reputable. When you open or click the link, it doesn’t always show you anything, sometimes you open the attachment and it just says there was an error accessing the file and sometimes there is nothing, just a blank page, or there is a document that just doesn’t make any sense or appears to not be for you. In all these cases the virus may well have been delivered silently in the background and you are now infected with one of thousands of different virus’. Many more of them will come in through web sites that do not know they are infected yet. (Some statistics suggest that 1000 website get infected every day!) In all cases the goal tends to be the same: Take control of your computer to extort money from you or someone else.

There are many different types of virus and they will all have a different part to play in the overall scheme. A few of the worst and their general purpose are noted here.

Trojan Horses (Trojans) – they will get in to your system and not necessarily do any damage except for disabling antivirus software, hiding itself and opening your computer up for other nasty things to come in. Often selling space on your computer to other virus manufactures (or programmers). They are often included with a root-kit. (See below).

Root-kits – These are a particularly cleaver type of virus. They hide themselves from Windows and everything else. The will usually get in to your system and load before Windows loads. They will then be sitting there behind Windows so that, for instance, if you view all the files in a folder you will not see the virus files there. This is because when Windows is enumerating (making the list) of files in the folder the Root-kit is watching and when Windows reaches one of its files the Root-kit will block Windows from seeing it. The Root-kit can also do this with system services so that when you look in Task Manager it’s services do not appear there either, making it very difficult to detect. This will be the same if your antivirus software is looking for it, because it has a position in the root it can hide itself from anything. The only way to detect their presence is in the very small added delay between file names when enumerating a folder (or directory). By looking at the time between each item to be enumerated any added delay of millionths of a second can be detected and then you can presume the existence. To actually find them and remove them requires very special techniques.

Self hiding/restoring viruses – These types of virus are often confused and also labeled by antivirus companies as root-kits but they tend to lack the hiding effects in the same way and use other methods to hid themselves. They will, as many do, also replace themselves when discovered. Firstly, they will often tell Windows that their files are part of the system and should be protected by the system. This has the effect of hiding them from normal users and can get Windows to replace any files that are removed. They sometimes also mark themselves as needed for Safe Mode, the special start-up mode to help remove virus’ and fix other issues with Windows. When Windows starts up in this mode it only start those programs which are essential to the system starting up. There is usually more than one part to this type of virus as well. It is the job of each to look after the other parts, so when you find one of them and remove it one of the other parts will put it back again, sometimes with a different name!

Bot-Nets. These are little viruses that are controlled by someone else and use your system resources like your computer processor, memory, Internet connection. They tend to be quiet, just sitting there not doing much until they are told to attack. Most commonly they are used to take down Internet sites for some kind of monetary gain. They can be hired to take down a competitors site at a critical time or by the organised crime syndicates to extort money out of companies in the old fashioned “protection racket”.

For Example, someone says to a betting site, “wouldn’t it be a shame if your website was not available for the big match coming up? If you pay a fee of £50,000 we can make sure you will be online at that time, otherwise we can not guarantee it!” If the site doesn’t pay first time round they will next time because at the time of the big game your computer and tens of thousands of others received instructions to attempt to connect to the betting site servers at the same time and to continue trying until the stop time, typically after the match/race has finished. With all this additional traffic going to the site and not doing anything the legitimate traffic cannot get through so the site then appears “offline” with a “404 page cannot be displayed” error or an error saying that the site cannot be reached. The site will not want the bad publicity; allowing people to find out that they have been compromised is very bad for business, so they end up paying. Your computer was used to help criminals extort money from someone else!

Another type of virus, actually mal-ware or increasingly know in the industry as ransom-ware, that comes in, often through a PDF or Adobe Flash exploit, is the current and very common one that will hold you to ransom. There are several different variants to this one depending on who is controlling it but they all do essentially the same thing and that is try to take your money off you with a type of protection racket or threat of some bad thing happening.

You will first notice a pop-up box that says you have hundreds or even thousands of viruses on your system (in some cases it is a corrupt hard drive/memory, porn or some other thing is very wrong with your computer) it will state that you need something in order to fix this. You are usually presented with a dialog box to confirm you want it or not. which ever button you press the answer is yes, go ahead and install the virus. The only way to get round this is to cancel the box (best done by using Task Manager to kill the program and everything to do with it). Another common one is a page that says that the FBI are stopping you from using your computer due to inappropriate content on your computer. You are then instructed to pay a fine or risk jail if it goes to court. Once you have install the virus you will be held to ransom, not able to use your computer at all in some cases, until you pay or remove the virus.

Worms. These are more commonly used as a method of transport. They are used to get their payload to your computer in any number of ways. They self replicate, usually to many different forms of media and methods. IE Across the Internet directly to your computer, through floppy disks, USB pen drives, external drives, emails, through the network to other computers on your local network. Once in they will begin to look for the next computer to infect, some also phone home to pickup instructions, such as what payload to deliver to the computers at the moment.

Viruses are a very very big money these days, both for the virus manufacturers and the antivirus manufacturers and on all forms of operating systems.  Although Windows is still the majority platform, Apple Macs are gaining market share and so now present a nice target with people who are not so use to viruses so are more susceptible to being infected. So which ever platform you are on, be careful, even phones, which are small computers, can be infected with things that cost you money!

Beware the antivirus that is a virus! Know which antivirus you use on your system and what it looks like to help reduce the chance of getting stung by a fake one, which will then hold you to ransom as above.

When surfing the Internet remember this: If you didn’t ask for it, don’t install it! many viruses will come packaged as something nice and appealing but, if you were not looking for that exact thing then do not be tempted to install it!

A good computer maintenance regime is to not install something unless you absolutely need it. If you think you need it, make sure you check it our fully before installing it, and make sure you download it from a known good source. Where possible go to the manufacturer’s website to get it, not from someone else offering it, unless directed there by the manufacture. If it turns out that you do not need or want it, then remove it. Although removing something is not as good as not installing it in the first place, it is better than leaving it there.

Watch out for viruses, they will come and get you any way they can. It is up to you to be careful, not your antivirus, after all you can override your antivirus if the virus is cleaver enough to trick you in to believing it is good for you.

Chris.