Tuesday, August 26, 2014

CryptoLocker - Revisited

In December 2012 I wrote for the first time about the then relatively new virus CryptoLocker.
In October 2013 I wrote again about new variants of this virus. Now I have new information that warrants revisiting CryptoLocker.

This family of viruses is by now one of the most destructive threats I have seen. Much of the news regarding CryptoLocker is rather negative but there is at least a bit of positive news as well.

CryptoLocker has evolved

Very shortly after the original CryptoLocker had appeared the first variant was discovered; on first glance it appeared to be similar to the original version. It almost was a look-alike, the method of infection was the same, the encryption seemed the same and the message on the infected computer's screen was very much like the original's. There were only two obvious differences: The original CryptoLocker demanded $100 for information to decrypt the user's files and it offered two payment methods (MoneyPak or Bitcoin); the “look alike” demanded $300 and accepted Bitcoin only.

Time-consuming and detailed analysis uncovered significant internal differences. Specialists found that the second version was most likely written by a different programmer or even a different programming team. It was written in a different programming language, and many other internal differences were discovered as well.

In the meantime we know of at least six other virus programs that work similarly to CryptoLocker. They are called “encrypting ransomware” (in the following ERW); they are actively distributed, modified and improved. Most likely they were created and are being run by different groups of malware creators and distributors. Some names I have run across:
  • CryptoLocker (the original)
  • CryptoLocker 2 (the first imitator referenced above; my naming)
  • Critroni
  • CryptoDefense
  • CryptorBit
  • CryptoWall (see this new article for details)
  • CTB Locker
  • PrisonLocker or PowerLocker
  • TorLocker
The newer versions of ERW viruses have become increasingly sophisticated, hard to detect and difficult to remove.

How these infections spread

Many infections happen when the user attempts to open an e-mail attachment that then in turn launches the ERW. By now almost any file type can be abused in this way; you just can't trust so-called “safe” file types any longer.

Over time I have received many emails about supposedly failed deliveries of goods. Some of these emails were professionally made and at first glance looked almost authentic. It made no difference whether the email seemed to be from DHL, FedEx, UPS or the US Postal Service; there always seemed to be some legitimate-sounding reason to open the attachment.

In all cases attention to detail and applied common sense protected my computer better than any security program could have done; I simply avoided that one fatal click to open an attachment.

Another increasingly often encountered way for ERWs to spread is the “drive-by download”. They come from compromised websites and compromised web servers. These sophisticated attacks take advantage of known vulnerabilities in almost ubiquitous software like Windows, Adobe Flash, Adobe Reader, Java and so on. Since these vulnerabilities are known, there is very little excuse for getting caught by a drive-by download. Getting the computer infected by a drive-by download is very unlikely if the user keeps all software up to date.


On the positive side we have, to my knowledge, three options, some free and some with premium versions for a charge. These programs do not interfere with or conflict with common antivirus or security software. I warn against running any two of these programs concurrently due to the likelihood of conflicts with each other.

1. CryptoPrevent
2. MalwareBytes Anti-Exploit
3. HitmanPro Alert with CryptoGuard

If you are interested in learning more, please follow the links.

To make it perfectly clear: I am convinced that the best protection is our own attention to detail, caution and applied common sense. No software in the world can replace our watchfulness!

ERWs on non-Windows computers

To make a bad situation even worse, there are reports of ERWs on other, non-Windows platforms like tablets and smartphones with the Android operating system. There was talk about a popular NAS system (Network Attached Storage) being targeted as well. Only Apple systems seem not to be affected, so far at least; as we all know, that can change any moment.

A bit of good news

Fairly recently, I believe it was in early August 2014, two software companies announced that they have jointly developed a method to decrypt at least some of the files that were encrypted by the original CryptoLocker. The companies offer their program free of charge to people who still have files encrypted by the original version of CryptoLocker and want to attempt to recover them.

The companies are FireEye (www.fireeye.com) and Fox-IT (www.fox-it.com). These companies apparently did not crack the encryption; instead they gained access to some of the command and control servers where some of the private keys that the original CryptoLocker virus had used were stored.

Much detailed sleuthing, disassembling, reverse engineering and analysis of the original virus enabled them to write a program called DecryptCryptoLocker that can decrypt affected files when they were encrypted using any of the recovered private keys. At https://www.decryptcryptolocker.com/ you can read how this works. There is a decent chance that this program will recover encrypted files, but there is no guarantee. Some obstacles encountered so far that may prevent decryption are:
  • It works only on files encrypted by the original version of CryptoLocker; it may or may not work on files encrypted by later versions of ERW.
  • Nobody knows if the servers accessed by FireEye and Fox-IT contained all private keys CryptoLocker had used.
  • The original CryptoLocker was effectively eliminated late in May, 2014; any later infections will most likely have used different sets of private keys.
Despite these obvious limitations of the procedure FireEye and Fox-IT deserve a lot of credit and big kudos. Anybody who still has files encrypted by the original CryptoLocker should try the procedure and see if it works for them.
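To make concrete why a recovery tool like DecryptCryptoLocker can only help when the matching private key was among those seized, here is a simplified model of hybrid file encryption and key-based recovery. This is an added example, not code from FireEye, Fox-IT or the malware; the toy RSA parameters, the key-id header and the SHA-256 keystream are assumptions of the model, not CryptoLocker's real format.

```python
import hashlib
import secrets

# Toy textbook RSA with fixed small primes: a stand-in for the real
# 2048-bit keys so the example runs with only the standard library.
# It is not secure and is not CryptoLocker's real scheme (assumption).
def toy_rsa_keypair(p: int, q: int, e: int = 65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return (n, e), (n, d)                # (public, private)

def key_id(pub) -> str:
    # Fingerprint of the public key, kept in each file header so a
    # recovery tool can tell which private key it needs (assumed header).
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]

def keystream_xor(file_key: int, data: bytes) -> bytes:
    # CTR-style SHA-256 keystream as a toy replacement for AES; XOR is
    # its own inverse, so the same call encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        ctr = file_key.to_bytes(8, "big") + i.to_bytes(8, "big")
        block = hashlib.sha256(ctr).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt_file(pub, plaintext: bytes) -> dict:
    # Hybrid scheme: a fresh per-file key encrypts the content; only the
    # RSA-wrapped copy of that key travels with the file.
    n, e = pub
    file_key = secrets.randbelow(n - 2) + 2
    return {"key_id": key_id(pub), "wrapped_key": pow(file_key, e, n),
            "body": keystream_xor(file_key, plaintext)}

def recover_file(blob: dict, recovered_private_keys: dict):
    # recovered_private_keys maps key_id -> (n, d): the keys pulled from
    # the command and control servers. Without the matching private key
    # the file key cannot be unwrapped, and nothing is "cracked".
    priv = recovered_private_keys.get(blob["key_id"])
    if priv is None:
        return None                      # file stays encrypted
    n, d = priv
    file_key = pow(blob["wrapped_key"], d, n)
    return keystream_xor(file_key, blob["body"])

def demo():
    # Constructed scenario: key A was seized from a server, key B was not.
    pub_a, priv_a = toy_rsa_keypair(1000003, 1000033)
    pub_b, _priv_b = toy_rsa_keypair(1000037, 1000039)
    recovered = {key_id(pub_a): priv_a}
    victim_a = encrypt_file(pub_a, b"quarterly report")
    victim_b = encrypt_file(pub_b, b"family photos")
    return recover_file(victim_a, recovered), recover_file(victim_b, recovered)
```

The second file in `demo()` comes back as `None`: its key was never on the seized servers, which is exactly the second and third obstacle listed above.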

My personal conclusion

It is primarily user behavior that protects the computer by always keeping Windows and all other regularly used programs up to date. If all this is accompanied by attention to detail and applied common sense then the computer will most likely remain “healthy” and safe.

In the worst-case scenario, that is after your computer got hit by CryptoLocker or a look-alike, having a recent clean backup will be the best medicine against sleepless nights.

As usual I welcome suggestions and comments right here in the blog.

Click here for a categorized Table Of Contents.


Tuesday, August 12, 2014

How to Use Malwarebytes Anti-Malware

In my article 2014 Update On Malicious Programs I promised to write about how to correctly use Malwarebytes Anti-Malware (MBAM). Here it is.

Allow me to repeat the short installation instructions:

MBAM is a time proven product and available in a totally sufficient free version. You have to watch during the original install and when you install a program update. The last window of the installer looks like this:

Please pay attention to the marked entry; its check box is preselected! That means the “trial version” will be activated, and after the trial period ends you would have to pay for using the program.

You have to uncheck this check mark.

Eventually the program itself needs to be updated; the installer will run again, and again you have to pay attention to this little detail to avoid the for-pay version!

And now to what the title promises.

After you start MBAM you see this window:

I recommend always clicking on Update Now; this is where the cursor points in the screenshot. Let the program work until you see that the database has been updated:

Do you see the check mark by Database Version (see the cursor)?

Then you click on the big green button labeled Scan Now.

The program window will show the progress:

When MBAM finishes scanning it may either show that no traces of malware were detected:


Or it shows this window listing encountered traces of malware (a real life example from a customer's computer):

The free version of MBAM does not allow you to select different action(s). Experience has shown that the program's suggested action is appropriate.

My recommendation is to follow MBAM's suggested actions and to click on Apply Actions. When that action has finished you can close MBAM.

As usual I welcome suggestions and comments right here in the blog.


Friday, August 8, 2014

2014 Update On Malicious Programs

As far as malicious software is concerned, much has changed since I last wrote about it. So here is an updated report on the current situation (summer 2014) and my personal advice on how to stay safe on the Internet. I will talk about
  • Definitions
  • Protective tools for the home user
  • How to avoid these troubles and a
  • Conclusion

Definitions
Malware: Short for malicious software. It is a general term used to describe all viruses, worms, spyware, and pretty much anything that is specifically designed to cause harm to your PC, steal your information or throw never ending torrents of advertisements at you.

Virus: A program that copies itself and infects a PC, spreading from one file to another, and then from one PC to another when infected files are copied or shared.

Spyware: Any software that collects your information without your knowledge and usually sends that information back to the creator(s) so they can use that personal information in some nefarious way.

Scareware: A relatively new type of attack, where a user is tricked into downloading what appears to be an antivirus application, which then proceeds to tell you that your PC is infected with hundreds of viruses and can only be cleaned if you pay for a full license. Of course, these scareware applications are nothing more than malware that holds your PC hostage until you pay for the “full” version. In many cases you can't uninstall them and/or they render the PC unusable.

Trojan horses: Applications that look like they are doing something innocuous, but secretly have malicious code that does something else. In many cases, trojans will create a backdoor that allows your PC to be remotely controlled, either directly or as part of a botnet—a network of computers also infected with this trojan and/or other malicious software. The major difference between a virus and a Trojan is that trojans don't replicate themselves—they must be installed by an unwitting user.

Worm: A computer worm uses a network to send copies of itself to other PCs, usually utilizing a security hole to travel from one computer to the next, often automatically without user intervention and often via email.

Ransomware: Usually encrypts your files, which are then useless to you; some variants even “lock” your computer. The software demands an often quite substantial payment for the means to restore your files into usable form – which even after payment sometimes fails.

Protective tools for the home user

You will always want to run a specialized antivirus program and a specialized on-demand-only malware removal tool. I will recommend the only two programs I have learned to trust over the years – and that are easy enough for the home user to handle.

Antivirus: The release of Microsoft Security Essentials has changed the landscape of antivirus software. We finally have a completely free application that protects against viruses, spyware, and other malware without killing system performance like some of the "suites" tend to do. In my extensive personal experience it barely slows down even relatively slow machines, and its user interface is the easiest to use of all I know.

Don't just take my word for it. AV-Test.org found that it detects 98% of their enormous malware database, and AV-Comparatives (a widely known anti-malware testing group) found that MSE was one of only three products that did well at both finding and removing malware.

Anti-malware: Modern malware, mostly called PUP (potentially unwanted program), is very different from classic viruses. Most antivirus programs cannot detect PUPs and thus do nothing about them. And, as if to add insult to injury, most of them get onto the computer because the user got tricked into allowing their installation.

I recommend Malwarebytes Anti-Malware (MBAM for short). Please download it from these two links only (they both go to the same destination).

MBAM is a time proven product and available in a totally sufficient free version. You have to watch during the original install and when you install a program update. The last window of the installer looks like this:

Please pay attention to the marked entry; its check box is preselected! That means the “trial version” will be activated, and after the trial period ends you would have to pay for using the program.

You have to uncheck this check mark.

Eventually the program itself needs to be updated; the installer will run again, and again you have to pay attention to this little detail to avoid the for-pay version!

See this article on how to correctly use MBAM.

How to avoid all these troubles

When it comes to protecting yourself, it's laughable how many people install multiple antivirus applications but don't keep their system updated with the latest patches for the operating system.

If everybody simply kept their system and all programs up to date, we wouldn't have to worry so much about these problems. If the constant rebooting action of Windows Update has you frustrated, you can always temporarily delay the reboot; remember, only after the reboot are the patches completely installed and active to protect your computer.

Keeping your applications updated is critically important to protect your computer's security. Your firewall won't protect you, and antivirus software is unlikely to help if you're using an old, vulnerable version of Adobe Flash or Adobe Reader.


In the end, good browsing habits and common sense should be your first line of defense against any kind of malware. I recommend always running a good security suite like MSE and additionally using MBAM as an on-demand scanner. That way you're as well protected as is easily possible, and you can scan your system for malware whenever you want.

So here's the bottom line: In my not so insignificant experience MSE and the free on-demand version of MBAM work very well together. Coupled with good browsing habits and common sense, this is a good combination of security tools, and using them judiciously should keep you well protected.

As usual I welcome comments and suggestions right here in the blog. Thank you in advance.


Monday, August 4, 2014

2014-08-04 WTKM Talking Points (August 04 2014)

Linksys and Cisco routers unsafe! Updating does NOT help.
Cisco comment: “There are currently no known workarounds available for this vulnerability.”
You could possibly switch your router to safer firmware by installing OpenWRT or the EFF's OpenWireless Router. Beware: This is not for the faint of heart!

Bitdefender enterprise endpoint security is unsafe!
Where does that leave the home user?
Remember, the company and their support are in Romania!

Cloud Storage: Another example of lost access and no recourse.


Infectious USB drives on the horizon. So far only drives with a certain type of controller are affected.
That will change!

New RAT (Remote Access Trojan) targets Bank of America, Citibank, Natwest, RBS and Ulsterbank (last three in GB) but there may be more.

AVG search revenue from freebie scanners dries up. Significant drop in income from search!

14 antivirus apps have security problems. After finding basic boo-boos in security software, researcher says vendors just don't care. Avira, BitDefender, ESET and Panda (among others) in the “hall of shame”. The skinny: The more a security app does, the bigger the attack surface – and the more it slows down the computer.

As usual I welcome suggestions and comments right here in the blog.
