
Sunday, February 1, 2015

2015-02-02 WTKM Talking Points (February 2nd 2015)

Confirmed sensation: Microsoft will allow all Win 7 & 8 users to upgrade to Win10 for free – for one year (only?). But then will the licensing kick in? A rented operating system? Home users, be careful! Microsoft does not give anything away for free; this is the first concrete step to get us all to accept a licensing model, which means yearly payments. This way Microsoft will, in the medium and long run, make oodles more money than by selling the software.

New dangerous bug in Adobe Flash Player is exploited via Facebook! The current version is 16.0.0.296! The catch: many fake updates are around! Mostly the user is tricked into downloading/installing a fake plugin that then installs a keylogger to collect login info and passwords. User beware!

Renewed warning: CryptoWall (a new CryptoLocker variant) is spread through advertising networks.

When you see advertisements, your computer is already infected! It is more important than ever to have a backup routine in place AND TO DO IT!

Finally: Microsoft takes on scam tech support phone call organizations (PDF).
If MS succeeds I expect the crooks to move off-shore and do the same from India.
Microsoft Digital Crimes Unit attorney Courtney Gregoire has an article and a video about these scams on this blog.

If anyone calls you and claims to be in any way affiliated with Microsoft IT IS A SCAM!
Here is Microsoft's own advice for such a case:
  • Do not purchase any software or services.
  • Ask if there is a fee or subscription associated with the “service.” If there is, hang up.
  • Never give control of your computer to a third party unless you can confirm that it is a legitimate person you personally know and trust and/or are already a customer, or when you personally initiated a support call with Microsoft.
  • Never provide your credit card or financial information to someone claiming to be from Microsoft tech support.
  • Take the caller’s information down and immediately report it to your local authorities.

PEBKAC errors are the most common ones and no program protects against that!

The supposed hack attack on French news media after the Charlie Hebdo shooting was no attack at all. It was a simple server cockup.

In Canada it is now illegal to install computer programs without consent. Why not in the US?

375 of the 500 largest companies do not protect their web sites from typosquatters. That creates a real danger when you mistype a web address in your browser. Be careful!

As usual I welcome suggestions right here in the blog.
Click here for a categorized Table Of Contents.



Monday, September 1, 2014

Details on CryptoWall


This article assumes that you are familiar with my previous article CryptoLocker - Revisited.

Detailed information was released about CryptoWall, one of the CryptoLocker variants.

Between mid-March and late August CryptoWall infected almost 625,000 systems; on these systems it encrypted more than 5.25 billion files.

The US seems to have the most CryptoWall infections: 253,521 (or about 40 percent), followed by Vietnam with 66,590 infections, the U.K. with 40,258, Canada with 32,579 and India with 22,582.

The US likely got targeted more often because CryptoWall got distributed through spam emails sent from the Cutwail botnet, which targets English-speaking computer users.

Researchers collected data directly from CryptoWall's payment server, such as the exact number of paying victims and the amount of the payments. Of the nearly 625,000 infections over about six months, 1,683 victims (0.27%) paid the ransom, for a total of $1,101,900.

CryptoWall seems to have a home-made problem by accepting ransom payments in Bitcoin only. Many average computer users will have problems paying with Bitcoin, and researchers assume that this is part of the reason that only 0.27% of CryptoWall's victims paid, compared to 1.3% of CryptoLocker victims; CryptoLocker allowed payment by MoneyPak as well.

As sad as it is, these numbers clearly show that cyber crime pays.






Tuesday, August 26, 2014

CryptoLocker - Revisited



In December 2012 I wrote for the first time about the then relatively new virus CryptoLocker.
In October 2013 I wrote again about new variants of this virus. Now I have new information that warrants visiting CryptoLocker again.

This family of viruses is by now one of the most destructive threats I have seen. Much of the news regarding CryptoLocker is rather negative but there is at least a bit of positive news as well.

CryptoLocker has evolved

Very shortly after the original CryptoLocker had appeared the first variant was discovered; at first glance it appeared to be similar to the original version. It almost was a look-alike: the method of infection was the same, the encryption seemed the same and the message on the infected computer's screen was very much like the original's. There were only two obvious differences: the original CryptoLocker demanded $100 for the information to decrypt the user's files and it offered two payment methods (MoneyPak or Bitcoin); the “look-alike” demanded $300 and accepted Bitcoin only.

Time consuming and detailed analysis uncovered significant internal differences. Specialists found that the second version most likely was written by a different programmer or even programming team. It was written in a different programming language and many other internal differences were discovered as well.

In the meantime we know of at least six other virus programs that work similarly to CryptoLocker. They are called “encrypting ransomware” (in the following, ERW); they are actively distributed, modified and improved. Most likely they were created and are being run by different groups of malware creators and distributors. Some names I have run across:
  • CryptoLocker (the original)
  • CryptoLocker 2 (the first imitator referenced above; my naming)
  • Critroni
  • CryptoDefense
  • CryptorBit
  • CryptoWall (see this new article for details)
  • CTB Locker
  • PrisonLocker or PowerLocker
  • TorLocker

The newer versions of ERW viruses have become increasingly sophisticated, hard to detect and difficult to remove.

How these infections spread

Many infections happen when the user attempts to open an e-mail attachment that then in turn launches the ERW. By now almost any file type can be abused in this way; you just can't trust so-called “safe” file types any longer.

Over time I have received many emails about supposedly failed deliveries of goods. Some of these emails were made professionally and looked at first glance almost authentic. It made no difference whether the email seemed to be from DHL, FedEx, UPS or the US Postal Service; there always seemed to be some legitimate sounding reason to open the attachment.

In all cases attention to detail and applied common sense protected my computer better than any security program could have done; I simply avoided that one fatal click to open an attachment.

Another increasingly often encountered way for ERWs to spread is “drive-by downloads”. They come from compromised websites and compromised web servers. These sophisticated attacks take advantage of known vulnerabilities in almost ubiquitous software like Windows, Adobe Flash, Adobe Reader, Java and so on. Since these vulnerabilities are known, there is very little excuse for getting caught by a drive-by download: an infection by a drive-by download is very unlikely if the user keeps all software up to date.

Protection?

On the positive side we have, to my knowledge, three options, some free and some with premium versions for a charge. These programs do not interfere or conflict with common antivirus or security software. I warn against running any two of these programs concurrently because they are likely to conflict with each other.

1. CryptoPrevent
2. MalwareBytes Anti-Exploit
3. HitmanPro Alert with CryptoGuard

If you are interested in learning more, please follow the links.

To make it perfectly clear: I am convinced that the best protection is our own attention to detail, caution and applied common sense. No software in the world can replace our watchfulness!

ERWs on non-Windows computers

To make a bad situation even worse, there are reports of ERWs on other, non-Windows platforms like tablets and smart phones with the Android operating system. There was talk about a popular NAS system (Network Attached Storage) being targeted as well. Only Apple systems seem not to be affected, so far at least; as we all know, that can change any moment.

A bit of good news

Fairly recently, I believe it was in early August 2014, two software companies announced that they have jointly developed a method to decrypt at least some of the files that were encrypted by the original CryptoLocker. The companies are FireEye (www.fireeye.com) and Fox-IT (www.fox-it.com). They offer their program free of charge to people who still have files encrypted by the original version of CryptoLocker and who want to attempt to recover them.

These companies apparently did not crack the encryption; they gained access to some of the command and control servers where some of the private keys that the original CryptoLocker virus had used were stored.

Much detailed sleuthing, disassembling, reverse engineering and analysis of the original virus enabled them to write a program called DecryptCryptoLocker that can decrypt affected files when they were encrypted using any of the recovered private keys. At https://www.decryptcryptolocker.com/ you can read how this works. There is a decent chance that this program will recover encrypted files, but there is no guarantee. Some obstacles encountered so far that may prevent decryption are:
  • It works only on files encrypted by the original version of CryptoLocker; it may or may not work on files encrypted by later versions of ERW.
  • Nobody knows if the servers accessed by FireEye and Fox-IT contained all the private keys CryptoLocker had used.
  • The original CryptoLocker was effectively eliminated late in May 2014; any later infections will most likely have used different sets of private keys.

Despite these obvious limitations of the procedure, FireEye and Fox-IT deserve a lot of credit and big kudos. Anybody who still has files encrypted by the original CryptoLocker should try the procedure and see if it works for them.

My personal conclusion

It is primarily user behavior that protects the computer by always keeping Windows and all other regularly used programs up to date. If all this is accompanied by attention to detail and applied common sense then the computer will most likely remain “healthy” and safe.

In the worst-case scenario, that is after your computer got hit by CryptoLocker or a look-alike, having a recent clean backup will be the best medicine against sleepless nights.


 

Monday, November 18, 2013

Warning - W A R N I N G - Warning


On October 23rd 2013 I wrote about a really, really bad new virus called CryptoLocker.

Back then, only three and a half weeks ago, CryptoLocker was an acute danger mainly in the UK, parts of continental Europe and in some Asian countries.

This has changed dramatically. Computer users in the USA get hit with this virus increasingly often. For a few days now I have been receiving about five emails every day that offer me "free money" or pre-approved credit cards "ready to be shipped" my way. Would I ever click on a link in such an email? Would I ever be tempted to open one of the attachments? You bet not!

A free(!) protection method is available, but it will interfere to some degree with normal computer operation. When this happens the computer user needs a certain amount of technical know-how to correctly diagnose the reason for the interruption and then to create an exception; this has to be done every time it happens. If you can do that, you should look at CryptoPrevent.

For everybody else I shout as loud as I can:
Disconnect your external backup drive when the backup is done!
If you don't disconnect the backup drive your backup files will be encrypted as well! They are totally useless once encrypted.
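The two warnings, that ERW is hard to detect (see the CryptoLocker - Revisited post) and that a permanently connected backup drive simply gets encrypted along with everything else, can be turned into a small check that a backup script runs before it is allowed to overwrite the previous good copy. The Python below is an added example written for this page; it is not code from this blog and not how CryptoPrevent or the other tools named on this page work. It assumes a manifest of file hashes recorded after the last good backup, a canary file that should never change, and entropy and change-ratio thresholds; the canary name, the thresholds and the sample "documents" are all constructed for the demo.

```python
"""Ransomware-aware backup gate (added example, not from the blog).

Idea: record a manifest (path -> sha256, entropy) after every known-good backup.
Before the next backup is allowed to overwrite the previous copy, compare the
current files with that manifest. Plain documents have a byte entropy well
below 8 bits; encrypted output sits close to 8 bits. A canary file that should
never change, plus a large share of files turned into high-entropy blobs, is a
strong sign that an encrypting ransomware has been at work, and the backup
should then be refused rather than synchronised over the good copy.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

CANARY_NAME = "_backup_canary.txt"            # hypothetical canary file name
CANARY_TEXT = b"canary: if this file changes, something rewrote your data\n"
ENTROPY_THRESHOLD = 7.0       # bits per byte; constructed threshold for the demo
CHANGE_RATIO_THRESHOLD = 0.5  # at least half of the known files changed or gone


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: str) -> dict:
    """Map relative path -> (sha256 hex digest, entropy) for every file under root."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(full, root)
            result[rel] = (hashlib.sha256(data).hexdigest(), shannon_entropy(data))
    return result


def assess(before: dict, after: dict) -> dict:
    """Compare the known-good manifest with the current state; decide if backup may proceed."""
    changed = sorted(p for p in before if p in after and after[p][0] != before[p][0])
    missing = sorted(p for p in before if p not in after)
    new = sorted(p for p in after if p not in before)
    high_entropy = sorted(p for p in changed + new if after[p][1] >= ENTROPY_THRESHOLD)
    canary_hit = CANARY_NAME in changed or CANARY_NAME in missing
    ratio = (len(changed) + len(missing)) / len(before) if before else 0.0
    suspicious = canary_hit or (ratio >= CHANGE_RATIO_THRESHOLD and bool(high_entropy))
    return {"changed": changed, "missing": missing, "new": new,
            "high_entropy": high_entropy, "canary_hit": canary_hit,
            "change_ratio": ratio, "suspicious": suspicious}


def build_sample(root: str) -> None:
    """Create a few constructed low-entropy 'documents' plus the canary file."""
    docs = {
        os.path.join("letters", "mom.txt"): b"Dear Mom, the garden is doing fine this year.\n" * 40,
        os.path.join("photos", "index.csv"): b"file,taken\nIMG_0001.jpg,2014-08-01\n" * 60,
        os.path.join("taxes", "2013.txt"): b"Income 12345.00\nDeduction 678.90\n" * 50,
        CANARY_NAME: CANARY_TEXT,
    }
    for rel, data in docs.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def simulate_damage(root: str) -> None:
    """Stand-in for the damage: overwrite every file in the demo directory with random bytes."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            with open(os.path.join(dirpath, name), "wb") as fh:
                fh.write(os.urandom(4096))


def demo() -> tuple:
    """Run the gate once on untouched data and once after the simulated damage."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        good = snapshot(root)               # manifest taken right after a good backup
        unchanged = assess(good, snapshot(root))
        simulate_damage(root)
        tampered = assess(good, snapshot(root))
    return unchanged, tampered


if __name__ == "__main__":
    clean, bad = demo()
    print("untouched data -> suspicious:", clean["suspicious"])
    print("after overwrite -> suspicious:", bad["suspicious"],
          "canary hit:", bad["canary_hit"], "high-entropy files:", len(bad["high_entropy"]))
```

The point of the gate is the same as the point of unplugging the drive: the previous good copy must never be reachable by whatever is rewriting the live files. A backup job that calls assess() first and stops when suspicious is set keeps the old copy intact; the entropy check alone is not proof (compressed archives and photos are also high-entropy), which is why the canary and the change ratio are combined with it.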




Wednesday, October 23, 2013

Warning: Old Fiend With New Muscle


In the title I say "old fiend" and it is an old adversary in new clothes and with significantly more muscle. 

Instead of repeating the background story please first head over to my September 2012 article and come back here after you have read it.

So what's new? Besides the new name, CryptoLocker, a couple of major improvements have been made to that nasty piece of malicious software:
  • The encryption is now "NSA grade", meaning there is no way out! Your data files most likely will remain lost!
  • The ransom has been raised in some variants of this malware to close to $1000.
  • Now even files on drives other than the system drive C: will be encrypted. That renders restore partitions useless.
  • Is your backup disk permanently connected to the computer? Then the files on this drive get encrypted as well and all your backups are totally useless!
  • Now even files on other network-connected computers can get encrypted.
  • Many victims that actually did pay the ransom got a decryption key that did not work! Their files remained inaccessible and were totally lost.
  • To pay the ransom, in some instances credit card information was given to the obviously wrong people; credit cards got maxed out in minutes! That is much more trouble than the loss of years of pictures, emails and other files!
  • Many attempts to save files turned out to be more expensive than a brand new computer would have been. Even with a new computer your files remain lost!
So far, and that may change soon, CryptoLocker
  • arrives on victims' computers in an email from an arbitrary sender they often don't know.
  • arrives on victims' computers as an email attachment; this requires the victim to explicitly execute the attachment, that is, double-click on it and possibly even ignore the warning from Windows about running a downloaded program.
  • arrives on victims' computers after the victim clicked on a link in an email without first checking the link and its real target.

You say you don't do either of these arguably fairly dumb and dangerous things? Good for you! Are you 100% certain that everybody who might use your computer is as careful, as attentive and as cautious? Think about your sweet teenage granddaughter, your kid's friends, visitors and so on.


You ask why your antivirus program did not catch the bad program? Simply because this form of CryptoLocker is new. It requires time and quite some effort to design detection methods and find secure ways to neutralize these modern and very sophisticated threats.

As of this writing we all are unprotected and need to use due diligence. Always wear your common sense hat!

The only currently known "protection" against damage by CryptoLocker is to have a recent image backup of your system drive and/or to have a set of restore DVDs that were created when the system was still functioning correctly.

If you need to use either of the aforementioned a System Repair disk is required. Did you already create one?

If you need help to set up a sensible backup routine and/or to create the disks mentioned above please contact me. You find a useable email address in the left sidebar at the end of the text titled "Welcome".
