Hi,
We got hit with a cryptolocker/bitlocker attack last week. Fortunately we have good backups so were able to restore, although 3gb of data took some time to do. What I want to do is go over what happened and see what approaches other people have for these threats.
First thing we noticed was on Friday morning when somebody pointed out that their files had been mashed. Here's a few examples of what the files got changed to:
/data/admin/misc files/FACTORY INFORMATION/fnwih0ocf.hoo7
/data/admin/misc files/FACTORY INFORMATION/g99q1kfz5.p9k0
/data/admin/misc files/FACTORY INFORMATION/og0u9pb.0gd
/data/admin/misc files/FACTORY INFORMATION/tb4qz.775x0
/data/admin/misc files/FACTORY INFORMATION/znxis7hgu.k7h
/data/admin/misc files/fi19fgq2r.69t
/data/admin/misc files/fjs6r76n.8gup
/data/admin/misc files/h2c0ew6pr.1gpd
/data/admin/misc files/h8jgb.c4v9
/data/admin/misc files/Halls Fashion/535p0e.ugc5a
/data/admin/misc files/Halls Fashion/halorr3vet.s9
/data/admin/misc files/Halls Fashion/nbhqgk5.a8ihp
/data/admin/misc files/hs93hlb9.9p
/data/admin/misc files/hxplu62l.mc9
/data/admin/misc files/i4jden.y7kx7
/data/admin/misc files/jaiytu55s.w2
/data/admin/misc files/kmp49j76.4b
Looking at the logs we soon found which machine it was, although that person had gone home on the Thursday and was not due back until the Tuesday. Restored data and when the user got back we booted the machine up (not connected to network!) and have since done scans using AVG, SUPERAntiSpyware, Avira, Spybot Search and Destroy, Kaspersky and Malwarebytes and still found nothing. We don't know if the virus was just memory resident or how it worked but obviously want to find out. Scanned all his emails and nothing (his files stored in IMAP folders). Nothing obvious in internet logs. Checked all processes running, startup programs, network setup etc. etc. We'll probably just wipe the machine and start again but would be nice to know what happened.
Lately we have been getting more and more phishing emails from random users (pretending to be, say, DHL or some other company) with, say, an attachment invoicexxx.doc or perhaps .docx, .xls etc. (where xxx is a random number) which will turn out to be infected, but not at the time the email was received, i.e. the virus is too new to be detected. We have run lots of these through our own virus scanner (AVG) and, say, https://www.virustotal.com/ and they have come up with nothing until hours later (which could be too late). Some show infected a couple of hours later and some maybe the next day. This latest development is very difficult to defend against if you cannot scan the file and confirm it is infected. Our mail server has AV software which scans files but didn't pick these up, and even if users are really conscientious and scan before opening, it does not show up as infected. We have now started implementing a white list of people who can send in invoicexxx.doc files. For anyone not on the list, the attachment is removed and a message is put in to inform the user.
We are now reviewing procedures to defend against a machine with admin rights being infected.
What is important is to be able to detect ASAP when files are starting to get renamed. I have just developed a standalone app that will scan network drives and look at file names. I got a list of known extensions off the internet and put them in a table. The app compares the file extension with the list and emails you anything different. If these files are safe you can load them into an exclusion table. If you run this regularly it should pick up these names very quickly.
What other security approaches are you using?
TIA
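The extension check described above, as an added example that is not Peter's app and not code from the list: a Python script that walks a tree, flags files whose extension is not on a known-good table, honours an exclusion table, and adds one thing the post does not mention, a per-directory density test, because a ransomware run renames most of a folder at once while a single odd file is usually a legitimate oddity. The extension table, the thresholds and the sample tree are assumptions constructed for the example; the renamed file names are the ones quoted in the post. Sending the alert by email is left to whatever the existing app does, so the script only builds the message body.

```python
"""Extension-anomaly scan for a file share, the check the post describes.
Added example; the known-extension table, the sample tree and the thresholds
are assumptions made for illustration."""
import os
import tempfile
from collections import defaultdict

# Assumed known-good extension table. A real deployment loads this from the
# table the post mentions and keeps it in lower case.
KNOWN_EXTENSIONS = {
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "csv", "rtf",
    "jpg", "jpeg", "png", "gif", "zip", "msg", "eml", "ini", "lnk", "exe", "dll",
    "dbf", "fpt", "cdx", "prg", "frx", "frt",  # FoxPro tables and programs
}

# Thresholds for the directory-level test (assumed values).
MIN_UNKNOWN_IN_DIR = 5      # at least this many odd files in one folder ...
MIN_UNKNOWN_RATIO = 0.5     # ... making up at least this share of the folder


def split_name(filename):
    """Return (stem, extension) with the extension lower-cased and without
    the dot; a name with no dot has extension ''."""
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        return filename, ""
    return stem, ext.lower()


def scan_tree(root, known=KNOWN_EXTENSIONS, exclusions=frozenset()):
    """Walk `root` and return (suspect_files, hot_directories).

    suspect_files: paths whose extension is neither known nor excluded.
    Extension-less files count as unknown on purpose; add "" to the
    exclusion table if the share legitimately holds them.
    hot_directories: folders where unknown extensions exceed both
    thresholds, which is what a mass rename looks like."""
    suspects = []
    counts = defaultdict(lambda: [0, 0])      # dir -> [unknown, total]
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            _stem, ext = split_name(name)
            counts[dirpath][1] += 1
            if ext in known or ext in exclusions or full in exclusions:
                continue
            counts[dirpath][0] += 1
            suspects.append(full)
    hot = [d for d, (unknown, total) in counts.items()
           if unknown >= MIN_UNKNOWN_IN_DIR
           and unknown / total >= MIN_UNKNOWN_RATIO]
    return sorted(suspects), sorted(hot)


def make_sample_root():
    """Constructed sample share: one clean folder and one folder hit by a
    mass rename, using the renamed names quoted in the post."""
    base = tempfile.mkdtemp(prefix="share_")
    clean = os.path.join(base, "data", "admin", "misc files", "Halls Fashion")
    hit = os.path.join(base, "data", "admin", "misc files", "FACTORY INFORMATION")
    os.makedirs(clean)
    os.makedirs(hit)
    for name in ("orders.xlsx", "lookbook.pdf", "notes.txt", "stock.dbf"):
        open(os.path.join(clean, name), "w").close()
    for name in ("fnwih0ocf.hoo7", "g99q1kfz5.p9k0", "og0u9pb.0gd",
                 "tb4qz.775x0", "znxis7hgu.k7h", "readme.txt"):
        open(os.path.join(hit, name), "w").close()
    return base


def format_alert(suspects, hot):
    """Plain-text body for the alert email the post's app sends."""
    lines = ["Unknown extensions found: %d" % len(suspects)]
    lines += ["  " + p for p in suspects]
    if hot:
        lines.append("Folders with mass renames (possible ransomware run):")
        lines += ["  " + d for d in hot]
    return "\n".join(lines)


if __name__ == "__main__":
    root = make_sample_root()
    print(format_alert(*scan_tree(root)))
```

Run on the real share the scan is a scheduled task with `root` set to the share's mount point; the exclusion table takes either a bare extension ("775x0") or a full path, so a reviewed one-off file can be silenced without silencing its extension everywhere.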
On Wed, 10 Feb 2016, at 11:40 AM, Peter Cushing wrote:
Hi,
We got hit with a cryptolocker/bitlocker attack last week. Fortunately we have good backups so were able to restore, although 3gb of data took
Bitlocker is Microsoft's on-the-fly disk encryption, I didn't think it was *that* bad :)
The podcast here might give you some ideas:
https://nakedsecurity.sophos.com/2015/03/16/teslacrypt-ransomware-attacks-ga...
On 10/02/2016 16:38, Alan Bourke wrote:
Bitlocker is Microsoft's on-the-fly disk encryption, I didn't think it was *that* bad :)
Must have heard the name bitlocker and assumed it was a bad guy :-)
The podcast here might give you some ideas:
https://nakedsecurity.sophos.com/2015/03/16/teslacrypt-ransomware-attacks-ga...
Confirmed a lot of the things we do anyway, but the biggest problem for us is not being able to detect a virus in some of these new attachments, and we still haven't detected anything on the suspect machine.
Peter
Brave Soul at Pure London 14th-16th Feb Stand F44 Mens and Womens SS16 Stock and AW16 Preview
This communication is intended for the person or organisation to whom it is addressed. The contents are confidential and may be protected in law. Unauthorised use, copying or disclosure of any of it may be unlawful. If you have received this message in error, please notify us immediately by telephone or email.
www.whisperingsmith.com
Whispering Smith Ltd Head Office:61 Great Ducie Street, Manchester M3 1RR. Tel:0161 831 3700 Fax:0161 831 3715
London Office:17-19 Foley Street, London W1W 6DW Tel:0207 299 7960
I am seeing these attachments every day in my Google Mail; so far, all have been flagged as spam and often have a 'malicious content' warning.
Years ago, when folks found you could include malware in Word macros, the guidance was:
1. Do not open untrustworthy attachments.
2. There are no trustworthy attachments.
Do you understand the mechanism within the DOCX files that's delivering the payload?
I wonder if opening the DOCX files in a different reader, like OpenOffice might disarm the payload. Be careful: you're playing with fire, here. Supposedly, you can completely disable macros with:
https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-...
NB: For a long time now, there's been no practical difference between documents and executables. Documents (docx, xls, pdf) can contain code and that code can run without user actions. Acrobat and Office are just runtimes, running without a sandbox. Mail filters that block EXEs but let through docs are just performing security theater, and giving users a false sense of security.
On Wed, Feb 10, 2016 at 6:40 AM, Peter Cushing pcushing@whisperingsmith.com wrote:
<snip>
-- Peter Cushing IT Department WHISPERING SMITH
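The point above that a document is a program, together with the invoicexxx sender whitelist from the first message, as one added example that is not Ted's, Peter's or the list's code: a Python gateway rule that inspects an Office attachment's structure for a VBA project before anything else, because an OOXML file is a zip container in which the macro project is a named part and the content-types manifest names it, so the check does not depend on an AV signature or on the extension the sender chose. Only after that does it apply the sender whitelist. The whitelist address, the sample files and the rule ordering are assumptions made for the example. The legacy binary .doc/.xls format is an OLE2 container whose VBA sits in a compressed stream and needs a CFB parser (olevba from oletools does this); the example recognises that container but does not inspect it.

```python
"""Attachment triage for a mail gateway. Added example, not the list's or
Whispering Smith's code: it strips anything that carries a VBA project,
whatever its extension, then applies the sender whitelist for invoice-style
names. OOXML files (.docx/.docm/.xlsx/.xlsm) are zip containers, so the
VBA check is structural and needs no AV signature."""
import io
import re
import zipfile

# Part names and content types that mark an OOXML document as macro-bearing.
MACRO_PART_SUFFIX = "vbaproject.bin"
MACRO_CONTENT_TYPES = ("macroenabled", "application/vnd.ms-office.vbaproject")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd",
                   "js", "jse", "vbs", "vbe", "hta"}

# Assumed: the "invoicexxx" pattern from the thread and a made-up whitelist.
INVOICE_NAME = re.compile(r"^invoice\d+\.(doc|docx|docm|xls|xlsx|xlsm)$", re.I)
INVOICE_SENDERS = {"accounts@example-supplier.co.uk"}


def ooxml_has_macros(data):
    """True/False for an OOXML container; None when `data` is not a zip."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None
    with zf:
        names = zf.namelist()
        if any(n.lower().endswith(MACRO_PART_SUFFIX) for n in names):
            return True
        if "[Content_Types].xml" not in names:
            return False           # a plain zip, not an Office document
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace").lower()
        return any(t in ctypes for t in MACRO_CONTENT_TYPES)


def extension(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def triage(sender, filename, data, whitelist=INVOICE_SENDERS):
    """Return ('strip' | 'allow', reason). Content checks come first, so
    renaming a .docm to .docx buys the sender nothing."""
    ext = extension(filename)
    macros = ooxml_has_macros(data)
    if macros:
        return "strip", "attachment carries a VBA project (named .%s)" % ext
    if ext in EXECUTABLE_EXTS or data[:2] == b"MZ":
        return "strip", "executable attachment"
    if INVOICE_NAME.match(filename) and sender.lower() not in whitelist:
        return "strip", "invoice-style name from a sender not on the whitelist"
    if macros is None and data.startswith(OLE_MAGIC):
        # Legacy binary Office file: VBA lives in an OLE2 stream and needs a
        # CFB parser (oletools' olevba). Not inspected in this example.
        return "allow", "legacy OLE container not inspected for VBA here"
    return "allow", "no rule matched"


DOCX_MAIN = ("application/vnd.openxmlformats-officedocument."
             "wordprocessingml.document.main+xml")
DOCM_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"


def build_ooxml(main_content_type, with_vba=False):
    """Constructed minimal OOXML container with just the parts the check
    reads; not a document Word would open, enough to exercise the rules."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = ('<Override PartName="/word/document.xml" ContentType="%s"/>'
                     % main_content_type)
        if with_vba:
            overrides += ('<Override PartName="/word/vbaProject.bin" '
                          'ContentType="application/vnd.ms-office.vbaProject"/>')
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)   # placeholder bytes
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                    'package/2006/content-types">%s</Types>' % overrides)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def demo():
    """Run constructed messages through triage; returns {label: action}."""
    clean = build_ooxml(DOCX_MAIN)
    macro = build_ooxml(DOCM_MAIN, with_vba=True)
    ok = "accounts@example-supplier.co.uk"
    cases = {
        "docm renamed .docx from whitelisted sender": (ok, "invoice482.docx", macro),
        "clean docx from whitelisted sender": (ok, "invoice482.docx", clean),
        "legacy .doc from unknown sender": ("random@example.net", "invoice482.doc", OLE_MAGIC + b"\x00" * 504),
        "legacy .doc from whitelisted sender": (ok, "invoice482.doc", OLE_MAGIC + b"\x00" * 504),
        "exe in disguise": ("random@example.net", "photo.jpg", b"MZ\x90\x00"),
    }
    return {label: triage(*args)[0] for label, args in cases.items()}


if __name__ == "__main__":
    for label, action in demo().items():
        print("%-45s %s" % (label, action))
```

The whitelist still has a hole the macro check does not close: a legitimate supplier's mailbox can be compromised and send a macro-bearing legacy .doc, which this example lets through because it does not parse OLE2. Running olevba on anything that hits the "legacy OLE container" branch, or converting those to the sender-whitelist-plus-strip policy outright, closes it.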
On 10/02/2016 17:42, Ted Roche wrote:
<snip>
Do you understand the mechanism within the DOCX files that's delivering the payload?
No, but don't think it would help me anyway. We just need a reliable way of determining if the word (or excel) file is infected. When they don't show up on xx virus scanners on virus total what can you do?
I wonder if opening the DOCX files in a different reader, like OpenOffice might disarm the payload. Be careful: you're playing with fire, here. Supposedly, you can completely disable macros with:
https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-...
Our users sometimes get spreadsheets with macros from customers so occasionally need to use this feature. The article also shows that you can disable the feature but, for trusted documents, put them in a trusted location to run the macro. Will have to check if this is viable.
We have just wiped the machine that did the damage but still could not detect anything on it. You just could not trust the machine as it was.
Turns out we were hit by CryptoWall 4, but still don't know how it got onto the machine. It might have been an email attachment but we can't find anything suspicious in his email archive.
Peter
I always use a program called SandBoxie that allows you to either run sandboxed web sessions or in fact run any program in a sandbox. You can then examine the changes that it WOULD have made to a live system. The software has a free evaluation at SandBoxie.com (the demo version simply makes you wait 10 seconds on loading after asking you to buy the program, but it is fully featured).
Because it integrates into Windows Explorer you can right-click a program and run it sandboxed in either standard user mode or Administrator mode without having to worry about any PC corruption.
I have used this now for about 4-5 years and it is in my toolbox now for every installation.
Dave
-----Original Message----- From: ProFox [mailto:profox-bounces@leafe.com] On Behalf Of Peter Cushing Sent: 11 February 2016 13:22 To: profox@leafe.com Subject: Re: [NF] Phishing and security in general.
<snip>
Oh, I forgot to add, available for download:
Dave
On 11/02/2016 14:34, Dave Crozier wrote:
Oh, I forgot to add, available for download:
Dave
Will check it out Dave, cheers.
Here is an example of Sandboxie in action when the Cryptolocker virus is encountered, as an example of how to use it.
https://www.youtube.com/watch?v=aMtyGNviiRY#t=12
and a general overview/review of Sandboxie:
https://www.youtube.com/watch?v=iVdY2cMTjPA
Dave
Oops, the second video should have been this one, sorry!!
https://www.youtube.com/watch?v=GueXMq-Vyi8 This is one of 3 Reviews.
Dave
Wonder why it is difficult to email a new exe to a customer? I put it in a zip file.
On Thu, Feb 11, 2016 at 7:21 AM, Peter Cushing <pcushing@whisperingsmith.com> wrote:
<snip>
On 10 Feb 2016 16:19, "Peter Cushing" pcushing@whisperingsmith.com wrote:
Hi,
We got hit with a cryptolocker/bitlocker attack last week. Fortunately we have good backups so were able to restore, although 3gb of data took some time to do.
Was that 3gb on a DVD or a USB stick? I hope you mean 3tb :-)
By the way, some of these spread via open Windows shares, so check your network security.
Tuesday's Microsoft patches included a patch for the Windows PDF reader, as well as an Office patch that addresses "Remote Code Execution" among (apparently MANY) other things.
https://isc.sans.edu/forums/diary/Microsoft+February+2016+Patch+Tuesday/2071...
On Wed, Feb 10, 2016 at 12:50 PM, Paul Hill paulroberthill@gmail.com wrote:
<snip>
Peter,
I've been using CryptoBlocker, which is supposed to block the methods used by the Cryptolocker trojan. You can read about the methodology here... https://www.foolishit.com/cryptoprevent-malware-prevention/
It looks good to me and I've been installing it on all of the systems I manage for a couple of years now.
I did have 1 client who experienced an attack/infection, paid the ransom and got his files back. I think it was $600 US. That's the first encounter I've had with it and I came across CryptoBlocker -after- that occurrence.
From what I could tell, the infection came from a zip-file attachment sent to my client, supposedly by a business contact. As it turned out, the website that the email originated from had been compromised and actually was the source.
Since then, I send out a "do not open any email attachment" warning to my clients about every 6 months. So far, knock on wood...
I hope this helps.
Mike Copeland
Peter Cushing wrote:
<snip>
On 11/02/2016 05:00, Mike Copeland wrote:
Peter,
I've been using CryptoBlocker, which is supposed to block the methods used by the Cryptolocker trojan. You can read about the methodology here... https://www.foolishit.com/cryptoprevent-malware-prevention/
Going to put this on all machines as we come to them. Thanks,
Since then, I send out a "do not open any email attachment" warning to my clients about every 6 months. So far, knock on wood...
Not really an option for us as we have attachments coming in and out all day.
Thanks,
Peter