Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Cryptolocker Hijack program


  • Please log in to reply
3063 replies to this topic

#61 rsiadmin

rsiadmin

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:01:39 AM

Posted 09 September 2013 - 04:55 PM

no fun today! we are suffering from this dastardly ransom ware. to top it off my variant wants 300 us dollars. getting rid of the bug appears easy enough but same as others what about the encrypted files. paying is a last resort , we'll exhaust all other avenues before that happens. luckily we have good back ups and should be ok , but I'm like others, what to do to avoid it again? we were hit with it sometime after Friday at a station that the end user was not even working at since Tuesday of last week. Apparently something already existed on that station but the thought of others getting hit with it is a little un-nerving. Not Cool.



BC AdBot (Login to Remove)

 


#62 Chuck Sp

Chuck Sp

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:39 AM

Posted 09 September 2013 - 05:44 PM

Yeah the ones I have seen are all $300 ea as well.  I have had one client choose the pay option so far, am there now, waiting on the payment to go through.  praying this goes well, as its a law firm and they just have a may 2013 backup of the server stuff.



#63 proapp

proapp

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:01:39 AM

Posted 09 September 2013 - 06:47 PM

So does anyone have any vector information?  How is this contracted?  What can we do to prevent it?  Its a game changing virus and if it cant be prevented and cant be stopped except by a backup... who wants to have to do a full server restore every damn time an end user gets some damn spyware?
 
Whoo, this thing has my stomach in knots.


Great post, and great point. Any ideas how this is getting in? I too am stumped. Id love to point a finger at TrendMicro!

#64 Chuck Sp

Chuck Sp

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:39 AM

Posted 09 September 2013 - 07:06 PM

No Man, I use the commtouch (old command.com or authentium.com) package at most of my clients, and eset at others and TM at others... its across the board.  With the infection rate I am seeing I am genuinely puzzled as to the extremely quiet reception here and across the web on this game changer.

 

MS/major a/v vendors will have to do something drastic if it "goes viral" and gets alot of distribution.  I am wondering if we are seeing a test launch or something similar, just to test their infrastructure. 



#65 screwloose

screwloose

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 09 September 2013 - 07:39 PM

We have a customer that may have been hit by this virus / scam. I have a copy of all the files the AV picked up and a file thats encrypted and one thats not. IF this is any help to anyone please let me know where to send the files. 



#66 Chuck Sp

Chuck Sp

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:39 AM

Posted 09 September 2013 - 08:30 PM

So chalk another one up to payment working.  One client decided to pay (against advice) and be damned if it isnt decrypting.

 

It gave me chills as it took a cpl hours to process the payment, but its going to town.  I isolated it to just the machine in question and the encrypted files from the server (on a NAS mapped so it looked like it was still on the server), and it decrypting them now. 

 

SOMETHING has to be done about this long term.  and its above my pay grade to know what.  I cant be doing restores (2 other clients) and paying ransom every other week on my clients, I just cant sleep at night knowing crap like this is going on.  Gotta find a way to PREVENT this infection, not just mitigate its impact (all my other contract and a few non-contract I called and talked into putting the server shares as read only for a few days till we get a handle on this thing to mitigate the damage). 

 

I wonder what weakness they are exploiting to deploy this crap onto end-user PCs.  Gotta figure this out.  Praying to the computing Gods to help out on this one, I am not enough of a hacker/programmer to tackle this.



#67 proapp

proapp

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:01:39 AM

Posted 09 September 2013 - 08:54 PM

no fun today! we are suffering from this dastardly ransom ware. to top it off my variant wants 300 us dollars. getting rid of the bug appears easy enough but same as others what about the encrypted files. paying is a last resort , we'll exhaust all other avenues before that happens. luckily we have good back ups and should be ok , but I'm like others, what to do to avoid it again? we were hit with it sometime after Friday at a station that the end user was not even working at since Tuesday of last week. Apparently something already existed on that station but the thought of others getting hit with it is a little un-nerving. Not Cool.


Whoooa.... a $300 variant?!

Ours was $100...

Anyone else see a $300?

#68 Chuck Sp

Chuck Sp

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:39 AM

Posted 09 September 2013 - 08:55 PM

yep ours was $300, and the customer didnt bat an eyelash at paying it. 



#69 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 52,423 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:39 AM

Posted 10 September 2013 - 07:01 AM

As announced by Fabian:

Here are a few notes that I just published over at KernelMode. 
CryptoLocker (or Crilock) has been active for the past 2 - 3 days. Here are a few notes that I gathered so far in a quick reverse engineering run. I am currently sick with the flu so take these information with a grain of salt:

  • Connection with the C&C server is established through either a hardcoded IP (184.164.136.134, which is down now) or if that fails through a domain generation algorithm located at 0x40FDD0 and seeded by GetSystemTime. At this time I found that xeogrhxquuubt.com and qaaepodedahnslq.org are both active and point to 173.246.105.23.
  • The communication channel uses POST to the /home/ directory of the C&C server. The data is encrypted using RSA. The public key can be found at offset 0x00010da0 inside the malware file.
  • On first contact the malware will send in an information string containing the malware version, the system language, as well as an id and a group id. In return it receives a RSA public key. In my case this has been:
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkQBZgSk3NNo54cxwl3nS
    zZHMhFI4oU0ygX81IFsktcaCAIUrMSnUVQEcFvhcidh/5JuE+piQY5Z3iuDcKqiF
    0yWZ7rck+xC1i/xaY5nNxJnh/clEqO8qRNg9DTe6qDlVO8PAHgr882dUHTzZgdAN
    OWR8+5rWxck9LxtB8+DSE8cWy
  • The key is saved inside the HKCU\Software\CryptoLocker. If you want to capture the key on your system, the easiest way to do so is to break on CryptStringtoBinaryA.
  • The malware targets files using the following search masks:
    *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7cThe 
    encryption used to encrypt files matching these masks is a mix of RSA and AES. Essentially the malware will generate a new AES 256 key for each file it is going to encrypt. The key is then used to encrypt the content of the file. The AES key itself is then encrypted using the public RSA key obtained from the server. The RSA encrypted blob is then stored together with the encrypted file content inside the encrypted file. As a result encrypted files are slightly larger than their originals. Last but not least the malware records the file it encrypted inside the HKCU\Software\CryptoLocker\Files key. Value names are the file paths where "\" has been replaced with "?". I haven't looked into the meaning of the DWORD value yet.
All systems I have looked at were infected through social engineering. Victims got emails with alleged customer complaints containing attachments that were infected with a malware downloader. The downloader then downloaded and installed the actual CryptoLocker malware. Based on the targeted file types list, it is also clear that the malware is specifically targeting business users. Crypto malware targeted towards home users, will target music, picture, and video files. This malware though primarily targets file formats used by companies, completely ignoring common home user file types.

To recover the AES keys used to encrypt the files, you will require the private half of the RSA key that was generated by the server. Without access to the server, decryption is impossible.

Here is the link to my KernelMode.info post, just in case someone from there adds anything:

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2945 

 
The same info can also be found here.
regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


banner.png

Follow BleepingComputer on: Facebook | Twitter | Google+


#70 Chuck Sp

Chuck Sp

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:39 AM

Posted 10 September 2013 - 07:31 AM

Good information.  The social engineering aspect is why I am seeing lower than feared penetration.

 

What are your thoughts on whether or not this is a "game changer" and that something will have to be changed at a system level to stop this sort of thing?

 

Any ideas on a systemic way to prevent this?



#71 Grinler

Grinler

    Bleep Bleep!


  • Admin
  • 39,951 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:39 AM

Posted 10 September 2013 - 08:19 AM

Good information. The social engineering aspect is why I am seeing lower than feared penetration.

What are your thoughts on whether or not this is a "game changer" and that something will have to be changed at a system level to stop this sort of thing?

Any ideas on a systemic way to prevent this?


Education is really the only way to prevent this unfortunately. Without education people will continue to open email attachments they shouldn't, use weak passwords, and provide little or no network security.

These types of encrypting malware are the new breed of moneymakers for malware developers, especially as they be created by individuals, or small groups, rather than larger organizations. In the past it was rogue anti-spyware programs, but then the credit card/merchant companies caught on and that method was pretty much eliminated. Ransomware, such as this Cryptolock, ACCDFISA, and DirtyDecrypt, are the future as the ransom payments are typically anonymous, are essentially cash, and very difficult to trace. These payment methods are typically MoneyPak, Ukash, and now BitCoins.

As always, I suggest noone pay them if they can avoid it as it just encourages them to continue. On the other hand, I know that not everyone has a backup of their data for whatever reason and that it is necessary to get this data back by any means.

#72 Grinler

Grinler

    Bleep Bleep!


  • Admin
  • 39,951 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:39 AM

Posted 10 September 2013 - 08:27 AM

If you are using a newer version of Windows and have system restore enabled, has anyone tried restoring their previous versions from the files properties tab?

#73 jonathan020

jonathan020

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:02:39 AM

Posted 10 September 2013 - 11:12 AM

I was able restore the files fine from VSS (Previous Versions)..



#74 leerendell

leerendell

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:39 AM

Posted 10 September 2013 - 11:32 AM

Hi,

 

We have been able to remove this by creating a Kaspersky Rescue Disk: http://support.kaspersky.com/viruses/rescuedisk#downloads

 

Once booted into this you can use the File Manager and register editor to remove the start up entry for this, first browse the registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run locate the random file (this will also show you where on the system this is loading from. Remove this reg entry. You should also check: HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

 

Once the reg entry is deleted the use the File Manager function to browse to where this file is located and delete this file.

 

Shut down the rescue disk and boot as normal, this should then be able to boot without the CrytoLocker screen appears, you should then run a scan with your current AV software or download Malwarebytes:  http://www.malwarebytes.org/ and run a scan with this. It maybe best to run this scan with the computer in safe mode.



#75 PeteSLMorgan

PeteSLMorgan

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:39 AM

Posted 10 September 2013 - 11:35 AM

Unfortunately, unable to do a restore with Windows XP.  Was able to use shadow copy to recover server shared folders successfully.






7 user(s) are reading this topic

0 members, 7 guests, 0 anonymous users