Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

CryptoLocker and Svchost.exe


  • Please log in to reply
3 replies to this topic

#1 Scottsad

Scottsad

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:42 PM

Posted 21 April 2014 - 01:40 PM

Hello All,

Recently joined after finding the community useful for quite a while. I have a question with regard to CryptoLocker, and was hoping the vast amount of experience out there might prove helpful.We are a McAfee shop, with their VSE product as our primary AV. Some time back, we got hit with CryptLocker, but were able to recover due to timely backups. At the time of the infection, I put in place several rules in the McAfee policy to block the creation of executables in the various locations CryptoLocker is known to use.

 

Also, to alert me when this ruleset gets fired, I created an automated response to send out an email. Unfortunately, the rules fire far more than I expected. In the past couple weeks, I have about 700 instances of the rule being triggered, and we have about 1400 computers in the environment. In looking through the alerts, it looks as if a majority of them are false positives for svchost.exe. After reading through the details for CryptoLocker, it seems that the malware uses a randomly generated name in most cases. In trying to balance this ruleset out a bit, I was thinking of removing svchost.exe from triggering. I am aware of the role this file/process plays in malware, but I want to strike a balance in these rules. When 99% or so of triggers are false positives, the rules don't do much good because there is too much chatter.

 

So, I was looking for anyone to add their experience with CryptoLocker. Does it utilize svchost.exe in any noticeable way during creation? Any thoughts or opinions on this? Any information provided will be greatly appreciated.



BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,119 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:42 PM

Posted 21 April 2014 - 07:30 PM


A repository of all current knowledge regarding Cryptolocker is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptoLocker Ransomware Information Guide and FAQ

Reading that Guide will help you understand what CryptoLocker Ransomware does and provide information for how to deal with it and possibly recover your files.

There is also a lengthy ongoing discussion in this topic: Cryptolocker Hijack Program. Since this infection is so widespread, rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion.

Thanks
The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Scottsad

Scottsad
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:42 PM

Posted 22 April 2014 - 09:39 AM

Thanks for the reply. I will post there. I just didn't want my question to get lost in the back end of a thread or something like that.



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,119 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:42 PM

Posted 22 April 2014 - 01:28 PM

You're welcome and good luck.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users