
CryptoLocker - can it spread from External


4 replies to this topic

#1 djmtek

djmtek

  • Members
  • 2 posts

Posted 13 July 2015 - 02:45 PM

Can the Cryptolocker virus or its more recent MM variation spread from an infected hdd that has been removed from the computer and attached to another computer?  


Edited by Chris Cosgrove, 13 July 2015 - 02:59 PM.
Moved from Win 7 to 'General Security'




#2 Firehouse

Firehouse

  • Members
  • 637 posts
  • Gender:Male

Posted 13 July 2015 - 02:55 PM

I don't think so, because a CryptoLocker sample usually destroys itself after accomplishing its mission. It's not like W32.Sality, which spreads to all drives connected to the infected computer and patches them.



#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,140 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 July 2015 - 03:44 PM

The original Cryptolocker infection does not exist anymore and hasn't for over a year. Any references to CryptoLocker and retrieving keys for it will not work anymore. There are several copycat and fake ransomware variants which use the CryptoLocker name but those infections are not the same.

Crypto malware and other forms of ransomware are typically spread and delivered through social engineering (trickery) and user interaction: opening malicious email attachments (usually from an unknown or unsolicited source), or clicking on a malicious link within an email or on a social networking site. Crypto malware can be disguised as fake PDF files in email attachments which appear to be legitimate correspondence from reputable companies such as banks and other financial institutions, or phony FedEx and UPS notices with tracking numbers. Attackers will use email addresses and subjects (purchase orders, bills, complaints, other business communications) that will entice a user to read the email and open the attachment. Another method involves tricking unwitting users into opening Order Confirmation emails by asking them to confirm an online e-commerce order, purchase or package shipment. Still another technique uses spam emails and social engineering to infect a system by enticing users to open an infected Word document with embedded macro viruses and convincing them to manually enable macros that allow the malicious code to run. Social engineering has become one of the most prolific tactics for distribution of malware, identity theft and fraud.

Crypto malware can also be delivered via exploit kits and drive-by downloads when visiting compromised web sites...see US-CERT Alert (TA14-295A): Crypto Ransomware. There have been reports that some victims have encountered crypto malware following a previous infection from botnets (such as Zbot (Zeus)) which downloads and executes the ransomware as a secondary payload from infected websites. US-CERT also advises crypto malware has the ability to find and encrypt files located within shared (or mapped) network drives, USB drives, external hard drives, network file shares and even some cloud storage drives...see US-CERT Alert (TA13-309A). This typically occurs when such devices are connected when the initial infection is encountered and executing.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 djmtek

djmtek
  • Topic Starter

  • Members
  • 2 posts

Posted 13 July 2015 - 05:44 PM

In this case it was a variation of the original Cryptolocker that was spread to the merchant as a resume (pdf). It did not change the file extensions as in the original, but did encrypt the files, including those on an attached USB drive. I could have tried to clean the drive either manually or with Mbam, Stinger, etc., but sometimes this doesn't always work and the virus reappears, plus I wanted to keep everything intact. So I removed the drive from the client's computer and did a reinstall on a new hdd.

 

I now want to attach the old infected drive, scan it for license keys (which I found out the customer doesn't have) and take a look at this virus more closely. I just wanted to make sure that nothing could resurrect itself in this new version, such as during a scan for license keys, a software inventory, etc. The fact that the Windows install on that drive is not running leads me to think there should be no problem, but crazier things have happened. So just checking!

 

BTW, for those interested, following is the email with header:

 

Delivered-To: mycustomer@goinet.ca
Received: by 10.194.134.104 with SMTP id pj8csp1380089wjb;
        Sun, 5 Jul 2015 20:23:52 -0700 (PDT)
X-Received: by 10.140.86.71 with SMTP id o65mr68116885qgd.98.1436153031886;
        Sun, 05 Jul 2015 20:23:51 -0700 (PDT)
Return-Path: <louraf1@carter-braxton.dreamhost.com>
Received: from iad1-shared-relay1.dreamhost.com (iad1-shared-relay1.dreamhost.com. [208.113.157.50])
        by mx.google.com with ESMTP id b109si19313023qgb.73.2015.07.05.20.23.51
        for <mycustomer@goinet.ca>;
        Sun, 05 Jul 2015 20:23:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of louraf1@carter-braxton.dreamhost.com designates 208.113.157.50 as permitted sender) client-ip=208.113.157.50;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of louraf1@carter-braxton.dreamhost.com designates 208.113.157.50 as permitted sender) smtp.mail=louraf1@carter-braxton.dreamhost.com
Received: from carter-braxton.dreamhost.com (carter-braxton.dreamhost.com [64.111.124.17])
by iad1-shared-relay1.dreamhost.com (Postfix) with ESMTP id EB14FB40081
for <mycustomer@goinet.ca>; Sun,  5 Jul 2015 20:23:50 -0700 (PDT)
Received: by carter-braxton.dreamhost.com (Postfix, from userid 13727157)
id AD0A626039C; Sun,  5 Jul 2015 20:20:25 -0700 (PDT)
To: mycustomer@goinet.ca
Subject: Herbert Booth
X-PHP-Originating-Script: 13727157:includes.php(1) : eval()'d code
From: Herbert Booth <HerbertBooth@mmm.com>
Reply-To: 
Mime-Version: 1.0
Content-Type:multipart/mixed;boundary="----------14361530095599F4B1BEF15"
Message-Id: <20150706032025.AD0A626039C@carter-braxton.dreamhost.com>
Date: Sun,  5 Jul 2015 20:20:25 -0700 (PDT)
 
------------14361530095599F4B1BEF15
Content-type: text; charset="utf-8"
Content-Transfer-Encoding: 8bit
 
Hi, my name is Herbert Booth 
Please find my resume from attach section. Kindly give me a reply
 
Sincerely, 
Herbert Booth
 
------------14361530095599F4B1BEF15
Content-Type: application/octet-stream;name=""
Content-Transfer-Encoding:base64
Content-Disposition: inline; filename="Herbert Booth.zip"
Content-Type: image/png; name="Herbert Booth.zip"
Content-ID: <Herbert Booth.zip>

A zip file containing what appeared to be a resume in pdf was attached.
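The headers the topic starter posted carry several tells a practitioner would check before opening anything: the displayed From address (mmm.com) does not belong to the domain SPF actually vouched for (the dreamhost.com Return-Path), the message was generated by PHP "eval()'d code" on a shared host, Reply-To is empty, and the attachment part declares two conflicting Content-Type headers, one of them image/png for a .zip. The script below is an added example, not code from the thread; it runs Python's standard `email` parser over a message constructed from the posted headers (hop headers trimmed, attachment body replaced by a dummy) and reports those findings. The `triage` function and the finding labels are my own.

```python
"""Triage of a phishing e-mail's headers (added example, not from the thread)."""
import email
from email.utils import parseaddr

# Boundary copied from the posted message; delimiter lines are "--" + BOUNDARY.
BOUNDARY = "----------14361530095599F4B1BEF15"

# Constructed from the headers quoted above. Hop headers are trimmed, the
# base64 attachment body is a dummy, and the two conflicting Content-Type
# lines on the attachment part are kept exactly as posted.
SAMPLE = f"""Return-Path: <louraf1@carter-braxton.dreamhost.com>
Received: from carter-braxton.dreamhost.com (carter-braxton.dreamhost.com [64.111.124.17])
 by iad1-shared-relay1.dreamhost.com (Postfix) with ESMTP id EB14FB40081
 for <mycustomer@goinet.ca>; Sun,  5 Jul 2015 20:23:50 -0700 (PDT)
Received-SPF: pass (google.com: domain of louraf1@carter-braxton.dreamhost.com designates 208.113.157.50 as permitted sender) client-ip=208.113.157.50;
To: mycustomer@goinet.ca
Subject: Herbert Booth
X-PHP-Originating-Script: 13727157:includes.php(1) : eval()'d code
From: Herbert Booth <HerbertBooth@mmm.com>
Reply-To:
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="{BOUNDARY}"
Date: Sun,  5 Jul 2015 20:20:25 -0700 (PDT)

--{BOUNDARY}
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Hi, my name is Herbert Booth
Please find my resume from attach section. Kindly give me a reply

--{BOUNDARY}
Content-Type: application/octet-stream;name=""
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="Herbert Booth.zip"
Content-Type: image/png; name="Herbert Booth.zip"
Content-ID: <Herbert Booth.zip>

UEsDBAoAAAAAAA==
--{BOUNDARY}--
"""

# Extensions a "resume" has no business carrying, and declared MIME types
# that contradict them when attached to the same part.
RISKY_EXTS = {'zip', 'rar', 'exe', 'scr', 'js', 'jar'}
BENIGN_PREFIXES = ('image/', 'text/')


def triage(raw):
    """Return a list of finding labels for the raw RFC 822 message text."""
    msg = email.message_from_string(raw)
    findings = []

    # 1. Displayed From vs. envelope sender. An SPF "pass" vouches only for
    #    the Return-Path domain, never for the address the reader sees.
    _, from_addr = parseaddr(msg.get('From', ''))
    _, ret_addr = parseaddr(msg.get('Return-Path', ''))
    from_dom = from_addr.rpartition('@')[2].lower()
    ret_dom = ret_addr.rpartition('@')[2].lower()
    if from_dom and ret_dom and from_dom != ret_dom:
        findings.append(f'from-domain-mismatch:{from_dom}!={ret_dom}')

    # 2. Generated by eval()'d PHP: typical of a compromised web host.
    if "eval()'d code" in msg.get('X-PHP-Originating-Script', ''):
        findings.append('php-eval-origin')

    # 3. Reply-To present but empty: the sender has no interest in a reply.
    reply_to = msg.get('Reply-To')
    if reply_to is not None and not reply_to.strip():
        findings.append('empty-reply-to')

    # 4. Attachments: duplicate Content-Type headers, and a declared type
    #    that contradicts the filename extension.
    for part in msg.walk():
        if part.get_content_maintype() == 'multipart':
            continue
        name = part.get_filename()
        if not name:
            continue
        declared = [h.split(';', 1)[0].strip().lower()
                    for h in part.get_all('Content-Type', [])]
        if len(declared) > 1:
            findings.append(f'duplicate-content-type:{name}')
        ext = name.rsplit('.', 1)[-1].lower() if '.' in name else ''
        for ctype in declared:
            if ext in RISKY_EXTS and ctype.startswith(BENIGN_PREFIXES):
                findings.append(f'type-mismatch:{name}:{ctype}')
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE):
        print(f)
```

The first check is the one most often misread: Gmail's "spf=pass" above is correct, but it is a pass for louraf1@carter-braxton.dreamhost.com, the account on the compromised shared host, not for the @mmm.com address shown to the recipient.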



#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,140 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 July 2015 - 05:57 PM

CryptoWall does not change extensions on any files it has encrypted and does not leave anything behind once it has finished encrypting...the only evidence will be the ransom notes and registry keys.

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp or .url file.

These are some examples.
HELP_DECRYPT.TXT, HELP_DECRYPT.HTML, HELP_DECRYPT.URL, HELP_DECRYPT.PNG
HELP_TO_DECRYPT_YOUR_FILES.bmp, HELP_TO_DECRYPT_YOUR_FILES.txt, HELP_RESTORE_FILES.txt
HELP_TO_SAVE_FILES.txt, HELP_TO_SAVE_FILES.bmp, RECOVERY_KEY.txt
DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.URL
About_Files

- CryptoWall 3.0 leaves files (ransom notes) named:
HELP_DECRYPT.TXT
HELP_DECRYPT.HTML
HELP_DECRYPT.URL
HELP_DECRYPT.PNG
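The check quietman7 describes above can be run against the old drive once it is attached to the clean machine, without touching anything on it beyond directory listings. The script below is an added example, not code from the thread: it walks a mounted volume and reports files whose names match the ransom-note names listed in the post (stem matched case-insensitively, so HELP_DECRYPT.TXT, .HTML, .URL and .PNG are all caught), and counts notes per directory, which also shows which folders the malware reached. Nothing on the scanned volume is opened or executed, which answers the "can it resurrect itself during a scan" concern for this particular step. The `demo` function builds a constructed drive layout in a temporary directory; the paths in it are invented for illustration.

```python
"""Offline ransom-note scan of a mounted victim drive (added example, not from the thread)."""
import os
import tempfile
from collections import Counter

# Note names from the post, matched on the stem (case-insensitive); the
# extensions are the ones the post says to look for.
NOTE_STEMS = {
    'help_decrypt', 'help_to_decrypt_your_files', 'help_restore_files',
    'help_to_save_files', 'recovery_key', 'decrypt_instruction', 'about_files',
}
NOTE_EXTS = {'.txt', '.html', '.url', '.png', '.bmp', ''}


def is_ransom_note(filename):
    """True if the bare filename matches one of the listed note names."""
    stem, ext = os.path.splitext(filename)
    return stem.lower() in NOTE_STEMS and ext.lower() in NOTE_EXTS


def find_ransom_notes(root):
    """Walk a mounted volume; return (note paths, Counter of notes per directory).

    Only directory listings are read. No file on the volume is opened or
    executed, so an inert Windows install on it cannot run during the scan.
    """
    hits = []
    per_dir = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):  # followlinks=False by default
        for name in filenames:
            if is_ransom_note(name):
                hits.append(os.path.join(dirpath, name))
                per_dir[dirpath] += 1
    return hits, per_dir


def demo():
    """Build a constructed victim-drive layout in a temp dir and scan it."""
    layout = {  # constructed sample tree; not a real victim
        'Users/alice/Documents': ['HELP_DECRYPT.TXT', 'HELP_DECRYPT.PNG', 'budget.xlsx'],
        'Users/alice/Pictures': ['photo.jpg'],
        'ProgramData': ['HELP_DECRYPT.HTML'],
        'Windows/System32': ['help_decrypt_readme.txt'],  # near miss, must not match
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, names in layout.items():
            d = os.path.join(root, *rel.split('/'))
            os.makedirs(d)
            for n in names:
                with open(os.path.join(d, n), 'w') as fh:
                    fh.write('constructed sample\n')
        hits, per_dir = find_ransom_notes(root)
        notes = sorted(os.path.relpath(p, root).replace(os.sep, '/') for p in hits)
        return {'notes': notes, 'dirs_with_notes': len(per_dir)}


if __name__ == '__main__':
    # Real use: find_ransom_notes('E:\\') or find_ransom_notes('/mnt/oldhdd')
    result = demo()
    for p in result['notes']:
        print(p)
    print(f"{len(result['notes'])} notes in {result['dirs_with_notes']} directories")
```

On a real drive, pass the mount point (for example a drive letter on Windows or the mount directory on Linux) instead of calling `demo`; the per-directory counts from `find_ransom_notes` tell you how far the encryption run got, which is the same evidence the post says to look for.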
