|
I'm not going to say this is a 100% cure or anything, but OpenDNS is blocking cryptlocker very well in testing. I have 8 samples of different versions of the virus, including a new one from this week, and in all cases every entry in it's server lookup is blocked from communicating with it's C&C by OpenDNS. As a result, the exe sits idle in memory and doesn't encrypt. It's slightly useless advice in that an up-to-date AV is a near 100% prevention strategy as well, and you assume if someone can change the DNS, they'd have one, but there you are. If you have a small cluster of computers sharing a server, it'd be worth having that server serve DNS requests for them all, and have that fed by OpenDNS. Plenty of hardware firewalls, routers, Watchguard, etc, can be configured in a similar way. e: every known-bad site that's feeding cryptlocker via java exploits seems to be in their database too.
|
#
?
Nov 6, 2013 00:06
|
|
|
|
| # ? Jun 7, 2024 11:14 |
|
|
Ars Technica article for today: Install fix to stop in-the-wild Windows and Office exploit, Microsoft warns Just download and install EMET already: https://www.microsoft.com/en-us/download/details.aspx?id=39273
|
|
#
?
Nov 6, 2013 01:42
|
|
|
Just to double check, is NOD32 still considered a very good scanner? I noticed it's on sale today on Newegg, $15 for a year. Or would I be better going for Avast or something else these days?
|
|
#
?
Nov 6, 2013 16:02
|
|
|
The only AV that's anything better than a percentage point here and there than Avast would be Kaspersky; it's the only one which consistently beats it on the trio of detection/system impact/false positives. The rest are close enough that you'd very rarely get any extra performance for your money. Trend micro is usually #1 on all "real world" detection scenarios. ESET usually beats Avast! on raw detection rates. If that's all you're looking for then you'll have to decide if the money is worth it to you.
|
|
#
?
Nov 6, 2013 18:26
|
|
|
We got hit by Cryptlocker in mid October and we just had another few users somehow get it this week even after company wide warning and tightening of polices. gently caress me, it's a brilliant bit of ransomware. Thank the Lord for good versioning cold backups that we keep tested, servers are fine. The odd laptop that never touches the corporate network and the users get it via private email..... well they learnt a nasty lesson. Cant help but admire how well it's been done.
|
|
#
?
Nov 7, 2013 13:37
|
|
|
Cat Terrist posted:We got hit by Cryptlocker in mid October and we just had another few users somehow get it this week even after company wide warning and tightening of polices. gently caress me, it's a brilliant bit of ransomware. Thank the Lord for good versioning cold backups that we keep tested, servers are fine. The odd laptop that never touches the corporate network and the users get it via private email..... well they learnt a nasty lesson. The new variant I played with this week finds and destroys previous versions, too. Does your company not have any resident AV protection, or how are executables that are detected with something like a 99.9% success rate running?
|
|
#
?
Nov 7, 2013 21:31
|
|
|
Khablam posted:The new variant I played with this week finds and destroys previous versions, too. The places that didnt get hit do. But then you have BYOD and sub companies that insist on not allowing main IT touching their desktops cause (insert dumb reason here) until things go bang..... Not a lot of sympathy from us as a result.
|
|
#
?
Nov 8, 2013 05:16
|
|
|
Cat Terrist posted:We got hit by Cryptlocker in mid October and we just had another few users somehow get it this week even after company wide warning and tightening of polices. gently caress me, it's a brilliant bit of ransomware. Thank the Lord for good versioning cold backups that we keep tested, servers are fine. The odd laptop that never touches the corporate network and the users get it via private email..... well they learnt a nasty lesson. Heard a third hand story about an older chap in a small law office who brought Cryptolocker into his office, nuked his machine, a mapped network drive and then a non-write-protected backup external HDD when he connected it in an attempt to restore the network drive files. 
|
|
#
?
Nov 8, 2013 06:56
|
|
|
Apparently GCHQ is using MITM attacks at GRX mobile exchanges and internet exchanges. Here, they used MITM attacks on LinkedIn and Slashdot to drop malware onto the computers of engineers for the GRX router system. From there, they can perform other attacks, like monitoring users or using a MITM to drop malware onto smartphones. This apparently includes the capability of remote microphone activation. And their end goal is to be able to deploy malware ("implants") when they only know the MSISDN. http://www.spiegel.de/international/world/ghcq-targets-engineers-with-fake-linkedin-pages-a-932821.html Pretty impressive stuff, people swore up and down that most of that stuff was impossible earlier this year. Paul MaudDib fucked around with this message at 22:20 on Nov 12, 2013 |
|
#
?
Nov 12, 2013 17:19
|
|
|
My boss is finally going to take cryptolocker as a threat. I don't think she believed it was real. We just got an email from another company talking about it and unplugging machines from the wall that you think are infected they sent it to a mailing list with all the department managers and now people are in a panic about one thing being wrong and yanking the cord. We just need to block app data exe files right? I want to lock this down. We're having an IT meeting tomorrow about preventing it.
|
|
#
?
Nov 12, 2013 17:27
|
|
|
pixaal posted:We just need to block app data exe files right? I want to lock this down. We're having an IT meeting tomorrow about preventing it. Bleeping computer has a growing list of gpo examples.
|
|
#
?
Nov 12, 2013 17:47
|
|
|
Paul MaudDib posted:Apparently GCHQ is using MITM attacks at GRX mobile exchanges and internet exchanges. This is some Batman-esque poo poo. Would using encrypted voice-communications apps help, or are they literally picking up everything your microphone records (ie: before the app itself can even get a chance to encrypt it)?
|
|
#
?
Nov 12, 2013 17:48
|
|
|
Paul MaudDib posted:Apparently GCHQ is using MITM attacks at GRX mobile exchanges and internet exchanges. It's impressive if its accurate. The article is full of 'the presentation says', ' Apparently, the agencies use high-speed servers'.At no point do they explain how GCHQ managed to spoof the SSL cert for linkedin which uses https by default. All of the claims are really vague and rely on 'we've seen it in "secret documents"'; The linked article on the Guardian website about the "quantum" injection technology by Bruce Sneider is quite interesting. http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity e: quote:Would using encrypted voice-communications apps help, or are they literally picking up everything your microphone records (ie: before the app itself can even get a chance to encrypt it)? The microphone enabling stuff is when they install malicious firmware on your phone that allows them to turn on the microphone and listen in anytime you have the phone switched on and in range of a phone tower whether you are calling or not. jre fucked around with this message at 16:00 on Nov 13, 2013 |
|
#
?
Nov 13, 2013 15:58
|
|
|
I actually have the opposite to say. Altering a site like this via SSL spoofing is actually, sadly, really quite trivial, or only marginally complex. Often times employers or universities do it as a matter of course. Without saying anything that would be dodgy in any way, one simply: - Sets up a system on the same LAN - Uses ARP ~~trickery~~ to have another machine identify it as the gateway (this is if you're hacking, if the gateway itself is set up to do this, you can skip this step) - Intercepts SSL certificates and issues a fake one in it's place (not trivial, but frequently implementations are not robust against it) - Changes a few elements of the page in-transit to serve the malware. A simpler method where possible is to: - Do a - Do b - Route secure parts of the site unchanged - Take unsecure elements of the page (ads, images, etc) change them in-transit to serve the malware. This is why browsers will warn you some parts of the site might not be secure if every element isn't transmitted over SSL. Spoofed SSL certs look completely valid to a browser (since they literally have no alternative but to simply trust the issuer is legit) so the user isn't warned in any fashion. If they actually checked who is signing the certificate, they would spot the forgery - but who exactly checks this when they're checking their social media pages? Linked-in doesn't use Extended Verification (EV) - that thing banks use which makes your address bar go green, so users won't even spot the absence of those. For what it's worth there's no known way to spoof EV. Whether this could be done in collusion with a government isn't something I will speak to, except to say it wouldn't be needed; people don't tend to spot the lack of it, or you could simply use one of the 99.9% of all websites that don't anyway. What made this attack "hard" was the fact it was done illegally and unknowingly to a whole telecomms company, rather than on a local network. There's a lot to say about that, which isn't good. After that's all out of the way, the malware as described isn't doing anything common rootkits aren't, it's just very well engineered from the ground up to perform a specific task.
|
|
#
?
Nov 14, 2013 00:12
|
|
|
Khablam posted:Spoofed SSL certs look completely valid to a browser (since they literally have no alternative but to simply trust the issuer is legit) so the user isn't warned in any fashion. If they actually checked who is signing the certificate, they would spot the forgery - but who exactly checks this when they're checking their social media pages? You missed the bit where the 'fake' certificate has to be issued by a trusted certificate authority otherwise it will raise an error. It's trivial to do if its a corp network because you already have your CA cert in all the browsers on work pcs and can do whatever you want. There's not many ways they could do it other than 1. compromise the computers by spear phishing or actually breaking in to the building with the target computer. 2. Order a CA company to issue them with a cert for linkedin. Both of these seem far fetched even for the security services and I would like to actually see proof of any element of this before I go all 
|
|
#
?
Nov 14, 2013 12:36
|
|
|
Ur Getting Fatter posted:Would using encrypted voice-communications apps help, or are they literally picking up everything your microphone records (ie: before the app itself can even get a chance to encrypt it)? It totally depends on the particular attack vector. Sure, they can pick up anything you send in an unencrypted over-the-air conversation, they don't even need to compromise your phone to do that. If they get a process running in the background, or push a phony update for something that runs in the background, they could turn on your microphone and hear everything around you before it hits encryption. Or they could force an update that breaks the encryption or reduces the entropy or something like that. On the other hand they don't even necessarily need to be doing this from user-facing OS. Like the firmware viruses we were discussing above, there is firmware in the other chips in your phone, like the radio stack/baseband chip (which runs a full-on RTOS). These are standardized (who wants to write their own radio stack?) and like most code it's done on the cheap. There's no security in there, it's just assumed that anyone who can run their own tower is legitimate and wouldn't try to attack you (an absolutely preposterous idea in a world of open source base software). quote:The insecurity of baseband software is not by error; it's by design. The standards that govern how these baseband processors and radios work were designed in the '80s, ending up with a complicated codebase written in the '90s - complete with a '90s attitude towards security. For instance, there is barely any exploit mitigation, so exploits are free to run amok. What makes it even worse, is that every baseband processor inherently trusts whatever data it receives from a base station (e.g. in a cell tower). Nothing is checked, everything is automatically trusted. Lastly, the baseband processor is usually the master processor, whereas the application processor (which runs the mobile operating system) is the slave. There's actually at least one more OS running inside the SIM card by the way. (see pp10-13 for a summary) Paul MaudDib fucked around with this message at 22:52 on Nov 14, 2013 |
|
#
?
Nov 14, 2013 22:47
|
|
|
jre posted:You missed the bit where the 'fake' certificate has to be issued by a trusted certificate authority otherwise it will raise an error. It's trivial to do if its a corp network because you already have your CA cert in all the browsers on work pcs and can do whatever you want. SSL/TLS is pretty thoroughly broken at this point. SSL 2 and 3 are toast, many sites allow use of the weaker modes/ciphers that are outright broken or creaking dangerously and many sites aren't using sufficiently long certificates for the ones that aren't. Other slides show that the NSA considers "decrypting all VPN starts from Country X so I can identify users" to be a reasonable request within the capabilities of their systems. So it's either broken or the NSA's Key Provisioning Service has enough keys that they can decrypt the majority of traffic. It's certainly possible that they could order the CA to issue them a certificate, or even hand over the signing certificate. Or they could have straight up stolen the CA or Slashdot's certificates, they have a hacking team called the Key Recovery Service that specializes in that. Paul MaudDib fucked around with this message at 23:34 on Nov 14, 2013 |
|
#
?
Nov 14, 2013 22:58
|
|
|
jre posted:You missed the bit where the 'fake' certificate has to be issued by a trusted certificate authority otherwise it will raise an error. It's trivial to do if its a corp network because you already have your CA cert in all the browsers on work pcs and can do whatever you want. New and properly implemented SSL is unspoofable without these issues, yes, but what someone doing a MITM attack does is make the browser think it's having issues and rolls back to using an older version, many of which can be broken, either on a decryption of traffic level, or a passable spoof. Internet explorer itself has an issue where it can be told which sites to sign as though they were signed-EV certs, which leaves a door open to attack. e: many people are used to signing exceptions for / ignoring SSL issues because they a: don't know what it means b: are used to needing to do this to get into lovely corporate exchange webmail As a result most people will click accept and then look at the page once it's loaded. If it looks right, they ignore anything happened. Khablam fucked around with this message at 20:56 on Nov 15, 2013 |
|
#
?
Nov 15, 2013 20:53
|
|
|
Khablam posted:New and properly implemented SSL is unspoofable without these issues, yes, but what someone doing a MITM attack does is make the browser think it's having issues and rolls back to using an older version, many of which can be broken, either on a decryption of traffic level, or a passable spoof. Do you have a link to any articles on the spoofing a cert bit ? The only vulns I'm aware of are stuff like Crime and beast where you could potentially decipher parts of encrypted content if you have an improbable amount of control over the traffic being sent. Well that and the md5 collision thing from 2008 but there's not been a browser with that enabled for years.
|
|
#
?
Nov 16, 2013 02:17
|
|
|
jre posted:Do you have a link to any articles on the spoofing a cert bit ? The only vulns I'm aware of are stuff like Crime and beast where you could potentially decipher parts of encrypted content if you have an improbable amount of control over the traffic being sent. Well that and the md5 collision thing from 2008 but there's not been a browser with that enabled for years. Now this won't give you a CA certificate, but that's rarely an issue as people click through it, or social engineering can make them do so. Large companies are apt to own digital certificates anyway, and I don't think any browser complains when the CA cert is trusted, but non-matching. If you absolutely need a CA (spoofed) cert for your attack, there's been many instances of digital certificate frauds occurring, so though it wouldn't be common for a rogue CA cert to be used, it would be a long way from impossible - and certainly not even difficult if you have the resources. e: I should also mention, several pieces of malware previously have been designed to change your locally-installed certificates so that forged webpages will look wholly legitimate to the compromised machine. An example: http://nakedsecurity.sophos.com/2010/06/23/trojbhoqp-verisign/ As a two-factor attack, you could edit the non-secure page in transit to install the malware, such that on the 2nd visit the compromised browser will then allow transparent access to an intercepted secure page. e2: You can't capture SSL/TLS stream data and then find some way of decrypting that, if you want to capture SSL packets and read them in plain-text you need to setup a MITM attack and act as the certificate provider; it's the only way to know the decryption key. e3: Like with the just-click-through issue of non-CA certs, another attack vector is to simply not bother re-encrypting the data. You do the basic MITM attack, but the version of the site served to the user isn't using SSL. Most times people just won't notice, and there's no alert for it. A couple of years back someone did this over a Tor exit node, and he collected countless logins from people not noticing the non-SSL page. One assumes as a sample of users, 'people who use Tor' would be more likely than your average user to know to check. Khablam fucked around with this message at 03:07 on Nov 16, 2013 |
|
#
?
Nov 16, 2013 02:50
|
|
|
Khablam posted:e3: Like with the just-click-through issue of non-CA certs, another attack vector is to simply not bother re-encrypting the data. You do the basic MITM attack, but the version of the site served to the user isn't using SSL. Most times people just won't notice, and there's no alert for it. A couple of years back someone did this over a Tor exit node, and he collected countless logins from people not noticing the non-SSL page. One assumes as a sample of users, 'people who use Tor' would be more likely than your average user to know to check. Yeah, this attack has been at "script kiddie" level difficulty for quite a while now. http://www.thoughtcrime.org/software/sslstrip/
|
|
#
?
Nov 16, 2013 03:50
|
|
|
E: Wrong window and section! I'm doing well!
H1KE fucked around with this message at 02:55 on Nov 19, 2013 |
|
#
?
Nov 18, 2013 04:19
|
|
|
H1KE posted:A machine came in today, filled to the brim. Nothing unusual. Qvo6, Yontoo, ZeroAccess, GoonSquad, Winweb-wait what? you'll edit this post if you know what's good for you
|
|
#
?
Nov 18, 2013 10:56
|
|
|
mindphlux posted:you'll edit this post if you know what's good for you Was reading multiple windows while sleep depraved and head cold influenced. My bad. 
|
|
#
?
Nov 19, 2013 02:59
|
|
|
H1KE posted:Was reading multiple windows while sleep depraved and head cold influenced. My bad. He was just joking, it was a good post 
|
|
#
?
Nov 19, 2013 03:12
|
|
|
No harm, no foul. I get the joke now.  I'm still coming down off whatever this poo poo is, so my perception is still all screwed up. And it really was the wrong window and section! Speaking of which though, thanks to the OP I managed to repair a 'no format' business laptop that had this bullshit today. SAS picked it up and removed it while the drive was on the cradle. Now to contact the client and have a chat about what their employees have been up to...
|
|
#
?
Nov 19, 2013 03:54
|
|
|
Goddamn Moneypak got on my computer this morning. All I've been doing is job hunting, surfing forums, and going to my university's website. Guess I better put MBAM on a USB stick and give it a go.
|
|
#
?
Nov 27, 2013 16:37
|
|
|
Carl Seitan posted:Goddamn Moneypak got on my computer this morning. All I've been doing is job hunting, surfing forums, and going to my university's website. Wasn't there a case where one of the ads on SA was serving some dumb drive-by malware?
|
|
#
?
Nov 27, 2013 17:04
|
|
|
Actually, some time after the Windows 8 launch happened, Google Brazil's homepage was hacked, and suddenly any site with Google adsense(Including SA) started redirecting me to a site that malwarebytes blocked. I had to do a PC refresh to fix it. I never get malware on my PC so it kinda came as a shock. E: for the record, I am not in Brazil
|
|
#
?
Nov 27, 2013 17:58
|
|
|
Carl Seitan posted:Goddamn Moneypak got on my computer this morning. All I've been doing is job hunting, surfing forums, and going to my university's website. Update your java. Or, remove it if you don't need it.
|
|
#
?
Nov 28, 2013 17:06
|
|
|
Holy poo poo Cryptolocker is like a tropical frog. Beautiful to look at but deadly to get near. As poo poo of a thing as it is, I'm in awe of it at the same time. Had a business desktop come in and at first, from what they described, I thought it was UKash bullshit, since we've been getting that come in at least twice a month nearly all year. Turns out this clients machine has the latest CL variant but there seems to be a pretty easy way around it with Win 7. I cradled the disk, cleaned it with anti-mal and AV progs first, and then replugged it into the machine and used 'Restore previous versions' on "c:\users\username" folder.  I opened a copy from four days ago and the files all open fine, so copying over and overwriting everything in there, but for a while there I was sweating artillery while racking my brain on how I was going to get these files back. I'm not sure they have backups, and this is their main machine, so it could have literally destroyed their business in one hit.Going to hard sell them on a 2 x 2TB externals and Acronis, and teach them about offsite backups.
|
|
#
?
Dec 12, 2013 04:40
|
|
|
They're lucky as gently caress, as that isn't the latest version. The latest version locates the 'previous versions' backups, and encrypts them as well. They'd have had no recourse at all.
|
|
#
?
Dec 12, 2013 16:32
|
|
|
There is some news brewing that a Java ad on Yahoo sites may have infected a few hundred thousand computers.
|
|
#
?
Jan 6, 2014 05:33
|
|
|
Three-Phase posted:There is some news brewing that a Java ad on Yahoo sites may have infected a few hundred thousand computers. And this is why you always turn Java off when you're not using it.
|
|
#
?
Jan 6, 2014 06:29
|
|
|
Alkanos posted:And this is why you always turn Java off when you're not using it. Or use a browser/extension/add-on that only lets it run after asking you. e: Christ, does IE still just loving run Java no questions asked? (I guess it does.)
|
|
#
?
Jan 6, 2014 09:18
|
|
|
Alkanos posted:And this is why you always turn Java off when you're not using it. Yahoo games are Java IIRC
|
|
#
?
Jan 6, 2014 18:48
|
|
|
I just wish every piece of networking equipment in existence didn't require Java to use the interface. Hell, flash would be preferable at this point. It doesn't help that Sun is pushing out updates to java like crazy to try to fix the reputation and end up putting breaking changes in as a result. I've had to disable all updating of java on my machine because the last time I did it completely broke everything I use Java for and took me half a day to straighten out finally.
|
|
#
?
Jan 6, 2014 19:12
|
|
|
bull3964 posted:I just wish every piece of networking equipment in existence didn't require Java to use the interface. Hell, flash would be preferable at this point. You should be sandboxing Java then.
|
|
#
?
Jan 6, 2014 19:17
|
|
|
OSI bean dip posted:You should be sandboxing Java then. I'm not worried about Java from a security perspective at this point since I only allow the Java plugin in browsers that I don't use on the general web. It's just a pain in the rear end because applets only work with specific versions of java and the constant whack a mole approach that Sun is taking right now isn't helping anything. They've completely abandoned Java 6 and make it difficult to find and download, but I still need Java 6 to interface with some equipment. Other things only work under Java 7, but only up to a certain patch level. I would kill for a native app that loaded up different versions of java depending on what was necessary and paired them to a bookmarked list of devices all packaged up in a nice sandboxed executable.
|
|
#
?
Jan 6, 2014 19:32
|
|
|
|
| # ? Jun 7, 2024 11:14 |
|
|
Someone posted instructions (earlier this thread, I think) on how to make multiple installs of Java and set up the shortcut for legacy app so that it calls on only that version. I had a screen shot but it is gone now :/ Edit - found it: http://forums.somethingawful.com/showthread.php?threadid=3031934&pagenumber=80&perpage=40#post415690600 Does this help you? Ceros_X fucked around with this message at 22:44 on Jan 6, 2014 |
|
#
?
Jan 6, 2014 22:33
|
|
