Author Topic: CryptoLocker latest  (Read 20591 times)


Telegraph_Sam

  • Guest
CryptoLocker latest
« on: November 29, 2013, 02:11:22 AM »
Am I right in believing that Avast has yet to come up with a built-in shield to prevent this ransomware from installing itself?  There is a little dedicated CryptoPrevent tool in www.snicpa.com/10690 which I have downloaded and installed but there appear to be some problems in getting it to work (in my case).

thekochs

  • Guest
Re: CryptoLocker latest
« Reply #1 on: November 29, 2013, 05:14:15 AM »
Kaspersky says they protect against this: http://blog.kaspersky.com/cryptolocker-is-bad-news/
http://forum.kaspersky.com/index.php?s=03714328a1131498c4c68be54e9d76c6&showtopic=273487
Not sure it is true.

Of ALL the Malware out there this is the one that scares me the most. :(

Good article from MalwareBytes: http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/
« Last Edit: November 29, 2013, 05:21:01 AM by thekochs »

Telegraph_Sam

  • Guest
Re: CryptoLocker latest
« Reply #2 on: November 29, 2013, 01:47:41 PM »
I read through the MWB article blog.  Not easy for the layman to follow some of the arguments, counter-arguments and comments (proper grammar would be a help!!).  Having read through the lot what do you consider on balance to be the most convincing lines of action to pursue?  I am intending to uninstall my dodgy CryptoPrevent app and download the equivalent zip file from majorgeeks as recommended to me in another forum. 
If Avast could come up with a proven effective shield - why can't they emulate CryptoPrevent as part of the next version??? - it would be a major advance and comfort.

Offline kls490

  • Sr. Member
  • ****
  • Posts: 209
  • Queen of the house
Re: CryptoLocker latest
« Reply #3 on: November 29, 2013, 02:20:58 PM »
Hello Telegraph_Sam,

     Another on-going article of interest about the Cryptolocker malware can be seen at the Bleeping Computer website via the link below:

http://www.bleepingcomputer.com/forums/t/512668/cryptolocker-developers-charge-10-bitcoins-to-use-new-decryption-service/#entry3196844

Best regards.
kls490

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: CryptoLocker latest
« Reply #4 on: November 29, 2013, 02:52:52 PM »
Deepscreen and hardened mode appear to catch a test version which was run when I installed the Foolishit tool

However, with the way the malware mutates on a daily basis I still installed it

CryptoPrevent install this programme to lock down and prevent crypto ransomware



Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: CryptoLocker latest
« Reply #5 on: November 29, 2013, 03:18:19 PM »
In theory, using Hardened Mode (Aggressive) should prevent all the ransomware malwares...
Visit my webpage Angry Sheep Blog

thekochs

  • Guest
Re: CryptoLocker latest
« Reply #6 on: November 29, 2013, 04:25:23 PM »
CryptoPrevent install this programme to lock down and prevent crypto ransomware



Essexboy, you've helped me (and so many others) in the past, so I first want to say thanks for all your efforts....to say "above and beyond" is an understatement.  I'd like your opinion on CryptoPrevent.
I assume it is for real since you are recommending but what does it do ?
Can you explain the install, use, maintenance ?...you mention mutation of CryptoLock type malware, does a static solution work ?
I am paranoid this can cause issues ?.....example, if it is "locking things down" does that mean other things may have issue ?...example other recovery efforts by MS O/S tools ?
How about A/V tools, will they see this CryptoPrevent as a virus and will removal muck up the very files I'm protecting ?

My plan now is to do daily backups (already do) of "copying" MyDoc files to SD Card that I now "pull" from laptop (used to leave in) and also "pull" the USB HDD after its morning receipt of image (Macrium Reflect) of my PC.  My biggest concern is that this CryptoPrevent is locking down the very files I'm trying to prevent being "locked" by CryptoLock and if something else goes wrong I'm locked from these files not only on my PC but in my backups.

Also, I'm super paranoid on downloads and installs of these "utils"......so many places put other crud in the installer.....some not seen.
Thus, can you provide a link of a clean installation version of CryptoPrevent ?....I run W7 64-bit.
« Last Edit: November 29, 2013, 04:27:12 PM by thekochs »

Offline ky331

  • Sr. Member
  • ****
  • Posts: 303
Re: CryptoLocker latest
« Reply #7 on: November 29, 2013, 04:43:22 PM »
Telegraph-Sam wrote:  "there appear to be some problems in getting it to work (in my case)... I am intending to uninstall my dodgy CryptoPrevent app and download the equivalent zip file... "

If CryptoPrevent is having an issue on your system, and if the alternative zip file is truly an equivalent, I would expect it to produce the same results.

After checking into it, I have deployed CryptoPrevent on numerous systems (mostly Win7, one XP) and have not encountered any problems.   The only rare issue people are expected to face would be if they have a legitimate program running from one of the restricted directory locations.  And if that's the problem, you should be able to handle it via CryptoPrevent's whitelisting mechanism.

On my main/personal PC, I am also running MBAM PRO, which separately offers real-time protection against CryptoLocker.

"If Avast could come up with a proven effective shield - why can't they emulate CryptoPrevent as part of the next version??? - it would be a major advance and comfort."
No program is going to catch everything... we need to rely on layers of protection.   As for avast "emulating" CryptoPrevent, I see two issues:
1) The critical research in battling CryptoLocker was done by Lawrence Abrams of Bleeping Computer.   There may be an issue of intellectual property rights if avast were simply to include it.  CryptoPrevent was written with permission from --- and acknowledgement to --- Mr. Abrams.
2) If, as you report, CryptoPrevent is "buggy" on your system... and if avast were to emulate the same mechanism... you might find yourself in the position of having to disable avast itself --- rather than just the separate CryptoPrevent --- in order to make your system work again.   Surely, you wouldn't want that.
« Last Edit: November 29, 2013, 05:31:36 PM by ky331 »
Lenovo T530 laptop, Intel Core i5-3320M @ 2.60 GHz, 8GB RAM, Windows 7 Pro SP1 (64-bit), avast! 17 Free, MBAM3 Pro, Windows Firewall, MVPS HOSTS file, OpenDNS Family Shield, Zemana AntiLogger Free, SpywareBlaster, IE11 & Firefox [both using WOT (IE set to WARN, FF set to BLOCK)], WinPatrol PLUS, uBlock Origin, MBAE, MCShield, CryptoPrevent, SAS (on-demand scanner). 
[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

Offline ky331

  • Sr. Member
  • ****
  • Posts: 303
Re: CryptoLocker latest
« Reply #8 on: November 29, 2013, 04:49:34 PM »
CryptoPrevent can be downloaded from http://www.foolishit.com/vb6-projects/cryptoprevent/
(download links are toward the bottom of the page).

Definitive Guide to CryptoLocker (by Lawrence Abrams [aka "Grinler" ]): http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information




Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: CryptoLocker latest
« Reply #9 on: November 29, 2013, 04:52:43 PM »
There is nothing bundled with the programme, you can get it either direct from Foolishit or MajorGeeks
What it does is put in a group policy to disable files running from appdata or any double extensions 

In most instances I have come across it is an e-mail attachment with a PDF.EXE double extension so the usual rules of scanning any attachment before you even think of opening it apply

But as usual there are several look-alike programmes so do not download from anywhere bar certified sites

I have installed it on my 8.1 system so it does work.  There was a recent update to the programme but a manual check every few weeks should suffice using the programme updater

A little explanation here http://krebsonsecurity.com/tag/cryptoprevent/ and here http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

FoolishIT appears to be down at the moment, not sure why

thekochs

  • Guest
Re: CryptoLocker latest
« Reply #10 on: November 29, 2013, 05:18:54 PM »
Great link.....thx: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#shadow

If you use Software Restriction Policies, or CryptoPrevent, to block CryptoLocker you may find that some legitimate applications no longer run. This is because some companies mistakenly install their applications under a user's profile rather than in the Program Files folder where they belong. Due to this, the Software Restriction Policies will prevent those applications from running.
Thankfully, when Microsoft designed Software Restriction Policies they made it so a Path Rule that specifies a program is allowed to run overrides any path rules that may block it. Therefore, if a Software Restriction Policy is blocking a legitimate program, you will need to use the manual steps given above to add a Path Rule that allows the program to run. To do this you will need to create a Path Rule for a particular program's executable and set the Security Level to Unrestricted instead of Disallowed as shown in the image below


So how many programs did you guys find that you had to add good programs to ?
What happens when you try to run something that is not permitted ?....on-screen error or do you have to go into Event Viewer ?
I'm an IT guy but this seems like there would be a lot of manual entries ?
Also, when you install a new program is there only a problem if not in Program Files ?
New Path Rule.... You should then add a Path Rule for each of the items listed below.
Can you expand on the how-to of the above........doesn't really lay it out on what you enter for a new program...perhaps couple examples.

Thx !

P.S Because of the severity of this to all Windows PCs it would seem Microsoft would be working on a security update to block this...any rumors or threads on this in the O/S forums ?
« Last Edit: November 29, 2013, 05:24:29 PM by thekochs »
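The mechanism described above (essexboy's "group policy to disable files running from appdata or any double extensions", and the Bleeping Computer passage about an Unrestricted path rule overriding a Disallowed one) can be reproduced without CryptoPrevent. What follows is an added PowerShell example, not code from this thread, from CryptoPrevent or from Bleeping Computer. It assumes Windows 7 or later and an elevated prompt, and writes Software Restriction Policy path rules straight into the registry store that the Local Security Policy snap-in (secpol.msc) uses: CodeIdentifiers\<level>\Paths\<GUID> with ItemData and SaferFlags values, where level 0 is Disallowed and 262144 (0x40000) is Unrestricted. The whitelisted ExampleVendor\ExampleApp.exe path is a made-up placeholder standing in for whatever legitimate program you find installed under the user profile.

```powershell
# Added example (not CryptoPrevent's code): Software Restriction Policy path rules
# that block executables launched from the user profile and PDF.EXE-style double
# extensions, plus one Unrestricted rule that whitelists a specific program.
# Run from an elevated PowerShell prompt on Windows 7 or later.

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels as stored in the registry (subkey names under CodeIdentifiers)
$Level = @{
    Disallowed   = 0
    Unrestricted = 262144   # 0x40000
}

function Initialize-SaferPolicy {
    # Create the policy root with a default of Unrestricted, so only the explicit
    # Disallowed path rules below block anything.
    if (-not (Test-Path $SaferRoot)) { New-Item -Path $SaferRoot -Force | Out-Null }
    Set-ItemProperty -Path $SaferRoot -Name DefaultLevel       -Value $Level.Unrestricted -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name TransparentEnabled -Value 1 -Type DWord  # 1 = all software files except DLLs
    Set-ItemProperty -Path $SaferRoot -Name PolicyScope        -Value 0 -Type DWord  # 0 = all users, including administrators
}

function Add-SaferPathRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [ValidateSet('Disallowed', 'Unrestricted')] [string] $SecurityLevel,
        [string] $Description = ''
    )
    # Each rule lives in its own GUID-named key under <level>\Paths
    $ruleKey = Join-Path $SaferRoot ('{0}\Paths\{1}' -f $Level[$SecurityLevel], [guid]::NewGuid().ToString('B'))
    New-Item -Path $ruleKey -Force | Out-Null
    # ItemData is the (expandable) path pattern; SaferFlags 0 is the normal value
    New-ItemProperty -Path $ruleKey -Name ItemData    -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags  -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description -Value $Description -PropertyType String       -Force | Out-Null
    return $ruleKey
}

Initialize-SaferPolicy

# Block rules: executables under the roaming/local profile, inside archive temp
# folders, and anything with a .pdf.exe double extension.
$blockPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%Temp%\Rar*\*.exe',
    '%Temp%\7z*\*.exe',
    '%Temp%\wz*\*.exe',
    '%Temp%\*.zip\*.exe',
    '*.pdf.exe'
)
foreach ($p in $blockPaths) {
    Add-SaferPathRule -Path $p -SecurityLevel Disallowed -Description 'Block profile / double-extension executables'
}

# Whitelist: a legitimate application that installs under the user profile
# (hypothetical placeholder path). A rule naming the exact executable is more
# specific than the wildcard block above, so SRP lets this program run.
Add-SaferPathRule -Path '%LocalAppData%\ExampleVendor\ExampleApp.exe' `
                  -SecurityLevel Unrestricted -Description 'Allow ExampleApp'

# Review the rules now in place (level 0 = Disallowed, 262144 = Unrestricted).
Get-ChildItem "$SaferRoot\*\Paths" | ForEach-Object {
    [pscustomobject]@{
        Level = if ($_.PSPath -match '\\(\d+)\\Paths') { $Matches[1] }
        Path  = (Get-ItemProperty $_.PSPath).ItemData
    }
}

# Blocked launches are recorded in the Application event log by the
# SoftwareRestrictionPolicies source (event ID 866 for a path-rule block),
# which answers the "on-screen error or Event Viewer?" question: the user sees a
# "blocked by group policy" dialog and the event is logged as well.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'; Id = 866 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue
```

New processes are evaluated against the rules once they are in the registry; a logoff or reboot is the safe way to be sure every running session picks them up. To whitelist another program later, call Add-SaferPathRule with its full executable path and -SecurityLevel Unrestricted; to undo everything, delete the CodeIdentifiers key (or set DefaultLevel back and remove the Paths subkeys).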

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: CryptoLocker latest
« Reply #11 on: November 29, 2013, 05:25:10 PM »
As it stands in the two weeks that I have had the programme on my system I have not had to do anything at all.  All my normal programmes, plus a few specialist ones run perfectly

Although with the foolishit programme an easier way is to undo cryptoprevent
Run the affected programme and then re-apply cryptoprevent and it will automatically add that programme

thekochs

  • Guest
Re: CryptoLocker latest
« Reply #12 on: November 29, 2013, 05:28:51 PM »
On my main/personal PC, I am also running MBAM PRO, which separately offers real-time protection against CryptoLocker.

Can you run "real time" MBAM PRO with real time Avast ?......I thought having two A/Vs was a big NO-NO ?
I know MBAM is MW & Avast A/V.....but those lines are real cloudy now-a-days.

thekochs

  • Guest
Re: CryptoLocker latest
« Reply #13 on: November 29, 2013, 05:30:18 PM »
As it stands in the two weeks that I have had the programme on my system I have not had to do anything at all.  All my normal programmes, plus a few specialist ones run perfectly

Although with the foolishit programme an easier way is to undo cryptoprevent
Run the affected programme and then re-apply cryptoprevent and it will automatically add that programme

Thx, now if their Server would come up I could get the installer....any chance to attach it as a ZIP to this thread ?

Offline ky331

  • Sr. Member
  • ****
  • Posts: 303
Re: CryptoLocker latest
« Reply #14 on: November 29, 2013, 05:45:16 PM »
MBAM is anti-MALWARE, and its authors have taken great pains to make it compatible with just about any anti-VIRUS program.   If you check our signatures here, you'll find many people happily running MBAM PRO along with avast.

I have run the PRO (realtime) version along with avast8 on both WinXP and Win7.   I did NOT have to set-up any exclusions in either program... they're running just fine together for me.

Having said that, MBAM does offer a detailed suggestion (setting up mutual exclusions in each program), SHOULD you find there's a conflict or slow-down:  https://forums.malwarebytes.org/index.php?showtopic=10138&page=1&#entry417798
« Last Edit: November 29, 2013, 05:58:07 PM by ky331 »