Workplace hit by cryptolocker virus

( |-| |2 ][ $;29401636 said:
Please could someone explain how whole LANs can become infected. How can code run on a machine without someone executing it?

Machine to shared directory
Shared directory to server
Server to whole network
 
When not manually executed, malware code is usually able to run via a flaw or misconfiguration in software. One common method is what is known as a buffer overrun, whereby code can be injected into memory being used for instruction execution via a flaw in the way data is handled in a program.

The most basic way of spreading is that the malware looks for network shares and then tries to inject itself into executable programs stored on those shares, which then spreads the infection when they are executed by someone else on another machine. These days though it can be more complex, with things like sniffing around for passwords, brute-force attacks against servers, using flaws in routing hardware, or installing remote desktop software to open a backdoor for someone to access remotely, etc.
 
( |-| |2 ][ $;29401636 said:
Please could someone explain how whole LANs can become infected. How can code run on a machine without someone executing it?
The code is usually deployed via an infected file. Extension doesn't really matter from what I've seen. .Zip, .Rar, .Exe, whatever.

The exploits typically hit the local machine's %appdata% path and start encrypting files on any mapped drives.

It can be delivered via any vector which runs unsigned code, e.g. adverts on a website.
 
So in a hypothetical situation of a PC plugged into an infected LAN and with a drive mapped to an infected machine, but without any programs actively using that share and without a user running anything from that share, could said PC get infected?
 
( |-| |2 ][ $;29401693 said:
So in a hypothetical situation of a PC plugged into an infected LAN and with a drive mapped to an infected machine, but without any programs actively using that share and without a user running anything from that share, could said PC get infected?
None as far as I'm aware.

The aim of the attack is to encrypt data on any directly mapped volumes and extract a ransom from the victim.
 
Yes. That is exactly how 4 of our desktops were infected (and had to be wiped). They were switched on at the time of the infection. No one was using them as it was late at night, but they got hit... big time.
 
I'm sceptical that viewing a PDF would be enough. If it were possible, surely it would rely on an exploit in the PDF reader?

Good reason to keep your PDF viewer up to date I suppose.
 
I'm sceptical that viewing a PDF would be enough. If it were possible, surely it would rely on an exploit in the PDF reader?

Good reason to keep your PDF viewer up to date I suppose.

Yes, but have you seen the number of security patches for Adobe Reader over the years?

https://helpx.adobe.com/security/products/reader.html

eg

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-0932, CVE-2016-0934, CVE-2016-0937, CVE-2016-0940, CVE-2016-0941).

These updates resolve a double-free vulnerability that could lead to code execution (CVE-2016-0935).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-0931, CVE-2016-0933, CVE-2016-0936, CVE-2016-0938, CVE-2016-0939, CVE-2016-0942, CVE-2016-0944, CVE-2016-0945, CVE-2016-0946).
 
I'm sceptical that viewing a PDF would be enough. If it were possible, surely it would rely on an exploit in the PDF reader?

Good reason to keep your PDF viewer up to date I suppose.

Good example of why keeping software like that up to date in situations like that is a good idea yeah.

One of the issues is the way those kind of trojans are wrapped up which might seem obvious to us but some users will ignore the warning and click yes no matter how many times you try to tell them not to.
 
None as far as I'm aware.

The aim of the attack is to encrypt data on any directly mapped volumes and extract a ransom from the victim.

The most recent version of Locky goes looking for any shares on a LAN and will encrypt on unmapped shares.

If anything, the malware which renames files in some way (e.g. Locky or Tesla) makes spotting them easier. The earlier versions which left the file names untouched might send you looking at a few corrupt Office documents until the penny dropped. Now once you see .locky files, you know it's time to start restoring...

On a Windows file server, you can configure File Server Resource Manager to deny writing of certain file extensions (with e-mail alerts), e.g.

http://olivermarshall.net/using-file-screening-to-help-block-cryptolocker/
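One way to set up the file screening described above, as an added example rather than the linked article's own script. It assumes the FSRM role is installed, the shares live under a placeholder root `D:\Shares`, FSRM's SMTP settings are already configured with `Set-FsrmSetting`, and `*.encrypted-placeholder` stands in for whatever extension the current variant appends.

```powershell
# Added example for this thread, not code from the linked article. Assumptions:
# FSRM role installed on the file server, shares under D:\Shares (placeholder),
# SMTP for FSRM already set with Set-FsrmSetting, and a placeholder pattern
# "*.encrypted-placeholder" standing in for whatever the current variant appends.
Import-Module FileServerResourceManager

$sharePath = "D:\Shares"   # placeholder root of the screened shares

# 1. Group the file name patterns ransomware leaves behind. ".locky" is from the
#    thread; the second entry is a placeholder to extend as new variants appear.
$group = New-FsrmFileGroup -Name "Ransomware artefacts" `
    -IncludePattern @("*.locky", "*.encrypted-placeholder")

# 2. Notifications: e-mail the admin and write a Warning to the event log.
#    [Admin Email], [Server], [Source Io Owner] and [Source File Path] are
#    FSRM's own substitution macros, filled in when the screen fires.
$mail = New-FsrmAction -Type Email `
    -MailTo "[Admin Email]" `
    -Subject "Ransomware file screen triggered on [Server]" `
    -Body "User [Source Io Owner] tried to write [Source File Path] on [Server]. Check that user's workstation and mapped drives."

$event = New-FsrmAction -Type Event -EventType Warning `
    -Body "Ransomware file screen: [Source Io Owner] wrote [Source File Path]"

# 3. Active screen: denies the write and fires both actions. Leave out -Active
#    for a passive screen that only alerts while you tune the patterns.
New-FsrmFileScreen -Path $sharePath -IncludeGroup $group.Name `
    -Notification @($mail, $event) -Active

# 4. Verify the screen is in place on the share root.
Get-FsrmFileScreen -Path $sharePath | Format-List Path, IncludeGroup, Active
```

Screening matches on file names only, so a variant that leaves names untouched passes straight through; the value of the alert is that it names the user account doing the writing, which tells you which workstation to take off the network.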
 
Accounts departments are often sent emails with invoices attached as .pdf files.
How does one stop this?
If one scans the attachment or email will this be picked up upon before opening?

Asking as we legitimately want some sort of defence; half these cryptolockers are reported as zero-day variations.

There are restrictions you can place on the appdata folder, or you can set up a form of watchdog alert service that can prevent scenarios like this happening, but they're not the easiest to do for large companies and, in the case of the appdata folder restrictions, come with their own headaches.

I would not like to come in on a Monday morning and find everything encrypted. Don't know how we've gotten away with it recently, as the company I work for has been spam bombed for the last while with a heap of cryptovirus attachments. Some users have lost their data but thankfully none of them were routinely connected to the server so damage was fairly limited.
 
Out of interest, can anybody provide me with one of these viruses? I'm running a security talk at work in May and wanted to live demo some ransomware in a sandbox. Reply in trust is sensible. Cheers chaps.

If you do manage to get hold of one I wouldn't even try running it in a sandbox. From some of the reports I've been reading, these things (in some circumstances) can make their way onto the host machine.

If you really want to demo this then I'd be putting it on a PC not connected to anything, run it as a demonstration and then nuke the PC from orbit once you're done... just to be sure!
 
If you do manage to get hold of one I wouldn't even try running it in a sandbox. From some of the reports I've been reading, these things (in some circumstances) can make their way onto the host machine.

If you really want to demo this then I'd be putting it on a PC not connected to anything, run it as a demonstration and then nuke the PC from orbit once you're done... just to be sure!

Agreed.

I'd take an offline laptop in with a fresh install and create some test files for demonstration.

Then I'd be formatting the hell out of that drive afterwards!
 
This thread has reminded me to sort out the permissions on my network shares.
My plan is to basically have all network shares in my house read only as it's mostly for media, then to have 1 share which has rw on it; this share will then have a cron job (or similar) to move the files dropped in there to a backup area (I also sync to the cloud for my offsite backup). This should stop my shares from being hit I would guess, and if I need to move files I will do it in ssh/scp I guess, or temp mount with a different user/password.
 
If you do manage to get hold of one I wouldn't even try running it in a sandbox. From some of the reports I've been reading, these things (in some circumstances) can make their way onto the host machine.

If you really want to demo this then I'd be putting it on a PC not connected to anything, run it as a demonstration and then nuke the PC from orbit once you're done... just to be sure!

AFAIK it can't directly infect the host (assuming a VM rather than a basic sandbox, where it might manage to elevate privileges) unless you have shared folders, but it can potentially go the roundabout route via infecting something on the network if you don't isolate its LAN access.

Agreed.

I'd take an offline laptop in with a fresh install and create some test files for demonstration.

Then I'd be formatting the hell out of that drive afterwards!

Don't think any are sophisticated enough to write themselves into the HDD firmware like some rootkits but some do mess with the MBR.
 
Yes, but have you seen the number of security patches for Adobe Reader over the years?

That's Adobe Reader for you.

I tend to use Evince or Okular on Linux. Neither have had a CVE assigned since 2011 from what I can tell.

If I were a sysadmin I'd be very keen to migrate people from Adobe Reader.
 
So if staff are checking personal email on work machines there is a risk of being locked out?

I am not sure how you could avoid opening PDFs.
Not opening .zip or .exe I understand.

So presumably the best thing to do is to ask staff not to open personal email on work machines, is that correct?
 
At my workplace, introducing a virus onto a PC and/or onto the network would be a disciplinary. Ignorance wouldn't be a defence because we have to read up on the various company policies, of which one of them is internet usage during work hours.

So company policy is to delete all attachments no matter who they are from... Harsh but secure.
 