Defense Against Crime

16/12/2014

Wait…Don’t Open that PDF!

Filed under: Cyber Crimes — peppereyes @ 7:55 PM

Now that I have your attention, please gather around while I tell you a story. It's a story about a lady, a computer and a thief. The best part, or worst part, is that this story actually happened, and is happening to thousands of unsuspecting computer users who simply clicked on an innocent-looking PDF attachment in their e-mail that looked legitimate.

One day a very clever computer thief sent out millions of e-mails claiming to be medical invoices, each carrying a very clever attachment that looked like an ordinary PDF document. He knew there were unsuspecting people who would think the e-mail was real and that a PDF couldn't harm them. He was counting on it. Several days later Nancy (not her real name) got the e-mail and took it for an invoice for her mother, who had been ill for the last few months. So she clicked on it and followed the instructions. However, it wasn't a PDF. It was a Trojan horse that she let in through her own front door. The thief's tool was a very clever piece of malware (bad software) called ransomware. We discussed ransomware previously. This particular strain was CryptoWall 2.0 (a new, improved version of CryptoWall, which itself followed in CryptoLocker's footsteps).

What Happened Next?

While Nancy's computer was on, CryptoWall started doing what it was designed to do: infect her computer. This infection is REAL NASTY. It began by establishing a network connection to the attacker's servers (CryptoWall 2.0 reaches them over the Tor network, which is why Tor appears in the technical advice below), where it uploaded details such as the public IP address, location, and system information including the operating system of Nancy's computer.

Next, the remote server generated a 2048-bit RSA key pair associated with Nancy's computer. Only the public key was sent down to her machine; the private key, the one needed to decrypt anything, never left the attacker's server, and that is the whole point of the scheme. The malware then worked through every file matching its pre-determined list of supported file extensions (text files, Word documents, images, music, etc.), making a copy of each one. As each copy was created it was encrypted using the public key, and the original file was deleted from Nancy's hard drives. Note that the original is deleted rather than securely overwritten, which is why file recovery tools sometimes get a few files back (more on that below).

This process continued until every file matching the supported file types had been copied and encrypted. That included files located on other drives, such as external drives and network shares; basically, any drive that had a drive letter was added to the list. Cloud-based storage that keeps a local copy of your files on the drive (such as Dropbox or Microsoft's or Amazon's cloud storage) was affected as well: the sync client saw the encrypted copies as "changed" files, pushed them up to the cloud, and from there down to every other connected device.

Finally, once the encryption process completed, CryptoWall 2.0 executed some commands locally to stop the Volume Shadow Copy Service (VSS) that runs on all modern versions of Windows. VSS is the service that creates the point-in-time snapshots used for backup and restoration of data on a host computer. It also backs file versioning, the feature Windows 7 users know as "Previous Versions", which keeps histories of changes made to files so that a file can be rolled back to an earlier version after an unintended change or a catastrophic event that damages its integrity. The commands run by the ransomware stop the service altogether and also delete the existing shadow copies (the widely reported form is vssadmin.exe Delete Shadows /All /Quiet), making it much harder to recover files through Previous Versions or System Restore. Yes, this was bad news for Nancy.
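That shadow-copy deletion step is also one of the few moments where the infection is loud enough to catch. The script below is an added example, not code from the original post: it runs a few regexes over a handful of constructed Windows "process created" records (event ID 4688 style, fields separated by "|") and returns the ones that delete shadow copies or stop the VSS service. The vssadmin.exe Delete Shadows /All /Quiet form is the one widely reported for CryptoWall; the other patterns are related variants added here, and the record layout is this example's own assumption rather than any particular SIEM's format.

```python
"""Spot the shadow-copy deletion step in process-creation logs.

Added example, not code from the original post. It runs a few regexes over
constructed Windows 'process created' records (event ID 4688 style, fields
separated by '|') and returns the ones that delete shadow copies or stop the
VSS service. 'vssadmin.exe Delete Shadows /All /Quiet' is the form widely
reported for CryptoWall; the other patterns are related variants added here.
The record layout is this example's assumption, not any particular SIEM's.
"""
import re
from typing import Dict, List

# Field order assumed for every record (constructed for this example).
FIELDS = ("time", "event_id", "host", "user", "image", "command_line")

VSS_TAMPER_PATTERNS = {
    "vssadmin delete shadows":
        re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "vssadmin shrink shadow storage":
        re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I),
    "wmic shadowcopy delete":
        re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "VSS service stopped or disabled":
        re.compile(r"\b(?:sc|net)(?:\.exe)?\s+(?:stop|config)\s+vss\b", re.I),
}

# Constructed sample: a normal Word launch, the two tampering commands,
# a harmless 'list shadows', and a process-exit (4689) record to be ignored.
SAMPLE_EVENTS = [
    "2014-12-16T19:40:02|4688|NANCY-PC|nancy|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|\"WINWORD.EXE\" /n mom_invoice.docx",
    "2014-12-16T19:41:10|4688|NANCY-PC|nancy|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
    "2014-12-16T19:41:11|4688|NANCY-PC|nancy|C:\\Windows\\System32\\net.exe|net stop vss",
    "2014-12-16T19:41:12|4688|NANCY-PC|nancy|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe List Shadows",
    "2014-12-16T19:42:00|4689|NANCY-PC|nancy|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
]


def parse_record(line: str) -> Dict[str, str]:
    """Split one '|'-delimited record into named fields. Only the first five
    separators are used, so a '|' inside the command line is preserved."""
    parts = line.split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"malformed record: {line!r}")
    return dict(zip(FIELDS, parts))


def detect_vss_tampering(lines: List[str]) -> List[Dict[str, str]]:
    """Return the process-creation records whose command line matches a
    shadow-copy tampering pattern, each tagged with the rule that fired."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec["event_id"] != "4688":       # only 'process created' events
            continue
        for rule, pattern in VSS_TAMPER_PATTERNS.items():
            if pattern.search(rec["command_line"]):
                hits.append({**rec, "rule": rule})
                break                        # one alert per record
    return hits


if __name__ == "__main__":
    for hit in detect_vss_tampering(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['host']} {hit['user']}: {hit['rule']} "
              f"<- {hit['command_line']}")
```

Two caveats for anyone wiring this up for real: Windows only writes the command line into 4688 events when command-line auditing is switched on (otherwise use Sysmon's process-creation event), and by the time this fires the encryption has already run, so treat the alert as a signal to isolate the machine and check backups, not as prevention.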

Her Files Would Not Open... Now What?

Nancy went to open one of her Word documents and it was gibberish. Nancy thought she had gotten a virus and went to the store to get some antivirus software. While I encourage everyone to get a good software package to scan for viruses and malware, along with a host of other security measures, and to keep them updated, you should do these things before going online, not after. Also, as a word of warning, many new viruses won't be detected because they haven't been identified yet, or the creator is clever enough to make them undetectable for the time being. After a lot of frustration Nancy called me, as I know a few things about computers. After doing some work to speed up her computer I saw some interesting files:

  • DECRYPT_INSTRUCTION.txt
  • DECRYPT_INSTRUCTION.html
  • DECRYPT_INSTRUCTION.url

Opening any of these files gives the victim step-by-step instructions for carrying out the ransom payment. The HTML file has a caption indicating the amount of time left on the ransom and how much money is being requested. Typically, the ransom starts at $500 (USD) in bitcoin, and the countdown timer allows three days to get payment to the requester.


After the timer reaches zero, the caption changes. The amount requested doubles to $1,000 (USD) in bitcoin and the timer shows a cutoff date and time. Usually the window is about one week, and the note states that if payment is not received before the cutoff, the private key and decryption application housed on the remote server will be automatically deleted, making your files unrecoverable.


So what could she do?

At this point Nancy had two options:

  1. Pay the Ransom
    If she had chosen to pay, there was some chance the thieves would honor the deal and hand over the private key and decryption tool to unlock Nancy's files. But remember who you would be paying: these are thieves. Who says that once they have your money they will do anything at all?
  2. Not Pay the Ransom
    By not paying you are saying you really don't need this data and can live without it (much the same fate as having your hard drive crash). If you take this route, you will need to reformat your hard drive and re-install your operating system and software. There is a possibility of using file recovery software to restore the originals that CryptoWall 2.0 deleted, but the more you use the computer after the attack, the more of that deleted data gets overwritten and the harder it becomes to undelete. If the files matter, stop using the machine and image the drive before attempting any recovery.

Protecting Yourself from Being the Victim

  • If you get an attachment you were not expecting from a friend or a company, contact the sender (by phone or a fresh e-mail, not by replying to the message) before opening it.
  • The best way to survive a ransomware attack is to keep up-to-date backups of your important files off site (with a service like Carbonite) or on a portable drive that you only connect to your computer while you are doing a backup. Make sure an online backup service keeps older versions of your files, because, as noted above, a plain sync folder will happily replace your good copies with the encrypted ones. A ransomware infection, which encrypts all of your files, is similar to a drive failure, except that for a fee you have a chance of getting your files back.
  • As mentioned above, have an active and up-to-date antivirus and malware detection program installed on your computer, and make sure you do a full system scan once a week.
  • Learn all the things you should and should not do on the internet concerning file sharing, viruses and malware. This blog has lots of resources, because new and creative threats appear all the time.
  • Viruses, whether they are creating harmless pop-up screens, attacking your files or stealing your personal or financial information, are a major annoyance. As a society we will need to keep contending with them as digital divides slowly shrink, our connected lives stretch further out, and the criminal element persists.
  • While there may be little recourse once infected, there is a lot that can be done to limit our exposure to infection and the subsequent loss of data. You just need to be proactive enough to ensure that these fail-safes are in place and to check on them from time to time.

“Out here, it’s better safe than sorry, because generally speaking, too much of the time sorry means you’re dead.”  ― Patricia C. Wrede, Across the Great Barrier

Technical Things To Do

  • Configure your web browser to block downloads of executable files unless the user explicitly consents.
  • Employ an advanced detection system (content inspection or sandboxing) to analyze all incoming executables, PDF files and Microsoft Office documents.
  • Consider blocking the Tor application completely within your network; CryptoWall 2.0 uses it to reach its servers.
  • Ensure that only the users who need it have write access to network shares. CryptoWall will encrypt every file in a network share that is mounted at the time of infection and writable by the logged-in user, so a read-only mapping is safe from it.
  • Disconnect or unmount backup drives when they aren't in use, as CryptoWall can also encrypt your backups.

Beware Geeks Bearing Gifts

As I mentioned above, CryptoWall 2.0 is a Trojan horse, disguised to look legitimate so that it gains your trust and is allowed onto your system. The majority of this malware has arrived through e-mails with executable attachments, sometimes inside .zip files, and in this case disguised as a PDF. Note that .scr (the Windows screensaver extension) is an executable just like .exe, and that Windows hides known file extensions by default, so a file called invoice.pdf.scr shows up in Explorer as "invoice.pdf". Most of the e-mail attacks used fake invoice, fax and voicemail themes with attachments named like the following:

  • Complaint_IRS-Id-12839182.scr
  • fax00415741732781728.scr
  • VOICE387-778-3454.zip
  • CH_Import_Information.exe

A computer expert I know received an e-mail from a campaign pretending to be a fax report that carried a .zip attachment with a PDF inside. That PDF was the real thing, not a renamed executable: it exploited CVE-2013-2729, a vulnerability in Adobe Reader, to download a binary which then installed CryptoWall 2.0. A Reader that had been patched since mid-2013 would not have been affected, which is one more reason to keep your PDF viewer up to date.
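The attachment names above are a good test set for a simple filename check, the kind of thing a mail gateway or a cautious user can apply before anything is opened. The script below is an added example, not code from the original post. It flags executable extensions (.scr and .pif count just like .exe), archives whose contents need checking, double extensions such as invoice.pdf.exe, and two name-spoofing tricks (a right-to-left override character and a long run of spaces that pushes the real extension out of view); the lure-word list, thresholds and verdict names are this example's own choices.

```python
"""Score e-mail attachment names against the lure patterns above.

Added example, not code from the original post. It flags executable
extensions (.scr and .pif are executables just like .exe), archives that
need their contents checked, double extensions such as 'invoice.pdf.exe',
and two name-spoofing tricks: a right-to-left override character and a long
run of spaces that pushes the real extension out of view. The lure-word list,
thresholds and verdict names are this example's own choices.
"""
import os
import re
from typing import List, Tuple

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".cpl", ".msi", ".lnk"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".cab"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Themes used by the campaigns listed above (prefix match on name tokens).
LURE_WORDS = ("invoice", "fax", "voice", "complaint", "irs", "payment",
              "statement", "scan", "order", "receipt")
RTLO = "\u202e"  # Unicode right-to-left override


def classify_attachment(name: str) -> Tuple[str, List[str]]:
    """Return ('block' | 'inspect' | 'allow', reasons) for one file name."""
    reasons: List[str] = []
    severe = False
    base = name.strip()

    if RTLO in base:
        reasons.append("right-to-left override (U+202E) spoofs the displayed extension")
        severe = True
        base = base.replace(RTLO, "")
    if re.search(r"\s{3,}", base):
        reasons.append("long run of spaces hides the real extension")
        severe = True
    base = re.sub(r"\s+", "", base).lower()

    root, ext = os.path.splitext(base)
    _, inner_ext = os.path.splitext(root)
    if ext in EXECUTABLE_EXTS:
        severe = True
        reasons.append(f"executable extension {ext}")
        if inner_ext in DOCUMENT_EXTS:
            reasons.append(f"double extension: posing as a {inner_ext} file")
    elif ext in ARCHIVE_EXTS:
        reasons.append(f"archive {ext}: inspect members before opening")

    tokens = re.split(r"[^a-z0-9]+", root)
    if any(tok.startswith(w) for tok in tokens for w in LURE_WORDS):
        reasons.append("name uses a common lure theme (invoice/fax/voicemail/...)")

    verdict = "block" if severe else ("inspect" if reasons else "allow")
    return verdict, reasons


def classify_archive(member_names: List[str]) -> Tuple[str, List[str]]:
    """Worst verdict over the names inside an archive (e.g. zipfile.namelist()),
    so a .zip is judged by what it carries rather than by its own extension."""
    rank = {"allow": 0, "inspect": 1, "block": 2}
    worst, reasons = "allow", []
    for member in member_names:
        verdict, why = classify_attachment(os.path.basename(member))
        reasons.extend(f"{member}: {r}" for r in why)
        if rank[verdict] > rank[worst]:
            worst = verdict
    return worst, reasons


if __name__ == "__main__":
    # Names from the campaigns above plus a few constructed ones.
    for sample in ("Complaint_IRS-Id-12839182.scr", "fax00415741732781728.scr",
                   "VOICE387-778-3454.zip", "CH_Import_Information.exe",
                   "invoice.pdf.exe", "holiday.jpg"):
        print(f"{sample:32} -> {classify_attachment(sample)}")
```

The limitation is exactly the fax-report case just described: a genuine PDF carrying an exploit for an unpatched reader passes every name check here and comes back as "inspect" at best, which is why the technical list above asks for content inspection of PDFs and Office documents and not just filename filtering.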

 
