malware

SOTD: Statement from MARKETING & TECHNOLOGY GROUP, INC.

Another case of Monday morning spam/malware

– message body –

Dear Customer :

Your statement is attached. Please remit payment at your
earliest convenience.

Thank you for your business – we appreciate it very
much.

Sincerely,

MARKETING & TECHNOLOGY GROUP, INC.

– end of message –

– message also has a file attachment –

docs2015.zip

– inside of the zip file is an executable –

docs2015.exe

Virus Found: Win32/Kryptik.DBCZ trojan

– end –

Please note: the company associated with the domain used for this email most likely has no knowledge of it being sent, as the sender address is clearly forged.

The best suggestion is to delete this if your spam / malware / antivirus solution has not already done so.


SOTD: JP Morgan Access Secure Message

This one comes in via email with the attachment: JP Morgan Access – Secure.zip

SHA256: 45dd07fc7308fc60110b3bad211c0e4c2b7e9797f1a3a857aef357277f487777

Flagged by the following: https://www.virustotal.com/en/file/45dd07fc7308fc60110b3bad211c0e4c2b7e9797f1a3a857aef357277f487777/analysis/1425311041/


Email Body:

Please check attached file(s) for your latest account documents regarding your online account.

Leon Hartman
Level III Account Management Officer
817-666-9746 office
817-802-6412 cell
Leon.Hartman@jpmorgan.com

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

2015 JPMorgan Chase & Co.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.

SOTD: My posts of spam emails

We all dislike it and there seems to be no end to it.  So why not blog about it.

SPAM! The unsolicited email message that you never wanted and didn't ask for, yet receive daily.

I will be posting the email subject and body along with any attachments found (the attachments themselves will not be in my posts, only their file names and the malware detection info).


How to submit malware / virus to antivirus and malware companies

So you got yourself infected with a virus and hopefully got rid of it before it did any serious damage. If it did, you may wish you had something like "CrashPlan" to get your files back.

And while a backup solution is always the best recovery tool, today we are going to talk about what to do once you have identified a suspected virus or malware component that you want to share so others are spared the same problem.

This fight isn't just on you; there is a large community made up of experts and everyday people who want to help one another get rid of malware and computer viruses.

Here are a few sites I often submit the little bugs to for review:

For additional tools for scanning and verifying an infected file I often use VirSCAN.org.

VirSCAN.org is a free online scan service that checks uploaded files for malware using the antivirus engines listed on the VirSCAN site. After uploading the files you want checked, you can see the result of each scan and how dangerous or harmless those files are for your computer.

Another online scan tool: https://www.virustotal.com/
By the way, VirusTotal is owned by Google.

Keep in mind that anything you upload to these services is shared with the participating antivirus vendors (and, on VirusTotal, with paying subscribers), so don't upload documents that contain sensitive data. If you only need to know whether a file is already known, look up its SHA-256 hash first; a file that nobody has seen yet comes back clean, so a clean result is not proof that a file is safe.
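As an added example (not part of the original post, and not a tool its author uses), here is how attachments like the docs2015.zip above can be triaged before submitting them anywhere: the zip is inspected in memory, never extracted to disk or run; the archive and every member are hashed with SHA-256, as in the hash given in the JP Morgan post; and members with an executable extension, a double extension such as "statement.pdf.exe", or content starting with the "MZ" PE header under a document-looking name are flagged. Oversized members are refused rather than inflated (zip bombs). The sample archive is constructed inside the code, and the VirusTotal lookup URL format is an assumption about the current site, not taken from the post.

```python
import hashlib
import io
import zipfile
from dataclasses import dataclass

# File extensions Windows will run directly on double-click. A constructed list
# for this example; align it with whatever your mail gateway blocks.
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".cpl", ".msi",
}

# Refuse to inflate members above this size (guards against zip bombs).
MAX_MEMBER_BYTES = 50 * 1024 * 1024


@dataclass
class Member:
    name: str
    size: int
    sha256: str             # hash of the member's content, or "" if it was skipped
    executable: bool        # extension alone says Windows would execute it
    double_extension: bool  # e.g. "statement.pdf.exe"
    pe_header: bool         # content starts with the "MZ" DOS header, whatever the name
    skipped: bool           # too large to inflate safely


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _extension(name: str) -> str:
    base = name.rsplit("/", 1)[-1].lower()
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""


def is_executable(name: str) -> bool:
    return _extension(name) in EXECUTABLE_EXTS


def has_double_extension(name: str) -> bool:
    base = name.rsplit("/", 1)[-1].lower()
    return base.count(".") >= 2 and is_executable(base)


def triage_zip(data: bytes) -> dict:
    """Inspect a zip attachment in memory; nothing is written to disk or executed."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                members.append(Member(info.filename, info.file_size, "",
                                      is_executable(info.filename),
                                      has_double_extension(info.filename),
                                      False, True))
                continue
            content = zf.read(info)
            members.append(Member(info.filename, info.file_size, sha256_bytes(content),
                                  is_executable(info.filename),
                                  has_double_extension(info.filename),
                                  content[:2] == b"MZ", False))
    archive_sha256 = sha256_bytes(data)
    return {
        "archive_sha256": archive_sha256,
        # Assumed current VirusTotal lookup URL format (the post's links use an older one).
        "virustotal_url": f"https://www.virustotal.com/gui/file/{archive_sha256}",
        "members": members,
        "suspicious": any(m.executable or m.double_extension or m.pe_header or m.skipped
                          for m in members),
    }


def build_sample_zip(entries: dict) -> bytes:
    """Construct a small zip in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stand-in for the docs2015.zip attachment: a fake PE stub, not real malware.
    sample = build_sample_zip({"docs2015.exe": b"MZ" + b"\x00" * 62})
    result = triage_zip(sample)
    for m in result["members"]:
        print(f"{m.name:30} {m.size:8d} exe={m.executable} dblext={m.double_extension} "
              f"MZ={m.pe_header} {m.sha256}")
    print("archive sha256:", result["archive_sha256"])
    print("lookup:", result["virustotal_url"])
    print("suspicious:", result["suspicious"])
```

Look the archive hash up before uploading: if the hash is already known, you get the verdicts without sharing the file at all. The "MZ" check is what catches the renamed executable that an extension filter alone lets through.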

Best of luck to you all, and stay safe


Tech Short: CryptoLocker

CryptoLocker is a type of “ransomware” that encrypts the data on an infected computer so that it can’t be read and then demands payment to decrypt it.

A CryptoLocker attack may come from various sources; one common one is disguised as a legitimate email attachment. When activated, the malware encrypts certain types of files stored on local and mounted network drives. Each file is encrypted with a symmetric key, and that key is in turn encrypted with a 2048-bit RSA public key whose private half is held only on the malware's control servers, so the files cannot be decrypted locally.

Once encryption is complete, a message is displayed to the computer user telling them to pay to regain access to their files.

At this point your files are unreadable. The targets are normally office documents and photos, as those are deemed most valuable to individuals.

It targets files with the following extensions:

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

When it finds a file matching one of those extensions, it encrypts the file using the public key and then records the file in the Windows registry under HKEY_CURRENT_USER\Software\CryptoLocker\Files (useful for listing exactly which files were hit when scoping an infection).

CryptoLocker typically arrives as an email attachment, or is downloaded onto a computer already recruited into a botnet by a previous trojan infection.

To protect yourself you should always keep your systems up to date, be vigilant when opening email attachments, and be careful with sites that try to download these infections to your computer.

A CryptoLocker infection does not require the user to have elevated rights on the machine, as it targets anything the local user already has access to.

The only way to recover from an infection is to restore the machine and its files from a clean backup. Because the malware encrypts anything on mounted drives, a backup that is just a mapped network drive or an always-attached USB disk will be encrypted along with everything else; the backup must be offline or versioned.

I suggest using a real-time backup solution such as CrashPlan for this, as it supports versioning and point-in-time restores.

I also suggest using Malwarebytes Free Anti-Malware to aid in cleaning up the infection; however, this does not give you back access to files that have already been encrypted.
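Added example, not from the original post: the registry key above is the quickest way to scope a CryptoLocker infection, because it lists every file the malware encrypted, including files on mapped network drives. The code below parses a constructed .reg export of that key, recovers the paths, and checks each one against the extension list from the post so that anything outside the list stands out as a parse problem or a different variant. It assumes each value name is the full path with every backslash replaced by "?" (the encoding seen in this key) and that the value data is an uninteresting DWORD; if your export looks different, adjust parse_files_key. The sample export is constructed and is not from a real infection.

```python
import fnmatch
import re

# The target extension list from the post, as case-insensitive glob patterns.
TARGET_PATTERNS = """
*.odt *.ods *.odp *.odm *.odc *.odb *.doc *.docx *.docm *.wps *.xls *.xlsx *.xlsm *.xlsb
*.xlk *.ppt *.pptx *.pptm *.mdb *.accdb *.pst *.dwg *.dxf *.dxg *.wpd *.rtf *.wb2 *.mdf
*.dbf *.psd *.pdd *.pdf *.eps *.ai *.indd *.cdr *.jpg *.jpe img_*.jpg *.dng *.3fr *.arw
*.srf *.sr2 *.bay *.crw *.cr2 *.dcr *.kdc *.erf *.mef *.mrw *.nef *.nrw *.orf *.raf *.raw
*.rwl *.rw2 *.r3d *.ptx *.pef *.srw *.x3f *.der *.cer *.crt *.pem *.pfx *.p12 *.p7b *.p7c
""".split()

FILES_KEY = r"HKEY_CURRENT_USER\Software\CryptoLocker\Files"

# One `"name"=dword:xxxxxxxx` line from a .reg export; the name may contain \" and \\ escapes.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:[0-9a-fA-F]{8}$')


def is_cryptolocker_target(path: str) -> bool:
    """True if the file name matches one of the extension patterns the malware encrypts."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(fnmatch.fnmatchcase(name, pat) for pat in TARGET_PATTERNS)


def parse_files_key(reg_export: str) -> list:
    """Return the paths recorded under HKCU\\Software\\CryptoLocker\\Files in a .reg export.

    Assumption for this example: each value name is the full path with every
    backslash replaced by '?', and the DWORD data carries nothing of interest.
    """
    paths = []
    in_key = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == FILES_KEY.lower()
            continue
        if not in_key:
            continue
        m = _VALUE_LINE.match(line)
        if m is None:
            continue
        name = m.group(1).replace('\\"', '"').replace("\\\\", "\\")  # undo .reg escaping
        paths.append(name.replace("?", "\\"))
    return paths


def scope_incident(reg_export: str) -> dict:
    """Summarise what was hit: count, extensions, drives, and anything outside the known list."""
    paths = parse_files_key(reg_export)
    by_ext = {}
    for p in paths:
        filename = p.rsplit("\\", 1)[-1]
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        by_ext[ext] = by_ext.get(ext, 0) + 1
    return {
        "count": len(paths),
        "by_extension": by_ext,
        "drives": sorted({p[:2] for p in paths if len(p) > 1 and p[1] == ":"}),
        # Paths that do not match the published list: a parse problem or a different variant.
        "unexpected": [p for p in paths if not is_cryptolocker_target(p)],
    }


# Constructed .reg export for the example (not from a real infection).
SAMPLE_REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\CryptoLocker\\Files]
"C:?Users?alice?Documents?budget_2015.xlsx"=dword:00000000
"C:?Users?alice?Pictures?IMG_0412.jpg"=dword:00000000
"Z:?Finance?Q1?statement.pdf"=dword:00000000
"""

if __name__ == "__main__":
    for p in parse_files_key(SAMPLE_REG_EXPORT):
        print(p)
    print(scope_incident(SAMPLE_REG_EXPORT))
```

Export the key with `reg export HKCU\Software\CryptoLocker\Files files.reg` from the infected user's session (the key is per user, so check every profile that logged on). The "drives" entry tells you which network shares need restoring from backup, and a non-empty "unexpected" list means the parser or the extension list does not match what you are looking at.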

Additional Notes:

CryptoLocker does not need Administrator privileges to run, so don't think you're safe just because none of your users are domain or local admins. The CryptoLocker executable is dropped in the user's %appdata% and/or %localappdata% folder and runs in the user's context, so no privilege escalation is required.

What can be done here is to add Software Restriction Policies that prevent executables from running out of the %appdata% and %localappdata% folders.

To do this:

  • Open the Group Policy Editor
  • Computer Configuration
  • Windows Settings
  • Security Settings
  • Software Restriction Policies
  • Right-click and create new policies
  • Go into Additional Rules

Create new path rules for the following, with the security level set to Disallowed:

%appdata%\*.exe – Disallowed
%localappdata%\*.exe – Disallowed

Note that a wildcard in a path rule does not cross folder boundaries, so these two rules only cover executables sitting directly in those folders; add %appdata%\*\*.exe and %localappdata%\*\*.exe as well to cover one level of subfolders. Roll the rules out to a pilot group first, as some legitimate software (per-user installers and updaters in particular) also runs from these locations and will need its own allow rule.

Also a message to my fellow system admins:

If you are smart you will also block all executable attachments, along with zip archives, in email. This will effectively reduce the footprint of possible infections via email.

Communicate this with your management.

If they choose not to entertain alternative ways to transfer files, you can at least rest assured that you have proposed the proactive security measures you know and are confident are best.

Links:

Ransomware Information Guide

CryptorBit Ransomware Guide