
Tips to avoid being bit by CryptoLocker (and what to do if you are)

Kim Crawley | Dec. 4, 2013
InfoSec Institute's Kim Crawley details CryptoLocker, the latest in scareware, and offers suggestions for avoiding infection.

Lawrence Abrams at Bleeping Computer has written an excellent guide to getting rid of CryptoLocker. Unfortunately, he offers paying CryptoLocker's ransom as one of the options for removing it. He even goes so far as to explain how to put CryptoLocker back on your PC if a legitimate AV shield has quarantined it, in order to make the payment. Although users have reported that CryptoLocker actually does decrypt files and goes away after payment, I strongly discourage you from paying them. As I've said about rogue AVs, it only encourages the bastards. If an organized crime member showed up at my apartment, demanding money to stop his gang from burning my building down, I wouldn't pay the gangster, I'd call the cops.

Now, the cops can't help you prevent or get rid of CryptoLocker, so I'll offer my two cents, a tiny fraction of a Bitcoin.

To prevent CryptoLocker, you've got to know how users acquire it in the first place. CryptoLocker's victims have reported that infection usually starts with an email that appears to be from UPS or FedEx. Keep in mind that it's really easy to spoof emails if you know how to do it. I've done it myself. Depending on your email program, whether it's a client that runs in your OS, such as Microsoft Outlook or Mozilla Thunderbird, or webmail such as Gmail or Yahoo! Mail, the "from" field could very likely contain "@ups.com" or "@fedex.com" even though the sender doesn't have legitimate use of either domain name. The spoof email could be all text, with very official-looking wording, or an HTML email, with very official-looking graphics.

The spoof emails make it sound like they're related to tracking a package you're sending or receiving. For that reason, users get fooled most frequently as it gets closer to Christmas, hence CryptoLocker debuting in September 2013. The email will have a .zip archive attached, which the body of the email insists you open. When the archive is unzipped, the user gets a double-extension file; .pdf.exe has been reported. The file will open in a PDF reader like Adobe Reader or Foxit Reader, but at the same time a Windows executable will launch on the user's machine, which is the CryptoLocker malware. UAC (User Account Control) may or may not be triggered. The user's AV shield may or may not catch it. Even if UAC and the user's AV shield do something, the malware may still be installed on the user's machine.

The only thing about CryptoLocker that surprises me, a jaded malware expert, is why the makers bother to create a ZIP file containing a double-extension Windows executable. The ZIP file is obviously there to escape security components in email clients and webmail that block .exe files to prevent malware infection. But it's much easier to file-bind. I've done it myself. There are "skiddie" programs that will take your malware executable, for any platform, and merge it with a seemingly innocuous media file or document, such as a .pdf, a .jpg, or a .doc. If it's bound to a graphic, such as a .jpg, .png or .gif, it can open in an email client or webmail application as a picture in an email; if it's another type of file, like a .mp3, .doc or .pdf, it will launch in the user's default program for the file type in a perfectly normal way. The malicious executable will launch and run in the background, and the user won't notice that anything's wrong until their PC, smartphone, or tablet starts experiencing a problem.
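As an added illustration of the attachment pattern in the two paragraphs above (a ZIP holding a double-extension executable, or a document with an executable bound to it), here is a small Python scanner written for this page; it is not part of Crawley's article or any named product. It parses a message, opens any ZIP attachment in memory and flags members both by double extension and by the "MZ" executable signature regardless of name; the message, the sender address and the file names are constructed samples, and the extension lists are assumptions, not a complete policy.

```python
import email.message, email.policy, io, zipfile
# Executable extensions, and document extensions that hide one (.pdf.exe); illustrative lists.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".jpg", ".png", ".gif", ".txt"}

def classify_name(name):
    """Return 'double-extension executable', 'executable' or None for a file name."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2 or "." + parts[-1] not in EXEC_EXTS:
        return None
    if len(parts) > 2 and "." + parts[-2] in DOC_EXTS:
        return "double-extension executable"
    return "executable"

def scan_zip(data):
    """Flag zip members by name and by PE magic, so a renamed or bound exe is still caught."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in (i for i in zf.infolist() if not i.is_dir()):
            verdict = classify_name(info.filename)
            if verdict is None and zf.open(info).read(2) == b"MZ":
                verdict = "PE image with non-executable name"
            if verdict:
                findings.append((info.filename, verdict))
    return findings

def scan_message(raw):
    """Walk an RFC 822 message and flag risky attachments, looking inside zip archives."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name, payload = part.get_filename() or "", part.get_payload(decode=True) or b""
        if classify_name(name):
            findings.append((name, classify_name(name)))
        elif zipfile.is_zipfile(io.BytesIO(payload)):
            findings += [(name + "/" + m, v) for m, v in scan_zip(payload)]
    return findings

def build_sample():
    """Constructed sample: a fake 'UPS' notice carrying Tracking_Info.zip (not a real specimen)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tracking_Info.pdf.exe", b"MZ" + b"\x00" * 62)  # the reported pattern
        zf.writestr("invoice.pdf", b"MZ" + b"\x00" * 62)  # bound executable hidden by its name
    msg = email.message.EmailMessage()
    msg["From"] = "UPS Tracking <tracking@ups.com>"  # constructed; the From header is easily spoofed
    msg.set_content("Please open the attached tracking information.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Tracking_Info.zip")
    return msg.as_bytes()
```

Running `scan_message(build_sample())` reports both ZIP members, the .pdf.exe by name and the renamed executable by its MZ header, which is the check a mail gateway or a cautious user's script can apply before anything is opened.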
