[meteorite-list] OT- Security Alert Issued- CryptoLocker Warning

From: drtanuki <drtanuki_at_meteoritecentral.com>
Date: Fri, 15 Nov 2013 14:01:03 -0800 (PST)
Message-ID: <1384552863.46246.YahooMailNeo_at_web141401.mail.bf1.yahoo.com>

OT- Security Alert Issued- CryptoLocker Warning

List, This is important because we don't need this infection within our list. Please read carefully. Thank you. Dirk Ross...Tokyo

CryptoLocker Warning

NEVER open attachments you are not expecting. CryptoLocker is a particularly bad nasty that you never want to see. Microsoft issued a critical alert about it, and today CERT issued a second alert. I've already had to deal with two small infestations at work, and every affected machine had to be wiped because this malware brings along a bunch of 'friends' to party on the infected machine.


On Wednesday, Nov 13, 2013, at 15:55

> Ghu knows I hate the "sky is falling" notes that say "Read This!!! Important!!!". Well, this actually IS a "Read This!!! Important!!!" I just got this from the folks that host my Citrix system. They are good (heck, my son worked for 'em for 5 years!). When they say "this is nasty" they know of what they speak. I was in Hot Springs, Arkansas, a couple of weeks ago talking with an IT guy. He was in the middle of rebuilding a customer's box that got hit. If you ARE hit, and you DON'T have appropriate backups, and you DON'T pay the ransom guys you are, to put it bluntly, screwed.
>
> Do NOT open an attachment you are unsure of, even if it comes from someone you trust. Emails can be spoofed.

>
> ==================================
> CryptoLocker is Trojan horse malware which surfaced in late 2013, a form of ransomware targeting computers running Microsoft Windows. CryptoLocker disguises itself as a legitimate attachment; when activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displays a message which offers to decrypt the data if a payment (through either Bitcoin or a pre-paid voucher) is made by a stated deadline, and says that the private key will be deleted and unavailable for recovery if the deadline passes. If the deadline is not met, the malware offers to decrypt data via an online service provided by the malware's operators, for a significantly higher price in Bitcoin.
>
> CryptoLocker typically propagates as an attachment to a seemingly innocuous e-mail (usually taking the appearance of a legitimate company e-mail), or from a botnet. The attached ZIP file contains an executable file with filename and icon disguised as a PDF file, taking advantage of Windows' default behaviour of hiding the extension from file names to disguise the real .EXE extension. Some instances may actually contain the Zeus trojan instead, which in turn installs CryptoLocker.[1][2] When first run, the payload installs itself in the Documents and Settings folder with a random name, and adds a key to the registry that causes it to run on startup. It then attempts to contact one of several designated command and control servers; once connected, the server then generates a 2048-bit RSA key pair, and sends the public key back to the infected computer.[1][3] The server may be a local proxy and go through others, frequently relocated in different countries to make tracing difficult.[4][5]
>
> The payload then proceeds to begin encrypting files across local hard drives and mapped network drives with the public key, and logs each file encrypted to a registry key. The process only encrypts data files with certain extensions, including Microsoft Office, OpenDocument, and other documents, pictures, and AutoCAD files.[2] The payload then displays a message informing the user that files have been encrypted, and demands a payment of 300 USD or Euro through an anonymous pre-paid cash voucher (i.e. MoneyPak or Ukash), or 2 Bitcoin in order to decrypt the files. The payment must be made within 72 or 100 hours, or else the private key on the server would be destroyed, and "nobody and never will be able to restore files."[1][3] Payment of the ransom allows the user to download the decryption program, which is pre-loaded with the user's private key.[1]
>
> In November 2013, the developers of CryptoLocker launched an online service which claims to allow users to decrypt their files without the CryptoLocker program, and to purchase the decryption key after the deadline expires; the process involves uploading an encrypted file to the malware site as a sample, and waiting for the service to find a match, which the site claims would occur within 24 hours. Once a match is found, the user can pay for the key online; if the 72-hour deadline has passed, the cost increases to 10 Bitcoin (which, in early November 2013, was valued at over $2000 USD).[6][7]
>
> Security software might not detect CryptoLocker, or detect it only after encryption is underway or complete. If an attack is suspected or detected in its early stages, it takes some time for encryption to take place; immediate removal of the malware (which itself is a relatively trivial process) would theoretically limit its damage to data.[8][9] Experts instead suggested precautionary measures, such as using software or other security policies to block the CryptoLocker payload from launching at all.
> ==================================
>
Received on Fri 15 Nov 2013 05:01:03 PM PST
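The quoted description notes that the CryptoLocker attachment was a ZIP containing an executable named and iconed to look like a PDF, relying on Windows hiding the real .EXE extension. The following is an added example (not part of the original post or of the quoted text) of the kind of mail-gateway check a defender can run on an attachment before it reaches a user: it lists the archive's entry names and flags executable entries, with a stronger warning for "document-looking" double extensions such as invoice.pdf.exe. The extension lists, the function names and the sample ZIP built in memory are all assumptions constructed for the example.

```python
"""Added example (not from the mailing-list post): flag disguised executables
inside a ZIP attachment before a user ever sees the file name."""
import io
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Extensions Windows will run on double-click (assumed starter list; extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".wsf"}
# Extensions a recipient expects to be harmless documents or images.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


@dataclass(frozen=True)
class Finding:
    name: str     # entry name exactly as stored in the archive
    reason: str   # why the gateway should quarantine it


def classify_name(name: str) -> Optional[Finding]:
    """Return a Finding if an archive entry name is an executable, or None if not.

    With "hide extensions for known file types" on, Explorer shows
    "report.pdf.exe" as "report.pdf", so a document-looking second-to-last
    extension is the disguise worth calling out explicitly.
    """
    base = name.lower().rsplit("/", 1)[-1]        # drop any directory component
    parts = base.split(".")
    if len(parts) < 2:
        return None                               # no extension at all
    real_ext = "." + parts[-1]
    if real_ext not in EXECUTABLE_EXTS:
        return None
    # strip() also catches names padded with spaces, e.g. "report.pdf       .exe"
    if len(parts) >= 3 and "." + parts[-2].strip() in DOCUMENT_EXTS:
        return Finding(name, f"executable disguised as {parts[-2].strip()} (double extension)")
    return Finding(name, f"executable attachment ({real_ext})")


def scan_zip_bytes(data: bytes) -> List[Finding]:
    """Scan every file entry of a ZIP held in memory; names alone decide here."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            finding = classify_name(info.filename)
            if finding is not None:
                findings.append(finding)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: a benign text file, a disguised
    executable and a plain screensaver binary. The "MZ" bytes are a fake
    header, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("Invoice_2013-11.pdf.exe", b"MZ" + b"\x00" * 16)
        zf.writestr("photos/holiday.scr", b"MZ")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip_bytes(build_sample_zip()):
        print(f"QUARANTINE {f.name}: {f.reason}")
```

The check deliberately works on names only, so it is cheap enough to run on every inbound attachment; a gateway would pair it with a policy that blocks executable attachments outright, which is the "block the payload from launching at all" precaution the quoted text recommends.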
