Archive for Security

Analysis of a Ransomware

Ransomware (often referred to as Cryptolocker) is one of the most dangerous malware threats in today’s environment.

If the virus gets onto your computer, it will begin locking down the files on your computer by encrypting them with a key you do not have. It will then display a message that you have XX number of hours or days to pay the ransom to get the key that unlocks your files.

Unless you have a solid backup, your two options are: pay the ransom or lose all your files. The ransom could be in the hundreds of dollars. For a California hospital, that ransom was to the tune of $17,000!

MalwareBytes has a blog post on their site dated March 1, 2016 which gives an in-depth analysis of how such a ransomware virus works.

I found it an interesting read, and thought I would pass it along.

You can go directly to the blog post and read it, or I saved it as a PDF file that you might find easier to read.

Kudos to MalwareBytes!

New Ransomware Prevention Kit Coming Soon

Amy Babinchak, President of Third Tier, has announced that they will be releasing an updated version of their Ransomware Prevention Kit next week.

http://www.thirdtier.net/2015/11/the-new-ransomware-kit-is-coming-soon/

Two years ago (October 2013), Amy and her team led the way in providing a solution to help block the CryptoLocker attacks that were causing havoc worldwide (see blog post).

A lot has changed in the past two years, and such threats can still do great harm and damage for both individuals and businesses. Thanks to Third Tier, I sleep better knowing that my systems are protected.

Finally, Third Tier wants to reach out and encourage more women to get certified and work in the I.T. field, and is using this new Prevention Kit to raise money for this effort!

Flash Player Action Script Warnings on IE11

After Tuesday, August 11, 2015, many users began to report receiving Flash Player alerts or warnings when using Internet Explorer 11 (IE11) on Windows 8.1 or Windows Server 2012 R2. These popups warn about ActionScript and other Flash features.

The good news is that there is nothing to worry about. Your computer was NOT hacked or infected.

What happened was that in the August 2015 Windows updates, Microsoft accidentally updated the Flash Player embedded in IE11 with the “debugger” build of Flash Player instead of the normal release build.

Microsoft has updated the notes for KB3087916 to reflect this known issue, which Microsoft says should be fixed by August 18th.

Ransomware Still Causing Havoc

Nearly two years ago (October 2013) I wrote a blog post titled “Beware Cryptolocker Malware Madness”, a warning about a new strain of ransomware called “Cryptolocker”. At that time, I immediately implemented new protection software and strengthened security policies on the servers and workstations that I manage.

The Detroit Free Press recently ran an updated article about ransomware attacks on computers.

During these past two years, there have been several new variations of this malware threat. It has found its way into home computers as well as multi-national companies. Unfortunately, it is not easily detected by security or anti-virus programs. I have had to clean up a ransomware attack only three times. In all three cases, we had backups available to restore the files that had been encrypted.

When a computer has been infected, the virus begins encrypting all your files. Suddenly, you find that you cannot open letters, pictures and spreadsheets, as well as data files (Quicken, QuickBooks, etc.). And if your computer is on a home or business local network, this ransomware can quickly spread to other computers or servers.

It is called “ransomware” because you generally have 72 hours to pay the ransom, which can range from $200 to thousands of dollars, to unlock your files. Unless you have a backup of those files, you either pay the ransom or lose those files for good.

In the near future I will be communicating with my clients on additional security precautions I will be recommending to minimize the threat and damage caused by this malware.

MaxFocus Releases BitDefender Support for Their RMM Solution

MaxFocus (formerly GFI) formally released today a new AV engine, powered by BitDefender, for their Remote Management (RMM) platform. You can read the details on their blog site.

Their current AV engine (Vipre) will be supported for the near future, which will allow us to test and transition customers to BitDefender in an orderly manner.

For MSPs, like myself, there are several new things that will make managing AV easier and better:

  1. There are only three policies (server, desktop and laptop) with BD, versus separate policies for different OS and server versions.
  2. Snooze feature allows you to temporarily disable the Managed Antivirus (MAV) for up to one hour when doing system maintenance on a device. Previously, you would need to create a “Disable AV” policy and then move a device or system to that policy.
  3. Direct communication from the dashboard to MAV managed devices is now available. This means that scanning and update commands are sent instantly, rather than waiting for the next time the device checks in with the system.

Customers and users may ask: why a new AV engine?

The threat landscape in today’s environment is constantly changing, so it is critical that we offer the best solution for antivirus and malware protection. Some of the benefits for customers are:

  1. BitDefender has been shown to be more effective at fighting malware and viruses, with fewer false positives.
  2. Behavioral (heuristic) scanning, added alongside Active Protection, provides another layer of defense.


QuickBooks dbdata11.dll and Vipre/MAV

Friday morning (6-26-2015) I started receiving calls from several of my customers saying that they could not run QuickBooks, and that they were getting an alert that the file “dbdata11.dll” had been quarantined.

With the help of other members of The ASCII Group, we quickly determined that it was a false positive due to a bad definition file update from Vipre (or the RMM version called MAV).

Soon after, MAXFocus (previously GFI) sent out a service status alert about the issue, stating that it had been resolved with definition version 41468 and above. It was recommended to add the file (dbdata11.dll) to the Vipre/MAV exception list before updating systems with the newer definition file.

Note: make the exception for the file name only, not for the folder plus file, because the folder name is randomly generated by QuickBooks and a folder-based exception will not match the next copy.

That should have been it. Right? … Wrong!

I received a call from one of my users saying that one of their systems with QuickBooks installed on it had locked up. At about the same time they reported this issue, I received an email alert from the RMM service I use saying that the C: drive of this system had dropped to below 20% free space.

Once we got the system rebooted, I logged in and discovered that there were 44,175 folders taking up nearly 62GB of disk space. These folders were located in C:\Users\QBDataServiceUser22\appdata\local\temp. Each of these folders contained a single file: dbdata11.dll.

It turns out that every time Vipre/MAV quarantined this file, QuickBooks created a new temp folder with the same file!

So once I had the A/V definition file updated, and we had rebooted the system, I went in and safely deleted all 44,175 folders!

What a fun way to spend a Friday!

Watch Out for Malicious Flashlight Apps

Who would have thought that the flashlight app on your smartphone could be malicious?

According to the cyber-security company SnoopWall, there are at least ten flashlight apps that are malicious and can steal and send personal data. They published a threat assessment report back in October 2014.

If your phone has one of these listed apps, the recommendation is to back up your contacts and personal files from your phone, and then do a factory reset of your phone. Deleting the app is not enough, as these apps store malicious data in hidden places on your phone.

Here is a 6-minute video from Fox News interviewing SnoopWall’s CEO, Gary Miliefsky, on this subject.

Vipre creating thousands of SBS_STDRL temp files

Over this past weekend, I started seeing a buildup of temp files in the C:\Windows\Temp directory. The temp files were named SBS_STDRL_*. My immediate and natural fear was of a virus or hack attack.

The only thing all the systems in question had in common was that they were all running the MaxFocus (formerly GFI) Managed AntiVirus program (Vipre). As soon as I stopped MAV from running, the temp files stopped accumulating. Looking at the file dates, this all started on Thursday, Jan-15-2015.

I contacted MaxFocus Sunday evening and submitted a support ticket. By then I had systems with as few as a hundred files, up to systems with over 100,000 temp files created. Fortunately, each of these files was only 1K in size.

For the most part, this issue did not cause a lot of problems. However, I did have several customer servers that were negatively impacted by it. Those customers started calling Monday morning reporting poor performance.

On Monday, Jan-19-2015, ThreatTrack Security (formerly Vipre) posted a notice about the temp file issue in their forum acknowledging the problem, and indicating that these files could be deleted:

We are currently investigating an issue where the SBS_STDRL files in C:\Windows\Temp are not being deleted automatically. These files are generated by Active Protection and through VIPRE scans. This may cause increased scan times depending on system specifications. You can delete these files by running command prompt as admin then entering the following command: del %windir%\temp\SBS_STDRL*

Later that day they posted a follow up indicating that the issue was caused by a bad definition file, and that it had been fixed with definition version 36798.

This issue has been fixed in definition version 36798. Please make sure you have updated your definitions to the latest version to stop this issue from happening. Please note, this will not delete the SBS_STDRL files that are already created, so the instructions in the first part of this should be followed if you wish to remove these files.

By Tuesday morning, all systems were running fine. I used a built-in script of the MaxFocus RMM to schedule a cleanup of system temp files, which included checking the C:\Windows\Temp folder.
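As an added example (not the author's script and not the MaxFocus RMM built-in one), here is a PowerShell audit-and-cleanup pair that covers both incidents in these posts: the SBS_STDRL_* build-up in C:\Windows\Temp, and the dbdata11.dll copies QuickBooks re-created in randomly named folders under its temp directory. The paths and filter names are taken from the posts; the 1,000-file alert threshold is an assumption to tune per site.

```powershell
# Added example (not the blog author's or MaxFocus's script): audit, and optionally
# clean up, a runaway temp build-up such as Vipre/MAV's SBS_STDRL_* files or the
# dbdata11.dll copies QuickBooks re-created in per-folder temp directories.
function Get-TempBuildupReport {
    param(
        [Parameter(Mandatory)] [string]$Path,    # e.g. "$env:windir\Temp"
        [Parameter(Mandatory)] [string]$Filter,  # e.g. 'SBS_STDRL_*' or 'dbdata11.dll'
        [int]$AlertCount = 1000                  # assumed threshold; tune per site
    )
    $files  = @(Get-ChildItem -LiteralPath $Path -Filter $Filter -File -Recurse -Force -ErrorAction SilentlyContinue)
    $sorted = @($files | Sort-Object LastWriteTime)
    $bytes  = ($files | Measure-Object -Property Length -Sum).Sum
    # Oldest write time shows when the loop began (correlate it with the AV definition
    # update); the newest shows whether the loop is still running.
    $oldest = if ($sorted.Count) { $sorted[0].LastWriteTime }  else { $null }
    $newest = if ($sorted.Count) { $sorted[-1].LastWriteTime } else { $null }
    [pscustomobject]@{
        Path   = $Path
        Filter = $Filter
        Count  = $files.Count
        SizeGB = [math]::Round([double]$bytes / 1GB, 2)
        Oldest = $oldest
        Newest = $newest
        Alert  = $files.Count -ge $AlertCount
    }
}

function Remove-TempBuildup {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string]$Path, [Parameter(Mandatory)] [string]$Filter)
    # Run this only after the AV definitions are fixed, otherwise the files come straight back.
    $files   = @(Get-ChildItem -LiteralPath $Path -Filter $Filter -File -Recurse -Force -ErrorAction SilentlyContinue)
    $parents = @($files | ForEach-Object DirectoryName | Sort-Object -Unique)
    foreach ($f in $files) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove file')) { Remove-Item -LiteralPath $f.FullName -Force }
    }
    # Remove the randomly named per-file folders left behind (the QuickBooks case),
    # but only when they are now empty and are not the root path itself.
    foreach ($d in $parents) {
        if ($d -eq $Path.TrimEnd('\')) { continue }
        if (-not (Get-ChildItem -LiteralPath $d -Force)) {
            if ($PSCmdlet.ShouldProcess($d, 'Remove empty folder')) { Remove-Item -LiteralPath $d -Force }
        }
    }
}

# Constructed usage: report first, then a dry run (-WhatIf) of the cleanup.
Get-TempBuildupReport -Path "$env:windir\Temp" -Filter 'SBS_STDRL_*' | Format-List
Get-TempBuildupReport -Path 'C:\Users\QBDataServiceUser22\AppData\Local\Temp' -Filter 'dbdata11.dll' | Format-List
Remove-TempBuildup -Path "$env:windir\Temp" -Filter 'SBS_STDRL_*' -WhatIf
```

Drop -WhatIf only once the report's Newest timestamp stops advancing after the definition update, which confirms the quarantine loop has actually stopped.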

Microsoft’s EMET 5.0

In case you missed it, Microsoft rolled out version 5.0 of their Enhanced Mitigation Experience Toolkit (EMET) in July 2014. This follows on the heels of EMET 4.0 (Nov 2013) and EMET 4.1 (May 2014).


What is EMET?

You may be asking yourself What is EMET? Why should I install it? Where or when should I install it? Susan Bradley has written an in-depth article on EMET, covering all of these questions. I highly recommend reading her article.

EMET helps defend against zero-day threats. It is a standalone security application, but that does not mean it should be installed on every workstation. The basic guideline is to install EMET on those systems where you do online tasks that involve sensitive personal information, purchases or online banking.

EMET: A Customer’s Perspective

Installing EMET

EMET can be installed standalone, which is what I am showing here. The EMET manual offers additional information and guidance for businesses and domain-based networks.

If you have a previous version of EMET installed, you will need to uninstall it first and reboot before installing EMET 5.0.

If you wish, go ahead and download and install EMET 5.0 now! Installation is straightforward and does not require a reboot of the workstation. EMET 5.0 supports the Windows clients Vista SP2, Windows 7 SP1 and Windows 8/8.1, as well as Windows Server 2008 SP2, 2008 R2 SP1, 2012 and 2012 R2.

The only suggestion I would make when installing EMET 5.0 is to select “Use Recommended Settings” when the installer prompts you.

After installing EMET 5.0, you will find a new Padlock icon in your list of notification-area icons in your taskbar.


Right click on the Padlock icon, and select Open EMET to view the EMET Settings.


New Crypto-Locker with DropBox attachment

There has been a rush of reports on newer strains of the Crypto-Locker (ransomware) type of virus. If it gets on your computer, it will begin encrypting your data files and make them unusable. More importantly, your screen will display a message saying that you must pay $1,000 if you want to restore access to your files.

Now comes word that some of these newer strains are being delivered by dropping files from a rogue DropBox account to your computer via a link in an email.

In fact, I just identified the first of this type of email myself. On further investigation, I found that it was indeed associated with DropBox. Fortunately, my spam filter blocked the email.

The email appeared to be a harmless message saying that I had received a fax from a company called J2.com; I examined it from within my spam filter.

The email contained two links. Hovering over (but not clicking) either link displayed the real destination URL, which is what tied the email to DropBox rather than to J2.com.

Here is a blog post from MXLab on the same exact issue.

So, please — be very careful with emails and attachments.