Archive for Malware – Page 2

Cloud-based Web Protection from GFI now available

GFI recently rolled out their new Web Protection solution, allowing KW Support & Consulting to deliver web security, web filtering and web bandwidth monitoring to its clients. Web Protection is integrated into the GFI RemoteManagement dashboard and is based on GFI’s award-winning GFI WebMonitor product.

Features include:

  • Web security – stop clients’ end-users from accidentally visiting malicious sites pushing malware, phishing, proxies, spyware, adware, botnets, etc.
  • Web filtering – help end-users stay productive with common-sense web browsing policies designed for the workplace. Protects the business from legal liability and reduces the risk of a security breach through proactive internet access controls.
  • Bandwidth monitoring – automatic alerts when excessive bandwidth activity on a network is identified, so you can remediate quickly and maintain productivity.

With Web Protection integrated into the GFI RemoteManagement platform, there is no software to install at the client site, no DNS name records to create or modify, and all settings and policies are managed right from the RMM dashboard.

If a user goes to a malicious web site, this is the type of warning screen they will receive:


New Crypto-Locker with DropBox attachment

There has been a rush of reports on newer strains of the Crypto-Locker (Ransomware) type of virus. If it gets on your computer, it will begin encrypting your data files and make them unusable. More importantly, your screen will display a message saying that you must pay $1,000 if you want to restore access to your files.

Now comes word that some of these newer strains are being delivered by dropping files from a rogue DropBox account to your computer via a link in an email.

In fact, I just identified the first of these types of emails myself. On further investigation, I found that, indeed, it was associated with DropBox. Fortunately, my spam filter blocked the email.

The email appeared to be a harmless email saying that I had received a fax from a company called J2.com. Here’s the email, as viewed from my spam filter:


The red arrows indicate the two links in the email. If I hover (but don’t click) over either link, this is the URL that it displayed:


Here is a blog from MXLab on the same exact issue.

So, please — be very careful with emails and attachments.

Microsoft includes XP in fix for recent IE security issue

Today (May 1, 2014) Microsoft released a security update (MS14-021 / 2965111) that addresses the recent Internet Explorer (IE) issue first discussed in Security Advisory 2963983. More importantly, Microsoft has decided to make this patch available to Windows XP users, even though XP is officially no longer a supported operating system.

If your computers are set to receive automatic Windows updates from Microsoft, then this patch will be automatically installed.

Read more here:

http://blogs.technet.com/b/msrc/archive/2014/05/01/out-of-band-release-to-address-microsoft-security-advisory-2963983.aspx

https://technet.microsoft.com/library/security/ms14-may 

https://technet.microsoft.com/library/security/ms14-021

Unregister VGX.DLL for IE Zero-Day workaround

Post revised 4/30/2014

Over this past weekend (April 27, 2014), there have been numerous reports of another zero-day security flaw in Internet Explorer. Some sites have gone so far as to say “stop using Internet Explorer” completely until this flaw is fixed.

But given that the vulnerability exists in the now-deprecated VML vector graphics format, there is an easy workaround recommended by Microsoft and others — simply unregister the VGX.DLL system file associated with this deprecated format. Note that this is a workaround, not a fix: it removes IE’s ability to render VML until the DLL is registered again.

To unregister VGX.DLL manually

These instructions should work for XP, Vista, Windows 7, and Windows 8 computers. Before starting, you will need to know whether you are running a 32-bit or a 64-bit version of Windows.

  1. Press WIN+R to display the Run window.
    (“WIN” is the Windows key next to the ALT key. Hold the WIN key down like a Shift key, then press the letter R.)
  2. Type (or copy and paste) the following command into the Run window, including the straight double quotes:
    "%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
  3. Wait for a response window to appear telling you that the command was successful.
  4. If you are running a 32-bit version of Windows, you are done.
  5. If you are running a 64-bit version of Windows, repeat steps 1 to 3 using the following command instead:
    "%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"
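As an added example (not part of the original post), the same unregistration can be scripted for deployment through an RMM tool or a startup script. It assumes an elevated PowerShell session (Windows 7 or later, or XP with PowerShell installed) and uses only the DLL paths the post gives; the `/s` switch suppresses the success dialog so it can run unattended.

```powershell
# Added example, not from the original post: unregister vgx.dll on 32-bit and
# 64-bit Windows in one pass and report the regsvr32 exit code for each copy.
$vgxPaths = @(
    (Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll')
)
if (${env:CommonProgramFiles(x86)}) {
    # Only defined on 64-bit Windows; this is the second copy the post mentions.
    $vgxPaths += (Join-Path ${env:CommonProgramFiles(x86)} 'Microsoft Shared\VGX\vgx.dll')
}

$regsvr32 = Join-Path $env:SystemRoot 'System32\regsvr32.exe'

foreach ($dll in $vgxPaths) {
    if (-not (Test-Path -LiteralPath $dll)) {
        Write-Output "Not present, nothing to do: $dll"
        continue
    }
    # /u = unregister, /s = silent (no message box), so it is safe to run unattended
    $proc = Start-Process -FilePath $regsvr32 -ArgumentList '/u', '/s', "`"$dll`"" -Wait -PassThru
    if ($proc.ExitCode -eq 0) {
        Write-Output "Unregistered: $dll"
    } else {
        # Non-zero usually means the session is not elevated or the DLL was already unregistered
        Write-Warning "regsvr32 returned exit code $($proc.ExitCode) for $dll"
    }
}
```

The DLL stays on disk; only its COM registration is removed, which is why a later IE update can register it again.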

For more information:

https://technet.microsoft.com/en-us/library/security/2963983.aspx

http://nakedsecurity.sophos.com/2014/04/27/microsoft-acknowledges-in-the-wild-internet-explorer-zero-day/

Microsoft Security Essentials Crashing on XP

Microsoft Security Essentials (MSE) is Microsoft’s free anti-virus program for personal use, and for businesses with 10 or fewer computers. Microsoft has indicated that if you already have MSE installed on Windows XP, it will be supported and updated for another year, even though XP is no longer a supported platform.

To my surprise, I was at a client’s office on Wed April 16th and powered up two XP workstations. Both of them hung for the longest time right after logging in. Once they did come up, I was presented with various error messages about MSE. With no time to investigate, I went ahead and uninstalled MSE and then installed a different anti-virus program.

Today, I heard that a bad definition file might have been the cause.

CryptoLocker Group Policy Exceptions

In recent posts (here) I’ve addressed the process of creating Group Policy rules to secure your workstations from attacks like the CryptoLocker ransomware. These rules prevent executable files located in your local Application Data folder (AppData) from running, regardless of how they got there.

The vast majority of programs that you may use should not put .exe files in the AppData folder, but every so often we come across an exception. In my case, I tried running Join.Me this morning and was greeted with this pop up window:


The process of adding an exception to the Software Restriction Policy rules we previously created is very straightforward:

  1. From the server, open up the Group Policy Management console
  2. Drill down Your_domain.local –> MyBusiness –> Computers –> SBSComputers

  Modify the XP rule

  3. Right click on the Prevent CryptoLocker XP rule, and click Edit
  4. Drill down Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Software Restriction Policies
  5. Right click on Additional Rules, then click New Path rule… and create a new rule for the exception.
    In my case, my rule looks like this:
  6. Click OK

  Modify the Vista and higher rule

  7. Right click on the Prevent CryptoLocker Vista and higher rule, and click Edit
  8. Drill down Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Software Restriction Policies
  9. Right click on Additional Rules, then click New Path rule… and create a new rule for the exception.
    In my case, my rule looks like this:
  10. Click OK

You may now wait the appropriate time (somewhere around 90 minutes, I believe) for Group Policy changes to be broadcast to all workstations, or, if you are in a hurry:

  1. From the server, open up an elevated command prompt and run: gpupdate /force
  2. Then from your workstation, open up an elevated command prompt and run: gpupdate /force

You may now test out your application.
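An added example, not from the original post or the Third Tier kit: before rolling out the Disallowed rules, or when a user reports a block like the Join.Me one above, list every .exe under the current user’s AppData folders with its Authenticode signer, so the legitimate exceptions can be separated from anything that has no business being there. It assumes PowerShell 3.0 or later on the workstation; the `srptest` names are not from the post.

```powershell
# Added example, not from the original post: inventory executables under the
# roaming (%AppData%) and local (%LocalAppData%) profile folders, the two
# locations the CryptoLocker path rules cover.
$roots = @($env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$findings = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Filter '*.exe' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Depth 0 = directly in the root folder, 1+ = in a subfolder
            $rel   = $_.FullName.Substring($root.Length).TrimStart('\')
            $depth = $rel.Split('\').Count - 1
            [pscustomobject]@{
                Root      = Split-Path -Leaf $root      # "Roaming" or "Local"
                Depth     = $depth
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                SigStatus = $sig.Status                  # Valid, NotSigned, HashMismatch, ...
                Modified  = $_.LastWriteTime
                Path      = $_.FullName
            }
        }
}

# Unsigned or recently written binaries deserve a look first; signed binaries
# from a known vendor are the candidates for an exception path rule.
$findings | Sort-Object SigStatus, @{ Expression = 'Modified'; Descending = $true } |
    Format-Table Root, Depth, SigStatus, Signer, Modified, Path -AutoSize
```

Run it as the affected user, since the profile folders and the exceptions are per user.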

Testing your CryptoLocker Group Policy

I posted previously on using Group Policy to establish rules to prevent executable files (.exe) stored in the Windows AppData directory from running, as a way to minimize or prevent the Cryptolocker-type ransomware from infecting your computers.

Someone asked me: “How do I know if the group policy rules are working?”

Good question … easy answer: drop in a small executable file into your local AppData directory and try to run it. I like to use notepad.exe for this test.

Here are the steps if doing this from a Vista / Win7 / Win8 workstation:

  1. Open up an elevated command prompt window.
    By default, it should put you into the C:\Windows\System32 folder
  2. Enter the following commands, pressing Enter after each:
    copy notepad.exe %localappdata% 
    cd %localappdata%
    notepad.exe
  3. If you receive an error message: “This program is blocked by group policy.” – then your group policy rules are working.
    Congratulations!


Block Executables from AppData folder

The SMB Kitchen team from Third Tier has made available, for free, a CryptoLocker Prevention Kit whose 20-page document gives step-by-step instructions on locking down your servers and workstations with Group Policy settings to minimize future attacks.

The purpose of this post is to summarize those steps down to a single page. These steps are specific to SBS 2008/2011, but should be applicable to Windows 2008/2012 servers.

GOAL: create Software Restriction Policies within Group Policies to block executables (.exe) from running when they are located in the AppData folder or subfolders therein.

CREATE POLICIES FOR XP

  1. Open up Group Policy and drill down to Domain –> Computers –> SBSComputers
  2. Right click on SBSComputers and select ‘Create a GPO in this domain and link…’
  3. Title this policy Prevent CryptoLocker XP and click OK
  4. Right click on this policy and select Edit
  5. Navigate to Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Software Restriction Policies
  6. Right click on Software Restriction Policies and click on ‘New Software Restriction Policies’
  7. Right click on Additional Rules and click on ‘New Path rule’, enter the following information and then click OK
    Path = %AppData%\*.exe
    Security Level = Disallowed
    Description: Don’t allow executables from AppData
  8. Repeat step 7 for AppData subfolders
    Path = %AppData%\*\*.exe
    Security Level = Disallowed
    Description: Don’t allow executables from AppData subfolders
  9. Close this policy configuration window
  10. From the Prevent CryptoLocker XP policy, locate WMI Filtering near the bottom of the middle frame and select ‘Windows SBS Client – Windows XP’

CREATE POLICIES FOR VISTA / WIN7 / WIN8

  1. Open up Group Policy and drill down to Domain –> Computers –> SBSComputers
  2. Right click on SBSComputers and select ‘Create a GPO in this domain and link…’
  3. Title this policy Prevent CryptoLocker Vista and higher and click OK
  4. Right click on this policy and select Edit
  5. Navigate to Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Software Restriction Policies
  6. Right click on Software Restriction Policies and click on ‘New Software Restriction Policies’
  7. Right click on Additional Rules and click on ‘New Path rule’, enter the following information and then click OK
    Path = %localAppData%\*.exe
    Security Level = Disallowed
    Description: Don’t allow executables from AppData
  8. Repeat step 7 for AppData subfolders
    Path = %localAppData%\*\*.exe
    Security Level = Disallowed
    Description: Don’t allow executables from AppData subfolders
  9. Close this policy configuration window
  10. From the Prevent CryptoLocker Vista and higher policy, locate WMI Filtering near the bottom of the middle frame and select ‘Windows SBS Client – Windows Vista’
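An added example, not from the original posts, that extends the notepad.exe test from the “Testing your CryptoLocker Group Policy” post to all four locations the two GPOs cover (%AppData% and %LocalAppData%, root and subfolder). It assumes an elevated PowerShell 3.0+ prompt on a domain-joined workstation; the `srptest` folder and file names are constructed for the test. Given the WMI filters above, a Vista/Win7/Win8 machine is expected to block only the %LocalAppData% rows.

```powershell
# Added example, not from the original posts: copy notepad.exe into each
# location a path rule covers, try to start it, report BLOCKED / NOT BLOCKED,
# and clean up afterwards.
$probe   = Join-Path $env:SystemRoot 'System32\notepad.exe'
$targets = @(
    @{ Name = 'Roaming AppData root   (%AppData%\*.exe)';        Dir = $env:APPDATA },
    @{ Name = 'Roaming AppData subdir (%AppData%\*\*.exe)';      Dir = (Join-Path $env:APPDATA 'srptest') },
    @{ Name = 'Local AppData root     (%LocalAppData%\*.exe)';   Dir = $env:LOCALAPPDATA },
    @{ Name = 'Local AppData subdir   (%LocalAppData%\*\*.exe)'; Dir = (Join-Path $env:LOCALAPPDATA 'srptest') }
)

foreach ($t in $targets) {
    New-Item -ItemType Directory -Path $t.Dir -Force | Out-Null
    $copy = Join-Path $t.Dir 'srptest-notepad.exe'
    Copy-Item -LiteralPath $probe -Destination $copy -Force   # copying is allowed, only execution is restricted
    try {
        # A Disallowed path rule makes process creation fail with
        # "This program is blocked by group policy", which surfaces as an exception here.
        $p = Start-Process -FilePath $copy -PassThru -ErrorAction Stop
        Stop-Process -Id $p.Id -Force
        Write-Warning "NOT BLOCKED: $($t.Name)"
    } catch {
        Write-Output "BLOCKED:     $($t.Name) -> $($_.Exception.Message)"
    } finally {
        Remove-Item -LiteralPath $copy -Force -ErrorAction SilentlyContinue
    }
}

# Remove the constructed test subfolders
foreach ($d in @((Join-Path $env:APPDATA 'srptest'), (Join-Path $env:LOCALAPPDATA 'srptest'))) {
    Remove-Item -LiteralPath $d -Recurse -Force -ErrorAction SilentlyContinue
}
```

Run `gpupdate /force` on the workstation first if the GPO was just created, otherwise the rows will all report NOT BLOCKED.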

Beware Cryptolocker Malware Madness

The past few weeks have been filled with reports of workstations and servers infected with the CryptoLocker ransomware. It is being called one of the worst malware attacks ever seen, and these infections are occurring even where anti-virus and anti-spam filters are in place.


http://blog.emsisoft.com/2013/09/10/cryptolocker-a-new-ransomware-variant/

Please do not treat this lightly!

The result of this attack is that the files on your computer are encrypted with a high-level 128-bit encryption key, and the malware quickly moves on to encrypt files on any mapped drives or attached USB drives as well. And even worse — there is no known tool to decrypt these files.

This malware often comes in through rogue emails that appear to be from FedEx, UPS, Amazon or other similar purchasing sites. It may be a link in the email, or an attachment. But clicking on the link or the attachment is all that it takes.

SHUTDOWN YOUR COMPUTER IMMEDIATELY

You will know if you have been infected with the Cryptolocker malware, because you will see a large message on your screen telling you to pay a ransom to get your data files back.

Do not attempt to run any anti-virus or anti-malware utilities. If you see the ransom message, turn off your computer immediately. Power it off and disconnect your network cable.

BACKUP – BACKUP – BACKUP!!!!

The best advice anyone will give you is to make sure you have up-to-date backups of your servers, workstations and your data. Because if you get caught by this malware, you will need to restore your data from backup. It primarily seeks out office files (Word, Excel, etc.), but will also look for database files (Access, FoxPro, etc.).

CryptoLocker can be removed using well-known malware removal tools, such as MalwareBytes. But these tools CANNOT decrypt your encrypted files.

DO NOT PAY THE RANSOM!

The Cryptolocker malware will display a large warning message that your computer has been compromised, and that you can recover your files if you pay the required ransom (anywhere from $100 to $300). But they say that you only have a limited amount of time to pay this ransom, generally 72 hours.

Even though there are some people who have reported paying the ransom and getting their files decrypted, I cannot condone such actions. Not only is there no assurance that the cleanup will take place if you pay the money, it still remains that your system has been compromised.

REFORMAT and RELOAD

I strongly advise reformatting infected systems and restoring Windows, either from backup or as a clean install.

List of Malware Tools I use

I’m sure everyone has their own personal “go to” list. I’d be interested in what others have found to be indispensable in their arsenal of malware-fighting utilities. I’m only focusing on SOHO and very small businesses or residential workstations.

For day-to-day protection at residential sites (family and friends), I will suggest they install, at a minimum, these three FREE utilities:

[logos: Microsoft Security Essentials (MSE), MalwareBytes, CCleaner]

For Small businesses (less than 10 workstations), I use the same three tools. MSE is now licensed for use in small businesses. MalwareBytes and CCleaner can be purchased for use in a business environment, and provide additional features over their free version counterpart.

For workstations that need further cleaning up, I will use one or more of the following tools:
