Your Anti Virus Won’t Save You Now…

In the last week, two of our clients got hit with the latest variant of CryptoLocker. CryptoLocker (and its variants) is the notorious malware that encrypts all your data and holds the decryption key to ransom, sometimes for thousands of dollars.

There is no way to decrypt the data. The malware will scan your personal computer first, appearing to start with your Desktop, working through your My Documents folder and then scanning through any mapped network drives you have. This all appears to be done in alphabetical order. (This is based on our observation of the two incidents.)

If you get hit, you have two options – restore from a backup, or pay the ransom!

The scariest part of all this is that one of these clients had implemented a good anti virus program on every computer, all emails go through a cloud based spam and malware filter, and they have an advanced firewall that scans all internet traffic for malware.

The good news is that this client also had our Back-Up and Disaster Recovery (BUDR) solution in place, which backs up their data every hour – so it was a trivial matter of restoring their data to the hour before the incident, although the time between infection and data restoration was 4 hours: half a day of business lost that could otherwise have been avoided.

How did this virus get in?

The second client told me she had received a speeding infringement in her email, and even though she was dubious – she clicked it.

Ironically, as I sat down to write this email, I got a notification from our spam filter that an email from the “Australian Federal Police” with the subject “Driving infringement notice” had been held in spam. I like to live on the edge, so I went ahead and released it from the spam quarantine so I could take a closer look.

NOTE: Don’t try this yourself. I used an isolated computer in a quarantined network. And this is the email that hit my Inbox shortly after.

It looks rather legit, although if you look closely the Engrish isn’t great and some of the words are spelt wrong. (“You’ve got been recently given having a drive intrusion” and at the bottom “Austrlian……”)

Taking a deep breath and clicking the link brought up the following website.

And lo and behold, entering the captcha (it actually did check to see if it was correct) allowed me to download a ZIP file called notice_262897.zip, which contained a single file. The file inside the ZIP archive has a display icon that mimics the icon used by PDF documents (Adobe Acrobat/Reader).

And here’s where the wheels fall off the cart….

At some point in the last 10 years, Microsoft wanted to make Windows “tidier” and thus hides the extensions of “known file types” by default. We as users are so used to identifying a file type by the little picture, and this little sucker preys on that.

With “show file extensions” turned on, we realise that this PDF is not a PDF, but actually an EXE (Executable Program File).

And because I’m crazy like this. I ran it.

And sure enough, CryptoLocker strikes!

I didn’t have much on the computer, but whatever data files I had (Word, Excel, ZIPs, PDFs, etc) were all now encrypted (extension .encrypted). Attempting to rename them didn’t resolve the issue.

That computer has now been blown away. I don’t trust that the malware didn’t install something in the background to come back and attempt further malicious activities.

Why are we losing the war on modern threats like CryptoLocker?

I was at the Queensland Police “Fraud & Cyber-Crime” symposium last year and got chatting to an Iranian white-hat hacker (they’re the good guys). He basically told me that anti virus software as we know it is useless to modern attacks.

Why is that?

Cyber-Crime, the billion dollar industry it is, sells software that allows cyber-criminals to create new variants of the virus/malware at every run. The problem here is that even if they only created one new variant every 24 hours, for your anti virus to be able to detect the threat, the anti virus companies have to get their hands on a copy of the virus, analyse it, identify its unique signature, update their anti virus databases, AND THEN your computer has to download those updates.

That process generally takes longer than 24 hours, even if your anti virus software updated itself every hour.

So by the time your computer can detect the threat, it’s already been changed several times over. It’s a never ending game and you, the end user, aren’t going to be the winner.

That’s the first problem.

The second problem is that these attacks prey on our fear.

Since when did the AFP send out traffic infringement notices? I’m not intending to make you feel stupid. The bottom line is that the people sending out these attacks are extremely clever and they have worked out that if they focus on people’s fears they will get a better hit rate.

My own accounts lady got a number of emails that appeared to come from ME, asking her to organise a wire transfer. When she hit reply the return email address was [email protected] (not @insane.net.au). She very nearly replied to the email, except she was quick enough to notice the email address had changed!

So how do you protect yourself against modern threats like CryptoLocker?

You can have all the advanced defenses in the world – anti virus software; anti malware software; email filtering; internet scanning/filtering firewall; even lock the computers down so no one can change a thing or install anything and yet these threats can still hit you.

The #1 defense in this war is Education.

Your team need to better understand these threats: where they come from, how they target your people, and how to work more safely.

We can help you with this. We can provide your business with a group training session designed to educate you and your team on these threats, how they attack you and how to be more vigilant. And this is information you can then go on and help educate your own clients with – which helps raise your profile as the “Trusted Advisor”, which is especially valuable in Business 2 Business relationships.

If you’re interested in a group training session for your business on the topic of Computer Security, give us a call on (07) 5539-6116. Group sessions are $240ex per hour and must be booked in advance.

What about the fundamentals? Do we still need anti virus?

Even if modern threats are not detectable by current anti virus software, there are still a lot of viruses, malware and spyware that cause problems for your computers that are detectable, so by no means should you give up on having the best protection you can afford for your business.

Our best practice for our clients is to have:

  • Up to date Anti Virus software on every computer.
  • Unified Threat Management (UTM) firewall scanning all internet traffic, limiting Internet access to approved, work related websites. (And blocking access to anything that is unknown or not approved!)
  • Spam and Virus filtering for Email.
  • Show file extensions for ALL file types and educate your team on what each of them means!
  • Block access to staff installing software themselves.
  • Block access to staff making changes to their computers.
  • Block access to USB sticks (Yes, I know everyone uses these for real business reasons).
  • Block ZIP, RAR, EXE, VBS, TAR.GZ and other email file attachments.
  • Use DropBox* or some other system to transfer files to and from clients/other businesses.
  • A reliable backup strategy that will allow you to recover your files quickly in the event of an outbreak.
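One way to apply the earlier point about hidden file extensions and the attachment-blocking rule in the list above, as an added Python example (not the post's own tooling): it inspects a ZIP attachment and flags each file by its real extension, by the MZ header that every Windows executable carries regardless of its name, and by the double-extension trick that makes an EXE look like a PDF when extensions are hidden. The sample ZIP and its member names are constructed here to mirror the post's notice ZIP.

```python
import io
import zipfile

# Attachment types the best-practice list above says to block at the mail gateway.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".zip", ".rar", ".tar.gz"}

def real_extension(name: str) -> str:
    """True trailing extension: 'notice.pdf.exe' -> '.exe', 'a.tar.gz' -> '.tar.gz'."""
    lower = name.lower()
    if lower.endswith(".tar.gz"):
        return ".tar.gz"
    dot = lower.rfind(".")
    return lower[dot:] if dot > lower.rfind("/") else ""

def explorer_shows(name: str) -> str:
    """What Windows Explorer displays with 'hide extensions for known file types' on."""
    base = name.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[:dot] if dot > 0 else base

def is_windows_executable(head: bytes) -> bool:
    """PE files (EXE, DLL, SCR) start with the 'MZ' DOS header, whatever the name says."""
    return head.startswith(b"MZ")

def inspect_zip_attachment(zip_bytes: bytes) -> dict:
    """Map each file inside a ZIP attachment to the list of reasons to block it."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.read(info)[:8]  # the first bytes decide, not the name
            ext, shown = real_extension(info.filename), explorer_shows(info.filename)
            reasons = []
            if ext in BLOCKED_EXTENSIONS:
                reasons.append(f"blocked extension {ext}")
            if is_windows_executable(head):
                reasons.append("content is a Windows executable (MZ header)")
            if ext and "." in shown:  # the post's trick: displayed name still looks like a document
                reasons.append(f"double extension; Explorer would show '{shown}'")
            verdicts[info.filename] = reasons
    return verdicts

def build_sample_attachment() -> bytes:
    """Constructed sample modelled on the post's notice ZIP: a 'PDF' that is really an EXE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notice_262897.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)  # stub PE header only
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%constructed sample\n")
    return buf.getvalue()
```

Running `inspect_zip_attachment(build_sample_attachment())` gives an empty reason list for the genuine PDF and three independent reasons to block the disguised executable, so the check still fires even if an attacker avoids any one of them.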

And if you get hit, TURN THE COMPUTER OFF IMMEDIATELY.

Don’t leave it sitting there. Most of these attacks install other malicious code that tries to use your computer as a launch point for their next attack, or leave something around that they can re-activate later or use in a BotNet to launch a distributed attack on someone else.

NOTE: The other day I got sent a link to an attachment that was hosted by a DropBox account. The file was a ZIP file, with an executable program in it. I didn’t run this one, but my money is on it being another threat.

If you’re wondering how protected your business is, give us a call on (07) 5539-6116 and we will come out and provide you with our proprietary 90-Point Network Assessment, which looks at all aspects of your business technology, and not just the physical equipment!
