EnCrypt Lock and Buy It
November 7, 2013 8:29 AM

A recent strain of malware called Cryptolocker (technical description from BleepingComputer) has been infecting computers across the Internet. It's of the Ransomware (wiki) genre of attack, and searches a computer's drive for critical files by browsing their extensions (for example, focusing on word processing documents, images and music) and encrypts them with its own key that you can then buy back from the hacker for a fee of $100 to $300 dollars payable in Bitcoins. More information about the virus and how to avoid it is available at Krebs On Security, and the Malwarebytes Blog, with more recent developments on Naked Security.
posted by codacorolla (169 comments total) 57 users marked this as a favorite
 
So - bitcoins aren't an anonymous transaction, correct? I assume they're doing the bitcoin end via some sort of botnet as an extra layer of obfuscation? But at some point, unless they are able to bitwash it, won't they eventually be able to be tracked?

Has anyone actually purposely gotten infected, paid to decrypt it, and seen how that process goes?

Interesting MAD application here. If you take the key server down, you fuck over all the victims, so you have to figure out how to take down the "bad guys" while leaving their infrastructure intact so hopefully victims can get their shit back.

I am going to make sure all my shit is backed up and I see they have some tools for protection across a domain - time to read up for both home and work! Ugh.
posted by symbioid at 8:41 AM on November 7, 2013 [1 favorite]


symbioid: "Has anyone actually purposely gotten infected, paid to decrypt it, and seen how that process goes?"

According to the Bleeping Computer link, some people have paid the ransom to decrypt their files and the decryption did not work.
posted by zarq at 8:42 AM on November 7, 2013


All the links imply this is Windows-only...but none said directly. Are Macs at risk? Also it sounds like you (or someone on your network?) has to actively click on an email link/video player, yes?
posted by emjaybee at 8:49 AM on November 7, 2013


Backup, Restore, then Backup again.
posted by blue_beetle at 8:49 AM on November 7, 2013 [1 favorite]


FOAF got hit. Lessons:

1. BACKUP. In the end, this is no worse than your hard disk going down. For all the scary malware bitcoin woo.
2. Windows only. (Run something else, if you can)
3. Don' go clicking on no links you didn't ask for (hacked Twitter accounts of your pals included)
4. Did I say BACKUP?

And by backup - do it regularly, make sure you can get your stuff back before you need to find out for real, and make sure you have one backup offline at all times. Copies in the cloud are also a good idea, but if you can get to your data from your desktop, so can Mr Nasty.
posted by Devonian at 8:49 AM on November 7, 2013 [1 favorite]


Looks like a Windows-only issue, yes.
posted by svenni at 8:50 AM on November 7, 2013


According to the Bleeping Computer link, some people have paid the ransom to decrypt their files and the decryption did not work.

I'm surprised that they even bothered with the encryption part.
posted by indubitable at 8:50 AM on November 7, 2013 [2 favorites]


This only needs a couple of Jihadis, a few Russian gangsters, an MI6 agent, a Hungarian hacker and a bunch of game developers to basically become the plot of REAMDE.
posted by gkhan at 8:51 AM on November 7, 2013 [14 favorites]


Anybody got CryptoPrevent linkage? It keeps giving me gatorhost 500 errors :\
posted by symbioid at 8:54 AM on November 7, 2013


So can someone describe, in less vague language than the links, what you'd have to do to get this? Accidentally run an .exe mail attachment? Go to the wrong website...with any browser? With an out of date browser? What?
posted by straight at 8:55 AM on November 7, 2013 [2 favorites]


An interesting development with Cryptolocker recently has been that the bad guys realized that the average Joe didn't have a clue as to how to come up with $FOO in bitcoins or MoneyPaks within the original 48-hour deadline. So they've adjusted their ransom demand with more flexible terms, like any good business. You can track your "order" and everything.

svenni: "Looks like a Windows-only issue, yes."

Only for now.
posted by jquinby at 8:55 AM on November 7, 2013 [1 favorite]


Oh god.

Just went through a little outbreak at my workplace:

We're a MS shop with about 130 machines across a few states. Mostly Win 7, but still some XP. Within 10 minutes a Win 7 user and an XP user got hit. Game over. We're not paying to decrypt. Legal worries, etc.

The crypto worked its way into the share drive and encrypted what limited things that user had access to, forcing a full restore of that section of the drive. If we hadn't increased our snapshot abilities on the share, this could have FUCKED us rather hard.

This is a whole new level of scary. In the midst of this outbreak I thought for the first time, "The internet is no longer safe for most people." I mean, this is clearly a 1st gen virus. The delivery system and malware itself is actually much less advanced than a lot of other crap I've dealt with. Easy to remove, pretty easy to spot. When they see the amount of money being raked in (and I personally know of at least $2000 paid by other companies) this is going to get horrifying.

Also, I now totally understand the "persecution" of bitcoin by the feds. TOR and bitcoin are totally horrifying when viewed through this prism. Anonymous ransom and untraceable services. Fuck.....


PS for admins out there, we instituted these GPO rules after review. Be aware: the guy put a desktop shortcut for his company in there that will push to every machine. I think the logic is, "If you blindly push this out, you deserve to have an ad on every user's machine displaying your incompetence."
posted by lattiboy at 8:55 AM on November 7, 2013 [8 favorites]


Ditto on the backup; $100 for an external 1, 2 or 3 TB drive, $35 (or less) for TrueImage Home. Schedule weekly or monthly full-disk images with say 6 month expiring historical versions. Combine with same thing for daily file backups of your my docs and stuff.

Covers your ass in case of blown drives, oops-deleted-that-file, things like that.

But just not clicking on shit is still the best action.
posted by Old'n'Busted at 8:55 AM on November 7, 2013 [2 favorites]


Majorgeeks has a mirror
posted by defcom1 at 8:55 AM on November 7, 2013 [2 favorites]


On one hand, this is horrible and annoying, and I would be pissed off if it happened to me. On the other hand, there's a weird kind of thrill at seeing the dystopian computer wars from science fiction gradually becoming reality.
posted by Pater Aletheias at 8:55 AM on November 7, 2013 [5 favorites]


And if you Apple folks think you're going to avoid this in the medium/long term..... ha.
posted by lattiboy at 8:56 AM on November 7, 2013 [4 favorites]


I'm surprised that they even bothered with the encryption part.

It is a straightforward way of making the files inaccessible - whilst leaving the door open so that people might believe they could get them back. Actually sending back a key to allow the files to be decrypted does not really serve their interests however: they already have your money and the response could only increase their chance of being tracked.
posted by rongorongo at 8:57 AM on November 7, 2013 [1 favorite]


My office server was infected due to our office manager opening an email attachment that was made to look like a government mileage reimbursement form. After two days we were able to restore from a days-old backup and avoid having to pay. We dodged a bullet, but now our IT manager has restricted incoming and outgoing attachments such that we can't send or receive zip or executable files. We got lucky though, not having 7 years' worth of our entire business lost forever or questionably secure.
posted by maximum sensing at 8:58 AM on November 7, 2013


1. BACKUP. In the end, this is no worse than your hard disk going down. For all the scary malware bitcoin woo.

According to this reddit thread, if you have backups stored on a disk attached to the infected PC or a networked drive, the virus will encrypt those files as well.
posted by Fidel Cashflow at 8:58 AM on November 7, 2013 [2 favorites]


straight: "So can someone describe, in less vague language than the links, what you'd have to do to get this? Accidentally run an .exe mail attachment? Go to the wrong website...with any browser? With an out of date browser? What?"

The infection vectors vary wildly - could be an email attachment, could be the second-stage of another infection. This reddit article covers some of it.

In the interest of full disclosure, I work for an anti-malware company that specializes in this sort of thing.
posted by jquinby at 8:58 AM on November 7, 2013 [3 favorites]


jamaro: "What's a MAC?"

00:1D:D8:B7:1C:00
posted by zarq at 8:58 AM on November 7, 2013 [32 favorites]


this could have FUCKED us rather hard - posted by lattiboy

Looks like that's one down, gkhan
posted by tigrrrlily at 8:59 AM on November 7, 2013


lattiboy: "The crypto worked its way into the share drive and encrypted what limited things that user had access to, forcing a full restore of that section of the drive."

Fucking hell. That would seriously fuck over many companies.
posted by zarq at 9:00 AM on November 7, 2013


Pater Aletheias: "On one hand, this is horrible and annoying, and I would be pissed off if it happened to me. On the other hand, there's a weird kind of thrill at seeing the dystopian computer wars from science fiction gradually becoming reality."

I just wish that the ultimate "good guys" with the most power (i.e. access to funds and manpower) were actually good guys that I could actually trust.
posted by symbioid at 9:04 AM on November 7, 2013 [1 favorite]


Wow, I can basically start a countdown now for ~10 days until some idiot in my office infects everything we have with this shit. I cannot begin to count the number of times that mysterious files have been wantonly clicked and downloaded, that blatantly suspicious emails have been responded to in good faith or have links within clicked heedlessly. No amount of staff meetings or IT training sessions or mass emails have been able to stop it and it is exhausting.

im gonna go live in a treehouse with cats
posted by elizardbits at 9:05 AM on November 7, 2013 [27 favorites]


Save me a spot.
posted by Optamystic at 9:07 AM on November 7, 2013 [2 favorites]


So I guess this is why every company should use SharePoint for important files?

* ducks *
posted by blue_beetle at 9:08 AM on November 7, 2013 [1 favorite]


You're only as secure as the stupidest person on your network.
posted by symbioid at 9:08 AM on November 7, 2013 [26 favorites]


One of my coworkers does some consulting for a lawyer who got hit with this. He lost all of his files and will lose some big clients over this.

maximum sensing: "...but now our IT manager has restricted incoming and outgoing attachments such that we can't send or receive zip or executable files."

WTF were zip files allowed in your corporate emails in the first place? That's akin to not locking the doors when the place closes for the night.
posted by double block and bleed at 9:09 AM on November 7, 2013 [3 favorites]


We're pretty good on backups, but not good enough that I feel safe with this running around. Gonna go home, do a full backup on my mac, and disconnect my backup drive. Thankfully the husband is a paranoid musician who has lost too many files to plain old crashes/corruption to not back up to a separate drive periodically.

But man, I am not feeling good about the stuff on my work computer...we have a pretty small and overburdened IT dept., and we get viruses come through now and then.

Sheesh.
posted by emjaybee at 9:10 AM on November 7, 2013


You're only as secure as the stupidest person on your network.

We're all basically lying facedown in the gutter nude and smeared with feces then.
posted by elizardbits at 9:11 AM on November 7, 2013 [31 favorites]


Have you tried to deal with ever getting anything done without it allowing zips? Unless you allow an easy login service for all people (and especially if you work with multiple providers), it's a real PITA. How do you work around dealing with a shit ton/collection of files that need to be sent without setting up sftp?
posted by symbioid at 9:11 AM on November 7, 2013 [1 favorite]


If you're depending on Dropbox to save you from this, you might want to reconsider. Dropbox will happily upload your corrupted files as they are corrupted, replacing your good copies.
posted by double block and bleed at 9:12 AM on November 7, 2013 [1 favorite]


The infection vectors vary wildly - could be an email attachment, could be the second-stage of another infection. This reddit article covers some of it.

The Reddit link mentions these vectors:

1. Hidden .exe files (often a fake .pdf file in a .zip file)

2. Being part of the Zeus botnet

3. infection through Java, using the .jnlp file as a dropper to load the executable

So, if I'm not part of a botnet and don't click on .exe files am I safe? Is that Java hole a vulnerability for everyone, or just people who have out-of-date browser plugins? (Which plugins?)
posted by straight at 9:13 AM on November 7, 2013


I am just waiting until Neal Stephenson's T'Rain actually gets made and then I'll have proof that this creepy feeling that we are all living in a sprawling cyberthriller isn't just my imagination.
posted by polywomp at 9:13 AM on November 7, 2013 [1 favorite]


To reinforce the comment made by Fidel Cashflow, you really need a remote backup, and one including snapshots. Simply keeping a backup in an attached device won't cut it because this mess will reach out to all the attached devices it can find.

I'm not entirely clear on whether a basic web-based backup like Mozy or Carbonite will suffice either; if the encryption is happening at the file level instead of the disk or OS level, you'll just end up backing up encrypted files.

This is a hard problem.
posted by Ickster at 9:13 AM on November 7, 2013


I'm not a huge fan, but Sharepoint would work for that and has high corporate acceptance.
posted by double block and bleed at 9:14 AM on November 7, 2013


If you're depending on Dropbox to save you from this, you might want to reconsider. Dropbox will happily upload your corrupted files as they are corrupted, replacing your good copies.

But couldn't you just logon to Dropbox.com and get the clean copies?
posted by Elementary Penguin at 9:14 AM on November 7, 2013


Huh, I just assumed that *everyone* has blocked exe, dll, and etc files (bare or in zips) from the email servers. Ours has been configured like that since day one - do people still expect to send files like this?

(of course doesn't prevent click-and-drool downloaders, but...)
posted by Old'n'Busted at 9:15 AM on November 7, 2013


What's a MAC?

MAC (an acronym consisting of three capital letters) is "A media access control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used as a network address for most IEEE 802 network technologies, including Ethernet."

Mac (a contraction of 'Macintosh') is a family of computers and operating systems from Apple.

It drives me crazy when people use the wrong spelling for these terms.
posted by Multicellular Exothermic at 9:16 AM on November 7, 2013 [9 favorites]


Dropbox mirrors your computer's dropbox folder. If it's corrupt, the cloud version will be, too. There's a "pack rat" option, but I think many people would run out of space in the cloud, with all of their files being replaced. I could be wrong about that last part.
posted by double block and bleed at 9:17 AM on November 7, 2013


Ooo!

I can speak to this first hand.

I got a call from my boss about this on Friday. He was travelling and was like, "Hey, my computer has this weird message..."

And I, at first, was like, "Oh, well, I'm sure it's just some generic malware that's claiming to encrypt your files.."

But then I started to do some research and holy shit. My jaw hit the floor.

All his data. All his network shares. His Dropbox shares. His Box shares. All of it. Totally, totally encrypted with 2048-bit encryption and he had absolutely no backups.

In the end, he refused to fork over the $300 - just on principle. But yikes. This is some serious, nasty fucking business.

It's gaining some serious traction.

US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

posted by kbanas at 9:17 AM on November 7, 2013


Also, to that end, with early versions you could get some of your files back via the Windows System Restore utility by getting into the system shadow volume.

New versions (and in my case) - completely wipe all System Restore points.

So just fuck all.

CLOUD! BACKUPS!

Go get a fucking Crashplan subscription.
posted by kbanas at 9:18 AM on November 7, 2013 [3 favorites]


We had this infect someone's Win7 in Parallels on a Mac. It churned through about 150GB of stuff on a share mounted on the Mac side before we noticed. It seems to stick to one filesystem at a time, so none of the local files were touched.

I had backups of everything, so after an rsync from the previous day's snapshot, I used Malwarebytes to clean up.

Parallels, by default, will mount any disk mounted on the Mac as a share. It also turns on bi-directional app-sharing, so if you double-click an .exe with the exploit in it on the Mac, it will run in the Windows side, infecting the machine.

Couple these features with Parallels' transparent integration of the Windows GUI with the Mac, and you can easily and surreptitiously get your Windows side infected if you only ever browse the web and use e-mail on the Mac side.
posted by tomierna at 9:18 AM on November 7, 2013 [1 favorite]


I just assumed that *everyone* has blocked exe, dll, and etc files (bare or in zips) from the email servers

Right, but blocking them as attachments does not block them from being an automatic download link in a SUPER!! URGENT!! SERIOUS!! email from paypa1.biz or 1R5.com or whatever seems the most urgent, does it?
posted by elizardbits at 9:18 AM on November 7, 2013


elizardbits: "No amount of staff meetings or IT training sessions or mass emails have been able to stop it and it is exhausting. "

I've gotten a few emails at my work address that were obviously spear phishing attempts and when I forwarded them to IT with a note like "hey, just in case you haven't seen this particular bit of malicious spam getting sent to people you might want to know about it," and the "oh my lord THANK YOU for not being a FUCKING MORON about this" tone that their replies tend to have tells me that my department suffers from a similar affliction.
posted by invitapriore at 9:21 AM on November 7, 2013 [3 favorites]


I've long been in favor of not only using good spam filtering, but also not allowing end users to see what has been shunted to spam.
posted by double block and bleed at 9:21 AM on November 7, 2013


straight: "So, if I'm not part of a botnet and don't click on .exe files am I safe? Is that Java hole a vulnerability for everyone, or just people who have out-of-date browser plugins? (Which plugins?)"

The trick is that you wouldn't necessarily know that your PC is part of a botnet. Botnet nodes are only useful to the operators if they're stealthy, and they're very good at hiding their activities. The nodes are easily monetizable. Herds of them are easily sold in various dark market forums. Need access to a few thousand machines? Prices are rock-bottom any more.

So what to do?

Turn off Java. Don't use Acrobat to read PDFs. Use NoScript or something similar to control how JavaScript runs on your browser.

Avoid clicking links in e-mail. Especially "unsubscribe" links unless you're savvy enough to comb through the mail source and determine if the link is legit.

Never plug in a USB thumb drive that you happen to find.

If someone sends you something - a file, exe or anything like that - and your AV says it's clean, but you want to vet it anyway, submit it to VirusTotal, which will at least show how the other 40-odd AV vendors respond to the file.

Stay up-to-date on your AV and your system updates. Back up your data, then back it up again. Don't pay these assholes a nickel.
posted by jquinby at 9:24 AM on November 7, 2013 [11 favorites]


Dropbox mirrors your computer's dropbox folder. If it's corrupt, the cloud version will be, too. There's a "pack rat" version, but I think many people would run out of space in the cloud, with all of their files being replaced. I could be wrong about that last part.

Dropbox keeps a 30 day version history - the packrat service and Dropbox for Business keep unlimited backups.
posted by zamboni at 9:25 AM on November 7, 2013 [4 favorites]


One of my customers got it as an exe file masked as a PDF. They're a printing company, so PDF is their lifeblood. Lots of mapped network drives. Thank $higher_power for shadow copies and backups.

Another customer got a variant with a slightly different take on unencrypting if you've already removed the main Cryptolocker app (and thereby lost your copy of the key): pay 10 bitcoins, then you can upload an encrypted file, they'll match the key and send it back to you to complete the unencryption process.

10 bitcoins is roughly what, $2,100?

Across the board for all my clients, I've implemented the GPOs to prevent apps running in %appdata% and blocked any and all .zip files and executables. It's a matter of time before the assholes come up with more vectors, and I'm continually reading up on the new variants.

Backup early, often, and consistently. NEVER open email attachments where you don't know the source. If you're not expecting a file from someone, consider it suspect.
posted by disclaimer at 9:26 AM on November 7, 2013 [1 favorite]


odinsdream: regarding backups, many that have a scheduled job are going to end up backing up the encrypted files because it waits a while before telling you to fork over money. In our experience the delay was about 4 days.

Nice touch, that.
posted by RedOrGreen at 9:27 AM on November 7, 2013


Don't think that only the idiots fall for stuff like this. I got an email in Portuguese that didn't land in my spam folder. I actually went through all of the trouble to run it through Google translate, in anticipation of writing them back to tell them that they had the wrong address. I felt like a fool when I discovered that it was an ad for male enhancement!
posted by double block and bleed at 9:27 AM on November 7, 2013 [2 favorites]


Fucking A.
It seems like this is the worst outbreak I've seen. I don't think I've ever seen this many comments in a single thread on the blue talking about this many personally known infections.
posted by symbioid at 9:29 AM on November 7, 2013


Easier to just google the email address + scam , no?
posted by elizardbits at 9:29 AM on November 7, 2013


According to the Bleeping Computer link, some people have paid the ransom to decrypt their files and the decryption did not work.

I read a Reddit thread about this thing a few weeks ago, and some IT guys in there said that their key did work after paying the ransom, so who knows. Enough time has passed that there are almost certainly multiple outfits doing it at this point.
posted by Steely-eyed Missile Man at 9:30 AM on November 7, 2013 [1 favorite]


www.bit9.com worth every penny.
posted by Annika Cicada at 9:31 AM on November 7, 2013 [1 favorite]


The Ars forums has a lot of IT guys who said they just paid the ransom. Which I guess isn't surprising -- even if the kidnapped files aren't utterly critical, it is important to show your employer that you can fix the problem or you might get fired. And besides, you can just use your corporate card so it's not YOUR money.

I wonder when we'll see something like this that threatens to broadcast your personal data, rather than steal it. How much would you pay to keep photos surreptitiously taken by your phone every few minutes from the past month from getting sent to all your contacts? Anything is possible with the combination of buggy software and anonymous payments.
posted by miyabo at 9:32 AM on November 7, 2013 [1 favorite]


Here is a relevant account from the subReddit, Tales From Technical Support, and the follow-up.
posted by Multicellular Exothermic at 9:34 AM on November 7, 2013


But are the people reporting that they paid up and received a functional key actually real people who did this thing or are they other scammers? Are they evil robots? What if you click on their profile links and download a thing?

im so fucking paranoid i don't even want to click any links in this fpp
posted by elizardbits at 9:35 AM on November 7, 2013 [9 favorites]


miyabo: "I wonder when we'll see something like this that threatens to broadcast your personal data, rather than steal it. How much would you pay to keep photos surreptitiously taken by your phone every few minutes from the past month from getting sent to all your contacts? Anything is possible with the combination of buggy software and anonymous payments."

Jesus Christ, that's evil. And totally within reasonable possibility.
posted by double block and bleed at 9:35 AM on November 7, 2013 [3 favorites]


disclaimer: "It's a matter of time before the assholes come up with more vectors, and I'm continually reading up on the new variants."

This is my favorite one in recent memory: TIFF files.
posted by jquinby at 9:35 AM on November 7, 2013


Is there any legal risk/penalty to paying the ransom? Can the Feds come back and say you engaged in illegal activity if you do it?
posted by emjaybee at 9:35 AM on November 7, 2013


What does this do to the value of bitcoins? All these people making a run? Might this increase the influence over bitcoin by the perps?
posted by symbioid at 9:35 AM on November 7, 2013


Really, sometimes I just want to roll back to pine (now alpine!) and elinks. Go totally paleo for my Internet access.
posted by jquinby at 9:37 AM on November 7, 2013 [4 favorites]


That's it - I'm designing a modern variant of the SETUN architecture system to run my shit on.
posted by symbioid at 9:38 AM on November 7, 2013 [1 favorite]


What does this do to the value of bitcoins? All these people making a run? Might this increase the influence over bitcoin by the perps?

Bitcoins have doubled in value over the last month. From 137 USD on October 7th, to 310 USD today.
posted by Fidel Cashflow at 9:38 AM on November 7, 2013


jquinby: "Don't use Acrobat to read PDFs"

This would probably be difficult for anyone who uses Acrobat for more than just reading PDFs. The software allows you to create forms, edit / create pdfs from web pages, or from documents in multiple formats. Many businesses still rely heavily on those functions, including mine.

Acrobat is still the best tool I've found for all of that on a Mac. Changing the default file association away from Acrobat to Preview or another, lesser program would be destructive to productivity at my office.
posted by zarq at 9:39 AM on November 7, 2013


I was just wondering the last time bitcoin came up why there'd been such a climb since the beginning of October. This seems... not-inconceivably related. On preview--yeah, that.
posted by Sequence at 9:39 AM on November 7, 2013


You know, the deeper we get into this cyberpunk future, the less I enjoy my once cherished sense of nihilistic glee.
posted by double block and bleed at 9:39 AM on November 7, 2013 [28 favorites]


I'm more terrified of this shit than I ever was of bin Laden. Still don't trust the NSA though.
posted by symbioid at 9:40 AM on November 7, 2013


zarq, that's a fair point. PDFs are still very high on the list of infected files these days and for rank and file users, an alternate viewer would at least move the goalposts for the bad guys a bit.
posted by jquinby at 9:43 AM on November 7, 2013


double block and bleed: "Don't think that only the idiots fall for stuff like this. I got an email in Portuguese that didn't land in my spam folder. I actually went through all of the trouble to run it through Google translate, in anticipation of writing them back to tell them that they had the wrong address. I felt like a fool when I discovered that it was an ad for male enhancement!"

But you didn't double click on the attached caralho_muito_grande.exe right?
posted by invitapriore at 9:43 AM on November 7, 2013


We use .pdfs a great deal, and so do our clients. There's no way we could stop using them without huge amounts of disruption.
posted by emjaybee at 9:46 AM on November 7, 2013 [1 favorite]


Multicellular Exothermic: "Here is a relevant account from the subReddit, Tales From Technical Support, and the follow-up."

I probably shouldn't laugh but that's pretty amusing: "The owner has been blowing up my phone, desperately hoping there's some way to crack the 1024-bit encryption. All I can suggest is that she tell the NSA that Edward Snowden sent her these files and ask what should she do with them."
posted by exogenous at 9:47 AM on November 7, 2013 [10 favorites]


Company I work for is a MSP franchise with 130+ locations around the US, we've been discussing this on our internal mail list for about a month now. Yea, scary as shit when I first heard about it. Unless you're running some kind of local backup with some type of rotation or bi-weekly schedule, you're fucked. Windows Server backup and some of these others that only keep one archive (BackupAssist, Carbonite) will just upload the encrypted files after they're changed. Most of my clients are either using Crashplan or Acronis with a two-week rotation, and we haven't had any problems yet. (***knocks on wood).
posted by daHIFI at 9:50 AM on November 7, 2013


One of my customers got it as an exe file masked as a PDF.

So is this an actual infected .pdf? Or is it a foobar.pdf.exe file that's visible if you've set Windows to show you extensions?

I'm a little freaked out by the lack of specificity in all these articles. Is it that people don't actually know, that there are too many vectors to enumerate, or are they just really bad at explaining what's going on?
posted by straight at 9:52 AM on November 7, 2013 [5 favorites]


If you have a day job: buy two external hard drives. Back up your computer on both, bring one to work and leave the other at home. On Monday morning, bring the home drive to work. On Monday evening, bring the work drive home and back up your computer. Lather, rinse, repeat.

As for those without a day job: pick a friend or family member and regularly swap drives, so that there's always an offsite, not-attached-to-a-computer backup of your stuff less than a few weeks old. Same process, except that you have to coordinate the handoffs.
posted by davejay at 9:54 AM on November 7, 2013


What's a MAC?

$2,000, same as in town.
posted by Kabanos at 9:54 AM on November 7, 2013 [13 favorites]


You can also do it with one drive, bringing it home Mondays, doing the backup overnight, and bringing it back to the office Tuesdays, to save a bit of money while accepting a bit more risk.
posted by davejay at 9:55 AM on November 7, 2013


invitapriore: "But you didn't double click on the attached caralho_muito_grande.exe right?"

No, but my point is that unless you are a hardened paranoiac living in a bunker with a tinfoil hat and an air-gapped computer running NetBSD (or no computer), there will always be some way to fall prey to something like this, whether it be through a social exploit or technological deficiency.

People don't change. There have always been con-men and their marks. The only difference is that today, the con-men don't have to leave the comfort of their mother's basement.
posted by double block and bleed at 9:55 AM on November 7, 2013


According to this reddit thread, if you have backups stored on a disk attached to the infected PC or a networked drive, the virus will encrypt those files as well.

Which is why I said you should always have one backup offline, i.e., not connected to your computer, and that if you can see your data from your desktop, so can the bad guys.

This is standard, good practice. This isn't the first data-scrambling malware, and there are other things that can go wrong that mess up data, and one day something will happen to you. If you have a decent backup strategy, then you're golden.

What bothers me particularly is that I don't know a decent backup strategy for mom+pop. I have my own parents' system on Acronis automated backups, but I don't like the interface and I particularly don't like the way the company keeps trying to force updates on me.

What I want, and what I can't find, and what I will kiss the blue for if it knows, is a backup system that does proper journaling - so you can go back to the first non-bad version easily - proper automation and proper reporting. Ideally, I'd like it to run on something basically hack-proof like a RaspPi or an old Linux laptop burbling in the corner, scooping stuff up from Windows shares and depositing it on a big old hard disk that nothing else on the network can see, in a format that's easy to restore from.

Not much to ask, but I fear I'll have to write it myself. And getting journaling right is hard.
posted by Devonian at 9:58 AM on November 7, 2013 [1 favorite]


Is it that people don't actually know, that there are too many vectors to enumerate, or are they just really bad at explaining what's going on?

To be honest, the specifics don't really matter. I mean, yes, people are getting all worked up about the encrypt-and-ransom part, but the delivery mechanism is no different than the one that's been used to infect computers with other trojan horses, and trojan horses that simply delete files (with no encrypt-and-ransom part, but with the same end result of you losing your files) have been around for a very long time. So the same mechanisms for avoiding disaster (don't click on links in emails, backup regularly, etc.) still apply in exactly the same way.

It's like finding out there's a worldwide ring of people breaking into houses, stealing your stuff, then extorting a ransom from you to return your stuff -- it's not like they found a new way to break in, and people breaking in and taking it without the ransom option has been happening for a very long time.
posted by davejay at 9:58 AM on November 7, 2013 [2 favorites]


There's some questions as to whether or not this video is faked, but the tools, techniques and scale of what's depicted are all pretty real. (NSFW warning: the camera follows its subject into a strip club about 2/3rds of the way through).
posted by jquinby at 9:59 AM on November 7, 2013 [6 favorites]


the con-men don't have to leave the comfort of their mother's basement.

And one of the world's laziest stereotypes lives on. Apropos of the REAMDE reference earlier in the thread, I would not at all be surprised to learn that Russian gangsters are behind this, or at least behind V1.0.
posted by Steely-eyed Missile Man at 10:00 AM on November 7, 2013 [3 favorites]


For people who aren't in the business of IT and network administration, your most clear indication that this is a serious threat is how freaked out some of us are. This is the first generation type attack and it isn't trivial to avoid infection. This new threat marks a new layer in the end of innocence in computing because the same facilities that make it convenient for end users to access and work with networked data files also permit any single user to hose the data for everyone if they get infected.

I'm conducting regular reminder sessions with staff to educate them about safe habits and doing my best to instill a healthy fear in everyone. All the same, I'm frankly quite alarmed.
posted by dgran at 10:02 AM on November 7, 2013 [1 favorite]


I've been wondering about something.

In Mac Mail, if you get an email with a link it gives you a little context pulldown. It looks like it'll give a menu of options (I'd expect, e.g., Open link and Copy link location) but it actually goes out immediately to the webserver to retrieve a preview, with at least some scripting enabled.

I've already "used" this to accidentally let spammers know I got their email (wanting to look at where an unsubscribe link would go.)

Is this more dangerous than that, though? Can I expose myself to any serious damage, spear phishing or otherwise, by letting Mail contact a web server in that way? (Sounds like this particular attack is coming by attachment, but I'm wondering more generally.)
posted by spbmp at 10:02 AM on November 7, 2013


It's not that I think that the people behind this are actually trolls in basements. I just hold them in the same level of contempt.
posted by double block and bleed at 10:02 AM on November 7, 2013 [1 favorite]


In Russia, mother's basement lives in you.
posted by meadowlark lime at 10:03 AM on November 7, 2013 [4 favorites]


Devonian: there are plenty of rsync scripts out there that do backup rotation (and will take care of unchanged files and the like).
posted by edd at 10:03 AM on November 7, 2013 [2 favorites]
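Devonian's wishlist above (journaled history you can roll back to the first non-bad version, pull from Windows shares onto a disk nothing else on the network can see, with reporting) and edd's pointer to rsync rotation scripts, as an added example that is not code from the thread or from any product named in it. It imitates an rsync --link-dest rotation in plain Python: unchanged files are hardlinked into each new dated snapshot rather than copied, the snapshot store is only ever written by the backup host, and a run that rewrites an unusual share of files is flagged. The sample files and the 50% threshold are constructed for the demo.

```python
"""Pull-style snapshot backups with hardlinked history and a change report."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

SNAPSHOT_FMT = "%Y%m%d-%H%M%S"   # names sort chronologically
MASS_CHANGE_RATIO = 0.5          # fraction of files rewritten that triggers a flag (assumed)


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshots(store: Path) -> list:
    """Existing snapshot directories, oldest first."""
    return sorted(p for p in store.iterdir() if p.is_dir()) if store.exists() else []


def snapshot(source: Path, store: Path, when: datetime) -> dict:
    """Pull one snapshot of `source` into `store/<timestamp>/` and report on it."""
    existing = snapshots(store)
    prev = existing[-1] if existing else None
    dest = store / when.strftime(SNAPSHOT_FMT)
    dest.mkdir(parents=True)
    copied = linked = 0
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        old = prev / rel if prev is not None else None
        if (old is not None and old.is_file()
                and old.stat().st_size == path.stat().st_size
                and sha256_of(old) == sha256_of(path)):
            os.link(old, target)        # same bytes as last time: share the inode
            linked += 1
        else:
            shutil.copy2(path, target)  # new or changed content: store a fresh copy
            copied += 1
    total = copied + linked
    ratio = copied / total if total else 0.0
    return {"snapshot": dest.name, "copied": copied, "linked": linked,
            "changed_ratio": ratio,
            # a first run copies everything; after that, mass rewrites are suspicious
            "suspicious": prev is not None and ratio >= MASS_CHANGE_RATIO}


def versions(store: Path, rel: str) -> list:
    """Distinct contents seen for one file, oldest first, as (snapshot, sha256).

    To recover from an encryption event, restore from the last entry before
    the hash changed rather than from the newest snapshot.
    """
    seen = []
    for snap in snapshots(store):
        candidate = snap / rel
        if candidate.is_file():
            digest = sha256_of(candidate)
            if not seen or seen[-1][1] != digest:
                seen.append((snap.name, digest))
    return seen


def prune(store: Path, keep: int) -> list:
    """Drop the oldest snapshots beyond `keep` (keep >= 1). Hardlinked data
    survives as long as any remaining snapshot still references it."""
    removed = []
    for snap in snapshots(store)[:-keep]:
        shutil.rmtree(snap)
        removed.append(snap.name)
    return removed


def run_demo() -> dict:
    """Two runs over a constructed share; the second after one file is 'encrypted'."""
    root = Path(tempfile.mkdtemp(prefix="snapdemo-"))
    share, store = root / "share", root / "snapshots"
    (share / "docs").mkdir(parents=True)
    (share / "docs" / "thesis.docx").write_bytes(b"original thesis text")
    (share / "photo.jpg").write_bytes(b"constructed JPEG bytes")
    first = snapshot(share, store, datetime(2013, 11, 7, 9, 0, 0))
    (share / "docs" / "thesis.docx").write_bytes(b"opaque ciphertext blob")  # simulated
    second = snapshot(share, store, datetime(2013, 11, 8, 9, 0, 0))
    clean = (store / first["snapshot"] / "docs" / "thesis.docx").read_bytes()
    return {"first": first, "second": second, "clean_bytes": clean,
            "thesis_versions": versions(store, "docs/thesis.docx"),
            "photo_versions": versions(store, "photo.jpg"),
            "pruned": prune(store, keep=1)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

On a real deployment the backup box would mount the Windows share read-only and export nothing back, so the machine being backed up never holds credentials for the snapshot store.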


The first time this thing gets loaded up onto an internal, mass-shared googledrive instance and encrypts all connected endpoints across the enterprise will be a very bad day indeed.
posted by Annika Cicada at 10:05 AM on November 7, 2013


Is there any legal risk/penalty to paying the ransom? Can the Feds come back and say you engaged in illegal activity if you do it?

I think this could be a possibility? Like if the end point of your ransom is a group that has ties to terrorism, and you have sent a good chunk of money from a personal account tied to your legit identity into a flagged account somewhere, for example.
posted by elizardbits at 10:08 AM on November 7, 2013 [1 favorite]


Oh - with regard to bitcoin, in particular, I am referencing this news via Cornell Researchers...
posted by symbioid at 10:09 AM on November 7, 2013


Annika Cicada: "The first time this thing gets loaded up onto an internal, mass-shared googledrive instance and encrypts all connected endpoints across the enterprise will be a very bad day indeed."

...or finds its way into, say, a hospital's network. The only saving grace there might be that patient records today are stored in some rather esoteric database formats (M) and highly vendor-specific schemas in those databases. All the same, it'd be a bad day all around.
posted by jquinby at 10:10 AM on November 7, 2013


double block and bleed: "No, but my point is that unless you are a hardened paranoiac living in a bunker with a tinfoil hat and an air-gapped computer running NetBSD no computer, there will always be some way to fall prey to something like this, whether it be through a social exploit or technological deficiency."

I agree. I don't think that falling victim to a cleverly-delivered trojan or what have you implies that you're being stupid about computer security, but so many of these things are not delivered in anything approaching a subtle way. Given that, it makes defending against the subtle ones a pretty hopeless proposition.
posted by invitapriore at 10:10 AM on November 7, 2013 [3 favorites]


My wife says one of her coworkers got this.

Seems like a pretty big deal. Removing my mac book's mic and speaker and barricading myself in a closet with a copy of Aristotle's Ethics. See you on the other side brothers.
posted by Potomac Avenue at 10:14 AM on November 7, 2013 [6 favorites]


Ah - I use rsync for something else already, which did lead me through a few script hunts and that wasn't an entirely pleasant process. I'll go back in...

Ta
posted by Devonian at 10:14 AM on November 7, 2013


Potomac Avenue: "Removing my mac book's mic and speaker and barricading myself in a closet with a copy of Aristotle's Ethics."

Hope you're not using an unpatched version of the Ross translation, it's got some major vulnerabilities.
posted by invitapriore at 10:21 AM on November 7, 2013 [20 favorites]


If you're depending on Dropbox to save you from this, you might want to reconsider. Dropbox will happily upload your corrupted files as they are corrupted, replacing your good copies.

Dropbox keeps iterated backups of files, which saved my bacon with the wife's checkbook just last year. I'd think that they're one of the safer places to keep your stuff, even if the most recent iteration were encrypted by this thing.

Yeah, and if you don't have it twice, you don't have it. I keep a mirror of everything unplugged in a physically remote location, too.
posted by Devils Rancher at 10:22 AM on November 7, 2013


Yes - never think you're too clever to be hit by something. It's a form of hubris, no? Funny Potomac mentions Aristotle, eh?

What I don't get is why, if:

1) Ransomware has been around before..
2) These are just your plain old boring vectors...

Why is this
1) getting spread so far if it's not any different vector-wise, or is it spread just as far, but the public key crypto is what makes it different? I haven't heard anything else about other ransomwares taking off, nor any other common-vector malwares hitting this heavy.

So what's up with this, that's what I don't get...
posted by symbioid at 10:25 AM on November 7, 2013


I have a professional colleague, not at my institution, who had a user get infected. They paid the ransom, and received a working decryption key.

He did it in one of our labs, taking RAM and packet captures continuously, working with one of our forensics PhDs. They haven't published what they found, yet, but I am very keen to see if it yields anything.
posted by sandettie light vessel automatic at 10:31 AM on November 7, 2013 [9 favorites]


So what's up with this, that's what I don't get...

I think the difference is mostly that you couldn't try to ransom before bitcoin made anonymous payment viable; now that you can, we have malware brazen enough to screw up your computer and digital life in an obvious way.

The best previous uses of malware were essentially parasitic: they had a vested interest in the continued viability of the host, because killing the host killed their own utility (e.g., making your computer part of a botnet, rewriting all your advertising, stealing your information for eventual credit card fraud or identity theft.)
posted by Zed at 10:38 AM on November 7, 2013 [4 favorites]


I've got our computers behind firewalls, got proper anti-virus software (not McAfee or Norton), and have unconnected external drives. But I also have an addiction to downloading concerts off Dimeadozen and Trader's Den. I've been using these sites forever without a single problem but I am beginning to wonder when the next previously unreleased Who show will bring my whole digital world down. Time to go to the bunker and reread John Varley's "Press Enter".
posted by Ber at 10:47 AM on November 7, 2013 [1 favorite]


odinsdream: "Getting encryption right is very, very hard. I'm hoping some academics come through with an analysis soon. Maybe they made some rookie mistake like insufficient randomness."

The sample I've looked at makes use of the Windows encryption APIs, so the hard work has already been done.
posted by jquinby at 10:48 AM on November 7, 2013 [1 favorite]


never think you're too clever to be hit by something. It's a form of hubris, no?

This will become clear when Kevinmitnikos, the god of computer security, punishes the snarky IT people for their contemptuous attitude by transforming them into helpless lusers, visiting upon them PEBKAC after PEBKAC, and sending a great eagle to tear out their backup drives anew every day, as they cry out in shame for all eternity.

But yeah seriously the victim-blaming in this thread is pretty out of control.
posted by RogerB at 10:48 AM on November 7, 2013 [1 favorite]


Personal Strategy for avoiding the effects of this and all other nastygrams at home:

Once Weekly:
1. Run scan on PC to make sure I don't have any viruses.
2. Plug in my 750 GB external hard drive, backup my machine using Windows Backup.
3. Unplug hard drive, store in a drawer.

During the week:
1. If working on an important document (a big presentation, a report) email it to myself as a gmail attachment after every significant edit.

Other random times: put backups of important projects on a DVD or (dedicated) thumb drive, etc, "just in case."

Can anyone suggest how to improve Step 1 of my weekly process? I always worry about my security program not catching these things and then copying them onto my external drives.
posted by ProtoStar at 10:51 AM on November 7, 2013


As others have said, Malwarebytes Pro is a fantastic complement to MSE.
posted by sandettie light vessel automatic at 10:59 AM on November 7, 2013 [1 favorite]


My neighbor got hit with a piece of Ransomware last month, that mimicked an antivirus program. When her netbook was turned on, a popup would come up from "Antivirus Security Pro" declaring that it had detected a dangerous (fake) file. Any application that was opened would be shut down or blocked by the program, including her browser and task manager. It kept rapidly generating popups with scary warnings, making the netbook completely unusable.

The malware kept demanding money for full activation with a registration key.

Tried opening in safe mode or a command prompt. Didn't work. The netbook she was using refused to boot from any of my emergency usb sticks. She didn't have System Restore running (huge facepalm) and I was going a little nuts. Was getting ready to open the drive on a linux computer using an external enclosure, but searching the net for info on the program turned up this page which provides the program's registration code: AA39754E-715219CE.

The code turns off all the popups, so you can operate your computer and manually erase and uninstall the program.
posted by zarq at 11:09 AM on November 7, 2013 [11 favorites]


jquinby: "zarq, that's a fair point. PDFs are still very high on the list of infected files these days and for rank and file users, an alternate viewer would at least move the goalposts for the bad guys a bit."

*nod* Makes sense. It's frustrating, though. In an ideal world we wouldn't have to worry about this stuff.

Honestly, if there were ANY great alternative to Acrobat available, we'd use it.
posted by zarq at 11:15 AM on November 7, 2013


And if you Apple folks think you're going to avoid this in the medium/long term..... ha.

This would be an interesting wager. OS X has been around for twelve years and there hasn't been much in the way of viruses, and Apple has figured out with iOS that giving away the system encourages faster adoption of the newest security fixes and enhancements. I'd bet they will stay mostly ahead of the game on this one.

Anyway, this hit my employer's research institution a few weeks ago, and the University of Pennsylvania not long after. I wonder if academia was targeted first as a trial run. We also tend to have decentralized IT support, i.e., few or no backups, running older versions of Windows with less likelihood of being patched, etc. So it seems like a juicy target.
posted by Blazecock Pileon at 11:29 AM on November 7, 2013


I wonder if academia was targeted first as a trial run.

I work at a university, and I've been getting a lot of these emails, so that might well be true. I haven't heard of anybody being affected, but I'm not really in the loop for that.
posted by Horace Rumpole at 11:33 AM on November 7, 2013


I've been getting a lot of these emails

What do you mean by "these" emails? Do you have specific subject lines as examples? I haven't seen any yet but they could be in my spam filter - I'd love to take a (careful) look.

No, don't Memail me a live one. Thanks.
posted by RedOrGreen at 11:37 AM on November 7, 2013


So on reddit I saw *this*:

You are correct that Cryptolocker runs as normal user. However, later versions are reported to trick you into accepting a UAC prompt since it intercepts it from another request. For example, if you were opening up Malwarebytes (which requires UAC) Cryptolocker would trick you into accepting its OWN UAC elevation before the Malwarebytes one. Otherwise, Cryptolocker does nothing to attract attention while it's working.

Wonder if this is true or hearsay. Hard to know facts when so many things change on the ground...

CERT's post on the matter.... Off to read...
posted by symbioid at 11:47 AM on November 7, 2013 [1 favorite]


OS X has been around for twelve years and there hasn't been much in the way of viruses

We all know why that is.
posted by Steely-eyed Missile Man at 11:47 AM on November 7, 2013


We all know why that is.

Is it Freemasons?
posted by sandettie light vessel automatic at 11:48 AM on November 7, 2013 [4 favorites]


"exe masked as something else" is exactly the reason I always, always, ALWAYS turn off the stupid default "Hide known file extensions" option in Windows. If it's an .exe, I want people to be able to see that.

I'd rather have someone clueless change filetype on accident during a rename than allow that clueless person to open a "pdf" that is actually a virus.
posted by caution live frogs at 11:49 AM on November 7, 2013 [7 favorites]
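The foobar.pdf.exe question straight raised above and the hidden-extensions setting discussed here, as an added example that is not part of the thread: for a proposed attachment name it reports what Explorer displays when "Hide extensions for known file types" is on, whether the real final extension is one Windows will execute, and whether a decoy document extension sits in front of it. The extension sets are short and illustrative, and treating every listed type as "known" to Explorer is an assumption about the default configuration.

```python
"""Attachment-name triage for the foobar.pdf.exe pattern (added example)."""

# Illustrative, deliberately short lists; a real gateway filter would use the
# full set of types Windows treats as executable and as registered documents.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt", "zip"}


def classify_attachment(name: str) -> dict:
    """Describe one attachment name from the user's and from Windows' point of view."""
    stem, dot, ext = name.rpartition(".")
    ext = ext.lower()
    executable = ext in EXECUTABLE_EXTS
    # a document-looking extension immediately before the real one is the decoy
    decoy = bool(dot) and stem.rpartition(".")[2].lower() in DOCUMENT_EXTS
    known = ext in EXECUTABLE_EXTS or ext in DOCUMENT_EXTS   # assumption: all "known" to Explorer
    return {
        "name": name,
        # with extensions hidden, Explorer drops a known final extension, so
        # "invoice.pdf.exe" is displayed as "invoice.pdf"
        "shown_as": stem if (dot and known) else name,
        "executable": executable,
        "disguised": executable and decoy,
    }


def triage(names) -> list:
    """Names worth stopping at the mail gateway: anything Windows would execute."""
    return [c["name"] for c in map(classify_attachment, names) if c["executable"]]


if __name__ == "__main__":
    for sample in ["invoice.pdf.exe", "report.pdf", "setup.exe", "Photo.JPG", "README"]:
        print(classify_attachment(sample))
```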


Stonecutters.
posted by symbioid at 11:49 AM on November 7, 2013


aka: lithographers.
posted by symbioid at 11:49 AM on November 7, 2013


It's totally Freemasons.
posted by Steely-eyed Missile Man at 11:49 AM on November 7, 2013


Mod note: This is not a thread about OSX ffs, don't make it one please. Thank you.
posted by jessamyn (staff) at 11:50 AM on November 7, 2013 [4 favorites]


THERE IS NO CABAL! ;)
posted by symbioid at 11:52 AM on November 7, 2013


This is not a thread about OSX ffs, don't make it one please. Thank you.

Well of course it's not. Some people here probably aren't even running XCode.
posted by zombieflanders at 11:53 AM on November 7, 2013 [1 favorite]


I will say that the anecdotes in this thread about Windows guests encrypting drives mounted by Parallels are genuinely useful to me.
posted by sandettie light vessel automatic at 11:55 AM on November 7, 2013 [5 favorites]


1. Run scan on PC to make sure I don't have any viruses.
2. Plug in my 750 GB external hard drive, backup my machine using Windows Backup.
3. Unplug hard drive, store in a drawer.

... Can anyone suggest how to improve Step 1 of my weekly process? I always worry about my security program not catching these things and then copying them onto my external drives.


The next step you could take in security/paranoia would be to boot from a USB stick (or even better, a read-only CD) before connecting your backup drive. The concern is not that you'll copy malware onto the backup drive as part of the backup; that's relatively harmless if you're already running malware anyway. The concern is that the malware will infect/encrypt/erase your existing backups while you have the drive connected, so you can't roll back to a pre-infected state once you find the infection. If you boot from a CD, the malware is guaranteed to never actually be running while you have the backup drive connected.
posted by jhc at 12:05 PM on November 7, 2013 [4 favorites]


sandettie light vessel automatic: "I will say that the anecdotes in this thread about Windows guests encrypting drives mounted by Parallels are genuinely useful to me."

Same. I know we don't want the thread to devolve into a "who's got the better OS" crapfest, but the knowledge that my all-mac office is not necessarily safe from this virus is quite helpful.
posted by zarq at 12:08 PM on November 7, 2013


From: UPS Quantum View | Subject: UPS Ship Notification*
From: Mauro Maldonado | Subject: My Resume
From: Administrator | Subject: Last Month's Remit
From: Intuit Administrator | Subject: Payroll Received by Intuit
From: ADP Payroll | Subject: ACH Notification


Ah, dammit. Too generically similar to the rest of the items in our torrent of spam, and I have no specific examples that match.

The idea that someone cross-mounting a server disk can allow the Trojan to encrypt it is obvious in retrospect, but scary as all hell.
posted by RedOrGreen at 12:17 PM on November 7, 2013


When BleepingComputer is sweating over this, that alone's enough to give me the runny shits. They've helped me get rid of a wide variety of crap on relatives' machines.

As the Guy In The Family Who Knows Computers, I've already had A Talk about this with my in-laws. This, of course, was me going "Blah blah blah vector blah blah ransom blah blah bibble bibble" from their perspective, but when they show up a month from now and their laptops are locked down I will at least have ten seconds of that I Told You About This on my face.

A friend of mine got a larval version of this some time ago -- I want to say it was a year ago, approximately. One of the FBI Moneypak variants (since he was in the UK, it thoughtfully was Scotland Yard Moneypak instead), but it had encrypted files on both his HD and on an attached drive. Luckily, a working decryptor for that very early version existed as long as you had an unencrypted copy of an encrypted file, and he was fumigated without paying the ransom.

Never plug in a USB thumb drive that you happen to find.

I really, really don't want to meet the person who would do this.

"Hey, Bob! There's something brown on the street, it might be poop but it might be a Cuban cigar! Stick it in my mouth and help me light it!"
posted by delfin at 12:47 PM on November 7, 2013 [1 favorite]


like finding out there's a worldwide ring of people breaking into houses, stealing your stuff, then extorting a ransom from you to return your stuff -- it's not like they found a new way to break in, and people breaking in and taking it without the ransom option has been happening for a very long time.

I'd say it's more like someone found a way to monetize what had previously been pointless vandalism.
posted by paper chromatographologist at 12:48 PM on November 7, 2013 [3 favorites]


delfin: "I really, really don't want to meet the person who would do this."

Somewhere along a sidewalk? Maybe not. Found outside the office, near the steps? Pretty likely that whoever picks it up will plug it in to see what's on it and who might own it.
posted by jquinby at 12:58 PM on November 7, 2013 [2 favorites]


I really, really don't want to meet the person who would do this.

Happens more often than you think. Ever been to a trade show? People walk around handing out all kinds of swag. Including promotional USB drives.
posted by indubitable at 1:21 PM on November 7, 2013 [2 favorites]


Never plug in a USB thumb drive that you happen to find.

I'm too lazy to look up the citation, but someone did an experiment in which they dropped USB sticks in the parking lot of a $company office building. The USB sticks contained software that reported back to the experimenters if they were mounted. Yes, people picked them up in the parking lot and plugged them into their $company computer, and more often if the USB stick had the $company logo printed on it.
posted by Multicellular Exothermic at 1:29 PM on November 7, 2013 [7 favorites]


Just want to say thank you, Metafilter and codacorolla, for the heads-up and discussion about this. I had no idea.
posted by treepour at 1:31 PM on November 7, 2013 [1 favorite]


I really, really don't want to meet the person who would do this.

Why? This strikes me as a really irrational victim-blaming attitude — there's no sense in faulting users when they're victimized by exploits on the underlying technical faults of the systems they use. If I found a music CD on the street, I could presumably take it home and put it in my stereo without having to worry that my speakers would explode or that I'd have to pay a ransom to be allowed to listen to my other music ever again. Why should I expect a USB stick to be any different? A reasonable person who wasn't already socialized to take Windows (or pathologically bad security for end-user systems in general) for granted wouldn't see using a random bit of media as a contemptibly stupid thing to do. If USB drives really need to be wrapped in complicated software condoms before insertion, it's an argument that computers are mostly terrible, not that their users are unaccountably stupid.
posted by RogerB at 1:31 PM on November 7, 2013 [7 favorites]


I'd say it's more like someone found a way to monetize what had previously been pointless vandalism.

Yeah, but that doesn't mean the vandalism is any worse from a technical perspective. Same steps to prevent vandalism, whether it's pointless or monetized; ditto same steps to prevent getting viruses/trojan horses, doesn't change just because someone figured out how to monetize it.
posted by davejay at 1:41 PM on November 7, 2013


This is a real discussion and people are genuinely being affected by this stuff in bad ways. But I also wanted to chip in with my conspiracy-theory type paranoia, to wit: if I were a government that really, really wanted to get the public behind me about reducing net neutrality and making the web safe for democracy and all that fun reducing-internet-freedom type of stuff, this is exactly the kind of stunt I'd engineer. If I wanted to sex up my plans to invade yr internet, I'd make sure that you were afraid of malware of mass destruction like these. Of course, these malware actually exist... Apologies for my derail here, but as this takes hold, I can easily see politicians piping up with "See, this is why we need to control stuff more." (Not that it'd help, but it'll play well.)
posted by aesop at 1:51 PM on November 7, 2013 [6 favorites]


jquinby: "submit it to VirusTotal which will at least show how the other 40-odd AV vendors respond to the file."

+1 for VirusTotal

It's a great service, integrates into Explorer for RMB context-menu submissions of files, and they also offer extensions for various browsers so you can check links for drive-by stuff before clicking on them.
posted by Hairy Lobster at 1:57 PM on November 7, 2013


To be honest, the specifics don't really matter...So the same mechanisms for avoiding disaster (don't click on links in emails, backup regularly, etc.) still apply in exactly the same way.

It matters to me! And you (like every other article I can find) again just glossed over the specifics assuming we know this stuff already. Never click any links in e-mails (or, presumably, anywhere)? Are you just hosed if you go to the wrong webpage or does stuff like No-Script give you protection? Are actual .jpg and .pdf files dangerous, or just the ones that are actually .jpg.exe and .pdf.exe?

Maybe part of the education problem is that too many IT people have just thrown up their hands and given up and aren't even trying to educate people anymore -- or maybe they suck at explaining things. I'm pretty darn experienced on the internet, and I genuinely can't find detailed answers about this stuff. Is there a way to find out if your computer is part of a botnet? Google doesn't seem to know.
posted by straight at 2:16 PM on November 7, 2013 [4 favorites]


If Google doesn't know if it's part of a botnet, then we really _are_ screwed.
posted by delfin at 2:18 PM on November 7, 2013 [1 favorite]


It matters to me! And you (like every other article I can find) again just glossed over the specifics assuming we know this stuff already. Never click any links in e-mails (or, presumably, anywhere)? Are you just hosed if you go to the wrong webpage or does stuff like No-Script give you protection? Are actual .jpg and .pdf files dangerous, or just the ones that are actually .jpg.exe and .pdf.exe?

Maybe part of the education problem is that too many IT people have just thrown up their hands and given up and aren't even trying to educate people anymore -- or maybe they suck at explaining things. I'm pretty darn experienced on the internet, and I genuinely can't find detailed answers about this stuff. Is there a way to find out if your computer is part of a botnet? Google doesn't seem to know.


Rules:

1) NEVER open attachments without scanning them with A/V, and then only if you KNOW it's something you're expecting.

2) Run Firefox with NoScript add-on. Only allow scripts on pages you trust. Chrome has something similar and is (IMHO) a better, faster browser. I'm stuck in my ways now, so FF for me.

3) Purchase Malwarebytes PRO running in tandem with Windows Defender.

4) DO NOT INSTALL JAVA (or, if you must, make SURE to disable Java in the browser through control panel)

5) Don't click links in email. Just google what you're looking for and log in that way (PayPal, banks, ebay, ESPECIALLY). Phishing is still the most common form of attack.

6) Use Carbonite or Dropbox for automated backup. Make sure you have at least 30 days of revision history available.

7) Use LastPass to randomize and save passwords in a safe fashion.

8) Stay away from seedy sites like pron, gambling, warez, etc.

9) Check your "installed programs" list on Friday. Make sure nothing you're unfamiliar with is on there.

10) Run CCleaner weekly. This is more for maintenance, but it has a great startup auditing tool.

11) Avoid using Outlook. If you can't, TURN OFF AUTO PREVIEW!

Those are the specifics I can offer.
posted by lattiboy at 2:43 PM on November 7, 2013 [9 favorites]


Suppose one has more than one computer syncing with a Dropbox/Box etc folder. Can the malware be spread between the syncing computers via the cloud? Or do the files just get encrypted and unusable for both computer 1 (the infected one), and number 2, which shares the folder, but hasn't yet been infected?
posted by aesop at 2:53 PM on November 7, 2013 [1 favorite]


To lattiboy's suggestions, I'd add:

12) Download and run Microsoft's Malware Removal Tool.

On the Macs around casa quinby, I run Sophos AV and will probably register my copy of Little Snitch (firewall/network activity reporting tool) before a whole lot longer.

The Windows VM I use for testing and other things runs the free version of AVG, which isn't too bad, but I'm constantly restoring it from a known good snapshot and there's nothing of consequence on there anyway.

straight: "Is there a way to find out if your computer is part of a botnet? Google doesn't seem to know."

The malware tool I mention above should detect the most common malware, unless you're in the crosshairs of a nation-state and rate something custom built.
posted by jquinby at 3:10 PM on November 7, 2013 [1 favorite]


Dropbox is an executable on your system that enumerates a drive. I assume if an elevated privileges vulnerability is exploitable within the dropbox exe, then yeah, malware could be written that could infect all the attached systems. It's exactly what I pondered upthread in regards to google drive. It's able to locally execute, it's attached to potentially hundreds of devices, it's a tasty vector of attack.

The thing would be to limit your dropbox folder to write not execute, but that assumes the dropbox app itself can't write outside that directory, or other processes.

It's tricky. It's why I'm looking seriously at Bit9's solution.
posted by Annika Cicada at 3:20 PM on November 7, 2013 [1 favorite]


Use noscript or something similar to control how javascript runs on your browser.

This is difficult these days. Even Metafilter makes copious use of AJAX.

Purchase Malwarebytes PRO

Not everyone has the money to buy all kinds of anti-malware products. Unfortunately the word is that Microsoft Security Essentials/Defender has become less useful lately. Thanks a heap, Microsoft.

DO NOT INSTALL JAVA

And if you want to play Minecraft? It should be sufficient to disable those Extensions in Firefox.

Use LastPass to randomize and save passwords in a safe fashion.

Something that's been worrying me -- what is to keep malware from corrupting your password store? Or encrypting that and asking a ransom to be reconnected with your online life?
posted by JHarris at 3:23 PM on November 7, 2013 [3 favorites]


the con-men don't have to leave the comfort of their mother's basement.

And one of the world's laziest stereotypes lives on. Apropos of the REAMDE reference earlier in the thread, I would not at all be surprised to learn that Russian gangsters are behind this, or at least behind V1.0.


That's right. No self-respecting vor lives with his mother.

His mother lives with him.
posted by griphus at 4:03 PM on November 7, 2013 [1 favorite]


The malware tool I mention above should detect the most common malware,

Thanks for all the tips, lattiboy. All the websites I could find on the botnet subject say things like, "Well, of course any decent botnet will disable or fool your antivirus software." But presumably if you download the latest Malware Removal Tool from the Microsoft website that will catch everything but the NSA?

Do you really need to scan every attachment? Are .jpeg files safe?
posted by straight at 4:14 PM on November 7, 2013


After reading this stuff this morning, I thought maybe I'd do a double-check of my digital premises. I've got Java disabled in my browser, but I thought I'd download the latest version, and then disable THAT--and also uninstall all the old versions that are still on my machine, while I was at it.

And what do I see while I'm installing the latest version of Java? "Java recommends that you install the ASK toolbar!"

When a nasty virus is making the rounds, anybody who's the least bit savvy is shocked that people are dumb enough to fall for it. "God, everybody in my office opened the attachment... why would you DO that?" Well, maybe it's because it doesn't look any sketchier than the crapware that Java is trying to force-feed you, and the Java vendors are supposed to be trustworthy.

You can't train people to be skeptical and circumspect while you're ALSO trying to sucker them into installing your shitty toolbar...
posted by Sing Or Swim at 4:37 PM on November 7, 2013 [11 favorites]


If I found a music CD on the street, I could presumably take it home and put it in my stereo without having to worry that my speakers would explode or that I'd have to pay a ransom to be allowed to listen to my other music ever again. Why should I expect a USB stick to be any different?

Because music CDs don't have decades of history of viruses and other malware like computer programs do?

If USB drives really need to be wrapped in complicated software condoms before insertion, it's an argument that computers are mostly terrible, not that their users are unaccountably stupid.

There's a difference between 'any USB drive is potential poison' and 'picking a random USB drive off the sidewalk and plugging it into your PC,' which is what my comment was discussing. There's acceptable risk in everyday activities and then there's just dumb.
posted by delfin at 4:42 PM on November 7, 2013


Because music CDs don't have decades of history of viruses and other malware like computer programs do?

Decades of history, for which the rules constantly change.

Picking up a floppy disk, putting it in your drive, and seeing what's on it never was a risky behavior. You wouldn't run any strange executables, but documents were fine, and certainly a simple dir was harmless.

Doing things that way made perfect sense. Why would your computer be built to execute code from removable media without you telling it to? Why would a document viewer (like Acrobat) even be built such that a malformed document could make it execute arbitrary code?

People can learn-- but they can't relearn, and relearn, and relearn, when the rules keep changing. And let's just admit it, the rules are unrealistic for many people. No exploring the web-- only visit known sites. Known sites that can't do anything fancier than you could in 1995, at that. No porn, which is the killer app as far as a lot of people are concerned. No sharing files with people you don't know well. In fact, no sharing at all, since maybe the people you know well were hacked.
posted by nathan v at 5:02 PM on November 7, 2013 [4 favorites]


The October 30 episode of the Daily Show seems apropos:
(News clip plays with voiceover describing allegations of attempted spying at the recent G-20 summit:)
"Delegates were given USB memory sticks, and phone chargers equipped with spyware..."

Jon Stewart:
"If you're a world leader, and you put the USB stick Russia gave you into your computer, you deserve to have them at least fuck with your screen saver."
posted by ceribus peribus at 5:18 PM on November 7, 2013


And what do I see while I'm installing the latest version of Java? "Java recommends that you install the ASK toolbar!"

Yeah, that's sickening. So is Adobe recommending you install McAfee with Flash updates.
posted by JHarris at 5:38 PM on November 7, 2013 [2 favorites]


So what extensions should you be running in Chrome and Opera? I loathe FF and only use it as a side-run where necessary. Currently there's one site (the toast, for my sadness) that insistently pops up a cleanapp redirect pop up on Chrome, nowhere else so I'm wondering wtf is going on.
posted by geek anachronism at 6:12 PM on November 7, 2013


If you can believe Microsoft's page, Microsoft Security Essentials will detect it on definition 1.157.1563.0 and higher.
posted by Grimgrin at 6:17 PM on November 7, 2013 [1 favorite]


davejay: "To be honest, the specifics don't really matter. I mean, yes, people are getting all worked up about the encrypt-and-ransom part, but the delivery mechanism is no different than the one that's been used to infect computers with other trojan horses, and trojan horses that simply delete files (with no encrypt-and-ransom part, but with the same end result of you losing your files) has been around for a very long time. So the same mechanisms for avoiding disaster (don't click on links in emails, backup regularly, etc.) still apply in exactly the same way."

Except regular malicious malware was about the thrill of being an "elite" cracker. This extends that by adding a fairly lucrative financial motive. Shit, people farm gold in WoW and other MMOs; this has to be hugely more lucrative.

lattiboy: "8) Stay away from seedy sites like pron, gambling, warez, ect. "

Come on, we might as well just unplug the internet if that is the price.
posted by Mitheral at 6:34 PM on November 7, 2013 [3 favorites]


There's a difference between 'any USB drive is potential poison' and 'picking a random USB drive off the sidewalk and plugging it into your PC,' which is what my comment was discussing. There's acceptable risk in everyday activities and then there's just dumb.

Still not seeing why that should be a user error. It's ridiculous that computers are made so you can't look at removable storage with zero chance of executing anything.
posted by straight at 6:39 PM on November 7, 2013 [2 favorites]


True, but even then are you willing to swear on pain of death that the key won't be constructed to overrun a buffer in the filesystem or the USB stack? If you're in a GUI, are you totally confident that the file browser won't start reading files and get a buffer overflow? Not probable, but times being what they are, caution mayn't hurt.
posted by wotsac at 7:18 PM on November 7, 2013 [1 favorite]


Breaking from the tech side to look at the human side:

The "boots on the ground" doing the dirty work typically are people who have very poor existences in eastern bloc countries. The alternative to working on a phishing and ransomware ring is backbreaking labor and multi-generational poverty. A father can exploit a few hundred, maybe several thousand people in a year's time, make a few hundred thousand dollars for his family and set them up for several generations. 10-15 years time in prison is easily a price worth paying for the payoff.
posted by Annika Cicada at 9:01 PM on November 7, 2013 [2 favorites]


wotsac: true enough, but a buffer overflow that does anything useful needs to be tailored to a particular binary layout. To know if a user is vulnerable to an overflow in Windows, you can ask one question: "are you running Windows". There is likely only one build that shipped for the app or library targeted by the exploit you are using. How many questions do you need a Unix user to answer before you know if a specific build of a specific version of a specific program is running on their machine? Hell, good luck even targeting the right GUI toolkit or Desktop, not to mention build versions. One of the suckiest things about the Unix world is the non-uniformity and pathological levels of variety and customization. But that fault also makes spreading malware very hard.
posted by idiopath at 10:00 PM on November 7, 2013 [1 favorite]


There's some question as to whether or not this video is faked, but the tools, techniques and scale of what's depicted are all pretty real. (NSFW warning: the camera follows its subject into a strip club about 2/3rds of the way through).

"I'm not really a hacker, but an actor."
posted by anemone of the state at 10:11 PM on November 7, 2013 [1 favorite]


odd feeling because my adobe password turns out to be one of the ones compromised. On the other hand, I didn't even have a password hint for it, so I guess it was something like "password", which I use as a gesture of contempt on sites which demand a password for access to nothing that anyone would want to steal, if you see what I mean. Stuff that I care about gets proper, unique and non-dictionary passwords, sometimes generated with lastpass. Google accounts get >12 character passwords with two factor authentication as well. But now Adobe has been hacked I wonder what possible harm could be done by the loss of a password that I know doesn't protect anything important.
posted by alloneword at 11:26 PM on November 7, 2013


This is yesterday's news; now it's all about badBIOS. It's a virus that crosses airgaps via ultrasonic transmission picked up by microphones.

maynotbetrue
posted by Admira at 12:01 AM on November 8, 2013 [1 favorite]


JHarris: "Use noscript or something similar to control how javascript runs on your browser.

This is difficult these days. Even Metafilter makes copious use of AJAX.

Purchase Malwarebytes PRO

Not everyone has the money to buy all kinds of anti-malware products. Unfortunately the word is that Microsoft Security Essentials/Defender has become less useful lately. Thanks a heap, Microsoft.

DO NOT INSTALL JAVA

And if you want to play Minecraft? It should be sufficient to disable those Extensions in Firefox.

Use LastPass to randomize and save passwords in a safe fashion.

Something that's been worrying me -- what is to keep malware from corrupting your password store? Or encrypting that and asking a ransom to be reconnected with your online life?"

I regularly export my LastPass password store, re-encrypt it, then store it on a cloud service I barely use.
posted by Samizdata at 4:44 AM on November 8, 2013


For a long time now, I've regarded my Windows desktop as essentially disposable, ready to be nuked and repaved as the need arose.

I shudder to think what could have happened to all the precious data on my Linux fileserver. Oh and the two levels of backups I had kept mounted.

Backup to somewhere offline, people! There is no middle ground between laughing it off and total disaster.
posted by whuppy at 6:22 AM on November 8, 2013 [1 favorite]
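One way to act on that advice, as an added example that is not from the thread or any commenter: a PowerShell script that mirrors a folder to a drive you plug in only for the backup, verifies every copied file by SHA-256 before you unplug it, and writes a hash manifest so a later restore can be checked the same way. The source path and the E: drive letter are assumptions; change them for your machine.

```powershell
# Added example (not from the thread): verified backup to a drive that stays offline
# between runs. Source folder and destination drive letter are assumed values.

param(
    [string]$Source      = 'C:\Users\me\Documents',   # assumed source folder
    [string]$Destination = 'E:\Backups\Documents'     # assumed removable drive, plugged in only for this job
)

function Copy-BackupTree {
    param([string]$From, [string]$To)
    # /MIR mirrors the tree; /R:2 /W:5 keep retry loops short; /NP /NFL /NDL drop progress noise.
    # Caution: /MIR also deletes destination files that vanished from the source, so keep more
    # than one backup generation if you want to survive a wipe that happened before this run.
    robocopy $From $To /MIR /R:2 /W:5 /NP /NFL /NDL | Out-Null
    # robocopy exit codes below 8 mean the copy succeeded (possibly with files copied or removed).
    return ($LASTEXITCODE -lt 8)
}

function Test-BackupIntegrity {
    param([string]$From, [string]$To)
    # Compare every source file against its copy by SHA-256; returns a list of problems (empty = good).
    $problems = @()
    Get-ChildItem -Path $From -Recurse -File | ForEach-Object {
        $relative = $_.FullName.Substring($From.Length).TrimStart('\')
        $copy = Join-Path $To $relative
        if (-not (Test-Path $copy)) {
            $problems += "missing: $relative"
            return   # inside ForEach-Object this skips to the next file
        }
        $srcHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -Path $copy -Algorithm SHA256).Hash
        if ($srcHash -ne $dstHash) { $problems += "mismatch: $relative" }
    }
    return $problems
}

if (-not (Test-Path $Destination)) {
    Write-Error "Backup drive not mounted at $Destination; plug it in and rerun."
    exit 1
}

if (-not (Copy-BackupTree -From $Source -To $Destination)) {
    Write-Error "robocopy reported a failure; do not trust this backup."
    exit 1
}

$bad = Test-BackupIntegrity -From $Source -To $Destination
if ($bad.Count -eq 0) {
    # Manifest goes one level above the mirrored tree so /MIR does not delete it next time.
    Get-ChildItem -Path $Destination -Recurse -File |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path |
        Export-Csv -Path (Join-Path $Destination '..\manifest.csv') -NoTypeInformation
    Write-Output "Backup verified. Eject the drive now so it stays offline until the next run."
} else {
    $bad | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

The hash check proves the copy is faithful to the source, not that the source was clean: if files had already been encrypted before the run, the backup faithfully holds encrypted files. That is why the comment in the script recommends keeping more than one generation, and why the drive should not stay mounted; a backup volume that is attached when the malware runs is just another drive full of matching extensions.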


And another thing to re-emphasize: Don't get all smug because the initial vectors required user stupidity. This one's gonna keep coming, better and better. There'll be a drive-by variant soon.

Be ready.
posted by whuppy at 6:26 AM on November 8, 2013 [2 favorites]


It's almost tempting to start browsing only in a minimal Linux VM with only enough libraries and such installed to run Chrome and/or Firefox, and with the VM completely walled off from the local filesystem. Not as good as an air gap, but perhaps the next best thing.

Perhaps this is the next logical step for ChromeOS / FirefoxOS. Make easy-to-use containers for the masses as a replacement for native browsers.
posted by honestcoyote at 6:51 AM on November 8, 2013


Admira: "This is yesterday's news; now it's all about badBIOS. It's a virus that crosses airgaps via ultrasonic transmission picked up by microphones."

There was actually a thread started on that last week.
posted by exogenous at 7:57 AM on November 8, 2013 [2 favorites]


A person I know said that ever since the Great Data Disaster of 2005 they've kept regular backups, but I told them to be pro-active and get the tool to at least try to prevent it in the first place. Backups are important, yes, but why go unprotected? At least minimize your harm. I hope he listens... I installed the prophylactic software on work and my home comp last night, and I'm going to buy a solid backup device for home as well (which I failed to learn about: the linking Windows does when you re-assign the "My Documents" folder. Turns out if you wipe a drive with "My Documents" pointing to a directory on another drive, it doesn't get delinked (soft-link?) but actually deletes that data. Wish I would have known that in the first place :\). Ever since ~2006 or so, I haven't had many problems with Windows being terribly unstable/wiping my drive, so I've gotten lax. This is a good reminder to back dat shit up.
posted by symbioid at 9:37 AM on November 8, 2013


Back Data(ss) up.
posted by symbioid at 9:37 AM on November 8, 2013 [4 favorites]


USB sticks are not quite as critical if you disable autoplay in Windows, and you should really disable autoplay in Windows.
posted by theora55 at 8:55 AM on November 9, 2013
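As an added example, not from the thread or any commenter, here is how to do that from an elevated PowerShell prompt and confirm it took: the script sets the documented `NoDriveTypeAutoRun` policy value to the all-drive-types mask (0xFF) and then reads it back. The function names are the example's own.

```powershell
# Added example (not from the thread): disable AutoRun for every drive type via the
# Explorer policy key, then verify. Run from an elevated prompt; the registry path and
# value name are the documented NoDriveTypeAutoRun policy, the function names are ours.

$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName  = 'NoDriveTypeAutoRun'
$allDrives  = 0xFF   # one bit per drive type (removable, fixed, network, CD-ROM, RAM disk, unknown); all set

function Disable-AutoRun {
    # Create the policy key if it is missing, then write the DWORD (overwriting any weaker value).
    if (-not (Test-Path $policyPath)) {
        New-Item -Path $policyPath -Force | Out-Null
    }
    New-ItemProperty -Path $policyPath -Name $valueName -Value $allDrives -PropertyType DWord -Force | Out-Null
}

function Test-AutoRunDisabled {
    # $true only when the value exists and every drive-type bit is set.
    $item = Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (($item.$valueName -band $allDrives) -eq $allDrives)
}

Disable-AutoRun
if (Test-AutoRunDisabled) {
    Write-Output "AutoRun is disabled for all drive types; sign out or reboot so Explorer reloads the policy."
} else {
    Write-Warning "AutoRun policy was not applied; check that this prompt is elevated."
}
```

This stops Explorer from acting on an autorun.inf when media is inserted, which is the piece that matters for a stray USB stick. The "AutoPlay" prompt you see in Control Panel is a separate setting; turning that off is fine too, but the policy value above is the one to verify on a machine you care about.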


Picking up a floppy disk, putting it in your drive, and seeing what's on it never was a risky behavior.

For those who remember classic Mac viruses: oh yes it was.
posted by We had a deal, Kyle at 11:11 AM on November 9, 2013



