CryptoLocker Question


I have a question about the CryptoLocker "virus." I have Windows 7 x64. I  
figure if I am successfully attacked (I have taken other measures...), my  
personal files are toast. That's not a big problem because my HDD is backed  
up every night to an external USB drive, with several night's worth kept  
around. What worries me is if it access the external drive and encrypts the  
backup file.

In all the demonstrations I have seen, it appears to run under the current  
user's context. Since I can set up my backup software to run as  
Administrator (or any account), I gave modify permission to the backup  
directory and all within to only the Administrators local group. This means I  
can't modify or move them without answering an LUA. So I think they are  
protected.

QUESTION: Does anyone know if this thing can elevate its Integrity? Anyone  
seen a case of that? I haven't.

TIA..

--  
Jim

"Be right back!" - Godot  
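The ACL arrangement Jim describes (write access on the backup tree only for the local Administrators group, inherited by everything below it), as an added PowerShell example that is not from the thread. The folder path `E:\Backups`, the extra `SYSTEM` entry for the scheduled backup job, and the read-only entry for `BUILTIN\Users` are assumptions; the `Get-UnexpectedWriters` check at the end is also hypothetical and lists any entry that would still let a non-admin principal write or delete.

```powershell
# Added example (not from the thread): restrict a backup folder so that only
# members of BUILTIN\Administrators (and SYSTEM, for the scheduled job) can
# write to it, with the entries inherited by every child file and folder.
# $BackupRoot is an assumed location.
$BackupRoot = 'E:\Backups'

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None

function New-Ace([string]$Identity, [string]$Rights) {
    # Build one inheritable Allow entry for the given principal and rights.
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
               -ArgumentList $Identity, $Rights, $inherit, $noProp, 'Allow'
}

$acl = Get-Acl -Path $BackupRoot
# Stop inheriting from the drive root (removable disks often grant
# Authenticated Users: Modify there) and clear whatever explicit entries exist.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'Modify'))         # elevated backup job
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl'))    # Task Scheduler / services
$acl.AddAccessRule((New-Ace 'BUILTIN\Users'          'ReadAndExecute')) # unelevated logons: read only
Set-Acl -Path $BackupRoot -AclObject $acl

# Check (hypothetical helper): report every Allow entry that still grants a
# write or delete right, or GENERIC_WRITE, to a principal other than
# Administrators or SYSTEM.  No output means the tree is locked down as intended.
function Get-UnexpectedWriters([string]$Path) {
    $writeBits    = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'
    $genericWrite = 0x40000000   # GENERIC_WRITE appears as a raw number on some entries
    $trusted      = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $trusted -notcontains $_.IdentityReference.Value -and
        ((([int]$_.FileSystemRights -band [int]$writeBits) -ne 0) -or
         (([int]$_.FileSystemRights -band $genericWrite) -ne 0))
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

Get-UnexpectedWriters -Path $BackupRoot
```

Run this from an elevated prompt, since changing the DACL requires write access to it. The reason the `BUILTIN\Users` entry is what applies to Jim's own unelevated logon is that, under UAC, the non-elevated token of an Administrators member has that group marked deny-only, so the Administrators Modify entry is not honoured until the process is elevated through the consent prompt. The check function is worth re-running after any backup software install, because some setup programs add their own entries to the target folder.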



Re: CryptoLocker Question

Jim Nugent pretended :

From what I understand about it, it can 'see' external drives if they  
are mapped to drive letters. Then it looks for files of a type  
indicated by filename extension (I didn't see *.tib or *.mrimg which I  
use for image backups) so if the list includes the filename extension  
used on your backups it could 'see' them.

I don't know about that aspect. I do know (or rather have read or heard  
somewhere from a reliable source) that Microsoft doesn't consider  
Mandatory Integrity Control based LUA to be a security boundary - so if  
it gets circumvented they won't consider it to be a big deal. Perhaps  
it is not a good idea to depend upon MIC based LUA as much as one  
depends upon ACL permissions which *do* represent a security boundary.

Upon re-reading your 'question', perhaps you meant to ask about  
'privilege escalation' and not 'integrity elevation'?



Re: CryptoLocker Question


You're right. Thanks for clarifying. Top level backup directory's ACL gives  
write permission only to the Local Administrators Group, and this is passed  
on to children. My concern was, could this thing starting out running as me,  
a standard user (a member of the Admin group but defaulting to standard user  
rights), find a way to elevate its privilege to write those files?

I've still gotta figure out this whole Integrity thing.
--  
Jim

"Be right back!" - Godot  



Re: CryptoLocker Question

Jim Nugent wrote :

I don't think so, because if it did there would be a vulnerability  
(CVE-number) associated with it that it exploits to achieve that end.  
It should be noted however that in some cases this malware is delivered  
through an exploit kit that puts a bot on the machine and that bot  
downloads that ransomware. In such a case the exploits in the kit may  
have done the escalation.


This may help:

http://blogs.technet.com/b/markrussinovich/archive/2007/02/12/638372.aspx

...and there's another by the same person that does go into some  
detail.

http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx



Re: CryptoLocker Question


FromTheRafters,
Thank you for your insight and for the references to Mark's articles. They  
were very helpful.
--  
Jim

"Be right back!" - Godot  



Re: CryptoLocker Question

Jim Nugent explained :

You're welcome. I always liked Mark's articles and videos - very  
informative.



Re: CryptoLocker Question

FromTheRafters presented the following explanation :

[...]


Followup to this Exploit Kit connection.

http://blog.trendmicro.com/trendlabs-security-intelligence/cryptolocker-emergence-connected-to-blackhole-exploit-kit-arrest/



Re: CryptoLocker Question



It is not a virus and does not infect other files to spread, nor does it use  
AutoRun or networking protocols to spread.

It does run in the context of the user with the privileges the user has.  
Thus if the system is set up such that each user on an infected computer is a  
LUA and has to log in with a password, the person's account which bore the  
brunt of the infection is affected and most possibly not other accounts.


--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: CryptoLocker Question

On 2013-11-10 10:24 AM, Jim Nugent wrote:

Regardless of whether or not CryptoLocker can see and mess up external  
drives, I am no longer leaving them attached after current backup is  
completed. I'm also disconnecting from the web during backup. May be a  
clumsy workaround, but until I'm sure that my shields can prevent it  
doing its dirty work, that's the plan.

HTH

--  
Best,
Wolf K
kirkwood40.blogspot.ca

Re: CryptoLocker Question

wrote:




As I understand it, you only get this if you are either surfing or
clicking on an e-mail attachment.

So if your backup hard drive is powered externally, then put this
on a timeclock to come on, say, 10 minutes before your scheduled task
is to run. You should know how long it takes to back up, so in your
task scheduler use a program that ejects the USB drive (google for
that) at a time when you know your backup is done, then set the time
clock to turn off the power to the drive after that, with some
leeway.


You can  power your drive up for checking when you want.
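The "program that ejects the USB drive" step of the procedure above, as an added PowerShell example that is not from the thread. It asks the shell to run the same Eject verb as the "Safely Remove Hardware" tray icon, which flushes the write cache and refuses if any file on the volume is still open, then waits for the drive letter to disappear before reporting success. The drive letter `E:`, the 90-second timeout and the `Dismount-BackupDrive` function name are assumptions.

```powershell
# Added example (not from the thread): eject the external backup drive after
# the scheduled backup has finished, so cached writes are flushed and handles
# released before any timer cuts its power.  $DriveLetter and the timeout are
# assumptions; run it as the last action of the backup task.
function Dismount-BackupDrive {
    param(
        [string]$DriveLetter    = 'E:',   # assumed letter of the external backup drive
        [int]   $TimeoutSeconds = 90
    )
    $shell = New-Object -ComObject Shell.Application
    # 17 is ssfDRIVES (the "Computer" folder); ParseName finds the drive item.
    $item = $shell.NameSpace(17).ParseName($DriveLetter)
    if (-not $item) { return $false }     # letter not present: nothing to eject

    # Same verb the tray icon invokes: Windows flushes the cache and removes the
    # device, or refuses (letter stays) when a file on it is still open.
    $item.InvokeVerb('Eject')

    # InvokeVerb returns immediately, so poll until the volume is gone.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if (-not (Test-Path -LiteralPath "$DriveLetter\")) { return $true }
        Start-Sleep -Seconds 2
    }
    return $false   # still mounted after the timeout: the eject was refused
}

if (Dismount-BackupDrive -DriveLetter 'E:') {
    Write-Output 'Backup drive ejected; safe to cut power.'
} else {
    Write-Output 'Eject refused or timed out; leave the drive powered and check for open files.'
    exit 1
}
```

A non-zero exit here is the useful signal: if the eject is refused, something (the backup program, an indexer, an open Explorer window) still holds a handle, and cutting power at that point is exactly the situation where the write cache is lost. Treat a failed eject as "do not power off" rather than as something to override.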

Re: CryptoLocker Question



That's not a good idea as the OS may use the drive and when the clock turns off the power  
for the drive the OS cache may not be flushed and data not written and corrupted data may  
be the result.

That's why there is a "Safely Remove" utility to make sure the cache is flushed to the  
drive and there are no open File Handles.


--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: CryptoLocker Question

On Mon, 11 Nov 2013 07:33:43 -0500, "David H. Lipman"



win7 and similar in XP

Device - Properties - Policies - select Quick Removal - this disables
write caching and you can safely disconnect without going through the
Safely Remove Hardware notification.

Re: CryptoLocker Question


To be fair, Bob L, did say:


He later pointed out another option:


To be honest, I'm paranoid, and would probably implement both.

The bad news is that I've got other stuff besides backups on that drive, and  
right now it's plugged into a UPS, so there would be some re-thinking to do.

THE FINAL SOLUTION

In a couple of weeks, I plan to do The Right Thing: get two Western Digital  
Passport Drives, do a full backup of my own and my wife's computer to disk  
#1 and take it to the safe deposit box. A few days later, do a back up to  
disk #2, and swap it with disk #1, etc.

I haven't heard any reports of Crypto-Locker gaining access to a drive  
that's locked in a bank vault. Anyone?
--  
Jim

"Be right back!" - Godot  



Re: CryptoLocker Question

On Tuesday, November 12, 2013 10:10:58 PM UTC+8, Jim Nugent wrote:  

Muaahahahahaha!  WE WILL FIND YOU.

THE CRYPTO-LOCKER TEAM.
