Free Republic
News/Activism

Security Alert: Angler Exploit Kit Spreads CryptoWall 4.0 via New Drive-By Campaign
Heimdal Security | December 2nd, 2015, 11:23 | Andra Zaharia

Posted on 12/07/2015 4:46:21 AM PST by rarestia

Our team has recently monitored and analysed a new stack of drive-by campaigns which aim to spread the Angler exploit kit by injecting malicious code into compromised web pages.

Because of the mechanisms involved and the attackers’ objectives, the campaign is prone to achieve large distribution and affect a big number of PCs and their users.

The campaign is carried out by installing a cocktail of malware on the compromised PC. The first payload consists of the notorious data thief Pony, which systematically harvests all usable usernames and passwords from the infected system and sends them to a series of Command & Control servers controlled by the attackers.

The purpose of this action is to abuse legitimate access credentials to web servers and CMS systems used by websites and to inject the malicious script in these websites so that the campaign achieves the largest possible distribution.

In the second phase, the drive-by campaign unfolds by moving the victim from the compromised legitimate website to a set of dedicated domains that drop the infamous Angler exploit kit.

The Angler exploit kit will then scan for vulnerabilities in popular third party software and in insecure Microsoft Windows processes, if the system hasn’t been updated. Once the security holes are identified, Angler will exploit them and force-feed CryptoWall 4.0 into the victim’s system.

(Excerpt) Read more at heimdalsecurity.com ...


TOPICS: Crime/Corruption; Extended News; Technical
KEYWORDS: computers; security; windowspinglist
FYI to technical FReepers, esp. those running corporate infrastructure. This is relatively isolated to Europe, but there are incidents of US targeting.
1 posted on 12/07/2015 4:46:21 AM PST by rarestia
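The first stage in the excerpt is stolen CMS credentials being used to inject a redirect into legitimate pages. The PowerShell below is an added example, not code from Heimdal or from anyone in this thread: a generic triage check a site owner can run over saved copies of their own pages. It flags script and iframe tags whose source is a host other than the site itself (or a CDN you explicitly allow) and long single-line inline scripts built around `unescape`/`fromCharCode`/`eval`. The hostnames and HTML in it are constructed for illustration, and it is a heuristic, not an Angler signature.

```powershell
# Added example (not from the Heimdal article or this thread): find includes
# that point off-site in saved copies of your own pages. Heuristic only.
function Find-OffDomainIncludes {
    param(
        [Parameter(Mandatory)] [string]   $Html,
        [Parameter(Mandatory)] [string]   $SiteHost,          # e.g. 'www.example.com'
        [string[]] $AllowedHosts = @()                        # CDNs you deliberately use
    )
    $findings = @()

    # <script ... src="..."> and <iframe ... src="..."> with single or double quotes.
    $srcPattern = '<(?<tag>script|iframe)\b[^>]*?\bsrc\s*=\s*["''](?<src>[^"'']+)["'']'
    foreach ($m in [regex]::Matches($Html, $srcPattern, 'IgnoreCase')) {
        $src = $m.Groups['src'].Value
        # Absolute and protocol-relative (//host/...) URLs carry a host; relative paths do not.
        if ($src -match '^(?:https?:)?//(?<host>[^/:?#]+)') {
            $h = $Matches['host'].ToLower()
            if ($h -ne $SiteHost.ToLower() -and $AllowedHosts -notcontains $h) {
                $findings += [pscustomobject]@{ Tag = $m.Groups['tag'].Value; Host = $h; Src = $src }
            }
        }
    }

    # A second red flag: a very long inline script on one line that unpacks itself.
    $inlinePattern = '<script\b[^>]*>(?<body>[^<]{400,})</script>'
    foreach ($m in [regex]::Matches($Html, $inlinePattern, 'IgnoreCase')) {
        $body = $m.Groups['body'].Value
        if ($body -notmatch "`n" -and $body -match '(unescape|fromCharCode|eval)\s*\(') {
            $findings += [pscustomobject]@{ Tag = 'script(inline)'; Host = '-'; Src = $body.Substring(0, 60) + '...' }
        }
    }
    return $findings
}

# Constructed sample page; the hosts are made up for this example.
$sampleHtml = @'
<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-cdn.net/jquery.min.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://injected-host.example/landing.php" width="1" height="1" style="display:none"></iframe>
</body></html>
'@

Find-OffDomainIncludes -Html $sampleHtml -SiteHost 'www.example.com' -AllowedHosts @('cdn.example-cdn.net') |
    Format-Table -AutoSize
```

On the sample the local script and the allowed CDN pass, and the hidden 1x1 iframe to the foreign host is reported. Run it over every template and page the CMS serves, not just the home page, and compare against the last known-good copy of the site rather than trusting the live one.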

To: rarestia; dayglored; Swordmaker

Ping to your lists


2 posted on 12/07/2015 4:46:46 AM PST by rarestia (It's time to water the Tree of Liberty.)

To: rarestia

Can we “restore” our systems to an earlier date to remove the “infection”? (I’m no computer whiz.)


3 posted on 12/07/2015 4:56:51 AM PST by DaveA37

To: DaveA37

You shouldn’t rely on the capabilities of the operating system’s restore functionality. That goes for Apple’s Time Machine or Microsoft’s System Restore. These infections are becoming more sophisticated and compromising the operating system AND associated backups if they’re online with the system.

If you’re doing regular offline backups, you can recover from those, but since most people don’t do this, it’s a problem.


4 posted on 12/07/2015 4:59:58 AM PST by rarestia (It's time to water the Tree of Liberty.)

To: rarestia

I saw a laptop with 3.0 over the weekend. I didn’t have any of my stuff with me to analyze it further, but a preliminary read from the internet says they use real encryption so it will be hard to recover the files except maybe some fragments on disk.


5 posted on 12/07/2015 5:31:19 AM PST by palmer (Net "neutrality" = Obama turning the internet over to foreign enemies)

To: ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; altair; ...
An FYI Ping for those of you who may be using a Virtual Machine Windows install on your Macs about a new malware threat to those Windows installs. -- PING!


Apple Virtual Machine Security
Malware Alert
Ping!

The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.

If you want on or off the Mac Ping List, Freepmail me

6 posted on 12/07/2015 5:39:42 AM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue....)

To: rarestia; Abby4116; afraidfortherepublic; aft_lizard; AF_Blue; Alas Babylon!; amigatec; ...
Multi-stage attack to put CryptoWall ransomware on your Windows PC ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

Thanks to rarestia for the ping!!

7 posted on 12/07/2015 5:42:46 AM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: Swordmaker
> An FYI Ping for those of you who may be using a Virtual Machine Windows install on your Macs...

And don't forget those of us with Macs sporting BootCamp dual-boot Windows installations, too!

8 posted on 12/07/2015 5:45:10 AM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: palmer

It’s sad, because from a Windows perspective, it’s actually very easy to prevent this. There are numerous Crypto prevention websites out there that will update your registry. Granted, the fixes will affect functionality of installs in some cases, but the AppData folder area used in Windows is fast becoming one of those bugaboos that Microsoft will eventually need to address.


9 posted on 12/07/2015 6:08:48 AM PST by rarestia (It's time to water the Tree of Liberty.)
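For readers who want to see what the registry changes rarestia mentions look like, here is an added example, not rarestia's script and not taken from any of the "Crypto prevention" sites: PowerShell that writes Software Restriction Policy (SRP) path rules into the registry so executables cannot launch from the per-user AppData and Temp trees, with a short whitelist for programs that legitimately live there. Run it as Administrator on a test machine first. The whitelist entries are assumptions and must match the software actually in use.

```powershell
# Added example (not from the thread): SRP path rules that block executables
# dropped into AppData/Temp. Uses the policy registry layout under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers:
#   <Level>\Paths\{GUID} holding ItemData (the path) and SaferFlags (0)
# where level 0 = Disallowed and level 262144 (0x40000) = Unrestricted.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Initialize-Srp {
    if (-not (Test-Path $base)) { New-Item -Path $base -Force | Out-Null }
    # Default stays Unrestricted; only the explicit path rules below are blocked.
    New-ItemProperty -Path $base -Name DefaultLevel       -Value 262144 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $base -Name TransparentEnabled -Value 1      -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $base -Name PolicyScope        -Value 0      -PropertyType DWord -Force | Out-Null  # 0 = all users
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('Disallowed', 'Unrestricted')] [string] $Level = 'Disallowed',
        [string] $Description = ''
    )
    $levelKey = if ($Level -eq 'Disallowed') { '0' } else { '262144' }
    $guid     = [guid]::NewGuid().ToString('B').ToUpper()        # "{...}" form, as GP writes it
    $ruleKey  = Join-Path $base "$levelKey\Paths\$guid"
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData    -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags  -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description -Value $Description -PropertyType String       -Force | Out-Null
}

Initialize-Srp

# Block executables launched from the user-writable drop locations.
# %AppData% etc. are expanded per user, so one rule covers every account.
$blocked = @(
    '%AppData%\*.exe',      '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe',
    '%Temp%\*.exe',         '%Temp%\*\*.exe',
    '%Temp%\*.scr',         '%AppData%\*.scr'
)
foreach ($p in $blocked) { Add-SrpPathRule -Path $p -Level Disallowed -Description 'Block AppData/Temp executables' }

# Caveat from the thread: some legitimate software runs from AppData. Whitelist
# those explicitly; SRP lets the more specific path rule win over the wildcard.
# These two entries are assumptions; replace them with what is really installed.
$allowed = @(
    '%LocalAppData%\Google\Chrome\Application\chrome.exe',
    '%LocalAppData%\Microsoft\OneDrive\OneDrive.exe'
)
foreach ($p in $allowed) { Add-SrpPathRule -Path $p -Level Unrestricted -Description 'Known-good AppData program' }

# Review what is now in place.
Get-ChildItem "$base\0\Paths", "$base\262144\Paths" -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath | Select-Object ItemData, Description }
```

The rules apply to newly started processes after a logoff/logon or `gpupdate /force`. Note what this does and does not cover: it stops the dropped payload from launching from its usual location, which is the step that installs CryptoWall, but it does nothing about the exploit code that already runs inside the browser or plugin, so it complements patching rather than replacing it. Expect some installers that unpack to Temp to break until you add an Unrestricted rule for them.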

To: rarestia

Does it make a website use funny characters instead of apostrophes?


10 posted on 12/07/2015 6:14:29 AM PST by Sawdring

To: Sawdring

LOL, no. That’s an encoding issue in the FR code.


11 posted on 12/07/2015 6:43:23 AM PST by rarestia (It's time to water the Tree of Liberty.)

To: rarestia
> The Angler exploit kit will then scan for vulnerabilities in popular third party software and in insecure Microsoft Windows processes, if the system hasn’t been updated. Once the security holes are identified, Angler will exploit them and force-feed CryptoWall 4.0 into the victim’s system.

So it is worth repeating:
keep your system updated and always install the latest updates available for the apps you use
This is the most important principle of all; more important even than running any kind of anti-virus software.
12 posted on 12/07/2015 7:14:20 AM PST by cartan

To: rarestia

Thankfully, I deleted my windows partition last year. Forever.


13 posted on 12/07/2015 7:26:27 AM PST by aMorePerfectUnion

To: cartan

And it’s important to reiterate: you are NOT SAFE ON XP! This is one of the many reasons to stop using XP.


14 posted on 12/07/2015 8:03:32 AM PST by rarestia (It's time to water the Tree of Liberty.)

To: DaveA37

Yes, my company fought multiple attacks by CryptoWall by restoring snapshots to network shares. Of course not everyone has that capability.


15 posted on 12/07/2015 11:36:15 AM PST by miliantnutcase

To: cartan
> keep your system updated and always install the latest updates available for the apps you use
>
> This is the most important principle of all; more important even than running any kind of anti-virus software.

While true, almost, but not quite... The primary operating principle here is to always get the data off the machine and out of the loop. It may be a PIA to reload the box, but it is doable - Data loss is forever.

Just ran into cryptowall with a client - Took her out. I have two automated chains of backup on her LAN... Didn't matter - by the time she realized her infection, both automated backups had run...

I also had a persistent reminder installed in her laptop (the machine she uses the most) to pester her to back up to a USB drive once a week - If she doesn't do it, my reminder will nag the crap out of her till she does. This really wasn't a real part of my backup design... She travels a lot, and her laptop is often away from the LAN, so this was more of a plan to make sure she backed up her critical data while she was away from home. It turned out to be that semi-manual backup that saved the day.

We were able to save her data from that USB drive, and her music and movies from the machine that runs her guest bedroom TV, which had not been running during the infection period... Her calendar, contacts, and mails were easy enough, sync'd to the web and her various devices...

In this time of massive data, it is really, really easy for IT tech to overlook the primary golden rule - get the data backed up off the system. OFF the system.

16 posted on 12/07/2015 2:01:14 PM PST by roamer_1 (Globalism is just Socialism in a business suit.)

To: roamer_1

Ouch! Good one. Do you have any idea how she got infected?


17 posted on 12/08/2015 2:50:46 AM PST by cartan

To: cartan
> Ouch! Good one. Do you have any idea how she got infected?

No, not really - I believe she caught it on her laptop, probably while she was in California, in the two days after her last USB backup - She lost the data for those two days, and everything thereafter... When she got home, her laptop knew it was home and ran its automated backup, and sync'd to her desktop - I know the infection was present then because my client commented that the backup seemed to be shipping more data than normal - Evidently because the infection encryption changed the file date - and that overwrote everything local with her infected data (or maybe the other way around).

Another thing pointing to the laptop is that she lost corp access in California the last day she worked there - It wasn't resolved, because she was leaving too soon to resolve it, but the big iron refused her.

Never did get a notice out of Crypto - I suspect the bug was malformed and caused the malfunction that took the laptop out... But the infection was live in every machine that had been running on her local LAN, and the box on the living-room TV crapped out too, by the time I got out there... Whether and where were not my concern, but for everything to be carrying the bug means it traveled locally on the LAN shares.

It was really more luck than sense that I could restore her data - and this experience rattled me pretty badly - My long-standing theory on backup has been challenged by it, and found to be left wanting. How to better formulate backups to protect against this in the future has been on my mind for the past few weeks, and I still don't have a solution that gives me confidence.

And even after I find a better solution, implementation will be a nightmare. I serve SOHO and Residential... Not at all like a corporate environment where I have immediate control and distribution....

All of that is what prompted my message to you. : )

18 posted on 12/08/2015 12:22:26 PM PST by roamer_1 (Globalism is just Socialism in a business suit.)
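roamer_1's account in the two posts above shows the failure mode exactly: the scheduled copy job ran after the infection and replaced good files with encrypted ones, and the only survivor was the USB copy that happened to be unplugged. The PowerShell below is an added example, not roamer_1's setup, of a guard a scheduled backup can run before it copies anything. It compares the source tree with a manifest saved by the previous run and refuses to proceed if a planted canary file changed or if more than a set fraction of files changed or vanished (an encryptor that also renames files shows up as mass "missing"), and it writes every run into a fresh dated folder so that even a wrong verdict cannot overwrite the last good set. The paths, the 20% threshold and the canary file name are assumptions.

```powershell
# Added example (not roamer_1's script): refuse to back up when the source
# tree looks mass-encrypted, and never overwrite the previous backup set.

function Get-TreeManifest {
    param([Parameter(Mandatory)][string] $Root)
    # Relative path -> "size|lastwrite ticks" for every file under $Root.
    $Root = (Resolve-Path -LiteralPath $Root).Path
    $m = @{}
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $rel = $_.FullName.Substring($Root.TrimEnd('\').Length + 1)
        $m[$rel] = '{0}|{1}' -f $_.Length, $_.LastWriteTimeUtc.Ticks
    }
    return $m
}

function Test-BackupSafe {
    param(
        [Parameter(Mandatory)][hashtable] $Previous,
        [Parameter(Mandatory)][hashtable] $Current,
        [double]   $MaxChangedFraction = 0.20,        # assumed threshold: abort above 20 % churn
        [string[]] $CanaryNames = @()
    )
    if ($Previous.Count -eq 0) { return @{ Safe = $true; Reason = 'no previous manifest (first run)' } }

    # Canary files are planted and never edited; any change or disappearance is decisive.
    foreach ($c in $CanaryNames) {
        foreach ($h in @($Previous.Keys | Where-Object { (Split-Path $_ -Leaf) -eq $c })) {
            if (-not $Current.ContainsKey($h) -or $Current[$h] -ne $Previous[$h]) {
                return @{ Safe = $false; Reason = "canary '$h' modified or missing" }
            }
        }
    }

    # Churn: files whose size/mtime changed plus files that are simply gone (renamed by the encryptor).
    $changed = 0; $missing = 0
    foreach ($k in $Previous.Keys) {
        if (-not $Current.ContainsKey($k))      { $missing++ }
        elseif ($Current[$k] -ne $Previous[$k]) { $changed++ }
    }
    $fraction = ($changed + $missing) / [double]$Previous.Count
    if ($fraction -gt $MaxChangedFraction) {
        return @{ Safe = $false; Reason = ('{0} changed, {1} missing of {2} ({3:P0} churn)' -f $changed, $missing, $Previous.Count, $fraction) }
    }
    return @{ Safe = $true; Reason = ('{0:P0} churn, canaries intact' -f $fraction) }
}

function Invoke-GuardedBackup {
    param(
        [Parameter(Mandatory)][string] $Source,
        [Parameter(Mandatory)][string] $BackupRoot,
        [double]   $MaxChangedFraction = 0.20,
        [string[]] $CanaryNames = @('_canary_do_not_edit.txt')   # assumed name of the planted file
    )
    $manifestFile = Join-Path $BackupRoot 'last-manifest.json'
    $previous = @{}
    if (Test-Path -LiteralPath $manifestFile) {
        (Get-Content -LiteralPath $manifestFile -Raw | ConvertFrom-Json).PSObject.Properties |
            ForEach-Object { $previous[$_.Name] = $_.Value }
    }
    $current = Get-TreeManifest -Root $Source
    $verdict = Test-BackupSafe -Previous $previous -Current $current -MaxChangedFraction $MaxChangedFraction -CanaryNames $CanaryNames
    if (-not $verdict.Safe) {
        # Leave every existing set untouched and make a human look at the machine.
        Write-Warning "Backup aborted: $($verdict.Reason). Check $Source for ransomware before retrying."
        return $false
    }

    # A fresh dated folder per run: robocopy /MIR into an empty target never clobbers an older set.
    $dest = Join-Path $BackupRoot ('set-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    robocopy $Source $dest /MIR /R:1 /W:1 /NFL /NDL /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported failures (exit $LASTEXITCODE)"; return $false }

    $current | ConvertTo-Json -Compress | Set-Content -LiteralPath $manifestFile
    Write-Host "Backup written to $dest ($($verdict.Reason))"
    return $true
}

# Typical scheduled-task invocation; both paths are assumptions.
# Invoke-GuardedBackup -Source 'C:\Users\Alice\Documents' -BackupRoot 'E:\Backups'
```

This lowers the odds that the automated, always-connected copy destroys the good data, which is the thing that went wrong in the story above; it does not replace the offline USB copy, because anything the infected machine can reach it can encrypt, manifest and backup sets included. Prune old sets by count from the NAS side or from a separate account, never from the job itself, so a compromised workstation cannot delete them, and keep the manifest and the sets on a share the user's account can only write to, not delete from.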

To: roamer_1

Wow, that sounds bad. Nasty worm. Thanks for the explanation!


19 posted on 12/08/2015 1:21:08 PM PST by cartan

