Posted on 12/25/2013 6:51:56 PM PST by Nachum
A virulent form of ransomware has now infected about quarter of a million Windows computers, according to a report by security researchers. Cryptolocker scrambles users' data and then demands a fee to unencrypt it alongside a countdown clock. Dell Secureworks said that the US and UK had been worst affected. It added that the cyber-criminals responsible were now targeting home internet users after initially focusing on professionals. The firm has provided a list of net domains that it suspects have been used to spread the code, but warned that more are being generated every day. Ransomware has existed since at least 1989,
(Excerpt) Read more at bbc.co.uk ...
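The excerpt mentions a published list of suspected distribution domains and warns that new ones are generated daily. As an added example (not from the article or any poster), this Python triage script runs over constructed DNS query log lines and flags a query either because the name is on a (placeholder) suspected-domain list or because its second-level label is long and high-entropy, the shape algorithmically generated names tend to have. The log format, the blocklist contents and the threshold values are all assumptions.

```python
import math
import re
# Constructed placeholder standing in for a published suspected-domain list.
SUSPECTED_DOMAINS = {"malicious-placeholder.example"}
# Constructed log format: "<timestamp> <client> query <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of one DNS label."""
    if not label:
        return 0.0
    n = len(label)
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_generated(qname: str, min_len: int = 12, min_entropy: float = 3.5) -> bool:
    """Heuristic: a long, high-entropy second-level label resembles an algorithmically generated name.
    Public-suffix handling is omitted, so 'www.bbc.co.uk' is judged on the label 'co'."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    return len(sld) >= min_len and shannon_entropy(sld) >= min_entropy

def triage(log_lines):
    """Return (client, qname, reason) for each query worth a closer look."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")
        if qname in SUSPECTED_DOMAINS:
            hits.append((m["client"], qname, "on suspected-domain list"))
        elif looks_generated(qname):
            hits.append((m["client"], qname, "DGA-like label"))
    return hits

# Constructed sample DNS log lines, not captured traffic.
SAMPLE_LOG = [
    "2013-12-25T18:51:56Z 10.0.0.12 query www.bbc.co.uk",
    "2013-12-25T18:52:01Z 10.0.0.12 query malicious-placeholder.example",
    "2013-12-25T18:52:05Z 10.0.0.17 query qkzjwxvtrapmgbhy.com",
    "2013-12-25T18:52:09Z 10.0.0.17 query secureworks.com",
]
if __name__ == "__main__":
    for client, qname, reason in triage(SAMPLE_LOG):
        print(f"{client} -> {qname}: {reason}")
```

The entropy test is a coarse heuristic that will miss dictionary-word generators and flag some legitimate CDN hostnames, so its hits are leads for review rather than block decisions.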
“Have you attempted a reflash of the bios?”
Not yet. I want to take my time to do it right as a step by step experiment. I have ten of these computers to repair, including a netbook, laptops, and desktops.
There was a time when "the code breakers" worked for the American people - they were respected and revered. Today their NSA offspring could be the people behind this scam... If they'll spy on us illegally, what would stop them from stealing from us?
Please keep me updated of your progress with this. We haven't run across any ransomware infected PCs yet at my work and there are 1,800 Windows machines in our environment. We've either been very fortunate thus far or something in either IronPort or our group policy is preventing it.
I have reason to believe we are being specifically targeted. The crackers even went so far as to telephone from overseas (Pakistan or India to judge by the accents and telephone quality) another of our locations in another state where the client computer was being used at the time. They had obviously harvested some information off of the client, but not the secure SSL information. That was why they telephoned and posed as a Microsoft security contractor to request permission to "repair" the malware with a remote session (LOL). They no doubt needed to use some social engineering to gain access to the accounts secured by the SSL encryption.
There have been a number of other incidents which appear to indicate participation in various political fora such as FR has attracted a variety of attacks over the years.
A denial of service attack against multiple e-mail accounts occurred about ten years ago. The ISP e-mail server for the affected e-mail accounts was being bombarded with more than a thousand e-mail messages per second. They attacked a cellphone by posting a fake classified advertisement selling puppies in an out of state newspaper, and they used my cellphone number as the contact. It's still a mystery how they got the cellphone number, because it was never entered anywhere on the computer, but they did associate it with the address for the temporary location of the computer. It was amazing how many people called in response to the advertisement and wanted to buy the non-existent puppies.
I would be quite curious to find out exactly what method was used to initiate the attack. Windows executables can NOT run on Linux or Apple machines. It does not matter if you rename them or not, with either a ".txt" extension or any other, or even with no extension at all as in Linux. The calls to the underlying OS are to dissimilar areas in the fundamental instructions necessary to run the computer.
The only way I can see that a successful or even partially successful attack could be launched is by the usage of some manner of common second-party program calls, such as java, javascript, or flash files. At the very least, any computer that is allowed to run such files should be entirely separate from more critical machines, since the vulnerabilities in those types of files are well-established.
If it is in the boot sector of the drive, I would set up the optical drive to be the first in the bootup sequence if it is not already, then boot from a live disk with rescue tools (I use System Rescue CD) and look at the system that way. GnuParted (gparted) can examine the hard drive and give you a graphical display of its usage. I have not run into that particular problem you describe, but on one or two refurbished drives that I was repartitioning to run Linux on, I did notice a partition that was labeled "unused" or "unknown". Been a while, so not certain which one exactly. Used GnuParted to delete all partitions, then reformatted the drive as all hpfs, then again as ext2, then deleted all partitions entirely and booted from a prestamped 'doze install cd and had it do a hard format and clean install. THEN repartitioned again, installed Linux, and immediately created image files using Partimage from the SRCD. Worked quite well.
If you cannot get into the BIOS for some reason, disconnect all drives except the optical disc, and that way the system has no choice but to boot from it. Optionally, you can boot from a USB device instead and take it from there; simply remember to reformat the hard drive from an external USB case first before reinstalling it in the machine.
If worst comes to worst and the BIOS chip itself is corrupted (hard to imagine, actually, considering how difficult it is to reprogram the things to begin with), there are companies available that will sell you a replacement chip for situations such as this.
I'll look into it, but if you keep your system reasonably up to date, I don't really see it as much of a threat. You have to purposefully make a file executable before you run it, (with Linux at least). I strongly suspect that most people who run Linux will be somewhat less susceptible to just randomly running software than your average Windows user.
You can't install software into system directories without root. I have a few programs that I've installed as a regular user to subdirectories of $HOME. They are mostly java thinglets, but not always.
True but the script would need to know the directory name under $HOME to do the install.
What type of data do you guys deal with? Anything important enough that cyber cells would repeatedly go after you guys?
In Linux, it does not matter if you make the file "executable" or not. The underlying instructions will go nowhere because the underlying hardware calls and system instructions are not the same or even if similarly functioned, are not processed the same way by the basic subsystems.
You can make a text file that has nothing in it but the words:
"Printtoscreen: THIS MACHINE BELONGS TO pMSNBC ctrlA&endline
EndPrinttoscreen" and make it an executable.
Nothing is going to happen. The correct machine codes are simply not there.
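Several posts above argue that renaming a file or flipping its execute bit does not change what it actually is, because the loader keys on the file's header rather than its name. As an added example (not any poster's code), this Python script audits a directory for files carrying an execute bit and reports each one's real format from its leading bytes (the PE 'MZ' stub, the ELF magic, or a shebang line). The demo files and their contents are constructed and contain no working binaries.

```python
import os
import stat
import tempfile

def classify(head: bytes) -> str:
    """Name a file's executable format from its leading bytes, ignoring the file name."""
    if head[:2] == b"MZ":
        return "pe"       # Windows PE image: starts with the DOS 'MZ' stub
    if head[:4] == b"\x7fELF":
        return "elf"      # native Linux binary
    if head[:2] == b"#!":
        return "script"   # handed to the interpreter named on the shebang line
    return "other"        # plain text or data: no loader will accept it

def audit_executables(root: str):
    """List every regular file under root that has an execute bit, with its real format."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                continue
            with open(path, "rb") as fh:
                head = fh.read(4)
            report.append((os.path.relpath(path, root), classify(head)))
    return sorted(report)

# Constructed demo files whose names contradict their contents (no real binaries).
DEMO_FILES = {
    "notes.txt": b"MZ\x90\x00 constructed PE stub",
    "tool": b"\x7fELF constructed ELF header",
    "run.sh": b"#!/bin/sh\necho constructed\n",
    "banner.exe": b"Printtoscreen: THIS MACHINE BELONGS TO nobody\n",
}

def demo():
    """Build the demo tree in a temp dir, mark everything executable, and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in DEMO_FILES.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, 0o755)
        return audit_executables(root)

if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{rel}: {kind}")
```

Run against a real home directory, the same audit lists what a user has quietly made executable under $HOME, which is the inventory the earlier posts about user-level installs were asking for.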
“What type of data do you guys deal with? Anything important enough that cyber cells would repeatedly go after you guys?”
I hardly think so, at least from our point of view and not theirs. There is no accounting for the irrational hatred and viciousness of the people who perpetrate these crimes.
All it takes to attract their criminal attention is the defense of the Republic, opposition to totalitarianism, and opposition to the Global Warming aka Climate Change hoax. Some of the pre-Internet and post-Internet attacks seemed to scale up in frequency during some SOURCE, Compuserve, USENET, and blogging posts.
You are assuming the Cryptolocker variant attacking a Linux system was not crafted specifically to be native on a Linux kernel. Cryptolocker malware targeting the Linux kernel would of course be crafted to operate in the Linux environment. Malware access to Linux might be gained with an as yet undefended privilege escalation to root vulnerability for one hypothetical example. Once the malware has gained root access, the malware can introduce the rest of the software needed to implement a Cryptolocker function or other ransomware. Fortunately, it is normally substantially more difficult to compromise the security of a Linux system.
Indeed I am. Despite Linux taking over more and more desktops as time goes by, the fact of the matter is that most people just settle for the 'default' OS and never bother to look beyond that and see what else might be possible. So, with very few exceptions the majority of malware is designed to exploit a 'doze system, and if that also happens to work through a java, javascript, flash file, or a ".net" extension which is also runnable in a Linux environment, well then all the better for the exploiter. That does not mean it has been deliberately crafted to run on Linux, however.
Cryptolocker malware targeting the Linux kernel would of course be crafted to operate in the Linux environment.
True, but realistically how many coders would deliberately concoct a Linux-only piece of software when Linux is so inherently difficult to crack? The 'doze cracks are much easier and affect more systems for the effort.
Malware access to Linux might be gained with an as yet undefended privilege escalation to root vulnerability for one hypothetical example.
I suppose that is possible, but then again, how often do you think a general user with no admin privileges is going to gain access to the root account and system files? Not only is it incredibly difficult to accomplish, there is an entire world of Linux coders that would quickly track down the vulnerability and publicly issue a patch that would very quickly be added to the Critical security repos along with a public notification in all available media concerning it. After all, the 'nix coders are the ones who historically have discovered faults to begin with, along with developing fixes for them, which MS has been quite reluctant about, or in some cases outright ignoring the problems discovered or pointing to the patches. If it was that simple then simple users would have been passing along patches to hack into admin privileges and system files long ago.