October in Review

October 28, 2013 | by Fred Touchette | Adobe, AppRiver, blackhole, CryptoLocker, Digital Degenerate, Month in Review, SecureSurf, securetide, Silk Road, TOR


What we saw in October


Certainly some of the biggest news from the past month has been the growing buzz around one of this year's most concerning pieces of malware, CryptoLocker. If you haven't heard yet, CryptoLocker belongs to the class of malware known as ransomware. Once it infects a machine, it contacts its command and control (C&C) server and receives a 2048-bit RSA public key generated for that victim; the matching private key never leaves the attackers' server. It then encrypts every file with certain extensions using a 256-bit AES key (AES is the symmetric cipher that does the bulk encryption) and encrypts that AES key with the RSA public key (the asymmetric half), so the files can only be recovered by whoever holds the private key. The public key is kept in a registry entry on the infected machine. After all of the encryption takes place, the malware presents the newly infected user with a pop-up demanding a ransom for the now unreadable files, roughly US$300. The victim is also given a time limit in which to pay, which seems to vary slightly depending on certain factors but is right around 100 hours. If the victim submits incorrect payment information within that time, the time to pay is cut in half; if they do not pay at all, the malware uninstalls itself and takes with it the registry entry that holds the public RSA key, leaving all files encrypted and unusable. There are many reports of people paying up, receiving the necessary private key and successfully decrypting their files, but because the malware uses a domain generation algorithm (DGA) to locate and communicate with its C&C server, actually receiving that key can take a very long time, days in fact.
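To make the key handling concrete, here is an added example in Go of the envelope-encryption scheme described above; it is not code from the original post and not CryptoLocker's own code. A fresh random AES-256 key encrypts each file's contents, and the 2048-bit RSA public key that the operator sends wraps that AES key. AES-GCM and RSA-OAEP are this example's choices of mode and padding; the post does not say which ones CryptoLocker used. The function names, the LockedFile structure and the sample file contents are constructed for illustration. What it demonstrates is the point that matters for victims: with the operator's private key the file comes back, and with any other key, including one the victim generates locally, it does not.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// LockedFile is what is left on the victim's disk after encryption: the AES
// ciphertext plus the per-file AES key wrapped under the operator's RSA public key.
// (Constructed layout for this example; not CryptoLocker's on-disk format.)
type LockedFile struct {
	WrappedKey []byte // 256-bit AES key, RSA-OAEP encrypted with the operator's public key
	Nonce      []byte // AES-GCM nonce; GCM is this example's choice of mode
	Ciphertext []byte // the file contents, encrypted under the AES key
}

// GenerateOperatorKey stands in for the key pair the C&C server creates per victim.
// Only the public half is ever sent to the infected machine.
func GenerateOperatorKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// Lock encrypts one file: a fresh random AES-256 key encrypts the data, and the
// RSA public key received from the C&C encrypts that AES key. Nothing here needs
// the private key, which is why the malware can run with only a public key.
func Lock(pub *rsa.PublicKey, plaintext []byte) (*LockedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// The plaintext AES key goes out of scope here; only the wrapped copy survives.
	return &LockedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Unlock reverses Lock. It needs the RSA private key to recover the AES key;
// without it, the wrapped key is just 256 bytes of RSA ciphertext.
func Unlock(priv *rsa.PrivateKey, lf *LockedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lf.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, lf.Nonce, lf.Ciphertext, nil)
}

func main() {
	operator := GenerateOperatorKey()
	doc := []byte("Q3 invoices: constructed sample file contents")

	locked, err := Lock(&operator.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted %d bytes; wrapped key is %d bytes\n", len(locked.Ciphertext), len(locked.WrappedKey))

	// The operator, holding the private key, can recover the file ...
	if got, err := Unlock(operator, locked); err == nil {
		fmt.Printf("with the operator private key: %q\n", got)
	}
	// ... but a different RSA key pair, even of the same size, cannot.
	if _, err := Unlock(GenerateOperatorKey(), locked); err != nil {
		fmt.Println("with any other private key:", err)
	}
}
```

The asymmetry is the whole business model: the public key stored in the registry is sufficient to encrypt every file but cannot decrypt a single one, so removing the malware, or even recovering that registry entry, does nothing for the files. Only the private key on the attackers' server, or a backup taken before infection, gets the data back.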

Most recently CryptoLocker has been paired with the Zeus Trojan, a malware family that excels at stealing banking credentials. First a downloader exploits a vulnerability on the victim's machine and fetches Zeus once it has a foothold; Zeus then downloads CryptoLocker, an elegant yet dangerous one-two punch. CryptoLocker goes to work on the files, and if the victim tries to pay online, Zeus is there to steal their credentials.

While paying the ransom has worked for some, it is an ill-advised route to take, especially now that Zeus is involved. The only way to make sure you or your organization is not affected by CryptoLocker is to keep proper backups. Removing CryptoLocker is trivial; removing the encryption is not. The ability to simply revert to a healthy backup is the key to winning this particular battle. One caveat: CryptoLocker also encrypts files on mapped network drives, so a backup that the infected machine can write to is not a backup. Keep copies offline, or on storage the workstation cannot reach, and verify that a restore actually works before you need it.

Here are some of the other highlights from the month of October:

Ross Ulbricht, the owner and creator of The Silk Road, an online drug and contraband marketplace reachable only over the TOR network, was arrested early in October along with several of the site's big-time vendors. Officials were able to locate and seize the site and the servers that hosted it, which gave them access to the private messages exchanged between the site, its vendors and its customers, exposing the very people the "anonymous" network was supposed to protect.

At the beginning of October Adobe announced that it had suffered a major breach in which criminals accessed customer data, including logins, encrypted passwords and credit card information, along with around 40GB of Adobe source code. Access to the source could make it easier for the thieves to find and weaponize zero-day vulnerabilities in Adobe products, although this has yet to be proven or disproven.

The creator of the Blackhole exploit kit was arrested this month. Blackhole has been the most prevalent of all the toolkits used by internet crime rings since early 2012, and the majority of the large malware bursts we saw in that time linked back to it. Almost immediately after the arrest of its author and his partners, criminal operators dropped Blackhole and migrated quickly to a newer exploit kit known as Magnitude.

A look at metrics:

In the past 30 days we quarantined 56.6 million emails carrying a virus as an attachment. This count rose for the fourth consecutive month and is the highest monthly total we have seen since March of this year.
