NSA Monitors Google, Yahoo, Microsoft's Data Centers

The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world, according to documents obtained from former NSA contractor Edward Snowden and interviews with knowledgeable officials.

By tapping those links, the agency has positioned itself to collect at will from hundreds of millions of user accounts, many of them belonging to Americans. The NSA does not keep everything it collects, but it keeps a lot.

According to a top-secret accounting dated Jan. 9, 2013, the NSA’s acquisitions directorate sends millions of records every day from internal Yahoo and Google networks to data warehouses at the agency’s headquarters at Fort Meade, Md. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records — including “metadata,” which would indicate who sent or received e-mails and when, as well as content such as text, audio and video.

The NSA’s principal tool to exploit the data links is a project called MUSCULAR, operated jointly with the agency’s British counterpart, the Government Communications Headquarters (GCHQ). From undisclosed interception points, the NSA and the GCHQ are copying entire data flows across fiber-optic cables that carry information among the data centers of the Silicon Valley giants.

The infiltration is especially striking because the NSA, under a separate program known as PRISM, has front-door access to Google and Yahoo user accounts through a court-approved process.

The MUSCULAR project appears to be an unusually aggressive use of NSA tradecraft against flagship American companies. The agency is built for high-tech spying, with a wide range of digital tools, but it has not been known to use them routinely against U.S. companies.

In a statement, the NSA said it is “focused on discovering and developing intelligence about valid foreign intelligence targets only.”

“NSA applies Attorney General-approved processes to protect the privacy of U.S. persons — minimizing the likelihood of their information in our targeting, collection, processing, exploitation, retention, and dissemination,” it said.

In a statement, Google’s chief legal officer, David Drummond, said the company has “long been concerned about the possibility of this kind of snooping” and has not provided the government with access to its systems.

“We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform,” he said.

A Yahoo spokeswoman said, “We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency.”

Under PRISM, the NSA gathers huge volumes of online communications records by legally compelling U.S. technology companies, including Yahoo and Google, to turn over any data that match court-approved search terms. That program, which was first disclosed by The Washington Post and the Guardian newspaper in Britain, is authorized under Section 702 of the FISA Amendments Act and overseen by the Foreign Intelligence Surveillance Court (FISC).

Mac OS X Mavericks REVIEW

Everyone running a Mac has probably seen the free upgrade by now. Take a look at the review posted on The Verge.

Experian Sold Consumer Credit Information to ID Theft Service

The information below was gathered and researched by KrebsOnSecurity.

An identity theft service that sold Social Security and driver's license numbers — as well as bank account and credit card data on millions of Americans — purchased much of its data from Experian, one of the three major credit bureaus, according to a lengthy investigation by KrebsOnSecurity.

In November 2011, this publication ran a story about an underground service called Superget.info, a fraudster-friendly site that marketed the ability to look up full Social Security numbers, birthdays, driver's license records and financial information on millions of Americans. Registration was free, and accounts were funded via WebMoney and other virtual currencies that are popular in the cybercriminal underground.

Each SSN search on Superget.info returned consumer records that were marked with a set of varying and mysterious two- and three-letter “sourceid:” identifiers, including “TH,” “MV,” and “NCO,” among others. I asked readers who may have a clue about the meaning or source of those abbreviations to contact me. In the weeks following that post, I heard from many readers who had guesses and ideas, but none who seemed to have conclusive information.

That changed in the past week. An individual who read a story about the operators of a similar ID theft service online having broken into the networks of LexisNexis and other major data brokers wrote to say that he’d gone back and reviewed my previous stories on this topic, and that he’d identified the source of the data being resold by Superget.info. The reader said the abbreviations matched data sets produced by Columbus, Ohio-based USInfoSearch.com.

Contacted about the reader’s claim, US Info Search CEO Marc Martin said the data sold by the ID theft service was not obtained directly through his company, but rather via Court Ventures, a third-party company with which US Info Search had previously struck an information sharing agreement. Martin said that several years ago US Info Search and Court Ventures each agreed to grant the other company complete access to its stores of information on US consumers.

Founded in 2001, Court Ventures described itself as a firm that “aggregates, repackages and distributes public record data, obtained from over 1,400 state and county sources.” Cached, historic copies of courtventures.com are available through archive.org.


Apple is misleading people on iMessage security

A security researcher has suggested that Apple's claim that its iMessage app is spook-proof and secure is "just basically lies".

Cyril Cattiaux, who works at the research firm QuarksLab, made his claims during a speech to the Hack in the Box conference, which were quoted by PC World – the tech news site, rather than the British retailer.

In a detailed blog post, Cattiaux said that the public key cryptography used by Apple in its iMessages made them vulnerable to snooping.

He said: "The weakness is in the key infrastructure, as it is controlled by Apple. They can change a key any time they want, thus read the content of our iMessages."

However, there is no suggestion that Apple wilfully misled its customers and it has not been accused of actually reading fanbois' iMessages.

In June, Apple released the following statement which discussed the security of iMessage:

Conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data.

Apple's iMessage is a text-messaging service which allows users to send free messages over Wi-Fi.

Microsoft Remote Desktop for Tablets RELEASED

Many of our clients use Remote Desktop in some form. There are several third-party iOS and Android applications for this purpose, but the client released by Microsoft is second to none, and it is FREE! With it, the majority of our clients can reach their stationary desktop or laptop when it is combined with the compatible VPN client software. Our custom VPN implementations also come with FREE client software for both iOS and Android.

iOS: https://itunes.apple.com/us/app/microsoft-remote-desktop/id714464092

Android: https://play.google.com/store/apps/details?id=com.microsoft.rdc.android

On the iPhone and Android phone versions it's a little tricky to navigate a desktop on such a small screen. The iOS and Android versions also support iPads and Android tablets, and controlling a PC from a tablet is a lot more useful. Microsoft has built in options to scroll around a machine at its native resolution, as well as an onscreen keyboard with buttons to trigger function, shift, ctrl, alt, esc, tab, and even the Windows key.

While these apps are mainly designed for business users who want to quickly remote back to their PC, they'll come in useful for enthusiasts who want to access Windows PCs natively on the go.

CryptoLocker Ransomware

While this business was not a client or managed customer, we received a call from them for malware removal.

The Facts:

  • Windows XP Professional.
  • The machine was infected with several known backdoor infections, not just CryptoLocker.
  • CryptoLocker alerted the user via a popup that their files were encrypted and that to decrypt them they must send 2 bitcoins or $300 via MoneyPak.
  • 28,000 files encrypted/useless.


We discovered that, sure enough, their documents and pictures were encrypted. We then went to their backup and found that this too was encrypted. Any mapped share to which the infected machine had write access was also encrypted; it did not, however, encrypt network shares that were accessible but not mapped. We immediately began researching the software.

In this case (the worst case) the decision was made to gamble on making payment: after discovering that the backup was also bad, there was nothing more to lose. Once payment was made the software took a few hours and then started decrypting all the files it had originally encrypted.

Obviously many measures have since been taken to guard against this sort of "ransomware" incident, including the most basic, a working backup. At this time Malwarebytes claims to catch this; however, with the machine being infected with other known viruses, we conclude CryptoLocker was delivered via a backdoor trojan or RAT. Most AV software would likely have alerted on the prior infections.


Basic proactive advice to anyone else who encounters this software:

  1. Consider becoming a managed client!!
  2. A working backup, both offsite and onsite, with rotation. Not just a simple file-based backup: the backup location should not be mounted on any one system, and it should contain EVERYTHING, not just user locations. Use an encrypted IMAGE backup.
  3. Stop running Windows XP; it goes out of support in April 2014 anyway. In this case, had it been a Windows 7+ machine, we would likely have been able to "restore previous version" of the encrypted files and avoid paying them.
  4. Always run more than a single anti-virus/antimalware product. No single solution catches everything.
  5. UPDATE UPDATE UPDATE. This includes third-party software along with Microsoft updates.
  6. Consistently educate and remind users of best practice for web and e-mail usage.
  7. Enable SHOW file extensions for ALL files. The more people see the extensions of their own files, such as PDF or DOCX, the more likely they are to question an e-mail attachment purporting to be a document but carrying a ZIP or EXE extension.
  8. And finally, again: consider becoming a managed client!!

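As an added example (not from the original post), the following Python implements the check behind item 7 at the mail gateway rather than relying on the user to notice: it classifies attachment names, blocks executables and document-looking names that end in an executable extension (including the padded "Invoice.PDF   .exe" trick), and looks inside an archive when the gateway can list its members. The extension lists and the `classify_attachment` function are this example's own assumptions, not anything the post describes.

```python
# Added example: gateway-side attachment triage for the double-extension trick
# described in item 7 above. Extension lists are this example's assumptions.

EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "jar", "cpl"}
ARCHIVE_EXTS = {"zip", "rar", "7z"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}


def _extensions(filename):
    """Lower-cased extension parts of a filename, with whitespace padding removed.
    'Invoice.PDF      .exe' -> ['pdf', 'exe'], so the real last extension is visible."""
    parts = [p.strip() for p in filename.strip().lower().split(".")]
    return parts[1:] if len(parts) > 1 else []


def classify_attachment(filename, archive_members=None):
    """Return (verdict, reason) where verdict is 'block', 'review' or 'allow'.

    archive_members: names of the files inside a ZIP/RAR/7z when the gateway can
    list them; each member is classified with the same rules."""
    exts = _extensions(filename)
    if not exts:
        return "review", "no file extension"
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        # The case item 7 warns about: looks like a document, runs as a program.
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            return "block", f"document-looking name ending in executable .{last}"
        return "block", f"executable attachment .{last}"
    if last in ARCHIVE_EXTS:
        for member in archive_members or []:
            verdict, reason = classify_attachment(member)
            if verdict == "block":
                return "block", f"archive member {member!r}: {reason}"
        return "review", f"archive .{last} (no executable member seen)"
    if last in DOCUMENT_EXTS:
        return "allow", f"document .{last}"
    return "review", f"unrecognised extension .{last}"


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real message.
    samples = [
        ("report.docx", None),
        ("Invoice.pdf.exe", None),
        ("Invoice.PDF      .exe", None),
        ("photos.zip", ["IMG_001.jpg", "view.jpg.scr"]),
        ("README", None),
    ]
    for name, members in samples:
        print(f"{name!r:28} -> {classify_attachment(name, members)}")
```

A user who sees extensions will catch "Invoice.pdf.exe" some of the time; the gateway catches it every time, and also catches the same name hidden inside a ZIP, which the advice above notes is how these arrive.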
Up-to-date information:

http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/page-26#entry3165383

http://www.geek.com/apps/disk-encryptiing-cryptolocker-malware-demands-300-to-decrypt-your-files-1570402/

We have posted some specific information below (the malware's registry key, exported in .reg format) to possibly aid in the takedown of this software. The "PrivateKey" value does not appear in the registry until payment is made.

[HKEY_CURRENT_USER\Software\CryptoLocker]
"VersionInfo"=hex:2a,30,9c,81,c3,37,d2,d3,b4,3a,ce,d3,f4,5e,f6,f8,c7,56,f1,f4,\
  c1,51,ff,f6,dc,4b,ed,af,c0,56,e8,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,b0,96,5a,d9,fb,98,02,\
  ab,c5,c1,77,ec,b9,ed,7d,cd,d4,d7,4a,ee,eb,ed,50,df,b6,f6,70,db,c5,c8,06,cf,\
  d7,cc,33,d1,81,c1,33,f2,81,cb,33,e5,81,fe,33,fd,81,c5,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,aa,81,9e,33,a4,81,98,\
  33,ad,81,96,33,ad,81,9c,33,a4,81,98,33,aa,81,9a,33,a5,81,9a,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,9d,33,ac,81,9e,33,bc,81,fb,33,cf,81,ea,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,9d,0b,ff,b4,ca,00,f9,b5,9e,07,fa,b0,cc,52,\
  a5,e0,9f,00,fa,b2,cb,51,a4,b9,99,04,fd,e4,9d,05,f9,b8,c8,0b,f9,b6,9d,51,fa,\
  b0,ae,33,9c,81
"PublicKey"=hex:06,02,00,00,00,a4,00,00,52,53,41,31,00,08,00,00,01,00,01,00,6b,\
  4e,b3,ff,72,08,32,03,84,35,7c,84,5b,89,1a,35,87,37,6a,ba,5f,af,0a,f3,2b,be,\
  35,85,41,70,c8,f9,36,ff,19,3d,81,1f,e9,37,dd,d2,2c,47,b9,53,4f,01,34,51,fb,\
  a9,d1,5b,fd,88,59,c2,ee,d6,e2,c4,e0,8e,1f,ca,85,6a,4b,cb,b9,e7,d9,79,32,f7,\
  52,7f,13,03,54,3e,0b,c2,c5,7b,23,36,a1,c1,db,d9,06,f1,fc,20,71,ab,d0,13,3a,\
  b5,53,f4,f9,cf,8e,a8,38,23,d3,f4,54,1e,7e,b4,a6,38,16,75,1a,e9,ea,cf,6c,83,\
  6e,ce,f0,61,88,12,cc,50,3e,a8,a5,0e,c2,4d,45,29,a4,81,6d,1f,81,66,69,48,df,\
  af,2f,08,2b,8a,30,5c,87,9e,63,ca,56,d6,c6,f6,8a,6c,66,ec,29,2a,96,57,08,00,\
  56,a6,12,ee,fe,39,37,ee,92,ac,c9,ab,b2,21,9c,57,90,7a,d4,84,a9,7d,b3,24,d3,\
  20,2a,21,1d,64,6e,dd,5b,f5,07,7b,df,10,58,a0,e8,91,b8,56,1a,ac,f5,95,a2,86,\
  ba,2b,5b,5c,24,11,fd,5a,59,9b,42,85,53,08,ef,78,74,dc,e6,83,10,ee,b9,59,9e,\
  0d,b1,73,4e,e4
"Wallpaper"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,\
  00,73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,\
  67,00,73,00,5c,00,55,00,73,00,65,00,72,00,5c,00,4c,00,6f,00,63,00,61,00,6c,\
  00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,5c,00,41,00,70,00,\
  70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,00,20,00,44,00,61,00,74,\
  00,61,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,\
  57,00,61,00,6c,00,6c,00,70,00,61,00,70,00,65,00,72,00,31,00,2e,00,62,00,6d,\
  00,70,00,00,00,92,84,e1,b9,f9,f1,4e,80,20,50,d7,8a,20,e7,70,8a,20,e7,70,8a,\
  9e,f0,ee,b9,38,7a,da,8a,18,99,de,8a,b0,02,d5,8a,e0,8a,d3,8a,20,e7,70,8a,00,\
  00,00,00,ff,ff,ff,ff,00,00,00,00,08,00,00,00,2c,2c,71,a7,f9,f1,4e,80,e8,8e,\
  d3,8a,20,e7,70,8a,00,a9,d5,8a,59,94,ed,b9,68,2c,71,a7,70,2c,71,a7,80,2f,de,\
  8a,ed,b6,54,80,00,00,00,00,20,e7,70,8a,c8,2c,98,89,18,99,de,8a,30,e7,70,8a,\
  00,7a,da,8a,94,2c,71,a7,00,22,de,8a,ed,b6,54,80,00,00,00,00,b0,2c,98,89,00,\
  00,00,00,10,38,a1,8a,10,38,a1,8a,00,2c,98,89,38,2d,98,89,00,00,00,00,00,00,\
  00,00,98,00,00,00,73,10,5c,80,00,00,00,00,05,00,00,00,b4,2c,71,a7,d7,10,5c,\
  80,a8,2c,98,89,46,69,6c,e5,00,a9,e0,8a,00,00,00,00,a8,2c,98,89,a8,2c,98,89,\
  cc,2c,71,a7,e6,b4,5b,80,00,00,00,00,b0,2c,98,89,c8,2c,98,89,00,a9,e0,8a,fc,\
  2c,71,a7,e2,67,52,80,c8,2c,98,89,00,00,00,00,cc,02,00,00,b0,2c,98,89,00,00,\
  00,00,b3,c3,5b,80,88,c6,88,89,20,6a,f4,e6,20,b0,58,89,00,a9,e0,8a,44,2d,71,\
  a7,49,c4,5b,80,20,6a,f4,e6,c8,2c,98,89,cc,02,00,00,01,00,00,00,9f,01,12,00,\
  00,00,00,00,64,2d,71,a7,2c,f5,42,01,64,c5,5b,80,c8,2c,98,89,70,9c,00,00,02,\
  00,00,00,00,00,00,00
"PrivateKey"=hex:07,02,00,00,00,a4,00,00,52,53,41,32,00,08,00,00,01,00,01,00,\
  6b,4e,b3,ff,72,08,32,03,84,35,7c,84,5b,89,1a,35,87,37,6a,ba,5f,af,0a,f3,2b,\
  be,35,85,41,70,c8,f9,36,ff,19,3d,81,1f,e9,37,dd,d2,2c,47,b9,53,4f,01,34,51,\
  fb,a9,d1,5b,fd,88,59,c2,ee,d6,e2,c4,e0,8e,1f,ca,85,6a,4b,cb,b9,e7,d9,79,32,\
  f7,52,7f,13,03,54,3e,0b,c2,c5,7b,23,36,a1,c1,db,d9,06,f1,fc,20,71,ab,d0,13,\
  3a,b5,53,f4,f9,cf,8e,a8,38,23,d3,f4,54,1e,7e,b4,a6,38,16,75,1a,e9,ea,cf,6c,\
  83,6e,ce,f0,61,88,12,cc,50,3e,a8,a5,0e,c2,4d,45,29,a4,81,6d,1f,81,66,69,48,\
  df,af,2f,08,2b,8a,30,5c,87,9e,63,ca,56,d6,c6,f6,8a,6c,66,ec,29,2a,96,57,08,\
  00,56,a6,12,ee,fe,39,37,ee,92,ac,c9,ab,b2,21,9c,57,90,7a,d4,84,a9,7d,b3,24,\
  d3,20,2a,21,1d,64,6e,dd,5b,f5,07,7b,df,10,58,a0,e8,91,b8,56,1a,ac,f5,95,a2,\
  86,ba,2b,5b,5c,24,11,fd,5a,59,9b,42,85,53,08,ef,78,74,dc,e6,83,10,ee,b9,59,\
  9e,0d,b1,73,4e,e4,e1,1f,66,6a,df,96,03,4d,d8,c5,11,89,97,dd,a2,7e,c7,45,27,\
  f6,b6,21,dd,61,b8,ed,cf,c5,e4,cf,3a,da,d8,16,09,62,e9,e4,f2,7e,02,f5,d3,38,\
  21,9b,ee,95,4f,ab,4f,9a,89,7b,28,4c,37,7a,68,5d,b7,07,f8,a0,24,ff,62,97,7f,\
  e4,64,c4,e0,f8,c9,91,c6,e5,c4,84,6c,20,e9,4b,08,d9,13,f8,f6,6b,bd,3a,29,69,\
  16,2a,e0,74,98,87,de,7a,c6,45,d9,23,05,72,9e,81,bd,80,a8,57,dd,07,20,96,aa,\
  88,8f,91,2f,84,cb,fc,52,f5,cb,e7,74,08,42,cd,2b,2b,1a,52,fa,62,30,6d,f4,a6,\
  72,76,62,35,b1,63,1c,03,a1,98,86,57,1e,78,f3,94,ec,9a,3e,f5,4b,40,93,53,eb,\
  18,a8,d7,b8,d8,d0,a3,b1,24,21,de,8b,5e,9f,e8,95,be,ab,d3,dd,8e,5c,1c,b4,6f,\
  c3,76,31,62,45,68,93,c8,6f,8c,22,f0,49,f2,46,64,7c,14,ac,17,c2,2f,0f,25,3a,\
  12,88,dd,b1,75,8f,13,95,96,06,98,e6,a1,69,90,01,1f,17,c8,a4,84,6e,ee,cc,2b,\
  9a,36,cf,28,3e,9b,81,ca,4a,e1,3d,ee,a1,ba,1f,49,6e,4f,68,5e,de,a4,13,0f,c1,\
  88,7a,74,3f,91,cb,e8,e5,a1,39,96,01,84,22,c2,3e,86,ac,4e,ee,6c,53,ec,2b,d8,\
  04,c4,ae,e7,a4,85,b3,69,7e,2b,ea,14,ef,54,20,e8,3f,44,ce,b5,0b,9c,17,a6,2a,\
  bd,4f,b3,23,39,a2,92,9e,4d,cb,08,a8,44,e1,6f,c3,a0,f3,48,eb,ba,30,71,13,56,\
  c4,ed,66,27,af,0b,da,a9,83,60,4a,f6,28,bf,9d,10,53,f0,f5,46,42,4c,68,8f,8c,\
  0c,c7,18,3b,c0,80,85,e6,a4,39,68,53,30,f3,32,ef,8f,96,d3,b7,d3,59,09,24,6b,\
  fd,8f,a6,81,2d,be,51,10,3a,e7,64,d7,e7,e6,b7,d2,c3,cb,8d,26,e4,0c,a1,fa,d1,\
  4d,aa,6c,33,da,f2,4e,eb,ae,9a,69,fa,e7,84,c4,7a,62,27,0c,84,12,12,bf,1d,ab,\
  04,f6,27,27,d1,ae,58,3a,7a,85,2b,c1,bc,ad,a1,bf,bc,76,47,1c,ca,88,a6,10,c6,\
  c7,6d,ab,d5,70,df,18,72,11,8e,b7,07,b6,01,5e,ec,55,ab,36,af,b9,be,05,6d,2c,\
  55,4a,99,90,e0,7e,21,97,8f,86,ea,a0,4b,ad,68,90,34,06,a9,2d,7c,46,a5,04,6b,\
  58,02,d9,0c,a6,22,74,58,b7,ec,c5,f4,9b,9d,5e,1d,33,ba,65,a2,e2,52,41,92,9a,\
  04,1a,65,57,8d,a8,8c,ac,93,43,1e,47,09,27,69,31,d2,f1,5d,8d,93,36,da,28,7a,\
  47,79,46,92,df,80,fe,28,29,05,7a,9d,b8,35,68,8b,13,81,00,73,9c,b0,22,04,4a,\
  c0,e6,db,49,7e,05,dd,df,99,73,c4,a3,b5,50,b2,34,5c,bb,32,d9,81,7d,8d,06,91,\
  e1,a0,0c,54,b5,98,e9,13,5c,15,9f,7f,f4,b0,80,5c,df,c9,af,f5,7f,81,3b,1c,36,\
  b7,16,fd,7d,73,12,35,06,0c,72,2c,ea,73,fd,db,be,2e,11,61,85,b3,b6,59,83,ff,\
  31,b5,e9,48,11,94,97,3e,16,be,cb,f1,00,10,3f,71,aa,a9,fb,f0,35,1c,3c,aa,56,\
  33,4a,72,79,c3,a9,7c,64,d9,1c,dc,86,51,a1,91,97,72,15,fc,3e,c7,56,c2,04,bc,\
  33,27,34,16,44,5f,6f,f0,51,e6,74,fc,bd,84,79,4b,a1,c8,56,5e,29,12,75,94,01,\
  0e,59,a5,ac,b6,c0,bb,78,70,e2,22,73,d0,d9,e9,33,0c,b9,c3,d4,c4,86,db,ee,a4,\
  e4,f9,f0,71,c3,c1,e6,15,6b,d1,74,90,3f,47,b7,ba,c4,1d,57,20,63,f0,ae,3a,aa,\
  47,c3,56,c7,d7,87,7a,bb,65,4d,a0,1b,39,bd,f1,74,7a,af,7f,a0,1f,67,00,60,4d,\
  ae,5f,51,2a,68,dc,c9,fa,2f,35,09,aa,28,48,95,b4,b6,af,2e,e2,6d,f6,d0,c8,72,\
  7e,07,ea,0d,7b,04,b1,81,d3,12,c3,b7,c1,f1,e9,52,3e,9e,96,00,6e,85,1f,23,6e,\
  ff,16,db,32,28,db,ef,03,8f,79,19,42,0e,31,4d,09,36,4e,d0,8b,1a,b8,05,66,df,\
  48,6e
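Added example, not part of the original post: a Python parser for the export above. The .reg format stores a binary value as comma-separated hex with continuation lines ending in a backslash, and the PublicKey and PrivateKey values are CryptoAPI key blobs: a BLOBHEADER (blob type 0x06 for PUBLICKEYBLOB or 0x07 for PRIVATEKEYBLOB, version 2, algorithm id 0xa400 for CALG_RSA_KEYX) followed by an RSAPUBKEY (the magic "RSA1" or "RSA2", the key length in bits, the public exponent) and the little-endian modulus, with a private blob also carrying the five CRT components and the private exponent. The embedded sample is the PublicKey value from the dump above; the function names are this example's own.

```python
import re
import struct

# Sample input: the "PublicKey" value from the HKCU\Software\CryptoLocker dump above,
# as exported by regedit (comma-separated hex, continuation lines end in "\").
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\CryptoLocker]
"PublicKey"=hex:06,02,00,00,00,a4,00,00,52,53,41,31,00,08,00,00,01,00,01,00,6b,\
  4e,b3,ff,72,08,32,03,84,35,7c,84,5b,89,1a,35,87,37,6a,ba,5f,af,0a,f3,2b,be,\
  35,85,41,70,c8,f9,36,ff,19,3d,81,1f,e9,37,dd,d2,2c,47,b9,53,4f,01,34,51,fb,\
  a9,d1,5b,fd,88,59,c2,ee,d6,e2,c4,e0,8e,1f,ca,85,6a,4b,cb,b9,e7,d9,79,32,f7,\
  52,7f,13,03,54,3e,0b,c2,c5,7b,23,36,a1,c1,db,d9,06,f1,fc,20,71,ab,d0,13,3a,\
  b5,53,f4,f9,cf,8e,a8,38,23,d3,f4,54,1e,7e,b4,a6,38,16,75,1a,e9,ea,cf,6c,83,\
  6e,ce,f0,61,88,12,cc,50,3e,a8,a5,0e,c2,4d,45,29,a4,81,6d,1f,81,66,69,48,df,\
  af,2f,08,2b,8a,30,5c,87,9e,63,ca,56,d6,c6,f6,8a,6c,66,ec,29,2a,96,57,08,00,\
  56,a6,12,ee,fe,39,37,ee,92,ac,c9,ab,b2,21,9c,57,90,7a,d4,84,a9,7d,b3,24,d3,\
  20,2a,21,1d,64,6e,dd,5b,f5,07,7b,df,10,58,a0,e8,91,b8,56,1a,ac,f5,95,a2,86,\
  ba,2b,5b,5c,24,11,fd,5a,59,9b,42,85,53,08,ef,78,74,dc,e6,83,10,ee,b9,59,9e,\
  0d,b1,73,4e,e4
'''

BLOB_TYPES = {0x06: "PUBLICKEYBLOB", 0x07: "PRIVATEKEYBLOB"}
ALG_NAMES = {0x0000A400: "CALG_RSA_KEYX", 0x00002400: "CALG_RSA_SIGN"}
RSA_MAGIC = {b"RSA1": "public", b"RSA2": "private"}


def parse_reg_hex_values(reg_text):
    """Return {value_name: bytes} for every "Name"=hex:... value in a .reg export."""
    values = {}
    lines = reg_text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r'\s*"([^"]+)"=hex:(.*)$', lines[i])
        if not m:
            i += 1
            continue
        name, pieces = m.group(1), [m.group(2)]
        # A trailing backslash means the hex continues on the next line.
        while pieces[-1].rstrip().endswith("\\"):
            pieces[-1] = pieces[-1].rstrip()[:-1]
            i += 1
            pieces.append(lines[i].strip())
        hexstr = "".join(pieces).replace(" ", "")
        values[name] = bytes(int(h, 16) for h in hexstr.split(",") if h)
        i += 1
    return values


def expected_blob_length(blob_type, bits):
    """Byte length CryptoAPI uses for an RSA blob of this type and key size."""
    n = bits // 8                      # modulus length in bytes
    if blob_type == 0x06:              # BLOBHEADER + RSAPUBKEY + modulus
        return 20 + n
    if blob_type == 0x07:              # ... + p, q, dP, dQ, qInv (n/2 each) + d (n)
        return 20 + n + 5 * (n // 2) + n
    raise ValueError(f"not an RSA key blob type: {blob_type:#x}")


def parse_rsa_blob(blob):
    """Decode BLOBHEADER + RSAPUBKEY and check the blob length matches the key size."""
    if len(blob) < 20:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    btype, bver, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bits, pubexp = struct.unpack_from("<4sII", blob, 8)
    if btype not in BLOB_TYPES or magic not in RSA_MAGIC:
        raise ValueError("not a CryptoAPI RSA key blob")
    n = bits // 8
    return {
        "blob_type": BLOB_TYPES[btype],
        "version": bver,
        "algorithm": ALG_NAMES.get(alg, f"{alg:#010x}"),
        "bits": bits,
        "public_exponent": pubexp,
        "modulus": int.from_bytes(blob[20:20 + n], "little"),
        "size_ok": len(blob) == expected_blob_length(btype, bits),
    }


def describe_key_values(reg_text):
    """Parse every RSA key blob in the export; values that are not key blobs are skipped."""
    out = {}
    for name, data in parse_reg_hex_values(reg_text).items():
        try:
            out[name] = parse_rsa_blob(data)
        except ValueError:
            pass  # e.g. VersionInfo or Wallpaper
    return out


if __name__ == "__main__":
    for name, info in describe_key_values(SAMPLE_REG).items():
        print(name, info["blob_type"], info["algorithm"], info["bits"],
              info["public_exponent"], "length ok" if info["size_ok"] else "TRUNCATED")
```

Run on the dump above it reports a 2048-bit RSA key with public exponent 65537 whose 276-byte length is exactly what a PUBLICKEYBLOB of that size occupies. The PrivateKey value that appears after payment is 1172 bytes in the dump, which is precisely the PRIVATEKEYBLOB length the same formula gives for 2048 bits, and both values carry the same modulus bytes (6b,4e,b3,ff,...), so the export holds one complete key pair. That length check is a cheap way to confirm an export was not truncated before relying on it for recovery or passing it to a takedown effort.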

 


More information from Infosecurity, posted October 14th 2013.

A ransomware threat known as CryptoLocker is making the rounds, scrambling files in the process. And once it’s triggered, there is no way to recover them.

Ransomware has adapted over the years, becoming more difficult to thwart. “Malware that encrypts your data and tries to sell it back to you, or else, is not new,” noted Paul Ducklin, a researcher at Sophos Labs, in a blog. “In fact, one of the earliest pieces of malware that was written specifically to make money, rather than simply to prove a point, was the AIDS Information Trojan of 1989. That Trojan scrambled your hard disk after 90 days, and instructed you to send $378 to an accommodation address in Panama.”

That bug used simplistic encryption algorithms, and every computer was scrambled in the same way, so free tools for cleanup and recovery soon became available, Ducklin noted. Not so with the CryptoLocker next-gen ransomware, which uses a public key to encrypt a variety of file types such as images, documents and spreadsheets. The malware searches for files to encrypt on all drives and in all folders it can access from the compromised computer, including workgroup files shared by colleagues and resources on company servers.

“The more privileged your account, the worse the overall damage will be,” Ducklin said.

CryptoLocker installs itself in the Documents and Settings folder, using a randomly generated name, and adds itself to the list of programs in your registry that Windows loads automatically when the user logs on. It then produces a lengthy list of random-looking server names in the domains .biz, .co.uk, .com, .info, .net, .org and .ru – and then tries to make a web connection to each of these server names in turn, trying one each second until it finds one that responds. Once it has found a server that it can reach, the server generates a unique public-private key pair and sends the public key part back to the computer.
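Added example, not from Infosecurity or Sophos: the behaviour just described, a host working through generated-looking names across those TLDs one per second until one answers, leaves a burst of NXDOMAIN responses in the resolver log. This Python detector flags a host that produces such a burst of lookups for long, high-entropy labels spread over several of the TLDs named above. The log line format, the thresholds and the function names are this example's assumptions, and the log lines are constructed.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# TLDs named in the article's description of the name-generation behaviour.
WATCHED_TLDS = ("biz", "co.uk", "com", "info", "net", "org", "ru")

# Constructed resolver log lines (format assumed: timestamp host query rcode).
# WKS-07 shows the one-lookup-per-second churn through names that do not exist;
# WKS-02 is ordinary traffic with a single stale internal name.
SAMPLE_LOG = """\
2013-10-14T10:00:01 host=WKS-07 query=qwvhxkptrmzcy.biz rcode=NXDOMAIN
2013-10-14T10:00:02 host=WKS-07 query=lkjdhfgtrbvnmq.co.uk rcode=NXDOMAIN
2013-10-14T10:00:03 host=WKS-07 query=zpoiuytrewqas.com rcode=NXDOMAIN
2013-10-14T10:00:04 host=WKS-07 query=mnbvcxzlkjhgfd.info rcode=NXDOMAIN
2013-10-14T10:00:05 host=WKS-07 query=tyuiopasdfghj.net rcode=NXDOMAIN
2013-10-14T10:00:06 host=WKS-07 query=xcvbnmasdfghjk.org rcode=NXDOMAIN
2013-10-14T10:00:07 host=WKS-07 query=asdfghjklzxcvb.ru rcode=NXDOMAIN
2013-10-14T10:00:03 host=WKS-02 query=www.google.com rcode=NOERROR
2013-10-14T10:00:04 host=WKS-02 query=intranet-old.example.com rcode=NXDOMAIN
2013-10-14T10:00:05 host=WKS-02 query=mail.example.org rcode=NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) query=(?P<qname>\S+) rcode=(?P<rcode>\S+)$")


def shannon_entropy(s):
    """Bits per character; random letter strings score well above real words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_domain(qname):
    """(registered label, tld) for a watched TLD, handling the two-level co.uk; else (None, None)."""
    qname = qname.rstrip(".").lower()
    for tld in sorted(WATCHED_TLDS, key=len, reverse=True):
        if qname.endswith("." + tld):
            return qname[: -len(tld) - 1].split(".")[-1], tld
    return None, None


def looks_generated(label, min_len=12, min_entropy=3.0):
    """Long, letters-only, high-entropy label: the shape of a generated name."""
    return len(label) >= min_len and label.isalpha() and shannon_entropy(label) >= min_entropy


def find_dga_hosts(log_text, window_seconds=60, threshold=5, min_tlds=3):
    """Hosts with >= threshold NXDOMAIN answers for generated-looking names inside one
    window, spread over >= min_tlds of the watched TLDs. Returns {host: details}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["rcode"] != "NXDOMAIN":
            continue
        label, tld = split_domain(m["qname"])
        if tld is None or not looks_generated(label):
            continue
        events[m["host"]].append((datetime.fromisoformat(m["ts"]), tld))

    flagged = {}
    for host, evs in events.items():
        evs.sort()
        times = [t for t, _ in evs]
        start = best = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        tlds = sorted({tld for _, tld in evs})
        if best >= threshold and len(tlds) >= min_tlds:
            flagged[host] = {"burst": best, "tlds": tlds}
    return flagged


if __name__ == "__main__":
    for host, details in find_dga_hosts(SAMPLE_LOG).items():
        print(f"{host}: {details['burst']} generated-name NXDOMAINs across {details['tlds']}")
```

Label entropy on its own is a weak signal (long real words also score high), which is why a host is flagged only when the lookups are bunched into one window and spread across several TLDs; tune `threshold` and `window_seconds` to the resolver's normal NXDOMAIN rate. A host that trips this rule is the one whose mapped shares the incident above says will be encrypted next, so the alert is worth routing to whoever can isolate it.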

“Remember that public-key cryptography uses two different keys: a public key that locks files, and a private key that unlocks them,” said Ducklin. “You can share your public key widely so that anyone can encrypt files for you, but only you (or someone to whom you have given a copy of your private key) can decrypt them.”

The malware offers to trade money for the private key to unlock the encrypted files. “It pops up a pay page, giving you a limited time, typically 100 hours, to buy back the private key for your data, typically for $300,” Ducklin said. A warning follows that the server will destroy the key after the specified time, meaning that the files can never be recovered.

The picture doesn’t get better. “SophosLabs has received a large number of scrambled documents via the Sophos sample submission system,” he said. “These have come from people who are keenly hoping that there's a flaw in the CryptoLocker encryption, and that we can help them get their files back. But as far as we can see, there's no backdoor or shortcut: what the public key has scrambled, only the private key can unscramble.” In other words, unlike other ransomware, there is no remediation.

Worse, the infection vectors make it difficult for consumers to avoid. CryptoLocker arrives via email attachments and botnets – the former is easy to avoid by being wary of unsolicited attachments. Botnets, though, are a different story.

“Most bots, or zombies, once active on your computer, include a general purpose ‘upgrade’ command that allows the crooks to update, replace, or add to the malware already on your PC,” said Ducklin. “So take our advice: make it your task today to search out and destroy any malware already on your computer, lest it dig you in deeper still.”
