Jump to content

Recommended Posts

Hi,

 

At $parentcompany, we've been hit by Cryptolocker a second time. MalwareBytes Pro seemed to recognize a lot of the files & remove them successfully & I was able to restore from backup without any issues. My issue is - why didn't MalwareBytes do anything to stop this in it's tracks? I know MalwareBytes is pretty good about blocking communication to outside IP Addresses from malicious, unknown, or suspicious executables; but both times I've been infected by this malware, it did no such thing. Is it due to the relevant executables that being MalwareBytes database, or does MalwareBytes block based on what IP address a program is talking to? I feel like this part of MalwareBytes needs some work, or perhaps some detailed explaining for those of us in a System Administrator role.

Link to post
Share on other sites

  • Root Admin

In most cases a computer running outdated plugins such as Java, Flash, Acrobat Reader can easily become victims of a Drive-by download as older versions of the code have been exploited.  Windows itself as well as Internet Explorer and other Browsers also often contain code that has been exploited.  The installers for these infections change very rapidly and often may not have a tell-tale signature or name to detect and block for their installers. We have someone working around the clock from different locations in the World searching, testing, adding, and updating rules for the our program to try and prevent these as well as other attacks but one should also be following good computer practices to help prevent such attacks. Make sure that all security updates from Microsoft are applied to all systems and that live up to date antivirus protection is enabled. Setup MBAM updates for at least once every 4 hours so that as soon as we find new entries and add them your system will get those updates as well.

Please see the following link which will provide more information on this attack as well as some additional options you can take to help prevent this attack.
Cryptolocker Hijack program
 
 
As Java seems to get exploited on a regular basis I advise not using Java if possible but to at least disable java in your web browsers
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to help prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.

 

 

 

 

Resetting the Malwarebytes Anti-Malware schedules from the command line.

There is a 15 minute randomized delay in the scheduler for the MBAM  updates so + or - 15 minutes is normal for updates with the scheduler. Scans will run at the time set for though.

From an elevated admin command prompt please do the following.
How to Open an Elevated Command Prompt in Windows 7

Please type the following and press the Enter key at the end of the line.
You can check here if you're not sure if your computer is 32-bit or 64-bit

On Windows XP and Windows 7 x86
CD "%ProgramFiles%\Malwarebytes' Anti-Malware"

On Windows 7 x64
CD "%ProgramFiles(x86)%\Malwarebytes' Anti-Malware"

Please type the following and press the Enter key at the end of each line. There will not be any feedback normally unless you type it wrong.


mbam.exe /unschedule /all
mbam.exe /schedule /update /silent /hourly /every 4 /starting 10/04/2013 16:15:00 /recover 2
mbam.exe /schedule /scan -quick -log -silent -remove -reboot /silent /daily /every 1 /starting 10/04/2013 17:30:00 /recover 23

Now open the MBAM program and go to the Protection tab and click on the Scheduler button
If completed correctly it should look very similar to the image below.

scheduler_settings_zps5f895d05.png

Link to post
Share on other sites

Hi,

 

At $parentcompany, we've been hit by Cryptolocker a second time. MalwareBytes Pro seemed to recognize a lot of the files & remove them successfully & I was able to restore from backup without any issues. My issue is - why didn't MalwareBytes do anything to stop this in it's tracks? I know MalwareBytes is pretty good about blocking communication to outside IP Addresses from malicious, unknown, or suspicious executables; but both times I've been infected by this malware, it did no such thing. Is it due to the relevant executables that being MalwareBytes database, or does MalwareBytes block based on what IP address a program is talking to? I feel like this part of MalwareBytes needs some work, or perhaps some detailed explaining for those of us in a System Administrator role.

 

One has to determine the attack vector.

 

If you have experienced this twice, the defenses need to be strengthened and the layers of protection from border gateways to email servers need to be re-examined.

 

Was this received in email ?  For example Spear Phishing.

Was this a case of a download by a naive employee ?

Was this a case of a Social Engineering ploy ?

Was this a case of a vulnerability and exploitation ?

 

These talking points must be examined and the source of infection pin-pointed with the security holes plugged.

 

Just asking "Why didn't MalwareBytes do anything to stop this in it's tracks?" is not enough.  That infers that your protection schemas rely on this software.  They can't.  Anti malware software is only one part of multiple layers of protection.

Link to post
Share on other sites

In most cases a computer running outdated plugins such as Java, Flash, Acrobat Reader can easily become victims of a Drive-by download as older versions of the code have been exploited.  Windows itself as well as Internet Explorer and other Browsers also often contain code that has been exploited. 

 

Ron -

 

Regarding scheduling in MalwareBytes - is there any advanced logging that can be turned on to determine if & when it runs, and why it fails? I use PDQ Inventory at my organization to run that update command across all of the machines in my organization & I've walked up to some machines & I see MalwareBytes complaining it's out of date by a few days, maybe more even though it's scheduled to update everyday. It's been an issue previously & MalwareBytes support wasn't really able to resolve it.

Link to post
Share on other sites

Was this received in email ?  For example Spear Phishing.

 

David -

 

I'm pretty sure this was due to an e-mail phishing (if you could call it that...) where users would open attachments arbitrarily just because who it comes from seems important. The first time it happened, the user had already clicked on the attachment & I didn't see anything unusual on the machine. After the machine was infected, MalwareBytes picked up some things after the fact. It must've been a new variant -- I believe it's the same one I went you from my work address coincidentally.

 

The second time, I believe the attack vector was the same, sad to say. Different user. The variant was different & I don't have a copy of the executable in question. I don't know how it got on their machine. As a safeguard from the previous time we blocked zip attachments at our spam filter level so I'm not quite sure how this one got through. It's disappointing, to say the least. In this case, I'm not sure how MalwareBytes active protection didn't do anything as, as soon as I disconnected the network jack on the computer, MalwareBytes flipped out & detected Cryptolocker. It's unusal to say the least.

Link to post
Share on other sites

  • Root Admin

I use PDQ Inventory at my organization to run that update command across all of the machines in my organization

Can you please be a bit more specific what it is you're doing as it sounds like you're not letting the built-in scheduler actually do the updates.

If you're concerned about bandwidth issues then there is an offline updater for Business that you can contact corporate support and work with them to download and setup. By not using the built-in scheduler as I'm sure you're aware we're certainly going to point an update failure at a 3rd party solution (which may or may not be true) and why again I'd like to get more details of what's going on.

Now, that said... Please re-read what I've posted as one should not be relying upon any single piece of security software to block and prevent all infections.  One cannot simply run their computers with old outdated and exploited code and expect any product to over come that.  Granted us along with your antivirus software might be able to stop many things but again one should ensure that all parts of the system that are known to pose potential threats or avenues of incursion should be updated.

The complexity of finding, preventing, and cleanup from malware

I can certainly try to assist you with getting our product to update regularly if in fact you are having an issue.  Yes there were updating issues with the program but that was well over a year ago and we rarely see updating issues except on infected or otherwise damaged computers.  If you'd like me to assist you please let me know what you're currently doing with the updates and then we'll run some tests on one or more of your systems.

 

Thanks

 

Ron

Link to post
Share on other sites

Spear Phishing is a direct targeting of the subject or subject's organization using text and verbiage associated with said organization as well as forging email of said organization in such a way that one is goaded into believing it is an Internal related email rather than an External related email.

 

For example.  I was discussing a similar occurrence with a representative of the Sac and Fox nation who's gov't counsel was hit.

 

Email Subject:  "Annual Form - Authorization to Use Privately Owned Vehicle on State Business"

 

The body of the email

 

All employees need to have on file this form STD 261 (attached).  The original is retained by supervisor and copy goes to Accounting. Accounting need this form to approve mileage reimbursement.

The form can be used for multiple years, however it needs to re-signed annually by employee and supervisor.

Please confirm all employees that may travel using their private car on state business (including training) has a current STD 261 on file.  Not having a current copy of this form on file in Accounting may delay a travel reimbursement claim.

 

The sending email was forged to "look like" it came from within their governmental system.

 

Attached to the email was a ZIP file and in the ZIP file was "Form_20130810.exe".

 

The email Headers show the email emanated from Greece.

 

That is Spear Phishing.

 

There were multiple layers of failures.  The email client was MS Outlook and the email system was MS Exchange.

 

1.  A ZIP with an EXE file should have been stripped from the email before it was delivered.

2.  The file is well recognized - VT Report and should have been detected by the anti virus application on the MS Exchange Server

3.  The Workstation running MS Outlook should have had a MAPI compliant anti virus solution (different from the anti virus used on the email server) and should have been detected there

4.  The user who received this email was NOT properly trained on the concept of Phishing and Spear Phishing.  They should NEVER have opened the attachment and executed the file.  At the very least should have attempted to contact the forged sender and ask "Did you send me the email on Privately Owned Vehicle on State Business ".

 

Being that this was Spear Phishing the email should NEVER have delivered a ZIP with and EXE and should have had an anti virus application scan the email and its attachment.  It was not a password protected ZIP file either.

 

A "good" defense is to block receipt of ANY/ALL email that contains a ZIP file (by file extension) for email that comes from the Internet POV. 

 

My organization implemented that policy and client and subcontractors were instructed to rename the ZIP file to PIZ and attach the PIZ file to email and in the body of the email explain that the attachment is a ZIP file renamed to PIZ.

Link to post
Share on other sites

A "good" defense is to block receipt of ANY/ALL email that contains a ZIP file (by file extension) for email that comes from the Internet POV. 

 

My organization implemented that policy and client and subcontractors were instructed to rename the ZIP file to PIZ and attach the PIZ file to email and in the body of the email explain that the attachment is a ZIP file renamed to PIZ.

 

I just want to re-emphasize this as it is an active protection scheme that is used, it does work and it eliminates one attack vector without even using anti malware software. 

Link to post
Share on other sites

  • 1 year later...

Programs that work well with Malwarebytes and most antivirus that can stop crypto from executing is Cryptoguard and Hitman Pro Alert. There is also Malwarebytes Anti-Exploit to help protect against drive-by installation using outdated Java and browsers. Free version is limited to home usage only for likely all 3 programs I mention.

Link to post
Share on other sites

Programs that work well with Malwarebytes and most antivirus that can stop crypto from executing is Cryptoguard and Hitman Pro Alert. There is also Malwarebytes Anti-Exploit to help protect against drive-by installation using outdated Java and browsers. Free version is limited to home usage only for likely all 3 programs I mention.

CWEric, You have replied to a very old topic Posted 15 October 2013 - 05:40 PM with info that was based on an older version of Malwarebytes....

 

It is usually frowned upon to reply to topics that are this old, and more than likely the OP is no longer following this topic.

 

If you have issues or need help please open your own topic.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.