Quick questions about CryptoLocker & other ransomware


Baldape

So if I understand correctly it's possible to undo the effects of something like CryptoLocker by doing a System Restore, is this true? :unsure:

And about how long does it take on average for ransomware to activate?

And how well can MBAM Pro defend against it (excluding the website blocking shield)?


  • Root Admin

One needs to be very careful on how you go about trying to restore your data.

 

I would suggest following the advice from the topic here Available Assistance for Possibly Infected Computers and having one of the Experts assist you with looking into your issue.

We block all known droppers but new ones come out every day.  Having your system fully up to date with all security updates and all old exploited programs such as old Java, Flash, etc. removed will help to keep the system safe.  One should also have a good solid backup of their data in today's digital world we live in.  If using an external drive for data backup it should not be left plugged in, as it too would be susceptible to attack.  Only plug the drive in while doing backups and when done unplug it.  Never plug it in if you suspect the computer may be infected until you're certain it is clean.

 

 


I'm a cloner and that has provided me with a complete recovery mode where I was running again within a few minutes.

 

In my opinion, that's the best plan, either routine cloning or imaging since it provides a total recovery option with everything restored since you're removing 100% of any malware, PUP, virus, etc.

 

The last 2 times that I was affected by an intrusion, I didn't spend any time trying to clean, recover, repair.  I plugged in my cloned HDD and I was running within minutes.

 

There's only one scenario where I wonder about, and that's if I'm hit with some kind of a delayed, deeply-hidden infection where I don't see any symptom of its presence, and it's not detectable with 2 scanner tools:  My AV and MBAM daily full scans.

 

So far, in 9 years of home 'net surfing, I haven't seen that occur,  delayed triggering, stealth infections where I don't see any indication of an infection present.

 

I've asked about this at other forums, ie, what's the percentage of home 'net users that get hit with something like this, but I haven't as yet read about anyone that's been through that scenario.

 

In every case for me, which I like since I always have that complete tested HDD on the shelf, I've always known almost immediately when something penetrated my AV'S or MBAM frontline protection tools.

 

I'd much rather know about a hit as I'm sure everyone would prefer, vs getting hit by some kind of delayed reaction days or weeks later.


Absolutely not.

 

The System Restore service only works on executable files and OS structure files.  It does not act upon user data files.  Malware in the form of cryptovirology, whose payload encrypts data files, cannot be fixed by restoring to a previous System Restore break point state.  Since the System Restore service does not act upon data files it will not restore the encrypted files to an unencrypted state.  If the data is held for a ransom fee then the malware is a type of ransomware.  While it is possible that a virus could have a ransomware payload, the malware presently seen is in the form of trojans and not viruses.

 

If one has been hit by this form of ransomware, with the payload being the encryption of data files, the only course of action would be to either clean the PC of the malware or wipe and reinstall the OS or restore a previously created image of the platform.  Then one can restore data that had been backed up to offline storage.  An external hard disk that has a mirror of one's data cannot be considered, for this discussion, as offline storage unless data is copied to the external drive and the drive is mostly kept disconnected.  If an external hard disk is kept connected to the system during a ransomware event, it is probable that these files will be encrypted as well.  If one is in a Local Area Network (LAN) where one maps a drive letter (such as "K:") to an NT Share then it is probable that data stored on the mapped drive will also be encrypted.

 

Offline storage, for this discussion, is defined as a backup media that is on removable media and is removed after a backup is performed.  Additionally media such as a tape can be considered offline storage.  If a backup program is used and it creates one large compressed file that represents a backup set, it is possible that this too can be encrypted.  While it is not a "data file format" it is conceivable that a ransomware trojan could encrypt (target) the file types known to be used by backup software (example:  QIC and BKF).

 

There is no quick fix.  If one is hit by this form of ransomware, consider the data to be non-existent and lost and after the PC is cleaned, OS reinstalled or computer re-imaged, data can then be restored from offline storage.

 

Remember...

Hardware is cheap, data is expensive.


Generally speaking it is often possible to restore previous file versions in a non-encrypted state using the Volume Shadow Copy, but again this should be done under the guidance of an Expert for most users.
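As an added example (not from the original thread, and not Malwarebytes' own procedure), this is how the shadow-copy route above looks in practice on a Windows machine that still has Volume Shadow Copies: find the newest snapshot taken before the infection, expose it through a directory link, copy the old version of a file out, and check that what came back actually looks like the file type it claims to be. The user name, file path, link folder, destination and cutoff time are assumed placeholders. Run it from an elevated PowerShell after the trojan has been removed, and be aware that some ransomware deletes the shadow copies first, in which case the snapshot list is empty and this route is closed.

```powershell
# Added example, not part of the original thread. Recovers the pre-encryption
# version of one file from a Volume Shadow Copy. Run from an elevated PowerShell.
# All paths and the cutoff time below are assumed placeholders.
$Volume     = 'C:\'
$Victim     = 'C:\Users\Baldape\Documents\budget.xlsx'   # assumed: an encrypted file
$LinkDir    = 'C:\ShadowView'                            # assumed: temporary link to the snapshot
$Recover    = 'D:\recovered'                             # assumed: destination on a separate disk
$InfectedAt = Get-Date '2013-10-15 09:00'                # assumed: when symptoms first appeared

# 1. Find the volume's device ID, then list its snapshots oldest first.
#    If the ransomware ran "vssadmin delete shadows", this list is empty.
$letter  = $Volume.TrimEnd('\')
$volId   = (Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq $letter).DeviceID
$shadows = Get-CimInstance Win32_ShadowCopy | Where-Object VolumeName -eq $volId | Sort-Object InstallDate
if (-not $shadows) { throw "No shadow copies exist for $Volume; recover from offline backup instead." }
$shadows | Format-Table InstallDate, DeviceObject -AutoSize

# 2. Pick the newest snapshot taken before the infection. Anything later may already
#    contain the encrypted version of the file.
$snap = $shadows | Where-Object { $_.InstallDate -lt $InfectedAt } | Select-Object -Last 1
if (-not $snap) { throw "Every snapshot postdates $InfectedAt; none is safe to use." }

# 3. Expose the snapshot as a directory. The \\?\GLOBALROOT device path is not a
#    normal file-system path, but a directory symbolic link to it (note the trailing
#    backslash) is, so Copy-Item can read through it.
cmd.exe /c mklink /d $LinkDir "$($snap.DeviceObject)\" | Out-Null
try {
    $rel = $Victim.Substring($Volume.Length)          # path relative to the volume root
    $old = Join-Path -Path $LinkDir -ChildPath $rel   # same path, inside the snapshot
    if (-not (Test-Path -LiteralPath $old)) { throw "File is not present in the snapshot: $old" }
    New-Item -ItemType Directory -Force -Path $Recover | Out-Null
    $dest = Join-Path -Path $Recover -ChildPath (Split-Path -Path $Victim -Leaf)
    Copy-Item -LiteralPath $old -Destination $dest

    # 4. Evidence check: the snapshot copy should differ from the live (encrypted)
    #    file, and an .xlsx is a ZIP container, so it should start with "PK".
    Get-FileHash -Algorithm SHA256 -LiteralPath $dest, $Victim | Format-Table Hash, Path -AutoSize
    $head = [System.IO.File]::ReadAllBytes($dest)[0..1]
    if ($head[0] -ne 0x50 -or $head[1] -ne 0x4B) {
        Write-Warning "Recovered file does not start with 'PK'; the snapshot may itself be post-encryption."
    }
}
finally {
    # 5. rmdir on a directory link removes only the link, never the snapshot contents.
    cmd.exe /c rmdir $LinkDir | Out-Null
}
```

The hash comparison is there so you can tell the two cases apart before trusting the copy: if the snapshot copy and the live file hash the same, the snapshot was taken after encryption and you need an older one (or the offline backup).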

 

 

OK, I guess it's kind of a myth then. Alright, so one way to know if you've been hit by CryptoLocker is to look under the %AppData% folder and look for a random file name, at least this is what I read on the Bleeping Computer forums. http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/page-26#entry3165383

 

So how effectively could NoScript prevent this type of exploit?

 

And it sounds like cloning my system & personal files could help with removing the ransomware and reversing the encryption, so if I use AOMEI Backupper to clone my system/files could it effectively help reverse the effects of CryptoLocker?


  • Root Admin

You cannot reverse the effects.  You can restore files - not the same thing, as you could have new files that are encrypted and not on that restore disk.
 
NoScript is a great tool but there is much more to keeping your computer safe than NoScript.
 
 
 
A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.

If you're not currently using Malwarebytes PRO then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.


Executables in %AppData% *may* be indicative of a crypto trojan or other malware but it is not conclusive or decisive.  Different versions or variants can and will alter both the loading points within the OS and the location the dropped files are located.

 

You said "...prevent this type of exploit?"

"This" has not been defined.  There are two major kinds of exploits being used to get victims infected.

The first is Social Engineering which is the Human Exploit.  There are many ploys being used.  One is Spear Phishing.

The second is the software vulnerability/exploitation vector.  NoScript may help in this case where the prospective infection vector is a web site using exploitation code, but with limited efficacy.

 

You said "...cloning my system&personal files could help with removing the ransomware and reversing the encryption"

No, you misconstrue.

 

Cloning and data backups help mitigate the effects of a ransomware or any other infection.  It is not a process for removal.

 

Assuming a cryptographic trojan has encrypted a user's data files, there are two ways to go about rectification.

 

The first is cleaning the PC or what may be deemed as malware removal.  They are trojans and are not viruses and so they don't "infect" other files or spread to other media.  It is not that they can't do it, it is that the present batch just don't act like an AutoRun Worm or a File Infecting Virus.  Therefore an affected user may go the route of malware removal.  After a thorough quantitative and Operating System analysis, an affected computer may be deemed "clean".  At that point one can look at the data file aspect.  That's simple.  For all intents and purposes, they're gone.  Yes a file with their original name may exist but it is a false front.  That DOC, PPS, PDF or XLS file is now "garbage".  If the malicious actor had malware just delete the files, there could be no "ransom" ploy to have a monetary gain.  However from the POV of the infected user, they might as well have been deleted.  Therefore the *ONLY* option is to restore data from a trusted backup.  This isn't perfect but restoring from backup is the best countermeasure.  Yes there can be cases where a given XLS file has old data or the DOC isn't the latest revision but that is far better than not having it at all.

 

The second option concerns a case where the affected user cannot "trust" the PC and the idea of cleaning or removing the malware is not an option.  In this case the affected user can opt to reinstall the OS from scratch.  That means wiping the hard disk and reinstalling; the OS, hardware drivers, applications and various hotfixes and patches.  For some that may be their only option or that is what they prefer to do.  However there is another option with appropriate software such as CloneZilla and Symantec Ghost.  That is to have an image made of the PC in question.  This is something that needs to be done in advance, in a "what if" scenario.

 

It is a lot of trouble to perform a wipe of the hard disk and reinstalling; the OS, hardware drivers, applications and various hotfixes and patches.  Easily a 4 ~ 8 hour quest.  One can do that once and then create an image of the system.  A snapshot of the system of that day and time.  If the hard disk fails, you get a new hard disk and restore the image then update the system thus saving much time and aggravation.  In the case of a ransomware crypto trojan, one might say F**K IT, I'll just restore my image.

 

Images and backups are not the same but they share some similarities.  Images may be made on occasion.  For example when the OS was first installed and then a new image after Service Pack 1 was installed and maybe another after Service Pack 2 was installed.  Or it can be based upon other criteria but images are not created as often as one may do backups.  One of the major differences between an image and a backup is that extracting a singular file or folder from an image can range from not possible to very difficult.  On the other hand extracting a singular file or folder from a backup is designed to be easier (depending on the software used).

 

In the case of one restoring an image to mitigate the ransomware event, the PC that is restored will be in a "time warp" of the moment that image was made.  Then the affected user will restore the data that is part of a backup set.  Since backups are done more often than images, the data restored will be "more current" with its currency depending on backup frequency.

 

In my case, I image every single drive of my computers monthly.  I use Veritas BackupExec to backup data to DVDRW disks weekly (rotating 6 DVDRW disks) and I make regular data "mirrors" to a Flash Drive.

 

In short you can NOT "reverse" encryption.  You can however overwrite[1] the encrypted files with originals that were restored from a backup.

 

One last note.  I don't suggest AOMEI software.  They are Usenet (Google Groups) spammers and thus using their software is contraindicated.

 

--

1.  I actually believe that the encrypted files should be just deleted and then data restored from backup media.


To help clarify my previous post about cloning, my routine will effectively reverse time if, and that's the catch, if I see observable signs of an infection, intrusion, etc.

 

For example, here's what has enabled me to recover from a couple of previous intrusions:

 

In this example, my last clone was done on 09/21/13.  I clone every 4 weeks.  If I get hit with an intrusion where I see the effects of the intrusion, popups, locked out of my browser, Desktop icons dis-associated, bogus icons appearing in my System Tray, etc.,

 

Then all I need to do is remove my affected HDD, install my cloned HDD and I'm running without any previous effects of the intrusions. 

 

I will have to run updates (Windows, MBAM AV) and the # of updates depends on when my replacement HDD was cloned.

 

Then I recover a few of my must-have items from an external HDD.  I backup those must-have items daily (overnight unattended with "Acronis" backup software tool).

 

The question that I would have about cryptolocker is, if the user is infected, will they see a symptom of the presence of the infection?

 

I read some of the "Bleeping Computer.com" link and I see where a member posted this:

 

"After a while, typically as long as it takes to encrypt the detected data files, you will be shown a screen titled CryptoLocker that contains a ransom note on how to decrypt your files."

 

If I'm reading this right, I'd know when I'm infected by CryptoLocker.

 

If I know I have this infection or any other infection/intrusion on my HDD, then I'm ok with it since I can pull the HDD and run on my other HDD. 

 

Then I'd format the infected HDD and clone back to that one with my working Source HDD.

 

Since I also have a 3rd HDD that's several months old since it was last cloned, I have another alternative to recover.


David,  I just read your post when I was posting mine.

 

Great points.  Thanks for helping clarify for Baldape.  I didn't want to confuse anyone here that may have thought the cloning (or imaging) process would in and of itself reverse the effects of infections.

 

I've read a lot of discussions about the old "cloning vs imaging" debates.  I see both as good backup/full recovery tools.

 

One reason that I like my cloning scheme is that I can verify my newly-cloned Target HDD as a working bootable tested HDD in a short period of time.

 

At another forum, I wasn't reading posts from imaging proponents that were verifying that their full-disc images had been tested, ie, they did a test-recover to a spare HDD and verified a complete bootable working spare image.

 

I've read elsewhere that there are "verify/checksum" tools that should suffice in authenticating images, which is a good idea.

 

I guess for me, there's something about seeing my spare cloned HDD boot up and run normally as a way to ensure that it's a plug-and-play spare if needed.


DHL: "Cloning and data backups help mitigate the effects of a ransomware or any other infection.  It is not a process for removal."

 

This would be akin to blowing out a tire on your car, running down the road until the tire peels off the rim and goes sailing off into oncoming traffic with sparks flying from the rim running on the pavement and *finally* getting the car pulled over to the shoulder...

There is no doubt about it... at this time the tire and rim are toast; absolutely worthless.

The fastest/best/most sensible fix is to grab the spare tire and rim out of the trunk, swap it out and go on down the road.

 

And so it goes with the encrypted HD and grabbing the back-up off the shelf.


So typically how long does it take for this type of malware to take effect?

And if you suspect you've been infected with ransomware or anything else, doing a System Restore from a restore point that was made sometime before the suspected infection could wipe/remove the infection, correct? Of course I understand that this depends on your OS (32 or 64 bit) and if it's a rootkit or anything else that might embed itself in the MBR; the last I heard, if you have a 64-bit version of Windows you're less prone to these types of infections.


Basically the original file drops either a copy of itself such as a DAT file or creates a DLL file somewhere where the user has full rights to write a file, which is usually in the user's Profile.  The Registry is modified to load the DAT or DLL or EXE upon reboot.  This could be a process where it is chain-loaded with the OS shell (typically explorer.exe and malware.file), loaded by a complex REGSVR32 command line loading the DLL, or a simple RUNDLL32 malware.dll, etc.  Once that is done it will create a Registry key that holds the binary information of a certificate.  Once that is done it may upload the certificate to a web site along with information on the infected computer.  While that is happening it may be encrypting the data using the certificate as a key employing the Windows Crypto API.  On or around that point it will download some kind of graphic or text to flag the user that the affected person's data is being held for ransom.

 

Since the malware is in the form of executable files and the loading points are stored in the Registry it is possible that by using the System Restore service you will undo the actual infection because the executables will be removed along with the loading points.  However, the data will still be encrypted.  While I have not seen the crypto trojan screw with the System Restore service, malware in general may screw with the System Restore service and corrupt it as a "self preservation" technique.  Additionally the malware may block the execution of RSTRUI.EXE which is the end user GUI for selecting a System Restore point for restoration.

 

There is, at this time, no association with RootKit activity by or for a ransomware payload.
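As an added example (not from the thread, and not Malwarebytes' or the poster's own tooling), here is a PowerShell audit of the autorun locations this post describes, which also covers the earlier remark that executables in %AppData% are a lead rather than a verdict. It lists Run/RunOnce entries from HKCU and HKLM, resolves what each command line really launches (the DLL handed to rundll32/regsvr32 rather than the loader itself), flags payloads that live under the user profile or other broadly writable roots, reports their Authenticode status, and checks the Winlogon Shell value for the explorer.exe chaining the post mentions. Legitimate software also runs from the profile, so a flagged line is something to look at, not proof of infection.

```powershell
# Added example, not part of the original thread. Audits the Registry autorun
# locations described above and flags entries whose payload lives in a
# user-writable area. HKCU keys are readable as a normal user; use an elevated
# PowerShell to be sure the HKLM keys can be read as well.

function Get-AutorunPayload {
    # Extract the file an autorun command line really executes. For the loaders
    # named in the thread (rundll32.exe / regsvr32.exe) the payload is the DLL they
    # are handed, not the loader itself.
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if     ($cmd -match '^"([^"]+)"\s*(.*)$') { $exe = $Matches[1]; $rest = $Matches[2] }
    elseif ($cmd -match '^(\S+)\s*(.*)$')     { $exe = $Matches[1]; $rest = $Matches[2] }
    else   { return $null }
    $exe  = [Environment]::ExpandEnvironmentVariables($exe)
    $leaf = [IO.Path]::GetFileName($exe).ToLowerInvariant()
    if ($leaf -in 'rundll32.exe', 'regsvr32.exe') {
        # first non-switch argument is the DLL; rundll32 appends ",EntryPoint" to it
        $dll = $rest -split '\s+' | Where-Object { $_ -and $_ -notmatch '^/' } | Select-Object -First 1
        if ($dll) { $exe = [Environment]::ExpandEnvironmentVariables(($dll.Trim('"') -replace ',.*$', '')) }
    }
    return $exe
}

# Payload locations treated as suspicious: the user profile (which contains
# %AppData%, %LocalAppData% and %Temp%) plus the other broadly writable roots.
$userAreas = @($env:USERPROFILE, $env:ProgramData, $env:PUBLIC, "$env:SystemRoot\Temp") |
             Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit entries on a 64-bit OS
)
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider noise, not values

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -in $meta) { continue }
        $payload = Get-AutorunPayload -CommandLine ([string]$props.$name)
        if (-not $payload) { continue }
        $exists = Test-Path -LiteralPath $payload
        $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $payload).Status } else { 'missing' }
        [PSCustomObject]@{
            Key      = $key
            Name     = $name
            Payload  = $payload
            UserArea = [bool]($userAreas | Where-Object { $payload -like "$_\*" })
            Signed   = $status
        }
    }
}

# The post also mentions chaining the shell itself: Winlogon\Shell = "explorer.exe,malware.exe".
foreach ($wl in 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
                'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon') {
    $shell = (Get-ItemProperty -Path $wl -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') { Write-Warning "$wl Shell = '$shell' (expected 'explorer.exe')" }
}

# Unsigned payloads running from the user area are the ones to look at first.
$findings | Sort-Object UserArea, Signed -Descending | Format-Table Name, UserArea, Signed, Payload -AutoSize
```

The parser deliberately follows only the simplest loader forms (`rundll32 x.dll,Entry`, `regsvr32 /s x.dll`); a DLL path containing spaces inside the loader's arguments will be cut at the first space, so treat an odd-looking Payload column as a reason to open the value in regedit, not as a clean result.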


OP : "the last I heard if you have a 64 bit version of Windows your less prone to these type of infections."

where did you "hear" this ?

 

 

Yep, that 'possibly' removes the infection, which is still better than no hope at all. Thanks. :)

 

Well, what I've been told from various technicians I've spoken with is that typically rootkits & bootkits are usually designed for 32-bit kernels, but times are changing and 64-bit is quickly becoming the norm; heck, even iOS and very soon Android are going 64-bit, so I wouldn't be surprised if there's already an influx of 64-bit rootkits/bootkits.

 

But how long does it take on average for ransomware to hijack your system? The little I've heard it sounds like around 24 hours (give or take) regardless the size of your HDD or how many files you have. 


32 bit processes can run under a 64bit OS.  It is true that some won't work.

No 64 bit process can however run under a 32bit OS.

 

How long varies.  It could be dependent on the user's reboot cycle.  Once rebooted it could be minutes to an hour or two depending if the malware has a delay function.  However once the PC is rebooted it is now a moot point.


Hmm, makes sense. GIMP, Firefox, VLC & Audacity are 32-bit apps and of course they work just fine on 64-bit systems, but here's a different question: can a 32-bit rootkit/bootkit embed itself inside of a 64-bit OS's MBR?

 

So after the first reboot if you don't notice anything after twelve hours then you're probably safe, agree?

 

 

Final question, from what I read on this site the targeted file extensions that CryptoLocker encrypts are:

 

  3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx

So does it only encrypt these file extensions and nothing else?


That I am not sure about: "can a 32bit rootkit/bootkit embed itself inside of a 64bit OS's MBR".  I believe there are constructs within the OS that will inhibit that.  However I am not sure so I must say, "I don't know".

 

It is possible that is a subset of targeted file types.  I have not seen any lists of what's targeted and I don't know if the list was compiled based upon observed activity or extracted from some forensic analysis of a crypto trojan executable.  Additionally different variants may have a super-set and some a sub-set.

 

If crypto trojan variants encrypt "cer, crt, pfx, p12, pem, p7b, der" files then that's interesting because they are all X.509 Digital Certificate File Types and I did not know that X.509 certificates were being targeted.
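As an added example (not from the thread), here is a PowerShell scan that answers the practical question underneath this exchange: after an incident, which of the files with these extensions are actually damaged? It walks a folder (the path is an assumed placeholder), keeps only files whose extension is on the list quoted above, and compares each file's first bytes with the signature its type is expected to carry; for types without a stable signature it falls back to a byte-entropy estimate, which is only a hint because compressed formats also look random. Encrypted files keep their original names, so the extension is the only thing still saying what a file was. The certificate and key types from the list (pem, der, pfx, p12) are checked the same way as documents.

```powershell
# Added example, not part of the original thread. Finds files on the quoted
# extension list whose contents no longer match their type. The scan root is an
# assumed placeholder; the signature table covers only types with a stable header.
$Root = 'C:\Users\Baldape\Documents'   # assumed

$Targeted = ('3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, ' +
             'dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ' +
             'ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, ' +
             'raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx') -split ',\s*'

$zip = 0x50, 0x4B, 0x03, 0x04          # OOXML and OpenDocument files are ZIP containers ("PK")
$ole = 0xD0, 0xCF, 0x11, 0xE0          # legacy Office compound documents
$Magic = @{
    docx = $zip; docm = $zip; xlsx = $zip; xlsm = $zip; xlsb = $zip; pptx = $zip; pptm = $zip
    odt  = $zip; ods  = $zip; odp  = $zip; odb  = $zip
    doc  = $ole; xls  = $ole; ppt  = $ole
    jpg  = 0xFF, 0xD8, 0xFF;          jpe  = 0xFF, 0xD8, 0xFF
    rtf  = 0x7B, 0x5C, 0x72, 0x74, 0x66   # "{\rtf"
    psd  = 0x38, 0x42, 0x50, 0x53         # "8BPS"
    pst  = 0x21, 0x42, 0x44, 0x4E         # "!BDN"
    mdb  = 0x00, 0x01, 0x00, 0x00;    accdb = 0x00, 0x01, 0x00, 0x00
    dwg  = 0x41, 0x43, 0x31, 0x30         # "AC10"
    pem  = 0x2D, 0x2D, 0x2D, 0x2D, 0x2D   # "-----BEGIN ..."
    der  = @(0x30); pfx = @(0x30); p12 = @(0x30)   # DER-encoded ASN.1 starts with SEQUENCE
}

function Get-ByteEntropy {
    # Shannon entropy in bits per byte. Ciphertext sits near 8.0, but so do JPEG and
    # ZIP-based files, so this is only used for types with no known signature.
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $Bytes.Length; $h -= $p * [Math]::Log($p, 2) }
    }
    return $h
}

function Read-Head {
    # First $Count bytes of a file, as a byte[] even when short.
    param([string]$Path, [int]$Count = 4096)
    $fs = [IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] $Count
        $n   = $fs.Read($buf, 0, $Count)
        if ($n -le 0) { return ,[byte[]]@() }
        return ,[byte[]]$buf[0..($n - 1)]
    } finally { $fs.Dispose() }
}

function Test-TargetedFile {
    param([string]$Path)
    $ext  = [IO.Path]::GetExtension($Path).TrimStart('.').ToLowerInvariant()
    $head = Read-Head -Path $Path
    $ent  = [Math]::Round((Get-ByteEntropy -Bytes $head), 2)
    $hdr  = 'unknown'
    if ($head.Length -eq 0) { $hdr = 'empty' }
    elseif ($Magic.ContainsKey($ext)) {
        $sig = $Magic[$ext]
        $hdr = 'ok'
        if ($head.Length -lt $sig.Length) { $hdr = 'bad' }
        else { for ($i = 0; $i -lt $sig.Length; $i++) { if ($head[$i] -ne $sig[$i]) { $hdr = 'bad'; break } } }
    }
    $verdict = switch ($hdr) {
        'bad'     { 'header mismatch: likely encrypted' }
        'ok'      { 'looks intact' }
        'empty'   { 'empty file' }
        'unknown' { if ($ent -gt 7.5) { 'high entropy: check by hand' } else { 'no signature, low entropy' } }
    }
    [PSCustomObject]@{ Verdict = $verdict; Entropy = $ent; Ext = $ext; Path = $Path }
}

$report = @(Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $Targeted -contains $_.Extension.TrimStart('.').ToLowerInvariant() } |
            ForEach-Object { $f = $_; try { Test-TargetedFile -Path $f.FullName } catch { Write-Warning "Unreadable: $($f.FullName)" } })
$flagged = @($report | Where-Object Verdict -ne 'looks intact')
$flagged | Sort-Object Verdict, Path | Format-Table Verdict, Entropy, Ext, Path -AutoSize
"{0} targeted files checked, {1} need attention" -f $report.Count, $flagged.Count
```

A "header mismatch" on an Office, JPEG or PDF-family file is strong evidence, because those formats never legitimately begin with other bytes; the entropy verdict on raw camera formats and the other untabled types is weaker and should be confirmed by opening the file. Either way the output is a list of what to restore from offline backup, not something to attempt to "repair" in place.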


Well, as I mentioned earlier, even mobile devices are slowly moving to 64-bit architectures and logically hackers will start developing more 64-bit exploits in order to keep up, and a 64-bit rootkit/bootkit would definitely be able to access the MBR.

 

Just look at CryptoLocker on the MBAM blog. So since .jpg is covered then naturally .gif, .png, .tif and other image formats would also be included & likely many other common/popular media formats as well.

 

Well thanks everyone for sharing your knowledge and taking the time to help inform me further about this type of malware. :)

Have a wonderful weekend and thanks again. :D

