New CryptoLocker Spreads Via Removable Drives

aztony

Level 9
Thread author
Verified
Oct 15, 2013
501
We recently came across a CryptoLocker variant that had one notable feature—it has propagation routines.

Analysis of the malware, detected as WORM_CRILOCK.A, shows that this malware can spread via removable drives. This update is considered significant because this routine was unheard of in other CRILOCK variants. The addition of propagation routines means that the malware can easily spread, unlike other known CRILOCK variants.

Aside from its propagation technique, the new malware bears numerous differences from known CryptoLocker variants. Rather than relying on a downloader malware—often UPATRE—to infect systems, this malware pretends to be an activator for various software such as Adobe Photoshop and Microsoft Office in peer-to-peer (P2P) file sharing sites. Uploading the malware in P2P sites allows bad guys to easily infect systems without the need to create (and send) spammed messages.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
I've tested this crap, USB spreading routine is nothing new, it just infects exe files, nothing else...
 

Plasmadragon

Level 1
May 26, 2014
11
> I've tested this crap, USB spreading routine is nothing new, it just infects exe files, nothing else...
So what you are saying is, don't use .exe files? Sweet... gotta get right on that. ;)

No seriously though, if it is spreading into removable drives, as well as with any propagational routine malware, is there any particular tried and true method of:

1) Locking any and all communication with removable media (media side protection) unless authorized by encryption keys and user verification using administrator privileges (hosting system side) FOR EACH INDIVIDUAL TRANSFER, NOT GENERAL UNLOCK.

2) Ensuring all existing files, ghost volumes, hidden or not, are ALWAYS shown on removable media? There isn't all that much space to hide files on with USB drives for instance, so they are typically just cloaked really well. Would like opinions on how to keep this hazard at bay.

3) Useful tools for removable media protection / whitelisting of only the approved PID auto initiating functions which detect and recognize removable media in the first place (host system side & media side).

Personally, I think a serious discussion on shielding both the host system and removable media from either side communicating with one another without the express permission of the user needs to be held. At the very least, I can with certainty say it would greatly interest me in learning more about.
 

Littlebits

Retired Staff
May 3, 2011
3,893
Just connecting an infected USB device to your system will not infect your system on modern Windows since the USB autorun feature is disabled unless you manually enabled it by registry tweaks. You are required to manually run the infected exe in order for it to infect your system. If you pay attention, scan all exe files with VirusTotal and utilize UAC prompts (never approve unknown processes) then the infected exe will not be able to infect your system. You don't need to do anything else to block USB infections.

Most users infect their own system by ignorantly running the infected exe file without checking it first, then ignore UAC prompts and click approve.

Just never manually run any exe files located on USB devices unless you know for sure it is safe and you will not have an infection.

Enjoy!! :D
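As an added defensive check that is not from any post in this thread (an assumed script, written for Windows PowerShell 5.1 or later), the following reads the AutoRun policy value Littlebits refers to (NoDriveTypeAutoRun under the Explorer policy keys, where 0xFF disables AutoRun for every drive type and bit 0x04 covers removable drives), then inventories the executables on every attached removable drive, hidden ones included, with a SHA-256 hash per file so each one can be checked against VirusTotal before anyone runs it:

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 5.1+.
# NoDriveTypeAutoRun is a bitmask indexed by drive type (1 shl DRIVE_REMOVABLE = 0x04);
# when the value is absent Windows applies its built-in default, so report that too.
function Get-AutoRunPolicy {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        [pscustomobject]@{
            Hive               = $p.Split(':')[0]
            NoDriveTypeAutoRun = if ($null -eq $v) { 'not set (Windows default)' } else { '0x{0:X2}' -f $v }
            RemovableDisabled  = ($null -ne $v) -and (($v -band 0x04) -ne 0)
        }
    }
}

# Removable drives are Win32_LogicalDisk entries with DriveType 2.
# -Force lists hidden/system files, which is where a worm would park its copies;
# the hash is what you paste into VirusTotal instead of double-clicking the file.
function Get-RemovableExecutables {
    $drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($d in $drives) {
        $root = Join-Path $d.DeviceID '\'
        # autorun.inf in the root is worth flagging even though modern Windows ignores it on USB.
        $hasAutorunInf = Test-Path (Join-Path $root 'autorun.inf')
        Get-ChildItem -Path $root -Recurse -Force -Include *.exe,*.scr,*.com -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Drive      = $d.DeviceID
                    AutorunInf = $hasAutorunInf
                    Path       = $_.FullName
                    Hidden     = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# Usage: run from an elevated prompt so HKLM policy and hidden files are readable.
Get-AutoRunPolicy | Format-Table -AutoSize
Get-RemovableExecutables | Format-Table -AutoSize
```

The inventory only reads and hashes; it never executes anything on the drive, which is the point of Littlebits' advice. A hidden executable with a hash VirusTotal has never seen is the case to treat with most suspicion, not the least.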
 

Plasmadragon

Level 1
May 26, 2014
11
Actually I'm not all that interested in the safety of the host system so much as the removable media to be honest. Host systems are connected to the internet for home users, which means that one day, some way, you are nearly guaranteed to catch something you don't want. However, removable media can be protected from the insecurities of being connected to the web, by simply not being connected to it. If one were to, say, regularly reinstall their OS using a 'pure' removable device often enough, worms, malware, spyware, most low level rootkits, all get wiped away. I would prefer the absolute assurance that every scrap of data ever transferred onto removable media is approved by a user. Not some algorithm. In truth, one could do such a thing with an isolated network as well, so the same could be said in extension to systems which are designed to never receive internet traffic but transfer sensitive data between a private network which is only connected when a user physically connects them.

Don't get me wrong, networking security is important, however to me the cold hard fact is that every single moment that we connect our devices into a global network, we are exposing that equipment to an environment which will never be secure. No matter how far into encryption we get, how deep security protocols run, how lovely the software... there will always be someone that can and will prove to the world they aren't safe.
 
