
Warning: CryptoWall is very dangerous !!!



NewsArchive
11-22-2015, 05:11 AM
On my end, I am always prepared for the worst. Today it happened.

I am writing to you from my Apple MacBook Pro. VMWare Fusion 8 is always
running up-to-date copies of virtual machines from my main development
machine (Dell Precision Workstation). The Dell machine is running Windows 7
Ultimate Edition and VMWare Workstation 12 with 22 VMs. All my "real" work
is done in VMs. The host is protected by Microsoft Windows Defender and
normally I do not even open Internet Explorer on this machine. But this
morning, I made a mistake (too much coffee or not enough) and checked a web
site from that host. And the damn web site infected my UAC-enabled and
Windows Defender protected host system with a brand new version of
CryptoWall. Ouch! The FBI is right, this thing is dangerous. It
immediately started to encrypt all my files on the host.

I shut down the system and ordered a new SSD from Amazon (same-day delivery,
should be here in 7 hours). So I'll have a busy weekend installing Windows
10 Enterprise and VMWare on my Dell Precision Workstation.

To the developers of CryptoWall, you can rot in hell and I really wouldn't
care.

And to my friends, "LOOP always always always END" have a current backup of
your data.

Friedrich

NewsArchive
11-22-2015, 05:13 AM
sorry to hear that Friedrich, happened to me 2 years ago

Dan

NewsArchive
11-22-2015, 05:14 AM
Mean people suck.

BTW - what host are you talking about? I use FF and I'm not impressed
at all with the new Edge (formerly known as IE).

--

Russ Eggen
RADFusion International, LLC

NewsArchive
11-22-2015, 05:14 AM
Hi Friedrich,

> site from that host. And the damn web site infected my UAC-enabled and
> Windows Defender protected host system with a brand new version of
> CryptoWall. Ouch! The FBI is right, this thing is dangerous. It
> immediately started to encrypt all my files on the host.
Nasty :-(

Using AVG here but even with that installed I never access the Web
directly.

I use SandboxIE http://www.sandboxie.com/ .
So all Web access changed files, downloaded bits and pieces etc etc
goes into the Sandbox and at the end of a session I simply terminate
all programs running in the Sandbox and delete all files.
If I notice _anything_ suspicious whilst browsing I terminate all
programs from the SandboxIE control window and then delete all files in
the sandbox.

It's called SandboxIE from I(nternet) E(xplorer) but you can set it to
work with Chrome, FireFox etc etc

Graham

NewsArchive
11-22-2015, 05:15 AM
Hi Friedrich,

> site from that host. And the damn web site infected my UAC-enabled and
> Windows Defender protected host system with a brand new version of
> CryptoWall. Ouch! The FBI is right, this thing is dangerous. It
> immediately started to encrypt all my files on the host.

Those things are nasty! My brother got one of those couple of years
ago. Lost several thousand photos.

> And to my friend, "LOOP always always always END" have a current backup of
> your data.

*AND make sure it can be restored!!!!! *

I have both image and file backups of all important files, as well as
having all code and related data (help files, website, whatever) in
version control, which is backed up in quadruplicates, local, online and
off site!

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
11-22-2015, 05:16 AM
Hi Friedrich -

Sorry that happened to you.

How could you have prevented this if it were possible to prevent?

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
11-22-2015, 05:17 AM
Interesting!

> Hi Friedrich,
>
> I use SandboxIE http://www.sandboxie.com/ .
> So all Web access changed files, downloaded bits and pieces etc etc goes
> into the Sandbox and at the end of a session I simply terminate all
> programs running in the Sandbox and delete all files.
> If I notice _anything_ suspicious whilst browsing I terminate all
> programs from the SandboxIE control window and then delete all files in
> the sandbox.
>
> It's called SandboxIE from I(nternet) E(xplorer) but you can set it to
> work with Chrome, FireFox etc etc
>
> Graham

--

Russ Eggen
RADFusion International, LLC

NewsArchive
11-22-2015, 05:17 AM
> How could you have prevented this if it were possible to prevent?

I'd like to understand this better too.

>> morning, I made a mistake (too much coffee or not enough) and checked a web
>> site from that host. And the damn web site infected my UAC-enabled and

Stupidly, I was wondering "what site"?

Thanks for not posting a link :)

Simon Kemp

NewsArchive
11-22-2015, 05:19 AM
I wonder if this could also infect the BIOS or UEFI in such a way that
replacing the hard disk is not enough. Kinda like this:

http://www.pcworld.com/article/2948092/security/hacking-teams-malware-uses-uefi-rootkit-to-survive-os-reinstalls.html

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
11-22-2015, 05:19 AM
I'm so naive about this stuff. So despite the fact you're running virus
protection (Friedrich mentioned WD) your machine can go tits-up if you
touch the wrong site?

I seem to have got lucky for years...

Simon Kemp

NewsArchive
11-22-2015, 05:20 AM
From what I understand, Simon, Windows Defender on Windows 7 is only
anti-spyware, not antivirus.
https://en.wikipedia.org/wiki/Windows_Defender#Conversion_to_antivirus

I've seen Friedrich say he uses ESET as an antivirus on his working virtual
machines. No idea whether that would have blocked the contaminated website.

jf

NewsArchive
11-22-2015, 05:21 AM
That soooo totally sucks, Friedrich !!! :-(

So wonderful that you're so good about backups and keeping your real work in
VMs!

Leads me to think of the moral/political divide in this country - between
those who think that bad people are merely "there but for fortune go you and
I" and those who think that some people are genuinely evil.

Hope you can take a walk and smell the flowers whilst waiting for the new
SSD to arrive.

Jane

NewsArchive
11-22-2015, 05:21 AM
Hi Jane,

> That soooo totally sucks, Friedrich !!! :-(
>
> So wonderful that you're so good about backups and keeping your real
> work in VMs!

VMs fail too and are just as vulnerable. I do image backups of my VMs
as well as file backups/version control. I don't use VMs very much any
more except for work I need to do in C6 and for testing.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
11-22-2015, 05:22 AM
From what I understand from articles like this one, network drives can
be affected too.
https://community.spiceworks.com/topic/627159-our-cryptowall-2-0-experience?page=2

So, if that is true and all of the VMs and hosts are on a local network,
it could really cause a lot of damage.

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.
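Jeff's point that a mapped network drive is reachable from an infected machine is what makes a shared folder worth watching rather than just backing up. The following is an added example, not code from the thread or from any of the posters, showing a simple defender-side check: walk a share, flag documents whose contents have turned into near-random bytes (the signature of a file encrypted in place), and raise an alert only when several such files appear at once. The 7.5-bit threshold, the list of compressed formats skipped by extension, and the sample tree are assumptions and constructions; a real deployment would also check magic bytes, since compressed formats are high-entropy by design and are only excluded here by suffix.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed threshold: plain documents usually sit around 4-6 bits per byte,
# ciphertext and random data approach the 8-bit maximum.
HIGH_ENTROPY_BITS = 7.5
# Formats that are high-entropy by design (already compressed); skipped to
# avoid false positives. Assumed list, matched by suffix only.
COMPRESSED_SUFFIXES = {".zip", ".7z", ".gz", ".jpg", ".jpeg", ".png", ".mp4"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_size: int = 64 * 1024) -> bool:
    """True if the file's leading bytes look like ciphertext."""
    if path.suffix.lower() in COMPRESSED_SUFFIXES:
        return False
    with path.open("rb") as f:
        head = f.read(sample_size)
    # Very small files give noisy entropy estimates, so ignore them.
    return len(head) >= 256 and shannon_entropy(head) >= HIGH_ENTROPY_BITS


def scan_share(root, min_hits: int = 3):
    """Walk a share; return (flagged relative paths, alert flag).

    One high-entropy file is normal; many of them appearing in a document
    tree is the pattern worth paging someone about.
    """
    root = Path(root)
    flagged = sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and looks_encrypted(p)
    )
    return flagged, len(flagged) >= min_hits


def build_sample_share() -> Path:
    """Constructed sample tree: normal documents, one legitimately
    high-entropy photo, and four files whose contents were replaced by
    random bytes to stand in for encrypted documents."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    (root / "docs").mkdir()
    for i in range(3):
        (root / "docs" / f"report{i}.txt").write_text(
            "Quarterly notes for the SetupBuilder release.\n" * 40)
    (root / "photo.jpg").write_bytes(os.urandom(4096))
    for i in range(4):
        (root / "docs" / f"invoice{i}.doc").write_bytes(os.urandom(4096))
    return root


if __name__ == "__main__":
    share = build_sample_share()
    flagged, alert = scan_share(share)
    print("flagged:", flagged, "alert:", alert)
```

Run against the constructed tree it flags the four random-content `.doc` files, ignores the photo, and sets the alert because the count reaches `min_hits`. Scheduled over a real share, the useful signal is the change in the count between runs, not any single file.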

NewsArchive
11-22-2015, 05:22 AM
Absolutely.

At the work environment I described, they've configured group policy so that
users are very limited in what can be launched from a web browser. Most
can't even join a webex without an administrator's help. Sucks, but was
necessary after several users got crypto-ed. Fortunately, with their
limited credentials the infection wasn't able to spread.

Jane Fleming

NewsArchive
11-22-2015, 05:23 AM
To each his own, Arnor.

I do all my work in VMs.

The health center where I work also has all its servers (including the 600
GB SQL database) running on VMs. And for that matter, almost all of its
discrete workstations. And the Citrix servers that push out VDI to our 700
employees.

Makes resource allocation and disaster recovery enormously easier.

Jane

NewsArchive
11-22-2015, 05:24 AM
Jane,

>I do all my work in VMs.

I have installed VirtualBox on a 2.5 GHz Quadcore and everything in there feels
so sticky and viscouuuuuuus, so I really wonder why so many of the colleagues
are working in virtual machines.


Is that stickiness the price for maximum versatility or is it just a matter of
sheer power?


Wolfgang

Regards,
Wolfgang Orth
www.odata.de

NewsArchive
11-22-2015, 05:24 AM
This is scary as hell. I visited an infected website (searched for
SetupBuilder on "warez" sites), I did not click any button. Problem was
that I did not notice I was on my Win7 host, thought I was in my Windows 7
"warez" virtual machine. BANG. Major damage. BTW, I tried it again from a
VM on my MacBook and ESET32 detected and killed CryptoWall immediately.
I'll post more information tomorrow. The new SSD arrived and I have to
install the host machine, then install VMWare and copy the VMs back.

Friedrich

NewsArchive
11-22-2015, 05:26 AM
Hi Jeff,

> From what I understand from articles like this one, network drives can
> be affected too.

I just know those things are nasty! My brother had something like this
lock his drive and then they wanted $500 to "fix" it. He told them to
f... off, except he wasn't quite that polite<g>

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
11-22-2015, 10:24 AM
> I have installed VirtualBox on a 2.5 GHz Quadcore and everything in there feels
> so sticky and viscouuuuuuus, so I really wonder why so many of the colleagues
> are working in virtual machines.
>
>
> Is that stickiness the price for maximum versatility or is it just a matter of
> sheer power?

Hi Wolfgang,

I run Virtualbox on an AMD 6 core with WD Black hard drives. The BIOS does
support hardware virtualization.

Performance in any of my VM's is just as fast as it is on the host.

I'd never dream of working outside a VM again!

It is the single most productive thing I have done in years (THANKS
FRIEDRICH - for getting me into it!).


:-)

Charles



--
-------------------------------------------------------------------------------------------------------
Charles Edmonds

cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.clarionproseries.com - ProScan, ProImage, ProPath and other Clarion
developer tools!
www.solidsoftware.com - ImageEx and RichReport templates!
www.seal-soft.com - The xProduct Clarion templates - xWordCOM, xToolTip,
xDataBackup Manager and more!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

NewsArchive
11-22-2015, 10:25 AM
The host matters. I run Virtualbox VMs with a Linux host. The windows VM
feels so close to a native one I really don't see any difference.
Having said that - running a program off a shared folder can be
significantly slower than the VM drive.

I have and AMD 8 core 3.6GHz 8GB RAM and I've had 5 VMs running at once
in a little virtual network for testing purposes (Win2000 server + 4 XP
stations) and it all ran fine.


Sean H

NewsArchive
11-23-2015, 03:10 AM
I use VMWare, am not personally familiar with VirtualBox.

But two things, Wolfgang,

One is to be sure that your BIOS is set up to enable hardware
virtualization. (So the hypervisor runs in "ring minus one", not in "ring
zero".)
Second is that I do development work on drives that the VM sees as local,
not as network shares on the host or elsewhere.

And a fast hard drive on the host (I'm using SSD) helps a lot.

I give 2 "processors" and 8GB to my development VMs. Generate and compile
is very fast.

jf

NewsArchive
11-23-2015, 03:11 AM
>One is to be sure that your BIOS is set up to enable hardware
>virtualization. (So the hypervisor runs in "ring minus one", not in "ring
>zero".)

ahhh, okay!

Not sure what is on mine, will have a look


>Second is that I do development work on drives that the VM sees as local,
>not as network shares on the host or elsewhere.

hmmmm, okay.

I think all drives are local to the virtual machine. I rarely use a network
share for something different rather than copying files between machines.

>And a fast hard drive on the host (I'm using SSD) helps a lot.

The next machine will likely have a SSD too.

>I give 2 "processors" and 8GB to my development VMs. Generate and compile
>is very fast.

yeah, sheer power isn't bad at all.

Thanks for pointing to the BIOS,
Wolfgang

Regards,
Wolfgang Orth
www.odata.de

NewsArchive
11-23-2015, 03:12 AM
Hi Wolfgang,

> I have installed VirtualBox on a 2.5 GHz Quadcore and everything in there feels
> so sticky and viscouuuuuuus, so I really wonder why so many of the colleagues
> are working in virtual machines.
>
> Is that stickiness the price for maximum versatility or is it just a matter of
> sheer power?

Don't know. My experience is that I lose about 10% of power in a VM
compared to the host. Not worth it for me if I don't have to. I do all
of my product development in a VM (Windows 7 32) as I still work in C6,
but most of my client work is out of VMs as it's moved out of C6.

I run an i7 quadcore with HT, un-clocked, that normally runs around 4GHz
with 32GB RAM. I run the VMs on SATA-III drives and they are pretty
fast. I'm paranoid about backups<g>

I started VM on i5 3.xGHz with 16GB back in Vista and I have always
experienced noticeable slowdown in a VM compared to the host. I'd hate
to run Photoshop or Lightroom in a VM.

Best regards,

--
Arnor Baldvinsson - Icetips Alta LLC

NewsArchive
11-23-2015, 03:13 AM
Hi Jane,

> To each his own, Arnor.
>
> I do all my work in VMs.

Sure:) I'm just saying that VMs can fail too. I've had that happen and
that was before I had image backups of the VMs and I'm not sure if it
would have helped. Something went belly up with the drive in the VM
machine. Restoring the VM files from backup did not help. Had to
rebuild it. Fortunately I had file backups of all the important files
so it was easy to get going again.

Best regards,

--
Arnor Baldvinsson - Icetips Alta LLC

NewsArchive
11-23-2015, 03:14 AM
Arnor,

My primary development is on a 3 year-old sager laptop with i7 and 32 GB.
Last summer, its power switch broke. I had to ship it back to Momma for
repairs.

So nice during the week it was gone that I could just mount my VMs on
another machine I have and keep working without losing a beat.

Jane

NewsArchive
11-23-2015, 03:14 AM
My VMWare "host server" is back (running Windows 10 Enterprise Version 1511
now). More information tomorrow! I need a break <g>.

Friedrich

NewsArchive
11-23-2015, 03:14 AM
Take the rest of the day off, Friedrich!

Jane Fleming

NewsArchive
11-23-2015, 11:12 AM
>
> sorry to hear that Friedrich, happened to me 2 years ago
>

Thank you, Dan. This is a very dangerous and criminal Trojan :-(

Friedrich

NewsArchive
11-23-2015, 11:12 AM
Hi Russ,

> Mean people suck.
>
> BTW - what host are you talking about? I use FF and I'm not impressed at
> all with the new Edge (formerly known as IE).

The host server was Windows 7 and I have used Internet Explorer to visit the
"warez" site. I have updated the "host" to Windows 10 Enterprise Edition
Version 1511 now. Today I tried the same (from my Windows 7 VM) and Windows
Defender detected the Trojan.

Friedrich

NewsArchive
11-23-2015, 11:17 AM
Hi Graham,

> Nasty :-(
>
> Using AVG here but even with that installed I never access the Web
> directly.
>
> I use SandboxIE http://www.sandboxie.com/ .
> So all Web access changed files, downloaded bits and pieces etc etc goes
> into the Sandbox and at the end of a session I simply terminate all
> programs running in the Sandbox and delete all files.
> If I notice _anything_ suspicious whilst browsing I terminate all programs
> from the SandboxIE control window and then delete all files in the
> sandbox.
>
> It's called SandboxIE from I(nternet) E(xplorer) but you can set it to
> work with Chrome, FireFox etc etc

I have used Sandboxie some years ago and never had any problems with it.

But today, I normally access the Web through an ESET NOD32 protected virtual
machine. Except on last Saturday morning <g>.

Friedrich

NewsArchive
11-23-2015, 11:18 AM
Arnor,

>> And to my friend, "LOOP always always always END" have a current backup
>> of your data.
>
> *AND make sure it can be restored!!!!! *

I agree 100% <g>

Friedrich

NewsArchive
11-23-2015, 11:19 AM
Hi Jeff,

> Sorry that happened to you.
>
> How could you have prevented this if it were possible to prevent?

Thank you!

My virtual machine with ESET NOD32 detected it immediately. In this
specific case it was a typical OSI "Layer 8" issue where the user (me)
caused the problem <g>. On Saturday morning, I checked some "warez" sites
for SetupBuilder and did not notice that I was doing this from the host
server -- I thought I was using a (nonpersistent enabled) Windows 7 VM.
Windows Defender did not detect it. On a Windows 10 VM today, the built-in
security feature detected it.

But this thing is a very scary virus/trojan.

Friedrich

NewsArchive
11-23-2015, 11:20 AM
Hi Simon,

> Stupidly, I was wondering "what site"?
>
> Thanks for not posting a link :)

It was one of the various "warez" sites :)

Friedrich

NewsArchive
11-23-2015, 11:21 AM
Hi Jane,

> From what I understand, Simon, Windows Defender on Windows 7 is only
> anti-spyware, not antivirus.
> https://en.wikipedia.org/wiki/Windows_Defender#Conversion_to_antivirus
>
> I've seen Friedrich say he uses ESET as an antivirus on his working
> virtual machines. No idea whether that would have blocked the
> contaminated website.

I think you are right. With Windows 8, Microsoft smartened up and decided
to expand its functionality to include virus detection and removal. In
Windows 7 (SP1?) it is AntiSpyware.

The built-in security solution in Windows 10 detected it immediately.

Friedrich

NewsArchive
11-23-2015, 11:22 AM
Hi Jane,

> That soooo totally sucks, Friedrich !!! :-(
>
> So wonderful that you're so good about backups and keeping your real work
> in VMs!
>
> Leads me to think of the moral/political divide in this country - between
> those who think that bad people are merely "there but for fortune go you
> and I" and those who think that some people are genuinely evil.
>
> Hope you can take a walk and smell the flowers whilst waiting for the new
> SSD to arrive.

Murphy's Law hit me. I decided to install Windows 10 Enterprise Edition as
my "host server" software but found out that Microsoft decided to disable my
MSDN last Friday (the day before "it" happened). Microsoft Customer Care
(the guys do not care at all) are still working on it.

Amazon was amazing. They delivered the new SSD within six hours.

Friedrich

NewsArchive
11-23-2015, 11:23 AM
Update: why "CryptoWall" didn't bring me down.

This is my computer environment: my main development machine is a Dell
Precision M6600 Mobile Workstation. 32GB RAM with internal Samsung SSD 850
1TB and SanDisk SSD Extreme Pro 960GB drives. Then one external Transcend
SSD370 512GB drive for fast backups and seven external non-SSD drives
(Western Digital and Seagate) for "rotating-backups".

The Dell M6600 *was* powered by Windows 7 Ultimate x64. Only two 3rd-party
programs were running on the "host server": Intel Rapid Storage Technology
and VMWare Workstation 12. No 3rd-party anti-virus, no nothing. This Dell
machine is rock solid, military grade, with excellent performance.

I have three VM's for software development and 18 VM's for software testing
purposes. My development VM's have three virtual disk drives. Virtual
drive "C" is always the Operating System drive (with no "data" files on it;
just the system stuff). Virtual drives "E" and "F" are my data file drives.

Performance in any of the VM's is just as fast as it is on the host server.
One "Corpdata" folder on the server host is "shared" and all VM's have a
mapped drive "Z" to the host. But the host has no write access to the VM's!

My Security Rule #1 is to NEVER do anything on the host server. NEVER! Do
not surf the Internet, do not install software, do nothing! The host server
is the underlying hardware that provides computing resources to support
virtual machines (guest VM's).

On Saturday morning, I accidentally broke my Security Rule #1. I checked
some "warez" sites for SetupBuilder and did not notice (too much coffee or
not enough) that I was doing this from the host server -- I thought I was
using a (nonpersistent enabled) Windows 7 VM. One web site infected my
UAC-enabled and Windows Defender protected host system with a brand new
version of "CryptoWall". The FBI has issued a warning to all U.S. companies.
Cryptowall is a Trojan horse that encrypts files on the compromised
computer. It then asks the user to pay to have the files decrypted.
Because I am using hyper-fast SSDs, encryption was very fast. I shut down
the system and ordered a new Samsung SSD from Amazon (with same-day delivery
on a Saturday).

Because the host server was dead and history, I decided to rebuild the
system with the latest Windows 10 Enterprise Edition Version 1511. Hmmm,
but my Dell is more than 3 years old. What about drivers? To cut a long
story short, it took some time (36 hours) to find the required software but
I am now running Windows 10 with up-to-date drivers on my Dell "March 2012"
computer. That is amazing.

To 'breathe life' back into my development machine, I did the following:

1. Create a bootable Windows 10 USB stick, install Windows 10 and drivers
(20 minutes)

2. Install VMWare Workstation 12 (1 minute)

3. Restore all 21 VMs (10 minutes)

That's it <g>

BTW, I was never "out-of-business" because I have a second backup
development machine. An Apple MacBook Pro Retina (16GB RAM / 1TB 4-channel
PCIe SSD) running VMWare Fusion 8. I can copy the VMWare Workstation
virtual drives to the Apple MacBook Pro (takes 2 minutes) and I am back.
This is brilliant.

Virtual Machines are the best thing since sliced bread.

Friedrich
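
Arnor's "make sure it can be restored" and Friedrich's three-step rebuild above both rest on the restored files being exactly what was backed up. The following is an added example, not code from the thread or from any of the posters, showing one way to check that: take a SHA-256 manifest of the data drive at backup time, keep it with the off-site set, and after a restore compare every file against it. The drive letter, file names and the two kinds of damage in the drill are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large VM images don't load into RAM."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each file under `root` (relative POSIX path) to its SHA-256.

    Take this at backup time and store a copy with the off-site set: a
    manifest sitting next to the live data gets encrypted along with it.
    """
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    restored_root = Path(restored_root)
    report = {"ok": [], "missing": [], "mismatched": []}
    for rel, digest in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_of(target) != digest:
            report["mismatched"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def restore_is_trustworthy(report: dict) -> bool:
    return not report["missing"] and not report["mismatched"]


def demo() -> dict:
    """Constructed drill: back up a small 'data drive', damage the restored
    copy in two ways, and see whether the check catches both."""
    work = Path(tempfile.mkdtemp(prefix="restore-drill-"))
    try:
        src = work / "E"                      # stands in for a data drive
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "a.txt").write_text("release notes\n")
        (src / "docs" / "b.txt").write_text("build script\n")
        (src / "c.txt").write_text("licence keys\n")
        manifest = build_manifest(src)        # taken at backup time

        restored = work / "restored"
        shutil.copytree(src, restored)
        # Damage: one file silently altered, one never came back.
        (restored / "docs" / "b.txt").write_text("build script (corrupted)\n")
        (restored / "c.txt").unlink()
        return verify_restore(manifest, restored)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    r = demo()
    print(r, "trustworthy:", restore_is_trustworthy(r))
```

The drill reports `docs/a.txt` as ok, `docs/b.txt` as mismatched and `c.txt` as missing, so the restore is rejected. Run the same check against each rotating drive on a schedule rather than only after an incident; a backup that has never been verified is the one Arnor is warning about.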

NewsArchive
11-24-2015, 02:39 AM
Sliced bread is overrated ;-)

Jane Fleming

NewsArchive
11-24-2015, 02:40 AM
http://www.gettyimages.com/detail/photo/girl-holding-traditional-braided-challah-high-res-stock-photography/90200111

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
11-24-2015, 02:41 AM
> Sliced bread is overrated ;-)

<BG> ;-)

Friedrich

NewsArchive
11-25-2015, 07:27 AM
Your machines are SF for me.

Cikic Nenad