Stagefright Exploit Awareness: What You Need to Know


Do you think sending and receiving video by text message is risk free? Believe it or not, a text message can now carry an attack as easily as an email attachment can carry a computer virus. A set of vulnerabilities nicknamed Stagefright can be triggered by a specially crafted video delivered over MMS. The flaws live in libStageFright, the media-processing library built into every Android device, and a successful exploit gives the attacker code execution on the phone, which can then be used to steal information. Android Central states, “the gist is that a video sent via MMS (text message) could be theoretically used as an avenue of attack through the libStageFright mechanism (thus the “Stagefright” name), which helps Android process video files. Many text messaging apps — Google’s Hangouts app was specifically mentioned — automatically process that video so it’s ready for viewing as soon as you open the message, and so the attack theoretically could happen without you even knowing it.”

Because the bug is in a library that every device ships, a large share of Android devices are vulnerable. There is, however, a partial defense on roughly 95 percent of devices, those running Android 4.0 or higher: Address Space Layout Randomization (ASLR). ASLR places a program's code and data at different memory addresses each time it runs, so an exploit cannot rely on knowing in advance where anything is. It makes exploitation harder, not impossible, so it is not a fix; the fix is a patched libStageFright.

Some good news is that the flaws were found and reported by security researchers rather than discovered in the wild, so at the time of writing there were no reports of widespread exploitation. Device makers such as HTC, Motorola, and Google are working to release patches and updates. In the meantime, a few free detector apps on Google Play will tell you whether your device is vulnerable; you can install the Stagefright Detector App here. A further precaution is to turn off automatic retrieval of MMS messages in your messaging app, so that a video is not processed until you choose to open it.

If you have any questions about this or other vulnerabilities, give Everon a call at 888-244-1748. We’re happy to help!

Datto vs Cryptolocker


A few months ago, I wrote about my love for Datto (found here), but it was never more apparent than when I had to go up against the dreaded Cryptolocker virus – head to head.

Cryptolocker has become one of the most notorious pieces of malware our generation has seen. It gets into a network through various means (in the cases we see, usually a Java exploit) and immediately searches out network shares. It encrypts the files it finds and holds them for ransom until you pay a VERY hefty fee for the key. The encryption itself is strong, so the files cannot be recovered without that key, and the malware is revised constantly to stay ahead of antivirus signatures.

Most recently, I dealt with a case of this malware at a client who was exposed through a Java exploit. Although our antivirus (Webroot SecureAnywhere) picked up the malware and quarantined it, Cryptolocker had already found the shares and gone to work. The client’s main share was encrypted, with over 34,000 files affected. This could have become a nightmare, but because we had dealt with it before and had a Datto in place, we sprang into action!

The first step was to assess the damage and find the machine that introduced the infection. We went to our Webroot SecureAnywhere console and found the machine that was reporting the detection. We immediately pulled it from the network and left it unplugged. We always wipe host machines as a precaution. In most instances a scan with Webroot or Malwarebytes will remove the malware, but because the Cryptolocker authors change it so frequently, we don’t take chances. Cryptolocker is easy to remove from a machine; it leaves nothing elaborate behind on the host. Its devastation is in the encrypted files.

Once the host machine was found, we disabled the affected share and began full scans of ALL machines on the network. We wanted to make sure no other machine was infected, and taking the share offline stops any further encryption. With the share disconnected, we went through it and gathered up every file carrying the Cryptolocker extension. Because the extension changes regularly, you need to identify what is being used in your case. In this instance it was .trslcla (they keep making the extensions weirder and weirder). Once we had identified all of the encrypted files in the share, we mounted our Datto restore point, ready to move the appropriate files back over.

Because the encrypted files were scattered across the share, over 34,000 of them, we used another product (one of my all-time favorites) called SyncBack, made by 2BrightSparks. We installed it on the server and pointed the source at the Datto restore point and the destination at the share. SyncBack compares two directories, shows you the differences, and can do whatever is needed to reconcile them. We deleted all of the encrypted files and then asked SyncBack which files the restore point had that the share was now missing. It listed them (the count was only about 18 files off our original estimate), and we restored them to the share.
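The same procedure as a script, added here as an illustration and not the post's own tooling: SyncBack and the mounted Datto restore point are stood in for by two ordinary directories, and the encrypted files are moved to a quarantine folder rather than deleted, so a wrong guess about the extension costs nothing. The directory names, the `recover_share` function and the sample files are all constructed for this example; one sample file was created after the snapshot, to show what the comparison cannot recover.

```python
"""Added example (not the post's own tooling): the recovery procedure from the
post as a script. share is the live file share, backup the mounted restore
point, ransom_ext the extension the ransomware appended (.trslcla in the
post). Encrypted files go to a quarantine folder rather than being deleted."""
import shutil
import tempfile
from pathlib import Path


def find_encrypted(share: Path, ransom_ext: str) -> list:
    """Every file in the share carrying the ransom extension."""
    return sorted(p for p in share.rglob("*") if p.is_file() and p.suffix == ransom_ext)


def original_name(encrypted: Path, ransom_ext: str) -> Path:
    """Strip the ransom extension: finance/budget.xlsx.trslcla -> finance/budget.xlsx."""
    return encrypted.with_name(encrypted.name[: -len(ransom_ext)])


def quarantine_encrypted(share: Path, ransom_ext: str, quarantine: Path) -> list:
    """Move encrypted files out of the share, keeping their relative paths.
    Returns the relative paths moved. The quarantine folder must sit outside
    the share, or the walk would pick the files up again."""
    moved = []
    for p in find_encrypted(share, ransom_ext):
        rel = p.relative_to(share)
        dest = quarantine / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(p), str(dest))
        moved.append(rel)
    return moved


def missing_from_share(share: Path, backup: Path) -> list:
    """The comparison the post did with SyncBack: files the restore point has
    that the share no longer has, as relative paths."""
    backed_up = {p.relative_to(backup) for p in backup.rglob("*") if p.is_file()}
    present = {p.relative_to(share) for p in share.rglob("*") if p.is_file()}
    return sorted(backed_up - present)


def restore_missing(share: Path, backup: Path) -> list:
    """Copy each missing file from the restore point back into the share."""
    restored = []
    for rel in missing_from_share(share, backup):
        dest = share / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, dest)
        restored.append(rel)
    return restored


def recover_share(share: Path, backup: Path, ransom_ext: str, quarantine: Path) -> dict:
    """Run the whole procedure and return figures for the incident report.
    'unrecovered' lists originals the ransomware renamed that the restore point
    does not hold (files newer than the snapshot); those need another restore
    point or a manual hunt."""
    moved = quarantine_encrypted(share, ransom_ext, quarantine)
    restored = restore_missing(share, backup)
    unrecovered = {original_name(m, ransom_ext) for m in moved} - set(restored)
    return {
        "quarantined": len(moved),
        "restored": len(restored),
        "unrecovered": sorted(p.as_posix() for p in unrecovered),
    }


def build_demo(root: Path) -> tuple:
    """Constructed test data: a restore point taken before the infection, and a
    share where three files were encrypted, one of them newer than the snapshot."""
    share, backup, quarantine = root / "share", root / "datto_restore", root / "quarantine"
    snapshot = {"finance/budget.xlsx": b"orig budget",
                "finance/notes.txt": b"orig notes",
                "hr/handbook.docx": b"orig handbook"}
    for rel, body in snapshot.items():
        (backup / rel).parent.mkdir(parents=True, exist_ok=True)
        (backup / rel).write_bytes(body)
    live = {"finance/budget.xlsx.trslcla": b"\x00junk",
            "finance/notes.txt": b"orig notes",
            "finance/new_deal.pptx.trslcla": b"\x00junk",  # created after the snapshot
            "hr/handbook.docx.trslcla": b"\x00junk"}
    for rel, body in live.items():
        (share / rel).parent.mkdir(parents=True, exist_ok=True)
        (share / rel).write_bytes(body)
    return share, backup, quarantine


def run_demo() -> dict:
    """Exercise the procedure on the constructed data and return the report,
    plus the restored budget file's bytes so the restore can be checked."""
    with tempfile.TemporaryDirectory() as d:
        share, backup, quarantine = build_demo(Path(d))
        report = recover_share(share, backup, ".trslcla", quarantine)
        report["budget"] = (share / "finance/budget.xlsx").read_bytes()
        report["still_encrypted"] = len(find_encrypted(share, ".trslcla"))
        return report


if __name__ == "__main__":
    print(run_demo())
```

Run it against a real share only after the share has been taken offline and the host machine removed, as the post describes; otherwise the ransomware will re-encrypt what you restore.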

Because Datto makes restore points so easy to mount, pointing SyncBack at the restore directory and comparing was quick and simple. We had the client up and running about 3 hours after the infection was identified, and they hardly missed a day’s work. This is a shining example of why I will always support the Datto product. It allowed us to take what could have been an absolute disaster and turn it into a huge win.

There is certainly no shortage of Cryptolocker posts on this blog. See here, here, and here for more information on Cryptolocker. As always, if you find suspicious files on your computer, give Everon a call at 888-244-1748 or email us at help@everonit.com. We’re here for you.

True Story: Rescue From a Zero Day Virus


DoD photo by Shane Hollar, U.S. Navy. (Released)

A zero-day virus is a brand-new piece of malware that has just been released into the wild and for which there is not yet any public information or antivirus signature. This is the story of how our team encountered and identified a new Cryptolocker variant, then raced the clock to stop its spread and prevent data loss.

Last week a client called in saying that their server was filling up with files with the extension .ECC. It was an extension we had never seen before, which immediately flagged a potential threat.

According to our research, .ECC files are associated with dvdisaster, an optical-disc error-correction tool written by Carsten Gnörlich. That didn’t make any sense; we doubted our client was using that application, and even if they were, why would it be creating .ECC files on their file server? We couldn’t figure it out.

Unless…!

Suddenly we realized we were dealing with malware. We scanned their file server with our antivirus and anti-malware tools, but they came up empty. What gives?

Still playing on our hunch, we copied one of the .ECC files into our isolated test environment and carefully opened it up.

And there it was: a variant of Cryptolocker, in all of its terrible glory.

Our client’s network was infected.

We scoured the Internet but couldn’t find anyone, anywhere, who had seen this Cryptolocker variant. Not only were we dealing with a vicious form of ransomware, we realized, but with a zero-day: there was no antivirus signature for it yet, because it was brand-new.

Our team has extensive experience with Cryptolocker, so we had a baseline for how this variant would likely behave. Cryptolocker first encrypts files on the infected user’s own hard drive and then goes after mapped network drives. We immediately began looking for the host machine.
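A first-pass triage of the share, added here as an illustration (not the tooling the post's team used): it walks the tree, ignores a baseline of extensions that belong on the share, and for each unexpected extension such as .ECC reports how many files were hit, in which top-level folders, and the earliest and latest modification times. That time window bounds when the encryption ran, which is the first clue to which machine and user were the host. The baseline set, the `triage` function and the sample files with their timestamps are constructed for this example.

```python
"""Added example (not from the post): first-pass triage of a file share when
an unfamiliar extension appears. Reports, per unexpected extension, the file
count, the top-level folders hit, and the modification-time window."""
import os
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

# Extensions that normally live on this share (assumed for the example).
BASELINE = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg"}


def triage(root: Path, baseline: set = BASELINE) -> dict:
    """Map each unexpected extension to its count, folders hit, and mtime window.
    Extensions are lowercased, so .ECC and .ecc are counted together."""
    counts = Counter()
    folders = defaultdict(Counter)
    first = {}
    last = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        ext = p.suffix.lower()
        if not ext or ext in baseline:
            continue
        mtime = int(p.stat().st_mtime)
        top = p.relative_to(root).parts[0]  # top-level folder (or the file itself, if at root)
        counts[ext] += 1
        folders[ext][top] += 1
        first[ext] = min(first.get(ext, mtime), mtime)
        last[ext] = max(last.get(ext, mtime), mtime)
    return {
        ext: {
            "count": counts[ext],
            "folders": dict(folders[ext].most_common()),
            "first_mtime": first[ext],
            "last_mtime": last[ext],
            "window_seconds": last[ext] - first[ext],
        }
        for ext in counts
    }


def build_demo(root: Path) -> Path:
    """Constructed share: three .ECC files written over ten minutes, plus two
    untouched files from earlier. Timestamps are set explicitly with os.utime."""
    t0 = 1_700_000_000  # constructed epoch time
    files = {
        "finance/budget.xlsx.ECC": t0,
        "finance/forecast.xlsx.ECC": t0 + 300,
        "hr/handbook.docx.ECC": t0 + 600,
        "hr/policy.pdf": t0 - 86_400,
        "finance/readme.txt": t0 - 3_600,
    }
    for rel, mtime in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x")
        os.utime(p, (mtime, mtime))
    return root


def run_demo() -> dict:
    """Run the triage over the constructed share and return its report."""
    with tempfile.TemporaryDirectory() as d:
        return triage(build_demo(Path(d)))


if __name__ == "__main__":
    for ext, info in run_demo().items():
        print(ext, info)
```

On a real share the earliest modification time, together with the owner recorded on those files, is what narrows the search for the host machine; the window also tells you how far back a restore point has to reach.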

A host machine is the machine that introduced the virus into the network.

Once you locate the culprit, you can choose to remove Cryptolocker from the infected machine with your AV or anti-malware tools. In this case, as a precaution, we packed up the machine and wiped the hard drive completely. Cryptolocker encrypts files in place and can leave its own components tucked away on the drive. Because this was a zero-day infection, we could not be sure this variant had not left malicious files on the server, or anywhere else.

With past versions of Cryptolocker, once you had found and cleaned the host machine you could simply delete the encrypted files. (They are useless without the encryption key, and the files themselves are not malicious.) But since we weren’t sure about this variant, we used our Microsoft partner account to reach out to the WOLF team.

WOLF is the team at Microsoft dedicated to security, vulnerabilities, and virus/malware removal. They are essentially the software world’s version of the Navy SEALs. They are fantastic. We called them up, and, like a true black-ops team, they jumped in with their custom-built tool and scanned the server and the network for any traces of the malware left behind.

The WOLF team determined that the .ECC files were merely encrypted data and that no further infection existed. They were also able to determine how the malware got into the network and which vulnerabilities it used.

We patched machines to keep them secure, and we also recommended that users do the following:

  1. Make sure your antivirus is up to date and actually scanning.
  2. Run a complementary anti-malware scanner alongside the antivirus. (We recommended Malwarebytes Pro.)
  3. Install Adblock Plus in every Internet browser. Blocking ads also blocks a common delivery route for malware, since compromised ad networks are used to push exploit kits to browsers. For information on Adblock Plus for Chrome, click here.

Good, current backups, prompt patching of Windows and third-party applications, and the steps above will go a long way toward keeping any company safe online without restricting where employees can go.

For more information about Cryptolocker, or any security issues, feel free to call our engineers at Everon at 1-888-244-1748.

 

Can my phone get a virus? Should I use an antivirus on my Android device?


Hello to everyone reading this, and welcome to another “brain dump” of Tony! :) Today we are going to talk about viruses, malware, and Android devices — how they play together, and my thoughts on antivirus/anti-malware software. This is something quite a few people are curious about: “Can I get a virus on my phone? How would I know if I did have a virus or malware? How would I get rid of said infection? How do I protect myself going forward?”

I have wondered about all this myself, honestly, and not until recently had I done any research on it. Once I did, it all made sense, so I am going to relay my findings in my own words and put them into perspective. Like anything else, technology is ever-advancing, and so are viruses and malware. When something new comes out, there is always someone picking apart its code and creating infections that make everyone’s lives that much harder. That will never change! Since I am a heavy Android user, that’s what I am going to talk about.

When it comes to viruses and malware on phones, is it possible? Yes, very, and it is becoming more and more common. When you think of a virus, you probably picture what you’d experience on a computer. Phone malware has some things in common with that but behaves a little differently. If you get malware on your phone, it will most likely arrive as an application that looks and acts like a legitimate app, sometimes a copy of one you use every day. Those are the targets, because if people think they are in a familiar app, they are comfortable typing in their personal information. Stealing information, whether passwords, contacts, or banking details, is the most common purpose of mobile malware. Like Internet browsers on PCs, phones also get those pesky pop-ups and page redirects: one moment you are browsing your favorite news website, and the next you are on a page trying to sell you something (or worse, an “adult” page).

How would I get this on my phone? Good question. Apps are the main route, and even the Google Play store, the easiest place to reach most Android users, has carried malicious apps. Google Play is not as tightly policed as one would think; the process for getting a self-made app into the store is not that extensive. Browse the store and you will see a ton of apps and many versions of the same thing. When you download free apps or buy apps, make sure they come from a company you know, ideally the company itself. For example, if you download the Facebook app, make sure it is published by Facebook and not some third-party vendor. Also read the permissions an app asks for before you accept them. Some apps you grant access to your phone’s resources can, in the end, cost you a fortune: an app with SMS permission can send texts without your knowing, including texts to premium-rate numbers that rack up a huge bill.

Now that that is out of the way, let’s talk about prevention. The best prevention is always being cautious about what you download and open. That is ultimately what works, but it can be difficult (when an application looks and acts like the real one, it’s hard to tell the difference). Next, some people use antivirus/anti-malware software. If you go that route, my suggestion is to use a paid version rather than a free one; as with programs on a PC, the free versions are limited and usually lack the features that matter most. Also be aware of the performance cost on a phone: these programs run frequently, which eats processing power and battery, and the notifications can become annoying.

In all of this, there are many options to help protect yourself, but the biggest tool you have is knowledge, along with a company such as Everon to help educate you. If you have any questions about security on your devices, or a question about an app before you download it, please feel free to reach out to us (888-244-1748 or info@everonit.com). We are always more than happy to help!

 

Five Things You Should Do to Clean Your Computer This Weekend


Fall cleaning? Don’t forget your computer!

There’s no time like now to get in all that fall cleaning you want to do before the holiday season kicks in. So why leave your computer out of all the fun? I asked the techs at Everon what they would do to clean their own computers. Here are their top five responses:

1.      Run a virus and/or malware scan. If you don’t want to spend the time running both, pick one and do the other later. Free antivirus options include Avast and AVG, and Malwarebytes offers a free malware scanner; Symantec’s products are paid. Each of these scans can take several hours, so a good idea is to start the scan before you go to bed and let it run overnight while you sleep.

2.      Get rid of extra programs that you don’t need. A lot of times, when you download or install new software, you’re also saddled with extra programs you neither asked for nor need. Those can be a real memory-suck. Look for ones that redirect your browser. (Any extra toolbars on your Internet browser?) Now is a good time to uninstall these pieces of baggage. Also, bloatware – preinstalled software on a device – is another nuisance. Check out this blog, by James, for one way to get rid of it. This process should take around 30-45 minutes.

3.      Blow the dust or lint out of your system, especially the fans. This can be done with one of those handy cans of compressed air, available at just about any store that sells office supplies, or with an air compressor. If you haven’t done it in a while there will be a lot of dust, so you may want to take your computer outside. Remove the outer casing and blow away. (Note: do not use your breath! Moisture from your mouth can corrode or short components on the board. Plus, if you get too close to all that dust you will probably sneeze.) Pay particular attention to getting those dust bunnies out of the fans. If they stay clogged, your computer can overheat.

4.      Clean your keyboard. While you’re taking your computer outside to power-blow it, unplug and bring along your keyboard. Tilt it upside down, and blow it out, too. You will be both grossed out and amazed at what falls out of there. But all of that stuff can build up between the keys and make them stick or not work properly.

5.      Clean your screen, mouse, and keyboard (again). As long as we’re doing a proper cleaning, let’s do it right. You can get out the isopropyl (rubbing) alcohol and cotton swabs, or you can just buy pre-moistened, disposable electronic wipes (my preference). Wipe down your computer screen and your mouse. Pay attention to the buildup on the mouse’s underside. Also, before you plug your keyboard back in, give the keys a good wipe down. These last three steps will take you 30 minutes or less.

There, all done. This entire process can take an hour or so (not including the scan that ran while you were asleep), but once done your computer will run more efficiently. You can add years on to the life of your machine with regular maintenance like this. Not to mention how good it feels to have a sparkly-clean desktop. ;)