Geekzone: technology news, blogs, forums
  Reply # 1518178 23-Mar-2016 09:40

bjorn:

The end user isn't opening files from the internet; these are legitimate web searches that end in a user clicking on a compromised website and the malware executing in the background without the user having to do anything.

Really? Then isn't this a severity 1 security hole in the web browser?

How can such a major security hole be unfixed for so long?

It is almost as bad as the worm that was going around in 2004-ish -- you only needed to be connected to the internet to be infected.


gzt

  Reply # 1518182 23-Mar-2016 09:43

Could be Adobe Flash is not updated.

Also, ad blocking may be another way to close that one.

  Reply # 1518183 23-Mar-2016 09:43

freitasm:

What endpoint protection are you using?

It won't matter, to be honest. We have quite a variety of up-to-date products across our sites; pretty much all of them have been breached at one point or another. AV is pretty much useless at this point in our experience.

The only policies which have worked are Group Policies preventing apps from executing in temp directories, but they soon worked that out, and now extract into folders off the root, or in unrestricted folders.

User vigilance is pretty much the best weapon. We are making more use of gateway protection products that block, quarantine or digest attachments.

We have spent a LOT of time educating the users we look after about attachments in emails and links on websites, and how to detect spoofing attacks.

Ultimately, however, your last line of defense is backups.

  Reply # 1518221 23-Mar-2016 09:59

We are currently going through this now.

We have found that old versions of Flash (n-1) have been responsible for the last 3 infections. This is a major change, as previously it was email attachments (AusPost etc). It requires 0 user interaction and, to be perfectly honest, I would have been hit in the same way as the last user was. Perfectly legit-looking site - invisible Flash file - pulls down dropper.

We are using McAfee (VSE 8.8) and their recommended access protection rules to prevent execution from dodgy locations. We are also implementing TIE (reputation-based stuff with some clever heuristics).

Signature-based AV will do absolutely nothing against the 0-day crypto stuff that is coming out daily.

First step is to figure out how the initial malware drop is happening:

Flash - check you are absolutely up to date and you are updating as soon as new versions come out.
Adobe Reader - the same.
Java - unless you require it, remove it. Otherwise same as above.
IE/Browsers - enable the protected modes/recommended security settings (after testing any custom apps).

Then you move on to your gateways:

Mail - what scanning is done? What are the policies on attachments?
Web - Are you at least logging? This helps enormously with diagnosis.
Firewall - can you use a subscription-based service to block known bad C&C servers?

In short - there is no easy fix. Just ensure you have backups.

It also helps when a helpful admin doesn't give their standard user account local admin to a file cluster - then get hit by Crypto.
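As an added example (not code from anyone in this thread), here is the "are you at least logging?" step worked through in Python: it scans constructed, simplified proxy log lines for the chain described above, an ad-served .swf fetch followed within seconds by an executable download from a different host, and reports the client involved. The log format, hostnames and addresses are all assumptions.

```python
"""Flag, in web-proxy logs, the drive-by chain described in the thread: a client
fetches a Flash (.swf) object and, within seconds, an executable from another
host. Added example; the log format and every value in SAMPLE_LOG are constructed."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed format: "<ISO timestamp> <client ip> <status> <method> <url> <content-type>"
SAMPLE_LOG = """\
2016-03-23T09:40:01 10.0.0.15 200 GET http://news.example.net/story/123 text/html
2016-03-23T09:40:02 10.0.0.15 200 GET http://ads.example-cdn.test/banner.swf application/x-shockwave-flash
2016-03-23T09:40:04 10.0.0.15 200 GET http://203.0.113.9/upd/svc.exe application/octet-stream
2016-03-23T09:41:10 10.0.0.22 200 GET http://intranet.corp.test/player.swf application/x-shockwave-flash
2016-03-23T09:55:00 10.0.0.22 200 GET http://downloads.vendor.test/setup.exe application/octet-stream
2016-03-23T10:02:30 10.0.0.31 200 GET http://cdn.example.test/ad.swf application/x-shockwave-flash
2016-03-23T10:02:31 10.0.0.31 200 GET http://cdn.example.test/ad2.swf application/x-shockwave-flash
"""
FLASH_TYPE = "application/x-shockwave-flash"
EXE_TYPES = {"application/octet-stream", "application/x-msdownload"}
EXE_SUFFIXES = (".exe", ".scr", ".dll")

def parse_line(line):
    """Split one log line into a record; the hostname is what origins are compared by."""
    ts, client, status, _method, url, ctype = line.split(" ", 5)
    return {"ts": datetime.fromisoformat(ts), "client": client, "status": int(status),
            "url": url, "host": urlparse(url).hostname, "ctype": ctype}

def looks_like_executable(rec):
    # Either the declared content type or the URL suffix suggests a PE binary.
    return rec["ctype"] in EXE_TYPES or rec["url"].lower().endswith(EXE_SUFFIXES)

def find_drive_by(log_text, window_seconds=30):
    """Return (client, swf_url, exe_url) for each .swf fetch followed within the window by an executable from another host."""
    per_client = defaultdict(list)
    for rec in map(parse_line, filter(str.strip, log_text.splitlines())):
        per_client[rec["client"]].append(rec)
    hits = []
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])  # proxies may log out of order
        for i, swf in enumerate(recs):
            if swf["ctype"] != FLASH_TYPE or swf["status"] != 200:
                continue
            for later in recs[i + 1:]:
                if (later["ts"] - swf["ts"]).total_seconds() > window_seconds:
                    break  # sorted by time, so nothing after this is within the window
                if looks_like_executable(later) and later["host"] != swf["host"]:
                    hits.append((client, swf["url"], later["url"]))
    return hits
```

Widening the window trades false positives (a legitimate installer after an intranet .swf) for catching slower droppers, so tune it against your own gateway's traffic.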

 

 


  Reply # 1518222 23-Mar-2016 10:05

bjorn:

nathan: Have you discovered which vuln this is using to get to your PCs? Seems it's either a browser vuln or maybe more likely a vulnerable plugin.

After further trawling through logs it's looking like a Flash vuln. More specifically, compromised Flash advertising.

This. Good ol' drive-by malware.

The last 4 experiences we have been pulled into have been people browsing during a break (or not) and an advert presented on the page that has been compromised. It's the very same reason Firefox and Chrome dropped NPAPI Flash support until Flash fixed it. They've enabled it again, but those using IE and old Flash are still the highest risk.

  Reply # 1518227 23-Mar-2016 10:12

wasabi2k: It also helps when a helpful admin doesn't give their standard user account local admin to a file cluster - then get hit by Crypto.

I'll wager someone's little brown starfish caved in when they realised this. How long did that cleanup take? Just restoring that volume of data may have been a mission (unless you were lucky enough or have the equipment to have been able to roll back to a recent snapshot).

"4 wheels move the body.  2 wheels move the soul."

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

gzt

  Reply # 1518234 23-Mar-2016 10:37

Oblivian: It's the very same reason Firefox and Chrome dropped NPAPI Flash support until Flash fixed it. They've enabled it again, but those using IE and old Flash are still the highest risk.

Chrome dropped NPAPI forever some time ago, from v45 onward. It cannot be enabled.

  Reply # 1518238 23-Mar-2016 10:44

We have VSS running on our file servers with twice daily snapshots so restores weren't too bad.


  Reply # 1518239 23-Mar-2016 10:44

surfisup1000:

bjorn:

The end user isn't opening files from the internet; these are legitimate web searches that end in a user clicking on a compromised website and the malware executing in the background without the user having to do anything.

Really? Then isn't this a severity 1 security hole in the web browser?

How can such a major security hole be unfixed for so long?

It is almost as bad as the worm that was going around in 2004-ish -- you only needed to be connected to the internet to be infected.

Drive-by malware has been around for years. Vulnerabilities have also been around for years - one is fixed, another one shows up. Some are not even in the browser - the usual culprits are Java applets and Flash.

  Reply # 1518277 23-Mar-2016 11:11

freitasm:

Drive-by malware has been around for years. Vulnerabilities have also been around for years - one is fixed, another one shows up. Some are not even in the browser - the usual culprits are Java applets and Flash.

True, but usually if you had the latest updates you were OK.

In the past, generally the worst exploits required you to open a file (assuming one is applying OS updates).

The OP seems to be saying it has recently become difficult to protect against this cryptolocker software. Just opening a webpage can infect your computer, even with the latest patches installed.

And I think Java applets have been disabled in most browsers anyway... the last time I tried to use the Mount wavecam website I got Java security errors and it was not a trivial process to disable them.

So this leaves Flash -- which is on the way out too, so surely you could just disable Flash completely.

  Reply # 1518278 23-Mar-2016 11:11

wasabi2k:

We have VSS running on our file servers with twice daily snapshots so restores weren't too bad.

I would have thought the volume of data changed might exceed the % disk space allocated to VSS snapshots. Just my musings.

We've generally had no issues restoring shares from backup. Just an annoyance for the client to lose X amount of work.

We have had a (very casual) client infect their server from the console in the past. They had not been managing their own backups properly and the best available backup was 2 weeks old. Unsurprisingly, they agreed to let us manage their server and backups after that.


  Reply # 1518287 23-Mar-2016 11:19

lNomNoml:

Decent Anti-virus: ESET Endpoint

Will... not... help... in... the... real... world :) (crypto can get past it, somehow; it has happened at 2 companies I know of).
Also, zero-day or new variants will get past any AV.

Install the Ghostery browser addon and set it to Block everything. Not a perfect solution, but it's a start. It can be disabled on certain websites if need be.
https://www.ghostery.com/try-us/download-browser-extension/

Quote:
"Each time the user has been searching something in Google, clicked on a search result and been infected."

I have to ask, just what were they searching for? Are they not giving you the complete story of what they were up to online? Perhaps they were in their personal webmail and that caused the issues? Do you have any firewall logs to check where they have been online?
I do Google searches every day, but have yet to have this sort of issue. In fact, even when I've been to some dodgy/suspect sites at home I still don't have issues.

  Reply # 1518328 23-Mar-2016 12:07

We also have seen 4 instances of ESET not catching cryptolocker. Symantec, which was on one of the sites we don't actively manage, caught cryptolocker. It was a 4-year-old version of Endpoint Security with 1-year-old definitions. The customer got cryptolocker because he "wanted" the file and turned off the AV so he could have it! It didn't identify it by name, but said it was dangerous and blocked it.


  Reply # 1518329 23-Mar-2016 12:08

Also, AV protection on SonicWalls has multiple times allowed zero-day exploits (not crypto) in.

  Reply # 1518348 23-Mar-2016 12:27

Dynamic:

wasabi2k:

We have VSS running on our file servers with twice daily snapshots so restores weren't too bad.

I would have thought the volume of data changed might exceed the % disk space allocated to VSS snapshots. Just my musings.

We have dedicated VSS drives for each data drive. Obviously then we have regular backups with offsite tape etc. behind it.

Regarding infection via browser - I can almost guarantee it is Flash. The last Flash update (20->21) addressed 23 critical vulnerabilities.

Unless you have something like Flashblock stopping Flash from loading, you go from nothing to malware executing with 0 user interaction. It is scary to see in action (which we did with a PC on an isolated network). Suffice to say we are addressing this vector with aggressive update policies and locking down IE.

With regards to ESET/Sonicwall/random vendor not catching it - the vast majority of these threats are variants that are being released daily or more often. Anything that uses signature-based recognition (almost all traditional AV) will not catch them when they are out there. The standard timeframe for McAfee is:

1. We find a new threat when it starts breaking stuff
2. Submit malware to McAfee
3. New DAT or EXTRA.DAT released (3 hours - 3 days)
4. Server repository pulls new DAT (0-1 days later)
5. Endpoints pull new definitions (0-1 days later)

By which time there are already another 65 new variants. The only way to catch this stuff is advanced heuristics/machine learning/realtime signature checking, which is what McAfee claims to deliver with TIE.

