
Welcome to ACES

Alamo Colleges Education Services is a secure portal connecting Faculty, Staff & Students to Academic Resources, Email, and other Online Resources.

Support Contacts: Helpdesk (210) 485-0555; Weather Line (210) 485-0189

Library Info

SAC Library Info

Location:
1001 Howard St.
San Antonio, TX 78212
(210) 456-0554
Hours:
Mon - Thu 7:30am - 8:00pm
Fri 7:30am - 4:00pm
Sat 9:30am - 5:00pm

Log Message | Type | Author | Post Date | Expiration Date

Security Alert!

Crypto Malware/Ransomware Infections!

NOTE: If you no longer wish to receive these alerts, send a reply with "disable"

National Cyber Awareness System:

TA14-295A: Crypto Ransomware

10/22/2014 05:28 PM EDT

Original release date: October 22, 2014

Systems Affected

Microsoft Windows

Overview

Ransomware is a type of malicious software (malware) that infects a computer and restricts access to it until a ransom is paid to unlock it. This Alert is the result of Canadian Cyber Incident Response Centre (CCIRC) analysis in coordination with the United States Department of Homeland Security (DHS) to provide further information about crypto ransomware, specifically to:

  • Present its main characteristics, explain the prevalence of ransomware, and the proliferation of crypto ransomware variants; and
  • Provide prevention and mitigation information.

Description

WHAT IS RANSOMWARE?

Ransomware is a type of malware that infects a computer and restricts a user's access to the infected computer. This type of malware, which has now been observed for several years, attempts to extort money from victims by displaying an on-screen alert. These alerts often state that the computer has been locked or that all of its files have been encrypted, and demand that a ransom be paid to restore access. The ransom is typically in the range of $100–$300, and is sometimes demanded in virtual currency, such as Bitcoin.

Ransomware is typically spread through phishing emails that contain malicious attachments and drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and malware is downloaded and installed without their knowledge. Crypto ransomware, a variant that encrypts files, is typically spread through similar methods, and has been spread through Web-based instant messaging applications.

WHY IS IT SO EFFECTIVE?

The authors of ransomware instill fear and panic in their victims, pressuring them to click on a link or pay a ransom; users who comply frequently end up infected with additional malware. The on-screen messages are similar to those below:

  • “Your computer has been infected with a virus. Click here to resolve the issue.”
  • “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
  • “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

PROLIFERATION OF VARIANTS

In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.

This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced, including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device but also the contents of shared or networked drives. These variants are considered destructive because they encrypt users' and organizations' files and render them useless until the criminals receive a ransom.

Additional variants observed in 2014 included CryptoDefense and Cryptowall, which are also considered destructive. Reports indicate that CryptoDefense and Cryptowall share the same code, and that only the name of the malware itself is different. Like CryptoLocker, these variants encrypt files on the local computer, on shared network files, and on removable media.
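Scoping an infection means finding which files were actually overwritten with ciphertext, on the local disk and on any mapped share or removable drive the malware could reach. The script below is an added illustration by the editor, not part of the US-CERT/CCIRC alert: it rates each file by the Shannon entropy of its first 4 KiB and by whether a known document header is still present, since encrypted output sits near 8 bits per byte and has lost its header, while compressed formats such as .docx or .jpg are also high-entropy but keep theirs. The 7.5 bits/byte threshold, the magic-byte table and the sample directory tree are the editor's assumptions, not indicators from the alert.

```python
"""Scope a crypto-ransomware event: list files whose contents look encrypted.
Added example for this page, not US-CERT/CCIRC code.  The entropy threshold,
the magic-byte table and the sample tree built below are constructed
assumptions, not indicators from the alert."""
import hashlib
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Leading bytes of common document formats (assumed table, not from the alert).
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "docx/xlsx/zip",
    b"\xd0\xcf\x11\xe0": "doc/xls (OLE2)",
    b"\xff\xd8\xff": "jpg",
}


def looks_encrypted(head: bytes, threshold: float = 7.5) -> bool:
    """True when the file head is high-entropy AND has no known header.
    Compressed formats are high-entropy too, but keep their magic bytes;
    a file overwritten with ciphertext has lost them."""
    if any(head.startswith(magic) for magic in MAGIC):
        return False
    return shannon_entropy(head) >= threshold


def scope_encrypted_files(root: str) -> list:
    """Walk root (local disk, mapped share or removable media) and return the
    relative paths of files that look encrypted, sorted for stable output."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)          # 4 KiB is enough to rate entropy
            if looks_encrypted(head):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample share: two intact documents and two files that were
    overwritten with ciphertext-like bytes (deterministic SHA-256 stream)."""
    root = tempfile.mkdtemp(prefix="share-")
    cipher = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                      for i in range(128))    # 4096 bytes, ~7.95 bits/byte
    samples = {
        "finance/budget.txt": b"Q3 budget: travel 12,000; software 8,500.\n" * 80,
        "finance/report.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 60,
        "finance/budget.txt.encrypted": cipher,   # renamed and encrypted
        "hr/offer_letter.docx": cipher,           # same name, header gone
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for hit in scope_encrypted_files(build_sample_tree()):
        print("looks encrypted:", hit)
```

The header check matters as much as the entropy number: a share full of .docx and .jpg files would otherwise light up as "encrypted", and a ransomware variant that keeps the original file name (the offer_letter.docx case) would be missed by an extension-only rule.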

LINKS TO OTHER TYPES OF MALWARE

Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system, and requests that a ransom be paid.

The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.

Impact

Ransomware doesn’t only target home users; businesses can also become infected with ransomware, which can have negative consequences, including:

  • Temporary or permanent loss of sensitive or proprietary information;
  • Disruption to regular operations;
  • Financial losses incurred to restore systems and files; and
  • Potential harm to an organization’s reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Solution

Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.

US-CERT and CCIRC recommend users and administrators take the following preventive measures to protect their computer networks from ransomware infection:

  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline: the variants described above also encrypt mapped and networked drives, so a backup that stays connected to an infected machine can be encrypted along with the originals.
  • Maintain up-to-date anti-virus software.
  • Keep your operating system and software up-to-date with the latest patches.
  • Do not follow unsolicited web links in email. Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
  • Use caution when opening email attachments. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams.
  • Follow safe practices when browsing the web. See Good Security Habits and Safeguarding Your Data for additional details.

Individuals or organizations are not encouraged to pay the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center or contact the CCIRC.

Revision History

  • Initial Publication, October 22, 2014

Type: Information Only | Author: mrosado6 | Post Date: 10/23/2014 | Expiration Date: 10/30/2014 9:00:00 AM

Security Alert!

Beware of Ebola Phishing and Malware Campaigns!

National Cyber Awareness System:

Ebola Phishing Scams and Malware Campaigns

10/16/2014 04:31 PM EDT

Original release date: October 16, 2014

US-CERT reminds users to protect against email scams and cyber campaigns using the Ebola virus disease (EVD) as a theme. Phishing emails may contain links that direct users to websites which collect personal information such as login credentials, or contain malicious attachments that can infect a system.

Users are encouraged to use caution when encountering these types of email messages and take the following preventative measures to protect themselves:



Type: Information Only | Author: mrosado6 | Post Date: 10/17/2014 | Expiration Date: 10/24/2014 9:00:00 AM

Security Alert!

Client-Side Vulnerabilities – Adobe Malware attacks targeting sensitive information!

TLP: WHITE

CIS CYBER ALERT

TO: All Members

DATE ISSUED: October 16, 2014

SUBJECT: Invoice Phishing Spam Campaign Distributing Dyre Banking Trojan

 

CIS recently became aware of a massive spam campaign targeting users in various sectors. Phishing emails used in the campaign contain a PDF attachment named Invoice621785.pdf. This attachment is a weaponized PDF document exploiting a vulnerability in Adobe Reader (CVE-2013-2729). After successful exploitation, the user's system downloads additional malware from hxxp://rlmclahore.com/Resources/Search/1510out[.]exe. This is a banking trojan similar to Zeus/Citadel in that it targets sensitive user information, including banking credentials. As of this writing, all of the major AV products detect this malware as Trojan Dyre/Zbot/Fondu.

 

Phishing Email Characteristics:

Subject: "Unpaid invoic" [Please note the typo in the subject line]

Attachment: Invoice621785.pdf

 

System Level Indicators (If successful in exploitation):

Copies itself under C:\Windows\[RandomName].exe

Creates a service named "Google Update Service" by setting the following registry keys:

HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ImagePath: "C:\WINDOWS\pfdOSwYjERDHrdV.exe"

HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\DisplayName: "Google Update Service"

Note that the service name and display name mimic the legitimate Google updater, whose services are registered as gupdate and gupdatem with an ImagePath under Program Files; a "Google Update" service whose ImagePath points into C:\Windows is the indicator.

Network Level Indicators (written defanged, with dots escaped as \. or [.]):

First Stage Download:

  • rlmclahore\.com/Resources/Search/1510out[.]exe

Second Stage C2:

  • stun\.rixtelcom\.se
  • stun\.sip\.telia\.com
  • stun\.puhe.sonera\.com
  • stun\.voipbuster\.com
  • stun.rixtelecom.se
  • stun.sipgate.com
  • stun.ideasip.com
  • 37.59.48\.138
  • 62.71.2\.168
  • 188.165.227\.37
  • 77.72.174\.163
  • 77.72.174\.161
  • 77.72.174\.165
  • 77.72.174\.167
  • 217.10.68\.152
  • 208.97.25\.20

Please note that the Domain and IP indicators above were observed during our analysis and the list does not represent all network indicators for this campaign. Several of the hostnames are public STUN servers that legitimate VoIP software also contacts, so a hit on one of them alone is weak evidence; correlate it with the first-stage download, the IP addresses above, and the host-level indicators.

 

We also noted that the network communication is using a certificate with organization name "internet widgits pty ltd". This is the default Organization Name that OpenSSL fills in when a certificate is generated without overriding the prompts, so on its own it indicates a default-generated or self-signed certificate rather than this campaign specifically; treat it as supporting evidence alongside the destinations above, not as a standalone indicator.
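The indicator lists above are the kind of thing that gets pasted into a blocklist, so they are worth matching mechanically rather than by eye. The script below is an added example by the editor, not CIS/MS-ISAC tooling: it refangs the alert's indicators (hxxp scheme, \. and [.] dots), matches them against proxy/DNS log lines with boundaries so that 188.165.227.37 does not also match 188.165.227.371, and checks a registry dump for the persistence indicator, flagging any service that calls itself Google Update but runs from outside Program Files (the legitimate updater registers gupdate and gupdatem there). The log lines and the registry dump are constructed samples, and the Program Files rule is the editor's assumption, not something the alert states.

```python
"""Match the CIS alert's network and host indicators against logs.
Added example for this page, not CIS/MS-ISAC code.  The proxy log lines and
the registry dump below are constructed; the 'must live under Program Files'
rule for Google Update services is the editor's assumption."""
import re

# Indicators copied from the alert in their defanged / regex-escaped form.
RAW_INDICATORS = [
    r"hxxp://rlmclahore\.com/Resources/Search/1510out[.]exe",
    r"stun\.rixtelcom\.se", r"stun\.sip\.telia\.com", r"stun\.puhe.sonera\.com",
    r"stun\.voipbuster\.com", "stun.rixtelecom.se", "stun.sipgate.com",
    "stun.ideasip.com",
    r"37.59.48\.138", r"62.71.2\.168", r"188.165.227\.37", r"77.72.174\.163",
    r"77.72.174\.161", r"77.72.174\.165", r"77.72.174\.167", r"217.10.68\.152",
    r"208.97.25\.20",
]
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def refang(ioc: str) -> str:
    """Turn a defanged indicator into a matchable host or IP (host part only)."""
    ioc = re.sub(r"^hxxps?://", "", ioc.strip().lower())
    ioc = ioc.replace(r"\.", ".").replace("[.]", ".")
    return ioc.split("/", 1)[0]


HOSTS = {h for h in map(refang, RAW_INDICATORS) if not IP_RE.match(h)}
IPS = {h for h in map(refang, RAW_INDICATORS) if IP_RE.match(h)}


def scan_log(lines) -> list:
    """(line_no, indicator) for each line naming a host or IP from the alert.
    Boundaries: a host may appear as a subdomain or with a port/path after
    it, but 'rlmclahore.com.example' and '188.165.227.371' must not match."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for host in HOSTS:
            if re.search(r"(?<![a-z0-9-])" + re.escape(host) + r"(?![a-z0-9.-])", low):
                hits.append((n, host))
        for ip in IPS:
            if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", low):
                hits.append((n, ip))
    return sorted(hits)


# Constructed proxy log in a generic 'time client verb target' layout.
SAMPLE_PROXY_LOG = [
    "2014-10-16T14:02:11 10.1.5.23 GET http://rlmclahore.com/Resources/Search/1510out.exe 200",
    "2014-10-16T14:02:40 10.1.5.23 UDP stun.sipgate.com:3478",
    "2014-10-16T14:03:05 10.1.5.23 CONNECT 188.165.227.37:443",
    "2014-10-16T14:03:07 10.1.5.99 GET http://www.example.com/ 200",
    "2014-10-16T14:03:09 10.1.5.99 CONNECT 188.165.227.371:443",
]

# Constructed 'reg query'-style dump of the services key the alert describes,
# plus the legitimate updater for contrast.
SAMPLE_REG_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\googleupdate
    ImagePath      REG_EXPAND_SZ    C:\WINDOWS\pfdOSwYjERDHrdV.exe
    DisplayName    REG_SZ           Google Update Service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gupdate
    ImagePath      REG_EXPAND_SZ    "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
    DisplayName    REG_SZ           Google Update Service (gupdate)
"""


def suspicious_update_services(reg_dump: str) -> list:
    """(service_key, ImagePath) for services that call themselves Google Update
    but run from outside Program Files, e.g. the alert's C:\\WINDOWS binary."""
    findings = []
    for block in re.split(r"\n(?=HKEY_)", reg_dump.strip()):
        lines = block.splitlines()
        key = lines[0].rsplit("\\", 1)[-1]
        values = {}
        for line in lines[1:]:
            parts = line.split(None, 2)      # name, type, data
            if len(parts) == 3:
                values[parts[0]] = parts[2]
        image = values.get("ImagePath", "")
        if ("google update" in values.get("DisplayName", "").lower()
                and "program files" not in image.lower()):
            findings.append((key, image))
    return findings


if __name__ == "__main__":
    print(scan_log(SAMPLE_PROXY_LOG))
    print(suspicious_update_services(SAMPLE_REG_DUMP))
```

The two typo-looking hostnames (stun\.rixtelcom\.se and stun.rixtelecom.se) are carried over exactly as the alert lists them; refanging normalises the escaping but deliberately does not "correct" an indicator.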

 

Recommendations:

Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

Do not open email attachments from unknown or untrusted sources.

Limit user account privileges to only those required.

Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

Keep all operating system, applications and essential software up to date to mitigate potential exploitation by attackers.

Ensure that systems are hardened with industry-accepted guidelines.

Make sure all AV products are up-to-date with their signatures.

Implement filters at your email gateway for emails with the subject line "Unpaid invoic" [note the typo]; match the misspelled string exactly, and bear in mind that a subject line is a trivially changed indicator.
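One way to implement the gateway filter in the last recommendation, as an added example by the editor rather than CIS/MS-ISAC code: it matches the misspelled subject exactly, also quarantines on the attachment name from the alert (so a corrected subject does not slip through), and routes other external invoice-themed PDFs to human review. The sample messages are constructed, the PDF detection by declared type, extension and %PDF- header is the editor's choice, and INTERNAL_DOMAIN is an assumed placeholder.

```python
"""Gateway-side triage for the 'Unpaid invoic' campaign.
Added example for this page, not CIS/MS-ISAC code.  The messages are
constructed.  Quarantining on the subject typo OR the attachment name, and
sending other external invoice PDFs for review, are the editor's rules;
INTERNAL_DOMAIN is an assumed placeholder."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

SUBJECT_IOC = "unpaid invoic"         # the alert's misspelled subject, lower-cased
ATTACHMENT_IOC = "invoice621785.pdf"  # the alert's attachment name, lower-cased
INTERNAL_DOMAIN = "example.edu"       # assumed, not from the alert


def pdf_attachment_names(msg: EmailMessage) -> list:
    """Lower-cased names of attachments that are PDFs by declared type,
    by extension, or by the %PDF- magic (a relabelled part still counts)."""
    names = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if (part.get_content_type() == "application/pdf"
                or name.endswith(".pdf") or payload.startswith(b"%PDF-")):
            names.append(name)
    return names


def classify(raw: bytes) -> str:
    """Return 'quarantine', 'review' or 'deliver' for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    _, sender = parseaddr(msg["From"] or "")
    pdfs = pdf_attachment_names(msg)
    # Campaign-specific indicators straight from the alert.
    if subject == SUBJECT_IOC or ATTACHMENT_IOC in pdfs:
        return "quarantine"
    # Broader rule: invoice-themed PDFs from outside the organisation get a
    # human look, because the next wave will have fixed the typo.
    if pdfs and "invoice" in subject and not sender.lower().endswith("@" + INTERNAL_DOMAIN):
        return "review"
    return "deliver"


def build_message(sender: str, subject: str, pdf_name: str = None) -> bytes:
    """Constructed test message with an optional small PDF-like attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "staff@" + INTERNAL_DOMAIN
    msg["Subject"] = subject
    msg.set_content("Please see the attached invoice.")
    if pdf_name:
        msg.add_attachment(b"%PDF-1.4\n%constructed sample, not the malicious file\n",
                           maintype="application", subtype="pdf", filename=pdf_name)
    return msg.as_bytes()


SAMPLES = {  # all constructed
    "campaign": build_message("accounts@invoice-example.net", "Unpaid invoic", "Invoice621785.pdf"),
    "fixed_subject": build_message("accounts@invoice-example.net", "Unpaid invoice", "Invoice621785.pdf"),
    "renamed": build_message("ar@vendor-example.net", "Invoice for October", "Invoice.pdf"),
    "internal": build_message("Bursar <bursar@example.edu>", "Invoice for October", "fall.pdf"),
    "benign": build_message("friend@vendor-example.net", "Lunch Friday?"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:14s} -> {classify(raw)}")
```

The "review" tier exists because both indicators in the alert are attacker-controlled strings; a rule that only knows the typo and the file name stops working the day the sender fixes them, while a generic "external invoice PDF" rule keeps producing a queue an analyst can work.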

 

 

REFERENCES:

PhishLabs: http://blog.phishlabs.com/enhancements-to-dyre-banking-trojan

CVE-2013-2729: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2729

 

Center for Internet Security (CIS)

Multi-State Information Sharing & Analysis Center (MS-ISAC)

31 Tech Valley Drive

East Greenbush, NY 12061

Phone: (518) 266-3485

7x24 SOC: 1-866-787-4722

Email: soc@msisac.org

Type: Information Only | Author: mrosado6 | Post Date: 10/17/2014 | Expiration Date: 10/24/2014 9:00:00 AM