Tag Archive | antivirus

Exorcising CTB Locker from your Computer: What you Need to Know

Ransomware, a type of malware which holds your files to ransom by encrypting them and then demanding a ransom for their “release”, i.e. by decryption, is nothing new. Cyber criminals make a lot of money by extorting funds from victims all over the world.

[Screenshots: CTB Locker encrypted-file message; an encrypted file; K7 Total Security detection; CTB Locker main screen in German, Italian and Dutch; private-key request; test decryption of files]

The latest family of widely distributed ransomware is called CTB Locker. In this blog we have decided to provide information about CTB Locker in the form of an FAQ so that our customers and the general public globally may be well-informed about the dangers of this malware family, learn how to avoid it, and be reassured about our robust response to it.

FAQ

  • How do you prevent your computer from becoming infected by CTB Locker?

Let’s begin with this question as it is the most important one to keep your computer safe. Prevention is always better than cure.

The initial spreading vector for CTB Locker is a spam email with enticing content which uses social engineering techniques to convince the potential victim to unzip a ZIP archive attachment (extension ‘.zip’) and execute its embedded file.

This embedded file, which is currently around 40KB in size, may have misleading extensions such as ‘.scr’ in order to masquerade as a screensaver application. This file is the downloader component for CTB Locker’s main payload, which then does the actual file encryption and makes the ransom demands. We urge you to be vigilant against such spam emails, as this is the very first line of defence against CTB Locker as well as a host of other malware families which use the same time-tested technique to spread.

If an email comes from an unknown or unexpected source containing an attachment or a website link requesting you to open the attachment or click on the link, please exercise extreme caution. We would suggest simply deleting such emails if they are not already quarantined by your spam filter.

The spam emails tend to be targeted at English-speaking countries and at least 3 European countries given that the malware payload provides its ransom messages in German, Dutch and Italian.

[Screenshots: CTB Locker main screen in Dutch, German and Italian]

This ransomware is not targeted at Indian users per se but given the ubiquitous nature of spam there will be “collateral damage” resulting in not just Indian victims but also many other hapless victims in other non-target countries.

  • What should you do when you discover your computer is infected with CTB Locker?

If you have seen messages demanding a ransom as shown above, it is likely that many, if not all, of your personal files such as Microsoft Office documents, PDF, TXT, ZIP and even ‘C’ source code files will be in an encrypted state, i.e. they will appear to contain random binary junk. Files encrypted by CTB Locker will have filenames of the form yourfile.ext.<7 random lowercase letters>, e.g. 253667.PDF.iryrzpi.

[Screenshot: CTB Locker executable files]

Executable files, e.g. EXE, DLL, OCX, etc., and files with extensions unknown to the malware will not be touched.
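As an added triage example (not K7's code), the following Python script applies the two observations above: an encrypted file keeps its original name and extension with a seven-lowercase-letter suffix appended, and its contents look like random binary junk, which a Shannon-entropy check can confirm. The sample file contents, the temporary directory layout and the 7.5-bits-per-byte threshold are constructed assumptions for the demonstration.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Filename pattern from the FAQ: <name>.<ext>.<7 random lowercase letters>, e.g. 253667.PDF.iryrzpi
CTB_NAME_RE = re.compile(r"^.+\.[A-Za-z0-9]{1,5}\.[a-z]{7}$")

# Constructed samples: every byte value equally often gives exactly 8.0 bits/byte (a stand-in
# for ciphertext); a repeated PDF-like header stands in for an ordinary readable document.
SAMPLE_ENCRYPTED = bytes(range(256)) * 16
SAMPLE_PLAINTEXT = b"%PDF-1.4 hello hello hello\n" * 50

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted data sits near 8.0, documents and source code well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_ctb_name(filename: str) -> bool:
    """True when the name carries the seven-lowercase-letter suffix CTB Locker appends."""
    return CTB_NAME_RE.match(filename) is not None

def classify_file(filename: str, data: bytes, threshold: float = 7.5) -> str:
    """'clean': name does not match. 'suspect': name matches and content looks encrypted.
    'name-only': name matches but content is readable (e.g. archive.tar.gzipped)."""
    if not looks_like_ctb_name(filename):
        return "clean"
    return "suspect" if shannon_entropy(data) >= threshold else "name-only"

def scan_tree(root: str, sample_size: int = 4096) -> dict:
    """Map every matching file under root to its verdict, reading only a head sample."""
    verdicts = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if looks_like_ctb_name(name):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    verdicts[os.path.relpath(path, root)] = classify_file(name, fh.read(sample_size))
    return verdicts

def demo_scan() -> dict:
    """Write three constructed files to a temporary directory and scan it."""
    root = tempfile.mkdtemp(prefix="ctb_demo_")
    samples = {"253667.PDF.iryrzpi": SAMPLE_ENCRYPTED,   # encrypted by CTB Locker
               "archive.tar.gzipped": SAMPLE_PLAINTEXT,  # suffix collision, readable content
               "report.docx": SAMPLE_PLAINTEXT}          # untouched document
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return scan_tree(root)
```

Running `scan_tree` over a user's profile lists the files worth restoring from backup or a restore point; the entropy check stops an ordinary file with a coincidental seven-letter extension from being reported as encrypted.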

First and foremost, we would request that you do not attempt to pay the ransom to get your files back. Even if the cyber criminals do actually decrypt your files, the money they get from you will only serve to encourage them to continue their nefarious practices, investing R&D in enhancing their capabilities and global reach. Cyber criminals must be stripped of their Return on Investment incentive to create malware.

Once you have decided not to pay the ransom, we would recommend removing the malware immediately. This can be done most easily by:

  1. updating your product
  2. rebooting into Safemode
  3. performing an on-demand scan on your computer
  4. removing the detected components. Note that the main CTB Locker payload is detected as ‘Trojan ( 0049d83b1 )’ and its downloader component is detected as ‘Trojan-Downloader ( 00499db21 )’

[Screenshot: CTB Locker detected by K7 Total Security]

  • Is it possible to decrypt files encrypted by CTB Locker?

The malware itself demonstrates that the files can be decrypted by randomly choosing 5 of the encrypted files and decrypting them.

[Screenshot: CTB Locker test decryption of files]

However, the malware uses a high-grade encryption algorithm with a key which is unique to your computer, rendering it effectively impossible to force a decryption en masse.

[Screenshot: CTB Locker private-key request]

  • How to restore files encrypted by CTB Locker?

It may not be possible to restore all files encrypted by CTB Locker. However, if your Windows operating system supports System Restore, it is possible to recover the contents of many of your folders from a recent restore point taken before the infection took place.

The most reliable solution, though, is to restore your critical files from regular backups. If you don’t back up your important files regularly then we urge you to start doing so ASAP. Apart from a CTB Locker infection, there are numerous other factors which could render your files irrecoverable in the future, including a hard disk failure. Note that it may also be possible to use deep forensics tools to recover some critical files if they still exist in sectors on the hard disk, but this is not an alternative to regular backups.

  • Will paying the ransom actually decrypt your files?

We refuse to pay any ransom so we are unable to confirm whether payment will actually result in your files being released. Once again, we would request you to not attempt to pay the ransom for the reasons mentioned earlier.

  • Why did K7 not detect and remove CTB Locker?

At K7 Threat Control Lab we are constantly monitoring and acting against CTB Locker infections, including coding robust generic detection for all components of CTB Locker. However, the cyber criminals behind the CTB Locker family have been investing considerable resources in morphing, i.e. changing the appearance of, all their components and spam emails such that they may sometimes be able to get past security scanners, not just K7’s, albeit for a very short period of time. We at K7, and our colleagues at other security companies, are working hard to stay ahead of CTB Locker in order to protect all our customers across the planet.

Samir Mody
Senior Manager, K7TCL

Re-published by K7 Computing Ireland and K7 Computing UK

Free 30 day trial for K7 antivirus security software available at: K7 Computing Ireland or K7 Computing UK

February New K7 antivirus products build release

New K7 Enterprise Security build 2.5.0.35

K7 Computing is happy to announce a new build of its endpoint security product.

[Image: K7 Enterprise Security]

The main new software improvements include:

  • Improved Rip and Replace feature for installation over a previous security software product.
  • Filter option introduced (with the status of Pending / Dispatched / Completed) under Task Details to show task completion on each endpoint.
  • The task status of a client can be viewed by selecting the relevant computer under the Clients list.
  • An “All Groups” option has been introduced in the Group selection UI when you create a new Task, allowing it to be replicated easily to the whole network.

[Screenshot: K7 Enterprise Security]

Current K7 Enterprise Security installations will receive these updates automatically within the coming days.

Trial licences for your sites and new customers are available by request. Please contact sales@k7computing.co.uk

New K7 Home antivirus security products 14.2.0.249

K7 Computing has released improved versions of its home / small office security products: K7 Antivirus, K7 Total Security and K7 Ultimate Security.

[Image: K7 Home security antivirus products]

Some of the newly updated features:

Permanent Data Deletion

  • Permanently erase sensitive data that you don’t want others to discover.

Secure Transaction

  • Protection for online monetary transactions, with anti-screen-capture and anti-keylogging functions.

USB Protection

  • Automatically scans USB media for concealed threats and vaccinates USB devices against infection.

All versions are available for a 30-day free trial at: K7 UK Website or K7 Ireland Website.

Current installations are updated automatically with regular updates.

Editor of World-Renowned Security Magazine Appreciates K7 Speakers

November 7th, 2014

In a nice gesture, the editor of the acclaimed Virus Bulletin magazine has blogged about the presentation by our reserve speaker duo, who were meant to present a paper and a short demo in the event of an absent speaker at the 2014 Virus Bulletin International Conference, held recently in Seattle, USA.

VB2014 has already been discussed, highlighting the presentation by K7’s Gregory Panakkal. Nevertheless, this post is dedicated to the reserve speakers from K7 Threat Control Lab, Samir Mody, Senior Manager, and V. Dhanalakshmi, Senior Threat Researcher.

Their paper, “Early launch Android malware: your phone is 0wned”, demonstrates the difficulty of removing an active infection by the Android ransomware “Koler/Simple Locker”, which prevents the user from uninstalling it. It also proposes a new framework which Google could adopt to help mobile security vendors defeat Android malware strategies.

View the full presentation and demo at K7 YouTube channel.

Archana Sangili
Content Writer

K7 Computing Ireland: www.k7computing.ie

K7 Computing UK: www.k7computing.co.uk

K7 Enterprise Security and Enterprise Antivirus new version release

K7 Computing is happy to announce the latest version, 2.5, of K7 Enterprise Security.

This release brings upgrades and improved compatibility with Windows Server operating systems: K7 Enterprise Security and K7 Enterprise Antivirus now cover all types of Microsoft Server OS and use a single installation file to deploy both the K7 security console and the endpoints.

What’s new in K7 Enterprise Security (2.5)

  • Database storage size has been increased to 10 GB
  • An ‘Allow’ option has been introduced for blocked applications under Application Control
  • A new desktop icon has been introduced for the Admin Console
  • Shortcut icon removed for endpoints, but the sys-tray icon and start menu icon remain
  • Detection and removal added for more third-party AV products

What’s new in K7 Enterprise Security (2.4)

  • Activity Log – the recent update and scan status of a computer can be viewed from Clients » Computer Details.
  • Notification (email & Dashboard) for scheduled scan interruption.
  • Password protection for device control.
  • Enhancements to Task Details – Scan Summary and Update Summary added.
  • Purging introduced to remove Not Reported computers and older Applications & Tasks automatically.
  • Subnet search on the Clients filter.
  • Subscription expiry notification through email and Dashboard (Paid License: 30 days, 15 days & 3 days intervals; 30-day Trial License: 15 days, 10 days & 3 days).
  • Multiple quarantined files can now be selected and removed together if they are not required.
  • The client computers list can be exported as a Report.

K7 Enterprise Security and K7 Enterprise Antivirus are available for trial at:

K7 Computing Ireland or K7 Computing UK

_JZ_

K7 Computing IE

K7 released new version 14.2 for home edition antivirus products

K7 Computing has released new version 14.2 of its home edition antivirus products K7 Antivirus Plus, K7 Total Security and K7 Ultimate Security.

New improvements include faster scanning and easier integration with the new Windows 8.1 operating system. Improving on the already remarkable speed of previous versions was a challenging task for K7 developers.

The products also receive an improved pre-installation scan for other AV products, with an option to uninstall them automatically. This prevents possible conflicts, performance degradation and instability.

The new version has also been tested by Softpedia with very good results: Full article in Softpedia

For free trial visit:

United Kingdom: Free 30 day trial

Ireland: Free 30 day trial

[Screenshot: K7 Ultimate Security 2014 options]

-JZ-

K7 Computing Ireland and UK August 2014

K7 Supports Windows 8.1

K7 Computing released the latest build for K7 antivirus home edition products with enhanced features and support for the latest Windows 8.1 operating system.

Release Notes:

1. Microsoft Windows 8.1 upgrade support added

2. Parental Control/Web filtering support added for Internet Explorer 11 and the latest Google Chrome versions

3. New Scan Engine included as a part of regular speed performance and detection quality enhancements

4. Safe search support added for Internet Explorer 10 and Internet Explorer 11

The new build of K7 Ultimate Security, K7 Total Security and K7 Antivirus Plus, version 13.1.0205 onwards, is delivered to K7 users via the regular update.

For a free 30 day trial visit:

United Kingdom: http://www.k7computing.co.uk/free_trial_download.php

Ireland: http://www.k7computing.ie/free_trial_download.php

K7 Total Security secured yet another VB-100 award

K7 Total Security 13.1 product has earned the latest VB100 award for the Windows XP SP3 platform.

[Image: VB-100 award]

We are pleased to say that we have earned yet another VB-100 award. Constant research and development of K7 antivirus products is gaining recognition among professionals and end users.

The latest K7 Total Security, version 13.1, achieved a higher placing than in previous test results.

The test results show that:

  • K7 has made big improvements in proactive and reactive detection rates for antivirus protection.
  • The Virus Bulletin organisation has praised the new look and feel of K7 Total Security.
  • K7 Total Security is rated as ‘Solid’, which is the best rating for product stability.

Full test results: https://www.virusbtn.com/vb100/archive/test?recent=1

K7 Enterprise Security 2.0 released

K7 Computing is proud to announce the release of version 2.0 of K7 Enterprise Security and K7 Enterprise Antivirus.
The latest version implements new functions and improved performance for its already high-performing antivirus engine for endpoint protection.

The products reflect the need for new security features and enhanced protection tools for business and organisation networks.
Thanks to feedback from client administrators and constant research and development, the most crucial improvements have been addressed in version 2.0.

The products focus on easy implementation and management capabilities while maintaining the low system footprint that K7 products are known for.

Change log:

  • Admin Console (Server)

  1. Multi-Package Support – a unique client setup can be created for each group, so clients are added automatically to the relevant group(s) after installation
  2. Update Settings under Policy (to configure where the clients get their updates from)
  3. Offline Update Support (where the server and clients do not connect to the internet regularly)
  4. New Report type – Blocked Website Category – introduced
  5. Enhanced third-party endpoint removal

  • Endpoint Security (Client)

  1. New version 13 client has been integrated
  2. Windows 8 / Windows Server 2012 compatible
  3. Improved Scan Engine for better scan speed and performance
  4. Enhanced Firewall filtering with IPv6 network support
  5. Enhanced Application Control to support 64-bit network applications
  6. Enhanced Browser Protection

[Screenshot: K7 Enterprise Security 2.0]

K7 Enterprise Security and K7 Enterprise Antivirus version 2.0 are available immediately for download.
Current client installations will be upgraded automatically via regular updates within the coming weeks.

Evaluation license is available through K7 resellers or directly:

Z-Rated

Zero-Access is one of the more prevalent and sophisticated pieces of malware observed in recent times. Similar to other malware in its class, it is able to infect both 32-bit and 64-bit Windows operating systems with kernel mode rootkit components.

Recently it has become apparent that Zero-Access has evolved, some would say ‘regressed’, from a kernel mode rootkit into a user mode patcher. Closer inspection reveals that this latest version infects Microsoft’s Service Control Manager (services.exe) on 64-bit systems. Strangely, the original host bytes don’t appear to be stored in the patched executable, making disinfection non-trivial. Given the importance of the OS application affected, it is advisable to replace the infected binary with an exact copy of the original file. Please note that restoration of the file is best left to the experts.

Distribution methods for Zero-Access include both social engineering tactics & drive-by-downloads. It pretends to be software updates using file names like [Removed]_update_for_Win.exe or pornographic material using file names like animal_[Removed].avi.exe, to lure its potential victims.

K7 security products not only prevent access to the malicious URLs involved in spreading this malware, but also proactively detect components of this malware in real time.

Lokesh Kumar/Samir Mody
K7 TCL