Ransomware, a type of malware which holds your files to ransom by encrypting them and then demanding payment for their “release”, i.e. decryption, is nothing new. Cyber criminals make a lot of money by extorting funds from victims all over the world.
The latest family of widely distributed ransomware is called CTB Locker. In this blog we have decided to provide information about CTB Locker in the form of an FAQ so that our customers and the general public globally may be well-informed about the dangers of this malware family, learn how to avoid it, and be reassured about our robust response to it.
- How do you prevent your computer from becoming infected by CTB Locker?
Let’s begin with this question as it is the most important one to keep your computer safe. Prevention is always better than cure.
The initial spreading vector for CTB Locker is a spam email with enticing content which uses social engineering techniques to convince the potential victim to unzip a ZIP archive attachment (extension ‘.zip’) and execute its embedded file.
This embedded file, which is currently around 40KB in size, may have a misleading extension such as ‘.scr’ in order to masquerade as a screensaver application. This file is the downloader component for CTB Locker’s main payload, which then does the actual file encryption and makes the ransom demands. We urge you to be vigilant against such spam emails, as this is the very first line of defence against CTB Locker as well as a host of other malware families which use the same old time-tested technique to spread.
If an email comes from an unknown or unexpected source containing an attachment or a website link requesting you to open the attachment or click on the link, please exercise extreme caution. We would suggest simply deleting such emails if they are not already quarantined by your spam filter.
The spam emails tend to be targeted at English-speaking countries and at least 3 European countries given that the malware payload provides its ransom messages in German, Dutch and Italian.
This ransomware is not targeted at Indian users per se but given the ubiquitous nature of spam there will be “collateral damage” resulting in not just Indian victims but also many other hapless victims in other non-target countries.
- What should you do when you discover your computer is infected with CTB Locker?
If you have seen messages demanding a ransom as shown above, it is likely that many, if not all, of your personal files such as Microsoft Office documents, PDF, TXT, ZIP and even ‘C’ source code files will be in an encrypted state, i.e. appear to contain random binary junk. Files encrypted by CTB Locker will have filenames of the form yourfile.ext.<7 random lowercase letters>, e.g. 253667.PDF.iryrzpi.
Executable files, e.g. EXE, DLL, OCX, etc., and files with extensions unknown to the malware will not be touched.
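As an added example (not K7's code or tooling), a small Python triage routine that flags likely CTB Locker victims by combining the naming pattern described above with an entropy check on the file contents; the sample file names other than 253667.PDF.iryrzpi, and all sample contents, are constructed for the illustration.

```python
import hashlib
import math
import re
from collections import Counter

# CTB Locker appends seven random lowercase letters to the original file name,
# e.g. "253667.PDF.iryrzpi" (naming pattern taken from the post above).
CTB_NAME = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9]{1,5})\.(?P<tag>[a-z]{7})$")

# Extensions the post says the malware leaves untouched; skip them so a
# stray seven-letter suffix on an executable is not reported as a victim.
UNTOUCHED = {"exe", "dll", "ocx"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted data approaches 8.0, plain documents sit far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(name: str, data: bytes, threshold: float = 7.0) -> bool:
    """True when the CTB-style name and high-entropy content agree."""
    m = CTB_NAME.match(name)
    if m is None:
        return False
    orig_ext = m.group("orig").rsplit(".", 1)[-1].lower()
    if orig_ext in UNTOUCHED:
        return False
    # Only the first 4 KiB is needed: encryption leaves no low-entropy header.
    return shannon_entropy(data[:4096]) >= threshold

def triage(files: dict) -> list:
    """Return the original names of files that appear to be CTB Locker victims."""
    return sorted(CTB_NAME.match(n).group("orig")
                  for n, d in files.items() if looks_encrypted(n, d))

# Constructed sample contents: a deterministic high-entropy blob standing in
# for ciphertext, and a repetitive low-entropy blob standing in for plaintext.
ENC_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
TEXT_BLOB = b"%PDF-1.4 " * 300

SAMPLE_FILES = {
    "253667.PDF.iryrzpi": ENC_BLOB,   # name from the post, contents constructed
    "notes.txt.abcdefg": TEXT_BLOB,   # CTB-style name but readable content
    "report.docx": ENC_BLOB,          # high entropy but no CTB suffix
    "setup.exe.qwertyu": ENC_BLOB,    # executables are left alone by the malware
}

if __name__ == "__main__":
    print(triage(SAMPLE_FILES))  # ['253667.PDF']
```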
First and foremost, we would request that you do not attempt to pay the ransom to get your files back. Even if the cyber criminals do actually decrypt your files, the money they get from you will only serve to encourage them to continue their nefarious practices, investing R&D in enhancing their capabilities and global reach. Cyber criminals must be stripped of their Return on Investment incentive to create malware.
Once you have decided not to pay the ransom we would recommend removing the malware immediately. This can be done most easily by:
- updating your product
- rebooting into Safemode
- performing an on-demand scan on your computer
- removing the detected components. Note, the main CTB Locker payload is detected as ‘Trojan ( 0049d83b1 )’ and its downloader component is detected as ‘Trojan-Downloader ( 00499db21 )’.
- Is it possible to decrypt files encrypted by CTB Locker?
The malware itself demonstrates that decryption is possible by randomly choosing 5 encrypted files and decrypting them.
However, the malware uses a high-grade encryption algorithm with a key which is unique to your computer, rendering it effectively impossible to force a decryption en masse.
- How can files encrypted by CTB Locker be restored?
It may not be possible to restore all files encrypted by CTB Locker. However, if your Windows operating system supports System Restore it is possible to recover the contents of many of your folders to a recent restore point before the infection took place.
The most reliable solution, though, is to restore your critical files from regular backups. If you don’t back up your important files regularly then we urge you to start doing so ASAP. Apart from a CTB Locker infection, there are numerous other factors which could render your files irrecoverable in the future, including a hard disk failure. Note, it may also be possible to use deep forensics tools to recover some critical files if they still exist on sectors of the hard disk, but this is not an alternative to regular backups.
- Will paying the ransom actually decrypt your files?
We refuse to pay any ransom so we are unable to confirm whether payment will actually result in your files being released. Once again, we would request you to not attempt to pay the ransom for the reasons mentioned earlier.
- Why did K7 not detect and remove CTB Locker?
At K7 Threat Control Lab we are constantly monitoring and acting against CTB Locker infections, including coding robust generic detection for all components of CTB Locker. However, the cyber criminals behind the CTB Locker family have been investing considerable resources in morphing, i.e. changing the appearance of, all their components and spam emails such that they may sometimes be able to get past security scanners, not just K7’s, albeit for a very short period of time. We at K7, and our colleagues at other security companies, are working hard to stay ahead of CTB Locker in order to protect all our customers across the planet.
Senior Manager, K7TCL
Zero-Access is one of the more prevalent and sophisticated pieces of malware observed in recent times. Similar to other malware in its class, it is able to infect both 32-bit and 64-bit Windows operating systems with kernel mode root-kit components.
Recently it has become apparent that Zero-Access evolved, some would call it ‘regressed’, from a kernel mode root-kit into a user mode patcher. Closer inspection reveals that this latest version infects Microsoft’s Service Control Manager (services.exe) on 64-bit systems. Strangely, the original host bytes don’t appear to be stored in the patched executable, making disinfection non-trivial. Given the importance of the OS application affected, it is advisable to replace the infected binary with an exact copy of the original file. Please note that restoration of the file is best left to the experts.
Distribution methods for Zero-Access include both social engineering tactics and drive-by downloads. It masquerades as software updates, using file names like [Removed]_update_for_Win.exe, or as pornographic material, using file names like animal_[Removed].avi.exe, to lure potential victims.
K7 security products not only prevent access to the malicious URLs involved in spreading this malware, but also proactively detect components of this malware in real time.
Lokesh Kumar/Samir Mody
Malware authors work round the clock to serve up mouth-watering malware to an unsuspecting victim.
What we have on today’s menu is a small but effective tweak that malware authors incorporated into their “software” that makes %AppData% the prime real estate on your system’s hard drive for malware and their families.
The Application Data area of the current user, to be more specific. This is one location on your hard drive that stands exposed to multiple hits of various malware families.
For starters let’s look at where this folder is found on your machine. In WinXP it’s at <root>\Documents and Settings\%Current_User%\Application Data and <root>\Documents and Settings\%Current_User%\Local Settings\Application Data. For Vista and Windows 7 it’s at <root>\Users\<username>\AppData\Roaming and <root>\Users\<username>\AppData\Local. (Please feel free to do a quick check in these areas on your computer to find out if you have something suspicious lurking…)
It wasn’t always this way. It was only recently that most of the file-copy actions moved from the Windows, System32, and Program Files directories to the %AppData% directory.
So, “Why move away from the system areas?”, you might ask. Well, that’s the main course. The basic answer could well be that relatively recent flavours of Windows, i.e. Vista and Windows 7, with their stronger security measures, have succeeded, to a certain extent, in forcing malware authors out of the system areas and into the %AppData% areas.
System areas are now protected and require Administrator privileges to effect a modification. So why worry about putting in extra code when it’s not needed, the malware authors might have thought. Malware families with a legacy, like ZBot, have moved out of the system directories. Yes, gone are the days of %System%\SDRA64.EXE, %System%\NTOS.EXE etc. It’s now just random folders and random filenames in the AppData path. Rogue AVs that used to ‘install’ under proper program directories, viz. %Program Files%\Antivirus 2008\Antvrs.exe, have now become ‘xyz123.exe’s in %AppData%.
And, finally, for dessert. We would only say that the system directories haven’t been deserted entirely but have just been relegated to second choice. AppData is the new “system area” for malware authors. Note, under Windows XP you don’t require administrator privileges to copy any file into a system area and masquerade as a system file.
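An added example, not part of the original post: a Python hunt that walks a listing of file paths and flags executables dropped into the AppData locations named above, either directly in the root or behind a random-looking folder or file name. The “random-looking name” heuristic and the sample paths are assumptions constructed for the illustration, not K7 detection logic.

```python
import re
from pathlib import PureWindowsPath

# Per-user drop zones named in the post: the Vista/7 AppData\Roaming and
# AppData\Local folders and the XP-era "Application Data" folder.
APPDATA_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\application data\\")
ROOT_NAMES = {"roaming", "local", "application data"}
EXEC_EXTS = {".exe", ".scr", ".dll", ".com"}

def looks_random(name: str) -> bool:
    """Assumed heuristic: 'xyz123'-style names mix letters and digits, or have
    almost no vowels ('kfsdqw'); real vendor folders rarely look like that."""
    stem = name.lower()
    if not re.fullmatch(r"[a-z0-9]{5,}", stem):
        return False
    letters = sum(ch.isalpha() for ch in stem)
    digits = len(stem) - letters
    vowels = sum(ch in "aeiou" for ch in stem)
    return (letters > 0 and digits > 0) or (letters > 0 and vowels / letters < 0.2)

def suspicious(path_str: str) -> bool:
    """Executable under AppData that sits in the root or behind a random name."""
    p = PureWindowsPath(path_str)
    lowered = str(p).lower()
    if p.suffix.lower() not in EXEC_EXTS:
        return False
    if not any(m in lowered for m in APPDATA_MARKERS):
        return False
    parent = p.parent.name.lower()
    return parent in ROOT_NAMES or looks_random(p.stem) or looks_random(parent)

def hunt(paths) -> list:
    """Return the paths worth a closer look, in input order."""
    return [path for path in paths if suspicious(path)]

# Constructed sample listing (not taken from a real machine).
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\xyz123.exe",                    # random name in root
    r"C:\Users\alice\AppData\Roaming\kfsdqw\ntos.exe",               # random folder
    r"C:\Users\alice\AppData\Local\Microsoft\Teams\Teams.exe",       # ordinary vendor path
    r"C:\Users\alice\AppData\Roaming\Adobe\report.pdf",              # not executable
    r"C:\Program Files\Antivirus 2008\Antvrs.exe",                   # old-style location
    r"C:\Documents and Settings\alice\Application Data\sdra64.exe",  # XP layout, in root
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_PATHS):
        print(hit)
```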
In tales of yore, circa 2007, DNSChanger malware, which modify certain network settings to point to a rogue server, were as prevalent as the Stegosaurus. Fast forward almost four years, to the present day, their legacy still remains. They say the FBI, having discovered the rogue DNS servers, decided to clean them up and allow them to serve the public good. That is, only until the 8th of March, 2012.
According to much hyped reports in recent weeks, the 8th of March was to be the day the internet died, as the FBI would have been forced to lay to rest those servants of the public weal. If you are still reading this post then your computer didn’t fall victim to the supposed blackout. There are at least two possible reasons for this:
- The FBI has obtained an extension of the deadline. Apparently the dreaded Death Of Internet Day (DOID) has been postponed to the 9th of July, 2012
- Lo and behold, you are not infected with DNSChanger malware and never have been
If you have been a K7 customer for a while, point 2 applies to you. Just to be on the safe side, K7 Security products sniff for the erstwhile rogue DNS entries and snuff them out if found, thereby ensuring that our brand new customers too are free from DOID.
Samir Mody/Lokesh Kumar
One of the items on a malware author’s checklist while distributing malicious code is to make sure that their malware (virus, trojan, backdoor, keylogger, phishing tool, etc.) remains undetected for as long as possible. Scanning their creation with a multi-engine Anti-Virus scanning system is one of the many techniques in their arsenal which ensures just that.
Although it is time-consuming and resource-intensive, the malware author installs various Anti-Virus products and keeps them updated. The malicious files are scanned on this system before they are distributed to the victim.
For malware authors/script kiddies who can’t afford to build such a system, there are underground sites which mimic genuine online file/URL scanning services. A significant difference being that these underground sites, in exchange for money, promise not to distribute the scanned files to the Anti-Virus vendors. Given below are screen shots of two such sites:
Then there are tools which incorporate multiple scanners and are distributed for free. For example, one such tool for scanning with multiple AV engines:
If their malicious code is detected by the Anti-Virus vendors during the initial stage of the attack, the malware authors react quickly and change their binary.
While traditional MD5-checksum-based detections alone might be ineffective against such files, a combination of several detection methods, including a behaviour-based approach, will prove far more effective.
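Added illustration of the last point, not K7's detection engine: a Python comparison of an exact MD5 match against a wildcard byte-pattern match on two constructed samples that differ by a single byte and some padding. The byte sequences, the pattern and the “known hash” set are all made up for the example.

```python
import hashlib

# Constructed stand-ins for two builds of the same malicious program: the code
# bytes are identical, only a 4-byte build stamp and the trailing padding differ.
STABLE_CODE = b"\x55\x8b\xec\x83\xec\x20\x68\x00\x10\x00\x00\xe8"
SAMPLE_A = b"MZ" + b"\x00" * 6 + b"\x01\x02\x03\x04" + STABLE_CODE + b"\x00" * 4
SAMPLE_B = b"MZ" + b"\x00" * 6 + b"\x01\x02\x03\x05" + STABLE_CODE + b"\x00" * 12

# A checksum signature is the MD5 of the one sample the lab has seen so far.
KNOWN_MD5 = {hashlib.md5(SAMPLE_A).hexdigest()}

# A byte-pattern signature for the same code; None is a wildcard over operand
# bytes that legitimately change between builds (stack size, pushed address).
PATTERN = [0x55, 0x8b, 0xec, 0x83, 0xec, None, 0x68, None, None, None, None, 0xe8]

def md5_detect(sample: bytes, known=KNOWN_MD5) -> bool:
    """Exact-checksum detection: any single-byte change in the file defeats it."""
    return hashlib.md5(sample).hexdigest() in known

def pattern_detect(sample: bytes, pattern=PATTERN) -> bool:
    """Slide the wildcard pattern over the sample; match on the stable bytes only."""
    plen = len(pattern)
    for off in range(len(sample) - plen + 1):
        if all(p is None or sample[off + i] == p for i, p in enumerate(pattern)):
            return True
    return False

def compare(sample: bytes) -> dict:
    """Outcome of both methods for one sample."""
    return {"md5": md5_detect(sample), "pattern": pattern_detect(sample)}

if __name__ == "__main__":
    print(compare(SAMPLE_A))  # {'md5': True, 'pattern': True}
    print(compare(SAMPLE_B))  # {'md5': False, 'pattern': True}
```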
R.V Shyam Charan