CryptoPrevent v6 is no longer based solely on Windows software restriction policies, and now includes a real-time filter and definitions files/updates! The new ‘Filter Module’ can filter certain executables against hash-based definitions, can also filter based on other criteria using a more complex rule set, and allows the user the option to run the file anyway. Enabled for CPL, SCR, and PIF files by default – advanced options allow enabling it for EXE/COM files also (experimental!) New...
Just a quick heads up: today a new vulnerability was discovered in how MS Word opens RTF files. Microsoft has released a patch, which is already included in d7II v1.4.6 on the Tweaks tab under MS Office. http://thehackernews.com/2014/03/microsoft-word-zero-day-vulnerability.html https://support.microsoft.com/kb/2953095
Here’s an interesting email I just received by Chief-01 from deviantart.com: “My friend’s company got hit by Cryptolocker and they bought the key, but their computers got moved around before they paid and not all the files got decrypted because the registry paths to the files were no longer valid. I wrote a python script to take care of the missed files for them. As long as you have the private key this program will...
First on the list is protection from executables running from inside the Recycle Bin – you know that pesky type of malware that likes to hide in nested subfolders in there… Protected. Next on the list is the new optional CryptoPrevent Automatic Updates service for home users! ’nuff said.
With all this mess about Cryptolocker going around, a lot of folks are looking to immunize themselves from this nasty bit of malware which will encrypt user files and hold them for ransom. Removal of the malware is easy with d7, but there is no known method to decrypt the files except by paying the ransom, so prevention is crucial. There is a Cryptolocker Prevention Kit here: http://msmvps.com/blogs/bradley/archive/2013/10/15/cryptolocker-prevention-kit.aspx however the kit is for domains and professional...
The latest variant, as discussed by Sophos, is a user-mode-only variant (for 64-bit OS compatibility) whose removal process is quite different from previous versions. Fortunately, it’s easier! So I wrote a quick removal tool. Download the Removal Tool and check out our YouTube video and one from Britec09 here. The tool first scans the appropriate registry values for the infection, and if found it will extract the paths of the malware from...
Still in search of a complete ZeroAccess malware sample… But I thought I would share a few spots I’ve found to pick up various malware samples, for others in their search… A lot of people know of www.malwaredomainlist.com, a site listing infected domains. Unfortunately, all but the most recent entries on the site are usually already taken down or no longer spread infection. Then there is http://www.offensivecomputing.net/ where you can directly download samples. I have several notes for you on this site…
Please email me your COMPLETE samples (I want a nice full infection here, no stubs!). I’d prefer you compress them in 7z format and password protect the archive, then rename it to a non-standard file extension. I don’t need my email provider rejecting important mail! I’m trying to collect good samples with which to make some new YouTube vids demonstrating removal techniques with D7. Thanks!
D7 v4.6.4 now includes special methods for deleting the reparse point created by this malware, on the Tweaks tab > NTFS Junctions. The new function is “Destroy Junction”, which can delete the junction point on top of the directory where the malware hides, allowing you to then delete that directory. Haven’t seen this malware before? I’m talking about what some call “zeroaccess”, and it can be easily identified because you will...