True Story: Rescue From a Zero Day Virus

DoD photo by Shane Hollar, U.S. Navy. (Released)

A zero day virus is a brand-new virus that has just been released to the public, and for which there is not yet any information or antivirus protection. This is the story of how our team encountered and identified a new Cryptolocker variant, and then raced the clock to prevent its spread and data loss.

Last week a client called in stating that their server was filled with files with the extension .ECC. This was an extension we had never seen before, so it immediately flagged a potential threat for us.

According to our research, .ECC files are associated with DVDisaster — an application created by a developer named Carsten Gnörlich. This didn’t really make any sense; we doubted our clients were using this new application. And even if they were, why would the application create .ECC files on their file server? We couldn’t figure it out.

Unless…!

Suddenly we realized we were dealing with a virus. We began scanning their file server with our antivirus and malware tools. But our tools came up empty. What gives?

Still playing on our virus-hunch, we decided to bring one of the .ECC files into our test environment. Carefully, we opened it up.

And there it was: a variant of Cryptolocker, in all of its terrible glory.

Our client’s network was infected.

We scoured the Internet but couldn’t find anyone, anywhere, who had seen this Cryptolocker variant. Not only were we dealing with a vicious form of ransomware, but, we realized, we were dealing with a zero day virus. There was no antivirus for it yet, because it was brand-new.

Our team has extensive experience dealing with Cryptolocker, so we had a baseline for this virus’s likely behavior. Cryptolocker first encrypts the user’s own hard drive and then tries to encrypt mapped network drives. We immediately began looking for the host machine.

A host machine is the machine that introduced the virus into the network.
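As an added example (not the author’s tooling), here is a Python triage script for exactly this situation: given a listing of a file share, it pulls out the files carrying the unexpected extension and ranks the accounts that wrote them, which gives a first lead on which machine introduced the infection. The listing format (path, owning account, modified time) and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of a file-share inventory: (path, owning account, modified time).
SAMPLE_LISTING = [
    (r"\\fs01\shared\finance\q1.xlsx.ECC", "CORP\\jdoe", "2015-03-02 09:14:05"),
    (r"\\fs01\shared\finance\q2.xlsx.ECC", "CORP\\jdoe", "2015-03-02 09:14:07"),
    (r"\\fs01\shared\hr\policy.docx.ECC", "CORP\\jdoe", "2015-03-02 09:16:40"),
    (r"\\fs01\shared\hr\handbook.pdf", "CORP\\asmith", "2015-02-20 11:02:00"),
    (r"\\fs01\shared\it\notes.txt.ECC", "CORP\\svc_backup", "2015-03-02 09:20:01"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_suspect_files(listing, ext=".ecc"):
    """Rows whose path ends with the unexpected extension (case-insensitive)."""
    return [row for row in listing if row[0].lower().endswith(ext)]


def rank_writers(listing, ext=".ecc"):
    """Group suspect files by the account that wrote them.

    The account with the most hits and the earliest write is the first lead
    for the host machine (a triage heuristic, not proof of infection).
    Returns a list of (owner, stats) sorted by count desc, then first write asc.
    """
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for _path, owner, ts in find_suspect_files(listing, ext):
        t = parse_ts(ts)
        s = stats[owner]
        s["count"] += 1
        if s["first"] is None or t < s["first"]:
            s["first"] = t
        if s["last"] is None or t > s["last"]:
            s["last"] = t
    return sorted(stats.items(), key=lambda kv: (-kv[1]["count"], kv[1]["first"]))


if __name__ == "__main__":
    for owner, s in rank_writers(SAMPLE_LISTING):
        span = (s["last"] - s["first"]).total_seconds()
        print(f"{owner}: {s['count']} suspect files, first write {s['first']}, span {span:.0f}s")
```

The encrypted files themselves are not malicious, so the listing is only used to locate the writer; nothing is deleted.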

Once you locate the culprit, you can choose to remove Cryptolocker from the infected machine with your AV or malware tools. In this case, as a precaution, we decided to pack up the machine and wipe the hard drive completely. Cryptolocker has a nasty habit of encrypting files and hiding them on the hard drive. Because this was a zero day infection, we were not sure whether this variant had left any malicious files on the server — or anywhere else.

In past versions of Cryptolocker, once you found and killed the host machine, you could delete the files. (They are pretty much useless without the encryption key, and the files themselves are not malicious.) But since we weren’t sure, we decided to use our Microsoft partner account to reach out to the WOLF team.

WOLF is the team at Microsoft that is dedicated to security, vulnerabilities, and virus/malware removal. They are essentially the software world’s version of the Navy SEALs. They are fantastic. We called them up, and, like a true black ops team, they jumped in with their custom-built tool and scanned the server and the network, looking for any traces of the virus left behind.

The WOLF team was able to determine that the .ECC files were merely encrypted, and no further infection existed. They were also able to determine how the virus came into the network and what vulnerabilities caused this.

We patched machines to keep them secure, and we also recommended that users do the following:

  1. Ensure your antivirus is up to date and properly scanning.
  2. Install a complementary malware scanner in addition to your antivirus. (We recommended Malwarebytes Pro.)
  3. Install AdBlock Plus for all Internet browsers. This blocks unwanted ads and can also help protect you from anything trying to get through them. For information on AdBlock Plus for Chrome, click here.

With good, current backups, patching of Windows and third-party applications, and the steps above, I believe any company can stay safe out in the cloud without compromising employees’ freedom to go where they choose.

For more information about Cryptolocker, or any security issues, feel free to call our engineers at Everon at 1-888-244-1748.

Windows 8 Tricks: Creating a Picture Password

When Microsoft released Windows 8 they were targeting the tablet population. So, naturally, they built in some pretty neat tricks using hand gestures. One of the coolest tricks introduced is the addition of picture passwords.

In the past, when locking a machine, you would have to use a standard keyboard password that included letters, numbers, symbols, or any combination of those. With Windows 8 you can now choose a Picture Password. What this means is that you choose a picture, draw up to three gestures on the picture, and this will unlock your machine.

To turn on this feature, go to “Sign-In Options” under the Users tab (found under Change PC Settings). There will be an option for “Create a Picture Password.”

You are limited in what gestures you can put onto your picture. They can only be circles, lines, or taps. When logging in, you will have to use the same three gestures in the same three areas on the picture to get into the machine. But otherwise, it’s as simple as that.

One thing to note: researchers at Arizona State University and Delaware State University believe this method of authentication can be cracked rather easily. You can read about their study here. Consider that when creating your picture password. (To understand how secure passwords are and how easily they can be cracked, check out my previous blog post detailing that information here. While the picture password option is a very neat idea, and can work in safe, internal situations, nothing beats the standard text password.)

To understand all of your options, and see some cool tips and tricks for Windows 8, feel free to reach out to our engineers at Everon: 1-888-244-1748. We’re here for you 24/7, 365.

Tech Tips for Techs: Easy method to access Integrated Lights Out (iLO) on an HP server

HP servers have a feature called the remote access card, or Integrated Lights Out (iLO). Integrated Lights Out is a way for techs to remotely access a server. In the event of a power-outage, for example, iLOs are a way for remote techs to restore power to a downed server.

There are many ways to access iLO, but the easiest, using the defaults, is by secure shell. I use PuTTY (www.putty.org) for this. Use it to connect to the public or private IP address of the iLO card. When you have authenticated properly, you will see a prompt that looks like this, with a blinking cursor: </>hpiLO->

Type POWER (and hit Enter) to see the current status of the server’s power. POWER ON (hit Enter) will power on the server, and POWER OFF will power it off. When powering on, you can watch the POST boot text by typing TEXTCONS (hit Enter) to make sure the server is coming up correctly. Once the server’s GUI loads, you lose your remote console connection.

Classic Shell: The COOLEST Windows 8 Software Yet

If you are like me, Windows 8 threw you for a loop. With Windows 7 and earlier, you could fly around in the OS, and life was simple. But Windows 8 forced you to think about where you needed to go. It also introduced the Metro design, in which you now had tiles. Tiles are great for anyone with a tablet, but not always convenient for office employees. 

Windows 8.1

Last year the highly publicized Windows 8.1 update came out, which added in a new-and-improved Start Menu. It was nice, but tiles were still a big part of that feature. Tiles are utilized in areas that are frequented by everyday users (Documents, Control Panel, Administrative Tools, etc).

For those who dislike the tile feature, I introduce to you… Classic Shell.

Classic Shell

Classic Shell is software that you can install on your Windows 8 or 8.1 machine to get the look and feel you have been wanting. The nice thing about Classic Shell is its customization. You can make it look like one of several variants of the Windows 7 Start Menu, and you can also tell Classic Shell to boot to the desktop, so you are not defaulted to the Metro design.

Classic Shell also works on the Windows 8 server equivalents, Server 2012 and Server 2012 R2.

Give Classic Shell a try, and if you need help in customizing it, feel free to call our experts here at Everon at 1-888-244-1748. (Or email us at info@everonit.com.) We’re here for you.

It’s a Bird, It’s a Plane, It’s a…. Superfish? What this is and how you might already be protected

You may have heard of a trending topic called Superfish. No, it’s not some kind of giant squid or aquatic vigilante. In fact, it’s something with malicious potential that could live on your very hard-drive.

What is Superfish? Well, it’s a type of adware, the likes of which you have probably seen before: unwanted ads, additional pop-ups when browsing, or highlighted text that links you to online shopping results.

How is Superfish different? Superfish was recently discovered pre-loaded on some computers. Most adware is user-installed, inadvertently, when people visit sites and pick up “cookies” that track their shopping habits, etc. While normally harmless, and intended to enhance the online shopping experience, this particular adware has been found to have unfortunate, greater implications — ones that made users vulnerable to hacking. What was created as a partnership to enhance online shopping, in this case, unwittingly turned into a much larger security issue. Superfish had a back door that could allow hackers to access credentials, passwords, or any items they put into their browsers. If a Superfish-carrying computer is used over open-access portals, such as public WiFi, a user could be at risk. This exposure creates a potential security loophole.

Fortunately, Windows was quick to update its Windows Defender anti-malware program to detect and automatically remove the compromised adware. Computer manufacturers have also provided their own set of tools and source code to help others look for any issues that might have been missed.

At Everon, we routinely strip all of the computers we set up for any of our clients. We then reload the hard drives with only the software and systems our clients want and need — leaving out what they don’t. As a precaution, though, as soon as we became aware of the Superfish issue, we immediately assessed all of our Managed Customers’ computers. Because of our standard due diligence in doing set-ups, our customers could breathe easy: we uncovered only one instance of Superfish, out of over a thousand Managed Customer computers. (We immediately removed the adware on the isolated machine, without the client having to do anything.)

But what if you’re not an Everon Managed Customer? How do you fix this problem?

Well, here is a step-by-step guide to removing Superfish from your computer. However, if you would just feel more comfortable, feel free to contact one of our Everon techs at 888-244-1748. Or contact us at info@everonit.com. We’ll be happy to assist you.