-
WSTinto Tech
AskWoody Lounger
December 19, 2013 at 3:05 pm in reply to: Is it safe to use Java for non-Internet applications? #1430161
Java has been the major gateway for infections for the last 2-3 years.
This, and Bruce’s pareto above, amount to a rather inconvenient truth for some people I fear.
It’s not just web-based Java threats; there are plenty of other vectors for a malicious Java applet to be launched. In my opinion, if the OP absolutely must have Java then he should turn it off in the browser as a minimum, but far better not to have it installed in the first place.
Personally, I won’t allow Java anywhere near machines that I’m responsible for unless I absolutely must. I’ve come across just one line-of-business application this year which required Java to run – it’s a proprietary tool that establishes a secured communications channel used to access and control remote equipment, and has no alternatives.
The users of the machines that require this software are given the tools that they need to do their jobs, but I don’t like having a potential backdoor in my network.
-
WSTinto Tech
AskWoody Lounger
I would say an unequivocal Yes... but perhaps not in the way you mean.
An attacker might not be able to get past the NAT without human interaction, but assuming for one moment that they do get in, then they most certainly can get out.
Anyone attempting to compromise a system will go for the low-hanging fruit, so to speak: so think about spear phishing, drive-by downloads, system and process vulnerabilities etc. Attacking the NAT and firewall will be low on the priority list in my opinion.
An often-used trick in penetration testing is to leave a compromised USB device or CD with a presentation in the car park and wait until it phones home. The results are often frightening.
In other words, it’s much easier to get a compromised system to phone home than to break down the front door.
-
WSTinto Tech
AskWoody Lounger
December 18, 2013 at 2:15 pm in reply to: Installing Windows Server in preparation for SQL Server #1429735
Only when I’m right…..
:rolleyes:
-
WSTinto Tech
AskWoody Lounger
December 18, 2013 at 2:06 pm in reply to: Installing Windows Server in preparation for SQL Server #1429731
I tend to agree with Paul on this. If you install 2008R2 or 2012 and then get stuck into learning AD, you could be diverting your learning resources and / or capacity away from learning how to manage SQL instances in order for you to master AD. By the time you realise it you will have trained yourself to be a SysAdmin rather than a DBA.
Yes, there are some commonalities – but the people that can master both at the same time are talented and highly experienced.
While working as a SysAdmin, I encounter and work with various SQL databases daily, but I often have to refer to my documentation, or other sources. I don’t consider myself to be a DBA, rather a SysAdmin that can keep a lid on the SQL when needed.
My experience of DBA colleagues is likewise: they can manage a server and can interact with AD if needed, but usually only venture far enough to get their task at hand done.
There is no harm in running through some of the Technet virtual labs in AD to familiarise yourself, but if you are interested in becoming a DBA, I would recommend not to get too bogged down in Domain Administration tasks at the outset.
-
WSTinto Tech
AskWoody Lounger
December 15, 2013 at 4:58 am in reply to: Unable to access any site that starts with clicks.aweber.com #1429036
A few random thoughts:
The problem exists over three machines, so it is something common to all of them, rather than on one machine.
Could the ISP be blocking access to that location? Do you have the same antivirus, firewall and security settings on all PCs (check rather than assume)? Is your router configured to reject certain sites? These are all common to each machine.
Regarding the Hosts file: this simple text file is used to map IP addresses against hosts (PCs, web servers, FTP servers or any other host). These hosts could be internet-based hosts or local hosts – locally based programs, for example. Sometimes malware attacks the hosts file and injects entries that redirect normal websites to malicious IP addresses.
You cannot turn off the hosts file – it is a file that exists or doesn’t exist. It is not an active component that you can turn on or off. You can however adjust Internet Explorer and other browsers to either look up the hosts file or not. If you use Hosts redirection via your browser, this will be in addition to using DNS requests to your router and ISP (I think this also can affect NETBIOS lookups but not sure). But even if you do use Hosts redirect, nothing will occur unless there is an entry in the hosts file.
The Hosts file is located at %windir%\system32\drivers\etc and can be edited using Notepad.
A clean Hosts file looks like this:
Code:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
If you have any other entries in the hosts files on all three machines, consider how those entries could have got there. Due to the inherent dangers of having malicious entries in a Hosts file, any program that makes changes to the Hosts file should always do so at your specific request or with your explicit approval.
If for example, you have an entry that says something like
Code:
127.0.0.1 aweber.com
then all traffic destined for that location will be redirected to the local host, i.e. your PC, and you will not be able to browse to the location on the web.
As a side comment, running machines from an administrator account makes it easier for malware to inject entries into the Hosts file because that malware already has the same privilege as the user and does not need to elevate privileges to make changes to this protected file. It makes sense to routinely operate a machine at the lowest level of privileges necessary to get the job done.
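As an added illustration of the Hosts file checks described in this post (example code, not something from the original thread), the script below parses a hosts file the way Windows does (IP in the first column, one or more names after it, `#` starting a comment) and flags every active entry that is not the stock loopback-to-localhost mapping, whether a real site is sinkholed to 127.0.0.1 or redirected to a foreign address. The sample file contents are constructed for the example; on a real machine you would read `%windir%\system32\drivers\etc\hosts` instead.

```python
import ipaddress

# Constructed sample hosts file: part of the stock Windows comment header
# plus two entries of the kind the post warns about (made up for this example).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 aweber.com                 # sinkholes a real site to this PC
203.0.113.7 www.example-bank.test    # redirects a site to a foreign address
"""

# Names that legitimately map to a loopback address on a default install.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (line_number, ip, [hostnames]) for every active entry.
    Everything after '#' is a comment; blank and malformed lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no host name does nothing
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an IPv4/IPv6 address
        entries.append((lineno, ip, [name.lower() for name in fields[1:]]))
    return entries


def audit_hosts(text):
    """Flag every mapping a clean file should not carry.
    Returns a list of (line_number, hostname, reason)."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            if ip.is_loopback and name in LOOPBACK_NAMES:
                continue  # the only mapping expected on a clean machine
            if ip.is_loopback:
                reason = "site sinkholed to loopback (it will be unreachable)"
            else:
                reason = f"site redirected to {ip}, bypassing DNS"
            findings.append((lineno, name, reason))
    return findings


if __name__ == "__main__":
    for lineno, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name}: {reason}")
```

An empty result from `audit_hosts` on all three machines rules the Hosts file out and points the investigation back at the router, the ISP or the security software.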
-
WSTinto Tech
AskWoody Lounger
December 14, 2013 at 8:12 am in reply to: Recovery suggestions for self-inflicted hard drive problem, please #1428864
Hello Steve,
The free version of Find and Mount is limited to 512kb/s during recovery. See here: http://findandmount.com/pfm/, so you could buy the Pro version which will significantly speed up recovery.
Alternatively, you could use the free partition recovery tool from MiniTool here : http://www.minitool-partitionrecovery.com/recoverymore.html
Once you have the data recovered, take an image based backup and store it offline.
-
WSTinto Tech
AskWoody Lounger
Not fair, writing in languages not everybody can read ;).
No fankle: some don’t have a scoobie, but yer ken.
Translation: Relax, everyone can read it, but only “the chosen ones” can understand it.
:whisper:
-
WSTinto Tech
AskWoody Lounger
I did some more digging around. It seems the Crypto Prevent tool injects software restrictions directly into the registry and does not use local policies at all. I guess that makes sense, since it is designed for pro and home versions of the OS so can’t rely on group policy editor being present.
I then searched the registry, for various entries and did find a couple of keys related to Foolish IT (the developer), but didn’t have time to locate any kind of table that might indicate which applications are being blocked and which are whitelisted. If I had time I could take a clean install of Crypto Prevent and one with a single app added to the whitelist and run a file compare on the saved registries to find out where and how.
But I didn’t have time, and for the purposes of this discussion I think it is a moot point because of the following reasons:
In a limited deployment of similar blocking techniques, some genuine software was tripped up. Thus, to address the question from Bobprimak earlier, in my opinion that means MS would have a pretty hard time developing and updating a blocking algorithm that is anywhere near responsive enough for all the apps that at some point in time might want to execute from there.
Foolish IT can do it because they are a small shop offering a standalone patch with caveats and are open about the hazards. MS couldn’t do it because countless hundreds of millions of users would pick up the patch and goodness knows how many apps would break.
I think this goes back to closing the door after the horse has bolted. The problem does not appear in hardened OS’s, but does in Windows because of historical design choices that were made well over a decade ago.
In some cases (for example my work environment) it makes sense to deploy software restriction policies, but that is not necessarily proven to be the best solution for home situations where a behavioural firewall (i.e. a HIPS) could provide a better option.
HIPS costs money, Crypto Prevent is free. Perhaps that’s the differentiation?
-
WSTinto Tech
AskWoody Lounger
Something very odd….
On an XP Virtual Machine, with Crypto Prevent v4.3 installed, Office 2010 installs without error.
However, if I run RSOP on the machine there are no software restriction policies set. Crypto Prevent appears to be passing its own self-test because I can see an event 866 in the event logs when I use its self-test:
35646-Crypto-Prevent-self-test
but RSOP shows no restrictions:
35643-RSOP-Computer-Config
35644-RSOP-User-Config
My manually set software restriction policies pushed by GPO do indeed cause Office installation to fail by blocking ose0000.exe:
This is not what I had expected from Crypto Prevent. I had expected it to apply the restriction policies in the same way as the bleepingcomputer article previously referred to. So now I’m not sure where Crypto Prevent is applying these policies and whether it has a whitelist entry for ose0000.exe.
Sorry, I think the waters just got even murkier :huh:
-
WSTinto Tech
AskWoody Lounger
Agreed.
I’ll try to make time to install Office on a fresh VM with Crypto Prevent installed and feed back the results. Or maybe somebody else could verify and add their experience?
-
WSTinto Tech
AskWoody Lounger
You mean CryptoPrevent prevents Office from installing?
Yes, if my understanding and implementation of the Crypto Prevent mechanism is correct.
I use the same generic rules that Crypto Prevent uses, but pushed through GPO to our machines on a domain based network. Installation of Office 2010 and Office 2013 were both blocked on two new machines I recently setup. I don’t have the details of the blocked application to hand right now, but I’ll see if I can dig it out later and update.
The event log was quite explicit recording the software restriction policy being triggered.
After dropping the machines off the domain, thereby implementing default group policies, Office installed without a hitch. After installation, both versions of Office run just fine on the domain with the restriction policies implemented.
I’m torn between blaming MS for deploying the Office installer to execute from within %appdata%/temp and Crypto Locker for giving me a headache I didn’t have before.
However, every cloud has a silver lining and Crypto Locker has given me reason to review security at work and at home with a fresh pair of eyes.
-
WSTinto Tech
AskWoody Lounger
Definitely get rid of potential duplicated computer accounts in AD, otherwise it will get very confused.
Another thought: make sure you are using the FQDN. For example test.local rather than test.
Good luck!
-
WSTinto Tech
AskWoody Lounger
Lest my point be lost, I am still wondering why the protections which the Windows Secrets article suggests, or which Crypto Prevent supplies, could not be rolled into a patch and applied as a critical Security Patch by Microsoft? Would too much software crash if this were done? Are there any other side effects which would make people wish Microsoft hadn’t issued such a patch?
Bob, Microsoft probably wouldn’t care about breaking Spotify, or Foxit Reader Updater, but they probably would care about breaking Microsoft Office Installation. All three have been tripped by the recommended software restriction policies that I pushed to my users by GPO.
Spotify shouldn’t run in my environment, so that was left blocked. Foxit was fixed by whitelisting.
However, the Office installation was a nightmare at first. I tried several variations of whitelisting, but eventually cheated. I dropped the machine off the domain to run it as a local machine with default group policy, installed Office, and then rejoined it to the domain. In a home environment with Crypto Prevent installed the quick way would be to back out the restrictions, install Office, then re-install the restrictions.
I’m sure MS could figure out a full fix for that, but I didn’t have the time to work the problem for something that I’ll probably do infrequently on a machine already domain joined.
-
WSTinto Tech
AskWoody Lounger
You would also need to ensure you are running a supported version of Office and PDF reader, plus lock down USB/optical drives.
The latter can be used for sneakernet, while Office has many vulnerabilities that will continue to be patched. If you collect a compromised Office document or PDF, you could just as easily be compromised.
However, with a HIPS and no network route to the outside world, any damage caused through the vectors mentioned should be fairly small.
-
WSTinto Tech
AskWoody Lounger
As I read the way Cryptolocker works, the list of file types that it encrypted didn’t include backup files like True Image Backups (.tib files). That’s not to say a future variant won’t, but for now, it seems image backup is one form of protection even if the drive is permanently attached.
Jerry
That’s right Jerry, but I wouldn’t bank on it forever. These guys surely have it in their capability to attack .tib, .spi, .v2i etc.
For home use, in addition to local software restriction policies, I’m thinking about building a PowerShell script to be called before my backups run each night. Hopefully, it will reconnect the USB ports that my backup drives are connected to, then a second script will disconnect them after the backups have run. I also have a NAS connected via a UNC path that I use for archiving but haven’t figured out how to prevent it being discovered… even if Crypto Locker can’t see it right now.
For work, backups are offsite.