Crypto Prevent - How to block the Cryptolocker infection

vbimport

#1

I see there’s now a prevention tool CryptoPrevent (link), which can also protect against something most virus checkers fail to do: launching EXE files inside ZIP attachments. While it doesn’t quarantine ZIP attachments containing executable files, it can prevent the executable file inside from launching. The catch is that this setting can block legitimate software installations, but the protection can be temporarily disabled.

This tool claims to prevent most other malware as well, since it blocks executable files from running within the paths malware generally hides in, such as the Program Data, Recycle Bin, user profile and AppData paths, which rarely contain legitimate executable files.

The following video they posted shows the tool in action:

//youtu.be/M4dNuZYGgMM


#2

Hi Sean, I have been using Crypto Prevent for a while now and I love it, it e-mails me when it blocks something and tells me exactly where and what it is.

TEST EVENT

Time (UTC): 11/9/2013 3:24:21 PM
Event Log: Application
Event Type: Warning
Event ID: 866
Source Name: Microsoft-Windows-SoftwareRestrictionPolicies
Message: Access to C:\Users\alans3960X\AppData\Roaming\HelloWorld2.exe has been restricted by your Administrator by location with policy rule {F519E15A-F7AC-4732-BF2E-B06FDBA4E2EC} placed on path C:\Users\alans3960X\AppData\Roaming\*.exe.

This message sent by CryptoPrevent v4.1.5
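The notification above is a plain "Key: value" record wrapped around a Software Restriction Policies Event ID 866 message. The following is an added example (not code from the thread or from CryptoPrevent) that parses such records into structured fields, keeps only the SRP block events, and counts blocks per rule path, which is what you would want when several machines mail these to one inbox. The first sample record is the one quoted in the post; the second (user "example", all-zero rule GUID) and the third are constructed to show a second rule and a non-SRP record being skipped.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

SRP_SOURCE = "Microsoft-Windows-SoftwareRestrictionPolicies"
SRP_BLOCKED_EVENT_ID = 866  # the event quoted in the post above

# Constructed sample input. Record 1 is the notification quoted in the post.
# Record 2 is a constructed variant (hypothetical user "example", placeholder
# all-zero rule GUID) for a block in an archive temp directory. Record 3 is a
# constructed non-SRP record that the parser must skip.
SAMPLE_EVENTS = r"""
Time (UTC): 11/9/2013 3:24:21 PM
Event Log: Application
Event Type: Warning
Event ID: 866
Source Name: Microsoft-Windows-SoftwareRestrictionPolicies
Message: Access to C:\Users\alans3960X\AppData\Roaming\HelloWorld2.exe has been restricted by your Administrator by location with policy rule {F519E15A-F7AC-4732-BF2E-B06FDBA4E2EC} placed on path C:\Users\alans3960X\AppData\Roaming\*.exe.

Time (UTC): 11/9/2013 4:10:02 PM
Event Log: Application
Event Type: Warning
Event ID: 866
Source Name: Microsoft-Windows-SoftwareRestrictionPolicies
Message: Access to C:\Users\example\AppData\Local\Temp\Rar$EX00.123\setup.exe has been restricted by your Administrator by location with policy rule {00000000-0000-0000-0000-000000000000} placed on path C:\Users\example\AppData\Local\Temp\Rar*\*.exe.

Time (UTC): 11/9/2013 4:11:00 PM
Event Log: Application
Event Type: Information
Event ID: 1
Source Name: Constructed-Other-Source
Message: Unrelated record that the parser must ignore.
"""

FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")
# Shape of the SRP "restricted by location" message as quoted in the post.
MESSAGE_RE = re.compile(
    r"Access to (?P<blocked>.+?) has been restricted by your Administrator "
    r"by location with policy rule (?P<rule_id>\{[0-9A-Fa-f-]+\}) "
    r"placed on path (?P<rule_path>.+?)\.?$"
)


@dataclass
class BlockedEvent:
    time_utc: str
    blocked_path: str  # the executable SRP refused to start
    rule_id: str       # GUID of the path rule that fired
    rule_path: str     # wildcard path the rule covers

    @property
    def blocked_dir(self) -> str:
        """Directory the blocked executable was sitting in."""
        return self.blocked_path.rsplit("\\", 1)[0]


def parse_record(block: str) -> Optional[BlockedEvent]:
    """Turn one 'Key: value' record into a BlockedEvent, or None if it is not an SRP block."""
    fields: Dict[str, str] = {}
    for line in block.strip().splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    if fields.get("Source Name") != SRP_SOURCE:
        return None
    if fields.get("Event ID") != str(SRP_BLOCKED_EVENT_ID):
        return None
    m = MESSAGE_RE.match(fields.get("Message", ""))
    if not m:
        return None
    return BlockedEvent(
        time_utc=fields.get("Time (UTC)", ""),
        blocked_path=m.group("blocked"),
        rule_id=m.group("rule_id"),
        rule_path=m.group("rule_path"),
    )


def parse_events(text: str) -> List[BlockedEvent]:
    """Split a mail body or log dump into blank-line separated records and parse each."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = parse_record(block)
        if ev is not None:
            events.append(ev)
    return events


def blocks_per_rule(events: List[BlockedEvent]) -> Dict[str, int]:
    """Count blocks per rule path; a sudden spike on one rule is worth a closer look."""
    return dict(Counter(ev.rule_path for ev in events))


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    for ev in parsed:
        print(f"{ev.time_utc}: blocked {ev.blocked_path} (rule {ev.rule_id} on {ev.rule_path})")
    print(blocks_per_rule(parsed))
```

The message regex anchors on the fixed wording of the SRP event, so a record whose message is worded differently (or that comes from another source) is dropped rather than mis-parsed; `blocked_dir` gives you the directory to inspect when following up a block.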


#3

I haven’t installed CryptoPrevent yet.
Are y’all using the portable or installed version ?


#4

[QUOTE=cholla;2708184]I haven’t installed CryptoPrevent yet.
Are y’all using the portable or installed version ?[/QUOTE]

Installed version, but I paid 15.00USD for it so I can get auto updates and e-mails when something is blocked. I really like this program, but it seems that when I bring something to people’s attention, it seems like I am biased, and I am not. It just works.


#5

I didn’t see any bias, just that you like it & it is working for you.
I like portables so I wanted to know what members that were using CryptoPrevent are using.
I’m sure I will be using one or the other as I sure wouldn’t want to get this virus.
I try to be careful but it could slip by me.

I would like to see the government track down these virus creators & do something.
It seems obvious to me that the creators of the virus are the same people as the software company that offers to decrypt an infected OS.
Maybe use a CIA assassin squad to take care of the “problem” .


#7

Looks like it comes in on computers mainly through fake emails with attachments.


#8

[QUOTE=cholla;2708184]Are y’all using the portable or installed version ?[/QUOTE]

I used the portable version. It simply applies group policy settings so that Windows enforces these like it would when enforcing restrictions on a PC in a corporate network. The portable utility doesn’t install or run in the background. Instead, the user just needs to run it if they wish to turn the restrictions on/off or apply updated settings with a newer version.

I’m going to give its setting “Block Temp Extracted Executables in Archive Files” a try for a while. Obviously I’m not going to start test-launching EXE files in ZIP attachments from suspicious e-mails, but I am more interested in seeing what effect this has on legitimate software or whether it affects my use in any way. This setting prevents executable files from running from inside a ZIP, RAR, 7z, etc. file. The catch is that this setting also blocks legitimate setup files in Zip-compressed downloads from launching, but it’s just a matter of extracting the ZIP file into a temporary folder and running the setup file from there.

Even if it means having to temporarily turn off the protection to install certain software or updates, this would be just a minor inconvenience if it means preventing someone accidentally launching an executable file from a ZIP file in a fake DHL, Complaint, Amazon, etc. e-mail.


#9

I’m trying to think of the last time I sent an EXE out. I think I’ve sent some DVDFAB EXE’s along - older ones. And then the self-created EXE’s that were ZIPs which copied themselves to certain specific folder-structures so Users didn’t need to test their oft-imprecise browsing skills.

The one situation I’d like to see tested is receiving a renamed EXE file - DOTHIS.EEE, for example, which the recipient would receive, save and then browse and rename to .EXE. I wonder if these programs would detect the Executable without the exact name-suffix?

I have dealt with a dozen episodes of hijacker viruses over the last few years. That’s all I’ve seen, actually - hijacker types, stealing rights away. But nothing that destroyed files themselves. In a way, I’m rather pleased that the extortionists have stepped out from behind their pretenses of being anything BUT extortionists.


#10

Thanks Seán and alan1476,
CryptoPrevent is just what I was looking for. I’ve just downloaded it and paid the $15 for auto updates. It looks excellent, what a great idea.

I have two neighbors that have had this type of extortion malware on their machines. One actually paid $30 to clear it, nothing happened, except she lost her money, her machine was stuffed and I got lumbered rebuilding it. The other was also stuffed but she had more sense not to pay the ransom, I still got the rebuild job, but luckily that laptop had a backup disc supplied with it and nothing important was lost.
I will get them both to use this, you never know, lightning can strike twice.


#11

Christine, I am wondering too how the CryptoPrevent would react on my computer.
I downloaded both the install and portable version but haven’t tried either one yet.

I’d like to know…I think cholla might run into the same thing too… in that (and I am sure this is somewhat unique) I have a lot of portable programs, most of them reside on a partition but I have 3 portable programs presently sitting on the desktop (of the laptop).
I wonder if CryptoPrevent will try to block every time I launch one of the portable programs when I double click on their .exe’s.
If it does then I would have to disengage it a lot.

I only have 6 launch-able installed programs presently on my laptop right now, the rest are portable…well, actually I do have other installed programs but they are on other OSs on the same laptop.

Anyway, I for one want this thread to keep going and anyone interested with information to join in so we all will be better informed about this malware.

One thing for sure, if this virus goes “viral”, it will have me rethinking how I interchange removable drives between my laptop (I use for browsing, light computing) and my desktop computer.

It seems Sean may have answered my question about CryptoPrevent…since all my portable programs that I regularly use are all in extracted folders so CryptoPrevent shouldn’t be interested in them?


#12

I have been looking and I haven’t found any clear positive reports of an infection of Linux machines. However, I have read that a Linux box connected to a Windows machine via network, or a Windows virtual machine, could be infected by CryptoLocker.

So as I understand it, CryptoLocker hides in e-mail attachments with ZIP or pdf files? I’m just wondering if it can infect other files before it locks everything up and spread by USB sticks/keys.

I"m going to have to try installing Cryptoprevent on my remaining Windows box and my g/f’s computer. It might even cut down on the infections on her computer. Which reminds me its time for the weekly sweep…


#13

This program, even though it has a free version, is only 776 KB, yes that’s right, less than 1 MB. I personally bought the paid version because for 15.00USD it e-mails you when something is blocked, tells you exactly where it is so you can delete it, and you can use this on as many computers as you own. The updates are free for life. I mean how much more can you ask from a 15.00USD program. It absolutely protects you from this new malware and updates when it finds other things that are not supposed to be there. You can also unblock things you know are safe if it happens to block an executable. :wink: I have extensively tested this program and found it to be more than adequate for protection against something that can cripple you. Do not hesitate to ask if anyone has any more questions.


#14

alan1476,
I can’t agree more, for $15 it’s more than a bargain. Thanks again Guys for posting this little gem.


#15

[QUOTE=voxsmart;2708314]alan1476,
I can’t agree more, for $15 it’s more than a bargain. Thanks again Guys for posting this little gem.[/QUOTE]

Lucky for me I don’t open unknown emails or click on links that I don’t know. And I keep my computer secure daily and MSE updating constantly. It is all based on one’s internet usage: watch what you’re reading and downloading and that will stop even the nasty malware, unless it attacks the O/S or the A/V program itself. But then again, with users nowadays clicking on things they don’t even know, they would be the ones asking for the attack as well.


#16

Yoj’s mention of “hides in PDF” possibilities sends particular shudders because I have shop-neighbors that deal in PDF-receipts extensively.

I wonder what ‘executable’ is normal for a PDF, though? “Execute a Viewer-Call, Execute a Fill to Display Memory”? I guess those are the two ‘executable’ actions that a PDF generates. I can only wonder if PDF standards allow a sub-call from one of those actions, though. Sheesh. So many hooks dangling around.

I’ll dig around more and see if I can locate episodes of PDF-based attacks and THEN pray Alan’s good find can handle those, too. I wonder how many virus-attack strategies are born out of ex-MS employees - as opposed to AV employees who simply followed MS guidelines for OS usage (and then perverted those into mis-usage)?


#17

[QUOTE=ChristineBCW;2708324]Yoj’s mention of “hides in PDF” possibilities sends particular shudders because I have shop-neighbors that deal in PDF-receipts extensively.

I wonder what ‘executable’ is normal for a PDF, though? “Execute a Viewer-Call, Execute a Fill to Display Memory”? I guess that’s the two ‘executable’ actions that a PDF generates. I can only wonder if PDF standards allow a sub-call from one of those actions, though. Sheesh. So many hooks dangling around.

I’ll dig around more and see if I can locate episodes of PDF-based attacks and THEN pray Alan’s good find can handle those, too. I wonder how many virus-attack strategies are born out of ex-MS employees - as opposed to AV employees who simply followed MS guidelines for OS usage (and then perverted those into mis-usage)?[/QUOTE]
[B]Here is a bit more knowledge about the .exe files[/B]

[B]Fake File Extension Executables: (ex. [I]document.docx.exe[/I])[/B]

[ul]
[li][B][I]*.x.y[/I] where:[/B]
[ul]
[li][B][I]x[/I] = pdf, doc, docx, xls, xlsx, ppt, pptx, txt, rtf, zip, rar, 7z, jpeg, jpg, png, gif, avi, mp3, wma, wmv, wav, divx, mp4[/B][/li]
[li][B][I]y[/I] = exe, com, scr, and pif.[/B][/li]
[/ul][/li]
[li][B]With v4.1, now includes RLO (Right to Left Override) exploit protection.[/B][/li]
[/ul]

[B]Temp Extracted Executables in Archive Files:[/B]

[ul]
[li][B]%temp%\rar* directories[/B][/li]
[li][B]%temp%\7z* directories[/B][/li]
[li][B]%temp%\wz* directories[/B][/li]
[li][B]%temp%\*.zip directories[/B][/li]
[/ul]

[B]The final four locations above are temporary extract locations for executables when run from directly inside of a compressed archive (e.g. you open download.zip in Windows Explorer, WinRAR, WinZip, or 7zip, and execute an .EXE from directly inside the download; it is actually extracted to a temporary location and run from there, so this guards against that as well; however this option may interfere with certain program installations (e.g. Firefox.))[/B]


#18

[QUOTE=Steve33;2708290]I’d like to know…I think cholla might run into the same thing too… in that (and I am sure this is somewhat unique) I have a lot of portable programs, most of them reside on a partition but I have 3 portable programs presently setting on the desktop (of the laptop).[/QUOTE]

As long as the portable applications are not inside a Zip, Rar, etc. archive, CryptoPrevent will not cause an issue, even with all the options ticked.

When a malicious executable is run, the first thing it tries doing is hiding itself somewhere. In the past, this was easily done - Just copy itself to the Windows or System32 directory. However, with the UAC feature of Vista onwards and most business employees not having admin access anyway, an infection has only a few places to hide. So what most Malware does now is it tries placing itself in a hidden directory where a non-Admin account can write to, usually the Appdata, Temp or Recycle Bin folders. Once a copy is made in a suitable location, the Malware then runs its copy, so even if the user deletes the original file after noticing it won’t open or do anything, the Malware is still running from its hidden location. From my testing with Malware files in a virtual PC, some that came from fake DHL e-mails even throw up Notepad with random delivery details to give the impression that the user simply received a wrong delivery notice.

Unlike Malware, a legitimate portable application does not go about trying to run a hidden copy, so it simply runs from its existing location. So in theory, CryptoPrevent shouldn’t stop any legitimate portable applications from running.

The main exception is if the portable application is still inside a Zip file, as Windows will extract the executable to the Temp directory before it tries running it. This will fail, as CryptoPrevent prevents executables from running in the temp directory.
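Posts #17 and #18 between them describe the three things the tool looks at: a fake double extension (`*.x.y`), a Right-to-Left Override character in the name, and an executable sitting in an archive temp-extract directory or in one of the writable hide-outs (AppData, Temp, Program Data, Recycle Bin). The following is an added example, not CryptoPrevent’s code or the exact Windows SRP semantics, that evaluates a candidate file path against those rule families so you can see which ones a given file would trip and, as post #18 argues, that a portable application in an ordinary folder trips none of them. The `%temp%`-style variables are expanded from a constructed dictionary for a hypothetical user “example” so it runs offline, and the matcher is simplified in that `*` is allowed to span directory separators.

```python
import fnmatch
import ntpath
import re
from typing import Dict, List

# Extension lists as given in the CryptoPrevent description quoted in post #17.
EXEC_EXTS = {"exe", "com", "scr", "pif"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf",
              "zip", "rar", "7z", "jpeg", "jpg", "png", "gif", "avi", "mp3",
              "wma", "wmv", "wav", "divx", "mp4"}
RLO = "\u202e"  # Right-to-Left Override: everything after it is displayed reversed

# Archive temp-extract directories from post #17, and the writable locations from
# posts #1 and #18. %systemdrive%\$Recycle.Bin is the Vista-onwards recycle bin path.
TEMP_EXTRACT_RULES = [r"%temp%\rar*\*", r"%temp%\7z*\*", r"%temp%\wz*\*", r"%temp%\*.zip\*"]
HIDDEN_LOCATION_RULES = [r"%appdata%\*", r"%localappdata%\*", r"%temp%\*",
                         r"%programdata%\*", r"%systemdrive%\$Recycle.Bin\*"]

# Constructed environment for a hypothetical user "example"; nothing is read from the OS.
CONSTRUCTED_ENV: Dict[str, str] = {
    "temp": r"C:\Users\example\AppData\Local\Temp",
    "appdata": r"C:\Users\example\AppData\Roaming",
    "localappdata": r"C:\Users\example\AppData\Local",
    "programdata": r"C:\ProgramData",
    "systemdrive": "C:",
}


def _norm(path: str) -> str:
    """Case-fold and use backslashes so rule and path compare the Windows way."""
    return path.replace("/", "\\").lower()


def expand(rule: str, env: Dict[str, str]) -> str:
    """Replace %name% tokens with values from the supplied environment (case-insensitive)."""
    return re.sub(r"%([^%]+)%", lambda m: env[m.group(1).lower()], rule)


def path_matches(path: str, rule: str, env: Dict[str, str]) -> bool:
    """Simplified SRP-style path rule match; here '*' may span directory separators."""
    return fnmatch.fnmatchcase(_norm(path), _norm(expand(rule, env)))


def is_executable(name: str) -> bool:
    """True when the real (last) extension is one SRP treats as executable here."""
    return name.rsplit(".", 1)[-1].lower() in EXEC_EXTS


def has_fake_double_extension(name: str) -> bool:
    """*.x.y with x a document/media extension and y an executable one, e.g. invoice.pdf.exe."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-2] in DECOY_EXTS and parts[-1] in EXEC_EXTS


def evaluate(path: str, env: Dict[str, str] = CONSTRUCTED_ENV) -> List[str]:
    """Return the rule families the file would trip; an empty list means it is allowed to run."""
    name = ntpath.basename(path)
    reasons: List[str] = []
    if has_fake_double_extension(name):
        reasons.append("fake-double-extension")
    if RLO in name:
        reasons.append("rlo-character")
    if is_executable(name):  # location rules only concern executable types
        if any(path_matches(path, r, env) for r in TEMP_EXTRACT_RULES):
            reasons.append("temp-extracted-archive")
        if any(path_matches(path, r, env) for r in HIDDEN_LOCATION_RULES):
            reasons.append("hidden-location")
    return reasons


if __name__ == "__main__":
    # Constructed paths: the first mirrors the block quoted in post #2, the last is
    # a portable application in an ordinary folder, which post #18 says is left alone.
    for p in (r"C:\Users\example\AppData\Roaming\HelloWorld2.exe",
              r"C:\Users\example\AppData\Local\Temp\Rar$EX00.123\setup.exe",
              r"C:\Users\example\Downloads\invoice.pdf.exe",
              r"C:\Users\example\Downloads\invoice" + RLO + "fdp.exe",
              r"D:\Portable\Tools\notepad2.exe"):
        print(repr(p), "->", evaluate(p) or "allowed")
```

An executable extracted by WinRAR into `%temp%\Rar…` trips both the archive rule and the general Temp rule, which is why, as post #18 explains, running a setup file straight from inside the archive fails while the same file extracted to a normal folder runs; the checker does not open the file, so like the real policy it cannot tell a benign executable from a malicious one, only where it is and what it is called.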


#19

Thanks everyone for the good words on CryptoPrevent! I hope I can continue to keep the program relevant against future threats, and part of that means listening to feedback and suggestions on improvements, SO…

[QUOTE=ChristineBCW;2708324]Yoj’s mention of “hides in PDF” possibilities sends particular shudders because I have shop-neighbors that deal in PDF-receipts extensively.

I wonder what ‘executable’ is normal for a PDF, though? “Execute a Viewer-Call, Execute a Fill to Display Memory”? I guess that’s the two ‘executable’ actions that a PDF generates. I can only wonder if PDF standards allow a sub-call from one of those actions, though. Sheesh. So many hooks dangling around.

I’ll dig around more and see if I can locate episodes of PDF-based attacks and THEN pray Alan’s good find can handle those, too. I wonder how many virus-attack strategies are born out of ex-MS employees - as opposed to AV employees who simply followed MS guidelines for OS usage (and then perverted those into mis-usage)?[/QUOTE]

Actually, now that you mention PDF exploits, I’ve been toying with the idea of adding a feature to CryptoPrevent that disables JavaScript within PDF documents (at least in Adobe Reader.) The suggestion was actually made to me by a researcher at sanesecurity.com (a maker of 3rd party anti-virus definitions for ClamAV) and I figure they probably know enough about it to warrant consideration.

Part of me feels however that this may impede legitimate PDF usage in some situations. Any thoughts on the matter (or any other suggestions) are most welcome!


#20

Welcome to our forum Nick, I am very glad to see you here.:wink:


#21

Welcome aboard Nick. :slight_smile:

To me, the JavaScript prevention idea in PDFs seems like a good idea, as I can’t even think of one past example where I viewed a PDF that used JavaScript.

I also wonder what JavaScript would be used for in a PDF, since a PDF file is effectively an electronic printout. In fact, the vast majority of PDF files are created by printing the source document to a virtual PDF printer. From what I’ve read after a few Google searches, JavaScript is used to assist form filling in PDFs. Even so, for any forms I’ve ever received in PDF format, I’ve always printed them to fill out and mail off in the post. Generally any website that uses online form filling would do so through the browser instead of by filling out a PDF file.

Then again, recently a lady called me for help with her PDF file as she kept being asked for payment. At first I assumed she must have accidentally downloaded PDF creation software, but when she showed me her laptop, it turned out that she was trying to convert a PDF form into a Word document so that she could fill it out! It was partially the fault of Adobe here, as it was displaying an advertisement for a tool to edit the document, so she thought she had to purchase this to fill out the form. So the simple fix here was to show her how to print it out, so she could fill it out by pen and mail it off. :slight_smile:

In my opinion, if the PDF JavaScript restriction can be easily toggled like the one for preventing executables running in the data/temp paths, I’d say it’s worth implementing.