A nasty piece of work in C:\ProgramData\WindowsWork

I encountered a nasty bit of malware today which wasn’t being seen by antivirus. Malwarebytes was popping up every 5 seconds with a warning that some executable file on Windows 10 was trying to reach a blocked web site… tektonit.ru

A quick Google search made it clear that the domain being contacted is associated with the Troj/RemAdm-AG and Backdoor.Gussdoor trojans, the second of which opens a backdoor to the domain in question. The attacker then has access to read and write files, access the registry, spawn processes and even take screenshots. In our case, they also installed a keylogger detected as keylogger.bestfreekeylogger.a, which lets them record keystrokes: passwords, credit card numbers, emails, or anything else typed on the computer.

Nasty.

The user had both a McAfee antivirus product and Avast Free installed. Neither was really complaining about the threat, yet Malwarebytes continued its little dance in the corner: “Website blocked – Domain: tektonit.ru” and variants thereof.

Malwarebytes also did something else nice for me: it showed the process location. It was running a file in C:\ProgramData\WindowsWork, which, to an end user, appears not to exist when you try to navigate to it.

I installed ESET Internet Security, which picked up and removed the keylogger (two variants) that the other applications left behind, but the malware reaching out to the attacking server was not detected.

Jumping into an admin terminal, the directory doesn’t show in a plain dir listing since its attributes are set to +s +h (system, hidden); dir /a or attrib lists it regardless. Within the folder, the files themselves are also hidden and set with the system attribute, making them pretty much invisible to end users. And strangely, antivirus also did not see it.

Removing the attributes, I was now able to see and open the files. One such file was the installer used to deploy the malware.

Here’s how it installed itself:

Interesting, in that this now sheds some light on why antivirus isn’t picking it up… it’s likely not even a virus. And to boot, UAC would have stopped this script from running, which means the end user had to have allowed it. Once again proves my point that Windows UAC is useless because novice users will just say yes to any stinking dialog you throw at them!

So the script, as you can see, destroys legitimate Windows services and replaces them with itself. That makes it tough to detect.

I killed the services, deleted the services, and then purged all the files in the C:\ProgramData\WindowsWork\ and removed the folder. Instantly, Malwarebytes went to sleep.
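The triage above was done by hand: find the hidden directory, then find the services pointing into it. A more repeatable version of the second step is to export the service table and flag any service whose binary lives outside the normal system locations (ProgramData, AppData and Temp are the usual hiding spots), plus the separate, well-known unquoted-path weakness. The following is an added example, not the author’s script (which is not reproduced on this page); it reads a CSV export of Win32_Service, and the three rows embedded in it are constructed for the example.

```python
"""Triage of Windows services whose binaries live outside the usual
system locations. Added example (not the author's script): it parses a
CSV export of Win32_Service such as the one produced by

    Get-CimInstance Win32_Service |
        Select-Object Name, PathName, StartMode, State |
        Export-Csv services.csv -NoTypeInformation

The export embedded below is constructed for the example."""
import csv
import io
import re

# Directories in which a legitimate Windows service binary is expected.
# Anything outside these (ProgramData, AppData, Temp, user profiles) is
# worth a look. Paths are compared case-insensitively.
EXPECTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# A PathName may be quoted and may carry arguments, e.g.
#   "C:\ProgramData\WindowsWork\svc.exe" -run
#   C:\Windows\system32\svchost.exe -k netsvcs
_EXE_RE = re.compile(r'^\s*"?([^"]+?\.(?:exe|dll|sys|bat|cmd|ps1))"?', re.IGNORECASE)


def binary_path(pathname: str) -> str:
    """Return the executable portion of a service PathName, lower-cased."""
    m = _EXE_RE.match(pathname)
    return (m.group(1) if m else pathname.strip().strip('"')).lower()


def is_suspicious(pathname: str) -> bool:
    """True when the service binary is not under an expected root, or when
    the path is unquoted and contains a space (a separate service-path
    weakness that is also worth flagging during the same pass)."""
    path = binary_path(pathname)
    outside = not any(path.startswith(root) for root in EXPECTED_ROOTS)
    unquoted_space = (" " in path) and not pathname.lstrip().startswith('"')
    return outside or unquoted_space


def triage(csv_text: str) -> list:
    """Return [(name, pathname, startmode)] for services that need review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_suspicious(row["PathName"]):
            findings.append((row["Name"], row["PathName"], row["StartMode"]))
    return findings


# Constructed sample export: one benign service, one implant in a hidden
# ProgramData directory, one unquoted path under Program Files.
SAMPLE_CSV = '''"Name","PathName","StartMode","State"
"Dnscache","C:\\Windows\\system32\\svchost.exe -k NetworkService","Auto","Running"
"WindowsWork","""C:\\ProgramData\\WindowsWork\\wwsvc.exe"" -run","Auto","Running"
"VendorAgent","C:\\Program Files\\Vendor Agent\\agent.exe","Auto","Running"
'''

if __name__ == "__main__":
    for name, path, mode in triage(SAMPLE_CSV):
        print(f"{name:<14} {mode:<6} {path}")
```

The service names and paths here are illustrative; on a real machine, review each finding before stopping or deleting anything, since some legitimate vendor agents do install under ProgramData.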

A reboot and full system scan as administrator with ESET Internet Security, and all looks well. Hopefully the firewall in EIS will do a better job of keeping the user from answering “Yes” to the wrong questions… but ultimately it’s up to educating users to think, and understand, before clicking.

The malware is gone. However, there’s no way to know how far the attacker got. It appears as though the service files were not viruses at all, but rather basic programs that reach out to tektonit.ru to obtain the actual malware and install it. Basically, the stuff in C:\ProgramData\WindowsWork\, which the user authorized being installed, was benign from an antimalware standpoint. It was not a virus: it was a tool being used by an attacker to propagate their tools, malware and possibly viruses/trojans. But because of the nature of it, it also worked as a bit of a smokescreen.

In this instance, had Malwarebytes’ Premium version not been installed (which does active protection, not just on-demand scanning), the user would have been wide open to the smokescreen application and its desire to install all kinds of unknowns on the user’s system.

ESET Internet Security is now installed, along with Malwarebytes Premium. These two products combined should provide about the best level of protection available to Windows users today.

Get ESET Internet Security: https://cat5.tv/esetus

Get Malwarebytes Premium: http://amzn.to/2x2HCz2

Why support may ask for your backup.nems file, and why you should never share it with others

During support sessions I often request either SSH access or a copy of the user’s backup.nems file. SSH access, it should be obvious, should not be shared with just anyone. Also, you should never, ever, ever, open SSH to the world on your NEMS server if you have not yet initialized it. This is because there are botnets that look for Raspberry Pi computers which use the default “raspberry” password, and then compromise them.
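Before exposing any SSH server, it is worth checking what sshd will actually do rather than what the bottom of the config file says. The following is an added example, not part of NEMS: it audits an sshd_config for the settings that keep password guessing off the table, and it respects a subtlety that bites people who “harden” a Pi by appending lines: sshd uses the first value it reads for each keyword, so a later PasswordAuthentication no does nothing if the distribution’s PasswordAuthentication yes sits above it. The config text embedded below is constructed.

```python
"""Audit an sshd_config for settings that leave a freshly imaged Pi open
to credential-guessing botnets. Added example, not part of NEMS. sshd
applies the FIRST value it reads for each keyword, so a hardening line
appended after an earlier 'PasswordAuthentication yes' does nothing;
Match blocks are conditional and ignored here."""
import re

# Keyword -> value that keeps password guessing off the table. Note that
# with UsePAM yes, ChallengeResponseAuthentication yes still allows
# password logins via keyboard-interactive even when
# PasswordAuthentication is no, so it is audited too.
WANTED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "challengeresponseauthentication": "no",
}
# Value sshd assumes when the keyword is absent (OpenSSH defaults).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "challengeresponseauthentication": "yes",
}


def effective_settings(config_text: str) -> dict:
    """Return the global setting sshd would use for each audited keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":          # everything after Match is conditional
            break
        if key in WANTED and key not in seen:   # first value wins
            seen[key] = parts[1].strip().lower() if len(parts) > 1 else ""
    return {k: seen.get(k, DEFAULTS[k]) for k in WANTED}


def audit(config_text: str) -> list:
    """List (keyword, effective, wanted) for every setting that is off."""
    eff = effective_settings(config_text)
    return [(k, eff[k], WANTED[k]) for k in WANTED if eff[k] != WANTED[k]]


# Constructed config: someone appended hardening lines at the bottom
# without removing the distribution defaults above them.
SAMPLE_CONFIG = """\
# Distribution defaults
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no

# "Hardening" added later -- ignored by sshd because of first-wins
PasswordAuthentication no
PermitRootLogin no

Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for key, have, want in audit(SAMPLE_CONFIG):
        print(f"{key}: is '{have}', want '{want}'")
```

Run it against /etc/ssh/sshd_config on the Pi; an empty result means the global section disables password and root logins. Changing the default password of the pi account (or removing the account) is still required, since the audit only covers what sshd accepts.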

WordPress 4.3 is here!

WordPress 4.3 has been released, and our Managed WordPress subscribers are already enjoying the benefits of this major release. The rollout of 4.3 to all our subscribers has begun and will be complete within 24 hours. The next time you login, you will benefit from these great new features.

If you are not yet experiencing the benefits of our Managed WordPress 4.3 Deployment and Hosting service, make sure you contact us today.

Here’s an overview of what’s new in WordPress 4.3

Easier In-line Text Formatting


One of the key focuses of this upgrade has been on simplifying the process of formatting your content. This means the improved ability to format your text as you type, without ever having to stop and click with the mouse. A hyphenated list intelligently becomes a bullet list, a blockquote can be created with a > and ## lets you enter a heading. These are just a couple of examples of how WordPress 4.3 is improving your workflow, helping you get things done quickly and easily.

Improved Customize Feature

Another way WordPress 4.3 improves the user experience is to enhance the “Customize” feature, allowing you to take control of your site or blog.

Site Icons / favicon

Upload your logo and let WordPress do the rest. Your site icons and favicon will be automatically generated and included in browser tabs, bookmark menus, and even on the home screen of mobile devices as the icon for your site. You no longer have to add a special module or hack up your theme code only to lose the settings after an update. Site Icons are now part of WordPress 4.3.

Menus With Live Preview in Customizer

Now, you can preview your menu in Customizer as you add or edit items. The streamlined interface allows menu revision to easily take place on either desktop or mobile devices. Navigation creation continues to get easier and faster with WordPress 4.3.

Improved Security

Password System Enhancements

A feature that has been sorely lacking from WordPress is password strength enforcement. WordPress 4.3 now generates strong passwords, and gives visual feedback to the user when they change their password as to whether their choice is weak or strong. In addition to this, plain-text passwords are no longer emailed to users, further protecting you. Now, if you forget your password, WordPress 4.3 will instead send you a password reset link. The password itself will not be revealed.
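The reset-link approach described above matters because a password sent in email sits readable in every mailbox and relay it touches, while a reset link is short-lived, single-use and useless once redeemed. The following is an added illustration of that flow, not WordPress’s own code: the mailer and user store are stand-ins, the reset URL is hypothetical, and only the token handling is the point (the token travels in the link, only its hash is stored, it expires, and comparison is constant-time).

```python
"""Password-reset flow of the kind described above: a one-time link is
sent instead of the password. Added illustration, not WordPress code.
The store keeps only a hash of the token, so a leaked database does not
leak live reset links; tokens expire and are single-use."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60          # seconds a reset link stays valid


def _fingerprint(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class ResetService:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing expiry
        self._pending = {}           # username -> (token_hash, expires_at)

    def issue(self, username: str) -> str:
        """Create a reset link for username and return the link that would
        be e-mailed. Only the token's hash is retained server-side."""
        token = secrets.token_urlsafe(32)
        self._pending[username] = (_fingerprint(token), self._clock() + TOKEN_TTL)
        # hypothetical reset URL; a real site would use its own route
        return f"https://example.invalid/reset?user={username}&key={token}"

    def redeem(self, username: str, token: str) -> bool:
        """Consume the token: valid exactly once, only before expiry."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[username]
            return False
        if not hmac.compare_digest(token_hash, _fingerprint(token)):
            return False
        del self._pending[username]      # single use
        return True


def token_from_link(link: str) -> str:
    """Pull the key parameter back out of a generated link."""
    return link.rsplit("key=", 1)[1]


if __name__ == "__main__":
    svc = ResetService()
    link = svc.issue("robbie")
    print("mail this:", link)
    print("redeem once:", svc.redeem("robbie", token_from_link(link)))
    print("redeem again:", svc.redeem("robbie", token_from_link(link)))
```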

And That’s Not All

This is only an overview. Further refinements have been made to provide a smoother admin experience across all your devices, and overall the intuitiveness of WordPress 4.3 is a step in the right direction. From a more technical perspective, 180 bugs were fixed, and a final point worth mentioning is that WordPress 4.3 makes way for the upcoming PHP7 release by deprecating some old PHP4 style constructors. WordPress is now ready for the upgrade when it arrives later this year.

All in all, WordPress 4.3 is another great update from the WordPress team. Positive E Solutions Inc. keeps our customers current and protected through our Managed WordPress services.

Enjoy the new version! We look forward to hearing your feedback.

-Robbie

— Update Wednesday August 19, 2015 4:43pm —
All customer web sites on our Managed WordPress service have been upgraded to WordPress 4.3.

The Secure Connection Trap: Why Emailing Your Credit Card Number is Never Safe

“We’ll err on the side of caution and suggest that you never trust email with confidential information.”

A surefire way to make tech-savvy people shudder is to email them your credit card number to pay a bill.

It’s not that they don’t appreciate the transfer of funds to their account, but they understand that with email, you’re not just sending it to them. Any number of people, or automated systems, in between can intercept, read, store, and potentially use that data.

When you send an email directly to a person, it’s not going directly to them.

We tend to think in terms of “sender” and “recipient” but forget to consider all the points in between. When you send an email, it goes from your computer to your Internet Service Provider’s (or webmail provider’s) outgoing mail server, which hands it across the Internet, possibly through several relay servers, to the recipient’s mail server, where it waits until the recipient’s computer fetches it. Because it happens so quickly, we’re tempted to think it’s a direct connection, but picture what the Internet actually is: many thousands of computers all connected together, passing data amongst each other. When you send an email, it is passed through several systems before it reaches the recipient.

Email is not encrypted.

Here’s the trap: when you login to your email, be it through an installed application or webmail service (Gmail for example), you’ll likely see that they are “secure.” Email applications typically require encrypted authentication, and webmail services are actually secure sites themselves, much like online banking.

Email is transmitted in plain text between servers unless each pair of servers happens to negotiate TLS (STARTTLS), and that is opportunistic and hop by hop. Even when a hop is encrypted, every server that relays the message decrypts it, can read, analyze and store it, and then re-encrypts it (or not) for the next hop.

With your email application, encryption covers the connection to your own provider: your username and password, and the message on that leg, are encrypted (generally not readable by anyone on the local network). But once your provider’s server hands the email to the next server, whether it stays encrypted is out of your hands, because email itself is not encrypted end to end.

When you login to a webmail service, you may see the “secure connection” notifier, usually a little “lock” icon in your address bar, which may present the illusion that your email itself is secure, but it is not. Only the current browser session is secure: your username and password, and the pages shown on your screen, are encrypted between your computer and the webmail server. However, all the email in your inbox first had to be delivered to your service provider, meaning it travelled from the sender’s server across the Internet, possibly through other relays, before reaching your inbox. Similarly, any message you send through that service leaves the secure session the moment the provider’s mail server hands it on to the next server. Since your connection to the service is encrypted, someone intercepting that link cannot read what you see on screen, but as soon as you hit “send,” the message is only as protected as each server-to-server hop makes it, and every server it lands on can read it.
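You can see the path a message took, and which hops were encrypted, in its Received: headers: each relay prepends one, so the top-most is the last hop and the bottom-most the first, and the “with” clause records the protocol (ESMTPS/ESMTPSA mean the hop ran inside TLS; plain SMTP/ESMTP means it crossed that link in the clear). The following is an added example, not from the original post; the message it parses is constructed, with a cleartext final hop between the recipient provider’s relay and its mailbox server.

```python
"""Walk the Received: headers of a message to see how many servers
handled it and which hops used TLS. Added example; the message below is
constructed. Received headers are prepended by each relay, so the
top-most is the last hop and the bottom-most is the first."""
import email
import re

_HOP_RE = re.compile(
    r"from\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Za-z]+)",
    re.IGNORECASE | re.DOTALL,
)


def hops(raw_message: str) -> list:
    """Return [(from_host, by_host, tls)] in delivery order (first hop first)."""
    msg = email.message_from_string(raw_message)
    out = []
    for value in reversed(msg.get_all("Received", [])):
        m = _HOP_RE.search(value)
        if not m:
            continue
        proto = m.group("proto").upper()
        # ESMTPS / ESMTPSA (RFC 3848) mean the hop was inside TLS;
        # plain SMTP / ESMTP means the message crossed that link in clear.
        tls = proto in ("ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA")
        out.append((m.group("frm"), m.group("by"), tls))
    return out


def cleartext_hops(raw_message: str) -> list:
    """The hops on which anyone in the path could read the message."""
    return [(f, b) for f, b, tls in hops(raw_message) if not tls]


# Constructed message: submitted over TLS, relayed over TLS, then handed
# to the recipient provider's mailbox server in the clear.
SAMPLE = """\
Received: from relay.recipient-isp.example (relay.recipient-isp.example [192.0.2.20])
\tby mx.recipient-isp.example with ESMTP id 7a1b2c3d;
\tMon, 4 Aug 2014 09:12:01 -0400
Received: from smtp.sender-isp.example (smtp.sender-isp.example [198.51.100.5])
\tby relay.recipient-isp.example with ESMTPS
\t(TLSv1.2 cipher ECDHE-RSA-AES128-GCM-SHA256) id 5e6f7a8b;
\tMon, 4 Aug 2014 09:12:00 -0400
Received: from [10.0.0.7] (cust-10-0-0-7.sender-isp.example [203.0.113.9])
\tby smtp.sender-isp.example with ESMTPSA id 1a2b3c4d;
\tMon, 4 Aug 2014 09:11:58 -0400
From: customer@sender.example
To: billing@recipient.example
Subject: invoice payment

card number follows...
"""

if __name__ == "__main__":
    for frm, by, tls in hops(SAMPLE):
        print(f"{frm:>40} -> {by:<32} {'TLS' if tls else 'CLEAR'}")
```

Even the hops marked TLS only protect the wire between two servers; each of those servers still holds the message in the clear, which is the point of the paragraph above.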

Regardless of your trust for the recipient, there is no way to know whose servers the email is passing through, nor whether you can trust them. We’ll err on the side of caution and suggest that you never trust email with confidential information.

It’s not necessarily the service providers.

We like to believe service providers are honest and not skimming through emails to find people’s credit card numbers, and hopefully the bulk majority are. But the compromise doesn’t need to come from the provider themselves.

Viruses on infected servers could be monitoring email traffic passing through the server, software tools can be used by “hackers” to sniff unencrypted data as it passes through the coffee shop wifi, and shady “companies” have even been known to setup servers on the web specifically to collect this type of data as it passes through, which they may either use or sell.

The safe alternatives…

I can’t speak for all companies, but I would expect most connected companies offer some way to pay a bill electronically in a safe fashion.

Picking up the phone and calling in your card number is much safer than email, because it is a much more “direct” connection to the recipient.

For our customers, we offer a secure payment gateway at secure.positiveesolutions.com — this can be accessed via the “Pay Online” button on our web site. It is secure, encrypted, and no confidential data is transmitted or stored in an unencrypted form.

Regardless of the how or why, the simple fact remains: email is not secure.

Write your credit card number on a piece of paper and pass it around a full room of strangers. Surely, you would never do such a thing. That’s essentially what you do when you type it into an email and press “send.”

Be educated, be safe.

-Robbie

Multi-Factor Authentication to be added to @PasswordBox within the next few weeks.

PasswordBox will be stepping up their own security with multi-factor authentication in under a month.

In an interview on Category5 Technology TV held Tuesday May 13, 2014, François Proulx, Security Engineer for PasswordBox, revealed that the popular cloud-based password management system will be introducing sophisticated multi-device multi-factor authentication in June 2014.

While no specific date was given, Mr. Proulx’s statements make it clear that the important security feature will be coming soon.

“It is literally a few short weeks away from now, I would say our goal is to put it in production in our products in June [2014],” says Mr. Proulx. “We’ve pretty much completed the design aspects of it. I’ve reviewed the security. We are just right now dispatching the various tasks to each and every team. Obviously we don’t want to rush things too fast because we want to ensure the quality of our product. But it is coming very, very soon.”

“One thing we’ve announced recently is integration with the new Samsung S5, which has a fingerprint scanner. So that already exists for the Android version of our app. Also, we’ve announced integration with the NYMI bracelet which detects your heartbeat,” explains Mr. Proulx. “Biometrics as an area of research is something we’re putting a lot of focus on.”

Mr. Proulx didn’t go into a lot of details as to the available options that will be coming to PasswordBox in order to provide multi-factor authentication, but stated, “Let me just say that it will be very, very similar to what Google does. So if you look at the way Google does it, or Yahoo, it will be modeled in a very similar fashion.”

The interview, which was geared toward advanced viewers, covered a wide gamut of topics surrounding the functionality of PasswordBox and how it ensures your passwords are safe from hackers and even Government agencies such as the National Security Agency (NSA).

“What is stored in our database for each and every user’s accounts is only encrypted data,” explains Mr. Proulx. “The critical assets, such as the password assets and also all the wallet items … those are all encrypted in a blackbox manner. So what we receive on the server side is an opaque blob that we then store and then later sync across all the devices.”

He further explains in excellent detail that due to the architecture of the PasswordBox system, only a person with your master password can then decrypt this blob of information. Therefore, nobody at PasswordBox, nor the NSA or any other government agency has access to your data.

PasswordBox recommends using a very strong master password to ensure this is the case.
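The architecture Mr. Proulx describes, where the server only ever holds an opaque blob and the master password never leaves the client, can be shown end to end in a few dozen lines. The following is an added example and not PasswordBox’s code or format: the client derives everything from the master password with a slow KDF, splits that into independent subkeys for encryption, integrity and login, uploads the ciphertext plus a login verifier, and the server can authenticate a user without ever being able to decrypt. To stay standard-library only it uses HMAC-SHA256 as a PRF in counter mode for the keystream with encrypt-then-MAC; a product would use AES-GCM or XChaCha20-Poly1305 instead. It also shows why a strong master password matters: the verifier and salt are all an attacker with the database has to guess against.

```python
"""Client-side encrypted vault: the key comes only from the master
password, the server stores an opaque blob plus a separate login
verifier, and nothing held server-side decrypts. Added example; not
PasswordBox's code. Standard library only: HMAC-SHA256 as a PRF in
counter mode for the keystream, encrypt-then-MAC for integrity. Use a
real AEAD (AES-GCM, XChaCha20-Poly1305) in production."""
import hashlib
import hmac
import json
import os
import struct

PBKDF2_ROUNDS = 100_000      # raise substantially in production


def _derive(master_password: str, salt: bytes) -> dict:
    """One slow KDF call, then independent subkeys by label so the
    server-held login verifier cannot be turned into the encryption key."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS, 32)
    sub = lambda label: hmac.new(root, label, hashlib.sha256).digest()
    return {"enc": sub(b"enc"), "mac": sub(b"mac"), "auth": sub(b"auth")}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = bytearray()
    for i in range(-(-n // 32)):
        out += hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
    return bytes(out[:n])


def seal(master_password: str, items: dict) -> dict:
    """Client: encrypt the vault. Returns the record that gets uploaded."""
    salt, nonce = os.urandom(16), os.urandom(16)
    k = _derive(master_password, salt)
    pt = json.dumps(items, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(k["enc"], nonce, len(pt))))
    tag = hmac.new(k["mac"], nonce + ct, hashlib.sha256).digest()
    return {
        "salt": salt.hex(), "nonce": nonce.hex(),
        "blob": (ct + tag).hex(),
        # verifier: lets the server check a login without learning k["enc"]
        "auth": hashlib.sha256(k["auth"]).hexdigest(),
    }


def open_vault(master_password: str, record: dict) -> dict:
    """Client: decrypt. Wrong password -> MAC failure, never garbage."""
    salt, nonce = bytes.fromhex(record["salt"]), bytes.fromhex(record["nonce"])
    data = bytes.fromhex(record["blob"])
    ct, tag = data[:-32], data[-32:]
    k = _derive(master_password, salt)
    if not hmac.compare_digest(tag, hmac.new(k["mac"], nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad master password or tampered blob")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(k["enc"], nonce, len(ct))))
    return json.loads(pt)


def client_login_token(master_password: str, record: dict) -> str:
    """Client side of login: derive the auth subkey and present it (over TLS)."""
    return _derive(master_password, bytes.fromhex(record["salt"]))["auth"].hex()


def server_check_login(record: dict, token_hex: str) -> bool:
    """Server side: hash the presented subkey and compare with the stored
    verifier. The server never receives or holds k['enc'] or k['mac']."""
    got = hashlib.sha256(bytes.fromhex(token_hex)).hexdigest()
    return hmac.compare_digest(record["auth"], got)


if __name__ == "__main__":
    rec = seal("correct horse battery staple", {"bank": "p4ss", "email": "hunter2"})
    print("server stores:", {k: v[:16] + "..." for k, v in rec.items()})
    print("login ok:", server_check_login(rec, client_login_token("correct horse battery staple", rec)))
    print("decrypted:", open_vault("correct horse battery staple", rec))
```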

You can watch the full interview on YouTube:

Edit: May 22, 2014 – Added quotes about the methods of multi-factor authentication (such as the fingerprint scanner or NYMI).

CryptoLocker malware destroys your personal and business files. Protect yourself with these tips.

As a computer and security specialist, I see a lot of viruses and malware. But more often than not, the removal of the malicious code from a computer system repairs the issue. A new ransomware application has popped up however that raises some real concern, because it in fact destroys your data in a seemingly unrecoverable way, and removal of the malware simply leaves your files in an inaccessible state with no chance at recovery.

What is it?

CryptoLocker leaves your files inaccessible and unrecoverable.


CryptoLocker is a new and cunning piece of ransomware discovered last month. Its spread is increasing, and we’re starting to see infections in a growing number of unrelated networks here in Ontario.

CryptoLocker needs to be taken very seriously, because it can result in the total and irreversible destruction of all your personal and company files.

What Does It Do?

CryptoLocker places itself on a Windows machine, easily circumventing even the best antivirus protection, at least at the time I write this. It appears to get in by way of an infected web site or possibly an infected email attachment masquerading as a seemingly legitimate file such as tracking data for a courier shipment, a money transfer or other fake electronic money transaction.

Once infected, the malware crawls through all mounted volumes (hard drives, network shares, USB drives, camera cards, etc.) for a variety of filetypes, mostly documents, spreadsheets, PDF files, pictures, etc., and encrypts them. This means the files on your own hard drive, your network mapped drives, and even cloud-based drives are encrypted (destroyed, made unreadable). Because the decryption key is not known, recovery is not an option.

Once the encryption process is complete, the software then launches an application window displaying a message that all your files have been locked, and you must pay the ransom ($300 is common right now) in order to recover your files.

Current, up to date antivirus tools detect the trojan and remove the malware after the damage is done to your files. This results in the permanent inability to recover your files.

Perhaps the best way to explain the devastating effects of CryptoLocker is with a couple of fictitious scenarios:

Scenario 1

A small business has a two-drive RAID mirror unit in their server as a form of backup. They have one extra drive, and the system features a removable tray caddy. This allows them to swap one of the hard drives each day and take it off-site.

One staff member was working on the system that morning and received an alert that their data had been encrypted after they opened a suspicious email attachment. They closed the alert and left the room.

The manager arrived an hour later and removed the second hard drive from the array, replacing it with the one they brought from home: their morning routine. The drive rebuilt based on the first drive, which now contains only encrypted data, and now all three drives are corrupt.  All files are lost, including their backup.

Scenario 2

A business office with a shared folder on the server uses that share for all their company data.  Every workstation in the office has the share mounted to their Q: drive. This contains Excel spreadsheets, Word documents, PDF catalogues, product pictures and more.

The company feels this is a good way to manage their internal files since it gives all staff access to the files, is a RAID 1 mirrored drive (so if a hard drive crashes, they lose nothing) and it allows them to backup one single folder to the external backup drive on a nightly basis, resulting in the backup of all critical files.

One staff member is wrapping up their shift and quickly uses their computer to search for discounted tickets for an upcoming concert. They do a search in Google and start clicking on all the results to see which one offers the best deal, unconcerned about the fact that they do not recognize even one of the web sites as a reputable ticket source. Unbeknownst to the user, one of those sites is infected with CryptoLocker, which installs itself in the background while they search.

CryptoLocker silently goes through C: and corrupts every document, every spreadsheet, practically every personally-created file. It then finds the Q: drive and gets to work doing the same: corrupting all user files on the network share.

The following morning the user returns to work and finds an alert on their screen saying all files have been encrypted, and they immediately recognize it as being a virus of sorts. They run their virus scanner and it removes the infection without any problem. They go about their day.

All the while, other users on the network start to complain that they can’t access their Q: drive. IT has a look and finds that all files are corrupt and unreadable. They look at the backup drive connected to the server, and it too has been corrupted due to the previous night’s backup. All files are lost, including their backup.

What Can You Do?

If you have already been infected with CryptoLocker and do not have an unaffected backup, unfortunately there is nothing that can be done. It is not recommended that you pay the ransom, nor is there any guarantee that the hacker responsible will actually unlock your files if you do pay (some users have reported having paid the ransom and yet never got their files back).

So it all comes down to preventative measures: protecting yourself from this malware before you get infected.

Backup, backup, backup

I’m not just saying it three times for emphasis. I really mean it: you should have more than one backup solution in place.

Realistically the only true protection against the effects of CryptoLocker and similar viruses is to have a multi-tier backup system protecting the integrity of your files at all times.

Since the files on your drives and network are basically destroyed by CryptoLocker—possibly including your backup—the easiest, safest, and most assured way to recover from an infection should it occur, is by having a detached, unaffected copy of your files.

An off-site backup solution is likely the best option. It means your files are safely stored elsewhere, and if done right, they are stored incrementally. This means if you get an infection and CryptoLocker destroys all your files, and then your backup runs, your good backup does not get overwritten, as would be the case with both scenarios listed above. With an incremental backup, you can in fact restore from days gone by—from before the infection took place.

There are many off-site backup services out there, and I don’t want this to seem like a sales pitch—I genuinely just want you to be safe—so feel free to shop around. But all I ask is that you please include Positive E Solutions in your list of companies to check out.  They have a very good, fully encrypted off-site backup service with hosting entirely in Canada.  It can be used in conjunction with your existing backup infrastructure to leverage its effectiveness and further protect your critical data. It’s very affordable for either business or home use, and I can even let you try it for free for 30 days to see if it meets your needs. http://positiveesolutions.com/try-now.php
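The difference between the backups in the two scenarios and the incremental backup recommended above comes down to one property: whether an old, good copy survives the next backup run after the files have been destroyed. The following is an added example, not a product: a dict of path to bytes stands in for the Q: drive, a stand-in for CryptoLocker overwrites every file with random bytes, and the same sequence of nightly runs is fed to an overwriting mirror and to a versioned, content-addressed store. The file names and contents are constructed.

```python
"""Why an overwriting backup loses to ransomware and a versioned one does
not. Added example (not a product); the 'filesystem' is a dict of
path -> bytes, 'ransom' replaces every file with random bytes, and
both backup styles see the same sequence of events."""
import hashlib
import os


def ransom(files: dict) -> dict:
    """Stand-in for CryptoLocker: every document becomes unreadable."""
    return {p: os.urandom(len(c)) for p, c in files.items()}


class MirrorBackup:
    """Nightly copy into one folder, or a RAID rebuild: last state wins."""
    def __init__(self):
        self.copy = {}

    def run(self, files: dict, when: int):
        self.copy = dict(files)

    def restore(self, as_of: int) -> dict:
        return dict(self.copy)          # there is only ever one version


class VersionedBackup:
    """Content-addressed store plus a per-run manifest; old runs stay."""
    def __init__(self):
        self.chunks = {}        # sha256 -> bytes (deduplicated)
        self.manifests = {}     # run time -> {path: sha256}

    def run(self, files: dict, when: int):
        manifest = {}
        for path, content in files.items():
            digest = hashlib.sha256(content).hexdigest()
            self.chunks.setdefault(digest, content)
            manifest[path] = digest
        self.manifests[when] = manifest

    def restore(self, as_of: int) -> dict:
        """Latest run at or before as_of; KeyError if none exists."""
        runs = [t for t in self.manifests if t <= as_of]
        if not runs:
            raise KeyError("no backup run at or before %d" % as_of)
        manifest = self.manifests[max(runs)]
        return {p: self.chunks[d] for p, d in manifest.items()}


def simulate(backup, infection_day: int = 3, days: int = 5) -> dict:
    """Run nightly backups; ransomware hits on infection_day before that
    night's backup, as in Scenario 2. Returns whether a restore to the
    night before the infection gives the original files back."""
    files = {"Q:/catalogue.pdf": b"2013 price list", "Q:/orders.xlsx": b"rows..."}
    original = dict(files)
    for day in range(1, days + 1):
        if day == infection_day:
            files = ransom(files)
        backup.run(files, day)
    recovered = backup.restore(infection_day - 1)
    return {"intact": recovered == original, "recovered": recovered}


if __name__ == "__main__":
    print("mirror   :", simulate(MirrorBackup())["intact"])
    print("versioned:", simulate(VersionedBackup())["intact"])
```

The versioned store also shows why ransomware inflates backup size: encrypted files never deduplicate against their originals, so a sudden jump in new chunks per run is itself a signal worth alerting on.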

Enable Volume Shadow Copy

Volume Shadow Copy may help you recover from a CryptoLocker attack if it is enabled on the affected folder prior to the corruption taking place


Windows 7/Server 2008/Vista/Server 2003 have a feature called Volume Shadow Copy. It’s not to be mistaken for a backup, but it is a helpful tool in recovering from this type of infection: essentially a duplicate of the files found on volumes you specified to have shadowed. In the event of a CryptoLocker attack, your files are destroyed from their original locations, but the Volume Shadow Copy is untouched by the current incarnation of CryptoLocker, due likely to the special permissions required to write to the Volume Shadow Copy itself. Therefore, following the removal of CryptoLocker, you can right-click on the affected files or folders and revert to an earlier snapshot. Be aware that later ransomware families do delete shadow copies (for example with vssadmin delete shadows /all) before encrypting, which is one more reason to treat them as a convenience and not as the backup.

There are a ton of tutorials out there which teach how to enable Volume Shadow Copy, so I’ll avoid making this one of them. Activating Volume Shadow Copy helps reduce recovery time should a CryptoLocker infection take place.

It is a good idea, I think, to enable Volume Shadow Copy at the server level, directly on the volume containing your network share folders. In Scenario 2 above, this would be the RAID 1 which contains the contents of their Q: drives.  That way, the shadow copy could be used to quickly restore to a previous set of files. If that doesn’t work, the backup can be used.

Update Flash and Java, But Disable Java in your Browser

I had a discussion with malware expert Adam Kujawa yesterday about CryptoLocker. He mentioned that Java and Flash are two of the main ways this virus is able to enter a Windows system. An unsuspecting user might conduct a search for something in Google, and click on a few links, and one of those web sites could be infected with the distribution mechanism to install CryptoLocker on your system. The recommendation is to disable Java from your web browser (only enabling it when needed), and absolutely keep both Java and Flash up to date.

Keep Your Antivirus / Anti-Malware Up To Date

The instant they release protection for this, you want to receive it. This is not a replacement for my backup suggestion above, but will save you some headaches.

Be Careful What You Click

We have received reports that CryptoLocker infections originated both from infected web sites and emails. It’s tough to ensure entire staff are cautious, but it’s still important for me to mention. If something appears suspect, don’t click it. If you receive an email you’re not expecting, don’t open it. If “your bank” sends you transaction details for a transaction you don’t remember making, don’t click the links. Just be careful what you click. These infections are able to circumvent the antivirus.

Mac and Linux Users

While CryptoLocker does not directly infect Mac or Linux machines at this time, these systems may have network-accessible file shares open to the network or a virtual machine. Therefore if a Windows computer on the network or a Windows virtual machine becomes infected with CryptoLocker, it is possible to lose the files hosted on your Mac or Linux computer (or NAS device).

Cloud Users Beware

CryptoLocker will crawl through and destroy personal files on cloud-based mapped drives such as Google Drive, PogoPlug or DropBox.

Thanks for reading, and stay safe!

Robbie

Why am I receiving virus emails from old friends?

A customer emailed me, puzzled by why they’re suddenly receiving a bunch of virus emails from friends they haven’t spoken to in a number of years.

These types of mass-mail viruses can be very confusing, since they nearly always appear to come from someone you know.

Here’s why and how that happens…

Let’s say someone who you haven’t talked to in a few years (we’ll call him “Bruce”), who is part of the same “circle of friends”, caught a virus. So the virus goes into his address book and starts mass mailing everyone in the address book, spoofing the sender address each time.

Bruce’s address book:

  • John
  • Betty
  • Doug

Bruce gets a virus.  The virus sends an email to John pretending to be Betty, and an email to Doug pretending to be John.

Doug replies to John and says “You have a virus!” But John doesn’t have a virus; Bruce does.
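The reason Doug blames John is that the From: line is all his mail client shows him, and the virus on Bruce’s PC can put anything there. The evidence of who really sent a message is what your own provider records when it receives it: the Authentication-Results header with the SPF, DKIM and DMARC outcomes. The following is an added example, not from the original post; both messages are constructed, one forged from Bruce’s connection with Betty’s name on it and one genuinely from Betty’s provider.

```python
"""Check whether a message's From: is backed by the receiving server's
Authentication-Results header. Added example; the two messages are
constructed. A mass-mailer can put any name in From:, and that field
is all most mail clients show; the SPF/DKIM/DMARC results recorded by
your own provider are the evidence."""
import email
import re
from email.utils import parseaddr

_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*(\w+)", re.IGNORECASE)


def auth_results(raw_message: str) -> dict:
    """Return {'spf': 'pass', 'dkim': 'fail', ...} from Authentication-Results."""
    msg = email.message_from_string(raw_message)
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in _RESULT_RE.findall(value):
            found.setdefault(method.lower(), result.lower())
    return found


def sender_trust(raw_message: str) -> dict:
    """Summarise: whose name is on From:, and did any authentication pass?"""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    results = auth_results(raw_message)
    authenticated = any(results.get(m) == "pass" for m in ("dkim", "dmarc", "spf"))
    return {"from_name": name, "from_addr": addr, "results": results,
            "trust_from_header": authenticated}


# Constructed: sent from Bruce's infected PC with Betty's address forged.
SPOOFED = """\
Authentication-Results: mx.myisp.example; spf=fail smtp.mailfrom=betty@friends.example;
\tdkim=none; dmarc=fail header.from=friends.example
Received: from cust-203-0-113-9.bruces-isp.example ([203.0.113.9])
\tby mx.myisp.example with ESMTP id 9f8e7d6c
From: Betty <betty@friends.example>
To: john@friends.example
Subject: check this out!!

see attached
"""

# Constructed: really sent through Betty's provider.
GENUINE = """\
Authentication-Results: mx.myisp.example; spf=pass smtp.mailfrom=betty@friends.example;
\tdkim=pass header.d=friends.example; dmarc=pass header.from=friends.example
From: Betty <betty@friends.example>
To: john@friends.example
Subject: lunch friday?

free at noon?
"""

if __name__ == "__main__":
    for label, m in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, sender_trust(m))
```

Most webmail clients expose the raw headers under a “show original” or similar option; if there is no Authentication-Results line at all, or every result is fail or none, the From: name tells you nothing about whose machine is infected.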

It’s often difficult or impossible to track down the true culprit, and that’s why it’s imperative that everyone on Microsoft Windows have an up-to-date virus scanner such as ESET Smart Security 6. It is also important on any platform (Windows, Mac, Linux, or even smart phone) that you be familiar with phishing scams, and be extra cautious what you open or click.