If you have an IDS that can support PCRE, below is a regex that will detect the
latest Angler URI pattern evolution that’s been going around today.
^http:\/\/[^\x2f]+\/viewtopic\.php\?(?![^\x0a]*?[&]?f=\d+&t=)(?![^\x0a]*?[&]?t=\d+&(?:start|p|f)=)[A-Za-z\d_-]{1,5}=\d{1,5}(?:&[A-Za-z\d_-]{1,5}=\d{1,5}){1,}$
Rob.
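To see what the regex above actually accepts and rejects, here is an added Python check (not part of the original message) that compiles the PCRE unchanged, applies it to constructed sample URLs, and runs it over a few constructed proxy log lines. The log format (timestamp, client IP, method, URL) and all hostnames are assumptions chosen for the example; the `.invalid` TLD is reserved and never resolves. Note that the two negative lookaheads only exclude the specific phpBB link forms `f=<n>&t=` and `t=<n>&start=|p=|f=`; anything else that is a chain of short `key=digits` pairs still matches, and the pattern only covers plain `http://`.

```python
import re
from typing import List, Tuple

# The PCRE from the post, unchanged. re.ASCII keeps \d and the classes
# ASCII-only, which is PCRE's default and what an IDS would apply.
ANGLER_VIEWTOPIC_RE = re.compile(
    r"^http:\/\/[^\x2f]+\/viewtopic\.php\?"
    r"(?![^\x0a]*?[&]?f=\d+&t=)"                # exclude phpBB "f=<forum>&t=<topic>"
    r"(?![^\x0a]*?[&]?t=\d+&(?:start|p|f)=)"    # exclude phpBB "t=<topic>&start=/p=/f="
    r"[A-Za-z\d_-]{1,5}=\d{1,5}"                # first short key=digits pair
    r"(?:&[A-Za-z\d_-]{1,5}=\d{1,5}){1,}$",     # at least one more such pair
    re.ASCII,
)


def is_angler_viewtopic_uri(url: str) -> bool:
    """True when the URL matches the Angler viewtopic.php pattern from the post."""
    return ANGLER_VIEWTOPIC_RE.search(url) is not None


# Constructed proxy log lines (assumed format: epoch, client IP, method, URL).
# Lines 1-2 are ordinary phpBB links, line 3 is the exploit-kit style URI,
# line 4 has a 6-character key, line 5 is https; only line 3 should be flagged.
SAMPLE_PROXY_LOG = """\
1436360001.123 10.0.0.12 GET http://forum.example.invalid/viewtopic.php?f=12&t=345
1436360002.456 10.0.0.12 GET http://forum.example.invalid/viewtopic.php?t=345&start=20
1436360003.789 10.0.0.31 GET http://abc.example.invalid/viewtopic.php?qz=1043&h_k=7&w-1=99
1436360004.012 10.0.0.31 GET http://abc.example.invalid/viewtopic.php?abcdef=1&b=2
1436360005.345 10.0.0.44 GET https://abc.example.invalid/viewtopic.php?ab=12&cd=34
"""


def flag_proxy_log(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, url) for every log line whose URL matches the pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or blank lines
        client_ip, url = fields[1], fields[3]
        if is_angler_viewtopic_uri(url):
            hits.append((client_ip, url))
    return hits


if __name__ == "__main__":
    for client_ip, url in flag_proxy_log(SAMPLE_PROXY_LOG):
        print(f"ALERT client={client_ip} url={url}")
```

Running it prints a single alert for the `10.0.0.31` request with the `qz=1043&h_k=7&w-1=99` query string. A URL such as `viewtopic.php?p=99&t=1` is not excluded by either lookahead and will also match, so expect to tune against your own forum traffic before deploying the rule.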
From: [email protected] [mailto:[email protected]] On
Behalf Of Dave Lum
Sent: Wednesday, July 08, 2015 11:13 AM
To: [email protected]
Subject: RE: [NTSysADM] OT: VirusScanning software
“Luckily we have other systems in place that mitigated the extent of damage,
such as really good backups, and tested restore procedures.” Aye. That. Also,
shadow copies are your friend. Enabling System Protection via GPO is another
mitigation step I use (aka shadowcopy on the PC itself).
Best if you can keep it out altogether – I like Robert’s methodology as well.
Dave
From: [email protected] [mailto:[email protected]] On Behalf Of Jonathan Link
Sent: Wednesday, July 08, 2015 7:43 AM
To: [email protected]
Subject: Re: [NTSysADM] OT: VirusScanning software
So, we just got hit with a Cryptowall variant with SRP in place. I didn't
disbelieve you Susan, I was just hoping that we could avoid infection until I
got a true whitelisting solution in place.
Oh and I'm on vacation, so this is extra fun to restore backups via the VPN.
Luckily we have other systems in place that mitigated the extent of damage,
such as really good backups, and tested restore procedures.
On Fri, Jul 3, 2015 at 3:36 PM, Susan Bradley <[email protected]> wrote:
I have many consultant stories of ransomware nailing clients with software
restriction policies in place - especially the web cocktail variants.
Applocker/whitelisting = Enterprise SKUs. Which I hardly ever see in my space,
nor does the customer base afford the time and effort.
Great if you have the budget to do it, sucks if you don't have the licenses and
infrastructure.
On 7/3/2015 11:54 AM, Jonathan Link wrote:
I was posting from my phone in a hurry, DYAC. Software Restriction, not proper
pixies.
Susan, I haven't seen an executable run in any location that has been blocked
by SRP. IF you have a very narrow whitelist, it helps a lot.
On Fri, Jul 3, 2015 at 2:02 PM, Jonathan Link <[email protected]> wrote:
You can also use proper pixies to restrict where software can run. I've blocked
the user profile folder and added an exception for the desktop and a couple of
other places that I can't recall. Users have to move downloaded apps to their
desktop to install. I haven't had a Cryptowall infection in 2 years.
On Friday, July 3, 2015, Susan Bradley <[email protected]> wrote:
It changes so fast that as soon as they do, the bad guys code up something new.
There's no silver bullet here.
Silverlight/Flash/Java. Use it, patch it, or lose it.
Web filtering at the firewall. If your firewall doesn't provide web
filtering/UTM options it's time to upgrade. Home users look at OpenDNS (yes,
even now that Cisco is buying them).
Filter attachments/zips.
Least priv/non-admin.
Block the app location (yes, this impacts Firefox and Office installs). Google
FoolishIT for non-domain, or the CryptoLocker Group Policy toolkit.
Educate your users that that email they got isn't a legit email.
On 7/3/2015 10:09 AM, David McSpadden wrote:
Quick, anyone know of a VirusScanning software that is catching CryptoWall 3.0
yet?
David McSpadden
Systems Administrator
Indiana Members Credit Union
P: 317.554.8190 | F: 317.554.8106