Like I think we all said, AV is not going to save you against today's current malware attacks; even if your users aren't admin, the malware can write to user-writable areas of the OS. And from the current samples I have looked at in a sandbox, they are pretty malicious and leave a lot of IOCs (indicators of compromise) on systems: process injection, mutexes, memory resident, encrypted payloads, anti-tampering, you name it. And oh yes, signed malware with valid certificates and encrypted outbound communications are the new craze.
I have mentioned it before: if you control code execution on your systems you are winning; if you don't, you are losing.

Z

Edward E. Ziots, CISSP, CISA, Security +, Network +
Security Engineer
Lifespan Organization
[email protected]
Work: 401-255-2497

This electronic message and any attachments may be privileged and confidential and protected from disclosure. If you are reading this message, but are not the intended recipient, nor an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that you are strictly prohibited from copying, printing, forwarding or otherwise disseminating this communication. If you have received this communication in error, please immediately notify the sender by replying to the message. Then, delete the message from your computer. Thank you.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Susan Bradley
Sent: Thursday, February 27, 2014 3:07 PM
To: [email protected]
Subject: Re: [NTSysADM] RE: Cryptolocker

http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit-updates/

Yup, you find out which vendors have really bad updating strategies.

On 2/27/2014 12:03 PM, Ryan Shugart wrote:
> I actually have a test GPO to implement this, thanks. The concern we're
> having is just what needs to be whitelisted and the process in finding that
> out. It won't be fun; some not very smart software sticks executables into
> the %appdata% folder and runs from there, such as Java updates, for example.
> Ryan
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Susan Bradley
> Sent: Thursday, February 27, 2014 12:52 PM
> To: [email protected]
> Subject: Re: [NTSysADM] RE: Cryptolocker
>
> Software restriction policies.
>
> Ignore the URL; the concepts are valid.
>
> http://www.foolishit.com/vb6-projects/cryptoprevent/
>
> And yes, it can also be done with group policy.
>
> I've never seen antivirus actually protect anyone. I've seen A/V
> vendors say they have protection, but they are always one step behind
> because it's really not a virus; it's a program that launches
> encryption on your system.
>
> Encryption is not a virus.
>
> On 2/27/2014 11:36 AM, Ziots, Edward wrote:
>> AV isn’t going to detect advanced malware like CryptoLocker.
>>
>> As a start I would do an egress filter trust to untrust for these IPs.
>>
>> https://discussions.nessus.org/thread/6799
>>
>> The most recent alert I saw yesterday came from the Center for Internet
>> Security <http://www.cisecurity.org/>. In their advisory, they listed the
>> following IPs as being associated with the network activity:
>>
>> Is your 3rd party software on the endpoints up to date?
>>
>> Z
>>
>> Edward E. Ziots, CISSP, CISA, Security +, Network +
>> Security Engineer
>> Lifespan Organization
>> [email protected] <mailto:[email protected]>
>> Work: 401-255-2497
>>
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Ryan Shugart
>> Sent: Thursday, February 27, 2014 2:27 PM
>> To: [email protected]
>> Subject: [NTSysADM] Cryptolocker
>>
>> Hi:
>>
>> We’ve been plagued with Cryptolocker for the past several months,
>> just two infections yesterday. We’re running McAfee 8.8 with the
>> latest DATs and it’s just not finding this virus in time. If anyone
>> is using an antivirus solution that does detect this, can you let us know?
>> We’re interested in a possible switch.
>>
>> Thanks.
>>
>> Ryan
>>
>> Ryan Shugart
>> LAN Administrator
>> MiTek USA, MiTek Denver
>> 314-851-7414
>>
>> © COPYRIGHT, MITEK HOLDINGS, INC., 2011-2013, ALL RIGHTS RESERVED
>>
>> This communication (including any attachments) contains information
>> which is confidential and may also be privileged. It is for the
>> exclusive use of the intended recipient(s). If you are not the
>> intended recipient(s), please note that any distribution, copying, or
>> use of this communication or the information in it is strictly
>> prohibited. If you have received this communication in error, please
>> notify the sender immediately and then destroy any copies of it.
>>
> --
> Got your CryptoLocker prevention in place?
> http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit-updates/
> Only two more patching days of XP.... are you ready?
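Ryan's concern in the thread, working out what a software restriction policy that denies executables under %appdata% would break before it goes live, is something you can inventory rather than guess at. The script below is an added example, not code from the thread or from the CryptoPrevent kit it links; it lists executable files under each user profile's AppData paths with their Authenticode signer, so signed vendor updaters can be carved out as whitelist exceptions and unsigned strays reviewed. It assumes it runs elevated on the endpoint being surveyed and that the extension list is adjusted to the designated file types of your own policy.

```powershell
# Added example, not from the thread: inventory executables living in the user-writable
# AppData paths that an SRP "deny %appdata%" rule would cover, so you can see what needs
# whitelisting (signed vendor updaters) and what deserves a closer look (unsigned strays).
# Assumptions: run elevated so every profile is readable; the extension list is illustrative
# and should match the designated file types in your own SRP policy.
$relativeDirs = @('AppData\Roaming', 'AppData\Local', 'AppData\Local\Temp')
$extensions   = @('.exe', '.com', '.scr', '.pif', '.bat', '.cmd', '.js', '.vbs')

$profileRoot = Split-Path -Path $env:USERPROFILE -Parent    # typically C:\Users

$results = foreach ($profile in Get-ChildItem -Path $profileRoot -Directory) {
    foreach ($rel in $relativeDirs) {
        $dir = Join-Path -Path $profile.FullName -ChildPath $rel
        if (-not (Test-Path -Path $dir)) { continue }

        Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $extensions -contains $_.Extension.ToLower() } |
            ForEach-Object {
                # Authenticode status separates a known publisher's updater from an
                # unsigned binary that has no business sitting in a user-writable path.
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    User      = $profile.Name
                    Path      = $_.FullName
                    SigStatus = $sig.Status
                    Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                    Modified  = $_.LastWriteTime
                }
            }
    }
}

# Grouped by signature status, then publisher: validly signed vendor binaries are the
# whitelist candidates to carve out of the deny rule; anything unsigned or unverifiable
# is what the rule exists to stop and should be looked at before deployment.
$results | Sort-Object SigStatus, Publisher, Path | Format-Table -AutoSize
$results | Export-Csv -Path (Join-Path $env:TEMP 'appdata-executables.csv') -NoTypeInformation
```

Run it across a representative sample of machines and diff the CSVs: paths that recur under a valid vendor signature are the exceptions to add to the GPO, while one-off unsigned binaries are worth a look in the sandbox before anything is whitelisted.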

