Microsoft to add a standalone Windows Enterprise version to its business line-up | ZDNet:
http://www.zdnet.com/microsoft-to-add-a-standalone-windows-enterprise-version-to-its-business-line-up-7000026860/#ftag=RSS14dc6a9

On 2/27/2014 1:13 PM, Aakash Shah wrote:
If you have access to the Enterprise editions of Windows, AppLocker is another 
feature built into Windows to consider.  This is like Software Restriction 
Policies, but allows you to add publisher rules more easily.  So for instance, 
you can whitelist GoToMeeting by whitelisting the publisher's certificate 
(Citrix).  This way, the exes can potentially run from anywhere as long as 
they are signed by the publisher.  This is very helpful when some software 
writes into many different folders for each version (GoToMeeting is one 
notorious example).

-Aakash Shah
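One way to build the publisher rule Aakash describes, and then to find out what else is running from user-writable locations before the policy is enforced (the whitelisting question raised further down the thread), as an added example that is not code from the thread or from any of its participants. It assumes the AppLocker PowerShell module on an Enterprise SKU, an elevated session, and the placeholder paths shown:

```powershell
# Added example (not from the thread): generate an AppLocker publisher rule from a
# vendor-signed executable, then test binaries found under each user's AppData
# against the draft policy before merging it. Placeholder paths; adjust locally.

Import-Module AppLocker

$signedExe = 'C:\Temp\Reference\GoToMeeting.exe'   # placeholder: a copy of the vendor-signed binary
$policyXml = 'C:\Temp\applocker-publisher.xml'     # placeholder: where the draft policy is written

# 1. Read the Authenticode signature details (publisher, product, binary name, version).
$fileInfo = Get-AppLockerFileInformation -Path $signedExe
if (-not $fileInfo.Publisher) {
    throw "$signedExe is not signed; a publisher rule cannot be built from it."
}
$fileInfo.Publisher | Format-List

# 2. Generate an Allow rule keyed on the publisher certificate, not the path.
#    -RuleType Publisher is what lets the exe run from any folder as long as the
#    signature chains to the same publisher. The rule is scoped to Everyone.
$fileInfo |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -RuleNamePrefix 'Vendor' -Xml |
    Set-Content -Path $policyXml -Encoding UTF8

# 3. Inventory executables that live under each user's AppData (the folder the
#    thread complains about) and test them against the draft policy. Anything
#    reported as DeniedByDefault is either a candidate for its own rule or
#    something that should stay blocked.
$candidates = Get-ChildItem 'C:\Users' -Directory |
    ForEach-Object { Join-Path $_.FullName 'AppData' } |
    Where-Object { Test-Path $_ } |
    ForEach-Object { Get-ChildItem $_ -Recurse -Filter '*.exe' -File -ErrorAction SilentlyContinue } |
    Select-Object -ExpandProperty FullName

$decisions = $candidates | Test-AppLockerPolicy -XmlPolicy $policyXml -User Everyone

# Summarise: which binaries the publisher rule already allows, and which do not
# match any rule yet (those are the ones that need a decision).
$decisions | Group-Object PolicyDecision | Select-Object Name, Count
$decisions | Where-Object { $_.PolicyDecision -ne 'Allowed' } |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 4. Only after that review, merge into the local policy (or import into a GPO).
#    Deploying in audit-only mode first surfaces the misses as event log entries
#    without blocking anything.
# Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
```

The test step is the part that answers "what needs to be whitelisted": run it against a representative workstation, and the DeniedByDefault rows are the software that would break under enforcement. Signed binaries can be handled with further publisher rules; unsigned ones in %APPDATA% are exactly the cases where a hash rule or a vendor conversation is needed.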

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Ziots, Edward
Sent: Thursday, February 27, 2014 12:37 PM
To: [email protected]
Subject: RE: [NTSysADM] RE: Cryptolocker

Like I think we all said, AV is not going to save you against today's 
current malware attacks; even if your users aren't admin, the malware can write 
to user-writeable areas of the OS. And from the current samples I have 
looked at in a sandbox, they are pretty malicious and leave a lot of IOCs 
(indicators of compromise) on systems (process injection, mutexes, memory 
resident, encrypted payloads, anti-tampering, you name it, and ohh yes, signed 
malware with valid certificates and encrypted outbound communications are the 
new craze).

I have mentioned it before, if you control code execution on your systems you 
are winning, if you don't you are losing.

Z

Edward E. Ziots, CISSP, CISA, Security +, Network +
Security Engineer
Lifespan Organization
[email protected]
Work:401-255-2497


This electronic message and any attachments may be privileged and confidential 
and protected from disclosure. If you are reading this message, but are not the 
intended recipient, nor an employee or agent responsible for delivering this 
message to the intended recipient, you are hereby notified that you are 
strictly prohibited from copying, printing, forwarding or otherwise 
disseminating this communication. If you have received this communication in 
error, please immediately notify the sender by replying to the message. Then, 
delete the message from your computer. Thank you.




-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Susan Bradley
Sent: Thursday, February 27, 2014 3:07 PM
To: [email protected]
Subject: Re: [NTSysADM] RE: Cryptolocker

http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit-updates/

Yup, you find out which vendors have really bad updating strategies.

On 2/27/2014 12:03 PM, Ryan Shugart wrote:
I actually have a test GPO to implement this, thanks.  The concern we're having 
is just what needs to be whitelisted and the process in finding that out.  It 
won't be fun, some not very smart software sticks executables into the 
%appdata% folder and runs from there, such as Java updates, for example.
Ryan

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Susan Bradley
Sent: Thursday, February 27, 2014 12:52 PM
To: [email protected]
Subject: Re: [NTSysADM] RE: Cryptolocker

Software restriction policies.

Ignore the URL, the concepts are valid.

http://www.foolishit.com/vb6-projects/cryptoprevent/

And yes it can also be done with group policy.

I've never seen antivirus actually protect anyone.  I've seen a/v
vendors say they have protection but they are always one step behind
because it's really not a virus, it's a program that launches
encryption on your system.

Encryption is not a virus.

On 2/27/2014 11:36 AM, Ziots, Edward wrote:
AV isn’t going to detect advanced malware like CryptoLocker.

As a start I would do an egress filter, trust to untrust, for these IPs.

https://discussions.nessus.org/thread/6799

The most recent alert I saw yesterday came from the Center for Internet
Security <http://www.cisecurity.org/>. In their advisory, they listed the
following IPs as being associated with the network activity:

144.76.192.130
192.155.83.72
212.2.227.70
95.59.26.43
162.243.66.243
162.243.70.51
166.78.144.80
192.210.230.39
194.28.174.119
195.22.26.231
195.22.26.252
195.22.26.253
195.22.26.254
212.71.250.4
50.116.8.191
69.61.18.148
74.91.124.113
86.124.164.25
87.255.51.229
93.189.44.187
95.211.172.143
96.43.141.186

Is your 3rd party software on the endpoints up to date?

Z

Edward E. Ziots, CISSP, CISA, Security +, Network +
Security Engineer
Lifespan Organization
[email protected]
Work:401-255-2497

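The egress block Ziots suggests, expressed as a Windows host-firewall rule for the addresses in the CIS advisory he quotes. This is an added example and not code from the thread or from any of its participants; his advice is a trust-to-untrust rule on the perimeter firewall, and the host-level rule here is an assumed complement for machines that roam off the network. It assumes Windows 8 / Server 2012 or later (NetSecurity module) and an elevated session:

```powershell
# Added example (not from the thread): block outbound traffic to the IPs listed in
# the CIS advisory quoted above, on the Windows host firewall, and turn on logging
# of blocked packets so that any host trying to reach them shows up for triage.

$ruleName = 'Block CryptoLocker-associated egress (CIS advisory, Feb 2014)'

# Addresses exactly as listed in the thread. Review against current intelligence
# before deploying: such lists go stale and entries may later belong to
# legitimate hosts.
$blockList = @(
    '144.76.192.130', '192.155.83.72',  '212.2.227.70',   '95.59.26.43',
    '162.243.66.243', '162.243.70.51',  '166.78.144.80',  '192.210.230.39',
    '194.28.174.119', '195.22.26.231',  '195.22.26.252',  '195.22.26.253',
    '195.22.26.254',  '212.71.250.4',   '50.116.8.191',   '69.61.18.148',
    '74.91.124.113',  '86.124.164.25',  '87.255.51.229',  '93.189.44.187',
    '95.211.172.143', '96.43.141.186'
)

# Refuse to continue if an entry does not parse as an IP address; a typo in a
# copied list would otherwise make the whole rule fail to apply.
$bad = $blockList | Where-Object { -not ($_ -as [System.Net.IPAddress]) }
if ($bad) { throw "Invalid address(es) in block list: $($bad -join ', ')" }

# Create or refresh the rule idempotently so re-running the script after a list
# update replaces the old address set instead of stacking duplicates.
if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $ruleName
}

New-NetFirewallRule -DisplayName $ruleName `
    -Group 'Malware egress controls' `
    -Direction Outbound -Action Block -Enabled True -Profile Any `
    -RemoteAddress $blockList `
    -Description 'Blocks outbound connections to addresses listed in the CIS CryptoLocker advisory.' |
    Out-Null

# Verify what was actually applied: the address filter bound to the rule.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress

# Log dropped packets on every profile. A hit on this rule in pfirewall.log is
# the detection signal: that machine is attempting the outbound connection and
# should be pulled for investigation.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True
```

Pushing the same rule through Group Policy (Computer Configuration, Windows Firewall with Advanced Security) gives the fleet-wide version; the script above is the per-host equivalent and is handy for a quick check on a suspected machine.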


From: [email protected]
[mailto:[email protected]] On Behalf Of Ryan Shugart
Sent: Thursday, February 27, 2014 2:27 PM
To: [email protected]
Subject: [NTSysADM] Cryptolocker

Hi:

We've been plagued with Cryptolocker for the past several months,
just two infections yesterday.  We're running McAfee 8.8 with the
latest DATs and it's just not finding this virus in time.  If anyone
is using an antivirus solution that does detect this, can you let us know?
We're interested in a possible switch.

Thanks.

Ryan

Ryan Shugart
LAN Administrator
MiTek USA, MiTek Denver
314-851-7414


© COPYRIGHT, MITEK HOLDINGS, INC., 2011-2013, ALL RIGHTS RESERVED


This communication (including any attachments) contains information
which is confidential and may also be privileged. It is for the
exclusive use of the intended recipient(s). If you are not the
intended recipient(s), please note that any distribution, copying, or
use of this communication or the information in it is strictly
prohibited. If you have received this communication in error, please
notify the sender immediately and then destroy any copies of it.

--
Got your CryptoLocker prevention in place?
http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit-updates/
Only two more patching days of XP.... are you ready?



