“Locky” is a new “crypto-ransomware” type of malware that locks up your computer files and requires a monetary payment to unlock them. Locky is delivered via email as an invoice in a Word attachment.
Details from one ransomware email are shown below; this may be one of many variations.
Subject line: ATTN: Invoice J-98223146
Message: Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.
If you click on the attachment, you are encouraged to “enable macros”. If you comply and enable macros, malicious code is installed and the malware attack begins. The malware will begin to encrypt your files and attach the “Locky” extension. A ransom note is then left in every directory that has been infected, informing you to make a payment in order to unlock your files.
For specific details about the malware and what it will do to infected systems, see Trend Micro’s article “New Crypto-Ransomware Locky Uses Malicious Word Macros.”
If you receive a ransomware email, do NOT click on the attachment. Send the original email with full Internet headers to email@example.com, and delete the email. How to include full email headers is at k-state.edu/its/security/report/getheaders.html.
CryptoLocker is in a category of malware called ransomware. Once it’s installed, it encrypts most of the files on your computer as well as any files stored on connected network volumes. The only way to recover the encrypted files is to pay a ransom to the criminals or restore from backups. Several instances of this malware have been reported on the K-State campus and some of them have encrypted shared network volumes, affecting entire departments and forcing administrators to perform large data restores. Continue reading “CryptoLocker malware spreading through campus, destroying data”
Malware targeting Apple Mac computers was inevitable – hackers couldn’t continue to ignore this popular platform where users tend to be complacent because they buy into the myth that Macs are more secure. They are not inherently more secure; they’ve just been ignored by cybercriminals… until now. Several K-State departments have reported Mac computers infected with fake antivirus malware called MACDefender or something similar.
Like its Windows scareware counterparts, MACDefender tries to trick the user into buying useless or non-existent security software for up to $99 by convincing them their computer is infected. The only thing they’re infected with is the fake AV software, and those tricked into making the purchase give their credit card information to criminals.
Continue reading “Malware for Macs hits campus”
When K-State’s IT security team investigated a compromised system detected by its Intrusion Detection System last week, they were surprised to discover that the infected device was a television! Yes, a TV. Of course it’s not just any ol’ TV — it’s a special Samsung TV that also has a computer and operating system in it, so it can be used for multiple functions. In this case, it was used as an information kiosk in the lobby of a building to provide touch-screen access to information about the building and the department housed therein.
This device is running a special “embedded” version of Windows XP that had unpatched vulnerabilities. Since it was connected to the campus network, it was exposed to hackers — who exploited the vulnerabilities, took over control of the computer portion of the device, connected it to an IRC botnet, and used it to transfer pirated movies and who-knows-what-else.
Continue reading “A hacked TV at K-State = a "sign" of things to come?”
Silently sneaking onto your computer, Torpig lies in wait for you to log in to your bank’s website and sends your account information to well-organized criminals. Torpig has found its way on to more than 70 computers at K-State in the last year, and the number of infections is on the rise. The chart below shows infections from February 2009 through February 2010.
Unfortunately, security technology can’t always prevent infection because the malicious software changes rapidly and uses sophisticated stealth techniques to hide itself on infected computers. Thus, once again the user plays a key role in preventing infection and financial fraud.
Torpig, also known as Sinowal or Anserin, is malicious software belonging to the Trojan horse family that is designed to steal sensitive information from the computer that it infects. It specifically targets personal and corporate financial information such as credit card data, usernames, and passwords used in the victim’s web browser. It’s constantly changing and evolving and employs rootkit functionality to make it very difficult to detect and remove.
Torpig initially infects computers in several different ways. Continue reading “Torpig malware threatens K-Staters' bank account information”
One thing I’ll say about hackers is they are persistent, and I guess that fact shouldn’t surprise me since the same ol’ tricks reap dividends. Last Thursday, Nov. 5, K-State was hit with a cyberattack nearly identical to one that wreaked havoc on campus last July and, like last summer, it succeeded in compromising more than 130 campus computers.
The attack consisted of four different e-mails that tried to trick people into opening a malicious .zip attachment. Users who opened the attachment instantly infected their computer with a new variant of malware that antivirus software did not detect. The compromised computers were then used to try to infect other computers by sending the same malicious e-mails to addresses harvested from local addressbooks on the infected computers.
Once again, the best solution for preventing these types of attacks is for you, the user, to be suspicious of any unexpected e-mail from unknown sources and do not open an attachment until you confirm its legitimacy. One troubling thing is the four e-mails were virtually identical to the ones from last summer, with the following four subject lines:
Continue reading “Malicious e-mails strike again; 130+ computers compromised”
In order to escape detection by antivirus software, hackers are constantly altering the malware they proliferate through malicious e-mail attachments, web links, USB flash drives, and a variety of other means. Estimates of new malware produced every day are as high as 50,000, which makes it impossible for pattern-based antivirus software to keep up and detect every single one.
That is not to say antivirus has no value — Trend Micro antivirus has detected more than 73,000 instances of malware since Jan. 1. In fact, in one recent report, Trend Micro security software was rated the most effective tool for catching malware among evaluated consumer-grade antivirus products, so Trend Micro OfficeScan is doing its job. The point is antivirus software cannot catch all malware, so K-Staters are potentially vulnerable to new malware when it first arrives.
One way K-Staters can help is to submit new malware to Trend Micro for analysis, so those characteristics can be added to the pattern files used by OfficeScan to detect and delete malware. To make this easier for K-Staters, the IT security team developed the “Malicious Software Reporting Tool” where suspicious file(s) can be uploaded and described.
Continue reading “Submitting malware samples for analysis helps improve Trend Micro”
On Monday afternoon (July 13), thousands of K-Staters received malicious e-mail messages with .zip attachments. DO NOT OPEN THE ATTACHMENTS IN THESE E-MAILS, nor click on any links in these messages. Opening the attachment will result in your computer becoming infected and then being used to try to infect other computers by sending the malicious e-mails to accounts both on and off campus.
The malicious e-mails have subjects like:
- Your friend invited you to twitter!
- You have received A Hallmark E-Card!
- Shipping update for your Amazon.com order 254-78546325-658742
- Jessica would like to be your friend on hi5!
and the attachments have names like:
- Invitation Card.zip
- Shipping documents.zip
Nearly 100 K-State computers became infected on Monday when people opened the malicious attachments. Continue reading “Malicious e-mail attachments infect numerous K-State computers”
Since today (July 14) is the second Tuesday of the month, Microsoft is releasing its usual monthly security patches for the Windows operating system and select Microsoft applications. While it is always important to apply these and other security patches as soon as possible, it’s particularly important this month because at least two of the six patches fix vulnerabilities that are being actively exploited.
One of the patches fixes a critical vulnerability in the Microsoft Video ActiveX Control that has often been in the security news in the past week. Nearly 1,000 websites in China are known to be infected with a malicious script that exploits this vulnerability. Continue reading “Apply today’s Microsoft security patches ASAP”