
Be prepared against ransomware viruses..


SeraphimLabs:
Are there any fast global checks? Like are the ransomed files renamed to some bizarre file extension, or just ".zip" (that happens not to be unzippable)? So then you could put a list of all sane file extensions somewhere, and then some kind of deep background process that says "hey, if you find yourself creating anything evil, stop all activity and holler"?


-TaoPhoenix (June 27, 2015, 01:51 PM)
--- End quote ---

The one I encountered turned every image, office document, email, and html file into a .EXX added on to its normal extension.

I had literally dodged a bullet with it: the night before, I had noticed it acting funny and kicked it off the network, suspecting malware. Next morning it had the CryptoLocker ransom notice up, and while it was still running, all of the documents on it had been encrypted.

If I had left it alone it would have tried to encrypt everything it could reach on the fileserver.

bit:
Does anyone know of any mainstream security software that uses a "honeypot" approach of watching for certain files being modified?  i.e. which tries to catch these kinds of ransomware evils by catching and killing them as soon as they try to modify a document that the security software knows should never be changed/deleted.
-mouser (June 27, 2015, 01:22 PM)
--- End quote ---
I don't even understand the procedural explanation on this, let alone the technical end, but it does mention your keyword honeypot:
Tarpit tool sticks it back to teenage mutant Nimda worm
"The tool, called LaBrea, creates a tarpit ("sticky honeypot") by making use of unused IP addresses on a network and creates "virtual machines" that answer to connection attempts

LaBrea answers those connection attempts generated by worms in a way that causes an infected machine at the other end to get "stuck", sometimes for a very long time."
article date - Sept 21, 2001

Edvard:
I remember LaBrea.  The original author almost abandoned the project, citing potential legal action against him because the nature of LaBrea goes against certain provisions of the Federal Wiretap Act, namely:
Any person who intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication…intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection; intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection…
--- End quote ---

Basically, LaBrea does exactly that: it intercepts electronic communication.  How that would actually play out in the courts is another matter, as TechRepublic's John McCormick pointed out back in 2003:
You probably think that this is a really stupid idea—the concept that you could be violating the law merely by monitoring what a trespasser does on a system you own. But that’s just your common sense speaking, and any lawyer will tell you that the law has little or nothing to do with common sense.
--- End quote ---

I think the honeypot concept mouser is talking about involves more of a "mousetrap" aspect; an application places a special file or fake network connection that looks (to a ransomware program) like something it would want to access and modify, but is in fact actively monitored by said 'honeypot' application such that when the file or network is accessed, the process doing the access is immediately targeted and shut down.  Sounds like a good idea to me; how to implement?  Beyond me.
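The two detection ideas in this thread (TaoPhoenix's "list of sane extensions" check and the canary-file "mousetrap" Edvard and mouser describe) can be sketched in a few dozen lines. The code below is an added example written for this page; it is not from any poster or from any product mentioned here. It uses only the Python standard library, works on a temporary directory it creates itself, and contains a constructed stand-in for the encryptor (overwrite each file with junk and append ".exx" to its name, as SeraphimLabs described) so that it runs offline. The allow-list of "sane" extensions, the canary file names and the ".exx" marker are assumptions for illustration.

```python
"""Canary-file and stacked-extension checks for ransomware activity.

Added example for the thread above, not code from any poster or product.
Stdlib only; runs against a temporary directory it creates itself.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed allow-list of "normal" extensions (extend for your environment).
SANE_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
                   ".txt", ".jpg", ".jpeg", ".png", ".gif", ".html", ".htm",
                   ".eml", ".msg", ".zip", ".csv"}


def _digest(path: Path) -> str:
    """SHA-256 of a file's contents, streamed so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(root: Path,
                   names=("_aaa_budget.xlsx", "zzz_family_photo.jpg")) -> dict:
    """Create decoy documents and record their baseline digests.

    Names are chosen (assumption) to sort first and last in the directory,
    because an encryptor walking in directory order touches them early.
    """
    baseline = {}
    for name in names:
        p = root / name
        p.write_bytes(b"CANARY " + name.encode() + b"\n" + os.urandom(32))
        baseline[str(p)] = _digest(p)
    return baseline


def check_canaries(baseline: dict) -> list:
    """A canary must never change: report any that vanished or differ."""
    alerts = []
    for path_str, digest in baseline.items():
        p = Path(path_str)
        if not p.exists():
            alerts.append(("canary_missing", path_str))
        elif _digest(p) != digest:
            alerts.append(("canary_modified", path_str))
    return alerts


def suspicious_extensions(root: Path, sane=SANE_EXTENSIONS) -> list:
    """Flag files whose last suffix is not sane but whose previous one is,
    e.g. report.docx.exx (the pattern the posts describe).
    archive.tar.gz is not flagged: neither suffix is in the allow-list."""
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        sfx = [s.lower() for s in p.suffixes]
        if len(sfx) >= 2 and sfx[-1] not in sane and sfx[-2] in sane:
            hits.append(("stacked_extension", str(p)))
    return hits


def simulate_encryptor(root: Path, rename_to_exx: bool = True) -> None:
    """Constructed stand-in for ransomware: overwrite every file with junk
    and, optionally, append '.exx' to the name. Not a real sample."""
    for p in list(root.rglob("*")):
        if p.is_file():
            p.write_bytes(os.urandom(len(p.read_bytes()) or 16))
            if rename_to_exx:
                p.rename(p.with_name(p.name + ".exx"))


def run_demo(rename_to_exx: bool = True) -> dict:
    """Plant canaries and victim files, run both checks before and after the
    simulated attack, and return the alerts so a caller can act on them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.docx").write_bytes(b"quarterly numbers")  # constructed
        (root / "notes.txt").write_bytes(b"plain text")           # constructed
        baseline = plant_canaries(root)
        before = {"canary": check_canaries(baseline),
                  "ext": suspicious_extensions(root)}
        simulate_encryptor(root, rename_to_exx)
        after = {"canary": check_canaries(baseline),
                 "ext": suspicious_extensions(root)}
        return {"before": before, "after": after}


if __name__ == "__main__":
    for kind, path in run_demo()["after"]["canary"] + run_demo()["after"]["ext"]:
        print(kind, path)
```

Two caveats a practitioner would add. First, polling a digest only tells you the canary was hit after the fact; the "kill the process" part of the mousetrap needs a hook on the file-open or write itself (a filesystem minifilter on Windows, fanotify on Linux), which is what identifies the offending process ID and is why this is normally a kernel-level feature of security products rather than a script. Second, the extension check is only as good as its allow-list: encryptors that keep the original name, or that pick a marker that happens to be on the list, pass it, so it complements the canaries rather than replacing them.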

mouser:
I think the honeypot concept mouser is talking about involves more of a "mousetrap" aspect; an application places a special file or fake network connection that looks (to a ransomware program) like something it would want to access and modify, but is in fact actively monitored by said 'honeypot' application such that when the file or network is accessed, the process doing the access is immediately targeted and shut down.
--- End quote ---

exactly.

wraith808:
What about the vector?  You said that the relative was pretty pc savvy... I'm just wondering what got him.
