CryptoLocker: The Worst Computer Virus EVER!

Ransomware is an especially odious type of malware. The way it works is simple. Your computer will be infected with some malicious software. That software then renders your computer entirely unusable, sometimes purporting to be from local law enforcement and accusing you of committing a computer crime or viewing explicit pictures of children. It then demands monetary payment, either in the form of a ransom or a ‘fine’ before access to your computer is returned.

Horrible, isn’t it? Well, get ready to meet CryptoLocker; the evil patriarch of the Ransomware family.

What Is CryptoLocker

CryptoLocker is a piece of malware targeting computers running the Microsoft Windows operating system. It is typically spread as an email attachment, often purporting to be from a legitimate source (including Intuit and Companies House). Some say it is also being spread through the ZeuS botnet.

Once installed on your computer, it systematically encrypts all documents that are stored on your local computer, as well as ones that are stored on mapped network drives and mounted removable storage.

The encryption used is strong, 2048-bit RSA, with the decryption key for your files being stored on a remote server. The odds of you being able to break this encryption are almost nonexistent. If you want to get your files back, CryptoLocker asks you to fork over some cash: either two bitcoins (at the time of writing, worth almost USD $380) or $300 in MoneyPak or Ukash prepaid cards. If you don’t pay within three days, the decryption key is deleted and you lose access to your files forever.

CryptoLocker in action

Protecting Against It

Reports suggest that some security programs have had a hard time preventing CryptoLocker from getting its claws into your system before it’s too late. Fortunately, American security expert Nick Shaw has created a handy piece of software called CryptoPrevent (free). It applies a number of settings to your installation of Windows that prevent CryptoLocker from ever executing, and it has been proven to work in Windows XP and Windows 7 environments.

It’s also worth checking whether an email is suspect before you open any attachments. Does the sender’s email address match up with the purported sender? Were you expecting any correspondence from them? Are the spelling and grammar consistent with what you’d expect from the genuine sender? These are all reasons to be suspicious of an email and to think twice about opening any attachments.

Having Proper Backup

In these circumstances, I’d encourage everyone to make regular backups that are isolated from your computer. Using a networked backup solution will be utterly ineffective, as CryptoLocker has been known to encrypt data stored on these volumes.

If you use a cloud backup service like Carbonite, you can take comfort in knowing the odds are good that your files are versioned. That means if you back up an encrypted copy of a file you care about, you can revert to an earlier version. An employee of Carbonite posted this advice on Reddit.

I work for Carbonite on the operations team, and I can confirm this for most cases – I will also offer these two pieces of advice:

1) If you are affected by the virus, you should disable or uninstall Carbonite as soon as possible. If you stop backing up the files, it’s more likely that Carbonite will not have overwritten a “last known good” backup set. There is a high risk of some recent data loss (you’re effectively going back in time, so if we have no record of the file existing at a previous time, you won’t get it back) with this method, but it’s far, far better than losing all of your files.

2) When you call customer support, which you should do as soon as possible, specifically mention that you are infected with cryptolocker. It was mentioned in the post above, but I just wanted to put emphasis on it because it’ll get you through the queue faster.

Edit: also, just to state the obvious, make doubly sure the infection is off your machine before you call support, please.

Should You Pay The Ransom?

What if your computer gets compromised? It goes without saying that brute-forcing a file encrypted with 2048-bit encryption is almost impossible. Noted computer security firm Sophos has looked at a number of files that have been encrypted by this particular malware and has failed to find any obvious means by which they can be decrypted without forking over a ransom.

With that in mind, the only way to get your data back is by paying the ransom. However, this poses a major ethical dilemma. By paying the ransom, you make this type of chicanery profitable and therefore perpetuate it. However, if you don’t pay the ransom, you forever lose access to everything you’ve been working on that is stored on your computer.

What further complicates things is that it is impossible to ascertain who would be the recipient of any money paid. It may be something as simple as a single person working from his bedroom looking to get rich at the expense of others, or it might be something much more sinister.

Conclusion

I’ll leave the floor to you, the reader. Would you pay the ransom? Have you been infected with CryptoLocker? Leave your thoughts in the comments box below.

Locked yourself out of Jenkins?

Removed all permissions from your account, did you? Saved it, did you? Feeling a bit stupid?

Yeah, me too!

First steps

SSH to your server and stop Jenkins

/etc/init.d/jenkins stop

Now modify the config XML

sudo vi /var/lib/jenkins/config.xml

You now have two options to regain access

Yeehaw way

Turn security off by setting useSecurity to false, and remove the <authorizationStrategy> node entirely:

<useSecurity>false</useSecurity>

Now restart Jenkins and head over to your admin UI to re-secure it quickly, before the trolls get in.

/etc/init.d/jenkins start

Like a boss way

If you want to be safe and not open up a security hole at all, you can add the security permissions into the config XML manually, without turning security off. Just replace USERNAME with your own username:

<authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
  <permission>hudson.model.Computer.Configure:USERNAME</permission>
  <permission>hudson.model.Computer.Connect:USERNAME</permission>
  <permission>hudson.model.Computer.Create:USERNAME</permission>
  <permission>hudson.model.Computer.Delete:USERNAME</permission>
  <permission>hudson.model.Computer.Disconnect:USERNAME</permission>
  <permission>hudson.model.Hudson.Administer:USERNAME</permission>
  <permission>hudson.model.Hudson.Read:USERNAME</permission>
  <permission>hudson.model.Hudson.RunScripts:USERNAME</permission>
  <permission>hudson.model.Item.Build:USERNAME</permission>
  <permission>hudson.model.Item.Configure:USERNAME</permission>
  <permission>hudson.model.Item.Create:USERNAME</permission>
  <permission>hudson.model.Item.Delete:USERNAME</permission>
  <permission>hudson.model.Item.Read:USERNAME</permission>
  <permission>hudson.model.Item.Workspace:USERNAME</permission>
  <permission>hudson.model.Run.Delete:USERNAME</permission>
  <permission>hudson.model.Run.Update:USERNAME</permission>
  <permission>hudson.model.View.Configure:USERNAME</permission>
  <permission>hudson.model.View.Create:USERNAME</permission>
  <permission>hudson.model.View.Delete:USERNAME</permission>
  <permission>hudson.scm.SCM.Tag:USERNAME</permission>
</authorizationStrategy>

Now restart Jenkins and sit back with a smug grin.

/etc/init.d/jenkins start
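As an added example (not from the post), here is a Python script that performs the “Like a boss” edit programmatically: it keeps useSecurity set to true and swaps in a ProjectMatrixAuthorizationStrategy node carrying the permission list above for a given username, and it can also tell you whether anyone still holds Administer. It works on the XML as a string; reading and writing /var/lib/jenkins/config.xml while Jenkins is stopped is left to you, and the sample config.xml below is constructed.

```python
import xml.etree.ElementTree as ET

# The permission set from the post's "Like a boss" config.xml snippet.
PERMISSIONS = [
    "hudson.model.Computer.Configure", "hudson.model.Computer.Connect",
    "hudson.model.Computer.Create", "hudson.model.Computer.Delete",
    "hudson.model.Computer.Disconnect", "hudson.model.Hudson.Administer",
    "hudson.model.Hudson.Read", "hudson.model.Hudson.RunScripts",
    "hudson.model.Item.Build", "hudson.model.Item.Configure",
    "hudson.model.Item.Create", "hudson.model.Item.Delete",
    "hudson.model.Item.Read", "hudson.model.Item.Workspace",
    "hudson.model.Run.Delete", "hudson.model.Run.Update",
    "hudson.model.View.Configure", "hudson.model.View.Create",
    "hudson.model.View.Delete", "hudson.scm.SCM.Tag",
]
STRATEGY = "hudson.security.ProjectMatrixAuthorizationStrategy"

def administrators(config_xml):
    """User ids holding hudson.model.Hudson.Administer (empty = locked out)."""
    root = ET.fromstring(config_xml)
    admins = set()
    for perm in root.iterfind("./authorizationStrategy/permission"):
        name, _, user = (perm.text or "").partition(":")
        if name == "hudson.model.Hudson.Administer" and user:
            admins.add(user)
    return admins

def grant_full_access(config_xml, username):
    """Return config.xml with `username` granted every permission above,
    keeping <useSecurity> true rather than switching security off."""
    root = ET.fromstring(config_xml)
    sec = root.find("useSecurity")
    if sec is None:
        sec = ET.SubElement(root, "useSecurity")
    sec.text = "true"
    old = root.find("authorizationStrategy")
    idx = list(root).index(old) if old is not None else len(root)
    if old is not None:
        root.remove(old)  # the new strategy node goes in the same place
    strat = ET.Element("authorizationStrategy", {"class": STRATEGY})
    for name in PERMISSIONS:
        ET.SubElement(strat, "permission").text = f"{name}:{username}"
    root.insert(idx, strat)
    return ET.tostring(root, encoding="unicode")

# Constructed sample: a strategy node that lists no users at all, which is
# what is left after removing your own permissions and saving.
LOCKED_OUT = """<hudson><useSecurity>true</useSecurity>
<authorizationStrategy class="%s"/></hudson>""" % STRATEGY
```

Run administrators() on the real file first; an empty set confirms the lockout, and after grant_full_access() it should contain exactly your username.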

MySQL – Too many files open

I run my servers on CentOS using cPanel/WHM. When I first started running my own server, it did not take long for me to see how little I knew about Linux. I had a funky problem with my MySQL dropping out after so much time. It seemed like the more people I had on my sites, the faster it would go down. But after I rebooted the server, it all started working fine again… For a while, anyway.

I got to looking around to see if there is an error log for MySQL. And sure enough there is. By default, the error log is located at:

/var/lib/mysql/**HOSTNAME**.err

The **HOSTNAME** would be your server’s hostname, (if you do not know your hostname, simply use the command “hostname” and it will output your hostname)

To view the last 500 lines of your error log, simply use:

tail -500 /var/lib/mysql/**HOSTNAME**.err

In my error log, I began to see this:

130925 12:39:23 [ERROR] Error in accept: Too many open files
130925 12:43:39 [ERROR] Error in accept: Too many open files
130925 12:47:55 [ERROR] Error in accept: Too many open files
130925 12:52:11 [ERROR] Error in accept: Too many open files
130925 12:56:27 [ERROR] Error in accept: Too many open files
130925 13:00:43 [ERROR] Error in accept: Too many open files
130925 13:04:59 [ERROR] Error in accept: Too many open files
130925 13:09:15 [ERROR] Error in accept: Too many open files
130925 13:13:31 [ERROR] Error in accept: Too many open files
130925 13:17:47 [ERROR] Error in accept: Too many open files
130925 13:22:03 [ERROR] Error in accept: Too many open files
130925 13:26:19 [ERROR] Error in accept: Too many open files
130925 13:30:35 [ERROR] Error in accept: Too many open files

Did a little bit of googling, and discovered that by default, CentOS has a hard limit on the number of files that can be open at a time, which causes MySQL to error out until you reboot the server. However, this can be fixed by doing the following:

nano /etc/sysctl.conf

Add this line at the bottom of the config file:

fs.file-max = 100000

Save and close the file, then reboot the server.

After you reboot your server, you will want to run the following command to verify that your setting was saved and is correct:

sysctl fs.file-max

If it reads 100000, then your server is now ready to handle MySQL!
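As an added example (not from the post), here is a small Python check that parses the error-log format shown above, counts the “Too many open files” accept failures and the span they cover, and compares the kernel’s current file-handle usage from /proc/sys/fs/file-nr against the fs.file-max value you just set, so you can see trouble coming before MySQL starts refusing connections. The log lines are constructed in the post’s format; the /proc paths are only read when the script is run on a Linux box.

```python
import re
from datetime import datetime

# Old-style MySQL error log line, as in the post:
#   130925 12:39:23 [ERROR] Error in accept: Too many open files
LINE = re.compile(r"^(\d{6}) +(\d{1,2}:\d{2}:\d{2}) \[(\w+)\] (.*)$")

def parse_line(line):
    """Return (timestamp, level, message), or None for lines that don't match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%y%m%d %H:%M:%S")
    return ts, m.group(3), m.group(4)

def accept_failures(log_text):
    """Count 'Too many open files' accept errors and the seconds they span."""
    hits = [p for p in map(parse_line, log_text.splitlines())
            if p and p[1] == "ERROR" and "Too many open files" in p[2]]
    if not hits:
        return 0, 0.0
    return len(hits), (hits[-1][0] - hits[0][0]).total_seconds()

def file_headroom(file_nr, file_max):
    """Interpret /proc/sys/fs/file-nr ('allocated free max') against the
    fs.file-max value from sysctl; returns (handles_in_use, percent_used)."""
    allocated = int(file_nr.split()[0])
    return allocated, round(100.0 * allocated / file_max, 1)

# Constructed sample log: the ERROR lines follow the post's format, the
# [Note] line is there to show that non-matching levels are ignored.
SAMPLE_LOG = """130925 12:39:23 [ERROR] Error in accept: Too many open files
130925 12:43:39 [ERROR] Error in accept: Too many open files
130925 12:47:55 [ERROR] Error in accept: Too many open files
130925 12:52:11 [Note] /usr/sbin/mysqld: ready for connections.
130925 12:56:27 [ERROR] Error in accept: Too many open files
"""

if __name__ == "__main__":
    n, secs = accept_failures(SAMPLE_LOG)
    print(f"{n} accept failures over {secs:.0f}s in the sample log")
    # Live counters on CentOS. Note that fs.file-max is the system-wide
    # limit; the mysqld process also has its own per-process limit
    # (ulimit -n / MySQL's open_files_limit), which this does not raise.
    try:
        with open("/proc/sys/fs/file-nr") as nr, open("/proc/sys/fs/file-max") as mx:
            print("handles in use, percent of fs.file-max:",
                  file_headroom(nr.read(), int(mx.read())))
    except OSError:
        pass
```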

Is your computer protected?

According to a survey done by Verizon, 75% of all successful computer attacks are on systems that happen to be vulnerable, rather than attacks targeting a specific system or company. What does this mean?

It means that if your system is not protected from viruses or other malware, then your computer will likely EVENTUALLY be hacked or infected with some sort of malware. If you’re not sure where to start on getting your computer secure, I will explain it to you.


Anti-Virus

When it is flu season what do you do? Simple, go get a preventative shot once a year. As with people, there are viruses for computers. And it is even easier than getting a shot to prevent your computer from having viruses. Simply install an Anti-Virus.  There are MANY to choose from, but the one that ALL of my computers run is Avast.


Why does the AlexRiggs.com Network choose Avast?

Avast is free for personal use. You can install Avast on as many computers as you choose, and it will never cost you a dime. Of course, there are paid versions, and they do try to up-sell you the paid protection, but the free version is good enough for most people.


Firewall

When you leave for work in the morning, do you leave all of your windows and doors open, or do you shut them to make it harder for a thief to enter? I would say most people shut AND lock it all. A firewall can be compared to this. Your computer has what are called ports. Ports are simply “windows” through which something on the internet can communicate with your computer, or the other way around, through which your computer can connect to the internet. When you access the internet with your web browser, you are using the internet on port 80. A firewall closes all un-needed “windows” on your computer to ensure that a hacker cannot enter through an open port. Windows comes with a built-in firewall; however, I have come to find that since Windows Firewall is on every computer that runs the Windows operating system, if there is ever a “backdoor” found on one computer, it would be found on yours too. However, if you install an aftermarket firewall, then your computer will not be affected by the backdoor in the generic Windows Firewall. That is also why I choose Avast. Not only do they have anti-virus, but they also sport a firewall in their award-winning software. This package is not free through Avast, but since I use Avast for anti-virus, it is handy to have it all in one place.

Shorten a link so you can share it easier

You found the perfect website for your friend, so you decide that you will text it to him. After opening up a new text, you realize that the link looks something like this…

A long url

You then realize there is no way that you will be able to type that on a phone and send it to your friend. So you jump over to my newest site… Go – The link shortner. In just a couple of clicks, you can turn that long link into something like this:

http://alexriggs.com/go/alex

You can then send him that link, and it will take him right to the same page that the L-O-N-G URL would have taken him to. And the best part: you can see how many people have visited the link, and other statistics, with click tracking.

Of course this is another free service from the AlexRiggs.com Network of sites. So give it a try today!

Go – The link shortner