RESET Forums (homeservershow.com)

Malwarebytes Important Information


joem

Speaking of which... and yet again why you should subscribe to Susan Bradley's blog (especially if you're using 2012 (R2) Essentials).

http://msmvps.com/blogs/bradley/archive/2013/11/13/batten-down-the-hatches-for-cryptolocker.aspx

 

Also, Malware and ESET are two of the five scanners that have picked up a new variant.

https://www.virustotal.com/en-gb/file/96d6e3a19d9f529dd1c8cda5460a77d1f9286213b1d8f42f4d1fb146a9132acf/analysis/1384270918/

 

http://blog.dynamoo.com/2013/11/important-new-outlook-settings-spam.html

And yes, you should be scared shitless by these cryptovirus attacks.


To clarify, Malwarebytes Pro can prevent and remove Cryptolocker infections, while Malwarebytes Free can only remove. Malwarebytes Pro can do both since it actively prevents execution of detected files, and we currently detect known Cryptolocker variants.

 

However, neither product can recover your personal files that were encrypted by a Cryptolocker infection. This is because you need the private key that's hosted on a "secret server" (google asymmetric encryption for more info on this).

 

As HSS-Dave said, it's possible we could miss a new variant. I can assure you though, any Ransomers we miss get top priority, and we update our definitions multiple times daily to stay on top of things.

 

joem, it sounds like you were testing against a sample we've somehow missed. If that's the case, could you please share?

 

Source: I work for Malwarebytes



Thanks Josh & Malwarebytes! 


Great to see a developer responding to concerns about his product.

 

Amen to that.

Also, if it hasn't been said enough: offsite backups

 

Heck, just backups period ;) Course, as you very well know, I'm huge on offsite backups :)


Well.... Windows Server Backup stores the backups as VHDs on an unmounted volume. What happens if the cryptovirus ..... encrypts these files???? :)


Well.... Windows Server Backup stores the backups as VHDs on an unmounted volume. What happens if the cryptovirus ..... encrypts these files???? :)

Well in that case, you'll need to start buying some Bitcoins!

 

But all of the current versions of Cryptolocker just target local and remote volumes which have drive letters, so the backup volumes and any remote shares which you access only via UNC paths would be missed by the Trojan.

 

Also it is looking for files with specific file extensions (.doc, .xls etc.), which currently don't include the backup file type, so again they should be safe.

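As an added example (not from this thread, and not Malwarebytes code), here is a defender-side heuristic in Python over constructed file-change events: it flags a process that rewrites many targeted-extension files on lettered drives across several folders within a short window, and ignores UNC paths the way the post above says the Trojan's drive-letter scan does. The extension list, thresholds and sample events are all assumptions made for the demonstration.

```python
"""Added example: heuristic mass-rewrite detector over constructed events."""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed target list: the thread names .doc and .xls; the rest are added for illustration.
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".jpg", ".pdf"}

# Constructed sample events, one per line: "ISO-time|process|operation|path".
# The burst from "svchst.exe" is the pattern we want to catch; the UNC .vhd write
# is deliberately outside the drive-letter scope the post describes.
SAMPLE_EVENTS = r"""2013-11-13T10:00:01|winword.exe|WRITE|C:\Users\bob\Documents\report.doc
2013-11-13T10:02:10|svchst.exe|WRITE|C:\Users\bob\Documents\report.doc
2013-11-13T10:02:11|svchst.exe|WRITE|C:\Users\bob\Documents\budget.xls
2013-11-13T10:02:12|svchst.exe|WRITE|C:\Users\bob\Pictures\kids.jpg
2013-11-13T10:02:13|svchst.exe|WRITE|Z:\shared\finance\q3.xls
2013-11-13T10:02:14|svchst.exe|WRITE|Z:\shared\hr\staff.doc
2013-11-13T10:02:15|svchst.exe|WRITE|\\nas\backups\WindowsImageBackup\disk.vhd
"""


def parse_events(text):
    """Parse the pipe-separated event lines into (datetime, process, op, path) tuples."""
    events = []
    for line in text.splitlines():
        ts, proc, op, path = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), proc, op, path))
    return events


def on_lettered_drive(path):
    """True for C:\\... style paths; False for \\\\server\\share UNC paths."""
    return len(path) > 1 and path[0].isalpha() and path[1] == ":"


def find_mass_rewriters(events, window=timedelta(seconds=60), min_files=4, min_dirs=2):
    """Return {process: (file_count, dir_count)} for every process that writes at least
    min_files targeted-extension files in at least min_dirs folders inside `window`.
    Only lettered-drive paths count, mirroring the scan scope described in the thread."""
    per_proc = defaultdict(list)
    for ts, proc, op, path in events:
        ext = ntpath.splitext(path)[1].lower()
        if op == "WRITE" and ext in TARGET_EXTS and on_lettered_drive(path):
            per_proc[proc].append((ts, path))
    hits = {}
    for proc, writes in per_proc.items():
        writes.sort()  # sliding window over writes ordered by time
        for i, (start, _) in enumerate(writes):
            in_win = [p for t, p in writes[i:] if t - start <= window]
            dirs = {ntpath.dirname(p) for p in in_win}
            if len(in_win) >= min_files and len(dirs) >= min_dirs:
                hits[proc] = (len(in_win), len(dirs))
                break
    return hits
```

Tune the thresholds to the host's normal write rate; a backup agent or a bulk document conversion will otherwise trip the same rule.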

 

Don't give the author any ideas!

Oh I'm sure they are busy keeping a watch on all of the various discussions taking place about this malware - the fact that the best defence against it is a good backup is no secret.

 

From their point of view however, looking for connected storage devices which don't have a drive letter and/or trying to enumerate and access UNC shares is far harder than simply going through the registry looking at each listed drive letter. While they are doing all that the malware is not doing its main function which is encrypting files and increases the chances of it being detected before it has had a chance to do what it's meant to do. In addition I think it is safe to assume that a company which is making proper backups is also probably going to have some kind of rotation and off-line backup system as well.

 

From the point of view of the malware writers it probably isn't worth going down that route - fingers crossed!
