
Blog Post #10 - The Worst PC Infections Yet



#1
Naaackers

  • Forum Member
  • OTS FPR TJE LODS
  • 6,903 posts


 

Hey there fellow nerds. Just wanted to shed some light on some information I had sent my way from a tech forum I'm a part of.

 

There are some INSANE viruses going around right now. The two biggest ones making national headlines are Crypto Lockers and Ransomware. While both can be unique, they can also be one and the same.

A cryptolocker is a virus-like malware that literally locks your files by way of encryption. This virus makes small changes to every file on your hard drive so that it is impossible to access without the key. And that key isn't free.

 

Ransomware, which ties into a cryptolocker, is a virus that locks you out of your computer completely, so that you can't use it. Your files may not be locked per se, but your computer, in its entirety, is. And the only way to get access back is to pay the people who locked it in the first place.

You thought those were bad? Listen to this. So, when your computer turns on, it looks to something called the MBR, or the Master Boot Record. To put it simply, the MBR is a tiny piece of information on your hard drive that tells your PC how to boot, and what to look for. If this is broken, your PC doesn't boot into Windows. The MBR is specific to hard drives with Windows-based OSes on them.

When downloaded (usually through an email attachment), this virus runs a script that makes some changes to your MBR and forces a blue screen of death, so you have no choice but to restart your computer. However, when you do that, your MBR is broken and fails to boot. And in the process, your MFT (Master File Table, basically the key to all your files) is now encrypted and locked. So your files are still there, and remain untouched, but your computer has no idea what to do with them, or how to access them.

 

It is at this point you are greeted with a ransom screen like this, where you are ordered to pay via the Tor network with Bitcoin. Your amount can range from $400, to $1500. 

The funny thing is, every story that I've heard regarding these types of infections always ends the same. If you pay the ransom, you get your files back. These hackers want money, not your information. But, if you can't pay, you are in for a shit show. I've read stories of these infections spreading to entire NETWORKS. Hundreds of PCs and servers all locked. Crazy stuff.

 

LET THIS BE A REMINDER TO YOU. BACKUP YOUR COMPUTER :)

The full write up from the forum is quoted below if you're interested in a read. 

 

The ransomware is distributed by emails masquerading as job applications

It's hard enough for non-technical users to deal with ransomware infections: understanding public-key cryptography, connecting to the Tor anonymity network and paying with Bitcoin cryptocurrency. A new malicious program now makes it even more difficult by completely locking victims out of their computers.

The new Petya ransomware overwrites the master boot record (MBR) of the affected PCs, leaving their operating systems in an unbootable state, researchers from antivirus firm Trend Micro said in a blog post.

The MBR is the code stored in the first sectors of a hard disk drive. It contains information about the disk's partitions and launches the operating system's boot loader. Without a proper MBR, the computer doesn't know which partitions contain an OS and how to start it.

Trend Micro researchers say Petya is distributed through spam emails that masquerade as job applications. This suggests that its creators target businesses in particular, with the messages being directed at human resources departments.

The emails have a link to a shared Dropbox folder that contains a self-extracting archive posing as the applicant's CV and a fake photo. If the archive is downloaded and executed, the ransomware is installed.

The malicious program will rewrite the computer's MBR and will trigger a critical Windows error that will cause the computer to reboot -- a condition known as a Blue Screen of Death (BSOD).

Following this initial reboot, the rogue MBR code will display a fake Windows check disk operation that normally occurs after a hard disk error, according to computer experts from popular tech support forum BleepingComputer.com.

During this operation, the ransomware actually encrypts the master file table (MFT). This is a special file on NTFS partitions that contains information about every other file: their name, size and mapping to the hard disk sectors.

Petya does not encrypt the file data itself, which would take a long time for an entire hard drive, but by encrypting the MFT the OS will no longer know where the files are located on disk. The file data can still be read with data recovery applications, but rebuilding the actual files would likely be a lengthy and inexact process, especially in the case of fragmented files that are spread across different storage blocks in different regions of the disk.

After the MFT encryption is done, the rogue Petya MBR code will display the ransom message accompanied by a skull drawn in ASCII characters. The message instructs users to access the attackers' decryption site on the Tor anonymity network and provides them with a unique code that identifies their computer.

The price for the key required to decrypt the MFT is 0.99 bitcoins (BTC), or around US$430.

For now, the Petya spam campaign was seen targeting companies from Germany, but there's no guarantee that it will remain localized. In fact most ransomware attacks begin in a country or region and then grow to a global scale as the attackers gain more resources.

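The quoted write-up explains that the MBR is the code in the first sector of the disk, that it carries the partition table and hands off to the OS boot loader, and that this ransomware rewrites that code while leaving the machine able to boot into its own rogue loader. As an added defender's example, not part of the original post, the quoted article, or any vendor's tooling, the following Python parses a 512-byte MBR, validates the 0x55AA boot signature, lists the partition entries, and compares a SHA-256 of the 446-byte boot-code region against a known-good baseline. The two MBR images are constructed inline (no real disk or malware sample is used), and the function names, the hashing approach and the sample partition layout are assumptions of this example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446                # bootstrap code occupies bytes 0..445
PARTITION_TABLE_OFFSET = 446       # four 16-byte entries follow at 446..509
PARTITION_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, start LBA, sector count
PARTITION_ENTRY_LEN = struct.calcsize(PARTITION_ENTRY_FMT)
BOOT_SIGNATURE = b"\x55\xAA"       # bytes 510..511 of every bootable MBR


def build_partition_entry(bootable, ptype, start_lba, sectors):
    """Pack one partition entry; CHS fields are zeroed since modern loaders use the LBA fields."""
    status = 0x80 if bootable else 0x00
    return struct.pack(PARTITION_ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, start_lba, sectors)


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and up to four (bootable, type, start, count) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(build_partition_entry(*p) for p in partitions)
    table = table.ljust(4 * PARTITION_ENTRY_LEN, b"\x00")
    return code + table + BOOT_SIGNATURE


# Constructed sample images (assumption: not captured from any real disk or malware).
# One NTFS (type 0x07) partition, active, starting at LBA 2048, 1 GiB of 512-byte sectors.
LAYOUT = [(True, 0x07, 2048, 2097152)]
CLEAN_MBR = build_mbr(b"\xEB\x3C\x90" + b"CONSTRUCTED-CLEAN-BOOT-CODE", LAYOUT)
# Same partition table and a valid signature, but the boot-code region has been replaced.
TAMPERED_MBR = build_mbr(b"\xEB\x3C\x90" + b"CONSTRUCTED-ROGUE-LOADER", LAYOUT)


def parse_mbr(sector):
    """Return the boot-signature status, a hash of the boot code, and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_LEN
        status, _, ptype, _, start_lba, sectors = struct.unpack(
            PARTITION_ENTRY_FMT, sector[offset:offset + PARTITION_ENTRY_LEN])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": index, "bootable": status == 0x80, "type": ptype,
                           "start_lba": start_lba, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector, baseline_boot_code_sha256):
    """Compare a sector against a known-good boot-code hash; an empty list means nothing changed."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: disk will not boot")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline: MBR has been rewritten")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition in the table")
    return findings


if __name__ == "__main__":
    # The baseline is recorded once, while the machine is known to be clean.
    baseline = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, baseline) or ["ok"])
```

On a real machine the sector comes from the raw disk device (the first 512 bytes of /dev/sda on Linux, or \\.\PhysicalDrive0 on Windows; both need administrator rights) and the baseline hash is taken while the system is known to be clean. The boot signature is deliberately not the only check: an MBR that has been rewritten but still boots, as the article describes, carries a valid signature and an intact partition table, so only the hash of the boot-code region reveals the change.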

 



#2
TrackPadGaming

  • Forum Member
  • The King of Stupid
  • 203 posts

If you want to be immune to this infection stop using email and start telegraph.  :)



#3
SpeedDemon

  • Staff
  • I AM THE MILKMAN!! MY MILK IS DELICIOUS!!
  • 452 posts

I just don't open any emails unless I know for sure who they are from. I mostly open up emails on my phone anyways. If this was to happen to me though I honestly wouldn't pay them the money. That means they would have won.


Edited by SpeedDemon, April 04, 2016.


#4
Paronity

  • Forum Member
  • var Paronity = new Guru();
  • 16,889 posts

I was reading about these. This is just another good reason to have your OS and all your files separate. I haven't heard or read of one that leaves anything other than the OS drive (i.e., doesn't encrypt drives other than your OS/boot drive).

 

The guys writing this stuff are getting clever. Getting info into the MBR is quite tricky. You just have to make sure you always know what you are opening and, for God's sake, don't run anything that you don't know what it is or where it is from. (This is what I use virtual machines for these days, since they are so easy to make.) If I have a file that I want to run to see what it does, I throw up a virtual machine and run it in there, so that the environment is a "throw-away".

 

Good post Nackers. I kinda look forward to getting my hands on one of these so that I can vet it and test it out in a VM. :)





