Bookmark and Share

Viruses/Malware/Phishing

Viruses, Worms, Trojan Horses Oh, My!

These terms refer to malicious programs that infect computers. Once infected, a computer can be commandeered by a hacker and made to do his or her bidding. A hacker may steal personal data and erase your hard drive. Or the hacker may use your hard drive to store pirated movie files or launch an attack on other computers using your infected PC.

Most commonly, desktop computers become infected by email attachments. Opening or executing the attachments results in infection. Filters on our servers detect and stop more than 99.9% of email viruses before they reached your PC. Hackers use other methods to corrupt your PC. A Web site may entice you to download a file supposedly containing a useful program. Or you may FTP a virus-infected file from a server. Executing this file infects your PC.  For this reason, it is imperative to run virus-scanning software on your PC. Regularly scanning for infected files will detect and quarantine the common worms and Trojan horses that may reside on your computer.

These defensive measures are necessary but they're not sufficient. You PC may be inviting hackers to load malicious files by exploit hidden security holes in your operating system and applications.  Security patches are released monthly for Windows NT workstations. Microsoft's FrontPage Web publishing software can turn your PC into a poorly secured Web server that lets hackers implant Trojan horse software in your computer.A firewall can block many kinds of attacks directed at a poorly secured PC but it cannot stop them all. Ultimately, PC security depends on personal vigilance. This is what you need to do:

  1. Install virus protection software on your PC.
  2. Scan your PC’s hard drives and floppies for viruses weekly. This generally takes 20 minutes or less. SOM IS can configure your PC to make this happen automatically.
  3. Make certain virus software definition files are updated at least once each week. SOM IS can configure your PC to make this happen automatically.
  4. Disable unnecessary ports and services on your PC. SOM IS can assist in identifying and closing them.
 

Ports & Services

Computers rely on services to send information between each other through ports. A "service" is a small program running in the background that recognizes and interprets information sent via standard protocols. For example, a Web service will recognize the HTTP protocol and allow Web traffic to pass from a Web server to a PC browser. Services listen to and speak to ports. A "port" is a software connector that works very much like your PC’s hardware printer or keyboard connector. It sends one type of information from one place to another. For example, Web traffic travels between computers through port 80.

Of the more than 65,000 ports that are available for use, fewer than 200 are used for legitimate purposes by most computers. Unused ports are appropriated by malicious software. Viruses install rogue services and then communicate with the hacker over these ports. A firewall can block access to unneeded ports from the Internet; however, it cannot block port traffic from inside the local area network. An infected computer on the LAN can spread malicious software to other PCs behind the firewall. To prevent this kind of exploitation, unnecessary ports and services on each PC must be individually be disabled. This will help protect the LAN and all PCs from internal threats that firewalls are powerless to control.

Virus Protection Software

UMB has a campus-wide software license agreement with Symantec Corp. UMB faculty, staff and students may obtain a copy of the Norton AntiVirus scanning software from the Software Licensing Office at HS/HSL for a $30 fee. Because virus infections are so common (one in every 300 e-mails is infected) and because a virus can be devastating to a computer and to the network hosting it, School of Medicine policy requires virus-scanning software to be installed, regularly updated and constantly active on every computer. Wise computer owners will also install virus protection software on notebook computers and on home computers that connect to the Internet. Under the campus agreement you may install the Norton AntiVirus scanning software and virus definition files on your home PC. For more information or to obtain a copy, call the Center for Information Technology Services' (CITS) Software Licensing Office at 6-8166, or visit the web site: http://www.umaryland.edu/cits/software/.

Scanning

Virus scans can be initiated either locally by you, remotely by SOM IS or both. Local scanning allows you to check your PC whenever a new file is saved. Remote scanning allows SOM IS to automatically check your PC for known viruses at regular intervals.

Updating your Virus Protection Software

During installation this software can be set for remote or local management. Remote management allows SOM IS to automatically update the virus definition file on your PC every time you log on the SOM network. Local management makes you responsible for learning of virus definition file updates, downloading and installing them yourself. For those choosing local management, regularly check for updated Norton virus definition files at: http://www.symantec.com/avcenter/defs.download.html.

To view information about currently known viruses: http://securityresponse.symantec.com/avcenter/vinfodb.html/ or http://www.antivirus.com/vinfo/.

Occasionally, you may receive emails from others warning of a new virus. Some of these are genuine but many are hoaxes. If you receive an email of this type, please check on the Symantec website to see whether or not the virus is credible: http://www.symantec.com/avcenter/hoax.html.

Industry News & Alerts

NCCIC logo
 

November 13, 2013: Please read important information from the US Computer Emergency Readiness Team about a computer infection that attempts to extort money from victims by encrypting data on the system and all connected devices and file shares in an attempt to collect a ransom.

National Cyber Awareness System:
TA13-309A: CryptoLocker Ransomware Infections
11/05/2013 10:58 AM EST

Original release date: November 05, 2013 | Last revised: November 13, 2013

Systems Affected

Microsoft Windows systems running Windows 8, Windows 7, Vista, and XP operating systems

Overview

US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments.

Description

CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices. In addition, there have been reports that some victims saw the malware appear following after a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.

Impact

The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives. If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers’ command and control (C2) server to deposit the asymmetric private encryption key out of the victim’s reach.

Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key.

While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key. US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

Solution

Prevention 

US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection:

  • Do not follow unsolicited web links in email messages or submit any information to webpages in links
  • Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments for more information on safely handling email attachments
  • Maintain up-to-date anti-virus software
  • Perform regular backups of all systems to limit the impact of data and/or system loss
  • Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity
  • Secure open-share drives by only allowing connections from authorized users
  • Keep your operating system and software up-to-date with the latest patches
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams
  • Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks

Mitigation 

US-CERT suggests the following possible mitigation steps that users and administrators can implement, if you believe your computer has been infected with CryptoLocker malware:

  • Immediately disconnect the infected system from the wireless or wired network. This may prevent the malware from further encrypting any more files on the network
  • Users who are infected should change all passwords AFTER removing the malware from their system
  • Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or users can retrieve encrypted files by the following methods:
    • Restore from backup,
    • Restore from a shadow copy or
    • Perform a system restore.
     

References

Revision History

  • Initial
  • November 13, 2013: Update to Systems Affected (inclusion of Windows 8)

This product is provided subject to this Notification and this Privacy & Use policy.