Monday, July 24, 2017

Cryptolocker (Repost from Nov. 2013)

I originally posted this back in November 2013. Unfortunately, when I closed down the old site, I lost the original post. Fortunately, I backed up the database of posts I had made and reconstructed the post as it was.

By now, most people have heard of CryptoLocker, a nasty piece of "Ransomware" that encrypts the document and jpeg files on your hard drive and then gives you a period of four days (up from three, I believe), to pay a ransom of $300 US or 300 EUR, or 2 Bitcoins (there are reports saying it is down to a half) to obtain the private key required to decrypt the files.

All I've known about it to this point was what I read in accounts by others, and listening to Security Now! on the TWiT Network. That is, until episode #431 of Security Now! when the host, Steve Gibson of grc.com, announced that he had obtained a copy of the malware (it wasn't CryptoLocker, but then he did get it) and asked if anybody wanted to "play with it" he would send them the file. I decided to take a chance and he sent me a link to the file. I have an old netbook that was doing nothing but collecting dust, so I installed Windows 7 on it and then I added some photos and documents to the drive so it would have something to work with since I wasn't sure if it only targeted the Documents folder. Then, nervously, I extracted the .exe file and double-clicked it. I was expecting something immediate, but nothing happened.
 

Image 1
(Image 1) The top two processes are CryptoLocker, and the CPU usage will pin at 100% during the initial process. These processes cannot be stopped.

 
I had to leave the house for a few hours, so I left the computer running while I was gone. When I returned home there was a message on the screen...
 
(Image 2) The Netbook has a small screen, but there is a "Next >>" button at the bottom of the window.


Image 2
I originally tried the test in Sandboxie, but when I ran it and nothing happened immediately, I decided to run it in the clear. The first successful test took place in the open, unprotected right on the hard drive. In order to get the computer back to normal, I reinstalled Windows 7 and insured that there was no sign of the malware. Then I installed 7-zip (to extract the file) and Sandboxie, and ran the malware in the default sandbox. Doing a quick calculation from when I left the house and the time remaining on the countdown when I came home, I figured it would take 15 to 20 minutes. Sure enough, the window above pops up. Also, a sandbox window pops up telling me that there files ready to recover. It appears that CryptoLocker copied the files from my entire hard drive and encrypted them within the default sandbox. I closed the Sandboxie window without recovering and went into the sandboxed Documents folder. There I found all of the same .xls, .rtf and .doc filenames (I've read that it's upward of 60 different file types affected), but upon opening, were nothing but gibberish. Back outside of the sandbox, my files were in perfect shape. I then went the main CryptoLocker screen and clicked the Next >> button (not seen in the picture), and checked out the "Convenient Payment Methods". MoneyPak (USA only), Ukash, cashU, and Bitcoin (most cheap option). According to Steve Gibson, the payment options are hardwired into the program and this is an old copy of CryptoLocker.


(Image 3) The Bitcoin screen. Needless to say, the CryptoLocker folks will not be getting any money out of me.

Then I tried one last test on this infection, I emptied the default sandbox. I kept the Task Manager running when I hit delete and the two processes that were CryptoLocker went away. There was no sign of it anywhere. I let the computer sit for a while, I ran system updates, opened files, and surfed the internet. It was gone.

I shut the computer down overnight while CryptoLocker was still running in the sandbox, but when I started the computer in the morning, CryptoLocker wouldn't run. So, I emptied the sandbox and ran it again.

This is not an ad for Sandboxie, but it is the best known free sandbox program available. As I have demonstrated here, it can protect your files from CryptoLocker and can be cleared out quickly and easily. Would I run this experiment on my main PC which contains tons of at-risk, work-related documents using Sandboxie? If I had to, sure. Will I? No.

I would not recommend running this experiment at all unless you are willing to take the risk or are a professional (I am not the latter at all). The only reason I did it is because I happened to have a computer laying around doing nothing. I also kept careful watch on my main computer's Task Manager, but it does not wander around the network apparently.

Movie Monday: Duck and Cover

It's only a sunrise, not an atomic bomb
By the time I was growing up, the imminent threat of nuclear annihilation was either passed or mutually assured destruction was guaranteed, so protecting one's self would have been futile. We didn't practice the air raid drill and we weren't told to "duck and cover" except for a tornado. I can't help but think that if you were anywhere close to an atomic explosion you would be instantly vaporized. I could be wrong, though.

Here it is for your enjoyment, Duck and Cover...with a catchy jingle, too.

Saturday, July 22, 2017

Lowered Expectations

A little, fuzzy caterpillar
I got a new computer and was setting it up as I recorded this. It has been a lovely weekend so far and hopefully I'll have the opportunity to get some yardwork done. I found some really cool puzzle game apps in my quest to find the movie The Room. The apps are also called the room, but they're puzzle games. I also saw the Ready Player One trailer and my thoughts on the idea of this movie haven't changed...they're going have to make some serious sacrifices to the story.

Episode 97: Lowered Expectations

The Room app

Thursday, July 20, 2017

Leave a Comment

I can't do anything about this screen
It appears that some people have had a bit of trouble commenting. I allow Anonymous comments, although I may not take them as seriously unless I can figure out who you are. Your best bet would be to use the Name/URL selection from the drop-down menu. If you don't have a URL, use http://aliencg.com since it links back to this website (or use a random Wikipedia page for added fun).

I turned off word verification, but I can't turn off the "I'm not a robot" check thing, so you're on your own there. I would prefer if you used some sort of name so that I can reply to you personally.

Thank you,

The Management

Monday, July 17, 2017

Where's That Kiss Episode?

OK, so one casualty in the move to the new blog is the SGMR Special #1: The Good Side of Kiss that Oliver and I recorded back in April. Well, it is still alive and now appears on The Smooth Sailing website, thanks to Jason. I have posted the link below to the new page for it as well as Special #2: The Not-So-Good Side of Kiss.

I was not willing to take any chances and have that podcast get DMCA'd on Archive.org, so I asked Jason to post it on Smooth Sailing. Anyway, if you haven't listened to both of these, this is a good time to catch up.

SGMR Special #1: The Good Side of Kiss

SGMR Special #2: The Not-So-Good Side of Kiss


Sunday, July 16, 2017

This Is a Test

I've moved the podcasts and blogs to new locations. I am using a combination of Blogger and Archive.org to host everything and have cancelled my Squarespace subscription. This is something I've wanted to do for a while, and with the expiration coming up in less than a month, it seemed the right time to do it. I was figuring on all this taking a week or more to figure out, but I managed it in two days. If you're subscribed to the SGMR Podcast, then there's a new episode attached to this post. Also, there is a convenient link below.

Episode 96: This is a Test

SGMR Podcast feed

Saturday, July 15, 2017

And Now For Something Different

Hi.

I can hear you asking where the blog is. It's here. Due to the high cost and low return (read: no return) of the previous site, I have decided to close that blog and retire all of the writings. I still have them, as well as the photos and the podcasts. I'm starting anew on the personal side of things. I have moved podcast hosting to Archive.org, and the blog is now hosted on Blogger. The Illuminati Social Club is intact and on its own blog over at illuminatipod.blogspot.com. All of the past episodes have been uploaded and there is a new feed for the podcast (the old one was deleted by Apple).

Once I get back to personal podcasting, I will set up a new feed and get it listed on iTunes and wherever else I can so that it's easy to subscribe to. Anyway, please listen to The Showhole and Smooth Sailing.

Monday, July 10, 2017

MMPR 2017 Wrap-Up

This past weekend was the annual Marshall McLuhan Podcaster Roundtables in Hamilton, ON. Anthony Marco organized the event, people showed up, talked, ate, drank, and recorded podcasts. We visited some new places and some from previous years. I got the chance to talk to more people this year as well. Huge shout out to Oliver Rockside for opening his home to me and for driving my ass around on Saturday. This was a blast.

Episode 95: MMPR 2017 Wrap-Up

The podcasts I appeared on this weekend: Smooth Sailing Podcast, The ShowholeMarshall McLuhan Variety Hour