Category Archives: Technology

Cryptolocker – The Dreaded Trojan Horse Malware That’ll Put Your Company At Risk

Written by William Roush on November 13, 2013 at 8:47 pm

CryptoLocker

CryptoLocker is the latest nightmare malware that people in the network security community have been dreading for a while. It follows very basic encryption principles that make it impossible to crack and get your files back; the software is simple and has been constantly evolving, making it impossible for antivirus programs to keep up.

So far companies have been put out of business due to their IT staff not being prepared for an attack like this. Do not be the next company to get added to the list of casualties.

How CryptoLocker Works

CryptoLocker so far has only been seen coming in over e-mail, usually attached in a ZIP file. System administrators have reported CryptoLocker spreading through spoofed e-mail accounts to mailing lists, meaning that whoever is helping spread this malware seems to be hand-picking easy targets that’ll likely open attachments, not just blasting e-mails indiscriminately. Additionally there have been reports of infections through Java, and infections through the Zeus botnet.

Once you’re infected, CryptoLocker calls home for an RSA 2048-bit public encryption key. This key can only be used for encryption; it will not work for decryption of your files. It will then encrypt all files it finds, both on your machine and on any attached network drives (this includes cloud storage like Google Drive and Dropbox), that end in the following extensions (this list may be incomplete):

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, .jpg, .jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c, *.pdf, *.tif

Then it’ll wait 72 hours for you to pay for the decryption key; after the 72 hours the decryption key is deleted and your ability to recover the encrypted files is gone forever. Some more recent versions allow you to upload an encrypted file which they’ll “crack” for more money (> $3,000) after the 72 hours expire.

How Do I get My Files Back?

The answer is one of two methods: pay the ransom, or recover from backups. So far, if our current understanding of how CryptoLocker works is correct, it’ll be pretty much impossible to “crack” your files (people have been handing around a crack for MBL ransomware; this will NOT crack CryptoLocker, the encryption algorithms are completely different). CryptoLocker is a strong reminder that offline backups are extremely important. Online backups can be useless, because CryptoLocker will gladly encrypt those if they’re attached to the system that has been infected. If you’re backing up to a removable hard drive, keep it unplugged when not actively backing up; additionally, I’d recommend rotating at least two drives in and out, so if you get infected while one drive is plugged in during a backup, you can always recover from the other.

Paying the ransom has appeared to work; however, recovery of your encrypted files has been reported to run at around 5GB/hr, so large file servers can take days to be recovered, in cases where a solid backup would bring a business back online in minutes. Additionally, the original infected machine keeps a list of all encrypted files in the registry; you must not clean or remove this machine, because it must be used to decrypt the files on your hard drive. However, even if you follow all the previous requirements and pay the ransom, some command and control servers have been taken offline, and their encryption keys have been lost with them.

Shouldn’t My Antivirus Prevent It?

As of definitions released on 2013-11-11, most antiviruses seem to be able to catch both the older variants and the newer variant compiled on 2013-10-21 13:23:51. This, however, is no guarantee that new variants won’t be produced that get past them: it’s been running wild for over two months at this point, and lots of people who depended on their slow antivirus vendors to protect against malware such as this paid the price.

Can’t We Stop It From Calling Home?

Technically yes, but only by removing your machine from the internet. The creator of CryptoLocker has so far thought of everything, and jumps to new command and control servers at regular intervals. It appears that CryptoLocker derives a domain from the system clock to generate the next server’s domain name (example: www.gevcgvgufvpiqozpnzpj.com), and the servers these domains resolve to appear to be random, set up until they’re caught and taken down.
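The post notes that the command and control names look random. As an added example (not from the original post), here is the kind of first-pass heuristic an analyst can run over DNS query logs to surface such names for review; the log line format, the thresholds and the sample lines are constructed assumptions, and a real classifier would be trained on labelled data.

```python
"""Flag DNS queries for long, consonant-heavy, high-entropy domain labels.
Added example; the log format, thresholds and sample lines are constructed."""
import math
import re
from collections import Counter

# Constructed log format: "<timestamp> <client_ip> query <qname>"
LOG_LINE = re.compile(r"^(\S+) (\S+) query (\S+)$")
VOWELS = set("aeiou")


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of the label (0.0 for a single repeated char)."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname: str) -> str:
    """'www.gevcgvgufvpiqozpnzpj.com.' -> 'gevcgvgufvpiqozpnzpj'.
    Assumes a one-label public suffix, which is enough for the constructed sample."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(qname: str, min_len: int = 12, max_vowel_ratio: float = 0.3,
                    min_entropy: float = 3.2) -> bool:
    """Assumed thresholds: long label, few vowels, high per-character entropy."""
    label = second_level_label(qname)
    letters = [ch for ch in label if ch.isalpha()]
    if len(label) < min_len or not letters:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters)
    return vowel_ratio <= max_vowel_ratio and shannon_entropy(label) >= min_entropy


def flag_log(lines) -> list:
    """Return (client_ip, qname) for every query whose name looks generated."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and looks_generated(m.group(3)):
            hits.append((m.group(2), m.group(3)))
    return hits


SAMPLE_LOG = [  # constructed sample lines; the second domain is the post's own example
    "2013-11-13T20:47:01 10.0.0.15 query www.google.com",
    "2013-11-13T20:47:02 10.0.0.15 query www.gevcgvgufvpiqozpnzpj.com",
    "2013-11-13T20:47:03 10.0.0.22 query mail.example.org",
    "2013-11-13T20:47:04 10.0.0.15 query qzxpvwmtlkrbhgdfjnsc.net",
]

if __name__ == "__main__":
    for client, name in flag_log(SAMPLE_LOG):
        print("review:", client, "->", name)
```

Hits from one client clustered in time are the signal worth correlating with proxy and mail logs; a single flagged name on its own is not proof of infection.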

Prevention Methods

In order of line of defense, the first is your mail server (the main entry point of CryptoLocker). You should never accept executable files, which includes scanning ZIP files for executables; some administrators have gone as far as automatically quarantining all ZIP files. Removing Java will also help if the above report of a Java infection from a jnlp file is to be believed. Finally, either look into a mail filtering solution or make sure your antivirus definitions are up to date on your mail server.
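As an added example (not from the original post), this is the ZIP inspection a mail gateway rule would perform: list the archive’s members without extracting them, descend into nested ZIPs, and quarantine when anything executable turns up, including double extensions like “Invoice.pdf.exe”. The extension list, nesting limit and the sample attachment are constructed assumptions.

```python
"""Inspect a ZIP attachment in memory and decide whether to quarantine it.
Added example; the policy list and sample archive are constructed."""
import io
import zipfile

# Extensions Windows will run when double-clicked (assumed policy list; extend as needed).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar", ".jnlp")
MAX_NESTING = 3  # stop descending into ZIPs nested deeper than this


def is_executable_name(name: str) -> bool:
    """True when the final extension is executable; 'Invoice.pdf.exe' counts."""
    return name.lower().endswith(EXECUTABLE_EXTENSIONS)


def find_executables(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return paths of executable members, descending into nested ZIPs.

    Only the central directory is read and nested archives are opened in
    memory, so nothing is written to disk or executed."""
    if depth > MAX_NESTING:
        return [prefix + "<nesting limit exceeded>"]
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [prefix + "<unreadable archive>"]  # treat as suspicious, not as clean
    found = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if is_executable_name(info.filename):
                found.append(path)
            elif info.filename.lower().endswith(".zip"):
                found.extend(find_executables(archive.read(info), depth + 1, path + "/"))
    return found


def should_quarantine(zip_bytes: bytes) -> bool:
    """Gateway policy: quarantine when any executable (or unreadable) content is found."""
    return len(find_executables(zip_bytes)) > 0


def build_sample_attachment(include_executable: bool = True) -> bytes:
    """Constructed sample attachment: a cover PDF plus a nested ZIP that, when
    include_executable is set, hides a double-extension executable."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("readme.txt", b"constructed sample, not real data")
        if include_executable:
            z.writestr("Invoice_2013.pdf.exe", b"MZ" + b"\x00" * 16)  # fake PE header bytes
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("cover_letter.pdf", b"%PDF-1.4 constructed sample")
        z.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_attachment()
    print(find_executables(sample))   # ['attachments.zip/Invoice_2013.pdf.exe']
    print(should_quarantine(sample))  # True
    print(should_quarantine(build_sample_attachment(include_executable=False)))  # False
```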

Of course the next layer is your end users; educating users to never open unknown attachments is always very important. This is hit and miss depending on your company’s attitude towards IT (and how strict your company has been with enforcing use policies). This is of course the most effective long-term solution, but may be unrealistic.

Group Policy Objects to enforce to hopefully block CryptoLocker.

Update

See an updated list of SRPs here.

The final layer you have control over is catching CryptoLocker before it can do its damage. So far the only effective method has been to disallow applications from running from the user’s AppData folder. While this is an acceptable short-term solution, I would not be surprised to see variants of CryptoLocker picking random locations to execute from, making it impossible to stop via this method.

Of course, with antivirus definitions catching up over the past couple of days, we may see the malware creator take his winnings and go home, so keep those definitions up to date, buckle down and hope for no more variations that’ll slip past.

Also, for those that are really brave, there are 3rd-party applications like CryptoPrevent; I haven’t heard anything good or bad about these tools, so investigate at your own risk.

Protecting Yourself In The Event Of An Infection

As you might have guessed, the above methods aren’t certain to prevent an infection, and that’s an unfortunate reality of this virus (at least for the time being), so the best we can do is have a strong recovery plan in place. Always stick with the basic 3-2-1 backup rule:

  • 3 copies
  • 2 different types of media
  • 1 offsite/offline

Make sure you have a solid server backup solution (VSS snapshots on Windows have been shown to work well as one of these copies), confirm it’s running, and run some restoration tests to make sure your backups are in good condition and you can restore promptly in the event of an emergency. If restoring your file server from your cloud backup provider is going to take two weeks, now is a good time to consider another backup solution that’ll cut that recovery time in the event of CryptoLocker. Make sure that either all users are storing their files off their machines (folder redirection, offline files, etc.) or that you have a solid client backup solution on-site (I recommend CrashPlan PROe).

vSphere 5 Memory Management

Written by William Roush on November 12, 2013 at 7:14 pm

A very informative video describing how VMware’s vSphere hypervisor (AKA ESXi) handles your virtual machine’s memory. The video below shows how to dig into your virtual machine’s memory usage statistics and read esxtop, and discusses how memory compression and Transparent Page Sharing (TPS) work!

Password Security Using KeePass Password Safe (And A Small List Of Similar Software)

Written by William Roush on November 11, 2013 at 6:45 pm

As we use more and more applications online, it becomes more important to stay secure after a data breach at any one of them; the last thing we want is to find out that one of the sites you subscribe to has had a data breach and uses weak encryption, and a hacker uses the password you’ve reused to gain access to other accounts of yours!

Why Use A Password Generator?

One of the main security recommendations is to use a unique password for every application we have. In my case I’d have to remember over 100 passwords! There are some methods out there to memorize that many passwords, including PasswordCard, but even remembering 100+ combinations of colors/symbols can be difficult. Even when I rotated passwords it was hard to remember which sites used which.

Until we move on to something like public-key authentication (Linux has an option to use this), it is best to find a software suite that will assist us in following this very important security guideline.

What Is Keepass?

KeePass is a desktop application (there are mobile versions for Android and iPhone available) that allows you to manage your passwords via a heavily encrypted file. This file can be encrypted using a master password, a keyfile, your Windows account, or any combination of the three. Because your KeePass file is encrypted, you can share it using really simple methods such as storing it on a web server; however, I’ve found it best to drop it on something like DropBox or your own cloud using SharePlan or OwnCloud.


Creating a new KeePass database file.

Managing passwords is a snap; it also comes with an auto-type feature, where you put your cursor in the box on the website, go to KeePass, and click “Perform Auto-Type”.


Right click menu, showing auto-type, editing keys, etc.

Additionally, KeePass will generate very long and complex passwords, and you can tweak the password generation options depending on your needs (some sites limit you to a maximum length, which is very annoying when you have a more secure password you’d like to use).


A long range of options for password generation.

You can store a lot of relevant data with your KeePass passwords, so you never forget a username again (for those pesky sites that don’t use your e-mail address)!


New password screen, showing a very complex password length you couldn’t memorize.

Other Options

LastPass / RoboForm / 1Password / Dashlane

All of the above applications follow the same general idea: store your passwords on the public cloud. They typically have better integration with browsers to auto-fill form fields (KeePass can get “confused” at times due to form layout, and not fill it out properly). Additionally you don’t run the risk of losing your passwords because you lost your KDBX file, and the sharing of your passwords between your multiple devices is simplified.

Software like LastPass offers local-only decryption, which I find is a requirement before I even consider a cloud offering. However, LastPass has had a data breach before that resulted in all master passwords needing to be reset, so it’s hard to gauge how secure the system can be when everything hinges on the master password that you regularly use to communicate with LastPass.

PasswordState

PasswordState is a web-based application that provides similar features to the above systems, but for a corporate environment on a private cloud, where password lists may need to be shared or transferred in the event of a staff member leaving. On top of that you’d want a full audit log of users looking up passwords, and PasswordState provides all of this in a slick interface. It doesn’t seem to have the nice mobile accessibility tools that some of the offerings above have, but the price is cheap (free for up to 5 users, and ~$400USD will cover 10 users for a year, with support being ~$70USD), and for things like corporate passwords I strongly recommend private cloud solutions, especially where the sharing of passwords between multiple accounts makes it easier for outsiders to break in.

VMWare – vSphere 5 Licensing

Written by William Roush on July 16, 2011 at 9:03 pm

We’ve been eagerly awaiting vSphere 5 for a while now, and it has been less than a week since VMWare made their big announcement, including new features but, more important to most of us at this time, their new licensing model.

Now we’re looking at these numbers for virtualization licensing costs:

  • $995 – per CPU + 24GB vRAM
  • $2875 – per CPU + 32GB vRAM
  • $3495 – per CPU + 48GB vRAM

 

This has sparked quite the uproar in the VMWare community, which as of writing includes a 28,000-view, 40-page threadnaught with complaints from clients and vendors about canceled orders and requests to migrate, and some of the largest responses their Facebook community has ever seen, to which VMWare almost makes fun of the situation with cute vRAM mascots.

What is vRAM?

VMWare’s responses have mainly been that we just “don’t understand” how vRAM works. It’s simple enough: how much RAM is currently allocated to your VMs? Or if you’re still physical, how much RAM do you currently have in your machines?

Not that hard.

One of the biggest responses from VMWare, repeated like a broken record, is that “most of our customers will not experience an increase in costs”; however, I believe they’re missing critical points.

Let me preface it with what we’re looking at personally as a company: we haven’t yet bought VMWare; we’re currently discussing with a VMWare partner to get new hardware together and plan a new setup, virtualizing two racks of servers. We leverage RAM to help increase the speed of our SQL servers, so we’re looking at 24GB/36GB servers (x3). On top of that we’re looking at our partner for Disaster Recovery (DR) services.

We’re not concerned with our current setup, how much can we grow now?

One of the biggest benefits of virtualization is the ability to grow: in vSphere 4 we can purchase more RAM than we’ll consume, since it’s relatively cheap, and provision it to our cluster of servers as we see fit. VMWare even supports RAM hot plug, which makes this even more tasty!

Again, let’s preface this with a real world application of planning for growth:

I’ve proposed the possibility of leveraging AMD’s 12-core Opterons (16-core Opterons are due out Q4 2011) and a quad socket board so that we can leverage a high number of cores per socket and high memory density. We can start out with three 1-CPU boxes with 96GB of RAM each. We can purchase 3 licenses for $10,485; we’ll have N+1 failover of up to 192GB of provisioned RAM with no over-allocation, or 288GB of usable memory if we allow certain services to fail when we go into a degraded mode.

Model   CPUs   vRAM    Licenses   Cost      vs vSphere 4
v4      x3     512GB   3          $10,485   100%
v5      x3     192GB   4          $13,980   133%
v5      x3     512GB   11         $38,445   366%

So the takeaway is this: on v4 I am not limited by vRAM, so I’m going to max it out at N+1 failover of 1/4 of the total RAM you can put in these boxes (to be fair, and to compensate for not populating all sockets on the board). I can upgrade the box to 256GB of RAM before purchasing a new license. To cover the same ability to grow as in v4, our v5 pricing will be nearly 4 times as much.

Under the new licensing system, just to break even with the capacity of our N+1 failover we’ll be looking at having to buy a 4th license, a 33% increase, and that hard-limits us to no over-allocation and no degraded mode.
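As an added example (not from the original post), the licence arithmetic behind the table above, written out so the rows can be recomputed for other host sizes. The v5 tier prices and vRAM entitlements are the ones quoted in the post; treating v4 as the same $3,495 per socket with no memory cap is an assumption that matches the post’s v4 row.

```python
"""Recompute the post's vSphere 4 vs vSphere 5 licence costs for an N-host cluster.
Added example; the v4 per-socket price is an assumption implied by the post's table."""
import math

# vSphere 5 tiers quoted in the post: (price per CPU socket, vRAM entitlement in GB per licence).
V5_TIERS = {"standard": (995, 24), "enterprise": (2875, 32), "enterprise_plus": (3495, 48)}
# Assumption: the post's v4 row ($10,485 for 3 sockets) implies the same $3,495 per-socket price.
V4_PRICE_PER_SOCKET = 3495


def v4_cost(sockets: int) -> tuple:
    """vSphere 4: one licence per populated socket, no cap on memory."""
    return sockets, sockets * V4_PRICE_PER_SOCKET


def v5_cost(sockets: int, vram_gb: int, tier: str = "enterprise_plus") -> tuple:
    """vSphere 5: at least one licence per socket, plus enough licences for the
    pooled vRAM entitlement to cover everything allocated to powered-on VMs."""
    price, entitlement = V5_TIERS[tier]
    licences = max(sockets, math.ceil(vram_gb / entitlement))
    return licences, licences * price


def pooled_vram_limit(sockets: int, tier: str = "enterprise_plus") -> int:
    """Most vRAM you may allocate before the next licence purchase."""
    return sockets * V5_TIERS[tier][1]


def n_plus_1_vram(hosts: int, ram_per_host_gb: int) -> int:
    """Usable RAM with one host down, i.e. what the post sizes its licences to."""
    return (hosts - 1) * ram_per_host_gb


def licence_table(hosts: int = 3, initial_ram_gb: int = 96, max_ram_gb: int = 256) -> list:
    """Rebuild the post's table as (model, vRAM, licences, cost, percent of v4 cost).
    The v4 row is priced at the maximum RAM the hosts will grow to; the v5 rows
    are priced at the initial and at the maximum N+1 capacity."""
    sockets = hosts  # one populated socket per host, as in the post
    _, base = v4_cost(sockets)
    rows = [
        ("v4", n_plus_1_vram(hosts, max_ram_gb), *v4_cost(sockets)),
        ("v5", n_plus_1_vram(hosts, initial_ram_gb), *v5_cost(sockets, n_plus_1_vram(hosts, initial_ram_gb))),
        ("v5", n_plus_1_vram(hosts, max_ram_gb), *v5_cost(sockets, n_plus_1_vram(hosts, max_ram_gb))),
    ]
    return [(model, vram, lic, cost, int(100 * cost / base)) for model, vram, lic, cost in rows]


if __name__ == "__main__":
    for row in licence_table():
        print("%-3s %5dGB %3d licences $%-7d %4d%%" % row)
    print("vRAM before another licence:", pooled_vram_limit(3), "GB")  # 144 GB
    print("degraded-mode 288GB under v5:", v5_cost(3, 288))  # (6, 20970)
```

The 144GB pool limit is the “no over-allocation” ceiling the paragraph above refers to, and pricing the 288GB degraded-mode figure shows why that mode is off the table under v5.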

 

Virtualizing memory intensive servers becomes way too costly.

Here we’re going to really hit home with how much this hurts: to virtualize one SQL server is going to use up the vRAM of their cheapest license. So to virtualize one of our 3 servers is going to cost us $995.

Every time we go to provision a VM, we basically have to look at vRAM as a limit on what we can give it, and if that limit is reached we must discuss it with accounting, which is something we wanted to get away from every time we provisioned a VM. Under the v4 licensing model I could easily allocate all 3 of these servers on a single socket 6-core Xeon with 64GB of RAM; with failover it’s still only 66% of the v5 cost.

Over-allocation of RAM is just a way for VMWare to charge us for hardware we don’t have.

One of the major benefits you get with VMWare is the ability to allocate more RAM than exists on your boxes; depending on the workload, this can work brilliantly in your favor. As certain services run through their steps they’ll allocate and deallocate a massive amount of RAM, so the total RAM allocated can be higher than the total amount of RAM you have available on your system (this is standard for our development servers on VMWare). Under the new model, VMWare is charging me for hardware I do not actually have!

This also goes for Transparent Page Sharing (TPS), basically memory deduplication, which is another nifty feature of VMWare.

Penalize those with newer hardware.

There has been no talk about doubling the vRAM allocation every 18 months (to keep up with Moore’s law); on top of that, with the example above, we’re already highly penalizing anyone that purchases new equipment specifically aimed at consolidating workloads.

DR services, mostly pointless.

We were looking into purchasing disaster recovery services from a VMWare partner, primarily because of the additional hardware and licensing costs associated with spinning up a DR box offsite. However, with the vRAM setup, we can have a standby box for next to nothing in licensing (well, in theory… the next issue destroys this).

Wait! We’re still bound by sockets?

Yes, we still have to pay per socket, so we can’t even take the benefit of dropping the pCPU (physical CPU) model, which penalized those running older hardware that couldn’t consolidate as many cores per socket.

Home users get shafted too.

This one really hurts me personally too. Another employee at our company and I both run VMWare products at home, and with the 8GB limit on RAM we’re severely limited on our home boxes. I’m pretty frugal with hardware and mainly virtualize Linux, but my coworker runs a lot of Windows boxes, and I can see how he’ll hit the 8GB limit quickly.

At which point we both might as well just run XenServer: I’ll get additional hardware support (and no RAM limit when I need to allocate more than 8GB of RAM), and my coworker can get his additional RAM. When we both get familiar with XenServer, guess what we recommend at work?

No discussion about Moore’s Law.

Moore’s Law in purely simplistic terms says that computing capabilities will just about double every two years; we’ll need vRAM to keep pace with hardware developments as boards supporting 2TB, 4TB, etc. hit the server market and are easy to purchase. VMWare won’t comment on this, and it’s hard to move an entire system over to VMWare when we don’t know if we’re going to get strangled quickly and be unable to use bleeding edge technology.

48GB for Enterprise systems?

This assumes 4GB per core on 12-core Opterons, and we should be looking at consolidation ratios of 4-5 VMs/core, meaning that I’m getting less than a GB of RAM per VM. I hope you’re running Linux!

Where do we go from here?

Personally I have no problem with a vRAM model itself, as long as it keeps the price the same for potential growth.

  • Drop the pCPU model entirely, if we want to go with vRAM it’s time to stop penalizing those running 4/6 core Xeons (I have my own speculation that the Intel/VMWare alliance is partially the reason for the move to vRAM away from pCPU).
  • Bump up vRAM 256GB/license for Enterprise licenses, this aligns with the current 4 socket 1TB boards on the market, keep up with the ratio for the newest available equipment.
  • To be somewhat fair, put caps on what each tier of licensing can get, if you’re allocating terabytes of RAM to machines, you’re an enterprise customer.

Now here is the painful part, and the reason I know VMWare doesn’t want to do this: it will reduce the cost for people that aren’t using their full allocation of vRAM. However, there are three points to this:

  • XenServer and Hyper-V are quickly catching up with their feature sets, you need to be more competitive.
  • Most people will probably keep their vRAM over-licensing because they like the ability to easily grow, they will see this as money they’ve already got cleared with accounting, and that the freedom to grow upward is completely worth the cost. It will also allow us to cover our smaller systems (such as development) with vCenter when the cost cannot be justified under the pCPU model.
  • You’ll never be able to convince customers that giving them less at the same price is a deal.

I really do like the vSphere product to death, but VMWare’s business decisions are scaring me away from it.