[AusNOG] CryptoLocker Virus

Pinkerton, Eric (AU Sydney) Eric.Pinkerton at baesystemsdetica.com
Thu Oct 24 12:13:00 EST 2013


https://www.virustotal.com/ might save you some time in future.

You're realising what almost everyone in the security industry has known for years: that A/V solutions relying on blacklisting have been a broken concept for years, because it is a very trivial task to take some malware and pass it through a packer/obfuscator which will make it unique.

In addition, if they can figure out what AV solution you are using, they might even test it themselves to make sure your solution isn't going to stop it.
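The point above about blacklisting versus packers, as an added example that is not part of the original message. The "sample" is a constructed byte string standing in for a malicious executable (it is not real malware), the packer is a toy XOR stub, and the function names (`detect`, `pack`, `unpack`, `detect_with_unpack`) are hypothetical. It shows that a hash blacklist is beaten by changing a single byte, that a byte-pattern signature survives that but not packing, and that every run of the packer with a fresh key yields a unique file the static detectors miss while the unpacked behaviour is unchanged. It also shows the obvious counter (unpack known stubs before scanning), which is why AV vendors do exactly that and why attackers write custom packers.

```python
import hashlib
import os
from typing import List, Optional, Tuple

# Constructed sample: stands in for a malicious executable. Not real malware.
SAMPLE = b"MZ\x90\x00" + b"PAYLOAD: connect to c2.example.invalid and encrypt files " * 4

# Detector 1: blacklist of known-bad SHA-256 hashes (hash-based detection).
HASH_BLACKLIST = {hashlib.sha256(SAMPLE).hexdigest()}
# Detector 2: byte-pattern signature extracted from the sample (content-based).
PATTERN_SIGNATURES = [b"connect to c2.example.invalid"]


def detect(blob: bytes) -> Optional[str]:
    """Static scan: return which detector fired ('hash' or 'pattern'), or None."""
    if hashlib.sha256(blob).hexdigest() in HASH_BLACKLIST:
        return "hash"
    for sig in PATTERN_SIGNATURES:
        if sig in blob:
            return "pattern"
    return None


def pack(payload: bytes, key: bytes) -> bytes:
    """Toy 'packer': XOR the payload with a repeating key and prepend a stub
    header plus the key. A real packer would carry an unpacking stub as code;
    the effect on a static scanner is the same: the on-disk bytes change."""
    if not key:
        raise ValueError("key must not be empty")
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return b"STUB" + len(key).to_bytes(1, "big") + key + body


def unpack(packed: bytes) -> bytes:
    """Reverse of pack(): recover the original payload from the stub format."""
    if not packed.startswith(b"STUB"):
        raise ValueError("not a STUB-packed blob")
    klen = packed[4]
    key = packed[5:5 + klen]
    body = packed[5 + klen:]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(body))


def evasion_demo(payload: bytes, trials: int = 5) -> List[Tuple[str, Optional[str]]]:
    """Pack the same payload `trials` times with fresh random keys and run the
    static detectors on each result. Returns (sha256 prefix, verdict) per trial."""
    results = []
    for _ in range(trials):
        key = os.urandom(8)
        packed = pack(payload, key)
        assert unpack(packed) == payload  # behaviour is preserved
        results.append((hashlib.sha256(packed).hexdigest()[:12], detect(packed)))
    return results


def detect_with_unpack(blob: bytes) -> Optional[str]:
    """The vendor's counter-move: recognise a known stub, unpack, then scan the
    inner payload. Only works for packers the scanner already knows about."""
    verdict = detect(blob)
    if verdict is None and blob.startswith(b"STUB"):
        verdict = detect(unpack(blob))
    return verdict


if __name__ == "__main__":
    print("original:            ", detect(SAMPLE))                 # hash
    print("one byte appended:   ", detect(SAMPLE + b"\x00"))       # pattern
    for digest, verdict in evasion_demo(SAMPLE):
        print(f"packed {digest}...:  {verdict}")                   # None each time
    print("unpack-aware scanner:", detect_with_unpack(pack(SAMPLE, b"k")))  # hash
```

Each packed copy has a different hash, so submitting one to VirusTotal tells you nothing about the next copy the attacker produces with a different key; that is the limitation of hash lookups. The unpack-aware scanner catches this toy stub only because it knows the format, which is exactly the arms race the message describes.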


From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Daniel Pearson
Sent: Thursday, 24 October 2013 12:01 PM
To: AusNOG at lists.ausnog.net
Subject: Re: [AusNOG] CryptoLocker Virus

What makes it all worse is 5 out of 8 AVs I tested last night didn't pick it up...

I spun up a few VMs, infected them while having AV on them, and only 3 picked it up: Sophos, AVG and Trend.

The rest (Defender, Security Essentials, Kaspersky, etc.) didn't.

Patch released by MS for defender now picks it up but beware!

DP
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Robert Hudson
Sent: Thursday, 24 October 2013 11:52 AM
Cc: AusNOG at lists.ausnog.net
Subject: Re: [AusNOG] CryptoLocker Virus

On 24 October 2013 11:27, Pinkerton, Eric (AU Sydney) <Eric.Pinkerton at baesystemsdetica.com> wrote:

IMHO, the 'best' policy is a combination of many things, starting with training your end users to spot dodgy-looking links, filtering egress traffic, patching, patching and more patching, not using XP with IE6, monitoring your logs, changing your default password from 'password', and giving people permissions in line with their requirements (i.e. not making everyone a domain admin), etc. etc.

Unfortunately, much of that relies on educating users, and if educating users was going to work, it'd have done so already. :(