Page 1 of 1

Re: CryptoLocker (Trojan:Win32/Crilock.A)

PostPosted:Sat Feb 01, 2014 9:30 pm
by unixfreaxjp
This is poor strategy no matter how you care to describe it..
Yeah? And WHO're you & WHAT did you do instead commenting other's works, huh?
We don't need a commentator, we need a DO-ER! So, butt off !!

Re: CryptoLocker (Trojan:Win32/Crilock.A)

PostPosted:Sat Feb 01, 2014 10:42 pm
by TheExecuter
say whatever but hes right.
instead of countering, you guys are just delaying the attack by putting their servers down.
and tbh wasting your own time, users can recreate the server in less time than you can put their servers down.
someday you'll just get tired. <yawn>

Re: CryptoLocker (Trojan:Win32/Crilock.A)

PostPosted:Sun Feb 02, 2014 7:35 pm
by unixfreaxjp
By the way you sent an email.. want a cookie?
I asked: "So what did you do?" < A simple plain english..
your answer wasn't close to relevant.

You just talk the talk. A man = WALKs the WALK. Do what has to be done!
Think further, before mumbles, WHY the suspension is important? Do you think I'm THAT stupid!? This way we successfully nailed the ID of Kelihos botherder. Look at the IP, this domain rides Kelihos infected peers IP segment, think harder WHY? IS it as same scheme as you saw in CL before? NO! Use ur smart head harder on why ONLY THIS DOMAIN of many recent reports that I focused on suspension.

Who said killing servers?? I was dismantling ONE FF domain. Grab the IP then instead crying out loud. The IPs are written all over the place.

So again: WHAT DID YOU DO??? < no real answer here.
And don't bring a culture into this field you bigot. And FYI. No locker survived in JP and think AGAIN why..

Re: CryptoLocker (Trojan:Win32/Crilock.A)

PostPosted:Sun Feb 02, 2014 8:48 pm
by TheExecuter
unixfreaxjp wrote:
And FYI. No locker survived in JP and think AGAIN why..
though this discussion is purely off the topic, i love where it goes. :D
how many lockers originally *were* in japan compared to other countries? answer: you have no idea, if you think you do then perhaps its time to quit.
how big is "JP"? certainly bigger than russian federation or china? and certainly more hacker friendly than mother russia that all cybercriminals who could have created a server in russia or nuke bunker would leave that and goto establishing it in japan. <sarcasm> that way i pity U.S.
must give you credit for removing lockers, which can be killed with just a safe mode and servers being domain reported which is childs play i guess unless you sent them an email which noone here can do. i guess you have a lot of time emailing registrars.
one more time -> locker is different than this variant, this variant crilock you actually destroyed those PC's which people could have payed and retrieved their systems back.
just in hopes of sending a message through community that malware must die? Bravo!
even though its not my position to comment on your work because frankly i think there are loads of better things to do in life than this, i would suggest you to look at what you are doing, reporting domains and coming here to brag?
lastly if malware dies, many of us are jobless. you will die, but malware won't die ever.

Re: CryptoLocker (Trojan:Win32/Crilock.A)

PostPosted:Mon Feb 03, 2014 8:08 am
by EP_X0FF
TheExecuter wrote: this variant crilock you actually destroyed those PC's which people could have payed and retrieved their systems back.
This is sort of advice to all victims of this encoder?
I agree that client-server type encoders must be considered differently than other ransomware but paying ransom is actually bad idea in any case.

Re: CryptoLocker (Trojan:Win32/Crilock.A)

PostPosted:Mon Feb 03, 2014 11:43 am
by TheExecuter
victims can only pay and retrieve their stuff, if they don't have a backup.
though it won't affect much a high school kid it would affect people who work in an office too much that paying money seems better than reconstructing tons of people's work.
its not an advice, but its general counsel that a person will weigh his money and amount of money his files will cost him later. whichever is more wins. paradoxial but nothing we can't do.
rather than send a complaint to registrar, only actual solution i can think of is seizing the server by some authority (won't always work i know) and distribute the private keys for decoding the data before its too late.
in a nutshell: i'd be too damn angry if my files got crypted and i have to pay a ransom, but i'll be more pissed and will literally spend some bitcoins to goto JP and kill this idiot who made me lose them forever just because he wanted to show his "elite" skills over the internet.
but whatever thats just a one man's view.
EDIT: i forgot to add those people who looked for warning of CL and payed the ransom only to find domain no longer exists. the CL creator was legit, but mr unixfreak just made him a scammer. T_T

Re: CryptoLocker (Trojan:Win32/Crilock.A)

PostPosted:Mon Feb 03, 2014 2:44 pm
by unixfreaxjp
I agree that client-server type encoders must be considered differently than other ransomware but paying ransom is actually bad idea in any case.
↑ I am with you all the way on this thought! A+!
Extortion is a serious BAD matter, don't be too sweet about that.
Paying will merely feed the bad guys, funding their system+development and urging them (and other crooks too!) to practice/spread further.

Why not putting more priority to escalate to LE to seize the all IP addresses servers and pass it all to the antivirus industry to mitigate the encryption?? Any movement to that direction in CABIN.SU? After @Xylit0l did a hard work to post it? NO!!

My respect to @Xylit0l for brought this up (fast flux), thanks for @EP_X0FF's cool response,
I see the threat from NOT only for CL perspective, the but looks like only not so many people in this thread who's willing to see what's really BEHIND on that CABIN.SU's fast flux domain itself.
Open your eyes please! Don't just look at the CL matter from "a box" there.
If you call your self threat researcher. THINK! Why Fast Flux (FF) was used in THIS CABIN.Su particular CL case? Then why FF of a Botnet's IP were used? Why it has the same segment as what-so-called "Kelihos Botnet" (ever heard of this?? no?) ? And WHY .SU domains and not common TLD was used?
I bet you didn't even check the TTL of that fast flux either.. < you DID NOT check that far yet yelling and yelling and yelling.

To those who thinks that all I did is writing the email..go and read malwaremustdie posts!!
I wrote the email because is a right thing to do! To inform a good country related to the threat to act and make their network clean from scums that disgracing their people's image in the world! Tell me which country you live? so I WON'T send any alert to there.

So be it, have it your way, I am outta here. won't touch CL no more.
One more thing, I am damn proud to be Japanese!

Re: CryptoLocker (Trojan:Win32/Crilock.A)

PostPosted:Mon Feb 03, 2014 5:12 pm
by EP_X0FF
TheExecuter wrote:victims can only pay and retrieve their stuff, if they don't have a backup.
though it won't affect much a high school kid it would affect people who work in an office too much that paying money seems better than reconstructing tons of people's work.
Well for the beginning. Guys behind encoders cannot be consider as "good" or whatever. They even not cyber-criminals, they must be considered as sort of cyber-terrorists.

Here is typical scenario.

You are so unlucky and infected with encoder while browsing pron sites or whatever you do, doesn't matter how you was infected (that's a another question about prevention and PC user training). You have a lot of important files on your PC. All of them are encrypted with strong crypto algorithm, AV won't help (they almost every time play role of useless junk btw). You don't have any backups. You have only two options -> leave it as is (go to police, just cry over your docs), pay ransom.

Now the key part. What you will do.

1) Pay ransom.
a) Cyber-criminals behind encoder were so honest so they gave you decoder. And it works! All your data saved. Fcuk, yeah. It is your data.
On a next day you have your friends/parents/dog with the same problem as yours. All their important data encrypted by another variant of the same shit. They call you asking for advice. How do you feel, bro? You recently just sponsored cyber-terrorists for another act, paying them money for retrieval of your/software vendors stupid mistakes. What you will advice here? Pay ransom too? So encoders achieve their goals. They can spend more money on further development, cryptor support, process automation and then they fly to Bahamas/Dominican wherever, drinking some beer and watching increasing number of victims and pays via their web panels. They can add special "thank you" page where all who have paid will be listed.

b) Cyber-criminals send you fake decoder or just FY message/nothing. Story ends here. This part of scenario only applies for encoders that are not oriented for long TTL. Massive drop and massive profit only one time.

2) Don't pay. Loose your data. Learn on your mistake. It's like a good slap in the face -> if you are not complete idiot you will learn on your mistake. Fight. Protect other people from the same mistake you did. Don't multiple infections, don't support them. No negotiations with terrorists.

Encoders are ITW for a long time. It is obviously that instead of creating yet another junkie software trash every year AV companies must inform people about ACTUAL threats around (not about yet another nobody cares stuxnet alike pure marketing BS), how to PREVENT them, how to GUARD yourself from them. Never wondered why in every stupid AV article you have everything - data dumps, cool diagrams, code snippets, marketing shit, but no ONE word about how to detect/remove/prevent this malware in manual mode.

As for client-server encoder we have obvious strategy here -> active infiltration, gathering data about people who behind this and acting together with police, just like was in case of Reveton (despite the fact it was different type of ransomware). Simple domain shutdown here is ineffective and counterproductive as this data maybe required to law enforcement actions.

Re: CryptoLocker (Trojan:Win32/Crilock.A)

PostPosted:Mon Feb 03, 2014 6:29 pm
by unixfreaxjp
Hey @tjcoder
tjcoder wrote:It's a flux network being fed by multiple PPI and spam campaigns, good luck with that..
WRONG!! Do not making LIES of research's fact here! CABIN.SU was an FF for round robin only 12 limited specific scattered Ukrainian(mostly)-US(two of them) uniq IP (which obviously understandable why they need specific machine for it), too small to be called "A NETWORK"! Doh! Did you milk the IP? Or read prev. posts/references? Naaah, likely..
Eventhough a domain is fast-fluxed doesn't mean it has to become a "NETWORK". Researchers (which I hardly can call you "engineer") like you is spreading non-sense & bring the right perspective into a /dev/chaos and taking innocent people (Read: VICTIMS) with you!! You should be the one who educate them on what is RIGHT and WRONG!!
tjcoder wrote:P.S. those flux nodes you 'took down' have been syncing a new domain for days now..
And do you think I didn't notice that too? Guess why I didn't mention it? Ever you "think"?
tjcoder wrote:Anyone who didn't get to pay inside that <48 hour window still have to pay, they just have to pay a fee in addition now.. Nice strategy security expert.. You increased the operators profit margin..
Read what @EP_X0FF's kindly long-written wisdom in here --> http://www.kernelmode.info/forum/viewto ... 110#p22133 < Coz I won't be that nice to you.

And I agree with the wisdom that @EP_X0FF's mentioned ↓here↓, so I stopped any suspension efforts, but is NO thank's to you.
EP_X0FF wrote: We have obvious strategy here -> active infiltration, gathering data about people who behind this and acting together with police, just like was in case of Reveton (despite the fact it was different type of ransomware). Simple domain shutdown here is ineffective and counterproductive as this data maybe required to law enforcement actions.