SANS ISC: Copy.com Used to Distribute Crypto Ransomware

Thanks to Marco for sending us a sample of yet another piece of crypto-ransom malware. The file was retrieved after visiting a compromised site (www.my-sda24.com). Interestingly, the malware itself was stored on copy.com.

Copy.com is a cloud-based file sharing service targeting corporate users. It is run by Barracuda, a company also known for its e-mail and web filtering products that protect users from just such malware. To its credit, Barracuda removed the malware within minutes of Marco finding it.

At least right now, detection for this sample is not great. According to VirusTotal, 8 out of 57 virus engines identify the file as malicious [1]. A URL blacklist approach may identify the original site as malicious, but copy.com is unlikely to be blocked. It has become very popular for miscreants to store malicious files on cloud services, in particular if they offer free trial accounts. Not all of them are as fast as Barracuda in removing these files.

[1] https://www.virustotal.com/en/file/1473d1688a73b47d1a08dd591ffc5b5591860e3deb79a47aa35e987b2956adf4/analysis/
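The paragraph above makes a detection point that is worth turning into code: a URL blacklist catches the compromised site but not the cloud host, so a proxy-log rule should look at what was downloaded (an executable from a file-sharing service) and at the file hash, not only at the reputation of the domain. The following is an added example, not code from the diary or from SANS ISC. It assumes a constructed proxy log format (timestamp, client, method, URL, status, content type, SHA-256 of the response body); the only real indicator in it is the SHA-256 from the VirusTotal link above, and the share-ID paths, client addresses and timestamps are made up.

```python
import re
from urllib.parse import urlsplit

# SHA-256 of the sample from the diary (the VirusTotal link above).
KNOWN_BAD_SHA256 = {
    "1473d1688a73b47d1a08dd591ffc5b5591860e3deb79a47aa35e987b2956adf4",
}

# Cloud file-sharing hosts that a URL blacklist will rarely block. copy.com comes
# from the diary; in a real deployment this set would be much larger.
FILE_SHARING_HOSTS = {"copy.com", "www.copy.com"}

# Content types and path extensions that indicate a Windows executable payload.
EXEC_CONTENT_TYPES = {"application/x-msdownload", "application/x-dosexec"}
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".dll", ".msi")

# Constructed log format (assumption for this example, not any real proxy's):
#   <ts> <client> <method> <url> <status> <content-type> <sha256 or ->
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<sha256>[0-9a-f]{64}|-)$"
)


def host_of(url):
    """Lower-cased host name of a URL, or '' if it cannot be parsed."""
    return urlsplit(url).hostname or ""


def is_executable(url, ctype):
    """True if either the declared content type or the path extension says 'executable'."""
    path = urlsplit(url).path.lower()
    return ctype.lower() in EXEC_CONTENT_TYPES or path.endswith(EXEC_EXTENSIONS)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """List the reasons a single parsed record is suspicious (empty list = clean)."""
    reasons = []
    if rec["sha256"] in KNOWN_BAD_SHA256:
        reasons.append("known_bad_hash")
    if host_of(rec["url"]) in FILE_SHARING_HOSTS and is_executable(rec["url"], rec["ctype"]):
        reasons.append("executable_from_file_sharing")
    return reasons


def scan(lines):
    """Run every line through the rules; malformed lines are skipped, hits are returned in order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append({"client": rec["client"], "url": rec["url"], "reasons": reasons})
    return hits


# Constructed sample log. Line 2 is the diary's scenario: the user visits the compromised
# site and then fetches the payload from copy.com. Line 5 is an unknown executable from the
# same host (not on any hash list yet); line 4 is an executable from an ordinary download
# host and is deliberately left alone by these rules.
SAMPLE_LOG = """\
2014-01-01T10:01:02Z 10.0.0.5 GET http://www.my-sda24.com/index.php 200 text/html -
2014-01-01T10:01:09Z 10.0.0.5 GET https://copy.com/EXAMPLE-SHARE-ID/invoice.exe 200 application/x-msdownload 1473d1688a73b47d1a08dd591ffc5b5591860e3deb79a47aa35e987b2956adf4
2014-01-01T10:02:30Z 10.0.0.7 GET https://copy.com/EXAMPLE-SHARE-ID/report.pdf 200 application/pdf -
2014-01-01T10:03:00Z 10.0.0.9 GET http://downloads.example.com/setup.exe 200 application/octet-stream 0000000000000000000000000000000000000000000000000000000000000000
2014-01-01T10:04:11Z 10.0.0.9 GET https://www.copy.com/EXAMPLE-SHARE-ID/photo.scr 200 application/octet-stream 1111111111111111111111111111111111111111111111111111111111111111
this line is not in the expected format and is skipped
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["client"], hit["url"], ",".join(hit["reasons"]))
```

The hash rule is the narrow one: it only fires on the sample the diary names, and as the text notes, engine coverage for a new sample lags. The second rule is the broader one, flagging any executable pulled from a file-sharing host regardless of hash, which is what a blacklist-only approach misses; it will also flag legitimate installers shared through the service, so in practice it belongs in an alert queue rather than a block rule.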

---
Johannes B. Ullrich, Ph.D., ISC Handler
OUCH!
Corporate users typically have corporate administrators.

If the latter don't restrict the privileges of the former, especially their ability to execute random junk they might leech from all over the net, then these corporate administrators should be fired in the first place.

If but their managers/supervisors don't let them configure the users' systems properly: fire the managers/supervisors!

https://technet.microsoft.com/en-us/cc507878.aspx
has been available in Windows for about 13.5 years now!
Anonymous
Looks like companies are moving on this. Maybe not as fast as they could be, but VirusTotal already reports that 17/57 now detect.
Blagarswinth
Just wondering if this still applies to MMC control for Network container control: "Currently, this applies only to Microsoft Windows Installer (*.MSI) packages. It does not apply to software downloaded in Microsoft Internet Explorer."
Blagarswinth