A collection of anti-cryptographic and regular malware stuff

I figured I'd finally contribute (copy+paste information from other sources) something of worth to this blog, so what I'll do is collect as much stuff as possible on helping networks prevent cryptographic malware crap like CryptoLocker and all its spawn. Thanks for that, by the way, CryptoLocker authors, I do hope you get destroyed by a sudden stampede of elephants.

A lot of this stuff can probably be applied to other things, not just crypto* variants.

Niceties aside, here's some goodies to start you off with. I'll periodically update this post, so keep it in mind.

Part 0) Anti-virus, Browser Plugins/Extensions, Flash, Java and Common Sense

Part of this one is probably the hardest to implement, specifically the common sense part, as you're always going to have users who do stupid stuff, usually unintentionally - "oh, I've been waiting on invoice.zip.exe.pif.bat, better open that shit up!". Anyone who looks after lots of MS networks, or one big MS network, has probably encountered them. You need to educate your users not to open attachments that look even slightly bad, but instead to either email their IT or forward it to a mailbox that scans for bad stuff. Turning off "Hide extensions for known file types" in Explorer helps here too, because with it on, invoice.pdf.exe shows up as invoice.pdf. If you want mail security, there are plenty of ways to go about that, from free to premium options. Like the previous post with Pluralsight, I'm not here to sell you shit, I don't make money from this - I'm just advising what I've used in my travels.

Email

For inbound spam filtering, there's a nice cheap service called Spamhero, which is fairly solid; it has served me well everywhere I've used it. Outbound filtering with these guys isn't really an option, and it has been in the suggested features for years now, so don't expect it anytime soon. Some nice features include LDAPS support, free whitelabeling (good for MSPs) and geographic filtering.

For both inbound and outbound, there are a few options too, but the one I'm most familiar with is Barracuda's ESS. It's packed with features, so I won't go over them; the link is there, read away. It's not too badly priced either, but it's nowhere near as cheap as Spamhero, so if you really don't need outbound filtering, I'd still recommend that.

If you're all about that self-hosted solution, have a client/boss that doesn't like to spend money, or just want a project, there's ScrolloutF1, a collection of open source stuff bundled together. It comes in ISO form if you want to install it from scratch as a Debian-based distribution, or you can install it on an existing server. It does work really well, but expect to be tweaking it to suit your needs: out of the box it's not really suitable and needs some work to get going. It does both inbound and outbound filtering, so if you get it going, it'll be more cost effective than the two above.

If you're in a workplace where users are allowed to roam free on the internet and aren't under any sort of browser restrictions, you should really get some sort of ad blocking on your network, since ad networks are a well-worn route for getting exploit kits in front of a browser.

Web Browsers

If you have Firefox or Chrome deployed on your network, I can't recommend uBlock Origin enough. Chrome link / Firefox link
It's very much the essential browser adblock, none of this AdBlockPro pish here.

If you have the misfortune of having to look after a network where IE is the standard, or you have a Windows 10 network where everyone is using Edge, there are some other options.

For starters, using your router (or whatever does your egress filtering), block port 53 outbound, TCP and UDP, from everything except your internal DNS server, and then use this amazing set of lists to block whatever you want blocked. This is a good idea even if you have the adblockers installed. It stops users from setting their own DNS servers and stops malware from querying external DNS servers directly; it pretty much means your DNS server is the only thing on your network that can resolve names, so your blocklists can't be sidestepped. It's not a silver bullet (anything that calls home by hard-coded IP, or resolves names over HTTPS instead of port 53, walks straight past it), but it is a step in the right direction.
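Once the rule is in, check it from an ordinary workstation rather than trusting the router config. The script below is an added example, not code from the original post: it hand-builds a DNS A query and fires it at each server over UDP/53 and TCP/53 with a short timeout, so it doesn't depend on the OS resolver or the hosts file. The public resolvers are just test targets; 10.0.0.10 is an assumed internal DNS server, substitute your own.

```powershell
# Added example, not code from the original post. Hand-builds a DNS A query and
# sends it to each server over UDP/53 and TCP/53 with a timeout, so you can
# confirm from a workstation that only your internal resolver answers.
# 8.8.8.8 / 1.1.1.1 are public resolvers used as test targets; 10.0.0.10 is an
# assumed internal DNS server - substitute yours.

function New-DnsQuery {
    param([string]$Name)
    $id = Get-Random -Minimum 1 -Maximum 65535
    $b = New-Object System.Collections.Generic.List[byte]
    # Header: ID, flags 0x0100 (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    $b.AddRange([byte[]]@(($id -shr 8), ($id -band 0xFF), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0))
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $b.Add([byte]$label.Length)
        $b.AddRange([System.Text.Encoding]::ASCII.GetBytes($label))
    }
    $b.AddRange([byte[]]@(0, 0, 1, 0, 1))   # root label, QTYPE=A, QCLASS=IN
    return ,$b.ToArray()
}

function Test-DnsEgress {
    param([string[]]$Server, [string]$Name = 'example.com', [int]$TimeoutMs = 2000)
    $query = New-DnsQuery -Name $Name
    foreach ($s in $Server) {
        # UDP/53: a reply with ANCOUNT > 0 inside the timeout means the server is reachable.
        # A silently dropped packet times out and a firewall reject raises a
        # SocketException; both count as "blocked".
        $udpOk = $false
        $udp = New-Object System.Net.Sockets.UdpClient
        $udp.Client.ReceiveTimeout = $TimeoutMs
        try {
            [void]$udp.Send($query, $query.Length, $s, 53)
            $from  = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 0
            $reply = $udp.Receive([ref]$from)
            if ($reply.Length -ge 12) {
                $answers = ($reply[6] -shl 8) -bor $reply[7]   # ANCOUNT is header bytes 6-7
                $udpOk = ($answers -gt 0)
            }
        } catch { $udpOk = $false } finally { $udp.Close() }

        # TCP/53 too: resolvers fall back to it for large answers and malware can use it directly.
        $tcpOk = $false
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $tcp.BeginConnect($s, 53, $null, $null)
            $tcpOk = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $tcp.Connected
        } catch { $tcpOk = $false } finally { $tcp.Close() }

        [pscustomobject]@{ Server = $s; UdpReachable = $udpOk; TcpReachable = $tcpOk }
    }
}

# Run from an ordinary workstation. External servers should come back False/False,
# the internal DNS server True/True.
Test-DnsEgress -Server '8.8.8.8', '1.1.1.1', '10.0.0.10' | Format-Table -AutoSize
```

If an external server comes back True on either column, the rule isn't doing its job for that protocol; people often block UDP and forget TCP, or block from the user VLAN but not from the server VLAN.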

If you don't want to block port 53, you can always try rolling out a custom hosts file using the above list of blockable hosts. You can always add your own stuff to it too, remember! This can be done manually, with group policy, or with some other third-party application.

The process for group policy would be to share the hosts file you want to deploy, then create a batch script that replaces the existing hosts file on the machines on your network. Deploy it as a computer startup script rather than a user logon script: the hosts file lives under %SystemRoot% and ordinary users can't write to it, whereas startup scripts run as SYSTEM.

A fairly crude example of how to do this with batch:

@echo off
rem Run as a computer startup script (SYSTEM); the hosts file needs admin rights to write.
rem A UNC path needs the double backslash: \\server\share.
attrib -r %SystemRoot%\system32\drivers\etc\hosts
copy /y "\\servernameorip\shared folder\folder 2\hosts" %SystemRoot%\system32\drivers\etc\hosts
attrib +r %SystemRoot%\system32\drivers\etc\hosts
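The batch copy works, but it blindly trusts whatever is on the share. The PowerShell below is an added example, not code from the original post: it builds the hosts file from one or more blocklists plus your own additions, always points entries at a sinkhole address regardless of what IP the list said (so a tampered list can block names but never redirect them), backs the old file up, and refuses to write an empty file if the share is down. The UNC paths are assumptions, and the inline list is constructed sample data so the script runs without the share.

```powershell
# Added example, not code from the original post. Rebuilds the hosts file from
# blocklists on a share plus your own additions, backs the old one up, and
# refuses to write an empty file if the share is unreachable. The UNC paths
# are assumptions; the inline list is constructed sample data.

$ErrorActionPreference = 'Stop'
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$sources   = @('\\fileserver\deploy\hosts-blocklist.txt',   # third-party list (assumed path)
               '\\fileserver\deploy\hosts-local.txt')       # your own additions (assumed path)
$sinkhole  = '0.0.0.0'   # fails fast; 127.0.0.1 makes browsers wait on a closed local port

# Constructed sample in hosts-file format, standing in for what the share would provide
$sampleList = @'
# example blocklist
0.0.0.0 ads.example.net
127.0.0.1  tracker.example.org   # trailing comment
0.0.0.0 localhost               # must not be carried over
10.1.2.3 bank.example.com       # a list that redirects is treated as a list that blocks
'@

function Get-BlockedHostName {
    # Parses hosts-format lines and returns only the host names. The IP in the
    # list is deliberately ignored: output always points at the sinkhole, so a
    # poisoned list can block names but never redirect them somewhere else.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $clean = ($line -split '#', 2)[0].Trim()
        if (-not $clean) { continue }
        $parts = $clean -split '\s+'
        if ($parts.Count -lt 2) { continue }
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            if ($name -in @('localhost', 'localhost.localdomain', 'broadcasthost')) { continue }
            if ($name -notmatch '^[A-Za-z0-9][A-Za-z0-9.-]*$') { continue }   # no wildcards or junk
            $name.ToLowerInvariant()
        }
    }
}

$lines = @($sampleList -split "`r?`n")
foreach ($src in $sources) {
    if (Test-Path -Path $src) { $lines += Get-Content -Path $src }
    else { Write-Warning "Cannot read $src, continuing without it" }
}
$names = @(Get-BlockedHostName -Lines $lines | Sort-Object -Unique)
if ($names.Count -eq 0) { throw 'No entries parsed; refusing to overwrite hosts with an empty list' }

$content = @(
    "# Managed hosts file, generated $(Get-Date -Format 'yyyy-MM-dd HH:mm')"
    '# Edits here are overwritten; change hosts-local.txt on the share instead.'
    '127.0.0.1 localhost'
    '::1 localhost'
) + ($names | ForEach-Object { "$sinkhole $_" })

# Back up, drop the read-only bit, write plain ASCII (no BOM), put the bit back.
Copy-Item -Path $hostsPath -Destination "$hostsPath.bak" -Force
Set-ItemProperty -Path $hostsPath -Name IsReadOnly -Value $false
Set-Content -Path $hostsPath -Value $content -Encoding ASCII
Set-ItemProperty -Path $hostsPath -Name IsReadOnly -Value $true
Write-Host "Wrote $($names.Count) blocked names to $hostsPath"
```

Two things to watch with this approach: very large hosts files (tens of thousands of lines) make the Windows DNS Client noticeably sluggish, so trim the list to what you need rather than merging every list you can find; and newer Windows Defender builds flag a hosts file that sinkholes Microsoft's own hosts as a hosts-file hijack, so strip those entries or expect the file to be reverted.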

Anti Virus

As for anti virus on the users' machines, I recommend BitDefender. I won't link it here as it comes in so many different flavours that it's up to you what your business needs, or whether it's just a lone computer. Whatever you decide to install, make sure you set up device policies to prevent users from bringing in unauthorised portable storage devices, as well as some of the other granular options, for example limiting browsing habits, which means you can skip a fair amount of the previous section.

Flash, Silverlight and Java

Do you REALLLLLLY need them? If you don't, uninstall them, block them from getting reinstalled. It lowers the attack surface by a fair amount.

Part 1) Software Restriction Policies

Ahh yes, the one you might already have in place. I have been playing around with file types and paths and have listed some which you can find here: Paste.ee

Feel free to adjust/add file extensions you feel wary of.
Please note that once these are in your group policy and they've all been gpupdated and whatnot, you may experience a bit of a complaint wave as people realise certain applications no longer work. Your best bet is to inform the users that you're going to be rolling this out, and that if programs that usually work fine suddenly stop, or there is a message saying an administrator has blocked something, they should email in exactly what they tried to run so you can inspect it and then whitelist it. Whitelist the specific path (or better, a hash or publisher rule) rather than exempting a whole folder, otherwise the exception becomes the hole.
There are examples of how to do this in this Spiceworks post. Though I don't agree with allowing local administrators to be exempt from the policy. It's also a useful post if you don't know how to set up software restriction policies in the first place.

What this basically does is stop files from being run from temp folders, AppData folders and the like, which is exactly where a mail client or browser drops an attachment when a user double-clicks it. This helps prevent users executing weird invoice.exe attachments, among other things. It might seem like a lot of effort just to stop this, but it really is useful.
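When the complaint wave arrives, it helps to see what the policy actually looks like on the machine and what got blocked, rather than guessing from the user's description. The script below is an added example, not code from the original post or the Spiceworks post: it reads the SRP settings and path rules that landed in the registry and lists recent blocked-run events from the Application log. The registry layout is the one SRP has used since XP; the event IDs and provider name are as I know them from Vista and later, so confirm them with one deliberate blocked run on a test machine before relying on them.

```powershell
# Added example, not code from the original post. Reads the SRP configuration
# that actually applied to a machine and lists recent blocked-run events, which
# is what you want when a user reports "an administrator has blocked this".
# Event IDs and provider name are as I know them from Vista and later; confirm
# with one deliberate blocked run on a test machine before relying on them.

$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# Subkey names under CodeIdentifiers are the security levels
$levelName = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

function Get-SrpSetting {
    # Policy-wide values: default level, scope (1 = skip local admins, which the post
    # argues against), enforcement, and the extension list SRP treats as executable.
    $s = Get-ItemProperty -Path $saferRoot
    [pscustomobject]@{
        DefaultLevel     = $levelName["$($s.DefaultLevel)"]
        SkipsLocalAdmins = ($s.PolicyScope -eq 1)
        EnforceDllsToo   = ($s.TransparentEnabled -eq 2)
        ExecutableTypes  = ($s.ExecutableTypes -join ', ')
    }
}

function Get-SrpPathRule {
    # Each path rule is a GUID-named key under <level>\Paths. ItemData is the
    # pattern (REG_EXPAND_SZ; the provider expands %vars% for this machine).
    foreach ($lvl in Get-ChildItem -Path $saferRoot) {
        $pathsKey = Join-Path $lvl.PSPath 'Paths'
        if (-not (Test-Path -Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $r = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{
                Level       = $levelName[$lvl.PSChildName]
                Path        = $r.ItemData
                Description = $r.Description
            }
        }
    }
}

function Get-SrpBlockEvent {
    param([int]$Hours = 24)
    # 865 = blocked by the default level, 866 = blocked by a path rule.
    # The message carries the full path of what the user tried to run.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        Id           = 865, 866
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
}

Get-SrpSetting | Format-List
Get-SrpPathRule | Sort-Object Level, Path | Format-Table -AutoSize
Get-SrpBlockEvent -Hours 72 | Format-Table -AutoSize -Wrap
```

Run it on the complaining user's machine (or remotely with Invoke-Command). If SkipsLocalAdmins comes back True, someone has ticked the "all users except local administrators" option the Spiceworks post suggests, and a user who happens to be a local admin is running with no restrictions at all.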

Part 2) File Screening

File screening is another good strategy to implement, as it can give you a quick indication that someone has been hit with cryptographic malware, by notifying you that something that shouldn't have happened on a file share was recently attempted, and by whom. This part pretty much only applies to Windows domains where you have the File Server Resource Manager role installed on the file server.

A lot of the stuff here has been covered really well by the author of this site, so a lot of what I have done is actually based off of this, or pretty much is this. A quick reference for a list of known crypto* malware extensions is here.

Update

I have actually written a little PowerShell script to add the file groups; you can find it here.
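For the whole thing end to end, here is an added example that is not the author's own file-group script or code from the linked site: it creates (or refreshes) an FSRM file group from a list of patterns, attaches an active screen with email and event-log notifications to a share, and shows how to trip it. The share path, mail settings and the handful of patterns are placeholders; feed it the real extension list from the reference above.

```powershell
# Added example, not code from the original post and not the author's own
# file-group script. Creates (or refreshes) an FSRM file group, attaches an active
# screen with email + event-log notifications to a share, and shows how to trip it.
# The share path, mail settings and the handful of patterns are placeholders;
# load the real extension list from the reference the post links to.

Import-Module FileServerResourceManager

$groupName = 'Crypto Malware Extensions'
$sharePath = 'D:\Shares\Company'                  # assumed share root to protect
$patterns  = @('*.locky', '*.cerber', '*.encrypted', '*.crypt', '*HELP_DECRYPT*')   # sample patterns only

# Mail settings FSRM uses to send notifications (assumed values)
Set-FsrmSetting -SmtpServer 'mail.corp.example' -FromEmailAddress 'fsrm@corp.example' -AdminEmailAddress 'it@corp.example'

# Create or update the group so re-running the script just adds new extensions
if (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $groupName -IncludePattern $patterns
} else {
    New-FsrmFileGroup -Name $groupName -IncludePattern $patterns -Description 'File names dropped by crypto malware'
}

# [Source Io Owner], [Source File Path] etc. are FSRM's own substitution variables;
# that is where the "who and where" in the alert comes from.
$body = 'User [Source Io Owner] tried to write [Source File Path] on [Server] (group: [Violated File Group], screen: [File Screen Path]).'
$notify = @(
    New-FsrmAction -Type Email -MailTo '[Admin Email]' -Subject 'Possible crypto malware on [Server]' -Body $body -RunLimitInterval 1
    New-FsrmAction -Type Event -EventType Warning -Body $body -RunLimitInterval 1
)

# Active = the write is refused, not just logged. Some families give up on a
# denied write, others carry on; either way you get the alert.
if (Get-FsrmFileScreen -Path $sharePath -ErrorAction SilentlyContinue) {
    Set-FsrmFileScreen -Path $sharePath -IncludeGroup $groupName -Active -Notification $notify
} else {
    New-FsrmFileScreen -Path $sharePath -IncludeGroup $groupName -Active -Notification $notify -Description 'Alert on crypto malware file names'
}

# Test it: from a workstation as a normal user this should be denied and produce an email.
# New-Item -Path "\\$env:COMPUTERNAME\Company\test.locky" -ItemType File
```

Bear in mind this only catches families that rename files to something on your list. Ones that keep the original extension, or pick a random one per victim, walk straight through, so keep the group updated and treat it as an early warning rather than a block.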

Part X) Useful Links/Tools

AdwCleaner - Small, quick malware scanner and removal tool.

Junkware Removal Tool - Similar to the above tool.

RogueKiller - Rootkit detection and removal tool.

HijackThis - Generates a report of stuff that you let go wrong.

RKill - Kills off running malware processes, so you can get to work cleaning them.

ComboFix - For that user who gets all the infections ever but is adamant that they don't want a fresh install of Windows, even though every hacking group has had a play around with their computer. Try all the above options before this one.

IP/URL BlockLists - A big collection of blocklists of malicious IPs and URLs that you can implement in your security setup.


I'll add more to this when I get the time; there's a lot that can be added.


R##