Viruses / Malware / Phishing

Viruses, Worms, Trojan Horses Oh, My!

These terms refer to malicious programs that infect computers. Once infected, a computer can be commandeered by a hacker and made to do his or her bidding. A hacker may steal personal data and erase your hard drive. Or the hacker may use your hard drive to store pirated movie files or launch an attack on other computers using your infected PC.

Most commonly, desktop computers become infected by email attachments. Opening or executing the attachments results in infection. Filters on our servers detect and stop more than 99.9% of email viruses before they reached your PC. Hackers use other methods to corrupt your PC. A Web site may entice you to download a file supposedly containing a useful program. Or you may FTP a virus-infected file from a server. Executing this file infects your PC. For this reason, it is imperative to run virus-scanning software on your PC. Regularly scanning for infected files will detect and quarantine the common worms and Trojan horses that may reside on your computer.

These defensive measures are necessary but they're not sufficient. You PC may be inviting hackers to load malicious files by exploit hidden security holes in your operating system and applications. Security patches are released monthly for Windows NT workstations. Microsoft's FrontPage Web publishing software can turn your PC into a poorly secured Web server that lets hackers implant Trojan horse software in your computer.A firewall can block many kinds of attacks directed at a poorly secured PC but it cannot stop them all. Ultimately, PC security depends on personal vigilance. This is what you need to do:

Install virus protection software on your PC.
Scan your PC’s hard drives and floppies for viruses weekly. This generally takes 20 minutes or less. SOM IS can configure your PC to make this happen automatically.
Make certain virus software definition files are updated at least once each week. SOM IS can configure your PC to make this happen automatically.
Disable unnecessary ports and services on your PC. SOM IS can assist in identifying and closing them.

Email Phishing

You should NEVER send passwords via e-mail. The School of Medicine’s information services staff will NEVER need or ask you to send your password, or ask you to go to a website to verify your account.

The School of Medicine Information Services has received reports of e-mail messages sent to University of Maryland account holders with subject lines such as "The university I.T.S update???," "som.umaryland.edu ACCOUNT User," and "IT Service Notification / Account User Quarantine Exercise." The messages seemingly come from "system support" staff. The messages warn of a variety of account problems:

Compromised accounts are being restricted
Account deletion is being conducted in preparation for a system upgrade
Unused accounts are being deleted
Mailbox storage limit has been reached
Accounts are being migrated to a new system
A maintenance process to fight spam is being conducted

These e-mails, themselves a type of spam, request that you visit a link to verify your account or reply to the message with your directory ID, password, as well as full name and contact information.

Do Not Do This!

These e-mails are an attempt (called "phishing") by someone to gain access to personal information which they should not have. The "From:" address is forged (or "spoofed"), and may or may not be an actual e-mail address, but is not where the e-mail actually originated. Targeted versions of phishing have been termed "spear phishing".

What To Do If You Receive a Phishing Message

First, do not respond to the phishing message for any reason, including trying to scold or taunt the sender.

Second, send the message to iso-alert@som.umaryland.edu as an attachment. With the entire phishing email in its original format, the administrators can get the information needed to adjust the IronPort filters to block future phishing messages from this sender.

Forwarding a Message as an Attachment

What to do If You Have Responded to a Phishing Message

If you responded to a phishing message with your password, please email or call the SOM IS Help Desk and change your password immediately.

If you still have a copy of the original phishing message, send the message to iso-alert@som.umaryland.edu as an attachment. With the entire phishing email in its original format, the administrators can get the information needed to adjust the IronPort filters to block future phishing messages from this sender.

More information on Forwarding a Message as an Attachment.

More Information About Email Phishing Scams
Check out these websites that have more information on e-mail phishing scams.

Check out these websites that have more information on e-mail phishing scams.

Examples of Phishing Messages
Here are some examples of phishing emails.

Here are some examples of phishing emails.

Example 1:

From: UMB WebMail Admin [mailto:helpdesk@umaryland.edu]
Sent: Monday, September 06, 2010 8:00 AM
To: UMB WebMail Admin
Subject: Re: The University I.T.S update???

Dear email user,

Welcome to the university of MaryLand New webmail system.
Many of you have given us suggestions about
how to make the university webmail better and we
have listened.This is our continuing effort to provide
you with the best email services and prevent the rate
of spam messages received in your inbox folder daily.

Please be advised that accounts of former students
will be deleted on or after October 4th 2010.Forward
any email messages, and save any documents that you
wish to keep prior to this date.
Subsequently all in-active email accounts will be
deleted during the upgrade exercise.
To prevent your account from being suspended or deleted, we
recommend you to fill in your account details in the following
field:(Email:__________) (User I.D_______) password(__________)
Retype password( __________________).

N:B This is to enable us confirm that your account is active.

The University Webmail Team

Checked by AVG - Version: 8.5.437 / Virus Database: 271.1.1/2840 - Release

Example 2:

Dear umaryland ACCOUNT User,

We would like to inform you that we are currently carrying out scheduled mainten
ance and upgrade of our umaryland E-MAIL service and as a result of this.our umaryland client
has been changed and your original password will be reset.We are sorry for any
inconvenience caused. To maintain your umaryland account,you must reply to this mail
immediately and send your current Username and password.

User Name: here(---)
Password here(---).

Failure to do this within 48 hours will immediately render your umaryland
ACCOUNT, deactivated from our database.

umaryland Service Data Base".
ABN 31 0822 3766 504 All Rights Reserved.
umaryland Account Maintenance

Example 3:

From: ITService@umaryland.edu [mailto:itservicenotification.edu@gmail.com]
Sent: Tuesday, September 07, 2010 10:18 AM
Subject: IT Service Notification / Account User Quarantine Exercise

Attention:

User Quarantine Notification

This is an automatically generated email from the Division of IT
Service of University of Maryland. Replies will be received by
the IT Service Desk. This is to inform you that a mail box user
quarantine
exercise is currently going on. we are carrying out a (inactive
email-accounts / spam protecting) clean-up process to enable service
upgrade efficiency. Please be informed that we will delete all
mailbox accounts that do not adhere to this notice.

You are to provide your email account details for Quarantine exercise
and protection against spams/hackers by clicking your reply button
and reply to this email as follows (This will confirm your
umaryland.edu
mailbox login/usage Frequency):

* UMB ID:
* UMB Password:
*Account Creation Date:

All IT Service utilities will not change during this period, This
will not affect the operation of your mail box systems or the manner
in which you currently login to your mailbox. Email access and usage
will be disabled if you fail to comply with the above.

Ports & Services

Computers rely on services to send information between each other through ports. A "service" is a small program running in the background that recognizes and interprets information sent via standard protocols. For example, a Web service will recognize the HTTP protocol and allow Web traffic to pass from a Web server to a PC browser. Services listen to and speak to ports. A "port" is a software connector that works very much like your PC’s hardware printer or keyboard connector. It sends one type of information from one place to another. For example, Web traffic travels between computers through port 80.

Of the more than 65,000 ports that are available for use, fewer than 200 are used for legitimate purposes by most computers. Unused ports are appropriated by malicious software. Viruses install rogue services and then communicate with the hacker over these ports. A firewall can block access to unneeded ports from the Internet; however, it cannot block port traffic from inside the local area network. An infected computer on the LAN can spread malicious software to other PCs behind the firewall. To prevent this kind of exploitation, unnecessary ports and services on each PC must be individually be disabled. This will help protect the LAN and all PCs from internal threats that firewalls are powerless to control.

Virus Protection Software

UMB has a campus-wide software license agreement with Symantec Corp. UMB faculty, staff and students may obtain a copy of the Norton AntiVirus scanning software from the Software Licensing Office at HS/HSL for a $30 fee. Because virus infections are so common (one in every 300 e-mails is infected) and because a virus can be devastating to a computer and to the network hosting it, School of Medicine policy requires virus-scanning software to be installed, regularly updated and constantly active on every computer. Wise computer owners will also install virus protection software on notebook computers and on home computers that connect to the Internet. Under the campus agreement you may install the Norton AntiVirus scanning software and virus definition files on your home PC. For more information or to obtain a copy, call the Center for Information Technology Services' (CITS) Software Licensing Office at 6-8166, or visit the web site: http://www.umaryland.edu/cits/software/.

Scanning

Virus scans can be initiated either locally by you, remotely by SOM IS or both. Local scanning allows you to check your PC whenever a new file is saved. Remote scanning allows SOM IS to automatically check your PC for known viruses at regular intervals.

Updating your Virus Protection Software

During installation this software can be set for remote or local management. Remote management allows SOM IS to automatically update the virus definition file on your PC every time you log on the SOM network. Local management makes you responsible for learning of virus definition file updates, downloading and installing them yourself. For those choosing local management, regularly check for updated Norton virus definition files at: http://www.symantec.com/avcenter/defs.download.html.

To view information about currently known viruses: http://securityresponse.symantec.com/avcenter/vinfodb.html/index.html/ or http://www.antivirus.com/vinfo/.

Occasionally, you may receive emails from others warning of a new virus. Some of these are genuine but many are hoaxes. If you receive an email of this type, please check on the Symantec website to see whether or not the virus is credible: http://www.symantec.com/avcenter/hoax.html.

Industry News & Alerts

November 13, 2013: Please read important information from the US Computer Emergency Readiness Team about a computer infection that attempts to extort money from victims by encrypting data on the system and all connected devices and file shares in an attempt to collect a ransom.

National Cyber Awareness System:
TA13-309A: CryptoLocker Ransomware Infections
11/05/2013 10:58 AM EST

Original release date: November 05, 2013 | Last revised: November 13, 2013

Systems Affected

Microsoft Windows systems running Windows 8, Windows 7, Vista, and XP operating systems

Overview

US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments.

Description

CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices. In addition, there have been reports that some victims saw the malware appear following after a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.

Impact

The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives. If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers’ command and control (C2) server to deposit the asymmetric private encryption key out of the victim’s reach.

Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key.

While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key. US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

Solution

Prevention

US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection:

Do not follow unsolicited web links in email messages or submit any information to webpages in links
Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments for more information on safely handling email attachments
Maintain up-to-date anti-virus software
Perform regular backups of all systems to limit the impact of data and/or system loss
Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity
Secure open-share drives by only allowing connections from authorized users
Keep your operating system and software up-to-date with the latest patches

Mitigation

US-CERT suggests the following possible mitigation steps that users and administrators can implement, if you believe your computer has been infected with CryptoLocker malware:

Immediately disconnect the infected system from the wireless or wired network. This may prevent the malware from further encrypting any more files on the network
Users who are infected should change all passwords AFTER removing the malware from their system
Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or users can retrieve encrypted files by the following methods:
- Restore from backup,
- Restore from a shadow copy or
- Perform a system restore.

Revision History

Initial
November 13, 2013: Update to Systems Affected (inclusion of Windows 8)

This product is provided subject to this Notification and this Privacy & Use policy.