We’re seeing a horrifying variants of the Cryptolocker attack. Recall the “ransomware” that generated big cybercrime profit last year by holding data hostage and demanding money from the rightful owners after locking them out of their own files.
The new attack may target hiring managers who post online job openings. A resume comes in with a malware payload. Managers circulate the news about a promising candidate. The resume gets forwarded among the bosses, and the attack spreads.
The most frightening variant of this family of malware, called Kovter has been seen by adding child porn to the mix. Malware detection company Damballa reports that once this variant attacks a computer system, the sets out to find adult websites that may be sitting in the browser history. If there are none, it implants child porn into the computer, and then freezes a screenshot on the browser as an extortion tool.
While relatively few people have been affected so far, the number of systems impacted by this family of malware has more than doubled over the last month from 7,000 to 15,000, the impact of this attack could be devastating. It’s critical to understand that anyone accused of “storing” child pornography will be faced with a crushing round of legal problems.
Child porn is radioactive, and the law surrounding it is so unforgiving, that no matter what you do, you’re probably in trouble. We are even aware of a forensic expert who was prosecuted because he had images on his computer that were related to a case he was working on.
If child pornography were to suddenly appear on your screen (assuming you didn’t put it there), do not try to delete the files, do not forward them, and do not look to see what else is going on in the computer.
The best course of action is to immediately shut down the computer and take it to your attorney’s office, explain what happened, and request that he or she lock it up. If you’re at work, shut down your computer and go immediately to the HR manager or to your boss, and report the occurrence. Explain that the attack has the potential to spread throughout the organization unless it’s immediately isolated.
The next step will be locating people who understand the both the law, and the range of cyberattacks that may have taken place, then deciding how to approach law enforcement. Assuming you didn’t alter any data on your hard drive, a proper forensic examination of the machine should confirm when the files appeared, and that you do not have a history of browsing for child pornography.
In the workplace scenario, be very alarmed if your employer seems unconcerned, or directs you to turn on your computer and get back to work. If the company has in-house legal counsel, ask to speak with one of the attorneys.
If there’s no in-house lawyer, or if you have a contentious relationship with your employer, you may want to ask your own attorney to contact your employer and request the computer be put in quarantine pending further investigation.
In the worst possible case, a court order might be necessary. The employer might misunderstand the event, or use it as a reason to fire you.
One more problem – your attorney may not have encountered child porn, or may have limited knowledge about how to examine the evidence without getting you into trouble. He or she may need to research the subject first, and that could mean an uncomfortable couple of days for you at work.
Please take this seriously. Cryptolocker also started small, and became a significant danger in a short time. We hope the Kovter attack doesn’t achieve similar reach, but we also hope those who get hit will respond in a way that doesn’t compound their troubles.
By: Ira Victor, GIAC G17799 GCFA GPCI GSEC ISACA CGEIT CRISC
Digital Forensic Analyst, and Host, CyberJungle Radio
Please support our sponsors, as they support The CyberJungle:
Basis Technology is helping investigators perform faster, more efficient, cost-effective, and complete investigations in cybersecurity and incident response.
BASIS TECHNOLOGY……PLEASE VISIT THEIR SITE BASISTECH.COM