Warning: CryptoWall is very very very dangerous !!!



NewsArchive
02-15-2016, 04:22 AM
All,

I have one Windows 7 machine (not connected to any production environment in our office and even running on a separate Internet connection to be on the super safe side) for visiting "Warez" websites. I am using this Windows 7 machine to scan the Internet for illegal copies of our SetupBuilder product. I've been doing this for ten years, so I know what I am doing. The machine is Symantec Endpoint protected and the virus definitions are always up-to-date.

Last Friday evening, I powered the *Warez* machine off and went home. This morning I came in the office to find that computer... running. Hmmm, what happened? On Saturday afternoon, it automatically powered on and the CryptoWall Trojan horse (an adsense ad infected the machine) encrypted files using the military grade encryption RSA-2048. You must have the private key in order to get your .doc, .txt, .xls, .bmp, .png, .jpg, .pdf, image and video files decrypted and the software will hold your files hostage until a ransom in Bitcoin is paid. It will also attack every mapped network drive, external drive, or USB flash drive until its mission is complete.

Be warned, this improved CryptoWall variant is very dangerous !!! Backup your machines, protect your hard work. Tell your customers about it.

If you are interested, this is my *PRODUCTION* environment for maximum safety and damage prevention:

My main development machine is a Dell Precision M6600 Mobile Workstation with 32 GB RAM. Internal Samsung SSD 850 1 TB and SanDisk SSD Extreme Pro 960 GB. Then an external Samsung SSD 850 1 TB, a Transcend SSD370 512 GB and a SanDisk Extreme Pro 128 GB flash drive USB 3.0 for fast backups. On top of this, we have several traditional spinning 2.5-Inch hard drives (HDD) for regular backup rotation stored in three different locations. About 30 TB of storage space.

The Dell M6600 is powered by Windows 10 Enterprise x64. This machine is rock solid, military grade, with excellent performance. But I'll replace it with a Dell Precision 7710 64 GB RAM later this year. Only one (1) program is running on the M6600 host: VMWare Workstation 12.

I have three Virtual Machines (VMs) for software development and 20 VMs for software testing purposes. My development VMs (protected by ESET NOD32) have three virtual disk drives. Virtual drive "C" is always the Windows Operating System and Program Files drive (with no "data" files on it). Virtual drives "E" and "F" are my data file drives.

My second (backup) development machine is an Apple MacBook Pro Retina with 2,6 GHz Quad-Core Intel Core i7 (Turbo Boost up to 3,8 GHz), 16 GB RAM, and 4-channel PCIe 1TB SSD delivering SSD 1 GB/s write and 888 MB/s read speeds. It is running VMWare Fusion 8.

The cool thing is, I can copy the VMWare virtual drives from my Dell to the MacBook and vice-versa. This is excellent.

I am always prepared for the worst case scenario <g> Good luck and happy computing!

Friedrich

--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
954.252.3910 (within US) | +1.954.252.3910 (outside US)

--SetupBuilder "point. click. ship"
--Helping You Build Better Installations
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner
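
The behaviour described in the post above (data files on the local drives, mapped network drives and USB media rewritten as ciphertext) is what a file-level tripwire can catch early. The script below is an added example, not code from the thread or from Lindersoft: it records a SHA-256 and a byte-entropy figure for every file under a data tree, and on a later pass reports files whose contents flipped from ordinary to ciphertext-like high-entropy data, files that vanished (renamed originals) and files that appeared (ransom notes). The entropy threshold, the directory layout and the sample files are assumptions made for the demonstration; run it from the host or from a backup point against the data drives, never from inside the suspect machine.

```python
"""Baseline-and-diff tripwire for a data tree (added example, not from the thread).

Records a SHA-256 and a byte-entropy figure for every file under a directory;
a later pass reports files whose content flipped to ciphertext-like data,
files that vanished and files that appeared: the footprint a file-encrypting
ransomware leaves on a data or mapped drive.  Threshold, paths and sample
files below are assumptions for the demonstration.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

HIGH_ENTROPY = 7.5   # bits/byte; encrypted or compressed data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Empirical byte entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def fingerprint(path: Path) -> dict:
    data = path.read_bytes()
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "entropy": round(shannon_entropy(data), 3), "size": len(data)}


def build_baseline(root: Path) -> dict:
    """relative path -> fingerprint for every regular file under root."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_against_baseline(root: Path, baseline: dict) -> dict:
    """Classify what changed since the baseline was taken.

    encrypted: content changed and went from ordinary to high entropy
    modified:  content changed, entropy still ordinary (or was high already)
    added / removed: new or missing paths (ransom notes, renamed originals)
    """
    current = build_baseline(root)
    report = {"encrypted": [], "modified": [], "added": [], "removed": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
        elif new["sha256"] != old["sha256"]:
            flipped = old["entropy"] < HIGH_ENTROPY <= new["entropy"]
            report["encrypted" if flipped else "modified"].append(rel)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def looks_like_ransomware(report: dict, min_encrypted: int = 3) -> bool:
    """Crude decision rule: several files flipped to ciphertext-like content."""
    return len(report["encrypted"]) >= min_encrypted


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate an encryptor."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "data"
        data.mkdir()
        for i in range(5):
            (data / f"report{i}.txt").write_text("quarterly figures\n" * 40)
        (data / "notes.txt").write_text("todo list\n" * 10)
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(build_baseline(data), sort_keys=True))

        # Simulated attack: four files overwritten with random bytes (stand-in
        # for cipher output), one renamed, a ransom note dropped.  notes.txt gets
        # an ordinary edit so the two cases can be told apart.
        for i in range(4):
            (data / f"report{i}.txt").write_bytes(os.urandom(4096))
        (data / "report4.txt").rename(data / "report4.txt.locked")
        (data / "README_RESTORE.txt").write_text("pay us\n")
        (data / "notes.txt").write_text("todo list\n" * 11)

        return diff_against_baseline(data, json.loads(baseline_file.read_text()))
```

The check compares each file's entropy against its own baseline rather than an absolute value, so archives, images and encrypted containers that already sit near 8 bits/byte land in `modified` when they change instead of raising a false alarm; the signal is several ordinary files flipping to ciphertext-like content in one pass.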

NewsArchive
02-15-2016, 06:12 AM
Hi Friedrich,

If you ran your browser via SandBoxie and deleted the contents of the
sandbox after each session, do you think it would have still got
through?

Graham

NewsArchive
02-15-2016, 08:14 AM
Hi Graham,

> If you ran your browser via SandBoxie and deleted the contents of the
> sandbox after each session, do you think it would have still got through?

To be honest, I don't know. Given how much effort the people behind
CryptoWall have put into this brand new variant :-(

I read an interesting statement on a hacker forum: "Sandboxie is a great
program, but thinking that it will protect your system from
every infection is a flaw that will eventually get you infected."

BTW, it happened here under a restricted Windows account, UAC enabled, ad
blocker enabled, Symantec Endpoint Protection enabled. I did not install
any software. I noticed that Symantec Endpoint Protection reported a
malfunction (definition update issue, or something similar), but a few
seconds later the machine was fully protected again. IMO, CryptoWall 4 did
this.

Friedrich

NewsArchive
02-15-2016, 08:15 AM
Hi Friedrich,

It's a real pain, all this virus, malware, ransomware stuff.
Realistically it's even hard to search the web for advice as you're
just as likely to hit upon sites trying to infect you.

Can I take it that only your VM was infected and that CryptoWall didn't
manage to get through to the host?

You say only VMware Workstation is running on the host; I assume that's on
top of a normal OS install, or is that not how it works?

Never used VMWare but have Virtualbox VMs for 32 bit work
(ReportWriter, Clarion 6.1) and visiting 'iffy' sites.

Graham

NewsArchive
02-15-2016, 10:10 AM
Hi Graham,

> It's a real pain, all this virus, malware, ransomware stuff.
> Realistically it's even hard to search the web for advice as you're
> just as likely to hit upon sites trying to infect you.

Absolutely! :-(

> Can I take it that only your VM was infected and that CryptoWall didn't
> manage to get through to the host?

To be on the safe side, this native-hardware machine (an old Dell M6300
Precision from 2008) is not connected to any of my production computers.
Being a security paranoiac, it even has its own Internet connection that
does not share an IP with my production machines.

> You say only VMware Workstation is running on the host; I assume that's on
> top of a normal OS install, or is that not how it works?

Yes, the "host" is running Windows 10 Enterprise Edition. I am not doing
anything on the host (not even open Notepad <g>). It's a clean machine,
only VMWare Workstation installed. In VMWare I have 23 VMs installed.
I do all my work exclusively in VMs.

Nice side effect: when I buy a new computer or in case of a solid-state
drive failure, I do the following to get back into production mode:

1. Install Windows 10 Enterprise Edition on the new machine/SSD
2. Install VMWare Workstation 12
3. Copy all VM images to the new machine/SSD

That's it. It takes a maximum of 1 hour and I have my 23 virtual machines
with different operating systems (Windows 95 up to Windows Server 2016) up
and running.

> Never used VMWare but have Virtualbox VMs for 32 bit work
> (ReportWriter, Clarion 6.1) and visiting 'iffy' sites.

All my main development work is done in:

- 32-bit Windows XP SP3 VM (Clarion, Visual Studio 2002, Borland C++ 4.53)
- 32-bit Windows XP SP3 VM (Visual Studio 2008 and 2010)
- 64-bit Windows 10 Enterprise (Visual Studio 2015 and code-signing)

I have not done any work on native hardware for over 8 years now.

Friedrich

NewsArchive
02-15-2016, 10:11 AM
Hi Friedrich,

Sounds like a plan to me :-)
Many thanks for the extra info.

I suppose it's all dependent upon the quality and frequency of your VM
backups.
So how is that managed, i.e. what software do you recommend, and does
backing up a VMware VM interrupt usage at all?

Graham

NewsArchive
02-16-2016, 02:03 AM
I wonder if there's a Cryptowall detector that doesn't contain
cryptowall<g>.

Jeff Slarve
www.jssoftware.com
Twitter free since Jan 11, 2016
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
02-16-2016, 02:04 AM
> I wonder if there's a Cryptowall detector that doesn't contain
> cryptowall<g>.
Quite <vbg>

Must say Friedrich likes to live dangerously visiting Warez and Hacker
sites :-Z

Graham

NewsArchive
02-16-2016, 02:05 AM
Graham,

> So how is that managed, i.e. what software do you recommend, and does
> backing up a VMware VM interrupt usage at all?

All my income work is done in VMware VMs but I don't leave them
running overnight, just my host runs at night. At 3:30 AM my 3 offsite
cloud backup services do their thing, which includes backing up the
VMs and all my InBack backups. By morning everything is completed,
including complete virus and malware scans which start up at 2:30 AM.

If my brain is quiet I sleep quite well now that my backups are
offsite and handled for me. No more tapes or external drives to worry
over or remember to use day to day. Nor a worry they get consumed in a
fire since I rarely ever made it to the offsite storage!<g>

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"

NewsArchive
02-16-2016, 02:06 AM
Everyone feels safe until they aren't<g>

Jeff Slarve

NewsArchive
02-16-2016, 02:06 AM
Jeff,

> Everyone feels safe until they aren't<g>

But I also feel comfortable, is that better?!<g>


I have a VM dedicated to browsing and TeamViewer and I don't use a
browser anywhere but there. It's also in a different workgroup so it
doesn't "see" my other VMs or host.

I use a text based email and news reader both of which can display
HTML but not by default and, unless Agent changed it on me, both using
their own built-in HTML renderer instead of IE.

I run Ad Blocker and No Script on my browsers.

I run AVG, Malwarebytes Anti-Malware and Anti-Exploit on my host and
all VM's... so, yeah, reasonably comfortable!<g>


And here's a freebie for ya<g>, I only visit porn sites on my laptop.

Lee White

NewsArchive
02-16-2016, 02:07 AM
Pretty sure that we all were curious about that<g>

>And here's a freebie for ya<g>, I only visit porn sites on my laptop.

Jeff Slarve

NewsArchive
02-16-2016, 02:07 AM
Hi Jeff,

> Everyone feels safe until they aren't<g>

Indeed! I've been bitten too many times with backups not working, not
being restorable or readable or whatever. I do image backups, but I do
not rely on them. If they are bad, you're hosed if you don't have file
backups. I use VMs for some development, but I have had a VM go belly
up so I'm not really trusting them either;) I have lost work and data,
due to bad backups or failed backups so I'm pretty paranoid about
backups. I do backup the VM files every night, I backup the VM drives
using Acronis and I backup ALL work files to external devices and
version control and online and off-site and I'm still not 100%
comfortable. When you feel secure and comfortable is when the stuff
takes a big bite out of your behind!<g>

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
02-16-2016, 09:15 AM
Hi Graham,

> Sounds like a plan to me :-)
> Many thanks for the extra info.

You are very welcome :-)

> I suppose it's all dependent upon the quality and frequency of your VM
> backups.
> So how is that managed, i.e. what software do you recommend, and does
> backing up a VMware VM interrupt usage at all?

To be on the safe side, I only back up "powered off" VMs. All of my
development VMs have three virtual drives (C, E, F). C = Operating System
and Program Files, E + F = Data (mail, documents, source code, etc.). The
drive configuration is set to "Persistent" mode. That means changes are
immediately and permanently written to the disk. To back up my data, I copy
the .VMDK drive image files (see attached screenshot) to my external SSD
and/or HDD.

BTW, my test machines have "Nonpersistent" virtual drives. Changes to the
disk are discarded when I power off the VM (clean machine). So I always
have a "clean" machine to test updates or new features.

Friedrich
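
A concrete form of the powered-off-only backup routine described above, as an added example rather than Friedrich's own tooling or anything that ships with VMware Workstation: the script checks for Workstation's `.lck` lock directories before touching the VM folder (Workstation creates them beside the .vmx and .vmdk files while a VM is running), reads the .vmx to report which virtual disks are configured independent-nonpersistent (those discard their changes at power-off, so copying them only preserves the clean baseline), copies the .vmx and .vmdk files, and checks every copy against a SHA-256 manifest that can be re-verified later. The .vmx keys used (`scsi0:N.fileName`, `scsi0:N.mode`) are the real ones; the directory layout, file names and sample VM are constructed for the demonstration.

```python
"""Back up a powered-off VMware Workstation VM and verify the copy.

Added example, not Friedrich's tooling and not anything shipped by VMware.
It refuses to copy a VM that still has Workstation's *.lck lock directories
beside it (created while the VM runs), reads the .vmx to show which virtual
disks are independent-nonpersistent (changes discarded at power-off, so no
data lives there), copies the .vmx and .vmdk files, and checks every copy
against a SHA-256 manifest that can be re-verified later.  The .vmx keys
(scsi0:N.fileName / .mode) are the real ones; the VM layout is constructed.
"""
import hashlib
import json
import re
import shutil
import tempfile
from pathlib import Path

# matches e.g.  scsi0:1.fileName = "DevVM-E.vmdk"  /  scsi0:1.mode = "independent-nonpersistent"
DISK_KEY = re.compile(
    r'^(?P<dev>(?:scsi|sata|ide|nvme)\d+:\d+)\.(?P<attr>fileName|mode|present)'
    r'\s*=\s*"(?P<val>[^"]*)"')


def parse_vmx_disks(vmx: Path) -> dict:
    """{device: {fileName, mode, present}} for every entry backed by a .vmdk."""
    entries = {}
    for line in vmx.read_text(errors="replace").splitlines():
        m = DISK_KEY.match(line.strip())
        if m:
            entries.setdefault(m["dev"], {})[m["attr"]] = m["val"]
    # CD-ROM entries point at .iso files or raw devices, not .vmdk; skip them
    return {d: a for d, a in entries.items()
            if a.get("fileName", "").lower().endswith(".vmdk")}


def nonpersistent_disks(disks: dict) -> list:
    """Devices whose mode ends in 'nonpersistent'; an absent mode means persistent."""
    return sorted(d for d, a in disks.items()
                  if a.get("mode", "").lower().endswith("nonpersistent"))


def is_powered_off(vm_dir: Path) -> bool:
    """Workstation keeps <file>.lck directories next to the VM while it runs."""
    return not any(vm_dir.glob("*.lck"))


def sha256_file(p: Path) -> str:
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_vm(vm_dir: Path, dest: Path) -> dict:
    """Copy .vmx/.vmdk files to dest, write a manifest, verify the copies."""
    if not is_powered_off(vm_dir):
        raise RuntimeError(f"{vm_dir}: *.lck present, VM appears to be running")
    vmx = next(vm_dir.glob("*.vmx"))
    disks = parse_vmx_disks(vmx)
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in sorted(vm_dir.iterdir()):
        # split disks (-s001.vmdk) and snapshot deltas (-000001.vmdk) also end in .vmdk
        if src.is_file() and src.suffix.lower() in (".vmx", ".vmdk"):
            shutil.copy2(src, dest / src.name)
            manifest[src.name] = sha256_file(src)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return {"copied": sorted(manifest), "bad": verify_backup(dest),
            "nonpersistent": nonpersistent_disks(disks)}


def verify_backup(dest: Path) -> list:
    """Names whose copy is missing or no longer matches the manifest."""
    manifest = json.loads((dest / "manifest.json").read_text())
    return [n for n, h in manifest.items()
            if not (dest / n).exists() or sha256_file(dest / n) != h]


def demo() -> dict:
    """Constructed VM: C and E persistent, F independent-nonpersistent, plus an ISO."""
    with tempfile.TemporaryDirectory() as tmp:
        vm = Path(tmp) / "DevVM"
        vm.mkdir()
        (vm / "DevVM.vmx").write_text(
            '.encoding = "UTF-8"\n'
            'scsi0:0.present = "TRUE"\nscsi0:0.fileName = "DevVM-C.vmdk"\n'
            'scsi0:1.present = "TRUE"\nscsi0:1.fileName = "DevVM-E.vmdk"\n'
            'scsi0:1.mode = "persistent"\n'
            'scsi0:2.present = "TRUE"\nscsi0:2.fileName = "DevVM-F.vmdk"\n'
            'scsi0:2.mode = "independent-nonpersistent"\n'
            'ide1:0.fileName = "win10.iso"\n')
        for name in ("DevVM-C.vmdk", "DevVM-E.vmdk", "DevVM-F.vmdk"):
            (vm / name).write_bytes(name.encode() * 100)   # stand-in disk contents
        dest = Path(tmp) / "backup" / "DevVM-2016-02-16"
        result = backup_vm(vm, dest)
        (dest / "DevVM-E.vmdk").write_bytes(b"bit rot")   # damage one copy
        result["damaged"] = verify_backup(dest)
        (vm / "DevVM-C.vmdk.lck").mkdir()                  # what a running VM looks like
        try:
            backup_vm(vm, dest)
            result["refused_running"] = False
        except RuntimeError:
            result["refused_running"] = True
        return result
```

The manifest is the piece most copy-the-VMDK routines are missing: `verify_backup` can be run against the external SSD or the offsite rotation months later, which is the check Arnor's remark about unreadable backups is really asking for. A restore test into a fresh VM remains the only proof that the image actually boots.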

NewsArchive
02-16-2016, 11:34 AM
Hi Friedrich,

> BTW, my test machines have "Nonpersistent" virtual drives. Changes to the
> disk are discarded when I power off the VM (clean machine). So I always have
> a "clean" machine to test updates or new features.
That's very interesting, not heard of this Persistent/NonPersistent
option before - I'll need to see if it's something that's available for
VirtualBox as it looks very useful.

Graham

NewsArchive
02-16-2016, 11:35 AM
Friedrich,

> To be on the safe side, I only back up "powered off" VMs.

Me too... great minds and all that!


> So I always have a "clean" machine to test updates or new features.

Not here... too much dust in my home!<g>

Lee White

NewsArchive
02-17-2016, 01:32 AM
> That's very interesting, not heard of this Persistent/NonPersistent
> option before - I'll need to see if it's something that's available for
> VirtualBox as it looks very useful.

Hi Graham,

In Virtualbox, be sure to have a snapshot of the VM where you test.

Then from the Virtualbox pulldown menu select the option to Power Off the
VM (instead of using the Windows Shutdown button) and make sure that the
"Restore Snapshot" box is checked.

That basically dumps the VM and restores it to where it was before you used
it for testing (it is very fast in this mode).


:-)

Charles



--
-------------------------------------------------------------------------------------------------------
Charles Edmonds

cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.clarionproseries.com - ProScan, ProImage, ProPath and other Clarion
developer tools!
www.solidsoftware.com - ImageEx and RichReport templates!
www.seal-soft.com - The xProduct Clarion templates - xWordCOM, xToolTip,
xDataBackup Manager and more!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

NewsArchive
02-17-2016, 02:58 AM
Hi Charles,

> That basically dumps the VM and restores it to where it was before you used
> it for testing (it is very fast in this mode).
That's great information, many thanks Charles.
Saved me a lot of searching around.

Graham

NewsArchive
02-19-2016, 12:01 PM
Quick update: this old Dell machine (M6300 Precision Mobile Workstation,
Intel Core 2 Duo T9300 2.5 GHz / 800 MHz FSB with 8 GB RAM), delivery date
June 26, 2008 (nearly 8 years ago), is running Windows 10 Professional now.
It automatically detected all devices. Amazing.

Friedrich

NewsArchive
02-19-2016, 12:02 PM
Hi Friedrich,

That's pretty good for an 8-year-old machine.

Computers must be like dogs, i.e. multiply their age by 12 to get the
equivalent in human terms - 96 years old, wow :-Z

Graham

NewsArchive
02-19-2016, 12:02 PM
Hi Friedrich,

> Quick update: this old Dell machine (M6300 Precision Mobile Workstation,
> Intel Core 2 Duo T9300 2.5 GHz / 800 MHz FSB with 8 GB RAM), delivery date
> June 26, 2008 (nearly 8 years ago), is running Windows 10 Professional now.
> It automatically detected all devices. Amazing.

The only problem I have had with Windows 10 was with a bad drive.
Windows 7 happily ignored it but Windows 10 was hacking on it all day
long until I unplugged it. Brought the computer to its knees. The
drive was completely dead, couldn't be formatted or anything, but
apparently W10 thought it could do something with it;) Everything else
has worked fine. It's also 8 years old - but I've replaced _everything_
in it at least once since then - as well as the box<bg> so I don't
think it counts.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC