ThreatSTOP and DNS Firewall block Cryptolocker

Stop extortion by cybercriminals using IP and Domain Name reputation.

ThreatSTOP has started blocking a new variety of malware called "cryptolocker" for our subscribers and those of our OEM partner Infoblox. Cryptolocker is a new and widely spreading form of "Ransomware" that encrypts files on an infected Windows computer and any networked file systems it has access to.

As noted by The Register and other places, there's a new cross-platform vulnerability out that installs via a piece of Java that does a check for "Windows or Mac" and then installs the malware suitable for the platform.

If you are a criminal and trying to steal things then breaking the law in other ways is unlikely to concern you. To me such a statement seems obvious, but apparently it isn’t – and I’m not just talking about cyber-criminals here.

On the Kaspersky SecureList blog there's an interesting post about recent developments for the SpyEye malware. The blogger explains how SpyEye supports a nice plugin architecture and how he examined an interesting new plugin that downloads a flash plugin for certain banking sites which can then switch on the victim's webcam and stream the data back to the crooks.

The Lookout Moble Security blog posted a story about some new Android based malware that seems to be set up as fake driver update. This drive by works the same way as classic ones do on Windows PCs (or Macs with Flashback malware) in that if an Android phone visits the infected website it is redirected a couple of times before ending up at a place where it tries to download a new "update" that users are tricked to install.

ThreatSTOP is spending the week up in San Francisco at RSA. We will be on the Vyatta booth, #452, showcasing our joint solution for the protection and centralized management of virtual and cloud firewalls.

I am please to announce a new release of the ThreatSTOP cloud service. With this release we are able to support subscribers whose public IP address changes from time to time. Typically these are subscribers to ADSL services where a new IP address is obtained whenever the ADSL link is reestablished but it may also apply to other internet connectivity types as well. We have added this capability by adding support for specifying a DNS name instead of an IP address when configuring a device. We expect the majority of subscribers to use a dynamic dns service such as dyndns.org or no-ip.com but any dns name can be entered, all that is necessary is that the dns record be updated promptly once the ip address has changed.

Just before the Christmas/New Year holidays, ThreatSTOP rolled out support for two new firewall types: the open source pfSense firewall and Cisco's IOS firewall running on its ISR platform.

This weekend we have put our new log-parsing and reporting code into production. The new code significantly increases our speed of log parsing (by about two orders of magnitude) and it provides a lot more help to help our users research what particular blocked threats were caused by. As product manager I am very pleased to say that it is a massive improvement over the previous stuff but, for our existing users, there are a couple of niggles.

This morning I saw various reports of a new type of Ransomware, masquerading as a fake Microsoft warning that your copy of windows is invalid. I had a quick check and was unsurprised to note that ThreatSTOP subscribers were already protected.