
Inside Cryptolocker Virus: How it Works

The Cryptolocker virus is a major issue. It spreads by email to inexperienced users, disguised as a harmless PDF, Microsoft Office document, or text file. Users need to be informed that these files are far from harmless: once opened, the virus begins encrypting files on network drives and then on the local computer. Once encryption has begun, there is no going back. An informed user can help prevent this virus from being opened and spread. This article explains how the virus works, in the hope that an educated end-user will avoid its traps.

To prevent the Cryptolocker virus from attacking your computer, you must first understand how it works. The virus has two parts: the delivery mechanism, and the payload that actually runs on your machine. The two parts work together to encrypt your documents, images, PDFs, and other data files.

Delivery Mechanism Breakdown:
The delivery mechanism used by the Cryptolocker virus is deceptive. Windows normally prompts the user before running a file that was downloaded from the internet, which gives you the chance to decline anything suspicious. However, if a file is created on the local machine (the computer you are using), Windows does not prompt before running it. So if a program the user already has and trusts creates the virus file, Windows asks for no confirmation: it treats the file as trusted material and lets it run without warning. Virus creators have used this to their advantage in building the Cryptolocker virus.

Virus creators use a Microsoft Office feature called macros, which lets users run VBA code (Visual Basic for Applications, the name of the programming language) inside an Office document. Although VBA is not very powerful on its own, it can call functions in the Windows API through a mechanism called Interop. Using Interop, the macro downloads the raw bytes that make up the virus. Because no file is being downloaded, firewalls never check the contents. In addition, the virus writer can alter these bytes by encrypting them differently each time, so no virus detector can match its signature, even if it wanted to.

Once these raw bytes are on the client machine, the VBA macro saves them to an EXE file. This makes the operating system believe the executable was created on that same machine, so it never prompts the user as it would for a download, and the virus sneaks its way onto your local machine.
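The delivery route above relies on a macro-enabled Office attachment reaching the user. As an added example (not code from the original post or from any product mentioned here), this is the attachment check a mail filter can apply: it looks inside the Office archive for an embedded VBA project instead of trusting the file extension, and routes legacy binary formats to deeper inspection. The sample documents are constructed in memory, and all names are hypothetical.

```python
import io
import zipfile

# Constructed example; names are hypothetical and not part of any product.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Office 97-2003 (.doc/.xls) container
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"  # declared in [Content_Types].xml

def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'legacy-ole' or 'clean' for one attachment body.
    Modern Office files are zip archives; a VBA project is stored as a
    vbaProject.bin part and declared in [Content_Types].xml. The archive
    itself is inspected, so a .docm renamed to .docx is still caught."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live in OLE streams that a zip walk
        # cannot see, so route it to deeper inspection instead of passing it.
        return "legacy-ole"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "clean"                 # not an Office container at all
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "macro"
        if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
            return "macro"             # VBA part present under a non-standard name
    return "clean"

def make_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-style zip from {part_name: bytes} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for part, content in parts.items():
            zf.writestr(part, content)
    return buf.getvalue()

DOC_MAIN = b'<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
VBA_DEFAULT = b'<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'

CLEAN_DOCX = make_ooxml({"[Content_Types].xml": b"<Types>" + DOC_MAIN + b"</Types>",
                         "word/document.xml": b"<w:document/>"})
# Macro-enabled document renamed to .docx: the VBA project is still inside.
MACRO_DOCX = make_ooxml({"[Content_Types].xml": b"<Types>" + VBA_DEFAULT + DOC_MAIN + b"</Types>",
                         "word/document.xml": b"<w:document/>",
                         "word/vbaProject.bin": b"\x01\x16\x01\x00 constructed placeholder bytes"})
# VBA part stored under an unusual name; only the content type gives it away.
RENAMED_MACRO = make_ooxml({"[Content_Types].xml": b"<Types>" + VBA_DEFAULT + b"</Types>",
                            "word/x.bin": b"constructed placeholder bytes"})
LEGACY_DOC = OLE_MAGIC + b"\x00" * 64   # header of a constructed legacy .doc
```

Attachments classified as "macro" or "legacy-ole" are the ones to quarantine or hand to a sandbox; "clean" only means no VBA container was found, not that the file is safe.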

Payload Breakdown:

Once the delivery mechanism has successfully brought the virus onto the victim's computer and executed it, the payload first goes after network drives. A network drive is a storage device on a local area network (LAN) within a business or home, so the attack affects more than one user. User files are typically encrypted with 256-bit AES encryption. Getting anything back after this type of attack is nearly impossible.

Now that we have broken down the parts of the Cryptolocker virus and how it attacks your local machine, you can use this knowledge to protect your computer. As mentioned earlier, once this virus is downloaded, getting anything back is next to impossible, so it is important to take as many protective steps as possible.

Another way to protect your computer from such a virus is to use an anti-spam messaging system such as Xeams, software from Synametrics Technologies. Xeams filters email to separate spam from legitimate messages. To find out more about Xeams and how it can help protect your computer from the Cryptolocker virus, call us or visit our website.

Phone: +1609-750-0007

Created on: 4/20/16 11:13 AM
Last updated on: 4/20/16 11:19 AM

