CryptoWall 3.0 virus on your site/ads ???

This topic is locked from further discussion.

#1  Edited By brownj00
Member since 2002 • 25 Posts

Hi guys, I've been in IT 25 years (L3 engineer at HP for the past 15), so please don't blow this off. No, that doesn't mean I know everything; I'm very well aware of it, but my point is that I'm not prone to stupid rookie mistakes. This isn't my specific area of expertise, however, so I'm entirely open to new data (can't troubleshoot problems otherwise, right?). Sorry, I'm looking for the fastest way to alert you guys... I know this may not be the best method.

I was on your site when I was attacked by CryptoWall 3.0 (not CryptoLocker). It's well-known ransomware. I suspect it was via your ads (the common vector). I hope you are aware of the problem, or at least the danger. This isn't new. I caught it before it got any sensitive data, but 400+ files were lost and I am having to clean up. Thanks. :(

I have some idea that you can't control the ad content... but you should be monitoring your 3rd party content, etc. to protect your user community. You guys really need to take care of this; you don't need to have your reputation tarnished in the news, besides the obvious concern about having your customers' PCs trashed. I've been a subscriber for many years and now I am afraid to come to the site. Not cool.

Best of luck, let me know if there are any questions if I can assist.

#2 brownj00
Member since 2002 • 25 Posts

BTW, since even your help pages and forums are loaded with ads... I'm not hanging out here to watch for replies. I'll be back after I've installed CryptoPrevent or other local security policy controls to prevent a re-attack.

#3 digitaldame
Member since 2006 • 5401 Posts

@brownj00: Hi there, I've alerted the dev team to this issue. Hopefully, one of them will step in with some insight regarding this situation.

#4 wemmick
Member since 2013 • 372 Posts

@brownj00: Do you happen to remember what the ads were for at the time that you saw the CryptoWall infection? And can you explain exactly what you saw, and when? It's obviously a tough thing to narrow down when we deal with ad networks that rotate thousands of ads in and out, but we'll try our best. I'll also talk to our ad team and see what they can do to track this down.

#5  Edited By rick
Member since 2013 • 913 Posts

This targets out-of-date systems. If you're running with all the latest patches, you would be safe from this.

http://blogs.technet.com/b/mmpc/archive/2015/01/13/crowti-update-cryptowall-3-0.aspx

So, yeah, we're definitely looking into this with all seriousness, but it's best to keep your Windows machine up to date, or it's not safe to connect it to the internet.

#6 brownj00
Member since 2002 • 25 Posts

@edgework: Hi, indeed patching is good guidance, and I second that for all users. Unfortunately, it is not safe to connect to the internet even if you are 100% patched and updated.

As I have worked on security, firewalls, and website apps for Fortune 500 clients for a long time, I am aware of the concern in spades. Users need to update OS patches, browsers, code platforms (such as Java, .NET, ActiveX, Flash, Shockwave, Silverlight, etc.) and all plug-ins. Not all of those have auto-update agents, so people need to stay on top of it. All the time; even monthly can be too slow, but we can't expect users to handle this on a daily basis. However, even when all components are current on patches, there are still vulnerabilities.

So that's all good. However, "blaming the user" is not what anybody wants to hear from a reputable site when this happens.

#7 brownj00
Member since 2002 • 25 Posts

Sorry guys, I did not notice which ads were up when my anti-virus started screaming at me. I had just opened a second tab that I wasn't looking at. I think it was the article on the DA:I patch. I had 1-2 other tabs open, but there were no ads on those and they had been on the same page for many hours.

As soon as my corporate AV alerted me, it was clear something was running amok... I killed the browser with Alt-F4 and brought up Process Monitor to see which thread was writing to my hard drive, found it, and killed that process. That made it hard to see what was on-screen. In about 15-20 seconds it ate 400 files. If there is a cookie or something that may give any other details, I'm glad to check. I can show the URLs, but I think that doesn't help.

If I see it happen again I can try and grab a screen shot. If there is anything else I can check on the client side let me know via email. Thanks.

#8  Edited By rick
Member since 2013 • 913 Posts

@brownj00: Sorry if I sounded like I was blaming the user; I'm not. I'm just making sure that your report doesn't get people unnecessarily riled up about what is not a zero-day and had been patched already. These drive-by downloads attack REALLY old vulnerabilities in the first place, and MS has blocked CryptoWall even in the case when Java, browser etc. are way out of date. If a user purposely (and it is an intentional thing) disables updates, then when they're infected with what is not a zero-day, whose fault is it?

I take this VERY seriously. We do monitor this stuff at many levels. Recently, when we saw the mere potential of a zero-day exploit from our ad network, I pulled the whole site down rather than potentially infect users. I'm not doubting you encountered this, but it's also very possible some other source was the point of infection. CBSi had a bunch of people on this and we found nothing.

#9  Edited By brownj00
Member since 2002 • 25 Posts

@edgework: Ok, thanks. I'm glad to hear you guys have done due diligence and more. Your response sounds like everything your users would hope for, which is much appreciated. I don't want to waste your time, but balance that with wanting to alert you as quickly as possible in the event you have an issue that might impact everyone.

I've got a VM client sandbox with a barely patched browser for testing, visiting the same sites I had up yesterday. No incidents yet, which is not surprising due to rotating ads. If I do see anything useful I will have more data next time.

I also had one of the dictionary sites open in the background, and yeah, I see it has plenty of ads too. It could have rotated an ad without me seeing that when I was looking at GS. Just Wikipedia otherwise. So I want to be clear that it is certainly possible it was not your ad feeds, and that stuff is 3rd party content from other providers.

#10  Edited By brownj00
Member since 2002 • 25 Posts

For any other users, a helpful note: to help reduce your risk, check out this tool. Very helpful for users to keep their stuff updated. It checks your browser, Java, Flash, Adobe, Silverlight, etc. in one step. There are similar utilities, but this works for any browser and checks more than just plug-ins, is completely free, etc.

From http://krebsonsecurity.com/2011/03/test-your-browsers-patch-status/ (reputable source)

https://browsercheck.qualys.com/ (reputable security company)

#11  Edited By tsunami2311
Member since 2003 • 1798 Posts

@brownj00:

This is why I refuse to disable ABP just to have a better chance of links on the site actually working. Ads are dangerous these days, even if they're old exploits.

Which is why ABP and other ad block extensions are used, other than that ads can be annoying.