WARNING: Windows Malware, Mac Damage

Discussion in 'macOS Virtual Machine' started by Rob970, Dec 9, 2013.

  1. Rob970

    Rob970 Bit poster

    Messages:
    1
Last week one of my clients contracted CryptoLocker in their Windows VM.

    The malware entered via an attachment in Apple Mail as a ZIP archive that contained a Windows executable (.exe). Long story short, it got double-clicked and proceeded to encrypt the documents on their server's shared drive, which was mounted on the Mac side of the computer and shared via the Parallels Shared Folders.

    We had solid backups, so we deleted the infected VM and restored from backup, but many of their files were encrypted by the malware and hence unusable.

    This was a first for me: damage to Macintosh files from the virtual machine. Since then I have limited which folders can be accessed by the virtual machine and turned off coherence mode. I welcome other suggestions.

    Rob
     
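    The post above describes the damage (documents on the mounted share overwritten in place) but not how to tell, before restoring, which files the VM actually reached. The following is an added example, not code from the original thread, from Parallels or from the poster: a small triage script to run on the Mac side over the formerly shared folder. It flags files whose header no longer matches their extension and whose content is near-random (ciphertext sits close to 8.0 bits of entropy per byte). The magic-byte table, the 7.5 bits/byte cutoff and the sample files it builds are assumptions of this example, constructed here for the demo rather than taken from the client's data.

```python
import math
import os
import tempfile
from collections import Counter

# Magic bytes per extension. Illustrative table (an assumption of this example);
# extend it for the document types actually kept on the share.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}
ENTROPY_THRESHOLD = 7.5   # bits/byte; assumed cutoff, ciphertext sits close to 8.0
SAMPLE_BYTES = 64 * 1024  # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: str):
    """Return (flagged, entropy, reason) for one file.

    A file whose header no longer matches its extension is the strong signal:
    the malware overwrites the content in place, so invoice.pdf stops starting
    with %PDF. Files with an unknown extension are judged on entropy alone,
    which also catches legitimately compressed or encrypted data, so treat
    those hits as 'review', not 'restore'.
    """
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    entropy = shannon_entropy(head)
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    if expected is not None:
        if head.startswith(expected):
            return False, entropy, "header ok"
        return entropy > ENTROPY_THRESHOLD, entropy, "header mismatch"
    return entropy > ENTROPY_THRESHOLD, entropy, "entropy only (unknown type)"


def scan(root: str):
    """Walk `root` and return sorted [(relative_path, entropy, reason)] for flagged files."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            hit, entropy, reason = classify(full)
            if hit:
                flagged.append((os.path.relpath(full, root), round(entropy, 2), reason))
    return sorted(flagged)


def build_constructed_sample(root: str) -> None:
    """Write a constructed sample tree (not real client data) to exercise scan()."""
    text = b"Quarterly figures attached, please review before Friday.\n" * 100
    # bytes(range(256)) repeated has exactly 8.0 bits/byte: a deterministic
    # stand-in for ciphertext, so the demo does not depend on a random source.
    ciphertext = bytes(range(256)) * 16
    files = {
        "notes.txt": text,                   # plain text, untouched
        "report.pdf": b"%PDF-1.4\n" + text,  # header intact, untouched
        "invoice.pdf": ciphertext,           # overwritten in place by the malware
        "sub/blob.bin": ciphertext,          # unknown type, high entropy: review
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


def demo():
    """Run the triage over the constructed sample and return the flagged list."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_sample(root)
        return scan(root)


if __name__ == "__main__":
    import sys
    # Usage: python triage.py /path/to/shared/folder   (no argument runs the demo)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for rel, entropy, reason in (scan(target) if target else demo()):
        print(f"{entropy:5.2f}  {reason:28s} {rel}")
```

    Run it against the share before restoring and restore only what it flags as "header mismatch"; the "entropy only" hits need a human look, since a legitimate archive or already-encrypted file scores the same. It reads only the first 64 KiB of each file, so it is cheap to run over a large tree.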
  2. Specimen

    Specimen Product Expert

    Messages:
    3,242
    Suggestions? Use an AntiVirus on Windows, optionally on OS X too.
    Why isn't the mail server actively running an antivirus? Nowadays even free webmail services like Gmail scan all attachments for malware; this is so prevalent that the bad guys are sending links to the malware now instead of attaching it, but maybe that's actually how you got the virus over there.

    Also, maybe Windows opened the file because you have Application Sharing turned on: because the file actually has an .exe extension, it opened in Windows. I suggest turning off Application Sharing.

    Additionally: http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware/
     
    Last edited: Dec 9, 2013
  3. Techhead156

    Techhead156 Hunter

    Messages:
    130
    OK, first of all you're safe on Mac; Macs can't read these types of files anyway.

    Scanning your Windows stuff from Mac is a good idea too. In future, you may want to try these:

    http://anonym.to/?http://download.bitdefender.com/removal_tools/BDAntiCryptoLocker_Release.exe

    http://www.foolishit.com/vb6-projects/cryptoprevent/

    or just keep the VM as "isolated", and/or just be vigilant :)

    The warning that a zip file was received in Apple Mail, or any email program, should in itself set off alarm bells. I would be asking "Where did it come from?", "Who sent it?" and "Is it something I'm expecting?"

    Usually you can actually pay the ransom in bitcoins, and they WILL decrypt the files. So, I would actually say it's legit, because they are not trying to fool you. They are giving you what you asked for. That is, your files.

    However, since you have a backup, that would be easier, just hope you have more than one copy....

    Whichever direction you look, it all starts with the user who opened the attachment in the first place.
     
    Last edited: Dec 25, 2013