Housing Portal Virus
Posted by onelittlemoment

Just a word to all of those out there who (like me) are constantly on the Housing Portal attempting to get a better room.

I was on last Tuesday hitting F5 on my work computer over my lunch hour. Sometime over that hour, my computer got a virus. It copied and deleted all of the files on my computer. Then it added a file to my system telling me to call some number to recover my data. They were essentially holding my files 'hostage'.
My antivirus programs (Windows Defender and Malware Bytes) were both up to date and run immediately upon discovering the issue. The virus still slipped through them as well as my company firewall. The virus was traced back to the Housing Portal.
The subsequent damage to my work computer and the common drive of company data took our outside IT company about 10 hours and several hundred dollars to recover the data from a previous backup and purge the virus from my computer, as well as several other computers.

Just a word to the wise, if you're going to F5 the housing portal, I would recommend doing so on a computer that isn't networked to anything you don't mind losing. Just in case.

Posted by marimaccadmin

I really don't think this is the housing portal, as we've had people doing the same thing as you are with no other complaints, but I will pass it on.

Posted by roundtop

That virus family is called Crypto-Ransomware, and cannot be obtained by refreshing a site like the housing portal. There are relatively few drive-by installation viruses these days. Most you have to click on a link or popup to enter your system, or they rely on dynamic JavaScript content on older browsers.

This particular virus is hard (if not impossible) to trace, as it begins as a trojan that is a downloader, which then pulls the virus off another compromised system on the internet (effectively a command and control node), then sets about encrypting all your document files. As it does this, it connects to another web server (command and control) and sends it the encryption/decryption keys (or in some cases only downloads the encryption keys).

So yeah, it sucks. Not much you can really do, but it is doubtful that the housing portal had it.

Note: Windows Defender is an on-demand only scan, not on-access, and Malwarebytes can be an on-demand only scanner (there is an on-access version too). So did you have Active AV protection including web scanning?

Disclaimer: I work for another AV Security company, which is how I know how this operates.

Posted by aldctjoc

Defender on Windows 8, 8.1, and 10 should have real-time detection capabilities. I admit, I do prefer other products, but the point is that Defender for Win 8 and above is not really the same beast it was in the past and shouldn't be a works-on-demand-only program. That said, I don't argue when other applications get recommended since I'd rather use something different myself.


Anyway, crypto-ransomware: I agree with roundtop - I don't see this being delivered from the housing portal. Most ransomware variants work from links in malicious emails, some work via ad injection (which wouldn't really come from the page you're visiting, but rather "injected" into a displayed ad... I don't see this being the case with the housing portal, BTW), and there are yet others out there that anyone can read up on. I don't know if I'd dismiss drive-by download attacks based on diminishing prevalence - it's not like that attack method has vanished yet - but at the same time, like roundtop, I'm not ready to accept that it's the case here, not without evidence from the page hosting side at least. In my mind it's more likely that this was simply a time-delayed onset infection, since that is actually a feature found in some of these malware packages (Locker, for example. Or for Mac OS, KeRanger). 

I can't rule out a housing portal compromise, but I'd be surprised if that ended up being the case. Even if it was, why a ransomware attack? Why choose that when these attackers successfully compromised a site where they can collect much personally identifiable information - and if an attacker plays their cards right, credit card info - in a way that wouldn't be immediately obvious to the user? Granted, that's easier said than done; for credit cards, PCI DSS may not be perfect, but it is an obstacle that can confound thieves unless they're well versed in attacking payment card systems. Plus, gathering stolen data, whether it includes payment card info or not, doesn't automatically mean you can exfiltrate it without attracting notice. But again, sticking cryptolocker there is sort of like breaking into a bank, then refusing to go after the money in the vault, and instead choosing to slap new passwords on everyone's account so you could demand ransoms for them. You've gotten yourself into the middle of a larger score and you settle for that.

Well, anyway, my 2 cents. 

Posted by brotherbock

Not in the industry, but I don't see why refreshing would do anything that simply accessing the site in the first place wouldn't do. 

Posted by marimaccadmin

BTW, we did look into this and found no evidence of a virus on the site, so it appears you picked it up somewhere else, sorry.
