Endpoint Protection

  • 1.  Kovter Ransomware

    Posted May 26, 2014 10:38 AM

    Greetings,

    I read about a rather nasty variant of Cryptolocker called Kovter and have two questions with regard to SEP coverage.

    1. Does SEP have any definitions for this strain?

    2. If so, what is the Symantec-name of the threat?


    http://datasecurityblog.wordpress.com/2014/05/25/cyberattack-puts-child-porn-on-your-computer-how-do-you-respond/

    https://blog.damballa.com/archives/2430


    Kind Regards,

    Chad



  • 2.  RE: Kovter Ransomware

    Posted May 27, 2014 11:55 AM

    Symantec has various AV detections and IPS signatures for it.

    http://www.symantec.com/security_response/writeup.jsp?docid=2014-032622-1552-99

    All IPS sigs here:

    http://www.symantec.com/security_response/attacksignatures/

    Start with trojan.crypto for a search.



  • 3.  RE: Kovter Ransomware

    Posted May 28, 2014 03:14 AM

    Thank you for the references, but I was curious specifically about the Kovter variant.  I am familiar with the other crypto* signatures and wanted to know if Symantec lumped everything together into a generic category or had something a little more specific.  If nothing else, what does Symantec call Kovter?



  • 4.  RE: Kovter Ransomware

    Posted May 28, 2014 04:04 AM

    Have you had a rummage around VirusTotal yet?  The name Kovter appears to have been around for about a year now on their site, and states Symantec either has sigs for it or marks it down as simply "Trojan Horse" or "Trojan.Ransomlock".

    I can't see any full writeups on it as yet.



  • 5.  RE: Kovter Ransomware

    Trusted Advisor
    Posted May 28, 2014 08:19 AM

    Kovter is a variant of the various Trojan.ADH.X detections; Symantec detects the majority of variants of this.

    http://www.symantec.com/security_response/writeup.jsp?docid=2013-090515-0609-99

    One example of the variant is:

    Microsoft: Trojan:Win32/Kovter.B (20131217)
    Symantec: Trojan.ADH.2 (20131217)

    VirusTotal:

    https://www.virustotal.com/en/file/18958ca9f4a8b0f1335368383abc1cae21b38e27824f401d109a543fa63df80c/analysis/



  • 6.  RE: Kovter Ransomware

    Posted May 28, 2014 09:50 AM

    I'd take this with a pinch of salt, as the Symantec link shows the defs have not been updated since 2012, whereas the file hash was registered on Virustotal in 2013, with many later ones.

    As VirusTotal says the latest "kovter" related hash reported to them (4 months ago) was marked with the generic term "Trojan Horse", all you can do at this time is ensure everything is up-to-date, and make sure you have IPS and SONAR installed and running.

    If you have a suspicious file, then get Symantec to analyse it.  Otherwise (depending on your appetite for risk), you could look into the more stringent preventative measures like System Lockdown or Application and Device Control hardening.  More info on both below:

    http://www.symantec.com/docs/HOWTO27322
    http://www.symantec.com/docs/TECH132337
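The last two replies both hinge on the same check: looking across several VirusTotal reports for a family and asking whether a given engine names the family specifically (e.g. Trojan:Win32/Kovter.B), detects it under a generic label ("Trojan Horse"), or misses it, and whether the most recent sample is still only caught generically. The script below is an added example written for this thread, not code from the forum or from Symantec. The report layout (a hash, a scan date, and an engine-to-verdict map) is a constructed simplification, not the real VirusTotal API schema; the Microsoft and Symantec verdicts for the first hash are the ones quoted in the thread, and the second report, its hash, and the `ExampleAV` engine are constructed placeholders.

```python
"""Summarise per-engine detection names across VirusTotal-style reports.

Added example for the thread above; the report shape is a constructed
simplification and is NOT the real VirusTotal API format.
"""
from __future__ import annotations

# Labels that carry no family information. "Trojan Horse" is the generic
# name mentioned in the thread; the others are constructed examples.
GENERIC_NAMES = {"Trojan Horse", "Malware", "Suspicious File"}

# Constructed sample data. The first report mirrors the detection names
# quoted in the thread; the second (PLACEHOLDER_HASH) is entirely constructed
# to model the "latest sample is only flagged generically" observation.
SAMPLE_REPORTS = [
    {
        "sha256": "18958ca9f4a8b0f1335368383abc1cae21b38e27824f401d109a543fa63df80c",
        "scan_date": "2013-12-17",
        "scans": {
            "Microsoft": {"result": "Trojan:Win32/Kovter.B"},
            "Symantec": {"result": "Trojan.ADH.2"},
            "ExampleAV": {"result": None},            # constructed: no detection
        },
    },
    {
        "sha256": "PLACEHOLDER_HASH_FOR_LATER_SAMPLE",  # constructed placeholder
        "scan_date": "2014-01-20",
        "scans": {
            "Microsoft": {"result": "Trojan:Win32/Kovter.C"},  # constructed
            "Symantec": {"result": "Trojan Horse"},
            "ExampleAV": {"result": "Suspicious File"},        # constructed
        },
    },
]


def classify(result: str | None, family: str) -> str:
    """Bucket one engine verdict: 'none', 'generic', 'family' or 'specific'."""
    if not result:
        return "none"
    if result in GENERIC_NAMES:
        return "generic"
    if family.lower() in result.lower():
        return "family"          # engine uses the family name itself
    return "specific"            # a specific, non-generic name of its own


def engine_history(reports: list[dict], engine: str, family: str) -> list[tuple[str, str, str]]:
    """Chronological (scan_date, verdict, category) list for one engine."""
    ordered = sorted(reports, key=lambda r: r["scan_date"])
    rows = []
    for rep in ordered:
        verdict = rep["scans"].get(engine, {}).get("result")
        rows.append((rep["scan_date"], verdict or "-", classify(verdict, family)))
    return rows


def coverage_summary(reports: list[dict], family: str) -> dict[str, dict[str, str | int]]:
    """Per engine: how many samples were detected, how many by family name,
    and the category assigned to the most recent sample."""
    engines = sorted({e for rep in reports for e in rep["scans"]})
    summary = {}
    for engine in engines:
        hist = engine_history(reports, engine, family)
        summary[engine] = {
            "samples": len(hist),
            "detected": sum(cat != "none" for _, _, cat in hist),
            "family_named": sum(cat == "family" for _, _, cat in hist),
            "latest": hist[-1][2],
        }
    return summary


def engines_to_watch(reports: list[dict], family: str) -> list[str]:
    """Engines whose most recent verdict is generic or missing: these are the
    ones where a local sample should be submitted to the vendor."""
    summ = coverage_summary(reports, family)
    return [e for e, s in summ.items() if s["latest"] in ("generic", "none")]


if __name__ == "__main__":
    for engine, stats in coverage_summary(SAMPLE_REPORTS, "kovter").items():
        print(f"{engine:10} {stats}")
    print("submit samples to:", engines_to_watch(SAMPLE_REPORTS, "kovter"))
```

Run against a real export, the `latest` field is the one to act on: an engine whose newest verdict is generic is exactly the case the thread describes, where the right move is to submit the sample rather than assume family-level coverage.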



  • 7.  RE: Kovter Ransomware

    Posted May 28, 2014 11:37 AM

    Hi Chad,

    It's not possible to say without knowing which exact MD5 you mean.

    Definitely do submit any files to Security Response, if you are encountering this.

    Symantec Insider Tip: Successful Submissions!
    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

    Also, ensure that all defenses are up-to-date and your organization is prepared for any sort of disaster.


    Symantec Endpoint Protection – Best Practices
    http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

    The Day After: Necessary Steps after a Virus Outbreak
    https://www-secure.symantec.com/connect/articles/day-after-necessary-steps-after-virus-outbreak