• Category Archives Virus Threats
  • New emerging viruses and spyware loose in the net and identification of diffrent type of malware

  • Using DNS to weaken Locky ransomware threat

    Ransomware and other cyberthreats often go unseen by traditional detection methods like antivirus, deep packet inspection (DPI) or sandboxing. In fact, a report by Lastline Labs indicates that 51% of zero-day malware—threats that strike before developers have time to release a patch—is undetected by anti-virus solutions. So what can security professionals do to stop attacks? The answer lies, in part, in DNS.

    One of the most powerful ransomware threats currently targeting individuals and organizations is Locky, which infects up to 100,000 devices per day, of which 3% submit payments. Cybersecurity experts estimate that Locky possesses 17% of the entire global market share for all ransomware infections.

    First, let’s look at a few statistics that demonstrate the power and expense of Locky:

    Locky is typically delivered through aggressive spam campaigns, often claiming to be an invoice. Despite the known dangers of clicking on links in unknown emails, Locky is so sly it entices even trained IT staff to click on obscure messages and activate downloads.

    Once a download has completed, Locky connects with its Command & Control (C&C) server to get a cryptographic key to use for encryption. There are three known mechanisms for Locky to reach its C&C hosts:

    1. Direct IP communication
    2. A number of fixed domains
    3. A time-based Domain Generation Algorithm (DGA) that creates a set of random-looking domains that are only valid for a few days

    Here is where DNS can play a role. DNS data can be analyzed to identify C&C connection mechanisms. When these communications are blocked, Locky’s ability to obtain encryption keys is limited, giving infected users a better chance of being protected.

    Unfortunately, the DGA used by Locky to generate domains and get encryption keys is marked with the current time period combined with a secret seed, making it harder to block new domains quickly. Locky changes seeds frequently, and reverse engineering current versions of the malware to discover each new seed takes time. Every new seed indicates another wave in the life of the exploit, so until there is an accurate way to identify traffic associated with Locky, it can’t be permanently blocked.

    But examination of a worldwide feed of anonymized DNS queries, along with anomaly detection and correlation technology, makes it possible to identify suspected domains used by Locky to download encryption keys in real time. ForcePoint is one company that has done some work to reverse engineer the DGA used by Locky. By using the existing DGA and conducting some additional processing of suspect domains, it is possible to determine new seeds used by Locky, thereby enumerating all future new domains Locky will use.

    Below is a sampling of more recent domains created by Locky as detected by our DNS algorithms:

    • mrjuvawlwa[.]xyz
    • uydvrqwgg[.]su
    • uwiyklntlxpxj[.]work
    • owvtbqledaraqq[.]su
    • udfaexci[.]ru
    • eabfhwl[.]ru
    • olyedawaki[.]pl
    • uxwfukfqxhydqawmf[.]su
    • ikdcjjcyjtpsc[.]work
    • wrbwtvcv[.]su
    • osxbymbjwuotd[.]click
    • qtuanjdpx[.]info

    As Locky and other types of ransomware become more adept at avoiding detection and remediation, new strategies need to be used to combat them. Many of the new cyberthreat strategies make traditional malware block lists less effective. Facing DGAs with fast-changing seeds, security researchers must constantly identify the new seeds used by each wave of phishing to pre-generate domains. Once new seeds are released the old ones immediately become obsolete.

    By utilizing a broad set of DNS query data, it is possible to detect and track the evolution of generated domains through a variety of algorithmic methods such as clustering, reputation scoring, reverse engineering and additional methods that continuously evolve. Recent innovations include anomaly detection algorithms, new domain clustering and a Domain Reputation System that resulted in almost 100,000 domains and C&Cs provisioned daily for blocking.

    By employing these advanced methods, suspicious domains can be detected with a high level of accuracy very quickly, and false positives can also be weeded out so good traffic can still reach legitimate sites. Currently, this is the best defense against Locky. Service providers and companies can use this technique to protect their online users from having their files encrypted, and identify machines that have been infected.

    Locky provides ample evidence that attackers are continuously innovating. Staying one step ahead requires cybersecurity expertise and real-time processing of massive, worldwide data sets to uncover malicious activity. Blocking traffic to these domains is a good way to avoid the threat of Locky, and expert security teams that take the right steps to understand its behavior and put appropriate measures in place to protect would-be victims will render cyberthreats much less effective.


  • New Spam Campaign Distributes Locky Ransomware and Kovter Trojan Combined

    Criminals have taken a liking to the idea of combining multiple types of malware into one distribution campaign. Malware Protection Center researchers discovered a string of email messages using malicious attachments to spread both Locky ransomware and the Kovter Trojan. It is not the first time these two types of malware are distributed in the same campaign, as dual-pronged spam campaigns have become more common as of late.

    This morning we noticed the start of a campaign using  New notice to Appear in Court as the email subject. The attachments are identical to the Typical .JS, .WSF, .lnk file inside a double zip. All the sites seen so far today are the same sites used in the USPS, FedEx, UPS current campaigns.  I am sure that both campaigns will continue side by side. It is very likely that different “affiliates” are using the same distribution network, but each one prefers a different email lure to gain victims.

    The attachments all start with a zip named along the lines of Notice_00790613.zip which contain another zip Notice_00790613.doc.zip which in turn contains Notice_00790613.doc.js

    Criminals Step Up Malware Distribution

    It is rather disconcerting to learn opening a malicious email attachment can introduce two different types of malware at the same time. As if the Locky ransomware is not annoying to deal with on its own, computer users will also be affected by the Kovter Trojan. This latter piece of malware specialized in click fraud, generating a lot of illegal advertisement revenue for criminals.

    Through a malicious email attachment, criminals execute a script that contains links to multiple domains where the malware types are downloaded from. By making the attachment a .Ink file, the recipient may click it and have the payload download executed in the background. PowerShell scripts have become a fan favorite among criminals targeting Windows users these days, that much is certain.

    Researchers discovered a total of five hardcoded domains in the script from where the malware can be downloaded. Both the Locky ransomware and Kovter Trojan payloads are hosted on these platforms, and it is expected more of these domains will continue to pop up over time. Although law enforcement agencies can take down these domains rather easily, criminals will not hesitate to create additional hosting solutions over time.

    As one would expect from these spam email campaigns, the message in question is a fake receipt for a spoofed USPS delivery email. In the attached zip file, there is the malicious .Ink file , which initiates the PowerShell script once opened. One interesting aspect about this script is how it checks if the file is downloaded successfully and if is at least 10KB in size. Once that has been verified, it will stop the process automatically.

    Microsoft researchers feel the use of multiple domain names to download the payload from is a powerful obfuscation technique. Blacklisting one specific URL is a lot easier than dealing with a handful of different domains. Moreover, this method seems to hint at how criminals can easily add more servers to download the malicious payloads from if they want to. A very troublesome development, to say the least.

    Perhaps the most worrisome aspect of this new malware distribution campaign is how criminals continue to update the payloads themselves. Both Kovter and Locky receive regular updates, which means the development of ransomware and click-fraud Trojans is still going on behind the scenes. Moreover, it goes to show criminals will continue to rely on multi-pronged distribution campaigns for malware and ransomware moving forward.


  • Proteus botnet Malware with Remote Access

     

    The Proteus botnet emerged toward the end of November 2016.  Only a few samples of it were found in the wild and, at the moment, it doesn’t seem to have a widespread campaign.  So, what does it do? It launches a multi-layered attack on an infected machine where it runs several processes aimed at coin mining, credential theft, and keylogging.  In addition, the bot can perform on its own; it offers the cybercriminal to send commands over HTTP to download malicious executables and execute them.

     

    In some samples, the botnet disguises itself as a Google Chrome executable. The functionality of the botnet is highly reliant on its C&C (command and control) server, hxxp://proteus-network[.]biz or hxxp://proteus-network[.]ml (the latter is inaccessible). The URL is hardcoded in the sample and is contacted multiple times to obtain necessary credentials for the tasks the botnet performs. The host name also appears in Pastebin, under the URL hxxp://pastebin[.]com/raw/LidbEiiR, in its encrypted form, and the botnet can retrieve the domain from there as well.

     

    The botnet starts by identifying the infected machine and obtaining the operating system’s info (whether 64 or 86 bit), the machine’s name, and the Windows version. All of the information is sent to the C&C to “register” the machine.

     

    After the machine is acknowledged by the C&C, the botnet proceeds to perform different tasks. As the botnet contacts the C&C to receive various pieces of information, the web requests are sent along with an encrypted string specifying the purpose of the request. These encrypted strings perform the following functions:

     

    • api/register – Register the infected machine
    • api/ping – Check if the machine is already registered
    • api/module – Check the mining module
    • api/proxy – Use reverse proxy
    • api/command – Receive commands from the C&C
    • api/account – Receive an account from the C&C
    • api/log – Handle the key logging document

     

    The header section of the HTTP requests is similar throughout the different sections of the source code:

    Content-type: application-json

    Authorization: {2D592824-48DE-49F8-8F96-A40B3904C794}

     

    When contacting the C&C, a POST request is sent with one of the above modes appended to the domain’s name, for example, hxxp://proteus-network.biz/api/log. The C&C sends a response to this request, which is then parsed by the botnet in search for the C&C’s reply.

     

    CheckerTask:

     

    The CheckerTask starts by contacting the C&C with the api/account string appended to the domain’s name. After sending a POST request, it receives a four-tuple composed of an account ID, an e-mail, a password, and the account type. The botnet attempts to access and steal the user’s credentials from a number of online websites, including:

     

    • eBay.com
    • otto.de
    • amazon.de
    • breuninger.com
    • dhl.de
    • netflix.com
    • coderbay.net
    • zalando.de

     

    The majority of these websites are German-based and the botnet searches for German words appearing in the responses. This leads us to believe this specific sample of Proteus targets are German victims. For example, if the message received from the website includes the phrase “stimmen nicht mit den bei uns hinterlegten Daten”, which means, “This does not match the data provided by us”. The botnet attempts to change the password’s first character from lower case to upper case or to append the character “1” to the end of the password and tries to log in again after three seconds. The response from the website is then checked to harvest more information about the victim, including name, address, country, bought and sold items, seller type and the last feedback received.

     

    Some of the websites which the CheckerTask tries to steal the credentials from may include a Captcha to prevent such automated logins. The Proteus botnet uses Death by Captcha (DBC), an API which solves any given Captcha and turns it into a text that the botnet can insert into the website, and proceeds with the login. Using DBC requires a username and a password, which are both hardcoded into the sample to enable Captcha analysis. We have managed to access the DBC account used in the sample, and found that it resolved 200 Captchas so far, which could hint to the number of successfully infected machines.

     

    LoggerTask:

     

    This task performs key logging on the infected machine. It starts by initializing a list of all the keyboard keys, and stores the logged keys into a file called tmpV213.txt found under the TEMP directory. When this file includes more than 250 characters, it is cleared and its content is sent to the C&C along with the api/log string.

     

    CommandsTask:

     

    This task receives commands from the C&C. The botnet sends a request to the C&C with the fingerprint and the api/command string. If the C&C sends a command to download a file, a new directory is created in the TEMP folder using a GUID, and a file called temp.exe is created in that directory. Alternatively, if the command is to “kill”, the process is killed. The task checks for new commands every two minutes.

     

    MiningTask, EMiningTask:

     

    The C&C determines the type of mining which the infected machine attempts, as well as the mining pool it will join. The EminingTask downloads an executable to the TEMP directory with the name loader.exe. The types of mining that appear in the sample are CPU, Zcash, Scrypt, and SHA256. During the mining task, and depending on the chosen type, the resources of the infected machine, such as the memory, CPU, and RAM, are used to provide the computing power necessary to produce the hashes accepted as a proof of work by each method. Even using a pool instead of individual mining, CPU usage soared rapidly and reached 100% in our labs when we ran the sample, which shows the processing power needed for the mining tasks.

     

    Conclusion:

     

    To summarize, the botnet conducts a complex attack: it infects a machine, steals credentials, logs keys and mines for currency, causing CPU level to reach 100%. Although the botnet has many of the crucial implementation tools needed for its attack, it heavily depends on communication with its C&C server and the information it transmits for the execution of its most basic functions.


  • Ransomeware Decrypters Available Decryption Service – Decryptor Download Decrypt Files

    New version of ODCODCDecoder Released Download Decrypter

    BloodDolly has released a new version of his ODCODC Ransomwaredecryptor. The decryptor can be downloaded from.

    Emsisoft Decrypter for Marlboro Download Decrypter

    The Marlboro ransomware was first seen on January 11th, 2017. It is written in C++ and uses a simple XOR-based encryption algorithm. Encrypted files are renamed to “.oops”. The ransom note is stored inside a file named “_HELP_Recover_Files_.html” and includes no further point of contact.

    Due to a bug in the malware’s code, the malware will truncate up to the last 7 bytes from files it encrypts. It is, unfortunately, impossible for the decrypter to reconstruct these bytes.

    To use the decrypter, you will require an encrypted file of at least 640 bytes in size as well as its unencrypted version. To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.

    Decryptor released for the Merry Christmas or Merry X-Mas Ransomware Download Decrypter

    Fabian Wosar has done it again and released a decryptor for the files encrypted by the Merry Christmas or Merry X-Mas Ransomware. These files will have the extensions .PEGS1, .MRCR1, .RARE1, .RMCM1 appended to them.

    Crypt38Decrypter Download Download Decrypter

    BitStakDecrypter Download Download Decrypter

    lphaDecrypter Download Download Decrypte

    Unlock92Decrypter Download Download Decrypter

    Hidden Tear Decrypter Download Download Decrypter

    Hidden Tear BruteForcer Download Download Decrypter

    PowerLockyDecrypter Download Download Decrypter

    GhostCryptDecrypter Download Download Decrypter

    MicroCop Decryptor Download Download Decrypter

    Jigsaw Decrypter Download Download Decrypter

    Rannoh Decryptor (updated 20-12-2016 with CryptXXX v3) Download Decrypter

    RannohDecryptor tool is designed to decrypt files encrypted by:

    • CryptXXX versions 1, 2 and 3.
    • Marsjoke aka Polyglot;
    • Rannoh;
    • AutoIt;
    • Fury;
    • Crybola;
    • Cryakl;

    Globe3 Decryptor Download Decrypter
    The tool is designed to decrypt files encrypted by Globe3 Ransomware.

    Derialock Decryptor Download Decrypter
    Derialock decryptor tool is designed to decrypt files encrypted by Derialock

    PHP Ransomware Decryptor Download Decrypter
    PHP ransomware decryptor tool is designed to decrypt files encrypted by PHP ransomware

    WildFire Decryptor Download Decrypter
    WildfireDecryptor tool is designed to decrypt files encrypted by Wildfire

    Chimera Decryptor Download Decrypter
    ChimeraDecryptor tool is designed to decrypt files encrypted by Chimera

    Teslacrypt Decryptor Download Decrypter
    TeslaDecryptor can decrypt files encrypted by TeslaCrypt v3 and v4

    Shade Decryptor Download Decrypter
    ShadeDecryptor can decrypt files with the following extensions: .xtbl, .ytbl, .breaking_bad, .heisenberg.

    CoinVault Decryptor Download Decrypter

    The CoinVault decryption tool decrypts files encrypted by Coinvault and Bitcryptor.

    Rakhni Decryptor (updated 14-11-2016) Download Decrypter

    RakhniDecryptor tool is designed to decrypt files encrypted by:

    • Crysis;
    • Chimera;
    • Rakhni;
    • Agent.iih;
    • Aura;
    • Autoit;
    • Pletor;
    • Rotor;
    • Lamer;
    • Lortok;
    • Cryptokluchen;
    • Democry;
    • Bitman (TeslaCrypt) version 3 and 4.

    Trend Micro Ransomware File Decryptor Download Decrypter

    Supported Ransomware Families

    The following list describes the known ransomware-encrypted files types can be handled by the latest version of

    the tool.

    Ransomware

    File name and extension

    CryptXXX V1, V2, V3*

    {original file name}.crypt, cryp1, crypz, or 5 hexadecimal characters

    CryptXXX V4, V5

    {MD5 Hash}.5 hexadecimal characters

    Crysis

    .{id}.{email address}.xtbl, crypt

    TeslaCrypt V1**

    {original file name}.ECC

    TeslaCrypt V2**

    {original file name}.VVV, CCC, ZZZ, AAA, ABC, XYZ

    TeslaCrypt V3

    {original file name}.XXX or TTT or MP3 or MICRO

    TeslaCrypt V4

    File name and extension are unchanged

    Rating:

    485 found this helpful

    Category:

    Troubleshoot

    Solution Id:

    1114221

    13/12/2016, 22)42

    Using the Trend Micro Ransomware File Decryptor Tool

    Page 2 of 6

    https://success.trendmicro.com/solution/1114221#

    #

    TeslaCrypt V4

    File name and extension are unchanged

    SNSLocker

    {Original file name}.RSNSLocked

    AutoLocky

    {Original file name}.locky

    BadBlock

    {Original file name}

    777

    {Original file name}.777

    XORIST

    {Original file name}.xorist or random extension

    XORBAT

    {Original file name}.crypted

    CERBER V1

    {10 random characters}.cerber

    Stampado

    {Original file name}.locked

    Nemucod

    {Original file name}.crypted

    Chimera

    {Original file name}.crypt

    LECHIFFRE

    {Original file name}.LeChiffre

    MirCop

    Lock.{Original file name}

    Jigsaw

    {Original file name}.random extension

    Globe/Purge

    V1: {Original file name}.purge

    V2: {Original file name}.{email address + random characters}

    V3: Extension not fixed or file name encrypted

    DXXD

    V1: {Original file name}.{Original extension}dxxd

    Teamxrat/Xpan

    V2: {Original filename}.__xratteamLucked

    Crysis

    .{id}.{email address}.xtbl, crypt

    NMoreira Decryptor download
    The tool is designed to decrypt files encrypted by NMoreira Ransomware.

    Ozozalocker Decryptor download
    The tool is designed to decrypt files encrypted by Ozozalocker Ransomware.

    Globe Decryptor download
    The tool is designed to decrypt files encrypted by Globe Ransomware.

    Globe2 Decryptor download
    The tool is designed to decrypt files encrypted by Globe2 Ransomware.

    FenixLocker Decryptor download
    The tool is designed to decrypt files encrypted by FenixLocker Ransomware.

    Philadelphia Decryptor download
    The tool is designed to decrypt files encrypted by Philadelphia Ransomware.

    Stampado Decryptor download
    The tool is designed to decrypt files encrypted by Stampado Ransomware.

    Xorist Decryptor download
    The tool is designed to decrypt files encrypted by Xorist Ransomware.

    Nemucod Decryptor download
    The tool is designed to decrypt files encrypted by Nemucod Ransomware.

    Gomasom Decryptor download
    The tool is designed to decrypt files encrypted by Gomasom Ransomware.

    Linux.Encoder Decryptor download

    Decryption tools have been designed for infections of the Linux.Encoder.1 and Linux.Encoder.3 ransomware

     


  • Ransomware developers look to educate victims and Help Decrypt files

    Knowledge is good, At least according to the cybercriminals who are developing ransomware that will give a free decryption key if the victim reads two articles about ransomware.

    A new variant of Koolova was discovered by security researcher Michael Gillespie, that demands the victim read two articles: a Google Security Blog, Stay safe while browsing, and a Bleeping Computer article, Jigsaw Ransomware Decrypted: Will delete your files until you pay the Ransom.

    Lawrence Abrams, said the ransomware itself behaves like Jigsaw in that once it encrypts the files it delivers a scrolling note telling the victim to read stories or else risk having their files deleted. In Jigsaw’s case the demand is for a ransom payment.


  • E-Payment Alert Notification From Another US Bank – Customer phishing scam

    A slightly unusual phishing scam today

    https://i2.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/12/scam_warning1.gif?fit=300%2C300&ssl=1

    The original email is nothing special and has a blank body and a PDF attachment. The PDF has a link to http://kamzink.com/redirect-new-alert-logon/redirect.htm which redirects you to ( or should redirect you to ) http://rattanhospital.co.in/new-usbank-security-update/usbank.com.online.logon/home  However this site only works in Firefox using Noscript when I block scripts from  omtrdc.net. ( which looks like an Adobe Marketing cloud analytics script)  Allowing scripts from that site display a blank page for me in all browsers.  I assume the phishers made a mistake and that script will only work on the genuine website so is  unable to display the page. This shows the error in just copy & pasting an entire website homepage  & just changing a few links on it.  Anyway, anything the phishers do wrong is a step in the right direction to protect users.

    Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

    The original email looks like this It will NEVER be a genuine email from your bank  any other company so don’t ever click the link in the email. If you do it will lead you to a website that looks at first glance like the genuine usbank website but you can clearly see in the address bar, that it is fake. Some versions of this and similar phishes will ask you fill in the html ( webpage) form that comes attached to the email.

    From: US BANK <unitedbankpayment.alert@communication.com>>

    Date: Wed 28/12/2016 08:15

    Subject: E-Payment Alert Notification From Another US Bank Customer

    Attachment: US_Bank_Payment_2_.pdf

    Body content:  Blank / Empty

    Following the link sends you to a site looking identical to the genuine usbank.com website ( with the above provisos)

    All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.


  • Spoofed FedEx and USPS Kovter and Locky sites Ransomeware Malware Keeps Spreading

    www.ccrepairservices.com
    Locky Ransomeware New CPRS CCRS Computer Repair Miami Fort Lauderdale Website

    Following on from these  [ FEDEX ] [ USPS ]  posts describing the Spoofed FedEx and USPS ( and other delivery services from time to time) I will endeavour to keep up to date with a list of current sites involved in the spreading of this malware. I will also show the command used that day to obtain the malware. I will add each days new sites to the lists, but please remember that old sites are reused daily until taken down by their hosts.  All the sites used in this malware spreading campaign are hacked / compromised sites.

     

    The script tries the first in the list & then moves down until it gets a reply from the server. You never see the first downloaded file ( counter.js by searching on your computer, that is run directly from temp internet files ) Counter.js then downloads  a different variant of counter.js which in turn downloads 01 first, then 02, then 03 until you get to 05. If any site doesn’t have the file, then it moves to the next site in the list for that particular file. Each site on the list has a full set of the files. but it is rare for the site delivering counter.js to actually download from itself, normally that downloads from a different site on the list. All the files ( apart from the original counter.js) pretend to be png ( image files). They are actually all renamed .exe files or a renamed php script listing the files to be encrypted. Counter.js contains the list of sites to download from, which includes many of the sites listed in the original WSF, JS, VBS or other scripting file and normally one or 2 extra ones. to get the second counter.js you need to change the &r=01 at the end of the url to &m=01 ( or 02-05). This second counter.js contains additional sites to download from which frequently includes sites from the previous days lists that are not already included in the WSF or first counter.js.

    I only accidentally  found out about the second /3rd /4th /5th  counter.js when I made a mistake in manually decoding the original wsf file ( and the original counter.js) and mistyped/ miscopied  the &r= and used &m= instead. Obviously it is a belt and braces approach to making sure the actual malware gets downloaded to a victim’s computer when urls or sites are known about and blocked by an antivirus or web filter service.

    25 December 2016:  ( Payload Security report  )

    3spension.com
    minebleue.com
    chaitanyaimpex.org
    break-first.com
    grancaffe.net
    www.meizumalaysia.com
    dreamoutloudcenter.org
    megrelis-avocat.com

    /counter/?a=1DtntZgmur6occ1CY29PJzvAzLsjCXMuyD&m=9488599&i=e5J5zaa6WhR1MYhBZ8L8Rmw2RWRVmbtna9Y_vLRIrGW2mVxU7SBYLhBH9Gj5Mr942yUp7kFWRWAOGtmJ5aqexWRDrTq_rGixe_a-gmVCMQ

    /counter/?i=e5J5zaa6WhR1MYhBZ8L8Rmw2RWRVmbtna9Y_vLRIrGW2mVxU7SBYLhBH9Gj5Mr942yUp7kFWRWAOGtmJ5aqexWRDrTq_rGixe_a-gmVCMQ&a=1DtntZgmur6occ1CY29PJzvAzLsjCXMuyD&r=01

    27 December2016:  ( Payload Security report  )

    lacasadeicuochi.it
    boardedhallgreen.com
    www.memoodgetactive.det.nsw.edu.au
    rebecook.fr
    peachaid.com
    kidsgalaxy.fr
    baltasmenulis.lt
    artss.org

    /counter/?a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&m=3254807&i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7  

    /counter/?i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7&a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&r=01

    28 December 2016:  ( Payload Security report  )

    thanepoliceschool.com
    chimie.iset-liege.be
    partnersforcleanstreams.org

    /counter/?a=1N1rEZQQ9Z3Ju6jggwn7hFU1jXytBTcK7r&m=8429816&i=LXEfbBQo_qDv_k77jrIae7y_BHSSQ_IZeneRTOoRmdDa4RlnJqaUKIl03HhN683DsUx-hkDi_OiCy0bOPjhZTiYm8RSQDBkfCerE

    /counter/?i=LXEfbBQo_qDv_k77jrIae7y_BHSSQ_IZeneRTOoRmdDa4RlnJqaUKIl03HhN683DsUx-hkDi_OiCy0bOPjhZTiYm8RSQDBkfCerE&a=1N1rEZQQ9Z3Ju6jggwn7hFU1jXytBTcK7r&r=01

    29 December 2016:  ( payload Security report)

    cobycaresfoundation.org
    dev.zodia-q.com
    shark1.idhost.kz
    italysfinestdesign.it
    salutgaudi.com
    zodia-q.com

    /counter/?a=13h8Y8z3WfiDFYG7jEWgsqZmPL94z22ca1&m=2365622&i=a5P5yqa6RhR1p80JYSnJbDP0I9KOXtIPtIhrFT4SHyIIqBAg-BghzAkZFkHS2tXw5C3mJYnrwuc1MpOfvGWZGd_STcfaml86P_kj5gA

    /counter/?i=a5P5yqa6RhR1p80JYSnJbDP0I9KOXtIPtIhrFT4SHyIIqBAg-BghzAkZFkHS2tXw5C3mJYnrwuc1MpOfvGWZGd_STcfaml86P_kj5gA&a=13h8Y8z3WfiDFYG7jEWgsqZmPL94z22ca1&r=01

    2nd version today ( Payload Security Report )

    /counter/?=&i=a5P71qa6RhRlpLdtPLsJBpD0aKRuq7EtvIQrHyyE-zmVoG37HDoS-OmdfAXYY-Y0RtEcCwavHQyucNU4JL_PpGxvv0l-mxt00fo&a=16TqYh72RpopqiWR97WGMNtTGTazWFYBg1&r=01

    /counter/?a=16TqYh72RpopqiWR97WGMNtTGTazWFYBg1&m=4831333&i=a5P71qa6RhRlpLdtPLsJBpD0aKRuq7EtvIQrHyyE-zmVoG37HDoS-OmdfAXYY-Y0RtEcCwavHQyucNU4JL_PpGxvv0l-mxt00fo

    31 December 2016: ( Payload Security Report)

    www.iblasoni.com
    aventurarealestatedirectory.com
    www.apogeoform.net
    oytunidil.com
    ocentsinus.com
    sonja.ostrovanka.cz
    instalaciondeairesplit.com

    /counter/?a=1J9cj5Z7UvwkR9Tp1qywXBq994MFZ6dCLn&i=Y5p7yaa6RhRlPVwtx_0twhfOcSziOus6gsFi-6WQ9cGftnod2TtjVWJvU-_2nroNgi-lT8j6sF6rzL02lqFLiuQ20RDPqOBkTCSmGjp6NQ
    /counter/?i=Y5p7yaa6RhRlPVwtx_0twhfOcSziOus6gsFi-6WQ9cGftnod2TtjVWJvU-_2nroNgi-lT8j6sF6rzL02lqFLiuQ20RDPqOBkTCSmGjp6NQ&a=1J9cj5Z7UvwkR9Tp1qywXBq994MFZ6dCLn&r=01

    31 December 2016: update 2 ( Payload Security)

    spiritdoula.net
    www.yabaojiuhe.com
    windycrestrental.com
    maggieellisbusinessconsulting.com
    pn-group.com
    inflation.us

    /counter/?a=16ehyeR9Nhrtgk4z2BrKZVJcKTFYe9Z1Ap&i=Y5r71qa6RhRlpLdvFNp4Tyf0O3puCoDDA0TLPwt-ZnjyqdV140NpvPnVGT2KeqxNu7AHi0Gk1WT6yYGkb0YxpcGpOaMzrto7
    /counter/?i=Y5r71qa6RhRlpLdvFNp4Tyf0O3puCoDDA0TLPwt-ZnjyqdV140NpvPnVGT2KeqxNu7AHi0Gk1WT6yYGkb0YxpcGpOaMzrto7&a=16ehyeR9Nhrtgk4z2BrKZVJcKTFYe9Z1Ap&r=0


  • Mobile banking trojan now has encryption and is targeting over 2000 apps

    Security experts at Kaspersky Lab have discovered a modification of the mobile banking Trojan, Faketoken, which can encrypt user data. Kaspersky Lab has detected several thousand Faketoken installation packages capable of encrypting data, the earliest of which dates back to July 2016.

    Disguised as various programs and games, including Adobe Flash Player, the modified Trojan can also steal credentials from more than 2000 Android financial applications.

    To date, the modified Faketoken has claimed over 16,000 victims in 27 countries, with the most located in Russia, Ukraine, Germany and Thailand.

    The newly added data-encryption capability is unusual in that most mobile ransomware focuses on blocking the device rather than the data, which is generally backed-up to the cloud.

    In Faketoken’s case, the data – including documents and media files such as pictures and videos – is encrypted using AES symmetric encryption which can, in some cases, be decrypted by the victim without paying a ransom.

    During the initial infection process, the Trojan demands administrator rights, permission to overlay other apps or to be a default SMS application – often leaving users with little or no choice but to comply. Among other things, these rights enable Faketoken to steal data: both directly, like contacts and files, and indirectly, through phishing pages.

    The Trojan is designed for data theft on an international scale. Once all the necessary rights are in place, it downloads a database from its command and control server containing phrases in 77 languages for different device localisations.

    These are used to create phishing messages to seize passwords from users’ Gmail accounts. The Trojan can also overlay the Google Play Store, presenting a phishing page to steal credit card details.

    In fact, the Trojan can download a long list of applications for attack and even an HTML template page to generate phishing pages for the relevant apps. Kaspersky Lab researchers uncovered a list of 2249 financial applications.

    Intriguingly, the modified Faketoken also tries to replace application shortcuts for social media networks, instant messengers and browsers with its own versions. The reason for this is unclear as the substitute icons lead to the same legitimate applications.

    “The latest modification of the Faketoken mobile banking Trojan is interesting in that some of the new features appear to provide limited additional benefit for the attackers. That doesn’t mean we shouldn’t take them seriously. They may represent the groundwork for future developments, or reveal the ongoing innovation of an ever-evolving and successful malware family. In exposing the threat, we can neutralise it, and help to keep people, their devices and their data safe,” says Roman Unuchek, senior malware analyst at Kaspersky Lab.


  • Android Trojan Switcher Infects Routers via DNS Hijacking – Android Trojan Switcher Infects Routers via DNS Hijacking

    A new Android Trojan uses a victims’ devices to infect WiFi routers and funnel any users of the network to malicious sites. The malware doesn’t target users directly – instead its goal is to facilitate further attacks by turning victims into accomplices.

     

    Researchers at Kaspersky Lab, who discovered the malware and dubbed it Switcher Trojan, claim they’ve seen two versions of the malware. Attackers have used both iterations to commandeer 1,280 wireless networks, most of them in China, according to Nikita Buchka, a mobile security expert with the firm.

    One version of the malware mimics a mobile client for the Chinese search engine Baidu. Another passes itself off as a version of an app used for locating and sharing WiFi login information. Once a victim has downloaded one of the versions, it gets to work attacking the router.

    The malware does so by carrying out a brute-force password guessing attack on the router’s admin web interface. Once in, Switcher swaps out the addresses of the router’s DNS servers for a rogue server controlled by the attackers along with a second DNS, in case the rogue one goes down.

    This makes it so queries from devices on the network are re-routed to the servers of the attacker, something that can open victims to redirection, phishing, malware and adware attacks.

    “The ability of the Switcher Trojan to hijack [DNS] gives the attackers almost complete control over network activity which uses the name-resolving system, such as internet traffic,” Kaspersky Lab said Wednesday, “The approach works because wireless routers generally reconfigure the DNS settings of all devices on the network to their own – thereby forcing everyone to use the same rogue DNS.”

    The creators of the Trojan were a little sloppy when it came to crafting parts of its command and control website however; they left a table complete with internal infection statistics publicly viewable. According to Buchka, who has reviewed the site, the attackers boast to have infiltrated 1,280 WiFi networks over the last several weeks.

    In a Securelist post on the malware posted Wednesday Buchka cautioned users to review their routers’ DNS settings for the following rogue servers: 101.200.147.153, 112.33.13.11, and 120.76.249.59. He also took the opportunity to encourage users – although for many it goes without saying – to verify that they’ve changed their routers’ default login and passwords.

    Several weeks ago a handful of router users in Germany fell victim when a variant of Mirai, the nasty malware that’s become synonymous with internet of things vulnerabilities, took hold of their devices. While those routers didn’t suffer from a hardcoded username/password vulnerability, they did have port 7547, usually used by internet service providers to remotely manage the device, open.

    The behavior of Switcher is somewhat similar to that of DNSChanger, malware that’s been repurposed as an exploit kit as of late. A recent campaign observed by Proofpoint was targeting wireless routers and changing DNS entries in order to steal traffic. In that instance routers made by D-Link, Netgear, Pirelli and Comtrend were vulnerable. According to Buchka, the hardcoded names of input fields and the structures of the HTML documents that the Switcher Trojan tries to access suggests it may work only on web interfaces of TP-LINK Wi-Fi routers.


  • CTB-Locker ransomware spreading through fake Windows 10 Update emails

    With the highly publicized release of Microsoft’s Windows 10 on July 29th, scammers and malware developers were quick to jump in and use it as a method of distributing malware. Cisco’s Talos Group has discovered a email campaign underway that pretends to be from Microsoft and contains an attachment that will supposedly allow you to upgrade to Windows 10. In reality, though, this email is fake and once you double-click on the attached file, you will instead become infected with the encrypting ransomware CTB-Locker.
    win10_blacked_out.png
    Image of fake Windows Update Email courtesy of Cisco

    As you can see the email pretends to be from the email address update@microsoft.com and contains the subject [b]Windows 10 Free Update. Even the email message looks legitimate with no spelling mistakes or strange grammar. This is because the content is copied directly from Microsoft’s site. The only tell-tale sign is that there will be some characters that do not render properly. Unfortunately, this small sign will not be enough for many people to notice.

    Furthermore, once they download the attachment and extract it, the attached Win10Installer.exe icon will be the familiar Windows 10 logo.

    It isn’t until you inspect the file properties of the attachment, do you see that something is not right as its file description will be iMacros Web Automation and the copyright for the program will belong to Ipswitch. Ipswitch is a legitimate company and not the ones who released this malware.

    Finally, if a user double-clicks on the Win10Installer.exe file, they will not be greeted with the normal Windows 10 upgrade screen. Instead, after a brief delay they will be shown the screen for the CTB-Locker ransomware.

    CTB-Locker Computer Virus removal and data file recovery service. Local and Online service. Fort Lauderdale,Miami, Boca Raton and all South florida
    CTB-Locker Computer Virus removal and data file recovery service. Local and Online service. Fort Lauderdale,Miami, Boca Raton and all South florida

    At this point, the computer’s data will be encrypted and there is not much that can be done about it.

     

    IF INFECTED Visit Our Main Site OR call 754-234-5598

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere


  • Cryptowall 3.0 is back and rapidly spreading – Ransom Virus Malware Spyware Spam Email

    Cryptowall 3.0 Spreading again Removal DecrypterCryptowall 3.0 Rapidly Spreading again Removal Repair Recovery and Decrypter
    Cryptowall 3.0 Spreading again Removal DecrypterCryptowall 3.0 Rapidly Spreading again Removal Repair Ransom Recovery and Decrypter CALL 754-234-5598

    Since the Angler Exploit Kit began in late May spreading Cryptowall 3.0 ransomware, traffic containing the malware has continued to grow, putting more potential victims in harm’s way.

    A week ago, the SANS Internet Storm Center reported that Cryptowall 3.0 infections are emanating from not only the prolific exploit kit, but also from malicious spam campaigns. The two means of infections share some common characteristics, lending credence to the theory that the same group may be behind both.
    Version 3.0 is the latest iteration of Cryptowall, which is also known as Crowti. Like other ransomware families, Cryptowall 3.0 encrypts files stored on a compromised computer and demands a ransom, usually $500 payable in Bitcoin, in exchange for the encryption key. The malware uses numerous channels to communicate and send stolen traffic to its keepers, including I2P and Tor anonymity networks. Researchers at Cisco in February said that Cryptowall 3.0 abandoned using a dropper for propagation, opting instead to use exploit kits.

    As of this morning, SANS incident handler and Rackspace security researcher Brad Duncan said that the latest run of Angler Exploit Kit traffic showed that the attackers had added a different Bitcoin address than the one used previously.

    At this point, I’m not 100 percent certain it’s the same actor behind all this Cryptowall 3.0 we’ve been seeing lately,” Duncan wrote on the SANS ISC website. “However, my gut feeling tells me this activity is all related to the same actor or group. The timing is too much of a coincidence.

    Duncan said that a check on blockchain.info for activity on the two Bitcoin addresses shows some transactions, indicating some victims are paying the ransom.

    “We’re seeing a lot more samples of CryptoWall 3.0 in the spam/EK traffic now than before, so maybe the increased exposure might help infect more computers,” Duncan said, adding that he had no data on whether any of the victims who did pay the ransom were receiving encryption keys and are able to salvage their data.

    Duncan said this latest spike began May 25 from both the malicious spam and Angler angles; both campaigns were still active as of early this morning.

    The spam campaign uses Yahoo email addresses to send Cryptowall 3.0 via attachments. The attachments are called my_resume.zip and contain an HTML file called my_resume.svg. Duncan said the attackers have begun appending numbers to the file names, such as resume4210.html or resume9647.html.

    Opening the attachment and extracting the malicious file gives you an HTML document. If you open one of these HTML files, your browser will generate traffic to a compromised server,” Duncan wrote. “The return traffic is gzip compressed, so you won’t see it in the TCP stream from Wireshark. Exporting the text from Wireshark shows HTML that points to a shared document from a Google server.

    Cryptowall is hosted on a number of different docs.google.com URLs, he said, a list of which is posted on the SANS website. The Bitcoin address used for payment in the spam campaign is 16REtGSobiQZoprFnXZBR2mSWvRyUSJ3ag, the same address found in other spam samples.

    Infections coming from Angler began May 26, and were the first Cryptowall 3.0 infections seen from Angler. The Bitcoin address used in Angler infections is 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB, SANS said. Duncan reports that a second Bitcoin address, 12LE1yNak3ZuNTLa95KYR2CQSKb6rZnELb, was used as of today.

    “There are any number of reasons to use more than one Bitcoin address. It could be a back-up, in case law enforcement is closing in on the other one. It could be a way to track different infections, geographically,” Duncan said. “I’m not sure on this one. It’s just my gut feeling, which could be wrong.”

    Duncan said that a new slate of WordPress sites were redirecting to Angler in this campaign, based on web injects observed.

    “The significance is that there are plenty of vulnerable websites running outdated or unpatched versions of WordPress,” Duncan said. “The actors behind this (and other) campaigns will have a continuous supply of websites that can be compromised and used for these efforts.”

    www.CCREPAIRSERVICES.COM

    Local and Online PC Computer Repair Tel. 754-234-5598

    FAST SAME DAY COMPUTER REPAIR, VIRUS REMOVAL, CRYTOWALL FILE RECOVERY AND LAPTOP SCREEN REPAIR SERVICE


  • TripAdvisor’s Viator Hit by Massive 1.4 Million Payment Card Data Breach


    TripAdvisor’s Viator Hit by Massive 1.4 million Payment Card Data Breach

    TripAdvisor has reportedly been hit by a massive data breach at its Online travel booking and review website Viator, that may have exposed payment card details and account credentials of its customers, affecting an estimated 1.4 million of its customers.

    The San Francisco-based Viator, acquired by TripAdvisor – the world’s largest travel site – for £122 million (US$ 200 million) back in July, admitted late on Friday that the intruders have hacked into some of its customers’ payment card accounts and made unauthorized charges.

    The data breach was discovered in the bookings made through Viator’s websites and mobile offerings that could potentially affect payment card data.

    Viator said that the company has hired forensic experts to figure out the extent of the breach. Meanwhile, the company has begun notifying its affected customers about the security breach as said by the travel outfit in a press release.

    “On September 2, we were informed by our payment card service provider that unauthorized charges occurred on a number of our customers’ credit cards,” Viator wrote. “We have hired forensic experts, notified law enforcement and we have been working diligently and comprehensively to investigate the incident, identify how our systems may have been impacted, and secure our systems.”

    “While our investigation is ongoing, we are in the process of notifying approximately 1.4 million Viator customers, who had some form of information potentially affected by the compromise.”

    During investigation it found that the cybercriminals have broken into its internal databases and accessed the payment card data – including encrypted credit or debit card number, card expiration date, name, billing address and email address – of approximately 880,000 customers, and possibly their Viator account information that includes email address, encrypted password and Viator ‘nickname.’

    Additionally, the intruders may have also accessed the Viator account information, including email addresses and encrypted passwords, of over 560,000 Viator customers.

    According to the company, Debit-card PIN numbers were not included in the breach because Viator does not store them. The travel advisor said that they believe that the CVV number, the security numbers printed on the back of the customer’s credit card, were also not stolen in the breach.

    For those who are affected by the breach in United States, Viator is offering them identity protection and credit card monitoring services for free and and the company is also investigating the possibility of offering similar services to customers outside the country.

    Meanwhile, the company has warned its affected customers to regularly monitor their card activity and report any fraudulent charges to their card company. “Customers will not be responsible for fraudulent charges to their accounts if they are reported in a timely manner,” Viator said.

    Viator also recommends its users to change their password for the site, as well as all other websites that uses the same credentials.

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida