With the highly publicized release of Microsoft’s Windows 10 on July 29th, scammers and malware developers were quick to jump in and use it as a method of distributing malware. Cisco’s Talos Group has discovered a email campaign underway that pretends to be from Microsoft and contains an attachment that will supposedly allow you to upgrade to Windows 10. In reality, though, this email is fake and once you double-click on the attached file, you will instead become infected with the encrypting ransomware CTB-Locker.
Image of fake Windows Update Email courtesy of Cisco
As you can see the email pretends to be from the email address firstname.lastname@example.org and contains the subject [b]Windows 10 Free Update. Even the email message looks legitimate with no spelling mistakes or strange grammar. This is because the content is copied directly from Microsoft’s site. The only tell-tale sign is that there will be some characters that do not render properly. Unfortunately, this small sign will not be enough for many people to notice.
Furthermore, once they download the attachment and extract it, the attached Win10Installer.exe icon will be the familiar Windows 10 logo.
It isn’t until you inspect the file properties of the attachment, do you see that something is not right as its file description will be iMacros Web Automation and the copyright for the program will belong to Ipswitch. Ipswitch is a legitimate company and not the ones who released this malware.
Finally, if a user double-clicks on the Win10Installer.exe file, they will not be greeted with the normal Windows 10 upgrade screen. Instead, after a brief delay they will be shown the screen for the CTB-Locker ransomware.
At this point, the computer’s data will be encrypted and there is not much that can be done about it.
Since the Angler Exploit Kit began in late May spreading Cryptowall 3.0 ransomware, traffic containing the malware has continued to grow, putting more potential victims in harm’s way.
A week ago, the SANS Internet Storm Center reported that Cryptowall 3.0 infections are emanating from not only the prolific exploit kit, but also from malicious spam campaigns. The two means of infections share some common characteristics, lending credence to the theory that the same group may be behind both. Version 3.0 is the latest iteration of Cryptowall, which is also known as Crowti. Like other ransomware families, Cryptowall 3.0 encrypts files stored on a compromised computer and demands a ransom, usually $500 payable in Bitcoin, in exchange for the encryption key. The malware uses numerous channels to communicate and send stolen traffic to its keepers, including I2P and Tor anonymity networks. Researchers at Cisco in February said that Cryptowall 3.0 abandoned using a dropper for propagation, opting instead to use exploit kits.
As of this morning, SANS incident handler and Rackspace security researcher Brad Duncan said that the latest run of Angler Exploit Kit traffic showed that the attackers had added a different Bitcoin address than the one used previously.
At this point, I’m not 100 percent certain it’s the same actor behind all this Cryptowall 3.0 we’ve been seeing lately,” Duncan wrote on the SANS ISC website. “However, my gut feeling tells me this activity is all related to the same actor or group. The timing is too much of a coincidence.
Duncan said that a check on blockchain.info for activity on the two Bitcoin addresses shows some transactions, indicating some victims are paying the ransom.
“We’re seeing a lot more samples of CryptoWall 3.0 in the spam/EK traffic now than before, so maybe the increased exposure might help infect more computers,” Duncan said, adding that he had no data on whether any of the victims who did pay the ransom were receiving encryption keys and are able to salvage their data.
Duncan said this latest spike began May 25 from both the malicious spam and Angler angles; both campaigns were still active as of early this morning.
The spam campaign uses Yahoo email addresses to send Cryptowall 3.0 via attachments. The attachments are called my_resume.zip and contain an HTML file called my_resume.svg. Duncan said the attackers have begun appending numbers to the file names, such as resume4210.html or resume9647.html.
Opening the attachment and extracting the malicious file gives you an HTML document. If you open one of these HTML files, your browser will generate traffic to a compromised server,” Duncan wrote. “The return traffic is gzip compressed, so you won’t see it in the TCP stream from Wireshark. Exporting the text from Wireshark shows HTML that points to a shared document from a Google server.
Cryptowall is hosted on a number of different docs.google.com URLs, he said, a list of which is posted on the SANS website. The Bitcoin address used for payment in the spam campaign is 16REtGSobiQZoprFnXZBR2mSWvRyUSJ3ag, the same address found in other spam samples.
Infections coming from Angler began May 26, and were the first Cryptowall 3.0 infections seen from Angler. The Bitcoin address used in Angler infections is 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB, SANS said. Duncan reports that a second Bitcoin address, 12LE1yNak3ZuNTLa95KYR2CQSKb6rZnELb, was used as of today.
“There are any number of reasons to use more than one Bitcoin address. It could be a back-up, in case law enforcement is closing in on the other one. It could be a way to track different infections, geographically,” Duncan said. “I’m not sure on this one. It’s just my gut feeling, which could be wrong.”
Duncan said that a new slate of WordPress sites were redirecting to Angler in this campaign, based on web injects observed.
“The significance is that there are plenty of vulnerable websites running outdated or unpatched versions of WordPress,” Duncan said. “The actors behind this (and other) campaigns will have a continuous supply of websites that can be compromised and used for these efforts.”
Attackers have been leveraging the FlashPack Exploit Kit to peddle the CryptoWall 2.0 ransomware on unsuspecting visitors to sites such as Yahoo, The Atlantic and AOL. Researchers believe that for about a month the malvertising campaign hit up to 3 million visitors and netted the attackers $25,000 daily.
According to experts at Proofpoint, a firm that primarily specializes in email security, the exploit kit targeted a vulnerability in Adobe Flash via users’ browsers to install the ransomware on users’ machines.
Malvertising is an attack that happens when attackers embed malicious code – in this case code that led to the latest iteration of CryptoWall – into otherwise legitimate ads to spread malware via drive-by downloads. Users can often be infected without even clicking on anything.
CryptoWall, which takes users’ files, encrypts them with rigid RSA-2048 encryption, then asks for a fee to decrypt them, made a killing earlier this summer. In August it was reported that the ransomware made more than $1.1 million for its creators in just six months.
Similar to Critoni/Onion, a ransomware dug up in July, CryptoWall 2.0 downloads a TOR client on the victim’s machine, connects to a command and control server and demands users send Bitcoin – $500 worth – to decrypt their files. Since the campaign lasted about a month, from Sept. 18 to this past Saturday, researchers are estimating that 40 of the campaign’s Bitcoin addresses collected at least 65 BTC each, a number that roughly translates to $25,000 a day.
Proofpoint claims that high ranking sites such as AOL, The Atlantic, Match.com and several Yahoo subdomains such as their Sports, Fantasy Sports and Finance sites, were spotted serving up the tainted ads. Other sites lesser known in the U.S. such as Australia’s Sydney Morning Herald, The Age, and the Brisbane Times, were reportedly also doling out the ads.
While the campaign started a month ago the firm claims things didn’t start to ramp up until recently.
“After crossing a threshold level, it became possible to associate the disparate instances with a single campaign impacting numerous, high-traffic sites,” Wayne Huang, the company’s VP of Engineering, said of the campaign.
The firm claims it worked quickly to notify those involved in the campaign, including the ad providers, and as of this week, believes the situation has been nullified.
Last month researchers with Barracuda Labs found a CryptoWall variant with certificate signed by Comodo being distributed through ads on a handful of different websites. None of those sites were nearly as trafficked as those spotted by this most recent campaign however. The Alexa rankings for Yahoo (4), AOL (37), Match (203), and The Atlantic (386) place them within the top 500 of the internet’s most popular sites, something that likely upped the campaign’s exposure level.
Waiting for the root access for your AT&T or Verizon Android phone? Then there is really a Great News for you!
Geohot (aka George Hotz) – a famed cracker who was responsible for hacking the PlayStation 3 and subsequently being sued by Sony – has built and released a root tool called Towelroot on Sunday night that will let most Android smartphones users to root their Android device with one click only, as long as it has an unpatched version of the Linux kernel. EXPLOITS LINUX KERNEL VULNERABILITY
Towelroot application exploits the same vulnerability (CVE-2014-3153) which was recently disclosed by the hacker Pinkie Pie in the Linux kernel version 3.14.5 and most versions of other Android devices, which could be leveraged by hackers to potentially acquire root access on affected devices.
Having root access of your device simply means you make System-level changes to your device such as accessing and modifying any file or program using any mode (single- or multi-user). It is just like operating an administrator account on a computer. SUPPORTED DEVICES
Towelroot supports handful of devices so far including some particularly tough phones. here’s the list:
AT&T Galaxy S5
Verizon Galaxy S5
Galaxy S4 Active
AT&T Galaxy Note 3
Verizon Galaxy Note 3
Also some users have even reported its success with the all time favorite company of GeoHot, Sony Xperia SP C5303.
Geohot became famous for being the first person to carrier unlock the original iPhone in 2007 and later for creating the limera1n jailbreak tool for future versions of the iPhone. He gained fame after subsequently hacking the software of the PlayStation 3 console, thereby opening up the ability to add homebrew and play pirated games, for which he was taken to court by Sony. HOW TO ROOT ANDROID DEVICE
Step 1: Download Android Rooting application from towelroot.com and install it.
Step 2: While Installation you might receive warning message saying that Towelroot “contains code that attempts to bypass Android’s security“. Just hit Install anyway after selecting the checkbox: “I understand and still want to install it“.
Step 3: Once the Towelroot installation completes, launch the application and click the button reading “make it ra1n” and it will force your device to reboot.
Step 4: After the device reboots to home screen your phone will be rooted with its bootloader unlocked. Cheers!
Along with the Android users who were itching to get Android rooting technique for their devices and doing tons of things such as customizations, patching apps and installing third-party ROMs, the new tool will also allow cybercriminals as well to gain administrative access to a victim’s phone.
Specifically, at the same time the cyber criminal with the administrative access could potentially run malicious code, retrieve files, bypass third-party or security applications including containers like Samsung’s secure Knox sub-operating system, and place backdoors for future access on users’ devices.
Could a perfectly innocent looking device like router, TV set-top box or security cameras can mine Bitcoins? YES! Hackers will not going to spare the Smart Internet-enabled devices.
A Linux worm named Linux.Darlloz, earlier used to target Internet of Things (IoT) devices, i.e. Home Routers, Set-top boxes, Security Cameras, printers and Industrial control systems; now have been upgraded to mine Crypto Currencies like Bitcoin.
Security Researcher at Antivirus firm Symantec spotted the Darlloz Linux worm back in November and they have spotted the latest variant of the worm in mid-January this year.
Linux.Darlloz worm exploits a PHP vulnerability (CVE-2012-1823) to propagate and is capable to infect devices those run Linux on Intel’s x86 chip architecture and other embedded device architectures such as PPC, MIPS and MIPSEL.
The latest variant of Linux.Darlloz equipped with an open source crypto currency mining tool called ‘cpuminer’, could be used to mine Mincoins, Dogecoins or Bitcoins.
Symantec Researchers scanned the entire address space of the Internet and found 31,716 devices infected with Darlloz. “By the end of February 2014, the attacker mined 42,438 Dogecoins (approximately US$46 at the time of writing) and 282 Mincoins (approximately US$150 at the time of writing). These amounts are relatively low for the average cybercrime activity so, we expect the attacker to continue to evolve their threat for increased monetization.” Kaoru Hayashi, senior development manager and threat analyst with Symantec in Japan.
Major infected countries are China, the U.S., South Korea, Taiwan and India.
Crypto Currency typically requires more memory and a powerful CPUs, so the malware could be updated to target other IoT devices in the future, such as home automation devices and wearable technology.A Few weeks back, Cisco has announced a global and industry-wide initiative to bring the Security community and Researchers together to contribute in securing the Internet of Things (IoT) and launched a contest called the “Internet of Things Grand Security Challenge“, offering prizes of up to $300,000 for winners.
Users are advised to update firmware and apply security patches for all software installed on computers or Internet-enabled devices. Make sure, you are not using default username or password for all devices and block port 23 or 80 from outside if not required.
NEW Laptop screens for sale, Computer Repair PC Windows and MAC OSX. Virus Removal, Broken Screen Repair Service and More. Currently in stock screen size 8.9 10 10.1 11.6 13 14 14.1 14.5 15 15.4 15.5 15.6 16 16.5 17 17.1 17.3 LED CCFL Bulb LCD type, cable & laptop screen inverter for sale
Manufacturer Screen for DELL HP COMPAQ ASUS ACER LENOVO IBM GATEWAY SONY SAMSUNG TOSHIBA APPLE
APPLE COMPUTER: MACBOOK PRO 17 Model A1229 MACBOOK PRO 17 Model A1151 MACBOOK PRO 17 Model A1261 MACBOOK PRO 17 Model A1212 MACBOOK PRO 17 Model A1229 MACBOOK PRO 17 Unibody Model A1297 MACBOOK PRO 15 Model A1226 MACBOOK PRO 15 Model A1150 MACBOOK PRO 15 Model A1211 MACBOOK PRO 15 Unibody Model A1286 MACBOOK PRO 15 Model A1260 MACBOOK PRO 13 Unibody Model A1384 MACBOOK PRO 13 Unibody Model A1278
WINDOWS PC: TravelMate – Extensa – Ferrari – Aspire Asus Eee – Lamborghini Inspiron, Latitude – Precision – Studio – Vostro – XPS – Studio XPS – Alienware – Mini – Legacy System Adamo LifeBook – Stylistic Pavilion – HP Omnibook – Envy – EliteBook – ProBook ThinkPad – IdeaPad – 3000 Sens – VAIO Series – eMachines – Gateway – Solo – Series Compaq Dynabook – Portege – Tecra – Satellite – Qosmio – Libretto
Laptops, Notebooks, Netbooks & Desktop Computer services in your home office or business at the lowest price and best service.
COMPUTER SERVICE REPAIR & SALES
Laptop Screen Repair Service
Lcd Screen / CCFL Repairs and Replacement
Computer Blue / Black or White screen error Repair
Wireless Internet DSL / Cable & Printer Setup and Support
FixÂ / Repair & Replacement of all Computer components not working
* We have Laptop & Desktop PC Computers for sale
We Can make your old and slow laptop computer good as new and Super Fast
SERVICING ALL MANUFACTURER BELOW
Acer – TravelMate, Extensa, Ferrari, Aspire
Apple – MacBook, MacBook Air, MacBook Pro
ASUS – Asus Eee, Lamborghini
Dell – Inspiron, Latitude, Precision, Studio, Vostro, XPS, Studio XPS, Alienware Mini Legacy System Adamo
Fujitsu – LifeBook, Stylistic
Hewlett-Packard – HP Pavilion, HP Omnibook Envy EliteBook ProBook
Lenovo – ThinkPad, IdeaPad, 3000
Micro-Star International (MSI) – Megabook, Wind
Samsung Electronics – Sens
Sony – VAIO Series
eMachines – Gateway – Solo – Series Compaq
Toshiba -dynabook, Portege, Tecra, Satellite, Qosmio, Libretto
All Computer Work Repairs and Laptop Repairs done by professional tech with 20+years Experience
Serving Miami Dade County Service Area Aventura Bal Harbour By Harbor Islands Biscayne Park Brownsville Coral Gables Coral Terrace Country Club Country Walk cutler Bay Doral El Portal Fisher Island Florida City Fountainebleau Gladeview Glenvar Heights Golden Beach Golden Glades Goulds Hialeah Hialeah Gardens Homestead Indian Creek Islandia Ives Estates Kendale Lakes Kendall Kendall West Key Biscayne Leisure City Medley Miami Miami Beach Miami Gardens Miami Lakes Miami Shores Miami Springs Naranja North Bay Village North Miami North Miami Beach Ojus Olympia Heights Opa-locka Palmetto Bay Palmetto Estates Palm Springs North Pinecrest Pinewood Princeton Richmond Heights Richmond West South Miami South Miami Heights Sunny Isles Beach Sunset Surfside Sweetwater Tamiami The Crossings The Hammocks Three Lakes University Park Virginia Gardens Westchester West Little River West Miami West Perrine Westview Westwood Lakes 305 786 area code Florida
Broward County Service Area Coconut Creek Cooper City Coral Springs Dania Beach Deerfield Beach Fort Lauderdale Hallandale Beach Hollywood Lauderdale Lakes Lauderhill Lighthouse Point Margate Miramar North Lauderdale Oakland Park Parkland Pembroke Pines Plantation Pompano Beach Sunrise Tamarac West Park Weston Wilton Manors Hollywood Hills 954 754 area code Florida