Shrunk Expand

  • Tag Archives latest news
  • Proteus botnet Malware with Remote Access

     

    The Proteus botnet emerged toward the end of November 2016.  Only a few samples of it were found in the wild and, at the moment, it doesn’t seem to have a widespread campaign.  So, what does it do? It launches a multi-layered attack on an infected machine where it runs several processes aimed at coin mining, credential theft, and keylogging.  In addition, the bot can perform on its own; it offers the cybercriminal to send commands over HTTP to download malicious executables and execute them.

     

    In some samples, the botnet disguises itself as a Google Chrome executable. The functionality of the botnet is highly reliant on its C&C (command and control) server, hxxp://proteus-network[.]biz or hxxp://proteus-network[.]ml (the latter is inaccessible). The URL is hardcoded in the sample and is contacted multiple times to obtain necessary credentials for the tasks the botnet performs. The host name also appears in Pastebin, under the URL hxxp://pastebin[.]com/raw/LidbEiiR, in its encrypted form, and the botnet can retrieve the domain from there as well.

     

    The botnet starts by identifying the infected machine and obtaining the operating system’s info (whether 64 or 86 bit), the machine’s name, and the Windows version. All of the information is sent to the C&C to “register” the machine.

     

    After the machine is acknowledged by the C&C, the botnet proceeds to perform different tasks. As the botnet contacts the C&C to receive various pieces of information, the web requests are sent along with an encrypted string specifying the purpose of the request. These encrypted strings perform the following functions:

     

    • api/register – Register the infected machine
    • api/ping – Check if the machine is already registered
    • api/module – Check the mining module
    • api/proxy – Use reverse proxy
    • api/command – Receive commands from the C&C
    • api/account – Receive an account from the C&C
    • api/log – Handle the key logging document

     

    The header section of the HTTP requests is similar throughout the different sections of the source code:

    Content-type: application-json

    Authorization: {2D592824-48DE-49F8-8F96-A40B3904C794}

     

    When contacting the C&C, a POST request is sent with one of the above modes appended to the domain’s name, for example, hxxp://proteus-network.biz/api/log. The C&C sends a response to this request, which is then parsed by the botnet in search for the C&C’s reply.

     

    CheckerTask:

     

    The CheckerTask starts by contacting the C&C with the api/account string appended to the domain’s name. After sending a POST request, it receives a four-tuple composed of an account ID, an e-mail, a password, and the account type. The botnet attempts to access and steal the user’s credentials from a number of online websites, including:

     

    • eBay.com
    • otto.de
    • amazon.de
    • breuninger.com
    • dhl.de
    • netflix.com
    • coderbay.net
    • zalando.de

     

    The majority of these websites are German-based and the botnet searches for German words appearing in the responses. This leads us to believe this specific sample of Proteus targets are German victims. For example, if the message received from the website includes the phrase “stimmen nicht mit den bei uns hinterlegten Daten”, which means, “This does not match the data provided by us”. The botnet attempts to change the password’s first character from lower case to upper case or to append the character “1” to the end of the password and tries to log in again after three seconds. The response from the website is then checked to harvest more information about the victim, including name, address, country, bought and sold items, seller type and the last feedback received.

     

    Some of the websites which the CheckerTask tries to steal the credentials from may include a Captcha to prevent such automated logins. The Proteus botnet uses Death by Captcha (DBC), an API which solves any given Captcha and turns it into a text that the botnet can insert into the website, and proceeds with the login. Using DBC requires a username and a password, which are both hardcoded into the sample to enable Captcha analysis. We have managed to access the DBC account used in the sample, and found that it resolved 200 Captchas so far, which could hint to the number of successfully infected machines.

     

    LoggerTask:

     

    This task performs key logging on the infected machine. It starts by initializing a list of all the keyboard keys, and stores the logged keys into a file called tmpV213.txt found under the TEMP directory. When this file includes more than 250 characters, it is cleared and its content is sent to the C&C along with the api/log string.

     

    CommandsTask:

     

    This task receives commands from the C&C. The botnet sends a request to the C&C with the fingerprint and the api/command string. If the C&C sends a command to download a file, a new directory is created in the TEMP folder using a GUID, and a file called temp.exe is created in that directory. Alternatively, if the command is to “kill”, the process is killed. The task checks for new commands every two minutes.

     

    MiningTask, EMiningTask:

     

    The C&C determines the type of mining which the infected machine attempts, as well as the mining pool it will join. The EminingTask downloads an executable to the TEMP directory with the name loader.exe. The types of mining that appear in the sample are CPU, Zcash, Scrypt, and SHA256. During the mining task, and depending on the chosen type, the resources of the infected machine, such as the memory, CPU, and RAM, are used to provide the computing power necessary to produce the hashes accepted as a proof of work by each method. Even using a pool instead of individual mining, CPU usage soared rapidly and reached 100% in our labs when we ran the sample, which shows the processing power needed for the mining tasks.

     

    Conclusion:

     

    To summarize, the botnet conducts a complex attack: it infects a machine, steals credentials, logs keys and mines for currency, causing CPU level to reach 100%. Although the botnet has many of the crucial implementation tools needed for its attack, it heavily depends on communication with its C&C server and the information it transmits for the execution of its most basic functions.


  • Ransomeware Decrypters Available Decryption Service – Decryptor Download Decrypt Files

    New version of ODCODCDecoder Released Download Decrypter

    BloodDolly has released a new version of his ODCODC Ransomwaredecryptor. The decryptor can be downloaded from.

    Emsisoft Decrypter for Marlboro Download Decrypter

    The Marlboro ransomware was first seen on January 11th, 2017. It is written in C++ and uses a simple XOR-based encryption algorithm. Encrypted files are renamed to “.oops”. The ransom note is stored inside a file named “_HELP_Recover_Files_.html” and includes no further point of contact.

    Due to a bug in the malware’s code, the malware will truncate up to the last 7 bytes from files it encrypts. It is, unfortunately, impossible for the decrypter to reconstruct these bytes.

    To use the decrypter, you will require an encrypted file of at least 640 bytes in size as well as its unencrypted version. To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.

    Decryptor released for the Merry Christmas or Merry X-Mas Ransomware Download Decrypter

    Fabian Wosar has done it again and released a decryptor for the files encrypted by the Merry Christmas or Merry X-Mas Ransomware. These files will have the extensions .PEGS1, .MRCR1, .RARE1, .RMCM1 appended to them.

    Crypt38Decrypter Download Download Decrypter

    BitStakDecrypter Download Download Decrypter

    lphaDecrypter Download Download Decrypte

    Unlock92Decrypter Download Download Decrypter

    Hidden Tear Decrypter Download Download Decrypter

    Hidden Tear BruteForcer Download Download Decrypter

    PowerLockyDecrypter Download Download Decrypter

    GhostCryptDecrypter Download Download Decrypter

    MicroCop Decryptor Download Download Decrypter

    Jigsaw Decrypter Download Download Decrypter

    Rannoh Decryptor (updated 20-12-2016 with CryptXXX v3) Download Decrypter

    RannohDecryptor tool is designed to decrypt files encrypted by:

    • CryptXXX versions 1, 2 and 3.
    • Marsjoke aka Polyglot;
    • Rannoh;
    • AutoIt;
    • Fury;
    • Crybola;
    • Cryakl;

    Globe3 Decryptor Download Decrypter
    The tool is designed to decrypt files encrypted by Globe3 Ransomware.

    Derialock Decryptor Download Decrypter
    Derialock decryptor tool is designed to decrypt files encrypted by Derialock

    PHP Ransomware Decryptor Download Decrypter
    PHP ransomware decryptor tool is designed to decrypt files encrypted by PHP ransomware

    WildFire Decryptor Download Decrypter
    WildfireDecryptor tool is designed to decrypt files encrypted by Wildfire

    Chimera Decryptor Download Decrypter
    ChimeraDecryptor tool is designed to decrypt files encrypted by Chimera

    Teslacrypt Decryptor Download Decrypter
    TeslaDecryptor can decrypt files encrypted by TeslaCrypt v3 and v4

    Shade Decryptor Download Decrypter
    ShadeDecryptor can decrypt files with the following extensions: .xtbl, .ytbl, .breaking_bad, .heisenberg.

    CoinVault Decryptor Download Decrypter

    The CoinVault decryption tool decrypts files encrypted by Coinvault and Bitcryptor.

    Rakhni Decryptor (updated 14-11-2016) Download Decrypter

    RakhniDecryptor tool is designed to decrypt files encrypted by:

    • Crysis;
    • Chimera;
    • Rakhni;
    • Agent.iih;
    • Aura;
    • Autoit;
    • Pletor;
    • Rotor;
    • Lamer;
    • Lortok;
    • Cryptokluchen;
    • Democry;
    • Bitman (TeslaCrypt) version 3 and 4.

    Trend Micro Ransomware File Decryptor Download Decrypter

    Supported Ransomware Families

    The following list describes the known ransomware-encrypted files types can be handled by the latest version of

    the tool.

    Ransomware

    File name and extension

    CryptXXX V1, V2, V3*

    {original file name}.crypt, cryp1, crypz, or 5 hexadecimal characters

    CryptXXX V4, V5

    {MD5 Hash}.5 hexadecimal characters

    Crysis

    .{id}.{email address}.xtbl, crypt

    TeslaCrypt V1**

    {original file name}.ECC

    TeslaCrypt V2**

    {original file name}.VVV, CCC, ZZZ, AAA, ABC, XYZ

    TeslaCrypt V3

    {original file name}.XXX or TTT or MP3 or MICRO

    TeslaCrypt V4

    File name and extension are unchanged

    Rating:

    485 found this helpful

    Category:

    Troubleshoot

    Solution Id:

    1114221

    13/12/2016, 22)42

    Using the Trend Micro Ransomware File Decryptor Tool

    Page 2 of 6

    https://success.trendmicro.com/solution/1114221#

    #

    TeslaCrypt V4

    File name and extension are unchanged

    SNSLocker

    {Original file name}.RSNSLocked

    AutoLocky

    {Original file name}.locky

    BadBlock

    {Original file name}

    777

    {Original file name}.777

    XORIST

    {Original file name}.xorist or random extension

    XORBAT

    {Original file name}.crypted

    CERBER V1

    {10 random characters}.cerber

    Stampado

    {Original file name}.locked

    Nemucod

    {Original file name}.crypted

    Chimera

    {Original file name}.crypt

    LECHIFFRE

    {Original file name}.LeChiffre

    MirCop

    Lock.{Original file name}

    Jigsaw

    {Original file name}.random extension

    Globe/Purge

    V1: {Original file name}.purge

    V2: {Original file name}.{email address + random characters}

    V3: Extension not fixed or file name encrypted

    DXXD

    V1: {Original file name}.{Original extension}dxxd

    Teamxrat/Xpan

    V2: {Original filename}.__xratteamLucked

    Crysis

    .{id}.{email address}.xtbl, crypt

    NMoreira Decryptor download
    The tool is designed to decrypt files encrypted by NMoreira Ransomware.

    Ozozalocker Decryptor download
    The tool is designed to decrypt files encrypted by Ozozalocker Ransomware.

    Globe Decryptor download
    The tool is designed to decrypt files encrypted by Globe Ransomware.

    Globe2 Decryptor download
    The tool is designed to decrypt files encrypted by Globe2 Ransomware.

    FenixLocker Decryptor download
    The tool is designed to decrypt files encrypted by FenixLocker Ransomware.

    Philadelphia Decryptor download
    The tool is designed to decrypt files encrypted by Philadelphia Ransomware.

    Stampado Decryptor download
    The tool is designed to decrypt files encrypted by Stampado Ransomware.

    Xorist Decryptor download
    The tool is designed to decrypt files encrypted by Xorist Ransomware.

    Nemucod Decryptor download
    The tool is designed to decrypt files encrypted by Nemucod Ransomware.

    Gomasom Decryptor download
    The tool is designed to decrypt files encrypted by Gomasom Ransomware.

    Linux.Encoder Decryptor download

    Decryption tools have been designed for infections of the Linux.Encoder.1 and Linux.Encoder.3 ransomware

     


  • Windows 10 Surveillance Platform weaponized into and back ported Implants delivered seamlessly to Windows 7 and 8 via Windows Update

    Windows 10 Surveillance Platform weaponized into and back ported Implants delivered seamlessly to Windows 7 and 8 via Windows Update

    You may or may not have noticed shenanigans in your windows based 7 and * machines.

    Microsoft likes the data they stream from windows 10 machines soo much that they decided to back port functionaly and carve out impants resulting in a of push 4 optional and 2 important windows updates

    They will appear in control panel installed updates as

    Optional
    “Update for Microsoft Windows (KB3068708)”
    “Update for Microsoft Windows (KB3075249)”
    “Update for Microsoft Windows (KB3080149)”
    “Update for Microsoft Windows (KB3022345)”

    Important
    “Update for Microsoft Windows (KB2952664)”
    “Update for Microsoft Windows (KB3021917)”

    If you have better things to do than hand eye troll through the list of installed updates then here are two approached to detect the SurveillanceWare Implants.

    The referenced KB’s are specific to the surveillance implants which target Windows 7 only. If your running windows 8, 8.1 or 10 your more than likely fighting much more of a loosing battle. So this section is specific so where it may be temporarily possible to remove the Implants.

    Detection – Open an elevated command prompt
    wmic QFE list full /format:texttablewsys | find “KB3068708”
    wmic QFE list full /format:texttablewsys | find “KB3022345”
    wmic QFE list full /format:texttablewsys | find “KB3075249”
    wmic QFE list full /format:texttablewsys | find “KB3080149”
    wmic QFE list full /format:texttablewsys | find “KB3021917”
    wmic QFE list full /format:texttablewsys | find “KB2952664”

    or alternatively detect with an update to the systeminfo command

    systeminfo | findstr “KB3068708 KB3022345 KB3075249 KB3080149 KB3021917 KB2952664”

    To start removal after optionally taking an evidence image or a system backup
    wusa /uninstall /kb:3068708 /quiet /norestart
    wusa /uninstall /kb:3022345 /quiet /norestart

    Then reboot seems required then continue
    wusa /uninstall /kb:3075249 /quiet /norestart
    wusa /uninstall /kb:3080149 /quiet /norestart
    wusa /uninstall /kb:3021917 /quiet /norestart
    wusa /uninstall /kb:2952664 /quiet /norestart

    ———- Windows 7, 8, 8.1 script to detect implants——-
    Here is a list and updated DIY detection ready scripting for all 14 (currently known) Surveillance implants. Including Implants for windows 8 and later.

    I guess they thought they could catch more fish with 14 baited lines.

    Here are two batch files . run the larger script to see whats detected.

    Open an elevated command prompt

    create a batch file
    Name: check-kb.bat

    Add the batch script content

    @echo off
    echo ‘ Only the first parameter is used in the search, the rest display context.
    echo ‘
    echo ‘
    echo Checking for %1 %2 %3 %4 %5 %6 %7 %8 %9 %10
    @echo on
    wmic QFE list full /format:texttablewsys | find “%1”
    @echo off

    Create a batch file, purpose is to check for currently known Implants.
    Name: checkfor_NPI_patches.bat

    Add the batch script content

    @echo off
    SetLocal
    REM — (as of 2015-08-26):
    cls
    call Check-kb KB3012973 – Opt in payload – Upgrade to Windows 10 Pro
    call Check-kb KB3021917 – Opt in payload – Update to benchmark Windows 7 SP1
    call Check-kb KB3035583 – Opt in payload – delivers reminder “Get Windows 10” for Windows 8.1 and Windows 7 SP1
    call Check-kb KB2952664 – Opt in payload – Pre launch day push of payload for compatibility update for upgrading Windows 7
    call Check-kb KB2976978 – Opt in payload – Pre launch day push of payload for Compatibility update for Windows 8.1 and Windows 8
    call Check-kb KB3022345 – Opt in payload – surveillance Telemetry [Replaced by KB3068708]
    call Check-kb KB3068708 – Opt in payload – Update for surveillance customer experience and diagnostic telemetry
    call Check-kb KB2990214 – Opt in payload – Update that prepares payload to Windows 7 to add surveillance in later installed versions of Windows
    call Check-kb KB3075249 – Opt in payload – Update that adds surveillance telemetry to Windows 8.1 and Windows 7
    call Check-kb KB3080149 – Opt in payload – Update for CIP and surveillance with diagnostic exfil leveraging telemetry
    call Check-kb KB3044374 – Opt in payload – Marketing Windows 10 surveillance payload to windows 8,8.1 devices
    call Check-kb KB2977759 – Opt in payload – Windows 10 surveillance Diagnostics Compatibility Telemetry HTTP request response
    call Check-kb KB3050265 – Opt in payload – Marking via Windows Update services opting in to Windows 10 surveillance Implant
    call Check-kb KB3068707 – Opt in payload – CIP telemetry request response check in for Windows 7,8,8.1

    Whatever Surveillance implants revealed in your machine, it can be removed with a customization of the wusa command, just replace the ??????? with the kb numbers reported.

    wusa /uninstall /kb:??????? /quiet /norestart
    ——-Housekeeping QA

    Housekeeping checks post removal additional steps. I can foresee someone will prophetically conclude a recommended step 5) Uninstall windows and install a secure *nix variant. Obligatorily mentioned in advance. Thanks.

    An eye on post removal Hinkyness had some hits after removals and reboots.

    1) Only two of the four uninstalled KB’s reappeared as available optional “Update for Windows 7 for x64 based Systems (KB3075249) and (KB3080149), another reappeared as

    Important “Update for Windows 7 for x64 based Systems (KB3068708)”

    The important one was the “Update for customer experience and diagnostic telemetry” Important to who, NSA?

    The “KB3068708″ Update for customer experience and diagnostic telemetry” did not reappear as an available patch. It may be dependent on one of the other three removed bits
    2) Before the uninstall, I had foresight to search the infected file system
    for .manifest with a common namespace string called assemblyIdentity which is set to a string value “Microsoft-Windows-Authentication-AuthUI.Resources”

    The before removal search listing files which matched the above search constraint yielded 62 matches in 52 manifest files.

    The after removal search listing of files which match the above search constraint yields 74 matches in 64 manifest files.
    Conclusion, the removal did not remove the manifest files pushed in the original infection.
    3) In a read of KB 3080149, it indicated it installed and updates / requires maintenance of a file named utc.app.json

    Before removal, the file file was found in 6 places on the infected filesystem
    After “removal” the file exists in the same 6 locations, same filesize just waiting for re-use and reinfection.

    discovered and removed using the disribed method 22 additional implants
    Found all 6 utc.app.json were removed and it had left two backup copies under the name utc.app.json.bk
    in
    C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings
    C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings
    in the same directory, found a backed up file telemetry.ASM-WindowsDefault.json.bk

    In order to see the hidden system directory, you must elevate to admin
    dir wont show the rest of the telemetry files unless you clear the files attributes
    An Elevated file explorer will show the files
    Files wont be readable until you change owner permissions or change your running user principal context to that which does allow access to the file.

    telemetry file content
    {
    “settings”: {
    “Microsoft-ApplicationInsights:::sampleRate”: “100”,
    “Microsoft-ApplicationInsights-Dev:::sampleRate”: “100”,
    “Microsoft-ApplicationInsights-Dev:::latency”: “Realtime”,
    “xbox.xsapi:::sampleRate”: “100”,
    “Office:::sampleRate”: “100”,
    “Skype:::sampleRate”: “100”,
    “Census:::sampleRate”: “100”,
    “Microsoft.Windows.Appraiser.General::ms.CriticalData:sampleRate”: “100”,
    “Microsoft.Windows.Appraiser.Instrumentation::ms.Telemetry:sampleRate”: “100”,
    “Microsoft.Windows.Compatibility.Asl::ms.Telemetry:sampleRate”: “5”,
    “Microsoft.Windows.Inventory.General::ms.CriticalData:sampleRate”: “100”,
    “MicrosoftTelemetry::ms.CriticalData:sampleRate”: “0”,
    “MicrosoftTelemetry::ms.Measures:sampleRate”: “0”,
    “MicrosoftTelemetry::ms.Telemetry:sampleRate”: “0”,
    “Setup360Telemetry::ms.CriticalData:sampleRate”: “100”,
    “SetupPlatformTel::ms.CriticalData:sampleRate”: “100”,
    “TelClientSynthetic:HeartBeat_5::sampleRate”: “100”
    }}
    content file of utc.app.json
    {
    “settings”: {
    “UTC:::GroupDefinition.MicrosoftTelemetry”: “f4-Redacted data-6aa”,
    “UTC:::CategoryDefinition.ms.CriticalData”: “140-Redacted data-318”,
    “UTC:::CategoryDefinition.ms.Measures”: “71-Redacted data-63”,
    “UTC:::CategoryDefinition.ms.Telemetry”: “321-Redacted data-32”,
    “UTC:::GroupDefinition.Microsoft-ApplicationInsights”: “0d-Redacted data-d0b”,
    “UTC:::GroupDefinition.Microsoft-ApplicationInsights-Dev”: “ba-Redacted data-3d”,
    “UTC:::GroupDefinition.xbox.xsapi”: “53b-Redacted data-af3”,
    “UTC:::GroupDefinition.Office”: “8DB-Redacted data-155”,
    “UTC:::GroupDefinition.Skype”: “9df-Redacted data-a89”,
    “UTC:::DownloadScenariosFromOneSettings”: “1”
    }

    To mitigate future infection, am considering removal alteration or perform a revocation of file permissions to utc.app.json and the hinky manifest files.

    4)Re the connections the malware opened, which may or may not have Mitm certificate pinning mitigation. My personal opinion is to mitigate by locking access to the data ex filtration end points.

    Firewall now blocks outbound access from your network to
    vortex-win.data.microsoft.com
    Name: VORTEX-cy2.metron.live.com.nsatc.net
    Address: 64.4.54.254
    Aliases: vortex-win.data.microsoft.com
    vortex-win.data.metron.live.com.nsatc.net
    vortex.data.glbdns2.microsoft.com

    settings-win.data.microsoft.com
    Non-authoritative answer:
    Name: OneSettings-bn2.metron.live.com.nsatc.net
    Address: 65.55.44.108
    Aliases: settings-win.data.microsoft.com
    settings.data.glbdns2.microsoft.com

    Chances are that anything outbound to “.data.microsoft” should likely be blackholed if you opt out of the “Idiots Do Opt Having Pervasive Surveillance Patches” IDOH-PSP program for short.

    Hope this helps to bring most of the malware workflow, as is early info on this new day of vendor sponsored in your face implants, info will likely be incomplete.


  • E-Payment Alert Notification From Another US Bank – Customer phishing scam

    A slightly unusual phishing scam today

    https://i2.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/12/scam_warning1.gif?fit=300%2C300&ssl=1

    The original email is nothing special and has a blank body and a PDF attachment. The PDF has a link to https://kamzink.com/redirect-new-alert-logon/redirect.htm which redirects you to ( or should redirect you to ) https://rattanhospital.co.in/new-usbank-security-update/usbank.com.online.logon/home  However this site only works in Firefox using Noscript when I block scripts from  omtrdc.net. ( which looks like an Adobe Marketing cloud analytics script)  Allowing scripts from that site display a blank page for me in all browsers.  I assume the phishers made a mistake and that script will only work on the genuine website so is  unable to display the page. This shows the error in just copy & pasting an entire website homepage  & just changing a few links on it.  Anyway, anything the phishers do wrong is a step in the right direction to protect users.

    Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

    The original email looks like this It will NEVER be a genuine email from your bank  any other company so don’t ever click the link in the email. If you do it will lead you to a website that looks at first glance like the genuine usbank website but you can clearly see in the address bar, that it is fake. Some versions of this and similar phishes will ask you fill in the html ( webpage) form that comes attached to the email.

    From: US BANK <unitedbankpayment.alert@communication.com>>

    Date: Wed 28/12/2016 08:15

    Subject: E-Payment Alert Notification From Another US Bank Customer

    Attachment: US_Bank_Payment_2_.pdf

    Body content:  Blank / Empty

    Following the link sends you to a site looking identical to the genuine usbank.com website ( with the above provisos)

    All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.


  • Mobile banking trojan now has encryption and is targeting over 2000 apps

    Security experts at Kaspersky Lab have discovered a modification of the mobile banking Trojan, Faketoken, which can encrypt user data. Kaspersky Lab has detected several thousand Faketoken installation packages capable of encrypting data, the earliest of which dates back to July 2016.

    Disguised as various programs and games, including Adobe Flash Player, the modified Trojan can also steal credentials from more than 2000 Android financial applications.

    To date, the modified Faketoken has claimed over 16,000 victims in 27 countries, with the most located in Russia, Ukraine, Germany and Thailand.

    The newly added data-encryption capability is unusual in that most mobile ransomware focuses on blocking the device rather than the data, which is generally backed-up to the cloud.

    In Faketoken’s case, the data – including documents and media files such as pictures and videos – is encrypted using AES symmetric encryption which can, in some cases, be decrypted by the victim without paying a ransom.

    During the initial infection process, the Trojan demands administrator rights, permission to overlay other apps or to be a default SMS application – often leaving users with little or no choice but to comply. Among other things, these rights enable Faketoken to steal data: both directly, like contacts and files, and indirectly, through phishing pages.

    The Trojan is designed for data theft on an international scale. Once all the necessary rights are in place, it downloads a database from its command and control server containing phrases in 77 languages for different device localisations.

    These are used to create phishing messages to seize passwords from users’ Gmail accounts. The Trojan can also overlay the Google Play Store, presenting a phishing page to steal credit card details.

    In fact, the Trojan can download a long list of applications for attack and even an HTML template page to generate phishing pages for the relevant apps. Kaspersky Lab researchers uncovered a list of 2249 financial applications.

    Intriguingly, the modified Faketoken also tries to replace application shortcuts for social media networks, instant messengers and browsers with its own versions. The reason for this is unclear as the substitute icons lead to the same legitimate applications.

    “The latest modification of the Faketoken mobile banking Trojan is interesting in that some of the new features appear to provide limited additional benefit for the attackers. That doesn’t mean we shouldn’t take them seriously. They may represent the groundwork for future developments, or reveal the ongoing innovation of an ever-evolving and successful malware family. In exposing the threat, we can neutralise it, and help to keep people, their devices and their data safe,” says Roman Unuchek, senior malware analyst at Kaspersky Lab.


  • New KillDisk wiper varient threatens industrial control networks with Ransomware Trojan

    The TeleBots gang, which recently attacked Ukrainian banks with KillDisk malware that used Mr. Robot imagery (pictured), may now be targeting industrial control systems with a ransomware variant.

    The TeleBots gang, which recently attacked Ukrainian banks with KillDisk malware that used Mr. Robot imagery (pictured), may now be targeting industrial control systems with a ransomware variant.

    The KillDisk disk-wiper program that was used in conjunction with BlackEnergy malware to attack Ukrainian energy utilities has evolved into ransomware that may be targeting industrial-control networks.

    According to researchers at CyberX, the new variant was developed by the TeleBots cybergang, which recently emerged from the Sandworm threat group that is believed to have disrupted the Ukrainian power grid offline in December 2015 and January 2016, and allegedly compromised U.S. industrial-control systems and SCADA systems in 2014. Earlier this year, ESET researchers reported that TeleBots was a using different version of KillDisk to conduct cybersabotage attacks against the Ukrainian financial sector.

    In a blog post on Tuesday, CyberX reported that the ransomware variant is distributed via malicious Office attachments and displays a pop-up message demanding 222 Bitcoins, which is currently the equivalent of approximately $206,000. The variant’s exorbitant ransom and its link to Sandworm suggests that the group could be actively launching ransomware attacks against industrial-control networks.

    KillDisk uses a mix of RSA 1028 public key and AES shared key algorithms to encrypt local hard-drives and network-mapped folders that are shared across organizations, CyberX further reported.


  • Android Trojan Switcher Infects Routers via DNS Hijacking – Android Trojan Switcher Infects Routers via DNS Hijacking

    A new Android Trojan uses a victims’ devices to infect WiFi routers and funnel any users of the network to malicious sites. The malware doesn’t target users directly – instead its goal is to facilitate further attacks by turning victims into accomplices.

     

    Researchers at Kaspersky Lab, who discovered the malware and dubbed it Switcher Trojan, claim they’ve seen two versions of the malware. Attackers have used both iterations to commandeer 1,280 wireless networks, most of them in China, according to Nikita Buchka, a mobile security expert with the firm.

    One version of the malware mimics a mobile client for the Chinese search engine Baidu. Another passes itself off as a version of an app used for locating and sharing WiFi login information. Once a victim has downloaded one of the versions, it gets to work attacking the router.

    The malware does so by carrying out a brute-force password guessing attack on the router’s admin web interface. Once in, Switcher swaps out the addresses of the router’s DNS servers for a rogue server controlled by the attackers along with a second DNS, in case the rogue one goes down.

    This makes it so queries from devices on the network are re-routed to the servers of the attacker, something that can open victims to redirection, phishing, malware and adware attacks.

    “The ability of the Switcher Trojan to hijack [DNS] gives the attackers almost complete control over network activity which uses the name-resolving system, such as internet traffic,” Kaspersky Lab said Wednesday, “The approach works because wireless routers generally reconfigure the DNS settings of all devices on the network to their own – thereby forcing everyone to use the same rogue DNS.”

    The creators of the Trojan were a little sloppy when it came to crafting parts of its command and control website however; they left a table complete with internal infection statistics publicly viewable. According to Buchka, who has reviewed the site, the attackers boast to have infiltrated 1,280 WiFi networks over the last several weeks.

    In a Securelist post on the malware posted Wednesday Buchka cautioned users to review their routers’ DNS settings for the following rogue servers: 101.200.147.153, 112.33.13.11, and 120.76.249.59. He also took the opportunity to encourage users – although for many it goes without saying – to verify that they’ve changed their routers’ default login and passwords.

    Several weeks ago a handful of router users in Germany fell victim when a variant of Mirai, the nasty malware that’s become synonymous with internet of things vulnerabilities, took hold of their devices. While those routers didn’t suffer from a hardcoded username/password vulnerability, they did have port 7547, usually used by internet service providers to remotely manage the device, open.

    The behavior of Switcher is somewhat similar to that of DNSChanger, malware that’s been repurposed as an exploit kit as of late. A recent campaign observed by Proofpoint was targeting wireless routers and changing DNS entries in order to steal traffic. In that instance routers made by D-Link, Netgear, Pirelli and Comtrend were vulnerable. According to Buchka, the hardcoded names of input fields and the structures of the HTML documents that the Switcher Trojan tries to access suggests it may work only on web interfaces of TP-LINK Wi-Fi routers.


  • Microsoft PowerPoint Vulnerable to Zero-Day Attack

    New Windows zero day being exploited through PowerPoint

    Summary: A vulnerability exists in Windows OLE for all versions except Server 2003. The company has released a workaround to block known attacks, but newer attacks could still get through.

    Microsoft has disclosed a vulnerability affecting all supported releases of Microsoft Windows, excluding Windows Server 2003. The attack is being exploited through limited, targeted attacks using Microsoft PowerPoint.

    Microsoft has released a Fix it “OLE packager Shim Workaround” that should stop the known PowerPoint attacks. It does not stop other attacks that might be built to exploit this vulnerability. The Fix it is not available for 64-bit editions of PowerPoint on x64-based editions of Windows 8 and Windows 8.1.

    There are some important mitigating factors for this problem. It is a remote code execution vulnerability, so if a user opens an affected Office document, the attacker would gain control of the system with the same privileges as the user. Using Windows with limited permissions limits the damage this attack can cause.

    Microsoft reports that in the attacks they know of, a User Account Control (UAC) prompt was raised when the user opened the document. This is not typical behavior and should alert many users that something is wrong.

    Attacks could be sent through files other than Microsoft Office documents, if the handling application supports OLE objects. In reality, Office documents are the obvious vehicle for spreading such an attack.

    The security advisory describing the problem also includes instructions for configuring the Enhanced Mitigation Experience Toolkit 5.0 to protect against the known attacks.

     

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida


  • Privacy criticism hits OSX Yosemite over Location data and Safari Search Results being submitted to apple

    apple rainbow logo

    Apple has fixed a huge number of security vulnerabilities in OS X and iTunes and, at the same time, is being hit with criticisms about privacy issues in the new version of OS X.

    The latest version of the operating system, known as Yosemite, sends location information to Apple by default via the Spotlight search feature, something that has angered users and privacy advocates. Yosemite was released to users on Oct. 17 and within hours users began reporting that highly specific location data was being sent from their machines back to Apple. The feature that enables this data collection and transmission is Spotlight, a powerful search function in OS X that in Yosemite now has the ability to return search results not just from the user’s Mac, but also from iTunes, the App Store and the Web.

    APPLE COLLECTS USERS’ DATA AND FORWARDS IT TO MICROSOFT AS WELL

    On one hand, where Apple decided to enable hard drive encryption by default, despite the FBI requests not to do so. But on the other, the company is itself putting its users’ privacy on risk. The same data Apple collects from the users’ searched term on Spotlight will also be forwarded to Microsoft’s Bing search engine as Apple freely admits in its terms of service.

     

    When a user has location services on her Mac enabled, some of the data from searches, including location information, is sent to Apple.

    “When you use Spotlight, your search queries, the Spotlight Suggestions you select, and related usage data will be sent to Apple. Search results found on your Mac will not be sent. If you have Location Services on your Mac turned on, when you make a search query to Spotlight the location of your Mac at that time will be sent to Apple. Searches for common words and phrases will be forwarded from Apple to Microsoft’s Bing search engine. These searches are not stored by Microsoft. Location, search queries, and usage information sent to Apple will be used by Apple only to make Spotlight Suggestions more relevant and to improve other Apple products and services,” the disclaimer in Yosemite says.

    HOW TO PROTECT YOURSELF

    Users can turn off Spotlight Suggestions and Bing Web searches in System Preferences which are enabled by default, noted the company.

    A developer has created a Python script which you can  Download The Script  from our site to prevent Apple from collecting data, so you can switch off the Spotlight search by going through step-by-step instructions for doing it.

    Disable “Spotlight Suggestions” and “Bing Web Searches” in System Preferences > Spotlight > Search Results.

    Safari also has a “Spotlight Suggestions” setting that is separate from Spotlight’s “Spotlight Suggestions.” This uses the same mechanism as Spotlight, and if left enabled, Safari will send a copy of all search queries to Apple.

    You’d be forgiven for thinking that you’d already disabled “Spotlight Suggestions,” but you’ll also need to uncheck “Include Spotlight Suggestions” in Safari > Preferences > Search.

    “Yosemite Spotlight’s default sending of precise location and search terms is probably the worst example of ‘privacy by design’ I’ve seen yet.

    On the security side of things, Yosemite includes fixes for dozens of vulnerabilities, several of which can result in remote code execution. Yosemite includes a patch for the Bash Shellshock vulnerability as well as fixes for flaws in a number of components, such as the app sandbox, IOKit, the OS X kernel and many others. One of the more serious issues fixed in this release is a problem with the 802.1x implementation that could allow an attacker to get the user’s credentials.

    “An attacker could have impersonated a WiFi access point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash, and used the derived credentials to authenticate to the intended access point even if that access point supported stronger authentication methods. This issue was addressed by disabling LEAP by default,” Apple said in its advisory. 

    There’s also a fix for a vulnerability in the way that OS X handled altered apps.

    “Apps signed on OS X prior to OS X Mavericks 10.9 or apps using custom resource rules, may have been susceptible to tampering that would not have invalidated the signature. On systems set to allow only apps from the Mac App Store and identified developers, a downloaded modified app could have been allowed to run as though it were legitimate. This issue was addressed by ignoring signatures of bundles with resource envelopes that omit resources that may influence execution,” the advisory says.

    In the new version of iTunes, Apple has fixed a bug that could allow an attacker with man-in-the-middle position to crash iTunes or execute arbitrary code. The release of iTunes 12.01 also includes patches for dozens of memory corruption vulnerabilities in WebKit.

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida


  • ONE MILLION people already running Windows 10

     

    Microsoft announced early this week that they have released a Technical Preview of Windows 10. This sounds awesome. Because I always loved the moment when new OS release comes from Microsoft. People were expecting Windows 9 after the previous 8.1 but it was quite surprising that Microsoft Skipped 9 and released Windows 10.

    Microsoft has revealed that a million people have signed up for the Windows Insider Program it is using to offer early access to Windows 10 for those willing to test the operating system’s early iterations.

    Of those crash test dummies, Redmond says 36 per cent are running the OS in a virtual machine.That leaves about 650,000 people running Windows 10 on bare metal.

    Microsoft says

    “Insiders” have delivered “over 200,000” pieces of feedback. If the list of most-requested features Microsoft has presumably allowed to reach Paul Thurrott’s Supersite for Windows is any guide, feedback is not coming from sysadmins: most requests concern minor UI tweaks and aesthetics, although “Make it easier to use a local account” is the third-most-requested new feature.

     

    SNEAKPEAK

    Well if you are not familiar with previous release then Download Windows 8.1 ISO first. Then you can have better picture what changes Microsoft brought in this Metro Style User Interface. There was large community which was preferring Windows 7 on these new Metro Interface operating Systems. That’s why Microsoft had to take a new step. This time they created a Mix of Windows 7 and Windows 8 to create the New Windows 10.

    Windows 10 Download ISO 64 bit Free

    Features of Windows 10 Technical Preview

    Below are some noticeable improvements which you’ll get after Windows 10 Download ISO 32 Bit 64 Bit.

    • New Cleaned Start Menu.
    • Mix of Windows 7 Menu and Windows 8 Metro Interface.
    • Virtual Desktops Feature.
    • Task View Option with Arrays of Virtual Desktops.
    • Dynamically Resizing of Windows Apps.
    • Huge Search Improvements.

    More Features can be seen when you Download Windows 10 ISO.

    Windows 10 Download ISO 32 Bit 64 Bit

    Windows 10 Technical Specs

    • Software Full Name: Windows 10 Technical Preview 32 Bit 64 Bit English
    • Setup File Name: WindowsTechnicalPreview-x86-EN-US.iso (32 Bit), WindowsTechnicalPreview-x64-EN-US.iso (64 Bit)
    • Full Setup Size: 2.93 GB (32 Bit), 3.81 GB (64 Bit)
    • Setup Type: Offline Installer / Full Standalone Setup:
    • Compatibility Architecture: 32 Bit (x86) / 64 Bit (x64)
    • Latest Version Release Added On: 2nd Oct 2014
    • License: Free
    • Developers: Microsoft

    Minimum System Requirements for Windows 10

    Before you start Windows 10 Download ISO 32 Bit 64 Bit, Make sure you PC meets minimum system requirements.

    • Processor: 1 GHz
    • Memory (RAM): 1 GB (For 32 Bit), 2 GB (For 64 Bit)
    • Space: 16 GB Free Hard Disk Space

    Microsoft’s not saying when the feedback will result in a new release of of the OS, or when it will go on sale. ®


  • TripAdvisor’s Viator Hit by Massive 1.4 Million Payment Card Data Breach


    TripAdvisor’s Viator Hit by Massive 1.4 million Payment Card Data Breach

    TripAdvisor has reportedly been hit by a massive data breach at its Online travel booking and review website Viator, that may have exposed payment card details and account credentials of its customers, affecting an estimated 1.4 million of its customers.

    The San Francisco-based Viator, acquired by TripAdvisor – the world’s largest travel site – for £122 million (US$ 200 million) back in July, admitted late on Friday that the intruders have hacked into some of its customers’ payment card accounts and made unauthorized charges.

    The data breach was discovered in the bookings made through Viator’s websites and mobile offerings that could potentially affect payment card data.

    Viator said that the company has hired forensic experts to figure out the extent of the breach. Meanwhile, the company has begun notifying its affected customers about the security breach as said by the travel outfit in a press release.

    “On September 2, we were informed by our payment card service provider that unauthorized charges occurred on a number of our customers’ credit cards,” Viator wrote. “We have hired forensic experts, notified law enforcement and we have been working diligently and comprehensively to investigate the incident, identify how our systems may have been impacted, and secure our systems.”

    “While our investigation is ongoing, we are in the process of notifying approximately 1.4 million Viator customers, who had some form of information potentially affected by the compromise.”

    During investigation it found that the cybercriminals have broken into its internal databases and accessed the payment card data – including encrypted credit or debit card number, card expiration date, name, billing address and email address – of approximately 880,000 customers, and possibly their Viator account information that includes email address, encrypted password and Viator ‘nickname.’

    Additionally, the intruders may have also accessed the Viator account information, including email addresses and encrypted passwords, of over 560,000 Viator customers.

    According to the company, Debit-card PIN numbers were not included in the breach because Viator does not store them. The travel advisor said that they believe that the CVV number, the security numbers printed on the back of the customer’s credit card, were also not stolen in the breach.

    For those who are affected by the breach in United States, Viator is offering them identity protection and credit card monitoring services for free and and the company is also investigating the possibility of offering similar services to customers outside the country.

    Meanwhile, the company has warned its affected customers to regularly monitor their card activity and report any fraudulent charges to their card company. “Customers will not be responsible for fraudulent charges to their accounts if they are reported in a timely manner,” Viator said.

    Viator also recommends its users to change their password for the site, as well as all other websites that uses the same credentials.

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida