With the highly publicized release of Microsoft’s Windows 10 on July 29th, scammers and malware developers were quick to jump in and use it as a method of distributing malware. Cisco’s Talos Group has discovered a email campaign underway that pretends to be from Microsoft and contains an attachment that will supposedly allow you to upgrade to Windows 10. In reality, though, this email is fake and once you double-click on the attached file, you will instead become infected with the encrypting ransomware CTB-Locker.
Image of fake Windows Update Email courtesy of Cisco
As you can see the email pretends to be from the email address firstname.lastname@example.org and contains the subject [b]Windows 10 Free Update. Even the email message looks legitimate with no spelling mistakes or strange grammar. This is because the content is copied directly from Microsoft’s site. The only tell-tale sign is that there will be some characters that do not render properly. Unfortunately, this small sign will not be enough for many people to notice.
Furthermore, once they download the attachment and extract it, the attached Win10Installer.exe icon will be the familiar Windows 10 logo.
It isn’t until you inspect the file properties of the attachment, do you see that something is not right as its file description will be iMacros Web Automation and the copyright for the program will belong to Ipswitch. Ipswitch is a legitimate company and not the ones who released this malware.
Finally, if a user double-clicks on the Win10Installer.exe file, they will not be greeted with the normal Windows 10 upgrade screen. Instead, after a brief delay they will be shown the screen for the CTB-Locker ransomware.
At this point, the computer’s data will be encrypted and there is not much that can be done about it.
Since the Angler Exploit Kit began in late May spreading Cryptowall 3.0 ransomware, traffic containing the malware has continued to grow, putting more potential victims in harm’s way.
A week ago, the SANS Internet Storm Center reported that Cryptowall 3.0 infections are emanating from not only the prolific exploit kit, but also from malicious spam campaigns. The two means of infections share some common characteristics, lending credence to the theory that the same group may be behind both. Version 3.0 is the latest iteration of Cryptowall, which is also known as Crowti. Like other ransomware families, Cryptowall 3.0 encrypts files stored on a compromised computer and demands a ransom, usually $500 payable in Bitcoin, in exchange for the encryption key. The malware uses numerous channels to communicate and send stolen traffic to its keepers, including I2P and Tor anonymity networks. Researchers at Cisco in February said that Cryptowall 3.0 abandoned using a dropper for propagation, opting instead to use exploit kits.
As of this morning, SANS incident handler and Rackspace security researcher Brad Duncan said that the latest run of Angler Exploit Kit traffic showed that the attackers had added a different Bitcoin address than the one used previously.
At this point, I’m not 100 percent certain it’s the same actor behind all this Cryptowall 3.0 we’ve been seeing lately,” Duncan wrote on the SANS ISC website. “However, my gut feeling tells me this activity is all related to the same actor or group. The timing is too much of a coincidence.
Duncan said that a check on blockchain.info for activity on the two Bitcoin addresses shows some transactions, indicating some victims are paying the ransom.
“We’re seeing a lot more samples of CryptoWall 3.0 in the spam/EK traffic now than before, so maybe the increased exposure might help infect more computers,” Duncan said, adding that he had no data on whether any of the victims who did pay the ransom were receiving encryption keys and are able to salvage their data.
Duncan said this latest spike began May 25 from both the malicious spam and Angler angles; both campaigns were still active as of early this morning.
The spam campaign uses Yahoo email addresses to send Cryptowall 3.0 via attachments. The attachments are called my_resume.zip and contain an HTML file called my_resume.svg. Duncan said the attackers have begun appending numbers to the file names, such as resume4210.html or resume9647.html.
Opening the attachment and extracting the malicious file gives you an HTML document. If you open one of these HTML files, your browser will generate traffic to a compromised server,” Duncan wrote. “The return traffic is gzip compressed, so you won’t see it in the TCP stream from Wireshark. Exporting the text from Wireshark shows HTML that points to a shared document from a Google server.
Cryptowall is hosted on a number of different docs.google.com URLs, he said, a list of which is posted on the SANS website. The Bitcoin address used for payment in the spam campaign is 16REtGSobiQZoprFnXZBR2mSWvRyUSJ3ag, the same address found in other spam samples.
Infections coming from Angler began May 26, and were the first Cryptowall 3.0 infections seen from Angler. The Bitcoin address used in Angler infections is 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB, SANS said. Duncan reports that a second Bitcoin address, 12LE1yNak3ZuNTLa95KYR2CQSKb6rZnELb, was used as of today.
“There are any number of reasons to use more than one Bitcoin address. It could be a back-up, in case law enforcement is closing in on the other one. It could be a way to track different infections, geographically,” Duncan said. “I’m not sure on this one. It’s just my gut feeling, which could be wrong.”
Duncan said that a new slate of WordPress sites were redirecting to Angler in this campaign, based on web injects observed.
“The significance is that there are plenty of vulnerable websites running outdated or unpatched versions of WordPress,” Duncan said. “The actors behind this (and other) campaigns will have a continuous supply of websites that can be compromised and used for these efforts.”
If you need your computer up and running today, Call a reliable PC technician. Proudly Serving and providing on site local service in South Florida. Online service repair technicians available Anytime, Any day, Anywhere. Call 754-234-5598
Complete Computer Repair
SOME OF OUR COMPUTER AND NETWORK SERVICES
Networking — home office / business • Onsite PC support and installation • Hard drive Failure / Laptop Motherboard Repair • Data Backup and Data recovery • Malware, Viruses, Trojans, Rootkits, Ransomeware and Spyware Removal • Screen Replacement and repair • Apple Repair, PC Repair, Laptop Repair, Desktop Repair • Computer Upgrades and Build Custom Computers • Windows Upgrade, OSX Upgrades • Memory Upgrade, Hard drive upgrade, • Network Security, Secure Your Network, Internet Security • Wireless routers Installations • Wireless Printers Installation and Configuration • Anti-Virus Protection and Configuration • Windows Recovery for XP, Vista, Windows 7, windows 8, windows 10 • Re install Windows 98, Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10 Installations
–> We have computer parts for sale at low prices new and old for every make and model, HP, Compaq, Acer, Lenovo, Dell, Asus, Samsung, Toshiba, Sony, IBM, Emachines, Fujitsu, MSI and more.
*Lower prices than Geek Squad Fort Lauderdale, CompUSA Fort Lauderdale, Tiger Direct Fort Lauderdale, Staples Fort Lauderdale, Office Depot Fort Lauderdale, Online Virus Removal Sites, Local Computer Repair Shops. If you find a lower price call us and we will match that price. Computer Repair Coupons welcome, Computer repair discount for seniors.
Google is always keen to downplay the problem of malware on Android, for obvious reasons, but that doesn’t make the underlying threats any less troubling. New threats are being discovered all the time, and as the platform grows – with over 1.5 million Android devices being activated every day – the potential to infect ever more devices grows too.
It must be said that Google does a pretty decent job when it comes to eliminating malware from its own Play Store – less than 0.1% of apps there contain malicious code, according to F-Secure (pdf) – and efforts such ason-device monitoring have also helped to limit the impact of rogue software. But third-party Android stores fare considerably worse than this; according to Forbes, in one third-party store, a staggering 33% of apps were found to be infected.
One such threat was documented by security researcher Szymon Sidor this week, who found that by creating an app that exploited a simple loophole in the OS, he was able to get a device to capture photos using its camera, and then upload them to a remote server, without the user having so much as a hint that anything untoward had happened.
Your phone could be taking photos of you looking like this, without you knowing!
Sidor said that he had observed numerous apps on Google Play that were capable of taking photos covertly, but each of them required a visible indication of the app’s activity on screen and, critically, for the screen to be switched on. As he wrote on his Snacks For Your Mind blog, he set about trying to see if there was a way to perform the same task, but without that visible indication.
He succeeded, and he was able to do so by exploiting a simple loophole in Android’s security features. Android requires that, when a photo is being taken, a preview of the image viewfinder must be shown on the screen; it’s a measure to ensure that users know that the camera is engaged and not taking photos or videos of them without their knowledge.
But Sidor adjusted the code in his testbed app to continue displaying that preview, but only on a single pixel. That makes it completely impossible for a user to be able to see the preview, and therefore none the wiser if an app were to covertly be capturing snaps of them and uploading them elsewhere. The app was also able to capture other details from the device, such as battery level (crucial in helping to avoid detection of the app via its battery drain), and even the current location of the device. Check out the video below:
Perhaps the most disturbing finding is revealed in this little snippet (emphasis is ours):
The result was amazing and scary at the same time – the pixel is virtually impossible to spot on Nexus 5 screen (even when you know where to look)! Also it turned out that even if you turn the screen completely off, you can still take photos, as long as the pixel is still there.
Sidor’s post on his findings is well worth a read – and he also includes a few handy tips on how to protect yourself from the threat of malicious apps on your Android device. He acknowledges that he was not, in fact, the first to discover this flaw, but also adds that he has contacted Google with the details of his own research, in the hope that they will close the loophole with a future security patch.
Serving all Broward and Miami Dade County All Broward County Service Area Coconut Creek Cooper City Coral Springs Dania Beach Deerfield Beach Fort Lauderdale Hallandale Beach Hollywood Lauderdale Lakes Lauderhill Lighthouse Point Margate Miramar North Lauderdale Oakland Park Parkland Pembroke Pines Plantation Pompano Beach Sunrise Tamarac Westpark Weston Wilton Manors Hollywood Hills Miami Hialeah Opalocka Miami Springs North Miami Beach Sunny Isles Golden Beach South Beach and more.
NEW Laptop screens for sale, Computer Repair PC Windows and MAC OSX. Virus Removal, Broken Screen Repair Service and More. Currently in stock screen size 8.9 10 10.1 11.6 13 14 14.1 14.5 15 15.4 15.5 15.6 16 16.5 17 17.1 17.3 LED CCFL Bulb LCD type, cable & laptop screen inverter for sale
Manufacturer Screen for DELL HP COMPAQ ASUS ACER LENOVO IBM GATEWAY SONY SAMSUNG TOSHIBA APPLE
APPLE COMPUTER: MACBOOK PRO 17 Model A1229 MACBOOK PRO 17 Model A1151 MACBOOK PRO 17 Model A1261 MACBOOK PRO 17 Model A1212 MACBOOK PRO 17 Model A1229 MACBOOK PRO 17 Unibody Model A1297 MACBOOK PRO 15 Model A1226 MACBOOK PRO 15 Model A1150 MACBOOK PRO 15 Model A1211 MACBOOK PRO 15 Unibody Model A1286 MACBOOK PRO 15 Model A1260 MACBOOK PRO 13 Unibody Model A1384 MACBOOK PRO 13 Unibody Model A1278
WINDOWS PC: TravelMate – Extensa – Ferrari – Aspire Asus Eee – Lamborghini Inspiron, Latitude – Precision – Studio – Vostro – XPS – Studio XPS – Alienware – Mini – Legacy System Adamo LifeBook – Stylistic Pavilion – HP Omnibook – Envy – EliteBook – ProBook ThinkPad – IdeaPad – 3000 Sens – VAIO Series – eMachines – Gateway – Solo – Series Compaq Dynabook – Portege – Tecra – Satellite – Qosmio – Libretto