• Tag Archives online threats
  • Using DNS to weaken Locky ransomware threat

    Ransomware and other cyberthreats often go unseen by traditional detection methods like antivirus, deep packet inspection (DPI) or sandboxing. In fact, a report by Lastline Labs indicates that 51% of zero-day malware—threats that strike before developers have time to release a patch—is undetected by anti-virus solutions. So what can security professionals do to stop attacks? The answer lies, in part, in DNS.

    One of the most powerful ransomware threats currently targeting individuals and organizations is Locky, which infects up to 100,000 devices per day, of which 3% submit payments. Cybersecurity experts estimate that Locky possesses 17% of the entire global market share for all ransomware infections.

    First, let’s look at a few statistics that demonstrate the power and expense of Locky:

    Locky is typically delivered through aggressive spam campaigns, often claiming to be an invoice. Despite the known dangers of clicking on links in unknown emails, Locky is so sly it entices even trained IT staff to click on obscure messages and activate downloads.

    Once a download has completed, Locky connects with its Command & Control (C&C) server to get a cryptographic key to use for encryption. There are three known mechanisms for Locky to reach its C&C hosts:

    1. Direct IP communication
    2. A number of fixed domains
    3. A time-based Domain Generation Algorithm (DGA) that creates a set of random-looking domains that are only valid for a few days

    Here is where DNS can play a role. DNS data can be analyzed to identify C&C connection mechanisms. When these communications are blocked, Locky’s ability to obtain encryption keys is limited, giving infected users a better chance of being protected.

    Unfortunately, the DGA used by Locky to generate domains and get encryption keys is marked with the current time period combined with a secret seed, making it harder to block new domains quickly. Locky changes seeds frequently, and reverse engineering current versions of the malware to discover each new seed takes time. Every new seed indicates another wave in the life of the exploit, so until there is an accurate way to identify traffic associated with Locky, it can’t be permanently blocked.

    But examination of a worldwide feed of anonymized DNS queries, along with anomaly detection and correlation technology, makes it possible to identify suspected domains used by Locky to download encryption keys in real time. ForcePoint is one company that has done some work to reverse engineer the DGA used by Locky. By using the existing DGA and conducting some additional processing of suspect domains, it is possible to determine new seeds used by Locky, thereby enumerating all future new domains Locky will use.

    Below is a sampling of more recent domains created by Locky as detected by our DNS algorithms:

    • mrjuvawlwa[.]xyz
    • uydvrqwgg[.]su
    • uwiyklntlxpxj[.]work
    • owvtbqledaraqq[.]su
    • udfaexci[.]ru
    • eabfhwl[.]ru
    • olyedawaki[.]pl
    • uxwfukfqxhydqawmf[.]su
    • ikdcjjcyjtpsc[.]work
    • wrbwtvcv[.]su
    • osxbymbjwuotd[.]click
    • qtuanjdpx[.]info

    As Locky and other types of ransomware become more adept at avoiding detection and remediation, new strategies need to be used to combat them. Many of the new cyberthreat strategies make traditional malware block lists less effective. Facing DGAs with fast-changing seeds, security researchers must constantly identify the new seeds used by each wave of phishing to pre-generate domains. Once new seeds are released the old ones immediately become obsolete.

    By utilizing a broad set of DNS query data, it is possible to detect and track the evolution of generated domains through a variety of algorithmic methods such as clustering, reputation scoring, reverse engineering and additional methods that continuously evolve. Recent innovations include anomaly detection algorithms, new domain clustering and a Domain Reputation System that resulted in almost 100,000 domains and C&Cs provisioned daily for blocking.

    By employing these advanced methods, suspicious domains can be detected with a high level of accuracy very quickly, and false positives can also be weeded out so good traffic can still reach legitimate sites. Currently, this is the best defense against Locky. Service providers and companies can use this technique to protect their online users from having their files encrypted, and identify machines that have been infected.

    Locky provides ample evidence that attackers are continuously innovating. Staying one step ahead requires cybersecurity expertise and real-time processing of massive, worldwide data sets to uncover malicious activity. Blocking traffic to these domains is a good way to avoid the threat of Locky, and expert security teams that take the right steps to understand its behavior and put appropriate measures in place to protect would-be victims will render cyberthreats much less effective.


  • TripAdvisor’s Viator Hit by Massive 1.4 Million Payment Card Data Breach


    TripAdvisor’s Viator Hit by Massive 1.4 million Payment Card Data Breach

    TripAdvisor has reportedly been hit by a massive data breach at its Online travel booking and review website Viator, that may have exposed payment card details and account credentials of its customers, affecting an estimated 1.4 million of its customers.

    The San Francisco-based Viator, acquired by TripAdvisor – the world’s largest travel site – for £122 million (US$ 200 million) back in July, admitted late on Friday that the intruders have hacked into some of its customers’ payment card accounts and made unauthorized charges.

    The data breach was discovered in the bookings made through Viator’s websites and mobile offerings that could potentially affect payment card data.

    Viator said that the company has hired forensic experts to figure out the extent of the breach. Meanwhile, the company has begun notifying its affected customers about the security breach as said by the travel outfit in a press release.

    “On September 2, we were informed by our payment card service provider that unauthorized charges occurred on a number of our customers’ credit cards,” Viator wrote. “We have hired forensic experts, notified law enforcement and we have been working diligently and comprehensively to investigate the incident, identify how our systems may have been impacted, and secure our systems.”

    “While our investigation is ongoing, we are in the process of notifying approximately 1.4 million Viator customers, who had some form of information potentially affected by the compromise.”

    During investigation it found that the cybercriminals have broken into its internal databases and accessed the payment card data – including encrypted credit or debit card number, card expiration date, name, billing address and email address – of approximately 880,000 customers, and possibly their Viator account information that includes email address, encrypted password and Viator ‘nickname.’

    Additionally, the intruders may have also accessed the Viator account information, including email addresses and encrypted passwords, of over 560,000 Viator customers.

    According to the company, Debit-card PIN numbers were not included in the breach because Viator does not store them. The travel advisor said that they believe that the CVV number, the security numbers printed on the back of the customer’s credit card, were also not stolen in the breach.

    For those who are affected by the breach in United States, Viator is offering them identity protection and credit card monitoring services for free and and the company is also investigating the possibility of offering similar services to customers outside the country.

    Meanwhile, the company has warned its affected customers to regularly monitor their card activity and report any fraudulent charges to their card company. “Customers will not be responsible for fraudulent charges to their accounts if they are reported in a timely manner,” Viator said.

    Viator also recommends its users to change their password for the site, as well as all other websites that uses the same credentials.

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida


  • First Android Phone Ransomware that Encrypts your SD card Files

    We have seen cybercriminals targeting PCs with Ransomware malware that encrypts your files or lock down your computer and ask for a ransom amount to be paid in a specified duration of time to unlock it.
    To deliver the Ransomware malwares to the mobile devices, cyber criminals have already started creating malicious software programs for android devices. Last month, we reported about a new Police Ransomware malware that locks up the devices until the victims pay a ransom to get the keys to unlock the phone. But, the malware just lock the mobile screen and a loophole in the its implementation allowed users to recover their device and data stored on SDcard.

    Now, in an effort to overcome this, threat actors have adopted encryption in the development of mobile Ransomware malwares. Recently, the security firm ESET has discovered a new Android ransomware, dubbed as Android/Simplocker.A, that has ability to encrypt the files on the device SD card and then demand a ransom from the victim in order to decrypt those files.

    Once installed, the malware scans the SD card for certain file types such as image, document or video with extensions – jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4 and encrypts them using AES in a separate thread in the background. After encrypting the files, the malware displays the following ransom message, written in Russian, which clearly means that this threat is targeting Russian Android users.

    WARNING your phone is locked!
    The device is locked for viewing and distributing child pornography , zoophilia and other perversions.
    To unlock you need to pay 260 UAH.
    1.) Locate the nearest payment kiosk.
    2.) Select MoneXy
    3.) Enter {REDACTED}.
    4.) Make deposit of 260 Hryvnia, and then press pay. Do not forget to take a receipt!
    After payment your device will be unlocked within 24 hours. In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!

    The Ransomware malware directs victim to pay the ransom amount i.e. 260 UAH, which is roughly equal to $21 US, through the MoneXy service, as this payment service is not easily traceable as the regular credit card.

    mobile virus

    To maintain anonymity the malware author is using the Command-and-Control server hosted on TOR .onion domain and the malware sends the information of the infected device such as IMEI number to its server. The researchers at ESET are still analysing the malware:

    Our analysis of the Android/Simplock.A sample revealed that we are most likely dealing with a proof-of-concept or a work in progress – for example, the implementation of the encryption doesn’t come close to “the infamous Cryptolocker” on Windows.

    The researchers have found that the malware is capable to encrypt the victim’s files, which could be lost if the decryption key is not retrieved from the malware author by paying the ransom amount, but on the other hand the researchers strongly advise users against paying fine, as their is no guarantee that the hacker will provide you decryption keys even after paying the amount.
    Unfortunately, mobile antivirus products are only capable to detect such known/detected threats only and can’t detect similar the new threats. So, it is important for you to always keep the back-up of all your files either manually on the computer system or use cloud backup services like dropbox, google drive etc, in order to protect it from the emerging threats.

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida

    mobile virus
    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable

     


  • Windows Efficiency Kit Virus

    Windows Efficiency Kit is a rogue anti-spyware program from the Rogue.FakeVimes family of computer infections. This program is considered scareware because it displays false scan results, fake security warnings, and does not allow you to access your legitimate Windows applications. Windows Efficiency Kit is distributed through web sites that display a fake online virus scanner that states your computer is infected and then prompts you to download the installation file. This infection is also promoted by hacked web sites that contain exploit code that tries to install the infection on your computer without your permission or knowledge.

    Once Windows Efficiency Kit is installed it will be configured to automatically start when you login to Windows. Once started, it will pretend to scan your computer and then states that there are numerous infections present. If you attempt to remove any of these supposed infections, the program will state that you first need to purchase a license before being allowed to do so. As all of the scan results are false, please ignore any prompts to purchase the program.

    Windows Efficiency Kit screen shot

    To protect itself from being removed, Windows Efficiency Kit will also block you from running any legitimate application on your computer. It does this to prevent you from running legitimate security software that may detect it as an infection and remove it. The message that you will see when you attempt to run a program is:

    Firewall has blocked a program from accessing the Internet

    Internet Explorer
    C:\Program Files\Internet Explorer\iexplore.exe

    is suspected to have infected your PC.
    This type of virus intercepts entered data and transmits them
    to a remote server.

    When you see this message please ignore it as your programs are not infected and will work normally after this infection is removed.

    While Windows Efficiency Kit is running it will also display fake security alerts that are designed to make you think your computer has a severe security problem. Some of these warnings include:

    Error
    There’s a suspicious software running on your PC. For more details, run a system file check.

    Error
    Trojan activity detected. System data security is at risk. It is recommended to activate protection and run a fully system scan.

    Just like the scan results, these warnings are fake and can be ignored.

    Without a doubt, this infection was created for the sole reason of scaring you into purchasing it. It goes without saying that you should definitely not purchase Windows Efficiency Kit, and if you already have, please contact your credit card company and dispute the charges stating that the program is a scam and a computer virus. To remove Windows Efficiency Kit and other related malware, PLEASE VISIT OUR WEBSITE

    CALL – COMPUTER REPAIR at 754-234-5598 if you are infected by any of these viruses.

    www.ccrepairservices.com