• Tag Archives rootkit
  • Proteus botnet Malware with Remote Access

     

    The Proteus botnet emerged toward the end of November 2016.  Only a few samples of it were found in the wild and, at the moment, it doesn’t seem to have a widespread campaign.  So, what does it do? It launches a multi-layered attack on an infected machine where it runs several processes aimed at coin mining, credential theft, and keylogging.  In addition, the bot can perform on its own; it offers the cybercriminal to send commands over HTTP to download malicious executables and execute them.

     

    In some samples, the botnet disguises itself as a Google Chrome executable. The functionality of the botnet is highly reliant on its C&C (command and control) server, hxxp://proteus-network[.]biz or hxxp://proteus-network[.]ml (the latter is inaccessible). The URL is hardcoded in the sample and is contacted multiple times to obtain necessary credentials for the tasks the botnet performs. The host name also appears in Pastebin, under the URL hxxp://pastebin[.]com/raw/LidbEiiR, in its encrypted form, and the botnet can retrieve the domain from there as well.

     

    The botnet starts by identifying the infected machine and obtaining the operating system’s info (whether 64 or 86 bit), the machine’s name, and the Windows version. All of the information is sent to the C&C to “register” the machine.

     

    After the machine is acknowledged by the C&C, the botnet proceeds to perform different tasks. As the botnet contacts the C&C to receive various pieces of information, the web requests are sent along with an encrypted string specifying the purpose of the request. These encrypted strings perform the following functions:

     

    • api/register – Register the infected machine
    • api/ping – Check if the machine is already registered
    • api/module – Check the mining module
    • api/proxy – Use reverse proxy
    • api/command – Receive commands from the C&C
    • api/account – Receive an account from the C&C
    • api/log – Handle the key logging document

     

    The header section of the HTTP requests is similar throughout the different sections of the source code:

    Content-type: application-json

    Authorization: {2D592824-48DE-49F8-8F96-A40B3904C794}

     

    When contacting the C&C, a POST request is sent with one of the above modes appended to the domain’s name, for example, hxxp://proteus-network.biz/api/log. The C&C sends a response to this request, which is then parsed by the botnet in search for the C&C’s reply.

     

    CheckerTask:

     

    The CheckerTask starts by contacting the C&C with the api/account string appended to the domain’s name. After sending a POST request, it receives a four-tuple composed of an account ID, an e-mail, a password, and the account type. The botnet attempts to access and steal the user’s credentials from a number of online websites, including:

     

    • eBay.com
    • otto.de
    • amazon.de
    • breuninger.com
    • dhl.de
    • netflix.com
    • coderbay.net
    • zalando.de

     

    The majority of these websites are German-based and the botnet searches for German words appearing in the responses. This leads us to believe this specific sample of Proteus targets are German victims. For example, if the message received from the website includes the phrase “stimmen nicht mit den bei uns hinterlegten Daten”, which means, “This does not match the data provided by us”. The botnet attempts to change the password’s first character from lower case to upper case or to append the character “1” to the end of the password and tries to log in again after three seconds. The response from the website is then checked to harvest more information about the victim, including name, address, country, bought and sold items, seller type and the last feedback received.

     

    Some of the websites which the CheckerTask tries to steal the credentials from may include a Captcha to prevent such automated logins. The Proteus botnet uses Death by Captcha (DBC), an API which solves any given Captcha and turns it into a text that the botnet can insert into the website, and proceeds with the login. Using DBC requires a username and a password, which are both hardcoded into the sample to enable Captcha analysis. We have managed to access the DBC account used in the sample, and found that it resolved 200 Captchas so far, which could hint to the number of successfully infected machines.

     

    LoggerTask:

     

    This task performs key logging on the infected machine. It starts by initializing a list of all the keyboard keys, and stores the logged keys into a file called tmpV213.txt found under the TEMP directory. When this file includes more than 250 characters, it is cleared and its content is sent to the C&C along with the api/log string.

     

    CommandsTask:

     

    This task receives commands from the C&C. The botnet sends a request to the C&C with the fingerprint and the api/command string. If the C&C sends a command to download a file, a new directory is created in the TEMP folder using a GUID, and a file called temp.exe is created in that directory. Alternatively, if the command is to “kill”, the process is killed. The task checks for new commands every two minutes.

     

    MiningTask, EMiningTask:

     

    The C&C determines the type of mining which the infected machine attempts, as well as the mining pool it will join. The EminingTask downloads an executable to the TEMP directory with the name loader.exe. The types of mining that appear in the sample are CPU, Zcash, Scrypt, and SHA256. During the mining task, and depending on the chosen type, the resources of the infected machine, such as the memory, CPU, and RAM, are used to provide the computing power necessary to produce the hashes accepted as a proof of work by each method. Even using a pool instead of individual mining, CPU usage soared rapidly and reached 100% in our labs when we ran the sample, which shows the processing power needed for the mining tasks.

     

    Conclusion:

     

    To summarize, the botnet conducts a complex attack: it infects a machine, steals credentials, logs keys and mines for currency, causing CPU level to reach 100%. Although the botnet has many of the crucial implementation tools needed for its attack, it heavily depends on communication with its C&C server and the information it transmits for the execution of its most basic functions.


  • CTB-Locker ransomware spreading through fake Windows 10 Update emails

    With the highly publicized release of Microsoft’s Windows 10 on July 29th, scammers and malware developers were quick to jump in and use it as a method of distributing malware. Cisco’s Talos Group has discovered a email campaign underway that pretends to be from Microsoft and contains an attachment that will supposedly allow you to upgrade to Windows 10. In reality, though, this email is fake and once you double-click on the attached file, you will instead become infected with the encrypting ransomware CTB-Locker.

    win10_blacked_out.png

    Image of fake Windows Update Email courtesy of Cisco

    As you can see the email pretends to be from the email address update@microsoft.com and contains the subject [b]Windows 10 Free Update. Even the email message looks legitimate with no spelling mistakes or strange grammar. This is because the content is copied directly from Microsoft’s site. The only tell-tale sign is that there will be some characters that do not render properly. Unfortunately, this small sign will not be enough for many people to notice.

    Furthermore, once they download the attachment and extract it, the attached Win10Installer.exe icon will be the familiar Windows 10 logo.

    It isn’t until you inspect the file properties of the attachment, do you see that something is not right as its file description will be iMacros Web Automation and the copyright for the program will belong to Ipswitch. Ipswitch is a legitimate company and not the ones who released this malware.

    Finally, if a user double-clicks on the Win10Installer.exe file, they will not be greeted with the normal Windows 10 upgrade screen. Instead, after a brief delay they will be shown the screen for the CTB-Locker ransomware.

    CTB-Locker Computer Virus removal and data file recovery service. Local and Online service. Fort Lauderdale,Miami, Boca Raton and all South florida
    CTB-Locker Computer Virus removal and data file recovery service. Local and Online service. Fort Lauderdale,Miami, Boca Raton and all South florida

    At this point, the computer’s data will be encrypted and there is not much that can be done about it.

     

    IF INFECTED Visit Our Main Site OR call 754-234-5598

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere


  • Certain DevianArt advertising Campaigns lead to Malware, Spyware and Unwanted Applications on your computer

     

    DeviantArt Malwaretising

     

    Today, the estimated number of known computer threats like viruses, worms, backdoors, exploits, Trojans, spyware, password stealer, and other variants of potentially unwanted software range into millions. It has the capability to create several different forms of itself dynamically in order to thwart antimalware programs.

    Users of the biggest online artwork community, DevianART with Global Alexa Rank 148, are targeted by the potentially unwanted software programs — delivered by the advertisements on the website, Stop Malvertising reported on Sunday.

    A Potentially Unwanted Application (PUA) is a program that may not be intentionally malicious, but can negatively affect the performance and reliability of the system by distributing spyware or adware that can cause undesirable behavior on the computer. Some may simply display annoying advertisements, while others may run background processes that cause your computer to slow down. However, unlike malware, users themselves consent to install a PUA into their systems.

    The malicious advertisements are delivered via newly registered (3rd March 2014) domains – Redux Media (www.reduxmedia.com) and avadslite.com. “Over the past months, this domain has been seen to resolve to the following IP addresses: 107.20.210.36 (2014-05-01), 54.243.89.71 (2014-05-01) and 184.170.128.86 (2014-05-25). According to VirusTotal, malware has communicated with the last two IP addresses.” Kimberly from Stop Malvertising said.

    Once the user click on the Ad served by the DevianArt website, they are redirected to the Optimum Installer, a source of Potentially Unwanted Applications (PUA’s) that downloads legitimate software applications as well as bundled third-party software including toolbar.

     

    malware ad

    As shown, a pop-under warning will urge users to “update Media Player“, immediately followed by a second advertisement to “update Windows 7 Drivers” to avoid vulnerabilities, reduce crashes and ensure an optimal browsing experience. This is just a scam nothing more or less.

    Obviously, these are well known social engineering techniques to trick the computer user into installing malicious or ad-support software. Such infection are designed specifically to make money, generate web traffic, and will display advertisements and sponsored links within your web browser.

     

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida


  • Zeus Trojan (or Zbot Trojan) steals confidential information from the infected computer.

    Pandemiya hacking trojan

    A new and relatively rare Zeus Trojan program was found which is totally different from other banking Trojans and has capability to secretly steal data from forms, login credentials and files from the victim as well as can create fake web pages and take screenshots of victim’s computer.

    Researchers at RSA Security’s FraudAction team have discovered this new and critical threat, dubbed as ‘Pandemiya’, which is being offered to the cyber criminals in underground forums as an alternative to the infamous Zeus Trojan and its many variants, that is widely used by most of the cyber-criminals for years to steal banking information from consumers and companies.

     

    The source code of the Zeus banking Trojan is available on the underground forums from past few years, which lead malware developers to design more sophisticated variants of Zeus Trojan such as Citadel, Ice IX and Gameover Zeus.

     

    But, Pandemiya is something by far the most isolated and dangerous piece of malware as the author spent a year in writing the code for Pandemiya, which includes 25,000 lines of original code written in C.
    Like other commercial Trojan, Pandemiya infect the machines through exploit kits and via drive-by download attacks to boost infection rate that exploit flaws in the vulnerable software such as Java, Silverlight and Flash within few seconds victim lands on the web page.

    Pandemiya’s coding quality is quite interesting, and contrary to recent trends in malware development, it is not based on Zeus source code at all, unlike Citadel/Ice IX, etc.,” researchers from RSA, the security division of EMC, said Tuesday in a blog post. “Through our research, we found out that the author of Pandemiya spent close to a year of coding the application, and that it consists of more than 25,000 lines of original code in C.

    Pandemiya Trojan using Windows CreateProcess API to inject itself into every new process that is initiated, including Explorer.exe and re-injects itself when needed. Pandemiya is being sold for as much as $2,000 USD and provides all the nasty features including encrypted communication with command and control servers in an effort to evade detection.The Trojan has been designed with modular architecture to load more external plug-ins, which allows hackers to add extra features simply by writing new DLL (dynamic link library). The extra plug-ins easily add capabilities to the Trojan’s core functionality, that’s why the developer charge an extra of $500 USD to get the core application as well as its plugins, which allows cybercriminals to open reverse proxies on infected computers, to steal FTP credentials and to infect executable files in order to inject the malware at start up.

     

    The advent of a freshly coded new trojan malware application is not too common in the underground,” Marcus writes, adding that the modular approach in Pandemiya could make it “more pervasive in the near future.

    The malware developers are also working on other new features to add reverse Remote Desktop Protocol connections and a Facebook attack module in order to spread the Trojan through hijacked Facebook accounts.

    HOW TO REMOVE PANDEMIYA TROJAN

    The Trojan can be easily removed with a little modification in the registry and command line action, as explained below:

      1. Locate the registry key HKEY_LOCAL_USER\Software\Microsoft\Windows\CurrentVersion\Run and identify the *.EXE filename in your user’s ‘Application Data’ folder. Note the name, and delete the registry value.
      2. Locate the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls. Find the value with the same name as the *.EXE file in the previous step. Note the file name, and remove the value from the registry.
      3. Reboot the system. At this stage Pandemiya is installed but no longer running. Delete both files noted earlier. This will remove the last traces of the Trojan. Your system is now clean.

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida


  • Cryptowall Ransomware Spreading on the internet rapidly through advertisements

    Cryptowall Lock Malware spyware spreading
    Cryptowall Lock Malware

     

    Ransomware is an emerging threat in the evolution of cybercriminals techniques to part you from your money. Typically, the malicious software either lock victim’s computer system or encrypt the documents and files on it, in order to extort money from the victims.

    Though earlier we saw the samples of Ransomware tended to be simple with dogged determinations to extort money from victims. But with the exponential rise in the samples of Ransomware malwares, the recent ones are more subtle in design, including Cryptolocker, Icepole, PrisonLocker, CryptoDefense and its variants.

    Now, the ransomware dubbed as Cryptowall, a latest variant of the infamous ransomware Cryptolocker is targeting users by forcing them to download the malicious software by through advertising on the high profile domains belonging to Disney, Facebook, The Guardian newspaper and others.

    Cryptolocker is designed by the same malware developer who created the sophisticated CryptoDefense (Trojan.Cryptodefense) ransomware, appeared in the end of March, that holds the victims’ computer files hostage by wrapping them with strong RSA 2048 encryption until the victim pays a ransom fee to get them decrypted.

    But unfortunately, the malware author failed to realize that he left the decryption keys left concealed on the user’s computer in a file folder with application data.

    So, to overcome this, the developer created Cryptowall ransomware and alike the latest versions of CryptoDefense, the infected system’s files and documents encrypted by CryptoWall are impossible to decrypt.

    The story broke, when researchers at Cisco revealed that cybercriminals have started targeting people with RIG Exploit Kits (EK) to distribute malicious Cryptowall ransomware malware.

    The Rig Exploit Kit was first spotted by Kahu Security in April, which checks for an unpatched version of Flash, Internet Explorer, Java or the Silverlight multimedia program on the infected users and if found, the system is instantly exploited by the bad actors.

    Researchers at Cisco have noticed high levels of traffic consistent with the new “RIG” exploit kit, thereby blocking requests to over 90 domains. On further investigation, the company observed that many of its Cloud Web Security (CWS) users were visiting on those malicious domains after clicking advertisements on high-profile domains such as “apps.facebook.com,” “awkwardfamilyphotos.com,” “theguardian.co.uk” and “go.com,” and many others.

    cryptowall ransomware If clicked, the advertisements redirect victims to one of those malicious domains in order to malvertise users and once the system get infected with the RIG Exploit Kit, it will deliver the payload which includes the Cryptowall Ransomware malware.

    Now, when this CryptoWall is installed in the infected system, it will start scanning the system Hard Drive for data files and encrypt them.

    After encrypting the files on victim’s system, it will create files containing ransom instructions in every folder it had encrypted, demanding up to $500 USD. The service where users are instructed to pay the ransom amount is a hidden service that uses the Command-and-Control server hosted on TOR .onion domain.

    The largest share of infections, some 42 percent, are in the United States, followed by England and Australia, but it believes that several groups and bad actors are involved in this attack chain.

    IF INFECTED Visit Our Main Site OR call 754-234-5598

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable


  • Uroburos Rootkit – Most sophisticated 3 year old Russian Cyber Espionage Campaign

    The Continuous Growth of spyware, their existence, and the criminals who produce & spread them are increasing tremendously. It’s difficult to recognize spyware as it is becoming more complex and sophisticated with time, so is spreading most rapidly as an Internet threat.

    Recently, The security researchers have unearthed a very complex and sophisticated piece of malware that was designed to steal confidential data and has ability able to capture network traffic.

    The Researchers at the German security company G Data Software, refer the malware as Uroburos, named after an ancient symbol depicting a serpent or dragon eating its own tail, and in correspondence with a string (Ur0bUr()sGotyOu#) lurking deep in the malware’s code.

    The researchers claimed that the malware may have been active for as long as three years before being discovered and appears to have been created by Russian developers.

    Uroburos is a rootkit designed to steal data from secure facilities, has ability to take control of an infected machine, execute arbitrary commands and hide system activities, communicating primarily using peer-to-peer connections in a network it has penetrated to infect new machines within the network, manages to pass back the exfiltrated information back to attackers from infected machines and network data, the researchers explained.

    The two main components of Uroburos are – a driver and an encrypted virtual file system, used to disguise its nasty activities and to try to avoid detection. Its driver part is extremely complex and is designed to be very discrete and very difficult to identify.

    The malware uses two virtual file systems, one NTFS file system and one FAT file system, and both are stored locally on the infected system and are used as a “workspace” by the attackers, providing a storage space for third-party tools, post-exploitation tools, temporary files and binary output. The virtual file system can’t be decrypted without the presence of drivers, according to the Gdata’s analysis explained in the PDF.

    The driver is needed to decrypt the virtual file systems, to create several hooks to hide its activities, to inject libraries in the users land and to establish and manage some communication channels.

    “The development of a framework like Uroburos is a huge investment. The development team behind this malware obviously comprises highly skilled computer experts, as you can infer from the structure and the advanced design of the rootkit. We believe that the team behind Uroburos has continued working on even more advanced variants, which are still to be discovered.”

    WITH LOVE From RUSSIA: Technical Similarities with the previous malware Agent.BTZ and that the malware Uroburos checks the presence of Agent.BTZ in the system and remains inactive if Agent.BTZ is present, makes the researchers believe that it was designed by the same by the Russian intelligence services, according to G Data analysis.

    “Due to many technical details (file name, encryption keys, behavior and more details mentioned in this report), we assume that the group behind Uroburos is the same group that performed a cyberattack against the United States of America in 2008 with a malware called Agent.BTZ,” say the researchers. They also added that the reason it is meant to be of the Russian origin is, “Uroburos checks for the presence of Agent.BTZ and remains inactive if it is installed. It appears that the authors of Uroburos speak Russian (the language appears in a sample), which corroborates the relation to Agent.BTZ. Furthermore, according to public newspaper articles, this fact, the usage of Russian, also applied for the authors of Agent.BTZ.”

    In 2008, USB and Removable storage drives placed on hold in the U.S. Army facilities after the spread of Agent.BTZ worm. The USB stick contained malicious code was trying to keep on multiplying further and infected the military’s network.

    The attacks carried out with Uroburos are targeting government institutions, research institutions, intelligence agencies, nation states, research institutions or companies dealing with sensitive information as well as similar high-profile targets. The oldest drivers identified by the researchers was compiled in 2011 is the evidence that the malware was created around three years ago and was undetected.

    “The Uroburos rootkit is one of the most advanced rootkits we have ever analyzed in this Environment,” the G Data concluded.

    The team behind the development of the malware Uroburos has developed an even more sophisticated framework, which still remains undiscovered, the researchers believe. Many infection vectors are conceivable. E.g. Spear phishing, drive-by-infections, USB sticks, or social engineering attacks.

    For complete Online Latest news visit our blog

    WWW.CCREPAIRSERVICES.COM


  • Windows Accelerator Pro Virus

    Windows Accelerator Pro is a rogue anti-spyware program from the Rogue.FakeVimes family of computer infections. This program is considered scareware because it displays false scan results, fake security warnings, and does not allow you to access your legitimate Windows applications. Windows Accelerator Pro is distributed through web sites that display a fake online virus scanner that states your computer is infected and then prompts you to download the installation file. This infection is also promoted by hacked web sites that contain exploit code that tries to install the infection on your computer without your permission or knowledge.

    Once Windows Accelerator Pro is installed it will be configured to automatically start when you login to Windows. Once started, it will pretend to scan your computer and then states that there are numerous infections present. If you attempt to remove any of these supposed infections, the program will state that you first need to purchase a license before being allowed to do so. As all of the scan results are false, please ignore any prompts to purchase the program.

    To protect itself from being removed, Windows Accelerator Pro will also block you from running any legitimate application on your computer. It does this to prevent you from running legitimate security software that may detect it as an infection and remove it. The message that you will see when you attempt to run a program is:

    Firewall has blocked a program from accessing the Internet
    C:\Program Files\Internet Explorer\iexplore.exe
    is suspected to have infected your PC.
    This type of virus intercepts entered data and transmits them
    to a remote server.

    When you see this message please ignore it as your programs are not infected and will work normally after this infection is removed.

    While Windows Accelerator Pro is running it will also display fake security alerts that are designed to make you think your computer has a severe security problem. Some of these warnings include:

    Error
    Trojan activity detected. System integrity at risk.
    Full system scan is highly recommended.

    Error
    System data security is at risk!
    To prevent potential PC errors, run a full system scan.

    Just like the scan results, these warnings are fake and can be ignored.

    Complete Computer Repair Services can effectively remove this virus from your system wihthout any loss of data. Call 754-234-5598