• Tag Archives Spyware
  • Proteus botnet Malware with Remote Access

     

    The Proteus botnet emerged toward the end of November 2016.  Only a few samples of it were found in the wild and, at the moment, it doesn’t seem to have a widespread campaign.  So, what does it do? It launches a multi-layered attack on an infected machine where it runs several processes aimed at coin mining, credential theft, and keylogging.  In addition, the bot can perform on its own; it offers the cybercriminal to send commands over HTTP to download malicious executables and execute them.

     

    In some samples, the botnet disguises itself as a Google Chrome executable. The functionality of the botnet is highly reliant on its C&C (command and control) server, hxxp://proteus-network[.]biz or hxxp://proteus-network[.]ml (the latter is inaccessible). The URL is hardcoded in the sample and is contacted multiple times to obtain necessary credentials for the tasks the botnet performs. The host name also appears in Pastebin, under the URL hxxp://pastebin[.]com/raw/LidbEiiR, in its encrypted form, and the botnet can retrieve the domain from there as well.

     

    The botnet starts by identifying the infected machine and obtaining the operating system’s info (whether 64 or 86 bit), the machine’s name, and the Windows version. All of the information is sent to the C&C to “register” the machine.

     

    After the machine is acknowledged by the C&C, the botnet proceeds to perform different tasks. As the botnet contacts the C&C to receive various pieces of information, the web requests are sent along with an encrypted string specifying the purpose of the request. These encrypted strings perform the following functions:

     

    • api/register – Register the infected machine
    • api/ping – Check if the machine is already registered
    • api/module – Check the mining module
    • api/proxy – Use reverse proxy
    • api/command – Receive commands from the C&C
    • api/account – Receive an account from the C&C
    • api/log – Handle the key logging document

     

    The header section of the HTTP requests is similar throughout the different sections of the source code:

    Content-type: application-json

    Authorization: {2D592824-48DE-49F8-8F96-A40B3904C794}

     

    When contacting the C&C, a POST request is sent with one of the above modes appended to the domain’s name, for example, hxxp://proteus-network.biz/api/log. The C&C sends a response to this request, which is then parsed by the botnet in search for the C&C’s reply.

     

    CheckerTask:

     

    The CheckerTask starts by contacting the C&C with the api/account string appended to the domain’s name. After sending a POST request, it receives a four-tuple composed of an account ID, an e-mail, a password, and the account type. The botnet attempts to access and steal the user’s credentials from a number of online websites, including:

     

    • eBay.com
    • otto.de
    • amazon.de
    • breuninger.com
    • dhl.de
    • netflix.com
    • coderbay.net
    • zalando.de

     

    The majority of these websites are German-based and the botnet searches for German words appearing in the responses. This leads us to believe this specific sample of Proteus targets are German victims. For example, if the message received from the website includes the phrase “stimmen nicht mit den bei uns hinterlegten Daten”, which means, “This does not match the data provided by us”. The botnet attempts to change the password’s first character from lower case to upper case or to append the character “1” to the end of the password and tries to log in again after three seconds. The response from the website is then checked to harvest more information about the victim, including name, address, country, bought and sold items, seller type and the last feedback received.

     

    Some of the websites which the CheckerTask tries to steal the credentials from may include a Captcha to prevent such automated logins. The Proteus botnet uses Death by Captcha (DBC), an API which solves any given Captcha and turns it into a text that the botnet can insert into the website, and proceeds with the login. Using DBC requires a username and a password, which are both hardcoded into the sample to enable Captcha analysis. We have managed to access the DBC account used in the sample, and found that it resolved 200 Captchas so far, which could hint to the number of successfully infected machines.

     

    LoggerTask:

     

    This task performs key logging on the infected machine. It starts by initializing a list of all the keyboard keys, and stores the logged keys into a file called tmpV213.txt found under the TEMP directory. When this file includes more than 250 characters, it is cleared and its content is sent to the C&C along with the api/log string.

     

    CommandsTask:

     

    This task receives commands from the C&C. The botnet sends a request to the C&C with the fingerprint and the api/command string. If the C&C sends a command to download a file, a new directory is created in the TEMP folder using a GUID, and a file called temp.exe is created in that directory. Alternatively, if the command is to “kill”, the process is killed. The task checks for new commands every two minutes.

     

    MiningTask, EMiningTask:

     

    The C&C determines the type of mining which the infected machine attempts, as well as the mining pool it will join. The EminingTask downloads an executable to the TEMP directory with the name loader.exe. The types of mining that appear in the sample are CPU, Zcash, Scrypt, and SHA256. During the mining task, and depending on the chosen type, the resources of the infected machine, such as the memory, CPU, and RAM, are used to provide the computing power necessary to produce the hashes accepted as a proof of work by each method. Even using a pool instead of individual mining, CPU usage soared rapidly and reached 100% in our labs when we ran the sample, which shows the processing power needed for the mining tasks.

     

    Conclusion:

     

    To summarize, the botnet conducts a complex attack: it infects a machine, steals credentials, logs keys and mines for currency, causing CPU level to reach 100%. Although the botnet has many of the crucial implementation tools needed for its attack, it heavily depends on communication with its C&C server and the information it transmits for the execution of its most basic functions.


  • CTB-Locker ransomware spreading through fake Windows 10 Update emails

    With the highly publicized release of Microsoft’s Windows 10 on July 29th, scammers and malware developers were quick to jump in and use it as a method of distributing malware. Cisco’s Talos Group has discovered a email campaign underway that pretends to be from Microsoft and contains an attachment that will supposedly allow you to upgrade to Windows 10. In reality, though, this email is fake and once you double-click on the attached file, you will instead become infected with the encrypting ransomware CTB-Locker.
    win10_blacked_out.png
    Image of fake Windows Update Email courtesy of Cisco

    As you can see the email pretends to be from the email address update@microsoft.com and contains the subject [b]Windows 10 Free Update. Even the email message looks legitimate with no spelling mistakes or strange grammar. This is because the content is copied directly from Microsoft’s site. The only tell-tale sign is that there will be some characters that do not render properly. Unfortunately, this small sign will not be enough for many people to notice.

    Furthermore, once they download the attachment and extract it, the attached Win10Installer.exe icon will be the familiar Windows 10 logo.

    It isn’t until you inspect the file properties of the attachment, do you see that something is not right as its file description will be iMacros Web Automation and the copyright for the program will belong to Ipswitch. Ipswitch is a legitimate company and not the ones who released this malware.

    Finally, if a user double-clicks on the Win10Installer.exe file, they will not be greeted with the normal Windows 10 upgrade screen. Instead, after a brief delay they will be shown the screen for the CTB-Locker ransomware.

    CTB-Locker Computer Virus removal and data file recovery service. Local and Online service. Fort Lauderdale,Miami, Boca Raton and all South florida
    CTB-Locker Computer Virus removal and data file recovery service. Local and Online service. Fort Lauderdale,Miami, Boca Raton and all South florida

    At this point, the computer’s data will be encrypted and there is not much that can be done about it.

     

    IF INFECTED Visit Our Main Site OR call 754-234-5598

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere


  • Cryptowall 3.0 is back and rapidly spreading – Ransom Virus Malware Spyware Spam Email

    Cryptowall 3.0 Spreading again Removal DecrypterCryptowall 3.0 Rapidly Spreading again Removal Repair Recovery and Decrypter
    Cryptowall 3.0 Spreading again Removal DecrypterCryptowall 3.0 Rapidly Spreading again Removal Repair Ransom Recovery and Decrypter CALL 754-234-5598

    Since the Angler Exploit Kit began in late May spreading Cryptowall 3.0 ransomware, traffic containing the malware has continued to grow, putting more potential victims in harm’s way.

    A week ago, the SANS Internet Storm Center reported that Cryptowall 3.0 infections are emanating from not only the prolific exploit kit, but also from malicious spam campaigns. The two means of infections share some common characteristics, lending credence to the theory that the same group may be behind both.
    Version 3.0 is the latest iteration of Cryptowall, which is also known as Crowti. Like other ransomware families, Cryptowall 3.0 encrypts files stored on a compromised computer and demands a ransom, usually $500 payable in Bitcoin, in exchange for the encryption key. The malware uses numerous channels to communicate and send stolen traffic to its keepers, including I2P and Tor anonymity networks. Researchers at Cisco in February said that Cryptowall 3.0 abandoned using a dropper for propagation, opting instead to use exploit kits.

    As of this morning, SANS incident handler and Rackspace security researcher Brad Duncan said that the latest run of Angler Exploit Kit traffic showed that the attackers had added a different Bitcoin address than the one used previously.

    At this point, I’m not 100 percent certain it’s the same actor behind all this Cryptowall 3.0 we’ve been seeing lately,” Duncan wrote on the SANS ISC website. “However, my gut feeling tells me this activity is all related to the same actor or group. The timing is too much of a coincidence.

    Duncan said that a check on blockchain.info for activity on the two Bitcoin addresses shows some transactions, indicating some victims are paying the ransom.

    “We’re seeing a lot more samples of CryptoWall 3.0 in the spam/EK traffic now than before, so maybe the increased exposure might help infect more computers,” Duncan said, adding that he had no data on whether any of the victims who did pay the ransom were receiving encryption keys and are able to salvage their data.

    Duncan said this latest spike began May 25 from both the malicious spam and Angler angles; both campaigns were still active as of early this morning.

    The spam campaign uses Yahoo email addresses to send Cryptowall 3.0 via attachments. The attachments are called my_resume.zip and contain an HTML file called my_resume.svg. Duncan said the attackers have begun appending numbers to the file names, such as resume4210.html or resume9647.html.

    Opening the attachment and extracting the malicious file gives you an HTML document. If you open one of these HTML files, your browser will generate traffic to a compromised server,” Duncan wrote. “The return traffic is gzip compressed, so you won’t see it in the TCP stream from Wireshark. Exporting the text from Wireshark shows HTML that points to a shared document from a Google server.

    Cryptowall is hosted on a number of different docs.google.com URLs, he said, a list of which is posted on the SANS website. The Bitcoin address used for payment in the spam campaign is 16REtGSobiQZoprFnXZBR2mSWvRyUSJ3ag, the same address found in other spam samples.

    Infections coming from Angler began May 26, and were the first Cryptowall 3.0 infections seen from Angler. The Bitcoin address used in Angler infections is 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB, SANS said. Duncan reports that a second Bitcoin address, 12LE1yNak3ZuNTLa95KYR2CQSKb6rZnELb, was used as of today.

    “There are any number of reasons to use more than one Bitcoin address. It could be a back-up, in case law enforcement is closing in on the other one. It could be a way to track different infections, geographically,” Duncan said. “I’m not sure on this one. It’s just my gut feeling, which could be wrong.”

    Duncan said that a new slate of WordPress sites were redirecting to Angler in this campaign, based on web injects observed.

    “The significance is that there are plenty of vulnerable websites running outdated or unpatched versions of WordPress,” Duncan said. “The actors behind this (and other) campaigns will have a continuous supply of websites that can be compromised and used for these efforts.”

    www.CCREPAIRSERVICES.COM

    Local and Online PC Computer Repair Tel. 754-234-5598

    FAST SAME DAY COMPUTER REPAIR, VIRUS REMOVAL, CRYTOWALL FILE RECOVERY AND LAPTOP SCREEN REPAIR SERVICE


  • Malicious Ads on Yahoo, AOL, Match.com, Trigger CryptoWall Infections

    cryptowall

    Attackers have been leveraging the FlashPack Exploit Kit to peddle the CryptoWall 2.0 ransomware on unsuspecting visitors to sites such as Yahoo, The Atlantic and AOL. Researchers believe that for about a month the malvertising campaign hit up to 3 million visitors and netted the attackers $25,000 daily.

    According to experts at Proofpoint, a firm that primarily specializes in email security, the exploit kit targeted a vulnerability in Adobe Flash via users’ browsers to install the ransomware on users’ machines.

    Malvertising is an attack that happens when attackers embed malicious code – in this case code that led to the latest iteration of CryptoWall – into otherwise legitimate ads to spread malware via drive-by downloads. Users can often be infected without even clicking on anything.

    CryptoWall, which takes users’ files, encrypts them with rigid RSA-2048 encryption, then asks for a fee to decrypt them, made a killing earlier this summer. In August it was reported that the ransomware made more than $1.1 million for its creators in just six months.

    Similar to Critoni/Onion, a ransomware dug up in July, CryptoWall 2.0 downloads a TOR client on the victim’s machine, connects to a command and control server and demands users send Bitcoin – $500 worth – to decrypt their files. Since the campaign lasted about a month, from Sept. 18 to this past Saturday, researchers are estimating that 40 of the campaign’s Bitcoin addresses collected at least 65 BTC each, a number that roughly translates to $25,000 a day.

    cryptowall1

    Proofpoint claims that high ranking sites such as AOL, The Atlantic, Match.com and several Yahoo subdomains such as their Sports, Fantasy Sports and Finance sites, were spotted serving up the tainted ads. Other sites lesser known in the U.S. such as Australia’s Sydney Morning Herald, The Age, and the Brisbane Times, were reportedly also doling out the ads.

    While the campaign started a month ago the firm claims things didn’t start to ramp up until recently.

    “After crossing a threshold level, it became possible to associate the disparate instances with a single campaign impacting numerous, high-traffic sites,” Wayne Huang, the company’s VP of Engineering, said of the campaign.

    The firm claims it worked quickly to notify those involved in the campaign, including the ad providers, and as of this week, believes the situation has been nullified.

    Last month researchers with Barracuda Labs found a CryptoWall variant with certificate signed by Comodo being distributed through ads on a handful of different websites. None of those sites were nearly as trafficked as those spotted by this most recent campaign however. The Alexa rankings for Yahoo (4), AOL (37), Match (203), and The Atlantic (386) place them within the top 500 of the internet’s most popular sites, something that likely upped the campaign’s exposure level.

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida


  • New file-encrypting ransomware called CryptoGraphic Locker

    A new file-encrypting ransomware was discovered today by BartBlaze called CryptoGraphic Locker. Just like other encrypting ransomware, this infection will scan your your data files and encrypt them so that they are unusable. The infection will then display a ransom note that requires you to purchase the decryption key in order to decrypt your files. The initial cost to purchase the key is .2 BTC, or approximately $100 USD, which makes this one of the cheaper ransoms that we have seen in a long time. Though the ransom starts out small, there is a 24 hour timer built into the application that will increase the ransom amount each time it hits 0.

    Computer Virus Removal in Fort Lauderdale
    Cryptographic Locker

    When you are infected with CryptoGraphic Locker, the application will configure itself to start when you login to Windows. It will then scan your drives for data files and create new encrypted copies using AES encryption and then delete the old ones. These new files will be renamed to have the extension .clf. A list of all encrypted files will be stored in the %Temp%\CryptoLockerFileList.txt file. The data files that CryptoGraphic Locker targets are:

    .odt,.ods,.odp,.odm,.odc,.odb,.doc,.docx,.docm,.wps,.xls,.xlsx,.xlsm,.xlsb,.xlk,.ppt,.pptx,.pptm,.mdb,.accdb,.pst,.dwg,.dxf,.dxg,.wpd,.rtf,.wb2,.mdf,.dbf,.psd,.pdd,.pdf,.eps,.ai,.indd,.cdr,.dng,.3fr,.arw,.srf,.sr2,.mp3,.bay,.crw,.cr2,.dcr,.kdc,.erf,.mef,.mrw,.nef,.nrw,.orf,.raf,.raw,.rwl,.rw2,.r3d,.ptx,.pef,.srw,.x3f,.lnk,.der,.cer,.crt,.pem,.pfx,.p12,.p7b,.p7c,.jpg,.png,.jfif,.jpeg,.gif,.bmp,.exif,.txt

    When the infection has finished encrypting your data it will display a ransom screen that explains how you can pay the ransom and decrypt your files. Unlike other file-encrypting ransomware that have been released lately, instead of using a decryption site, the malware application itself allows you to make payments, receive your decryption keys, enter your key to decrypt files, etc. While the infection is running it will also terminate the following applications if they are started or are running: Process Hacker, MalwareBytes, Spyhunter, Msconfig, Task Manager, Registry Editor, System Restore, or Process Explorer.

    Last, but not least, the infection will also change your Windows desktop background to the background below. Suprisingly, it uses the CryptoLocker name in the wallpaper instead of the CryptoGraphic Locker name that it uses in the application window.

    wallpaper.jpg

    At this time the Command & Control servers are down, so there is no way to pay the ransom. There is, though, some good news for those who are infected. This ransomware does not delete files using a secure deletion method and does not wipe your system restore points. Therefore you can use a file recovery tool to undelete your files or a program like Shadow Explorer to restore your files from Shadow Volume Copies. Information on how to restore your files from Shadow Volume Copies can be found in the CryptoLocker guide.

    Thanks to BartBlaze, Decrypterfixer, and Cody Johnston for providing info on this malware.

    File additions and registry changes are:

    %Temp%\CryptoLockerFileList.txt
    %Temp%\wallpaper.jpg
    <Path to Dropper>\<random.exe
    
    HKCU\Control Panel\Desktop\Wallpaper	"C:\Users\User\AppData\Local\Temp\wallpaper.jpg"(old value="")
    HKCU\Control Panel\Desktop\WallpaperStyle	"1"(old value="10")
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CLock
    
    

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida
    

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable


  • Rise in Anti-Child Porn Spam Protection Ransomware infections

    This ransomware pretends to be from a legitimate government organization that states that the infected computer is sending out SPAM that contains links to child pornography sites. The ransom program then states that in order protect yourself, and others, it has encrypted your data using Advanced Encryption Standards, or AES, encryption. Just like the Malware Protection and the ACCDFISA Protection Program variants, these files are not actually encrypted but are password protected RAR files.

    sl.png

    ScreenLocker window for ACCDFISA v2.0, There are actually a few different versions of this. ACCDFISA v2.0 HTML file, These can be worded slightly different, and can have different emails to message the virus creator.

    There seems to be either a leak of the ACCDFISA v2.0 source, or the creator is mixing up the layout of Ransom Note, Screen Locker, and even the internal code. So far I have found 3 different version of ACCDFISA v2.0 with different contact emails, Ransom Notes, Code, and what is worse is even the method of delivery. The previous ACCDFISA v2.0 mostly only affected servers with RDP enabled with weak security. But the last 2 victims I have been messaging had neither a server or RDP enabled, and claimed to have gotten it either by email or a malicious or hacked site. This makes this older modified infection another top placer for worst encrypting infections because the key is unrecoverable, Restore Points are wiped, the computer is locked down, services are mangled, free space and deleted files are wiped with SDelete, and of course files are encrypted with WinRar SFX AES exe’s.

    For informational purposes, the 2 virus creator emails I have found with these variants are brhelpinfo@gmail.com and Dextreme88@gmail.com.

    When first run, this program will scan your computer for data files and convert them to password protected RAR .exe files. These password protected data files will be named in a format similar to test.txt(!! to decrypt email id <id> to <Email>@gmail.com !!).exe. It will then use Sysinternal’s SDelete to delete the original files in such a way that they cannot be undeleted using file recovery tools. It will also set a Windows Registry Run entry to start c:\<Random Number>\svchost.exe when your computer starts. This program is launched immediately when you logon and blocks access to your Windows environment. If you boot your computer using SafeMode, Windows Recovery disk, or another offline recovery CD, you can delete or rename the c:\<Random Number>\svchost.exe file in order to regain access to your Windows Desktop. This “lockout” screen will also prompt you to send the hackers the ransom in order to get a passcode for the system lockout screen and for your password protected files.

    This variant took 3 hours to completely finish on my VM. I was able to access the key file, and decrypt nearly all files and back them up before shutdown. So if you are lucky enough to see this happening, you should immediately backup the key file on the desktop / in the ProgramData folder.

    Sadly, just like the past variants, files cannot be decrypted either without the key, or a backup. If you are reading this infection free I have one question, Have you backed up today?. If not, you better get to it as these types of computer infections are on the rise and definitely here to stay!

    The files that this infection creates when it is installed are:

    File List:

    c:\<Random>\svchost.exe – ScreenLocker / Decrypter

    c:\<Random>\howtodecryptaesfiles.htm – RansomNote that all RansomNotes lnk’s point to

    c:\ProgramData\fdst<Random>\lsassw86s.exe Encrypter / Main dropper

    c:\ProgramData\<Random>\<Random>.dll – Different Numbers and Hashes used by the infection / Also where Temp Key is kept, But removed after completion

    c:\ProgramData\<Random>\<Random>.DLLS List of files to be infected by WinRar

    c:\ProgramData\<Random>\svchost.exe – WinRar CUI renamed

    c:\ProgramData\<Random>\svchost.exe – Sdelete Renamed

    c:\ProgramData\svcfnmainstvestvs\stppthmainfv.dll List of Numbers used by the infection

    c:\ProgramData\svtstcrs\stppthmainfv.dll List of Numbers used by the infection

    c:\Windows\System32\backgrounds2.bmp Renamed ScreenLocker / Decrypter, Used to replace the one in ProgramData if deleted

    c:\Windows\System32\lsassw86s.exe Renamed Encrypter / Main dropper, Used to replace the one in ProgramData if deleted

    c:\Windows\System32\scsvserv.exe Used to complete mangle / disable services to further lock down computer

    c:\Windows\System32\lsassvrtdbks.exe Assists with encryption

    c:\Windows\System32\session455.txt Temp Storage used with .BAT file to logoff user account

    c:\Windows\System32\decryptaesfiles.html Used to copy to ProgramData

    c:\Windows\System32\Sdelete.dll Used to copy Sdelete to ProgramData

    c:\Windows\System32\kblockdll.dll Used to Lock desktop

    c:\Windows\System32\btlogoffusrsmtv.bat Used to log user off

    c:\Windows\System32\default2.sfx Used with winrar to encrypt files

    c:\Windows\System32\cfwin32.dll WinRar CUI renamed

    %Desktop%\<Random>.Txt – Also contains Decrypt Key, But removed after completion

    Registry List:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\<Random>\svchost.exe – Launches ScreenLocker

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run C:\<Random>\svchost.exe – Launches ScreenLocker

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\ProgramData\<Random>\svchost.exe – Launches ScreenLocker

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida


  • Secret Government and Law enforcement spyware leaked

     

    Company That Sells 'FinFisher' Spying Software Got Hacked, 40GB Data Leaked
    FinFisher spyware, a spyware application used by government and law enforcement agencies for the purpose of surveillance, appears to have been hacked earlier this week and a string of files has been dumped on the Internet.
    The highly secret surveillance software called “FinFisher” sold by British company Gamma International can secretly monitors computers by turning ON webcams, recording everything the user types with a keylogger, and intercepting Skype calls, copying files, and much more.
    A hacker has claimed on Reddit and Twitter that they’d infiltrated the network of one of the world’s top surveillance & motoring technology company Gamma International, creator of FinFisher spyware, and has exposed 40GB of internal data detailing the operations and effectiveness of the FinFisher suite of surveillance platforms.
    The leaked information was published both on a parody Gamma Group Twitter account (@GammaGroupPR) and Reditt by the hacker that began publishing links to the documents and satirical tweets.
    The leaked files includes client lists, price lists, source code of Web Finfly, details about the effectiveness of Finfisher malware, user and support documentation, a list of classes/tutorials, and much more.
    The Reddit post Gamma International Leaked in self.Anarchism said, “a couple days ago [when] I hacked in and made off with 40GB of data from Gamma’s networks. I have hard proof they knew they were selling (and still are) to people using their software to attack Bahraini activists, along with a whole lots of other stuff in that 40GB.”

    The FinFisher files were first leaked on Dropbox as a torrent file and since have been shared across the internet, which means that it is now impossible to stop the information from being leaked.

    One spreadsheet in the dump titled FinFisher Products Extended Antivirus Test dated April this year, details the anti-virus detection rates of the FinFisher spyware which German based Gamma Group sold to governments and law enforcement agencies.

    It shows how FinFisher performed well against 35 top antivirus products. That means FinFisher would probably not be detected by a targeted users’ security systems.


    One more document also dated April this year has been identified that detailed release notes, for version 4.51 of FinSpy, show a series of patches made to the products including patch to ensure rootkit component could avoid Microsoft Security Essentials, that the malware could record dual screen Windows setups, and improved email spying with Mozilla Thunderbird and Apple Mail.


    The file dump also reveals that FinFisher is detected by OS X Skype (a recording prompt appears), so the users of OS X Skype would be alerted to the presence of FinFisher by a notification indicating that a recording module was installed.
    Company That Sells 'FinFisher' Spying Software Got Hacked, 40GB Data Leaked
    FinFisher cannot tap Windows 8 users, so rather the desktop client, the users should opt for the Metro version of Skype.
    The dump also contains a fake Adobe Flash Player updater, a Firefox plugin for RealPlayer and an extensive (though still undetermined) documentation for WhatsApp.

    A price list, which appeared to be a customers’ record, revealed the FinSpy program cost 1.4 million Euros and a variety of penetration testing training services priced at 27,000 Euros each,” the Reg. reported. “The document did not contain a date but it did show prices for malware targeting the recent iOS version 7 platform.”

    The leaked documents also included a FinSpy user manual and brochure. This previously kept so-called spying secret is not a secret now and we’ll be going to find a lot more in the upcoming weeks.

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida


  • SandroRAT Mobile Phone Android Malware that Disguises as Kaspersky Mobile Security

    Researchers have warned users of Android devices to avoid app downloads from particularly unauthorized sources, since a new and sophisticated piece of malware is targeting Android users through phishing emails.
    The malware, dubbed SandroRAT, is currently being used by cybercriminals to target Android users in Poland via a widely spread email spam campaign that delivers a new variant of an Android remote access tool (RAT).
    The emails masquerade itself as a bank alert that warns users of the malware infection in their mobile device and offers a fake mobile security solution in order to get rid of the malware infection.
    The mobile security solution poses as a Kaspersky Mobile Security, but in real, it is a version of SandroRAT, a remote access tool devised for Android devices, whose source code has been put on sale on underground Hack Forums since December last year.
    A mobile malware researcher at McAfee, Carlos Castillo, detailed the new variant of Android remote access trojan over the weekend. According to the researcher, the package spread via phishing campaign is capable of executing several malicious commands on the infected devices.
    SandroRAT gives the attacker an unrestricted access to sensitive details such as SMS messages, contact lists, call logs, browser history (including banking credentials), and GPS location data stored in Android devices and store all the data in an “adaptive multi-rate file on the SD card” to later upload them to a remote command and control (C&C) server.

    Spam campaigns (via SMS or email) are becoming a very popular way to distribute Android malware, which can steal personal information or even obtain complete control of a device with a tools like SandroRat,” wrote Carlos Castillo. “This attack gains credence with the appearance of a bank offering security solutions against banking malware, a typical behavior of legitimate banks.”

    This new version of SandroRAT also has a self-update feature in it and it can install additional malware through user prompts for such actions. The malware gives the attacker full control over the messages, who can intercept, block and steal incoming messages, as well as insert and delete them.
    It also appears that the attacker can send multimedia messages with specific parameters sent by the C&C server and can also record nearby sounds using the device’s mic.
    Castillo also notes that the SandroRAT variant of malware had decryption capabilities for older releases of Whatsapp messaging app. But, the users running the latest version of Whatsapp in their Android devices are not vulnerable because the developers adopted a stronger encryption scheme.

    This decryption routine will not work with WhatsApp chats encrypted by the latest version of the application because the encryption scheme (crypt7) has been updated to make it stronger (using a unique server salt),” Castillo explained. “WhatsApp users should update the app to the latest version,” he advised.

    Users are advised to avoid application downloads from unauthorized sources, particularly when the app download link is send through an email. Good practice is to always prefer downloading apps from the Google Play Store or other trusted sources.

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida

     


  • Certain DevianArt advertising Campaigns lead to Malware, Spyware and Unwanted Applications on your computer

     

    DeviantArt Malwaretising

     

    Today, the estimated number of known computer threats like viruses, worms, backdoors, exploits, Trojans, spyware, password stealer, and other variants of potentially unwanted software range into millions. It has the capability to create several different forms of itself dynamically in order to thwart antimalware programs.

    Users of the biggest online artwork community, DevianART with Global Alexa Rank 148, are targeted by the potentially unwanted software programs — delivered by the advertisements on the website, Stop Malvertising reported on Sunday.

    A Potentially Unwanted Application (PUA) is a program that may not be intentionally malicious, but can negatively affect the performance and reliability of the system by distributing spyware or adware that can cause undesirable behavior on the computer. Some may simply display annoying advertisements, while others may run background processes that cause your computer to slow down. However, unlike malware, users themselves consent to install a PUA into their systems.

    The malicious advertisements are delivered via newly registered (3rd March 2014) domains – Redux Media (www.reduxmedia.com) and avadslite.com. “Over the past months, this domain has been seen to resolve to the following IP addresses: 107.20.210.36 (2014-05-01), 54.243.89.71 (2014-05-01) and 184.170.128.86 (2014-05-25). According to VirusTotal, malware has communicated with the last two IP addresses.” Kimberly from Stop Malvertising said.

    Once the user click on the Ad served by the DevianArt website, they are redirected to the Optimum Installer, a source of Potentially Unwanted Applications (PUA’s) that downloads legitimate software applications as well as bundled third-party software including toolbar.

     

    malware ad

    As shown, a pop-under warning will urge users to “update Media Player“, immediately followed by a second advertisement to “update Windows 7 Drivers” to avoid vulnerabilities, reduce crashes and ensure an optimal browsing experience. This is just a scam nothing more or less.

    Obviously, these are well known social engineering techniques to trick the computer user into installing malicious or ad-support software. Such infection are designed specifically to make money, generate web traffic, and will display advertisements and sponsored links within your web browser.

     

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida


  • Cryptowall Ransomware Spreading on the internet rapidly through advertisements

    Cryptowall Lock Malware spyware spreading
    Cryptowall Lock Malware

     

    Ransomware is an emerging threat in the evolution of cybercriminals techniques to part you from your money. Typically, the malicious software either lock victim’s computer system or encrypt the documents and files on it, in order to extort money from the victims.

    Though earlier we saw the samples of Ransomware tended to be simple with dogged determinations to extort money from victims. But with the exponential rise in the samples of Ransomware malwares, the recent ones are more subtle in design, including Cryptolocker, Icepole, PrisonLocker, CryptoDefense and its variants.

    Now, the ransomware dubbed as Cryptowall, a latest variant of the infamous ransomware Cryptolocker is targeting users by forcing them to download the malicious software by through advertising on the high profile domains belonging to Disney, Facebook, The Guardian newspaper and others.

    Cryptolocker is designed by the same malware developer who created the sophisticated CryptoDefense (Trojan.Cryptodefense) ransomware, appeared in the end of March, that holds the victims’ computer files hostage by wrapping them with strong RSA 2048 encryption until the victim pays a ransom fee to get them decrypted.

    But unfortunately, the malware author failed to realize that he left the decryption keys left concealed on the user’s computer in a file folder with application data.

    So, to overcome this, the developer created Cryptowall ransomware and alike the latest versions of CryptoDefense, the infected system’s files and documents encrypted by CryptoWall are impossible to decrypt.

    The story broke, when researchers at Cisco revealed that cybercriminals have started targeting people with RIG Exploit Kits (EK) to distribute malicious Cryptowall ransomware malware.

    The Rig Exploit Kit was first spotted by Kahu Security in April, which checks for an unpatched version of Flash, Internet Explorer, Java or the Silverlight multimedia program on the infected users and if found, the system is instantly exploited by the bad actors.

    Researchers at Cisco have noticed high levels of traffic consistent with the new “RIG” exploit kit, thereby blocking requests to over 90 domains. On further investigation, the company observed that many of its Cloud Web Security (CWS) users were visiting on those malicious domains after clicking advertisements on high-profile domains such as “apps.facebook.com,” “awkwardfamilyphotos.com,” “theguardian.co.uk” and “go.com,” and many others.

    cryptowall ransomware If clicked, the advertisements redirect victims to one of those malicious domains in order to malvertise users and once the system get infected with the RIG Exploit Kit, it will deliver the payload which includes the Cryptowall Ransomware malware.

    Now, when this CryptoWall is installed in the infected system, it will start scanning the system Hard Drive for data files and encrypt them.

    After encrypting the files on victim’s system, it will create files containing ransom instructions in every folder it had encrypted, demanding up to $500 USD. The service where users are instructed to pay the ransom amount is a hidden service that uses the Command-and-Control server hosted on TOR .onion domain.

    The largest share of infections, some 42 percent, are in the United States, followed by England and Australia, but it believes that several groups and bad actors are involved in this attack chain.

    IF INFECTED Visit Our Main Site OR call 754-234-5598

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable


  • Android iBanking Trojan Source Code LEAKED ONLINE

    Smartphone is the need of everyone today and so the first target of most of the Cyber Criminals. Malware authors are getting to know their market and are changing their way of operations. Since last year we have seen a rise in the number of hackers moving from the Blackhat into the Greyhat.

     

    iBanking, a new mobile banking Trojan app which impersonates itself as an Android ‘Security App‘, in order to deceive its victims, may intimidate a large number of users as now that its source code has been leaked online through an underground forum.

    It will give an opportunity to a larger number of cybercriminals to launch attacks using this kind of ready-made mobile malware in the future.

     

    Since many banking sites use two-factor authentication and transaction authorization systems in order to deal with the various threats, by sending unique one-time-use codes to their customers’ registered phone numbers via SMS, but in order to defraud them, cyber criminals have started to create various mobile malware like iBanking to solve their purpose.

     In addition, with the iBanking malware, Computer malware is used to defeat the mobile-based security mechanisms used by the banking sites.

    Apart from the server-side source-code, the leaked files also include a builder that can un-pack the existing iBanking APK file and re-pack it with different configurations, essentially providing fraudsters with the means to create their own unique application,” added Daniel Cohen.

    In addition to SMS Sniffing, the iBanking app allows an attacker to redirect calls to any pre-defined phone number, capture audio using the device’s microphone and steal other confidential data like call history log and the phone book contacts.

    During the installation process, the malicious app attempts to Social Engineer the user into providing it with administrative rights, making its removal much more difficult.

    Latest Computer news and virus and malware threats at Complete computer Repair Services Fort Lauderdale and all South Florida Latest Computer News and Repair Services

    www.ccrepairservices.com


  • The Mask, A malware campaign that remained undetected for 7 years

    A Sophisticated cyber spying operation, ‘The Mask’, that has been under the mask for about 7 years targeting approximately 31 countries, has now been ‘unmasked’ by researchers at Kaspersky Labs.
    The Researchers believe that the program has been operational since 2007 and is seems to be sophisticated nation-state spying tool that targeted government agencies and diplomatic offices and embassies before it was disclosed last month.
    In the unveiling document published by Kaspersky, they found more than 380 unique victims, including Government institutions, diplomatic offices/embassies, private companies, research institutions, activists etc.
    The name “Mask” comes from the Spanish slang word “Careto” (“Ugly Face” or “Mask”) which the authors included in some of the malware modules.
    Developers of the ‘Mask’ aka ‘Careto’ used complex tool-set which includes highly developed malware, bootkit, rootkit etc. that has the ability to sniff encryption keys, VPN configuration, SSH keys and RDP file via intercept network traffic, keystrokes, Skype conversation, PGP keys, WI-Fi traffic, screen capturing, monitoring all file operations, that makes it unique and dangerous and more sophisticated than DUQU malware.
    The malware targets files having an extension:

    *.AKF, *.ASC, *.AXX, *.CFD, *.CFE, *.CRT, *.DOC, *.DOCX, *.EML, *.ENC, *.GMG, *.GPG, *.HSE, *.KEY, *.M15, *.M2F, *.M2O, *.M2R, *.MLS, *.OCFS, *.OCU, *.ODS, *.ODT, *.OVPN, *.P7C, *.P7M, *.P7Z, *.PAB, *.PDF, *.PGP, *.PKR, *.PPK, *.PSW, *.PXL, *.RDP, *.RTF, *.SDC, *.SDW, *.SKR, *.SSH, *.SXC, *.SXW, *.VSD, *.WAB, *.WPD, *.WPS, *.WRD, *.XLS, *.XLSX.

    Victims of this malware found in: Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, United Kingdom, United States and Venezuela.
    The malware remains untraceable for about 7 years and was able to infect Mac OS X version, Linux, Windows, iPad/iPhone and android running devices.
    According to the researchers, the Mask Malware was designed to infect the 32- and 64-bit Windows versions, Mac OS X and Linux versions, but researchers believe that possibly there may be more versions for Android and iPhones (Apple iOS) platforms.
    In its main binary a CAB file having shlink32 and shlink64 dll files are found during the research from which the malware extract one of them, depending upon the architecture of the victim’s machine and install it as objframe.dll.
    It includes the most sophisticated backdoor SGH, which is designed to perform a large surveillance function and except this it has DINNER module which gets executed via APC remote calls and reload ‘chef’ module responsible for network connectivity and ‘waiter’ modules responsible for all logical operations.
    Another backdoor called SBD (Shadowinteger’s Backdoor) which uses open source tools like netcat is included in the malware. To infect Linux versions, Mozilla Firefox plugin “af_l_addon.xpi” was used and was hosted on “linkconf[dot]net”
    Spear phishing, a favorite attack used by most cyber attackers like SEA, was used to distribute this malware. Users were lured to click some malicious websites that contain a number of exploits to compromise their systems.
    Latest Computer news and virus and malware threats at Complete computer Repair Services

    www.ccrepairservices.com