• Tag Archives virus
  • Using DNS to weaken Locky ransomware threat

    Ransomware and other cyberthreats often go unseen by traditional detection methods like antivirus, deep packet inspection (DPI) or sandboxing. In fact, a report by Lastline Labs indicates that 51% of zero-day malware—threats that strike before developers have time to release a patch—is undetected by anti-virus solutions. So what can security professionals do to stop attacks? The answer lies, in part, in DNS.

    One of the most powerful ransomware threats currently targeting individuals and organizations is Locky, which infects up to 100,000 devices per day, of which 3% submit payments. Cybersecurity experts estimate that Locky possesses 17% of the entire global market share for all ransomware infections.

    First, let’s look at a few statistics that demonstrate the power and expense of Locky:

    Locky is typically delivered through aggressive spam campaigns, often claiming to be an invoice. Despite the known dangers of clicking on links in unknown emails, Locky is so sly it entices even trained IT staff to click on obscure messages and activate downloads.

    Once a download has completed, Locky connects with its Command & Control (C&C) server to get a cryptographic key to use for encryption. There are three known mechanisms for Locky to reach its C&C hosts:

    1. Direct IP communication
    2. A number of fixed domains
    3. A time-based Domain Generation Algorithm (DGA) that creates a set of random-looking domains that are only valid for a few days

    Here is where DNS can play a role. DNS data can be analyzed to identify C&C connection mechanisms. When these communications are blocked, Locky’s ability to obtain encryption keys is limited, giving infected users a better chance of being protected.

    Unfortunately, the DGA used by Locky to generate domains and get encryption keys is marked with the current time period combined with a secret seed, making it harder to block new domains quickly. Locky changes seeds frequently, and reverse engineering current versions of the malware to discover each new seed takes time. Every new seed indicates another wave in the life of the exploit, so until there is an accurate way to identify traffic associated with Locky, it can’t be permanently blocked.

    But examination of a worldwide feed of anonymized DNS queries, along with anomaly detection and correlation technology, makes it possible to identify suspected domains used by Locky to download encryption keys in real time. ForcePoint is one company that has done some work to reverse engineer the DGA used by Locky. By using the existing DGA and conducting some additional processing of suspect domains, it is possible to determine new seeds used by Locky, thereby enumerating all future new domains Locky will use.

    Below is a sampling of more recent domains created by Locky as detected by our DNS algorithms:

    • mrjuvawlwa[.]xyz
    • uydvrqwgg[.]su
    • uwiyklntlxpxj[.]work
    • owvtbqledaraqq[.]su
    • udfaexci[.]ru
    • eabfhwl[.]ru
    • olyedawaki[.]pl
    • uxwfukfqxhydqawmf[.]su
    • ikdcjjcyjtpsc[.]work
    • wrbwtvcv[.]su
    • osxbymbjwuotd[.]click
    • qtuanjdpx[.]info

    As Locky and other types of ransomware become more adept at avoiding detection and remediation, new strategies need to be used to combat them. Many of the new cyberthreat strategies make traditional malware block lists less effective. Facing DGAs with fast-changing seeds, security researchers must constantly identify the new seeds used by each wave of phishing to pre-generate domains. Once new seeds are released the old ones immediately become obsolete.

    By utilizing a broad set of DNS query data, it is possible to detect and track the evolution of generated domains through a variety of algorithmic methods such as clustering, reputation scoring, reverse engineering and additional methods that continuously evolve. Recent innovations include anomaly detection algorithms, new domain clustering and a Domain Reputation System that resulted in almost 100,000 domains and C&Cs provisioned daily for blocking.

    By employing these advanced methods, suspicious domains can be detected with a high level of accuracy very quickly, and false positives can also be weeded out so good traffic can still reach legitimate sites. Currently, this is the best defense against Locky. Service providers and companies can use this technique to protect their online users from having their files encrypted, and identify machines that have been infected.

    Locky provides ample evidence that attackers are continuously innovating. Staying one step ahead requires cybersecurity expertise and real-time processing of massive, worldwide data sets to uncover malicious activity. Blocking traffic to these domains is a good way to avoid the threat of Locky, and expert security teams that take the right steps to understand its behavior and put appropriate measures in place to protect would-be victims will render cyberthreats much less effective.


  • Proteus botnet Malware with Remote Access

     

    The Proteus botnet emerged toward the end of November 2016.  Only a few samples of it were found in the wild and, at the moment, it doesn’t seem to have a widespread campaign.  So, what does it do? It launches a multi-layered attack on an infected machine where it runs several processes aimed at coin mining, credential theft, and keylogging.  In addition, the bot can perform on its own; it offers the cybercriminal to send commands over HTTP to download malicious executables and execute them.

     

    In some samples, the botnet disguises itself as a Google Chrome executable. The functionality of the botnet is highly reliant on its C&C (command and control) server, hxxp://proteus-network[.]biz or hxxp://proteus-network[.]ml (the latter is inaccessible). The URL is hardcoded in the sample and is contacted multiple times to obtain necessary credentials for the tasks the botnet performs. The host name also appears in Pastebin, under the URL hxxp://pastebin[.]com/raw/LidbEiiR, in its encrypted form, and the botnet can retrieve the domain from there as well.

     

    The botnet starts by identifying the infected machine and obtaining the operating system’s info (whether 64 or 86 bit), the machine’s name, and the Windows version. All of the information is sent to the C&C to “register” the machine.

     

    After the machine is acknowledged by the C&C, the botnet proceeds to perform different tasks. As the botnet contacts the C&C to receive various pieces of information, the web requests are sent along with an encrypted string specifying the purpose of the request. These encrypted strings perform the following functions:

     

    • api/register – Register the infected machine
    • api/ping – Check if the machine is already registered
    • api/module – Check the mining module
    • api/proxy – Use reverse proxy
    • api/command – Receive commands from the C&C
    • api/account – Receive an account from the C&C
    • api/log – Handle the key logging document

     

    The header section of the HTTP requests is similar throughout the different sections of the source code:

    Content-type: application-json

    Authorization: {2D592824-48DE-49F8-8F96-A40B3904C794}

     

    When contacting the C&C, a POST request is sent with one of the above modes appended to the domain’s name, for example, hxxp://proteus-network.biz/api/log. The C&C sends a response to this request, which is then parsed by the botnet in search for the C&C’s reply.

     

    CheckerTask:

     

    The CheckerTask starts by contacting the C&C with the api/account string appended to the domain’s name. After sending a POST request, it receives a four-tuple composed of an account ID, an e-mail, a password, and the account type. The botnet attempts to access and steal the user’s credentials from a number of online websites, including:

     

    • eBay.com
    • otto.de
    • amazon.de
    • breuninger.com
    • dhl.de
    • netflix.com
    • coderbay.net
    • zalando.de

     

    The majority of these websites are German-based and the botnet searches for German words appearing in the responses. This leads us to believe this specific sample of Proteus targets are German victims. For example, if the message received from the website includes the phrase “stimmen nicht mit den bei uns hinterlegten Daten”, which means, “This does not match the data provided by us”. The botnet attempts to change the password’s first character from lower case to upper case or to append the character “1” to the end of the password and tries to log in again after three seconds. The response from the website is then checked to harvest more information about the victim, including name, address, country, bought and sold items, seller type and the last feedback received.

     

    Some of the websites which the CheckerTask tries to steal the credentials from may include a Captcha to prevent such automated logins. The Proteus botnet uses Death by Captcha (DBC), an API which solves any given Captcha and turns it into a text that the botnet can insert into the website, and proceeds with the login. Using DBC requires a username and a password, which are both hardcoded into the sample to enable Captcha analysis. We have managed to access the DBC account used in the sample, and found that it resolved 200 Captchas so far, which could hint to the number of successfully infected machines.

     

    LoggerTask:

     

    This task performs key logging on the infected machine. It starts by initializing a list of all the keyboard keys, and stores the logged keys into a file called tmpV213.txt found under the TEMP directory. When this file includes more than 250 characters, it is cleared and its content is sent to the C&C along with the api/log string.

     

    CommandsTask:

     

    This task receives commands from the C&C. The botnet sends a request to the C&C with the fingerprint and the api/command string. If the C&C sends a command to download a file, a new directory is created in the TEMP folder using a GUID, and a file called temp.exe is created in that directory. Alternatively, if the command is to “kill”, the process is killed. The task checks for new commands every two minutes.

     

    MiningTask, EMiningTask:

     

    The C&C determines the type of mining which the infected machine attempts, as well as the mining pool it will join. The EminingTask downloads an executable to the TEMP directory with the name loader.exe. The types of mining that appear in the sample are CPU, Zcash, Scrypt, and SHA256. During the mining task, and depending on the chosen type, the resources of the infected machine, such as the memory, CPU, and RAM, are used to provide the computing power necessary to produce the hashes accepted as a proof of work by each method. Even using a pool instead of individual mining, CPU usage soared rapidly and reached 100% in our labs when we ran the sample, which shows the processing power needed for the mining tasks.

     

    Conclusion:

     

    To summarize, the botnet conducts a complex attack: it infects a machine, steals credentials, logs keys and mines for currency, causing CPU level to reach 100%. Although the botnet has many of the crucial implementation tools needed for its attack, it heavily depends on communication with its C&C server and the information it transmits for the execution of its most basic functions.


  • Ransomeware Decrypters Available Decryption Service – Decryptor Download Decrypt Files

    New version of ODCODCDecoder Released Download Decrypter

    BloodDolly has released a new version of his ODCODC Ransomwaredecryptor. The decryptor can be downloaded from.

    Emsisoft Decrypter for Marlboro Download Decrypter

    The Marlboro ransomware was first seen on January 11th, 2017. It is written in C++ and uses a simple XOR-based encryption algorithm. Encrypted files are renamed to “.oops”. The ransom note is stored inside a file named “_HELP_Recover_Files_.html” and includes no further point of contact.

    Due to a bug in the malware’s code, the malware will truncate up to the last 7 bytes from files it encrypts. It is, unfortunately, impossible for the decrypter to reconstruct these bytes.

    To use the decrypter, you will require an encrypted file of at least 640 bytes in size as well as its unencrypted version. To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.

    Decryptor released for the Merry Christmas or Merry X-Mas Ransomware Download Decrypter

    Fabian Wosar has done it again and released a decryptor for the files encrypted by the Merry Christmas or Merry X-Mas Ransomware. These files will have the extensions .PEGS1, .MRCR1, .RARE1, .RMCM1 appended to them.

    Crypt38Decrypter Download Download Decrypter

    BitStakDecrypter Download Download Decrypter

    lphaDecrypter Download Download Decrypte

    Unlock92Decrypter Download Download Decrypter

    Hidden Tear Decrypter Download Download Decrypter

    Hidden Tear BruteForcer Download Download Decrypter

    PowerLockyDecrypter Download Download Decrypter

    GhostCryptDecrypter Download Download Decrypter

    MicroCop Decryptor Download Download Decrypter

    Jigsaw Decrypter Download Download Decrypter

    Rannoh Decryptor (updated 20-12-2016 with CryptXXX v3) Download Decrypter

    RannohDecryptor tool is designed to decrypt files encrypted by:

    • CryptXXX versions 1, 2 and 3.
    • Marsjoke aka Polyglot;
    • Rannoh;
    • AutoIt;
    • Fury;
    • Crybola;
    • Cryakl;

    Globe3 Decryptor Download Decrypter
    The tool is designed to decrypt files encrypted by Globe3 Ransomware.

    Derialock Decryptor Download Decrypter
    Derialock decryptor tool is designed to decrypt files encrypted by Derialock

    PHP Ransomware Decryptor Download Decrypter
    PHP ransomware decryptor tool is designed to decrypt files encrypted by PHP ransomware

    WildFire Decryptor Download Decrypter
    WildfireDecryptor tool is designed to decrypt files encrypted by Wildfire

    Chimera Decryptor Download Decrypter
    ChimeraDecryptor tool is designed to decrypt files encrypted by Chimera

    Teslacrypt Decryptor Download Decrypter
    TeslaDecryptor can decrypt files encrypted by TeslaCrypt v3 and v4

    Shade Decryptor Download Decrypter
    ShadeDecryptor can decrypt files with the following extensions: .xtbl, .ytbl, .breaking_bad, .heisenberg.

    CoinVault Decryptor Download Decrypter

    The CoinVault decryption tool decrypts files encrypted by Coinvault and Bitcryptor.

    Rakhni Decryptor (updated 14-11-2016) Download Decrypter

    RakhniDecryptor tool is designed to decrypt files encrypted by:

    • Crysis;
    • Chimera;
    • Rakhni;
    • Agent.iih;
    • Aura;
    • Autoit;
    • Pletor;
    • Rotor;
    • Lamer;
    • Lortok;
    • Cryptokluchen;
    • Democry;
    • Bitman (TeslaCrypt) version 3 and 4.

    Trend Micro Ransomware File Decryptor Download Decrypter

    Supported Ransomware Families

    The following list describes the known ransomware-encrypted files types can be handled by the latest version of

    the tool.

    Ransomware

    File name and extension

    CryptXXX V1, V2, V3*

    {original file name}.crypt, cryp1, crypz, or 5 hexadecimal characters

    CryptXXX V4, V5

    {MD5 Hash}.5 hexadecimal characters

    Crysis

    .{id}.{email address}.xtbl, crypt

    TeslaCrypt V1**

    {original file name}.ECC

    TeslaCrypt V2**

    {original file name}.VVV, CCC, ZZZ, AAA, ABC, XYZ

    TeslaCrypt V3

    {original file name}.XXX or TTT or MP3 or MICRO

    TeslaCrypt V4

    File name and extension are unchanged

    Rating:

    485 found this helpful

    Category:

    Troubleshoot

    Solution Id:

    1114221

    13/12/2016, 22)42

    Using the Trend Micro Ransomware File Decryptor Tool

    Page 2 of 6

    https://success.trendmicro.com/solution/1114221#

    #

    TeslaCrypt V4

    File name and extension are unchanged

    SNSLocker

    {Original file name}.RSNSLocked

    AutoLocky

    {Original file name}.locky

    BadBlock

    {Original file name}

    777

    {Original file name}.777

    XORIST

    {Original file name}.xorist or random extension

    XORBAT

    {Original file name}.crypted

    CERBER V1

    {10 random characters}.cerber

    Stampado

    {Original file name}.locked

    Nemucod

    {Original file name}.crypted

    Chimera

    {Original file name}.crypt

    LECHIFFRE

    {Original file name}.LeChiffre

    MirCop

    Lock.{Original file name}

    Jigsaw

    {Original file name}.random extension

    Globe/Purge

    V1: {Original file name}.purge

    V2: {Original file name}.{email address + random characters}

    V3: Extension not fixed or file name encrypted

    DXXD

    V1: {Original file name}.{Original extension}dxxd

    Teamxrat/Xpan

    V2: {Original filename}.__xratteamLucked

    Crysis

    .{id}.{email address}.xtbl, crypt

    NMoreira Decryptor download
    The tool is designed to decrypt files encrypted by NMoreira Ransomware.

    Ozozalocker Decryptor download
    The tool is designed to decrypt files encrypted by Ozozalocker Ransomware.

    Globe Decryptor download
    The tool is designed to decrypt files encrypted by Globe Ransomware.

    Globe2 Decryptor download
    The tool is designed to decrypt files encrypted by Globe2 Ransomware.

    FenixLocker Decryptor download
    The tool is designed to decrypt files encrypted by FenixLocker Ransomware.

    Philadelphia Decryptor download
    The tool is designed to decrypt files encrypted by Philadelphia Ransomware.

    Stampado Decryptor download
    The tool is designed to decrypt files encrypted by Stampado Ransomware.

    Xorist Decryptor download
    The tool is designed to decrypt files encrypted by Xorist Ransomware.

    Nemucod Decryptor download
    The tool is designed to decrypt files encrypted by Nemucod Ransomware.

    Gomasom Decryptor download
    The tool is designed to decrypt files encrypted by Gomasom Ransomware.

    Linux.Encoder Decryptor download

    Decryption tools have been designed for infections of the Linux.Encoder.1 and Linux.Encoder.3 ransomware

     


  • Ransomware developers look to educate victims and Help Decrypt files

    Knowledge is good, At least according to the cybercriminals who are developing ransomware that will give a free decryption key if the victim reads two articles about ransomware.

    A new variant of Koolova was discovered by security researcher Michael Gillespie, that demands the victim read two articles: a Google Security Blog, Stay safe while browsing, and a Bleeping Computer article, Jigsaw Ransomware Decrypted: Will delete your files until you pay the Ransom.

    Lawrence Abrams, said the ransomware itself behaves like Jigsaw in that once it encrypts the files it delivers a scrolling note telling the victim to read stories or else risk having their files deleted. In Jigsaw’s case the demand is for a ransom payment.


  • CTB-Locker ransomware spreading through fake Windows 10 Update emails

    With the highly publicized release of Microsoft’s Windows 10 on July 29th, scammers and malware developers were quick to jump in and use it as a method of distributing malware. Cisco’s Talos Group has discovered a email campaign underway that pretends to be from Microsoft and contains an attachment that will supposedly allow you to upgrade to Windows 10. In reality, though, this email is fake and once you double-click on the attached file, you will instead become infected with the encrypting ransomware CTB-Locker.

    win10_blacked_out.png

    Image of fake Windows Update Email courtesy of Cisco

    As you can see the email pretends to be from the email address update@microsoft.com and contains the subject [b]Windows 10 Free Update. Even the email message looks legitimate with no spelling mistakes or strange grammar. This is because the content is copied directly from Microsoft’s site. The only tell-tale sign is that there will be some characters that do not render properly. Unfortunately, this small sign will not be enough for many people to notice.

    Furthermore, once they download the attachment and extract it, the attached Win10Installer.exe icon will be the familiar Windows 10 logo.

    It isn’t until you inspect the file properties of the attachment, do you see that something is not right as its file description will be iMacros Web Automation and the copyright for the program will belong to Ipswitch. Ipswitch is a legitimate company and not the ones who released this malware.

    Finally, if a user double-clicks on the Win10Installer.exe file, they will not be greeted with the normal Windows 10 upgrade screen. Instead, after a brief delay they will be shown the screen for the CTB-Locker ransomware.

    CTB-Locker Computer Virus removal and data file recovery service. Local and Online service. Fort Lauderdale,Miami, Boca Raton and all South florida
    CTB-Locker Computer Virus removal and data file recovery service. Local and Online service. Fort Lauderdale,Miami, Boca Raton and all South florida

    At this point, the computer’s data will be encrypted and there is not much that can be done about it.

     

    IF INFECTED Visit Our Main Site OR call 754-234-5598

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere


  • Cryptowall 3.0 is back and rapidly spreading – Ransom Virus Malware Spyware Spam Email

    Cryptowall 3.0 Spreading again Removal DecrypterCryptowall 3.0 Rapidly Spreading again Removal Repair Recovery and Decrypter
    Cryptowall 3.0 Spreading again Removal DecrypterCryptowall 3.0 Rapidly Spreading again Removal Repair Ransom Recovery and Decrypter CALL 754-234-5598

    Since the Angler Exploit Kit began in late May spreading Cryptowall 3.0 ransomware, traffic containing the malware has continued to grow, putting more potential victims in harm’s way.

    A week ago, the SANS Internet Storm Center reported that Cryptowall 3.0 infections are emanating from not only the prolific exploit kit, but also from malicious spam campaigns. The two means of infections share some common characteristics, lending credence to the theory that the same group may be behind both.
    Version 3.0 is the latest iteration of Cryptowall, which is also known as Crowti. Like other ransomware families, Cryptowall 3.0 encrypts files stored on a compromised computer and demands a ransom, usually $500 payable in Bitcoin, in exchange for the encryption key. The malware uses numerous channels to communicate and send stolen traffic to its keepers, including I2P and Tor anonymity networks. Researchers at Cisco in February said that Cryptowall 3.0 abandoned using a dropper for propagation, opting instead to use exploit kits.

    As of this morning, SANS incident handler and Rackspace security researcher Brad Duncan said that the latest run of Angler Exploit Kit traffic showed that the attackers had added a different Bitcoin address than the one used previously.

    At this point, I’m not 100 percent certain it’s the same actor behind all this Cryptowall 3.0 we’ve been seeing lately,” Duncan wrote on the SANS ISC website. “However, my gut feeling tells me this activity is all related to the same actor or group. The timing is too much of a coincidence.

    Duncan said that a check on blockchain.info for activity on the two Bitcoin addresses shows some transactions, indicating some victims are paying the ransom.

    “We’re seeing a lot more samples of CryptoWall 3.0 in the spam/EK traffic now than before, so maybe the increased exposure might help infect more computers,” Duncan said, adding that he had no data on whether any of the victims who did pay the ransom were receiving encryption keys and are able to salvage their data.

    Duncan said this latest spike began May 25 from both the malicious spam and Angler angles; both campaigns were still active as of early this morning.

    The spam campaign uses Yahoo email addresses to send Cryptowall 3.0 via attachments. The attachments are called my_resume.zip and contain an HTML file called my_resume.svg. Duncan said the attackers have begun appending numbers to the file names, such as resume4210.html or resume9647.html.

    Opening the attachment and extracting the malicious file gives you an HTML document. If you open one of these HTML files, your browser will generate traffic to a compromised server,” Duncan wrote. “The return traffic is gzip compressed, so you won’t see it in the TCP stream from Wireshark. Exporting the text from Wireshark shows HTML that points to a shared document from a Google server.

    Cryptowall is hosted on a number of different docs.google.com URLs, he said, a list of which is posted on the SANS website. The Bitcoin address used for payment in the spam campaign is 16REtGSobiQZoprFnXZBR2mSWvRyUSJ3ag, the same address found in other spam samples.

    Infections coming from Angler began May 26, and were the first Cryptowall 3.0 infections seen from Angler. The Bitcoin address used in Angler infections is 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB, SANS said. Duncan reports that a second Bitcoin address, 12LE1yNak3ZuNTLa95KYR2CQSKb6rZnELb, was used as of today.

    “There are any number of reasons to use more than one Bitcoin address. It could be a back-up, in case law enforcement is closing in on the other one. It could be a way to track different infections, geographically,” Duncan said. “I’m not sure on this one. It’s just my gut feeling, which could be wrong.”

    Duncan said that a new slate of WordPress sites were redirecting to Angler in this campaign, based on web injects observed.

    “The significance is that there are plenty of vulnerable websites running outdated or unpatched versions of WordPress,” Duncan said. “The actors behind this (and other) campaigns will have a continuous supply of websites that can be compromised and used for these efforts.”

    www.CCREPAIRSERVICES.COM

    Local and Online PC Computer Repair Tel. 754-234-5598

    FAST SAME DAY COMPUTER REPAIR, VIRUS REMOVAL, CRYTOWALL FILE RECOVERY AND LAPTOP SCREEN REPAIR SERVICE


  • Computer Repair Services – Local Repair and On line Computer Technician Available

    If you need your computer up and running today, Call a reliable PC technician. Proudly Serving and providing on site local service in South Florida. Online service repair technicians available Anytime, Any day, Anywhere. Call 754-234-5598

    Complete Computer Repair

    SOME OF OUR COMPUTER AND NETWORK SERVICES

    • Networking — home office / business
      • Onsite PC support and installation
      • Hard drive Failure / Laptop Motherboard Repair
      • Data Backup and Data recovery
      • Malware, Viruses, Trojans, Rootkits, Ransomeware and Spyware Removal
      • Screen Replacement and repair
      • Apple Repair, PC Repair, Laptop Repair, Desktop Repair
      • Computer Upgrades and Build Custom Computers
      • Windows Upgrade, OSX Upgrades
      • Memory Upgrade, Hard drive upgrade,
      • Network Security, Secure Your Network, Internet Security
      • Wireless routers Installations
      • Wireless Printers Installation and Configuration
      • Anti-Virus Protection and Configuration
      • Windows Recovery for XP, Vista, Windows 7, windows 8, windows 10
      • Re install Windows 98, Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10 Installations

    –> We have computer parts for sale at low prices new and old for every make and model, HP, Compaq, Acer, Lenovo, Dell, Asus, Samsung, Toshiba, Sony, IBM, Emachines, Fujitsu, MSI and more.

    TEL. 754-234-5598

    *Lower prices than Geek Squad Fort Lauderdale, CompUSA Fort Lauderdale, Tiger Direct Fort Lauderdale, Staples Fort Lauderdale, Office Depot Fort Lauderdale, Online Virus Removal Sites, Local Computer Repair Shops. If you find a lower price call us and we will match that price. Computer Repair Coupons welcome, Computer repair discount for seniors.


  • Malicious Ads on Yahoo, AOL, Match.com, Trigger CryptoWall Infections

    cryptowall

    Attackers have been leveraging the FlashPack Exploit Kit to peddle the CryptoWall 2.0 ransomware on unsuspecting visitors to sites such as Yahoo, The Atlantic and AOL. Researchers believe that for about a month the malvertising campaign hit up to 3 million visitors and netted the attackers $25,000 daily.

    According to experts at Proofpoint, a firm that primarily specializes in email security, the exploit kit targeted a vulnerability in Adobe Flash via users’ browsers to install the ransomware on users’ machines.

    Malvertising is an attack that happens when attackers embed malicious code – in this case code that led to the latest iteration of CryptoWall – into otherwise legitimate ads to spread malware via drive-by downloads. Users can often be infected without even clicking on anything.

    CryptoWall, which takes users’ files, encrypts them with rigid RSA-2048 encryption, then asks for a fee to decrypt them, made a killing earlier this summer. In August it was reported that the ransomware made more than $1.1 million for its creators in just six months.

    Similar to Critoni/Onion, a ransomware dug up in July, CryptoWall 2.0 downloads a TOR client on the victim’s machine, connects to a command and control server and demands users send Bitcoin – $500 worth – to decrypt their files. Since the campaign lasted about a month, from Sept. 18 to this past Saturday, researchers are estimating that 40 of the campaign’s Bitcoin addresses collected at least 65 BTC each, a number that roughly translates to $25,000 a day.

    cryptowall1

    Proofpoint claims that high ranking sites such as AOL, The Atlantic, Match.com and several Yahoo subdomains such as their Sports, Fantasy Sports and Finance sites, were spotted serving up the tainted ads. Other sites lesser known in the U.S. such as Australia’s Sydney Morning Herald, The Age, and the Brisbane Times, were reportedly also doling out the ads.

    While the campaign started a month ago the firm claims things didn’t start to ramp up until recently.

    “After crossing a threshold level, it became possible to associate the disparate instances with a single campaign impacting numerous, high-traffic sites,” Wayne Huang, the company’s VP of Engineering, said of the campaign.

    The firm claims it worked quickly to notify those involved in the campaign, including the ad providers, and as of this week, believes the situation has been nullified.

    Last month researchers with Barracuda Labs found a CryptoWall variant with certificate signed by Comodo being distributed through ads on a handful of different websites. None of those sites were nearly as trafficked as those spotted by this most recent campaign however. The Alexa rankings for Yahoo (4), AOL (37), Match (203), and The Atlantic (386) place them within the top 500 of the internet’s most popular sites, something that likely upped the campaign’s exposure level.

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida


  • TripAdvisor’s Viator Hit by Massive 1.4 Million Payment Card Data Breach


    TripAdvisor’s Viator Hit by Massive 1.4 million Payment Card Data Breach

    TripAdvisor has reportedly been hit by a massive data breach at its Online travel booking and review website Viator, that may have exposed payment card details and account credentials of its customers, affecting an estimated 1.4 million of its customers.

    The San Francisco-based Viator, acquired by TripAdvisor – the world’s largest travel site – for £122 million (US$ 200 million) back in July, admitted late on Friday that the intruders have hacked into some of its customers’ payment card accounts and made unauthorized charges.

    The data breach was discovered in the bookings made through Viator’s websites and mobile offerings that could potentially affect payment card data.

    Viator said that the company has hired forensic experts to figure out the extent of the breach. Meanwhile, the company has begun notifying its affected customers about the security breach as said by the travel outfit in a press release.

    “On September 2, we were informed by our payment card service provider that unauthorized charges occurred on a number of our customers’ credit cards,” Viator wrote. “We have hired forensic experts, notified law enforcement and we have been working diligently and comprehensively to investigate the incident, identify how our systems may have been impacted, and secure our systems.”

    “While our investigation is ongoing, we are in the process of notifying approximately 1.4 million Viator customers, who had some form of information potentially affected by the compromise.”

    During investigation it found that the cybercriminals have broken into its internal databases and accessed the payment card data – including encrypted credit or debit card number, card expiration date, name, billing address and email address – of approximately 880,000 customers, and possibly their Viator account information that includes email address, encrypted password and Viator ‘nickname.’

    Additionally, the intruders may have also accessed the Viator account information, including email addresses and encrypted passwords, of over 560,000 Viator customers.

    According to the company, Debit-card PIN numbers were not included in the breach because Viator does not store them. The travel advisor said that they believe that the CVV number, the security numbers printed on the back of the customer’s credit card, were also not stolen in the breach.

    For those who are affected by the breach in United States, Viator is offering them identity protection and credit card monitoring services for free and and the company is also investigating the possibility of offering similar services to customers outside the country.

    Meanwhile, the company has warned its affected customers to regularly monitor their card activity and report any fraudulent charges to their card company. “Customers will not be responsible for fraudulent charges to their accounts if they are reported in a timely manner,” Viator said.

    Viator also recommends its users to change their password for the site, as well as all other websites that uses the same credentials.

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida


  • Rise in Anti-Child Porn Spam Protection Ransomware infections

    This ransomware pretends to be from a legitimate government organization that states that the infected computer is sending out SPAM that contains links to child pornography sites. The ransom program then states that in order protect yourself, and others, it has encrypted your data using Advanced Encryption Standards, or AES, encryption. Just like the Malware Protection and the ACCDFISA Protection Program variants, these files are not actually encrypted but are password protected RAR files.

    sl.png

    ScreenLocker window for ACCDFISA v2.0, There are actually a few different versions of this. ACCDFISA v2.0 HTML file, These can be worded slightly different, and can have different emails to message the virus creator.

    There seems to be either a leak of the ACCDFISA v2.0 source, or the creator is mixing up the layout of Ransom Note, Screen Locker, and even the internal code. So far I have found 3 different version of ACCDFISA v2.0 with different contact emails, Ransom Notes, Code, and what is worse is even the method of delivery. The previous ACCDFISA v2.0 mostly only affected servers with RDP enabled with weak security. But the last 2 victims I have been messaging had neither a server or RDP enabled, and claimed to have gotten it either by email or a malicious or hacked site. This makes this older modified infection another top placer for worst encrypting infections because the key is unrecoverable, Restore Points are wiped, the computer is locked down, services are mangled, free space and deleted files are wiped with SDelete, and of course files are encrypted with WinRar SFX AES exe’s.

    For informational purposes, the 2 virus creator emails I have found with these variants are brhelpinfo@gmail.com and Dextreme88@gmail.com.

    When first run, this program will scan your computer for data files and convert them to password protected RAR .exe files. These password protected data files will be named in a format similar to test.txt(!! to decrypt email id <id> to <Email>@gmail.com !!).exe. It will then use Sysinternal’s SDelete to delete the original files in such a way that they cannot be undeleted using file recovery tools. It will also set a Windows Registry Run entry to start c:\<Random Number>\svchost.exe when your computer starts. This program is launched immediately when you logon and blocks access to your Windows environment. If you boot your computer using SafeMode, Windows Recovery disk, or another offline recovery CD, you can delete or rename the c:\<Random Number>\svchost.exe file in order to regain access to your Windows Desktop. This “lockout” screen will also prompt you to send the hackers the ransom in order to get a passcode for the system lockout screen and for your password protected files.

    This variant took 3 hours to completely finish on my VM. I was able to access the key file, and decrypt nearly all files and back them up before shutdown. So if you are lucky enough to see this happening, you should immediately backup the key file on the desktop / in the ProgramData folder.

    Sadly, just like the past variants, files cannot be decrypted either without the key, or a backup. If you are reading this infection free I have one question, Have you backed up today?. If not, you better get to it as these types of computer infections are on the rise and definitely here to stay!

    The files that this infection creates when it is installed are:

    File List:

    c:\<Random>\svchost.exe – ScreenLocker / Decrypter

    c:\<Random>\howtodecryptaesfiles.htm – RansomNote that all RansomNotes lnk’s point to

    c:\ProgramData\fdst<Random>\lsassw86s.exe Encrypter / Main dropper

    c:\ProgramData\<Random>\<Random>.dll – Different Numbers and Hashes used by the infection / Also where Temp Key is kept, But removed after completion

    c:\ProgramData\<Random>\<Random>.DLLS List of files to be infected by WinRar

    c:\ProgramData\<Random>\svchost.exe – WinRar CUI renamed

    c:\ProgramData\<Random>\svchost.exe – Sdelete Renamed

    c:\ProgramData\svcfnmainstvestvs\stppthmainfv.dll List of Numbers used by the infection

    c:\ProgramData\svtstcrs\stppthmainfv.dll List of Numbers used by the infection

    c:\Windows\System32\backgrounds2.bmp Renamed ScreenLocker / Decrypter, Used to replace the one in ProgramData if deleted

    c:\Windows\System32\lsassw86s.exe Renamed Encrypter / Main dropper, Used to replace the one in ProgramData if deleted

    c:\Windows\System32\scsvserv.exe Used to complete mangle / disable services to further lock down computer

    c:\Windows\System32\lsassvrtdbks.exe Assists with encryption

    c:\Windows\System32\session455.txt Temp Storage used with .BAT file to logoff user account

    c:\Windows\System32\decryptaesfiles.html Used to copy to ProgramData

    c:\Windows\System32\Sdelete.dll Used to copy Sdelete to ProgramData

    c:\Windows\System32\kblockdll.dll Used to Lock desktop

    c:\Windows\System32\btlogoffusrsmtv.bat Used to log user off

    c:\Windows\System32\default2.sfx Used with winrar to encrypt files

    c:\Windows\System32\cfwin32.dll WinRar CUI renamed

    %Desktop%\<Random>.Txt – Also contains Decrypt Key, But removed after completion

    Registry List:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\<Random>\svchost.exe – Launches ScreenLocker

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run C:\<Random>\svchost.exe – Launches ScreenLocker

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\ProgramData\<Random>\svchost.exe – Launches ScreenLocker

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida


  • Secret Government and Law enforcement spyware leaked

     

    Company That Sells 'FinFisher' Spying Software Got Hacked, 40GB Data Leaked
    FinFisher spyware, a spyware application used by government and law enforcement agencies for the purpose of surveillance, appears to have been hacked earlier this week and a string of files has been dumped on the Internet.
    The highly secret surveillance software called “FinFisher” sold by British company Gamma International can secretly monitors computers by turning ON webcams, recording everything the user types with a keylogger, and intercepting Skype calls, copying files, and much more.
    A hacker has claimed on Reddit and Twitter that they’d infiltrated the network of one of the world’s top surveillance & motoring technology company Gamma International, creator of FinFisher spyware, and has exposed 40GB of internal data detailing the operations and effectiveness of the FinFisher suite of surveillance platforms.
    The leaked information was published both on a parody Gamma Group Twitter account (@GammaGroupPR) and Reditt by the hacker that began publishing links to the documents and satirical tweets.
    The leaked files includes client lists, price lists, source code of Web Finfly, details about the effectiveness of Finfisher malware, user and support documentation, a list of classes/tutorials, and much more.
    The Reddit post Gamma International Leaked in self.Anarchism said, “a couple days ago [when] I hacked in and made off with 40GB of data from Gamma’s networks. I have hard proof they knew they were selling (and still are) to people using their software to attack Bahraini activists, along with a whole lots of other stuff in that 40GB.”

    The FinFisher files were first leaked on Dropbox as a torrent file and since have been shared across the internet, which means that it is now impossible to stop the information from being leaked.

    One spreadsheet in the dump titled FinFisher Products Extended Antivirus Test dated April this year, details the anti-virus detection rates of the FinFisher spyware which German based Gamma Group sold to governments and law enforcement agencies.

    It shows how FinFisher performed well against 35 top antivirus products. That means FinFisher would probably not be detected by a targeted users’ security systems.


    One more document also dated April this year has been identified that detailed release notes, for version 4.51 of FinSpy, show a series of patches made to the products including patch to ensure rootkit component could avoid Microsoft Security Essentials, that the malware could record dual screen Windows setups, and improved email spying with Mozilla Thunderbird and Apple Mail.


    The file dump also reveals that FinFisher is detected by OS X Skype (a recording prompt appears), so the users of OS X Skype would be alerted to the presence of FinFisher by a notification indicating that a recording module was installed.
    Company That Sells 'FinFisher' Spying Software Got Hacked, 40GB Data Leaked
    FinFisher cannot tap Windows 8 users, so rather the desktop client, the users should opt for the Metro version of Skype.
    The dump also contains a fake Adobe Flash Player updater, a Firefox plugin for RealPlayer and an extensive (though still undetermined) documentation for WhatsApp.

    A price list, which appeared to be a customers’ record, revealed the FinSpy program cost 1.4 million Euros and a variety of penetration testing training services priced at 27,000 Euros each,” the Reg. reported. “The document did not contain a date but it did show prices for malware targeting the recent iOS version 7 platform.”

    The leaked documents also included a FinSpy user manual and brochure. This previously kept so-called spying secret is not a secret now and we’ll be going to find a lot more in the upcoming weeks.

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida


  • SandroRAT Mobile Phone Android Malware that Disguises as Kaspersky Mobile Security

    Researchers have warned users of Android devices to avoid app downloads from particularly unauthorized sources, since a new and sophisticated piece of malware is targeting Android users through phishing emails.
    The malware, dubbed SandroRAT, is currently being used by cybercriminals to target Android users in Poland via a widely spread email spam campaign that delivers a new variant of an Android remote access tool (RAT).
    The emails masquerade itself as a bank alert that warns users of the malware infection in their mobile device and offers a fake mobile security solution in order to get rid of the malware infection.
    The mobile security solution poses as a Kaspersky Mobile Security, but in real, it is a version of SandroRAT, a remote access tool devised for Android devices, whose source code has been put on sale on underground Hack Forums since December last year.
    A mobile malware researcher at McAfee, Carlos Castillo, detailed the new variant of Android remote access trojan over the weekend. According to the researcher, the package spread via phishing campaign is capable of executing several malicious commands on the infected devices.
    SandroRAT gives the attacker an unrestricted access to sensitive details such as SMS messages, contact lists, call logs, browser history (including banking credentials), and GPS location data stored in Android devices and store all the data in an “adaptive multi-rate file on the SD card” to later upload them to a remote command and control (C&C) server.

    Spam campaigns (via SMS or email) are becoming a very popular way to distribute Android malware, which can steal personal information or even obtain complete control of a device with a tools like SandroRat,” wrote Carlos Castillo. “This attack gains credence with the appearance of a bank offering security solutions against banking malware, a typical behavior of legitimate banks.”

    This new version of SandroRAT also has a self-update feature in it and it can install additional malware through user prompts for such actions. The malware gives the attacker full control over the messages, who can intercept, block and steal incoming messages, as well as insert and delete them.
    It also appears that the attacker can send multimedia messages with specific parameters sent by the C&C server and can also record nearby sounds using the device’s mic.
    Castillo also notes that the SandroRAT variant of malware had decryption capabilities for older releases of Whatsapp messaging app. But, the users running the latest version of Whatsapp in their Android devices are not vulnerable because the developers adopted a stronger encryption scheme.

    This decryption routine will not work with WhatsApp chats encrypted by the latest version of the application because the encryption scheme (crypt7) has been updated to make it stronger (using a unique server salt),” Castillo explained. “WhatsApp users should update the app to the latest version,” he advised.

    Users are advised to avoid application downloads from unauthorized sources, particularly when the app download link is send through an email. Good practice is to always prefer downloading apps from the Google Play Store or other trusted sources.

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida