Tag: spyware

Pegasus Spyware Detected – Upgrade to iOS 9.3.5 ASAP


Malware that spies on phone calls and text messages has been blunted, thanks to the latest iOS update and to the caution of a human rights activist. Citizen Lab, a research group at the University of Toronto, published a report that Ahmed Mansoor, a human rights activist in the United Arab Emirates, received text messages carrying a malicious link. Thankfully Mansoor was not tempted to click on it.

Instead he passed the link to Citizen Lab, whose researchers, working with the mobile security firm Lookout, tied it to infrastructure belonging to the NSO Group, an Israeli company known for selling a government-only spyware product, Pegasus, which it markets as a “lawful intercept” tool. Many have called it the most sophisticated mobile spyware yet found, and iPhone, Android and BlackBerry users are all reported targets. What sets Pegasus apart is that it compromises the kernel, the core of the operating system. Sitting there, it can read messages and listen to calls before the app encrypts them (or after it decrypts them), so end-to-end encrypted apps offer no protection once the device itself is compromised. Had Mansoor clicked, the link would have silently jailbroken his iPhone and installed surveillance software with access to the camera and microphone, his WhatsApp and Viber calls and messages, and his GPS location.

Citizen Lab wrote in its report that “[w]e are not aware of any previous instance of an iPhone remote jailbreak used in the wild as part of a targeted attack campaign.”

Last Thursday (25 August 2016) Apple released iOS 9.3.5, which I highly advise upgrading to if you have not already done so (Settings > General > Software Update). The update closes all three bugs in the exploit chain Citizen Lab and Lookout named Trident: a WebKit memory-corruption bug that let a maliciously crafted website execute arbitrary code (CVE-2016-4657), a kernel memory-disclosure bug that leaked the addresses the exploit needed (CVE-2016-4655), and a kernel memory-corruption bug used to gain kernel privileges and jailbreak the device (CVE-2016-4656).

Phew.



If you would like to educate yourself in more detail about the information presented in this blog post please visit: www.pcmag.com

Undetected Hacker Group Spying Since 2011…


A previously unknown hacker group, dubbed ‘Strider’, has just been discovered by researchers at Symantec. Its ‘nation-state level’ malware, Remsec, references the all-seeing eye of Sauron and has been used to steal files from organisations around the world. The group appears to aim at targets that would interest a nation state’s intelligence services. Remsec has mainly hit organisations in Russia, but the group has also infected an airline in China, an embassy in Belgium and a large organisation in Sweden whose name could not be confirmed. The malware opens a backdoor on an infected system, logs keystrokes and steals files.


The malware has been in operation since October 2011 but avoided detection by most antivirus products for nearly five years. Only 36 infections have been found in that time, but the stealth the malware shows is unsettling. Many of the components that make up Remsec are built as BLOBs (Binary Large Objects), opaque chunks of binary data that are harder for signature-based antivirus software to pick up. Much of its functionality is also deployed over the network and lives only in memory, never being written to disk, which makes it harder still to detect.

A deeper look into the malware’s modules found that several are written in the Lua programming language, an embeddable scripting language that Remsec uses to implement functions such as keylogging; the keylogging module is the one that contains the reference to the all-seeing eye of Sauron from The Lord of the Rings. The use of Lua modules leads researchers to suspect a connection to the Flamer group, known for embedding Lua in its malware. Another possible lead is the infamous Regin malware: one of the Remsec victims had previously been infected by Regin. That poor machine!


The nature of the malware and the quality of its code lead researchers to believe that the Strider group is highly proficient at developing malicious software and is most likely a nation-state-level attacker.


If you would like to educate yourself in more detail about the information presented in this blog post please visit: www.zdnet.com

Ransomware seeks victims via TeamViewer

Anyone use TeamViewer? If so, sorry to say, you may be on a target list.

A new ransomware has been discovered that encrypts important files and appends the .surprise extension to them. Closer inspection showed that the installer runs an EDA2-based ransomware straight from memory, and that every victim also had TeamViewer installed. The victims’ TeamViewer logs showed how: someone had connected to each machine through TeamViewer and used the session to download the surprise installer onto the desktop and run it.

The two TeamViewer IDs used by the attackers were  479441239 and 479440875.

This ransomware is notable for having slipped past both antivirus signatures and behaviour-based detection. Rather than carrying the usual encryption routines in the file on disk, the installer contains an encrypted, base64-encoded blob; it decodes and decrypts that blob, loads the resulting executable directly into memory and runs it from there, so the ransomware proper never touches the disk.

The ransomware scans all fixed disks on the computer for files whose extension is on its target list, which is a hefty one. When it finds a match it encrypts the file with its AES key and appends the .surprise extension. It skips any file whose path contains the $ symbol or the strings c:/windows or c:/program.

Bleeping Computer found that the ransomware creates the following three files:

  • %Desktop%\DECRYPTION_HOWTO.Notepad ransom note.
  • %Desktop%\surprise.bat, which executes the vssadmin.exe Delete Shadows /All /Quiet to remove Shadow Volume Copies.
  • %Desktop%\Encrypted_Files.Notepad file that contains a list of encrypted files

Sadly, for those affected there is currently no way to recover the files without paying the ransom. What you can do is treat the details above as indicators: the .surprise extension, the three files on the desktop, the vssadmin command line and, above all, an unexpected incoming TeamViewer session from either of those IDs, which is the first thing to look for in TeamViewer’s connection log.
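To turn those indicators into something you can actually run during triage, here is an added example of my own (it is not code from the original post or from Bleeping Computer). It parses TeamViewer’s incoming-connection log for the two attacker IDs and classifies file paths by the .surprise extension and the three desktop artifacts. The tab-separated column layout assumed for Connections_incoming.txt (remote ID, remote display name, start, end, local account, connection type, GUID) and the log lines themselves are constructed for the example; check the real file’s columns on your TeamViewer version before relying on the parser.

```python
"""Triage helpers for a suspected Surprise-ransomware incident.

Added example, not code from the original post or from Bleeping Computer.
Assumed column layout for TeamViewer's Connections_incoming.txt (tab-separated):
remote ID, remote display name, session start, session end, local account,
connection type, connection GUID. The sample log lines are constructed.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# TeamViewer IDs the attackers used, as reported by Bleeping Computer.
ATTACKER_TEAMVIEWER_IDS = {"479441239", "479440875"}

# Constructed sample of Connections_incoming.txt: one legitimate helpdesk
# session, then two late-night sessions from the attacker IDs.
SAMPLE_TEAMVIEWER_LOG = (
    "123456789\tIT-Helpdesk\t01-03-2016 09:02:11\t01-03-2016 09:14:40\tjsmith\tRemoteControl\t{a1}\n"
    "479441239\tSupport\t02-03-2016 23:41:07\t02-03-2016 23:58:19\tjsmith\tRemoteControl\t{b2}\n"
    "479440875\tSupport\t03-03-2016 00:03:55\t03-03-2016 00:09:02\tjsmith\tFileTransfer\t{c3}\n"
)

# Files the ransomware drops on the desktop, per Bleeping Computer.
DESKTOP_ARTIFACTS = {
    "decryption_howto.notepad": "ransom note",
    "surprise.bat": "shadow-copy deletion script",
    "encrypted_files.notepad": "list of encrypted files",
}

# The surprise.bat payload: vssadmin deleting every shadow copy.
SHADOW_WIPE_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.I)


def parse_teamviewer_log(text: str) -> list[dict]:
    """Parse incoming-connection records; malformed lines are skipped."""
    sessions = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        sessions.append({
            "remote_id": fields[0].strip(),
            "remote_name": fields[1],
            "start": fields[2],
            "end": fields[3],
            "local_user": fields[4],
            "mode": fields[5],
        })
    return sessions


def find_attacker_sessions(text: str, attacker_ids=ATTACKER_TEAMVIEWER_IDS) -> list[dict]:
    """Sessions whose remote TeamViewer ID is on the attacker list."""
    return [s for s in parse_teamviewer_log(text) if s["remote_id"] in attacker_ids]


def classify_path(path: str) -> str | None:
    """Label a file path if it is one of the ransomware's artifacts."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name in DESKTOP_ARTIFACTS:
        return DESKTOP_ARTIFACTS[name]
    if p.suffix.lower() == ".surprise":
        return "encrypted file"
    return None


def triage_paths(paths) -> dict[str, list[str]]:
    """Group a list of paths (e.g. from a directory walk) by artifact type."""
    findings: dict[str, list[str]] = {}
    for path in paths:
        kind = classify_path(path)
        if kind:
            findings.setdefault(kind, []).append(path)
    return findings


def is_shadow_copy_wipe(command_line: str) -> bool:
    """True for the 'vssadmin Delete Shadows /All' line that surprise.bat runs."""
    return SHADOW_WIPE_RE.search(command_line) is not None


if __name__ == "__main__":
    for s in find_attacker_sessions(SAMPLE_TEAMVIEWER_LOG):
        print("attacker session:", s["remote_id"], s["start"], "->", s["end"], s["mode"])
    sample_paths = [  # constructed
        r"C:\Users\jsmith\Documents\budget.xlsx.surprise",
        r"C:\Users\jsmith\Desktop\DECRYPTION_HOWTO.Notepad",
        r"C:\Users\jsmith\Desktop\surprise.bat",
        r"C:\Users\jsmith\Desktop\notes.txt",
    ]
    for kind, hits in triage_paths(sample_paths).items():
        print(kind + ":", hits)
    print("shadow wipe:", is_shadow_copy_wipe("vssadmin.exe Delete Shadows /All /Quiet"))
```

Run it as-is to see the constructed sample flagged; on a real machine feed parse_teamviewer_log the contents of Connections_incoming.txt from TeamViewer’s program folder, feed triage_paths a walk of the user profile, and run is_shadow_copy_wipe over process-creation or command-line logs. A hit on the attacker IDs is conclusive; a legitimate-looking session at an odd hour with mode FileTransfer is the pattern to look at even when the IDs differ.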

If you would like to educate yourself in greater detail about the material presented in this blog post please visit:

http://www.bleepingcomputer.com/news/security/surprise-ransomware-installed-via-teamviewer-and-executes-from-memory/

Ransomware


Ransomware is the devilish and extremely debilitating class of program designed to lock and encrypt files in order to extort money from consumers, business owners and even government officials. It seems that no one is safe. Most ransomware targets the most popular operating system, Windows, but ransomware can and does target other platforms such as Android devices and Mac OS X, and possibly even smart TVs in the near future. That is an unsettling forecast for consumers, and a call to action to protect your most important data files before anything happens.

What can be done? Most users have learned the hard way that it is better to back up sensitive data to an external hard drive. However, ransomware is built with this in mind: when it gets onto a computer it encrypts files on every drive it can reach, including attached external drives and mapped network shares. The result is a very irritating discovery of locked data across the board, backups included.

Rather than rely on a permanently attached external drive, consumers should adopt a better practice: keep at least three copies of sensitive data, on two different types of media, with at least one copy stored off-site or offline (that is, disconnected), because a connected backup drive is just another drive for the ransomware to encrypt. That way, if ransomware locks your files you are not forced to choose between paying in the hope of getting the data back and losing it forever.

What to do when faced with ransomware? Not much can be done once the files are encrypted. Most security researchers advise against paying, as there is no guarantee that the criminals will hand over the decryption key once paid. Security vendors also worry about fuelling the fire: the more consumers give in and pay for the return of their data, the more encouragement ransomware criminals have to keep up the extortion.

If I haven’t said it enough already, I will say it again. Prevention is key. Know how ransomware reaches your computer: be especially careful with email attachments, Word documents containing macros, and malicious advertisements. Always keep the software on your computer up to date; it is especially important to keep the OS, browsers, and browser plugins such as Flash Player, Adobe Reader and Java updated as soon as updates are available. Unless you have verified the sender, never enable macros in documents. Finally, and most importantly, do your daily work from a limited user account rather than an administrative one. And always, always, run a working, up-to-date antivirus program.

If you would like to educate yourself in more detail about material presented in this blog post please visit:

http://www.pcworld.com/article/3041001/security/five-things-you-need-to-know-about-ransomware.html

Windows 7 Recovery (Spyware)

I recently encountered a spyware/virus infection on a Windows 7 PC that was quite interesting. It was entitled Windows 7 Recovery. At first the spyware makes you think that your hard drive has failed and that your system is riddled with errors. What it actually does to your desktop is the interesting part: it marks all programs, desktop items and startup items as hidden, which gives you the impression that something is wrong with your hard drive and needs fixing. The fake Windows 7 Recovery then informs you that it can fix the problems for you if you purchase the software. That should be your first sign that it is not legitimate. If you did not install it and it is asking you to buy it, stop immediately and contact your IT support. Also, do not worry about your files: they are still there, just hidden, and once the rogue is removed the hidden attribute can be cleared again (for example with attrib -h on the affected folders).

How to Fix:

I ran the Sysinternals tool Autoruns to find out exactly which program was starting automatically and causing the problem. On the Logon tab, under the Run registry keys, I found three suspicious entries with names made of randomly generated characters. I removed all three files as well as the registry values pointing to them.

I also found several other registry values the rogue had changed. Some of them lock the user out (no changing the desktop background, no Task Manager), others quietly weaken Internet Explorer’s download and certificate checks, and the Explorer “Hidden” and “ShowSuperHidden” values keep the files it hid out of sight. The LowRiskFileTypes value is obfuscated by flipping the low bit of every byte; decoded, it reads .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr; and tells Windows to skip the “Open File – Security Warning” for exactly those types. Remove the values below if found on your system (the two Explorer values should be set back to 1, which shows hidden files, rather than deleted):

NOTE: If you do not know anything about the registry consult a technology professional.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “<random>.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “<random>”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “CertificateRevocation” = ‘0’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnonBadCertRecving” = ‘0’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop “NoChangingWallPaper” = ‘1’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations “LowRiskFileTypes” = ‘/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments “SaveZoneInformation” = ‘1’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = ‘1’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = ‘1’
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “CheckExeSignatures” = ‘no’
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main “Use FormSuggest” = ‘yes’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced “Hidden” = ‘0’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced “ShowSuperHidden” = ‘0’
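Checking those values by hand is error-prone, so here is an added example of my own (not code from the original post) that audits an exported set of registry values against the list above, decodes the obfuscated LowRiskFileTypes string, and prints the reg.exe commands that undo each finding. The indicator table is taken from the keys listed in this post; the input format, a dict keyed by (key path, value name) with the data as a string such as you would build from reg query output or an Autoruns export, is my assumption, and SAMPLE_VALUES is constructed.

```python
"""Audit the 'Windows 7 Recovery' registry tampering listed above.

Added example, not code from the original post. The indicator table comes
from the keys the post lists; the input format (a dict keyed by
(key path, value name) with the data as a string, e.g. built from `reg query`
output or an Autoruns export) is an assumption, and SAMPLE_VALUES is constructed.
"""
from __future__ import annotations

HKCU_CV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
HKLM_CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
HKCU_IE = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"

# (key, value name, data the rogue sets, what that does, remediation)
# "delete" removes the value; "set 1" restores the Explorer setting to 1.
INDICATORS = [
    (HKCU_CV + r"\Internet Settings", "CertificateRevocation", "0",
     "turns off certificate revocation checking", "delete"),
    (HKCU_CV + r"\Internet Settings", "WarnonBadCertRecving", "0",
     "silences bad-certificate warnings", "delete"),
    (HKCU_CV + r"\Policies\ActiveDesktop", "NoChangingWallPaper", "1",
     "locks the desktop wallpaper", "delete"),
    (HKCU_CV + r"\Policies\Attachments", "SaveZoneInformation", "1",
     "stops mark-of-the-web being recorded on downloads", "delete"),
    (HKCU_CV + r"\Policies\System", "DisableTaskMgr", "1",
     "blocks Task Manager", "delete"),
    (HKLM_CV + r"\Policies\System", "DisableTaskMgr", "1",
     "blocks Task Manager for all users", "delete"),
    (HKCU_IE + r"\Download", "CheckExeSignatures", "no",
     "skips signature checks on downloaded executables", "delete"),
    (HKCU_CV + r"\Explorer\Advanced", "Hidden", "0",
     "keeps the files the rogue marked hidden out of sight", "set 1"),
    (HKCU_CV + r"\Explorer\Advanced", "ShowSuperHidden", "0",
     "hides protected operating system files", "set 1"),
]
LOW_RISK_KEY = (HKCU_CV + r"\Policies\Associations", "LowRiskFileTypes")


def decode_low_risk_file_types(obfuscated: str) -> str:
    """The rogue writes LowRiskFileTypes with the low bit of every byte
    flipped (XOR 0x01): '.' -> '/', ';' -> ':', 'z' -> '{'. Undo it."""
    return "".join(chr(ord(c) ^ 0x01) for c in obfuscated)


def audit(values: dict[tuple[str, str], str]) -> list[dict]:
    """Return one finding per indicator whose data matches the rogue's value."""
    findings = []
    for key, name, bad, effect, fix in INDICATORS:
        data = values.get((key, name))
        if data is not None and str(data).strip().lower() == bad:
            findings.append({"key": key, "name": name, "data": data,
                             "effect": effect, "fix": fix})
    low_risk = values.get(LOW_RISK_KEY)
    # A genuine list contains '.'; the rogue's XORed list has '/' instead.
    if low_risk and "." not in low_risk and "/" in low_risk:
        findings.append({"key": LOW_RISK_KEY[0], "name": LOW_RISK_KEY[1],
                         "data": low_risk, "fix": "delete",
                         "effect": "suppresses the open-file security warning for: "
                                   + decode_low_risk_file_types(low_risk)})
    return findings


def remediation_commands(findings: list[dict]) -> list[str]:
    """reg.exe command lines that undo each finding (run from an admin prompt)."""
    commands = []
    for f in findings:
        key, name = f["key"], f["name"]
        if f["fix"] == "delete":
            commands.append(f'reg delete "{key}" /v "{name}" /f')
        else:
            commands.append(f'reg add "{key}" /v "{name}" /t REG_DWORD /d 1 /f')
    return commands


# Constructed sample: two tampered values, one untouched, plus the encoded list.
SAMPLE_VALUES = {
    (HKCU_CV + r"\Policies\System", "DisableTaskMgr"): "1",
    (HKCU_CV + r"\Explorer\Advanced", "Hidden"): "0",
    (HKCU_CV + r"\Internet Settings", "CertificateRevocation"): "1",
    LOW_RISK_KEY: "/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:"
                  "/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:",
}

if __name__ == "__main__":
    results = audit(SAMPLE_VALUES)
    for finding in results:
        print(finding["name"] + ": " + finding["effect"])
    print("\n".join(remediation_commands(results)))
```

The script only reads the dict you give it and prints commands; review them before running anything, and remember that the Run entries with random names still have to be identified by hand (Autoruns, as above) since there is no fixed value name to match on.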

Additional error messages that you may see:

“Hard Drive Failure The system has detected a problem with one or more installed IDE / SATA hard disks. It is recommended that you restart the system”

“System Error An error occurred while reading system files. Run a system diagnostic utility to check your hard disk drive for errors”

“Critical Error Hard drive critical error. Run a system diagnostic utility to check your hard disk drive for errors. Windows can’t find hard disk space. Hard drive error”

“Fix Disk Windows 7 Recovery Diagnostics will scan the system to identify performance problems. Start or Cancel”

“Windows 7 Recovery Diagnostics Windows detected a hard disk error. A problem with the hard drive sectors has been detected. It is recommended to download the following certified <sic> software to fix the detected hard drive problems. Do you want to download recommended software?”

“Requested registry access is not allowed. Registry defragmentation required Read time of hard drive clusters less than 500 ms 32% of HDD space is unreadable Bad sectors on hard drive or damaged file allocation table GPU RAM temperature is critically high. Urgent RAM memory optimization is required to prevent system crash Drive C initializing error Ram Temperature is 83 C. Optimization is required for normal operation. Hard drive doesn’t respond to system commands Data Safety Problem. System integrity is at risk. Registry Error – Critical Error”

“Critical Error! Damaged hard drive clusters detected. Private data is at risk”

“Critical Error Hard Drive not found. Missing hard drive”

“Critical Error RAM memory usage is critically high. RAM memory failure”

“Critical Error Windows can’t find hard disk space. Hard drive error”

“Critical Error! Windows was unable to save all the data for the file System32496A8300. The data has been lost. This error may be caused by a failure of your computer hardware”

“Critical Error A critical error has occurred while indexing data stored on hard drive. System restart required”

“System Restore The system has been restored after a critical error. Data integrity and hard drive integrity verification required”

“Activation Reminder Windows 7 Recovery Activation Advanced module activation required to fix detected errors and performance issues. Please purchase Advanced Module license to activate this software and enable all features”

“Low Disk Space You are running very low disk space on Local Disk (C:)”

“Windows – No Disk Exception Processing Message 0x0000013”

Malware Terminology

The Information Technology world has a definite jargon of its own, which can be confusing to both the end users and (sometimes) to the IT people themselves. One of our biggest problems these days is Malware (mal meaning “bad”) infections on our users’ computers. In the interests of making the problem a little clearer, here is a basic (if not necessarily complete) dictionary of terms, in plain English.

Adware: Advertising-supported software. This is software that automatically plays, downloads or displays advertisements to a computer. A classic example would be a “helper toolbar” that causes advertising pop-ups on your screen.

Backdoor: A hidden way into a computer that bypasses the normal logon, for example an extra account or password planted by spyware, so that an outside user can come back at will to plant more malware and/or harvest whatever data is available.

Bot: A piece of software that lets an outside operator control your computer remotely at will. An infected computer is called a zombie, and “armies” of them (botnets) are used to launch simultaneous attacks on other systems or to send out spam email.

Browser Hijacker: Code that replaces search pages, home pages or error pages with its own, allowing further browsing to be redirected to wherever it wants you to go (as opposed to where you wanted to go).

Rootkit: Code that hides the presence of malware (its files, processes and network connections) by tampering with the operating system or the tools that report on it, so that anti-virus scanners, and even the administrator, do not see it. The name comes from Unix “root” (administrator) access, which a rootkit generally needs in order to install itself; its job is concealment and persistence rather than the initial break-in.

Spyware: Differs from viruses in that it is not out to wreck your system but to profit from it, by controlling functions or accessing data for financial gain. Spyware might include keystroke loggers, backdoors or browser hijackers, among other things.

Trojan: A disguise for malicious software: a program or file brought onto your computer as something apparently safe, which drops one or more harmful programs once it is run. For example, a file that looks like an image may really be an executable, or may exploit a bug in the image viewer, so that backdoors, bots or viruses are installed when it is opened; until then it is inert.

Virus: A self-replicating program that attaches itself to other programs or files and spreads when they are run or shared. Historically most were pure vandalism with no gain for the perpetrators; today’s viruses usually carry a payload with a purpose.

Worm: A program that spreads from computer to computer on its own, scanning IP addresses for vulnerable services and exploiting holes in their security to get inside, where it can drop its payload (viruses, spyware or bots). Unlike a trojan it needs no disguise and no user to open it, and unlike a virus it needs no host program.

Mac Users Beware Of Malware

Do you think your Mac is immune to malware infections? If you said Yes, you would be wrong. Although there may not be as much malware for a Mac as there is for Windows, you should still not be caught sleeping.

According to the security firm Sophos, from November 2nd to November 16th 2010 its Sophos Anti-Virus for Mac Home Edition collected some 50,000 malware reports (based on approximately 150,000 users).

Note that some of the malware reported will simply not run on a Mac, but some of it will. The DNS Changer trojan and OSX/Jahlav are examples of infections you want removed from your system right away. Some people may take this lightly because they have the idea stuck in their head that their Mac cannot be infected… but guess what, it can.

My recommendation to anyone that owns a computer or mobile device is to protect yourself. Any device connected to the internet whether it be 3G, Wi-Fi, or on your LAN can be infected.  Hopefully you do the right thing and I don’t have to say I told you so.

Try Google Pack!

As I was browsing around on Google the other day, I noticed a neat little tool they have called Google Pack, which essentially downloads and installs some of the most basic applications that you may typically need on your PC. See below for the list of apps.

Now generally I would use most of these applications on my own PC, but there are some I do not typically use. For instance, I do my best to stay away from using any types of toolbars as they cause problems more often than not. What you could do in this case for Firefox is install it and then disable the toolbar.

Google Pack is a customizable download complete with a web browser, office applications (Google Apps), antivirus (avast), Photo editor (Picasa), Skype, Google Earth, Adobe Reader, Google Talk, and RealPlayer. All of these software applications are optional.

I would personally use this just for the convenience of installing these apps from one location to save time. (Google Pack has since been discontinued.)

Microsoft’s OneCare Online Scanner

This scanner performs many steps in one run. I had a workstation the other day that was infected with spyware. I ran this tool, which scanned ports, spyware, viruses, registry issues and so on. It took just over an hour to run and fixed many issues. After a reboot the machine performed better and I was able to dig deeper into cleaning and repairing it. It is a full, all-in-one scan that can be handy in this situation: http://onecare.live.com/site/en-us/default.htm (the OneCare service has since been discontinued; Microsoft Safety Scanner is its successor).