Tag : trojans

Do you understand the importance of cyber security?

It is important that you, as a user, understand why you should care about the security of your device. You may have heard about the sheer volume of malware in circulation, or about ransomware extorting millions from large corporations, but such headlines are easy to dismiss: "What would anyone want with my computer?" is the usual reaction. It pays to be aware, and better still to be proactive. Malware (ransomware is one type of it) is written by criminals who know exactly how to steal your information: passwords, bank account numbers, log-ins, sensitive data and, of course, your money. The usual pattern is malware downloaded without the user noticing, which then sits idle until the operator on the other end decides to start rummaging through your life. Like the monster under your bed, but worse.

Malware is worth worrying about because it is used to steal your data and, these days, your money. If you do fall victim to cyber theft, there is usually little that can be done to help you. Most cyber criminals operate from countries outside U.S. legal jurisdiction, and even when they do not, you are unlikely to get your money back. That is simply how it works.

Don’t be a victim.

Ask anyone in the field and they will tell you the two quickest ways to get hacked are running unpatched versions of commonly targeted programs (leaving your doors unlocked and asking to be robbed) and being tricked into installing a Trojan (the robber rings the doorbell and you invite him to stay for dinner before he cleans you out). Neither is good.

“Sure, there are hundreds of other methods: SQL injection attacks, password guessing, and so on. But nearly everything besides unpatched software and downloaded Trojans is statistical noise. In fact, if you fix the main two issues, you almost don’t need to do anything else.” – Roger A. Grimes, computer security columnist for InfoWorld

Malware can be broken down into viruses, worms, Trojans and hybrids. A virus spreads by infecting other host files and runs whenever an infected file is run. A worm is self-replicating: once started, it spreads with no further help from anyone. A Trojan does not spread itself at all; it needs the victim to run it, so the attacker has to deliver each copy to each victim separately, usually via email. The upside is that, unless the payload is ransomware that locks the device, a Trojan can usually be removed once it has been identified.

You would be surprised how many users still hand their logins to attackers every day. Typically the user receives a phishing email that claims to come from a legitimate website and asks for credentials, often with a small call to action such as a threat to terminate the service. Trust the website, not the email: do not follow the link, go directly to the site and confirm there.

Signature-based anti-malware simply cannot keep up with the thousands of new malicious programs that appear every month. Some of the responsibility therefore falls on the user, or on a good IT management team. A single antivirus product only goes so far, so it is worth periodically running on-demand scans with several free anti-malware scanners (one at a time; two real-time scanners installed together will conflict with each other). Between them they will often identify what a single product missed.


If you would like to read about the topics in this post in more detail, visit www.infoworld.com

Removing Fake Microsoft Security Essentials

In today’s world of spyware, viruses and malicious attacks, very few fakes have made me think they could actually be real. Typically you get the pop-up saying you have 95 viruses and need to pay to clean your system, which is an immediate red flag. Most of the time the scareware looks obviously fake: no company name, or a generic one such as “Windows Security 2010” or “Antivirus 2010.” I thought this was always the case until just recently.

The call came in like any other: the user reported that Microsoft Security Essentials had detected an infection that needed to be cleaned. I told her to click the clean option in Security Essentials and let it clean the file. When she did, it reported that the file could not be cleaned, and the Apply Now button at the bottom changed to a “Scan Online” option. It took me a second, but I realized I had never seen that option in Security Essentials before.

Clicking the Scan Online button lists a total of 35 antivirus programs, 30 of which are real and 5 of which are rogue. The 5 rogue ones are:

  • Red Cross Antivirus
  • Peak Protection 2010
  • Pest Detector 4.1
  • Major Defense Kit
  • AntiSpySafeguard or AntiSpy Safeguard

When these are allowed onto the system they perform a fake virus scan and report that you are infected. Each one behaves the same way, with a slightly different interface. They also block certain applications from running (Internet Explorer, Malwarebytes, etc.). Below are the steps I took to resolve the issue.

Removing fake Microsoft Security Essentials.

Because I was offsite I had to remote into this computer from another PC on the network, but if you are in front of it the same approach applies. The first thing I checked was Add/Remove Programs: Microsoft Security Essentials was not even installed!

I downloaded Process Explorer (procexp.exe) from live.sysinternals.com on a separate machine and put it on a network share (a USB drive works if you are in front of the PC). You can also try Ctrl+Alt+Del to bring up Task Manager; it did not work for me. I opened the network share from the infected PC, copied procexp.exe onto it and ran it. NOTE: it is not good practice to open network shares from a machine infected with spyware or viruses, since some malware spreads that way, but I had no other choice.

In Process Explorer I found fix.exe running on the system and killed the process. I noted the path that Process Explorer shows for it:

Documents and Settings\(username)\Application Data\fix.exe

I then went to Windows Explorer > Tools > Folder Options > View and made sure “Show hidden files and folders” was selected. I browsed to the folder listed above and deleted fix.exe. While there I also noticed another interesting file with a randomly generated name:

Documents and Settings\(username)\Application Data\jsdfgs.bat

I opened this file in Notepad and saw the code in the picture below. It looked very suspicious, so I removed it as well.

Note: this may or may not be related to the fake Security Essentials.

At that point I thought the issue was resolved: IE opened fine, but when I tried to run Malwarebytes to scan the system it still would not start, which told me there was a bigger problem. Windows Update failed as well. I looked at the network connection settings and found that static DNS server addresses had been entered into the TCP/IP settings. Looking up where those addresses were registered, they appeared to be in Ukraine. I removed them from the connection settings and Microsoft Update worked fine again.

I then installed the real Microsoft Security Essentials and ran a full scan, which found and removed a rootkit:

Win32/Alureon.H

Once it was removed, Malwarebytes and all the other antivirus/anti-spyware scans worked properly. (Alureon is known to modify DNS settings on the infected host, which is consistent with the hijacked DNS servers found earlier.)

For good measure I downloaded Piriform’s CCleaner from www.ccleaner.com and ran the cleaner to remove all temporary files. I also ran its Registry tool to fix broken entries in the registry (this is housekeeping rather than a security measure; the registry cleanup does nothing against malware).

After completing all of the above, the computer ran well and had no further issues.

NOTE: some of the symptoms in this post, such as the randomly named file, the DNS servers pointing to Ukraine and the rootkit, may not be present on your computer. They were found on mine during the cleanup and may have been there previously, which is why it is always a good idea to do a full scan with a legitimate antivirus/anti-spyware program. Bear in mind that once a rootkit such as Alureon has been found, the only fully trustworthy fix is to back up the data and reinstall Windows; cleaning in place is a judgement call. It is also recommended that you consult a trained professional, or be fairly tech savvy, before trying this yourself.
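The two checks that cracked this case, scripted so they can be run over output captured from a suspect machine and inspected on a clean one. This is an added example, not part of the original write-up: it takes the text of `wmic process get ExecutablePath,ProcessId` and `ipconfig /all`, flags executables running from a user profile data or temp directory (where fix.exe lived) and DNS servers outside an expected allowlist. The sample outputs, the `jdoe` profile, the `192.168.1.0/24` allowlist and the 203.0.113.x TEST-NET addresses standing in for the hijacked DNS servers are all constructed for illustration; the only layout assumption is that each wmic row ends with the PID.

```python
"""Triage helper, added as an example (not part of the original write-up).

Checks, over captured command output:
  1. processes whose executable lives in a profile data or temp directory
     (fix.exe ran from "Application Data"), and
  2. statically configured DNS servers outside an expected allowlist.
The samples below are constructed; 203.0.113.x are TEST-NET addresses
standing in for the hijacked DNS servers, not real indicators.
"""
import ipaddress
import re

# Directories legitimate software rarely executes from on a workstation.
SUSPICIOUS_DIR_PATTERNS = [
    re.compile(r"\\Application Data\\", re.IGNORECASE),          # XP profile data
    re.compile(r"\\Local Settings\\Temp\\", re.IGNORECASE),      # XP user temp
    re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE),  # Vista and later
    re.compile(r"\\Temp\\", re.IGNORECASE),
]


def suspicious_processes(wmic_output):
    """Return (pid, path) for processes running from a profile/temp directory.

    Assumes a header line, then one row per process ending with the PID;
    paths may contain spaces, hence splitting on the last one only.
    """
    findings = []
    for line in wmic_output.splitlines()[1:]:
        path, _, pid = line.rstrip().rpartition(" ")
        path = path.strip()
        if not path or not pid.isdigit():
            continue  # blank row, or a system process with no ExecutablePath
        if any(p.search(path) for p in SUSPICIOUS_DIR_PATTERNS):
            findings.append((int(pid), path))
    return findings


def configured_dns_servers(ipconfig_output):
    """Extract the DNS server list from `ipconfig /all` output.

    The first server follows the "DNS Servers" label; further servers sit on
    continuation lines that hold only an address.
    """
    servers, in_block = [], False
    for line in ipconfig_output.splitlines():
        first = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if first:
            servers.append(first.group(1))
            in_block = True
            continue
        cont = re.match(r"\s+([0-9A-Fa-f.:%]+)\s*$", line) if in_block else None
        if cont:
            servers.append(cont.group(1))
        else:
            in_block = False
    return servers


def unexpected_dns_servers(ipconfig_output, allowed_networks):
    """Return configured DNS servers outside the allowed networks.

    Anything that does not parse as an IP address is reported too.
    """
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    unexpected = []
    for server in configured_dns_servers(ipconfig_output):
        try:
            addr = ipaddress.ip_address(server.split("%")[0])  # drop IPv6 zone id
        except ValueError:
            unexpected.append(server)
            continue
        if not any(addr in net for net in allowed):
            unexpected.append(server)
    return unexpected


def triage(wmic_output, ipconfig_output, allowed_networks):
    """Run both checks and return the findings."""
    return {
        "processes": suspicious_processes(wmic_output),
        "dns": unexpected_dns_servers(ipconfig_output, allowed_networks),
    }


# Constructed sample output (not from a real machine).
SAMPLE_WMIC = r"""ExecutablePath                                           ProcessId
C:\WINDOWS\explorer.exe                                  1532
C:\Program Files\Internet Explorer\iexplore.exe          2044
C:\Documents and Settings\jdoe\Application Data\fix.exe  3120
                                                         4
"""

SAMPLE_IPCONFIG = r"""Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example
        IP Address. . . . . . . . . . . . : 192.168.1.50
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.10
                                            203.0.113.11
        NetBIOS over Tcpip. . . . . . . . : Enabled
"""

EXPECTED_DNS = ["192.168.1.0/24"]  # the internal resolver lives on the LAN

if __name__ == "__main__":
    result = triage(SAMPLE_WMIC, SAMPLE_IPCONFIG, EXPECTED_DNS)
    for pid, path in result["processes"]:
        print(f"suspicious process {pid}: {path}")
    for server in result["dns"]:
        print(f"unexpected DNS server: {server}")
```

On the constructed sample this reports fix.exe (PID 3120) and both 203.0.113.x resolvers; a real run should capture the two command outputs to a file on removable media and analyse them elsewhere, for the same reason the write-up warns against opening network shares from the infected box.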


The tools I used are listed below:

  • Process Explorer (procexp.exe): www.live.sysinternals.com (the full Sysinternals suite is available there for FREE!)
  • Malwarebytes: http://www.malwarebytes.org/
  • CCleaner: www.ccleaner.com