Search the Community

Showing results for tags 'trojan'.
Found 26 results

  1. PyXie RAT capabilities include keylogging, stealing login credentials and recording videos, warn researchers at BlackBerry Cylance, who also say the trojan can be used to distribute other attacks, including ransomware.

     A newly discovered hacking campaign by a 'sophisticated cyber criminal operation' is targeting healthcare and education organisations with custom-built, Python-based trojan malware which gives attackers almost complete control of Windows systems, with the ability to monitor actions and steal sensitive data. Malicious functions of the remote access trojan, dubbed PyXie RAT, include keylogging, credential harvesting, recording video, cookie theft, the ability to perform man-in-the-middle attacks and the capability to deploy other forms of malware onto infected systems. All of this is achieved while clearing evidence of suspicious activity in an effort to ensure the malware isn't discovered.

     However, traces of the attacks have been found and detailed by cyber security researchers at BlackBerry Cylance, who named the malware PyXie because of the way its compiled code uses a '.pyx' file extension instead of the '.pyc' typically associated with Python. PyXie RAT has been active since at least 2018 and is highly customised, indicating that a lot of time and resources have gone into building it. "The custom tooling and the fact it has remained under the radar this long definitely shows a level of obfuscation and stealth in line with a sophisticated cyber criminal operation," Josh Lemos, VP of research and intelligence at BlackBerry Cylance, told ZDNet.

     The malware is typically delivered to victims by a sideloading technique which leverages legitimate applications to help compromise victims. One of these applications uncovered by researchers was a trojanized version of an open source game which, if downloaded, secretly installs the malicious payload, using PowerShell to escalate privileges and gain persistence on the machine.

     A third stage of the multi-level download sees PyXie RAT leverage something known in the code as 'Cobalt Mode', which connects to a command and control server as well as downloading the final payload. This stage of the download takes advantage of Cobalt Strike, a legitimate penetration testing tool, to help install the malware. It's a tactic which is often deployed by cyber criminal gangs and something which aids in making attacks more difficult to attribute. This particular downloader also has similarities with another used to download the Shifu banking trojan; however, it could simply be a case of criminals taking open source, or stolen, code and re-purposing it for their own ends.

     "An advantage of utilizing a widely used tool such as Cobalt Strike is it makes attribution difficult since it is used by many different threat actors as well as legitimate pentesters. With the Shifu banking trojan similarities, it is unclear if it is the same actors or if someone else reused some of its code," said Lemos.

     Once successfully installed on the target system, the attackers can move around the system and implement commands as they please. In addition to being used to steal usernames, passwords and any other information entered into the system, researchers note that there are cases of PyXie being used to deliver ransomware to compromised networks. "This is a full-featured RAT that can be leveraged for a wide range of goals and the actors will have different motives depending on the target environment. The fact it has been used in conjunction with ransomware in a few environments indicates that the actors may be financially motivated, at least in those instances," said Lemos.

     The full extent of the PyXie RAT campaign still isn't certain, but researchers have identified attacks against over 30 organisations, predominantly in the healthcare and education industries, with hundreds of machines believed to have been infected. Aside from likely being a well-resourced cyber criminal group, it's currently unknown who exactly is behind PyXie RAT, but the campaign is still thought to be active. However, despite the sophisticated nature of the malware, researchers state that it can be protected against by standard cyber hygiene and enterprise security best practices, including operating system and application patching, endpoint protection technology, auditing, logging and monitoring of endpoint and network activity, and auditing of credential use.

     Source
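The post above says PyXie's compiled Python modules carry a '.pyx' extension instead of '.pyc'. A practical triage check is therefore to identify Python bytecode by its content rather than its file name. The script below is an added example written for this page, not code from the BlackBerry Cylance report; it assumes the renamed modules keep the standard CPython bytecode header (the post only says the extension differs), and the directory tree, file names and file contents it scans are constructed for the demo.

```python
"""Triage scan for Python bytecode hiding under a non-.pyc extension.

Added example for the PyXie post; not code from the BlackBerry Cylance
report. Assumption: the renamed '.pyx' modules keep the standard CPython
bytecode header. The sample tree built by build_demo_tree() is constructed.
"""
import importlib.util
import marshal
import os
import struct
import tempfile
import types

# Layout of a CPython 3.7+ .pyc: 4-byte magic, 4-byte flags, 8 bytes of
# source mtime+size (or source hash), then the marshalled code object.
PYC_HEADER_LEN = 16


def is_python_bytecode_header(head: bytes) -> bool:
    """Cheap check: every CPython magic number ends in b'\\r\\n' (bytes 2-3).

    This is interpreter-version independent, so it also catches bytecode
    compiled by a different Python than the one running the scan.
    """
    return len(head) >= 4 and head[2:4] == b"\r\n" and head[:2] != b"\x00\x00"


def confirm_code_object(data: bytes) -> bool:
    """Stronger check: the body after the header unmarshals to a code object.

    Only succeeds when the file was produced by the same CPython version as
    this scanner, so a False here does not clear a file that passed the
    header check; it just means manual inspection is needed.
    """
    try:
        return isinstance(marshal.loads(data[PYC_HEADER_LEN:]), types.CodeType)
    except Exception:
        return False


def find_suspicious_bytecode(root: str, expected_ext: str = ".pyc"):
    """Walk root and return [(path, confirmed)] for files that have a
    .pyc-style header but do not use expected_ext (e.g. PyXie-style '.pyx')."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(expected_ext):
                continue  # ordinary bytecode in its normal place is not the signal
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if is_python_bytecode_header(data[:4]):
                hits.append((path, confirm_code_object(data)))
    return sorted(hits)


def make_pyc_bytes(source: str) -> bytes:
    """Compile source into the byte layout a .pyc file written by this interpreter has."""
    code = compile(source, "<constructed>", "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, 0)
    return header + marshal.dumps(code)


def build_demo_tree() -> str:
    """Constructed sample: a normal .pyc, a bytecode file renamed to '.pyx', a text decoy."""
    root = tempfile.mkdtemp(prefix="pyx_scan_")
    os.makedirs(os.path.join(root, "app", "__pycache__"))
    payload = make_pyc_bytes("x = 1\n")  # harmless constructed module
    files = {
        os.path.join(root, "app", "__pycache__", "util.cpython.pyc"): payload,  # expected location
        os.path.join(root, "app", "loader.pyx"): payload,                      # constructed suspicious name
        os.path.join(root, "app", "README.txt"): b"plain text, nothing to see\n",
    }
    for path, content in files.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, confirmed in find_suspicious_bytecode(build_demo_tree()):
        print(f"{'bytecode' if confirmed else 'header-only'}: {path}")
```

Checking the header instead of the name also avoids false alarms on genuine Cython sources, which use the same '.pyx' extension but are plain text. The header test alone is only a heuristic (any file whose third and fourth bytes are CR LF matches), so treat a hit that fails the unmarshal step as something to inspect, not as a verdict.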
  2. Apple has confirmed that 17 malware iPhone apps were removed from the App Store after successfully hiding from the company’s app review process. The apps were all from a single developer but covered a wide range of areas, including a restaurant finder, internet radio, BMI calculator, video compressor, and GPS speedometer …

     The apps were discovered by mobile security company Wandera, which said that the apps did what they claimed while secretly committing fraud in the background. Although no direct harm was done to app users, the activity would be using up mobile data, as well as potentially slowing the phone and accelerating battery drain.

     Wandera said the malware iPhone apps evaded Apple’s review process because the malicious code was not found within the app itself; the apps were instead getting instructions on what to do from a remote server. Apple says it is improving its app review process to detect this approach. The same server was also controlling Android apps. In at least one of those cases, weaker security in Android meant that the app was able to do more direct harm. The apps were all from AppAspect Technologies.

     iOS aims to guard against this by sandboxing. Each app gets its own private environment, so it cannot access system data or data from other apps unless using processes specifically permitted and monitored by iOS. However, Wandera cautions that there have been examples of the sandbox failing, giving three examples of this. Wandera is the same company that warned how a Siri feature could be used for phishing non-technically knowledgeable iPhone users. Apple confirmed the removal of the 17 apps to ZDNet.

     Source:
     1. 17 malware iPhone apps removed from App Store after evading Apple’s review (via 9to5Mac) - Main article
     2. Trojan malware infecting 17 apps on the App Store (via Wandera) - Main reference to the article

     p/s: The list of 17 apps that are mentioned in the article are as follows:
  3. Xtreme RAT: A deep insight into the remote access trojan’s high profile attacks

     Its capabilities include uploading or downloading files, manipulating running processes and services, capturing screenshots of victims’ computers, recording audio and video via microphones or webcams, and interacting with the registry. Its victims include financial organizations, telecom companies, gaming companies, the IT sector, the energy and utility sector, and more.

     Xtreme RAT, which was developed by ‘xtremecoder’, is written in Delphi. The remote access trojan has been active since 2010, and its source code has been leaked online. Xtreme RAT has infected several financial organizations, telecom companies, gaming companies, the IT sector, the energy and utility sector, and more.

     Xtreme RAT attacks against Israel

     In 2012, attackers used Xtreme RAT to target the Israeli and Palestinian governments. In 2015, attackers gained unauthorized access to Israeli defense systems and compromised them using Xtreme RAT.

     Molerats attacks

     In 2014, Xtreme RAT was used to target US financial institutions and European government organizations. The targets of the spear-phishing campaign included Palestinian and Israeli surveillance organizations; government departments in Israel, Turkey, Slovenia, Macedonia, New Zealand, Latvia, the US and the UK; the Office of the Quartet Representative; the British Broadcasting Corporation (BBC); a major US financial institution; and multiple European government organizations.

     W32.Extrat campaigns

     In 2015, Colombian financial employees were targeted with multiple phishing email campaigns delivering Xtreme RAT. The four attack teams Caramel, Cuent, Maga and Molotos targeted Colombian financial employees with phishing emails disguised as payment and tax-related emails that included the W32.Extrat attachments.

     Malspam campaign

     In 2017, researchers observed a malspam campaign delivering Xtreme RAT. The malspam campaign targeted Spanish-speaking users. The phishing emails sent to the targets lured them into executing a malicious macro.

     In a recent report, researchers analyzed Xtreme RAT and stated that the victim organizations include a European video game company, Middle Eastern, South Asian and East Asian telecommunications companies, an East Asian industrial conglomerate, and an East Asian IT company.

     Source
  4. This Trojan infects Chrome browser extensions, spoofs searches to steal cryptocurrency

     The malware also takes over browser update and integrity checks.

     The Razy Trojan is targeting legitimate browser extensions and is spoofing search results in the quest to raid cryptocurrency wallets and steal virtual coins from victims. According to new research published by Kaspersky Lab, the malware, known as Razy, is a Trojan which uses some of the more unusual techniques on record when infecting systems. Detected by the cybersecurity firm as Trojan.Win32.Razy.gen, Razy is an executable file which spreads through malvertising on websites and is also packaged up and distributed on file hosting services while masquerading as legitimate software.

     The main thrust of the malware is its capability to steal cryptocurrency. Razy focuses on compromising browsers, including Google Chrome, Mozilla Firefox, and Yandex. Different infection vectors are in place depending on the type of browser found on an infected system. Razy is able to install malicious browser extensions, which is nothing new. However, the Trojan is also able to infect already-installed, legitimate extensions, by disabling integrity checks for extensions and automatic updates for browsers.

     In the case of Google Chrome, Razy edits the chrome.dll file to disable extension integrity checks and then renames this file to break the standard pathway. Registry keys are then created to disable browser updates. "We have encountered cases where different Chrome extensions were infected," the researchers say. "One extension, in particular, is worth mentioning: Chrome Media Router is a component of the service with the same name in browsers based on Chromium. It is present on all devices where the Chrome browser is installed, although it is not shown in the list of installed extensions."

     In order to compromise Firefox, a malicious extension called "Firefox Protection" is installed. When it comes to Yandex, the Trojan will also disable integrity checks, rename the browser.dll file, and create registry keys to prevent browser updates. A malicious extension called Yandex Protect is then downloaded and installed.

     Most of the malware's functions are served through a single .js script which permits the malware to search for cryptocurrency wallet addresses, replace these addresses with others controlled by threat actors, spoof both images and QR codes which point to wallets, as well as modify the web pages of cryptocurrency exchanges. Razy is also able to spoof Google and Yandex search results on infected browsers, which could result in victims unwittingly visiting malicious web pages. The Trojan will often tamper with results relating to cryptocurrency in an attempt to entice users to hand over their credentials -- for example, by promoting new services or bargain coin sales which require the user to log in if they wish to participate.

     In all three browser cases, a number of additional scripts are downloaded. Two of the scripts, firebase-app.js and firebase-messaging.js, are legitimate statistics collectors, while two others, bgs.js and extab.js, are malicious, obfuscated scripts which modify web pages and allow malicious ads to be inserted. At the time of writing, a total of six wallets linked to this campaign hold 0.14 BTC, alongside three wallets which contain roughly 25 ETH.

     Source
  5. A new trend among adware and unwanted program purveyors is to install protection software that makes it more difficult for Windows users to run their security programs and clean infections. This was seen with the SmartService rootkit that blocked AV software from running, and now with a protection program being called CertLock.

     Since the end of May, security forum helpers have noticed reports that people are not able to install and run security programs on their infected computers. When they try to run the programs, they are greeted with an alert that states that the publisher has been blocked from running on the computer. It turns out that this is being caused by CertLock disallowing a security vendor's certificate on the affected computer so that Windows does not allow the program to run.

     CertLock disallows security vendor certificates

     Being commonly detected as Ceram or Wdfload by anti-virus vendors, CertLock is distributed by unwanted program bundles, such as miners. Once installed, CertLock will block a security vendor's certificate by adding it to a special Windows registry key. This causes Windows to not execute any programs that are signed with that certificate.

     CertLock blocks a certificate by creating a subkey, named using the thumbprint of the certificate it wants to block, under the following key:

     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\

     As an example, one of ESET's certificates has a thumbprint of F83099622B4A9F72CB5081F742164AD1B8D048C9. To block this certificate, CertLock will create a registry key called:

     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F83099622B4A9F72CB5081F742164AD1B8D048C9

     Under this key will be a single BLOB value that contains the certificate information. You can see an example of the registry key used to block the ESET certificate below.

     If a certificate is added to the Disallowed list, when a user tries to run a program that is signed by this certificate they will be greeted with an error that states "The publisher has been blocked from running software on your machine". You can see an example of the ESET installer being blocked using this method below.

     [Image: Blocked ESET installer]

     While blocking a certificate prevents signed installers from running, it also prevents already installed programs that use the blocked cert from executing. For example, when Malwarebytes' code-signing certificates are blocked, users are greeted with errors when they try to run the program. These errors state:

     Unable to start
     Unable to connect the Service.

     or

     Error
     Runtime Error (at 49:120): Could not call proc.

     You can see examples of these errors below:

     [Image: Unable to connect the Service error]
     [Image: Malwarebytes 49:120 error]

     This trojan really does not like Avast

     While CertLock already disallows the use of the AVAST certificate, it also goes a step further to make sure Avast is unable to run. It does this by pointing many avast.com hostnames to 127.0.0.1 using the Windows HOSTS file so that the computer cannot connect to them. CertLock generates the list of Avast hosts to block by downloading the files.avast.com/iavs9x/servers.def file. This file contains a list of hostnames associated with Avast security programs. It then parses this file and adds them to the Windows HOSTS file as shown below.

     [Image: Modified HOSTS file]

     By adding the hostnames to the HOSTS file and pointing them to 127.0.0.1, it effectively blocks the computer from reaching these servers.

     How to remove certificates disallowed by CertLock

     ToolsLib.com co-administrator and Malwarebytes AdwCleaner developer Jérôme.B has created a tool called AVCertClean that will scan the Disallowed registry key for legitimate certificates that have been blocked and remove them. To use the tool, simply download and execute it. The program will then automatically remove the blocked certificates.

     [Image: AVCertClean]

     When the program has finished, it will display a log that lists the certificates that were cleaned by AVCertClean.

     [Image: AVCertClean log]

     Now that the certificates are no longer being blocked, users can install and run their security programs in order to clean their computer. In some situations, users may need to restart the application in order to get it to run. For example, for Malwarebytes to run after cleaning the certs, users should go into the Windows Service Manager (services.msc) and restart the Malwarebytes Service.

     IOCs

     Hashes:
     b1cbe0ee129bc96cc3e3d2aa4bc2ce3f6b7403045bd0ffc8956b7b7af4d070f5 - Installer (Password Protected)
     b529ca4dd148fdfcee0c1f267bc6821cc5168c121363fa690536a72e0f447c19 - CertLock (Thx Aura)

     Registry Entries Associated with CertLock:
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\03D22C9C66915D58C88912B64C1F984B8344EF09
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\0F684EC1163281085C6AF20528878103ACEFCAAB
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\1667908C9E22EFBD0590E088715CC74BE4C60884
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\18DEA4EFA93B06AE997D234411F3FD72A677EECE
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\249BDA38A611CD746A132FA2AF995A2D3C941264
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\31AC96A6C17C425222C46D55C3CCA6BA12E54DAF
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\331E2046A1CCA7BFEF766724394BE6112B4CA3F7
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3353EA609334A9F23A701B9159E30CB6C22D4C59
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\373C33726722D3A5D1EDD1F1585D5D25B39BEA1A
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3D496FA682E65FC122351EC29B55AB94F3BB03FC
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4420C99742DF11DD0795BC15B7B0ABF090DC84DF
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5240AB5B05D11B37900AC7712A3C6AE42F377C8C
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5DD3D41810F28B2A13E9A004E6412061E28FA48D
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7457A3793086DBB58B3858D6476889E3311E550E
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\76A9295EF4343E12DFC5FE05DC57227C1AB00D29
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\775B373B33B9D15B58BC02B184704332B97C3CAF
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\872CD334B7E7B3C3D1C6114CD6B221026D505EAB
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\88AD5DFE24126872B33175D1778687B642323ACF
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9132E8B079D080E01D52631690BE18EBC2347C1E
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\982D98951CF3C0CA2A02814D474A976CBFF6BDB1
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9C43F665E690AB4D486D4717B456C5554D4BCEB5
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9E3F95577B37C74CA2F70C1E1859E798B7FC6B13
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\A5341949ABE1407DD7BF7DFE75460D9608FBC309
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\A59CC32724DD07A6FC33F7806945481A2D13CA2F
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AD4C5429E10F4FF6C01840C20ABA344D7401209F
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AD96BB64BA36379D2E354660780C2067B81DA2E0
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\CDC37C22FE9272D8F2610206AD397A45040326B8
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\DB303C9B61282DE525DC754A535CA2D6A9BD3D87
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\DB77E5CFEC34459146748B667C97B185619251BA
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\E22240E837B52E691C71DF248F12D27F96441C00
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\ED841A61C0F76025598421BC1B00E24189E68D54
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F83099622B4A9F72CB5081F742164AD1B8D048C9
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\FBB42F089AF2D570F2BF6F493D107A3255A9BB1A
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\FFFA650F2CB2ABC0D80527B524DD3F9FC172C138
     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\[computer_name]   %temp%\[temp_name].tmp.exe

     Files Associated with CertLock:
     %temp%\[temp_name].tmp.exe

     Disallowed Certificates (Thumbprints):
     Security Vendor          Thumbprint
     AVAST                    AD4C5429E10F4FF6C01840C20ABA344D7401209F
     AVAST                    DB77E5CFEC34459146748B667C97B185619251BA
     AVG                      3D496FA682E65FC122351EC29B55AB94F3BB03FC
     AVG                      AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947
     AVG Technologies         E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF
     Adaware                  9132E8B079D080E01D52631690BE18EBC2347C1E
     Avira                    A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99
     BitDefender              18DEA4EFA93B06AE997D234411F3FD72A677EECE
     BitDefender              ED841A61C0F76025598421BC1B00E24189E68D54
     BullGuard                A5341949ABE1407DD7BF7DFE75460D9608FBC309
     BullGuard                76A9295EF4343E12DFC5FE05DC57227C1AB00D29
     Checkpoint Software      5240AB5B05D11B37900AC7712A3C6AE42F377C8C
     Comodo                   03D22C9C66915D58C88912B64C1F984B8344EF09
     Comodo                   872CD334B7E7B3C3D1C6114CD6B221026D505EAB
     CurioLab                 9E3F95577B37C74CA2F70C1E1859E798B7FC6B13
     Doctor Web               4420C99742DF11DD0795BC15B7B0ABF090DC84DF
     Doctor Web               FFFA650F2CB2ABC0D80527B524DD3F9FC172C138
     ESET                     A59CC32724DD07A6FC33F7806945481A2D13CA2F
     ESET                     F83099622B4A9F72CB5081F742164AD1B8D048C9
     Emsisoft                 4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF
     Emsisoft                 5DD3D41810F28B2A13E9A004E6412061E28FA48D
     F-Secure                 0F684EC1163281085C6AF20528878103ACEFCAAB
     FRISK                    1667908C9E22EFBD0590E088715CC74BE4C60884
     GData                    2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF
     K7 Computing             42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01
     K7 Computing             7457A3793086DBB58B3858D6476889E3311E550E
     Kaspersky                3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F
     Kaspersky                D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598
     Malwarebytes             249BDA38A611CD746A132FA2AF995A2D3C941264
     Malwarebytes             B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84
     McAfee                   775B373B33B9D15B58BC02B184704332B97C3CAF
     McAfee                   88AD5DFE24126872B33175D1778687B642323ACF
     PC Tools                 4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159
     Panda                    FBB42F089AF2D570F2BF6F493D107A3255A9BB1A
     SUPERAntiSpyware         373C33726722D3A5D1EDD1F1585D5D25B39BEA1A
     Safer Networking         982D98951CF3C0CA2A02814D474A976CBFF6BDB1
     Symantec                 31AC96A6C17C425222C46D55C3CCA6BA12E54DAF
     Symantec                 AD96BB64BA36379D2E354660780C2067B81DA2E0
     ThreatTrack Security     9C43F665E690AB4D486D4717B456C5554D4BCEB5
     ThreatTrack Security     DB303C9B61282DE525DC754A535CA2D6A9BD3D87
     Total Defense            E22240E837B52E691C71DF248F12D27F96441C00
     Trend Micro              331E2046A1CCA7BFEF766724394BE6112B4CA3F7
     Trend Micro              CDC37C22FE9272D8F2610206AD397A45040326B8
     Webroot                  3353EA609334A9F23A701B9159E30CB6C22D4C59
     Webroot                  9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361

     Article source
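The CertLock post describes two concrete artefacts: vendor code-signing thumbprints dropped as subkey names under the Disallowed certificate store, and avast.com hostnames pinned to 127.0.0.1 in the HOSTS file. The script below is an added example for this page, not the AVCertClean tool or any vendor's code. It reads the Disallowed subkeys with the standard `winreg` module when run on Windows and falls back to a constructed sample elsewhere, so the matching logic can be exercised anywhere; the vendor table is a subset of the thumbprints listed in the post, the HOSTS text is constructed, and the loopback check is widened to 0.0.0.0 and ::1 (the post only mentions 127.0.0.1). Thumbprints that are well formed but not in the table are reported rather than deleted, since a Disallowed entry can also be a legitimate block pushed by Microsoft or by enterprise policy.

```python
"""Triage helpers for CertLock-style certificate blocking.

Added example, not AVCertClean or vendor code. Registry access is Windows
only; classify_disallowed() and blackholed_hosts() are pure functions.
KNOWN_VENDOR_THUMBPRINTS is a subset of the table in the post; SAMPLE_*
inputs are constructed.
"""
import re
import sys

DISALLOWED_PATH = r"SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates"

# Subset of the vendor/thumbprint table from the post (SHA-1 hex, uppercase).
KNOWN_VENDOR_THUMBPRINTS = {
    "AVAST": {"AD4C5429E10F4FF6C01840C20ABA344D7401209F", "DB77E5CFEC34459146748B667C97B185619251BA"},
    "ESET": {"A59CC32724DD07A6FC33F7806945481A2D13CA2F", "F83099622B4A9F72CB5081F742164AD1B8D048C9"},
    "Kaspersky": {"3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F", "D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598"},
    "Malwarebytes": {"249BDA38A611CD746A132FA2AF995A2D3C941264", "B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84"},
}
THUMBPRINT_RE = re.compile(r"^[0-9A-F]{40}$")
LOOPBACK_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def classify_disallowed(subkey_names):
    """Map Disallowed\\Certificates subkey names (SHA-1 thumbprints) to vendors.

    Returns (matched, unknown): matched is a sorted list of (vendor, thumbprint)
    for entries in the table; unknown holds well-formed thumbprints that are not
    in the table and need manual review. Names that are not thumbprints are skipped.
    """
    by_thumb = {t: v for v, ts in KNOWN_VENDOR_THUMBPRINTS.items() for t in ts}
    matched, unknown = [], []
    for name in subkey_names:
        t = name.strip().upper()
        if not THUMBPRINT_RE.match(t):
            continue
        if t in by_thumb:
            matched.append((by_thumb[t], t))
        else:
            unknown.append(t)
    return sorted(matched), sorted(unknown)


def blackholed_hosts(hosts_text, domain="avast.com"):
    """Return hostnames in domain that a HOSTS file maps to a loopback/null address."""
    hits = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr not in LOOPBACK_ADDRS:
            continue
        for n in names:
            h = n.lower()
            if h == domain or h.endswith("." + domain):
                hits.add(h)
    return sorted(hits)


def read_disallowed_subkeys():
    """Enumerate HKLM Disallowed\\Certificates on Windows; returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DISALLOWED_PATH) as key:
        i = 0
        while True:
            try:
                names.append(winreg.EnumKey(key, i))
            except OSError:  # no more subkeys
                break
            i += 1
    return names


def remove_disallowed(thumbprint):
    """Delete one Disallowed\\Certificates subkey. Windows only; needs an elevated prompt."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DISALLOWED_PATH, 0, winreg.KEY_ALL_ACCESS) as key:
        winreg.DeleteKey(key, thumbprint)


# Constructed sample of what a CertLock-modified host might show.
SAMPLE_SUBKEYS = [
    "F83099622B4A9F72CB5081F742164AD1B8D048C9",  # ESET, from the post
    "249BDA38A611CD746A132FA2AF995A2D3C941264",  # Malwarebytes, from the post
    "0123456789ABCDEF0123456789ABCDEF01234567",  # constructed, not in the table
    "NotAThumbprint",                            # constructed non-thumbprint name
]
SAMPLE_HOSTS = """# constructed HOSTS sample
127.0.0.1 localhost
127.0.0.1 files.avast.com
127.0.0.1 www.avast.com update.avast.com   # two names on one line
93.184.216.34 example.com
"""

if __name__ == "__main__":
    subkeys = read_disallowed_subkeys() or SAMPLE_SUBKEYS
    matched, unknown = classify_disallowed(subkeys)
    for vendor, t in matched:
        print(f"blocked vendor cert: {vendor} {t}")
    for t in unknown:
        print(f"unrecognised disallowed thumbprint, review manually: {t}")
    for h in blackholed_hosts(SAMPLE_HOSTS):
        print(f"HOSTS blackholes {h}")
```

On a live machine, pass the names returned by `read_disallowed_subkeys()` to `classify_disallowed()` and only feed the `matched` thumbprints to `remove_disallowed()`; leave the `unknown` list for a human, and remember that an already-running product may need its service restarted after the key is gone, as the post notes for Malwarebytes.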
  6. A self-proclaimed member of the Anonymous hacker collective is behind a campaign to spread the Houdini RAT and is currently looking into deploying the MoWare H.F.D ransomware. The name of this "hacker" is Mohammed Raad, according to his Facebook profile, but he also goes online by the nickname "vicswors baghdad," according to his Facebook, Twitter, Google+, and YouTube profiles. While there are countless people who download and fool around with malware kits, Recorded Future claims this actor took it one step further by launching real-world campaigns.

     Recorded Future: Raad behind some Houdini campaigns

     Raad's actions would have gone unnoticed if he hadn't weaponized and started distributing Houdini (or H-worm), a VBScript-based RAT that was created and first spread in 2013. His biggest mistake was using PasteBin to store the RAT's main body, a VBScript file. Because threat intelligence firm Recorded Future regularly scrapes and archives PasteBin uploads, his actions were uncovered earlier this month, after experts observed an overall increase in VBScripts posted on online paste sites. Analyzing this surge, experts realized that most of the scripts were the Houdini VBScript. Analyzing the data, they identified three spikes of activity, in August 2016, October 2016, and March 2017. Recorded Future experts believe an infected computer would download the VBScript from the paste site, which would later connect to a C&C server and gain persistence on the infected host by setting up a local folder and registry key.

     Raad registered a C&C domain under his real name

     To find more details on who was behind this surge in VBScripts on paste sites, researchers took a look at all the C&C server URLs found inside the Houdini scripts. This search identified C&C servers hosted on 105 subdomains of dynamic DNS providers (ddns.net, no-ip.com, etc.), but also one clear net domain. That domain was microsofit[.]net, which was registered by Raad. At this point, researchers realized that many of the other 105 dynamic DNS subdomains were variations on this actor's name, either using Raad or the word Mohammed in the subdomain name (mohammadx47.ddns.net; mohamedsaeed.ddns.net; etc.). It didn't take long for researchers to find Raad's social media profiles, where they found his affiliation with the Anonymous hacker collective, his inclination for dabbling in malware, and messages through which he entered promotions for the dynamic DNS services he used in the C&C server infrastructure.

     Raad is playing around with ransomware

     Furthermore, they found comments made by Raad on a YouTube video advertising the MoWare H.F.D ransomware, asking the author for a copy of the ransomware package. A few days later, Raad posted an image on Facebook showing the MoWare ransomware source code, implying that he had received a copy and was currently editing the code. There is no evidence the author released his ransomware in the wild. Raad's social media profiles suggest he's an Iraqi national living in Munich, Germany. Raad did not respond to a request for comment from Bleeping Computer in time for this article's publication.

     Other actors leveraging paste sites

     According to Recorded Future experts, malware authors are increasingly abusing paste sites as cogs in their malware distribution campaigns. A day before the report unmasking Raad's activity, Recorded Future experts uncovered the activity of another crook, going by the names Leo and wzLeonardo. Experts say Leo was using a VBScript hosted on Pastebin that, when executed, would install the njRAT remote access trojan on the victim's computer, while also downloading encrypted RAT strings stored on HasteBin, another paste site. Recorded Future believes Leo is based either in Brazil or Tunisia.

     Source
  7. The interestingly named "Swearing Trojan" appears to be using fake mobile base stations in China to send phishing SMS messages to fool victims. If you're heading to China, you may want to watch out for legit-looking SMS messages from local carriers China Mobile and China Telecom. That's because the group behind the banking malware known as "Swearing Trojan" has been using fake mobile base stations to masquerade as a real carrier and send phishing SMS messages that trick you into clicking on a malicious URL, according to security research group Check Point. While there have been reports that the authors behind the malware have been arrested, Check Point said it is still detecting the spread of the malware. Once installed, Swearing Trojan intercepts your bank's 2FA passwords, giving the malware authors access to your bank account. Besides fake mobile base stations, the malware also propagates via your contact list, using seemingly real messages to get other victims to download the malware, or fake "nude celebrity" scams to get victims to click on a malicious URL.

     Source
  8. Citadel author pleads guilty

     The Russian programmer behind the Citadel Trojan, which was used for raiding bank accounts, has pleaded guilty. Mark Vartanyan, also known by the name "Kolypto," was arrested last year in Norway and extradited to America a month later. He was charged with one count of computer fraud, to which he pleaded guilty. In exchange for his admission, Vartanyan could get up to 10 years in jail and a $250,000 fine, down from 25 years behind bars. He will only find out his sentence in June.

     "We must continue to impose real costs on criminals who believe they are protected by geographic boundaries and can prey on the American people and institutions with impunity," said FBI special agent David LeValley. "It further demonstrates the FBI's long-term commitment to identifying and pursuing cyber criminals world-wide, and serves as a strong deterrent to others targeting America's financial institutions and citizens through the use of malicious software."

     A trip back to 2011

     If your memory is a bit fuzzy on the Citadel issue, that's understandable, because the trojan appeared back in 2011. It infected Windows PCs, silently picking up victims' online banking credentials only to later allow criminals to get their hands on the cash. Citadel could also spy on computers and hold files to ransom, setting down a trend that's now grown into a phenomenon. According to US prosecutors, at its height the malware infected 11 million computers and was responsible for the theft of over $500 million from bank accounts.

     "Between on or about August 21, 2012, and January 9, 2013, while residing in Ukraine, and again between on or about April 9, 2014, and June 2, 2014, while residing in Norway, Vartanyan allegedly engaged in the development, improvement, maintenance and distribution of Citadel. During these periods, Vartanyan allegedly uploaded numerous electronic files that consisted of Citadel malware, components, updates and patches, as well as customer information, all with the intent of improving Citadel’s illicit functionality," reads a case file.

     Nowadays, there are some versions of the malware still circulating. At its base, Citadel is a variant of the famous ZeuS banking trojan. Citadel was one of the first malware-as-a-service offerings out there, with its source code being sold on exclusive Russian dark web forums.

     Source
  9. Researchers at Arbor Networks have come across a new piece of malware that could be linked to the Trojan used in the campaign known as Operation Potao Express.

    The malware caught the attention of Arbor Networks researchers after a link to a VirusTotal analysis was posted on Twitter by an Italy-based expert who uses the online moniker Antelox. An analysis of the Trojan and its dropper showed that the threat could be linked to the Potao malware family.

    The Potao malware, which has been described as a "universal modular cyber espionage toolkit," has been around since at least 2011, but it was first analyzed in detail in 2015 by ESET. In its report on Operation Potao Express, ESET said the malware was most probably of Russian origin and it had been used in attacks aimed at entities in Ukraine, Russia, Georgia and Belarus, including what experts described as "high-value targets."

    The new malware that Arbor Networks believes may be linked to Potao has been dubbed "Acronym" based on a debugging string and the URLs pointing to command and control (C&C) servers. Acronym and its dropper appear to have been compiled in mid-February. The dropper is designed to kill the wmpnetwk.exe Windows process and replace the legitimate wmpnetwk.exe file with the malware. Once executed, Acronym uses the Registry or the Task Scheduler to ensure that it's persistent. It then contacts a C&C server and sends it information about the infected machine.

    Similar to Potao, Acronym is a modular malware. Its built-in commands allow attackers to capture screenshots, download and execute other files, and run plugins. Since the C&C servers were offline at the time of Arbor's analysis, researchers have not been able to identify any of the plugins. However, similarities in the plugin functionality have led experts to believe that Acronym may be connected to Potao.

    Other similarities include the use of the same C&C infrastructure, attempts to contact C&C domains on the same ports, and the use of temporary file names that start with "HH." On the other hand, there are several differences when it comes to encryption and how the malware is delivered: unlike Potao, Acronym's dropper does not use decoy documents, DLL files or process injections. Furthermore, some parts of the Acronym code, including for HTTP communications, encryption and the screenshot functionality, appear to have been copied from publicly available examples.

    "As usual with new malware it is too soon to assess how active and widespread this new family will become, but it does have a potential link to a long running malware campaign known as Operation Potao Express that makes it worth watching," said Arbor Networks' Dennis Schwarz.

    Article source
  10. Dridex v4 is already used in campaigns against UK banks

    Dridex v4 is making a comeback with new capabilities that make it even harder to detect.

    The Dridex Trojan, one of the most destructive banking Trojans to hit the Internet, has just been given an update with a new injection method that makes it even harder to detect, taking advantage of AtomBombing, IBM X-Force reports. AtomBombing, unlike some other common injection techniques used in the wild, is meant to make evading security software a breeze. "In this release, we noted that special attention was given to dodging antivirus products and hindering research by adopting a series of enhanced anti-research and anti-AV capabilities," reads the new research.

    This new Dridex version doesn't rely on AtomBombing entirely, using only a part of the exploit for its purpose. It seems that the malware authors used the AtomBombing technique for the writing of the payload, before switching to a different method to achieve execution permission, as well as for the execution itself.

    More changes to Dridex

    The addition of AtomBombing wasn't the only change to Dridex. In fact, the developers also worked on a major upgrade to the way encryption is configured. The upgrade includes implementing a modified naming algorithm, a new persistence mechanism and a few additional enhancements. This new update isn't necessarily surprising for researchers. "The release of a major version upgrade is a big deal for any software, and the same goes for malware. The significance of this upgrade is that Dridex continues to evolve in sophistication, investing in further efforts to evade security and enhance its capabilities to enable financial fraud," X-Force writes.

    The new Dridex v4 is currently being used against British banks, and estimates indicate that the attacks may soon move towards the United States.

    AtomBombing was first spotted by enSilo back in October, when the security firm warned that attackers were using Windows' atom tables, which made the code injection technique affect all versions of Windows. It works by using code injection to add malicious code into legitimate processes, which makes the malware harder to detect by security products.

    Source
  11. A wave of attacks by cybercrooks pushing a new variant of the resilient Pushdo Trojan has compromised more than 11,000 systems in just 24 hours.

    Indian PCs have been most affected by the outbreak, but systems in the UK, France and the US have also been hit, according to security software firm Bitdefender. The Romanian firm reckons 77 machines have been infected in the UK via the botnet in the past 24 hours, with more than 11,000 infections reported worldwide in the same period. Other countries that have been heavily affected by the Pushdo variant include Vietnam and Turkey.

    Bitdefender's figures come from traffic towards the sinkholed domains associated with the botnet's control system. Traffic to these seized sinkholes came from 11,000 unique IP addresses in a period of 24 hours. These pings represent infected hosts phoning home for instructions. The most affected region seems to be Asia, with India and Vietnam topping the list of compromised hosts and accounting for around 10 per cent of infections each. The US accounts for another 5 per cent of the total.

    "We managed to successfully intercept Pushdo traffic and gain some idea of the size of this botnet," states Catalin Cosoi, chief security strategist at Bitdefender. "The sheer scale of this criminal operation, unsophisticated as it may be, is rather troubling and there are indications that the botnet is still in a growth phase. We shall be continuing our investigation as a key priority and further updates shall be made available in the coming days."

    The Pushdo Trojan has been used to distribute secondary malware strains such as ZeuS and SpyEye, but over the years its main use has been geared towards spam distribution. The actual spamming is done through a commonly associated component called Cutwail that is frequently installed on compromised PCs. Despite four takedowns in five years against Pushdo command-and-control servers, the botnet endures.

    The public and private keys used to protect the communication between the bots and the C&C servers have been changed with the latest variant, but the communication protocol remains the same. The latest Pushdo binaries add an encrypted overlay not found in previous versions. If the conditions specified in the overlay are not met, the sample does not run properly.

    The DGA (Domain Generation Algorithm) used by the latest variant has also been slightly revamped. DGAs are used to periodically generate a large number of domain names the zombie hosts can ping for instructions. The approach (pioneered by the infamous Conficker worm) makes life harder for law enforcement. Its successful application in this malware goes a long way towards explaining the resilience of Pushdo.

    Source
  12. GridinSoft Trojan Killer 2.2.3.7

    GridinSoft Trojan Killer is an advanced program to clean your computer of all malicious threats! If you are a regular internet user, you should take steps to protect your personal information against cyber-criminals. Trojan Killer can help you in this matter! The program quickly identifies (recognizes) and immediately removes dangerous malicious Trojans - spyware and adware, malware that blocks and restricts the activities of tools, keyloggers, etc. - before irreversible painful events occur in the form of stolen accounts, passwords, credit card numbers, and personal, corporate and other information.

    Trojan Killer is designed specifically to disable / remove Malware without the user having to manually edit system files or the Registry. The program also removes the additional system modifications that are ignored by some standard antivirus scanners. Trojan Killer scans ALL the files loaded at boot time for Adware, Spyware, Remote Access Trojans, Internet Worms and other malware. Trojan Killer works as a security system for providing security in computer systems. The program will help you get rid of annoying adware, malware and other rogue tools. It is very important to restore control over your computer and not let anyone use your data.

    Additional tools:

    Reset Internet Explorer Home / Start / Search Page Settings: Some Malware programs make changes to the main page of Internet Explorer, Start and Search Page settings, in order to redirect the web browser to different websites. This utility will reset the Home / Start / Search pages to standard Defaults. You can then manually reset your Home Page to your website of choice (or leave it "blank", the default).

    Restore the HOSTS file: The Windows HOSTS file is a text file which stores website addresses. The file can be used to speed up access to websites you visit often - by equating the website name to its DNS address, the web browser can find the website more quickly as it does not have to query a DNS name server. Some Malware programs add entries to this file, either to deny access to websites (usually security-related websites or antivirus company sites) or to redirect access to websites of their choosing.

    Reset Windows Update policies: Some Malware programs attempt to prevent Windows Update from running, and inhibit access to resetting Windows Update, by blanking out the Windows Update options on the Configure Update page.

    Website: http://www.gridinsoft.com
    OS: Windows XP / Vista / 7 / 8
    Language: Ml
    Medicine: Patch
    Size: 32,99 Mb
  13. Banker Trojans have proven to be reliable and effective tools for attackers interested in quietly stealing large amounts of money from unwitting victims. Zeus, Carberp and many others have made piles of money for their creators and the attackers who use them, and researchers have been looking at a newer banker Trojan that has the ability to bypass SSL protection for banking sessions by redirecting traffic through the attackers' own domains.

    The Trojan, which is being called either Dyre or Dyreza by researchers, uses a technique known as browser hooking to intercept traffic flowing between the victim's machine and the target Web site. The malware arrives in users' inboxes through spam messages, many of which will look like messages from a financial institution. The list of targeted banks includes Bank of America, Natwest, Citibank, RBS and Ulsterbank. Researchers say that much of the activity from the Trojan so far is in the U.K.

    When a victim opens the attached zip file in a spam message, the malware installs itself on the machine and then contacts a command-and-control server. Researchers at CSIS in Denmark located a couple of the C2 servers and discovered that one of them had an integrated money mule panel for several accounts in Latvia.

    The goal of the malware, of course, is to steal users' credentials for online banking and other financial sites. Various banker Trojans go about this in different ways, and Dyreza's creators decided to employ browser hooking to help defeat SSL. "The traffic, when you browse the Internet, is being controlled by the attackers. They use a MiTM (Man in The Middle) approach and thus are able to read anything, even SSL traffic in clear text. This way they will also try to circumvent 2FA," an analysis by Peter Kruse at CSIS says.

    When users go to one of the targeted financial sites and attempt to log in, the data is intercepted by the malware and sent directly to the attackers. Victims would not have any visual cues that their data is being siphoned off or that the malware is redirecting their traffic to a domain controlled by the attackers and it's no longer encrypted.

    "Here's the kicker. All of this should be encrypted and never seen in the clear. By using a sleight of hand, the attackers make it appear that you're still on the website and working as HTTPS. In reality your traffic is redirected to the attackers page," another analysis by Ronnie Tokazowski of PhishMe says. "To successfully redirect traffic in this manner, the attackers need to be able to see the traffic prior to encryption, and in the case of browsers, this is done with a technique called browser hooking. No DNS queries were performed for the c1sh Bank of America domain, suggesting the attackers simply appended this to the Host field in the network traffic."

    The Dyreza malware has the ability to hook Google Chrome, Mozilla Firefox and Internet Explorer.

    Source
  14. GridinSoft Trojan Killer 2.2.3.2

    GridinSoft Trojan Killer is an advanced program to clean your computer of all malicious threats! If you are a regular internet user, you should take steps to protect your personal information against cyber-criminals. Trojan Killer can help you in this matter! The program quickly identifies (recognizes) and immediately removes dangerous malicious Trojans - spyware and adware, malware that blocks and restricts the activities of tools, keyloggers, etc. - before irreversible painful events occur in the form of stolen accounts, passwords, credit card numbers, and personal, corporate and other information.

    Trojan Killer is designed specifically to disable / remove Malware without the user having to manually edit system files or the Registry. The program also removes the additional system modifications that are ignored by some standard antivirus scanners. Trojan Killer scans ALL the files loaded at boot time for Adware, Spyware, Remote Access Trojans, Internet Worms and other malware. Trojan Killer works as a security system for providing security in computer systems. The program will help you get rid of annoying adware, malware and other rogue tools. It is very important to restore control over your computer and not let anyone use your data.

    Additional tools:

    Reset Internet Explorer Home / Start / Search Page Settings: Some Malware programs make changes to the main page of Internet Explorer, Start and Search Page settings, in order to redirect the web browser to different websites. This utility will reset the Home / Start / Search pages to standard Defaults. You can then manually reset your Home Page to your website of choice (or leave it "blank", the default).

    Restore the HOSTS file: The Windows HOSTS file is a text file which stores website addresses. The file can be used to speed up access to websites you visit often - by equating the website name to its DNS address, the web browser can find the website more quickly as it does not have to query a DNS name server. Some Malware programs add entries to this file, either to deny access to websites (usually security-related websites or antivirus company sites) or to redirect access to websites of their choosing.

    Reset Windows Update policies: Some Malware programs attempt to prevent Windows Update from running, and inhibit access to resetting Windows Update, by blanking out the Windows Update options on the Configure Update page.

    Website: http://www.gridinsoft.com
    OS: Windows XP / Vista / 7 / 8
    Language: Ml
    Medicine: Patch
    Size: 31,90 Mb
  15. GridinSoft Trojan Killer 2.2.3.1

    GridinSoft Trojan Killer is an advanced program to clean your computer of all malicious threats! If you are a regular internet user, you should take steps to protect your personal information against cyber-criminals. Trojan Killer can help you in this matter! The program quickly identifies (recognizes) and immediately removes dangerous malicious Trojans - spyware and adware, malware that blocks and restricts the activities of tools, keyloggers, etc. - before irreversible painful events occur in the form of stolen accounts, passwords, credit card numbers, and personal, corporate and other information.

    Trojan Killer is designed specifically to disable / remove Malware without the user having to manually edit system files or the Registry. The program also removes the additional system modifications that are ignored by some standard antivirus scanners. Trojan Killer scans ALL the files loaded at boot time for Adware, Spyware, Remote Access Trojans, Internet Worms and other malware. Trojan Killer works as a security system for providing security in computer systems. The program will help you get rid of annoying adware, malware and other rogue tools. It is very important to restore control over your computer and not let anyone use your data.

    Additional tools:

    Reset Internet Explorer Home / Start / Search Page Settings: Some Malware programs make changes to the main page of Internet Explorer, Start and Search Page settings, in order to redirect the web browser to different websites. This utility will reset the Home / Start / Search pages to standard Defaults. You can then manually reset your Home Page to your website of choice (or leave it "blank", the default).

    Restore the HOSTS file: The Windows HOSTS file is a text file which stores website addresses. The file can be used to speed up access to websites you visit often - by equating the website name to its DNS address, the web browser can find the website more quickly as it does not have to query a DNS name server. Some Malware programs add entries to this file, either to deny access to websites (usually security-related websites or antivirus company sites) or to redirect access to websites of their choosing.

    Reset Windows Update policies: Some Malware programs attempt to prevent Windows Update from running, and inhibit access to resetting Windows Update, by blanking out the Windows Update options on the Configure Update page.

    Website: http://www.gridinsoft.com
    OS: Windows XP / Vista / 7 / 8
    Language: Ml
    Medicine: Patch
    Size: 39,86 Mb
  16. Security researchers from Trusteer have been monitoring a new Trojan which they've dubbed Zberp, a combination of the Zeus and Carberp families of malware.

    The source code for the notorious Zeus banking Trojan was leaked back in 2011, and the source code for Carberp was put up for sale on Russian cybercrime forums in June 2013. Researchers knew it would only be a matter of time until malware developers combined the two threats. Trusteer experts first spotted Zberp a few weeks ago when they noticed that cybercriminals were using the Andromeda botnet to download this hybrid malware. According to the researchers, Zberp is actually a variant of Zeus VM, but its behavior is also similar to versions of the Carberp Trojan family.

    The new Trojan enables cybercriminals to perform various tasks, including harvesting system information and taking screenshots. It can also be utilized to steal FTP and POP account credentials, user SSL certificates, and data submitted to HTTP forms. The Trojan also comes with some optional features designed for web injections, dynamic web injections, man-in-the-middle (MitM) and man-in-the-browser (MitB) attacks, and VNC/RDP connections.

    To ensure that their creation is not easy to identify and remove, the developers of Zberp have incorporated several evasion techniques taken from both ZeuS and Carberp. For example, Zberp relies on a clever trick seen in Zeus VM to ensure it's persistent. The threat deletes its registry entries when the operating system starts. This way, it's not detected by security solutions during normal system scans. However, when the infected computer is shut down, the persistence key is written back into the registry.

    Also similar to Zeus VM, Zberp uses steganography to embed configuration code into an innocent-looking image file. The use of steganography was observed by researchers even before Zeus VM. However, malware developers continue to rely on this technique since it can be an efficient way to evade anti-malware solutions.

    From Carberp, Zberp borrows a "hooking" technique. This is used not only to control web browsers and steal information, but also to help the threat evade protection software. In order to ensure that solutions capable of detecting Carberp would not identify Zberp, the hook is implemented differently. It's in the same place, but one "push" instruction has been moved by one byte and a new "mov" instruction has been added.

    The Trojan is also capable of evading detection by using SSL to encrypt communications with the command and control server. Most antivirus engines on VirusTotal did not recognize the threat when it was first detected. However, most modern anti-malware solutions that rely on more than just signatures should be able to detect Zberp.

    Source
  17. GridinSoft Trojan Killer 2.2.2.7

    GridinSoft Trojan Killer is an advanced program to clean your computer of all malicious threats! If you are a regular internet user, you should take steps to protect your personal information against cyber-criminals. Trojan Killer can help you in this matter! The program quickly identifies (recognizes) and immediately removes dangerous malicious Trojans - spyware and adware, malware that blocks and restricts the activities of tools, keyloggers, etc. - before irreversible painful events occur in the form of stolen accounts, passwords, credit card numbers, and personal, corporate and other information.

    Trojan Killer is designed specifically to disable / remove Malware without the user having to manually edit system files or the Registry. The program also removes the additional system modifications that are ignored by some standard antivirus scanners. Trojan Killer scans ALL the files loaded at boot time for Adware, Spyware, Remote Access Trojans, Internet Worms and other malware. Trojan Killer works as a security system for providing security in computer systems. The program will help you get rid of annoying adware, malware and other rogue tools. It is very important to restore control over your computer and not let anyone use your data.

    Additional tools:

    Reset Internet Explorer Home / Start / Search Page Settings: Some Malware programs make changes to the main page of Internet Explorer, Start and Search Page settings, in order to redirect the web browser to different websites. This utility will reset the Home / Start / Search pages to standard Defaults. You can then manually reset your Home Page to your website of choice (or leave it "blank", the default).

    Restore the HOSTS file: The Windows HOSTS file is a text file which stores website addresses. The file can be used to speed up access to websites you visit often - by equating the website name to its DNS address, the web browser can find the website more quickly as it does not have to query a DNS name server. Some Malware programs add entries to this file, either to deny access to websites (usually security-related websites or antivirus company sites) or to redirect access to websites of their choosing.

    Reset Windows Update policies: Some Malware programs attempt to prevent Windows Update from running, and inhibit access to resetting Windows Update, by blanking out the Windows Update options on the Configure Update page.

    Website: http://www.gridinsoft.com
    OS: Windows XP / Vista / 7 / 8
    Language: Ml
    Medicine: Patch
    Size: 49,80 Mb
  18. ZeuS, or Zbot, is one of the oldest families of financial malware. It is a Trojan horse capable of carrying out various malicious and criminal tasks and is often used to steal banking information. It is distributed to a wide audience, primarily through infected web pages, spam campaigns and drive-by downloads. Earlier this month, Comodo AV labs identified a dangerous variant of the ZeuS Banking Trojan which is signed with a stolen digital certificate belonging to a Microsoft developer to avoid detection by web browsers and anti-virus systems.

    FREE! FREE! ZeuS BRINGS ROOTKIT UPDATE

    Recently, the security researcher Kan Chen at Fortinet has found that the P2P Zeus botnet is updating its bots/infected systems with an updated version that has the capability to drop a rootkit into infected systems and hide the trojan to prevent the removal of malicious files and registry entries. The new variant also double-checks for the earlier installed version (0x38) of the ZeuS trojan on the infected system and then replaces it with updated binary files (version 0x3B). "Every P2P Zeus binary would extract the version number from the update packet and compare the version number that is hardcoded in its body" to verify the success of the update process.

    According to researchers, there is only a minimal change in the new variant of P2P Zeus, as the new binary also drops a rootkit driver file into the %SYSTEM32%\drivers folder, apart from its original functions. The new Zeus Trojan equipped with a rootkit feature is more sophisticated and increases the difficulty of removing Zeus from infected systems.

    HOW TO PROTECT YOURSELF FROM THE ZeuS TROJAN

    We recommend that users use common sense and think twice before clicking any link in their e-mails or on any other websites they visit. Trustworthy companies don't send attachments unless you have requested specific documents. So, always use caution if you receive an email from an unknown contact with attachments that you haven't requested, and do not open it. Install a good Internet security tool and configure the firewall to maximize the security of your computer system.

    Source
  19. GridinSoft Trojan Killer 2.2.2.6

    GridinSoft Trojan Killer is an advanced program to clean your computer of all malicious threats! If you are a regular internet user, you should take steps to protect your personal information against cyber-criminals. Trojan Killer can help you in this matter! The program quickly identifies (recognizes) and immediately removes dangerous malicious Trojans - spyware and adware, malware that blocks and restricts the activities of tools, keyloggers, etc. - before irreversible painful events occur in the form of stolen accounts, passwords, credit card numbers, and personal, corporate and other information.

    Trojan Killer is designed specifically to disable / remove Malware without the user having to manually edit system files or the Registry. The program also removes the additional system modifications that are ignored by some standard antivirus scanners. Trojan Killer scans ALL the files loaded at boot time for Adware, Spyware, Remote Access Trojans, Internet Worms and other malware. Trojan Killer works as a security system for providing security in computer systems. The program will help you get rid of annoying adware, malware and other rogue tools. It is very important to restore control over your computer and not let anyone use your data.

    Additional tools:

    Reset Internet Explorer Home / Start / Search Page Settings: Some Malware programs make changes to the main page of Internet Explorer, Start and Search Page settings, in order to redirect the web browser to different websites. This utility will reset the Home / Start / Search pages to standard Defaults. You can then manually reset your Home Page to your website of choice (or leave it "blank", the default).

    Restore the HOSTS file: The Windows HOSTS file is a text file which stores website addresses. The file can be used to speed up access to websites you visit often - by equating the website name to its DNS address, the web browser can find the website more quickly as it does not have to query a DNS name server. Some Malware programs add entries to this file, either to deny access to websites (usually security-related websites or antivirus company sites) or to redirect access to websites of their choosing.

    Reset Windows Update policies: Some Malware programs attempt to prevent Windows Update from running, and inhibit access to resetting Windows Update, by blanking out the Windows Update options on the Configure Update page.

    Website: http://www.gridinsoft.com
    OS: Windows XP / Vista / 7 / 8
    Language: Ml
    Medicine: Patch
    Size: 47,49 Mb
  20. selesn777

    Loaris Trojan Remover 1.3.2.1

    Trojan Remover aids in the removal of Malware - Trojan Horses, Worms, Adware, Spyware - when standard anti-virus software either fails to detect them or fails to effectively eliminate them. Standard antivirus programs are good at detecting this Malware, but not always good at effectively removing it. The majority of Anti-Malware Scanners are well able to detect malicious software - Trojan Horses, Internet Worms, Adware/Spyware etc. - but are not always efficient in removing them once they have been triggered.

    Trojan Remover is designed specifically to disable/remove Malware without the user having to manually edit system files or the Registry. The program also removes the additional system modifications some Malware carries out which are ignored by some standard antivirus scanners. Trojan Remover scans ALL the files loaded at boot time for Adware, Spyware, Remote Access Trojans, Internet Worms and other malware. Two scan types are available. The Standard scan quickly scans the system with no need for further configuration of the scan parameters. The Custom scan allows the user to select any of the folders for scanning.

    Are you bombarded with popup ads, seeing new toolbars in your browser, is your home page changing to unwanted destinations or are you bombarded with irritating spam? Perhaps strange software loads on startup or your favorites have new entries that YOU DON'T WANT. If so, your PC is most likely infected with adware, spyware, spybots, trojans or another internet parasite. These programs have the ability to track your browsing habits and even steal such personal information as bank account numbers and passwords. Spyware has the power to install more parasites on your computer without your consent. Everything you do and everything you type is being recorded right now! Companies know what your interests are! Hackers will access your PC and do anything they wish. They can even steal your Identity and you would never be the wiser!

    The Solution: Download the latest version of Loaris Trojan Remover right now. You will be able to completely clean your computer of all these invasive threats! Your computer will be clean and will run a lot faster - your Privacy will be Protected!

    Software requirements:
    Loaris Trojan Remover supports all 32-bit and 64-bit Windows families including XP, 2003, Vista, Windows 7 and Windows 8 (32-bit/64-bit)
    1 GB RAM
    60 MB free hard drive space
    Minimum 800 x 600 screen resolution

    Website: http://loaris.com/
    Language: English
    Tablet: Crack / Key
    Size: 45,16 MB
  21. SabotaSe

    Trojan on NSANE?

    Hi guys... Trojan detected on the Nsane forum..? Is there nothing wrong? http://prntscr.com/32boy6 Sorry if this is not the right room.
  22. By Topher Kessler, February 10, 2014 1:06 PM PST

    Disguised as a legitimate project on GitHub called StealthBit, the malware installs a browser extension to look for and steal BitCoin wallet and account credentials.

    Security research site SecureMac has discovered a new trojan horse that targets OS X systems and spies on internet traffic in order to steal Bitcoins. The trojan, called OS X/CoinThief.A, is disguised as a standard OS X application called StealthBit, which was recently uploaded to GitHub. While advertised as a legitimate project for receiving Bitcoin payments on Bitcoin Stealth Addresses (a key encryption routine for securing a bitcoin transfer), StealthBit was instead a guise to install malicious tracker software on unsuspecting Mac users.

    The project page on GitHub included source code along with precompiled binaries for those without the means to compile their own. While this is a common and convenient practice for GitHub projects, in this case the precompiled binary did not match the project's source code, and instead contained the malware for tracking users' Web activity. When downloaded and run, the binary would install a browser extension in the user's home folder that would run when Safari or another Web browser was launched. This extension would then monitor the sites that users visit, and log credentials entered into them, in order to send account information for BitCoin sites, along with information about the user's system, to third-party servers. In order to disguise the extension, the criminals behind it have given it generic names like "Pop-up blocker," and attempted to prevent its discovery by having it search for installations of common anti-malware tools and not install on systems containing them.

    Being a relatively new growing market with recent prices closing at around $700 per coin, BitCoin trading has attracted a number of attempts to mine, steal, and otherwise capitalize on this currency, and this malware is only the latest attempt to do so. For now, not much is known about OSX/CoinThief.A, and SecureMac and other security analysts are continuing to investigate the malware; however, if you have recently downloaded a BitCoin management tool from GitHub, then for now you can check your browser's active extensions to see if any are present that you did not specifically install. For Safari users, you can go to the Extensions section of Safari's preferences to view active extensions. For Firefox, you can select Add-ons from the Tools menu, and then click the Extensions section, and in Chrome you can select Extensions from the Window menu. If you find unknown extensions in these locations, then you can disable or remove them, but re-check periodically to see if they reappear, as such activity would indicate a persistent component of the malware that keeps the extension installed and active.

    This malware is known to install background tasks that launch automatically when users log into their accounts. These routines are generally managed by Launch Agent scripts, which are located in the username > Library > LaunchAgents folder. While launch agents are commonly used by updaters and other programs you run to give you alerts and to schedule update checks, they are also used by malware developers to keep malicious programs alive in the background. By opening each launch agent and checking the "Program Arguments" or "Program" key, you can see what executable (and its corresponding path) is being targeted by that launch agent, and then check various online sources such as the Apple Support Communities to see if the paths and executables are legitimate.

    Unfortunately, launch agent manipulation by malware developers can sometimes be difficult to identify, especially since a launch agent and executable can be easily masked to look legitimate. Therefore, if you are uncertain of how to look for and remove malware, you might use a reputable anti-malware scanner that has been updated to identify CoinThief.A. As the investigation into this malware develops, definitions for it and any future variants of it will become available, which can be used to better detect its presence and remove it from an infected system.

    http://reviews.cnet.com/8301-13727_7-57618666-263/new-os-x-trojan-monitors-web-activity-to-steal-bitcoins
  23. selesn777

    Loaris Trojan Remover 1.3.1.0

    Loaris Trojan Remover 1.3.1.0

    Trojan Remover aids in the removal of Malware - Trojan Horses, Worms, Adware, Spyware - when standard anti-virus software either fails to detect them or fails to effectively eliminate them. Standard antivirus programs are good at detecting this Malware, but not always good at effectively removing it. The majority of Anti-Malware Scanners are well able to detect malicious software - Trojan Horses, Internet Worms, Adware/Spyware etc. - but are not always efficient in removing them once they have been triggered. Trojan Remover is designed specifically to disable/remove Malware without the user having to manually edit system files or the Registry. The program also removes the additional system modifications some Malware carries out which are ignored by some standard antivirus scanners.

    Trojan Remover scans ALL the files loaded at boot time for Adware, Spyware, Remote Access Trojans, Internet Worms and other malware. Two scan types are available. The Standard scan quickly scans the system with no need for further configuration of the scan parameters. The Custom scan… allows the user to select any of the folders to scan.

    Are you bombarded with popup ads, seeing new toolbars in your browser, is your home page changing to unwanted destinations or are you bombarded with irritating spam? Perhaps strange software loads on startup or your favorites have new entries that YOU DON'T WANT. If so... your PC is most likely infected with adware, spyware, spybot, trojans or another internet parasite. These programs have the ability to track your browsing habits and even steal such personal information as bank account numbers and passwords. Spyware has the power to install more parasites on your computer without your consent. Everything you do and everything you type is being recorded right now! Companies know what your interests are! Hackers will access your PC and do anything they wish. They can even steal your Identity and you would never be the wiser!

    The Solution: Download the latest version of Loaris Trojan Remover right now. You will be able to completely clean your computer of all these invasive threats! Your computer will be clean and will run a lot faster - Your Privacy will be Protected!

    Additional Tools:

    Software requirements: Loaris Trojan Remover supports all 32-bit and 64-bit Windows families including XP, 2003, Vista, Windows 7 and Windows 8 (32-bit/64-bit)
    1 GB RAM
    60 MB free hard drive space
    Minimum 800 x 600 screen resolution

    Website: http://loaris.com/
    Language: English
    Tablet: Crack / Key
    Size: 62,10 MB
  24. selesn777

    Loaris Trojan Remover 1.3.0.8

    Loaris Trojan Remover 1.3.0.8

    Trojan Remover aids in the removal of Malware - Trojan Horses, Worms, Adware, Spyware - when standard anti-virus software either fails to detect them or fails to effectively eliminate them. Standard antivirus programs are good at detecting this Malware, but not always good at effectively removing it. The majority of Anti-Malware Scanners are well able to detect malicious software - Trojan Horses, Internet Worms, Adware/Spyware etc. - but are not always efficient in removing them once they have been triggered. Trojan Remover is designed specifically to disable/remove Malware without the user having to manually edit system files or the Registry. The program also removes the additional system modifications some Malware carries out which are ignored by some standard antivirus scanners.

    Trojan Remover scans ALL the files loaded at boot time for Adware, Spyware, Remote Access Trojans, Internet Worms and other malware. Two scan types are available. The Standard scan quickly scans the system with no need for further configuration of the scan parameters. The Custom scan… allows the user to select any of the folders to scan.

    Are you bombarded with popup ads, seeing new toolbars in your browser, is your home page changing to unwanted destinations or are you bombarded with irritating spam? Perhaps strange software loads on startup or your favorites have new entries that YOU DON'T WANT. If so... your PC is most likely infected with adware, spyware, spybot, trojans or another internet parasite. These programs have the ability to track your browsing habits and even steal such personal information as bank account numbers and passwords. Spyware has the power to install more parasites on your computer without your consent. Everything you do and everything you type is being recorded right now! Companies know what your interests are! Hackers will access your PC and do anything they wish. They can even steal your Identity and you would never be the wiser!

    The Solution: Download the latest version of Loaris Trojan Remover right now. You will be able to completely clean your computer of all these invasive threats! Your computer will be clean and will run a lot faster - Your Privacy will be Protected!

    Additional Tools:

    Software requirements: Loaris Trojan Remover supports all 32-bit and 64-bit Windows families including XP, 2003, Vista, Windows 7 and Windows 8 (32-bit/64-bit)
    1 GB RAM
    60 MB free hard drive space
    Minimum 800 x 600 screen resolution

    Website: http://loaris.com/
    Language: English
    Tablet: Crack / RegKey
    Size: 63,02 MB
  25. Developer: Fuken Gruven - portablexapps

    Notice: As Fuken has left his website, I just updated this version from his latest SAS. Enjoy!