Showing results for tags 'virus'.

Found 26 results

  1. Brian12

    Malware Removal Guide

    "This guide will help you remove malicious software from your computer. If you think your computer might be infected with a virus or trojan, you may want to use this guide. It provides step-by-step instructions on how to remove malware from the Windows operating system. It highlights free malware removal tools and resources that are necessary to clean your computer. You will quickly learn how to remove a virus, a rootkit, spyware, and other malware."

    Guide: http://www.selectrealsecurity.com/malware-removal-guide

    I'll be posting updates. :)
  2. Viruses are the IKEA furniture of the living world. In the right kind of cell, a handful of instructions and a few molecular tools can churn out multitudes of infectious Billy bookcases. No DIY builder wants to travel all over town to gather materials - theoretically, germs shouldn't be any different. Yet a new discovery suggests at least one category of virus can still pull itself together even if its instructions are split up into separate cells.

    A team of researchers from the Université de Montpellier in France recently conducted an experiment on a group of viruses with genomes made up of more than one distinct section. What they found contradicted some pretty fundamental assumptions about how viruses reproduce.

    To understand the weirdness of their discovery, we first need to back up a little to refresh the basics of virus construction. A typical virus is comprised of little more than nucleic acid inside a protective container. Once smuggled inside a living cell, that nucleic acid sequence is either inserted into the host's own genetic library or used to coerce the cell's molecular assembly line into hammering together fresh copies of the virus.

    Nearly all viruses encode their genetic blueprints on a length of single- or double-stranded nucleic acid. But some single-stranded DNA viruses described as 'multipartite' spread that code across multiple segments, each transmitted in a separate protein box. It's like printing an IKEA manual on loose pages, and then forcing you to wait until an inept postal service delivers the full set of instructions. Sure, some people might be lucky enough to receive the full set, but it's hardly a good business model.

    So it seems that by delivering their own pages of genetic instructions this way, multipartite viruses seem to be going about reproduction the hard way. Which prompts questions on why such a bizarre method of reproduction even persists.

    But we can't really dismiss them - a variety of these serialised pathogens infect plants and fungi. Only a couple of years ago, one was found infecting animals for the first time. They're hardly doomed to extinction.

    "The chances of a multipartite virus losing an essential genome segment during transmission are estimated to be so high, its ability to successfully cause an infection has been a long-standing mystery," says plant pathologist Anne Sicard.

    Something in our understanding about how viruses reproduce has to give. Either complete sets of instructions are finding their way into single cells after all, or something unique is going on.

    To dig deeper, the team used a faba bean necrotic stunt virus (FBNSV), a pathogen of peas and beans which is made up of eight viral 'chromosome' packages. Fluorescent probes were then used to locate the end delivery points of distinct sections of the genome inside infected faba bean plants. By using different colours of probe and testing for combinations of separated segments, the team were able to verify it was extremely unlikely for a full complement of genetic segments to randomly end up inside any one cell.

    Yet that didn't seem to be preventing segments from being copied. This was true even for segments that weren't integral to the virus's most basic functions, such as replication, encapsidation, and movement within the host.

    "Altogether, we have shown that distinct segments of a virus's genome are not necessarily together within individual host cells, and that accumulation of one genome segment in a cell is entirely independent of accumulation of the others," says virologist Stéphane Blanc.

    The implications of the find suggest the products of one set of genetic instructions can have far-reaching influences, helping activate segments in other cells. The researchers found evidence for this hypothesis when they looked for the molecule encoded by the genome segment responsible for replication. While fewer than half of the plant's cells contained copies of this replication segment, nearly 85 percent of its cells contained its product.

    Strangely, this entire process more closely resembles the workings of a multicellular organism, with separate cells being forced to take on individualised tasks in the construction of a single virus.

    "It is conceivable that this 'multicellular' way of life could be adopted in numerous viral systems and opens up an entirely new research horizon in virology," says Blanc.

    This research was published in eLife.

    source
  3. Security researchers have discovered an interesting piece of malware that infects systems with either a cryptocurrency miner or ransomware, depending upon their configurations to decide which of the two schemes could be more profitable.

    While ransomware is a type of malware that locks your computer and prevents you from accessing the encrypted data until you pay a ransom to get the decryption key required to decrypt your files, cryptocurrency miners utilize an infected system's CPU power to mine digital currencies.

    Both ransomware and cryptocurrency mining-based attacks have been the top threats so far this year and share many similarities: both are non-sophisticated attacks, carried out for money against non-targeted users, and involve digital currency. However, since locking a computer for ransom doesn't always guarantee a payback in case victims have nothing essential to lose, in past months cybercriminals have shifted more towards fraudulent cryptocurrency mining as a method of extracting money using victims' computers.

    Researchers at Russian security firm Kaspersky Labs have discovered a new variant of the Rakhni ransomware family, which has now been upgraded to include cryptocurrency mining capability as well.

    Written in the Delphi programming language, the Rakhni malware is being spread using spear-phishing emails with an MS Word file in the attachment, which if opened, prompts the victim to save the document and enable editing. The document includes a PDF icon, which if clicked, launches a malicious executable on the victim's computer and immediately displays a fake error message box upon execution, tricking victims into thinking that a system file required to open the document is missing.

    How Malware Decides What To Do

    However, in the background, the malware then performs many anti-VM and anti-sandbox checks to decide if it could infect the system without being caught. If all conditions are met, the malware then performs more checks to decide the final infection payload, i.e., ransomware or miner.

    1.) Installs ransomware—if the target system has a 'Bitcoin' folder in the AppData section. Before encrypting files with the RSA-1024 encryption algorithm, the malware terminates all processes that match a predefined list of popular applications and then displays a ransom note via a text file.

    2.) Installs cryptocurrency miner—if the 'Bitcoin' folder doesn't exist and the machine has more than two logical processors. If the system gets infected with a cryptocurrency miner, it uses the MinerGate utility to mine Monero (XMR), Monero Original (XMO) and Dashcoin (DSH) cryptocurrencies in the background. Besides this, the malware uses the CertMgr.exe utility to install fake root certificates that claim to have been issued by Microsoft Corporation and Adobe Systems Incorporated in an attempt to disguise the miner as a trusted process.

    3.) Activates worm component—if there's no 'Bitcoin' folder and just one logical processor. This component helps the malware to copy itself to all the computers located in the local network using shared resources.

    Regardless of which infection is chosen, the malware performs a check if one of the listed antivirus processes is launched. If no AV process is found in the system, the malware will run several cmd commands in an attempt to disable Windows Defender.

    What's more? There's A Spyware Feature As Well

    This malware variant is targeting users primarily in Russia (95.5%), while a small number of infections have been noticed in Kazakhstan (1.36%), Ukraine (0.57%), Germany (0.49%), and India (0.41%) as well.

    The best way to prevent yourself from being a victim of such attacks in the first place is never to open suspicious files and links provided in an email. Also, always keep a good backup routine and updated anti-virus software in place.

    Source
  4. Wissertje

    nsanedown blocked by ESET

    ===== KEYWORDS =====
    nsane.down blocked by ESET
    nsanedown blocked by ESET
    nsanedown.com blocked by ESET
    nsane.down banned by ESET
    nsanedown banned by ESET
    nsanedown.com banned by ESET
    ESET nsane.down block
    ESET nsane.down ban
    ESET nsanedown block
    ESET nsanedown ban
    ESET nsanedown.com block
    ESET nsanedown.com ban

    ===== SOLUTION =====
    Add *nsanedown.com* and *nsaneforums.com* (with the asterisks (star signs)) to the whitelist as described in the following ESET Knowledge Base article: http://kb.eset.com/esetkb/index?page=content&id=SOLN2960

    ===== ACTUAL TOPIC =====
    Good morning,

    If I go to //www.nsanedown.com/ then ESET blocks the page. Are you guys aware of this? I made some screenshots.

    Regards.

    Virus Database version: 8195

    ===== ADDITIONAL KEYWORDS =====
    ESET fix
    ESET box, mara-fix
    ESET mara-fix
    box, mara-fix
    box, mara-fix 1.6
    box, mara-fix 1.7
    box, mara-fix v1.6
    box, mara-fix v1.7
    mara-fix
    mara-fix 1.6
    mara-fix 1.7
    mara-fix v1.6
    mara-fix v1.7
  5. In the news, Boeing (an aircraft maker) has been "targeted by a WannaCry virus attack". Phrased this way, it's implausible. There are no new attacks targeting people with WannaCry. There is either no WannaCry, or it's simply a continuation of the attack from a year ago.

    It's possible what happened is that an anti-virus product called a new virus "WannaCry". Virus families are often related, and sometimes a distant relative gets called the same thing. I know this watching the way various anti-virus products label my own software, which isn't a virus, but which virus writers often include with their own stuff. The Lazarus group, which is believed to be responsible for WannaCry, have whole virus families like this. Thus, just because an AV product claims you are infected with WannaCry doesn't mean it's the same thing that everyone else is calling WannaCry.

    Famously, WannaCry was the first virus/ransomware/worm that used the NSA ETERNALBLUE exploit. Other viruses have since added the exploit, and of course, hackers use it when attacking systems. It may be that a network intrusion detection system detected ETERNALBLUE, which people then assumed was due to WannaCry. It may actually have been an nPetya infection instead (nPetya was the second major virus/worm/ransomware to use the exploit).

    Or it could be the real WannaCry, but it's probably not a new "attack" that "targets" Boeing. Instead, it's likely a continuation from WannaCry's first appearance. WannaCry is a worm, which means it spreads automatically after it was launched, for years, without anybody in control. Infected machines still exist, unnoticed by their owners, attacking random machines on the Internet. If you plug an unpatched computer into the raw Internet, without the benefit of a firewall, it'll get infected within an hour.

    However, the Boeing manufacturing systems that were infected were not on the Internet, so what happened?

    The narrative from the news stories implies some nefarious hacker activity that "targeted" Boeing, but that's unlikely. We now have over 15 years of experience with network worms getting into strange places disconnected and even "air gapped" from the Internet.

    The most common reason is laptops. Somebody takes their laptop to some place like an airport WiFi network, and gets infected. They put their laptop to sleep, then wake it again when they reach their destination, and plug it into the manufacturing network. At this point, the virus spreads and infects everything. This is especially the case with maintenance/support engineers, who often have specialized software they use to control manufacturing machines, for which they have a reason to connect to the local network even if it doesn't have useful access to the Internet. A single engineer may act as a sort of Typhoid Mary, going from customer to customer, infecting each in turn whenever they open their laptop.

    Another cause for infection is virtual machines. A common practice is to take "snapshots" of live machines and save them to backups. Should the virtual machine crash, instead of rebooting it, it's simply restored from the backed up running image. If that backup image is infected, then bringing it out of sleep will allow the worm to start spreading.

    Jake Williams claims he's seen three other manufacturing networks infected with WannaCry. Why does manufacturing seem more susceptible? The reason appears to be the "killswitch" that stops WannaCry from running elsewhere. The killswitch uses a DNS lookup, stopping itself if it can resolve a certain domain. Manufacturing networks are largely disconnected from the Internet enough that such DNS lookups don't work, so the domain can't be found, so the killswitch doesn't work. Thus, manufacturing systems are no more likely to get infected, but the lack of a killswitch means the virus will continue to run, attacking more systems instead of immediately killing itself.

    One solution to this would be to set up sinkhole DNS servers on the network that resolve all unknown DNS queries to a single server that logs all requests. This is trivially set up with most DNS servers. The logs will quickly identify problems on the network, as well as any hacker or virus activity. The side effect is that it would make this killswitch kill WannaCry. WannaCry isn't sufficient reason to set up sinkhole servers, of course, but it's something I've found generally useful in the past.

    Conclusion

    Something obviously happened to the Boeing plant, but the narrative is all wrong. Words like "targeted attack" imply things that likely didn't happen. Facts are so loose in cybersecurity that it may not have even been WannaCry. The real story is that the original WannaCry is still out there, still trying to spread. Simply put a computer on the raw Internet (without a firewall) and you'll get attacked. That, somehow, isn't news. Instead, what's news is whenever that continued infection hits somewhere famous, like Boeing, even though (as Boeing claims) it had no important effect.

    Source
  6. Some viruses produce insulin-like hormones that can stimulate human cells -- and have potential to cause disease

    Scientists have identified four viruses that can produce insulin-like hormones that are active on human cells.

    Every cell in your body responds to the hormone insulin, and if that process starts to fail, you get diabetes. In an unexpected finding, scientists at Joslin Diabetes Center have identified four viruses that can produce insulin-like hormones that are active on human cells. The discovery brings new possibilities for revealing biological mechanisms that may cause diabetes or cancer.

    "Our research may help open up a new field that we might call microbial endocrinology," says Emrah Altindis, PhD, a Joslin research fellow and lead author on a paper in the journal PNAS on the work. "We show that these viral insulin-like peptides can act on human and rodent cells. With the very large number of microbial peptides to which we are exposed, there is a novel window for host-microbe interactions. We hope that studying these processes will help us to better understand the role of microbes in human disease."

    "Indeed, the discovery of the viral insulin-like hormones raises the question of what their role might be in diabetes, as well as autoimmune disease, cancer and other metabolic conditions," says C. Ronald Kahn, MD, Joslin's chief academic officer and senior author on the paper.

    The key idea for the investigation came when Altindis, whose previous research focused on creating vaccines against bacteria, attended a Joslin seminar that discussed potential causes of the autoimmune reaction that drives type 1 diabetes. He began to hypothesize whether bacteria or viruses could create insulin-like peptides (small versions of proteins) that could help to trigger the disease.

    By analyzing large public research databases that hold viral genomic sequences, he and his colleagues at Joslin found that various viruses can produce peptides that are similar in whole or in part to 16 human hormones and regulatory proteins.

    "What really caught our attention were four viruses that had insulin-like sequences," says Kahn, who is also the Mary K. Iacocca Professor of Medicine at Harvard Medical School. These viruses were from a family of viruses known to infect fish.

    To find out if they could be active in mammals, the Joslin team collaborated with Richard DiMarchi, professor of chemistry at Indiana University, whose lab chemically synthesized these viral insulin-like peptides (VILPs). Experimenting in mouse and human cells, the scientists studied whether the VILPs could act like hormones. Their experiments proved that the VILPs could indeed bind to human insulin receptors and receptors for a closely related hormone called IGF-1 (insulin-like growth factor 1). These are the critical proteins on the cells that tell them to take up glucose and to grow. Additionally, the peptides could stimulate all of the signaling pathways inside the cells that were stimulated by human insulin and IGF-1. And mice injected with the viral peptides exhibited lower levels of blood glucose, another sign of insulin action.

    Moreover, analysis of databases of viruses found in the human intestine showed evidence that humans are exposed to these viruses. "These viruses are definitely known to infect fish and amphibians, but they are not known to infect humans," Kahn points out. "However, it's possible that humans get exposed to these viruses through just eating fish. Nobody has checked directly whether under some conditions the viruses could either infect cells or be at least partly absorbed through the gut intestine."

    The scientists now will broaden their search for other viruses that produce human-like hormones. "This finding is the tip of an iceberg," Kahn says. "There are thought to be more than 300,000 viruses that can infect or be carried in mammals, and only 7,500 or so of these, or about 2.5%, have been sequenced. Thus, we certainly expect to find many more viral hormones, including more viral insulins, in the future."

    "This research also opens up a new aspect to study in type 1 diabetes and autoimmunity," he says. "It may be that these or similar microbial insulin-like molecules could be an environmental trigger to start the autoimmune reaction in type 1 diabetes. On the other hand, you could also imagine that this might desensitize the immune response and could be protective."

    A similar question is open for metabolic diseases such as type 2 diabetes and obesity, in which the body fails to respond properly to insulin. "You could envision that these viral peptides could either protect from or contribute to insulin resistance," Kahn says.

    These or similar viruses might also be a factor in certain human cancers. "If these viruses are inside the gut, could the VILPs they produce stimulate growth of gut cells so that you get polyps or tumors of the gut?" Kahn asks. "Or if they're absorbed or become infectious, could they infect any organ in the body?"

    Analyzing such viral peptides may eventually help drug companies to design new forms of synthesized human insulins. "We might be able to learn something, for example, about making insulins that don't need refrigeration and can be stored for long periods of time, or insulins that are absorbed more quickly or degrade more slowly," he suggests.

    Given Altindis's earlier research on infectious disease rather than in endocrinology, "our discovery gives an example of how work in one field can stimulate thought in another field," Kahn adds. "It really underlines the importance of cross-fertilization in the scientific discovery process, which is so valuable but so underappreciated."

    SOURCE
  7. FIREBALL – The Chinese Malware of 250 Million Computers Infected

    An invasive form of malware believed to be attached to a Chinese firm could spell "global catastrophe," according to the cybersecurity firm that discovered it. The software has the power to gain near-complete control of targets, including spying on files.

    Dubbed Fireball, the malware was found by researchers at Check Point Security. The team said its purpose is to hijack web traffic to generate fraudulent ad revenue. It also includes remote control features for downloading more malware in the future.

    Fireball has already infected over 250 million computers worldwide. When it embeds itself into a machine, it takes control of the web browsers and "turns them into zombies." The browsers end up acting on Fireball's behalf. While it's currently relatively innocuous, focusing on installing plugins to increase ad distribution, Check Point warned it could easily be modified to be more sinister.

    Because Fireball is so powerful, it can be expected it will soon be used as the basis of more serious attacks. It can execute any code it desires on the user's machine, allowing it to steal files, spy on login activity and download additional malware. Although it's currently seeing use only as a browser hijacker for money-making purposes, Check Point explained that the potential is there to do much more.

    "How severe is it? Try to imagine a pesticide armed with a nuclear bomb," the company said. "Yes, it can do the job, but it can also do much more."

    Fireball was created by a Chinese firm called Rafotech. It is believed it has managed to infect so many machines worldwide because it frequently comes bundled with other applications. Users inadvertently install the software by blindly clicking through prompts from other apps. Check Point said that Rafotech "carefully walks along the edge of legitimacy." The company purports to offer search and marketing services but many of its products appear to be fake or hijacking tools. In a curious coincidence, Rafotech's website proudly advertises that it reaches "300 million users," a similar figure to Fireball's global reach.

    According to Check Point, Rafotech has the capability to "initiate a global catastrophe." If the company chose to use all of its software's capabilities, it could extract data from over 250 million PCs worldwide. Around 20% of the total Fireball installations are on corporate networks. It would be able to steal and sell sensitive documents, banking details and medical files. If it wanted, it could instruct Fireball to download ransomware utilities, allowing it to extort money from businesses around the globe.

    Even if Rafotech itself remains content to settle in the grey area of shady bundled software, there are already many similar browser hijackers in existence. Check Point found that Beijing-based ELEX Technology produces a series of products that may be related to Fireball. It is suspected that ELEX Technology and Rafotech are in some way related. Even if they're not directly under the same leadership, they appear to be aiding each other's distribution of browser hijacking utilities. This suggests there are at least two collaborators with potentially unhindered access to a quarter of a billion computers worldwide.

    Check Point said Fireball represents a "great threat" to global cybersecurity and could be the largest infection campaign in history. While its current intentions don't appear to be strongly malicious, there's nothing stopping its creators from embarking on a very different campaign. The distribution also presents other risks – if external hackers obtained the software, they could republish it themselves and unlock all its capabilities.

    Article source
  8. In this week's Tales From Ransomware, we take a look at a ransomware that isn't really ransomware. Nor even malware. But it can hijack your server anyway.

    A few days ago we saw a typical Remote Desktop Protocol (RDP) attack, which led us to believe that it was a similar attack to the one we told you about a few months ago which cybercriminals are using to infect devices with ransomware. But we were very wrong. First of all because instead of encrypting data, it locks the desktop with a password that the victim doesn't know. Secondly, it does not demand a ransom (!) in exchange for the credential, but rather seeks to keep the device locked for as long as possible so that it can be used for bitcoin mining for as long as possible. And thirdly, it doesn't use malware as such.

    Once they've gained access to your machine by brute force (this particular server was fielding 900 attempts daily) the attacker copies a file called BySH01.zip. This in turn contains:

    • BySH01.exe (executable through AutoIt)
    • 7za.exe (goodware, the well-known free tool 7zip)
    • tcping.exe (goodware, a tool for performing TCP pings)
    • MW_C.7z (a compressed password-protected file), which contains:
      • An application (goodware) for bitcoin mining
      • An application (goodware) for blocking the Windows desktop

    The attacker runs the BySH01.exe file, and the following interface appears:

    • Кошелек – Wallet
    • Имя воркера – User Name
    • Количество ядер – Number of cores
    • Пароль – Password
    • Локация – Location
    • Пусть установки – Installation path
    • Расширения системы – Processor Extension
    • Порт – Port
    • Добавить в автозагрузку – Add to startup
    • Установить – Install
    • Удалить – Delete
    • Тест – Test
    • Пинг – Ping
    • Локер – Locker

    With the help of our colleagues at Panda Russia, those of us who don't know Russian can get an approximate idea of what it's telling us with the above word list. Basically, the bitcoin mining application uses this interface to configure how many cores to use, what extension of processor instructions to use, what "wallet" to send the bitcoins to, etc.

    Once the desired configuration is selected, the attacker clicks on Установить to install and run the bitcoin mining application. The application is called CryptoNight, which was designed for mining bitcoins using CPUs. Then they click on Локер, which installs and runs the desktop lock application. It is the commercial application Desktop Lock Express 2, modified only so that the information shown in the properties of the file is the same as that of the system file svchost.exe. Finally it clears all the files used in the attack except CryptoNight and Desktop Lock Express 2.

    Desktop Lock Express 2, the application used by the attackers.

    We detected and blocked several attacks in different countries. Examples such as this one show how, once again, cybercriminals take advantage of weak passwords that can be guessed using the brute force method over a given period of time. Malware is no longer necessary to gain access to the system, so it's up to you to use a robust password that will keep out unwanted visitors.

    Tips for the System Admin

    In addition to using a solution like Adaptive Defense, which detects and prevents this kind of attack, a couple of tidbits of advice for all administrators who have to have an open RDP:

    • Configure it to use a non-standard port. What 99.99% of cybercriminals do is track all of the Internet on TCP and UDP port 3389. They might bother to track others, but they do not have to, since most do not change these ports. Those who do change ports do so because they are careful about security, which probably means that their credentials are already complex enough to not be gotten by brute force within any reasonable amount of time.
    • Monitor failed RDP connection attempts. Brute force attacks can easily be identified in this way, since they use automated systems and can be seen making a new attempt every few seconds.

    Article source
  9. Malwarebytes 3.0.6

    Overview: 4x stronger, 4x faster

    Our engineers have now made your best defense against advanced threats even better. Malwarebytes 3.0 now offers four malware-fighting modules:

    • Anti-malware
    • Anti-ransomware
    • Anti-exploit
    • Malicious website protection

    You have all the best Malwarebytes detection, protection, and malware-removal in one tight package. Stop paying for your old, clunky antivirus.

    Product Page & Comparison: https://www.malwarebytes.com/premium/

    Free features
    • Anti-malware/Anti-spyware: Detects and removes malware and advanced threats.
    • Anti-rootkit: Removes rootkits and repairs the files they damage.

    Premium features
    • Real-time protection: Detects malware automatically, before it can infect.
    • Anti-exploit: Shields vulnerable systems and software from exploit attacks.
    • Anti-ransomware: Stops ransomware attacks before your data is held hostage.
    • Malicious website protection: Prevents access to and from known malicious webpages.

    Changelog: https://forums.malwarebytes.com/topic/194279-malwarebytes-306-release-preview-now-available/

    Performance/protective capability
    • Several improvements to malware detection and remediation capabilities
    • Several performance improvements, including improving startup time, improving shutdown time on Windows 7, addressing memory leaks and reducing CPU usage after a scan has completed
    • Added MS Publisher as a default Protected Application for anti-exploit protection

    Usability
    • Fixed issue where a previously activated Premium license could be dropped incorrectly
    • Fixed issue where Malwarebytes version information would revert to default values of 3.0.0 in certain cases, such as when coming back from minimal safe mode
    • Fixed issue where 'Real-Time Protection turned off' notifications would display incorrectly on initial startup
    • Fixed problem where the 'Check for updates every' setting would get stuck at 14 days after changing frequency to 'Days'
    • Fixed Help question marks throughout the main user interface so that they work when clicked

    Stability/issues fixed
    • Addressed several crashes and blue screens, including the BSOD that could occur with Web Protection on Windows Insider Previews
    • Fixed the issue with Exploit Protection that caused Edge to crash/hang on Windows Insider Previews
    • Fixed issue when Exploit Protection was enabled that caused PowerPoint to not load
    • Fixed conditions that could lead to an 'Unable to connect to service' error
    • Fixed issue where exclusions did not work properly when there were associated threat traces detected
    • Fixed issue where Web Protection would not start up properly
    • Fixed numerous scan hangs or crashes, including one that could occur during the heuristics phase
    • Numerous other fixes to improve overall program stability and usability

    The one notable issue that was not able to be included in this release was a problem with imaging programs (such as Macrium Reflect) where large artifact files are left in System Volume Information if a backup is created with anti-ransomware protection enabled. That one should be coming soon after this release!

    gHacks Review Article: Malwarebytes 3.0: new all-in-one protection

    Downloads: https://malwarebytes.box.com/s/nlda32e9t259ct2pt9r0h2a111iz2lvg - [Size: 52.9 MB]
  10. Malwarebytes 3.0 Final Stable

    Overview: 4x stronger, 4x faster

    Our engineers have now made your best defense against advanced threats even better. Malwarebytes 3.0 now offers four malware-fighting modules: Anti-malware, Anti-ransomware, Anti-exploit and Malicious website protection. You have all the best Malwarebytes detection, protection, and malware removal in one tight package. Stop paying for your old, clunky antivirus.

    Product Page & Comparison: https://www.malwarebytes.com/premium/

    Free features
    - Anti-malware/Anti-spyware: Detects and removes malware and advanced threats.
    - Anti-rootkit: Removes rootkits and repairs the files they damage.

    Premium features
    - Real-time protection: Detects malware automatically, before it can infect.
    - Anti-exploit: Shields vulnerable systems and software from exploit attacks.
    - Anti-ransomware: Stops ransomware attacks before your data is held hostage.
    - Malicious website protection: Prevents access to and from known malicious webpages.

    Changelog: https://www.malwarebytes.com/support/releasehistory/#malwarebytes-premium

    Performance/protective capability
    - Added signature-less anti-exploit and anti-ransomware protection (Premium only)
    - Up to 4x faster scan speeds, including even quicker Hyper Scans
    - Removed non-essential reboots after certain malware removal events
    - Advanced heuristic engine (Shuriken) now enabled by default
    - Self-protection now enabled by default (Premium only)

    Usability
    - Redesigned user interface for improved user experience
    - Now configurable to integrate with Windows Action Center/Windows Security Center (Premium only)
    - Update checks are done automatically so they don’t need to be scheduled
    - Improved support for keyboard navigation and screen readers

    Stability/issues fixed
    - Added ability to lock down My Account screen via User Access Policy
    - Added ability to collect enhanced logs when directed to do so by support
    - Fixed issue where Scheduler did not adjust for Daylight Saving Time
    - Fixed issue where Scheduler defaulted to hourly Threat Scan instead of daily
    - Fixed issue where Chameleon reported error messages numerous times to Windows Event Viewer
    - Changed “Recover if missed by” setting in Scheduler to “Off” by default
    - Prevented rootkit scanning in Custom Scans if full system drive is not selected
    - Updated to latest version of 7-Zip DLL
    - Addressed other miscellaneous defects

    gHacks Review Article: Malwarebytes 3.0: new all-in-one protection

    Downloads: https://downloads.malwarebytes.com/file/mb3/ or https://data-cdn.mbamupdates.com/web/mb3-setup-consumer- - [Size: 49.6 MB]
  11. Website spreading Gatak-infected keygens (via Symantec)

    Websites offering free keygens for various enterprise software applications are helping crooks spread the Gatak malware, which opens backdoors on infected computers and facilitates attacks on a company's internal network, or the theft of sensitive information.

    Gatak is a backdoor trojan that first appeared in 2012. Another name for this threat is Stegoloader, and its main distinctive feature is its ability to communicate with its C&C servers via steganography.

    Gatak relies on steganography to stay hidden

    Steganography is the technique of hiding data in plain sight. In the world of cyber-security, steganography is the practice of hiding malicious code, commands, or malware configuration data inside PNG or JPG images.

    The malware, in this case Gatak, connects to its online C&C server and requests new commands. Instead of receiving HTTP network requests, for which all security software knows to be on the lookout, the data is sent as an innocuous image, which looks like regular web traffic. The malware reads the image's hidden data and executes the command, all while the local antivirus thinks the user has downloaded an image off the Internet.

    Keygens for enterprise software spreading Gatak

    Security firm Symantec says it uncovered a malware distribution campaign that leverages a website offering free keygens for various applications such as:
    - SketchList3D - woodworking design software
    - Native Instruments Drumlab - sound engineering software
    - BobCAD-CAM - metalworking/manufacturing software
    - BarTender Enterprise Automation - label and barcode creation software
    - HDClone - hard disk cloning utility
    - Siemens SIMATIC STEP 7 - industrial automation software
    - CadSoft Eagle Professional - printed circuit board design software
    - PremiumSoft Navicat Premium - database administration software
    - Originlab Originpro - data analysis and graphing software
    - Manctl Skanect - 3D scanning software
    - Symantec System Recovery - backup and data recovery software

    All of the above are specialized apps, deployed in enterprise environments. The group behind this campaign is specifically targeting users that use these applications at work, but without valid licenses, in the hopes of infecting valuable targets they could hack, steal data from, and possibly sell it on the underground.

    Keygens don't work, they just infect users with Gatak

    The keygens distributed via this website aren't even fully working tools. They just produce a random string of characters, but their purpose is to trick the user into executing the keygen binary just once, enough to infect the victim.

    The hackers are picky about the companies they target, because the security firm has seen second-stage attacks on only 62% of all infected computers. Attackers use Gatak to gather basic information about targets and, if they deem them valuable, deploy other malware at later stages.

    In some cases, the hackers also resort to lateral movement on the victim's network, with the attackers manually logging into the compromised PC. Attacks aren't sophisticated, and the hackers only take advantage of weak passwords inside the local network. Symantec says it didn't detect any zero-days or automated hacking tools employed when hackers have attempted to infect other devices on the local network.

    Gatak infections per industry vertical (via Symantec)

    Telemetry data shows that 62% of all Gatak infections have been found on computers on enterprise networks. Most of these attacks have targeted the healthcare sector, but it doesn't appear that hackers specifically targeted this industry vertical, as other companies in other verticals were also hit. Attackers might have opted to focus more on healthcare institutions because these organizations usually store more in-depth user data they can steal, compared to the automotive industry, gambling, education, construction, or others.

    "In some cases, the attackers have infected computers with other malware, including various ransomware variants and the Shylock financial Trojan," Symantec notes in a report. "They may be used by the group when they believe their attack has been uncovered, in order to throw investigators off the scent."

    Article source
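The post above explains that Gatak receives its commands inside image files rather than in HTTP traffic that security tools watch for. The following is an added example written for this page (not Symantec's code and not part of the original post) of a defensive triage check a responder can run over PNG files pulled from a proxy cache: it walks the chunk list, verifies each chunk CRC, flags non-standard chunk types, reports bytes appended after IEND, and compares the decompressed IDAT size with the size the IHDR dimensions imply. The `build_sample_png` helper and the function names are assumptions made for the example; it constructs a tiny 1x1 PNG purely as test input.

```python
"""Added example (not from the article): sanity checks for PNG files that may
carry appended or embedded data, as a defensive triage step."""
import math
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is worth a look.
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt",
                b"tIME", b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"pHYs",
                b"sBIT", b"tRNS", b"hIST", b"sPLT"}
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel


def _chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(idat_padding=b"", trailing=b""):
    """Constructed 1x1 8-bit grayscale PNG used only as test input here.
    idat_padding is extra data hidden inside the compressed stream, trailing is
    data appended after IEND; both empty gives a clean file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    raw = b"\x00\x00" + idat_padding  # filter byte + one pixel (+ padding)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"") + trailing)


def inspect_png(data):
    """Walk the chunk list and report anomalies a steganographic carrier may show."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    findings, chunks, idat, ihdr = [], [], b"", None
    pos, saw_iend = len(PNG_SIGNATURE), False
    while pos + 12 <= len(data):
        length, = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length:
            findings.append("truncated chunk %r" % ctype)
            break
        stored, = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored:
            findings.append("bad CRC on chunk %r" % ctype)
        if ctype not in KNOWN_CHUNKS:
            findings.append("non-standard chunk %r (%d bytes)" % (ctype, length))
        chunks.append((ctype, length))
        if ctype == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", body)
        elif ctype == b"IDAT":
            idat += body
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            break
    if not saw_iend:
        findings.append("missing IEND chunk")
    trailing = len(data) - pos
    if trailing:
        findings.append("%d bytes after IEND" % trailing)
    # For non-interlaced images the raw scanline data has a fixed, predictable size.
    if ihdr and ihdr[6] == 0 and ihdr[3] in CHANNELS:
        width, height, depth, colour = ihdr[0], ihdr[1], ihdr[2], ihdr[3]
        row = 1 + math.ceil(width * CHANNELS[colour] * depth / 8)
        try:
            actual = len(zlib.decompress(idat))
        except zlib.error:
            findings.append("IDAT is not a valid zlib stream")
        else:
            if actual != row * height:
                findings.append("IDAT decompresses to %d bytes, expected %d"
                                % (actual, row * height))
    return {"chunks": chunks, "trailing_bytes": trailing, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_png()),
                          ("appended", build_sample_png(trailing=b"hidden")),
                          ("padded IDAT", build_sample_png(idat_padding=b"X" * 40))):
        print(label, inspect_png(sample)["findings"])
```

These checks catch the crude carriers (data appended after IEND, payload stuffed into the zlib stream, private chunks); they do not detect data hidden in the pixel values themselves, which needs statistical analysis of the decoded image rather than structural checks.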
  12. A new spam wave posing as emailed fax messages is delivering a malware downloader that fetches and installs a ransomware family known as PClock, a CryptoLocker clone.

    The ransomware, detected by Microsoft as Ransom:Win32/WinPlock.B or WinPlock, is more commonly referred to under the name of PClock and has been going around since January 2015, when users first complained about it on the Bleeping Computer forums.

    Emsisoft security researcher Fabian Wosar was able to create a decrypter for the earlier versions that allowed users to unlock their files for free. By May 2015, the PClock team updated their code and broke the decrypter. After that point, PClock victims could only restore their files from backup files or by paying the ransom.

    PClock resurfaces with new spam wave

    Since then, the number of infections with PClock has been low but steady. Microsoft's security team recently picked up a spike in activity from the group's operators. In their most recent spam campaign, the ransomware's creators are using emails disguised as fax messages, using a subject such as "PLEASE READ YOUR FAX T6931." The title is boring and mundane, but the email contains a file named "Criminal case against you," which might get some users' attention.

    PClock installed via Crimace trojan

    This RAR archive contains a WSF file. When users download and open the archive, and execute the WSF file, a JScript function starts a series of operations that download and install a malware known as Crimace, detected as TrojanDownloader:JS/Crimace.A. This threat is a malware downloader, a trojan that connects to an online server and downloads and runs other malware. In this case, it was PClock.

    If we take a look at the screenshots posted on the Bleeping Computer forums in January 2015, and the screenshots taken by Microsoft, we see that PClock hasn't evolved, at least visually, at all.

    PClock January 2015 variant
    PClock November 2016 variant (Source: Microsoft)

    The ransomware has remained at the same level of sophistication, still posing as a CryptoLocker clone, even if other more dangerous ransomware families have emerged in the meantime.

    PClock still an entry-level operation

    Furthermore, PClock's operators have yet to figure out how to host a decryption service on the Dark Web, the standard method for dealing with decryption operations, preferred by most high-end ransomware threats. After almost two years in the wild, PClock has remained an entry-level operation, requiring victims to get in contact with PClock's authors via email, a cumbersome and time-consuming task.

    The only thing that has changed is the number of targeted files. Initial PClock variants targeted only 100+ file types for encryption, while the most recent variant targets a whopping 2,630 file types.

    Article source
  13. Batu69

    Next-Gen Ransomware

    The one thing about cybercriminals is that they are persistent and always find a new way to attack. And they tend to improve themselves to stay ahead of cyber defenders. Recently we received one malware sample and the infected PC too. So we took a look at the malware sample. At first, we thought this was just another variant of ransomware, but after doing some analysis, we found that this malware does not encrypt any files but still asks for a ransom. Below are the pictures of the ransom note.

    Most of the previous ransomware notes include encryption methods, the deadline to decrypt the files, a bitcoin address for payment etc. But this ransom note is different and has the title “Notice of Imposition of File”. This ransom note looks like a notice sent from a federal office and has the following notices:
    - Materials that Violate the Intellectual Property Right
    - Suspicious Activity

    After reading the note, we can come to the conclusion that this note carries a threatening message to the victim to pay the fine to settle the pre-trial within 24 hours, with the following note: “You must pay penalty within 24 hours to settle the case out of court. In case of failure to comply claims” ALL COLLECTED DATA WILL BE MADE PUBLIC AND THE CASE GOES TO THE TRIAL.

    And this note also provides all the details of the victim, which include:
    - Name
    - Birthday
    - Phone
    - Email
    - Location Area
    - Skype Account Details
    - Facebook Account Details
    - Linkedin Account Details
    - IP Address
    - CPU Details
    - System Details
    - PC Name
    - Username

    And the note contains the victim's images from Facebook, LinkedIn, and pictures taken from the webcam. And when victims click the payment options, they are taken to the payment page, where victims are requested to fill in their basic details and their credit card details.

    In short, when this malware infects the PC, it will collect all the data of the victim, even capture a picture from the webcam, and create a ransom note which I described above, and threaten the victim to pay the ransom or they will leak their private data in public.

    More About This Malware

    This malware is distributed via Nuclear Exploit Kit, and users become victims when they visit a compromised WordPress website which redirects to the Nuclear Exploit Kit server. To spread this malware, we have identified one IP that has been used by cybercriminals.

    Analyzed Samples
    d5738a0199b58a754b03980349a66b89

    Behavioural Analysis

    After being deployed, the malware disappears and runs via a dropped copy from the hidden folder created in C:\Users\Username\AppData\Local\Temp\Low. It also creates a link to the dropped malware in \AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup. And it also drops other files:
    - z32jwcdbdaz7ab52tyxhr7x2smatqp2k
    - zqweejj6blyvyxxq4da4rzvh3un5pzvv.exe
    - __config3271.bat

    And then this malware starts to talk with the Command and Control (C&C) server. We have identified two C&C servers. When the victim PC starts to communicate with the C&C, the malware starts to collect data from the victim PC which can be used for the ransom note. After the data is collected to create a ransom note, the malware becomes active to lock the screen with the ransom note. The following picture shows the malware process running in the background.

    And when a victim sends the requested ransom to the cyber criminals, the request is sent to the crooks' server via a secure communication (TLS). The server IP is which is behind the TOR.

    Find the Malware Analysis details here: https://malwr.com/analysis/MGVjYmJjY2I4ZTMwNDMwOWE5MDkzMWFmZTk5MDE4YTI/

    This malware has evolved to another level and has become the next-generation ransomware.

    How to Protect yourself from malware?
    - Install Anti-Virus/Malware Software.
    - Keep Your Anti-Virus Software Up to Date.
    - Run Regularly Scheduled Scans with Your Anti-Virus Software.
    - Use an updated version of your Operating System.
    - Back up your files.
    - Think Before you click.
    - Use a Strong Password with two-step verification.
    - Cover up your webcam.

    Article source
  14. Dmitry Ponomarev, professor of computer science at Binghamton University, State University of New York, is the principal investigator of a project titled 'Practical Hardware-Assisted Always-On Malware Detection.' Credit: Jonathan Cohen/Binghamton University

    Fighting computer viruses isn't just for software anymore. Binghamton University researchers will use a grant from the National Science Foundation to study how hardware can help protect computers too.

    "The impact will potentially be felt in all computing domains, from mobile to clouds," said Dmitry Ponomarev, professor of computer science at Binghamton University, State University of New York. Ponomarev is the principal investigator of a project titled "Practical Hardware-Assisted Always-On Malware Detection."

    More than 317 million pieces of new malware—computer viruses, spyware, and other malicious programs—were created in 2014 alone, according to work done by Internet security teams at Symantec and Verizon. Malware is growing in complexity, with crimes such as digital extortion (a hacker steals files or locks a computer and demands a ransom for decryption keys) becoming large avenues of cyber attack.

    "This project holds the promise of significantly impacting an area of critical national need to help secure systems against the expanding threats of malware," said Ponomarev. "[It is] a new approach to improve the effectiveness of malware detection and to allow systems to be protected continuously without requiring the large resource investment needed by software monitors."

    Countering threats has traditionally been left solely to software programs, but Binghamton researchers want to modify a computer's central processing unit (CPU) chip—essentially, the machine's brain—by adding logic to check for anomalies while running a program like Microsoft Word. If an anomaly is spotted, the hardware will alert more robust software programs to check out the problem.

    The hardware won't be right about suspicious activity 100 percent of the time, but since the hardware is acting as a lookout at a post that has never been monitored before, it will improve the overall effectiveness and efficiency of malware detection.

    "The modified microprocessor will have the ability to detect malware as programs execute by analyzing the execution statistics over a window of execution," said Ponomarev. "Since the hardware detector is not 100-percent accurate, the alarm will trigger the execution of a heavy-weight software detector to carefully inspect suspicious programs. The software detector will make the final decision. The hardware guides the operation of the software; without the hardware the software will be too slow to work on all programs all the time."

    The modified CPU will use low-complexity machine learning—the ability to learn without being explicitly programmed—to classify malware from normal programs, which is Yu's primary area of expertise.

    "The detector is, essentially, like a canary in a coal mine to warn software programs when there is a problem," said Ponomarev. "The hardware detector is fast, but is less flexible and comprehensive. The hardware detector's role is to find suspicious behavior and better direct the efforts of the software."

    Much of the work—including exploration of the trade-offs of design complexity, detection accuracy, performance and power consumption—will be done in collaboration with former Binghamton professor Nael Abu-Ghazaleh, who moved on to the University of California-Riverside in 2014. Lei Yu, associate professor of computer science at Binghamton University, is a co-principal investigator of the grant.

    Grant funding will support graduate students that will work on the project both in Binghamton and California, conference travel and the investigation itself. The three-year grant is for $275,000.

    Article source
    Other source: These researchers are modifying CPUs to detect security threats
  15. While it is not uncommon to find malware or code on Pastebin, it is a surprise to find a dropper that downloads the payload from Pastebin on the fly. The payload has turned out to be a RAT with keylogger capabilities.

    The dropper

    The dropper is not much more than an adaptable package to deliver the actual payload. This one is called VMWare.exe and the first screen of the installer pretends to be “WindowsInstall”. Although we are not entirely sure of its origin, this makes us consider a method of infection that is typical for sites offering cracks and keygens.

    The payload

    When we ran the sample, we noticed a connection to a specific Pastebin page. The code posted is a Visual Basic script that downloads and runs a file called Tempwinlogon.exe. The executable itself is posted in hexadecimal and reconstructed by the function in the script. We copied and altered the script to see where it puts the file. Don’t try this at home folks, at least not on a computer you need. Running unknown scripts that you happened to find somewhere isn’t always a good idea. The destination of the file turned out to be C:\Users\{username}\AppData\Local\Tempwinlogon.exe (on a system running Windows 7).

    The RAT

    This proved to be a .NET Trojan, detected by some vendors as Bladabindi, which is very similar to njRAT. It has keylogger functionality and connects to an IP in the 37.237.112.* range. The executable is copied to C:\Users\{username}\AppData\Roaming\Tr.exe and to C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\353cd7180c8c415bfffe6958aebb47d8.exe to gain persistence. If the running process (Tr.exe) is stopped (by using the Task Manager, for example), this results in an immediate BSOD as shown below:

    File details
    SHA1 VMWare.exe 45653c39e8201a0b3c469ae6208ad6f2ed9835a4
    SHA1 Tempwinlogon.exe b777b4c35ba0933f310b885a28e972c578a39922

    Detected by Malwarebytes Anti-Malware as Trojan.Agent.GenX.IPH. The Malwarebytes Website Protection Module blocks all traffic to the C2 server. A full removal guide can be found on our forums. Do consider changing your passwords though, if you have been infected with this RAT, since the passwords might have been compromised by this threat. After we reported this to Pastebin, the source page has been taken down.

    Summary

    A dropper we analyzed downloaded the code for part of its payload from Pastebin on the fly. The payload turned out to be a RAT with keylogging capabilities.

    Article source
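The post above describes a script that carries its executable payload as a long hexadecimal string and rebuilds it at run time. As an added example for this page (not Malwarebytes' code and not part of the original post), here is a small detector that a defender can run over pasted text, mail bodies or script files: it finds long runs of hex pairs, decodes them, and checks whether the result has the shape of a Windows PE image (an `MZ` header whose `e_lfanew` field points at the `PE\0\0` signature). Short hex strings such as file hashes are deliberately not matched. `find_hex_encoded_pe`, `looks_like_pe` and the `build_sample_pe_stub` fixture are names chosen for this example; the fixture is a constructed header stub, not a real program.

```python
"""Added example (not from the article): flag text that carries a hex-encoded
Windows executable, the delivery trick described in the post above."""
import re
import struct

# At least 64 consecutive byte pairs; hashes (20 or 32 pairs) stay below this.
HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}){64,}")


def looks_like_pe(blob):
    """True if blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew, = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_hex_encoded_pe(text):
    """Return (offset, decoded_length) for every hex run that decodes to a PE image."""
    hits = []
    for m in HEX_RUN.finditer(text):
        blob = bytes.fromhex(m.group())
        if looks_like_pe(blob):
            hits.append((m.start(), len(blob)))
    return hits


def build_sample_pe_stub():
    """Constructed stand-in for a PE header used only as test input: an MZ stub
    with e_lfanew = 0x40 followed by 'PE\\0\\0' and zero padding. Not a program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 60


# Constructed sample resembling a script that embeds its payload as hex text.
SAMPLE_PASTE = (
    "Dim s As String\n"
    's = "' + build_sample_pe_stub().hex() + '"\n'
    "' a 40-character hash such as " + "ab" * 20 + " must not be flagged\n"
)


if __name__ == "__main__":
    for offset, size in find_hex_encoded_pe(SAMPLE_PASTE):
        print("hex-encoded PE at text offset %d, %d bytes decoded" % (offset, size))
```

The check keys on structure rather than on a signature, so it survives re-encoding of the payload itself; it does not handle byte lists written as `0x4D,0x5A,...` or Base64, which need their own normaliser before the same `looks_like_pe` test is applied.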
  16. Microsoft Security Bulletins October 2016

    Microsoft Security Bulletins October 2016 provides you with an overview of all security and non-security patches Microsoft released in that month. Microsoft released updates for supported operating systems and other company products on today's patch day. This guide provides you with information on the patches and related information. It covers all security and non-security updates that Microsoft released, plus additional information and links that may prove useful.

    It begins with an executive summary highlighting the most important information about the October 2016 Patch day. This is followed by the list of affected Windows client and server operating systems, and other Microsoft products. The severity and number of updates is listed for each product so that you can see at first glance how products that you use are affected. What follows is the list of security bulletins, security advisories, and non-security updates that Microsoft released in October 2016. The last part lists download options, and links to additional resources.

    Executive Summary
    - Updates for Windows 7 and 8 are provided as monthly rollup patches instead of individual updates from this Patch day on. We covered this in detail, and suggest you check out this article for details.
    - Microsoft released a total of 10 security bulletins on the October 2016 Patch Day.
    - Five of the ten bulletins are rated with a maximum severity rating of critical (highest), the remaining five with a maximum severity rating of important (second highest).
    - All Microsoft client and server operating systems are affected by vulnerabilities.
    - Microsoft Silverlight, Microsoft .NET Framework, Microsoft Office, and various business products are affected as well.

    Operating System Distribution

    All client versions of Windows are affected by MS16-118, MS16-120 and MS16-122 critically. Windows 8.1, RT 8.1 and Windows 10 are furthermore affected by MS16-127 critically. Windows 10 on top of that is affected by MS16-119 critically. Windows 10 is also affected by MS16-126, rated important, which fixes issues in the Microsoft Internet Messaging API. MS16-119 is a cumulative security update for Microsoft Edge. MS16-127 updates the integrated Adobe Flash Player on those systems.
    - Windows Vista: 3 critical, 2 important, 1 moderate
    - Windows 7: 3 critical, 2 important, 1 moderate
    - Windows 8.1: 4 critical, 2 important
    - Windows RT 8.1: 4 critical, 2 important
    - Windows 10: 5 critical, 3 important
    - Windows Server 2008: 1 critical, 2 important, 1 moderate, 1 low
    - Windows Server 2008 R2: 1 critical, 2 important, 1 moderate, 1 low
    - Windows Server 2012 and 2012 R2: 1 critical, 2 important, 2 moderate
    - Server core: 1 critical, 3 important

    Other Microsoft Products
    - Microsoft .NET Framework Security Only Release: 1 important
    - Microsoft .NET Framework Monthly Rollup Release: 1 important
    - Skype for Business 2016: 1 important
    - Microsoft Lync 2010, 2013: 1 important
    - Microsoft Live Meeting 2007 Console: 1 important
    - Microsoft Silverlight: 1 important
    - Microsoft Office 2007, 2010: 2 important
    - Microsoft Office 2013, 2013 RT, 2016: 1 important
    - Microsoft Office for Mac 2011, 2016: 1 important
    - Microsoft Word Viewer: 2 important
    - Microsoft Office Compatibility Pack Service Pack 3: 2 important
    - Microsoft SharePoint Server 2010, 2013: 1 important
    - Microsoft Office Web Apps 2010, 2013: 1 important

    Security Bulletins (Red = critical)
    - MS16-118 -- Cumulative Security Update for Internet Explorer (3192887): This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
    - MS16-119 -- Cumulative Security Update for Microsoft Edge (3192890): This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge.
    - MS16-120 -- Security Update for Microsoft Graphics Component (3192884): This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Skype for Business, Silverlight, and Microsoft Lync.
    - MS16-121 -- Security Update for Microsoft Office (3194063): This security update resolves a vulnerability in Microsoft Office. An Office RTF remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle RTF files.
    - MS16-122 -- Security Update for Microsoft Video Control (3195360): This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Microsoft Video Control fails to properly handle objects in memory.
    - MS16-123 -- Security Update for Windows Kernel-Mode Drivers (3192892): This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.
    - MS16-124 -- Security Update for Windows Registry (3193227): This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker can access sensitive registry information.
    - MS16-125 -- Security Update for Diagnostics Hub (3193229): This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
    - MS16-126 -- Security Update for Microsoft Internet Messaging API (3196067): This security update resolves a vulnerability in Microsoft Windows. An information disclosure vulnerability exists when the Microsoft Internet Messaging API improperly handles objects in memory.
    - MS16-127 -- Security Update for Adobe Flash Player (3194343): This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

    Security advisories and updates

    Non-security related updates
    - KB3194798 -- Update for Windows 10 Version 1607 -- The update includes quality improvements according to Microsoft. The history lists various fixes for issues, as well as security updates released today. See this page for details.
    - KB3192392 -- Security only update for Windows 8.1 and Windows Server 2012 R2 -- Security updates to Microsoft Video Control, kernel-mode drivers, Microsoft Graphics Component, Windows registry, and Internet Explorer 11.
    - KB3185331 -- Monthly Rollup for Windows 8.1 and Windows Server 2012 R2 -- This security update includes improvements and fixes that were a part of update KB3185279 (released September 20, 2016) and also all security updates of KB3192392.
    - KB3192391 -- Security only update for Windows 7 SP1 and Windows Server 2008 R2 SP1 -- Security updates to Windows authentication methods, Internet Explorer 11, Microsoft Graphics component, Microsoft Video Control, kernel-mode drivers, Windows registry, and Microsoft Internet Messaging API.
    - KB3185330 -- Monthly Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1 -- This security update includes improvements and fixes that were a part of update KB3185278 (released September 20, 2016), and also resolves the security updates listed under KB3192391.
    - KB3191208 -- Update for Windows 10 Version 1511 -- Can't install Windows servicing updates in Windows 10 Version 1511.
    - KB3197099 -- Dynamic Update for Windows 10 Version 1607 -- Compatibility update for upgrading to Windows 10 Version 1607: October 11, 2016.
    - KB890830 -- Windows Malicious Software Removal Tool - October 2016.
    - KB2952664 -- Update for Windows 7 -- Compatibility update for upgrading Windows 7. See this article for details.
    - KB2976978 -- Update for Windows 8.1 -- Compatibility update for Windows 8.1 and Windows 8. See this article for details.
    - KB3192665 -- Update for Internet Explorer -- ActiveX installation that uses AXIS fails after you install MS16-104.
    - KB3063109 -- Update for Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 7, and Windows Server 2008 R2 -- Hyper-V integration components update for Windows virtual machines that are running on a Windows 10-based host.
    - KB3177467 -- Update for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 -- Servicing stack update for Windows 7 SP1 and Windows Server 2008 R2 SP1: September 20, 2016.
    - KB3179930 -- Reliability Rollup for Microsoft .NET Framework 4.5.2, 4.6 and 4.6.1 on Windows 7 and Windows Server 2008 R2.
    - KB3179949 -- Reliability Rollup for Microsoft .NET Framework 4.5.2 and 4.6 on Vista and Server 2008.
    - KB3181988 -- Update for Windows 7 and Windows Server 2008 R2 -- SFC integrity scan reports and fixes an error in the usbhub.sys.mui file in Windows 7 SP1 and Windows Server 2008 R2 SP1.
    - KB3182203 -- Update for Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows Embedded 8 Standard, Windows Server 2012, Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista, and Windows XP Embedded -- September 2016 time zone change for Novosibirsk.
    - KB3184143 -- Update for Windows 8.1 and Windows 7 -- Remove software related to the Windows 10 free upgrade offer.
    - KB3184951 -- Reliability Rollup for Microsoft .NET Framework 4.5.2 on Windows Server 2012.
    - KB3185278 -- Update for Windows 7 and Windows Server 2008 R2 -- September 2016 update rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1. Improved support for the Disk Cleanup tool to free up space by removing older Windows Updates after they are superseded by newer updates. Removed the Copy Protection option when ripping CDs in Windows Media Audio (WMA) format from Windows Media Player. Addressed issue that causes mmc.exe to consume 100% of the CPU on one processor after installing KB3125574. Addressed issue that causes the Generic Commands (GC) to fail upon attempting to install KB2919469 or KB2970228 on a device that already has KB3125574 installed. All reported changes here.
    - KB3185279 -- Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 -- September 2016 update rollup for Windows 8.1 and Windows Server 2012 R2. Addressed issue that causes some USB storage devices to lose authorization when the device goes into the lowest power state, requiring the user to re-authenticate using a PIN when the device moves back to a working power state. Addressed issue that causes Windows Explorer to become unresponsive when sharing a folder that is the child of at least two shared parent folders. Addressed issue that causes a COM port to become unavailable after it is repeatedly opened and closed. Addressed issue that causes devices to lose connection to their virtual private network (VPN) a few seconds after connecting, if the connection is made using an integrated mobile broadband connection. All reported changes here.
    - KB3185280 -- Update for Windows Embedded 8 Standard and Windows Server 2012 -- September 2016 update rollup for Windows Server 2012.
    - KB3186208 -- Reliability Rollup for Microsoft .NET Framework 4.5.2 on Windows 8.1 and Windows Server 2012 R2.
    - KB3159635 -- Update for Windows 10 Version 1607 -- Windows 10 Update Assistant update.

    How to download and install the October 2016 security updates

    Updates are also provided via Microsoft's Download Center, monthly Security ISO image releases, and via Microsoft's Update Catalog. Direct Microsoft Update Catalog download links:
    - Windows 7 Security-only October 2016
    - Windows 8.1 Security-only October 2016
    - Windows 8.1 Flash security patch October 2016

    Additional resources
    - Microsoft Security Bulletin Summary for October 2016
    - List of software updates for Microsoft products
    - List of security advisories of 2016
    - Microsoft Update Catalog site
    - Our in-depth update guide for Windows
    - Windows 10 Update History
    - Windows 8.1 Update History
    - Windows 7 Update History

    Source
  17. A new strain of malware has been discovered by Kaspersky Labs, named 'StrongPity,' which targets users looking for two legitimate computer programs, WinRAR and TrueCrypt. WinRAR is a file archiver utility for Windows, which compresses and extracts files, while the latter is a discontinued encryption tool. The malware contains components that not only have the ability to give attackers complete control of the victim's computer, but also to steal disk contents and download other software that the cybercriminals need. It was found that users in Italy and Belgium were affected the most, but there were also records found in Turkey, North Africa, and the Middle East. To gather victims, the attackers built special fake websites that supposedly host the two programs. One instance discovered by the researchers is that the criminals transposed two letters in a domain name, in order to fool the potential victim into thinking that the site was a legitimate WinRAR installer website. In the image above, clicking on the blue button will direct users to 'ralrab[.]com,' an obvious trick by the cybercriminals to fool victims. Following this link will lead unsuspecting users to the malicious software. Interestingly enough, there was a recorded case in Italy back in May where users were no longer directed to a fraudulent site, but were led to the StrongPity malware itself. StrongPity was also found directing visitors from popular software sharing websites to a poisoned installer of the TrueCrypt software. The malicious WinRAR links have been removed, but redirects to the poisoned TrueCrypt installers were still found at the end of September. According to Kurt Baumgartner, this method can be compared to the Crouching Yeti/Energetic Bear attacks, which compromised legitimate software distribution websites. He states: "These tactics are an unwelcome and dangerous trend that the security industry needs to address. 
The search for privacy and data integrity should not expose an individual to offensive waterhole damage. Waterhole attacks are inherently imprecise, and we hope to spur discussion around the need for easier and improved verification of encryption tool delivery." At this point, wherever in the world we may be, we advise our readers to exercise caution when it comes to downloading software from untrusted websites. Malware such as StrongPity is simply waiting for its next victim; once infected, your security may be compromised in the long run. Source: Kaspersky (1) (2) Article source
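The transposed-letter domain described in the post above (ralrab[.]com standing in for the WinRAR site) is the kind of lookalike that can be caught mechanically on a proxy log. The script below is an added example, not code from Kaspersky or from this post: it flags any URL whose host is exactly one adjacent-letter swap away from an allowlisted download domain. The allowlist content (rarlab.com, which is WinRAR's real site), the two-label "registrable domain" shortcut, and the sample URLs are assumptions constructed for the demonstration.

```python
"""Flag download URLs whose host is a one-letter transposition of a
trusted domain (e.g. ralrab.com for rarlab.com).
Added example; not Kaspersky's tooling."""
from urllib.parse import urlparse

# Allowlist of legitimate distribution hosts. rarlab.com is WinRAR's real
# site; a defender would extend this with the vendors they care about.
KNOWN_GOOD = {"rarlab.com"}


def registrable(host):
    """Keep the last two labels (example.com) so www.example.com matches.
    Deliberately crude; a public-suffix list would do this properly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def transposition_neighbours(name):
    """Every string reachable from name by swapping two adjacent characters."""
    for i in range(len(name) - 1):
        if name[i] != name[i + 1]:
            yield name[:i] + name[i + 1] + name[i] + name[i + 2:]


def lookalike_of(url):
    """Return the allowlisted domain that url's host impersonates by a single
    adjacent transposition, or None if the host is exactly allowlisted or is
    not a transposition of any entry. Defanged '[.]' notation is accepted."""
    url = url.replace("[.]", ".")
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    domain = registrable(host)
    if domain in KNOWN_GOOD:
        return None
    for good in KNOWN_GOOD:
        if domain in set(transposition_neighbours(good)):
            return good
    return None


def scan_urls(urls):
    """Return [(url, impersonated_domain)] for every suspicious URL in urls."""
    hits = []
    for u in urls:
        target = lookalike_of(u)
        if target:
            hits.append((u, target))
    return hits


# Constructed sample, standing in for hosts pulled from a proxy log.
SAMPLE_URLS = [
    "https://www.rarlab.com/download.htm",
    "http://ralrab[.]com/rar/winrar-x64.exe",
    "https://example.org/index.html",
]

if __name__ == "__main__":
    for url, target in scan_urls(SAMPLE_URLS):
        print(f"{url} looks like a transposition of {target}")
```

A single transposition is only one of the tricks used by lookalike domains; the same neighbour generator can be extended with single-character deletions, insertions and homoglyph swaps, but it already catches the case the post shows.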
  18. New research carried out by analysts from Intelligent Content Protection concludes that 90 percent of the top pirate sites link to malware or other unwanted software. In addition, two-thirds of the websites are said to link to credit card scams. Entertainment industry groups hope the findings will motivate people to choose legal options instead. Most seasoned visitors of torrent sites and streaming portals know that many of the “download” and “play” buttons present are non-functional, at least in the regular sense. In fact, many of these buttons link to advertisements of some sort, ranging from relatively harmless download managers to dubious services that ask for one’s credit card details. A new report backed by the UK entertainment industry has looked into the prevalence of these threats. The study, carried out by the anti-piracy analysts of Intelligent Content Protection (Incopro), found that only 1 of the 30 most-visited pirate sites didn’t link to unwanted software or credit card scams. According to a press release released this morning, the research found that of the 30 top pirate sites, “90% contained malware and other ‘Potentially Unwanted Programmes’ designed to deceive or defraud unwitting viewers.” The “Potentially Unwanted Programmes” category is rather broad, and includes popups and ads that link to download managers. In addition, the report links one-third of the sites to credit card fraud. “The rogue sites are also rife with credit card scams, with over two-thirds (67%) of the 30 sites containing credit card fraud,” the press release states. While it’s true that many pirate sites link to malware and other dubious products, the sites themselves don’t host any of the material. For example, none of the top pirate sites TorrentFreak tested were flagged by Google’s Safebrowsing tool. This nuance is left out of the official announcement, but the executive summary of the report does make this distinction. 
“We did not encounter the automatic injection of any malicious program on the sites that we scanned. In all instances, the user must be tricked into opening a downloaded executable file or in the case of credit card fraud, the user needs to actively enter credit card details,” Incopro writes. Most of the malware and “potentially” unwanted software ends up on users’ computers after they click on the wrong “download” button and then install the presented software. In many cases these are installers that may contain relatively harmless adware. However, the researchers also found links to rootkits and ransomware. The allegation of “credit card fraud” also requires some clarification. Incopro told TorrentFreak that most of these cases involve links to services where users have to pay for access. “There were 17 separate credit card schemes that were detected through our scanning, with many appearing to be similar or possibly related. Five of the sites had instances of two credit card fraud/scam sites, with the remaining 15 containing one credit card fraud/scam site,” Incopro told us. “An example is someone visits one of the pirate sites and clicks a ‘Download’ or ‘Play now’ button, which is actually an advert appearing on the page, which then asks for payment details to access the content.” This is characterized as “fraud” because these “premium” streaming or download services can result in recurring credit card charges of up to $50 per month, without an option to cancel. The report, which isn’t available to the public, was commissioned by the UK film service FindAnyFilm and backed by several industry groups. Commenting on the findings, FACT’s Kieron Sharp noted that those who fall for these scams are inadvertently funding organized crime. “Not only are you putting your personal security at risk, by using pirate websites you could be helping fund the organised criminal gangs who run these sites as a front for other cyber scams,” Sharp says. 
It is clear that the research is used for scaremongering. Regular users of these sites know all too well what buttons not to click, so they are not affected by any of the threats. However, there's no denying that some pirate sites deliberately place these "ads" to confuse novice and unsuspecting visitors. Those visitors may indeed end up with adware or malware, or run into scam services. This isn't in any way a new phenomenon, though; it has been going on for more than a decade already. Ironically, the same anti-piracy groups who now warn of these threats are making them worse by cutting pirate sites off from legitimate advertisers. Source: TorrentFreak
  19. By Dan Goodin - Feb 11 2014, 8:33am AEST Attackers used phishing and zero-days to infect Windows, Mac, and Linux users. Mask victims by IP address. Calling it the most sophisticated malware-driven espionage campaign ever discovered, researchers said they have uncovered an attack dating back to at least 2007 that infected computers running the Windows, OS X, and Linux operating systems of 380 victims in 31 countries. The "Mask" campaign, which gets its name from a string of text found in one of the malware samples, includes a variety of components used to siphon encryption keys, key strokes, Skype conversations, and other types of sensitive data off infected computers. There is also evidence that the Spanish-speaking attackers had malware that ran on devices running both Apple's iOS and Google's Android mobile operating systems. Victims include government agencies, embassies, research institutions, private equity firms, activists, energy companies, and companies in other industries. The sophistication of Mask makes it likely that the campaign is the work of attackers sponsored by a well-resourced nation-state, said researchers from Kaspersky Lab, the Moscow-based security company that discovered it. Mask—or "Careto" as its Spanish slang translation appears in source code analyzed by Kaspersky—joins a pantheon of other state-sponsored malware campaigns with names including Stuxnet, Flame, Duqu, Red October, Icefog, and Gauss. Unlike more opportunistic crimeware campaigns that generate revenue by targeting anyone with an Internet-connected computer, these "advanced persistent threats" (APTs) are much more determined. They're tailored threats that are aimed at specific people or organizations who possess unique data or capabilities with strategic national or business value. 
"With Careto, we describe yet another sophisticated cyberespionage operation that has been going on undiscovered for more than five years," Kaspersky Lab researchers wrote in a detailed analysis published Monday. "In terms of sophisticated, we put Careto above Duqu, Gauss, RedOctober, or Icefog, making it one of the most complex APTs we observed." The attackers relied on highly targeted spear phishing e-mails to lure targeted individuals to malicious websites. In some cases, attackers impersonated well-known websites, such as those operated by The Guardian and The Washington Post. One of the exploits recently used by the attackers targeted CVE-2012-0773, a highly critical vulnerability in Adobe's Flash Player that made it possible to bypass the sandbox security protection Google Chrome and other browsers rely on to prevent websites from executing malicious code on end-user computers. "What makes 'The Mask' special is the complexity of the toolset used by the attackers," the Kaspersky analysis stated. "This includes an extremely sophisticated malware, a rootkit, a bootkit, 32- and 64-bit Windows versions, Mac OS X and Linux versions, and possibly versions of Android and iPad/iPhone (Apple iOS)." Kaspersky researchers first stumbled onto Mask after noticing that it exploited a vulnerability in older versions of Kaspersky antivirus products to hide itself. The vulnerability has been patched for an unspecified amount of time, but attackers were exploiting the vulnerability on machines that continued to run older versions of the Kaspersky software. Like Stuxnet and many other pieces of malware used in the last five years, Mask code was digitally signed, in this case with a valid certificate issued to a fake company called TecSystem Ltd. Such digital credentials are designed to bypass warnings delivered by Windows and other operating systems before executing programs that haven't been vouched for by credentials issued by a recognized certificate authority. 
The malware uses encrypted HTTP or HTTPS channels when communicating with command and control servers. Researchers were able to take control of some of the domain names or IP addresses hosting the control servers that Mask-infected computers reported to. In all, the researchers observed 1,000 separate IP addresses in 31 countries connect. They also found traces of 380 different victim identifiers designated by the Mask naming convention. The Mask campaign was abruptly shut down last week within hours of being revealed in a short blog post. "For Careto, we observed a very high degree of professionalism in the operational procedures of the group behind this attack, including monitoring of their infrastructure, shutdown of the operation, avoiding curious eyes through access rules, using wiping instead of deletion for log files and so on," the Kaspersky analysis noted. "This is not very common in APT operations, putting the Mask into the 'elite' APT groups section." Post updated to add "slang" to the third paragraph. http://arstechnica.com/security/2014/02/meet-mask-posssibly-the-most-sophisticated-malware-campaign-ever-seen
  20. By Topher Kessler February 10, 2014 1:06 PM PST Disguised as a legitimate project on GitHub called StealthBit, the malware installs a browser extension to look for and steal BitCoin wallet and account credentials. Security research site SecureMac has discovered a new trojan horse that targets OS X systems and spies on Internet traffic to steal Bitcoins. The trojan, called OSX/CoinThief.A, is disguised as a standard OS X application called StealthBit, which was recently uploaded to GitHub. While advertised as a legitimate project for receiving Bitcoin payments on Bitcoin Stealth Addresses (a key encryption routine for securing a bitcoin transfer), StealthBit was instead a guise to install malicious tracking software on unsuspecting Mac users' systems. The project page on GitHub included source code along with precompiled binaries for those without the means to compile their own. While this is a common and convenient practice for GitHub projects, in this case the precompiled binary did not match the project's source code, and instead contained the malware for tracking users' Web activity. When downloaded and run, the binary would install a browser extension in the user's home folder that would run when Safari or another Web browser was launched. This extension would then monitor the sites that users visit and log credentials entered into them, in order to send account information for BitCoin sites, along with information about the user's system, to third-party servers. In order to disguise the extension, the criminals behind it have given it generic names like "Pop-up blocker," and attempted to prevent its discovery by having it search for installations of common anti-malware tools and not install on systems containing them. 
Being a relatively new and growing market with recent prices closing at around $700 per coin, BitCoin trading has attracted a number of attempts to mine, steal, and otherwise capitalize on this currency, and this malware is only the latest attempt to do so. For now, not much is known about OSX/CoinThief.A, and SecureMac and other security analysts are continuing to investigate the malware; however, if you have recently downloaded a BitCoin management tool from GitHub, then for now you can check your browser's active extensions to see if any are present that you did not specifically install. For Safari users, you can go to the Extensions section of Safari's preferences to view active extensions. For Firefox, you can select Add-ons from the Tools menu and then click the Extensions section, and in Chrome you can select Extensions from the Window menu. If you find unknown extensions in these locations, then you can disable or remove them, but re-check periodically to see if they reappear, as such activity would indicate a persistent component of the malware that keeps the extension installed and active. This malware is known to install background tasks that launch automatically when users log into their accounts. These routines are generally managed by Launch Agent scripts, which are located in the username > Library > LaunchAgents folder. While launch agents are commonly used by updaters and other programs you run to give you alerts and to schedule update checks, they are also used by malware developers to keep malicious programs alive in the background. By opening each launch agent and checking the "Program Arguments" or "Program" key, you can see what executable (and its corresponding path) is being targeted by that launch agent, and then check various online sources such as the Apple Support Communities to see if the paths and executables are legitimate. 
Unfortunately, launch agent manipulation by malware developers can sometimes be difficult to identify, especially since a launch agent and executable can easily be made to look legitimate. Therefore, if you are uncertain of how to look for and remove malware, you might use a reputable anti-malware scanner that has been updated to identify CoinThief.A. As the investigation into this malware develops, definitions for it and any future variants will become available, which can be used to better detect its presence and remove it from an infected system. http://reviews.cnet.com/8301-13727_7-57618666-263/new-os-x-trojan-monitors-web-activity-to-steal-bitcoins
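The launch agent check described in the article above (open each plist and read its "Program" or "Program Arguments" key) is tedious by hand, so here is an added example that does it in bulk. This is not CNET's or SecureMac's code: it reads every .plist in a LaunchAgents folder with Python's standard plistlib and reports what each one starts. When no real ~/Library/LaunchAgents exists it builds a constructed sample folder instead; the agent labels in that sample and the "executable outside the usual system locations" heuristic are assumptions for the demonstration, not something the article states.

```python
"""List what each launch agent starts (Program / ProgramArguments) and flag
the ones worth a second look. Added example, not the article's code."""
import os
import plistlib
import tempfile

# Locations where legitimately installed software normally lives. Anything
# started from elsewhere (home folder, /tmp) gets flagged for review.
# Heuristic assumption for this demo, not a rule from the article.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                   "/Applications/", "/Library/")


def launch_agent_programs(folder):
    """Return one dict per .plist in folder: file, label, program, args,
    run_at_load, error. `program` is the Program key if present, otherwise
    the first element of ProgramArguments."""
    results = []
    for name in sorted(os.listdir(folder)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(folder, name)
        try:
            with open(path, "rb") as fh:
                data = plistlib.load(fh)
        except Exception:  # unreadable or not a plist: still report it
            results.append({"file": name, "label": None, "program": None,
                            "args": [], "run_at_load": False,
                            "error": "unparseable"})
            continue
        args = list(data.get("ProgramArguments") or [])
        program = data.get("Program") or (args[0] if args else None)
        results.append({"file": name, "label": data.get("Label"),
                        "program": program, "args": args,
                        "run_at_load": bool(data.get("RunAtLoad", False)),
                        "error": None})
    return results


def needs_review(entry):
    """True when the agent has no resolvable program or its executable sits
    outside SYSTEM_PREFIXES (e.g. under the user's Library or /tmp)."""
    program = entry["program"]
    return program is None or not program.startswith(SYSTEM_PREFIXES)


def demo_folder():
    """Constructed sample: one agent pointing into /Applications and one with a
    generic-sounding label whose executable hides in the user's home folder."""
    folder = tempfile.mkdtemp()
    benign = {"Label": "com.example.updater",
              "Program": "/Applications/Example.app/Contents/MacOS/updater",
              "RunAtLoad": True}
    suspicious = {"Label": "com.popupblocker.agent",
                  "ProgramArguments": [
                      "/Users/demo/Library/Application Support/.hidden/agent",
                      "--quiet"],
                  "RunAtLoad": True}
    for fname, content in (("com.example.updater.plist", benign),
                           ("com.popupblocker.agent.plist", suspicious)):
        with open(os.path.join(folder, fname), "wb") as fh:
            plistlib.dump(content, fh)
    return folder


if __name__ == "__main__":
    home_agents = os.path.expanduser("~/Library/LaunchAgents")
    folder = home_agents if os.path.isdir(home_agents) else demo_folder()
    for entry in launch_agent_programs(folder):
        flag = "REVIEW" if needs_review(entry) else "ok"
        extra = " ".join(entry["args"][1:])
        print(f"{flag:6} {entry['file']}: {entry['program']} {extra}")
```

The flag is only a prompt to look closer: legitimate agents do sometimes launch from a user's Library folder, which is exactly why the article recommends checking the reported path against a reference such as the Apple Support Communities before removing anything.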
  21. By Shona Ghosh Posted on 9 Jan 2014 at 15:21 Millions of PCs may have been infected by malware inserted into ads on Yahoo websites - and then used to mine bitcoins. Yahoo confirmed this week that hackers had managed to insert malware into ads displayed on some of its European sites, but hasn't said how many users have been affected. Security company Light Cyber estimates that several million PCs have been infected, and found the malware had been used to install Bitcoin-mining software on some machines. Separate estimates this week from security firm Fox-IT suggest the UK has one of the highest numbers of affected users. Light Cyber founder and vice president for product and strategy, Giora Engel, said the hackers were potentially building a huge network of Bitcoin-mining PCs, since the task is too labour intensive for one machine. He added that the malware had delivered other tools that gave hackers control over infected PCs. "This campaign downloaded a variety of different tools - some were malware to enable attackers to control each infected PC and steal passwords," he told PC Pro. "Other tools were more specific – the Bitcoin mining tool is not malware itself, it's something anyone can download and generate Bitcoin." Engel estimated that, with several million machines at their disposal, the hackers could be making $10,000 (approximately £6,000) a day. Security companies have said the number of Bitcoin-related attacks will rise this year, after the virtual currency shot up in value. One Bitcoin is currently worth around £500, though its value fluctuates. http://www.pcpro.co.uk/news/security/386452/yahoo-malware-turns-millions-of-pcs-into-bitcoin-network
  22. TDSSKillerPortable_x.x_English_online.paf.exe
PortableApps.com Format
Makes application portable
Makes application stealth
Dependencies: Administrative Privileges
UNC: Yes
Compatible: WinAll
CRC: 70AD6C73
Size: 253 KB (259,642 bytes)
Note: when an update is released, simply re-run the installer to update.
Why post an app that's already posted by PortableApps.com? Because their version is faulty and leaves trash behind in the registry and file system.
  23. CryptoLocker: A particularly pernicious virus By Susan Bradley Online attackers are using encryption to lock up our files and demand a ransom — and AV software probably won't protect you. Here are ways to defend yourself from CryptoLocker — pass this information along to friends, family, and business associates. Forgive me if I sound a bit like those bogus virus warnings proclaiming, "You have the worst virus ever!!" But there's a new threat to our data that we need to take seriously. It's already hit many consumers and small businesses. Called CryptoLocker, this infection shows up in two ways. First, you see a red banner (see Figure 1) on your computer system, warning that your files are now encrypted — and if you send money to a given email address, access to your files will be restored to you. Figure 1. CryptoLocker is not making idle threats. The other sign you've been hit: you can no longer open Office files, database files, and most other common documents on your system. When you try to do so, you get another warning, such as "Excel cannot open the file [filename] because the file format or file extension is not valid," as stated on a TechNet MS Excel Support Team blog. As noted in a Reddit comment, CryptoLocker goes after dozens of file types such as .doc, .xls, .ppt, .pst, .dwg, .rtf, .dbf, .psd, .raw, and .pdf. CryptoLocker attacks typically come in three ways: 1) Via an email attachment. For example, you receive an email from a shipping company you do business with. Attached to the email is a .zip file. Opening the attachment launches a virus that finds and encrypts all files you have access to — including those located on any attached drives or mapped network drives. 2) You browse a malicious website that exploits vulnerabilities in an out-of-date version of Java. 3) Most recently, you're tricked into downloading a malicious video driver or codec file. 
There are no patches to undo CryptoLocker and, as yet, there's no clean-up tool — the only sure way to get your files back is to restore them from a backup. Some users have paid the ransom and, surprisingly, were given the keys to their data. (Not completely surprising; returning encrypted files to their owners might encourage others to pay the ransom.) This is, obviously, a risky option. But if it's the only way you might get your data restored, use a prepaid debit card — not your personal credit card. You don't want to add the insult of identity theft to the injury of data loss. In this case, your best defense is prevention. Keep in mind that antivirus software probably won't prevent a CryptoLocker infection. In every case I'm aware of, the PC owner had an up-to-date AV application installed. Moreover, running Windows without admin rights does not stop or limit this virus. It uses social engineering techniques — and a good bit of fear, uncertainty, and doubt — to trick users into clicking a malicious download or opening a bogus attachment. Your best prevention is two-fold: 1) Basic method: Ensure you keep complete and recent backups of your system. Making an image backup once or twice a year isn't much protection. Given the size of today's hard drives on standalone PCs, an external USB hard drive is still your best backup option. A 1TB drive is relatively cheap; you can get 3TB drives for under U.S. $200. For multiple PCs on a single local-area network, consider Michael Lasky's recommendations in the Oct. 10 Best Hardware article, "External hard drives take on cloud storage." Small businesses with networked PCs should have automated workstation backups enabled, in addition to server backups. At my office, I use Backup Box by Gramps' Windows Storage Server 2008 R2 Essentials (site). It lets me join the backup server to my office domain and back up all workstations. 
I run the backups during the day, while others in the office are using their machines — and I've had no complaints of noticeable drops in workstation performance. The upcoming release of Windows Server 2012 R2 Essentials (site) will also include easy-to-use, workstation-backup capabilities. Recently announced Western Digital drives will also act as both file-storage servers and workstation-backup devices. Source
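The symptom the article above describes, documents that no longer open because "the file format or file extension is not valid", can be checked for across a whole share rather than one file at a time: a document that has been encrypted in place has random-looking bytes where its format signature should be. The script below is an added example, not from the article or its author. It walks a folder and reports files whose extension is one of the types the article lists but whose leading bytes do not match the known signature for that type (.dbf and .raw have no fixed signature and are skipped). The sample files it creates are constructed. This only scopes damage already done; as the article says, the actual defense is a current backup.

```python
"""Find documents whose header no longer matches their extension, the
tell-tale of a file encrypted in place. Added example; detection only."""
import os
import tempfile

# Extension -> accepted leading bytes, for the listed types that have a fixed
# signature. Legacy Office files are OLE2 containers; a renamed .docx/.xlsx
# is a zip, so both are accepted for .doc/.xls/.ppt.
OLE2 = b"\xd0\xcf\x11\xe0"
ZIP = b"PK\x03\x04"
MAGIC = {
    ".pdf": (b"%PDF",),
    ".rtf": (b"{\\rtf",),
    ".psd": (b"8BPS",),
    ".pst": (b"!BDN",),
    ".dwg": (b"AC10",),
    ".doc": (OLE2, ZIP),
    ".xls": (OLE2, ZIP),
    ".ppt": (OLE2, ZIP),
}


def header_mismatch(path):
    """True when the file's extension has a known signature and the first
    bytes match none of the accepted variants. Unknown extensions -> False."""
    ext = os.path.splitext(path)[1].lower()
    signatures = MAGIC.get(ext)
    if not signatures:
        return False
    with open(path, "rb") as fh:
        head = fh.read(8)
    return not any(head.startswith(sig) for sig in signatures)


def scan_tree(root):
    """Walk root and return the sorted relative paths of files whose header
    mismatches. Files that cannot be read are reported as well, since an
    unreadable document needs the same follow-up."""
    suspect = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if header_mismatch(path):
                    suspect.append(os.path.relpath(path, root))
            except OSError:
                suspect.append(os.path.relpath(path, root))
    return sorted(suspect)


def demo_tree():
    """Constructed sample: an intact PDF, an intact legacy Excel file, a PDF
    whose contents have been replaced by noise, and a .txt that is never
    checked because it has no signature."""
    root = tempfile.mkdtemp()
    samples = {
        "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
        "budget.xls": OLE2 + b"\xa1\xb1\x1a\xe1" + b"\x00" * 16,
        "invoice.pdf": bytes(range(256)),          # stands in for ciphertext
        "notes.txt": b"plain text, no signature to check",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else demo_tree()
    for rel in scan_tree(target):
        print("header mismatch:", rel)
```

Run it against a mapped drive or a restored backup to see how far an infection reached before deciding which backup generation to restore from; a clean result for a file type that has no entry in MAGIC means nothing, so treat the table as a starting point and add signatures for the formats your environment depends on.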
  24. Okay so it all started like this... I was browsing around pastebin.com and checking out all the newest "untitled" posts. Here I came upon a rather interesting one with the link to a file named "keygen.exe". Knowing me, I downloaded the file, because most uploaders link to a text paste after having someone fill out a survey. So I decided to grab this new unknown keygen in hopes of it being a breakthrough and post it on nsane. EDIT: Here's a copy of the file that I downloaded: http://www.mirrorcreator.com/files/WQYKGMIJ/Keygen.rar_links My stupidity didn't occur to me at the time, so I downloaded it and just double clicked, without shadow defending my HDD and sandboxing in Comodo's Virtual OS. The file opened and did not present a GUI. So I opened task manager and terminated "keygen.exe". Thinking I had fixed the problem, I thought I was uninfected. Lo and behold, later while disabling startup programs, I found keygen.exe with the same cheat engine icon in my startup folder. Having rebooted a few times already, I knew for sure that I had been infected. Today while randomly monitoring my active connections, wondering why my internet was moving slowly and ping times were so high, I came across this screenshot: Right there, an unknown app was using HTTP_C to connect to A whois lookup on that IP revealed the following: So now I know that I have a virus that's breaking my internet connection and using my bandwidth to do something else. Now this is frightening because my internet is at 100Mbs (11 MB a second download and upload). Someone in Africa is laughing their ass off at me because I fell for that trap. Now how do I start to remove this thing? I'm running Windows 7 Home Premium x64.