Zero Day Adobe and Microsoft Exploits

Adobe has released (for the second time this month) an emergency update for its widely used Flash Player to combat active attacks that exploit a previously unknown security bug to surreptitiously install malware on end-user computers.

Attackers are already exploiting it!

Please apply this patch and stay secure.
If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser. The version of Chrome that includes this fix is v. 33.0.1750.117 for Windows, Mac, and Linux. To learn what version of Chrome you have, click the stacked bars to the right of the address bar, and select “About Google Chrome” from the drop down menu (the option to apply any pending updates should appear here as well).

The most recent versions of Flash are available from the Adobe download center here, but beware of potentially unwanted add-ons (like McAfee Security Scan, Chrome browser, etc.). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox or Opera, for example).

AND..

Microsoft has released a stop-gap fix for a previously unknown zero-day vulnerability in Internet Explorer versions 9 and 10 to combat a separate zero-day campaign. If possible, update to version 11 of IE, since it contains exploit mitigations not available in earlier releases (many users cannot because of other ‘line of business software’ that requires versions 9 or 10). Those who are prevented from running version 11 should install the Microsoft fix as soon as possible.

Microsoft site explanation is here

Actual ‘Fix-It’ tool is here

If you run it make sure you ‘right-click’ on the file after it’s downloaded and ‘Run As Administrator’

Be safe folks, Peace.

BlackPOS breach

So here is a story about the recent MASSIVE thefts at Target, Neiman Marcus and other retailers.

What is by far the most scary is this line,
“…said it was possible for Target and Neiman Marcus to be hacked after the software tried several easy passwords to remotely hack the stores’ registers, and added that the malware, called BlackPOS..”

We are finding out the breach occurred because of poor Security practices! Easily guessed or worse, standard passwords at the gates!

This is totally unacceptable and, in my opinion, everyone involved from the top to bottom of these IT chains should be fired and also be part of any litigation directed at the companies.

You know you hear it from me and just about everyone else: use complex Usernames and especially passwords. NEVER use a default username or password. Never use the same password for different accounts.

So I’ll say this again to everyone. Please change your passwords to something complex (that includes Upper and lower case letters, numbers AND symbols) and do NOT use that same password for different accounts.

Well that is all. Peace out.

CryptoLocker news

Okay folks, here we go again. More ransomware is spreading and it can hit you. [Ransomware comprises a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system’s hard drive (cryptoviral extortion), while some may simply lock the system and display messages intended to coax the user into paying.]

Ransomware/Malware that encrypts your data and tries to sell it back to you, or else, is not new. In fact, one of the earliest pieces of malware that was written specifically to make money, rather than simply to prove a point, was the AIDS Information Trojan of 1989. That Trojan scrambled your hard disk after 90 days, and instructed you to send $378 to an accommodation address in Panama.

Enter the latest Menace – CryptoLocker. If you have become seriously infected and do not take IMMEDIATE remedial steps, there is, sadly, not much you can do [unless you have full ‘offline’ backups as I am always ranting about] but pay up!

This is getting some recent much needed attention by the press. Here is a recent short article. A Google search will turn up hundreds more.

The endgame is the same in all cases: if you have a reliable and recent backup, you’ll have a good chance of recovering without too much trouble.

Prevention, in this case, is significantly better than cure:

  • Stay patched. Keep your operating system and software up to date.
  • Make sure your anti-virus is active and up to date.
  • Avoid opening attachments you weren’t expecting, or from people you don’t know well.
  • Make regular backups, and store them somewhere safe, preferably offline.

Don’t forget that services that automatically synchronise your data changes with other servers, for example in the cloud, don’t count as backup!!

They may be extremely useful, but they tend to propagate errors rather than to defend against them.

What is CryptoLocker

CryptoLocker is a ransomware program that was released around the beginning of September 2013 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. This ransomware will encrypt certain files using a mixture of RSA & AES encryption. When it has finished encrypting your files, it will display a CryptoLocker payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This screen will also display a timer stating that you have 72 hours, or 4 days, to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files. This ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the payment and it is verified, the program will decrypt the files that it encrypted.

How do you become infected with CryptoLocker

This infection is typically spread through emails sent to company email addresses that pretend to be customer support related issues from Fedex, UPS, DHS, etc. An unsuspecting computer user will either get an email purporting to be from their bank, friends, Facebook or a host of other fake senders or be asked to click on a pop up in a Website. The person thinks it’s legitimate, clicks on it and before they know it the virus is installed on their computer which encrypts their data. The person will be given a time period, for instance 72 hours, to make a payment in exchange for the key to decrypt all the data. Refuse and the data on the hard drive will be gone forever.

These emails would contain a zip attachment that when opened would infect the computer. These zip files contain executables that are disguised as PDF files as they have a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Microsoft does not show extensions by default, they look like normal PDF files and people open them.
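The disguise described above can be checked mechanically before anyone opens an attachment. The following Python sketch is an added example, not code from the original post; it goes slightly beyond the text by also flagging members whose first bytes are a Windows executable header (MZ) under a document name. The extension lists and the sample archive are constructed assumptions.

```python
import io
import zipfile

# Assumed lists for this example (common subsets, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}


def classify_member(name, head):
    """Return reasons why one archive member looks like a disguised executable."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Strip padding spaces: "invoice.pdf      .exe" hides the real extension.
    parts = [p.strip() for p in base.lower().split(".")]
    exts = ["." + p for p in parts[1:] if p]
    last = exts[-1] if exts else ""
    reasons = []
    if last in EXECUTABLE_EXTS:
        reasons.append("executable extension " + last)
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            reasons.append("double extension " + exts[-2] + last)
    elif head[:2] == b"MZ":
        # Content is a DOS/PE executable although the name says otherwise.
        reasons.append("MZ header under a non-executable name")
    return reasons


def scan_zip(data):
    """Map each suspicious member name in a zip (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                # Encrypted member: content unreadable, judge by name only.
                head = b""
            else:
                with zf.open(info) as fh:
                    head = fh.read(2)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample archive; the payloads are inert placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FORM_101513.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("FORM_101513.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("scan.pdf", b"MZ" + b"\x00" * 62)      # wrong content type
        zf.writestr("report.pdf", b"%PDF-1.4\n")           # benign
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(why))
```

A mail gateway or helpdesk script can run `scan_zip` on quarantined attachments and hold anything it returns for review.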

Please make sure that your antivirus/malware software and systems are up to date. And for Pete’s sake do NOT open attachments from the likes of those listed. IF you think you need to track something go to the ‘front door’ of the shipping company or bank and login/track there.

Once YOU infect yourself (yes, it is an action taken by the user that starts the infection!!) [Like any other piece of malware, common sense goes a long way. The critical thing is it’s not going to install files by itself. You have to initiate some action.] you will soon probably see a screen that looks like this:

[Image: CryptoLocker screen]

Examples of known CryptoLocker email subjects include:

USPS – Your package is available for pickup ( Parcel 173145820507 )

USPS – Missed package delivery ("USPS Express Services" <service-notification@usps.com>)

USPS – Missed package delivery

FW: Invoice <random number>

ADP payroll: Account Charge Alert

ACH Notification ("ADP Payroll" <*@adp.com>)

ADP Reference #09903824430

Payroll Received by Intuit

Important – attached form

FW: Last Month Remit

McAfee Always On Protection Reactivation

Scanned Image from a Xerox WorkCentre

Scan from a Xerox WorkCentre

scanned from Xerox

Annual Form – Authorization to Use Privately Owned Vehicle on State Business

Fwd: IMG01041_6706015_m.zip

My resume

New Voicemail Message

Voice Message from Unknown (675-685-3476)

Voice Message from Unknown Caller (344-846-4458)

Important – New Outlook Settings

Scan Data

FW: Payment Advice – Advice Ref:[GB293037313703] / ACH credits / Customer Ref:[pay run 14/11/13]

Payment Advice – Advice Ref:[GB2198767]

New contract agreement.

Important Notice – Incoming Money Transfer

Notice of underreported income

Notice of unreported income – Last months reports

Payment Overdue – Please respond

FW: Check copy

Payroll Invoice

USBANK

Corporate eFax message from "random phone #" – 8 pages (random phone # & number of pages)

past due invoices

FW: Case FH74D23GST58NQS

Symantec Endpoint Protection: Important System Update – requires immediate action

What should you do when you discover your computer is infected with CryptoLocker

When you discover that a computer is infected with CryptoLocker, the first thing you should do is disconnect it from your wireless or wired network. This will prevent it from further encrypting any files. Some people have reported that once the network connection is disconnected, it will display the CryptoLocker screen.

Users who are infected with the malware should IMMEDIATELY consult with a reputable security expert to assist in removing the malware, and should NOT attempt to mitigate or in any way try to ‘fix’ the issue themselves – this will only ensure the loss of data!!

It is not advised that you remove the infection from the %AppData% folder until you decide if you want to pay the ransom. If you do not need to pay the ransom, simply delete the Registry values and files and the program will not load anymore. You can then restore your data via other methods.

It is important to note that the CryptoLocker infection spawns two processes of itself. If you only terminate one process, the other process will automatically launch the second one again. Instead use a program like Process Explorer and right click on the first process and select Kill Tree. This will terminate both at the same time.

Is it possible to decrypt files encrypted by CryptoLocker?

Unfortunately at this time there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom. Brute forcing the decryption key is not realistic due to the length of time required to break the key. Also any decryption tools that have been released by various companies will not work with this infection. The only method you have of restoring your files is from a backup or Shadow Volume Copies if you have System Restore enabled. Newer variants of CryptoLocker attempt to delete the Shadow Copies, but this is not always successful. There are methods that can/may be used to recover your ‘Shadow Copies’, but this oftentimes requires an expert.

If you do not have System Restore enabled on your computer or reliable backups, then you will need to pay the ransom in order to get your files back.

So to summarize, the very first line of defense is to have good computing common sense and usage. Second is my usual mantra: FULL IMAGE BACKUPS ON A REGULAR BASIS TO EXTERNAL/REMOVABLE MEDIA. I can’t say this enough. And I’m sure to get the calls from folks who are screwed. I sympathize, a little anyways.

Okay end rant. Be safe. Peace all.

Terrifying new Ransomware

This is here some scary sh%t.
I know I sound like this guy [image: the-sky-is-falling] about backing up your entire systems to ‘offline/removable’ media but I’ll keep on saying it.

This nasty is spreading fast on corporate networks. Scary thing is it still uses social engineering and poor user training/safety methods to launch/install. It usually arrives as an email with an attached zip archive that has an executable inside, which should have been a dead giveaway that this message was malicious and was in no way legitimate. But sadly most people have not been properly educated on computer safety or are just plain lazy and don’t think to look at what they are doing. But once installed it can wreak havoc on a company.

Please develop and use some kind of offline full system backup plan for your personal and especially your business.

Do not think or rely on ‘cloud based’ backup system to protect you from this type of attack. Think about it, your now encrypted files would be uploaded to the cloud and overwrite your original/good ones.

I’ve written so many times about the need for offline backups you can just look through my blog and find more info about that.

Be safe folks!

Avoid Internet Doomsday: Check for DNSChanger Malware Now

Some background:
The DNS system is a network of servers that translates a web address — such as http://www.google.com — into the numerical addresses that computers use to locate actual websites, computers and servers. It is known as the Internet’s phone book, which translates URLs to the IP address for the server hosting the Web site. This is not only true for Web sites, but also for any other Internet-based service being used, including servers for e-mail, backups, synchronization, chat programs, and calendars AND antivirus programs to update themselves.

Back in November, law enforcement authorities working with the Federal Bureau of Investigation arrested six of the seven individuals in Estonia responsible for infecting millions of Windows and Mac machines worldwide with the DNSChanger Trojan. As part of the “Operation Ghost Click” raid, FBI agents also seized over 100 servers at data centers throughout the United States masquerading as legitimate DNS servers.

If the FBI were to simply shut down the DNS network, then the millions of computers that had been affected by the malware would instantly no longer be able to access the Internet. Given the scope of this malware infection, that would suddenly cut off many users and very likely have a notable negative impact globally. Because these systems are infected with the malware, they would not benefit from users checking for and changing their DNS settings, since the malware would continually revert them and thereby continually disrupt communications.

To prevent this, the FBI instead chose to keep the rogue DNS servers active and convert them to a legitimate DNS system for infected computers. Since November 2011, there has been a campaign by the government, security agencies and MANY high profile internet service providers (ISPs) to notify users of the DNSChanger malware and offer services to help users identify systems that are infected.

Most victims don’t even know their computers have been infected, although the malicious software probably has slowed their web surfing and disabled their antivirus software, making their machines more vulnerable to other problems.

To quickly and easily see if this may affect you and what you can do about it visit this site

Click on the link in the middle of the page and you will be notified if you are currently infected.

If you are infected/compromised you can visit this page for resolution tips and instructions.

Remember this trojan/virus will affect PCs AND Macs. Better safe than sorry. Or you could always call me for a hou$e call when your system won’t connect to the internet.

You can read the FBI’s page here.

Google has one here

Facebook also has one here.

Another Flashback Variant – 2nd in two days!

Hey Mac users who still haven’t taken the hint and updated your systems’ security, there’s yet another version of the Flashback Trojan for you to enjoy.

It infects unprotected Macs in the same way Flashback.K did, through a Java applet exploit, and installs itself without the need of your password.
And, just as its predecessor, Flashback.K erases its footprints by deleting the Java cache and ensures its propagation by installing into the Java Update folder. You can read more here.

Apple released a Java patch in early April, as well as a Flashback removal tool, but clearly not all Mac users patched.

But many Mac users don’t even qualify for the patch—it was only available to systems running OS X 10.6 (from 2009) and later. Mac users running OS X v.10.5 and earlier were advised to disable Java altogether. WTF!! However, it’s quite possible that many users of these older systems just didn’t get the memo and are still running insecure software.

Here is F-Secure’s site that has the checker and removal tool. Check that out too. And please update your systems folks.

OK Mac guys here we go again!

There’s Another Mac Trojan Spreading Via Microsoft Office documents and email attachments. The Trojan apparently spreads through infected Office documents, and it’s in “active stage”, which means that it searches through documents on infected machines.

Please note that this is a very sophisticated and malicious attack that not only ‘infects’ your machine but also installs a ‘bot’ to control it, scan through your system, and take whatever it wants to! ALL WITHOUT YOUR INTERACTION AFTER THE FIRST INFECTION!

The attack vector utilizes several vulnerabilities: the Java hole that Apple finally just fixed last week, and a Microsoft vulnerability that MS patched 3 years ago (but they may update that patch too).

Please folks keep your Operating System, Applications and security software up to date and don’t be one of those poor naive bastards that thinks this cannot happen to you.
You can read more here and here

Mac Fanboys and Girls let the terror start

UPDATE:

There is now a simple tool you can use to check to see if you are infected by this Trojan. So far they are finding more and more people with it!

The tool is called, appropriately enough, the FlashbackChecker tool. You can get that here. Download and run it and see if you are in the clear.

Note that FlashbackChecker can’t actually remove the Trojan, it can only detect it. So, if you or a family member does find it on their machine, you’ll have to go back and run those original terminal commands (from F-Secure’s site) to determine exactly what you need to remove.

—-

Mac Trojan is infecting LOADS of people!! OK now the terror starts for you fanboys (and girls). My last article told you of this Mac Trojan. Now it’s apparently infected at least 600,000 users so far (read here) and it’s terrifying everyone! It’s written in an unknown language, doesn’t even need your password to compromise you! Please read and take precautions.

For instructions on how to check for and how to remove it you can AND SHOULD go here. This is F-Secure’s site.

NO system that is connected to a network is EVER safe. It can only be made more secure. Don’t ever think your Operating System is your security; it’s not – YOU ARE!

Be safe out there people!

[side note: I wonder how many calls I’ll get about this and how to repair the damage? The compromised system I can fix – your emptied bank account I cannot. Just saying.]

New Flashback Trojan Infecting Macs NOW

A new Mac Trojan that can now infect your computer from little more than a visit to a website AND requires NO PASSWORD TO INSTALL is making its rounds and promises some scary things!

The exploit was patched in February for MS Windows systems, however Apple has yet to release one for OSX.
Read more about it here.

F-Secure has a method for checking for and removing the infection here.

So once again folks please do not be naive and think you are immune to attack simply because your Operating System is not MS Windows.

Be safe out there.

More Scareware going around–Fake disk errors and hidden files.

More security news. There is another round of Scareware/Trojans going around that trick users into infecting their machines http://bit.ly/zqaBJK and then ransoming a fix for money.

This new threat, named "Trojan.HiddenFilesFraud.A" by Bitdefender’s researchers, hides all files and folders on your machine and disables some standard keyboard shortcuts so you can’t un-hide them. To further inflame your mania it displays error messages as-if from Windows reporting such worries as "damaged hard disk clusters." Disk scareware hides files. Just when your frenzy is at its peak, the fake disk repair tool goes to work. It busily spins and flashes and eventually reports a plethora of errors. Want the problem fixed? All you have to do is register… for $80. The worst of it is, even when you do register it doesn’t unhide your files. Pay $80 for the repair utility that will do absolutely nothing once purchased. The scam is done, the money is gone. And there is a good chance your credit card will be used for more fraudulent activity in the very near future!

It displays a fake ‘error’ and ‘fix window’ that if clicked on (EVEN TO CLOSE!!) actually infects the machine! Then the user is supposed to be scared enough and convinced to reach for his pocket and

Please keep your Anti-virus/Spyware application, Systems and especially your Browsers up to date! I have posted previously on how to ‘get out’ of this bogus application; look here http://bit.ly/pUhosM and throughout my blog for MANY articles regarding security, please check them out. Or you could just pay me to fix what you mess up for not following my advice. :)

Be safe folks! Peace.