Mike's Mostly Tech blog

Avoid Internet Doomsday: Check for DNSChanger Malware Now

Some background:
The DNS system is a network of servers that translates a web address — such as http://www.google.com — into the numerical addresses that computers use to locate actual websites, computers and servers. It is known as the Internet’s phone book, which translates URLs to the IP address for the server hosting the Web site. This is not only true for Web sites, but also for any other Internet-based service being used, including servers for e-mail, backups, synchronization, chat programs, and calendars AND antivirus programs to update themselves.

Back in November, law enforcement authorities working with the Federal Bureau of Investigation arrested six of the seven individuals in Estonia responsible for infecting millions of Windows and Mac machines worldwide with the DNSChanger Trojan. As part of the “Operation Ghost Click” raid, FBI agents also seized over 100 servers at data centers throughout the United States masquerading as legitimate DNS servers.

If the FBI were to simply shut down the DNS network, then the millions of computers that had been affected by the malware would instantly no longer be able to access the Internet, and given the scope of this malware infection, would suddenly cut off many and very likely have a notable negative impact globally. Being infected with the malware, these systems would not benefit from users checking for and changing their DNS settings, since the malware would continually revert it and thereby continually disrupt communications.

To prevent this, the FBI instead chose to keep the rogue DNS servers active and convert it to a legitimate DNS system for infected computers. Since November 2011, there has been a campaign by the government, security agencies and MANY high profile internet service providers (ISPs) to notify users of the DNSChanger malware and offer services to help users identify systems that are infected.

Most victims don’t even know their computers have been infected, although the malicious software probably has slowed their web surfing and disabled their antivirus software, making their machines more vulnerable to other problems.

To quickly and easily see if this may affect you and what you can do about it visit this site

Click on the link in the middle of the page and you will be notified if you are currently infected.

If you are infected/compromised you can visit this page for resolution tips and instructions.

Remember this trojan/virus will affect PC’s AND Macs. Better safe than sorry. Or you could always call me for a hou$e call when your system won’t connect to the internet.

You can read the FBI’s page here.

Google has one here

Facebook also has one here.

Another Flashback Variant – 2nd in two days!

Hey Mac users who still haven’t taken the hint and update your systems’ security there’s yet another version of the Flashback Trojan for you to enjoy.

It infects unprotected Macs in the same way Flashback.K did, through a Java applet exploit, and installs itself without the need of your password.
And, just as its predecessor, Flashback.K erases its footprints by deleting the Java cache and ensures its propagation by installing into the Java Update folder. You can read more here.

Apple released a Java patch in early April, as well as a Flashback removal tool, but clearly not all Mac users patched.

But many Mac users don’t even qualify for the patch—it was only available to systems running OS X 10.6 (from 2009) and later. Mac users running OS X v.10.5 and earlier were advised to disable Java altogether. WTF!! However, it’s quite possible that many users of these older systems just didn’t get the memo and are still running insecure software.

Here is F-Secure’s site that has the checker and removal tool. Check that out too. And please update your systems folks.

OK Mac guys here we go again!

There’s Another Mac Trojan Spreading Via Microsoft Office documents and email attachments. The Trojan apparently spreads through infected Office documents, and it’s in “active stage”, which means that it searches through documents on infected machines.

Please note that this is a very sophisticated and malicious attack that not only ‘infects’ your machine but also installs a ‘bot’ to control it, scan through your system, and take what ever it wants to! ALL WITHOUT YOUR INTERACTION AFTER THE FIRST INFECTION!

The attack vector utilizes several vulnerabilities. The Java whole that Apple finally just fixed last week. And a Microsoft vulnerability that MS patched 3 years ago. (but they may update that patch too).

Please folks keep your Operating System, Applications and security software up to date and don’t be one of those poor naive bastards that thinks this cannot happen to you.
You can read more here and here

Windows AND Mac System Security News 04-12-2012

For OSX users:
Apple just released Java for OS X 2012-003, an update to the Java implementation in OS X. The update removes “the most common variants of the Flashback malware.” Check that out here. You should definitely update your Java NOW!

For Windows users.
It’s even scarier again. Trend Micro has found some scary ass Ransomware.

You can and SHOULD read the scary details here.

From TrendMicro’s blog, here is some of the details.

“We have encountered a ransomware unlike other variants that we have seen previously. A typical ransomware encrypts files or restricts user access to the infected system. However, we found that this particular variant infects the Master Boot Record (MBR), preventing the operating system from loading. Based on our analysis, this malware copies the original MBR and overwrites it with its own malicious code. Right after performing this routine, it automatically restarts the system for the infection take effect. When the system restarts, the ransomware displays the following message:

This message prompt informs affected users that the PC is now blocked and that they should pay 920 hryvnia (UAH) via QIWI to a purse number (12 digits) – 380682699268. Once paid,they will receive a code that will unlock the system. This code will supposedly resume operating system to load and remove the infection. This particular variant has the “unlock code” in its body. When the unlock code is used, the MBR routine is removed.

Bottom line PLEASE keep your security software, Operating Systems and Browsers (including and especially browser plug-ins like Java, Flash etc.) up to date and patched.

Peace.

Mac Fanboys and Girls let the terror start

UPDATE:

There is now a simple tool you can use to check to see if you are infected by this Trojan. So far they are finding more and more people with it!

The tool is called, appropriately enough, the FlashbackChecker tool. You can get that here. Download and run it and see if you are in the clear.

Note that FlashbackChecker can’t actually remove the Trojan, it can only detect it. So, if you or a family member does find it on their machine, you’ll have to go back and run those original terminal commands (from F-Secure’s site) to determine exactly what you need to remove.

—-

Mac Trojan is infecting LOADS of people!! OK now the terror starts for you fanboys (and girls). My last article told you of this Mac Trojan. Now it’s apparently infected at least 600,000 users so far (read here) and it’s terrifying everyone! It’s written in an unknown language, doesn’t even need your password to compromise you! Please read and take precautions.

It’s written in an unknown language, and doesn’t even need your password to compromise you, and.

For instructions on how to check for and how to remove it you can AND SHOULD go here. This is F-Secure’s site.

NO system that is connected to a network is EVER safe. It can only be made more secure. Don’t ever think you Operating System is your security; it’s not – YOU ARE!

Be safe out there people!

[side note: I wonder how many calls I’ll get about this and how to repair the damage? The compromised system I can fix – your emptied bank account I cannot. Just saying.]

New Flashback Trojan Infecting Macs NOW

A new Mac Trojan that can now infect your computer from little more than a visit to a website AND requires NO PASSWORD TO INSTALL is making it’s rounds and promises some scary things!

The exploit was patched in February for MS Windows systems, however Apple has yet to release one for OSX.
Read more about it here.

F-Secure has a method for checking for and removing the infection here.

So once again folks please do not be naive and think you are immune to attack simply because your Operating System is not MS Windows.

Be safe out there.

More Scareware going around–Fake disk errors and hidden files.

More security news. There is another round of Scareware/Trojans going around that trick users into infecting their machines http://bit.ly/zqaBJK and then ransoming a fix for money.

This new threat, named "Trojan.HiddenFilesFraud.A" by Bitdefender’s researchers, hides all files and folders on your machine and disables some standard keyboard shortcuts so you can’t un-hide them. To further inflame your mania it displays error messages as-if from Windows reporting such worries as "damaged hard disk clusters." Disk scareware hides files.Just when your frenzy is at its peak, the fake disk repair tool goes to work. It busily spins and flashes and eventually reports a plethora of errors. Want the problem fixed? All you have to do is register… for $80. The worst of it is, even when you do register it doesn’t unhide your files. Pay $80 for the repair utility that will do absolutely nothing once purchased. The scam is done, the money is gone. And there is a good chance your credit card will be used for more fraudulent activity in the very near future!

It displays a fake ‘error’ and ‘fix window’ that if clicked on (EVEN TO CLOSE!!) actually infects the machine! The the user is supposed to be scared enough and convinced to reach for his pocket and

Please keep your Anti-virus/Spyware application, Systems and especially your Browsers up to date! I have posted previously on how to ‘get out’ of this bogus application look here http://bit.ly/pUhosM and throughout my blog for MANY articles regarding security please check them out. Or you could just pay me to fix what you mess up for not following my advise. Smile

Be safe folks! Peace.

Online safety tips from Google

Here is a very good walk though of basic online safety steps that just about everybody should read. From start to finish!

Google on Online Security

It covers just about everything I and other security professionals have been saying for years. Strong passwords, up to date Operating Systems and Browsers, updated Antivirus and applications. NOT clicking on links in emails but instead using the ‘front door’ of sites etc.

It is still worth spending a few minutes of time to read and follow the advice. To not do so is simply foolish.

Phishing attacks getting more efficient for the bad guys

Folks, please, please, please be very careful of what you click on and what financial information you provide. Especially in response to an ‘alerting’ email!
There are a great number of ‘phishing’ attacks occurring again and they are getting even more sophisticated. Many almost look and sound legitimate. I have written previously on some of this here.

But as a reminder, if you get an email or text telling you you must login to a financial (or any other for that matter) site via a link in an email DO NOT CLICK ON ANY LINK AND MOST IMPORTANTLY DON’T ENTER ANY INFORMATION IF YOU DO!!
If you must visit a bank, credit card or online vendors site for ‘verification’ or what ever do so through the ‘Front Door’. By that I mean open a brand new Web Browser window and log in to ‘their site’ and proceed from there. i.e. https://wellsfargo.com etc.

If you click on many of these links a few things are likely to happen. 1st you will probably be silently infected by a Trojan/backdoor application and 2nd you will probably be brought to a ‘bogus’ site that looks very much like the legitimate site. You will be prompted to enter in financial and/or information such as account/card numbers passwords and other verification. The MOMENT you do you can be assured that your account will be compromised! Sometimes in as little as a few minutes your account can be emptied!

Here is an example of one of the hundreds of emails that have been hitting my email server this weekend. You can see that it almost looks legitimate; the wording is sufficiently scary and authoritative and there is a ‘real logo’. But the link in the email is to a phishing site. AND the email address on the ‘from’ is not correct.

This looks very ‘scary’ and it is – but for the reason that you WILL be screwed, not that you are yet.

Please use some caution in the digital world. You would not give a perfect stranger your bank card and pin but some will do just that in cyberspace.

Be safe folks!

Computer Virus Infects U.S. Drone Fleet!

This should just serve as another warning – PEOPLE KEEP YOUR AV AND ANTI-SPYWARE SOFTWARE UP TO DATE!!

Use multiple types of protection, keep your systems OS files and applications updated.

A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other warzones. Read about that HERE

While you, as a civilian home user, don’t have the large ‘target’ on you that the government and large financial institutions do, you still need to be safe.

This will undoubtedly come down to poor security measures taken from the beginning of the OS install/configuration and on to user management policies – letting users run with administrative or elevated privileges that should not have it.

Come on folks think security first or you WILL be taken advantage of