Archive | September 2012

Fake Chase account summary emails now widespread

Be careful of new spam emails that appear to come from Chase.com. These emails claim that your account has been locked out and tell you to “click here” to unlock it. Doing so can compromise your computer. Only click links that check out: when you hover over a link, the status bar at the bottom of the browser should show the same address the link text claims. If it really is from Chase.com, the address must begin with https://www.chase.com/. If there is anything extra after the .com part other than a forward slash (as in the link example highlighted in red), distrust it and don’t click on it. If anything, call Chase customer support about the email rather than clicking the link.

It’s also very obviously a spam email because of the grammar and spelling errors involved, and also because of the following (when I view the full header):

  • Return-Path: <armagedo@c12.iservidorweb.com>
  • Received-SPF: none (domain of c12.iservidorweb.com does not designate permitted sender hosts)
  • Received: from armagedo by c12.iservidorweb.com with local (Exim 4.77)
    (envelope-from <armagedo@c12.iservidorweb.com>)
  • Message-Id: <e1tf5am-00009j-dx@c12.iservidorweb.com> id 1TF5am-00009J-DX
  • X-AntiAbuse: Sender Address Domain – c12.iservidorweb.com
  • IP: 69.175.87.58
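As an added example (not part of the original post), the following Python script applies the two checks described above to a message: it compares the Return-Path domain with the From domain, reads the Received-SPF result, and verifies that every link in the body points at exactly https://www.chase.com/ rather than at a lookalike host. The header values are the ones quoted above; the From line, subject and lure URL are constructed for the demo, and www.chase.com is used as the expected hostname because the post names it.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message. The Return-Path, Received-SPF, Received and
# Message-Id values are those quoted in the post; the From line, subject and
# body (including the lure link) are assumptions made for this demo.
SAMPLE_EMAIL = """\
Return-Path: <armagedo@c12.iservidorweb.com>
Received-SPF: none (domain of c12.iservidorweb.com does not designate permitted sender hosts)
Received: from armagedo by c12.iservidorweb.com with local (Exim 4.77)
    (envelope-from <armagedo@c12.iservidorweb.com>)
Message-Id: <e1tf5am-00009j-dx@c12.iservidorweb.com>
From: "Chase Online" <alerts@chase.com>
Subject: Your account has been locked
Content-Type: text/plain

Your account has been locked out. Click here to unlock it:
https://www.chase.com.account-verify.example/unlock
"""

EXPECTED_HOST = "www.chase.com"


def domain_of(addr):
    """Return the lowercase domain part of an RFC 5322 address, or '' if none."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def link_is_legitimate(url, expected_host=EXPECTED_HOST):
    """True only if the URL uses https and its hostname is exactly expected_host.

    A host such as www.chase.com.account-verify.example fails because the whole
    hostname is compared, not whether 'chase.com' appears somewhere in it.
    """
    parsed = urlparse(url)
    return parsed.scheme == "https" and (parsed.hostname or "").lower() == expected_host


def check_message(raw, expected_host=EXPECTED_HOST):
    """Return a list of reasons the message looks like a phish (empty means none found)."""
    msg = message_from_string(raw)
    findings = []

    # 1. The envelope sender (Return-Path) should belong to the same domain as From.
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")

    # 2. The receiving server's SPF verdict is the first word of Received-SPF.
    spf = (msg.get("Received-SPF") or "").split(" ", 1)[0].lower()
    if spf in ("", "none", "fail", "softfail"):
        findings.append(f"SPF result is '{spf or 'missing'}'")

    # 3. Every link in the body must point at the expected host and nothing else.
    body = msg.get_payload()
    for url in re.findall(r"https?://\S+", body):
        if not link_is_legitimate(url, expected_host):
            findings.append(f"link host is not {expected_host}: {url}")
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE_EMAIL):
        print("suspicious:", finding)
```

The hostname comparison is the programmatic form of the hover test the post describes: anything after “.com” other than a slash changes the hostname, so the exact match fails.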

See for yourself:

Fake Chase email

You can avoid spam like this reaching your inbox by downloading the following tool:

Spam Filter for Outlook and Outlook Express

ZeroAccess/Sirefef infects up to 9 million PCs

The ZeroAccess rootkit, which some know as Sirefef, has grown its command-and-control infrastructure over the past year. It now spans the globe and has infected up to 9 million PCs. Its botnet started growing rapidly once it hit one million infections, and has since multiplied that figure by nine.

Like the new TDL4 variant, it can create its own hidden partition, which is problematic for PC users because they normally have no idea a hidden partition exists. Tools like TDSSKiller, though, can see through its disguise. There are two botnets, each with a 32-bit and a 64-bit version (four botnets in total), and they are usually distributed through exploits.

Fast facts:

The latest versions seem to have no kernel-mode components, so they no longer infect drivers as earlier versions did. Instead, they use user-mode components and drop folders named with their own GUID (CLSID) in the following locations:

  • c:\windows\installer\{GUID STRING}
  • c:\users\<user>\AppData\Local\{GUID STRING}
  • C:\Windows\System32\config\systemprofile\AppData\Local\{GUID STRING}
  • C:\RECYCLER\S-x-x-x\${RANDOM STRING}

It also parks its own infections in these locations:

  • C:\Windows\assembly\GAC\Desktop.ini
  • If on x64: c:\windows\assembly\GAC_32\Desktop.ini AND c:\windows\assembly\GAC_64\Desktop.ini
  • Infects c:\windows\system32\services.exe

The ports used by each version of the botnet:

  1. Port numbers 16464 and 16465 are used by one botnet for both 32- and 64-bit platforms.
  2. Port numbers 16470 and 16471 are used by the other botnet for both platforms.

It commits two types of fraudulent activity:

  1. Click fraud
  2. Bitcoin mining
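The artifact paths and port numbers above lend themselves to a simple triage script. The following Python is an added example, not from the original post or from any vendor tool: it matches file paths against the listed locations (GUID-named folders under Installer and AppData\Local, the RECYCLER subfolder, Desktop.ini in the GAC) and flags network flows to the four botnet ports. The sample paths, GUIDs and flow records are constructed for the demo.

```python
import re

# Regular expression for a {GUID} directory name, as in the locations listed above.
GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"

# One pattern per location named in the post. Paths are matched case-insensitively
# and may carry a file name after the indicated folder.
PATH_INDICATORS = [
    ("GUID folder under Windows\\Installer",
     re.compile(r"^[a-z]:\\windows\\installer\\" + GUID + r"(\\|$)", re.I)),
    ("GUID folder under a profile's AppData\\Local",
     re.compile(r"^[a-z]:\\(users\\[^\\]+|windows\\system32\\config\\systemprofile)"
                r"\\appdata\\local\\" + GUID + r"(\\|$)", re.I)),
    ("$-prefixed folder under a RECYCLER SID directory",
     re.compile(r"^[a-z]:\\recycler\\s-[0-9-]+\\\$[^\\]+", re.I)),
    ("Desktop.ini planted in the GAC",
     re.compile(r"^[a-z]:\\windows\\assembly\\gac(_32|_64)?\\desktop\.ini$", re.I)),
]

# Peer-to-peer ports from the post: two botnets, each using a pair of ports.
BOTNET_PORTS = {16464: "botnet A", 16465: "botnet A", 16470: "botnet B", 16471: "botnet B"}


def match_path(path):
    """Return the name of the indicator the path matches, or None."""
    for name, pattern in PATH_INDICATORS:
        if pattern.search(path):
            return name
    return None


def scan_paths(paths):
    """Return [(path, indicator_name)] for every path that matches a listed location."""
    hits = []
    for path in paths:
        name = match_path(path)
        if name:
            hits.append((path, name))
    return hits


def scan_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, proto).

    Return [(src_ip, dst_ip, dst_port, botnet_label)] for flows to the listed ports.
    """
    return [(src, dst, dport, BOTNET_PORTS[dport])
            for src, dst, dport, _proto in flows if dport in BOTNET_PORTS]


# Constructed file listing (GUIDs and file names are made up for the demo).
SAMPLE_PATHS = [
    r"C:\Windows\Installer\{2a7b8c3d-1e4f-4a5b-9c6d-7e8f9a0b1c2d}\payload.dll",
    r"C:\Users\alice\AppData\Local\{2a7b8c3d-1e4f-4a5b-9c6d-7e8f9a0b1c2d}\payload.dll",
    r"C:\Windows\System32\config\systemprofile\AppData\Local\{2a7b8c3d-1e4f-4a5b-9c6d-7e8f9a0b1c2d}\payload.dll",
    r"C:\RECYCLER\S-1-5-18\$7f3e2a1b9c8d\payload.dll",
    r"C:\Windows\assembly\GAC_32\Desktop.ini",
    r"C:\Windows\assembly\GAC\Desktop.ini",
    # Matches the Installer pattern too: the MSI cache legitimately uses GUID folders,
    # so this kind of hit needs manual review rather than an automatic verdict.
    r"C:\Windows\Installer\{0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0}\setup.exe",
    r"C:\Users\alice\AppData\Local\Temp\report.tmp",  # benign, matches nothing
]

# Constructed flow records (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    ("10.0.0.5", "198.51.100.23", 16464, "udp"),
    ("10.0.0.5", "203.0.113.77", 16471, "udp"),
    ("10.0.0.9", "198.51.100.10", 443, "tcp"),
]

if __name__ == "__main__":
    for path, name in scan_paths(SAMPLE_PATHS):
        print(f"path hit  [{name}] {path}")
    for src, dst, port, label in scan_flows(SAMPLE_FLOWS):
        print(f"flow hit  {src} -> {dst}:{port} ({label})")
```

Path hits are leads for manual review, not verdicts: Windows\Installer legitimately holds GUID-named folders for the MSI cache, so a GUID folder there means little on its own, whereas a Desktop.ini sitting directly under assembly\GAC, or outbound traffic from a workstation to 16464/16465/16470/16471, is much harder to explain away.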

Get the review of Malwarebytes’ Anti-Malware

New TDL4 variant affecting government, ISPs, etc.

TDL4 is the newest version of the TDSS rootkit, a classic rootkit that has been infecting computers and building a botnet since 2006. With its new, more dangerous properties, it is able to sneak into government agency computers, ISPs, and even well-known companies. It uses stealth techniques and exploits to get itself installed, and it can hide in a different partition on the computer or create its own partition.

The new threat, which has been assigned the generic name DGAv14 until its true nature is clarified, has affected at least 250,000 unique victims so far, including 46 of the Fortune 500 companies, several government agencies and ISPs, the Damballa researchers said in a research paper released Monday.

In collaboration with researchers from the Georgia Tech Information Security Center (GTISC), the Damballa researchers registered some of the domain names the new threat was attempting to access and monitored the traffic it sent to them.

TDL4, also known as TDSS, is considered to be one of the most sophisticated malware threats ever created and used by cybercriminals – without counting threats like Stuxnet, Flame, Gauss and others that are believed to have been created by nation states for cyberespionage purposes.

TDL4 is part of a category of malware known as bootkits – boot rootkits – because it infects the hard disk drive’s Master Boot Record (MBR), the sector that contains information about a disk’s partition table and the file systems. The code that resides in the MBR is executed before the OS actually starts.

Much of this information was pulled from TechWorld.


One of the newer partition infections includes a dropper located at c:\windows\svchost.exe (note that the legitimate svchost.exe lives in C:\Windows\System32, not directly under C:\Windows).
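To make the MBR description above concrete, here is an added Python example (not from the quoted article or from the post) that parses a 512-byte MBR the way a forensic tool would: it reads the four 16-byte partition entries, checks the 0x55AA signature, compares the boot code against a known-good hash, and lists sector ranges that no partition entry accounts for, since a bootkit’s hidden partition is exactly such undescribed space. The MBR image, disk signature and disk size are constructed in the script.

```python
import hashlib
import struct

SECTOR = 512
BOOTABLE = 0x80
BOOT_CODE_LEN = 440          # classic layout: code, 4-byte disk signature, 2 reserved bytes
PART_TABLE_OFFSET = 446      # four 16-byte entries follow
ENTRY_FORMAT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(mbr):
    """Parse one 512-byte MBR. Returns (boot_code, partitions, signature_ok)."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    signature_ok = mbr[510:512] == b"\x55\xaa"
    boot_code = mbr[:BOOT_CODE_LEN]  # executed by the BIOS before any OS code runs
    partitions = []
    for i in range(4):
        start = PART_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            ENTRY_FORMAT, mbr[start:start + 16])
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == BOOTABLE, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return boot_code, partitions, signature_ok


def unallocated_regions(partitions, disk_sectors):
    """Return (start, length) of sector ranges not covered by any partition entry."""
    regions = []
    cursor = 1  # sector 0 is the MBR itself
    for p in sorted(partitions, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            regions.append((cursor, p["lba_start"] - cursor))
        cursor = max(cursor, p["lba_start"] + p["sectors"])
    if cursor < disk_sectors:
        regions.append((cursor, disk_sectors - cursor))
    return regions


def boot_code_digest(mbr):
    """SHA-256 of the boot-code area, for comparison with a known-good value."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def analyze(mbr, disk_sectors, known_good_boot_sha256=None):
    """Summarize what a defender wants to know about an MBR."""
    boot_code, parts, sig_ok = parse_mbr(mbr)
    report = {"signature_ok": sig_ok, "partitions": parts,
              "unallocated": unallocated_regions(parts, disk_sectors)}
    if known_good_boot_sha256 is not None:
        report["boot_code_changed"] = boot_code_digest(mbr) != known_good_boot_sha256
    return report


def build_sample_mbr(entries, boot_code=b"\xfa\xeb\xfe"):
    """Construct a synthetic MBR for the demo (not a real disk image).

    entries: list of (bootable, ptype, lba_start, sectors).
    The default boot code is a three-byte cli / jmp $ stub.
    """
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    mbr[440:444] = b"\x12\x34\x56\x78"  # disk signature, constructed
    for i, (bootable, ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into(ENTRY_FORMAT, mbr, PART_TABLE_OFFSET + 16 * i,
                         BOOTABLE if bootable else 0, b"\x00\x00\x00",
                         ptype, b"\x00\x00\x00", lba_start, sectors)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed 1 GiB disk with one NTFS (0x07) partition that stops short of the
# end, leaving a tail region that no partition entry describes.
DISK_SECTORS = 2_097_152
SAMPLE_MBR = build_sample_mbr([(True, 0x07, 2048, 2_000_000)])

if __name__ == "__main__":
    report = analyze(SAMPLE_MBR, DISK_SECTORS, boot_code_digest(SAMPLE_MBR))
    print("signature ok:", report["signature_ok"])
    for p in report["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02x} "
              f"LBA {p['lba_start']} +{p['sectors']} bootable={p['bootable']}")
    for start, length in report["unallocated"]:
        print(f"unallocated: sectors {start}..{start + length - 1} ({length} sectors)")
    print("boot code changed:", report["boot_code_changed"])
```

On a real machine the first 512 bytes come from the raw device (\\.\PhysicalDrive0 on Windows, /dev/sda on Linux) and reading them needs administrative rights. A gap of a few thousand sectors before the first partition is normal alignment; an unexplained region at the end of the disk, or a boot-code hash that no longer matches the last known-good value, is what warrants a closer look. Bear in mind that a live rootkit can filter what the operating system returns from the disk, which is why an offline image or a dedicated tool such as TDSSKiller is more trustworthy than reading from the infected system itself.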


Protect your computer from rootkits with Kaspersky Lab, the makers of TDSSKiller, for only $59.95 (a $79.95 value):


Kaspersky Internet Security 2012

Flame malware command-and-control servers reveal earlier origins, among other links

Government malware such as Flame and Stuxnet is expanding and becoming more of a problem. Computer systems are becoming more inventive, but not at the alarming rate at which dangerous malware is expanding. And Flame may have links beyond Stuxnet.

First, computer systems have been built for specific purposes for about forty years now. Some newer systems, however, are designed to run like robots: the system works on its own without user intervention. But what happens when malware targets the core computer systems of oil companies, energy companies, military plants, and the like? The consequences of a compromise can be dangerous and severe.

Second, the Flame malware came to light this past May, when it was found to have infected over 1000 computers, according to Kaspersky Lab. The victims of that first wave included governmental organizations, educational institutions, and individual users. Most of the infections were concentrated in West Asia, including Iran, Israel, Syria, Saudi Arabia and Egypt, among others. The malware supported a kill command that eliminates all traces of it from the infected computer, and that command was sent soon after the malware was exposed. Right now there are no reported active Flame infections and no reports of other variants being created.

However, derivatives of the Flame malware are being created. We reported a few weeks ago on Shamoon being actively distributed using its skiddie approach. Other recently found links (such as Gauss) tie Flame to command-and-control usage going back to 2006, which means the Flame project could be as much as six years old, or is related to malware from that time.

Instead of looking like a botnet interface, the Flame command centers look more like content-management systems (CMS), and they use many other new approaches. One of those approaches involved the three fraudulent certificates, which Microsoft issued a patch to block back in June.

More details about the findings and the C&C servers were unveiled in the recent Flame investigation by Kaspersky Lab and in the write-up from Symantec (PDF). Researchers at Kaspersky Lab state that they were already suspicious of a development link to Stuxnet back in June, when communication between the teams was eavesdropped on.

Speculation about the key developers behind all of this points to the US and Israel working together. However, there is no known evidence backing these claims, beyond what researchers can infer from coding styles and the other methods used.

The articles by Kaspersky Lab and Symantec include the following observations and speculations as well:

  • At least four programmers worked together on development, as their nicknames were left in the code.
  • One server was contacted by 5000 victim machines during a single week in May, suggesting at least 10,000 victims.
  • The infections were not focused on one group of organizations or people, but on separate groups of targets in many countries.
  • Many of the targets were in Iran and Sudan.
  • Several custom protocols were used to communicate with the servers, not just one: at least four different protocols were in use.
  • Large amounts of data were stolen; 5.5 GB was reported in just one week of data collection by the malware.
  • The attackers are either mining for government information or attempting to gain military intelligence.

The developers behind the Flame malware have many more secrets, which are gradually being unveiled. More ties between Stuxnet and Flame are being uncovered, and as the information becomes available it will be here on seCURE Connexion’s blog. The Flame developers obviously have a lot of nerve developing these cyber-weapons, but many politicians and security experts have warned of this kind of information warfare for years. Here we are at the peak!

To protect your computer from hackers, use Kaspersky’s PURE Total Security:
Kaspersky PURE Total Security

Security & BYOD for the iPhone 5 (mini-whitepaper)

As you upgrade to the iPhone 5, please keep in mind some principles, both personal and business.

  • If your old iPhone will be handed down to a child, make sure ALL critical data is removed from it first. This includes all business data, personal details, etc. Protecting your business and personal identity is critical.
  • As new devices are created, new threats are created as well, and they need to be identified and dealt with. Just because it is a new iPhone does not mean it is immune to security threats. Security is a losing battle, because hackers are always trying to stay one step ahead of programmers and developers. While developers work around the clock to prepare this new hardware and software, hackers are working just as hard against them.
  • The iPhone 5 is set to accelerate BYOD, which means more options should be available to network administrators, such as data copying and wiping operations (erasing large amounts of data).
  • iOS 6’s Passbook feature can store financial information for securing digital transactions. If you are comfortable storing that information, go ahead; otherwise, keep it off the device.
  • Emails, texts, and calendar appointments can be modified through Siri without anyone having to log in to the device.
  • If Apple succeeds in acquiring AuthenTec, it will allow a fingerprint identification system for the device, making it more secure physically. This technology is still pending at the moment.
  • Apple calls the iPhone 5 “The thinnest, lightest, fastest iPhone ever”, but they mention nothing about security, do they?


If this has helped you personally or your business in any way, please consider making a donation to help further the seCURE Connexion project.

Second Opinion Malware Scanners: Why buy one?

Second opinion malware scanners are a key tool for managing vulnerabilities. What a regular antivirus or internet security program doesn’t find or catch, the second opinion scanner can. This is an integral part of a defense-in-depth approach, which goes a long way toward maintaining the security of your computer AND your identity. ID theft is one of the biggest security problems on the internet today, but thanks to many anti-malware companies there are ways to avoid this type of problem.

Second opinion malware scanners do not interfere with other antivirus/internet security software. In the rare cases where they do, the support team at each company is dedicated to helping you resolve the issue quickly. These programs are engineered to work alongside an antivirus or internet security program.

The following is a short list of second opinion malware scanners. I only recommend two of them, because they are the best, and because I’m an affiliate:

  1. Malwarebytes’ Anti-Malware Pro (MBAM Pro)

    Overall, this program is a powerhouse against malware. It provides the best secondary protection mechanisms, including IP blocking functionality, and lets you protect the MBAM interface with a password, keeping hackers out while letting the user in. It also provides priority database updates, excellent customer support, and lightning-fast scanning technology. All this comes at a lifetime price of only $24.95 (USD), which means once you buy it, you never pay any more fees!
    Try Malwarebytes, the Leader in Malware Removal
  2. Hitman Pro by Surfright

    Hitman Pro is a different story. It provides a behavioral scan for malware, checking programs and files for typical malware- or virus-like behavior; if it thinks something is a threat, it alerts you and asks whether to remove it. It also uses the cloud to scan your computer with the newest zero-day threat data from all antivirus companies. This program is best known for its ability to find kernel-mode rootkits and to remove even some of the toughest malware. What could be better? Buy Hitman Pro today!
  3. Zemana Anti-Malware
    This program is newer to the market and not as well known as the above two. However, it is a competitor in the anti-malware field and deserves a mention nonetheless. From the vendor: “Zemana Anti-Malware is a second opinion scanner designed to rescue your computer from malware (viruses, trojans, rootkits, etc.) that have infected your computer despite all the security measures you have taken (such as anti-virus software, firewalls, etc.)”.

Apple releases major update to iTunes with version 10.7

Apple’s new release of iTunes 10 fixes 160 vulnerabilities.

The newest version number is 10.7. Update now!

Most of the fixes involve WebKit, Apple’s layout engine for rendering web pages in a browser. The main problems in iTunes 10 are therefore in the Store site, which is rendered with WebKit. WebKit is also used in Apple’s Safari browser and Google’s Chrome browser, and Google apparently helped get the fixes into Apple’s iTunes program.

Many of the WebKit vulnerabilities come from bug reports filed in 2011. Only fixing these flaws now shows how low iTunes sits on the Apple development team’s priority list; the same vulnerabilities were apparently fixed long ago in Safari and Chrome. So, what’s the excuse?

Users can get the security fixes by updating iTunes directly in the application.

Apple’s statement on the security update page:

Available for: Windows 7, Vista, XP SP2 or later

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: Multiple memory corruption issues existed in WebKit. These issues are addressed through improved memory handling.


Protect your computer now from vulnerabilities like these by getting a second opinion malware removal scanner and protection program:
