malware Archives - Page 25 of 26

Sony Under Attack: The Wiper Malware

Securitymalware, security, sony, wiperOphtek, LLC

Dec 2014

The sophisticated Wiper malware which was launched against Sony Pictures does exactly what it sounds like: wipes anything and everything from systems.

“Wiper” uses a malicious set of attacks:

Wipe out all information held on hard disks
Reboot servers
Prevent access to Exchange emails
Close down networks
Used on all versions of Windows

How Wiper malware works:

The Wiper executable file, recognized as exe, is known as a “dropper” file.
This file will install itself over supporting files and as a trusted Windows service.
It also creates a network share within the system root directory. This allows any other computer over the network to reach it.
It uses the WMI (Windows Management Interface) to communicate with other machines and run code to and from them to spread itself further across the network.
This allows wiper to gain access to any machine on the system via a computer network exploitation (CNE).
Broadcasts are sent out to remote command networks via a “beacon” message, the malware is already accessing the hard drive to delete data by each sector.
It overwrites data with ordinary user privileges by disguising itself as a USB 3.0 device driver. This is a commercially available disk driver, made by EldoS.
It then instructs the operating system to halt for a couple of hours then wake up with a reboot. By this time, all the data is wiped clean by the malware.

Wiper attack on Sony Pictures

Sony Pictures is a prime example of being on the receiving end of the “Wiper” attack. This particular attack recently gained media attention, got the FBI involved and caused a stir at Antivirus companies.

A snippet from the FBI memo about Wiper

Speculation at Sony from a Re/code analysis reports links the attack to North Korea. This is partly due to a near identical attack carried out against South Korea by their northerly neighbors. Originally it was claimed the attack was motivated by disgruntled ex-workers who were laid off due to a company restructure earlier in the year.

What can you do?

It’s likely that this kind of attack is mostly aimed at very high profile companies, like in our example above. In general it’s wise to do the following to keep on top of your business or home security:

Update Anti-virus definitions. Be sure to have the latest updates from you Antivirus provider. Updates are added regularly to detect and quarantine suspicious files from doing further damage.
Verify your backups, and opt for an offsite or Cloud solution, in the case of a catastrophic data loss.
Update your critical Windows Servers and desktops with the latest operating system security patches.
Avoid being spear fished. Do not open unknown emails which contain attachments or files. Be conscious of spoof emails that may trick you into clicking attachments.
Lock down USB usage. With the help of an endpoint management solution, you can set policies to only allow authorized USB devices, which can help prevent this type of attack.
Revise your IT policies to only give specific administrators privileges to run, execute and share resources.

For more information about the Wiper virus and how you can protect your business from malicious malware, contact your local IT professionals.

Malware Spreading Through Adobe Flash Exploit

Office IT, SecurityAdobe, Flash, malwareOphtek, LLC

Nov 2014

Flash is common enough to be a prime target for malware. A new Adobe Flash exploit has been found allowing criminals to run malicious code.

Flash is susceptible to tampered files used to display multimedia, videos and animations while you are browsing the internet. This mainly affects desktops; however, it’s not an issue with servers since servers are less likely to have users on them browsing the internet.

Understanding the new Adobe Flash vulnerability

Taking a closer look at the cause for infections spreading through Adobe Flash, the risk usually lies in binary browser vulnerability within the .SWF files, where it is dropped by an undisclosed iframe.
Iframe is an inline frame. Back in the 90s, Microsoft came up with the idea for basic webpages to point to another page. This allowed a website to combine the content of its page with another. An iframe allows you to embed one site into another one seamlessly, with two different webpages displaying as one. Sounds like a great idea at the time, right?
It initially worked very well for Internet Explorer. What wasn’t foreseen was malware authors exploiting these iframe features.
This exploit affects only Internet Explorer users, which is why we urge everyone to use a more secure browser such as Firefox or Chrome.

What does this Malware vulnerability do?

The injected iframe may have something subtly embedded such as a single pixel within the SWF file.
It’s high risk to Internet Explorer Users, where the Iframe can identified by its negative absolute positioning and random number approach.
The usual behaviour from these types of files will eventually take you to a currently black-listed blank domain.
This, of course, could change at any time. It could pose as a spoof site, aiming to steal data or to install malware.

How to protect yourself

The solution is simple, stay on top of your Adobe Flash updates. This is very important, especially if you use your web browser to do online gaming, stream music, watch videos and animations, such as on YouTube, which nearly always uses Adobe Flash Player. By keeping updated with the latest Adobe updates, you’ll help to close down those vulnerabilities discussed above, and more.

It’s good news if your choice of browser is Google Chrome. Chrome automatically updates your browser to the latest version of Adobe Flash.

All Onsite PC Solution Managed Services clients are automatically protected during their monthly maintenance.

To learn how to update Adobe Flash, please see our article Here (https://www.ophtek.com/should-you-update-adobe-flash/)

Cryptowall Becoming The Most Destructive Malware of 2014

Network, Office IT, Securitycryptowall, malware, securityOphtek, LLC

Nov 2014

Cryptowall, Cryptolocker and Cryptodefence; all malware looking to hold your computer ransom. Here’s what you need to know about these viruses.

Cryptowall is one of the worst malwares out there that can maliciously encrypt your network and system files, holding them ransom in exchange for a Bitcoin payment. Typical Bitcoin payments can vary between $500 to $1000. Since there’s many hacker groups in existence in the wilderness, Cryptowall has evolved from Cryptolocker to practically do the same thing. And to confuse matters even more, there’s another variant like Cryptowall known as Cryptodefense.

The ransom message from a Cryptowall infection

Cryptowall in a nutshell

Cryptowall works by using encryption to change all of your network files, making them unreadable.
It affects Windows XP to Windows 8 Operating Systems.
It also cleverly deletes Shadow Volume Copies to stop any admins from restoring encrypted files.
Only the attacker holds the key to decrypt the files that makes them readable again.
The ransom increases after 7 days to nearly double the amount and is only payable with Bitcoin.

With this angle of attack, it’s no wonder why hackers are using this hostile method to forcibly siphon Bitcoin payment from their prey.

Examples of attacks

Durham Police

One prime example that has gained recent media coverage is Durham town police in New Hampshire. As a typical response from any law enforcement agency, the police refused to pay the ransom to cooperate with the cyber criminals.
It had impacted 1500 of their own computers, with most of their police e-mail system, spreadsheets and word processing functions being affected. It had bypassed their spam and AV filters, and was masked as an attachment in an email.
The danger lies in that the police receive plenty of emails with attachments to notify them of complaints such as potholes from residents, which of course, aren’t to be ignored. For this very reason an infected email attachment was opened, executed and it ran through the system.
Fortunately for them, they were able to stop the attack from spreading to other company functions and police networks in other towns by isolating their network and recouping their system from offline back-ups.

Business Decisions

Another example of an attack came from a client of Stu Sjourwerman’s security training firm knowB4. The attack happened after an administrator opened an infected file, which ran through onto their 7 mapped server drives, encrypting all 75 GB of data held there.

There were many negative factors against them:

Firstly, they had unverified backups, which would take time to see whether they worked or not, a risk which would be costly to the time in terms of extended downtime with no guarantee of a successful restore.
Secondly, setting up a Bitcoin account involves a lengthy process to set up with society checks that can take days to complete.
In desperation with shortening their downtime, they decided to pay the ransom. It was a business decision, meaning either losing out $500 in Bitcoin or thousands for operation downtime.
The problem was, they didn’t have the Bitcoin to pay the ransom.

The turning point:

Luckily, they had sought Stu Sjourwerman’s help, where he had Bitcoins at hand, ready for such an event like this one.
This company’s IT admins had, prior to this event, taken a security awareness course lead by ex- hacker Kevin Mitnick and with Stu Sjourwerman.
Contrary to the police case, this company had taken the advice from the course, and with Stu Sjourwerman’s Bitcoins, they managed to pay the ransom to avoid further downtime.
In the end they did recover their files; however there was corruption to one of their databases, which all in all took another painstaking 18 hours to return to normal.

Not all cases end well and not all ransoms release the files as promised. It’s really at the discretion the criminal cyber gangs controlling the attack.

For more ways to strengthen your office security and IT policy enforcement, contact your local IT professionals.

3 Reasons to Watch Your Computer Processor Usage

hardware, Security, Servicescpu, malware, pc, trojan, WindowsOphtek, LLC

Jul 2014

Your computer processor is the brain of your system. If your processor runs at 100% capacity there could be a serious problem. Here’s why you should check your CPU.

Modern operating systems like Windows 7, Windows 8 and Mac have come a long way in terms of making the most of your computer’s processor. Multi-core processors have given computers a big boost too. These and many other factors mean your processor should rarely be used at 100% capacity. So what could it mean if your computer processor is being used at 99% or 100%?

1. A bitcoin mining virus has infected the system

Bitcoins are a fairly new form of online currency that can be transferred and used anywhere in the world. Bitcoins are generated using a computers processor. However imagine having access to tens if not hundreds of thousands of unsuspecting processors to generate bitcoins for you. This has motivated criminals to write bitcoin mining viruses that will use your computers processor to make them money.

2. Trojan infections on the computer

A trojan virus allows someone to connect to your computer over the internet. They can use trojans to view your screen, record anything you type on your keyboard, steal your files or casually browse the data on your computer. Trojan viruses are one of the leading causes of identity theft and can sometimes be very difficult to remove.

3. Software is malfunctioning or failing

As hard as they try, software publishers aren’t always able to keep their software up to date and working smoothly with the latest systems. Often times the publishers will rely on users to let them know when their software misbehaves so they can release an update or fix. High CPU usage can be a sign of a malfunctioning program so be sure to save your work often.

All managed services clients are automatically covered against high CPU usage. Here’s how you can check if your processor working too hard.

For more ways to protect your home or office computers, contact your local IT professionals.

3 Ways to Remove Malware from your PC

Security, SoftwareDetect, malware, Remove, virus, WindowsOphtek, LLC

Jun 2014

Is your PC running slower or are you getting unwanted popups and ads? You may have a malware or virus infection. Here are 3 ways to remove infections.

1. First, make sure that you have an infection.

Aside from Windows running slowly, one telltale sign of an infection is the computer running programs and processes that look completely unfamiliar.

Open Windows Task Manager. Right- click the taskbar and choose Task Manager from the menu.

Select the Processes tab and click Memory or Mem Usage to to sort the running processes by how much RAM they use.

This should display the processes in descending order of memory usage. If it is in ascending order, you can click the Memory or Mem Usage tab again to view the processes with the largest memory on top. Paying special attention to these processes, look for ones with unfamiliar looking names.

In particular, focus on high memory processes running in the task manager that have names with strange characters or symbols. Perform a google search on the peculiar looking processes to find out if they are legitimate.

If the search results on the web point toward it being a malicious process, you may be able to remove it as a startup program. Click the Start button, type msconfig in the search box, and click it when it comes up as a menu selection.

After the system configuration utility loads, click the Startup tab to display the programs the system loads when the computer starts up.

Try to find the suspect process in the list of Startup Items and uncheck the box next to it to remove it as a startup process. It will be removed when Windows restarts.

2. Run a virus scan on your system

If you haven’t already done so, run a scan of your system with an antimalware or antivirus program. Malwarebytes and Microsoft Security Essentials are highly recommended. First start with a simple scan. If this detects anything, remove the threats it detects. Next, run a full system scan.

If successive full system scans still detect malware, take note of the threats the scanner displays. Run a Google search on the threats to see if anyone has posted a successful method to remove the virus.

Detection of viruses on successive scans likely indicates that your antimalware program has been compromised. Accordingly, downloading a new malware scanner is a good idea. Barring Malwarebytes, Bitdefender, Eset Online Scanner, and House Call are excellent suggestions.

But before running a scan with any of these antimalware programs, reboot the computer into Safe Mode with Networking. To do this, restart the computer and press F8 repeatedly when the logo of the motherboard manufacturer appears on the screen.

You will next see a black screen showing Advanced Boot Options. From this list select Safe Mode with Networking.

This will boot into a simplified version of Windows that runs only necessary programs. Usually malware doesn’t load in safe mode. In safe mode, run your new malware scanner in advanced or custom mode. These modes are favored because you need to scan every directory on the computer. Be sure to perform a full scan on the entire system. This will take some time. You can probably watch a full length feature film while this occurs.

After this scan cleans up your computer, run another with a different malware program. Again, be sure to do a full system scan in Safe Mode with Networking. If the second scanner detects nothing, it is a good bet your system is purged of infections.

3. Run a live disc virus scan

If multiple scans keep detecting infections, you will need to reboot into a Linux live disc. While there are many live Linux distributions to choose from, Kaspersky Rescue Disk is highly recommended, as the interface is simple for Windows users.

For more assistance on this or other issues affecting your computer, consult your local IT professionals.

« Previous 1 … 23 24 25 26 Next »

Tag Archives: malware