
Archive for: Malware

TalkTalk HomeSafe Claims All Bittorrent Sites Will Give Users Malware if Visited

It has been reported over at TorrentFreak that TalkTalk HomeSafe is now blocking bittorrent sites. It seems that TalkTalk HomeSafe labels every bittorrent site with a “Virus Alert” message when you try to view it. This statement simply isn’t correct, as it claims that all bittorrent sites (isohunt.com, thepiratebay.org, etc.) host malware that will infect any computer which visits them.

It seems that TalkTalk have been told to put a ban on the sites, but didn’t really know how they could ban the sites legally. You might lose a lot of customers after this, TalkTalk!

New Virus “Erases” Files and Folders: Panics Users

Thanks to a new virus which makes users believe all of their data has been deleted, computer users everywhere are in mass panic and repair shops are busier than ever. This new virus is pure genius and is, as old-school hackers would put it, a “truly righteous” hack. It exploits a loophole in Java which gives the virus god-rights on the computer, and it installs without the user ever knowing. Unlike most viruses today, which trick the user into thinking they have a virus and clicking ‘OK’ to clean it up (which actually installs it), it is embedded in web pages which use Java and installs silently. And since nearly everyone has Java turned on to surf the internet, it installs quietly and effortlessly. Suddenly, all the computer’s files, icons and folders are “gone.” Panic ensues as users frantically try to figure out how to recover their “lost” data. But what has really happened is that the virus has simply hidden every file on the computer! Genius, right? I can only imagine the developers are sitting back having a good laugh about it all.

So what do you do if you get hit by this lovely virus? A non-techy person could take it to a computer repair shop and spend anywhere from $85-$150 to get it fixed. Or for you geeks, you could fix it yourself using the following steps:

(Please note the following steps are for experienced users only – if you are not comfortable performing any of the below steps, take the computer to a professional!)

1) Immediately boot into Safe Mode (with networking) and do not leave it until you are done! (Mashing F8 at the boot screen will do this on most computers – read the boot screen if F8 doesn’t do the trick)

  1. If you have to reboot at any time, make sure you boot back into Safe Mode!

2) Download and run RKill: http://www.bleepingcomputer.com/download/anti-virus/rkill. This will terminate the running virus and allow you to clean up the computer. Any of the download links should work – they just have various names to confuse viruses.

3) You need to be able to see the folders/files which are hidden. To do this, do the following:

  1. Click your start menu
  2. In the ‘run’ field, type “cmd” and hit enter
  3. Type: attrib -h c:\*.* /s /d
  • **The virus may make files read-only as well. If so, include -r (attrib -r -h c:\*.* /s /d).
  • **If the virus marks files as system files, add -s.
  • Do NOT add any unnecessary -r or -s switches. Only use these switches if needed.

4) Make sure you have the following programs installed and updated:

  1. Microsoft Security Essentials (http://www.microsoft.com/security_essentials/)
  2. Super AntiSpyware (http://www.superantispyware.com)
  3. Remove ANY other antivirus program you have as most don’t live up to their promises and often do more harm than good (ESPECIALLY Norton, McAfee and AVG).

5) Run a FULL scan on both Security Essentials and Super AntiSpyware.

6) Clean up your registry! (If not comfortable with this, pay for a professional cleanup!)

  1. Go to Start–>Run–>’regedit’ and hit enter, then ‘Ok’ or ‘Yes’
  2. Go to HKEY_CURRENT_USER–>Software–>Microsoft–>Windows–>CurrentVersion–>Run
    i. Remove anything which looks suspicious and is not a file you recognize. For instance, an entry with a name like FKA546542EJJAL that points to a file in a temp folder is probably a virus (EXAMPLE ONLY). This is also a good time to remove unnecessary programs from starting up at boot time.
  3. Go to HKEY_CURRENT_USER–>Software–>Microsoft–>Windows NT–>CurrentVersion–>Winlogon
    i. Again, remove anything suspicious. If you don’t see anything obvious, DO NOT DELETE ANYTHING.
  4. Go to HKEY_USERS–>’user name’ or ‘.DEFAULT’–>Software–>Microsoft–>Windows–>CurrentVersion–>Run
    i. Remove suspicious entries as mentioned above
    ii. Do this for EVERY user
  5. Go to HKEY_LOCAL_MACHINE–>SOFTWARE–>Microsoft–>Windows–>CurrentVersion–>Run
    i. Remove suspicious entries (be EXTRA careful here as some of these entries are necessary for system files to run at startup. Again, if not sure, take it in for a professional cleanup!)
  6. Go to HKEY_LOCAL_MACHINE–>SOFTWARE–>Microsoft–>Windows NT–>CurrentVersion–>Winlogon
    i. Double click on ‘Shell’ and make sure it ONLY says ‘explorer.exe’. If there is anything after it, delete it!
    ii. Double click on ‘Userinit’ and make sure it ONLY says ‘C:\Windows\system32\userinit.exe,’ (including the trailing comma). If there is anything after it, delete it!

7) Lastly, do a quick file cleanup

  1. Go to C:\Windows\System32
    i. Sort by Date Modified – click twice so you see the most recent date on top
    ii. Going from the date you got infected (hopefully you are doing this the same day or the next day), remove any files which look suspicious (yet again, if you don’t know what you are doing, take it to a professional!)
  2. Go to C:\Windows and do as above, but look at folders as well as files
  3. Delete cookies and temp files (any self-respecting geek knows how to do this already)
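As an added example (not code from the original post), here is a read-only PowerShell audit of the autorun locations that steps 6 and 7 walk through: it warns if the Winlogon Shell or Userinit values differ from the expected ones, flags Run entries that launch from a temp folder or carry a random-looking name (a heuristic built from the post’s FKA546542EJJAL example), and lists System32 files changed since an assumed infection date. It assumes Windows PowerShell 2.0 or later on an elevated prompt; the $InfectedSince cutoff and the heuristics are assumptions, and nothing is deleted, so you still decide on each entry.

```powershell
# Added read-only audit script (not part of the original post); it walks the
# autorun locations from steps 6 and 7 and reports, but never deletes anything.
# Assumes Windows PowerShell 2.0 or later, run from an elevated prompt.
param(
    # Assumed cutoff for step 7: files in System32 modified after this are listed.
    [datetime]$InfectedSince = (Get-Date).AddDays(-2)
)

# Step 6 (vi): Winlogon Shell and Userinit must be exactly these values.
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = 'C:\Windows\system32\userinit.exe,'
}
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($name in $expected.Keys) {
    $actual = (Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue).$name
    if ($actual -ne $expected[$name]) {
        Write-Warning "Winlogon $name is '$actual', expected '$($expected[$name])'"
    }
}

# Step 6 (i-v): Run keys for the current user, the machine, and every loaded user hive.
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
$runKeys += Get-ChildItem 'Registry::HKEY_USERS' |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" }

# Heuristics taken from the post (assumed, not exhaustive): commands launched from a
# temp folder, and names of 10+ letters/digits with at least one digit and no punctuation.
$tempPath   = '\\(Temp|Local Settings\\Temp|AppData\\Local\\Temp)\\'
$randomName = '^(?=.*\d)[A-Za-z0-9]{10,}$'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not an autorun entry
        $reasons = @()
        if ("$($p.Value)" -match $tempPath) { $reasons += 'runs from a temp folder' }
        if ($p.Name -match $randomName)     { $reasons += 'random-looking name' }
        if ($reasons.Count -gt 0) {
            "[$key] $($p.Name) = $($p.Value)  <- $($reasons -join ', ')"
        }
    }
}

# Step 7: files in System32 changed since the assumed infection date, newest first.
Get-ChildItem 'C:\Windows\System32' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $InfectedSince } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Name
```

Review each flagged line against what you know is installed before touching regedit; a legitimate updater in a temp folder will also be reported.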

So by now you have:

1) Made your files viewable and usable again

2) Removed the virus and any associated viruses or malware using the recommended software

3) Removed registry entries to prevent anything bad from loading on startup and thus re-infecting your machine

4) Removed any negative system entries which may also be contributing to the problem.

You might have even discovered you had other spyware, malware or viruses you didn’t know about throughout all this. But if you did everything correctly, you should be clean. If not, now is definitely a good time to take the computer in for a professional cleanup as your machine likely has bigger problems than you were aware of. Good luck!

**Please note that running these commands will make EVERY file on the system viewable and editable, including previously hidden system files you shouldn’t mess with. Use extreme caution when working with files after doing this. If you aren’t comfortable with this, consider paying for a professional cleanup.

How to Easily Implement a Centralized Antivirus Solution Using GFI VIPRE Antivirus

GFI VIPRE Antivirus is one of the best solutions available on the market for operating system security. With a lot of versatility, GFI VIPRE offers tons of options and configurations to deploy on client or server machines, and it is very simple to install.

Protecting operating systems against malware and viruses is a key factor in every organization, even though most small or mid-size companies neglect the matter. GFI VIPRE Antivirus provides the simplicity and scalability any company should be looking for in a security solution.

Some of the most important features included in GFI VIPRE Antivirus are:

  • Simple installation and environment configuration: The platform does not require complex configuration. For a complete, detailed step-by-step guide, check this link.
  • Centralized management: A central console to administer all your clients, with the possibility of delegating read-only permissions to operators.
  • Easy deployment: Fast, with several options to discover machines, plus automatic deployment included. If clients are not reachable, manual MSI installation can be used.
  • Scalability: You can configure different sites and different policies that will be handled by GFI VIPRE Antivirus, making it possible to protect all the necessary computers with different options for each.
  • High compatibility: Windows 2000 SP4 or newer operating systems are supported as client machines (Windows 7 included, of course).
  • Flexible reporting: Vast options to configure reporting within your environment.
  • Very low resource usage: GFI VIPRE Antivirus is one of the antivirus products that require only a very small portion of your machine’s resources, making it completely silent and transparent to users.

Here’s a comparison of the most used antivirus products and their CPU usage while a scan is running:

As a quick reference, here’s an overview of the process of implementing GFI VIPRE Antivirus (detailed step-by-step here):

  1. Review the requirements for server and client machines.
  2. Define the types of machines and the behavior you would like the antivirus software to have, depending on the machine category.
    This will be represented in the policy we configure for each category we decide on (for example, mobile computers will have a more restrictive policy than the workstations).
  3. Install GFI VIPRE Antivirus.
  4. Create and configure the policies to apply to agent machines.
  5. Add agents and validate the VIPRE installation. The platform supports automated installation as well as, of course, manual installation.
  6. Run a manual scan on the agents to validate the current health status of your clients. Automatic scans on agents can be configured, but we can also trigger manual scans whenever we need.
  7. Generate reports using Report Viewer.
  8. Configure any additional sites and permissions for different types of users. We can have simple operators of the platform using the GFI VIPRE console.

You can download a free trial of GFI VIPRE Antivirus from this link.

Virus Infecting Mac and Linux

The Koobface Trojan is back, and now it comes with a few surprises for some friends: it infects Mac OS X and Linux. Intego, the Mac Security Blog, reported that this virus is spreading through social networks and affects Mac computers as well as Linux.

Koobface appears on social networks like Facebook, Twitter and MySpace, and it no longer infects only Windows computers. One of the common messages indicating the presence of Koobface is “Is this you in this video?”; once we click on the link it will try to run a Java applet which installs malware on the OS.

As on Windows, Koobface will run a local web server and an IRC server, acting as a botnet node and as a DNS changer; and of course it will try to spread to other computers.

Intego assures that Intego VirusBarrier X6 and X5 detect and eradicate this malware, but we must avoid running any unknown Java applet on our computer, and if we do, we should notice that an installation is running and quickly cancel it.

Mozilla Removes Dangerous Add-On

Mozilla official blog recently announced the removal of an add-on which was transmitting personal and confidential data from users to a remote site.

The add-on is called (or was) Mozilla Sniffer, and it was uploaded on June 6th to the official Mozilla add-on site. It was downloaded by 1800 users, and 334 had the add-on active. The add-on apparently took all of the users’ private browsing data (like user names and passwords) and sent it to a remote site.

Since Mozilla has blacklisted this add-on, all of those who had it running should see it disabled in their browsers.

Mozilla also makes a contradictory statement about this situation:

“Mozilla Sniffer was not developed by Mozilla, and it was not reviewed by Mozilla. The add-on was in an experimental state, and all users that installed it should have seen a warning indicating it is unreviewed. Unreviewed add-ons are scanned for known viruses, trojans, and other malware, but some types of malicious behavior can only be detected in a code review.”

But later in the same article:

“Having unreviewed add-ons exposed to the public, even with low visibility, has been previously identified as an attack vector for hackers. For this reason, we’re already working on implementing a new security model for addons.mozilla.org that will require all add-ons to be code-reviewed before they are discoverable in the site”.

Damn right you’ll be reviewing those add-ons! If you are publishing add-ons, features and options for your product within your site, you should be aware there’s a responsibility behind it.

Two Malicious Add-Ons Made It Onto Firefox

A bit of an embarrassment for Mozilla Firefox – and it comes at a bad time too, right when they’re losing their dominance in the browser world as Chrome catches up.

Mozilla has been known as a very safe browser compared to its old enemy, Internet Explorer. In fact, many people used it for just that reason. So the last thing Mozilla needed was reports of malware in two add-ons which were available for download from their website.

“Two add-ons in the experimental section of addons.mozilla.org were found to be containing malware,” Mozilla said on its security blog. “These were not originally detected with the anti-malware scanning tools that we have been using. We have since increased the number of scanning tools, and will be taking additional steps to minimize the risk of further incidents.”

It is thought that well in excess of 4,000 downloads of the add-ons have taken place since they were first released in September. So are you one of the thousands of people who inadvertently infected their own machines? Well, if you downloaded Sothink 4.0 or any version of Master Filer, there’s a good chance you are. These installed Win32.LdPinch.gen and Win32.Bitfrose.32.Bitfrose Trojan respectively. So if you have downloaded these, I suggest running a scan of your system ASAP.

Microsoft Free Antivirus Releasing Today

Microsoft has been working for a long time now on providing a good and reliable antivirus platform for all users. And when I say “for all users” I mean a free one. It seems the dream is about to come true today: Microsoft Security Essentials will be released to the public as the free antivirus solution from Microsoft.

Microsoft Security Essentials will be replacing Windows Live OneCare as the security suite against viruses and malware. The suite can be installed on Windows XP, Vista and 7, and it seems it already has a good review of the protection you can achieve, shielding you from 97.8% of the existing malware on the web.

On the other hand, some of the other reviews this antivirus platform has received so far say that its engine is a little slow and intrusive with other applications.

And of course, the leaders of other security solutions are already trying to tear this solution down, like McAfee: it “will compete against other free solutions by offering limited security functionality”; or Symantec, saying it is a “thin defense” that does not give you any type of antispam or identity safeguards.

Let people decide then.

Spam Increased 141%

Spam levels have increased by 141% over the last few months, since March more precisely, according to the McAfee Threats Report for the second quarter of 2009. The main reason lies in another increase: botnets (infected computers used for spamming and other attacks) are up 16%. Need an explicit number? That translates to 117 billion spam emails every day.

The number that is equally disturbing is how many computers are currently infected and part of botnets: 14 million, with 150,000 added every day, which represents 20% of all the computers purchased each day. And these botnets and zombies are not only responsible for most of the spam; they also generated other attacks, like the denial-of-service attacks on the White House, the New York Stock Exchange and South Korean government web sites.

As for South Korea, that’s the country whose botnet activity grew the most, up 45%; but yes, the US stays at the top of that list with over 15% of the entire zombie population.

These spam numbers do not come alone: malware attacks have increased too, especially those that abuse Windows AutoRun and do not require any user intervention to “spread the evil”. That type of malware even outnumbered the Koobface and Conficker attacks.

This is a battle that will never end, I think; I’m sure that those who depend on this kind of battle will not let it end.

What do you think?

Koobface Attacks and Twitter

Koobface malware has found its way to infect thousands of Twitter users in the last few days, increasing of course the number of Twitter updates carrying messages like “My home video :) [url]“. The URL varies randomly, but all of them direct traffic to a Koobface site.

Twitter’s reaction was fast, and it has already suspended most of the infected users to stop the virus from spreading. TrendMicro blogged about this and is already giving its users solutions if they were infected.

This is apparently the second Koobface attack on Twitter; the first one used only three different TinyURLs posted by infected users. This malware mutation gave the infection a longer life than the previous one, which also appeared on Facebook, MySpace, Bebo, Hi5, Friendster and LiveJournal.

There’s no question about it, when you are that big, you will always have attackers and damage control will be needed.

Is YouTube Infected?


It was reported over on Techcrunch and Crunchgear that there was a virus running rampant across the YouTube network via certain embedded videos. It was reported that Internet Explorer (IE) and Firefox were targeted; later reports said it was just IE.

The virus was reportedly named Actns/Swif.T and contains a phishing scam that directs users to a website with an embedded .SWF which then installs a program called “Antivirus 2009.” Users were warned to guard against this potentially damaging malware by avoiding weird pop-ups, requests for personal information, or redirection to unknown sites.

The story was later recanted, as it turned out to be a YouTube-specific situation. On the back end, the virus protection service being used was returning false positives, identifying code within certain embedded videos as malware. The entire incident is harmless, and there is no security breach on the YouTube network. Spokespersons from YouTube are handling the situation and assure us that YouTube is currently safe and free of any malware problems.
