Showing results for tags 'Malware'.
  1. A new and relatively rare Zeus Trojan program has been found which is totally different from other banking Trojans and has the capability to secretly steal data from forms, login credentials and files from the victim, as well as to create fake web pages and take screenshots of the victim's computer.

     Researchers at RSA Security's FraudAction team have discovered this new and critical threat, dubbed 'Pandemiya', which is being offered to cyber criminals in underground forums as an alternative to the infamous Zeus Trojan and its many variants, which have been widely used by cyber-criminals for years to steal banking information from consumers and companies.

     The source code of the Zeus banking Trojan has been available on underground forums for the past few years, which led malware developers to design more sophisticated variants of the Zeus Trojan such as Citadel, Ice IX and Gameover Zeus. But Pandemiya is by far the most isolated and dangerous piece of malware, as the author spent a year writing the code for Pandemiya, which includes 25,000 lines of original code written in C.

     Like other commercial Trojans, Pandemiya infects machines through exploit kits and drive-by download attacks to boost the infection rate, exploiting flaws in vulnerable software such as Java, Silverlight and Flash within a few seconds of the victim landing on the web page.

     "Pandemiya's coding quality is quite interesting, and contrary to recent trends in malware development, it is not based on Zeus source code at all, unlike Citadel/Ice IX, etc.," researchers from RSA, the security division of EMC, said Tuesday in a blog post. "Through our research, we found out that the author of Pandemiya spent close to a year of coding the application, and that it consists of more than 25,000 lines of original code in C."

     The Pandemiya Trojan uses the Windows CreateProcess API to inject itself into every new process that is initiated, including Explorer.exe, and re-injects itself when needed.

     Pandemiya is being sold for as much as $2,000 USD and provides all the nasty features, including encrypted communication with command and control servers in an effort to evade detection. The Trojan has been designed with a modular architecture to load external plug-ins, which allows hackers to add extra features simply by writing a new DLL (dynamic link library). The extra plug-ins easily add capabilities to the Trojan's core functionality, which is why the developer charges an extra $500 USD for the core application together with its plugins, which allow cybercriminals to open reverse proxies on infected computers, to steal FTP credentials and to infect executable files in order to inject the malware at start-up.

     "The advent of a freshly coded new trojan malware application is not too common in the underground," Marcus writes, adding that the modular approach in Pandemiya could make it "more pervasive in the near future." The malware developers are also working on other new features to add reverse Remote Desktop Protocol connections and a Facebook attack module in order to spread the Trojan through hijacked Facebook accounts.

     HOW TO REMOVE PANDEMIYA TROJAN

     The Trojan can be easily removed with a little modification in the registry and command line action, as explained below:

     1. Locate the registry key HKEY_LOCAL_USER\Software\Microsoft\Windows\CurrentVersion\Run and identify the *.EXE filename in your user's 'Application Data' folder. Note the name, and delete the registry value.
     2. Locate the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls. Find the value with the same name as the *.EXE file in the previous step. Note the file name, and remove the value from the registry.
     3. Reboot the system. At this stage Pandemiya is installed but no longer running.
     4. Delete both files noted earlier. This will remove the last traces of the Trojan. Your system is now clean.

     Stay Safe!

     Source
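The removal steps above hinge on two registry locations: an autorun value in the per-user Run key that points into 'Application Data', and a value of the same name under AppCertDlls, which Windows maps into every process that calls CreateProcess (the injection route the post describes). The Python triage script below is an added example written for this page, not code from RSA or from the post's author. It parses a constructed "reg export" text file and pairs the two entries the way steps 1 and 2 describe. It assumes the post's "HKEY_LOCAL_USER" means HKEY_CURRENT_USER, since no HKEY_LOCAL_USER hive exists; the file names and paths in the sample are invented and are not indicators from the report.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a "reg export" text file (string values only). The names
# and paths are invented for this example and are not indicators from RSA's report.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Documents and Settings\\alice\\Application Data\\kqzt.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"kqzt"="C:\\Documents and Settings\\alice\\Application Data\\kqzt.dll"
"vendor"="C:\\WINDOWS\\system32\\vendorhook.dll"
'''

# The post says HKEY_LOCAL_USER; that hive does not exist. The per-user Run key
# lives under HKEY_CURRENT_USER, which is what this example assumes.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
APPCERT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"="((?:[^"\\]|\\.)*)"$')
EXE_RE = re.compile(r'^"?(.+?\.exe)', re.IGNORECASE)


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: string_data}} for the REG_SZ
    values in a .reg export; other value types are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and quotes with a backslash.
            keys[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys


def find_pandemiya_style_persistence(keys):
    """Steps 1 and 2 of the removal procedure: a Run entry launching an EXE from
    the user's Application Data folder, paired with an AppCertDlls value of the
    same name. AppCertDlls are loaded into every process that calls
    CreateProcess, which is the injection behaviour the post describes."""
    run = keys.get(RUN_KEY.lower(), {})
    appcert = keys.get(APPCERT_KEY.lower(), {})
    findings = []
    for value_name, command in run.items():
        m = EXE_RE.match(command)
        if not m:
            continue
        path = PureWindowsPath(m.group(1))
        if not any(p.lower() in ("application data", "appdata") for p in path.parts):
            continue
        stem = path.stem.lower()
        twin = next((n for n in appcert if n.lower() in (stem, stem + ".exe")), None)
        findings.append({
            "run_value": value_name,
            "exe": str(path),
            "appcert_value": twin,
            "appcert_dll": appcert[twin] if twin else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_pandemiya_style_persistence(parse_reg(SAMPLE_REG)):
        print("Run value %(run_value)r -> %(exe)s; AppCertDlls twin %(appcert_value)r -> %(appcert_dll)s" % f)
```

On a live machine the same two keys can be exported with `reg export` and fed to `parse_reg`. The script only reports; it deletes nothing, so which values to remove stays a manual decision after checking what the EXE and DLL actually are, and a Run entry under Application Data with no AppCertDlls twin is still worth a look.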
  2. Cybercriminals and advanced attackers are freely borrowing from one another's repertoires to great success. The latest example involves spammers firing off up to a half-million email messages during limited campaign segments without triggering any detection alarms.

     Security company FireEye said the attackers have found a winning formula to evade detection in one used by a number of APT campaigns, in which attack attributes are changed at a higher rate than IDS and other defenses can keep up with. The campaigns, carried out by the Asprox botnet, were first spotted late last year and by the end of May were spiking noticeably. "Since then, the threat actors have continuously tweaked the malware by changing its hardcoded strings, remote access commands, and encryption keys," FireEye said in a report.

     In the past, APT campaigns carried out by nation states for the purposes of economic espionage or intelligence gathering have begun to rely on tactics used in commercial malware campaigns. In May 2013, advanced attacks against NGOs, technology companies and government agencies were spotted, and hints were found that the organizers had either borrowed or purchased commercial malware and propagation tools from the criminal underground.

     The Asprox campaigns have a much wider reach, infecting victims in countries worldwide in varied industries. The most recent iteration spotted by FireEye had also moved from including links to malicious sites and malware downloads to embedding malicious code in attachments pretending to be a Microsoft Office document in a .zip file. Once the victim falls for the phishing or spam email and opens the infected attachment, the malware is injected into a process created by the attacker. Soon backdoor channels are opened to command and control servers and data is moved off machines in an encrypted format to the attackers.

     Formerly, Asprox campaigns used themes that ranged from airline tickets to United States Postal Service spam. The attackers have moved off those themes to court-related emails. Victims are seeing phony notices for court appearances, warrants, hearing dates and pre-trial notices. And it seems to be working.

     "We saw about 6400 unique MD5s sent out on May 29th. That is a 16,000 percent increase in unique MD5s over the usual malicious email campaign we'd observed," FireEye said. "Compared to other recent email campaigns, Asprox uses a volume of unique samples for its campaign."

     FireEye also said that campaigns that kicked off in May and lasted into June were also relying on a host of new command and control IP addresses. The malware includes commands to download additional code from a third-party site, code updates, registry modifications and even a command to remove itself, among others.

     "The data reveals that each of the Asprox botnet's malicious email campaigns changes its method of luring victims and C2 domains, as well as the technical details on monthly intervals," FireEye said. "And, with each new improvement, it becomes more difficult for traditional security methods to detect certain types of malware."

     Source
  3. A new spam campaign has emerged in support of the Asprox botnet. The scheme involves shipping receipt emails that contain malicious links and purport to come from the United States Postal Service (USPS). Anyone who receives one of these emails and clicks on the link therein will have a zip file downloaded onto their machine, according to a Zscaler report.

     After a user downloads the zip file, it shows up as a seemingly legitimate-looking Word document on the Windows desktop. That file is in actuality an executable which must be opened before the user becomes infected with the malware.

     Researchers from the security firm StopMalvertising analyzed Asprox, also known as Kulouz, in November. They found that the strain of malware began as a password-stealing botnet, but has since evolved to where its primary purpose is to launch automated SQL injection attacks. Asprox, they say, is notorious for spoofing shipping companies like the United Parcel Service and FedEx. Asprox is not new, with references to it on Threatpost dating back as far as 2009.

     As of Zscaler's publication, the threat was scoring a fairly dangerous 4/52 on VirusTotal. At the time of our publication, the detection engines appear to have taken notice, and the threat is now scoring a less potent 27/52.

     According to the report, the malware copies itself into an infected user's Local Application Data before creating an autostarter to ensure that the infection stays around even after a restart. "The common factor across all of these dropped files is that they all POST bzip2 compressed data which is then encrypted with a 16-byte random RC4 key via HTTP as reported by StopMalvertising," wrote Chris Mannon in the Zscaler analysis. "We're seeing a growing number of attacks which utilize this method of phone home activity. The case of this Asprox threat phones home over ports 443 and 8080."

     Source
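Post 3 describes the Asprox phone-home as an HTTP POST of bzip2-compressed data encrypted with a random 16-byte RC4 key (post 2's "moved off machines in an encrypted format" is the same traffic). The Python below is an added example, not code from Zscaler, StopMalvertising or the malware itself; it reconstructs that encoding and its inverse, and measures the entropy jump that explains why a signature-based IDS has nothing to match on. The victim record is constructed, and the choice to prepend the key to the body is my assumption, since the write-up does not say how the key reaches the server.

```python
import bz2
import math
import os
from collections import Counter


def rc4(key, data):
    """Plain RC4 (key scheduling + keystream); one function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_beacon(record, key=None):
    """bzip2-compress, then RC4-encrypt under a fresh random 16-byte key.
    Compressing first is what makes the scheme work: ciphertext does not compress.
    Assumption (the post does not say how the key reaches the server): the key is
    prepended to the ciphertext, so no pre-shared secret is needed."""
    key = key if key is not None else os.urandom(16)
    if len(key) != 16:
        raise ValueError("expected a 16-byte RC4 key")
    return key + rc4(key, bz2.compress(record))


def decode_beacon(body):
    """Server-side inverse of encode_beacon."""
    key, ciphertext = body[:16], body[16:]
    if len(key) != 16:
        raise ValueError("body too short to carry a key")
    return bz2.decompress(rc4(key, ciphertext))


def shannon_entropy(data):
    """Bits per byte: ASCII logs sit around 4-5; compressed-then-encrypted
    bodies approach 8 as they get longer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Constructed victim record; the field names are made up for the example.
SAMPLE_RECORD = (
    b"host=WS-FIN-07;user=alice;os=Windows 7 SP1;lan=10.20.4.17;"
    b"client=kulouz;cmd=idle;ts=2014-05-29T09:14:02Z\n"
) * 20


if __name__ == "__main__":
    body = encode_beacon(SAMPLE_RECORD)
    print("record %d bytes (%.2f bits/byte) -> POST body %d bytes (%.2f bits/byte)" % (
        len(SAMPLE_RECORD), shannon_entropy(SAMPLE_RECORD), len(body), shannon_entropy(body)))
    assert decode_beacon(body) == SAMPLE_RECORD
```

For detection the useful property is the contrast: a POST body on 443 or 8080 that is not TLS, compresses no further and scores high on bits per byte is worth a look, while the compressed-then-encrypted order means no decoder recovers the plaintext without the key, so the hunt has to start from the process making the request rather than from the bytes on the wire.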
  4. Plenty has been written about the Sefnit malware family and its favor for using Tor to mask communication, as well as the money it's made for criminals via click-fraud schemes. Sefnit, however, has had a pair of accomplices that until recently were regarded as harmless programs by most security companies. The trio, which now includes the two malware families Rotbrow and Brantall, is responsible for a startling jump in malware infections detected in the fourth quarter of last year, according to Microsoft.

     In its latest Security Intelligence Report (SIR), Microsoft puts the blame on Sefnit et al. for a 3x increase in worldwide infection rates at the end of last year. The SIR reports on malware and vulnerability trends based on data collected by various Microsoft security products including the Malicious Software Removal Tool (MSRT). Through the first three quarters, infection rates were at around six computers cleaned per 1,000 scanned. In Q4, that number jumped to 18 per 1,000.

     Sefnit is the principal antagonist here, and it's difficult to handle because it's distributed through a number of non-traditional means, including peer-to-peer file sharing networks, and almost always it's disguised as legitimate software, or bundled with something else. Enter Rotbrow and Brantall, both of which have been re-classified as malware by Microsoft, and both of which present themselves to victims as legitimate software packages. Rotbrow, for example, pretends to be a safeguard against browser add-ons, while Brantall purports to be an installer for legitimate programs, Microsoft said. Microsoft said that both have been seen installing Sefnit.

     "Microsoft has been aware of this program since 2011, but it had never displayed malicious behavior until its association with Sefnit was discovered in 2013," the SIR says. "Researchers discovered that some versions of the Browser Protector process, called BitGuard.exe, drop an installer for a harmless program called File Scout, and also secretly install Sefnit at the same time."

     "Detections of Rotbrow decreased considerably after December, and the MMPC expects the CCM infection rate to return to more typical levels in subsequent quarters as the MSRT and other security products resolve the remaining backlog of old Rotbrow infections," the SIR says.

     Sefnit, meanwhile, remains an evolving threat, with a recent campaign shunning Tor as a command and control channel in favor of SSH, a more traditional channel. In addition to click fraud, Sefnit is also used for Bitcoin mining and search result hijacking. A new click-fraud component discovered last year, Microsoft said, is used as a proxy service to relay HTTP traffic which is triggered to click on pay-per-click ads.

     The SIR also covered vulnerability trends, noting that high severity vulnerability disclosures were down almost nine percent, while medium severity disclosures were up 19 percent and accounted for 59 percent of disclosures in the second half of the year. Industry wide, vulnerabilities in apps other than browsers and OS apps increased 34 percent. OS vulnerabilities climbed 48 percent, while OS application vulnerabilities dropped 46 percent. Browser vulnerability disclosures were also down 28 percent in the second half of 2013.

     As for exploits, Microsoft reports that Java-based attacks are still king, followed by HTML/JavaScript attacks, though both dipped a bit in the fourth quarter, Microsoft said. The decline in both attacks could be traced to the disappearance of the Blackhole Exploit Kit upon the October arrest of its alleged author Paunch.

     Source
  5. Security researchers have uncovered a new Stuxnet-like malware, named "Havex", which was used in a number of previous cyber attacks against organizations in the energy sector. Just like the famous Stuxnet worm, which was specially designed to sabotage the Iranian nuclear project, the new trojan Havex is also programmed to infect the industrial control system software of SCADA and ICS systems, with the capability to possibly disable hydroelectric dams, overload nuclear power plants, and even shut down a country's power grid with a single keystroke.

     According to security firm F-Secure, which first discovered it as Backdoor:W32/Havex.A, it is a generic remote access Trojan (RAT) and has recently been used to carry out industrial espionage against a number of companies in Europe that use or develop industrial applications and machines.

     SMARTY PANTS, TROJANIZED INSTALLERS

     To accomplish this, besides traditional infection methods such as exploit kits and spam emails, the cybercriminals also used another effective method to spread the Havex RAT, i.e. hacking the websites of software companies and waiting for the targets to install trojanized versions of legitimate apps. During installation, the trojanized software setup drops a file called "mbcheck.dll", which is actually the Havex malware, that the attackers are using as a backdoor.

     "The C&C server will [then] instruct infected computers to download and execute further components," F-Secure said. "We gathered and analyzed 88 variants of the Havex RAT used to gain access to, and harvest data from, networks and machines of interest. This analysis included investigation of 146 command and control (C&C) servers contacted by the variants, which in turn involved tracing around 1500 IP addresses in an attempt to identify victims."

     F-Secure didn't mention the names of the affected vendors, but an industrial machine producer and two educational organizations in France, along with companies in Germany, were targeted.

     INFORMATION GATHERING

     The Havex RAT is equipped with a new component whose purpose is to gather information about the network and connected devices by leveraging the OPC (Open Platform Communications) standard. OPC is a communications standard that allows interaction between Windows-based SCADA applications and process control hardware. The malware scans the local network for devices that respond to OPC requests to gather information about industrial control devices, and then sends that information back to its command-and-control (C&C) server.

     Other than this, it also includes information-harvesting tools that gather data from the infected systems, such as:

     • Operating system related information
     • A credential-harvesting tool that steals passwords stored in open web browsers
     • A component that communicates with different Command-&-Control servers using custom protocols and executes tertiary payloads in memory

     "So far, we have not seen any payloads that attempt to control the connected hardware," F-Secure confirmed.

     MOTIVATION?

     While their motivation is unclear at this point, "We also identified an additional component used by the attackers that includes code to harvest data from infected machines used in ICS/SCADA systems. This indicates that the attackers are not just interested in compromising the networks of companies they are interested in, but are also motivated in having control of the ICS/SCADA systems in those organizations," F-Secure noted.

     HAVEX TROJAN FROM RUSSIANS?

     In January this year, cybersecurity firm CrowdStrike revealed a cyber espionage campaign, dubbed "Energetic Bear", in which hackers possibly tied to the Russian Federation penetrated the computer networks of energy companies in Europe, the United States and Asia. According to CrowdStrike, the malware used in those cyber attacks was the HAVEX RAT and the SYSMain RAT, and possibly the HAVEX RAT is itself a newer version of the SYSMain RAT; both tools have been operated by the attackers since at least 2011.

     That means it is possible that the Havex RAT could be somehow linked to Russian hackers or state-sponsored by the Russian government.

     Source
  6. IObit Malware Fighter Pro

     IObit Malware Fighter is an advanced malware & spyware removal utility that detects and removes the deepest infections, and protects your PC from a variety of potential spyware, adware, trojans, keyloggers, bots, worms, and hijackers. With the improved, unique "Dual-Core" engine and heuristic malware detection, IObit Malware Fighter detects the most complex and deepest spyware and malware in a very fast and efficient way.

     Here are some key features of "IObit Malware Fighter":

     • One-click Solution and Very Easy to Use: Traditional advantages of IObit products. We love simple and automatic styles.
     • Complete PC Security Care: Anti-malware, anti-spyware, anti-adware, anti-trojan, anti-bots, and more. IObit Malware Fighter can assist your antivirus to defend against any tricky and complex threats.
     • Finds the Deepest Infections: Using DOG (Digital Original Gene), a novel heuristic malware detection method, IObit Malware Fighter can find the most complex threats.
     • Very Fast and Light: Thanks to the improved, unique "Dual-Core" anti-malware engine, complicated analysis can be made faster now.
     • Works with All Antivirus Products: Everyone needs qualified antivirus software, and IObit Malware Fighter will surely be the best mate for your current antivirus.
     • Automated Working in the Background: Just install it and forget it. This powerful utility works continuously, automatically and quietly in the background on your PC. You can set it to your schedule or just let it work automatically when your PC is idle.
     • Automatic and Frequent Updates: With the new-generation malware analysis system and our professional database team, IObit Malware Fighter catches emerging dangerous malware on the Internet.

     Website: http://www.iobit.com
     OS: Windows XP / Vista / 7 / 8 / 8.1
     Language: ML
     Medicine: Key / Keygen
     Size: 25,84 Mb.
  7. More and more pieces of malware have become capable of targeting users running 64-bit versions of operating systems. One of them is KIVARS, a piece of malware whose 64-bit version was recently analyzed by researchers from Trend Micro.

     According to the security firm, the Trojan is distributed with the aid of TROJ_FAKEWORD.A, a dropper that's designed to drop two executable files and a Microsoft Word document on infected systems. In the 32-bit version, the executable files are copied into the "windows system" folder with the names iprips.dll, which is detected by Trend Micro as TROJ_KIVARSLDR, and winbs2.dll, detected as BKDR_KIVARS. The latest versions of KIVARS, which can target both 32-bit and 64-bit systems, drop these components in the same folder, but under a random name, with the backdoor file having either a .tib or a .dat extension.

     The dropper uses the right-to-left override (RLO) technique and a genuine Microsoft Word icon to make it look like the document file, which is password protected and acts as a decoy, is genuine, Trend said. These techniques have also been used in a campaign targeted at government agencies in Taiwan, which Trend Micro recently analyzed.

     Once executed, TROJ_KIVARSLDR, the loader installed as a service named iprip, loads and runs the backdoor payload BKDR_KIVARS in memory, Trend explained. The backdoor is capable of carrying out various tasks, including downloading, uploading and manipulating files, uninstalling malware services, taking screenshots, activating a keylogger, manipulating active windows, and executing mouse and keyboard actions. In the versions that support 64-bit operating systems, the loader is installed as services named Iprip, Irmon and ias.

     Additionally, the backdoor uses a slightly modified version of the RC4 encryption algorithm to encrypt its configuration information. RC4 is also used to encrypt the first packets sent by the malware back to the command and control (C&C) server. These initial packets contain information such as the victim's IP, OS version, username, hostname, the version of KIVARS, and the layout of the keyboard attached to the infected device.

     In the latest versions of KIVARS, a randomly-generated packet is sent first to the C&C, based on which a key is generated to help the malware verify the reply from the server. Only then is the system information encrypted with RC4 and sent to the C&C.

     "The earlier versions of this BKDR_KIVARS only encrypts the 'MZ' magic byte for the backdoor payload. As for the newer versions, the backdoor payload is now encrypted using the modified RC4," Trend Micro Threat Analyst Kervin Alintanahin explained in a blog post.

     The threat group behind this campaign also uses the POISON remote access Trojan (RAT) for its malicious activities, Trend Micro said.

     Source
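The dropper's RLO trick works because U+202E (RIGHT-TO-LEFT OVERRIDE) makes a bidi-aware file manager render everything after it reversed, so a name like invoice<U+202E>cod.exe is displayed as "invoiceexe.doc" while the extension Windows actually honours is still .exe; the Word icon finishes the illusion. The Python below is an added example, not Trend Micro's code; it reports the real extension, the name a user would see, and the bidi control characters present, for a constructed list of file names (the names are made up and are not the TROJ_FAKEWORD.A samples).

```python
import os

# Unicode bidi controls that can change how a file name is displayed.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF", "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
# Extensions Windows treats as runnable when double-clicked (not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".dll"}


def analyse_filename(name):
    """Describe a file name as the OS sees it versus as a user sees it."""
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    real_ext = os.path.splitext(stripped)[1].lower()
    apparent = stripped
    if "\u202E" in name:
        # The common single-RLO trick: everything after the mark renders reversed,
        # so "report\u202Ecod.exe" is shown as "reportexe.doc".
        i = name.index("\u202E")
        tail = "".join(c for c in name[i + 1:] if c not in BIDI_CONTROLS)
        apparent = name[:i] + tail[::-1]
    return {
        "name": name,
        "apparent_name": apparent,
        "real_extension": real_ext,
        "bidi_controls": controls,
        "executable": real_ext in EXECUTABLE_EXTS,
        # Bidi controls have no business in a file name; pairing them with a
        # runnable extension is the lure this post describes.
        "suspicious": bool(controls) and real_ext in EXECUTABLE_EXTS,
    }


def scan_names(names):
    """Return the analysis records for names that combine a bidi control with a runnable extension."""
    return [r for r in map(analyse_filename, names) if r["suspicious"]]


# Constructed sample of names as they might appear in a dropped ZIP.
SAMPLE_DROP = [
    "quarterly_report.docx",
    "invoice\u202Ecod.exe",
    "photo\u202Egpj.scr",
    "notes\u202Etxt.txt",  # RLO present but the real extension is harmless
]


if __name__ == "__main__":
    for r in scan_names(SAMPLE_DROP):
        print("shown as %-22s really %-6s controls=%s" % (
            repr(r["apparent_name"]), r["real_extension"], ",".join(r["bidi_controls"])))
```

A mail gateway or sandbox can apply the same check to attachment names inside archives; the file with RLO and a harmless extension is left out of `scan_names` here, but many shops quarantine any name carrying a bidi control at all, since there is no legitimate reason for one in an attachment name.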
  8. Hackers are targeting Brazil's Boleto payment system, the second most popular payment method in the country, and have conducted hundreds of thousands of fraudulent transactions valued at close to $4 billion.

     Formally known as Boleto Bancario, Boletos are financial documents issued by banks that can be used by consumers to make payments to utilities and other outlets. Boletos are either printed and mailed to customers, or are generated and sent via electronic transfers. Common to all are a bar code, an identification field or numerical representation of the bar code, and an identification number.

     Researchers at RSA Security yesterday reported the discovery of an extensive and effective malware campaign that's been operating for two years and has ratcheted up the sophistication of Boleto fraud, which used to be confined to offline forgery of the payment documents. The Boleto malware attacks leverage man-in-the-browser infections to attack vulnerabilities in Chrome, Firefox and Internet Explorer running on Windows PCs, and redirect Boleto payments to the attacker's money mule account.

     "Since the malware is MITB, all malware activities are invisible to both the victim and the web application," RSA said in its report, adding that there are up to 19 variants of the malware. RSA said it has detected 495,753 fraudulent Boleto transactions since 2012, valued at $3.75 billion USD.

     "Boleto malware is a major fraud operation and a serious cybercrime threat to banks, merchants and banking customers in Brazil," RSA said. "While the Bolware fraud ring may not be as far-reaching as some larger international cybercrime operations, it does appear to be an extremely lucrative venture for its masterminds."

     In a legitimate online Boleto transaction, an online store, for example, will generate and send the Boleto to a customer. The customer can then choose where to use it once it's displayed in the browser. Once an infected PC is used, the Boleto data is stolen along with all browser data and sent to the attacker's server. The attacker then modifies the Boleto data to send payments to the hacker's mule account rather than to the bank.

     RSA said it has detected 192,227 bots, or unique IPs, that have been infected. More than 30 bank brands have been affected in this campaign, which has also scooped up more than 83,000 email credentials and other data stolen by the malware.

     RSA said this type of fraud is difficult for the customer to detect because the ID number fields aren't tied to a payee and customers don't generally validate that type of information. Banks, RSA said, don't detect the fraud immediately because transactions are coming from customer computers and customers make frequent Boleto payments. Fraudulent Boleto ID numbers and attack characteristics have been turned over to the FBI and Brazil's federal police, RSA said.

     "While the Boleto malware and the manner in which it modifies Boleto transactions is difficult to detect, it appears to affect only Boletos that are generated or paid online via infected Windows-based PCs using three popular web browsers," RSA said. "RSA Research has not seen evidence of compromise with transactions via Boleto mobile applications or DDA (authorized direct debit) digital wallets."

     Source
  9. Cyber security sleuths have alerted Indian Internet users to hacking attempts by a clandestine multi-identity virus, Bladabindi, which steals sensitive personal information of a user for nefarious purposes.

     The virus, the Computer Emergency Response Team-India (CERT-In) said, could infect the "Microsoft Windows operating system" and spreads through removable USB flash drives, popularly known as pendrives, and data cards, as well as through other malware. CERT-In is the nodal national agency to combat hacking and phishing and to fortify the security-related defences of the Indian Internet domain.

     "It has been reported that variants of malware called Bladabindi are spreading. This malware steals sensitive user information from infected computer system. Bladabindi could also be used as malware downloader to propagate further malware and provide backdoor access to the remote attacker. Some of the Bladabindi variants could capture keyboard press, control computer camera and later send collected sensitive information to remote attacker. Bladabindi is infecting Microsoft Windows operating system and spreading via infecting removable USB flash drives and via other malwares," the latest advisory by the agency said.

     The threat potential of the malware or virus can be gauged from the fact that it can acquire as many as 12 aliases to conceal its real identity and later affect a computer system or the personal information of a user. "Bladabindi variants can be created using a publicly available malicious hacker tool. Attacker can create a malicious file using any choice of icon to mislead or entice naive user into running the malicious file," the advisory said.

     The virus possesses a unique ability to acquire a safe network domain id in order to falsely add itself to the firewall exclusion list and bypass a user's firewall mechanism.

     A typical 'Bladabindi' variant propagates by copying itself into the root folder of a removable drive and creating a shortcut file with the name and folder icon of the drive. When the user clicks on the shortcut, the malware gets executed and Windows Explorer is opened, which makes it seem as if nothing malicious happened.

     A potential attack by the virus could result in the loss of important proprietary data of a user like "computer name, country and serial number, Windows user name, computer's operating system version, Chrome stored passwords, Firefox stored passwords," the agency said in the advisory.

     "The malware can also use infected computer's camera to record and steal personal information. It checks for camera drivers and installs a DLL plugin so it can record and upload the video to a remote attacker. The malware can also log or capture keystrokes to steal credentials like user names and passwords," CERT-In cautioned users.

     The agency has also suggested some countermeasures against 'Bladabindi'. "Scan computer system with the free removal tools, disable the autorun functionality in Windows, use USB clean or vaccination software, keep up-to-date patches and fixes on the operating system and application software, deploy up-to-date anti-virus and anti-spyware signatures at desktop and gateway level," the agency suggested. It also recommended that users should not follow unsolicited web links or attachments in email messages, not visit untrusted websites, use strong passwords and enable password policies, enable a firewall at desktop and gateway level, guard against social engineering attacks and limit user privileges.

     Source: http://www.financialexpress.com/news/hacking-virus-bladabindi-prowling-in-india-targets-microsoft-windows-os/1273299/0
  10. GridinSoft Trojan Killer

     GridinSoft Trojan Killer is an advanced program to clean your computer of all malicious threats! If you are a regular Internet user, you should take steps to protect your personal information against cyber-criminals. Trojan Killer can help you in this matter! The program quickly identifies (recognizes) and immediately removes dangerous malicious Trojans, spyware and adware, malware that blocks or restricts your tools, keyloggers, etc., before irreversible painful events come in the form of stolen accounts, passwords, credit card numbers, and personal, corporate and other information.

     Trojan Killer is designed specifically to disable / remove malware without the user having to manually edit system files or the registry. The program also removes the additional system modifications that are ignored by some standard antivirus scanners. Trojan Killer scans ALL the files loaded at boot time for adware, spyware, remote access Trojans, Internet worms and other malware. Trojan Killer works within a security system for providing security in computer systems. The program will help you get rid of annoying adware, malware and other rogue tools. It is very important to restore control over your computer, and not let anyone use your data.

     Additional tools:

     • Reset Internet Explorer Home / Start / Search Page Settings: Some malware programs make changes to the Internet Explorer home page, Start and Search Page settings, in order to redirect the web browser to different websites. This utility will reset the Home / Start / Search pages to the standard defaults. You can then manually reset your Home Page to your website of choice (or leave it "blank", the default).
     • Restore the HOSTS file: The Windows HOSTS file is a text file which stores website addresses. The file can be used to speed up access to websites you visit often: by mapping the website name to its DNS address, the web browser can find the website more quickly as it does not have to query a DNS name server. Some malware programs add entries to this file, to either deny access to websites (usually security-related websites or antivirus company sites), or redirect access to websites of their choosing.
     • Reset Windows Update policy: Some malware programs attempt to prevent Windows Update from running, and inhibit access to resetting Windows Update, by blanking out the Windows Update options in the update configuration.

     Website: http://www.gridinsoft.com
     OS: Windows XP / Vista / 7 / 8
     Language: Ml
     Medicine: Patch / Keymaker
     Size: 46,00 Mb.
11. Researchers have discovered click-fraud malware designed to "hide in plain sight" and evade traditional security tools by embedding data in an image file. Lurk is a downloader which uses digital steganography – the art of hiding information in image, audio or video files – according to a Dell SecureWorks Counter Threat Unit (CTU) Threat Intelligence paper by Brett Stone-Gross.

"Lurk specifically uses an algorithm that can embed encrypted URLs into an image file by inconspicuously manipulating individual pixels. The resulting image contains additional data that is virtually invisible to an observer," he wrote. "It is unlikely that existing IPS/IDS devices could detect data that is concealed with digital steganography. As a result, Lurk may be able to evade network defenses and hide in plain sight."

Lurk consists of two parts – a dropper DLL and a payload DLL – with the former's main job being to extract and load the latter, he added. Once the main payload DLL executes, it checks the victim computer for 52 different security products and apparently won't install if it discovers one of 21 specific products.

"Steganography can make it exceedingly difficult to detect the presence of hidden information such as a configuration file, binary update, or bot command, especially in digital files," concluded Stone-Gross. "As a result, the use of steganography in malware may become more prevalent in the future."

Source
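The pixel-manipulation technique the post describes, as an added example; this is not Lurk's code and the post does not publish Lurk's algorithm. The cipher (a SHA-256 counter keystream XORed over the URL), the layout (a 4-byte length prefix, one bit per colour byte), the key and the URL are all assumptions chosen for illustration, and the cover image is a constructed RGB gradient so the script runs without an image library. Two checks at the end show why this defeats naive inspection: no colour value moves by more than 1, and the URL never appears in the file as plaintext.

```python
"""LSB steganography of an encrypted URL in raw pixel data, plus the two checks that
explain why it is hard to spot on the wire.

Added example, not Lurk's code: the post does not publish Lurk's algorithm, so the
cipher (SHA-256 keystream XOR) and the layout (4-byte length prefix, one bit per
colour channel) are assumptions chosen for illustration. The cover image is a
constructed RGB gradient so the script runs offline without an image library.
"""
import hashlib
import struct


def _keystream(key, length):
    """Counter-mode keystream from SHA-256 (illustrative, not a recommended cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key, data):
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def make_cover(width=64, height=64):
    """Constructed cover: a smooth RGB gradient, three bytes per pixel."""
    return bytes((x + y + 40 * c) % 256
                 for y in range(height) for x in range(width) for c in range(3))


def embed(cover, payload):
    """Write len(payload) as 4 bytes, then payload, into the LSB of successive bytes."""
    frame = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in frame for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover image too small for payload")
    stego = bytearray(cover)
    for pos, bit in enumerate(bits):
        stego[pos] = (stego[pos] & 0xFE) | bit   # touch only the lowest bit
    return bytes(stego)


def extract(stego):
    """Inverse of embed(): rebuild bytes from the LSBs, length prefix first."""
    def read(offset, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[offset + 8 * b + i] & 1)
            out.append(value)
        return bytes(out)
    length = struct.unpack(">I", read(0, 4))[0]
    return read(32, length)


def hide_url(key, url, cover):
    """Encrypt the URL, then hide the ciphertext in the cover's pixel bytes."""
    return embed(cover, xor_crypt(key, url.encode()))


def recover_url(key, stego):
    """Pull the ciphertext back out of the pixels and decrypt it."""
    return xor_crypt(key, extract(stego)).decode()


def max_channel_delta(cover, stego):
    """Largest per-channel change; LSB embedding never exceeds 1 of 255."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    key, url = b"example-key", "https://c2.example.invalid/config.bin"
    cover = make_cover()
    stego = hide_url(key, url, cover)
    print("recovered:", recover_url(key, stego))
    print("max channel delta:", max_channel_delta(cover, stego))
    print("plaintext URL visible in file:", b"https://" in stego)
```

The defensive takeaway matches the post: a signature or URL-matching IPS sees only a valid image with ordinary-looking pixels, so detection has to come from the host side (the dropper's behaviour, the downloaded image being parsed by something other than an image viewer) or from statistical analysis of the image's low-order bits, not from string matching on the transfer.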
12. Like most profitable criminal enterprises, the Shylock banking malware thrived because it was supported by a nimble infrastructure that allowed it to stay one step ahead of network and security monitoring capabilities, and of the authorities. That race ended this week.

Europol announced today that it, along with numerous law enforcement and industry partners, had carried out a successful takedown of the Shylock infrastructure. The two-day culmination of the operation took place on Tuesday and Wednesday and was coordinated by the U.K.'s National Crime Agency and supported by Europol, the FBI, GCHQ in the U.K., and industry companies including Kaspersky Lab, BAE Systems Applied Intelligence and Dell SecureWorks.

"Law enforcement agencies took action to disrupt the system which Shylock depends on to operate effectively," Europol said in a statement. "This comprised the seizure of servers which form the command and control system for the Trojan, as well as taking control of the domains Shylock uses for communication between infected computers."

Few details were provided on the location of the command and control infrastructure, but Europol said it coordinated investigative actions with cooperation from authorities in Italy, the Netherlands, Turkey, Germany, France and Poland. CERT-EU, Europol said, was also instrumental in providing data on the malicious domains used by Shylock.

No arrests were announced, though Europol said that previously unknown parts of the Shylock infrastructure were uncovered and additional law enforcement action may be upcoming.

"It has been a pleasure for me to see the international cooperation between police officers and prosecutors from many countries, and we have again tested our improved ability to rapidly react to cyber threats in or outside the EU," said Troels Oerting, head of the European Cybercrime Centre at Europol. "It's another step in the right direction for law enforcement and prosecutors in the EU and I thank all involved for their huge commitment and dedication."

Major takedowns of botnets and other cybercrime operations are quickly becoming commonplace. Though usually not a permanent solution, takedowns such as this one and the recent Gameover Zeus takedown, which also impacted the Cryptolocker infrastructure, indicate improving cooperation between international law enforcement.

"The NCA is coordinating an international response to a cybercrime threat to businesses and individuals around the world," said Andy Archibald, Deputy Director of the NCA's National Cyber Crime Unit in the U.K. "This phase of activity is intended to have a significant effect on the Shylock infrastructure, and demonstrates how we are using partnerships across sectors and across national boundaries to cut cybercrime."

Shylock, like Zeus, targeted banking credentials. Victims were usually tricked or lured into clicking on a malicious link that infected computers with the Trojan. Shylock surfaced in 2011 and at first was limited to the U.K., but quickly expanded into a global operation concentrating on victims in Europe and the United States. Online banking customers were victimized by Shylock's man-in-the-browser style attacks against a predetermined list of as many as 60 banks. The Trojan would sniff out banking credentials and loot accounts.

"Banking fraud campaigns are no longer one-off cases. We've seen a significant rise in these kinds of malicious operations," said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab. "To fight cybercrime, we provide threat intelligence to law enforcement agencies all over the world and cooperate with international organizations such as Europol. Global action brings positive results – an example being the operation targeting Shylock malware."

Golovanov said that in 2013 the number of cyberattacks involving malware designed to steal financial data increased by 27.6 percent to reach 28.4 million.

The attackers behind Shylock were also careful to hide their tracks. Like other similar malware, such as versions of PushDo, Zeus and TDL/TDSS, Shylock made good use of a domain generation algorithm to send stolen data back to the attackers. The DGA feature sidestepped detection and research efforts effectively, experts said.

One version of Shylock that surfaced in January 2013 was capable of spreading through Skype, in addition to network shares and even removable USB drives. Ultimately, Shylock could also steal browser cookies, use web injects on infected browsers, and download and execute files on compromised machines.

This article was updated at 12:15 p.m. ET with comments from Kaspersky Lab.

Source
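The domain generation algorithm mentioned in the post, as an added example of why it frustrates blocklists and how a takedown team counters it; this is not Shylock's code, and the post does not describe Shylock's actual generator. The hashing scheme, seed, TLD set, dates and DNS log lines below are constructed assumptions for illustration. Once the algorithm and seed are recovered from a sample, the defender precomputes the domains for a window of days and sinkholes or blocks them (the list-based check); without that, the fallback is a shape heuristic on queried names, which is noisier.

```python
"""A date-seeded domain generation algorithm and the two ways defenders use it.

Added example, not Shylock's code: the post does not describe Shylock's actual
generator, so the hashing scheme, seed, TLD set and sample DNS log below are all
assumptions constructed for illustration. With the algorithm and seed recovered
from a sample, defenders precompute the domains for the surrounding days (to
sinkhole or block them); without it, they fall back to shape heuristics on names.
"""
import datetime
import hashlib
import math
from collections import Counter

SEED = "example-seed"                # assumed; a real DGA's seed is recovered from the binary
DAY = datetime.date(2014, 7, 10)     # constructed "today" for the example
TLDS = ("com", "net", "org")


def dga(seed, day, count=20):
    """Hypothetical DGA: SHA-256 of (seed, date, index) mapped to a 10-15 letter label."""
    domains = []
    for i in range(count):
        h = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).hexdigest()
        length = 10 + int(h[:2], 16) % 6
        label = "".join(chr(ord("a") + int(h[2 + 2 * j:4 + 2 * j], 16) % 26)
                        for j in range(length))
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def precompute(seed, today, days_back=1, days_forward=1):
    """Domains for a window of days: a sinkhole/block list, tolerant of clock skew."""
    known = set()
    for offset in range(-days_back, days_forward + 1):
        known.update(dga(seed, today + datetime.timedelta(days=offset)))
    return known


def shannon_entropy(text):
    """Bits per character of the string's own letter distribution."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(qname):
    """Shape heuristic on the registrable label: long, high-entropy, vowel-poor."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    if len(label) < 10 or not label.isalpha():
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) > 2.5 and vowel_ratio < 0.4


def detect(log_lines, known):
    """Return (client, qname, reason) for queries matching the list or the heuristic."""
    hits = []
    for line in log_lines:
        _ts, client, qname = line.split()
        qname = qname.lower().rstrip(".")
        if qname in known:
            hits.append((client, qname, "matches precomputed DGA domain"))
        elif looks_generated(qname):
            hits.append((client, qname, "algorithmic-looking name"))
    return hits


def sample_log(seed, day):
    """Constructed DNS query log: timestamp, client, queried name."""
    generated = dga(seed, day)
    return [
        "2014-07-10T09:00:01 10.0.0.5 www.example.com",
        "2014-07-10T09:00:02 10.0.0.5 time.windows.com",
        f"2014-07-10T09:00:03 10.0.0.9 {generated[3]}",
        "2014-07-10T09:00:04 10.0.0.9 xqzvkprtwjhb.net",
        "2014-07-10T09:00:05 10.0.0.7 mail.example.org",
    ]


if __name__ == "__main__":
    known = precompute(SEED, DAY)
    for client, qname, reason in detect(sample_log(SEED, DAY), known):
        print(f"{client:<10} {qname:<25} {reason}")
```

The precomputed list is exact but only works once the algorithm and seed are known, which is why the post calls the DGA effective against detection and research: every day brings a fresh set of names, and registering or seizing them ahead of the malware is only possible with that knowledge. The entropy heuristic needs no reverse engineering but will misfire on legitimate long labels such as CDN hostnames, so treat its hits as leads to correlate with other host activity rather than as blocking decisions.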
13. Cybercriminals always look for the weakest link they can leverage to claim as many victims as possible, and it looks like web browsers with out-of-date plugins are the norm in Europe.

Browser plugin update situation in Europe

According to the latest statistics from the Germany-based Cyscon GmbH, a company specializing in detecting and mitigating cyber threats, the users of most countries in Europe rely on poorly updated web browsers to explore the online world, which translates into plenty of possible victims for the crooks.

The company makes available an interactive map that shows, as a percentage, the proportion of a country's users who do not run a browser whose plugin components are updated with the latest patches available.

According to Cyscon's statistics at the time of writing, the European country whose users are most aware of the security risks posed by out-of-date web browsing software is the Netherlands, where 51% of computer users have at least one plugin component in the browser that needs to be updated.

Although this is an alarming value, the country whose users would be most prone to falling victim to a cybercriminal is Croatia, where it appears that 97% of the users contributing to Cyscon's statistics have not installed all the updates for said components. It is followed by the Republic of Moldova with 94%, Serbia with 86% and Germany with 80%.

As shown by these statistics, there is no country whose users are sufficiently aware of the risk posed by an old component with security flaws to report an out-of-date rate lower than 50%.

Source
14. ViRobot APT Shield 2.0 is the best PC security program to block attacks on vulnerabilities (including zero-day vulnerabilities and drive-by download vulnerabilities) in applications and the Windows OS (including Windows XP) in advance, and it is compatible with anti-malware programs. In particular, ViRobot APT Shield 2.0 will be the best choice for PCs which cannot be upgraded from Windows XP to a higher version of Windows.

Features
1. Response to a variety of attacks on application vulnerabilities. It blocks, in advance, attacks that use vulnerabilities in applications such as document programs (MS Office, Adobe Reader, ...), web browsers (IE, Firefox, Chrome, ...), media players, messengers, compression software, etc.
2. Blocking vulnerabilities after the end of Windows XP support. It prevents, in advance, attacks that use vulnerabilities in a Windows version to which security patches can no longer be applied.
3. Complementing the limits of signature-based anti-virus. Using behaviour-based technology, it blocks the creation and execution of malicious code that exploits vulnerabilities, and it does not need pattern updates.
4. Blocking the spread of document leaks to many unspecified targets. Recently, malicious code has been using social engineering to exfiltrate important documents from companies, but this product blocks it completely.
5. Handling systems which are difficult to update with Windows security patches. It is a very light product, because it requires only minimal hardware resources. It is suitable for the various enterprise environments in which Windows security patches are difficult to apply.

Functions
1. Enhanced detection of malicious code. It can block zero-day attacks in advance. There is no need to worry about false positives, because it detects abnormal behaviour of applications. It can detect malicious code in real time.
2. Flexible scalability and low cost. It is compatible with anti-malware products from all around the world, which ensures flexible scalability. It can save cost compared to network-based detection solutions (no extra charge beyond the license fee).
3. Management efficiency. Security systems can be controlled by connecting to integrated log equipment (e.g. ESM). A monitoring service is provided through installation of a web log server.
4. Usability. Pattern updates are not required. It is simple to install (the installation takes less than 10 seconds). The portion under end users' direct control is minimized. It uses minimal resources (e.g. memory usage: less than 10 MB).

Blocking malicious code that exploits vulnerabilities in applications:
Document programs: MS Office, Adobe Reader, Ichitaro, etc.
Web browsers: IE, Firefox, Chrome, Safari, Opera, Java, Flash, ActiveX, etc.
Media players: RealPlayer, QuickTime Player, Winamp, etc.
Messengers: Skype, Yahoo, Google, etc.
Compression software: WinZip, WinRAR, 7-Zip, etc.

Homepage: http://www.aptshield.net/
Download link: http://www.aptshield.net/apt_individual_download.html

Requirements:
CPU: Intel Pentium III 500 MHz or above
RAM: 512 MB or above
HDD: more than 500 MB of free space
OS: Windows XP / Windows Vista / Windows 7 / Windows 8 / Windows Server 2003 / Windows Server 2008 / Windows Server 2012, x86 and x64.