
Malware, viruses, what are they?


Batu69


General explanation about different kinds of online threats. What they do, and how.

Introduction


Viruses, malware, worms, adware: there are many different kinds of online threats.

It can be confusing for one to understand the level of dangerousness of each, what they do and how to remove them. In this post, I will try to demystify this and shed some light on how they sneak into your machine and stay undetected.

If you think that this document is missing something, please let me know; I’ll be happy to add it.

Definitions

  • Malware: Means “Malicious Software”; this is the most general definition.
  • Virus (High threat): As soon as a malware has an auto-replication feature, it’s a virus. Able to infect other files. Ex: Virut/Sality
  • Worm (High threat): Ability to replicate through the network. Can be by email or instant message. Most of the time it’s because the user opens it, but it can also exploit some vulnerabilities to propagate. Ex: Worm/Msn
  • Adware (Low threat): Means “Advertisement Software”. It will display ads to the user, or play advertisements in the background. Ex: Adware.Eorezo
  • Rootkit (High threat): A rootkit modifies system memory (at user or kernel level) to hide itself and/or prevent its removal. Rootkits are usually designed to protect affiliate malware that is weaker. Ex: Rootkit ZeroAccess, Necurs
  • Trojan (Medium threat): Ability to open a backdoor on a machine, and download (on demand) some other piece of malware in order to execute it.
  • Dropper (Low threat): Is the entry point of an infection; it’s often encrypted and as small as possible to bypass antiviruses. Will download the real malware from the internet (or extract it from resources) and execute it (like a Trojan, yes).
  • Password Stealer (High threat): Ability to steal passwords from various sources: Web (Social networks, Banks, …), FTP (to get control of web servers), Email accounts (to send malware or SPAM in your name). Those passwords are then sent to the attacker.
  • Keylogger (High threat): Is able to save everything you type with your keyboard, and take screenshots of your screen. They look for passwords (like a Password Stealer).
  • Banker (High threat): Injects some code into your web browser when you are on a bank website (or about to buy something online), so that they get your bank credentials. Those credentials or credit cards are then sent back to the attacker. Ex: Zeus/Zbot.
  • (Crypto)Ransomware (High threat): A Ransomware will either totally lock your computer, or for Crypto variants they will encrypt all your documents. In any case they ask for a ransom to revert to the original state. Ex: Reveton, CryptoLocker.
  • Rogue Antivirus (Medium threat): They look like legit antivirus software, but they aren’t. Most of the time they display false infections, and want you to buy them to “remove” the infection. In reality there’s no infection, nor a real scanner. And when you buy them, they simply do nothing.
  • PUP (Low threat): That means “Potentially Unwanted Software”. They are legit software, but most of the time the user didn’t install them. They are bundled with other software, and the user didn’t uncheck the “option” to install the affiliate software. Besides, most PUPs are also Adware. Some PUPs are also using Rootkit tricks.
  • Spambot (Medium threat): They are designed to send SPAM, either directly from a compromised web server, or using the victim’s messaging. They can also be web crawlers, searching the web for email addresses to send SPAM to.

It’s important to note that a malware can be of several types above. Actually most of them are; for example Zeus is a Banker, with Password Stealer capability, as well as a Trojan to turn the machine into a zombie PC (part of a botnet).

  • Botnet: It’s a group of zombie machines (bots), all linked to a C&C (see below). Botnets are often used to perform DDoS attacks, send SPAM, bruteforce passwords (stolen from a database for example), …
  • Bot (Zombie PC): A machine that is part of a botnet. It’s connected to the C&C, waiting for orders to execute.
  • C&C (C2): A machine part of the botnet, dedicated to sending commands to the others and getting information and stolen data back from them. There can be one or several C&Cs, depending on the botnet architecture and complexity.
  • DDoS: Attack by denial of service. To be efficient, it must be coordinated between many different IP addresses. Often performed by a botnet. An attack will make the victim’s server/website unreachable, with possible economic consequences.
  • SPAM: Illegitimate email, promoting a service, a product or anything.
  • Bitcoin mining: Bitcoins are a virtual currency that can be “mined”. We spend CPU resources (electricity in fact) to earn money.
  • Exploit: A vulnerability in a software, operating system, or code in general. When exploitable, this can lead to privilege escalation (getting admin rights) or remote code execution (starting a process without the consent of the user). An exploit can be fixed by the software editor with a patch.
  • 0-day exploit: It’s a vulnerability for which there is no patch available yet. This means everyone having the software is vulnerable.
  • Exploit Kit: A kit of exploits. This is a server platform that will test your machine against many exploits, until one works. When an exploit works, the exploit kit will be able to deliver a Payload that will infect your machine. Most of the time, exploit kits are called through malvertising.
  • Payload: This is the “useful load”, the code for which the whole infection chain was made. It can be the malware itself, or its dropper.
  • Malvertising: Means “malicious advertising”. It’s an ad that has been designed to call an exploit kit to infect your machine. In theory, major advertising platforms validate ads before they are served, but smaller platforms don’t do it, or don’t do it right. Some are even created to serve malware under the hood.
  • Compromised Server: When a server uses software with vulnerabilities, an attacker can take control of it through an exploit. When done, the compromised server can be used in a botnet, or directly to host malware, host phishing pages, send SPAM, …
  • Phishing page: A webpage designed to look like a specific bank login page, social network, or anything where a user can put credentials. Those credentials will then be used for malicious actions, or sold.
  • Persistence Item: This is an item that gives a malware the ability to be started at boot. It can be a registry key, a startup shortcut, a patched system file, an MBR infection, … (see below).
  • Hooking: Setting up a hook is an action performed by a rootkit. We can summarize that action as placing a filter on top of a system API. For example, NtOpenProcess is the API needed if we want to kill a process. If a rootkit hooks that API, it will be able to tell whether the process termination is allowed or not, and protect its process.

Why are malware made?


They of course are made to make money. A lot of people do not understand how malware writers make money.
It’s indeed a very lucrative activity; here’s a quick list of how they earn money:

  • Selling malware/code: That’s the most obvious way to earn money. Malware writers sell their malware to other bad people, or sometimes they sell the source code.
  • Displaying ads: That’s how adware makes money. Each ad displayed/clicked generates money for them.
  • Click fraud on ads: That’s another way to make money with ads. While the previous one is barely legal, this one is totally prohibited. Malware will simulate clicks on ads in the background, so the infected user will never know that his machine is clicking on ads. The ads clicked of course belong to the malware writer.
  • Sending SPAM: A compromised server, or a bot, can be used to send SPAM to a list of email addresses. Spammers earn money for every 1000 SPAMs sent.
  • Selling Information: A banker or password stealer will bring back stolen passwords and credit card numbers. They are sold on the black market at a rate that depends on which country they are from (Ex: $50 for a US card). Personal data can also be sold: Name – Email – Phone number, for SPAM campaigns.
  • Providing easy malware installation: Rootkits can download/install/protect an affiliate malware (with compensation). Exploit kits are paid to install a particular payload.
  • Selling Rogue Licenses: Rogue software owners will earn money by selling fake licenses.
  • Asking Ransom: A Ransomware owner will be paid by infected people for giving them access back to their machine/files. But most of the time they just take the money.
  • Sell/Lease a Botnet: A Botnet can be useful for attacking a contestant, etc. The Botnet owner is paid to give control of his botnet for 24/48/72 hours. The higher the number of bots, the higher the price.
  • Bitcoin mining: Bitcoin mining is most of the time performed on infected machines, because the malware owner will not pay for the power consumption. But he will get the bitcoins into his own wallet.
  • Selling/Blackmail DDoS attacks: Same as leasing a botnet, except that botnet owners can also blackmail a company themselves by offering NOT to attack them if they pay a ransom. Imagine a big commercial website being attacked during Black Friday. They can’t, and sometimes they pay the ransom.
  • Selling exploits/0-day: Some people are specialized in searching for and selling 0-day exploits to bad guys. Depending on the targeted software, these 0-day exploits can be sold for several thousand dollars. They will then be integrated in exploit kits (above).

It all starts with an infection

  • Installed by the user itself: Fake P2P music/video file that is actually an EXE file. Fake cra.ck/key.gen for a software.
  • Bundled software: The user will download an installer for a software A, but will not uncheck the affiliate programs installation. This will result in the installation of software A, B, C. Unfortunately, B and C are malware.

[Image: PDFCreator installing AVG-Toolbar]

Drive-by-download: This is the term used when speaking of malvertising, malicious web code, fake “required” plugins. It can be installed after you open an email attachment. They are installed sometimes without the user knowing it.

[Image: fake plugin warning (grahamcluley.com)]

Malware deployment


A malware will often be deployed in several steps:
The dropper is the file that is served first (the one you downloaded); that dropper is usually heavily encrypted or packed to bypass antiviruses. It will either unpack the payload from a resource, or download it directly from a server. Then the payload is executed.

Once executed, the payload will very often “install” itself to survive a reboot with a persistence item (see below). Additionally it can load several components to hide itself and/or harden its removal. Then it will perform the task for which it was designed.

[Image: dropper diagram (damballa.com)]

Persistence Items


The persistence item of a malware is what makes it start at boot. Without it, the malware would no longer exist after a machine is restarted.
So the persistence item is the weakness of every malware infection.
Here’s a quick list of where a malware can hide its persistence item:

  • Registry: RUN key, Services key, Browser Helper Object, … There are tons of different places in the registry to start a software at boot.
  • Scheduled Task: We can schedule a program to start at boot.
  • Startup folders: Placing a shortcut into one of them will start the program at boot.
  • MBR/VBR infection (Bootkit): A bootkit will modify bootstrap/bootloader code of the Master Boot Record or Volume Boot Record to load its own driver before the operating system even loads.
  • Patched system file: By modifying a legit system file (that is loaded at startup), the malware can place its own code and it will be executed at startup.
  • Web browser extension: Nowadays, a computer will 99% of the time have a web browser opened during a work session. So an extension is a good choice to place malware code, plus it will have access to a lot of sensitive information.

Remaining Stealth


To remain hidden in the system, malware will often use several tricks:

  • Use randomly generated names to avoid detection by name.
  • Hijack system names (1), Ex: svhost.exe (the real one is svchost.exe).
  • Hijack system names (2), Ex: %temp%/explorer.exe (the real one is %windir%/explorer.exe). In task manager, we don’t see the full path.
  • Perform process injection: Either by injecting code into existing process (like explorer.exe), or by creating a copy of existing process and by injecting code into it.
  • Use hooking to hide or protect its process, persistence items.

Removal


To remove an infection, you can do it in several ways:

  • Remove payload (99% of the time, a file).
  • Remove persistence item(s).

Removing both is better, but either way would prevent the malware from loading.

Credit To: http://www.adlice.com/
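The Persistence Items list in the post above is, for a defender, a checklist of places to read. The following script is an added example, not part of the original post or of adlice.com's material: it enumerates the Run/RunOnce keys, startup folders, scheduled tasks, services and Browser Helper Objects named in that list and then flags entries whose command runs from a user-writable location. It assumes Windows 8 / Server 2012 or later (for Get-ScheduledTask) and an elevated PowerShell 5.1+ session on the machine being inspected; the function names and the "user-writable" pattern are my own choices.

```powershell
# Added example (not from the original post or adlice.com): list the persistence
# locations named in the post so a defender can review them for entries they do not recognise.
# Assumptions: Windows 8 / Server 2012 or later (Get-ScheduledTask), an elevated
# PowerShell 5.1+ session on the machine being inspected.

function Get-PersistenceEntries {
    $entries = New-Object System.Collections.Generic.List[object]

    # 1. Registry Run / RunOnce keys: machine-wide, 32-bit view, and current user
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PSPath, PSChildName, ... are provider metadata
            $entries.Add([pscustomobject]@{ Source = 'Registry'; Location = $key; Name = $prop.Name; Command = [string]$prop.Value })
        }
    }

    # 2. Startup folders for the current user and for all users
    $startupDirs = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    )
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($item in (Get-ChildItem -Path $dir -File -Force | Where-Object { $_.Name -ne 'desktop.ini' })) {
            $entries.Add([pscustomobject]@{ Source = 'StartupFolder'; Location = $dir; Name = $item.Name; Command = $item.FullName })
        }
    }

    # 3. Scheduled tasks that are not disabled, one row per executable action
    foreach ($task in (Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' })) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }     # COM-handler actions have no Execute
            $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
            $entries.Add([pscustomobject]@{ Source = 'ScheduledTask'; Location = $task.TaskPath; Name = $task.TaskName; Command = $cmd })
        }
    }

    # 4. Services (the HKLM\SYSTEM\...\Services key, read through CIM)
    foreach ($svc in (Get-CimInstance -ClassName Win32_Service | Where-Object { $_.StartMode -ne 'Disabled' })) {
        $entries.Add([pscustomobject]@{ Source = 'Service'; Location = 'HKLM:\SYSTEM\CurrentControlSet\Services'; Name = $svc.Name; Command = [string]$svc.PathName })
    }

    # 5. Browser Helper Objects: each CLSID subkey is resolved to the DLL it loads
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoKey) {
        foreach ($sub in (Get-ChildItem -Path $bhoKey)) {
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$($sub.PSChildName)\InprocServer32"
            $dll = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' } else { '<unresolved>' }
            $entries.Add([pscustomobject]@{ Source = 'BHO'; Location = $bhoKey; Name = $sub.PSChildName; Command = [string]$dll })
        }
    }
    return $entries
}

# Legitimate startup items normally live under Program Files or the Windows directory;
# a command that runs from Temp, Downloads or Public is worth a closer look (my own heuristic).
function Test-UserWritableLocation([string]$Command) {
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    return [bool]($expanded -match '(?i)\\(Temp|Downloads|Public)\\')
}

$all = Get-PersistenceEntries
$all | Sort-Object Source, Name | Format-Table Source, Name, Command -AutoSize -Wrap
'--- entries running from user-writable locations ---'
$all | Where-Object { Test-UserWritableLocation $_.Command } | Format-Table Source, Name, Command -AutoSize -Wrap
```

The first table is the full inventory to compare against a known-good machine; the second is only a triage hint, since plenty of legitimate software also starts from a profile directory. The list deliberately stops at the locations the post names; bootkits and patched system files need offline inspection of the disk and file hashes rather than a registry walk.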

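The two name-hijacking tricks in the Remaining Stealth list above (svhost.exe for svchost.exe, and %temp%\explorer.exe shown in Task Manager without its path) can both be checked from the running process list. The following script is an added example, not code from the original post or adlice.com. It assumes an elevated session so that Get-Process can read the image path of other users' processes; the table of impersonated system processes and the edit-distance threshold are my own choices.

```powershell
# Added example (not from the original post or adlice.com): flag running processes that
# use the two name-hijacking tricks described in the post: a near-lookalike of a system
# process name (svhost.exe for svchost.exe) or a genuine system name started from the wrong
# directory (%temp%\explorer.exe). Assumptions: run elevated so that Get-Process can read
# the image path of other users' processes; the table of system names is my own selection.

# Windows processes that malware likes to impersonate, with the directory each one
# legitimately runs from.
$knownSystemProcesses = @{
    'svchost'   = "$env:windir\System32"
    'explorer'  = "$env:windir"
    'lsass'     = "$env:windir\System32"
    'csrss'     = "$env:windir\System32"
    'winlogon'  = "$env:windir\System32"
    'services'  = "$env:windir\System32"
    'wininit'   = "$env:windir\System32"
    'spoolsv'   = "$env:windir\System32"
    'taskhostw' = "$env:windir\System32"
}

# Levenshtein edit distance between two lower-cased names; a distance of 1 catches
# one-character lookalikes such as "svhost" or "scvhost".
function Get-EditDistance([string]$a, [string]$b) {
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $prev = @(0..$b.Length)
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = @($i) + (@(0) * $b.Length)
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

function Find-SuspiciousProcesses {
    $findings = foreach ($p in Get-Process) {
        $name = $p.ProcessName.ToLowerInvariant()
        $path = $p.Path    # $null when access is denied (protected or other-user processes)

        if ($knownSystemProcesses.ContainsKey($name)) {
            # Trick (2): a genuine system name running from outside its expected directory
            $expected = $knownSystemProcesses[$name]
            if ($path -and -not $path.StartsWith("$expected\", [StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{ ProcessId = $p.Id; Name = $p.ProcessName; Path = $path; Reason = "system name outside $expected" }
            }
            continue
        }
        # Trick (1): a name that is one edit away from a system process name
        foreach ($known in $knownSystemProcesses.Keys) {
            if ((Get-EditDistance $name $known) -eq 1) {
                [pscustomobject]@{ ProcessId = $p.Id; Name = $p.ProcessName; Path = $path; Reason = "lookalike of ${known}.exe" }
                break
            }
        }
    }
    return $findings
}

# Task Manager shows only the name; this output always shows the full image path as well.
Find-SuspiciousProcesses | Format-Table ProcessId, Name, Path, Reason -AutoSize -Wrap
```

Both checks are heuristics for a human to review, not verdicts: a 32-bit svchost.exe legitimately runs from SysWOW64 and will be listed, and a process whose Path is empty could not be checked at all and deserves a second look with an elevated session.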

Nice 1.

I have tried to find simply but catching the Category of Malware....


What Is CRYPTO RANSOMWARE Anyway ??? ??? ???

Ransomware is a type of malware (malicious software) that tries to take your files, business data and personal memories stored on your computer hostage.
In general there are two types: screen lockers and crypto ransomware.

The idea behind screen lockers is simple: prevent the user from using his computer by displaying some kind of password prompt that they can’t get around unless they pay for the correct unlock code.

This type of ransomware was wildly popular just a couple of years ago, but is almost extinct nowadays as it has been replaced by its newer and much more devious sibling: the crypto ransomware.
Crypto ransomware doesn’t lock you out of your computer. Instead it locks you out from accessing your files and all the precious information and memories stored within them by the use of encryption.

The idea of ransomware isn’t a particularly new one. In fact the first publicly documented case of ransomware, the “AIDS” trojan, can be traced back to the year 1989, when home computing was still in its infancy.
The idea of “AIDS” was to encrypt all the file names on your computer.
To restore your system back to normal, you would have to pay a ransom of $189.
The malware author was quickly identified back then, as the only way to receive money was to have victims wire or mail it to him, leaving behind an easy-to-trace paper trail.
The success and widespread usage of anonymous currencies like Bitcoin, however, makes following the money almost impossible, which allows ransomware gangs to often operate in the shadows for years without being caught.

Once a crypto ransomware makes it onto your system, it will look for files that it finds interesting, like for example pictures, videos, save games, databases, documents and music.
It will then encrypt these files using some form of cryptography.
The type of cryptography used ranges from easy-to-break self-made algorithms and methods to impossible-to-break military grade encryption.

After all your files have been encrypted, it will usually get rid of backups and shadow copies of your files, so you can’t just restore them.
Last but not least it will leave ransom notes behind all over your computer, making you wildly aware of what just happened and outlining how to pay the ransom to get your files back.

How can you protect yourself from ransomware?

The best defense from ransomware is a good set of backups, stored on a disconnected device.
Backups are one of these things we all know we should do, but we rarely do until it is too late, even though they not only protect you from ransomware but from more mundane threats like hard disk failure or computer theft as well.
As mentioned before, a lot of ransomware will target your backups specifically.
That is why it is important to store your backups somewhere where your computer can’t usually touch them.
An external disk drive that is usually detached from your computer, or some kind of cloud-based file storage or backup system, are a good idea.
You can also find a backup buddy and store your backups at a friend’s computer and vice versa.
No matter what option you choose, make sure you do them regularly, preferably daily, and also make sure you tested the restoration process at least once.

----------------------------------------------------------


Trojan-Ransom (Winlock)

How to protect a computer from Trojan-Ransom (Winlock)

Trojan-Ransom malware aims to block access for the user to a computer or restrict work on the computer.
It demands monetary payment to unblock the computer and to return it to the initial state.
The main peculiarity of the Trojan-Ransom family is its commercial orientation.
Each program of this class is an instrument to trick the money out of users and to deliver it to cybercriminals.

To avoid possible infection with the Trojan-Ransom family, download and install an Internet Security Suite which includes high-level protection against ransom malware.

If your computer is infected with a program of the Trojan-Ransom family, then download and launch Kaspersky Windows Unlocker from Kaspersky Rescue Disk.

Third-party applications run on my PC - Trojan-Ransom (Winlock)

Invader (Intrusion into the process) is a category of malicious objects which embeds its code into the address space of other programs, thus getting access to the program’s resources.
Such operations as loading a module into another process, RAM modification in the process, running exploits and others belong to programs of this kind.

If your computer uses programs which automatically switch the keyboard layout, some AV treats these actions as dangerous, because attempts to intrude into processes used by other programs are typical for malware (for example, password interceptors, etc.).

If an executable file to which the AV component triggers is legal and belongs to an application which was installed on your computer, it is recommended to add this file to the Trusted.
If an executable file does not belong to any application installed on your PC and does not have a digital signature either, it is recommended to treat it as a suspicious object.

----------------------------------------------------------

 

Delete Infected files from Temporary Internet Files Folder:

How to delete infected files from the Temporary Internet Files folder in Internet Explorer (should be similar for v 6-11)

In order to remove infected files stored in the folder Temporary Internet Files in Internet Explorer, do the following:
1. If you work under Windows 8, then go to Desktop (for this, click the Desktop tile in the Microsoft Design Language interface).
2. Launch Internet Explorer.
3. In the main menu click (gear symbol) (Tools) -> Internet Options.
4. In the Internet Options window, on the General tab under Browsing history, click the Delete button.
5. In the Delete Browsing History window check the box Temporary Internet files and click the Delete button.
6. In the Internet Options window click the OK button.
7. Close Internet Explorer.

----------------------------------------------------------

 

Trojan-Ransom.Win32.Shade

If the message that your files have been encrypted appeared on your Desktop and the file extensions have changed to .xtbl or .ytbl, you have become a victim of the Trojan-Ransom.Win32.Shade cryptovirus (also detected by other antivirus software as Trojan.Encoder.858, Ransom:Win32/Troldesh.A, TROJ_GEN.R00WC0DF615).
Malware of this class encrypts documents, images, and video files on the infected computer and demands a ransom from the victim.

How the computer gets infected
1. Through email messages: You receive an email message with an attached .exe file, archive or image. The message usually imitates a notification or request from official institutions, delivery services, etc.
2. By visiting an infected website: Ransomware can get to your computer when you visit an infected website. Often, viruses are masked as offers to update commonly used software, such as Java, Flash Player, Adobe Reader, etc., which pop up on unsafe websites.

When you open an attachment in a message from a sender you do not know, or when you click a suspicious link or download a file on a website, you risk infecting your computer with ransomware.

At the moment of infection no visible changes are made to the computer; the files are encrypted in the background.
After the encryption process is completed, the screen gets blocked with a banner demanding payment in exchange for file decryption.

Shall you pay the ransom?
No one can guarantee that malefactors will send you the key to decrypt your files after you pay the requested ransom.
Please note: Using software found on the Internet to decrypt the files can be dangerous.

What to do if your computer is infected:

Delete the virus
1. Perform a full scan of your computer using Anti-Virus. Deleting the virus can prevent further infection.
2. Restore previous file versions
Usually, it is impossible to restore the encrypted files without the key for decryption.
If system restore points have been created on the computer, you may be able to restore previous versions of the encrypted files.

Please note: At the moment, files with the .xtbl or .ytbl extension cannot be decrypted.
As soon as a solution is found, the information will be available on AV forums.

 

How to prevent the infection

To prevent an infection or minimize damage, follow the recommendations below:

1. Create a restore point
If system restore points have been created on the computer, you may be able to restore previous versions of the encrypted files.
Learn more about system restore:
http://windows.microsoft.com/en-us/windows/repair-recovery-help#repair-recovery-help=windows-8&v1h=win8tab1
On the MS Windows site - In the upper-right corner of the window, select your operating system.

2. Scan your computer for malware
Use an Anti-Virus to scan your computer if you have no antivirus software installed or if your antivirus software is unable to detect malware. USE Kaspersky Virus Removal Tool -
http://www.kaspersky.com/antivirus-removal-tool?form=1
Direct Download Link - http://devbuilds.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

3. Install an antivirus software
Anti-Virus software products with the latest databases will block an attack and prevent an infection.
Internet Security Suites have the Anti-Virus engine as the core of their protection.
No need to buy both from the same Developer.

4. Update regularly
Update your anti-virus software on a regular basis. During the update, antivirus databases and product components are updated, existing features are improved, and new features are added.
Apart from updating your antivirus software, we recommend that you regularly install operating system updates, and update browsers and other apps you use.
Software vendors regularly eliminate vulnerabilities which can be used by malefactors.

5. Check the settings
Make sure your Anti-Virus is enabled and do not change the default settings of the components unless you understand them.
For more information about the settings of the AV component(s), see the articles and user comments on the Developer’s website.

6. Back up your files regularly
It’s recommended that you regularly create backup copies of all important files and store them on a removable drive or in online storage. If you use software for this, set a schedule for the backup task.

 

Protect against CryptoLocker malware:

CryptoLocker is malware which encrypts files on the infected computer and demands a ransom for decrypting them.
Usually the victim has 96 hours to make a payment.
If the money is not transferred to the cybercriminals’ account within this time span, the decryption key gets removed from the computer and the files remain unreadable.

CryptoLocker description:
After CryptoLocker penetrates into the system, it scans the computer and connected network drives for files with popular extensions: doc, docx, xls, xlsx, jpg, ppt.
All the files found are encrypted with a public key, then the screen is blocked with a demand that the user must pay the ransom.

CryptoLocker employs asymmetric key encryption: files are encrypted with a public cryptographic key while decryption requires a secret key that is stored on the cybercriminals’ remote server.
Public keys are unique for each infected computer.
It is impossible to decrypt files without the secret key.

Any attempt at deleting CryptoLocker or entering a wrong key will result in deletion of the secret key that is necessary for decryption (i.e. the files will remain permanently encrypted and inaccessible).

Prevention:

CryptoLocker employs a cryptographically secure method of encryption that cannot be forced by decrypting programs.
Once the computer has been infected, obtaining the secret key is the only way to decrypt the files.

However, there are some ways to prevent infection or minimize the damage.

Create a system restore point:
If you have system restore points created on your computer, you may be able to restore previous versions of some encrypted files.
For more information on creating a restore point, please refer to the following pages:
For Windows 8.1 / RT8.1 users --- http://windows.microsoft.com/en-us/windows-8/restore-refresh-reset-pc
For Windows 7 users ------------- http://windows.microsoft.com/en-us/windows7/create-a-restore-point
For Windows Vista users --------- http://windows.microsoft.com/en-us/windows/what-is-system-restore#1TC=windows-vista
For Windows XP users ------------ http://windows.microsoft.com/en-us/windows/end-support-help

Run a malware scan:
Use Kaspersky Rescue Disk to run a full scan of your computer to detect malware activity if your computer is infected:
1. Download the disk image of Kaspersky Rescue Disk 10 - http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso
2. Burn it to CD/DVD or copy it to a USB drive and boot from it.
CD/DVD - http://support.kaspersky.com/8093
USB    - http://support.kaspersky.com/8092
3. Install an anti-virus solution
An anti-virus application with up-to-date databases will block the Trojan attack thanks to continuous threat monitoring.

Windows 8.1, Windows RT 8.1: Set up a drive for File History
http://windows.microsoft.com/en-us/windows-8/set-drive-file-history

Restore files or folders using File History
http://windows.microsoft.com/en-us/windows-8/how-use-file-history

----------------------------------------------------------


How to protect against file-encrypting Ransomware:

General recommendations
1. Do not open attachments in unknown senders’ emails
In most cases, ransomware that encrypts your files is distributed via email as an attachment.
The cybercriminals’ goal is to persuade you to open the attachment; that is why malicious emails are titled as if they contained important information, such as a court order, notice of intended prosecution, late fee notice or similar.
Not only EXE files can be harmful. Security Lab experts confirm that a malicious file can have the DOC and PDF formats.

2. Keep your operating system, antivirus software and other applications updated in a timely manner.

What to do if the files have been encrypted by Ransomware:

Disable automatic deletion of detected malicious files in your AV software.
If you have an antivirus product installed on your computer, reconfigure its settings:
1. Disable automatic deletion of detected harmful objects.
2. Set the action to Move to Quarantine.

***Please note: it is not recommended to delete quarantined files because they may contain keys that can be useful for decryption.***

Send suspicious files for analysis:
If you discovered a suspicious file that might have caused unwanted encryption of your files, send a request to a Virus Lab and attach the suspicious file to your request.
Many accept files via email; when sending an email, create an archive protected with the password "infected" (using the WinRAR file archiver).
When setting the password, select the check box Encrypt file names.

3. Create copies of affected (encrypted) files

4. Try to restore the files
You can try to restore affected files from their previous versions:
In Windows Vista ---- http://windows.microsoft.com/en-US/windows-vista/Recover-lost-or-deleted-files
In Windows 7 -------- http://windows.microsoft.com/en-US/windows7/Recover-lost-or-deleted-files
In Windows 8 -------- http://www.asoftech.com/articles/windows-8-data-recovery.html
Windows 8.1, RT 8.1 - http://windows.microsoft.com/en-GB/windows-8/how-use-file-history

5. Use the utilities for automatic file decryption
RectorDecryptor - http://support.kaspersky.com/viruses/disinfection/4264
XoristDecryptor - http://support.kaspersky.com/viruses/disinfection/2911#block1
RakhniDecryptor - http://support.kaspersky.com/viruses/disinfection/10556

WARNING! Create backup copies of the files before running the utilities.

----------------------------------------------------------


Emsisoft:


Over the past couple of years, we managed to build a certain reputation when it comes to ransomware.
Our malware research team, which is deeply embedded into various major technical support communities

like BleepingComputer or Trojaner-Board to monitor new malware trends and outbreaks closely,

is quite proud of the fact, that none of the major or minor ransomware outbreaks in the last 5 years

affected Emsisoft users in a significant way.

 

[To give you an idea of just how effective our products are at keeping even new and yet unknown

ransomware from harming your system and the files on it, we thought it would be a good idea to let

twenty different ransomware families have a go on a system protected by Emsisoft Anti-Malware.


To make things a bit harder for us, we disabled both the Surf Protection, so the malware can communicate

with its command and control server freely, as well as the File Guard, so that signature based detection

is removed from the equation, as signatures most likely didn’t exist yet at the time the ransomware was

first released.
We hope you enjoy watching Emsisoft Anti-Malware squash some of the biggest ransomware threats out

there, without the help of any signatures, just as much as we do, knowing your system is well protected from

all of these and hundreds more.]

 

Strong indications that ransomware devs don’t like Emsisoft:


As reported by our friends at Bleepingcomputer, the developers of the Radamant Ransomware Kit have

now released a new, third version of their ransomware.
This comes after the Emsisoft lab, lead by our CTO Fabian Wosar, succesfully developed a decryptor for

the previous two versions.
The first version of Radamant encrypts data files with a RDM extension, while the second version uses

a RRK extension.
There are now rumors of a third version that we have not seen yet.
For the first two versions, our developed decryptor can recover a victim’s files  – for free.
It comes to no surprise though, that the developer of the Radamant ransomware wasn’t very happy

with Fabian and Emsisoft for interfering with his business.


Take a look at the embedded strings in the ransomware malware executables and the domain names

for their Command and Control Servers:

For example, in the latest version of the malware executable there are strings such as
 emisoft f**kedbastardsihateyou that shows the developers displeasure that are really similar to “Emsisoft”.
But see for yourself:


http://www.bleepstatic.com/images/news/ransomware/radamant/not-happy/not-happy-with-fabian.png


The Radamant developer also included Emsisoft in the domain name of one of his Command & Control servers: emisoftsucked.top (typo included).


http://www.bleepstatic.com/images/news/ransomware/radamant/not-happy/new-c2-with-emsisoft.png


As stated in http://www.bleepingcomputer.com/forums/t/599368/radamant-ransomware-kit-support-topic-encrypts-files-to-rrk-rdm-extension/page-4#entry3895835, Fabian does not appear to be insulted, but rather quite the opposite:


“I am not really sure how things work in your circles, but in my circles getting insulted by malware authors is considered the highest kind of accolade someone can get, so thank you very much for that. Just next time, please try to get the company name right. But it’s a common mistake, so I let that one slide.” - Fabian Wosar


If you’re a victim of the Radamant ransomware and would like to recover your files and download our decrypter, please read and visit the forum thread at Bleepingcomputer in which you can find the most recent info and instructions.


CREDITS:

http://blog.emsisoft.com/2015/12/22/how-its-done-right-emsisofts-behavior-blocker-vs-20-crypto-ransomware-families/?ref=ticker151231&utm_source=newsletter&utm_medium=newsletter&utm_content=subnews&utm_campaign=ticker151231

http://blog.emsisoft.com/2015/12/29/strong-indications-that-ransomware-devs-dont-like-emsisoft/?ref=ticker151231&utm_source=newsletter&utm_medium=newsletter&utm_content=subnews&utm_campaign=ticker151231

http://support.kaspersky.com/viruses/common/10952#block1

http://support.kaspersky.com/viruses/common/10646#block2

http://support.kaspersky.com/viruses/common


Here are some useful videos, guides and information to help with understanding and removal of nasties!

Malware Fundamentals:

Malware (Malicious Software) is a collective term for all kinds of threats including Viruses, Worms, and Trojans. This link gives an overview on the impact malware has on individuals, its role in cybercrime and how it spreads.
https://www.youtube.com/watch?v=afzkoB_lYNk


Webinar that explains the entire infection chain:

Webinar that explains the entire infection chain, from a website getting compromised to an end user's computer becoming infected with a bot and then ransomware. It also covers some basic terminology and describes how security tools can help break the infection chain at various points.
https://www.youtube.com/watch?v=P1U9_s7j4Hg


Virus Removal 101 (Kill any virus without losing data):

Clean your computer and rid it of any viruses, spyware, adware and malware, all for free. Don't pay outrageous prices for these services; it's not that hard to do, and here I'll show you.
https://www.youtube.com/watch?v=9WVT7f_NDBQ

First download these files:
1. http://www.bleepingcomputer.com/downl...
2. http://www.upload.ee/files/5256226/Ma...
3. http://download.cnet.com/Spybot-Searc...
4. http://download.cnet.com/Avast-Free-A...
Then move them to a folder on your desktop and follow the instructions in the video for the correct order of installation.


How to remove computer virus, malware, spyware, full computer clean and maintenance:

This video shows step by step how to remove computer viruses, malware and spyware, do a full computer clean and maintenance, optimize and speed up a slow computer, and run a computer security check-up.
https://www.youtube.com/watch?v=7n0onMeoZNA

Needed FREE files and steps: (FOLLOWING ALONG WITH VIDEO IS ADVISED)
1.  Mbam: https://data-cdn.mbamupdates.com/web/mbam-setup-2.2.0.1024.exe
2.  SAS: http://cdn.superantispyware.com/SUPERAntiSpyware.exe
3.  Ccleaner:  http://download.piriform.com/ccsetup513.exe
4.  Run cleaner
5.  Clean registry
6.  "Should I Remove It?" Remove harmful programs:  http://www.shouldiremoveit.com/installers/ShouldIRemoveIt_Setup.exe
7.  Start-up audit
8.  Web browser clean and optimization
9.  Hard drive fragmentation
10. Windows firewall
11. Windows updates
12. Anti-virus check
****Recommended Free Antivirus:
a)  Avast (Best Free Protection) http://files.avast.com/iavs9x/avast_free_antivirus_setup_online.exe
b)  Microsoft Security Essentials - Windows 7, Vista http://windows.microsoft.com/en-us/windows/security-essentials-all-versions
    Windows Defender - for Windows 8, RT, 8.1, RT 8.1, 10, provides built-in protection against malware. You can't use Microsoft Security Essentials, but don't need to — Windows Defender is already included in Windows 8, RT, 8.1, RT 8.1, 10 and ready to go.
c)  AVG - http://files-download.avg.com/inst/mp/AVG_Protection_Free_698.exe
d)  Avira - https://package.avira.com/package/oeavira/win/int/avira_en_av_5695ee622826c__ws.exe
13. Remove SAS results
14. Remove Mbam results
15. Reboot/Restart computer


Computer Threats from A to Z:

Finally, a guide to help you. Threatsaurus, the A-Z of computer and data security threats (PDF download). Sophos Threatsaurus is a 100-page directory of security alerts and tips, written in language that even non-IT professionals will understand.
http://bit.ly/15FlXbv

Direct Link:
https://www.sophos.com/en-us/medialibrary/PDFs/other/sophosthreatsaurusaz.pdf?la=en.pdf


[ ANDROID ]

The Easiest Way to Uninstall Malware on an Android Device [How-To]:

In this video, I'll be showing you how to uninstall malware from your Android device—even that dreaded $500 "FBI" ransomware Moneypak virus. Rather than fighting through endless pop-ups, screen-jacking malware, or even general sluggishness, just boot into Safe Mode to make the whole process faster.
https://www.youtube.com/watch?v=rdKKT1c_7Cw

Full Tutorial: http://android.wonderhowto.com/how-to/uninstall-malware-from-your-android-device-0164072/


Ransomware - 7 Tips for Recovery & Prevention

1. Plan

The time to figure out how you would respond to such an incident is NOT the minute it happens. Figure out in advance who to call for help, how to reach them quickly, and where your passwords, install disks and other important items are. File them where they can be easily found, but NOT on a PC whose infection can prevent you from accessing the details needed to fix it.

2. Back up and test

The salvation of my customer was in its ability to restore from a backup. To protect yourself from various risks, including ransomware, you need a good backup strategy, which must include monitoring backup status and testing of the restore process to ensure that restored files are usable. A backup process without testing may not be worth much.

3. Use antivirus software and firewalls

Much has been written of late about the growing obsolescence of antivirus software, and to some extent firewalls. This is claimed because these products are signature-based, and active malware signatures change rapidly. The fallacy of this argument, however, is that for every malware item with newer signatures in the wild, there are hundreds still making the rounds that have older signatures, and can thus be blocked. I suggest that you ignore the theorists, and implement a good firewall and antivirus package. Keep them up to date and monitor them.

4. Perform software updates

Ransomware, like many malware programs, makes use of vulnerabilities in Windows, OS X and other software to infect your systems. You must faithfully ensure that updates get applied. I encounter many customer PCs that have not had an update in months. These are sitting ducks. Also, don’t forget firmware updates for your network and IoT devices, which can also help prevent attacks.

5. Restrict mapped drives

Make sure that server drives are only mapped to the user PCs where they are actually needed. Use read-only folders where possible. If an infected PC cannot access the server drive, it cannot infect it. Note that cloud drives can be susceptible as well, as a recent report by Krebs on Security confirms.

6. Know who uses your PCs

Restrict the use of each PC to only authorized people. In an office environment, keep them locked down, so that maintenance personnel or other passers-by cannot use them for a quick Web search. At home, avoid letting your kids use any PC with work-related data.

7. Respond if the worst happens

If you find yourself encrypted and without a backup, you may be forced to pay the ransom. I find it distasteful to even suggest this approach, but if the value of your data is sufficient, you may be forced to make that decision. Even the FBI has stated that this may be the best course of action in some cases. As I said above, malware authors, out of concern that people will not “trust” them and stop paying, are doing a better job of making sure the victims can get their files back. There are, however, no guarantees with this approach.

Bottom line: The best cure for ransomware is diligent prevention. Once you are infected, your options may be limited, expensive and unpleasant.

SOURCE
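One way to act on tip 2 (test the restore, not just the backup) is a small restore-verification script. This is an added example, not code from the post above or its source: it records SHA-256 hashes before the backup runs, checks the restored copy against them, and separately flags files that came back carrying the Radamant .RDM/.RRK extensions mentioned earlier in the thread, because a backup that captured already-encrypted files will "restore" without error yet be useless. File names and contents are constructed for the demo.

```python
# Added example (not from the original post): verify that a restored backup is usable.
import hashlib
import tempfile
from pathlib import Path

# Extensions Radamant appends to encrypted files, as described earlier in the thread.
RANSOM_EXTENSIONS = {".rdm", ".rrk"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the SHA-256 of every file under root, keyed by relative path."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest taken before the backup ran."""
    result = {"ok": [], "missing": [], "mismatch": [], "encrypted": []}
    for rel, digest in manifest.items():
        candidate = restored_root / rel
        if candidate.is_file():
            result["ok" if sha256_file(candidate) == digest else "mismatch"].append(rel)
            continue
        # Original name is gone: look for an encrypted copy (name + ransom extension),
        # which means the backup captured the file after the ransomware had run.
        hits = [p for p in candidate.parent.glob(candidate.name + ".*")
                if p.suffix.lower() in RANSOM_EXTENSIONS]
        result["encrypted" if hits else "missing"].append(rel)
    result["usable"] = not (result["missing"] or result["mismatch"] or result["encrypted"])
    return result


def demo() -> dict:
    """Constructed scenario: two files backed up, one restored intact, one encrypted."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = Path(tmp, "src"), Path(tmp, "restored")
        src.mkdir()
        restored.mkdir()
        (src / "budget.xlsx").write_bytes(b"quarterly numbers")
        (src / "notes.txt").write_bytes(b"meeting notes")
        manifest = build_manifest(src)
        (restored / "budget.xlsx").write_bytes(b"quarterly numbers")  # intact copy
        (restored / "notes.txt.RDM").write_bytes(b"\x00garbage")       # encrypted before backup
        return verify_restore(manifest, restored)
```

A restore that reports anything other than `usable: True` is the signal to fix the backup job before you need it, not after.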
