Wednesday, October 10, 2012

Infamous "OpenSC.WS" is back

    It would seem that the infamous "Security research" forum (trojan coding forum) called OpenSC.WS is back up. The admin "reine" claims he was traveling and missed the billing email, and claims that was the reason for this extended down time. There is no word on whether the constant DDOS attacks will continue now that this forum is back up, I suspect it won't be long before they start up again.

    So what does this mean for us, security wise? It means that there will now, once again be more viruses being used in the public. While many of OpenSC's users left for other forums, there are still others who waited patiently for it's return to start selling malware again. While this won't cause an increase in extremly hazardous malware like FLAME or StuxNet, you can expect to see more RATs (Remote Administration Tools) and small bitcoin mining malware (Bitcoin is an online currency frequently used for illicit business). So I suggest you all set up those anti-virus and firewalls, and tread carefully.

Please let me know if you are interested in a particular topic for my next post

Friday, October 5, 2012

Stuxnet, Duqu, Flame, and Gauss.

    Stuxnet, Duqu, Flame, and now, Gauss. These four malwares are some of the most dangerous out there. They are all coded fairly similarly, which brings up the question, are they coded by the same person? We can't really know for sure, but I believe that the answer is yes and no.

     As you may be aware, some time ago, HBGary Federal was experimenting with stuxnet decompiles, and suspected to be planning on using it for their own purposes. The hacker group Anonymous intercepted multiple emails and compromised one of their servers to find that they had most of the stuxnet source code. Anonymous then released this source to the public. A While after this, we see Duqu appear. While Duqu is very similar to Stuxnet, it is still quite different. This leads us to believe that while it was based on the source of Stuxnet, the version released by Anonymous, it was coded, or modified, by someone else.

    After that, we encounter Flame. This malware is very different, although many of its features are quite similar. Many thought Flame was an attack by a government, possibly the US. There is little to no evidence to support this, although it is entirely possible. This malware was also derived from the stuxnet source, although it was modified a great deal more than Duqu. So, once again, this is most likely from another coder entirely.

    Now, a newer malware was detected, and named "Gauss".While much of this malware is still unknown  as its main payload is fairly heavily encrypted, it seems to fall in with Stuxnet, Duqu, Flame, etc. There are also some who think this is another governmental espionage virus. While I do not know much about this malware, it does seem likely that governments are relying heavily on things like malware for infosec and things of that nature. Things like Flame could even be used to shut down power grids, take  over full control of a network, etc, which could be extremely useful.

As soon as I learn more about Gauss, or the relationship between all these trojans/malware I will let you know.

More on Gauss

Stuxnet source


Saturday, September 29, 2012

Which Anti-Virus software should you use?

    Many people have Anti-Virus software, but is it the best one? I usually don't recommend to get an Anti-Virus/firewall bundle, as one company makes a better firewall, while another makes a better Anti-Virus. In this post, I will tell you which Anti-Virus/firewall software I recommend, and which ones to avoid.

   Let's start with free options. There are quite a few free Anti-Virus options out there, but most only work for a limited time, or have limited functionality. If you really don't want to spend money on this, then I recommend Malwarebytes Anti-Malware. I have used this, and so have many of my friends and family, and it works great. It is perfect for a short term solution while you try to figure out what software to purchase. This is both a fire wall and a anti virus, and The ones I recommend you avoid are Avast and AVG, both free and premium versions. These are considered a joke by the very people who code and spread malware. This is nothing personall, they just are not that great. A good free firewall is Comodo. Combinng these two is a fairly decent security solution. Now onto a great paid solution.
Note, these ads lead to paid or premium version of the product

    My favorite and, I think, best Anti-Virus is ESET's Nod32. It is one of the most up to date and fastest updating firewalls out there. This is the Anti-Virus that I use, and have for awhile. I recommend that you stay away from Norton products, the source of these have been leaked to the public, making it much easier for malware authors to avoid or bypass it. For firewall I recommend Kaspersky. It is one of the more "feared" firewalls for hackers and malware authors. These two togethor should be good enough to stop most attempted attacks. Always remember though, even the NSA gets hacked, so if you're not carefull, you can be another victim to a yet unkown zero day. so be sure to stay safe online.

Which Anti-Virus and/or Firewall software do you prefer and why?

Friday, September 28, 2012

Mobile adware on the rise

    As many of you may know, there are many apps that are not entirely beneficial, most being for andriod phones. Now that so many people have a smart phone, malware creators are starting to focus more and more on making malicious apps. These can not only steal your personall data, or harass you and your friends with spam and ads, it also drains your battery. A recent survey has shown that about 12% of phones run out of battery completely each day. This can be very annoying, and with 60% of people saying that battery life is the main selling point, very costly.
A trend micro study on battery usage

    Adware is now incorporated into many apps, and while most ads are displayed legitimatly, they can now create illigitimate "notifications" or icons, that, when clicked, lead to the advertisers website. Many of these ads also steal your personall info, most of them without any sort of notification that they are doing this. They collect and send data in the background, and burn through your battery life and data usage.

    There are many free antivirus apps that can protect agains most common threats, and also many paid apps. I personally recommend either Sophos mobile security, or ESET's mobile app. They can be found here and here, respectively (Sophos being free, ESET a paid app).

Trend Micro

Sunday, September 23, 2012

ZeroAccess: How to remove the latest version

   In my previous 2 posts I have highlighted the changes in the newer version of ZeroAccess and how to tell if you are infected, and who is at most risk. This post will cover how to get rid of this infection, and what tools to use to protect against it.

    The easiest way is to download one of many anti-virus programs, or removal tools. I always recommend ESET as they have always gotten the job done for me and my family. ESET has made a tool specifically to remove the ZeroAccess bot, one that is easy and completely free.

  1. Download the tool here
  2. Start the tool by double clicking it.
  3. Press "Y" when it asks you if you want to restore system services
  4. Once the tool has finished working, restart your computer by pressing any key.
  5. You may be prompted with a security window upon restarting, click yes or allow
  6. Click "Yes" on the repair window
  7. Once the repair is finished, you will be prompted to restart again, do so.
  8. For best results and to ensure complete removal, purchase ESET Smart Security or ESET Nod32 and run a full scan.
    As you can see, it is fairly simple to remove this virus, if you have any trouble, comments, or questions, let me know in the comments section (Don't be embarrassed, I have to approve comments, if you think it is a stupid question, just ask that I do not post the comment, and I will contact you directly.)

    The main way this bot spreads is through exploits, most of which are patched in the latest versions of the software they are designed to exploit, so make sure you apply regular updates, and don't visit shady sites. Also, I know it may be hard to refrain from pirating things like games, so I encourage you to only download "cracks" if there have been many downloads, even then, make sure to read the comments and do not download if it is reported to be infected, or not working correctly. Also remember that I do not condone pirating or any form of illegal downloads.

Saturday, September 22, 2012

ZeroAccess: 9 million infected, are you one of them?

    As I mentioned in my previous post, ZeroAccess is still around and is adapting. Over 9 million PCs are now infected with this bot. Most are located in the USA or Western Europe. 33% of super nodes are located in Germany, with the US coming in a close second with 32%. A super node is an infected machine that is not behind a system like NAT so that other bots, or peers, can access it. This post will be mainly directed at how to tell if you are infected, and who is at the most risk of infection.

    ZeroAccess uses multiple install locations, so you should check all of them. The main component drops at two locations, 1 in appdata, the other in windows/installer. if one is deleted, the other is still perfectly capable of functioning. The two locations are shown in figure 1.1.
Figure 1.1
Thanks to SophosLabs
 Both contain a dll file, named "n" (the main component), which are added to startup by hijacking a COM directive. These also contain a file named "@" which is a list of predetermined peers for the bot to connect to and retrieve updates, commands, etc. These folders also have 2 directories named "U" and "L" which contain plugins and temp files.

Also, if you have windows vista or up, ZeroAccess will try to patch services.exe fortunately, it is easy to restore by running the following command:
sfc.exe /scanfile=c:\windows\system32\services.exe
Simply check for these signs to see if you are infected. If you have been browsing the web without appying recent updates to internet explorer, adobe flash, or java, scan and fix, and apply all updates.
My next post will explain in detail how to remove and protect from this virus.


Wednesday, September 19, 2012

ZeroAccess: still alive and kicking. Part: 1/3

    ZeroAccess is still around and seems to be growing, albeit not as fast as a month or two ago. The coders of ZeroAccess seem to have made major changes to the bot. It uses all new protocols to communicate, drops to a different location, uses different startup methods, and seems to be moving away from kernel-mode and operates mostly in user-mode in both 32 and 64 bit versions. SophosLabs goes into much more detail here

    The bot now uses ports 16464 and 16465 by the 32-bit and 64-bit versions of one botnet; ports 16470 and 16471 are used by the 64-bit and 32-bit versions of the other botnet. This shows that there are 4 distinct and separate botnets, wether they are operated by the same person or group is unknown at this time.

    The bot also drops to a new location, while it used to drop at symlink dir or %APPDATA%, it now drops at %APPDATA%, Windows/installer, or recycle bin.

    The new version, rather than overwriting a driver, it hijacks a COM object and/or patches services.exe. This seems to be a much more stable and more permanent way to do it.

    Both x64 and x86 bit versions of the bot also seem to be doing everything in the user-mode rather than kernel-mode, while in previous versions, x86 used kernel. There are still some new samples that use kernel-mode, but not nearly as many as before.

Part 2 will cover where and how many are infected and finally part 3 will be removal and prevention.
Please comment with any questions and I will do my best to answer.