Wednesday, October 10, 2012

Infamous "OpenSC.WS" is back

    It would seem that the infamous "security research" forum (really a trojan coding forum) called OpenSC.WS is back up. The admin "reine" claims he was traveling and missed the billing email, and that this was the reason for the extended downtime. There is no word on whether the constant DDoS attacks will continue now that the forum is back up; I suspect it won't be long before they start again.

    So what does this mean for us, security-wise? It means that, once again, more viruses will be used in public. While many of OpenSC's users left for other forums, others waited patiently for its return so they could start selling malware again. This won't cause an increase in extremely hazardous malware like Flame or Stuxnet, but you can expect to see more RATs (Remote Administration Tools) and small bitcoin-mining malware (Bitcoin is an online currency frequently used for illicit business). So I suggest you all set up your anti-virus and firewall, and tread carefully.


Please let me know if you are interested in a particular topic for my next post

Friday, October 5, 2012

Stuxnet, Duqu, Flame, and Gauss.

    Stuxnet, Duqu, Flame, and now Gauss. These four pieces of malware are some of the most dangerous out there. They are all coded fairly similarly, which raises the question: were they coded by the same person? We can't really know for sure, but I believe the answer is yes and no.


     As you may be aware, some time ago HBGary Federal was experimenting with Stuxnet decompiles and was suspected of planning to use it for their own purposes. The hacker group Anonymous intercepted multiple emails and compromised one of their servers, finding that they had most of the Stuxnet source code. Anonymous then released this source to the public. A while after this, we saw Duqu appear. While Duqu is very similar to Stuxnet, it is still quite different. This leads us to believe that while it was based on the Stuxnet source, the version released by Anonymous, it was coded, or modified, by someone else.

    After that, we encounter Flame. This malware is very different, although many of its features are quite similar. Many thought Flame was an attack by a government, possibly the US. There is little to no evidence to support this, although it is entirely possible. This malware was also derived from the Stuxnet source, although it was modified a great deal more than Duqu. So, once again, this is most likely from another coder entirely.

    Now a newer malware has been detected and named "Gauss". While much of this malware is still unknown, as its main payload is fairly heavily encrypted, it seems to fall in with Stuxnet, Duqu, Flame, etc. There are also some who think this is another governmental espionage virus. While I do not know much about this malware, it does seem likely that governments are relying heavily on things like malware for infosec and things of that nature. Things like Flame could even be used to shut down power grids, take over full control of a network, etc., which could be extremely useful.

As soon as I learn more about Gauss, or the relationship between all these trojans/malware I will let you know.

More on Gauss
http://www.crysys.hu/
Eset

Stuxnet source
github

Credits
Eset
Crowdleaks


Saturday, September 29, 2012

Which Anti-Virus software should you use?

    Many people have Anti-Virus software, but is it the best one? I usually don't recommend to get an Anti-Virus/firewall bundle, as one company makes a better firewall, while another makes a better Anti-Virus. In this post, I will tell you which Anti-Virus/firewall software I recommend, and which ones to avoid.

   Let's start with free options. There are quite a few free Anti-Virus options out there, but most only work for a limited time or have limited functionality. If you really don't want to spend money on this, then I recommend Malwarebytes Anti-Malware. I have used it, and so have many of my friends and family, and it works great. It is perfect as a short-term solution while you figure out what software to purchase. It is both a firewall and an anti-virus. The ones I recommend you avoid are Avast and AVG, both free and premium versions. These are considered a joke by the very people who code and spread malware. This is nothing personal, they just are not that great. A good free firewall is Comodo. Combining these two is a fairly decent security solution. Now onto a great paid solution.


    My favorite and, I think, best Anti-Virus is ESET's Nod32. It is one of the most up-to-date and fastest-updating firewalls out there. This is the Anti-Virus that I use, and have for a while. I recommend that you stay away from Norton products; their source has been leaked to the public, making it much easier for malware authors to avoid or bypass them. For a firewall I recommend Kaspersky. It is one of the more "feared" firewalls among hackers and malware authors. These two together should be good enough to stop most attempted attacks. Always remember, though, that even the NSA gets hacked, so if you're not careful you can be another victim of a yet-unknown zero day. So be sure to stay safe online.



Which Anti-Virus and/or Firewall software do you prefer and why?



Friday, September 28, 2012

Mobile adware on the rise

    As many of you may know, there are many apps that are not entirely beneficial, most of them for Android phones. Now that so many people have a smartphone, malware creators are focusing more and more on making malicious apps. These can not only steal your personal data or harass you and your friends with spam and ads, they also drain your battery. A recent survey has shown that about 12% of phones run out of battery completely each day. This can be very annoying, and with 60% of people saying that battery life is the main selling point, very costly.
A Trend Micro study on battery usage


    Adware is now incorporated into many apps, and while most ads are displayed legitimately, they can now create illegitimate "notifications" or icons that, when clicked, lead to the advertiser's website. Many of these ads also steal your personal info, most of them without any sort of notification that they are doing so. They collect and send data in the background, burning through your battery life and data usage.

    There are many free antivirus apps that can protect against most common threats, and also many paid apps. I personally recommend either Sophos Mobile Security or ESET's mobile app. They can be found here and here, respectively (Sophos being free, ESET a paid app).

Credits:
Trend Micro


Sunday, September 23, 2012

ZeroAccess: How to remove the latest version

   In my previous two posts I highlighted the changes in the newer version of ZeroAccess, how to tell if you are infected, and who is most at risk. This post will cover how to get rid of this infection and what tools to use to protect against it.

    The easiest way is to download one of the many anti-virus programs or removal tools. I always recommend ESET, as they have always gotten the job done for me and my family. ESET has made a tool specifically to remove the ZeroAccess bot, one that is easy to use and completely free.

  1. Download the tool here
  2. Start the tool by double clicking it.
  3. Press "Y" when it asks you if you want to restore system services
  4. Once the tool has finished working, restart your computer by pressing any key.
  5. You may be prompted with a security window upon restarting, click yes or allow
  6. Click "Yes" on the repair window
  7. Once the repair is finished, you will be prompted to restart again, do so.
  8. For best results and to ensure complete removal, purchase ESET Smart Security or ESET Nod32 and run a full scan.
    As you can see, it is fairly simple to remove this virus. If you have any trouble, comments, or questions, let me know in the comments section. (Don't be embarrassed: I have to approve comments, so if you think it is a stupid question, just ask that I not post the comment and I will contact you directly.)

    The main way this bot spreads is through exploits, most of which are patched in the latest versions of the software they target, so make sure you apply regular updates and don't visit shady sites. Also, I know it may be hard to refrain from pirating things like games, so I encourage you to only download "cracks" if there have been many downloads; even then, make sure to read the comments and do not download if it is reported to be infected or not working correctly. Also remember that I do not condone pirating or any form of illegal downloads.


Saturday, September 22, 2012

ZeroAccess: 9 million infected, are you one of them?

    As I mentioned in my previous post, ZeroAccess is still around and is adapting. Over 9 million PCs are now infected with this bot. Most are located in the USA or Western Europe. 33% of supernodes are located in Germany, with the US a close second at 32%. A supernode is an infected machine that is not behind something like NAT, so that other bots, or peers, can reach it. This post will mainly cover how to tell if you are infected, and who is most at risk of infection.

    ZeroAccess uses multiple install locations, so you should check all of them. The main component drops to two locations, one in AppData and the other in Windows\Installer. If one is deleted, the other is still perfectly capable of functioning. The two locations are shown in Figure 1.1.
Figure 1.1
Thanks to SophosLabs
    Both contain a DLL file named "n" (the main component), which is added to startup by hijacking a COM directive. They also contain a file named "@", which is a list of predetermined peers for the bot to connect to in order to retrieve updates, commands, etc. These folders also have two directories named "U" and "L", which contain plugins and temp files.


Also, if you have Windows Vista or later, ZeroAccess will try to patch services.exe. Fortunately, it is easy to restore by running the following command:
sfc.exe /scanfile=c:\windows\system32\services.exe
Simply check for these signs to see if you are infected. If you have been browsing the web without applying recent updates to Internet Explorer, Adobe Flash, or Java, scan and fix, and apply all updates.
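The signs above (a folder holding a file "n", a file "@", and "U" and "L" sub-directories under AppData or Windows\Installer) can be checked with a short script rather than by hand. The following is an added example, not code from the original post or from SophosLabs. It assumes only the folder layout the post describes; the bot's own folder name is not given in the post, so the script matches on the contents of each folder instead of its name, and the sample tree it builds for demonstration is constructed, not a real infection.

```python
"""Look for the ZeroAccess drop-folder layout described in the post.

Added example, not from the original post or SophosLabs. It assumes the
layout the post gives: a folder containing files "n" and "@" plus the two
sub-directories "U" and "L". Folder names are not hard-coded because the
post does not give them.
"""
import os
import tempfile

REQUIRED_FILES = {"n", "@"}
REQUIRED_DIRS = {"U", "L"}


def looks_like_zeroaccess_drop(folder):
    """True if `folder` holds both marker files and both marker directories."""
    try:
        entries = os.listdir(folder)
    except OSError:
        return False
    files = {e for e in entries if os.path.isfile(os.path.join(folder, e))}
    dirs = {e for e in entries if os.path.isdir(os.path.join(folder, e))}
    return REQUIRED_FILES <= files and REQUIRED_DIRS <= dirs


def find_zeroaccess_drops(roots):
    """Walk every root and return the sorted list of matching folders."""
    hits = []
    for root in roots:
        for dirpath, _dirnames, _filenames in os.walk(root):
            if looks_like_zeroaccess_drop(dirpath):
                hits.append(dirpath)
    return sorted(hits)


def default_roots():
    """The two install roots the post names, resolved from the environment.
    On a non-Windows host these variables are unset and the list is empty."""
    roots = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        roots.append(appdata)
    windir = os.environ.get("SystemRoot") or os.environ.get("WINDIR")
    if windir:
        roots.append(os.path.join(windir, "Installer"))
    return [r for r in roots if os.path.isdir(r)]


def build_sample_tree():
    """Constructed sample (not a real infection): one folder that matches the
    layout and one decoy that only has a single marker file."""
    base = tempfile.mkdtemp(prefix="za_demo_")
    match = os.path.join(base, "Installer", "{hypothetical-folder-name}")
    os.makedirs(os.path.join(match, "U"))
    os.makedirs(os.path.join(match, "L"))
    for name in ("n", "@"):
        open(os.path.join(match, name), "wb").close()
    decoy = os.path.join(base, "Installer", "{ordinary-msi-cache}")
    os.makedirs(decoy)
    open(os.path.join(decoy, "n"), "wb").close()  # one marker only: no hit
    return base, match


if __name__ == "__main__":
    base, expected = build_sample_tree()
    print("sample tree hits:", find_zeroaccess_drops([base]))  # -> [expected]
    print("live roots hits: ", find_zeroaccess_drops(default_roots()))
```

Run it as-is to see the detection work on the constructed tree; on a Windows machine the second line walks the real AppData and Windows\Installer roots. A hit is a reason to run the removal tool and the sfc.exe command above, not proof by itself, since an empty listing is just as consistent with a clean machine.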
My next post will explain in detail how to remove and protect from this virus.

Credits:
SophosLabs



Wednesday, September 19, 2012

ZeroAccess: still alive and kicking. Part: 1/3

    ZeroAccess is still around and seems to be growing, albeit not as fast as a month or two ago. The coders of ZeroAccess seem to have made major changes to the bot. It uses all-new protocols to communicate, drops to a different location, uses different startup methods, and seems to be moving away from kernel mode, operating mostly in user mode in both the 32- and 64-bit versions. SophosLabs goes into much more detail here.

    The bot now uses ports 16464 and 16465 for the 32-bit and 64-bit versions of one botnet; ports 16470 and 16471 are used by the 64-bit and 32-bit versions of the other botnet. This shows that there are four distinct and separate botnets; whether they are operated by the same person or group is unknown at this time.
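Because the four ports map cleanly onto botnet and architecture, they make a simple network-side indicator. The script below is an added example, not from the original post or from SophosLabs: it tags connections to those ports from a constructed connection log and counts how many distinct peers each internal host reached. The log line format ("timestamp src:port -> dst:port proto") is an assumption, and the botnet labels "A" and "B" are placeholders since the post does not name the two botnets.

```python
"""Flag connections to the ZeroAccess peer ports listed in the post.

Added example, not from the original post or SophosLabs. The port mapping
is exactly the post's; the log format and the "A"/"B" labels are assumptions.
"""
import re

# Port -> (botnet label, bot architecture), as the post describes.
ZEROACCESS_PORTS = {
    16464: ("botnet A", "32-bit"),
    16465: ("botnet A", "64-bit"),
    16470: ("botnet B", "64-bit"),
    16471: ("botnet B", "32-bit"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s*$"
)

# Constructed sample log; peers use RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2012-09-19T10:01:02Z 10.0.0.5:51234 -> 203.0.113.7:16464 tcp
2012-09-19T10:01:03Z 10.0.0.5:51235 -> 198.51.100.9:443 tcp
2012-09-19T10:01:05Z 10.0.0.8:40001 -> 192.0.2.44:16471 udp
2012-09-19T10:01:06Z 10.0.0.5:51240 -> 203.0.113.8:16464 tcp
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def flag_connections(lines):
    """One finding per connection whose destination port is a ZeroAccess
    peer port, tagged with the botnet and architecture it implies."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        info = ZEROACCESS_PORTS.get(rec["dport"])
        if info is None:
            continue
        botnet, arch = info
        findings.append({
            "time": rec["ts"], "host": rec["src"], "peer": rec["dst"],
            "port": rec["dport"], "botnet": botnet, "arch": arch,
        })
    return findings


def peers_per_host(findings):
    """Count distinct peers per (host, botnet, arch). A host reaching many
    different peers on one of these ports is the peer-to-peer pattern worth
    escalating; a single hit could be a coincidence."""
    peers = {}
    for f in findings:
        key = (f["host"], f["botnet"], f["arch"])
        peers.setdefault(key, set()).add(f["peer"])
    return {key: len(p) for key, p in peers.items()}


if __name__ == "__main__":
    hits = flag_connections(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h)
    print(peers_per_host(hits))
```

On the sample log, 10.0.0.5 shows up twice against two different peers on port 16464 (the 32-bit bot of one botnet) while 10.0.0.8 has a single hit on 16471; the per-host count is what separates a likely infection from a one-off connection.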

    The bot also drops to a new location: while it used to drop to a symlink directory or %APPDATA%, it now drops to %APPDATA%, Windows\Installer, or the Recycle Bin.

    Rather than overwriting a driver, the new version hijacks a COM object and/or patches services.exe. This seems to be a much more stable and permanent way to do it.

    Both the x64 and x86 versions of the bot also seem to be doing everything in user mode rather than kernel mode, whereas in previous versions x86 used kernel mode. There are still some new samples that use kernel mode, but not nearly as many as before.


Part 2 will cover where and how many are infected and finally part 3 will be removal and prevention.
Please comment with any questions and I will do my best to answer.


Credits:
THN
SophosLabs


Monday, September 17, 2012

New IE Zero day (what a surprise)

    Well, yet another exploit for the shoddy excuse of a browser known as Internet Explorer has been found. This exploit works with IE 7, 8, and 9. It works by dropping a malicious SWF file, which then drops a Trojan R.A.T. (Remote Administration Tool) known as "Poison Ivy". Microsoft has not yet commented on the matter, but is probably preparing a security advisory.

    The exploit is detected by most anti-virus software, so make sure to firewall up. The threat has been linked to the same hacker group responsible for the Java zero day released late last month. Both are now available for free in Rapid7's Metasploit Framework. Rapid7 researcher "sinn3r" wrote:
“Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available. The exploit had already been used by malicious attackers in the wild before it was published in Metasploit. The associated vulnerability puts about 41% of Internet users in North America and 32% world-wide at risk.” 
I highly suggest that you IE users dump your current browser and pick up Chrome.
Be sure to comment with ideas for next post, and keep an eye out for my upcoming google+ and facebook pages.

Update:
Microsoft has released a fix for the zero day and a number of other flaws. They also fixed a flaw in Adobe libraries used by IE.
This update is applied automatically if you have automatic update enabled or you can run windows update.

Credits
krebs
Trend Labs


Monday, September 10, 2012

PlugX or Korplug

     Some of you may have heard about a campaign using Poison Ivy to target users in Japan, China, and Taiwan. The same group is now developing a new RAT (Remote Administration Tool) called PlugX or Korplug. They seem to be distributing both side by side and are using some of the same servers to control both. This Trojan is detected as "Backdoor.Win32.Plugx". The Trojan is being deployed in attachments to spam mail (examples provided here). Some variants of this virus may be signed with stolen certificates.

    How to remove:
    Most antivirus programs (such as Norton and Nod32) detect and remove this Trojan, so running a scan with any of these should get rid of the problem. However, it is possible to manually remove this Trojan by following these steps (provided by 2-spyware):


  1. Delete registry values: 
    1. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FAST
    2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SXS
    3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SxS
  2. Delete files: 
    1. %UserProfile%\SxS\bug.log 
    2. %UserProfile%\SxS\rc.exe 
    3. %UserProfile%\SxS\rc.hlp 
    4. %UserProfile%\SxS\rcdll.dll

Sorry for this short post, more information on this threat will be posted later. Be sure to check the sources for more information and continued reading.


Remember to comment with a topic for my next post.



Sources:
TrendMicro
Symantec

Sunday, August 26, 2012

Extended Silence

I have been gone for awhile and I intend to start posting once again. I was pursuing another one of my many interests but I am back now.

I will post the source code of a Java virus I found, heavily commented, for all of you interested in the inner workings of a virus. I also hope this will cause anti-virus companies to start paying more attention to Java jars and the like, as there are many file types, jars among them, that AVs do not scan. A jar is essentially treated as a compressed archive, not as an executable program. This needs to change, as I have seen a large rise in Java viruses myself.
Anyway, check back soon if you're interested.


Monday, June 4, 2012

Some more on Flame

Flame, a virus I overviewed in my previous blog post, has become common knowledge, and possibly even old news for some. It is for this reason that Microsoft states it is not worried about it anymore. They have, however, released a patch fixing an exploit it used to digitally sign itself with official Microsoft certificates. Microsoft says it is worried other viruses might also try to exploit this loophole. If you have not done so, make sure to apply the latest updates to secure your computer. This update is "KB2718704" and should be applied automatically if you have that enabled.

Credits: The hacker news, krebsonsecurity
As always, tell me what to post about next in the comments below.

Friday, June 1, 2012

A quick overview of Skywiper/flame

I have read numerous reports and analyses of this (relatively) new virus discovered in the wild, including, but not limited to, those of The Hacker News, McAfee, TrendLabs, Eset, and Damballa. Here is what I have found so far.

Flame is an incredibly large and sophisticated piece of malware. It seems to be targeting the Middle East, and has been around since 2010 (first detection). The file itself is about 20 MB and contains everything it needs to run (libraries, etc). There is speculation about who made it, a private entity or a nation state. I personally am leaning towards a government (possibly the US), as it seems to be targeting political and military victims (this may just be the conspiracy theorist inside me). It is capable of monitoring keystrokes, capturing webcam data, taking screenshots, and listening through microphones connected to the infected machine. It spreads through any connected removable storage, through printer sharing, and through domain controllers. It is very careful not to leave any tracks and removes all traces of itself and other viruses when uninstalled. The main class itself is estimated to have 750,000 lines of C code (650,000 of which have been reversed by McAfee).
Initial detection map
McAfee
It is larger than Stuxnet, and some believe it to be created or used by the same group, while others think they may just be "recycling" some of Stuxnet's code (more likely). Flame is the most sophisticated virus known to date, and contains a vast amount of obfuscation and anti-decompiler code. According to McAfee, it is capable of at least the following:
- Scanning network resources
- Stealing information as specified
- Communicating to control servers over SSH and HTTPS protocols
- Detecting the presence of over 100 security products (AV, antispyware, FW, etc)
- Using both kernel- and user-mode logic
- Employing complex internal functionality using Windows APC calls and thread start manipulation, and code injection into key processes
- Loading as part of Winlogon.exe and then injecting itself into Internet Explorer and services
- Concealing its presence as ~-named temp files, just like Stuxnet and Duqu
- Capable of attacking new systems over USB flash memory and local network (spreading slowly)
- Creating screen captures
- Recording voice conversations
- Running on Windows XP, Windows Vista, and Windows 7 systems
- Containing known exploits, such as the print spooler and lnk exploits found in Stuxnet
- Using SQLite database to store collected information
- Using a custom database for attack modules (this is very unusual, but shows the modularity and extendability of the malware)
- Often located on nearby systems: a local network for both control and target infection cases
- Using PE-encrypted resources

I'll keep you all posted and give more info once I get it.

let me know what I should post about next!

Thursday, May 31, 2012

ZeroAccess Part 3: How to stop it.

If you have read Part 1 and Part 2, you should have a pretty good idea of what ZeroAccess is and how dangerous it is. In this post, I will go through multiple methods of removal that I have found while searching the web.

  1. Tools
    1. cleanpcguide.com has a removal tool that you can download here
    2. Use ESET's removal tool downloaded here
    3. Use McAfee's RootkitRemover, available here
  2. Manual Removal (as provided by http://www.cleanpcguide.com/remove-zeroaccess-removal-guide-how-to-remove-zeroaccess/ )
    1. Stop the ZeroAccess process using the Windows Task Manager. (This will most likely have some random name; if you see a process that you do not recognize, right-click and view its location to find the files associated with it, which will be needed in step 4, then end it.)
    2. Uninstall the ZeroAccess program from the Windows Control Panel Add/Remove Programs. (Control Panel --> Programs --> Remove/Change, then find something that looks fishy or that you do not remember installing.)
    3. Open the Windows registry using the regedit.exe command. Find and remove all ZeroAccess registry entries. (These will usually be under the HKLM or HKCU Run key (startup registry).)
    4. Search for the ZeroAccess files on your computer and delete them (the files found in step 1).

If none of these work, the Malwarebytes community is very helpful. You can ask for help here.


Tell me what you thought of this three part series, and remember to comment what I should blog about next.


Tuesday, May 29, 2012

ZeroAccess Part 2: What does it do?

First off, sorry this took so long. It is finals week so I have been quite busy.

Overview


ZeroAccess will install one of two different versions of itself depending on the system architecture (32- or 64-bit). Once it has dropped the correct version and elevated its privileges, it starts talking with other infected machines to get instructions. Most of the time, it is used to "sell installs". That is, other "hackers" can pay someone to install their virus onto the already infected machines. One of the most popular viruses installed through ZeroAccess is Zeus (see Zeus Continues to Evolve and New Variant of Zeus Includes Ransomware). Once that is installed, the "hacker" can steal your personal data including, but not limited to, your credit card number, login credentials for different sites (including banking sites), etc.

Installation
  • 32-bit
    • When the dropper is executed, it checks whether it is on a 32- or 64-bit computer, then installs the corresponding kit. If it is on a 32-bit machine, it drops a kernel-mode, or Ring-0, rootkit into a hidden folder. It adds itself to startup and checks its list of predetermined C&C (Command and Control) servers. It then attempts to connect to them on TCP port 13620 and awaits commands.
  • 64-bit
    • The 64-bit version of ZeroAccess does not have a Ring-0 rootkit. It does, however, have a Ring-3, or user-mode, kit. When initiated, it attempts to raise its privileges as described in Part 1. Once that is done, it protects its process (making it harder to kill) and waits for commands.
Communication

The virus comes with a list of known IPs of infected machines. If these machines have UPnP enabled and the ports are properly opened, they become server nodes; if not, they are just clients. Once it has successfully made a connection, it is added to the other bots' lists and updates its own list. It then periodically checks in with the other servers to see if any new commands have been issued. The bot uses TCP port 13620 to connect to others. All communication is encrypted with RC4.

Monetizing

The virus is most commonly used to install other viruses like Zeus. It also downloads a click fraud virus. This virus is almost always seen with ZeroAccess, so it is thought that it may be authored by the creator of ZeroAccess. And finally, it downloads a spam bot. This is a virus that is used to send spam, junk, or infected links via e-mail.

Conclusion

This is a very sophisticated piece of malware, and while it may not yet be on par with the TDL family, it is definitely getting there. While it is already dangerous now, imagine what it could be capable of 5 or 10 years from now. As soon as it is detected, it must not be ignored; the only way to stop it effectively is to completely remove it from the system. While it is currently only used to download malware to monetize, this could and most likely will change as the owner rents out space and allows other files to be downloaded.


Credits to McAfee labs, Sophos, and PrevX

Friday, May 25, 2012

ZeroAccess Part 1: What is it

ZeroAccess is quickly becoming one of the go-to rootkits, and may surpass the TDL family in the coming years. Machines are most commonly infected using two techniques: the first through an exploit kit, the second through social engineering.

BlackHole Exploit Pack
Infection Statistics
Let's first take a look at how the exploit kit infection works. An exploit pack is a webpage designed to exploit software commonly installed on computers, such as Flash, Java, Internet Explorer, etc. It tries to find loopholes that let it silently download and execute a program on the victim's computer. Most exploit packs use outdated exploits that are already patched, although a few extremely high-end packs use what are known as "0-day" exploits. This means that the exploit works against the newest version of the targeted software and is not yet known or detected. To drive traffic to these exploits, "hackers" find holes in legitimate websites and embed a small piece of code into the pages that directs the user to their site without the user knowing. This is most often done through an "IFrame" set to be 0px wide and 0px high. Since the user does not need to see or interact with the exploit site, this works perfectly. Sometimes a JavaScript snippet is embedded instead, although this is less common, as some web hosts have JavaScript disabled and it is more noticeable. The exploit pack then goes through its list of exploits and, if one is found to work, downloads and executes the payload (ZeroAccess).
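For anyone running a website, the practical takeaway from the paragraph above is to check your own pages for the 0px-by-0px iframe it describes. The scanner below is an added example, not code from the original post; it uses only Python's standard-library HTML parser, the sample page it scans is constructed, and the ".invalid" hostnames in it are placeholders rather than real redirector sites. It flags iframes that are zero-sized through attributes or hidden through inline CSS, which generalizes the post's 0px case to the other ways an injected frame is kept out of sight.

```python
"""Find hidden or zero-sized <iframe> tags of the kind injected into
legitimate pages to redirect visitors to an exploit pack.

Added example, not from the original post. Intended for scanning your own
site's pages; the sample HTML and the ".invalid" hosts are constructed.
"""
from html.parser import HTMLParser
import re

# A bare "0", "0px" or "0%" in a width/height attribute.
ZERO_ATTR_RE = re.compile(r"^\s*0+(px|%)?\s*$")
# Inline CSS that collapses or hides the frame.
HIDDEN_STYLE_RE = re.compile(
    r"(display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(width|height)\s*:\s*0+(px|%)?\s*(;|$))",
    re.IGNORECASE,
)

# Constructed sample page: two legitimate frames, two injected-style frames.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.com/embed/123" width="560" height="315"></iframe>
<p>Some legitimate content.</p>
<iframe src="http://hidden-frame.example.invalid/landing" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://another.example.invalid/" style="display:none"></iframe>
<iframe src="https://maps.example.com/" style="width:100%; height:400px"></iframe>
</body></html>"""


class HiddenIframeFinder(HTMLParser):
    """Collects every <iframe> that is sized to zero or hidden by style."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {name.lower(): (value or "") for name, value in attrs}
        reasons = []
        if ZERO_ATTR_RE.match(a.get("width", "x")) or ZERO_ATTR_RE.match(a.get("height", "x")):
            reasons.append("zero width/height attribute")
        if HIDDEN_STYLE_RE.search(a.get("style", "")):
            reasons.append("hidden by inline style")
        if reasons:
            line, _ = self.getpos()  # line on which the tag starts
            self.findings.append({"line": line, "src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html):
    """Return a list of {"line", "src", "reasons"} for each suspicious iframe."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_HTML):
        print(finding)
```

Feed it the HTML of each page as served (not the template on disk, since an injected frame lives in what visitors actually receive). Anything it reports with a src you did not put there is worth treating as a compromise of the site, not just a stray tag.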

Figure 1.1
Sometimes the "hacker" uses social engineering techniques to try to get the user to willingly download and execute the file. This is usually done by attaching the file to some sort of program crack or keygen. The "hacker" will bind his virus (ZeroAccess) to the crack, and then upload it to a file host or torrent host. The user will download and execute this file and, since it works, won't be very suspicious. The "hacker" can also use something called a "Java Drive By". This is more of a mix of exploit and social engineering. The "hacker" sets up a site with a browser game or camera that needs Java to run. When the victim goes to the website, he will first be prompted to allow Java to run (see Figure 1.1), then he will be asked to download and install an "update". This update, of course, is actually the "hacker's" virus. Then, once the user clicks OK, the page will "refresh" and the application that required Java will work. The user, being satisfied that it works, will not suspect a thing.

Figure 1.2
When the virus is executed, it first checks the computer's architecture (32- or 64-bit). It then drops the related file and exits. Once the file is dropped, if executed on a non-admin account, it will require a UAC popup window. It does this by acting as if it is an official Adobe update: it replaces a .dll inside the Adobe installer folder and prompts the user to download the update (see Figure 1.2). This "update" actually downloads the latest Flash Player, but also gives the virus admin permissions. It then goes on to connect to other infected computers and await orders.

Stay tuned for Part 2: What does it do
then later, the final part Part 3: How to stop it

Credits to McAfee labs, Sophos, and PrevX

Thursday, May 24, 2012

Open Source Malware: Is It Worse?

Lately a lot of malware has been released "open source", meaning that it comes with the source. Some bots that come this way are:
  • µBOT
  • Aldi Bot
  • vnLoader
  • osRat
  • Darkflame
  • Zeus 2.0.8.9
Now, why would these be more trouble? Open source means easier to detect, correct? While this is true, it also means that the code can be easily modified without the need for a program called a "crypter". This means that any average Joe can come along, download these sources, change the string names, and it will be harder to detect. While this alone will not make the file FUD (fully undetected), there are a few other tricks that more well-versed users can use. This also means that the "hacker" can make modifications to the code and have a virus that is a lot "deadlier", if you will, than it originally was. Granted, this requires that the "hacker" has at least some basic coding knowledge, but there are plenty of tutorials out there that can make most people into malware coders in no time (although don't expect to code the next Zeus anytime soon).
So, you might ask yourself, what is a good Anti-Virus to protect us from these mods?
I also mentioned some coding tutorials.
Those two are some very basic books for those who want to learn more.

So, what do you think? Is Open Source worse for us? Why or why not?
also remember, tell me what you want to hear about next!

Wednesday, May 23, 2012

McAfee Labs Threat Report for Q1 2012

Here is just a brief overview of what is happening in the cyber underworld, according to McAfee:

  1. People are starting to use rootkits more
    • almost 200,000 new rootkit samples in this quarter
    • Koutodor is at about 50,000 new samples
    • TDSS is falling (about 100,000, down from 120,000)
    • ZeroAccess is still becoming more popular (about 170,000 new samples)
  2. Fake AVs are still going strong (690,000 new samples)
  3. Autorun samples are about the same as last quarter (480,000)
  4. Password stealers are extremely popular, it seems (1 million new samples)
  5. Signing malware is also becoming more of a habit for "Hackers" (about 325,000 total samples of signed binaries, about 200,000 new)
  6. Mac malware is once again dwindling (280 new samples)
  7. fake AV for Mac is a little higher than last quarter, but still fairly low (about 150 new samples)
  8. Spam is Extremely low, and still falling (a little over a trillion messages per month)
  9. Large botnets are on the rise again (about 5 million infections)
    • Cutwail net is leading the rest by a fairly large margin
  10. Bad rep URLs are down again (about 7,500 new URLs)
  11. Drivebys and silent infection sites are up (about 800,000 malicious URLs)
  12. phishing sites are still down, but quickly rising (about 4,100 new sites)
  13. Hacktivism is also on the rise as many are taking up their cyber-arms to stick it to the man
Read the full report Here
Remember to comment what I should post about next.


Tuesday, May 22, 2012

New variant of Zeus includes ransomware.

Ransomware is quickly becoming one of the more popular malware features. It encrypts all the user's files, preventing them from doing anything unless a certain sum of money is sent to a specified account, usually via Liberty Reserve. A new Zeus variant has been discovered that also has this feature. Some of the code is shown below in Figure 1.
Figure 1
While this is dangerous, and probably not yet fully implemented, it is very simple to unlock your computer. Once you make the payment, a new registry entry is created that prompts Zeus to decrypt your files. This makes it quite simple to remove the encryption. Here are the steps to follow.


1. boot the system in safe mode
2. add a new key named syscheck under HKEY_CURRENT_USER
3. create a new DWORD value under the syscheck key
4. set the name of the new DWORD value to Checked
5. set the data for the Checked value to 1
6. reboot

This should cause Zeus to decrypt all your files, and you can remove it from there (simply run a virus scan using something like Norton AntiVirus 2012 or Malwarebytes Anti-Malware).

Thanks for reading; remember to comment on what I should post next.
Credits to The Hacker News for images, decryption steps and research data.

Monday, May 21, 2012

Adware is making a comeback

Browser extensions are now being used by adware developers to inject ads into websites. Many Wikipedia users have been complaining of ads being displayed on its site, while Wikimedia has stated that they will not put up ads. Wikimedia is a non-profit and will never display ads on their site, so if you see them, you most likely have a bad browser extension.
Not only do these adware extensions cause annoying ads, some of them are even used for more sinister purposes. One extension mentioned by Wikimedia, called "IWantThis!", is spyware masquerading as adware. Its privacy policy states:
Examples of the information we may collect and analyze when you use our website include the IP address used to connect your computer to the Internet; login; e-mail address; password; computer and connection information such as browser type, version, and time zone setting, browser plug-in types and versions, operating system, and platform; the full Uniform Resource Locator (URL) clickstream to, through, and from the Site, including date and time; cookie; web pages you viewed or searched for; and the phone number you used to call us.
Some of these extensions may come bundled with freeware downloaded from other sites and be installed involuntarily. Many of these extensions target Chrome as the go-to browser, but are perfectly capable of being installed on other browsers as well. Few antivirus products will actually scan for or detect faulty or malicious browser extensions, so it is up to you to keep yourself secure. Never install toolbars or extensions that promise "free cursors", "free games", etc. Regularly check through your extensions/toolbars/add-ons and disable or remove those that you are not using or did not install. And, as always, do not download or install anything fishy.
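Checking your extensions by hand means reading each one's manifest, which is what the script below automates. It is an added example written for this post, not code from the original article or from any browser vendor. It reads every manifest.json under a Chrome profile's Extensions folder (the path used is the standard Windows layout; adjust it for your profile) and flags extensions that ask for permissions letting them read or rewrite every page you visit, which is exactly what an ad injector or a data-harvesting extension needs. The two sample manifests at the bottom are constructed so the script runs offline.

```python
"""Audit Chrome extension manifests for page-wide permissions (added example)."""
import json
import os
from typing import Dict, List

# Permissions and host patterns that let an extension read or modify every site.
RISKY_PERMISSIONS = {
    "<all_urls>", "http://*/*", "https://*/*", "*://*/*",
    "webRequest", "webRequestBlocking", "tabs", "history", "cookies",
}
ALL_PAGES = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def manifest_risks(manifest: dict) -> List[str]:
    """Return the risky permissions one manifest requests, sorted for stable output."""
    requested = set()
    for key in ("permissions", "host_permissions", "optional_permissions"):
        requested.update(str(p) for p in manifest.get(key, []))
    # A content script injected into every page is as powerful as <all_urls>.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in ALL_PAGES:
                requested.add("content_scripts:" + pattern)
    return sorted(p for p in requested
                  if p in RISKY_PERMISSIONS or p.startswith("content_scripts:"))


def audit_manifests(manifests: Dict[str, dict]) -> Dict[str, List[str]]:
    """Map extension id -> risky permissions, keeping only the flagged extensions."""
    report = {}
    for ext_id, manifest in manifests.items():
        risks = manifest_risks(manifest)
        if risks:
            report[ext_id] = risks
    return report


def load_profile_manifests(extensions_dir: str) -> Dict[str, dict]:
    """Read <extensions_dir>/<id>/<version>/manifest.json for each installed extension."""
    found = {}
    if not os.path.isdir(extensions_dir):
        return found
    for ext_id in os.listdir(extensions_dir):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version in os.listdir(ext_path):
            path = os.path.join(ext_path, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as fh:
                    found[f"{ext_id}/{version}"] = json.load(fh)
    return found


# Constructed sample manifests standing in for a real profile.
SAMPLE_MANIFESTS = {
    "benign-dict": {"name": "Dictionary", "permissions": ["storage"]},
    "adinjector": {
        "name": "Free Cursors!",
        "permissions": ["tabs", "webRequest", "<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    },
}

if __name__ == "__main__":
    # Standard Chrome profile layout on Windows; falls back to the samples if absent.
    profile = os.path.expandvars(
        r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions")
    live = load_profile_manifests(profile)
    for ext, risks in audit_manifests(live or SAMPLE_MANIFESTS).items():
        print(f"{ext}: {', '.join(risks)}")
```

An extension you did not install that lands in this report is the first thing to remove; a legitimate one that needs `<all_urls>` (an ad blocker, say) will also appear, so the list is a prompt to check, not a verdict.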

Remember to post in the comments what you would like to see next.

Sunday, May 20, 2012

Zeus continues to evolve.

Zeus, a popular banking bot, continues to evolve. It now has a feature called "web-fakes": it mirrors a website, such as Bank of America, and now, rather than just stealing your info, prompts the user to use a "secure mobile app". The app, nicknamed "Zitmo", acts as an official app but steals your info and is capable of hijacking your account. SpyEye, a competitor to Zeus, also has a feature like this now, nicknamed "Spitmo". The source for Zeus v2.0.8.9 is available on many sites, and will be linked at the conclusion of this post for those interested in studying it. SpyEye, on the other hand, is more protected, and while there are tutorials on how to crack it, it is not as simple, and only works on Windows XP as it exploits a faulty timer. Both of these bots have been modified many times into many different versions, and there are even rumors of a p2p version of these bots. A tutorial on how to crack SpyEye can be found at http://xylibox.blogspot.com/2011/08/cracking-spyeye-13x.html (a link to SpyEye will also be added to the end of this post for those who want to study it). Both of these bots have been used by huge banking and carding rings and are not to be used for any illegal purposes.

As always, post in the comments what you would like to see next.

Android malware spreads through bogus apps

Android is quickly becoming a very popular OS for malware developers. Android apps can be coded in Java, a very simple language that can be picked up by anyone. Recently, many viruses have been created and put up for download on third-party Android app stores. These "apps" mimic the app they are cloning but add malware functionality such as connecting to a webpage and waiting for orders. This can cause high wireless web traffic, causing your phone bill to go up drastically if you are not so fortunate as to have an unlimited data plan. Let's try to make this a little simpler. Let's say you don't want to pay for Angry Birds, so you go and find someplace to download it for free. What you don't know is that this is not only Angry Birds; it also has a virus attached. The virus can be so small (under 100 KB) that you don't even notice the difference in size. Once Angry Birds is launched, your phone connects to a website and awaits further instruction.
Some ways that you can prevent this are:

  • Get an Android antivirus (such as Symantec Mobile Security)
  • Make sure you trust the source you are downloading from (if it seems too good to be true, it is)
  • Download only from the legitimate source (Android marketplace)
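The size argument above is the interesting one: a trojanized clone keeps all the original assets, so the file size barely moves. What does change is the code and the signature. The script below is an added example for this post (not code from the original article, Google or any app store): an APK is a ZIP archive, so it diffs a suspect APK against a trusted copy of the same app entry by entry and flags the classic repackaging fingerprint, new or modified .dex / AndroidManifest.xml plus a different signing block under META-INF/. The two archives at the bottom are constructed in memory so it runs offline; on a real phone you would feed it the APK from the official store and the one from the third-party site.

```python
"""Diff a suspect APK against a trusted build to spot repackaging (added example)."""
import hashlib
import io
import zipfile
from typing import Dict, NamedTuple, Set


class ApkDiff(NamedTuple):
    added: Set[str]        # entries present only in the suspect build
    removed: Set[str]      # entries present only in the trusted build
    modified: Set[str]     # same name, different content
    signer_changed: bool   # META-INF/*.RSA|DSA|EC (the signing block) differs


def entry_hashes(apk_bytes: bytes) -> Dict[str, str]:
    """Return {entry name: sha256 hex} for every file inside the archive."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                hashes[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes


def _is_signature_block(name: str) -> bool:
    return name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC"))


def diff_apks(trusted: bytes, suspect: bytes) -> ApkDiff:
    """Compare a suspect APK against a trusted copy of the same app."""
    t, s = entry_hashes(trusted), entry_hashes(suspect)
    added = set(s) - set(t)
    removed = set(t) - set(s)
    modified = {n for n in set(t) & set(s) if t[n] != s[n]}
    signer_changed = any(_is_signature_block(n) for n in added | removed | modified)
    return ApkDiff(added, removed, modified, signer_changed)


def looks_repackaged(d: ApkDiff) -> bool:
    """Code or manifest touched AND re-signed by someone else: the repackaging fingerprint."""
    code_touched = any(n.endswith(".dex") or n == "AndroidManifest.xml"
                       for n in d.added | d.modified)
    return d.signer_changed and code_touched


def build_apk(files: Dict[str, bytes]) -> bytes:
    """Constructed helper: pack entries into a ZIP laid out like an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins for a legitimate game and its trojanized clone.
TRUSTED_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.game'/>",
    "classes.dex": b"dex\n035\x00original-game-code",
    "res/drawable/icon.png": b"\x89PNG\r\n\x1a\n...",
    "META-INF/CERT.RSA": b"signature-by-original-developer",
})
TROJANIZED_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.game'>"
                           b"<uses-permission android:name='android.permission.INTERNET'/>"
                           b"</manifest>",
    "classes.dex": b"dex\n035\x00original-game-code",
    "classes2.dex": b"dex\n035\x00beacon-to-command-site",   # the added payload
    "res/drawable/icon.png": b"\x89PNG\r\n\x1a\n...",          # assets untouched: size barely changes
    "META-INF/CERT.RSA": b"signature-by-someone-else",         # re-signed after tampering
})

if __name__ == "__main__":
    d = diff_apks(TRUSTED_APK, TROJANIZED_APK)
    print("added:", sorted(d.added))
    print("modified:", sorted(d.modified))
    print("signer changed:", d.signer_changed)
    print("repackaged:", looks_repackaged(d))
```

The signer check matters more than the size: a legitimate update changes code too, but it is signed with the developer's original certificate, whereas anyone who tampers with the APK must re-sign it with their own key.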
As always, post a comment saying what I should post about next.

Source:
Bogus Facebook apps spreading Android malware : The Hacker News ~ http://thehackernews.com/2012/05/bogus-facebook-apps-spreading-android.html

Saturday, May 19, 2012

Downloads to watch out for

Hello again everyone,
It has come to my attention that many people are looking for a Diablo III crack. I know the game looks amazing, and I myself can't wait for one to come out so I can try it. I urge you: DO NOT download any "crack" links you find; they are fake and filled with malware. I assure you that as soon as I find a crack and confirm it works and is not infected, I will tell you all about it and where to get it. If you have downloaded a "crack" and found it not to be working, please run Malwarebytes to remove any and all possible viruses attached to it. Here is a picture depicting a "hacker" bragging about how many virus installs he got.


I also urge you to scan all downloaded files before executing them.

If you have any link you would like me to check out, or any safety tips, please post them in the comments.
And, as always, comment if you have suggestions on topics for my next post.

Friday, May 18, 2012

New worm, spreads through IM

A new worm has been detected that spreads through things like Facebook private messages. It is detected as WORM_STEKCT.EVL, and the malicious file name is "May09-Picture18.JPG_www.facebook.com". The actual link to the malicious file is shortened using the popular shortening service TinyURL. Once executed, the file disables all processes associated with anti-virus software. It then downloads another worm, WORM_EBOOM.AC. This worm monitors your internet usage and attaches itself to messages you post or send. Both of these worms connect to a website and send/receive data from it.


How to prevent getting infected:

  • Scan all files before running them. Most viruses will be detected; I recommend Malwarebytes
  • When you run a downloaded file, use a VM
  • Regularly scan your system for viruses, and clean your cache; many viruses drop themselves there
  • Don't download anything you don't fully trust; chances are, it's a virus.
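The file name in this post is the whole trick: "May09-Picture18.JPG_www.facebook.com" shows a ".JPG" in the middle, but the real extension is ".com", which Windows runs as a program. The script below is an added example for this post and the "scan all downloaded files before executing them" advice in the Diablo III post above; it is not code from the original articles or from any antivirus vendor. It gives a download two cheap checks before anyone double-clicks it: does the name carry an image-style extension while the real extension is executable, and do the file's first bytes match the type the name claims (a Windows executable always begins with "MZ", a JPEG with FF D8 FF). The sample files are constructed inline so it runs offline.

```python
"""Flag downloads whose name or content disguises an executable as an image (added example)."""
import os
import re
from typing import List, Optional

# Extensions Windows executes when double-clicked (note: .com is one of them).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "hta", "lnk"}
# Harmless-looking types and the magic bytes each really starts with.
BENIGN_MAGIC = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
PE_MAGIC = b"MZ"
# ".jpg" etc. not immediately followed by another letter/digit (so "JPG_www" still matches).
IMAGE_TOKEN = re.compile(r"\.(jpe?g|png|gif|pdf)(?![a-z0-9])", re.IGNORECASE)


def claimed_type(filename: str) -> Optional[str]:
    """The type a user would assume from the name: the first image-style token, else the real extension."""
    base = os.path.basename(filename)
    m = IMAGE_TOKEN.search(base)
    if m:
        return m.group(1).lower()
    stem, _, ext = base.rpartition(".")
    return ext.lower() if stem else None


def name_warnings(filename: str) -> List[str]:
    """Reasons the file name alone looks deceptive."""
    base = os.path.basename(filename)
    stem, _, ext = base.rpartition(".")
    ext = ext.lower() if stem else ""          # no dot at all -> no extension
    warnings = []
    if ext in EXECUTABLE_EXTS and IMAGE_TOKEN.search(stem):
        warnings.append(f"real extension .{ext} is executable but the name shows an image type: {base}")
    if "\u202e" in base:                        # right-to-left override reverses the displayed name
        warnings.append("name contains a right-to-left override character")
    return warnings


def content_warnings(filename: str, head: bytes) -> List[str]:
    """Compare the first bytes of the file with what the claimed type should start with."""
    claimed = claimed_type(filename)
    if head.startswith(PE_MAGIC):
        suffix = f" but the name claims .{claimed}" if claimed else ""
        return ["content is a Windows executable (MZ header)" + suffix]
    if claimed in BENIGN_MAGIC and not head.startswith(BENIGN_MAGIC[claimed]):
        return [f"content does not match the .{claimed} magic bytes"]
    return []


def check_download(filename: str, head: bytes) -> List[str]:
    """All warnings for a file given its name and its first bytes; empty means nothing suspicious."""
    return name_warnings(filename) + content_warnings(filename, head)


def check_file(path: str) -> List[str]:
    """Same check against a file on disk; only the first 16 bytes are needed."""
    with open(path, "rb") as fh:
        return check_download(path, fh.read(16))


# Constructed samples: name -> first bytes of the file.
SAMPLES = {
    "May09-Picture18.JPG_www.facebook.com": b"MZ\x90\x00" + b"\x00" * 12,   # the worm's dropper
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,                      # a real JPEG
    "holiday.jpg.scr": b"MZ\x90\x00" + b"\x00" * 12,                        # classic double extension
    "notes.pdf": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,                        # wrong type, not executable
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        warnings = check_download(name, head)
        print(f"{name}: {'OK' if not warnings else '; '.join(warnings)}")
```

The magic-byte check is the stronger of the two: renaming cannot change the first bytes of a Windows executable, so a download that starts with "MZ" is a program no matter what its name says.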

That's all for now; be sure to comment with other suggestions on how you keep yourself secure and what I should talk about next.