Showing posts with label norton. Show all posts

Saturday, September 22, 2012

ZeroAccess: 9 million infected, are you one of them?

    As I mentioned in my previous post, ZeroAccess is still around and is adapting. Over 9 million PCs are now infected with this bot, most of them in the USA and Western Europe. 33% of super nodes are located in Germany, with the US a close second at 32%. A super node is an infected machine that is directly reachable from the internet (not behind NAT or a firewall), so that other bots, or peers, can connect to it. This post focuses on how to tell whether you are infected and who is most at risk of infection.

    ZeroAccess uses multiple install locations, so you should check all of them. The main component is dropped in two places, one under the user's AppData folder and the other under Windows\Installer. If one copy is deleted, the other is still perfectly capable of functioning. The two locations are shown in Figure 1.1.
Figure 1.1
Thanks to SophosLabs
 Both folders contain a DLL file named "n" (the main component), which is added to startup by hijacking a COM object registration in the registry, so that Windows loads the malicious DLL in place of the legitimate component. They also contain a file named "@", a list of predetermined peers for the bot to contact to retrieve updates, commands, etc. Each folder also has two subdirectories named "U" and "L", which hold plugins and temporary files.


Also, if you have Windows Vista or later, ZeroAccess will try to patch services.exe. Fortunately, it is easy to restore by running the following command from an elevated command prompt:
sfc.exe /scanfile=c:\windows\system32\services.exe
Simply check for these signs to see if you are infected. Those most at risk are people who have been browsing the web without applying recent updates to Internet Explorer, Adobe Flash, or Java. If that describes you, scan and fix, then apply all updates.
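The checks described above, as an added PowerShell example (not code from the original post or from SophosLabs): it looks under the two install roots for folders with the "n" / "@" / "U" / "L" layout and then asks sfc to verify services.exe. It assumes each install directory is a direct subfolder of %APPDATA% and of %windir%\Installer; the exact folder name from Figure 1.1 is not reproduced here, so every subfolder is inspected. Run it from an elevated prompt (sfc needs it) as the user whose profile you want to inspect.

```powershell
# Added example, not part of the original post.
# Assumption: ZeroAccess install folders sit one level below these roots.
$roots = @(
    $env:APPDATA,
    (Join-Path $env:windir 'Installer')
)

function Test-ZeroAccessLayout {
    param([string]$Dir)
    # Indicators from the post: main DLL "n", peer list "@",
    # and the plugin/temp directories "U" and "L".
    $hasN  = Test-Path -LiteralPath (Join-Path $Dir 'n')  -PathType Leaf
    $hasAt = Test-Path -LiteralPath (Join-Path $Dir '@')  -PathType Leaf
    $hasU  = Test-Path -LiteralPath (Join-Path $Dir 'U')  -PathType Container
    $hasL  = Test-Path -LiteralPath (Join-Path $Dir 'L')  -PathType Container
    # Either pair alone is enough to flag the folder; one copy may have
    # been partially cleaned while the other is still intact.
    return ($hasN -and $hasAt) -or ($hasU -and $hasL)
}

$hits = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # -Force includes hidden/system folders, which is how the bot hides them.
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-ZeroAccessLayout $_.FullName } |
        Select-Object -ExpandProperty FullName
}

if ($hits) {
    Write-Output 'Suspicious ZeroAccess-style directories:'
    $hits | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "No ZeroAccess-style directories found under: $($roots -join ', ')"
}

# services.exe check: sfc /verifyfile reports whether the file still
# matches the protected copy; if it does not, repair with /scanfile.
$services = Join-Path $env:windir 'System32\services.exe'
Write-Output "Verifying $services with sfc (requires an elevated prompt)..."
& sfc.exe /verifyfile=$services
Write-Output "If sfc reports an integrity violation, run: sfc.exe /scanfile=$services"
```

The folder check is only as good as the indicators it looks for; a variant that renames "n" or "@" will slip past it, so treat a clean result as "nothing found", not as "not infected". The sfc verification, by contrast, compares against Windows' own protected copy and does not depend on knowing the malware's file names.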
My next post will explain in detail how to remove and protect from this virus.

Credits:
SophosLabs



Tuesday, May 22, 2012

New variant of Zeus includes ransomware.

Ransomware is quickly becoming one of the more popular malware features. It encrypts all of the user's files, locking them out of the system until a certain sum of money is sent to a specified account, usually via Liberty Reserve. A new Zeus variant has been discovered that also has this feature. Some of the code is shown below in Figure 1.
Figure 1
While this is dangerous, and probably not yet fully implemented, it is very simple to unlock your computer. Once you make the payment, a new registry entry is created that prompts Zeus to decrypt your files. Creating that entry yourself has the same effect, so the encryption can be removed without paying. Here are the steps to follow.


1. Boot the system in Safe Mode.
2. Add a new key named syscheck under HKEY_CURRENT_USER.
3. Create a new DWORD value under the syscheck key.
4. Set the name of the new DWORD value to Checked.
5. Set the data for the Checked value to 1.
6. Reboot.

This should cause Zeus to decrypt all of your files, and you can remove it from there (simply run a virus scan using something like Norton AntiVirus 2012 or Malwarebytes Anti-Malware).
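The six registry steps above, performed from PowerShell and then verified before rebooting, as an added example (not from the original post or from The Hacker News). One caveat the manual steps hide: HKEY_CURRENT_USER belongs to whoever is logged on, so this must run in the Safe Mode session of the user account whose files were encrypted, not as a separate administrator account.

```powershell
# Added example, not part of the original post.
# Writes the "paid" marker the decryption steps describe:
# HKEY_CURRENT_USER\syscheck, DWORD Checked = 1.
# Run as the affected user (HKCU is per-user) after booting into Safe Mode.
$key = 'HKCU:\syscheck'

if (-not (Test-Path -LiteralPath $key)) {
    New-Item -Path $key | Out-Null
}
New-ItemProperty -Path $key -Name 'Checked' -PropertyType DWord -Value 1 -Force | Out-Null

# Confirm what was written before rebooting; a typo in the key or value
# name means the bot never sees the flag and nothing gets decrypted.
$checked = (Get-ItemProperty -Path $key -Name 'Checked').Checked
if ($checked -eq 1) {
    Write-Output 'HKCU\syscheck\Checked = 1 is set. Reboot, then verify your files open before removing Zeus.'
} else {
    Write-Output "Unexpected value for Checked: $checked"
}
```

Decrypt first, clean second: the decryption is done by the malware itself, so running the antivirus scan before the reboot removes the only component that can undo the encryption.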

Thanks for reading; remember to comment on what I should post next.
Credits to The Hacker News for images, decryption steps and research data.

Sunday, May 20, 2012

Android malware spreads through bogus apps

Android is quickly becoming a very popular OS for malware developers. Android apps can be coded in Java, a simple language that can be picked up by anyone. Recently, many viruses have been created and put up for download on third-party Android app stores. These "apps" mimic the app they clone but add malware functionality, such as connecting to a web page and waiting for orders. This can cause heavy wireless data traffic, making your phone bill go up drastically if you are not fortunate enough to have an unlimited data plan. Let's make this a little simpler. Say you don't want to pay for Angry Birds, so you find somewhere to download it for free. What you don't know is that this is not only Angry Birds, but also has a virus attached. The virus can be so small (under 100 KB) that you don't even notice the difference in size. Once Angry Birds starts, your phone connects to a website and awaits further instructions.
Some ways you can prevent this:

  • Get an Android antivirus (such as Symantec Mobile Security)
  • Make sure you trust the source you are downloading from (if it seems too good to be true, it is)
  • Download only from the legitimate source (Android Market, now Google Play)
As always, post a comment about what I should write about next.

Source:
Bogus Facebook apps spreading Android malware : The Hacker News ~ http://thehackernews.com/2012/05/bogus-facebook-apps-spreading-android.html