Showing posts with label research. Show all posts
Showing posts with label research. Show all posts

Wednesday, October 10, 2012

Infamous "OpenSC.WS" is back

    It would seem that the infamous "Security research" forum (trojan coding forum) called OpenSC.WS is back up. The admin "reine" claims he was traveling and missed the billing email, and claims that was the reason for this extended down time. There is no word on whether the constant DDOS attacks will continue now that this forum is back up, I suspect it won't be long before they start up again.

    So what does this mean for us, security wise? It means that there will now, once again be more viruses being used in the public. While many of OpenSC's users left for other forums, there are still others who waited patiently for it's return to start selling malware again. While this won't cause an increase in extremly hazardous malware like FLAME or StuxNet, you can expect to see more RATs (Remote Administration Tools) and small bitcoin mining malware (Bitcoin is an online currency frequently used for illicit business). So I suggest you all set up those anti-virus and firewalls, and tread carefully.


Please let me know if you are interested in a particular topic for my next post
Posted by at No comments:
Labels: , , , , , , , , , ,

Saturday, September 22, 2012

ZeroAccess: 9 million infected, are you one of them?

    As I mentioned in my previous post, ZeroAccess is still around and is adapting. Over 9 million PCs are now infected with this bot. Most are located in the USA or Western Europe. 33% of super nodes are located in Germany, with the US coming in a close second with 32%. A super node is an infected machine that is not behind a system like NAT so that other bots, or peers, can access it. This post will be mainly directed at how to tell if you are infected, and who is at the most risk of infection.

    ZeroAccess uses multiple install locations, so you should check all of them. The main component drops at two locations, 1 in appdata, the other in windows/installer. if one is deleted, the other is still perfectly capable of functioning. The two locations are shown in figure 1.1.
Figure 1.1
Thanks to SophosLabs
 Both contain a dll file, named "n" (the main component), which are added to startup by hijacking a COM directive. These also contain a file named "@" which is a list of predetermined peers for the bot to connect to and retrieve updates, commands, etc. These folders also have 2 directories named "U" and "L" which contain plugins and temp files.


Also, if you have windows vista or up, ZeroAccess will try to patch services.exe fortunately, it is easy to restore by running the following command:
sfc.exe /scanfile=c:\windows\system32\services.exe
Simply check for these signs to see if you are infected. If you have been browsing the web without appying recent updates to internet explorer, adobe flash, or java, scan and fix, and apply all updates.
My next post will explain in detail how to remove and protect from this virus.

Credits:
SophosLabs



Posted by at No comments:
Labels: , , , , , , , , , , , , , , , , , ,
Subscribe to: Posts (Atom)