Synology Urges You To Be On Guard Against Ransomware

Ransomware is among the nastiest software in existence, and in theory it can hit anyone. Some people are naturally at greater risk because of the kind of work they do with their systems, but anyone can be unlucky enough to be hit through a security hole in the software they use.

This warning and reminder isn’t based on a specific new kind of ransomware; it is more to raise awareness of this kind of threat. Encryption-based ransomware such as CryptoWall, CryptoLocker and TorrentLocker is on the rise, and it doesn’t just target Windows systems as many believe: it has also begun targeting network-attached storage devices. Because of its stealthy nature and disastrous effects, ransomware is commonly perceived as a sophisticated, highly destructive and unstoppable malware threat.

An advanced user isn’t really afraid of ransomware, as they usually back everything up to their network-attached storage, or work directly from it via permanent shares and iSCSI targets. In the case of an infection they simply wipe and reinstall the system, and that is the end of the story. The creators of this kind of software know that and want a piece of that pie too, which is why they have started to attack other systems besides workstations. A share or iSCSI volume that is mounted with write access is, from the malware’s point of view, just another drive to encrypt.

Where there is a threat there is a way to defend yourself against it, at least in the vast majority of cases.

  • Update your operating system. Most people keep Windows and OS X up to date simply because the system tells them when updates are available. But when was the last time you updated your NAS OS? Most NAS systems have an automatic update feature, and you should at the very least enable it for critical updates.
  • Install security software. A good anti-virus package is a good place to start, and you’ll find solutions such as Avast or Intel Security in your NAS’ app store. It will take up some resources to have it running, but those are resources you should be happy to give up, especially if you use the automatic download features found in most NAS units.
  • Disable Remote Desktop Protocol. Remote Desktop Protocol (RDP) is a very common entry point for malware, which is why you should disable it if you don’t absolutely need it, and never expose it directly to the internet.
  • Install mobile apps and use push notifications. Applications for your smartphone and tablet are another great way to stay on top of your headless systems. Together with push notifications, you get up-to-date status reports from your system right in your pocket.
  • Be mindful of your actions. The golden rule is what it always has been: be careful what you do. Take the extra second to hover over a link and check its destination in the status bar before you click it, turn off features such as Hide file extensions for known file types, and don’t trust anything until you have verified its authenticity.

This time the warning came from Synology, but in theory it could have come from any of the big manufacturers. The bigger a company and brand gets, the more likely it is that their systems will be actively searched for vulnerabilities. Luckily Synology and other NAS vendors have further features that will help you if you do get hit by this kind of malware.

A multi-version backup of all your files is naturally the best defense. If everything is backed up, the evil ones can take their ransom demand and stick it where the sun doesn’t shine. Backing up all your vital files from your system onto your NAS is the first step, and from there you should have at least one more backup tier: a cloud service, another NAS or external drives, for example. Synology’s new Cloud Station Backup app can handle the first step through a single app, so it is as easy as it has ever been. Hyper Backup is another useful tool that offers a full range of multi-version backup destinations, from local shared folders, expansion units and external hard drives to network shared folders, rsync servers and public cloud services. Multi-version matters: a backup that only mirrors the live share will happily copy the encrypted files over the good ones, while one that keeps older versions lets you roll back to a point before the infection. Hyper Backup can also keep its backup data isolated from the live shares for further protection against internet threats.

If your system supports Snapshot Replication on the Btrfs file system, you have another level of protection right there. Snapshot Replication lets you replicate data from a primary site to an offsite location as often as every 5 minutes for shared folders and every 15 minutes for iSCSI LUNs, so critical data in shared folders or virtual machines on iSCSI LUNs can be recovered quickly in the event of a disaster. A snapshot is not reachable as a writable path from a client that has mounted the share, so ransomware running on a PC cannot encrypt it.
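After a hit, the first question before rolling a share back to a snapshot or an older backup version is which files were actually encrypted. The Python script below is an added example for this page, not a Synology tool: it estimates the Shannon entropy of file contents, since encrypted data is close to uniformly random, and flags high-entropy files whose extension isn’t a format that is legitimately compressed. The sample file names and contents are constructed here, and the extension list is an assumption you would tune to your own share.

```python
import math
import os
import random
from collections import Counter

# Formats that are compressed (or encrypted) by design and so always look random.
# Assumption: extend this list to match what actually lives on your share.
COMPRESSED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".mp3", ".mp4", ".mkv",
                  ".zip", ".gz", ".7z", ".rar", ".docx", ".xlsx", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Ciphertext from any decent cipher sits near 8 bits/byte on a few KB of data;
    plain text, executables and most office formats sit well below 7.5."""
    return len(data) >= 256 and shannon_entropy(data) >= threshold


def suspicious_files(files: dict) -> list:
    """Return names of files that look encrypted but should not, such as a .txt
    or a file renamed with a ransom extension. `files` maps name -> content bytes."""
    hits = []
    for name, data in files.items():
        ext = os.path.splitext(name)[1].lower()
        if ext not in COMPRESSED_EXT and looks_encrypted(data):
            hits.append(name)
    return sorted(hits)


def read_tree(root: str, limit: int = 4096) -> dict:
    """Read the first `limit` bytes of every file under root, ready for suspicious_files()."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            try:
                with open(path, "rb") as fh:
                    out[path] = fh.read(limit)
            except OSError:
                pass  # unreadable file: skip rather than abort the whole scan
    return out


# Constructed sample data: a plaintext document, a photo (legitimately high entropy),
# and a document after ransomware has encrypted it and appended its own extension.
_rng = random.Random(1)
_random_bytes = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLES = {
    "reports/q1.txt": b"Quarterly report: revenue up 4%, costs flat.\n" * 60,
    "photos/holiday.jpg": _random_bytes,
    "reports/q2.txt.encrypted": _random_bytes,
}

if __name__ == "__main__":
    for name in suspicious_files(SAMPLES):
        print("possible ransomware victim:", name)
```

Run `suspicious_files(read_tree("/volume1/share"))` on the NAS itself, or on a mounted backup, to list the victims; the newest snapshot in which that list is empty is the one to restore from. The extension allow-list is what keeps the false-positive rate sane, so expect to adjust it.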

Synology has also put up a mini-site that summarizes all this information along with the steps to follow if you have been affected. The fact that this site was made at all speaks to the severity of these attacks and how far they are spreading. So be aware, practice safe surfing, and think before you click.

Homeland Security & Trend Micro Recommend Uninstalling QuickTime Now

QuickTime is one of those pieces of software you may not have heard of, or at least not used, recently. Once a popular video player, it seems to have faded from both our minds and Apple’s. That neglect has led Trend Micro and the US Department of Homeland Security to recommend that if you have QuickTime installed on your Windows PC, you uninstall it for your own safety.

The warnings from Trend Micro and the Department of Homeland Security come after Trend Micro discovered two new critical vulnerabilities in the software that could be used by remote attackers to gain control of your system. While there are no known active attacks targeting these flaws, both organizations recommend uninstalling the software from your Windows system, as Apple will no longer release security updates for QuickTime on Windows.

The options are pretty clear-cut: uninstall the software, or risk being exposed to a threat that will never be fixed. While QuickTime on Macs is unaffected, Windows users who want to watch media content on their PC should look to one of the alternative players available.

For information on how to uninstall QuickTime, see Apple’s support page.

Get Your System Back From Petya Without Paying a Penny!

When it comes to security threats and risks, the community as a whole is at its best when it has a common goal. An example of this came two weeks ago, when new ransomware going by the name Petya was found. Petya didn’t act like normal ransomware; instead it went after your master boot record, locking people out of their entire system until they paid a fee for the password. That was until some clever people got together and created tools to get your system back from the ransomware without paying a single penny.

The original web tool came from the Twitter account @leostone and recovers the password when you feed it a selection of data from the infected hard drive. Extracting that data may sound difficult, but a separate researcher created a tool called Petya Sector Extractor that finds and retrieves the required data in seconds.

By removing the hard drive and plugging it into another computer, these two tools work together to retrieve the password that unlocks your master boot record from the clutches of Petya. The sector extractor tool is hosted by Bleeping Computer, a computer self-help forum, which reports that the technique works and has published a step-by-step tutorial for anyone who isn’t 100% sure how to get all their family photos back at zero cost. Do the extraction from a clean machine: the infected disk must be attached as a secondary drive, never booted from.

iOS Mobile Device Management Protocol Can be Abused to Load Malware

Apple has worked hard to make it difficult for users to unwittingly install unauthorized and malicious apps onto their devices. Despite this, there is still one way in that attackers are able to exploit: the mobile device management (MDM) protocol. Researchers from Check Point Software Technologies will demonstrate the attack in a presentation at the Black Hat Asia security conference on Friday.

The technique for injecting malware onto iOS devices takes advantage of the fact that the communication between MDM products and iOS devices is vulnerable to man-in-the-middle attacks, and it can be performed with minimal user interaction. MDM products are used by companies to configure, control and secure employees’ devices remotely, as well as to provide access to private app stores for easy internal app deployment. Of course, the attack relies on the target device being enrolled with an MDM server, so that there is a connection to hijack.

Initially, a user has to be tricked into installing a malicious configuration profile on their device, which is easy to slip in among the profiles corporate users are used to installing for VPN, Wi-Fi, email and other settings. The malicious profile installs a root certificate and a proxy setting, so the device’s internet connection, TLS traffic included, is routed through a server under the attacker’s control; that is the man-in-the-middle position. From there the attacker can push malicious apps to the device using a stolen enterprise certificate, or disguise a malicious app as one the user expects. The user must still accept the prompt to install the app, but even if it is refused, the attacker can push the request repeatedly, essentially locking the device up until the install is accepted.

Check Point has named this attack Sidestepper, because it effectively side-steps the new restrictions on enterprise app deployment in iOS 9. Misuse of enterprise certificates is nothing new either: Check Point found that one Fortune 100 company had over 300 sideloaded apps signed with over 150 enterprise certificates. So while MDM technology may be great for businesses, users must be just as much on their guard against attacks targeting those deployments as against any other app or profile they install, and a configuration profile that asks to install a root certificate deserves particular suspicion.

Bitdefender Releases Free Tool to Fend Off Ransomware

Ransomware is a growing attack vector, and very few are truly safe from it and the potential loss of their personal data. Now antivirus firm Bitdefender has published a free tool that can prevent computers from being infected by some of the most common strains of ransomware, including Locky, TeslaCrypt and CTB-Locker.

The Crypto-Ransomware Vaccine works a lot like a biological vaccine against these types of ransomware, similar to a previous Bitdefender tool designed to stop CryptoWall infections. That tool may have been rendered useless by changes to CryptoWall, but the principle behind it remains effective for other types of ransomware. It works by tricking the ransomware into believing that the system it is targeting has already been infected by the same strain: to avoid encrypting a machine twice, many ransomware authors make their software look for an infection marker and ignore machines that already carry one. The vaccine plants those markers in advance.

Of course, it is always better to avoid ransomware in the first place than to rely on this tool, so users should also ensure that their operating system, browsers and other software, such as Flash Player, which is notorious for its vulnerabilities, are kept up to date. The tool may be very effective against a specific set of ransomware families, but it only helps against strains that perform the infection check it mimics, and a new variant can change its marker, as happened with CryptoWall. It is a complementary measure for users who are not running a full security suite, or who want an extra layer of defense alongside one.

Petya – The Ransomware That Deletes Your Master Boot Record

Ransomware is getting nastier and nastier. Initially just an attempt to turn malicious software (malware) into something financially rewarding, ransomware works by encrypting your files and demanding payment (normally in bitcoin) for the keys required to decrypt them. The latest one makes it even harder to bypass by overwriting the master boot record of infected computers.

Named Petya, the new ransomware overwrites the master boot record of affected PCs, meaning that the next time the computer is turned on it doesn’t even know where to find the operating system, let alone load it. Trend Micro reports that the malware arrives in emails posing as job applications, with a link to a Dropbox folder. The folder contains a self-extracting archive, supposedly the applicant’s CV and photo; once extracted, the ransomware is installed.

The system is then tricked into a critical error, resulting in everyone’s favourite blue screen of death. On reboot, the fake master boot record (MBR) that Petya put in place encrypts the master file table (MFT), the NTFS index that records every file and where it lives on the disk. By encrypting the MFT there is no need to go near the actual files, as the operating system can no longer find them. Encrypting one structure instead of hundreds of files is much faster, and people are often left with no choice but to pay the 0.99 BTC (roughly £296) fee demanded.

With ransomware getting ever more aggressive in its tactics, it is all the more important to check emails carefully as you receive them, and to keep your anti-virus and anti-malware software up to date.

Malware May be Using Real GPS Data to Scam Speeders

A new malware scam is hitting computers in Pennsylvania, posing as an email containing a speeding ticket with a link that loads malicious software onto the user’s computer. The emails claim to be from the police department of Tredyffrin, Pennsylvania, and masquerading as an official body is nothing new for malware. What is interesting is that the data in the tickets is said to be accurate, including the street names, their speed limits and the actual speed the recipient drove at, according to the Tredyffrin Police Department.

Exactly where the data comes from is unknown, but the current suspicion is that the source is a phone app with access to the user’s GPS data and perhaps other personal information that gave the attackers contact details. That could be either a legitimate app that has been compromised and hands data to the attackers, or a purpose-built malicious app published online. GPS data can be used to determine speed as well as location, which makes GPS-using apps a plausible way of obtaining the data.

Thankfully for most, this malware scam seems to be highly localized to the Tredyffrin area, but it gives a good view of a new type of attack emerging. Possessing data that normally only legitimate sources would have is a great way to convince people that you are the source you claim to be. This scam doesn’t even offer a payment link for the fictional speeding ticket, settling for delivering malware instead, but other parties may use the same method to different ends on a much larger scale in the future.

USB Thief Infects ‘Air-gapped’ Computers And Leaves No Trace

Malware (short for malicious software) is a program intended to cause harm to a system, be it ransomware like that which has hit several hospitals in the US, or just your generic popup-creating malware. A new piece of malware named USB Thief breaks with the usual pattern by hiding itself and infecting systems even when they aren’t connected to the internet.

The internet is a wonderful thing, but the problem with everyone being able to share and talk to one another is that sending something nasty is as easy as clicking a button (or in some cases the software even does this for you). USB Thief avoids the internet entirely by living on USB sticks, the very same ones you use to carry information between your computer and your parents’ or your friends’.

The malware hides by executing only under a specific set of conditions: its stages are encrypted with a key derived from the original USB drive it was planted on. Each instance is bound with a unique key built from the ID of the USB stick and the time of installation, so the traditional analyst’s move of copying the files off the drive and examining them fails, because on unknown hardware the key no longer matches and the payload cannot be decrypted.

Not only does this mean it won’t run under analysis, breaking the usual rule that repeated behaviour is traceable behaviour, but it also leaves no evidence on the infected computer, meaning your data could be stolen and you wouldn’t even know it. USB Thief lives up to the second part of its name: at the moment it only steals data, but Tomáš Gardoň, a malware analyst with antivirus provider ESET, says that “it would not be difficult to redesign the malware to change from a data-stealing payload to any other malicious payload”.

By avoiding the internet and relying on the more traditional method of USB drives, the malware is able to infect systems in a way similar to how Stuxnet worked, letting it reach ‘air-gapped’ systems (those not connected to the internet). With the USB lock in place, only the original USB stick prepared by its designers can infect systems, so a copy of the malware made by anyone else will not work.

If that wasn’t enough, USB Thief’s developers seem to have done their homework: it runs only as part of a command chain started from portable versions of legitimate applications such as Notepad++ and Firefox. If you’re running Kaspersky Lab or G Data, you should be okay, as the malware refuses to install itself when it detects either product, a feature no doubt based on the results of the authors’ own testing.
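The hardware binding described above, as an added illustration that is not USB Thief’s code: the loader derives its key from the USB device ID and the install time it reads on whatever stick it finds itself on, and only the original combination unseals the next stage. The device ID, timestamp, payload and the HMAC-based toy cipher are all constructed for this example; the real malware’s cipher and exact inputs are not described on this page.

```python
import hashlib
import hmac

# Constructed stand-ins for what the malware reads from the stick: a USB device ID
# and the install time it mixes in. Neither value is from the article or a real sample.
ORIGINAL_USB_ID = "VID_0781&PID_5583&SN_4C530001230601112345"
INSTALL_TIME = "2016-03-23T10:15:00Z"
PAYLOAD = b"next-stage component"  # constructed placeholder, not real code


def derive_key(usb_id: str, install_time: str) -> bytes:
    """Key bound to one physical stick and one install: any other inputs give a different key."""
    return hashlib.sha256(f"{usb_id}|{install_time}".encode()).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter keystream; illustration only, not the malware's cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(payload: bytes, key: bytes) -> bytes:
    """Encrypt, then MAC the ciphertext, so a wrong key is detected instead of yielding garbage."""
    body = bytes(p ^ k for p, k in zip(payload, keystream(key, len(payload))))
    return hmac.new(key, body, hashlib.sha256).digest() + body


def unseal(blob: bytes, key: bytes):
    """Return the payload, or None if this key (i.e. this hardware) is not the one it was sealed for."""
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(body, keystream(key, len(body))))


def run_stage(blob: bytes, usb_id: str, install_time: str):
    """What the loader does on whatever stick it is on: derive the key from the hardware it
    sees and try to unseal. On a copied stick the key differs and this silently fails."""
    return unseal(blob, derive_key(usb_id, install_time))


# The sealed stage as it would sit on the original stick.
SEALED = seal(PAYLOAD, derive_key(ORIGINAL_USB_ID, INSTALL_TIME))

if __name__ == "__main__":
    print("original stick:", run_stage(SEALED, ORIGINAL_USB_ID, INSTALL_TIME))
    print("copied stick:  ", run_stage(SEALED, "VID_0951&PID_1666&SN_E0D55E6C", INSTALL_TIME))
```

For an analyst the consequence is that a disk image of the files alone is useless: the key material has to be captured on the original stick (or the device ID and timestamp recorded and the derivation reproduced) before anything is copied off it.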

Malware Could Be Using Legitimate Signature Certificates

When installing software on your computer, we often have to take it on faith that the software is safe to use. As an extra precaution, companies can sign their software with a code-signing certificate, a digital signature showing that a trusted company created it. A group known for creating malware has found a way around this system, though: some of its programs are signed with legitimate certificates.

Because the certificates are legitimate, your computer trusts the software and installs it without further hassle; the problem is that the software is anything but safe and is in fact malware. According to Symantec, the group known as Suckfly has used no fewer than nine different signing certificates from nine different companies since 2014.

Categorising the malware it found, Symantec identified 11 tools that could be used to backdoor a system. Others were used to log keystrokes and gather information, and some included port scanning software to find out what on the network could be used to gain further access.

With so many certificates being stolen and used to sign malware, and the practice becoming common among malware creators, could we see the need for another way of checking that software is legitimate, if this technique is so easily bypassed? It is worth remembering what a signature actually proves: that the holder of the private key signed the file, not that the file is safe. Once a certificate is known to be stolen it should be revoked, and operating systems and AV should check revocation rather than trust the signature alone.

Stagefright Vulnerability Now a Serious Threat to Android Devices

The Stagefright vulnerability in Android is nothing new, but for a long time it was (mostly) harmless due to the difficulty of using the flaw reliably for malicious purposes. Unfortunately for Google and Android users, researchers at Israeli cyber-security firm NorthBit have developed a proof-of-concept exploit, named Metaphor, based on Stagefright that is able to compromise Android devices reliably.

The Metaphor exploit uses a series of back-and-forth exchanges that let attackers probe the defenses of a target device before attempting the compromise. When a victim visits a website with a malicious MPEG-4 file embedded in it, the file crashes Android’s built-in media server and sends data about the device’s hardware to the attacker; the attacker then sends another video file, captures additional data, and finally delivers a video file that compromises the device. The procedure may sound long and complicated, but in practice Metaphor was found to break into most devices within 20 seconds. Unfortunately for fans of stock Android, the attack was found to be most effective on Nexus 5 devices running stock firmware, but the customized versions of Android found on phones from HTC, LG and Samsung are not safe either.

While this attack may pose a threat to the 275 million Android phones running versions 2.2 through 5.1, devices running the most up-to-date version, 6.0 Marshmallow, are safe. Additionally, the attack must be tailored to a specific set of Android hardware, so it is likely that only the most popular devices would be targeted, and many of those have already received patches specifically to defend against Stagefright. Those with older Android devices may want to be careful or think about a new handset, lest they remain vulnerable to this exploit if it enters the wild.

KeRanger Mac Ransomware Flaw May Allow Recovery of Files

A few days ago KeRanger, the first Mac ransomware found in the wild, was discovered. Now, according to researchers from antivirus firm Bitdefender, KeRanger turns out to be based on a previous piece of ransomware known as Linux.Encoder, which emerged late last year targeting Linux-based web servers.

The good news is that Linux.Encoder had flaws in its cryptographic implementation for at least its first three versions, which allowed Bitdefender’s researchers to develop tools that could decrypt files affected by the malware. According to Bogdan Botezatu, senior e-threat analyst at Bitdefender, even the latest version of Linux.Encoder (version 4) has the same flaws that affected the previous versions.

“The infected Mac OS X torrent client update analyzed by Bitdefender Labs looks virtually identical to version 4 of the Linux.Encoder Trojan that has been infecting thousands of Linux servers since the beginning of 2016,” Bitdefender researchers stated in a blog post published on Tuesday. The upshot is that KeRanger carries the same broken cryptographic implementation.

Bitdefender has yet to publish a tool able to decrypt KeRanger-affected files; development of such a tool is under consideration, should demand be sufficient.

The purpose behind KeRanger remains unclear: those responsible went to great lengths, including stealing a legitimate Apple developer certificate and hacking into a popular and trusted open source project’s website, only to distribute ransomware with such a crucial known weakness. A newer, more dangerous version of KeRanger could well appear in the future, but those affected by the current iteration should be thankful that this incident was not more serious.
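The article doesn’t spell out which cryptographic flaw Bitdefender exploited. The added Python example below, which is neither Bitdefender’s nor the malware authors’ code, assumes the weakness Bitdefender described for early Linux.Encoder: the per-file key came from a pseudo-random generator seeded with the timestamp at the moment of encryption. Because the encrypted file’s modification time on disk ends up close to that moment, the seed lies in a small window and the key can be brute-forced from the ciphertext alone. The cipher here is a toy XOR stream standing in for AES, and the sample document and timestamps are constructed.

```python
import random


def derive_key(seed: int) -> bytes:
    """16-byte key from a PRNG seeded with a timestamp: fully determined by the seed."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(16))


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Toy symmetric cipher (repeating-key XOR); stands in for the real AES, not a model of it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def ransomware_encrypt(plaintext: bytes, now: int) -> bytes:
    """The flawed side: the key is derived from the clock at encryption time."""
    return xor_cipher(plaintext, derive_key(now))


# Known leading bytes of common file types, used to recognise a correct decryption.
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG": "png",
    b"PK\x03\x04": "zip/docx",
    b"\xff\xd8\xff\xe0": "jpeg (JFIF)",
}


def recover(ciphertext: bytes, mtime: int, window: int = 3600):
    """Try every seed from mtime back `window` seconds; return (seed, plaintext, type) on a hit.
    The window starts at mtime and walks backwards because the file was written at or just
    after the moment the key was generated."""
    for seed in range(mtime, mtime - window, -1):
        candidate = xor_cipher(ciphertext, derive_key(seed))
        for magic, kind in MAGIC.items():
            if candidate.startswith(magic):
                return seed, candidate, kind
    return None


# Constructed victim file: a PDF-looking document encrypted at a fixed fake timestamp,
# whose mtime on disk ends up two minutes later.
ENCRYPTED_AT = 1457000000
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
VICTIM = ransomware_encrypt(SAMPLE_PDF, ENCRYPTED_AT)
VICTIM_MTIME = ENCRYPTED_AT + 120

if __name__ == "__main__":
    print(recover(VICTIM, VICTIM_MTIME))
```

The general lesson is the one Bitdefender’s decryptors rely on: if the key is a function of anything an attacker can reconstruct (time, PID, a predictable PRNG state), the strength of the cipher itself is irrelevant. With a real block cipher the recovery loop is identical; only `xor_cipher` changes.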

First Mac-Targeting Ransomware Appears in the Wild

Despite the rising number of ransomware attacks recently, Apple’s Mac OS X had so far remained untouched by it. Unfortunately for Mac users, security firm Palo Alto Networks announced on Sunday that it had discovered the first ransomware aimed at OS X computers. Named “KeRanger”, the malware was discovered in a rogue version of the popular Transmission BitTorrent client.

KeRanger was first noticed on Saturday on the Transmission forums, where users posted unusual reports that copies of Transmission downloaded from the main site were infected with malware. This suggests the Transmission site itself was compromised; one telltale sign was that the infected versions of the client were served over plain HTTP instead of the HTTPS used for the rest of the website. Transmission later published a message stating: “Everyone running 2.90 on OS X should immediately upgrade to 2.91 or delete their copy of 2.90, as they may have downloaded a malware-infected file.”

When a computer is infected with KeRanger through installing a compromised version of Transmission, the installer runs an embedded executable on the system. It then waits three days before connecting to its command and control (C2) servers over the Tor anonymity network. From there, it begins encrypting certain types of files and documents on the system before demanding that one bitcoin (around $400) be sent to a specific address to restore access. The current version of KeRanger was also reported to still be under development, with future iterations potentially able to encrypt Time Machine backups too, in order to prevent restoration. That is one more reason to keep at least one backup on media that is not permanently mounted.

It was only a matter of time before ransomware came to the Mac, but it is worrying how vulnerable usually trustworthy open source projects are to unwittingly carrying malware. The infected version of Transmission has since been pulled from the site; if you believe you have been infected, Palo Alto Networks’ report includes steps on how to identify and remove KeRanger.

“Cyber Pathogen” Claims On Locked iPhone Made Up

The debate over privacy versus security is one that has lasted for hundreds of years, if not longer. People argue that while security is important, if it is pursued without checks, as with the PRISM program, then our privacy means nothing to those who could abuse the system. Currently Apple is debating this very matter with the FBI in Congress, and it seems that one of the people who came out in support of the FBI may have been using tall tales to back up his argument.

We’ve reported on the claims of Michael Ramos, the San Bernardino County District Attorney, that Apple must unlock the iPhone involved in the current case. His claims included the assertion that the phone, which had been issued to a county employee, had access to San Bernardino County’s infrastructure and could hold a “dormant cyber pathogen” that would be used to perform a terrorist attack on that infrastructure.

These claims were met with skepticism, with some people saying it was like claiming you might find a “magic unicorn” on the iPhone. Now Ramos himself has told the Associated Press that he has no proof or knowledge that the phone could be used in that way.

In his response he states:

“This was a county employee that murdered 14 people and injured 22. Did he use the county’s infrastructure? Did he hack into that infrastructure? I don’t know. In order for me to really put that issue to rest, there is one piece of evidence that would absolutely let us know that, and that would be the iPhone.”

Jonathan Zdziarski commented on his personal blog about this response, talking about the original comments by explaining that “Ramos’s statements are not only misleading to the court, but amount to blatant fear mongering”.

It would seem his original claims were just that, fear mongering, in the hope of drumming up support for a personal point of view. The move seems to have backfired, offering only more fuel for the pro-encryption camp backing Apple and their argument that people who understand cyber-security should be the ones making these decisions.

Mozilla Bans Popular YouTube Unblocker Add-On

One of Firefox’s popular add-ons has been kicked from the add-on repository after repeated bad behavior, and it is unlikely to come back. The YouTube Unblocker add-on uses a list of proxy servers to circumvent geoblocking of YouTube videos, which in itself is a useful feature, but one you’ll have to find another add-on for from now on.

The latest of several issues with the add-on, which had accumulated over 250 thousand downloads, began last weekend when a user reported a problem on the Mozilla bug tracker. Right after installing the add-on, his anti-virus software alerted him that it had blocked a download from a third-party website, a file Avast had flagged as malware.

On further examination, the user found that the add-on was altering browser settings and had disabled add-on signature enforcement, the feature that blocks add-ons Mozilla hasn’t signed. After disabling this protection, YouTube Unblocker went on to download another add-on called Adblock Converter from a third-party domain over an unencrypted connection, an add-on classified as malware and not found in the official add-on library. To make matters worse, users without proper anti-virus or anti-malware software wouldn’t even know this extra add-on was installed, as it didn’t show up in the about:addons page, and it would reinstall itself if a user managed to remove it in safe mode.

This is far from the first time this add-on has been under investigation for bad behavior. The last time was June 2015, when its developers were caught circumventing the official add-on guidelines with update code that bypassed Mozilla’s review process. Before that, they were caught tampering with search results and sending data back to the company without users’ consent or knowledge, even when the user had opted out.

Luckily for users who need geo-unblocking in Firefox, there are plenty of alternatives to choose from. If you ever had this add-on installed, it is also worth checking in about:config that xpinstall.signatures.required is still set to true.

Mac Malware Implies HackingTeam Has Returned

HackingTeam has been quiet recently, following the hack against it last July that revealed embarrassing amounts of its private data, emails and code. Now researchers have discovered newly developed malware for Mac OS X that has led to the belief that the group is back.

A sample of the malware was uploaded to Google’s VirusTotal scanning service on the 4th of February, at which time it wasn’t detected by any major anti-virus product (now, according to Ars Technica, it is detected by 10 of 56 AV engines). SentinelOne researcher Pedro Vilaça demonstrated some of the malware’s functions on Monday; it appears to have last been updated around October or November, with an embedded encryption key dated October 16th. The malware works by installing a copy of HackingTeam’s Remote Control System (RCS) compromise platform, and these two pieces of evidence imply that the malware is built on old and unexceptional code from the team, rather than the entirely new code the group promised it would return with after its compromise.

“HackingTeam is still alive and kicking but they are still the same crap morons as the e-mail leaks have shown us,” Vilaça wrote. “If you are new to OS X malware reverse engineering, it’s a nice sample to practice with. I got my main questions answered so for me there’s nothing else interesting about this. After the leak I totally forgot about these guys :-).”

Another examination of the sample by Patrick Wardle, a Mac security expert at Synack, found that while the malware appears to be built on the old HackingTeam code, it has several tricks up its sleeve for evading detection. These include using Apple’s native encryption scheme to protect its binary, the first time Wardle has seen this technique used.

Exactly how the malware gets installed is yet to be discovered; the leading possibilities are users being deceived into installing it thinking it is benign software, or it being bundled with another piece of malware that executes its installer. While this malware alone isn’t enough to prove that HackingTeam is active again, a Shodan search and a VirusTotal scan of the IP address found in the sample show that the control server was active as recently as January, which means this malware, regardless of its origin, should be treated as more than a hoax.

Linux Mint Site Hacked – Genuine ISO Replaced by Malware

The official website for Linux Mint was hacked and the ISO download of the operating system replaced with a malicious version on Saturday (20th February), the head of the project has announced. A backdoored build of the Linux Mint 17.3 Cinnamon edition was planted by compromising the site, so that users following the real download link were redirected to absentvodka.com, which hosted malware posing as Linux Mint.

Anyone who downloaded Linux Mint from the official website that day (torrent and direct HTTP downloads are thought to be unaffected) should read on for instructions on how to deal with the problem.

The post on the Linux Mint Blog – which includes instructions to help remove the malware version – reads:

What happened?

Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.

Does this affect you?

As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.

If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn’t affect you either.

Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.

How to check if your ISO is compromised?

If you still have the ISO file, check its MD5 signature with the command “md5sum yourfile.iso” (where yourfile.iso is the name of the ISO).

The valid signatures are below:

6e7f7e03500747c6c3bfece2c9c8394f  linuxmint-17.3-cinnamon-32bit.iso

e71a2aad8b58605e906dbea444dc4983  linuxmint-17.3-cinnamon-64bit.iso

30fef1aa1134c5f3778c77c4417f7238  linuxmint-17.3-cinnamon-nocodecs-32bit.iso

3406350a87c201cdca0927b1bc7c2ccd  linuxmint-17.3-cinnamon-nocodecs-64bit.iso

df38af96e99726bb0a1ef3e5cd47563d  linuxmint-17.3-cinnamon-oem-64bit.iso

If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn off your router if in doubt) with it and let it load the live session.

Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.

What to do if you are affected?

Delete the ISO. If you burnt it to DVD, trash the disc. If you burnt it to USB, format the stick.

If you installed this ISO on a computer:

  • Put the computer offline.
  • Backup your personal data, if any.
  • Reinstall the OS or format the partition.
  • Change your passwords for sensitive websites (for your email in particular).

Is everything back to normal now?

Not yet. We took the server down while we’re fixing the issue.
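As an added example (not part of the Mint post above or the project’s own tooling), the following Python script performs the same checks the post describes: it hashes the ISO with MD5, compares the result against the five published values keyed by filename, and tests a live session’s root (or a mounted ISO/USB inspected from another machine) for the /var/lib/man.cy marker. The filenames and hashes are the ones quoted above; the sample file in the usage run is constructed and is not a real ISO. One caveat the post does not spell out: an attacker who can alter the download page can usually alter the published hashes too, and MD5 is no longer collision-resistant, so a matching hash only proves you have the file the project listed; a detached PGP signature over the hash list is the stronger check.

```python
"""Check a Linux Mint 17.3 ISO against the published MD5 values and look for the
/var/lib/man.cy infection marker. Added example; not the Mint project's tooling."""
import hashlib
import os

# MD5 values copied from the Linux Mint blog post quoted above, keyed by filename.
KNOWN_GOOD_MD5 = {
    "linuxmint-17.3-cinnamon-32bit.iso": "6e7f7e03500747c6c3bfece2c9c8394f",
    "linuxmint-17.3-cinnamon-64bit.iso": "e71a2aad8b58605e906dbea444dc4983",
    "linuxmint-17.3-cinnamon-nocodecs-32bit.iso": "30fef1aa1134c5f3778c77c4417f7238",
    "linuxmint-17.3-cinnamon-nocodecs-64bit.iso": "3406350a87c201cdca0927b1bc7c2ccd",
    "linuxmint-17.3-cinnamon-oem-64bit.iso": "df38af96e99726bb0a1ef3e5cd47563d",
}

# Marker file the Mint team named; checked relative to whatever root you inspect.
INFECTION_MARKER = os.path.join("var", "lib", "man.cy")


def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Stream the file through hashlib so a 1.5 GB ISO never has to fit in RAM."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_iso(path, known=KNOWN_GOOD_MD5):
    """Return (status, digest): 'ok', 'mismatch', or 'unknown' (filename not in the list)."""
    expected = known.get(os.path.basename(path))
    digest = file_digest(path, "md5")
    if expected is None:
        return "unknown", digest
    return ("ok" if digest == expected.lower() else "mismatch"), digest


def live_session_infected(root="/"):
    """True if the marker exists under root: '/' inside the booted live session,
    or the mount point of an ISO/USB you are examining from a clean machine."""
    return os.path.exists(os.path.join(root, INFECTION_MARKER))


if __name__ == "__main__":
    import sys
    status, digest = verify_iso(sys.argv[1])
    print(f"{digest}  {os.path.basename(sys.argv[1])}: {status}")
    if status != "ok":
        sys.exit(1)
```

Run it as `python3 check_mint_iso.py linuxmint-17.3-cinnamon-64bit.iso`; the exit code is non-zero for anything other than an exact match, so it can sit in a download script. The filename lookup is deliberate: a renamed ISO comes back as `unknown` rather than silently matching the wrong entry.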

Hospital Pays Bitcoin Ransom to Fix Ransomware

Viruses and malware are issues for the best of us: from forgetting to scan your computer to being baited by an interesting link in an email, there are many ways for a system to get infected. Ransomware is one of the nastier kinds, denying you access to your files until you pay its creator. The FBI has reportedly told victims that paying is often the practical way out, but does that still apply when the victim is a hospital?

Earlier in the week we reported that hackers had hit a Hollywood hospital with ransomware. Hollywood Presbyterian Memorial Medical Center was locked out of its systems, with the initial demand reported as 9,000 bitcoins, close to 3.5 million dollars, for the key needed to unlock them. The hospital has now announced that it paid 40 bitcoins to get its systems back, far less than the reported 9,000.

President and CEO Allen Stefanek says the reported initial price tag of $3.6 million was false and that paying the fee was the “quickest and most efficient way to restore our systems and administrative functions”.

Even with backups and anti-virus software, some malware will always find a way into systems, and with ransomware paying off so well for its creators we don’t expect this to be the last time we see it hitting public services.

MazarBOT Targets Android Phones – Unless They’re In Russia

Malware, or malicious software, covers everything from pop-up ads to opening doors for full-scale attacks on companies. As the Dridex story shows, malware can threaten not only banking systems but, increasingly, your everyday smartphone. The latest malware on the net is called MazarBOT and has a unique feature: it won’t install itself if you are in Russia.

MazarBOT has been advertised on certain underground forums for a few months but had never been seen in use until now. It is a nasty piece of software that takes control of an Android phone, with a specific focus on people who use their phone for online banking. Peter Kruse, IT security expert and founder of CSIS Security Group, investigated the malware in depth.

The software spreads by sending a “swarm” of SMS messages to random phone numbers in Denmark; each message carries a link to an Android package (APK) file whose contents are none other than MazarBOT. Able to intercept text messages, including those carrying two-factor authentication codes, MazarBOT is a nasty piece of work that also sends the phone’s location to a number starting with Iran’s country code upon successful installation.

Upon detecting that the phone is in Russia, however, the malware stops installing; this is thought to be a way of avoiding the attention of Russia’s security services.

Take a Trip to the Malware Museum

I’m sure many of you have been to a museum at one point or another, but did you know there is also a museum for malware? That’s right, there’s a large online collection of things that once wanted to ruin your computer, and no, I’m not just talking about that “download more RAM” banner. Don’t worry, though: this museum isn’t going to leave you with a virus-infected computer. It is hosted by Archive.org and is more an art exhibition than a pit of doom that will wipe your hard drives.

Most people have heard of malware, and most of you have likely suffered at its hands too, but there is also a little artistic beauty to many of these malicious programs of days gone by. The exhibition was put together by security expert Mikko Hypponen and offers a visual collection of old-school viruses and the often creative visual effects, ASCII art and more that they used to troll their victims. It’s certainly a colourful display, and you can see them in action in all their glory.

There are some pretty cool animations in there too; it’s not just blocks of text or pop-ups like you would expect from modern spam-centric malware. If anything, I’d say the virus writers of the past were far more creative and more often than not were out to demonstrate their skills and cause destruction rather than make money; not that this makes what they did any better for the victim, of course.

So what are you waiting for? Take a trip back to the days of MS-DOS and floppy discs, screen saver viruses and more and who knows, maybe you’ll learn a bit of computer history while you’re at it.

View the full gallery at Archive.org.

White Hat Hacker Tweaks Dridex Malware to Distribute Antivirus Software

The Dridex banking malware has been a huge headache for a large part of the financial and technology industries, but it seems there is a white knight out there looking to turn the tables on this pesky infection. After a mysterious hijacking of the malware’s distribution servers, they have started serving legitimate installers for Avira Free Antivirus, which helps remove the infection from systems and hopefully clears up a few other issues along the way. The upshot is that anyone unlucky enough to fall for the infection in the first place could come out cleaner on the other side.

The malware is most often spread through spam messages carrying malicious Word documents. One of the three most widely used banking trojans in the world, it targets online banking users and steals their credentials, feeding them back to a server where they can be used to take money and other information from victims’ accounts. Agencies in the UK and US disrupted the botnet last year, going as far as indicting a man in Moldova they believe was responsible for the attacks, but that did little, if anything, in the long run to stop the botnet distributing the software.

Researchers at Avira recently noticed that the Dridex distribution servers had begun pushing an up-to-date Avira web installer instead of the trojan, which is obviously a welcome turn of events, although how long it will last remains to be seen.

“We still don’t know exactly who is doing this with our installer and why, but we have some theories,” said Moritz Kroll, a malware expert at Avira, via email. “This is certainly not something we are doing ourselves.”

The only theory that makes sense so far is that a white hat hacker has hijacked the distribution servers and tried to turn the tables.

“I really think it is a hacker who has discovered how to do a good thing but perhaps with not strictly legal methods,” Kroll said. “If you think about it, there was a huge media announcement when Dridex was ‘taken down’ by the government authorities and a much smaller level of reporting on its return to the marketplace. That has got to be frustrating to some and might cause them to think: ‘The government tried to take it down, they could not, I can do something myself’.”

Either way, anything that slows this nasty bit of software is a good thing!

VirusTotal – Anti-Virus For Your Firmware

Malware spreads all too easily across a connected world, and firmware is one of the places it can hide best. VirusTotal, the Google-owned scanning service, has now added firmware analysis, effectively giving you an anti-virus check for your firmware images.

Firmware is an often neglected piece of code. It sits between your hardware and your software, most often the operating system. The problem is that it is usually invisible to anti-virus and anti-malware scanners, and malware planted in it is notorious for surviving clean installations and reboots.

VirusTotal now lets people upload firmware images and scan them for signs of malicious code, marking what it finds as legitimate or suspicious, meaning you can quickly tell whether that new BIOS image is going to help or harm your PC.

Being able to scan for malware that has hidden under the radar for so long will come in handy for many. Since it was revealed that hard-drive firmware could carry implants attributed to the NSA, people have been on their guard, and this tool could soon hold a large library of firmware images to help scan, detect and protect systems around the globe.

VirusTotal already scans everything from files to URLs, so you can check that a site and the files you download are clean before you click the link next time.

Banking Malware ‘Dridex’ is Back!

We’ve all had that moment: unwanted pop-ups and adverts that make you suddenly realise “I’ve got a virus”. It’s one of those things we assume happens to other people, but it can happen to anybody, and the internet makes it ever easier to spread malicious software around the world. One piece in particular has reappeared, this time targeting your online banking.

Dridex has made several appearances before, such as when the NCA estimated its cost to the UK at around £20 million. IBM’s X-Force has found a newer version of the malware with a whole new trick up its sleeve. By tampering with DNS (Domain Name System) resolution on the infected machine, Dridex now sends you to a fake site instead of your bank’s real website. Users enter their details believing everything is fine, only to find they have handed their login credentials to the malware.

The nasty part is that you appear to be on the “right” website: the page looks normal, the address bar shows the correct domain, and everything that would normally make you trust the site is there. Only once you have logged in does it become clear that nothing about the site is right.
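The redirection described above only works if the infected machine resolves the bank’s name to an address the attackers control. A practical check, added here as an example and not taken from the IBM report, is to resolve a watchlist of bank domains through the host’s own resolver and through an independent resolver you trust, and alarm on any difference or on any answer in loopback or private space. The same script also pulls watchlisted names out of the hosts file, the crudest way to achieve the same redirection. The domains, addresses and hosts-file lines are constructed, the resolvers are passed in as functions so the script runs offline, and `system_resolver` shows how to plug in the OS resolver for a real run.

```python
"""Spot local DNS redirection of banking domains by comparing the host's own
answers with those of an independent resolver. Added example; the watchlist,
addresses and hosts-file text are constructed."""
import ipaddress
import socket

# Hypothetical banking domains to watch; substitute your own bank's hostnames.
WATCHLIST = ["onlinebanking.example", "secure.examplebank.co.uk",
             "cards.examplebank.co.uk"]

# Ranges a public bank site never resolves to; an answer here means a local proxy or hijack.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]


def system_resolver(name):
    """Ask the OS resolver (the one malware on this host can poison)."""
    try:
        return {info[4][0] for info in
                socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)}
    except socket.gaierror:
        return set()


def table_resolver(table):
    """Build a resolver from a dict; stands in for a trusted or a poisoned server."""
    return lambda name: set(table.get(name, ()))


def is_local_address(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def hosts_overrides(hosts_text, watchlist):
    """Return {domain: ip} for every watchlist name pinned in a hosts file."""
    wanted = {name.lower() for name in watchlist}
    found = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() in wanted:
                found[name.lower()] = ip
    return found


def find_redirections(watchlist, local_resolve, trusted_resolve):
    """Flag a domain when the local answer is not among the trusted answers,
    or when it lands in loopback/private space."""
    findings = []
    for domain in watchlist:
        local = set(local_resolve(domain))
        trusted = set(trusted_resolve(domain))
        reasons = []
        if local and not local <= trusted:
            reasons.append("answer differs from trusted resolver")
        if any(is_local_address(ip) for ip in local):
            reasons.append("resolves to a loopback or private address")
        if reasons:
            findings.append({"domain": domain, "local": sorted(local),
                             "trusted": sorted(trusted), "reasons": reasons})
    return findings


# Constructed data: a clean trusted view, a poisoned local view, and a hosts file.
TRUSTED_ANSWERS = {"onlinebanking.example": ["203.0.113.10", "203.0.113.11"],
                   "secure.examplebank.co.uk": ["198.51.100.7"],
                   "cards.examplebank.co.uk": ["198.51.100.8"]}
POISONED_ANSWERS = {"onlinebanking.example": ["192.0.2.66"],
                    "secure.examplebank.co.uk": ["127.0.0.1"],
                    "cards.examplebank.co.uk": ["198.51.100.8"]}
SAMPLE_HOSTS = """127.0.0.1   localhost
# constructed entry of the kind a local redirect would plant
192.0.2.66  onlinebanking.example www.onlinebanking.example
"""


def demo():
    """Run both checks over the constructed data; a real run passes system_resolver."""
    return (find_redirections(WATCHLIST, table_resolver(POISONED_ANSWERS),
                              table_resolver(TRUSTED_ANSWERS)),
            hosts_overrides(SAMPLE_HOSTS, WATCHLIST))


if __name__ == "__main__":
    findings, overrides = demo()
    for finding in findings:
        print(finding)
    print("hosts-file overrides:", overrides)
```

For a live check replace `table_resolver(POISONED_ANSWERS)` with `system_resolver` and feed the trusted side from a resolver the infected host cannot influence, for example a DNS-over-HTTPS query from another machine. Banks that use CDNs return different addresses per region, so treat a mismatch as a prompt to look at the certificate, not as proof on its own; the loopback/private rule has no such ambiguity.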

13 of the UK’s largest banks have had their websites replicated. That may not sound like many, but count how often people check their accounts online and taking even a few pounds from each could quickly add up to millions.

The malware is spread in several ways, one of the most common being a manipulated Office document. We remind our readers that attachments are like candy: never accept them from strangers, and if you are not expecting one, be extra careful!

Ransomware Just Got Worse By The Use of JavaScript

Ransomware is probably one of the peskiest and most annoying things your computer can catch. Not only do you lose access to your files, you have to pay a criminal to get them back, and even if you do pay there is no guarantee whatsoever that the criminal will release them, or won’t leave more malware behind to hit you again once you are “free”. As if that weren’t bad enough, a new piece of ransomware called Ransom32 has arrived that is written in JavaScript, and worst of all, barely any anti-virus or anti-malware program catches it at the moment.

While all this sounds bad, there are ways to protect yourself, and if you use common sense while browsing you should be safe anyway: stay away from dubious websites and don’t run any archive or executable downloaded from anything but official manufacturer websites. But let’s get back to the malware in question, Ransom32.

Ransom32 is built on NW.js, a framework for building desktop applications in JavaScript (a really cool framework, by the way). Unfortunately that means that where we usually only see Windows users at risk, Linux and OS X users could be hit just as easily, since NW.js runs on all three. It also means the ransomware is not confined by the sandbox that JavaScript runs in inside a browser: NW.js gives its scripts full access to the operating system.

Security researcher Fabian Wosar of Emsisoft found the new Ransom32 as a self-extracting RAR archive. When unpacked, it hides in the temp folder and disguises itself as the Chrome web browser, appearing as chrome.exe. This is the point at which an advanced user would already have noticed it and not let an archive auto-extract and run. Should the fake chrome.exe be executed, however, it starts encrypting your files with AES-128 in CTR mode and plants itself firmly in the system’s autostart entries.
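The two behaviours Wosar describes, a browser-named binary dropped in the temp folder and an autostart entry pointing at it, are both cheap to check for. The following Python script, added here as an example and not part of Emsisoft’s analysis, reads the current user’s Run key on Windows (and falls back to a constructed list of entries elsewhere, so it runs anywhere), extracts the image path from each command line, and flags entries that launch from a temp directory or that impersonate a browser from outside Program Files. The sample entries are constructed; their value names and paths are illustrative, not indicators taken from the real sample.

```python
"""Flag autostart entries that launch from a temp folder or impersonate a browser,
the two traits of the Ransom32 dropper described above. Added example; the sample
Run-key entries are constructed."""
import ntpath

BROWSER_NAMES = {"chrome.exe", "firefox.exe", "iexplore.exe"}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


def executable_path(command):
    """Pull the image path out of a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def assess_autorun(command):
    """Return the reasons an autostart command looks suspicious (empty list if clean)."""
    path = executable_path(command).lower()
    reasons = []
    if any(marker in path for marker in TEMP_MARKERS):
        reasons.append("runs from a temp directory")
    if ntpath.basename(path) in BROWSER_NAMES and not path.startswith(TRUSTED_PREFIXES):
        reasons.append("browser-named binary outside Program Files")
    return reasons


def read_run_key():
    """On Windows, enumerate HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    Elsewhere winreg does not exist, so return [] and let the caller use sample data."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the values are exhausted
                break
            entries.append((name, str(value)))
            index += 1
    return entries


# Constructed entries shaped like Run-key values; names and paths are illustrative.
SAMPLE_AUTORUNS = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("ChromeUpdate", r'"C:\Users\alice\AppData\Local\Temp\chrome.exe"'),
    ("GoogleChromeAutoLaunch",
     r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window'),
]


def suspicious_autoruns(entries):
    """Map each suspicious entry name to the reasons it was flagged."""
    result = {}
    for name, command in entries:
        reasons = assess_autorun(command)
        if reasons:
            result[name] = reasons
    return result


if __name__ == "__main__":
    entries = read_run_key() or SAMPLE_AUTORUNS
    for name, reasons in suspicious_autoruns(entries).items():
        print(f"{name}: {', '.join(reasons)}")
```

On a Windows machine the script inspects the real HKCU Run key; anywhere else it works through the constructed list. A complete sweep would also cover the HKLM Run and RunOnce keys, the Startup folder and scheduled tasks, since any of them gives the same persistence.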

The Ransom32 creators have also made it very easy for others to use their tool. Would-be criminals can reach it via a Tor hidden service, customise its features on the site and download it. The creators reportedly use the same network for their command-and-control servers. To top it all off, they take a 25 percent cut of the accumulated ransoms, and everything stays anonymous thanks to the use of Bitcoin.

We can only hope that the virus scanners and anti-malware tools get an update soon so the less tech-minded don’t get infected by this nasty new piece of software. You can read a lot more about it on the Emsisoft blog.

Raspberry Pi Foundation Asked to Install Malware

Earlier this week the Raspberry Pi Foundation was approached by a woman called Linda, who asked the team if they would ever so kindly distribute an .exe file alongside their Linux operating system, Raspbian. The e-mail asks whether the foundation would perform the miracle of running an .exe on a Linux operating system in return for a sum of money under a pay-per-install (PPI) scheme.

It’s surprising the sheer cheek of this company, asking one of the world’s best-known organisations to cheat its own customers. Why on earth would they think the foundation would go along with it? I don’t know. I can safely say that the foundation has not accepted this fantastic offer. The Raspberry Pi Foundation is now a huge operation, with over 5 million Pi boards sold since the release of the original, and the use of an open source operating system has done it wonders: there are thousands upon thousands of scripts and programs for the Pi available to the public.

Pi Facts: The name “Raspberry” originates from the fruit-based naming tradition for microcomputers in old days. “Pi” refers to “Python” because Python was one of the first programs ported to run on Raspberry Pi. Hence the rather unusual name.


Hyatt Hotels Hit by Hacker

Today Hyatt Hotels issued a warning to its guests after malware was discovered on its customer payment system. It isn’t the first hotel chain to suffer security issues recently, with Hilton, Mandarin Oriental, Starwood and the Trump Collection all having had problems with the security of their payment systems.

The breach was made public by Hyatt’s Global President of Operations, Chuck Floyd, in a post on the company’s official website. While he did not say exactly when the issue was discovered, he reported that the problem had been fixed and that the systems involved have had their security strengthened. Previous customers are encouraged to check their credit card statements for unauthorised use of their payment details.

Many details of the incident remain unclear and unmentioned by Hyatt, which has neither confirmed nor denied whether the malware led to any customer data being leaked. Hyatt is investigating with the help of leading third-party cybersecurity experts, and the results of the investigation will be posted on its website.

Operating in 52 countries with 627 hotels in its portfolio, the potential impact is huge if the malware did lead to the leak of customers’ personal and payment details. Around half of the company’s properties were affected by the malware; franchised hotels appear to have escaped.

Global Bot Network ‘Dorkbot’ Busted and Taken Down

There are two well-known groups that use the name Dorkbot: one is a fine collection of organisations that sponsor grassroots meetings of artists, engineers, designers, scientists, inventors and anyone else working under the very broad term ‘electronic art’. The other belongs to the dark side and is, or rather was, a large botnet of worms that spread through instant messaging, USB drives, websites and social media.

The Dorkbot network has been tracked since 2011 and infected over a million systems, adding 80,000 to 120,000 more each month according to Microsoft. Now law enforcement agencies around the world have put a stop to it: the FBI, Europol’s European Cybercrime Center and the Interpol Digital Crime Center, assisted by Microsoft in tracking down the command-and-control servers.

The network stole pretty much anything it could get its hands on, such as Facebook and Gmail credentials and Netflix accounts, but also PayPal and other payment credentials. This is just the latest of many botnets to be taken down lately and it is good to see the authorities doing something about this plague on the internet. At the same time, senators and legislators are pushing for harsher penalties for operators and users of botnets.

At the time of writing there was no news on whether they had any leads on who was behind the network and controlling it, or whether they had only managed to take down the infrastructure itself.