White Hat Hacker Tweaks Dridex Malware to Distribute Antivirus Software

The Dridex banking malware has been a huge headache for a large part of the financial and technology industries, but it seems there’s a white knight out there looking to turn the tables on this pesky infection. After a mysterious hijacking of the malware’s distribution servers, those servers have started dealing out legitimate installers for Avira Free Antivirus, which helps remove the infection from affected systems and hopefully clears up a few other issues along the way. The bonus is that anyone careless enough to fall for the lure in the first place could technically come out cleaner on the other side.

The malware is most often spread through spam messages and malicious Word documents. Being one of the three most widely used trojans in the world, it targets online banking users, steals credentials and other account information, and feeds them back to a command-and-control server, from where they are used to take money from victims’ accounts. Agencies in the UK and US managed to disrupt the botnet last year, even going as far as indicting a man in Moldova they believe was responsible for the attacks, but that did little, if anything, in the long run to stop the botnet distributing the malware.

Researchers at Avira recently noticed that the Dridex distribution servers had begun pushing an up-to-date Avira web installer instead of the trojan, which is obviously a great step in combating the problem, although how long it will last remains to be seen.

“We still don’t know exactly who is doing this with our installer and why, but we have some theories,” said Moritz Kroll, a malware expert at Avira, via email. “This is certainly not something we are doing ourselves.”

The only theory that makes sense so far is that a white hat hacker has hijacked the distribution servers and is trying to turn the tables.

“I really think it is a hacker who has discovered how to do a good thing but perhaps with not strictly legal methods,” Kroll said. “If you think about it, there was a huge media announcement when Dridex was ‘taken down’ by the government authorities and a much smaller level of reporting on its return to the marketplace. That has got to be frustrating to some and might cause them to think: ‘The government tried to take it down, they could not, I can do something myself’.”

Either way, anything that slows this nasty bit of software is a good thing!

Google Isn’t Happy With AVG’s Chrome Plugin

AVG have a give-and-take relationship with security and privacy, from building glasses that hide you from facial recognition software to going so far as to sell your browsing activity to advertisers. Now AVG’s Chrome plugin has been found to bypass Chrome’s security protections, something Google are less than happy about.

The Web TuneUp extension, available from the Chrome Web Store, sends the addresses you visit to AVG, where they are compared against a list of known malicious sites so that you can be warned before landing on one. The way the extension was built, however, reportedly left that information open to exploitation, as Google security researcher Tavis Ormandy reported in an issue filed on December 15. In the report he describes it as something that “exposes browsing history and other personal data to the internet”.

Ormandy was less than pleased about it, stating that he was unsure whether to contact AVG (which he did) or to ask the extension abuse team to investigate it as a PUP (potentially unwanted program, a term for software that is not classed as malware but that users would not knowingly choose to install).

As of December 28, AVG had completed a patched version of the plugin, while Ars Technica reported that the extension had been frozen in the store while Google investigated it for policy violations.

AVG Can Sell Your Browsing Activity to Ad Companies

AVG has updated its Privacy Policy in a bid to make the free version more profitable and will now collect “non-personal data” which can be sold to third parties. This is an extraordinary revelation and not what you would expect to see from a company supposedly trying to protect your privacy and security. The changes will come into effect on the 15th October and an AVG spokesperson said they are planning to adopt an opt-out data scheme:

“Those users who do not want us to use non-personal data in this way will be able to turn it off, without any decrease in the functionality our apps will provide.”

“While AVG has not utilized data models to date, we may, in the future, provided that it is anonymous, non-personal data, and we are confident that our users have sufficient information and control to make an informed choice.”

According to AVG, this move is designed to be as transparent as possible and to clearly outline how individuals’ data is sold on to third parties. Despite this, I highly doubt AVG’s free users are happy about the sudden declaration, and many will probably move to another free alternative such as Avast. Perhaps an opt-in scheme would have been the better PR exercise, but AVG are well aware that the number of people agreeing to that would be minimal.

How do you feel about companies selling your browsing data?

Thank you Wired for providing us with this information.

John McAfee Calls McAfee Antivirus “One of the Worst Products on the ****** Planet”

WARNING: This article references material that contains explicit language.

We all have (or should be using) an antivirus program (or several, for some people). For some it’s Norton, a company which seems interested in putting a Faraday cage in your trousers, or maybe Avast, who recently revealed that the Android “factory reset” fails to wipe all your saved personal information. Either way, opinions of these products and their creators range from “divine saviours of computers” to “the embodiment of a technological devil”. One of the better-known programs is McAfee; however, it would seem its founder (who has not been involved with the software for many years) feels the product falls into the latter category.

Speaking in his official “I am John McAfee AMA” on Reddit, McAfee was discussing the video he released two years ago in which he guided people through uninstalling the software. If you are interested in the video, please read our article about it here or check out the video below. Warning: NSFW language and themes throughout.

In his AMA (ask me anything), McAfee, posting as mcafee-ama, wrote:

“…. Also McAfee is one of the worst products on the ****** planet”
Original post can be found here: (Warning: explicit language)

John McAfee is not one to shy away from the spotlight, mostly for the wrong reasons, ranging from an arrest on charges of being drunk while in possession of a firearm to speaking out and asking Google users to “wise up” when it comes to their privacy and confidentiality.

McAfee certainly doesn’t live a calm life, so what will he do next?

Image courtesy of The Independent

The Latest Adventure of John McAfee? Arrested Again!

Oh John, you’re entertaining but as sane as a lorry load of peanuts. John has been arrested again, and this time the charge is DUI and possession of a handgun while under the influence; this comes after his earlier flight from police in Belize. It takes some talent to be drunk and armed at the same time.

I am not quite sure the police are taking him seriously: Sheila Austin, warrants clerk for the Henderson County Sheriff’s Office, confirmed that he was that McAfee before adding, “I don’t know why he would move to a little town like ours.” According to authorities, McAfee resides in a place called Lexington, Tenn. Yep, me neither, so I looked it up: Tenn. is short for Tennessee, and Lexington sits in the western part of the state between Nashville and Memphis, ideally placed for the music scene.

John McAfee was released on a bond of approximately $5,000 (£3,228), but not before a mug shot was taken, which is below. In the great words of noted wordsmith Afroman: because I got high, because I got high, la, la, la, la.

On a serious note, it just goes to show how far John McAfee has fallen after losing most of his $100 million fortune, much of it in the stock market crash of 2008. He had been living in Belize until police paid him a visit to ask why his neighbour was dead, at which point he fled to Montreal, Canada, where he lived with his wife before eventually moving to Tennessee. McAfee stated in an interview that his assets were frozen by law enforcement in Belize, leaving him close to broke.

It’s difficult to pinpoint what this eccentric entrepreneur will do next. He is the type of person to be involved with a tank, or a rocket, or possibly blowing something up; good job he’s not allowed anywhere near nuclear missiles.

Thank you CNN Money for providing us with this information and the image

Windows 10 Ransomware Discovered

Well, this didn’t take long! A new form of ransomware has been discovered which, once downloaded and run, encrypts your files before demanding a fee to unlock them. The distributors of this malicious code are impersonating Microsoft by “offering” users a free upgrade via email. The scam takes full advantage of the Windows 10 rollout process, which asks consumers to wait in a queue for the upgrade.

So how does it work?

Distribution works by sending consumers an email offering a free Windows 10 upgrade. A sample of this type of email is below. Firstly, the “From” address on the email is spoofed (update<at>microsoft.com): the message is not actually from Microsoft but was sent from an IP address in Thailand. The attackers also use a colour scheme similar to Microsoft’s, with the aim of luring consumers into treating the email as genuine.

The next red flag is the body text, which does not render properly. This could be down to the targeted audience being a demographic that uses a non-standard character set, or to the character set the adversaries used when crafting the email. Another suspicious but sneaky touch is a notice claiming the mail has been virus-scanned and is clean; it links to an open-source mail scanner, but is there purely to reassure the reader.

What is the Payload of the virus?

If this email is taken as genuine correspondence from Microsoft, you are asked to download a zip file containing an executable. Once run, the screenshot below appears. The payload is CTB-Locker, a ransomware variant that is currently being delivered at a high rate, whether via spam or exploit kits; adversaries are dropping a huge number of different ransomware variants. Its behaviour is typical of this kind of ransomware, with a few extra features, including elliptic curve cryptography for its public/private key operations, which provides the same asymmetric guarantees as older schemes with smaller keys and lower overhead.
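The red flags described in this section (a spoofed From address that does not match where the mail actually came from, and a zip attachment hiding an executable) can be checked mechanically. The following is an added example, not code from the original article or from Cisco; it builds a constructed lure message with Python’s standard `email` and `zipfile` modules (the Thai host name, the 203.0.113.45 origin address and the bounce domain are placeholders, not indicators from the real campaign) and then triages it.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

EXEC_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".cmd", ".bat")


def build_sample_lure() -> bytes:
    """Construct a message shaped like the Windows 10 lure (all values made up)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Win10_Upgrade_Installer.exe", b"MZ" + b"\x00" * 62)  # fake PE stub

    msg = EmailMessage()
    # Received headers are listed newest-first, as MTAs prepend them; the last is the origin hop.
    msg["Received"] = "from mx-in.corp.example ([198.51.100.7]) by mail.corp.example; Mon, 3 Aug 2015 10:01:02 +0000"
    msg["Received"] = "from smtp.example-lure.th ([203.0.113.45]) by mx-in.corp.example; Mon, 3 Aug 2015 10:01:01 +0000"
    msg["Return-Path"] = "<bounce@example-lure.th>"
    msg["From"] = "Microsoft Update <update@microsoft.com>"
    msg["To"] = "victim@corp.example"
    msg["Subject"] = "Your Windows 10 upgrade is ready"
    msg.set_content("Your free upgrade to Windows 10 is attached. Run the installer to begin.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Win10_Upgrade.zip")
    return msg.as_bytes()


def build_clean_sample() -> bytes:
    """A benign internal message for comparison (also constructed)."""
    msg = EmailMessage()
    msg["Received"] = "from mail.corp.example ([198.51.100.9]) by mx-in.corp.example; Mon, 3 Aug 2015 09:00:00 +0000"
    msg["Return-Path"] = "<alice@corp.example>"
    msg["From"] = "Alice <alice@corp.example>"
    msg["To"] = "victim@corp.example"
    msg["Subject"] = "Lunch"
    msg.set_content("See you at noon.")
    return msg.as_bytes()


def _domain(header_value: str) -> str:
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> list:
    """Return short finding codes for a raw message; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_domain = _domain(str(msg.get("From", "")))
    rp_domain = _domain(str(msg.get("Return-Path", "")))
    # Envelope sender that disagrees with the visible From is the classic spoofing tell.
    if rp_domain and from_domain and rp_domain != from_domain:
        findings.append("return-path-mismatch")

    hops = msg.get_all("Received", [])
    if hops:
        origin = str(hops[-1])
        host = re.search(r"from\s+(\S+)", origin)
        # Heuristic only: legitimate bulk senders relay through third parties, so this is
        # a signal to investigate, not proof; SPF/DKIM/DMARC are the authoritative checks.
        if host and from_domain and not host.group(1).lower().endswith(from_domain):
            findings.append("origin-host-mismatch")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_SUFFIXES):
            findings.append("executable-attachment")
        elif name.endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    if any(n.lower().endswith(EXEC_SUFFIXES) for n in zf.namelist()):
                        findings.append("executable-in-zip")
            except zipfile.BadZipFile:
                findings.append("corrupt-zip")
    return findings


if __name__ == "__main__":
    for code in triage(build_sample_lure()):
        print("flag:", code)
```

The origin-host test is deliberately crude: plenty of legitimate mail from a brand’s domain is relayed by a mailing provider, so in production this heuristic should sit behind proper SPF, DKIM and DMARC evaluation rather than replace it. The attachment check, on the other hand, is a hard rule worth enforcing at the gateway: an executable inside a zip from an unsolicited sender has no legitimate business reaching an inbox.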

Another feature of this locker is the use of hard-coded IP addresses on non-standard ports to establish communication. There is also a significant amount of data exchanged between systems, which is uncharacteristic of ransomware. An analysis of network traffic revealed ~100 network streams to various IP addresses. The most common ports used were 9001, 443, 1443 and 666.
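Those network characteristics (many streams to distinct addresses, unusual destination ports, heavy upload) are exactly what a network monitor can key on. The block below is an added example written for this article, not code from Cisco or the original page: it scores constructed flow records per source host and window, flagging the non-standard ports named above and an assumed fan-out threshold of 50 distinct peers in five minutes. The 10.0.0.x hosts and 203.0.113.0/24 peers are documentation addresses, not real indicators.

```python
import ipaddress
from collections import defaultdict

SUSPECT_PORTS = {9001, 1443, 666}   # non-standard ports named in the write-up; 443 is too common to flag alone
DISTINCT_DST_THRESHOLD = 50         # assumed: a desktop rarely talks to 50+ distinct peers in one window
WINDOW_SECONDS = 300


def sample_flows():
    """Constructed flow records (ts, src, dst, dport, bytes_out) for two hosts.

    10.0.0.5 behaves normally; 10.0.0.9 reproduces the pattern described above:
    ~100 streams to distinct addresses on 9001/443/1443/666 with heavy upload.
    """
    flows = []
    for i in range(8):
        flows.append((1000 + i * 20, "10.0.0.5", "198.51.100.10", 443, 1200))
    ports = [9001, 443, 1443, 666]
    peers = list(ipaddress.ip_network("203.0.113.0/24").hosts())[:100]
    for i, peer in enumerate(peers):
        flows.append((1000 + i, "10.0.0.9", str(peer), ports[i % 4], 8000 + i * 50))
    return flows


def analyse(flows, window=WINDOW_SECONDS, dst_threshold=DISTINCT_DST_THRESHOLD):
    """Bucket flows per (source, fixed time window) and return {src: [alert, ...]}."""
    buckets = defaultdict(lambda: {"dsts": set(), "suspect_ports": set(), "bytes_out": 0})
    for ts, src, dst, dport, nbytes in flows:
        b = buckets[(src, ts // window)]
        b["dsts"].add(dst)
        if dport in SUSPECT_PORTS:
            b["suspect_ports"].add(dport)
        b["bytes_out"] += nbytes

    alerts = {}
    for (src, bucket), b in buckets.items():
        reasons = []
        if b["suspect_ports"]:
            reasons.append("suspect-ports:" + ",".join(str(p) for p in sorted(b["suspect_ports"])))
        if len(b["dsts"]) >= dst_threshold:
            # Fan-out to many distinct peers is the stronger signal: port choice is easy
            # for malware authors to change, but the number of hosts to reach is not.
            reasons.append(f"fan-out:{len(b['dsts'])}")
        if reasons:
            alerts.setdefault(src, []).append({
                "window_start": bucket * window,
                "reasons": reasons,
                "bytes_out": b["bytes_out"],
            })
    return alerts


if __name__ == "__main__":
    for src, hits in analyse(sample_flows()).items():
        for hit in hits:
            print(src, hit)
```

In practice the thresholds would be tuned per network segment (a mail relay or a developer workstation running distributed builds will legitimately exceed 50 peers), and the alert would carry the peer list so an analyst can pivot to threat-intelligence lookups on the destinations.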

So how do I protect myself from this threat?

Be very careful with emails of this nature: look at the details and, if unsure, research them; staying current and educated on the nature of these threats is a powerful defence. Always question a “free upgrade” that arrives in your inbox, and never open or install an executable or any other file without checking the authenticity of both the email and the file. If in doubt, don’t open it.

These scams are becoming harder for the average user to spot, and their aim is to lock up your files. Always perform regular backups, kept offline or otherwise out of reach of the infected machine so that the ransomware cannot encrypt them too, and use an up-to-date antivirus scanner as a matter of course.

Thank You to Cisco Blogs for providing us with this information

Image courtesy of digitallife

Bit Defender Admits To Being Hacked

Oh, the irony never fails to amuse: an antivirus company that boasts of keeping customers safe from online threats has itself fallen victim to a hack. Kaspersky recently discovered an intrusion into its own systems, and now Bit Defender have admitted to being hacked.

Bit Defender’s security practices will come under heavy criticism after a hacker going by the name DetoxRansome claimed to have access to Bit Defender customer information, allegedly including passwords. The hacker also claims this information was stored unencrypted by the antivirus giant.

Bit Defender have responded, stating that they investigated a “potential security issue with a server and determined a single application was targeted within a component of its public cloud offering”. On the amount of data that might have leaked, the company said that the “exposure of a few user accounts and passwords is very limited and it represents less than one percent of our SMB customers”.

There are reports that the hacker demanded Bit Defender pay a ransom of $15,000 or see all the information dumped online. As noted by news sources, the hacker appears to have dumped around 250 customer usernames and passwords onto the web. Among the addresses were some on .gov domains, which indicates government customers might have been affected.

The hacker’s version is the following: “We had taken control of two BitDefender cloud servers and got all logins. Yes, they were unencrypted, I can prove it… they were using Amazon Elastic Web cloud which is notorious for SSL [a form of web encryption] problems.”

The level of severity depends on which version you believe: either only the reported 1% of SMB accounts were compromised, or the whole lot. One thing is apparent, though: for the love of god, why were credentials stored in a recoverable form at all? Passwords should be stored only as salted hashes from a deliberately slow function, so that a dump of the database yields nothing directly usable, and any other sensitive data should be encrypted at rest. If a company offers cloud services, this has to be secure, or as near as.
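To make that concrete, here is what credential storage should look like so that a leaked table is not a leaked set of logins. This is an added example, not Bit Defender’s code or any description of their actual system: it uses PBKDF2-HMAC-SHA256 from Python’s standard library with a per-user random salt, a constant-time comparison on verification, and a transparent upgrade path when the work factor (assumed here to be 210,000 iterations) is raised later. The `store` dictionary stands in for a database table.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 210_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per user defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest does not short-circuit, so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, digest)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses a weaker work factor than the current policy."""
    parts = record.split("$")
    try:
        return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations
    except ValueError:
        return True


def login(store: dict, username: str, password: str, iterations: int = ITERATIONS) -> bool:
    """Check a login against the store and silently upgrade out-of-date records."""
    record = store.get(username)
    if record is None:
        # Burn the same work on unknown users so response time does not reveal which names exist.
        hash_password(password, iterations)
        return False
    if not verify_password(password, record):
        return False
    if needs_rehash(record, iterations):
        # We only have the plaintext at login time, so this is the moment to re-hash.
        store[username] = hash_password(password, iterations)
    return True


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}
    print(users["alice"])                                   # what an attacker would see in a dump
    print(login(users, "alice", "correct horse battery staple"))  # True
    print(login(users, "alice", "wrong"))                   # False
```

The point of the self-describing record format is operational: when the iteration count is raised, old rows keep verifying and are upgraded one by one as users log in, so there is never a reason to keep plaintext “just in case”. A dedicated memory-hard function such as scrypt or Argon2 is preferable where a library is available, but PBKDF2 with a per-user salt is already a different world from the unencrypted logins the hacker claims to have taken.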

In the corporate world, consumers receive corporate promises that look excellent on the outside; dig deeper and your logins might be on the open web. Only time will tell the extent to which Bit Defender have been compromised. Let’s hope this is an alarm call to change practices for storing sensitive information online, or not, as is all too often the case.

Original Bit Defender logo courtesy of dev0blog

Thank You Forbes for providing us with this information

Malwarebytes Offers Free Reprieve to Pirates

Oh, the conundrum of pirated software: on one hand it’s better to support the product, on the other hand it’s free; but loyalty is what counts, yeah, but it’s free. Software companies have tried many avenues to stop pirates, from banning individuals from particular online games to, in Microsoft’s case, offering free copies of Windows 10 to users of cracked software, only to change their minds repeatedly.

Popular and successful anti-malware company Malwarebytes have taken a different view and are offering an amnesty for pirated keys in exchange for legitimate licences. How does it work? According to the Malwarebytes website, if you try, well, not you, but if someone attempts to activate a pirated licence key, a message appears offering two options: one to contact Malwarebytes for a replacement 12-month key before the pirated key is disabled, the other for customers who hold a legitimately purchased licence.

Malwarebytes aims to roll out a new, stronger licensing system that can tie each key to its owner. The offer is for a limited time only, but as of writing no end date has been announced. It’s a brave move to offer a free key to pirates, but in turn the company is not threatening users with legal action, which might build a stronger reputation with users in the long run.

Or this could just be a case of spreading a huge net to see who bytes (bites; I am speaking in tech). Either way, it will be interesting to follow the progress of this offer.

Thank you Malwarebytes and Forum for providing us with this information

Image courtesy of degreedix

Panda Antivirus Flags Itself as Malware, Bricks Computers

A warning to Panda Security antivirus users: do not reboot your PC. In a baffling show of incompetence, the latest Panda antivirus update has the program flagging itself as malware, putting core files in quarantine, and leaving computers unable to connect to the internet, unstable, or, at worst, completely unusable.

Though Panda insists that the problem was “repaired immediately”, it warns that in certain instances the “incident” could “persist”. The company reassured customers that “only a small part” of its install base was affected.

Despite Panda’s reassurances, there seems to be a small chance that the problem could still affect some computers. Rather than play Russian roulette with your system, it may be wiser to jettison Panda’s software entirely.

Source: ZDNet

AVG Makes Glasses That Hide You From Facial Recognition Software

AVG, a company commonly known for protecting computing devices from viruses has embarked on an endeavour to protect your face from facial recognition software.

The concept, as demonstrated at Mobile World Congress, relies on a pair of glasses that, when worn, prevent facial recognition from detecting the presence of eyes, the most common marker for such technology.

The glasses contain LEDs whose light is picked up by digital camera sensors but not by the human eye, washing out the regions used to recognise faces; in conjunction with a lining of reflective material that bounces flash light back at the camera, this makes it harder to take a usable photo of the wearer.

Though still in the prototype stage, AVG hopes to develop the concept into a consumer model soon. The technology is sure to displease Microsoft, though, who recently revealed plans to use Kinect in retail spaces to recognise and track shoppers.

Source: Gizmodo

SanDisk Unveils New SanDisk Ultra II Solid State Drive

SanDisk Corporation announced the new SanDisk Ultra II Solid State Drive with enhanced SSD Dashboard. The new drive is designed to deliver a cost-effective and easy upgrade solution for PC owners looking to improve performance, battery life, and power efficiency. The enhanced SSD Dashboard provides visibility into the drive’s performance, security, and available firmware updates, to maintain peak performance at all times.

“We live in an era where we expect to have information at our fingertips any time, anywhere, with technology that keeps us connected to both our personal and work lives on devices that won’t fail,” said Dinesh Bahal, vice president of retail product marketing at SanDisk. “The new SanDisk Ultra II SSD, together with the improved SSD Dashboard, provides consumers with an easy, affordable way to ensure that their PC can keep pace with their increasingly connected, information-driven lifestyle.”

The drive promises up to 28 times the performance and up to 15 percent longer battery life compared to a 2½” 7200 RPM HDD. It features sequential read speeds of up to 550 MB/s and write speeds of up to 500 MB/s, is based on X3 NAND flash technology and comes equipped with nCache 2.0. nCache uses a two-tiered caching architecture to optimise drive speed and endurance. The drive is also shock resistant, which keeps data safe even if the computer is bumped or dropped.

Video: https://www.youtube.com/watch?v=6sYEQZ0HWp0

The SanDisk SSD Dashboard is available in 17 languages and displays the drive’s performance, allows manual or scheduled TRIM, updates the firmware when a new version is available and offers tips on keeping the drive at peak operation. It also has support features for getting assistance via “Live Chat” and “Ask a Question via Email”. The SanDisk SSD Dashboard has the added value of an included drive-cloning tool that works in three easy steps, antivirus based on Trend Micro Titanium Antivirus, and theft recovery powered by Absolute LoJack.

“Consumers upgrading their PC for a faster experience with the SanDisk Ultra II SSD want the data migration process to be easy,” said Mike McCandless, vice president of sales and marketing, Apricorn, Inc. “We’re excited to partner with SanDisk to provide the Apricorn EZ Gig cloning software to SanDisk customers for simple data migration from slower hard disk drives. EZ Gig is available either through the new SanDisk SSD Dashboard software suite or within the SanDisk SSD Conversion kit and works with all SanDisk client SSDs.”

The SanDisk Ultra II SSD comes with a 3-year warranty and a rated MTBF of 1.75 million hours. It will be available worldwide through SanDisk’s network of authorised distributors and resellers in September, in capacities of 120GB (MSRP $79.99), 240GB (MSRP $114.99), 480GB (MSRP $219.99) and 960GB (MSRP $429.99).

Google Engineer: Android Users Do Not Need Anti-Virus Software

Is antivirus needed on mobile devices? It is a question that will get you conflicting answers depending on who you ask. Adrian Ludwig, chief engineer for Android security at Google, has stated that paid antivirus serves little purpose for Android users:

“I think … paying for a product that you will probably never actually receive protection from is not a rational reduction of risk – but people buy things for lots of reasons.”

Furthermore, he claims the bulk of the security work is done at Google’s end, by scanning and verifying apps before they are allowed onto Google Play. As a result, he claims, Android is one of the safest platforms out there and the risks are overstated:

“And in practice most people will never see a potentially harmful application from our data … [in fact] most people won’t even know someone who has ever installed a potentially harmful application. So … I believe it is an overstated risk.”

Check out more details from the interesting interview at the source link. What do you think? Do you use antivirus for Android?

Source: Sydney Morning Herald

Image courtesy of eTeknix

Hackers Use ‘The Cloud’ to Control Malware and Botnets

Security firm Trend Micro has revealed new evidence of botnets and malware not only being hosted in the cloud but also being remotely controlled from cloud servers. The attackers’ main goal is to disguise their malicious traffic as ordinary communication between corporate endpoints and cloud services.

Trend Micro described in a blog post a case where attackers used Dropbox to host the command-and-control instructions for malware and botnets, which consequently passed straight through corporate firewalls. While the technique is not new, the cloud has grown in popularity and with it the security risk. Previously, malware fetched its instructions from a command-and-control (C&C) system that the attackers hosted themselves, on servers that were comparatively easy to identify as suspicious and block.

With cloud-based systems, however, attackers can place the C&C on cloud servers and communicate with their botnets and malware as “normal traffic”, making it much harder to identify. The company emphasised that any cloud-based service can potentially be used to host C&C data. Companies that do not use a given cloud service but see traffic to it have a ready warning sign and are encouraged to investigate the activity.

However, this does not mean that every company using cloud-based solutions is now infected. Trend Micro has simply shed some light on how attackers are able to, and could try to, control implants inside corporate systems using the technique described above. A good countermeasure for security specialists is to closely monitor all traffic between endpoints and cloud services, treating anomalies and suspicious activity as threats until proven otherwise.
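Two of the anomalies worth hunting for in that traffic are hosts with no business need talking to the cloud service at all, and implants polling the service on a timer (a person saves and opens files at irregular intervals; a beacon checks in every N seconds with almost no jitter). The block below is an added example written for this article, not Trend Micro’s code: it parses constructed proxy log lines of the form `<epoch> <src> <host> <bytes>`, computes the coefficient of variation of the inter-request gaps per (source, cloud host) pair, and flags pairs that are machine-regular or come from a source outside an assumed allowlist of sanctioned Dropbox users. The log lines, the 10.0.0.x hosts and the thresholds are all assumptions.

```python
import re
import statistics
from collections import defaultdict

LOG_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<bytes>\d+)$")
CLOUD_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
ALLOWED_CLOUD_USERS = {"10.0.0.5", "10.0.0.6"}   # assumed: hosts with a sanctioned Dropbox account
MIN_REQUESTS = 10   # assumed: fewer samples than this cannot establish a rhythm
MAX_CV = 0.1        # assumed: stdev/mean of request gaps below this looks like a timer, not a person


def sample_log() -> str:
    """Constructed proxy log: one human-driven client and one 300-second beacon."""
    lines = []
    t = 1000
    for gap in (12, 340, 5, 900, 44, 13, 2000, 7, 30, 160, 55, 3):   # irregular, human-like
        t += gap
        lines.append(f"{t} 10.0.0.5 api.dropboxapi.com {2000 + gap}")
    t = 1000
    for i in range(12):                                                 # timer with +/-1 s jitter
        t += 300 + (i % 3) - 1
        lines.append(f"{t} 10.0.0.42 content.dropboxapi.com 512")
    return "\n".join(lines)


def parse(text: str):
    """Yield (ts, src, host, bytes) tuples, skipping lines that do not match the format."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield int(m["ts"]), m["src"], m["host"], int(m["bytes"])


def find_beacons(text: str, min_requests: int = MIN_REQUESTS, max_cv: float = MAX_CV) -> dict:
    """Return {(src, host): summary} for every pair that earns at least one reason."""
    times = defaultdict(list)
    for ts, src, host, _ in parse(text):
        if host in CLOUD_HOSTS:
            times[(src, host)].append(ts)

    alerts = {}
    for (src, host), stamps in times.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        reasons = []
        cv = None
        if len(stamps) >= min_requests and gaps:
            mean = statistics.mean(gaps)
            # Coefficient of variation normalises jitter by the interval, so a 5-minute
            # and a 5-second beacon are judged by the same yardstick.
            cv = statistics.pstdev(gaps) / mean if mean else 0.0
            if cv < max_cv:
                reasons.append("periodic")
        if src not in ALLOWED_CLOUD_USERS:
            reasons.append("unsanctioned-user")
        if reasons:
            alerts[(src, host)] = {"n": len(stamps), "cv": cv, "reasons": reasons}
    return alerts


if __name__ == "__main__":
    for key, summary in find_beacons(sample_log()).items():
        print(key, summary)
```

Real implants often add random sleep to defeat exactly this test, so the periodicity check is best combined with the allowlist and with payload-size regularity (a beacon that uploads the same 512 bytes every time is as telling as its timing). Because the detection runs on proxy logs, it works even though the traffic itself is TLS to a legitimate domain and would pass an ordinary firewall unchallenged.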

Thank you Network World for providing us with this information
Image courtesy of LifeHacker

Traditional Antivirus Software “Simply Don’t Work” According to Security Specialists

While the National Crime Agency did warn people about the GOZeuS and CryptoLocker malware, information from security specialists points to the fact that traditional antivirus software is not enough even to prevent simple malware, let alone the more advanced kinds.

Comodo Group’s CEO, Melih Abdulhayoglu, points out that most traditional antivirus software on the market “simply don’t work”, detecting threats such as viruses and malware only once they have already infected the system, which renders the detection moot.

“For years the antivirus industry has been promoting a flawed product to the mass market as a protection product – a huge con. As a result, there are millions of business and home users who think that they are safe online, just by running an antivirus product – this is madness! Traditional antivirus products do not and can not protect you from new malware like Cryptolocker that they can’t detect.”

Melih emphasises that the only method of keeping a system clean is containment technology. It places unknown files and executables arriving from the internet into a sandboxed environment for further analysis, so that the code cannot act on or spread within the system until it has been identified as safe. This way, Melih states, malware is detected and denied access before it can get near the system proper.

Businesses, however, are more exposed to targeted malware than home users. This is said to be because attackers are writing specific malware aimed at a single individual inside the company, whose machine then gives them a foothold into the company’s entire network.

“For businesses, the problem is Advanced Persistent Threats (APT). Criminals are writing specific tailored malware aimed at one person in a company and then stealing data via that person. It’s designed to be undetectable, or viewed as too small a problem to solve. Think of it like this: the pharmaceutical industry wouldn’t bother to spend billions on curing a disease that infects just one person, so these bad guys are hoping that the security industry doesn’t put resources into solving a problem targeted at just one individual.”

However, this does not mean everyone is doomed to have their systems infected. Egemen Tas, VP of Engineering at Comodo, emphasises that a combination of strong, trusted antivirus software and basic execution control (such as the User Account Control prompt in Windows, which many users disable, that appears whenever an unknown application or one requiring elevated privileges wants to launch) is enough to keep your system clean.

“In order to stay protected from GOZeuS and CryptoLocker, users should follow cyber-hygiene best practices,” said Egemen Tas, VP of Engineering at Comodo. “It’s not as complicated as you may think. You should use a certified and proven antivirus product, always installing the latest version and applying updates. Additionally, you should go beyond traditional security prevention by utilizing a HIPS (host-based intrusion prevention system) product, and applying some basic application execution control to prevent these types of malware from taking over your system.”

Also, since malware frequently arrives by email, Egemen states that a good preventive practice is “not opening attachments from unsolicited emails”: if an unexpected email with a strange attachment arrives from an unknown person, or even from a friend, it is better to delete it than risk opening it.

UK’s National Crime Agency Gives Two-Weeks Notice Regarding GoZeuS and CryptoLocker

The UK National Crime Agency is warning the public to take advantage of a two-week window to protect themselves from two major pieces of malware roaming the internet, GoZeuS and CryptoLocker, which are responsible respectively for transferring cash out of online accounts and for holding personal data to ransom.

The NCA stated that the alert follows one of the largest industry and law enforcement collaborations to date, and that action led by the FBI across several countries has weakened the global network of infected computers, meaning that taking preventive steps now, before the malware’s operators recover, can greatly reduce the chance of infection.

GoZeuS, also known as P2PZeuS or Gameover ZeuS, and CryptoLocker are said to target all versions of the Windows operating system, including those running in virtual environments, on servers or as embedded versions. The agency also states that the malware is responsible for transferring hundreds of millions of pounds around the world.

Where GoZeuS cannot transfer significant amounts of money from a compromised computer, CryptoLocker is said to be deployed as a back-up plan, locking the user’s personal data and holding it to ransom, currently priced at 1 Bitcoin. The latest estimate puts the number of infected systems at 15,500 PCs in the UK alone.

Infection is said to occur by clicking fake links or attachments in emails sent from the accounts of contacts who have already been infected. The NCA recommends that users always keep their software up to date and check their computers for infection using antivirus software.

Thank you TheNextWeb for providing us with this information
Image courtesy of TheNextWeb