White Hat Hacker Tweaks Dridex Malware to Distribute Antivirus Software

The Dridex banking malware has been a huge headache for a large part of the financial and technology industries, but it seems there’s a white knight out there looking to turn the tables on this pesky infection. After a mysterious hijacking of the virus distribution servers, they’ve now started dealing out legitimate installers for Avira Free Antivirus, thus helping to remove the infection from systems and hopefully clearing up a few other issues along the way. The bonus being that anyone stupid enough to fall for the infection in the first place could technically come out cleaner on the other side.

The malware is most often spread through spam messages and malicious Word documents. Being one of the three most widely used trojans in the world, the malware targets online banking users and steals information before feeding it back to a server where it can be used to take money, as well as other information from your accounts. Agencies in the UK and US managed to disrupt the botnet last year, even going as far as indicting a man in Moldova who they believe was responsible for the attacks, but it did little, if anything, in the long run to prevent the botnet from distributing the software.

Researchers at Avira recently noticed that the Dridex distribution servers began pushing an up-to-date Avira web installer instead of the trojan, which is obviously a great step in combating the problem, although how long this will last remains to be seen.

“We still don’t know exactly who is doing this with our installer and why, but we have some theories,” said Moritz Kroll, a malware expert at Avira, via email. “This is certainly not something we are doing ourselves.”

The only theory that makes sense so far is that a white hat hacker has hijacked their servers and tried to turn the tables.

“I really think it is a hacker who has discovered how to do a good thing but perhaps with not strictly legal methods,” Kroll said. “If you think about it, there was a huge media announcement when Dridex was ‘taken down’ by the government authorities and a much smaller level of reporting on its return to the marketplace. That has got to be frustrating to some and might cause them to think: ‘The government tried to take it down, they could not, I can do something myself’.”

Either way, anything that slows this nasty bit of software is a good thing!

Cryptsy on Verge of Bankruptcy After $7.5m Bitcoin Theft

Popular cryptocurrency exchange Cryptsy is on the verge of bankruptcy after the startup admitted that it had fallen victim to an online heist in July 2014, during which a total of $9.58 million-worth of Bitcoins and Litecoins was stolen. The company has been left with outstanding liabilities of around 10,000BTC – approximately $4.15 million – which, if not met, could result in the business winding up.

“About a year and a half ago,” a blog post from Cryptsy reads, “we were alerted in the early AM of a reduction in our safe/cold wallet balances of Bitcoin and Litecoin, as well as a couple other smaller cryptocurrencies.”

“After a period of time of investigation it was found that the developer of Lucky7Coin had placed an IRC backdoor into the code of wallet, which allowed it to act as a sort of a Trojan, or command and control unit,” the post continues. “This Trojan had likely been there for months before it was able to collect enough information to perform the attack.”

The Trojan was able to steal around 13,000BTC ($7.5 million, based on the exchange rate at the time) and 300,000LTC ($2.08 million).

Cryptsy says that it did not disclose the theft at the time as it believed that it had enough cryptocurrencies in its reserve to make up the shortfall, supplementing that with its own profits. The site, though, has now failed to meet its outstanding liabilities. Unless Cryptsy can recover the stolen funds or can find a buyer to cover the shortfall, the company is set to declare itself insolvent.

Image courtesy of Bloomberg.

PageFair Breach Infects Windows PCs with Trojan Flash Installers

PageFair, a service designed to “help websites survive the rise of adblock”, has been compromised, causing websites using its software to spread malicious Trojan Flash installers to the PCs of visiting users. The company, which believes that “the rise of adblocking is now leading to the death of quality free websites”, admitted in a blog post that its Content Distribution Network (CDN) services account, used to serve its analytics JavaScript tag, had been compromised by hackers. The CDN was modified to distribute a Trojan botnet in the form of a fake Adobe Flash update for Windows.

Sean Blanchfield, CEO of PageFair, revealed in a blog post that the attack took place on 31st October, was seemingly designed to target PageFair specifically, and lasted for just over 80 minutes.

“For 83 minutes last night,” the post reads, “the PageFair analytics service was compromised by hackers, who succeeded in getting malicious javascript to execute on websites via our service, which prompted some visitors to these websites to download an executable file. I am very sorry that this occurred and would like to assure you that it is no longer happening.”

While PageFair is taking its share of responsibility for the attack, Ben Hartnett, VP of EMEA at security firm RiskIQ, thinks that it merely demonstrates how sophisticated hackers are becoming.

“We all know that hackers are getting smarter about how they distribute malware. The latest attack on PageFair shows how hackers are now actively targeting third-party components in a bid to reach a much larger number of victims,” Hartnett told The Inquirer. “By compromising PageFair’s analytics service, hackers were able to distribute malicious code to visitors of any website using this service. With organisations increasingly relying on their online presence to engage with customers, this style of attack is only going to increase, especially with organisations adopting more third party components to stay ahead of the competition.”

Ransomware Locks Your Android Phone Pin And Asks For Cash

Ransomware is, for hackers, akin to the booming stock market of yesteryear: the notion of locking an individual’s infected device is a powerful reality for today’s connected gadgets. As such it can be no surprise that a new technique has surfaced: a free app on third-party app stores which changes the device’s locking PIN and then asks for $500 as a kind of “screw you” Post-it.

Technique of this ransomware

Let’s take a look at the details; it may take a while so make yourself comfortable. Security firm ESET detects this threat as Android/Lockerpin.A. Users have no effective way of regaining access to their device without root privileges or without some other form of security management solution installed, apart from a factory reset, but this would delete all data as a consequence.

After successful installation, this type of malware attempts to obtain Device Administrator privileges by tricking the user: it overlays the activation window with the Trojan’s own malicious window, which pretends to be an “Update patch installation”. As the user clicks through this innocuous-looking installation they also unknowingly activate the Device Administrator privileges in the hidden underlying window.

This is lethal: the moment you click “continue” within the installation activation window, your device has fallen victim. The Trojan app has now obtained Administrator rights and has silently locked your device by setting a new PIN for the lock screen. Not long after this has happened, the user is prompted to pay a $500 ransom for allegedly viewing and harbouring forbidden pornographic material; below is a screenshot of this warning notice.

The device is then locked after the warning screen is displayed within the standard Android lock screen. The new PIN is generated randomly and not sent to the attacker. The only practical way to unlock is to reset to factory defaults.

Lockerpin’s self-defence mechanism, part 2

Not only does this type of ransomware acquire Device Admin privileges, it also stops users from deactivating Device Admin for the malware: they will fail because the Trojan has registered a call-back function to reactivate the privileges when removal is attempted.

There’s more: this locker also attempts to kill running AV processes when the user tries to deactivate its Device Admin rights. The Trojan tries to protect itself from three mobile anti-virus applications, ESET, Avast and Dr Web, as well as from com.android.settings, which prevents standard uninstallation through the application manager.

ESET states that its own self-protection mechanisms will prevent the malware from removing this vendor’s AV software.

Distribution of this malware

This ransomware pretends to be an app for viewing adult/porn videos. In all cases, the application calls itself “Porn Droid”, giggity. 75% of infected devices so far have been in the US; this is because malware coders are targeting US citizens with the aim of collecting bigger payouts.

Unlocking the device

The only way to unlock your device without a factory reset is to root your device; the user can then connect to the device by ADB and remove the file where the PIN is stored. For this to work, the device needs to have debugging enabled (Settings -> Developer options -> USB Debugging), otherwise it’s not possible, before using the commands:

> adb shell
> su
> rm /data/system/password.key

The only crumb of comfort is that you cannot download this malicious app from the official Google Play Store. ESET recommends keeping your mobile AV software up to date if you have one. If not, be careful what you download: stick to official routes and be cautious of unknown and suspicious apps which purport to be too good to be true. Back up any sensitive data and always update legitimate software; tech is becoming more advanced and so are the attackers.

Thank you ESET for providing us with this information.

Image courtesy of xperiaseries

95% of Android Devices Vulnerable to Dangerous Exploit

Researchers from cybersecurity firm Zimperium have discovered a vulnerability within Android that allows hackers to access and control a device remotely, with 95% of smartphones and tablets running the operating system (between versions 2.2 and 5.1) thought to be at risk.

The fault, branded Stagefright, is within Android’s media library. All it takes to exploit is a fraudulent MMS message that, once received and the media is downloaded, can give hackers full control over an Android device, without the owner’s knowledge. Zimperium intends to present its findings at the Black Hat 2015 and Def Con security conferences, both in August.

“These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” Zuk Avraham, Zimperium’s Chief Technology Officer, said. “Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.”

Though Google has applied patches through its Android Open Source Project, Zimperium still implores Android device owners to check for software updates regularly, and contact their phone carrier if they think that the appropriate update has not been made available to them.

Google has thanked Zimperium for its findings and assured customers that it is proactively fighting to tackle such exploitations of its software:

“The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device. Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device.”

Thank you The Trigger for providing us with this information.

VLC Developer: Sourceforge Has Been Pushing “Crapware” Since 2012

Fans of software repository Sourceforge were aghast to discover that the site was hijacking orphaned pages and turning legitimate software into Trojans by bundling it with malware, the highest-profile victims being GIMP and Nmap. But now a member of the development team responsible for popular media player VLC has revealed that Sourceforge has been engaging in such shady practices since as early as 2012.

On his personal blog, Ludovic Fauvet has recounted the story of VLC’s rocky relationship with Sourceforge. While Sourceforge didn’t modify the VLC installer in any way, as it did with GIMP and Nmap, it did host scam ads for fraudulent versions of the legitimate software it hosted, including VLC.

Fauvet says:

“[I]n 2012 Geeknet [parent company of Sourceforge] started to add more banners to their pages and did not bother filtering ads that were obvious scam, misleading users to click on these fake “downloads” buttons. Some if not all of these advertisers were distributing VLC bundled with crapware (as we like to call them).”

“We alerted SF.net quite a few time [sic] asking them to be more careful about these ads and they acted like they were willing to help us, telling they’ll look into it, month after month. But nothing really changed on this side, they removed few ads but they came back eventually. In consequence they also offered to share some revenues with us. They gave few thousands dollars every couple of month [sic] to the non-profit (which was welcome since we’re all volunteers) but we were still unhappy because a lot of VLC users were still impacted by these misleading ads.”

“Then came Dice Holdings who bought most of the online media business of Geeknet (including Sourceforge) in September 2012. Soon after, our previous contact at SF.net left the boat, leaving us without any way to reach the new team for quite some time.”

“The situation worsened again, we received literally dozens of emails each week from angry users complaining about some bundled software and toolbars that were added to the installer. Sourceforge did not (yet) modify our installer in any way, instead our users were clicking on some of these misleading ads. I remember counting more than seven “download” button on our SF.net page!”

The fraudulent ads for VLC forced the developers to move away from Sourceforge:

“We couldn’t continue to operate this way so in April 2013 I started working on a new way to distribute VLC. We rented few servers, contacted some mirrors and everything was ready a couple of weeks later. We were finally able to pull the plug from the Sourceforge website.”

“The situation improved drastically for us past this change, no more complaints about misleading ads or user being tricked into downloading bundled crapware. But this was also the starting point of Sourceforge being SNAFU. One possible explanation could be that they lost their biggest project which was making a significant portion of their revenues since VLC was the most downloaded software on Sourceforge at the time. Interestingly enough, the Gimp project took the same decision few months later, aggravating the Sourceforge situation.”

It’s official: Sourceforge is for losers. Let the mass exodus begin!

Sourceforge Hijacks GIMP and Nmap with Trojans

Sourceforge has been found to be hijacking orphaned open source projects and adding malware to their repositories. Notable victims of this practice are the popular GIMP and Nmap accounts, which are being used to distribute third-party “bundle-ware” installers. GIMP fell victim to this scheme last week, and now Nmap has been “adopted” by Sourceforge, as Gordon “Fyodor” Lyon, creator of Nmap, reports:

Hi Folks! You may have already read the recent news about Sourceforge.net hijacking the GIMP project account to distribute adware/malware. Previously GIMP used this Sourceforge account to distribute their Windows installer, but they quit after Sourceforge started tricking users with fake download buttons which led to malware rather than GIMP. Then Sourceforge took over GIMP’s account and began distributing a trojan installer which tries to trick users into installing various malware and adware before actually installing GIMP. Of course this goes directly against Sourceforge’s promise less than two years ago:

“we want to reassure you that we will NEVER bundle offers with any project without the developers consent”

So much for that promise! Anyway, the bad news is that Sourceforge has also hijacked the Nmap account from me. The old Nmap project page is now blank:

Fyodor asks Sourceforge to remove the hijacked Nmap page, and reminds users to only download Nmap from the official SSL Nmap website.

Sourceforge later responded to the controversy, issuing the following statement:

“In an effort to address a number of concerns we have been hearing from the media and community at large, we at SourceForge would like to note that we have stopped presenting third party offers for unmaintained SourceForge projects.”

Thank you Ars Technica and Seclists.org for providing us with this information.

Image courtesy of CyberKendra.

New Rootkit Uses Your Graphics Card as Blind Spot

Viruses, Trojans and malware all have one thing in common: they try to stay hidden and move around so they won’t be detected before the job is done and the user discovers the unwanted piece of software. As anti-virus tools become better, researchers are looking for new areas where unwanted code can hide – and they found one.

The development team JellyFish released a new Linux rootkit demonstrating the Trojan’s invasion capabilities, going through the GPU to gain full control of your entire system.

Most security software available now will only scan your physical media and your memory, not your video memory. This already makes it the perfect spot to hide code. The general development and power that graphics cards hold these days is another advantage that malicious coders can take advantage of. GPUs are pretty much the most powerful part of any system and can perform their actions in a fraction of the time that your CPU would need.

Using these techniques, the Linux rootkit is able to get the highest management authority over the entire computer. After successfully obtaining privileges, an attacker can basically do whatever he wants; stealing personal information and data is the most obvious.

Windows and Mac OS X users shouldn’t feel secure either as a version for both systems is in development. The Windows tool currently only supports NVIDIA graphics cards and the machine must have CUDA tools and the appropriate drivers. The Linux Rootkit supports both AMD and NVIDIA cards but does require OpenCL drivers to be installed.

Mac OS X users might be the easiest target as the version will support both AMD and NVIDIA graphics cards and Mac OS X has OpenCL drivers enabled by default.

The good news on all of this is that it is a proof of concept and doesn’t do anything ‘bad’ as it is. The developers are also working on a JellyScan tool to detect and deal with threats of this kind.

Anonymous Accused of Running Botnet With Thousands of Hacked Home Routers

Haven’t yet changed your router username and password from “admin/admin”? If so, then your router could be part of a massive botnet, possibly run by members of Anonymous, according to cybersecurity experts Incapsula.

The network of hacked routers discovered by Incapsula is mostly located in the US, Brazil, and Thailand – but could affect any router in the world – and was infected by a number of different malware builds that built a botnet responsible for multiple DDoS attacks during December 2014.

Incapsula found that a great number of the hijacked routers were reporting back to AnonOps.com, a site owned and visited by Anonymous activists, “indicating that Anonymous is one of the groups responsible for exploiting these under-protected devices,” according to the report.

The affected “units are remotely accessible via HTTP and SSH on their default ports,” the report continues. “On top of that, nearly all are configured with vendor-provided default login credentials.”

“For perpetrators, this is like shooting fish in a barrel, which makes each of the scans that much more effective. Using this botnet also enables perpetrators to execute distributed scans, improving their chances against commonplace blacklisting, rate-limiting and reputation-based defense mechanisms.”

The botnet, similar to the one used by Lizard Squad for bespoke DDoS attacks since Christmas, used the MrBrick Trojan to insert as-yet-unidentified malware into the affected routers.

The full Incapsula report can be read below:

Thank you The Daily Dot for providing us with this information.

Xtube Infecting Visitors With Malware

Adult site Xtube, rated in the top 800 sites in the United States, has been compromised and is infecting users with malware, warns Malwarebytes Labs. Visitors to the site can be redirected to the Neutrino Exploit Kit, exploiting a Flash vulnerability (because of course it does), to deliver the Trojan.MSIL.ED malware.

Malwarebytes says that Xtube has been made aware of the problem, but is yet to isolate the cause.

“Contrary to a malvertising issue where the problem is external, XTube admins need to look at their own server to identify the issue,” Jerome Segura, Senior Security Researcher at Malwarebytes, said. “Based on what we saw, this [is] a dynamic infection that injects [a] malicious iFrame ‘on-demand.’ In other words this is not hardcoded in the page’s source code, but added on the fly.”

The community section of the website is particularly affected, according to Segura, but he adds that other pages on the site are infected too. “We have seen server-side infections before that exhibit this type of behavior and they require a thorough review of the entire system and its logs,” Segura said.

Source: SC Magazine

Same Tech Used in Lenovo Superfish Software found in Twelve Other Apps

The SSL-busting technology recently discovered to be pre-installed on Lenovo laptops has been found as part of another 12 pieces of software, including Trojan malware. The HTTPS-bypassing code, developed by Israeli company Komodia, was a part of the now-infamous Superfish software found on-board Lenovo laptops.

Matt Richard, threat researcher for the Facebook security team, revealed the extent of the code’s reach in a post on Friday, writing, “What all these applications have in common is that they make people less secure through their use of an easily obtained root CA [certificate authority], they provide little information about the risks of the technology, and in some cases they are difficult to remove.”

He continued,  “Furthermore, it is likely that these intercepting SSL proxies won’t keep up with the HTTPS features in browsers (e.g., certificate pinning and forward secrecy), meaning they could potentially expose private data to network attackers. Some of these deficiencies can be detected by antivirus products as malware or adware, though from our research, detection successes are sporadic.”

Even the developer Komodia calls one of its SDKs an “SSL hijacker”, so it’s no surprise that the code has found its way into malicious software. The malware, Trojan.Nurjax, was first discovered back in December. According to Symantec, the malware “hijacks the Web browser on the compromised computer and may download additional threats.”

Lenovo has apologised for inflicting the HTTPS-breaking code upon its customers and has released a program to aid removal of the Superfish software.

Source: Ars Technica

Trojan Posing as Infamous Movie The Interview Attacks Android Phones

Malware, under the guise of notorious Seth Rogen comedy The Interview, has been attacking Android smartphones in India. The Computer Emergency Response Team of India (CERT-In) first detected the Trojan, proliferated via a link offering a supposed download of The Interview. The virus is designed to compromise any banking apps installed on the phone in order to access the users’ accounts.

The CERT-In blog reads:

“Once installed (the virus), the application will display an icon using imagery from the poster of the movie The Interview. When the Trojan is being installed, it requests permissions to perform either open network connections, write to external storage devices or install application packages.

When the app (application) is installed, it claims to allow users to watch the movie The Interview for free but instead installs a two-stage banking Trojan onto infected devices.”

The hope is that, now that the cybersecurity community has detected and catalogued the Trojan, it will not be allowed to spread beyond the Indian locale.

Source: DNA

Facebook Falling Prey to Porn-Based Malware

‘Don’t click on Facebook porn links’ is, generally, a good rule to live by, but it is doubly true right now: porn-based malware is spreading across the social network, infecting over 110,000 in just two days.

The malware is disguised as a YouTube video, but one that supposedly requires a Flash update (a giveaway in itself since, in the last few days, YouTube dumped Flash in favour of HTML5). Clicking on the link to download the Flash update will install a Trojan on your system that can override your keyboard and mouse, and then proliferate the malicious link on your Facebook profile.

Facebook has issued the following statement on the matter:

We use a number of automated systems to identify potentially harmful links and stop them from spreading. In this case, we’re aware of these malware varieties, which are typically hosted as browser extensions and distributed using links on social media sites. We are blocking links to these scams, offering cleanup options, and pursuing additional measures to ensure that people continue to have a safe experience on Facebook.

Source: Gizmodo

Symantec Uncovers Tricky ‘Regin’ Malware

Anti-virus company Symantec has identified a serious malware threat named ‘Regin’. PC World says that this nasty piece of work was likely developed by a nation state and used by these criminals to spy on governments, infrastructure operators, businesses, researchers and individuals as far back as 2008.

Symantec released a statement on Sunday alongside a technical paper about the malware. Regin is said to span 10 countries, including Russia, Saudi Arabia, Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria and Pakistan, and Symantec had the following to say: “Regin displays a degree of technical competence rarely seen”. It’s interesting to note that England, Australia and the USA are not included on this list.

Worried for your own safety? You probably shouldn’t be. Up until this news was uncovered and spread across the globe, you hadn’t been affected by it personally, so why would you be now? We’re not trying to partake in any ‘big news’ fear mongering, don’t worry. However, if you’re the president of one of the countries listed above, then maybe you should take a knee and listen. A very select target audience, I know.

It’s reported that the first incarnation of Regin was used to spy on multiple organizations from 2008 to 2011, seeing it withdrawn and re-injected late into 2013. Symantec also claim that nearly half of the systems with Regin installed have been identified to involve private individuals and small businesses.

Symantec claims that Regin is a back-door Trojan that is “customizable with an extensive range of capabilities depending on the target” and that “it provides its controllers with a powerful framework for mass surveillance,” adding that “its authors have gone to great lengths to cover its tracks.”

We’ll continue to report as the story develops.

Image courtesy of Techtimes

JPMorgan Customers Target in Huge Phishing Campaign

JPMorgan, the No. 1 U.S. bank by assets, has confirmed that spammers have launched a phishing campaign targeting its customers. The spam campaign, dubbed Smash and Grab, was launched on Tuesday by an unknown group. It does, however, bear the hallmarks of Eastern European cybercrime gangs, and most of the infrastructure used in the campaign is located in Russia and Ukraine.

“It looks like they sent it out to lots of people in hopes that some of them might be JPMorgan Chase customers,” said bank spokeswoman Trish Wexler.

Most of the spam was stopped by filters put in place by the large providers, but some will always manage to get through. The phishing mail looks very realistic, as it uses parts of original emails to fake it. The attack is somewhat unusual in that it doesn’t just try to grab the credentials of unwitting users; it also tries to infect their PCs with malware at the same time.

Users who click on the included malicious link are asked to enter credentials for accessing accounts with JPMorgan. Even if they do not comply with this request, the site attempts to automatically install the Dyre banking Trojan on their PCs, according to Proofpoint. Dyre is a recently discovered piece of malware that seeks credentials from customers of Bank of America Corp, Citigroup Inc and the Royal Bank of Scotland Group Plc.

Proofpoint saw about 150,000 emails from the group on Tuesday, the first day it noticed the campaign among its customers in the Fortune 500 and higher education. That makes it a moderately large campaign, but the largest attempts involve sending more than 1 million pieces of spam over a few days to Proofpoint clients, said Proofpoint’s VP of Threat Research Mike Horn.

The firm manages over 100 million email accounts. Horn said that Proofpoint quickly identified the spam and was able to stop it from infecting its customers, but was not sure how effective it was at infecting others.

Thank you Reuters for providing us with this information.

Image courtesy of Reuters.

Ransomware Threat Awareness Rising Among IT Security Experts

Almost half of IT security staff know at least one company that has been hit by ransomware attacks, designed to lock victims out of critical files until a monetary ransom is provided.

It’s a frightening threat, and apprehension about ransomware is growing, with more security experts aware of the potential problem. However, it remains difficult to educate employees on methods to detect fraudulent emails and to train them to delete those types of emails.

Here is what Stu Sjouwerman, KnowBe4 CEO, said in a press statement:

“We thought it would be interesting to use the same questions to see what impact ransomware has had in six months time. We found the threat of ransomware is very real and IT professionals are increasingly realizing traditional solutions like endpoint security are failing. IT pros agree that end-user Security Awareness Training is one of the most effective security practices to combat these ransomware threats.”

Most ransomware requires victims to either pay the ransom or try to restore files from a backup – but with many users, especially at small and midsize businesses, lacking reliable IT resources, it can be many months before a proper data backup is done.

In the survey, 57 percent of respondents said that if their backups fail, they’d have no other option but to pay the ransom. If that wasn’t bad enough, 50-66 percent of backups fail, while data stored in the cloud is lost.

Thank you to KnowBe4 for providing us with this information

New Malware Is Reported To Be Affecting World Of Warcraft Gamers

World of Warcraft gamers and other MMORPG players are subject to hacks and exploits that attempt to steal their user names and passwords, after which the hackers will either rob the character of all their gold, or maybe even sell it off. For those of you out there who are still playing World of Warcraft, Blizzard has recently identified a new malware that poses as a client for a popular World of Warcraft add-on site.

It has been classified as a trojan horse, and it looks and functions exactly like the Curse Client, which gamers use to download World of Warcraft add-ons and tweaks. Furthermore, when searching for “curse client”, a listing for the fake website appears that looks exactly like the official one, so anyone who wasn’t paying attention may have inadvertently downloaded the malware onto their computer.

Blizzard suggests that anyone who has downloaded the fake client delete it and scan their computer with a program such as Malwarebytes to ensure that no traces of it remain. Blizzard has also provided instructions for those who may have been infected. Either way, Blizzard advises those downloading the Curse Client for the first time to double check the URL and make sure the download comes from the official site.

Thank you to Ubergizmo for providing us with this information.

Ransomware: The Good, the Bad, and the Ugly

There are some sick people out there, people who try to take advantage of poor souls who do not know and understand computers. Today I happened upon a friend’s computer that had this strange image posted up on his screen. Once you start up the computer you are unable to access Task Manager or exit out of the program. Essentially the computer is locked down tight, and this particular virus can infect your entire network.

What is it, you might ask? Or perhaps you already know. The warning is not real; it is fake, produced by a type of malware called ransomware. Ransomware first showed up in 1989, when it demanded that victims send $189 to a P.O. box in Panama. Today ransomware has you pay with a non-traceable MoneyPak card.

NBC Washington recently reported that ransomware has done some good, tricking Jay Matthew Riley, 21, of Woodbridge, Virginia, a collector of child abuse images from the United States, into turning himself in. Ransomware tells the user that their computer has been used for illegal activities and that they can pay a nominal fee to make it all go away. Riley hauled his computer down to a local police department and turned himself in. Police then looked over his computer and found images of underage girls, which warranted a search of his home. Police found several devices containing more illegal images. Riley is currently being held without bail.

So if you see this image, or one like it, pop up on your computer, check Microsoft’s official website for tips on how to protect yourself and how to remove this nasty software. But if you are an online law breaker, make sure you grab your computer and take it down to the local police department and save us all the trouble.

Thousands Of Computers Attacked By Malwarebytes Monday

Do you use Malwarebytes? If so, you are among millions of customers of the anti-malware software vendor. Many of us monitor and repair our own computers, and we rely on well-known companies to keep our computers safe and secure. Unfortunately, every once in a while there is a glitch that causes major problems for our computers, such as when Malwarebytes released an update that made our computers think that Windows was attacking Windows! Even though you might think the Windows operating system is a virus, or acts like one from time to time, we don’t want Malwarebytes, or any other software for that matter, to delete our Windows installation. The update did just that.

On April 15 at approximately 3 P.M. (PDT) Malwarebytes pushed an update that disabled thousands of computers within just a few minutes. Though the issue was caught in the first few minutes of the release, the damage had already been done. A simple definitions update for Malwarebytes turned into a fatal application for your computer, quarantining .exe and .dll files alike because it flagged nearly every file on the computer as a virus. Malwarebytes acted swiftly to disable the update and remove it from their servers, but the damage was already done. They have apologised for the mistake and taken the blame.

“I want to offer my sincere apology to our millions of customers and free users. I started this company because I thought everyone was entitled to malware-free computing. We acted overzealously in that mission and realize far superior procedures around updating are needed. More was expected of us, and we failed,” CEO Marcin Kleczynski posted on the official Malwarebytes forum.

Thousands of computers being affected by a single definitions release is really devastating; we can only hope that Malwarebytes will test its updates more thoroughly in the future. Of course, we understand how they may have missed this issue while trying to be the best anti-malware software out there by having the most current, up-to-date definitions available.

If you have been affected by the update, and you have not been able to fix your computer just yet, you can find repair information, and a tool HERE.

How do you keep your computer safe and secure? Do you use a combination of Malwarebytes and an anti-virus product? Let us know in the comments below.