Homeland Security & Trend Micro Recommend Uninstalling QuickTime Now

When it comes to software that you may not have heard of, or even used recently, QuickTime comes to mind. Once a popular video player, it seems to have faded from both our minds and Apple’s. That neglect has led Trend Micro and the Department of Homeland Security to recommend that if you have QuickTime installed on your Windows PC, you uninstall it for your own safety.

The warnings from both Trend Micro and the Department of Homeland Security come after Trend Micro discovered two new critical vulnerabilities in the software that could be used by remote attackers to gain control of your system. While there aren’t any active attacks targeting these flaws yet, both groups recommend uninstalling the software from your Windows system, as Apple will no longer release security updates for QuickTime on Windows, so the flaws will never be patched.

The options seem pretty clear-cut: uninstall some software, or risk being exposed to a threat that will never get fixed. While QuickTime on Macs is unaffected, Windows users should look to one of the alternative players available if they want to keep watching media content on their PC.

For information on how to uninstall QuickTime, you can visit Apple’s support page here.

HIV May Not Be Stopped By Gene Editing

We are often taught that in order to solve a problem we should break it down into its simplest parts and then deal with each part on its own. Some scientists have taken this to heart and begun looking at gene editing techniques to stop HIV, something that, it turns out, may not be stopped by gene editing after all.

If you removed the qualities and characteristics that make HIV harmful, you’d be left with a harmless virus. Using CRISPR, a technique that allows you to cut up DNA and that has been used to modify countless other types of cells, a group tried to pursue this course of action, only to discover that the results were less than appealing.

After the CRISPR cuts, the virus not only survived but began to mutate, with the host cells actually helping repair the cuts to the DNA by inserting DNA bases, creating a mutated version that even the immune system wouldn’t detect. These findings could lead to a mixed technique, with anti-HIV drugs being deployed alongside a series of cuts (more is better in this case), to help slow down and understand the HIV virus, maybe even leading to a cure in the future.

As with all things in science, progress comes one step at a time, and with the knowledge gained from past attempts, even the smallest setback in developing a cure could be what finally helps create a cure for the HIV virus.

Petya – The Ransomware That Deletes Your Master Boot Record

Ransomware is getting nastier and nastier. Initially just an attempt to turn malicious software (malware) into something financially rewarding, ransomware works by encrypting your files and demanding that you pay (normally in bitcoins) for the keys required to decrypt them. The latest one makes it even harder to recover by overwriting the master boot record on infected computers.

Named Petya, the new ransomware overwrites the master boot record of affected PCs, meaning that the next time your computer is turned on it doesn’t even know where to find the operating system, let alone load it. Trend Micro report that the malware arrives in emails posing as job applications, with a link to a Dropbox folder. Within the folder is a self-extracting archive, supposedly the applicant’s CV and photo; once extracted, the ransomware is installed.

The system is then tricked into a critical error, resulting in everyone’s favourite blue screen of death. During the reboot, the false master boot record (MBR) put in place by Petya encrypts the master file table, the record of every file on your system, its location and how to get to it. By encrypting this table, the malware doesn’t need to go near the actual files, as any operating system will be unable to find them. Encrypting one structure instead of hundreds of files takes far less time, meaning that people are often left with no choice but to pay the 0.99BTC (£296 roughly) fee that is demanded.

With ransomware getting even more aggressive in its tactics, it’s all the more important to check emails carefully before opening them and to keep your anti-virus and anti-malware software up to date.

USB Thief Infects ‘Air-gapped’ Computers And Leaves No Trace

Malware (short for malicious software) is a type of program intended to cause harm to a system, be it in the form of ransomware, like that which has hit several hospitals in the US, or just your generic pop-up-creating malware. A new malware named USB Thief looks to break the chain of common threats by hiding itself and infecting systems even when they aren’t connected to the internet.

The internet is a wonderful thing, but the problem with everyone being able to share and talk to one another is that sending something nasty is as easy as clicking a button (or in some cases, the software even does this for you). USB Thief avoids the internet entirely by living on USB sticks, the very same ones you use to move information between your computer and those of your parents or friends.

The software hides by only executing under a specific set of conditions, namely when a key derived from the original USB drive it was built for checks out. Even when it does spread, it uses a unique key created from the ID of the USB stick and the time, meaning that traditional attempts to copy the malware off the drive and analyse it fail as soon as unknown hardware is in the mix.

Not only does this mean it won’t always execute, breaking the common rule that repeated behaviour is traceable behaviour, but it also leaves no evidence on the infected computer, meaning your data could be stolen and you wouldn’t even know it. USB Thief lives up to the second part of its name: at the moment it only works to steal data, but Tomáš Gardoň, a malware analyst with antivirus provider ESET, says that “it would not be difficult to redesign the malware to change from a data-stealing payload to any other malicious payload”.

By avoiding the internet and focusing on the more traditional method of using USB drives, the malware is able to infect systems in a manner similar to how Stuxnet worked, enabling it to infect ‘air-gapped’ systems (those which aren’t connected to the internet). With the USB lock in place, only the original USB drive created by its designers can infect systems, meaning that if you didn’t create the original you won’t be able to use it.

If that wasn’t enough, USB Thief’s developers seem to have done their homework, as it only runs as part of the command chain of portable versions of legitimate applications like Notepad++ and Firefox. If you’re running Kaspersky Lab or G Data, though, you should be okay, as the malware won’t install itself on your system, a feature that was no doubt down to results from some initial testing.

Malware Could Be Using Legitimate Signature Certificates

When it comes to installing software on your computer, we often have to take it on faith that the software is safe to use. As an extra precaution, companies can sign their software with “certificates”, digital signatures that show that a trusted company created it. A group known for creating malware may have found a way around this system, though, as some of their nasty programs are being signed with legitimate certificates.

By using legitimate signing certificates, the software is trusted by your computer and installed without further hassle; the problem is that the software is less than safe and, in fact, is just malware (malicious software). According to Symantec, the group known as Suckfly has used no fewer than nine different signing certificates from nine different companies since 2014.

Categorising the malware it found into groups, Symantec reported that 11 of the identified tools could be used to backdoor your system. Others could be used to log and harvest your information, and some even inspected your network traffic and ran port scans to find out what could be used to access your system.

With so many certificates being stolen and used for signing malware, and this becoming common practice amongst malware creators, could we see the need for another way of checking that software is legitimate if these techniques are so easily bypassed?


“Cyber Pathogen” Claims On Locked iPhone Made Up

The debate of privacy vs security is one that has lasted for hundreds of years, if not longer. Many people argue that while security is important, if it is pursued without checks, as with the PRISM program, then our privacy means nothing to those who could abuse the system. Currently, Apple is debating this very matter with the FBI in Congress, and it seems that one of the people who came out in support of the FBI may have been using tall tales to back up his argument.

We’ve reported on the claims of Michael Ramos (a San Bernardino County District Attorney) that Apple must unlock the iPhone involved in the current case. He argued that the phone, which had been issued to a county employee, had access to San Bernardino’s infrastructure and could hold a “dormant cyber pathogen” that would be used to perform a terrorist attack on that infrastructure.

These claims were met with skepticism, and some people even said it was like saying you might find a “magic unicorn” on the iPhone. It now seems that even Ramos can’t stand behind them, as he has told the Associated Press that he has no proof or knowledge that the phone could be used in that way.

In his response he states:

“This was a county employee that murdered 14 people and injured 22. Did he use the county’s infrastructure? Did he hack into that infrastructure? I don’t know. In order for me to really put that issue to rest, there is one piece of evidence that would absolutely let us know that, and that would be the iPhone.”

Jonathan Zdziarski commented on his personal blog about this response, talking about the original comments by explaining that “Ramos’s statements are not only misleading to the court, but amount to blatant fear mongering”.

It would seem that his original claims were just that, fear mongering, in the hope of drumming up support for a personal point of view. The move seems to have backfired, offering only more fuel to the pro-encryption camp backing Apple and their argument that people who actually understand cyber-security should be making the decision.

Illumina – The Google of DNA

We have all used Google and other search engines to find everything from that news article we told our friends about the other day to the cute cat video that we just can’t stop watching. We use search engines because they let us find and pick up things more easily, so why not use something similar for our genetic sequences?

San Diego-based biotech company Illumina builds sequencing machines for just that. Illumina’s DNA sequencers have so far generated as much as 90% of all DNA sequence data to date. That doesn’t mean they plan to stop, though, as they are about to move into a new venture with another company, Grail, that focuses on liquid cancer biopsies. With less than a hundredth of the world’s population having had their genetic sequence mapped, the idea is that by increasing the coverage and detail of these scans we can detect, pick up and analyse illnesses and irregularities in our very building blocks.

Eric Endicott, the director of global relations at Illumina, stated that “we are at a tipping point in genomics, where a broad community of scientists and researchers continue to translate the potential of the genome from science to discoveries and applications”.

Would you want a map of your genome done? From the looks of it, Illumina is keen to go from theory to practice by letting everyone get their genetic sequences mapped, even letting companies use it in the field to help detect illnesses and high-risk patients before they are struck by the symptoms.

Hospital Pays Bitcoin Ransom to Fix Ransomware

Viruses and malware are a problem for the best of us; from forgetting to scan your computer once to being baited by that interesting link in an email, there are many ways for your system to get infected. Ransomware is one of the nastier pieces of malware, denying you access to your system until you pay the creator of the virus. While the FBI recommend you pay up, does this still apply when you are a hospital?

Earlier in the week, we reported that hackers had hit a Hollywood hospital with ransomware. Hollywood Presbyterian Memorial Medical Center was hit with an initial demand for 9000 bitcoins, close to 3.5 million dollars, for the key required to unlock their systems. While it may not have been the 9000 bitcoins, the hospital has now announced that it paid 40 bitcoins to unlock the system.

President and CEO Allen Stefanek claims that the initial price tag of $3.6 million was false and that paying this fee was the “quickest and most efficient way to restore our systems and administrative functions”.

Even with backups and anti-virus software, there will always be some viruses that are able to get into systems, and with ransomware proving so profitable for its creators, we don’t expect this to be the last time we see it hitting public services.

MazerBOT Targets Android Phones – Unless They’re In Russia

Malware, or malicious software, includes everything from pop-up ads to tools that open the door for full-scale hacks of companies. Taking a trip to the malware museum shows you how far things have come, and software like Dridex shows that malware can threaten not only banking systems but also your everyday smartphone. The latest malware on the Net is called MazarBOT and has a unique feature: it won’t install itself if you are in Russia.

MazarBOT has been seen advertised on certain forums for a few months now but was never actually seen in use, until now. MazarBOT is a nasty piece of software that takes control of your Android phone, with a specific focus on people who use their phone for online banking. Peter Kruse, IT security expert and founder of CSIS Security Group, did a deep investigation into the problem and uncovered more about this malware.

The software has started to spread by sending a “swarm” of SMS messages to random phone numbers in Denmark, each containing a link to an Android package file whose contents are none other than MazarBOT. Able to intercept text messages, including those carrying two-factor authentication codes, MazarBOT is a nasty piece of work, sending your phone’s location to a number (starting with Iran’s country code) upon successful installation.

Upon detecting that the phone is in Russia, though, the malware stops installing; this is thought to be in order to avoid drawing the wrath of Russia’s security services.

Take a Trip to the Malware Museum

I’m sure many of you have been to a museum at one point or another, but did you know there is also a museum for malware? That’s right, there’s a huge online collection of things that want to ruin your computer, and no, I’m not just talking about that “download more RAM” banner. Don’t worry, though, as this museum isn’t going to leave you with a virus-infected computer; it’s actually run by Archive.org and is more of an art exhibition than a pit of doom that will wipe your hard drives.

Most people have heard of malware, and most of you have likely suffered at the hands of it too, but there’s also a little artistic beauty to many of these bits of malicious software from days gone by. The exhibition was put together by online security expert Mikko Hypponen and offers a visual collection of old-school viruses and the often creative visual effects, ASCII art and more that they used to troll their victims. It’s certainly a colourful display, and you can see them in action in all their glory.

There are some pretty cool animations in there too; it’s not just blocks of text or pop-ups like you would expect from modern spam-centric viruses. If anything, I’d say the hackers of the past were far more creative and, more often than not, were just out to demonstrate their skills and cause destruction rather than being financially motivated; not that this makes what they did any better for the user, of course.

So what are you waiting for? Take a trip back to the days of MS-DOS and floppy disks, screen saver viruses and more, and who knows, maybe you’ll learn a bit of computer history while you’re at it.

View the full gallery at Archive.org.

White Hat Hacker Tweaks Dridex Malware to Distribute Antivirus Software

The Dridex banking malware has been a huge headache for a large part of the financial and technology industries, but it seems there’s a white knight out there looking to turn the tables on this pesky infection. After a mysterious hijacking of the virus distribution servers, they’ve now started dealing out legitimate installers for Avira Free Antivirus, thus helping to remove the infection from systems and hopefully clearing up a few other issues along the way. The bonus is that anyone unwise enough to fall for the infection in the first place could technically come out cleaner on the other side.

The malware is most often spread through spam messages and malicious Word documents. One of the three most widely used trojans in the world, it targets online banking users and steals information before feeding it back to a server where it can be used to take money, as well as other information, from your accounts. Agencies in the UK and US managed to disrupt the botnet last year, even going as far as indicting a man in Moldova who they believe was responsible for the attacks, but it did little, if anything, in the long run to prevent the botnet from distributing the software.

Researchers at Avira recently noticed that the Dridex distribution servers had begun pushing an up-to-date Avira web installer instead of the trojan, which is obviously a great step in combatting the problem, although how long this will last remains to be seen.

“We still don’t know exactly who is doing this with our installer and why, but we have some theories,” said Moritz Kroll, a malware expert at Avira, via email. “This is certainly not something we are doing ourselves.”

The only theory that makes sense so far is that a white hat hacker has hijacked their servers and tried to turn the tables.

“I really think it is a hacker who has discovered how to do a good thing but perhaps with not strictly legal methods,” Kroll said. “If you think about it, there was a huge media announcement when Dridex was ‘taken down’ by the government authorities and a much smaller level of reporting on its return to the marketplace. That has got to be frustrating to some and might cause them to think: ‘The government tried to take it down, they could not, I can do something myself’.”

Either way, anything that slows this nasty bit of software is a good thing!

VirusTotal – Anti-Virus For Your Firmware

Malware happens all too often, spreading like wildfire around the world thanks to the connectivity offered by the internet, with banks and companies among its victims. While not all malware is destructive, it’s not something you want to invite into your system, and Google’s new VirusTotal service looks set to provide an anti-virus for your firmware.

Firmware is an often neglected piece of code. It acts as a bridge between your hardware and your software, more often than not your operating system. The problem is that it’s often hidden from anti-virus and malware scanning software, and it is all the more dangerous for its notorious ability to survive clean installations and reboots.

VirusTotal will allow people to upload firmware images and scan them for any signs of malicious code, marking them as legitimate or suspicious, meaning you can quickly check whether that new BIOS image is actually going to help or destroy your new PC.

Being able to scan for and detect malware that has hidden under the radar for so long will come in handy for many. After it was revealed that the NSA could have hidden malware in hard drive firmware, people have been on guard, and this new tool could soon have an array of firmware images to help scan, detect and protect systems around the globe.

Being able to scan everything from files to URLs, you can check that a site is safe and that the files you download are clean before you even hit the link next time.

CryptoWall 4 Is Being Distributed Via a New Campaign

There has been a huge explosion of online ransomware within the last year or two, which has seen a huge number of consumers, unfortunately, falling victim to this ever-present and growing technique. Now there is a new campaign being served to consumers via the PopAds network, delivering the Magnitude exploit kit through pop-under ads.

For those who are unfamiliar with a pop-under ad, this is a type of online advertisement that appears behind the main browser window and remains open until the user manually closes it. Consumers who had failed to update their version of Flash Player (which we are constantly being told to do) were immediately infected with the CryptoWall ransomware.

The infection campaign began around the 1st of January 2016, with ads being placed on sites that included both NSFW and video streaming sites. Below is an image conveying the geographic distribution of infections caused by this new technique; as you can see, Spain is in the lead with 14.3%, with the Netherlands, France and Poland next, level at 11.4% each. The spread of countries according to this data is mostly within Europe, although an exception to this is South Korea.

Once a user has been infected, they will typically see a CryptoWall ransom page window stating the text conveyed by the image below; it is a bit of an insult to say “Congratulations, you have become a part of large community Cryptowall”. Users will need to pay a ransom, as is common with these types of ransomware infections.

These cases highlight the need for a strong and reliable backup system, which will help to mitigate the damage in the event that your hard drive is encrypted. It is also essential to keep your browser, plugins and system updates current for your OS. If you wish to add further defences, it may be worthwhile to either disable or uninstall Flash Player, as well as running an up-to-date anti-virus and malware scanner.

These types of infections will become more and more advanced, and also very common, in 2016, and vigilance is required by users in order to help avoid such attacks.

Image courtesy of ssri


Ransomware Just Got Worse By The Use of JavaScript

Ransomware is probably one of the peskiest and most annoying things that your computer can catch. Not only do you lose access to your files, you have to pay a criminal to release them again. Even if you choose to pay, there is no guarantee whatsoever that the criminal will release the files, or that they haven’t hidden more malware to hit you again once you are “free”. If that wasn’t bad enough, a new version of ransomware, Ransom32, has arrived that uses JavaScript to infect you, and worst of all, barely any anti-virus and anti-malware programs will catch it at this time.

While all this sounds bad, there are ways to protect yourself and if you use common sense while surfing the web, then you should be safe anyway. Stay away from dubious websites and don’t touch any archive or executable downloaded from anything but official manufacturer websites. But let us get back to the new malware in question, the ransomware called Ransom32.

Ransom32 is built on the NW.js framework, which was developed to build desktop applications on a JavaScript base. A really cool framework, by the way. That, unfortunately, means that where we usually only see Windows users at risk, those with Linux and MacOS are equally vulnerable to Ransom32. Thanks to the use of this framework, the ransomware is able to get past the sandbox environment that JavaScript normally runs in these days.

Security researcher Fabian Wosar from EmsiSoft discovered the new Ransom32 as a self-extracting RAR archive. If that archive is unpacked, it hides in your temp folder and disguises itself as the Chrome web browser, being visible as Chrome.exe. This is where advanced users would already have noticed it and avoided any automatic-unpack function. However, should the new chrome.exe be executed, it will start to encrypt all your files with AES-128 in CTR mode and also place itself firmly in the system’s autostart features.

The Ransom32 creators have also made it very easy for people to use their tool. Evil-minded people can access the tool via a Tor address. When on the site, they can customise the tool’s features before downloading it. The creators reportedly also use the same network for their control servers and connections. To top the whole thing off, the creators take 25 percent of the accumulated ransoms for themselves, and everything stays anonymous thanks to the use of Bitcoin.

We can only hope that the virus scanners and anti-malware tools get an update soon so that less tech-minded people won’t get infected by this nasty new piece of software. You can also read a lot more about this new piece of software on the EmsiSoft blog.

Raspberry Pi Foundation Asked to Install Malware

Earlier this week the Raspberry Pi Foundation were approached by a lady called Linda. Linda asked the team if they would ever so kindly distribute an exe file alongside their Linux operating system, Raspbian. The e-mail they were sent asks if the foundation would perform the miracle of running an exe on a Linux operating system in return for a sum of money based on a Price Per Installation (PPI) scheme.

It’s amazingly surprising, the sheer cheek that this company has, as they’re asking one of the world’s most well-known organisations to cheat its customers. Why on earth would this company think they would go along with it? I don’t know. However, I can safely say that the foundation has not accepted this fantastic offer. The Raspberry Pi Foundation is now a huge organisation, with over 5 million Pi boards sold since the release of the original Pi. The use of an open source operating system has also done them wonders: there are thousands upon thousands of scripts and programs for the Pi available to the public.

Pi Facts: The name “Raspberry” originates from the fruit-based naming tradition for microcomputers in the old days. “Pi” refers to “Python”, because Python was one of the first programs ported to run on the Raspberry Pi. Hence the rather unusual name.

Image sourced from Adafruit

Plague Inc. To Receive Multiplayer In Update

You lean back, the leather chair supporting you as you spin and maliciously stroke your cat with a sinister laugh that would make Dr Evil proud. We’ve all imagined our life as the hero of the story, James Bond or countless others, but some of us (myself included) will admit that we’ve also imagined what it would be like sitting in that chair and plotting to take over the world. Plague Inc works with that feeling: what if you were the bad guy, or in this game’s case, the disease that you are trying to spread? Soon, though, you could see yourself racing against your friends to see who can wipe out humanity first.

On December 1st, Plague Inc: Evolved will enable Vs. mode, in which not only do you have to develop a disease to take over the world, constantly battling and creating new ways to avoid being cured, but you will also have to watch out, as your friends will be looking to wipe you out.

Of course, what’s a new update without new abilities? Why not send an unscheduled plane full of infected people to your friend’s country, or how about using genetic exposure to help the survivors fight off your opponent’s disease?

Sometimes being bad is just too good.

Police Body Cameras Pre-Installed With Worm

Police are just one of many organisations using technology to help with their everyday activities. One of these pieces of technology is the body camera, a small device that records a police officer’s actions, allowing them to operate and later present both their own and others’ actions in court. With many police forces making these devices mandatory and disciplining officers who turn them off, it is a serious issue when these devices are exploited or misused. So what happens when they come installed with viruses?

Martel body cameras are supplied with GPS and are sold and marketed for use by official police departments. It would seem, though, that users who plug in these devices get more than they bargained for, as iPower Technologies discovered when they began testing them.

iPower Technologies are a network integrator looking to create a cloud-based system for storing police and government videos, so during the course of their product testing they quickly discovered something shocking. The Martel body camera came pre-installed with the Win32/Conficker.B!inf virus, a worm.

The worm in question, once unleashed, automatically spreads across the local network and the internet, attempting to infect other systems, a serious impact on systems that are meant to be secure, as government agencies expect of theirs. iPower have since contacted Martel but have yet to receive an official acknowledgement of the problem, so they have released the information in a blog post. They state that they released the information because of the severity of the security implications these devices pose given their presence within government and police forces around the US.

Below you can find the video iPower posted showing that their anti-virus does in fact pick up and contain this worm.

New Ransomware Does The Unforgivable – Forgets How To Unlock Your Files

Ransomware is a whole new level of problem for computer users. Previously, malicious software, or malware for short, would spread causing chaos and destruction wherever it could, but ransomware is a little more targeted. Ransomware is designed to stop you from accessing your files, and in order to regain access you are normally requested to pay a sum of money to an account. With the kind of details you store on your computer these days, can you afford not to pay? Even the FBI say pay the ransom, but what happens when the criminals don’t decrypt your files, and the access you’ve just paid a lot of money for never arrives? It’s a risk many take, and many more will have to suffer thanks to the ransomware Power Worm, which forgets how to decrypt your files.

Encryption is the process in which, using a key (similar to a password), you jumble up a file, making it extremely difficult to read or access without knowing the key that was used to encrypt it in the first place. Power Worm does the usual, gets into the system and then encrypts your files, but thanks to a NULL result in its code it never stores the key, meaning that even if you pay it’s impossible to retrieve your files.

Please protect your files with regular backups on an external memory device and be careful when downloading or running any software.

Image courtesy of NSK Inc.

“Pay The Ransom” Says FBI Ransomware Advice

Ransomware is as significant a threat to huge corporations as it is to you and me; the notion of every single byte of your personal files being locked up is a frightening thought to those who have treasured memories in the form of images and documents. How effective is ransomware? Very, it turns out, considering the FBI (Federal Bureau of Investigation) is warning companies that they may be better off paying the ransom to the attackers in order to see their files again.

This centres on the success rate of Cryptolocker, Cryptowall and other forms of ransomware that utilize ultra-secure encryption algorithms in order to lock up data. Joseph Bonavolonta, Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office, was speaking at the Cyber Security Summit 2015, where he stated that “The ransomware is that good”.

This form of attack has been around for more than a decade, which is slightly surprising considering one associates this technique with a newish phenomenon, although the last three years have seen attacks rise sharply via both malicious email attachments and drive-by downloads, which include malvertising.

According to the FBI, Cryptowall is the most common form of ransomware, considering it had received 992 complaints that totalled $18 million in losses. The FBI still wants firms to contact their local law enforcement agency, but if a company’s data is locked then in all probability the FBI will not be able to retrieve it without a ransom payment.

An interesting element is the feeling that if attackers keep ransoms low for consumers, a bigger percentage will just pay; after all, many people have disposable income and may be inclined to pay.

I am not sure this advice from Joseph Bonavolonta is necessarily helpful. Granted, I can understand his sentiments that the FBI may not be able to retrieve any data without a ransom payment, but if you advise people to pay then this will keep happening over and over again. Criminals partake in these practices in order to make money; if they are making money then I am sure they would feel it’s worthwhile.

Also, there is no guarantee that you would actually gain access to your data once a ransom has been paid; after all, there is no incentive to do so, despite Mr Bonavolonta’s reassurances that “You do get your access back”.

The best prevention is to be aware of any email attachments or links contained within spam emails and to NOT click on them; if you’re expecting an attachment from a known source, always verify the email just in case said source has been hacked themselves. Any attachments should be scanned to be on the safe side if you trust the email; if you don’t, don’t download or click anything. I know that Nigerian billionaire sounds tempting, but it’s not worth it. Also, always keep your system backed up, for a variety of reasons.

Image source

Global Nuclear Facilities at Greater Risk of a Cyber Breach than Previously Thought

We all know various connected infrastructure defences are vulnerable; these include recent attacks on high-profile websites and also communication arms of governments and well-known individuals. Technically anything can be hacked and therefore robust implementations need to be focused on securing data within organizations. Nuclear facilities are one such example and a new report warns of an increasing threat of a cyber attack that focuses on these plants.

The report by the influential Chatham House think tank studied cyber defences in power plants from around the world over an 18-month period; its conclusions are that “The civil nuclear infrastructure in most nations is not well prepared to defend against such attacks”. It pinpoints “insecure designs” within the control systems as one of the reasons for a possible future breach, the cause of this is most likely the age of the facilities and the need for modernization.

The report also disproves the myth surrounding the belief that nuclear facilities are immune from attacks due to being disconnected from the Internet. It said that the “air gap” between the public internet and nuclear systems was easy to breach with “nothing more than a flash drive”. Great, in theory that little USB drive could cause a nuclear holocaust. The report noted that the infection of Iran’s facilities was down to the Stuxnet virus, which used the above route.

The researchers for the report had also found evidence of virtual networks and other “links to the public internet on nuclear infrastructure networks. Some of these were forgotten or simply unknown to those in charge of these organisations”.

It was found by the report that search engines that sought out critical infrastructure had “indexed these links” and thus made it easy for attackers to find ways into networks and control systems.

This report has cheered me right up. It is noted that nuclear facilities are stress tested to withstand a variety of long-standing scenarios, though there does need to be a better understanding from staff in charge of the infrastructure in order to limit any potential damage a breach could inflict. The industry needs to adapt: gone are the days of one or two experts who could hack into a system. From state-sponsored cyber attacks to a teenager in their bedroom, the knowledge base is growing day by day and many companies are paying the price for poor security.

Let’s hope it’s not a nuclear power plant.

Thank you BBC for providing us with this information.

Image courtesy of zeenews

Wifatch: The Vigilante Malware

Malware. That one word which seems to inspire fear and dread in everybody who hears it, even more so when you’ve experienced it first-hand on one of your many devices. Malicious software, or malware for short, is often designed to spread itself over the internet or even WiFi in the hope of creating openings for other malicious software, from a program that redirects you when you browse the internet to one that encrypts your hard drive until you pay hundreds of pounds so that (if they are true to their word) your files are released. The world has changed since those dark days; there is a new piece of software in the world: Wifatch is here.

Wifatch was found in late 2015 by Symantec and focuses on the bugs and security issues normally involved in routers (a piece of hardware we all use but rarely update). This malware doesn’t just infect your router and use it to spread to others, it closes off potentially dangerous loopholes and bugs on your router. That’s right, this malware, a piece of software that by its very nature breaches your security and trust, is trying to help stop you from being affected by … malware?

Not only does it block common points of danger for routers but it also tries to disinfect infected systems, even going so far as to reboot systems in the hopes of stopping any malware that is currently running.

The developer even left a funny message in its source code for those brave enough to browse it.

Is this the kind of software that we need? What do you think about this vigilante malware?

Thank you Symantec and the BBC for the information.

Images courtesy of Symantec.

Green Dispensing Malware to ATM Machines

A downside of technical innovation lies in the unfortunate ability to hack devices with the aim of stealing information and scamming consumers out of their savings. ATMs are not immune to this threat, and a new breed of malware has the ability to allow an attacker to drain the ATM’s cash vault before erasing the evidence.

The malware in question is coined “Green Dispenser” and it displays an out-of-service message on the ATM, but all is not well, as attackers with access to the correct PIN codes can then drain the ATM’s cash vault and erase Green Dispenser using a deep-delete process, leaving little if any trace of how the ATM was robbed. Let’s take a look at the deployment and operation process of this greedy piece of malware.

Deployment and Operation

The only way this malware can be installed is via physical access to the machine; therefore it is not possible to walk up to an ATM situated in a shop or sunk into a bank wall and install such code, which raises the possibility of a compromised employee with access to said machines. Green Dispenser has the ability to target “ATM hardware from multiple vendors using the XFS standard. It achieves this by querying for peripheral names from the registry hive before defaulting to hardcoded peripheral names”.

An operational check coded into the malware requires the run date to be in 2015 with the month earlier than September. This suggests to analysts that Green Dispenser was employed in a limited operation and designed to deactivate itself to avoid detection. A second layer which the attackers have implemented with the aim of hiding their activities lies in the authentication, using a hardcoded PIN which is then followed by a second PIN which this time is dynamic.

It is believed the attacker in question derives this second PIN from a QR code displayed on the screen of the infected ATM, which is then scanned by an application on a smartphone. Think of this as similar to logging into your favourite website: you input a password before using a second, two-factor authentication method to unlock your account. By implementing this method the attackers make the malware usable only by the person in question, provided they have the correct authentication.

Once the malware is run it attempts to verify that the month is earlier than September and the current year is 2015; if it finds the year to be, say, 2014, it simply shuts down. If the details are correct, Green Dispenser “creates a second desktop environment on the ATM called “dDispW” and creates a window in the second desktop called “Dispenser””. This is with the aim of overlaying an “Out Of Order” message on the ATM screen; it is worth noting that the message has appeared in Spanish as well as English.

Below is the QR code screenshot. “If the dispense cash option is selected, Green Dispenser attempts to query the registry location “HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\class=CDM” to find the peripheral name for the cash dispenser. If not found, it defaults to “CurrencyDispener1” which is the cash dispenser peripheral name on specific ATMs. It then makes a call to WFSExecute with the command set to “WFS_CMD_CDM_DISPENSE” and a timeout of 12000 to dispense cash”.

As you can see, it’s a complex piece of malware which aims to offer the option to take as much money as you would like, which is good (disclaimer: please don’t take as much money as you want; it may sound good but it is not). Manufacturers and banks would need to work together to counteract these threats with modern security upgrades; if not, expect these methods to become standard in attacks against machines.

Thank you Proofpoint for providing us with this information.

Image courtesy of hacer

Malware In Hilton Hotels Results in Card Details Being Stolen

How often do you use your card? When you pop down to the shop and breaking that ten-pound note would result in too many coins to carry back? How about when you’re buying things online? Finally, how many have used their cards to book hotels? If you’ve stayed at a Hilton hotel recently and used your card to pay at one of their Point of Sale (POS) terminals, you may want to double check that your card’s not got anything suspicious on it.

Hilton Hotels has stated they are investigating the possible security breach reported by Brian Krebs, an investigative journalist, who traced a collection of misused cards and found a common source in the tills located in the many restaurants and gift shops within Hilton Hotels in the US.

Sadly this is not the end of the story: the security alert that Visa released for this breach was issued in August, with the malware apparently active between April and July this year. Given the number of hotels, and the ease with which people can pay for things using their cards, the number of cards affected by this issue is surely only going to rise as more and more people become aware of it.

As with all cards, credit or debit alike, you should always keep an eye on it and raise any concerns regarding payments that you don’t recall making, or seem to be to companies you’ve never heard of, to your bank/building society.

Thank you to The Register for the information.

Image courtesy of ITP.

Roaming The Open World Of GTA V Money Generator Scams

Grand Theft Auto is a franchise which has captured the imagination of fans with an engrossing open player world and regular updates which never fail to entertain. But with every tech development lies the reality of scammers and hackers who regularly target consumers with the notion of “free” items which are not as generous as they appear to be.

This time around it’s the good old-fashioned money generator scams which are attempting to persuade GTA V players with the promise of free money to be used within the game. So, what are the potential traps for those who stumble onto the wrong site and decide to commit a bit of GTA of their own?

Example – gta5moneyserver(dot)com

This site is in the business of counterfeiting news articles from popular legitimate websites, this is with the aim of touting its own service while convincing consumers of its own credibility. There are problems which are easy to spot; firstly, the articles are badly written which is a red flag in itself; secondly, none of the articles appear on the genuine sites if cross referenced and the formatting is uneven.

OK, let’s imagine I believe this (I don’t, of course; that would be idiotic): the perpetrators of the site would need to implement a technique in order to send users free GTA cash. According to them, they have “exploited a cloud server through a very private 264bit encrypted DNS IP”. If a user submits a gamer tag through the site then he/she is prompted to fill in a scam survey, a trick which has plagued the internet for what seems like forever and a day. You won’t be receiving your coins anytime soon, so it’s best to avoid.

All sites purporting to offer free in-game, well, anything, that are not from an official URL or provider are in all probability too good to be true. They will either contain a survey, a virus or some .exe file which is little more than a fake; they might also ask for personal details, which is also to be avoided. Oh, and while you’re at it, avoid any sites which “offer” in-game money, free DLC generators, rank improvements, account unbanning and any kind of DNS code tricks.

These scams will vary in order to seem relevant, but it will be in all likelihood the same outcome.

Thank you Malwarebytes for providing us with this information.

Tax Credit Refund Scam Is Affecting UK Based Individuals

Tax credits are a hot topic at the moment, in part due to the Conservative death by a thousand cuts (I said cuts) plans which are set to reduce the income of many of the poorest in society by an average of £800 a year. Unfortunately, the adverse media coverage has been picked up by scammers who have devised a fraud which promises tax credit refunds.

Individuals have received messages within the last few days to a week which utilize the goo.gl URL shortener to redirect victims to what appears to be a compromised website. The message reads: “Dear valued customer, we are happy to inform you that you have a new tax credit refund from HMRC. Click on the following link [URL] to claim your HMRC refund”.

These messages have been sent via text, although you may want to keep a look out for other forms, including emails, in case the scammers diversify. The stats concerning this fraud are below; as you can see, it’s shocking to note that there have been 731 clicks so far considering the scam is pretty new.

  • 731 clicks so far, with the majority of them coming from the UK.
  • 440 of those were on iPhone, and 252 were using Android. Just 31 people were browsing via Windows.
  • The shortened link is around 1 week old, so the scam is pretty fresh.

The phishing page is located at – savingshuffle(dot)com/hmrc/Tax-Refund(dot)php:

The scam page appears to be from HMRC, but to be clear it is certainly NOT from the official government-backed site. The page would like many personal details, which include the following:

  • Name
  • Address
  • Phone
  • Email
  • Telephone number
  • Card details
  • Sort code and account number

Scroll further down the page and the scammers would also quite like a piece of “Identity Verification” in the form of a driving license number, national insurance number and mother’s maiden name. There’s also a pre-filled refund amount of £265.48 next to the submit button.

This is fake; this is a scam, and please DO NOT under any circumstances click on any link which purports to offer any kind of refund. HMRC do not send any messages which purport to offer any kind of refund in the first place. An official bank or government-backed service wouldn’t start a message with the words “Dear Valued Customer”. Also, be aware that even if you receive a message addressed to you by name offering a refund, this would also be a scam with absolute certainty.

There will be inevitably more variants of this scam which prey on people’s financial circumstances; always be suspicious.
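The tell-tale signs picked out in the GTA V money-generator post above and in this HMRC refund text (a generic “Dear valued customer” greeting, a refund or free-money lure, a public URL shortener hiding the destination, and a brand name paired with a domain that brand does not own) can be turned into a simple triage check. The block below is an added example written for this page, not Malwarebytes’ tooling: the first sample message reproduces the quoted SMS wording with a placeholder goo.gl link, the other messages are constructed for contrast, and the brand-to-domain allowlist (`BRAND_DOMAINS`) is a hypothetical one you would maintain yourself. It also accepts defanged links written with “(dot)”, as the articles above present them, so analyst notes can be fed in directly.

```python
import re
from typing import List, Tuple

# Constructed sample messages. The first reproduces the SMS text quoted in the article with a
# placeholder short link standing in for the real one; the rest are made up for this example.
SAMPLES = {
    "hmrc_smish": ("Dear valued customer, we are happy to inform you that you have a new tax "
                   "credit refund from HMRC. Click on the following link "
                   "https://goo.gl/PLACEHOLDER to claim your HMRC refund"),
    "gta_generator": ("Free GTA V money! Visit gta5moneyserver(dot)com to generate "
                      "$10,000,000 for your account."),
    "hmrc_legit": ("Your HMRC self assessment reminder: sign in at "
                   "https://www.gov.uk/log-in-register-hmrc-online-services"),
    "benign": "Hi Sam, your parcel is out for delivery today.",
}

# Public shorteners that hide the real destination of a link.
SHORTENER_HOSTS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co"}
# Hypothetical allowlist: brands a message may mention and the domains they legitimately use.
BRAND_DOMAINS = {"hmrc": ("gov.uk",), "gta": ("rockstargames.com",)}
LURE_PATTERNS = [r"\brefund\b", r"\bfree\b.{0,20}\b(money|cash|coins|dlc)\b", r"\b(generator|unban)"]
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?")


def refang(text: str) -> str:
    """Turn analyst-style defanged links ("example(dot)com", "hxxp") back into parsable form."""
    return text.replace("(dot)", ".").replace("[.]", ".").replace("hxxp", "http")


def extract_hosts(text: str) -> List[str]:
    return HOST_RE.findall(refang(text.lower()))


def is_official(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def score_message(text: str) -> Tuple[int, List[str]]:
    """Return a suspicion score (one point per indicator) and the reasons behind it."""
    low = text.lower()
    reasons = []
    if re.search(r"\bdear (valued )?customer\b", low):
        reasons.append("generic greeting instead of the recipient's name")
    if any(re.search(p, low) for p in LURE_PATTERNS):
        reasons.append("financial lure (refund / free money / generator)")
    hosts = extract_hosts(text)
    if any(h in SHORTENER_HOSTS for h in hosts):
        reasons.append("link goes through a public URL shortener, hiding the destination")
    for brand, domains in BRAND_DOMAINS.items():
        if brand in low and hosts and not any(is_official(h, domains) for h in hosts):
            reasons.append(f"mentions {brand} but links only to non-official domains")
    return len(reasons), reasons


def is_phishing(text: str) -> bool:
    # Two independent indicators is the threshold used here; tune it against your own mail.
    return score_message(text)[0] >= 2


if __name__ == "__main__":
    for name, message in SAMPLES.items():
        score, reasons = score_message(message)
        print(f"{name}: score={score} phishing={is_phishing(message)}")
        for r in reasons:
            print(f"  - {r}")
```

Run on the samples, the HMRC text scores on all four indicators and the money-generator pitch on two (the lure and a brand name with no official domain behind it), while the genuine gov.uk reminder and the parcel notice score zero. A real deployment would add sender checks and a reputation lookup, but these four signals alone cover everything the scam messages above relied on.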

Thank you Malwarebytes for providing us with the information.

One Plus 2 Equals Malware?

Well, yes, sort of. Before I am lambasted for inserting a clickbait headline, let me explain: OnePlus 2 smartphones have been somewhat of a revelation since launch, from a repairable-part design to more than decent specs which place them handily within their price point. This all sounds exciting; the problem lies with the Chinese company’s marketing, which relies on the same invite-based system that has been utilized within this incarnation.

This rather convoluted purchase arrangement has led to the widespread unavailability which has befallen many consumers. Consumers are an interesting bunch: if a particular TV series or gadget is difficult to obtain, the next best thing is to locate said device through alternative means, and this is what many people did after hearing that KSP, Israel’s largest digital store, would in fact be selling the phone without an invite.

Great, many paying consumers thought; the only downside lay with the unfortunate realization that the phone also came bundled with malware. The annoying process manifested itself when using Google Chrome on the device: “Using said browser would automatically redirect to other sites with the word tracking in them or a site called global.mytracker, before giving permission to access the website requested”.

After further investigation, it turns out there were four potential threats found after running AVG (yes, the “we want your data to sell” AVG). Honestly, you don’t know which is worse, considering an antivirus which purports to safeguard your digital identity has also been caught offering your browsing history to ad companies; kudos to John Williamson at eTeknix for analysing this story. It has also become apparent that users in the US are also being screwed after purchasing this phone through an online retailer by the name of Gearbest.

The solution is to undertake an entire operating system reinstall with the aim of banishing the malware. There are suspicions of third-party outlets injecting dodgy processes and apps into the phone, rather than an outright deception by the manufacturer, who have warned against purchasing the device through other means.

As a tech fan I am finding the relentless pursuit of nefarious attacks against consumers rather wearying, any individual should have confidence in the retailer and also the product without the fear of a virus or malware. If you’re interested in this smartphone, then only buy from official channels and be careful of any deals which sound too good to be true.

Thank you Geektime for providing us with this information.

Image courtesy of frandroid