malware

How to submit malware / virus to antivirus and malware companies

So you got yourself infected with a virus and hopefully you got rid of it before it did any serious damage. If it did, you may wish you had something like “CrashPlan” to get your files back.

While a backup solution is always the best recovery tool, today we are going to talk about what to do once you have identified a suspected virus or malware component that you want to share, so that others can be protected from the same issue.

This fight isn’t just on you: there is a large community made up of experts and everyday people who want to help one another get rid of malware and computer viruses.

Here are a few sites I often submit the little bugs to for review:

For additional tools for scanning and verifying an infected file, I often use VirSCAN.org.

VirSCAN.org is a free online scan service which checks uploaded files for malware using the antivirus engines listed on the VirSCAN site. After uploading the files you want checked, you can see the scan results and how dangerous or harmless those files are for your computer.

Another online scan tool: https://www.virustotal.com/
By the way, VirusTotal is owned by Google.
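Before uploading anything, it is worth looking the sample up by hash: a document or archive may contain personal or company data, and a hash lookup tells you whether the scan services already know the file without the file ever leaving your machine. The script below is an added example, not from the original post or from either scan service. It computes the three common hashes with Get-FileHash and builds a VirusTotal lookup URL; the URL pattern is the current VirusTotal GUI format and is an assumption about the site, not something the post states.

```powershell
# Added example (not from the original post): hash a suspect file and build a
# VirusTotal lookup URL so the sample can be checked by hash before any upload.
# The URL format is the current VirusTotal GUI pattern (assumption).
# Usage: .\Get-SampleHashes.ps1 -Path C:\quarantine\suspect.bin
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$file = Get-Item -LiteralPath $Path

$result = [ordered]@{
    Name   = $file.Name
    Size   = $file.Length
    MD5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
    SHA1   = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash.ToLower()
    SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
}
$result.VirusTotal = "https://www.virustotal.com/gui/file/$($result.SHA256)"

# Office documents, mail stores and archives often carry private data; flag them
# so the analyst looks up the hash first and only uploads if the hash is unknown
# and the content is safe to share.
$sensitive = '.doc', '.docx', '.xls', '.xlsx', '.pdf', '.pst', '.zip'
$result.UploadCaution = $sensitive -contains $file.Extension.ToLower()

[pscustomobject]$result
```

Get-FileHash requires PowerShell 4.0 or later. If UploadCaution comes back True, check the hash on the site first and consider whether the file may be shared at all before submitting it.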

Best of luck to you all, and stay safe.


Tech Short: CryptoLocker

CryptoLocker is a type of “ransomware” that encrypts the data on an infected computer so that it can’t be read and then demands payment to decrypt it.

A CryptoLocker attack may come from various sources; one common vector is an attachment disguised as a legitimate email attachment. When activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware’s control servers.

After the initial infection, a message is normally displayed informing the user that they must pay to regain access to their files.

The target files are normally office documents and photos, since these are deemed very important to individuals.

It targets files with the following extensions:

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

When it finds a file matching one of those extensions, it encrypts the file with the public key and then records the file in the Windows registry under HKEY_CURRENT_USER\Software\CryptoLocker\Files.
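That registry key is useful during cleanup: it tells you exactly which files were touched and therefore which ones need to come back from backup. The script below is an added example, not from the original post. The key name comes from the post; that each encrypted file appears as a value name with “?” in place of “\” is a widely reported detail about this family and is treated here as an assumption. Run it in the affected user’s session, since the key lives in that user’s HKCU.

```powershell
# Added example (not from the original post): list the files CryptoLocker
# recorded under HKCU\Software\CryptoLocker\Files so the restore scope is known.
# Assumption: value names are file paths with '?' standing in for '\'.
$key = 'HKCU:\Software\CryptoLocker\Files'

if (-not (Test-Path $key)) {
    Write-Output "No CryptoLocker file list found at $key"
    return
}

$regKey = Get-Item -Path $key
$files = foreach ($name in $regKey.GetValueNames()) {
    if ($name -eq '') { continue }            # skip the (Default) value
    $path = $name -replace '\?', '\'          # undo the reported '?' encoding
    [pscustomobject]@{
        RecordedName = $name
        Path         = $path
        StillPresent = Test-Path -LiteralPath $path
        Extension    = [System.IO.Path]::GetExtension($path).ToLower()
    }
}

# Full list for the restore job, plus a per-extension summary on screen
$files | Export-Csv -Path "$env:USERPROFILE\Desktop\cryptolocker-files.csv" -NoTypeInformation
$files | Group-Object Extension | Sort-Object Count -Descending | Select-Object Name, Count
Write-Output ("{0} files recorded" -f @($files).Count)
```

The CSV gives the backup operator a concrete list to restore, and StillPresent shows which encrypted copies are still on disk and should be replaced rather than merged with the restored versions.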

CryptoLocker typically propagates as an email attachment, or it is uploaded to a computer already recruited into a botnet by a previous trojan infection.

To protect yourself, always keep your systems up to date, and be vigilant when opening email attachments and when dealing with sites that attempt to download these infections to your computer.

Most CryptoLocker infections do not require the user to have elevated rights on the machine, since it targets anything the local user has access to.

The only way to recover from an infection is to restore the machine and its files from a clean backup.

I suggest using a real-time backup solution such as CrashPlan for something like this, as it supports versioning and point-in-time restoration.

I also suggest using Malwarebytes Free Anti-Malware to aid in cleanup of the infection; however, this does not give you back access to files that have already been compromised.

Additional Notes:

CryptoLocker does not need Administrator privileges to run, so don’t think you’re safe just because none of your users are domain or local admins. CryptoLocker.exe is placed in the user’s %appdata% and/or %localappdata% folders, runs under the user’s context and doesn’t require privilege escalation.

What can be done here is to add restrictive policies on the %appdata% and %localappdata% folders.

To do this:

  • Open the Group Policy Editor
  • Computer Configuration
  • Windows Settings
  • Security Settings
  • Software Restriction Policies
  • Right-click and create new policies
  • Go to Additional Rules

Create new path rules for the following:

%appdata%\*.exe – Security level: Disallowed
%localappdata%\*.exe – Security level: Disallowed
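For a standalone machine, or to script the same two rules across many machines, the local policy can be written directly. The script below is an added example, not from the original post: it creates the two Disallowed path rules by writing the registry keys that the Group Policy editor uses for Software Restriction Policies. That key layout (CodeIdentifiers, the security level subkey 0 for Disallowed, a GUID subkey per rule with ItemData and SaferFlags) is an assumption based on what the editor writes, so verify it against the editor on a test machine, and prefer the GPO editor or AppLocker for domain-wide deployment. Run as Administrator; use -WhatIf to preview.

```powershell
# Added example (not from the original post): create the two Disallowed path
# rules as a local Software Restriction Policy via the registry. Key layout is an
# assumption mirroring what the GPO editor writes. Run as Administrator.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$BlockedPaths = @('%AppData%\*.exe', '%LocalAppData%\*.exe')
)

$srp      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallow = Join-Path $srp '0\Paths'          # security level 0 = Disallowed

if ($PSCmdlet.ShouldProcess($srp, 'Enable Software Restriction Policies')) {
    New-Item -Path $disallow -Force | Out-Null
    # Default level 262144 = Unrestricted, so only the explicit rules block anything
    Set-ItemProperty -Path $srp -Name DefaultLevel       -Value 262144 -Type DWord
    Set-ItemProperty -Path $srp -Name TransparentEnabled -Value 1      -Type DWord
    Set-ItemProperty -Path $srp -Name PolicyScope        -Value 0      -Type DWord   # 0 = all users
}

foreach ($rule in $BlockedPaths) {
    # Skip rules that already exist so re-running the script is safe
    $existing = Get-ChildItem -Path $disallow -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty -Path $_.PSPath).ItemData -eq $rule }
    if ($existing) { Write-Verbose "Rule already present: $rule"; continue }

    $key = Join-Path $disallow ([guid]::NewGuid().ToString('B'))
    if ($PSCmdlet.ShouldProcess($rule, 'Add Disallowed path rule')) {
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name ItemData    -Value $rule -PropertyType ExpandString | Out-Null
        New-ItemProperty -Path $key -Name SaferFlags  -Value 0     -PropertyType DWord        | Out-Null
        New-ItemProperty -Path $key -Name Description -Value 'Block executables in user profile app data' -PropertyType String | Out-Null
    }
}

# Show what is configured; the policy applies at next logon or after gpupdate /force
Get-ChildItem -Path $disallow -ErrorAction SilentlyContinue | ForEach-Object {
    Get-ItemProperty -Path $_.PSPath | Select-Object ItemData, SaferFlags, Description
}
```

Test this with a harmless executable copied into %AppData% before rolling it out: some legitimate installers and updaters (Chrome, Spotify and others) run from these folders and will need explicit Unrestricted path rules or a different location.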

Also, a message to my fellow systems admins:

If you are smart you will also block all executable attachments, along with zip files, in email. This will effectively reduce the footprint of possible infections via email.

Communicate this to your management.

If they choose not to entertain alternative ways to transfer files, then you can rest knowing that you’ve taken the proactive security measures you know, and are confident, are best.

Links:

Ransomware Information Guide

CryptorBit Ransomware Guide


Savings Bull Filter Removal

Another day, another infection.

This time it’s the threat that goes by the name of Savings Bull (sample.dll), a form of adware/malware that infects a user’s computer and listens to the victim’s network traffic by acting as a proxy.

Savings Bull copies itself to your hard disk; the typical file name is sample.dll.

Savings Bull is adware which, when installed on a PC, may embed an unwanted browser extension, plug-in or add-on. I take it that Savings Bull may be distributed bundled with free programs.

I haven’t encountered a single antivirus solution which flags this. Rather, I have had encounters with customers and staff I support who have had issues connecting to local resources on their respective networks; in each case connecting to either .local address spaces or resources using port 8080.

In my case a user was unable to connect to Visual Studio Team Foundation Server.

Removing it was as simple as this:

  • Open Windows Control Panel
  • Programs > Uninstall or change a program
  • Sort by date
  • Look for an icon with an S, named Savingbull Filter, and uninstall it.

wow.dll Virus / Trojan

Hmmm; now isn’t this fun.

Our IDS was tossing out the following message for one of the users, along with various others: ET TROJAN Tornado Pack Binary Request.

After some inspection (first running the local AV solution and other tools like Malwarebytes, which did not locate the infection), I loaded up TCPView from the Sysinternals Suite, which showed several outbound connections to remote hosts. Using Process Explorer, also by Sysinternals, I was able to search for the handle of the wow.dll discovered in TCPView. The process was bound to explorer.exe.

My inspection took me to the following location: AppData\Roaming\srpetxnshntexq\wow.dll, where I found the virus .dll file and a config file ending in .ini with the following contents:

[main]
version=3.0
aid=031
servers=deppeppepp.com:80; gangganggg.com:80;188.165.232.20:80;
knock=188.165.232.20

This seems to be a control file for the virus.
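The servers listed in that control file are the quickest way to tell whether another machine has the same infection. The script below is an added example, not from the original post: it parses the server list out of the .ini text (copied from the post and embedded as a here-string) and checks the machine’s live TCP connections for any process talking to those hosts, the same check the post did by hand in TCPView, and then looks at whether wow.dll is loaded in the owning process. It deliberately does not resolve the domain names, since that would itself generate traffic to those hosts; it only consults the local DNS client cache. Get-NetTCPConnection and Get-DnsClientCache require Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original post): match live TCP connections against
# the servers named in the wow.dll control file, and report the owning process.
# The .ini text is copied from the post; the matching logic is an addition.
$ini = @"
[main]
version=3.0
aid=031
servers=deppeppepp.com:80; gangganggg.com:80;188.165.232.20:80;
knock=188.165.232.20
"@

# Collect every host from the servers= and knock= lines, dropping ports and blanks
$hosts = foreach ($line in $ini -split "`r?`n") {
    if ($line -match '^(servers|knock)=(.*)$') {
        $Matches[2] -split ';' | ForEach-Object { ($_ -split ':')[0].Trim() } | Where-Object { $_ }
    }
}
$hosts  = @($hosts | Sort-Object -Unique)
$ipLike = '^\d{1,3}(\.\d{1,3}){3}$'
$ips    = @($hosts | Where-Object { $_ -match $ipLike })
$names  = @($hosts | Where-Object { $_ -notmatch $ipLike })

# Do not resolve the names (that contacts the C2); use the local DNS cache only
$cached = Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $names -contains $_.Entry -or $names -contains $_.Name }
$ips += @($cached | Where-Object { $_.Data -match $ipLike } | Select-Object -ExpandProperty Data)

$hits = Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
    Where-Object { $ips -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $wow  = 'n/a'
        try {
            # A loaded wow.dll in, say, explorer.exe is the injection the post describes
            $wow = ($proc.Modules | Where-Object { $_.ModuleName -eq 'wow.dll' } | Select-Object -First 1).FileName
        } catch { $wow = 'access denied' }
        [pscustomobject]@{
            Process = $proc.ProcessName
            PID     = $_.OwningProcess
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = $_.State
            WowDll  = $wow
        }
    }

if ($hits) { $hits | Format-Table -AutoSize }
else { Write-Output "No connections to the listed servers ($($hosts -join ', '))" }
```

A hit on explorer.exe with a WowDll path under AppData\Roaming matches the behaviour the post observed; a hit with no loaded wow.dll still deserves a look at the owning process, since the module name may differ on another variant.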

For now the issue remains unresolved and the user’s computer is set for a new image. I will be playing with the virus more in hopes of learning more about what it does and how to quickly identify it in the future. I do, however, think this is a Troj/Mdrop* type of infection or some variant.

Microsoft’s fight against Poison Ivy

What is known so far: Poison Ivy (Backdoor:Win32/Poisonivy.E) is a backdoor trojan that allows unauthorized access to and control of an affected machine. It attempts to hide by injecting itself into other processes.

The following system changes may indicate infection:

  • The existence of the file c:\windows\svvchost.exe
  • The existence of the registry entry “StubPath” with data “c:\windows\svvchost.exe” in the subkey HKLM\Software\Microsoft\Active Setup\Installed Components\<CLSID>
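Active Setup is a legitimate per-user run-once mechanism, so the registry indicator above is easy to check across every component rather than hunting for one CLSID. The script below is an added example, not from the original post or from Microsoft: it enumerates every StubPath under Installed Components (both the native and Wow6432Node views), flags the svvchost.exe indicator named above, and also flags any StubPath whose image lives outside the Windows and Program Files directories. The indicator comes from the post; the “expected location” heuristic is an addition and will need tuning, because some legitimate entries run rundll32 or regsvr32 without a full path and will show up as off-path.

```powershell
# Added example (not from the original post): hunt Active Setup StubPath values
# for the Poison Ivy indicator (svvchost.exe) and for images outside expected
# locations. The off-path heuristic is an addition and may need tuning.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
) | Where-Object { Test-Path $_ }

$allowedPrefixes = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.ToLower() }

$findings = foreach ($root in $roots) {
    foreach ($component in Get-ChildItem -Path $root) {
        $stub = (Get-ItemProperty -Path $component.PSPath).StubPath
        if (-not $stub) { continue }

        $expanded = [Environment]::ExpandEnvironmentVariables($stub).ToLower()
        # The first token of the command line (quotes removed) is the image path
        $image = if ($expanded -match '^"([^"]+)"') { $Matches[1] } else { ($expanded -split '\s+')[0] }

        $isIndicator = $image -like '*\svvchost.exe'
        $offPath     = -not ($allowedPrefixes | Where-Object { $image.StartsWith($_) })
        if (-not ($isIndicator -or $offPath)) { continue }

        $reason = if ($isIndicator) { 'Poison Ivy indicator (svvchost.exe)' } else { 'StubPath outside Windows/Program Files' }
        [pscustomobject]@{
            CLSID       = $component.PSChildName
            StubPath    = $stub
            Image       = $image
            ImageOnDisk = Test-Path -LiteralPath $image
            Reason      = $reason
        }
    }
}

# Check the file indicator directly as well, and record its hash for the report
$svv = Join-Path $env:SystemRoot 'svvchost.exe'
if (Test-Path -LiteralPath $svv) {
    Get-FileHash -LiteralPath $svv -Algorithm SHA256 | Select-Object Path, Hash
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output 'No suspicious Active Setup StubPath entries found' }
```

Run it once on a known-clean build of the same image to learn which off-path entries are normal for your environment; anything that appears only on the suspect machine, and in particular any StubPath pointing at svvchost.exe, is what to act on.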

Microsoft has released a temporary fix while they work on a final solution.

“We have received reports of only a small number of targeted attacks and are working to develop a security update to address this issue,” Microsoft stated in an official blog post. Microsoft has recommended that users download the Enhanced Mitigation Experience Toolkit which is designed to help prevent hackers from gaining access to your system.

The toolkit includes several pseudo mitigation technologies aimed at disrupting current exploit techniques. These pseudo mitigations are not robust enough to stop future exploit techniques, but can help prevent users from being compromised by many of the exploits currently in use. The mitigations are also designed so that they can be easily updated as attackers start using new exploit techniques.

For now, many security experts recommend using browsers such as Chrome or Firefox.

Over 300,000 hit by Internet blackout

According to the FBI, on Monday July 9th over 300,000 computers will no longer be able to access the internet due to a malware infection known as the “DNS Changer Trojan”. The internet outage for these computers is due to the FBI shutting down the ring of cyber-criminals responsible for creating the Trojan late last year.

Over the past five years, a group of six Estonian cybercriminals infected about 4 million computers around the world with DNSChanger. The malware redirected infected users’ web searches to spoofed sites with malicious advertisements.

News Sources:  1, 2
More info on the DNS Changer Trojan here