Fix for WannaCry

Megan Morrone talks to Iain Thomson about a possible fix for those infected with the Wannacry ransomware. Researchers have found a fix to unlock affected computers. The tool called wannakiwi allows you to avoid paying the bitcoin ransom, but only if you’re running Windows XP, Windows 7, and Windows 2003 AND if you haven’t rebooted your PC since the attack. The key is not magic, its math that works by finding all the prime numbers that are stored in the ransomware’s code. A different tool called WannaKey was released yesterday but only worked on Windows XP and required a second app.

Advertisements

This Week in Tech 614: $46 at the Piggly Wiggly

The WannaCry ransomware attack is far from over. Amazon introduces the Echo Show – will the touchscreen voice assistant/videophone flop? Microsoft announces their own voice assistant, the Cortana Speaker. The US plans to ban laptops on flights from Europe. Comcast and Charter agree not to compete on wireless. Russian hackers pwned by French presidential campaign

–Christina Warren needs friends in Seattle.
–Father Robert Ballecer just got back from Malta.
–Roberto Baldwin got hung up on by AT&T customer service.
–Alex Wilhelm’s name will not set off your Amazon Voice Assistant.

This Android Trojan blocks victims from alerting banks

By Michael Kan | PCWorld

A new Trojan that can steal your payment data will also try to stymie you from alerting your bank.

Security vendor Symantec has noticed a “call-barring” function within newer versions of the Android.Fakebank.B malware family. By including this function, a hacker can delay the user from canceling any payment cards that have been compromised, the company said in a blog post.

Fakebank was originally detected in 2013. It pretends to be an Android app, when in reality, it will try to steal the user’s money.

The malware works by first scanning the phone for specific banking apps. When it finds them, the Trojan will prompt the user to delete them and install malicious versions of those same apps.

The newer variants of Fakebank.B, however, will do more than just collect financial login data. They will also monitor whatever phone calls are made.

If the customer service numbers of certain banks are dialed, the Trojan will cancel the call, Symantec said. Instead, users will have to use email or another phone to reach their banks.

So far, this new Trojan has only been detected in Russia and South Korea. Symantec is advising users refrain from downloading apps from less trustworthy sources, like third-party app stores.

The call-barring function shows how banking Trojans are continuing to evolve. Earlier this year, Symantec detected another kind called Android.Bankosy that can bypass voice-based two-factor authentication systems.

To do this, the Trojan will secretly activate call forwarding on the victim’s phone. All calls will then be redirected to the hacker’s own number.

This botnet has infected nearly a million devices since 2014

By | TechSpot

One of the many ways that cybercriminals earn income is through affiliate advertising programs like Google’s AdSense. Rather than generate traffic through content creation, hackers figure out ways to trick advertising platforms into thinking a partner is sending them legitimate traffic. Not knowing they’re being scammed, the advertising platform pays the partner for the referral.

Such is the case with a clickbot known as Redirector.Paco which Bitdefender Labs detailed on Monday.

According to the security firm, Redirector.Paco has been active in the wild since September 2014. On an infected system, whenever you perform a query on a popular search engine like Bing, Google or Yahoo, the search results are replaced with affiliate links which, when clicked, generate revenue for the hacker.

Bitdefender Labs says the malware is able to redirect traffic by making a few simple registry tweaks on the infected system which tells the browser to send the traffic to a different address. The malware attempts to make the search results look authentic although there are signs – like messages in the status bar referencing a proxy – that indicate something is amiss.

Lengthy load times are also an indicator of infection, Bitdefender Labs said.

The malware has infected more than 900,000 IPs worldwide, most of which are located in Algeria, Brazil, Greece, India, Italy, Malaysia, Pakistan and the US. The payload is typically injected into modified installers for trusted programs including Connectify, WinRAR, KMSPico, Start8, Stardock and YouTube Downloader.

Tech support scammers now utilizing ransomware-like lock screens to threaten people

By Justin Luna | Neowin

Some of us may be very well aware of the classic tech support scam stories, where a man randomly calls people, and informs them that they are from “Windows company” and that the call recipient’s computer has been detected full of viruses. These cold callers then use fake Blue Screen of Deaths, and make the victim think there really is something wrong with their PC.

Tactics like these can be easily terminated, with the use of a few built-in Windows tools, as well as a few keystrokes. However, scammers have been seen improving their game, and are now incorporating lock screens, in order to threaten a user even more.

This technique can be attributed to the infamous ransomware, where a malicious program encrypts a user’s computer files, and sets a PC to be stuck on a lock screen prompting them to pay up.

As for this one, the scammers trick the victims into thinking that their Windows’ license has expired, and then removes any ability for the user to control their computer. “This is not a fake browser pop up that can easily be terminated by killing the application or restarting the PC. No, this is essentially a piece of malware that starts automatically, and typical Alt+F4 or Windows key tricks will not get rid of it,” according to Jérôme Segura of Malwarebytes Labs.

There is an entire ecosystem on how these malware are being distributed, one of which includes bundling them into Pay Per Install applications. “What you thought was a PC optimizer or Flash Player update turns out to be a bunch of useless toolbars and, in some cases, one of these lockers,” said Segura.

A security researcher, @TheWack0lian has shared a sample on how the new tech support scam tactic works. Through a genuine-looking Microsoft program, which installs without any particular incident, the malware waits for the user to restart their system. Upon rebooting, a user will be welcomed by what looks like Windows configuring updates, though this is already the malware kicking in.

Once its “process” is done, it displays an error screen saying that the user’s Windows license is expired. It even takes the time to display the user’s current license key and computer name, to make it look more legitimate.

Now, to be able to unlock the system, the only choice a user has is to dial the number flashed on the screen, leading them into the said cold tech support scammers who are eager to steal victims’ personal information, as well as their credit card number. Calling the number, it was discovered by the researchers that there is a hidden functionality to the locker. Pressing Ctrl+Shift+T will display an installer for TeamViewer, a remote access computer program. However, the scammer refused to proceed with unlocking the computer unless a payment of $250 is made.

Fortunately, the researchers were able to find a way to bypass the lock screen. Victims of the said issue can press Ctrl+Shift and then the S key. Alternatively, a user can enter either “h7c9-7c67-jb” or “g6r-qrp6-h2” or “yt-mq-6w” into the “Product Key” field to be able to unlock the PC. This however, might only work for some versions of the rogue program.

With these kinds of programs rapidly evolving right before our eyes, it is very alarming to see how much these kinds of malware can take many innocent and susceptible people hostage, and play on their fears in addition to stealing money from them.

It always pays to be wary of where we always go on the internet, as well as what links we click on. Also, a good security software is always handy, to be able to block out the malware that can possibly not only ruin our computers, but also possibly a part of our lives.

These are the worst domains for harboring malware

By IDG News Service | PCWorld

Generic top-level domains (gTLDs) that have sprung up in recent years have become a magnet for cybercriminals, to the point where some of them host more malicious domains than legitimate ones.

Spamhaus, an organization that monitors spam, botnet and malware activity on the Internet, has published a list of the world’s top 10 “worst TLDs” on Saturday. What’s interesting is that the list is not based on the overall number of abusive domains hosted under a TLD, but on the TLD’s ratio of abusive domains compared to legitimate ones.

Over the years, lists of spam-friendly top level domains have typically had .com, .net and .org at the top. However, a TLD’s trustworthiness ultimately relies on the ability of the organization that manages it — known as the registry — to police its name space and to enforce rules for its resellers, the registrars.

If, for example, 1 percent of all .com domains were used for malicious activity, one could say that the .com registry, Verisign, is doing a relatively good job at keeping the abuse rate down. The problem is that because the .com TLD is so large, its 1 percent might represent more malicious domains than in a much smaller TLD where the rate of abusive domains is actually 50 percent.

Therefore, comparing good-vs-bad ratios is a better way to determine which registries care more about their TLDs’ reputation, something that ultimately affects their legitimate customers.

“Spam and other types of abuse continue to plague the Internet because bad actors find it very cheap and very easy to obtain thousands of domain names from the Top Level Domain registries and their resellers, the registrars,” Spamhaus said in a blog post. “A few registrars knowingly sell high volumes of domains to professional spammers for profit, or do not do enough to stop or limit spammers’ access to this endless supply of domains. These registrars end up basing their entire business model on network abuse.”

Based on Spamhaus’ data, some of the generic TLDs that have been created in recent years thanks to ICANN’s relaxed policies are not doing enough to stop abuse. This could be either because they’re inexperienced at tackling such issues or because they care more about revenue than a clean Internet.

At this time, Spamhaus’ 10 Worst Top Level Domains list looks like this: .download with 76 percent bad domains; .review with 75.6 percent bad domains; .diet with 74.3 percent bad domains; .click with 72.4 percent; .work with 65 percent; .tokyo with 51 percent; .racing with 50.8 percent; .science with 49.9 percent; .party with 45.3 percent and .uno with 42.5 percent.

Some TLD owners claim that it’s up to resellers to deal with cases of domain misuse and policy violations, but if they don’t force those resellers to take action, nothing will change, Spamhaus said. “A good number of the TLDs succeed in keeping spammers off their domains and work to maintain a positive reputation; this shows that, if they wished to, any TLD registry can ‘keep clean’.”

Nasty new ransomware program threatens to leak your files online

| PCWorld

Ransomware creators have taken their extortion one step further: in addition to encrypting people’s private files and asking for money before releasing a key, they now threaten to publish those files on the Internet if they’re not paid.

This worrying development has recently been observed in a new ransomware program dubbed Chimera that was documented by the Anti-Botnet Advisory Centre, a service of the German Association of the Internet Industry.

The attackers behind this new threat target mainly businesses by sending rogue emails to specific employees that masquerade as job applications or business offers. The emails contain a link to a malicious file hosted on Dropbox.

Once Chimera infects a computer it starts encrypting the local files. After the first reboot it displays a ransom note on the user’s desktop. The attackers ask for a payment of around 630 euro in Bitcoin in order to provide the decryption key.

Up to this point, the process is similar to that followed by other ransomware programs. However, Chimera’s creators have taken their intimidation attempts to a new low. In their ransom note they claim that if they’re not paid they will publish the user’s files on the Internet.

There’s no evidence that any victim’s personal data has yet been released online, the German Anti-Botnet Advisory Centre said in a blog post.

It’s not clear if the ransomware program does indeed siphon off user files before or after encrypting them. But the threat could be enough to scare even users who have backups into paying.

Ransomware programs typically encrypt data locally and don’t upload it to command-and-control servers because that would require a lot of storage space, even if attackers restrict the theft to certain file types such as pictures.

But the prospect of this happening in the future is scary, as it would pose a major privacy risk to businesses and consumers alike.

Newly discovered adware digs its claws deep into Android, is nearly impossible to remove

Security researchers found over 20,000 adware samples hiding in apps that masquerade as Facebook, Twitter, Snapchat, and other popular services.

| @derekwalter | PCWorld

Security researchers have uncovered a new style of Android malware that hides inside of apps that act and look like they’re legitimate services.

Lookout Security described the unsavory practice as “trojanized adware.” Essentially the third-party apps look and function like Google, Facebook, Twitter, WhatsApp, and other popular apps. But once they’re installed, they assign themselves system-level permission and serve up ads throughout the rest of the OS, generating money for the hacker.

It’s a new level of evil genius because the security firm says they’re nearly impossible to uninstall: the best option for those who fall victim is to just ditch out on the device and pick up a new one. The trojanized apps obtain root-level access and install themselves as system apps, so even a factory reset doesn’t get rid of them.

The impact on you: While this may sound dire, it confirms our core piece of security advice: stick to the Google Play Store or Amazon App Store and always install the latest Android OS and Play Services updates. The absolute best option is to pick up a new Nexus device, which Google has pledged will get monthly security updates directly from Mountain View. BlackBerry recently made a similar pledge, with Silent Circle (maker of the Black Phone), and a few others jumping on board. So far, Google has been the most aggressive at sticking to the timeline.

The Wild West of Android apps

These miscreants are hiding out in third-party app stores and in software downloaded via the web. They still look and work like regular apps, but then release the trojanized adware into your device with nearly limitless access to key data.

In a blog post outlining the threat, Lookout’s Michael Bentley cautioned against rooting one’s phone, a popular activity by those who like to install custom ROMs and tinker with the way their phone works.

“The act of rooting the device in the first place creates additional security risk for enterprises and individuals alike, as other apps can then get root access to the device, giving them unrestricted access to files outside of their domain. Usually applications are not allowed to access the files created by other applications, however with root access, those limitation are easily bypassed,” he said.

The security firm said there are three similar families of the trojanized adware that serve up the ads: Shuanet, Komage, and Shudun. Together, they’re responsible for over 20,000 different samples of malware.

Such an issue could be a particular headache for enterprise, as the apps with root access would then be able to get their hands on sensitive company data.

However, it reaffirms that unless you really know what you’re doing, you should avoid rooting your phone and venturing out to such uncharted waters. And, again, stick to the Google Play Store and Amazon App Store, where software is tested for malware and digitally signed before being made available.

Firefox 40 adds Windows 10 UI tweaks, expanded malware protection and more

The Mozilla Foundation has released Firefox version 40 to its public channel for both desktop and Android devices. The milestone update includes a minor Windows 10-inspired UI update and expanded malware protection in addition to the usual batch of bug fixes.

Mozilla said it has made “thoughtful” tweaks to the Firefox interface to give it a streamlined feel. Specifically, version 40 includes larger design elements – a larger “close” button on tabs and a bigger font in the address bar, for example – to make it easier to use with touchscreen devices on small screens.

Following Mozilla’s public outcry to Microsoft regarding the Windows 10 upgrade process, it’s comes as little surprise to see the foundation address some of its qualms in the new version of Firefox. Mozilla has created some support material to help show users how to restore or select Firefox as their default browser in Windows 10.

When using the search field on the Windows 10 taskbar to search the web, Firefox will display results from whichever search engine you select as your default instead of relying on Bing. Other browsers require third-party extensions to pull off the same task although that’s likely to change in the near future.

New developments in Google’s Safe Browsing service now allow Firefox 40 to issue a warning if you’re about to navigate to a website known to contain malicious or deceptive software.

via Firefox 40 adds Windows 10 UI tweaks, expanded malware protection and more – TechSpot.