Fix for WannaCry

Megan Morrone talks to Iain Thomson about a possible fix for those infected with the WannaCry ransomware. Researchers have found a fix to unlock affected computers. The tool, called wannakiwi, allows you to avoid paying the bitcoin ransom, but only if you're running Windows XP, Windows 7 or Windows 2003, AND only if you haven't rebooted your PC since the attack. The key is not magic; it's math that works by finding all the prime numbers that are stored in the ransomware's code. A different tool called WannaKey was released yesterday but only worked on Windows XP and required a second app.


This Week in Tech 614: $46 at the Piggly Wiggly

The WannaCry ransomware attack is far from over. Amazon introduces the Echo Show – will the touchscreen voice assistant/videophone flop? Microsoft announces its own voice assistant, the Cortana Speaker. The US plans to ban laptops on flights from Europe. Comcast and Charter agree not to compete on wireless. Russian hackers pwned by French presidential campaign.

–Christina Warren needs friends in Seattle.
–Father Robert Ballecer just got back from Malta.
–Roberto Baldwin got hung up on by AT&T customer service.
–Alex Wilhelm’s name will not set off your Amazon Voice Assistant.

This terrifying malware destroys your PC if detected

A new type of malware resorts to crippling a computer if it is detected during security checks, a particularly catastrophic blow to its victims.

The malware, nicknamed Rombertik by Cisco Systems, is designed to intercept any plain text entered into a browser window. It is being spread through spam and phishing messages, according to Cisco’s Talos Group blog on Monday.

Rombertik goes through several checks once it is up and running on a Windows computer to see if it has been detected.

That behavior is not unusual for some types of malware, but Rombertik “is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis,” wrote Ben Baker and Alex Chiu of the Talos Group.

Such “wiper” malware has been used in the past, notably against South Korean targets in 2013 and against Sony Pictures Entertainment last year, an attack attributed to North Korea by the U.S. government.

The last check Rombertik does is the most dangerous one. It computes a 32-bit hash of a resource in memory, and if either that resource or the compile time had been changed, Rombertik triggers self-destruct.

It first takes aim at the Master Boot Record (MBR), the first sector of a PC’s hard drive that the computer looks to before loading the operating system. If Rombertik doesn’t have access to the MBR, it effectively destroys all of the files in a user’s home folder by encrypting each with a random RC4 key.

Once either the MBR or the home folder has been encrypted, the computer restarts. The MBR enters an infinite loop that stops the computer from rebooting. The screen reads “Carbon crack attempt, failed.”

When it first gets installed on a computer, it unpacks itself. Around 97 percent of the content of the unpacked file is designed to make it look legitimate and is composed of 75 images and 8,000 decoy functions that are never actually used.

“This packer attempts to overwhelm analysts by making it impossible to look at every function,” Talos wrote.

It also tries to avoid sandboxing, or the practice of isolating code for a while until it has checked out. Some malware tries to wait out the period it is in a sandbox, hoping the sandbox period will time out and it can wake up.

Rombertik stays awake, however, and writes one byte of data to memory 960 million times, which complicates analysis for application tracing tools.

“If an analysis tool attempted to log all of the 960 million write instructions, the log would grow to over 100 gigabytes,” Talos wrote.

via This terrifying malware destroys your PC if detected | PCWorld.

Beware: Fake “The Interview” movie download app is in the wild

“The Interview”, a comedy about a plan to kill North Korea’s leader, Kim Jong-un, is undeniably the hottest movie of the year. It has also been the most controversial, dogged by disputes with hackers threatening physical action against theaters that would play the movie, and by demands to pull the film, which delayed its release. The movie did reach theaters, albeit in limited release, and the internet, via YouTube, Xbox Video and other similar video streaming websites.

With all the racket and commotion, the Rogen-Franco movie has also been a big hit on torrent websites, downloaded tons of times illegally. Apparently, this has been a cue for the cyber evildoers to trick innocent minds again into infecting their smartphones and tablets with malware.

In a recent blog post, security blogger Graham Cluley reports that an Android app claiming to be a client for downloading the movie is spreading across the internet. Quoting Irfan Asrar, a McAfee security expert, the app is part of a torrent exclusive to South Korea. Cluley states:

“Researchers at McAfee – in a joint investigation with the Technische Universität Darmstadt and the Centre for Advanced Security Research Darmstadt (CASED) – have identified that a threat campaign has been active in South Korea in the last few days, attempting to exploit the media frenzy surrounding The Interview‘s release.”

The app looks like an innocent application that will help you pirate the movie. In reality, it contains an Android Trojan named “Android/Badaccents”, which was hosted on Amazon Web Services. It is a banking Trojan that targets a number of Korean banks, including Citi Bank, and is out to steal your personal information and wipe the money off your bank cards. The collected data is then apparently sent to a Chinese mail server. Cluley mentions in his blog that at least 20,000 devices have been infected by the Trojan.

Cluley observed one peculiar thing, though: the malware checks the device’s manufacturer information, and if it is set to “Samjiyon” or “Arirang,” which means the handset was purchased in North Korea, the malware will not infect the host device and instead displays an error message stating “an attempt to connect to the server failed.”

Pondering on whether this was a politics related attack, Cluley quotes Asrar:

“Asrar says that he does not currently believe the limiting of infections to non-North Korean made devices was politically motivated, but instead a commercial decision not to waste bandwidth on users who were outside the targeted region (as North Koreans were unlikely to be customers of the targeted banks).”

Cluley has mentioned that McAfee has notified Amazon of the issue, so further infections can be prevented. Also, he has warned people that there is a possibility of the Trojan being hosted on other websites, wearing different disguises.

via Beware: Fake “The Interview” movie download app is in the wild – Neowin.

One-click test finds Gameover Zeus infections on PCs

Users can test by simply visiting a Web page if their computers have been infected with Gameover Zeus, a sophisticated online banking Trojan that law enforcement officers temporarily disrupted last week.

The one-click test was developed by security researchers from antivirus vendor F-Secure and takes advantage of the malware’s aggressive URL matching algorithm.

Gameover Zeus monitors and injects rogue code into Web browsing sessions when users access banking and other popular websites from infected computers. The targeted sites are determined by regular-expression-based rules listed in the malware’s configuration file.

For example, to steal log-in credentials for Amazon.com or other Amazon websites, the malware checks whether any URL accessed in the browser matches the regular expression “http.*?://.*?amazon..*?/.*?”. However, this regular expression matches not just Amazon sites but any URL that has “amazon” in it, including https://www.f-secure.com/amazon.com/index.html.

“We can use this to ‘trick’ Gameover bots and make an easy check to see if an infection is present in your browser!” said Antti Tikkanen, director of security response at F-Secure, in a blog post Monday.

Tricking an infected PC to “bite”

Visiting the test page set up by F-Secure from a Gameover-infected computer will force the malware to inject its malicious code into it. The page then performs a check on itself to detect if Gameover-specific code was added.

“We search for the string ‘LoadInjectScript’,” Tikkanen said. “If the string is found on the page, we know Gameover Zeus has infected your browser!”

The test is not perfect though, because the malware doesn’t support native 64-bit browsers, so visiting the F-Secure page from such a browser will not detect the infection. Users are therefore advised to perform the test using a 32-bit version of Internet Explorer, Google Chrome or Mozilla Firefox.
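As an added illustration (not F-Secure’s code or the article’s), the URL rule quoted above and the self-check the test page performs, in JavaScript. The sample URLs and page markup are constructed, and the host-anchored comparison rule is an assumption added here to show why the bot’s pattern over-matches:

```javascript
// Regular expression quoted in the article from the Gameover Zeus config.
// The "." after "amazon" is unescaped, so it matches any character, and
// nothing ties "amazon" to the host name, so path text matches too.
const GAMEOVER_AMAZON_RULE = /http.*?:\/\/.*?amazon..*?\/.*?/;

// Returns true when the bot's rule would treat this URL as an Amazon target.
function matchesGameoverRule(url) {
  return GAMEOVER_AMAZON_RULE.test(url);
}

// Assumed host-anchored alternative (not from the article): only URLs whose
// host is amazon.<tld> or a subdomain of it count as Amazon.
function isReallyAmazonHost(url) {
  let host;
  try {
    host = new URL(url).hostname;
  } catch (e) {
    return false; // unparseable input is never treated as Amazon
  }
  return /(^|\.)amazon\.[a-z.]+$/i.test(host);
}

// The check F-Secure's page performs on itself: look for the marker string
// the injected Gameover code leaves behind. `html` is the page's own markup
// (document.documentElement.outerHTML in a browser).
function looksInfected(html) {
  return html.includes('LoadInjectScript');
}

// Constructed sample URLs for a stand-alone run (not captured data).
const SAMPLE_URLS = [
  'https://www.amazon.com/gp/cart',
  'https://www.f-secure.com/amazon.com/index.html',
  'https://example.org/books?q=amazonas/',
  'https://www.f-secure.com/index.html',
];

// Side-by-side view: what the bot would inject into vs. what is really Amazon.
function classifyUrls(urls) {
  return urls.map((u) => ({
    url: u,
    botMatches: matchesGameoverRule(u),
    reallyAmazon: isReallyAmazonHost(u),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of classifyUrls(SAMPLE_URLS)) console.log(r);
  // Constructed markup: a clean page and one carrying the injected marker.
  const cleanPage = '<html><body><h1>Test page</h1></body></html>';
  const injectedPage = '<html><body><h1>Test page</h1><script>LoadInjectScript();</script></body></html>';
  console.log(looksInfected(cleanPage), looksInfected(injectedPage));
}
```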

F-Secure also provides a free online scanner that is capable of detecting and removing the threat.

Law enforcement agencies from multiple countries worked with security vendors to disrupt the Gameover Zeus botnet at the beginning of June.

According to the FBI, the malware infected over 1 million computers and was used to steal millions of dollars from businesses and Internet users worldwide. It was also used to distribute CryptoLocker, a separate malware threat that encrypts files and asks for a ransom to restore them.

The Gameover Zeus botnet has a peer-to-peer architecture with no single point of failure, so it’s possible that its operators might attempt to regain control of it in the future. Because of this, users are advised to scan their computers and remove the malware, if found, as soon as possible.

via One-click test finds Gameover Zeus infections on PCs | PCWorld.

What a fake antivirus attack on a trusted website looks like

Malware that masquerades as legitimate antivirus programs is one of the more insidious threats to plague people browsing websites. In many cases, attackers rely on simple text and graphics to trick visitors into thinking they’re on the verge of a successful drive-by attack and deliver the warning under the guise of a trusted security application. People who fall for the ruse by following the advice presented in the advisory end up infecting themselves.

A recently captured video of one of these attacks in progress demonstrates why they continue to work, at least on less-experienced users who, despite their lack of savvy, know enough to be wary of online attacks. Shortly after visiting a legitimate site, the computer presents a window carrying the name of a well-known security application, in this case Microsoft Security Essentials. The window provides a plausible warning and recommends the user take immediate action to head off imminent infection. The video was shot by researchers from security firm Invincea as they browsed to the main page of Dailymotion.com.

As convincing as the attacks are to some, the video makes clear that these scams aren’t usually hard to spot by people with a small amount of training. Malware warnings, for instance, should never require a user to install an executable file, as the warning in the video does. Legitimate malware warnings will also never be delivered in a browser window and should be generated only by anti-malware programs already installed. When in doubt, users who receive malware warnings should close the browser altogether and see if the popup window persists. Opening an antivirus program from the Windows start menu and running a scan from there is also a good move.

The advice will likely strike some readers as obvious. But for the Aunt Mildreds and Uncle Earnests of the world who are still new to the Internet, or possibly a more seasoned Internet user who is in a rush, the Invincea video may be useful.

Interestingly, the video marks the second time this month DailyMotion has been observed delivering rogue malware warnings to visitors. A DailyMotion representative told ThreatPost Invincea’s original notification was never acknowledged. The company suspects today’s attack is a continuation of the earlier one and the site was never cleaned up. Invincea said only three of the 50 major antivirus programs initially detected the rogue malware, although that figure is sure to improve as providers update their wares.

via What a fake antivirus attack on a trusted website looks like | Ars Technica.

Ransomware targets smaller businesses, security CEO warns

Trending cyber attacks such as ransomware may be typically overlooked by small and midsize businesses, but the CEO of security firm Lumension warns that they are actually in the line of fire.


Around the world, ransomware has proved effective against midsized and smaller business environments, mainly due to the lack of tools available to deal with the attack, said Pat Clawson, chairman and CEO of Lumension, which is based in Scottsdale, Arizona.

“Most corporations have the means to deal with that outright from a technology and people perspective,” he said. “However, if it is a ten person business environment, it is going to cost them a lot of money to get the issue resolved.”

Clawson admits that it is not uncommon for these smaller businesses to even consider paying the ransom with the hope all of the stolen data returns.

“For that reason, ransomware is more effective when it targets SMBs that do not have the ability to fight it by themselves with technology or people,” he said.

Knowledge and power

The benefit that bigger companies have is access to the necessary tools and manpower to take care of the problem, as well as prevent it from happening in the first place.

“The guys who create the ransomware are also smart enough to know where the money is to be made,” Clawson said. “Instead of corporations, they tend to target SMBs and individual people that may fall prey to the attack.”

In addition to having the necessary tools to combat ransomware, Clawson said corporations have a culture where staff are more aware of the pitfalls of ransomware, if it manages to get through at all.

“Their technology is already catching the ransomware at the gateway,” he said. “However, if something does get through, their ability to undo the ransomware is significantly easier than for a private business or single user on their own.”

via Ransomware targets smaller businesses, security CEO warns | PCWorld.

Trojan horse malware destroys delivery files to hide its tactics


Microsoft has discovered an unusually stealthy Trojan capable of deleting files it downloads in order to keep them away from forensics investigators and researchers.

The Trojan downloader, called Win32/Nemim.gen!A, is the latest example of how malware writers are using sophisticated techniques to protect their own trade secrets. The Trojan essentially makes downloaded component files irrecoverable, so they cannot be isolated and analyzed.

“During analysis of the downloader, we may not easily find any downloaded component files on the system,” Jonathan San Jose, a member of Microsoft’s Malware Protection Center, said in a blog post. “Even when using file recovery tools, we may see somewhat suspicious deleted file names but we may be unable to recover the correct content of the file.”

Microsoft managed to grab some components as they were being downloaded from a remote server. The malware’s two purposes were to infect executable files on removable drives, and to unleash a password stealer that snatches credentials from email accounts, Windows Messenger/Live Messenger, Gmail Notifier, Google Desktop, and Google Talk.

Typically, downloaders’ only job is to deliver the core malware. In this case, the downloader delivered the malware and continued to be an integral part of the operation.

Malware gets sneakier

In general, malware has become better at remaining under the radar. Some of the stealthiest malware is used in advanced persistent threats targeted at specific organizations.

“Malware that covers its tracks to prevent the security community from developing quick defensive signatures is the norm today,” said Paul Henry, a forensic analyst for Lumension.

For some time, criminals have developed malware that can sense when it is in a virtualized workstation of the kind commonly used by researchers to isolate and study malicious code. When it is in such an environment, the malware enters a dormant state, so it cannot be easily discovered.

Other malware inserts its malicious code in system memory, never leaving a trail in the infected computer’s registry or hard drive, Henry said.

“Your grandfather’s security solutions will leave you utterly defenseless against today’s evolving threats,” he said.

via Trojan horse malware destroys delivery files to hide its tactics | PCWorld.

Chameleon clickfraud botnet costs advertisers $6 million a month

Researchers at Spider.io have detailed the discovery of a clickfraud botnet that is purportedly causing at least 70 times more financial damage than the Bamital network Microsoft and Symantec killed in early February. By its estimates, the security outfit says the “Chameleon” botnet is costing advertisers more than $6 million per month.

Spider.io has been tracking the network’s behavior since last December and believes it must be highly sophisticated to have evaded display advertisers, which use various algorithms to monitor site activity. The malware targets Windows PCs and uses them to access webpages with a Flash-enabled Trident-based browser.

Currently, more than 120,000 host machines have been identified, with 95% of them located in the US. The Midwest, Southwest and West Coast seem to have the highest concentration of infected systems, particularly California, Hawaii and Texas, which each have 10,000 or more computers affected by Chameleon.

The botnet-controlled machines are directed to generate views for at least 202 websites, though more could be discovered. Spider.io says about 14 billion ad impressions are served across those sites and Chameleon is responsible for a whopping 9 billion or more of them, as well as 7 million distinct ad-exchange cookies.

The researchers say the bots produce click traces and generate engagement activity similar to normal users and they can run Flash and execute JavaScript. However, the network is less impressive on a macro level as all the bots show up as running IE9 on Windows 7 and they repeatedly visit the same sites with little variation.

Spider.io has provided a blacklist of 5,000 IP addresses for the worst of Chameleon’s bots, but we haven’t seen any information about shutdown and cleanup efforts. Perhaps that’s underway and the researchers simply chose not to reveal anything yet. If not, this seems like a prime candidate for Microsoft’s next takedown.

via Chameleon clickfraud botnet costs advertisers $6 million a month – TechSpot.