Showing posts with label virus. Show all posts

Wednesday, June 6, 2012

Avoid Internet Doomsday: Check for DNSChanger Malware Now

Some background:
The DNS system is a network of servers that translates a web address -- such as http://www.google.com -- into the numerical IP addresses that computers use to locate the actual websites, computers and servers. It is often called the Internet's phone book: it translates the name in a URL into the IP address of the server hosting the Web site. This is true not only for Web sites but for every other Internet-based service you use, including the servers for e-mail, backups, synchronization, chat programs and calendars, AND the update servers your antivirus program relies on to update itself.

Back in November, law enforcement authorities working with the Federal Bureau of Investigation arrested six of the seven individuals in Estonia responsible for infecting millions of Windows and Mac machines worldwide with the DNSChanger Trojan. As part of the "Operation Ghost Click" raid, FBI agents also seized over 100 servers at data centers throughout the United States masquerading as legitimate DNS servers.

If the FBI had simply shut down the rogue DNS servers, the millions of computers affected by the malware would instantly have lost their access to the Internet; given the scope of this infection, that would have cut off a great many people and very likely had a notable negative impact globally. Nor would it have helped the owners of infected systems to check and change their DNS settings themselves, since the malware continually reverts the setting and would thereby keep disrupting communications.

To prevent this, the FBI instead chose to keep the rogue DNS servers running and convert them into a legitimate DNS service for the infected computers. Since November 2011 there has been a campaign by the government, security agencies and MANY high-profile internet service providers (ISPs) to notify users about the DNSChanger malware and to offer services that help users identify infected systems.

Most victims don't even know their computers have been infected, although the malicious software probably has slowed their web surfing and disabled their antivirus software, making their machines more vulnerable to other problems.

To quickly and easily see whether this affects you, and what you can do about it, visit this site.

Click on the link in the middle of the page and you will be notified if you are currently infected.

If you are infected/compromised you can visit this page for resolution tips and instructions.
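The check those sites perform boils down to "which DNS servers is this machine configured to use, and are any of them in the rogue ranges?" The Python below is an added example, not code from the original post or from the FBI's tools: it pulls resolver addresses out of either a resolv.conf-style file or `ipconfig /all` output and labels each one. The watchlist ranges in it are constructed placeholders taken from the documentation address space, NOT the real DNSChanger ranges; substitute the ranges published by the FBI or your ISP before relying on the verdict.

```python
import ipaddress
import re
import sys

# Constructed placeholder watchlist (documentation address space). It is NOT
# the DNSChanger range list the FBI published; replace it with that list from
# an official source before relying on the result.
ROGUE_DNS_RANGES = [
    ipaddress.ip_network(n)
    for n in ("192.0.2.0/24", "198.51.100.0/24", "2001:db8:bad::/48")
]

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)
IPCONFIG_RE = re.compile(r"DNS Servers[ .]*:\s*(\S+)")

# Constructed sample inputs, used when no file is given on the command line.
RESOLV_SAMPLE = """# constructed /etc/resolv.conf
nameserver 192.0.2.53
nameserver 10.0.0.1
"""
IPCONFIG_SAMPLE = """   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def _clean(addr):
    """Drop an IPv6 zone id such as %1 that ipconfig appends."""
    return addr.split("%", 1)[0]


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def extract_dns_servers(config_text):
    """Return the resolver addresses found in resolv.conf-style text
    ("nameserver X") or in `ipconfig /all` output, where the first server
    follows "DNS Servers . . . :" and extra servers sit on continuation lines."""
    servers = [_clean(m.group(1)) for m in NAMESERVER_RE.finditer(config_text)]
    continuing = False
    for line in config_text.splitlines():
        m = IPCONFIG_RE.search(line)
        if m:
            servers.append(_clean(m.group(1)))
            continuing = True
        elif continuing and _is_ip(_clean(line.strip())):
            servers.append(_clean(line.strip()))
        else:
            continuing = False
    return list(dict.fromkeys(servers))  # de-duplicate, keep order


def classify(server):
    """Label one configured resolver address."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "unparseable"
    for net in ROGUE_DNS_RANGES:
        if ip in net:  # False automatically when the IP versions differ
            return f"ROGUE (inside watchlist range {net})"
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return "local/private (home router or local resolver)"
    return "public (confirm it belongs to your ISP or a resolver you chose)"


def audit(config_text):
    """Map every resolver found in config_text to its classification."""
    return {s: classify(s) for s in extract_dns_servers(config_text)}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. /etc/resolv.conf, or a saved `ipconfig /all` dump
        with open(sys.argv[1]) as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"resolv.conf sample": RESOLV_SAMPLE, "ipconfig sample": IPCONFIG_SAMPLE}
    for label, text in samples.items():
        print("==", label)
        for server, verdict in audit(text).items():
            print(f"  {server:20s} {verdict}")
```

Because the malware keeps re-writing the setting, a clean result on an infected box only lasts until the next revert; run the check again after cleanup, and if the resolver keeps changing back on its own, that is the infection talking.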

Remember this trojan/virus will affect PCs AND Macs. Better safe than sorry. Or you could always call me for a hou$e call when your system won't connect to the internet.

You can read the FBI's page here.

Google has one here

Facebook also has one here.

Tuesday, April 24, 2012

Another Flashback Variant - 2nd in two days!

Hey Mac users who still haven't taken the hint and updated your systems' security: there's yet another version of the Flashback Trojan for you to enjoy.

It infects unprotected Macs the same way Flashback.K did, through a Java applet exploit, and installs itself without needing your password.
And, just like its predecessor Flashback.K, it erases its footprints by deleting the Java cache and ensures its propagation by installing into the Java Update folder. You can read more here.

Apple released a Java patch in early April, as well as a Flashback removal tool, but clearly not all Mac users patched.

But many Mac users don't even qualify for the patch—it was only available to systems running OS X 10.6 (from 2009) and later. Mac users running OS X v.10.5 and earlier were advised to disable Java altogether. WTF!! However, it's quite possible that many users of these older systems just didn't get the memo and are still running insecure software.

Here is F-Secure’s site that has the checker and removal tool. Check that out too. And please update your systems folks.

Monday, April 16, 2012

OK Mac guys here we go again!

There's another Mac Trojan spreading via Microsoft Office documents and email attachments. The Trojan apparently spreads through infected Office documents, and it's in an "active stage", which means that it searches through documents on infected machines.

Please note that this is a very sophisticated and malicious attack that not only 'infects' your machine but also installs a 'bot' to control it, scan through your system, and take whatever it wants! ALL WITHOUT YOUR INTERACTION AFTER THE FIRST INFECTION!

The attack vector uses several vulnerabilities: the Java hole that Apple finally fixed just last week, and a Microsoft vulnerability that MS patched 3 years ago (but they may update that patch too).

Please folks, keep your Operating System, Applications and security software up to date, and don't be one of those poor naive bastards who think this cannot happen to you.
You can read more here and here

Saturday, June 4, 2011

Latest Mac Malware news 06-04-2011

The Mac Trojan/Malware 'MacDefender' now calls itself 'Mac Shield'.

The malware keeps changing its name and looks but is still essentially the same as before. It is still infecting loads of machines and is, in my opinion, very dangerous: it lures users into handing sensitive financial information to thieves.

Sophos for Mac will remove it. (free) Get it here.

So will Virus Barrier Express from the Apple App Store; here. Also free.

Here is my previous article too.

Tuesday, May 31, 2011

Apple releases fix for MacDefender Trojan

Ok OS X folks. Looks like Apple finally is releasing a 'fix/update' for the MacDefender Trojan.

The update provides a File Quarantine definition for the "OSX.MacDefender.A" malware and Mac OS X 10.6.7 will now automatically update the definitions on a daily basis. The update will also search for and remove MacDefender and its known variants.

The knowledge base article is here 

and the actual download is here

Please update your systems.

My previous article is here.

Thursday, May 26, 2011

MacDefender Trojan Strikes Again!

Apple and Mac folks, I'd like to welcome you to the Windows world of malicious and pernicious attacks - even 'drive-bys'. For over two decades I and the rest of the security world have been trying to inform people that NO networked system is safe from attack. Because of the sheer number and percentage of Windows machines vs. Mac and Linux machines, Windows has been the most easily targeted and exploited platform. But that is changing! With the spread of OS X on the desktop, and the realization by the malicious software vendors that Mac people are VERY EASILY duped and exploited because of their false sense of security, they are coming on strong and fast!

I recently wrote about the new Mac Trojan out and how to defend against it and remove it – read here. After 25 days Apple finally did put a notice and instructions on how to remove it. BUT only after telling their technicians AND users that 1st it didn't exist and then that they would not provide help!

Mac malware authors have released a new, much more dangerous MacDefender trojan variant:

"Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user with an administrator’s account – the default if there is just one user on a Mac – can install software in the Applications folder, a password is not needed. This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind."
Please read this from ZDnet

Apple is promising an update to OS X "in the coming days" that will detect the malware and its known variants, remove it, and remain in order to warn the user if they download it again. But don’t hold your breath!

I've spent years worth of time dealing with people who have been 'sold' on the false idea that "Macs don't get viruses or hacked". Wrong wrong wrong! OS X is built on a '*nix' core - one of the oldest operating system architectures in the world. How could you NOT think that there are exploits around that are just waiting to be ported to the newest derivatives? What type of systems do you think the hackers/crackers were getting into in the 70's and 80's?
I fault Apple a great deal for this. They have been literally selling the LIE that Macs are not susceptible to hacks for years. AND people believe them!

Again welcome to the world of Windows PC responsible computing. Be careful or get burned.

Please practice safe computing folks.

Friday, May 20, 2011

MacDefender trojan/malware is currently spreading on Mac systems - let’s kill it!

MacDefender is the rogue antimalware trojan currently spreading on Mac systems. This malware is known by a variety of names, including "Mac Defender", "MacProtector", "Mac Security", "Apple Security", and "Apple Security Center". It is a great example of how 'social engineering' can be used to trick people into harming themselves. Below are clear and easy procedures for removing it: read the quick summary, or follow the links at the end for walk-throughs with loads of screen shots.

I have written recently about this here, but it appears more people are being ‘snagged’.

Apple support is being of absolutely NO help either! In fact they are telling their people, "Do not attempt to remove malware..." Read about that BS here if you wish. So I thought I'd again provide some tips.

Here is the simple summary of what to do:

  1. In Safari under "Preferences", at the bottom of the "General" tab (the first tab), uncheck "Open safe files". This will prevent Safari from starting threats like MacDefender automatically after downloading them.
  2. Open up "Activity Monitor" (this is in your Utilities folder within Applications)
  3. Find "MacDefender" (or whatever the malware is being called, MacProtector, Mac Security, etc)
  4. Highlight it then click "Quit Process" which looks like a big red stop sign at the top right of the Activity Monitor screen.
  5. Next, open System Preferences, and go to "Accounts". When it appears click on the "Login Items" button, select the program, and then click the "minus" button to remove it from Login Items.
  6. Next, navigate to your Applications folder, find the program, drag it to the trashcan, and then empty the trashcan. Yes. It's really that simple to remove.
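Those six steps can be scripted so the same cleanup runs the same way on every Mac you are asked to fix. The Python below is an added example, not code from the original post or from the linked walk-throughs. Its parsing functions run offline against constructed `ps` and `osascript` output; on an actual Mac, `clean()` gathers the live data and prints the commands it would run, and `clean(apply=True)` runs them. The Safari step uses the `AutoOpenSafeDownloads` preference key behind the "Open safe files" checkbox, and the list of rogue names is the one the post gives.

```python
import os
import re
import subprocess
import sys

# Names the post lists for the rogue app; matching ignores case and spacing.
ROGUE_NAMES = ("MacDefender", "Mac Defender", "MacProtector", "Mac Security",
               "Apple Security", "Apple Security Center")

# Constructed sample data standing in for live output on a Mac.
PS_SAMPLE = """  1 /sbin/launchd
 312 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
 877 /Applications/MacDefender.app/Contents/MacOS/MacDefender
 901 /Applications/Mac Security.app/Contents/MacOS/Mac Security
"""
LOGIN_ITEMS_SAMPLE = "iTunesHelper, MacProtector, Dropbox"
APPLICATIONS_SAMPLE = ["Safari.app", "Mac Security.app", "Utilities"]

LIST_LOGIN_ITEMS = 'tell application "System Events" to get the name of every login item'


def _key(name):
    return re.sub(r"[^a-z]", "", name.lower())


ROGUE_KEYS = {_key(n) for n in ROGUE_NAMES}


def is_rogue(name_or_path):
    """True if a process path, .app bundle name or login item matches a known name."""
    base = os.path.basename(name_or_path.rstrip("/"))
    if base.endswith(".app"):
        base = base[:-4]
    return _key(base) in ROGUE_KEYS


def find_rogue_processes(ps_output):
    """Parse `ps -axo pid=,comm=` output into (pid, command) pairs that match (steps 2-3)."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].isdigit() and is_rogue(parts[1]):
            hits.append((int(parts[0]), parts[1]))
    return hits


def find_rogue_login_items(osascript_output):
    """Parse the comma-separated list that LIST_LOGIN_ITEMS returns (step 5)."""
    return [i.strip() for i in osascript_output.split(",") if is_rogue(i.strip())]


def build_cleanup_commands(ps_output, login_items_output, app_entries):
    """Turn the post's steps into shell commands; pure, so it can be checked offline."""
    cmds = [["defaults", "write", "com.apple.Safari",
             "AutoOpenSafeDownloads", "-bool", "false"]]          # step 1
    for pid, _ in find_rogue_processes(ps_output):               # step 4 (SIGTERM, like Quit Process)
        cmds.append(["kill", str(pid)])
    for name in find_rogue_login_items(login_items_output):      # step 5
        script = 'tell application "System Events" to delete login item "%s"' % name.replace('"', '\\"')
        cmds.append(["osascript", "-e", script])
    for entry in app_entries:                                    # step 6
        if is_rogue(entry):
            cmds.append(["rm", "-rf", os.path.join("/Applications", entry)])
    return cmds


def clean(apply=False):
    """On a Mac, gather live data and print (or, with apply=True, run) the commands."""
    if sys.platform != "darwin":
        return []
    ps = subprocess.run(["ps", "-axo", "pid=,comm="], capture_output=True, text=True).stdout
    items = subprocess.run(["osascript", "-e", LIST_LOGIN_ITEMS], capture_output=True, text=True).stdout
    cmds = build_cleanup_commands(ps, items, os.listdir("/Applications"))
    for c in cmds:
        print(" ".join(c))
        if apply:
            subprocess.run(c)
    return cmds


if __name__ == "__main__":
    if sys.platform == "darwin":
        clean(apply="--apply" in sys.argv)
    else:  # not a Mac: show what the parser would do with the constructed sample
        for c in build_cleanup_commands(PS_SAMPLE, LOGIN_ITEMS_SAMPLE, APPLICATIONS_SAMPLE):
            print(" ".join(c))
```

Run it without `--apply` first and read the list: a name-based match is only as good as the list of names, and the post itself notes the malware keeps changing them, so add any new name you see in Activity Monitor to ROGUE_NAMES before applying.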

Here are the two best links I could find for simple walk-throughs. I would rather not repeat the tutorials they have already taken the time to do.
Their work is much appreciated.

Now the super links with detailed screen shots and some additional tips:
The HowToGeek.com site has a great walk through here.

VRT-blog has some good information on this also, read that here.

Folks, if you use a Mac and you connect it to any other systems - especially the internet - please realize that you are vulnerable to attacks and hacks. NO system is immune to attack! Macs and Linux systems have benefited from a more secure file system/OS structure (for the most part) than previous Windows systems, AND from the fact that their numbers were small - about 8% of all network-connected desktop machines - which made them a 'low volume' target. Nevertheless they are now increasingly being attacked, especially since many Apple users have been lied to and told they are invulnerable to attack.

BE SAFE FOLKS!

Tuesday, May 3, 2011

New Mac Trojan horse and Security tips from the NSA

There is a new Mac Trojan horse that masquerades as a virus scanner – read about that here. This is another example of social engineering - tricking users into making security mistakes.
Users looking for legitimate protection against viruses on their Macs might be duped into downloading and installing this. Essentially this is 'ransomware': it requires payment to 'stop' the 'infection'. AND the payment information is often then sold on to other nefarious people.

Remember that NO operating system is immune to attack. And since every system is used by humans, humans remain the biggest weak link.

Also in other security news the NSA has released some good advice and documents for better security practices with your home network, and Operating Systems (including Mac OSX).
Read about that here. [via PCMAG Security watch blog].

Nearly all of this contains information that I and other security people have been saying for years but is well worth reading.

Monday, January 3, 2011

More Malware in the wild: 'E-Card'

Hi folks just thought I'd pass this on.
The folks at Shadow Server have found this propagating.
There are loads of new security threats - many using tried and true vectors.
This one uses the 'E-Card' email route.
One that STILL somehow gets people! Please NEVER, EVER, EVER open up these types of links!
They often look like this.

[screenshot: example of the 'E-Card' bot spam message]

Microsoft also has information on this latest threat here:

http://blogs.technet.com/b/mmpc/archive/2010/12/31/unhappy-new-year.aspx

Please folks, be careful and exercise caution when opening email or 'clicking' on links, and keep your systems up to date.

Sunday, August 22, 2010

Another reason to use Firefox and Add-ons/Extensions

As I've previously written more than a few times, I use Firefox as my primary Internet browser because of the extensive number of add-ons and scripts available. This helps make the browser a 'super tool' for me. With Firefox I can block unwanted ads and scripts, stop annoying 'auto play' music and videos, download just about any video, picture or file, FTP from within my browser, download/convert nearly any web page to PDF, and many other cool and productive things.

Now I can add virus scanning of files BEFORE I download them to that list.
The VTzilla Firefox extension adds a Scan with VirusTotal option to Firefox's right-click context menu and file download dialog that allows you to scan any file for a virus before you commit to downloading it to your computer.

VirusTotal is a service that analyzes suspicious files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and web analysis toolbars.
It's a brilliant web service that scans any file you send it against 42 of the best malware scanners available.

They now have an add-on for Firefox that lets you scan via a simple 'right-click' on a file you intend to download.

Get Started

The first thing you must do is install the add-on itself. You can do this by RIGHT-clicking on the following link while visiting this site with Firefox and choosing 'Save Link As', then saving it to your desktop or wherever.

[screenshot: saving the .xpi file]

Then simply drag the file (.xpi) into an open Firefox browser window and it should start the install process. Make sure to choose to ‘Allow’ and install.

Note: By default, VTzilla turns on a new toolbar in Firefox. To disable it, navigate to View -> Toolbars, then uncheck VirusTotal Toolbar.

After installing the component you will have to restart Firefox to start making use of it, below you can find some examples of use.

Scan suspicious links with VTzilla

Imagine you have logged into your Gmail account and you have received a suspicious email from your bank. The email is informing you about an unauthorized access to your account and is asking you to follow a link and provide your credentials to view the account access log.

Since you are a smart guy, you know that this mail is probably a phishing case. Even though you know that this is a scam, you are committed to helping others, hence you right-click on the suspicious link and select the Scan with VirusTotal option from the context menu:

This will open a new tab in the same browser window, and that tab will show the report for the requested URL scan. Note that the scanning process will also download the file/site behind the target link, so do not forget to click on the View downloaded file analysis link.

Scan downloads before storing them

Let us suppose your good friend John Doe has sent you an email with a slide presentation. You know that very often these slides contain exploit code that will compromise your computer. When you click on the slide presentation in your webmail a download dialog appears; you are a cautious user, so you decide to scan the file first with VirusTotal:

Once you have checked the file, you will decide whether or not to download it to your PC.

Simple.

Warning!!: VirusTotal is not a substitute for any antivirus software installed on a PC, since it only scans individual files on demand. It does not offer permanent protection for users' systems either.

Friday, June 12, 2009

OS X Security and Malware

Please folks practice safe computing - keep your systems up to date, don't install pirated software (including music and videos), clear your browser cache often, and don't install 'helpers' or 'codecs' you cannot thoroughly verify.
Using the line "I have a Mac, I don't get worms or viruses, etc." is not only naively silly, it can also be costly.
Remember OS X is built on a Unix foundation, and Unix has been around since 1969! So you can bet that as the Mac user population increases, the number of hacks 'ported' to OS X will start to grow exponentially. That, coupled with Apple's misleading marketing campaign saying "Macs don't get viruses, etc.", often leads to poor computing habits that can, and I am sure will, be exploited more and more.
So keep safe out here.
Some scary info:
http://www.sophos.com/blogs/sophoslabs/v/post/4811

http://www.sophos.com/blogs/sophoslabs/v/post/3710

Peace out

Friday, April 24, 2009

Conficker Worm is here!

Yes folks, it looks like the worm is very active again.
Please take the time to protect yourself and your data. A few minutes of safety can save hours or days of frustration and money.

The worm started spreading late last year, infecting millions of computers and turning them into "slaves" that respond to commands sent from a remote server that effectively controls an army of computers known as a botnet.

The worm is quietly turning personal computers into servers of e-mail spam, flooding users with malicious emails that in turn can spread the worm again.
It is loading more malicious software onto the computers under the botnet creators' control.
According to the Russia-based security company Kaspersky Lab:
"Conficker installs a second virus, known as Waledac, that sends out e-mail spam without knowledge of the PC's owner, along with a fake anti-spyware program.
The Waledac virus recruits the PCs into a second botnet that has existed for several years and specializes in distributing e-mail spam.
Conficker also carries a third virus that warns users their PCs are infected and offers them a fake anti-virus program, Spyware Protect 2009 for $49.95.
If they buy it, their credit card information is stolen and the virus downloads even more malicious software."

Please don't be one of those who get scammed, lose control of their system or lose their data altogether.

Microsoft has some good resources here:
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

And offers a great free scan that I recommend here:
http://onecare.live.com/site/en-us/default.htm

For further steps you can take read my two previous posts:
http://mycraniumdrain.blogspot.com/2009/03/conflicker-protection.html

http://mycraniumdrain.blogspot.com/2009/03/more-conflicker-check-for-infection.html

Peace and safe computing

Tuesday, February 24, 2009

Let's Kill Some Spyware!!

I recently had to help some people remove some serious spyware/malware/virii.
Now normally, if I can't 'kill' the bad stuff fairly quickly, I will simply get the person's 'data' - documents, pics, music etc. - off the machine and then delete the partitions, wipe the drives, re-format and re-install the operating system clean.
But sometimes in a business situation this is not always possible.
Or sometimes all the needed applications are not available for 're-install'
For this you must try and 'save' your system without the 'nuclear option'.
So here is one of the best methods I use on a 'running' active system.
Read all the instructions and download ALL of the suggested applications from a 'non-infected' machine 1st.
Then place them on a portable drive - usb or a directory on the infected system [c:\killmalwareapps or something]
Ok let's start.
1st, on the infected machine delete the 'hosts' and 'lmhosts' files.
They will be located in the c:\windows\system32\drivers\etc folder.
[Possibly c:\winnt\system32\drivers\etc]
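Before deleting the hosts file blind, it is worth seeing what the infection did to it, because a hosts file that blackholes the scanner and vendor sites is exactly why the online scan below has to run from a clean browser. The Python below is an added example, not code from the original post: `audit_hosts()` flags hostnames that are blackholed to a loopback/unspecified address or redirected anywhere else, using a watchlist of the update and vendor domains this post links to (my assumption, not a list from the page), and `reset_hosts()` does what the step says, backing the file up and replacing it with a minimal default. It handles `hosts` only, not the NetBIOS `lmhosts` file.

```python
import ipaddress
import shutil
import sys
import time

# Assumed watchlist (my choice, not from the post): vendor/update domains the
# post links to, plus Windows Update. Malware that blocks or redirects these
# is cutting off the very tools you are about to use.
WATCHED_SUFFIXES = ("trendmicro.com", "safer-networking.org", "malwarebytes.org",
                    "microsoft.com", "windowsupdate.com")

DEFAULT_HOSTS = "# hosts file reset by audit script\n127.0.0.1\tlocalhost\n::1\tlocalhost\n"

# Constructed sample of a tampered hosts file; the 192.0.2.x address is a
# documentation address standing in for an attacker-controlled server.
HOSTS_SAMPLE = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       housecall65.trendmicro.com    # scanner site blackholed
0.0.0.0         www.malwarebytes.org
192.0.2.44      www.microsoft.com             # update traffic redirected
192.0.2.44      www.example-bank.com
10.0.0.5        fileserver.corp.example       # intranet entry, may be legitimate
"""


def _watched(hostname):
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """One finding per hostname that is blocked (watched name mapped to a sinkhole
    address) or redirected (any name mapped to a non-local address); malformed
    lines are reported too. Plain localhost-style entries are ignored."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None
        if ip is None or len(fields) < 2:
            findings.append({"line": lineno, "address": fields[0], "hostname": None,
                             "finding": "malformed", "watched": False})
            continue
        sinkhole = ip.is_loopback or ip.is_unspecified
        for name in fields[1:]:
            if sinkhole and not _watched(name):
                continue  # ordinary "127.0.0.1 localhost" style entry
            findings.append({"line": lineno, "address": fields[0], "hostname": name,
                             "finding": "blocked" if sinkhole else "redirect",
                             "watched": _watched(name)})
    return findings


def reset_hosts(path):
    """Back the file up beside itself with a timestamp, then write a minimal default."""
    backup = f"{path}.bak-{int(time.time())}"
    shutil.copy2(path, backup)
    with open(path, "w") as fh:
        fh.write(DEFAULT_HOSTS)
    return backup


if __name__ == "__main__":
    # usage: hosts_audit.py [path-to-hosts] [--reset]
    path = next((a for a in sys.argv[1:] if not a.startswith("--")), None)
    if path:
        with open(path) as fh:
            text = fh.read()
    else:
        text = HOSTS_SAMPLE
    for f in audit_hosts(text):
        flag = "  [watched]" if f["watched"] else ""
        print(f"line {f['line']}: {f['finding']:9s} {f['hostname']} -> {f['address']}{flag}")
    if path and "--reset" in sys.argv:
        print("backup written to", reset_hosts(path))
```

A "redirect" finding is only suspicious in context: an intranet name pointing at a 10.x address may be the sysadmin's doing, while a vendor or bank name pointing at an outside address almost never is. That is why the script reports rather than deletes, and why the reset keeps a backup you can diff later.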
Then try an online scan from Trend Micro.
To do this safely - using an 'external non-infected browser' you need to run 'Firefox portable' off USB drive.
This will allow a 'clean run' of a browser for a live malware/spyware scan:
How To:
The article here:
http://firefox-fangirl.livejournal.com/1977.html
explains how to download the latest portable Firefox builds and how to correctly install it as a 'portable app' on a separate folder or usb drive. I 'install' it to a directory called 'portablefirefox' and then I copy that to my USB drive.

Then go to Trend Micro USING THE PORTABLE FIREFOX and run their housecall application and run a scan:
http://housecall65.trendmicro.com/
Make sure you do NOT use any browser installed on the infected system!!!
Use the 'Firefox Portable' application to get to the web.

Other tools to have on hand (on your usb drive) before starting.
From Sysinternals:
http://technet.microsoft.com/en-us/sysinternals/default.aspx

Get the following apps. Download on clean system and transfer to usb.
Autoruns - finds everything actually loading at startup.
You will find all kinds of 'crap' that shouldn't be there.
http://download.sysinternals.com/Files/Autoruns.zip
Extract and run this to show EVERYTHING that is loaded at start up.
This includes applications, scripts, drivers, ActiveX controls, DLLs and more.

Process Explorer
http://download.sysinternals.com/Files/ProcessExplorer.zip
This helps find unwanted running processes and helps in their termination.
Run the application to see every currently running process/application on your system.

You will often need some or all of the following applications to 'kill' bad processes.
That is, malicious programs that are running 'un-authorized' processes.

unlocker
http://ccollomb.free.fr/unlocker/

wholockme
http://www.dr-hoiby.com/WhoLockMe/

file assassin
http://www.malwarebytes.org/fileassassin.php

A great spyware finder:

spybot s&d
http://www.safer-networking.org/en/spybotsd/index.html
I install this as my online scan is running (if possible).
Don't confuse this application with others that are trading on the 'Spybot' name and are actually spyware themselves. The one and only original FREEWARE application is here.
http://www.spybotupdates.biz/files/spybotsd162.exe

Remember to have all these files already downloaded and copied to your portable drive.

And to assist in cleaning out all 'temp' type files:
CCleaner
Especially useful if there is an 'unseen' internet app (IE or Firefox) continually downloading malware in the background.
I will run this over and over while running spybot scans.

http://www.filehippo.com/download_ccleaner/download/d1565b7fb77b48a3692a199d871845fd/

Anyhow, this is a quick but, I think, fairly thorough way of cleaning an infected system if you don't have a 'Live' type of utility or rescue disk available such as UBCD (Ultimate Boot CD), Hiren's, or a custom BartPE disk.