Category Archives: Microsoft

Windows BITS Service Used to Reinfect Computers with Malware 

Crooks found a way to reinfect computers with malware via the Windows BITS service, months after their initial malware was detected and deleted from the infected system.

BITS (Background Intelligent Transfer Service) is a Windows component for transferring files between a client and a server in the background, using idle network bandwidth. It manages a queue of transfer jobs that survive reboots and resume after network interruptions, and it is the service Windows Update and many other software updaters rely on to download their packages.

According to US-based Dell subsidiary SecureWorks, crooks are using BITS to set up recurring malware download jobs, and then leveraging the service's ability to run a command when a job completes to launch the malware it downloaded.

Abusing BITS is nothing new: criminals have used the service as early as 2006, when Russian crooks were peddling malicious code that used BITS to download and install malware on infected systems.

Initial malware infection took place back in March 2016

In this particular case, SecureWorks staff were called in to investigate a system that showed no malware infection but kept raising security alerts about suspicious network activity.

The SecureWorks team discovered that the initial infection took place on a Windows 7 PC on March 4, 2016, and that the original malware, a version of the DNSChanger malware called Zlob.Q, had created malicious BITS jobs on the system.

These rogue BITS tasks would download malicious code on the system and then run it, eventually cleaning up after itself.

The user's antivirus removed the initial malware, but the BITS jobs it had created remained and kept re-downloading malware at regular intervals. Because BITS is a trusted Windows service, the antivirus did not flag the downloads themselves as malicious, though it still raised alerts for the irregular activity.

BITS tasks could be used in much more dangerous ways

In this case, SecureWorks reports that the BITS jobs downloaded a DLL and launched it as the job's "notification program", the command BITS runs once a transfer completes.

BITS jobs are abandoned after 90 days of inactivity by default, and had the malware authors made fuller use of the service, they could have kept a permanent foothold on the infected system.

SecureWorks staff present a method of searching for malicious BITS jobs in their technical write-up, along with a list of the domains from which this particular infection kept downloading malicious code.
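As an added example (my own, not the search method from the SecureWorks write-up), here is a PowerShell triage script that enumerates every user's BITS jobs and flags the traits the article describes: a command line BITS runs on completion, a download source outside an allowlist, and a job that has been sitting around for weeks. The allowlisted hosts and the 30-day threshold are assumptions to adapt to your environment, and the script must run from an elevated prompt to see jobs owned by other accounts.

```powershell
# Added example, not from the SecureWorks write-up. Run elevated: -AllUsers needs
# administrator rights to list jobs created by other accounts.
# $trustedHosts is an assumption; extend it with your own update and software sources.
$trustedHosts = @('*.microsoft.com', '*.windowsupdate.com', '*.windows.com')
$staleAfter   = (Get-Date).AddDays(-30)   # assumed threshold, not a BITS setting

function Test-TrustedSource {
    param([string]$Url)
    try { $hostName = ([uri]$Url).Host } catch { return $false }
    if (-not $hostName) { return $false }   # file:// paths and malformed URLs are flagged too
    foreach ($pattern in $trustedHosts) {
        if ($hostName -like $pattern) { return $true }
    }
    return $false
}

function Get-SuspiciousBitsJob {
    foreach ($job in Get-BitsTransfer -AllUsers) {
        $reasons = @()
        # A notification command line: BITS runs it when the job completes, which is
        # exactly how the Zlob.Q jobs launched the DLL they had downloaded.
        if ($job.NotifyCmdLine) {
            $reasons += "runs on completion: $($job.NotifyCmdLine -join ' ')"
        }
        # Remote sources that are not on the allowlist.
        foreach ($file in $job.FileList) {
            if (-not (Test-TrustedSource $file.RemoteName)) {
                $reasons += "untrusted source: $($file.RemoteName) -> $($file.LocalName)"
            }
        }
        # Long-lived jobs: BITS abandons idle jobs after 90 days by default, but a job
        # that keeps transferring, or fails and retries, can live far longer.
        if ($job.CreationTime -lt $staleAfter) {
            $reasons += "created $($job.CreationTime.ToString('u'))"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId   = $job.JobId
                Name    = $job.DisplayName
                Owner   = $job.OwnerAccount
                State   = $job.JobState
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Job creation and transfer events from the BITS client log, for building a timeline
# of when the jobs were created and what they fetched.
function Get-RecentBitsEvent {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Bits-Client/Operational'
        Id        = 3, 59, 60    # 3 = job created, 59 = transfer started, 60 = transfer stopped
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-SuspiciousBitsJob | Format-Table -AutoSize -Wrap
Get-RecentBitsEvent   | Format-Table -AutoSize -Wrap

# Once a job's details are captured, cancel it with:
#   Get-BitsTransfer -AllUsers | Where-Object JobId -eq '<job id>' | Remove-BitsTransfer
```

Capture the job details (source URLs, local paths, notification command) before removing anything, because the downloaded files and the command line are the only leads back to the original infection once the job is gone. On hosts without the BITS cmdlets, `bitsadmin /list /allusers /verbose` gives a comparable listing.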

To read more and the original story follow this link to Softpedia

The Best Cloud Storage


Access your files anytime, anywhere, and from any device.

I’m a huge fan of using cloud storage and heavily depend on these services to store my files while keeping them secure and easily accessible at any time. I have used just about every different cloud provider that allows users a free account with free storage, which is basically all the major players in the cloud storage field.

I am sharing this information that was gained through research conducted on the best storage providers by Reviews.com. Find the article here.

According to the research, 45 different options (including 26 different apps) for cloud storage services were tested to find the pros and cons and to determine the best all around services.

The best cloud storage providers:

Provider       Best for                  Free space   Cheapest premium option   File-size limit   Server location   iOS app rating   Android app rating   Windows app rating
Dropbox        Lightweight users         2GB          $9.99 for 1TB             Varies            United States     3.5              4.4                  3.5
Google Drive   Teams and collaboration   15GB         $1.99 for 100GB           5TB               Worldwide         4.5              4.3                  3.9
OneDrive       Devoted Windows users     15GB         $1.99 for 100GB           10GB              Worldwide         4                4.4                  4.2
Box            Enterprise solutions      10GB         $10 for 100GB             Varies            Worldwide         4                4.2                  4.4

The following is from the research done by Reviews.com

How We Found the Best Cloud Storage

We started by compiling a list of 45 different cloud-based software solutions and then we hit the books (well, the internet, that is). We read reviews from the top technology blogs, dissected user guides, toyed with a bunch of settings, and narrowed our list down to our top four recommendations using these five criteria:

1. We removed services that are focused primarily on media- and OS-level backups.

17 disqualified

Of the active users we surveyed, 53 percent primarily use cloud storage for media and file sharing, so our best picks had to be well-rounded, and not focused on automated, system-level backups.

2. We removed services that are just for business and have no personal option.

21 disqualified

Enterprise cloud solutions are technical, and include a plethora of features that most people either don’t need, or would find confusing, such as task management and user comments.

3. We cut all services without extensive support for OS X, Windows, Android, and iOS.

24 disqualified

A huge benefit of cloud storage is that it bridges the gap between operating systems. We only passed services that support all of the most common desktop and mobile operating systems.

4. We cut any cloud storage services that did not offer a freemium version.

33 disqualified

Offering a freemium version is obviously a great way for companies to win new users, but it’s also part of being the best cloud storage service. Not everyone is a power user, after all. And why pay when you don’t have to?

5. We cut any contenders that didn’t have an average of 3.5 stars or higher from the App Store, Google Play Store, and Windows Store.

41 disqualified

If there’s one thing that should be indicative of cloud storage, it’s mobility. Filtering out low-rated mobile apps was a great way to find out which companies really catered to their users. Of course, app scores change with every update and release, but as of our latest update all of our top contenders had high marks.

For more information and the full breakdown of the research conducted by Reviews.com please follow the link below.

Research provided by Reviews.com

90 Percent of All SSL VPN Use Insecure or Outdated Encryption


Information security firm High-Tech Bridge has conducted a study of SSL VPNs (Virtual Private Networks) and discovered that nine out of ten such servers don’t provide the security they should be offering, mainly because they are using insecure or outdated encryption.

An SSL VPN differs from a classic IPsec VPN in that it can be used from a standard web browser, without installing dedicated client software.

SSL VPNs run on servers, and clients connect to the VPN through their browsers alone. The connection between the user's browser and the VPN server is encrypted with the SSL or TLS protocol, so the security of the whole setup rests on how that TLS endpoint is configured.

Three-quarters of all SSL VPNs use untrusted certificates

Researchers from High-Tech Bridge say they analyzed 10,436 randomly selected SSL VPN servers and they found that most of them are extremely insecure.

They claim that 77% of the SSL VPNs tested still accept SSLv3 or SSLv2 connections. Both versions of the SSL protocol are considered insecure today, to the point that international and national standards such as PCI DSS and NIST SP 800-52 prohibit their use.

Regardless of SSL version, 76% of the SSL VPN servers also used untrusted certificates: certificates not issued by a certificate authority that client software trusts, typically self-signed or vendor-default ones. A browser cannot tell such a certificate apart from one an attacker presents, so users who click through the warning can be subjected to MitM (Man-in-the-Middle) attacks.

High-Tech Bridge experts say most of these untrusted certificates are the pre-installed default certificates that SSL VPN appliances ship with, which are rarely replaced.

Some VPNs still use MD5 to sign certificates

Additionally, the researchers note that 74% of the certificates are signed with SHA-1 and 5% with MD5. Both hash functions are outdated for certificate signatures: MD5 collisions have already been used to forge certificates, and SHA-1 is being phased out by browsers and certificate authorities.

41% of the SSL VPNs also used 1024-bit RSA keys, even though for years any RSA key shorter than 2048 bits has been considered inadequate.

Even worse, one in ten SSL VPNs is still vulnerable to the two-year-old Heartbleed vulnerability, despite patches being available.

Out of all the tested SSL VPNs, researchers say that only 3% followed PCI DSS requirements. None managed to comply with NIST (National Institute of Standards and Technology) guidelines.

High-Tech Bridge is also providing a free tool that can tell users if their SSL VPN or HTTPS website is actually doing a good job of protecting them.
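The checks the study counts (legacy protocol versions, signature hash, RSA key size, and chain trust) can be run against a single gateway from PowerShell with the .NET `SslStream` and `X509Chain` classes. The script below is an added example of mine, not High-Tech Bridge's scanner; the host name at the bottom is a placeholder, and Heartbleed is deliberately left out because it needs a dedicated test that sends a malformed heartbeat record rather than a normal handshake.

```powershell
# Added example, not High-Tech Bridge's tool. Works in Windows PowerShell 5.1 and
# PowerShell 7. Accepts any certificate during the handshake; trust is judged separately.
$acceptAnyCert = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors) $true
}

function Test-SslVpnEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Legacy protocol versions. Each handshake is pinned to a single version.
    #    Modern .NET and Schannel refuse to even offer SSLv2/SSLv3, so an exception
    #    there means "could not test", not "server rejects it"; check -Verbose output.
    $legacy = [ordered]@{ Ssl2 = 'SSLv2'; Ssl3 = 'SSLv3'; Tls = 'TLS1.0'; Tls11 = 'TLS1.1' }
    foreach ($entry in $legacy.GetEnumerator()) {
        $tcp = $null; $ssl = $null
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAnyCert)
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]($entry.Key), $false)
            $findings.Add("ACCEPTS_$($entry.Value)")
        } catch {
            Write-Verbose "$($entry.Value): $($_.Exception.Message)"
        } finally {
            if ($ssl) { $ssl.Dispose() }
            if ($tcp) { $tcp.Dispose() }
        }
    }

    # 2. The certificate the server presents in a normal handshake.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAnyCert)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }

    # Signature hash: FriendlyName looks like md5RSA, sha1RSA, sha256RSA.
    $sigAlg = $cert.SignatureAlgorithm.FriendlyName
    if ($sigAlg -match '^(md2|md5)')  { $findings.Add("WEAK_SIGNATURE $sigAlg") }
    elseif ($sigAlg -match '^sha1')   { $findings.Add("DEPRECATED_SIGNATURE $sigAlg") }

    # RSA key length (null for non-RSA keys, which are not graded here).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($rsa -and $rsa.KeySize -lt 2048) { $findings.Add("SHORT_RSA_KEY $($rsa.KeySize)") }

    # 3. Trust, judged the way a client would: does the chain end at a root this
    #    machine trusts? Vendor-default and self-signed certificates fail here.
    #    Revocation checking is skipped so that an offline CRL does not mask the result.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $findings.Add("UNTRUSTED_CHAIN $status")
    }
    if ($cert.Subject -eq $cert.Issuer) { $findings.Add("SELF_SIGNED $($cert.Subject)") }
    if ($cert.NotAfter -lt (Get-Date)) { $findings.Add("EXPIRED $($cert.NotAfter.ToString('u'))") }

    [pscustomobject]@{
        Target   = "${HostName}:${Port}"
        Subject  = $cert.Subject
        Findings = $findings.ToArray()
    }
}

Test-SslVpnEndpoint -HostName 'vpn.example.test'    # placeholder; use your own gateway
```

An empty `Findings` list means the gateway clears the bars the study measured, not that it is secure: the chain check does not compare the certificate's name to the host you connected to, and cipher suite strength and Heartbleed need separate tests.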

For the original story follow this link to Softpedia for more information.

New malware used to attack energy companies

The Trojan program is used for reconnaissance and distribution of additional malware, researchers from Symantec say

A new malware program is being used to do reconnaissance for targeted attacks against companies in the energy sector.

The program, dubbed Trojan.Laziok by researchers from antivirus vendor Symantec, was used in spear-phishing attacks earlier this year against companies from the petroleum, gas and helium industries.

The attacks targeted companies from many countries in the Middle East, but also from the U.S., India, the U.K., and others, according to malware researchers from Symantec.

The Trojan is spread via emails with malicious documents that exploit a Microsoft Office vulnerability for which a patch has existed since April 2012.

“If the user opens the email attachment, which is typically an Excel file, then the exploit code is executed,” the Symantec researchers said Monday in a blog post. “If the exploit succeeds, it drops Trojan.Laziok, kicking off the infection process.”

Trojan.Laziok is mainly used to determine if a compromised system is worth further attention from the attackers. It collects information like the computer’s name, RAM size, hard disk size, GPU and CPU type, as well as a list of installed software, including running antivirus programs.

The information is sent back to the attackers, who then decide if they want to deploy additional malware that can provide them with remote access to the infected system. For this second stage of attack they use customized versions of Backdoor.Cyberat and Trojan.Zbot, two well known malware threats.

“The group behind the attack does not seem to be particularly advanced, as they exploited an old vulnerability and used their attack to distribute well-known threats that are available in the underground market,” the Symantec researchers said. “However, many people still fail to apply patches for vulnerabilities that are several years old, leaving themselves open to attacks of this kind.”

For more information and the original story follow this link to Computerworld

For a year, gang operating rogue Tor node infected Windows executables

A flowchart of the infection process used by a malicious Tor exit node.

Attacks tied to gang that previously infected governments with highly advanced malware.

Three weeks ago, a security researcher uncovered a Tor exit node that added malware to uncompressed Windows executables passing through it. Officials with the privacy service promptly shut down the Russia-based node, but according to new research, the group behind the node had likely been infecting files for more than a year by that time, causing careless users to install a backdoor that gave attackers full control of their systems.

What’s more, according to a blog post published Friday by researchers from antivirus provider F-Secure, the rogue exit node was tied to the “MiniDuke” gang, which previously infected government agencies and organizations in 23 countries with highly advanced malware that uses low-level code to stay hidden. MiniDuke was intriguing because it bore the hallmark of viruses first encountered in the mid-1990s, when shadowy groups such as 29A engineered innovative pieces of malware for fun and then documented them in an E-zine of the same name. Written in assembly language, most MiniDuke files were tiny. Their use of multiple levels of encryption and clever coding tricks made the malware hard to detect and difficult to reverse engineer. The code also contained references to Dante Alighieri’s Divine Comedy and alluded to 666, the “mark of the beast” discussed in the biblical Book of Revelation.

“OnionDuke,” as the malware spread through the latest attacks is known, is a completely different malware family, but some of the command and control (C&C) channels it uses to funnel commands and stolen data to and from infected machines were registered by the same persona that obtained MiniDuke C&Cs. The main component of the malware monitored several attacker-operated servers to await instructions to install other pieces of malware. Other components siphoned login credentials and system information from infected machines.

Besides spreading through the Tor node, the malware also spread through other, undetermined channels. The F-Secure post stated:

During our research, we have also uncovered strong evidence suggesting that OnionDuke has been used in targeted attacks against European government agencies, although we have so far been unable to identify the infection vector(s). Interestingly, this would suggest two very different targeting strategies. On one hand is the “shooting a fly with a cannon” mass-infection strategy through modified binaries and, on the other, the more surgical targeting traditionally associated with APT [advanced persistent threat] operations.

The malicious Tor node infected uncompressed executable files carried over unencrypted (plain HTTP) connections. It worked by inserting the original executable into a "wrapper" that added a second executable. Tor users downloading executables from an HTTPS-protected server or using a virtual private network were immune to the tampering; those who were careful to install only apps that were digitally signed by the developer would likely also be safe, although that assurance is by no means guaranteed: it's not uncommon for attackers to compromise legitimate signing keys and use them to sign malicious packages.

Tor officials have long counseled people to use encryption when using the privacy service, and OnionDuke provides a strong cautionary tale of what happens when users fail to heed that advice.
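The signed-apps caveat above is worth turning into a routine. As an added example of mine (not from the F-Secure or Ars Technica write-ups), the PowerShell function below runs the three checks a user should apply to an executable downloaded over Tor or any other untrusted path before running it: compare its hash to the one the publisher advertises, verify the Authenticode signature against the file's current bytes, and pin the signing certificate so that a valid signature from a stolen key is still caught. The expected hash and thumbprint are inputs you fetch from the publisher over HTTPS; the values in the usage line are placeholders.

```powershell
# Added example, not from the F-Secure or Ars Technica write-ups.
function Test-DownloadedExecutable {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256,              # published by the vendor, fetched over HTTPS
        [string[]]$TrustedSignerThumbprints   # certificate thumbprints you have pinned
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. Content integrity: a wrapper that carries the original plus a second
    #    executable never has the hash the publisher advertises.
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($ExpectedSha256) {
        if ($sha256 -ne $ExpectedSha256.ToUpperInvariant()) {
            $problems.Add("SHA-256 $sha256 does not match the published hash")
        }
    } else {
        $problems.Add('no published hash supplied; integrity not verified')
    }

    # 2. Authenticode: Status is Valid only when the signature matches the file's
    #    current bytes and chains to a trusted root. A modified binary comes back as
    #    HashMismatch, an unsigned wrapper as NotSigned.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signerSubject = $null
    if ($sig.Status -ne 'Valid') {
        $problems.Add("Authenticode status $($sig.Status): $($sig.StatusMessage)")
    } else {
        $signerSubject = $sig.SignerCertificate.Subject
        # 3. A valid signature only proves that some trusted key signed the file.
        #    Signing keys get stolen, so also pin the publisher's certificate.
        if ($TrustedSignerThumbprints -and
            ($sig.SignerCertificate.Thumbprint -notin $TrustedSignerThumbprints)) {
            $problems.Add("signed by unexpected certificate $($sig.SignerCertificate.Thumbprint) ($signerSubject)")
        }
    }

    [pscustomobject]@{
        Path      = $Path
        Sha256    = $sha256
        Signature = $sig.Status
        Signer    = $signerSubject
        Safe      = ($problems.Count -eq 0)
        Problems  = $problems.ToArray()
    }
}

# Placeholder values: replace with the file you downloaded and the publisher's data.
Test-DownloadedExecutable -Path "$env:USERPROFILE\Downloads\installer.exe" `
    -ExpectedSha256 '<hash from the publisher''s HTTPS download page>' `
    -TrustedSignerThumbprints @('<publisher certificate thumbprint>')
```

Treat `Safe` as the only go/no-go value: a `Valid` signature with a thumbprint mismatch is exactly the stolen-key case the article warns about, and a matching hash with no signature still tells you the file is the one the publisher intended to ship.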

This post was updated to remove incorrect statements concerning the use of virtual private networks.

For the complete story follow the source link below.

Source: Ars Technica

Backdoors and surveillance mechanisms in iOS devices


This paper is actually about half a year old, but it has received a lot of attention recently because its author has uploaded a PowerPoint from a talk on the same material, which is obviously more accessible than a proper scientific journal article.

For instance, despite Apple’s claims of not being able to read your encrypted iMessages, there’s this:

“In October 2013, Quarkslab exposed design flaws in Apple’s iMessage protocol demonstrating that Apple does, despite its vehement denial, have the technical capability to intercept private iMessage traffic if they so desired, or were coerced to under a court order. The iMessage protocol is touted to use end-to-end encryption, however Quarkslab revealed in their research that the asymmetric keys generated to perform this encryption are exchanged through key directory servers centrally managed by Apple, which allow for substitute keys to be injected to allow eavesdropping to be performed. Similarly, the group revealed that certificate pinning, a very common and easy-to-implement certificate chain security mechanism, was not implemented in iMessage, potentially allowing malicious parties to perform MiTM attacks against iMessage in the same fashion.”

There are also several services in iOS that would facilitate the work of organisations like the NSA, yet there is no apparent reason for these features to be there. They are not referenced by any known Apple software, do not require developer mode (so they are not debugging tools), and are available on every single iOS device.

One example of these services is a packet sniffer, com.apple.pcapd, which “dumps network traffic and HTTP request/response data traveling into and out of the device” and “can be targeted via WiFi for remote monitoring”. It runs on every iOS device. Then there’s com.apple.mobile.file_relay, which “completely bypasses Apple’s backup encryption for end-user security”, “has evolved considerably, even in iOS 7, to expose much personal data”, and is “very intentionally placed and intended to dump data from the device by request”.

This second one, especially, gave only relatively limited access in iOS 2.x, but in iOS 7 it has grown to give access to pretty much everything, down to "a complete metadata disk sparseimage of the iOS file system, sans actual content", meaning timestamps, file names, the names of all installed applications and their documents, configured email accounts, and a lot more. As you can see, the exposed information goes quite deep.

Apple is a company that continuously claims it cares about security and your privacy, but yet they actively make it easy to get to all your personal data. There’s a massive contradiction between Apple’s marketing fluff on the one hand, and the reality of the access iOS provides to your personal data on the other – down to outright lies about Apple not being able to read your iMessages.

Those of us who aren’t corporate cheerleaders are not surprised by this in the slightest – Apple, Microsoft, Google, they’re all the same – but I still encounter people online every day who seem to believe the marketing nonsense Apple puts out. People, it doesn’t get much clearer than this: Apple does not care about your privacy any more or less than its competitors.

Source: OS News

Note: this is not mentioned in the original article but is definitely worth noting that there is at least one company out there that cares about your privacy and always has and is the leader in security. That's BlackBerry of course; they should be recognized for how great they are and they continually get overlooked unless it is for something negative. BlackBerry for life! Best mobile OS is BlackBerry 10, period.

Is CryptoLocker Ransomware arriving on Android?

The U.S. version of the Android malware purporting to be CryptoLocker.

CryptoLocker ransomware, the malware that locked up PCs until you paid $300 and the so-called Menace of the Year, may have jumped from Windows to Android.

ThreatPost reports that the Reveton cyber-crime gang is advertising an Android version of CryptoLocker. This program seems to have no way to actively infect an Android smartphone or tablet. To get it you have to actually download the APK file.

To trick you into doing this, the malware masquerades as a porn application and, as you'd expect, is hosted on porn sites. If I've said it once, I've said it a thousand times: never download Android apps from third-party sites of any sort, and, no matter what operating system you're running, don't download programs from porn sites.

If you’re fool enough to do this anyway and get infected, any time you try to use your device, you’ll be shown a warning display that accuses you of viewing child pornography or equally ugly and illegal porn. It then goes on to say that you’ll face a jail term of five to 11 years, unless, of course, you make a payment of $300 via MoneyPak. This is a legitimate pre-paid debt card service.

At this time, it's unclear whether this malware, labeled Koler.A, really is a port of CryptoLocker or simply a malware program using the infamous ransomware's name in vain. From the limited experience security companies have had with it so far, it seems most likely that it is not actually encrypting your files.

That said, getting rid of Koler.A is currently a major annoyance. Android anti-virus programs don’t have a fix for it yet. If you can move the program’s icon to the trash, however, that “seems” to get rid of the program. The trick is you only have five seconds to delete it before the ransomware screen takes over your display.

For more information and the original story follow the source link below.

Source: ZD Net

Microsoft offering users 100 GB free OneDrive Storage


Microsoft is offering OneDrive users 100 GB of free storage, according to an email I received recently. You don’t just get the free storage for being a user, rather you have to sign up for Bing Rewards and from there use Bing as your search engine while being signed in to your Bing account to earn points to receive the free storage.

The email (shown as a screenshot in the original post) reads:

To celebrate the launch of OneDrive, we’ve partnered with Bing to bring you a special offer. Simply join Bing Rewards by signing into Bing once and, after just a week of searching, you can earn enough credits to get 100 GB of additional OneDrive storage for a year. It has never been easier to get free storage. Act now. This limited time offer ends soon.