Windows BITS Service Used to Reinfect Computers with Malware 

Crooks found a way to reinfect computers with malware via the Windows BITS service, months after their initial malware was detected and deleted from the infected system.

BITS (Background Intelligent Transfer Service) is a Windows utility for transferring files between a client and a server. The utility works based on a series of cron jobs and is the service in charge of downloading and launching your Windows update packages, along with other periodic software updates.

According to US-based Dell subsidiary SecureWorks, crooks are using BITS to set up recurring malware download tasks, and then leveraging its autorun capabilities to install the malware.

Abusing BITS is nothing new: criminals have used the service in the past, as early as 2006, when Russian crooks were peddling malicious code capable of using BITS to download and install malware on infected systems.

Initial malware infection took place back in March 2016

In this particular case, SecureWorks staff were called to investigate a system that had no malware infections but was still issuing weird security alerts regarding suspicious network activities.

The SecureWorks team discovered that the initial malware infection took place on a Windows 7 PC on March 4, 2016, and that the original malware, a version of the DNSChanger malware called Zlob.Q, had added malicious entries to the BITS service.

These rogue BITS tasks would download malicious code on the system and then run it, eventually cleaning up after itself.

The user’s antivirus removed the initial malware, but the BITS tasks remained, re-downloading malware at regular intervals. Because BITS is a trusted service, the antivirus didn’t flag these activities as malicious but still issued alerts for irregular activities.

BITS tasks could be used in much more dangerous ways

In this case, SecureWorks reports that the BITS jobs downloaded and launched a DLL file that executed as a “notification program.”

BITS jobs have a maximum lifetime of 90 days, and if the malware coder had used them properly, they could have had a permanent foothold on the infected system.

SecureWorks staff presents a method of searching for malicious BITS tasks in their technical write-up, along with a list of domains from where this particular infection kept downloading malicious code.
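A defender-side hunt in the spirit of the SecureWorks write-up, added here as an example and not code from the page or from SecureWorks: it enumerates BITS jobs for all users and flags the traits described above (a notification command line that makes BITS launch a program, a download source outside the expected update hosts, and a retry timeout long enough to keep a job alive for months). The allow-list of hosts and the 14-day default retry timeout are assumptions, marked as such in the comments.

```powershell
# Added hunt script, not SecureWorks' own tool. Run from an elevated PowerShell
# session (Get-BitsTransfer -AllUsers needs admin rights to see other users' jobs).
# Assumption: the allow-list below is an example; tune it to your environment.
$allowedHosts = @('windowsupdate.com', 'microsoft.com', 'windows.com')

$findings = foreach ($job in Get-BitsTransfer -AllUsers) {
    $reasons = @()

    # Trait 1: a notification command line makes BITS itself launch a program when
    # the transfer finishes (the "notification program" DLL in the SecureWorks case).
    if ($job.NotifyCmdLine) {
        $reasons += "NotifyCmdLine set: $($job.NotifyCmdLine)"
    }

    # Trait 2: download sources outside the hosts legitimate updates come from.
    foreach ($file in $job.FileList) {
        $uri = $null
        if ([Uri]::TryCreate($file.RemoteName, [UriKind]::Absolute, [ref]$uri)) {
            $srcHost = $uri.Host
            $known = $allowedHosts | Where-Object { $srcHost -eq $_ -or $srcHost.EndsWith(".$_") }
            if (-not $known) {
                $reasons += "Unexpected source: $($file.RemoteName) -> $($file.LocalName)"
            }
        }
    }

    # Trait 3: a retry timeout above the 14-day default (assumption) keeps a failing
    # job alive and retrying for far longer than update traffic needs.
    if ($job.RetryTimeout -gt (14 * 24 * 3600)) {
        $reasons += "Long RetryTimeout: $($job.RetryTimeout) s"
    }

    if ($reasons.Count -gt 0) {
        [PSCustomObject]@{
            JobId       = $job.JobId
            DisplayName = $job.DisplayName
            Owner       = $job.OwnerAccount
            State       = $job.JobState
            Created     = $job.CreationTime
            Reasons     = ($reasons -join '; ')
        }
    }
}

if ($findings) { $findings | Format-List } else { 'No suspicious BITS jobs found.' }
```

Review each flagged job before cancelling it with Remove-BitsTransfer, since legitimate software also schedules BITS downloads and a false positive would interrupt a real update.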

To read more and the original story follow this link to Softpedia

Sophisticated malware has been spying on computers since 2008 (updated)


Highly sophisticated malware isn’t limited to relatively high-profile sabotage code like Stuxnet — sometimes, it’s designed to fly well under the radar. Symantec has discovered Regin, a very complex trojan that has been spying on everyone from governments to individuals since at least 2008. The malware is highly modular, letting its users customize their attacks depending on whether they need to remotely control a system, take screenshots or watch network traffic. More importantly, it’s uncannily good at covering its tracks. Regin is encrypted in multiple stages, making it hard to know what’s happening unless you capture every stage; it even has tools to fight forensics, and it can use alternative encryption in a pinch. Researchers at Symantec suspect that the trojan is a government-created surveillance tool, since it likely took “months, if not years” to create.

If it is meant for spying, though, it’s not clear just who wrote the malware or why. Unlike Dragonfly and other instances of professionally-made malware, Regin’s origin hasn’t been narrowed down to a particular country or region. About half of the infections have taken place in Russia and Saudi Arabia, but you can also find victims across India, Iran and multiple European nations. Also, it’s definitely not limited to telecoms or other high-value targets — 48 percent of known victims are people and small businesses. While Regin could easily be part of an online espionage campaign, it’s hard to rule anything out at this point.

Update: Kaspersky Labs did some extra sleuthing and found that Regin can attack cellular networks’ GSM base stations, mapping their infrastructure. Also, sources tell The Intercept that Belgian carrier Belgacom found the trojan on its internal networks. That’s potentially worrisome — while there’s no hard evidence of a connection so far, it suggests that Britain’s GCHQ may have used Regin to infiltrate Belgacom and spy on its users.

For more information and the original story follow the source link below.

Source: Engadget

Kaspersky Internet Security 2013 Has Bug That Can Lead to System Freeze

Potential attackers can exploit the flaw by sending specifically crafted IPv6 packets to the targeted computers

Kaspersky Lab’s Internet Security 2013 product contains a bug that can be exploited remotely, especially on local networks, to completely freeze the OS on computers running the software.

The bug can be attacked by sending a specifically crafted IPv6 (Internet Protocol version 6) packet to computers running Kaspersky Internet Security 2013 and other Kaspersky products that have the firewall functionality, security researcher Marc Heuse said earlier this week in an advisory published on the Full Disclosure mailing list.

“A fragmented packet with multiple but one large extension header leads to a complete freeze of the operating system,” he said. “No log message or warning window is generated, nor is the system able to perform any task.”

IPv6 support is enabled by default for network interfaces in Windows Vista and later, as well as in many Linux distributions and in Mac OS. IPv6 adoption on the Internet is relatively low at the moment so the number of computers that are publicly accessible over IPv6 is not very high. However, most computers are accessible over IPv6 on local networks and have local IPv6 addresses assigned to them by default.

Heuse claims that he reported the bug to Kaspersky Lab on Jan. 21 and again on Feb. 14, but received no feedback from the company so he decided to disclose it publicly. In addition to the advisory he also published a proof-of-concept tool that can exploit the bug.

Kaspersky Lab acknowledged the existence of the issue for Kaspersky Internet Security 2013. “After receiving feedback from the researcher, Kaspersky Lab quickly fixed the error,” the company said Thursday via email. “A private patch is currently available on demand and an autopatch will soon be released to fix the problem automatically on every computer protected by Kaspersky Internet Security 2013.”

Although the issue is valid, there was no threat of malicious activity affecting the computers of any users who experienced the rare problem, the company said. “Actions have been taken to prevent such incidents from occurring in the future,” it said.

The company could not immediately confirm whether any other of its products are affected as well.

Source: Network World

Acer Discontinues Operations of eMachines PC Brand

Taiwan computer manufacturer Acer is discontinuing its eMachines brand. The move, which will see the brand’s operations come to a close, forms part of the company’s overall move away from budget base models and towards ultrabooks and similar form factors, something CEO JT Wang started in late 2011.

The company is continuing its three-year brand-consolidating process, according to DigiTimes, with the removal of the eMachines brand only being part of the process. Acer also owns Gateway, a company it bought in 2007, and finalized its buyout of Gateway-owned Packard Bell in 2008.

As already mentioned, eMachines focussed on the low-cost hardware section of the PC market. Its last notable releases included the $300 VESA-mountable Mini-e nettop, and the $400 all-in-one EZ1601.

Source: Electronista

Computer Virus Being Spread Using SOPA Alerts

The piece of legislation, Stop Online Piracy Act (SOPA), was dropped from United States Congress in January of this year. But it has returned, just not in the same form.

This time SOPA is showing up on users’ PCs. Basically it is a virus that uses the SOPA bill to scare victims into paying $200. The virus locks down your computer and then only offers to unlock it if you pay the fee. This scam uses a lot of American government seals to make it look official and genuine.

It warns the victim that their IP address is on a blacklist after distributing illegal content. It then tells the victim to send a MoneyPak or a Western Union wire to pay the fee. If the user doesn’t pay up, the virus threatens the user, saying they will lose all their data.

It won’t delete all of your data on your PC, but it should be removed as soon as possible.

New PC Malware Disguised as Antivirus Software to Scam You

There is new malware that is infecting PCs, and most people would never even realize it was there.

The malware comes from a rogue software group called FakeRean. According to McAfee it poses as an antivirus, claiming it scanned your computer and that your computer is infected and to buy the antivirus protection offered so that your computer will be safe. But in reality it takes control of your GUI to extort money out of you using these scare tactics.

The renegade software is showing up on different versions of Windows, adapting its appearance to the version of the operating system you’re running.

Below is what you should be on the lookout for (screenshots of the fake antivirus as it appears on Windows 7, Windows Vista and Windows XP; images not included here).