Windows BITS Service Used to Reinfect Computers with Malware

Crooks found a way to reinfect computers with malware via the Windows BITS service, months after their initial malware was detected and deleted from the infected system.

BITS (Background Intelligent Transfer Service) is a Windows utility for transferring files between a client and a server. The utility works based on a series of cron jobs and is the service in charge of downloading and launching your Windows update packages, along with other periodic software updates.

According to US-based Dell subsidiary SecureWorks, crooks are using BITS to set up recurring malware download tasks, and then leveraging its autorun capabilities to install the malware.

Abusing BITS is nothing new since criminals used the service in the past, as early as 2006, when Russian crooks were peddling malicious code capable of using BITS to download and installing malware on infected systems.Initial malware infection took place back in March 2016In the particular case, SecureWorks staff were called to investigate a system that had no malware infections but was still issuing weird security alerts regarding suspicious network activities.

The SecureWorks team discovered that the initial malware infection took place on a Windows 7 PC on March 4, 2016, and that the original malware, a version of the DNSChanger malware calledZlob.Q, had added malicious entries to the BITS service.

These rogue BITS tasks would download malicious code on the system and then run it, eventually cleaning up after itself.

Since the user’s antivirus removed the initial malware, the BITS tasks remained, re-downloading malware at regular intervals. Because BITS is a trusted service, the antivirus didn’t flag these activities as malicious but still issued alerts for irregular activities.BITS tasks could be used in much more dangerous waysIn this case, SecureWorks reports that the BITS jobs downloaded and launched a DLL file that executed as a “notification program.”

BITS jobs have a maximum lifetime of 90 days, and if the malware coder had used them properly, they could have had a permanent foothold on the infected system.

SecureWorks staff presents a method of searching for malicious BITS tasks in their technical write-up, along with a list of domains from where this particular infection kept downloading malicious code.

To read more and the original story follow this link to Softpedia. 

For a year, gang operating rogue Tor node infected Windows executables

A flowchart of the infection process used by a malicious Tor exit node.

Attacks tied to gang that previously infected governments with highly advanced malware.

Three weeks ago, a security researcher uncovered a Tor exit node that added malware to uncompressed Windows executables passing through it. Officials with the privacy service promptly shut down the Russia-based node, but according to new research, the group behind the node had likely been infecting files for more than a year by that time, causing careless users to install a backdoor that gave attackers full control of their systems.

What’s more, according to a blog post published Friday by researchers from antivirus provider F-Secure, the rogue exit node was tied to the “MiniDuke” gang, which previously infected government agencies and organizations in 23 countries with highly advanced malware that uses low-level code to stay hidden. MiniDuke was intriguing because it bore the hallmark of viruses first encountered in the mid-1990s, when shadowy groups such as 29A engineered innovative pieces of malware for fun and then documented them in an E-zine of the same name. Written in assembly language, most MiniDuke files were tiny. Their use of multiple levels of encryption and clever coding tricks made the malware hard to detect and difficult to reverse engineer. The code also contained references to Dante Alighieri’s Divine Comedy and alluded to 666, the “mark of the beast” discussed in the biblical Book of Revelation.

“OnionDuke,” as the malware spread through the latest attacks is known, is a completely different malware family, but some of the command and control (C&C) channels it uses to funnel commands and stolen data to and from infected machines were registered by the same persona that obtained MiniDuke C&Cs. The main component of the malware monitored several attacker-operated servers to await instructions to install other pieces of malware. Other components siphoned login credentials and system information from infected machines.

Besides spreading through the Tor node, the malware also spread through other, undetermined channels. The F-Secure post stated:

During our research, we have also uncovered strong evidence suggesting that OnionDuke has been used in targeted attacks against European government agencies, although we have so far been unable to identify the infection vector(s). Interestingly, this would suggest two very different targeting strategies. On one hand is the “shooting a fly with a cannon” mass-infection strategy through modified binaries and, on the other, the more surgical targeting traditionally associated with APT [advanced persistent threat] operations.

The malicious Tor node infected uncompressed executable files passing through unencrypted traffic. It worked by inserting the original executable into a “wrapper” that added a second executable. Tor users downloading executables from an HTTPS-protected server or using a virtual private network were immune to the tampering; those who were careful to install only apps that were digitally signed by the developer would likely also be safe, although that assurance is by no means guaranteed. It’s not uncommon for attackers to compromise legitimate signing keys and use them to sign malicious packages.

Tor officials have long counseled people to employ a VPN use encryption when using the privacy service, and OnionDuke provides a strong cautionary tale when users fail to heed that advice.

This post was updated to remove incorrect statements concerning the use of virtual private networks.

For the complete story follow the source link below.

Source: Ars Technica

Is CryptoLocker Ransomware arriving on Android?

The U.S. version of the Android malware purporting to be CrytoLocker.

CrytoLocker Ransomware, the malware that locked up PCs until you paid off $300 and the so-called Menace of the Year, may have jumped from Windows to Android.

ThreatPost reports that the Reveton cyber-crime gang is advertising an Android version of CryptoLocker. This program seems to have no way to actively infect an Android smartphone or tablet. To get it you have to actually download the APK file.

To trick you into doing this, the malware masquerades as a porn application. As you’d expect, this malware is designed to hide out on porn sites. If I’d said it once, I’ve said it a thousand times, never download Android apps from third-party sites of any sort and don’t, no matter what operating system you’re running, download programs from porn sites.

If you’re fool enough to do this anyway and get infected, any time you try to use your device, you’ll be shown a warning display that accuses you of viewing child pornography or equally ugly and illegal porn. It then goes on to say that you’ll face a jail term of five to 11 years, unless, of course, you make a payment of $300 via MoneyPak. This is a legitimate pre-paid debt card service.

At this time, it’s unclear if this malware, labeled Koler.A really is a port of CryptoLocker or simply a malware program using the infamous ransomware name in vain. From the limited experience security companies have had with this program it seems most likely it is not actually encrypting your files.

That said, getting rid of Koler.A is currently a major annoyance. Android anti-virus programs don’t have a fix for it yet. If you can move the program’s icon to the trash, however, that “seems” to get rid of the program. The trick is you only have five seconds to delete it before the ransomware screen takes over your display.

For more information and the original story follow the source link below.

Source: ZD Net

Five reasons Microsoft could become a top Android smartphone company

I thought this article brought up some good points and thought I would share it here.

1) Microsoft already makes major profits from Android.
How much? Thanks to its patent agreements, Microsoft may have made as much as $3.4 billion in 2013 from Android sales. If it wasn’t for its Android patents, the analyst firm Nomura thinks Microsoft’s entertainment and devices division (EDD), which covers Xbox, Windows Phone and Skype would actually lose $2-billion dollars a year!

With its forthcoming Nokia acquisition, Microsoft could make ten times that much from its own Android smartphones. Also, unlike its potential Android competitors, Microsoft won’t have to pay its own patent fees. That automatically makes each MS-Android phone more profitable for Microsoft than an equivalent device for say Samsung.

Thinking of the Android phone powerhouse, Samsung owns the Android smartphone market the way Microsoft controls the PC market. Microsoft is one of the few companies with the resources to go toe-to-toe with Samsung. All it needs is to commit to a mobile operating system that people wants.

2) Android already owns the market.
The smartphone OS that everyone wants is Android. IDC’s latest fourth-quarter ranking shows Android has more than 78 percent of the worldwide smartphone market.. Between Android and IOS, the powerful mobile OS pair has 95 percent of the market.

I don’t care how much you may like some Windows Phones, they’re not selling. It’s been over a year now Windows Phone 8 was introduced, and it’s still not making serious inroads on either Android or iOS.

3) MS-Android has unique advantages over its competitors.
Ask anyone who makes Android phones what their biggest marketing problem is and they’ll tell that’s it’s trying to get their devices to stand out from their competitors. So, they add bloatware, which customers usually hate, or they paint on their own custom interface, which really doesn’t look that different from anyone else’s front-end.

What’s a company to do? Well, if you’re Microsoft, it can offer customers, Outlook instead of Gmail; Office 365 over Google Docs; and OneDrive, formerly SkyDrive, in place of Google Drive. Get the idea?

Microsoft has real software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS) alternatives to Google’s offerings. While I have no love for Microsoft’s applications, there are hundreds of millions of users who have been using Outlook and Office since they first used a computer. A lot of them would love to use the apps they’ve known since they were kids on a widely-supported platform such as Android.

4) Lower development costs.
I don’t know how much Microsoft is spending on building Windows Phone 9, but it’s got to be north of a hundred million. How much does it cost to build Android? Oh wait, Microsoft doesn’t have to spend a thin dime on creating Android! Google, and other open-source developers, are the ones picking up the tab to build the Android Open Source Project (AOSP).

5) More apps, more developers
Android also already has a huge number of developers and existing applications. In fact, the Google Play store already has a million apps. Windows Phone? It probably just crossed over 200,000 apps. The Android developers are out there, it won’t cost them much money or time to bring their apps to MS-Android.

Presto! For far less money, Microsoft cuts its internal development costs and opens its doors to tens of thousands of new developers and hundreds of thousands of new programs.

ZD Net

UK teen launches Thinkspace, seeks to bring software development to high schools around the world

Thinkspace, an organization created by sixteen-year-old James Anderson, seeks to “inspire the next generation of app developers” through dedicated coding zones in high schools across the globe. Anderson formally launched Thinkspace this month with campuses in Plymouth and Northern Ireland.

Anderson first came up with the idea for Thinkspace when he became disappointed with the UK educational system’s approach to computer information and related topics. Rather than attempt to change the curriculum, Anderson sought to work around it by creating “Thinkspaces” within schools.

A Thinkspace is essentially a room filled with computers and mobile devices with which students are encouraged to build whatever software they can imagine. The UK Thinkspace, located at Plymouth’s Devonport High School for Boys, contains Android devices, iPod touches, iPads, Blackberrys, and Windows Phone devices, all connected to an assortment of Mac and PC computers.

The flagship UK campus cost around £10,000, but Anderson says that almost any budget will suffice. The goal is not necessarily to build state-of-the-art development labs, but rather to provide students with a place to go in order to learn to code, collaborate on projects, and just build software.

Any school interested in establishing a Thinkspace is welcome to join the program. The only requirement is that a teacher from the school join Thinkspace Social—a development-oriented social network created by Anderson—and begin inviting students from the school. Anderson told 9to5Mac that the organization is already looking to expand internationally into Australia, Israel, Singapore, and the United States.

The Thinkspace project has gained the backing of many well-known public figures, such as Google SVP of Engineering Vic Gundotra, Apple co-founder Steve Wozniak, Twitter CEO Dick Costolo, Virgin founder Richard Branson, and top executives from other companies like Microsoft.

Anderson told Wired that he envisions Thinkspaces as a student-driven program where experienced coders can help educate the next generation of software designers and developers. He hopes to see the program spread not only across Europe, but around the world.

For more photos click the soure link below.

Source: 9to5Google

XP’s retirement will be hacker heaven

Hackers will bank bugs until after Microsoft retires Windows XP in April 2014; expect attacks, say security experts

Cyber criminals will bank their Windows XP zero-day vulnerabilities until after Microsoft stops patching the aged operating system next April, a security expert argued today.

Jason Fossen, a trainer for SANS since 1998 and an expert on Microsoft security, said it’s simply economics at work.

“The average price on the black market for a Windows XP exploit is $50,000 to $150,000, a relatively low price that reflects Microsoft’s response,” said Fossen. When a new vulnerability — dubbed a “zero-day” — is spotted in the wild, Microsoft investigates, pulls together a patch and releases it to XP users.

If the bug is critical and being widely used by hackers, Microsoft will go “out-of-cycle,” meaning it will issue a security update outside its usual monthly Patch Tuesday schedule.

But after April 8, 2014, Microsoft has said it will retire Windows XP and stop serving security updates. The only exceptions: Companies and other organizations, such as government agencies, that pay exorbitant fees for custom support, which provides critical security updates for an operating system that’s officially been declared dead.

Because Microsoft will stop patching XP, hackers will hold zero-days they uncover between now and April, then sell them to criminals or loose them themselves on unprotected PCs after the deadline.

“When someone discovers a very reliable, remotely executable XP vulnerability, and publishes it today, Microsoft will patch it in a few weeks,” said Fossen. “But if they sit on a vulnerability, the price for it could very well double.”

Minus any official patching from Microsoft, XP zero-days and their associated exploits could remain effective for months, maybe even years, depending on how well security software detects and quarantines such attacks.

If Fossen’s thesis is correct, there should be signs of bug banking, most notably a sharp reduction in the number of publicly-disclosed or used-in-the-wild XP vulnerabilities during the fourth quarter of 2013 and the first quarter of 2014.

“[Hackers] will be motivated to sit on them,” Fossen stressed.

There really aren’t precedents to back up Fossen’s speculation, he acknowledged, because the last time Microsoft pulled the plug on an edition was July 2010, when it retired Windows 2000. But according to metrics firm Net Applications, at the time Windows 2000 powered just four-tenths of one percent of all PCs.

Windows XP will have a much larger share when it’s retired next year: Based on XP’s current rate of decline, Computerworld has projected that the old OS will still run between 33% and 34% of the world’s personal computers at the end of April 2014.

That would be 80 times the share of Windows 2000 when it retired.

But even with Windows 2000’s minuscule share when it left support, there were reports that an edition-specific zero-day was created and sold.

“I heard rumors of a new zero-day being found and sold after the support period expired [for Windows 2000],” said HD Moore, creator of the popular Metasploit penetration testing toolkit and the chief security officer of security company Rapid7. “But there were few if any examples that ended up in the public eye.”

Moore agreed with Fossen that XP bugs would be more valuable after April 2014, but contended that all Windows vulnerabilities would jump in value.

“Something more common [three years ago] was backporting new security advisories into functional exploits on Windows 2000,” said Moore in an email. “Every time a server-side vulnerability was found in Windows XP or 2003 Server, quite a few folks looked at whether this would also work against Windows 2000. My guess is that the retirement of Windows XP will result in all Windows vulnerabilities being of slightly higher value, especially given the difference in exploit mitigations between XP and newer platforms.”

It’s far easier to exploit flaws in Windows XP than in newer editions, such as Windows 7 and Windows 8, noted Moore, because of the additional security measures that Microsoft’s baked into the newer operating systems.

Microsoft has said the same. In the second half of 2012, XP’s infection rate was 11.3 machines per 1,000 scanned by the company’s security software, more than double the 4.5 per 1,000 for Windows 7 SP1 32-bit and triple the 3.3 per 1,000 for Windows 7 SP1 64-bit.

“Windows XP vulnerabilities will be valuable as long as enterprises utilize that version of the operating system,” said Brian Gorenc, manager of HP Security Research’s Zero Day Initiative, the preeminent bug bounty program. But Gorenc also argued that any XP zero-days would be outweighed by higher-priority hacker work.

“Researchers are primarily focused on the critical applications being deployed on top of the operating system,” said Gorenc in an email reply to questions today. “Attackers and exploit kit authors seem to rely on the fact that the update process and tempo for applications are not as well defined as those for operating systems.”

Fossen, convinced that XP would be a big fat target after April 8, wondered whether Microsoft might find itself in a tough spot, and back away from the line in the sand it’s drawn for XP’s retirement.

“If hackers sit on zero-days, then after April use several of them in a short time, that could create a pain threshold [so severe] that people organize and demand patches,” said Fossen.

The consensus among analysts and security experts is that Microsoft will not back down from its decision to retire XP, come hell or high water, because it would not only set an unwelcome precedent but also remove any leverage the company and its partners have in convincing laggards to upgrade to a newer edition of Windows.

But a few have held out hope.

“Suppose we get to a date post the end of Extended support, and a security problem with XP suddenly causes massive problems on the Internet, such as a massive [denial-of-service] problem?” asked Michael Cherry, an analyst with Directions on Microsoft, in an interview last Decembe. “It is not just harming Windows XP users, it is bringing the entire Internet to its knees. At this time, there are still significant numbers of Windows XP in use, and the problem is definitely due to a problem in Windows XP. In this scenario, I believe Microsoft would have to do the right thing and issue a fix.”

Jason Miller, manager of research and development at VMware, had some of the same thoughts at the time. “What if XP turns out to be a huge virus hotbed after support ends? It would be a major blow to Microsoft’s security image,” Miller said.

Another option for Microsoft, said Fossen, would be to take advantage of a post-retirement disaster to do what it’s been doing for years, push customers to upgrade.

“They might also respond with a temporary deal on an upgrade to Windows 8,” said Fossen, by discounting the current $120 price for Windows 8 or the $200 for Windows 8 Pro. “Then they could say, ‘We’re aware of these vulnerabilities, but you should upgrade.'”

Source: Computerworld

Kaspersky Internet Security 2013 Has Bug That Can Lead to System Freeze

Potential attackers can exploit the flaw by sending specifically crafted IPv6 packets to the targeted computers

Kaspersky Lab’s Internet Security 2013 product contains a bug that can be exploited remotely, especially on local networks, to completely freeze the OS on computers running the software.

The bug can be attacked by sending a specifically crafted IPv6 (Internet Protocol version 6) packet to computers running Kaspersky Internet Security 2013 and other Kaspersky products that have the firewall functionality, security researcher Marc Heuse said earlier this week in an advisory published on the Full Disclosure mailing list.

“A fragmented packet with multiple but one large extension header leads to a complete freeze of the operating system,” he said. “No log message or warning window is generated, nor is the system able to perform any task.”

IPv6 support is enabled by default for network interfaces in Windows Vista and later, as well as in many Linux distributions and in Mac OS. IPv6 adoption on the Internet is relatively low at the moment so the number of computers that are publicly accessible over IPv6 is not very high. However, most computers are accessible over IPv6 on local networks and have local IPv6 addresses assigned to them by default.

Heuse claims that he reported the bug to Kaspersky Lab on Jan. 21 and again on Feb. 14, but received no feedback from the company so he decided to disclose it publicly. In addition to the advisory he also published a proof-of-concept tool that can exploit the bug.

Kaspersky Lab acknowledged the existence of the issue for Kaspersky Internet Security 2013. “After receiving feedback from the researcher, Kaspersky Lab quickly fixed the error,” the company said Thursday via email. “A private patch is currently available on demand and an autopatch will soon be released to fix the problem automatically on every computer protected by Kaspersky Internet Security 2013.”

Although the issue is valid, there was no threat of malicious activity affecting the computers of any users who experienced the rare problem, the company said. “Actions have been taken to prevent such incidents from occurring in the future,” it said.

The company could not immediately confirm whether any other of its products are affected as well.

Source: Network World

New PC Malware Disguised as Antivirus Software to Scam You

There is new malware that is infecting PC’s and most people would never even realize it was there.

The malware comes from a rogue software group called FakeRean. According to McAfee it poses as an antivirus, claiming it scanned your computer and that your computer is infected and to buy the antivirus protection offered so that your computer will be safe. But in reality it takes control of your GUI to extort money out of you using these scare tactics.

The renegade software is showing up on different version of Windows, changing into the iteration of the operating system you’re running on.

Below is what you should be on the lookout for.

On Windows 7

On Windows Vista

On Windows XP

Microsoft Disrupts Nitol Botnet and Takes Control of Malware Hosting Domain

Microsoft has claimed, through an operation code named b70, that it has managed to disrupt more than 500 different strains of malware in a bid to slow down the threats posed by the Nitol botnet.

Microsoft has discovered that Chinese retailers have been involved in selling computers with pirated version of Windows loaded with malware. Microsoft believes that the malware could have entered the supply chain at any point seeing as how the computer travels among companies that transport and resell the computer it is hard to pin-point the time and location.

Microsoft’s official blog says this, “…cybercriminals infiltrate unsecure supply chains to introduce counterfeit software embedded with malware for the purpose of secretly infecting people’s computers”

One thing that was noticed was that the malware was capable of spreading itself through common file transfers like USB based flash drives making it possible to spread malware to family members and friends.

A study done by Microsoft which was focused on the Nitol botnet found that nearly 20 per cent of the all the PCs that were purchased through unsecure Chinese supply chain were infected with malware. In this study Microsoft also found that in addition to hosting the Nitol botnet, the domain 3322.org contained 500 different strains of malware which were hosted using 70,000 sub domains. Microsoft also played crucial roles in disrupting the Kelihos and Zeus botnets while closely working with US officials.

New Crisis Malware Infecting Macs, VMware and Windows

Security experts have discovered a virus strain that compromises VMware virtual machines, and is infecting Mac OS X, Windows computers as well as Windows Mobile devices.

This virus strain has capabilities that have yet to be seen before, the Crisis malware normally arrives in a Java archive file (.jar). It is typically installed by posing as a Flash Player Java applet to trick a victim into opening it, letting the Crisis malware onto the PC. This archive contains executable files (.exe). And the malware is able to detect which platform it is running on and serve up the correct variant, targeting Apple and Windows operating systems.

According to a Kaspersky Lab Expert, once launched the worm puts in place a rootkit to hide itself from view; installs spyware to record the user’s every move on the computer; and opens a backdoor to the IP address 176.58.100.37, allowing miscreants to gain further access to the machine. The code is also said to survive after a system reboots.

The Windows variant of the virus will snoop into these user applications: Firefox, Internet Explorer, Chrome, Microsoft Messenger, Skype, Google Talk and Yahoo! Messenger. It will also shut off any anti-virus programs, log keypresses, download and upload files, lift the contents of the user’s clipboard, take screenshots, and record from the computer’s webcam and mic.

The Mac variant is very similar to Windows. It monitors Adium, Mozilla, Firefox, MSN Messenger (for Mac) and Skype, and records keystrokes. But on Mac OS X, the user does not need administrative privileges to install the software although its functionality is affected if there is insufficient information used. With admin-level access, the virus can slot in the rootkit.

According to The Register Crisis uses three methods to spread itself from Windows desktops: it can copy itself and an autorun.inf file to a removable drive in order to infect the next machine the storage stick is plugged into; it can sneak onto virtual machines; and it can drop modules onto a Windows Mobile device.

The virus does not use a vulnerability in the VMware software, it relies on a feature that allows the virtual machine’s files to be manipulated while it is not even running. The virus searches for the virtual machines images on the Windows PC and attempts to copy itself onto the system using a VMware Player tool.

“This may be the first malware that attempts to spread onto a virtual machine. Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors,” Symantec researcher Takashi Katsuki concludes.