New Windows Security Tool from Safer-Networking Ltd!

From a company that those of us in the IT security industry know well, the makers of Spybot Search and Destroy. This one is for Windows 10 users concerned about the new monitoring (telemetry) features built into Windows 10, and of course we have heard that Microsoft intends to bring these features back to Windows 7 and 8 as well.

Anyway, they have developed a new utility, Spybot Anti-Beacon. It is a standalone tool designed to block the various tracking (telemetry) features present in Windows 10, and it has since been extended to block similar tracking functionality in Windows 7, Windows 8 and Windows 8.1. As with any tool that changes system settings, review what it changes before you apply it and re-check after Windows updates, which can restore the defaults. If interested, you can check it out here…

https://www.safer-networking.org/spybot-anti-beacon/


Security Maintenance Tip of the Week!

Tip:

Log into your Twitter and Facebook accounts on your computer and look through the apps you have granted access to over the years. Do you still use all of them? If not, revoke access! Here’s how to do it…

Twitter
Log into Twitter.com from your computer.

1. Click your profile image in the top right of the page.

2. Choose “Settings” from the list.


3. Click “Apps” from the list on the left of the page.


Facebook
Log into Facebook.com from your computer.

1. Click on the privacy lock icon in the top right of the page.

2. Choose the “See More Settings” link from the bottom of the list.

3. Click “Apps” from the list on the left of the page.

These are all of the apps you have granted access to your Twitter or Facebook account over the years. Chances are there will be plenty that no longer need it, many of them from old devices you no longer have or use.

Why bother, you ask? Here is how this works. Every app with access to your Twitter/Facebook account holds a standing token for it, and each one is another place for a bad person to look for a vulnerability that will let them take over your account. Removing the apps you don’t need reduces this attack surface. It is the little things that bite us.

In my opinion, Twitter/Facebook should put an expiration date on these grants so you are forced to revisit these settings every once in a while.

Happy Hunting!

CryptoWall 4.0! Watch out folks, she’s back for another round!

CryptoWall 4.0 released with new features such as encrypted file names.
See “What is CryptoWall” at the end of this post.

CryptoWall 4.0 has been released; it displays a redesigned ransom note, uses new file names, and now encrypts a file’s name along with its data.

Ransom note (image)

For those who may have become infected by this variant, you can visit the dedicated CryptoWall 4.0: Help_Your_Files Ransomware Support Topic to discuss the infection or receive support on it.

The most significant change in CryptoWall 4.0 is that it now also encrypts the names of the encrypted files. Each file has its name changed to a unique encrypted name like 27p9k967z.x1nep or 9242on6c.6la9. The file names are probably encrypted to make it harder to work out which files need to be recovered, and to make the experience more frustrating for the victim.

Folder containing encrypted files (image)
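The renamed files are themselves a usable indicator during incident response: a folder full of names shaped like 27p9k967z.x1nep stands out from normal user data. The script below is an added example of mine, not part of the original post or of any vendor tool, that walks a directory tree and flags folders where most file names have that random name.extension shape. The length bounds, the extension allow-list and the 80% threshold are my own assumptions for the demo, not published indicators, and the ransom-note file name HELP_YOUR_FILES.TXT in the constructed sample is assumed from the support-topic name mentioned above.

```python
import os
import re
import shutil
import tempfile

# CryptoWall 4.0 renames each encrypted file to a random name plus a random
# extension (the post shows 27p9k967z.x1nep and 9242on6c.6la9). This heuristic
# flags folders where most files have that shape. The length bounds, the
# extension allow-list and the 80% threshold are assumptions for this demo,
# not published indicators.
RANDOM_NAME = re.compile(r"^[a-z0-9]{6,12}\.[a-z0-9]{3,6}$")
KNOWN_EXTENSIONS = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "png",
                    "zip", "exe", "dll", "htm", "html"}


def looks_encrypted(filename):
    """True when the name is random-looking and the extension is not a known one."""
    name = filename.lower()
    if not RANDOM_NAME.match(name):
        return False
    return name.rsplit(".", 1)[1] not in KNOWN_EXTENSIONS


def scan_tree(root, threshold=0.8, min_files=5):
    """Walk root and return {folder: (suspicious, total)} for folders at or
    above the threshold. Small folders are skipped to limit false positives."""
    hits = {}
    for dirpath, _subdirs, files in os.walk(root):
        if len(files) < min_files:
            continue
        suspicious = sum(1 for f in files if looks_encrypted(f))
        if suspicious / len(files) >= threshold:
            hits[dirpath] = (suspicious, len(files))
    return hits


def demo():
    """Build a constructed sample tree, scan it, and return the flagged folder names.
    HELP_YOUR_FILES.TXT is assumed from the support-topic name quoted in the post;
    the other file names are made up for the demo."""
    root = tempfile.mkdtemp(prefix="cw4_demo_")
    try:
        infected = os.path.join(root, "Documents")
        clean = os.path.join(root, "Pictures")
        os.makedirs(infected)
        os.makedirs(clean)
        for name in ["27p9k967z.x1nep", "9242on6c.6la9", "k2j9x8p1.q7m3z",
                     "aa93kd02.v9c1", "p0o9i8u7.b3n4m", "HELP_YOUR_FILES.TXT"]:
            open(os.path.join(infected, name), "w").close()
        for name in ["holiday1.jpg", "holiday2.jpg", "report.pdf", "notes.txt",
                     "archive.zip", "invoice.docx"]:
            open(os.path.join(clean, name), "w").close()
        hits = scan_tree(root)
        return {os.path.basename(d): counts for d, counts in hits.items()}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())  # {'Documents': (5, 6)}
```

Point it at a user profile or a file share (scan_tree(r"\\fileserver\users")) to find which folders were touched, which is the inventory you need before deciding what to restore from backup. The extension allow-list matters: a real 8-character file name with a real extension (holiday1.jpg) is not flagged, while a random name with an unknown extension is.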

Below are two examples of the emails (images).

If you receive one of the emails, the link follows a specific pattern: [unrelated compromised website]/abuse_report.php?[your domain name]. The domain names are not important: you can get the malware by substituting any string of characters for the domain name in the URL (assuming no one has cleaned up the compromised website yet).

Shown above (image): a string of “X”s substituted for the domain name in a URL from one of the emails.
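Because the query string is irrelevant, a mail-filter or proxy rule keyed on the full URL from one sample would miss the next copy of the same lure. The snippet below is an added example of mine, not from the original post, showing the matching you actually want: key on the host and the abuse_report.php path and ignore whatever follows the question mark. The email text and the host names (.test domains) are constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, not a real message: two links shaped like the ones in
# the post ([compromised site]/abuse_report.php?[recipient domain]) and one
# benign link that must not be flagged.
SAMPLE_EMAIL = """\
Dear Sir/Madam,
We have received a complaint about abuse originating from your domain.
Please review the report: http://example-compromised.test/abuse_report.php?victim.example
Full details: http://second-compromised.test/path/abuse_report.php?other.example
Unsubscribe: https://www.example.org/unsubscribe
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
LURE_PATH = "/abuse_report.php"


def is_lure_url(url):
    """Match one URL on host path only; the query string (the recipient's
    domain in the post's samples) is deliberately ignored."""
    return urlsplit(url).path.lower().endswith(LURE_PATH)


def extract_lure_hosts(text):
    """Return, in order of first appearance, the hosts behind every lure link
    in an email body. These are the compromised sites to block or report."""
    hosts = []
    for url in URL_RE.findall(text):
        if is_lure_url(url):
            host = urlsplit(url).netloc.lower()
            if host not in hosts:
                hosts.append(host)
    return hosts


if __name__ == "__main__":
    print(extract_lure_hosts(SAMPLE_EMAIL))
```

The same path-based match catches the “X”s variant shown above, since is_lure_url("http://example-compromised.test/abuse_report.php?XXXXXXXX") is true. Note that the hosts you extract are victims too (compromised legitimate sites), so block the specific path at the proxy rather than blacklisting the whole domain forever.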

Final Words

If you receive one of these emails and download the file, you should see plenty of warnings that the file is not safe. In a company environment, properly administered Windows hosts (no local admin rights, application whitelisting) should prevent people from running the malware.

Warning dialogs (images)

In my personal opinion, this mal-spam isn’t a serious threat if you are aware that it is out there. So why do criminals run these campaigns? Apparently enough of their emails get through, people still fall for the allure of clicking links and opening random email attachments, and their Windows computers are configured so that they can run it.

I recommend that you keep your antivirus solution always on and UP-TO-DATE! Treat it as one additional layer of protection for your systems, not the only one: a signature-based product will lag behind a fresh variant like this.

If you have a bad habit of clicking/opening random links and attachments, Bitdefender Labs has developed a vaccine that allows users to immunize their computers and block any file encryption attempts, even if they become infected with CryptoWall, one of the most powerful clones of the Cryptolocker malware.

As usual, I have NOT tested this software for effectiveness. So use at YOUR OWN RISK.

Bitdefender advises customers to run a fully dedicated Internet Security solution such as those provided by Bitdefender to protect against all threats. The CryptoWall Immunizer is only effective in protecting systems that may get infected with versions one and two of the CryptoWall ransomware at this point in time, so do not count on it against the 4.0 variant described above.

What is CryptoWall?

Cryptolocker and its public-private key encryption mechanism have become a huge financial success for their creators. Its high return prompted other cyber-criminal entities to write copycats that use much more sophisticated spreading and encryption techniques. Some of the most notorious families of ransomware now wreaking havoc include CryptoWall, Citroni and TorLocker. Android users were also massively targeted by ransomware throughout 2014.

Chrome To Begin Pausing Flash Ads By Default, Starting Sep. 1

http://techcrunch.com/2015/08/28/chrome-will-begin-pausing-flash-ads-by-default-starting-in-september/

Google: New setting to save power by pausing plugin content

With the Beta release of Chrome 42, we’ve launched a new setting that automatically pauses plugin content that’s peripheral to the main page. This can help you save precious battery power and CPU cycles. But don’t worry, the primary plugin content on pages (games, videos, etc.) should still run just fine.

To adjust these settings, type the following into the Chrome address bar:

chrome://settings/content

  • Scroll to Plugins; here is what each option does:
    • Run all plugin content (used to be the recommended setting)
      • Every plug-in on the page runs, including the peripheral (ad) content.
    • Detect and run important plugin content
      • Chrome will automatically run the main plug-in content on websites, but not run peripheral plug-in content.
    • Let me choose when to run plugin content
      • Chrome will prevent any plug-ins from running automatically, but you can run specific plug-ins by right-clicking on them and choosing “Run this plug-in.”
  • Use the “Manage Exceptions” button to set a different option for individual sites.

Amazon Bans FLASH starting Sep. 1

http://advertising.amazon.com/ad-specs/en/policy/technical-guidelines

  • (Blocked by uBlock Origin because “/advertising.” matches EasyList ▸ Fanboy+EasyList-Merged Ultimate List)
  • Easily allowed by clicking “Allow temporarily”

Beginning September 1, 2015, Amazon no longer accepts Flash ads on Amazon.com, AAP, and various IAB standard placements across owned and operated domains. This is driven by recent browser setting updates from Google Chrome, and existing browser settings from Mozilla Firefox and Apple Safari, that limits Flash content displayed on web pages. This change ensures customers continue to have a positive, consistent experience across Amazon and its affiliates, and that ads displayed across the site function properly for optimal performance.

uBlock Origin; A Must Have Browser Plugin

Latest and Greatest Ad/Malware blocking available for Chrome, Firefox, and Safari (you’re not still using Internet Explorer, I hope).

uBlock

Why do I need this plug-in, you ask? See the above image. Malvertising is a fast-growing business whose job is to infect you with malware through ads on common sites that you visit. See this story from August 27th:

Angler Exploit Kit Strikes on MSN.com via Malvertising Campaign; read more here or see summary here:

“The same ad network – AdSpirit.de – which was recently abused in malicious advertising attacks against a slew of top media sites was caught serving malvertising on MSN.com. This is the work of the same threat actors that were behind the Yahoo! [and Huffington Post] malvertising.

The incident occurred when people who were simply browsing MSN’s news, lifestyle or other portals were served with a malicious advertisement that silently loaded the Angler exploit kit and attempted to infect their computers.

The ad request came from AppNexus, which loaded the booby-trapped advert from AdSpirit and the subsequent malvertising chain.

This time, rogue actors are leveraging RedHat’s cloud platform, rhcloud.com to perform multiple redirections to the Angler exploit kit (in the previous attack they were using Microsoft’s Azure).

While we did not collect the malware payload associated with this campaign, we believe it is either Ad fraud or ransomware, Angler’s trademark.”

  • Infection Chain:
    • msn.com => lax1.ib.adnxs.com => pub.adspirit.de
  • uBlock Origin:
    • adnxs.com – found in:
      • Malvertising filter list by Disconnect
      • Peter Lowe’s Ad server list
      • Dan Pollock’s hosts file
    • adspirit.de – found in:
      • Malvertising filter list by Disconnect
      • Peter Lowe’s Ad server list
      • hpHosts’ Ad and tracking servers
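The reason the lists above stop this chain is worth seeing rather than taking on faith: a hosts-file entry for adnxs.com blocks lax1.ib.adnxs.com too, because uBlock Origin applies such entries to the domain and every subdomain of it, so the chain dies at the second hop before the AdSpirit creative or the Angler landing page is ever fetched. The code below is an added example of mine, not uBlock Origin’s code or any list’s real contents; the hosts-file excerpt is constructed in the format those lists use, and the chain is the one quoted above.

```python
# Constructed excerpt in hosts-file format (the format of the Peter Lowe and
# Dan Pollock lists uBlock Origin consumes). Entries are shaped like those
# lists but are not copied from them.
SAMPLE_HOSTS_LIST = """\
# Malvertising filter list (constructed sample)
127.0.0.1 adnxs.com
0.0.0.0   adspirit.de
0.0.0.0   example-tracker.test  # inline comment
127.0.0.1 localhost
"""

# The redirect chain quoted from the MSN.com incident write-up.
INFECTION_CHAIN = ["msn.com", "lax1.ib.adnxs.com", "pub.adspirit.de"]


def parse_hosts_list(text):
    """Return the set of blocked domains from a hosts-file formatted list.
    Comments (full-line or trailing) and the localhost entry are ignored."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        for host in fields[1:]:
            host = host.lower().rstrip(".")
            if host != "localhost":
                blocked.add(host)
    return blocked


def is_blocked(hostname, blocked):
    """Hosts-file matching as uBlock Origin applies it: an entry for a domain
    blocks that domain and every subdomain, so adnxs.com covers lax1.ib.adnxs.com."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked:
            return True
    return False


def first_blocked_hop(chain, blocked):
    """Return the first hop in a redirect chain the list would stop, or None
    if the whole chain would load."""
    for hop in chain:
        if is_blocked(hop, blocked):
            return hop
    return None


if __name__ == "__main__":
    rules = parse_hosts_list(SAMPLE_HOSTS_LIST)
    print(first_blocked_hop(INFECTION_CHAIN, rules))  # lax1.ib.adnxs.com
```

Run it with your own lists (paste the contents of any hosts-format list into SAMPLE_HOSTS_LIST) and the domains from a write-up to check, offline, whether a given campaign would have been stopped and at which hop. A chain that returns None is one your current lists do not cover.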

uBlock Origin is available for Chrome, Firefox, and Safari, install it today!

Stay secure folks!

Carl