Posts Tagged ‘virus’

Mystery Duqu Virus

Posted by

Computer security vulnerabilityEarlier this year cyber security software company Kapersky announced the discovery of a cyber intrusion that affected many of it’s internal computer systems which initiated a large scale investigation. They believe the virus penetrated their systems through an email attachment sent to an employee at the company. From there the virus moved stealthily through the company’s computer network targeting it’s customer’s computer networks and collecting information. Instead of removing the virus Kapersky monitored the virus on their systems in an attempt to better understand its function and purpose.

The investigation led to the discovery of a new highly sophisticated malware platform known as Duqu. The platform was developed from one of the most skilled, mysterious and powerful underground groups in malware. The virus is considered to be in the same league of complexity as the “Stuxnet” worm that was discovered in June 2010 by “Symantic” and has been nicknamed the “step-brother of Stuxnet” in the cyber security world. The Stuxnet worm was a malware created to target Iranian nuclear centrifuge control system software and reportedly ruined one-fifth of Iran’s nuclear centrifuges.

The Duqu malware platform was initially discovered in 2011 by Crysys labs in Budapest Hungary. Crysys Labs released a 60 page document to the cyber security world defining it as a cyber threat that was not related to Stuxnet as was initially believed because it was nearly identical to Stuxnet, but seemingly had a completely different purpose.

In 2012 the mysterious group responsible for Duqu seemed to have gone dark, and the Duqu virus seemed to no longer pose a threat, that is, until now.

The Duqu virus attacks Microsoft Windows computers by using a “zero-day-vulnarability” that uses a Microsoft Word document (.doc) to exploit the computer. A win32k font parsing engine actually enables the virus to install onto the victims computer when the victim downloads and tries to open the Microsoft document.

At first Duqu was thought to be targeting industrial control systems like the “Stuxnet” worm, but recent revelations have uncovered a very different purpose for the virus. The virus actually is a form of spyware targeted hotel computer systems where nuclear arms talks with the Iranian government and allied world leaders (p5+1 events) were happening throughout the world.

Costin Raiu, director of the global research and analysis team at Kaspersky, said the virus was packed with more than 100 discrete “modules” that enabled the infected computers to be controlled by someone else. Other modules found were designed to compress video feeds from surveillance cameras, and also target communications from phones to Wi-Fi networks. The attackers would know who was connected to the infected network, allowing them to eavesdrop on conversations and steal electronic information. The virus is also capable of operating two-way microphones in hotel elevators, computers and alarm systems. The virus automatically deposits a small file on the infected computer to enable a way for the attackers to monitor and return to the computer at a later date.

The only question is, who is responsible for this complex and sophisticated eavesdropping attempt? Who would benefit most from this sort of intelligence? Cyber security experts at Kapersky hinted toward involvement from the Isreali government, initially naming the virus “The Duqu Bet”. “Bet” being the second letter of the Hebrew alphabet, but later changed the name to Duqu 2.0. The Israeli government did not claim any involvement in the Duqu malware platform.

The sophistication and dedication of the Duqu group is a testament of just how complex a virus can be all in an attempt to collect information.

ALERT: Rombertik destroys your computer, avoids detection

Posted by

Virus AlertA new destructive virus known as Rombertik avoids detection from most anti-virus software by making a computer unusable by deleting key files on a computer and filling the hard drive with extraneous bytes of data in order to overwhelm the anti-virus software from detecting it.

Security experts from Cisco say the virus steals login information and other private data. The malware infects the computer via a malicious email attachment.

The malware is also constantly monitoring the computer for security scans in order to avoid detection. The virus will initiate a “self-destruct” sequence that makes the computer unusable by erasing the master boot record (MBR) so that the computer only reboots and never gets into the Windows operating system most likely resulting in a full system restore in order to correct the issue.

ALERT: CryptoWall 3.0 ransomware. Backup or pay BIG!

Posted by

Crypto malware scrambles dataSince 2012 a very sophisticated new form of ransom-ware has been infecting millions of Windows computers. CryptoWall, Cryptorbit, and CryptoLocker or Crypto-malware is a Trojan horse that encrypts files on the compromised computer. The malware uses RSA 2048 bit encryption to scramble important data files using public/private key cryptographic technology making the data files unusable. The victim is instructed to pay a hefty ransom fee ranging from $150 to $750 USD using an anonymous bitcoin payment method to purchase the decryption key that will allegedly decrypt the users files. Even if the user pays the ransom, there’s no guarantee that the attacker will provide the decryption key needed to unlock their files.

After the CryptoWall ransomware seemed dormant for several months a more sophisticated new release known as CryptoWall 3.0 appeared this Monday and has already infected thousands of computers.

Can the malware be removed to get the data back?

While it may be possible to remove the virus from the infected computer, it will not unlock the encrypted files.

How does the ransomware get on the computer?

The ransomware is usually disguised as a fake Windows update for applications such as Adobe Reader, Adobe Flash Player or Java. These types of updates often appear as pop-up windows when the victim visits an unsafe website. The malware may also be distributed as a spam email attachment or as a device driver download from a compromised website.

Is an external drive or cloud sync drive safe?

The ransomware looks for important user files on the hard drive and any devices connected to the computer in order to do the most damage. The ransomware also encrypts files located in the computer users sync folders such as Google Drive or DropBox. So external hard drives, thumb drives and even cloud backup solutions are vulnerable to the attack. Always unplug your external backup drives from your computer.

Can the encryption be cracked?

Currently there is no easy way to crack the encryption methods used by the Crypto malware that scrambled the users important data files. Even the most powerful super-computers cannot easily break the encryption. The only known method to attempt breaking the encryption is to brute force (guess) the private key. This is a highly unlikely solution as it would possibily take 6.5 billion years for a desktop computer to make the correct guess, but is the only solution available at this time.

Will the encryption be cracked in the future?

Possibly with the advancement of quantum computing, current forms of encryption will become less secure and possibly exploitable. Only time will tell at this point.

How to not become a victim of Crypto-malware?

The best known method to safe guard your data against cryptographic malware and other types of virus data loss is to have a reliable incremental backup solution in place. An incremental backup system keeps snapshots over time of your data that can be restored in the event of a data disaster. Talk to South City Computer about an incremental backup solution that will work for you.

How to fix Proxy Server Isn’t Responding issue

Posted by

Fix the proxy server isn't respondingOne of the more common computer issues we see because of malware is a misconfiguration Proxy Server connection setting in the browser. You may be able to do a quick fix to get your Internet connection back up and running, however if this has gotten set and you don’t recall doing it, this is probably because your computer is infected with malware or a virus.

NOTE: This may only temporarily fix your Internet connection issue and malware may change this setting back on reboot. It is recommended you get professional computer repair services.

In Windows Search type inetcpl.cpl.

Right click and choose to Run as administrator.

Click the Connections tab, and then click LAN settings button.

Un-check the Use a proxy server for your LAN check box.

Make sure Automatically Detect Settings is checked.

If you have already attempted this fix, and are still getting a Proxy Internet connection issue then you may need computer repair service. Bring your computer to South City Computer or to a local computer repair service and support provider near you.

Why is the Proxy Server Setting enabled?

While every issue is different, malware is usual the culprit behind this proxy setting being changed on a computer. The setting allows for all Internet traffic to be rerouted and monitored through another computer. This is likely in order to serve pop-ups and/or search your Internet traffic for usernames, emails, credit card numbers,and passwords.

Alert: Fake Anti Virus Software

Posted by

Avasoft Professional Fake Anti-VirusOver the past couple years there have been a number of computer viruses that appear to be anti-virus software. The programs will appear to be scanning your computer and finding many computer viruses, trojans, and worms. Some of these fake anit-virus programs will even turn off the network connection until a payment is made into a phishing website.

Computer Virus

Computer virus mimicing anti-virus software

Fake Anti-Virus programs can appear to be “very similiar” to real anti-virus software programs to most computer users. However they are NOT really anti-virus software at all, and do not find viruses and worms on your computer, but instead are fake/phoney interfaces meant to scam you into divulging your personal identity and credit card information. It is very important you do not fall for this type of Internet scam, as it could cost you big and cause you future problems.

This past week a computer came into South City Computer with a fake anti-virus program called Avasoft Professional Antivirus. The customer understood this was a fake anti-virus program and immediately brought her computer in to have her data backed up and the computer fully restored to factory defaults to insure the program would longer infect her computer.

If you think your computer may have fake antivirus software on it, bring it to South City Computer today!

// //