New Malware Threat Hides In Your Registry

November 3rd, 2014

It seems a new malware threat emerges practically every day, but most threats have a lot in common: they get onto your device in similar ways and are detected and removed in similar ways. A new threat reported on the Symantec blog, however, is unusual. Trojan.Poweliks does not exist as a file on the infected machine the way most malware does. Instead, it hides inside the Windows registry.

Trojan.Poweliks still reaches computers the way most other malware does: through spam emails, malicious links and exploit kits. Users have reported emails claiming to alert them to a missed package delivery. Opening the email and its attachment is what leaves them infected.

Once a machine is infected, the trojan stores its code in a registry key rather than on disk, under a key name that the standard registry editor cannot even display properly. That means most users will never find it, and security tools that only scan files on disk will miss it.

While it’s hidden, the malware receives commands remotely from the attacker and can take all sorts of nasty actions to cripple your computer and monitor your activity.
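The following added example (not code from the original post or from Symantec) shows the kind of check a technician can run for this class of threat: it walks the Windows autorun (Run and RunOnce) registry keys and flags values whose command lines launch script through rundll32 or another script host, or whose names contain characters regedit cannot display, which is how published analyses describe the Poweliks entry. The regexes, the length threshold and the sample values are the example’s own, not vendor signatures.

```python
"""Hunt Windows autorun registry values for script-in-registry loaders.

Added example; not code from the original post or from Symantec. It encodes
the publicly described Poweliks pattern: an autorun value whose command line
makes rundll32.exe execute a javascript: URL, stored under a value name with
characters that regedit cannot display. The regexes and the length threshold
are this example's own heuristics, not vendor signatures.
"""
import re
import sys
from typing import List, Tuple

# Autorun locations to walk on Windows. HKCU is listed first because a
# per-user Run key needs no administrator rights to write.
AUTORUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# (label, pattern) pairs matched against the command line stored in the value.
SUSPICIOUS_COMMANDS = [
    ("rundll32 executing a javascript: URL",
     re.compile(r"rundll32(\.exe)?\s+.*javascript:", re.I)),
    ("mshta executing inline script",
     re.compile(r"mshta(\.exe)?\s+.*(javascript|vbscript):", re.I)),
    ("powershell with encoded or hidden command",
     re.compile(r"powershell(\.exe)?\s+.*(-e(nc(odedcommand)?)?\s|-w(indowstyle)?\s+hidden)", re.I)),
]
MAX_NORMAL_LENGTH = 512  # legitimate Run values are short paths, not payloads


def classify_autorun_value(name: str, data: str) -> List[str]:
    """Return the reasons one autorun value looks like a script loader (empty if none)."""
    findings = []
    # Poweliks kept its value under a name regedit could not render.
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in name):
        findings.append("value name contains non-printable or non-ASCII characters")
    for label, pattern in SUSPICIOUS_COMMANDS:
        if pattern.search(data):
            findings.append(label)
    if len(data) > MAX_NORMAL_LENGTH:
        findings.append(f"value is {len(data)} characters long; payload likely embedded")
    return findings


def scan_run_keys() -> List[Tuple[str, str, List[str]]]:
    """Windows only: walk AUTORUN_KEYS and return (key, value name, findings) for hits."""
    try:
        import winreg
    except ImportError:          # not on Windows; nothing to scan
        return []
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    flagged = []
    for hive, path in AUTORUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], path)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values under this key
                    break
                index += 1
                findings = classify_autorun_value(name, str(data))
                if findings:
                    flagged.append((f"{hive}\\{path}", name, findings))
    return flagged


# Constructed sample values for offline use. The second mimics the shape of the
# published Poweliks command line with its payload abbreviated; its name is a
# non-breaking space standing in for the unprintable character Poweliks used.
SAMPLE_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "\u00a0": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";eval("...abbreviated...")',
    "Updater": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA...",
}


def demo() -> dict:
    """Classify the constructed samples; returns {value name: findings}."""
    return {name: classify_autorun_value(name, data) for name, data in SAMPLE_VALUES.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(repr(name), "->", findings or "clean")
    if sys.platform == "win32":
        for key, name, findings in scan_run_keys():
            print(key, repr(name), findings)
```

Run it on a Windows machine to list flagged Run values; on any other system it only classifies the constructed samples. A hit is a lead, not a verdict: legitimate software occasionally uses PowerShell in a Run key, so read the flagged command line before deleting anything.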

Staying safe from these types of threats requires both sensible web use and proper security tools. An up-to-date antivirus tool will catch many of these threats, but if you’re among the first users infected, your antivirus won’t yet recognize the newest malware. That’s why your first line of defense has to be avoiding the places these threats are commonly found. Don’t download suspicious email attachments or follow links sent to your email. These habits will help keep you out of harm’s way.

If you’d like to improve the security on any of your devices, or need help getting rid of malware that’s infected your machine, call Geek Rescue at 918-369-4335.

Android Ransomware Spreading Quickly Through US Users

October 22nd, 2014

A new Android ransomware threat is spreading fast after turning into a worm that propagates through text messages. The Koler Android trojan was spotted in the United States by AdaptiveMobile, which saw it affect hundreds of users in a single day. John E. Dunn of TechWorld explained how Koler is spreading so rapidly.

Koler originally infected victims who visited untrusted websites, such as porn and gambling sites. Much mobile malware stays confined to those corners of the web and never becomes a large-scale problem for the general public. Koler, however, turned into an SMS worm: it sends a shortened, disguised link by text message to everyone in an infected user’s contacts. Because the link appears to come from the user, many of those contacts click on it and are infected in turn.

Those who click the link are sent to a Dropbox page and asked to install a photo-viewing app in order to see photos that “someone” has uploaded of them. Agreeing to the download installs the Koler trojan, which takes effect almost immediately.

The user’s screen is blocked by a message supposedly from the FBI, demanding a ransom to unlock the phone. Meanwhile, the same link is sent to the user’s contacts.

The good news is that with Android’s default settings the installation should be blocked: the “Unknown sources” option, which is off by default, prevents apps from being installed from anywhere other than Google Play. However, many users have discovered that they had already changed that setting, leaving them exposed to a threat like this.

The make-up of this attack isn’t complicated, which means it is also fairly straightforward to disrupt. Dropbox has already been asked to remove the download from its servers and disable the link. Attackers could easily move their malicious files elsewhere and continue to victimize Android users, however.

If your device becomes infected by malware, Geek Rescue will fix it. Stop by or give us a call at 918-369-4335.

Premium Text Sending Trojan Targets US Android Users

April 25th, 2014

There have been plenty of warnings about malware targeting Android devices. Android, due in large part to how easily users can install apps from outside the official store, has been plagued by security threats at a much higher rate than Apple’s iOS. Until now, though, there had been no documented trojan capable of sending premium SMS messages to victimize users in the United States. As Adam Greenberg of SC Magazine reports, a trojan known as FakeInst has now done just that.

FakeInst isn’t only capable of sending text messages that cost users money. It is also able to delete messages, steal them and reply to contacts.

Users in the US are far from the only victims of the SMS trojan. In all, 66 countries have been affected, including Canada, Mexico, France, Spain and Italy.

Unlike some threats that infect devices through no real fault of their users, FakeInst has a specific infection method that requires the user’s cooperation at each step. A phishing website is set up to attract users browsing for pornographic content on their Android smartphone. The site asks visitors to download an application. After installing it, the user is asked to send a text message to a service to access the content. These actions allow the trojan to decrypt the information it needs and take over the device’s SMS capabilities.

This ends with the malware sending premium text messages that cost about $2 each.

Researchers have tracked the trojan to Russian origins, where the first reports of infection were found.

Thankfully, for most users this threat is easy to avoid. Don’t install apps from outside of the official Google Play store and certainly don’t download apps from less than reputable websites.

If your smartphone or other device has been infected by any type of malware, bring it to Geek Rescue or call us at 918-369-4335.

The Latest, Nasty Spam And Malware Threat

April 24th, 2014

How can you be sure that an email from your bank is what it claims to be? That’s a vital question in the wake of news that the latest spam and malware campaign commonly arrives as emails resembling messages from banks such as Wells Fargo and Lloyds Bank. Malcolm James of the All Spammed Up blog reports that both the way the malware is hidden in these messages and the way it then attacks your machine are troubling.

The emails come with an attachment, and that attachment contains another file inside it, which is the malware. The layering is deliberate. The user sees a .ZIP file that claims to be a secure message from the bank, complete with password protection. A password-protected archive cannot be opened by spam filters or antivirus scanners at the mail gateway, so the executable inside slips through. When the user opens it, the computer is infected with the Upatre trojan.

Upatre is the root of the problem, but it does no real damage itself. Its job is to contact the attacker and download more harmful malware to your system. The Zeus banking trojan is the first to arrive; it is designed to steal your online banking log-in credentials. The Necurs malware is also downloaded, and it disables security tools, clearing the way for still more malware to infect and attack your machine.

While many attacks of this nature are aimed overseas, the campaigns using Upatre target the United States almost exclusively. About 97 percent of recorded attacks using the trojan have targeted American users.

One of the problems with this style of attack is that users may not know they’ve been infected for some time. With banking passwords at stake, that is an extremely dangerous risk.

To stay safe, users must resist the urge to open suspicious looking emails. An email from your bank may not seem suspicious, but remember that banks and other legitimate businesses likely won’t attach a file to an email unless they’ve told you ahead of time what they’re sending. If you have questions about an email, call your bank directly and ask them rather than risking malware infections.

If your computer or other device has been infected with malware, call Geek Rescue at 918-369-4335.

2013 Security Report Reveals Large Growth In Malware Production

April 16th, 2014

It’s no secret that malware is an ever-present threat to internet users. It’s also no secret that while defenses against malware are steadily improving, the volume of new malware and its capabilities are growing too. A recent report released by security firm Panda Labs confirmed the growing threat, as Tony Bradley reports for PC World.

In its 2013 security report, Panda Labs found that about a fifth of all the malware that exists was created last year. That speaks to the rapid pace of malware production. In 2013 alone, 30 million new threats were created, which works out to about 82 thousand per day.

Of these newly minted threats, about 70 percent are trojans, a particularly troubling form of malware capable of stealing data and even controlling an infected computer while staying hidden from users and security tools. In total, Panda Labs discovered more than 20 million new trojans. The rest was made up of worms, viruses, adware and spyware. Trojans were also responsible for the most infections, accounting for almost 80 percent of infections in 2013.

In terms of application vulnerabilities, Java was to blame for the most attacks. Exploits on a security flaw in Java led to successful attacks on Twitter, Facebook, Apple and Microsoft.

With so many forms of malware around, it’s remarkable that users aren’t victimized more often. Most users are rarely infected, but even someone who fell victim once a month would have encountered only 12 of those 30 million new threats, roughly 0.00004 percent. Given these numbers, it’s clear why experts warn that there’s no such thing as perfect security.

Panda Labs also agreed with the consensus that in the mobile world, Android is the most popular target for malware producers. They also sent a warning to users that more targeted attacks aimed at stealing data would be coming this year.

Users who are unprotected by security tools like antivirus programs run a significantly higher risk of becoming the victim of an attack. This could lead to the harm of your computer and the theft of your data.

For help securing your computer or recovering from an attack, call Geek Rescue at 918-369-4335.


New Malware Infects PC To Infect Android Devices

January 28th, 2014

Generally, a piece of malware is only harmful to the kind of device it targets. For example, malware designed for Windows won’t harm mobile devices, and vice versa. However, researchers have already seen malware that infects Android devices with the ultimate goal of infecting a PC connected to them. Now, as the Symantec blog reports, there is evidence of malware that infects PCs with the ultimate goal of infecting any Android device connected to them over USB.

So far, there’s been no official word about how the malware, known as Trojan.Droidpak, gets onto PCs. Once it is running, the trojan begins adding malicious files to the system. First, a DLL registers itself as a system service. Then a configuration file is downloaded, followed by a malicious APK (Android app package) and a copy of ADB (Android Debug Bridge), the command-line tool developers use to install apps on a connected device. If an Android device is connected to the infected PC, the trojan uses ADB to attempt the installation of the APK repeatedly, to make sure the mobile device ends up infected.

To succeed, the malware requires USB debugging to be enabled on the device. To check whether your phone allows it, open Settings, go to ‘Applications’, then ‘Development’, and look for the option that allows USB debugging when the phone is connected to a PC. On Android 4.2 and later the setting lives under ‘Developer options’, which stays hidden until you tap ‘Build number’ seven times in ‘About phone’; if you have never done that, debugging is off.

If the malware successfully reaches your smartphone or tablet, it disguises itself as an application called ‘Google App Store’ and even copies the Play Store logo. This particular trojan looks specifically for banking applications. When it finds one, the user is prompted to delete the installed version of the banking app and replace it. The replacement is a malicious copy used to steal financial data and log-ins. The malware can also intercept text messages and forward them to a third party.

The good news is that the trojan currently targets only Korean banking apps, but it’s easy to see how it could be adjusted to target US Android users. Turning off USB debugging is a good start, and you should also turn off the AutoRun feature on your PC so that connecting another device does not launch anything automatically.

If your PC, smartphone, tablet or any of your devices are infected with malware, bring them to Geek Rescue or call us at 918-369-4335.

Malware Hidden In .Zip Email Attachments Makes Sudden Rise

January 15th, 2014

Spam emails are always annoying, but they can be malicious and harmful as well. Some carry attachments that infect your computer with malware. Recently, security company Symantec noticed an extreme spike in the number of malicious .zip files being sent out, as Eric Park reports on the Symantec blog.

Sending malicious attachments is common practice for hackers, but sending .zip files hadn’t been popular for some time. A .zip file compresses a larger file so that it is small enough to send over email. For criminal purposes, it also obscures the true nature of the attachment. Instead of seeing plainly that what should be a Word document is actually an executable, the user sees only a file ending in .zip, which must be downloaded and opened to find out what it really contains. Downloading and opening these particular files, however, infects your computer with malware.

In the preceding months there had never been more than about 25 thousand malicious .zip attachments sent on a single day. But from January 7 to January 10, the daily count rose to between 150 thousand and 200 thousand malicious .zip files attached to spam emails. In addition to the sudden rise in volume, the names of the .zip files changed every day.

On the 7th, an email claiming to be from a legitimate bank such as Wells Fargo was sent with a .zip attachment named ‘BankDocs’ followed by some numbers. By the next day, the lure had changed to an invoice for an overdue payment to an unnamed company, with the attachment named ‘Invoice’ followed by numbers. On the 9th, the .zip file was called ‘Early2013TaxReturnReport’ and was supposedly from the IRS, and on the 10th it was an invoice from a specific, named company.

Each of these messages was different, but all contained the same trojan, which is capable of stealing data from an infected computer. Since the message changed every day, it’s difficult to warn users exactly what to watch for. Instead, don’t download any attachment unless you know exactly what it is and are expecting a file to be sent to you.

Since January 10, messages with malicious .zip attachments have gone back to their usual volume of a few thousand per day, but security experts warn that another large-scale campaign could start again at any time.
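Both this post and the Upatre post above come down to the same problem: an archive attachment whose real contents are not visible until it is opened. The following added example (not code from Symantec, All Spammed Up or either original post) implements the triage a mail gateway or a cautious technician can do on a .zip without running anything inside it: flag executables hiding behind document-like names such as ‘Invoice.pdf.exe’, files whose first bytes say Windows executable whatever their extension, archives nested inside the archive, and password-protected entries that cannot be scanned at all. The extension lists are the example’s own choices, and the sample attachments are constructed.

```python
"""Triage a .zip e-mail attachment before anyone double-clicks it.

Added example; not code from either original post, from Symantec or from All
Spammed Up. It applies the checks those posts imply: an executable hidden
behind a document-like name (Invoice.pdf.exe), a Windows executable whose
extension claims otherwise, an archive nested inside the archive, and
password-protected entries that a mail-gateway scanner cannot inspect. The
extension lists are this example's own choices; file names and contents are
constructed for the demonstration.
"""
import io
import zipfile
from typing import Dict, List

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".jar", ".lnk", ".msi"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".htm", ".html"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".gz", ".cab"}
MAX_NESTING = 3  # stop unpacking archives-in-archives beyond this depth


def _extensions(name: str) -> List[str]:
    """All dotted suffixes of the base name, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_zip(data: bytes, depth: int = 0, prefix: str = "") -> List[str]:
    """Return human-readable findings for an archive, recursing into nested .zip entries."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{prefix}not a valid zip archive"]
    findings: List[str] = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            label = prefix + info.filename
            exts = _extensions(info.filename)
            last = exts[-1] if exts else ""
            if info.flag_bits & 0x1:   # general-purpose bit 0: entry is encrypted
                findings.append(f"{label}: password-protected entry; content cannot be scanned")
                continue
            content = archive.read(info)
            if last in EXECUTABLE_EXTENSIONS:
                findings.append(f"{label}: executable file type {last}")
                if any(e in DOCUMENT_EXTENSIONS for e in exts[:-1]):
                    findings.append(f"{label}: double extension disguises executable as document")
            elif content[:2] == b"MZ":  # DOS/PE header under a non-executable name
                findings.append(f"{label}: Windows executable header (MZ) despite {last or 'no'} extension")
            if last == ".zip":
                if depth + 1 >= MAX_NESTING:
                    findings.append(f"{label}: nested archive beyond depth {MAX_NESTING}; not unpacked")
                else:
                    findings.append(f"{label}: nested archive")
                    findings.extend(inspect_zip(content, depth + 1, label + "/"))
            elif last in ARCHIVE_EXTENSIONS:
                findings.append(f"{label}: nested {last} archive; not unpacked here")
    return findings


def triage(data: bytes) -> bool:
    """True when the attachment should be quarantined instead of delivered."""
    return bool(inspect_zip(data))


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed attachments shaped like the lures the posts describe.
FAKE_MZ = b"MZ" + b"\x90" * 62 + b"constructed stand-in, not a real program"
BENIGN_ATTACHMENT = build_zip({"Q4_report.pdf": b"%PDF-1.4 constructed sample"})
BANKDOCS_ATTACHMENT = build_zip({"BankDocs_77421.pdf.exe": FAKE_MZ})
NESTED_ATTACHMENT = build_zip({
    "SecureMessage.zip": build_zip({"SecureMessage.scr": FAKE_MZ}),
    "readme.txt": b"Your secure message from the bank is attached.",
})

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_ATTACHMENT), ("bankdocs", BANKDOCS_ATTACHMENT),
                       ("nested", NESTED_ATTACHMENT)]:
        print(name, "->", "quarantine" if triage(blob) else "deliver", inspect_zip(blob))
```

The password-protected case is the one to take most seriously: the check cannot see inside such an entry, so a gateway has to decide by policy whether an encrypted archive from an unknown sender is delivered at all, which is exactly the gap the Upatre campaign relied on.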

If your computer has been infected with malware, come by Geek Rescue or call us at 918-369-4335.


Beware Malicious Offers To Update Your Browser

January 10th, 2014

When was the last time you updated your web browser? Periodically you’re prompted to update to the latest version in various ways, but not all of those prompts are legitimate. As Zeljka Zorz writes at Help Net Security, agreeing to “update” your browser from the wrong source leads to a malware infection.

It’s a common scam that’s been around for years, but internet users in the UK have seen a recent surge in malicious offers to update their browsers. These offers come as pop-ups that look official enough. They claim to be “critical updates”, and many trap you in an endless loop that prevents you from closing the tab.

If you agree to download the update, what you’ll actually get is some form of malware. In the recent occurrences seen in the UK, a trojan used to steal information was downloaded instead of a browser update.

These scams are seen most on sites where you stream media. It seems users are more likely to believe that an update is needed when they think they won’t be able to stream the video they wanted to watch. But, even if you think your browser is in need of an update, it’s never a good idea to download from an untrusted source. Instead of clicking through on the pop-up, go directly to the browser developer’s site and check for recent updates.

This scam isn’t limited to web browsers either. Warnings that your operating system or your browser plug-ins are out of date are also used to convince you to download a malicious file. In every case, don’t download anything unless you’re on the developer’s own site. It is a good idea to check regularly whether the applications you use are out of date; doing so closes security flaws and eliminates bugs and compatibility issues. But you have to be careful when downloading and make sure the file comes from a trusted source.

If your computer has been infected by malware, bring it to Geek Rescue or call us at 918-369-4335.

Vulnerability Of Two-Step Authentication Revealed

January 9th, 2014

Two-step, or two-factor, authentication is a generally trusted way to secure online accounts so that only the account holder can access them. A recent attack on players of Blizzard’s World of Warcraft, however, exposed a weakness many had overlooked. Antone Gonsalves at Network World details how the attack took place and how it can be prevented in the future.

Two-step authentication requires a user to log in with a username and password. Then a second passcode or PIN, supplied to the user by text message, email, an authenticator app or other means, must also be entered before access is granted. Sites typically require this second step whenever a user logs in from a new device.

It seems like a foolproof way of keeping hackers out of accounts that don’t belong to them, but the World of Warcraft incident demonstrated how a ‘man-in-the-middle’ attack provides a way around it.

First, a trojan infected users of a popular online forum related to World of Warcraft. That trojan enabled a man-in-the-middle attack, in which criminals intercept the data a user believes they are entering into the legitimate website. In this case, users attempted to log into their accounts using two-step authentication but were really handing the hackers their username, password and one-time code, which the hackers used immediately to log in themselves and lock the real users out of their own accounts.

Similar attacks have been observed on banking sites, where two-step authentication is also common. Experts say these attacks highlight the weakness of most two-step methods: in-band authentication, meaning all of the log-in information is entered over the same channel.

Because users enter their username, password and the generated code together, over the same channel, a man in the middle who captures them can replay all three before the short-lived code expires, which is what makes the attack so effective. Instead, experts suggest splitting the log-in across two separate channels. For example, you would log in online with your usual information, then be prompted to confirm the attempt by entering a one-time PIN into a mobile app on your smartphone. Another suggested method is to send an automated text alert whenever someone tries to log in with your credentials; if the IP address or geographic location doesn’t match your own, you can reject the attempt.
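To make the weakness concrete, the following added example (not code from the original post or from Network World) simulates the attack in Python: a minimal one-time-code server of the usual RFC 6238 kind, a phishing proxy that relays the victim’s username, password and code to the real site a couple of seconds later, and the out-of-band alternative the experts describe, in which the account holder approves the specific attempt and is shown where it came from. All users, passwords, secrets and addresses are constructed for the demonstration.

```python
"""Why an in-band one-time code does not stop a real-time man-in-the-middle.

Added example; not code from the original post or from Network World. It
simulates the attack described above with a minimal TOTP (RFC 6238) server,
a phishing proxy that forwards the victim's username, password and code to
the real site while the code is still valid, and a second server design in
which the account holder approves each attempt out of band and sees where it
came from. Users, passwords, secrets and IP addresses are constructed.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

STEP = 30  # seconds per TOTP window
Accounts = Dict[str, Tuple[str, bytes]]  # user -> (password, TOTP secret)


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as authenticator apps compute it."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // STEP)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class InBandSite:
    """Username, password and code all arrive over the same web form."""
    def __init__(self, accounts: Accounts):
        self.accounts = accounts
        self.used_step: Dict[str, int] = {}  # last TOTP window accepted per user

    def login(self, user: str, password: str, code: str, now: float) -> Optional[str]:
        pw, secret = self.accounts.get(user, (None, b""))
        if pw is None or password != pw or code != totp(secret, now):
            return None
        step = int(now // STEP)
        if self.used_step.get(user) == step:  # a one-time code is spent once used
            return None
        self.used_step[user] = step
        return f"session-{user}-{step}"


class PhishingProxy:
    """The man in the middle: a fake login page that relays whatever it receives."""
    def __init__(self, real_site: InBandSite):
        self.real_site = real_site
        self.stolen_sessions = []

    def submit(self, user: str, password: str, code: str, now: float) -> None:
        # Relay at once, inside the 30-second window; the victim just sees an error.
        token = self.real_site.login(user, password, code, now)
        if token:
            self.stolen_sessions.append(token)


class OutOfBandSite:
    """Password over the web; approval of this specific attempt on a second channel."""
    def __init__(self, accounts: Accounts, owner_ips: Dict[str, str]):
        self.accounts = accounts
        self.owner_ips = owner_ips  # stands in for what the account holder knows

    def approve_on_phone(self, user: str, source_ip: str) -> bool:
        # The prompt names the address making the attempt; a relayed attempt
        # carries the attacker's address, so the owner rejects it.
        return source_ip == self.owner_ips[user]

    def login(self, user: str, password: str, now: float, source_ip: str) -> Optional[str]:
        pw, _ = self.accounts.get(user, (None, b""))
        if pw is None or password != pw or not self.approve_on_phone(user, source_ip):
            return None
        return f"session-{user}-{int(now)}"


def run_scenario(now: float = 1_400_000_000.0) -> Dict[str, bool]:
    secret = b"constructed-shared-secret"
    accounts: Accounts = {"alice": ("correct horse battery", secret)}
    victim_ip, attacker_ip = "198.51.100.23", "203.0.113.9"

    # In band: alice types username, password and code into the phishing page.
    real = InBandSite(accounts)
    proxy = PhishingProxy(real)
    code = totp(secret, now)
    proxy.submit("alice", "correct horse battery", code, now + 2)  # relayed 2 s later
    retry = real.login("alice", "correct horse battery", code, now + 5)  # alice's own try

    # Out of band: the approval prompt shows the relay's address, not alice's.
    oob = OutOfBandSite(accounts, {"alice": victim_ip})
    relayed = oob.login("alice", "correct horse battery", now, attacker_ip)
    genuine = oob.login("alice", "correct horse battery", now, victim_ip)
    return {
        "attacker_in_band": bool(proxy.stolen_sessions),
        "victim_locked_out": retry is None,
        "relay_out_of_band": relayed is not None,
        "genuine_out_of_band": genuine is not None,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The simulated phone approves by comparing addresses, which is a stand-in for the account holder reading the prompt. That is also the limit of the design: a relay placed on the victim’s own network, or a user who taps approve without reading, still gets through, so the second channel reduces the risk rather than removing it.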

The lesson for users and businesses alike is that even two-step authentication doesn’t make accounts completely secure. Attackers keep getting more sophisticated, and technology once thought unbreakable now has known weaknesses.

If your computer is infected with malware, or you’d like to investigate better security methods for home or business, call Geek Rescue at 918-369-4335.

Scareware Observed Targeting Android Users

December 24th, 2013

The amount of malware for smartphones grew rapidly throughout 2013. Because of its huge user base and the ease of installing apps from outside Google Play, Android was targeted most. Now some of the same tactics cyber criminals have used for years on PCs are moving to Android. Satnam Narang reports for Symantec that scareware has been observed trying to trick users into downloading malware onto their devices.

Scareware is a common tactic. Using social engineering, a criminal convinces a user that they face an imminent threat and need to buy or download a product to protect themselves. Usually the scam tells users that a virus or other malware is on their device and offers to remove it.

The latest scam targeting Android users involves mobile ads claiming the user’s device has been infected by a trojan called MobileOS/Tapsnake. Tapsnake is a real Android threat that has been around since 2010, but here the name is used only to make the scam seem credible. The ads include a button that claims to install a security app or to scan for and remove the threat. In reality, you’re downloading malware.

Avoiding this type of scam should be simple. To begin with, no online ad can scan your device and alert you to malware on it. Some unsuspecting users fall for it anyway because they’re worried about threats to their smartphone. This particular scareware displays on any device that loads the ad, however, so even iPhone users will be told that their “Android device” is at risk, a giveaway that no scan took place.

If you encounter one of these ads and are concerned about your phone, run your existing security app or download a trusted one from the Play store. To avoid accidentally installing a malicious app, never install one directly from a website.

If your smartphone has actually been infected by malware, bring it to Geek Rescue or call us at 918-369-4335.