Archive for Malware – Page 2

Remote command line to delete subfolders

This is a follow-up to my post regarding 44,175 folders being created in a temp folder due to a bad definition file from Vipre/MAV.

The system in question had frozen up, and after we rebooted the server, I was not able to log in using my normal remote control software (TeamViewer). But I was able to access the system from a remote command prompt.

That’s how I discovered the 44,175 folders. The question was: how do I delete all those sub folders?

A quick web search uncovered a usable solution, and after a test to verify it would work, I was ready to delete all those folders.

Here’s the command I used (obviously, enter the appropriate parent directory). The /D switch makes the loop walk directories only, and rmdir /s /q removes each one with its contents without prompting. This form is for typing at the command prompt; inside a batch file the loop variable must be written as %%p:

for /D %p in (c:\users\don\appdata\local\temp\*.*) do rmdir "%p" /s /q


Quickbooks dbdata11.dll and Vipre/MAV

Friday morning (6-26-2015) I started receiving calls from several of my customers saying that they could not run Quickbooks, and that they were getting an alert that the file “dbdata11.dll” had been quarantined.


With the help of other members of The ASCII Group, we quickly determined that it was a false positive due to a bad definition file update from Vipre (or the RMM version called MAV).

Soon after, MAXFocus (previously GFI) sent out a service status alert about the issue, saying it had been resolved with definition version 41468 and above. It was recommended to add the file (dbdata11.dll) to the Vipre/MAV exception list before updating systems with the newer definition file.

Note: make an exception only for the file, and not the folder and file, as the folder name is randomly generated by QuickBooks.

That should have been it. Right? … Wrong!

I received a call from one of my users saying that one of their systems with QuickBooks installed on it had locked up. At about the same time they reported this issue, I received an email alert from the RMM service I use saying that the C: drive of this system had dropped to below 20% free space.

Once we got the system rebooted, I logged in and discovered that there were 44,175 folders taking up nearly 62GB of disk space. These folders were in C:\Users\QBDataServiceUser22\appdata\local\temp. Each of these folders contained a single file: dbdata11.dll.

It turns out that every time Vipre/MAV quarantined this file, QuickBooks created a new temp folder with the same file!

So once I had the A/V definition file updated, and we rebooted the system, I went in and safely deleted all 44,175 folders! 

What a fun way to spend a Friday!
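The cmd one-liner in the previous post and the cleanup described here both remove every subfolder of a temp directory. The following PowerShell script is an added example (not the author's command) that first confirms each folder contains nothing but the quarantined file before removing it, so a folder holding anything else is left alone for a human to look at. The parent path (taken from this incident) and the file name are parameters and are assumptions for your own case; the script is a dry run unless -Delete is given.

```powershell
# Added example (not the command from the post). Dry run by default: it reports
# the folders it would remove and only deletes when -Delete is given. The parent
# path and file name are assumptions taken from the incident above; adjust them.
param(
    [string]$Parent   = 'C:\Users\QBDataServiceUser22\AppData\Local\Temp',
    [string]$FileName = 'dbdata11.dll',
    [switch]$Delete
)

if (-not (Test-Path -LiteralPath $Parent -PathType Container)) {
    throw "Parent folder not found: $Parent"
}

$targets = New-Object System.Collections.ArrayList
$skipped = 0
$bytes   = 0L

# PSIsContainer works on every PowerShell version (Get-ChildItem -Directory needs 3.0+).
foreach ($dir in (Get-ChildItem -LiteralPath $Parent -Force | Where-Object { $_.PSIsContainer })) {
    # Everything under this folder, files and subfolders alike.
    $contents = @(Get-ChildItem -LiteralPath $dir.FullName -Force -Recurse)
    # Only folders whose sole content is the one quarantined file are candidates;
    # anything else (empty, extra files, nested folders) is skipped and counted.
    if ($contents.Count -eq 1 -and -not $contents[0].PSIsContainer -and
        $contents[0].Name -ieq $FileName) {
        [void]$targets.Add($dir)
        $bytes += $contents[0].Length
    } else {
        $skipped++
    }
}

'{0} folders contain only {1} ({2:N2} GB); {3} other folders will be left alone.' -f $targets.Count, $FileName, ($bytes / 1GB), $skipped

if (-not $Delete) {
    'Dry run only. Re-run with -Delete to remove them.'
    return
}

$removed = 0
foreach ($dir in $targets) {
    try {
        Remove-Item -LiteralPath $dir.FullName -Recurse -Force -ErrorAction Stop
        $removed++
    } catch {
        "Could not remove $($dir.FullName): $($_.Exception.Message)"
    }
}
"Removed $removed of $($targets.Count) folders."
```

Run it once without -Delete to see the counts and total size (the 62GB figure above would show up here), then again with -Delete. Any folder that does not match the expected shape is reported in the "left alone" count rather than deleted.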

Watch Out for Malicious Flashlight Apps

Who would have thought that the flashlight app on your smartphone could be malicious?

According to this cyber-security company, SnoopWall, there are at least ten flashlight apps that are malicious, and can steal and send personal data. They published a threat assessment report back in October, 2014.

If your phone has one of the listed apps, the recommendation is to back up your contacts and personal files from your phone, and then do a factory reset of the phone. Deleting the app is not enough, as these apps store malicious data in hidden places on your phone.

Here is a 6-minute video from Fox News interviewing SnoopWall’s CEO, Gary Miliefsky, on this subject.

Vipre creating thousands of SBS_STDRL temp files

Over this past weekend, I started seeing a buildup of temp files in the C:\Windows\Temp directory. Temp files were named SBS_STDRL_*. My immediate and natural fear was of a virus/hack attack.

The only thing in common with all the systems in question was that they all were running MaxFocus (formerly GFI) Managed AntiVirus program (Vipre). As soon as I stopped MAV from running, the temp files stopped accumulating. Looking at the file dates, this all started on Thursday Jan-15-2015.


I contacted MaxFocus Sunday evening and submitted a support ticket. By then I had systems with as few as a hundred files, up to systems with over 100,000 temp files created. Fortunately, the size of these files was only 1K.

For the most part, this issue did not cause a lot of problems. However, I did have several customer servers that were negatively impacted by this issue. They started calling Monday morning reporting poor performance.

On Monday Jan-19-2015 Threat Track Security (formerly Vipre) posted a notice about the temp file issue in their forum acknowledging the issue and indicating that these files could be deleted:

We are currently investigating an issue where the SBS_STDRL files in C:\Windows\Temp are not being deleted automatically. These files are generated by Active Protection and through VIPRE scans. This may cause increased scan times depending on system specifications. You can delete these files by running command prompt as admin then entering the following command: del %windir%\temp\SBS_STDRL*

Later that day they posted a follow-up indicating that the issue was caused by a bad definition file, and that it had been fixed with definition version 36798:

This issue has been fixed in definition version 36798. Please make sure you have updated your definitions to the latest version to stop this issue from happening. Please note, this will not delete the SBS_STDRL files that are already created, so the instructions in the first part of this should be followed if you wish to remove these files.

By Tuesday morning, all systems were running fine. I utilized a built in script of MaxFocus RMM to schedule a cleanup of system temp files, which included checking the C:\Windows\Temp folder.
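As an added example (not from the post or the vendor notice), the following PowerShell script profiles a temp-file flood like this one by creation hour, which is how you would pin down the Thursday onset and confirm that the growth stopped after the definition update, and removes the files only when run with -Delete (the same effect as the vendor's del command). The folder and file pattern are assumptions taken from this incident.

```powershell
# Added example, not from the post or the vendor notice. Counts a flood of
# same-named temp files per creation hour so the start (and stop) of the growth
# is visible, then removes them only when -Delete is given. Folder and pattern
# are assumptions; adjust them to the artifact you are chasing.
param(
    [string]$Folder  = "$env:windir\Temp",
    [string]$Pattern = 'SBS_STDRL*',
    [switch]$Delete
)

$files = @(Get-ChildItem -LiteralPath $Folder -Filter $Pattern -Force |
           Where-Object { -not $_.PSIsContainer })
if ($files.Count -eq 0) { "No files matching $Pattern in $Folder."; return }

$sorted  = @($files | Sort-Object CreationTime)
$totalMB = ($files | Measure-Object -Property Length -Sum).Sum / 1MB
'{0} files, {1:N1} MB, first created {2}, last created {3}' -f $files.Count, $totalMB, $sorted[0].CreationTime, $sorted[-1].CreationTime

# Creation count per hour: a sudden start followed by a steady rate points at a
# recurring background task (here a bad AV definition) rather than a one-off,
# and a drop to zero after the definition update confirms the fix took.
$files | Group-Object { $_.CreationTime.ToString('yyyy-MM-dd HH') + ':00' } |
    Sort-Object Name |
    Select-Object @{ Name = 'Hour'; Expression = { $_.Name } }, Count |
    Format-Table -AutoSize

if ($Delete) {
    $files | Remove-Item -Force
    "Removed $($files.Count) files."
} else {
    'Dry run only. Re-run with -Delete to remove them.'
}
```

Because the files are created by the AV's own scanning, the hourly table also shows whether stopping the MAV service (as done above) actually halted the growth, or whether something else is still writing to the folder.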

Cloud-based Web Protection from GFI now available

GFI recently rolled out their new Web Protection solution, allowing KW Support & Consulting to deliver web security, web filtering and web bandwidth monitoring to its clients. Web Protection is integrated into the GFI RemoteManagement dashboard and is based on GFI’s award-winning GFI WebMonitor product.

Features include:

  • Web security – stop client’s end-users from accidentally visiting malicious sites pushing malware, phishing, proxies, spyware, adware, botnets, etc.
  • Web filtering – help end-users stay productive with common-sense web browsing policies designed for the workplace. This protects the business from legal liability and reduces the risk of a security breach through proactive internet access controls.
  • Bandwidth Monitoring – automatic alerts when excessive bandwidth activity on a network is identified, so you can remediate quickly and maintain productivity.

With Web Protection integrated into the GFI RemoteManagement platform, there is no software to install at the client site, no DNS name records to create or modify, and all settings and policies are managed right from the RMM dashboard.

If a user goes to a malicious web site, this is the type of warning screen they will receive:


New Crypto-Locker with DropBox attachment

There has been a rush of reports on newer strains of the Crypto-Locker (ransomware) type of virus. If it gets on your computer, it will begin encrypting your data files and make them unusable. Your screen will then display a message saying that you must pay $1,000 if you want to restore access to your files.

Now comes word that some of these newer strains are being delivered by dropping files from a rogue DropBox account to your computer via a link in an email.

In fact, I just identified the first of this type of email myself. On further investigation, I found that it was indeed associated with DropBox. Fortunately, my spam filter blocked the email.

The email appeared to be a harmless email saying that I had received a fax from a company called J2.com. Here’s the email, as viewed from my spam filter:


The red arrows indicate the two links in the email. If I hover (but don’t click) over either link, this is the URL that is displayed:


Here is a blog from MXLab on the same exact issue.

So, please — be very careful with emails and attachments.
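Hovering over a link is the manual version of comparing what a link says with where it actually goes. The following PowerShell function is an added example (not from the post or from MXLab) that performs the same check over an email's HTML body: it pulls every anchor, extracts the host from the href, and flags links whose visible text names a different domain. The message body below is constructed for the example and is not the email from the post; the fax-notice wording and the dropbox.com target only mirror what the post describes.

```powershell
# Added example. The HTML below is a constructed stand-in for the fax-notice
# email described in the post, not the real message.
$html = @'
<p>You have received a new fax from <b>J2.com</b> eFax service.</p>
<p><a href="https://www.dropbox.com/s/example/fax_message.zip?dl=1">View the fax at j2.com</a></p>
<p><a href="https://www.dropbox.com/s/example/fax_message.zip?dl=1">https://www.j2.com/fax/12345</a></p>
<p><a href="https://www.j2.com/help">Help</a></p>
'@

function Get-SuspiciousLinks {
    param([string]$Body)
    # One anchor per match: group 1 = href target, group 2 = visible link text.
    $anchorRx = [regex]'(?is)<a\b[^>]*?href\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    foreach ($m in $anchorRx.Matches($Body)) {
        $href = $m.Groups[1].Value
        $text = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()

        # Skip anchors that are not absolute URLs (mailto:, relative paths, etc.).
        $uri = $null
        if (-not [System.Uri]::TryCreate($href, [System.UriKind]::Absolute, [ref]$uri)) { continue }
        $hrefHost = $uri.Host

        # Does the visible text name a hostname of its own (j2.com, www.j2.com, ...)?
        $textHost = $null
        if ($text -match '\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b') { $textHost = $Matches[1] }

        # Mismatch = the text names a domain and the href host is neither that
        # domain nor a subdomain of it. Text without a domain cannot be judged
        # this way and is reported with Mismatch = False.
        $mismatch = $false
        if ($textHost) {
            $mismatch = $hrefHost -notmatch ('(^|\.)' + [regex]::Escape($textHost) + '$')
        }

        [pscustomobject]@{
            Text     = $text
            HrefHost = $hrefHost
            TextHost = $textHost
            Mismatch = [bool]$mismatch
        }
    }
}

$links = @(Get-SuspiciousLinks -Body $html)
$links | Format-Table -AutoSize
"Links whose text and target disagree: $(@($links | Where-Object { $_.Mismatch }).Count) of $($links.Count)"
```

For the constructed body this flags the two dropbox.com links (their text claims j2.com) and leaves the Help link alone. The check is deliberately narrow: it only catches text that names a domain, so a link whose text is just "Click here" still needs the hover test or a look at the raw href.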

Microsoft includes XP in fix for recent IE security issue

Microsoft has released today (May 1, 2014) a security update (MS14-021 / 2965111) that addresses the recent Internet Explorer (IE) issue that was first discussed in Security Advisory 2963983. More importantly, Microsoft has decided to make this patch available for Windows XP users, although XP is officially no longer a supported operating system.

If your computers are set to receive automatic Windows updates from Microsoft, then this patch will be automatically installed.

Read more here:

http://blogs.technet.com/b/msrc/archive/2014/05/01/out-of-band-release-to-address-microsoft-security-advisory-2963983.aspx

https://technet.microsoft.com/library/security/ms14-may 

https://technet.microsoft.com/library/security/ms14-021

Unregister VGX.DLL for IE Zero-Day workaround

Post revised 4/30/2014

Over this past weekend (April 27, 2014), there have been numerous reports of another zero-day security flaw in Internet Explorer. Some sites have gone so far as to say “stop using Internet Explorer” completely until this flaw is fixed.

But given that the exploit seen in the wild relies on the now deprecated VML vector graphics format, there is an easy workaround recommended by Microsoft and others: simply unregister the VGX.DLL system file that implements that format. This blocks the known attack path rather than fixing the underlying flaw in Internet Explorer, so the security update should still be applied as soon as Microsoft releases it.

To unregister VGX.DLL manually

These instructions should work for XP, Vista, Windows 7, and Windows 8 computers. Before starting, you will need to know if you are running a 32-bit or a 64-bit version of Windows.

  1. Press “WIN”+R keys to display the Run window.
    (“WIN” = the Windows key next to the ALT key. Hold the “WIN” key like a Shift key, and then press the letter “R”.)
  2. Type (or copy and paste) the following command into the window, including the double quotes:
    "%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
  3. Wait for a response window to appear telling you that the command was successful.
  4. If you are running a 32-bit version of Windows, you are done.
  5. If you are running a 64-bit version of Windows, repeat steps 1 to 3 using the following command instead, so that the 32-bit copy of the file is unregistered as well:
    "%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"
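The same workaround as a script, as an added example that is not from the post or from Microsoft's advisory: it works out which copies of vgx.dll are present (one on 32-bit Windows, two on 64-bit), unregisters each with regsvr32 in silent mode, and checks the exit code instead of waiting for a dialog. Run it from an elevated PowerShell, and on 64-bit Windows use the 64-bit PowerShell (a 32-bit PowerShell resolves both paths to Program Files (x86) and would miss the 64-bit copy).

```powershell
# Added example, not from the post or Microsoft's advisory. Must run elevated,
# because regsvr32 writes to HKEY_CLASSES_ROOT.
$candidates = @("${env:CommonProgramFiles}\Microsoft Shared\VGX\vgx.dll")

# CommonProgramFiles(x86) only exists on 64-bit Windows, where the 32-bit copy
# of the DLL lives under Program Files (x86). This check also works on PowerShell 2.0.
if (${env:CommonProgramFiles(x86)}) {
    $candidates += "${env:CommonProgramFiles(x86)}\Microsoft Shared\VGX\vgx.dll"
}
# A 32-bit PowerShell on 64-bit Windows resolves both to the (x86) path; dedupe.
$candidates = @($candidates | Sort-Object -Unique)

foreach ($dll in $candidates) {
    if (-not (Test-Path -LiteralPath $dll)) {
        "Not present (already removed or never installed): $dll"
        continue
    }
    # /u unregisters, /s suppresses the dialog. regsvr32 is a GUI program, so
    # Start-Process -Wait -PassThru is needed to collect its exit code (0 = success).
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\regsvr32.exe" `
        -ArgumentList @('/u', '/s', "`"$dll`"") -Wait -PassThru
    if ($proc.ExitCode -eq 0) {
        "Unregistered: $dll"
    } else {
        "regsvr32 returned exit code $($proc.ExitCode) for $dll"
    }
}
```

Re-running the script is harmless: regsvr32 /u on an already unregistered DLL still returns 0, and a missing file is reported rather than treated as an error, which makes it suitable for pushing out through an RMM script job to many machines at once.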

For more information:

https://technet.microsoft.com/en-us/library/security/2963983.aspx

http://nakedsecurity.sophos.com/2014/04/27/microsoft-acknowledges-in-the-wild-internet-explorer-zero-day/

Microsoft Security Essentials Crashing on XP

Microsoft Security Essentials (MSE) is Microsoft’s free anti-virus program for personal use, and for businesses with 10 or fewer computers. Microsoft has indicated that if you already have MSE installed on Windows XP, it will continue to be supported and updated for another year, even though XP is no longer a supported platform.

To my surprise, I was at a client’s office on Wed April 16th and powered up two XP workstations. Both of them hung for the longest time right after logging in. Once they did come up, I was presented with various error messages about MSE. With no time to investigate, I went ahead and uninstalled MSE and then installed a different anti-virus program.

Today, I heard that a bad definition file might have been the cause.

Stolen Email Passwords Again!

Yahoo reported today that usernames and passwords of some of their email customers have been stolen. Read the specifics in this ABC News Wire story.

Unfortunately, this is becoming a daily occurrence, and much like the person who kept yelling “fire”, we are slowly becoming numb to these warnings of security breaches and identity thefts. But we must not let down our guard.

So, what can you do? Here are a few suggestions, by no means a complete list:

  • Use strong passwords – the password for your email account should (1) contain a combination of letters, numbers and special characters, and (2) be 8 or more characters in length. Why? Because it makes it that much harder for spammers and hackers to break your password. An easy-to-implement rule is to replace some letters with numbers or similar special characters.
    One example: if your password was “racingcars”, you might change it to “R@c1ngC@r$”, where the letter a is replaced with @, the letter i with the number 1, and the letter s with $. Treat those two rules as a floor rather than a finish line: password-cracking tools try exactly these letter-for-symbol substitutions automatically, so a longer password (or a phrase of several unrelated words) adds far more protection than a clever substitution, and the same password should never be used for more than one account.
  • Change your email password – if you think your email account has been compromised, go online to your email provider’s web site and change your password immediately.
  • Don’t click on links within emails – especially those that are mass emails sent from financial institutions, stores, or online web sites. Example: if you get an email from PayPal saying there’s an issue with your account, don’t click on the link in the email. Instead, open up your browser and go directly to the PayPal website.
  • Restrict incoming email – if you really want to cut back on junk email, many email programs, including Outlook, will allow you to set up a “Safe Senders” list. If a person is not listed in your “Safe Senders” list, then the email will be sent to your Junk Mail folder. Outlook will also give you the option to automatically add everyone in your Contacts to your Safe Senders list.
  • Learn to use the BCC: field – BCC stands for “Blind Carbon Copy”. If you are going to send out an email to a group of unrelated people, then list their email addresses in the BCC: field rather than the TO: field.
  • Never send confidential information by email – if someone needs your social security number, call them and give it to them over the phone. Don’t email it. Don’t text it. You have to consider the possibility that anything you put into an email could get into the wrong hands.

C’est la vie!