Archive for Malware

Emergency Patch for Adobe Flash Player to be released

Adobe is working on a patch to address a critical vulnerability in their Flash Player software. The exploit impacts those on version 20.0.0.306 and earlier. If your Flash Player is at version 21.0.0.182 or above, then you are not impacted by this exploit.

The patch may be available as soon as Thursday April 7, 2016.

Read more at this PC World post.

Analysis of a Ransomware

Ransomware (often referred to as Cryptolocker) is a malicious virus threat in today’s environment.

If the virus gets onto your computer, it will begin locking down files on your computer by writing a hidden secured password to those files. It will then display a message that you have XX number of hours or days to pay the ransom to get the password to unlock your files.

Unless you have a solid backup, your two options are: pay the ransom or lose all your files. The ransom could be in the hundreds of dollars. For a California hospital, that ransom was to the tune of $17,000!

MalwareBytes has a blog post on their site dated March 1, 2016 which gives an in-depth analysis of how such a ransomware virus works.

I found it an interesting read, and thought I would pass it along.

You can go directly to the blog post and read it, or I saved it as a PDF file that you might find easier to read.

Kudos to MalwareBytes!

Scam Alert for Fake Phone Calls from Microsoft Support

It seems to go in waves … phone calls supposedly from a Microsoft person informing you that your computer is infected or has been compromised. We’re in such a wave, as I have recently had several people tell me that they have received such phone calls.

The red flag that this is a scam is when the person calling you says that there will be a fee involved for fixing it. Microsoft clearly states on their web site:

“You will never receive a legitimate call from Microsoft or our partners to charge you for computer fixes.”

Bottom line: Any unsolicited phone call from anyone reporting that your computer is infected with a virus, or has been hacked or compromised, should be considered a scam. I would advise that you quickly hang up on them. Do not try to talk your way through it. It’s not worth it.

Here are three links that contain more information on these scams. The first is Microsoft’s own warning on these scams; the other two identify the type of things these scammers will do to try to convince you that they are real and that they have intimate knowledge about your computer.

Finally, here is a true story from a customer of mine who reported that this happened to him this morning:

I got a phone call at home from a man who says his name is John, and claiming to be from Windows Licensing Technical Support. It sounded like he was calling from India, and I can hear other people in the background making similar calls. He says that my computer has been sending a message to their servers indicating that there is an issue with my computer and license. He then asks for me to turn on my computer, and for a fee he can help correct the issue.

I asked him to read to me the license number that he is registering as having an issue. After some push back (he wanted me to read him my license number), hesitation, and almost a minute for him to look it up, he finally rattles off a long serial number (888DC … D7B062). Already I know that this isn’t a real Windows license number, so I ask him for their number and I’ll call back if I really have an issue. He gives me 209-894-0429 as their support line. The number which showed up on my caller ID was 9-9876.

Ransomware Prevention Kit Now Available

Third Tier has announced the availability of their Ransomware Prevention Kit.

This is an update over their 2013 kit. This is a “build your own” solution kit. They offer many different things so that you, as an I.T. professional, can put together what your client or company needs. It also includes some educational material.

There’s no cost to the kit, itself. But they are using this as a fundraiser to support females that want to enter the field of Information Technology. Way to go, Amy Babinchak and Susan Bradley!

The kit includes:

  • Group Policies
  • New WMI Filters
  • Software Restriction Policy instructions
  • TOR, Flash, Zip blocking
  • Firewall settings
  • PC and User settings
  • Securing backup
  • Application Whitelisting
  • Recovery Keys
  • Deployment Script
  • Powerpoint Presentation Slides
  • Blog post listing
  • Other Resources
  • File Server Resource Manager
  • and new content added from time to time

New Ransomware Prevention Kit Coming Soon

Amy Babinchak, President of Third Tier, has announced that they will be releasing an updated version of their Ransomware Prevention Kit next week.

http://www.thirdtier.net/2015/11/the-new-ransomware-kit-is-coming-soon/ 

Two years ago (October 2013), Amy and her team led the way in providing a solution to help block the CryptoLocker attacks that were causing havoc worldwide (see blog post).

A lot has changed in the past two years, and such threats can still do great harm and damage for both individuals and businesses. Thanks to Third Tier, I sleep better knowing that my systems are protected.

Finally, Third Tier wants to reach out and encourage more women to get certified and work in the I.T. field, and is using this new Prevention Kit to raise money for this effort!

Ransomware Still Causing Havoc

Nearly two years ago (October 2013) I wrote a blog post titled “Beware Cryptolocker Malware Madness”, a warning about a new strain of ransomware called “Cryptolocker”. At that time, I immediately implemented new protection software and strengthened security policies on the servers and workstations that I manage.

The Detroit Free Press recently ran an updated article about ransomware attacks on computers.

During these past two years, there have been several new variations of this malware threat. It has found its way into home computers as well as multi-national companies. Unfortunately, it is not easily detected by security or anti-virus programs. I have had to clean up a ransomware attack only three times. In all three cases, we had backups available to restore those files that had been encrypted.

When a computer has been attacked, the virus begins to put a highly secured password on all your files. Suddenly, you find that you cannot open up letters, pictures, spreadsheets, as well as data files (Quicken, QuickBooks, etc.). And, if your computer is on a home or business local network, this ransomware can quickly spread to other computers or servers.

The reason it is called “ransomware” is because you generally have 72 hours to pay their ransom, which can range from $200 to thousands of dollars, to unlock your files. Unless you have a backup of those files, you either pay the ransom or lose those files for good.

In the near future I will be communicating with my clients on additional security precautions I will be recommending to minimize the threat and damage caused by this malware.

MaxFocus Releases BitDefender Support for Their RMM Solution

MaxFocus (formerly GFI) formally released today a new AV engine, powered by BitDefender, for their Remote Management (RMM) platform. You can read the details on their blog site.

Their current AV engine (Vipre) will be supported for the near future, which will allow us to test and transition customers to BitDefender in an orderly manner.

For MSPs, like myself, there are several new things that will make managing AV easier and better:

  1. There are only three policies (server, desktop and laptop) with BitDefender, versus separate policies for different OS and server versions
  2. Snooze feature allows you to temporarily disable the Managed Antivirus (MAV) for up to one hour when doing system maintenance on a device. Previously, you would need to create a “Disable AV” policy and then move a device or system to that policy.
  3. Direct communication from the dashboard to MAV managed devices is now available. This means that scanning and update commands are sent instantly, rather than waiting for the next time the device checks in with the system.

Customers and users may ask: why a new AV engine?

The threat landscape in today’s environment is constantly changing, so it is critical that we offer the best solution for antivirus and malware protection. Some of the benefits for customers are:

  1. BitDefender has been shown to be more effective at fighting malware and viruses, with fewer false positives
  2. Behavioral (heuristic) scanning has been added, which, along with Active Protection, provides another layer of defense

For your reading pleasure:


Quickbooks dbdata11.dll and Vipre/MAV

Friday morning (6-26-2015) I started receiving calls from several of my customers saying that they could not run Quickbooks, and that they were getting an alert that the file “dbdata11.dll” has been quarantined.


With the help of other members of The ASCII Group, we quickly determined that it was a false positive due to a bad definition file update from Vipre (or the RMM version called MAV).

Soon after, MaxFocus (previously GFI) sent out a service status alert about the issue, saying that it had been resolved with definition version 41468 and above. It was recommended to add the file (dbdata11.dll) to the Vipre/MAV exception list before updating systems with the newer definition file.

Note: make an exception only for the file, and not the folder and file, as the folder name is randomly generated by QuickBooks.

That should have been it. Right? … Wrong!

I received a call from one of my users saying that one of their systems with QuickBooks installed on it had locked up. At about the same time they reported this issue, I received an email alert from the RMM service I use saying that the C: drive of this system had dropped to below 20% free space.

Once we got the system rebooted, I logged in and discovered that there were 44,175 folders taking up nearly 62GB of disk space. These folders were located in C:\Users\QBDataServiceUser22\appdata\local\temp. Each of these folders contained a single file: dbdata11.dll.

It turns out that every time Vipre/MAV quarantined this file, QuickBooks created a new temp folder with the same file!

So once I had the A/V definition file updated, and we rebooted the system, I went in and safely deleted all 44,175 folders! 

What a fun way to spend a Friday!

Watch Out for Malicious Flashlight Apps

Who would have thought that the flashlight app on your smartphone could be malicious?

According to the cyber-security company SnoopWall, there are at least ten flashlight apps that are malicious and can steal and send personal data. They published a threat assessment report back in October 2014.

If your phone has one of these listed apps, the recommendation is to back up your contacts and personal files from your phone, and then do a factory reset of your phone. Deleting the app is not enough, as these apps store malicious information in hidden places on your phone.

Here is a 6 minute video from Fox News interviewing SnoopWall’s CEO, Gary Miliefsky, on this subject.

Vipre creating thousands of SBS_STDRL temp files

Over this past weekend, I started seeing a buildup of temp files in the C:\Windows\Temp directory. Temp files were named SBS_STDRL_*. My immediate and natural fear was of a virus/hack attack.

The only thing in common with all the systems in question was that they all were running MaxFocus (formerly GFI) Managed AntiVirus program (Vipre). As soon as I stopped MAV from running, the temp files stopped accumulating. Looking at the file dates, this all started on Thursday Jan-15-2015.


I contacted MaxFocus Sunday evening and submitted a support ticket. By then I had systems with as few as a hundred files, up to systems with over 100,000 temp files created. Fortunately, the size of these files was only 1K each.

For the most part, this issue did not cause a lot of problems. However, I did have several customer servers that were negatively impacted by this issue. They started calling Monday morning reporting poor performance.

On Monday Jan-19-2015 Threat Track Security (formerly Vipre) released a notice on the temp file issue in their forum acknowledging the issue, plus indicating that these files could be deleted:

We are currently investigating an issue where the SBS_STDRL files in C:\Windows\Temp are not being deleted automatically. These files are generated by Active Protection and through VIPRE scans. This may cause increased scan times depending on system specifications. You can delete these files by running command prompt as admin then entering the following command: del %windir%\temp\SBS_STDRL*

Later that day they posted a follow-up indicating that the issue was caused by a bad definition file, and that it had been fixed with definition version 36798:

This issue has been fixed in definition version 36798. Please make sure you have updated your definitions to the latest version to stop this issue from happening. Please note, this will not delete the SBS_STDRL files that are already created, so the instructions in the first part of this should be followed if you wish to remove these files.

By Tuesday morning, all systems were running fine. I utilized a built-in script of MaxFocus RMM to schedule a cleanup of system temp files, which included checking the C:\Windows\Temp folder.
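Both of the AV-driven temp buildups described on this page (the thousands of per-folder copies of dbdata11.dll under the QuickBooks service user's temp directory, and the SBS_STDRL_* files in C:\Windows\Temp) follow the same cleanup pattern: inventory what is there, measure how much disk it holds, and only then remove it, after the definition update has stopped the loop. The PowerShell below is an added example and is not code from this blog, from MaxFocus/Vipre, or from Intuit. The paths, file names and the QBDataServiceUser22 user name are the ones given in the posts above (adjust the user name to the affected machine); the "folder whose only content is dbdata11.dll" signature used to recognize the QuickBooks case is my own assumption about what the quarantine loop leaves behind. Run it from an elevated prompt, and with -WhatIf first.

```powershell
# Added example, not the post's own tooling: inventory and (optionally) remove
# temp artifacts left behind by a bad AV definition. Nothing is deleted unless
# Remove-AvTempArtifacts is called without -WhatIf.

# QuickBooks case: the post reports one new temp folder per quarantine event,
# each holding a single dbdata11.dll. The folder names are random, so we match
# on that content signature rather than on a name pattern (assumed signature).
function Get-QuarantineLoopFolders {
    param(
        [Parameter(Mandatory)] [string] $TempRoot,
        [string] $FileName = 'dbdata11.dll'
    )
    if (-not (Test-Path -LiteralPath $TempRoot)) { return @() }
    Get-ChildItem -LiteralPath $TempRoot -Directory -ErrorAction SilentlyContinue |
        Where-Object {
            $children = @(Get-ChildItem -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue)
            ($children.Count -eq 1) -and ($children[0].Name -ieq $FileName)
        }
}

# Vipre case: the vendor notice names the pattern and location directly.
function Get-SbsStdrlFiles {
    param([string] $TempDir = (Join-Path $env:windir 'Temp'))
    if (-not (Test-Path -LiteralPath $TempDir)) { return @() }
    Get-ChildItem -LiteralPath $TempDir -File -Filter 'SBS_STDRL*' -ErrorAction SilentlyContinue
}

# Count and total size, so the disk-space alert from the RMM can be explained
# before anything is touched. Folders are sized by the files they contain.
function Get-ArtifactSummary {
    param([System.IO.FileSystemInfo[]] $Items)
    $bytes = 0
    foreach ($item in $Items) {
        if ($item.PSIsContainer) {
            $sum = (Get-ChildItem -LiteralPath $item.FullName -File -Recurse -Force `
                        -ErrorAction SilentlyContinue | Measure-Object -Property Length -Sum).Sum
            $bytes += [int64]$sum
        } else {
            $bytes += $item.Length
        }
    }
    [pscustomobject]@{
        Count   = $Items.Count
        TotalGB = [math]::Round($bytes / 1GB, 2)
    }
}

# Removal honours -WhatIf / -Confirm via ShouldProcess, so a dry run lists every
# path that would go without deleting anything.
function Remove-AvTempArtifacts {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)] [System.IO.FileSystemInfo[]] $Item)
    process {
        foreach ($i in $Item) {
            if ($PSCmdlet.ShouldProcess($i.FullName, 'Remove')) {
                Remove-Item -LiteralPath $i.FullName -Recurse -Force -ErrorAction Continue
            }
        }
    }
}

# --- usage -----------------------------------------------------------------
# Path from the post; the numbered service user differs per QuickBooks version.
$qbTemp    = 'C:\Users\QBDataServiceUser22\AppData\Local\Temp'
$qbFolders = @(Get-QuarantineLoopFolders -TempRoot $qbTemp)
$sbsFiles  = @(Get-SbsStdrlFiles)

Get-ArtifactSummary -Items $qbFolders   # e.g. Count=44175, TotalGB=62 in the post's case
Get-ArtifactSummary -Items $sbsFiles

# Dry run first. Drop -WhatIf only after definitions are updated and a fresh
# inventory shows the count is no longer growing.
$qbFolders | Remove-AvTempArtifacts -WhatIf
$sbsFiles  | Remove-AvTempArtifacts -WhatIf
```

Taking a second inventory a few minutes after the first is the quick way to confirm the loop has actually stopped: if the count is still climbing, the definition update has not reached that machine yet and deleting now only buys time.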