Protect-Your-PC-From-Viruses


Monthly Archives: June 2017

Ukraine cyber attack: Chaos as national bank, state power provider and airport hit by hackers

Ukraine’s national bank, state power company and largest airport are among the targets of a huge cyber attack on government infrastructure. Rozenko Pavlo, the deputy Prime Minister, said he and other members of the Ukrainian government were unable to access their computers. “We also have a network ‘down’,” he wrote. “This image is being displayed by all computers of the government.” The photo showed his PC displaying a message claiming a disk “contains errors and needs to be prepared”, urging the user not to turn it off.

Images from other affected computers and disabled cash points showed what appeared to be ransomware, demanding a payment of $300 (£235) in Bitcoin to regain access to encrypted files. Analysts said the virus, named Petrwrap or Petya, appeared to work similarly to the WannaCry ransomware that infected more than 230,000 computers in 150 countries last month. Ukrainian state-run aircraft manufacturer Antonov was among the companies hit, along with power distributor Ukrenergo, which said the attack did not affect power supplies.

The National Bank of Ukraine said an “unknown virus” was to blame, saying several unnamed Ukrainian banks were affected along with financial firms. “As a result of cyber attacks, these banks have difficulties with customer service and banking operations,” a statement said. “The National Bank is confident that the banking infrastructure’s defence against cyber fraud is properly set up and attempted cyber attacks on banks’ IT systems will be neutralised.” Oschadbank, one of Ukraine’s largest state-owned lenders, said some of its services had been affected by a “hacking attack” but guaranteed that customer data was safe.

Computers and departure boards at Boryspil International Airport in Kiev – the largest in Ukraine – were also down. “The official site of the airport and the scoreboard with the schedule of flights aren’t working!” the airport’s acting director, Pavel Ryabikin, wrote on Facebook. Meanwhile, the hack caused authorities in the Chernobyl exclusion zone to switch to manual radiation monitoring at the site of the 1986 nuclear disaster. The Ukrposhta state postal service, television stations and transport were also affected by the attack, which left Kiev metro passengers unable to pay using bank cards.

Many ATMs were disabled, displaying the message left by the hackers, as were tills in supermarkets. Maersk said its IT systems were down across “multiple sites and businesses due to a cyber attack”, although it was unclear whether this was related to the situation in Ukraine. The Danish business conglomerate is the largest container shipping company in the world and also operates in the oil and gas sectors. Rosneft, a Russian government-owned oil firm, said it was also targeted by a “massive hacker attack” on its servers, as was steel maker Evraz. “The cyber attack could lead to serious consequences, however, due to the fact that the Company has switched to a reserve control system, neither oil production nor preparation processes were stopped,” a statement from Rosneft said. There were confirmed reports of the virus spreading to countries including Spain, France and India.

The cyber attack – a day before Ukraine marks its Constitution Day – struck hours after a high-ranking intelligence officer was assassinated in a car bombing in Kiev. Police said Colonel Maksim Shapoval, a member of the defence ministry’s main intelligence directorate, was killed in the “terrorist act” on Tuesday. Ukraine has blamed Russia for repeated cyber attacks targeting crucial infrastructure during the past three years, including one on its power grid that left part of western Ukraine temporarily without electricity in December 2015. Relations between Kiev and the Kremlin collapsed in 2014 following Moscow’s annexation of Crimea and support for pro-Russian separatists in eastern Ukraine, where fighting continues despite a ceasefire agreement. Russia denies carrying out cyber attacks on Ukraine and allegations that it has fuelled the eastern conflict by supplying rebels with troops and weapons.

The UK’s Houses of Parliament were targeted in a separate attack on Friday that compromised up to 90 accounts as part of efforts to access the accounts of MPs, peers and their staff by searching for weak passwords. Less than 1% of the system’s 9,000 users were directly impacted by the “determined and sustained” attack, officials said, but some functions were temporarily shut down as a precaution. An increasing number of global cyber attacks, including those targeting the election campaigns of Hillary Clinton and Emmanuel Macron, have sparked warnings of a “permanent war” online. Guillaume Poupard, director general of the National Cybersecurity Agency of France (ANSSI), said intensifying attacks were coming from unspecified states, as well as criminal and extremist groups. “We must work collectively, not just with two or three Western countries, but on a global scale,” he added, saying attacks could aim at espionage, fraud, sabotage or destruction. “We are getting closer, clearly, to a state of war – a state of war that could be more complicated, probably, than those we’ve known until now.”

Web Hosting Company Pays $1 Million to Ransomware Hackers to Get Files Back


A South Korean web hosting provider has agreed to pay $1 million in bitcoins to hackers after Linux ransomware infected 153 of its servers, encrypting the 3,400 business websites and their data hosted on them. According to a blog post published by NAYANA, the web hosting company, the incident happened on 10th June, when ransomware hit its hosting servers and the attacker demanded 550 bitcoins (over $1.6 million) to unlock the encrypted files. However, the company later negotiated with the cyber criminals and agreed to pay 397.6 bitcoins (around $1.01 million) in three installments to get its files decrypted. The hosting company had already paid two installments at the time of writing and would pay the last installment after recovering data from two-thirds of its infected servers. According to the security firm Trend Micro, the ransomware used in the attack was Erebus, which was first spotted in September last year and was seen again in February this year with Windows User Account Control bypass capabilities.


Since the hosting servers were running Linux kernel 2.6.24.2, researchers believe that the Erebus Linux ransomware may have used known vulnerabilities such as Dirty COW, or a local Linux exploit, to gain root access to the system. “The version of Apache NAYANA used is run as a user of nobody(uid=99), which indicates that a local exploit may have also been used in the attack,” researchers note. “Additionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006.”

Erebus, which primarily targets users in South Korea, encrypts office documents, databases, archives and multimedia files using the RSA-2048 algorithm and then appends a .ecrypt extension before displaying the ransom note. “The file is first scrambled with RC4 encryption in 500kB blocks with randomly generated keys,” researchers say. “The RC4 key is then encoded with AES encryption algorithm, which is stored in the file. The AES key is again encrypted using RSA-2048 algorithm that is also stored in the file.” The public key, which is generated locally, is shared, while the private key is encrypted using AES encryption and another randomly generated key. According to the analysis conducted by the Trend Micro researchers, decryption of infected files is not possible without getting hold of the RSA keys.
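The layered key scheme the researchers describe, reconstructed in Go as an added illustration (not code from this page or from Trend Micro’s analysis): one random RC4 key per 500 kB block, each RC4 key wrapped with AES, and the AES key wrapped with RSA-2048, so that the recovery path cannot even begin without the RSA private key. The choice of AES-GCM and RSA-OAEP, the 16-byte RC4 key, the KiB block size and the Envelope layout are assumptions, since the page does not give those details.

```go
package main

import (
	"crypto/aes"; "crypto/cipher"; "crypto/rand"
	"crypto/rc4"; "crypto/rsa"; "crypto/sha256"
)

const blockSize = 500 * 1024 // one fresh RC4 key per 500 kB block (KiB assumed), as Trend Micro describes
// Envelope is what stays with the scrambled file: Body is the RC4-scrambled content, WrappedRC4
// holds each block's RC4 key sealed with AES-GCM (nonce prefixed), WrappedAES is the AES key
// encrypted to the attacker's RSA-2048 public key with OAEP. The layout is an assumption.
type Envelope struct{ Body []byte; WrappedRC4 [][]byte; WrappedAES []byte }
func attackerKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k } // stand-in key pair
func blockEnd(off, n int) int { if off+blockSize < n { return off + blockSize }; return n }
func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(blk)
}

// seal mirrors the three-layer chain: RC4 per block, AES wraps each RC4 key,
// RSA wraps the AES key. crypto/rand read errors are ignored for brevity.
func seal(pub *rsa.PublicKey, plain []byte) (*Envelope, error) {
	aesKey := make([]byte, 32); rand.Read(aesKey)
	gcm, err := newGCM(aesKey)
	if err != nil { return nil, err }
	env := &Envelope{Body: make([]byte, len(plain))}
	for off := 0; off < len(plain); off += blockSize {
		k, nonce, end := make([]byte, 16), make([]byte, gcm.NonceSize()), blockEnd(off, len(plain))
		rand.Read(k); rand.Read(nonce)
		c, _ := rc4.NewCipher(k) // a 16-byte key is always accepted
		c.XORKeyStream(env.Body[off:end], plain[off:end])
		env.WrappedRC4 = append(env.WrappedRC4, gcm.Seal(nonce, nonce, k, nil))
	}
	env.WrappedAES, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	return env, err
}

// unseal is the only recovery path: its first step needs the RSA private key,
// which never leaves the attacker, so no later layer is reachable without it.
func unseal(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedAES, nil)
	if err != nil { return nil, err }
	gcm, err := newGCM(aesKey)
	if err != nil { return nil, err }
	plain := make([]byte, len(env.Body))
	for i, w := range env.WrappedRC4 {
		ns, off := gcm.NonceSize(), i*blockSize
		k, err := gcm.Open(nil, w[:ns], w[ns:], nil) // fails if the AES key is wrong
		if err != nil { return nil, err }
		c, _ := rc4.NewCipher(k)
		c.XORKeyStream(plain[off:blockEnd(off, len(plain))], env.Body[off:blockEnd(off, len(plain))])
	}
	return plain, nil
}
```

The dependency is strictly one-way: a defender holding the scrambled file, all wrapped keys and the public key still has nothing to start from, which is why backups rather than decryption are the recovery plan.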

So the only safe way of dealing with ransomware attacks is prevention. As we have previously recommended, the best defense against ransomware is to create awareness within organizations and to maintain backups that are rotated regularly. Most viruses are introduced by opening infected attachments or clicking on links to malware, usually in spam emails, so DO NOT CLICK on links or attachments in emails from unknown sources. Moreover, ensure that your systems are running the latest versions of installed applications …

Dangerous Malware Discovered that Can Take Down Electric Power Grids

Last December, a cyber attack on the Ukrainian electric power grid caused a power outage in the northern part of Kiev — the country’s capital — and surrounding areas, leaving tens of thousands of citizens without electricity for an hour and fifteen minutes around midnight. Now, security researchers have discovered the culprit behind those cyber attacks on Ukrainian industrial control systems. Slovakia-based security software maker ESET and US critical infrastructure security firm Dragos Inc. say they have discovered a new, dangerous piece of malware in the wild that targets critical industrial control systems and is capable of causing blackouts. Dubbed “Industroyer” or “CrashOverRide,” the grid-sabotaging malware was likely used in the December 2016 cyber attack against Ukrainian electric utility Ukrenergo, and the security firms say it represents a dangerous advancement in critical infrastructure hacking. According to the researchers, CrashOverRide is the biggest threat designed to disrupt industrial control systems since Stuxnet — the first malware allegedly developed by the US and Israel to sabotage Iranian nuclear facilities in 2009.

This Malware Does Not Exploit Any Software Flaw

Unlike the Stuxnet worm, the CrashOverRide malware does not exploit any “zero-day” software vulnerabilities to carry out its malicious activities; instead, it relies on four industrial communication protocols used worldwide in power supply infrastructure, transportation control systems and other critical infrastructure systems. The CrashOverRide malware can control electricity substation switches and circuit breakers designed decades ago, allowing an attacker to simply turn off power distribution, trigger cascading failures and cause more severe damage to equipment. Industroyer is a backdoor that first installs four payload components to take control of switches and circuit breakers, and then connects to a remote command-and-control server to receive commands from the attackers. “Industroyer payloads show the authors’ in-depth knowledge and understanding of industrial control systems,” ESET researchers explain. “The malware contains a few more features that are designed to enable it to remain under the radar, to ensure the malware’s persistence, and to wipe all traces of itself after it has done its job.”

Four malware families targeting industrial control systems have been discovered in the wild to date: Stuxnet, Havex, BlackEnergy and CrashOverRide. Stuxnet and CrashOverRide were designed only for sabotage, while BlackEnergy and Havex were meant for conducting espionage. “The functionality in the CRASHOVERRIDE framework serves no espionage purpose and the only real feature of the malware is for attacks which would lead to electric outages,” reads the Dragos analysis [PDF] of the malware.

Beware! Fireball Malware Infects Nearly 250 Million Computers Worldwide

Security researchers have discovered a massive malware campaign that has already infected more than 250 million computers across the world, including Windows and Mac OS machines. Dubbed Fireball, the malware is an adware package that takes complete control of the victim’s web browsers and turns them into zombies, potentially allowing attackers to spy on the victim’s web traffic and steal their data. Check Point researchers, who discovered this massive malware campaign, linked the operation to Rafotech, a Chinese company which claims to offer digital marketing and game apps to 300 million customers. While the company is currently using Fireball to generate revenue by injecting advertisements into browsers, the malware could quickly be turned into a massive destroyer and cause a significant cyber security incident worldwide.

Fireball comes bundled with other free software programs that you download from the Internet. Once installed, the malware installs browser plugins that manipulate the victim’s web browser configuration to replace their default search engine and home page with a fake search engine (trotux.com). “It’s important to remember that when a user installs freeware, additional malware isn’t necessarily dropped at the same time,” researchers said. “Furthermore, it is likely that Rafotech is using additional distribution methods, such as spreading freeware under fake names, spam, or even buying installs from threat actors.” The fake search engine simply redirects the victim’s queries to either Yahoo.com or Google.com and includes tracking pixels that collect the victim’s information.

Far from any legitimate purpose, Fireball has the ability to spy on the victim’s web traffic, execute any malicious code on the infected computers, install plug-ins, and even perform efficient malware dropping, which creates a massive security hole in targeted systems and networks. “From a technical perspective, Fireball displays great sophistication and quality evasion techniques, including anti-detection capabilities, multi-layer structure, and a flexible C&C – it is not inferior to a typical malware,” researchers said. Currently, the Fireball adware is hijacking users’ web traffic to boost its advertisements and gain revenue, but at the same time the adware has the capability to distribute additional malware. “Based on our estimated infection rate, in such a scenario, one out of five corporations worldwide will be susceptible to a major breach,” researchers added. According to the researchers, over 250 million computers are infected worldwide, 20 percent of them on corporate networks:
  • 25.3 million infections in India (10.1%)
  • 24.1 million in Brazil (9.6%)
  • 16.1 million in Mexico (6.4%)
  • 13.1 million in Indonesia (5.2%)
  • 5.5 million in the US (2.2%)

“How severe is it? Try to imagine a pesticide armed with a nuclear bomb. Yes, it can do the job, but it can also do much more,” researchers warned. “Many threat actors would like to have even a fraction of Rafotech’s power.”

Warning Signs that Your Computer is Fireball-Infected

If the answer to any of the following questions is “NO,” your computer is likely infected with Fireball or a similar adware. Open your web browser and check:

  1. Did you set your homepage?
  2. Are you able to modify your browser’s homepage?
  3. Are you familiar with your default search engine and can modify that as well?
  4. Do you remember installing all of your browser extensions?

To remove the adware, uninstall the respective application from your computer (or use an adware cleaner) and then restore or reset your browser configuration to its default settings. The primary way to prevent such infections is to be very careful about what you agree to install. Always pay attention when installing software, as installers usually include optional installs: opt for custom installation and then de-select anything that is unnecessary or unfamiliar.

Antivirus software provider lists for Windows

If you’re running Windows 10, Windows 8.1, or Windows 8, you’ve already got Windows Defender built in, helping to protect you against viruses, spyware, and other malware.

Malware consists of viruses, spyware and other potentially unwanted software. Windows Defender is free and is included in Windows, always on and always working to protect your PC against malware. If you have Windows Vista or Windows 7, you may use Microsoft Security Essentials to help protect your personal or small business PC against malware.

Hackers and scammers sometimes use fake antimalware software to trick you into installing viruses or malware on your computer. Should you wish to explore alternatives to the already installed or available Microsoft antimalware software on your Windows PC, the reputable security companies listed below provide consumer security software that is compatible with Windows. Just click the company name to see the Windows-compatible product they offer. For business security software that is compatible with Windows, please contact your security vendor of choice.

Many companies, including those listed on this page, distribute antimalware software. You should carefully investigate the source of antimalware and other products before downloading and installing them. For more information, see Protect your PC.

Important: Windows Defender and Microsoft Security Essentials will turn themselves off if you install another antimalware program to protect your PC. Before you install antimalware software, check to make sure you don’t already have an antimalware product on your computer. If you do, be sure to remove the product you don’t want before you install the new one. Having two different antimalware products installed and running at the same time can cause problems on your computer.
