Operation b70 : Microsoft Disrupts the Emerging Nitol Botnet Being Spread through an Unsecure Supply Chain

In continuation with the last post, here is more from Microsoft.Please go through this brave but honest confession from Microsoft.......ummmm!!!!I would not say confession but actually Microsoft's attempt to save millions of innocent users...must read for info at

http://blogs.technet.com/b/microsoft_blog/archive/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain.aspx

Operation b70 : New OS from Mall comes preloaded with Malware

1.   For last few years since Cyber Crime has been making news,it has been always discussed that all free stuff on internet comes preloaded with some kind of malware or spyware or some kindda ware!!!Here's about a one month old news worth a share that defies this logic....it actually says that Malware comes inbuilt to the OS from the mall showroom from u where u made the purchase!!!!!!!!

"Microsoft’s Digital Crime Unit (DCU) has recently made this astonishing announcement.DCU conducted a study to get a sense of how much of the counterfeit software available is preloaded with malware.  Microsoft researchers purchased 20 new computers from PC malls.  These systems had counterfeit software preinstalled on them by the distributor. DCU examined the files on these PCs and found malware on four of the 20 computers that were purchased, a 20 percent infection rate.Several types of malware were pre-installed on the computers purchased from the PC mall.  This malware enabled the attackers to perform a range of actions including DDoS attacks, creating hidden access points onto the systems, keylogging and data theft.

The researchers also identified one type of malware found on these systems attempting to connect to the command and control servers of a known botnet.  The ensuing study uncovered that attackers were building this botnet by infecting digital products, like computers or software, that were then distributed through an unsecure supply channel.  The malware was also designed to spread via flash drive memory sticks. The subdomains that hosted the botnet’s command and control servers link to more than 500 different types of malware.  Some of this malware is capable of turning on cameras and microphones connected to infected systems."

4.   More on the story here. uuuuhh!!!!isn't it scary...a fresh piece of digital device that you buy comes with an inbuilt spy to spy on you and your data...... In fact it is a bold step and brave announcement by the Microsoft DCU...it could have been hidden but they found it ok to declare it open so that the user gets braver on its use...!!!

5.   DCU took legal action to disrupt the malware hosted in the subdomains, in Operation b70.  You can read more about Operation b70 and the DCU’s efforts here: http://blogs.technet.com/b/microsoft_blog/archive/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain.aspx

6.   Thanks Microsoft and http://blogs.technet.com

9TH JULY 2012 : R u a Victim?

1. All the fuss about 9th July that says about the risk of "DNSChanger" malware, which will result in your computer getting disconnected from the Web on July 9 if you don't clean it up. You won't be able to go online, and you'll need to contact your service service provider for help getting the malware deleted before you can reconnect to the Internet....strange it may sound...but it is true...even the FBI has given a warning sort at its link here at https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

2.  Just to check if u r a likely victim,McAfee has created a link at www.mcafee.com/dnscheck for you to find out if u r a likely victim or not ? I checked out the same on my PC....it showed the following screen shot.....

3.   Do check out urs....and rectify if need be....

FLAME on way to commit SUICIDE ?

1.    Further to my post on FLAME earlier which made a point wise summary based on my various reads across the web,here is something more interesting.....

2.    The creators of Flame have sent a 'suicide' command that removes it from infected computers ie  it has gotten orders to vanish, leaving no trace.As was mentioned in the post earlier that Flame may delete itself from systems that have been fully exploited without leaving any trace has come true soon......

3.   More on the subject at the link ahead and Thanks THN

 http://thehackernews.com/2012/06/flame-spy-virus-going-to-suicide.html

FLAME : The new'EST Threat bigger then STUXNET

1.         Off late there has been the much talked FLAME Virus in the IT Sec community.Few clean shots about FLAME in a point wise crisp format :

 -          Flame was first detected back in 2010 by Kaspersky Labs completely by accident.

-           Flame is terribly complex for a piece of malware. 20 times bigger than Stuxnet.

-           Its about 20MB package and is still being analyzed.

-           The Stuxnet  attack that damaged Iranian nuclear facilities last year is barebones by 

comparison.

-           Kaspersky assumes it was built by government scientists, but no one knows which government.

-           Flame gathers a huge amount of data from infected systems, but it has been hard to sort out where it is all going.

-           Dozens of control servers have been located, but the domains associated with them are registered with fake identities.

-           Flame steals hard drive contents, screenshots, and keystrokes.

-           Can also use the system microphone and Bluetooth radio to suck in more data.

-           To save on bandwidth, Flame may delete itself from systems that have been fully exploited. This is part of what made the infection hard to detect.

-          

-           Has incredible abilities to monitor in-boxes, take screen grabs, even record audio of conversations happening near the computer.

-           The entire virus had been pieced together like a LEGO creation, one part building on another. Things could actually be added onto the spyware after it was already on an infected computer, giving the developer enormous freedom to tinker at will.

-           One specific example is with a Bluetooth module, which allowed the spyware to be spread to other devices.

-           The two most popular ways are to send you an e-mail with an attachment, and a Web-based or drive by download that gets you to a malware website.

-           Another favourite way to get you is through social media websites. Attackers are so savvy that they now troll your "friends" list and generate an e-mail that looks like it's coming from you, so what friend wouldn't click on it, right?

-           Microsoft has revealed that the virus gained a foothold by spoofing one of its own security certificates.

-           The computer virus is on the loose in Iran and other parts of the Middle East, infecting PCs and stealing sensitive data.

-           Flame is basically a backdoor and a Trojan with worm-like features.

-           Consider this: It took several months to analyze the 500K code of Stuxnet. It will probably take year to fully understand the 20MB of code of Flame.

2.Thanks http://news.cnet.com

Malware in the name of Kim Jong-il death : BEWARE!!!

1.   A "malicious spam mail" in the name of the dead North Korean leader Kim Jong is doing the rounds of the webosphsere and biting anyone whoever clicks it.The malicious spam carries a fake name as "brief_introduction_of_kim_jong_Ill_pdf.pdf". The subject file exploits vulnerabilities in Adobe reader and leads to remote code execution in the victim PC.

2.   The emails contain a simple line of text announcing the death, likely copied and pasted from the CNN website, and carries an attachment named brief_introduction_of_kim-jong-il.pdf.pdf.Once downloaded and executed, the malicious file opens a non-malicious PDF file containing a picture and information about the deceased man in order to hide its true activity on the victims' computer.In other variants of the same theme, the attached file is named Kim_Jong_il_s_death_affects_N._Korea_s_nuclear_programs.doc and, once opened, it drops backdoor-opening malware into the system, which then connects to a remote Command & Control server for further instructions.After this much code execution...its JAI HIND.....

3.  So don't open this one from ur PC if u have read this much.....

4.  Thanks http://www.net-security.org

Common Malware Symptoms

If you are malware hit....u r likely to see one or few or all of these symptoms:

 Your programs and files are suddenly missing.
 Homepage of your web browser has changed.
 Search results are being redirected.
 You start ending up at websites you didn't intend to go to.
 New icons & programs appear on the desktop that you did not put there.
 Your desktop background has changed without your knowledge.
 Your programs won’t start.
 Your security protection have been disabled for no apparent reason.
 You cannot connect to the internet or it runs very slowly.
 Strange or unexpected toolbars appear in your web browser.
 Takes longer to start and runs more slowly than usual.
 Computer shows strange error messages or popups.
 Freezes or crashes randomly.
 Computer is performing actions on its own.
 You cannot access security related websites.

FLIRT BOTS

1.   I am sure most of you at at some point of time in your cyber surfing would have come across chat/messenging softwares like MSN or yahoo to mention a few....now although pretty old for the regular security guys, but thought of mentioning it here in my blog of how many of us succumb to the meanly desires of hackers via FLIRT BOTS.....u heard it correctly they are known as FLIRT BOTS.... 

2.  Here's how Flirt Bots work:

- The Bot strikes up a conversation in a chat room

- The Bots use a series of easily configurable "dialogue scenarios" with pre-programmed questions and discussion topics to compile a report on every person it meets

E.g.: ilovyou@yahoo.com says: "hey, whats up?" and further to this conversation they are invited to visit a website which could be used for any variety of malicious activity.

E.g.: ilovyou@yahoo.com says: "Ok go to http://??????.??/?????? and accept the invite on the page baby"

3.   In this case the victim is sent to a website "?????????.com" and is asked to provide personal information including credit card details in order to view the "webcam."

4.   The site can be used for many things - to host malicious downloads, or to try to sell you Fake AntiVirus software. The URL can do and host whatever the "bot master" specifies it to be .Frequently cyber-criminals collect a database of personal information and sell it to the highest bidder or anyone who will pay

5.   These "Flirt Bots", were first reported as a proof of concept(Evidence that demonstrates that a business model or idea is feasible.) by PC Tools in 2007.Thanks http://www.pctools.com

Operation Pay Back & LOIC

A good one to read about the link between Mega D Botnet,Operation Pay Back with the aid of LOIC @ here

Mozilla @ Prone again!!!!

1.    Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, when JavaScript is enabled, allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption, as exploited in the wild in October 2010 by the Belmoo malware.

2.    Thanks http://www.us-cert.gov

Bredolab grabs Attention

1.    A 27-year-old Armenian man has been charged as being the mastermind behind the Bredolab botnet, a network of millions of compromised computers worldwide.Main features of this trojan botnet are enumerated below for info : 

• Users of computers with viruses from this network will receive a notice of at the time of next login with information on the degree of infection. 
• Bredolab, known for spreading spam and rogue antivirus, is thought by some experts to have infected at least 30 million computers.
• Spread via drive-by attack websites and spam email attachments.
• Infecting machines with a backdoor that downloads additional malware without the victim's knowledge. 
• Sends out spoofed password reset messages to Facebook users in an attempt to spread malware and infect users of the social network.
• Has the power to obtain information on the user's computer including the ability to copy, change or delete files and other information," 
• Pushdo botnet uses Facebook to spread malicious email attachment: A phony message warns users that their Facebook password has been reset.
• Majority of infections are in the U.S. and the U.K. and many Western European countries.
• Discovered by the Dutch High Tech Crime Team in the late summer.
• Capable of infecting 3 million computers a month. The botnet network used servers hired in the Netherlands from a reseller of LeaseWeb, which is the largest hosting provider in the Netherlands, and one of the largest hosts in Europe.
• Able to constantly change its appearance to avoid detection by traditional antivirus signatures. Like other botnets, the Trojan communicated with the command-and-control server using encrypted messages.

Is ur Account Hacked ?- Common ways u get compromised.

1.    There is no doubt on the fact that Google users are growing phenomenally.....and with this growing rise also comes the phenomenal rise and ways to get compromised or become a botnet.Thus a Google Account is also valuable for spammers and other unknown citizenry looking to impair you with ur personal info and data on ur pc and account inbox. It’s not so much about your account, but rather the fact that your circle of relatives and friends see your Google Account and mails from it as reliable.

2.   Nothing new about this but the most common ways hackers can login to your Google password are:

• Password re-use: You sign up for an account on a third-party site with your Google username and password. If that site is hacked and your sign-in information is discovered, the hijacker has easy access to your Google Account.

• Malware: You use a computer with infected software that is designed to steal your passwords as you type (“keylogging”) or grab them from your browser’s cache data.

• Phishing: You respond to a website, email, or phone call that claims to come from a legitimate organization and asks for your username and password.

• Brute force: You use a password that’s easy to guess, like your first or last name plus your birth date (“ujjwal3008”), or you provide an answer to a secret question that’s common and therefore easy to guess, like “dosa” for “What is your favorite food?”

3.   Another common error that we all unknowingly is that we keep the password same for multiple accounts on yahoo,gmail,blumail and so on.......put on ur thinking caps......if one account linked to other user name is compromised ....then in a way all are....

Root Kits : Hidden Undetected Threats

1. Malwares,trojans,adwares,spywares,virus,wormwares etc etc....protection vide Internet security editions by so many OEMs...and now rootkits(its not actually a recent development....)...has been in the threat making for about 10-12 years..but now the term is getting serious....so what actually are rootkits?

2. Rootkit is the term given to a group of utilities that hackers can misrepresent to keep access into a computer system once they have hacked into it. It gives them admission rights to find out usernames and passwords, allow strike against remote systems, remain hidden by erasing history from the system logs, and overabundance of various surreptitious tools.Rootkit is a combination of two words, “root” and “kit”. Root means supreme & Kit means a group of programs or utilities providing access to a user to retain a constant root-level contact to a terminal. The presence of rootkit ideally remains untraceable.

3. So more simply,they are a set of programs that can hide not only themselves but also other viruses, spyware, keyloggers and network traffic from normal antivirus and spyware removal software! Yes, a rootkit can infect your computer and take full control of it! You look inside a folder which contains rootkit files but you will see nothing. Why? Because the rootkit has told it to tell the user there are no files here. That is why, they are so dangerous and hard to detect......

4. BlackLight,RKDetector 2.0,RootkitBuster 1.6,RootkitRevealer 1.71 & Rootkit Unhooker 3.0A are few of the rootkit removal tools available...google for further details

5. Thanks http://www.rootkitonline.com/

ScareWare : One more WAREior in the family

1. Adware,spyware,malware....and now one SCAREWARE.Imagine this...u r surfing innocently(???) on the web via your home/office PC,an advertisement appears on the web-page, trying to convince you that your computer is at risk and you must download the anti-virus to clean it. Once you click on the advertisement, a software trigger gets activated and you get caught in an unnerving loop impossible to abort. A scanner window will appear with red-letter warnings listing viruses purportedly infesting your hard drive. A series of dialogue boxes will follow giving you choices that all lead to the same screen: a sales pitch. Make the purchase, and you get a bogus inoculation. Try to cancel it, and you'll get repeated offers. It's like stepping into quicksand. The more you try to get out of it, the deeper you sink.....this is Scareware..the latest new generation way to get ur PC infected...although its first origin dates to sometime in 2004...its now that this is getting firm roots via increased strength of web surfers who are naive about security.

2. In brief, the scareware trickery ensnares internet users in the following steps:

• Criminals buy blocks of advertisement space on websites, intermittently slipping in a tainted advertisement.
• Just visiting a webpage with a tainted ad causes a fake warning box to appear.
• Clicking "OK" or "Cancel" launches the same thing: a "free scan."

After you've been lured into a fake "free" scan of your PC:

• The bogus scan will purport to find a virus infestation.
• Ensuing boxes steer the user to activate "Personal Antivirus," on left.
• The activation prompts take the user to a shopping cart.
• Declining to place an order triggers endless fake scans.

3. Thanks http://fanaticmedia.com

SECURITY ESSENTIALS : NO MORE "MORRO"

1. So it has been launched finally after a long wait...a few debates...a few hues and a not so lots of publicity....the microsoft antivirus "SECURITY ESSENTIALS". I downloaded it today and saw thats it is veri light at least as on date and has been able to capture the regular worms and malwares that were present in my desktop.

2. One problem for most of the Hindustani's......it only works on genuine microsoft windows....since prior to installation it checks if you have a genuine windows...if NOT ..then it comes out in between installation without procedding ahead....

MORRO : THE MICROSOFT SIDE OF ANTIVIRUS

1. Impregnable news is coming in that Microsoft is ready to launch its free anti-virus software called Morro for personal computers. This is a huge competition in making for security software leaders like Symantec Norton Antivirus and McAfee Anitvirus software.To address the growing need for a PC security solution tailored to the demands of emerging markets, smaller PC form factors and rapid increases in the incidence of malware, Microsoft Corp. plans to offer this to the new consumer security offering focused on core anti-malware protection.

2. Code-named “Morro,” this streamlined solution will be available in the last quarter of 2009 and is likely to allow comprehensive security from malware including viruses, spyware, rootkits and trojans. 

3. The surprising news is that Microsoft isn't bundling Morro with Windows.Currently in beta testing, it was available for download to the first 75,000 people in the United States, Israel, People's Republic of China and Brazil.

4. Morro” will take advantage of the same core anti-malware technology that fuels the company’s current line of security products, which have received the VB100 award from Virus Bulletin, Checkmark Certification from West Coast Labs and certification from the International Computer Security Association Labs. 

5. “Morro” will be available as a stand-alone download and offer malware protection for the Windows XP, Windows Vista and Windows 7 operating systems. When used in conjunction with the ongoing security and privacy enhancements of Windows and Internet Explorer, this new solution will offer consumers a robust, no-cost security solution to help protect against the majority of online threats.

6. Microsoft in an open source mooood!!!!!!!!!!