Thursday, November 10, 2011

3 Million Computers Hijacked

An Eastern European pack of cyber thieves known as the Rove group hijacked at least four million computers in over 100 countries, including at least half a million computers in the U.S., to make off with $14 million in "illegitimate income" before they were caught, federal officials announced today. The malware allegedly used in the "massive and sophisticated scheme" also managed to infect computers in U.S. government agencies including NASA and targeted the websites for major institutions like iTunes, Netflix and the IRS -- forcing users attempting to get to those sites to different websites entirely, according to a federal indictment unsealed in New York today. The accused hackers, six Estonian nationals and a Russian national, rerouted the internet traffic illegally on the infected computers for the last four years in order to reap profits from internet advertisement deals, the indictment said. The FBI busted up the alleged international cyber ring after a two-year investigation called Operation Ghost Click. "The global reach of these cyber thieves demonstrates that the criminal world is... flat," said Janice Fedarcyk, the FBI Assistant Director in charge of the New York field office. "The Internet is pervasive because it is such a useful tool, but it is a tool that can be exploited by those with bad intentions and a little know-how." Though they operated out of their home countries, the alleged hackers used entities in the U.S. and all over the world -- including Estonia-based software company Rove Digital from which the group apparently gets its name -- to carry out the plot. According to the indictment, the suspects entered into deals with various internet advertisers in which they would be paid for generating traffic to certain websites or advertisements. But instead of earning the money legitimately, the FBI said the defendants used malware to force infected computers to unwillingly visit the target sites or advertisements -- pumping up click results and, therefore, ill-gotten profits to the tune of $14 million. The malware was also designed to prevent users from installing anti-virus software that may have been able to free the infected computers. The six Estonian nationals have been arrested on cyber crime charges while the Russian national remains at large. "Today, with the flip of a switch, the FBI and our partners dismantled the Rove criminal enterprise," Fedarcyk said. "Thanks to the collective effort across the U.S. and in Estonia, six leaders of the criminal enterprise have been arrested and numerous servers operated by the criminal organization have been disabled." How the Fraud Worked, According to the FBI The indictment describes several examples of alleged cyber fraud including two principle strategies: traffic redirection and ad replacement. In the first case, if a user searched for the websites of major institutions like iTunes, Netflix or the IRS, the search results would return normally. However, if the user tried to click on the link to the websites, the malware on the computer would force a redirect to a different website where the criminals would profit in their advertisement deal. In the second, when an infected computer visited a major website -- like -- the malware would be able to simply replace regular advertisements on that page with advertisements of their own making. Click Computers – Computer Repair Utah
Click Computers is Utah’s Onsite Computer Repair Specialists for your Home and Business.

Monday, May 16, 2011

Mac® OS X Threats in Review: from Rogue AV to Dedicated Malware Kits

OS X security myths dismantled by the recent developments in the malware landscape.

The past couple of weeks have mostly been about Mac threats. Once touted as being the crème de la crème of system security, the Mac OS X systems are now faced with an assortment of e-threats ranging from intelligently-crafted rogue antivirus utilities to highly advanced malware development tools. On top of that, the large number of 0-day exploits and flaws in both Apple software and third-party apps make it harder for the regular Mac OS X user.

MacDefender: classical Rogue AV with a twist

Rogue antiviruses may not be breaking news for the OS X user, since they have been around for a while, but the new contender called MacDefender takes the business to a whole new level. This classic example of truly efficient search engine poisoning paired with the “Open ‘Safe’ files after downloading” option in Safari made it easier for the crooks behind the MacDefender business to automate the extraction process of the malware from its archive and launch it without the user’s interaction.In order to get installed, the application still asks for the administrator’s password, but most inexperienced users will actually fall for this.

The MacDefender Rogue AV is hard at work

The installation process goes like this: the Mac user performs an image search query (such as lookups for pictures related to Osama Bin Laden’s death). When clicking on a poisoned link, a fake scanner pops-up on the screen, initializing a bogus scan that ends up triumphantly announcing the user that his system is swarming with malware. This is common practice in case of a rogue AV. At this point, the victim is hooked and ready to open his wallet in order to pay for a solution to this problem.

The fake scanner offers the answer: a not-yet-registered antimalware solution appears on the screen. The user only needs to download a .zip file with a filename like "". It will start disinfection the moment the user pays a “small” fee that the victim perceives, under the circumstances, as a blessing. Apart from the sum of money, the cyber-crook has at this point the user’s credit card credentials as well.

This piece of malware has been originally discovered on May 2nd and ever since, new morphed variants are emerging under different names, such as MAC Defender, Mac Security and Mac Protector.

Heavy Duty malware kits

Next in line is a DIY crimeware kit we have got word of since last month. Known by now under the name of Weyland-Yutani, this malware creation tool is meant to grow a nice new botnet with the help of cybercriminal wannabes. The builder has been sold on the underground forums for a while now and lets less tech-savvy cyber-thugs create their own malware by simply filling in some info in its builder. The Weyland-Yutani kit is equipped with a builder, an admin panel and it can also support encryption. The resulting bots support web injects and form grabbing in Firefox and – judging by the claims of its author - both Chrome and Safari will soon follow. The web-injects templates are identical to the ones used in Zeus and SpyEye. It is true that there have been other attempts at creating Do-It-Yourself malware kits for Mac OS X users, such as the HellRaiser bundle, but the Weyland-Yutani bundle is much more sophisticated.

The good news is that its author does not sell the kit anymore to individuals, which means that there are only a few builders bought by now. The bad news is that we’ve seen this move back in the heyday of Zeus, when the original DIY kit was pulled off just to be improved and get sold as SpyEye.

Software flaws leading to remote code execution

Last month’s update pack coming from the Cupertino-based vendor has an impressive log. According to the Apple Security Bulletin for April, the company has delivered no less that 9 fixes for various types of attacks ranging from buffer overflows to memory corruption in multiple applications and libraries. All of these flaws allow arbitrary code execution when a malicious movie file or image is opened. To be more specific, when you open a movie or image from the web, someone may actually execute code (plant malware) on your OS X computer without your intervention. No administrator password required.

Other fixes address buffer overflow and memory corruption issues in font-handling components that also allow a remote attacker to install malware on the computer without the user’s interaction. Things go as simply as visiting a website containing a specially crafted embedded font. Privilege escalation is also present in the bulletin: “A privilege checking issue in the i386_set_ldt system can result in a local user being allowed to execute arbitrary code with system privileges,” quotes the document. This means that, in special circumstances, non-administrators are able to execute and install software, which makes social engineering a lot easier.

I’m not going discuss the other vulnerabilities in third-party software that can get your Mac-running machine owned, but it’s worth mentioning that Skype issued an advisory documenting a flaw that allows an attacker to take control of the system by simply sending a specially crafted message. That’s easy, eh?

Bottom line

Now that Mac OS X has gained well above 10 percent of market share, cyber-crooks seem to have taken the users into their crosshair. If you think that you still don’t need a security solution just because you’re running a Mac OS X, then you’d probably be shocked to learn that during the latest Pwn2Own conference a fully-patched Mac OS X 10.6.6 computer running Safari 5.0.3 was owned in less than 5 seconds, leaving it open to further attacks.

Click Computers – Computer Repair Utah
Click Computers is Utah’s Onsite Computer Repair Specialists for your Home and Business.

Sunday, May 8, 2011

Malware instead of Carnations for Mother’s

Spam, phishing, malware are all thrown at you while you are busy looking for a nice gift for your wife, mother or sister on Mother’s Day
The International Mother’s Day has been celebrated, since 1910, with white and red carnations, appreciation letters replaced today by greeting cards, nice dinner in smart restaurants or jewelries especially created for such occasion. Unfortunately, this kind of events is not missed by cyber crooks who find this frenzy particularly convenient for their on-line scams. And with a bit of social engineering things can turn very ugly, should the enthusiastic buyer not exercise enough caution around this otherwise beautiful holiday.

First of all, many well-known online retailers are phished in order to mislead buyers into thinking that they are purchasing mother’s daygifts from their favorite virtual shop. The credit card credentials can this way fall into the hands of cyber-crooks and your savings can vanish in a heartbeat. If you are about to make such a purchase, it is highly recommended that you type in the whole address of the site you would like to visit and furthermore avoid clicking on links that land on your social networking wall or that reach your spam folder.

Second, with holidays around the corner, fake shops arise each day on the Internet. These online locations advertise fictitious products and take your not-so-fictitious money without ever delivering your order. If you can’t tell an online shop from a trustworthy source, maybe you either should do some research on the particular site before using its services or choose shops you’ve already tried with other occasions.

Third, spammers will also take a shot and try to trick people into accessing either certain sites advertising knock-off jewelry, accessories and pills or clicking links that will make the online shoppers land on various malicious sites where they can get a keylogger, a backdoor or a good old exploit from. And then all the critical data typed in may get into the wrong hands.

Lately, spam bundles with malware seems to have a strong comeback: with a bit of social engineering, people are convinced to download and open attachments that at a fist glance appear to be plain Microsoft® Word® documents but are in fact executable files rigged with malware.

For instance, these past days, a spam mail has circulated in which the message reads that you’ve just received your “order confirmation” from a purchase you made from a well-known online jewelry store that advertises amongst others custom made mother’s day rings. And if you happen to have searched for this kind of gifts, then you might fall for the trick and pay a considerable sum of money for the ring that will never be sent. Plus, all your credit card credentials will get into the malicious ill-intentioned hands.

Spam message and its attached malware

Malware-bundled greeting cards once again make it into the top five online threats around Mother’s Day. Spyeye, once known as Zbot or the notorious Koobface use every means and media to spread in search for your money. You may think that you have in your inbox a nice e-card, but in fact these bots use this beautiful disguise to send you attached malware.

If you’re shopping for mother’s day gifts using a smartphone, make sure that you see the whole address of your webshop of choice. Since cyber-crooks know that the small display of the smartphones might hinder the user from seeing the entire URL of the requested webpage, they usually set up spoofed webpages resembling webshops or other commercial services and wait for you to enter your credit card details. You are therefore advised to type in the entire URL manually and check if the website’s SSL certificate is in place.

In order to protect the integrity of your computer and data, make sure that you follow these safety guidelines:

•Install and update a security solution that contains at least antimalware, antispam and antiphishing modules.
•Do not open attachments that come from unknown senders; if you really need to do so, make sure that you download the attachment and scan it with your locally installed antivirus solution.
•Never use public computers to perform e-banking transactions or other online purchases. These computers may be laden with keyloggers or banker Trojans.
•Avoid shopping online when using public WiFi hotspots such as those in airports, coffee shops or malls. Usually, data exchanged between you and the online shop of choice flows through an unencrypted channel and can easily be intercepted by an attacker.

Click Computers – Computer Repair Utah
Click Computers is Utah’s Onsite Computer Repair Specialists for your Home and Business.

Thursday, February 10, 2011

Scanned Documents Spreading ZBot

MISCELLANEOUS Scanned Documents Spreading ZBot
Four PDF vulnerabilities exploited all in the “good” name of yet another Zbot spam campaign

You know printers. I know you do and you use them regularly if not daily. They sit in a corner of your office and spit pages whenever you make them. Some of these printers can also send scanned documents via e-mail, and I’ll bet that not all of you know something about this feature let alone use it. Well, cyber criminals do know about this and they even found a way to use it for their ill-intended actions.

And here’s how: the malware writers took the e-mail template proprietary to office printers and scanners and used it to distribute…well…spam. More to the point, they “distribute” e-mails disguised as scanned documents sent by a Xerox® WorkCentre Pro scanner and containing a “malicious” attachment in the form of a harmless PDF file.

And the attachment is a wolf in a sheep’s fur. The claimed Xerox WorkCentre Pro scanned document is in fact a malformed PDF file that exploits a bunch (more precisely 4) of Adobe® Acrobat Reader® vulnerabilities such as Collab.collectEmailInfo (CVE-2007-5659), Utilprintf (CVE-2008-2992), Collab.getIcon (CVE-2009-0927), mediaNewplayer (CVE-2009-4324) which are by now old – mostly related to remote code execution.

This malformed PDF file is on a new mission these days: to spread the Zbot.

Short reminder of ZBot operation style: Also known as Zeus, ZeusBot or WSNPoem, is a Trojan designed to steal sensitive information. It messes with certain processes and adds exceptions to the Microsoft® Windows® Firewall so as it is provided with both backdoor and server capabilities. On the one hand, ZBot ships out critical data gathered from the compromised computer, and on the other hand it waits at the gates of some “ports” further commands from remote attackers.

The latest variants are also able to steal bank-related information, login data, history of the visited Web sites and other details the user inputs, while also capturing screenshots of the compromised machine's desktop

Always keep your anti-virus product up to date to help protect you against this type of malicious spyware.

Click Computers – Computer Repair Utah
Click Computers is Utah’s Onsite Computer Repair Specialists for your Home and Business.

Wednesday, January 26, 2011

Top 5 Malware for Mac OS X

Top 5 Malware for Mac OS X Users Should Know About:

Why you need a Mac OS X Antivirus: an overview of the most aggressive pieces of malware targeting Mac OS X users
For quite a while now, Mac OS X systems have been touted to be safer and “smarter” than regular PCs using Windows operating systems. And so they were, since Mac OS X users represented a small fraction of the entire Internet user-base. However, as the number of users embracing Mac OS X increased, so did the interest of malware authors to have a bite from the shiny apple.

At the moment, there are around 300 e-threats especially designed for the Mac OS X platform. Some of them are simple adware-based applications ready to cash on the unwary, but others are highly dangerous tools that can easily hijack e-banking sessions or that expose the entire computer to the attacker. Below we’d like to present you a couple of the most dangerous e-threats that you should know about if you’re using a Mac-based computer.

Trojan.OSX.Jahlav.A & Trojan.OSX.Jahlav.A – The Fake Codec
The OSX.Jahlav family has been discovered in November 2008, when it started to be distributed as a fake codec. In order to lure users into downloading and installed the malicious DMG (Disk Image) file, the gang behind this scheme created a page claiming to feature an “unplayable” video. If the user installs this alleged codec, the malicious payload starts downloading additional Trojans from a remote web server.

Trojan.OSX.RSPlug.A – Porn may get you phished even on a Mac
This is one of the most dangerous families of malware running on Mac OS X. The RSPlug Trojan also plays the missing codec card in order to persuade the user into downloading and installing the infected DMG. It is present particularly on websites with pornographic content. Once installed, the Trojan tampers with the DNS server entries in order to redirect traffic from legit addresses to copycat, spoofed domains set up by phishers to collect critical information about e-banking accounts, email and the like.

This kind of attack is extremely difficult to tell, since the user will be redirected to the fake version of the website even when they manually type in the correct URL on when they access a bookmark that has worked in the past. The only hint would be the absence of the SSL certificate, but, since users hardly look for their presence, they probably won’t spot the trick.

Other uses of the RSPlug Trojan are related to redirecting users’ requests towards pornography websites or to websites asking to install adware / malware or take surveys.

Trojan.OSX.HellRTS.A – The Remote Access Tool
Trojan.OSX.HellRTS.A is more than a simple e-threat. It is a complex malware development kit that allows an attacker to create their own piece of malware for Mac OS X in no time. The pack contains a client-server application, where the server is the backdoor service running on the infected machine and the client application is used by the attacker to issue commands. Apart from the client and the server, the pack contains a Configurator - a config application that “fine tunes” essential aspects of the Trojan such as the listening port or connection password, as well as a SMTP grabber – used for routing ANY messages the victim receives to the attacker.

If the system has been successfully infected, a remote attacker may perform a wide range of operations on the infected computer, ranging from annoying pranks (such as launching chat instances, playing voices or instruments, launching applications and web pages, or shutting the system down / logging the user out etc.) to extremely harmful operations (including the execution of binary code, fetching all the data available on the HDD or routing all the incoming mails to an attacker’s address). The attacker can also watch the user work without their knowledge via the Desktop View module.

Trojan.OSX.OpinionSpy.A – Mac Screensavers reporting to the base
The OpinionSpy family of spyware is usually installed by a number of freely-distributed applications such as screen-savers and audio / video converters. The installer utility of these applications will fetch the spyware package, install it and run is with root privileges. Trojan.OSX.OpinionSpy.A poses as a marketing research tool, but it does more than collecting users’ browsing habits and preferences: it also opens backdoors and shuffles through a great number of documents found on both local and remote drives. The Trojan poses a great danger to the user’s privacy and to the security of the stored data.

Trojan.OSX.Boonana.A – The Social Network Worm
Trojan.OSX.Boonana.A is a multi-platform e-threat that can run on Windows, Mac OS X and Linux altogether. This Java-based piece of malware downloads a couple of malicious files in the user’s home folder in an invisible folder called “.jnana”, then installs a local IRC- and web server, among others. The Boonana piece of malware will also attempt to change the DNS server settings in order to hijack requests to legit websites towards spoofed websites as part of an extremely efficient phishing scheme.

In order to enjoy a safe surfing experience, we advise you to install a security solution for Mac OS X.

Click Computers – Computer Repair Utah
Click Computers is Utah’s Onsite Computer Repair Specialists for your Home and Business.

Friday, January 7, 2011

Fake Anti-Viruses Always Ring Twice

As more and more users have become accustomed to the usual look of rogue or fake anti-viruses, cybercriminals thought that it would be a good idea to tweak the style of their progenies a bit. One of the latest new entries purports to pertain to none other than the Microsoft® defensive suite.

Primary fake alert

Trojan.FakeAV.LHS attempts to dupe the user into installing it as a legitimate application. Once onto the unprotected machine, it creates and launches its clone from the current user’s Application Data folder and deletes the initial file that infected the computer. Moreover, it scrounges the registry settings under HKCU\Software\Microsoft\Windows NT\Winlogon\Shell, in order to be launched before the explorer.exe process.

Additionally, FakeAV.LHS mimics a system scan and issues multiple annoying warnings about a gazillion of imaginary infections and other e-threats, while also requiring the gullible user to install a so-called “Windows Optimization Center" for maintenance and disinfection purposes, as depicted in the following screenshot.

Secondary fake alert

FakeAV.LHS unleashing the annoying “optimization center”

After the installation of the malicious center, the rogue continuously bugs the user to purchase a so-called license that will complete the disinfection process. To be even more credible, the Trojan kills any process/application that the user launches/opens, reminding him or her to buy that useless license.

Inciting warning to throw money out the bogus anti-virus’ window

To make sure that you are not the victim of this kind of e-threats and that you are actually protecting your system and data, install a reliable (please do read “real”) and certified anti-malware suite.

Click Computers – Computer Repair Utah
Click Computers is Utah’s Onsite Computer Repair Specialists for your Home and Business.

Friday, October 29, 2010


If your contacts are receiveing a message from you that you did not send with the web address of your email account has been compromised. Your system may have a virus, or it may be as simple as changing your email password. Click Computers recommends changing your password to your email account.