Police, security vendors take down Andromeda botnet

Suspected bot master arrested in Belarus.

A joint operation between international law enforcement agencies, Microsoft and several security vendors has dismantled the Andromeda botnet responsible for infecting millions of computers around the world.

The botnet take-down was co-ordinated by the FBI in cooperation with Europol and German police.

Andromeda, which is also known as Gamarue, was used to distribute other malware and has been active since September 2011. It has been linked with 80 other malware families and was used by the worldwide Avalanche botnet that was taken down in December last year. Belarus state media said the 37-year-old suspect earned US$500 per sale of Andromeda and US$10 per update for the malware. The total revenue brought in by the malware business has yet to be determined.

The man’s hard drives, other data storage, and digital wallets have been seized by Belarus police and are being investigated.

Some 1500 domains associated with Andromeda were sinkholed, a technique used to prevent computers infected with the malware from reaching command and control servers by redirecting traffic to servers controlled by security vendors.

Microsoft said in 48 hours of sinkholing, around two million unique IP addresses of infected machines across 223 countries were recorded.

Over half of the total number of computers running the Andromeda malware remain infected. The sinkholing will remain in place for another year globally, including in Australia. Microsoft said its telemetry shows almost 1.1 million computers a month were infected by Andromeda this year.

It was used to steal credentials and to download and install further malware on infected computers. This means Andromeda-infected computers are likely to harbour other malware such as the Neutrino distributed denial-of-service (DDoS) bot, as well as the Kelihos and Lethic spamware. Andromeda is modular malware and its functionality can be expanded with plug-ins such as keyloggers and form grabbers to capture and exfiltrate users’ personal information.

The malware has spread worldwide through social media, instant messaging, spam, and removable hard drives.

It would detect whether a target system’s keyboard layout was set to Russian, Ukrainian, Belarusian or Kazakh – if so, Andromeda would exit without doing anything malicious.

Man Hacks Jail Computer Network To Get Inmate Released Early

Malware is no longer limited to annoying ads, loss of business and data to ransomware, slow PCs and poor internet bandwidth: here, malware combined with social engineering was used in an attempt to release a prison inmate. The attacker was unsuccessful this time, but there is no telling what other attackers could achieve with malware next time.

A Michigan man pleaded guilty last week to hacking the computer network of the Washtenaw County Jail, where he modified inmate records in an attempt to have an inmate released early. To breach the jail’s network, the attacker used only spear-phishing emails and telephone social engineering.

The man, named Voits, called jail employees and posed as local IT staffers, tricking some into visiting a website and downloading and installing malware under the guise of a jail system upgrade. According to court documents, from approximately January 24, 2017, until March 10, 2017, Voits used email spear-phishing and telephone social engineering to trick Washtenaw County Jail employees into downloading and running malware on their computers.

Voits sent emails to jail staff posing as a man named “Daniel Greene” and asked for help with obtaining court records, and later also registered the domain “ewashtenavv.org,” a look-alike of “ewashtenaw.org,” the Washtenaw County’s official portal. Despite his efforts, the email spear-phishing campaigns were unsuccessful, and in mid-February, Voits switched to calling county jail employees.
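The look-alike domain in this campaign is the sort of thing a mail gateway can flag automatically. The following added example (not from the article) normalises common visual confusables such as “vv” for “w” and then compares the sender’s domain against a constructed trusted-domain list; the trusted list, the confusable table and the distance threshold are assumptions.

```python
"""Flag e-mail sender domains that imitate a trusted domain.

Added example, not part of the original article. Two checks are combined:
1. collapse visually confusable sequences (vv -> w, rn -> m, 0 -> o, ...)
2. measure edit distance against each trusted domain after normalisation.
"""
from __future__ import annotations

# Constructed list of domains the organisation treats as legitimate (assumption).
TRUSTED_DOMAINS = {"ewashtenaw.org"}

# Visual confusables, multi-character pairs first so they win over single ones.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(domain: str) -> str:
    """Lower-case a domain and collapse confusable character sequences."""
    d = domain.strip().lower().rstrip(".")
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_verdict(sender: str, max_distance: int = 2) -> dict:
    """Classify a sender address as 'trusted', 'lookalike' or 'unrelated'."""
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    if domain in TRUSTED_DOMAINS:
        return {"domain": domain, "verdict": "trusted", "imitates": None}
    norm = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        # Exact match after normalisation catches "ewashtenavv.org".
        if norm == normalise(trusted) or edit_distance(norm, trusted) <= max_distance:
            return {"domain": domain, "verdict": "lookalike", "imitates": trusted}
    return {"domain": domain, "verdict": "unrelated", "imitates": None}


if __name__ == "__main__":
    # Constructed sample senders, including the look-alike from the case.
    for addr in ("clerk@ewashtenaw.org", "dgreene@ewashtenavv.org", "someone@gmail.com"):
        print(lookalike_verdict(addr))
```

The threshold is deliberately small; raising it catches more variants but also starts flagging unrelated short domains.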

During his calls, investigators said, Voits posed as “T.L.” and “A.B.,” two actual Washtenaw County Jail employees, both working in the jail’s IT department. The telephone calls were successful: some jail employees fell for Voits’ scheme and installed malware on their computers.

“Through the installation and use of this malware, Voits was able to gain full access to the County network, including access to sensitive County records such as the XJail system (the computer program used to monitor and track inmates in the County Jail), search warrant affidavits, internal discipline records, and County employee personal information,” the plea agreement reads.

The FBI says Voits was able to obtain information, including passwords, usernames, emails, and other personal information of over 1,600 County employees. Once Voits had access to this data, investigators said he accessed the XJail system, searched and accessed the records of several inmates, and modified at least one entry “in an effort to get that inmate released early.”

Jail employees noticed the modification right away, realized what had happened, and alerted the FBI soon after. The Washtenaw County Jail also hired a security company specializing in incident response to clean its IT network.

Jail officials said they paid $235,488 “to determine the full extent of the breach, to reimage numerous compromised County hard drives, to verify the accuracy of the electronic records of nearly every then current County Jail inmate, and to attempt to reassure the 1,600 County employees whose personal data had been compromised by purchasing an identity theft program for County employees.”

After pleading guilty last week, Voits now faces up to ten years in prison and a fine of up to $250,000. Voits also had to forfeit all the electronic equipment he used to carry out his attacks — a laptop, four phones, one circuit board, and an undisclosed amount of Bitcoin. He was arrested a month after the intrusion, remains in custody, and is now awaiting sentencing.

Google Bans Android Apps That Show Lockscreen Ads

In an update to the Google Play Developer Policy Center, Google has banned apps from the Play Store that show ads on the lockscreen.
As the new policy clearly states, only apps whose sole purpose is to interact with and improve the lockscreen are allowed to show ads there.

Apps like photo editors, VPNs, malware scanners, password managers, or others, whose role and purpose are quite evident, cannot utilize the lockscreen to monetize installs.

The policy will apply only to apps uploaded and made available through the Play Store. Google did not specify when it will start pulling apps from the store that break this policy, but it’s expected that a formal announcement will be made in the following days.

The policy change is long overdue, as lockscreen ads are often so invasive that they sometimes appear on top of the PIN pad, or other legitimate features.

There have also been instances where badly implemented lockscreen ads interfered with the device’s actual screen-locking function and allowed third parties to bypass the phone’s PIN.

In most cases, though, shady app developers have misled users with false promises into using their custom lockscreen, which then rotated through various ads while the phone was charging, earning the app developer a profit.

Beware of iGotYou Ransomware

The IGotYou Ransomware is being delivered through spam email messages. As part of a spam email campaign, computer users receive emails that seem to come from legitimate sources such as FedEx, DHL, Amazon or PayPal. The message prompts them to open a file attachment, typically a Microsoft Word document. When the victim opens the file, a malicious script downloads and installs the IGotYou Ransomware onto the victim’s computer. The IGotYou Ransomware functions like most encryption ransomware Trojans, using a strong encryption method to make the victim’s files inaccessible. This allows the IGotYou Ransomware to take the victim’s files hostage, since they can only be recovered with a decryption key that the cybercrooks hold. The IGotYou Ransomware then delivers a ransom note threatening the victim with permanent deletion of the affected files unless a large monetary ransom is paid.

After the IGotYou Ransomware encrypts the victim’s files, it delivers a ransom note to the victim’s machine. Computer users will find a program window titled ‘Files Encrypted’ that appears after Windows starts up. This window asks the victim to pay 10,000 INR using Paytm, a regional online payment method similar to PayPal or Venmo. Paying the IGotYou Ransomware ransom is not recommended. It is very unlikely that the people responsible for the attack will restore the victim’s files, and computer users who pay the ransom may be targeted for further attacks because they have shown a willingness to pay. Furthermore, paying the IGotYou Ransomware ransom allows the cybercrooks to continue financing these attacks, developing new encryption ransomware Trojans and carrying out new tactics. Instead of paying the ransom, computer users should restore their files from a backup copy.

Max Total Security provides a secure backup on your hard disk which cannot be encrypted by ransomware and can be used to recover your files. In addition, Max Total Security provides protection from such crypto-ransomware.