Police, security vendors take down Andromeda botnet

Suspected bot master arrested in Belarus.

A joint operation between international law enforcement agencies, Microsoft and several security vendors has dismantled the Andromeda botnet responsible for infecting millions of computers around the world.

The botnet take-down was co-ordinated by the FBI in cooperation with Europol and German police.

Andromeda, which is also known as Gamarue, was used to distribute other malware and has been active since September 2011. It’s been linked with 80 other malware families and was used for the worldwide Avalanche botnet that was taken down in December last year. Belarus state media said the 37-year-old man earnt US$500 per sale of Andromeda, and US$10 per update for the malware. The total of revenues brought in by the malware business is yet to be ascertained.

The man’s hard drives, other data storage, and digital wallets have been seized by Belarus police and are being investigated.

Some 1500 domains associated with Andromeda were sinkholed, a technique used to prevent computers infected with the malware from reaching command and control servers by redirecting traffic to servers controlled by security vendors.

Microsoft said in 48 hours of sinkholing, around two million unique IP addresses of infected machines across 223 countries were recorded.

Over half of the total number of computers running the Andromeda malware remain infected. The sinkholing will remain in place for another year globally, including in Australia. Microsoft said its telemetry shows almost 1.1 million computers a month were infected by Andromeda this year.

It was used to steal credentials and download and install further malware on infected computers. This means Andromeda-infected computers are likely to harbour other malware such as the Neutrino distributed denial of service attack bot, as well as the Kelihos and Lethic spamware. Andromeda is modular malware and its functionality can be expanded with plug-ins such as keyloggers and form grabbers to capture and ex-filtrate users’ personal information.

The malware has spread worldwide through social media, instant messaging, spam, and removable hard drives.

It would detect if a target system’s keyboard layout was set to Russian, Ukrainian, Belarus or Kazakh languages – if so, Andromeda would exit without doing anything malicious.

Man Hacks Jail Computer Network To Get Inmate Released Early

So, now Malware network is not just limited to annoying ads, loss of business and data to Ransom ware, slow PC, poor internet bandwidth but social engineering is being used to release prison inmates. He was unsuccessful this time but you never know next time what other cyber attackers could do using malware.

A Michigan man pleaded guilty last week to hacking the computer network of the Washtenaw County Jail, where he modified inmate records in an attempt to have an inmate released early. To breach the jail’s network, the attacker used only spear-phishing emails and telephone social engineering.

The man named Voits called jail employees and posed as local IT staffers, tricking some into accessing a website, and downloading and installing malware under the guise of a jail system upgrade. According to court documents starting from approximately January 24, 2017, and until March 10, 2017, Voits used email spear-phishing and telephone social-engineering to trick Washtenaw County Jail employees into downloading and running malware on their computers.

Voits sent emails to jail staff posing as a man named “Daniel Greene” and asked for help with obtaining court records, and later also registered the domain “ewashtenavv.org,” a look-alike of “ewashtenaw.org,” the Washtenaw County’s official portal. Despite his efforts, the email spear-phishing campaigns were unsuccessful, and in mid-February, Voits switched to calling county jail employees.

During his calls, investigators said Voits posed as “T.L.” and “A.B.,” two actual Washtenaw County Jail, both working in the jail’s IT department. Telephone calls were successful. Some jail employees fell for Voits’ scheme and installed malware on their computers.

“Through the installation and use of this malware, Voits was able to gain full access to the County network, including access to sensitive County records such as the XJail system (the computer program used to monitor and track inmates in the County Jail), search warrant affidavits, internal discipline records, and County employee personal information,” the plea agreement reads.

The FBI says Voits was able to obtain information, including passwords, usernames, emails, and other personal information of over 1,600 County employees. Once Voits had access to this data, investigators said he accessed the XJail system, searched and accessed the records of several inmates, and modified at least one entry “in an effort to get that inmate released early.”

Jail employees noticed the modification right away and alerted the FBI soon after, realizing what happened. The Washtenaw County Jail also hired a security company specialized in incident response to clean its IT network.

Jail officials said they paid $235,488 “to determine the full extent of the breach, to reimage numerous compromised County hard drives, to verify the accuracy of the electronic records of nearly every then current County Jail inmate, and to attempt to reassure the 1,600 County employees whose personal data had been compromised by purchasing an identity theft program for County employees.”

After pleading guilty last week, Voits now faces up to ten years in prison and a fine of up to $250,000. Voits also had to forfeit all the electronics equipment he used to carry out his attacks — a laptop, four phones, one circuit board, and an undisclosed amount of Bitcoin. Voits remains in custody.The man as arrested a month later and is now awaiting sentencing (maximum 10 years and a fine of up to $250,000).

Google Bans Android Apps That Show Lockscreen Ads

Google Play Developer Policy Center, Google has banned apps from the Play Store that show ads on the lockscreen.
As the new policy clearly states, only apps whose sole purpose is to interact and improve the lockscreen are allowed to show ads.

Apps like photo editors, VPNs, malware scanners, password managers, or others, whose role and purpose are quite evident, cannot utilize the lockscreen to monetize installs.

The policy will apply only to apps uploaded and made available through the Play Store. Google did not specify when it will start pulling apps from the store that break this policy, but it’s expected that a formal announcement will be made in the following days.

The policy change is long overdue, as lockscreen ads are often so invasive that they sometimes appear on top of the PIN pad, or other legitimate features.

There have also been instances when badly implemented lockscreen ads have intervened with the actual device screen-locking function and allowed third-parties to bypass the phone’s PIN.

Nevertheless, in most cases, shady app developers have misled users with false promises into using their custom lockscreen, which then rotated through various ads while the phone was charging, earning the app developer a profit.

Beware of iGotYou Ransomware

The IGotYou Ransomware is being delivered through spam email messages. As part of a spam email campaign, computer users will receive emails that seem to come from legitimate sources such as FedEx, DHL, Amazon or Paypal. The message prompts them to open a file attachment, typically a Microsoft Word document. When the victim opens the file, a corrupted script downloads and installs the IGotYou Ransomware onto the victim’s computer. The IGotYou Ransomware functions like most encryption ransomware Trojans, using a strong encryption method to make the victim’s files inaccessible. This allows the IGotYou Ransomware to take the victim’s files hostage since they can only be recovered with a decryption key that the cybercrooks hold in their possession. The IGotYou Ransomware will deliver a ransom note threatening the victim with the permanent deletion of the affected files unless the victim pays a large monetary ransom.

After the IGotYou Ransom ware encrypts the victim’s files, it delivers a ransom note to the victim’s machine. Computer users will find a program window titled ‘Files Encrypted’ that appears on their computers after Windows starts up. This program window asks the victim to pay 10,000 INR using Paytm, a regional online payment method similar to PayPal or Venmo. It is not a recommended decision pay the IGotYou Ransom ware ransom. It is very unlikely that the people responsible for the attack will restore the victim’s files, and computer users that pay the ransom may be targeted for further attacks because they have shown a willingness to pay. Furthermore, paying the IGotYou Ransom ware ransom allows the cyber crooks to continue financing these attacks, developing new encryption ransom ware Trojans and carrying out new tactics. Instead of paying the ransom, computer users should restore their files from a backup copy.

Max Total Security provides secure back up on your hard disk which can not be encrypted by Ransomware and can be used to recover your files. In addition to that Max Total Security provides protection from such Crypto Ransom ware.

BASS-FES Ransomware

BASS-FES (BitchASS File Encryption System) is a ransomware-type cyber threat that is based on the HiddenTear project. The virus uses AES cryptography and appends the .basslock file extension to the encrypted files. Then it drops a ransom note called “the BASS the File the Encryption the Service Notice.txt” on the affected computer’s desktop. The ransom payment is demanded in 1 BitCoin.

BASS-FES ransomware might also distribute its payload file on social media and file-sharing services. Freeware which is found on the Web can be presented as helpful also be hiding the malicious script for the cryptovirus. Refrain from opening files right after you have downloaded them. You should first scan them with a security tool, while also checking their size and signatures for anything that seems out of the ordinary.

That ransom message appears after encryption is completed and reads the following:

“File Recovery Notice by BitchASS File Encryption System (BASS-FES)
Your files have been successfully encrypted and backuped in the cloud storage by BASS File Encryption System.
If you want to recover your files, please send 1 BTC to the following adress:
18Cgi9ADqH9NsG6zqW2xEh7wl6dQM6Rvix
If you sent 1 BTC to the adress, email at bitchasshole@protonmail.com with your Bitcoin adress.”

You should NOT under any circumstances pay the ransom. Your files may not get restored, and nobody could give you a guarantee for that. Plus, giving money to cybercriminals will likely motivate them to create more ransomware viruses or commit other crimes. We recommend using Max Total Security with ” Max Crypto Monitor ” to keep your pc safe and use its Data restore feature if ever something likes this happens.

Cyber Security Predictions -2018

The year 2018 will bring more connectivity, digital transformation initiatives, and data to companies, along with a number of new cybersecurity threats and landscape changes. Biggest areas that require extra attention are cloud computing and the internet of things, or IoT. The IoT includes the growing list of connected devices like smart thermostats, smart aquariums and smart light bulbs. Such electronics often come with security vulnerabilities that leave networks open to exploitation from hackers. For instance, hackers discovered a man-in-the-middle vulnerability in a smart refrigerator back in 2015 that granted them access to users’ gmail accounts.

Once an IoT device gets synced with a laptop, smartphone or tablet, all of the data on those machines can be compromised. Unfortunately, many of the IoT devices being manufactured today rely on cheap electronics that are incapable of supporting the security protocols that have become standard in other mobile devices. Even if a product is designed to meet the latest security standards, most IoT devices aren’t set up to receive automatic updates, so they remain vulnerable to new types of malware.

Cybercriminals will use ransomware to shut down point of sale systems. Many merchants have updated their payment systems to use end-to-end encryption and prevent criminals from obtaining credit card data from point of sale (POS) systems. This has led criminals to turn to ransomware as a means of monetizing an attack, as opposed to stealing and selling data.

Cyber terrorism also poses a threat to all humanity since successful attacks on power grids could have deadly consequences if hospitals, subways and other public services get disrupted.

IT security skills are already in high demand, and the need for new IT professionals will continue to increase with the digital transformation. Unfortunately, there may not be enough talent to fill all of the new job openings. Various reports estimate that up to 3.5 million IT security jobs will be unfilled in 2021 due to a severe talent shortage.

Government agencies and business leaders must partner together to recruit more young IT professionals, and universities will need to expand their curricula as data governance and AI technologies become more embedded into the fabric of society. Rather than maintaining a defensive approach to cyber security, the IT teams of the future could use artificial intelligence to predict threats before they arise. So there will be more application of Machine learning and Artificial Intelligence in threat detection.

Hacking Boeing 757

A US government official revealed that he and his team of IT experts remotely hacked into a Boeing 757 as it sat on the runway and were able to take control of its flight functions. Robert Hickey, a US Homeland Security cyber sleuth, managed to take over the passenger plane at Atlantic City International Airport in New Jersey.

boeing

He was successful in accomplishing a remote, non-cooperative, penetration. Which means he didn’t have anybody touching the aeroplane, He was not an insider threat. He stood off using typical stuff that could get through security and theye were able to establish a presence on the systems of the aircraft. Mr Hickey said his team used combination of radio frequency communication to hack into the craft, but that details of the breach remain classified.

There have been numerous car hacking attempts. Nothing is 100% safe in this world of internet (including iOT) but keeping your devices and Laptops as secure as possible, free from malware, spam and phishing with firewall and good detection using a good Total Security solution is the closest you can get to being secure.

Foxy Ransomware

Foxy ransomware is a file-encrypting virus that is based on the source code of an infamous Hidden Tear ransomware. Just like any other crypto virus, this one is designed to encrypt the files on the victimized computer, lock its screen and demand a ransom for a decryption tool. After the malware finishes its job, it appends a .nightmare file extension to the corrupted files.

Foxy

The Foxy file encoder Trojan is designed to apply a modified AES-256 cipher to the targeted data, which includes audio, video, images, text, databases and eBooks. The Foxy Ransomware is reported to run as ‘WindowsSoundDriver.exe’ and ‘Foxy – Rnsmwre.exe’ on compromised devices. Computer security experts note that the threat is designed to send the decryption key to its masters and delete the local Shadow Volume snapshots created by Windows, limiting the user’s recovery options effectively.
Cybersecurity experts say that ransomware is distributed via fake Windows Audio Driver , Spam emails attachments, corrupt or malicious scripts, embed doc files etc.

The Foxy Ransomware is classified as a mid-tier crypto-threat that should be removed using a reliable anti-malware such as Max Total Security. You can rebuild lost data by loading backups and copies from a cloud storage service (Dropbox, Google Drive, OneDrive, etc.) or Max Total Security Data back up.

WAFFLE Ransomware

Waffle Ransomware is newly detected file encryption virus created cyber criminals. It has been programmed with the sole motive to blackmail victims. Waffle Ransomware virus mostly get spread through spam emails, suspicious links, torrent or porn websites, peer to peer file sharing and many other tricks. This nasty ransomware virus will find and encrypt all kinds of files such as texts, documents, media files, presentations, etc. on your system.
It ask the users to pay a certain amount of money in exchange of the decryption key. However, users should know that most of the ransomware viruses does not restore users data completely even after payment.

These registry locations will show you presence of Waffle ransomware on your PC:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe “Debugger” = ‘svchost.exe’

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe “Debugger” = ‘svchost.exe’

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Waffle Ransomware

HKEY_LOCAL_MACHINE\SOFTWARE\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = ’0′

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = ’0′

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore “DisableSR ” = ’1′

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe “Debugger” = ‘svchost.exe’

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “3948550101?

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “xas”

HKEY_CURRENT_USER\Software\Waffle Ransomware

If infected you can use Max Total Security >Tools>Browser Fox to reset all browsers. Recover your lost data from Max Total Security Data Back/Restore Tool and keep protection ON all the time. Happy surfing if you have Max Total Security on your PC.

Relock Ransomware

Relock ransomware is a file-encrypting virus that blocks the access to your data and demands a ransom. The Relock Ransomware Trojan is classified as a mid-tier crypto-threat that uses secure cryptographic algorithms to make data unreadable and suggest the user pay a ransom for the access to the encrypted data. The developers of the Relock Ransomware weaponized an open-source code and delivered the threat payload via spam emails to users.

This ransomware targets :
1. All Windows PC : This dubious computer virus can infect all versions of Windows computer including Windows XP, vista, 7, 8, 8.1 and the latest Windows 10.
2. Malicious code injection : This perilous threat can corrupt your registry files and inject its malicious codes to the registry files for getting automatically started on your machine without your permission.
3. Browser Redirection : Relock Ransomware Virus virus can also infect your working web browser and causes unwanted web redirection. This nasty threat can also bring other noxious malware on your PC.
4. Data Corruption : Relock Ransomware Virus virus is a lethal PC threat that harm your entire system data. It can corrupt your files and programs. It can also cause black screen of death on your computer.
5. Disable Security Programs : This nasty PC infection can also block your anti-virus and Firewall program to make its self safe in to your machine for longer time.
6. Gather sensitive Data : It can also gather your secret and confidential information by using keylogger and tracking your browsing habits. It can also risk your privacy by sharing your personal information with hackers.
7. Remote Access (Backdoor) : Relock Ransomware Virus is such a harmful virus that can allow remote hackers to remotely access your system. It can make your system more vulnerable and expose your privacy.

Data Recovery Options are Limited Significantly. It is recommended to scan with Max Total Security and use its Data back up and Recovery feature to recover your lost data.