Continue reading »]]> Malware, short for malicious software, is a computer program that runs on your computer without your consent and make your system do something that an attacker wants it to do. Virus, worm, backdoor, trojan horse, rootkit, bot, spyware, adware etc are types of malware.

 Virus

Computer viruses are small software programs that are designed to spread using a host from one computer to another and to interfere with computer operation. A virus might corrupt or delete data on your computer, use your e-mail program to spread itself to other computers, or even erase everything on your hard disk.

Worm

A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other computers on the network and it may do so without any user intervention. Worms usually exploit a known or zero-day vulnerability that allows them to execute their copies on computers on the same network.

Trojan horse

A Trojan horse (or Trojan in short) is non-self replicating malware that appears to perform a desirable function for the user but instead facilitates unauthorized access to the user’s computer system. Nowadays, they are usually dropped as payloads by computer worms in order to give the attacker total control of the victim’s PC.

Backdoor

As their name implies, backdoor software allows an attacker to access a machine using an alternative entry method. Normal users log in through front doors, such as login screens with user IDs and passwords. Attackers use backdoors to bypass these normal system security controls that act as the front door and its associated locks. Once attackers install a backdoor on a machine, they can access the system without using the passwords, encryption, and account structure associated with normal users of the machine.

Rootkit

A rootkit is a software system that consists of one or more programs designed to obscure the fact that a system has been compromised. An attacker may use a rootkit to replace vital system files, which may then be used to hid processes and files the attacker has installed. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules, depending on the internal details of an operating system’s mechanisms. Kernel rootkits can be especially difficult to detect and remove because they operate at the same level as the operating system itself and are thus able to intercept or subvert any operation made by the operating system. Any software such as antivirus software, running on the compromised system is equally easily subverted. The fundamental problem with rootkit detection is that if the operating system currently running has been subverted, it cannot be trusted, including to find unauthorized modifications to itself or its components.

Spyware

Spyware extract the personal information or details from the computers. This information is sent to specific locations without permission of owner which can be very dangerous. The attacker uses the spywares to steal the personal information of users like password or credit card number.

Adware

Adware usually try to sell something to the users which automatically appear as pop up window even if users don’t open these. Normally this program comes to the systems in the form of the gambling advertisements and these advertisements are related to the websites which you open. There will many windows open and users will not be able to close these windows in case of adware attack.

Malware Propagation Method 

There are many possible means that malware can get into your computer especially if your computer has no anti-virus program installed, has poor antivirus program or the out of date one.

Data Storage Devices

The nature of viruses is that it can replicate itself and attach to file or program. Data storage devices like

• Flash drive,
• External hard disk and
• Memory card are very popular today.

Malwares can easily copy themselves and spread from one computer to another through these storage devices. Shared directories like a multiuser file server can also be a means of malware propagation.

E-mail Attachment

Another popular means that malwares can spread themselves into many computers around the world is through e-mail attachments such as executable files, documents, funny images, greeting cards, audio and video files, etc that hide malware within them.
E-mail can have a link to a web site that appears to belong to a legitimate company but to an evil web site which contains malware. Malware can get into your computer by just visiting the web site. The e-mails are spoofed to appear to come from a trusted source.

Downloading Files or Programs which Contains malware

Some bad guys are intend to spread viruses by putting them as package with useful file like music, video, picture, e-book or software for people to download. These downloads appear to be useful and attractive but hiding malicious capacity.

How to protect malware

• Update your operating system frequently

The first defense against infection is a properly patched operating system. Make sure that you have all the critical updates recommended for your operating system and Internet Explorer. Since vulnerabilities are discovered every now and then, it is recommended that you leave your operating system to automatically update itself.

• Use Antivirus and Antispyware Software
  Always use efficient and up-to-date antivirus and antispyware software. Since modern day worms and Trojans can infect your pc without your knowledge by exploiting zero-day vulnerabilities, you cannot be safe unless you have an effective and updated antivirus and antispyware program. You should regularly update your antivirus and antispyware and make whole scan of your computer regularly. Which antivirus and antispyware is the best is an ever changing debate as performance tests performed one month will be different the next month. Antivirus like Avira Antivirus Personal (free) and Kaspersky (commercial with 30 days free trial) have both antivirus and antispyware feature with good protection. SUPER Antispyware and Malwarebytes Anti-malware have good spyware protection. Their free versions provide a useful scan/removal feature but have no real-time protection. If your antivirus has antispyware feature don’t install another antispyware. Don’t use two antivirus programs at once since they may interfere and that may result in decreased performance and damage on your system.
• Use Firewall
  A firewall is software or hardware that acts like a gate to help protect your computer against hackers and some computer viruses and worms that try to find unprotected computers that are connected to the Internet. This gate allows you to you to accept connections from sources you trust, and it keeps the gate closed for ones you don’t trust. A firewall works by examining information coming from and going to the Internet. It identifies and blocks information that comes from a dangerous location or seems suspicious. If you set up your firewall properly, hackers searching for vulnerable computers cannot detect your computer (often referred to as a stealthy connection)

The built-in firewall of Windows operating system is weak. Use a software firewall even if you do have a hardware firewall. Whether you are on dial up or high speed connection you must have a firewall or you can get infected faster than you can download any tools to fix your problems. There are many software firewalls you can choose. Comodo Personal Firewall, Outpost Firewall Free, PC Tools Firewall, Online Armore Personal Firewall and ZoneAlarmFree are some of free firewalls. They also have commercial versions. Some firewalls include both the firewall and antivirus. Do not install the antivirus part if you already have an antivirus. Use only one software firewall. Running multiple software firewalls is unnecessary and can cause issues with connectivity to the Internet or other unexpected behavior. Disable your Windows firewall if the firewall you choose do not disable it automatically. If you use Vista or Windows 7 make sure you check for compatibility before choosing a firewall.

• Be careful what you download and from where!
  There are lots of free programs and services out there that people love to download. These are programs are quite often come bundled with lots of malware that will cause you significant problems.If you are downloading unknown or untested files, which may be infected, from unknown sources directly onto your PC and run these programs, you are sharing your PC with the whole world since these programs will allow others access to your PC bypassing the firewall and other security programs. Avoiding these programs and servers completely is strongly advised. But if you must use them, choose more wisely. Know your software before install. Make sure that the developer is trustworthy and run software from trusted developers only. Check it using antivirus and antispyware.

Do not download e-mail attachments that you don’t trust. If you don’t know or trust the address from which the email came from, then it’s highly probable that the attachment is a worm. Even if you do know the address from which the email was from, if you didn’t ask for the attachment or if it looks suspicious, then don’t download it.

• Update your web browser - Updating web browser frequently prevents malware attacks that use weak browser security to execute malicious codes on your computer.

Tips

• Since Malwares these days are exploiting the autorun feature to execute their code when you open removable disks, it is highly advised that you disable the autorun feature on vista and its predecessors. Windows 7 has disabled the feature by default.
• It is highly recommended that you only use a Restricted User account (Note: Restricted User account in Windows XP these are called Limited User accounts and in Vista they are called Standard User accounts) while surfing the Internet. This can help to keep certain malware infections off your PC since they may require admin level privileges to do their dirty work. Some people find using restricted accounts full time to be too much of an annoyance. You can safely surf using an Admin account if you practice safe surfing, but many people are their own worst enemies and should really consider using Restricted User accounts.
• Put restore point and backup your data regularly so that you can restore the original if a data loss appears.
• Don’t do everything your computer tells you to do. Be very careful to read pop ups before clicking on them.

Symptoms of malware infection

The following are some primary indicators that a computer may be infected.

• Unusual error messages.
• System runs slow than usual.
• System hangs up frequently.
• Computer crashes
• Computer restarts itself after every few seconds.
• Disk drives inaccessible.
• Computer’s applications do not work.
• Hard disk’s LED/Indicator seems to be busy most of the time.
• System utilizes more resources than normal.
• Antivirus program disabled for no reason.
• An Antivirus program does not run and can’t be installed.
• Distorted desktop items, menus and dialog boxes.
• Windows works incorrectly.

These are common signs of infection. However, these signs may also be caused by hardware or software problems that have nothing to do with a malware. Use up-to-date and efficient antivirus software to be certain whether a computer is infected with a malware or not.

If you are sure that you are infected by a malware follow these don’ts until the malware is removed.

• Don’t e-mail attachments to anyone to stop the spread of the malware to someone else.
• Don’t plug in a USB drive or copy files. Some viruses can automatically copy themselves to a USB drive. The next time the infected drive is plugged into a computer, the virus will auto run, allowing it to spread to the new machine.
• Don’t log into any personal accounts such as e-mail and other accounts that contain personal and potentially sensitive data. If your PC is infected, your passwords and other login information are vulnerable to theft by the malware.
• Don’t enter credit card or banking information online.

How to remove malware

If you are sure that you are infected by a malware follow these steps to clean it.

• Disconnect from your network to prevent the malware from spreading to other computers.
• Lock Internet traffic with your firewall:

If you’re using a third-party firewall program such as ZoneAlarm or Comodo, then you can stop all Internet traffic in its path, preventing the offending program from spreading or reaching out across the Internet for help and updates. Even if you don’t have a dedicated firewall program, disable your network connections or you can just unplug the Ethernet cable. The downside is that, with no Internet, there is no updating of your anti-virus program, so make sure you’ve installed the latest updates before locking your system down completely.

• Update your Operating System:

Blocking a pesky virus could be as simple as running updates on your OS. While updating your OS won’t necessarily clear the infection out, it may plug up any security holes that allow the virus to spread and cause disorder on your PC.

• Use efficient and up-to-date Anti-Virus program and run a full system scan.

If the antivirus can’t remove try to identify and remove using tools discussed below.
Removing malware using tools

Removing malware using Process Explorer and Autoruns tools

Steps to remove

• Identify malicious processes and drivers
• Terminate identified processes
• Identify and delete malware autostarts
• Delete malware files
• Reboot and repeat

Process Explorer

When we look processes running on the machine using process explorer mostly malware processes are processes that:

• have no icon
• have no description or company name
• have no version information
• use totally random or pseudo-random names
• unsigned Microsoft or other company images
• live in Windows directory
• are packed
• include strange URLs in their strings
• have open TCP/IP endpoints
• hide themselves using Svchost and Rundll32
• host suspicious DLLs or services

To get more information about a process right click on it and look the properties or search online. In the following example the bottom svchost.exe is fake svchost.exe. It is a malware process.

If you are sure that a process is malware process follow these steps to terminate it. Be careful that if you terminate a process that is not malicious your software or operating system will fail to operate.

• Don’t kill the processes. They are often restarted by watchdogs.
• Instead, suspend them record the full path to each malicious EXE and DLL.
• After they are all asleep then kill them. Watch for restarts with new names.

Autoruns

Autoruns shows every place in the system that is configured to run something at boot and logon. Malwares which run at system boot are found in autostarts list.

Here Yahoo Messengger is a malware autostart.

To remove malware autostarts:

• Delete suspicious autostarts. You can disable them if you’re not sure
• After you delete or disable do a full refresh
• If they come back, run process (right click on it and run process explorer) to see which process is putting them back.

Tip:

• Use http://technet.microsoft.com/en-us/sysinternals/default.aspx to get process explorer and autoruns.

Continue reading »]]> Bots have been around for a while. There are both good and bad bots. A bot is a piece of software with a little bit of intelligence. It can receive and respond to commands. But also do other things depending on the purpose of the bots as well as its creator. Examples of good bots are Google Search Engine and Clever bot.

However we will focus on the bad one.

They have different purpose, such as stealing bank details and denial of service (DOS).

A bot is a tiny little thing that receives commands from the CC. The command and control (CC) is for commanding the bot to do varies things such as attack a site. Or it will request it to send passwords from a specific site.

Here is a short timeline of a bot and what it does.

- Connect to CC
- Receive command
- Carry out command
- Connect to CC waiting for the next command

Detection

Detecting a bot in your network or on a computer can be easy or a nightmare depending on the kind of the bot or the number of the computers infected. One of the tools to be used is Wireshark for capturing the network.
The second thing we can do is scanning your PC for malware.

Sinkholing

Sinkholing is the fun part of a sort of payback.
Here you are taking the control of a botnet  and erase it from earth/cyberspace. (Whitehat)

The first step in out Whitehat movement is to submi the ‘virus’ to virustotal, then the ‘virus’ will be sent to 40 different company and get it detected in a few days.

Continue reading »]]> Technical Details
Written using the C++ language
File Size: 1.6 MB

Overview
Win32.worm.dpug is a worm that infects Windows PCs running Windows XP and above.

Analysis
Upon execution, it checks weather it’s installed or not by quering the value of it’s key (“HKCU\Software\Microsoft\Windows\CurrentVersion\Run\gtalkupdate”). If that fails, then it installs itself by copying it’s copy to %HOMEDRIVE%\%HOMEPATH%\gupd.exe and creates a registry key to insure execution upon boot. It then creates two threads that run indefinetly. The first thread loops every 5 minutes till it can successfully open
“http://google.com/index.html”. It then populates the drives of the computer and searchs for files ending with “.doc” and “.docx” extension and performs it’s payload on them.
The second thread creates a transparent window inorder to be notified when there is a device insertion. Upon device insertion, the malware copies itself to the
removable drive using a set of predefined names (“essay.exe”, “portfolio.exe” and “lecture notes.exe”) as well as names that it generates using the folders in the
drive as a hint.

Removal Instructions
At the time of this writing, it’s undetectable by almost all of the popular anti-virus products.

You can however install SFAM and run a full scan to completely remove all the copies of the malware.

Manual Removal Instructions
1) Kill the running instance of the malware (gupd.exe)
2) Delete gupd.exe from %HOMEDRIVE%\%HOMEPATH%
3) Delete all copies of the malware on Removable Drives

Continue reading »]]> A computer worm commonly known as “Teddy Afro” (Worm.Win32.AutoIt.a) is currently spreading in Ethiopia.

Continue reading »]]> Technical details