Archive for category Hacker

Should I tell someone about eCrime ??? YES !!!!

I know that I am in Australia and my experience might not reflect other countries, but I say yes. If you have had an eCrime committed against you (not your general virus or malware) then REPORT IT!!!

The more you report, the more the problem is taken notice of, the more investigation happens.

My post today to Facebook

A win for the good guys.

We had a business client scammed out of a large amount of money through an email.
We pursued it. We recommended and assisted in filling in the eCrime report.
We pushed it along. The police told the client, nothing will come of this. The client also felt that they were banging their head against a wall.
Well, today they received notification that the money is about to be transferred back.
We helped chase the criminal through the Czech Republic and into Spain.
Now, the person is cornered and my client has been offered a chance to be there in court and be a part of the process.

Reporting eCrime is the smart choice ! Things can happen !!!


Cryptowall 3.0

I have had a brush with Cryptowall 3.0.

Imagine this: visiting a website in your favourite browser (any of them: Google Chrome, IE, Firefox) on a PC that has the latest version of everything (Adobe Flash, Java etc.) and up-to-date antivirus, and you get hacked within 5 seconds.

No popups, no request to “allow this to download” or “allow this to run”. It just downloads and runs. You don’t feel it. The machine runs normally. (It even bypassed Microsoft UAC.)

Then … 28 PCs on your network, your Dropbox, your server, your NAS backup drives, your interstate user connected by VPN from a university … are all encrypted and held for ransom.

The website you visited was one you trust implicitly and buy goods from. You had no reason to doubt it. Nothing strange pops up … until the damage is done.

You call the company the website belongs to; they know nothing about it and pass you to their web developers. The web developers know nothing of the issue either. They look further. All of their clients’ websites on their servers have been hacked. They take the servers offline.

Potentially thousands of people from around where you live use this service, surfing local websites for local businesses all now being held to ransom.

It could happen to anyone. It could happen to you or me.

It sounds like a work of fiction. Maybe an episode of CSI or NCIS? Nope. That is what happened.

So how did this website attack this person?

We found a back door in the WordPress code that ran the website, calling out over the internet to Russia. This back door was used to gain access to the website, and then the site’s code was modified to plant the malware onto visiting machines.

When figuring out how the website initially got hacked, I learnt that there are specific search strings you can type into Google (commonly called Google dorks).

Such a search string shows you a list of every website where a certain file is publicly accessible: the file likely used to allow this hack.

A hacker can click on this file and download it. They open the file in something like Notepad … and there is the username and the password to the website, stored as a hash. They crack the hash, log into the website and edit the code to include the back door calling out to Russia.

So, using Google, Notepad and a server for the back door to point to, an attacker can compromise a large number of websites, inject this code, and then let people browse the websites and get infected without any indication of how they got infected.

The injected code changes the file size very little, and the attacker can reset the file’s modification date back to an older date, so a glance at sizes and timestamps shows nothing. The webmaster does not know they are infecting people and it goes on for several days. By then all their backups contain the malware too.
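Because the attacker resets timestamps, a date-based check is worthless; a content hash taken from a known-good copy is not. The following is an added example, not code from the original post or from WordPress: it baselines the SHA-256 of every .php file under a site root, then re-audits the tree and also greps for the loader patterns that injected PHP typically uses (eval, base64_decode, gzinflate and the like). The site layout, the file contents and the injected string are constructed for the demonstration; the pattern list is illustrative, not exhaustive.

```python
import hashlib
import os
import re
import tempfile

# Strings that commonly appear in injected PHP loaders. Illustrative, not exhaustive:
# a real scanner would also compare against the official WordPress file checksums.
SUSPICIOUS = re.compile(
    rb"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|assert)\s*\(",
    re.IGNORECASE,
)


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Known-good baseline: sha256 and mtime (ns) of every .php file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root)
                baseline[rel] = (file_sha256(path), os.stat(path).st_mtime_ns)
    return baseline


def audit(root, baseline):
    """Diff the live tree against the baseline and grep for loader patterns."""
    findings = {"changed": [], "added": [], "removed": [],
                "mtime_changed": [], "suspicious": []}
    current = snapshot(root)
    for rel, (digest, mtime_ns) in current.items():
        if rel not in baseline:
            findings["added"].append(rel)
        else:
            old_digest, old_mtime_ns = baseline[rel]
            if digest != old_digest:
                findings["changed"].append(rel)
            if mtime_ns != old_mtime_ns:
                findings["mtime_changed"].append(rel)
        with open(os.path.join(root, rel), "rb") as f:
            if SUSPICIOUS.search(f.read()):
                findings["suspicious"].append(rel)
    findings["removed"] = [rel for rel in baseline if rel not in current]
    return findings


def demo():
    """Constructed scenario: baseline a tiny site, append a loader, reset the mtime."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-includes"))
    target = os.path.join(root, "wp-includes", "functions.php")
    with open(target, "w") as f:
        f.write("<?php\nfunction hello() { return 'hi'; }\n")
    baseline = snapshot(root)
    before = os.stat(target)
    # The attacker appends an obfuscated loader (a harmless placeholder string here) ...
    with open(target, "a") as f:
        f.write("<?php eval(base64_decode('ZWNobyAnaGknOw=='));\n")
    # ... and puts the timestamps back, so a date-based check sees nothing.
    os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
    return audit(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In the demo the modified file shows up under "changed" and "suspicious" while "mtime_changed" stays empty, which is exactly the blind spot the timestamp trick exploits. The baseline has to be stored somewhere the web server cannot write, or the attacker simply re-baselines it for you.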

Then the hacker sits back and earns millions of dollars a day in ransom money.

It scares me that malicious code can be put on your PC and run, and you have no idea. It scares me that you can perform the original hack of the website using Google.

So, trying the Google trick myself, I found the passwords to a hospital website and their member logon database.

Very scary. (I will let the hospital know).

We found the original malicious code and set it up on our Malware testing machine.

We set up Wireshark to monitor what it does, along with Sysinternals Process Monitor. We disconnected the internet and ran the virus. Nothing happened. Double clicking made the mouse cursor change, but then nothing.

After watching for a while, we connected the internet. Now the virus wakes up. It needed the internet to activate.

We double click the file and it deletes itself. It appears in C:\XXXXX where xxxxxx is the random name of the EXE file. Then it copies itself into the Startup section of the user’s profile Start Menu. It then reaches out over the internet to numerous domains, hands over a cipher (encryption key) and starts encrypting files.

I had placed some bait in a folder called C:\$fodder (some Microsoft Word and Excel files). This virus went alphabetically through my drive letters and folders and encrypted all my useful files, leaving behind help_decrypt.html and help_decrypt.txt files in every folder, on the desktop and in my profile’s Startup folder, and then deleted the virus executable when done.

I am encrypted and held for ransom 🙂
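The bait folder idea above generalises into a cheap detector. As an added example that is not part of the original post and not the author’s own tooling: the code below profiles the byte entropy of each bait file, then on every check reports bait files whose entropy jumped (documents sit well below 8 bits per byte, ciphertext approaches it), ransom notes with the names observed in the run above, and new entries in a Startup folder. The folder names, the bait contents and the simulated infection are all constructed for the demonstration; the 2-bit jump threshold is an assumption.

```python
import math
import os
import tempfile

# Note names observed in the run above; the encrypted files themselves keep their names.
RANSOM_NOTES = {"help_decrypt.html", "help_decrypt.txt"}


def shannon_entropy(data):
    """Bits per byte. Documents and source sit around 4 to 6; ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def profile(bait_dir):
    """Entropy of each bait file: the baseline later checks compare against."""
    out = {}
    for name in sorted(os.listdir(bait_dir)):
        path = os.path.join(bait_dir, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                out[name] = shannon_entropy(f.read())
    return out


def check(bait_dir, baseline, startup_dir, startup_baseline, min_jump=2.0):
    """Report ransom notes, bait files whose entropy jumped, and new startup entries."""
    findings = {"ransom_notes": [], "encrypted": [], "startup_added": []}
    for name in sorted(os.listdir(bait_dir)):
        path = os.path.join(bait_dir, name)
        if name.lower() in RANSOM_NOTES:
            findings["ransom_notes"].append(name)
        elif name in baseline and os.path.isfile(path):
            with open(path, "rb") as f:
                if shannon_entropy(f.read()) - baseline[name] >= min_jump:
                    findings["encrypted"].append(name)
    findings["startup_added"] = sorted(set(os.listdir(startup_dir)) - startup_baseline)
    return findings


def demo():
    """Constructed scenario mirroring the run above, inside a temp directory."""
    root = tempfile.mkdtemp()
    bait = os.path.join(root, "$fodder")
    startup = os.path.join(root, "Startup")  # stands in for the profile's Startup folder
    os.makedirs(bait)
    os.makedirs(startup)
    for name in ("report.txt", "budget.csv"):
        with open(os.path.join(bait, name), "w") as f:
            f.write("quarter,revenue,cost\nQ1,120,80\nQ2,130,85\n" * 40)
    baseline = profile(bait)
    startup_baseline = set(os.listdir(startup))

    # Simulated infection: bait overwritten with ciphertext-like bytes (a deterministic
    # stand-in with entropy exactly 8.0), notes dropped, a random-named EXE persisted.
    for name in ("report.txt", "budget.csv"):
        with open(os.path.join(bait, name), "wb") as f:
            f.write(bytes(range(256)) * 16)
    for note in RANSOM_NOTES:
        with open(os.path.join(bait, note), "w") as f:
            f.write("Your files have been encrypted.\n")
    with open(os.path.join(startup, "a1b2c3.exe"), "wb") as f:
        f.write(b"MZ")
    return check(bait, baseline, startup, startup_baseline)


if __name__ == "__main__":
    print(demo())
```

The per-file baseline matters: modern Office formats (.docx, .xlsx) are zip archives and already sit near 8 bits per byte, so an absolute threshold would flag them at rest, whereas a jump relative to their own baseline still catches the overwrite. Because this family walks drives alphabetically, a bait folder that sorts first gives the earliest warning.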

Technical details are at http://torblogjp5rjeyhx.onion/mickyj/cryptowall-3-0/

(Yes, it is on Tor. Only advanced computer users will know what to do to get to Tor and on the Tor network, I can post more details).


There is a new virus and I found it ….. TROJ_CRYPWALL.XXRS

I am as proud as can be. I found an unknown virus and my company was instrumental in it being included in new detection routines as of 23rd June 2015. I am proud to be helping keep the IT world safe, a world I work in everyday and have helped create.

The virus is not named after me, but it is my claim to 5 seconds of fame. Now … to put it into extinction. It has to go. It is crypto-ransomware and dangerous.

I saw several of these viruses arrive in my inbox, with different subjects and senders’ names. The one common thread was a malformed attachment. Example name: “check[1].zip size=16877”

(Contains 6d5770fd.exe(221184 bytes))

If you rename the attachment to a zip file, you can see the exe payload.
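The attachment name is whatever the sender chose, so the useful check is on the bytes. As an added example, not code from the original post: this inspects an attachment by magic numbers, opens it as a zip if it is one, and flags members that carry a PE header (MZ) or an executable extension, regardless of what the outer file is called. The sample archive is constructed in memory to mirror the "zip holding one EXE" shape described above; the member name and bytes are placeholders, not the real sample.

```python
import io
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".wsf"}
ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"


def inspect_attachment(filename, data):
    """Decide on the bytes, not on the filename the sender chose."""
    report = {"filename": filename, "is_zip": data.startswith(ZIP_MAGIC),
              "members": [], "reasons": []}
    if not report["is_zip"]:
        if data.startswith(PE_MAGIC):
            report["reasons"].append("bare PE executable")
    else:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as member_file:
                    head = member_file.read(2)
                lower = info.filename.lower()
                ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
                member = {"name": info.filename, "size": info.file_size,
                          "pe_header": head == PE_MAGIC,
                          "exec_ext": ext in EXECUTABLE_EXTS}
                report["members"].append(member)
                if member["pe_header"]:
                    report["reasons"].append(f"{info.filename}: PE header (MZ)")
                elif member["exec_ext"]:
                    report["reasons"].append(f"{info.filename}: executable extension")
                if member["exec_ext"] and lower.count(".") >= 2:
                    report["reasons"].append(f"{info.filename}: double extension")
    report["quarantine"] = bool(report["reasons"])
    return report


def build_sample():
    """Constructed stand-in for the 'check[1].zip' attachment: one EXE inside a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Fake PE stub: the MZ header followed by padding. Not a runnable program.
        zf.writestr("6d5770fd.exe", PE_MAGIC + b"\x90" * 1022)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_attachment("check[1].zip", build_sample()))
```

A mail gateway doing this for real also needs to recurse into nested archives, refuse password-protected zips it cannot open, and cap decompressed size so a zip bomb does not take the filter down.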

An example email:

From: bmack
Sent: Wednesday, 23 June 2015 12:28 AM
To: Michael
Subject: Hope this e-mail finds You well.

Good day!
Hope this e-mail finds You well.

Please be informed that we received the documents regarding the agreement No. 6489-245 dated from 3rd day of June.
However there are some forms missing.
We made the list of missing documents for Your ease (the list is attached below).
Please kindly check whether these forms are kept in your records.
In case you have any questions here are our contact details: 495-70-75. Feel free to give a call at any time.

Stacey Grimly,
Project Manager

If you see one of these, update your Antivirus. Delete the email. Don’t play with it.

Now, if you find something odd and your antivirus does not detect it, feel welcome to contact me. I will get it to Trend Micro, who will pull it apart. Once they have worked out how to detect and remove it, they share their info with other antivirus companies. At the end of the day, every one of these we knock out gets us one step closer to holding back the tide of these things.


Criminal law and IT in South Australia

Ever wondered what criminal law applies and what the laws actually are ?

CRIMINAL LAW CONSOLIDATION ACT 1935 – SECT 86B

86B—Interpretation

In this Part—

“computer data” includes data in any form in which it may be stored or processed in a computer (including a computer program or part of a computer program);

“electronic communication” means the communication of computer data between computers by means of an electronic communication network;

“electronic communication network” means devices and systems by which computer data is communicated between computers and includes—

            (a)         a link or network that operates wholly or partially by wireless communication; and

            (b)         the world wide web;

“impairment” of electronic communication includes prevention or delay but does not include interception if the interception does not impair, prevent or delay the reception, at the intended destination, of the computer data that is being communicated;

“modification” of computer data includes—

            (a)         deletion or removal of the data;

            (b)         an alteration of the data;

            (c)         an addition to the data;

“possession” of computer data includes possession of the medium or device in which the computer data is stored;

“serious computer offence” means an offence against section 86E, 86F, 86G or 86H;

“serious offence” means an offence for which a maximum penalty of life imprisonment or imprisonment for a term of at least 5 years is prescribed;

“use”—a person uses a computer if the person causes the computer to perform a function.

CRIMINAL LAW CONSOLIDATION ACT 1935 – SECT 86C

86C—Meaning of unauthorised access to or modification of computer data

        (1)         Access to, or modification of, computer data is unauthorised unless it is done or made by the owner of the data or some other person who has an authorisation or licence (express or implied) from the owner of the data to have access or to make the modification.

        (2)         A person is to be regarded as the owner of computer data if—

            (a)         the person brought the data into existence or stored the data in the computer for his or her own purposes; or

            (b)         the data was brought into existence or stored in the computer at the request or on behalf of that person; or

            (c)         the person has a proprietary interest in, or possessory rights over, the medium in which the computer data is stored entitling the person to determine what data is stored in the medium and in what form.

        (3)         For the purposes of an offence against this Part, the onus of establishing that access to, or modification of, computer data was unauthorised lies on the prosecution.

CRIMINAL LAW CONSOLIDATION ACT 1935 – SECT 86D

86D—Meaning of unauthorised impairment of electronic communication

        (1)         An impairment of electronic communication is unauthorised unless it is caused by the person who is entitled to control use of the relevant electronic communication network or some other person who has an authorisation or licence (express or implied) from the person who is entitled to control use of the relevant electronic communication network to cause the impairment.

        (2)         A person is to be regarded as being entitled to control use of the relevant electronic communication network if the person is entitled by law to determine who is to have access to the network for the purpose of sending or receiving electronic communications.

        (3)         For the purposes of an offence against this Part, the onus of establishing that an impairment of electronic communication was unauthorised lies on the prosecution.

 

CRIMINAL LAW CONSOLIDATION ACT 1935 – SECT 86E

86E—Use of computer with intention to commit, or facilitate the commission of, an offence

        (1)         A person who—

            (a)         uses a computer to cause (directly or indirectly)—

                  (i)         unauthorised access to or modification of computer data; or

                  (ii)         an unauthorised impairment of electronic communication; and

            (b)         knows that the access, modification or impairment is unauthorised; and

            (c)         intends, by that access, modification or impairment to commit, or to facilitate the commission (either by that person or someone else) of, a serious offence (the “principal offence”),

is guilty of an offence.

Maximum penalty: The maximum penalty for an attempt to commit the principal offence.

        (2)         An offence may be committed under this section—

            (a)         whether the principal offence was to be committed at the time the computer was used or later; and

            (b)         even though it would have been impossible in the circumstances to commit the principal offence.

        (3)         If the principal offence is in fact committed—

            (a)         this section does not prevent the person who used the computer from being convicted as a principal offender or as an accessory to the commission of the principal offence; but

            (b)         a person is not liable to be convicted of the principal offence (or as an accessory to the principal offence) and of an offence against this section.

        (4)         A person cannot be convicted of an attempt to commit an offence against this section.

CRIMINAL LAW CONSOLIDATION ACT 1935 – SECT 86F

86F—Use of computer to commit, or facilitate the commission of, an offence outside the State

        (1)         A person who—

            (a)         uses a computer in this State to cause (directly or indirectly)—

                  (i)         unauthorised access to or modification of computer data; or

                  (ii)         an unauthorised impairment of electronic communication; and

            (b)         knows that the access, modification or impairment is unauthorised; and

            (c)         intends, by that access, modification or impairment, to commit, or to facilitate the commission (either by that person or someone else) of, a prohibited act in another jurisdiction (the “relevant jurisdiction”),

is guilty of an offence.

Maximum penalty: The maximum penalty under the law of this State for an attempt to commit the prohibited act in this State.

        (2)         A “prohibited act” is an act that would—

            (a)         if committed with intent in the relevant jurisdiction, constitute an offence for which a maximum penalty of life imprisonment or imprisonment for a term of at least 5 years is prescribed; and

            (b)         if committed with intent in this State, constitute an offence for which a maximum penalty of life imprisonment or imprisonment for a term of at least 5 years is prescribed.

        (3)         A person may be convicted of an offence against this section—

            (a)         whether the prohibited act was to be committed at the time of the conduct to which the charge relates or later; and

            (b)         even though it would have been impossible in the circumstances to commit the prohibited act.

        (4)         A person cannot be convicted of an attempt to commit an offence against this section.

        (5)         In this section—

“act” includes an omission or state of affairs that is (if it occurred in this State) capable of constituting an element of an offence.

 

CRIMINAL LAW CONSOLIDATION ACT 1935 – SECT 86G

86G—Unauthorised modification of computer data

A person who—

            (a)         causes (directly or indirectly) an unauthorised modification of computer data; and

            (b)         knows that the modification is unauthorised; and

            (c)         intends, by that modification, to cause harm or inconvenience by impairing access to, or by impairing the reliability, security or operation of, computer data, or is reckless as to whether such harm or inconvenience will ensue,

is guilty of an offence.

Maximum penalty: Imprisonment for 10 years.

 

CRIMINAL LAW CONSOLIDATION ACT 1935 – SECT 86H

86H—Unauthorised impairment of electronic communication

A person who—

            (a)         causes (directly or indirectly) an unauthorised impairment of electronic communication; and

            (b)         knows that the impairment is unauthorised; and

            (c)         intends, by that impairment, to cause harm or inconvenience, or is reckless as to whether harm or inconvenience will ensue,

is guilty of an offence.

Maximum penalty: Imprisonment for 10 years.

 

 

CRIMINAL LAW CONSOLIDATION ACT 1935 – SECT 86I

86I—Possession of computer viruses etc with intent to commit serious computer offence

        (1)         A person is guilty of an offence if the person—

            (a)         produces, supplies or obtains proscribed data or a proscribed object; or

            (b)         is in possession or control of proscribed data or a proscribed object,

with the intention of committing, or facilitating the commission (either by that person or someone else) of, a serious computer offence.

Maximum penalty: Imprisonment for 3 years.

        (2)         In this section—

“proscribed data” means a computer virus or other computer data clearly designed or adapted to enable or facilitate the commission of a serious computer offence;

“proscribed object” means a document or other object clearly designed or adapted to enable or facilitate the commission of a serious computer offence.

Examples—

1         A disk, card or other data storage device containing a computer virus or other computer data adapted for the commission of a serious computer offence.

2         Instructions (whether in hard copy or electronic form) for carrying out a serious computer offence.

        (3)         If it is established in proceedings for an offence against this section that the defendant was in control of proscribed data, it is irrelevant—

            (a)         whether the data is stored inside or outside the State; or

            (b)         whether the defendant owned or was in possession of the medium or device in which the data was stored.

        (4)         A person may be convicted of an offence against this section even though it would have been impossible in the circumstances to commit the intended offence.

        (5)         A person cannot be convicted of an attempt to commit an offence against this section.

 

SUMMARY OFFENCES ACT 1953 – SECT 44

44—Unlawful operation of computer system

        (1)         A person who, without proper authorisation, operates a restricted-access computer system is guilty of an offence.

        (2)         The maximum penalty for an offence against subsection (1) is as follows:

            (a)         if the person who committed the offence did so with the intention of obtaining a benefit from, or causing a detriment to, another—$2 500 or imprisonment for 6 months;

            (b)         in any other case—$2 500.

        (3)         A computer system is a restricted-access computer system if—

            (a)         the use of a particular code of electronic impulses is necessary in order to obtain access to information stored in the system or operate the system in some other way; and

            (b)         the person who is entitled to control the use of the computer system has withheld knowledge of the code, or the means of producing it, from all other persons, or has taken steps to restrict knowledge of the code, or the means of producing it, to a particular authorised person or class of authorised persons.


Can a hacker really access my machine and see what I am doing ?

Short answer, yes.

The following is some text from the website http://www.blazingtools.com/bpk.html

I found this tool out there on someone’s server, logging everything. It was a good thing we came along and found and removed it.

Do you want to know what your buddy or co-workers are doing online? Or perhaps you want to check up on your children or spouse and know what they are doing on the computer? With Perfect Keylogger it is possible in just 2 minutes! This program runs on the installed computer, fully hidden from its users, and logs everything that is typed in a protected file. Install Perfect Keylogger and take total control of the PC!

Perfect Keylogger is a new generation keylogger which is virtually undetectable. It was created as an alternative to very expensive commercial products like Spector Keylogger or E-Blaster. It has similar functionality, but is significantly easier to use. Complex internal mechanisms are hidden from the user behind the friendly interface. You can install Keylogger and immediately use it without changing its settings.

Perfect Keylogger is a popular award-winning tool, translated into 20+ languages. It lets you record all keystrokes, the time they were made and the application where they were entered. It works in the absolutely stealth mode. Stealth mode means that no button or icon is present in the Task Bar, and no process title is visible in the Task Manager list.

Also, Perfect Keylogger can carry out visual surveillance. It periodically makes screenshots in invisible mode and stores the compressed images on the disk so you can review them later.

Our keylogger has unique remote installation feature. You can create a pre-configured package for instant and stealth installation on the target computer.

New Smart Rename feature lets you rename all keylogger’s executable files and registry entries using one keyword!

One of the most powerful features of Perfect Keylogger is its advanced Keyword Detection and Notification. Create a list of “on alert” words or phrases and keylogger will continually monitor keyboard typing, URLs and web pages for these words or phrases. You tell Perfect Keylogger which phrases to watch out for – for example, “sex,” “porno”, “where do you live,” “are your parents home,” “is your wife sleeping,” “I hate my boss” – whatever you decide to include. When a keyword is detected, Perfect Keylogger makes a screenshot and immediately sends an email notification to you.

Perfect Keylogger was the first keylogging software solution which can be absolutely invisible in Windows 7/Vista/XP Task Manager! Now we are glad to offer the full Windows 64 bit support – you won’t find it in most of competition products.

The program lets you easily view the log file, displaying the title of the window (for example, title: “John (Online) – Message Session” in ICQ), the date and time of the action and the contents of the typed matter itself.

Unlike some other spy software products, Perfect Keylogger does not send any information to our company. Only you will receive the log files. We guarantee absolute privacy, high quality product and technical support – that’s why we have thousands of satisfied customers.

You pay once, all updates are free. For example, customers, who bought the first version in 2002, now can get the advanced latest version for free! You can be sure that you will always have the most modern spy software!

We have to tell you that such software is very complex and only 2-3 products on the market, including this, are of good enough quality to use effectively. Do not use cheap or free monitoring software! You can get important data leaks or system crashes! We can guarantee your system safety with our product.

Perfect Keylogger is available in three editions: full version, full version remote edition and basic edition. Choose the functionality you need.
