Archive for category Security

Should I tell someone about eCrime ??? YES !!!!

I know that I am in Australia and my experience might not reflect other countries, but I say yes. If you have had an eCrime committed against you (not your general virus or malware) then REPORT IT!!!

The more you report, the more the problem is taken notice of, the more investigation happens.

My post today to Facebook

A win for the good guys.

We had a business client scammed out of a large amount of money through an email.
We pursued it. We recommended and assisted in filling in the eCrime report.
We pushed it along. The police told the client, nothing will come of this. The client also felt that they were banging their head against a wall.
Well, today they receive notification that the money is about to be transferred back.
We helped chase the criminal through the Czech Republic and into Spain.
Now, the person is cornered and my client has been offered a chance to be there in court and be a part of the process.

Reporting eCrime is the smart choice ! Things can happen !!!


New Encryption Virus: Ransomware : CryptoWall v 4.0

WARNING: New very dangerous virus that can cripple your business
Summary of things to do:

  • Don’t open attachments in emails you are not expecting (at work and home)
  • Pass this warning on to others, teach them the same practices you follow.
  • Do not visit websites you do not know or trust
  • Do not trust Word (Doc), Adobe (PDF) and other email attachment files
  • Do not forward unusual emails onto other staff members
  • Do not ignore weird popups or things that are running slow or behaving a little “strange”
  • If you start finding files on your system come up as “Corrupt”, call your IT!
  • If you start seeing files on your own machine, that are having their names changed or can no longer be opened, unplug your machine from the network immediately and call your IT
  • Make sure you have a backup that is removed from your network daily. It must be powered down and not plugged in. (Dropbox, SkyDrive and the like do not count)
  • Ask your IT to block .JS, .CHM, .EXE and other known attack files from coming in via email (if you have this feature available).


A new ransomware dubbed “CryptoWall 4.0” has been found.
This new virus circumvents current antivirus and has new features such as encrypted file names.
CryptoWall continues to use the same e-mail and website distribution methods as previous versions. The samples we analysed were pretending to be a resume inside a zipped e-mail attachment.
These resumes, though, were actually JavaScript (.JS) files that, when executed, would download an executable, save it to a temporary folder, and then execute it.
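A mail-gateway check for the advice in the list above (block .JS, .CHM and .EXE, and look inside zipped attachments for the kind of “resume” this campaign used), written as an added example rather than code from the post. The extensions beyond the three the post names, the archive nesting limit and the sample ZIP are assumptions constructed for this example.

```python
import io
import os
import zipfile

# Types the post asks IT to block at the mail gateway (.JS, .CHM, .EXE).
# The rest of this set is an assumption added for this example, not from the post.
BLOCKED_EXTENSIONS = {".js", ".chm", ".exe", ".jse", ".vbs", ".wsf", ".scr", ".bat", ".cmd"}
MAX_NESTING = 2  # how many archive levels to look inside (assumed policy)


def final_extension(name: str) -> str:
    """Lowercased final suffix of a file name, so 'resume.pdf.js' gives '.js'."""
    base = os.path.basename(name.replace("\\", "/"))
    return os.path.splitext(base)[1].lower()


def inspect_attachment(filename: str, data: bytes, depth: int = 0) -> dict:
    """Decide whether one attachment should be blocked.

    Checks the attachment's own name, then, if it is a ZIP, every member inside it
    (recursing into nested ZIPs up to MAX_NESTING). Encrypted members cannot be
    inspected, so they are reported as a reason to block too.
    Returns {"blocked": bool, "reasons": [str, ...]}.
    """
    reasons = []
    ext = final_extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"{filename}: blocked type {ext}")

    # Trust the bytes, not the name: a ZIP starts with the 'PK\x03\x04' local header.
    if ext == ".zip" or data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1:  # general-purpose bit 0 = member is encrypted
                        reasons.append(f"{filename}: encrypted member {info.filename} cannot be inspected")
                        continue
                    member_ext = final_extension(info.filename)
                    if member_ext in BLOCKED_EXTENSIONS:
                        reasons.append(f"{filename} contains {info.filename}: blocked type {member_ext}")
                    elif member_ext == ".zip" and depth < MAX_NESTING:
                        inner = inspect_attachment(info.filename, zf.read(info), depth + 1)
                        reasons.extend(f"{filename} -> {r}" for r in inner["reasons"])
        except zipfile.BadZipFile:
            reasons.append(f"{filename}: looks like a ZIP but cannot be read")
    return {"blocked": bool(reasons), "reasons": reasons}


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Construct a small in-memory ZIP for testing (sample data, not a real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Mirrors the post: a "resume" that is really a .js inside a zipped attachment.
    sample = build_sample_zip("resume.js", b"// constructed placeholder, not malware")
    print(inspect_attachment("resume.zip", sample))
```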

CryptoWall 4.0 continues to utilize the same Decrypt Service site as previous versions. From this site a victim can make payments, find out the status of a payment, get one free decryption, and create support requests.

We have passed along a sample of this virus to Antivirus companies and they are working towards a solution.

This virus was first reported on the Bleeping Computer forums.
For those that want more technical detail:
When installed, CryptoWall 4.0 will inject itself into Explorer.exe and disable System Restore, delete all Shadow Volume Copies, and use bcdedit to turn off Windows Startup Repair.
It will then inject itself into svchost.exe and encrypt the data on all local drives, removable drives, and mapped network drives.
Once it has completed encrypting your files it will launch the ransom notes that explain what happened and how to purchase the decrypter.

The more people you pass this blog to, the more you can help stamp out these types of threats. Reducing the likelihood of this virus being triggered reduces the virus writers’ payday.

Cryptowall 3.0

I have had a brush with Cryptowall 3.0.

Imagine this: visiting a website in your latest favourite browser (any browser: Google Chrome, IE, Firefox, any one of them) with a PC which has the latest version of everything (Adobe Flash, Java etc.) and up-to-date antivirus, but you get hacked within 5 seconds.

No popups, no request to “allow this to download” or “allow this to run”. It just downloads and runs. You don’t feel it. The machine runs normally. (It even bypassed Microsoft UAC.)

Then … 28 PCs on your network, your Dropbox, your server, your NAS backup drives, your interstate user connecting over VPN from a university … are all encrypted and held for ransom.

The website you visited was one you trust implicitly and buy goods from. You had no reason to doubt the website. Nothing strange pops up …. until the damage is done.

You call the company the website belongs to; they know nothing about it and pass you to their web developers. The web developers know nothing of this issue. They look further. All of their clients’ websites on their servers have been hacked. They take the servers offline.

Potentially thousands of people from around where you live use this service, surfing local websites for local businesses all now being held to ransom.

It could happen to anyone. It could happen to you or me.

It sounds like a work of fiction. Maybe an episode of CSI or NCIS? Nope. That is what happened.

So how did this website attack this person?

We found a back door in the WordPress code that ran the website, over the internet to Russia. This back door was used to gain access to the website and then the code was modified to plant the malware onto visiting remote machines.

When figuring out how the website initially got hacked, I learnt that there are specific strings you can type into Google search.

This search shows you a list of every website where a certain file is accessible, the file that was likely used to enable this hack.

A hacker can click on this file and download it. They open the file in something like Notepad …. There is the username and password to the website as a “hash”. They crack the “hash”, log into the website and edit the code to include the nasty back door to Russia.

So, using Google … and Notepad … and a website for the back door to point to, you can hack a large number of websites, inject this code, then let people browse the website and get infected without any indication of how they got infected.

The file size of the website changes very little and you can reset the file date back to an older date. The webmaster does not know they are infecting people and it goes on for several days. All their backups are now full of the malware.

Then the hacker sits back and earns millions of dollars a day in ransom money.

It scares me that malicious code can be put on your PC and run, and you have no idea. It scares me that you can perform the original hack of the website using Google.

So, trying the Google trick myself, I found the passwords to a hospital website and their member logon database.

Very scary. (I will let the hospital know).

We found the original malicious code and set it up on our Malware testing machine.

We set up Wireshark and Sysinternals Process Monitor to monitor what it does. We disconnected the internet and ran the virus. Nothing happened. Double-clicking changed the mouse cursor, but then nothing.

After watching for a while, We connected the internet. Now the virus wakes up. It needed the internet to activate.

We double-click the file and it deletes itself. It appears in C:\XXXXX where xxxxxx is the random name of the EXE file. Then it copies itself into the Startup section of the user’s profile Start Menu. It then looks out over the internet at numerous internet domains, hands over a cipher (encryption key) and starts encrypting files.

I had placed some bait in a folder called C:\$fodder (some Microsoft Word and Excel files). This virus went alphabetically through my drive letters and folders and encrypted all my useful files, leaving behind help_decrypt.html and help_decrypt.txt files in every folder, on the desktop and in my profile Startup Start Menu folder, and then deleted the virus executable when done.
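The bait-folder idea above can be turned into a small canary monitor: take a hash baseline of the decoy files, then alert when one goes missing or is renamed, changes contents, or a help_decrypt note appears beside it. This is an added example, not the post’s tooling; the decoy file names, the temporary bait directory and the simulated tampering in demo() are constructed assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Ransom-note file names the post saw dropped into every folder.
RANSOM_NOTES = {"help_decrypt.html", "help_decrypt.txt"}


def snapshot(bait_dir) -> dict:
    """Map every regular file under bait_dir (relative path) to its SHA-256."""
    root = Path(bait_dir)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def plant_bait(bait_dir) -> dict:
    """Create a few decoy files (constructed content, not real documents) and
    return the baseline snapshot to compare against later."""
    root = Path(bait_dir)
    root.mkdir(parents=True, exist_ok=True)
    for name in ("budget.xlsx", "contract.docx", "notes.txt"):  # assumed decoy names
        (root / name).write_bytes(b"bait file: " + name.encode())
    return snapshot(root)


def check_bait(bait_dir, baseline: dict) -> list:
    """Compare the bait folder against its baseline.

    Returns alert strings for any bait file that vanished (renamed or deleted),
    changed contents (encrypted in place), a ransom note, or any other new file.
    An empty list means nothing has touched the bait.
    """
    current = snapshot(bait_dir)
    alerts = []
    for rel, digest in baseline.items():
        if rel not in current:
            alerts.append(f"bait file missing or renamed: {rel}")
        elif current[rel] != digest:
            alerts.append(f"bait file contents changed (possible encryption): {rel}")
    for rel in current:
        if os.path.basename(rel).lower() in RANSOM_NOTES:
            alerts.append(f"ransom note dropped: {rel}")
        elif rel not in baseline:
            alerts.append(f"unexpected new file in bait folder: {rel}")
    return alerts


def demo():
    """Plant bait in a temporary folder, then mimic what the post observed
    (a bait file renamed and a ransom note dropped) with plain file operations.
    Returns (alerts_before, alerts_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = plant_bait(tmp)
        before = check_bait(tmp, baseline)
        root = Path(tmp)
        (root / "budget.xlsx").rename(root / "budget.xlsx.encrypted")
        (root / "help_decrypt.txt").write_text("constructed placeholder note")
        after = check_bait(tmp, baseline)
    return before, after


if __name__ == "__main__":
    for alert in demo()[1]:
        print("ALERT:", alert)
```

Run check_bait() on a schedule against a real bait folder; any alert is the cue the post gives to pull the network cable and call IT.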

I am encrypted and held for ransom 🙂

Technical details are at http://torblogjp5rjeyhx.onion/mickyj/cryptowall-3-0/

(Yes, it is on Tor. Only advanced computer users will know what to do to get to Tor, and on the Tor network I can post more details.)


Think before you click

Are you worried someone is going to steal your passwords? Your details? Your money? Your privacy? Your confidential company secrets? Your employer’s business? Your livelihood?

You have good reason to worry. Malicious people out there are trying to steal these very things and more, both indirectly and directly. Everyone is a target. They don’t care who you are; they want your assets, or want to leverage you to get to someone else’s assets. They want to trick you, rip you off and make your life a misery. After all, they can make good money wrecking your life.

We as IT people help you to select antivirus and firewalls and implement security. Unfortunately, you are still the weakest link in the security chain.

So, what rules can help keep you safe?

Think before you click. Stop the click. Avoid the click. Just think a few more seconds before you push that mouse button.

When you are on the internet, in your email, or receive a USB drive from an unknown source or a friend’s external hard disk full of movies, don’t click on suspicious things!

Just in case the little voice in your head has not learnt how to warn you about suspicious things, here are our rules.

It’s Free!

If something proclaims it is free, it likely is not. Stop and think: how are they making money? How are they staying in business? How do they get funding? Can you trust their software? Can you trust their ethics?

Emails claiming you have gained access to something for free, and web popups offering free items or free software, can often lead you into a painful mess. If you have not paid for it, then I hope you researched it thoroughly before you jumped into it.

It is often said that if the product is free, you are the product. It turns out that you’re also the lab rat.

If you can’t afford something, don’t go looking for free solutions on the internet. Often you will end up being caught out. Be very careful.

You Won!

If you won something, did you enter to win? Did you really enter that lottery? Are you really the millionth visitor to a website? Can you really make money entering this scheme?

If you click now, do you really get an iPad? If you download this new toolbar, will it make your life better?

Chances are, no. You did not enter these things, nor have you won anything. Dismiss that email, that internet popup or that popup from your program. It is after you.

Panic and click now!

That email you received about illegal activity occurring on your bank account, an accidental bank fee overcharge, your suspended account, an unexpected tax return, an urgent court appearance, an invoice you have overdue, a post item you have been waiting for, a shipping notice for a surprise parcel … all have urgency. All want you to click.

Don’t believe it. Don’t follow any link in the email. Don’t open the attachments. Don’t run anything, and don’t give it your passwords.

No matter how realistic and correct the logos are, or how accurate their data is, treat it with scepticism. The senders spend ages trying to make their messages seem authentic.

Think to yourself: do I actually have an account with these guys? Have I opted for email invoices from them? Do I have a parcel on the way?

If you answer yes, then manually go to a browser, type in their web address as you know it (not from the email), change your passwords online, download your invoice and complete your business on your own terms.

Often when you hover over the links in the email or on a webpage, you will see they take you somewhere other than where they are meant to.

Always manually go to a website to log on or change details; never follow an email link.

Missed messages

You have an email about a missed Facebook, Google, phone, mobile or fax message. Attached is the message. Don’t open it. Sign into these services and check your messages. Don’t use links in the email or look at the attachments. Think: do you actually use these services? Can your mobile send you an email if you miss a message?

Awesome job offer

You have an email about a job opportunity. You happen to be looking for a job, so you click the email, right? Wrong. At best this is a random email sent to you coincidentally, and you will get a job that is not legal, is looking to exploit you, or maybe you will not get paid. At worst this thing is going to hack you. Unless you have signed up for job alerts and get emails as expected, don’t open these things.

Safe in web mail

You have a suspect email, but it is in your web email, so you are safe to open the attachment as it will not affect your PC. Wrong. It will get you and your PC.

Save money on downloads

Your son/daughter has found a way to download music and movies for free. They can also get you free software like the latest Microsoft Office. You get it from them as you trust them. Whoops.

You have stepped into a trust network which contains people who likely know little about how vulnerable they are. Most of these things are pirated. Many of the tools and websites that support these downloads will hack you and give you additional things inside your download that you don’t expect.

Image files, video files and even PDF files can contain viruses. Remember, free is not always free. We make a lot of money cleaning up people’s computers after they have downloaded a free “something”.

You’re Protected

You have antivirus and a firewall. You are safe! No, you are not really. There are thousands of new viruses and malware detected per hour. If your systems are only a few hours behind, then there are thousands of nasties you can’t be protected from. If you choose to download something and force it to download, many times you can override your protections or work beyond the system, making you vulnerable. At best, you are safer and have good odds.

You will often get website popups offering you special prices or free things. When you click them, you will likely get more popups and you may end up downloading all kinds of things. If you get a popup and push the cancel button to make it go away, you think you are safe? No, you are not! The website programmers control everything on the popup. They control the install button and the cancel button. Why can’t they make the install button install the software as normal, and make the cancel button install something else without telling you? Of course they can. Your best option is to click the cross in the top right-hand corner and close the popup completely.

You have these cool toolbars in Internet Explorer that make your life easier. Sure, except many of them track your movements, download other tools and slow your browser down. Remove the toolbars and don’t accept them.

Unexpected presents

You downloaded a program and afterwards you have toolbars, new icons on the desktop and your machine runs slow. Nothing like you expected. Often many “free” tools include other “free” tools. Many of these are malware. Read carefully the terms of the product you are installing. If the terms for your product “xxx” refer to a different product “yyy”, then chances are there is something else bundled into the installation. I have seen many products where you need to carefully read the terms and click decline or cancel many times to get past the “bundled” software to get to the final product you really want. Often you need to untick boxes during the install to get a clean install.

Often during the install you will spot a name or logo of one of the program’s “partner products”. It might ask “Do you want to install?”, and you say No. Then another product comes up and it says “Would you like to skip this offer?”, and as you previously said no, you don’t fully read what is on the screen and instinctively press No. Guess what: it installs it. You selected No, you don’t want to skip the product. It did as it was told. Be careful of the play on words that can occur during these installs.

Updating tools like Java or Adobe (as examples) can now offer you extra toolbars like the Ask toolbar and the like. You need to be careful, as accepting these things not only slows your machine down, it bolts sometimes badly written toolbar code into Internet Explorer (so it causes crashes) and can change your default search page and home web page.

Solving your own IT problems

Many people get tricked into downloading driver update tools, PC fix-up tools or registry repair tools. They usually don’t help. These can be dangerous, bog your machine down and download other items.

Known types of attachments are safe

Many email attachments look like harmless PDF files but are not. It is easy to change the icon you see and choose one that you associate with safety. A malicious item can have a “safe” icon. This is further complicated as there are exploits that allow real PDF and JPEG files to carry viruses and malware. Simply be sceptical of any files you download or receive as attachments.

There are many other tricks we use to avoid these nasties. This short list will get you thinking. Using this list you can avoid some of the bigger nasties like Cryptolocker and Cryptowall.

Think before you click!



Can a hacker really access my machine and see what I am doing ?

Short answer, yes.

The following is some text from the tool’s website:

I found this tool out there on someone’s server, logging everything. It was a good thing we came along and found and removed it.

Do you want to know what your buddy or co-workers are doing online? Or perhaps you want to check up on your children or spouse and know what they are doing on the computer? With Perfect Keylogger it is possible in just 2 minutes! This program runs on the installed computer, fully hidden from its users, and logs everything that is typed in a protected file. Install Perfect Keylogger and take total control of the PC!

Perfect Keylogger is a new generation keylogger which is virtually undetectable. It was created as an alternative to very expensive commercial products like Spector Keylogger or E-Blaster. It has similar functionality, but is significantly easier to use. Complex internal mechanisms are hidden from the user behind the friendly interface. You can install Keylogger and immediately use it without changing its settings.

Perfect Keylogger is a popular award-winning tool, translated into 20+ languages. It lets you record all keystrokes, the time they were made and the application where they were entered. It works in the absolutely stealth mode. Stealth mode means that no button or icon is present in the Task Bar, and no process title is visible in the Task Manager list.

Also, Perfect Keylogger can carry out visual surveillance. It periodically makes screenshots in invisible mode and stores the compressed images on the disk so you can review them later.

Our keylogger has a unique remote installation feature. You can create a pre-configured package for instant and stealth installation on the target computer.

The new Smart Rename feature lets you rename all the keylogger’s executable files and registry entries using one keyword!

One of the most powerful features of Perfect Keylogger is its advanced Keyword Detection and Notification. Create a list of “on alert” words or phrases and the keylogger will continually monitor keyboard typing, URLs and web pages for these words or phrases. You tell Perfect Keylogger which phrases to watch out for – for example, “sex,” “porno”, “where do you live,” “are your parents home,” “is your wife sleeping,” “I hate my boss” – whatever you decide to include. When a keyword is detected, Perfect Keylogger makes a screenshot and immediately sends an email notification to you.

Perfect Keylogger was the first keylogging software solution which can be absolutely invisible in the Windows 7/Vista/XP Task Manager! Now we are glad to offer full Windows 64-bit support – you won’t find it in most competing products.

The program lets you easily view the log file, displaying the title of the window (for example, title: “John (Online) – Message Session” in ICQ), the date and time of the action and the contents of the typed matter itself.

Unlike some other spy software products, Perfect Keylogger does not send any information to our company. Only you will receive the log files. We guarantee absolute privacy, high quality product and technical support – that’s why we have thousands of satisfied customers.

You pay once, and all updates are free. For example, customers who bought the first version in 2002 can now get the latest advanced version for free! You can be sure that you will always have the most modern spy software!

We have to tell you that such software is very complex, and only 2-3 products on the market, including this one, are of good enough quality to be used effectively. Do not use cheap or free monitoring software! You can get important data leaks or system crashes! We can guarantee your system safety with our product.

Perfect Keylogger is available in three editions: full version, full version remote edition and basic edition. Choose the functionality you need.


You think someone is trying to hack you but you can’t be sure what all these logins are?

If you have additional account auditing turned on, your server Eventlogs can contain a wealth of information.

For example, Event IDs 528 and 540 signify a successful logon, Event ID 538 a logoff, and all the other events in this category identify different reasons for a logon failure.

However, just knowing about a successful or failed logon attempt doesn’t fill in the whole picture. Because of all the services Windows offers, there are many different ways you can log on to a computer, such as interactively at the computer’s local keyboard and screen, over the network through a drive mapping, through Terminal Services (aka Remote Desktop) or through IIS.

Thankfully, logon/logoff events specify the Logon Type code, which reveals the type of logon that prompted the event.

Event Type:        Success Audit
Event Source:    Security
Event Category:                Logon/Logoff
Event ID:              540
Date:                     16/07/2011
Time:                     04:25:08
User:                     test\user
Computer:          SERVER
Successful Network Logon:
               User Name:        user
               Domain:                               test
               Logon ID:                             (0x0,0x23B0C8DE)
               Logon Type:       3
               Logon Process:  Kerberos
               Authentication Package:               Kerberos
               Workstation Name:      
               Logon GUID:      {5522f527-584a-acf0-bce5-8f84029452f8}
               Caller User Name:           –
               Caller Domain:   –
               Caller Logon ID: –
               Caller Process ID: –
               Transited Services: –
               Source Network Address:  
               Source Port:       0

Event Type:        Failure Audit
Event Source:    Security
Event Category:                Logon/Logoff
Event ID:              531
Date:                     16/07/2011
Time:                     04:15:52
User:                     NT AUTHORITY\SYSTEM
Computer:          SERVER
Logon Failure:
               Reason:                                Account currently disabled
               User Name:        user
               Domain:                               test
               Logon Type:       10
               Logon Process:  User32
                Authentication Package:               Negotiate
               Workstation Name:        SERVER
               Caller User Name:           SERVER$
               Caller Domain:  test
               Caller Logon ID: (0x0,0x3E7)
               Caller Process ID:             4376
               Transited Services:          –
               Source Network Address:  
               Source Port:       1053

The source port is useless on its own … it is the random port at their end. What matters at this end is what they are using to access the server, and on which port.

Logon Type 2 – Interactive

This is what occurs to you first when you think of logons: a logon at the console of a computer. You’ll see type 2 logons when a user attempts to log on at the local keyboard and screen, whether with a domain account or a local account from the computer’s local SAM. To tell the difference between an attempt to log on with a local or domain account, look for the domain or computer name preceding the user name in the event’s description. Don’t forget that logons through a KVM-over-IP component or a server’s proprietary “lights-out” (iLO) remote KVM feature are still interactive logons from the standpoint of Windows and will be logged as such.


Logon Type 3 – Network

Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. But other over-the-network logons are classed as logon type 3 as well such as most logons to IIS. (The exception is basic authentication which is explained in Logon Type 8 below.) This can include email relay.


Logon Type 4 – Batch

When Windows executes a scheduled task, the Scheduled Task service first creates a new logon session for the task so that it can run under the authority of the user account specified when the task was created. When this logon attempt occurs, Windows logs it as logon type 4. Other job scheduling systems, depending on their design, may also generate logon events with logon type 4 when starting jobs. Logon type 4 events are usually just innocent scheduled task startups, but a malicious user could try to subvert security by trying to guess the password of an account through scheduled tasks. Such attempts would generate a logon failure event where the logon type is 4. But logon failures associated with scheduled tasks can also result from an administrator entering the wrong password for the account at the time of task creation, or from the password of an account being changed without modifying the scheduled task to use the new password.


Logon Type 5 – Service

Similar to Scheduled Tasks, each service is configured to run as a specified user account. When a service starts, Windows first creates a logon session for the specified user account which results in a Logon/Logoff event with logon type 5. Failed logon events with logon type 5 usually indicate the password of an account has been changed without updating the service but there’s always the possibility of malicious users at work too. However this is less likely because creating a new service or editing an existing service by default requires membership in Administrators or Server Operators and such a user, if malicious, will likely already have enough authority to perpetrate his desired goal.


Logon Type 7 – Unlock

Hopefully the workstations on our clients’ networks automatically start a password-protected screen saver when a user leaves their computer, so that unattended workstations are protected from malicious use. When a user returns to their workstation and unlocks the console, Windows treats this as a logon and logs the appropriate Logon/Logoff event, but in this case the logon type will be 7, identifying the event as a workstation unlock attempt. Failed logons with logon type 7 indicate either a user entering the wrong password or a malicious user trying to unlock the computer by guessing the password.


Logon Type 8 – NetworkCleartext

This logon type indicates a network logon like logon type 3, but where the password was sent over the network in clear text. Windows Server doesn’t allow connections to shared files or printers with clear-text authentication. The only situations I’m aware of are logons from within an ASP script using ADVAPI, or when a user logs on to IIS using IIS’s basic authentication mode. In both cases the logon process in the event’s description will list advapi. Basic authentication is only dangerous if it isn’t wrapped inside an SSL session (i.e. https). As for logons generated by an ASP script, remember that embedding passwords in source code is a bad practice for maintenance purposes, as well as for the risk that someone malicious will view the source code and thereby gain the password.

I have seen this also occur when Trend Micro Proxy information is set incorrectly and it tries to do a pattern update.


Logon Type 9 – NewCredentials

If you use the RunAs command to start a program under a different user account and specify the /netonly switch, Windows records a logon/logoff event with logon type 9. When you start a program with RunAs using /netonly, the program executes on your local computer as the user you are currently logged on as but for any connections to other computers on the network, Windows connects you to those computers using the account specified on the RunAs command. Without /netonly Windows runs the program on the local computer and on the network as the specified user and records the logon event with logon type 2.


Logon Type 10 – RemoteInteractive (RDP)

When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows logs the logon attempt with logon type 10, which makes it easy to distinguish true console logons from a remote desktop session. Note however that prior to XP, Windows 2000 doesn’t use logon type 10, and terminal services logons are reported as logon type 2.


Logon Type 11 – CachedInteractive

Windows supports a feature called Cached Logons which facilitates mobile users. When you are not connected to your organization’s network and attempt to log on to your laptop with a domain account, there’s no domain controller available to the laptop with which to verify your identity. To solve this problem, Windows caches a hash of the credentials of the last 10 interactive domain logons. Later, when no domain controller is available, Windows uses these hashes to verify your identity when you attempt to log on with a domain account.


Of course, this only helps if you have auditing turned on and pumping data into your Security Event Log.
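To turn the logon types above into an answer to “what are all these logins?”, here is an added Python example (not part of the original post) that parses Security events pasted in the “Key: value” layout shown earlier, maps Logon Type to the names above, and counts failures per account and source address. The third sample event and its 10.0.0.5 address are constructed; Event ID 529 is the standard “unknown user name or bad password” failure.

```python
import re
from collections import Counter

# Logon type codes as the post describes them; 528/540 = success, 538 = logoff.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive (RDP)", 11: "CachedInteractive"}
SUCCESS_IDS, LOGOFF_IDS = {528, 540}, {538}

# The two events quoted in the post (trimmed to the fields used here) plus one
# constructed failure carrying a source address, in the "Key: value" layout that
# Event Viewer pastes out. 10.0.0.5 is a made-up address.
SAMPLE_LOG = """\
Event Type: Success Audit
Event ID: 540
Successful Network Logon:
    User Name: user
    Domain: test
    Logon Type: 3
    Source Network Address:

Event Type: Failure Audit
Event ID: 531
Logon Failure:
    Reason: Account currently disabled
    User Name: user
    Domain: test
    Logon Type: 10
    Source Network Address:

Event Type: Failure Audit
Event ID: 529
Logon Failure:
    Reason: Unknown user name or bad password
    User Name: user
    Domain: test
    Logon Type: 10
    Source Network Address: 10.0.0.5
"""

def parse_events(text: str) -> list:
    """Split pasted event text on blank lines; turn each 'Key: value' line into a dict
    entry (keys lowercased), so header fields and indented sub-fields share one dict."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip().lower()] = value.strip()
        if "event id" in fields:
            events.append(fields)
    return events

def classify(event: dict) -> dict:
    """Reduce one event to outcome, logon type, account, source address and reason."""
    eid = int(event["event id"])
    ltype = int(event.get("logon type") or 0)
    outcome = "success" if eid in SUCCESS_IDS else "logoff" if eid in LOGOFF_IDS else "failure"
    return {"outcome": outcome,
            "logon_type": ltype,
            "logon_type_name": LOGON_TYPES.get(ltype, "unknown"),
            "account": f"{event.get('domain', '')}\\{event.get('user name', '')}",
            "source": event.get("source network address") or "(none)",
            "reason": event.get("reason", "")}

def summarise(text: str) -> Counter:
    """Count events by (outcome, logon type name, account, source) so a run of failed
    RDP (type 10) logons against one account from one address stands out."""
    counts = Counter()
    for ev in parse_events(text):
        c = classify(ev)
        counts[(c["outcome"], c["logon_type_name"], c["account"], c["source"])] += 1
    return counts

def concerns(text: str) -> list:
    """Events worth a second look: every failure (with its reason) and any type 8
    logon, where the post notes the password crossed the network in clear text."""
    notes = []
    for ev in parse_events(text):
        c = classify(ev)
        if c["outcome"] == "failure":
            notes.append(f"failed {c['logon_type_name']} logon for {c['account']} "
                         f"from {c['source']}: {c['reason']}")
        if c["logon_type"] == 8:
            notes.append(f"clear-text network logon for {c['account']} from {c['source']}")
    return notes
```

Paste a longer stretch of events in place of SAMPLE_LOG and print summarise() and concerns() to see which logon types and source addresses dominate.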