‘Hey Microsoft just called me’

Uhmm.. no they didn’t.  First off, Microsoft isn’t going to call you, and neither will any other software company (try phoning their tech support and see how long it takes, then imagine them phoning people proactively to solve problems).

The solution:  Don’t get rattled and don’t trust anyone (not webpages or people you don’t know).

This applies to those pop-up webpages you can’t close (often with loud messages playing): “Call this number, you are infected, owing taxes, under arrest, guilty of piracy, being investigated for terrorism.”  You often see the terms FBI, RCMP, CIA, CRA and other scary federal agency letters, seals and the like.  Just as often you see spelling mistakes and poorly phrased English.

Here’s a quick list of things to watch for in the ‘Tech Support Phone Scam’; I’ll cover the ‘Webpage scam’ further down:

  • Clue #1: THEY called YOU
  • Clue #2: The Caller ID says ‘Microsoft’, ‘Tech Support’, or something techie sounding
  • Clue #3: They have a thick foreign accent and some ‘normal’ sounding name
  • Clue #4: They claim your computer is doing ‘something’ (spam, virus, hacking)
  • Clue #5: They ask you to open the Windows Event Log Viewer
  • Clue #6: They ask you to go to a Website and install a Tool (Ammyy, TeamViewer, LogMeIn Rescue, and GoToMyPC)

As long as you don’t let them in (via the remote control programs) they can’t do anything but swear at you.  If you do let them in they’ll likely run SYSKEY, and now you have to pay a ransom to get your files back: a couple hundred to a few thousand dollars, with no guarantee you get your files back.

The annoying WebPage with plenty of threats and you can’t close it:

  • Clue #1: You can’t close the page
  • Clue #2: It’s usually playing some loud recorded voice telling you how you are in serious trouble (virus, taxes, police, etc.)
  • Clue #3: You have a convenient phone number to call to get this all fixed ASAP

If you call, you are now in the ‘Tech Support Phone Scam’ at Clue #3, and they will quickly need you to allow them remote access (Clue #6).  To get rid of the page you can reboot, or in your Taskbar (that bar along the bottom, usually) RIGHT click on your browser and select ‘Close All’.

Variations of these scams include:

  • A relative needs money for bail in some foreign country; usually they got this information from your relative’s Facebook page.
  • CRA/IRS is coming to take your house (foreclose), sometimes they want you to send Bitcoins (digital currency) to some address.
  • Some crazy distant relative left you a pile of money, but you need to pay for the ‘processing’ so they can mail you some massive cheque from Namibia or somewhere.

If you want to help stop these people, tell others, and especially our less digitally knowledgeable relatives (usually older and retired).  If you really want to help, perhaps take a few lessons from 419 Eater (a site that helps fight back).

‘BadTunnel’ a gateway to hell

Microsoft has a bounty program, which pays if you find a bug and explain why it’s a bug (or exploit).  They pay up to $50,000 USD for the information.  Yang Yu, founder of Tencent’s Xuanwu Lab, has made successful bounty claims before, but this one is a whopper.  It affects every version of Windows back to Windows 95 (and no patches are coming for those old OSes either).

The flaw, which he’s called BadTunnel, exposes local area networks to cross-network NetBIOS Name Service spoofing. An attacker can remotely attack a firewall- or NAT-protected LAN and steal network traffic or spoof a network print or file server.

“In combination with other system mechanisms, it can hijack the network traffic, and even run any program,” Yang said.  The flaw was addressed recently by Microsoft in security bulletin MS16-077 and in CVE-2016-3213.

“To successfully implement a BadTunnel attack, [you] just need the victim to open a URL (with Internet Explorer or Edge), or open a file (an Office document), or plug in a USB memory stick,” Yang said. “[You] even may not need the victim to do anything when the victim is a web server.”

The key is the apparent predictability of a NetBIOS Name Service transaction ID, which an attacker can abuse by getting the victim to visit a URL hosting an exploit or open a malicious document. The victim’s machine will trust the attacker, who will then be able to hijack traffic or force the victim to visit malicious sites.

Windows admins are advised to patch at once, or block UDP port 137.
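As an added example (not from the original post), here is the “block UDP port 137” advice as Windows Firewall rules, with a check that the rules actually landed. It assumes Windows 8 / Server 2012 or later (the NetSecurity cmdlets) and an elevated prompt; the rule names are my own.

```powershell
# Added example, not from the original post: block NetBIOS Name Service (UDP 137)
# with Windows Firewall and verify the rules. Assumes Windows 8 / Server 2012 or
# later (NetSecurity module) and an elevated PowerShell; rule names are assumptions.
function Block-NetBiosNameService {
    param([string]$RulePrefix = 'Block NBNS UDP 137 (BadTunnel)')   # assumption: any name works

    # Inbound: NBNS replies arrive on local port 137. Outbound: queries go to remote port 137.
    $rules = @(
        @{ Direction = 'Inbound';  Port = @{ LocalPort  = 137 } },
        @{ Direction = 'Outbound'; Port = @{ RemotePort = 137 } }
    )
    foreach ($r in $rules) {
        $name  = "$RulePrefix - $($r.Direction)"
        $ports = $r.Port
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction $r.Direction -Protocol UDP `
                -Action Block -Profile Any @ports | Out-Null
        }
    }

    # Verify what actually got written: rule state plus its port filter
    Get-NetFirewallRule -DisplayName "$RulePrefix*" | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule = $_.DisplayName; Enabled = $_.Enabled; Action = $_.Action
            Protocol = $pf.Protocol; LocalPort = $pf.LocalPort; RemotePort = $pf.RemotePort
        }
    }
}

Block-NetBiosNameService | Format-Table -AutoSize
```

Blocking 137 also stops normal NetBIOS name lookups on the LAN, so machines that still find each other by NetBIOS name (old print and file servers) need DNS names or the patch instead.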

Ransomware – the ‘new’ virus type

Locky encrypts your data using AES encryption and then demands 0.5 bitcoins to decrypt your files.  Though the ransomware sounds like something named by my kids, there is nothing childish about it.  It targets a large number of file extensions and, even more importantly, encrypts data on unmapped network shares.  If you don’t have a backup your data is gone, unless you pay and hope the payment isn’t yet another scam.

Those of you with a server are pretty safe (backups, Shadow Copies and the like), but stand-alone computers are at risk.  The virus (usually run as a script or macro from an email attachment) will disable your shadow copies (removing backups) and sometimes hunts the backups down and wipes them out.

So far I’ve seen 5 infections of this virus and only 1 had data loss (that client at least remembers me specifically telling them.. “Seriously, you really need a backup of some type, you know, just in case”).  Each infection differed in the targeted files.  Sometimes it was MS Office files, image files or PDFs, but there is no limit to what it COULD encrypt.. it just happened to have a priority before we stopped it.

Why didn’t the anti-virus get it?  Because the user ran it, not as a virus but as a function with their own security and authorization.  It is much trickier to limit what a user can do to a file (like saving & deleting) than to limit access to the file itself.  It sounds like a fine point, but the micro-management required means you need a server, and if you had one this virus is only an inconvenient event, not a source of data loss.

The real victims are home users and ‘server-less’ environments.  The most recent off-line backup could be the only fallback.

So if you see a .locky file on your machine, reboot.. NOW!  Pull the power cord if you need to; it’s only in memory (usually) and that stops the encryption process.  If you are on a network you can look at the file properties of the newly created ‘How to fix’ file in the same directory (it could have a few different names but you’ll know it when you see it), and under the Details tab of the file properties it’ll tell you the user/system infected (the one that created the new file).  Reboot that machine ASAP.
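The same hunt, scripted for a share, as an added example that is not from the original post: find the .locky files, find the ‘How to fix’ notes, and read each note’s owner to get the infected account. The share root and the note file names are assumptions; change them to match what you see.

```powershell
# Added example, not from the original post: scan a share for Locky's .locky files
# and its ransom notes, and read each note's owner, which (per the tip above) is the
# infected user/machine to reboot. Share root and note names are assumptions.
function Find-LockyActivity {
    param(
        [Parameter(Mandatory)] [string]$Root,
        # Assumed note names; adjust if the "how to fix" file on your share is called something else
        [string[]]$NotePatterns = @('_Locky_recover_instructions*', '_HELP_instructions*'),
        [int]$RecentMinutes = 120
    )
    $since = (Get-Date).AddMinutes(-$RecentMinutes)

    # 1. Encrypted files: Locky renames victims to <hex>.locky
    $encrypted = @(Get-ChildItem -Path $Root -Recurse -File -Filter '*.locky' -ErrorAction SilentlyContinue)

    # 2. Ransom notes: the owner of the note is the account that created it, i.e. the infected session
    $notes = @(Get-ChildItem -Path $Root -Recurse -File -Include $NotePatterns -ErrorAction SilentlyContinue)
    $noteInfo = foreach ($n in $notes) {
        [pscustomobject]@{
            Note    = $n.FullName
            Created = $n.CreationTime
            Owner   = (Get-Acl -Path $n.FullName).Owner      # DOMAIN\user or MACHINE\user
        }
    }

    # 3. Shadow copies: the virus deletes them, so zero copies on a box that had them is another tell
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count

    [pscustomobject]@{
        EncryptedCount  = $encrypted.Count
        StillWriting    = @($encrypted | Where-Object { $_.LastWriteTime -ge $since }).Count
        SuspectAccounts = @($noteInfo | Group-Object Owner | Sort-Object Count -Descending |
                            Select-Object @{n='Owner';e={$_.Name}}, Count)
        ShadowCopies    = $shadows
        Notes           = $noteInfo
    }
}

$report = Find-LockyActivity -Root 'D:\Shares'    # assumption: your share root
if ($report.EncryptedCount -gt 0) {
    Write-Warning ("{0} .locky files found, {1} written recently (encryption may still be running)." -f $report.EncryptedCount, $report.StillWriting)
    $report.SuspectAccounts | Format-Table -AutoSize   # the session(s) to go find and reboot
}
```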

Google can offer you some help recovering, as can Malwarebytes.org (in finding any viral leftovers).  Your server and backups are your best hope; failing those, a few bitcoins and some trust in the makers of the virus are all you might have left.

Backup often, trust no email attachments.

HeartBleed & Microsoft

The Heartbleed vulnerability in OpenSSL has received a significant amount of attention, but worry not: it won’t get you unless you have Apache on your Windows server. Microsoft services were not impacted by the OpenSSL vulnerability, and the Windows implementation of SSL/TLS was also not impacted.

Rest assured that default configurations of Windows do not include OpenSSL, and are not impacted by this vulnerability.   Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability.

Virus hits 600,000 Macs (so far)

For a couple of months Apple has been aware of some malware called ‘Mac Flashback’, and a resounding failure to do anything about it has caused an estimated (so far) 600,000 infections on Macs.  Thus the argument finally ends, and rest assured this isn’t the first virus, it’s just the first that cannot be swept under the rug.

So the time has come and you’ll need to check your computer for a bug, and unlike the well versed PC market it won’t be easy.  Then you’ll have to get some real protection, because what comes with the computer isn’t sufficient (obviously).  Steve Jobs is dead, Macs can get viruses and the solution isn’t easy or pretty; welcome to the real world.

Read more: http://www.foxnews.com/scitech/2012/04/06/how-to-protect-your-mac-against-malware/#ixzz1rHktiW5X

You had WHO call you?

In Canada we don’t get the FBI, NSA, CIA, Homeland Security, State Police, Local Cops or a myriad of odd agencies with dubious jurisdictions wanting to know much of anything regarding your computer server.  In Canada you get one of two agencies 95% of the time, RCMP or CSIS, neither is good but both are better than the US alternatives that are often more interested in their goals than preserving your data.

What has been getting the attention lately has been around for over a year now and courtesy of the PRC (Peoples Republic of China).  Few will come right out and say it but state based espionage is the bread and butter of China’s financial machine.. what you can’t develop, you steal.

The target of choice right now is Microsoft Small Business Server 2003.  It’s a good OS and system, but if compromised it can be difficult to detect.  Here is something you can look for:

C:\Inetpub\wwwroot\iisstart.htm
Examine the file with Notepad. At the very top, do you see any ‘funny’ code?  Something like this:

<!--czozNjM=--!>
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html;
etc…

That code at the top.. that’s the signature that not all is right in your system.  Who, what, how and all the rest I’m still researching, but your machine, though not compromised, is quite possibly working for the bad guys.
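The Notepad check, scripted as an added example (not from the original post) and widened from the one file to every page under wwwroot: it reads only the first few lines of each file and flags a comment-style tag wrapping a base64-looking token, like the one above. The web root, the extension list and the exact regex are my assumptions.

```powershell
# Added example, not from the original post: check the top of each page under
# wwwroot for a marker like the one shown above (an HTML-comment-style tag wrapping
# a base64-looking token, before <html>). Path, extensions and regex are assumptions.
function Find-InjectedMarker {
    param(
        [string]$WebRoot = 'C:\Inetpub\wwwroot',
        [string[]]$Extensions = @('*.htm', '*.html', '*.asp', '*.aspx'),
        [int]$HeadLines = 3            # the post says the marker sits at the very top
    )
    # Accept "--" or the en-dash a blog often turns "--" into, and the odd "--!>" closer seen above
    $pattern = '<!(?:--|\u2013)\s*[A-Za-z0-9+/]{4,}=*\s*(?:--|\u2013)!?>'

    Get-ChildItem -Path $WebRoot -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
        ForEach-Object {
            $head = Get-Content -Path $_.FullName -TotalCount $HeadLines -ErrorAction SilentlyContinue
            $hit  = $head | Select-String -Pattern $pattern | Select-Object -First 1
            if ($hit) {
                [pscustomobject]@{
                    File     = $_.FullName
                    Marker   = $hit.Matches[0].Value
                    Modified = $_.LastWriteTime       # when the file was last touched
                }
            }
        }
}

$hits = @(Find-InjectedMarker)
if ($hits.Count -eq 0) { 'No injected marker found at the top of any page.' }
else { $hits | Format-Table -AutoSize }
```

A hit only tells you the page was tampered with; the Modified time is the starting point for checking what else on the box changed around then.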

I’ll add a comment when I have a name and process for removing this beasty.

“Hi, this is your computer company”

“Hello, this is your computer company and we are making this free call because you have a computer virus spamming the net.”

Oddly enough you don’t recognize the voice, and they don’t seem to know anything about your computer or anything else.  They tell you it’s really bad and they just need to help you fix the problem.  The final hint.. their English is really bad and heavily accented.

It’s a scam.  Most people know it in seconds, but those that are less familiar with computers tend to fall for it.  They are tricked into giving out information that can result in signing up for useless services or programs, or at worst letting hackers into their machines.  People feel enough of a fool after these misadventures not to tell others about their experience, thus hiding how often this really happens.

Warn your folks/kin/parents (the elderly are especially vulnerable) and be vigilant.  It’s an old trick with a new twist and Telus is no help at stopping these scammers from calling (you’d think they’d block the call-centers from calling into Canada at all).

If in doubt, call me.. but you already knew that.

Gone Phishing?

Sadly the old hacker stereotype of a 13 year old in his basement no longer applies, especially with the latest series of ‘Patriot Hackers’ traced back to China.  Gone are the poorly written spoofs to get you to give out personal information and the like; we now have government-funded university graduates stealing email accounts and infecting computers.

U.S. officials briefed on the incident said the Obama administration isn’t going to raise the matter directly with the Chinese government until the facts become more clear. “Law enforcement needs to dig into this over the very short term so we have all the facts and procedures set out—then diplomacy,” a U.S. official said.

Read more: http://online.wsj.com/article/SB10001424052702304563104576361863723857124.html#ixzz1OBHGdUkQ

What this means to the average computer user (this means you) is that you can trust less and less of what you see on the internet and especially email.  If it has an attachment you best be suspect, type in URLs yourself (don’t trust links) and when in doubt.. use the phone and call someone to verify.

McAfee got you down?

Minding your own business and all of a sudden you are told your system is insecure and needs a scan.  Problem is, this isn’t a program you installed; it’s ‘McAfee Security Scan’, which is just this side of malware.  You got it thanks to Adobe bundling it into their products, and if you have Firefox you got it as an update without even being asked (thus the malware opinion).  Here’s the spin:

McAfee has made a free diagnostic tool, McAfee Security Scan, available as an optional download to customers when installing Adobe® Reader® and Adobe Flash® Player software from Adobe.com. The McAfee tool enables consumers to easily check for anti-virus software and firewall protection on their computers. When the scan is complete, users see a report detailing the presence and status of security protection, and are presented with special offers for McAfee security software, including McAfee Anti-Virus, McAfee Internet Security, McAfee Total Protection, and McAfee Family Protection – Adobe

So you get free advertising but little else (the software will ALWAYS say you need McAfee products).   Since Microsoft Security Essentials is free, works with Microsoft operating systems and updates regularly there is little point in buying an inferior product.  Install Malwarebytes as a recovery system (also free) and 98% of the bad things out there are blocked or recoverable.  So how do you rid yourself of McAfee?

  1. Uninstall McAfee using the Add/Remove Programs
  2. Consider changing from Adobe to another PDF reader
  3. Uninstall the Adobe PDF plug-in from Firefox or it’ll infect again

You will probably get McAfee with Flash, AIR and perhaps a few other Adobe products if you don’t UNCHECK the option.  Reminds me of Rogers Communications and their idea of negative billing.. we’ll give you more stuff and charge you more unless you tell us not to.

Android Malware

Google removed a bunch of malicious apps, most disguised as legitimate apps, from the Android Market after they were found to contain malware. The malware, dubbed DroidDream, uses two exploits to steal information such as phone ID and model, and to plant a back door on the phone that could be used to drop further malware on the device and take it over.

There is scanning software for known malware signatures, but this system isn’t good at detecting brand new malware or existing malware that has been modified enough to slip past the antivirus programs.  Depending on the handset used, some Android versions may be patched by now, but others are not. The vulnerabilities exploited by the malicious apps have been patched in Android 2.3, also known as Gingerbread, but older versions could still be vulnerable.

Read more at CNet.com