Thursday, October 23, 2014

Ransomware

WHAT IS RANSOMWARE?


A Reveton payload attempting to extort money from a user, by fraudulently claiming that the user must pay a fine to the Metropolitan Police Service.


Ransomware is a type of malware that infects a computer and restricts the user’s access to it. This type of malware attempts to extort money from victims by displaying an on-screen alert. These alerts often state that the computer has been locked or that all of its files have been encrypted, and demand that a ransom be paid to restore access.


Ransomware is typically spread through phishing emails that contain malicious attachments and drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and malware is downloaded and installed without their knowledge. Crypto ransomware, a variant that encrypts files, is typically spread through similar methods, and has been spread through Web-based instant messaging applications.


WHY IS IT SO EFFECTIVE?


Ransomware payloads utilize elements of scareware to extort money from the system’s user. The payload may, for example, display notices purportedly issued by companies or law enforcement agencies which falsely claim that the system has been used for illegal activities, or that it contains illegal content such as pornography and pirated software or media.


Some ransomware payloads imitate Windows XP’s product activation notices, falsely claiming that the user’s Windows installation is counterfeit or requires re-activation. These tactics coax the user into paying the malware’s author to remove the ransomware, either by supplying a program which can decrypt the files, or by sending an unlock code that undoes the changes the payload has made. These payments are often delivered using a wire transfer, premium-rate text messages, an online payment voucher service such as Ukash or Paysafecard, or, most recently, the digital currency Bitcoin.


CryptoLocker needs to be taken very seriously, because it can result in the total and irreversible destruction of all your personal and company files.


Examples of Scareware messages related to ransomware:


“Your computer has been infected with a virus. Click here to resolve the issue.”
“All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”
“Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”


VARIANTS


Here’s an Excel document that has been encrypted by CryptoLocker


The financial success of ransomware has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced, including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device but also the contents of shared or networked drives. These variants are considered destructive because they encrypt users’ and organizations’ files, and render them useless until criminals receive a ransom.


Additional variants observed in 2014 included CryptoDefense and Cryptowall, which are also considered destructive. Reports indicate that CryptoDefense and Cryptowall share the same code, and that only the name of the malware is different. Similar to CryptoLocker, these variants also encrypt files on the local computer, shared network files, and removable media.


INTERCONNECTION WITH OTHER TYPES OF MALWARE


Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system, and requests that a ransom be paid.


The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker.


Ransomware doesn’t choose targets. Both home users and businesses can become infected with ransomware, with negative consequences including:


Temporary or permanent loss of sensitive or proprietary information;

Disruption to regular operations;

Financial losses incurred to restore systems and files;

Potential harm to an organization’s reputation.


Paying the ransom does not guarantee that the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money and their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.


Prevention


Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require Data Recovery services.


Recommended preventive measures to protect computers and networks from ransomware infections:


Do not follow unsolicited web links in email.

Use caution when opening email attachments.

Follow safe practices when browsing the web.

Perform regular backups of all critical information to limit the impact of data loss and to help the recovery process. This data should be kept on a separate device, and backups should be stored offline.

Maintain up-to-date anti-virus software.

Keep your operating system and software up-to-date with the latest patches.


As with other forms of malware, security software might not detect a ransomware payload at all or, especially in the case of encrypting payloads, might only detect it after encryption is underway or complete, particularly if a new version unknown to the protective software is distributed.


Encryption takes some time, so if an attack is suspected or detected in its early stages, immediate removal of the malware (a relatively simple process) before it has completed would limit its damage to data. Security experts have suggested precautionary measures for dealing with ransomware, such as using software or other security policies to block known payloads from launching, along with “offline” backups of data stored in locations inaccessible to the malware.


One of the most powerful software packages available to help against ransomware is the well-known Malwarebytes Anti-Malware, recommended for prevention and removal of all types of malware.



Monday, October 20, 2014

Windows thumbnail preview not working

Straight to the point.


Windows Explorer pane not showing thumbnail previews?

There are a few reasons, common to both Windows 8 and Windows 7, that explain why the Explorer pane is not showing thumbnail previews:


Thumbnails are disabled under Folder Options, showing instead Icons.



Settings to Show thumbnails instead of icons under System Properties >> Advanced >> Performance >> Visual Effects, are disabled.



There are other options that might disable or enable the Thumbnail Previews like Group Policy or using REG (Windows Registry) files. If you need help just use the comments below or use the contact form and I will try to help you.


Thursday, October 16, 2014

What is your IP?

Find out below…


What would I need my IP address for?


Some people want to run a mail, ftp or game server on their computer and for that software to run it is usually necessary to enter the public IP address currently assigned to the user into the configuration. Other people would like to use a remote desktop application and want to know what IP address to connect to from a remote location.




What is an IP Address?


An Internet Protocol address (IP address) is a numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing. Its role has been characterized as follows: “A name indicates what we seek. An address indicates where it is. A route indicates how to get there.”


The designers of the Internet Protocol defined an IP address as a 32-bit number, and this system, known as Internet Protocol Version 4 (IPv4), is still in use today. However, due to the enormous growth of the Internet and the predicted depletion of available addresses, a new version of IP (IPv6), using 128 bits for the address, was developed in 1995.

IPv6 was standardized as RFC 2460 in 1998, and its deployment has been ongoing since the mid-2000s.


IP addresses are binary numbers, but they are usually stored in text files and displayed in human-readable notations, such as 172.16.254.1 (for IPv4), and 2001:db8:0:1234:0:567:8:1 (for IPv6).
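To make the point above concrete, here is an added example (not code from the original post) that turns the two human-readable notations the article shows back into the fixed-width binary numbers they stand for: 32 bits for IPv4 dotted-quad, 128 bits for IPv6 colon-hex, including the “::” shorthand for a run of zero groups. The function names ipv4_to_int and ipv6_to_int are this example’s own.

```python
# Added example: parse the textual IP notations into their integer values.

HEX_DIGITS = set("0123456789abcdefABCDEF")

def ipv4_to_int(text: str) -> int:
    """Parse 'a.b.c.d' into the 32-bit integer it represents."""
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"IPv4 address needs exactly 4 octets: {text!r}")
    value = 0
    for octet in octets:
        if not octet.isdigit() or not 0 <= int(octet) <= 255:
            raise ValueError(f"octet out of range 0-255: {octet!r}")
        value = (value << 8) | int(octet)      # each octet fills 8 bits
    return value

def ipv6_to_int(text: str) -> int:
    """Parse colon-hex IPv6 notation into the 128-bit integer it represents.

    A single '::' stands for the longest run of all-zero 16-bit groups needed
    to bring the group count up to 8 (e.g. '2001:db8::1').
    """
    if text.count("::") > 1:
        raise ValueError("'::' may appear at most once")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must replace at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError(f"IPv6 address needs 8 groups: {text!r}")
    value = 0
    for group in groups:
        if not 1 <= len(group) <= 4 or not set(group) <= HEX_DIGITS:
            raise ValueError(f"bad hex group: {group!r}")
        value = (value << 16) | int(group, 16)  # each group fills 16 bits
    return value
```

The IPv4 example from the text, 172.16.254.1, becomes 0xAC10FE01, and the IPv6 example expands to 2001:0db8:0000:1234:0000:0567:0008:0001 before packing.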


The Internet Assigned Numbers Authority (IANA) manages the IP address space allocations globally and delegates to five regional Internet registries (RIRs) the allocation of IP address blocks to local Internet registries (Internet service providers) and other entities. [more from Wikipedia]


NOTE-This article uses material from the Wikipedia articles which are released under the Creative Commons Attribution-Share-Alike License 3.0


Whois behind any domain name



Discover who is hosting a website.

The secrets that nobody searches for….


WHOIS (pronounced as the phrase who is) is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information.

The protocol stores and delivers database content in a human-readable format. [more from Wikipedia]


A WHOIS search provides information regarding a domain name, such as deptec.info. It may include information, such as domain ownership, where and when registered, expiration date, and the nameservers assigned to the domain.


Whois services operate through a whois server. Anyone can connect to a whois server and send a query. The whois server will then respond to the query and close the connection.


NOTE:

There are several reasons why a WHOIS search may not provide useful results:

Private WHOIS provided by the registrar to protect a domain name’s details.

The domain name does not exist or is not registered.


You can use this online tool to do your queries:


Whois Lookup using Telnet


For example, you want to find the domain registration details for “deptec.info”


The whois server for .info domains is whois.afilias.info. So we need to connect to whois.afilias.info on port 43 (the TCP port defined for WHOIS requests) and then send the string deptec.info followed by a carriage return linefeed pair… or just press the Enter key on your keyboard :-)

Try this on your own!


From the Windows Start button select ‘Run’.

Now type

telnet whois.afilias.info 43

and click OK.

The telnet window will open up and briefly show a ‘connecting..’ message. Once the connection is made the window will be blank.

Now type in any .info domain (e.g. bloguito.info) and press the Enter key (please note that the telnet window will not display the text being typed in).


You should be able to see the unformatted raw domain record in the window.
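The exchange that the telnet walkthrough above performs by hand (and the PuTTY steps below repeat), written out as an added example that is not code from the original post: a raw TCP connection, the domain name followed by CRLF, and a response that ends only when the server closes the socket. Both sides run on a loopback port so it works offline; the record for deptec.info is constructed, and the names RECORDS, serve_one, whois and demo are this example’s own assumptions.

```python
import socket
import threading

# Constructed sample record for the article's example domain; a real registry
# returns a much longer, differently formatted record.
RECORDS = {
    "deptec.info": "Domain Name: DEPTEC.INFO\r\n"
                   "Registrar: EXAMPLE-REGISTRAR (placeholder)\r\n"
                   "Name Server: NS1.EXAMPLE.NET\r\n",
}

def serve_one(listener: socket.socket) -> None:
    """Server side: answer exactly one query the way a whois server does."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while b"\r\n" not in buf:        # the query is one line ending in CRLF
            chunk = conn.recv(1024)
            if not chunk:
                return                   # client hung up before sending CRLF
            buf += chunk
        query = buf.split(b"\r\n", 1)[0].decode("ascii", "replace").strip().lower()
        reply = RECORDS.get(query, f"NOT FOUND: {query}\r\n")
        conn.sendall(reply.encode("ascii", "replace"))
    # leaving the 'with' closes the socket; that close is the end-of-record marker

def whois(query: str, host: str, port: int = 43, timeout: float = 5.0) -> str:
    """Client side: send the query line, then read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:                # server closed the connection: done
                break
            chunks.append(chunk)
    return b"".join(chunks).decode("ascii", "replace")

def demo(query: str) -> str:
    """Run server and client on loopback and return the raw record text."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=serve_one, args=(listener,), daemon=True)
    server.start()
    try:
        return whois(query, "127.0.0.1", port)
    finally:
        server.join(timeout=5)
        listener.close()
```

Pointing whois() at a real server on port 43 with the domain as the query is the same exchange the telnet session shows; the blank window and unechoed typing in the walkthrough are simply the raw TCP connection waiting for that CRLF-terminated line.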


Using PuTTY as a Telnet client


A lot of people have been having problems with the telnet client or have been unable to install it on Windows.


An alternative is to use PuTTY, a free telnet client: http://www.chiark.greenend.org.uk/~sgtatham/putty/


Here are the quick instructions to use PuTTY to connect to WHOIS servers and send queries:

Download and run putty.exe.

Under Connection > Telnet select Passive for Telnet negotiation mode.

Return to the Session page, and select Telnet for Connection type.

Type in the desired hostname (e.g. whois.afilias.info) in the Host Name field.

Type 43 in the Port field.

Select Never under Close window on exit.

Click Open.
You should see a blank terminal window:


Putty is connected


Type in the domain you want to query and hit Enter



Et voilà
You can close the notification dialog, and then scroll back up to the top of your Putty window, to see the results:



Test Post from #Deptec

Test Post from #Deptec http://deptec.info