From the Virus files. Malware beneficial? Impossible. Well, not really.

I had an extremely difficult rootkit virus problem to handle yesterday. I got it of course, but it was not easy. Not because of the software but because of the pre-service interview and direction I took. From now on I will ask more questions before I service anyone's machines. They said they had a malware problem so I took off the malware. The machine was still infected however. I didn't realize this at first, except on a fluke I remembered looking at the computer screen and seeing the scan slow down during a time that it shouldn't have. So I ran a scan, got a hit and kept going.

The point is that the obnoxious malware made the customer have his machine serviced. He hated all of the BS that the malware was causing but didn't realize that another and worse problem was the rootkit virus. People have a tendency to look at these two very different infections as one big evil category. Most malware wants you to know that it is there but the rootkit wants the opposite, to stay hidden. The malware wants the victim to buy or do things while the rootkit's job is to remain invisible and collect as much information as possible. This info is then sold on the black market for large sums of money to people who can use it to use the credit card numbers and/or open lines of credit with the victim's identity. The victim was actually saved by the malware popping up and begging the victim to take itself and the virus off the machine. The popups exposed the real threat. Good job malware.

So, from now on all malware scans start with rootkit virus scans no matter where the customer has said they have been.

BlackOS software package automates website hacking, costs $3,800 a year

An updated version of a malicious software package designed to automate the process of hacking websites is being offered up on underground markets for $3,800 a year, according to a blog by Trend Micro.

In a Thursday email correspondence, Christopher Budd, threat communications manager for Trend Micro, told SCMagazine.com that the software – known as BlackOS – can manage hacked sites that redirect end-users to websites serving malware.

The redirection is carried out by injecting malicious IFrames into websites, Budd said, adding this can be done using one of several features available in BlackOS.

“[It] can also manage large lists of FTP credentials and [can] check each of the accounts’ credentials for validity, as well as verifies each malicious website URL against AV vendors to see if anyone blocks the website,” Budd said.

One of the things that makes BlackOS particularly useful for miscreants is that it scans a large range of IPs for exploitable vulnerabilities, Budd said, explaining that the attackers are not dialing in on specific targets.

“They do a mass attack, there are no specific targets as these websites are just a launch pad to perform their malicious attacks,” Budd said. “They are usually looking for an easy access, once they are inside they will try to level up the privileges to gain root access on the machine and therefore be able to [make] use of the BlackOS features, which is inject a malicious IFrames in all web pages.”

The posts advertising BlackOS in underground forums are written in Russian, according to the Trend Micro blog, which explains that the software costs $3,800 a year, or $100 a month for a budgeted version with basic configurations.

The BlackOS software is an updated version of the “Tale of the North” software, according to the blog.

Handling Destructive Malware

Overview

Destructive malware presents a direct threat to an organization’s daily operations, directly impacting the availability of critical assets and data. Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event. This publication is focused on the threat of enterprise-scale distributed propagation methods for malware and provides recommended guidance and considerations for an organization to address as part of their network architecture, security baseline, continuous monitoring, and Incident Response practices.

While specific indicators and modules related to destructive malware may evolve over time, it is critical that an organization assess their capability to actively prepare for and respond to such an event.

Potential Distribution Vectors

Destructive malware has the capability to target a large scope of systems, and can potentially execute across multiple systems throughout a network. As a result, it is important for an organization to assess their environment for atypical channels for potential malware delivery and/or propagation throughout their systems. Systems to assess include:

  • Enterprise Applications – particularly those which have the capability to directly interface with and impact multiple hosts and endpoints. Common examples include
    • Patch Management Systems,
    • Asset Management Systems,
    • Remote Assistance software (typically utilized by the corporate Help Desk),
    • Anti-Virus,
    • Systems assigned to system and network administrative personnel,
    • Centralized Backup Servers, and
    • Centralized File Shares.

While not applicable to malware specifically, threat actors could compromise additional resources to impact the availability of critical data and applications.  Common examples include:

  • Centralized storage devices
    • Potential Risk – direct access to partitions and data warehouses;
  • Network devices
    • Potential Risk – capability to inject false routes within the routing table, delete specific routes from the routing table, or remove/modify configuration attributes – which could isolate or degrade availability of critical network resources.

Best Practices and Planning Strategies

Common strategies can be followed to strengthen an organization’s resilience against destructive malware.  Targeted assessment and enforcement of best practices should be employed for enterprise components susceptible to destructive malware.

Communication Flow

  • Ensure proper network segmentation.
  • Ensure that network-based access-control lists (ACLs) are configured to permit server-to-host and host-to-host connectivity via the minimum scope of ports and protocols – and that directional flows for connectivity are represented appropriately.
    • Communication flow paths should be fully defined, documented, and authorized.
  • Increase awareness of systems which can be utilized as a gateway to pivot (lateral movement) or directly connect to additional endpoints throughout the enterprise.
    • Ensure that these systems are contained within restrictive VLANs, with additional segmentation and network access-controls.
  • Ensure that centralized network and storage devices’ management interfaces are resident on restrictive VLANs.
    • Layered access-control, and
    • Device-level access-control enforcement – restricting access from only pre-defined VLANs and trusted IP ranges.

Access Control

  • For Enterprise systems which can directly interface with multiple endpoints:
    • Require two factor authentication for interactive logons.
    • Ensure that authorized users are mapped to a specific subset of enterprise personnel.
      • If possible, the “Everyone”, “Domain Users” or the “Authenticated Users” groups should not be permitted the capability to directly access or authenticate to these systems.
    • Ensure that unique domain accounts are utilized and documented for each Enterprise application service.
      • Context of permissions assigned to these accounts should be fully documented and configured based upon the concept of least privilege.
      • Provides an enterprise with the capability to track and monitor specific actions correlating to an application’s assigned service account.
    • If possible, do not grant a service account with local or interactive logon permissions.
      • Service accounts should be explicitly denied permissions to access network shares and critical data locations.
    • Accounts which are utilized to authenticate to centralized enterprise application servers or devices should not contain elevated permissions on downstream systems and resources throughout the enterprise.
  • Continuously review centralized file share access-control lists and assigned permissions.
    • Restrict Write/Modify/Full Control permissions when possible.
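The share-ACL review above can be scripted. The Python below is an added example, not part of the original guidance: it runs over a constructed ACL export in a simplified share|principal|rights format (an assumption of this example, not any real exporter's output) and flags the broad groups and service-account entries the bullets call out. The "svc_" naming convention for service accounts is likewise an assumption.

```python
"""Review of file share ACLs against the access-control items above.

Added example; the ACL export format (share|principal|rights) is a constructed,
simplified one, not a real exporter's output.
"""

# Groups that the guidance says should not be granted direct access.
BROAD_PRINCIPALS = {"Everyone", "Domain Users", "Authenticated Users"}
# Rights to restrict wherever possible.
WRITE_RIGHTS = {"Write", "Modify", "Full Control"}
# Assumption for this example: service accounts follow an "svc_" naming convention.
SERVICE_PREFIX = "svc_"

# Constructed sample export, one access-control entry per line.
ACL_EXPORT = r"""
\\FILESRV01\dept|Domain Users|Read
\\FILESRV01\dept|Everyone|Full Control
\\FILESRV01\eng|ENG-Team|Modify
\\FILESRV01\eng|svc_backup|Modify
\\PATCH01\updates|Authenticated Users|Write
\\PATCH01\updates|PatchAdmins|Full Control
"""


def parse_acl_export(text):
    """Yield (share, principal, rights) tuples from the pipe-separated export."""
    for line in text.strip().splitlines():
        share, principal, rights = line.split("|")
        yield share, principal, rights


def review_share_acls(text):
    """Return findings as (share, principal, rights, reason) tuples.

    Two rules from the guidance: broad groups must not hold write-level rights,
    and service accounts should be explicitly denied share access."""
    findings = []
    for share, principal, rights in parse_acl_export(text):
        if principal in BROAD_PRINCIPALS and rights in WRITE_RIGHTS:
            findings.append((share, principal, rights,
                             "broad group holds write-level rights; restrict to a named subset"))
        elif principal.startswith(SERVICE_PREFIX):
            findings.append((share, principal, rights,
                             "service account has share access; should be explicitly denied"))
    return findings


if __name__ == "__main__":
    for finding in review_share_acls(ACL_EXPORT):
        print(*finding, sep=" | ")
```

Read-only entries for broad groups are deliberately not flagged, matching the "when possible" scope of the last bullet; tighten the rule if your policy forbids broad read access too.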

Monitoring

  • Audit and review security logs for anomalous references to enterprise-level administrative (privileged) and service accounts.
    • Failed logon attempts,
    • File share access, and
    • Interactive logons via a remote session.
  • Review network flow data for signs of anomalous activity.
    • Connections utilizing ports which do not correlate to the standard communication flow associated with an application,
    • Activity correlating to port scanning or enumeration, and
    • Repeated connections utilizing ports which can be utilized for command and control purposes.
  • Ensure that network devices log and audit all configuration changes.
    • Continually review network device configurations and rule sets, to ensure that communication flows are restricted to the authorized subset of rules.
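The three monitoring items above translate directly into detection rules. The Python below is an added example, not part of the original guidance: it runs the logon checks (failed logons, share access, interactive logons via a remote session for privileged and service accounts) and the flow checks (ports outside an application's baseline, port enumeration, repeated connections to one destination port) over constructed sample records. The pipe-separated record formats, the account lists, the port baseline and the thresholds are all assumptions of this example.

```python
"""Detection logic for the monitoring items above, run over constructed sample records.

Added example. The record formats here are simplified, constructed ones (pipe-
separated fields), not a real Windows event or NetFlow export; map your own
telemetry into them.
"""
from collections import Counter, defaultdict

# Constructed auth records.  Fields: timestamp|result|account|host|src_ip|logon_type
AUTH_LOGS = """\
2024-03-01T02:14:07Z|failure|svc_patchmgr|PATCH01|10.20.5.31|network
2024-03-01T02:14:09Z|failure|svc_patchmgr|PATCH01|10.20.5.31|network
2024-03-01T02:14:12Z|failure|svc_patchmgr|PATCH01|10.20.5.31|network
2024-03-01T02:15:40Z|success|svc_patchmgr|WS-0117|10.20.5.31|remote_interactive
2024-03-01T02:16:02Z|share_access|svc_patchmgr|FILESRV01|10.20.5.31|network
2024-03-01T08:01:15Z|success|jdoe|WS-0042|10.20.7.12|interactive
2024-03-01T08:03:51Z|failure|jdoe|WS-0042|10.20.7.12|interactive
"""

# Constructed flow records.  Fields: timestamp|src_host|dst_host|dst_port
FLOW_LOGS = """\
2024-03-01T02:20:00Z|PATCH01|WS-0117|8530
2024-03-01T02:20:01Z|PATCH01|WS-0117|445
2024-03-01T02:20:02Z|PATCH01|WS-0118|445
2024-03-01T02:20:03Z|PATCH01|WS-0119|445
2024-03-01T02:21:00Z|WS-0117|FILESRV01|22
2024-03-01T02:21:01Z|WS-0117|FILESRV01|23
2024-03-01T02:21:02Z|WS-0117|FILESRV01|80
2024-03-01T02:21:03Z|WS-0117|FILESRV01|443
2024-03-01T02:21:04Z|WS-0117|FILESRV01|3389
2024-03-01T02:21:05Z|WS-0117|FILESRV01|5985
2024-03-01T02:30:00Z|WS-0117|203.0.113.9|4444
2024-03-01T02:35:00Z|WS-0117|203.0.113.9|4444
2024-03-01T02:40:00Z|WS-0117|203.0.113.9|4444
"""

# Assumptions for this example: which accounts are privileged/service accounts,
# the ports each enterprise application server is expected to use, and thresholds.
PRIVILEGED = {"da_admin", "svc_patchmgr"}
SERVICE_ACCOUNTS = {"svc_patchmgr"}
APP_BASELINE = {"PATCH01": {8530, 8531}}
FAILED_LOGON_THRESHOLD = 3
SCAN_PORT_THRESHOLD = 5
REPEAT_THRESHOLD = 3


def parse(text):
    """Split pipe-separated records into field lists."""
    return [line.split("|") for line in text.strip().splitlines()]


def review_logons(auth_text, privileged=PRIVILEGED, service=SERVICE_ACCOUNTS):
    """Findings for privileged/service accounts: failed logons, share access,
    and interactive logons via a remote session."""
    findings = []
    failures = Counter()
    for ts, result, account, host, src_ip, logon_type in parse(auth_text):
        if account not in privileged:
            continue
        if result == "failure":
            failures[account] += 1
        elif result == "share_access" and account in service:
            findings.append(f"{account} accessed a share on {host} "
                            "(service accounts should be denied share access)")
        elif result == "success" and logon_type == "remote_interactive" and account in service:
            findings.append(f"{account} interactive logon via remote session on {host} from {src_ip}")
    for account, n in failures.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings.append(f"{account}: {n} failed logons")
    return findings


def review_flows(flow_text, baseline=APP_BASELINE):
    """Findings for the flow-review items: off-baseline ports, enumeration, repeated connections."""
    findings = []
    ports_per_pair = defaultdict(set)   # (src, dst) -> distinct destination ports seen
    repeats = Counter()                 # (src, dst, port) -> connection count
    for ts, src, dst, port in parse(flow_text):
        port = int(port)
        if src in baseline and port not in baseline[src]:
            findings.append(f"{src} -> {dst}:{port} outside the application's baseline ports")
        ports_per_pair[(src, dst)].add(port)
        repeats[(src, dst, port)] += 1
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append(f"{src} touched {len(ports)} distinct ports on {dst} (possible scan/enumeration)")
    for (src, dst, port), n in repeats.items():
        if n >= REPEAT_THRESHOLD:
            findings.append(f"{src} connected to {dst}:{port} {n} times (possible command and control)")
    return findings


if __name__ == "__main__":
    for finding in review_logons(AUTH_LOGS) + review_flows(FLOW_LOGS):
        print(finding)
```

The baseline check is what catches an enterprise application server being used as a distribution vector: a patch server that suddenly speaks to endpoints on a port its product never uses is worth a look regardless of what the logon records show.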

File Distribution

  • When deploying patches or AV signatures throughout an enterprise, stage the distributions to include a specific grouping of systems (staggered over a pre-defined time period).
    • This action can minimize the overall impact in the event that an enterprise patch management or AV system is leveraged as a distribution vector for a malicious payload.
  • Monitor and assess the integrity of patches and AV signatures which are distributed throughout the enterprise.
    • Ensure updates are received only from trusted sources,
    • Perform file and data integrity checks, and
    • Monitor and audit – as related to the data that is distributed from an enterprise application.
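Both file-distribution items above, staggered deployment and integrity checking of what is distributed, can be shown in one script. The Python below is an added example, not part of the original guidance: packages are verified against a trusted manifest of SHA-256 hashes before any are handed to the distribution system, and endpoints are split into scheduled waves. The package bytes, manifest, host names and schedule are all constructed; the manifest stands in for hashes obtained out of band from the vendor, which is the trusted source the guidance requires.

```python
"""Integrity check and staged rollout for enterprise-distributed updates.

Added example; the package bytes and trusted manifest below are constructed.
The manifest stands in for hashes obtained out of band from the vendor (for
instance from a signed release listing), i.e. the trusted source the guidance
requires; it must not be derived from the files on the distribution server.
"""
import hashlib
import hmac
from datetime import datetime, timedelta

# Constructed sample packages as they sit on the distribution server.
PACKAGES = {
    "av-sig-20240301.cab": b"constructed signature update v1203\n",
    "agent-hotfix-7.exe": b"constructed hotfix build 7\n",
}

# Constructed trusted manifest: file name -> expected SHA-256 (hex).  Computed
# here from the known-good bytes only so the example is self-contained.
TRUSTED_MANIFEST = {
    name: hashlib.sha256(data).hexdigest() for name, data in PACKAGES.items()
}

# Constructed endpoints and schedule for the staggered rollout.
DEMO_HOSTS = [f"WS-{i:04d}" for i in range(10)]
DEMO_START = datetime(2024, 3, 1, 22, 0)
DEMO_INTERVAL = timedelta(hours=6)


def verify_packages(manifest, packages):
    """Split packages into approved names and {name: reason} rejections.

    A package missing from the manifest, or whose SHA-256 does not match, is
    never handed to the distribution system."""
    approved, rejected = [], {}
    for name, data in packages.items():
        expected = manifest.get(name)
        actual = hashlib.sha256(data).hexdigest()
        if expected is None:
            rejected[name] = "not in trusted manifest"
        elif not hmac.compare_digest(actual, expected):
            rejected[name] = "hash mismatch"
        else:
            approved.append(name)
    return approved, rejected


def stage_rollout(hosts, wave_size, start, interval):
    """Group hosts into waves of wave_size, each scheduled one interval apart.

    The first wave is the pilot group; later waves only proceed if the pilot
    shows no anomalous behaviour, which bounds the impact if the distribution
    channel itself has been subverted."""
    waves = []
    for wave_no, i in enumerate(range(0, len(hosts), wave_size)):
        waves.append((start + wave_no * interval, hosts[i:i + wave_size]))
    return waves


if __name__ == "__main__":
    approved, rejected = verify_packages(TRUSTED_MANIFEST, PACKAGES)
    print("approved:", approved, "rejected:", rejected)
    for when, group in stage_rollout(DEMO_HOSTS, 4, DEMO_START, DEMO_INTERVAL):
        print(when.isoformat(), group)
```

The hash comparison uses a constant-time compare out of habit; the security of the check rests on the manifest coming from a source the distribution server cannot alter, not on the comparison itself.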

System and Application Hardening

  • Ensure that the underlying Operating System (OS) and dependencies (ex: IIS, Apache, SQL) supporting an application are configured and hardened based upon industry-standard best practice recommendations. Implement application-level security controls based upon best practice guidance provided by the vendor.  Common recommendations include:
    • Utilize role-based access control,
    • Prevent end-user capabilities to bypass application-level security controls,
      • Example – disabling Antivirus on a local workstation
    • Disable unnecessary or unutilized features or packages, and
    • Implement robust application logging and auditing
  • Thoroughly test and implement vendor patches in a timely manner.

Recovery and Reconstitution Planning

A Business Impact Analysis (BIA) is a key component of contingency planning and preparation. The overall output of a BIA will provide an organization with two key components (as related to critical mission/business operations):

  • Characterization and classification of system components, and
  • Interdependencies.

Based upon the identification of an organization’s mission critical assets (and their associated interdependencies), in the event that an organization is impacted by a potentially destructive condition, recovery and reconstitution efforts should be considered.

To plan for this scenario, an organization should address the availability and accessibility for the following resources (and should include the scope of these items within Incident Response exercises and scenarios):

  • Comprehensive inventory of all mission critical systems and applications:
    • Versioning information,
    • System / application dependencies,
    • System partitioning/ storage configuration and connectivity, and
    • Asset Owners / Points of Contact.
  • Contact information for all essential personnel within the organization,
  • Secure communications channel for recovery teams,
  • Contact information for external organization-dependent resources:
    • Communication Providers,
    • Vendors (hardware / software), and
    • Outreach partners / External Stakeholders
  • Service Contract Numbers – for engaging vendor support,
  • Organizational Procurement Points of Contact,
  • ISO / image files for baseline restoration of critical systems and applications:
    • Operating System installation media,
    • Service Packs / Patches,
    • Firmware, and
    • Application software installation packages.
  • Licensing/activation keys for Operating Systems (OS) and dependent applications,
  • Enterprise Network Topology and Architecture diagrams,
  • System and application documentation,
  • Hard copies of operational checklists and playbooks,
  • System and application configuration backup files,
  • Data backup files (full/differential),
  • System and application security baseline and hardening checklists/guidelines, and
  • System and application integrity test and acceptance checklists.

Containment

In the event that an organization observes a large-scale outbreak that may be reflective of a destructive malware attack, in accordance with Incident Response best practices, the immediate focus should be to contain the outbreak, and reduce the scope of additional systems which could be further impacted.

Strategies for containment include:

  • Determining a vector common to all systems experiencing anomalous behavior (or having been rendered unavailable) – from which a malicious payload could have been delivered:
    • Centralized Enterprise Application,
    • Centralized File Share (for which the identified systems were mapped or had access),
    • Privileged User Account common to the identified systems,
    • Network Segment or Boundary, and
    • Common DNS Server for name resolution.
  • Based upon the determination of a likely distribution vector, additional mitigation controls can be enforced to further minimize impact:
    • Implement network-based access-control lists to deny the identified application(s) the capability to directly communicate with additional systems,
      • Provides an immediate capability to isolate and sandbox specific systems or resources
    • Implement null network routes for specific IP addresses (or IP ranges) – from which the payload may be distributed,
      • An organization’s internal DNS can also be leveraged for this task – as a null pointer record could be added within a DNS zone for an identified server or application
    • Readily disable access for suspected user or service account(s), and
    • For suspect file shares (which may be hosting the infection vector), remove access or disable the share path from being accessed by additional systems.
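The two containment steps above (find the vector common to all impacted systems, then enforce the control that fits it) can be worked through on an inventory. The Python below is an added example, not part of the original guidance: for every attribute category the list names (enterprise application, file share, privileged account, network segment, DNS server) it intersects the values across the impacted hosts, ranks each shared value by how many healthy hosts also carry it, and maps the likeliest vectors to the mitigation controls listed. The inventory, host names and the attribute naming convention are constructed assumptions of this example.

```python
"""Finding the distribution vector common to impacted systems and mapping it
to the containment controls listed above.

Added example; the inventory is constructed, and the attribute names used for
each host (application, file_share, privileged_account, segment, dns_server)
are this example's own convention.
"""

CATEGORIES = ("application", "file_share", "privileged_account", "segment", "dns_server")

# Constructed inventory: for each host, what it runs, what it maps, which
# privileged accounts have logged on, its segment and its DNS server.
INVENTORY = {
    "WS-0117":   {"application": {"patchmgr", "av"}, "file_share": {r"\\FILESRV01\dept", r"\\FILESRV01\eng"},
                  "privileged_account": {"da_admin"}, "segment": {"10.20.5.0/24"}, "dns_server": {"DNS01"}},
    "WS-0118":   {"application": {"patchmgr", "av"}, "file_share": {r"\\FILESRV01\dept"},
                  "privileged_account": {"helpdesk_adm"}, "segment": {"10.20.5.0/24"}, "dns_server": {"DNS01"}},
    "SRV-DB02":  {"application": {"patchmgr", "av", "backup"}, "file_share": {r"\\FILESRV01\dept"},
                  "privileged_account": {"da_admin"}, "segment": {"10.20.9.0/24"}, "dns_server": {"DNS01"}},
    "WS-0042":   {"application": {"patchmgr", "av"}, "file_share": {r"\\FILESRV01\dept", r"\\FILESRV02\hr"},
                  "privileged_account": set(), "segment": {"10.20.7.0/24"}, "dns_server": {"DNS02"}},
    "WS-0050":   {"application": {"av"}, "file_share": {r"\\FILESRV01\dept"},
                  "privileged_account": set(), "segment": {"10.20.5.0/24"}, "dns_server": {"DNS01"}},
    "SRV-WEB01": {"application": {"patchmgr", "av"}, "file_share": set(),
                  "privileged_account": {"da_admin"}, "segment": {"10.20.9.0/24"}, "dns_server": {"DNS01"}},
    "WS-0201":   {"application": {"av"}, "file_share": {r"\\FILESRV02\hr"},
                  "privileged_account": {"helpdesk_adm"}, "segment": {"10.20.7.0/24"}, "dns_server": {"DNS02"}},
}

# Hosts showing anomalous behaviour (or rendered unavailable) in the constructed scenario.
IMPACTED = ["WS-0117", "WS-0118", "SRV-DB02", "WS-0042"]

# Mitigation from the containment list above, keyed by the category of vector found.
CONTROLS = {
    "application": "network ACL: deny the {value} server direct communication with additional systems",
    "file_share": "remove access to / disable share path {value}",
    "privileged_account": "disable account {value}",
    "segment": "null route or boundary ACL for {value}",
    "dns_server": "null route or ACL to isolate DNS server {value}",
}


def common_vectors(inventory, impacted):
    """Attributes every impacted host shares, ranked by how few healthy hosts share them.

    A value present on all impacted hosts but on few healthy ones is the most
    likely delivery vector; one present everywhere (the AV agent every host
    runs, say) explains nothing."""
    impacted = list(impacted)
    if not impacted:
        raise ValueError("no impacted hosts given")
    healthy = [h for h in inventory if h not in impacted]
    ranked = []
    for cat in CATEGORIES:
        shared = set.intersection(*(set(inventory[h][cat]) for h in impacted))
        for value in shared:
            healthy_hits = sum(value in inventory[h][cat] for h in healthy)
            ranked.append((cat, value, healthy_hits))
    ranked.sort(key=lambda r: (r[2], r[0], r[1]))
    return ranked


def containment_plan(inventory, impacted, max_healthy_hits=1):
    """Controls to enforce for each likely vector (shared by at most max_healthy_hits healthy hosts)."""
    return [CONTROLS[cat].format(value=value)
            for cat, value, hits in common_vectors(inventory, impacted)
            if hits <= max_healthy_hits]


if __name__ == "__main__":
    for cat, value, hits in common_vectors(INVENTORY, IMPACTED):
        print(f"{cat:20} {value:22} also on {hits} healthy host(s)")
    for control in containment_plan(INVENTORY, IMPACTED):
        print("->", control)
```

In the constructed scenario both the patch-management agent and one file share are common to every impacted host and rare among healthy ones, so both get a control; the AV agent is shared too but is on every healthy host as well, which is why the ranking, not the intersection alone, decides.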

As related to incident response and incident handling, organizations are reminded to:

  • Report the incident to US-CERT and/or ICS-CERT for tracking and correlation purposes, and
  • Preserve forensic data for use in internal investigation of the incident or for possible law enforcement purposes.

Wi-Fi-Hopping Malware Behaves Like Actual Virus

This malware is sick: The experimental “Chameleon” malware spreads rapidly among Wi-Fi networks in densely populated areas, much as a disease spreads through crowded urban areas.

Developed in a laboratory at the University of Liverpool in England, Chameleon is the first malware known to propagate by hopping from one Wi-Fi network to another.

“It was assumed … that it wasn’t possible to develop a virus that could attack Wi-Fi networks; but we demonstrated that this is possible and that it can spread quickly,” Alan Marshall, Professor of Network Security, said in a statement.

Chameleon is technically a worm, not a virus, because it replicates without human assistance by trying to crack the password of each new Wi-Fi router it encounters. Chameleon nevertheless behaves like a biological infectious organism, jumping among overlapping Wi-Fi networks as an airborne disease spreads among humans.

The researchers simulated Chameleon infections in London and Belfast and found that just a few infected devices can spread the worm to “thousands of infected devices within 24 hours.”

Furthermore, because Chameleon doesn’t migrate beyond Wi-Fi routers, it is undetectable to current anti-virus software, which scans for threats on computers and the Internet.

In its current state, Chameleon doesn’t do much more than replicate itself and identify poorly protected Wi-Fi networks, but the researchers say in their paper that such malware could be used to eavesdrop on Internet traffic, alter or destroy data packets or destroy an infected Wi-Fi router.

Chameleon doesn’t exist in the wild, so there’s no real risk of infection. The good news is a strong Wi-Fi password will keep your router safe from this kind of malware; if it can’t break into your router, it will simply move on to the next available one.

The bad news is that many commercial and private Wi-Fi networks have weak passwords, or simply aren’t password-protected at all.

In that sense, a Wi-Fi password is like a vaccine; having it will protect not only you, but the people (or Wi-Fi routers) around you as well.

360 million newly stolen credentials on black market

Retailers better start caring about their own computers soon.

BOSTON (Reuters) – A cybersecurity firm said on Tuesday that it uncovered stolen credentials from some 360 million accounts that are available for sale on cyber black markets, though it is unsure where they came from or what they can be used to access.

The discovery could represent more of a risk to consumers and companies than stolen credit card data because of the chance the sets of user names and passwords could open the door to online bank accounts, corporate networks, health records and virtually any other type of computer system.

Alex Holden, chief information security officer of Hold Security LLC, said in an interview that his firm obtained the data over the past three weeks, meaning an unprecedented amount of stolen credentials is available for sale underground.

“The sheer volume is overwhelming,” said Holden, whose firm last year helped uncover a major data breach at Adobe Systems Inc in which tens of millions of records were stolen.

Holden said he believes the 360 million records were obtained in separate attacks, including one that yielded some 105 million records, which would make it the largest single credential breach known to date.

He said he believes the credentials were stolen in breaches that have yet to be publicly reported. The companies attacked may remain unaware until they are notified by third parties who find evidence of the hacking, he said.

“We have staff working around the clock to identify the victims,” he said.

He has not provided any information about the attacks to other cybersecurity firms or authorities but intends to alert the companies involved if his staff can identify them.

The massive trove of credentials includes user names, which are typically email addresses, and passwords that in most cases are in unencrypted text. Holden said that in contrast, the Adobe breach, which he uncovered in October 2013, yielded tens of millions of records that had encrypted passwords, which made it more difficult for hackers to use them.

The email addresses are from major providers such as AOL Inc, Google Inc, Microsoft Corp and Yahoo Inc and almost all Fortune 500 companies and nonprofit organizations. Holden said he alerted one major email provider that is a client, but he declined to identify the company, citing a nondisclosure agreement.

Heather Bearfield, who runs the cybersecurity practice for accounting firm Marcum LLP, said she had no information about the information that Hold Security uncovered but that it was plausible for hackers to obtain such a large amount of data because these breaches are on the rise.

She said hackers can do far more harm with stolen credentials than with stolen payment cards, particularly when people use the same login and password for multiple accounts.

“They can get access to your actual bank account. That is huge,” Bearfield said. “That is not necessarily recoverable funds.”

After recent payment-card data breaches, including one at U.S. retailer Target, credit card companies stressed that consumers bear little risk because they are refunded rapidly for fraud losses.

In addition to the 360 million credentials, the criminals are selling some 1.25 billion email addresses, which would be of interest to spammers, Hold Security said in a statement on its website (http://bit.ly/1fo5fxx).

Rootkit? Another new trendy BS term? NO!!

We all know people like to change names and meanings of words just to make themselves cooler than the rest of us. (See: hipster.) The problem is that they usually fail and those of us that are used to them failing tune them out along with everything else they bring to the table. The term “rootkit” is not one of them. This is serious and here is why.

They’ve actually been around for two decades. Rootkits write themselves in between your operating system and your physical computer. They’re designed to remain hidden from everyone and all other programs, even the programs designed to find them. They are very hard to eradicate. They can move very easily between memory sticks and such, etc. In other words, these are the fantasy programs that you see on TV/movies doing all the really bad stuff. Well, no, not that bad. They can’t unlock your house, wash your cat or drive your boat around. They can, however, monitor your computer activity. All of it. It also gives the hacker full access to your PC… One more time. The hacker gets full access to your PC.

When one takes classes and reads more about malware eradication, then one understands how difficult they truly are. The first thing everyone teaches in classes is that to eradicate any machine they must be the first things to go. How do you find them? Well, I can tell you from experience that the main programs designed to protect computers are the first programs these little trolls protect themselves against. So the eradicator must use different tools. I have those tools and I am becoming better at using them every day, but the war continues. I know the hackers are out there writing new malware. All I can do is train the best I can, wait for a customer to get infected and hope I can fix it. So far, I have defeated all of them.

Top Ten Ways to Get Infected – How your online habits leave you and your computer at risk

Keeping safe online takes more than just installing a few security programs. To protect both you and your computer, here are the top ten bad habits you need to avoid.

1. Browsing the Web with JavaScript enabled by default

Today’s attackers are more likely to host their malicious files on the web. They may even update those files constantly using automated tools that repackage the binary in an attempt to bypass signature-based scanners. Whether through social engineering or through website exploit, the choice of browser will be of little help. All browsers are equally susceptible to Web-based malware and this includes Firefox, Opera, and the much maligned Internet Explorer. Disabling JavaScript on all but the most trusted sites will go a long way towards safer web browsing.

2. Using Adobe Reader/Acrobat with default settings

Adobe Reader comes pre-installed on most computers. And even if you never use it, just the mere presence can leave your computer at risk. Vulnerabilities in Adobe Reader and Adobe Acrobat are the number one most common infection vector, bar none. Making sure you stay up-to-date with the latest version of Adobe products is imperative, but not foolproof. To use Adobe Reader (and Acrobat) safely, you need to make a few tweaks to its settings.

3. Clicking unsolicited links in email or IM

Malicious or fraudulent links in email and IM are a significant vector for both malware and social engineering attacks. Reading email in plain text can help identify potentially malicious or fraudulent links. Your best bet: avoid clicking any link in an email or IM that is received unexpectedly – particularly if you do not know the sender.

4. Clicking on popups that claim your computer is infected

Rogue scanners are a category of scam software sometimes referred to as scareware. Rogue scanners masquerade as antivirus, antispyware, or other security software, claiming the user’s system is infected in order to trick them into paying for a full version. Avoiding infection is easy – don’t fall for the bogus claims.

5. Logging in to an account from a link received in email, IM, or social networking

Never, ever log in to an account after being directed there via a link received in an email, IM, or social networking message (e.g., Facebook). If you do follow a link that instructs you to log in afterwards, close the page, then open a new page and visit the site using a previously bookmarked or known good link.

6. Not applying security patches for ALL programs

Chances are, there are dozens of security vulnerabilities waiting to be exploited on your system. And it’s not just Windows patches you need to be concerned with. Adobe Flash, Acrobat Reader, Apple Quicktime, Sun Java and a bevy of other third-party apps typically host security vulnerabilities waiting to be exploited. The free Secunia Software Inspector helps you quickly discover which programs need patching – and where to get it.

7. Assuming your antivirus provides 100% protection

So you have antivirus installed and are keeping it up-to-date. That’s a great start. But don’t believe everything your antivirus does (or rather doesn’t) tell you. Even the most current antivirus can easily miss new malware – and attackers routinely release tens of thousands of new malware variants each month. Hence the importance of following all the tips provided on this page.

8. Not using antivirus software

Many (probably infected) users mistakenly believe they can avoid malware simply by being ‘smart’. They labor under the dangerous misconception that somehow malware always asks permission before it installs itself. The vast majority of today’s malware is delivered silently, via the Web, by exploiting vulnerabilities in software. Antivirus software is must-have protection.

Of course, out-of-date antivirus is almost as bad as no antivirus software at all. Make sure your antivirus software is configured to automatically check for updates as frequently as the program will allow or a minimum of once per day.

9. Not using a firewall on your computer

Not using a firewall is akin to leaving your front door wide open on a busy street. There are several free firewall options available today – including the built-in firewall in Windows XP and Vista. Be sure to choose a firewall that offers both inbound and (as importantly) outbound protection.

10. Falling for phishing or other social engineering scams

Just as the Internet makes it easier for legitimate pursuits, it also makes it easier for scammers, con artists, and other online miscreants to carry out their virtual crimes – impacting our real life finances, security, and peace of mind. Scammers often use sad sounding stories or promises of quick riches to hook us into being willing victims to their crimes. Exercising common sense is one of the best ways to avoid online scams. For extra help, consider installing one of the free anti-phishing toolbars.