RSS Feed
Sep 27

Cleaning an Infected USB Drive

Posted on Sunday, September 27, 2009 in Security News

Go to run
type cmd
press enter
in commad prompt type
del h:\autorun.* /f/s/q/a (where “h” is your USB Drive)
Press Enter
after this plug out your usb from usb port.
Plug it again.
Now your USB is virus free.

Also, it’s advised that anybody working in a domain environment turn off autorun of devices in their networks as a pre-caution against all worms (conficker/kido in particular).

How to use Group Policy settings to disable all Autorun features in Windows Server 2008 or Windows Vista

Use either of the following methods:

Method 1

  1. Click Start, type Gpedit.msc in the Start Search box, and then press ENTER.

If you are prompted for an administrator password or for confirmation, type the password, or click Allow.

  1. Under Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Autoplay Policies.
  2. In the Details pane, double-click Turn off Autoplay.
  3. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
  4. Restart the computer.

Method 2

  1. Click Start, type Gpedit.msc in the Start Search box, and then press ENTER.

If you are prompted for an administrator password or for confirmation, type the password, or click Allow.

  1. Under Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Autoplay Policies.
  2. In the Details pane, double-click Default Behavior for AutoRun.
  3. Click Enabled, and then select Do not execute any autorun commands in the Default Autorun behavior box to disable Autorun on all drives.
  4. Restart the computer.

How to use Group Policy settings to disable all Autorun features in Windows Server 2003, Windows XP Professional, and Windows 2000

  1. Click Start, click Run, type Gpedit.msc in the Open box, and then click OK.
  2. Under Computer Configuration, expand Administrative Templates, and then click System.
  3. In the Settings pane, right-click Turn off Autoplay, and then click Properties.Note In Windows 2000, the policy setting is named Disable Autoplay.

  4. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
  5. Click OK to close the Turn off Autoplay Properties dialog box.
  6. Restart the computer.
  • Share/Save/Bookmark
Comments (0) |
Sep 27

Latest Threats - New Clampi Variants

Posted on Sunday, September 27, 2009 in Security News

Backdoor.Win32.Clampi.a

Detection added Sep 23 2009
Description added Sep 25 2009
Behavior Backdoor
Technical details

This Trojan spy program is designed to steal confidential user data and remotely manage the victim machine. It is a Windows PE EXE file. It is 470 bytes in size.

Installation

When launched, the Trojan creates the following file:

%AppData%\<name>.exe

<name&gr; is chosen at random from the list below:

dumpreport
msiexeca
svchosts
upnpsvc
service
taskmon
rundll
helper
event
logon
sound
lsas

In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan adds a link to its executable file in the system registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
“<name2>” = %AppData%\<name>.exe|

<name2&gr; is chosen at random from the list below:

CrashDump
svchosts
EventLog
TaskMon
Windows
RunDll
System
Setup
Sound
lsass
UPNP
Init
Payload

The Trojan connects to servers to download and run malicious code. The server addresses are saved to the system registry key shown below:

HKCU\Software\Microsoft\Internet Explorer\Settings\"GatesList"

The Trojan saves its settings to the registry keys shown below:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"GID"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"KeyM"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"KeyE"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"PID

The malicious code downloaded from the servers is designed to harvest information from the victim machine (user name, login data, program passwords, local and network passwords).

The Trojan can also be configured to steal login and password data for Internet banking systems by substituting spoofed pages for genuine banking system pages. The program targets popular financial organizations such as the ones listed below:

https://www.hsbc.co.uk
https://www.mybusinessbank.co.uk
https://investing.schwab.com

The Trojan will regularly download updates to its code and additional modules. The programs downloaded include:

  • Trojan programs designed to steal bank account data
  • Trojans designed to steal passwords to common applications such as:

Browsers

IE Password Protected Sites IE AutoComplete Fields Firefox OperaMessengers

MSN Messenger
ICQ
IRQ
Trillian
Miranda IM
Camfrog Video Chat
Easy Web Cam
Google Talk
FTP Programs

Total Commander
WS FTP
SecureFX FTP
WebDrive Ftp
FtpVoyager
AutoFTP
FTP Control
32bit Ftp
FTP Navigator
Far FTP
FlashFXP FTP
CuteFTP
CoffeeCup FTP
FileZilla FTP
FTP Now
CoreFTP
SmartFTP
Other Programs

Outlook Express
Dial Up
VNC
Remote Desktop
WinProxy
Google Desktop

Network propagation

In order to spread via the local network, the Trojan ties to copy itself to network machines by using ipc$ and admin$ and also shared folders. In order to launch itself on networked machines, the Trojan uses a legitimate utility, Sysinternal’s psexec.exe.

Note

In order to prevent the malicious program spreading via networks, servers used by domain administrators should be disinfected. Additionally strong passwords should be used on local machines.

The Trojan downloads a variety of code from servers. This code can be modified or replaced with other malicious code. At the time of writing, the Trojan was configured to connect to the addresses listed below:

panel.***boora.cn
147.202.39.***
174.36.82.***
195.12.38.***
195.189.247.***
195.225.236.***
205.234.231.***
209.51.159.***
209.85.120.***
61.153.3.***
64.18.143.***
66.128.55.***
66.199.237.***
66.199.237.***
66.225.237.***
66.7.197.***
75.102.23.***

The Trojan only runs on English versions of Windows.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the malicious process.
  2. Delete the original backdoor file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the file created by the backdoor: 
    %AppData%\<name>.exe
  4. Delete the following system registry key: 
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<name2>" = %AppData%\<name>.exe

    Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

  • Share/Save/Bookmark
Comments (0) |
Apr 13

Twitter cleans up after weekend worm attacks

Posted on Monday, April 13, 2009 in Exploits, twitter, worm

Twitter security engineers were cleaning up on Monday following a series of worm attacks over the weekend, including at least two credited to a bored 17-year-old.

In the first attack, which began early on Saturday, four new accounts began spreading a worm, compromising about 90 accounts, Twitter co-founder Biz Stone wrote in a posting on the Twitter blog.

The worms appeared to do no damage other than spread to infected users’ followers and modify profile pages. You can get infected just by clicking on the name or image of someone whose account was infected.

Later that afternoon, about 100 accounts were compromised in a second wave, followed by another wave on Sunday morning, he wrote. Nearly 10,000 tweets that could have spread the worm were deleted, according to Stone.

Late on Sunday and into Monday morning, Twitter fended off another attack, he said. “Once again, we secured the compromised accounts and deleted any material that would further propagate the worm,” he wrote. Stone declined an interview request from CNET News, saying he didn’t have time.

The worms exploit a common vulnerability in Web applications called cross-site scripting, which allows someone to inject code into Web pages others are viewing.

In this instance, Twitter users who clicked on the name or image of anyone sending the worm messages would get infected and then send the message on to all that person’s followers. Anyone viewing an infected user’s profile would also get infected and pass the worm on.

via Latest Security News - CNET News.

  • Share/Save/Bookmark
Comments (0) | Tags: , , ,
Apr 12

Report: Conficker worm bites University of Utah

Posted on Sunday, April 12, 2009 in Malware, conficker, kido

More than 700 computers at the University of Utah have been infected with the Conficker worm.

The hit includes computers at the university’s three hospitals, the Associated Press reported early Sunday.

University spokesman Chris Nelson said the outbreak was detected Thursday, the AP reported. By the next day, the worm had struck at the hospitals, medical school, and the nursing, pharmacy, and health colleges.

Patient records have not been touched, Nelson said. IT cut off Net access for up to six hours on Friday in order to isolate the virus, the AP reported.

via Report: Conficker worm bites University of Utah | Security - CNET News.

  • Share/Save/Bookmark
Comments (0) | Tags: , , ,
Apr 12

Teen takes responsibility for Twitter worms

Posted on Sunday, April 12, 2009 in Exploits, Malware, worm

As a second Twitter exploit began circulating on the micro-blogging site Sunday, a teen-ager from Brooklyn told CNET News he created both worms because he was bored and wanted to draw attention to the Twitter flaw.

Much like Saturday’s StalkDaily worm, the “Mikeyy” worm posts unwanted messages to users’ pages. The “Mikeyy” worm began spreading on the micro-blogging site early Sunday, posting messages such as “Mikeyy I am done…,” “MikeyyMikeyy is done.,” and “Twitter please fix this, regards Mikeyy.”

Brooklyn resident Michael “Mikeyy” Mooney, 17, told CNET News in an interview that he created the worm “out of boredom.”

“I thought about it later and basically did it because I was bored,” he said. “And I didn’t think Twitter would fix (the flaw) very soon. But I didn’t think it would spread as far or as fast as it did.”

Mooney, a high school senior who said one day he hopes to get a job as a security analyst, said he has been creating worms for about three years. He added that the worms he creates aren’t designed to do much damage but that this will likely be his last worm.

“I’m done with Twitter,” he said, adding that he was feeling a bit overwhelmed. “I’ve been getting too much attention lately.”

Mooney said his site has has been live to the public for about two weeks and has 905 members, but that it “is growing quickly because of the worm.”

The messages circulating Saturday promoted StalkDaily.com, a short-messaging site similar to Twitter. While initially denying any responsibility for the worm, StalkDaily.com posted a message saying, “I have came clean and have accepted the responsibility for the worm…”

Twitter said it has closed the hole that allowed the worm to spread.

“We’ve taken steps to remove the offending updates, and to close the holes that allowed this ‘worm’ to spread,” Twitter said in a statement Saturday. “No passwords, phone numbers, or other sensitive information were compromised as part of this attack.”

However, Mooney said he released the second worm exploiting the original flaw Sunday morning, after Twitter claimed to have closed the holes. He also said that he had not yet been contacted by Twitter representatives.

via Teen takes responsibility for Twitter worms | Security - CNET News.

  • Share/Save/Bookmark
Comment (1) | Tags: , , ,
« Previous Posts
WordPress Loves AJAX