Steps to Stay Away from Shark Ransomware

Shark, a new Ransomware kit, is being offered for free on the open web, according to recent research.

What is Shark Ransomware?

Shark is a ‘Ransomware as a Service’ (RaaS) kit, which allows would-be cyber-criminals to build their own customized Ransomware with little or no technical knowledge. In addition, the Ransomware claims to use a fast encryption algorithm, supports multiple languages, and is advertised as “undetectable” by antivirus software. The Shark website is hosted on a publicly accessible server, which is unusual: cyber-criminals normally use the Tor network, which allows them to remain anonymous.

Working of Shark Ransomware

Would-be attackers download a .zip file containing the Ransomware configuration builder and a text file with a warning note, which tells them to use a virtual machine when working with the contents of the .zip file. Once the configuration is entered, a Base64-encoded version of it is generated. With the configuration done, the cyber-criminals then have to distribute the Ransomware themselves.

Once executed, it creates an entry in the Windows Registry. It then encrypts files with the configured extensions, such as .pdf, .doc, .xls and .ppt, and appends the .locked extension to each encrypted file. Once encryption is complete, a ransom note is presented to the user with instructions on how to pay; victims can view these instructions in 30 different languages. The victim has to enter an e-mail address and then pay the ransom to a specific Bitcoin address.

Solutions

  • Keep your antivirus software (such as eScan) updated regularly; up-to-date signatures and behaviour monitoring are your first line of defence against Malware.
  • Always download apps from their official website or from Google Play instead of unknown sources; third-party app stores often continue to offer apps that have been removed for being malicious.
  • Download applications only from reliable developers, and check the user ratings and reviews of an app before installing it.
  • Ensure that all the software installed on your systems is updated frequently, including Oracle Java and Adobe products.
  • Implement a three-dimensional security policy in your organization: first understand your requirements and prepare the IT security policy accordingly, secondly educate your staff about the policy, and finally enforce it.
  • Implement MailScan at the gateway level or enable Mail Anti-Virus on the endpoint in order to block attachments with extensions such as *.EXE, *.SCR, *.JS and *.VBE, including when they are packed inside archives. Such attachments can infect your system.
  • Open e-mail attachments only if you are certain about the source.
  • Regularly back up your important files, and keep at least one copy offline so that Ransomware cannot encrypt the backup as well.
Posted in eScan 11, eScan 14, MailScan, Security

Scammers Eyeing Rio Olympics

As you gear up to cheer for your country at the Olympics, cyber-criminals are leaving no stone unturned to trap sports fans with a variety of tactics: Ransomware, Trojans, Botnets, phishing and lottery scams.

Ransomware

Half of the year has passed and we have already seen Ransomware such as Locky, Petya, Samas and Android.Trojan.SLocker.CV attacking individual computers, personal mobile phones and business organizations. According to eScan research, cyber-crooks will rely on social engineering to lure Olympic fans into clicking on links or handing over their account credentials. Recipients who presume an e-mail to be genuine unknowingly download the Ransomware by opening the attached file or visiting the linked malicious website. Ransomware may also be delivered via drive-by download attacks on compromised websites: a drive-by download is malicious code that is downloaded to a computer without the user’s consent or knowledge, typically by exploiting a vulnerability in the browser or one of its plug-ins. Malware delivered this way is usually classified as a Trojan horse, because the user is deceived about the nature of the website or e-mail that delivered it.

Botnet

eScan expects the culprits also to make use of Botnets to deceive users. The word Botnet is coined from ‘robot’ and ‘network’: a Botnet is a large number of infected PCs, each turned into a ‘zombie’ or ‘bot’, controlled through a command-and-control server that relays the attacker’s instructions to every infected device. The cyber-criminal thereby acts as the master of a large ‘zombie network’ capable of delivering a Distributed Denial of Service (DDoS) attack or a huge spam campaign, such as the Olympic-themed phishing and lottery mails described below.

Recently we have come across various scams involving the Rio 2016 Olympic Games. We would like to alert our users so that they do not become victims.

Phishing

According to US-CERT, Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing e-mails are crafted to appear as if they have been sent from a legitimate organization or known individual. These e-mails often attempt to entice users to click on a link that will take them to a fraudulent website that appears legitimate. The user may then be asked to provide personal information, such as account usernames and passwords, which can further expose them to future compromises. Cyber-criminals see opportunities in global events, and the 2016 Olympic Games are no exception. Given the high demand for tickets, criminals have registered many domain names containing “rio” and “rio2016” and built fake websites on them to sell fake Olympic tickets to sports fans. According to the Wall Street Journal, there is an underground market for SSL certificates: a certificate only ensures an encrypted connection between the server and the browser, but the padlock it produces makes a fake site look legitimate to visitors. The business model is simple: recipients are asked to provide personal information, including sensitive details such as bank account and card numbers, in order to purchase the tickets.
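The lookalike-domain trick described above can be caught mechanically. The following is an added example written for this page, not eScan code: it pulls URLs out of e-mail text, reduces each host to its registrable domain, and flags hosts that carry the event’s brand keywords but are not the official domain. The official hostname, the keyword list and the sample e-mails are assumptions constructed for the illustration. Note that the scheme is ignored on purpose: an https:// link with a valid certificate is classified exactly like an http:// one.

```python
"""Flag lookalike Olympic-ticket domains in URLs found in e-mail text.

Added example, not eScan's code. OFFICIAL_DOMAINS, BRAND_KEYWORDS and the
sample e-mails are assumptions constructed for this illustration.
"""
import re
from urllib.parse import urlparse

# Assumption: the only legitimate ticketing domain for this campaign.
OFFICIAL_DOMAINS = {"rio2016.com"}
# "rio" alone is broad (it matches e.g. "mario"), so hits go to a review
# queue rather than being blocked outright.
BRAND_KEYWORDS = ("rio2016", "rio", "olympic")

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def registrable_domain(hostname: str) -> str:
    """Last two labels of the host. Good enough for .com/.net; production
    code should use the Public Suffix List to handle ccTLDs like .com.br."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for one URL.

    The scheme is deliberately ignored: a valid certificate on https://
    proves only that the connection is encrypted, not who owns the site.
    """
    host = (urlparse(url).hostname or "").lower()
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return "official"
    # Match on the full hostname so that both rio2016-tickets.com and
    # tickets.rio-2016.example.net are caught.
    if any(keyword in host for keyword in BRAND_KEYWORDS):
        return "lookalike"
    return "unrelated"


def suspicious_urls(message_text: str) -> list[str]:
    """All URLs in one message that are brand lookalikes."""
    return [u for u in URL_RE.findall(message_text) if classify_url(u) == "lookalike"]


# Constructed sample e-mails (not real campaign data).
SAMPLE_EMAILS = [
    "Buy your tickets now at https://www.rio2016.com/tickets",
    "Last chance! Secure checkout: https://rio2016-tickets-official.com/pay",
    "Congratulations, claim here: http://tickets.rio-2016.olympicprizes.net/claim",
    "Read our newsletter at https://example.org/news",
]

if __name__ == "__main__":
    for mail in SAMPLE_EMAILS:
        for url in URL_RE.findall(mail):
            print(f"{classify_url(url):10s} {url}")
```

Run as a script it prints one verdict per URL; `suspicious_urls()` is the hook a mail filter would call per message. The second and third sample mails are flagged even though one of them uses https, which is the point of the check.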

Lottery Scams

Cyber-crooks are sending e-mails written in English and Portuguese that tell recipients they have won a ticket lottery organized by the International Olympic Committee and the Brazilian Government. The spammers attempt to convince recipients that their e-mail addresses were chosen at random from a large list. To claim the prize, the victim has to reply to the e-mail and furnish personal information.

How To Stay Safe?

  • Use a trustworthy Anti-Virus and Anti-Spyware product (such as eScan) and keep it updated; it protects your system against known Malware.
  • Always download apps from their official website or from Google Play instead of unknown sources; third-party app stores often continue to offer apps that have been removed for being malicious.
  • Download applications only from reliable developers, and check the user ratings and reviews of an app before installing it.
  • Ensure that all the software installed on your system is updated frequently, including Oracle Java and Adobe products.
  • Implement a three-dimensional security policy in your organization: first understand your requirements and prepare the IT security policy accordingly, secondly educate your staff about the policy, and finally enforce it.
  • Implement MailScan at the gateway level or enable Mail Anti-Virus on the endpoint in order to block attachments with extensions such as *.EXE, *.SCR, *.JS and *.VBE. Such attachments can infect your system.
  • Open e-mail attachments only if you are certain about the source.
  • Always check for the “https” prefix before entering any financial information online, but remember that “https” alone proves only that the connection is encrypted, not that the site is genuine: check that the domain is the official one.
  • Never send or reply to e-mails that ask for sensitive information such as credit card numbers, PINs (Personal Identification Numbers) or bank account numbers.
  • Avoid using your debit/credit card more than necessary, to stay safe from POS (Point-of-Sale) skimming and card-cloning frauds, which are expected to rise in Rio during the Olympics.
  • Lastly, avoid prolonged sessions on public Wi-Fi in the Olympic zones unless something is important or urgent.
Posted in eScan 11, eScan 14, MailScan, Security

eScan Advisory on Ransomware

Ransomware is in the news again! Social media, e-mail and discussion forums are full of reports about the various Ransomware families and their effects on the devices they infect. eScan has revisited its research and updated its advisory on the subject.

Overview of Ransomware

Half of the year has passed and we have already seen Ransomware such as Locky, Petya, Samas and Android.Trojan.SLocker.CV attacking individual computers, personal mobile phones and business organizations. We had already predicted in our threat forecast that “Ransomware creators would be looking to target new operating systems such as Mac”, and KeRanger turned out to be the first Ransomware to target Mac OS X systems.

What is Ransomware?

According to US-CERT, Ransomware is a type of malware that infects a computer and restricts a user’s access to it. This malware, which has now been observed for several years, attempts to extort money from victims by displaying an on-screen alert. These alerts often state that the computer has been locked or that all files have been encrypted, and demand that a ransom be paid to restore access. The ransom is typically in the range of $100–$300 and is sometimes demanded in virtual currency such as Bitcoin.

How does it spread?

Locky Ransomware arrives in the user’s inbox as highly obfuscated JavaScript (a file with the .JS extension) inside an archive attached to a spam mail, usually pretending to be an official document. Opening the attachment is enough to compromise the system: Windows hands the script to Windows Script Host, which downloads and executes the Ransomware payload. The same files can also spread via file-sharing services and social networking sites, where they may be presented to the user as something useful or required, such as an update.

Petya, another destructive Ransomware, is transmitted through spam e-mails targeting business users and pretending to contain job applications. For instance, HR personnel receive a Dropbox link to a file that pretends to be the résumé of a candidate seeking a position in the company. Opening the file leads to the installation of the Ransomware.

Impact

Ransomware does not only target individuals; businesses and governments can also fall victim to it. Around 150 computers at Mantralaya, the headquarters of the Maharashtra Government, were attacked by Locky. Paying the ransom does not guarantee that the encrypted files will be released.

Solution

  • Keep your antivirus software (such as eScan) updated regularly; up-to-date signatures and behaviour monitoring are your first line of defence against Malware.
  • Always download apps from their official website or from Google Play instead of unknown sources; third-party app stores often continue to offer apps that have been removed for being malicious.
  • Download applications only from reliable developers, and check the user ratings and reviews of an app before installing it.
  • Ensure that all the software installed on your system is updated frequently, including Oracle Java and Adobe products.
  • Implement a three-dimensional security policy in your organization: first understand your requirements and prepare the IT security policy accordingly, secondly educate your staff about the policy, and finally enforce it.
  • Implement MailScan at the gateway level or enable Mail Anti-Virus on the endpoint in order to block attachments with extensions such as *.EXE, *.SCR, *.JS and *.VBE, including when they are packed inside archives, as in the Locky case above. Such attachments can infect your system.
  • Open e-mail attachments only if you are certain about the source.
  • Regularly back up your important files, and keep at least one copy offline so that Ransomware cannot encrypt the backup as well.
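The Locky delivery chain described under “How does it spread?” and the attachment-blocking tip above come together in the following added example. It is not MailScan or eScan code; it is a minimal gateway-style policy filter written for this page with the Python standard library. It parses a raw e-mail, rejects attachments whose extension is on the block list named in the advisory (.EXE, .SCR, .JS, .VBE), and, because Locky hides its .JS inside an archive, also opens ZIP attachments and inspects the file names inside. The extra extensions .VBS, .JSE and .WSF, the sample message and the file names are assumptions of the example; the embedded “script” is a harmless one-line placeholder, not malware.

```python
"""Reject e-mail attachments that can launch code, including scripts hidden
inside ZIP archives.

Added example, not eScan/MailScan code. The block list follows the
extensions named in the advisory (.EXE, .SCR, .JS, .VBE); .VBS, .JSE and
.WSF are added here as an assumption because Windows Script Host runs them
too. The sample message is constructed and contains no real malware.
"""
import io
import zipfile
from email import policy as email_policy
from email.message import EmailMessage
from email.parser import BytesParser

BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbe", ".vbs", ".wsf"}
ARCHIVE_EXTENSIONS = {".zip"}
ZIP_MAGIC = b"PK\x03\x04"  # local file header; catches renamed archives


def _ext(name: str) -> str:
    """Lower-cased final extension of a file name ('' if none).
    Uses the last dot, so invoice.pdf.js is seen as .js."""
    base = name.lower().rsplit("/", 1)[-1]
    return base[base.rfind("."):] if "." in base else ""


def blocked_names_in_zip(data: bytes) -> list[str]:
    """File names inside a ZIP payload whose extension is blocked.
    A corrupt archive is reported as one finding so that it is quarantined
    rather than silently passed through."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist()
                    if _ext(i.filename) in BLOCKED_EXTENSIONS]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]


def scan_message(raw: bytes) -> list[str]:
    """Return the reasons to reject a raw RFC 5322 message; [] means allow."""
    msg = BytesParser(policy=email_policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = _ext(filename)
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"{filename}: executable attachment")
        elif ext in ARCHIVE_EXTENSIONS or payload.startswith(ZIP_MAGIC):
            for inner in blocked_names_in_zip(payload):
                findings.append(f"{filename} -> {inner}: script inside archive")
    return findings


def build_sample_message() -> bytes:
    """Constructed Locky-style lure: an 'invoice' ZIP holding a .js file.
    The script body is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2016_08.js", "var a = 1; // placeholder, not a dropper\n")
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice_2016_08.zip")
    return bytes(msg)


if __name__ == "__main__":
    for reason in scan_message(build_sample_message()):
        print("REJECT:", reason)
```

The sample message is rejected with a single finding pointing at the .js inside the archive. The filter deliberately does not recurse into nested archives or open password-protected ZIPs (whose file names are still readable, so a .js inside one is still caught); a production gateway would also treat a ZIP it cannot fully inspect as suspicious, which is what the `<unreadable archive>` finding does for corrupt data.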

Posted in eScan 11, eScan 14, MailScan, Security

Trojans Squeeze the Life out of Android

Is your Android phone infected with a Trojan horse? You are minding your own business when your Android phone dings and you see that a close friend has texted you a link with some pictures. Most of us would tap the link without stopping to think whether it is unusual that he or she has suddenly taken up texting selfies, and could unwittingly become the victim of a mobile Trojan scam.

Until now the Windows operating system has been the favourite target of Trojan horses. With the penetration of smartphones in the market, however, users’ hands are never idle, and mobile operating systems have become an equally attractive target for Trojan writers. Once a user has installed one of the malicious apps, the Trojan collects nearly 30 different types of information about the user’s device and transmits them to a remote server operated by the attacker. One Android Trojan that displays unwanted ads and installs nuisance software has been discovered on Android smartphones; its module is able to “remotely update the operating system, collect information, display notifications (including advertising ones), and make mobile payments.”

There are many ways to get a mobile device infected with an Android Trojan. For example, when you browse online or try to watch a video, you may be shown a prompt saying that you are missing a plug-in and be told to download software called Video Player or an Adobe Flash Player update. Once you install and open the downloaded software, it turns out to be an Android Trojan and your phone screen is locked right away. Alternatively, the virus can be disguised as an .mp4 file or as an APK file bundled with spam e-mails. According to the research, more than 15,000 spam e-mails containing malicious files hit the inboxes of Android users in the last few days. Users should be cautious and take the necessary measures to avoid such infections.

In some cases the virus attacks only the web browser instead of taking over the whole phone screen: the Android Trojan hijacks your Internet connection, no longer lets you go online, and demands payment to restore full access to the phone.

Trojans are malicious programs that can perform all sorts of dangerous actions on your smartphone or tablet. For example, this malware can send SMS messages to premium-rate numbers, read your SMS messages and even block them. It can also request USSD codes to activate value-added services that cost you money on your mobile account.

Some Trojans obtain root privileges through a vulnerability in your Android phone and can then do anything they like. If they gain device-administrator privileges, you cannot simply uninstall the Trojan from your Android phone until those privileges are revoked. Other Android Trojans steal your private information and leak your mobile data. Once the Trojan has collected your personal information, the details are sent back to a database where they are logged, from which the operators of the Trojan can retrieve them and use them elsewhere.

Once launched, the Trojan transmits the following information about the device to the server:

  • OS version
  • SDK system version
  • Device model
  • Screen resolution
  • CPU type
  • IMEI identifier
  • ISO country code
  • Android build version
  • Cell phone number
  • SIM serial number
  • User’s location
  • Network subtype
  • Availability of root access
  • The current version number of the Trojan
  • Generated unique user ID for phone
  • Network connection type
  • Mobile network operator
  • E-mail address connected to a Google user account
  • Google Cloud Messaging identifier (GCM id)
  • The “user agent” parameter generated using a special algorithm
  • Whether an infected application has administrator privileges
  • Name of an infected application
  • Presence of a Google Play application on the device

In addition to the initial information sent to the C&C (command-and-control) server, the operators can remotely request many more functions, such as:

  • Download an APK and prompt user to install it
  • Get call logs
  • Get SMS inbox
  • Get bookmarks
  • Get contacts
  • Get list of installed apps
  • Lock the screen
  • Redirect calls to a specific number
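Every capability in the two lists above needs a corresponding permission or component in the app’s AndroidManifest.xml, which is what a malware analyst looks at first after decoding an APK. The following is an added example written for this page, not eScan code: it parses a decoded manifest (the text form tools such as apktool produce), maps the declared permissions back to the capabilities described in this article (SMS interception, premium SMS, call redirection, call-log and contact theft, IMEI/SIM collection, location, Google account e-mail, lock-screen overlays) and checks whether the app asks for device-administrator rights, which is what makes the Trojan hard to uninstall. The capability-to-permission mapping is an assumption based on the standard Android permission model, the scoring is arbitrary, and the sample manifest of a fake “Video Player” is constructed, not a real sample.

```python
"""Triage a decoded AndroidManifest.xml for Trojan-like capabilities.

Added example, not eScan code. CAPABILITY_PERMISSIONS is an assumption
based on the standard Android permission model; SAMPLE_MANIFEST is a
constructed fake "Video Player" dropper, not a real malware sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's Clark notation for android:* attrs

# Capability from the article -> permissions an app needs for it.
CAPABILITY_PERMISSIONS = {
    "read/intercept SMS (premium-SMS fraud, OTP theft)": {
        "android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "send SMS to premium numbers": {"android.permission.SEND_SMS"},
    "dial USSD codes / redirect calls": {"android.permission.CALL_PHONE"},
    "exfiltrate call logs": {"android.permission.READ_CALL_LOG"},
    "exfiltrate contacts": {"android.permission.READ_CONTACTS"},
    "collect IMEI, phone number, SIM serial": {"android.permission.READ_PHONE_STATE"},
    "track location": {"android.permission.ACCESS_FINE_LOCATION",
                       "android.permission.ACCESS_COARSE_LOCATION"},
    "read Google account e-mail": {"android.permission.GET_ACCOUNTS"},
    "draw lock-screen overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}


def declared_permissions(manifest_xml: str) -> set[str]:
    """All <uses-permission android:name=...> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {p.get(A + "name") for p in root.iter("uses-permission")}


def requests_device_admin(manifest_xml: str) -> bool:
    """True if a receiver is guarded by BIND_DEVICE_ADMIN, i.e. the app will
    ask for device-administrator rights (what blocks a plain uninstall)."""
    root = ET.fromstring(manifest_xml)
    return any(r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
               for r in root.iter("receiver"))


def triage(manifest_xml: str) -> dict:
    """Capabilities implied by the permissions, plus a crude risk score:
    one point per capability, three for device admin (assumption)."""
    perms = declared_permissions(manifest_xml)
    caps = [cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed]
    admin = requests_device_admin(manifest_xml)
    return {"capabilities": caps, "device_admin": admin,
            "score": len(caps) + (3 if admin else 0)}


# Constructed manifest of a fake "Video Player" dropper (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Video Player">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    for cap in result["capabilities"]:
        print("capability:", cap)
    print("device admin:", result["device_admin"], "| score:", result["score"])
```

A video player has no business asking for SMS, call-log or device-administrator access, so the sample scores high on every axis. Real triage would pair this with the receiver and service declarations (boot persistence, SMS receivers with high priority) and with the permissions the app actually uses at runtime, but the manifest alone already separates this sample from a benign media app that declares only INTERNET.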

Possible Damage Caused by an Android Trojan:

  • It takes control of your mobile phone as soon as it is installed.
  • It presents itself as a legitimate warning and then asks for a payment.
  • It does not allow you to change your phone settings or open Google Play to download an antivirus program.
  • It may damage your data and the Android system.
  • It does not let you power off the phone or do anything other than the inputs related to the demand for money.

How to Remove this Trojan

To remove this Trojan, a factory reset is recommended. Back up your data first, since a reset wipes the phone, and because different smartphones have different ways of starting a factory reset or Safe Mode, it is advisable to take the phone to an expert. If the Trojan holds device-administrator rights, those must be revoked in the phone’s security settings before the app can be uninstalled.

Safety Tips to Prevent Infection

  1. Always install apps from Google Play or official sites.
  2. Turn off Bluetooth when not in use.
  3. Install reliable mobile security software that automatically scans apps before they run for the first time.
  4. Take regular backups of the important data on your phone to the cloud or to external storage.
  5. Before connecting your mobile device to any computer, ensure that the computer is protected with multi-layered antivirus software.
  6. Avoid clicking links in unknown and unsolicited e-mails and SMS messages.
  7. Keep your mobile apps updated to their latest versions, and ensure that your mobile OS is updated too.

eScan strongly recommends that Android users pay careful attention to the applications they download and install only programs developed by reputable companies. eScan for Android detects and removes all known modifications of this Android Trojan, so it poses no threat to users who keep their protection up to date.

Posted in eScan 11