Malwareaware


Saturday, 30 November 2013

Cyber Monday survival guide Part 2

Posted on 07:16 by Unknown
This is part 2 of my two-part series.

For Part 1, go here: http://malwareaware.blogspot.com/2013/11/cyber-monday-survival-guide-part-1.html

Tip #5: Scan the computer you are using for malware.
If the computer you are using is already compromised, you might as well broadcast your personal information: every card number and password you type goes straight to whoever owns the infection. Making sure that the computer is clean before you shop puts the odds back in your favor.

Tip #6: Use strong passwords.
Strong passwords make it harder for cybercriminals to break into your accounts, and using a different one for each shop means that one breached retailer does not hand them the rest. I have talked about strong and secure passwords before.

Tip #7: Avoid strange computers whenever possible.
Computers are a bit like public restrooms: if it is not yours and you do not know who has been in it, you do not know what has been going on in there. Which is one of the reasons why I am afraid of public restrooms.
Computers are worse. Nobody can install malware on a toilet (yet), but a keylogger on a hotel or library computer captures every card number and password you type, and you have no way of telling that it is there.

Tip #8: Beware of fake deals you get in your inbox.
Unless you are on a company's mailing list or have bought from them before, you should not be getting offers from them by email. Even when an offer looks genuine, reach the shop by typing its address into your browser rather than by clicking the link in the message. This advice also applies to social media websites. And do not fall for coupon scams that ask for personal information in exchange for a chance to win some big prize.

Tip #9: Trust your intuition.
You know what they say: if it looks, sounds, or feels too good to be true, it probably is. This advice should not be lost on anyone. If something just does not feel right to you, it is at least worth a closer look. The most you have to lose is a few minutes of your time, while you stand to gain the knowledge to make the right choice.

Tip #10: Delete your internet history.
Remember how you said that you were going to be "napping"? If anyone in your family is a cyber detective like me, you are likely going to want to keep all this from them.
In Firefox: Click on the orange Firefox tab in the upper left hand corner, then go to History, then click Clear Recent History. Make sure all checkboxes in the new window are checked, and set the time range to cover however long you have been "napping".

Google Chrome: Click the options icon in the upper right hand corner, go to History, then click Clear browsing data and tick everything for the same time range.
Internet Explorer: Click on the options cog in the upper right hand corner, then go over to Safety, then click Delete browsing history, then make sure all checkboxes are checked with the exception of "Preserve Favorites website data".

Please tread carefully if you are using a computer that is not yours: clearing everything may also wipe the owner's saved logins and form entries. If you know in advance that you will be shopping on a shared computer, a private window (Private Browsing in Firefox, Incognito in Chrome, InPrivate in Internet Explorer) keeps history, cookies and form entries from being written in the first place. By and large, the true decision of what to delete and what to leave is to be made on a case by case basis.

Thank you for reading. I invite readers to comment with any questions or comments.

Tuesday, 26 November 2013


How to remove Windows Cleaning Toolkit (Rogue)

Posted on 06:51 by Unknown
Alright, there's a new rogue antivirus program making the rounds called Windows Cleaning Toolkit. It's part of the same family as Windows Expert Console, and thus will have the same removal guide.

For those of you who do not know, a rogue antivirus program is a piece of malware that pretends to be an antivirus program. It runs a fake scan and reports threats that are not actually on your computer, to frighten you into paying for it.

A removal guide follows. This one is a bit different from the rest, but it is the simplest way to remove it.

Step #1: On the scanner which tells you that you are "infected" click Remove All. And yes, this seems counter-intuitive considering that it is a rogue, but just go with it and stay with me on this.

Step #2: On the new web page that opens, you should see a button on the bottom right of the screen that says "Click here if you already have an Activation Code." Click on that button.

Step #3: Put in the following activation code: 0W000-000B0-00T00-E0020
Please note that if you are on the infected computer while reading this guide, you can copy and paste this code in.

Step #4: Even though the rogue is now subdued, it could still interfere with removal, so we must run Rkill. Download it here as the copy named iExplore.exe (Rkill is offered under several file names because rogues often block the real one): http://www.bleepingcomputer.com/download/rkill/

Step #5: Run the downloaded executable. It will open a black command window; this is normal. Once that window has closed on its own, proceed to step 6.

Step #6: Download Malwarebytes Anti-Malware from here: http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

Step #7: Run the downloaded installer and install Malwarebytes Anti-Malware.

Step #8: Once the program is installed, it will automatically open a window. Once this window is open, click Perform Full Scan, and then click the scan button.

Step #9: As this scan will take some time, do something else while staying close enough to the computer to check on the scan every once in a while. Once the scan is complete, proceed to step 10.

Step #10: When the scan is complete, it will open a message box. Click OK, and then click show results.

Step #11: Click Remove Selected. If Malwarebytes prompts you to restart your computer, please allow it to do so.

Step #12: Enjoy your computer which should now be free of Windows Cleaning Toolkit.

Update: 11/27/2013 8:30 AM CST.
---------------------------------------------------------------------------------------------------------------

I've received reports that in more than a few cases, the above removal guide does not work properly. After further investigation, the culprit seems to be another variant of this rogue with the same name. If this is the case with you and the guide does not work, please follow these instructions to help you manually remove the rogue.

Step #1: Reboot your computer. As soon as you see anything on your screen, start tapping the F8 key so that you get the boot menu before Windows starts loading.

Step #2: On the boot menu, choose Safe Mode with Command Prompt.

Step #3: Once the computer has started up, in the command prompt window, type in regedit and press enter.

Step #4: On the left side of the new window, navigate to the following location: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\

Step #5: Highlight Winlogon.

Step #6: Double-click Shell, clear the entry and replace it with explorer.exe (no quotes). The rogue hijacks this value so that it, rather than the Windows desktop, starts when you log on.
 
Step #7: In the command prompt window, type explorer.exe and press Enter.
 
Step #8: Navigate to %appdata% and delete guard-xxxx.exe.
 
Step #9: Reboot into regular mode.

Step #10: Your computer should now be free of the rogue. It does not hurt to run a full scan with Malwarebytes just as you would have in the guide above, so follow Step 6 onward of that guide.
Posted in Removal Guides, Windows

How to remove Windows Expert Console (Rogue)

Posted on 06:23 by Unknown
Alright, there's a new rogue antivirus program making the rounds on the internet. It's called Windows Expert Console.

For those of you who do not know, a rogue antivirus program is a piece of malware that pretends to be an antivirus program. It runs a fake scan and reports threats that are not actually on your computer, to frighten you into paying for it.

A removal guide follows. This one is a bit different from the rest, but it is the simplest way to remove it.

Step #1: On the scanner which tells you that you are "infected" click Remove All. And yes, this seems counter-intuitive considering that it is a rogue, but just go with it and stay with me on this.

Step #2: On the new web page that opens, you should see a button on the bottom right of the screen that says "Click here if you already have an Activation Code." Click on that button.

Step #3: Put in the following activation code: 0W000-000B0-00T00-E0020
Please note that if you are on the infected computer while reading this guide, you can copy and paste this code in.

Step #4: Even though the rogue is now subdued, it could still interfere with removal, so we must run Rkill. Download it here as the copy named iExplore.exe (Rkill is offered under several file names because rogues often block the real one): http://www.bleepingcomputer.com/download/rkill/

Step #5: Run the downloaded executable. It will open a black command window; this is normal. Once that window has closed on its own, proceed to step 6.

Step #6: Download Malwarebytes Anti-Malware from here: http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

Step #7: Run the downloaded installer and install Malwarebytes Anti-Malware.

Step #8: Once the program is installed, it will automatically open a window. Once this window is open, click Perform Full Scan, and then click the scan button.

Step #9: As this scan will take some time, do something else while staying close enough to the computer to check on the scan every once in a while. Once the scan is complete, proceed to step 10.

Step #10: When the scan is complete, it will open a message box. Click OK, and then click show results.

Step #11: Click Remove Selected. If Malwarebytes prompts you to restart your computer, please allow it to do so.

Step #12: Enjoy your computer which should now be free of Windows Expert Console.

Update: 11/27/2013 8:30 AM CST.
---------------------------------------------------------------------------------------------------------------

I've received reports that in more than a few cases, the above removal guide does not work properly. After further investigation, the culprit seems to be another variant of this rogue with the same name. If this is the case with you and the guide does not work, please follow these instructions to help you manually remove the rogue.

Step #1: Reboot your computer. As soon as you see anything on your screen, start tapping the F8 key so that you get the boot menu before Windows starts loading.

Step #2: On the boot menu, choose Safe Mode with Command Prompt.

Step #3: Once the computer has started up, in the command prompt window, type in regedit and press enter.

Step #4: On the left side of the new window, navigate to the following location: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\

Step #5: Highlight Winlogon.

Step #6: Double-click Shell, clear the entry and replace it with explorer.exe (no quotes). The rogue hijacks this value so that it, rather than the Windows desktop, starts when you log on.
 
Step #7: In the command prompt window, type explorer.exe and press Enter.
 
Step #8: Navigate to %appdata% and delete guard-xxxx.exe.
 
Step #9: Reboot into regular mode.

Step #10: Your computer should now be free of the rogue. It does not hurt to run a full scan with Malwarebytes just as you would have in the guide above, so follow Step 6 onward of that guide.
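The manual removal steps above (for Windows Expert Console here and for Windows Cleaning Toolkit in the previous post, which uses the same guide) come down to two checks: is Winlogon's Shell value still explorer.exe, and is there a guard-*.exe sitting in %APPDATA%? The script below is an added example, not part of either post, that performs those checks. It assumes the rogue's file matches the pattern guard-*.exe (the guide only gives the placeholder guard-xxxx.exe), that the KNOWN_GOOD spellings are the only legitimate Shell values, and that the live registry read is done on Windows; the string and folder helpers run anywhere.

```python
"""Check the Winlogon Shell value and %APPDATA% for the rogue's traces.

Added example, not from the original post. Assumptions: the rogue points
Shell at its own executable (the guide restores "explorer.exe") and drops
a file matching guard-*.exe in %APPDATA% (the guide writes guard-xxxx.exe;
the exact name is unknown, so a wildcard is used)."""
import fnmatch
import os
import sys

CLEAN_SHELL = "explorer.exe"

# Values Windows itself would put here; anything else is suspicious.
KNOWN_GOOD = {"explorer.exe", r"%systemroot%\explorer.exe", r"c:\windows\explorer.exe"}


def foreign_shell_entries(shell_value):
    """Return the entries of a Winlogon Shell value that are not Explorer.

    Shell is a comma-separated list of programs. Rogues either replace it
    outright or append their own executable, so both cases are caught.
    """
    entries = [e.strip().strip('"') for e in shell_value.split(",") if e.strip()]
    return [e for e in entries if e.lower() not in KNOWN_GOOD]


def shell_is_hijacked(shell_value):
    return bool(foreign_shell_entries(shell_value))


def find_rogue_files(appdata_dir, pattern="guard-*.exe"):
    """List files directly under appdata_dir whose name matches the rogue's pattern."""
    try:
        names = os.listdir(appdata_dir)
    except OSError:
        return []
    return sorted(os.path.join(appdata_dir, n) for n in names
                  if fnmatch.fnmatch(n.lower(), pattern))


def read_winlogon_shell(hive_name):
    """Read Winlogon\\Shell from HKCU or HKLM. Windows only."""
    import winreg  # imported here so the module still loads on other systems
    hive = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}[hive_name]
    path = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    try:
        with winreg.OpenKey(hive, path) as key:
            value, _ = winreg.QueryValueEx(key, "Shell")
            return value
    except FileNotFoundError:
        return None  # value absent: Windows falls back to its default


def main():
    if sys.platform != "win32":
        print("The registry check runs on Windows only; the helper functions are portable.")
        return
    # HKCU overrides HKLM for the logged-on user, which is why the rogue writes
    # HKCU; both are checked so a machine-wide hijack is not missed either.
    for hive in ("HKCU", "HKLM"):
        value = read_winlogon_shell(hive)
        if value is None:
            print(f"{hive}: Shell not set (Windows default applies)")
        elif shell_is_hijacked(value):
            print(f"{hive}: Shell is hijacked -> {foreign_shell_entries(value)}; "
                  f"restore it to {CLEAN_SHELL!r}")
        else:
            print(f"{hive}: Shell is clean ({value})")
    for path in find_rogue_files(os.environ.get("APPDATA", "")):
        print("suspicious file:", path)


if __name__ == "__main__":
    main()
```

Run it from Safe Mode with Command Prompt before and after Step #6 to confirm the value really changed; a Shell value that lists explorer.exe followed by a second program is just as hijacked as one that names the rogue alone.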
Posted in Removal Guides, Windows

Friday, 22 November 2013

Malware Predictions for 2014.

Posted on 20:55 by Unknown


What if you could see into the future, or at least get a glimpse of the future of technology? More specifically of malware, because that is what this blog is here for.

Using what we know about malware today, we can make predictions about what we might be seeing in the future. These predictions are not random; they come from reasoning about what is happening now and where it points.

In short, this blog post gives us a glimpse into what's coming to the world of malware very soon.

#1: Malware targeted at Windows XP will rise dramatically.

Reasoning: Malware writers have done this before: when Microsoft stops supporting an operating system (for Windows XP that happens in April 2014), they use exploits that will never be patched to infect its users. That being said, none of that can compare with the amount of malware that we have today. This is something that I am certain of. The temptation of Windows XP will be too much for malware writers to resist.

Predicted Probability: 100%

#2: CryptoLocker-style ransomware will become more common.

Reasoning: Would you say making $5 million in one month is profitable business? How about if you have to do nothing but make changes to a program and get paid?
The writers of CryptoLocker have proven this: The type of infection that they put out is an effective way to make money. And because most modern malware is meant to make money in some way, malware writers will flock to this type of ransomware.

Predicted Probability: 90%

#3: New conventional malware will go down. (But that's not a good thing.)

Reasoning: Antivirus software has become better at detecting new malware over the years, and detection rates have stayed high for some time now, with the exception of malware that conventional antivirus software just is not equipped to handle. Because of this, less money will go into the pockets of malware writers. And as I have said before, if the writers are bankrupt, they cannot make more malware.
The downside? Malware writers will see this and will realize that the old business model just is not working anymore. This plays into my first two predictions quite nicely. They will make their attacks more complex and harder for antivirus software to detect effectively.

Predicted Probability: 75%-80%

#4: Smart TVs will become a vector for infection.
Reasoning: Those newfangled Smart TVs can only get smarter, to the point that they might even replace computers to a degree. Malware writers will see this and will start making some sort of malware for Smart TVs.
The prediction is a bit like rolling chicken bones for me. I predicted this privately last year, and that did not happen. My theory on that is that I predicted it too early.

Predicted Probability: 35%-55%

#5: Rogue antivirus software will become obsolete. (On Windows computers at least)

Reasoning: Rogues have been a dying breed of malware for about three years now. And throughout those three years, a few security professionals (and myself) have said that by next year, rogues will be dead. They are dying, but they are not completely dead yet.

Antivirus software has gotten a lot better at detecting this type of malware, where before no antivirus could really touch them. Then again, a lot more people know about rogues than they did back in 2006 when they first started infecting people.

The downside? We only just this year saw rogues starting to really look to other platforms. I'm sure that some of my readers will remember what I have said about Android rogues.
I'm not going to put 100% behind this one because the writers of this type of malware could still have something up their collective sleeve that we have not seen before. But with fewer and fewer rogues appearing, this seems like a sound prediction to make.

Predicted Probability: 85%

Thank You for reading. I invite readers to comment with any questions or comments.

Thursday, 21 November 2013

Cyber Monday survival guide Part 1.

Posted on 15:05 by Unknown
I in no way advocate camping out at a store on Black Friday in order to get a good deal on that special something you have been eyeing. For one thing, you have to spend time away from your family. For another, you risk getting killed or tossed around by the crowd. And yes, that has happened before, and odds are it will happen again this year.

An alternative is Cyber Monday, the Monday after Thanksgiving, when you can find good deals online. Shopping online will keep you from getting (physically) tossed around, and you can look from your house or wherever you are staying under the guise of "taking a nap."

The issue? Cybercriminals will be shopping too, and not for DVD players. They will be shopping for anything they can steal from you. With that in mind, I've put together a little guide that might just help you avoid getting infected with malware, or having your identity stolen. Both of which will likely ruin your Happy Holidays.

Tip #1: Guard your credit card well. The most important tip in this guide is to protect your credit card. If you take anything from this guide, please let it be this.

When shopping online, the only things you generally need to enter are the card number and expiry date from the front of the card and the three- or four-digit security code from the back. No legitimate online shop needs your PIN; a site that asks for it is a red flag. Needless to say, if these details get into the wrong hands, it can get bad quickly. So be careful whom you entrust them with.

Tip #2: Shop at secure websites only.

When you go to pay for something online, there should be a locked padlock somewhere in your browser. This tells you that the website is using HTTPS, which encrypts the connection so that someone on the network cannot eavesdrop and capture your information in transit. It does not vouch for the shop itself, so combine it with Tip #3. If there is no padlock on the payment page, shop somewhere else. Even if it costs a bit more, it is worth it to keep your info away from prying eyes.

Tip #3: Stick with the websites you know if at all possible.

Try to stick with websites that you know are legitimate. If you need to use a website you do not know, a quick online search will turn up reviews and complaints.

Tip #4: Read the fine print.

In today's modern world, companies can get away with putting things in small text called "fine print." What is even worse is that almost no one ever reads it closely enough to understand it and know their options if, say, they want to return something.

OK, I'm not as sneaky as most companies, and that's a good thing. Either way, the message is clear: Read the fine print.

More to come in Part 2.

Tuesday, 19 November 2013

CryptoLocker now setting aim at UK.

Posted on 05:43 by Unknown
"Let the invasion begin" should have been the foreword-going mantra for those that made CryptoLocker. But as we know of no mantra, we assume that there is none.

The National Crime Agency has issued an alert regarding CryptoLocker: http://www.nationalcrimeagency.gov.uk/news/256-alert-mass-spamming-event-targeting-uk-computer-users

CryptoLocker has been going strong since September of this year, and during that time it seems to have mostly targeted the US, until now.

The NCA is estimating that emails with the CryptoLocker attachment may have reached the tens of millions.

An investigation has been launched to see where the email addresses are from and where they are being used. I personally think that the email addresses are spoofed, therefore finding the source will not really be all that helpful.

As of this writing, Bitcoin is valued at about $574 a coin, meaning that anyone forced to pay the ransom late now has to pay the ten Bitcoins, which at this point means $5,740.

This is all the news that I have not said before in a blog post.

Thank you for reading. I invite readers to comment with any questions or comments.
Posted in The CryptoLocker Saga

Tuesday, 12 November 2013

CryptoLocker Post #10

Posted on 15:24 by Unknown
OK, from what I have gathered, this is my 10th blog post regarding CryptoLocker. And if you are reading this, you likely already know what it is. But for those of you who have not heard any computer security news for the past two months, CryptoLocker is a piece of file encrypting ransomware that you can learn more about by looking at my other posts regarding it.

Not a whole lot more to talk about that is new. CryptoLocker is still being spread via email as an attachment. This attachment is normally an executable inside a zip file; unzipping it yields the executable, which infects the computer when run.

But something new-ish is that the zip file is now password protected. This is a measure aimed at the mail filters that companies have been setting up, which open each incoming .zip and reject any that contains an executable. A filter cannot look inside a password-protected archive, so the encrypted zip gets through where a plain one would have been stopped.

This is both a good sign and a bad sign.

It is a bad sign because the makers of CryptoLocker are monitoring to see what methods are working to prevent infection.

It is a good sign because companies are now paying attention to CryptoLocker.
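As an added example that is not part of the original post, here is what an attachment filter has to do about this change. It can open an ordinary zip and look at what is inside, but for a password-protected zip the member names are visible while the contents are not, so the only safe verdict is to hold the message rather than wave it through. The verdict names, the list of executable extensions and the sample archives are assumptions for the illustration; the samples are built in memory, and the "password-protected" one simply has the encryption flag set in its headers, since Python's zipfile cannot write real password-protected archives.

```python
"""Triage a .zip mail attachment the way a gateway filter would.

Added example, not from the original post. Policy (an assumption, not any
vendor's): a zip containing an executable is blocked; a zip whose members
are encrypted cannot be inspected, so it is quarantined, not allowed."""
import io
import struct
import zipfile

# Extensions Windows runs on double-click; CryptoLocker's zip carried an .exe.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
ENCRYPTED_FLAG = 0x1  # general-purpose bit 0 in the zip headers


def triage_zip(data):
    """Return ("block" | "quarantine" | "allow", reason) for raw .zip bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "quarantine", "not a valid zip archive"
    with zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED_FLAG:
                # Names are visible but content is not: the filter cannot
                # prove the archive harmless, so it must not let it through.
                return "quarantine", f"encrypted member {info.filename!r}: cannot inspect"
        for info in zf.infolist():
            if info.filename.lower().endswith(EXECUTABLE_EXT):
                return "block", f"executable member {info.filename!r}"
            # The extension can lie; an 'MZ' header is a Windows executable anyway.
            if zf.read(info).startswith(b"MZ"):
                return "block", f"member {info.filename!r} is a PE file despite its name"
    return "allow", "no executable content found"


def build_zip(name, content):
    """Constructed sample: a one-member zip archive held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(data):
    """Set the 'encrypted' flag on every header of a constructed zip.

    zipfile cannot write password-protected archives, so for the sample the
    flag is patched in by hand: a local file header keeps its flags at offset
    6, a central directory entry at offset 8. The content itself is left
    unencrypted; only the flag that a filter sees is set."""
    buf = bytearray(data)
    for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(signature)
        while pos >= 0:
            flags, = struct.unpack_from("<H", buf, pos + offset)
            struct.pack_into("<H", buf, pos + offset, flags | ENCRYPTED_FLAG)
            pos = buf.find(signature, pos + 4)
    return bytes(buf)


# Constructed samples: a harmless document, a zipped executable with a
# misleading double extension, and the same archive flagged as password-protected.
SAMPLE_DOC = build_zip("invoice.txt", b"Thank you for your order.\n")
SAMPLE_EXE = build_zip("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
SAMPLE_ENCRYPTED = mark_encrypted(SAMPLE_EXE)

if __name__ == "__main__":
    for label, sample in [("document", SAMPLE_DOC), ("zipped exe", SAMPLE_EXE),
                          ("password-protected", SAMPLE_ENCRYPTED)]:
        print(f"{label:20s} -> {triage_zip(sample)}")
```

The point of the quarantine verdict is the one the post makes: once the attacker encrypts the archive, a filter that only blocks what it can prove dangerous lets the message through, so the filter has to treat "cannot inspect" as a reason to hold it.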

I do not see this issue with CryptoLocker going away any time soon. Granted, we may find the makers of CryptoLocker. But that will not stop other creative malware writers from making their own CryptoLocker. The cybercriminals who made this know that this makes money.

But I do know that when this method gains popularity with malware writers, they will make mistakes. Whoever made CryptoLocker did not cut any corners. We will be able to exploit mistakes in order to find a way to defeat this.

But until then, we must press on the fight against CryptoLocker.

And with that, I deliver the following sentence. A plea, a promise, a call:

We must stand united to repel CryptoLocker and other such invaders from our internet.

Thank you for reading, I invite readers to comment with any questions or comments.
Posted in The CryptoLocker Saga

Wednesday, 6 November 2013

The latest and greatest ways to block CryptoLocker.

Posted on 06:50 by Unknown
I've written quite a few blog posts about this ransomware, so by now I am just going to assume that everyone has read them. And odds are, if you are reading this, you know what it is anyway.

There are now two ways that can be used to block CryptoLocker from encrypting your files. One of which I have already talked about, but for the sake of convenience, I will talk about it here as well.

The first way is a tool that blocks the execution of the ransomware. Because the ransomware runs from %AppData%, which is not a place where many legitimate applications run from, this can be used against it by configuring Windows to refuse to run anything from there.

This tool was made by FoolishIT and can be downloaded here: www.foolishit.com/download/cryptoprevent/

For more info on this tool, go here: http://www.foolishit.com/vb6-projects/cryptoprevent/
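As an added example, and not CryptoPrevent's own code or rule list: a policy of this kind is a set of path rules, and the shape of the rules matters. In the rule style Windows uses for this, a * matches within one folder level, so a rule for %AppData%\*.exe does nothing for an executable one folder further down, and because CryptoLocker arrives inside a zip, the folders that archive tools extract into need rules of their own. The Python below implements that matching and evaluates a few constructed paths against an assumed rule set; the rule patterns, the environment variable values and the sample paths are all made up for the run.

```python
"""Evaluate program paths against "no executables from %AppData%" path rules.

Added example, not CryptoPrevent's code or rules. The rule set is an
assumption modelled on how such policies are written; the matching
semantics (case-insensitive, '*' and '?' confined to one path component)
are what make the second rule of each pair necessary."""
import fnmatch

BLOCK_RULES = [
    r"%AppData%\*.exe",        # the ransomware itself runs from here
    r"%AppData%\*\*.exe",      # one folder down: '*' does not cross a backslash
    r"%LocalAppData%\*.exe",
    r"%LocalAppData%\*\*.exe",
    r"%Temp%\Rar*\*.exe",      # archives opened in place by WinRAR ...
    r"%Temp%\7z*\*.exe",       # ... 7-Zip ...
    r"%Temp%\wz*\*.exe",       # ... and WinZip are extracted here first
    r"%Temp%\*.zip\*.exe",     # Windows' built-in zip folder view
]

# Constructed values; a real policy engine expands these from the user's environment.
SAMPLE_ENV = {
    "AppData": r"C:\Users\alice\AppData\Roaming",
    "LocalAppData": r"C:\Users\alice\AppData\Local",
    "Temp": r"C:\Users\alice\AppData\Local\Temp",
}


def expand(pattern, env):
    """Replace %Var% tokens in a rule with their values."""
    for var, value in env.items():
        pattern = pattern.replace(f"%{var}%", value)
    return pattern


def matches_rule(path, rule, env):
    """Component-wise wildcard match: '*' never matches a backslash."""
    rule_parts = expand(rule, env).lower().split("\\")
    path_parts = path.lower().split("\\")
    if len(rule_parts) != len(path_parts):
        return False
    return all(fnmatch.fnmatchcase(p, r) for p, r in zip(path_parts, rule_parts))


def blocking_rule(path, env=SAMPLE_ENV, rules=BLOCK_RULES):
    """Return the first rule that blocks `path`, or None if it may run."""
    for rule in rules:
        if matches_rule(path, rule, env):
            return rule
    return None


if __name__ == "__main__":
    # Constructed sample paths, including a made-up random name like the
    # ransomware uses and an executable two folders deep that the rules miss.
    for sample in [
        r"C:\Users\alice\AppData\Roaming\Xkcdfjw.exe",
        r"C:\Users\alice\AppData\Roaming\Vendor\tool.EXE",
        r"C:\Users\alice\AppData\Roaming\Vendor\bin\tool.exe",
        r"C:\Users\alice\AppData\Local\Temp\Rar$EX00.123\invoice.exe",
        r"C:\Program Files\Mozilla Firefox\firefox.exe",
    ]:
        print(f"{sample}\n    -> {blocking_rule(sample) or 'allowed'}")
```

Two things the run makes visible: an executable two folders below %AppData% slips past both AppData rules, so anyone writing such a policy has to decide how deep to go, and rules this broad also catch legitimate software that installs per user under AppData, which is why a tool of this kind has to ship with a whitelist.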


The second way blocks the ransomware from encrypting your files, rather than from running in the first place.

This way is part of the public beta of HitmanPro.Alert and can be used along with the first method of blocking CryptoLocker.

HitmanPro.Alert was made by SurfRight, and you can find more info and download the beta here: http://www.surfright.nl/en/cryptoguard

Please note that these tools can be used together without any conflicts. It is also important to note that they can only help you if you are not yet infected with CryptoLocker; they will not help you if you are already infected.

With both the anti-malware community and the mainstream media being on high alert from this ransomware, I can see a turn in the tide happening soon against this ransomware. Although I cannot forecast in what way it will take form, I know that it will happen.

Whoever made this ransomware has angered too many to continue infecting people. Sooner or later, the good guys win. This is how it has always been, and this is how it will continue.

Thank you for reading, I invite readers to comment if you have any questions or comments.
Posted in The CryptoLocker Saga

Sunday, 3 November 2013

CryptoLocker as of 11/3/2013

Posted on 05:26 by Unknown
If you have read my other posts on this, you know what this is about. For those of you who have not: a piece of ransomware has been making the rounds on the internet since September of this year, and what has let it spread for this long is the fact that it actually encrypts your files.

I'm not going to go into it all here, because that's what my other posts are for. You can just read the other posts under "The CryptoLocker Saga" label in order to find everything I know about this ransomware.

The purpose of writing this blog post is to inform users of two recent changes with CryptoLocker.

Change #1: Some of the newest variants of CryptoLocker delete all Shadow Copies of your files (the snapshots behind Windows' "Previous Versions" feature, which until now were the easiest way to get files back without a backup). This leaves you with two options: restore from backups or pay the ransom. And attempting to pay the ransom is the perfect way to talk about the second change.

Change #2: Say you have run out of time to pay the ransom. The clock has gone down to zero, and you, without any backups, have no way of recovering your files.

Those who made CryptoLocker are now operating a website which lets you download the public and private key for your copy of the ransomware, as well as a decrypter. There is one catch that some people might have a problem with: paying the ransom before time runs out costs 2 Bitcoins, or the equivalent loaded onto a GreenDot MoneyPak card. Paying after time runs out costs 10 Bitcoins, which converts to $2,100 US Dollars.

So, about $400 before time runs out and $2,100 after. It does not surprise me that those who make CryptoLocker are doing this; I'm sure that quite a few people are desperate to get their files back. It is somewhat smart, considering that the page works independently of how much time the ransomware says you have left.

Thank you for reading. Feel free to comment if you have any questions or comments.

---------------------------------------------------------------------------------------------------------------

Updated 11/7/2013:

The price of the "late payment" option keeps going up along with the price of Bitcoin. As the price of one Bitcoin goes up (about $300 at this point), so does the late payment (about $3,000 at this point).

I would highly recommend that if you are infected with this, you make it your top priority to determine whether you have any other options than paying the ransom. If you find out before time is up, you can still pay the $300 flat rate via a GreenDot MoneyPak card. At this point, it will save you $2,700, but this figure can change. And if Bitcoin takes a big dive, odds are good that those who make CryptoLocker will no longer take it.
Posted in The CryptoLocker Saga