Quarterly Malwarebytes Cybercrime report Q2 2017

July 7, 2017 on 9:17 am | In General | No Comments

The second quarter of 2017 brought ransomware to unprecedented levels with worldwide outbreaks that went almost out of control.
Proud to have worked on this report about that quarter:
https://www.malwarebytes.com/pdf/white-papers/CybercrimeTacticsAndTechniques-Q2-2017.pdf

InfoSec 2017

June 15, 2017 on 2:35 pm | In General | No Comments

Me in a panel discussion with CEO Marcin Kleczynski and Helge Husemann

New router

April 30, 2016 on 2:40 pm | In General | No Comments

Before: [image]

After: [image]

ASML hack

March 2, 2015 on 7:09 pm | In General | No Comments

ASML is a Dutch company that manufactures machines used in computer chip production. Its customers include Samsung, Intel and TSMC, which are also among its main shareholders.
ASML is an industry leader and in fact the central link in maintaining Moore’s law. In this race to fit more transistors on a circuit, ASML is assumed to be well underway in perfecting EUV technology.
After reports on Dutch websites last Friday about the company being hacked by a Chinese group called PLA Unit 61486, ASML confirmed a security breach on Saturday.
According to ASML, the hackers gained unauthorized access to a limited portion of its IT systems. The company took steps shortly after the breach occurred and is conducting an investigation into the nature, origin and objective of the breach.
ASML is a leading corporation in its field; its products are high-tech machines for the semiconductor industry. Given the large amount of research and development involved, it is very likely that, if the attackers were indeed Chinese, they were after the designs for these machines.
This attack would fit a pattern of Chinese attempts at security breaches in the technology sector, both in the US and in Europe.
One unnamed source claims the attackers were after the groundbreaking EUV technology, which uses extreme ultraviolet light lithography to produce smaller chips. It has taken ASML a lot of research and money to get this process to a level fit for mass production.
ASML said there is no evidence of valuable files being stolen, neither from itself nor from its customers. At this time it was unable to confirm the origin of the attack. It is also unclear how the attackers gained access; most likely it was a targeted phishing attack on the company’s staff.
ASML did not comment on whether its French office was targeted as well or just the Dutch headquarters. If it releases any more information about this, we will certainly keep you posted.

Sources:
Tweakers (Dutch) reported it first
ASML Press Release

How did I get infected (comic book style)

January 18, 2015 on 2:15 pm | In General | 1 Comment

Let’s get this expensive software for free.

Oh, I have to install some extras?

Oh no!! And then it fails!!

So, do I have my “free cracked” software?
Nope, but I did get:

Maybe I should have bought:

THE END

Much Ado About Browser Malware

September 26, 2012 on 11:32 am | In General | No Comments

Browser hijacked or infiltrated?

Types of browser malware
Many types of malware are interested in your surfing behavior and what you type online; these are usually classified as spyware or trojans.
Other malware takes you to sites of its choice. These are usually called hijackers, and the ones that generate pop-ups belong in this category too.
Not all of the above are standalone programs. A browser extension, plugin, browser helper object, or whatever your browser calls its add-ons, offers a very effective way of infiltrating your computer.

Signs of infection
Possible ways that you may notice an active browser infection are:

  • Changed homepage
  • Having to fill out online forms at least twice
  • Unusually slow browsing
  • Bookmarks that you can’t remember making (usually for online casinos and porn sites)
  • Commercial popups appearing all the time, even when you are visiting sites that do not serve popups. These can also show up as new tabs or new browser windows.

Prevention
I can hear people saying: that won’t happen to me because I’m using {fill out the browser that you think is safest}.
But using a safer browser is not a final solution. What is generally true is that the more popular your browser is, the bigger the chance that some malware coder is looking for a security hole in it.
Another big contribution to how safe you are is your behavior online. The more easily you are tempted to click on anything, the bigger the chance that at some point you will be hit.
You can help your behavior by using aids that block certain sites, like for example the Website blocking feature that the full version of Malwarebytes Anti-Malware has to offer.

One thing I do myself is use two different browsers. One for the serious matters like online banking and such and one for the casual surfing, games and social media.
If they manage to infect the last one, at least I don’t have to worry so much about my important passwords getting stolen.

If you suspect that the browser malware was installed as an extension, here are the instructions to disable extensions for the most popular browsers.

How to disable IE add-ons:

  • Click the Tools button, point to Manage Add-ons, and then click Enable or Disable Add-ons.
  • In the Show list, click Add-ons that have been used by Internet Explorer to display all add-ons.
  • Click the add-on you want to disable, and then click Disable.
  • Repeat the previous step for every add-on you want to disable. When you are finished, click OK.

How to disable Chrome extensions

This method temporarily disables an extension; it stays disabled until you re-enable it manually.

  • Click the wrench icon on the browser toolbar.
  • Select Tools.
  • Select Extensions.
  • On the Extensions page, click Disable for the extension you’d like to temporarily remove.

How to remove Firefox extensions

  • At the top of the Firefox window, click on the Firefox button (Tools menu in Windows XP), and then click Add-ons. The Add-ons Manager tab will open.
  • In the Add-ons Manager tab, select the Extensions or Appearance panel.
  • Select the add-on you wish to remove.
  • Click the Remove button.
  • Click Restart now if it pops up. Your tabs will be saved and restored after the restart.

Cure
But what if the prevention didn’t work or was installed too late?
Our program Malwarebytes Anti-Malware can detect and remove these types of malware.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Update Malwarebytes Anti-Malware
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Close your browser, if possible. This is not always necessary, but when dealing with browser plugins or extensions, it will make removal easier and more complete.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected. Reboot your computer if prompted.
  • When completed, a log will open in Notepad. This should show that the browser malware was removed.
  • Run a Full scan to remove any left-overs.

Conclusion
Browser malware can pose a serious risk to your computer and even your finances, so practice safe surfing.
Make sure your security software is kept up to date and be careful out there.
As mentioned before, the full version of Malwarebytes Anti-Malware offers multiple layers of protection:

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.

Backups

June 13, 2009 on 8:12 pm | In General | 1 Comment

An important, but quickly forgotten aspect of computer security is backing up important data.

In general there are two types of backups, full and incremental. A full backup has roughly the same size as the original data, before compression. An incremental backup saves only the changes since the last backup. By nature these are always based on a full backup.

Storage is an important factor. How many backups do you need? Will there be circumstances when you need to go back more than one day? Maybe even a week? How often do you make a full backup and how many incremental backups will be made in between?
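To make the two types and their dependency concrete, here is an added Python example (not from the original post) that models a full backup, two incrementals based on it, and a restore that replays the chain in order. It also shows that an incremental on its own cannot be restored, which is why a chain always has to start from a full backup. The file tree and its contents are constructed sample data, and the function names (`full_backup`, `incremental_backup`, `restore`, `demo`) are this example's own.

```python
"""Full versus incremental backups, modelled on an in-memory file tree.

Added example, not from the original post. The file tree is a constructed dict of
path -> bytes; a real tool would walk a disk, but the bookkeeping is the same.
"""
import hashlib


def digest(content: bytes) -> str:
    """SHA-256 of a file's content, used to detect changes between backups."""
    return hashlib.sha256(content).hexdigest()


def manifest(files: dict) -> dict:
    """path -> digest for every file currently present."""
    return {path: digest(content) for path, content in files.items()}


def full_backup(files: dict) -> dict:
    """Copy every file: the backup is the same order of size as the data itself."""
    return {"kind": "full", "changed": dict(files), "deleted": [],
            "manifest": manifest(files)}


def incremental_backup(files: dict, previous_manifest: dict) -> dict:
    """Store only files whose digest differs from the previous backup's manifest,
    and remember which files disappeared, so the chain can reproduce deletions."""
    now = manifest(files)
    changed = {p: files[p] for p, d in now.items() if previous_manifest.get(p) != d}
    deleted = sorted(p for p in previous_manifest if p not in now)
    return {"kind": "incremental", "changed": changed, "deleted": deleted,
            "manifest": now}


def payload_size(backup: dict) -> int:
    """Bytes actually stored by one backup (before any compression)."""
    return sum(len(c) for c in backup["changed"].values())


def restore(chain: list) -> dict:
    """Rebuild the tree from a full backup followed by its incrementals, in order.
    An incremental on its own cannot be restored: it only knows what changed."""
    if not chain or chain[0]["kind"] != "full":
        raise ValueError("restore needs the full backup the incrementals are based on")
    state = dict(chain[0]["changed"])
    for inc in chain[1:]:
        state.update(inc["changed"])
        for path in inc["deleted"]:
            state.pop(path, None)
    return state


# Constructed sample data: three days of changes to a small tree.
DAY0 = {
    "docs/thesis.txt": b"chapter 1 " * 500,
    "photos/cat.jpg": b"\xff\xd8" + b"\x00" * 4000,
    "notes.txt": b"buy milk",
}
DAY1 = {**DAY0,
        "notes.txt": b"buy milk, call bank",   # edited on day 1
        "docs/refs.bib": b"@book{knuth}"}      # added on day 1
DAY2 = {p: c for p, c in DAY1.items() if p != "photos/cat.jpg"}  # deleted on day 2


def demo() -> dict:
    """Run the three-day schedule and check that the chain restores the latest tree."""
    chain = [full_backup(DAY0)]
    for day in (DAY1, DAY2):
        chain.append(incremental_backup(day, chain[-1]["manifest"]))
    return {
        "sizes": [payload_size(b) for b in chain],   # full is large, incrementals tiny
        "restored_ok": restore(chain) == DAY2,
        "deleted_on_day2": chain[2]["deleted"],
    }


if __name__ == "__main__":
    print(demo())
```

The sizes list is the point of the post's first paragraph: the full backup stores all 9010 bytes, the first incremental only the 31 bytes that changed, and the second stores nothing at all because a deletion is just a note in the manifest. Run `restore` on a chain that lacks the full backup and it refuses, which is the storage question in practice: you need to keep every full backup that any incremental you still want depends on.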

Another thing to consider is whether the backup device is bootable. In other words, do you need to copy the backup to the original place first or can you boot from the media device?

In case of disaster, the data and the backup should be far enough apart that the disaster can’t destroy them both. After all, if the backup is destroyed in the same fire, what good will it do you?
Although some solutions, like the ioSafe Solo, can withstand a lot. 😀

New category: programming

February 4, 2009 on 1:34 pm | In General | 1 Comment

As you may have noticed I have started posting snippets of code.
Mostly it is meant as a reminder to myself, since I tend to forget how I solved problems and then spend too much time looking for it.
This should help me find my solutions again more easily and quickly. And if it’s useful to anyone else, my pleasure. 😉

Problem in HijackThis

April 26, 2008 on 2:23 pm | In General | 6 Comments

Today (April 26 2008) at 12.36 GMT I downloaded HJTinstall.exe from trendsecure.com.

I then installed HijackThis on my virtual machine running Windows 2000.
The header of the log looked like this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:39:09, on 26-4-2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Boot mode: Normal

Then I made a reg file with this content:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb]
"messinabout"="F:\\WINDOWS\\System32\\ffaabb.dll"

and merged it with the registry.

Consequently HijackThis showed this line:
O20 - Winlogon Notify: ffaabb - C:\WINNT\
which is not justified because no startup was added.
For a file to get started from under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\subkey
the subkey needs to contain a value called DLLname which points to the dll that gets loaded.
To clarify, a DLL referenced here will be executed in a SYSTEM-level process, regardless of whether a user logs in.
This is not the case here, because this value was not created and did not exist.

I changed the reg file to:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb]
"DLLname"="F:\\WINDOWS\\System32\\ffaabb.dll"

and merged it with the registry.

Then HijackThis does the correct thing:
O20 - Winlogon Notify: ffaabb - F:\WINDOWS\System32\ffaabb.dll (file missing)
(file missing) because I didn’t bother to plant one. 🙂

The last try I did on the VM, to find out where HJT gets the path to the DLL:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb]
"messinabout"="%WINDIR%\\ffaabb.dll"

After merging, HJT reports:
O20 - Winlogon Notify: ffaabb - C:\WINNT\
So it does seem to look at whatever value is present, rather than letting us know that the value required for the autostart is not present.
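The check HijackThis should have made can be written down in a few lines. Below is an added Python example (not from the post and not HijackThis code) that parses a REGEDIT4 file, finds every subkey under Winlogon\Notify, and reports it as an autostart only when a DLLName value is present; for a subkey without one it returns the value names that are there, so a stray key like the one above is visible without being mistaken for a notification package. The three .reg files from the post are embedded as the input; `parse_reg`, `notify_autostarts` and `describe` are this example's own names.

```python
"""Decide whether a Winlogon\\Notify subkey in a .reg file really is an autostart.

Added example, not from the original post or from HijackThis. Winlogon only loads a
notification package when the subkey has a DLLName value; any other value is noise.
"""
import re

NOTIFY_KEY = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
              "\\CurrentVersion\\Winlogon\\Notify")

# "name"="data" lines; names and data use backslash escapes in .reg files.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def unescape(text: str) -> str:
    # Undo .reg escaping: a doubled backslash becomes one, and \" becomes a quote.
    return re.sub(r'\\(.)', r'\1', text)


def parse_reg(text: str) -> dict:
    """Return {key path: {value name: data}} for the string values in a REGEDIT4 file."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current.startswith("-"):      # "[-key]" deletes a key, creates nothing
                current = None
            else:
                keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = unescape(m.group(1)), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])  # quoted data is a REG_SZ string
            keys[current][name] = data
    return keys


def notify_autostarts(keys: dict) -> dict:
    """For every Winlogon\\Notify subkey, report whether it defines an autostart."""
    prefix = NOTIFY_KEY.lower() + "\\"
    report = {}
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        subkey = path[len(prefix):]
        # Registry value names are case-insensitive, so match DLLName loosely.
        dll = next((d for n, d in values.items() if n.lower() == "dllname"), None)
        report[subkey] = {
            "autostart": dll is not None,
            "dll": dll,
            "other_values": sorted(n for n in values if n.lower() != "dllname"),
        }
    return report


def describe(reg_text: str) -> list:
    """One line per Notify subkey: an O20-style line only for a real autostart."""
    lines = []
    for sub, info in notify_autostarts(parse_reg(reg_text)).items():
        if info["autostart"]:
            lines.append(f"O20 - Winlogon Notify: {sub} - {info['dll']}")
        else:
            present = ", ".join(info["other_values"]) or "none"
            lines.append(f"(no autostart) Winlogon Notify\\{sub} has no DLLName; "
                         f"values present: {present}")
    return lines


# The three .reg files from the post, embedded here as the input.
REG_NO_DLLNAME = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb]
"messinabout"="F:\\WINDOWS\\System32\\ffaabb.dll"
'''
REG_WITH_DLLNAME = REG_NO_DLLNAME.replace("messinabout", "DLLname")
REG_ENV_NO_DLLNAME = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb]
"messinabout"="%WINDIR%\\ffaabb.dll"
'''

if __name__ == "__main__":
    for reg in (REG_NO_DLLNAME, REG_WITH_DLLNAME, REG_ENV_NO_DLLNAME):
        print(*describe(reg), sep="\n")
```

Only the second file produces an O20 line; the first and third are reported as keys without a DLLName, which is exactly the distinction the log above blurs. The parser handles only the quoted string values a REGEDIT4 file writes for `"name"="data"`; `hex(2):` (REG_EXPAND_SZ) and other binary encodings are left as their raw text, so a `%WINDIR%`-style path is shown as written rather than expanded.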

Screenshot of regedit looking at this part of the registry: [image: Winlogon Notify]

Finally I downloaded the standalone executable HijackThis.exe from the same source and merged the last regfile on my XP computer.
The result is the same in essence:
O20 - Winlogon Notify: ffaabb - F:\WINDOWS\

HijackThis did remove the subkey in question from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify under all the above circumstances.

I would like to add that I reported this problem over a month ago to Trend at which point I was promised they would look into it and fix it if they could reproduce it.
Since I haven’t heard from them since, even after two reminders, I have to assume that they don’t plan to do anything about it.
This is not a very serious problem, but it can be confusing and with the many users of this program it may lead to wrong decisions being made.

It starts … again

November 3, 2006 on 2:30 pm | In General | 2 Comments

This blog was started at GeeksToGo
to share my research into newly found malware.
I will start transferring my posts from there later on,
because the blog module at GeeksToGo will be discontinued.
Hoping you will still come and read,
Pieter Arntz aka Metallica
