Expanding your security zone: Being online while traveling


Tags :- Avira Tech Support | Avira Support Number | Avira Refund.

It’s been a few years now since Internet connections were limited to homes and offices. Cheap mobile flat-rates are your permanent link to Facebook, Twitter, and emails. And when you can’t connect for cost reasons or due to poor reception, WiFi hotspots are increasingly available at many central locations. German telecoms operator Deutsche Telekom, for instance, plans to expand its network of WiFi hotspots to 2.5 million access points by the end of 2016. And when the legal risks are eliminated in Germany with the amendment of the Duty of Care Act, more private access points will be available again. This would pave the way for unrestricted surfing enjoyment were it not for one or two other digital threats lurking around every corner.

Major weakness in public WiFi
Hotspots in particular are notorious for their lax security. Anyone can see the wireless signals between the device and the hotspot’s access point. Communication often continues over an unsecured connection even after the user has logged in, and the login itself must also be carried out unencrypted. Anyone with a notebook and the right software sitting anywhere within a range of a few dozen meters can then read whatever data you and the world are exchanging. As a user, you have no influence over whether and how the provider encrypts wireless traffic. Even when data packets between the device and the WiFi router are encrypted, it only helps guard against the unwanted eavesdropper at the neighboring table. Every piece of information is still directly readable on the router and on all Internet nodes behind it.

How to secure your data on public WiFi
To ensure your data stays private, you’ll need to encrypt it. You can do this in a variety of ways that we’ll look at now. Emails can be protected using special encryption programs like EnigMail or GnuPG. While installing them isn’t always easy for total novices, when the system’s up and running anyone can use it. There are also a few web-mail services offering encryption under the “E-mail Made in Germany” initiative. You can also secure all your browser activities. Secure Sockets Layer (SSL), usually identifiable by the little padlock icon in the address bar, protects the data transferred between Firefox, Internet Explorer or Chrome and the node on the Internet. You just need to access a website starting with https://… instead of http://. Plug-ins for many browsers can also take care of this automatically if required, such as HTTPS Everywhere for Firefox and Chrome.

Instead of securing each application separately, you can also secure all data traffic, from the start until the end of transfer, by using a virtual private network (VPN). Companies usually install a VPN on the devices their users use for business. Private users too can protect their privacy using a VPN. To use it, you need software installed on your smartphone, tablet or notebook and a node which creates the tunnel only after you have logged in correctly. Countless companies like OpenVPN and Hotspot Shield offer free or reasonably priced VPN connections. These offerings are only one narrow type of VPN, where the connection between the device and the provider’s server is secured; after that, data packets escape into the Internet unencrypted. Despite this, at least third parties (e.g. hackers) in the direct vicinity of the hotspot cannot eavesdrop on your network connection.

The risks are more manageable if you log into the Internet using a cellular network data connection. The data between the device and the cellular network provider’s base station is encrypted and not shared with other users. This means snoopers who are standing nearby won’t be able to eavesdrop on the connection. That said, as soon as the data leaves the base station, it is, in principle, freely readable again. Here too, only a VPN will protect information right from the start until the end of its transfer.

Encryption also becomes a key consideration if you use cloud services. Whether you use OneDrive from Microsoft, Google Drive, Dropbox or Wuala – in principle, all of these online storage providers have access to every file stored in the cloud. The only thing that will help here is to encrypt the data on the device itself before sending it to the cloud. In the past, it was possible to recommend TrueCrypt as a secure encryption software solution. However, after its development came to a somewhat unclear stop, it is questionable whether the software isn’t a backdoor for intelligence services. Possible alternatives, for which security questions still remain, include AxCrypt, BlowFish Advanced, GnuPT/GnuPG, and Gpg4Win. Boxcryptor even explicitly supports all major cloud storage services, making the job easy. By the way, if you don’t want to put the effort into encrypting files and emails, you should at least secure your passwords, PINs, and TANs. Password safes like KeePass are easy to use, available for many operating systems, and are the better alternative to Post-it notes kept stashed beneath your keyboard. In addition, you should always enable the firewall on your device and install the latest version of a security software solution such as Avira Antivirus Pro, Avira Internet Security Suite or Avira Free Antivirus.

Safeguarding the dilemma of small size
The sheer portability of tablets, phablets, and smartphones also has a down side: What fits easily into your pocket will also fit easily into someone else’s. The loss or theft of portable devices has been on the rise for many years owing to the value of these prestigious digital objects. You’re limited in what you can do to protect yourself against this. If you’re traveling and distracted even for a brief moment while sitting at a table, you won’t notice that lightning-fast grab which leaves you deviceless. To ensure that the most you lose is only the device itself, you should keep an up-to-date backup of your data. In this respect, cloud services are perfect – provided the data is encrypted. Other important countermeasures include adequately long log-in codes or PINs as well as software like Avira Android Antivirus Security, which helps you find and track your smartphone or tablet again, or at least wipe the data on it remotely and make the device unusable for the thief.

Source : blog.avira.com

Avira Tech Support : Blog

Bad Rabbit – the not so cute ransomware



Yesterday, Avira labs recognized an attack by a new ransomware variant called Bad Rabbit. It is the typical file cryptor that will make all your personal files unreadable and will force you to pay a ransom for decrypting them. It overwrites the MBR (master boot record) to deliver this message to the victim after the computer reboots.


This threat comes to the victim’s computer as a drive-by attack. We’ve identified the payload as being downloaded from h(tt)p://1dnscontrol(.)com/flash_install.php. It seems that for this attack the criminals have not gone for an ordinary phishing attack (where the payload is usually attached) but instead more likely used a malicious advertising banner or a hacked website.

They haven’t chosen phishing for spreading the infection, but they have used another famous social engineering method to get onto the user’s computer. The dropped file needs to be executed by the user with admin rights to work. So, they probably decided that hiding it as a Flash Player installer was the best method. Recently we have quite often seen a type of malvertising (a combination of malware and advertising) where you supposedly need to install Flash Player first before watching the banner. Many people click daily on a fake Flash Player icon thinking that it is a new update.

If the malicious fake Flash Player installer is executed, it drops the malicious DLL as C:\Windows\infpub.dat. This is launched using rundll32, and it in turn drops dispci.exe (the file decoder) and cscc.dat (a utility tool) into the Windows folder (C:\Windows). In parallel, it also tries to spread these files to other computers on the network by brute-forcing the administrative shares (\\computername\admin$) with a list of hard-coded credentials (e.g. sex, qwe123, qwe321, …).

For the dropped files in the Windows folder, it creates three task jobs.

It is interesting here to notice how the cybercriminals label the task job names because “Drogon”, “Rhaegal” and “Viserion” are dragons from the world-famous Game of Thrones series. But not only those ones. They also use the name of another character, “GrayWorm”, as the product name for the exe file. It is not the first time that the criminals mix popular culture icons with malware as we have seen before with Mr. Robot, James Bond, Pokemon, and much more.

This ransomware also has some special techniques to avoid leaving traces behind after the infection. One interesting method is deleting the USN journal.

The command fsutil.exe usn deletejournal /D c: deletes the journal. The USN journal records, among other things, which changes have been made to a file, including the changes made during encryption. Once it is deleted, this information is no longer available to anyone, investigators included.
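The infection chain above (rundll32 loading infpub.dat, the dropped files in C:\Windows, the dragon-named tasks, the USN journal wipe and the admin$ brute-forcing) can be turned into detection logic over endpoint logs. The following is an added example, not Avira’s code: it runs those rules over a constructed key=value log format, and the field names, sample hosts and the alert threshold are assumptions, while the file names, task names and fsutil command are the ones quoted in the post.

```python
"""Flag the Bad Rabbit process chain described above in constructed log lines.
Log format, field names and the alert threshold are assumptions; the file names,
task names and the fsutil command are the ones quoted in the write-up."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

DROPPED_FILE_RE = re.compile(r"c:\\windows\\(infpub\.dat|dispci\.exe|cscc\.dat)\b")
TASK_NAMES = {"drogon", "rhaegal", "viserion"}
SHARE_FAIL_THRESHOLD = 3  # assumed: failed admin$ logons from one host before alerting

# Constructed key=value log format, one event per line.
PROC_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) type=proc '
                     r'image="(?P<image>[^"]*)" cmd="(?P<cmd>[^"]*)"$')
SHARE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) type=share '
                      r'share="(?P<share>[^"]*)" user=(?P<user>\S+) result=(?P<result>\S+)$')


@dataclass(frozen=True)
class Finding:
    line_no: int
    host: str
    rule: str


def check_process(image: str, cmd: str) -> list[str]:
    """Return the rules one process-creation event matches (empty if benign)."""
    image, cmd = image.lower(), cmd.lower()
    exe = image.rsplit("\\", 1)[-1]
    hits = []
    # rundll32 loading a .dat straight out of C:\Windows (infpub.dat is no normal DLL)
    if exe == "rundll32.exe" and re.search(r"c:\\windows\\[^\s,]+\.dat\b", cmd):
        hits.append("rundll32_loads_dat_from_windows_dir")
    # any reference to the dropped files at their known paths
    if DROPPED_FILE_RE.search(image) or DROPPED_FILE_RE.search(cmd):
        hits.append("dropped_file_in_windows_dir")
    # scheduled tasks named after the Game of Thrones dragons
    if exe == "schtasks.exe":
        m = re.search(r"/tn\s+(\S+)", cmd)
        if m and m.group(1) in TASK_NAMES:
            hits.append("scheduled_task_got_dragon_name")
    # anti-forensics: wiping the USN change journal
    if exe == "fsutil.exe" and re.search(r"\busn\s+deletejournal\b", cmd):
        hits.append("usn_journal_deletion")
    return hits


def scan(log_text: str) -> list[Finding]:
    """Apply the process rules per line and the admin$ brute-force rule per host."""
    findings: list[Finding] = []
    admin_fails: dict[str, list[int]] = defaultdict(list)
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        m = PROC_RE.match(line)
        if m:
            for rule in check_process(m["image"], m["cmd"]):
                findings.append(Finding(n, m["host"], rule))
            continue
        m = SHARE_RE.match(line)
        if m and m["result"] == "failed" and m["share"].lower().endswith("admin$"):
            admin_fails[m["host"]].append(n)
    # a burst of failed admin$ logons from one host is the credential list being tried
    for host, lines in admin_fails.items():
        if len(lines) >= SHARE_FAIL_THRESHOLD:
            findings.append(Finding(lines[-1], host, "admin_share_credential_spray"))
    return findings


# Constructed sample: one infected workstation (WS01) plus benign noise.
SAMPLE_LOG = r"""
2017-10-24T10:01:05Z host=WS01 type=proc image="C:\Windows\System32\rundll32.exe" cmd="rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"
2017-10-24T10:01:07Z host=WS01 type=proc image="C:\Windows\System32\rundll32.exe" cmd="rundll32.exe C:\Windows\infpub.dat"
2017-10-24T10:01:09Z host=WS01 type=proc image="C:\Windows\dispci.exe" cmd="C:\Windows\dispci.exe"
2017-10-24T10:01:10Z host=WS01 type=proc image="C:\Windows\System32\schtasks.exe" cmd="schtasks.exe /Create /SC ONCE /TN rhaegal /TR C:\Windows\dispci.exe"
2017-10-24T10:01:11Z host=WS01 type=proc image="C:\Windows\System32\schtasks.exe" cmd="schtasks.exe /Create /SC DAILY /TN BackupJob /TR C:\Tools\backup.exe"
2017-10-24T10:01:12Z host=WS01 type=proc image="C:\Windows\System32\fsutil.exe" cmd="fsutil.exe usn deletejournal /D c:"
2017-10-24T10:01:13Z host=WS01 type=share share="\\WS02\admin$" user=administrator result=failed
2017-10-24T10:01:13Z host=WS01 type=share share="\\WS02\admin$" user=admin result=failed
2017-10-24T10:01:14Z host=WS01 type=share share="\\WS02\admin$" user=user result=failed
2017-10-24T10:01:15Z host=WS03 type=share share="\\WS02\admin$" user=backup result=failed
2017-10-24T10:01:16Z host=WS03 type=share share="\\FS01\data" user=jdoe result=ok
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no:2d} {f.host}: {f.rule}")
```

Each rule fires on its own, so a single rundll32 line already raises two findings; the share rule deliberately waits for several failures so one mistyped password on a legitimate admin$ connection does not alert.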

The file decoder sheds light on what kinds of users the cybercriminals would like to target if you look at the list of file types.

It especially checks for file types of virtual machines (e.g. vhdx, vmdk, vbox, …). This means they are also targeting the corporate arena and not just the “home user”.

The file decoder also gives us an insight into what would happen on the victim’s computer if they paid the ransom.

The user is told to disable their antivirus or anti-malware program and to click on the decryption.lnk on the desktop. Additionally, after the files are decrypted, the filecoder plus the created task will be deleted from the system. In any case, we recommend never following these instructions from cybercriminals.

The camouflaged file cscc.dat is actually a .sys driver file that is part of the open-source disk encryption solution called “DiskCryptor”, which the ransomware uses.

Unlike many other file encryptors such as Locky, this encryption method doesn’t change the file extension. The extension remains the same; instead, a string in which the word “encrypted” can be read is appended to the end of the file.

This time, it looks like the criminals spent more time creating the onion link page. It even has a loading animation of a decryption.

But don’t worry, Avira is already protecting you against this ransomware.

Source : blog.avira.com


Support Scam: Your browser has been locked for support (that you just don’t want)



With viewers’ browsers as a target, online scareware/scam pop-ups keep spiking in early August. The typical message for the latest wave of scareware promises users that the website has updated browser support and that these users need some special help to get back online. Along with this message, the scam often maximizes the browser and makes it impossible for the user to close it or click anywhere else.

We call it a support scam. The notices claim to have a malware infection or similar and try to scare the user with this news. These pages are absolutely annoying for the customer. While some may not be directly harmful, others redirect users to adware applications. — Oscar Anduiza, malware analyst at Avira.

The newest wave of support scam has the Avira Protection Services racking up over a hundred thousand new detections daily in early August.

Crossing the grey line

While a support scam can appear out of nowhere if you surf to “normal” sites, it most often happens in the grey zone where users are streaming online content that may or may not be completely legal.

We see this more commonly in the grey/dark zone. Especially with the illegal movie and TV streams that are streaming copyrighted content like Game of Thrones, and on some porn sites. — Oscar Anduiza, malware analyst at Avira.

Most of them are related to some kind of advertisement redirection or pop-up.

Keeping that browser clean

Even if you are not visiting illicit streaming sites, there is a chance that a support scam will be encountered. However, staying secure is not too complicated.

  • Have an Antivirus installed and up-to-date. This will help ID and stop any additional malware from being bundled with the service scam.
  • Listen to your Antivirus. If the Antivirus signals that something is not quite right – even if it messes up that streaming experience – listen to it.
  • Stay updated. Think of it as a vaccination. The more up-to-date your device is, the less apt you are to catch something nasty.

Source : blog.avira.com


Back in Black malware at your power company could put out the lights



Malware can do more than just hold up your device for ransom; it just might flip off the electrical power switch for an entire city. New malware is targeting the power grid infrastructure, say analysts, and this first attack is likely just a taste of what could come in the future.

The malware, called Industroyer or Crash Override, came into view in late 2016 when it knocked about 700,000 homes off the grid for a few hours outside the Ukrainian city of Kiev. And that’s the good news. The bad news is that this malware knows its way around the power grid, can send out malicious commands to mission-critical equipment, and, once configured and deployed, can be scaled out without direct hacker involvement.

There’s a SCADA in the lightswitch

This attack targeted several SCADA protocols used in Europe. SCADA, short for Supervisory Control and Data Acquisition, is the system of hardware and software controls behind almost every industrial process. Once activated, the Crash Override malware cycles through a range of circuit-breaker addresses, trips them, then repeats the process.

Malware targeting SCADA was not a big surprise. With origins dating back to the intersection of manual controls and mainframe computers, it has been described as “insecure by design” by experts. Efforts to make SCADA more secure are something like putting a band-aid on a chest wound.

Following an even earlier hacker attack (also in Ukraine) on the power grid, the industry has taken a two-pronged approach: trying to prevent attacks and, almost more importantly, getting quickly back online afterwards.

Tidy hackers at work

Investigators aren’t exactly sure who wrote this malware – although some fingers are pointing towards Russia. What they are sure of is that these hackers did tidy work – without recycling old code or leaving digital fingerprints behind – and that more events are coming. There simply have been too many resources invested in creating this malware for this to be a one-off event. Besides, the malware has additional features and payloads not even activated this time. Investigators have raised the specter that this attack was just a POC (Proof of Concept) for getting the bugs ironed out of the malicious software before they move on to a real target.

Electrifying points to consider

Most people, myself included, are absolute strangers to the intricacies of high voltage systems. However, there are three points from this event that are applicable to everyone online.

  1. It can happen to you – The simple awareness that bad things can indeed happen is critical – for both power managers and individuals.
  2. Be prepared for bad events – Preventing or reducing the damage means having an action plan prepared. For this malware, Dragos recommended having robust backups of engineering files. For the average computer user, preparation should mean a combination of having files backed up, antivirus software in place, and software fully updated.
  3. Stay involved – “Human defenders are required” is the last line of the Dragos report. This is true for your online security. The best defense against a social engineering or customized spear-phishing attack is you.

Source : blog.avira.com


Worldwide botnet Avalanche smashed



According to Europol, victims of malware infections were identified in over 180 countries. The monetary losses associated with malware attacks conducted through the Avalanche botnet are estimated to be in the hundreds of millions of euros worldwide. Computer users can check their devices with the Avira PC Cleaner to see whether their device was infected and part of the botnet. The free tool scans the computer and removes the malicious software. Users who already use Avira anti-virus software are protected against the botnet.

Within the Avalanche botnet, a total of 20 different botnets have been identified. The targeted activity of the international criminal gang was distributing spam and phishing e-mails, as well as spreading ransomware and banking Trojans for tapping account and transaction data as well as stealing passwords.

To play safe: what PC users should do now

Check and clean the PC

If you do not have anti-virus software installed, you should check your computer for a possible infection using, for example, the free Avira PC Cleaner. If the computer is infected, Avira PC Cleaner will remove the Avalanche botnet code. Avira PC Cleaner also detects whether other malicious software is on the computer and removes it as well.

If you already have anti-virus software installed and want to be safe, you can also use Avira PC Cleaner as a “second opinion” to check your system.

Change passwords

After cleaning your PC, change all passwords for online banking/shopping, payment services, e-mail, social networks, and other applications.

Check the Windows security settings

Open the maintenance center via Start -> Run -> wscui.cpl and check that the network firewall, antivirus, spyware protection, and Internet security are all fully active.

Install antivirus software

To protect against future cyber attacks, we recommend installing antivirus software. With the free Avira Free Security Suite, your PC is reliably protected against botnets and a wide assortment of malicious software. In addition, you can optimize PC performance and surf securely through a VPN client on public Wi-Fi networks.

Source : blog.avira.com


KeRanger ransomware is now a menace for your Mac too



Mac computers were attacked by KeRanger ransomware

As you know, ransomware is one of the fastest-growing types of cyber threats. It attacks by encrypting data on infected machines, then typically asks users to pay ransoms in hard-to-trace digital currencies to get an electronic key so they can retrieve their data. According to security experts, cyber criminals manage to get hundreds of millions of dollars a year from their victims, especially by targeting the Microsoft Windows operating system. Now it looks like they have just expanded their horizons.

Ryan Olson (Palo Alto Threat Intelligence Director) confirmed that the “KeRanger” malware, which appeared on 4 March, was the first functioning ransomware attacking Apple’s Mac computers.

“This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” said Olson in an interview for Reuters.

This time the attack vector was very specific, since an affected user had to download a specific program whose download website had been compromised.

How did it happen?

Hackers infected Macs through a tainted copy of a popular program known as Transmission, which is used to transfer data through the BitTorrent peer-to-peer file sharing network, Palo Alto said on a blog article posted on Sunday afternoon.

When users downloaded version 2.90 of Transmission, which was released on Friday, their Macs were infected with the ransomware, the blog said.

Apple’s immediate intervention over the weekend

Apple had taken steps over the weekend to prevent further infections by revoking a digital certificate that enabled the rogue software to install on Macs. No other details have been provided yet.

Transmission also responded by removing the malicious version of its software from its website. On Sunday it released a version that its website said automatically removes the ransomware from infected Macs. Transmission users were advised to immediately install the new update, version 2.92, if they suspected they might be infected.

How the ransomware acts after infecting your Mac

Palo Alto said on its blog that KeRanger is programmed to stay quiet for three days after infecting a computer, then connect to the attacker’s server and start encrypting files so they cannot be accessed.

Once the encryption is complete, KeRanger demands a ransom of 1 bitcoin, or about $400, the blog said.

Olson also mentioned that the victims whose machines were compromised but not cleaned up could start losing access to data on Monday, which is three days after the virus was loaded onto Transmission’s site.

Be safe under Avira’s umbrella right away

Our Free Antivirus for Mac is able to detect the new KeRanger ransomware on Apple computers. If you are already seeking solutions to protect your Mac against ransomware attacks.

Source : blog.avira.com


Locky ransomware is dead, long live Locky



The first wave of Locky has passed, but the ransomware is still being distributed globally and within the DACH region. While this secondary distribution seems to be smaller than the first wave, the financial success of this malware for its authors and distributors gives us some clues as to what features will likely be included in the NEXT rounds of malware. “Follow the money” was the key phrase in All the President’s Men, Robert Redford’s classic film on Watergate — and this very much applies to malware. These clues from Locky are a mix of technical, distribution, and operational features – and should be a warning for computer users and companies planning their defensive strategies.

1. Drive me baby – Locky encrypted all drives on computers and networks – even the unmapped drives and shares. This expanded reach for encryption is expected to be included in future ransomware variants.

Response: Have a solid backup plan in place, ideally with a cloud service, as they offer file versioning and rollbacks. For consumers, having a spare HDD/SSD for a local backup is fine – but only if the hard disk is disconnected after the backup is finished. This also protects the backup against damage from other dangers like lightning-caused electrical surges.

2. New money from old tricks – Locky went to work by directly using macros in Word documents – and also by tossing in a bit of social engineering to get document recipients to activate the macros. That is quite old school – but it worked and was profitable for the cybercriminals.

Response: While zero-day threats are sexy, don’t forget to do the basic protection against continuing vulnerabilities such as macro manipulation. Consider enabling only digitally signed Office macros and disabling the rest. For corporate networks, this can be done in a way where end users are not able to see this option.

3. What the FUD! – In the early moments of the Locky onslaught, security publications pointed out the low detection scores in VirusTotal by most antivirus companies. This is a valid – but incomplete – look at the situation. We consider Locky to be FUD-level malware (Fully Undetected Malware), which means that the malware files were “optimized” until no AV scanner detected them anymore. Cybercriminals are testing their malware samples against the publicly available detection in VirusTotal – or against private and internal testing systems that work in a similar way. The low detection scores have to be read with caution. Only some of the AV firms have cloud detection or other advanced detection methods in their products enabled on VirusTotal – sometimes, just as in poker, it is better not to show your full capabilities.

Response: Be skeptical about everything and always keep your eyes open.

4. Wisdom from the cloud – Avira detects Locky on several layers within its cloud detection and analysis. At the Auto Dump layer, Locky is being detected after layers of obfuscation have been removed. In the Night Vision machine learning layer, files are scored according to around 7,000 features, allowing us to catch malware in a very efficient way. In case that other detection layers catch the malware first, the Night Vision system will dynamically learn about the sample within a few minutes, and subsequently cover variants of this malware sample. In addition, the cloud analysis is out of reach for the cybercriminals.

Response: For complete protection, make sure that the cloud protection in your AV is fully activated. We feel this is so important that we’ve automatically included our consumer users in the Avira Protection Cloud (APC). Corporate clients must, for data protection reasons, sign off that they approve the EULA before stepping into the APC.

Source : blog.avira.com


Ransomware “Tesla”: Are ransomware writers kidding us?



Most of us have probably seen e-mails like the one below in our inbox at one point or another:

[Image: example of the phishing e-mail]

This is basically the typical phishing email sent out by cybercriminals. They want to get the victim with “evil” social engineering: In order to succeed they try and make the user open the invoice using scare tactics like unpaid bills, invoices, lost packages, and so on. The icing on the cake is the attached copy of the “invoice” so it can be opened ASAP.

In comparison to the other phishing emails we received before, they don’t insert the original “Tesla” ransomware file anymore. Instead they put an obfuscated JavaScript file inside the archive. Cool! That makes them more flexible than ever before.

[Image: the obfuscated JavaScript file]

The obfuscation is a pretty good one from my point of view. It doesn’t allow anyone to understand what’s going on. But nothing is perfect … enough ;-). It may take several tries but you can decode the script. This easy decryption leads me to the conclusion that they have automated its creation. Well, it seems that even the world of the criminals is changing.

An interesting fact is that to deploy ransomware, no knowledge of any programming language is needed anymore: Everything is offered ready to go on the darknet for anyone who is willing to pay. You can read a cool article I wrote on this topic over here.

[Image: the decoded JavaScript downloader]

But let’s get back to the malicious script. It’s just a downloader. It shows the download source for the “Tesla” ransomware, where it will be stored on the system (e.g. %temp%), and it also takes care of running the binary after running some “quality checks” like file size.

Interesting? I believe so, because the criminals have changed the way they ensure that the ransomware is downloaded to the victim’s computer. They now also have the possibility to use different URLs as sources. And, last but not least, it seems to be easier for them to deploy new scripts than to make adjustments to the binary itself when it comes to bypassing antivirus solutions in order to stay undetected. With more samples to choose from, they have more possibilities to successfully infect your device.

You might be confused about the last sentence, but let me explain: Once we analyzed the Tesla ransomware file in more detail, it seemed like they didn’t invest any additional time in the “Tesla” ransomware files themselves. The latest and newest binaries which we have received and analyzed are already covered by our detections from more than three years ago! That’s friggin’ old-school 🙂!

[Image: the “how to restore” screen]

Nope, that’s no joke. We’ve also seen that – after executing yet another script – instead of the Tesla ransomware binary, the latest Avira launcher is being downloaded. We know that they took our launcher and put it on their command and control server.

[Image: the Avira launcher being downloaded]

Please note: You should know that we NEVER collaborate with cybercriminals or force something like this! We also don’t spread malware with our launcher! But we want to say thanks to everyone who wants to promote our product for a better-protected world nonetheless! 🙂

In the end it shows us once again how strong our detection pattern is when it comes to daily threats. It’s funny to find “new” samples which we’ve already been detecting for more than 3 years. But anyway, don’t forget our Avira Protection Cloud: in combination with our main antivirus, it becomes a powerful tool and a much stronger protective shield! So, ENABLE the Avira Protection Cloud in our product – and live free.

Source : blog.avira.com
