Category Archives: Antivirus Vendors


They can remotely access and control my computer?


We are always talking about ransomware and the importance of keeping your corporate network protected, and we want to warn our readers about the popular Trojan attacks that are going after small and medium-sized businesses. But how do you know when it’s a Trojan? How can you secure yourself against Trojans?

5 Things You Should Know

  1. They are malicious software programs designed to steal information or take control of the computer. These attacks target businesses that manage top-secret information.
  2. Trojans are the most popular type of malware and have been for years. Running closely behind them is ransomware.
  3. Trojans seem harmless, but as soon as they are executed they will damage systems and steal information.
  4. Most of them create backdoors and give unauthorized users remote access to and control over your system… and they go unnoticed!
  5. Trojan horse: the professional trickster. It disguises itself as something it’s not.

Trojans: Topping the Charts

Trojans make up the majority of the 227,000 malware samples that are detected daily by PandaLabs. Month after month, they continue to be in first place as the most created malware.

Increasing since the second quarter of 2016, Trojans currently make up 66.81% of the new malware samples created this quarter. Viruses make up 15.98% (Worms 11.01%, PUPs 4.22% and Adware/Spyware at 1.98%).

What do their creators want to achieve?

  • Steal personal and corporate information: bank information, passwords, security codes, etc.
  • Take photos with webcams, if there are any!
  • Erase the hard-drive.
  • Capture incoming and outgoing text messages.
  • Seize the call registry.
  • Access (consult, eliminate and modify) the address book.
  • Make calls and send SMS messages.
  • Use the GPS to figure out the geographic location of the device.

How can we protect ourselves from Trojans?

– Avoid downloading content from unfamiliar websites or sites with dubious reputations.

– Monitor downloads from p2p applications.

– Keep your advanced security solution updated. Install one of the Panda Solutions for Companies that best adapts to you and protect yourself from these dangers.

– Analyze your computer for free and make sure it’s Trojan free.

The post They can remotely access and control my computer? appeared first on Panda Security Mediacenter.

Want to be a top tech company? Use a centralized management tool.

The ship of single-device users sailed long ago. Our desks are covered with technology: desktop PCs, laptops, phones, smartphones, etc., and our technological needs have also changed (in fact, they keep changing!). We can’t just think about what we need to do: we need to take action. Despite this, it is challenging to develop an integrated strategy that protects multiple devices while adapting to user behavior. Businesses cannot afford to fall behind (and fall victim to cyberattacks!) because they did not implement the right tools and practices for their IT infrastructure.

We use a variety of channels and network-connected devices (and that number is growing exponentially) to communicate in the workplace. Now we also have to think about a new group of devices that may affect our business’s security, covering both BYOD (Bring Your Own Device) and the Internet of Things (IoT), and they require proper protection, management and control.

Microsoft and Apple Take Control

The growth of connected devices has led to a computer security revolution. IT teams in companies are adapting to new security requirements by implementing monitoring and management software to control the devices that make up the IT infrastructure. If the service is hosted in the Cloud, so much the better: no additional superstructure is necessary, since a network connection and console access via a browser are sufficient.

In 2011, Apple realized the benefit of Cloud-based management and adapted all of their devices, including mobile phones and tablets, to fit this model. Cloud management reduces support and operation costs. Realizing the benefits of an easy-to-use system that can be used on mobile devices too, the tech giant Microsoft has decided to adopt this strategy with their Windows 10 operating system. Microsoft is taking advantage of this new system that offers unified management for a variety of devices, whatever they may be.

These Cloud-based systems offer a high level of protection and remote monitoring, which has also reduced support and operational costs, increased efficiency in the IT infrastructure, and improved employee productivity. To achieve this, proper management of the company’s IT infrastructure is fundamental.

Businesses can easily monitor and offer remote support to all of their corporate devices, regardless of their location, with Panda Systems Management. This tool makes it possible to manage the IT infrastructure and its maintenance from a centralized platform.

Want to be like Microsoft and Apple? Adopt their philosophy and use a centralized management system! Manage your devices with Panda Systems Management, an easy-to-use tool that allows you to yield great benefits with minimal investment.


The post Want to be a top tech company? Use a centralized management tool. appeared first on Panda Security Mediacenter.

Crypt888 Ransomware Has Facelift as It Seeks Fresh Victims

We’ve been following the slow evolution of an interesting strain of ransomware we have named ‘Crypt888’, which is unlike other strains that we have reported on over the past few months.


Crypt888 has been focused on experimenting with user interfaces rather than improving its code, serving up ransom instructions in a variety of languages including Italian and, most recently, Czech.

In June 2016, AVG’s Virus Lab released six free decryptors for the recent strains of ransomware. We continue to monitor the situation, ready to update the tools as the ransomware evolves.

Our research uncovered one strain, Crypt888, behaving differently to the others. Instead of improving the code, the malware authors were focused on experimenting with the user interfaces such as changing the language of the ransom message.

This means that the underlying AutoIt script remains the same as in the previous versions… but oddly, the ransom instructions are served up in the Czech language only in the latest version.

This is how we identified and tracked the evolution of Crypt888.

Tracking a threat

Crypt888, also known as MicroCop and Mircop, is one of the many ransomware strains discovered in 2016, and its evolution has been very specific. After analyzing various samples, we found that the wallpaper containing the ransom instructions is the only part of Crypt888 that has changed.

The underlying AutoIt script has remained more or less the same in all the known versions of this strain. So too have the encryption algorithm, encryption key, file names, and various other components, which is unusual. While this means our decryptor can still rescue your encrypted files, the way in which Crypt888 presents itself keeps changing. In the latest version, the instructions appear in Czech.

Changing the language in which the ransom message is delivered has been a hallmark of this particular threat. We tracked several evolutions of Crypt888 from its first appearance in June this year.

  • The ‘Guy Fawkes’ version, June 22, 2016: first known version of this ransomware
  • The ‘Business Card’ version, July 8, 2016: this version appears and looks like a test version as there are no payment instructions
  • The ‘Italian’ version, July 29, 2016: this version had several new features and the errors in the language suggest machine translation
  • The ‘Czech’ version, September 21, 2016: the latest variety appears in yet another language, again with errors suggesting the author is not a native speaker

The first encounter

The first known version of Crypt888 appeared as black wallpaper with the image of a Guy Fawkes mask, a notorious symbol usually associated with Anonymous. The message accused the victim of stealing 48.48 Bitcoins ($30,000) from ‘the wrong people’ and requested its return.

The threat intimated there would be repercussions but there were no details about how to comply with repayment or how the decryption process would work after payment was made. This is probably the reason why we found only one transaction to the provided bitcoin address so far.


Testing, testing, 1 – 2 – 3

A few weeks later, we identified a second version. This time, the wallpaper with the story and related accusations was gone. In fact, there were no payment instructions at all; instead, the wallpaper contained the “business card” (as seen in this video).

We have no clear explanation why this particular image has been used, but we think it was probably a test version, based on the fact that there were no instructions or payment addresses provided to victims.

Just in case, however, we released a free Crypt888 decryption tool, which was able to recover files encrypted by both this and the earlier version.


The Italian affair

Three weeks later, we identified yet another version of Crypt888 which had multiple changes. While the AutoIt code was once again similar to the previous versions and the same algorithms were used (so our decryption tool is still fully functional for this version), the code was obfuscated.

There was a new image which contained ransom instructions in Italian, with typos and errors that suggest machine translation. In addition, this version of Crypt888 did not create the text file LEGGIMI.txt, which should contain the payment instructions. This means victims would find themselves left with encrypted files and no instructions as to how to recover them.


Czech-mate

Malware researcher S!Ri identified this latest version one month after the Italian version. We investigated further and found its code is no longer obfuscated, and essentially, it’s the same as the first two versions with the wallpaper being the only notable difference.

This time the ransom instructions appear in Czech and are a departure from previous versions in terms of content. Firstly, the ransomware claims that it is ‘Petya ransomware 2017’. But don’t be fooled – it is not. This is probably a maneuver to mislead victims hit by Crypt888 who are trying to find a free fix online.

Petya is a much more sophisticated piece of ransomware and it is not decryptable at the moment. This is not the first time one ransomware strain has pretended to be another; we have observed lesser-known strains masquerading as a more famous one, such as TeslaCrypt, CryptoLocker, or CryptoWall, on a number of occasions.

The Czech version also differs in that the ransom amount is ‘only’ 0.8 Bitcoin ($480 at the time of writing). The number reflects an apparent fixation with the digit ‘8’ as it is heavily used across the program: in the ransom amounts, the configuration of the encryption algorithm, the created file names, etc. That’s why we chose the name Crypt888 when we identified it.

Another change is that victims are threatened with a five-day deadline to pay, and two email addresses are provided for the victim to send proof of payment (and to receive the decryption tool, allegedly) yet no penalties are mentioned if the deadline is missed.

Finally, the authors hint in the text at the ransomware’s origin with a sentence which, when translated, means “We belong to Czech/Russian Hackers”. Based on the accuracy of the available text and the code quality, it is hard to believe those claims, as the text contains many typos, incorrect word order, odd mixtures of text with and without Czech diacritics, and other errors. More likely, the text was created by machine translation, like the Italian version.


At the time of writing, we have not found any further language variants of this ransomware and can reassure people that our free decryption tool will work for all the versions described here.

We suspect the authors of Crypt888 are still producing new versions of their ransomware. Their technique is in contrast to authors of other ransomware families in that they focus primarily on changing graphics and preparing fake stories rather than on improving their code. We are continuing to monitor for any new variants that will make it necessary to adapt our decryption tool to ensure victims have a means to mitigate a Crypt888 attack.

Tales from Ransomwhere: Macros & Ransomware(s)


How does the malware get into systems?

This ransomware’s initial infection vector is a phishing campaign: it is sent and received by email.

First, the user receives an email with the malicious file attached in zip format. The message is dressed up as some kind of invoice; the wording and the file name vary from message to message. On this occasion, the received file has the following name: Receipt 80-5602.zip, as seen in the screen capture.

Inside this compromised archive you will find a Microsoft Office document, or more specifically an Excel file with the extension “.xls”, containing macros (the macro code is written in Visual Basic).

How is this Code/Macro Executed?

By default, unless macro execution has been forced on in Excel, the malicious code will not run automatically; instead, a warning appears indicating that the document contains macros, as shown in the second screen capture.


And…What is this Macro?

The basic function of this macro is to act as a “dropper”: that is, to download and execute another binary file, in this case a file encrypter (ransomware), although it could just as well have been another malicious program such as a RAT, backdoor, bot, etc.

In this case, as is usual with droppers, the file (or payload) is hosted on a remote server and is fetched when the macro is executed.


Once the macro is executed, it takes charge of the next steps: downloading the remote file, which is stored encrypted, decrypting it, and then executing it.

If we look at the name of the file launched by the macro, or at its command line, we can see that the ransomware is delivered in DLL format, which has become increasingly common. In addition, an export name must be specified for the DLL to run, in this case “qwerty”, as shown in the following screenshot:


Why do it this way? Simply because many automated malware analysis systems (sandboxes) have problems executing programs, code or libraries that require parameters, which are sometimes unknown to the sandbox.

The MD5 of this library, once encrypted, is: 586aaaaf464be3a4598905b5f0587590
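The DLL-with-export launch described above is visible in process-creation telemetry. The following Python rule is an added example, not code from the Panda post: it flags rundll32 loading a DLL with an explicit export when the parent is an Office application or the DLL sits in a user-writable path. The record format and the log lines are constructed for illustration, and the export name “qwerty” is the one the post reports.

```python
import re
from typing import Dict, List, Optional

# Added example (not from the original post). Constructed record format:
#   parent=<path>|image=<path>|cmdline=<command line>
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Directories an unprivileged user can write to (assumed list, extend as needed)
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|temp|public|programdata)\\", re.I)
# rundll32 <dll>,<export>   or   rundll32 "<dll>",<export>
RUNDLL_CMD = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",\s]+)"?,\s*(?P<export>\S+)', re.I)

def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed key=value|key=value record; None if malformed."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    return fields if {"parent", "image", "cmdline"}.issubset(fields) else None

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return an alert reason if the event matches the macro-dropper pattern."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    if image != "rundll32.exe":
        return None
    match = RUNDLL_CMD.search(event["cmdline"])
    if not match:                      # rundll32 without an explicit export
        return None
    dll, export = match.group("dll"), match.group("export")
    reasons = []
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office process {parent}")
    if USER_WRITABLE.search(dll):
        reasons.append("DLL loaded from user-writable path")
    if not reasons:                    # e.g. explorer.exe running a system DLL
        return None
    return f"rundll32 export '{export}' from {dll}: " + "; ".join(reasons)

def scan(lines: List[str]) -> List[str]:
    """Run the rule over a batch of records and return one alert per hit."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reason = classify(event) if event else None
        if reason:
            alerts.append(reason)
    return alerts

SAMPLE_LOG = [  # constructed records, not real telemetry
    "parent=C:\\Program Files\\Microsoft Office\\EXCEL.EXE|image=C:\\Windows\\System32\\rundll32.exe"
    "|cmdline=rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll,qwerty",
    "parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\rundll32.exe"
    "|cmdline=rundll32.exe shell32.dll,Control_RunDLL",
    "parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\rundll32.exe"
    '|cmdline=rundll32.exe "C:\\Users\\Public\\a.dll",Start',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT:", alert)
```

The second record is a benign Control Panel launch and produces no alert; the first and third match on the Office parent and the user-writable path respectively.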

Finally, from PandaLabs we would like to give you the following advice: if you don’t want to have an unwanted surprise, when you receive Office documents from unknown senders do not click the button that says “activate macros”. Lastly, make sure your antivirus solutions and systems are always up-to-date!

The post Tales from Ransomwhere: Macros & Ransomware(s) appeared first on Panda Security Mediacenter.

Almost half of companies save employee passwords in Word documents

There is a growing awareness of cybersecurity within companies, but are these companies taking action to improve their security? In a recent study, 750 IT security decision-makers worldwide were surveyed to see whether they are “learning and applying lessons from high-profile cyber-attacks”, and whether this influences their security priorities and decisions.

The study examined the contradictory situation that is currently present in a number of global businesses. On a positive note, 79% of those surveyed said that they learned their lesson after seeing cyberattacks jeopardize the IT security in other companies, and 55% confirmed that they have changed the way they manage corporate accounts in order to adapt to the current cybersecurity climate and avoid unnecessary risks.

Nevertheless, the survey also exposes a very different reality. Far from complying with security procedures, 40% of the survey’s participants stated that they just use a Word document or worksheet to manage their company’s credentials, and 28% stated that they use a shared server or a USB stick for the same purpose. What is obvious is that IT security is absent in almost half of the 750 businesses in the survey.

Of course, the previously mentioned storage methods are all susceptible to a cyberattack, especially if they fall into the hands of someone with the right know-how, but they can also be leaked by the company’s own employees. A Word document makes private information accessible to any employee in the company.

To ensure that employees only use their own password, companies should use a password manager that will also protect their company’s devices. This will also help keep documents and devices, like a Word document or USB memory stick that stores passwords, safe from a cyberattack or infection.

In terms of cybersecurity, there is still a long way to go in the business environment. IT security should be a priority. Although 95% of these organizations have a plan in place in case of IT emergencies, only 45% of them periodically check that those plans are functioning properly.

Despite their carelessness, 68% of those surveyed claim that their greatest concern and challenge is the theft of their customers’ data (but this percentage does not correspond with the cybersecurity mechanisms implemented by IT security heads).

The post Almost half of companies save employee passwords in Word documents appeared first on Panda Security Mediacenter.