Monday, January 29, 2018

Should you uninstall Kaspersky software?

Q: Should I uninstall Kaspersky anti-virus from my computer?

A recent Wall Street Journal story about a National Security Agency contractor that had classified documents on his home computer and was allegedly targeted because of his use of Kaspersky Lab anti-virus software has once again put the Russian cybersecurity company in the spotlight.
The theory is that hackers used the file inventory process that Kaspersky anti-virus uses to discover the sensitive files and target the contractor.
Concerned?  See below for suggestions on how to remove Kaspersky from your computer.

Government ban

Software from Kaspersky Lab was removed from the U.S. General Services Administration approved list in July and in September, the Department of Homeland Security ordered federal agencies to stop using any software made by Kaspersky Lab because of concerns about the company’s ties to Russian intelligence.
The founder of the company, Eugene Kaspersky, has long had a cloud of uncertainty over him because of his early ties to the KGB and its replacement, the FSB. As a teenager, he studied cryptography in school and by his mid-20s, he created an anti-virus program to protect his own computer that eventually led to Kaspersky Lab.
This most recent allegation certainly makes using the company’s software even more disconcerting.

Should you remove it?

Despite the company’s repeated denials of any connection to the Russian government, with the plethora of security programs that don’t come with the “Russian baggage,” switching to another program is the safest way to go.
To be realistic, the likelihood that you would somehow become the target of Russian government hackers just because you are using a Kaspersky program is pretty slim, but there’s no reason to take the chance.

Alternative programs

The vast majority of security programs on the market are actually from companies outside of the U.S. For example, popular programs such as AVG & Avast (Czech Republic), Bitdefender (Romania), ESET (Slovakia), F-Secure (Finland), Panda (Spain), Sophos (UK) and Trend Micro (Japan) are all controlled by companies outside the U.S.
Many in the U.S., because of ongoing concerns about the U.S. government’s overreach, have proclaimed their preference to using a program based in another country, especially allies such as Finland, the U.K. and Japan.
Switch to Trend Micro, Security You Can Trust.

Removing Kaspersky Lab products

The standard way of removing programs in Windows is via Start > Control Panel > Add/Remove Programs, or you can use Kaspersky’s removal tools for either Windows or MacOS.
Advanced Windows users may want to take the additional step of manually scanning the registry to make sure that all Kaspersky-related keys have been removed.
Mac users can also use the free Dr. Cleaner app to ensure that it’s properly removed as simply dragging it to the trash does not properly remove it. Some programs like Trend Micro Worry-Free Business Security can automatically remove other programs, which makes converting a large number of computers more efficient.
Ken Colburn is founder and CEO of Data Doctors Computer Services. Ask any tech question on Facebook or Twitter.

Monday, November 6, 2017

Everyth1ng Y0u Kn0w Ab0ut P@ssw0rds 1s Wr0ng

Monday, October 30, 2017

A Hacker's Tool Kit - Cybercrime is growing ever more pervasive—and costly.



Cybercrime is growing ever more pervasive—and costly. According to researcher Cybersecurity Ventures, the annual cost of cybercrime globally will rise from $3 trillion in 2015 to $6 trillion in 2021. Enabling this boom are thriving marketplaces online, where hackers sell tools and services to criminals. Virtually anything is available for the right price, points out Andrei Barysevich, director of advanced collection (“a fancy name for ‘spy,’ ” he says) at threat intelligence firm Recorded Future. A former consultant for the FBI’s cybercrime team in New York, Barysevich trawled the shadiest corners of the web to compile the cybercrime shopping list above, exclusively for Fortune. In the market for some basic malware? It’ll cost you as little as $1.
Graphic shows prices of cybercrime events

Monday, October 16, 2017

Here is every patch for KRACK Wi-Fi attack available right now



Monday morning was not a great time to be an IT admin, with the public release of a bug which allowed WPA2 security to be broken.

As reported previously by ZDNet, the bug, dubbed "KRACK" -- which stands for Key Reinstallation Attack -- is at heart a fundamental flaw in the way Wi-Fi Protected Access II (WPA2) operates.
The security protocol, an upgrade from WPA, is used to protect and secure communications between everything from routers to mobile devices and Internet of Things (IoT) devices, but there is an issue in the system's four-way handshake, the exchange that lets devices holding the pre-shared password join a network.
According to security researcher Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks (MiTM) and eavesdrop on communication sent from a WPA2-enabled device.
US-CERT has known of the bug for some months and informed vendors ahead of the public disclosure to give them time to prepare patches and prevent the exploit from being used in the wild; at the time of writing there are no reports of this bug being harnessed by cyberattackers.
The bug lies in WPA2's handling of its cryptographic nonce and can be used to dupe a connected party into reinstalling a key which is already in use. The nonce is meant to prevent replay attacks, but once it has been reset in this way, attackers are given the opportunity to replay, decrypt, or forge packets.
In general, Windows and newer versions of iOS are unaffected, but the bug can have a serious impact on Android version 6.0 Marshmallow and above.
The attack could also be devastating for IoT devices, as vendors often fail to implement acceptable security standards or update systems in the supply chain, which has already led to millions of vulnerable and unpatched IoT devices being exposed for use by botnets.
The vulnerability does not mean the world of WPA2 has come crumbling down, but it is up to vendors to mitigate the issues this may cause.
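To make the nonce problem concrete, here is an added example (not code from ZDNet, the KRACK researcher or any vendor) modelling the supplicant side of the 4-way handshake. A retransmitted message 3 makes a vulnerable client reinstall the already-installed key and reset its packet number, so the nonce repeats; the patched behaviour vendors shipped is to install the pairwise key only once per handshake. The cipher is a hypothetical stand-in for CCMP: a counter-mode keystream built from SHA-256, which shares the property that matters, namely that reusing (key, nonce) reuses the keystream.

```python
"""Toy supplicant model: key reinstallation versus install-once (added example)."""
import hashlib
from typing import Tuple


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Stand-in counter-mode keystream derived from (key, nonce, block counter).

    Hypothetical construction for the example, not CCMP/AES-CTR itself.
    """
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client state once the access point has sent message 3 of the handshake."""

    def __init__(self, ptk: bytes, install_once: bool):
        self.ptk = ptk                    # pairwise transient key from the handshake
        self.install_once = install_once  # True models the patched behaviour
        self.key_installed = False
        self.packet_number = 0            # nonce component; must never repeat per key

    def receive_msg3(self) -> None:
        """Handle message 3 (the AP re-sends it whenever message 4 is lost)."""
        if self.key_installed and self.install_once:
            return  # patched: acknowledge, but leave key and counter untouched
        # vulnerable: (re)install the key and reset the packet number to zero
        self.key_installed = True
        self.packet_number = 0

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        if not self.key_installed:
            raise RuntimeError("no key installed")
        self.packet_number += 1
        ks = keystream(self.ptk, self.packet_number, len(plaintext))
        return self.packet_number, xor(plaintext, ks)


def run_handshake_with_retransmit(install_once: bool):
    """Return (nonce1, nonce2, ct1, ct2) for two frames sent around a retransmitted msg3."""
    client = Supplicant(b"\x11" * 16, install_once)  # constructed PTK
    client.receive_msg3()
    n1, ct1 = client.encrypt(b"plaintext-A")
    client.receive_msg3()  # retransmission, e.g. the AP never received message 4
    n2, ct2 = client.encrypt(b"plaintext-B")
    return n1, n2, ct1, ct2


def nonce_reused(install_once: bool) -> bool:
    """Defender-side check: did the packet number repeat under the same key?"""
    n1, n2, _, _ = run_handshake_with_retransmit(install_once)
    return n1 == n2


if __name__ == "__main__":
    for patched in (False, True):
        n1, n2, ct1, ct2 = run_handshake_with_retransmit(patched)
        leak = xor(ct1, ct2) == xor(b"plaintext-A", b"plaintext-B")
        print(f"install_once={patched}: nonces {n1},{n2}; "
              f"ciphertext XOR equals plaintext XOR: {leak}")
```

With `install_once=False` the two frames are encrypted under nonce 1 twice, and XOR-ing the two ciphertexts yields the XOR of the two plaintexts, which is exactly why a reset nonce lets traffic be decrypted; with `install_once=True` the counter keeps advancing and the relationship disappears. The same "never reset the counter for an installed key" rule is what the vendor patches listed below implement.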
In total, 10 CVE numbers have been reserved to describe the vulnerability and its impact, and according to the US Department of Homeland Security (DHS), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet, the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology, Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks.
So who is on top of the game?
Aruba: Aruba has been quick off the mark with a security advisory and patches available for download for ArubaOS, Aruba Instant, Clarity Engine and other software impacted by the bug.
Cisco: The company is currently investigating exactly which products are impacted by KRACK, but says that "multiple Cisco wireless products are affected by these vulnerabilities."
"Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi Protected Access protocol standards," a Cisco spokesperson told ZDNet. "When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention.
"Fixes are already available for select Cisco products, and we will continue publishing additional software fixes for affected products as they become available."
In other words, some patches are available, but others are pending the investigation.
Espressif Systems: The Chinese vendor has begun patching its chipsets, namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards for a fix.
Fortinet: At the time of writing there was no official advisory, but based on Fortinet's support forum, it appears that FortiAP 5.6.1 is no longer vulnerable to most of the CVEs linked to the attack, but the latest branch, 5.4.3, may still be impacted. Firmware updates are expected.
FreeBSD Project: There is no official response at the time of writing.
Intel: Intel has released a security advisory listing updated Wi-Fi drivers and patches for affected chipsets, as well as Intel Active Management Technology, which is used by system manufacturers.
Linux: As noted on Charged, a patch is already available and Debian builds can patch now, while OpenBSD was fixed back in July.
The WiFi Standard: A fix is available for vendors but not directly for end users.
Mikrotik: The vendor has already released patches which fix the vulnerabilities.
Google: Google told The Verge that the company is "aware of the issue, and we will be patching any affected devices in the coming weeks."
AVM: This company may not be taking the issue seriously enough: despite being aware of it, AVM has said that, because of the "limited attack vector," it will not be issuing security fixes "unless necessary."
OpenBSD: Patches are now available.
Microsoft: While Windows machines are generally considered safe, the Redmond giant isn't taking any chances and has released a security fix available through automatic updates.
Netgear: Netgear has released fixes for some router hardware. The full list can be found here.
Ubiquiti Networks: A new firmware release, version 3.9.3.7537, protects users against the attack.
Check back as we update this story.


via zdnet

Monday, July 3, 2017

Petya: Wiper or Ransomware & How to Protect Yourself

Learn the facts about the recent Petya attack that crippled many organizations worldwide. 

- Is it your regular run-of-the-mill ransomware or a wiper? 
- Who is a target? Why did it spread so quickly?
- How can organizations better protect themselves against similar attacks?

Friday, June 30, 2017

How To Protect Android Banking Apps From Malware



The recent case of WannaCry ransomware reminded us to be cautious of the growing malware menace that ended up infecting thousands of systems around the globe. Moreover, the scale of the ransomware attack may give rise to other malware attacks such as Android malware invasions.
The latest smartphone statistics from Gartner are not surprising as they reveal the soaring popularity of Android smartphones around the globe. According to the survey, over 350 million smartphones sold in Q4 2016 were running an Android operating system. The ever-increasing popularity and most probably the open-source nature of the OS are perhaps what attract cybercriminals to make relentless efforts to hack into the device and harvest the personal data of users.
Cybercriminals use specialized malware to carry out the hacks and achieve their ulterior motives. Australia, where cybercrimes like data and identity theft are common, and in fact, on the rise, is also not safe from the invasion of Android malware.

Cyberattackers Use Malware to Steal Banking Details

Last year, cybersecurity researchers at ESET came across a piece of malware, detected as Android/Spy.Agent.SI, which could put millions of Australian customers’ bank account details at serious risk. The malware could imitate popular banking apps from different countries such as CommonWealth Bank, NAB and ANZ banks in Australia: it would show an overlay screen on top of the targeted apps, with fake username and password fields for snatching these sensitive details.
The malware was so potent that it could circumvent the two-factor authentication security of the app, thereby revealing the details to the hackers. Later the same year, security researchers at Kaspersky Lab also discovered a similar but modified Trojan that could bypass Android 6’s security features. As a result, the hacker would be able to steal the bank account details of online banking app users.
Fast forward to 2017, a small group of Russian hackers used malware to dupe Russian bank users, stealing over $800,000. The hackers deceived the unsuspecting users by showing them fake banking apps that were laced with the malware that would steal their money.

How to Protect Android From Malware

Be it a ransomware attack or a malware attack, these cyber threats aren’t going to go away anytime soon. Fortunately, there are ways we can prevent these attacks and the ensuing calamities.
1. Install Latest Security Patch: More often than not, attackers carry out successful hacks by exploiting security vulnerabilities in the system software, and Android is no exception. By exploiting a security hole in your Android, a hacker or snooper can inject malware or any other malicious tool that could result in GPS hijacking, data theft, and identity theft, to name a few. Therefore, it is imperative to install security patches as soon as they are released by the vendor.
2. Avoid Pirated Apps: There are many Android users who readily root their devices so they can have more control over the OS. In fact, in most cases, users end up rooting their devices so they can install a new version of the OS that is not officially available for the specific device. Keep in mind that APK files are easily tampered with. Anyone intent on stealing your personal data can plant malware in an APK and leak your data without your knowledge. The best way to prevent such malware is by avoiding pirated apps altogether.
3. Check Permissions: Before you download an app from the Google Play Store, you may have noticed that the Play Store asks for certain permissions. It is important that you read the permissions thoroughly to ensure that the app isn’t asking for any unnecessary permissions. For instance, a recipe app would not require permission for your GPS. If it does, it is most likely an unreliable app. In such situations, avoid downloading the app and report it as well.
4. Use Security Tools: Be it a computer or an Android device, installing the right security tool can help users avert the calamity caused by cyberattacks. Especially, if you are a savvy online banking app user, it is important that you use some kind of security tool, or best yet encryption tool. With encryption in place, you can have a safe environment to make online transactions.
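The permission review in step 3 can be done mechanically. The following is an added example, not code from the article or from Google: it parses the `<uses-permission>` entries of an app's AndroidManifest.xml (the file inside every APK), flags permissions that do not fit the app's stated purpose, and separately flags the combination the banking trojans described above rely on, namely drawing a window over other apps plus reading incoming SMS, which is how a fake login overlay with one-time-code interception is built. The manifest and the "expected permissions" table are constructed for the example.

```python
"""Manifest permission triage for an Android app (added example)."""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption for the example: what each kind of app plausibly needs.
EXPECTED = {
    "recipes": {"android.permission.INTERNET"},
    "banking": {"android.permission.INTERNET", "android.permission.CAMERA"},  # camera: cheque deposit
}

OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"          # draw over other apps
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}  # one-time codes

# Constructed manifest for a supposed recipe app asking for far more than it needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.recipes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> List[str]:
    """Return every permission name declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def review(manifest_xml: str, app_kind: str) -> Dict[str, List[str]]:
    """Classify requested permissions against the app's stated purpose."""
    perms = set(requested_permissions(manifest_xml))
    findings = {
        "unexpected": sorted(perms - EXPECTED[app_kind]),  # e.g. GPS in a recipe app
        "high_risk": [],
    }
    if OVERLAY in perms:
        findings["high_risk"].append("can draw over other apps (fake login overlay)")
    if perms & SMS:
        findings["high_risk"].append("can read incoming SMS (one-time codes)")
    if OVERLAY in perms and perms & SMS:
        findings["high_risk"].append("overlay + SMS together: banking-trojan pattern")
    return findings


def verdict(manifest_xml: str, app_kind: str) -> str:
    """'avoid' when anything high-risk or unexpected is requested, else 'ok'."""
    f = review(manifest_xml, app_kind)
    return "avoid" if f["high_risk"] or f["unexpected"] else "ok"


if __name__ == "__main__":
    result = review(SAMPLE_MANIFEST, "recipes")
    print("unexpected:", *result["unexpected"], sep="\n  ")
    print("high risk:", *result["high_risk"], sep="\n  ")
    print("verdict:", verdict(SAMPLE_MANIFEST, "recipes"))
```

The same check applies to an app that claims to be a bank's own client: a genuine banking app has no reason to draw over other applications, so `SYSTEM_ALERT_WINDOW` in a "banking" manifest is flagged just as it is here.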
Digital privacy and security are getting weaker with every passing year. As more and more cyberattacks continuously invade different sectors, it won’t be too long before cybercriminals freely roam the digital space. However, by implementing the security tips mentioned above, not only can you protect your device but also take a firm stand against the rising plague of cyberthreats.
via LTP

Sunday, June 11, 2017

The Malware Used Against The Ukrainian Power Grid Is More Dangerous Than Anyone Thought

Image: CheepShot/Flickr


Researchers have discovered a new powerful—and dangerous—malware that targets industrial control systems.

Last December, when attackers hacked a power transmission company in Ukraine and cut electricity to tens of thousands of customers for an hour around midnight, it was considered a less severe assault than one that occurred the previous December. The latter attack cut power to more than 230,000 Ukrainians for one to six hours during peak dinner hours in the dead of winter.
But new analysis of malware used in the more recent attack suggests it may be more sophisticated and dangerous than previously believed.
Researchers who examined the malicious code say it's a modular toolkit composed of multiple components that have the ability to launch automated assaults against industrial control systems managing the electric grid.
The toolkit doesn't exploit software vulnerabilities to do its dirty tricks—the way most malware does—but instead relies on exploiting four communication protocols or standards that are used with industrial control systems in Europe, the Middle East, and Asia, according to the researchers. This means the attackers could use the same toolkit to target systems in these regions, and may already have done so.
"There's a ton of functionality in this that was never used in Ukraine," says Robert M. Lee, co-founder of Dragos, a critical infrastructure security company that examined the code. "This suggests it was being prepared for use at multiple sites."
With a little tweaking, Lee says the same toolkit would also work against parts of the grid in the US.
The malicious toolkit, which is being called Industroyer by the Slovakian antivirus firm ESET and CrashOverride by Lee and his firm, includes two backdoors, which the attackers use to gain persistence on systems (the second one is designed to regain access if the first backdoor is detected or disabled); a wiper component for erasing critical system files to render grid operator stations inoperable; and a port scanner to map infected networks during the reconnaissance stage.
Researchers with ESET say Industroyer/CrashOverride is the biggest threat to industrial control systems since Stuxnet, the worm that damaged centrifuges used in Iran's nuclear program back in 2009. But Lee downplays this, saying although the toolkit is a big deal, it's designed to disrupt equipment and service, not destroy equipment the way Stuxnet did.
There have only been four malware attacks found in the wild that target industrial control systems: Stuxnet, BlackEnergy2, Havex and now Industroyer/CrashOverride. BlackEnergy and Havex were designed for espionage; only Stuxnet and Industroyer/CrashOverride were designed solely for sabotage.
The distinction is important because determining the intent of malware is often difficult to do but has important implications for how an intrusion might be viewed under the international laws of war where espionage is not considered a use of force but sabotage is.
"Anyone who finds this [on their system] can assume the intention is attack," says Lee. "There is no function in this malware that you could use for espionage. So there is zero reason to position this anywhere where you weren't going to attack."
Lee says the malware itself isn't very sophisticated—it has a lot of the same functionality found in other malware attacks. What makes it sophisticated is the extensive knowledge the authors have about industrial control system protocols.
"With this [logic bomb] function, you could be looking at a day or two of outages fairly easily."
At the heart of the malware are the four ICS-specific modules that operate in conjunction with one another to exploit four protocols known as IEC 101, IEC 104, IEC 61850, and OLE for Process Control Data Access (OPC DA).
"What's sophisticated is knowing what protocols to use and in what order," Lee says. "These protocols provide an ability to map out the industrial equipment inside the environment and send commands to [substations] to impact circuit breakers."
The malware has to be custom-built for each target using a configuration that is specific to that site, so an attacker couldn't turn it into a worm to attack just any system it encounters. But Lee says this doesn't mean attackers couldn't target multiple sites simultaneously. The toolkit has logic bomb functionality, which means attackers could infect multiple systems to launch a simultaneous attack against them.
"A smart adversary could take on portions of a grid and substations, similar to what we saw in 2015, for a couple hours," he says. "But with this [logic bomb] function, you could be looking at a day or two of outages fairly easily. I don't think you could go above that—this wouldn't cause cascading failures."
Even so, "you're obviously talking about a complete psychological impact on your human populace that you would not want," he notes.
The 2016 attack on Ukraine's power grid, which struck December 17 at a substation outside the capital city Kiev, was believed to be a test for refining attacks on critical infrastructure around the world.
Once the attackers installed their backdoor, they stole system and administrator account credentials, which allowed them to move through the network undetected. They sat on the network conducting reconnaissance for months, scanning network traffic and studying the daily behavior of administrators so they could mimic their activity.
The malicious toolkit that was used in the attack contained a December 17, 2016 timestamp that activated the protocol components to launch their attack. Lee says the toolkit had the ability to launch a continuous assault on the circuit breakers so that each time operators would try to regain control in order to re-close the breakers, the malware would open them again.
"As operators tried to take control, it goes into an infinite loop," Lee says.
At this point the wiper module would also get activated and delete system files on operator machines to crash them and prevent them from rebooting. The only way operators could then restore power was to physically switch to manual operation mode at the substation.
The attack in 2015 was tied specifically to the model of equipment used at each of the three distribution plants; the attackers had to study the specific equipment those used at the plants and design their attack to target them. But there's no equipment component to this newer attack.
"It is directly applicable to every site in Europe, most of the Middle East and most of Asia," he says. The US uses a different communication protocol known as DNP3 (Distributed Network Protocol 3), but this doesn't make it immune to the same kind of assault.
"The way this framework is built, it would be very easy to [switch] in a DNP3 module […] and you'd be able to replay this against portions of the US grid," he says.
Lee says detecting an attack using the Industroyer/CrashOverride framework would not be too difficult to do. Because the four modules using the communication protocols operate in a very distinct pattern, administrators could configure their security tools to watch for this.
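One shape such a watch could take, as an added example that is not code from Dragos, ESET or the article: a host other than the known SCADA master reaching several substation endpoints over the ICS protocols named above within a short window, which is the "map the equipment, then send commands" behaviour Lee describes. The connection log below is constructed (timestamp, source, destination, destination port); the port assignments are assumptions based on the common deployments of IEC 60870-5-104 (TCP 2404), IEC 61850 MMS (TCP 102) and OPC DA over DCOM (endpoint mapper on TCP 135), and the master's address is invented for the example.

```python
"""Flag hosts sweeping ICS endpoints over IEC 104 / IEC 61850 / OPC DA (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed port-to-protocol mapping for the three TCP-based protocols in the article.
ICS_PORTS = {
    2404: "IEC 104",
    102: "IEC 61850 (MMS)",
    135: "OPC DA (DCOM endpoint mapper)",
}

# Assumption: the only host expected to speak these protocols to field devices.
KNOWN_MASTERS = {"10.0.1.10"}

# Constructed sample log: the legitimate master polling two RTUs, a workstation
# (10.0.1.44) sweeping five devices over three protocols within seconds, and an
# unrelated HTTPS connection that must not be counted.
SAMPLE_LOG = """\
2016-12-17T22:30:01 10.0.1.10 10.0.5.21 2404
2016-12-17T22:30:05 10.0.1.10 10.0.5.22 2404
2016-12-17T22:31:00 10.0.1.44 10.0.5.21 2404
2016-12-17T22:31:02 10.0.1.44 10.0.5.22 2404
2016-12-17T22:31:03 10.0.1.44 10.0.5.23 102
2016-12-17T22:31:04 10.0.1.44 10.0.5.24 135
2016-12-17T22:31:06 10.0.1.44 10.0.5.25 2404
2016-12-17T23:10:00 10.0.1.50 10.0.5.21 443
"""


def parse_log(text: str):
    """Yield (timestamp, src, dst, dport) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def find_ics_mappers(log_text: str, window: timedelta = timedelta(minutes=5),
                     min_targets: int = 3) -> Dict[str, dict]:
    """Return {source: {targets, protocols, first_seen}} for non-master sources
    that reach at least `min_targets` distinct ICS endpoints inside `window`."""
    per_src: Dict[str, List[Tuple[datetime, str, int]]] = defaultdict(list)
    for ts, src, dst, port in parse_log(log_text):
        if port in ICS_PORTS and src not in KNOWN_MASTERS:
            per_src[src].append((ts, dst, port))

    alerts: Dict[str, dict] = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):          # sliding window start
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            targets = {dst for _, dst, _ in in_window}
            if len(targets) >= min_targets:
                alerts[src] = {
                    "targets": len(targets),
                    "protocols": sorted({ICS_PORTS[p] for _, _, p in in_window}),
                    "first_seen": t0.isoformat(),
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in find_ics_mappers(SAMPLE_LOG).items():
        print(f"ALERT {src}: {info['targets']} ICS endpoints via "
              f"{', '.join(info['protocols'])} starting {info['first_seen']}")
```

In a real deployment the allow-list of masters and the window size come from the site's own network baseline; the point of the rule is that ICS protocol traffic from an unexpected source, fanning out across devices and protocols, is distinctive enough to alarm on even though the individual messages are valid.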

Thursday, May 18, 2017

Sophos continues to work at protecting customers from the WannaCry ransomware attack – here’s what you need to know.


Sophos continues working to protect customers from the WannaCry ransomware attack. That effort has been successful, but we continue to receive many questions about how this attack happened, what we must do to defend our organizations, and, of course, what’s next?
This article is designed to answer those questions.

What happened?

A fast-spreading piece of ransomware called Wanna (also known as WannaCry, WCry, WanaCrypt, WanaCrypt0r and Wana DeCrypt0r) held computer systems hostage around the globe Friday. National Health Service (NHS) hospitals in the UK were hit hard, with their phone lines and IT systems being held hostage. From there, the attack spilled across the globe.
It encrypted victims’ files and changed the extensions to: .wnry, .wcry, .wncry and .wncrypt. It then presented a window to the user with a ransom demand.
Analysis seems to confirm that the attack was launched using suspected NSA code leaked by a group of hackers known as the Shadow Brokers. It uses a variant of the ShadowBrokers’ APT EternalBlue Exploit (CC-1353). It also uses strong encryption on files such as documents, images, and videos.

This was different from past ransomware attacks. Why?

There were some unique aspects to the WannaCry attack. Typical ransomware infections happen after the victim clicks on a malicious email attachment or link. In this attack the malware was able to exploit a remote code execution (RCE) vulnerability that allowed it to infect unpatched machines without users having to do anything.
Because of that, this was able to spread in the same rapid fashion as the worm outbreaks common a decade ago, such as Slammer and Conficker.
Specifically, WannaCry exploited a Windows vulnerability Microsoft released a patch for in March. That flaw was in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin.
Organizations running older, no-longer-supported versions of Windows were particularly hard hit. In fact, Microsoft took the highly unusual step of making a security update for platforms in custom support (such as Windows XP) available to everyone. The software giant said in a statement:
We know some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download here.

Is this over?

Unlikely. With the code behind Friday’s attack in the wild, we should expect copycats to cook up their own campaigns in the coming days to capitalize on the money-making opportunity in front of them. We also expect aftershocks Monday as employees at affected companies who weren’t there Friday return to work and fire up their computers.

What is Sophos doing to protect customers?

Sophos continues to update protections against the threat. Sophos customers using Intercept X and Sophos EXP products will also see this ransomware blocked by CryptoGuard. Please note that while Intercept X and EXP will block the underlying behavior and restore deleted or encrypted files in all cases we have seen, the offending ransomware splash screen and note may still appear.

Is there anything I need to do?

You’ll want to ensure all of your Windows environments have been updated as described in Microsoft Security Bulletin MS17-010 – Critical. Microsoft is providing Customer Guidance for WannaCrypt attacks. As noted above, Microsoft has made the decision to make the Security Update for platforms in custom support only — Windows XP, Windows 8, and Windows Server 2003 — broadly available for download:
- Windows Server 2003 SP2 x64
- Windows Server 2003 SP2 x86
- Windows 8 x64
- Windows 8 x86
- Windows XP SP2 x64
- Windows XP SP3 x86
- Windows XP Embedded SP3 x86

As we always say, patching is critical. For Sophos customers, keep checking the Wana Decrypt0r 2.0 Ransomware Knowledge Base where we’ll be issuing updates.
via sophos

Tuesday, December 6, 2016

Check if you were hit by the massive 'Avalanche' cybercrime ring

SAN FRANCISCO — The U.S. government has posted links for free scanning programs so companies and individuals can check their computers to make sure they weren't victims of a massive, international cyber criminal operation that was taken down Thursday after a four-year investigation.
“This is probably the biggest operation that law enforcement has ever done against cyber crime,” said Catalin Cosoi, chief security strategist with BitDefender, one of the dozens of companies worldwide that worked with law enforcement to attack the group.
The U.S. Computer Emergency Readiness Team (US-CERT) has posted links to five scanners on its site. Europol has also posted a list of sites in multiple languages for potentially infected users. The malware only affects systems running the Microsoft Windows operating system, according to US-CERT.
The Department of Homeland Security’s National Cybersecurity and Communications Integration Center, which includes US-CERT, will be providing victim notification to stakeholders, including Internet Service Providers, DHS said in a statement.
Known as "Avalanche," the group had been active since 2009, according to the FBI and Europol, the European law enforcement agency. It was effectively a criminal company that sold and rented cloud-hosted software to other criminals who used it to take over systems, infect networks, launch ransomware or create enormous robot networks (botnets) to send spam.
Avalanche networks were also used to launch targeted attacks against banks and to recruit people to illegally transfer stolen money between countries, known as money mules.
"They sent more than one million e-mails with damaging attachments or links every week to unsuspecting victims," and involved as many as 500,000 infected computers worldwide on a daily basis, Europol said in a release.
“They would do whatever you wanted. You just had to call them, say ‘I need command and control service,’ or ‘I need to infect this type of people or this type of business,’ and they’d do it,” said Cosoi.
The investigation originally began in Germany in 2012 after prosecutors there detected a ransomware operation that blocked access to a substantial number of computer systems and allowed the criminals to do bank transfers from the victims' accounts.
As authorities became aware of the scope and reach of the criminal organization, the effort to shut it down ended up involving prosecutors and investigators in 30 countries.
Law enforcement takedown
On Wednesday, law enforcement launched a concerted action against the Avalanche group. It resulted in five arrests, the search of 37 premises and seizure of 39 servers. In addition, over 800,000 Internet domains, or addresses, were seized to block the criminals’ access to their customers.
Now that the operation has been taken down, the next crucial stage is for infected individuals and companies to check to make sure that their computers do not have Avalanche malware on them.
“Companies and consumers should take this opportunity to scan their systems for the different families of malware that the Avalanche botnet distributed,” said ESET senior security researcher, Stephen Cobb.
Multiple companies worldwide have written tools to run this scan.
As Europol said on its website, "computer users should note that this law enforcement action will NOT clean malware off any infected computers — it will merely deny the Avalanche users’ ability to communicate with infected victims’ computers. Avalanche victims’ computers will still be infected, but shielded from criminal control."
While the effort was hailed in the cyber security world as a major coup against cyber crime, the differential between how fast international cybercrime networks proliferate and how quickly international law enforcement can act is troubling.
“It does give some reason for concern that our anti-cybercrime efforts still can't match the speed and dexterity that cyber criminals use for their own efforts," said Nathan Wenzler, principal security architect at AsTech Consulting, a San Francisco-based security consulting company.
Unfortunately, while he believes that dismantling the Avalanche network will certainly show some short-term gains, he expects the cyber criminals will be "back up and running in short order.”

Monday, December 5, 2016

Alert (TA16-336A) Avalanche (crimeware-as-a-service infrastructure)

Systems Affected

Microsoft Windows

Overview

“Avalanche” refers to a large global network hosting infrastructure used by cyber criminals to conduct phishing and malware distribution campaigns and money mule schemes. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI), is releasing this Technical Alert to provide further information about Avalanche.

Description

Cyber criminals utilized Avalanche botnet infrastructure to host and distribute a variety of malware variants to victims, including the targeting of over 40 major financial institutions. Victims may have had their sensitive personal information stolen (e.g., user account credentials). Victims’ compromised systems may also have been used to conduct other malicious activity, such as launching denial-of-service (DoS) attacks or distributing malware variants to other victims’ computers.
In addition, Avalanche infrastructure was used to run money mule schemes where criminals recruited people to commit fraud involving transporting and laundering stolen money or merchandise.
Avalanche used fast-flux DNS, a technique that hides the criminal servers behind a constantly changing network of compromised systems acting as proxies.
The following malware families were hosted on the infrastructure:
  • Windows-encryption Trojan horse (WVT) (aka Matsnu, Injector, Rannoh, Ransomlock.P)
  • URLzone (aka Bebloh)
  • Citadel
  • VM-ZeuS (aka KINS)
  • Bugat (aka Feodo, Geodo, Cridex, Dridex, Emotet)
  • newGOZ (aka GameOverZeuS)
  • Tinba (aka TinyBanker)
  • Nymaim/GozNym
  • Vawtrak (aka Neverquest)
  • Marcher
  • Pandabanker
  • Ranbyus
  • Smart App
  • TeslaCrypt
  • Trusteer App
  • Xswkit
Avalanche was also used as a fast flux botnet which provides communication infrastructure for other botnets, including the following:
  • TeslaCrypt
  • Nymaim
  • Corebot
  • GetTiny
  • Matsnu
  • Rovnix
  • Urlzone
  • QakBot (aka Qbot, PinkSlip Bot)
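The fast-flux DNS technique mentioned in the description can be spotted from the resolver side. The following is an added example, not code from US-CERT or DHS: it takes repeated lookups of one hostname (constructed observations of time, resolved address and TTL) and scores how much the answer set churns, since a flux network hands out many different, unrelated addresses with very short TTLs while a normal site returns a small stable set. The thresholds and the use of /24 prefixes as a stand-in for network diversity are assumptions chosen for the example; a production detector would use ASN lookups instead.

```python
"""Fast-flux heuristic over repeated DNS answers for one hostname (added example)."""
import ipaddress
from typing import Dict, List, Tuple

Observation = Tuple[str, str, int]  # (timestamp, resolved IPv4, TTL in seconds)

# Constructed: a flux hostname rotating through eight addresses in three
# unrelated /24s with 300-second TTLs.
FLUX_DOMAIN: List[Observation] = [
    ("2016-11-30T10:00:00", "203.0.113.7", 300),
    ("2016-11-30T10:05:00", "198.51.100.23", 300),
    ("2016-11-30T10:10:00", "192.0.2.45", 300),
    ("2016-11-30T10:15:00", "203.0.113.88", 300),
    ("2016-11-30T10:20:00", "198.51.100.210", 300),
    ("2016-11-30T10:25:00", "192.0.2.9", 300),
    ("2016-11-30T10:30:00", "203.0.113.150", 300),
    ("2016-11-30T10:35:00", "198.51.100.77", 300),
]

# Constructed: an ordinary site alternating between two addresses in one /24
# with an hour-long TTL.
STABLE_DOMAIN: List[Observation] = [
    ("2016-11-30T10:00:00", "192.0.2.10", 3600),
    ("2016-11-30T11:00:00", "192.0.2.11", 3600),
    ("2016-11-30T12:00:00", "192.0.2.10", 3600),
    ("2016-11-30T13:00:00", "192.0.2.11", 3600),
]


def flux_features(observations: List[Observation]) -> Dict[str, float]:
    """Summarise churn: distinct addresses, distinct /24s, shortest TTL, churn ratio."""
    ips = {ip for _, ip, _ in observations}
    networks = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    return {
        "distinct_ips": len(ips),
        "distinct_networks": len(networks),
        "min_ttl": min(ttl for _, _, ttl in observations),
        "ip_churn": len(ips) / len(observations),  # 1.0 = a new address every lookup
    }


def is_fast_flux(observations: List[Observation], min_ips: int = 5,
                 min_networks: int = 3, max_ttl: int = 600) -> bool:
    """All three signals together: many addresses, spread widely, short-lived.

    Thresholds are assumptions for the example, not values from the alert.
    """
    f = flux_features(observations)
    return (f["distinct_ips"] >= min_ips
            and f["distinct_networks"] >= min_networks
            and f["min_ttl"] <= max_ttl)


if __name__ == "__main__":
    for name, obs in (("flux.example", FLUX_DOMAIN), ("stable.example", STABLE_DOMAIN)):
        print(name, flux_features(obs), "-> fast-flux" if is_fast_flux(obs) else "-> normal")
```

Requiring all three signals together keeps large CDN-hosted sites, which also return many addresses but from a small number of well-known networks, from tripping the rule on address count alone.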

Impact

A system infected with Avalanche-associated malware may be subject to malicious activity including the theft of user credentials and other sensitive data, such as banking and credit card information. Some of the malware had the capability to encrypt user files and demand a ransom be paid by the victim to regain access to those files. In addition, the malware may have allowed criminals unauthorized remote access to the infected computer. Infected systems could have been used to conduct distributed denial-of-service (DDoS) attacks.

Solution

Users are advised to take the following actions to remediate malware infections associated with Avalanche:
  • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. Even though parts of Avalanche are designed to evade detection, security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your anti-virus software up-to-date. If you suspect you may be a victim of an Avalanche malware, update your anti-virus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)
  • Avoid clicking links in email – Attackers have become very skilled at making phishing emails look legitimate. Users should ensure the link is legitimate by typing the link into a new browser (see Avoiding Social Engineering and Phishing Attacks for more information).
  • Change your passwords – Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords for more information.)
  • Keep your operating system and application software up-to-date – Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches for more information.)
  • Use anti-malware tools – Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool. A non-exhaustive list of examples is provided below. The U.S. Government does not endorse or support any particular product or vendor.
      • ESET Online Scanner
      • F-Secure
      • McAfee Stinger
      • Microsoft Safety Scanner
      • Norton Power Eraser
      • Trend Micro HouseCall

Revisions

  • December 1, 2016: Initial release
  • December 2, 2016: Added TrendMicro Scanner
