Gridinsoft Blog (https://gridinsoft.com/blogs/), where we share posts about security solutions to keep you, your family and business safe. Feed generated Thu, 29 Aug 2024 21:36:19 +0000.

Altisik Service Virus (https://gridinsoft.com/blogs/altisik-service-virus/, Thu, 22 Aug 2024 21:35:07 +0000)

Altisik Service is a malicious coin miner that usually installs and runs on the target system without the explicit consent of the PC owner. It disguises itself as a Windows service, which makes it difficult to stop or remove. Let’s have a closer look at how this malware operates and how to delete it from the system.

Altisik Service Overview

Altisik Service is a malicious coin miner masquerading as a legitimate Windows process. It is used for hidden, illegal cryptocurrency mining, which creates a significant load on the processor (up to 80% or 100%). This miner differs from most in one key aspect: it registers itself in the system as a service. In this way the attackers make their malware considerably harder to remove. Attempts to manually stop or delete the service can lead to critical system failures, potentially causing a “blue screen of death”.

Altisik Service in the Task Manager (screenshot)

Attackers choose the form of a service for their malware not only for the sake of persistence. Unlike standalone executable files, services are suspected of malicious activity much less often, simply because users trust them more. Also, Windows services can obtain higher privileges much more easily, and with less suspicion from security software.

As for the distribution method, users on Reddit report receiving Altisik as an unwanted “bonus” with other software. Miners generally enter systems disguised as bundled software within installers of cracked programs. Another method is through additional malware already present on the computer: vast loader malware botnets can offer huge gains for the operators of malicious coin miners.

Technical Analysis

Let’s have a closer look at the behavior of the Altisik miner. Its initial behavior is rather typical for a coin miner: upon launching, Altisik first checks for a virtual environment and for security mechanisms. Specifically, it checks the following locations:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\Drivers
HKEY_CURRENT_USER\Software\Microsoft\DirectX\UserGpuPreferences

Further, it pays special attention to Windows Defender settings, specifically ones that touch real-time protection. The malware checks the following system sections.

C:\Program Files\Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\PassiveMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

The sample employs stalling tactics, including long periods of inactivity, to hinder dynamic analysis. This also helps with circumventing some of the antivirus sandboxes: seeing no activity, one will report that the file is safe.

Persistence and Privilege Escalation

Next, the miner maintains persistence in the system as a service, which grants it elevated privileges. It executes the following shell commands:

"C:\Windows\system32\rundll32.exe" "C:\Users\\AppData\Local\Temp\AltisikDevPL/AltisikHelper.dll",#1
C:\Windows\system32\SecurityHealthService.exe
C:\Windows\system32\WerFault.exe -u -p 4328 -s 548
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

As you can see, it runs the AltisikHelper.exe and AltisikHelper.dll processes. They are needed to prevent the user from manually stopping the mining process. Further analysis revealed that the miner creates a DirectInput object, which allows it to read keystrokes. It is unlikely that the Altisik miner can act as a keylogger, but there are quite a few other applications for input capturing.
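The persistence pattern just described, a service whose command line hands rundll32.exe a DLL stored in a user's Temp folder, can be checked for across a host's service inventory. The following is an added detection example, not code from the Gridinsoft post; the service names and command lines it scans are constructed (modelled on the commands quoted above), and the helper names are my own.

```python
"""Flags services whose command line loads code from a user-writable location,
the pattern the Altisik miner uses (rundll32.exe plus a DLL in %LocalAppData%\\Temp).
Added example with constructed data; not Gridinsoft's code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Path fragments that a legitimately installed service should not load from.
# Matched case-insensitively after normalising slashes.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\downloads\\",
)

_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class Finding:
    service: str
    reason: str
    command: str


def split_args(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _ARG_RE.findall(cmdline)]


def normalize(path: str) -> str:
    # Altisik mixes '/' and '\' in its path; treat both as separators.
    return path.replace("/", "\\").lower()


def in_user_writable_dir(path: str) -> bool:
    p = normalize(path)
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def rundll32_target(args: List[str]) -> Optional[Tuple[str, str]]:
    """If args is a rundll32 invocation, return (dll_path, entry_point)."""
    exe = normalize(args[0]) if args else ""
    if len(args) < 2 or not (exe == "rundll32.exe" or exe.endswith("\\rundll32.exe")):
        return None
    # rundll32 syntax is <dll>,<entry>; a quoted path leaves ",<entry>" as its own token.
    dll, _, entry = args[1].partition(",")
    if not entry and len(args) > 2 and args[2].startswith(","):
        entry = args[2][1:]
    return dll, entry


def check_service(name: str, image_path: str) -> List[Finding]:
    """Apply both checks to one service's ImagePath / command line."""
    findings: List[Finding] = []
    args = split_args(image_path)
    if not args:
        return findings
    target = rundll32_target(args)
    if target is not None:
        dll, entry = target
        if in_user_writable_dir(dll):
            findings.append(Finding(name, f"rundll32 loads a DLL from a user-writable path: {dll}", image_path))
        if entry.startswith("#"):
            findings.append(Finding(name, f"DLL export called by ordinal ({entry}), hiding the function name", image_path))
    elif in_user_writable_dir(args[0]):
        findings.append(Finding(name, f"service binary lives in a user-writable path: {args[0]}", image_path))
    return findings


def scan_services(services: Dict[str, str]) -> List[Finding]:
    """services maps a service name to its ImagePath / command line."""
    results: List[Finding] = []
    for name, image_path in services.items():
        results.extend(check_service(name, image_path))
    return results


# Constructed inventory modelled on the command lines quoted in the analysis.
SAMPLE_SERVICES = {
    "Altisik Service": r'"C:\Windows\system32\rundll32.exe" "C:\Users\alice\AppData\Local\Temp\AltisikDevPL/AltisikHelper.dll",#1',
    "SecurityHealthService": r"C:\Windows\system32\SecurityHealthService.exe",
    "Winmgmt": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
    "UpdaterHelper": r"C:\Users\alice\AppData\Roaming\Updater\helper.exe --service",
}

if __name__ == "__main__":
    for f in scan_services(SAMPLE_SERVICES):
        print(f"[{f.service}] {f.reason}")
```

On a real host the inventory would come from the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services; the two checks deliberately leave system-directory binaries such as SecurityHealthService.exe and svchost.exe alone.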

C2 Connection

Altisik uses network communication to send and receive data necessary for its mining operations. The miner communicates with the api.altruistics.org server, likely used for monitoring, control, or data transmission. This may include the miner’s status, statistics, or other mining-related parameters. The response is in text/html format, indicating that the server is returning a web page or text-based data. It also uses Cloudflare DNS 104.18.7.80 and 104.18.6.80, potentially complicating traffic analysis.

How To Remove Altisik?

To get rid of Altisik service, I recommend using GridinSoft Anti-Malware, an effective and easy-to-use antivirus that will quickly repel any threats present in the system. First, though, I would recommend entering Safe Mode with Networking: go to the Start menu → click Reboot while holding down the Shift button on the keyboard.

Press Shift + restart to open Windows Recovery menu

When your PC reboots, in the menu that appears after restarting, select “Troubleshoot” → “Advanced options” → “Startup Settings” → “Restart”.

Advanced options on the recovery menu

Next, select the Safe Mode with Networking and press the corresponding key (usually F5, though it may vary depending on your Windows version).

Startup settings screenshot

Hint: If you have any problems with switching to Safe Mode, please read our guide: How to Remove a Virus From a Computer in Safe Mode.

After switching to the Safe Mode with Networking, follow the steps below:

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

PUA:Win32/SBYinYing (https://gridinsoft.com/blogs/pua-win32-sbyinying/, Fri, 09 Aug 2024 12:31:28 +0000)
PUA:Win32/SBYinYing is a potentially unwanted application (PUA) that is often bundled with certain cracked games. It may display ads to users or redirect them to potentially harmful websites, which puts it in the same category as adware and browser hijackers. Most often, users get infected with this malware after downloading cracked software.

PUA:Win32/SBYinYing Overview

PUA:Win32/SBYinYing is identified by Microsoft Defender as a potentially unwanted program. This detection is most commonly associated with a file named “EMP.dll”, which is typically found in pirated games. Torrents, especially those offering cracked games, are the main distributors of this malware. This is an ideal distribution method for malicious software because running cracked games often requires disabling antivirus software or adding the game to an exclusion list.

PUA:Win32/SBYinYing Detection window (screenshot)

Once this PUA infiltrates a system, it starts doing its nasty job, particularly showing excessive ads and gathering basic information about the user. It is not as severe as regular spyware, but it still creates a less than favorable situation for anyone who cares about privacy. The aforementioned advertising behavior adds to that risk: promotions that Win32/SBYinYing shows may contain phishing redirects, download links for unwanted programs, or sometimes even outright malware.

Technical Analysis

The previous information about PUA:Win32/SBYinYing provided a general overview, but to fully understand the nature of this threat, a more in-depth analysis is required. Let’s examine how this unwanted app behaves within a system using the “EMP.dll” file from a repackaged game as an example. While some behaviors of this software may be related to bypassing license checks, other actions raise significant concerns.

Note: we at GridinSoft heavily vote against using any illegally-activated software, as it violates copyright laws in the majority of countries. Aside from this, such software is a significant malware risk. This test with the actual library from the cracked program was done purely for the purpose of research, with all the needed precautions.

Execution

Since “EMP.dll” is not an executable .exe file, it requires another process to run it. In this case, a part of the installer calls rundll32.exe, the default Windows process for launching dynamic-link libraries. The execution command looks like this:

C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\EMP.dll

The DLL file contains a section that may hold compressed or packed code. Similar to regular malware, PUA:Win32/SBYinYing performs standard checks to detect whether it is running in a virtual environment or a sandbox. It does this by examining certain system parameters, specifically:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Display

SBYinYing queries various system settings, including information about hardware (disks, volumes) and software (policy settings, cryptographic machine GUIDs, etc.). It will cease further execution should any of these contain traces of virtualization or sandboxing.

Defense Evasion

The next step involves identifying and evading security solutions. The techniques used here are more typical of malware than of unwanted programs. File obfuscation, data encryption, attempts to disable or modify security software, injection into legitimate processes: Win32/SBYinYing does all of this. Among other things, the malware checks the following locations:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SaslProfiles

These places contain information about installed antivirus/anti-malware software. Typically, malicious programs change their behavior depending on which AV-vendor is present.

Privilege Escalation and Persistence

After the basic checks, the unwanted program attempts to escalate its privileges. It leverages legitimate processes like WerFault.exe and rundll32.exe, which makes this step relatively straightforward. As mentioned earlier, the malware uses rundll32.exe to execute the DLL library, allowing it to run malicious code embedded within the DLL. Additionally, the malware terminates the wmiadap.exe process with the parameters /F /T /R, which appears to be an effort to evade detection or stop system monitoring. Here’s what the commands look like:

C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1052 -s 460
C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5188 -s 432
C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2296 -s 484

WerFault.exe is a legitimate system process used for error reporting in Windows and Windows applications. In addition to leveraging this process, the malware creates scheduled tasks, enabling it to persist by running each time the system starts.

Network Activity

The malware exhibits notable network activity, making several DNS requests to connect to the internet. Some of the observed connections include:

TCP 40.88.32.150:443
TCP 65.9.73.63:443 (firefox.settings.services.mozilla.com)
TCP 54.187.157.95:443 (pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com)
10.216.185.205.in-addr.arpa
125.21.88.13.in-addr.arpa
130.155.190.20.in-addr.arpa

There are also numerous internal addresses that may be used to make the analysis harder. These connections suggest that the malware could be communicating with command servers, potentially exfiltrating data or receiving further instructions.

Does PUA:Win32/SBYinYing Steal Data?

While it’s theoretically possible for PUA:Win32/SBYinYing to steal data, in practice this is unlikely. This unwanted app mostly works as adware, and the information it collects mostly serves to fingerprint the system. Still, adware can redirect users to potentially dangerous websites, which in turn could be a source of more harmful malware. That is when user data is put at risk.

This might explain why some users report that their Facebook and Steam accounts were compromised after PUA:Win32/SBYinYing was found on their systems. Another plausible explanation is the general risk associated with using pirated software. Using cracked games or software increases the likelihood that a user will eventually have their personal data stolen or files lost.

How to Remove PUA:Win32/SBYinYing?

To remove PUA:Win32/SBYinYing, it’s advisable to use advanced anti-malware software. Some users encounter difficulties when trying to eliminate this threat with Microsoft Defender. For this reason, I recommend using GridinSoft Anti-Malware as a tool to remove PUA:Win32/SBYinYing. You can follow the step-by-step guide below:

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Additionally, I strongly recommend refraining from downloading pirated games and software, as this is the most common method of distributing malware. Not only is it dangerous, but it’s also illegal.

How to Prevent Email Spoofing (https://gridinsoft.com/blogs/prevent-email-spoofing/, Fri, 19 Jul 2024 15:20:27 +0000)
Types of Email Spoofing

Email spoofing, also known as spoofing email, involves forging the sender’s email address. Often, the address in the sender’s field is fake; any responses sent to this address will likely reach a third party. The primary goal of this scam is to deceive the user.

Fraudsters deploy a variety of tactics to execute a successful spoofing attack. Below, we explore the most common methods they use.

1. Sharing a Similar Domain

To successfully spoof an email, fraudsters meticulously imitate sender addresses that appear similar to those of well-known organizations or companies. They typically:

  • Alter the top-level domain, for example, from support@spotify.com to support@spotify.co
  • Change the domain to include a country code, for example, support@spotify.com.ru
  • Modify a single character in the domain name, turning support@spotify.com into support@spatify.com
  • Use a variant of the domain that still references the brand, such as support@spotifyinfo.com
  • Create an email address that incorporates the company’s name, like support.spotify@gmail.com

2. Substituting the Sender’s Name

This tactic involves falsifying the sender’s name, with the “From” and “Reply-To” headers displaying the fraudster’s address instead. This method is particularly prevalent on mobile mail clients, which typically only display the sender’s name. Fraudsters may use:

  • Misleading variations of the company’s name.
  • Fabricated names paired with deceptive email addresses.

Imagine that you receive an email like this:

Preventing Email Spoofing - Example 1

Notice that all fields are correct, but the From and Reply-To fields are not. When Dude1 receives this email, he may think it’s from his boss. When he hits “Reply,” all he’ll see in the To: field is the name “BossMan,” but it will actually go back to his friend who spoofed the email, Dude2.

3. Exploiting the Unauthenticated From and Reply-To Fields

Because the SMTP protocol does not authenticate headers, fraudsters can easily forge addresses in the From and Reply-To fields without being noticed. Thus they enjoy a low risk of being caught, as a forged message is almost indistinguishable from a genuine one.
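As an added example, not code from the original post, here is a checker that applies the lookalike-domain patterns from section 1 and the From/Reply-To mismatch from section 2 to a raw message. The brand allow-list, the free-mail provider set and the two sample messages are constructed; the function names are my own.

```python
"""Header checks for the two spoofing tactics above: lookalike sender domains
and a Reply-To that silently diverts replies. Added example with constructed
data, not code from the original post."""
import email
from email.utils import parseaddr
from typing import List, Optional

BRAND_DOMAINS = ["spotify.com"]   # constructed: domains you expect genuine mail from
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}   # constructed


def within_one_edit(a: str, b: str) -> bool:
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def lookalike_reason(address: str, brands: List[str]) -> Optional[str]:
    """Return why an address imitates one of the brand domains, or None."""
    local, _, domain = address.lower().rpartition("@")
    if not domain:
        return "address has no domain part"
    labels = domain.split(".")
    for brand in brands:
        b_labels = brand.lower().split(".")
        name = b_labels[0]
        if labels == b_labels:
            return None                                                # exact brand domain
        if labels[:len(b_labels)] == b_labels:
            return f"extra suffix appended to {brand}: {domain}"        # spotify.com.ru
        if labels[0] == name:
            return f"top-level domain altered from {brand}: {domain}"   # spotify.co
        if within_one_edit(labels[0], name):
            return f"one character changed from {brand}: {domain}"     # spatify.com
        if name in labels[0]:
            return f"brand name embedded in another domain: {domain}"  # spotifyinfo.com
        if name in local and domain in FREEMAIL:
            return f"brand name in a free-mail mailbox: {address}"     # support.spotify@gmail.com
    return None


def analyze(raw_message: str, brands: List[str] = BRAND_DOMAINS) -> List[str]:
    """Parse a raw RFC 5322 message and list the spoofing indicators found."""
    msg = email.message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    warnings: List[str] = []
    reason = lookalike_reason(from_addr, brands)
    if reason:
        warnings.append(f"From: {reason}")
    if reply_addr:
        if reply_addr.lower() != from_addr.lower():
            # Replies go somewhere other than the apparent sender (the BossMan/Dude2 case).
            warnings.append(f"Reply-To {reply_addr} differs from From {from_addr}")
        reason = lookalike_reason(reply_addr, brands)
        if reason:
            warnings.append(f"Reply-To: {reason}")
    return warnings


# Constructed sample messages.
SPOOFED = """From: "Spotify Support" <support@spatify.com>
Reply-To: "Spotify Billing" <billing@spotifyinfo.com>
To: dude1@example.com
Subject: Your payment failed

Please update your card details.
"""

LEGIT = """From: Spotify <support@spotify.com>
To: dude1@example.com
Subject: Your receipt

Thanks for your payment.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
        print(label, analyze(raw) or ["no indicators"])
```

Note that these checks only inspect what the sender wrote into the headers; they complement, rather than replace, the SPF, DKIM and DMARC verification described in the next section.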

Protection from Email Spoofing

To effectively guard against email spoofing, it’s essential to configure email security protocols such as SPF, DKIM, and DMARC. Below, you’ll find step-by-step guides on how to set up these protocols for popular email platforms:

1. Setting Up SPF (Sender Policy Framework)

SPF helps to verify that incoming mail from a domain comes from a host authorized by that domain’s administrators.

  • Gmail: Go to the Google Admin console, navigate to ‘Domains’, and then ‘Add a domain or a domain alias’. Add the SPF record in your DNS settings: v=spf1 include:_spf.google.com ~all
  • Outlook: In the Microsoft 365 admin center, go to ‘Settings’ → ‘Domains’, select your domain, and add the SPF record to your DNS settings: v=spf1 include:spf.protection.outlook.com -all

2. Implementing DKIM (DomainKeys Identified Mail)

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails, allowing the receiver to verify that an email was indeed sent and authorized by the owner of the sending domain. Setting up DKIM correctly can help prevent email spoofing by verifying the authenticity of the sender. Here’s how to set up DKIM for Gmail and Outlook:

Implementing DKIM for Gmail:

Setup DKIM for Gmail - Prevent Email Spoofing

To configure DKIM for Gmail, use the following steps:

  1. Sign in to the Google Admin console.
  2. Navigate to Apps → Google Workspace → Gmail → Authenticate email.
  3. Select the domain for which you want to set up DKIM and click GENERATE NEW RECORD. You might see this option only if you haven’t already set up DKIM for your domain.
  4. Choose a key length of 2048 bits for better security (1024 bits is also available but less secure).
  5. After generating the DKIM key, Google will provide you with a TXT record to add to your domain’s DNS. It will look something like this:
    google._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq...AB"

    This is your public key.

  6. Add this record to your DNS settings at your domain host. Keep in mind that DNS propagation can take up to 48 hours.
  7. Once the DNS has propagated, return to the Admin console and click START AUTHENTICATION.

When DKIM is set up correctly, Gmail will sign outgoing emails automatically, allowing recipient servers to verify their authenticity.

Implementing DKIM for Outlook:

For users of Microsoft 365 or Outlook, the setup process involves similar steps:

  1. Log in to the Microsoft 365 Defender portal.
  2. Go to Email & collaboration → Policies & rules → Threat policies → DKIM.
  3. Choose the domain you wish to enable DKIM for and click Enable.
  4. If no DKIM keys exist, Microsoft will prompt you to create them. Click on Create to generate the keys.
  5. Microsoft will then provide two CNAME records to add to your domain’s DNS. These records delegate the DKIM signing authority to Microsoft. They typically look like this:
    selector1._domainkey.YOURDOMAIN.com CNAME selector1-YOURDOMAIN-com._domainkey.OURDOMAIN.onmicrosoft.com
    selector2._domainkey.YOURDOMAIN.com CNAME selector2-YOURDOMAIN-com._domainkey.OURDOMAIN.onmicrosoft.com
  6. Add these CNAME records to your DNS. Again, allow up to 48 hours for DNS changes to take effect.
  7. Once DNS propagation is complete, go back to the Defender portal and confirm the DKIM status to ensure it is active.

Implementing DKIM for your domain significantly improves your email security by enabling email authenticity verification at the recipient’s end.

3. Configuring DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication, policy, and reporting protocol. It builds on SPF and DKIM protocols, helping email receivers determine if a given message aligns with what the receiver knows about the sender. If not, DMARC includes guidance on how to handle these discrepancies. Here’s a step-by-step guide to setting up DMARC:

Understanding DMARC Policy:

Before setting up DMARC, you need to understand the policies you can apply:

None: This policy allows all emails, regardless of authentication status, to be delivered (used for monitoring and reporting purposes).
Quarantine: Emails that fail DMARC authentication will be moved to the spam folder or a similar location.
Reject: Fully blocks delivery of emails that fail DMARC authentication.

Steps to Configure DMARC:

  1. Create a DMARC record: A DMARC policy is published as a DNS TXT record. The typical format of a DMARC record looks like this:
    v=DMARC1; p=none; rua=mailto:admin@yourdomain.com

    In this example, ‘p=none’ specifies the policy, and ‘rua’ indicates where aggregate reports of DMARC failures will be sent.

  2. Choose Your Policy: Decide which policy (none, quarantine, reject) fits your needs based on your security posture and the maturity of your SPF and DKIM setups.
  3. Specify Email Reporting: Determine where you want reports of pass/fail to be sent. These reports are crucial for understanding the types of attacks targeting your domain and observing how your emails are being received on the internet. Use ‘rua’ for aggregate reports and ‘ruf’ for forensic reports:
    rua=mailto:aggregate@yourdomain.com; ruf=mailto:forensic@yourdomain.com
  4. Publish the DMARC Record: Add the DMARC TXT record to your domain’s DNS. This is similar to adding SPF or DKIM records. You typically enter the record into your DNS management dashboard.
  5. Monitor and Adjust: After implementing DMARC, monitor the reports you receive and adjust your policy as needed. Initially starting with a ‘none’ policy and moving to ‘quarantine’ or ‘reject’ as you confirm that legitimate emails are passing SPF and DKIM checks is a common approach.

Additional DMARC Tags:

DMARC records can include several optional tags to refine their operation:

  • aspf: Alignment mode for SPF (strict or relaxed).
  • adkim: Alignment mode for DKIM (strict or relaxed).
  • fo: Forensic options to specify conditions under which forensic reports should be generated.
  • rf: The format to be used in forensic reports.
  • ri: Reporting interval for how often you want to receive the aggregate reports.
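Added example, not code from the original post: a parser for the DMARC TXT record format shown above, plus an evaluator that applies the p=, aspf= and adkim= tags to the SPF and DKIM results a receiving server would already have. The organizational-domain helper uses the last two labels as a simplification (real receivers consult the Public Suffix List); the records, domains and results below are constructed, and the function names are my own.

```python
"""DMARC record parsing and identifier alignment, as described in the guide.
Added example with constructed data; not Gridinsoft's code."""
from typing import Dict, Optional

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=none; rua=mailto:...' into a tag dictionary,
    filling in the relaxed-alignment defaults for aspf/adkim."""
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("DMARC record must begin with v=DMARC1")
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be one of none, quarantine, reject")
    for tag in ("aspf", "adkim"):
        tags.setdefault(tag, "r")
        if tags[tag] not in ("r", "s"):
            raise ValueError(f"{tag}= must be r (relaxed) or s (strict)")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption for this example; real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain sharing the organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(record: str, from_domain: str,
             spf_result: Optional[str] = None, spf_domain: Optional[str] = None,
             dkim_result: Optional[str] = None, dkim_domain: Optional[str] = None) -> Dict[str, str]:
    """Apply the published policy to one message. from_domain comes from the
    RFC5322.From header; spf_domain is the envelope (MAIL FROM) domain SPF
    checked; dkim_domain is the d= tag of a signature that verified."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and bool(spf_domain) and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and bool(dkim_domain) and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none"}
    # Neither identifier both passed and aligned: the p= tag decides what happens.
    return {"dmarc": "fail", "disposition": tags["p"]}


# Constructed records: the monitoring record from the guide and a stricter one.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:admin@yourdomain.com"
ENFORCE_RECORD = ("v=DMARC1; p=reject; aspf=s; adkim=r; "
                  "rua=mailto:aggregate@yourdomain.com; ruf=mailto:forensic@yourdomain.com")

if __name__ == "__main__":
    # Legitimate mail: SPF passed for the same domain as the From header.
    print(evaluate(MONITOR_RECORD, "yourdomain.com", "pass", "yourdomain.com"))
    # Spoofed From: SPF passed, but only for the attacker's own envelope domain.
    print(evaluate(ENFORCE_RECORD, "yourdomain.com", "pass", "mailer.attacker.example"))
    # Strict SPF alignment fails a subdomain sender, but the aligned DKIM signature rescues it.
    print(evaluate(ENFORCE_RECORD, "yourdomain.com", "pass", "mail.yourdomain.com",
                   "pass", "yourdomain.com"))
```

The second case is the one that matters: SPF alone passes for the attacker's own domain, and only the alignment check against the From header, together with p=reject, turns that into a blocked message.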

Phishing vs Spoofing: Definition & Differences (https://gridinsoft.com/blogs/difference-between-phishing-and-spoofing/, Fri, 19 Jul 2024 12:34:37 +0000)
What is a Phishing Attack?

Phishing is a cyber-attack method that introduces malware to a computer via email. Intruders send users emails containing links under various pretexts. After clicking these links, the malware enters your computer. In this way, cybercriminals deceive the target to get as much data about the user as possible: card numbers, bank accounts, etc.

Types of Phishing Attacks

We have already explored what phishing is and how it manifests itself. Now, let’s delve into the types of phishing so you can better recognize them, understand where they might appear, and grasp their potential dangers to your PC. See the detailed descriptions below:

  • Email Phishing: This is the most common form of phishing. Fraudsters send fraudulent emails that seem to come from reputable sources, such as financial institutions or well-known companies, to steal sensitive information like login credentials or credit card numbers. The emails often contain a link that leads to a fake website designed to capture your personal information.
  • Phone Phishing: Also known as voice phishing or vishing, this technique involves phone calls to users with the aim of tricking them into divulging personal, financial, or security information. Attackers might impersonate bank officials, tech support, or representatives from other organizations to obtain sensitive information directly over the phone.
  • Clone Phishing: In clone phishing, attackers make a copy or “clone” of a previously delivered email from a trusted sender that contained a link or an attachment. The malicious actor changes the link or attached file to a malicious version and resends it under the guise of an update or correction of the original email, often claiming it was re-sent due to a mistake or problem with the previous link.
  • Spear Phishing: Unlike the broad nature of standard phishing, spear phishing targets specific individuals or organizations. This type of attack involves personalized messages that are more convincing because they are often based on the victim’s job position, work relationships, or personal interests, gathered from various data sources like social media or compromised accounts.
  • Angler Phishing: This type of phishing exploits social media platforms to masquerade as customer support accounts. Fraudsters create fake accounts or hack into existing ones to respond to genuine customer queries. Through this method, they aim to extract personal data or spread malware by encouraging the victim to click on malicious links or give up sensitive information under the pretense of resolving a support issue.
  • Smishing and Vishing: Smishing is phishing via SMS messages, where attackers send text messages that lure recipients into revealing personal information or downloading malware. Vishing, as mentioned, is similar but conducted over the phone. Both methods use social engineering to convince the victim to act against their best interests, often creating a sense of urgency or fear.


Examples of Phishing Attacks

Above, we have reviewed the types of phishing. Consider now the examples of how these types of phishing appear in action:

  • You receive an email whose only purpose is to get you to click the link it contains.
  • The most common phrase in these emails is “Click here”.
  • Emails alerting you that a payment allegedly did not go through and asking you to try again.
  • An email that falsely claims you have unpaid taxes and owe something.
  • You end up on the fraudsters’ website even though you typed in your bank’s address.
  • DNS settings on routers are changed without the user’s permission.
Fraudsters of all kinds are trying to steal your data. To avoid this, we want to give you some rules on how to protect yourself from phishing attacks.

What is a Spoofing Attack?

Spoofing is the falsification of someone else’s data by a cybercriminal so that it can be used unlawfully for their own ends. It is often done to bypass control and security systems and to distribute malware. The most common types of spoofing are IP spoofing, DNS spoofing, and email spoofing.

Types of Spoofing Attack

  1. Email Spoofing. This method involves deception and forgery of the sender’s address in emails. The attacker spoofs the domain, changes the sender address, and alters the values of the “From” and “Reply-To” fields.
  2. Website Spoofing. The attacker creates a fake site that masquerades as a legitimate one. To make the site look realistic, intruders use the real logos, colors, and fonts. The purpose of this method is to install malware on your computer through such a site.
  3. Caller ID Spoofing. In this case, the attacker hides behind a fake phone number. Any number can be used for the outgoing call, but the number shown to the recipient is the one the intruder chooses. This makes the attacker difficult to identify, as the real outgoing number is hidden.
  4. IP Spoofing. This is the forging of the source IP address in packets sent to the target server: the packet carries an address that the recipient trusts, so the victim accepts the data the hacker wants to deliver. You can completely exclude IP spoofing by comparing the sender’s MAC and IP addresses. This technique also has legitimate uses: for example, hundreds of virtual users with false IP addresses have been created to test a resource’s performance.
  5. DNS Server Spoofing. This attack replaces the IP address that a domain name resolves to. DNS (Domain Name System) spoofing, or DNS cache poisoning, is a type of cyberattack used by an attacker to direct the victim’s traffic to a malicious website instead of the legitimate IP address.

Types of spoofing

Examples of Spoofing Attacks

Each type of spoofing manifests differently. To give a general picture of how spoofing works, here are two examples:

  • Spoofing can take the form of an altered IP address in DNS records, so that an entire site's name resolves to a server the attacker controls.
  • A website disguised as a bank you know, reached through a link in an email, asks you to log in; it exists only to collect your credentials.

Difference Between Phishing and Spoofing

Now that we know what phishing and spoofing are, what forms they take and how they show up in practice, we can look at how they differ:

  • Objective: Phishing aims to extract something from the victim: credentials, card numbers, personal data or a payment. Spoofing aims to impersonate a person, system or domain the victim trusts; it is a means to an end rather than the end itself.
  • Nature of the scam: Spoofing by itself is a forgery of identifying data and does not necessarily steal anything. Phishing is outright fraud: it deceives the user into handing over data or money.
  • Relationship: The two are closely related. Phishing very often relies on spoofing (a forged sender address, a look-alike domain) to appear legitimate, but spoofing also serves other attacks, such as bypassing IP-based access controls.
  • Method: Spoofing is a technical technique: forged headers, packets or DNS records. Phishing relies primarily on social engineering, sometimes with malware as the payload.

How to Prevent Phishing and Spoofing Attacks

There are ways to reduce the risk from both spoofing and phishing attacks. No single measure makes you immune, but the steps below help:

Phishing:

  • Before clicking a link in an email, hover over it and check the address it actually points to. If it differs from the one shown, the message is likely a hoax.
  • Messages that push you with phrases like "Do not hesitate", "Last chance" or "Hurry" are pressuring you into clicking without thinking; delete them or mark them as spam.
  • Open attachments only from proven, reliable sources.
  • If you receive an unexpected email from someone you know and are not sure they really sent it, call them and ask.

Spoofing:

  • Check the message for grammatical and spelling errors.
  • Look carefully at the sender's actual address, not just the display name.
  • Encryption and authentication: use TLS for connections and, if you run a domain, publish SPF, DKIM and DMARC records so receivers can reject mail forged in your name.
  • Robust verification: confirm unusual requests (payments, credential resets) through a second channel, such as a phone call to a number you already know.
  • Firewall: protects your network, filters traffic with forged source IP addresses, and blocks access by unauthorized outsiders.

You can also apply the same tips we gave for phishing. Be careful in all these aspects, since you never know what you will be exposed to. Install protection on your PC that works on your behalf, warns you about suspected threats and monitors your online activity.

We invite you to try Gridinsoft Anti-Malware, it is an excellent protection against spoofing, phishing attacks, and other online threats. Moreover, it is also able to get rid of the virus that helps scammers to deceive you.

Trojan:Win32/Bearfoos.B!ml https://gridinsoft.com/blogs/trojan-win32-bearfoos-bml/ https://gridinsoft.com/blogs/trojan-win32-bearfoos-bml/#respond Sat, 13 Jul 2024 12:31:59 +0000 https://gridinsoft.com/blogs/?p=25679 Trojan:Win32/Bearfoos.B!ml is a detection of Microsoft Defender associated with data stealing malware. It may flag this malware due to the specific behavior patterns, assigning that name even to malicious programs of well-known families. As the Defender uses machine learning for this detection, it can sometimes be a false positive. Trojan:Win32/Bearfoos.B!ml Overview Trojan:Win32/Bearfoos.B!ml is a detection… Continue reading Trojan:Win32/Bearfoos.B!ml

Trojan:Win32/Bearfoos.B!ml is a Microsoft Defender detection associated with data-stealing malware. Defender assigns this name on the basis of behavior patterns rather than a known signature, so it can cover malicious programs from well-known families. Because the detection relies on machine learning (the !ml suffix), it can sometimes be a false positive.

Trojan:Win32/Bearfoos.B!ml Overview

Trojan:Win32/Bearfoos.B!ml is a detection of Microsoft Defender's machine-learning engine for infostealer malware and spyware. Typically, the malware behind this detection belongs to a broader family, but it may also be a small-batch sample. The trigger is a specific behavior pattern the model has recognized, which means the name alone does not tell you what exactly caused it. Bearfoos embeds itself deeply into the system, often unnoticed by the user, and targets cookies, password databases, cryptocurrency wallets and other sensitive information stored on the infected machine.

Trojan:Win32/Bearfoos.B!ml detection

Once the data is collected, the malware transmits it to a command-and-control server, then enters a dormant state, waiting for further commands. This allows it to remain undetected for extended periods. In addition to data theft, Bearfoos can log keystrokes, take screenshots, record video or audio using the system’s peripherals, and perform other spying activities.

Trojan:Win32/Bearfoos.B!ml spreads using methods typical for this type of malware. Most commonly, it is distributed through game cheats, mods, and dubious utilities. The second most common method of distribution is email spam.

Technical Analysis

Let’s break down how Trojan:Win32/Bearfoos.B!ml behaves in an infected system. The particular sample that I review appears to be an offshoot of AgentTesla spyware. I’ll try to explain the most important aspects of this threat as clearly as possible.

Upon infiltrating the system, the malware reads the following files and registry locations, checking for signs of a sandbox or debugger. This is a typical step that malware takes to avoid analysis and "useless" infections:

C:\drivers\etc\hosts
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\system32\VERSION.dll

Gaining Persistence

After that, it drops a copy of itself into the AppData\Roaming folder under a random name; in my case it was vzCravLx.exe. Next, the malware reads the following Microsoft Defender settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus

These registry values control components of the system's anti-malware protection. The malware reads them to understand the security posture and plan its next steps. In our scenario the Defender settings were at their defaults, so Bearfoos proceeded to modify Defender with the following commands:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\\AppData\Roaming\vzCravLx.exe"
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vzCravLx" /XML "C:\Users\\AppData\Local\Temp\tmp6EAE.tmp"

This is what gives the malware persistence. The first command adds the path of its own executable to Microsoft Defender's exclusion list, so the copy is never scanned. Note that Add-MpPreference requires administrator rights, so this step only succeeds when the malware is running elevated. The second command creates a task in Task Scheduler, defined in the temporary XML file, that launches the malware on a schedule. After that, Bearfoos (a.k.a. AgentTesla) deletes the original file and keeps operating only through this excluded copy.
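To find the two artefacts this persistence step leaves behind (a scheduled task launching a binary from a user-writable folder, and a Defender exclusion covering it), here is an added example that is not part of the original analysis. It parses a Task Scheduler XML definition of the kind passed to schtasks /Create /XML and audits a list of Defender exclusion paths. The task XML and the exclusion list are constructed to mirror the behaviour above; on a live host you would export tasks with schtasks /Query /TN name /XML and read exclusions with (Get-MpPreference).ExclusionPath in PowerShell.

```python
"""Audit the persistence artefacts described above: the scheduled task and the
Defender exclusion. Added example, not from the original analysis; the task
XML and the exclusion list are constructed to mirror the behaviour."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to without elevation; legitimate
# scheduled tasks almost never launch binaries from here.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\|\\Temp\\|\\Users\\Public\\", re.I)

# Constructed task definition in the format schtasks /Create /XML consumes
# (real exports carry a UTF-16 XML declaration, omitted here): a hidden task
# that repeats every minute and runs a randomly named copy from the
# user's roaming profile folder.
SAMPLE_TASK_XML = """\
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval><Duration>P1D</Duration></Repetition>
      <StartBoundary>2024-07-13T12:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\user\\AppData\\Roaming\\vzCravLx.exe</Command></Exec>
  </Actions>
</Task>
"""

# Constructed exclusion list, as (Get-MpPreference).ExclusionPath would return it.
SAMPLE_EXCLUSIONS = [
    r"C:\Program Files\Vendor\Agent",
    r"C:\Users\user\AppData\Roaming\vzCravLx.exe",
]

def audit_task(xml_text):
    """Return findings for one task definition (empty list means nothing suspicious)."""
    root = ET.fromstring(xml_text)
    findings = []
    for exe in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = exe.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        if USER_WRITABLE.search(cmd):
            findings.append(f"runs from user-writable path: {cmd}")
    if root.findtext(".//t:Settings/t:Hidden", default="", namespaces=TASK_NS) == "true":
        findings.append("task is hidden from the Task Scheduler UI")
    interval = root.findtext(".//t:Repetition/t:Interval", default="", namespaces=TASK_NS)
    if interval:
        findings.append(f"repeats every {interval}")
    return findings

def audit_exclusions(paths):
    """Return exclusion entries that cover user-writable locations."""
    return [p for p in paths if USER_WRITABLE.search(p)]

if __name__ == "__main__":
    for finding in audit_task(SAMPLE_TASK_XML):
        print("task:", finding)
    for path in audit_exclusions(SAMPLE_EXCLUSIONS):
        print("exclusion:", path)
```

An exclusion that points into AppData, Temp or Users\Public is worth an alert on its own, regardless of whether a task refers to it: nothing legitimate needs Defender to skip a user-writable path.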

Data Collection

The next phase is the collection of sensitive information. First, the malware reads a selection of files belonging to web browsers, looking for passwords, cookies and session tokens. Here is the list of browsers in question:

  • 360Chrome
  • Microsoft Edge
  • 7Star
  • Amigo
  • Brave Browser
  • Citrio
  • CentBrowser
  • Chedot
  • Chromium
  • Orbitum
  • CocCoc Browser
  • Comodo Dragon
  • Coowon
  • Elements Browser
  • Epic Privacy Browser
  • Sleipnir5 (Fenrir Inc)
  • Iridium
  • Kometa
  • ChromePlus (MapleStudio)

As we can see, the targets are mainly Chromium-based browsers. Beyond them, the malware harvests credentials from desktop email clients and some FTP/VPN applications.

Command & Control Server

The Bearfoos trojan sends HTTP requests to the following addresses, downloading a CAB file from the Windows Update server and certificates from Sectigo and Microsoft:

GET http://download.windowsupdate.com/d/msdownload/update/others/2015/05/17930914_a3b333eff1f0428f5a2c87724c542504821cdbd8.cab
GET http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt 200
GET http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c 200
GET http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt 200
GET http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt 200

These are the requests Windows' own certificate verification (CryptoAPI) issues when it validates a code-signing chain or refreshes its trusted-root list, so they are most likely background noise from the sandbox rather than a deliberate disguise. The more useful indicators are the DNS lookups: besides the legitimate download.windowsupdate.com, the malware resolves mail.commtechtrading[.]com and chir104.websitehostserver[.]net, which could be part of its command-and-control (C2) infrastructure used for data exfiltration. The connection to port 587 (SMTP submission) is consistent with AgentTesla's habit of exfiltrating stolen data by email. The malware establishes the following TCP/UDP connections (the UDP packet to 192.168.0.12:137 is a NetBIOS name query on the lab network):

TCP 23.53.122.213:80
TCP 173.236.63.6:587
TCP 20.99.133.109:443
TCP 23.216.147.71:80
TCP 23.216.81.152:80
UDP 192.168.0.12:137

After completing the data exfiltration, the malware enters a waiting mode, listening for commands from the C2 server. During this standby period, it continues to collect data, capturing keystrokes, taking screenshots, and recording audio and video from peripheral devices.
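As an added example that is not part of the original analysis, here is the triage logic a responder could run over records like the ones listed above: it flags mail-submission ports used by a process that is not a known mail client, contacts with the domains named above, and separates out the certificate fetches and NetBIOS traffic as background noise. The connection records, process names and the allow-list of known mail clients are constructed for the example.

```python
"""Triage rules for the connection records above.
Added example, not from the original analysis; records and process names are constructed."""
import ipaddress
from dataclasses import dataclass

# Hosts Windows itself contacts while validating certificate chains and
# refreshing its root list; treated as noise here (assumption for the example).
BACKGROUND_HOSTS = {"download.windowsupdate.com", "crt.sectigo.com", "www.microsoft.com"}
# Domains named in the analysis above as possible C2 / exfiltration endpoints.
SUSPICIOUS_DOMAINS = {"mail.commtechtrading.com", "chir104.websitehostserver.net"}
MAIL_PORTS = {25, 465, 587}                                # SMTP, SMTPS, submission
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumption: your allow-list

@dataclass(frozen=True)
class Conn:
    process: str
    proto: str
    dst_host: str     # resolved name when known, otherwise the IP
    dst_ip: str
    dst_port: int

# Constructed records in the shape of the connections listed above.
SAMPLE_CONNS = [
    Conn("vzCravLx.exe", "TCP", "download.windowsupdate.com", "23.53.122.213", 80),
    Conn("vzCravLx.exe", "TCP", "mail.commtechtrading.com", "173.236.63.6", 587),
    Conn("vzCravLx.exe", "TCP", "www.microsoft.com", "20.99.133.109", 443),
    Conn("svchost.exe", "UDP", "192.168.0.12", "192.168.0.12", 137),
    Conn("outlook.exe", "TCP", "mail.example.com", "203.0.113.25", 587),
]

def classify(conn):
    """Return the reasons this connection deserves attention (empty if none)."""
    reasons = []
    if conn.dst_port in MAIL_PORTS and conn.process.lower() not in KNOWN_MAIL_CLIENTS:
        reasons.append(f"{conn.process} speaks SMTP on port {conn.dst_port}: possible exfiltration")
    if conn.dst_host.lower() in SUSPICIOUS_DOMAINS:
        reasons.append(f"contact with listed domain {conn.dst_host}")
    return reasons

def is_background_noise(conn):
    """CryptoAPI certificate fetches and NetBIOS name queries on the local network."""
    if conn.dst_host.lower() in BACKGROUND_HOSTS and conn.dst_port in (80, 443):
        return True
    return (conn.proto == "UDP" and conn.dst_port == 137
            and ipaddress.ip_address(conn.dst_ip).is_private)

def triage(conns):
    """Split records into (alerts, noise, unclassified); alerts carry their reasons."""
    alerts, noise, other = [], [], []
    for c in conns:
        reasons = classify(c)
        if reasons:
            alerts.append((c, reasons))
        elif is_background_noise(c):
            noise.append(c)
        else:
            other.append(c)
    return alerts, noise, other

if __name__ == "__main__":
    alerts, noise, other = triage(SAMPLE_CONNS)
    for conn, reasons in alerts:
        print("ALERT", conn.process, f"{conn.dst_ip}:{conn.dst_port}", "|", "; ".join(reasons))
    print(len(noise), "background records,", len(other), "unclassified")
```

The SMTP rule is the one that generalises: an infostealer does not need a fixed C2 domain if it can mail the loot out, so any non-mail process opening port 25, 465 or 587 deserves a look even when the destination is a reputable mail provider.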

Is Trojan:Win32/Bearfoos.B!ml a False Positive?

As I mentioned earlier, Trojan:Win32/Bearfoos.B!ml is raised by Microsoft Defender's machine-learning system. This method is prone to false positives: legitimate files, such as those of recently updated games or programs, are sometimes mistakenly flagged as malicious. False positives are especially common with small-batch programs from GitHub, certain emulator apps and, in some bizarre cases, even Windows' own files.

While it is easy to spot a false positive in a program you know and trust, doing so with a less familiar app is harder. If you are not sure about the source and developer, guessing can be costly. That is why a second-opinion anti-malware scan is needed.

How to Remove Trojan:Win32/Bearfoos.B!ml?

To remove the Bearfoos.B!ml trojan, or to check whether the detection is real, I recommend using GridinSoft Anti-Malware. This program is not susceptible to malware attacks the way Microsoft Defender is, and it will easily spot even the most recent malware samples thanks to its multi-component detection system. Follow the guide below to get your system as good as new.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

The post Trojan:Win32/Bearfoos.B!ml appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/trojan-win32-bearfoos-bml/feed/ 0 25679
How to Stop and Block Spam Emails https://gridinsoft.com/blogs/avoid-spam-email/ https://gridinsoft.com/blogs/avoid-spam-email/#respond Thu, 04 Jul 2024 12:32:03 +0000 https://blog.gridinsoft.com/?p=747 Spam refers to the flood of unwanted emails that clutter your inbox, often from unknown and dubious sources. These emails not only waste your time but can also pose serious security threats by attempting to install malware or steal your personal information. Spam has been a nuisance since the early days of the Internet, making… Continue reading How to Stop and Block Spam Emails

Spam refers to the flood of unwanted emails that clutter your inbox, often from unknown and dubious sources. These emails not only waste your time but can also pose serious security threats by attempting to install malware or steal your personal information. Spam has been a nuisance since the early days of the Internet, making it a persistent problem to tackle. This is why it’s crucial to understand the benefits of using malware protection to safeguard your data.

How can you identify a suspicious email as “Spam”? What steps can you take to protect your computer from potential spam infections? Is it safe to open such emails?

In this article, we will address all these questions, helping you decipher the overwhelming number of mysterious emails in your inbox, understand their origins, and provide practical tips to avoid falling prey to spam emails.


How to Identify Spam Emails

If you are not sure how to recognize spam, here are the signs to look for:

  • Check the sender's address. Look carefully at the address itself, not just the display name. If it is an incomprehensible jumble of letters and numbers, hover over it to see it in full. If it looks suspicious, search for the address online and see what others report about it.
  • Consider what is being asked. Legitimate companies do not email you for personal information, registration details, bank account numbers, insurance details or other confidential data. If you cannot think of a reason this company would ask, and the request looks out of place, do not fall for it: it is spam.
  • Be wary of manufactured urgency. Phrases like "Urgent" or "requires immediate action" are there to pressure you into deciding quickly and rashly.
  • Check whether the email uses your name. A company that does business with you knows at least your first and last name. Salutations like "Dear Customer" or "Dear Reader" should make you doubt its legitimacy.
  • Check grammar and spelling. Strange wording, misspelled words and incoherent sentences are a sign that something is wrong.

Examples of Spam Emails

Spam comes in several forms; knowing them helps you recognize it:

  • Spoofed emails – the sender forges the address to impersonate someone you trust and trick you into handing over confidential data.
  • Ads – the most common form of spam. Many are scams, although sometimes a real product is being advertised.
  • Malware warnings – these messages urge you to click a link to "protect" your PC from malware; the link itself delivers the threat.
  • Money scams – the senders pose as charities, volunteers or people in need in order to talk you out of your money.
  • Over-the-top promises – quick winnings, fast weight loss, big payouts and similar lies you have probably seen all over the Internet.
  • Forced or accidental subscriptions – after a purchase, many shops offer to subscribe you to a newsletter. Some do it silently, and you end up with a hundred emails from them.
  • Chain letters – fabricated messages that pressure you psychologically, threatening that something bad will happen unless you act or forward them.

How to Stop Spam Emails

If your Inbox is already crowded, making it difficult to navigate and understand where messages come from and why, follow these steps to rid yourself of the massive number of spam emails:

  1. Report the email as spam. Use your email provider’s option to mark emails as spam. This helps improve spam filters and keeps your inbox clean.
  2. Block spam email addresses. Block addresses that frequently send you spam. This prevents further emails from those addresses from reaching your inbox.
  3. Use an email alias. Create an alias for situations where you might not want to share your main email address. This helps protect your primary inbox from spam.
  4. Change your email privacy settings. Adjust your email privacy settings to limit who can send you emails and prevent your address from being publicly accessible.
  5. Unsubscribe from unwanted newsletters or mailing lists. Use the unsubscribe link typically found at the bottom of newsletters and marketing emails to stop receiving them.
  6. Check if your email is on the dark web. Use services that can check if your email address has been compromised or is being circulated on the dark web.
  7. Use SPF and DKIM email authentication. If you own a domain, publish SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records so that receiving servers can reject mail forged in your domain's name. This keeps your address from being used in spam and, combined with DMARC, lets receivers filter such forgeries.

Report the Email as Spam

Reporting spam emails helps improve the spam filters of your email provider and reduces the amount of spam you receive. Here’s a step-by-step guide on how to report an email address that is sending spam:


Gmail

  1. Open Gmail and go to your inbox.
  2. Find the spam email you want to report and open it.
  3. Click on the three vertical dots (More) in the top-right corner of the email.
  4. Select “Report spam” from the dropdown menu.
  5. A confirmation message will appear. Click “Report spam” again to confirm.

Outlook

  1. Open Outlook and go to your inbox.
  2. Find the spam email you want to report and open it.
  3. Click on the three horizontal dots (More actions) in the top-right corner of the email.
  4. Select “Mark as junk” from the dropdown menu.
  5. Confirm by clicking “Report” in the pop-up window.

Yahoo Mail

  1. Open Yahoo Mail and go to your inbox.
  2. Find the spam email you want to report and open it.
  3. Click on the three horizontal dots (More) in the top-right corner of the email.
  4. Select “Report spam” from the dropdown menu.
  5. Confirm by clicking “Report” in the pop-up window.

Apple Mail (iCloud)

  1. Open Apple Mail and go to your inbox.
  2. Find the spam email you want to report and open it.
  3. Click on the Flag icon at the top of the email.
  4. Select “Move to Junk” from the dropdown menu.

ProtonMail

  1. Open ProtonMail and go to your inbox.
  2. Find the spam email you want to report and open it.
  3. Click on the three vertical dots (More) in the top-right corner of the email.
  4. Select “Mark as spam” from the dropdown menu.

Block Spam Email Addresses

Blocking spam email addresses prevents further emails from those addresses from reaching your inbox. Here’s a step-by-step guide on how to block an email address:


Gmail

  1. Open Gmail and go to your inbox.
  2. Find the email from the address you want to block and open it.
  3. Click on the three vertical dots (More) in the top-right corner of the email.
  4. Select “Block [sender’s name]” from the dropdown menu.
  5. Click “Block” again in the confirmation box.

Outlook

  1. Open Outlook and go to your inbox.
  2. Find the email from the address you want to block and open it.
  3. Click on the three horizontal dots (More actions) in the top-right corner of the email.
  4. Select “Block [sender’s name]” from the dropdown menu.
  5. Confirm by clicking “OK” in the pop-up window.

Yahoo Mail

  1. Open Yahoo Mail and go to your inbox.
  2. Find the email from the address you want to block and open it.
  3. Click on the three horizontal dots (More) in the top-right corner of the email.
  4. Select “Block sender” from the dropdown menu.
  5. Confirm by clicking “OK” in the pop-up window.

Apple Mail (iCloud)

  1. Open Apple Mail and go to your inbox.
  2. Find the email from the address you want to block and open it.
  3. Click on the sender’s name or email address at the top of the email.
  4. Select “Block Contact” from the dropdown menu.
  5. Confirm by clicking “Block” in the pop-up window.

ProtonMail

  1. Open ProtonMail and go to your inbox.
  2. Find the email from the address you want to block and open it.
  3. Click on the three vertical dots (More) in the top-right corner of the email.
  4. Select “Block sender” from the dropdown menu.

Use an Email Alias

Using an email alias can help protect your primary email address from spam and keep your inbox organized. Here’s a step-by-step guide on how to create and use an email alias:


Gmail

  1. Open Gmail and go to your inbox.
  2. Click on the gear icon in the top-right corner and select “See all settings”.
  3. Go to the “Accounts and Import” tab.
  4. In the “Send mail as” section, click “Add another email address”.
  5. Enter your alias email address and click “Next Step”.
  6. Verify the alias by following the instructions sent to the alias email address.
  7. To use the alias when composing an email, click on the “From” field in the compose window and select your alias email address.

Outlook

  1. Open Outlook and go to your inbox.
  2. Click on the gear icon in the top-right corner and select “View all Outlook settings”.
  3. Go to “Email” and then “Sync email”.
  4. In the “Manage or choose a primary alias” section, click “Add email”.
  5. Select “Create a new email address and add it as an alias” and enter your desired alias.
  6. Click “Add alias” and follow the verification steps.
  7. To use the alias, compose a new email and select the alias from the “From” dropdown menu.

Yahoo Mail

  1. Open Yahoo Mail and go to your inbox.
  2. Click on the gear icon in the top-right corner and select “More Settings”.
  3. Go to the “Mailboxes” tab.
  4. In the “Email alias” section, click “Add”.
  5. Enter your desired alias and click “Set up”.
  6. Verify the alias by following the instructions sent to your primary email address.
  7. To use the alias, compose a new email and select the alias from the “From” dropdown menu.

Apple Mail (iCloud)

  1. Open iCloud.com and sign in with your Apple ID.
  2. Click on “Mail” and then the gear icon in the lower-left corner.
  3. Select “Preferences” and go to the “Accounts” tab.
  4. Click on “Add an alias”.
  5. Enter your desired alias, full name, and label, then click “OK”.
  6. To use the alias, compose a new email and select the alias from the “From” dropdown menu.

ProtonMail

  1. Open ProtonMail and go to your inbox.
  2. Click on the gear icon in the top-right corner and select “Go to settings”.
  3. Go to the “Addresses/Users” tab.
  4. Click on “Add address”.
  5. Enter your desired alias and follow the on-screen instructions to verify and set up the alias.
  6. To use the alias, compose a new email and select the alias from the “From” dropdown menu.

Check if Your Email is on the Dark Web

Checking if your email is on the dark web can help you take proactive measures to protect your information. Here’s a step-by-step guide on how to check if your email is compromised:


Using Have I Been Pwned

  1. Open your web browser and go to the Have I Been Pwned website.
  2. Enter your email address in the search bar and click on “pwned?”.
  3. Review the results to see if your email address has been compromised in any data breaches.
  4. If your email is found, the site will list the breaches and provide details about what information was exposed.

Using Your Email Provider’s Security Features

  1. Log in to your email account (Gmail, Outlook, Yahoo, etc.).
  2. Go to the security or privacy settings.
  3. Look for an option that checks if your email is compromised or if there are any suspicious activities. Some providers have built-in features to alert you if your email is found on the dark web.
  4. Follow the on-screen instructions to check your email’s security status.

Using Third-Party Services

Several third-party services can help you check if your email is on the dark web. Here are a few reliable options:

  • Identity Guard: Offers dark web monitoring as part of their identity theft protection services.
  • Experian Dark Web Scan: A free tool provided by the credit reporting agency Experian.

Steps to Take if Your Email is Found on the Dark Web


Change Your Passwords: Immediately change the passwords for your compromised email account and any other accounts that use the same password.

Enable Two-Factor Authentication (2FA): Add an extra layer of security by enabling 2FA on your accounts.

Monitor Your Accounts: Keep a close eye on your email and other accounts for any suspicious activity.

Use a Password Manager: Use a password manager to generate and store strong, unique passwords for each of your accounts.

Consider Identity Theft Protection: Enroll in an identity theft protection service for ongoing monitoring and support.

Use SPF and DKIM Email Authentication

SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are email authentication methods. SPF lists the servers allowed to send mail for your domain; DKIM adds a cryptographic signature to each message that receivers verify against a public key published in your DNS. Together they stop others from sending forged mail in your domain's name and improve the deliverability of your legitimate mail. Here's a step-by-step guide on how to set them up:


Setting Up SPF

1. Access Your Domain’s DNS Settings:
  • Log in to your domain registrar or hosting provider’s control panel.
  • Navigate to the DNS settings or DNS management section.
2. Create an SPF Record:
  • Add a new TXT record to your DNS settings.
  • In the Name field, enter @ or leave it blank (depending on your provider).
  • In the Type field, select TXT.
  • In the Value field, enter your SPF record. A typical SPF record looks like this:
    v=spf1 include:_spf.google.com ~all
    This example allows Google to send emails on your behalf. Modify the value based on your email provider’s recommendations.
  • Save the changes.
3. Verify the SPF Record:

Use an SPF validation tool, such as MXToolbox or SPF Record Checker, to verify your SPF record is set up correctly.

Setting Up DKIM

1. Generate a DKIM Key Pair:
  • Log in to your email service provider’s control panel (e.g., Google Workspace, Office 365).
  • Navigate to the DKIM settings section and generate a DKIM key pair (public and private keys).
2. Add the DKIM Public Key to Your DNS:
  • Log in to your domain registrar or hosting provider’s control panel.
  • Navigate to the DNS settings or DNS management section.
  • Add a new TXT record for DKIM.
  • In the Name field, enter the DKIM selector and your domain name. It often looks like this: google._domainkey.yourdomain.com.
  • In the Type field, select TXT.
  • In the Value field, paste the DKIM public key provided by your email service provider. It looks something like:
    v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa...
  • Save the changes.
3. Enable DKIM Signing:
  • Go back to your email service provider’s control panel.
  • Navigate to the DKIM settings section.
  • Enable DKIM signing for your domain. This will ensure outgoing emails are signed with the private key.
4. Verify the DKIM Record:

Use a DKIM validation tool, such as MXToolbox or DKIM Record Checker, to verify your DKIM record is set up correctly.

Monitoring and Maintenance

  1. Regularly Check Your DNS Records: Ensure your SPF and DKIM records are up-to-date and correctly configured.
  2. Monitor Email Deliverability: Use email deliverability tools to monitor how well your emails are being delivered and check for any issues related to SPF or DKIM.
  3. Update Records as Needed: If you change email providers or add new sending sources, update your SPF and DKIM records accordingly.
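The following added example, which is not part of the original post, shows what the validation tools in the SPF and DKIM verification steps actually check: it evaluates an SPF record for a given sending IP, following include: references and enforcing the lookup limit, and parses a DKIM record to confirm a key is present and measure its size. DNS answers come from a constructed in-memory table, so it runs offline; the domain (yourdomain.example), addresses and records are constructed, and the DKIM key is a dummy modulus rather than a real key. It supports the ip4, ip6, include and all mechanisms with all four qualifiers; a, mx, exists, redirect and macros are left out.

```python
"""SPF evaluation and DKIM record check against a constructed DNS table.
Added example, not from the original post; names, IPs and keys are constructed."""
import base64
import ipaddress
import re

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10   # RFC 7208 limit on DNS-querying mechanisms such as include

# Minimal DER helpers: enough to build and read an RSA SubjectPublicKeyInfo.
def _der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 128 else (b"\x82" + n.to_bytes(2, "big") if n > 255 else b"\x81" + bytes([n]))
    return bytes([tag]) + length + content

def _der_read(buf, pos):
    """Read one TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def fake_rsa_spki(bits):
    """Syntactically valid RSA SubjectPublicKeyInfo with a dummy modulus (not a real key)."""
    modulus = b"\x00" + b"\xc3" * (bits // 8)      # leading 0x00 keeps the INTEGER positive
    rsa_pub = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))

def rsa_modulus_bits(spki):
    """Modulus size of an RSA SubjectPublicKeyInfo, as published in a DKIM p= tag."""
    _, body, _ = _der_read(spki, 0)
    _, _, pos = _der_read(body, 0)                  # AlgorithmIdentifier, skipped
    _, bitstr, _ = _der_read(body, pos)             # BIT STRING: unused-bits byte + RSAPublicKey
    _, rsa_pub, _ = _der_read(bitstr[1:], 0)
    _, modulus, _ = _der_read(rsa_pub, 0)           # INTEGER n
    return (len(modulus) - (modulus[0] == 0)) * 8

# Constructed DNS TXT answers: name -> list of TXT strings.
FAKE_DNS = {
    "yourdomain.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example ~all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all"],
    "google._domainkey.yourdomain.example": [
        "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(2048)).decode()],
    "old._domainkey.yourdomain.example": ["v=DKIM1; k=rsa; p="],   # revoked selector
}

def resolve_txt(name):
    return FAKE_DNS.get(name.lower(), [])

def check_spf(domain, sender_ip, _lookups=None):
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip sending as domain."""
    lookups = _lookups if _lookups is not None else [0]
    records = [t for t in resolve_txt(domain) if t.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"                          # two SPF records is an error, not a merge
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)(ip4|ip6|include|all)(?::(.+))?", term, re.I)
        if not m or (m.group(2).lower() != "all" and not m.group(3)):
            return "permerror"                      # unsupported or malformed term
        qual, mech, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if mech == "all":
            return RESULT[qual]
        if mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            if check_spf(arg, sender_ip, lookups) == "pass":
                return RESULT[qual]
        elif ip in ipaddress.ip_network(arg, strict=False):   # ip4 / ip6
            return RESULT[qual]
    return "neutral"                                # nothing matched and no 'all' term

def check_dkim(selector, domain):
    """Return (key_bits, problems) for the record at selector._domainkey.domain."""
    txts = resolve_txt(f"{selector}._domainkey.{domain}")
    if not txts:
        return 0, ["no DKIM record published"]
    tags = {k.strip(): v.strip() for k, v in
            (kv.split("=", 1) for kv in txts[0].split(";") if "=" in kv)}
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unsupported key type {tags.get('k')}")
    p = tags.get("p", "").replace(" ", "")
    if not p:
        return 0, problems + ["empty p= (key revoked or record incomplete)"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
    except (ValueError, IndexError):
        return 0, problems + ["p= is not a valid base64-encoded RSA public key"]
    if bits < 1024:
        problems.append(f"{bits}-bit key is too weak; publish a 2048-bit key")
    return bits, problems
```

Two details worth noticing: an include: only contributes when the referenced record returns pass (its own -all never fails the outer check), and a record that evaluates cleanly still needs a DMARC policy before receivers will act on failures.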

DNS Spoofing vs DNS Hijacking https://gridinsoft.com/blogs/dns-spoofing-vs-dns-hijacking/ https://gridinsoft.com/blogs/dns-spoofing-vs-dns-hijacking/#respond Wed, 03 Jul 2024 14:09:09 +0000 https://gridinsoft.com/blogs/?p=9848 Domain Name Services (DNS) play a crucial role in our IP networks. DNS servers map website names to their corresponding IP addresses. By altering information on a DNS server, you can redirect users to different IP addresses, potentially leading them astray from their intended destinations. One method to achieve this redirection is by modifying files… Continue reading DNS Spoofing vs DNS Hijacking

The Domain Name System (DNS) plays a crucial role in IP networks: DNS servers map website names to their corresponding IP addresses. By altering the information a DNS server returns, an attacker can redirect users to different IP addresses, leading them away from their intended destinations. Another way to achieve the same redirection is to modify files on the computer itself, such as the HOSTS file. An entry there forces the computer to connect to the IP address listed in the file, bypassing the DNS query entirely.

Directing someone to a specific IP address becomes simpler when altering the HOSTS file on their machine. However, modifying this file across numerous devices is a challenging task. Consequently, attackers often target the DNS server itself, making a single change that updates the responses for all querying clients. While various methods exist to manipulate DNS servers, most involve gaining control over the server.
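To detect the HOSTS-file variant described above, here is an added example that is not part of the original post: it parses the file format shared by Windows (C:\Windows\System32\drivers\etc\hosts) and Unix (/etc/hosts) and flags entries that point a name at a non-local address, or that sinkhole a domain on a watch list to loopback (a common trick for blocking security updates). The file contents and the watch list are constructed for the example.

```python
"""Check a HOSTS file for DNS-hijacking entries.
Added example, not from the original post; the file contents and watch list are constructed."""
import ipaddress

# Constructed sample: the first two entries are the normal defaults, the rest is
# what a hijack looks like: a bank pointed at a foreign host and a security
# vendor's update server sinkholed to loopback so the victim cannot update.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.examplebank.com
203.0.113.45    online.examplebank.com   # added by "update"
127.0.0.1       update.example-av.com
"""

# Assumption for the example: domains whose hosts entries should never change.
WATCHLIST = {"examplebank.com", "example-av.com"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def is_local(ip):
    """True for the address types a default hosts file uses: loopback, link-local,
    multicast (ff02::1 ip6-allnodes) and the broadcast address (broadcasthost)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_reserved

def on_watchlist(name):
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)

def find_hijacks(text):
    """Return (ip, name, reason) for entries that redirect names elsewhere or
    sinkhole a watched domain."""
    findings = []
    for ip, name in parse_hosts(text):
        if not is_local(ip):
            findings.append((ip, name, "maps to a non-local address"))
        elif on_watchlist(name):
            findings.append((ip, name, "watched domain sinkholed to a local address"))
    return findings

if __name__ == "__main__":
    for ip, name, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"{ip:<16} {name:<28} {reason}")
```

On Windows the file is only writable by administrators, so a modified entry also tells you the malware ran elevated at some point; on a clean machine the file normally contains nothing but comments and the localhost lines.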

What Is DNS and How Do DNS Servers Function?

Let’s revisit what DNS means. The Domain Name System is a foundational internet service that facilitates the conversion of human-readable domain names into machine-understandable IP addresses. Here are some essential components related to DNS:

  • IP Address (Internet Protocol): A unique string of numbers assigned to each computer and server on a network, allowing them to locate and communicate with each other.
  • Domain: A memorable text name, like “www.google.com,” that corresponds to the IP address of a server, simplifying the process of connecting to websites.
  • Domain Name System (DNS): This system translates domain names into IP addresses.
  • DNS Servers: These include four types of servers crucial to the DNS lookup process: resolving name servers, root name servers, top-level domain (TLD) name servers, and authoritative name servers. For simplicity, let’s discuss the resolver name server.
  • Resolver Name Server: Operating within your system, this server begins the translation process by querying other servers to find the IP address associated with a domain name.
What is DNS and how does it work?

The DNS Lookup Process

When you enter a website’s domain name, the following process unfolds:

  1. Your web browser and operating system (OS) first attempt to retrieve the domain’s IP address from the computer’s internal memory or cache, if previously visited.
  2. If the cache doesn’t contain the IP address, the OS reaches out to a resolver name server.
  3. This resolver then searches through a chain of servers to locate and return the correct IP address to your OS, which relays it to your web browser.

The DNS lookup process is a critical infrastructure component across the internet. However, vulnerabilities in DNS can expose users to security risks, such as malicious redirects, underscoring the importance of awareness and preventive measures.

What is DNS Hijacking?

DNS hijacking, also known as DNS redirection, is a broad term that describes any attack where a perpetrator manipulates an end user’s device into connecting with a fraudulent domain or IP address, under the guise of a legitimate domain. This type of attack can deceive users into thinking they are interacting with a legitimate site when they are not.

There are numerous methods of DNS hijacking, and not all are unlawful. A common legal example is seen with pay-per-use WiFi portals. These services intercept DNS requests before the user has paid for access. Regardless of the user’s settings, all requests direct to a payment server page where the user can purchase WiFi access.

Another prevalent method involves altering the DNS settings on a client’s device. An attacker may change the settings so that the device uses a DNS server under their control instead of a legitimate service like 8.8.8.8. When a user attempts to access a secure site such as their online banking website, the rogue DNS server may redirect them to a fake website. This site acts as a proxy to capture all transmitted data. This technique was famously used by the DNSChanger trojan/malware, which, while now rare, was once a significant threat.

Other hijacking tactics include exploiting vulnerabilities within DNS server software, manipulating DNS registration systems, or utilizing visually deceptive domain names (homograph attacks). One early example of phishing employed a domain named paypaI.com where the letter ‘I’ was capitalized to mimic a lowercase ‘L’, misleading users into thinking it was the legitimate PayPal.com. With DNS now supporting international characters, these attacks have become even more sophisticated and harder to detect.
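Homograph domains like the paypaI.com case above can be screened for before a user ever reaches them, for example in a proxy log review or a phishing triage queue. The script below is an added example and not part of the original post: it folds the common ASCII lookalikes (capital I and digit 1 for l, 0 for o) and a handful of Cyrillic letters that share glyphs with Latin ones, and flags labels that mix scripts. The protected-brand list and the confusables table are constructed for the example and are far smaller than the real Unicode confusables data.

```python
import unicodedata

# Hypothetical list of brand domains the check protects (constructed).
PROTECTED_DOMAINS = ["paypal.com", "apple.com", "google.com"]

# Cyrillic letters whose glyphs match Latin ones; a hand-written subset of the
# Unicode confusables data, sufficient for the example.
CYRILLIC_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l",  # palochka, rendered like a lowercase L
}

# ASCII characters that read as other letters in many fonts: capital I and
# digit 1 look like lowercase l, digit 0 looks like o (the paypaI.com trick).
ASCII_LOOKALIKES = str.maketrans({"I": "l", "1": "l", "0": "o"})


def script_of(ch):
    """Coarse script name derived from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"


def first_label(domain):
    """Return the leftmost DNS label, decoding Punycode (xn--) when present
    so that internationalised names are inspected as the user sees them."""
    label = domain.split(".")[0]
    if label.lower().startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # keep the raw label; a malformed IDN is suspicious on its own
    return label


def fold_label(label):
    """Map lookalike characters onto the Latin letters they imitate."""
    folded = label.translate(ASCII_LOOKALIKES)
    folded = "".join(CYRILLIC_CONFUSABLES.get(c, c) for c in folded)
    return unicodedata.normalize("NFKC", folded).lower()


def homograph_risk(domain, protected=PROTECTED_DOMAINS):
    """Return a reason string if the domain imitates a protected brand,
    or None when nothing suspicious is found."""
    label = first_label(domain)
    scripts = {script_of(c) for c in label if c.isalpha()}
    if len(scripts) > 1:
        return "mixed-script label"
    folded = fold_label(label)
    for brand in protected:
        brand_label = brand.split(".")[0]
        # Same brand after folding, but not literally the brand: a lookalike.
        if folded == brand_label and label.lower() != brand_label:
            return f"lookalike of {brand}"
    return None


if __name__ == "__main__":
    for d in ["paypaI.com", "p\u0430ypal.com", "paypal.com", "g00gle.com"]:
        print(d, "->", homograph_risk(d))
```

The check is deliberately conservative: a name is reported only when folding turns it into one of the protected labels or when a single label mixes alphabets, so ordinary international domains written entirely in one script pass through.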

What Is DNS Spoofing?

DNS spoofing refers to any attack that alters the DNS records returned to the requester so that they contain a response chosen by the attacker. It covers techniques such as cache poisoning and various man-in-the-middle attacks. The terms “DNS hijacking” and “DNS spoofing” are sometimes used as synonyms. The same method is also widely used by paid Wi-Fi access points in airports and hotels, and in some cases network security teams use it as a quarantine tool to isolate an infected device.

Difference Between DNS Spoofing and DNS Hijacking

Although DNS spoofing is often confused with DNS hijacking because both occur at the local system level, they are two different types of attacks. In most cases, DNS spoofing or cache poisoning simply involves overwriting the local DNS cache values with fake ones to redirect the victim to a malicious website. On the other hand, DNS hijacking (also known as DNS redirection) often involves malware infection to hijack this critical system service. In this case, malware hosted on the local computer can change the TCP/IP configuration to point to a malicious DNS server, eventually redirecting traffic to the phishing website.


Conclusion

As you can see, DNS is critical to the day-to-day operation of websites and online services. Unfortunately, attackers may see it as an attractive opportunity to attack your networks. This is why monitoring your DNS servers and traffic is crucial. We must be careful where we go on the Internet and what emails we open. Even the slightest difference, for example, the absence of an SSL certificate, is a signal to check the website you want to visit.

Trojan:Win32/Tnega!MSR
https://gridinsoft.com/blogs/trojan-win32-tnega-msr/
Published Thu, 27 Jun 2024 14:31:45 +0000

Trojan:Win32/Tnega!MSR is a malicious program that functions to deliver other malware. It uses numerous anti-detection tricks and is often distributed as mods and cheats for popular games. Such threats are capable of delivering spyware, ransomware and pretty much any other malware.

Trojan:Win32/Tnega!MSR Overview

Trojan:Win32/Tnega!MSR is a Microsoft Defender detection name for malware that acts as a downloader. As the name suggests, the main task of such malware is to deliver additional malicious components, i.e. the payload, to the infected device. It may also include extra features, such as collecting system information and other basic details.

Trojan:Win32/Tnega!MSR detection window

The main distribution channels for the Tnega trojan are modified versions of games, cheats, and game add-ons. Since such tools always require antivirus software to be disabled, this disguise creates ideal conditions for the malware to run in the system. In addition, Tnega has protection against antivirus detection and analysis. Everything is standard here: code encryption, polymorphism, obfuscation, and checks for the presence of virtual environments. These techniques make it harder for antivirus programs and malware analysis tools to detect and analyze it.

Technical Analysis

For a more detailed breakdown, I chose a sample that spreads as some kind of a mod for Roblox. As the detection is not specific to a malware family, there can be variations from one sample to another, but the general course of action will remain the same. Let’s break down some of the key behaviors and actions observed.

Electron app

Once launched, the malware performs some checks to determine if the application is running in a virtual environment or sandbox. A rather common check, but it is still effective in weeding out artificial environments. To do this, it checks the following registry values:

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

These keys reveal the BIOS version, which is particularly hard to spoof in basic virtual machines. Such a check gives much more precise results than the classic ones that inspect video driver information or the list of installed applications.

Persistence

To gain persistence, Trojan:Win32/Tnega!MSR uses Task Scheduler to run its executable file. This allows it to run periodically or on a schedule with elevated privileges. The task is registered from .NET code, and the same functionality can also be used to launch other malicious programs.

After tinkering with the Task Scheduler, the malware injects its executable into other system processes, allowing it to execute with elevated privileges in the context of those processes. It uses the WerFault.exe process with the parameters -u, -p and -s:

C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1912
C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 1908
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1908

These are only a few of the commands in which Tnega abuses WerFault functionality. During runtime testing, it interacted with the error reporting module 9 times, which matches the number of files it downloaded from the C2. So yes, each of these launches is about to run malware with maximum privileges.
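A burst of WerFault.exe launches from one parent, each naming a different target PID, is the kind of pattern the paragraph above describes and is easy to hunt for in process-creation telemetry. The script below is an added example, not part of the analysis above: the event lines are constructed in a simplified key=value form (only the -p values 1036, 1200 and 1256 are taken from the commands listed in the post), and the burst heuristic, its threshold and its one-minute window are assumptions for the example rather than a Gridinsoft detection rule.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (simplified key=value form, not real
# telemetry). Parent 3380 models the dropper; parent 2210 models a single
# ordinary crash report for contrast.
SAMPLE_EVENTS = r"""
2024-06-27T14:31:45 PID=4120 PPID=3380 Image=C:\Windows\SysWOW64\WerFault.exe Cmd="C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1912"
2024-06-27T14:31:46 PID=4128 PPID=3380 Image=C:\Windows\SysWOW64\WerFault.exe Cmd="C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 1908"
2024-06-27T14:31:47 PID=4136 PPID=3380 Image=C:\Windows\SysWOW64\WerFault.exe Cmd="C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1908"
2024-06-27T14:31:48 PID=4144 PPID=3380 Image=C:\Windows\SysWOW64\WerFault.exe Cmd="C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1908"
2024-06-27T14:31:50 PID=4150 PPID=3380 Image=C:\Windows\System32\notepad.exe Cmd="notepad.exe"
2024-06-27T14:40:02 PID=5200 PPID=2210 Image=C:\Windows\System32\WerFault.exe Cmd="C:\Windows\System32\WerFault.exe -u -p 2210 -s 744"
"""

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) PID=(?P<pid>\d+) PPID=(?P<ppid>\d+) '
    r'Image=(?P<image>\S+) Cmd="(?P<cmd>[^"]*)"$'
)
# The WerFault invocation shape shown in the post: -u -p <pid> -s <handle>.
WERFAULT_RE = re.compile(
    r"WerFault\.exe\s+-u\s+-p\s+(?P<target>\d+)\s+-s\s+(?P<handle>\d+)", re.IGNORECASE
)


def parse_events(text):
    """Parse the constructed event lines into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not in the expected shape
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def werfault_bursts(events, min_count=3, window=timedelta(seconds=60)):
    """Return {parent_pid: [target pids]} for parents that launched at least
    min_count WerFault.exe processes inside one sliding window. A single
    crash report never trips this; a dropper firing one launch per payload,
    as described above, does."""
    by_parent = defaultdict(list)
    for ev in events:
        m = WERFAULT_RE.search(ev["cmd"])
        if m and ev["image"].lower().endswith("\\werfault.exe"):
            by_parent[ev["ppid"]].append((ev["ts"], int(m.group("target"))))

    bursts = {}
    for ppid, launches in by_parent.items():
        launches.sort()
        for i in range(len(launches)):
            j = i
            while j < len(launches) and launches[j][0] - launches[i][0] <= window:
                j += 1
            if j - i >= min_count:
                bursts[ppid] = sorted({target for _, target in launches[i:j]})
                break
    return bursts


if __name__ == "__main__":
    for ppid, targets in werfault_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"parent {ppid} launched WerFault for PIDs {targets}")
```

The heuristic keys on the launching parent rather than on WerFault itself, because WerFault.exe is a legitimate signed binary; what stands out in the post is the repetition, one launch per downloaded file, from the same origin within seconds.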

C2 Connection

The malware communicates with C2 servers via HTTP to blend in with legitimate traffic. DNS resolutions are made to domains such as query.prod.cms.rt.microsoft.com. IP traffic is observed on specific ports like TCP 80, TCP 443, and UDP 137.

TCP 104.80.89.50:80
TCP 13.107.4.50:80
TCP 131.253.33.203:80
UDP 192.168.0.1:137
UDP 192.168.0.55:137

Payload

Next, Trojan:Win32/Tnega!MSR performs its primary function of dropping the payload. It writes files to the disk in various directories – C:\Users\\Downloads, C:\Users\user\Desktop and C:\Users\user\AppData\Roaming. The files typically arrive in the form of a .dmp file, meaning that the malware then injects them into the memory of a legitimate process.

Payload files

How To Remove Trojan:Win32/Tnega!MSR?

To remove Trojan:Win32/Tnega!MSR, it is best to use an advanced anti-malware tool. GridinSoft Anti-Malware is the optimal option. Since some users have encountered problems with Tnega removal using default Windows tools, a third-party solution is designed to remedy this situation. Moreover, using GridinSoft Anti-Malware does not require you to disable Windows Defender. So, they can work in pairs, complementing each other.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

IP Stresser & DDoS Booter
https://gridinsoft.com/blogs/ddos-booter-ip-stresser/
Published Thu, 20 Jun 2024 06:15:10 +0000

The toolkit of corporate cybersecurity specialists does not consist only of security tools. To imitate intruders, they use tools such as IP stressers, which create an environment and circumstances similar to a real attack. IP stressers also have an evil counterpart: DDoS booters. But how do they work? Let’s figure that out.

What is an IP Stresser?

IP stresser is a special tool that tests a network or server for stress tolerance. The administrator can run the stress test to check whether the current resources (bandwidth, CPU power, or so) are sufficient to handle the additional load. Testing your network or server is a legitimate use of a stress test. However, running a stress test against someone else’s network or server, resulting in a denial of service to their legitimate users, is illegal in most countries.

How IP stresser works

What are booter services?

Booters (also known as bootloaders) are on-demand DDoS (Distributed Denial of Service) attacks that cybercriminals offer to shut down networks and websites. Consequently, booters are illegal uses of IP stressers. Illegal IP stressers often conceal the identity of the attacker’s server by using proxy servers. The proxy redirects the attacker’s connection, masking the attacker’s IP address.

DDoS booter interface

Booters are often available as SaaS (Software-as-a-Service) and are accompanied by email support and YouTube tutorials. Packages can offer one-time service, several attacks over some time, or even “lifetime” access. A basic one-month package costs a tiny sum. Payment methods can include credit cards, Skrill, PayPal, or bitcoins.

The difference between IP Stresser and botnets

In contrast to IP stressers, botnets consist of computers whose owners are unaware that their machines are infected with malware. Thus, they unwittingly become accomplices to Internet attacks. Booters are DDoS-for-hire services offered by enterprising hackers. Whereas in the past you had to build your own botnet to conduct a large-scale attack, now it is enough to pay a small amount of money.

Motivations for DDoS attacks

The motives for such attacks can be varied: espionage, sharpening skills, business competition, ideological differences, government-sponsored terrorism, or extortion. The preferred payment method is bitcoin, as it is impossible to uncover the wallet owner. However, it is harder to cash out when your savings are in cryptocurrency.

Amplification and reflection attacks

Reflection and amplification attacks use legitimate traffic to overwhelm the targeted network or server. IP spoofing involves the attacker spoofing the victim’s IP address and sending a message to a third party on behalf of the victim. The third party, in turn, cannot distinguish the victim’s IP address from the attacker’s one and replies directly to the victim. The victim, as well as the third-party server, cannot see the real IP address of the attacker. This process is called reflection. For example, take a situation where the attacker orders a dozen pizzas to the victim’s home on behalf of the victim. Now the victim has to pay the pizzeria money for the pizzas, which she didn’t even order.

The simplified scheme of an amplification attack

Traffic amplification occurs when a hacker forces a third-party server to send responses to the victim with as much data as possible. The ratio between the size of the response and the request is the amplification factor. The greater this amplification, the more potential damage is done to the victim. In addition, because of the volume of spoofed requests that the third-party server has to handle, it is also disruptive for it. NTP Amplification is one example of such an attack.

Amplification and reflection IP Stresser explained

The most effective types of booter attacks use both amplification and reflection. First, the attacker spoofs the target’s address, then sends a message to a third party. The receiver sends the response to the target’s address, which appears in the packet as the sender’s address. The response is much larger than the original message, which amplifies the attack’s size. The role of a single bot in such an attack is about the same as if a teenage prankster called a restaurant, ordered the entire menu, and asked for a callback to confirm each dish, but gave the victim’s number for the callback. As a result, the victim gets calls from the restaurant about orders it didn’t make and has to hold the line for a long time.

The categories of denial-of-service attacks

There are dozens of possible variations of DDoS attacks, and some of them have multiple subspecies. Depending on the hackers’ targets and skills, the attack may simultaneously belong to several types. Let’s review each of them one by one.

Application-layer attacks target web applications and often use the most sophisticated techniques. These attacks exploit a vulnerability in the Layer 7 protocol stack. They connect to a target and drain server resources by monopolizing processes and transactions. Because of this, they are challenging to detect and mitigate. A typical example is the HTTP Flood attack.

Protocol-based attacks exploit weaknesses at layers 3 or 4 of the protocol stack. Such attacks consume the victim’s processing power or other essential resources (such as the firewall). This results in a service disruption. Examples of such attacks are Syn Flood and Ping of Death.

Volumetric Attacks send large volumes of traffic to fill the entire bandwidth of the victim. Attackers generate bulk attacks using simple amplification methods. This attack is the most common — for example, UDP Flood, TCP Flood, NTP Amplification, and DNS Amplification.

Common denial-of-service attacks

The goal of DoS or DDoS attacks is to consume as many server or network resources as possible so that the system stops responding to legitimate requests:

  • SYN Flood: A sequence of SYN requests is sent to the target system in an attempt to overload it. This attack exploits vulnerabilities in TCP connection sequences, also known as three-way handshakes.
  • HTTP Flood: an attack in which HTTP GET or POST requests are used to attack a web server.
  • UDP Flood: A kind of attack in which random target ports are flooded with IP packets containing UDP datagrams.
  • Ping of Death: These attacks involve sending IP packets larger than the IP protocol allows. TCP/IP fragmentation handles large packets by breaking them into smaller ones. Legacy servers often fail if the reassembled packet exceeds the 65,536 bytes allowed. This has been fixed in most newer systems; ping flooding is the modern incarnation of this attack.
  • ICMP Protocol Attacks: Attacks on the ICMP protocol are based on the fact that the server must process each request before a response is sent back. The Smurf attack, ICMP flooding, and ping flooding exploit this by flooding the server with ICMP requests without waiting for a response.
  • Slowloris: this is an attack invented by Robert “RSnake” Hansen. It tries to keep multiple connections to the target web server open as long as possible. Thus, additional connection attempts from clients will be rejected.
  • DNS Flood: An intruder fills the DNS servers of a certain domain to disrupt DNS resolution for that domain.
  • Smurf Attack: This attack uses malware called smurf. Using a broadcast IP address, large numbers of Internet Control Message Protocol (ICMP) packets are sent to the computer network with a fake IP address of the victim.
  • SNMP reflection: An attacker spoofs the victim’s IP address and sends multiple SNMP requests to the devices. The volume of responses can overwhelm the victim.
  • DNS amplification: this reflection-based attack turns legitimate requests to DNS (domain name system) servers into much larger ones, thus consuming server resources.
The ways a DDoS attack can be applied to a network
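The reflection and amplification mechanics explained above, and the SYN flood from the list, both leave asymmetries in flow data that a network monitor can pick out: answers arriving from reflector ports that nobody on the inside asked for, and SYN segments that are never followed by the client’s ACK. The script below is an added example, not code from the Gridinsoft post; the flow records use documentation address ranges and are constructed so that one legitimate DNS exchange and one completed handshake sit beside the two attack patterns. The thresholds are assumptions for the demonstration.

```python
from collections import defaultdict

# Constructed flow records (not captured from any real network). Each tuple is
# (src_ip, src_port, dst_ip, dst_port, proto, tcp_flags, bytes).
SAMPLE_FLOWS = [
    # Legitimate DNS exchange: query out, answer back on the reversed 5-tuple.
    ("198.51.100.8", 51000, "192.0.2.53", 53, "udp", "", 72),
    ("192.0.2.53", 53, "198.51.100.8", 51000, "udp", "", 210),
    # NTP answers arriving at a host that never sent a request: the reflection
    # pattern, where the attacker spoofed the victim's address as the source.
    ("203.0.113.20", 123, "198.51.100.7", 40000, "udp", "", 440),
    ("203.0.113.21", 123, "198.51.100.7", 40000, "udp", "", 440),
    ("203.0.113.22", 123, "198.51.100.7", 40000, "udp", "", 440),
    # SYNs from many sources to one web server, never completed.
    ("203.0.113.30", 1025, "198.51.100.9", 443, "tcp", "S", 60),
    ("203.0.113.31", 1026, "198.51.100.9", 443, "tcp", "S", 60),
    ("203.0.113.32", 1027, "198.51.100.9", 443, "tcp", "S", 60),
    ("203.0.113.33", 1028, "198.51.100.9", 443, "tcp", "S", 60),
    # A normal client completing the three-way handshake.
    ("198.51.100.50", 52000, "198.51.100.9", 443, "tcp", "S", 60),
    ("198.51.100.9", 443, "198.51.100.50", 52000, "tcp", "SA", 60),
    ("198.51.100.50", 52000, "198.51.100.9", 443, "tcp", "A", 52),
]

# UDP source ports of services named in the text as reflectors: DNS, NTP, SSDP, SNMP.
REFLECTOR_PORTS = {53, 123, 1900, 161}


def unsolicited_reflector_bytes(flows):
    """Total bytes per destination of UDP traffic coming from reflector ports
    for which no outbound request (the reversed 5-tuple) was ever seen."""
    seen = {(s, sp, d, dp) for s, sp, d, dp, proto, _, _ in flows if proto == "udp"}
    victims = defaultdict(int)
    for src, sport, dst, dport, proto, _, size in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        if (dst, dport, src, sport) in seen:
            continue  # the destination asked for this answer
        victims[dst] += size
    return dict(victims)


def half_open_syn_counts(flows):
    """Per (server, port): number of SYN-only segments never followed by the
    client's ACK, and the number of distinct sources. A completed handshake
    is not counted; many half-open SYNs from many sources is the SYN flood."""
    acked = {(s, sp, d, dp) for s, sp, d, dp, proto, flags, _ in flows
             if proto == "tcp" and flags == "A"}
    counts = defaultdict(lambda: {"syns": 0, "sources": set()})
    for src, sport, dst, dport, proto, flags, _ in flows:
        if proto != "tcp" or flags != "S":
            continue
        if (src, sport, dst, dport) in acked:
            continue
        entry = counts[(dst, dport)]
        entry["syns"] += 1
        entry["sources"].add(src)
    return {k: (v["syns"], len(v["sources"])) for k, v in counts.items()}


def alerts(flows, syn_threshold=3, reflect_threshold=1000):
    """Human-readable alerts for the two patterns above the given thresholds."""
    out = []
    for victim, total in unsolicited_reflector_bytes(flows).items():
        if total >= reflect_threshold:
            out.append(f"reflection: {victim} received {total} unsolicited bytes from reflector ports")
    for (dst, dport), (syns, nsrc) in half_open_syn_counts(flows).items():
        if syns >= syn_threshold:
            out.append(f"syn-flood: {dst}:{dport} has {syns} half-open SYNs from {nsrc} sources")
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_FLOWS):
        print(line)
```

Both checks work on the victim’s side of the asymmetry, which is the only side a defender controls: the amplifier cannot tell a spoofed request from a real one, but the victim can tell an answer it never requested, and the server can tell a handshake that never completes.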

Less popular DDoS methods

  • NTP Amplification: A high-volume reflection-based DDoS attack in which the attacker exploits Network Time Protocol (NTP) server functionality to overload the target network or server with increased UDP traffic.
  • SSDP: SSDP (Simple Service Discovery Protocol) attack is a reflection-based DDoS attack. It uses Universal Plug and Play (UPnP) network protocols to send an amplified traffic volume to the target victim.
  • Teardrop Attack: The attack consists of sending fragmented packets to the target device. A flaw in TCP/IP reassembly prevents the server from putting such packets back together because the fragments overlap each other, thus incapacitating the target device.
  • Fraggle attack: the attack is similar to smurf, except that it uses UDP rather than ICMP.


What to do in case of a DDoS attack?

  • Inform your data center and ISP immediately;
  • Do not consider ransom – payment often results in escalating ransom demands;
  • Notify law enforcement authorities;
  • Monitor network traffic.

How to mitigate attacks?

  • Install firewalls on the servers;
  • Keep security patches up to date;
  • Run antivirus software on a schedule;
  • Monitor system logs regularly;
  • Prevent SMTP traffic from being distributed by unknown mail servers.

Causes of difficulty tracking the booter service

Since the person buying these criminal services uses an external site to pay and receive instructions, the connection to the backend initiating the attack cannot be identified. Therefore, criminal intent can be challenging to prove. However, one way to identify criminal organizations is to track payment traces.

PUABundler:Win32/CandyOpen (PUA OpenCandy)
https://gridinsoft.com/blogs/puabundler-win32-candyopen/
Published Sat, 15 Jun 2024 11:39:58 +0000

PUABundler:Win32/CandyOpen (or OpenCandy) is an unwanted program that acts as a browser hijacker and can download junk apps to your system. Specifically, the detection points at a thing known as OpenCandy adware, which is known for its indecent behavior. Let’s break it down and see what PUABundler/CandyOpen does in a real-world example.

What is PUABundler:Win32/CandyOpen?

PUA OpenCandy Detection

As I’ve said in the introduction, CandyOpen is a detection name for a specific program that distributes bundles of unwanted programs. It was developed back in the late 2000s as a way to monetize free applications by adding some advertised content to the main installation. But as the overall functionality of the app allowed for more extensive and intrusive changes, foul actors began misusing it.

The way this misuse was happening made the major cybersecurity vendors consider OpenCandy a malicious program. It is capable of changing browser settings by itself, and the additional programs it usually installs can inject unwanted ads into pages, modify the web browser even further, and do similar dirty things. So having it run in your system means a browser full of ads, pop-up advertisements flooding both system and browser, and unwanted programs getting installed. Not to mention the potential data theft that Win32/CandyOpen is capable of; read on to see the details.

To sum up, a PUABundler:Win32/CandyOpen detection means malware that delivers unwanted programs and is capable of messing up your system on its own. But to have a more detailed look and a better understanding of this thing, let’s analyze it by running it on a virtual machine.

CandyOpen Malware Analysis

Finding the appropriate CandyOpen sample was rather easy. To be clear, it does not behave like straightforward malware on the surface. You can find it in the list of installed apps; there is even an option to disable additional installations in the menu. But the actions it does to the system once it is launched are quite unambiguous.

“Installer” – unremarkable naming for a remarkable unwanted program

Once you allow the thing to run under admin privileges, all further actions it takes are done without your confirmation. You will watch speechlessly as various shortcuts appear on your desktop, and your browser will go mad with pop-ups and redirects. As soon as CandyOpen runs in the system, it starts by changing the browser properties, particularly the search engine and start page. Then, it requests the list of unwanted programs to install from the command server and proceeds with the installation.

Unwanted apps installed by CandyOpen

Here goes the main concern: while CandyOpen usually installs junk apps that are not outright malicious, nothing stops it from installing malware. Still, the sheer volume of troubles it already brings to your system is enough to say that this should not run in your system.

List of PUA OpenCandy actions:

  • Stops Windows Update
  • Disables User Account Control (UAC)
  • Injects into other processes on your system
  • Adds a local proxy
  • Modifies boot configuration data
  • Modifies file associations
  • Tracks, records, and reports the infected user’s internet browsing activity
  • Modifies your system DNS settings
  • Changes the infected user’s browser homepage and tampers with their preferences/settings
  • Installs unwanted/unknown browser toolbars and browser plug-ins/extensions/add-ons
  • Adds files that run at startup
  • Changes the default search provider
  • Displays unwanted advertisements
  • Changes the desktop background

That is the comprehensive collection of CandyOpen actions, the things done by the majority of widespread samples. The particular sample you encounter may have only a part of these functions or even go beyond them. Con actors who use it for monetization can alter CandyOpen in many ways so that it better fits their purposes.

How to remove PUABundler:Win32/CandyOpen?

Removing Win32/CandyOpen is possible manually, but I’d recommend using anti-malware software. This will speed up the process and make it much easier for you. Also, with manual removal it is nearly impossible to find and remove all the unwanted or malicious programs present in the system.

GridinSoft Anti-Malware is a program that will remove CandyOpen with no sweat. It will also find and remove all the additional junk OpenCandy can bring.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished
