Altisik Service Overview

Altisik Service is a malicious coin miner masquerading as a legitimate Windows process. It is used for hidden illegal cryptocurrency mining, thereby creating a significant load on the processor (up to 80% or 100%). However, this miner differs in one key aspect – it registers itself in the system as a service. As a result, hackers ensure their malware’s increased sustainability. Attempts to manually stop or delete the service can lead to critical system failures, potentially causing a “blue screen of death”.

Attackers choose the form of a service for their malware not only for the sake of sustainability. Unlike executable files, services are suspected of malicious activity much less often, simply because users trust them more. Also, Windows services can get higher privileges much more easily, and with less suspicion from security software.

As for the distribution method, users on Reddit report receiving Altisik as an unwanted “bonus” with other software. Miners generally enter systems disguised as bundled software within installers of cracked programs. Another method is through additional malware already present on the computer: vast loader malware botnets can offer huge gains for the operators of malicious coin miners.

Technical Analysis

Let’s have a closer look at the behavior of the Altisik miner. At the beginning, it is rather typical for a coin miner: upon launching itself, Altisik initially checks for a virtual environment and security mechanisms. Specifically, it checks the following locations:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\Drivers
HKEY_CURRENT_USER\Software\Microsoft\DirectX\UserGpuPreferences

Further, it pays special attention to Windows Defender settings, specifically ones that touch real-time protection. The malware checks the following system sections.

C:\Program Files\Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\PassiveMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

The sample employs stalling tactics, including long periods of inactivity, to hinder dynamic analysis. This also helps with circumventing some of the antivirus sandboxes: seeing no activity, one will report that the file is safe.

Persistence and Privilege Escalation

Next, the miner maintains persistence in the system as a service, which grants it elevated privileges. It executes the following shell commands:

"C:\Windows\system32\rundll32.exe" "C:\Users\\AppData\Local\Temp\AltisikDevPL/AltisikHelper.dll",#1
C:\Windows\system32\SecurityHealthService.exe
C:\Windows\system32\WerFault.exe -u -p 4328 -s 548
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

As you can see, it runs the AltisikHelper.exe and AltisikHelper.dll processes. They are needed to prevent the user from manually stopping the mining process. Further analysis revealed that the miner creates a DirectInput object, which allows it to read keystrokes. It is unlikely that the Altisik miner can act as a keylogger, but there are quite a few other applications for input capturing.

C2 Connection

Altisik uses network communication to send and receive data necessary for its mining operations. The miner communicates with the api.altruistics.org server, likely used for monitoring, control, or data transmission. This may include the miner’s status, statistics, or other mining-related parameters. The response is in text/html format, indicating that the server is returning a web page or text-based data. It also uses Cloudflare DNS 104.18.7.80 and 104.18.6.80, potentially complicating traffic analysis.

How To Remove Altisik?

To get rid of Altisik service, I recommend using GridinSoft Anti-Malware – an effective and easy-to-use antivirus, that will quickly repel any threats present in the system. Though first, I would recommend entering Safe Mode with Networking: go to the Start menu → click Reboot while holding down the Shift button on the keyboard.

When your PC reboots, in the menu that appears after restarting, select “Troubleshoot” → “Advanced options” → “Startup Settings” → “Restart”.

Next, select the Safe Mode with Networking and press the corresponding key (usually F5, though it may vary depending on your Windows version).

Hint: If you have any problems with switching to Safe Mode, please read our guide: How to Remove a Virus From a Computer in Safe Mode.

After switching to the Safe Mode with Networking, follow the steps below:

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

The post Altisik Service Virus appeared first on Gridinsoft Blog.

PUA:Win32/SBYinYing Overview

PUA:Win32/SBYinYing is identified by Microsoft Defender as a potentially unwanted program. This detection is most commonly associated with a file named “EMP.dll”, which is typically found in pirated games. Torrents, especially those offering cracked games, are the main distributors of this malware. This is an ideal distribution method for malicious software because running cracked games often requires disabling antivirus software or adding the game to an exclusion list.

Once this PUA infiltrates a system, it starts doing its nasty job, particularly showing excessive ads and gathering basic information about the user. It is not as severe as regular spyware, but still creates a less than favorable situation for anyone who cares about privacy. And the aforementioned advertising behavior is what adds on top of that risk. Promotions that Win32/SBYinYing shows may contain phishing redirects, downloading links for unwanted programs or sometimes even straight up malware.

Technical Analysis

The previous information about PUA:Win32/SBYinYing provided a general overview, but to fully understand the nature of this threat, a more in-depth analysis is required. Let’s examine how this unwanted app behaves within a system using the “EMP.dll” file from a repackaged game as an example. While some behaviors of this software may be related to bypassing license checks, other actions raise significant concerns.

Execution

Since “EMP.dll” is not an executable .exe file, it requires another process to run it. In this case, a part of the installer calls for the rundll32.exe, a default process for launching dynamic-link libraries. The execution command looks like this:

C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\EMP.dll

The DLL file contains a section that may hold compressed or packed code. Similar to regular malware, PUA:Win32/SBYinYing performs standard checks to detect whether it is running in a virtual environment or a sandbox. It does this by examining certain system parameters, specifically:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Display

SBYinYing queries various system settings, including information about hardware (disks, volumes) and software (policy settings, cryptographic machine GUIDs, etc.). It will cease further execution shall any of these contain traces of virtualization or sandboxing.

Defense Evasion

The next step involves identifying and evading security solutions. The techniques used here are more typical for malware, than for unwanted programs. File obfuscation, data encryption, attempts to disable or modify security software, injection into legitimate processes – Win32/SBYinYing does all of this. Among other things, the malware checks the following locations:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SaslProfiles

These places contain information about installed antivirus/anti-malware software. Typically, malicious programs change their behavior depending on which AV-vendor is present.

Privilege Escalation and Persistence

After basic checks, an unwanted program goes for escalating its privileges. It leverages legitimate processes like WerFault.exe and rundll32.exe, making this step relatively straightforward. As mentioned earlier, the malware uses rundll32.exe to execute the DLL library, allowing it to run malicious code embedded within the DLL. Additionally, the malware terminates the wmiadap.exe process with parameters /F /T /R, which appears to be an effort to evade detection or stop system monitoring. Here’s what the commands look like:

C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1052 -s 460
C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5188 -s 432
C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2296 -s 484

WerFault.exe is a legitimate system process used for error reporting in Windows and Windows applications. In addition to leveraging this process, the malware creates scheduled tasks, enabling it to persist by running each time the system starts.

Network Activity

The malware exhibits notable network activity, making several DNS requests to connect to the internet. Some of the observed connections include:

TCP 40.88.32.150:443
TCP 65.9.73.63:443 (firefox.settings.services.mozilla.com)
TCP 54.187.157.95:443 (pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com)
10.216.185.205.in-addr.arpa
125.21.88.13.in-addr.arpa
130.155.190.20.in-addr.arpa

There are also numerous internal addresses that may be used to make the analysis harder. These connections suggest that the malware could be communicating with command servers, potentially exfiltrating data or receiving further instructions.

Does PUA:Win32/SBYinYing Steal Data?

While it’s theoretically possible for PUA:Win32/SBYinYing to steal data, in practice, this is unlikely. This unwanted app mostly works as adware, and the information it collects mostly serves for fingerprinting the system. Still, adware can redirect users to potentially dangerous websites, which in turn could be a source of more harmful malware. And that is when user data gets in risk.

This might explain why some users report that their Facebook and Steam accounts were compromised after PUA:Win32/SBYinYing was found on their systems. Another plausible explanation is the general risk associated with using pirated software. Using cracked games or software increases the likelihood that a user will eventually have their personal data stolen or files lost.

How to Remove PUA:Win32/SBYinYing?

To remove PUA:Win32/SBYinYing, it’s advisable to use advanced anti-malware software. Some users encounter difficulties when trying to eliminate this threat with Microsoft Defender. For this reason, I recommend using GridinSoft Anti-Malware as a tool to remove PUA:Win32/SBYinYing. You can follow the step-by-step guide below:

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Additionally, I strongly recommend refraining from downloading pirated games and software, as this is the most common method of distributing malware. Not only is it dangerous, but it’s also illegal.

The post PUA:Win32/SBYinYing appeared first on Gridinsoft Blog.

Email spoofing, also known as spoofing email, involves forging the sender’s email address. Often, the address in the sender’s field is fake; any responses sent to this address will likely reach a third party. The primary goal of this scam is to deceive the user.

Fraudsters deploy a variety of tactics to execute a successful spoofing attack ¹. Below, we explore the most common methods they use.

1. Sharing a Similar Domain

To successfully spoof an email, fraudsters meticulously imitate sender addresses that appear similar to those of well-known organizations or companies. They typically:

• Alter the top-level domain, for example, from support@spotify.com to support@spotify.co
• Change the domain to include a country code, for example, support@spotify.com.ru
• Modify a single character in the domain name, turning support@spotify.com into support@spatify.com
• Use a variant of the domain that still references the brand, such as support@spotifyinfo.com
• Create an email address that incorporates the company’s name, like support.spotify@gmail.com

2. Substituting the Sender’s Name

This tactic involves falsifying the sender’s name, with the “From” and “Reply-To” headers displaying the fraudster’s address instead. This method is particularly prevalent on mobile mail clients, which typically only display the sender’s name. Fraudsters may use:

• Misleading variations of the company’s name.
• Fabricated names paired with deceptive email addresses.

Imagine that you receive an email like this:

Notice that all fields are correct, but the From and Reply-To fields are not. When Dude1 receives this email, he may think it’s from his boss. When he hits “Reply,” all he’ll see in the To: field is the name “BossMan,” but it will actually go back to his friend who spoofed the email, Dude2.

3. Changes the significance of the From and Reply-to fields

Because the SMTP protocol does not authenticate headers, fraudsters can easily forge addresses in the From and Reply fields without being noticed. Thus, they have the privilege of not being caught, as a fake is almost no different from the original.

Protection from Email Spoofing

To effectively guard against email spoofing, it’s essential to configure email security protocols such as SPF, DKIM, and DMARC. Below, you’ll find step-by-step guides on how to set up these protocols for popular email platforms:

1. Setting Up SPF (Sender Policy Framework)

SPF helps to verify that incoming mail from a domain comes from a host authorized by that domain’s administrators.

• Gmail: Go to the Google Admin console, navigate to ‘Domains’, and then ‘Add a domain or a domain alias’. Add the SPF record in your DNS settings: v=spf1 include:_spf.google.com ~all
• Outlook: In the Microsoft 365 admin center, go to ‘Settings’ → ‘Domains’, select your domain, and add the SPF record to your DNS settings: v=spf1 include:spf.protection.outlook.com -all

2. Implementing DKIM (DomainKeys Identified Mail)

DKIM (DomainKeys Identified Mail) adds an encrypted signature to outgoing emails, allowing the receiver to verify that an email was indeed sent and authorized by the owner of the sending domain. Setting up DKIM correctly can help prevent email spoofing by verifying the authenticity of the sender. Here’s how to set up DKIM for Gmail and Outlook:

Implementing DKIM for Gmail:

To configure DKIM for Gmail, use the following steps:

1. Sign in to the Google Admin console.
2. Navigate to Apps → Google Workspace → Gmail → Authenticate email.
3. Select the domain for which you want to set up DKIM and click GENERATE NEW RECORD. You might see this option only if you haven’t already set up DKIM for your domain.
4. Choose a key length of 2048 bits for better security (1024 bits is also available but less secure).
5. After generating the DKIM key, Google will provide you with a TXT record to add to your domain’s DNS. It will look something like this:

   google._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq...AB"

   This is your public key.

6. Add this record to your DNS settings at your domain host. Keep in mind that DNS propagation can take up to 48 hours.
7. Once the DNS has propagated, return to the Admin console and click START AUTHENTICATION.

When DKIM is set up correctly, Gmail will sign outgoing emails automatically, allowing recipient servers to verify their authenticity.

Implementing DKIM for Outlook:

For users of Microsoft 365 or Outlook, the setup process involves similar steps:

1. Login to the Microsoft 365 Defender portal.
2. Go to Email & collaboration → Policies & rules → Threat policies → DKIM.
3. Choose the domain you wish to enable DKIM for and click Enable.
4. If no DKIM keys exist, Microsoft will prompt you to create them. Click on Create to generate the keys.
5. Microsoft will then provide two CNAME records to add to your domain’s DNS. These records delegate the DKIM signing authority to Microsoft. They typically look like this:
   selector1._domainkey.YOURDOMAIN.com CNAME selector1-YOURDOMAIN-com._domainkey.OURDOMAIN.onmicrosoft.com
selector2._domainkey.YOURDOMAIN.com CNAME selector2-YOURDOMAIN-com._domainkey.OURDOMAIN.onmicrosoft.com
6. Add these CNAME records to your DNS. Again, allow up to 48 hours for DNS changes to take effect.
7. Once DNS propagation is complete, go back to the Defender portal and confirm the DKIM status to ensure it is active.

Implementing DKIM for your domain significantly improves your email security by enabling email authenticity verification at the recipient’s end.

3. Configuring DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication, policy, and reporting protocol. It builds on SPF and DKIM protocols, helping email receivers determine if a given message aligns with what the receiver knows about the sender. If not, DMARC includes guidance on how to handle these discrepancies. Here’s a step-by-step guide to setting up DMARC:

Understanding DMARC Policy:

Before setting up DMARC, you need to understand the policies you can apply:

Steps to Configure DMARC:

1. Create a DMARC record: A DMARC policy is published as a DNS TXT record. The typical format of a DMARC record looks like this:

   v=DMARC1; p=none; rua=mailto:admin@yourdomain.com

   In this example, ‘p=none’ specifies the policy, and ‘rua’ indicates where aggregate reports of DMARC failures will be sent.

2. Choose Your Policy: Decide which policy (none, quarantine, reject) fits your needs based on your security posture and the maturity of your SPF and DKIM setups.
3. Specify Email Reporting: Determine where you want reports of pass/fail to be sent. These reports are crucial for understanding the types of attacks targeting your domain and observing how your emails are being received on the internet. Use ‘rua’ for aggregate reports and ‘ruf’ for forensic reports:

   rua=mailto:aggregate@yourdomain.com; ruf=mailto:forensic@yourdomain.com

4. Publish the DMARC Record: Add the DMARC TXT record to your domain’s DNS. This is similar to adding SPF or DKIM records. You typically enter the record into your DNS management dashboard.
5. Monitor and Adjust: After implementing DMARC, monitor the reports you receive and adjust your policy as needed. Initially starting with a ‘none’ policy and moving to ‘quarantine’ or ‘reject’ as you confirm that legitimate emails are passing SPF and DKIM checks is a common approach.

Additional DMARC Tags:

DMARC records can include several optional tags to refine its operation:

• aspf: Alignment mode for SPF (strict or relaxed).
• adkim: Alignment mode for DKIM (strict or relaxed).
• fo: Forensic options to specify conditions under which forensic reports should be generated.
• rf: The format to be used in forensic reports.
• ri: Reporting interval for how often you want to receive the aggregate reports.

The post How to Prevent Email Spoofing appeared first on Gridinsoft Blog.

Phishing is a cyber-attack method that introduces malware to a computer via email. Intruders send users emails containing links under various pretexts. After clicking these links, the malware enters your computer. Thus, cybercriminals deceive the target to get as much data about the user as possible: his card numbers, bank accounts, etc

Types of Phishing Attacks

We have already explored what phishing is and how it manifests itself. Now, let’s delve into the types of phishing so you can better recognize them, understand where they might appear, and grasp their potential dangers to your PC. See the detailed descriptions below:

• Email Phishing: This is the most common form of phishing. Fraudsters send fraudulent emails that seem to come from reputable sources, such as financial institutions or well-known companies, to steal sensitive information like login credentials or credit card numbers. The emails often contain a link that leads to a fake website designed to capture your personal information.
• Phone Phishing: Also known as voice phishing or vishing, this technique involves phone calls to users with the aim of tricking them into divulging personal, financial, or security information. Attackers might impersonate bank officials, tech support, or representatives from other organizations to obtain sensitive information directly over the phone.
• Clone Phishing: In clone phishing, attackers make a copy or “clone” of a previously delivered email from a trusted sender that contained a link or an attachment. The malicious actor changes the link or attached file to a malicious version and resends it under the guise of an update or correction of the original email, often claiming it was re-sent due to a mistake or problem with the previous link.
• Spear Phishing: Unlike the broad nature of standard phishing, spear phishing targets specific individuals or organizations. This type of attack involves personalized messages that are more convincing because they are often based on the victim’s job position, work relationships, or personal interests, gathered from various data sources like social media or compromised accounts.
• Angler Phishing: This type of phishing exploits social media platforms to masquerade as customer support accounts. Fraudsters create fake accounts or hack into existing ones to respond to genuine customer queries. Through this method, they aim to extract personal data or spread malware by encouraging the victim to click on malicious links or give up sensitive information under the pretense of resolving a support issue.
• Smishing and Vishing: Smishing is phishing via SMS messages, where attackers send text messages that lure recipients into revealing personal information or downloading malware. Vishing, as mentioned, is similar but conducted over the phone. Both methods use social engineering to convince the victim to act against their best interests, often creating a sense of urgency or fear.

Examples of Phishing Attacks

Above, we have reviewed the types of phishing. Consider now the examples of how these types of phishing appear in action:

• You receive a letter that will convince you only to click the link in this letter.
• The most common phrase in these emails is “Click here”.
• Emails that come alert that your payment is allegedly not passed, try again, and so on.
• The letter in which you are deceived as if you have not paid taxes and something should.
• The user can go to the fraudsters’ website, although initially entering the address of the bank.
• Replace DNS routers without user permission.

What is Spoofing Attacks?

Spoofing is the substitution of foreign data by a cybercriminal by falsification to use it for their evil intentions unlawfully. It is often done to bypass the control and security system and distribute malware. The most common types of spoofing are IP spoofing, DNS spoofing, and email spoofing.

Types of Spoofing Attack

1. Email Spoofing. This method involves deception and the forgery of the sender’s address in the letters. This is what the attacker does as a way to spoof the domain, change the sender address, and change the value of the fields “From” and “Reply to”
2. Website Spoofing. The attacker creates a fake site that masquerades as legitimate. For the visibility of a realistic site, intruders use legal logos, colors, and fonts. The purpose of this method is to install malware on your computer through such a site.
3. Caller ID Spoofing. In this case, the attacker is hiding under a fake phone number. Any outgoing call number is used, but the incoming one will be the one that the intruder wants. That is, it will be difficult to identify the attacker, as he hides his outgoing number.
4. IP Spoofing. It is the renumbering IP addresses in packets sent to the attacking server. The sending packet specifies the address that the recipient trusts. As a result, the victim receives the data that the hacker needs. You can completely exclude IP spoofing by comparing the sender’s MAC and IP addresses. However, this type of spoofing can be helpful. For example, hundreds of virtual users with false IP addresses were created to test resource performance.
5. DNS Server Spoofing. One way to crack something is to attack by replacing DNS domain names to replace the IP address. DNS (Domain Name Server) spoofing or DNS cache poisoning is a type of cyberattack used by an attacker to direct the victim’s traffic to a malicious website (instead of a legitimate IP address).

Examples of Spoofing Attacks

Each type of spoofing can manifest itself differently. However, for you to understand the general picture of how spoofing works, below we will look at some examples:

• In one case, spoofing is manifested by changing the IP address when the entire site is hacked.
• It may be a website disguised as a bank you know that asks you to log in and sends you a link, but it’s just a scam to get your confidential information.

Difference Between Phishing and Spoofing

Now that we know what phishing and spoofing are, we know of the species and how they manifest themselves in practice, then we can consider what the difference between them is:

• Objective: The purpose of spoofing and phishing is different. The purpose of phishing is to get information about the user. The goal of spoofing is identity theft.
• Nature of Scam: In the case of spoofing – it seems completely harmless and not even fraudsters. It does not extort email addresses or mobile numbers. But phishing is a scam because it steals users’ data.
• Subset: Phishing and spoofing have nothing to do with each other. But there is a similarity. The similarity is that spoofing steals an identity from the Internet before committing fraud.
• Method: The primary spoofing method is the use of malware when phishing uses social engineering.

How to Prevent Phishing and Spoofing Attacks

Of course, there are methods to avoid an attack from the side of spoofing and phishing attacks . Of course, you cannot do anything because you will hurt yourself, but we recommend you take some measures. See below:

Phishing:

Before clicking on the proposed link in the email, move your mouse over it and look at the address you will go to. It should be the same as you were given. If it is different – it is likely to be a hoax. If you receive messages with such a logo – “Do not hesitate”, “Last Chance”, “Hurry”, and the like, then delete them or send them to spam. They pressure you to make a quick decision and immediately click on the link. Open any attachment only through proven and reliable sources. If you have received an email from a particular user, but you are not sure it will be sent to you, you better call him.

Spoofing:

• Check the letter for grammatical and spelling errors.
• Look carefully at the sender’s address
• Encryption and authentication
• Robust verification methods
• Firewall (protects your network, filters traffic with fake IP addresses, blocks access of unauthorized strangers).

You can also apply the same tips that we have considered to prevent phishing. It would help if you were careful in all these aspects. You do not know what you will be exposed to. Put protection on your PC, which will work for your benefit, warn you about perceived threats, and will closely monitor all your online activities.

We invite you to try Gridinsoft Anti-Malware, it is an excellent protection against spoofing, phishing attacks, and other online threats. Moreover, it is also able to get rid of the virus that helps scammers to deceive you.

The post Phishing vs Spoofing: Definition & Differences appeared first on Gridinsoft Blog.

Trojan:Win32/Bearfoos.B!ml Overview

Trojan:Win32/Bearfoos.B!ml is a detection of Microsoft Defender AI system for infostealer malware and spyware. Typically, the malware this detection flags belongs to a broader family, but may as well mean a small-batch virus. Reason for the detection is a specific behavior pattern that the AI system has spotted, which means it is not really clear what exactly caused it. Bearfoos embeds itself deeply into the system, often unnoticed by the user. It targets cookies, password databases, cryptocurrency wallets, and other sensitive information stored on the infected system.

Once the data is collected, the malware transmits it to a command-and-control server, then enters a dormant state, waiting for further commands. This allows it to remain undetected for extended periods. In addition to data theft, Bearfoos can log keystrokes, take screenshots, record video or audio using the system’s peripherals, and perform other spying activities.

Trojan:Win32/Bearfoos.B!ml spreads using methods typical for this type of malware. Most commonly, it is distributed through game cheats, mods, and dubious utilities. The second most common method of distribution is email spam.

Technical Analysis

Let’s break down how Trojan:Win32/Bearfoos.B!ml behaves in an infected system. The particular sample that I review appears to be an offshoot of AgentTesla spyware. I’ll try to explain the most important aspects of this threat as clearly as possible.

Upon infiltrating the system, the malware performs checks in the following locations for the presence of sandboxes and debuggers. This is a typical step that malware does to avoid analysis and “useless” infections.

C:\drivers\etc\hosts
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\system32\VERSION.dll

Gaining Persistence

After that, it drops its own copy to the AppData/Roaming folder and assigns it a random name. In my case, it was vzCravLx.exe. Next, the malware checks Microsoft Defender settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus

These registry values pertain to various components of the system’s anti-malware protection settings. The malware checks these settings to understand the system’s security posture and plan further actions. In our scenario, when the Defender settings were not altered by default, Bearfoos proceeded to alter Defender. It executes this selection of commands:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\\AppData\Roaming\vzCravLx.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vzCravLx" /XML "C:\Users\\AppData\Local\Temp\tmp6EAE.tmp

This is what provides persistence to the malware. With the first command, it excludes the path to its own executable and from Microsoft Defender scanning. The second command calls for the creation of a task in Task Scheduler to run the malware every once in a while. After that, Bearfoos a.k.a AgentTesla deletes the original file and keeps operating only with these protected duplicates.

Data Collection

The next phase involves the collection of sensitive information. First of all, the malware checks a selection of files that belong to web browsers, seeking for passwords, cookies and session tokens. Here is the list of browsers in question:

As we can see, these locations mainly consist of user data from Chromium-based web browsers. Aside from them, malware crawls credentials from desktop mailing clients and some FTP/VPN applications.

Command & Control Server

The Bearfoos trojan sends HTTP requests to the following addresses to download various files, including a CAB file from the Windows Update server and certificates from Sectigo and Microsoft:

GET http://download.windowsupdate.com/d/msdownload/update/others/2015/05/17930914_a3b333eff1f0428f5a2c87724c542504821cdbd8.cab
GET http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt 200
GET http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c 200
GET http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt 200
GET http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt 200

These requests might be attempts to disguise malicious activity as legitimate actions. The malware also resolves DNS names for several domains, including the legitimate download.windowsupdate.com, and potentially suspicious domains such as mail.commtechtrading[.]com and chir104.websitehostserver[.]net. These latter domains could be part of its command-and-control (C2) infrastructure used for data exfiltration. The malware establishes the following TCP/UDP connections with various IP addresses:

TCP 23.53.122.213:80
TCP 173.236.63.6:587
TCP 20.99.133.109:443
TCP 23.216.147.71:80
TCP 23.216.81.152:80
UDP 192.168.0.12:137

After completing the data exfiltration, the malware enters a waiting mode, listening for commands from the C2 server. During this standby period, it continues to collect data, capturing keystrokes, taking screenshots, and recording audio and video from peripheral devices.

Is Trojan:Win32/Bearfoos.B!ml a False Positive?

As I mentioned earlier, the detection of Trojan:Win32/Bearfoos.B!ml is performed using Microsoft Defender’s AI-based system. However, this method is prone to false positives, and legitimate files, such as those associated with recently updated games or programs, are often mistakenly flagged as malicious. In particular, it is often to see false positives in small-batch programs from GitHub, certain emulator apps, and in some bizarre cases even own Windows files.

While it is easy to spot a false positive with a program that you know and trust, doing so with a less familiar app may be problematic. If you are not sure about the source and developer, bold guessing may be a particularly destructive practice. That is why a second opinion anti-malware scan is needed.

How to Remove Trojan:Win32/Bearfoos.B!ml?

To remove Bearfoos.B!ml trojan or check whether it is a real detection, I recommend using GridinSoft Anti-Malware. This program is not vulnerable to malware attacks as Microsoft Defender, and will easily spot even the most recent malware samples, thanks to its multi-component detection system. Follow the guide below to get your system as good as new.

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

The post Trojan:Win32/Bearfoos.B!ml appeared first on Gridinsoft Blog.

How can you identify a suspicious email as “Spam”? What steps can you take to protect your computer from potential spam infections? Is it safe to open such emails?

In this article, we will address all these questions, helping you decipher the overwhelming number of mysterious emails in your inbox, understand their origins, and provide practical tips to avoid falling prey to spam emails.

How to Identify Spam Emails

If you have never heard of this type of message or have not encountered a particular moment with “Spam”, then we will tell you about some signs:

• Check the sender’s address. Look carefully at the sender’s address bar. If there is some incomprehensible set of letters and numbers, move the cursor to the address to see it in full. If he alerts you, enter him into the search engine and try to find something about this address.
• Follow the intended query. Think logically that large companies will not ask you for personal information, registration, bank account number, insurance details, and other confidential data. If you assume for what reason this service or the company, then yes, but if it all looks as inappropriate as possible – do not fall for it, it is SpamSpam!
• Be careful if the message creates the appearance of something urgent. Do not fall for such phrases: “Urgently,” “does not require a delay,” and others like that. The intruders are trying to put pressure on you in this way. They want these headlines to make you make your decisions quickly and rashly.
• Check whether the email uses your name. The company that will send you an email will probably know your details, at least your first and last name. Such phrases like “Dear Customer” or “Dear Reader” should make you doubt their legitimacy.
• Checks grammar and spelling. What does that mean? The strange wording in the article, miswritten words, and no system can give you the idea that there is something wrong.

Examples of Spam Emails

All spam emails have different types; you need to know and understand where you can meet them.

• Spoofed emails – in this case, the attacker attempts to deceive you by stealing confidential data and impersonating a different person.
• Ads are the most common form of SpamSpam. These are often scammers, although sometimes it can be an actual advertisement or product.
• Malware warnings – TI messages suggest you click on a predefined link to protect your PC from malware.
• Money scams – in this case, the pretenders, by deception, in the form of volunteers and good virtues, try to draw money from you.
• Over-the-top promises – this you often could see on the Internet. These are promises about quick winning, fast losing weight, big payouts, and other lies.
• Forced or accidental subscriptions – you probably bought something on the Internet and know that you offered to subscribe to the newsletter about new updates after the purchase. But some companies do this secretly; after the purchase, you automatically subscribe to a hundred emails from them.
• Chain letters – this is a made-up, where you press psychologically, frightening you that something will happen to you.

How to Stop Spam Emails

If your Inbox is already crowded, making it difficult to navigate and understand where messages come from and why, follow these steps to rid yourself of the massive number of spam emails:

1. Report the email as spam. Use your email provider’s option to mark emails as spam. This helps improve spam filters and keeps your inbox clean.
2. Block spam email addresses. Block addresses that frequently send you spam. This prevents further emails from those addresses from reaching your inbox.
3. Use an email alias. Create an alias for situations where you might not want to share your main email address. This helps protect your primary inbox from spam.
4. Change your email privacy settings. Adjust your email privacy settings to limit who can send you emails and prevent your address from being publicly accessible.
5. Unsubscribe from unwanted newsletters or mailing lists. Use the unsubscribe link typically found at the bottom of newsletters and marketing emails to stop receiving them.
6. Check if your email is on the dark web. Use services that can check if your email address has been compromised or is being circulated on the dark web.
7. Use SPF and DKIM email authentication. Ensure your email provider uses SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to authenticate emails and reduce spam.

Report the Email as Spam

Reporting spam emails helps improve the spam filters of your email provider and reduces the amount of spam you receive. Here’s a step-by-step guide on how to report an email address that is sending spam:

Block Spam Email Addresses

Blocking spam email addresses prevents further emails from those addresses from reaching your inbox. Here’s a step-by-step guide on how to block an email address:

Use an Email Alias

Using an email alias can help protect your primary email address from spam and keep your inbox organized. Here’s a step-by-step guide on how to create and use an email alias:

Check if Your Email is on the Dark Web

Checking if your email is on the dark web can help you take proactive measures to protect your information. Here’s a step-by-step guide on how to check if your email is compromised:

Use SPF and DKIM Email Authentication

SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are email authentication methods that help protect your domain from email spoofing and ensure that your emails are delivered securely. Here’s a step-by-step guide on how to use SPF and DKIM:

Monitoring and Maintenance

1. Regularly Check Your DNS Records: Ensure your SPF and DKIM records are up-to-date and correctly configured.
2. Monitor Email Deliverability: Use email deliverability tools to monitor how well your emails are being delivered and check for any issues related to SPF or DKIM.
3. Update Records as Needed: If you change email providers or add new sending sources, update your SPF and DKIM records accordingly.

The post How to Stop and Block Spam Emails appeared first on Gridinsoft Blog.

Directing someone to a specific IP address becomes simpler when altering the HOSTS file on their machine. However, modifying this file across numerous devices is a challenging task. Consequently, attackers often target the DNS server itself, making a single change that updates the responses for all querying clients. While various methods exist to manipulate DNS servers, most involve gaining control over the server.

What Is DNS and How Do DNS Servers Function?

Let’s revisit what DNS means. The Domain Name System is a foundational internet service that facilitates the conversion of human-readable domain names into machine-understandable IP addresses. Here are some essential components related to DNS:

• IP Address (Internet Protocol): A unique string of numbers assigned to each computer and server on a network, allowing them to locate and communicate with each other.
• Domain: A memorable text name, like “www.google.com,” that corresponds to the IP address of a server, simplifying the process of connecting to websites.
• Domain Name System (DNS): This system translates domain names into IP addresses.
• DNS Servers: These include four types of servers crucial to the DNS lookup process: resolving name servers, root name servers, top-level domain (TLD) name servers, and authoritative name servers. For simplicity, let’s discuss the resolver name server.
• Resolver Name Server: Operating within your system, this server begins the translation process by querying other servers to find the IP address associated with a domain name.

The DNS Lookup Process

When you enter a website’s domain name, the following process unfolds:

1. Your web browser and operating system (OS) first attempt to retrieve the domain’s IP address from the computer’s internal memory or cache, if previously visited.
2. If the cache doesn’t contain the IP address, the OS reaches out to a resolver name server.
3. This resolver then searches through a chain of servers to locate and return the correct IP address to your OS, which relays it to your web browser.

The DNS lookup process is a critical infrastructure component across the internet. However, vulnerabilities in DNS can expose users to security risks, such as malicious redirects, underscoring the importance of awareness and preventive measures.

What is DNS Hijacking?

DNS hijacking, also known as DNS redirection, is a broad term that describes any attack where a perpetrator manipulates an end user’s device into connecting with a fraudulent domain or IP address, under the guise of a legitimate domain. This type of attack can deceive users into thinking they are interacting with a legitimate site when they are not.

There are numerous methods of DNS hijacking, and not all are unlawful. A common legal example is seen with pay-per-use WiFi portals. These services intercept DNS requests before the user has paid for access. Regardless of the user’s settings, all requests direct to a payment server page where the user can purchase WiFi access.

Another prevalent method involves altering the DNS settings on a client’s device. An attacker may change the settings so that the device uses a DNS server under their control instead of a legitimate service like 8.8.8.8. When a user attempts to access a secure site such as their online banking website, the rogue DNS server may redirect them to a fake website. This site acts as a proxy to capture all transmitted data. This technique was famously used by the DNSChanger trojan/malware, which, while now rare, was once a significant threat.

Other hijacking tactics include exploiting vulnerabilities within DNS server software, manipulating DNS registration systems, or utilizing visually deceptive domain names (homograph attacks). One early example of phishing employed a domain named paypaI.com where the letter ‘I’ was capitalized to mimic a lowercase ‘L’, misleading users into thinking it was the legitimate PayPal.com. With DNS now supporting international characters, these attacks have become even more sophisticated and harder to detect.

What is DNS Spoofing

DNS spoofing also refers to any attack that tries to change the DNS records returned to the requester to a response chosen by the attacker. This can include some techniques such as using cache poisoning or some type of man-in-the-middle attack. We sometimes use the terms “DNS hijacking” and “DNS spoofing” as synonyms. This method is also widely used by paid Wi-Fi access points in airports and hotels. In some cases, network security groups can use it as a quarantine tool to isolate an infected device.

Difference Between DNS Spoofing and DNS Hijacking

Although DNS spoofing is often confused with DNS hijacking because both occur at the local system level, they are two different types of attacks. In most cases, DNS spoofing or cache poisoning simply involves overwriting the local DNS cache values with fake ones to redirect the victim to a malicious website. On the other hand, DNS hijacking (also known as DNS redirection) often involves malware infection to hijack this critical system service. In this case, malware hosted on the local computer can change the TCP/IP configuration to point to a malicious DNS server, eventually redirecting traffic to the phishing website.

Conclusion

As you can see, DNS is critical to the day-to-day operation of websites and online services. Unfortunately, attackers may see it as an attractive opportunity to attack your networks. This is why monitoring your DNS servers and traffic is crucial. We must be careful where we go on the Internet and what emails we open. Even the slightest difference, for example, the absence of an SSL certificate, is a signal to check the website you want to visit.

The post DNS Spoofing vs DNS Hijacking appeared first on Gridinsoft Blog.

Trojan:Win32/Tnega!MSR Overview

Trojan:Win32/Tnega!MSR is a Microsoft Defender detection that refers to malware that acts as a downloader. As the name suggests, such malware’s main task is to deliver additional malicious components to the infected device, i.e., payload. It may also include extra features like collecting system information or other basic details.

Main spreading ways for Tnega trojan are modified versions of games, cheats, or game add-ons. Since such tools always require antivirus software to be disabled, such a disguise creates ideal conditions for malware to run in the system. In addition to this, Tnega has a protection mechanism against antivirus detection and analysis. Everything is standard here – various techniques like code encryption, polymorphism, obfuscation, and checking for the presence of virtual environments. These techniques make it difficult to be detected and analyzed by antivirus programs and malware analyzers.

Technical Analysis

For a more detailed breakdown, I chose a sample that spreads as some kind of a mod for Roblox. As the detection is not specific to a malware family, there can be variations from one sample to another, but the general course of action will remain the same. Let’s break down some of the key behaviors and actions observed.

Once launched, the malware performs some checks to determine if the application is running in a virtual environment or sandbox. A rather common check, but it is still effective in weeding out artificial environments. To do this, it checks the following registry values:

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

These keys display the BIOS version, which is particularly hard to spoof when it comes to basic virtual machines. Such a check gives much more precise results than more classic ones, that view video driver information and the list of installed applications.

Persistence

To gain persistence, Trojan:Win32/Tnega!MSR uses Task Scheduler to run its executable file. This allows it to run periodically or on a schedule with elevated privileges. Registering a task as .NET code contains functionality that can also be used to launch other malicious programs.

After tinkering with the Task Scheduler, the malware’s executable file is injected into other system processes, allowing it to execute with elevated privileges in the context of these processes. It uses the WerFault.exe process with parameters -u -p -s .

C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1912
C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 1908
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1908

This is only a few of the commands where Tnega abuses WerFault functionality. During the runtime testing, it interacted with the error reporting module for 9 times, which corresponds to the number of files it has downloaded from the C2. So yes, each one of these is about to run malware with max privileges.

C2 Connection

The malware communicates with C2 servers via HTTP to blend in with legitimate traffic. DNS resolutions are made to domains such as query.prod.cms.rt.microsoft.com. IP traffic is observed on specific ports like TCP 80, TCP 443, and UDP 137.

TCP 104.80.89.50:80
TCP 13.107.4.50:80
TCP 131.253.33.203:80
UDP 192.168.0.1:137
UDP 192.168.0.55:137

Payload

Next, Trojan:Win32/Tnega!MSR performs its primary function of dropping the payload. It writes files to the disc in various directories – C:\Users\\Downloads, C:\Users\user\Desktop and C:\Users\user\AppData\Roaming. The files typically arrive in the form of a .dmp file, meaning that malware further injects them into the memory of a legit process.

How To Remove Trojan:Win32/Tnega!MSR?

To remove Trojan:Win32/Tnega!MSR, it is best to use an advanced anti-malware tool. GridinSoft Anti-Malware is the optimal option. Since some users have encountered problems with Tnega removal using default Windows tools, a third-party solution is designed to remedy this situation. Moreover, using GridinSoft Anti-Malware does not require you to disable Windows Defender. So, they can work in pairs, complementing each other.

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

The post Trojan:Win32/Tnega!MSR appeared first on Gridinsoft Blog.

What is an IP Stresser?

IP stresser is a special tool that tests a network or server for stress tolerance. The administrator can run the stress test to check whether the current resources (bandwidth, CPU power, or so) are sufficient to handle the additional load. Testing your network or server is a legitimate use of a stress test. However, running a stress test against someone else’s network or server, resulting in a denial of service to their legitimate users, is illegal in most countries.

What are booter services?

Booters (also known as bootloaders) are on-demand DDoS (Distributed Denial of Service) attacks that cybercriminals offer to shut down networks and websites. Consequently, booters are illegal uses of IP stressers. Illegal IP stresses often conceal the identity of the attacker’s server by using proxy servers. The proxy redirects the attacker’s connection by masking the attacker’s IP address.

Booters are often available as SaaS (Software-as-a-Service) and are accompanied by email support and YouTube tutorials. Packages can offer one-time service, several attacks over some time, or even “lifetime” access. A basic one-month package costs a tiny sum. Payment methods can include credit cards, Skrill, PayPal, or bitcoins.

The difference between IP Stresser and botnets

In contrast to IP Stresser, the owners of computers that use botnets are unaware that their computers are infected with malware. Thus, they unwittingly become accomplices to Internet attacks. Booters are DDoS services for hire offered by enterprising hackers. Whereas in the past, you had to create your botnet to conduct a large-scale attack, now it is enough to pay a small amount of money.

Motivations DDoS attacks

The motives for such attacks can be varied: espionage¹ to sharpen skills, business competition, ideological differences, government-sponsored terrorism, or extortion. The preferred payment method is bitcoins, as it is impossible to uncover the wallet owner. However, it is harder to go in cash when you have your savings in cryptocurrency.

Amplification and reflection attacks

Reflection and amplification attacks use legitimate traffic to overwhelm the targeted network or server. IP spoofing involves the attacker spoofing the victim’s IP address and sending a message to a third party on behalf of the victim. The third party, in turn, cannot distinguish the victim’s IP address from the attacker’s one and replies directly to the victim. The victim, as well as the third-party server, cannot see the real IP address of the attacker. This process is called reflection. For example, take a situation where the attacker orders a dozen pizzas to the victim’s home on behalf of the victim. Now the victim has to pay the pizzeria money for the pizzas, which she didn’t even order.

Traffic amplification occurs when a hacker forces a third-party server to send responses to the victim with as much data as possible. The ratio between the size of the response and the request is the amplification factor. The greater this amplification, the more potential damage is done to the victim. In addition, because of the volume of spoofed requests that the third-party server has to handle, it is also disruptive for it. NTP Amplification is one example of such an attack.

Amplification and reflection IP Stresser explained

The most effective types of bootstrap attacks use both amplification and reflection. First, the attacker spoofs the target address, then sends a message to a third party. The receiver sends the response to the target’s address, which appears in a packet as the sender’s address. The response is much larger than the original message, which amplifies the attack’s size. The role of a single bot in such an attack is about the same as if a teenage attacker called a restaurant, ordered the entire menu, and asked for a callback to confirm each dish. But the number for the callback belongs to the victim. As a result, the victim gets a call from the restaurant about orders it didn’t make and has to hold a line for a long time.

The categories of denial-of-service attacks

There are dozens of possible variations of DDoS attacks, and some of them have multiple subspecies. Depending on the hackers’ targets and skills, the attack may simultaneously belong to several types. Let’s review each of them one by one.

Application-layer attacks target web applications and often use the most sophisticated techniques. These attacks exploit a vulnerability in the Layer 7 protocol stack. They connect to a target and drain server resources by monopolizing processes and transactions. Because of this, they are challenging to detect and mitigate. A typical example is the HTTP Flood attack.

Protocol-based attacks exploit weaknesses at layers 3 or 4 of the protocol stack. Such attacks consume the victim’s processing power or other essential resources (such as the firewall). This results in a service disruption. Examples of such attacks are Syn Flood and Ping of Death.

Volumetric Attacks send large volumes of traffic to fill the entire bandwidth of the victim. Attackers generate bulk attacks using simple amplification methods. This attack is the most common — for example, UDP Flood, TCP Flood, NTP Amplification, and DNS Amplification.

Common denial-of-service attacks

The goal of DoS or DDoS attacks is to consume as many server or network resources as possible so that the system stops responding to legitimate requests:

• SYN Flood: A sequence of SYN requests is sent to the target system in an attempt to overload it. This attack exploits vulnerabilities in TCP connection sequences, also known as three-way handshakes.
• HTTP Flood: an attack in which HTTP GET or POST requests are used to attack a web server.
• UDP Flood: A kind of attack in which random target ports are flooded with IP packets containing UDP datagrams.
• Ping of Death: Attacks involve sending IP packets more significantly than the IP protocol allows. TCP/IP fragmentation works with large packets by breaking them into smaller ones. Legacy servers often fail if the full packets exceed the 65,536 bytes allowed. This has been fixed mainly in newer systems. However, Ping flooding is the modern incarnation of this attack.
• ICMP Protocol Attacks: Attacks on the ICMP protocol are based on the fact that the server must process each request before a response is sent back. The Smurf attack, ICMP flooding, and ping flooding exploit this by flooding the server with ICMP requests without waiting for a response.
• Slowloris: this is an attack invented by Robert “RSnake” Hansen. It tries to keep multiple connections to the target web server open as long as possible. Thus, additional connection attempts from clients will be rejected.
• DNS Flood: An intruder fills the DNS servers of a certain domain to disrupt DNS resolution for that domain.
• Smurf Attack: This attack uses malware called smurf. Using a broadcast IP address, large numbers of Internet Control Message Protocol (ICMP) packets are sent to the computer network with a fake IP address of the victim.
• SNMP reflection: An attacker spoofs the victim’s IP address and sends multiple SNMP requests to the devices. The volume of responses can overwhelm the victim.
• DNS amplification: this reflection-based attack turns legitimate requests to DNS (domain name system) servers into much larger ones, thus consuming server resources.

Less popular DDOS methods

• NTP Reinforcement: A high volume reflection-based DDoS attack in which the attacker exploits the Network Time Protocol (NTP) server functionality to overload the target network or server with increased UDP traffic.
• SSDP: SSDP (Simple Service Discovery Protocol) attack is a reflection-based DDoS attack. It uses Universal Plug and Play (UPnP) network protocols to send an amplified traffic volume to the target victim.
• Teardrop Attack: An attack consists of sending fragmented packets to the target device. An error in TCP/IP prevents the server from reassembling such packets, resulting from which the packets overlapping each other, thus incapacitating the target device.
• Fraggle attack: the attack is similar to smurf, except that it uses UDP rather than ICMP.

What to do in case of a DDoS attack?

• Inform your data center and ISP immediately;
• Do not consider ransom – payment often results in escalating ransom demands;
• Notify law enforcement authorities;
• Monitor network traffic.

How to mitigate attacks?

• Install firewalls on the servers;
• Keep security patches up to date;
• Run antivirus software on a schedule;
• Monitor system logs regularly;
• Prevent SMTP traffic from being distributed by unknown mail servers;
• Causes of difficulty tracking the booter service.

Since the person buying these criminal services uses an external site to pay and receive instructions, the connection to the backend initiating the attack cannot be identified. Therefore, criminal intent can be challenging to prove. However, one way to identify criminal organizations is to track payment traces.

The post IP Stresser & DDoS Booter appeared first on Gridinsoft Blog.

What is PUABundler:Win32/CandyOpen?

As I’ve said in the introduction, CandyOpen is a detection name for a specific program that spreads bundles with unwanted programs. It was developed back in the late 2000s as a way to monetize free applications by adding some advertised content along with the main installation. But as the overall functionality of the app allowed for more extensive and intrusive changes, foul actors began misusing it.

The way this misuse was happening made the major cybersecurity vendors consider OpenCandy a malicious program. It is capable of changing browser settings by itself, and the additional programs it usually install can inject unwanted ads into pages, modify the web browser even more, and do similar dirty things. So having one to run in your system means a browser full of ads, pop-up advertisements flooding both system and browser, and unwanted programs getting installed. Not to mention potential data stealing, that the Win32/CandyOpen is capable of – read on to see the details.

To sum up, a PUABundler:Win32/CandyOpen detection means a malware that delivers unwanted programs and is capable of messing up your system on its own. But to have a more detailed look and a better understanding of this thing, let’s analyze it by running it on a virtual machine.

CandyOpen Malware Analysis

Finding the appropriate CandyOpen sample was rather easy. To be clear, it does not behave like straightforward malware on the surface. You can find it in the list of installed apps; there is even an option to disable additional installations in the menu. But the actions it does to the system once it is launched are quite unambiguous.

As you allow the thing to run under admin privileges, all further actions it does are done without your confirmation. You will speechlessly spectate various shortcuts to appear on your desktop, and your browser will go mad with pop-ups and redirects. As soon as CandyOpen runs in the system, it starts with changing the browser properties, particularly the search engine and start page. Then, it requests the list of unwanted programs to install from the command server, and proceeds with the installation.

Here goes the main concern: while CandyOpen usually installs junk apps that are not outright malicious, nothing stops it from installing malware. Still, the sheer volume of troubles it already brings to your system is enough to say that this should not run in your system.

List of PUA OpenCandy actions:

That is the comprehensive collection of CandyOpen actions, things done by the majority of widespread samples. The particular sample you may find can have only a part of these functions or even go beyond it. Con actors who use it for monetization can alter the CandyOpen in many ways, so it better fits their purposes.

How to remove PUABundler:Win32/CandyOpen?

Removing Win32/CandyOpen is possible manually, but I’d recommend you use anti-malware software. This will speed up the process and make it much easier for you. Also, manual removal makes it nearly impossible to find and remove unwanted or malicious programs present in the system.

GridinSoft Anti-Malware is a program that will remove CandyOpen in no sweat. It will also find and remove all the additional junk OpenCandy can bring.

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

The post PUABundler:Win32/CandyOpen (PUA OpenCandy) appeared first on Gridinsoft Blog.