Tag Archives: malware

The tyranny of CryptoLocker has ended, or at least paused.

Ding dong the witch is dead:

FireEye and Fox-IT have partnered to provide free keys designed to unlock systems infected by CryptoLocker.

CryptoLocker screenshot

If you have been infected by the CryptoLocker ransomware and all your files have been encrypted without your consent, go to FireEye and Fox-IT’s decryptcryptolocker website post haste. These noble folks seem to have located the CryptoLocker servers that store the unique private keys (called “master decryption keys”) for infected systems and will allow you to decrypt your encrypted files . . . gratis!

I warned about CryptoLocker when it first appeared in the fall of 2013. It is a very malicious piece of work.

I applaud FireEye and Fox-IT. I’m not sure how they were able to locate the CryptoLocker servers. (New randomly-named servers were created every day.) Also, it seems that CryptoLocker’s claim that the private keys would be destroyed after several days wasn’t true, since FireEye and Fox-IT appear to have found the keys intact on one or more CryptoLocker servers. In any case, FireEye and Fox-IT deserve a big round of applause.

The Register published a good article about decryptcryptolocker and its background. According to their article, my celebration may be premature:

Hopes that this takedown would kill off CryptoLocker have been dashed. CryptoLocker has evolved and once again started to compromise user devices, FireEye warns.

Lions and tigers and bears! Oh my!

Visit my website: http://russbellew.com
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695

Make off-line backups NOW.

A new improved piece of malware that’s targeted at Windows users has entered the stage. It encrypts ALL of your Windows computer’s document files — .docs, spreadsheets, photos, etc — as well as any files that it finds in your Dropbox or on your network’s shares, and demands a ransom to decrypt them. It overwrites your original unencrypted files with zeros. Here’s one sad CryptoLocker story.

CryptoLocker is nasty. It apparently propagates via Phishing attacks: you know, those emails that contain a malicious link and/or attached file. Supposedly CryptoLocker is delivered by an email that looks like it’s from a legitimate company such as FedEx, UPS, a bank, or other business.

One bad feature of CryptoLocker is that it encrypts every file that it can find and gain write access to: this includes your backup files that reside on any online external drives. If it has a drive letter, its files will be encrypted by CryptoLocker. Here is a YouTube video clip of someone who paid the $300 ransom.

Malwarebytes documents CryptoLocker. The best protection is to use offline backup systems. Carbonite would be immune, as would offline tape backup systems.

Sophos has a good CryptoLocker page with video demo. It notes,

A Naked Security reader just commented that from a single infected computer, he was “faced with 14,786 encrypted files over local and mapped network drives.”

Backup system must include versioning

Let’s assume the worst: your files have been encrypted by CryptoLocker. To ensure that you can restore an unencrypted version of each file, your backup system should include a feature called versioning. You’ll need to select from a backup set that was done before CryptoLocker infected your computer . . . and these earlier versions must be stored off-line, or CryptoLocker will encrypt them, too!


Update, 6 Nov 2013: I’ve read that CryptoLocker is distributed via an emailed attachment. The attached file purports to be a PDF file. It is in fact an EXE file. When the victim clicks on the attached file, the attack begins.
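The attachment trick described above works because Explorer hides known file extensions, so “invoice.pdf.exe” is displayed as “invoice.pdf”. As an added example (not code from the original post), this PowerShell snippet turns that hiding off and then lists files in the Downloads and Temp folders whose name carries a document extension in front of an executable one. The folder list and the two extension lists are assumptions; it needs PowerShell 3 or later.

```powershell
# Added example, not from the original post. Assumes PowerShell 3 or later.
# Explorer hides known extensions by default, which is what lets a file named
# "invoice.pdf.exe" pose as "invoice.pdf". Turn that off for the current user.
$ExplorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $ExplorerKey -Name 'HideFileExt' -Value 0 -Type DWord
# Explorer reads this value when it starts; open a new window (or log off) to see the change.

# Folders where mail attachments usually end up (assumed; extend as needed).
$Folders = @("$env:USERPROFILE\Downloads", $env:TEMP)

# A name that ends in an executable extension ...
$ExecutableExt = '\.(exe|scr|com|pif|bat|cmd|vbs|js)$'
# ... and carries a document or image extension somewhere before it.
$DisguiseExt   = '\.(pdf|doc|docx|xls|xlsx|jpg|jpeg|png|gif|txt)\.'

# Returns the disguised files so the caller can decide what to do with them.
function Find-DisguisedExecutable {
    param([string[]]$Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -imatch $ExecutableExt -and $_.Name -imatch $DisguiseExt } |
        Select-Object FullName, Length, LastWriteTime
}

Find-DisguisedExecutable -Path $Folders | Format-Table -AutoSize
```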


0 bytes free = an obnoxious infection

Last week I ran into an ingenious Windows XP infection.

“Claustrophobia” by NinaValetova
The victim’s hard drive rapidly runs out of free disk space. I never did identify the exact culprit. The virus continually appends to a hidden file named “avenger.txt” in the root of drive C:. When I found it, c:\avenger.txt was over 500 gigabytes in size!

My cure was to reformat the disk and install a fresh copy of Windows XP.


Recent virus vectors

Within the last year or so, Microsoft Windows has become pretty secure. (I didn’t think that I’d ever use the words “Windows” and “secure” in the same sentence.) Microsoft has been relentless in fixing Windows’ vulnerabilities and distributing those fixes through Windows Update. Now the malware creators have turned to Adobe Reader, Flash, and Java to spread their infections, so it’s doubly important that you keep these three programs up to date so that they block the latest exploits. Rust, and the malware scourge, never sleeps.


Universal Plug and Play vulnerability

I’ve never been comfortable with Universal Plug and Play (UPnP). It was dreamed up by Microsoft in an attempt to make networking easier for end-users and first appeared in Windows Millennium Edition (“Win ME”). I didn’t trust it then, and I still don’t trust it. The name “Universal Plug and Play” leverages Microsoft’s successful implementation of MS-Windows’ (benign) “Plug and Play” service, which first appeared in Windows 95. The UPnP name continued Microsoft’s tradition of confusing terminology and poor corporate communications in general.

UPnP has always skated on thin ice. For one thing, it contains no provision for authentication. It assumes that all UPnP objects reside behind a firewall and that no UPnP packets can traverse any public-facing router. These are naïve assumptions. I always disable UPnP, or at least I think that I disable it. (Some routers expose UPnP to the Internet no matter what the router’s admin instructs it to do!)

UPnP: Universal Plug and Play
UPnP’s discovery phase

Recently, researchers port-scanned the entire IPv4 Internet multiple times over a five-month period, recording the IP address of each network device with exposed UPnP. They found 81 million vulnerable devices. Read the results:


Are you vulnerable?
Check your Internet-connected local area network’s devices for exposure of UPnP capability to the outside world by using Steve Gibson’s ShieldsUP!.

UPnP bugs history
Apparently, many years ago, Intel published a reference library demonstrating a UPnP implementation. Most router manufacturers incorporated Intel’s UPnP library into their routers’ firmware. Intel’s UPnP library apparently contains bugs that can expose UPnP capability on the router’s WAN (Wide Area Network) port(!).
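ShieldsUP! tests what the outside world sees. To check the inside of your own LAN, here is an added example (not code from the original post or from any of the vendors named): a PowerShell function that sends one SSDP M-SEARCH, the UPnP discovery request pictured above, to the UPnP multicast group and lists every device that answers with the description URL it advertises. If your router still shows up after you disabled UPnP in its admin page, the setting did not take. The search target, the 3-second wait and the function name are assumptions.

```powershell
# Added example, not from the original post. Sends one SSDP M-SEARCH (the UPnP
# discovery request) to the multicast group and collects answers for a few
# seconds. Run it on your own LAN; an empty table means nothing is offering
# UPnP there. Search target ("ssdp:all") and timeout are assumed values.
function Find-UPnPResponder {
    param([int]$TimeoutMs = 3000)

    $Request = "M-SEARCH * HTTP/1.1`r`n" +
               "HOST: 239.255.255.250:1900`r`n" +
               "MAN: `"ssdp:discover`"`r`n" +
               "MX: 2`r`n" +
               "ST: ssdp:all`r`n`r`n"
    $Bytes = [System.Text.Encoding]::ASCII.GetBytes($Request)

    $Udp = New-Object System.Net.Sockets.UdpClient
    $Udp.Client.ReceiveTimeout = $TimeoutMs
    $Group = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Parse('239.255.255.250')), 1900
    [void]$Udp.Send($Bytes, $Bytes.Length, $Group)

    $Remote = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 0
    $Found = @()
    try {
        while ($true) {
            # Receive() throws a SocketException once the timeout passes with no data.
            $Data = $Udp.Receive([ref]$Remote)
            $Text = [System.Text.Encoding]::ASCII.GetString($Data)
            # Replies look like HTTP responses: one "NAME: value" header per line.
            $Headers = @{}
            foreach ($Line in ($Text -split "`r`n")) {
                if ($Line -match '^([^:]+):\s*(.*)$') { $Headers[$Matches[1].ToUpper()] = $Matches[2] }
            }
            $Found += [pscustomobject]@{
                Responder = $Remote.Address.ToString()
                Location  = $Headers['LOCATION']   # URL of the device description
                Server    = $Headers['SERVER']     # vendor/firmware string, if given
            }
        }
    } catch [System.Net.Sockets.SocketException] {
        # Timeout reached: no more replies.
    } finally {
        $Udp.Close()
    }
    $Found | Sort-Object Responder, Location -Unique
}

Find-UPnPResponder | Format-Table -AutoSize
```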

Read more: upnp-hacks.org.


Java may still be vulnerable even after Oracle’s security patch.

diagram: Baptiste MATHUS
This is a comedy of errors.

For four months, Java has been vulnerable to attack. Oracle responded recently with Java version 7, which patched the holes in version 6. Java version 7 adds two functions; unfortunately those functions include new improved vulnerabilities.

Andy Greenberg wrote about the latest Oracle problems with Java in a recent Forbes article.

Java has been with us since 1996. I recall the joy that greeted its introduction by Sun Microsystems: a Java program could be written once and then execute on Windows, Mac, and a variety of Unix machines. The slogan was write once, run anywhere. As malicious attacks have intensified, we’ve learned that the architecture of Java makes it vulnerable to attack. It includes file system access and acquires the same rights as the currently logged-on user. That means if you are logged on to your PC as Administrator, a malicious Java program can do whatever it pleases on your PC.

The vulnerability in Java version 7 means that if a website contains malicious Java code, all that you need do is visit that website — you need not click on any links — and your Windows, Mac, or Linux machine is taken over (if you have Oracle’s Java installed on it). And you probably wouldn’t know it.

The open door to your PC is provided by having Java execute within your web browser. Until Oracle gets their Java act together, I recommend that you uninstall Java. Using the Mozilla Firefox web browser with the NoScript add-on will also protect you. These days, few websites use Java anyway. Some multi-user games require Java, and a few financial reporting sites use Java. I don’t even have it installed on this Windows XP machine.

Sept 7 2012 update: Oracle has resorted to accepting payments from McAfee: when you download the Java update from Oracle, it defaults to installing McAfee Security Scanner, unless you opt out. Oracle ought to stop trying to maintain Java by themselves. As far as I know, it’s not generating revenue for them, so their heart isn’t in maintaining the code. Oracle and the user community would be better served by re-branding Java as open-source.

Reportedly many European bank sites use Java to provide on-line banking. I’d recommend that these users make certain that they keep their Java updated and use Mozilla Firefox with the NoScript add-on. The Safari browser on Macs prompts you before executing Java code, and disables it afterwards, so this should be okay for European banking users.

A good workaround would be to boot from a Ubuntu (Linux) live DVD/CD, and do your banking with it. It includes its own JRE (Java runtime environment), which is not vulnerable to Oracle’s Java vulnerabilities — or any Windows vulnerabilities, either.


Microsoft scrambles to thwart Duqu worm.

Source: The Hacker News
Duqu flow and Execution Diagram

From eastern Europe with love.

In September, a new worm, dubbed Duqu, appeared in Hungary. It shares some characteristics with the Stuxnet worm. It spreads via infected Microsoft Word documents and then exploits a vulnerability in Windows’ TrueType parsing engine.

It appears that Duqu captures keystrokes and attempts to steal digital certificates. It sends them to “its master” in encrypted form within a 600 KB JPEG file and related encrypted files. Initial reports indicate that once Duqu is behind a firewall, it uses multiple methods to spread within a workgroup.

Microsoft plans to issue a 4-part patch to thwart Duqu on November 8, along with its usual “patch Tuesday” updates. I’ve not heard whether Microsoft Security Essentials’ latest update will detect Duqu.

A new generation of infection

Stuxnet introduced new techniques: it uses encryption to hide itself on the target computer and to hide the contents of the stolen data that it sends “home”. Even the IP address of “home” changes randomly. Once it has set up shop in an infected computer, it resists being infected again by other, unknown malware. Duqu uses similar techniques and seems to remove itself after 36 days, to reduce the chance of detection.

As usual, don’t click on any unexpected email attachments.


There might be a RAT in your kitchen.

Double-prism binocular design: Moritz Carl Hensoldt
Operation Shady RAT just may be watching you.

Is your anthem the 1984 pop single “I always feel like somebody’s watching me”? You may be right. Dmitri Alperovitch, in his recent article Revealed: Operation Shady RAT, states, “. . . I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly).”

He should know. Mr. Alperovitch and McAfee have been studying what they call “Operation Shady RAT”. (RAT is an abbreviation for remote access tool.) Its depth, breadth, and audacity are impressive. They coyly call the perpetrator “a state actor”, but it’s an open secret that China uses the Internet to aggressively spy on governments, defense contractors, and even seemingly benign targets.

Foxnews’ report, Massive Global Cyberattack Targeting U.S., U.N. Discovered; Experts Blame China explains some implications.

Most commercial organizations — especially banks — are reluctant to publicize any security breaches, so it’s unlikely that we’ll ever know just what’s been compromised, damaged, or stolen by Operation Shady RAT.

If you think that this isn’t really happening, just check the unfiltered log files of an Internet-facing router / firewall that protects any organization. It’s amazing to see how many port scan attempts hammer these routers 24 hours a day. And a fair number (maybe 50 percent) originate from IP addresses within China. Not convinced? Log into your own router as its admin and check activity on its WAN port: you’ll see many uninvited guests knocking on its door all day long. Most are just random testing of defenses, roughly the same as a burglar who walks down the street, knocking on doors to find a weak target to break into.

(My apologies to UB40 for my allusion to their reggae hit, Rat in Mi Kitchen. Great tune.)


The hits just keep coming.

XP Total Security 2012 Trojan Horse screen view
More bad guys than ever are launching cyber-attacks for fun and profit.

Desktop Attacks

I’ve recently encountered an old enemy: a Trojan Horse that’s been around for 3 years or more. It’s recently calling itself XP Total Security 2012 and it’s gotten nastier and more tenacious than its earlier incarnations. I no longer spend much time trying to remove this bad boy: I just back up the infected computer’s data, format the hard drive, re-install Windows, and restore the (scanned) data. Most security experts agree with this tactic.

Server Attacks

Elinor Mills, in an article that appeared in CNet News, June 17, 2011, Keeping up with the hackers, included a chart of recent major break-ins. There are some surprising headliners in the Victims column: RSA, who specialize in security; Sony, which makes multiple appearances; payroll giant ADP; Citigroup; the US Senate; et al.

Sony has been hacked so often, that there’s even a website, hassonybeenhackedthisweek.com. This can’t be good for Sony’s reputation!

I’m thinking of moving from Windows to Ubuntu for my daily web-browsing, just to avoid these constant attacks, security patches, updates, etc.



The stopbadware.org site, together with partners such as Google, are reducing Internet crime. The question is: How much?

I like the idea of the good guys on the Internet banding together to fight the bad guys. Some major players — Google, Paypal, and Mozilla — have partnered with stopbadware.org. Until the Internet posse arrives to save us, we’ll need to help each other. I like stopbadware.org’s list of badware — programs that harm you while claiming to help you.

This is a step in the right direction. As always, I recommend that you install one antivirus and one anti-malware program on your computer. None is perfect: they all, to a greater or lesser degree, report false negatives and false positives. I usually install a couple of anti-malware programs but make sure that only one starts at startup time. I scan with the second anti-malware program maybe once a month, just as a validity check.

What do I like?

I like Microsoft Security Essentials. It’s free for personal use and scores well when compared to commercial antivirus programs. Microsoft Security Essentials is available at no charge for customers who are verified to have a copy of genuine Windows in select countries. No registration or personal information is required, only automatic verification of your genuine Windows installation.


Malware hi-jack of DNS address

A DNS hi-jack is a clever way for a bad guy to control an infected computer.

Expanded description of DNS
Domain Name System (DNS) block diagram
Illustration: Lion Kimbro

I just finished disinfecting a Windows XP computer that had been a member of a bot-net for months. As I removed layers of malware, I discovered that the computer was making DNS requests to a pair of DNS servers that are located in the Ukraine(!), rather than to the DNS servers within the owner’s ISP (Internet Service Provider). Such a setup allowed the Ukraine administrator of the DNS servers to control what domains the infected computer may and may not visit. This infected computer could visit most websites but . . . it couldn’t download Windows updates, McAfee Antivirus updates, or visit any other anti-virus or anti-malware publishers’ sites.

I’m not sure exactly how this DNS hi-jack took place, but it probably started by the user unknowingly executing a virus “dropper” program. Somehow, one of the viruses on this computer had fooled McAfee Antivirus into thinking that everything was fine, when in fact it was months out of date and was infected from head to toe.

A DNS server is like a phone book: look up a person’s name, and find their phone number. With DNS, you look up an Internet domain (such as “russbellew.com”) and receive the domain’s IP address (such as

This Windows PC’s DNS configuration has been hijacked.

On most home computers, the addresses of the DNS servers are supplied by the ISP (Internet Service Provider). On this infected PC, a malware provider had replaced these addresses with the addresses of DNS servers that are located in Ukraine. The addresses of the Ukraine DNS servers are and Here’s the whois data:

inetnum: –

netname: PROMNET-NET
descr: Promnet Ltd.
country: UA
admin-c: OV527-RIPE
tech-c: OV527-RIPE
person: Ondrej Voloshin
address: Ekaterininskaya str., 41, 65000, Odessa, Ukraine
phone: +380504414402
nic-hdl: OV527-RIPE


The DNS addresses had been changed by a piece of malware that had changed these entries in the Windows registry:

  • hklm\system\controlset001\services\tcpip\parameters#nameserver
  • hklm\system\controlset002\services\tcpip\parameters#nameserver
  • hklm\system\controlset\services\tcpip\parameters#nameserver
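Those same registry values can be audited from PowerShell. This is an added example, not code from the original post: it reads the NameServer (and DHCP-supplied DhcpNameServer) values under the Tcpip\Parameters keys listed above, with CurrentControlSet standing in for the bare “controlset” entry and the per-interface subkeys included, and flags any resolver that is not on an allow-list of DNS servers you expect. The allow-list addresses are placeholders from the RFC 5737 TEST-NET range; substitute your ISP’s (or your chosen public) resolver addresses. The function name is an assumption.

```powershell
# Added example, not from the original post. Lists every DNS server address
# Windows has stored in the Tcpip\Parameters keys that the hijacker above
# rewrote, and marks those not on an allow-list. Allow-list entries are
# placeholders (RFC 5737 TEST-NET-1); replace them with your ISP's resolvers.
$AllowedDns = @('192.0.2.53', '192.0.2.54')

# CurrentControlSet is the live control set; ControlSet001/002 are the stored copies.
$ParameterKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters',
    'HKLM:\SYSTEM\ControlSet001\Services\Tcpip\Parameters',
    'HKLM:\SYSTEM\ControlSet002\Services\Tcpip\Parameters'
)

function Get-ConfiguredDnsServer {
    param([string[]]$Key, [string[]]$Allowed)

    # Per-adapter settings live one level down, under Parameters\Interfaces\{GUID}.
    $AllKeys = foreach ($k in $Key) {
        $k
        Get-ChildItem -Path "$k\Interfaces" -ErrorAction SilentlyContinue |
            ForEach-Object { $_.PSPath }
    }

    foreach ($k in $AllKeys) {
        $Props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $Props) { continue }
        # NameServer is a static (manually set) list; DhcpNameServer came from DHCP.
        foreach ($Name in 'NameServer', 'DhcpNameServer') {
            $Value = [string]$Props.$Name
            if ([string]::IsNullOrWhiteSpace($Value)) { continue }
            # The value is a comma- or space-separated list of addresses.
            foreach ($Server in ($Value -split '[ ,]+' | Where-Object { $_ })) {
                $Status = if ($Allowed -contains $Server) { 'expected' } else { 'UNEXPECTED' }
                [pscustomobject]@{
                    Key    = ($k -replace '^.*::', '')   # strip the provider prefix from PSPath
                    Value  = $Name
                    Server = $Server
                    Status = $Status
                }
            }
        }
    }
}

Get-ConfiguredDnsServer -Key $ParameterKeys -Allowed $AllowedDns | Format-Table -AutoSize
```

Any UNEXPECTED row on a machine that is supposed to get its resolvers from the ISP is worth explaining before you trust that machine’s name lookups.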

The implications of a DNS hi-jack are profound: the hi-jacker could put up fake websites such as http://www.bankofamerica.com (residing on his own IP address) and redirect infected clients to this bogus website, where it could capture account numbers and passwords. Another ploy could be to put up a phony http://www.bankofamerica.com site and use iframes to embed the real http://www.bankofamerica.com within it. Then just capture packets between the infected computer and the genuine http://www.bankofamerica.com. And, of course, prevent the targeted user from visiting any sites that the hi-jacker wished to exclude.

If you missed it, read “See how easy it is to launch your own infection.” below, or just watch Symantec’s video that shows how easily a botnet master may control his/her botnet-infected computers . . . across the globe.


Brace for attack from ransomware.

A new form of Ransomware appears.


Just what we needed: ANOTHER form of malware! This one has been called the porn virus.

A new trojan horse has appeared, from Japan. It masquerades as a game installation program, then grabs the target computer’s web browsing history, publishes it on its own website, and demands a payment to remove the browser history from that website. The BBC has done a good job of describing this example of ransomware, as well as ransomware associated with Koobface and Zeus (both are very bad news): http://news.bbc.co.uk/2/hi/8622665.stm.

SecurityTool makes your PC INsecure

Secure Tool screenshot

This Trojan Horse seems to be helping you defend against infections. Unfortunately, it’s an infection that’s trying to steal your money.


I’ve recently encountered a Trojan Horse program called SecurityTool that has a very convincing friendly facade. When I first saw it, I thought that it was a legitimate antivirus program / firewall, similar to Norton 360. It seems to scan your PC and discover infections. It disables all user programs except itself “for your protection” and hijacks the web browser to point the user to a web page where it attempts to have the user buy a program that will “fix” his/her computer. It’s essentially ransomware. Please don’t enter your credit card number when this program is active — who knows who will then capture your credit card info?!

It looks like this originated from the same evil geniuses who created PC Antispyware 2010: http://russbellew.spaces.live.com/Blog/cns!D5F86162D2CCCC87!495.entry

Here are simple instructions to remove SecurityTool: http://www.2-spyware.com/remove-security-tool.html. I’ve found that the folder that contains the SecurityTool executable may have a different name than the one referred to within the article. You may have luck discovering its folder’s name by booting into Safe Mode (press F8 at startup) and running msconfig.exe to examine the startup group. The SecurityTool executable file is easily identifiable because it will probably be the only startup group executable file that’s located in a subdirectory beneath Documents and Settings.

I’ve used a different removal procedure. I physically remove the infected PC’s hard drive, temporarily hang that hard drive as a slave from a known clean PC, and then (step 1) use the clean PC to scan the infected hard drive. AVG 8.5 will detect and remove the offending executable files. This method treats the registry as just another set of files, so after returning the hard drive to the infected PC, you’ll need to scan it. When you’re done, you will probably be left with a vestigial item in the startup group. To avoid this, note what was removed in step 1 and remove any reference to it within the startup group. (Use either msconfig.exe or SpyBot Search & Destroy in Advanced / Tools / Startup to do this.)
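The “executable beneath Documents and Settings” clue above can be checked without clicking through msconfig. This is an added example, not code from the original post: a PowerShell script that walks the Run and RunOnce keys for the machine and the current user, pulls the program path out of each command line, and marks entries whose program lives under a user-profile directory (C:\Documents and Settings on XP, C:\Users on later Windows; both assumed), where legitimate startup programs rarely live. Function names are assumptions.

```powershell
# Added example, not from the original post. Lists startup programs from the
# Run/RunOnce registry keys and flags those whose executable sits under a
# user-profile directory, the tell-tale the article describes. Profile roots
# are assumptions (XP vs. later Windows); adjust for your system.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ProfileRoots = @('C:\Documents and Settings', 'C:\Users')

# Properties Get-ItemProperty adds that are not registry values.
$MetaProperties = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Pulls the program path out of a startup command line, quoted or not.
# (An unquoted path containing spaces is cut at the first space.)
function Get-StartupExecutable {
    param([string]$CommandLine)
    $Path = if ($CommandLine -match '^\s*"([^"]+)"') { $Matches[1] } else { ($CommandLine.Trim() -split '\s+')[0] }
    [System.Environment]::ExpandEnvironmentVariables($Path)
}

function Get-StartupEntry {
    param([string[]]$Key, [string[]]$Root)
    foreach ($k in $Key) {
        $Props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $Props) { continue }
        foreach ($p in $Props.PSObject.Properties) {
            if ($MetaProperties -contains $p.Name) { continue }
            $Exe = Get-StartupExecutable -CommandLine ([string]$p.Value)
            $UnderProfile = [bool]($Root | Where-Object { $Exe -like "$_\*" })
            [pscustomobject]@{
                Key          = $k
                Name         = $p.Name
                Executable   = $Exe
                UnderProfile = $UnderProfile
            }
        }
    }
}

Get-StartupEntry -Key $RunKeys -Root $ProfileRoots |
    Sort-Object UnderProfile -Descending |
    Format-Table -AutoSize
```

Entries with UnderProfile set to True are the ones to look at first; a legitimate program can live there too, so check the file before deleting its startup entry.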

Increasingly, I find myself routinely removing infected hard drives from victims’ PCs to scan them on clean PCs. Otherwise, I’m trying to clean an infected PC with an infected PC.



See how easy it is to launch your own infection.

Watch the video

I’m amazed at how easy the Zeus crimeware toolkit is to use . . . and how much control of infected computers it allows, as demonstrated in this well-done video: http://www.symantec.com/tv/products/details.jsp?vid=85242653001 Hats off to Symantec for producing this. (Zeus is a bear to detect and remove from an infected computer!)

If your computer is unprotected, you may wish to download and install Microsoft’s brand new Security Essentials (released 29 Sept): www.microsoft.com/security_essentials/ It’s free for personal (not business) use. The beta version received glowing reports (http://russbellew.spaces.live.com/blog/cns!D5F86162D2CCCC87!463.entry).

Ask Google what malware it’s found on any website

Detail from “The Procession of the Trojan Horse in Troy” by Giovanni Domenico Tiepolo, who died in 1804.
You can ask Google if it has detected malware or similar problems on any website.
For starters, click the following URL:
Here’s what Google reported about myspace.com a few minutes ago:
What happened when Google visited this site?
Of the 31916 pages we tested on the site over the past 90 days, 72 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-09-17, and the last time suspicious content was found on this site was on 2009-09-17.
Malicious software includes 77 scripting exploit(s), 5 trojan(s), 1 worm(s).
Malicious software is hosted on 45 domain(s), including <deleted>.
31 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including
This site was hosted on 29 network(s) including <deleted>.
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, myspace.com appeared to function as an intermediary for the infection of 1 site(s)  . . .


You can test Google’s safe browsing analyzer on other sites by, within your browser’s address bar, changing myspace.com to another site of interest.
Recent articles about Facebook and Myspace dangers:
Thanks to Steve Gibson’s latest Security Now! podcast for this tip.