Fear As A Weapon To Get You To Open Infected Zip Files

This kind of email, while not delivered in person, is as much a social engineering attack as the unknown tech who shows up unannounced saying they are there to repair your copier but is really there to gain unauthorized onsite access to your network.

The desired outcome is the same - access!  Their weapon is social engineering, cunningly forcing the person in front of them to suspend doubt and allow them access to the building (in the case of the copier repairman) or access to launch an attack on the company's network (in the case of the zip file).

The response to this email is natural: what do you mean my account was declined?!?

And before common sense kicks in, the zip is opened, the files are extracted, and wham, the malicious content of the zip file is let loose on your company's network.

Rules for the new world of infected Zips:

  • If you are presented with a Zip that you were not expecting, do not open it until you are able to verify its legitimacy.
  • If an employee comes to you and tells you they have opened a Zip that did not contain what it was expected to contain, or that appeared to contain a file that would not open or nothing at all, immediately turn that computer off and call your tech support.
  • If you find yourself face to face with one of the now numerous Ransomware screens demanding money for your data, call in an expert like Top Speed.  Not all hope is lost; depending on a number of factors your company may not need to pay the criminals.

Depending on the Ransomware variant there are options that may be available in your situation.  And if you are running an Enterprise Backup Solution, where multiple versions of files are backed up, recreating a short amount of work is likely to be far more cost effective than converting USD into Bitcoins and paying the ransom.


Malicious Email Disguised as Microsoft Volume Licensing

This email appears perfectly legitimate, although its consequences could be devastating to a business!

Most businesses use some version of Microsoft and are aware of licensing requirements, even when they don't know the specifics of their licenses.  So when an email arrives appearing to be from Microsoft's Volume Licensing Service Center and it is properly addressed to the business owner or other correct recipient within the company, most are likely to view it as legitimately from Microsoft.

Take a look at the example of this scam below.  All the company and owner specifics are correct (yes, we redacted the actual business information), and as this company uses Microsoft products the owner immediately thought - I had better figure out what this is all about.

Adding to the legitimacy of this email, in the case of this business owner, is that they are in the process of an expansion and are actively acquiring hardware and software, including some Microsoft products.

So what happens when the unsuspecting victim clicks on the link?  That's where this ruse gets even more convincing.  Upon clicking the link two things happen.

First, a web browser does indeed open the main page of the Microsoft Volume Licensing Service Center.  Well, that definitely looks right.


Second, a prompt to download and save a file also opens. The prompt is right next to the Microsoft page, so this is clearly a download from Microsoft.  Except it's not.  The download is a zip file.  As we've said over and over and over: if you aren't expecting a zip file, don't save it and absolutely don't open it.

"But I thought it was from Microsoft..."

Once the zip is extracted and the program file is run, it pretends to be a Screen Saver, which is an interesting choice.  With monitors just going to sleep these days fewer and fewer people use screen savers, so it's planting the infection in an unused portion of most people's computers.

While we didn't take the testing further, and the link in this email has been taken down preventing further testing, the download came from a Polish domain and is likely either a variant of the Dyre Malware, which has previously been noted to hide as a screen saver, or another delivery method for one of the numerous versions of ransomware currently causing trouble all across the Internet.

The lesson here is the importance of vigilance. Hovering over the link before clicking shows it goes to a .pl (Polish) domain, and right there, no matter how good the email looks, it's obviously fake. And the moment you're prompted to do anything with a zip file you weren't expecting, either just delete it or, if you believe the sender is legitimate, call or email them to verify the zip before extracting.
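
The "hover over the link" check above can be automated for a whole HTML message. The following is an added example written for this post, not code from the original; the expected domain for Microsoft, the claimed-sender label, and the .pl hostname in the sample email are all constructed assumptions.

```python
"""Flag links in an HTML email whose target host does not belong to the
sender the message claims to be from (added example, not from the original
post). Run it as a script to see the constructed sample checked."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the claimed sender is expected to link to. Assumption for this
# example: a genuine Volume Licensing notice links under microsoft.com.
EXPECTED_DOMAINS = {"microsoft": ("microsoft.com",)}


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def in_domain(host, domain):
    """True only for the domain itself or a subdomain, so a host such as
    microsoft.com.example.pl does not pass."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, claimed_sender):
    """Return (text, href, reason) for each link whose host is outside the
    claimed sender's domains; note when the link text itself names the
    sender, the 'looks like Microsoft, goes to .pl' pattern above."""
    expected = EXPECTED_DOMAINS[claimed_sender]
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = host_of(href)
        if any(in_domain(host, d) for d in expected):
            continue
        reason = f"host {host!r} is not under {expected}"
        if claimed_sender in text.lower():
            reason += "; link text names the claimed sender"
        findings.append((text, href, reason))
    return findings


# Constructed sample modelled on the licensing email described above. The
# .pl hostname is a placeholder for this example, not a real site.
SAMPLE_EMAIL = """<html><body>
<p>Your Microsoft Volume Licensing agreement has been updated.</p>
<a href="https://vlsc-notice.example.pl/agreement.zip">Microsoft Volume Licensing Service Center</a>
<a href="https://www.microsoft.com/licensing/servicecenter/">Licensing FAQ</a>
</body></html>"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_EMAIL, "microsoft"):
        print(f"SUSPICIOUS: '{text}' -> {href} ({reason})")
```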


Do You Know What Malvertising Is?

We've all become accustomed to seeing ads on websites.  Some sites are slowed down as ads continually load on multiple sides.  This is most evident on sites our kids frequent and frequently complain about, like Cool Math Games.  The continual loading of new ads causes the all too frequent "Dad the website's frozen again!!!"

Most Internet users are aware that ads fit into two main categories.  The first comes from our own Internet history.  Did you just look up swimming suits?  Well now you're being served ads for places selling swimming wear.  The second are ads being pushed so hard you feel like you're seeing them everywhere - sometimes twice on the same page, such as the Prominence Health Plan ad being served twice, right next to each other, on the Cool Math Games pages, see the attached image.  We get it, you want to sell health insurance, but these ads are beyond annoying.

There is also a third kind of ad that is taking on a life of its own, and its effects are far worse than causing irritation.  Malvertising could be infecting a site you regularly visit.

In the last two weeks multiple sites have been found to be serving malvertising ads, which cause malware infections on the user's computer.  The specific infection being seen is in the Kovter Trojan executable family, which, once installed, connects to a Command-and-Control server, after which the computer can be exploited in any number of ways.

The most recent infected ads have been served via the AOL Ad-Network, advertising.com.  Below is a list of sites known to have served the malvertising:

  • huffingtonpost.ca
  • huffingtonpost.com
  • mandatory.com
  • laweekly.com
  • gooddrama.net
  • fhm.com
  • thewmurchannel.com
  • buzzlie.com
  • mojosavings.com
  • houstonpress.com
  • soapcentral.com
  • theindychannel.com
  • gamezone.com
  • weatherbug.com

After clicking on the infected ad the user is redirected through multiple sites, finally ending up on Polish websites (domain country code .pl).  From Cyphort, here is the breakdown of the redirection chain from huffingtonpost.com.


You also might occasionally see an ad that isn't being served, see below.  This tends to slow the website even further as the ad attempts to load or errors out.  This is also sometimes a result of virus protection blocking a particular ad it knows contains something malicious.

Typically if you're in need of a certain service we recommend avoiding clicking on those flashy ads.  Rather, do your own search and avoid whatever might infect your computer when you thought you were just getting an insurance quote.



First WireLurker - Now Masque Attack


Reports are out on another even more dangerous iOS malware in the wild - Masque Attack.

Masque Attack shows that Apple's ban of the WireLurker infected apps has been ineffective, as Masque Attack is utilizing the same provisioning loophole that WireLurker used. The vulnerability exists because iOS doesn't enforce matching certificates for apps with the same identifier.

Apple unfortunately has a history of being slow to patch security flaws, so the fact that this loophole has yet to be patched is not surprising.  The real question is how many more copycat infections will be out there before Apple does get the patch released...

WireLurker required the user to download the infected app to their computer and then attach their iOS device via USB to infect the iOS device. Masque Attack skips that overly complicated step and infects iPhones and iPads when the user visits an infected webpage and agrees to install a new app. So there is a moment where the user could say no to that new app and stay safe, but...

The Masque Attack infected app can replace any app on the iPhone or iPad, excluding those pre-installed by Apple. This includes banking, email or any other third party app. Once the user inputs their credentials into the replaced app the information is sent to the malware's creators.

Now here's the kicker to Masque Attack, and this one really should irritate you: security firm FireEye reported the discovery of this malware to Apple on July 26th.  Three months plus and no patch.  According to FireEye the latest iOS, 8.1.1, which is in beta, is still vulnerable.

One surprising "feature" FireEye discovered is that the infected replacement apps could get access to the data from the original apps.  In one of their tests, FireEye "used an in-house app with a bundle identifier 'com.google.Gmail' with a title 'New Flappy Bird'." When FireEye "installed this app from a website, it replaced the original Gmail app on the phone."  And just like that your iOS device is infected.  See below for the image and details showing how FireEye tested this malware.

Images from FireEye Masque Attack Experiment

Details from FireEye - "Figure 1 illustrates this process. Figure 1(a) (b) show the genuine Gmail app installed on the device with 22 unread emails. Figure 1(c) shows that the victim was lured to install an in-house app called “New Flappy Bird” from a website. Note that “New Flappy Bird” is the title for this app and the attacker can set it to an arbitrary value when preparing this app. However, this app has a bundle identifier “com.google.Gmail”.

After the victim clicks “Install”, Figure 1(d) shows the in-house app was replacing the original Gmail app during the installation. Figure 1(e) shows that the original Gmail app was replaced by the in-house app. After installation, when opening the new “Gmail” app, the user will be automatically logged in with almost the same UI except for a small text box at the top saying “yes, you are pwned” which we designed to easily illustrate the attack. Attackers won’t show such courtesy in real world attacks."

You have to love the extra bit of humor FireEye showed in their test.  "yes, you are pwned"  :)
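
To make the loophole concrete, here is an added example written for this post (a simplified model, not iOS code or anything from FireEye) that replays their experiment against two install policies: one that keys on the bundle identifier alone, as described above, and one that also binds replacement to the original signing identity. The signer names, the "signer" field itself and the per-app data store are constructed assumptions of the model.

```python
"""Model of the app-replacement check behind Masque Attack (added example;
a simplified model written for this page, not iOS code). The vulnerable
installer keys purely on the bundle identifier; the hardened one also
requires the replacing app to be signed by the same identity as the app
already installed. Per-app data is keyed by bundle id, which is why the
replacement inherits the original's data."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class App:
    bundle_id: str          # e.g. "com.google.Gmail"
    title: str              # display name; attacker-chosen for in-house apps
    signer: str             # signing identity; an assumed field for this model
    preinstalled: bool = False


@dataclass
class Device:
    apps: dict = field(default_factory=dict)   # bundle_id -> App
    data: dict = field(default_factory=dict)   # bundle_id -> app data

    def install_identifier_only(self, new: App) -> bool:
        """Vulnerable policy: any app with a matching bundle id replaces the
        existing one, whoever signed it (the loophole described above)."""
        existing = self.apps.get(new.bundle_id)
        if existing is not None and existing.preinstalled:
            return False        # Apple's own apps are excluded, as noted above
        self.apps[new.bundle_id] = new
        return True

    def install_signer_bound(self, new: App) -> bool:
        """Hardened policy: replacing an installed app also requires the same
        signing identity, so a bundle-id collision alone is not enough."""
        existing = self.apps.get(new.bundle_id)
        if existing is not None:
            if existing.preinstalled or existing.signer != new.signer:
                return False
        self.apps[new.bundle_id] = new
        return True

    def data_visible_to(self, bundle_id):
        """Whatever app now owns the bundle id reads the data stored under it."""
        return self.data.get(bundle_id, {})


def masque_scenario(policy_name: str):
    """Replay FireEye's experiment against one install policy. Returns
    (install accepted?, title of the app answering to the Gmail bundle id,
    the data that app can read). Signer names are constructed."""
    device = Device()
    device.apps["com.google.Gmail"] = App("com.google.Gmail", "Gmail", "store-signed-google")
    device.data["com.google.Gmail"] = {"unread": 22}   # the 22 unread emails in Figure 1
    device.apps["com.apple.mobilemail"] = App("com.apple.mobilemail", "Mail", "apple", preinstalled=True)
    # In-house app reusing Gmail's bundle id under an arbitrary title.
    lure = App("com.google.Gmail", "New Flappy Bird", "enterprise-cert-attacker")
    accepted = getattr(device, policy_name)(lure)
    owner = device.apps["com.google.Gmail"]
    return accepted, owner.title, device.data_visible_to("com.google.Gmail")
```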

The same preventative measures hold true from WireLurker to Masque Attack:

  • Don't install apps from third-party app stores
  • Don't click "Install" from any popups found on webpages
  • If you ever have "Untrusted App Developer" appear, click "Don't Trust" and either abort the install or uninstall that app immediately

The Hits Keep Coming To Apple's iOS


Another bit of malware, named WireLurker, has been discovered targeting iPhones and iPads.

iPhones and iPads are infected when the device is connected through USB to a Mac computer onto which an infected OS X app has been downloaded. The source of the infection is reported to be third-party OS X apps in the Maiyadi App Store in China.  For the time being most of the reports of infection are located in China.  Apple devices are at risk whether they've been jailbroken or not.

Security firm Palo Alto Networks researcher Claud Xiao has said this "heralds a new era in malware attacking Apple's desktop and mobile platform" and is "the biggest in scale we have ever seen."

The larger the Apple market share, the more attractive Apple becomes as a target for cyber criminals.

Palo Alto Networks says the infected WireLurker apps have been downloaded over 356,000 times to OS X computers; how many of those computers have attached via USB to an iPhone or iPad is unclear.  Once infected, the malware has the capability of stealing "a variety of information" from the mobile device.

The recommendation is the same for iOS or Android: don't download from third-party app stores.

If nothing else, this malware is a proof of concept for malware / virus developers that Apple devices are not impenetrable.


Dairy Queen Hit By Same Malware That Hit Target and The UPS Stores

Malware named Backoff has been found on Dairy Queen Point of Sale computers in numerous states, including Nevada.  The states with known infections are Alaska, Alabama, Arkansas, Arizona, California, Colorado, Connecticut, Delaware, Florida, Georgia, Iowa, Idaho, Indiana, Illinois, Kansas, Kentucky, Massachusetts, Maryland, Maine, Michigan, Minnesota, Missouri, Mississippi, Montana, North Carolina, North Dakota, Nebraska, New Hampshire, New Jersey, New Mexico, Nevada, New York, Ohio, Oklahoma, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Washington, Wisconsin, West Virginia and Wyoming.

In case you're keeping count, that's only Hawaii, Rhode Island, Louisiana, and Vermont without known Backoff infections.  This does not mean that every Dairy Queen in these states has been infected; for instance, there are only two locations with known infections in Nevada, both in Las Vegas.  Click here for a full list of affected Dairy Queens.

Most Dairy Queen locations are independent franchises and at the time of the malware detection Dairy Queen did not have a policy requiring the independent franchises to notify Dairy Queen corporate of the breach.  It is likely after these incidents Dairy Queen will put this kind of policy in place.  As a result there may still be additional Dairy Queens that have the Backoff malware, but have not yet disclosed that information.

Julie Conroy of Aite Group told KrebsOnSecurity, "This goes back to the eternal challenge with all small merchants, where the mother ship is huge, each of the individual establishments are essentially mom-and-pop stores, and a lot of these stores still don't think they are a target for this type of fraud. By extension, the mother ship is focused on herding a bunch of cats in the form of thousands of franchisees, and they're not thinking that all of these stores are targets for cybercriminals and that they should have some sort of company-wide policy about it. In fact, franchised brands that have that sort of policy in place are far more the exception than the rule."

Most people are familiar with the Target, UPS Store, or Supervalu breaches, either because you've received a replacement credit card in the mail or from news coverage, but how does this malware work and why are we continuing to see new infections and breaches?

First, while we call it by a single name, Backoff has multiple variants, each new variant trying to make it so that Anti-Virus software won't detect and thereby block it.  Second, as Julie Conroy said, smaller companies often don't believe themselves vulnerable to attacks like Backoff and either aren't running a quality anti-virus or aren't keeping their anti-virus up-to-date.

Either of those choices can have disastrous consequences.  Backoff infections are multiplying at an alarming rate: in July 2014 SC Info Security News Magazine reported that "Nearly 600 U.S. businesses compromised by 'Backoff' POS malware," and by the end of August the Wall Street Journal reported, "More than 1,000 businesses affected by 'Backoff' malware."  If you count each Dairy Queen as a separate business, they account for over 400 infections alone.

Backoff is installed on Point of Sale terminals typically by attackers compromising the remote access tools that allow users to connect to the computers via the Internet; often the compromise is the result of the remote access account having a weak or easy to guess password.

(See our article on password security.)

Once access is gained, Backoff works as a simple backdoor Trojan that installs itself as a service that starts after boot, allowing it to survive a reboot.  After it's installed, Backoff opens port 80 and waits for instructions from the command and control server.  Backoff also cleverly hides itself by pretending to be an Adobe Flash Player update in the system registry.

What can small businesses do to protect themselves and their customers?  Most of it comes down to putting the right processes and protection in place, and from there it's about network vigilance.  One giveaway that someone monitoring your network should catch would be port 80 being open; this would be unusual for a Point of Sale system unless a particular piece of software required it, and in that case the person or company overseeing your network would keep note of any possible security concerns that could arise.
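
The two giveaways just described, an unexpected listening port and a registry autorun posing as an Adobe Flash Player update, can be checked from the terminal itself. The following is an added example written for this article, not code from the original; the port baseline, the trusted Adobe directories, the netstat output and the Run-key entries are all constructed assumptions.

```python
"""Two checks for the Backoff giveaways described above (added example, not
from the original article): a listening port a POS terminal should not have,
and an autorun entry masquerading as an Adobe Flash Player update."""
import re

# Listening ports a POS terminal is allowed to have. Assumption for this
# example: only RDP, for the vendor's remote support.
POS_LISTEN_BASELINE = {3389}

# Constructed 'netstat -ano' output in Windows format, not a real capture.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1744
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       932
  TCP    192.168.10.21:49712    203.0.113.7:443        ESTABLISHED     1744
  TCP    [::]:3389              [::]:0                 LISTENING       932
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def unexpected_listeners(netstat_text, baseline=POS_LISTEN_BASELINE):
    """Return {port: pid} for LISTENING TCP sockets outside the baseline;
    port 80 on a POS terminal is exactly the giveaway mentioned above."""
    found = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            port, pid = int(m.group(2)), int(m.group(3))
            if port not in baseline:
                found[port] = pid
    return found


# Constructed Run-key entries (value name, command) as an administrator
# would read them from HKLM\Software\Microsoft\Windows\CurrentVersion\Run;
# the paths and names are invented for this example.
RUN_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("Adobe Flash Player Updater",
     r"C:\Users\pos\AppData\Roaming\AdobeFlashPlayer\mswinsvc.exe"),
]

# Directories a genuine Adobe component would run from; an assumption for
# this example, to be adjusted to the build actually deployed.
TRUSTED_ADOBE_DIRS = ("c:/program files/", "c:/program files (x86)/",
                      "c:/windows/system32/macromed/")


def masquerading_autoruns(entries):
    """Flag entries whose name claims Adobe or Flash but whose executable
    lives outside the trusted program directories (e.g. a user profile)."""
    hits = []
    for name, command in entries:
        claims_adobe = re.search(r"adobe|flash", name, re.I) is not None
        path = command.lower().strip('"').replace("\\", "/")
        if claims_adobe and not path.startswith(TRUSTED_ADOBE_DIRS):
            hits.append((name, command))
    return hits
```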

If you're in Northern Nevada and have questions or concerns about the vulnerability of your business's Point of Sale system, give Top Speed Computer Service a call and we'll come out and do an evaluation.  775-852-4333


There's No Such Thing As Free Wifi

"There's no such thing as a free lunch" is as true today as when it was first written in the 1930s, and in its likely origin, the once common practice of saloons in America offering a "free" lunch to any patron who purchased at least one drink.

Today, you can take that adage and attach it to a number of scenarios in technology.  There's no such thing as free email. There's no such thing as free software. And the one we're talking about now - There's no such thing as free wifi.

We'll skip the obvious part about how you paid for the hotel room with "free" or complimentary wifi, or the Starbucks you purchased to sit and enjoy as you use their "free" wifi, or the "free" wifi now available when you walk through any number of retail stores like Target. Instead we're going to talk about something many people consider much more insidious - Adware injected into webpages on "free" wifi networks.

In 2012 Justin Watt was staying at a Courtyard Marriott in New York. Justin happens to be a web developer and as such is a bit more savvy about what he's seeing on the screen than your average web surfer. When Justin went to use the "free" wifi to access his blog he noticed a colored bar at the top of his page that shouldn't be there. His curiosity was piqued and he viewed the source code for part of the site and, "Sure enough I saw some unfamiliar CSS (including the prefix rxg) and JavaScript that had been injected after the <head> tag." Justin goes on to say in his blog, "And I found some unfamiliar JavaScript after the <body> tag."

Justin was immediately concerned his site had been hacked and began digging through his core files. Everywhere he checked his site was intact and unharmed. After much testing and eliminating possibilities Justin determined, "somewhere between the Internet and my computer, someone is injecting JavaScript into EVERY SINGLE PAGE I LOAD."

Justin did not see this as the final answer, rather the next place to look. Using a utility that unpacks packed JavaScript, he was able to determine that the primary purpose of this JavaScript injection was ad injection / ad takeover, in other words forcing unwanted ads upon the unsuspecting "free" wifi user.
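
The comparison Justin did by hand (viewing the source and spotting elements that shouldn't be there) can be automated: fetch the page over a connection you trust, fetch it again over the "free" wifi, and list what only the second copy contains. The following is an added example written for this post, not code from Justin Watt's blog; the two sample pages and the injected rxg-prefixed stylesheet and script are constructed.

```python
"""Detect content injected into a page in transit, as in the rXg case
above (added example written for this page, not code from Justin Watt's
post). It compares the page as received on an untrusted network with a
reference copy fetched over a path you trust and lists the <script>,
<style> and <link> elements only the received copy contains, with the
section (head or body) each was inserted into."""
from html.parser import HTMLParser

INJECTABLE = ("script", "style", "link")


class ElementIndex(HTMLParser):
    """Record every script/style/link element: tag, attributes, text body
    and whether it sits in <head> or <body>."""

    def __init__(self):
        super().__init__()
        self.elements = []
        self._section = None
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag in ("head", "body"):
            self._section = tag
        if tag in INJECTABLE:
            self._open = {"tag": tag, "attrs": tuple(sorted(attrs)),
                          "body": "", "section": self._section}
            if tag == "link":              # void element, no end tag follows
                self.elements.append(self._open)
                self._open = None

    def handle_data(self, data):           # script/style content arrives here
        if self._open is not None:
            self._open["body"] += data

    def handle_endtag(self, tag):
        if self._open is not None and tag == self._open["tag"]:
            self.elements.append(self._open)
            self._open = None


def fingerprint(el):
    return (el["tag"], el["attrs"], el["body"].strip())


def injected_elements(reference_html, received_html):
    """Elements present in the received page but absent from the reference."""
    ref, got = ElementIndex(), ElementIndex()
    ref.feed(reference_html)
    got.feed(received_html)
    known = {fingerprint(e) for e in ref.elements}
    return [e for e in got.elements if fingerprint(e) not in known]


# Constructed sample: a reference page, and the same page with a stylesheet
# and a script inserted after <head> and <body>, using the "rxg" prefix
# from the post above. The injected contents are placeholders.
REFERENCE = """<html><head><title>blog</title>
<link rel="stylesheet" href="/site.css"></head>
<body><h1>Post</h1><script src="/site.js"></script></body></html>"""
RECEIVED = """<html><head><style>.rxg_banner{height:40px}</style><title>blog</title>
<link rel="stylesheet" href="/site.css"></head>
<body><script>var rxg_inject=1;</script>
<h1>Post</h1><script src="/site.js"></script></body></html>"""


def report(reference_html=REFERENCE, received_html=RECEIVED):
    """(tag, section, body-or-src) for each injected element, in page order."""
    return [(e["tag"], e["section"],
             (e["body"].strip() or dict(e["attrs"]).get("src", "")))
            for e in injected_elements(reference_html, received_html)]
```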

The next question, at least for anyone technically inclined, was had the hotel's wifi been hacked or was there something more malicious at work?  Could the hotel's ISP be involved?  Had the hotel itself brought in this technology to influence guests? Justin was also concerned about who could be notified, who would care about this invasion?

Computer companies spend a great deal of time removing Adware from computers and as a result users spend a great deal of money paying to have Adware, Malware, Viruses and Ransomware removed from their computers. But this is the cost of being online; the Internet is crawling with things we don't want on our computer and we'd like to believe that when using "free" wifi the company providing it has our best interests at heart and has put security in place to keep our systems safe.  Sadly that's not always the case.

Back to that odd prefix "rxg": this is how Justin was able to get to the bottom of the injected JavaScript, with the help of one of his blog readers.  It turned out that "rxg" was short for Revenue eXtraction Gateway, made by a Nevada company, RG Nets.

From RG Nets' site, "...the rXg is the perfect platform for clear communication, authoritative control and complete cognizance over your RGN end-user population."  If that doesn't make you wary of ever using "free" wifi again I don't know what will.  RG Nets' site goes on to say, "...profitable IP RGNs extract revenue from the end-user community through a combination of direct and indirect mechanisms."

A demo video is available on RG Nets' site. A portion of the video transcript: "As you can see the pervasive nature of the advertising banner on all webpages guarantees banner advertising impressions. The RGNets rXg HTML payload rewriting feature is a tremendously powerful tool, with a broad spectrum of applications for Internet marketing programs."  YIKES!

For anyone traveling through Atlanta's International Airport, it is listed as an RG Nets rXg success story, so be wary of what you see on your screen with that "free" wifi.  A local Nevada success story is the Peppermill Hotel & Casino, where the rXg is "...used to advertise resort amenities, restaurants, gaming specials and events." At the Peppermill the rXg is also used to charge for different levels of access, including casino patron, convention attendee or exhibitor, and overnight guest access.

While the Marriott came out shortly after Justin posted his blog and said, "...this functionality has now been disabled," this episode does not appear to have harmed RG Nets, although it appears that to purchase an rXg you must now contact them directly through a contact page on their website.

Screenshots from an RG Nets online brochure.



Not A Good Week To Own A Mac

On the heels of the ShellShock (aka Bash) disclosure, and the news that Mac OS X is included in the list of vulnerable operating systems, comes word that hackers are using Reddit to connect Macs to a Botnet.

First, let's start with what a Botnet is.  A botnet is a collection of programs interconnected via the Internet, communicating with other similar programs in order to perform tasks. When the program is installed on numerous computers, those programs depend on instructions from the command and control server they are connected to for information on tasks to be performed. They can be connected together by the command and control server to create a spam bot, where machines are brought together to send unwanted or malicious emails, or, as another example, a botnet can be used in a DDoS (distributed denial of service) attack, often against a government body or corporation.

Cyber criminals have developed a malware, dubbed Mac.BackDoor.iWorm, using C++ and Lua to open a backdoor into Mac OS X machines. When the malware is launched it saves its configuration in a separate file and attempts to read the /Library directory, then uses system queries to determine the home directory of the Mac OS X account under which it is running; it then writes the data needed for it to continue to operate into this file.  Next, Mac.BackDoor.iWorm opens a port on the computer, sends a request to a remote site for a list of control servers, connects to the remote servers and then waits for instructions.


Reddit comes into play because Mac.BackDoor.iWorm uses the search service at reddit.com to return results listing botnet C&C servers and ports, published by the cyber criminals in comments posted to minecraftserverlists under the account vtnhiaovyd. The malware, now a bot, picks a random server from the list to connect to. When the bot successfully connects to the server, it sends information about the open port on the machine it has infected as well as a unique ID for that machine that was created as part of the configuration when it installed.

Now that machine waits for instructions from the Command and Control Server. As of the latest reports there is no evidence that these bots have received any instructions. Information obtained by Doctor Web researchers showed 17,658 computers had been infected by the malware and were part of the botnet as of September 26, 2014; a week later there are no available statistics for additional infected Macs. Of those infected, over a quarter are in the US.

For anyone who continues to believe that Macs are safe and unaffected by viruses and malware, let this week be a wake up call.  Previously Macs have been a less frequent target not due to their security, but due to their smaller market share.  The more Macs on the market the more cyber criminals will be targeting them.


Contact us

Phone: (775) 852-1811

Toll Free: (866) 511-1331

Fax: (775) 852-1844

Email: info@tsis.net

Physical Address:

800 South Meadows Parkway

Suite 600

Reno, NV 89521
