The only consolation for Microsoft after losing this battle is the numbers. Android did not win by a huge margin. Android’s share of the market is 37,93%, while Microsoft is just barely behind with 37,91%. Judging by the facts provided in the report there are several main reasons to back up Android’s success. Asia’s influence on the global market, decaying popularity of PC, and increasing numbers of smartphone sales. But if we go back to desktops – there is no surprise that Windows holds its positions firmly. Mac and Linux are just following the leader. Affordable prices and easy operation make smartphones on Android the people’s choice. Nevertheless, this platform has it obvious minuses: limited access to MS Office functions, low-data processing capacity, high power usage, etc.

However, there is one major issue with Android we want to stress on in this article. When you compare Android and Windows statistics regarding cyber security, you will see how the first fall far behind. You cannot stay on top of the charts without dealing with major security flaws and exploits in your system. Otherwise, your dedicated users will be an easy target for scammers of all sorts and ransomware developers as well. You have probably heard about malicious software that has struck fear into the hearts of Android users all over the world, have not you?

Cyber criminals are not leaving attempts to improve their malware for the most popular OS willingly, you know. Some Chinese companies have been caught red-handed in installing spyware and malware in cheap smartphones for US and EU markets. In addition to that, Android is still almost defenseless against ads-injected Trojans. We’re not talking just about annoying advertisements but also about spyware which transmit user’s personal info to remote servers. Another big problem with Android’s security is limited antivirus usability due to some algorithms being incompatible with the operating system. Having no anti-malware protection Android users can only rely on their vigilance and awareness.

The post Windows is no longer the most popular OS appeared first on RemovalBits.com.

According to latest reports, this ransomware has a name – OSX/Filecoder.E. Research done by analysts and various cybersecurity experts indicates that the virus is not distributed by email spamming. It is designed to infiltrate the system when the user is trying to download something via BitTorrent pages.

In case you’re downloading something using p2p (peer-to-peer) technology, then your device might have caught some suspicious applications. In addition to that, downloading anything from torrents is akin to playing Russian roulette since it is so easy to trick an unsuspecting or inattentive user into installing something harmful instead of helpful.

In this particular scenario, fake installers downloaded by the user open a loophole for the OSX/Filecoder.E to sneak in. After the installation of the program is complete, the user is asked to apply a «crack» by clicking on the bundled executable file. This way you are making all preparations inviting the virus to do his devious job. When installation circle is complete, the ransomware starts scanning the data on the infected device (on hard drives, network drives, and external ones too). Most valuable information gets encrypted with a public key, so you are going to need a private key to restore your files later. Hackers offer you to pay a ransom – all the details are written in the README!.txt files appearing in random folders.

The creators of OSX/Filecoder.E ransomware virus will charge 0.25 Bitcoin (approximately $292) for their decryption services. If the user is willing to speed up the process – he or she can pay 0.45 Bitcoins (~$526). In this case, all corrupted files will be restored in 10 minutes. At least that is what scammers promise.

Experts from ESET report a major flaw in the OSX/Filecoder.E virus. While other ransomware applications always contact their C&C servers in order to inform the mastermind about new victims and save private keys for decryption, this particular app fails to do so. It means that criminals cannot have any means of helping the victim after the ransom is paid.

Although this ransomware is designed for Mac devices, don’t let your guard down since it might also visit other operating systems. If you are not protected by advanced anti-malware programs or antiviruses, then just one wrong download or infectious link is enough to compromise your security. Don’t forget to create backups regularly! It is always good to have copies of your valuable files stored somewhere else besides your hard drive, believe us! This way no ransomware can spoil your day.

The post Warning: Mac-targeting ransomware appeared first on RemovalBits.com.

First of all, it is incredible how Americans tend to neglect the danger of cyber threats and don’t take them seriously. The majority of the respondents don’t spend time on educating themselves to protect their gadgets (stationary and mobile as well) from hackers. Furthermore, they have poor knowledge in other topics related to anti-malware protection and cybersecurity. This explains why the number of hacker attacks increases with each year; ignorance serves criminals. When people think they are educated and smart enough not to fall in the hacker’s trap, they become careless – and losing your guard is already a 50% to become infected.

To be more specific…

The State Cybersecurity Survey is a series of questions regarding the dangers and threats in the cyber world. Most participants proudly said that their knowledge in this field is on par with any specialists around. According to the results, people think that it takes one random antivirus program to be installed in order to be protected from anything. Moreover, practically no one believes that their devices have been hacked before. But if we look at the statistics and check cybercrime frequency in NA, it becomes clear that people don’t know what they are talking about lacking knowledge, experience, comprehension of the threat in general, not mentioning and the ability to admit it.

Just to be more concrete here:

• 26% of the respondents admitted that their gadgets might have been hacked. While other said that they never had any problems with security.
• After noticing weird computer behavior only 46% of respondents immediately informed their banks about suspicious activity. Others thought that changing passwords is enough.
• Despite expressing confidence in their knowledge and experience, 87% of the survey participants admitted that they cannot recognize if their devices have been hacked without the expert’s help.
• 84% of the respondents do not trust social network sites to be completely secure. The level of trust varies from low to extremely suspicious.
• The most valued information for 84% of participants is their social security number.

Conclusion   

Respondents of the State Cybersecurity Survey indicated that they believe that their data in various places can be protected by facilities themselves and no other measures are needed. People don’t believe that additional precautionary measures would lead to positive changes, thus why to waste time on them.

We’re sad to admit that people’s ignorance opens a lot of loopholes for hackers and malware creators. Although everyone is using gadgets today, only every fourth has some thought regarding cybersecurity. Other are more than vulnerable to viruses, worms, and other threats. We remind you to keep your cyber defenses up-to-date to protect systems and private information.

Source: securitymagazine.com.

The post 60% of Americans are cyber security experts appeared first on RemovalBits.com.

The second vulnerability with identifier CVE-2016-8222 is somewhat similar to the famous previous ThinkPwn vulnerability. The vulnerability could allow an attacker to overwrite important system variables of BIOS and invoke SMM services of microprocessor operation mode, which means that attackers could get privileges at the level of minus the second ring (-2).

Regarding the Intel Management Engine (ME) technology has recently been written several articles on the internet. In short, this is a whole sub-system hardware and software from Intel in chipset, which allows you to control your computer, also remotely, regardless of the operating system, as well as if the computer is working at the moment or not. Intel ME uses system resources, including some regions of physical memory and hardware devices functions. At the same time, these resources are used by Intel ME should be suitably blocked from the influences of the outside, for example, an attacker who wants to modify the configuration parameters of the Intel ME with the purpose to run its own code on the highest minus third (-3) level of privileges of the microprocessor. Such protection of the physical memory region, Lenovo forgot to set initially.

Vulnerability refers to Local Privilege Escalation type (the LPE) and could allow an attacker to obtain the highest level of privileges minus the third ring (-3).

The Intel Management Engine (ME) is a set of hardware features developed by Intel that enable administrators to manage, repair and protect computers on their networks. During the manufacturing process, a setting is configured on the manufacturing line that locks regions of memory used by the ME and prevents them from being reconfigured. Lenovo has discovered that this protection was not enabled on certain Lenovo systems.

Update LEN-9903 is addressed to the following Lenovo notebook computer production:

• 110-14IBR/110-15IBR
• B70-80, E31-80, E40-80, E41-80, E51-80, G40-80, G50-80, G50-80 Touch
• Ideapad 300-14IBR/300-15IBR, Ideapad 300-14ISK/300-15ISK/300-17ISK, Ideapad 510S-12ISK
• K21-80, K41-80
• MIIX 710-12IKB, XiaoXin Air 12
• YOGA 510-14ISK/510-15ISK, YOGA 710-11IKB, Yoga 710-11ISK, Yoga 900-13ISK, YOGA 900S-12ISK

ThinkServer TS150 and ThinkServer TS450 Servers are also subject of the update.

The second vulnerability is present in one of the drivers of UEFI-firmware of ThinkPad notebooks and allows an attacker who has already received the highest administrator rights in the system, to go down to the minus second (-2) ring to run his own code in SMM mode.

A vulnerability has been identified in a signed kernel driver for the BIOS of some ThinkPad systems that can allow an attacker with Windows administrator-level privileges to call System Management Mode (SMM) services. This could lead to a denial of service attack or allow certain BIOS variables or settings to be altered (such as boot sequence). The setting or changing of BIOS passwords is not affected by this vulnerability.

This vulnerability could allow an attacker to bypass Microsoft Device Guard protections for systems running Windows 10.

In turn, compromising SMM operation mode of the microprocessor allows an attacker to compromise a such protection technologies of Windows 10, which operate using virtualization mechanism, as a Device Guard and Credential Guard. Since virtualization subsystem runs on the ring -1 privileges, the SMM code will not be difficulty to bypass its defense mechanism.

We recommend to everyone to install the updates.

The post Lenovo has fixed vulnerabilities in their computer firmware appeared first on RemovalBits.com.

Samsung has also fixed the vulnerability in Android firmware of their devices with an update SMR-NOV-2016. The Company has corrected LPE-vulnerability Dirty COW in the Linux kernel with the identifier SVE-2016-7504 (CVE-2016-5195). Vulnerability Dirty COW was also patched by Google. Unlike Google, Samsung didn’t specify the models of their devices, which will be available to update the firmware. Instead, they indicated that the update will be available for “flagship models”.

Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.

Samsung has fixed a large number of vulnerabilities that are present only in their devices. For example, LPE-SVE-2016-6736 vulnerability which was present in the driver /dev/fimg2d (Samsung Graphics 2D driver) on the company’s devices with chipset Exynos 5433/54xx/7420. Samsung has also fixed Dirty COW vulnerability in Linux Kernel, which could be used by hackers to increase their privileges in the system.

SVE-2016-7504: Linux kernel race condition on CopyOnWrite (DirtyCOW)

 Severity: Critical

Affected versions: All devices

Reported on: October 20, 2016

Disclosure status: Privately disclosed.

Where a lot of write operations and calls to madvise() happens, one of the write operations can reach and write to read-only memory map by a race condition on the Linux kernel when operating with CopyOnWrite(COW) operation.

The fix introduces a new “state” for copy-on-write pages which prevents the race condition.

For its Nexus devices, Google has fixed a large number of Critical LPE-vulnerabilities in various drivers and in the Kernel, which could be used to gain privileges in the system by cyber criminals, as well as local rooting of the devices. For example, several vulnerabilities with identifiers CVE-2015-8961, CVE-2016-7911, CVE-2016-7910 in the file subsystem of the Kernel could be used by attackers to obtain root access over the system that could result in a reflashing of the device.

Actual for the following devices: Google Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL.

The following drivers and subsystems of Android Kernel have been updated:

Cryptographic driver Qualcomm.

File subsystem of the Kernel.

SCSI drivers, the Media, as well as ION’s, network, sound subsystem of the kernel.

NVIDIA GPU driver.

Qualcomm camera driver and Qualcomm bus driver.

Synaptics Touchscreen driver.

Vulnerability Dirty COW (CVE-2016-5195) has been fixed by the last part of the update 2016-11-06 security patch level.

We recommend users to update their devices!

The post Google and Samsung have fixed the vulnerability Dirty COW in Android firmware appeared first on RemovalBits.com.

Mirai in Japanese means “Future” and Hajime – “beginning”.

The experts write that the infection process with Hajime is divided into three stages. In addition, the threat is called a worm, not without a reason: Hajime is able to reproduce on its own. First, the worm attacks port 23 in attempt to get the login and password of the system by using the brute force.  The most common combinations of credentials are hard-coded in the code of Hajime. If the port 23 is closed, or the attack fails, the malware leaves attempts and moves to the next IP-address. If the bruteforce was successful, the worm executes the following commands on the device:

enable

system

shell

sh

/bin/busybox ECCHI

Thus, malware determines if it has infected the Linux system. According to the data of Rapidity Networks, malware attacks ARMv5, ARMv7, Intel x86-64, MIPS and Little-endian platforms, it means that the scope of its activities is much wider than that of similar IoT-threats. Afterwards, Hajime goes to the next stage of the attack. It downloads the 484-bytes file ELF-file and executes it, thereby opening a connection to the attacker’s server. Malware receives a file from the server and executes it as well. In the next stage of the attack this file is used to establish the connection with the PSP-network using the DHT protocol. Through P2P, using DHT and uTP, the Trojan downloads other payloads.

The researchers note that Hajime is similar to several other threats simultaneously. Thus, the worm uses P2P network as well as Rex Trojan; it has a list of usernames and passwords combinations for bruteforce random IP-addresses and spreads itself same as Miari; and also uses the mechanism of infection, consisting of several stages, like NyaDrop. Thus Hajime is written in C, rather than Go, as Rex. It uses P2P networks, and doesn’t work directly with management servers like Mirai. In addition, the malware is dangerous for a number of different platforms, while NyaDrop attacks only devices with MIPS architecture.

Judging by the hard-coded credentials in the code of Hajime, worm attacks CCTV cameras, routers and DVR-systems. More specifically, malware is a threat for Dahua Technologies Companies devices and ZTE Corporation, and also for a number of equipment of other companies that produce products (mainly DVR-systems), as a result of white-label partnership with XiongMai Technologies.

In order to protect your IoT-devices, it is recommended to avoid visiting suspicious websites from them or downloading any unofficial apps. Also, if it is possible, block the port number 23. Use the last version of antivirus software and update virus data base signature as frequent as possible.

The post Hajime Trojan worm written in C can be controlled by P2P and infects IoT-devices appeared first on RemovalBits.com.

Although the HDDCryptor has appeared last winter, experts say that there is a new version of this ransomware spreading online. Experts from Morphus Labs said that their company was investigating the mass infection of a certain systems of international companies and HDDCryptor attacked the offices of the company in Brazil, India and United States.

All of the experts agree that while the scale of HDDCryptor spread is modest. Basically the victims themselves download the ransomware from various malicious websites, in very rare cases the malware got into computer as a secondary infection, downloaded by another malware. Once installed the ransomware scans the local network for network drives. Afterwards it uses a fee tool Network Password Recovery which searches and steals credentials of users of shared network folders. When these stages are completed, ransomware uses open source utility DiskCryptor, to encrypt files on the victim’s system.  The tool takes into account the results of previous “researches” of the malware and successfully uses the passwords to connect to the network drives to encrypt files there as well.

Once finished encrypting data, HDDCryptor replaces the content of the MBR with custom bootloader and initiates the reboot process. Instead of loading operating system, victim sees a message with ransom demands. The infected users are forced to contact the ransomware authors by e-mail for further instructions. At the moment the ransom demand is around 1 Bitcoin (about $600).

Experts note that the January version of the ransomware displayed somewhat different message and was pointing to another email address. Also in January, victims were assigned a unique four-digit ID, whereas now has a six-digit ID. According to analysts, who investigated the bitcoin address that is associated with a bitcoin wallet of criminals, since the start of the new campaign in September, only four people have paid the ransom.

The post HDDCryptor – ransomware which can overwrite the MBR on the victim’s computer appeared first on RemovalBits.com.

The fact that the attackers will exploit such trends as Pokemon Go was quite predictable. Discovered malware is just another proof that attackers are closely watching what is happening in the world and do not stop to take advantage of the hype around this or that trend. The researchers write that a Trojan, named HEUR: Trojan.AndroidOS.Ztorg.ad is disguised very well and that is why the threat was noticed too late. All of malware files were encrypted by commercial packer and unpacked they really contain useful materials related to Pokemon Go, which the Trojan used to maintain the “legend”. And only as small module with obfuscated code was responsible for malicious functions.

Once infected the device, the Trojan is not immediately performing malicious actions. Firstly malware verifies that it is not running on a virtual machine and waits for the user to install or uninstall any application, to make sure that everything is in order. Only after this, Trojan contacts the management server, sending the operators a data about the infected device which includes operating system version, default language, as well as the country in which the device is located. The answer, received from the server, was coming in JSON-file format, containing multiple links, by clicking on which, the malware would start downloading on the infected device additional files. These files are the real weapon of Trojan, since they contain exploits for various vulnerabilities in Android, mostly found in 2012-2015. So, one of the exploits was developed by Hacking Team and slipped into the Internet as a result of last year’s hack of the company. Armed, Trojan finally could pass to the active phase of the attack, receive a super user rights and then install additional applications and display the advertisements to the victim.

The experts write that while the Trojan operators primarily monetized their business through advertising and didn’t distribute additional malware. But there is no guarantee that tomorrow they will not want more money and begin to spread the same malware more dangerous things, for example ransomware or bank Trojans.

The post Trojan, disguised as a guide for Pokemon Go has been installed more than 500 000 times! appeared first on RemovalBits.com.

It’s not a secret that the hacker resources of all kinds exist not only in the darknet, but in the normal Internet as well. On these sites and forums public exchanges their experiences, discussing not too legal tools and attack techniques (usually under the close supervision of law enforcement, because the resources are available in Google search, and for anyone who wishes to join). On one of these resources (LeakForums) experts from Sophos firstly noticed pahan12 user who offered to all to buy from him his remote access Trojan SLICK RAT. As shown by subsequent analysis, those who have acquired SLICK RAT, eventually became infected with KeyBase malware, which pahan12 put in the code. KeyBase stole passwords of unlucky hackers and sent to the attacker’s website. Experts believe that this is not a coincidence, because the link contains the text “pahan123”. Researchers believe that the attacker then used the stolen credentials of accounts on various hacker forums to enhance his own reputation.

Intrigued by this opportunity, experts continued to investigate and soon discovered that Pahan deals not only with the distribution of SLICK RAT and works not only on the aforementioned website.

It turned out that in November 2015 Pahan has been spreading Aegis Crypter tool for obfuscation and hiding the code of malware from antiviruses. But the attacker’s version also included the “undocumented” Trojan RxBot. Another case happened in March 2016, under the name Pahann attacker has been selling one of the versions of KeyBase keylogger, that infected customers with COM Surrogate malware, and then with Trojans RxBot and Cyborg.

The most recent hacker’s activity has been detected on the already mentioned LeakForums, spreading SLICK RAT attacker began in June 2016. Experts write that it is impossible to determine exactly how many people were infected by Pahan attacks, but note, that there is certainly no honor among thieves.

The post Researchers from Sophos have found a hacker, who has been infecting other hackers with his own malware appeared first on RemovalBits.com.

This family of Trojans has been known since 2011, and the authors regularly release new versions of malicious programs, developing their own “product”. Experts write that BackDoor.TeamViewerENT.1 by architecture resembles BackDoor.TeamViewer.49, which is in turn composed with several modules. But while the Trojan found in May only used TeamViewer to load into the memory of the victim’s machine some malicious libraries, the new TeamViewer uses a backdoor to spy.

General malicious functions of the malware are concentrated in avicap32.dll library, and settings are stored in an encrypted configuration block. In addition to the specially created malicious attackers’ library Trojan saves necessary for operation of TeamViewer files and folders, as well as several additional files-modules. Thus, the attackers exploiting legitimate opportunities of Windows: if the application requires loading a dynamic link library, the system will first try to find a file with the same name in the same folder where the program is stored, and only after – will search in Windows system folder. Thus, since the TeamViewer application really needs avicap32.dll library, which is stored by default in one of the Windows system directories. Malware keeps malicious library with the same name directly in a folder with a legitimate executable TeamViewer, causing the system to load into memory a Trojan library instead of legitimate one.

After launching the Trojan, it disables the display of error events for TeamViewer process, also hides its own files and intercepts in the memory of TeamViewer process invocation of various application and system functions. If you remove any of malicious files, the Trojan will easily download them back again from the remote server. Additionally, if BackDoor.TeamViewerENT.1 detects an attempt to start the Windows Task Manager and Process Explorer, it kills the TeamViewer process on the infected machine. Once connected to the remote cyber criminals’ server, the backdoor can perform various malicious commands, including start listening to the sound from the microphone, watching via webcam, download, save and run files, connect to specified remote host, run commands via cmd.exe, update config files and many more. Basically the infected computer will be in total control by cyber criminals.

These commands open up wide opportunities for the attackers to spy on the infected users, steal confidential information. In particular, it is known that with the help of this Trojan cyber criminals have been installing Trojans from the family of Trojan.keylogger and Trojan.PWS.Stealer on the infected computers.

It is recommended to keep your computer protected with antivirus and firewall. Always update your system and anti-virus software to the latest versions. Trojan BackDoor.TeamViewer.49 can be easily detected by most of the up to date antivirus software.

The post Recently discovered another backdoor for Windows, which is using the components of Teamviewer appeared first on RemovalBits.com.