GFI WebMonitor – Web Security and Internet Access Control Software

October 25, 2011 by admin  
Filed under Protection Tools

432 views   2 Comments

Most companies want to be able to monitor and control user access to the network and the Internet, and GFI Software has a solution that can help meet that need. Available as a standalone proxy version or as a dedicated plug-in for organizations that have deployed Microsoft ISA Server, GFI WebMonitor is a policy-based web monitoring, filtering, scanning and control solution.

 



Welcome to Apple iCloud phishing attacks

August 27, 2011 by admin  
Filed under Security News

186 views   2 Comments

When a Naked Security reader forwarded us a suspicious email he received today, it served as a healthy reminder for all computer users to be on their guard against phishing attacks.

 

The email claims to come from Apple, and appears to have targeted our correspondent because he is a user of Apple’s MobileMe service.

 

Apple is planning to shut down its MobileMe service in mid-2012, as it is readying its new iCloud service (which will store music, photos, calendars, documents etc in ‘the cloud’ and wirelessly push them to all of your devices).

 

Understandably, a lot of MobileMe users are interested in how they will migrate to iCloud and this is the issue that the phishing email uses as bait.

 


Subject:

Welcome to iCLOUD

Message body:

Important information for MobileMe members.

Dear MobileMe member,

Please sign up for iCloud and click the submit botton, you'll be able to keep your old
email address and move your mail, contacts, calendars, and bookmarks to the new service.

Your subscription will be automatically extended through July 31, 2012, at no additional charge.
After that date, MobileMe will no longer be available.

Click here to update iCLOUD

Sincerely,

The Apple store Team

 

If you make the decision to click on the link in the email, however, you are not taken to an official Apple website – but instead a third-party site that is trying hard to present itself in an Apple style.

 


 

Yes, it’s a phishing website.

 

And just look what it’s asking for: your credit card details, your address, your social security number, your full date of birth, your mother’s maiden name and your Apple ID credentials.

 

Crumbs! Imagine the harm a fraudster could cause with all that information.

 

Make sure you have your eyes peeled for phishing attacks, and be on your guard regarding unsolicited messages you receive in your inbox. It could be you who gets hit by a phishing attack next.

 

By Graham Cluley @ nakedsecurity.sophos.com
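The point of the post is that the link text claims Apple while the destination is a third-party site. As an added example (not part of the Naked Security post), the following check is the kind a mail filter or an analyst can apply: extract every link from the message and flag any whose host lies outside the domains the claimed sender actually uses. The message body and the phishing destination below are constructed placeholders, and the list of Apple domains is an assumption for the example.

```python
"""Flag links in an e-mail whose destination does not belong to the brand the
message claims to come from. Added example; the sample message and the
phishing hostname are constructed placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the claimed sender legitimately uses (assumption for this example).
BRAND_DOMAINS = {"apple": ("apple.com", "icloud.com", "me.com")}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lower-cased hostname of a URL ('' if it has none)."""
    return (urlparse(url).hostname or "").lower()


def belongs_to(host, domains):
    """True if host equals one of the domains or is a subdomain of one.
    A host such as apple.com.<other>.test is NOT a subdomain of apple.com."""
    return any(host == d or host.endswith("." + d) for d in domains)


def suspicious_links(html, claimed_brand):
    """Return (href, text) for links whose host is outside the brand's domains."""
    collector = _LinkCollector()
    collector.feed(html)
    allowed = BRAND_DOMAINS[claimed_brand]
    return [(href, text) for href, text in collector.links
            if not belongs_to(host_of(href), allowed)]


# Constructed sample modelled on the message quoted above; the phishing
# destination is a placeholder under the reserved .test TLD, not the real site.
SAMPLE_EMAIL = """
<p>Dear MobileMe member,</p>
<p>Please sign up for iCloud:
<a href="http://apple.com.example-phish.test/icloud">Click here to update iCLOUD</a></p>
<p>Learn more at <a href="https://www.apple.com/icloud/">www.apple.com/icloud</a></p>
"""

if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE_EMAIL, "apple"):
        print(f"SUSPICIOUS: '{text}' -> {href}")
```

The subdomain test is deliberately strict: a host that merely starts with `apple.com` is treated as foreign, which is exactly the trick lookalike hosts rely on.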



Apple hires jailbreaking iPhone hacker Nicholas Allegra

August 27, 2011 by admin  
Filed under Security News

156 views   1 Comment

Nicholas Allegra, better known as ‘comex’, the creator of the JailBreakMe website which made it child’s play for iPhone owners to jailbreak their devices, has been given an internship at Apple.

 

The 19-year-old from Chappaqua, New York posted the news of his new position on Twitter:

 

[Image: comex's tweet]

 

Allegra has given Apple plenty of headaches in the last couple of years, finding security vulnerabilities in Apple’s iPhone that allowed anyone to convert their smartphone into a device capable of running unapproved applications.

 

Normally jailbreaking requires users to connect their device to a computer before they can start to tamper with the set-up of their iPhone or iPad – but JailBreakMe made it significantly easier.

 

Just visiting the website with Safari would trigger a security vulnerability, allowing code to run which would jailbreak the iPhone or iPad.

 

[Image: the JailBreakMe website]

Apple don’t like folks jailbreaking their iPhones, so it’s understandable that they would rather have the man behind the JailBreakMe website working for them rather than exposing their security weaknesses.

 

After all, whenever Allegra updated his JailBreakMe website to defeat Apple’s security, he was giving a potentially dangerous blueprint to more malicious hackers who might want to plant more dangerous code.

 

Each time Allegra has found a flaw in Apple’s software, the company has been forced to rush out a security patch.

 

So, what’s going to change now Apple has made jailbreaking expert Nicholas Allegra an intern?

 

Well, I would imagine that they’ll be strongly encouraging him to share with them any details of security flaws he finds with their software rather than updating his drive-by jailbreaking website. That way they’ll be able to work on patching any vulnerabilities he discovers before they are made public.

 

I’m sure they’ll be particularly keen to prevent Allegra from publishing details on how to jailbreak the next incarnation of iOS, version 5.0, or the much-mooted iPhone 5.

 

From Apple’s point of view it’s a case of: If you can’t beat ‘em, hire ‘em.

 

By Graham Cluley @ nakedsecurity.sophos.com



‘May God always bless..’ Facebook virus hoax spreads

August 27, 2011 by admin  
Filed under Security News

116 views   3 Comments

Facebook users are sending scary warnings to each other regarding a supposed new piece of malware spreading across the social network.

 


 

Attention!!!If you see anyone post out an application written "May God always bless this kind person below with peace, love and happiness", with your profile picture attached below, and send by your friend via Bold Text. Please DONT click "like" or "SHARE", is a spyware, and all your info at FB will be copy and reuse for other purpose. Please share this info out. Thanks......;)

 

The warnings are being spread rapidly by well-intentioned Facebook users, but the truth is that we have seen no evidence of any such spyware.

 

Our friends at Facecrooks believe they have got to the bottom of the mystery.

 

They have determined that rather than a genuine virus, the warning was kicked off by a Facebook application called Bold Text making over-exuberant, if not downright spammy, wall postings.

 


 

Over one million people are reported to have used the application, so clearly its self-promoting tactics are working.

 

If you see one of your friends reposting the warning about the ‘May God always bless..’ message then please tell them that it isn’t true that it’s a virus, and point them to this article or the information on Facecrooks.

 

And if you installed the Bold Text application, and aren’t enjoying the messages it is posting, you should revoke its access to your Facebook account.

 

It’s not the first time, of course, that Facebook users have been misled about the full facts by virus hoaxes. Most recently we have seen a bogus warning message about an Olympic Torch virus that could “burn the whole hard disc.. C of your computer”.

 

Make sure that you stay informed about the latest genuine scams spreading fast across Facebook and other internet attacks. Join the Sophos Facebook page, where more than 100,000 people regularly share information on threats and discuss the latest security news.

 

By Graham Cluley @ nakedsecurity.sophos.com

 


CaSIR v3.5 – Common and Stubborn Infections Remover

July 31, 2011 by admin  
Filed under Removal Tips, Tools and Videos

193 views   Leave a Comment


 

Description:

If you have reached this page, then you probably have a very serious security problem which none of the well-known antivirus/antispyware software is able to deal with.

 

 

CaSIR is FREE software for removing CaSIs.

 

 

What are CaSIs?

CaSIs is short for Common and Stubborn Infectors. These are malicious programs (viruses, worms, Trojans, etc.) that are notoriously difficult for regular antivirus programs to detect and remove. They often have the capability to disable your computer or your antivirus programs.

 

 

Good examples of these infectors are:

Win32.Brontok.q
Win32.Delf.cc
Win32.VB.by
Win32.VB.cz
Trojan.Win32.Small.wv (Medichi & Medichi2)
Trojan-Downloader.Win32.Todon.ai
Trojan-Downloader.Win32.Todon.aj
Worm.Win32.AutoRun.dkk (Ahsan virus)
Trojan-Downloader.Win32.VB.bbl

 

If one of the above infectors has infected your computer, you will not be able to install any of the well-known antivirus software such as Kaspersky, McAfee, Norton, AVG, Panda… (and about 135 more AVs!), and please don’t try to use Safe Mode to remove them manually, because those infectors will disable Safe Mode!

 

 

How do you get infected by these CaSI’s?

Well, mostly because you opened an attachment from an email that wasn’t from one of your friends, or used infected removable storage media (CDs, DVDs, floppy disks, flash disks, memory cards…), or simply visited a suspicious website that compromised your computer.

 

 

The only thing that could have saved you was a good antivirus program with up-to-date signatures. If you didn’t have one installed, these CaSIs could enter your system with ease, change lots of settings and take over your machine!

 

 

Once you are infected, NOTHING (no well-known anti-virus program) can rescue you anymore. You and your computer are doomed.

 

 

But now there is a solution, and it is called CaSIR.

 

 

What is CaSIR?

 

CaSIR (Common And Stubborn Infections Remover) is on-demand malware removal software. We designed it specifically to remove the most common and stubborn infections from your computer. It can remove their running processes, their bodies, their registry entries and any other leftovers!

 

CaSIR doesn’t search randomly for CaSIs; it goes directly to the areas that a specific CaSI infects and removes it from there, so it does its job in mere seconds!

CaSIR does more than that. It has a strong generic technique that allows it to do the following:

- CaSIR removes the common restrictions placed on your computer by these infectors, which none of the AVs deal with.
- CaSIR removes the illegitimate services/processes frequently used by these infectors.
- CaSIR recognizes and instantly kills and deletes any running process/service that is disguising itself among the legitimate system services/processes.
- CaSIR removes any scripts used by these infectors to autorun.
- CaSIR removes any autostart registry entries related to the illegitimate services/processes it detects.
- CaSIR deals with all your storage media (fixed, floppy, removable…) and cleans them all up if need be.
- CaSIR cleans up your system registry, so no more spy keys, garbage activity or messages asking for already deleted files.
- CaSIR’s signatures are fully updatable: once you have downloaded the software, all you need to do is download the new definitions file regularly and you’re up to date and ready to go.

 

How to use CaSIR?

Just extract the zip-file you download which contains only two files:
- CaSIR35.exe: The main executable file.
- casirdef.cas The definitions file.

Simply run CaSIR (in Normal Mode) and press Start, wait a few seconds and you’re done!

 

If CaSIR detects any CaSIs, it will restart your computer and work in what we call “Pre-$hell mode”; after finishing its job, CaSIR will restart your computer in Normal Mode.

 

 

Important notes:

1. Since CaSIR is security software that deals with your file system, your system registry and running processes and services, it MUST be given all the rights it demands in order to remove any infection. Some other security software will try to block CaSIR or even flag it as malicious and prevent it from doing its job, so please make sure it is not blocked and that no other program is blocking CaSIR. During the disinfection process we recommend you disable any other security solution you are running, such as antivirus, firewall, monitoring tools, etc.

 

 

2. Please do NOT attempt to run CaSIR in Safe Mode. CaSIR needs to investigate your system to find out which CaSIs are active; if you run CaSIR in Safe Mode, it might not be able to detect any active CaSIs, as they usually do not run in Safe Mode!

 

 

3. If you have more than one infected computer connected to the same network, do NOT attempt to use CaSIR on one infected computer while the other infected ones are still connected to it; this would result in getting reinfected again and again. Always disconnect the infected computer from the network before using CaSIR, and do so with all your infected computers one by one!

 

 

What is “CDS Jobs” button? and why is it there?

CDS is short for “CaSIR Deep Scanner”. This is the part of CaSIR that uses the classic method of searching for malware: by binary signature. We added this new section of CaSIR starting from v2.0 because we noticed that some CaSI authors had developed a new method of making their malware harder to identify, namely spreading the CaSI with random file names, random registry keys, random registry values and random running process names, so that any algorithm based on the malware’s file/folder/registry key/registry value/running module/process/thread names would fail and be of no use!

 

 

If CaSIR detects any such nasty CaSIs (those using random techniques), it will analyze the situation first and kill the active parts of the CaSI, then invoke the CDS, which will scan all the hard disks, floppy disks, flash disks, memory cards, iPod and MP3/WMA drives available on your system to clean them; it will then restart your computer in Pre-$hell mode to continue removing the other CaSIs and, after finishing its job, CaSIR will restart your computer in Normal Mode with a “Congratulations” message!

 

 

Please note that you can cancel those operations at any time, but we strongly recommend against doing so, because it would leave your computer in a dangerous situation: the CaSI will come back when you restart your computer. So please be patient and let CaSIR finish its job.

 

 

Does CaSIR generate a log report?

Yes, after every phase of work CaSIR automatically generates a report file and saves it in the same folder where CaSIR is. The report file always has the name casirrpt.txt. We need this file whenever you have a problem or inquiry and contact us, so please don’t forget to attach it to your inquiry.

 

 

How to update CaSIR definitions?

There are two methods of getting updates, online and offline:

1. Online method:
Simply press the “Update” button and follow the instructions on screen.

2. Offline method:
Visit www.sergiwa.com and go to the downloads section; under Security software you’ll find the CaSIR definitions file. The definitions file is a very small zipped file that contains the CaSI signatures. All you have to do is download casirdef.zip, extract its contents and replace the old definitions file with the new one!

 

 

What are those RNP, GFL, SFL, GFD, SFD, RKM, RKD, RKA, RSO?

When CaSIR finds an infection on your computer, it displays the infection in the following format:

XXX – YYY

XXX: the type of infection found
YYY: the infection itself

XXX is one of 9 different keywords:

RNP : Running Process
GFL : Group of Files
SFL : Single File
GFD : Group of Folders
SFD : Single Folder
RKM : Registry Key to be Modified
RKD : Registry Key to be Deleted
RKA : Registry Key to be Added
RSO : Regular System Optimization
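An added example (not part of CaSIR or Sergiwa Software) of how an analyst might parse detection lines in the “XXX – YYY” format described above, for instance when reviewing a casirrpt.txt before attaching it to a support request: each line is split into its type keyword and detail, unknown keywords are reported rather than silently accepted, and the registry-related findings are pulled out for review. The report lines, paths and registry keys below are constructed placeholders, not real indicators.

```python
"""Parse CaSIR-style detection lines ('XXX – YYY') into structured records.
Added example, not CaSIR's own code; the sample report is constructed and its
paths and registry keys are placeholders."""
import re
from collections import Counter

# The nine type keywords as documented above.
INFECTION_TYPES = {
    "RNP": "Running Process",
    "GFL": "Group of Files",
    "SFL": "Single File",
    "GFD": "Group of Folders",
    "SFD": "Single Folder",
    "RKM": "Registry Key to be Modified",
    "RKD": "Registry Key to be Deleted",
    "RKA": "Registry Key to be Added",
    "RSO": "Regular System Optimization",
}

# Accept the en dash used in the documentation as well as a plain hyphen.
_LINE = re.compile(r"^\s*([A-Z]{3})\s*[–-]\s*(.+?)\s*$")


def parse_line(line):
    """Return (code, description, detail) or None for a non-detection line.
    Raises ValueError for a detection-shaped line with an unknown type code."""
    m = _LINE.match(line)
    if not m:
        return None
    code, detail = m.group(1), m.group(2)
    if code not in INFECTION_TYPES:
        raise ValueError(f"unknown infection type {code!r} in line: {line!r}")
    return code, INFECTION_TYPES[code], detail


def parse_report(text):
    """Parse a whole report: skip free-text lines, collect malformed ones."""
    records, errors = [], []
    for line in text.splitlines():
        try:
            rec = parse_line(line)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if rec:
            records.append(rec)
    return records, errors


def summarize(records):
    """Count detections per type code, e.g. Counter({'SFL': 2, 'RNP': 1})."""
    return Counter(code for code, _, _ in records)


def registry_actions(records):
    """Only the registry findings (RKM/RKD/RKA), worth eyeballing before reboot."""
    return [r for r in records if r[0].startswith("RK")]


# Constructed sample report (placeholder paths and keys, not real indicators).
SAMPLE_REPORT = """\
CaSIR report (constructed sample)
RNP – C:\\Windows\\system32\\example_bad.exe
SFL – C:\\Windows\\example_bad.exe
SFL - C:\\Windows\\Temp\\example_dropper.tmp
RKD – HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleBad
RKM – HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr
ZZZ – not a documented code
"""

if __name__ == "__main__":
    recs, errs = parse_report(SAMPLE_REPORT)
    for code, desc, detail in recs:
        print(f"{code} ({desc}): {detail}")
    print("summary:", dict(summarize(recs)))
    print("errors:", errs)
```

Rejecting unknown keywords matters because a report that has been truncated or tampered with should fail loudly rather than produce a plausible-looking summary.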

 

Do you have to buy CaSIR?

No; you don’t have to. CaSIR is 100% free of charge (for personal use only).

 

Download CaSIR from Here

 

 

CaSIR
Developer: Issam Sergiwa
Company: Sergiwa Software
OS: Windows XP, Windows Vista, Windows 7
Bugs? Problems?
Contact support@sergiwa.com

 


Bitdefender Safego The New Social Network Protection

July 24, 2011 by admin  
Filed under Protection Tools

82 views   Leave a Comment


Posts on your wall, comments from friends, status updates. These are the tools that help you build your online social interactions. But don’t forget that your online social life relies on a crucial ingredient: your friends’ trust in you. So why let infected links, spam or deftly crafted scams step in and spoil your fun? After all, we’ve all had enough of the “see who viewed your profile” tricks and of its countless siblings.

 

Using in-the-cloud scanning, Bitdefender Safego protects your social network account from all sorts of e-trouble: scams, spam, malware and private data exposure. But, most importantly, Safego keeps your online friends safe and …close.

 


 

To install the app Click Here



TDL4 – Top Bot

July 24, 2011 by admin  
Filed under Security News

269 views   2 Comments

TDSS variants

 

The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today. TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.

 

Its creator calls this program TDL. Since it first appeared in 2008, malware writers have been perfecting their creation little by little. By 2010, the latest version was TDL-3, which was discussed in depth in an article published in August 2010.

 

The creators of TDSS did not sell their program until the end of 2010. In December, when analyzing a TDSS sample, we discovered something odd: a TDL-3 encrypted disk contained modules of another malicious program, SHIZ.

 

[Figure: TDL-3 encrypted disk with SHIZ modules]

 

At that time, a new affiliate program specializing in search engine redirects had just emerged on the Internet; it belonged to the creators of SHIZ, but used TDL-3.

 

The changes that had been made to the TDL-3 configuration and the emergence of a new affiliate marketing program point to the sale of TDL-3 source code to cybercriminals who had previously been engaged in the development of SHIZ malware.

 

Why did the creators of TDL decide to sell source code of the third version of their program? The fact is that by this time, TDL-4 had already come out. The cybercriminals most likely considered the changes in version 4 to be significant enough that they wouldn’t have to worry about competition from those who bought TDL-3.

 

In late 2010, Vyacheslav Rusakov wrote a piece on the latest version of the TDSS rootkit focusing on how it works within the operating system. This article will take a closer look at how TDL-4 communicates with the network and uploads data to the botnet, which numbered over 4.5 million infected computers at the time of writing.

 

Yet another affiliate program

 

The way in which the new version of TDL works hasn’t changed so much as how it is spread – via affiliates. As before, affiliate programs offer a TDL distribution client that checks the version of the operating system on a victim machine and then downloads TDL-4 to the computer.

 

[Figure: Affiliates spreading TDL]

 

Affiliates receive between $20 and $200 for every 1,000 installations of TDL, depending on the location of the victim computer. Affiliates can use any installation method they choose. Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services.

 

The changes in TDL-4 affected practically all components of the malware and its activity on the web to some extent or other. The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down. The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies.

 

The ‘indestructible’ botnet

 

Encrypted network connections

 

One of the key changes in TDL-4 compared to previous versions is an updated algorithm encrypting the protocol used for communication between infected computers and botnet command and control servers. The cybercriminals replaced RC4 with their own encryption algorithm using XOR swaps and operations. The domain names to which connections are made and the bsh parameter from the cfg.ini file are used as encryption keys.

 

Readers may recall that one of the distinguishing features of malware from the TDSS family is a configuration file containing descriptions of the key parameters used by various modules to maintain activity logs and communications with command and control servers.

 

[Figure: Example of configuration file content]

 

Compared to version 3, there are only negligible changes to the format of the configuration file. The main addition is the bsh parameter, an identifier for this copy of the malware, which is provided by the command and control server the first time the bot connects. This identifier acts as one of the encryption keys for subsequent connections to the command and control server.

 

[Figure: Part of the code modified to work with the TDL-4 protocol]

 

Upon protocol initialization, a swap table is created for the bot’s outgoing HTTP requests. This table is activated with two keys: the domain name of the botnet command and control server, and the bsh parameter. The source request is encrypted and then converted to base64. Random strings in base64 are prepended and appended to the received message. Once ready, the request is sent to the server using HTTPS.

 

The new protocol encryption algorithm for communications between the botnet control center and infected machines ensures that the botnet will run smoothly, while protecting infected computers from network traffic analysis, and blocking attempts of other cybercriminals to take control of the botnet.

 

An antivirus of its own

Just like Sinowal, TDL-4 is a bootkit, which means that it infects the MBR in order to launch itself, thus ensuring that malicious code will run prior to operating system start. This is a classic method used by downloaders which ensures a longer malware lifecycle and makes it less visible to most security programs.

 

TDL nimbly hides both itself and the malicious programs that it downloads from antivirus products. To prevent other malicious programs not associated with TDL from attracting the attention of users of the infected machine, TDL-4 can now delete them. Not all of them, of course, just the most common.

 

[Figure: TDSS module code which searches the system registry for other malicious programs]

 

TDSS contains code to remove approximately 20 malicious programs, including Gbot, ZeuS, Clishmic, Optima, etc. TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets and prevents victim machines from contacting them.

 

This ‘antivirus’ actually helps TDSS; on the one hand, it fights cybercrime competition, while on the other hand it protects TDSS and associated malware against undesirable interactions that could be caused by other malware on the infected machine.

 

Which malicious programs does TDL-4 itself download? Since the beginning of this year, the botnet has installed nearly 30 additional malicious programs, including fake antivirus programs, adware, and the Pushdo spambot.

 

[Figure: TDSS downloads]

 

Notably, TDL-4 doesn’t delete itself following installation of other malware, and can at any time use the r.dll module to delete malware it has downloaded.

 

Botnet access to the Kad network

 

One of the most outstanding new features of TDL-4 is the kad.dll module, which allows the TDSS botnet to access the Kad network. So what do the cybercriminals want with a publicly accessible file exchange network?

 

We have known about botnets controlled via P2P for some time now, although until now, these were closed protocol connections created by the cybercriminals themselves. In contrast, TDSS uses a public P2P network in order to transmit commands to all infected computers in the botnet. The initial steps of how TDSS makes use of Kad are given below:

  1. The cybercriminals make a file called ktzerules accessible on the Kad network. The file is encrypted and contains a list of commands for TDSS.
  2. Computers infected with TDSS receive the command to download and install the kad.dll module.
  3. Once installed, kad.dll downloads the file nodes.dat, which contains the publicly accessible list of IP addresses of Kad network servers and clients.
  4. The kad.dll module then sends a request to the Kad network to search for the ktzerules file.
  5. Once the ktzerules file has been downloaded and encrypted, kad.dll runs the commands which ktzerules contains.

 

[Figure: Encrypted kad.dll updates found on the Kad network]

 

Below is a list of commands from an encrypted ktzerules file.

 

  • SearchCfg – search Kad for a new ktzerules file
  • LoadExe – download and run the executable file
  • ConfigWrite – write to cfg.ini
  • Search – search Kad for a file
  • Publish – publish a file on Kad
  • Knock – upload a new nodes.dat file to the C&C which contains a list of Kad server and clients IP addresses, including those infected with TDSS.

 

The most interesting command is Knock. This command allows the cybercriminals to create their own Kad P2P, the clients of which are exclusively TDSS-infected computers.

 

[Figure: How publicly accessible and closed Kad networks overlap]

 

Essentially, the TDSS botnet’s kad.dll module is more or less the same as cmd.dll in terms of control function. By running nodes.dat files containing a list of IP addresses of Kad clients in addition to ktzerules, which contains a command to download a new nodes.dat file from cybercriminal servers, the owners of the botnet can both include their infected computers in the publicly accessible Kad network and remove them from it. The publicly accessible Kad network contains no more than 10 TDSS-infected computers. This makes replacing the ktzerules file as inefficient as possible, which prevents other cybercriminals from taking control of the botnet. The total number of TDSS-infected computers on the closed network is in the tens of thousands.

 

[Figure: Kad.dll code responsible for sending commands from the TDL-4 cybercriminals]

 

Furthermore, access to Kad makes it possible for the cybercriminals to download any files to botnet machines and make them accessible to P2P users. This includes adult content files and stolen databases.

 

The key threat that such a botnet poses is that even when its command and control centers are shut down, the botnet owners will not lose control over infected machines. However, the system does face two major obstacles:

  1. By using the publicly accessible Kad network, the cybercriminals still run the risk of fake botnet commands.
  2. When developing the kad.dll module for maintaining communication with the Kad network, code with a GPL license was used — this means that the authors are in violation of a licensing agreement.

 

Extended functionality

 

In addition to its known adware function, TDL-4 has added some new modules to its arsenal. This article has already touched on the ‘antivirus’ function and the P2P module. The owners of TDSS have also added several other modules to their malware, and now offer services such as anonymous network access via infected machines and 64-bit support.

 

The proxy server module

 

A file called Socks.dll has been added to TDSS’s svchost.exe; it is used to establish a proxy server on an infected computer. This module facilitates the anonymous viewing of Internet resources via infected machines.

 

Having control over such a large number of computers with this function, the cybercriminals have started offering anonymous Internet access as a service, at a cost of roughly $100 per month. For the sake of convenience, the cybercriminals have also developed a Firefox add-on that makes it easy to toggle between proxy servers within the browser.

 

[Figure: Firefox add-on for anonymous Internet use via the TDSS botnet]

64-bit support

 

The appearance of a 64-bit malicious driver in TDSS was another innovation in malware in 2010. In order to support operations with 64-bit systems in user mode, TDL-4 contains a module called cmd64.dll, a version of cmd.dll for 64-bit systems. However, due to the limitations of working with 64-bit programs, cmd64.dll code only provides communication with the botnet command and control servers.

 

[Figure: List of botnet command and control center commands]

Working with search engines

 

The cmd.dll module remains almost completely unchanged. This module facilitates communication with the botnet command and control servers and substitutes search results, i.e. it fraudulently manipulates advertising systems and search engines. The newest innovation in the list of commands for TDSS is the SetName command, which assigns a number to each infected computer. For search engines and banner networks, TDSS uses the same fake click and traffic technologies as similar malicious programs. However, TDSS has the longest list of search engines for which it substitutes search results.

 

[Figure: List of search engines supported by TDSS]

Botnet command and control servers

When running, TDSS uses several sources to obtain lists of command and control server addresses. The default list is taken from cmd.dll; if these addresses are inaccessible, then TDSS gets a list from cfg.ini. If for some reason no command and control server listed is accessible, then a list is created from an encrypted file called bckfg.tmp, which the bot receives from the command and control server on first connection. Since the beginning of the year, around 60 command and control centers have been identified across the globe.

 

Control server address | Server address at the beginning of February | Server address at the beginning of March | Percentage of mentions in C&C lists
01n02n4cx00.cc | noip | noip | 0,05%
01n02n4cx00.com | 91.212.226.5 | noip | 0,43%
01n20n4cx00.com | 91.212.226.5 | 91.193.194.9 | 0,21%
0imh17agcla.com | 77.79.13.28 | 91.207.192.22 | 0,80%
10n02n4cx00.com | 194.28.113.20 | 194.28.113.20 | 0,22%
1il1il1il.com | 91.212.158.72 | 91.212.158.72 | 6,89%
1l1i16b0.com | 91.193.194.11 | 91.193.194.11 | 0,43%
34jh7alm94.asia | 205.209.148.232 | noip | 0,03%
4gat16ag100.com | noip | noip | 2,07%
4tag16ag100.com | 178.17.164.129 | 91.216.122.250 | 6,69%
68b6b6b6.com | noip | noip | 0,03%
69b69b6b96b.com | 91.212.158.75 | noip | 6,89%
7gaur15eb71.com | 195.234.124.66 | 195.234.124.66 | 6,85%
7uagr15eb71.com | noip | noip | 2,07%
86b6b6b6.com | 193.27.232.75 | 193.27.232.75 | 0,14%
86b6b96b.com | noip | noip | 0,24%
9669b6b96b.com | 193.27.232.75 | 193.27.232.75 | 0,22%
cap01tchaa.com | noip | noip | 2,19%
cap0itchaa.com | noip | noip | 0,58%
countri1l.com | 91.212.226.6 | 91.212.158.72 | 6,89%
dg6a51ja813.com | 91.216.122.250 | 93.114.40.221 | 6,85%
gd6a15ja813.com | 91.212.226.5 | 91.212.226.5 | 2,07%
i0m71gmak01.com | noip | noip | 0,80%
ikaturi11.com | 91.212.158.75 | noip | 6,89%
jna0-0akq8x.com | 77.79.13.28 | 77.79.13.28 | 0,80%
ka18i7gah10.com | 93.114.40.221 | 93.114.40.221 | 6,85%
kai817hag10.com | noip | noip | 2,07%
kangojim1.com | noip | noip | 0,14%
kangojjm1.com | noip | noip | 0,24%
kur1k0nona.com | 68.168.212.21 | 68.168.212.21 | 2,19%
l04undreyk.com | noip | noip | 0,58%
li1i16b0.com | noip | noip | 0,05%
lj1i16b0.com | noip | noip | 0,05%
lkaturi71.com | noip | noip | 0,14%
lkaturl11.com | 193.27.232.72 | 193.27.232.72 | 0,22%
lkaturl71.com | 91.212.226.6 | 91.212.158.72 | 7,13%
lo4undreyk.com | 68.168.212.18 | 93.114.40.221 | 2,19%
n16fa53.com | 91.193.194.9 | noip | 0,05%
neywrika.in | noip | noip | 0,14%
nichtadden.in | noip | noip | 0,02%
nl6fa53.com | noip | noip | 0,03%
nyewrika.in | noip | noip | 0,03%
rukkeianno.com | noip | noip | 0,08%
rukkeianno.in | noip | noip | 0,08%
rukkieanno.in | noip | noip | 0,03%
sh01cilewk.com | 91.212.158.75 | noip | 2,19%
sho1cilewk.com | noip | noip | 0,58%
u101mnay2k.com | noip | noip | 2,19%
u101mnuy2k.com | noip | noip | 0,58%
xx87lhfda88.com | 91.193.194.8 | noip | 0,21%
zna61udha01.com | 195.234.124.66 | 195.234.124.66 | 6,85%
zna81udha01.com | noip | noip | 2,07%
zz87ihfda88.com | noip | noip | 0,43%
zz87jhfda88.com | 205.209.148.232 | 205.209.148.233 | 0,05%
zz87lhfda88.com | noip | noip | 0,22%

 

A careful examination of this list reveals that the IP addresses of command and control centers are constantly changing, while some command and control centers are phased out altogether. These changes are due to the use of proxy servers, which hide the true location of the command and control centers.
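As an added example (not Kaspersky Lab's or Securelist's code), the Python below does in code what the paragraph above does by eye, over a subset of rows copied from the table: it lists the C&Cs that moved address between February and March, those that stopped resolving, and the addresses that front several domains at once. The function names are my own.

```python
"""Churn analysis over the TDL-4 C&C table above (added example, not
Securelist's code). CC_TABLE rows are copied from the table; function
names are my own."""
from collections import defaultdict

# Rows copied from the table above; "noip" means no address resolved.
CC_TABLE = """\
01n02n4cx00.com 91.212.226.5 noip 0,43%
01n20n4cx00.com 91.212.226.5 91.193.194.9 0,21%
1il1il1il.com 91.212.158.72 91.212.158.72 6,89%
69b69b6b96b.com 91.212.158.75 noip 6,89%
countri1l.com 91.212.226.6 91.212.158.72 6,89%
dg6a51ja813.com 91.216.122.250 93.114.40.221 6,85%
ka18i7gah10.com 93.114.40.221 93.114.40.221 6,85%
lkaturl71.com 91.212.226.6 91.212.158.72 7,13%
sh01cilewk.com 91.212.158.75 noip 2,19%
"""

def parse_cc_table(text):
    """Parse 'domain feb_ip mar_ip share%' rows; the share uses a decimal comma."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        domain, feb, mar, share = line.split()
        rows.append({
            "domain": domain,
            "feb": None if feb == "noip" else feb,
            "mar": None if mar == "noip" else mar,
            "share": float(share.rstrip("%").replace(",", ".")),
        })
    return rows

def churn_report(rows):
    """C&Cs that moved address, C&Cs that stopped resolving, and addresses
    fronting several domains (what shared proxy servers look like in DNS)."""
    moved = [r["domain"] for r in rows
             if r["feb"] and r["mar"] and r["feb"] != r["mar"]]
    gone = [r["domain"] for r in rows if r["feb"] and not r["mar"]]
    by_ip = defaultdict(set)
    for r in rows:
        for ip in (r["feb"], r["mar"]):
            if ip:
                by_ip[ip].add(r["domain"])
    shared = {ip: sorted(d) for ip, d in by_ip.items() if len(d) > 1}
    return {"moved": moved, "gone": gone, "shared_ips": shared}
```

Run over the full table, the `shared_ips` map is the quickest way to see which February addresses were reused by several domains, which is the proxy-fronting pattern the paragraph above describes.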

 

Command and control server statistics

Despite the steps taken by cybercriminals to protect the command and control centers, knowing the protocol TDL-4 uses to communicate with servers makes it possible to create specially crafted requests and obtain statistics on the number of infected computers. Kaspersky Lab’s analysis of the data identified three different MySQL databases located in Moldova, Lithuania, and the USA, all of which served the botnet through proxy servers.

According to these databases, in just the first three months of 2011 alone, TDL-4 infected 4,524,488 computers around the world.

Figure: Distribution of TDL-4 infected computers by country

Nearly one-third of all infected computers are in the United States. Based on the prices quoted by affiliate programs, this number of infected computers in the US is worth $250,000, a sum which presumably made its way to the creators of TDSS. Remarkably, there are no Russian users in the statistics. This may be explained by the fact that affiliate marketing programs do not offer payment for infecting computers located in Russia.

To be continued…

The heading of this last section has become traditional in our articles on TDSS. In this case, we have reason to believe that TDSS will continue to evolve. The TDL-4 code shows active development (a rootkit for 64-bit systems, malware that launches before the operating system starts, the use of exploits from Stuxnet’s arsenal, P2P technology, its own ‘antivirus’ and a lot more), which places TDSS firmly in the ranks of the most technologically sophisticated, and most complex to analyze, malware. The botnet, with more than 4.5 million infected computers, is used by cybercriminals to manipulate adware and search engines, provide anonymous Internet access, and act as a launch pad for other malware.

TDSS and the botnet that unites all the computers it infects will continue to cause problems for users and IT security professionals alike. The decentralized, server-less botnet is practically indestructible, as the Kido epidemic showed.

Source: Securelist.com



Get a Free Copy of Avast Internet Security 6

July 18, 2011 by admin  
Filed under Protection Tools

682 views   1 Comment

*This is legit: the e-mail registration is handled by AVAST’s German site, and the trial download comes from AVAST’s US site.

Register your e-mail and you’ll be sent a free Avast Internet Security license file, good until April 2012.
1. Extract the file you received and downloaded from the e-mail.
2. Download the Avast Internet Security trial:
Avast Internet Security Trial Link
3. During the installation process, choose “custom installation”.
4. You’ll be asked for the license file (the file you extracted) during the first step.
5. Browse to and locate the file.
6. Finish the installation.

*The e-mail will be in German.

*Here’s the translated version of the e-mail that you’ll receive.

Dear AVAST users,

Thank you for your registration.

With this link you can download your personal registration file.

Registry File: http://www.my-avast.de/aktion/AVAST/down/license-com-so-gehts.zip

The com! article: http://www.globell.com/aktion/Comsogehts/COMsogehts_0811_avast_IS.pdf

To activate the program, please save this file to your desktop or in My Documents, where you can find it again.

Licensing can be done in different ways; for example, you may have received the avast! Internet Security software directly from the DVD issue of com! magazine.

Once you start the software installation, a setup wizard will guide you through the installation. Later in the installation you will be asked for a valid license file. Now you just need to select the directory where you saved the downloaded license file. The license information is read directly during the installation.

If you have already installed avast! Internet Security as a demo, the licensing is done directly in the program. For this, download and save the license file as described above. To carry out the licensing, first open the software and select the “Administration” tab and then the “Subscription” menu. A button labelled “Insert license file” appears in the window. Click it and find the path where you saved the license file. Once you have selected your license file, the program will ask whether you want to insert the license information. Confirm this with “YES” and the process is completed.

It is also possible to read the license file directly into an already installed demo version. This works with the license file you saved previously. Just select the license file with a left mouse click and then press the right mouse button. Once the menu appears, move the mouse to the menu item “Open With” and select “aswChLic..”. After you have made your selection, you will be asked whether you want to insert the license file; confirm this with “Yes”. The process is then complete.

Once your license file has been read correctly, your valid license period, including the subscription information, is displayed.

We hope that this guide has been an aid in licensing your avast! Internet Security and wish you a safe time with your AVAST software.

Source: http://dealspl.us



Mamutu 3.0 – 1 year subscription for free (GOTD)

July 14, 2011 by admin  
Filed under Protection Tools

125 views   Leave a Comment

How safe is your PC really?

To put it succinctly: Why signature-based security software is not enough

Normal security software recognizes Malware using signatures, a type of digital fingerprint. What is the problem with this? No fingerprint means no recognition. This means that the Malware must first be known to the manufacturer of the security software before a fingerprint can be created that allows it to be recognized. The fingerprint database on your PC is then updated online on a daily basis. Only then can the Malware be recognized.

You are probably now thinking: “What about new Malware that the manufacturer of the security software has never seen? They have no way of making a fingerprint of this…”. Exactly!


This is where the behavior-based Malware defense of Mamutu comes into play. It does not rely on a fingerprint to recognize dangerous software, but on the behavior of the software itself. This allows Mamutu to recognize new Malware long before the signature databases have been updated. These types of Malware attacks are known as Zero-Day attacks. In addition, behavior-based Malware recognition is the only efficient way of recognizing Malware that has been built for a single specific attack, e.g. for industrial espionage.

Mamutu – Protects against completely new pests in seconds!

The Mamutu Background Guard is clever. It recognizes and blocks all potentially dangerous programs before they can cause any damage. The new Malware Intrusion Detection System (Malware-IDS) is unique worldwide and immediately warns you when a program attempts to perform a potentially dangerous or suspicious operation.

Suggested reading: Signature recognition or behavioral analysis – Which is better?

The advantages to you:

New behavior-based protection technology
Mamutu permanently monitors all active programs on your PC. As soon as suspicious behavior of a process is detected you receive a warning message and can react accordingly. Block Malware before it can cause any damage, by using the unique Emsisoft behavior analysis technology that has been tried and tested for years.
The Malware-IDS in detail

Lower resource consumption
Mamutu has been designed to use as little of your computer’s power as possible. This makes it ideal for users who require high computing performance, e.g. for graphics or video applications and especially games.

Quarantine in case of emergency
Always place a suspicious program in quarantine before finally deleting it. Suspicious behavior can also be exhibited by usually benign applications. Mamutu helps you to decide what to do with a suspicious program.

Stay protected – it is easier than you think
Regardless of whether you are a computer expert or a beginner, you will quickly come to grips with Mamutu. You do not have to be a specialist to free yourself from Malware.

The perfect security enhancement

Mamutu recognizes and reports the following types of behavior:

  • Backdoor related behavior
  • Spyware related behavior
  • HiJacker related behavior
  • Worm related behavior
  • Dialer related behavior
  • Keylogger related behavior
  • Trojan Downloader related behavior
  • Injection of code into other programs
  • Manipulation of programs (patching)
  • Invisible installations of software
  • Invisible Rootkit processes
  • Installation of services and drivers
  • Creation of Autostart entries
  • Manipulation of the Hosts file
  • Changes of the browser settings
  • Installation of debuggers on the system
  • Simulated mouse and keyboard activity
  • Direct disk sector access on harddisk
  • Changes of the system group policies [NEW!]

Full control over internal system activities

You can now decide for yourself what programs are allowed to start on your PC and what actions may be performed. Detailed application rules are now available, allowing you to individually specify the permitted behavior of every application:

  • Monitor application, but allow specific activities
    Select this option to always allow particular specific behavior of a program. In certain situations a benign program can contain a function that is very similar to a damaging function and is thus reported. If you are sure that this action is actually not dangerous then you can allow it. All other types of dangerous behavior are still reported.
  • Always block this application
    Select this option to permanently block a particular program. You can also use this feature to provide child protection by preventing other PC users from starting a particular application.
  • Exclude from protection
    Select this option to completely exclude an application from the monitoring process. Use this when you always trust an application and are sure that it does not execute any damaging actions.

Bonus feature: Application protection

You can use the application rules to protect specific programs from third-party manipulation. For example, this feature is used to prevent Mamutu from being terminated by Malware in order to disable the protection. You can also make use of this feature yourself to protect your browser and other important programs from being illegally terminated.

The program is available for $27.00 (1-year subscription), but it will be free for a limited-time offer by giveawayoftheday.com.

Download Mamutu 3.0 now

Symantec Loves VIPRE

July 14, 2011 by admin  
Filed under Security News

242 views   2 Comments

Our good friends over at Symantec love VIPRE so much, they’ve decided to use the logo in their new marketing campaign!

We prefer our colors, of course (I like blue) but otherwise, not a bad copy of our logo.

Imitation is the sincerest form of flattery!

Alex Eckelberry - GFI