BlitzBlank 1.0 – Removes infections that nothing else removes
August 28, 2010 by admin
Filed under Removal Tips, Tools and Videos
When others fail to properly clean up…
Malware infections are not always easy to clean up. These days the software pests use clever techniques to protect themselves from being deleted, and in more and more cases it is almost impossible to delete a malware file while Windows is running.
Files and registry entries are often locked in various ways to prevent them from being deleted, and active malware processes monitor each other and restart one another as soon as one of them is killed.
The only reliable solution is to delete the pests during the Windows boot process, before any malware has started running and activated its self-protection mechanisms.
BlitzBlank: Deletes on Boot
BlitzBlank is a tool for experienced users and for those who must deal with malware on a daily basis. It deletes files, registry entries and drivers before Windows and all other programs are loaded.
To do this it uses low-level techniques and several protection mechanisms of its own that make it almost impossible for malware to stop BlitzBlank from carrying out the requested actions.
Script Support
You can use the Designer View to create removal jobs per mouse-click or write your own removal scripts in the Script View.
The following Script commands are supported:
- DeleteFile: [ReplaceWithDummy]
- MoveFile: [ReplaceWithDummy]
- DeleteFolder: [ReplaceWithDummy]
- MoveFolder: [ReplaceWithDummy]
- DeleteRegKey: [ReplaceWithDummy] [Backup]
- DeleteRegValue: [ReplaceWithDummy] [Backup]
- DisableDriver: [Backup]
- Execute:
Note: parameters shown in [square brackets] are optional and are written without the brackets.
Every command requires the path of the object(s) to be changed on the following line. For the “Move” commands the source and target paths are separated by a space, so paths that themselves contain spaces must be enclosed in double quotation marks.
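To show how the script grammar described above fits together, here is an added example of a small validator that parses a script into jobs according to those rules (a command line with optional parameters, then one path line; "Move" commands take two paths; quoted paths may contain spaces). This is my own code, not part of BlitzBlank or of this page; the sample script, its file and registry paths, and the exact parsing rules (for example that a path line must immediately follow its command) are assumptions, and the real tool may be stricter or more lenient.

```python
import re

# Command grammar as described on the page: allowed optional parameters after the
# colon, and how many paths the following line must carry (assumption: one per
# command, two for the "Move" commands).
COMMANDS = {
    "DeleteFile":     {"params": {"ReplaceWithDummy"}, "paths": 1},
    "MoveFile":       {"params": {"ReplaceWithDummy"}, "paths": 2},
    "DeleteFolder":   {"params": {"ReplaceWithDummy"}, "paths": 1},
    "MoveFolder":     {"params": {"ReplaceWithDummy"}, "paths": 2},
    "DeleteRegKey":   {"params": {"ReplaceWithDummy", "Backup"}, "paths": 1},
    "DeleteRegValue": {"params": {"ReplaceWithDummy", "Backup"}, "paths": 1},
    "DisableDriver":  {"params": {"Backup"}, "paths": 1},
    "Execute":        {"params": set(), "paths": 1},
}

# Constructed sample script; the paths are hypothetical, not real malware locations.
SAMPLE_SCRIPT = r"""DeleteFile: ReplaceWithDummy
C:\Windows\System32\badguy.dll
MoveFile:
"C:\Program Files\Suspect App\suspect.exe" C:\Quarantine\suspect.exe
DeleteRegValue: Backup
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Suspect
DisableDriver: Backup
C:\Windows\System32\drivers\badguy.sys"""


class ScriptError(ValueError):
    """Raised with the 1-based line number of the offending script line."""


def split_paths(line):
    """Split a path line on spaces, keeping a "double-quoted" path with embedded spaces as one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', line)]


def parse_script(text):
    """Parse a BlitzBlank-style script into a list of jobs, validating the command name,
    its optional parameters and the number of paths on the following line."""
    lines = text.splitlines()
    jobs = []
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        cmd_line = i + 1
        i += 1
        if not line:
            continue
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if not m:
            raise ScriptError(f"line {cmd_line}: expected a command line such as 'DeleteFile:', got {line!r}")
        name, rest = m.groups()
        spec = COMMANDS.get(name)
        if spec is None:
            raise ScriptError(f"line {cmd_line}: unknown command {name!r}")
        params = rest.split()
        bad = [p for p in params if p not in spec["params"]]
        if bad:
            raise ScriptError(f"line {cmd_line}: {name} does not accept parameter(s) {', '.join(bad)}")
        # The path line must immediately follow the command line.
        if i >= len(lines) or not lines[i].strip():
            raise ScriptError(f"line {cmd_line}: {name} is missing its path line")
        paths = split_paths(lines[i].strip())
        i += 1
        if len(paths) != spec["paths"]:
            raise ScriptError(f"line {i}: {name} needs {spec['paths']} path(s), got {len(paths)}")
        jobs.append({"command": name, "params": params, "paths": paths, "line": cmd_line})
    return jobs


def lint_script(text):
    """Return None if the script parses cleanly, otherwise the error message."""
    try:
        parse_script(text)
    except ScriptError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for job in parse_script(SAMPLE_SCRIPT):
        print(job)
    print(lint_script("DeleteFile: Backup\nC:\\bad.dll"))
```

Running the validator over a script before handing it to a boot-time deletion tool catches the mistakes that matter most here: a parameter the command does not take, a "Move" command with only one path, and a path containing spaces that was not quoted and therefore splits into two tokens.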
Download now!
- Download BlitzBlank – guaranteed for free!
System requirements
BlitzBlank runs on Windows XP, Vista, 7 as well as on 2003/2008 Servers in all 32 bit and 64 bit editions.
BlitzBlank does not require software installation and can be started immediately. Administrative rights are required on start.
Caution!
BlitzBlank should be used by professionals, or on the advice of professionals, only! It can destroy your operating system when used incorrectly. Use it with caution!
License
BlitzBlank is free for any use. We are not responsible for any files and data that have been accidentally removed. We explicitly point out that the software may seriously damage your operating system when used incorrectly.
JailbreakMe: Apple issues emergency iPhone/iPad security patch
August 12, 2010 by admin
Filed under Security News
Apple has kept true to its promise, and released a security patch for users of iPhones, iPads and the iPod Touch, closing the door on a vulnerability that could have exposed them to malware and other malicious attacks.
The vulnerability first came to the public’s attention after it was used by a website, JailbreakMe.com, which made it simple for iPhone and iPad users to jailbreak their devices.
As I reported earlier this month, the drive-by jailbreak exploited a vulnerability in the way that the mobile edition of Safari (the default browser in the iOS operating system) handles PDF files, specifically the parsing of embedded fonts. As a result, just visiting the JailbreakMe website could run code on the visitor’s iPhone, iPod Touch or iPad. The update in fact closes two holes: the font-parsing bug in CoreGraphics that gave the website its initial code execution (CVE-2010-1797) and a kernel bug in IOSurface that it used to escalate from the browser to kernel privileges (CVE-2010-2973).
Such a vulnerability, if left unpatched, leaves the door open for hackers to spread malicious code to Apple’s mobile products with nothing more than a link.

The iOS 4.0.2 update for iPhone and iPod Touch can be downloaded and installed using iTunes, with further information available in Apple’s support advisory HT4291.
The same process can be used to update Apple iPads to iOS 3.2.2, with detailed information about the vulnerabilities published on Apple’s support knowledgebase.
Critical patches for Windows and Flash Player
August 11, 2010 by admin
Filed under Security News
If you’re a user of Windows or Flash (and I would imagine that covers the vast majority of you) then it’s time to roll out the latest critical security patches, as Microsoft and Adobe have released updates to their software.
First up is Microsoft, who have released a bumper bundle of fixes as part of their regular “Patch Tuesday” cycle, issuing 14 bulletins to remedy 34 security holes in Windows, Internet Explorer, Microsoft Office, Silverlight, Microsoft XML Core Services and Server Message Block.
Eight of the bulletins have been given Microsoft’s highest severity rating of “critical”, with the rest labelled “important”.
The good news, as Chet Wisniewski explains, is that we haven’t yet seen any malware spreading by exploiting these vulnerabilities, but that may only be a matter of time.
Separately, Microsoft has also issued an advisory about an unpatched elevation-of-privilege vulnerability, which could allow code already running in a low-privileged service account to gain higher privileges by abusing a weakness in the Windows Service Isolation feature.
Meanwhile, another platform commonly targeted by malicious hackers has been updated to defend against security vulnerabilities.
Adobe has identified critical vulnerabilities in Adobe Flash Player version 10.1.53.64 and earlier, and urged users to update their installations of Flash and Adobe Air.
If you’re not sure which version of the Adobe Flash Player you have installed, visit the About Flash Player page. Remember that if you use more than one browser on your computer you should check the version number on each.
Microsoft readies emergency patch for Shortcut zero-day flaw
August 5, 2010 by admin
Filed under Security News
Updated: Good news from Microsoft. It has announced that it plans to release an emergency out-of-band update to patch a critical Windows security vulnerability that is being actively exploited by malware.
The so-called Shortcut vulnerability is exploited by specially crafted shortcut (.LNK) files that point to malicious code and trick Windows into executing it without user interaction.
Malware exploiting the vulnerability has included Stuxnet, Chymin and Dulkis, Zbot and, most recently, Sality.
“In the past few days, we’ve seen an increase in attempts to exploit the vulnerability. We firmly believe that releasing the update out of band is the best thing to do to help protect our customers,” Christopher Budd, Senior Security Response Communications Manager at Microsoft, wrote on the MSRC blog.
Microsoft normally publishes its security patches on the second Tuesday of each month, but this one (MS10-046) is scheduled to be released today (Monday, August 2 2010) at 10am Pacific time (1800 BST).
Whenever Microsoft releases an out-of-band patch it’s a big deal – they clearly think it’s an important enough issue to break their regular cycle and you should pay attention too. We would recommend that computer users apply the patch as soon as possible.
As Microsoft is issuing a permanent patch for the shortcut vulnerability, we would recommend that users uninstall the Sophos Windows Shortcut Exploit Protection Tool before applying the Microsoft fix.
Android malware steals info from one million phone owners
August 1, 2010 by admin
Filed under Security News
Updated: A developer of Android apps has been accused of using their apps to steal information from more than one million smartphone users.
John Hering and Kevin Mahaffey, of mobile security firm Lookout, told the Black Hat security conference in Las Vegas that they discovered that a wallpaper app developed by Jackeey Wallpaper (who have created over 70 different applications for the Google Android mobile operating system) secretly transmitted affected phones’ numbers, subscriber identifiers and voicemail numbers to a server in Shenzhen, China.
Over a million people are believed to have downloaded the app – which Sophos has not yet seen – from the Android Market (Google’s equivalent to the Apple iPhone AppStore).
This isn’t the first time that the Android smartphone operating system has apparently been targeted by malware, of course.
One of the challenges that owners of smartphones running the Android operating system face is that it is not as closely monitored as Apple’s equivalent, and adopts a more relaxed philosophy as to what apps can be published.
Although there’s much criticism that Apple has received for the way it controls the iPhone environment, it’s clear that the only malware attacks we’ve seen to date on that platform (such as Duh and the infamous rickrolling Ikee worms) have affected users who have chosen to jailbreak their iPhones and escape the relative safety of the AppStore.
Yes, malware has previously emerged for jailbroken iPhones, but the malicious applications have not made it onto users’ devices via Apple’s highly guarded AppStore.
It remains to be seen how many users will treat security as a factor when choosing between the rival mobile operating systems.
Update: Some media reports suggested incorrectly that voicemail passwords were accessed by the wallpaper app, and it’s important to make clear that this is not true.
More malware exploiting Windows shortcut vulnerability
July 26, 2010 by admin
Filed under Security News
It probably won’t come as a surprise to anyone, but more evidence has come to light that cybercriminals are actively exploiting the Windows shortcut vulnerability (also known as CVE-2010-2568).
Following the earlier Stuxnet attack, our labs have analysed more examples of specially crafted shortcut (.LNK) files that point to malicious code and trick Windows into executing it without user interaction.
Overnight Sophos saw two malware samples that were being spread by the .LNK vulnerability. Customers of Sophos products were already protected as we detect the .LNK shortcuts generically as Exp/Cplink-A or Troj/Cplink – however, here is more information on the specific malware:
Troj/Chymin-A:
Also known as Chymine, this keylogging Trojan horse is designed to steal information from infected computers.
Troj/Chymin-A may be downloaded by exploited Windows Shortcut (.LNK) files.
W32/Dulkis-A:
W32/Dulkis-A is the more interesting of the two examples of malware we saw related to the exploit overnight, as it drops .LNK shortcut files that exploit the vulnerability onto removable drives such as USB sticks. Sophos products detect these .LNK files as Exp/Cplink-A.
W32/Dulkis-A is a Windows worm, written in obfuscated Visual Basic, which copies itself to any attached removable storage device using the files 9.tmp (detected as Mal/TDSSPack-Z), xxx.dll (detected as W32/Dulkis-A) and <randomname>.tmp (detected as Troj/Nebule-Gen).
Shortcut zero-day attack code goes public
July 20, 2010 by admin
Filed under Security News
If you’ve been following Chet Wisniewski’s blog over the last few days you will already know about the serious zero-day vulnerability that has been found in versions of Windows.
Microsoft has since confirmed that a vulnerability exists in versions of Windows which allows a maliciously crafted Windows shortcut file (.lnk) to run a malicious DLL simply by being displayed, for example when a USB stick is opened in Windows Explorer.
Furthermore, the attack is triggered automatically when an affected USB storage device is viewed in Windows Explorer, even when AutoRun and AutoPlay are disabled: the DLL is loaded while Explorer renders the shortcut’s icon, so no click is required. The Microsoft Security Response Center (MSRC) says that the security hole can also be remotely exploited via WebDAV and network shares.
You can watch the following YouTube video where Chet shows the attack in action:
In this case, the DLL executed carries a rootkit – helping hide the infection from prying eyes.
What is of particular concern, of course, is that other malicious hackers might try to exploit the vulnerability, as it would certainly be a useful tool in any malware’s arsenal. The chances of that occurring have increased over the weekend, as a hacker called Ivanlef0u published proof-of-concept code onto the internet.
In the past we’ve seen worms (Conficker is perhaps the most famous example) spread successfully via USB devices, which prompted many firms to disable AutoPlay.
There is a real risk that more malware will take advantage of the zero-day exploit now the code is “out there”, taking things to a whole new level.
So far, Microsoft has not made a patch available for the problem and has given no timeline for a proper fix, although it is no doubt working hard on a security update for this critical vulnerability. Until then, the interim workarounds in Microsoft Security Advisory 2286198 are to stop Explorer from rendering shortcut icons (by clearing the default value of the HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler registry key, which turns every shortcut icon into a blank white icon) and to disable the WebClient service to block the WebDAV route.
Sophos detects the malware we’ve seen so far using the exploit as W32/Stuxnet-B and Troj/Cplink-A.
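The mechanism described in this post, and the W32/Dulkis-A behaviour in the “More malware exploiting Windows shortcut vulnerability” post above (dropping .LNK files that point at a DLL onto USB sticks), both come down to a shortcut whose target ID list names a DLL. Below is an added example of a small scanner for that pattern; it is my own code, not Sophos’s detection logic and not from this page. It assumes the public MS-SHLLINK layout (0x4C-byte header, LinkFlags at offset 20, then an IDListSize-prefixed list of ItemIDs ended by a zero TerminalID), and the sample shortcut it builds is a constructed test input with just enough structure for the parser, not a working exploit.

```python
import os
import re
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} as laid out on disk (little-endian fields).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001

# A shortcut found on a removable drive whose target ID list names one of these
# is worth a look: the exploit makes Explorer load a DLL while rendering the icon,
# and the samples above used xxx.dll / 9.tmp style names.
SUSPICIOUS_EXTENSIONS = (".dll", ".tmp")

_ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def link_target_items(data):
    """Return the raw ItemID payloads of a shell link's LinkTargetIDList ([] if it has none).

    Raises ValueError if the bytes are not a shell link (bad header size or CLSID).
    """
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link (bad header size or CLSID)")
    link_flags, = struct.unpack_from("<I", data, 20)
    if not link_flags & HAS_LINK_TARGET_ID_LIST:
        return []
    if len(data) < LNK_HEADER_SIZE + 2:
        raise ValueError("truncated LinkTargetIDList")
    id_list_size, = struct.unpack_from("<H", data, LNK_HEADER_SIZE)
    pos = LNK_HEADER_SIZE + 2
    end = min(pos + id_list_size, len(data))
    items = []
    while pos + 2 <= end:
        item_size, = struct.unpack_from("<H", data, pos)   # size includes the 2-byte size field
        if item_size == 0:                                  # TerminalID
            break
        if item_size < 2:
            raise ValueError("malformed ItemID size")
        items.append(bytes(data[pos + 2:pos + item_size]))
        pos += item_size
    return items


def embedded_strings(blob):
    """Printable ASCII and UTF-16LE runs inside an ItemID payload, decoded to str."""
    found = [m.group().decode("ascii") for m in _ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in _UTF16_RUN.finditer(blob)]
    return found


def suspicious_targets(data):
    """Strings in the link's target ID list that name a DLL or .tmp file (the CVE-2010-2568 pattern)."""
    hits = []
    for item in link_target_items(data):
        for text in embedded_strings(item):
            if any(ext in text.lower() for ext in SUSPICIOUS_EXTENSIONS) and text not in hits:
                hits.append(text)
    return hits


def scan_drive(root):
    """Walk a mounted drive and map each .LNK path to the suspicious target strings found in it."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hits = suspicious_targets(fh.read())
            except (OSError, ValueError):   # unreadable, or not really a shell link
                continue
            if hits:
                report[path] = hits
    return report


def build_sample_lnk(target_path):
    """Constructed test input: a minimal shell link with one ItemID embedding target_path
    as UTF-16LE. It is NOT a working exploit, only enough structure for the parser above."""
    payload = b"\x1f\x80" + target_path.encode("utf-16-le") + b"\x00\x00"
    item = struct.pack("<H", len(payload) + 2) + payload
    id_list = item + b"\x00\x00"                       # TerminalID closes the list
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
              + struct.pack("<I", HAS_LINK_TARGET_ID_LIST)
              + b"\x00" * (LNK_HEADER_SIZE - 24))      # remaining header fields zeroed
    return header + struct.pack("<H", len(id_list)) + id_list


if __name__ == "__main__":
    for path in (r"\\?\E:\xxx.dll", r"E:\9.tmp", r"C:\Users\me\Documents\report.docx"):
        print(path, "->", suspicious_targets(build_sample_lnk(path)))
```

A real deployment would run `scan_drive("E:\\")` against a suspect USB stick from a machine where the workaround (icon handler disabled) is already in place, since merely browsing the drive in Explorer is what triggers the exploit. The heuristic is deliberately narrow and will miss a shortcut that hides its target elsewhere, so treat a hit as a reason to pull the drive for analysis, not as the only signal.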
Google ‘malware’ sponsored advert delivers fake anti-virus
July 15, 2010 by admin
Filed under Security News
“Be careful what you ask for – you might get it.”
That’s the thought running through my head today after I searched for the word “malware” on Google.
As you’ll see in the following short YouTube video I made, a sponsored link right at the top of the Google search results points to a fake anti-virus website posing as a legitimate security company:
If you download the fake anti-virus program promoted on the website you risk infection by malware identified by Sophos as Troj/FakeAV-AOV.
Contract_05_07_2010.zip – all you’ll contract is a malware infection
July 8, 2010 by admin
Filed under Security News
SophosLabs is seeing another widespread malicious spam attack being sent to email addresses around the world. The emails, which have a malware-infected attachment called Contract_05_07_2010.zip, pretend to be a legal contract – however, opening the contents of the file could infect your Windows computer.

A typical email reads:
Subject: Permit for retirement
Message body:
Good day,
We have prepared a contract and added the paragraphs that you wanted to see in it.
Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment.
We are enclosing the file with the prepared contract.
If necessary, we can send it by fax.
Looking forward to your decision.
<name>
Attached file: Contract_05_07_2010.zip
Beware ‘Your log 05.07.2010′ emails – they carry malware
July 8, 2010 by admin
Filed under Security News
Malicious hackers are spamming out emails around the world disguised as a changelog, with the intention of infecting recipients’ Windows computers via the attachment.

A typical email reads as follows, although there can be minor variations in the message body:
Subject: Your log 05.07.2010
Message body:
Dear Customers,
as promised your changelog is attached,
<name>
Attached file: Changelog_05_07_2010.zip
The emails, by the way, are always signed off with the first name of the person mentioned in the message’s From: field. That field is, of course, forged: it’s not really that person who sent you the email, so don’t blame them if you get infected!