HydraCrypt and UmbreCrypt encryption cracked

Emsisoft security researcher Fabian Wosar has broken the encryption of numerous ransomware families, much to the annoyance of their authors, and he is not stopping: he has recently worked out how the HydraCrypt and UmbreCrypt families encrypt files and has released a new decrypter for both.

HydraCrypt and UmbreCrypt are new ransomware families first seen in 2016. Both are derived from the CrypBoss ransomware, whose source code was leaked and posted to Pastebin by unknown parties last year. Because that source was out in the open, working out what the two successors do was much easier.

“Unfortunately the changes made by the HydraCrypt and UmbreCrypt authors cause up to 15 bytes at the end of the file to be damaged irrecoverably,” the expert explained in his blog.

Apparently the authors who built on the CrypBoss code did not put much effort in: there are very few modifications to the original source. The good news is that in most cases those last 15 bytes do not matter and the files can be recovered. Wosar found that the lost bytes are harmful for only a few file types. In many formats the tail of the file is padding or trailer data, so the damage can often be cured simply by opening the file in its usual application and saving it again.
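To make the trailing-bytes argument concrete, here is an added example in JavaScript for Node.js. It is not Emsisoft's decrypter and not code from the original post. It builds a tiny PNG, overwrites its last 15 bytes the way the report describes, and repairs it: a PNG always ends with a fixed 12-byte IEND chunk, so 15 bytes of damage can reach at most the last 3 bytes of the preceding chunk's CRC, and both the IEND chunk and that CRC can be recomputed from the intact data. The sample image and the damage pattern (XOR with 0xA5) are constructed for the demo.

```javascript
// Added example: repairing a PNG whose last 15 bytes were overwritten.
// Constructed for this page; not Emsisoft's decrypter.
const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Table-driven CRC-32 (same polynomial as zlib/PNG).
const CRC_TABLE = new Uint32Array(256).map((_, n) => {
  let c = n;
  for (let k = 0; k < 8; k++) c = c & 1 ? 0xedb88320 ^ (c >>> 1) : c >>> 1;
  return c >>> 0;
});
function crc32(buf) {
  let c = 0xffffffff;
  for (const b of buf) c = CRC_TABLE[(c ^ b) & 0xff] ^ (c >>> 8);
  return (c ^ 0xffffffff) >>> 0;
}

function u32(n) { const b = Buffer.alloc(4); b.writeUInt32BE(n); return b; }

// A PNG chunk: 4-byte length, 4-byte type, data, CRC over type+data.
function chunk(type, data) {
  const body = Buffer.concat([Buffer.from(type, "latin1"), data]);
  return Buffer.concat([u32(data.length), body, u32(crc32(body))]);
}

// zlib container holding one stored (uncompressed) deflate block, so the
// sample needs no compression library.
function zlibStored(raw) {
  const blk = Buffer.alloc(5);
  blk[0] = 0x01;                                  // BFINAL=1, BTYPE=00 (stored)
  blk.writeUInt16LE(raw.length, 1);
  blk.writeUInt16LE(~raw.length & 0xffff, 3);     // NLEN = one's complement of LEN
  let a = 1, b = 0;                               // Adler-32 trailer
  for (const x of raw) { a = (a + x) % 65521; b = (b + a) % 65521; }
  return Buffer.concat([Buffer.from([0x78, 0x01]), blk, raw, u32(((b << 16) | a) >>> 0)]);
}

// Constructed sample: a 1x1 8-bit grayscale PNG (70 bytes).
function buildSamplePng() {
  const ihdr = Buffer.alloc(13);
  ihdr.writeUInt32BE(1, 0); ihdr.writeUInt32BE(1, 4); ihdr[8] = 8;   // width, height, bit depth
  return Buffer.concat([
    PNG_SIG,
    chunk("IHDR", ihdr),
    chunk("IDAT", zlibStored(Buffer.from([0x00, 0x7f]))),   // filter byte + one pixel
    chunk("IEND", Buffer.alloc(0)),
  ]);
}

// What the modified CrypBoss routine does to a file, per Wosar: the last n
// bytes are ruined. XOR with a constant is our stand-in for that damage.
function simulateTailDamage(png, n = 15) {
  const out = Buffer.from(png);
  for (let i = out.length - n; i < out.length; i++) out[i] ^= 0xa5;
  return out;
}

// Drop the damaged tail, re-walk the chunks, recompute the last CRC and
// re-append IEND. A CRC mismatch before the tail means the damage was not
// confined to the tail, and we refuse rather than hide it.
function repairPngTail(damaged, n = 15) {
  if (!damaged.subarray(0, 8).equals(PNG_SIG)) throw new Error("not a PNG");
  const body = damaged.subarray(0, damaged.length - n);
  const parts = [body.subarray(0, 8)];
  let pos = 8;
  while (pos < body.length) {
    if (body.length - pos < 8) throw new Error("chunk header lost: damage extends past the tail");
    const len = body.readUInt32BE(pos);
    const typeAndData = body.subarray(pos + 4, pos + 8 + len);
    if (typeAndData.length !== 4 + len) throw new Error("chunk data lost: cannot repair");
    const type = typeAndData.subarray(0, 4).toString("latin1");
    const expected = crc32(typeAndData);
    const stored = body.subarray(pos + 8 + len, pos + 12 + len);   // may be short by up to 3 bytes
    if (stored.length === 4 && stored.readUInt32BE(0) !== expected)
      throw new Error(`${type} CRC mismatch: corruption beyond the tail`);
    parts.push(body.subarray(pos, pos + 8 + len), u32(expected));  // re-emit with recomputed CRC
    pos += 12 + len;
    if (type === "IEND") return Buffer.concat(parts);   // trailer survived (damage shorter than n)
  }
  parts.push(chunk("IEND", Buffer.alloc(0)));
  return Buffer.concat(parts);
}
```

The same reasoning does not hold for formats whose tail carries structure the reader needs, for instance ZIP containers (and therefore .docx and .xlsx), whose end-of-central-directory record sits at the very end of the file; those are the file types for which a dedicated decrypter has to do more work.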

For the cases where that simple trick does not help, the researcher has also released a dedicated recovery tool; this decrypter handles both HydraCrypt and UmbreCrypt.

Comodo Antivirus allows remote access to the PC

Comodo Internet Security installs and launches a VNC server by default.

Tavis Ormandy, a security researcher with Google Project Zero, has found yet another problem in a Comodo product. This time the software at issue is Comodo Internet Security, which by default installs and starts a VNC server, allowing remote access to the PC.

As it turned out, installing this product also installs a new browser called Chromodo, a modified build of Chrome. Chromodo looks very much like Chrome and imports all the user’s settings, cookies and so on.

According to the researchers, when a user installs Comodo AntiVirus, Comodo Firewall or Comodo Internet Security on a Windows computer, an application called GeekBuddy is installed too, for the purpose of remote technical support.

GeekBuddy in turn installs and starts a VNC server running with administrator privileges that can be reached over the local network. For a time the server had no password protection at all. Comodo later improved on that, but the passwords the company set turned out to be easily predictable, says Ormandy: “Any authorized user or software started on the system could get the password from the Windows registry and raise privileges after getting access to the server. It is not hard to guess the password, as it is short, simple and predictable.”
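As an added check, not Comodo's or Ormandy's code, the following Node.js script performs the first two steps of the RFB handshake that every VNC client speaks and reports whether a listener accepts connections with no authentication at all, or only with the legacy VNC password scheme. Host and port are the caller's; the server messages used to exercise the parsers are constructed. It never tries a password, so it is safe to run against your own machines to find out whether a bundled remote-support tool has left a VNC listener on the LAN.

```javascript
// Added check, not Comodo's or Ormandy's code: speak the first two steps of
// the RFB (VNC) protocol to a host and report which authentication types the
// server offers. The parsers are pure functions; probeVnc() does real
// network I/O and is only called by hand.
const RFB_SECURITY_TYPES = {
  1: "None (no authentication at all)",
  2: "VNC Authentication (DES challenge on a password of at most 8 characters)",
  16: "Tight", 18: "TLS", 19: "VeNCrypt",
};

// Server greeting: "RFB xxx.yyy\n" (12 bytes). Returns [major, minor].
function parseProtocolVersion(buf) {
  const m = /^RFB (\d{3})\.(\d{3})\n$/.exec(buf.subarray(0, 12).toString("latin1"));
  if (!m) throw new Error("not an RFB server greeting");
  return [Number(m[1]), Number(m[2])];
}

// Second server message. For 3.7/3.8 it is a count byte followed by that many
// type bytes (count 0 means a refusal with a length-prefixed reason string).
// For 3.3 the server dictates a single type as a 4-byte big-endian integer.
function parseSecurityTypes(buf, minor) {
  if (minor < 7) return [buf.readUInt32BE(0)];
  const n = buf[0];
  if (n === 0) {
    const len = buf.readUInt32BE(1);
    throw new Error("server refused connection: " + buf.subarray(5, 5 + len).toString("latin1"));
  }
  return [...buf.subarray(1, 1 + n)];
}

// What a reviewer wants to know: can anyone on the LAN get in without a
// password, and is the only alternative the weak legacy password scheme?
function assessSecurityTypes(types) {
  return {
    offered: types.map((t) => RFB_SECURITY_TYPES[t] || `unknown type ${t}`),
    unauthenticated: types.includes(1),
    passwordOnly: !types.includes(1) && types.every((t) => t === 2),
  };
}

// Live probe: connect, read the greeting, echo the same version back, read
// the security-type list, hang up. Usage: probeVnc("192.0.2.10").then(console.log)
async function probeVnc(host, port = 5900, timeoutMs = 3000) {
  const { createConnection } = await import("node:net");
  return new Promise((resolve, reject) => {
    const sock = createConnection({ host, port });
    let minor = null;
    sock.setTimeout(timeoutMs, () => { sock.destroy(); reject(new Error("timeout")); });
    sock.on("error", reject);
    sock.on("data", (data) => {
      try {
        if (minor === null) {                 // step 1: greeting; answer with the same version
          minor = parseProtocolVersion(data)[1];
          sock.write(data.subarray(0, 12));
        } else {                              // step 2: security types
          resolve(assessSecurityTypes(parseSecurityTypes(data, minor)));
          sock.end();
        }
      } catch (err) { sock.destroy(); reject(err); }
    });
  });
}
```

A server whose only offered type is 2 is exactly the situation described above once Comodo added a password: the scheme accepts at most 8 characters, and the password itself sits on disk where local software can read it, so "passwordOnly" on a LAN-reachable listener is still a finding.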

A method of stealing data from offline PCs discovered

Israeli security researchers have recovered a PC’s secret key by studying its electromagnetic emanation, a method that works against computers that are not connected to any network. Using a side-channel attack, they extracted the cryptographic key by measuring the electromagnetic emanation of the target PC while it was decrypting data with GnuPG. Within a few seconds they had obtained the secret key, which let them decrypt the data.

According to the researchers, the equipment needed for such an attack costs about $3,000, and no physical intervention, such as removing the computer’s cover, is required. As the report describes, the emanation of the target PC was measured during decryption; the researchers focused on a narrow frequency band and, after signal processing, obtained “a clear trace that revealed information about operands used in elliptic curve cryptography”. From that they recovered the secret key.

To obtain the key, the researchers observed 66 decryption operations of 0.05 seconds each, 3.3 seconds in total. Note that the 3.3 seconds is the time of the measured decryptions, not the duration of the whole attack.
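The root cause such attacks exploit is that the scalar multiplication does something different depending on each bit of the secret key. The following added illustration (not the researchers' measurement code, and not GnuPG's) shows this on a toy curve in JavaScript: a leaky double-and-add records a sequence of doublings and additions from which the scalar can be read straight off, while a Montgomery ladder performs the same operations for every bit. The curve y² = x³ + 2x + 3 over GF(97), the base point (3, 6) and the scalars are assumptions chosen for readability; the real attack works against 256-bit curves and, because of its low bandwidth, recovered the bits from operand values under chosen ciphertexts rather than from individual operations.

```javascript
// Added illustration, not the researchers' measurement code: why a
// secret-dependent sequence of curve operations leaks the scalar, and the
// fixed-shape alternative. Toy curve y^2 = x^3 + 2x + 3 over GF(97).
const P = 97, A = 2;
const G = [3, 6];                            // 36 = 27 + 6 + 3 mod 97, so G is on the curve
const mod = (x) => ((x % P) + P) % P;
function modInv(a) {                         // a^(P-2) mod P (Fermat), P prime
  let r = 1, b = mod(a), e = P - 2;
  while (e) { if (e & 1) r = (r * b) % P; b = (b * b) % P; e >>= 1; }
  return r;
}

// Affine point addition; null is the point at infinity.
function ecAdd(Q, R) {
  if (Q === null) return R;
  if (R === null) return Q;
  const [x1, y1] = Q, [x2, y2] = R;
  if (x1 === x2 && mod(y1 + y2) === 0) return null;     // R = -Q
  const lam = x1 === x2
    ? mod((3 * x1 * x1 + A) * modInv(2 * y1))            // doubling
    : mod((y2 - y1) * modInv(x2 - x1));                  // general addition
  const x3 = mod(lam * lam - x1 - x2);
  return [x3, mod(lam * (x1 - x3) - y1)];
}

// Leaky left-to-right double-and-add: a doubling for every bit and an extra
// addition only for 1 bits. `trace` stands in for what a probe observes.
function doubleAndAdd(k, Pt, trace) {
  let R = null;
  for (const bit of k.toString(2)) {
    R = ecAdd(R, R); trace.push("D");
    if (bit === "1") { R = ecAdd(R, Pt); trace.push("A"); }
  }
  return R;
}

// An observer who can tell D from A reads the scalar straight off the trace.
function recoverScalar(trace) {
  const bits = [];
  for (const op of trace) {
    if (op === "D") bits.push("0");
    else bits[bits.length - 1] = "1";
  }
  return parseInt(bits.join(""), 2);
}

// Montgomery ladder: one addition and one doubling per bit whatever its
// value, so the operation sequence carries no information. (Real constant-
// time code must also avoid secret-dependent branches and memory access inside
// ecAdd and the early returns for null; the toy only fixes the operation shape.)
function montgomeryLadder(k, Pt, trace, nbits) {
  let R0 = null, R1 = Pt;                   // invariant: R1 = R0 + Pt
  for (let i = nbits - 1; i >= 0; i--) {
    if ((k >> i) & 1) { R0 = ecAdd(R0, R1); R1 = ecAdd(R1, R1); }
    else { R1 = ecAdd(R0, R1); R0 = ecAdd(R0, R0); }
    trace.push("A", "D");
  }
  return R0;
}

function naiveMul(k, Pt) {                  // reference: add Pt k times
  let R = null;
  for (let i = 0; i < k; i++) R = ecAdd(R, Pt);
  return R;
}
function samePoint(a, b) { return JSON.stringify(a) === JSON.stringify(b); }
```

Running doubleAndAdd(13, G, t) leaves t as D A D A D D A, which recoverScalar turns back into 1101, that is 13; the ladder's trace is A D repeated for every bit regardless of the key.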

Linux Trojan spyware has a Windows version

Experts from Kaspersky Lab have reported a “twin brother” of the Linux.Ekoms Trojan, the malware previously found by Doctor Web. According to the new report, this malware now has a Windows version as well.

The Windows version generally works like its Linux counterpart. There are some differences in the code that reflect the differences between the operating systems, but they are not significant, and the principle of operation is the same on both.

Two differences matter. First, the Windows version includes a keylogger: all keystrokes are recorded and stored in a log file. The Linux version also contained this component, but it was disabled in the samples the experts analysed. Second, and this makes the Windows version more dangerous, the Windows malware is signed with stolen Comodo certificates, so the system treats the Trojan as a legitimate application from a trusted source.

An update to the report later stated that the company had found one more variant of the Trojan, Backdoor.Win32.Mokes.imw. This sample also has an audio-recording function, which is disabled in the Linux version.

eBay Administration is not going to fix a dangerous bug

Researchers from Check Point recently discovered a serious vulnerability in the eBay online platform. The technique behind it is known as JSFuck: it encodes arbitrary JavaScript using only the six characters []()!+, which lets it slip past eBay’s content filters. An attacker can therefore open a shop on eBay, put malicious JavaScript into an item description, and reap the rewards.

Moreover, on January 16th eBay representatives said that they do not plan to fix this vulnerability.

The problem is that criminals can now get past the eBay filters that are supposed to detect malicious code. They can create seemingly legitimate shop pages on eBay, plant code into them using JSFuck, and when a visitor opens such a page, the consequences are very unpleasant.

In fact, attackers are limited only by their imagination. A visitor to a malware-laden page can become a victim of phishing or identity theft. For example, on an infected eBay page the visitor might be prompted to download the eBay mobile application at a special price; everything looks legitimate and safe, but if the victim confirms the download, malware is installed on the device.
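The filter-bypass works because JavaScript coerces types so freely that every character needed to spell a function call can be manufactured from []()!+ alone. The following added example (constructed for this page; not Check Point's proof of concept and not the full JSFuck tool) is a mini-encoder for Node.js that derives letters from the strings "false", "true", "undefined", "NaN" and the source text of a built-in function, assembles Function(code)() from them, and shows that a naive "no letters, no tags" filter blocks the plain payload but passes the encoded one, which still runs. The payload `return 42` and the filter regex are assumptions for the demo.

```javascript
// Added example: a minimal JSFuck-style encoder. Every output character is
// one of []()!+, which is why a filter that only looks for letters or
// "<script" lets the payload through. Constructed for this page; not Check
// Point's code and not the full JSFuck tool.
const FALSE = "![]";            // evaluates to false
const TRUE = "!![]";            // true
const UNDEF = "[][[]]";         // [][""] -> undefined
const str = (expr) => `(${expr}+[])`;   // any value + [] gives its string form

// Small non-negative integers: +[] is 0, +!+[] is 1, !+[]+!+[] is true+true = 2, ...
function num(n) {
  if (n === 0) return "+[]";
  if (n === 1) return "+!+[]";
  return Array(n).fill("!+[]").join("+");
}

// Character table: each entry is an expression that evaluates to that character.
const CHARS = {};
function learn(sourceExpr, text) {        // sourceExpr must evaluate to `text`
  [...text].forEach((c, i) => { if (!(c in CHARS)) CHARS[c] = `${str(sourceExpr)}[${num(i)}]`; });
}
learn(FALSE, "false");
learn(TRUE, "true");
learn(UNDEF, "undefined");
learn("+[![]]", "NaN");                    // +["false"] is NaN
for (let d = 0; d <= 9; d++) CHARS[String(d)] = `([${num(d)}]+[])`;   // [2]+[] is "2"

function encodeString(s) {
  return [...s].map((c) => {
    if (!(c in CHARS)) throw new Error(`no []()!+ spelling for ${JSON.stringify(c)} in this mini-encoder`);
    return CHARS[c];
  }).join("+");                            // string + string concatenates
}

// []["filter"] is Array.prototype.filter; its string form starts with
// "function " on every engine, which supplies 'c', 'o' and the space.
const FILTER_FN = `[][${encodeString("filter")}]`;
learn(FILTER_FN, "function ");
// filter.constructor is Function, so this is Function(code)() spelled in six characters.
const FUNCTION_CTOR = `${FILTER_FN}[${encodeString("constructor")}]`;
function encodeCall(code) {
  return `${FUNCTION_CTOR}(${encodeString(code)})()`;
}

// The kind of check the encoding defeats: "no letters, no tags, no script".
function naiveScriptFilter(src) {
  return /[A-Za-z<>]/.test(src);          // true means "block it"
}

function demo() {
  const plain = "return 42";
  const encoded = encodeCall(plain);
  return {
    encoded,
    onlySixChars: /^[\[\]()!+]+$/.test(encoded),
    blockedPlain: naiveScriptFilter(plain),
    blockedEncoded: naiveScriptFilter(encoded),
    result: eval(encoded),                 // the payload actually runs: 42
  };
}
```

The lesson for the filter side is the one Check Point drew: a blocklist of suspicious substrings cannot recognise script, because the character set of script is not fixed; the description has to be rendered in a context where it cannot execute, or parsed as HTML and reduced to an allowlist of inert elements.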

Since eBay representatives have officially stated that they do not consider the possibility of such an attack a vulnerability, the Check Point experts can only hope the company changes its mind.

BlackEnergy Trojan gets into the system through a vulnerability in Microsoft Office 2013

Security experts from SentinelOne have exposed a new way of spreading the BlackEnergy malware, which has been attacking SCADA systems across Europe. It turns out that the latest version is delivered inside Microsoft Office documents and targets inattentive and careless employees of energy companies, who unintentionally bring the malware into their systems.

A team at SentinelOne reverse-engineered the malware and found indications that it is distributed in this way.

The BlackEnergy 3 variant delivered through Office 2013 documents exploits a vulnerability that was patched some time ago, so it works only on unpatched machines, and only when an employee opens the infected Excel document.

Since energy companies are unlikely to run outdated software, the malware must still be brought into them, wittingly or unwittingly, by their staff.

If the experts’ conclusion that BlackEnergy is already present in many European power systems turns out to be true, the malware could be used to cause blackouts and other emergencies, which is a considerable threat to the power grids.

Android malware steals voice two-factor authentication codes

Experts from Symantec have recently reported a new version of the banking Trojan Android.Bankosy, which steals users’ financial information. What sets it apart from other malware of its kind is that Android.Bankosy can intercept two-factor authentication codes delivered by voice call.

Malware is constantly evolving, and so are the means of protection. Malicious software long ago learned to intercept the one-time passwords (OTPs) that two-factor authentication (2FA) sends by SMS. In response, some financial institutions began delivering OTPs by voice call: an automated system calls the user and a robot reads the one-time code aloud. Now Symantec’s specialists have found that this method can no longer be considered reliable either.

The latest version of the Trojan can switch the smartphone to silent mode and automatically intercept voice calls, including those in which one-time passcodes are read out. Symantec’s experts say the feature only works in a number of Asian countries so far.

As protection against such attacks, Symantec recommends the standard set of measures: keep software up to date, install applications only from trusted sources, run a reliable anti-virus, and watch carefully which permissions every application requests when it is installed.

Bitdefender Total Security was added on our site

On January 21, 2016 Bitdefender Total Security was added to our site http://www.anti-keyloggers.com. The product has garnered many awards and accolades since its inception in 2001, from the prestigious European IST Prize to the #1 Best Buy ranking from PC World, and today it is the best anti-keylogger in the world. It does not run on Windows 10 yet, but we believe the developer is going to address that.

New product IObit Malware Fighter PRO appeared

On January 21, 2016 a new product, IObit Malware Fighter PRO, appeared on our site http://www.anti-keyloggers.com. It is the first and so far the only program on our site that works on Windows 10. Its 43-language interface makes it truly unique. Test results that confirm its quality are displayed on our site.

Loaris Trojan Remover was tested and posted

On January 14, 2016 the anti-keylogger Loaris Trojan Remover was tested and posted on the site http://www.anti-keyloggers.com.

The program proved simple and convenient to use. It prevents monitoring of your important information. It works on Windows XP, Windows 7 and Windows 8, but not on Windows 10. Its 10 interface languages let it be used in any corner of the world by clients of any nationality.

In our testing it showed excellent results, scoring 8 points on a 10-point scale. The results of the Zemana test were excellent as well: the program was tested against four monitoring products of different quality levels, and three of the four tests were positive (that is, the monitoring activity was blocked).