In late 2011, an international law enforcement task force disabled one of the largest botnets ever seen(1). This botnet was facilitated by a DNS Changer Malware(2), known under various names such as TDSS, TDL4, Alureon, and others.

This malware changes the user’s DNS server settings to replace the ISP’s good DNS servers with rogue DNS servers operated by the cybercriminals in order to facilitate spamming and further malware infections of the victim’s computer.

The rogue DNS servers have been replaced by clean DNS servers, but after July 9 these servers will be taken offline, meaning that computers that are still infected with TDSS will lose access to the internet. Up to 350,000 computers are estimated to be affected in this manner.

How to check for infection

The FBI is recommending that users seek help from IT professionals, among other sources. If you would like to perform checks for yourself or your clients, a variety of “are you infected?” web sites have been enabled. A list of international sites is found here:
http://www.dcwg.org/detect/

How to fix infected computers

If a computer is found to be infected, there are a variety of free tools that will specifically deal with this threat. A listing of these tools can be found here:
http://www.dcwg.org/fix/

If you require free assistance in checking and disinfecting multiple machines on a network, please contact us immediately at: virus at cmsecuretech dot com.

Network Malware Reporter Beta

We are beta testing a network malware analysis tool, which creates reports that can help you automatically verify that an entire network is clean using 4 of today’s top antimalware engines. If you would like to participate in the beta test, please contact us at virus at cmsecuretech dot com.

Sources:

1.Esthost Taken Down – Biggest Cybercriminal Takedown in History |
http://blog.trendmicro.com/esthost-taken-down-biggest-cybercriminal-takedown-in-history/

2. FBI Report: DNS Changer Malware (Adobe Acrobat) |
http://www.fbi.gov/DNS-changer-malware.pdf

The most common type of infection can include a trojan downloader and connection to a command and control server, which eventually will drop the most telltale sign of infection: scareware.  One source  estimates that scareware nets upwards of $130 million dollars a year by tricking PC  users into paying for a fake antivirus solution to remove the virus that it itself has caused.  These can be difficult to remove, as they include updater and watchdog services that prevent them from being disabled.  Add a rootkit component and possibly an MBR infection and you have your work cut out for you.

Today is the first part of a series designed to help the SMB Consultants deal with the increasingly complex malware threat effectively and highlight new tools and techniques in the process.

When it is difficult to get direct access to kill malware processes, one tool that we keep in our toolbox is HitmanPro, by Surfright. One of the reasons for this is because it can run in “Force Breach” mode, which comes in handy when malware has subverted the explorer shell and prevents you from turning it off.

If you are not familiar with HitmanPro, it’s a powerful anti-malware tool that uses the detection and removal technologies of several commercial AV vendors on an on-demand basis.  It will remove malware for free for 30 days once installed, and is perfect for those malware cleanup emergencies. This tool has many interesting features, but today we are going to focus on force breach mode.

 Download (Amazon S3)

1. After downloading copying Hitman Pro to the infected computer, simply hold down the left CTRL key while launching Hitman Pro.  Once the splash screen appears, you can let go of the CTRL key.  You may notice the windows system tray may disappear, this is because it kills all non-essential processes when it enters force breach mode.

2. Once the splash screen comes up, you will  have the option to start up Hitman Pro in several modes, including something the makers call “Early Warning Scoring” mode (We’ll cover this in a future newsletter). For now, try the default scan. and click ‘Next’

3. Hitman will connect to the cloud and perform its tasks.  If malware has subverted DNS, Hitman will test for this and automatically get around this problem. Once items have been detected, you can activate Hitman Pro free for 30 days and remove the infection.  We have double checked with Surfright and they confirmed that using Hitman for a 3rd party is permitted under their licensing terms.

4. Hitman will perform malware removal and cleanup.  Depending on the infection, you might have to restart the computer.  If there are remnants of the infection left, it should be much easier to handle with traditional antivirus tools and techniques at this point.

Below is a video that shows the entire process (Previous version 3.5)

If you have any questions regarding HitmanPro or want to request a free NFR license (Consultants only) please send us a message.

*(denotes required field)

Name: *

E-Mail Address: *

Company *

Message: *

CAPTCHA Code: *

Just when they released, probably their most secured operating system ever, we now see that there are more holes in the Microsoft family that we have to worry about.

More Problems With Internet Explorer

A couple of months ago, there was a flaw found in the Internet Explorer family of browsers. It affected all versions. Microsoft released a fix and all was thought to be well in the world. But it turns out this is not true. There has been another major flaw found when it comes to the Internet Explorer browser.

Read the full article here

Want to know where the Google Street View car is? In the UK, there was a collaborative effort to track it through pictures and crowdsourced mapswhen it was over here collecting the pictures for Google Nostalgia (ah, those days when Woolworths was open).

Full article is here

The “Black Hawk Safety Net” website taught hacking techniques and provided malicious software downloads for its 12,000 members in exchange for a fee, the Wuhan Evening News newspaper reported this weekend, citing police in Huanggang, just east of Wuhan.

Read the full article here: