Friday, July 22, 2011

Microsoft: Rootkit infection requires Windows reinstall


Microsoft announced today that a new rootkit buries itself so deeply in the computer's boot sector that infected users will be forced to reinstall the operating system to fix the problem.
This Trojan, called "Popureb", digs deeply into the system's boot sector. The only way to get rid of it is to return Windows to its out-of-the-box configuration. According to Microsoft's Malware Protection Center, "If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state." For those not familiar with the recovery disk, it allows a user to return Windows to its factory settings.
Popureb overwrites the hard drive's master boot record (MBR), the first sector of the disk, which runs before Windows does. Since the Trojan hides in the MBR, the rootkit is effectively invisible to both the operating system and any security software running on top of it. It also intercepts write operations aimed at the master boot record and turns them into read operations, so an attempt to overwrite the infected MBR from inside Windows appears to succeed while nothing is ever written to the disk.
Microsoft adds that simply restoring the system may not restore the MBR, which is why the MBR should be fixed first; for that it recommends the Recovery Console, which supports a command called "fixmbr". On Windows Vista and 7 the equivalent is "bootrec /fixmbr" from the Windows Recovery Environment. Either way the command must be run from boot media, not from the infected Windows, and it rewrites only the boot code while leaving the partition table in place.
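Microsoft's advice above boils down to "the MBR on an infected machine cannot be trusted". As an added example, not code from the post or from Microsoft, the following Python parser reads a classic 512-byte MBR, hashes the boot-code region against a baseline taken from known-good media, and sanity-checks the partition table. The sample sector and its "tampered" copy are constructed for illustration and are not Popureb; the layout offsets (440 bytes of boot code, disk signature, four 16-byte entries, 0x55AA) are the standard MBR layout, and the baseline hash is whatever you compute from a clean install.

```python
"""Parse a classic 512-byte MBR and compare it against a known-good baseline.

Added example; not code from the original post or from Microsoft. The sample
sector below is constructed for illustration and is not a malware sample.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0-439: boot code
DISK_SIG_OFF = 440       # bytes 440-443: Windows disk signature, 444-445 reserved
PART_TABLE_OFF = 446     # four 16-byte partition entries
PART_ENTRY_LEN = 16
PART_COUNT = 4
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition entry; CHS fields are ignored in favour of LBA."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Split the sector into a boot-code hash, disk signature, partitions and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(PART_COUNT):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        entries.append(parse_partition_entry(sector[off:off + PART_ENTRY_LEN]))
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": [e for e in entries if e["type"] != 0],   # type 0 = unused slot
        "valid_signature": sector[SECTOR_SIZE - 2:] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, known_good_boot_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches expectations."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if mbr["boot_code_sha256"] != known_good_boot_hash:
        findings.append("boot code differs from known-good baseline")
    if sum(1 for p in mbr["partitions"] if p["bootable"]) > 1:
        findings.append("more than one partition flagged active")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in mbr["partitions"])
    for (_a_start, a_end), (b_start, _b_end) in zip(spans, spans[1:]):
        if b_start < a_end:
            findings.append("overlapping partition entries")
            break
    return findings


def partition_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build a 16-byte entry with zeroed CHS fields (used only to construct the sample)."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


# Constructed sample: a few stand-in opcode bytes padded to 440 (not real boot code),
# one active NTFS (0x07) partition at LBA 2048 and a second NTFS partition after it.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb".ljust(BOOT_CODE_LEN, b"\x00")
CLEAN_MBR = (
    CLEAN_BOOT_CODE
    + struct.pack("<I", 0x1234ABCD)              # disk signature (constructed)
    + b"\x00\x00"                                # reserved
    + partition_entry(0x80, 0x07, 2048, 204800)
    + partition_entry(0x00, 0x07, 206848, 1000000)
    + partition_entry(0, 0, 0, 0)
    + partition_entry(0, 0, 0, 0)
    + BOOT_SIGNATURE
)
BASELINE_HASH = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()   # from clean media in practice

# Constructed "tampered" copy: a bootkit replaces the start of the boot code but
# leaves the partition table and 0x55AA intact, so only the hash comparison catches it.
TAMPERED_MBR = b"\xeb\xfe" + CLEAN_MBR[2:]

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, check_mbr(sector, BASELINE_HASH) or "ok")
```

To feed it a real sector, boot from clean media and read the first 512 bytes of the disk (for example `dd if=/dev/sda bs=512 count=1` on a Linux rescue system); as the post notes, the rootkit is invisible from inside the running Windows, so a sector read from there is not evidence of anything.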

Unlimited gTLDs?

The Internet Corporation for Assigned Names and Numbers (ICANN) recently approved the future use of unlimited gTLDs (generic top-level domains). There are currently a total of 22 gTLDs, ranging from .com to .org to .net, but starting in January 2012 that list of 22 will expand to a practically limitless number: anything you can dream up will be able to become a gTLD.
So, what does this mean for businesses with websites online? It means that things may get a bit interesting and expensive. The top advice that owners of businesses with an online presence hear is to protect their domain(s) from cyber squatters. So, if you own yourbusiness.com, you should probably also own yourbusiness.net, .org, .biz, any common misspellings of your domain name, and every possible variation (within your budget), so your customers don't mistype your web address and end up at a website that is not owned by you. With limitless TLDs, when would you know to stop buying domains? When you go broke, I guess.
Which brings me to my next point: will everyone be able to register any top-level domain?
Yes, but at a very, very HIGH price. The application fee for a new gTLD will be $185,000 and the yearly fee $25,000. For major online players that is chump change, but for small online businesses it is an astronomical price for a domain. So, will everyone have a custom domain? No, but just knowing that you can is pretty cool.

“Windows license locked”: Ransomware Targets Windows

Windows license locked!
“This copy of Windows is locked. You may be a victim of fraud or there may be an internal system error” – malware message

Mikko Hyppönen of F-Secure has warned of a new variant of what he calls "ransomware", or ransom trojans: malware that takes a computer hostage and then tries to extort a payment in return for restoring control of the computer or its files to the owner. Sometimes the malware encrypts files (with AES, the Advanced Encryption Standard, for example) until a "ransom" is paid in exchange for the key that unlocks them.
This attack tries to extort money from users by pretending to be Microsoft and convincing victims to dial international telephone numbers to "reactivate" Windows. The initial stage displays a message claiming that Windows is "locked" and must be reactivated; at this point victims are unable to boot their computers into normal or even safe mode.

“To regain control of the PC, users are told to reactivate Windows online or via a phone call. The former, however, is not available; a follow-up message instructs users to dial one of six telephone numbers, then enter a six-digit code to reactivate the operating system.” The telephone numbers actually lead to an automated call center where users are kept on hold for several minutes, racking up long-distance charges.

While these numbers may look like generic service numbers, they aren't:
•  002392216368
•  002392216469
•  004525970180
•  00261221000181
•  00261221000183
•  00881935211841

The numbers go to various countries ("00" is the prefix for international dialing): São Tomé and Príncipe (239), Denmark (45), Madagascar (261) and the Globalstar mobile satellite service (8819, within the shared +881 satellite code).
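Resolving a dialed number to its destination is a longest-prefix match on the digits after the international access code, which is how the mapping above is derived. As an added example, not code from the post or from F-Secure, the Python below normalises the access prefix ("00", "011" or "+"), resolves the country code by longest prefix, and flags the shared +881 satellite code, whose fourth digit identifies the operator. The prefix table is a constructed, deliberately minimal subset of the ITU E.164 assignments that covers only the six numbers quoted in the post; a real screening tool would load the full table.

```python
"""Resolve dialed international numbers to a destination by longest-prefix match.

Added example; not code from the original post or from F-Secure. The prefix
table is a constructed subset of E.164 country codes covering only the numbers
quoted in the post.
"""

# Constructed subset of E.164 country codes. +881 is the shared "Global Mobile
# Satellite System" code; the digit after it identifies the satellite operator,
# so a 4-digit entry is needed to resolve it.
E164_PREFIXES = {
    "45": "Denmark",
    "239": "Sao Tome and Principe",
    "261": "Madagascar",
    "881": "Global Mobile Satellite System (operator unknown)",
    "8818": "Globalstar",
    "8819": "Globalstar",
}

# International access prefixes accepted before the country code:
# "+" (E.164 form), "011" (North America), "00" (ITU-recommended, used in Europe).
IDD_PREFIXES = ("+", "011", "00")

MAX_PREFIX_LEN = max(len(p) for p in E164_PREFIXES)


def to_e164_digits(dialed: str) -> str:
    """Strip formatting and the access prefix; return country code + subscriber digits."""
    compact = "".join(ch for ch in dialed if ch not in " -()")
    for idd in IDD_PREFIXES:
        if compact.startswith(idd):
            digits = compact[len(idd):]
            break
    else:
        raise ValueError(f"no international access prefix: {dialed!r}")
    if not digits.isdigit():
        raise ValueError(f"non-digit characters in number: {dialed!r}")
    return digits


def classify_number(dialed: str) -> dict:
    """Longest-prefix match of the country code; flags satellite (+881) destinations."""
    digits = to_e164_digits(dialed)
    prefix = next(
        (digits[:n] for n in range(MAX_PREFIX_LEN, 0, -1) if digits[:n] in E164_PREFIXES),
        None,
    )
    return {
        "dialed": dialed,
        "e164": "+" + digits,
        "prefix": prefix,
        "destination": E164_PREFIXES.get(prefix, "unknown (prefix not in table)"),
        "satellite": prefix is not None and prefix.startswith("881"),
    }


# The six numbers quoted in the post, as shown by the malware.
MALWARE_NUMBERS = [
    "002392216368", "002392216469", "004525970180",
    "00261221000181", "00261221000183", "00881935211841",
]


def destinations(numbers=MALWARE_NUMBERS) -> dict:
    """Map each dialed number to its resolved destination name."""
    return {n: classify_number(n)["destination"] for n in numbers}


if __name__ == "__main__":
    for n in MALWARE_NUMBERS:
        r = classify_number(n)
        flag = " [satellite]" if r["satellite"] else ""
        print(f"{n} -> {r['e164']} ({r['destination']}){flag}")
```

Any number that resolves to a satellite operator or to a destination outside your normal calling pattern is worth treating as suspect before anyone dials it; the destination alone does not tell you the per-minute rate, which depends on the carrier.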
The trojan claims that the call is "free of charge", but it isn't: the trojan author earns money from the call through a technique known as short stopping, in which rogue phone operators intercept the expensive international call and terminate it in a cheaper country while billing it at the rate of the advertised destination.
After three minutes or so, the caller is given this unlock code: 1351236. The unlock code appears to be the same every time the number is called, and Mikko believes it will unlock any affected computer. As he put it, "I hate the idea of paying money to these clowns, just enter that code."
He explains that it is a pretty clever bit of social engineering and that some victims may never even realize they have been scammed, since the only visible cost is a long-distance call that was supposed to be free.
F-Secure detects this trojan as Trojan.Generic.KDV.153863 (MD5: 9a6f87b4be79d0090944c198a68012b6).
You can watch Mikko’s video of the malware here.

