Monday, 30 June 2014

Tools to Remove Malware

Attackers keep finding new ways to break into computers, and the kinds of attack that security firms track keep multiplying, from commodity malware and spyware to sophisticated intrusions aimed at large businesses and enterprises. Below is a list of eight free tools for removing malware from an infected computer.



1.Ad-Aware

Anti-spyware and anti-virus program developed by Lavasoft that detects and removes malware, spyware and adware on a user's computer.

2.Emsisoft Emergency Kit

The Emsisoft Emergency Kit contains a collection of programs that can be used without software installation to scan for malware and clean infected computers.

3.Norman Malware Cleaner

This simple and user-friendly tool not only detects malicious software but also removes it from your computer. Download and run the program to clean an infected system.

4.SUPERAntiSpyware

Shareware that can detect and remove spyware, adware, trojan horses, rogue security software, computer worms, rootkits, parasites and other potentially harmful applications. Although it can detect malware, SUPERAntiSpyware is not designed to replace antivirus software.

5.Spybot

Spybot Search & Destroy is a set of tools for finding and removing malicious software. The immunisation feature pre-emptively protects the browser against threats, and the system and file scans detect spyware and other malicious software and eradicate it.

6.Combofix

A standalone executable intended for users with advanced computer skills, to be run only when a regular antivirus does not detect a particular piece of malware, or when the antivirus cannot update or otherwise function.

7.Microsoft Safety Scanner

Free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware and other malicious software. It runs alongside your existing antivirus software rather than replacing it.

8.Malwarebytes Anti-Malware

Made by Malwarebytes Corporation and first released in January 2008, it is available in a free version that scans for and removes malware when run manually.

Sunday, 16 February 2014

The Mask, a malware campaign that remained undetected for 7 Years


A sophisticated cyber-espionage operation, 'The Mask', which stayed hidden for about seven years while targeting victims in approximately 31 countries, has now been 'unmasked' by researchers at Kaspersky Lab.

The researchers believe that the operation has been active since 2007 and appears to be a nation-state espionage tool that targeted government agencies, diplomatic offices and embassies before Kaspersky disclosed it.

In the report published by Kaspersky, the researchers identified more than 380 unique victims, including government institutions, diplomatic offices and embassies, private companies, research institutions and activists.

The name "Mask" comes from the Spanish slang word "Careto" ("ugly face" or "mask"), which the authors included in some of the malware modules.

The developers of the Mask (also known as Careto) used a complex toolset, including highly developed malware, a bootkit and a rootkit, that can intercept network traffic, keystrokes, Skype conversations and Wi-Fi traffic, capture the screen, monitor all file operations, and harvest encryption keys, VPN configurations, SSH keys, RDP files and PGP keys. This breadth of collection makes it unusually dangerous and, in the researchers' view, more sophisticated than Duqu.



The malware collects files with the following extensions:
*.AKF, *.ASC, *.AXX, *.CFD, *.CFE, *.CRT, *.DOC, *.DOCX, *.EML, *.ENC, *.GMG, *.GPG, *.HSE, *.KEY, *.M15, *.M2F, *.M2O, *.M2R, *.MLS, *.OCFS, *.OCU, *.ODS, *.ODT, *.OVPN, *.P7C, *.P7M, *.P7Z, *.PAB, *.PDF, *.PGP, *.PKR, *.PPK, *.PSW, *.PXL, *.RDP, *.RTF, *.SDC, *.SDW, *.SKR, *.SSH, *.SXC, *.SXW, *.VSD, *.WAB, *.WPD, *.WPS, *.WRD, *.XLS, *.XLSX.
Victims of this malware were found in: Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, United Kingdom, United States and Venezuela.

The malware remained undetected for about seven years. According to the researchers, it was designed to infect 32- and 64-bit Windows, Mac OS X and Linux, and they believe there may also be versions for Android and iPhone (Apple iOS), although those have not been confirmed.

Inside its main binary is a CAB file containing shlink32.dll and shlink64.dll; the malware extracts whichever matches the architecture of the victim's machine and installs it as objframe.dll.

It includes the sophisticated SGH backdoor, designed for extensive surveillance, and a DINNER module that is executed via remote APC calls and loads a 'chef' module responsible for network connectivity and 'waiter' modules responsible for the logical operations.

Another backdoor, SBD (Shadowinteger's Backdoor), built on the open-source tool netcat, is also included. To infect Linux systems, a Mozilla Firefox add-on named "af_l_addon.xpi", hosted on "linkconf[dot]net", was used.

Spear phishing, a favourite of attackers such as the Syrian Electronic Army (SEA), was used to distribute the malware: users were lured into clicking links to malicious websites that hosted a number of exploits to compromise their systems.


Kaspersky found that linkconf.net, redirserver.net and swupdt.com hosted the exploits. Merely visiting these sites did not infect the visitor: the attackers placed the exploit in a directory that could not be reached by browsing the site, and linked directly to it from the phishing email.

To make the attack look genuine, the attackers used a fake SSL certificate for an otherwise unknown company, TecSystem Ltd, valid since 2010, and sometimes subdomains that simulated subsections of newspapers, including Spain's main newspapers, The Washington Post and The Register.
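The three domains above, together with the objframe.dll and af_l_addon.xpi file names mentioned earlier, are the indicators a defender can sweep for. The Go program below is an added example written for this page, not code from Kaspersky or from the campaign: it runs that sweep over a few DNS log lines and file paths that are constructed for the example (the log format, timestamps and client addresses are invented). Because the attackers hung newspaper-style subdomains under these domains, the domain check is a suffix match on a label boundary rather than an exact comparison.

```go
package main

import (
	"fmt"
	"strings"
)

// Domains the article names as exploit hosts; the suffix match below also
// catches the look-alike subdomains the attackers hung under them.
var caretoDomains = []string{"linkconf.net", "redirserver.net", "swupdt.com"}

// File names the article associates with the implant: the installed
// objframe.dll and the Firefox add-on used against Linux hosts.
var caretoFiles = []string{"objframe.dll", "af_l_addon.xpi"}

// Hit is one indicator match: the input line or path and the indicator it hit.
type Hit struct {
	Line      string
	Indicator string
}

// matchesDomain reports whether host is an indicator domain or a subdomain
// of one. Matching on a label boundary ("." + domain) keeps an unrelated host
// such as notlinkconf.net from being flagged; a trailing dot and upper case
// are normalised away first.
func matchesDomain(host string) (string, bool) {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, d := range caretoDomains {
		if host == d || strings.HasSuffix(host, "."+d) {
			return d, true
		}
	}
	return "", false
}

// ScanDNSLog scans lines of the constructed form
//   <timestamp> <client-ip> <queried-name>
// and returns a Hit for every query that touches a Careto domain.
func ScanDNSLog(log string) []Hit {
	var hits []Hit
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		fields := strings.Fields(line)
		if len(fields) < 3 {
			continue // malformed line: skip it rather than abort the sweep
		}
		if ind, ok := matchesDomain(fields[2]); ok {
			hits = append(hits, Hit{Line: line, Indicator: ind})
		}
	}
	return hits
}

// ScanFileList returns a Hit for every path whose base name is a Careto file
// indicator. Windows and POSIX separators are both accepted and the
// comparison is case-insensitive, as Windows file names are.
func ScanFileList(paths []string) []Hit {
	var hits []Hit
	for _, p := range paths {
		base := strings.ToLower(p[strings.LastIndexAny(p, "/\\")+1:])
		for _, f := range caretoFiles {
			if base == f {
				hits = append(hits, Hit{Line: p, Indicator: f})
			}
		}
	}
	return hits
}

// Constructed sample input; the non-indicator entries are there to show
// what the matcher must NOT flag.
const sampleDNSLog = `
2014-02-03T10:12:01Z 10.0.0.12 www.news.example
2014-02-03T10:12:04Z 10.0.0.12 news.swupdt.com
2014-02-03T10:12:09Z 10.0.0.15 notlinkconf.net
2014-02-03T10:13:22Z 10.0.0.20 LINKCONF.NET.
`

var sampleFiles = []string{
	`C:\Windows\System32\objframe.dll`,
	`C:\Program Files\Vendor\objframe2.dll`,
	"/home/user/.mozilla/firefox/abc.default/extensions/af_l_addon.xpi",
}

func main() {
	for _, h := range ScanDNSLog(sampleDNSLog) {
		fmt.Printf("DNS hit [%s]: %s\n", h.Indicator, h.Line)
	}
	for _, h := range ScanFileList(sampleFiles) {
		fmt.Printf("file hit [%s]: %s\n", h.Indicator, h.Line)
	}
}
```

A file-name match is weak evidence on its own: confirm a suspected objframe.dll by hash or by its digital signature before declaring an incident, and populate caretoDomains from the full report rather than from the three names quoted in this article.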


Kaspersky took a particular interest in this research because the malware tried to exploit a vulnerability in its own products, namely Workstation products prior to version 6.0.4.* and KAV/KIS 8.0.


“In case of the Careto implant, the C&C communication channel is protected by two layers of encryption. The data received from the C&C server is encrypted using a temporary AES key, which is also passed with the data and is encrypted with an RSA key. The same RSA key is used to encrypt the data that is sent back to the C&C server. This double encryption is uncommon and shows the high level of protection implemented by the authors of the campaign.” they said.
During the investigation the C&C servers went offline, which suggests that the attacker group was monitoring every aspect of the malware's activity. Since no identifying patterns have been found in these attacks, who is behind them remains a matter of investigation.

Author : Shivam Kotwalia, CodeKill

Wednesday, 29 January 2014

First widely distributed Android bootkit Malware infects more than 350,000 Devices

In the last quarter of 2013, sales of smartphones running the Android operating system rose sharply, and every second person you see is now a Droid user.

The Russian security firm Doctor Web has identified the first mass-distributed Android bootkit, 'Android.Oldboot', a piece of malware designed to re-infect the device after every reboot, even if all of its working components have been deleted.

The bootkit Android.Oldboot has infected more than 350,000 Android users in China, Spain, Italy, Germany, Russia, Brazil, the USA and some Southeast Asian countries. China accounts for the bulk of the victims, with a 92% share.

A bootkit is a rootkit variant that infects the device at start-up, before the operating system is fully running, and may encrypt the disk, steal data, remove applications or open a connection to a command-and-control server.

A novel technique is used to inject this Trojan into an Android system: the attacker places a component of it in the boot partition of the file system and modifies the 'init' script (which initialises the operating system) so that the malware is reloaded every time the device is switched on.

When the device starts, this script loads the Trojan 'imei_chk' (detected as Android.Oldboot.1), which extracts two files, libgooglekernel.so (Android.Oldboot.2) and GoogleKernel.apk (Android.Oldboot.1.origin), and copies them to /system/lib and /system/app respectively.

Android.Oldboot runs as a system service, connects to the command-and-control server through the libgooglekernel.so library, and receives commands to download files, remove installed apps and install malicious apps.

Because it lives in the boot partition, a factory reset, which wipes only the data partition, does not remove it. The researchers believe the devices either had the malware pre-loaded when they shipped from the manufacturer or were infected through modified Android firmware, so users should be wary of such firmware.
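The persistence described in the preceding paragraphs leaves two things on disk that can be checked: a service entry in the init script that starts imei_chk from the boot ramdisk, and the two files it re-creates under /system/lib and /system/app. The Go program below is an added example written for this page, not Doctor Web's tooling. It audits an init.rc fragment and a /system listing that are both constructed for the example; the allowlist of service directories and the 'updater' service are assumptions made to show the generic rule firing, not indicators from the report.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one suspicious entry: which service or file, and why.
type Finding struct {
	Item   string
	Reason string
}

// Names the article gives for the Oldboot components.
var oldbootServices = map[string]bool{"imei_chk": true}
var oldbootFiles = map[string]bool{
	"/system/lib/libgooglekernel.so": true,
	"/system/app/GoogleKernel.apk":   true,
}

// Directories from which init is normally expected to start services on a
// device of that era. This allowlist is an assumption for the example; tune
// it against a known-good image of the same device model.
var allowedServiceDirs = []string{"/sbin/", "/system/bin/", "/system/xbin/"}

// AuditInitRC parses "service <name> <path> ..." lines from an init.rc and
// flags a service if its name is a known Oldboot component or if its binary
// lives outside the allowlisted directories. The second rule is generic and
// catches unknown families that reuse the same persistence trick.
func AuditInitRC(rc string) []Finding {
	var out []Finding
	for _, raw := range strings.Split(rc, "\n") {
		fields := strings.Fields(raw)
		if len(fields) < 3 || fields[0] != "service" {
			continue
		}
		name, path := fields[1], fields[2]
		if oldbootServices[name] {
			out = append(out, Finding{name, "service name matches Android.Oldboot component"})
			continue
		}
		ok := false
		for _, d := range allowedServiceDirs {
			if strings.HasPrefix(path, d) {
				ok = true
				break
			}
		}
		if !ok {
			out = append(out, Finding{name, "service binary outside expected directories: " + path})
		}
	}
	return out
}

// FindDroppedFiles checks a listing of /system for the two files imei_chk
// drops on each boot.
func FindDroppedFiles(listing []string) []Finding {
	var out []Finding
	for _, p := range listing {
		if oldbootFiles[p] {
			out = append(out, Finding{p, "Android.Oldboot dropped file present"})
		}
	}
	return out
}

// Constructed init.rc fragment: ueventd and adbd are normal; imei_chk is the
// article's indicator; "updater" is a made-up service started from /data to
// show the directory rule firing.
const sampleInitRC = `
on init
    export PATH /sbin:/system/sbin:/system/bin:/system/xbin

service ueventd /sbin/ueventd
    class core
    critical

service imei_chk /sbin/imei_chk
    class core
    user root
    oneshot

service adbd /sbin/adbd
    class core
    disabled

service updater /data/local/tmp/upd
    class main
    user root
`

// Constructed /system listing after one infected boot.
var sampleSystemListing = []string{
	"/system/lib/libc.so",
	"/system/lib/libgooglekernel.so",
	"/system/app/Settings.apk",
	"/system/app/GoogleKernel.apk",
}

func main() {
	for _, f := range AuditInitRC(sampleInitRC) {
		fmt.Printf("init.rc: %s: %s\n", f.Item, f.Reason)
	}
	for _, f := range FindDroppedFiles(sampleSystemListing) {
		fmt.Printf("system: %s: %s\n", f.Item, f.Reason)
	}
}
```

Feed it the init.rc taken from the unpacked boot image rather than from the running device where you can, since a root-level implant can misrepresent the live system. The name rule catches only Android.Oldboot; the directory rule is what catches the next family that reuses the trick, so that is the one worth baselining per device model.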

Two weeks earlier, Chinese security researchers had also reported a bootkit called 'Oldboot', possibly the same malware or another variant of it. They wrote:
"Due to the special RAM disk feature of Android devices' boot partition, all current mobile antivirus products in the world can't completely remove this Trojan or effectively repair the system."

"According to our statistics, as of today, there are more than 500,000 Android devices infected by this bootkit in China in the last six months."

Android.Oldboot is almost impossible to remove, even by formatting the device. If your device is not from a Chinese manufacturer, however, the chance that you are a victim is small.

This bootkit is not the first of its kind. Two years ago, in March, we reported that NQ Mobile Security Research Center had uncovered the world's first Android bootkit, 'DKFBootKit', which replaces certain boot processes and can start running before the system has completely booted.

But Android.Oldboot is more dangerous: even if you successfully remove all of its working components from the device, the imei_chk component persists in the boot partition, reinstalls the others on the next boot, and so keeps re-infecting the smartphone.

Users are advised to install apps only from authorised stores such as Google Play, to disable installation of apps from 'Unknown Sources' and, for better protection, to install a reputable security application.

You can also try to re-flash the device with its original (stock) ROM. Since the bootkit lives in the boot partition, the flash must rewrite that partition, not just the system partition; once it does, the bootkit is gone.
