What kind of malware is Beep?

Not so long ago, Minerva cybersecurity researchers discovered a very interesting malware with an equally exciting name, “Beep”. Beep Malware is a new stealth virus with several features designed to steal sensitive information and create a chain of infections. The latter involves downloading/installing additional malware or components. Consequently, it can infect devices with Trojans, ransomware, cryptocurrency miners, or other malware.
There is speculation that Beep is delivered via a spam email attachment, Discord, or OneDrive URL. It is also mentioned to be a “malware-as-a-service” i.e. it offers other criminals to spread their payloads within the botnet infected by the Beep . It consists of three components: a dropper, an injector, and a payload.

Dropper

The dropper starts its work after some anti-debugging and anti-VM checks. Then it creates a new registry section with the value “AphroniaHaimavati” and a base64-encoded PowerShell script. It then adds a scheduled task every 13 minutes and executes the PowerShell script stored in the registry. Before running, the script loads the data and stores it in an injector called AphroniaHaimavati.dll.

Injector

The injector is a component that uses several debugging and virtual machine protection techniques to inject a payload into a legitimate system process, for example, “WWAHost.exe”. This is achieved by cleaning the process and is done to avoid detection by antivirus tools.

Payload

The primary payload tries to collect the needed data from the compromised machine. It then encrypts them and tries to send them to C2, which has been hard-coded. Although C2’s hard-coded address was disabled during the analysis, the malware tried connecting even after 120 failed attempts.

Despite the limitations of malware analysis, experts were still able to detect the following functions in the sample, which are triggered by C2 commands:

• dll (executes a dll file)
• exe (runs an.exe file)
• shellcode (executes further shellcode)
• screenshot (a task that seems to collect the process list)
• additional (gathers more data)
• knock timeout (modifies “Keep-alive” intervals for C&C)

Moreover, it has at least four functions that were not used during the test: destroy, init, task, and balancer. This, however, does not make it less dangerous.

Evading detection methods

Let’s look at what the Beep malware highlights: the detection evasion techniques it uses throughout the execution process. Once analysts dug deeper into this sample, they noticed the use of many evasion techniques. This gave the impression that the authors of the Beep malware were trying to implement as many anti-debugging and anti-VM (anti-sandbox) techniques as possible. For example, one method was to delay execution using the Beep API, hence the malware’s name.

Anti-analysis features in Beep malware:

• Beep API function anti-sandbox. It’s the same function after which the malware is named. An alternative to the Sleep API function, which generates a beep on the PC speaker, delaying malware execution (warning wait) to avoid sandbox detection.
• Dynamic string deobfuscation. This method means the code strings are kept obfuscated for the whole time, and the confusion layer is removed only for those strings that are going to be used at the moment. Deobfuscation is done using xor/sub/add/not assembly functions.
• System Language check. A pretty typical IP location checkup that is often met in malware developed in ex-USSR countries, particularly Russia and Ukraine. It is performed to avoid infecting machines from these locations – such distorted ethics. If either Russian, Ukrainian, Belarusian, Tajik, Slovenian, Georgian, Kazakh, or Uzbek (Cyrillic alphabet) are detected in the system, Beep will cease any further execution.
• NtGlobalFlag field checkup for anti-debugging. In this case, malware seeks for the offset of NtGlobalFlag. If it matches with the one that is typical for the system with a debugger enabled – the Beep ceases execution.
• Own implementation of IsDebuggerPresent API function. Beep malware developers implemented the ASM variant of the C++ call, which checks if the process that calls for this function is debugged by a user-mode debugger.
• Stack Segment Register checkup. The fact that the Beep is written in Assembly allows it to communicate directly with the processor. It uses information from the stack segment register of the CPU to see if there are any calls typically used for debug purposes.
• Read Time Stamp Counter (RDTSC) instruction check. Malware checks the number of CPU ticks since the last reset to determine if it runs on a virtual machine. Machines with freshly-installed OS may be the source of false positives though.
• CPUID anti-vm. Using CPUID function, malware А obtains the Hypervisor Brand string, which contains information about virtualization software vendors. Names like VMWare, Oracle, Parallels, Citrix or others will trigger self-destruction procedures.
• VBOX registry key anti-vm. It’s one of the least complicated checks that aims at displaying if there are any VM-specific registry keys present in the system. Detecting the one causes malware to self-destruct.

The injector component implements the following evasion methods:

• INT 3 and INT 2D anti-debugging. Generates an exception that will make the debuggers stop working. The former literally sets a breakpoint in the debugger execution; INT 2D instruction allows the malware to change execution flow when it detects a debugger presence.
• CheckRemoteDebuggerPresent() API anti-debugging. Is a kernel32.dll function that sets (-1)0xffffffffff in the DebuggerPresent parameter if a debugger is present. Internally it also uses NtQueryInformationProcess with ProcessDebugPort as the ProcessInformationClass parameter.
• IsDebuggerPresent() API anti-debugging. The easiest method to protect against debugging that determines whether custom modes debuggers, such as OllyDbg or x64dbg, debug the current process. Typically, the function only checks the “BeingDebugged” flag of the Process Environment Block (PEB).
• ProcessDebugPort anti-debugging. Allows the malware to retrieve the debugger port number for a process using ntdll!NtQueryInformationProcess(). There is a documented ProcessDebugPort class that retrieves a DWORD value of 0xFFFFFFFFFF (decimal number -1 ) if the process is debugging.
• VirtualAlloc()/GetWriteWatch() anti-debugging. It is a low-level Windows API providing many options. For example, GetWriteWatch allows you to get the addresses of the pages that have been written to since the region was allocated or the write tracking state was reset. In addition, this function can track debuggers that may modify memory pages outside of the expected pattern.
• OutputDebugString() anti-debugging. Debugger detection method based on the result of a callback. An obsolete method because it only works for Windows versions before Vista. If no debugger is present and kernel32!OutputDebugString is called, and an error occurs.
• QueryPerformanceCounter() and GetTickCount64() anti-debugging. This method retrieves the current performance counter value, which is a high-resolution time stamp (<1µs) that can be used to measure time intervals. Thus measures the delay between instructions and execution to determine if the system is running a debugger.

How dangerous is the Beep malware?

The authors of Beep malware primarily focus on evading detection, which makes it difficult for security software and researchers to detect and analyze. On the other hand, it has shown minimal and incomplete functionality for its direct purpose, i.e., stealing data and executing commands. Still, nothing stops the hackers from expanding malicious functionality. And even if this particular malware is more about being a technology demonstrator sample, it is expected to see these evasion techniques in other, more common malware samples.

The post New stealthy “Beep” malware focuses heavily on evading detection appeared first on Gridinsoft Blog.

Email spoofing or spoofing email is the forgery of the sender’s email addresses. The address specified in the sender’s string is often false; if you send a response to this address, it is likely to come from a third party. The purpose of this scam is precisely to deceive the user and not to be declassified.

Reasons for Email Spoofing

If you think that email spoofing is only to harm, you are wrong; sometimes, it is used for legitimate purposes. Companies that use external contractors for specific purposes, but at the same time, their replies should come from the company’s address. companies do not want to disclose the names of specific employees who correspond with customers on behalf of the company. It should also note that the complete change of the headers From and Reply to is changed for legitimate purposes. Malicious spoofing involves the following purposes:

• Spam: In this case, the attackers send their letters on behalf of famous companies, banks, and other organizations.
• Phishing: Here, fraudsters forge email addresses so that the composed letters convince the victim to go to a phishing resource and enter all personal or financial data.
• Compromising corporate mail: The attacker is disguised as a familiar person, for example, a partner, employee, friend, representative of the organization, etc. Then they try to get all the information they need about you, convince you to transfer money or give out the organization’s confidential information.
• Extortion: The attacker convinces the victim that he has hacked the user’s system or device and that the victim needs to pay a ransom to get it back. So the fraudster blackmails the user without foundation.

Types of Email Spoofing

Fraudsters use different ways to make a successful operation. Below we will present the most common methods of spoofing.

1.Sharing a similar domain

To successfully spoof, fraudsters carefully imitate the addresses of senders under the addresses familiar to your organizations, companies, and others. To do so, they shall take the following steps:

• replace the first level domain, for example, support@spotify.co
• replace the second-level domain for first-level national domains, for example, support@spotify.com.ru
• replace the second-level domain with other characters or a letter, for example, support@spatify.com
• replace the second-level domain to cause an association with the company masquerading as an attacker, for example, support@spotifyinfo.com
• use the name of the company under which the fraudster is disguised as a mailbox. looks like this: support.spotify@gmail.com

2.Substitution of sender’s name

In this case, the sender’s name is falsified, and the From and Reply-To header contains the fraudster’s address. This method is often developed on mobile mail clients because they only have a default name.
As their name, fraudsters often use:

• The false terms of the company or organization that usage.
• Fake names with a phony email address.

3.Changes the significance of the From and Reply-to fields

Because the SMTP protocol does not authenticate headers, fraudsters can easily forge addresses in the From and Reply fields without being noticed. Thus, they have the privilege of not being caught, as a fake is almost no different from the original.

Protection from Email Spoofing

Malicious messages can get into your email for the most incomprehensible reasons, even if there is security. It means you should take the following steps to protect yourself from fraudsters.

Avoid strange attachments or unfamiliar links. If you received a suspicious email that you did not expect and it asks you to authenticate or click the link to confirm your identity or enter the data in the attached form-not, be kept. To make sure that this letter is from a legitimate organization, open the official website of the organization, log into your account and see if you have received a letter from there.

Recheck the contents of your email using your browser. It is clear that there is no need to be afraid of anything that comes to the post office, but checking all that you get will not be superfluous. If you are confused by the content of the email, copy it and paste it into the browser search bar. If this is a fraud, you will already see similar emails from other users complaining about this.

Don’t fall for the winnings. Pranks and gifts are another way to influence users. If you are sure you did not participate in any lottery, this is definitely not your win. It’s just a scam by a crook to compromise your data.

Use antimalware software. Antivirus software will help you prevent attacks from malware and fraudsters. It will scan everything on your device and remove all pests that have come to your device. Antimalware software will not be able to track messages from scammers, but the servers to which you can go through such a message, antimalware, will perfectly track and will not allow this infection to get on your device.

Use email security protocols. To reduce the flow of spam and threats, you must take care of security protocols. For example, some companies use SMTP, SPF, and DKIM mail to improve their security.

The post How to Prevent Email Spoofing in 2022 appeared first on Gridinsoft Blog.

Backstory

Each second, the enormous damage that hackers are trying to inflict on organizations results in organizations and cyber criminals constantly competing with those who want to succeed by hacking or protecting sensitive data. Companies, on the other hand, are spending billions on security measures. Even compared to 2021, investment has nearly doubled to around $460 billion by 2025. Priorities related to risk management are clear, as research conducted by Gartner and KPMG shows.

Collected responses from CEOs and CIOs indicate a substantial shift in focus on security solutions and cloud services, up 61% and 53%, respectively, as cybersecurity risk is seen as the biggest threat to organizations over the next few years. Organizations seem to have recognized this problem and are headed in the right direction. However, Cyber Security Ventures estimates that by 2025, hackers could be siphoning $10.5 trillion annually from companies. This global tally includes any company, large or small, regardless of its field of business. This is because the antiquated perimeter network that used to be used has existed for so long that cybercriminals can barely overcome it these days. As a result, organizations are struggling to resist the pressure. But as organizations continue to lack effective solutions to cyber threats caused by human error or ineffective security policies, external and internal risks expose organizations to financial losses and reputational damage.

What is a Secure Access Service Edge (SASE)?

SASE is one of the latest significant innovations in cloud network security. It became especially relevant during the pandemic. As solid and consolidated organizations have become single endpoints worldwide, they have become less resistant to threats and much more challenging to control and manage from a distance. SASE aims to minimize complexity by creating optimized connections for remote users to access the organization’s cloud resources, replacing data centers with cloud-based network security infrastructure. It also aims to maximize efficiency by implementing more layered but unified security measures. It also changes the mindset and approach to security practices. There is no longer a need for a lot of expensive, complicated, and bulky equipment to solve the cybersecurity problem.

How does it work?

We will look at the five main components of SASE, which describe its concept. The principle is to combine the best practice components of network security:

SD-WAN Service (SD-WAN)

Software-defined wide area network (SD-WAN) solutions provide organizations with the added benefit of utilizing an enterprise extensive area network (WAN) in conjunction with multiple cloud infrastructures. This provides high-speed data exchange and application performance on branch office WAN edge networks. One of such a system’s main benefits is providing dynamic path selection from multiple connectivity options (MPLS, 4G/5G, broadband), thereby providing organizations with fast and easy access to business-critical cloud applications.

Firewall as a Service (FWaaS)

FWaaS is a new type of next-generation cloud firewall. It doesn’t just hide physical firewall devices behind the cloud but solves the device form factor issue and makes network security (URL filtering, IPS, AM, NG-AM, Analytics, MDR) available everywhere. Essentially, the entire organization is connected to a single logical global firewall with a single application-aware security policy. It’s not for nothing that Gartner singled out FWaaS as an emerging infrastructure protection technology with a high-performance rating.

Secure Web Gateway (SWG)

SWG protects users from Web threats and enforces and enforces acceptable corporate use policies. Thus, instead of directly connecting to a website, the user accesses the SWG, which is responsible for securing the user to the desired website. It also performs URL filtering, Internet visibility, malicious content inspection, Internet access control, and other security measures.

Cloud Access Security Broker (CASB)

CASB is cloud-based, on-premises, or hardware-based software that intermediates between users and cloud service providers. CASB can bridge security gaps and is distributed in a software-as-a-service (SaaS) format. In addition to providing visibility, it allows organizations to extend the scope of their security policies from on-premises infrastructure to the cloud and create new policies for the cloud context.

Zero Trust Network Access (ZTNA)

Using the principles of zero-trust, “trust no one, verify everything” approach to cybersecurity, which controls user access as well as access to company resources, reducing the risk of internal threats. In addition to its ability to operate as a cloud service, SASE is flexible enough to allow a combination of different network security features.

The goal of SASE in the network

The SASE platform is a cloud-based solution that aims to improve cybersecurity significantly. It also optimizes cumbersome, hardware-based infrastructure, making it more accessible to remote workers. In addition, it provides less-efforts scalability based on business needs. Finally, it helps manage the organization’s security policies at multiple levels. Infrastructure built on the fundamental SASE framework requires fewer network resources and investments in the long run. It contributes to cybersecurity efficiency by integrating data protection and information security from multiple perspectives.

What is Zero Trust?

In networking, zero trust is a security solution framework based on principles concerning how levels of trust are interpreted in an organization. The essence of the approach is to stop assuming that anyone who once entered the network is forever trustworthy. However, the massive shift to remote operation and the increase in cyberattacks have shown companies how vulnerable outdated security model is.

Zero trust is the constant assessment of each connection (and its level of security and needs) when accessing resources within the enterprise. These connections include employees, partners, customers, contractors, or other users. Also, connections can mean devices and applications. Zero trust provides dynamic protection for each connection, adjusting access rights and other privileges based on risk status. It uses means of identification and creates a profile that allows you to determine who or what may pose a danger. But often, it’s not a question of who is a threat but who is not.

For example, in the case of remote work, millions of employees are accessing data from home networks on unidentified devices. While that employee may not have posed a threat in the office, that situation could change once that employee switched to the home office. A typical solution would be to block access to the corporate network and applications for this user.

How is Zero Trust built?

The essence of zero-trust is “trust no one, verify everything” and categories of tools are emerging that help you consistently implement a zero-trust security strategy in your organizational architecture:

Users & devices

Workforce management is the first step in bringing order to identity verification, increasing network visibility, and controlling traffic flow security. Tools such as MFA (multi-factor authentication), SSO (single sign-on), or IP whitelisting allow for a more layered verification system to provide secure access with extra blockers in case of phishing or lost credentials.

Network & applications

In addition to the lack of trust in connections, the zero-trust model also analyzes the environment in which external and internal data are transmitted. Partitioning and isolating the workspace into smaller segments and implementing ZTNA (zero-trust network access) or 2FA (two-factor authentication) allows management and compliance requirements to use more centralized risk management instead of access control.

Automation & analytics

Zero trust automation is straightforward to minimize the possibility of human error and increase the efficiency of the actions taken. It helps administrators detect incoming threats, alert security protocols promptly and prevent unwanted network interference. However, the ongoing analysis identifies deviations from standard patterns and indicates a possible need for improvement.

The right combination of tools helps the IT department do the routine security work:

• Monitoring user and device behavior;
• Verifying compliance with security policies;
• Reducing potential breaches;
• Protecting sensitive data.

Network traffic becomes more distributed, controlled, and segmented users can access only what and how much they need based on their defined roles. Thus, the potential for disruption is minimal but not zero. Therefore, it can be identified and monitored more effectively, as activity logs help quickly identify any breaches.

The main role of zero-trust in the network

Daily routine tasks are impossible without granting access to the company’s internal network, applications, or knowledge base. Zero-trust solutions maintain access control and put basic processes in order by individually validating users, devices, networks, or applications. In addition, proper tools and reasoning logic provide more convenient additional control over the overall security architecture.

SASE and Zero Trust are two parts of the same whole

Both Zero Trust and SASE are infrastructure systems that focus on security. They were created to achieve the same goals, namely to protect organizations from cyber threats better. Neither of these architectures provides an off-the-shelf solution as a platform. Instead, it is the logic of thinking about how to modernize legacy network perimeter solutions and security awareness. Although these approaches have differences, Zero Trust and SASE complement each other and are essential approaches to the future of cybersecurity.

How do they support each other?

SASE as infrastructure is a considerable security model that requires time and resources to integrate correctly. Consequently, the implemented elements work as a well-established mechanism, ascertaining improved security measures throughout the company.

The Zero Trust approach, on the other hand, is relatively easier to implement. However, it requires the daily involvement of organization members. Significant improvements in safety and security are why zero-trust tools are often seen as an integral part of SASE. The latter becomes the medium for implementing the idea of zero-trust.

Benefits of combining SASE and Zero Trust

SASE and Zero Trust help enterprises apply policies across their entire network. This approach provides several significant benefits, including more robust network security, simplified network management, lower costs, and a unified view of the whole network. SASE and ZTNA can also help enterprises significantly reduce the risk of data breaches and the attack surface. By combining these two approaches, enterprises can create a reinforced cybersecurity perimeter that is difficult for attackers to penetrate. This can ensure that only authorized users and devices can access sensitive data and systems and that users and machines only have access to the resources they need to do their jobs.

The post SASE vs Zero Trust – What is Best? appeared first on Gridinsoft Blog.

But where the good things come sometimes the bad ones follow. We talk about the so-called digital risks you willingly take when embarking on another new social media life. A lot of people spend a considerate time living digitally and one day start worrying about what details of reality they expose. Another question — “How does it influence me” — is usually consequential from the first one. And it does influence you not only in a way where social media platforms shape your digital personality but also your online cybersecurity.

Below you will find the five most common mistakes people tend to make on social media. These mistakes are often neglected but those that once made can have unpleasant results for a person.

Accepting friend requests from unknown accounts

You may be the friendliest person in the world, but that is not a good option online. That’s not only about allowing a stranger to view your personal information. In that way, you’re putting at risk other people you befriended on social media. That is especially true if you have a private account, so seeing your info requires your permission. In the case of public accounts, anyone can see what you’re posting and sharing, but even this option some users go with brings other nuances to think about when securing your cyber safety.

Having a private account means aiming at less exposition of your details, plans for the future, et cetera. It is important to be consequent in these attempts to make them as effective as possible. These random people who send you friend requests and seemingly want to just to get to know more people and make some friends can be different kinds of fraudsters like romance scammers, phishers, boxers, etc. You never know their true intentions, and even getting into a conversation with them might lead to more dangerous consequences.

Not checking photos you’ve been tagged on

Have you checked what on those photos that you’ve been tagged on? If you’re not — you better do. You are the one who’s in charge of the content you’re allowed to circulate on the Internet related to your account. Keeping an eye on what others share about it is also an important thing in your cyber well-being. No one wants some embarrassing photos of oneself from a friend’s birthday party to end up online. And sometimes it’s not only your friends to blame for sharing content you’d rather wish to lay in archives. You have to check settings that will allow you to have more control over the content related to your account.

Oversharing

This is a mistake that most people may have made the most. The problem in today’s digital landscape makes life much easier for threat actors but not for ordinary users themselves. Sharing the current workplace, your own, or your relatives’ home location doesn’t positively contribute to securing one’s safety. A well-informed threat actor can hope for a more successful cyber attack with the kinds of information you sometimes provide themselves on one of your social media accounts.

The good practice will be to minimize the info you share on social media accounts. It is especially actual in cases when a social network asks for it, but that is not an obligatory thing. Nevertheless, your coworkers and friends on Facebook most likely won’t need the info about the school you attended, who is your third cousin, or where you lived before. Normally, people on the same social media platform only need a way to somehow identify that this account belongs to you — the person they know or want to befriend.

For this they only need to see your name and a photo showing that it is truly you. If you are quite good at managing your digital footprint and its size, sharing just your name and a photo won’t put you at some enormous cyber security risk but instead you restrict a variety of freely circulated information on your persona for anyone on the internet to use for their purposes.

Don’t also forget about not oversharing your life events on social media platforms you use when you post photos with geolocation, sharing stories in real time tagging places or people you are going to visit or visited, revealing in posts your travel plans, major life plans, etc. Too much is also posting photos that explicitly show your surrounding neighborhood, your workplace, and places you regularly go shopping. Oversharing your life events may lead to serious life-threatening cases like stalking, burglary, physical assaults, etc

Neglecting some security essentials

Some of the important security essentials include enabling two-factor (2FA) or multi-factor authentication (MFA) features, restricting access to the information on your social media account, enabling some of the features that won’t allow completely strange people in any way to interact with your account. You only need several minutes to set these settings, but they will save you a significant amount of time when in the future you may have to deal with a cyber-attack or data breach. On any major social media platform, you can find various tutorials on how to make sure you follow security essentials concerning your safety it and know how to apply them.

Reusing passwords on multiple accounts

A number one rule in cybersecurity hygiene. One password — one account. In case of a compromise of one account, you won’t endanger the other accounts that may have the same password. Of course, it can be hard when trying to manage all the passwords users now can have which can amount sometimes to up to fifty or a hundred passwords. But you can always choose a reliable password manager that will help you to secure your accounts’ access and keep passwords in one place.

The post 5 Security Mistakes You’re Making On Social Media appeared first on Gridinsoft Blog.

What is a computer virus?

The computer virus is a piece of code or self-replicating malware that aims to penetrate the user’s device and damage the system. Most viruses have a purely destructive structure and aim to take over your computer. The virus itself can make copies of itself, making its destructive effects even more serious. It is important to note that the virus term is not synonymous with malware. Actually, it is just a malware class – same as spyware or ransomware.

How Do Computer Viruses Work?

In operation, I can divide computer viruses into two types. Those ones get on your device to multiply themselves and the ones that are waiting for the user to activate them.

Viruses have four phases:

• Dormant phase: In this phase, the virus is in standby mode, it lurks for the user and remains hidden.
• Propagation phase: At that point, the virus begins to replicate itself and hide its copies in programs, files, or other parts of your disk. This process will continue until you remove the virus and its copies from the device. The clones themselves can be slightly altered to avoid detection, but this will not prevent them from further attempts at self-replication.
• Triggering phase: to activate a virus that only waits for it, the user must, for example, click on the icon or open the application that is needed for the pest. However it does happen that some viruses have a certain amount of time to revive. For example, a certain number of computer reboots.
• Execution phase: At this moment, the virus begins its full-scale activity. He releases his malicious code into the system and starts destroying what he needs.

How Do Computer Viruses Spread?

Viruses can spread through the Internet through various infection mechanisms. Here are some common options through which this can happen:

• Emails: This is one of the most common methods of intruders. As crooks can attach any malicious thing to the letter, they are very potent carriers for malware. Sometimes the email itself may contain an infection in its HTML.
• Downloads: Intruders can hide their viruses in various documents, plugins, apps, and other places that are available for download. Note: In addition, we recommend our recent article on “How to Legally Get Spam Email Revenge“.
• Messaging services: Distributing the virus via SMS is also not the most difficult option. It is possible to do this through WhatsApp Facebook Messenger and Instagram. There they hide like in emails.
• Old software: If you forget or just don’t want to update your operating system, then your device is full of vulnerabilities and may be subject to attack from computer viruses.
• Malvertising: Advertising banners on websites and any pop-up windows can also be an option to infect your device. It is so sophisticated that it can be hidden even on legitimate and reliable websites. We recommend an interesting study about malware VS ransomware, the difference, and the facts that are worth remembering.

Types of computer viruses

Although we mentioned earlier that the virus is just a kind of malware, this fact does not prevent the virus itself from manifesting itself differently and thus having several types. Today, several computer viruses are active on the Internet.

• Direct action virus: It is the most common among others and is also the easiest to create. It works by joining a large number of COM or EXE files, after which they delete themselves.
• Boot sector virus: It infiltrates your boot sector, which is responsible for booting your operating system when you start your device to easily infect that device. These viruses are spread mainly through CDs, floppies, and USB drives. But because these are already obsolete methods of distribution, the virus itself is already gradually disappearing from its position.
• Resident virus: It is aimed at damaging your device’s RAM. Its privilege is that even if you remove it from your RAM, it can still be saved. The list of its destruction can also add the destruction of tons of files, motherboard memory, and the ability to write you rude emails.
• Multipartite virus: these viruses aim to infect your files, boot space, and more. The problem is that they are hard to root out, as they can settle inside your files and downloads.
• Polymorphic virus: These beauties hide under the guise of a modified form. When they create their clones, they change slightly, which helps them avoid detection.
• Macro virus: The purpose of such viruses is to hide in your Word document files? namely DOC and DOCX. After the user downloads the file, he will be asked to enable the macros, and if the user agrees, he will automatically download the virus.

Avoiding the latest computer virus threats

To protect yourself and your data, we suggest you make a habit of a few rules. This way you will be able to prevent all the above. This will be a pleasant experience for you, after which you will not have to be afraid to visit any site or another network.

• Have a healthy sense of skepticism: Do not press everything you see in unfamiliar emails. Do not fall for what you did not expect to get.
• Go legit: try not to copy media from platforms you don’t know where to share files. Be careful with what you load, it may carry a malicious compound.
• Be careful even in established stores: Before downloading any application, make sure it is secure. In turn, the Apple Store and the Play Store are trying to keep infected apps out, but some manage to slip in and remove some devices before they are removed.
• Steer clear of ads and pop-ups: Do not pay attention to pop-ups and banners when visiting websites. Because they are often infected and carry malicious code. If you are interested in the product offered in the advertisement, then go directly to the site and see what you need.
• Install updates: don’t forget to update your operating system. All new updates are designed to bypass and prevent new viruses from being installed on your device. That way, the system will have no vulnerabilities that viruses can exploit.
• Add an extra layer of protection: Most importantly, no matter how well-thought-out the steps of using the Internet are, you can not 100 percent protect yourself from pests. Therefore, we suggest that you take advantage of the right protection, which will not only remove the already existing virus but can prevent them from getting to your device.

We offer you Gridinsoft Anti-Malware – an excellent scanner, virus removal detector, 100% effective. You will definitely save your money and peace of mind by dealing with the consequences of malware activity. When in doubt, explore the full review list of 15 reasons and benefits to choose this product.

The post The Essential Guide to Computer Viruses appeared first on Gridinsoft Blog.

On November 11, 1983, the first virus was written, which ushered in a new era of dangerous programs for computers. An American student at the University of Southern California, Fred Cohen, wrote a program that demonstrated the ability to infect a computer at a virus reproduction rate of 5 minutes to 1 hour.

The first non-lab virus, called “Brain,” capable of infecting only floppy disks, appeared in January 1986 and was of Pakistani origin. And the first antivirus program was developed in 1988. The following year, Cohen wrote a paper in which he anticipated the dangers of viruses spreading through computer networks and talked about the possibility of creating antivirus programs. Let us remember which viruses were the most destructive in the short history of computer networks.

MyDoom virus

The first version of the worm, MyDoom, appeared on January 26, 2004, and was distributed via e-mail and peer-to-peer networks. The program was written in C++. It created a backdoor (a flaw in the algorithm deliberately put there by the programmer) in the victim’s operating system and triggered a denial of service (DDoS) mechanism. Within a very short time the worm had invaded the Internet, and in 2004 about 16 – 25% of all e-mails were infected with MyDoom. The worm’s host file weighs only a few tens of kilobytes and contains the following line: “sync-1.01; andy; I’m just doing my job, nothing personal, sorry.” When infected, the worm modifies the operating system, blocking access to sites of antivirus companies, news feeds, and various sections of the Microsoft portal. It attacked DDoS in February of the same year.

In 2011, McAfee recognized MyDoom as the most “expensive” malware in history: losses associated with infection by the virus due to major spam campaigns ultimately amounted to $38 billion. Researchers note that MyDoom is entirely self-sufficient and autonomous. The worm can spread forever if people keep opening email attachments.

CryptoLocker

Ransomware appeared in September 2013. The virus was spread via email. Once the user opened the email, a program attached to it automatically launched and encrypted all the files on the PC. To restore access to the files, the victim had to pay a not-insignificant sum in bitcoins. After paying, the user should have received a private key to restore access to the files. However, people did not know that once infected, the files are lost forever. To avoid getting infected with the CryptoLocker virus, you should:

• First, constantly update your antivirus software.
• Ignore suspicious emails with attachments; do not click on random unrecognized links.
• Finally, backup your files regularly.



ILOVEYOU virus

After the victim opened the attachment, the virus sent a copy of itself to all contacts in the Windows address book and the address specified as the sender’s address. It also made some malicious changes to the user’s system. The virus was sent out to mailboxes from the Philippines on May 4-5, 2000; the subject line contained the “ILoveYou,” and the script “LOVE-LETTER-FOR-YOU.TXT.vbs” was attached to the letter. The “.vbs” extension was hidden by default, which made unsuspecting users think it was a simple text file. In total, the virus affected more than 3 million computers worldwide. The estimated damage the worm caused to the global economy is estimated at $10 – 15 billion, for which it entered the Guinness Book of World Records as the most destructive computer virus in the world.

Morris Worm

The Morris worm is considered the virus that started it all. The first computer worm’s widespread use in the real world was much more destructive and spread faster than expected. In 1988, a virus-infected a network of 60,000 computers (about 10% of the UNIX machines of the time), preventing them from functioning correctly. The worm did not destroy the files, but it was throwing punches. Vital military and university functions were severely slowed down. Emails were delayed for days. The damage from the Morris worm was estimated at $96.5 million.

The creator of the virus, Robert Morris, had kept the program code well hidden, and it was unlikely that anyone could prove his involvement. He used a loophole in the Internet email system and a bug in the “finger” program that identified network users. It was also designed to remain hidden. But his father, a computer expert for the National Security Agency, felt it was better for his son to confess to everything. At trial, Robert Morris faced up to five years in prison and a $250,000 fine. However, considering extenuating circumstances, the court sentenced him to a $10,000 fine and 400 hours of community service.

Melissa virus

“An $80 Million Cyber Crime in 1999” – FBI Mellisa was distributed under the guise of a plain text document, which, when opened, was passed on to the victim’s first 50 email contacts. The document contained information that could interest users: passwords for access to pay sites or links to popular cartoon series. The program was not designed to steal money or information, but it caused quite a bit of damage. The virus hit more than 300 corporations and government agencies, including IT giant Microsoft, which shut down several times due to email overload. In addition, the malware generated enormous Internet traffic and slowed down already overloaded servers. Although it was localized within days, the damage had already been done. At a conservative estimate, about $80 million was spent to clean up and repair the damage caused by the program.



Zeus

Zeus/Zbot is a malicious package that uses the client/server model. It is used to create massive botnets. It was first detected in 2011. This application is a type of malware targeting the Microsoft Windows operating system. The two main methods of infection are spam messages and hidden downloads. The primary purpose of Zeus is to gain access to confidential details of a victim’s bank account and debit it. The virus can bypass the protection of centralized server systems and scan the user’s personal information. Users can’t even trace the channels their stolen data travels through. Also, in some cases, Zeus can download ransomware that encrypts files and demands money in exchange for unlocking them. Zeus has infected about 3 million computers in the U.S. and compromised significant organizations, including NASA and Bank of America.

Technically, Zeus is a Trojan, a malware masquerading as legitimate software. It uses keylogging and website tracking to steal passwords and financial data. For example, when a banking site is used, or a financial transaction is made, it can record keystrokes during authorization. Zeus initially only worked on Windows, but now some variants can compromise Android phones.

Code Red

The Code Red worm was first discovered by two eEye Digital Security employees, Mark Meiffret and Ryan Perme. They named the found malware after their favorite soda, Code Red Mountain Dew. Appearing in 2001, it targeted computers with the Microsoft IIS Web server installed. By infiltrating the computer, Code Red makes hundreds of copies of all the data. Eventually, it consumes so many resources that the system fails and crashes. A denial-of-service attack algorithm is then launched, and remote access to the infected server is granted via a backdoor.

The most famous Code Red cyber attack was the attack on the White House website. That same year, 2001, the red worm infected more than 250,000 computer systems. According to experts, it resulted in lost productivity and a whopping $2 billion damage.
Microsoft developed a “patch” designed to protect computers specifically against Code Red to keep government agencies and the general public safe from this malware.

Stuxnet

The Stuxnet worm appeared online in 2010 and initially targeted Iran’s nuclear facilities. The virus destroyed more than 1,000 centrifuges at Iran’s Natanz uranium enrichment facility, an affiliate of the large company Foolad Technic. Stuxnet spreads via USB sticks and Windows computers. The Stuxnet Trojan is based on a search for a specific model of the programmable logic controller (PLC) manufactured by Siemens. These small industrial control systems perform all sorts of automated processes, such as those in chemical plants, manufacturing plants, oil refineries, and nuclear power plants. Computers control these PLCs, which is the Stuxnet worm’s primary target. It has been reported that the worm has already infected more than 50,000 computers. The German company Siemens said 14 infected control systems were mainly in Germany.

Conficker

The Conficker worm was first attacked in early 2009. Within days it had infected ten million computers. The botnet formed by the infected computers was one of the largest in the world. Microsoft offered a reward of $250,000 for information that could help catch the author or authors of Conficker. Microsoft also agreed to partner with several organizations to take down the worm. This rapid spread of the worm is related to a network service. Using a vulnerability in it, the worm downloaded itself from the Internet.

Interestingly, the developers of the worm learned how to constantly change its servers, and something attackers had not managed to do before. Also, the worm spread itself via USB sticks, creating an executable autorun.inf file and a RECYCLED\{SID}\RANDOM_NAME.vmx file. On the infected system, the worm logged itself into services. It was stored as a DLL file with a random name consisting of Latin letters. The worm took advantage of a buffer overflow in a Windows operating system and executed a malicious code with a bogus RPC request. It also disabled some services, such as Windows Automatic Updates, Windows Security Center, Windows Defender, and Windows Error Reporting. It blocked access to the websites of several antivirus vendors.

As you can see, all of the viruses discussed above appeared at the beginning of the 21st century, when most modern cybersecurity technologies were in their infancy. Now the situation has fundamentally changed. Modern operating systems and advanced antivirus applications protect against most malware. However, we should not relax because even malware from this list is still roaming the net. On the other hand, rampant cybercrime leads to an ever-increasing need for protection specialists.

The post Which Deadliest Virus in History? Types to Remember appeared first on Gridinsoft Blog.

]]> https://gridinsoft.com/blogs/which-deadliest-virus-in-history-types-to-remember/feed/ 1 9271