Flame Command & Control Server Password Cracked

Flame was arguably the next big thing in state-sponsored malware after Stuxnet. If you are not aware, Flame is malware that was used to infect computers in the Middle East for espionage purposes.

Flame was investigated by a joint effort of Kaspersky, Symantec, ITU-IMPACT and CERT-Bund/BSI. Symantec had earlier failed to crack the password of Flame’s Control Centre and had put out a blog post asking for help in cracking the hash, 27934e96d90d06818674b98bec7230fa. Dmitry Bestuzhev of Kaspersky cracked the hash and found the clear-text password to be 900gage!@#. We are not yet aware of the method he used to crack the hash.

Cracking the hash allowed the researchers to get into the Command-and-Control servers for the Flame malware. Kaspersky has posted a detailed blog post analyzing the C&C. All of the servers were running the 64-bit version of Debian Linux. The programming languages used were PHP, Python and bash, and virtualization was run under OpenVZ.

An initial look at the C&C revealed that the attackers had used a minimal interface with no terms such as “bot” or “botnet”, possibly to avoid arousing the suspicion of the hosting company. The interface also offered no direct way to send commands to the victims.

To send a command or set of commands to a victim, the attacker uploaded a specially crafted tar.gz archive, which was processed on the server. A special server script extracted the archive contents and looked for *.news and *.ad files. These files were put into the corresponding directories “news” and “ads”. The C&C allows an attacker to push an update to a specific victim, or to all victims at a time. It is possible to prioritize a command, which makes it possible to order the commands (e.g. collect all data first, and only then self-remove). The priority and target client ID were transferred in an unconventional way: they were stored in the filename that the attacker uploaded to the C&C.

The researchers also discovered protocols for several clients – SP, SPE, FL and IP – which were used to communicate with different clients, of which Flame was identified as FL. This suggests that there are three more Flame-like malware families in the wild which have not been discovered yet.

The analysis of the C&C shows that the servers were first set up on 03 December, 2006, which suggests that Flame was operational for much longer than we had first thought. The scripts used by the operators also contained other valuable information: the nicknames of the developers. Kaspersky hasn’t published their names and has only identified them as D, H, O and R in the blog post.

You can read more about Kaspersky’s analysis of Flame’s C&C here, and a whitepaper by Symantec on Flame here [PDF].

Germany is Using Trojan Spyware on its Citizens?

Today, I received a letter from Emsisoft that explained how a well known group of hackers in Germany discovered and tested a trojan program that’s used by the German Federal government to spy on its citizens. These white hat hackers, known as the Chaos Computer Club, determined that the “R2D2” or “State Trojan” is not only able to spy on an infected target computer, it’s also able to download more software and remotely control the target computer. So far, it’s designed to work only on Windows based PCs.


Back in 2008, Computerworld reported that WikiLeaks documents provided information that Germany had hired a company named “Digitask” to create a trojan spy program for them. A few days ago, ZDNet confirmed that a few of the German State agencies have admitted to using this trojan in their investigations. Naturally, these were “legal” uses of the trojan, and required a judge’s signature.

The Electronic Frontier Foundation was curious to see if the U.S. Government had similar trojans, and in 2008 they submitted a FOIA request. Unlike many other attempts to get information released, the EFF received documents that revealed how the FBI was investigating ways to intercept Skype conversations. I think we can assume that since then, the U.S. has done more than just “investigate” how to spy on Skype.

What does all of this mean to the average Windows user? It means that you not only have to worry about threats from the usual hackers after your money, you also have to worry about “Big Brother” trojans from your own government. Fortunately, companies like Emsisoft, F-Secure and Sophos have assured us that they intend to search for and eliminate government trojans as well as the typical spyware we’re used to seeing.

For those of you who are using Macintosh or Linux instead of Windows, feel free to stick out your tongue and say “na na na na na na”. You don’t have to worry about these trojans … for now.

WARNING: Fotos_Osama_Bin_Laden.exe Email Attachment Is A Banking Trojan

As if the various Osama Bin Laden video scams were not enough, new malware is now being spread through email. If you receive any email with an attachment named Fotos_Osama_Bin_Laden.zip or something similar, DO NOT OPEN IT.


According to F-Secure Labs, an email is doing the rounds of the internet with an attachment named Fotos_Osama_Bin_Laden.zip; it may also be named Photos_Osama_Bin_Laden.zip. The file contains an executable named Fotos_Osama_Bin_Laden.exe.

The executable does not contain any photos of Osama Bin Laden but is infected with Trojan-Downloader:W32/Banload.BKHJ, which is a banking Trojan. It installs itself on the system, starts monitoring your online banking sessions via a Browser Helper Object (BHO), and tries to redirect your payments to the wrong accounts.

If you have downloaded or clicked on the attachment, disconnect from the internet and then run a free online scanner or an anti-malware tool. You might also want to run scans using your antivirus. If you don’t have one, head over to our Free Antivirus section to find one.
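A BHO has to be registered in the Windows registry before Internet Explorer will load it, so one quick check after a suspected infection is to list every registered BHO and see where its DLL lives and whether it is signed. This is an added example, not code from F-Secure or from the original post; it only reads the registry and checks Authenticode signatures, and the registry paths are the standard BHO and CLSID locations.

```powershell
# Added example: enumerate registered Browser Helper Objects and check each DLL's signature.
# A banking trojan that hooks the browser through a BHO must appear under one of these keys.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

function Get-RegisteredBho {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $clsid = $sub.PSChildName                     # the BHO's {GUID}
            # Resolve the CLSID to the DLL that implements it via InprocServer32
            $dll = $null
            foreach ($root in $clsidRoots) {
                $srv = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path $srv) {
                    $dll = ((Get-ItemProperty $srv).'(default)').Trim('"')
                    break
                }
            }
            $status = if ($dll -and (Test-Path $dll)) {
                (Get-AuthenticodeSignature -FilePath $dll).Status   # Valid, NotSigned, HashMismatch ...
            } else { 'MissingFile' }
            [pscustomobject]@{ CLSID = $clsid; Dll = $dll; Signature = $status; Hive = $key }
        }
    }
}

# Unsigned BHOs, or DLLs living under %TEMP% or %APPDATA%, deserve a closer look with a scanner.
Get-RegisteredBho | Sort-Object Signature | Format-Table -AutoSize
```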

The new Trojan is playing on the human curiosity generated by the death of Osama Bin Laden. There are actually no leaked photos or videos of the event. As a piece of advice, please don’t click on any links which tell you that you can watch a censored video or pictures of Osama Bin Laden’s death.

You will not be able to watch any videos or pictures unless the US government releases them. So hold your horses until then, and don’t spread the virus or become infected by it.

20% of Facebook Accounts are Infected?

According to BitDefender, 2 out of 10 Facebook Walls (or Newsfeeds) are infected or at risk in some way. In October, BitDefender, a well known anti-virus and security provider, launched a Facebook app called BitDefender safego. Safego scans your Facebook wall posts to determine if there are any links to bad apps or risky links. Here’s a quote from BitDefender:

BitDefender safego: Since its launch, BitDefender safego has managed to scan 17 million Facebook posts and it has detected infections on the news feeds of around 20% of its users. We are glad we’ve been able to warn our users of these threats and we’ll continue to focus our efforts on adding new security features and increasing our detection rate. Thanks everyone for your feedback and remember: if your friends stay safe, then you’re safe!

In addition to all of Facebook’s privacy problems, everyone should know by now that it’s a huge source of infections for Windows PCs. BitDefender apparently decided that it was time to help warn people about this problem.

The free BitDefender safego app is currently in Beta testing, and you can try it out by visiting the page while logged into Facebook. In addition to the link and app checking abilities of BitDefender safego, it also checks your profile for information that you should not be sharing.

I was fortunate enough to get a clean bill of health from safego, can you say the same thing about your Wall? Give safego a try now to be sure.

New Ways to Get Infected Online – Fake Update Downloads

Two days ago, the Symantec blog posted an article that describes how the newest and most successful malware and fake anti-spyware fools you into downloading it. The descriptions and images of these social engineering attacks are something you should see, so that you’ll recognize it when it happens to you.

Below are four images from the Symantec article. The first three show a web page with a fake warning to download updates. The last image shows you the payload, which is a fake anti-spyware program that tries to fool you into purchasing it (also known as scareware).

Image #1: download Firefox Secure Updates

Image #2: download Updates

Image #3: download Chrome Updates

Image #4: the resulting download, scareware called Security Tool
Even though these images are a bit fuzzy, you can still see that they’ve done a good job of looking like legitimate warnings. The bad news is that this isn’t the scariest part. It gets worse.

According to the article, trying to cancel these warnings does no good: the fake warnings keep popping up. If you exit the page without downloading these updates, something even worse happens. You are redirected to a site that hits you with some heavy duty exploits that could infect your PC.

The Symantec article only tells you that their software and some common sense will keep you protected from these fake warnings.

If you want my advice, do the following if you think you are seeing a fake warning:

  1. Close the browser.
  2. Follow up with an anti-virus scan of your system.
  3. Use Malwarebytes Anti-Malware to clean your system if you think you’ve been infected.
  4. If all else fails, and you’re certain you have a problem, go to an anti-spyware forum to get help. (SpywareWarrior and PC-Help are good.)
  5. Optionally, tell me about your adventures, or comment below.

Update: Lorraine emailed me this link to removal instructions that helped her remove the “My Security Shield” scareware which looks like the “Security Tools” above.

[Source Symantec Blog]

HELP!!! What Is TeaTimer.exe? Why Is It Running On My Computer?

Another distress call came to us through the contact form, asking about a strange task running on a user’s computer. The task in question is called TeaTimer.exe.

TeaTimer.exe is not a virus, spyware or malware; in fact it is run by an anti-spyware program called Spybot Search & Destroy.

So if you have this spyware protector installed on your system, you will most likely see it in your running processes.

Here is an excerpt from the Spybot knowledgebase:

The Resident TeaTimer is a tool of Spybot-S&D which perpetually monitors the processes called/initiated. It immediately detects known malicious processes wanting to start and terminates them, giving you some options on how to deal with this process in the future.

However, certain worm variants use the same file name. If you do not have the above software installed, you should definitely clean up the worm.

To solve any spyware issues you might want to read an article which we had written earlier about removing spyware and worms from your computer.

To stay on the safer side, don’t forget to read our articles Detailed Instructions on Protecting Your Computer from Internet Threats and Online Security Tips: Keep Your Computer Secure and Safe.

What Is GoogleCrashHandler.exe? Is It a Virus or Spyware?

Update: Click here for more interesting tips on dealing with unknown file types and processes.

One of our readers recently saw a suspicious file running on their system called GoogleCrashHandler.exe, and asked us what that file was and whether it was a virus or spyware.

GoogleCrashHandler.exe is a helper file for the Google Update software. If you have Google Update installed on your system, you will see an instance of GoogleCrashHandler.exe running when you visit the Processes tab in Task Manager.

Update: Google now has a help page that explains what GoogleCrashHandler.exe is for:

GoogleCrashHandler.exe runs continuously on your computer if you’ve selected to send anonymous usage statistics and crash reports to Google for certain Google software, like Google Chrome. It helps send crash details to Google when your Google software unexpectedly shuts down. We use this data to help determine how to prevent these errors from happening in the future.

To stop GoogleCrashHandler.exe from running, turn off the sending of usage statistics and crash reports for all the Google software on your computer.

This file is neither a virus nor spyware; however, if you want to get rid of it you will have to uninstall Google Update from your PC.

The Windows Add/Remove Programs tool is not the best way to remove programs; if you are looking for alternatives, see our list of excellent alternatives for uninstalling software from your PC.
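Both TeaTimer.exe and GoogleCrashHandler.exe are legitimate names that malware is known to borrow, so the useful check is not the name but where the running image lives and who signed it. This is an added example, not code from Spybot, Google or the original posts; the process names to check are the ones discussed above, and the expected signer subjects are left for you to compare by eye.

```powershell
# Added example: for each running process with one of the names discussed above, show the
# image path, the signer and the Authenticode status. The same name running from an odd
# directory, or without a valid vendor signature, is the tell-tale of a worm using the name.
$namesToCheck = 'TeaTimer', 'GoogleCrashHandler', 'GoogleCrashHandler64'

function Test-KnownProcess {
    param([string[]]$Names)
    foreach ($p in Get-Process -Name $Names -ErrorAction SilentlyContinue) {
        $path = $p.Path                  # $null when we lack rights to read the image path
        if (-not $path) {
            [pscustomobject]@{ Name = $p.ProcessName; PID = $p.Id; Path = '(access denied)';
                               Signer = $null; Status = 'Unknown' }
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        [pscustomobject]@{
            Name   = $p.ProcessName
            PID    = $p.Id
            Path   = $path
            Signer = $signer
            Status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        }
    }
}

# Anything outside Program Files, or with a Status other than Valid, warrants a malware scan.
Test-KnownProcess -Names $namesToCheck | Format-Table -AutoSize
```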

More Resources That Might Interest You

  • Analyze The Processes In Your Windows Background – Want to know more about a process that is running on your computer? Read this article on how you can easily do it.
  • Windows Task Manager Alternatives – The default Windows Task Manager does not provide the control you should have; use one of the free alternatives available to manage processes more easily.
  • Add/Remove Programs Alternatives – Often the default Add/Remove Programs tool leaves a lot of data behind; try one of these free alternatives to remove software completely.
  • Find Which Programs Can Open Unknown File Types – Have you ever come across files that you are not aware of or have never seen before? Use this excellent free utility to find which application can open that file.