Thursday, March 27, 2014

HOW TO MAKE A BOOTABLE USB FLASH DRIVE

BOOT IT AND BYPASS THAT MALWARE

I've read several articles about this over the last few years, but I never really wrote down the various steps involved in doing it for a Blog post. Exit WBY and enter Bryan Guevara, roaming columnist for SecurityDaze! I knew he had the steps down cold, and shortly after I asked him if he wanted to do this article it was waiting for me in Ye ol' In-Box.

Bryan Guevara


MAKING A BOOTABLE USB FLASH DRIVE


Hello. This is a very quick tutorial I wrote using the program called "YUMI" which you can find via this LINK. It's straightforward to use, and while I only added one item to my boot Flash drive, you can add other utilities to it as long as you have room on your Flash drive!

As Brian mentioned in another Blog post, Flash drives have really come down in price, so that you can now purchase a fast USB 3.0 32GB Flash drive for under $20 (I think that will hold more than a few ISOs).


Recorded Steps

Step 1: (3/26/2014 11:14:46 AM) Right click on "YUMI-2.0.0.2 (list item)" in "Program Manager".

Step 2: (3/26/2014 11:14:47 AM) Then left click on "Run as administrator (menu item)".

Step 3: (3/26/2014 11:14:50 AM) Now left click on "Create (button)" in "YUMI 2.0.0.2 Setup".

Step 4: (3/26/2014 11:14:53 AM) Left click on "Step 1: Select the Drive Letter of your USB Device. (combo box)" in "YUMI 2.0.0.2 Setup" [Note: my Flash drive is designated as the "F" drive; your drive letter will vary].

Step 5: (3/26/2014 11:14:54 AM) Left click on "F:\ MULTIBOOT 3GB (list item)".

Step 6: (3/26/2014 11:14:56 AM) Left click on "Step 2: Select a Distribution to put on F: (combo box)" in "YUMI 2.0.0.2 Setup". A "Distribution" would typically be an ISO file, as you'll soon see in my example.

Step 7: (3/26/2014 11:14:58 AM) Using your mouse, drag start on "Position (thumb)".

Step 8: (3/26/2014 11:15:14 AM) Now, mouse drag end on "Step 2: Select a Distribution to put on F: (list)".

Step 9: (3/26/2014 11:15:16 AM) For this exercise I'm going to left click on "Dr.Web Live CD (list item)".

Step 10: (3/26/2014 11:15:20 AM) Left click on "Browse (button)" in "YUMI 2.0.0.2 Setup". You will have to have an ISO file to do this - YUMI does not provide them for you.

Step 11: (3/26/2014 11:15:21 AM) Left click on "Name (edit)" of your ISO file in "Open".

Step 12: (3/26/2014 11:15:24 AM) Left click on "Open (split button)" in "Open".

Step 13: (3/26/2014 11:15:26 AM) Left click on "Create (button)" in "YUMI 2.0.0.2 Setup".

Step 14: (3/26/2014 11:15:27 AM) Left click on "Yes (button)" in "YUMI 2.0.0.2 Setup".

Step 15: (3/26/2014 11:16:21 AM) Left click on "Next > (button)" in "YUMI 2.0.0.2 Setup" and away it goes!

Step 16: (3/26/2014 11:16:23 AM) Left click on "Yes (button)" in "YUMI 2.0.0.2 Setup" if you have more than one ISO file. In this exercise I'm only using one, so I will click "No".

Step 17: (3/26/2014 11:29:28 AM) At this point I am through, so I would left click on "No (button)".





Hopefully this will help you out -

Bryan

Wednesday, March 26, 2014

"GAMEOVER" IN THE NEWS AGAIN

AND AGAIN, AND AGAIN...


It wasn't too long ago that I wrote about the "Gameover" Trojan, and here it is back in the news today with reports from F-Secure that it is targeting users of Monster.com [it's hard enough just finding a job, much less getting your identity stolen while doing it].

If your computer is infected it will replace the normal login screen for Monster with one that looks very much like the original:

CLOSE, BUT NOT REALLY THE REAL LOG IN SCREEN


It will then inject another screen which will ask you security questions which could lead to them learning more about you:

IMAGES COURTESY OF F-SECURE BLOG POST
You can read an article from PCWORLD HERE, and also the original Blog post from F-Secure's site HERE for more information.

Have you ever wished you had a bootable USB flash drive to help clean off an infected computer? If you do, but don't know how to go about it [ed. - unless you "Google" it], "Securitydaze" roving columnist Bryan Guevara will have complete instructions on how to do it in Thursday's blog post!

'Nuff Said,
Brian

Tuesday, March 25, 2014

MONDAY MARCH 24 BYTES ON TUESDAY

IT'S TUESDAY
GET YOUR NEWS LATE!


From over the weekend, news bits and bytes dredged up from under water coolers in secure offices, dark alleyways that smell, inside a half-eaten can of cold beans taken from the hand of a Hobo, and at times from various websites, comes this week's breathtaking news...


MICROSOFT WARNS WORD USERS

[ed. - For years I've been telling my customers to "never have their preview windows in Outlook open".] Microsoft is warning customers this week, for Microsoft Word versions 2003-2014 and Word RT, about a vulnerability in Word (Outlook's default editor) where malicious code could be executed from a mail message just by having it open in the preview window. Yesterday they issued Microsoft Security Advisory (2953095), which explains this in more detail; please go there to read the full Advisory.


EA GETS HACKED

EA [the computer game maker] said one of its web servers was hacked, and the people who did it put up an Apple login page. Anyone who logged into the fake iTunes page got their credentials stolen. No word on how many were taken, but if I were one of the people who did log in, that would be enough for me to start changing passwords pronto! Read the Article HERE.


LOOKING FOR A CHEAP FLASH DRIVE?


Well, I was, so over the weekend I found that prices were pretty darn good and thought I'd bring it up in this blog post. I found a PNY Turbo 64GB USB 3.0 flash drive for only $31.77 [the same thing at 128GB was under $50]. I put the link somewhere, oh, it's HERE.



MALWAREBYTES VERSION 2.0 IS....FINALLY HERE!

We've been wondering when this was coming out, and I suspected very soon after reading there was a new version that also continued to support Windows XP computers. Yesterday I checked their Blog several times until I finally saw the announcement!

In part, the blog reads: 

 

"Malwarebytes Anti-Malware 2.0 ships with a completely redesigned user interface to make the product easier to use, more informative, and to provide quicker access to key functionality. We have also built in and improved our Anti-Rootkit and Chameleon self-protection technologies, which have been in beta for the past year."

I can vouch for the Beta Anti-Rootkit technology, having used it for the past 15 months. The "Pro" version is now called "Premium", and you can read the entire blog post HERE.

Now go out there and kill some Malware this week -

'Nuff Said,
Brian

Friday, March 21, 2014

FRIDAY BYTES FOR MARCH 21

BITS AND BYTES FOR FRIDAY


It's finally Friday again - the end of another week, and here are this Friday's "Bits & Bytes" -

SYMANTEC FIRES CEO



Symantec, the large Internet and personal computer security firm, fired its second CEO in 2 years. Hired to help turn around a company that had been losing business to competitors, Steve Bennett apparently wasn't fast enough.


FIREFOX ADDRESSES MANY SECURITY ISSUES IN NEW UPDATE



If you opened up Firefox as early as yesterday you probably noticed it went through a forced update. 20 security issues were addressed [in case you wondered why it was updating].


LINUX SERVERS WITH OLDER KERNEL 2.6 ATTACKED

Any site using this older, outdated kernel (2.6 from 2003) on its web server is being attacked. According to Cisco, people going to any site with the older kernel are being redirected to a malicious web page. As one would expect, it involves adding some JavaScript onto vulnerable servers. For full information, you'll find that HERE.


PILEUP FLAWS AND ANDROID OS

A research paper from Indiana University Bloomington and Microsoft says that if an Android OS-based system (phone/tablet) is infected with malware, the malware would upgrade its privileges when the system OS is updated as well; in other words, its current access would be "grandfathered" into the updated OS. You can read more about that on the Malwarebytes Blog HERE.

RATS


If you recall from a post last year a RAT is a "Remote Administration Tool" used by certain types of Malware. If you want to know a little more about them FireEye recently posted a pretty decent article on their blog, HERE.

And, rats! I'm out of time...

'Nuff Said,
Brian

Monday, March 17, 2014

MONDAY MARCH 17th

ONLY A FEW BYTES THIS MORNING


Microsoft, trying to lure XP users away from the OS and at the same time boost sales of Windows 8 computers, is offering $50 off a Windows 8 computer as an enticement to switch. This news comes after Firefox decided to ditch the browser it was developing for the Metro interface, citing the low percentage of Windows 8 usage. And, while on the topic of XP, I read an article over the weekend that said two-thirds of ATMs still run on Windows XP, which makes me wonder when we will read about ATM attacks...

As reported on the Malwarebytes Blog, scammers are making use of the missing aircraft, flight MH370 on Twitter and Facebook to make some money with some of the following eye grabbing headlines:

“Shocking Video: Malaysian Airlines missing flight MH370 found at sea”

“Malaysian Airplane MH370 Already Found. Shocking Video Release Today by CNN”

“Plane has been spotted somewhere near Bermuda triangle. Shocking videos released today. CNN news”

“MH370 Malaysia plane has been found. Shocking videos released today. Last video of passengers crying released”
If you get one of these from one of your "friends", ignore it and please don't pass it onto your other unsuspecting "friends".

And while on the topic of scams, let me remind you about the NetFlix scam from several weeks ago.

This was reported on several sites, including the Malwarebytes Blog. While it's something you should be aware of, my reminder is that this type of scam [ed. - fake tech support numbers, phone calls from "Microsoft Support" w/ thick Indian accents, etc.] is quite common, so take the time to question its legitimacy before clicking a link, calling the 1-800 number in front of you, or letting someone who called you purporting to be a technical support person gain remote access to your computer.

'Nuff Said,
Brian

Saturday, March 15, 2014

LENOVO LAPTOPS WITH INSTANT RESET BUTTON AND NORTON

"THERE IS A KNOWN PROBLEM..."


Don't you hate it when you're trying to figure out an issue and ultimately it ends, rather, starts with the line above? No, I don't own a Lenovo laptop, I just happened across this while looking at security websites this morning.

Error: "8506,421" appears on my Norton product

However, if you get this message on your Lenovo laptop, and it has "instant reset", you should know that:

"There is a known issue with Norton security software and the Instant Reset utility distributed on some Lenovo laptops. Symantec is working on reproducing this issue. Unfortunately, in the meantime, Symantec recommends not to install Norton products on Lenovo laptops with Instant Reset functionality"

For the complete bulletin details, click HERE.

'Nuff Said,
Brian

Friday, March 14, 2014

ADOBE PATCHES 2 CRITICAL SECURITY HOLES IN FLASH


The post title pretty much sez it all folks, go directly to Adobe's website and get your Flash updated ASAP!

RIGHT HERE

'Nuff Said,
Brian

Monday, March 10, 2014

"DO YOU WANT TO SEE YOUR FRIEND [INSERT NAME] NAKED"?

JUST ONE OF THE LATEST FACEBOOK SCAMS


So, you log onto Facebook, go to your page and see a message or link from someone you know, or maybe know (but you have too many "friends" to really know), and it says "Do you want to see your friend naked?" or "Your friend's private video?", possibly including a partial picture of "the friend"; in many cases it's of a female friend and may only show a picture of her face, or of someone else (lower half) in a short skirt.

Thankfully you're not a cat, because if curiosity got to you and you clicked on that link you would be dead. However, being human...

You would be directed [ed. - rather, redirected] to a malicious website which tells you that your Flash player is out of date and to click on the link to update to the latest version. That really puts you between a rock and a hard place, because a browser add-on/plug-in is added (allowing the pictures you view on Facebook to be stolen and re-used in the malware campaign, and infecting your PC), and the aforementioned link to the picture or video you clicked on is added to your timeline, thus infecting others.

Over 2 million people have been infected by this attack.

  1. You should never have clicked on that link, but reported it to Facebook.
  2. Whenever re-directed to a site claiming you don't have the latest Adobe Flash Player, close it and go directly to Adobe to download FLASH. If it comes back with a message "Already installed", you've dodged a virtual bullet.
  3. Now open Malwarebytes, update its definitions and run a quick scan to see if it finds anything.
  4. Go in a corner and sit there for 2 weeks [yes, food and bathroom breaks allowed]
And, on the opposite end of the scale, many of us would NOT want to see our friend naked, or their "private video"...


'Nuff Said,
Brian

Friday, March 7, 2014

SHORT BYTES FOR FRIDAY

SHORT NEWS FOR YOUR FRIDAY SNOOZE


MICROSOFT THROWS IN THE TOWEL

Microsoft will soon offer a dual-boot phone in its attempt to claw its way into becoming a major cellphone maker, by allowing users to choose to boot either the Windows Phone OS or Android's OS. Considering both operating systems and their tendency to attract hackers, IMHO a person who purchases one of these phones has just increased the possibility of being infected with malware by 2.



MICROSOFT AND CRITICAL IE PATCH

That zero-day exploit affecting IE9 and IE10 is reportedly going to be officially patched next week.



IDC ANALYST FIRM FORECASTS COMPUTER GROWTH

A recent press release from IDC reports that worldwide PC shipments fell by 9.8% in 2013 and continue to fall this year by 6%, not recovering until 2018.


Cisco Small Business Router Password Disclosure Vulnerability

On March 5th, Cisco released advisory cisco-sa-20140305-rpd addressing a security flaw which could allow an attacker to gain admin rights on the devices listed in the advisory. They have released free firmware updates to correct it.

 

Android RATs Branch out with Dendroid

Symantec's Blog post on March 5th pointed out the evolution of Android malware with the latest and greatest threat that can be purchased off underground websites. This program can turn good APPS into bad ones. In part, they wrote on the post that:

According to postings on underground forums, the official seller of Dendroid is known as “Soccer.” The seller markets Dendroid as offering many features that have never been seen before and comes with 24/7 support, all for a once off payment of $300 to be paid through BTC, LTC, BTC-e, or other services. Some of the many features on offer include the following:
  • Delete call logs
  • Call a phone number
  • Open Web pages
  • Record calls and audio
  • Intercept text messages
  • Take and upload photos and videos
  • Open an application
  • Initiate a HTTP flood (DoS) for a period of time
  • Change the command-and-control (C&C) server

As always, click on the link for full details.

 

ComiXology Hacked! Change Your Password Now 

ComiXology, a digital comic book seller, says they were hacked and are telling subscribers to change their passwords immediately. This was reported on PC Magazine's website. You can read the full story HERE.

Have a safe weekend -

'Nuff Said,
Brian

Wednesday, March 5, 2014

MALWARE PRE-INSTALLED ON ANDROID DEVICES?

DEVICES HAVE PRE-INSTALLED FAKE NETFLIX APP


Marble Security received feedback about the Netflix APP on Android phones and tablets, saying it came pre-installed when they received their phones. The phony APP redirected communications to a server in Russia, sending login and password data along with credit card numbers.

Briefly, they looked at a variety of Android devices and found the fake APP on these devices:

"Marble Security found the fake Netflix app on six devices from Samsung Electronics: the GT-N8013 Galaxy Note tablet, the SGH-1727 Galaxy S III phone, the SCH-1605 Galaxy Note 2 phone, the SGH-1337 Galaxy S4 phone, the SGH-1747 Galaxy S III phone and the SCH-1545 Galaxy S4 phone.

The fake app was also found on three Motorola Mobility devices, the Droid Razr, Droid 4 and Droid Bionic; two Asus tablets, the Eee Pad Transformer TF101 and the Memo Pad Smart MT301; and on LG Electronics’ Nexus 5 phone."

You can read the full article HERE.

'Nuff Said,
Brian


Tuesday, March 4, 2014

MICROSOFT SPEAKS "XP" AGAIN

DIE HARD - PART III


This was posted earlier on my other Blog:

On a Microsoft Blog post that you can read in its entirety HERE, they announced a limited migration tool for those who want to try to migrate to Windows 8. It will transfer files and user settings but NO applications.

Beginning March 8th you will see the following appear on your XP screen:


And it will continue to appear on the 8th of every month until you either move off XP or click the box to not show that message again. In the post they mention a special deal from Laplink, which has lowered the price of its Professional package to $23.95 just for XP users. This will move many, but not all, of your programs. The link for this is on the Microsoft Blog and (of course) HERE. If I'm not mistaken, it will migrate select programs, user settings and data to not just Windows 8, but Windows 7 as well.

'Nuff Said,
Brian

Sunday, March 2, 2014

ZEUS + GAMEOVER = ONLINE BANKING NIGHTMARE

"GAMEOVER PLUS"


If you've been reading my Blog posts you'll remember I wrote about an online-banking Trojan that steals your credentials - its name was/is Zeus [ed. - pause for clap of thunder and lightning bolt]. Naturally Zeus had children, offshoots of the original; one of those was called "GAMEOVER".

As with many popular threats, eventually the Zeus program code found its way onto the Internet [ed. - those dark websites which, much like a dimly lit alley, you wouldn't usually walk down on the darkest of nights], spawning variations like the aforementioned "GAMEOVER".

One spawn leads to another, and now there is "GAMEOVER-PLUS", which not only steals your banking info but comes complete with a kernel-level ROOTKIT that makes it very hard, and possibly impossible, to remove unless your hard drive is wiped clean (i.e. formatted). The kernel-level rootkit's mission? To protect Gameover-Plus from being removed.

How do you get infected? Currently by email, with an attachment. It may come from a Bank (they will use many different banks hoping one of them will be yours) or from another service with an attachment like "Invoice.zip". And we all know that we shouldn't open suspicious emails with attachments...CORRECT??

Once again, while surfing some of my favorite security Blogs I ran across this information via a post on the SOPHOS security website. If you open the attachment a Trojan downloader is activated, and it's this downloader that brings "Gameover-Plus" into your computer and installs the rootkit, which resides on your hard drive AND within the computer's memory.

One other aspect that differentiates it from its predecessor is that Gameover-Plus is controlled peer-to-peer rather than from a remote server. The difference is distinct and could mean that while you are trying to remove it, someone on the other end may be actively trying to stop you, something I've run across several times in the field, although not specifically with this Trojan.

If you suspect an infection TURN YOUR COMPUTER "OFF" until you can get some professional help to attempt removal. For those interested in the more technical information about this I suggest you read the Blog post on SOPHOS security's site HERE.

'Nuff Said,
Brian