How to Check for Viruses

Whether you think you might have a virus on your computer or devices, or just want to keep them running smoothly, it’s easy to do a virus scan. How to check for viruses depends on the software and device you have, so we’ll go through everything you need to know to run a scan effectively and keep your computers, phones and tablets in tip-top shape.

Do You Need a Virus Scan?

First, let’s cover a few of the telltale signs your device might have a virus. Is your computer or device acting sluggish or having a hard time booting up? Have you noticed missing files or a lack of storage space? Have you noticed emails or messages sent from your account that you did not write? Perhaps you’ve noticed changes to your browser homepage or settings? Or maybe, you’re seeing unexpected pop-up windows, or experiencing crashes and other program errors. These are all examples of signs that you may have a virus, but don’t get too worried yet, because many of these issues can be resolved with a virus scan.

What Does a Virus Scan Do?

Each antivirus program works a little differently, but in general the software will look for known malware that meets a specific set of characteristics. It may also look for variants of these known threats that have a similar code base. Some antivirus software even checks for suspicious behavior. If the software comes across a dangerous program or piece of code, it removes it. In some cases, a dangerous program can be replaced with a clean one from the manufacturer.

How to Check for Viruses

The process of checking for viruses depends on the device type and its operating system. Check out these tips to help you scan your computers, phones and tablets.

On a Windows computer

If you use Windows 10, go into “Settings” and look for the “Updates & Security” tab. From there you can locate a “Scan Now” button.

Of course, many people have invested in more robust antivirus software that has a high accuracy rate and causes less drain on their system resources, such as McAfee Total Protection. To learn how to run a virus scan using your particular antivirus software, search the software’s help menu or look online for instructions.

On a Mac computer

Mac computers don’t have a built-in antivirus program, so you will have to download security software to do a virus scan. There are some free antivirus applications available online, but we recommend investing in trusted software that can protect you from a variety of threats. Downloading free software and free online virus scans can be risky, since cybercriminals know that this is a good way to spread malware.

Whichever program you choose, follow their step-by-step instructions on how to perform a virus scan, either by searching under “help” or looking it up on their website.

On smartphones and tablets

Yes, you can get a virus on your phone or tablet, although they are less common than on computers. However, the wider category of mobile malware is on the rise and your device can get infected if you download a risky app, click on an attachment in a text message, visit a dangerous webpage, or connect to another device that has malware on it.

Fortunately, you can protect your devices with mobile security software. It doesn’t usually come installed, so you will have to download an application and follow the instructions.

Because the Android platform is an open operating system, there are a number of antivirus products for Android devices, allowing you to do a virus scan.

Apple devices are little different, because they have a closed operating system that doesn’t allow third parties to see their code. Although Apple has taken other security precautions to reduce malware risks, such as only allowing the installation of apps from Apple’s official app store, these measures aren’t the same as an antivirus program.

For more robust protection on your Apple devices, you can install mobile security software to protect the private data you have stored on your phone or tablet, such as contacts, photos and messages.

All-In-One Protection:

If safeguarding all your computers and devices individually sounds overwhelming, you can opt for a comprehensive security product that protects computers, smartphones and tablets from a central control center, making virus prevention a breeze.

Why are virus scans so important?

New online threats emerge every day, putting our personal information, money and devices at risk. In the first quarter of 2019 alone McAfee detected 504 new threats per minute, as cybercriminals employed new tactics. That’s why it is essential to stay ahead of these threats by using security software that is constantly monitoring and checking for new known threats, while safeguarding all of your sensitive information. Virus scans are an essential part of this process when it comes to identifying and removing dangerous code.

How often should you run a virus scan?

Most antivirus products are regularly scanning your computer or device in the background, so you will only need to start a manual scan if you notice something suspicious, like crashes or excessive pop-ups. You can also program regular scans on your schedule.

Preventing Viruses

Of course, the best protection is to avoid getting infected in the first place. Here are a few smart tips to sidestep viruses and other malware:

Learn how to surf safely so you can avoid risky websites, links and messages. This will go a long way in keeping you virus-free.
Never click on spammy emails or text messages. These include unsolicited advertisements and messages from people or companies you don’t know.
Keep the software on your computers and devices up to date. This way you are protected from known threats, such as viruses and other types of malware.
Invest in comprehensive security software that can protect all of your devices, such as McAfee LiveSafe.
Stay informed on the latest threats, so you know what to look out for. The more you know about the latest scams, the easier they will be to spot and avoid.

The post How To Do A Virus Scan appeared first on McAfee Blog.

Read More

Account takeover attacks surge as a result

Read More

Many years ago, Madonna sang about sharing her secrets with us. While the IT version may not be as entertaining as what was discussed in that song, there are still important reasons to understand your corporate encryption secrets and how they are provisioned, managed and deployed. The tools to do this go by various monikers, including SSL/TLS certificate or key management tools, machine identity management, or PKI as a service.

These secrets are found all over the IT map, including those for servers, for applications, to encrypt your email messages, for authenticating to connect with IoT devices, to allow you to make edits to a piece of code, and for user identities to have access to a particular shared resource. For example, these certs are commonly used to encrypt web and database traffic across the internet to protect these applications from man-in-the-middle attacks and other compromises.

To read this article in full, please click here

Read More

Truth, transparency and trust are the three T’s that all CISOs and CSOs should embrace as they march through their daily grind of keeping their enterprise and the data safe and secure. Failure to adhere to the three T’s can have serious consequences.

Case in point: A federal judge recently ordered Uber Technologies to work with its former CSO, Joseph Sullivan (who held the position from April 2015 to November 2017), and review a plethora of Uber documents that Sullivan has requested in unredacted form for use in his defense in the upcoming criminal trial.

The case against Uber’s former CSO

By way of background, Uber’s former CSO faces a five-felony count superseding indictment associated with his handling of the company’s 2016 data breach. The court document, filed in December 2021, alleges Sullivan “engaged in a scheme designed to ensure that the data breach did not become public knowledge, was concealed, and was not disclosed to the FTC and to impacted users and drivers.” Furthermore, the two individuals, who are believed to have affected the hack and subsequently requested payment for non-disclosure ultimately received $100,000 from Uber’s bug bounty program. These individuals were identified in media as, Vasile Mereacre, a Canadian citizen living in Toronto, and Brandon Glover, a Florida resident, both of whom were later indicted for their breach of Lynda (a company acquired by Linkedin).

To read this article in full, please click here

Read More

Who doesn’t love an anniversary and the opportunity to reminisce about “where we were” when an historical event happened? Such is the case over the last several days when it comes to remembering WannaCry, the ransomware that infected thousands of computers five years ago and cost companies all over the world billions of dollars in damages.

WannaCry broke onto the infosec scene on May 12, 2017. Taking advantage of the vulnerable version of the Server Message Block (SMB) protocol, it ultimately infected approximately 200,000+ machines in more than 150 countries. While Microsoft had issued a patch for the SMB flaw more than a month before the attacks began, millions of computers had not been unpatched against the bug. The largest ransomware attack ever, it impacted several big names globally, including the UK’s National Health Service, US delivery giant FedEx, and Deutsche Bahn, the German railway company.

To read this article in full, please click here

Read More

Many aren’t following the advice of their own training programs

Read More

Double extortion now the norm, says Group-IB

Read More

Authored by Jyothi Naveen and Kiran Raj

McAfee Labs have been observing a spike in phishing campaigns that utilize Microsoft office macro capabilities. These malicious documents reach victims via mass spam E-mail campaigns and generally invoke urgency, fear, or similar emotions, leading unsuspecting users to promptly open them. The purpose of these spam operations is to deliver malicious payloads to as many people as possible.

A recent spam campaign was using malicious word documents to download and execute the Ursnif trojan. Ursnif is a high-risk trojan designed to record various sensitive information. It typically archives this sensitive data and sends it back to a command-and-control server.

This blog describes how attackers use document properties and a few other techniques to download and execute the Ursnif trojan.

Threat Summary

The initial attack vector is a phishing email with a Microsoft Word document attachment.
Upon opening the document, VBA executes a malicious shellcode
Shellcode downloads the remote payload, Ursnif, and invokes rundll32.exe to execute it.

Infection Chain

The malware arrives through a phishing email containing a Microsoft Word document as an attachment. When the document is opened and macros are enabled, Word downloads a DLL (Ursnif payload). The Ursnif payload is then executed using rundll32.exe

Figure 1- flowchart of infection chain

Word Analysis

Macros are disabled by default and the malware authors are aware of this and hence present an image to entice the victims into enabling them.

Figure 2- Image of what the user sees upon opening the document

VBA Macro Analysis of Word Document

Analyzing the sample statically with ‘oleId’ and ‘olevba’ indicates the suspicious vectors..

Figure 3- Oleid output
Figure 4- Olevba output

The VBA Macro is compatible with x32 and x64 architectures and is highly obfuscated as seen in Figure-5

Figure 5- Obfuscated VBA macro

To get a better understanding of the functionality, we have de-obfuscated the contents in the 2 figures shown below.

Figure 6- De-obfuscated VBA macro (stage 1)
Figure 7- De-obfuscated VBA macro (stage 2)

An interesting characteristic of this sample is that some of the strings like CLSID, URL for downloading Ursnif, and environment variables names are stored in custom document properties in reverse. As shown in Figure-7, VBA function “ActiveDocument.CustomDocumentProperties()” is used to retrieve the properties and uses “StrReverse” to reverse the contents. 

We can see the document properties in Figure-8  

Figure 8- Document properties

Payload Download and Execution: 

The malicious macro retrieves hidden shellcode from a custom property named “Company” using the “cdec” function that converts the shellcode from string to decimal/hex value and executes it. The shellcode is shown below. 

Figure 9- Raw Company property

The shellcode is written to memory and the access protection is changed to PAGE_EXECUTE_READWRITE. 

Figure 10- Code of VirtualProtect
Figure 11- Shellcode’s memory and protection after calling VirtualProtect()

After adding the shellcode in memory, the environment variable containing the malicious URL of Ursnif payload is created. This Environment variable will be later used by the shellcode. 

Figure 12- Environment variable set in Winword.exe space

The shellcode is executed with the use of the SetTimer API. SetTimer creates a timer with the specified time-out value mentioned and notifies a function when the time is elapsed. The 4th parameter used to call SetTimer is the pointer to the shellcode in memory which will be invoked when the mentioned time is elapsed. 

Figure 13- SetTimer function (Execution of shellCode)

The shellcode downloads the file from the URL stored in the environmental variable and stores it as ” y9C4A.tmp.dll ” and executes it with rundll32.exe. 

URL 
hxxp://docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/ 

CMD 
rundll32 “C:UsersuserAppDataLocalTempy9C4A.tmp.dll”,DllRegisterServer 

Figure 14- Exports of Downloaded DLL

After successful execution of the shellcode, the environment variable is removed. 

Figure 15- Removal of Environment Variable

IOC 

TYPE 
VALUE 
PRODUCT 
DETECTION NAME 

Main Word Document 
6cf97570d317b42ef8bfd4ee4df21d217d5f27b73ff236049d70c37c5337909f 
McAfee LiveSafe and Total Protection 
X97M/Downloader.CJG 

Downloaded dll 
41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547 
McAfee LiveSafe and Total Protection 
Ursnif-FULJ 

URL to download dll 
hxxp://docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/ 
WebAdvisor 
Blocked 

MITRE Attack Framework 

Technique ID 
Tactic 
Technique Details 
Description 

T1566.001 
Initial Access 
Spear phishing Attachment 
Manual execution by user 

T1059.005 
Execution 
Visual Basic 
Malicious VBA macros 

T1218.011 
Defense Evasion 
Signed binary abuse 
Rundll32.exe is used 

T1027 
Defense Evasion 
Obfuscation techniques 
VBA and powershell base64 executions 

T1086 
Execution 
Powershell execution 
PowerShell command abuse 

 Conclusion 

Macros are disabled by default in Microsoft Office applications, we suggest keeping it that way unless the document is received from a trusted source. The infection chain discussed in the blog is not limited to Word or Excel. Further threats may use other live-off-the-land tools to download its payloads.  

McAfee customers are protected against the malicious files and sites detailed in this blog with McAfee LiveSafe/Total Protection and McAfee Web Advisor. 

The post Phishing Campaigns featuring Ursnif Trojan on the Rise appeared first on McAfee Blog.

Read More