Stuck on a Pop Up!
Problem:
Ever have one of those terrible pop ups (“YOUR COMPUTER IS INFECTED!!!!!”) trap you on a page while it blares loud warnings that the FBI is coming to raid your house and steal your cat? It happens to every one of my clients sooner or later. So how do you get out of it?
Solution:
It’s a CTRL-ALT-DEL and kill the browser. But there’s a catch! Most browsers will offer to “restore session” when you bring it back up. DON’T! That’ll bring back the ad. Just start a new session and head back to your browsing!
Rebuild boot sector (complicated)
Problem:
Windows 10 not booting – blinking cursor or can’t find installation
Solution:
Bring up the command prompt:
Boot from any DVD or USB Windows 7, 8, or 10 media.
Once you have reached the Windows Setup screen (where you select the Language, Time and Keyboard settings), press the SHIFT + F10 keys to bring up the Command Prompt.
Find out whether your disk is set to GUID Partition Table (GPT) or Master Boot Record (MBR):
In the Command Prompt, type diskpart and press Enter.
Type list disk and press Enter.
Look for your disk and see if the GPT column has an asterisk (*) – this will indicate the disk is GPT. If no asterisk is found, then the disk is set as MBR.
Type exit and press Enter.
If the type is MBR:
From the Command Prompt, type dir a: and press Enter.
If drive A: is found and a directory is displayed, check for the Windows folder in the directory. If it is there, that is the System Drive. Skip to step 2.
If the drive is not found or it doesn’t contain the Windows folder, type dir b: and press Enter. Continue through the alphabet until the drive with the Windows folder is found, but skip the X: drive. That will be the install files from the USB or DVD you are using. The most common location is the C: drive, so that example will be used in the rest of the article.
Once it is found, type: bcdboot C:\Windows /S C:
In this case, C is the drive where the Windows folder was found. If the Windows folder is on a different drive, use that drive letter instead of “C” in the bcdboot command above.
The message Boot files successfully created must be shown before you can continue.
Type: diskpart and press Enter.
Type: list disk and press Enter.
Type: sel disk C and press Enter.
In this case, C is the drive where the Windows folder was found. If the Windows folder is on a different drive, use that drive letter instead of “C” in the sel disk command above.
Type: list vol and press Enter.
Type: sel vol C and press Enter.
In this case, C is the drive where the Windows folder was found. If the Windows folder is on a different drive, use that drive letter instead of “C” in the sel vol command above.
Type: active and press Enter.
You should get a confirmation that the volume has been successfully set as active. If you don’t get the confirmation, it means that either the disk is set to GPT (not MBR), or there is a problem with the disk. Make sure you are working with the right disk.
Type: exit and press Enter.
Reboot the device – you can do this quickly from the command prompt by typing: shutdown -f -r -t 00 and press Enter.
If the type is GPT:
From the Command Prompt, type dir a: and press Enter.
If drive A: is found and a directory is displayed, check for the Windows folder in the directory. If it is there, that is the System Drive. Skip to step 2.
If the drive is not found or it doesn’t contain the Windows folder, type dir b: and press Enter. Continue through the alphabet until the drive with the Windows folder is found, but skip the X: drive. That will be the install files from the USB or DVD you are using. The most common location is the C: drive, so that example will be used in the rest of the article.
Type: diskpart and press Enter.
Type: list disk and press Enter.
Type: sel disk C and press Enter.
In this case, C is the drive where the Windows folder was found. If the Windows folder is on a different drive, use that drive letter instead of “C” in the sel disk command above.
Type: list part and press Enter.
Look for the partition labeled as System.
Once it is found, assign the letter R to the partition. If the letter R is already taken, you can choose any unassigned letter. To assign the letter, type: assign letter=r: and press Enter.
Type: exit and press Enter.
Return to the command prompt, type the following one line at a time, pressing Enter after each line:
cd /d r:\EFI\Microsoft\Boot
ren BCD BCD.bak
bcdboot c:\Windows /l en-us /s r: /f UEFI
Note: the /l en-us part of the command sets the Windows language to English. To set a different language, replace en-us with a different language code (such as de-de for German). The /s r: part points bcdboot at the System partition you assigned the letter R to above; if you chose a different letter, use that one instead.
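An added helper, not part of the original post, that does the two lookups above for you: it walks the drive letters for the Windows folder (skipping X:), checks whether that disk is GPT or MBR, and prints the matching bcdboot line instead of running it. It assumes powershell.exe and WMI are available in the recovery environment (true for WinRE, not for every Setup media) and the file name find-windows.ps1 is made up.

```powershell
# Added example (not from the original post): find the drive holding the Windows
# folder and the partition style of its disk, then print the matching bcdboot
# command from the steps above. It only prints; nothing is changed on disk.
# Assumption: run from the recovery command prompt (SHIFT+F10) as
#   powershell -ExecutionPolicy Bypass -File find-windows.ps1
# where powershell.exe and WMI are present (they are in WinRE).

# 1. Walk A: .. W: for a real Windows install (ntoskrnl.exe, not just a folder).
#    X: is skipped on purpose: it is the RAM drive holding the setup/recovery files.
$winDrive = $null
foreach ($code in 65..87) {
    $drive = "$([char]$code):"
    if (Test-Path "$drive\Windows\System32\ntoskrnl.exe") {
        $winDrive = $drive
        break
    }
}
if (-not $winDrive) {
    Write-Host 'No Windows folder found on A: to W:. Check the disk with diskpart.'
    exit 1
}

# 2. Map the drive letter to its partition. Win32_DiskPartition.Type starts with
#    "GPT:" on a GPT disk and reads e.g. "Installable File System" on an MBR disk.
$link = Get-WmiObject Win32_LogicalDiskToPartition |
        Where-Object { $_.Dependent -match "DeviceID=`"$winDrive`"" }
$part  = [wmi]$link.Antecedent
$isGpt = $part.Type -like 'GPT:*'
$style = if ($isGpt) { 'GPT' } else { 'MBR' }

# 3. Print the command for the detected layout, plus the diskpart disk number.
Write-Host "Windows folder found on $winDrive (disk $($part.DiskIndex), $style)"
if ($isGpt) {
    Write-Host 'Assign a letter to the System (EFI) partition in diskpart (R: in the steps above), then run:'
    Write-Host "  bcdboot $winDrive\Windows /l en-us /s r: /f UEFI"
} else {
    Write-Host 'Run this, then mark the volume active in diskpart as described above:'
    Write-Host "  bcdboot $winDrive\Windows /S $winDrive"
}
```

diskpart’s sel disk expects the disk number shown by list disk, which is why the script reports that number next to the drive letter.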
Mac Fruitfly virus
Found a fascinating article on an insidious virus for Macs on the Malwarebytes site.
Six months after it was discovered, the first Mac malware of the year is still causing a stir.
The recently discovered Fruitfly malware is a stealthy but highly-invasive malware for Macs that went undetected for years. The controller of the malware has the capability to remotely take complete control of an infected computer — files, webcam, screen, and keyboard and mouse.
But despite its recent discovery, little is known about the malware.
Given how rare Mac malware is, especially one with all the hallmarks of what could be a nation state attacker, Patrick Wardle, a former NSA hacker who now serves as chief security researcher at Synack, got to work.
Apple released security patches for Fruitfly earlier this year, but variants of the malware have since emerged. The core of the malware is an obfuscated perl script using antiquated code, with indicators in the code that suggest the malware may go back almost half a decade or more, the security firm said. Nevertheless, the malware still works well on modern versions of macOS, including Yosemite. Fruitfly connects and communicates with a command and control server, where an attacker can remotely spy on and control an infected Mac.
But what it does, and why, aren’t widely known.
“It’s not the most sophisticated Mac malware,” said Wardle in a Signal call last week, but he described it as “feature complete.” Like others, he wasn’t sure what the malware did exactly on first glance.
Instead of reverse-engineering the malware’s code to see what it did, he took a novel approach of creating his own command and control server to interact directly with a sample of the malware in his lab.
“I had to figure out how to create a command and control server that could speak the ‘language’ of the malware,” he said. That let him fully deconstruct what the malware did simply by “asking” the malware the right questions, giving him an unprecedented view into its capabilities.
He found that he could take complete control of an infected Mac, including its keyboard and mouse, take screenshots of the display, remotely switch on the webcam, and modify files. The malware can also run commands in the background, and even kill the malware’s process altogether — likely in an effort to avoid detection.
“The most interesting feature is that the malware can send an alert when the user is active,” said Wardle, so that the attacker can then avoid interfering with the computer to remain stealthy. “I haven’t seen that before,” he said. He even found that some commands supported additional parameters. What he called the “second byte” to each command would offer more granular options. He explained that he could take screenshots of the display of varying quality — a useful feature for low-bandwidth connections or trying to evade network detection.
He noticed that the malware was communicating out to primary servers that were offline. But some of the backup servers were available.
Armed with his Python-based command and control scripts, he registered some domains, and fired up his servers. And that’s when his screen began to fill up with victims’ computers connecting to his servers, one after the other.
“I thought — ‘f**k!’ — I have to be responsible here,” he said. When the malware connects, you get the IP address, name of the user, and the computer name (which is typically the full name of the user). “I just logged the connections and parsed the computer names, then closed the connection,” he said.
The early analysis was that as many as 90 percent of the victims were in the US, with no obvious connection between the users, he said. “It was just a general smattering of users.”
But questions remain over where the malware came from, and what purpose it performs.
Wardle said based on the target victims, the malware is less likely run by a nation state attacker, and more likely operated by a single hacker “with the goal to spy on people for perverse reasons.” He wouldn’t say how many were affected by the malware, but suggested it wasn’t widespread like other forms of malware.
He also wasn’t sure on the exact delivery method of the malware, but suggested it could infect a computer through a malicious email attachment.
Wardle has since informed and is now working with law enforcement on the matter, handing over the list of victims and command and control servers.
“You have to realize that this kind of re-exposes the fact that you can be an ordinary person and still be victim of a really insidious attack,” he said. “This is just another illustration that Macs are just as vulnerable as any other computer.”
In part for that reason, Wardle spends his spare time developing free-to-download Mac tools to protect against this kind of attack, including Oversight, which notifies users when their microphone or webcam becomes active; essentially protecting against some of the features of this malware.
“It’s not surprising that this malware wasn’t detected for five or more years, because current Mac security software is often rather ineffective,” he said. “Most don’t even look for this kind of activity.”
Wardle is set to talk about the malware in more detail at the Black Hat conference in Las Vegas on Wednesday.
Apple did not respond to a request for comment.
Originally posted at
http://www.zdnet.com/article/new-analysis-fruitfly-mac-malwware-almost-undetectable-backdoor/