
What You Need to Know about Dorkbot to Keep Your Organization Safe

More than 1 million computers running Microsoft Windows have been infected by the Dorkbot botnet. Here is what you need to know about this threat so that you can keep your company’s online account credentials safe.

The U.S. Computer Emergency Readiness Team (US-CERT) — a division within the U.S. Department of Homeland Security — issued a security alert about Dorkbot in December 2015. This botnet has infected more than 1 million computers running Microsoft Windows in over 190 countries, according to Microsoft. A botnet consists of a large number of computers and other devices under a cybercriminal’s control. Cybercriminals use botnets for a variety of nefarious reasons. By learning what cybercriminals hope to accomplish with Dorkbot and how Dorkbot infiltrates computers, you can better understand how to protect your computer from this threat.

What Cybercriminals Hope to Accomplish with Dorkbot

Cybercriminals are mainly using Dorkbot to steal online account credentials and other types of private information. This is possible because Dorkbot monitors and intercepts communications between web browsers and various websites.

In an effort to keep the infected computers under their control, cybercriminals sometimes instruct Dorkbot to block access to certain security software websites. That way, the computers will not receive any anti-malware definitions that might rid them of the infection. Some cybercriminals also have Dorkbot install additional malware on victims’ computers.

Cybercriminals even use Dorkbot-infected computers in denial-of-service (DoS) attacks. These attacks prevent people from accessing a service by overwhelming it with service requests.

How Dorkbot Infiltrates Computers

Dorkbot can be spread multiple ways. One method uses phishing emails that try to get the recipients to click a link that will lead to a Dorkbot infection.

Another method uses drive-by downloads, which exploit known vulnerabilities in web browsers, plug-ins, and other components that work within browsers. Cybercriminals create exploit kits that infect computers with Dorkbot through these vulnerabilities. They place the kits on websites they build or legitimate websites they hack into. If computers connecting to these websites have not received the patch that fixes the exploited vulnerability, Dorkbot will be automatically installed on those computers without the users knowing about it.

After Dorkbot infects a computer, it automatically tries to spread to other machines. One way it does this is through social engineering attacks. For example, Dorkbot might send instant messages to the Skype contacts listed in an infected computer. The messages usually try to trick them into clicking a link that will download Dorkbot onto their computers. Similarly, Dorkbot might carry out social engineering attacks through social networks such as Facebook and Twitter.

A further way Dorkbot tries to spread to other machines is through removable drives, such as USB drives. If users of Dorkbot-infected computers plug a removable device into their computers, Dorkbot copies itself to the device. When the device is plugged into a different computer, Dorkbot will automatically spread to that computer. Fortunately, this method is not very effective anymore due to changes in how the Autorun feature in Windows works, according to Microsoft.

How to Protect Your Computer from Dorkbot

To help protect your computer from Dorkbot and other malware, follow these recommendations:

  • Use anti-malware software. Anti-malware vendors regularly update their products to detect the most current threats, so keep the software active and its definitions current.
  • Install software updates promptly, such as those for Windows and web browsers. Keeping your operating system, web browser, and browser plug-ins up to date closes the known vulnerabilities that exploit kits rely on to install malware like Dorkbot.
  • Be cautious when you receive instant messages, social media messages, and emails that contain links, even if they appear to come from a trusted contact; an infected machine sends such links in its owner’s name. If possible, verify through another channel that your contact actually sent the link before you click it.
  • Do not download software from websites other than the software developer’s website if possible. Copies hosted elsewhere might have been modified to infect your computer with Dorkbot or other malware.

If you want to make sure that your computer is not infected with Dorkbot, run a full scan with anti-malware software that is active and up to date. If your computer was infected, change your online account passwords immediately, and do so from a machine you know to be clean, since anything typed on the infected one may be intercepted.

Wed, 20 Jan 2016 07:00:32 -0500

Before getting rid of an old computer, you need to make sure that all the personal and sensitive data on the hard drive is irretrievable. If personal or sensitive data falls into the wrong hands, your business could incur staggering direct and indirect expenses. The average total cost of a data breach in 2015 was $3.8 million, according to the Ponemon Institute’s report, “2015 Cost of Data Breach Study: Global Analysis”.

An organization does not even need to experience a data breach to incur expenses due to the improper disposal of data on hard drives. In 2014, Visionworks failed to secure the personal information of more than 72,000 Maryland residents after it misplaced two old unsecured servers. They might have been accidentally taken to landfills. Both servers contained encrypted credit card data. They also contained customers’ names, addresses, birthdays, and purchase histories.

Even though there was no evidence that any of the data had been compromised, the Consumer Protection Division of Maryland’s Office of the Attorney General sued Visionworks. The company agreed to pay Maryland $100,000. It also agreed to provide identity theft insurance and an additional year of credit monitoring to Maryland customers requesting these coverages. Visionworks had already offered all affected customers a year of free credit monitoring immediately after the incident.

How to Make Sure the Data on an Old Hard Drive Is Irretrievable

When getting rid of an old computer, you might be tempted to simply reformat the hard drive. However, formatting a hard drive does not destroy the files on the drive. It only destroys the information that the operating system uses to find those files. Anyone can easily retrieve the files using a data recovery tool.

There are several proper ways to make sure the data on a hard drive is irretrievable. Common methods include:

  • Overwriting: You can use data destruction software to overwrite a hard drive’s data with random or fixed patterns. On modern magnetic drives a single complete pass is sufficient (this is what NIST Special Publication 800-88 specifies for clearing a disk); the multi-pass routines some tools offer add time, not assurance. Whatever tool you use, read the drive back afterward to confirm the overwrite reached every addressable sector.
  • Degaussing: You can erase data using a magnetic field. There are different types of degaussers, so you need to make sure you pick the right one for the job. The National Security Agency/Central Security Service (NSA/CSS) discusses the different types of degaussers in its Degausser Evaluated Products List. This document also lists the degaussers that meet the NSA/CSS requirements for erasing magnetic storage devices containing classified or sensitive data.
  • Crushing: You can use a hard drive crusher to pierce, bend, and mangle hard drives beyond physical repair. The data remains on the platters, but retrieving it would require forensic lab equipment.
  • Shredding: Similar to paper shredders, hard drive shredders cut hard drives into randomly sized strips. The data remains on the fragments, but reassembling and reading them is far harder than recovering data from a crushed drive.
  • Disintegrating: Disintegrators cut hard drives into smaller and smaller pieces until they are unrecognizable and cannot be reconstructed. Disintegrating is usually done after shredding.

For even better protection, you can use more than one method. You might first degauss or overwrite the data. Afterward, you can crush, shred, or disintegrate the hard drive.
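The overwrite-and-verify step described above, as an added example that is not part of the original post and not any vendor’s tool. It writes one random pass and one zero pass over a device and then reads the device back to confirm that a known record no longer appears and that every byte is zero. It assumes `path` is a raw block device such as /dev/sdb, unmounted and opened as root, or, as in the self-test, a file-backed image standing in for one. A read-back only proves that the addressable sectors are clean; sectors the drive has remapped or hidden, and on SSDs the blocks the wear-levelling layer keeps, are outside what the host can reach.

```python
"""Added example (not from the original post): a software overwrite of a drive followed by a
read-back check that the original data is gone. ASSUMPTIONS: `path` is a raw block device such as
/dev/sdb, unmounted and opened as root, or, as in the self-test, a file-backed image standing in
for one. A read-back only proves the addressable sectors are clean; sectors the drive has
remapped or hidden (and, on SSDs, blocks the wear-levelling layer keeps) are not covered."""
import os
import tempfile
from typing import Optional

CHUNK = 1024 * 1024  # work in 1 MiB pieces so a multi-terabyte drive is never held in memory


def device_size(path: str) -> int:
    """Size in bytes of a block device (or of a file standing in for one)."""
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)


def overwrite(path: str, pattern: Optional[bytes], size: int) -> None:
    """One full pass. pattern=None writes fresh random bytes to every chunk."""
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(os.urandom(n) if pattern is None else pattern * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # push the data out of the page cache onto the device


def wipe_device(path: str) -> int:
    """Random pass to destroy the data, then a zero pass. Returns bytes written per pass."""
    size = device_size(path)
    overwrite(path, None, size)
    overwrite(path, b"\x00", size)
    return size


def verify_zeroed(path: str) -> bool:
    """Read the device back; True only if every byte is zero."""
    zeros = bytes(CHUNK)
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk != zeros[: len(chunk)]:
                return False


def still_contains(path: str, needle: bytes) -> bool:
    """Crude recovery check: does the byte string survive anywhere on the device?"""
    carry = b""  # tail of the previous chunk, so a match straddling two chunks is not missed
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return False
            if needle in carry + chunk:
                return True
            carry = chunk[-(len(needle) - 1):] if len(needle) > 1 else b""


def make_sample_image(size: int = 4 * CHUNK) -> str:
    """Constructed stand-in for an old drive: a temp file full of made-up customer records."""
    record = b"name=Jane Doe;card=4111111111111111;dob=1970-01-01\n"
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write((record * (size // len(record) + 1))[:size])
    return path


if __name__ == "__main__":
    img = make_sample_image()
    print("card number present before wipe:", still_contains(img, b"4111111111111111"))
    wipe_device(img)
    print("present after wipe:", still_contains(img, b"4111111111111111"), "zeroed:", verify_zeroed(img))
    os.remove(img)
```

To run it against a real disk, call `wipe_device("/dev/sdX")` as root with the device unmounted and double-check the device name first; a mistyped path wipes the wrong drive just as thoroughly. The random pass does the destroying; the zero pass only makes a later read-back simple to check and avoids a drive that looks deliberately scrambled.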

New Technologies – SSD

Newer technologies such as Solid State Drives (SSDs) pose new challenges because the old “wiping” approaches do not apply. The drive’s wear-levelling firmware decides where data physically lands, so an overwrite issued by the host can miss blocks that still hold old copies, and degaussing has no effect on flash memory, which stores data electrically rather than magnetically. Use the drive’s built-in secure-erase command where the manufacturer supports it, and prefer shredding or disintegrating the drive when the data is sensitive enough that you cannot take the firmware’s word for it.

Factors to Consider When Deciding on a Method

There are several factors to consider when deciding how to make sure the data on your old hard drives is irretrievable. Two important considerations are cost and how many hard drives you need to get rid of.

Data destruction software is cheap. Some programs are even free. However, using this software can be time-consuming because every sector of the drive has to be written at least once, and it is not uncommon for a single pass over a large drive to take eight hours. So, if you have many drives to get rid of, this might not be the best option.

You can get the job done much quicker with a machine that degausses, crushes, shreds, or disintegrates hard drives. These machines, though, can be expensive. If you do not want to buy one, there are firms that offer hard drive destruction services. Some firms will transport a client’s hard drives to their facilities, where the drives are destroyed. Other firms will destroy a client’s hard drives at the client’s site.

Another important consideration is whether your organization falls under any industry or government regulations. Some laws call for the proper disposal of protected health information, such as names, addresses, social security numbers, and medical histories. Depending on the regulation, you may or may not be able to select who will dispose of the data — your employees or a hard drive destruction firm. If done in-house, the employees tasked with this job must receive training on the proper way to dispose of the data. Their supervisors must also receive this same training. If you hire a firm, you need to enter into a contract that requires the firm to safeguard the data during its disposal.

Other industry and government regulations may require you to properly dispose of data on old hard drives. Each regulation has its own requirements.

Qualified IT professionals at InfoStructures can help you determine the best way to meet all applicable requirements.


Managing Malware Threats on Your Web Servers

IT managers and security professionals are increasingly worried about targeted malware and its effect on business operations for their enterprise web servers. However, according to a recent survey by security firm Bit9, these professionals are less confident than before in their ability to identify and stop such security threats.

Bit9’s server security survey found that targeted malware attacks are the top server security concern of 52 percent of respondents (all 966 respondents are IT and security professionals), up 15 percent from the prior year.

Twenty-five percent of survey respondents said their servers were attacked in 2012, up 8 percent. Twelve percent of those surveyed ranked the “too much administrative effort” required by traditional security solutions as a bigger concern than actual attacks. Forty-three percent of respondents use more than one full-time employee to manage server security.

“These results highlight the need for greater control in identifying and stopping advanced attacks on valuable server resources, before they execute, while decreasing the security-related administrative workloads of IT and security professionals,” said Brian Hazzard, vice president of product management for Bit9. “The key to securing enterprise servers, both physical and virtual, is to allow only trusted software to execute and prevent all other files from running.”

Besides the obvious idea of installing anti-virus/anti-malware software on your web servers, here are some other ideas for securing them:

1. Remove services you are not using

Default operating system installations and configurations are not secure because many unnecessary network services are installed, such as remote registry services, print server services, etc. The more services running on an OS, the more open ports and the more code an attacker can reach. So, disable unnecessary services rather than merely stopping them, so that they are not started automatically the next time the server is rebooted.

2. Patch, patch, patch

Make sure your enterprise web platforms and Content Management Systems (CMSes) are kept up to date. Well-maintained open source platforms publish fixes for security vulnerabilities quickly; monitor the project blogs and/or vendor announcements for availability of new patches. Ensure that you have a way to test patches for your systems and that you have a regular patch cycle, and be prepared to patch outside that cycle when a vulnerability is already being exploited and immediate remediation is required.

3. Secure remote access

Whenever possible, server administrators should log in to web servers locally or from a dedicated management network. If remote access is needed, make sure the connection is secured with tunneling and encryption protocols (e.g., a VPN or SSH), restrict it to specific administrative accounts, and disable old accounts as soon as they are no longer needed.

4. Server-side scripting and web application content

Keep web application or website files and scripts on a separate partition or drive from the OS, logs, and any other system files. A separate partition does not by itself stop privilege escalation, but it does limit what an attacker who gains write access to the web root (through an upload flaw, for example) can do: they cannot fill the system disk, and a path traversal or loose permission within the web tree does not reach OS and log files on the same filesystem. Combine this with file permissions that let the web server’s account read content but not write to it except where uploads are genuinely needed.

5. Keep development, testing, and production environments separate

It is easier and faster to develop a newer version of a web application on a production server, so it is common to develop and test an application directly on the production servers themselves. As a result, it is also common on the Internet to find newer versions of a specific website, or content which should not be available to the public, in directories such as /test/, /new/, or other subdirectories. These applications are in their early development stages, so they tend to have vulnerabilities. To avoid the threat of a hacker using these versions of your application, conduct the development and testing of web applications on servers isolated from the Internet, and never connect them to production data and databases.
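Three of the points above (unneeded services, the web root on its own partition, stray test directories) can be checked mechanically. The script below is an added example, not part of the original post and not a Bit9 or InfoStructures tool. Each check is a function over text or a directory, so it runs here on constructed `ss -tlnp` and `df -P` output and on a live Linux server on real command output. The port allow-list, the directory names treated as suspicious, and the paths are illustrative assumptions, not a recommendation for any particular server.

```python
"""Added example, not from the original post: automated checks for points 1, 4 and 5 above.
Each check is a function over text or a directory, so it runs here on constructed samples and on
a real server on live command output (ss -tlnp, df -P). ASSUMPTIONS: Linux with iproute2 'ss';
the port allow-list, directory names and paths are illustrative, not a recommendation."""
import os
import re
import tempfile
from typing import Dict, List, Set

# Constructed `ss -tlnp` output: a web server that still runs CUPS and exposes PostgreSQL.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*     users:(("nginx",pid=1023,fd=6))
LISTEN 0      511    [::]:443           [::]:*        users:(("nginx",pid=1023,fd=7))
LISTEN 0      128    0.0.0.0:631        0.0.0.0:*     users:(("cupsd",pid=700,fd=7))
LISTEN 0      244    *:5432             *:*           users:(("postgres",pid=900,fd=5))
"""

# Constructed `df -P` output: /var/www sits on its own disk, anything under /srv does not.
DF_SAMPLE = """\
Filesystem     1024-blocks    Used Available Capacity Mounted on
/dev/sda1         41152736 9000000  30000000      24% /
/dev/sdb1        103080888  500000 100000000       1% /var/www
"""

# Directory names that usually mean "work in progress" or "left behind" (illustrative list).
STRAY_DIR_NAMES = {"test", "new", "old", "dev", "backup", "bak"}


def unexpected_listeners(ss_output: str, allowed_ports: Set[int]) -> Dict[int, str]:
    """Point 1: port -> owning process for every TCP listener not on the allow-list."""
    found: Dict[int, str] = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[1])  # '[::]:443' and '*:5432' both end in ':port'
        m = re.search(r'\("([^"]+)"', line)      # first process name inside users:(("name",pid=..))
        if port not in allowed_ports:
            found[port] = m.group(1) if m else "?"
    return found


def mount_point_of(df_output: str, path: str) -> str:
    """Longest mount point in `df -P` output that contains `path` ('' if none matched)."""
    best = ""
    for line in df_output.splitlines()[1:]:
        mp = line.split()[5]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return best


def webroot_on_own_partition(df_output: str, webroot: str) -> bool:
    """Point 4: True when the web root is not on the same filesystem as the OS (/)."""
    return mount_point_of(df_output, webroot) not in ("", "/")


def stray_dev_dirs(webroot: str, depth: int = 2) -> List[str]:
    """Point 5: directories under the web root whose names suggest test or abandoned content."""
    hits = []
    for dirpath, dirnames, _ in os.walk(webroot):
        rel = os.path.relpath(dirpath, webroot)
        level = 0 if rel == "." else rel.count(os.sep) + 1
        for d in dirnames:
            if d.lower() in STRAY_DIR_NAMES:
                hits.append(os.path.normpath(os.path.join(rel, d)))
        if level + 1 >= depth:
            dirnames[:] = []  # stop descending; a web root can be huge
    return sorted(hits)


def make_sample_webroot() -> str:
    """Constructed web root: real content in html/, plus the leftovers the text warns about."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for d in ("html/css", "html/old", "test", "new"):
        os.makedirs(os.path.join(root, d))
    return root


if __name__ == "__main__":
    print("unexpected listeners:", unexpected_listeners(SS_SAMPLE, {22, 80, 443}))
    print("/var/www/html on own partition:", webroot_on_own_partition(DF_SAMPLE, "/var/www/html"))
    print("stray dirs:", stray_dev_dirs(make_sample_webroot()))
    # On a real server replace the samples with live output, for example:
    #   live = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True).stdout
```

On the sample input the listener check reports CUPS on 631 and PostgreSQL on 5432, which is the kind of finding that decides what to disable before the next reboot; the partition check passes for /var/www/html and fails for /srv/www, and the directory scan turns up test/, new/ and html/old/.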

These steps are just the start to a more secure server environment. The best thing you can do to keep your organization safe from the threat of malware is to stay abreast of security technologies, as they are developed, to stay one step ahead of malicious users.


Client Alert – Cryptolocker Ransomware Outbreak

In the last few weeks, and with increasing frequency, our clients have been encountering instances of a new type of malware known as ransomware. The most widespread of these, known as CryptoLocker, infects your computer and encrypts the data files on your computer as well as on any network shares you have connected with a drive letter (e.g., an F: drive). Victims are told they have XX hours to submit payment (usually $100 or $300) in order to have their files decrypted. If this time passes, the “private key” required to decrypt the files is deleted, and the files cannot be easily recovered. The warning message looks something like this:

CryptoLocker screenshot

I’m sure you’re wondering how law enforcement authorities cannot follow the payment trail to the criminals ransoming people’s data. It’s likely that international non-state actors are involved and that they are using botnets to spread the malware. In addition, the payment methods the ransomers are using minimize the risk of their being identified.

How Do I Protect My Organization?

Due to frequent variations in the payload, antivirus and other anti-malware vendors have not been able to reliably identify and quarantine this software, which has arrived on people’s computers primarily via email attachment, often claiming to be from FedEx or UPS. Apart from restoring from backups, there is no practical way to recover encrypted data without paying the ransom. The most practical approach at this time is to a) keep backups of your data files on all drives and shares you are attached to, with at least one copy kept offline or otherwise disconnected, since the malware also encrypts any share it can reach through a mapped drive letter; b) modify your email filters to disallow executable attachments and zip files; and c) educate your users!

Instructions for your users: Do not open attachments from senders who you don’t recognize. FedEx and UPS don’t send emails with attachments! If you do see attachments, do not attempt to open zip files or any executable files, even if they have a name that implies they are a PDF file (another common method).
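The attachment rule recommended above (and the disguised-PDF trick the user instructions warn about), as an added example that is not part of the original alert: a filter a mail gateway or mailbox script could apply. It blocks attachments that are executable by extension, that hide an executable behind a double extension such as Label.pdf.exe, that carry a Windows executable header whatever their name, and zip archives, listing what an archive contains so the reason for the block is visible. The sample message is constructed here, and the extension lists are illustrative and shorter than a production gateway would use.

```python
"""Added example, not from the original post: the attachment rule suggested above, as a filter a
mail gateway or a mailbox script could apply. ASSUMPTIONS: the message below is constructed; the
extension lists are illustrative and shorter than a production gateway would use."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar", ".msi"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
MZ = b"MZ"                    # header of every DOS/Windows executable
ZIP_MAGIC = b"PK\x03\x04"     # local file header that starts a zip archive
MAX_INNER = 5 * 1024 * 1024   # do not inflate archive members larger than this (zip-bomb guard)


def classify_name(name: str) -> str:
    """Empty string if the filename looks harmless, otherwise why it is suspicious."""
    parts = name.lower().rsplit(".", 2)  # 'Label.pdf.exe' -> ['label', 'pdf', 'exe']
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext not in EXEC_EXT:
        return ""
    if len(parts) == 3 and "." + parts[1] in DECOY_EXT:
        return f"executable disguised as {parts[1].upper()}"
    return "executable attachment"


def classify_blob(name: str, data: bytes) -> List[str]:
    """Every reason to block one attachment, judged by its name and then by its bytes."""
    reasons = []
    why = classify_name(name)
    if why:
        reasons.append(f"{name}: {why}")
    elif data[:2] == MZ:
        reasons.append(f"{name}: content is a Windows executable despite its name")
    if data[:4] == ZIP_MAGIC:
        reasons.append(f"{name}: zip archive, blocked by policy")
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for info in z.infolist():
                    inner = z.read(info) if info.file_size <= MAX_INNER else b""
                    reasons.extend(f"{name} -> {r}" for r in classify_blob(info.filename, inner))
        except zipfile.BadZipFile:
            reasons.append(f"{name}: corrupt or non-standard zip")
    return reasons


def scan_message(raw: bytes) -> List[str]:
    """Parse a raw RFC 5322 message and return the block reasons for all of its attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons.extend(classify_blob(name, part.get_payload(decode=True) or b""))
    return reasons


def build_sample_message() -> bytes:
    """Constructed lure in the style described above: a fake delivery notice carrying a zip with
    'Shipping_Label.pdf.exe' inside, a harmless PDF, and an executable renamed to photo.jpg.
    The 'executable' is only an MZ header plus padding, not a real program."""
    fake_exe = MZ + b"\x90" * 62 + b"This program cannot be run in DOS mode."
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Shipping_Label.pdf.exe", fake_exe)
    msg = EmailMessage()
    msg["From"] = "tracking@courier.example"   # constructed sender, not a real address
    msg["To"] = "accounts@corp.example"
    msg["Subject"] = "Delivery attempt failed"
    msg.set_content("Please open the attached label to reschedule delivery.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Label.zip")
    msg.add_attachment(b"%PDF-1.4\n1 0 obj\n", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in scan_message(build_sample_message()):
        print("BLOCK", reason)
```

Two design points matter here. The name check runs before the content check so that a double extension is reported as a disguise rather than as a generic executable, and the zip branch is recursive, so an executable nested inside an archive within an archive is still found; the size cap keeps a deliberately huge member from being inflated in memory. Blocking every zip outright, as the alert recommends, is a blunt rule, which is why the filter also records what the archive held: that record is what lets you explain a block to the user or tune the rule later.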

We have seen multiple variants of this malware already and expect to see more. CONTACT US if you need assistance or advice on mitigating the risk of infection, or if you have already been infected.