Monday, February 28, 2011

Trojan Bohu - The Nightmare of Cloud Antivirus System

It has been a while since cloud computing security services first appeared as a magical security solution for computer users. If I remember correctly, April 2009 is when Panda Security announced the first Cloud Antivirus software, in beta at that time, a free security solution that benefits from another technology developed by Panda, Collective Intelligence. In a few words, it is a huge database built from the results of samples analyzed by Panda Security Labs over the years, results that are accessible to all users from the cloud automatically and almost instantly. To get an idea of the size of this database, consider that Panda has analyzed hundreds of millions of samples so far, and new samples are analyzed and classified in a few minutes.

In this way, the moment a new threat is identified, let's say a possible new trojan or virus variant, sometimes called zero-day malware, the signature and the disinfection or removal instructions for that new trojan are automatically available to all users of the cloud antivirus software, beating the usual update mechanism of a classic antivirus.

Theoretically, this approach should lead to lower consumption of computer resources (CPU and RAM), since the file analysis work is passed to the cloud servers. Maybe you will ask: what bandwidth does this process of submitting file data to the servers consume? It must be huge. Well, that is not the case, because the scanned files are not submitted to the servers in their entirety; instead, hashes of the files are submitted.

The hash of a file is like a signature or fingerprint of the file but very small in size, about a few bytes, so Internet bandwidth is not affected significantly.

Although the software keeps a cached file of malware signatures on the local computer, a cloud antivirus is based on a client-server system and can benefit fully from its technology only as long as there is a working Internet connection.

All was good until now, when researchers from Microsoft discovered a new trojan, the so-called Trojan Bohu, originating from China (Taiwan, more precisely), which seems to neutralize a cloud antivirus's ability to detect new threats, using several methods.

First, this trojan appends several bytes of junk code to its body, making antivirus detection based on file hashes impossible, and the reason is obvious: the hashes have changed.
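An added Python illustration (not from the article, and not Microsoft's analysis of the sample) of why appending junk bytes defeats an exact-hash cloud lookup, and of one way a client can compensate: hash only the region the file's own header declares, and treat unexpected trailing bytes as a signal in their own right. The TOY1 container format, the sample bytes and the "known-bad" database are all constructed for this example.

```python
import hashlib
import struct

# Constructed toy container format for this example (not a real executable
# layout and not the Bohu sample): 4-byte magic, 4-byte big-endian payload
# length, the payload, then any trailing bytes the header does not account for.
MAGIC = b"TOY1"


def build_sample(payload: bytes) -> bytes:
    """Wrap a payload in the TOY1 container."""
    return MAGIC + struct.pack(">I", len(payload)) + payload


def whole_file_hash(data: bytes) -> str:
    """The fingerprint a naive cloud lookup sends: a hash over every byte."""
    return hashlib.sha256(data).hexdigest()


def declared_region(data: bytes) -> tuple:
    """Return (start, end) of the payload the header declares; reject malformed input."""
    if len(data) < 8 or data[:4] != MAGIC:
        raise ValueError("not a TOY1 container")
    (length,) = struct.unpack(">I", data[4:8])
    end = 8 + length
    if end > len(data):
        raise ValueError("declared payload runs past end of file")
    return 8, end


def declared_payload_hash(data: bytes) -> str:
    """Hash only the declared payload, so trailing junk does not change it."""
    start, end = declared_region(data)
    return hashlib.sha256(data[start:end]).hexdigest()


def overlay_size(data: bytes) -> int:
    """Bytes past the declared payload: appended junk shows up here."""
    _, end = declared_region(data)
    return len(data) - end


def lookup(fingerprint: str, known_bad: set) -> bool:
    """Stand-in for the cloud query: exact match against known-bad fingerprints."""
    return fingerprint in known_bad


def demo() -> dict:
    """Run the evasion against both fingerprinting strategies and report the outcome."""
    original = build_sample(b"constructed sample body, stands in for the dropper")
    # The "cloud" learned both fingerprints when the original was first analysed.
    known_bad_whole = {whole_file_hash(original)}
    known_bad_payload = {declared_payload_hash(original)}
    # The evasion the article describes: a few junk bytes appended to the body.
    mutated = original + b"\x90" * 7
    return {
        "whole_file_match_before": lookup(whole_file_hash(original), known_bad_whole),
        "whole_file_match_after": lookup(whole_file_hash(mutated), known_bad_whole),
        "declared_payload_match_after": lookup(declared_payload_hash(mutated), known_bad_payload),
        "overlay_bytes_after": overlay_size(mutated),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Real executable formats carry comparable size information in their headers, so the same approach of hashing the declared regions and reporting the overlay separately carries over; an overlay that appears between two scans of "the same" file is worth flagging on its own.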

Secondly, the Bohu trojan installs a Network Driver Interface Specification (NDIS) driver and a Service Provider Interface (SPI) for monitoring and filtering network traffic. When a connection attempt to an IP or domain known to be used by the cloud antivirus is detected, the HTTP requests for that IP are blocked. Separately, the upload of suspicious files to the antivirus cloud servers is blocked. To accomplish this, the trojan looks for certain keywords in the HTTP requests; if a keyword is found, the subsequent communication with the server is suppressed. The cloud antivirus is then unable to access the "cloud knowledge", and as a consequence the end users are no longer protected against the newest threats. This trojan could be the start of a nightmare for cloud antivirus developers and a big threat to the technology itself, because it highlights the weaknesses of this security model.

I agree that using these methods a classic antivirus can also be prevented from updating itself, but for a cloud antivirus the connection to the servers is of the utmost importance; it is the heart of its technology.

The Bohu trojan is presented to the intended victim as a high-definition video player or video codec, a fake of course, tricking the user into installing it on the computer, so social engineering is used as the method of infection.

During installation, several files with semi-random names and an .xml extension, together with an executable file, are dropped in the %Program Files%\Baidu folder, and from these files a new executable file is generated, also with a random name, which is the actual body of the Baidu trojan.

For example, Rising AV detects it as:

Dropper.Win32.Bobohu.a

Kaspersky AV as:

Trojan-Dropper.Win32.NSIS.tw

and Microsoft as:

Trojan:Win32/Bohu.A!Installer

to name only a few of its given names.

This newly created trojan will drop other malware files, which are actually its components:

siglow.dll
siglow.sys
newnetgar.dll
spass.dll
dsetup.exe

... and will add a registry entry with a random name and value to run at computer start-up:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\randomValue_here

So far, only 3 antivirus software vendors were affected: Kingsoft, Rising and Qihoo, all from China.

Meanwhile, they have solved the problem by providing signatures and solutions to neutralize this trojan, but the problem is conceptual and can be summed up in a few words: there is no 100% reliable solution to protect a computer as long as it goes online; only an up-to-date antivirus, an up-to-date system and common sense can protect us. Maybe the last one is the most important, because common sense tells us not to install any software on the computer without knowing its origins and its reputation.

Saturday, February 26, 2011

Types of DoS Attacks

The types of methodologies used in DoS attacks are many, but they can be divided into three essential categories: Flood attacks, Logic attacks, and Distributed Denial-of-Service (DDoS) attacks. Each has several methods within it that attackers may use to compromise or completely shut down an Internet-connected server.

Flood Attacks

The premise of a flood attack is simple. An attacker sends more requests to a server than it can handle, usually in a relentless manner, until the server buckles and gives in to the attacker. Once this type of attack ends, the server can return to normal operation. Flood attacks are very common because they are easy to execute, and the software used to execute them is easy to find. Methods of flooding include:

* Ping flooding - a method where the attacker or attackers flood the target server with ICMP Echo Request (ping) packets. This method depends on the victim returning ICMP Echo Reply packets, greatly increasing bandwidth usage and eventually slowing down or stopping the server.

* SYN flood - an attack in which the attacker sends repeated SYN requests (TCP connection requests) that the target accepts. Normally, the server replies with a SYN-ACK, and the client then follows up with an ACK to establish the connection. In a SYN flood, the ACK is never sent. The server continues to wait for the response, and if enough of these unfinished (half-open) connections build up, the server can slow or even crash.

* Smurf attack - While a ping flood depends on the attacker's computer sending each ping, a smurf attack spoofs ping messages to IP broadcast addresses. If the target machine responds and in turn broadcasts that ICMP echo request, it passes on to even more machines, which can forward the packets to still more. Modern routers have mostly fixed this issue, making smurf attacks less common.

* UDP attack - A UDP flood involves sending a high volume of UDP packets to occupy the target system and prevent legitimate clients from accessing the server. The process requires the attacker to find a UDP port that is free and has no application listening on it. It then sends UDP packets to that port, and the server is forced to reply with ICMP destination unreachable packets.
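As an added example (not part of the original post), the SYN flood symptom described above, half-open connections that never complete, is something a server operator can watch for directly. The Python below reads netstat-style connection lines, counts TCP sockets in SYN_RECV, and raises a flag either when one source holds many half-open connections or when the total climbs even though every source looks harmless, which is what happens with spoofed source addresses. The netstat lines are constructed for the example, not captured from a real host.

```python
from collections import Counter

# Constructed lines in the layout of Linux "netstat -ant": proto, recv-q, send-q,
# local address, remote address, state. One source has four half-open connections.
SAMPLE_SINGLE_SOURCE = """\
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             198.51.100.23:40122     ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51001       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51002       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51003       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51004       SYN_RECV
tcp        0      0 10.0.0.5:443            198.51.100.9:4433       SYN_RECV
"""

# Constructed spoofed-source scenario: eight different addresses, one half-open
# connection each, so no single source stands out but the backlog still fills.
SAMPLE_SPOOFED = """\
tcp        0      0 10.0.0.5:80             198.51.100.23:40122     ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.11:60001      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.12:60002      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.13:60003      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.14:60004      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.15:60005      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.16:60006      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.17:60007      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.18:60008      SYN_RECV
"""


def parse_half_open(text: str) -> list:
    """Return (remote_ip, local_port) for every TCP socket stuck in SYN_RECV."""
    result = []
    for line in text.splitlines():
        fields = line.split()
        # Skip headers, UDP, listening sockets and anything not in SYN_RECV.
        if len(fields) < 6 or fields[0] != "tcp" or fields[5] != "SYN_RECV":
            continue
        local, remote = fields[3], fields[4]
        # rsplit on the last colon so IPv6 literals with embedded colons still parse.
        remote_ip = remote.rsplit(":", 1)[0]
        local_port = int(local.rsplit(":", 1)[1])
        result.append((remote_ip, local_port))
    return result


def detect_syn_flood(text: str, per_source_limit: int = 3, total_limit: int = 8) -> dict:
    """Flag a suspected SYN flood from a snapshot of the connection table.

    Thresholds are illustrative; a real deployment tunes them to the host's
    normal half-open count (and its SYN backlog size) rather than using these.
    """
    half_open = parse_half_open(text)
    by_source = Counter(ip for ip, _ in half_open)
    by_port = Counter(port for _, port in half_open)
    noisy_sources = sorted(ip for ip, n in by_source.items() if n >= per_source_limit)
    # Two independent triggers: one loud source, or a backlog that fills up from
    # many quiet (possibly spoofed) sources that a per-source rule would miss.
    return {
        "half_open_total": len(half_open),
        "noisy_sources": noisy_sources,
        "targeted_ports": [port for port, _ in by_port.most_common(1)],
        "flood_suspected": bool(noisy_sources) or len(half_open) >= total_limit,
    }


if __name__ == "__main__":
    for name, snapshot in (("single source", SAMPLE_SINGLE_SOURCE), ("spoofed", SAMPLE_SPOOFED)):
        print(name, detect_syn_flood(snapshot))
```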

Logic Attacks

Although the goal of a logic attack is the same as a flood attack, the method of intrusion is much different and often more subtle. While flood attacks usually look to bombard a server with an unusually high amount of standard traffic, logic attacks rely on non-standard traffic, exploited through security holes in your system.

Generally, a logic attack requires your server to have a discoverable weakness that the attacker can locate and then use against it. Because of this prerequisite, it is usually easy to prevent by keeping your server software and hardware up-to-date with the latest security patches and firmware respectively.

Many security firms, IT professionals, and software developers regularly test popular proprietary and open source software for security holes. When they find one, the holes are usually quickly fixed, but the only way to accomplish wide distribution of fixes is to publish the exploits. Attackers can then search for unpatched servers and infiltrate them.

While many logic attacks are strategic, it is possible for an attacker to randomly choose a server by using software to locate exploits on the Internet. For that reason, you should keep your server secure, even if you do not think someone has a reason to attack it.

Distributed Denial of Service (DDoS)

If the aforementioned DoS attacks are akin to tornadoes, then a DDoS is like a hurricane. The techniques for attack are usually the same. They may be flood attacks or logic attacks. The difference is that a DDoS comes from multiple attackers in a simultaneous and coordinated assault. Because of the severity and sheer power of a DDoS, it has become a common tool for cyber terrorists, political dissidents, and general protests against corporations or other public entities.

One of the common features of a DDoS is the usage of spoofed IP addresses, making it difficult to block the attackers. Furthermore, many of the computers used in a DDoS may have completely innocent owners who are not aware that their computers are being used in an attack.

A DDoS will usually start with a single attacking computer, but rather than exposing itself by using a direct attack, it will locate vulnerable computers and servers all over the world and secretly install the attacking software on them. In many cases, those infected computers will then seek out more "agents" to use in the attack. When the attacker is finished amassing this cyber army, they could have hundreds or even thousands of agents.

Prevention, Detection, and Mitigation

Some types of DDoS attacks can be prevented by blocking unused ports, keeping software updated, and using modern networking hardware. Others simply cannot be prevented, especially if it is a DDoS. The best you can do in those situations is to use detection software to find the attacks early and stop them from doing too much damage to your service.

Thursday, February 24, 2011

Spyware Affected on Your PC - How to Remove Spyware From Your PC for Free?

The Definition of Spyware

Spyware is a type of malware that can be installed on computers. Its presence is typically hidden from the user and can be difficult to detect. Usually, spyware is secretly installed on the user's personal computer. Sometimes, however, spyware is installed on purpose by the owner of a shared, corporate, or public computer in order to secretly monitor other users.

The Harm of Spyware

The backdoor program installed by spyware collects pieces of information about users without their knowledge and sends the information to hackers, business companies, etc. It is one of the most important dangers in the Internet world, because the backdoor programs can be controlled by an attacker to build a botnet.

Spyware Removal

Firstly, if you notice that a program truly is spyware, you can block its website manually or by using software.

Secondly, you need to judge carefully whether to install an incidental plug-in or not, because some of them are indeed spyware.

Thirdly, Windows users should update their system regularly. Also, if you use Internet Explorer to visit websites, you need to fix its vulnerabilities in a timely manner.

Fourthly, scan and clear your computer system by using anti-spyware programs regularly.

Fifthly, you can run a firewall which monitors the connections made by your running programs. For instance, you can run ZoneAlarm to block unknown processes from accessing your PC.

Lastly, check whether there are leftover items you do not recognize, and if so, try to delete them.

Wednesday, February 23, 2011

Virus Removal - 3 Signs That Your PC Is Infected With a Virus and What You Can Do About It

Virus removal has, unfortunately, become a necessary part of computer ownership. With more and more people using the internet to connect to information and content, the risk of virus infection has increased. Most people are completely unaware of the fact that their computer is infected with a nasty virus until it is too late. So how do you know if your computer is infected with a computer virus or some other type of malicious software? In this article I will outline 3 common signs of computer virus infection and what you can do to successfully remove those viruses from your PC.

1. Mysterious Messages

Do you get strange messages on your computer whenever you start it up? Do you get messages like, "Your Computer is Stoned", or "Your Computer is Infected with Spyware"? This is an obvious sign that your computer has been hijacked by a nasty computer virus. Sometimes the mystery message can even be funny, but trust me, the results will not be humorous at all. The good news is that if you see the message, but can still navigate within your operating system then you have the ability to put an end to the virus without allowing it to do too much damage.

2. Mysterious Pop-ups

A common symptom of virus infection is mysterious web browser pop-ups. These pop-ups are usually intended to take you to a website where you will be prompted to purchase an affiliate product of some type. A lot of times there will be a browser pop-up that simulates an operating system window telling you that your computer is infected and that you need to download a specific type of software in order to clean your PC. If this is the case, just close the window and download some antivirus or anti-malware software right away.

3. Mysterious File Disappearance

If you notice data missing from your hard drive that you know was there a couple of days ago then this is a sure sign that your computer is infected with a virus. Viruses are notorious for wiping out hard drives and destroying information. If you catch on to this before total destruction has occurred then you will be able to save the data that you have left on your hard drive.

It can be tempting to save the money and attempt to remove a virus yourself but this is never recommended. Viruses are sneaky programs and they can hide very effectively. Instead, you should shop around for antivirus software that will eradicate the virus completely and preserve your data. Antivirus software is the best investment you can make when it comes to preserving the life of your computer and the information contained within it. Antivirus software will not only clean your PC of existing viruses, but it will also protect you from future attacks.

Tuesday, February 22, 2011

Remove PC Security 2011 - PC Security 2011 Removal Guide

PC Security 2011 is a fake anti-virus product that infects your computer and tries to force you into buying the full version for $79.95. Once it infects your computer, it generates fake scans that are meant to scare you into believing that your PC is infected, and that you need to buy this fake product in order to disinfect your computer. It is not uncommon for such an infection to be accompanied by a trojan downloader. Below are easy-to-follow PC Security 2011 removal steps.

Infected computers exhibit the following alert messages:
"Warning! Identity theft attempt detected! Microsoft Corporation Keys"
"PC Security 2011 has blocked spyware activity from this program - Name iexplore.exe Publisher unknown"
"Spyware warning! Zafi.b trojan"
"Warning! Adware Detected Mydoom.R Worm"

Removal Instructions:
1. Hit the Ctrl+Alt+Delete keys on your keyboard to bring up Task Manager. If you receive an error message that an error occurred, please ignore this message.
2. In Task Manager, go to the Processes tab and locate the running process PC2011.exe.
3. Right-click on PC2011.exe and choose 'End Process'.
4. You should now be able to run and update your antivirus program. Update it to the latest database, then run a full scan to remove the infection.

By following the above steps you should be able to first disable PC Security 2011 by killing its running process, then removing it by running your existing anti-virus program. If you have any trouble with the above steps, or if your antivirus is unable to remove the infection, you can visit this website which has more options for you to deal with and remove PC Security 2011.

Article Submitted On: February 06, 2011

Sunday, February 20, 2011

Windows Risk Eliminator Removal - How To Remove This Virus From Your System Completely

Windows Risk Eliminator is a new release from the scammers who previously made malicious programs such as the "Windows Security & Control" and "Windows Universal Tool". Just like these older fake anti-virus/spyware programs, this software was created to frighten you into thinking that your PC is full of errors and infections so you'll be tempted to purchase a non-existent upgrade. Although this program may seem genuine, you have to be careful because it is one of the easiest ways to be hacked and tricked online.

What Is Windows Risk Eliminator?

Windows Risk Eliminator is known as a "malware" or a "malicious software" virus that infects your PC. This program works by infecting your computer through the installation of fake software in your hard drive and then using it to lure you to buy a bogus upgrade of the software.

This virus will install automatically on your system via different methods such as a phony attachment in your email, a rogue download, or through malicious websites. Once installed, you will receive endless Windows Risk Eliminator alerts that look extremely worrying and try to make you think that your PC is about to break down from the infections. The virus will invade your system, making you unable to access and run programs like the Task Manager and the internet browser. After being scared like this, you will then be pressured to get an upgrade. If you are not careful, your credit card details will be given to the hackers - along with other personal information on your computer. Currently, about 20% of online viruses are fake anti-virus/spyware software such as Windows Risk Eliminator, and anything like this should be immediately removed from your system.

How To Remove Windows Risk Eliminator

To eliminate this program, you either have to stop its processes and remove it manually, or use an automated tool that will do the task for you. To put an end to its processes, you have to restart Windows into "Safe Mode" - which will prevent any software programs from loading. After this, you have to delete the directories where the program installed itself. To do this, select "My Computer" and then look for the "C:\Windows\WindowsRiskEliminator" folder. Once found, hit the "SHIFT + DELETE" keys to permanently remove the directory from your computer.

The best way to get rid of rogue anti-virus/spyware programs such as Windows Risk Eliminator is to use a powerful automated tool like the new "Frontline Rogue Remover" tool. This tool is very easy to use and can be relied upon to completely cleanse the system's infections. You have to take note that manual removal may not totally eradicate all the viruses. As we know, viruses are capable of self-replication, and because of this your PC may be vulnerable to further damage. To be confident that your computer will be malware-free and to prevent future problems, download and run Frontline Rogue Remover, which will automatically scan through your computer, identify the infected files, and quickly remove the infections.

Saturday, February 19, 2011

What Is Spyware and How Will It Affect My Computer?

What is a Spyware?

Spyware is a small piece of software designed by a hacker with good programming knowledge. Its aim is to steal Internet banking user names, passwords, credit card and debit card numbers, etc. from the computers of unsuspecting online shoppers. The spyware works in stealth mode and the user never comes to know that his credit card or Internet banking details have been stolen and transmitted to the hacker online. He finds out only when the money in his bank account starts shrinking or his credit card balance is exhausted. By then it is too late to react.

How does Spyware Infect a PC or Laptop?

Spyware gets installed on your computer without your knowledge. The spyware infection usually happens within five minutes of connecting your PC or laptop to the internet for the very first time. The spyware is usually hidden in some freeware or device driver installer that you download online. Often it infects a PC when you just visit a bad website. The hackers know the security loopholes in Internet Explorer, Firefox, etc., which they use to enter your computer without you downloading anything. When you install the downloaded freeware the spyware also gets installed and starts running either immediately or after the next restart. Some of this spyware can run as a genuine Windows service, and even a computer user with adequate knowledge may fail to detect these services. Some people who have never used a credit card online or don't even know how to use internet banking also get infected with spyware on their computers.

How does Spyware send Data to Online Hackers?

Spyware is designed to capture every keystroke you press, get the details and address of every webpage you visit, and also capture whatever you copy and paste. This information is put into a small text or binary file, which ensures a very small file size of less than 1 kb, and transmitting this file takes only a fraction of a second. Amazingly, the hackers are very intelligent, bent on getting your sensitive and important data, and will go to any extent. Some spyware cannot be removed even using Windows Task Manager. The data continues to be collected by spyware even when you are not connected to the internet, and the next time you connect your PC to the internet, there goes your stolen sensitive data to the hacker. And you never knew all this happened until you see your bank money stolen or your credit card limit reached.

Why Spyware is Used to Steal Email IDs and Passwords

Even if a hacker only manages to steal your email ID and password using spyware, you are in great danger. The hacker can use your email ID and password to log into your email account and start sending fake emails to all the friends in your email address book. A hacker can even send out threatening emails to anyone from your email account. There is a lot of software available that allows you to send emails without even logging into any email host. For example, if the hacker sends out a threat using your email ID as the from address to, say, your country's president, the police could come and put you behind bars. How are you going to prove that it was not you who sent that email?

Case Study - How Spyware was used to Make Money off a Doctor

This is a true story of how a hacker made money off a doctor using spyware. There was an Indian doctor whose email ID and password were stolen by a hacker, probably using spyware, and the hacker sent out a message to all his affluent friends asking for money, claiming he was going through a bad financial phase in life. Most friends sent huge amounts to help him, to a PayPal account the hacker gave in the email. Then, when a few of his friends abroad started asking him about his problems, the doctor stated that he had no problems and had never sent any such emails. This is a true story, and the hacker was caught thanks to his stupidity in giving out his PayPal account for the free money to pour in. So before it is too late, install good Internet security software on your computer.

Friday, February 18, 2011

Remove Redirect Virus - Working Tutorial

The Redirect Virus (often called the "Google Redirect Virus") is nothing more than a thinly-disguised scam that's trying to get you to buy some fake products & other false websites. This virus works differently than most, in that it will continually hide away from most antivirus programs thanks to the way in which it just changes a few of the files that Windows will be using to run. Although this virus may seem nearly impossible to remove at first - it's actually very easy to clean off your system if you know what you're doing. This tutorial is going to show you exactly what you need to do to stop this virus from causing any more problems for you.

What Is The Redirect Virus?

This virus comes in two forms - either as a "Trojan Horse" or as a "rootkit" infection. It works by installing itself into an actual file that Windows uses on your PC, changing it and then disappearing for good. Although normal antivirus programs will not be able to identify and / or remove this virus, the good news is that you should be able to delete it very easily if you follow the process outlined in the next few paragraphs.

How To Remove The Redirect Virus

There are two programs you can use to get rid of this virus - one called "Hitman Pro" and another one called "ComboFix". These two tools are rather obscure virus removal applications, which have been developed to get rid of infections in a very specific way. Firstly, you should use the Hitman Pro application to scan through your PC and remove any of the Trojan Horse elements of the virus you may have. On top of that, it's also recommended that you use the ComboFix program to fix any of the damaged Windows settings that could be harbouring the virus. This will basically allow you to get rid of any remnants of the infection, boosting the speed and reliability of your PC as a result. If you do this and find that the redirect virus does not disappear, you will have to use a more powerful tool to remove it.

We actually recommend using a specific Google Redirect Virus removal application, which is called "FixRedirectVirus". This tool has been created by a UK computer technician to get rid of any of the parts of this virus on your PC, and works by showing you exactly what to do to get rid of it. You can use this program by downloading it onto your system and then following the steps it outlines. If you're someone who is not confident with PCs, or cannot remove the virus, using FixRedirectVirus is highly recommended.

Wednesday, February 16, 2011

Windows Shield Center - Get Rid of Windows Shield Center, It's Rogue Spyware

Do you have a strange new antivirus program on your PC labeled Windows Shield Center? This new rogue spyware claims to clean PCs, when in fact it infects computers and puts them at risk of further Trojans, rootkits, and possible identity theft. It uses fake Microsoft Security Essentials warnings to trick a user into paying for a non-existent removal program. Besides the annoying pop-ups and warning prompts, this virus can, more dangerously, harvest your financial information and steal your identity. It is not to be left alone for long, which is why we must get rid of Windows Shield Center as quickly as possible.

If you're wondering how you got this infection on your PC, the most common ways are visiting hijacked websites, downloading virus-infected file packages, or streaming an infected video codec. Usually these methods are thrown at you while browsing questionable websites, but it can also happen simply by clicking on the wrong link or downloading the wrong file through e-mail or P2P.

You will know you're infected when strange warnings appear, such as "Microsoft Security Essentials Alert. Potential Threat Details, Microsoft Security Essentials detected potential threats that might compromise your private or damage your computer. Your access to these items may be suspended until you take an action. Click 'show details' to learn more." or "System Security Warning, Attempt to modify register key entries is detected. Register entries analysis is recommended." Whatever you do, do not be pressured to buy a "full version" of Windows Shield Center. Removal is what is most important, and can be done manually or automatically.

Manual removal involves editing your system registry, which is not recommended for beginners. The reason being that a single mistake can end up costing you hundreds in technician fees or possibly more in replacing a computer that no longer boots up. Having said that, if you're an expert, then you will dig into your HKEY_LOCAL_MACHINE/SOFTWARE folder and get rid of the various corrupt values that this spyware has created. You will also need to block related websites, stop related processes, and remove related files and folders. The file listing can be found at my site below.

The easier and safer option is automatic removal. This way you can clean your PC and get it fast again in just a few clicks, and most importantly, your PC will be automatically protected against the next viruses and spyware released. For peace of mind and ease of use, there is no beating automatic removal. It's what I recommend to clients as well as friends, and it's what I use myself.

Are you sick of viruses threatening your security and financial data? Remove Windows Shield Center quickly and get rid of this extremely dangerous program for good!

Bob Walker is a veteran IT consultant with over twenty years of experience in the industry. He's helped clean up the computers of everyone from fortune 500 organizations to individual users and families. His website is dedicated to anti-spyware and virus removal research, where he ranks the most efficient anti-spyware and anti-virus programs currently available.

http://www.spyware-review.net/

Article Source: http://EzineArticles.com/?expert=Bob_L_Walker


Monday, February 14, 2011

Excellent Adware and Spyware Removal Tools

Adware and spyware are extremely annoying, as they slow down your computer, bombard you with useless advertisements and can generally just be a pain. The most effective way to fix this problem is to acquire the best software designed to get rid of malware.

The first thing we must do is take a look at the symptoms below and compare them to the symptoms your computer is experiencing:

* Sluggish computer speed
* Random pop ups appearing
* Random advertisements
* Different homepage
* New toolbars appearing on your browser

It's highly likely your computer is infected with malware if you have any of the above symptoms. Luckily though, it's extremely easy to fix! If you are a little confused because you have antivirus software and it didn't pick it up, do not fret. Many antivirus packages don't have the capability to pick up malware threats. Instead you will need to purchase a dedicated adware and spyware removal tool.

Free Adware and Spyware Removal Software

One of the best products on the market is free, it's called Ad-Aware and it was created by Lavasoft. You can scan and repair your system with Ad Aware within minutes, and the best part about it is that it is free.

Using this type of tool is a great way to remove spyware, adware and malware. However, new spyware is being created every day, and free programs like this are a little slower to update than their paid counterparts.

Install a Popup Blocker

Have you ever had a pop up appear on your computer screen and you have clicked on it to make it go away? Of course you have, we all have just to make them vanish. However, by doing this we have unwittingly installed adware and spyware onto our computers which is causing all the symptoms mentioned above.

To prevent any further infection you can simply install a pop-up blocker! You can get the Google toolbar for free, which comes with a built-in pop-up blocker. Within a few minutes of downloading it, your computer will be protected against getting infected this way in the future.