CVE-2018-15982: Adobe Flash Player use after free (Zero Day) vulnerability alert!

The recent zero-day vulnerability CVE-2018-15982 in Adobe Flash Player enables attackers to perform Remote Code Execution on targeted machines. Adobe released security advisory APSB18-42 on December 5, 2018 to address this issue. According to Adobe, the in-the-wild exploit is being used in targeted attacks.

Vulnerable Versions

Adobe Flash Player 31.0.0.153 and earlier versions for Desktop Runtime, Google Chrome, Microsoft Edge and Internet Explorer 11.
Adobe Flash Player 31.0.0.108 and earlier for Installer.

About the vulnerability

This is a use-after-free vulnerability in Adobe Reader which allows attackers to perform Remote Code Execution on targeted machines. The vulnerability allows a maliciously crafted Flash object to execute code on a victim's computer, which enables an attacker to gain command line access to the system. After successful exploitation, attackers can take control of the vulnerable system and execute the extracted malware. Reportedly, the vulnerability is currently being exploited in the wild through a malicious Office document. This Office document is the initial attack vector; it executes the malicious Flash file. According to the advisory, the malicious Office document was spread via a spear-phishing attack.

Quick Heal Detection

Quick Heal has released the following detections for the vulnerability CVE-2018-15982:

Exp.SWF.CVE-2018-15982.A
Exp.SWF.CVE-2018-15982.B
Exp.SWF.CVE-2018-15982.SL

Quick Heal Security Labs is actively looking for new in-the-wild exploits for this vulnerability and ensuring coverage for them.

References
https://helpx.adobe.com/security/products/flash-player/apsb18-42.html

Subject Matter Experts
Prashant Tilekar | Quick Heal Security Labs

The post CVE-2018-15982- Adobe Flash Player use after free (Zero Day) vulnerability alert! appeared first on Quick Heal Blog | Latest computer security news, tips, and advice.

8 reasons not to count on your expired antivirus software to protect you!!

You are at your computer, engaged in some important work, and suddenly a message pops up on the screen: "Your Antivirus software license has expired". You conveniently choose to ignore the notification, intending to get back to it whenever you get free, but you never do!

What happens when the antivirus license expires

Using an antivirus program with an expired license opens the door to a landscape of online threats. While you may be feeling relaxed and expecting your expired antivirus program to protect you, the fact is that after the license expires, the features below stop working:

1. Software Updates – Cyber-criminals are on a constant drive to come up with new and advanced techniques to launch cyber-attacks. To protect you from this, Quick Heal releases software updates that protect you from around 50,000 new threats every day. These updates are provided only while the product has a valid license, and hence PCs with expired antivirus licenses are vulnerable to such threats.

2. Cloud Protection – Cloud protection is an additional layer of security that provides robust protection in addition to daily updates. It helps in identifying and blocking malicious tactics adopted by new-age malware. As cloud protection doesn't work after license expiry, immunity against this malware weakens.

3. Ransomware Protection – As the product stops receiving security updates, it loses the ability to detect the new tactics of ransomware attacks in trend. This may put your important data at risk of getting hijacked.

4. Phishing Protection – Phishing protection automatically blocks accidental access to phishing websites, which steal your banking credentials, credit card information and other personal details. As it stops working after license expiry, you may end up losing your confidential information to hackers through fake websites and suffer financial loss.

5. Browsing Protection – Browsing protection automatically blocks access to infected websites, which download malware onto your system. As this protection doesn't work after license expiry, the chances of your computer getting infected are high.

6. Anti-Spam (Email) Protection – Anti-Spam stops phishing emails from getting delivered to your inbox. In the absence of Anti-Spam Protection, you can fall victim to fraudulent email scams.

7. Vulnerability Scan – New security loopholes in the computer operating system and other installed software applications open an easy path for hackers. After license expiry, the product loses the ability to identify and patch the new vulnerabilities which can be easily exploited by hackers to plant attacks.

8. Parental Control – Keyword-based restrictions (e.g. violence) help you block all the relevant websites being accessed by your kids. As this does not work after license expiry, your kids can come across the inappropriate content which you intend to restrict for them.

This concludes that an expired antivirus program is good for nothing. Kindly spare a moment to renew your antivirus license TODAY!! Just in case your license has not yet expired, make sure that the Auto Update feature is enabled in the product, to help us protect your computer better.

The post 8 reasons not to count on your expired antivirus software to protect you!! appeared first on Quick Heal Blog | Latest computer security news, tips, and advice.

Beware of getting scammed during Black Friday & Cyber Monday SALE!!

As holiday shoppers gear up for a shopping spree on Black Friday and Cyber Monday, it's important to be on alert to protect yourself from getting scammed. Here are a few tips to help you enjoy a carefree and scam-free holiday shopping season:

Do not get tricked by similar-looking websites and brand URLs
Shopping season is an active time for scammers to send out fraudulent emails. Scammers often use variants of popular brands and online shopping sites to trick online shoppers into revealing personal details or visiting fake websites. Thus, to ensure safe online shopping, it is advisable to type the URL of the desired retailer directly into the web browser and be absolutely careful about your typos.

Look for hidden charges & misleading bargains in SALE
Oftentimes, the prices of items tagged under "SALE" are already marked up, and you are simply misled into buying at the "sale" price (which is actually the original price of the item). In fact, the prices may be higher than the original price of that same item in some other season. In addition, hidden charges like delivery charges may not be part of the "sale" price, and you actually end up buying the item at a cost equal to or higher than its original price.

Check refund & return policies
It is extremely important that you carefully read the terms and conditions of refund and return before you purchase an item during the sale days of Black Friday & Cyber Monday. Many stores fail to post their refund/return policies for items available under sale, and then later you have no option left, even if the item turns out to be defective.

Stay away from too-good-to-be-true discounts and contests
As much as you may be tempted to participate in too-good-to-be-true contests promoted through social media posts or suspicious emails, be absolutely wary of such contests. Most often, these scams are designed simply to collect your personal information or make you shell out your money. So, avoid promotions or contests that require you to make a financial transaction or pay money.

Use only secured internet connections for shopping
While you may get carried away with the amazing deals and discounts on offer during Black Friday & Cyber Monday, take care to shop only on secured connections that begin with https:// instead of the usual http://.

The post Beware of getting scammed during Black Friday & Cyber Monday SALE!! appeared first on Quick Heal Blog | Latest computer security news, tips, and advice.

This Children's Day, let's talk about one of the most relevant topics for kids these days: the Internet! Children spend a lot of their time doing homework, talking to friends or playing games on the internet. For parents, it is more important than ever to teach their kids early on how to make the most of the internet without experiencing its many pitfalls.

Until even a few years ago, things were much simpler. Parents laid down certain instructions and children followed them. The communication happened face-to-face – think of those long conversations at the dinner table – and parents had a general idea of what was happening in their life. Fast forward to now, and things have become far more complicated. The internet has always been around, but in this day and age it is everywhere. No longer is a child's pathway to the Internet a cranky dial-up connection on a large home PC shared by the entire family. According to research, most children are getting their first smartphones by the age of 10. Every house has Wi-Fi. Even Facebook and Twitter are getting older; every day brings a new social media platform which is the rage. From Snapchat, where you can share pictures and videos for a limited time, to Telegram, where you can message anonymously, there's a platform for almost everything. And of course, as a parent, it's bound to be a lot to take in. While kids are growing up in the digital age, how do parents ensure that their children stay safe and sound in this new world?

THE GOOD, THE BAD AND THE UGLY OF THE INTERNET

At best the internet is a great source of information for children; at worst it can seriously affect their emotional well-being by feeding them unpleasant content. Let's have a look at what exactly is the good, the bad and the ugly side of the Internet.

The good: A useful source of information on educational topics
The bad: Wasting time by excessive use of social media, chatting apps, and browsing
The ugly: Internet hoaxes, cybercrime, cyberbullying, cyberstalking etc.

It is important that parents are particularly cautious of the dark or ugly side of the Internet. In our busy lives it gets difficult to keep up with what's new around us, but as a parent you must be aware of all the ways in which your kid can be affected.

EDUCATING KIDS ABOUT ONLINE SAFETY

Teaching your kids how to use the internet is a lot like teaching them how to ride a bicycle. Initially you give them support by constantly being with them, and as they practice and gain confidence you retreat. So don't worry if your kid hits a roadblock or stumbles a couple of times; they will learn from these experiences eventually. Here are some ways in which you can teach kids about online safety.

It's a good idea to talk to your kids about their internet usage. Encourage a healthy discussion where they regularly talk to you about their activities on the internet. This will make them comfortable approaching you in case they face any problem.

Teach your kids not to disclose any personal information online. Tell them that sharing personal details like contact number, address or bank account number can be dangerous, as this information can be misused.

Tell your kids to be careful while using social networking sites. While teenagers may find it appealing to show off their photographs and check-ins on social media, do warn them that excessive use of social networking can affect their studies, as it can get addictive.

Nothing is private once you upload it on the internet. Kids need to know that if they do not wish the world to know about something, then they shouldn't publish it online. Everything shared on the internet is permanent: even if you delete it, if someone has already shared it or taken a screenshot, it remains.

The internet can sometimes encourage rude behavior, but kids must know that they should never say things online which they would not in a face-to-face interaction. Cyberbullying can be dangerous.

Do not trust strangers online. Kids should be…

This Diwali gift your kids online safety with parental control

Diwali holidays are just round the corner, and your kids might have already received their holiday assignments. But the kids are more excited about the fact that they will now have ample time to browse the internet. While you want your kids to really enjoy the holidays, there's a thought constantly nagging at the back of your mind: "How will I keep my kids away from the internet all day?" Sounds like a familiar situation, doesn't it? Well, in this era of digital evolution, where every second a technology is replaced by another enticing one, it can be a challenge to keep your kids away from the internet. This constant and unmonitored access of kids to the internet can also expose them to the dangers of cyber bullying, stalking, etc. Thus, it becomes imperative for parents to monitor their child's access and activities on the internet and make them aware of safe web practices.

How can we implement parental control?

It may come across as a harsh rule on your kids if you completely stop them from accessing the internet. A better option instead would be to install security software like Quick Heal Total Security or Quick Heal Internet Security, which comes with the "Parental Control" feature.

How does the parental control feature work?

The parental control feature comes with a range of benefits that can help parents make the online experience safe for their kids:

Website Blocking
You can choose to block your kid's access to a particular website simply by adding its URL to the list of already blocked websites. Not only this, you can also block their access to subdomains. For instance, if you wish to block access to "yahoo.com" and its subdomains, then every single URL containing yahoo.com will automatically get blocked.

Internet Access Scheduler
Parents are often concerned about kids not using their time constructively and whiling away their time on the internet. This Parental Control tool can help keep your kids from becoming internet addicts by allowing you to schedule their internet access time. So now you can not only schedule the days on which your kids can access the internet but also decide the duration they can spend browsing. This tool can prove especially handy for keeping a check on your kids during exam times.

Category Blocking
The parental control feature not only allows you to block inappropriate websites but also inappropriate categories of content, even if you are unaware of the URL. So, for instance, if you wish to restrict your child from accessing adult or social content, then all websites containing adult or social content will automatically get blocked. There is also an "Exclude" list that allows you to add exceptions to your restriction, so that particular URLs can still be accessed even if you block their category.

Malicious Category Blocking
Oftentimes, kids are unaware of the threats they can be exposed to by downloading malicious content or an email attachment. As a responsible and alert parent, you can restrict access to malicious content and cut down on threats simply by denying access to categories like "Hacking Software", "Spam Websites", etc.

Blocking All/Specific User
This feature is especially beneficial if you have multiple user accounts set up on your computer. You can choose different parental control settings for each of your kids depending upon their age, interests and requirements.

In short, the Parental Control feature can make the online experience absolutely safe for your kids and also assist them with safe web practices. So, this festive season, gift safety to your little ones by buying and activating a Quick Heal Total Security or Quick Heal Internet Security pack and save yourself from sleepless nights!!

The post This Diwali gift your kids online safety with parental control appeared first on Quick Heal Blog | Latest computer security news, tips, and advice.

Cyber-attacks through phishing emails are increasing, and attackers generally use macros embedded in DOC files to infiltrate the victim's machine. Recently Quick Heal Security Labs came across a phishing e-mail sample which uses the Microsoft Equation Editor exploit to spread the Hawkeye keylogger. Cybercriminals use different techniques to steal confidential data, and they now offer advanced forms of malware to fulfill their purpose. That's why we are still observing actively evolving new threats.

Hawkeye belongs to a family of keyloggers. The latest Hawkeye v8 "reborn" uses the Microsoft Office Equation Editor vulnerability CVE-2017-11882 to infiltrate. We also published a detailed blog post on this exploit, which can be read here. This exploit uses new techniques to evade detection by AV products: it compiles its code while executing and loads the payload in memory without writing it to disk.

Flow of Execution:

Fig 1. Flow of execution

Exploit Analysis:

The buffer overflow vulnerability is present in the "FONT" record of the Equation Native object. To exploit this vulnerability, the OLE object must invoke the Equation Native object, and to do so it needs to include the Equation Native stream in the OLE file. This can be done in two ways:

Use of the "Equation Native" stream.
Use of the CLSID of the "Equation Native" stream.

In this case, it uses the CLSID instead of the "Equation Native" stream.

Fig. 2: {0002CE02-0000-0000-C000-000000000046} of Equation Editor present in the OLE file.

It uses the "OLE10Native" stream to pass the OLE object to the "Equation Native" parser. Following is the minimal header of the "OLE10Native" stream:

DWORD Size of equation object (MTEF header + MTEF data)

After execution of the OLE file, Equation Editor is invoked and starts parsing the records. First it parses the MTEF header and TYPESIZE header, and next it starts to parse the FONT record. In this case, the buffer is overflowed by the FONT record content.
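A static triage check for the document shape described above, as an added example that is not Quick Heal's code: it looks for the OLE compound-file signature, the Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046} in its on-disk (little-endian) byte order, the UTF-16LE "Equation Native" stream name, and an OLE10Native-style DWORD size header that claims more equation data than the stream carries. The sample blobs are constructed; the stream bytes are passed in directly rather than extracted from the container (an assumption to keep the example dependency-free), and the result is a candidate for sandboxing, not proof of exploitation.

```python
"""Triage heuristics for Equation Editor (CVE-2017-11882) lure documents.
Added example, not part of the original analysis; all inputs constructed."""
import struct
import uuid

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"            # compound-file signature
EQNEDT_CLSID = uuid.UUID("{0002CE02-0000-0000-C000-000000000046}")
EQNEDT_CLSID_BYTES = EQNEDT_CLSID.bytes_le                 # CLSIDs are stored little-endian on disk
EQUATION_NATIVE_NAME = "Equation Native".encode("utf-16-le")  # directory entry names are UTF-16LE


def ole10native_size_mismatch(stream: bytes) -> bool:
    """True when the leading DWORD of an OLE10Native-style stream declares
    more equation data (MTEF header + MTEF data) than actually follows it."""
    if len(stream) < 4:
        return False
    (declared,) = struct.unpack("<I", stream[:4])
    return declared > len(stream) - 4


def scan_equation_lure(blob: bytes, native_stream: bytes = b"") -> dict:
    """Report Equation Editor indicators found in a raw document blob.

    native_stream is the extracted OLE10Native stream; in practice it would be
    pulled out of the container with an OLE parser (assumption of this demo).
    Note that an OOXML (.docx) container is a zip, so its embedded OLE data
    is compressed and would not be visible to a raw byte scan like this one."""
    findings = {
        "ole_compound": blob.startswith(OLE_MAGIC),
        "eqnedt_clsid": EQNEDT_CLSID_BYTES in blob,
        "equation_native_name": EQUATION_NATIVE_NAME in blob,
        "size_mismatch": ole10native_size_mismatch(native_stream),
    }
    # An OLE container that references Equation Editor, by CLSID or by stream
    # name, is the lure shape described in the analysis.
    findings["suspicious"] = findings["ole_compound"] and (
        findings["eqnedt_clsid"] or findings["equation_native_name"]
    )
    return findings


# Constructed samples: a document referencing Equation Editor by CLSID only
# (as in Fig. 2) and a benign compound file that does not.
LURE_DOC = OLE_MAGIC + b"\x00" * 64 + EQNEDT_CLSID_BYTES + b"\x00" * 16
BENIGN_DOC = OLE_MAGIC + b"\x00" * 64 + "WordDocument".encode("utf-16-le")
# Placeholder equation bytes; the bad stream declares 0x1000 bytes but carries 8.
PLACEHOLDER_EQN = b"\xAA" * 8
BAD_NATIVE = struct.pack("<I", 0x1000) + PLACEHOLDER_EQN
GOOD_NATIVE = struct.pack("<I", len(PLACEHOLDER_EQN)) + PLACEHOLDER_EQN

if __name__ == "__main__":
    print("lure  :", scan_equation_lure(LURE_DOC, BAD_NATIVE))
    print("benign:", scan_equation_lure(BENIGN_DOC, GOOD_NATIVE))
```

The CLSID check matters because, as the analysis notes, this sample reaches Equation Editor via the CLSID rather than the "Equation Native" stream name, so a scan that only looks for the stream name misses it.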
The following figure shows the structure of the OLE10Native stream, which is parsed by the Equation Native object.

Fig. 3: Structure of header of OLE object.

Exploiting this vulnerability results in executing shellcode, which finally downloads the malicious payload from the C&C server.

Fig. 4: Malicious URL present in the shellcode.

The shellcode connects to the URL to download malware using the "URLDownloadToFileW" API present in Urlmon.dll and executes it to perform malicious activity. In our case, we found the malware to be the Hawkeye keylogger, which performs keylogging and sends the data using an SMTP server.

Payload Analysis:

The latest Hawkeye keylogger uses a 3-step execution. It starts with a container, which executes a loader that injects the Hawkeye payload into RegAsm.exe; the payload then captures keystrokes and credentials stored in browsers, Outlook and some FTP file managers and sends them using the SMTP protocol.

In the first stage, encrypted C# code present in text form in the malware file is decrypted and then compiled in memory. After that, the compiled code present in memory is executed by the malware. The following code is used for compilation and in-memory execution using .NET framework utilities. As the code is in text form and compiled at runtime, it reduces the payload size and helps hide from antivirus programs.

Fig. 5: Compilation and in-memory execution of malware

CSharpCodeProvider is used to access the .NET compiler utility, i.e. csc.exe, to compile code dynamically. To execute such code in memory without a physical copy, it provides compiler options (as shown in Fig. 5). When "GenerateExecutable" is false, it creates a class library; if the value is "true", it creates an executable file. For "GenerateInMemory", if "false" is provided as the value, it saves a physical copy of the assembly at %temp%/randomname.exe. If "GenerateInMemory" is true, it doesn't save a physical copy of the assembly to disk.

Then, by using compilerResults.CompiledAssembly.EntryPoint.Invoke(null, null); it executes the code from the entry point.

In the second stage, the loader decrypts the Hawkeye reborn stub from a resource and injects it into RegAsm.exe. RegAsm.exe is the assembly registration tool of .NET, used to register or unregister assemblies. In this malware, RegAsm.exe is executed using reflection (i.e. the InvokeMember method), and the Hawkeye payload is passed as a parameter to RegAsm.exe. This payload is then executed as a child process under RegAsm.exe. In Fig. 6, Text4 is the path of RegAsm.exe and hXYyylN6() returns the decrypted byte array of the payload.

Fig. 6: Injecting Hawkeye stub…
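Both stages described above leave process-tree artifacts: runtime compilation spawns csc.exe, and the injected stub runs as a child of RegAsm.exe launched from an unexpected parent. The following detection logic, an added example that is not Quick Heal's code, runs over constructed Sysmon-style process-creation records and flags those two shapes. The parent allowlists and the user-writable directory list are assumptions for the demonstration and should be tuned to the environment (PowerShell's Add-Type, for example, also spawns csc.exe legitimately).

```python
"""Process-tree detections for runtime C# compilation and RegAsm.exe abuse.
Added example, not part of the original analysis; events are constructed."""
import ntpath

# Parents that legitimately spawn the C# compiler (assumption for the demo).
CSC_ALLOWED_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe", "dotnet.exe"}
# Parents that legitimately run the assembly registration tool (assumption).
REGASM_ALLOWED_PARENTS = {"msiexec.exe", "devenv.exe", "msbuild.exe"}
# Directory fragments an ordinary user can write to; a parent living there
# raises the severity, since the container in this campaign is a dropped file.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\")


def _base(path: str) -> str:
    """Case-folded file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify_event(event: dict):
    """Return (rule, severity) for one process-creation event, or None."""
    image = _base(event["Image"])
    parent = _base(event["ParentImage"])
    parent_path = event["ParentImage"].lower()
    if image == "csc.exe" and parent not in CSC_ALLOWED_PARENTS:
        rule = "csc.exe spawned by unexpected parent (runtime compilation)"
    elif image == "regasm.exe" and parent not in REGASM_ALLOWED_PARENTS:
        rule = "RegAsm.exe launched outside a registration workflow (possible injection host)"
    else:
        return None
    severity = "high" if any(frag in parent_path for frag in USER_WRITABLE) else "medium"
    return rule, severity


def triage(events) -> list:
    """Run classify_event over a batch and return the alerts in input order."""
    alerts = []
    for event in events:
        hit = classify_event(event)
        if hit:
            alerts.append({"pid": event["ProcessId"], "image": _base(event["Image"]),
                           "rule": hit[0], "severity": hit[1]})
    return alerts


# Constructed sample telemetry (not real events): a dropped container that
# compiles at runtime and then hosts its payload in RegAsm.exe, plus a
# legitimate build-system compile that must not alert.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\invoice_reader.exe",
     "CommandLine": r"csc.exe /noconfig /fullpaths @C:\Users\alice\AppData\Local\Temp\abc.cmdline"},
    {"ProcessId": 4188, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\invoice_reader.exe",
     "CommandLine": r"RegAsm.exe"},
    {"ProcessId": 5010, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\MSBuild.exe",
     "CommandLine": r"csc.exe /noconfig @obj\Debug\app.cmdline"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Because the compiled assembly never touches disk when GenerateInMemory is true, the csc.exe launch and its parent are often the only durable evidence of the first stage, which is why the rule keys on the parent rather than on a file artifact.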

This festive season secure your mobile payments

Festivities in India have begun, and it's time for a joyride of celebrations, merriment, lots of tantalising food and exchange of gifts. Talking of food and gifts, the festive season is also a time for ecommerce sites to spring into action by offering tempting discounts and sales to lure people into buying. With a major part of the population accustomed to using smartphones for their daily needs, it's no wonder that most people prefer to shop and order using the various apps on their smartphones. So, while you are busy making financial transactions with your mobile phone, it is important that you also spare a moment to consider ways to safeguard your mobile payments. Remember that the festival season is not just a busy time for you but also for endless hackers lurking in the darkness, waiting for their chance to strike.

How to safeguard your mobile payments?

Talking of mobile security, one name that resonates in the industry is the Quick Heal Total Security app, capable of thwarting all attempts by hackers to attack your smartphone and mobile payment apps. This Quick Heal app scans the payment apps on your smartphone for viruses and threats and blocks all phishing websites from accessing your confidential information. A valuable addition to this app is the "SafePe" feature, designed especially to counter threats to mobile banking and mobile payments. SafePe ensures a safe and secure online banking, shopping and transaction experience by taking all necessary steps to keep threats at bay.

How SafePe works

Considering the significant growth in Android banking Trojans, SafePe protects your phone against banking Trojans. This feature also ensures that your phone is not infected by spyware, keyloggers or other malware. It acts as a proactive shield, protecting your phone against infection or tampering by advanced malware, so that you are alerted before you initiate an online transaction. SafePe not only ensures the safety of your phone but also of the network it is using for making online transactions. It checks whether or not you are on a secure website at the time of making online payments. It checks whether or not your smartphone is rooted, since rooted phones are vulnerable to attacks that can cause extreme damage.

Gone are the times when phones were used simply for making and receiving calls. With the advancement in technology, smartphones today have become our handiest tool for shopping, banking, browsing, data storage, online transactions and every other need. Thus, leaving such an important device vulnerable to easy attacks by viruses, malware and spyware could lead to damage beyond repair. So, while this festive season you invest your time and money in buying a smartphone and using it for your day-to-day needs, it would be equally helpful to invest in a reliable mobile security solution like Quick Heal Total Security. This would only make your festivals more safe, secure and enjoyable!

The post This festive season secure your mobile payments appeared first on Quick Heal Blog | Latest computer security news, tips, and advice.

While the current focus in cyberspace is on ransomware and cryptominers, there are other prevalent threat actors silently making their way into the victim's machine in order to compromise it for malicious purposes. During the daily threat hunting task, Quick Heal Security Labs came across a URL blocked by Quick Heal's URL categorization cloud feature. Further analysis of the URL led us to a new variant of the "AZORult" infostealer malware. This malware harvests and exfiltrates data from the victim's machine to the CnC server. In this post, we will dissect this malware and share interesting details about it. The attack chain below depicts the execution sequence observed for this malware.

Fig 1. Attack Chain

At the time of analysis, the initial attack vector was unknown, but the attack chain was traced from the malicious URL. Quick Heal Security Labs suspected the initial attack vector to be a phishing email.

URL: cw57146.tmweb.ru/upload/neut[.]exe

During static analysis, the sample seems to have a lot of the Flare in it. The 'neut.exe' file is a PE32 executable for MS Windows, compiled as a P-code file of Microsoft Visual Basic. It has various encrypted strings and contains large resource data of high entropy.

Fig 2: Huge resource in CFF Explorer

The decompiled file has a function to disable DEP for the current process; it attempts to modify Explorer settings to prevent hidden files from being displayed, and also loads the huge resource into memory.

Fig 3: Decompiled file shows DEP policy and resource loading

While traversing some more functions in the decompiled file, an obfuscated code was found which is passed to a function that de-obfuscates the data and forms a valid string.

Fig. 4 Obfuscated Bytes

After converting these hex values to ASCII, the code looks like it is base64 encoded. After decoding it using the base64 algorithm, the following strings are found:

C:\ProgramData\worm.exe
Hxxp://cw57146.tmweb.ru/upload/neut[.]exe

The next function traversed has an XOR algorithm along with some more operations, which is applied to the whole resource data. The decryption routine is shown in the snippet below.

Fig 5. XOR algorithm used to decrypt resource code

After implementing this logic on the resource code, one PE file is found. The decrypted PE file is a Delphi Windows file, and we go forward to analyze this file. Statically checking the file, various base64 encoded strings are found, shown in the image below.

Fig 6. Base64 encoded strings

Decoding the above strings using the base64 algorithm gives the result below. These strings are used to collect system info: for example, "DisplayName" under the "Uninstall" registry key is used to identify all the installed software in the system, and "CreateToolhelp32Snapshot" is used to list all the running processes.

Software\Microsoft\Windows\CurrentVersion\Uninstall
DisplayName
DisplayVersion
HARDWARE\DESCRIPTION\System\CentralProcessor\0
CreateToolhelp32Snapshot

Some unencrypted strings are also there. The snapshot below has some of those strings:

Fig 7. Strings found in Resource File

Further analysis gives an understanding of where and how these strings are used, so we debugged the file in IDA. The malware collects machine information such as "MachineGuid", "ProductName", "UserName" and "ComputerName", XORs it with a DWORD, concatenates the result and finally creates a mutex of this name for the particular system. After that, the malware tries to send data to the C&C server using a POST request. This is how that request is constructed:

Fig 8. Call to HttpSendRequestA

The CnC server responded with a huge amount of data, which seems to be encrypted.

Fig 9. Response from CnC Server

After more debugging of the file, the malware reads the data sent by the CnC server into memory using the "InternetReadFile" API and then decrypts it using an XOR algorithm with a 3-byte key. Some data at the end of the response buffer has base64 encoded strings.

Fig 10. Encrypted data received from CnC Server

The base64 encoded string depicts the information that the malware tries to steal from the victim machine (username, password, installed software, browser information etc.).

Fig 11. Decrypted Response string

After decrypting the other buffer, which is encrypted with an XOR operation, we came to know that it has lots of DLLs (~48) that are dumped in the directory %Temp%\2fda, and it also contains some strings. Some DLLs are related to browser plugins. The malware loads these DLLs in memory and extracts browser and other information. The malware is able to steal account information, browsing and cookie details, and also retrieves the public IP address of the infected machine by calling "hxxp://ip-api.com/json". It is also able to list all the installed software in the system and list all running processes by calling the CreateToolhelp32Snapshot, Process32First and Process32Next functions. It also collects information about the different…
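Two decoding steps recur in the analysis above: unwrapping the hex-then-base64 configuration strings (Fig. 4) and stripping a short repeating XOR key such as the 3-byte key on the CnC response (Fig. 10). The following code, an added example that is not Quick Heal's code, carries both out on constructed inputs. The XOR key is recovered from a known plaintext prefix (a PE header's "MZ" bytes, for instance), which is a general analyst technique and an assumption of this example, not the sample's own routine; the sample's resource decryption also involves "some more operations" the page does not spell out, so only the plain repeating-key XOR is shown.

```python
"""Config-string unwrapping and repeating-key XOR recovery for AZORult-style
artifacts.  Added example, not part of the original analysis; inputs constructed."""
import base64
import binascii


def decode_hex_base64(hex_text: str) -> list:
    """hex -> ASCII base64 text -> raw bytes -> one non-empty string per line."""
    b64 = binascii.unhexlify(hex_text.strip())
    raw = base64.b64decode(b64, validate=True)
    return [line for line in raw.decode("utf-8", "replace").splitlines() if line]


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(cipher: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Derive a key_len-byte repeating key when the first key_len plaintext
    bytes are known: key[i] = cipher[i] ^ plain[i]."""
    if len(known_prefix) < key_len or len(cipher) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    return bytes(cipher[i] ^ known_prefix[i] for i in range(key_len))


def decrypt_response(cipher: bytes, known_prefix: bytes, key_len: int = 3) -> tuple:
    """Recover the key, decrypt, and surface a base64 trailer if present
    (the analysis notes base64 strings at the end of the response buffer)."""
    key = recover_xor_key(cipher, known_prefix, key_len)
    plain = xor_repeating(cipher, key)
    tail = plain.rsplit(b"\n", 1)[-1]
    try:
        decoded_tail = base64.b64decode(tail, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        decoded_tail = None
    return key, plain, decoded_tail


# Constructed inputs mimicking the shapes in the analysis.
CONFIG_PLAIN = b"C:\\ProgramData\\worm.exe\nhxxp://cw57146.tmweb.ru/upload/neut[.]exe"
CONFIG_HEX = binascii.hexlify(base64.b64encode(CONFIG_PLAIN)).decode()

# A response whose decrypted form starts with a PE-style "MZ" header (the
# known prefix used for key recovery) and ends with a base64 line.
RESPONSE_PLAIN = (b"MZ\x90\x00PLACEHOLDER-PE-BYTES\nSTRINGS-SECTION\n"
                  + base64.b64encode(b"user,pass,software,browser"))
DEMO_KEY = b"\x5a\x13\xc7"                      # constructed 3-byte key
RESPONSE_CIPHER = xor_repeating(RESPONSE_PLAIN, DEMO_KEY)

if __name__ == "__main__":
    print(decode_hex_base64(CONFIG_HEX))
    key, plain, tail = decrypt_response(RESPONSE_CIPHER, b"MZ\x90\x00")
    print(key.hex(), plain[:24], tail)
```

With a key this short, even a single known field in the plaintext (a PE header, a registry path the sample is known to request) is enough to decrypt the whole buffer; the same helper applies to the resource blob once the extra operations from Fig. 5 have been reversed.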
