
It is an outright cyber catastrophe, several experts say following the revelation that the American internet giant Yahoo has suffered a break-in in which the data of 500 million users, probably including many Danes, was stolen. The priority is therefore to change your password as quickly as possible.
It is the largest known data theft ever, and since many people, against all good advice, reuse their passwords in many places, the after-effects could be quite serious. Yahoo has one billion active monthly users, and 225 million use their Yahoo Mail every month. But many also simply have an extra Yahoo Mail account in addition to their main e-mail account.
You should therefore log in to your Yahoo account immediately and change your password, and not to one that you use elsewhere. Ideally, you should use so-called two-factor authentication, where, in addition to the usual password, you have to enter a one-time code that is sent to you as an SMS message every time you log in. That way, a hacker would also need access to your phone to get in. If the hacking case reminds you of an account you no longer use, this may be the occasion to have it shut down and closed.
The hackers copied people's names, e-mail addresses, telephone numbers, dates of birth, passwords and, in some cases, also the security questions and answers normally used to obtain a new password if you have forgotten the old one. In the wrong hands, these can give the hackers access to your e-mail account if they cannot read the stolen passwords.
Yahoo did, however, use a kind of encryption on people's passwords. The hackers therefore need powerful computers to crack the passwords one at a time. Many people, however, also against all good advice, use terrible passwords such as “12345” or “password”, and the hackers can try those first and see how far they get.
Yahoo has itself begun contacting everyone the company can see has been affected by the hacker attack. Yahoo itself believes a foreign government is behind it. Apparently the data was stolen as early as the end of 2014, and Yahoo itself recommends that everyone who has not changed their password since then do so immediately.
Why information about the hack is only coming out now is a mystery to many. It is not clear when Yahoo itself discovered the intruders. Yahoo is about to be bought by the American telecoms giant Verizon. The leak certainly does not put Yahoo in a favourable light, and lawyers are expected to begin suing the company soon over its poor security. The American authorities are already carrying out their investigations and will decide later whether Yahoo receives a fine or penalty.
Online advertising is a multi-billion dollar business mostly run by Google, Yahoo or Bing via AdSense-like programs. The current generation of clickbots such as the Redirector.Paco Trojan has taken abuse to a whole new level, burning through companies’ advertising budget at an unprecedented pace.
This paper is based on research carried out by Bitdefender antimalware researchers Cristina Vatamanu, Răzvan Benchea and Alexandru Maximciuc.
The malware’s objective is to redirect all traffic performed when using a popular search engine (such as Google, Yahoo or Bing) and replace the results with others obtained from a Google custom search. The goal is to help cyber-criminals earn money from the AdSense program. Google’s AdSense for Search program places contextually relevant ads on Custom Search Engine’s search results pages and shares a portion of its advertising revenue with AdSense partners.
To redirect the traffic the malware performs a few simple registry tweaks. It modifies the “AutoConfigURL” and “AutoConfigProxy” values from the “Internet Settings” registry key so that for every request that a user makes, a PAC (Proxy auto-config) file will be queried. This file tells the browser to redirect the traffic to a different address.
The malware tries to make the search results look authentic. However, there are some markers that would normally raise suspicions. First, in the status bar of the browser, messages like “Waiting for proxy tunnel” or “Downloading proxy script” may be displayed. Secondly, the Google page takes abnormally long to load. Furthermore, the malware doesn’t show the typical yellow ‘o’ characters above the page numbers.
Redirector.Paco has been active in the wild starting mid-September 2014. During this period it has managed to infect more than 900000 IPs worldwide, mainly from India, Malaysia, Greece, USA, Italy, Pakistan, Brazil and Algeria.
MSI type
The malicious infection chain starts with a modified MSI file. The installation files usually belong to known benign programs such as “WinRAR 5.2 msi”, “WinRAR 5.11”, “YouTube Downloader 1.0.1”, “WinRAR 5.11 Final”, “Connectify 1.0.1”, “Stardock Start8 1.0.1”, “KMSPico 9.3.3”. The installation files are modified using Advanced Installer [1] [2] [3]. In one of the versions analyzed, three additional files were added to the installation file: “prefs.js”, “reset.txt” and “update.txt”. As seen in the image below, the “prefs.js” file will be dropped in %programfiles% while “reset.txt” and “update.txt” will be dropped in %commonprogramfiles%. In addition to these, two scheduled tasks are also added in order to ensure persistence on the system. The scheduled tasks, named “Adobe Flash Scheduler” and “Adobe Flash Update”, will start the files dropped in the %commonprogramfiles% folder. The “Adobe Flash Scheduler” task will execute the “update.txt” file using VBScript each time a user logs on, while “Adobe Flash Update” will execute “reset.txt” in the same way, but only on Tuesdays at 6:00 PM.
Reset.txt, comprising nine lines of text and an additional 164 blank lines at the beginning, modifies the Internet Settings for the current user. It first deactivates the proxy cache by setting the value “EnableAutoProxyResultCache” to 0 in the key “HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings”. Afterwards, it modifies the following four values.
The content of the PAC file:
As shown, any request to any page that starts with https://www.google or https://cse.google will be redirected to the IP 93.*.*.240 on port 8484. However, at this point, since the requests are made on the HTTPS protocol, they will be accompanied by a warning that alerts the user that there is a problem with the certificate. This is where update.txt comes into use. Update.txt downloads and installs a root certificate so that any connection that goes through the server specified in the PAC file looks private. As displayed in the image below, the icon for the HTTPS protocol remains unaltered, so the user doesn’t get suspicious. However, if he checks the certificate, he can observe that it was issued by DO_NOT_TRUST_FiddlerRoot.
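The registry values and scheduled tasks described above can be checked from saved `reg query` and `schtasks /query /fo csv /v` output. The triage script below is an added example, not code from the Bitdefender paper; both samples are constructed, and the PAC URL and the task command lines in them are assumptions.

```python
import csv
import io
import re

SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def registry_findings(reg_text):
    """Check `reg query` text for the Internet Settings changes described above."""
    findings, key = [], ""
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().lower()
            continue
        m = VALUE_RE.match(line)
        if not m or not key.endswith("\\internet settings"):
            continue
        name, data = m.group(1), m.group(3).strip()
        if name in ("AutoConfigURL", "AutoConfigProxy") and data:
            findings.append(f"{name} = {data}")
        elif name == "EnableAutoProxyResultCache" and int(data, 16) == 0:
            findings.append("EnableAutoProxyResultCache = 0 (proxy cache off)")
    return findings

def task_findings(csv_text):
    """Flag tasks that hand wscript/cscript a file without a script extension."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row["Task To Run"].lower()
        exts = re.findall(r"\.(\w{2,4})\b", cmd)
        if re.search(r"\b[wc]script(\.exe)?\b", cmd) and exts \
                and exts[-1] not in SCRIPT_EXTS | {"exe"}:
            findings.append(f"{row['TaskName']} runs a .{exts[-1]} file as script")
    return findings

# Constructed `reg query` output; the PAC URL is a placeholder.
REG_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
    EnableAutoProxyResultCache    REG_DWORD    0x0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    AutoConfigURL    REG_SZ    http://pac.example.invalid/proxy.pac
    ProxyEnable    REG_DWORD    0x0
"""
# Constructed schtasks CSV cut to two columns; command lines are assumptions.
TASKS_SAMPLE = r'''"TaskName","Task To Run"
"\Adobe Flash Scheduler","wscript.exe //E:vbscript C:\Program Files\Common Files\update.txt"
"\Nightly Backup","cscript.exe C:\Scripts\backup.vbs"
'''
```

A root certificate issued by DO_NOT_TRUST_FiddlerRoot in the user's trusted root store is the third indicator named above and is checked separately in the certificate manager.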
JavaScript file
The malware also contains JavaScript files similar in behavior to the update.txt and reset.txt files. The script is given below.
The script first queries the “text” record from the DNS server for remotesettings1.mtmyoq.se. This returns the following output.
The text record contains two URLs, separated by the character “|”. The first one points to the PAC file, while the second is the certificate that will be used in order to avoid alerts being raised when HTTPS is used for browsing. The URL that will be stored in the registry is “http://localhost.[redacted]/localhost.local”.
Other variants of the same scripts were spotted in the wild. For example, a variant of this script was made to look like a PDF file. This was achieved by using markers specific to PDF files as well as parts from a PDF file as comments for the JavaScript. Another variant of the JavaScript was made to look like an ini file. In fact, we have found two versions of this kind of file. In the first case, the whole JavaScript was written as a single line and was appended to a line located in the middle of the original file. A large number of blank spaces were also inserted between the original line and the JavaScript code to hide it in case someone was checking the file with a text editor that doesn’t have word wrap enabled. In another version, the same JavaScript was broken up and pieces were inserted at random positions in a configuration file. Unless someone views this file with an editor that has syntax highlighting, it is very hard to spot the malicious code.
.Net Type
This component of the malware modifies the search results locally and not through the use of an external server, as the previous ones do. For this to be accomplished, the malware performs a man-in-the-middle attack, as described below:
1. Tries to contact a server every 5 seconds in order to receive the URLs to redirect
2. Modifies the registry settings in order to redirect some requests to the local system
3. Starts a server on the local system to receive the redirected requests and modify them
A piece of code describing the steps:
In order to contact the server, the malware has integrated a simple DGA. A list of domains is generated based on a fixed seed. The TLD for these domains is ‘se’. In addition, a number is prepended at the beginning of the string. It represents a counter, starting with the value 1, and is incremented until a condition is satisfied. As can be observed, the first generated domain, 1.m[redacted]q.se, is the one found in the JavaScript file. These binary files will iterate through the list of generated domains and will perform an nslookup operation in order to retrieve the txt record of each domain. In contrast to the JavaScript file, the responses are encrypted using the base64 and Rijndael algorithms. The setup for the Rijndael algorithm is:
After applying the decryption algorithm, the following XML is revealed:
The tag contains the ‘server.pac’ functionality. In this case, all searches performed on the three most popular search engines (Google, Bing and Yahoo) are going to be redirected to the local system on port 8080, where a man-in-the-middle server listens.
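The lookup pattern described above (one client requesting TXT records for a counter-prefixed name under the same parent domain, counting up from 1) stands out in resolver logs. The detector below is an added example, not from the Bitdefender paper; the log format and sample lines are constructed, and the check is deliberately wider than the ‘se’ case, matching any TLD and a counter at the end of the first label.

```python
import re
from collections import defaultdict

# First label = optional non-digit prefix + counter, e.g. "3.parent.tld".
COUNTER_RE = re.compile(r"^([^\d.]*)(\d+)\.(.+)$")

def longest_run(numbers):
    """Length of the longest run of consecutive integers in `numbers`."""
    best = cur = 0
    prev = None
    for n in sorted(numbers):
        cur = cur + 1 if prev is not None and n == prev + 1 else 1
        best, prev = max(best, cur), n
    return best

def counter_txt_runs(log_text, min_run=3):
    """Return (client, name pattern, run length) for counter-style TXT lookups."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2].upper() != "TXT":
            continue
        m = COUNTER_RE.match(parts[3].lower().rstrip("."))
        if m:
            seen[(parts[1], m.group(1), m.group(3))].add(int(m.group(2)))
    hits = []
    for (client, prefix, parent), counters in sorted(seen.items()):
        run = longest_run(counters)
        if run >= min_run:
            hits.append((client, f"{prefix}N.{parent}", run))
    return hits

# Constructed resolver log: "<time> <client> <qtype> <qname>" (format assumed).
DNS_LOG = """\
10:00:01 10.0.0.5 A www.example.com
10:00:05 10.0.0.5 TXT 1.seed-domain.example
10:00:10 10.0.0.5 TXT 2.seed-domain.example
10:00:15 10.0.0.5 TXT 3.seed-domain.example
10:00:20 10.0.0.7 TXT _dmarc.example.org
10:00:25 10.0.0.7 TXT 1.other.example
"""

if __name__ == "__main__":
    print(counter_txt_runs(DNS_LOG))
```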
After the PAC file is retrieved, the user’s Internet Settings are adjusted so that the browser will query the PAC file. The steps are similar to the ones performed by the JavaScript file, yet the PAC file will not be retrieved from an external server, but from an HTTP server listening on port 9090 on the local system. Once the browser is configured, the malware starts the man-in-the-middle service, as well as the HTTP server that will provide the PAC file to the browser.
For the man-in-the-middle proxy, the malware relies on FiddlerCore, a .NET class library that allows the capturing and alteration of HTTP and HTTPS traffic. The Fiddler service is configured to run on port 8080, to ignore certificate errors, as well as to modify HTTP headers, the HTTP response and body. The redirection can be performed either by returning the 302 response code or by replacing the keyword “/search” with “/cse?cx=”. Also, to overcome certificate errors, a new root certificate is added using the CertMaker class from the FiddlerCore library.
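The hiding tricks described earlier for reset.txt and the ini-style JavaScript variants (a long run of leading blank lines, script text pushed off-screen by whitespace, fragments spliced between configuration lines) can be screened for mechanically. The scanner below is an added example, not from the Bitdefender paper; the thresholds are assumptions, and the sample files are constructed with harmless placeholder fragments.

```python
import re

# Text, a long whitespace gap, then more text: code pushed off-screen on one line.
PAD_RE = re.compile(r"\S[ \t]{40,}\S")
# JScript-looking syntax that does not belong in an .ini or .txt data file.
SCRIPT_RE = re.compile(
    r"\bfunction\s*\w*\s*\(|\bvar\s+\w+\s*=|\bnew\s+ActiveXObject\b|[;{}]\s*$")

def scan_text_file(text, max_leading_blank=20):
    """Return (line_no, reason) findings for a file that claims to be plain data."""
    lines = text.splitlines()
    findings = []
    first = next((i for i, l in enumerate(lines) if l.strip()), len(lines))
    if first > max_leading_blank:
        findings.append((first + 1, f"content starts after {first} blank lines"))
    for no, line in enumerate(lines, 1):
        if PAD_RE.search(line):
            findings.append((no, "text hidden behind whitespace padding"))
        elif line.lstrip().startswith((";", "#")):
            continue  # ordinary ini comment
        elif SCRIPT_RE.search(line):
            findings.append((no, "script syntax in data file"))
    return findings

# Constructed samples; the script fragments are harmless placeholders.
PADDED_INI = "[settings]\nlang=en" + " " * 300 + "var x = 1;\nmode=fast\n"
SPLICED_INI = "[a]\nkey=1\nfunction f() {\ncolor=red\n  return 1; }\n"
BLANK_PREFIXED = "\n" * 164 + "Dim x\n"
CLEAN_INI = "[a]\nkey=1\n; note\n"

if __name__ == "__main__":
    for sample in (PADDED_INI, SPLICED_INI, BLANK_PREFIXED, CLEAN_INI):
        print(scan_text_file(sample))
```

Values that legitimately end in “;” will also be flagged, so findings are a prompt to open the file with word wrap on, not a verdict.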