Subject: With your balance was filmed - 300 $ -Resolution of case #PP-025-851-848-207

ID

Transaction: {figure } {SYMBOL }

With your balance was filmed : - 500 $

                                                           -20 $

                                                           -49 $
---------------------------------------------------------------------

Balance is:                                      625 $

For more information, please see page View all history

Sincerely,

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click the Help link in the upper right corner of any page PayPal.

Copyright © 1999-2013 PayPal. All rights reserved.

PPID PP {DIGIT }

Interesting login page

• Don'tclick on links from unknown senders.
• Don'topen any attachment(s) of unknown senders. 
• In fact, don't even open mail from unknown senders.
• Don't be fooled by mail spoofing, you can view the real source by right-clicking your mail and choosing "View Source". (This depends on your mailclient though.)
• Install an antivirus and antimalware product and keep it up-to-date & running.
• When in doubt, visit the website of §vendor or §product or §servicedirectly.
• Block the IPs mentioned above in your firewall or hostfile or §solution.
• I almost forgot: uninstall Java.

•  is it the user for being "gullable" or being social engineered to click on a malicious link?
•  is it the fault of the antivirus or antimalware application for missing an infection?
•  is it the fault of the administrator in corporate networks for not having proper policies?
•  last but not least side-question: is antivirus useless?

• users: paying up to ransomware or rogueware, or CC (Credit Card) theft or fraud
• businesses: personal records stolen (user/password databases), business plans stolen, not to mention the financial & productional losses.

• making money on the back of the customer and 
• not protecting well enough.  

• You have no proper security implementations!
• Your §securitysolution sucks! (use ours!)
• You(r employees) are easily fooled!
• You use Windows!
• ...

Note: may differ from current view An ideal flowchart would be:

An ideal world?

• Should know his or her responsibility and consequences when browsing the web
• Should install an antivirus & firewall (free or not is irrelevant, as long as both elements are present)
• Should know there's no 100% protection. There's a maximum of 99(,9?)% protection at least.
• ... That's basically it.

• Should acknowledge the user.
• Should know the user's needs and shortcomings
• Should know there's no 100% protection. There's a maximum of 99(,9?)% protection at least.
• ... That's basically it.

• Should acknowledge both the user and the antivirus vendor
• Should keep giving feedback for both instances
• Should acknowledge the cat and mouse game between "viruses" and "antiviruses"
• ... That's basically it.

• See The antivirus vendor and The security company

• Should acknowledge the user
• Should know the user's needs and shortcomings and therefore:
• Simplify the processes while increasing the security (not easy, I know)

• listening to feedback from security companies and researchers and
• prioritize security and provide sufficient information about security patches.

• Continue the cooperation that currently exists between security companies and others
• Share your research, especially new malware trends. Everyone benefits!

• Consolidate your resources. There are countless researchers out there who are simply eager to share their findings, suggestions, research or simple MD5 hashes with you
• Share your own findings as well when there's an "APT". Do not simply use it for the next big marketing move
• Share, where appropriate, MD5 hashes so the community can benefit.

• Warn your customers when you see an unusual and/or malicious high traffic load from end-users

• Provide clear, useful and enough information on how to send an abuse report

• Don't panic. Panic is a bad counselor. Stay focused and note down what happened or at least what you noticed or think what happened. What did you do right before the culprit happened?
  Did it turn out your version of Office or Windows is illegal?
  Did you click on a link? Did you pick up a call from "Microsoft Support" but ended up in paying countless dollars/euros/pounds/etc. for a problem that didn't even exist in the first place? 
• Have you been infected with malware (in particular banking malware or ransomware)? 
• Were you the victim of CC theft, identity theft or any other form of online fraud or theft? 

• Internet Crime Complaint Center - http://www.ic3.gov/default.aspx
• Learn how to tell whether your Microsoft software and hardware are genuine - http://www.microsoft.com/en-gb/howtotell/default.aspx

• Contact your local police office and file a "cybercrime" complaint: you're a victim!
• Consult the website of your local CERT - Computer Emergency Response Team - Often they have additional information or may even have a hotline or contact form to report your incident.
• ...

• You are not to blame, only the malicious entity is to blame;
• Look at yourself before pointing the finger to others who have in fact provided you all these years with resources!
• Work together. Cooperate. Coordinate. Consolidate. You may call it "the 3 C's".
  Be victorious in your efforts to stop "cybercrime" once and for all!

Save the file and run! It is funny :)

DivX plug-in Required!

Download and execute the facebook app, please!

Fake facebook image dropper filename follows this pattern: (Me|You|Iam)(Sexy|Nice|Bitch|Naked|Funny|Lol)(PNG|JPEG|BMP|PIC)-(fb|facebook).com
— Yonathan Klijnsma (@ydklijnsma) September 1, 2013

Hong Kong Sun Network - hosting multiple malicious websites

Fake facebook image dropper is being download from domains following this pattern: [a-z]{6}.best.(lt|volyn).ua/dlimage[0-9]{1,2}.php
— Yonathan Klijnsma (@ydklijnsma) September 1, 2013

• Don't be fooled by websites that seem to resemble Facebook, always check the URL you are currently on before downloading or executing files
• Install an antivirus and antimalware product and keep it up-to-date & running
• Use a linkscanner to verify the integrity of a link on either http://www.urlvoid.com or https://www.virustotal.com/
• Use NoScript in Firefox or NotScripts in Chrome to block malicious attempts on unknown sites
• Running "funny Facebook files" will usually provide you with everything but fun

Mail from Twitter

@bartblaze@imaguid@martijn_grooten@twitter Well, now you have something in common with @mikko. http://t.co/NTpLyL9sCN :-)
— Sean Sullivan (@5ean5ullivan) October 18, 2013

One of the first confirmations that PHP.net is was in fact compromised

Google Safe Browsing warning

Redirects

Your data being stolen

• Patch your Java & Adobe or uninstall it if you don't need it.
  Same goes for their browser plugins or add-ons!
• Keep your browser of choice up-to-date.
• Install an antivirus and antimalware product and keep it up-to-date & running.
• Use NoScript in Firefox or NotScripts in Chrome.
• Block the above IP. (either in your firewall or host file)

@MalwareMustDie Phishing Campaign http://t.co/ecm0urGFpv#malwaremustdie
— Jim Kesselring (@RazorEQX) November 5, 2013

UPS Delivery Notification Tracking Number : XLMBGBN855XLMBGBN581

Submission to Malware Tracker revealed CVE-2012-0158

Clues in yellow indicating it's indeed an .rtf file (font used: Calibri)

Word crashing & malicious process(es) spawning

• injecting into explorer.exe
• Creating a key as follows: HKU\​%S-ID-User%\​SOFTWARE\​eccbcffbaaedfcsacfsfdsf  

• %ApplicationData%
• %CommonApplicationData%

• Upgrade to the latest version of Microsoft Word (and Office as a whole). If that's not possible;
• Install ALL your Windows Updates! These exploits are long patched by Microsoft.
• Improve security for your Office files. This means disabling ActiveX, disabling macros and blocking external content. Useful links:
  Enable or disable ActiveX controls in Office documents
  Enable or disable macros in Office documents
  Block or unblock external content in Office documents
• Block ALL the IP's mentioned above in my post.
• Install a proper antivirus & antimalware solution. In a company: you better have a spamfilter!

• Look for suspicious Run keys (examples here) and delete the associated file(s).
• Run a full scan with your installed antivirus product.
• Run a full scan with another antivirus and/or antimalware product.
• In a company: warn your network administrator immediately!

• Patch your Java & Adobe or uninstall it if you don't need it. 
• Same goes for their browser plugins or add-ons!
• Keep your browser of choice up-to-date.
• Install an antivirus and antimalware product and keep it up-to-date & running.
• Use NoScript in Firefox or NotScripts in Chrome.
• Improve security for your Microsoft Office package. (Word, Excel, ...)
  This means disabling ActiveX, disabling macros and blocking external content. Useful links:
  Enable or disable ActiveX controls in Office documents
  Enable or disable macros in Office documents
  Block or unblock external content in Office documents

Remediate VBS worm

• Using option A, the tool will attempt to clean the infection. It will also fix any registry changes made by the malware. (for example it will re-enable Task Manager should it be disabled).

• ! When you use option B, be sure to type only the letter of your USB drive!
  So if you have a USB drive named G:\, you should only type G
  This option will eradicate any related malware on the USB drive, as well as unhide your files (make them visible again).

• I advise to end the script with Q as to ensure proper logfile closing. A logfile will open automatically, but is also created by default on the C:\ drive. (C:\Rem-VBS.log)

• When the tool is running, do not use the machine for anything else.
  (it takes about 30 seconds to run)

• Accidently used an option and want to exit the script? Use CTRL + C to stop it.

• Excedow
• Jenxcus
• Houdini/Dinihu
• Autorun worms
• Any other VBS (VBScript) or VBE malware
• Any other malware that abuses the WSH (Windows Script Host)

• Install all your Windows Updates.

• Disable autorun. This should already be done by Windows Update, but if not you can use:
  • Panda USB Vaccine, download from CNET
  • Follow the steps in this Microsoft article (also for companies)
• Don't simply insert a USB-drive in your machine without knowing who it is from. Found a USB-drive at your parking lot? Yeah, don't even think about it. You might want to read:
  Criminals push malware by 'losing' USB sticks in parking lots
  
• You can install and run Script Defender along your antivirus/antimalware product:
  Script Defender by AnalogX
  This will effectively block the execution of malicious scripts like VBS, VBE, HTA, ...
  
• If you aren't planning on ever using VBscripts at all, or you are not working on a company laptop (which may use scripts!), you can also simply disable the Windows Script Host.
  
• For companies, take a look at this as well:
  Command line process auditing
  
• Last but not least, install an Antivirus and update it regularly.
  
  

• A (rotating) ad where malicious Javascript was injected
• AftonBladet itself had malicious Javascript injected

Windows Efficiency Master

Fake scanning results

• Usual blocking of EXE and other files
• Usual  blocking of browser like Internet Explorer
• Callback to 93.115.86.197 C&C
• Stops several antivirus services and prevents them from running
• Reboots initially to stop certain logging and monitoring tools
• Uses mshta.exe (which executes HTML application files) for the usual payment screen
• Packed with UPX, so fairly easy to unpack
• Connects to http://checkip.dyndns.org/ to determine your IP

•     Install an antivirus and antimalware product and keep it up-to-date & running.
•     Use NoScript in Firefox or NotScripts in Chrome.
•     Block the above IP. (either in your firewall or host file)

•  Perform a full scan with your installed antivirus and a scan with another antivirus or antimalware product. You can check on VirusTotal which antivirus applications already detect this malware.
• If you are having issues doing this, reboot your machine in Safe Mode and remove the malware. For any other questions, don't hesitate to make a comment on this post or contact me on Twitter.

Browser blocked by Browlock

U zijn onderworpen aan schending van de auteursrecht en de naburige rechten (Video, Muziek en Software) en onrechtmatig gebruik oftewel verspreid auteursrechtelijk beschermde content

U hebt bekeken of verspreiden verboden pornografische content

Onrechtmatige toegang is gestart vanaf uw computer zonder uw medeweten of toestemming, Uw PC kan besmet raken met malware

Om uw computer te ontgrendelen en naar andere juridische gevolgen te voorkomen, bent u verplicht om een release vergoeding van 100 EUR-te betalen via PAYSAFECARD (u moet aankopen PAYSAFECARD kaart, opwaarderen van 100 EUR en voer de code). U kunt aankopen de code in elke winkel of tankstation. PAYSAFECARD is beschikbaar in de winkels in het land.

Message in Internet Explorer. Oops :-)

Payment methods by Browlock

WhoIs data, most probably fake

• First and foremost in these cases, install an extension that blocks (malicious) ads! 
  I suggest using Adblock Plus, compatible with most modern browsers.
• An additional layer of protection in your browser (and a must nowadays) is NoScript (Firefox), ScriptSafe (Chrome) or NotScripts (Opera) to prevent automatic loading of malicious Javascripts.

Start Task Manager

Browlock (Source)

'Normal' ransomware: Reveton (Source)

'Encrypting' ransomware: CryptoLocker (Source)

• the full conclusion by clicking here.
• the prevention & disinfection by clicking here. 

Encounter rate trends for the top 6 ransomware families in 1H13 (Source)

Weelsof ransomware earnings on 5/17/2012 (Source)

• Keep installing all relevant Windows Updates. (No, not Silverlight)

• Install an antivirus and firewall and keep it up-to-date and running.
• Uninstall any unused applications, for example Java.
  If you do need Java, keep the following in mind:
  
  • Uninstall any older Java versions, as keeping those older and vulnerable versions on your system is a very bad idea. You can follow the steps on Oracle's site itself or use JavaRa for example.
  • Disable Java in the browser by following the steps from Oracle here.
   
•  Keep your other sofware or applications up-to-date. You can use Secunia PSI for example.

• Install an adblocker, for example Adblock Plus.
• An additional layer of protection in your browser (and a must nowadays) is NoScript (Firefox), ScriptSafe (Chrome) or NotScripts (Opera) to prevent automatic loading of malicious (Java)scripts.
• As usual, don't open any unknown attachments or links. Use a strong spam filter if possible. You can also 'hover' or scroll over a link to see the real URL behind the link.
• Try to avoid shady or unknown websites if possible. An add-on like WOT can help you determine the legitimacy of a website.
• Keep your browser of choice up-to-date, as well as any add-ons or plugins.
• Don't fall for the obvious spam, phishing or scam attempts. Golden rule:
  if it looks too good to be true, it probably is!
• Last but not least, make backups! A few points to consider when making backups:
  
  • Don't leave your external drive plugged in after the backup. This to prevent your backup files will be encrypted as well. So, take your backup and disconnect your external hard drive afterwards.
  • Be careful with backups in the cloud as well. If you use Dropbox for example, and it syncs to your Dropbox folder after your data has been encrypted... You will have another copy of your encrypted data.
  • Test your backup, if possible. You wouldn't want to encounter an infection then to only find out your backups are corrupted somehow.
  • You can also write your backups to write-once media, like for example DVDs or Blue-Ray. Easier is of course using an external hard drive, but don't forget to disconnect it after you have made the backup.

• Use a strong password for your servers. Even better is to disable RDP from the internet if at all possible. Additionally, use a firewall to block unknown intruders or attackers.
• Use a strong spam filter. Preventing any infection now will save you a lot of work later.
• Use Group Policies if possible. An excellent resource on this is the following page by BleepingComputer, which includes several examples of Group Policies to stop ransomware from ever entering your company. Be sure to test these policies on a separate machine first if possible.  How to prevent your computer from becoming infected by CryptoLocker
• Another way is to restrict Administrator rights for your users. They shouldn't be installing any software other than work-related software anyway.
• If possible, educate your users. Have policies & procedures in place for BYOD (Bring Your Own Device) as well as any other malware incidents or outbreaks.
• Last but not least: make backups! This is something you should do either way. Best way is to let the backups be stored in another physical location than yours, if possible. (this not only to prevent ransomware from encrypting all the files on your shared drives or server, but also in case of a natural disaster or fire in your building. You never know.)

• First things first: do not pay for ransomware!
• If applicable, simply restore from a backup.

• If you are dealing with normal ransomware (Reveton, Urausy, ...):
  
  • Try booting in Safe Mode and performing a scan with your installed antivirus and an online antivirus.
  • You can also use other tools, like for example the Farbar Recovery Scan Tool. 
  • If in doubt, unsure what action to take, or simply not too computer-literate, you can always count on (free) help from several antimalware communities:
    BleepingComputer (EN) or Malwarebytes (EN)
    PC Web Plus (NL)
    Malekal's Forum (FR)
    InfoSpyware (ES)
    Trojaner-Board (DE)
•  If you are dealing with encrypting ransomware (CryptoLocker, BitCrypt, ...):
  
  • Try cleaning the malware first by following the steps above. Note that in some cases this is not the best action to take, as some ransomware variants install the decryption tool on your machine as well. In that case, it is better to ask help on any of the forums above.
    Afterwards:
  • Try restoring to a previous System Restore Point.
  • Try using any of the publicly available antivirus tools for decrypting your data. Keep in mind that most of these tools are for a specific ransomware family or variant.
  • Sometimes, you are lucky and can use Shadow Copies (Restore Previous Versions). If this doesn't work, you can use ShadowExplorer for example.
  • Sometimes, you can have luck restoring files by using data recovery software like Recuva, or for a bigger chance in restoring your files, PhotoRec. Note that these require you to delete the encrypted files, so use this as a last resort. Also note there's no 100% chance you'll be able to restore any of your data. (in any case)

• Fake support services -
  websites claiming to help you with computer issues- but in fact are just another scam
• Your phonenumber has been spread on the web one too many time (by either yourself or someone else)

• The man or woman often has an Indian accent
• They call from a number outside your current country or have an unknown caller ID
• They urge you that there's a problem with your computer that needs immediate fixing
• They impersonate legit companies, for example Microsoft or even an antivirus company

• Ammyy
• Bomgar
• GoToAssist
• TeamViewer
• ShowMyPC
• Logmein (or Logmein Rescue)
• ...  Others

"Scary errors in the Windows Event Viewer."Source

• You have to pay a reasonable sum of money, say 5 or 10 euros/dollars/pounds.
• You have to pay a not-so-reasonable amount of money, varying from 100 to 300 euros/dollars/pounds.

• The "technician" claims the transfer did not work or was incomplete and asks to try again.
  (but in fact it did work and they're just trying to rip you off even more.)
• They will steal login information and/or CC credentials or other bank account/Paypal/.... information.
  (several possibilities here obviously, depending on which type of payment you used.)

• Fear: they tell you there's an issue or several issues with your computer
• Uncertainty: you may have had some slowdowns recently. Or - coincidentally or not- you just had malware.
• Doubt: "I did have this issue, maybe they can help me?"

• Often, the remote tools mentioned will utilize an ID or code. Write down the ID or code.
• Write down the date and time when this remote sessions happened. Write down your public IP address if known - you can also check this via whatismyip.com.
• Write down the phone number(s) as well as date and time when they called you.
• Write down the name of the remote program/tool, as well as any other information you may think of. (name of the person calling you (99,9% of the time fake, but you never know), what exactly happened, if/how/when you paid or transferred any money and any other information which you think may be helpful.)

• Unplug the ethernet cable or turn off your wireless. Reboot your machine. Is a pop-up coming up asking for a connection or waiting for a connection? Close it.
• Call your bank, your CC card provider, Paypal or whichever means you have used - call your financial institution as soon as possible to cancel the transfer!
• Uninstall any new & unknown software you find. Verify in Add/Remove programs if none of the above mentioned tools have been installed, for example.
  Also check the usual locations, for example C:\Program Files or C:\Program Files (x86).
• Perform a full scan with your antivirus software, especially in the case of a fake antivirus or rogueware. Restore internet access at this point and run a scan with another online antivirus.
• Call your phone company! Ask them if they can verify who has called in case of an unknown caller ID - or to block the specific numbers should you receive these calls regularly.
• Change passwords of your computer - meaning your user password, but the password(s) of your bank account/Paypal and others as well.
• When you deem this necessary, perform a system restore of your machine. In serious cases, an even better option is to format your machine completely (though usually not necessary).

• Unknown caller ID or private number? Don't pick up, unless you're indeed expecting a phone call.
• Weird or long number calling you? Don't pick up. If you decide to pick up, listen to what they have to say, smile and put down the phone anyway.
• Receiving these calls regularly? Call your phone company so they can block it. If you're receiving a lot of these calls, be sure to not pick up, as they'll know there's someone on the other side, even though you put down the phone immediately.
• Missed a few calls from these numbers? Don't be tempted to call back. A similar scam is calling you, but after 1 second immediately hanging up. This may tempt you into calling back. Don't fall for that scam either. (they are not necessarily the same cybercriminals, but they both want your money.)
• Avoid shady "tech support" websites. A tool which may help you in this is WOT - Web Of Trust.
• Add yourself to the National Do Not Call Registry (US only). This may not prevent phone scammers, but it does prevent other marketeers from calling you and spreading your number to others. For all other countries: inform with your local CERT for options, as there aren't many available.
• Last but not least: use your common sense! When in doubt, simply hang up the phone.

• Include a clear page on your website warning about the possible malicious use of your software.
• Include an abuse report form - whether via a ticketing system, by call or mail or any other means.
• Send all information the victim provided to the legal authorities so they can take action.
• Inform the user of what has happened - should they blame you. Refer to your warning page about this scam.

CosmicDuke - the first malware seen to include code from both the notorious MiniDuke APT Trojan and another longstanding threat, the information-stealing Cosmu family. When active on an infected machine, CosmicDuke will search for and harvest login details from a range of programs and forward the data to remote servers.

@bartblaze@TimoHirvonen Hashes here: 82448eb23ea9eb3939b6f24df46789bf7f2d43e3 c86b13378ba2a41684e1f93b4c20e05fc5d3d5a3
— Mikko Hypponen (@mikko) September 19, 2014

(Source)

Don't be fooled by the company name or description, this isn't IIS Express Worker Process nor has it anything to do with Microsoft.

Unzipped content of a .docx file

Unzipped content of  our .docx file

cmd.exe
savadminservice.exe
scfservice.exe
savservice.exe
ekrn.exe
msseces.exe
MsMpEng.exe
dwengine.exe
ekern.exe
nod32.exe
nod32krn.exe
AvastUi.exe
AvastSvc.exe
kav.exe
navapsvc.exe
mcods.exe
mcvsescn.exe
outpost.exe
acs.exe
avp.exe

• Don't open emails (and certainly no attachments) from an unknown source. 
• Install an antivirus and antimalware product and keep it up-to-date & running.
• Improve security for your Microsoft Office package. (Word, Excel, ...)
  This means disabling ActiveX, disabling macros and blocking external content. Useful links:
  Enable or disable ActiveX controls in Office documents
  Enable or disable macros in Office documents
  Block or unblock external content in Office documents

Each second outgoing connection to search.namequery.com

List of BIOS & firmware compatibility: http://www.absolute.com/en/partners/bios-compatibility

In order to be an effective system, the anti-theft agent must be stealthy, must have complete control of the system, and most importantly, must be highly persistent because wiping of the whole system most often occurs in the case of theft.
This activity is also consistent with rootkit behavior, the only difference being that rootkits are generally malicious, while anti-theft technologies act as a form of protection against thieves.

While Absolute Software is a legitimate company and information about Computrace product is available on the company's official website, the owner of the system claimed he had never installed Absolute Computrace and didn't even know the software was present on his computer. It could be assumed that the software was pre-installed by an OEM manufacturer or reseller company, but according to an Absolute Software whitepaper this should be done by users or their IT service. Unless you have a private IT service or your PC vendor took care of you, someone else has full access and control over your computer.

Lenovo ThinkPad (BIOS version: J9ET58WW)

Computrace module activation warning

It is also worth noting that many used or refurbished devices may have motherboards with a Computrace BIOS module that was activated by the previous owner.  In these cases, my recommendation would be the following:

1.       Obtain and install any missing or outdated HECI\Intel Management\IMEI drivers from the manufacturer.  Once these drivers are in place, any potential Absolute software installed on the computer will correctly communicate with the BIOS and it should automatically deactivate itself over the course of a few days.

2.       Contact the manufacturer and request a motherboard replacement.  Activated motherboards should not be re-sold by manufacturers or retailers if the necessary de-activation steps are not taken first.

• Two new binaries (different hashes) have been identified:
  ad73c636bb2ead416dfa541a74aea016 (wceprv.dll)
  4011590af6f13a42a869ae57d6174f4f (rpcnetp.exe)

• Several files are packed with UPX

• The wceprv.dll module has a Digital Signature which is issued to
  Absolute Software Corp. Serial Number: 35:ba:ec:87:59:d7:84:62:c3:d2:b7:ff:d4:c4:6e:51
• Machines will have an altered Master Boot Record (MBR); this is because Computrace parses the MBR and partition table - it writes some data into the sectors before the primary partition. According to the patent (US 20060272020 A1):
  In another embodiment, the CLM is stored in a substitute Master Boot Record (MBR), or a combination of the foregoing.

[...] to perform preemptive and reactive security measures to safeguard a missing, lost, or stolen device and the data it contains. With Computrace Mobile you can determine the location of the device and whether or not it’s on the move. You can also freeze it to prevent unauthorized access and send a message to the user to validate the status of the device. If the device contains important information, you can remotely retrieve files or delete them immediately. And you can generate an audit log of the data that’s been removed so you can prove compliance with corporate and government regulations.

Another option would be to request a motherboard replacement for your machine, as suggested above. Additionally you may reinstall the Operating System afterwards.




Absolute Computrace FAQ


Is Computrace malicious?
No.



Which devices does Computrace support and may be installed on?

(Source)

So yes, it's possible Computrace is installed on any other of your (mobile) devices. If you're looking for pointers, once again look for outbound connections to *.namequery.com or *.absolute.com.



Which firmware or BIOS brands does Computrace support and may be installed on?

• Acer
• Apple
• ASUS
• Daten
• DELL
• Fujitsu
• GammaTech
• General Dynamics Itronix
• Getac
• HP
• Lenovo
• Microsoft
• Motion
• NEC
• Panasonic
• Samsung
• Sony
• Toshiba
• Winmate
• Xplore Technologies

How recent was the Computrace agent variant you found?
I added this question as to compare it with Kaspersky's binary- which was compiled in June 2012

This variant of the Computrace agent was compiled in May 2012 (assuming it's not altered)

Another version of Computrace was found. Note that this is possibly due to small updates of the loader or agent module.



Will flashing the BIOS remove Computrace?
No, as it resides in a non-flashable portion of the BIOS.



Will downloading the latest BIOS drivers for my machine remove Computrace?
See "How to remove or uninstall Absolute Computrace".



I'd like to see more information about my BIOS/EFI/coreboot/firmware/optionROM.
You can use the excellent tool flashrom. If you are using anything but Windows, Anibal and Alfredo have also written a Python program to to dump the BIOS firmware and search for a CompuTrace Option ROM: dumpComputrace.py (Note: you'll need to apt-get flashRom/dmiDecode/UPX)



What if I'm a customer of Computrace and have doubts or want more information? 
Best thing to do is call them directly: +00 1 877 337 0337 (US number), choose option #1. The general number in Europe is: +44 118 902 2005 and for Asia: +65 6595 4594

More information on how to contact them as existing customer can be found here:
Absolute Software Support



What if I'm not a customer of Computrace and have doubts or want more information?
You can still use the numbers above if you like, or you can use the Absolute Software Contact Form.



What if I suspect I bought a stolen machine which has Computrace installed?
Contact Absolute Software (see above)! They will set up a case together with you and law enforcement.



Is there similar software out there like Computrace?
Yes, but it is not exactly the same as Computrace. An example is Prey. Another example is Intel's Anti-Theft Technology - which apparently will cease to exist in January 2015. Source:
Intel Anti-Theft Service FAQ

Nowadays, most Antivirus vendors also offer some form of anti-theft. For more information, refer to the corresponding websites of the vendors.



Why did you decide to write this blog post?
To provide even more additional & useful information, as well as out of sheer interest.



Do you have any additional information to share? 
Yes, see right below in the Resources section.




Resources

Absolute Software - Perspective on Kaspersky Report & FAQ
Absolute Software - Persistent servicing agent  (Patent US20060272020 A1)
Corelabs - Deactivate the rootkit (PDF)
Kaspersky - Absolute Computrace Revisited
Kaspersky - Absolute Computrace: Frequently Asked Questions





Acknowledgements

I'd like to thank, in no particular order:

• Anibal Sacco and Alfredo Ortega for their initial research.
• Alfredo Ortega for a refreshing chat and answering some additional doubts I had.
• Vitaliy Kamlyuk and Sergey Belov for their additional/follow-up research.
• Absolute Software's service desk/support specialists for their excellent service & answering any questions I had.

Thank you for reading.

"karpathos" sending a bit.ly link (Image source)

Image of IMG_211102014_17274511.scr file

Server in Czech Republic. VirusTotal reference

Interesting information in the debug path, note the "steamstealer" string. Screenshot via PeStudio

• Exit Steam immediately
• Open up Task Manager and find a process called temp.exe, wrrrrrrrrrrrr.exe, vv.exe or a process with a random name, for example 340943.exe
• Launch a scan with your installed antivirus
• Launch a scan with another, online antivirus
• When the malware has been disinfected or deleted, change your Steam password - if you use the same password for other sites, change those as well
• Verify none of your Steam items are missing - if so, reinstall Steam as well.

• Be wary when someone new adds you on Steam and immediately starts sending links
• In fact, don't click on links someone unknown sends to you
• If you did, don't open or execute anything else - just close the webpage (if any) or cancel the download
• By default, file extensions are not shown. Enable 'Show file extensions' to see the real file type. Read how to do that here
• Add the IP 185.36.100.181 to your host file or block it in your firewall. In the host file, add:
  127.0.0.1 185.36.100.181 
• Follow the tips by Steam itself to further protect your account:
  Account Security Recommendations

process flow graph of pgp.exe (made using procDOT)

jpg, jpeg, doc, txt, pdf, tif, dbf, eps, psd, cdr, tst,  MBD, xml,  xls, dwg, mdf, mdb, zip, rar, cdx, docx, wps, rtf, 1CD, 4db, 4dd, adp, ADP, xld, wdb, str, pdm, itdb, pst, ptx, dxg, ppt, pptx

@bartblaze Hey, maybe interesting for you: http://t.co/6rZUD1O1qZFound on hacked joomla page Got a lot of those files. All have same scheme
— Florian Gümbel (@fgdesign) February 25, 2015

getenv(HTTP_X_UP_CALLING_LINE_ID);

getenv(HTTP_X_NOKIA_ALIAS);

• Take back-ups regularly! Yes, even for your website.
• Keep your CMS up-to-date; whether you use WordPress, Joomla, Drupal, ... 
• Keep your installed plugins up-to-date. Remove any unnecessary plugins.
• Use strong passwords for your FTP account(s), as well as for your CMS/admin panel login.
• Use appropriate file permissions - meaning don't use 777 everywhere. (seriously, don't)
• Depending on how you manage your website - keep your operating system up-to-date and, if applicable, install and update antivirus software.