Attend our Free Webinars to Learn How to Get Maximum Value from Skyline: Special Guest Henry Lin from Match.com on Aug 27th

This post was originally published on this site

The Skyline team is hosting a live webinar to demonstrate the latest Skyline features and functionality and answer questions. Join us to learn how to get the most from Skyline and your VMware investment.

The webinars start at 9am PDT and are 45 minutes long.

August 27th Tips and Tricks to Get the Most from Your Proactive Support Service with Special Guest Henry Lin from Match.com Webinar: Register

See you there!


P.S. More webinars coming in September!

TA18-331A: 3ve – Major Online Ad Fraud Operation

Original release date: November 27, 2018

Systems Affected

Microsoft Windows

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS and FBI are releasing this TA to provide information about a major online ad fraud operation—referred to by the U.S. Government as “3ve”—involving the control of over 1.7 million unique Internet Protocol (IP) addresses globally, when sampled over a 10-day window.

Description

Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads. 3ve created fake versions of both (websites and visitors), and funneled the advertising revenue to cyber criminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as Border Gateway Protocol-hijacked IP addresses. 

Boaxxe/Miuref Malware

Boaxxe malware is spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a data center. Hundreds of machines in this data center are browsing to counterfeit websites. When these counterfeit webpages are loaded into a browser, requests are made for ads to be placed on these pages. The machines in the data center use the Boaxxe botnet as a proxy to make requests for these ads. A command and control (C2) server sends instructions to the infected botnet computers to make the ad requests in an effort to hide their true data center IPs.

Kovter Malware

Kovter malware is also spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine that the user cannot see. A C2 server tells the infected machine to visit counterfeit websites. When the counterfeit webpage is loaded in the hidden browser, requests are made for ads to be placed on these counterfeit pages. The infected machine receives the ads and loads them into the hidden browser.

Impact

For the indicators of compromise (IOCs) below, keep in mind that any one indicator on its own may not necessarily mean that a machine is infected. Some IOCs may be present for legitimate applications and network traffic as well, but are included here for completeness.

Boaxxe/Miuref Malware

Boaxxe malware leaves several executables on the infected machine. They may be found in one or more of the following locations:

  • %UserProfile%\AppData\Local\VirtualStore\lsass.aaa
  • %UserProfile%\AppData\Local\Temp\<RANDOM>.exe
  • %UserProfile%\AppData\Local\<Random eight-character folder name>\<original file name>.exe

The HKEY_CURRENT_USER (HKCU) “Run” key is set to the path to one of the executables created above.

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<Above path to executable>

Kovter Malware

Kovter malware is found mostly in the registry, but the following files may be found on the infected machine:

  • %UserProfile%\AppData\Local\Temp\<RANDOM>.exe/.bat
  • %UserProfile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\<RANDOM>\<RANDOM FILENAME>.exe
  • %UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.lnk
  • %UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.bat

Kovter is known to hide in the registry under:

  • HKCU\SOFTWARE\<RANDOM>\<RANDOM>

The customized CEF browser is dropped to:

  • %UserProfile%\AppData\Local\<RANDOM>

The keys will look like random values and contain scripts. In some values, a User-Agent string can be clearly identified. An additional key containing a link to a batch script on the hard drive may be placed within registry key:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
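The file and registry locations above are easiest to act on as a triage check over an exported Run key. The Python script below is an added example, not part of the TA or of any DHS/FBI tooling: it parses a reg.exe-style export of HKCU\Software\Microsoft\Windows\CurrentVersion\Run, extracts each value's target path, and flags entries whose path shape matches the Boaxxe/Miuref or Kovter locations listed above. The sample export, its value names and paths are constructed, and the translation of each <RANDOM> placeholder into "one path component" is my assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a reg.exe export of the HKCU Run key (illustrative
# values, not real data). reg.exe doubles backslashes and escapes quotes.
SAMPLE_RUN_KEY_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"lsass"="C:\\Users\\alice\\AppData\\Local\\VirtualStore\\lsass.aaa"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\kx8f2q.exe"
"a1b2c3d4"="C:\\Users\\alice\\AppData\\Local\\a1b2c3d4\\setup.exe"
"Helper"="C:\\Users\\alice\\AppData\\Local\\7fd8ab\\3e9a1c.bat"
'''

# Path shapes from the TA's IOC lists, as regexes over the Run value's target
# path (case-insensitive). Assumption: each <RANDOM> is a single path component.
IOC_PATH_PATTERNS = [
    ("Boaxxe/Miuref", re.compile(r"\\AppData\\Local\\VirtualStore\\lsass\.aaa$", re.I)),
    ("Boaxxe/Miuref", re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)),
    ("Boaxxe/Miuref", re.compile(r"\\AppData\\Local\\[A-Za-z0-9]{8}\\[^\\]+\.exe$", re.I)),
    ("Kovter",        re.compile(r"\\AppData\\Local\\[^\\]+\\[^\\]+\.(?:bat|lnk)$", re.I)),
]

# One exported REG_SZ value: "name"="data"
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def unescape_reg_string(data: str) -> str:
    """Undo reg.exe's escaping of quotes and backslashes in REG_SZ data."""
    return data.replace('\\"', '"').replace("\\\\", "\\")


def target_path(command: str) -> str:
    """Pull the executable path out of a Run value (quoted path plus args, or a bare path)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Bare path: cut off a trailing argument list if one is present.
    return command.split(" /")[0].split(" -")[0]


def classify_run_value(path: str) -> Optional[str]:
    """Return the family whose IOC path shape the Run target matches, or None."""
    for family, pattern in IOC_PATH_PATTERNS:
        if pattern.search(path):
            return family
    return None


def triage_run_key_export(export_text: str) -> List[Dict[str, str]]:
    """Parse a Run-key export and return the entries matching the TA's IOC shapes."""
    hits = []
    for line in export_text.splitlines():
        m = VALUE_LINE.match(line.strip())
        if not m:
            continue
        path = target_path(unescape_reg_string(m.group("data")))
        family = classify_run_value(path)
        if family:
            hits.append({"name": m.group("name"), "path": path, "family": family})
    return hits


if __name__ == "__main__":
    for hit in triage_run_key_export(SAMPLE_RUN_KEY_EXPORT):
        print(f"{hit['family']:14s} {hit['name']:10s} -> {hit['path']}")
```

As the alert itself notes, a single indicator is not proof of infection: legitimate installers and updaters also run from Temp and from folders under AppData\Local, so a hit here is a lead to pivot from (hash and signer of the target, process ancestry, and the Kovter URL patterns in the network logs), not a verdict.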

There are several patterns in the network requests that are made by Kovter malware when visiting the counterfeit websites. The following are regex rules for these URL patterns:

  • /?ptrackp=\d{5,8}
  • /feedrsd/click?feed_id=\d{1,5}&sub_id=\d{1,5}&cid=[a-f0-9-]*&spoof_domain=[\w.\d-_]*&land_ip=\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}
  • /feedrsd/vast_track?a=impression&feed_id=\d{5}&sub_id=\d{1,5}&sub2_id=\d{1,5}&cid=[a-f\d-]
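To show what these patterns catch and what they deliberately let through, here is an added Python example (not from the TA) that runs them over constructed proxy log lines. It restores the backslash escapes that were lost in the alert text, reorders the spoof_domain character class so Python's re module accepts it, and adds a `+` quantifier to the final cid class so the whole value is captured; those three adjustments, the log format, the hostnames, client addresses and parameter values are all my own.

```python
import re
from typing import Dict, List, Optional

# The TA's three URL patterns as Python regexes. Named groups capture the
# fields an analyst would pivot on (feed_id, spoof_domain, land_ip, ...).
KOVTER_URL_PATTERNS = {
    "ptrackp": re.compile(r"/\?ptrackp=\d{5,8}"),
    "feedrsd_click": re.compile(
        r"/feedrsd/click\?feed_id=(?P<feed_id>\d{1,5})&sub_id=(?P<sub_id>\d{1,5})"
        r"&cid=(?P<cid>[a-f0-9-]*)&spoof_domain=(?P<spoof_domain>[\w.\d_-]*)"
        r"&land_ip=(?P<land_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
    ),
    # The alert's pattern ends at the character class; '+' is added here so
    # the full cid is captured.
    "feedrsd_vast_track": re.compile(
        r"/feedrsd/vast_track\?a=impression&feed_id=(?P<feed_id>\d{5})"
        r"&sub_id=(?P<sub_id>\d{1,5})&sub2_id=(?P<sub2_id>\d{1,5})&cid=(?P<cid>[a-f\d-]+)"
    ),
}

# Constructed proxy log: "<timestamp> <client> <method> <url>". Hosts use the
# reserved .test TLD and documentation IP space; nothing here is a real IOC.
SAMPLE_PROXY_LOG = """\
2018-11-20T09:14:02Z 10.0.0.17 GET http://example-news.test/?ptrackp=48213
2018-11-20T09:14:05Z 10.0.0.17 GET http://example-news.test/feedrsd/click?feed_id=311&sub_id=42&cid=9a1f-3b&spoof_domain=www.example-news.test&land_ip=203.0.113.9
2018-11-20T09:14:09Z 10.0.0.23 GET http://cdn.example.test/static/app.js
2018-11-20T09:14:11Z 10.0.0.17 GET http://example-news.test/feedrsd/vast_track?a=impression&feed_id=31180&sub_id=42&sub2_id=7&cid=9a1f-3b
2018-11-20T09:15:00Z 10.0.0.42 GET http://example.test/?ptrackp=12
"""


def match_kovter_url(url: str) -> Optional[Dict[str, str]]:
    """Return the first matching pattern name plus its captured fields, or None."""
    for name, pattern in KOVTER_URL_PATTERNS.items():
        m = pattern.search(url)
        if m:
            return {"pattern": name, **m.groupdict()}
    return None


def scan_proxy_log(log_text: str) -> List[Dict[str, str]]:
    """Apply the URL patterns to every log line; keep timestamp and client for each hit."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # malformed line: skip rather than crash the scan
        ts, client, _method, url = parts
        m = match_kovter_url(url)
        if m:
            hits.append({"ts": ts, "client": client, **m})
    return hits


def patterns_by_client(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group hits by internal client so repeat offenders stand out."""
    grouped: Dict[str, set] = {}
    for h in hits:
        grouped.setdefault(h["client"], set()).add(h["pattern"])
    return {client: sorted(names) for client, names in grouped.items()}


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    print(patterns_by_client(scan_proxy_log(SAMPLE_PROXY_LOG)))
```

Note the last log line: `ptrackp=12` is not a hit because the alert's pattern requires five to eight digits, so the quantifiers are part of the signature and should not be loosened when porting these patterns to a proxy or IDS rule.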

The following is a YARA rule for detecting Kovter:

rule KovterUnpacked {
  meta:
    desc = "Encoded strings in unpacked Kovter samples."
  strings:
    $ = "7562@3B45E129B93"
    $ = "@ouhKndCny"
    $ = "@ouh@mmEdctffdsr"
    $ = "@ouhSGQ"
  condition:
    all of them
}

Solution

If you believe you may be a victim of 3ve and its associated malware or hijacked IPs, and have information that may be useful to investigators, submit your complaint to www.ic3.gov and use the hashtag 3ve (#3ve) in the body of your complaint.

DHS and FBI advise users to take the following actions to remediate malware infections associated with Boaxxe/Miuref or Kovter:

  • Use and maintain antivirus software. Antivirus software recognizes and protects your computer against most known viruses. Security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your antivirus software up-to-date. If you suspect you may be a victim of malware, update your antivirus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)
  • Avoid clicking links in email. Attackers have become very skilled at making phishing emails look legitimate. Users should ensure the link is legitimate by typing the link into a new browser. (See Avoiding Social Engineering and Phishing Attacks.)
  • Change your passwords. Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords.)
  • Keep your operating system and application software up-to-date. Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches and Software Updates for more information.)
  • Use anti-malware tools. Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool. A non-exhaustive list of examples is provided below. The U.S. Government does not endorse or support any particular product or vendor.

References

Revision History

  • November 27, 2018: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.

Workstation 15: Guest screen flickering occasionally – can someone reproduce this issue?

After having upgraded to VMware Workstation 15 on my Windows 10 x64 machine, each of my VMs shows a black flicker from time to time (once every 10 minutes or so).

This disturbance can be reproduced easily:

Simply start a VM with a Windows 10 x64 OS installed and wait for about 10 seconds after having signed in to the guest OS. Then the first black flicker will occur:

[Attached image: Guest screen flickering.gif]

After having opened a support ticket I’m having long discussions with VMware Support. They don’t seem to be able to reproduce this issue.

So I’m asking here: Can anyone reproduce this issue?

Windows 10 1809 Upgrade fails

Hello,

we have about 400 Windows 10 VDIs in use. We are currently trying to install the upgrade Windows 10 1809. Our hard disk controllers are available as SCSI controllers. During the upgrade the virtual machine gets stuck in the boot screen and does a rollback. The failure “The installation failed in the SAFE OS phase with an error during the INSTALL_UPDATES operation” appears. If I connect the hard disks to the IDE controller, the upgrade works. The latest VMware Tools are already installed (10.3.5). But we wouldn’t like to switch all VDIs to IDE controllers. Is there a general problem? I hope someone has another idea. Thanks in advance.

With kind regards
Dominik Geb

Unable to assign apps

Recently upgraded console from 9.1.2 to 9.7.0.3 and I am trying to check the assignments for VMware Boxer in our environment, however I’m unable to save to actually get to the assignment screen. Under the license box on the right side of the screen it’s telling me I have -5 unallocated licenses and it will not let me save to continue.

Need help resolving.

Phone Call Attacks

More and more scams and attacks are happening over the phone. Whenever you get an urgent phone call pressuring you to do something (such as a caller pretending to be the tax department or Microsoft Tech Support), be very suspicious. It’s most likely a scammer trying to trick you out of money or pressure you into making a mistake. Protect yourself: simply hang up. You are not being rude; the person on the other end of the line is trying to take advantage of you.

Email and Emotions

Never send an email when you are angry; you will most likely regret it later. Instead, when you are emotional and want to reply to someone, open up an email and write everything you feel, but do not send it. (Be sure there is no name in the TO field so that you do not accidentally send it.) After you have vented, save the email and come back an hour later. You only want to reply to any type of emotional situation after you have had time to cool down.