• Posted on October 2, 2017 10:45 am
    Joseph Forbes
    No comments

    The latency of a network connection is the amount of time required for data to travel between the sender and receiver. While all computer networks possess some inherent amount of latency, the amount varies and can suddenly increase for various reasons. People perceive these unexpected time delays as lag.

    The Speed of Light on a Computer Network

    No network traffic can travel faster than the speed of light. On a home or local area network, the distance between devices is so small that light speed does not matter, but for Internet connections it becomes a factor. Under perfect conditions, light requires roughly 5 ms to travel 1,000 miles (about 1,600 kilometers). Furthermore, most long-distance Internet traffic travels over cables, which cannot carry signals as fast as light in a vacuum because of a principle of physics called refraction. Data over a fiber optic cable, for example, requires at least 7.5 ms to travel 1,000 miles.

    Typical Internet Connection Latencies

    Besides the limits of physics, additional network latency is added each time traffic is routed through Internet servers and other backbone devices. The typical latency of an Internet connection also varies depending on its type. The study Measuring Broadband America - February 2013 reported these typical latencies for common forms of U.S. broadband service:

    - fiber optic: 18 ms
    - cable Internet: 26 ms
    - DSL: 44 ms
    - satellite Internet: 638 ms

    Causes of Lag on Internet Connections

    The latencies of Internet connections fluctuate by small amounts from one minute to the next, but the additional lag from even small increases becomes noticeable when surfing the Web or running online applications. The following are common sources of Internet lag:

    - Internet traffic load: Spikes in Internet utilization during peak usage times of day often cause lag. The nature of this lag varies by service provider and a person's geographic location. Unfortunately, other than moving locations or changing Internet service, an individual user cannot avoid this kind of lag.
    - Online application load: Multiplayer online games, Web sites, and other client-server network applications use shared Internet servers. If these servers become overloaded with activity, the clients experience lag.
    - Weather and other wireless interference: Satellite, fixed wireless broadband, and other wireless Internet connections are particularly susceptible to signal interference from rain. Wireless interference corrupts network data in transit, causing lag from re-transmission delays.
    - Lag switches: Some people who play online games install a device called a lag switch on their local network. A lag switch is designed to intercept network signals and introduce significant delays into the flow of data back to other gamers connected to a live session. You can do little to solve this kind of lag other than avoiding playing with those who use lag switches; fortunately, they are relatively uncommon.

    Causes of Lag on Home Networks

    Sources of network lag also exist inside a home network:

    - Overloaded router or modem: Any network router will eventually bog down if too many active clients are using it at the same time. Network contention among multiple clients means that they sometimes wait for each other's requests to be processed, causing lag. A person can replace their router with a more powerful model, or add another router to the network, to help alleviate this problem. Similarly, network contention occurs on a residence's modem and its connection to the Internet provider if they are saturated with traffic; depending on the speed of your Internet link, avoid too many simultaneous Internet downloads and online sessions to minimize this lag.
    - Overloaded client device: PCs and other client devices also become a source of network lag if they cannot process network data quickly enough. While modern computers are sufficiently powerful in most situations, they can slow down significantly if too many applications are running simultaneously. Even applications that generate no network traffic can introduce lag; for example, a misbehaving program that consumes 100 percent of the available CPU on a device delays the processing of network traffic for all other applications.
    - Malware: A network worm hijacks a computer and its network interface, which can cause it to perform sluggishly, much like an overloaded device. Running antivirus software on network devices helps to detect these worms.
    - Use of wireless: Enthusiast online gamers, for example, often prefer to run their devices over wired Ethernet instead of Wi-Fi because home Ethernet supports lower latencies. While the saving is typically only a few milliseconds in practice, wired connections also avoid the risk of wireless interference, which causes significant lag when it occurs.

    How Much Lag Is Too Much?

    The impact of lag depends on what a person is doing on the network and, to some degree, the level of network performance they have grown accustomed to. Users of satellite Internet expect very long latencies and tend not to notice a temporary lag of an additional 50 or 100 ms. Dedicated online gamers, on the other hand, strongly prefer their network connection to run with less than 50 ms of latency and will quickly notice any lag above that level. In general, online applications perform best when network latency stays below 100 ms; any additional lag will be noticeable to users.
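The two quantitative points above, the physical propagation floor and the budgets of 50 ms (gaming) and 100 ms (general use), are easy to turn into a small monitoring aid. The following is an added example, not code from the original post: it computes the one-way propagation floor for a distance from the speed of light and an assumed refractive index of 1.47 for fibre (both are my assumptions, chosen to reproduce the post's 5 ms and 7.5 ms figures per 1,000 miles), and flags "lag" in a series of round-trip samples either as a budget violation or as a sudden spike against the running median. The RTT samples are constructed, not real measurements.

```python
"""Added example, not part of the original post: compute the physical
propagation-delay floor for a long-distance link and flag lag in a series
of round-trip-time (RTT) samples against the latency budgets the post
names (under 50 ms for gaming, under 100 ms in general).

Assumptions (mine, not the post's): light in vacuum at 299,792 km/s and a
refractive index of 1.47 for optical fibre. The RTT samples below are
constructed for illustration, not real measurements.
"""
from statistics import median

C_KM_PER_MS = 299_792.458 / 1000   # kilometres light travels per millisecond in vacuum
FIBRE_INDEX = 1.47                 # assumed refractive index of single-mode fibre
MILES_TO_KM = 1.609344

# Round-trip latency budgets taken from the post's "How Much Lag Is Too Much?".
BUDGET_MS = {"gaming": 50, "general": 100}


def one_way_floor_ms(distance_miles, medium="fibre"):
    """Lower bound on one-way propagation delay for a straight path.

    Real paths are longer than the straight line and pass through routers,
    so measured latency is always above this floor.
    """
    vacuum_ms = distance_miles * MILES_TO_KM / C_KM_PER_MS
    if medium == "vacuum":
        return vacuum_ms
    if medium == "fibre":
        return vacuum_ms * FIBRE_INDEX   # signal slows by the refractive index
    raise ValueError(f"unknown medium: {medium!r}")


def detect_lag(rtt_ms, budget="general", spike_factor=2.0, warmup=5, window=20):
    """Return (index, rtt, reason) for every sample that counts as lag.

    A sample is lag if it exceeds the budget for the use case, or if it is
    more than spike_factor times the running median of the preceding
    samples (the "sudden increase" the post describes), once `warmup`
    samples exist to establish a baseline.
    """
    limit = BUDGET_MS[budget]
    findings = []
    for i, rtt in enumerate(rtt_ms):
        reasons = []
        if rtt > limit:
            reasons.append(f"above {budget} budget of {limit} ms")
        if i >= warmup:
            baseline = median(rtt_ms[max(0, i - window):i])
            if rtt > baseline * spike_factor:
                reasons.append(f"spike against baseline of {baseline:.1f} ms")
        if reasons:
            findings.append((i, rtt, "; ".join(reasons)))
    return findings


# Constructed RTT samples (ms) for a cable-like link with two lag events.
SAMPLES = [26, 27, 25, 28, 26, 27, 140, 26, 25, 60, 26]

if __name__ == "__main__":
    print(f"1,000 miles in vacuum: {one_way_floor_ms(1000, 'vacuum'):.1f} ms one way")
    print(f"1,000 miles in fibre:  {one_way_floor_ms(1000):.1f} ms one way")
    for idx, rtt, why in detect_lag(SAMPLES, budget="gaming"):
        print(f"sample {idx}: {rtt} ms -> {why}")
```

The spike rule is what distinguishes lag from ordinary latency: a satellite user at a steady 638 ms is not lagging, while a cable user jumping from 26 ms to 60 ms is, even though 60 ms is still inside the general budget.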

    Blog Entry, DATA, Hardware
  • Posted on September 20, 2017 9:35 am
    Joseph Forbes
    No comments

    Whether you're a home PC user or a network administrator, you always need a plan for when the unexpected happens to your computers and/or network. A Disaster Recovery Plan (DRP) is essential in helping to ensure that you don't get fired after a server gets fried in a fire, or, in the case of the home user, that you don't get kicked out of the house when mamma discovers you've just lost years' worth of irreplaceable digital baby photos.

    A DRP doesn't have to be overly complicated. You just need to cover the basic things it will take to get back up and running again if something bad happens. Here are some items that should be in every good disaster recovery plan:

    1. Backups, Backups, Backups!

    Most of us think about backups right after we've lost everything in a fire, flood, or burglary. We think to ourselves, "I sure hope I have a backup of my files somewhere". Unfortunately, wishing and hoping won't bring back dead files or keep your wife from flogging you about the head and neck after you've lost gigabytes of family photos. You need to have a plan for regularly backing up your critical files so that when a disaster occurs you can recover what was lost.

    There are dozens of online backup services available that will back up your files to an off-site location via a secure connection. If you don't trust "The Cloud" you can elect to keep things in-house by purchasing an external backup storage device such as a Drobo. Whichever method you choose, make sure you set a schedule to back up all your files at least once weekly, with incremental backups each night if possible. Additionally, you should periodically make a copy of your backup and store it off-site in a fire safe, safe deposit box, or somewhere other than where your computers reside. Off-site backups are important because your backup is useless if it's burned up in the same fire that just torched your computer.

    2. Document Critical Information

    If you encounter a major disaster, you're going to lose a lot of information that may not be inside of a file. This information will be critical to getting back to normal and includes items such as:

    - Make, model, and warranty information for all your computers and other peripherals
    - Account names and passwords (for e-mail, ISP, wireless routers, wireless networks, admin accounts, System BIOS)
    - Network settings (IP addresses of all PCs, firewall rules, domain info, server names)
    - Software license information (list of installed software, license keys for re-installation, version info)
    - Support phone numbers (for ISP, PC manufacturer, network administrators, tech support)

    3. Plan for Extended Downtime

    If you're a network administrator you'll need to have a plan that covers what you will do if the downtime from the disaster is expected to last more than a few days. You'll need to identify possible alternate sites to house your servers if your facilities are going to be unusable for an extended period of time. Check with your management prior to looking into alternatives to get their buy-in. Ask them questions such as:

    - How much downtime is tolerable to them based on their business needs?
    - What is the restoration priority (which systems do they want back online first)?
    - What is their budget for disaster recovery operations and preparation?

    4. Plan for Getting Back to Normal

    You'll need a transition plan for moving your files off of the loaner you borrowed and onto the new PC you bought with your insurance check, or for moving from your alternate site back to your original server room after it's been restored to normal.

    Test and update your DRP regularly. Make sure you keep your DRP up to date with all the latest information (updated points of contact, software version information, etc.). Check your backup media to make sure it is actually backing something up and not just sitting idle. Check the logs to make sure the backups are running on the schedule you set up.

    Again, your disaster recovery plan shouldn't be overly complicated. You want to make it useful and something that is always within arm's reach. Keep a copy of it off-site as well. Now if I were you, I would go start backing up those baby pics ASAP!
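The "check the logs" and "make sure it is actually backing something up" advice is the part most often skipped, so here is an added example (my code, not the author's) that automates it: it parses a backup job's log, applies the post's schedule (a full backup at least weekly, an incremental nightly), and reports runs that failed, ran but wrote nothing, or are overdue. The log line format is an assumption of this example rather than any real product's format, and the sample lines and "current time" are constructed.

```python
"""Added example, not from the original post: audit a backup job's log to
confirm that backups really run on schedule (weekly full, nightly
incremental) and actually write data, as the post recommends checking.

The log line format below is an assumption of this example, not a real
product's format, and the sample lines are constructed.
"""
import re
from datetime import datetime, timedelta

# Assumed log format: "<timestamp> backup=<full|incr> target=<path> bytes=<n> status=<word>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) backup=(?P<kind>full|incr) "
    r"target=(?P<target>\S+) bytes=(?P<bytes>\d+) status=(?P<status>\w+)$"
)

SAMPLE_LOG = """\
2017-09-10 02:00:03 backup=full target=/mnt/nas/full-2017-09-10.tar.gz bytes=48213345921 status=ok
2017-09-17 02:00:05 backup=full target=/mnt/nas/full-2017-09-17.tar.gz bytes=0 status=ok
2017-09-17 23:00:01 backup=incr target=/mnt/nas/incr-2017-09-17.tar.gz bytes=913442 status=ok
2017-09-18 23:00:02 backup=incr target=/mnt/nas/incr-2017-09-18.tar.gz bytes=1220031 status=failed
""".splitlines()

NOW = datetime(2017, 9, 20, 8, 0, 0)   # constructed "current time" for the audit


def parse_backup_log(lines):
    """Parse matching lines into dicts; lines that do not match are skipped."""
    runs = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            runs.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "kind": m["kind"],
                "target": m["target"],
                "bytes": int(m["bytes"]),
                "status": m["status"],
            })
    return runs


def audit_backups(lines, now, full_max_age=timedelta(days=7), incr_max_age=timedelta(days=1)):
    """Return a list of human-readable problems; an empty list means healthy.

    A run only counts as good if it reported status=ok AND wrote data: a
    job that "succeeds" with 0 bytes is the idle backup the post warns about.
    """
    findings = []
    last_good = {"full": None, "incr": None}
    for run in parse_backup_log(lines):
        day = run["ts"].strftime("%Y-%m-%d")
        if run["status"] != "ok":
            findings.append(f"{day}: {run['kind']} backup reported status={run['status']}")
        elif run["bytes"] == 0:
            findings.append(f"{day}: {run['kind']} backup wrote 0 bytes to {run['target']}")
        elif last_good[run["kind"]] is None or run["ts"] > last_good[run["kind"]]:
            last_good[run["kind"]] = run["ts"]

    for kind, max_age, label in (("full", full_max_age, "weekly full"),
                                 ("incr", incr_max_age, "nightly incremental")):
        ts = last_good[kind]
        if ts is None:
            findings.append(f"no successful {label} backup found in the log")
        elif now - ts > max_age:
            findings.append(f"last good {label} backup is {(now - ts).days} days old (limit {max_age.days})")
    return findings


if __name__ == "__main__":
    for problem in audit_backups(SAMPLE_LOG, NOW) or ["backups look healthy"]:
        print(problem)
```

Run against the constructed log it reports four problems: the 0-byte full, the failed incremental, and both schedules overdue. Scheduling it daily and mailing the output is the practical form of "check the logs"; restoring a file from the newest backup now and then remains the only real proof that the data is recoverable.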

    Blog Entry, DATA, Data Recovery
  • Posted on September 2, 2017 10:13 am
    Joseph Forbes
    No comments

    All Windows computers include features that protect the operating system from hackers, viruses, and various types of malware. There are also protections in place to prevent mishaps that are brought on by the users themselves, such as the unintentional installation of unwanted software or changes to crucial system settings. Most of these features have existed in some form for years. One of them, Windows Firewall, has always been a part of Windows and was included with XP, 7, 8, 8.1, and more recently, Windows 10. It’s enabled by default. Its job is to protect the computer, your data, and even your identity, and it runs in the background all the time.

    But what exactly is a firewall and why is it necessary? To understand this, consider a real-world example. In the physical realm, a firewall is a wall designed specifically to stop or prevent the spread of existing or approaching flames. When a threatening fire reaches the firewall, the wall holds its ground and protects what’s behind it. Windows Firewall does the same thing, except with data (or more specifically, data packets). One of its jobs is to look at what’s trying to come into (and go out of) the computer from web sites and email, and decide if that data is dangerous or not. If it deems the data acceptable, it lets it pass. Data that could be a threat to the stability of the computer or the information on it is denied. It is a line of defense, just as a physical firewall is. This, however, is a very simplistic explanation of a very technical subject.

    Why and How to Access Firewall Options

    Windows Firewall offers several settings that you can configure. For one, it’s possible to configure how the firewall performs, what it blocks and what it allows. You can manually block a program that’s allowed by default, such as Microsoft Tips or Get Office. When you block these programs you, in essence, disable them. If you’re not a fan of the reminders you get to buy Microsoft Office, or if the tips are distracting, you can make them disappear. You can also opt to let apps that aren’t permitted by default pass data through your computer. This often occurs with third-party apps you install, like iTunes, because Windows requires your permission to allow both installation and passage. But the features can also be Windows-related, such as the option to use Hyper-V to create virtual machines or Remote Desktop to access your computer remotely.

    You also have the option to turn off the firewall completely. Do this if you opt to use a third-party security suite, like the anti-virus programs offered by McAfee or Norton. These frequently ship as a free trial on new PCs and users often sign up. You should also disable the Windows Firewall if you’ve installed a free one (which I’ll discuss later in this article). If any of these are the case, read “How to Disable the Windows Firewall” for more information.

    Note: It is vitally important to keep a single firewall enabled and running, so don’t disable the Windows Firewall unless you have another in place, and don't run multiple firewalls at the same time.

    When you’re ready to make changes to Windows Firewall, access the firewall options:

    1. Click in the Search area of the Taskbar.
    2. Type Windows Firewall.
    3. In the results, click Windows Firewall Control Panel.

    From the Windows Firewall area you can do several things. The option to Turn Windows Firewall On or Off is in the left pane. It’s a good idea to check here every now and then to see if the firewall is indeed enabled. Some malware, should it get by the firewall, can turn it off without your knowledge. Simply click to verify and then use the Back arrow to return to the main firewall screen. You can also restore the defaults if you’ve changed them. The option Restore Defaults, again in the left pane, offers access to these settings.

    How to Allow an App Through the Windows Firewall

    When you allow an app in Windows Firewall you choose to allow it to pass data through your computer based on whether you’re connected to a private network or a public one, or both. If you select only Private for the allow option, you can use the app or feature when connected to a private network, such as one in your home or office. If you choose Public, you can access the app while connected to a public network, such as a network in a coffee shop or hotel. As you’ll see here, you can also choose both. To allow an app through the Windows Firewall:

    1. Open the Windows Firewall. You can search for it from the Taskbar as detailed earlier.
    2. Click Allow an App or Feature Through Windows Firewall.
    3. Click Change Settings and type an administrator password if prompted.
    4. Locate the app to allow. It won’t have a check mark beside it.
    5. Click the checkbox(es) to allow the entry. There are two options, Private and Public. Start with Private only and select Public later if you don’t get the results you want.
    6. Click OK.

    How to Block a Program with the Windows 10 Firewall

    The Windows Firewall allows some Windows 10 apps and features to pass data into and out of a computer without any user input or configuration. These include Microsoft Edge and Microsoft Photos, and necessary features like Core Networking and Windows Defender Security Center. Other Microsoft apps like Cortana might require you to give your explicit permission when you first use them. This opens the required ports in the firewall, among other things. We use the word “might” here because the rules can and do change, and as Cortana becomes more and more integrated it could be enabled by default in the future. That said, this means that other apps and features could be enabled that you do not want to be. For instance, Remote Assistance is enabled by default. This program allows a technician to remotely access your computer to help you resolve a problem if you agree to it. Even though this app is locked down and quite secure, some users do consider it an open security hole. If you’d rather close that option, you can block access for that feature.

    There are also third-party apps to consider. It’s important to keep unwanted apps blocked (or possibly, uninstalled) if you don't use them. When working through the next few steps then, check for entries that involve file sharing, music sharing, photo editing, and so forth, and block those that don’t need access. If and when you use the app again, you’ll be prompted to allow the app through the firewall at that time. This keeps the app available should you need it, and is thus better than uninstalling in many instances. It also prevents you from accidentally uninstalling an app that the system needs to function properly. To block a program on a Windows 10 computer:

    1. Open the Windows Firewall. You can search for it from the Taskbar as detailed earlier.
    2. Click Allow an App or Feature Through Windows Firewall.
    3. Click Change Settings and type an administrator password if prompted.
    4. Locate the app to block. It will have a check mark beside it.
    5. Click the checkbox(es) to disallow the entry. There are two options, Private and Public. Select both.
    6. Click OK.

    Once you’ve done this, the apps you’ve selected are blocked on the network types you’ve selected.

    Consider a Free Third-Party Firewall

    If you would rather use a firewall from a third-party vendor, you can. Remember though, the Windows Firewall has a good track record and your wireless router, if you have one, does a good amount of work too, so you don’t have to explore any other options if you don’t want to. It’s your choice though, and if you want to try it out, here are a few free options:

    - ZoneAlarm Free Firewall: ZoneAlarm has been around for a very long time and is a trusted name. It protects your computer on many levels, from hiding open ports to real-time security updates. It’s easy to download and set up and doesn’t require a lot of attention once it’s running. Explore ZoneAlarm Free here.
    - TinyWall: Simple to use, effective, and non-intrusive, this firewall is a good choice for those users with only a little experience but a healthy curiosity. Download TinyWall safely from CNet.
    - Comodo Firewall: This firewall comes with a full security suite and is best for more advanced users. It includes automatic updates but not a lot of built-in help. Check out Comodo here.

    For more information about free firewalls, refer to the article "10 Free Firewall Programs". Whatever you decide to do, or not do, with the Windows Firewall, remember that you need a working and running firewall to protect your computer from malware, viruses, and other threats. It’s also important to check every now and then, perhaps once a month, that the firewall is engaged. If new malware gets by the firewall, it can disable it without your knowledge. If you forget to check though, it’s highly likely you’ll hear from Windows about it through a notification. Pay attention to any notification you see about the firewall and resolve those immediately; they'll appear in the notification area of the Taskbar on the far right side.
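The article twice recommends checking, roughly monthly, that the firewall is still switched on, because malware that gets past it may turn it off. Clicking through the Control Panel works for one PC; for a handful of machines it is easier to script. The following is an added example, not code from the article: it reads the output of `netsh advfirewall show allprofiles` and reports any of the Domain, Private or Public profiles whose State is not ON. The text layout the parser expects (a "<Name> Profile Settings:" header followed by a "State ON|OFF" line) is my assumption about that command's English output, and the sample output is constructed with the Public profile deliberately off.

```python
"""Added example, not from the original article: verify that Windows
Firewall is switched on for every network profile, the periodic check the
article recommends because malware that gets past the firewall may disable it.

Assumption of this example: the text layout of `netsh advfirewall show
allprofiles`, which prints a "<Name> Profile Settings:" header followed by
a "State ON|OFF" line for the Domain, Private and Public profiles. The
sample output below is constructed (with the Public profile turned off).
"""
import re
import subprocess
import sys

PROFILE_RE = re.compile(r"^(Domain|Private|Public) Profile Settings:$")
STATE_RE = re.compile(r"^State\s+(ON|OFF)$")

SAMPLE_OUTPUT = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
"""


def parse_profile_states(text):
    """Map profile name -> True if the firewall is ON for that profile."""
    states = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = PROFILE_RE.match(line)
        if header:
            current = header.group(1)
            continue
        state = STATE_RE.match(line)
        if state and current:
            states[current] = state.group(1) == "ON"
            current = None            # one State line per profile block
    return states


def disabled_profiles(text):
    """Profiles whose firewall is off, plus any profile missing from the output."""
    states = parse_profile_states(text)
    return sorted(p for p in ("Domain", "Private", "Public") if not states.get(p, False))


def live_output():
    """Run netsh on a Windows host and return its text output."""
    result = subprocess.run(["netsh", "advfirewall", "show", "allprofiles"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    text = live_output() if sys.platform == "win32" else SAMPLE_OUTPUT
    off = disabled_profiles(text)
    print("firewall off for: " + ", ".join(off) if off else "firewall on for all profiles")
```

A profile that is absent from the output is treated as off rather than ignored, so a truncated or localized output fails loudly instead of passing silently; on a non-English Windows the header and state strings will differ and the patterns need adjusting.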

    Blog Entry, Internet, KnowledgeBase (KB)
  • Posted on July 13, 2017 12:03 pm
    Joseph Forbes
    No comments

    Internet or 'Net' Neutrality, by definition, means that there are no restrictions of any kind on access to content on the Web, no restrictions on downloads or uploads, and no restrictions on communication methods (email, chat, IM, etc.). It also means that access to the internet will not be blocked, slowed down, or sped up depending on where that access is based or who owns the access point(s). In essence, the internet is open to everyone.

    What does an open internet mean for the average Web user?

    When we get on the Web, we are able to access the entire Web: that means any website, any video, any download, any email. We use the Web to communicate with others, go to school, do our jobs, and connect with people all over the world. Because of the freedom that governs the Web, this access is granted without any restrictions whatsoever.

    Why is Net Neutrality important?

    - Growth: Net neutrality is the reason that the Web has grown at such a phenomenal rate from the time it was created in 1991 by Sir Tim Berners-Lee (see also History of the World Wide Web).
    - Creativity: Creativity, innovation, and unbridled inventiveness have given us Wikipedia, YouTube, Google, I Can Has Cheezburger, torrents, Hulu, The Internet Movie Database, Reddit, LifeWire, and many more.
    - Communication: Net neutrality has given us the ability to freely communicate with people on a personal basis: government leaders, business owners, celebrities, work colleagues, medical personnel, family, etc., without restrictions.

    Strong net neutrality rules should be left in place to ensure all of these things exist and thrive. If Net Neutrality rules are removed, everyone that uses the internet will lose these freedoms.

    Is Net Neutrality available worldwide?

    No. There are countries whose governments restrict their citizens’ access to the Web for political reasons. Vimeo has a great video on this very topic that explains how limiting access to the internet can impact everyone in the world.

    Is Net Neutrality in danger?

    Possibly. There are many companies that have a vested interest in making sure that access to the Web is not freely available. These companies are already in charge of most of the Web’s infrastructure, and they see potential profit in making the Web “pay for play”. This could result in restrictions on what Web users are able to search for, download, or read. Some people in the United States are even afraid that changes from the Federal Communications Commission (FCC) could result in a negative net neutrality ruling.

    At Fight for the Future's Battle for Net Neutrality site, you can send a letter directly to the FCC and Congress and let them know how you feel. You can also file a document into the official FCC proceeding to let officials know whether or not you want Net Neutrality regulations to change or remain in place. It's a super wonky form with a couple of weird things (hey, this is the government!) so follow these instructions carefully:

    1. Visit ECFS Express at the FCC website.
    2. Type 17-108 in the Proceeding(s) box.
    3. Press Enter to turn the number into a yellow/orange box.
    4. Type your first name and last name in the Name(s) of Filer(s) box.
    5. Press Enter to turn your name into a yellow/orange box.
    6. Fill in the rest of the form as you would normally fill in an internet form.
    7. Check the Email Confirmation box.
    8. Tap or click the Continue to review screen button.
    9. On the next page, tap or click the Submit button.

    That's it! You've made your feelings known.

    What would happen if Net Neutrality were to be restricted or abolished?

    Net neutrality is the foundation of the freedom that we enjoy on the Web. Losing that freedom could result in consequences such as restricted access to websites and diminished download rights, as well as controlled creativity and corporate-governed services. Some people call that scenario the 'end of the internet.'

    What are "Internet fast lanes"? How are they related to Net neutrality?

    "Internet fast lanes" are special deals and channels that would give some companies exceptional treatment as far as broadband access and internet traffic are concerned. Many people believe that this would violate the concept of net neutrality. Internet fast lanes could cause issues because, instead of Internet providers being required to provide the same service for all subscribers regardless of size, company, or influence, they could make deals with certain companies that would give them preferred access. This practice could potentially hamper growth, strengthen illegal monopolies, and cost the consumer. In addition, an open internet is essential for a continued free exchange of information, a bedrock concept that the World Wide Web was founded upon.

    Net neutrality is important

    Net neutrality in the context of the Web is somewhat new, but the concept of neutral, publicly accessible information and transfer of that information has been around since the days of Alexander Graham Bell. Basic public infrastructure, such as subways, buses, telephone companies, etc., is not allowed to discriminate, restrict, or differentiate common access, and this is the core concept behind net neutrality as well. For those of us who appreciate the Web, and want to preserve the freedom that this amazing invention has given us to exchange information, net neutrality is a core concept that we must work to maintain.

    Blog Entry, DATA, EDUCATION
  • Posted on June 10, 2017 11:11 am
    Joseph Forbes
    No comments

    Check Point Threat Intelligence and research teams recently discovered a high-volume Chinese threat operation which has infected over 250 million computers worldwide. The installed malware, Fireball, takes over target browsers and turns them into zombies. Fireball has two main functionalities: the ability to run any code on victim computers (downloading any file or malware), and hijacking and manipulating infected users’ web traffic to generate ad revenue. Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but it can just as easily turn into a prominent distributor for any additional malware.

    This operation is run by Rafotech, a large digital marketing agency based in Beijing. Rafotech uses Fireball to manipulate the victims’ browsers and turn their default search engines and home pages into fake search engines, which redirect the queries to either yahoo.com or Google.com. The fake search engines include tracking pixels used to collect the users’ private information. Fireball has the ability to spy on victims, perform efficient malware dropping, and execute any malicious code on the infected machines; this creates a massive security flaw in targeted machines and networks.

    KEY FINDINGS

    - Check Point analysts uncovered a high-volume Chinese threat operation which has infected over 250 million computers worldwide, and 20% of corporate networks.
    - The malware, called Fireball, acts as a browser-hijacker but can be turned into a fully functioning malware downloader.
    - Fireball is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.
    - Fireball is spread mostly via bundling, i.e. installed on victim machines alongside a wanted program, often without the user’s consent.
    - The operation is run by a Chinese digital marketing agency.
    - Top infected countries are India (10.1%) and Brazil (9.6%).

    Figure 1: Fireball Infection Flow

    250 MILLION MACHINES AND 20% OF CORPORATE NETWORKS WORLDWIDE INFECTED

    The scope of the malware distribution is alarming. According to our analysis, over 250 million computers worldwide have been infected: specifically, 25.3 million infections in India (10.1%), 24.1 million in Brazil (9.6%), 16.1 million in Mexico (6.4%), and 13.1 million in Indonesia (5.2%). The United States has witnessed 5.5 million infections (2.2%). Based on Check Point’s global sensors, 20% of all corporate networks are affected. Hit rates in the US (10.7%) and China (4.7%) are alarming, but Indonesia (60%), India (43%) and Brazil (38%) have much more dangerous hit rates. Another indicator of the incredibly high infection rate is the popularity of Rafotech’s fake search engines. According to Alexa’s web traffic data, 14 of these fake search engines are among the top 10,000 websites, with some of them occasionally reaching the top 1,000.

    Figure 2: Fireball Global Infection Rates (darker pink = more infections)

    Ironically, although Rafotech doesn’t admit that it produces browser-hijackers and fake search engines, it does (proudly) declare itself a successful marketing agency, reaching 300 million users worldwide, coincidentally similar to our estimated number of infections.

    Figure 3: Rafotech’s Advertisement on the Company’s Official Website

    A BACKDOOR TO EVERY INFECTED NETWORK

    Fireball and similar browser-hijackers are hybrid creatures: half seemingly legitimate software (see the GOING UNDER THE RADAR section), and half malware. Although Rafotech uses Fireball only for advertising and initiating traffic to its fake search engines, it can perform any action on the victims’ machines, and these actions can have serious consequences. How severe is it? Try to imagine a pesticide armed with a nuclear bomb. Yes, it can do the job, but it can also do much more.

    These browser-hijackers operate at the browser level. This means that they can drive victims to malicious sites, spy on them and conduct successful malware dropping. From a technical perspective, Fireball displays great sophistication and quality evasion techniques, including anti-detection capabilities, a multi-layer structure and a flexible C&C; it is not inferior to typical malware. Many threat actors would like to have a fraction of Rafotech’s power, as Fireball provides a critical backdoor which can be further exploited.

    GOING UNDER THE RADAR

    While the distribution of Fireball is both malicious and illegitimate, it actually carries digital certificates that give it a legitimate appearance. Confused? You should be. Rafotech carefully walks along the edge of legitimacy, knowing that adware distribution is not considered a crime the way malware distribution is. How is that? Many companies provide software or services for free, and make their profits by harvesting data or presenting advertisements. Once a client agrees to the installation of extra features or software on his/her computer, it is hard to claim malicious intent on the part of the provider. This gray zone led to the birth of a new kind of monetizing method: bundling. Bundling is when a wanted program installs another program alongside it, sometimes with a user’s authorization and sometimes without. Rafotech uses bundling in high volume to spread Fireball.

    Figure 4: Bundling in Action

    According to our analysis, Rafotech’s distribution methods appear to be illegitimate and don’t follow the criteria which would allow these actions to be considered naive or legal. The malware and the fake search engines don’t carry indicators connecting them to Rafotech, they cannot be uninstalled by an ordinary user, and they conceal their true nature. So how do they carry digital certificates? One possibility is that issuers make their living from providing certificates, and small issuers with flexible ethics can take advantage of the lack of clarity about the legality of adware to approve software such as Rafotech’s browser-hijackers.

    THE INFECTION MODEL

    As with other types of malware, there are many ways for Fireball to spread. We suspect that two popular vectors are bundling the malware with other Rafotech products, Deal Wifi and Mustang Browser, as well as bundling via other freeware distributors: products such as “Soso Desktop”, “FVP Imageviewer” and others. It’s important to remember that when a user installs freeware, additional malware isn’t necessarily dropped at the same time. If you download suspicious freeware and nothing happens on the spot, it doesn’t necessarily mean that nothing is happening behind the scenes. Furthermore, it is likely that Rafotech is using additional distribution methods, such as spreading freeware under fake names, spam, or even buying installs from threat actors. As with everything on the internet, remember that there are no free lunches. When you download freeware, or use cost-free services (streaming and downloads, for example), the service provider is making a profit somehow. If it’s not from you or from advertisements, it will come from somewhere else.

    Figure 5: Deal Wifi Installation Screen

    HOW CAN I KNOW IF I AM INFECTED?

    To check if you’re infected, first open your web browser. Was your home page set by you? Are you able to modify it? Are you familiar with your default search engine, and can you modify that as well? Do you remember installing all of your browser extensions? If the answer to any of these questions is “NO”, this is a sign that you’re infected with adware. You can also use a recommended adware scanner, just to be extra cautious.
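The four questions above (home page, whether it can be changed, default search engine, extensions) can also be asked of the browser's own configuration rather than by eye. Here is an added example, my code rather than Check Point's, that reads Google Chrome's Preferences file and reports any home page, startup page or default search engine whose host is not on an allowlist of hosts the user actually chose, plus extensions not installed from the Web Store. The JSON keys it reads (homepage, session.startup_urls, default_search_provider_data.template_url_data, extensions.settings) and the default profile path are my assumptions about Chrome's preferences layout; the sample preferences are constructed and use trotux.com, which the article names as a Rafotech fake search engine, with a constructed query URL and placeholder extension ids.

```python
"""Added example, not from the Check Point article: turn the article's
"am I infected?" questions (is my home page mine? my default search engine?
do I recognise every extension?) into a check over Google Chrome's
Preferences file.

Assumptions of this example: the JSON keys used (homepage,
session.startup_urls, default_search_provider_data.template_url_data,
extensions.settings) and the default profile path; the allowlist of trusted
hosts is whatever the user actually chose. The sample preferences below
are constructed, using trotux.com, which the article names as a fake search
engine run by Rafotech; the query URL and extension ids are placeholders.
"""
import json
import os
from urllib.parse import urlparse

# Hosts the user knows they picked themselves (constructed allowlist).
TRUSTED_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Assumed location of the default profile's preferences on Windows.
DEFAULT_PREFS_PATH = os.path.join(os.environ.get("LOCALAPPDATA", ""),
                                  "Google", "Chrome", "User Data", "Default", "Preferences")

SAMPLE_PREFS = {
    "homepage": "http://www.trotux.com/",
    "homepage_is_newtabpage": False,
    "session": {"restore_on_startup": 4, "startup_urls": ["http://www.trotux.com/"]},
    "default_search_provider_data": {"template_url_data": {
        "short_name": "Trotux",
        "keyword": "trotux.com",
        "url": "http://www.trotux.com/?q={searchTerms}",   # constructed URL
    }},
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"from_webstore": True,
                                            "manifest": {"name": "Ad Blocker (constructed)"}},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"from_webstore": False,
                                            "manifest": {"name": "Search Helper (constructed)"}},
    }},
}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def audit_chrome_prefs(prefs, trusted_hosts=TRUSTED_HOSTS):
    """Return findings describing settings that do not look user-chosen."""
    findings = []
    homepage = prefs.get("homepage", "")
    if homepage and not prefs.get("homepage_is_newtabpage", False) \
            and host_of(homepage) not in trusted_hosts:
        findings.append(f"home page points at unrecognised host {host_of(homepage)}")
    for url in prefs.get("session", {}).get("startup_urls", []):
        if host_of(url) not in trusted_hosts:
            findings.append(f"startup page points at unrecognised host {host_of(url)}")
    tpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if tpl.get("url") and host_of(tpl["url"]) not in trusted_hosts:
        findings.append(f"default search engine is {tpl.get('short_name', '?')} at {host_of(tpl['url'])}")
    # Heuristic: an extension not installed from the Web Store deserves a look.
    # Chrome's own built-in component extensions can show up here too, so treat
    # this as a prompt to review, not proof of infection.
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        if not ext.get("from_webstore", False):
            name = ext.get("manifest", {}).get("name", "<unnamed>")
            findings.append(f"extension not from the Web Store: {name} ({ext_id})")
    return findings


def audit_prefs_file(path=DEFAULT_PREFS_PATH, trusted_hosts=TRUSTED_HOSTS):
    """Audit a real Preferences file (close Chrome first so the file is current)."""
    with open(path, encoding="utf-8") as fh:
        return audit_chrome_prefs(json.load(fh), trusted_hosts)


if __name__ == "__main__":
    for finding in audit_chrome_prefs(SAMPLE_PREFS) or ["browser settings look like your own"]:
        print(finding)
```

The allowlist is the important design choice: a hijacker can pick any domain, so the check asks "is this a host I chose?" rather than matching a list of known-bad ones. Hijackers that persist through a shortcut argument or an enterprise policy rather than the Preferences file will not show up here, which is why the article also suggests running an adware scanner.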
Figure 6: trotux.com, a Fake Search Engine Run by Rafotech

THE RED BUTTON IN THE WRONG HANDS

It does not take much to imagine a scenario in which Rafotech decides to harvest sensitive information from all of its infected machines and sell this data to threat groups or business rivals. Banking and credit card credentials, medical files, patents and business plans can all be widely exposed and abused by threat actors for various purposes. Based on our estimated infection rate, in such a scenario one out of five corporations worldwide would be susceptible to a major breach. Severe damage can be caused to key organizations, from major service providers to critical infrastructure operators to medical institutions. The potential loss is indescribable, and repairing the damage caused by such massive data leakage (if even possible) could take years.

Rafotech holds the power to initiate a global catastrophe, and it is not alone. During our research we tracked down additional browser-hijackers that, to our understanding, were developed by other companies. One such company is ELEX Technology, an Internet services company also based in Beijing, which produces products similar to those of Rafotech. Several findings lead us to suspect that the two companies are related, and may be collaborating in the distribution of browser-hijackers or in trading customers' traffic. For example, an adware product developed by ELEX, named YAC ("Yet Another Cleaner"), is suspected of being connected to Rafotech's operation, dropping its browser-hijackers.

CONCLUSION

In this research we have described Rafotech's browser-hijacker operation, possibly the largest infection operation in history. We believe that although this is not a typical malware attack campaign, it has the potential to cause irreversible damage to its victims as well as to internet users worldwide, and therefore it must be blocked by security companies.
The full distribution of Fireball is not yet known, but it is clear that it presents a great threat to the global cyber ecosystem. With a quarter of a billion infected machines and a grip on one of every five corporate networks, Rafotech's activities make it an immense threat.

HOW DO I REMOVE THE MALWARE, ONCE INFECTED?

To remove almost any adware, follow these simple steps:

1. Uninstall the adware by removing the application from the Programs and Features list in the Windows Control Panel.
   For Mac OS users: use the Finder to locate the Applications folder, drag the suspicious file to the Trash, then empty the Trash.
   Note: a usable program is not always installed on the machine and therefore may not be found in the program list.

2. Scan and clean your machine, using:
   Anti-malware software
   Adware cleaner software

3. Remove malicious add-ons, extensions or plug-ins from your browser:
   On Google Chrome:
   a. Click the Chrome menu icon and select Tools > Extensions.
   b. Locate and select any suspicious add-ons.
   c. Click the trash can icon to delete.
   On Internet Explorer:
   a. Click the Settings icon and select Manage Add-ons.
   b. Locate and remove any malicious add-ons.
   On Mozilla Firefox:
   a. Click the Firefox menu icon and go to the Tools tab.
   b. Select Add-ons > Extensions. A new window opens.
   c. Remove any suspicious add-ons.
   d. Go to the Add-ons manager > Plugins.
   e. Locate and disable any malicious plugins.
   On Safari:
   a. Make sure the browser is active.
   b. Click the Safari tab and select Preferences. A new window opens.
   c. Select the Extensions tab.
   d. Locate and uninstall any suspicious extensions.

4. Restore your internet browser to its default settings:
   On Google Chrome:
   a. Click the Chrome menu icon and select Settings.
   b. In the On startup section, click Set pages.
   c. Delete the malicious pages from the Startup pages list.
   d. Find the Show Home button option and select Change.
   e. In the Open this page field, delete the malicious search engine page.
   f. In the Search section, select Manage search engines.
   g. Select the malicious search engine page and remove it from the list.
   On Internet Explorer:
   a. Select the Tools tab and then select Internet Options. A new window opens.
   b. In the Advanced tab, select Reset.
   c. Check the Delete personal settings box.
   d. Click the Reset button.
   On Mozilla Firefox:
   a. Enable the browser Menu Bar by clicking the blank space near the page tabs.
   b. Click the Help tab and go to Troubleshooting Information. A new window opens.
   c. Select Reset Firefox.
   On Safari:
   a. Select the Safari tab and then select Preferences. A new window opens.
   b. In the Privacy tab, click the Manage Website Data... button. A new window opens.
   c. Click the Remove All button.

INDICATORS OF COMPROMISE

C&C addresses

File hashes
