1. Forum
  2. FidoNet
  3. ANTI VIRUS

  • ?US-ASCII?Q?TA15-098A:_AAEH?

    From Ben Ritchey@1:393/68 to All on Thu Apr 9 19:32:34 2015
    =-=-=-=-=-=-= Original message BEGINs here: =-=-=-=-=-=-=

    Subject: ?US-ASCII?Q?TA15-098A:_AAEH?
    From: ?US-ASCII?Q?US-CERT? <US-CERT@ncas.us-cert.gov>



    National Cyber Awareness System:

    TA15-098A: AAEH [ https://www.us-cert.gov/ncas/alerts/TA15-098A ] 04/09/2
    015 12:00 AM EDT
    Original release date: April 09, 2015

    Systems Affected

    * Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8
    * Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012


    Overview

    AAEH is a family of polymorphic downloaders created with the primary purp
    ose of downloading other malware, including password stealers, rootkits,
    fake antivirus, and ransomware.

    The United States Department of Homeland Security (DHS), in collaboration
    with Europol, the Federal Bureau of Investigation (FBI) and the Departme
    nt of Justice (DOJ), released this Technical Alert to provide further inf ormation about the AAEH botnet, along with prevention and mitigation reco mmendations.

    Description

    AAEH is often propagated across networks, removable drives (USB/CD/DVD),
    and through ZIP and RAR archive files. Also known as VObfus, VBObfus, Bee
    bone or Changeup, the polymorphic malware has the ability to change its f
    orm with every infection. AAEH is a polymorphic downloader with more than
    2 million unique samples. Once installed, it morphs every few hours and rapidly spreads across the network. AAEH has been used to download oth
    er malware families, such as Zeus, Cryptolocker, ZeroAccess, and Cutwail.


    Impact

    A system infected with AAEH may be employed to distribute malicious softw
    are, harvest users' credentials for online services, including banking se rvices, and extort money from users by encrypting key files and then dema
    nding payment in order to return the files to a readable state. AAEH is c apable of defeating anti-virus products by blocking connections to IP add resses associated with Internet security companies and by preventing anti -virus tools from running on infected machines.

    Solution

    Users are recommended to take the following actions to remediate AAEH inf ections:


    * "Use and maintain anti-virus software" - Anti-virus software recogniz
    es and protects your computer against most known viruses. It is important
    to keep your anti-virus software up-to-date (see Understanding Anti-Viru
    s Software for more information [ http://www.us-cert.gov/ncas/tips/ST04-0
    05 ]).
    * "Change your passwords" - Your original passwords may have been compr omised during the infection, so you should change them (see Choosing and Protecting Passwords for more information [ http://www.us-cert.gov/ncas/t ips/ST04-002 ]).
    * "Keep your operating system and application software up-to-date" - In
    stall software patches so that attackers can't take advantage of known pr oblems or vulnerabilities. Many operating systems offer automatic updates
    . If this option is available, you should enable it (see Understanding Pa
    tches for more information [ http://www.us-cert.gov/ncas/tips/ST04-006 ])
    .
    * "Use anti-malware tools" - Using a legitimate program that identifies
    and removes malware can help eliminate an infection.

    Users can consider employing a remediation tool (examples below) that wil
    l help with the removal of AAEH from your system.

    Note: AAEH blocks AV domain names thereby preventing infected users from
    being able to download remediation tools directly from an AV company. The
    links below will take you to the tools at the respective AV sites. In th
    e event that the tools cannot be accessed or downloaded from the vendor s
    ite, the tools are accessible from Shadowserver (http://aaeh.shadowserver .org).

    The below are examples only and do not constitute an exhaustive list. The
    U.S. Government does not endorse or support any particular product or ve
    ndor.

    References

    * F-Secure Online Scanner for Windows Vista, 7 and 8 [ http://www.f-sec ure.com/en/web/home_global/online-scanner ]
    * F-Secure Removal Tools for Windows XP [ http://www.f-secure.com/en/we b/labs_global/removal-tools/-/carousel/view/142 ]
    * McAfee Stinger for Windows XP SP2, 2003 SP2, Vista SP1, 2008, 7 and 8
    [ http://www.mcafee.com/stinger ]
    * Microsoft Safety Scanner for Windows 8.1, Windows 8, Windows 7, Windo
    ws Vista, and Windows XP [ http://www.microsoft.com/security/scanner/en-u s/default.aspx ]
    * Sophos Virus Removal for Windows XP SP2 and above [ http://www.sophos .com/VirusRemoval ]
    * Trend Micro Threat Detector for Windows XP, Windows Vista, Windows 7,
    Windows 8/8.1, Windows Server 2003/2008, and 2008 R2 [ http://www.trendm icro.com/threatdetector ]

    Revision History

    * April 9, 2015: Initial Release ________________________________________________________________________

    This email was sent to certecho@net396.fidonet.org using GovDelivery, onbehalf of: United States Computer Emergency Readiness Team (US-CERT) B7245 Murray Lane
    SW Bldg 410 B7 Washington, DC 20598 B7 (888) 282-0870
    Powered by GovDelivery [ http://www.govdelivery.com/portals/powered-by ]



    -+-
    + Origin: FidoNet<>Internet Gateway -Huntsville AL- USA- (1:396/3)

    =-=-=-=-=-=-=-= .END of Forwarded message =-=-=-=-=-=-=-=

    --
    Guardien Fide :^)

    Ben aka cMech Web: http://cmech.dynip.com
    Email: fido4cmech(at)lusfiber.net
    Home page: http://cmech.dynip.com/homepage/
    WildCat! Board 24/7 +1-337-984-4794 any BAUD 8,N,1

    --- GoldED+/W32-MSVC
    * Origin: FIDONet - The Positronium Repository (1:393/68)