David H. Lipman

Everything posted by David H. Lipman

  1. Please avoid such shady sites. The site that supposedly indicates what the DLL is, is not about the information. It's about pushing crapware. It is using the name of the DLL as its ploy to goad one into the crapware installation. https://www.virustotal.com/gui/file/b1d4caaf30643bd13f61b790c8a51003d996ee82171d2ee649b7accf7cdd31f0/detection
  2. I don't have access to files on VT anymore so can't examine it and so I have no clue what it does.
  3. Besides being known to Virus Total since 2013, and thus too old for Malwarebytes signature creation, it is a trojan and not a virus.
  4. @Muschel I'm glad to hear that. Thank you for the update.
  5. If you willy-nilly Browse the Internet you can possibly land on a malicious web site using an Exploit and cause malware to be downloaded with a possible execution. Your Profile indicates "Interests: Malware analyzing" so you should be well aware that all viruses are malware and not all malware are viruses and viruses play a very small fraction within the malware arena. The vast majority of malware are trojans and the chances of a malicious web site using an Exploit to cause download and possible execution will be for a trojan, and not a virus. Putting it back into perspective, if you are just using Google Images this will not be too likely. It is possible but not probable and because that possibility exists, is the reason we install anti malware software on our computers. Graphic files in themselves are not malicious per se. The web site hosting it can be and that's why you always have to be on your guard. Graphic files come in many formats such as GIF, PNG, JPEG, BMP, PCX and other formats. There have been graphic files that have been crafted in such a way as to exploit known vulnerabilities in the Graphics Rendering module of MS Windows. Left unpatched, that's one way a site using an Exploit can effect a malware download with a possible execution. Graphic files can also be used to hide malware "in plain sight". The Graphic File can be manipulated in such a way as where a PE binary is appended to the graphic or mathematically added ( Example: XOR ) or by using steganography. In that state the modified graphic file is safe and will not "self execute" and it will require a secondary program or script to extract the PE binary which is the malware.
  6. It has a time scaled histogram selector. You grab it and look at the time and stop when appropriate. It does have some Hot-Keys but no Fast Forward or Rewind Button. https://www.vlchelp.com/vlc-media-player-shortcuts/
  7. BEC Scam Costing Almost US$11 Million Leads to FBI Arrest of Nigerian Businessman "The chief executive officer (CEO) of the Invictus Group of Companies, Obinwanne Okeke, has reportedly been arrested by the U.S. Federal Bureau of Investigation (FBI) after he was accused of conspiracy to commit computer and wire fraud. The FBI investigation into Okeke was initiated after a victim of a business email compromise (BEC) scam informed the FBI that it had been defrauded of nearly US$11 million. According to an affidavit from FBI Special Agent Marshall Ward, who spearheaded the investigation, a phishing email was sent to the chief financial officer (CFO) of Unatrac Holding Limited, the UK-based export sales office for the construction equipment company Caterpillar. The email contained a URL leading to a spoofed webpage asking for the login credentials of the CFO’s Microsoft Office 365 account. Once the CFO entered his credentials, the attackers managed to gain access to all the contents of the CFO’s Office 365 account, from emails to digital files. The CFO’s email account was then used to issue fund transfer requests to Unatrac’s financial department. The scam involved fake invoices featuring the corresponding company logos and templates to make the emails seem more legitimate. The attackers even went so far as to send emails from an external account to the CFO’s account, which were then forwarded to the finance team, and created and changed filter rules to intercept legitimate emails and mark them as read. Between April 11 and 18, 2018, employees of the Unatrac financial department issued 15 payments totaling nearly US$11 million, with some of the payments going to the same account. The affidavit mentioned that the CFO’s account was accessed at least 464 times using Nigerian IP addresses. The attackers also downloaded files from the CFO’s account, with one of the downloaded files being sent to a Gmail address. 
Further investigation by the FBI revealed that the email was used for other fraudulent schemes. Ward managed to obtain records from Google, which allowed the FBI to link the email to another email address. The second email address was connected to a forum account that eventually led the FBI to conclude that Okeke is part of the BEC scam."
  8. Refers to; CVE-2019-13615 VideoLAN VLC was just updated to v3.0.8 but CVE-2019-13615 does not seem to have been addressed. https://www.videolan.org/developers/vlc-branch/NEWS However according to this, the issue has been fixed. https://trac.videolan.org/vlc/ticket/22474
  9. That's not entirely true. If you can see an image, it is an image file, and MBAM stops there. However the file can be manipulated such as a PE binary appended to the graphic or mathematically added ( Example: XOR ) or can be a case of steganography. I recently looked at a Chinese data stealing trojan that downloaded assistive modules, from BAIDU, that were supposedly a JPEG ( identified by the string JFIF in the binary header ) but further into the binary was appended a PE executable. It was that Chinese data stealing trojan that would strip off the JPEG from the PE contents. Thus allowing the add-on malware modules to "hide in plain sight". MBAM will only look at the first two characters and see if it is marked by 'MZ' and if it isn't, it will pass scrutiny even if at a given Offset there is an appended PE binary. Of course in that state the modified graphic is safe and will not "self execute" and will require a secondary program or script to extract the PE binary.
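The "PE appended to a JPEG" case described in posts 5 and 9 above can be triaged on the defender's side by walking every 'MZ' in the file and checking whether its DOS header actually chains to a 'PE\0\0' signature; the following is an added example, not code from the poster or from Malwarebytes, and the JFIF header, PE stub and XOR key 0x5A it uses are constructed sample data.

```python
import struct

# Constructed sample inputs (not real files): a minimal JFIF header, a stub PE header,
# and three "JPEGs": clean, with a PE appended after the EOI marker, and XOR-obfuscated.
JFIF_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
PE_STUB = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
CLEAN_JPEG = JFIF_HEAD + b"\x00" * 10 + b"MZ" + b"\x00" * 100 + b"\xff\xd9"  # stray 'MZ' only
APPENDED_JPEG = JFIF_HEAD + b"\x00" * 40 + b"\xff\xd9" + PE_STUB
XORED_JPEG = JFIF_HEAD + b"\x00" * 40 + b"\xff\xd9" + bytes(b ^ 0x5A for b in PE_STUB)


def looks_like_jpeg(data):
    """SOI marker plus the 'JFIF' identifier the post mentions."""
    return data[:2] == b"\xff\xd8" and data[6:10] == b"JFIF"


def find_embedded_pe(data):
    """Offsets of every 'MZ' whose e_lfanew (DOS header +0x3C) points at 'PE\\0\\0'.
    A bare 'MZ' string occurs by chance in image data; the chained signature does not."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def find_xor_embedded_pe(data):
    """Try every single-byte XOR key; map key -> offsets where a PE header appears once decoded."""
    found = {}
    for key in range(1, 256):
        hits = find_embedded_pe(bytes(b ^ key for b in data))
        if hits:
            found[key] = hits
    return found


def triage(data):
    """Defender-side verdict: an image carrying a PE header past offset 0 deserves a closer look."""
    if not looks_like_jpeg(data):
        return "not-jpeg"
    if find_embedded_pe(data):
        return "jpeg-with-appended-pe"
    if find_xor_embedded_pe(data):
        return "jpeg-with-xor-obfuscated-pe"
    return "jpeg-clean"
```

The stray 'MZ' in the clean sample is deliberately not flagged, which is the difference between this check and a plain string search.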
  10. What software you use to scan an object would be dependent upon what the intention is. As noted the Brother MFC is a TWAIN compliant All-in-One ( AIO ) so any TWAIN compliant software can be used. If I want to scan a photo to a JPEG, I may use PhotoShop Elements or XnView. If I am Word Processing a document I may write the document with LibreOffice Writer and then scan the object directly within the document. If I wanted to do Optical Character Recognition ( OCR ) I may use Adobe Acrobat or PaperPort. However, to do any of the above, the computer must be able to communicate with the scanner either over TCP/IP or USB. It is the job of the MFC's TWAIN software to act as middle-ware in this function and it has no idea how the scanner is connected until it is told what IP Address the MFC is set up on or to use USB. As I noted that is performed with the Control Center program and from your Desktop ScreenShot, I see it as the icon in the System Tray labeled; CC3 ( ControlCenter3 ). https://support.brother.com/g/s/id/htmldoc/mfc/cv_mfc9120cn/encn/html/sug/chapter3.html
  11. If I understand this correctly, you have a Brother MFC-J615W AIO colour inkjet. You tried to SCAN over IP - It failed. You reconnected the Brother MFC using USB. You then tried to SCAN over USB - It failed. Often when you use third party software it is dependent upon a TWAIN driver. The Brother MFC is TWAIN compliant. Usually there is a way to configure the TWAIN software to connect to its associated scanner. Specifically identify the connection with the IP Address or via USB. I don't have a Brother AIO in front of me but this is often a Utility in the Brother StartMenu and/or is performed with the Control Center icon in the Windows System Tray. EDIT: Example: Below is the Utility for Epson Scan Settings. Note the choices; Local and Network.
  12. The FavIcon shows on two different Windows 7 PCs of mine using two different Firefox versions.
  13. State Farm hit by data breach "State Farm – the largest property and casualty insurance provider in the US - has been compromised in a credential stuffing attack. The firm acknowledged the cyberattack, filing a data breach notification with the California Attorney General, and on Wednesday (August 07), it sent out “Notice of Data Breach” emails to users whose online account log-in credentials were obtained by a bad actor. The insurer’s data breach notification email read: “State Farm recently detected an information security incident in which a bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt to access to State Farm online accounts. During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account.” This type of cyberattack is called credential stuffing. Attackers will buy or take usernames and passwords that were leaked from other companies’ data breaches and they will try to use those credentials to log-in to other accounts and sites. It works well against people who use the same password for lots of different sites – something many people are in the habit of doing."
  14. You can't mix the Input Ports and the Output Ports together as that would create a Feedback Loop.
  15. I think Over Arching en masse fraudsters rake in Millions. This action was just one action taken against one of many fraudsters who is based in the US. Unfortunately many are from "another" country.
  16. https://public.tableau.com/profile/federal.trade.commission#!/vizhome/DoNotCallComplaints/Maps
  17. FTC Sending Refunds to Victims of Tech Support Scam "The Federal Trade Commission is sending refund checks and PayPal payments totaling more than $802,000 to 12,140 consumers as part of a settlement with the operators of a St. Louis-based scam that tricked consumers into buying unnecessary technical support services. Eligible consumers paid for tech support products and services from Global Access Technical Support, which also used the names Global sMind, Global S Connect, Yubdata Tech, and Technolive. The FTC alleged the defendants worked with affiliate marketers to place pop-up ads that falsely claimed the consumer’s computer was infected with viruses or malware. The ads urged consumers to immediately call a toll-free number for help. When consumers called the number, they were connected to telemarketers who falsely claimed to be affiliated with Microsoft or Apple. The telemarketers claimed they needed remote access to consumers’ computers to diagnose the problem. Once given access, the telemarketers tricked consumers into believing that harmless directories on their computers were evidence of problems that required immediate repair. Consumers who receive a check from the FTC should deposit or cash the checks within 60 days, as indicated on the check. For the first time, the FTC is also sending refund payments via PayPal to consumers for whom the agency does not have a mailing address. Consumers will have 30 days to accept the PayPal payment. The FTC’s consumer blog post provides more details about how the refund process will work. The average refund amount is $66. The FTC never requires people to pay money or provide account information to cash a refund check. If recipients have questions about the refunds, they should contact the FTC’s refund administrator, Analytics, at 844-881-1379."
  18. Exactly. It is an OS generated file that is normal. Virus Total is a simple way to check any file. As you now see, there are 3 Virus Total Reports for three copies of "GDIPFONTCACHEV1.DAT". I think you'll find every User Profile has one.
  19. Yes, your presumptions have no basis in fact. There are 100's of files in the OS. Many are caches too. Why single this file out ? Here's the Virus Total report for my Win7 User Profile http://www.virustotal.com/file/1e4f4a4bb936381af55b3f262680a220df11da6cb24320320b6ec2c47de80512/analysis/ Here's the Virus Total report for another file from my Win7 User Profile on another PC https://www.virustotal.com/gui/file/ada06efed5d7a4d328f96c93efca893daf1cc2f3f3b879e535aa31cfa83a0b4c/detection
  20. It is an OS created data file related to your Profile and should be left alone. If you have worries on a data file, send it to Virus Total. It will check it with more than 50, participating, anti malware vendors.
  21. If it is a Windows OS based server then it is a non-dedicated server. Non-dedicated servers such as Windows server is often compromised because of the Insider Threat when the role as a File Server is abused by administrators who install unapproved software and Browse the Internet. Malwarebytes' Anti-Malware ( MBAM ) does not target scripted malware files via signatures. That means MBAM will not target; JS, JSE, PS1, PY, .HTML, HTA, VBS, VBE, WSF, .CLASS, SWF, SQL, BAT, CMD, PDF, PHP, etc. It also does not target documents via signatures such as; PDF, DOC, DOCx, XLS, XLSx, PPT, PPS, ODF, RTF, etc. It also does not target media files; MP3, WMV, JPG, GIF, etc. Until MBAM, v1.75, MBAM could not access files in archives but with v1.75 came that ability so it can unarchive a Java Jar (which is a PKZip file) but it won't target the .CLASS files within. Same goes with CHM files (which is a PKZip file) but it doesn't target the HTML files within. MBAM v1.75 and later specifically will deal with; ZIP, RAR, 7z, CAB and MSI for archives. And self-Extracting; ZIP, 7z, RAR and NSIS executables (aka; SFX files). MBAM specifically targets binaries that start with the first two characters being; MZ They can be; EXE, CPL, SYS, DLL, SCR and OCX. Any of these file types can be renamed to be anything such as; TXT, JPG, CMD and BAT and they will still be targeted just as long as the binary starts with 'MZ'. This includes file names that use Unicode Right-to-Left Override to obfuscate an executable file extension.
  22. I'm glad to read you decided to file a complaint with the US FBI's IC3. Tech Support scammers are a real problem and Law Enforcement needs all the information from victims that they can receive. PS: Best 'O Luck with that job interview Jim
  23. @JC_Stewart Steer clear from non-vetted applications such as "Shield Apps" and "PC Privacy Shield". Any applications that were installed subsequent to the Microsoft FakeAlert and the company associated with the Tech Support Scam behind the phone number (866) 359-5578 cannot be trusted. Chances are the Tech Support Scammer behind the phone number, (866) 359-5578, is an affiliate and received affiliate revenue ( aka; kickback ) for the installation. If you haven't reviewed the references I previously provided, please do so...
     US FBI PSA - Tech Support Fraud
     US FTC Consumer Information - Tech Support Scams
     US FTC - Tech Support Operators Agree to Settle Charges by FTC and the State of Ohio
     US FTC - FTC and Federal, State and International Partners Announce Major Crackdown on Tech Support Scams