Pokémon GO - On the border of reality!

Like many, I grew up playing Pokémon and watching the TV series. First created in 1995, the brand still remains extremely popular with children and adults today. With over 45 games, 4 TV series, 5 TV specials and 19 movies created, the brand had earned an easy $57.65 billion in revenue as of 2015.

The latest addition to the series is a new game, 'Pokémon GO'. The official launch from closed beta to the public occurred today (6th July 2016), with thousands of downloads on both iOS and Android devices. The game is still very much in its early stages, meaning we could see major changes to this childhood favourite.

Wearable accessories aren't yet available but concepts have been released. The idea is to add ease of use, improving gameplay so you don't need to constantly look at your mobile device. The distinctive design and colours also make it a free form of marketing for the game.

The main company behind this augmented reality game is Niantic, Inc., formerly an internal startup within Google which branched off in August 2015. Niantic is well known for an already popular MMO location-based game, 'Ingress', which recently gained more publicity in Sydney, Australia due to an Anomaly, an event related to the story and gameplay.

The partnership with Pokémon company Nintendo brought with it a '$20M Series A' investment round and, in February 2016, an additional $5M in funding to ensure the production and launch of the game.

I'm sure this is only the beginning for the new game and certainly won't be the last thing we see from the Pokémon brand.

** Update 7th July - Trainers around the world may be delayed due to ongoing server issues. Many are unable to get past the login screen; the issue is more than likely related to the surge in app downloads and traffic to their servers.

Social Media Thoughtlessness

For the past few years now I've endured what I consider to be "cancerous" social media posts and new forms of hoaxing. These usually remained within Facebook, but lately they have spread to LinkedIn, a social media platform which is aimed at being more professional.

I'm unsure if I'm seeing it across more networks now because my network size has increased, or because people are becoming so comfortable with the social media actions "like" and "share" that they've lost their meaning.

So many posts are thoughtlessly liked and shared that browser add-ons/extensions were created to block or replace content that many deemed unnecessary.

Technology inept or gullible?

When there's new technology, sites or games there will always be forms of hoaxing/scamming that go with them. Over and over I'm seeing Facebook like farming, which appeals to human emotions to gain page likes. Commonly these pages are then sold off, and you'll wind up seeing a post from a page you swear you never liked.

Greed could be a factor in our quick actions, because lots of people are convinced Apple, BMW and other big companies give away hundreds of thousands to anyone online just for liking their new Facebook pages and sharing their "giveaway" posts.

So what's the solution here? Should social media companies be handling this in a better way? Or should we be educating ourselves about technology a bit more before using it?

Think before you do! Using Google to find out more, and sites like Hoax-Slayer, are great for myth busting.

WordPress Bot Target

Recently I've had a huge influx of traffic to my site, to the point that Apache reached its maximum connections and MySQL couldn't respond in time. It turned out a small DDoS was occurring.

It's common for popular software like WordPress to become a target for bots that roam the internet crawling for exploitable servers to add to their botnet. Unfortunately it's something that not all hosting providers will help detect and stop, which is why specialist services like CloudFlare have become available.

After noticing the server grinding to a halt, I went through some basic steps to determine where the fault might be.

  • Use another server or device on another network to check the site; a popular free service is "Down For Everyone or Just Me".
  • Use networking commands like ping thomasrothwell.com and traceroute thomasrothwell.com to determine whether the domain provider or DNS could be affected. Again, sites such as Ping.eu are available to do this if you don't have a command line available.
  • SSH into the server to check the logs. "/var/log/" is the most common directory but will of course vary depending on your hosting provider and OS. Check your web server and database logs; this'll help narrow down what's falling over first.
  • Check your server resources; RAM and CPU usage may be spiking. Again, commands like top will help identify the main consumers.
  • If you come across a suspect IP you can use an IP address abuse database to help identify its legitimacy.

It turned out to be addresses from a similar IP range hitting the server with POST requests to the WordPress file xmlrpc.php. This is a common target as it's used to communicate with third-party services like RSS and plugins.

185.130.4.197 - - [04/May/2016:10:59:34 -0400] "POST /xmlrpc.php HTTP/1.0" 500 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.103.252.3 - - [04/May/2016:10:59:33 -0400] "POST /xmlrpc.php HTTP/1.0" 500 609 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

I stopped the web server so the server would free up some resources and work a bit quicker, as the response time when typing was very sluggish.

service apache2 stop

I grabbed the IP addresses from the access logs and then used iptables to block the connections.

iptables -I INPUT -p tcp -s 185.103.252.170 -j REJECT
iptables -I INPUT -p tcp -s 185.130.4.120 -j REJECT
iptables -I INPUT -p tcp -s 185.130.4.197 -j REJECT
iptables -I INPUT -p tcp -s 5.10.73.4 -j REJECT
iptables -I INPUT -p tcp -s 185.103.252.3 -j REJECT
iptables -I INPUT -p tcp -s 5.154.191.67 -j REJECT
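Added here as an example that is not from the original post: a small POSIX shell script that automates the "grab the IPs from the access log" step above, counting POST requests to xmlrpc.php per source address and printing (not executing) iptables rules in the same form as those above. The sample log lines, the threshold and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample of Apache combined-format access log lines (not the post's
# real log); the two 185.x addresses mirror the pattern described in the post.
SAMPLE_LOG='185.130.4.197 - - [04/May/2016:10:59:34 -0400] "POST /xmlrpc.php HTTP/1.0" 500 0 "-" "Mozilla/4.0"
185.103.252.3 - - [04/May/2016:10:59:33 -0400] "POST /xmlrpc.php HTTP/1.0" 500 609 "-" "Mozilla/4.0"
185.130.4.197 - - [04/May/2016:10:59:35 -0400] "POST /xmlrpc.php HTTP/1.0" 500 0 "-" "Mozilla/4.0"
203.0.113.9 - - [04/May/2016:11:00:01 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [04/May/2016:11:00:02 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0"
185.130.4.197 - - [04/May/2016:10:59:36 -0400] "POST /xmlrpc.php HTTP/1.0" 500 0 "-" "Mozilla/4.0"'

# xmlrpc_offenders THRESHOLD: print "count ip" for every source address that
# POSTed to /xmlrpc.php at least THRESHOLD times, busiest first. Log lines are
# read from stdin, so this also works on a log file or on `tail -f`.
xmlrpc_offenders() {
    awk -v min="$1" '
        # field 6 is "POST (with the opening quote), field 7 is the request path
        $6 == "\"POST" && $7 == "/xmlrpc.php" { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

# block_rules THRESHOLD: turn the offender list into iptables commands like the
# ones in the post, printed for review rather than executed.
block_rules() {
    xmlrpc_offenders "$1" | while read -r count ip; do
        printf 'iptables -I INPUT -p tcp -s %s -j REJECT   # %s POSTs\n' "$ip" "$count"
    done
}

# Example run over the constructed sample: only 185.130.4.197 reaches 2 hits.
printf '%s\n' "$SAMPLE_LOG" | block_rules 2
```

Pipe a real access log in instead of the sample (for example `block_rules 50 < /var/log/apache2/access.log`) and check the printed rules before applying them, since a legitimate service such as the Jetpack/mobile app also POSTs to xmlrpc.php.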

Then I simply started the web server again and everything was back running smoothly!

Keeping up with the Malware

Recently I had a deeper encounter with ransomware, a form of malware that's spreading at an alarming rate. It works by restricting access to the user's computer or data and then demanding that they pay a ransom in order to get access back. While it's not a new thing, creators seem to be bypassing even some of the more advanced virus scanners which offer out-of-the-box web and download scanning.

In 2015 alone the FBI received at least 2,500 complaints related to ransomware attacks, which amounted to approximately $24 million in losses to the victims. Australians have reportedly lost millions from similar forms of malware and online scams this year alone.

This form of malware is commonly spread via phishing emails. These emails appear to come from legitimate companies, luring you to click a link which then takes you to a website that "appears to be" correct. Visually the site could look identical, but it's really a fake; the easiest thing to do is compare web addresses. The real site "http://auspost.com.au/" isn't the same as the fake "http://auspost-1f290.rnd.net.au".
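The "compare web addresses" check above, written out as an added example that is not part of the original post: it extracts the host actually being contacted and accepts it only if it is the expected domain or a subdomain of it, so lookalike names that merely contain "auspost" are rejected. The function names and the third test address are assumptions made for the example.

```shell
#!/bin/sh
# url_host URL: print the lowercase hostname actually being contacted. Strips
# the scheme, any user@ prefix (a classic lure), the port, path and query.
url_host() {
    printf '%s' "$1" \
      | sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://##; s#^[^/?@]*@##; s#[/?:].*$##' \
      | tr 'A-Z' 'a-z'
}

# legit_host URL EXPECTED_DOMAIN: succeed only when the host is EXPECTED_DOMAIN
# itself or a subdomain of it. Lookalikes such as auspost-1f290.rnd.net.au or
# auspost.com.au.example.net fail because they only contain the name as text.
legit_host() {
    host=$(url_host "$1")
    case "$host" in
        "$2" | *."$2") return 0 ;;
        *)             return 1 ;;
    esac
}

# Constructed examples; the first two addresses are the ones quoted in the post.
for url in "http://auspost.com.au/" "http://auspost-1f290.rnd.net.au" \
           "http://auspost.com.au@203.0.113.5/track"; do
    if legit_host "$url" auspost.com.au; then
        printf 'OK   %s\n' "$url"
    else
        printf 'FAKE %s (host: %s)\n' "$url" "$(url_host "$url")"
    fi
done
```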

My mother had unintentionally downloaded and opened a self-executing zip file, even with my rants about opening certain emails and files, and with NOD32 installed. "Crypt0Locker" was still downloaded and run. The program copied itself to a few locations while encrypting, or at least obfuscating, the source files and then adding the file extension ".encrypted".
A browser window appeared with instructions on what had just happened and how to regain control of the files.

The instructions state to deposit X amount of bitcoins into a specific address.

The site being served uses the Tor network along with the crypto-currency Bitcoin; unfortunately this makes it a lot harder for law enforcement to track down and put a stop to these malicious people.

So, pay the money or attempt a fix myself? Of course I went with fixing it myself, which led to several hours of research, trial and error, then repeat.

The Quickest Fix

A handy feature known as System Restore can resolve this. Unfortunately the feature isn't always on, or the last restore point is from a long time ago. If you're one of the lucky ones you may have a recent restore point; you can follow the instructions on the Microsoft website to do this.

The Alternate Fix

First you'll want to remove any traces of the malware to prevent re-infection or at the very least prevent the window from constantly popping up in your face.

The easiest solution is to use a free trial of Malwarebytes or HitmanPro: let one of these scan your entire system and follow the prompts.

Next is attempting to restore files. Shadow Explorer may allow you to see previous versions of files, which could allow restoration. Unfortunately this is a bit of a manual process.

Bleeping Computer provides a very standard walkthrough on how to use Shadow Explorer - http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#shadow

Prevention

Even the most careful get hit at some stage, so the key is educating yourself, even if only a little. Try following some of the points below:

  1. Use a virus scanner and keep it up to date.
  2. Don't open emails unless you're 100% certain they're safe. If the email spam filter didn't pick it up, you can examine the From address to check its legitimacy.
  3. Download files only from websites that are being served from the correct web address.
  4. Use more modern and secure browsers such as Firefox or Google Chrome.

TL;DR - A new version of Crypt0Locker and variations exist for which no easy fix is available. The older version of Crypt0Locker had a method to restore files and remove the malware.

You could have a variation of the virus, so these steps may not work for you. To be precise about what actions should be taken, you can upload an infected file to this site: https://id-ransomware.malwarehunterteam.com/ which will detect the form of ransomware you've been hit with.

Finally, keep an eye on Scamwatch - https://www.scamwatch.gov.au/