ESET Reviews Scariest Zombie Botnets and Offers Safe Online Tips for Halloween


With Halloween here, ESET Ireland once again has the safety of online users on its mind. So what should web users steer clear of on this day, and what is the scariest zombie malware out there? Let’s look at both: first some security tips, then the scariest zombie botnets.

ESET Ireland has put together four golden tips to take the “scary” out of your online adventures this Halloween:

Be careful with e-mails that have a Halloween subject. Halloween, like many other noteworthy dates and events, is used by attackers for social engineering, to convince you that their emails are harmless when they are actually malicious. If you weren’t expecting the email, it is a good idea simply not to open it.

Update your AV solution. If you don’t have one, install one. The “I know what I am doing on the Internet and don’t need protection” defence and the “I use a secure platform” defence are both myths. Threats like drive-by downloads can exploit a vulnerability in your browser as soon as you visit a page, without your ever clicking anything on it. And at Halloween we might see a rise in these kinds of attacks.

Set your software updates to “automatic.” The time when you sit in front of your computer and perform all updates manually is close to never, so the next best thing is to have updates installed automatically. Remember that all software should be updated, not only the OS, browsers and AV: PDF readers, Java, Office and video players are also key to keep up to date. So, that makes it everything!

When searching for Halloween content in Google, Bing or Yahoo, be aware that some attackers use techniques to bump up the ranking of infected sites, known as BlackHat SEO, to increase the likelihood that you will click on them. In addition, they sometimes compromise legitimate websites, which makes this even harder to spot. So, first pay attention to the source you are clicking on, and second, with an up-to-date anti-malware solution you should be able to detect these threats.

What are “zombies” in cybersecurity language?

A “zombie” is a machine that has been infected with a certain type of remotely controlled malware. … A network of zombies is a bit like post-apocalyptic infection scenarios in the movies. Some of these things are virtually un-killable – there always seems to be that last undead creature lurking in the shadows, ready to start the next wave of trouble. Here is a list of the five zombie networks that gave us, and many of the other researchers helping to try to stop them, the creeping willies. The following are the top five zombies on our list:

Storm – This is the oldest malware on our list. It had some of the first successes with tactics that would later be used by other botnets. It was massive, gaining as many as ten million Windows machines at its zenith. It was also one of the first incredibly large botnets used for the financial gain of its authors.

Conficker - At its height, Conficker had infected many millions of Windows machines: some figures say as many as 15 million. In the movies, when a threat is overwhelming our way of life, a group of specialists must be formed to take down the enemy. This was no different: the flood of infections was so great that the Conficker Working Group was created to fight it. However, over one million computers are still affected worldwide, six years after it was first discovered.

Zeus - This malware had not only a successful botnet on Windows machines, but it had a component that stole online banking codes from a variety of infected mobile devices (Symbian, Windows Mobile, Android and Blackberry). In 2012, the US Marshals and their tech-industry partners took down the botnet. But the original authors took pieces of their original creation and brought it back to life as Gameover Zeus, which the FBI and its partners took down this summer. But that was not the end of this beast: its creators are once again rebuilding their zombie network. And remember Cryptolocker, which had us losing so much sleep last year? This threat was being spread by Zeus variants.

Flashback – For folks who thought that “Macs don’t get viruses”, Flashback was a bit of a shock. But Macs can and do get malware, and infected machines became part of a massive botnet. Flashback claimed a huge percentage of the total number of Apple machines worldwide, with over 600,000 infected at its peak. The botnet now sits abandoned.

Windigo – On the surface, this bot appears like so many others: it steals credentials from infected machines, or uses their processing power to send spam. And with only a few tens of thousands of infected machines at its peak, this threat would hardly seem to qualify with the likes of the rest of the botnets on this list. But on the other hand, the authors of this malware seem to have grown their zombie army very slowly, such that they managed to stay under the radar for quite some time. And those tens of thousands of machines are Linux machines, mostly servers, and many of these infected machines host websites that millions of people visit.

Enjoy the Internet without malware. Go Explore. Follow our blog at

5 tips from top professional gamers: how to turn your hobby into a profitable career

goex1, a best-of-the-web curation website from ESET, takes a serious look at an emerging online ‘sport’: pro gaming. It has collated the top five pieces of advice for those interested in trying their hand at becoming a pro-gamer.

With more than five players having earned more than $1 million USD each in the past two years, the industry is growing quickly, attracting new sponsors, audiences and gaming talent.

For example, Evil Geniuses, a leading new media agency which specialises in contracting pro gamers, appointed Peter ‘PPD’ Dager, aged 21, as captain of its team at the recent Dota 2 Invitational gaming event. PPD was awarded a third place title at the event, banking $1 million USD for his team.

“People think it’s just a game,” says Dager. “They do not understand how much work myself and others like me put into it. They think my life is easy when in reality it’s actually stressful. On an average day, I usually game five to ten hours.” But the time to make a mark is limited. Many gamers are known to ‘burn out’ by age 25. Top players are still largely based in Asia. Competing against South Korean teams can be daunting, as teams often live together, like Olympic athletes, practicing for up to 12 hours per day.

Opportunities in this global industry are not only limited to gaming. Casting players, managing teams, and sponsoring events are also viable roles for those who want to get involved in the industry. Gregg Baker, Head of Community at giffgaff, a UK-based mobile network, is launching League of Legends tournaments in the UK. “If you are the best at your game and it happens to be a very popular one, then life-changing amounts of money can be earned,” says Baker. “The best teams in the world compete for multimillion prize pots in South Korea and elsewhere. Add to this sponsorships – one of the UK’s best teams, Team Dignitas, is sponsored by Intel – and you can soon start earning a salary of up to $1m a year if you are at the top of your tree.”

So, what does it take to be a pro-gamer? Check out our top 5 tips collated from pro gamers:

When you’re playing with pro players, put your best self forward. Try hard, communicate well, and show critical thinking. If you’re playing consistently with pro players in games, you’ll develop a reputation. Your best chance of being recognised is if they think highly of you.

Being a pro player is more of a lifestyle than an occupation. You’ll have a practice schedule, sponsor obligations, and may even be required to move to live in a team house. Be prepared to give it your all if this is truly your desired profession.

The best of the best will always rise to the top. Always look to how you can improve yourself to get better. You can’t control your teammates’ actions. The best of the best are always hyper-focused on how they can improve, not blaming others for their mistakes.

It’s very different to play the game as a release from responsibilities as opposed to it being your main responsibility. Lots of pro players can burn out because of this. If you want to be around for a while, make sure you understand that this is like working 60-80 hours per week.

Study those who are already at that level. Study the top players and analyse what they do that separates them from the rest. An understanding of this and how to incorporate it into your own play is essential.

For more details and advice, visit, which was recently nominated for the prestigious CMA award in the category entitled Best Non-Retail Consumer, and read PRO GAMING: THE WORLD’S BEST GAMERS ON HOW TO TURN YOUR HOBBY INTO A MILLION DOLLAR CAREER.

42% of Americans hit by regular online attacks, says Microsoft survey

A study by Microsoft has revealed that 42 percent of Americans face ‘weekly or daily’ attacks by cybercriminals trying to access their computers, Network World reports.

1,006 people aged between 18 and 74 were polled, and the survey found that alongside the 42% of US citizens who endure weekly attacks on their PC, 28% noticed attempts by landline telephone, 22% via tablet and 18% through mobile phone.

However, the survey indicates that the threats are having an effect that cybercriminals will not welcome: enhanced security on the part of the potential victims. Neowin reports that 73% of those surveyed are “taking precautions when it comes to protecting their personal information, up 25% from a survey taken in 2012.” The breakdown of these steps is ‘downloading apps from trusted sources’ (49%, up 21 points), ‘keeping apps up to date’ (41%, up 17 points), using a PIN to lock phones (39%, up 19 points) and using the latest version of the OS (37%, up 16 points).

Computer Weekly states that this extra vigilance seems to go hand-in-hand with consumer fears about scams, with “nearly two-thirds of respondents voicing concerns about schemes such as phishing, spear-phishing, fake websites and healthcare scams, compared with just more than half saying the same in 2012.”

Fear of online shopping scams was a major area for concern, with 60% of respondents concerned about unsecured websites, overpayment, email shopping and ‘lottery scams’.

Interestingly, the survey revealed that ‘traditional scams’ are on the wane, with respondents experiencing lottery and advance-fee fraud scams both dropping nine percentage points since 2012. Unfortunately, this seems to have been replaced with new, more intricate scams, such as telephone fraud, with the Microsoft blog post on the poll stating that this brings “the total number of scams back to 2012 levels.”

As well as the obvious fraud issues online scams can create, the survey found that half of the victims of online fraud polled felt ‘very or extremely violated,’ highlighting that financial issues aren’t the only consequence of cybercrime.

AV-Comparatives: ESET Smart Security has Best Web Filtering to Protect Children


ESET has achieved the highest score in the latest Parental Control test by AV-Comparatives, an independent testing authority.

ESET’s flagship product, ESET Smart Security, currently being launched in its eighth generation, has been rated best for web filtering among the 12 tested Windows Internet security suites with parental control. With a heightened focus on children’s internet safety to coincide with European Cyber Security Month, ESET is featuring videos with safety tips for parents; the latest one highlights safer browsing on YouTube.

“ESET Smart Security achieved the highest score for an Internet security suite in our web filtering test, blocking 91% of sites overall. …We found its parental controls to provide simple, easily configurable web filtering,” states the AV-Comparatives report.

Safety for children in cyberspace is our priority and we are happy that independent tests of our products prove just that. However, we do not stop there. In our security awareness initiative for European Cyber Security Month in October, we highlight our child safety video content.

The latest video features YouTube safety. As YouTube is one of the most popular websites in the world, it can expose younger viewers to inappropriate content. With just five easy steps, you can keep your children safer. Other previously published videos provide tips for safer online gaming or social media safety.

Operation Windigo: “Good job, ESET!” says malware author

Following the recognition at Virus Bulletin 2014 of ESET’s research on Operation Windigo, I took the opportunity to ask Marc-Etienne Léveillé – who worked directly on the Operation Windigo report – a few questions. Marc-Etienne is a malware researcher at ESET. He is interested in reverse engineering Linux and OS X malware, and he is passionate about making links between different malware families to build an overall view of how they are interconnected.

Quite some time has passed since you last spoke about the large Linux crimeware operation dubbed Operation Windigo. Has anything happened lately that is worth mentioning?

We are still monitoring the Windigo gang. Unfortunately, we have not observed a decrease in their malicious activities since the publication of the report in March 2014. We still measure and block the same amount of traffic being redirected from Cdorked websites. Moreover, the various pieces of malware have been updated to evade our indicators of compromise (IoC).

What is the biggest challenge posed by threats like these to system administrators?

We have been notifying a lot of infected parties and I would say that the lack of Linux forensic knowledge is the main problem for sysadmins. Windigo uses a lot of tricks to stay under the radar. Since it doesn’t interrupt the affected server’s legitimate activity, such a server could be infected for a very long time before the administrator notices the infection. Some sysadmins may stay in denial and refuse to believe their server is infected.

What kind of changes were introduced in the recent versions of the Linux/Ebury malware?

The authors of the Ebury malware react quite quickly to our publications. Within a month, we’ve seen a new version of the malware evading our indicators of compromise. Here are a few of the most noticeable changes:

  • The version number has jumped to 1.5.1 (which is the latest version number that we’ve seen). We also saw version 1.4.1 for the first time in April 2014. At the time we released the Operation Windigo report in March, the latest version observed had been 1.3.5.
  • Ebury no longer uses shared memory for storing stolen credentials and maintaining inter-process communication. Instead, a new process is started and injected with the Ebury payload with LD_PRELOAD. Stolen credentials are kept in this new process’s address space. Inter Process Communication (IPC) with OpenSSH is initiated over a UNIX domain socket.
  • The domain name generator algorithm (DGA) used as a backup to exfiltrate credentials has changed. This backup is used when it has not been configured by the operator.
  • Version 1.5 no longer infects the so file directly. The Ebury payload is located in a new file in the library directory with the filename The system’s original is then patched to link to this new malicious library instead of The Ebury code will then be loaded and hook OpenSSH.

Using this new information gleaned from our monitoring, CERT-Bund has updated its page with the Ebury IOCs.
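A defender’s check for two of the behaviours described above, a process injected through LD_PRELOAD and a shared object loaded from somewhere it should not be. This is example code written for this page, not ESET’s or CERT-Bund’s tooling; the trusted-directory list, the “deleted library” heuristic and the sample /proc data are assumptions, not Ebury indicators of compromise.

```python
import os
import re

# Directories where package-installed shared objects normally live (assumption).
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

# Pathname column of a /proc/<pid>/maps line for a shared object, mapped or deleted.
_MAPS_LINE = re.compile(
    r"^\S+ \S+ \S+ \S+ \S+\s+(?P<path>/\S+\.so(?:\.\S+)?)(?P<deleted> \(deleted\))?$"
)

# Constructed samples standing in for /proc/<pid>/environ and /proc/<pid>/maps.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libfoo.so\0HOME=/root\0"
SAMPLE_MAPS = """\
7f2b8c000000-7f2b8c1c4000 r-xp 00000000 08:01 1234567  /usr/lib/x86_64-linux-gnu/libc.so.6
7f2b8c3d0000-7f2b8c3d2000 r-xp 00000000 08:01 7654321  /tmp/.x/libfoo.so
7f2b8c400000-7f2b8c401000 r-xp 00000000 08:01 1111111  /usr/lib/libsample.so.1 (deleted)
"""


def find_ld_preload(environ: bytes) -> list:
    """Return the LD_PRELOAD entries of a NUL-separated /proc/<pid>/environ blob."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in re.split(r"[:\s]+", value) if p]  # colon or space separated
    return []


def unusual_mapped_libs(maps_text: str) -> list:
    """Shared objects mapped from outside TRUSTED_LIB_DIRS or already deleted from disk."""
    found = []
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line.rstrip())
        if not m:
            continue
        path = m.group("path")
        trusted = any(path.startswith(d + "/") for d in TRUSTED_LIB_DIRS)
        if m.group("deleted"):
            path += " (deleted)"  # a library unlinked from disk but still mapped is worth a look
        if (not trusted or m.group("deleted")) and path not in found:
            found.append(path)
    return found


def audit_process(pid: int, proc_root: str = "/proc") -> dict:
    """Collect both findings for one pid; other users' processes need root to read."""
    base = os.path.join(proc_root, str(pid))
    result = {"pid": pid, "ld_preload": [], "unusual_libs": []}
    try:
        with open(os.path.join(base, "environ"), "rb") as f:
            result["ld_preload"] = find_ld_preload(f.read())
        with open(os.path.join(base, "maps"), errors="replace") as f:
            result["unusual_libs"] = unusual_mapped_libs(f.read())
    except OSError:
        pass  # process exited or not readable; skip rather than abort the sweep
    return result


def audit_all(proc_root: str = "/proc") -> list:
    """Audit every numeric /proc entry and keep only processes with a finding."""
    hits = [audit_process(int(n), proc_root) for n in os.listdir(proc_root) if n.isdigit()]
    return [r for r in hits if r["ld_preload"] or r["unusual_libs"]]


if __name__ == "__main__":
    print("sample:", find_ld_preload(SAMPLE_ENVIRON), unusual_mapped_libs(SAMPLE_MAPS))
    for r in audit_all():
        print(r)
```

Run it as root to cover every process; a hit is a starting point for forensics (compare the library against package-manager checksums), not proof of infection on its own.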

In addition to the “Good job, ESET!” from the malware authors, your team has won the first Virus Bulletin Péter Szőr award for your report on Operation Windigo. How does that make you feel?

There were a lot of excellent papers on malware research this year and I would like to give credit and respect to the other nominees and to all the researchers who have published great work in the last years.

In addition to what was said before, I would like to acknowledge that most of the co-authors and researchers involved in the Operation Windigo paper are newcomers to the anti-virus industry. For us, receiving an award like this is much appreciated recognition from our peers and gives us confidence that we are heading in the right direction.

"Good Job, ESET! And thanks for IDA."

Our first priority is to protect our customers against all threats, including new and emerging ones. As a researcher, it is great to be able to focus deeply on a specific threat like this one. Thanks to ESET’s belief in proper research, we were able to really do a deep investigation and protect our customers at the same time. We are really pleased it was so well received by the press, our customers and Virus Bulletin.

Thanks Marc-Etienne for your time.

October is the Cyber Security Month: stats, events and advice

Since October 2012, the European Cyber Security Month has been running as a pilot across Europe, inspired by similar projects that were successfully implemented around the globe. One of them is the Stop. Think. Connect. campaign, supported by National Cyber Security Awareness Month in the United States.


The good news is that this year, we at ESET are also supporting this cause. As you know, we not only provide security solutions to protect our users, but also believe in raising awareness in our community through different channels. That’s why we are supporting the Cyber Security Month with our We Live Security portal in 3 languages and with activities in San Diego, United States. Recall that ESET is also part of Securing Our eCity in the United States and Argentina Cibersegura, non-profit organizations that aim to create a safe digital neighborhood that protects every citizen through awareness programs, conferences and good practices.

One good thing about these initiatives is that we have the opportunity to get more people involved. In this case we also have the support of the European Commission and the European Union Agency for Network and Information Security, among many other organizations. But let’s see how this became so important, and why.

How is the online criminal service industry?

According to the latest report, released a couple of weeks ago by Europol’s European Cybercrime Centre, 2.8 billion people and over 10 billion devices around the world access the internet. The more people get connected, the greater the attraction for attackers looking for new victims.

Additionally, the report states that the EU will still be one of the most important targets of cybercrime because of its advanced Internet infrastructure and progressively more Internet-dependent economies.

Who is behind cybercrime?

This is another interesting question that people have been asking since the first viruses were seen. According to the BBC’s interview with Troels Oerting, Head of the European Cybercrime Centre (EC3), there are only around 100 cybercriminal masterminds behind the global cybercrime scene. Despite the small number of these malicious minds, the important thing to remember is that no matter how many people are behind Internet attacks, the impact on you as a user is always considerable. The number of cybercriminals does not necessarily explain the severity or the breadth of an attack, which means that people’s information will still be intercepted, personal data compromised and money stolen.

How can we fight cybercrime and what can you do?

There are many ways to help. The most important thing is to keep safe when surfing by using a security solution and some good Internet practices. Here, you may also find interesting information about how to proceed when a company suffers a data breach and information could be compromised.

However, besides protecting yourself from these attacks, awareness is a powerful weapon. So we think you can help by informing yourself and helping to inform others. Remember, everyone could – and should – help spread the word.

We wish you a safer Cyber Security Month!

Monthly Threat Report: September 2014


The Top Ten Threats


1. HTML/Refresh
Previous Ranking: N/A
Percentage Detected: 3.89%

HTML/Refresh is a Trojan that redirects the browser to a specific URL location with malicious software. The program code of the malware is usually embedded in HTML pages.


2. Win32/Bundpil
Previous Ranking: 1
Percentage Detected: 2.29%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL from which it tries to download several files. The files are then executed, and the HTTP protocol is used for communication with the C&C to receive new commands. The worm may delete the following folders:



3. JS/Kryptik.I
Previous Ranking: 2
Percentage Detected: 2.03%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.


4. Win32/Adware.MultiPlug
Previous Ranking: 3
Percentage Detected: 1.88%

Win32/Adware.Multiplug is a Potentially Unwanted Application that, once present on the user’s system, might cause applications to display advertising pop-up windows during internet browsing.


5. Win32/RiskWare.NetFilter
Previous Ranking: 4
Percentage Detected: 1.52%

Win32/RiskWare.NetFilter is an application that includes malicious code designed to force infected computers to allow an attacker to remotely connect to the infected system and control it, in order to steal sensitive information or install other malware.


6. LNK/Agent.AK
Previous Ranking: 5
Percentage Detected: 1.46%

LNK/Agent.AK is a link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat. This vulnerability became known at the time of the discovery of Stuxnet, as it was one of four vulnerabilities exploited by Stuxnet variants.


7. Win32/Sality
Previous Ranking: 6
Percentage Detected: 1.36%

Sality is a polymorphic file infector. When executed it starts a service and creates/deletes registry keys related to security applications active in the system, ensuring that the malicious process restarts at each reboot of the operating system.

It modifies EXE and SCR files and disables services and processes implemented by and associated with security solutions.



8. HTML/Iframe
Previous Ranking: N/A
Percentage Detected: 1.34%

Type of infiltration: Virus

HTML/Iframe.B is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location hosting malicious software.
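An added example, not ESET’s detection logic, covering both HTML/Refresh above and HTML/Iframe here: a small scanner that flags meta-refresh redirects to another host and iframes that are hidden or off-site. The size threshold, the page host and the sample page are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# meta refresh content looks like "0;url=http://..." (delay; url=target), case-insensitive.
_REFRESH_URL = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", re.IGNORECASE)
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)

# Constructed page: one redirecting meta tag, one hidden iframe, one legitimate embed.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=http://bad.example/land.php">
</head><body>
<p>Welcome</p>
<iframe src="http://bad.example/x.html" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://www.example.com/embed" width="600" height="400"></iframe>
</body></html>"""


def _tiny(value) -> bool:
    """True for a width/height attribute of 0 or 1 pixels (assumed threshold)."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


class RedirectScanner(HTMLParser):
    """Collects meta refreshes pointing off-site and iframes that are hidden or off-site."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def _external(self, url: str) -> bool:
        host = urlparse(url).hostname
        return bool(host) and host.lower() != self.page_host

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = _REFRESH_URL.match(a.get("content", ""))
            if m and self._external(m.group(1)):
                self.findings.append({"kind": "meta-refresh", "url": m.group(1)})
        elif tag == "iframe":
            src = a.get("src", "")
            hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                      or _HIDDEN_STYLE.search(a.get("style", "")) is not None)
            if hidden or self._external(src):
                kind = "hidden-iframe" if hidden else "external-iframe"
                self.findings.append({"kind": kind, "url": src})


def scan_html(html: str, page_host: str) -> list:
    """Return a list of {"kind", "url"} findings for a page served from page_host."""
    scanner = RedirectScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML, "www.example.com"):
        print(finding)
```

Obfuscated JavaScript of the JS/Kryptik kind writes these tags at runtime, so a static scan like this only catches what is present in the served HTML; pair it with a rendered-DOM check for coverage.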


9. Win32/Danger.DoubleExtension
Previous Ranking: N/A
Percentage Detected: 1.26%

Win32/Danger.DoubleExtension is the name for a generic detection of files using two or more extensions in the filename (to appear to be a document, picture, etc.) while the real file format is PE32. The last file extension is an executable one.


10. INF/Autorun
Previous Ranking: 7
Percentage Detected: 1.2%

INF/Autorun is a generic detection of versions of the autorun.inf configuration file created by malware. The malicious AUTORUN.INF file contains the path to the malware executable. This file is usually dropped into the root folder of all the available drives in an attempt to autorun a malware executable when the infected drive is mounted. The AUTORUN.INF file(s) may have the System (S) and Hidden (H) attributes present in an attempt to hide the file from Windows Explorer.
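An added example, not ESET’s signatures, that turns the two removable-media descriptions above (Win32/Danger.DoubleExtension and INF/Autorun) into checks a responder can run against a mounted drive: a decoy-extension test backed by a real PE-header check, and a parser for the launch keys of an autorun.inf. The extension lists, the sample autorun.inf and the PE header stub are constructed.

```python
import configparser
import os
import stat
import struct

# Decoy and executable extensions (assumed lists, extend as needed).
DOC_LIKE = {".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png", ".txt", ".xls", ".ppt"}
EXEC_LIKE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Constructed samples, not real dropped files: a minimal MZ/PE header and an autorun.inf.
SAMPLE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
SAMPLE_INF = """[AutoRun]
; constructed example in the style the report describes
open=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
"""


def is_double_extension(filename: str) -> bool:
    """True when a document-looking extension precedes a final executable extension."""
    parts = os.path.basename(filename).lower().split(".")
    return len(parts) >= 3 and "." + parts[-1] in EXEC_LIKE and any("." + p in DOC_LIKE for p in parts[1:-1])


def is_pe32(data: bytes) -> bool:
    """True when the bytes start with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def autorun_targets(inf_text: str) -> list:
    """Commands an autorun.inf would launch: open, shellexecute and shell\\...\\command keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(inf_text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    targets = []
    for key, value in cp.items(section):
        launches = key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command"))
        if launches and value:
            targets.append(value.strip())
    return targets


def has_hidden_system_attrs(path: str) -> bool:
    """True when both the Hidden and System attributes are set; always False off Windows."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    wanted = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
    return (attrs & wanted) == wanted


def check_drive_root(root: str) -> dict:
    """Inspect one mounted drive root for an autorun.inf and decoy-named PE files."""
    report = {"autorun": [], "autorun_hidden_system": False, "double_ext": []}
    inf = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf):
        with open(inf, errors="replace") as f:
            report["autorun"] = autorun_targets(f.read())
        report["autorun_hidden_system"] = has_hidden_system_attrs(inf)
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if is_double_extension(name) and os.path.isfile(path):
            with open(path, "rb") as f:
                if is_pe32(f.read(4096)):
                    report["double_ext"].append(name)
    return report
```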


