Irish businesses hit hard by data locking ransomware Filecoder/Cryptolocker

ESET Ireland reports the last few weeks have seen an increased number of victims of data locking ransomware among Irish businesses.

Malware and support experts from the antivirus firm ESET Ireland (Ciaran McHale, Lorna Mayers, Urban Schrott) have been receiving calls for help from all over the country from businesses hit by one of the most malicious forms of malware – data locking ransomware known as Cryptolocker, detected by ESET as Win32/Filecoder. We have received reports from Westmeath, Wexford, Waterford, Galway, Donegal, etc., mainly from SMBs with an average of 15 computers each.

Filecoder malware infects the computer then encrypts (locks) all Word, Excel, PDF and other files, so the owner can’t open them until he has purchased a decryptor from the attackers, which unlocks them. The cybercriminals usually request the ransom to be paid in Bitcoin and the average amount required is between US$300 and US$500. A 2013 UK survey showed 41% of those attacked decided to pay the ransom and Bitcoin traffic associated with accounts related to ransomware showed cybercriminals made in excess of US$20 million per month.

What most of the affected companies had in common was that they had poor security and partial or no antivirus software in place. Several suspect their infection came from an email attachment. In most cases one machine became infected first then encrypted all network shares. Many of these companies also didn’t have their data backed up, so some decided to pay the ransom to retrieve their files.

ESET’s suggestions on dealing with Filecoder infections
Don’t pay the money

Contact a computer professional instead, if you can’t unlock it yourself. In some cases – especially filecoders – there may be nothing you can do, but an IT professional should be your first stop.

Don’t think that if you get past the lock screen, it’s “gone”

It is sometimes possible to get “past” the lock screen displayed by some forms of ransomware – but that doesn’t mean you’re safe. Your computer is probably still infected. Unless you have in-depth knowledge, don’t get your hopes up, as many use strong encryption which is basically impossible to break. Either invest in proper AV software or contact an IT professional for help.

If you are backed up, you’re “immune” to filecoders

Filecoders rely on one thing – that you keep unique, precious files on your PC. Don’t. Learn what “backup” means – and choose the right solution for you. For home users, a simple way to start “backing up” is to use cloud services such as Google Drive, Dropbox and Flickr to store documents, music, videos and photos. These services offer free versions, and can at least save some of the most personal files on your computer from being devoured by malware.

by Urban Schrott, ESET Ireland

For a detailed look on protecting yourself from Filecoder, see this article by ESET’s Lysa Myers: 11 things you can do to protect against ransomware, including Cryptolocker


Heartbleed claims British mums and Canadian tax payers as victims

The critical security vulnerability in OpenSSL known commonly as “Heartbleed” continues to raise alarms, with websites now warning that hackers have breached their systems by exploiting the bug, and stolen personal information about users.

For instance, Mumsnet – a phenomenally popular British parenting website with 1.5 million registered users – has reported that its servers were not only vulnerable, but that users’ data had been accessed as a result:

On Friday 11 April, it became apparent that what is widely known as the ‘Heartbleed bug’ had been used to access data from Mumsnet users’ accounts.

Heartbleed is a security hole that existed in OpenSSL, the security framework which most websites around the world use. There’s a summary of Heartbleed and its effects here.

On Thursday 10 April we at MNHQ became aware of the bug and immediately ran tests to see if the Mumsnet servers were vulnerable. As soon as it became apparent that we were, we applied the fix to close the OpenSSL security hole (known as the Heartbleed patch). However, it seems that users’ data was accessed prior to our applying this fix.

So, over the weekend, we decided we needed to ask all Mumsnet users to change their passwords. So, you will no longer be able to log in to Mumsnet with a password that you chose before 5.45pm on Saturday April 12, 2014.

We have no way of knowing which Mumsnetters were affected by this. The worst case scenario is that the data of every Mumsnet user account was accessed. That’s why we’ve required every user to reset their password.

I must admit I was a little puzzled by the statement. One of the “features” of the Heartbleed bug is that it doesn’t leave any clues that systems have been compromised, making it hard for sites to know that they have fallen victim.

However, BBC technology reporter Rory Cellan-Jones got to the bottom of the mystery when interviewing Mumsnet chief executive and founder Justine Roberts about the security scare.

In that report, Roberts says that she became aware that hackers had accessed users’ passwords when her own Mumsnet account was used without permission by a hacker, who subsequently posted a message claiming that they had accessed the account after exploiting the Heartbleed OpenSSL flaw.

A smoking gun and convincing evidence that Heartbleed was involved? Perhaps not. After all, perhaps Roberts was phished or had keylogging spyware on a computer that she had used that grabbed her password.

Mumsnet Heartbleed advisory

However, Mumsnet was perhaps wise under the circumstances to assume the worst and force members (known as Mumsnetters) to reset any password created on or before Saturday.

And I was pleased to see as well that Mumsnet recommended users change their passwords anywhere else on the net where they might be using the same password.

It’s worth everybody realising that you should never use the same password in more than one place – otherwise you could have an account breach on a site which might not be critically important (Mumsnet, for instance) leading to much more serious hacks of your personal information elsewhere.

Meanwhile, in other news from the other side of the great Atlantic pond, the Canadian tax agency has revealed that social insurance numbers of about 900 taxpayers were removed from CRA systems by hackers exploiting the Heartbleed vulnerability.

Regrettably, the CRA has been notified by the Government of Canada’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.

Again, it’s not clear how the Canadian authorities determined that the Heartbleed security hole had been the vehicle for stealing the tax payers’ information.

But one thing is obvious. Now it has been publicly proven how easy it is to exploit Heartbleed, we can expect more and more online criminals to try their luck, and see what information they might be able to glean from online companies and websites that have not taken sufficient steps to protect the data on their servers.

by Graham Cluley, ESET We Live Security

‘Heartbleed’ encryption flaw leaves millions of sites at risk

A flaw in an encryption technology used to protect major websites including Yahoo has left a huge amount of private data at risk – researchers advise internet users to change all their passwords.

The bug, known as ‘Heartbleed’, is described as one of the “most serious security flaws ever found” according to the Telegraph’s report. It affects the open-source encryption software OpenSSL – which is used on millions of web servers – and had gone undiscovered for more than two years. The Telegraph reports that it could have been used to steal passwords, credit card details and even encryption keys, without trace.

Threatpost says that the vulnerability has affected major sites including password manager LastPass and the FBI’s web presence, and says, “Attacks can leak private keys, usernames and passwords and other sensitive data, and some large sites, including Yahoo Mail and others, are vulnerable right now.” Threatpost says that a proof-of-concept exploit for the bug has already been posted on coding site Github.

The researchers who discovered Heartbleed say that it has left private keys and other secrets exposed “for years”. They tested the vulnerability themselves: “We have tested some of our own services from an attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information, we were able to steal from ourselves secret keys, usernames and passwords, instant messages, emails and business critical documents and communication.”

The bug was discovered by researchers from Finnish firm Codenomicon working with Google. A dedicated website helps to explain some of the risks – although the researchers admit they do not know how widely the bug has been exploited.

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet,” the firm writes.

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

ESET Senior Research Fellow David Harley offers advice on how to deal with the problem: “Sites that have never run the 1.0.1 and 1.0.2-beta releases of OpenSSL including 1.0.1f and 1.0.2-beta1 shouldn’t be panicking about this, but those that are running them need to upgrade to 1.0.1g or recompile -DOPENSSL_NO_HEARTBEATS, as recommended by the OpenSSL security advisory. However, they should also be looking for and revoking (and reissuing) compromised keys, and changing user passwords. This applies even to sites that ran a vulnerable version for a while but have upgraded since, as the bug has been around since 2011. While I haven’t checked all the links and resources listed there, this site looks like an excellent starting point for sites that need to know more about the problem and its remediation, as well as the heartbleed.com page. It’s worth remembering that some embedded devices also use OpenSSL: it isn’t just a server issue.”

OpenSSL wrote on their site, “A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server. This issue did not affect versions of OpenSSL prior to 1.0.1.”

by Rob Waugh, ESET We Live Security

ESET’s technical dissection of Win32/Sality trojan


Win32/Sality is a family of malware that has been using a peer-to-peer botnet since at least 2003. It is a file infector and a trojan downloader, the latter of which is mainly used to send spam, although it has been used for different purposes such as faking advertising network traffic, Distributed Denial of Service or VoIP account cracking. All commands and files exchanged through Sality’s P2P network are digitally signed, making it resistant to protocol manipulation. Its modular architecture and the longevity of the botnet show good programming practice and an efficient software design.

We’ve been tracking the Win32/Sality network for quite some time now and we’ve seen more than 115,000 IP addresses reachable from the Internet. Those peers are called “super peers”, which keep the botnet alive and propagate commands to regular peers.

We have seen the same components downloaded over the years with little change to their underlying behavior. Lately, a new component has appeared with some novel characteristics: the ability to change a residential broadband gateway router’s primary DNS address, which differs from the usual FTP password stealer or spambot deployed by Win32/Sality. According to our telemetry data, this component was dropped for the first time at the end of October 2013. It was first publicly discussed by Dr. Web, which has published a technical analysis of one component, the IP address scanner. They named it Win32/RBrute.

This blog post covers:

  • An overview of the infrastructure supporting the primary DNS changer component
  • A technical analysis of the two binaries that support the operation
  • A brief analysis of the spread of the operation
  • A review of the similarities between the DNS changer component and the other components dropped by Win32/Sality

A new purpose: changing a router’s primary DNS

This feature adds a new dimension to the Win32/Sality operation. The first component, detected by ESET as Win32/RBrute.A, scans the Internet for router administration pages in order to change the entry for their primary DNS server. The rogue DNS server redirects users to a fake Google Chrome installation page whenever they are trying to resolve domains containing the words “google” or “facebook”. The binary distributed through this installation page is in fact Win32/Sality itself, providing a way for the Sality botnet’s operators to increase its size further by infecting other users behind this router.

The IP address used as the primary DNS on a compromised router is part of the Win32/Sality network. In fact, another malware, detected by ESET as Win32/RBrute.B, is installed by Win32/Sality on compromised computers and can act either as a DNS server or as an HTTP proxy server to deliver the fake Google Chrome installer.

The Operation

Far from being a new technique, changing the primary DNS on a router is quite in vogue right now for everything from the theft of bank credentials to blocking communications with security vendors, especially with recent reports of vulnerabilities in different routers’ firmware.

Win32/RBrute.A tries to find the administration web pages for routers by downloading a list of IP addresses from its C&C server to scan and then reporting back its findings. At the time of our investigation, Win32/RBrute.A targeted the following routers:

  • Cisco routers matching “level_15_” in the HTTP realm attribute
  • D-Link DSL-2520U
  • D-Link DSL-2542B
  • D-Link DSL-2600U
  • Huawei EchoLife
  • TP-LINK
  • TP-Link TD-8816
  • TP-Link TD-8817
  • TP-Link TD-8817 2.0
  • TP-Link TD-8840T
  • TP-Link TD-8840T 2.0
  • TP-Link TD-W8101G
  • TP-Link TD-W8151N
  • TP-Link TD-W8901G
  • TP-Link TD-W8901G 3.0
  • TP-Link TD-W8901GB
  • TP-Link TD-W8951ND
  • TP-Link TD-W8961ND
  • TP-Link TD-W8961ND
  • ZTE ZXDSL 831CII
  • ZTE ZXV10 W300

If a web page is found, the C&C sends a short list of about ten passwords to the bot and instructs it to perform a brute force password guess attack against the router. If the bot is able to log in to the router, it will then proceed to change the router’s primary DNS server settings. It is interesting to note that only brute force attack is used to gain access to the router’s administration portal; no exploit code is used. The authentication is done with usernames of “admin” and “support”, although previous versions also tried “root” and “Administrator”. Below is a list of passwords we have observed being transmitted from the C&C:

  • <empty string>
  • 111111
  • 12345
  • 123456
  • 12345678
  • abc123
  • admin
  • Administrator
  • consumer
  • dragon
  • gizmodo
  • iqrquksm
  • letmein
  • lifehack
  • monkey
  • password
  • qwerty
  • root
  • soporteETB2006
  • support
  • tadpassword
  • trustno1
  • we0Qilhxtx4yLGZPhokY

In the event of a successful login, the malware changes the primary DNS server to a rogue one, reports a successful infection to the C&C, and continues with scanning the Internet.

Once a router’s primary DNS address is compromised, all DNS queries made by users will go through the rogue DNS server, modifying them to point to the fake Chrome installer page whenever “facebook” or “google” domains are resolved.

Figure 1 This example shows a successful redirection for a domain that is not registered but contains the word “google”.

This operation is somewhat similar to DNSChanger, which drove users to install fake software to further spread malware using a rogue DNS service.

Once a computer is infected by running the fake Google Chrome installer, its primary DNS server will be changed to “8.8.8.8” by updating the following registry key:

HKLM/SYSTEM/ControlSet001/Services/Tcpip/Parameters/Interfaces/{network interface UUID}/NameServer = “8.8.8.8”

It should be noted that the IP address “8.8.8.8” belongs to Google Public DNS, a legitimate domain name service operated by Google, and it is not involved with Win32/RBrute.

Since infected PCs will no longer be using the router’s DNS server, they will cease to be affected by its bogus redirections. On the other hand, the router is still compromised and will nag each computer trying to resolve “facebook” or “google” domains through its DNS service until they are infected with Win32/Sality. This tactic is far from stealthy and in fact tries to goad the user into infecting its system or simply breaking “google” and “facebook” domains for operating systems that are not targeted (e.g. Linux).

Currently, the goal of this operation appears to be solely to increase Sality’s botnet size.

Technical Analysis

Win32/Sality’s DNS changer component is composed of two binaries: a router scanner and a DNS / HTTP server. Both malware are dropped by Win32/Sality.

Router Scanner Binary – Win32/RBrute.A

At the beginning of the execution, the malware creates a mutex with the name “19867861872901047sdf” to avoid running multiple instances.

It then checks a hard-coded IP address every minute to fetch a command; that command is either a scan instruction or a request to try to log onto an IP address to change the primary DNS.

A scan instruction comes with a starting IP address and the number of addresses to try. Win32/RBrute.A will attempt an HTTP GET on TCP/80, hoping to receive an HTTP 401 Unauthorized response. The router model is extracted from the realm attribute of the HTTP authentication challenge. If a targeted router is found, the malware sends its IP address back to the C&C.

Figure 2 Win32/RBrute.A flowchart

The C&C will then issue a request to login to the router using a password provided by the C&C. If the login is successful, the primary DNS server is changed in the router to a host running the Win32/RBrute.B malware.

DNS and HTTP Server Binary – Win32/RBrute.B

This component is divided in three parts: the control thread, the DNS server thread, and the HTTP server thread.

Although both the DNS and the HTTP server thread can be used at the same time, the malware will choose, based on a random value, to be either a DNS or an HTTP server. A constant in the formula ensures that 80% of the infections will act as DNS servers, although we’ve seen this constant set to 50% at the beginning of the operation.

Figure 3 Choosing the DNS or HTTP server thread randomly.

If the chosen server thread would not start, the malware will fall back to the other mode:

Figure 4 Fallback to the other mode if the thread couldn’t start.

The operator can also force a thread to start by sending a specially crafted DNS or HTTP request. A mutex with the name “SKK29MXAD” ensures that only one instance can run on the host.

Control Thread

The control thread is used to report back to the C&C and to reconfigure the server instance.

Every two minutes, the malware will send a packet to a hard-coded IP address containing information about the machine on which it is running. The C&C will then answer with an IP address that will be used to deliver the infected Chrome installation. If the malware is in DNS mode, the IP address served by the C&C will be that of a rogue HTTP server installed on a Sality-compromised machine. In the other case, the C&C will send the IP address of a server outside of Sality’s P2P network, which will be serving the fake Chrome installation page.

Listed below is the host information sent by the control thread to the C&C:

  • Computer name – GetComputerName()
  • Local time – GetLocalTime()
  • Country – GetLocaleInfoA()
  • Windows directory – GetWindowsDirectoryA()
  • Windows product name – from the registry key “HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Product Name”
  • CPU names – from the registry keys “HKEY_LOCAL_MACHINE/HARDWARE/DESCRIPTION/System/CentralProcessor/<CPU #>/ProcessorNameString”
  • Memory stats – GetMemoryStatusEx()
  • Result of IsDebuggerPresent()
  • Memory usage of the malware – GetProcessMemoryInfo()
  • Uptime of the malware – in minutes
  • Number of threads in use

The information packet has the format:

0x00   DWORD    Checksum (CRC32)
0x04   WORD     Payload length
0x06   BYTE     Unused
0x07   BYTE     Mode (HTTP – 0x32 or DNS – 0x64)
0x08   BYTE[]   Host information

The screenshot below shows an information packet sent to the C&C.

Figure 5 Host information packet sent to the C&C.
In blue: payload checksum, in red: payload length, in black: encrypted server mode, in green: encrypted host information

The host information, green in the previous example, is the following string encrypted with RC4:

9BC13555|24.03.2014 21:56:27|United States|C:\WINDOWS|Microsoft Windows XP|proc#0 QEMU Virtual CPU version 1.0|1|358|511|1117|1246|0|2|0|0|

The C&C will then answer with a packet with the service IP address to use:

0x00   DWORD    Checksum (CRC32)
0x04   WORD     Payload length
0x06   BYTE     Unused
0x07   BYTE     Command (start – 0x02 or stop – 0x03 the service)
0x08   DWORD    Service IP address (Win32/RBrute.B HTTP server or rogue HTTP server)
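The two packet layouts above, worked through as an added example (this is not code from the post or from the malware). It assumes a little-endian x86 layout, that the CRC32 and length cover the ciphertext from offset 0x07 onward, that the mode/command byte is RC4-encrypted together with the rest of the payload, and that the service IP is stored as raw in_addr bytes; the RC4 key is a constructed placeholder because the post does not disclose the real one.

```python
import socket
import struct
import zlib

# Layout from the post: 0x00 DWORD CRC32 | 0x04 WORD payload length | 0x06 BYTE unused,
# followed at 0x07 by the mode/command byte and the payload body.
HEADER = struct.Struct("<IHB")      # little-endian x86 layout (assumption)
MODE_HTTP, MODE_DNS = 0x32, 0x64    # information packet modes
CMD_START, CMD_STOP = 0x02, 0x03    # C&C reply commands

# Constructed key for this demo only; the post does not disclose the real RC4 key.
DEMO_KEY = b"demo-key-not-the-real-one"

# Host information string as shown in the post (Figure 5), fields separated by '|'.
SAMPLE_HOST_INFO = ("9BC13555|24.03.2014 21:56:27|United States|C:\\WINDOWS|"
                    "Microsoft Windows XP|proc#0 QEMU Virtual CPU version 1.0|"
                    "1|358|511|1117|1246|0|2|0|0|")


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encrypt and decrypt are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _frame(plain_payload: bytes, key: bytes) -> bytes:
    """Encrypt the payload, then prepend CRC32 and length computed over the ciphertext (assumption)."""
    payload = rc4(key, plain_payload)
    return HEADER.pack(zlib.crc32(payload) & 0xFFFFFFFF, len(payload), 0) + payload


def _unframe(packet: bytes, key: bytes) -> bytes:
    """Validate the header fields and return the decrypted payload, or raise ValueError."""
    if len(packet) < HEADER.size + 1:
        raise ValueError("packet too short")
    crc, length, _unused = HEADER.unpack_from(packet)
    payload = packet[HEADER.size:]
    if len(payload) != length:
        raise ValueError("payload length mismatch")
    if zlib.crc32(payload) & 0xFFFFFFFF != crc:
        raise ValueError("bad CRC32")
    return rc4(key, payload)


def build_info_packet(mode: int, host_info: str, key: bytes = DEMO_KEY) -> bytes:
    """Bot -> C&C information packet: mode byte followed by the '|'-separated host string."""
    if mode not in (MODE_HTTP, MODE_DNS):
        raise ValueError("mode must be 0x32 (HTTP) or 0x64 (DNS)")
    return _frame(bytes([mode]) + host_info.encode("latin-1"), key)


def parse_info_packet(packet: bytes, key: bytes = DEMO_KEY):
    """Return (mode, fields) where fields is the host string split on '|'."""
    plain = _unframe(packet, key)
    mode = plain[0]
    if mode not in (MODE_HTTP, MODE_DNS):
        raise ValueError("unknown mode byte 0x%02x" % mode)
    return mode, plain[1:].decode("latin-1").split("|")


def build_command_packet(command: int, service_ip: str, key: bytes = DEMO_KEY) -> bytes:
    """C&C -> bot reply: command byte and the DWORD service IP (raw in_addr bytes, assumption)."""
    if command not in (CMD_START, CMD_STOP):
        raise ValueError("command must be 0x02 (start) or 0x03 (stop)")
    return _frame(bytes([command]) + socket.inet_aton(service_ip), key)


def parse_command_packet(packet: bytes, key: bytes = DEMO_KEY):
    """Return (command, dotted service IP)."""
    plain = _unframe(packet, key)
    if len(plain) != 5 or plain[0] not in (CMD_START, CMD_STOP):
        raise ValueError("malformed command payload")
    return plain[0], socket.inet_ntoa(plain[1:5])


if __name__ == "__main__":
    pkt = build_info_packet(MODE_DNS, SAMPLE_HOST_INFO)
    print(pkt[:8].hex(), parse_info_packet(pkt))
    reply = build_command_packet(CMD_START, "192.0.2.10")   # TEST-NET address, constructed
    print(parse_command_packet(reply))
```

Any byte flipped in transit or in a captured sample fails the CRC check, which is how the bot would discard a corrupted reply before acting on it.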

DNS Server Thread

The DNS server looks for requests that contain “google” or “facebook” in the domain name. If it finds one, the DNS response it will send back will contain the IP address of a Win32/RBrute.B HTTP server on the Sality network. If the query doesn’t contain “facebook” or “google”, it will relay the query to Google’s DNS servers (“8.8.8.8” or “8.8.4.4”) and will forward the response to the client.
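A defender-side check for the redirection behaviour just described, added here as an example (not code from the post): a resolver that answers an unregistered name containing “google” or “facebook” with a single fixed address, while an equally unregistered control name still gets NXDOMAIN, is behaving like Win32/RBrute.B. The probe labels, the `.example` suffix and the sample answers are constructed; the live helper at the end uses the OS resolver and is not exercised by the check itself.

```python
import secrets
import socket

KEYWORDS = ("google", "facebook")   # the two substrings the rogue DNS server keys on


def probe_names(suffix: str = "example") -> dict:
    """Build a probe set: two unrelated keyword names that should never resolve, plus a
    control name without a keyword. A random label keeps the answers uncacheable."""
    tag = secrets.token_hex(4)
    return {
        "keyword_a": "nx-%s-google.%s" % (tag, suffix),
        "keyword_b": "nx-%s-facebook.%s" % (tag, suffix),
        "control":   "nx-%s-plain.%s" % (tag, suffix),
    }


def classify(answers: dict) -> tuple:
    """answers maps a probe role to the list of A records it got ([] means NXDOMAIN).
    Returns (hijacked, reason)."""
    a = answers.get("keyword_a", [])
    b = answers.get("keyword_b", [])
    control = answers.get("control", [])
    if control:
        # Everything resolves: a wildcard or ISP search-redirect resolver, not the keyword
        # filter this component implements.
        return False, "control name resolved too; resolver wildcards all names"
    if not a or not b:
        return False, "unregistered keyword names did not resolve"
    if set(a) == set(b) and len(set(a)) == 1:
        return True, ("both unregistered keyword names map to %s while the control is NXDOMAIN"
                      % a[0])
    return False, "keyword names resolved but to different hosts; inspect manually"


def resolve_with_system_resolver(name: str) -> list:
    """Live helper: A records from the OS resolver, [] on NXDOMAIN. Not used by the check."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, 80, socket.AF_INET)})
    except socket.gaierror:
        return []


# Constructed answer sets standing in for three resolvers (TEST-NET addresses).
HIJACKED = {"keyword_a": ["198.51.100.7"], "keyword_b": ["198.51.100.7"], "control": []}
CLEAN = {"keyword_a": [], "keyword_b": [], "control": []}
WILDCARD = {"keyword_a": ["203.0.113.1"], "keyword_b": ["203.0.113.1"], "control": ["203.0.113.1"]}

if __name__ == "__main__":
    for label, answers in (("hijacked", HIJACKED), ("clean", CLEAN), ("wildcard", WILDCARD)):
        print(label, classify(answers))
    # Live run against whatever resolver this host uses:
    names = probe_names()
    print(classify({role: resolve_with_system_resolver(n) for role, n in names.items()}))
```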

Sending a packet to the server on UDP/53 with “0xCAFEBABE” as the payload will set the “udme” flag in the Windows registry key “HKEY_CURRENT_USER/SOFTWARE/Fihd4”. This flag ensures that the DNS server thread will start at the next reboot, overriding the random process. The server will reply “0xDEADCODE” to confirm the command.

HTTP Server Thread

When receiving a browser request by a user that has been redirected, the HTTP server thread will first look at the browser User-Agent and will have a different behavior consequently.

If the User-Agent contains “linux” or “playstation”, the server will silently drop the connection (how rude!). If the User-Agent makes reference to a mobile (matching one of the following words: “android”, “tablet”, “Windows CE”, “blackberry” or “opera mini”), the server will serve Win32/Sality (!) malware 5% of the time even though these are mobile devices User-Agent; otherwise, the request is dropped. Finally, if the User-Agent contains “opera”, “firefox”, “chrome”, “msie” or anything else, the user will be served the Win32/Sality.

The User-Agent will affect the port on which the query is made on the rogue HTTP server distributing the malware.

User-Agent                                             Port used
Android, tablet, Windows CE, Blackberry, Opera mini    8979
Linux, Playstation                                     None (connection dropped)
Opera                                                  4979
Firefox                                                5979
Chrome                                                 6979
MSIE                                                   7979
Others                                                 6979


Any HTTP GET request sent to these ports will serve the fake Chrome installation page… even if you’re browsing with Chrome!

Akin to the DNS server thread, the botmaster can affect the HTTP server behavior by sending a specially-crafted HTTP packet. Specifically, sending a GET or POST request with the User-Agent “BlackBerry9000/5.0.0.93 Profile/MIDP-2.0 Configuration/CLDC-2.1 VendorID/831” will set the “htme” flag in the registry key “HKEY_CURRENT_USER/SOFTWARE/Fihd4”, effectively ensuring that the malware will start the HTTP server thread upon reboot, overriding the random process. The server will send “<html>kenji oke</html>” to confirm a successful execution.

The HTTP server also keeps a list of allowed files to be served. If a browser makes a HTTP query on a domain matching “google” or “facebook” to a file not in the list, the server will reply with a HTTP 200 OK, with the following payload:

<html><meta http-equiv="refresh" content="0; url=/"></html>
This redirects the browser to the front page — hence serving the fake Chrome installation page. For example, if the user browses to “http://google.com/does-not-exist” and “does-not-exist” is not in the allowed files list, the user will be redirected to “http://google.com” instead of having the usual HTTP 404 error.

We should also note that every HTTP GET query made on the HTTP server that contains the string “.exe” will be forwarded to the rogue HTTP server, regardless of the allowed files list. The rogue server will always answer with an infected binary.

Similarities with other Sality components

Based on the following observations, we believe that the main file infector and all the components previously described are all developed by the same group of people. By looking at each of the components binaries, they all share the same technical details and coding style.

No persistence needed

None of the dropped Sality components, including those discussed before, needs a way to be persistent across system reboot, although some modules might store configuration in the registry. They are always downloaded and launched by the persistent layer: the file infector.

Buffer Initialization

The operators have the standard practice of initializing their buffers with the value 0. The Visual C++ compiler does not optimize away the following C code when the operators build their software:

char buf[4096] = {0};

This is compiled into the code displayed in the following screenshots.

Figure 6 Un-optimized initialization of a buffer of size 4096 bytes.

This assembly stub is seen in every component dropped by Win32/Sality.

Bypassing the Firewall

All components that need to receive connections from the Internet share the same code to add a specific rule in the Windows Firewall authorizing incoming requests to go through. It will add the value “[malware file name]:*:Enabled:ipsec” to the following registry key “HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/AuthorizedApplications/List” to achieve this goal. The following screenshot shows a subset of the “add_to_firewall_exception()” function.

Figure 7 A subset of “add_to_firewall_exception()” function, shared by almost all components of Win32/Sality.

In Win32/RBrute.B, this function is called at the beginning of the malware execution:

Figure 8 Calling add_to_firewall_exception() before creating the mutex in the WinMain() function of Win32/RBrute.B.

Same thing found in the Win32/Sality’s spambot component:

Figure 9 Win32/Sality’s spambot component calling the add_to_firewall_exception() function
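A host triage routine built from the indicators given in this analysis (the two mutex names, the “Fihd4” key with its “udme”/“htme” flags, the “[file]:*:Enabled:ipsec” firewall entry, and the forced 8.8.8.8 NameServer), added here as an example rather than ESET tooling. The snapshot format, the sample file name “winabcd.exe” and the interface GUID are constructed; 8.8.8.8 is only reported as corroboration when another indicator has already fired, since on its own it is legitimate.

```python
import re

# Indicators from the analysis above.
RBRUTE_A_MUTEX = "19867861872901047sdf"
RBRUTE_B_MUTEX = "SKK29MXAD"
FIHD4_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Fihd4"
FIREWALL_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                     r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
INTERFACES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces"
# Sality components register "<path>:*:Enabled:ipsec"; a legitimate entry carries the
# application's display name where the literal word "ipsec" sits here.
SALITY_FIREWALL_RE = re.compile(r"^(?P<path>.+):\*:Enabled:ipsec$", re.IGNORECASE)


def triage(snapshot: dict) -> list:
    """Return human-readable findings for a host snapshot.

    snapshot = {"mutexes": [...], "registry": {key_path: {value_name: data}}}
    The snapshot format is invented for this example; populate it from your own
    collection tooling (mutex listing, registry export).
    """
    findings = []
    reg = snapshot.get("registry", {})
    mutexes = set(snapshot.get("mutexes", []))

    if RBRUTE_A_MUTEX in mutexes:
        findings.append("Win32/RBrute.A router scanner mutex present: " + RBRUTE_A_MUTEX)
    if RBRUTE_B_MUTEX in mutexes:
        findings.append("Win32/RBrute.B DNS/HTTP server mutex present: " + RBRUTE_B_MUTEX)

    fihd4 = reg.get(FIHD4_KEY)
    if fihd4 is not None:
        forced = [flag for flag in ("udme", "htme") if flag in fihd4]
        findings.append("Win32/RBrute.B configuration key %s present, forced-mode flags: %s"
                        % (FIHD4_KEY, ", ".join(forced) or "none"))

    for data in reg.get(FIREWALL_LIST_KEY, {}).values():
        match = SALITY_FIREWALL_RE.match(str(data))
        if match:
            findings.append("Sality-style firewall exception for %s" % match.group("path"))

    # 8.8.8.8 is legitimate on its own; it only corroborates an existing finding.
    if findings:
        for key, values in reg.items():
            if key.startswith(INTERFACES_KEY) and values.get("NameServer") == "8.8.8.8":
                findings.append("NameServer forced to 8.8.8.8 on interface %s "
                                "(consistent with the fake Chrome installer)"
                                % key.rsplit("\\", 1)[-1])
    return findings


# Constructed snapshots for the demo; nothing here was collected from a real host.
IFACE = INTERFACES_KEY + r"\{11111111-2222-3333-4444-555555555555}"

CLEAN_HOST = {
    "mutexes": ["Global\\SomeLegitApp"],
    "registry": {
        FIREWALL_LIST_KEY: {
            r"C:\Program Files\Legit\app.exe": r"C:\Program Files\Legit\app.exe:*:Enabled:Legit App",
        },
        IFACE: {"NameServer": "8.8.8.8"},   # user chose Google DNS; not an indicator alone
    },
}

INFECTED_HOST = {
    "mutexes": ["SKK29MXAD", "Global\\SomeLegitApp"],
    "registry": {
        FIHD4_KEY: {"udme": 1},
        FIREWALL_LIST_KEY: {
            r"C:\Windows\Temp\winabcd.exe": r"C:\Windows\Temp\winabcd.exe:*:Enabled:ipsec",
        },
        IFACE: {"NameServer": "8.8.8.8"},
    },
}

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        print(label, triage(snap) or "no findings")
```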

Infection Statistics

Our data show that the detection for Win32/Sality is currently decreasing or at least staying stable since 2012. We believe that the reduced number of detections is due to the reduced efficiency of the current infection vectors. This might explain why the operators are looking for new ways to spread Win32/Sality.

If we take a look at the detections for the last year, we can see a small increase, around December 2013, in Win32/Sality detections that coincides with the date where the DNS changer component was released in the wild, although those numbers should be taken with a grain of salt since other factors could contribute to variation in its spreading, like being dropped by another botnet.

We’re not sure about the effectiveness of the Win32/Sality router DNS changer operation, since a lot of router configuration portals listen only on the private address space (e.g., 192.168.0.0/16) — making them non-accessible from the Internet. Also, the router password brute force is not very aggressive, only trying a list of about ten passwords.

Conclusion

The usual infection vectors of Win32/Sality might not be sufficient to keep the botnet alive; hence the botnet controllers are deploying a new component to grow the botnet. DNS hijacking on routers can be quite effective if done correctly. It can reach a lot of users behind a single router, especially on public access points. As routers are not commonly protected by security solutions, it provides an unrestricted environment to attackers, allowing them to try several techniques to steal users’ information. An existing technology that could fix the problem is DNSSEC, since the result of a DNS request is cryptographically signed and hence not prone to tampering. A good security practice that would reduce the scope of the problem is to change the default password on the router’s web interface.

by Benjamin Vanheuverzwijn

ESET will not end Windows XP products support


After 8th April 2014, Microsoft will no longer provide system updates for Windows XP.
ESET will support the Microsoft Windows XP versions of ESET products at least until the end of April 2017.

Q: What exactly happens on April 8, 2014? Will Windows XP stop working?
A: On April 8, 2014, Microsoft will release its final security updates for Windows XP, and stop providing support and fixes for it. The operating system will still function the same way it has, and all old updates and fixes will still be available. Regular system updates are used to repair exploits and patch existing security vulnerabilities.

Q: Will ESET products and virus definitions on Windows XP still be updated?

A: Yes. At least until the end of April, 2017 ESET will maintain support for customers with ESET products installed on the Windows XP operating system and will continue to offer the following services during that period:

  • Regular virus signature updates for the latest threats
  • Consistent updates to other parts of the antivirus engine
  • ESET Customer Care support requests

Currently, ESET still supports and provides updates for endpoint products that work with Windows NT 4.0 and Windows 2000, both of which reached end of life (EOL) status in 2004 and 2010, respectively.

Q: Will all versions of Windows XP cease being supported by Microsoft after April 8, 2014?
A: No, not all. Windows XP Professional for Embedded Systems, a special version of Windows XP used in devices such as cash registers, ATMs and ticket machines, etc., will be supported until December 31, 2016. However, that date is fast approaching and if you have devices running XP Embedded you will eventually need to replace or update them.

Q: Are other Microsoft programs going to cease being supported?
A: Microsoft Office 2003 will no longer be supported after April 8, 2014. The next major end of life date is July 14, 2015, which is for Windows Server 2003. If your office has any servers left running Windows Server 2003, you should be planning on updating or replacing them as well.

Q: I have to run Windows XP and cannot upgrade or replace my PC. Is there anything I can do to protect myself?
A: Make sure that your copy of Windows XP is fully patched and all your applications are on the latest versions with the latest patches as well. Please note that while your service from ESET will not change, your system could become more vulnerable to threats because it will no longer receive regular system updates from Microsoft.

We recommend that you use the latest version of your ESET product to maintain the highest degree of protection possible with the non-updated Windows XP operating system.

To maintain the highest level of security, we recommend that you upgrade your operating system or move your important data onto a computer with a more current operating system.

by Urban Schrott and Aryeh Goretsky

Time to Move On From Windows XP

The world today is a much different place than it was in 2001 when Microsoft released Windows XP. With Windows XP Microsoft combined features to handle games and multimedia for consumers, and to provide stability and reliability for businesses. This strategy made for a wildly popular operating system. Now, thirteen years later, Windows XP comes to an end of sorts on April 8, 2014. After this, Microsoft will cease providing security updates or support for this venerable operating system.

Consider how your own use of technology has changed in the last 13 years. In 2001, my home PC had an Intel Pentium 4 processor that ran at 1.8GHz and a gigabyte of RAM. Today, my home PC has an Intel Core i7 processor that runs at 3.7GHz and 32 gigabytes of RAM. While the processor in today’s PC appears, on clock speed alone, to be only twice as fast as my computer from 2001, such comparisons are misleading: the actual difference in performance between the two is closer to 60-fold, and even greater for some operations. And my Internet connection? That went from just under a megabit per second to 20 megabits, a twenty-fold increase in speed.

Technology evolves, and just as our computers have changed, so has the software they run. Microsoft Windows is no exception to the rule, especially when it comes to security.

Numerous updates to Windows XP were released over the years, including three giant Service Packs in 2002, 2004 and 2008 that not only fixed numerous vulnerabilities that had left Windows XP open to attack, but added new features. In 2007, Microsoft’s struggle to release the successor to Windows XP ended with the release of Windows Vista. Microsoft then resumed releasing operating systems on a two-year cycle. Windows 7 arrived in 2009 and Windows 8 in 2012, just a little behind schedule.

Each new version of Windows has not only brought new features, but greatly strengthened security. The six-year gap between Windows XP and Windows Vista and the lackluster response to Windows Vista meant that a lot of computers remained on Windows XP. Those computers remained vulnerable to attacks that newer versions of Windows either blocked completely or at least made much more difficult for attackers to exploit successfully.

What you can do

If your home or business PC is still running Windows XP, it is not too late to upgrade.

I do not recommend going to Windows Vista, simply because support for it will be ending in 2017. Microsoft will stop supporting Windows 7 in 2020, and Windows 8.1 in 2023. From a security perspective, Windows 8.1 is a great improvement, but the interface is very touch-focused. Unless you are using a touchscreen, you might be better off upgrading to Windows 7 or using a program that makes the Windows 8.1 interface more like an earlier version of Windows. Computers running Windows 7 are still available from stores and computer manufacturers online.

The business-focused editions of Windows 7 (Professional, Ultimate and Enterprise) can run Windows XP Mode, which embeds the older version of Windows inside the new one. This might let you run a last remaining application requiring Windows XP, at least until it is replaced. Keep in mind that Windows XP Mode suffers from exactly the same issues as Windows XP itself and is a bridge to the replacement of Windows XP, not a means of prolonging its life. Windows XP Mode is not available for Windows 8.1.

XP Questions and Answers

Q: What exactly happens on April 8, 2014? Will Windows XP stop working?
A: On April 8, 2014, Microsoft will release its final security updates for Windows XP, and stop providing support and fixes for it. The operating system will still function the same way it has, and all old updates and fixes will still be available.

Q: Will all versions of Windows XP cease being supported by Microsoft after April 8, 2014?
A: No, not all. Windows XP Professional for Embedded Systems, a special version of Windows XP used in devices such as cash registers, ATMs and ticket machines, as well as various industrial and scientific equipment, will be supported until December 31, 2016. However, that date is fast approaching and if you have devices running XP Embedded you will eventually need to replace or update them.

Q: Are other Microsoft programs going to cease being supported?
A: Microsoft Office 2003 will no longer be supported after April 8, 2014. The next major end of life date is July 14, 2015, which is for Windows Server 2003. If your office has any servers left running Windows Server 2003, you should be planning on updating or replacing them as well.

Q: I have to run Windows XP and cannot upgrade or replace my PC. Is there anything I can do to protect myself?
A: Make sure that your copy of Windows XP is fully patched; all your applications are on the latest versions with the latest patches as well; your PC is not just regularly backed-up, but you are testing those backups by periodically restoring them; your PC is running up-to-date security software; and you should also be figuring out how you can move away from Windows XP to a newer version of Windows.

Resources: Windows XP-specific

General Advice: How to secure a PC

Resources: Windows 8-specific

We will have more to say about XP’s retirement on We Live Security. Let us know your concerns and we will endeavor to address them.

Author Aryeh Goretsky, ESET

10 years of Mac OS X malware

Before we begin, let’s make one thing really clear.

The malware problem on Mac OS X is nothing like as bad as it is on Windows.

There are something like 200,000 new Windows malware variants being discovered each day. Malicious code activity in the Mac world is far less frenetic, but the fact is, malware does exist that can infect our iMacs or MacBooks.

And if your Apple computer is unlucky enough to fall victim you’re not going to feel any better than your PC-owning friends who are struggling to remove a backdoor Trojan or a pernicious browser toolbar from their copy of Windows.

Also, it’s worth bearing in mind that Mac malware is not a new phenomenon.

Malware for Apple devices actually predates the Macintosh *and* the first PC viruses, with the first example being the Elk Cloner boot sector virus written by Rich Skrenta and designed to infect Apple II computers way back in 1982.

But threats on Apple II and Apple computers running Mac OS 9 and earlier aren’t really relevant anymore to anyone aside from historians.

What modern Mac users care about are what malware threats exist for Mac OS X.

And, it turns out, 2014 will see the tenth anniversary of Mac OS X malware. Here are some of the more notable examples of worms and Trojan horses that have been seen for the platform in the last ten years.

Renepo (2004)

As ESET’s Mac malware facts webpage illustrates, the first malware specifically written for Mac OS X emerged in 2004.

Renepo (also known as “Opener”) was a shell script worm, and contained an arsenal of backdoor and spyware functionality in order to allow snoopers to steal information from compromised computers, turn off updates, disable the computer’s firewall, and crack passwords.


Renepo was never going to be a serious problem for the vast majority of Mac users, as it didn’t travel over the internet and required the attacker to have access to your computer to install it. Nevertheless, it was an indicator that Apple Macs weren’t somehow magically protected against malicious code.

Leap (2006)

Leap represented, for many people watching Apple security, the first real worm for the Mac OS X operating system.

Leap could spread to other Mac users by sending poisoned iChat instant messages – making it comparable to an email or instant messaging worm.

At the time, some Mac enthusiasts leapt (geddit?) to Apple’s defence and argued that Leap “wasn’t really a virus”, but claimed it was a Trojan instead. But – in my opinion – they were wrong.

The argument typically went that because Leap required user interaction in order to infect a computer (the user had to manually open the malicious file sent to them via iChat), it couldn’t be a virus or a worm.

But many of the Windows malware examples commonly encountered at the time, like MyDoom or Sobig, also required manual intervention (the user clicking on a file attachment). And yet, Mac users seemed very keen to call those examples of Windows malware “viruses” at every opportunity.

In my opinion, “virus” is a superset that takes in other groups of malware, including internet worms, email worms, parasitic file viruses, companion viruses, boot sector viruses and so forth. Trojans are in an entirely different class of malware because, unlike viruses and worms, they cannot replicate themselves and cannot travel under their own steam.

Leap was rapidly followed by another piece of malware, a proof-of-concept worm called Inqtana which spread via a Bluetooth vulnerability.

So, next time someone tells you that there are no viruses for Mac OS X – you can now speak with authority and tell them, oh yes there are!

Jahlav (2007)

Things took a more serious turn with Jahlav (also known as RSPlug), a family of malware which deployed a trick commonly seen in Windows-based threats: changing an infected computer’s DNS settings. There were many versions of Jahlav, which was often disguised as a fake video codec required to watch pornographic videos.


Of course, the criminals behind the attacks knew that such a disguise was a highly effective example of how social engineering could trick many people into giving an application permission to run on their computer.

The truth was that many Mac users, just like their Windows-loving counterparts, could easily let their guard down if they believed it would help them see X-rated content.

MacSweep (2008)

An early example of Mac OS X scareware, MacSweep would trick users into believing it was finding security and privacy issues on their computers – but in fact any alerts it displayed were designed simply to trick unsuspecting users into purchasing the full version of the software.

Snow Leopard (2009)

Snow Leopard isn’t malware, of course. It was version 10.6 of Mac OS X, released in August 2009.

And the reason why it is included in this history of Mac OS X malware is because it was the first version of the operating system to include some built-in anti-virus protection (albeit of a very rudimentary nature).

Mac OS X Snow Leopard intercepting some malware

Apple, rattled perhaps by the widespread headline-making infections caused by the likes of the Jahlav malware family, had decided it needed to do something.

However, as its anti-virus functionality only detected malware under certain situations (and initially only covered two malware families) it was clear that security-conscious Mac users might need something better.

Boonana (2010)

This Java-based Trojan showed that multi-platform malware had well and truly arrived, attacking Macs, Linux and Windows systems.

The threat spread via messages on social networking sites, pretending to be a video and asking the enticing question “Is this you in this video?”.


MacDefender (2011)

MacDefender saw Mac malware infections reach new heights, as many users began to report seeing bogus security warnings on their computer.

Using blackhat search engine optimisation techniques, malicious hackers managed to drive traffic to boobytrapped websites containing their rogue anti-virus scans, when users searched for particular images.

The danger, of course, was that users were being duped into handing over their credit cards in order to purchase a “solution” to the alarming messages.


Tens of thousands of people contacted Apple’s technical support lines, requesting assistance.

Flashback (2011/2012)

The Flashback malware outbreak of 2011/2012 was the most widespread attack seen on the Mac platform to date, hitting more than 600,000 Mac computers.


The attack posed as a bogus installer for Adobe Flash and exploited an unpatched vulnerability in Java, with the intention of stealing data (such as passwords and banking information) from compromised Mac computers, and redirecting search engine results to defraud users and direct them to other malicious content.

In September 2012, ESET researchers published a comprehensive technical analysis of the Flashback threat which is well worth a read, if you want to know more.

Lamadai, Kitm and Hackback (2013)

In recent years, Macs have also been used for espionage – and naturally suspicious fingers have begun to point towards intelligence agencies and government-backed hackers when very specific victims are targeted.

The Lamadai backdoor trojan, for instance, targeted Tibetan NGOs (Non-Governmental Organizations), exploiting a Java vulnerability to drop further malware code onto infected users’ computers.

Kitm and Hackback, meanwhile, spied on victims at the Oslo Freedom Forum, giving the malicious hacker the ability to remotely run commands at will.

LaoShu, Appetite and Coin Thief (2014)

So, what of 2014? Has the 10th anniversary been a notable year so far for Mac OS X malware?

Well, according to researchers at ESET, new Mac malware variants continue to be seen every week, putting Mac users who don’t defend their computers at risk of data loss or having their computer compromised by an attack.

State-sponsored espionage continues to make its presence felt, with the discovery of Appetite, a Mac OS X Trojan that has been used in a number of targeted attacks against government departments, diplomatic offices, and corporations.

LaoShu, meanwhile, has been widely spread via spam messages posing as an undelivered parcel notification from FedEx, and scoops up documents of interest that have not been appropriately secured.

CoinThief, however, has probably received the most attention recently as it is distributed in cracked versions of Angry Birds, Pixelmator and other top apps, duping users into infection.

What made CoinThief most interesting, however, was that investigators found the malware was designed to steal login credentials related to various Bitcoin-related exchanges and wallet sites via malicious browser add-ons.

In summary – protect yourself

This has just been a short history of Mac OS X malware. If you want to learn more about any of these threats, or are interested in any of the other Mac malware that ESET has seen in the last 10 years, be sure to check out the company’s “Straight facts about Mac malware” webpage and consider taking the free trial of ESET Cybersecurity for Mac.

Because, even though there isn’t as much malware for Mac as there is for Windows, one infectious outbreak is too many, and we know that the bad guys are working hard to find fresh victims.

by Graham Cluley

OPERATION WINDIGO: Malware Used To Attack Over 500,000 Computers Daily After 25,000 UNIX Servers Hijacked By Backdoor Trojan


Security researchers at ESET, in collaboration with CERT-Bund, the Swedish National Infrastructure for Computing as well as other agencies, have uncovered a widespread cybercriminal campaign that has seized control of over 25,000 Unix servers worldwide.

The attack, which has been dubbed “Operation Windigo” by security experts, has resulted in infected servers sending out millions of spam emails. Its complex knot of sophisticated malware components are designed to hijack servers, infect the computers that visit them, and steal information. Victims of “Operation Windigo” have included cPanel and kernel.org.

ESET’s security research team, which uncovered Windigo, today published a detailed technical paper, presenting the findings of the team’s investigations and malware analysis. The paper also provides guidance on how to find out if your systems are affected and instructions for removing the malicious code. Download ESET’s detailed technical paper about “Operation Windigo”

OPERATION WINDIGO: Gathering Strength For Over Three Years

While some experts have spotted elements of the Windigo cybercriminal campaign, the sheer size and complexity of the operation has remained largely unrealised by the security community.

“Windigo has been gathering strength, largely unnoticed by the security community, for over two and a half years, and currently has 10,000 servers under its control,” said ESET security researcher Marc-Étienne Léveillé.  “Over 35 million spam messages are being sent every day to innocent users’ accounts, clogging up inboxes and putting computer systems at risk.  Worse still, each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements.”

Interestingly, although Windigo-affected websites attempt to infect visiting Windows computers with malware via an exploit kit, Mac users are typically served adverts for dating sites and iPhone owners are redirected to pornographic online content.

An Appeal To Sysadmins To Take Action Against Windigo

Over 60% of the world’s websites are running on Linux servers, and ESET researchers are calling on webmasters and system administrators to check their systems to see if they have been compromised.

“Webmasters and IT staff already have a lot of headaches and things on their mind, so we hate to add to their workload – but this is important.  Everyone wants to be a good net citizen, and this is your chance to play your part and help protect other internet users,” says Léveillé.  “The last thing anyone should want is to be part of the problem, adding to the spread of malware and spam.  A few minutes can make the difference, and ensure you are part of the solution.”

How To Tell If Your Server Has Fallen Foul Of Windigo

ESET researchers, who named Windigo after a mythical creature from Algonquian Native American folklore because of its cannibalistic nature, are appealing for Unix system administrators and webmasters to run the following command, which will tell them whether their server is compromised. It works because the Ebury-patched OpenSSH client silently accepts a -G option that genuine OpenSSH clients of the time reject with an “illegal option” or “unknown option” error. Note that -G became a legitimate option in OpenSSH 6.8, so on that version or later the command reports “System infected” on clean hosts and the other indicators in the technical paper must be used instead:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
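The one-liner above is handy at a prompt, but it has no exit status to act on and no guard against the OpenSSH 6.8+ false positive. The script below is an added example, not part of ESET's paper or tooling: it splits the indicator into a pure classifier (classify_ssh_g) that can be fed captured output from many hosts, and a live wrapper (run_live_check) that returns a distinct exit code per verdict. The function names, the WINDIGO_LIVE variable and the sample banners in the comments are assumptions made for this example; the version threshold encodes the fact that -G is a documented ssh option from OpenSSH 6.8 onwards.

```shell
#!/bin/sh
# Added example (not from ESET's Windigo paper): a scriptable version of the
# "ssh -G" Ebury indicator. Genuine OpenSSH clients before 6.8 reject -G with
# an "illegal option"/"unknown option" message; the Ebury-patched client
# accepts it silently. From OpenSSH 6.8 on, -G is a real option, so the
# indicator is inconclusive there and other IOCs must be used.

# classify_ssh_g OUTPUT VERSION
#   OUTPUT  - combined stdout+stderr of `ssh -G` (may be empty)
#   VERSION - first line of `ssh -V`, e.g. "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2"
# Prints exactly one of: clean, infected, inconclusive.
classify_ssh_g() {
    output=$1
    version=$2

    # Pull "MAJOR MINOR" out of the banner. A banner we cannot parse (not
    # OpenSSH at all, or empty) is reported as inconclusive rather than
    # letting it fall through to a false "clean".
    ver=$(printf '%s' "$version" |
          sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    if [ -z "$ver" ]; then
        echo inconclusive
        return 0
    fi
    major=${ver%% *}
    minor=${ver##* }

    # -G is documented from OpenSSH 6.8 onwards: the absence of an error
    # message no longer says anything about Ebury on these versions.
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }; then
        echo inconclusive
        return 0
    fi

    # Same test as the grep in the one-liner, as a shell pattern match.
    case $output in
        *illegal*|*unknown*) echo clean ;;
        *)                   echo infected ;;
    esac
}

# run_live_check: gather both inputs from the local ssh binary and classify.
# Exit status 0 = clean, 1 = infected, 2 = inconclusive, so the function can
# drive a cron job or a loop over a server fleet.
run_live_check() {
    out=$(ssh -G 2>&1)
    ver=$(ssh -V 2>&1 | head -n 1)
    verdict=$(classify_ssh_g "$out" "$ver")
    echo "ssh client: $ver -> $verdict"
    case $verdict in
        clean)    return 0 ;;
        infected) return 1 ;;
        *)        return 2 ;;
    esac
}

# Only touch the real ssh binary when explicitly asked (WINDIGO_LIVE=1 is an
# assumed knob for this example), so the file can be sourced or tested on a
# machine without an SSH client installed.
if [ "${WINDIGO_LIVE:-0}" = 1 ]; then
    run_live_check
fi
```

Run it as `WINDIGO_LIVE=1 sh windigo-check.sh` on each host, or ship the captured `ssh -G` and `ssh -V` output to one place and call classify_ssh_g there. Treat "inconclusive" as "go and check the other indicators in ESET's paper", never as "clean".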

Tough Medicine For Windigo Victims

“The Ebury backdoor deployed by the Windigo cybercrime operation does not exploit a vulnerability in Linux or OpenSSH,” continued Léveillé. “Instead it is manually installed by a malicious attacker. The fact that they have managed to do this on tens of thousands of different servers is chilling. While anti-virus and two factor authentication is common on the desktop, it is rarely used to protect servers, making them vulnerable to credential stealing and easy malware deployment.”

If sysadmins discover their systems are infected, they are advised to wipe affected computers and reinstall the operating system and software.  It is essential that fresh passwords and private keys are used, as the existing credentials must be considered compromised.

For a higher level of protection in future, technology such as two-factor authentication should be considered.

“We realise that wiping your server and starting again from scratch is tough medicine, but if hackers have stolen or cracked your administrator credentials and had remote access to your servers, you cannot take any risks,” explains Léveillé.  “Sadly, some of the victims we have been in touch with know that they are infected, but have done nothing to clean up their systems – potentially putting more internet users in the firing line.”

All computer users are reminded that they should never reuse or choose easy-to-crack passwords.

Further Information

ESET has published a detailed investigation into the “Operation Windigo” cybercrime campaign, and the various malware components which make up the threat. To download the full report, please visit ESET’s We Live Security blog.  To follow the developing story on Facebook, Google+ or Twitter, please use hashtag #windigo

It’s not the Russians, six out of ten top email spammers come from USA

spam

Recent research shows that six of the top ten spammers are located in the USA, two in Ukraine, one in India and one in Canada.

Whenever ESET Ireland warns the public of some new spam or scam that’s hitting Irish mailboxes, we inevitably get asked where it is all coming from and who is behind it. Now we have the latest statistics from Spamhaus, a Swiss-based organization whose mission is to track the Internet’s spam operations, which shed some light on the sources. Up to 80% of spam targeted at Internet users in North America and Europe is generated by a hard-core group of around 100 known professional spam gangs whose names, aliases and operations are documented in the Spamhaus database. Its TOP 10 chart lists the spammers viewed as the highest threat, the worst of the career spammers currently causing the most damage on the Internet, and flags these gangs and individuals as a priority for law enforcement agencies.

The top ten spam gangs are:

1         Mamba Hosting / Rob McGee / Craig Ames – United States

2         Daniel Alvarez / Convex Marketing – United States

3         Canadian Pharmacy – Ukraine

4         Yair Shalev / Kobeni Solutions – United States

5         Dante Jimenez / Aiming Invest – United States

6         Jagger Babuin / BHSI – Canada

7         Michael Lindsay / iMedia Networks – United States

8         Century Infotech – India

9         Yambo Financials – Ukraine

10     Quick Cart Pro – United States

Their activities include using many falsified domains to send tens of millions of spams per day using botnet techniques, renting an endless number of servers to host their own spam webpages and the webpages of their spam-clients, billing for child, animal, and incest-porn, pirated software, and fake pharmaceuticals.

At ESET Ireland we often write about various spams and scams targeting Irish computer users, such as the recent fraudulent “Notice of Tax Return” purporting to come from Irish Tax and Customs and many others. Most of the time it is difficult to define where the spam is coming from, as the cybercriminals behind it use various techniques to hide their origin behind faked domain names.

All the spam the cybercriminals send is in various ways designed to make money for them and never for the benefit of the receiver, no matter what wonderful things it may promise. ESET Ireland therefore recommends computer users use spam filters and flag and delete any spam they may encounter, to help prevent its spreading.

by Urban Schrott
IT Security & Cybercrime Analyst
ESET Ireland

Bitcoin-stealing Mac malware spreads disguised as cracked versions of Angry Birds

Mac users are warned not to download pirated software from file-sharing peer-to-peer networks, as ESET researchers have discovered Bitcoin-stealing malware being spread via cracked apps.

The malware, OSX/CoinThief, was first discovered earlier this month and was found to steal login credentials related to various Bitcoin-related exchanges and wallet sites via malicious browser add-ons.

CoinThief was first spotted earlier this month by SecureMac researchers, who found it had been distributed via popular download sites such as Download.com and MacUpdate.com, disguised as trojanised versions of Bitcoin Ticker TTM (To The Moon), BitVanity, StealthBit and Litecoin Ticker.

However, the malware experts at ESET labs have also seen OSX/CoinThief spread through torrents as cracked versions of the following popular Mac OS X applications:

  • BBEdit – an OS X text editor
  • Pixelmator – a graphics editor
  • Angry Birds – a game of trebuchet-powered temperamental avian bombardment
  • Delicious Library – a media cataloguing application

There is clearly strong evidence that the hackers behind the CoinThief trojan are trying to cash in on the current Bitcoin craze and fluctuating exchange rates by breaking into users’ digital wallets. As ESET’s research team has shown, Mac users who download and install pirated software from torrent sites are not only depriving developers of their rightful income, but putting their computers and finances at risk as well.

Whether you’re a Bitcoin-enthusiast or not, it’s essential that you protect your Mac with an up-to-date anti-virus product, and resist the temptation to download cracked and pirated software. Instead, go to a legitimate source – such as the developer’s own website or the Mac App store.

ESET researchers continue to analyse the malware, and will publish updates with any further developments.
