Interview: Windigo victim speaks out on the ‘stealth’ malware that attacked his global company

Operation Windigo was one of the biggest operations against a criminal gang of this year – led by ESET with help from law enforcement and scientists from around the world, including Europe’s CERN (the organization behind the Large Hadron Collider). It highlighted a new, dangerous threat, where criminals target UNIX servers to redirect victims – and successfully took over thousands of servers and sites around the world.

Pierre-Marc Bureau, Security Intelligence Program Manager says, “The malicious gang is using these servers to send spam, redirect web traffic to malicious content, and steal more server credentials to widen their operation.” At its height, Windigo sent 35 million spam messages a day and redirected 500,000 web users to malicious sites. A detailed analysis of the malware and techniques used, and the ongoing battle against Windigo, can be found here, written by Bureau. ESET researcher Oliver Bilodeau chronicles the ongoing battle against Windigo here.

The victims often never knew they were infected. Even today ESET blocks thousands of redirects from infected servers – and this arduous research has thrown light on a new, sinister face of cybercrime.

ESET researchers have helped many companies identify and neutralize the infection, and this effort goes on today. Francois Gagnon, whose company was targeted, reveals what happened when this novel, emerging threat took hold of his large company.

Bureau says, “ESET has invested months of efforts to analyze, understand, and document Operation Windigo. At the peak of analysis activity, six researchers worked on the investigation.  We are very proud of the current results and we continue to monitor the situation. All servers have not been cleaned and the malicious gang behind the operation is still in control of significant resources. There is still a lot of work to do!” Veteran security researcher, writer and We Live Security contributor Graham Cluley says that at one point half a million PCs were attacked a day. Most victims remained unaware.

Francois Gagnon, owner of a business whose servers in France and Canada fell victim for weeks, explains how a large business can fall prey – and not notice.

Were you aware that this sort of attack was possible?

Like most businesses of our size, we knew criminals ‘sniffed around’, but had never been subject of a serious attack. To begin with, we didn’t realize what it was. But this did not feel like something really offensive. It was running in the background pretty silently. No crash or anything happened. I think that’s why it had infected so many servers before people started to react.

Did the nature of the attack surprise you?

One of the first things you learn in any form of hi-tech business is that anything is possible. But we knew from the start that Windigo was something different. It was subtle. No one stole our database – the first we heard was that suspicious behavior like random redirections in some websites were mentioned by some customers.

When did you realize that something very bad was happening?

We discovered that some of our servers were on Email Blacklists – used to pick out spammers. We knew that our system had sent spam. Our customers also mentioned that some of our sites – we have 2,000 – were randomly redirecting customers. It was customer complaints that helped us realize something was badly wrong. Some suspicious behaviors like random redirections in some websites were mentioned by some customers as well.

Just how ‘stealthy’ is this infection – how long did it take you to realize you were a victim?

I suppose we have been infected a few weeks before we realized what was going on.We pushed our investigation further and realized that most servers had been infected after we had opened tickets with cPanel. Their servers were infected and they infected our servers using SSH connections to us.

How did you react? Did you fear your business was under threat?

We rapidly went from not worrying to the worst worry of all – that it was an advanced threat, targeted specifically at us. We run a dozen servers and 2,000 sites. At the beginning we thought that it could be a targeted attack, but we quickly understood that many other businesses were running through the same issues. Plenty of people were talking about those strange behaviors on many forums.

Did you work closely with researchers on this – when did you realize that there were so many other victims?

We were quickly contacted by ESET and were told about how big this infection was and quickly started to work very closely with the research team. We cleaned infected servers but kept some intact for ESET’s investigation. Marc-Etienne of ESET offered advice – clean the server and reinstall. It’s a harsh cure, but we did it. We have now cleaned almost all of our infected servers and re-installed. We worked closely with ESET’s team, and some servers were used to help the researchers understand the infection. We have now-reinstalled most of them.

Why were you targeted?

That is easy. We have a lot of servers, and many customers in France and Canada.

Why do you think your business was targeted?

Simply because we have many servers, and many customers in France and Canada. Thanks to the quick action of ESET, our company’s reputation was not damaged – we listened to our customers and acted. We did not suffer severe financial loss, either.

What are your feelings towards the gang behind this – and the companies still suffering?

This attack is big. Many web hosting companies were infected and didn’t even know what it was. They were told by cPanel to reinstall – and that was it. That was all the help we got. We were lucky. We worked closely with ESET, who helped put it right, and I hope we helped in turn with the Windigo project.

What is the status of your company now?

We are fully operational. We have always been cautious and took seriously any strange or suspicious behavior. If the government took these kind of attacks more seriously and invested more money to help companies such as ESET it may prevent some attacks.

At his request, We Live Security used a fake name for our interviewee. The gang behind Windigo is still at large and reprisals are a possibility.

ESET will not end Windows XP products support

windows-xp-54321-623x420

After 8th April 2014, Microsoft will no longer provide system updates for Windows XP.
ESET will support the Microsoft Windows XP versions of ESET products at least until the end of April 2017.

Q: What exactly happens on April 8, 2014? Will Windows XP stop working?
A: On April 8, 2014, Microsoft will release its final security updates for Windows XP, and stop providing support and fixes for it. The operating system will still function the same way it has, and all old updates and fixes will still be available. Regular system updates are used to repair exploits and patch existing security vulnerabilities.

Q: Will ESET products and virus definitions on Windows XP still be updated?

A: Yes. At least until the end of April, 2017 ESET will maintain support for customers with ESET products installed on the Windows XP operating system and will continue to offer the following services during that period:

  • Regular virus signature updates for the latest threats
  • Consistent updates to other parts of the antivirus engine
  • ESET Customer Care support requests

Currently, ESET still supports and provides updates for endpoint products that work with Windows NT 4.0 and Windows 2000, both of which reached end of life (EOL) status in 2004 and 2010, respectively.

Q: Will all versions of Windows XP cease being supported by Microsoft after April 8, 2014?
A: No, not all. Windows XP Professional for Embedded Systems, a special version of Windows XP used in devices such as cash registers, ATMs and ticket machines, etc., will be supported until December 31, 2016. However, that date is fast approaching and if you have devices running XP Embedded you will eventually need to replace or update them.

Q: Are other Microsoft programs going to cease being supported?
A: Microsoft Office 2003 will no longer be supported after April 8, 2014. The next major end of life date is July 14, 2015, which is for Windows Server 2003. If your office has any servers left running Windows server 2003, you should be planning on updating or replacing them as well.

Q: I have to run Windows XP and cannot upgrade or replace my PC. Is there anything I can do to protect myself?
A: Make sure that your copy of Windows XP is fully patched and all your applications are on the latest versions with the latest patches as well. Please note that while your service from ESET will not change, your system could become more vulnerable to threats because it will no longer receive regular system updates from Microsoft.

We recommend that you use the latest version of your ESET product to maintain the highest degree of protection possible with the non-updated Windows XP operating system.

To maintain the highest level of security, we recommend that you upgrade your operating system or move your important data onto a computer with a more current operating system.

by Urban Schrott and Aryeh Goretsky

ESET’s Threat Trends Predictions 2014: The next battle for internet privacy, a new assault on Androids, and a new wave of hi-tech malware

Each year, ESET releases its Threat Trends Predictions report for the coming twelve months, written by our global network of security experts, and based on wide-ranging analysis of trends in cybercrime and malware. This year’s report centres on three key trends, the first and foremost being privacy – the others being threats to mobile devices, and new, hi-tech malware targeting PCs and other devices in the home. You can download the full 35 page report Trends for 2014: The Challenge of Internet Privacy (.PDF).

The reaction to Edward Snowden’s revelations concerning the activities of the US National Security Agency (NSA) demonstrates that Internet users really do care about digital privacy and security. Our report analyses how users can protect their information – but ESET experts warn that ensuring data is locked down (by the use of encryption, for instance) is merely the first step towards real security.

“The challenge to internet privacy has not meant a decrease in cases of people affected by any malicious code or other kind of computer threat,” the researchers write. “Concern about privacy is a good starting point, but it is essential for people to be aware of all aspects of Information Security. Otherwise, it is not possible to mitigate the impact of computer threats.”

Next year will also see an escalating increase in serious threats targeting Android phones and tablets – ESET detections of such malware increased more than 60% between 2012 and 2013. This trend is predicted to continue in 2014. ESET Research Laboratory points out that malware afflicting Android now uses classic PC attack methods – the discovery of vulnerabilities, then their exploitation through malicious code.

Filecoders such as the ransomware Cryptolocker have been one of this year’s most notorious attacks, one that is still spreading worldwide. More such malware is expected in 2014.Likewise, Bitcoin and other e-currencies will remain a target for cybercriminals – but gangs may cast their nets wider, and threats against devices such as smart cars, games consoles and smart TVs may loom on the horizon.

The use of DDoS as a means of protest will continue to grow, particularly by people unhappy with the surveillance activities of governments and events in the Middle East. Indeed a lot of hacking as well as DDoS for activist purposes is predicted in 2014; so, expect a lot of attacks against high profile, controversial targets, especially national and local governments and their infrastructure.

Detailed info available in ESET Ireland’s Blog post 2014 security and privacy predictions

2014 security and privacy predictions

Have you been wondering what trends in security and privacy ESET researchers are predicting for 2014? The following is a sampling, a year-end snack plate if you will. (Later in the month we will also be serving a main course of 2014 predictions in the form of a whitepaper from our colleagues in Latin America.)

Perennial readers of the ESET blog will know researchers do not relish making predictions, and yet each year we make them. Why? Because some people ask nicely, and because there is some practical value in looking ahead at where future attacks on information systems might come from, and in what form. Sometimes we name trends that are already in motion, like Bring Your Own Device, which has been a trend for several years. But we only draw attention to an ongoing trend if we think its persistence has implications for security and privacy (for example, one of researchers sees the increasing diversity of cheap smartphones adding to the BYOD challenge).

2014 predictions

First up is ESET Distinguished Researcher Aryeh Goretsky who predicts that, as locked-down computing environments such iOS and Windows RT come to the fore, we will see criminals increase their focus on identify theft. In other words: “Why 0wn the computer when you can 0wn the p3rs0n?”

Aryeh also observes that, while biometric authentication–such as a fingerprint reader–has largely been a feature of corporate computers: we now have the first widespread consumer computing device to incorporate this technology–the Apple iPhone 5s–and we will begin to see fingerprint sensors become increasingly common in other consumer computing devices. Aryeh suggests we will see this first at the higher “prosumer” end of the market, and then increasingly in less expensive devices, as the cost of sensors decreases. Low end devices will still probably not have these in 2014, partially because of cost and partially because of market segmentation reasons.

A third Goretsky prediction is that research into UEFI rootkits will continue, and we will probably see a handful of proof-of-concept demos, largely device or manufacturer-specific and due to flawed implementations of the standard or from improper key management by manufacturers. Or both.

Weighing in from the Netherlands, ESET Senior Research Fellow Righard Zwienenberg predicts the trend for Bitcoin to become more and more popular and valuable will continue. However, illicit Bitcoin-miners as well as Bitcon-stealers will also increase. Righard suggests that, as Bitcoins become more valuable, and because they are untraceable, operators of ransomware scams will increasingly demand payment in Bitcoin.

Righard also thinks 2014 will see a gradual increase in IPv6 installations along with the associated implementation faults that will allow some taking over of networks and systems.

A third Zwienenberg prediction is that the BYOD trend will get even larger due to more and cheaper (non)branded devices, making CYOD more needed than ever (see ‘From BYOD to CYOD: Security issues with personal devices in the workplace‘). Consequently, there will still be a big need to convince the people about the right device policies and security measures.

Weighing in from the redwood forests, ESET security researcher Cameron Camp predicts that the convergence of payment systems on smartphones and other mobile devices will increase the value of them as a target, and scammers will spend more effort aimed at financial fraud on these platforms.

Cameron also see nation states moving closer to drafting digital truces between trading partners in response to escalating tensions and the underlying need to continue strong trade in a semi-protected fashion. This is analogous to naval trade routes, where protecting cargo vessels carrying goods was deemed critical for semi-open worldwide trade, and therefore subject to various safe harbors, rules of engagement, etc.

Mr. Camp also predicts a year-long escalating cat-and-mouse game between anonymizing technologies (and related crypto products) and those who try to break into them in various fashions and with various motives. This will result in a bevy of new and novel technologies hitting the streets in an attempt to reclaim some modicum of the expectation of private communication, for better or worse (depending on one’s point of view).

ESET security researcher Lysa Myers sees the use of DDoS as a means of protest continuing to grow, particularly by people unhappy with the surveillance activities of governments and events in the Middle East. Indeed Lysa predicts a lot of hacking as well as DDoS for activist purposes in 2014; so, expect a lot of attacks against high profile, controversial targets, especially national and local governments and their infrastructure.

David Harley, ESET Senior Research Fellow, thinks cyber criminals will pay more attention to finding vulnerabilities and potential exploits in mobile operating systems. This will be driven, in part, by the convergence of payment systems on smartphones and other mobile devices that Cameron mentions.

Mr. Harley also thinks that, as the use of mobile devices–especially smartphones–as a means of strengthening privacy by two-factor authentication becomes more common, it will become more important to consider the use of other kinds of security software (where available) to reduce the risk of other attacks, including the interception of financial and other sensitive transactions.

Another Harley prediction is that post-Snowden concerns about whether providers are sharing cloud-stored data with government agencies–voluntarily or through enforcement of legal processes–will revive questions about the geographical location of data and cloud storage and processing. Older concerns about differing approaches to data privacy will flare up due to fresh mistrust and tensions between nations, not only between European and other nations, but even between European nations with differing views on how to counter terrorism without infringing on the privacy of their citizens. The General Data Protection Regulation, which among other things will aim to extend European Community data protection principles (see European Union Directive 95/46/EC) to countries outside the Community, is expected to be adopted in 2014. But it may not be compatible with sending data to be processed in countries where government rights to carry out surveillance are seen as excessive.

Finally, a few predictions of my own, starting with an educated guess about basic phishing attacks against consumers in developed countries. These will continue to be conducted from less developed countries where such activity is tolerated because it provides revenue to an under-employed citizenry.

A popular computer magazine asked ESET for one big and bold prediction for 2014 and my money is on: Cryptowar! An unprecedented level of interest in encryption products due to continuing revelations about state-sponsored surveillance of companies and consumers.

I will end this buffet of 2014 predictions with the first Internet fumble! I predict a small but not insignificant percentage of current Internet users in developed countries will scale back their online activities in light of continuing revelations about state-sponsored surveillance of companies and consumers. This and other aspects of the “Snowden effect” will not do the economy any good. I leave you with an illustration of what happened to Cisco’s stock price after it publicly referenced the “NSA effect” on future sales.

cisco-share-price

Author Stephen Cobb, We Live Security

Nearly one in four Irish lost money online!

ESET Ireland’s latest survey reveals 22 per cent of Irish have already lost money to cybercrime, which could mean they have suffered up to €300 Million of financial loss because of it.

Everyone knows virus infections occur, cards get abused, scams happen. But the prevailing sentiment is still that it’s something that happens rarely and it’s primarily just a nuisance. ESET Ireland’s latest survey reveals it has likely happened to someone you know and it actually cost them money.

Cyber-threats can incur financial damage in many ways. From the costs of having an infected computer repaired, or having your credit card abused online, to the recent wave of ransomware infections, which lock your files and demand a ransom to unlock them.

ESET Ireland commissioned a survey in October, carried out by Amárach Research on a thousand Irish adults, which asked whether they ever suffered financial loss and how much, because of cyber-threats, consisting of repairing an infected computer, having their credit/debit card abused, being victim of an online/phone/text scam or a target of hacking, etc.

graph

While 78% said they suffered no loss (or didn’t use a computer), the 22% who did, which is nearly one in four people, represent a very significant percentage. With 9% having lost up to €50 and the Irish population currently being at about 3,5 Million adults (the survey only covered the adult population), this translates into 315000 people having lost up to a total of over €15 Million just for the first group! And if we add up all the numbers and losses of all others, from the top 9% to the bottom 1% who lost over €3000 (if 10 out of 1000 told us they lost over €3000, in the whole of Ireland that could mean 35000 people with a total of over €105 Million in costs?), the final statistical estimate of Irish direct and indirect cyber-crime damages could be beyond €300 Million.

The demographic breakdown is also interesting. Dublin and the rest of Leinster seem to be the safest, with 19% having suffered losses, while Connaught and Ulster seem hardest hit, with 30% having lost money already. Females and the older generation seem to be more cautious, with 20% females versus 24% of males and the older age group of 45-54 with 19% versus the younger group of 25-34 with 27% having suffered financial consequences of their online activities. In one of our previous surveys we have found out that 54% of Irish computer users have already suffered a malware infection, 15% had their credit/debit card abused, and 14% were victims of online or phone scams.

All these numbers should really convince people to start taking computer security a bit more seriously, as a survey we did on online behaviour actually revealed the situation has decreased in the last 2 years!

What to do?

  1. Keep your system and your antivirus software patched and up to date.
  2. Don’t open suspicious files, go to suspicious websites or download suspicious pirated materials, and particularly if your antivirus warns you you’re about to open something dangerous, do take its warning seriously. Think before you click!
  3. Be very careful with your online banking and credit card information, if you’re unsure of anything you’ve received online, just ring your bank and ask!
  4. Stay informed about latest threats (on blogs like ours), so you know what to avoid. Bad guys that are after YOUR money are always thinking up new ways to scam you.

Has Irish online security decreased over the last two years?

New research shows a startling decrease of online security practices among Irish computer users, worse results in all categories of a comparative 2011/2013 survey.

In 2011 ESET Ireland has commissioned the first survey with Amárach Research, to determine how Irish computer users comply with their Antivirus software’s warnings. The results weren’t optimistic back then, as large percentages ignored their Antivirus’ warnings and voluntarily exposed their computers and networks to infection.

In 2013 we asked Amárach to repeat the survey, to see what the situation is like now and, unfortunately, the results we received show that the situation has deteriorated in every category we asked about.

So… when an Antivirus, any Antivirus, alerted the users something potentially bad was detected, now only 52% complied with the warning (was 66%), 19% stayed on a website they got warned about (was 15%), 24% ignored the warning when they tried to open a potentially infected file or program (was 14%), 8% actually disabled their Antivirus, because it wouldn’t let them open a file or a program or look at a website (was 6%), and 6% use no Antivirus software (was 4%).

AntivirusWarnings

The demographic breakdown shows some very interesting patterns. The youngest generation (ages 15-24) is the only one where complying with Antivirus warnings has actually increased (from 35% to 46%), so they seem to be taking things more seriously than they used to. But the midlife cyber-crisis seems to have hit the 35-44 year-olds hard, as they have shown the worst decline. Of 74% that used to trust their Antivirus’ warnings only 45% do so now, they are the worst age group when it comes to dodgy websites, as now 20% ignore warnings and continue surfing, while only 9% used to and they are also the worst when it comes to opening suspicious or infected files or programs, as 26% now ignore warnings, from the previous 11%.

While it is somewhat comforting that the percentage of people without any Antivirus protection is still relatively low, it is quite concerning that so many have it, but don’t comply with the warnings.

Any Antivirus tries to automatically prevent infections and the spreading of viruses and other malware. But that cannot work if computer users ignore or disable the protection, because they’re intent on doing something with the computer, regardless of the consequences. Malware is not used just to annoy users, but to steal their passwords, banking and credit card details, entangle them in scams and fraud, etc., all things that can have serious financial consequences. Is visiting that one dodgy site really worth that risk? Can we seriously expect our information superhighway traffic to be safe, if only one half of the drivers notices the traffic lights, one quarter willingly ignores them and one in twelve drives without brakes?

The Irish becoming serious about protecting laptops, less about other devices, but have no idea what data leakage is

The latest research ESET Ireland did was about how covered Irish computers and devices are with antivirus and data leakage protection.

The research by ESET Ireland, was carried out on a thousand people. First we determined what sort of devices the Irish use to connect to the internet:

Am03

Then we found out 90% of Windows-based PC/Laptop users have antivirus installed, as do 63% of Mac users. Linux users, however, still feel confident they’re entirely invulnerable, as only 10% use antivirus protection. The picture is a bit grimmer among mobile users, as only 41% of Android users have their mobiles protected by antivirus, followed by 27% of iPhone users and 26% of Windows phone users.

Am01

But the picture completely changes when it comes to Data Leakage Protection. The Irish, so it seems, are barely aware of data leaks being a problem at all, as 74% answered they don’t know, while about a third of Linux users use some protective measures, as does one in four Windows/Mac users.

Am02

So, while malware awareness seems to have reached a certain satisfactory level among computer users, it is still lacking for mobile devices, even though mobile devices are as much targets of malware as are computers, since they’re increasingly used for accessing social media, various apps and offer various purchasing functionality, which could be compromised by malware, causing the victim direct financial damage.

More surprising is the complete lack of awareness about data leakage, particularly with the amount of coverage the media have already given various data leaks in the past. With BYOD (bring your own device) becoming increasingly popular, this could cause many companies’ sensitive data being at risk of getting lost or stolen.

So, mobile users should give installing an antivirus on their device some thought and all computer and mobile device users would be wise to start paying attention to information on data leakage a bit, if they wish to avoid related trouble.

Follow

Get every new post delivered to your Inbox.

Join 72 other followers