December 4, 2013
November 28, 2013
The Internet is a vast source of information for all of us, and naturally some people use that information for good, and some for ill, like grooming and stalking children. ESET Ireland has previously done research which revealed that up to 73 per cent of Irish children are left unsupervised online. So what things can you as a parent, teacher, or other concerned adult do to protect kids against online predators and solicitation? This is not intended to be an exhaustive guide, but to start a conversation where we can share comments and information.
I recently wrote about privacy and domestic violence survivors and one of the first things that struck me was how much of the advice out there was woefully outdated. For example, at this point I’m not sure how much use it is to tell people how to safely interact with AOL chat rooms. Likewise, a lot of the information about protecting children from online predators is from another Internet-era, before we were all carrying the Internet with GPS and hi-definition audio/video capabilities, in our pockets.
In searching for statistics, what I found (that wasn’t from a bygone era) was that online predators tend to glean a lot of information from social networking sites:
- In 82% of online sex crimes against minors, the offender used the victim’s social networking site to gain information about the victim’s likes and dislikes.
- 65% of online sex offenders used the victim’s social networking site to gain home and school information about the victim.
But the specific means of gleaning information is less important than the prolific yet largely unwitting sharing of information with strangers. Predators may seek out children who are engaging in attention-seeking behaviors as a way of finding connections with others. Sadly, these kids seeking connection are generally the ones least likely to have a concerned adult to whom they feel they can turn to report solicitation. These targeted kids may also not wish to report the behavior, as they may simply be glad for the interest and may naturally be naïve about the nature of the attention.
Understanding Online Solicitation
The following list from Microsoft describes the actions of online predators:
- Find kids through social networking, blogs, chat rooms, instant messaging, email, discussion boards, and other websites.
- Seduce their targets through attention, affection, kindness, and even gifts.
- Know the latest music and hobbies likely to interest kids.
- Listen to and sympathize with kids’ problems.
- Try to ease young people’s inhibitions by gradually introducing sexual content into their conversations or by showing them sexually explicit material.
- Might also evaluate the kids they meet online for future face-to-face contact.
Out of context, this starts out sounding like friendly behavior. But clearly there is a very unhealthy progression. In essence, this behavior is like long-term social engineering, because it is done with harmful intent. Solicitation preys on innocent, trusting people in order to get something that they would not freely give otherwise.
Protecting Children On- and Off-line
Tips for reducing the risk of children being victimized generally center around monitoring and controlling their access to the Internet in an age-appropriate way. But as this article from the San Diego Police Foundation points out, not all solicitation happens online, so more needs to be done to prepare kids to recognize the signs. It is essential to make sure that kids know from an early age what is appropriate information to share with others, even people who appear to be friends (as this is what predators make themselves out to be).
Establish rules about when it is okay to:
- Send or post photos
- Give contact or identifying information for themselves or family members
Let kids know it is best to:
- Socialize online only with kids they know in real life
- Avoid personal discussions with strangers online, especially conversations involving sex, violence, and illegal activities
As older kids become eligible for social networking sites, they may wish to meet in person some people that they have met online. It is important that a parent or guardian accompanies the teen to any first meeting, to determine whether the situation is safe and age-appropriate.
The idea of establishing rules is not to make a child fearful of strangers, but to instill in them an ability to scrutinize communications in a way that comes from a healthy sense of self-worth. There is a saying that is popular in the security industry: “Trust, but verify”. This means not blindly accepting someone’s words at face value, but doing additional research to determine if a communication is trustworthy.
Parental concern versus independence
Good parenting (or mentoring) is about finding that balance between providing children with the tools to become independent adults, and spending enough time with them that they feel loved and protected. When children are younger, you can safely lean towards being overprotective, until they can understand and internalize the reasons for the rules. Adults are targeted by confidence schemes and scams too, so learning to avoid them and protect their privacy will serve them throughout their lifetime.
Perhaps the most important thing you can do to protect kids from online predators is to establish a good rapport and open lines of communication with them. Social engineering relies on creating a strong feeling either of fear or of trust. If a child feels they can discuss their experiences with a trusted adult, without concern for punishment or judgment, they can verify whether questionable online communications are scams or solicitation. It is important to remember that even if children respond positively to online predators, they are still the victims in the same way that anyone who has fallen for a scam is a victim.
Communication and Curiosity
The FBI provides a guide for parents, which includes a considerable amount of additional information for parents about how to recognize when a child may be at risk for solicitation, and what to do if you suspect your child has been targeted. They also provide the following list of tips for how to improve communication with children about their online activities:
- Communicate, and talk to your child about sexual victimization and potential on-line danger.
- Spend time with your children on-line. Have them teach you about their favorite on-line destinations.
- Keep the computer in a common room in the house, not in your child’s bedroom. It is much more difficult for a computer-sex offender to communicate with a child when the computer screen is visible to a parent or another member of the household.
The general idea here is not to come from a place of accusing children, or scaring them about potential dangers. If you approach your child’s online activities with a sense of curiosity and interest, you can potentially see a problem before it becomes genuinely dangerous.
Children are naturally curious, and the Internet can be a great way for them to learn and explore, given reasonable boundaries to guide them. With proper adult guidance, they can gain the confidence to protect themselves throughout all their online and offline endeavors.
Here are some additional resources, should you wish to read more on the subject:
Author Lysa Myers, We Live Security
November 26, 2013
Our recent survey about consumer opinion in the wake of the Snowden revelations about mass NSA electronic surveillance suggests that the economic implications could be deeper than experts have yet acknowledged, including negative impact on corporate profits and GDP. At the same time, like every economic challenge, the NSA revelations present some interesting opportunities for the enterprising.
[Update November 15: A podcast on this topic is now online.]
The digital economy takes a hit
How could the Snowden/NSA news damage GDP and profits? How about a reduction in online shopping and online banking. Our survey data suggests this reduction is not hypothetical, it is real, and not just a few percentage points. Close to one in five Americans we surveyed said they were doing less banking online as a result of the Snowden/NSA revelations. That’s a 20% hit to a trend that the retail banking sector has been counting on to achieve profitability targets: people shifting away from banking at costly branches and through postal mail. That trend could be stalling and those targets could now be in jeopardy.
Consumer spending drives the American economy and shifting that spending from brick-and-mortar stores to the digital realm has been a key strategy for retail firms.
Our survey indicates that, post-Snowden/NSA, retailers are looking at 14% of Americans doing less shopping online. That doesn’t necessarily mean less total shopping, but it does undermine the strategies and logistics behind the biggest retail spending period of the year, which is now well under way. I doubt that retailers have planned to staff and stock physical stores to cope with an unforeseen surge in foot traffic diverted from websites due to a drop in online trust sparked by news of government surveillance.
Beyond the obviously Internet-dependent sectors of banking and retailing, the drop in online technology confidence that we charted in our survey impacts all Internet-using entities in general, and technology firms specifically. For example, one in five Americans surveyed said that they were now less inclined to use email. Consider what that means for state and local governments, for email advertisers, for phone companies and other firms that rely on email for billing and support. And how about healthcare, where parties of all stripes have pinned their hopes for cost containment on greater leverage of the Internet?
Giant feet of clay
So you might be wondering what this means for two of the biggest plays in tech stocks, social media giants Facebook and Twitter. Yes, I know that Twitter has not IPO’d yet, but the IPO is coming and the “NSA factor” could influence pricing. How? Some 47% of people we surveyed said that they had changed how they used social media because of the Snowden/NSA revelations. Changed how? They agreed with the statement: “I am more careful about what I share via social media.” This does not mean a bunch of people are dropping social media, but I find it pretty shocking that almost half who do use it are now thinking differently about what they share.
Of course, one could quip that security professionals like myself have spent years trying to get people to be more careful about what they share on social media so we owe NSA a big “thank you” for achieving this sudden boost in awareness. But if the business plan of your social media company, or the one in which you’re thinking of investing, is predicated on people sharing more, not less, then I would be troubled, particularly since things are not likely to get any less scary for consumers, and assurances of privacy and confidentiality are easy to make while new revelations keep on appearing.
And this is where the NSA may have unwittingly poisoned the well for a broad swathe of technology companies, while undermining some of the pillars of cyberspace, like Google and Yahoo. Even before it was revealed that the NSA had tapped the fiber optic cables connecting the data centers used by these two Internet giants, a solid 50% of our survey respondents agreed with this statement: “I am now less trusting of technology companies, such as Internet service providers and software companies.”
Ouch! You don’t need a team of economists to tell you it’s not good for businesses or consumers or the country as a whole when technology companies, such as Internet service providers and software companies, lose that amount of trust. And you don’t need to be an expert in irony to see that knowledge of the actions of the NSA appears to be undermining the fabric of our cyber-based economy and society.
Actually, that team of economists might be handy for figuring out all the ways in which our responses to mass electronic surveillance impact our use of electronics, and what that will mean for businesses and consumers over the next few years. Hopefully politicians will consider those impacts as they try to restore the public’s faith in the branches of its government whose mission is supposed to be defending and enabling peace and prosperity.
If anyone at Google or Yahoo or Facebook or Twitter is wondering how to play this whole NSA thing, I would take my cue from that 74%. Taking a stand is clearly a chance to earn goodwill while you figure out how to get the public to do more with the Internet, not less.
[At the time I wrote the above paragraph I was not aware that Google's Eric Schmidt was giving an interview to the Wall Street Journal in which he would "take a stand" against the NSA, calling NSA surveillance outrageous. Maybe Google had done its own market research on this strategy. Personally, I think Mr. Schmidt was expressing genuine feelings that are widespread within his organization, employees of which have now made it clear how angry they are at the way the NSA was trespassing in its systems, trying to undo their hard work. Warning, this link about Google/NSA contains adult language.]
Of course, our survey was only a snapshot (first reported here). A bigger survey might show different results, although the news for high tech companies has only gotten worse since we did our polling.
Author Stephen Cobb, We Live Security
November 8, 2013
ESET Ireland’s latest survey reveals 22 per cent of Irish have already lost money to cybercrime, which could mean they have suffered up to €300 Million of financial loss because of it.
Everyone knows virus infections occur, cards get abused, scams happen. But the prevailing sentiment is still that it’s something that happens rarely and it’s primarily just a nuisance. ESET Ireland’s latest survey reveals it has likely happened to someone you know and it actually cost them money.
Cyber-threats can incur financial damage in many ways. From the costs of having an infected computer repaired, or having your credit card abused online, to the recent wave of ransomware infections, which lock your files and demand a ransom to unlock them.
ESET Ireland commissioned a survey in October, carried out by Amárach Research on a thousand Irish adults, which asked whether they ever suffered financial loss and how much, because of cyber-threats, consisting of repairing an infected computer, having their credit/debit card abused, being victim of an online/phone/text scam or a target of hacking, etc.
While 78% said they suffered no loss (or didn’t use a computer), the 22% who did, which is nearly one in four people, represent a very significant percentage. With 9% having lost up to €50 and the Irish adult population currently at about 3.5 Million (the survey only covered the adult population), this translates into 315000 people having lost a total of over €15 Million for the first group alone! If we add up the numbers and losses of all the other groups, from that top 9% down to the bottom 1% who lost over €3000 (if 10 out of 1000 told us they lost over €3000, across the whole of Ireland that could mean 35000 people with a total of over €105 Million in costs), the final statistical estimate of direct and indirect cyber-crime damages in Ireland could be beyond €300 Million.
The demographic breakdown is also interesting. Dublin and the rest of Leinster seem to be the safest, with 19% having suffered losses, while Connaught and Ulster seem hardest hit, with 30% having lost money already. Females and the older generation seem to be more cautious, with 20% females versus 24% of males and the older age group of 45-54 with 19% versus the younger group of 25-34 with 27% having suffered financial consequences of their online activities. In one of our previous surveys we have found out that 54% of Irish computer users have already suffered a malware infection, 15% had their credit/debit card abused, and 14% were victims of online or phone scams.
All these numbers should really convince people to start taking computer security a bit more seriously, as a survey we did on online behaviour actually revealed that the situation has deteriorated in the last 2 years!
What to do?
- Keep your system and your antivirus software patched and up to date.
- Don’t open suspicious files, go to suspicious websites or download suspicious pirated materials, and particularly if your antivirus warns you you’re about to open something dangerous, do take its warning seriously. Think before you click!
- Be very careful with your online banking and credit card information; if you’re unsure of anything you’ve received online, just ring your bank and ask!
- Stay informed about latest threats (on blogs like ours), so you know what to avoid. Bad guys that are after YOUR money are always thinking up new ways to scam you.
November 5, 2013
The Top Ten Threats
Previous Ranking: 1
Percentage Detected: 3.9%
Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL, and it tries to download several files from that address over HTTP. The downloaded files are then executed. The worm may delete the following folders:
Previous Ranking: 2
Percentage Detected: 2.1%
This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.
Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.
The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.
While malware’s use of this mechanism makes it easy to spot for a scanner that applies this heuristic, it’s better to disable the Autorun function by default than to rely on antivirus to detect it in every case.
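The heuristic described above, an autorun.inf that points Explorer at a program rather than at an icon or a label, can be illustrated with a small parser. The following is an added example, not ESET’s detection logic; the two autorun.inf bodies are constructed for the demonstration, and the file names and folder paths in them are made up.

```python
import configparser
import re

# Constructed sample: the kind of autorun.inf an INF/Autorun-style worm drops
# on a USB stick. Paths and file names are invented for this example.
SUSPICIOUS_AUTORUN_INF = """[autorun]
open=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\update.exe
shell\\open\\command=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\update.exe
shell\\explore\\command=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\update.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=My Documents
useautoplay=1
"""

# Constructed sample of the benign autorun.inf shipped on an installer CD:
# it only sets the drive icon and label, launching nothing.
BENIGN_AUTORUN_INF = """[autorun]
icon=setup.exe,0
label=Product Installer
"""

# Keys that make Explorer run, or offer to run, a program.
LAUNCH_KEYS = ("open", "shellexecute")
COMMAND_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXECUTABLE_RE = re.compile(r"\.(exe|com|scr|bat|cmd|pif|vbs|js)\b", re.IGNORECASE)
# Folders hidden from the user by default, a common place to stash the payload.
HIDDEN_DIR_RE = re.compile(
    r"(^|\\)(recycler|recycled|\$recycle\.bin|system volume information)(\\|$)",
    re.IGNORECASE,
)


def assess_autorun_inf(text):
    """Return a list of (key, reason) findings for one autorun.inf body."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str.lower  # INF keys are case-insensitive
    parser.read_string(text)
    if not parser.has_section("autorun"):
        return []
    findings = []
    for key, value in parser.items("autorun"):
        if key not in LAUNCH_KEYS and not COMMAND_KEY_RE.match(key):
            continue  # icon=, label= and friends do not launch anything
        if EXECUTABLE_RE.search(value):
            findings.append((key, "launches an executable: " + value))
        if HIDDEN_DIR_RE.search(value):
            findings.append((key, "target lives in a hidden system folder"))
    # Every shell verb redirected to the same program is the classic worm
    # pattern: whichever verb the user picks (open, explore), the payload runs.
    command_values = [v for k, v in parser.items("autorun") if COMMAND_KEY_RE.match(k)]
    if len(command_values) > 1 and len(set(command_values)) == 1:
        findings.append(("shell\\*\\command", "all shell verbs redirected to one program"))
    return findings


def is_suspicious(text):
    return bool(assess_autorun_inf(text))


if __name__ == "__main__":
    for name, body in (("suspicious", SUSPICIOUS_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        print(name, assess_autorun_inf(body))
```

The scanner only looks at the file; the mitigation the article recommends is to stop Windows from honouring these keys at all, which on the Windows versions discussed here is done by setting the NoDriveTypeAutoRun policy value (under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer) to 0xFF, disabling Autorun for every drive type.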
Previous Ranking: 3
Percentage Detected: 2.05%
Sality is a polymorphic file infector. When run, it starts a service and creates or deletes registry keys related to security activities in the system, and ensures that its malicious process is started on every reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature:
Previous Ranking: 4
Percentage Detected: 1.9%
Type of infiltration: Virus
HTML/Iframe.B is generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location with malicious software.
Previous Ranking: 5
Percentage Detected: 1.78%
Generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect the browser to the malware download.
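Both of the detections above, HTML/Iframe.B and the obfuscated-script redirect, come down to two observable features of a page: an iframe that the visitor is not meant to see, and a script that assembles its real content at run time from escape sequences. The scanner below is an added example of that kind of generic check, not ESET’s detection; the two HTML pages it runs over are constructed for the demonstration and the domains in them are placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a normal page into which an attacker has injected a
# one-pixel hidden iframe and two obfuscated scripts. Domains are placeholders.
INJECTED_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://malicious.example/ld.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Cifr%61me%20src%3D%22http%3A%2F%2Fmalicious.example%2Fx%22%3E'));</script>
<script>eval(String.fromCharCode(118,97,114,32,120,61,49,59));</script>
</body></html>"""

# Constructed sample: a visible video embed and an ordinary inline script.
CLEAN_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example/embed/123" width="640" height="360"></iframe>
<script>var counter = 0; function tick() { counter += 1; }</script>
</body></html>"""

HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}", re.I)
OBFUSCATION_API_RE = re.compile(r"\b(unescape|eval|String\.fromCharCode|document\.write)\s*\(")
ESCAPE_RE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")


def _dimension(value):
    """Parse a width/height attribute; None when absent or not a pixel count."""
    try:
        return int(str(value).rstrip("px"))
    except (TypeError, ValueError):
        return None


class RedirectScanner(HTMLParser):
    """Collects (kind, reason) findings for hidden iframes and obfuscated scripts."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
            tiny = (w is not None and w <= 2) or (h is not None and h <= 2)
            hidden = HIDDEN_STYLE_RE.search(attrs.get("style") or "")
            if tiny or hidden:
                self.findings.append(("iframe", "hidden or tiny frame to " + str(attrs.get("src"))))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        apis = set(m.group(1) for m in OBFUSCATION_API_RE.finditer(data))
        escapes = len(ESCAPE_RE.findall(data))
        # A decoder call plus a dense run of escape sequences, or eval/fromCharCode
        # at all, is the signature of a script that builds its payload at run time.
        if apis and (escapes >= 5 or "eval" in apis or "String.fromCharCode" in apis):
            self.findings.append(("script", "obfuscated script using " + ", ".join(sorted(apis))))


def scan_html(page):
    scanner = RedirectScanner()
    scanner.feed(page)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    print(scan_html(INJECTED_PAGE))  # three findings
    print(scan_html(CLEAN_PAGE))     # []
```

The thresholds (a frame of two pixels or less, five escape sequences) are deliberately crude; a production engine would also follow the decoded script to see what it actually writes into the page, which is where emulation of script, rather than of native code, comes in.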
Previous Ranking: 6
Percentage Detected: 1.62%
Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor. It can be controlled remotely. The file is run-time compressed using UPX.
The worm collects login user names and passwords when the user browses certain web sites, and then attempts to send the gathered information to a remote machine.
Previous Ranking: 7
Percentage Detected: 1.61%
The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).
Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.
While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145
It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders.
Previous Ranking: 8
Percentage Detected: 1.45%
It is a file infector: a virus that executes on every system start. It infects DLL and EXE files and also searches HTM and HTML files to write malicious instructions into them. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.
Previous Ranking: n/a
Percentage Detected: 1.34%
Win32/TrojanDownloader.Small.AAB is a trojan which tries to download other malware from the Internet. When executed, it copies itself to the %temp%\hcbnaf.exe location. The trojan contains a URL, and it tries to download a file from that address.
Previous Ranking: 9
Percentage Detected: 1.09%
This threat copies itself to the %system32% folder of Windows before starting. It then communicates over DNS with its command and control server. Win32/Qhost can spread through e-mail and gives control of an infected computer to an attacker.
November 4, 2013
The detection and blocking of malicious code employed by modern threats, whether targeted attacks or mass-spreading campaigns, has been a game of cat-and-mouse with the perpetrators for some time now. And even though we are seeing shifts in the threat landscape and new malware trends, the “malware problem” is still very much with us. To be clear, most malware writing today is performed by, or purchased by, cross-border criminal organizations. We are no longer faced with a few over-enthusiastic individuals. That means most malware attacks are functional and to some degree effective, in other words: people get infected. These attacks are generally low-risk and often very profitable.
The development of anti-malware defenses
As malicious code threats have evolved over the years, so have the technologies deployed to protect against them. The traditional concept of an “anti-virus” program has evolved into more comprehensive “security suites.” These suites include, in addition to traditional anti-malware scanners, firewalls, HIPS (Host Intrusion Prevention Systems), and other technologies.
One of the reasons such multi-layered protection is necessary is that the “bad guys” have the advantage of only needing to find one hole in our defenses, while companies and consumers need protection across many different points of attack. Security companies like ESET are constantly monitoring the evolution of malware families and collecting new samples of malicious code. The servers in the ESET Security Research Lab receive over 200,000 unique malicious binaries every day: malware detected proactively, that we have never seen before. Even so, we don’t really see all the cards in the game. Malware writers, on the other hand, have access to all of the commonly used security solutions. They use this access to tweak their code so that it is harder to detect when it is released.
Of course, our job is to defeat that process. We want to make it impossible, or at least more difficult and expensive, for malware writers to craft code that is not detected. This requires additional layers of security that introduce creative strategies that can catch malicious code which might evade basic defenses.
One strategy that has been around for some time is advanced heuristics, explained in detail by Righard Zwienenberg on WeLiveSecurity.com. There is also an ESET white paper on basic heuristics. In this article we expand on the heuristic approach, and introduce some additional strategies that security software can deploy to combat malware. We begin by explaining several particularly challenging techniques used by malware writers today.
The main technique employed by malware writers in order to avoid detection by antivirus software is the use of various “protectors” or run-time packers. You can think of these protectors as outer shells of the executables that hide the inner payload from inspection, and therefore detection, by basic anti-virus scanners.
That explains why, out of the many thousands of fresh malware samples that we see daily in our lab, relatively few contain new functionalities. Most of those daily unique samples are repackaged versions of existing malware families. The frequent repacking of malware variants is also known as server-side polymorphism.
An antivirus program that relies solely on simple hash-based signature detection of previously known malware can be defeated by the ever-changing malware. Furthermore, such detection is very inefficient. That is why a great amount of research has been done in order to crack that outer shell of malware protection using emulation. The idea is to run potentially malicious executables in a virtual environment or sand box, where they won’t be able to cause damage to the system and user, but will become unpacked and can be caught by the anti-virus engine.
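The difference between a hash signature defeated by repacking and an emulator that sees the unpacked body can be shown with a deliberately tiny model. The code below is an added example, not ESET’s engine: the “protector” is a single-byte XOR with a stub carrying the key, the “emulator” simply performs the stub’s unpacking step instead of executing it, and the payload and signature strings are constructed for the demonstration.

```python
import hashlib
import os

# Constructed stand-in for a malware body. A static signature is a substring
# of it; the hash signature is the SHA-256 of the whole file.
PAYLOAD = b"MALWARE-BODY: connect to c2 and steal cookies"
STATIC_SIGNATURE = b"connect to c2"


def pack(payload, key=None):
    """Toy protector: XOR the payload with a one-byte key and prepend a stub
    that carries the key. Every call with a fresh key yields a new file."""
    key = os.urandom(1) if key is None else key
    stub = b"STUB" + key
    return stub + bytes(b ^ key[0] for b in payload)


def emulate_unpack(packed):
    """Toy emulator: performs the stub's unpacking logic (read key, XOR) so the
    original body appears 'in memory' without the sample ever running."""
    if not packed.startswith(b"STUB") or len(packed) < 5:
        raise ValueError("not a recognised stub")  # models an emulator that gives up
    key = packed[4]
    return bytes(b ^ key for b in packed[5:])


def hash_signature_hit(sample, known_hashes):
    return hashlib.sha256(sample).hexdigest() in known_hashes


def static_signature_hit(sample):
    return STATIC_SIGNATURE in sample


def emulation_signature_hit(sample):
    try:
        return static_signature_hit(emulate_unpack(sample))
    except ValueError:
        return False


def demo():
    """Run all three detectors over 50 repacks of the same payload; only the
    first repack's hash is 'known'. Returns (hash_hits, static_hits, emu_hits)."""
    first = pack(PAYLOAD, key=bytes([0x5A]))
    known = {hashlib.sha256(first).hexdigest()}
    samples = [first] + [pack(PAYLOAD, key=bytes([k])) for k in range(1, 50)]
    hash_hits = sum(hash_signature_hit(s, known) for s in samples)
    static_hits = sum(static_signature_hit(s) for s in samples)
    emu_hits = sum(emulation_signature_hit(s) for s in samples)
    return hash_hits, static_hits, emu_hits


if __name__ == "__main__":
    print("hash / static / emulation hits:", demo())  # (1, 0, 50)
```

The numbers make the article’s point: fifty “unique” files, one hash match, no static match on the packed bytes, and fifty matches once the outer shell is removed. The ValueError path models the first challenge listed below: a stub the emulator does not understand leaves the sample undetected.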
While this might sound simple in theory, in reality there are several challenges that must be overcome for this to work, and a number of potential drawbacks that must be taken into consideration:
- The malware can attempt to hinder emulation, for example by using uncommon instructions or API functions that the emulator does not expect and cannot handle correctly.
- The malware can detect that it is being run in a virtual environment and either stop executing or continue in a benign mode to avoid detection.
- Even if the code is emulated correctly, it can still be obfuscated in such a way that it hides its malicious functionality, and its detection remains problematic.
- Emulation, or any virtualization technology, always carries some negative performance impact.
One significant method for improvement of emulation (with respect to the problematic aspects mentioned above) is by employing binary translation.
One of the most infamous banking Trojans, Zeus (detected by ESET as Win32/Spy.Zbot) is a good example of how repacking with various protectors has proven to be effective for the bad guys. This is malware that has been widely known for at least six years and its source code was leaked back in 2011. Yet Zeus often succeeds in evading detection by anti-malware scanners, because of the advanced packers used by the gangs that build and operate Zeus.
For cases when inspection of the protected and obfuscated sample prior to its execution is not successful, antivirus software has one last chance of detecting it: when it is running in memory in a decloaked state. Yet again, the challenge for security companies lies in triggering appropriate memory scanning as soon as possible, so that the malware causes minimal damage. This needs to be done with as little negative impact on system performance as possible.
Exploitation as an infection vector
Clearly, it is more desirable to prevent a malware infection even before it sets foot on the target system. There are many different infection vectors and, like malware itself, these have also evolved over time. However, generally they can be grouped into two categories:
- With user interaction: the victim is led to the infection through social engineering
- Without user interaction: mostly through exploits of software vulnerabilities
The subject of social engineering is a broad one and is a frequent topic of We Live Security blog posts. Here we will focus on software exploitation, without user interaction.
A typical scenario is that a user navigates to a webpage, subverted by an attacker, that contains a malicious script calling an exploit pack or exploit kit (something we have covered in various articles). Simply put, the exploit pack is a web app that will first check the potential victim’s software versions. This can be accomplished by legitimate scripts, such as PluginDetect. Then, if an unpatched, vulnerable version is detected, an exploit will be served and malicious code can be executed on the system without the user ever noticing anything. From the attacker’s point of view this is a very effective way of infecting even the more cautious users. For this reason, the underground market where cybercriminals buy exploit kits and new software vulnerabilities is thriving.
The obvious protection against these kinds of attacks is to patch the software vulnerabilities, but unfortunately people patch slowly and some don’t patch at all. Furthermore, patching is not effective against zero-day exploits, those that are unknown to the affected software vendor and for which no patch is available at the time of the attack.
Signature-based detection can be used to detect exploit code, but it suffers from the same shortcomings as when used against “regular” malware, so more generic detection and mitigation approaches are needed.
One example of a mitigation tool is EMET (Enhanced Mitigation Experience Toolkit) from Microsoft. EMET makes life much more difficult for exploits (in fact, renders many of them defunct) by protecting against common techniques used by exploits and forcing built-in Windows security measures, namely DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization) and SEHOP (structured exception handler overwrite protection).
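DEP and ASLR are mitigations a binary opts into through two bits in its PE optional header, and EMET’s value is that it can force them on processes that did not. The script below, an added example rather than anything from EMET or ESET, reads those bits so an administrator can audit which of the applications they deploy asked for the protections; the minimal PE header it constructs is a test fixture, not a loadable image. SEHOP is different in kind: it is an operating-system setting, not an image flag, so the only SEH-related bit shown here is NO_SEH, which states that the image uses no structured exception handlers at all.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def read_dll_characteristics(data):
    """Return (magic, DllCharacteristics) from a PE image's optional header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the signature and the 20-byte COFF file header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ layouts.
    (chars,) = struct.unpack_from("<H", data, opt + 70)
    return magic, chars


def mitigation_report(data):
    """Map the header bits to the mitigations the article names."""
    magic, chars = read_dll_characteristics(data)
    report = {
        "aslr": bool(chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(chars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
        "cfg": bool(chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }
    if magic == PE32PLUS_MAGIC:  # the 64-bit ASLR refinement only applies to PE32+
        report["high_entropy_va"] = bool(chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)
    return report


def build_minimal_pe(dll_characteristics, pe32plus=False):
    """Constructed fixture: just enough header for the parser (no sections,
    not loadable), so the example runs without a real binary on disk."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C
    opt_size = 0xF0 if pe32plus else 0xE0
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    opt = struct.pack("<H", magic) + b"\0" * 68 + struct.pack("<H", dll_characteristics)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    import sys
    # With a path argument, audit a real file; otherwise run on the fixtures.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(mitigation_report(f.read()))
    else:
        print("hardened:", mitigation_report(build_minimal_pe(0x0140)))
        print("legacy:  ", mitigation_report(build_minimal_pe(0)))
```

A binary reporting aslr and dep as False is exactly the case where EMET’s forced settings earn their keep; a modern compiler sets both bits by default, so a False here usually means an old or deliberately relinked build.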
Modern antivirus solutions introduce a more generic behavior-based approach, inspecting the very act of exploitation and checking whether, for example, a (malicious) process is spawned in a suspicious manner that’s not typical for the host application. This technology can block advanced and reliable exploitation techniques, typically bundled in today’s professional exploit kits.
One such example is CVE-2013-0641, which won the 2013 Pwnie Award at the BlackHat conference for the most technically sophisticated and interesting client-side bug. This exploit targeted Adobe Reader and was able to escape its sandbox. Apart from PDF readers, the applications most often exploited to deliver malware include internet browsers and their plugins, Flash players, Java and MS Office components. This kind of approach can also help prevent zero-day exploits.
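The behaviour-based check described above, “a process spawned in a manner not typical for the host application”, is easiest to see over process-creation events. The analyser below is an added example of that logic and is not ESET’s implementation; the log lines are constructed for the demonstration in a made-up “parent/image” format, and the lists of host applications and suspicious children are illustrative choices, not a product’s rule set. It goes one step beyond the paragraph by also following the process tree, so a binary launched two hops below Adobe Reader is still attributed to it.

```python
import re

# Constructed process-creation events (not real telemetry): a document reader
# spawning a shell, which then launches a dropped file from a temp folder, plus
# ordinary activity that should stay quiet.
SAMPLE_EVENTS = """\
2013-11-04T10:01:02 pid=412 ppid=380 parent=C:\\Windows\\explorer.exe image=C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe
2013-11-04T10:01:09 pid=450 ppid=412 parent=C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe image=C:\\Windows\\System32\\cmd.exe
2013-11-04T10:01:10 pid=461 ppid=450 parent=C:\\Windows\\System32\\cmd.exe image=C:\\Users\\u\\AppData\\Local\\Temp\\a.exe
2013-11-04T10:05:00 pid=500 ppid=380 parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\notepad.exe
2013-11-04T10:06:00 pid=520 ppid=412 parent=C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe image=C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe
2013-11-04T10:07:00 pid=530 ppid=480 parent=C:\\Program Files\\Microsoft Office\\WINWORD.EXE image=C:\\Windows\\System32\\WScript.exe
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) parent=(?P<parent>.+?) image=(?P<image>.+)$"
)

# Applications that open untrusted content and have no reason to launch shells
# (illustrative list for this example).
HOST_APPS = {"acrord32.exe", "winword.exe", "excel.exe", "powerpnt.exe",
             "iexplore.exe", "firefox.exe", "chrome.exe", "java.exe", "javaw.exe"}
# Children whose appearance under a host app usually means an exploit's
# payload stage has started (illustrative list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
USER_WRITABLE_RE = re.compile(r"\\(temp|tmp|appdata|downloads|public)\\", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line):
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def analyse(events_text):
    """Return a list of (timestamp, reason) alerts for suspicious spawns."""
    alerts = []
    image_of, parent_of = {}, {}
    for line in events_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        pid, ppid = ev["pid"], ev["ppid"]
        parent, child = _basename(ev["parent"]), _basename(ev["image"])
        image_of[pid], parent_of[pid] = child, ppid
        # Nearest host application in the lineage: the direct parent, or any
        # ancestor whose creation this log has already recorded.
        chain, a = [parent], ppid
        while a in parent_of:
            a = parent_of[a]
            chain.append(image_of.get(a, ""))
        host = next((p for p in chain if p in HOST_APPS), None)
        if host is None:
            continue
        if child in SUSPICIOUS_CHILDREN:
            alerts.append((ev["ts"], "%s spawned %s" % (host, child)))
        elif USER_WRITABLE_RE.search(ev["image"]):
            alerts.append((ev["ts"], "%s descendant launched %s from a user-writable path" % (host, child)))
    return alerts


if __name__ == "__main__":
    for ts, reason in analyse(SAMPLE_EVENTS):
        print(ts, reason)
```

Reader re-launching itself (the fifth event) raises nothing, which is the point of keying on the parent/child pair rather than on the host application alone; real products additionally inspect how the child was created, for instance whether the call came from a stack that belongs to no loaded module, which is what lets them block the spawn rather than merely log it.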
But blocking exploits doesn’t only have to take place at the process level. For example, many worms still rely on network protocol vulnerabilities in order to spread. While there are many fresher examples of this, the most infamous one is probably the Conficker worm exploiting MS08-067 through a specially crafted RPC call. Despite the fact that this vulnerability has been patched for 5 years now, our LiveGrid telemetry shows us that the exploit is still widely used in the wild. This indicates that adding another layer to the protection stack, at the network level, is also beneficial.
We’ve addressed some of the technical tricks that malware authors use to successfully infiltrate target systems without being detected. The descriptions above apply both to mass-scale attacks, as well as customized targeted attacks, with an important side-note. A targeted attack is much more difficult to prevent, since the attacker knows his victim and can tailor the attack using very focused social engineering and exploits against the exact software that the victim is running, and so on. Targeted attacks especially highlight the importance of multi-layered security and the usefulness of generic exploitation detection.
This article did not discuss the most widely used malware spreading technique today: the use of social engineering. We constantly see fresh evidence that this technique is easier and cheaper for attackers in many cases. But that’s for another article, or two.
Author Peter Stancik, ESET We Live Security