5 Systems Admin relationship tips (so you’re on talking terms again)

If you’ve spent much time interacting with system administrators, you know how unlikely it would be for them to host a relationship-fixing TV show. Were they born like this, or did IT support requests just grind them into jaded powder? With a combination of endless patches, glitches, and caffeinated techno pulsing in the background, they do get edgy (and court the look of pallor). Want to mend your sysadmin relationship? On this Systems Administration appreciation day, we give you a few tips to help mend fences.

  1. Own your problem – Sure, they get hired to fix stuff, but they don’t think they got hired to fix you. You fix you. If you keep plugging your Ethernet cable into your USB port and then calling support, don’t be surprised when they feign a foreign language and change the phone number in the company directory. You have a > 50/50 chance of causing stuff to break, and if you do, a simple “sorry” and a bit of listening will go a long way to help. If you just can’t resist the urge to plug stuff in wrong, be very nice to them. They’ll continue to fix stuff. Butter them up, your stuff will work better for longer, and they’ll probably even take the voodoo doll – you know, the one in their cubicle that looks an awful lot like you, with all the pins in it – off the shelf. You might even take yours down too.
  2. Don’t spill > 30 ounces of Coke on your computer – Ask me how I know. Customer complained of sticky keys. If you really just did “something bad” and you’ve observed tip #1, you might be in the clear…ish. You see, stuff happens, and they know this. Self-deprecation (if only for the sake of winning the war) is definitely at play here. Snarky self-deprecation for < 5 seconds can help them WANT to peel the Coke-infested computer bits apart like a soggy term paper, and get it back to you sometime before the next time you need a haircut. Be mean, and you’ll definitely need the haircut first.
  3. If something bad happens, tell them sooner rather than later. If your computer suddenly and inexplicably starts shredding its own file system, next Tuesday would not be a good time to drop a line. Sure, you can brace yourself for the response you might get, but right now there’s at least some chance of triaging your data and averting a larger smoking hole of a disaster in the radius around your workplace. Wait until Tuesday and that will almost certainly not improve the situation, unless you want to live-stream their reaction and upload it to sysadmins-behaving-badly.com to share with others similarly situated.
  4. Spend more than 5 seconds researching before you call – My colleague Bruce Burrell is fond of recommending lmgtfy.com – go ahead, I’ll wait here until you get back – as a support tool. The Internet is wonderful. At the very least, it will help you formulate your questions, in case you catch IT in a spiky phase (some spiky phases last longer than others).
  5. Fight the urge to click on stuff – While it is possible that you’ve made millions and they need to ship it to you, don’t click on the attachment that purports to have the details. Phishing attempts succeed with startling regularity. And they get more convincing all the time, especially if scammers can mine data about people who might normally send you requests. If, however, you are overcome by temptation and your computer hemorrhages immediately after you click and starts eating your file system, see tip #3.

Bonus: buying caffeinated things for sysadmins usually helps. If $4 in coffee can make your life simpler in the long run, it’s worth it, even if you don’t get any relationship advice from them. One day soon, you might need it. Also, you may be able to get rid of that voodoo doll.

by Cameron Camp, ESET malware researcher

Operation Potao Express: Analysis of a cyber-espionage toolkit

Attackers spying on high-value targets in Ukraine, Russia and Belarus, and their TrueCrypt-encrypted data

We presented our initial findings based on research into the Win32/Potao malware family in June, in our CCCC 2015 presentation in Copenhagen. Today, we are releasing the full whitepaper on the Potao malware with additional findings, the cyberespionage campaigns where it was employed, and its connection to a backdoor in the form of a modified version of the TrueCrypt encryption software.

Like BlackEnergy, the malware used by the so-called Sandworm APT group (also known as Quedagh), Potao is an example of targeted espionage malware directed mostly at targets in Ukraine and a number of other post-Soviet countries, including Russia, Georgia and Belarus.


Attack Timeline

The attacks conducted using the Win32/Potao malware family span the past 5 years, the first detections dating back to 2011. The attackers are, however, still very active, with the most recent infiltration attempts detected by ESET in July 2015.

The timeline below lists a selection of Potao attack campaigns and other related events.


Among the victims identified, the most notable high-value targets include Ukrainian government and military entities and one of the major Ukrainian news agencies. The malware was also used to spy on members of MMM, a Ponzi scheme popular in Russia and Ukraine.

Malware Techniques

When the criminals shifted their focus from attacking targets in Russia to others in Ukraine, they began sending personalized SMS messages to their potential victims to lure them to landing pages hosting the malware, disguised as postal tracking sites.

We haven’t noticed Win32/Potao employing any exploits and the malware isn’t particularly technically advanced. (Shouldn’t call it an APT then, right?) Yet it does contain a few other interesting techniques that ‘get the job done’, like the mechanism for spreading via USB drives and disguising executables as Word and Excel documents, as in the following examples:

Figure 3 – Potao droppers with MS Word icons and file names used in attacks against high-value Ukrainian targets to capture the interest of recipients
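As an added example (not from the whitepaper or any ESET tooling), here is a small Python scanner for the lure style described above: files whose name suggests a Word or Excel document but whose content starts with a PE executable header. The minimal PE header and the sample file names are constructed for the demo, and the double-extension and padded-space naming variants are an assumption about how such lures are typically named, not something the post states.

```python
import struct
import tempfile
from pathlib import Path

# Extensions a user would expect to open as a document, not run as code.
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".rtf", ".pdf"}


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an 'MZ' DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def document_like_name(name: str) -> bool:
    """Name ends in a document extension, or hides one before the real suffix
    (assumed variants: 'report.doc.exe', 'notice.doc   .scr')."""
    p = Path(name.lower())
    if p.suffix in DOC_EXTENSIONS:
        return True
    return Path(p.stem.rstrip()).suffix in DOC_EXTENSIONS


def classify(name: str, head: bytes) -> str:
    """Verdict for one file from its name and its first bytes."""
    if looks_like_pe(head):
        return "disguised-executable" if document_like_name(name) else "executable"
    return "other"


def scan_directory(root: Path) -> list:
    """Return (file name, verdict) for every file under root; only the head is read."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            with open(path, "rb") as fh:
                head = fh.read(4096)  # e_lfanew normally lies well inside this window
            findings.append((path.name, classify(path.name, head)))
    return findings


def fake_pe_header() -> bytes:
    """Constructed, non-runnable bytes that merely look like a PE header for the demo."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def demo() -> dict:
    """Write constructed sample files into a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {
            "budget.xls": b"\xd0\xcf\x11\xe0" + b"\x00" * 64,  # OLE2 magic: a real spreadsheet
            "report.doc.exe": fake_pe_header(),               # double extension lure
            "notice.doc   .scr": fake_pe_header(),            # padded-space lure
            "setup.exe": fake_pe_header(),                    # honest executable
        }
        for name, data in samples.items():
            (root / name).write_bytes(data)
        return dict(scan_directory(root))


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:22} {name}")
```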

Trojanized TrueCrypt

An (A)PT malware family that has gone relatively unnoticed for five years and that has also been used to spy on Ukrainian governmental and military targets is certainly interesting in and of itself. However, perhaps the most attention-grabbing discovery related to this case was when we observed a connection to the popular open-source encryption software, TrueCrypt.

We found out that the website truecryptrussia.ru has been serving, to selected targets, modified versions of the encryption software that include a backdoor. Clean versions of the application are served to normal visitors to the website, i.e. people who aren’t of interest to the attackers. ESET detects the trojanized TrueCrypt as Win32/FakeTC. TrueCrypt Russia’s domain was also used as a C&C server for the malware.


The connection to Win32/Potao, which is a different malware family from Win32/FakeTC, is that FakeTC has been used to deliver Potao to victims’ systems in a number of cases.

FakeTC is not, however, merely an infection vector for Potao (and possibly other malware) but a fully functional and dangerous backdoor designed to exfiltrate files from the espionage victims’ encrypted drives.


In addition to the selective targeting (deciding to whom to serve the trojanized version instead of the clean one), the backdoor code also contained triggers that would only activate the malicious data-stealing functionality for active, long-term TrueCrypt users. These were surely contributing factors to the malware’s going unnoticed for such a long time.

Further details on both Win32/Potao and Win32/FakeTC, including a technical analysis of the malware, description of plugins, infection vectors, C&C communication protocol and other spreading campaigns not mentioned in this blog post are included in our comprehensive whitepaper.

Indicators of Compromise (IOC) that can be used to identify an infection can be found in the whitepaper or on github: https://github.com/eset/malware-ioc/tree/master/potao

Before Moving to Windows 10, Make Sure You Have the Latest Version of ESET


Upgrading to a newer version of ESET products for home or business is free

ESET home and business products for Windows are compatible with the newest version of Microsoft’s operating system. However, users who still have older versions of ESET security products are recommended to upgrade them to newer versions before moving to Windows 10.

ESET Smart Security and ESET NOD32 Antivirus are both Windows 10-compatible from version 7 onwards. ESET recommends that its users upgrade their ESET security software before moving to Windows 10. “With ESET, all upgrades are free, so you don’t have to worry about any additional payments.” said Martin Semjan, Consumer Security Product Manager at ESET.

Businesses which have decided to upgrade their endpoints to Windows 10 are advised to make sure that ESET Endpoint Security and ESET Endpoint Antivirus are updated to the latest builds of versions 5 or 6. Older versions are not compatible with Windows 10. “All settings and license credentials will work after the migration with latest builds,” said Martin Kralik, ESET’s Business Endpoint Security Product Manager.

For both home and business users, ESET has prepared a dedicated support web page that answers questions about moving to Windows 10: http://www.eset.ie/ie/windows10-compatibility-free-update/

Valve Steam bug enables accounts to be hacked

A serious bug in Valve’s Steam engine has allowed cybercriminals to steal user credentials over the past week, according to reports.

Kotaku reports that although the fallout makes it sound like a complex issue, the bug appears to be pretty basic – a video in the Kotaku post shows that from the “lost password” section of Steam support all an attacker needed was your account name, and from there they could reset your password, choose a new one and get access to your account, with no verification or email address needed.

Valve fixed the issue after it was brought to light, but many users have complained that their accounts had been hacked in the interim.
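To make the reported flaw concrete, here is an added Python example (not Valve’s code, and not derived from it) that places a reset handler requiring only the account name beside a hardened flow in which a random, hashed, single-use, expiring token is delivered to the registered email address. The in-memory account store, the 15-minute token lifetime and the PBKDF2 parameters are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL = 15 * 60  # assumed policy: reset tokens live 15 minutes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """Constructed in-memory account database standing in for a real backend."""

    def __init__(self):
        self.accounts = {}      # name -> {"salt", "hash", "email"}
        self.reset_tokens = {}  # name -> (sha256(token), expires_at)
        self.outbox = []        # (email, token) pairs the mailer would deliver

    def register(self, name, password, email):
        salt = secrets.token_bytes(16)
        self.accounts[name] = {"salt": salt, "hash": hash_password(password, salt), "email": email}

    def check_password(self, name, password) -> bool:
        acct = self.accounts.get(name)
        return acct is not None and hmac.compare_digest(acct["hash"], hash_password(password, acct["salt"]))

    def _set_password(self, name, password):
        acct = self.accounts[name]
        acct["salt"] = secrets.token_bytes(16)
        acct["hash"] = hash_password(password, acct["salt"])


def broken_reset(store, name, new_password) -> bool:
    """The flaw as reported: knowing the account name is enough to set a new password."""
    if name not in store.accounts:
        return False
    store._set_password(name, new_password)
    return True


def request_reset(store, name, now) -> None:
    """Hardened step 1: mint a random token, store only its hash, send it to the registered email.
    Unknown names get the same (empty) response so the endpoint does not reveal which accounts exist."""
    acct = store.accounts.get(name)
    if acct is None:
        return
    token = secrets.token_urlsafe(32)
    store.reset_tokens[name] = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL)
    store.outbox.append((acct["email"], token))


def complete_reset(store, name, token, new_password, now) -> bool:
    """Hardened step 2: only an unexpired, matching token for this account may change the password."""
    entry = store.reset_tokens.get(name)
    if entry is None:
        return False
    token_hash, expires_at = entry
    presented = hashlib.sha256(token.encode()).digest()
    if now > expires_at or not hmac.compare_digest(token_hash, presented):
        return False
    del store.reset_tokens[name]  # single use: a replayed link must fail
    store._set_password(name, new_password)
    return True
```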

Valve issued a statement, according to TrustedReviews, saying: “To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.

“Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorised logins even if the password was modified. We apologise for any inconvenience.”

Steam is regularly targeted by hackers due to its considerable popularity. As we reported recently, attackers have resorted to hiding malware on fake game pages to compromise gamers.

Porn clicker keeps infecting apps on Google Play

Recently we reported that a fake Dubsmash application had been uploaded to the Google Play Store at least nine times, with tens of thousands of installs. This porn clicker Trojan, which we detect as Android/Clicker, has once more become available for download from the Play Store. After we notified Google and published an article about these fake Dubsmash Trojans, we discovered other fake Dubsmash versions being uploaded again, infected with the same porn clicker. We detected yet another 51 Trojan porn clickers available for users to download. Four of them had more than 10,000 installs and one of them had more than 50,000 installs.

Counting these 51 together with the nine fake Dubsmash apps we reported in the previous article, users were able to download 60 different Trojan clicker applications from Google Play. These Trojan clickers were downloaded at least 210,000 times in the last three months. In the weeks after our article was published, these apps were installed more than 106,000 times.

This time not only were fake versions of Dubsmash uploaded by the same developer, we also found Download Manager, Pou 2, Clash of Clans 2, Subway surfers 2, Subway surfers 3, Minecraft 3, Hay Day 2, various game cheats and Video Downloaders being infected with the same Trojan Clicker.

Figure 1 Fake Subway Surfers 2

Figure 2 Fake Dubsmash 2

Figure 3 Fake Dubsmash V3

ESET is still seeing occurrences of this infiltration on Google Play and, after more than a month, these fake Trojan Clickers are still managing to evade Google’s Bouncer malware filter and potentially exposing millions of users to risk.

Figure 4 Porn clicker apps from Google Play

Interestingly, none of the fake applications will add a Dubsmash app icon to the app menu after installation. Instead the malicious apps pretend to be arcade games like Flappy Birds Family, board games or system applications.

Figure 5 Examples of Trojan app icons

Following ESET’s notification, Google has pulled the malware from the Play Store and also reports some of them as potentially harmful applications using its built-in security service.

Figure 6 Google security service notification of potentially harmful app


Even though the malicious applications were available for download for at most a week, tens of thousands of people still installed them. Hopefully, Google is doing its best to fix this issue and find a way to prevent the developers of these porn clickers from publishing them to the Play Store. To reduce the risk from malicious apps that may have slipped through Google’s filtering, we advise Play Store customers to take careful note of reviews by other customers, and to ensure that their security software is kept up to date.

Hackers demonstrate Jeep security hack

Hackers have demonstrated an exploit that can take remote control of a Jeep, to the extent of cutting the transmission and controlling the throttle.

The two hackers, Charlie Miller and Chris Valasek, demoed the exploit – the result of a year’s work – to a Wired journalist, who wrote: “The result of their work was a hacking technique—what the security industry calls a zero-day exploit—that can target Jeep Cherokees and give the attacker wireless control, via the Internet, to any of thousands of vehicles.”

“Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country,” continued the Wired report.

Although only intended as a proof of concept, any Chrysler that has Internet functionality through “Uconnect,” which includes hundreds of thousands of vehicles, is susceptible to a similar real-life attack, according to Siliconbeat.

It’s reported that Chrysler has released a “software update to improve vehicle electronic security,” and though it is unknown if the patch fixes the vulnerabilities Miller and Valasek exploited, it’s recommended that owners patch their vehicles anyway.

The patch is available here – you’ll need your vehicle ID and a USB drive to transfer the downloaded patch to your Chrysler via the dashboard port. Owners can also visit a Chrysler dealership, where their vehicles will be updated for free.

Miller and Valasek are set to present their findings at the Black Hat security conference in Las Vegas next month in a talk entitled: ‘Remote exploitation of an unaltered passenger vehicle’.

According to the Wired story, the pair have developed a suite of attack tools that enable a wide range of in-car actions, from controlling the air-con and audio, through to killing the engine, disabling the brakes and even hijacking the wheel (currently only possible in reverse), as well as triggering the in-car GPS to track the location in real time.


10 security mistakes you probably keep on making

When it comes to data security, attackers continue to exploit the biggest weakness of all – people. We look at 10 security mistakes humans continue to make on a daily basis.

1. Poor patching

The sad reality is that most data breaches owe not only to a human mistake, like clicking on a malicious link, but also to a computer system that is running on outdated software.

For instance, attackers routinely exploit flaws in Microsoft Office and Adobe Player that have not been fixed, in order to find their way onto users’ PCs. Other, more advanced attackers will leverage so-called ‘zero-day’ flaws for which there is not yet a patch published.

Patch management remains a bane for many users, including enterprise system administrators, but the good news is that it is now getting easier. Microsoft is making Patch Tuesday a thing of the past with Windows, while most mobile operating systems, including Android and iOS, now have an auto-update feature for mobile applications so users don’t have to do anything.

2. Too trustworthy

People are still too trusting in the digital world. We may have got better at ignoring unsolicited calls and text messages as well as salesmen at our front door, but we are still opening emails and links from people we don’t know.

Too often people open these emails and download attachments, some of which may have been weaponised with malware, or alternatively click to open shortened links on Twitter, LinkedIn or Facebook. Some of these links redirect to compromised websites.

3. Reusing passwords

The biggest faux-pas computer users continue to make is weak and/or reused passwords, which can be cracked by attackers with brute force attacks.

Passwords are a pain to manage – one study revealed that, in the UK alone, the average person has passwords for 19 different accounts.

The rise of password managers and biometrics has alleviated some of these problems, but password security is likely to continue to be a problem for some users.


4. Oversharing on social media

Generations Y and Z are on Twitter, Facebook, Instagram and other social platforms on a daily basis, as well as WhatsApp, Viber and likeminded instant messaging services.

These younger generations are sharing almost every intricate detail of their lives online, leading to the possibility that this information is intercepted, stolen or simply sold onto nefarious actors.

Additionally, this information can be sold to third-party marketers, while cyber-criminals will likely use the same publicly-available information for social engineering attacks like phishing emails and links.

5. No security solutions

Anti-virus has changed and evolved in recent years, and its goal is to proactively detect and remove viruses, Trojans, worms and other types of malware in order to keep you safe.

Yet some people still don’t have a security solution, even though it is one of the first lines of defense, together with ‘good practices’ and keeping systems up-to-date.

6. ‘It won’t happen to me’

One of the biggest problems people have with information security is not something they ignore, like patching or downloading a security solution, but rather the perception they are not the intended target.

Individuals and businesses continue to take the approach of ‘it won’t happen to me’, ignore essential security practices and thus express surprise when they lose data, money or information as a result of a hack.

7. Leaving devices unattended

A simple mistake many of us continue to make is leaving desktop computers or laptops unattended and unlocked. The same also applies to personal devices like smartphones and tablets.

The biggest risk of course is the theft of the device, but unlocked devices could also leave users exposed to data theft or ‘shoulder surfing’ spying.


8. Browsing on unsecured connections

We all demand free Wi-Fi anywhere we go, whether that’s so we can surf the web, check-in on Twitter or Facebook, buy products online, monitor our online banking or make a VoIP call.

But sometimes we connect to insecure and open Wi-Fi hotspots, at coffee shops for example. This Wi-Fi is open, not password protected, and visits to unencrypted HTTP websites (those not using HTTPS) can potentially allow an attacker to conduct a Man-in-the-Middle (MiTM) attack to sniff all web traffic and steal information, like passwords for online banking. If you’re going to be dealing with sensitive materials online, it’s best to use your secure home Wi-Fi connection.

9. Ignoring SSL certificate warnings

Ever visited a website only to be greeted by a security warning that it was an unsafe connection? You probably have at some point, and might well have continued onto that unsafe website.

This means that the SSL certificate is either invalid or has expired, making the connection unsafe and more likely to be compromised by a third-party.

Indeed, researchers at Carnegie Mellon University said back in 2009 that digital certificate warnings in web browsers are not an effective security measure, with many ignored. Google recently redesigned its security warnings after finding that Chrome users ignore 70% of warnings.

10. Downloading apps from third-parties

It’s less common now, but some smartphone and tablet owners do still download applications from third-party websites and application stores, and this represents a massive risk.

Some of these stores contain applications that are malicious or which appear legitimate, but which have in fact been repackaged with malicious code.

