Monthly Threat Report: July 2013


The Top Ten Threats

1.  WIN32/Bundpil

Previous Ranking: 1
Percentage Detected: 3.78%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL and tries to download several files from that address over HTTP; the downloaded files are then executed. The worm may delete the following folders:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

2. HTML/ScrInject

Previous Ranking: 2
Percentage Detected: 2.30%

Generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect to the malware download.

3. INF/Autorun

Previous Ranking: 3
Percentage Detected: 2.23%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While using this mechanism can make it easy to spot for a scanner that uses this heuristic, it’s better to disable the Autorun function by default, rather than to rely on antivirus to detect it in every case.

4. Win32/Sality

Previous Ranking: 5
Percentage Detected: 2.18%

Sality is a polymorphic file infector. When run, it starts a service and creates or deletes registry keys related to security activity on the system, ensuring that the malicious process is started on each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature:
http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah


5. HTML/Iframe

Previous Ranking: 6
Percentage Detected: 2.04%

Type of infiltration: Virus
HTML/Iframe.B is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location hosting malicious software.

6. Win32/Dorkbot

Previous Ranking: 7
Percentage Detected: 1.75%

Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using UPX.
The worm collects login user names and passwords when the user browses certain web sites, then attempts to send the gathered information to a remote machine.

7. Win32/Conficker

Previous Ranking: 8
Percentage Detected: 1.71%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders.

8. JS/Chromex.FBook

Previous Ranking: n/a
Percentage Detected: 1.55%

JS/Chromex.FBook is a trojan that posts messages to user profiles on Facebook. Depending on the variant of the family, the threat could be a malicious Google Chrome or Mozilla Firefox extension/plugin.

9. Win32/Ramnit

Previous Ranking: 9
Percentage Detected: 1.41%

It is a file infector. It’s a virus that executes on every system start. It infects dll and exe files and also searches htm and html files to write malicious instructions into them. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files or shut down/restart the computer.

10. Win32/Qhost

Previous Ranking: 10
Percentage Detected: 1.26%

This threat copies itself to the %system32% folder of Windows before starting. It then communicates over DNS with its command and control server. Win32/Qhost can spread through e-mail and gives control of an infected computer to an attacker.

Keyboards and Keywords

David Harley, ESET Senior Research Fellow

A version of this article also appeared on the Anti-Phishing Working Group blog.

The Wikipedia entry for ‘error message’ includes a number of infamous (and confusing) error messages, though it doesn’t include my all-time favourite:

Keyboard not found! Press any key to continue

And no, that’s not an urban legend. While I’m not sure that was the exact wording, I did see more or less that same error message two or three times back in the days when user support was part of my job.

The reason that I was scouring the web for links related to ‘error messages’ and ‘security alerts’ is this: I happened across an article on the American Psychological Association web site that told me that Gary Brase (a psychologist) and Eugene Vasserman (a computer security researcher), of Kansas State University, have been given a $150,000 grant for research into developing more effective online alerts. I don’t know how many security companies have explored this approach – though I don’t believe for a moment that no security company has ever involved psychologists, focus groups, and ergonomists (amongst others with interest and expertise in aspects of human-computer interaction) in the development of a product and its user interface – but I’m sure we’ve all seen enough in the way of confusing software-generated alerts to agree that some software could do with a little more attention to the HCI dimension. There is a special place in my heart for the sort of alert that we often see along the lines of ‘EICAR test virus not-a-virus detected’.

In fact, while I may be biased – my own academic background was originally in social sciences, computer science being a later add-on – I don’t think that computer security that’s focused entirely on bits and bytes is ever going to solve the world’s problems with cybercrime, cyber-espionage, and all the other cyber-issues du jour. Certainly the kind of security alert that leaves the user wondering “What the heck does that mean? What does the darn thing want me to do?” is failing some kind of usability test.

The APA article includes a couple of examples cited by Brase:

“Do you want to trust this signed applet?” or “This application’s digital signature has an error; do you want to run the application?”

Frankly, I’ve seen far more confusing examples, guaranteed to have the end user running to the nearest wall to bang his head against it: any message that includes an error code or a hex string, or something like ‘unknown error scanning file [filename]’, or even a blank message box. But these examples do finger an essential problem with security alerts that I’m not sure $150k is going to be enough to fix.

The problem with Brase’s examples isn’t the wording, it’s conceptual. If the algorithm behind the program isn’t able to make a reliable determination of the risk, why should we expect the everyday user to be able to? Actually, he might: maybe he knows that a site is (normally) OK, even if he can’t be sure that it hasn’t been compromised in some way. Software has the disadvantage that it can only deduce intent from the programmatic characteristics of a program, or from automated textual analysis. And while filtering has progressed immeasurably from the days when phrases like ‘magna cum laude’ or the name Scunthorpe triggered porn detection algorithms all over the globe, there are still many contexts where an informed human being can make a better decision than an email or web filter. But ‘informed’ people aren’t the main target for research like this: rather, Brase states that “Good security alerts should be tailored for all types of users, no matter what their intent,” which suggests a wide range of skill/knowledge levels, as well as a wide range of target sites. There’s an important point there: I’m in agreement with being in touch with the intent of the user as well as that of the malefactor. In fact, Jeff Debrosse and I wrote a paper a few years ago in which we suggested that security companies could increase their effectiveness by incorporating analysis of the user’s behaviour into the software as well as analysis of programmatic behaviour – Malice Through the Looking Glass: Behaviour Analysis for the Next Decade – though I’m not holding my breath waiting for that approach to catch on. It is one way, potentially, of addressing another of Brase’s points: i.e. that ‘user education has not kept pace with the increasing complexity of Internet transactions.’ That, at least, is perfectly true. I’m all for making computers people-literate (the very apposite title of a book by Elaine Weiss).

The logical flaw here, though, is this: improving the presentation of security alerts won’t make security software (or other software with some security functionality, such as a browser using technology like Google’s Safe Browsing, for example) any more capable of discriminating between human motivation than it already is. That’s not such a negative comment as it sounds: programmatic filters don’t in themselves ‘detect’ malicious intent, but they do reflect the programmer’s understanding of some behaviour – programmatic or semantic – characteristic of malicious intent. But malicious behaviour is not a constant, not static. The average security program is a long way from achieving the same discrimination in analysing textual content that a moderately psychologically-aware human being is capable of.

The Google technology is actually a pretty good illustration of the limitations of technology for countering attacks that are primarily social engineering. Google tells us that Safe Browsing currently flags an impressive 10,000 sites per day as malicious, data that it now draws on for its Transparency Report. Yet phishing is considered to be a more effective attack than ever, many years after it first came to prominence as a major threat, though email is no longer its primary entry point, whereas web browsers and web-hosted services such as social media account for a high proportion of phish delivery.

This is by no means a criticism of Safe Browsing, which is a very useful layer of protection for web users (not just Chrome users – the technology is used by Firefox and Safari too), and I applaud their efforts. After all, anti-malware technology isn’t capable of detecting 100% of malicious programs and URLs either: if it were, this would be a very different world. For a start, we wouldn’t need to pop up any alerts asking users to answer questions they don’t understand: we’d simply tell them that the site or application they were trying to access would not be allowed to run, as the app believed it to be malicious.

But here in the real world, we need to bear in mind that there are plenty of malicious sites and other vectors out there – our lab processes several hundred thousand threats per day, and they don’t all come from those 10,000 web sites. So while Google’s Transparency Report statistics may prove interesting and useful – and no doubt have some PR value – end users should continue to be vigilant and take care in selecting which sites they visit, rather than assuming that they can click where they like because they have protection.

It’s not all bad news, though. I’ve just seen what may be the most inept 419 scam email of all time.

  • The sender is one Gen Peter Blay
  • The subject line reads “1”
  • The body text: well, technically, there is no body text. However, there is a signature: “your retrieve donation”

It’s hard to believe that there is anyone naïve enough to fall for that. Not least because it’s unclear from that what the scam actually is (presumably some form of advance fee fraud, though), let alone what the scammer needs the victim to do in order to execute the scam.

In other contexts, I’d probably write this off as an example of a spammer/scammer test run. In this case, though, I’m in some doubt as to whether he’ll work out how to do a 419 spam run before he expires from starvation. But perhaps I’m doing him an injustice. In that case, Gen Pete, just send the million dollars to me care of the ESET North America office.

Monthly Threat Report: June 2012

1. INF/Autorun

Previous Ranking: 1
Percentage Detected: 6.28%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While using this mechanism can make it easy to spot for a scanner that uses this heuristic, it’s better, as Randy Abrams has suggested in our blog (http://blog.eset.com/?p=94; http://blog.eset.com/?p=828), to disable the Autorun function by default, rather than to rely on antivirus to detect it in every case. You may find Randy’s blog at http://www.eset.com/threat-center/blog/2009/08/25/now-you-can-fix-autorun useful, too.
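The INF/Autorun entries in the July 2013 and June 2012 lists describe the same heuristic: the scanner flags autorun.inf files that would launch a program, without knowing which family dropped them. The following is an added example written for this page (not ESET's detection code) that triages an autorun.inf in that spirit; the two sample files are constructed, and the list of hiding folders is an assumption drawn from the common worm layout.

```python
"""Heuristic triage of an autorun.inf, in the spirit of a generic INF/Autorun
detection: flag whatever would make Windows launch a program from the media,
without trying to name a malware family. Added example, not ESET's code."""
import re
from dataclasses import dataclass

# Keys whose value Windows treats as a program or command line to run.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command= entries replace what the double-click / right-click verbs do.
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")
# Folder names worms commonly hide under on removable media (constructed list).
SUSPICIOUS_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")


@dataclass
class Finding:
    key: str
    value: str
    reason: str


def parse_autorun(text: str) -> dict:
    """Parse every [autorun] section into a lowercase key -> value map.

    The format is INI-like. Mixed case, odd whitespace, ';' comments and junk
    lines are tolerated deliberately: those are the tricks used to make an entry
    look harmless to a naive scanner while Windows still honours it.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def triage(text: str) -> list:
    """Return the findings for one autorun.inf; an empty list means nothing would run."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            findings.append(Finding(key, value, "autorun launches a program"))
            if any(d in value.lower() for d in SUSPICIOUS_DIRS):
                findings.append(Finding(key, value, "target lives in a hidden/system folder"))
    if "shell" in entries:
        findings.append(Finding("shell", entries["shell"], "default double-click verb redirected"))
    action = entries.get("action", "")
    if "open folder" in action.lower():
        # The real AutoPlay dialog already offers this text; a file supplying it is posing as it.
        findings.append(Finding("action", action, "AutoPlay prompt impersonates 'Open folder to view files'"))
    return findings


# Constructed samples. The first mimics the layout worms such as Bundpil and Dorkbot
# use to run from a removable drive; the second is what a harmless drive label looks like.
WORM_SAMPLE = """
[AutoRun]
  ICoN = %SystemRoot%\\system32\\SHELL32.dll,4
  OPEN = RECYCLER\\S-1-5-21-example\\update.exe
  shell\\open\\Command = RECYCLER\\S-1-5-21-example\\update.exe
  shell\\explore\\Command=RECYCLER\\S-1-5-21-example\\update.exe
  Action=Open folder to view files
"""
LABEL_SAMPLE = """
[autorun]
label=Holiday photos
icon=photos.ico
"""

if __name__ == "__main__":
    for name, sample in (("worm", WORM_SAMPLE), ("label", LABEL_SAMPLE)):
        print(name, [f.reason for f in triage(sample)] or "clean")
```

A legitimate installer disc with `open=setup.exe` trips the first rule too, which is exactly why the text recommends disabling Autorun rather than relying on the scanner to decide every case.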

2. Win32/Conficker

Previous Ranking: 4
Percentage Detected: 3.65%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://blog.eset.com/?cat=145

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders. In view of all the publicity Conficker has received and its extensive use of a vulnerability that’s been remediable for so many months, we’d expect Conficker infections to be in decline by now if people were taking these commonsense precautions. While the current ranking looks like a drop in Conficker prevalence, this figure is affected by the changes in naming and statistical measurement mentioned earlier: there’s no indication of a significant drop in Conficker infections covering all variants.

3. HTML/ScrInject.B

Previous Ranking: 3
Percentage Detected: 3.57%

Generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect to the malware download.

4. HTML/Iframe.B

Previous Ranking: 2
Percentage Detected: 3.55%

Type of infiltration: Virus
HTML/Iframe.B is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location hosting malicious software.

5. JS/Iframe

Previous Ranking: 5
Percentage Detected: 2.72%

JS/Iframe.AS is a trojan that redirects the browser to a specific URL location with malicious software. The program code of the malware is usually embedded in HTML pages.

6. Win32/Sirefef

Previous Ranking: 6
Percentage Detected: 2.57%

Win32/Sirefef.A is a trojan that redirects results of online search engines to web sites that contain adware.

7. JS/TrojanDownloader.Iframe.NKE

Previous Ranking: 9
Percentage Detected: 2.10%

It is a trojan that redirects the browser to a specific URL location with malicious software. The program code of the malware is usually embedded in HTML pages.
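The HTML/ScrInject, HTML/Iframe and JS/Iframe entries in both lists describe generic detections rather than signatures: an IFRAME the viewer cannot see that pulls in an outside URL, or a script that rebuilds its injected markup at run time. As an added example written for this page (not ESET's detection logic), here is a small heuristic scanner that applies those two ideas to a constructed page; the marker list and size thresholds are assumptions.

```python
"""Heuristic scanner for the two generic web detections above: IFRAME tags hidden
from the viewer that load a third-party URL, and inline scripts that hide what they
inject behind unescape()/fromCharCode()/eval(). Added example, not ESET's code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)
OBFUSCATION_MARKERS = ("unescape(", "fromcharcode(", "eval(", "document.write(", "atob(")
# A long run of %XX or \xXX escapes is a string being rebuilt at run time.
ESCAPED_RUN_RE = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}){8,}", re.I)
LONG_LITERAL_RE = re.compile(r"[\"'][^\"'\s]{200,}[\"']")
REDIRECT_RE = re.compile(r"(?:top|window|document)?\.?location(?:\.href)?\s*=(?!=)|window\.open\(", re.I)


class _Collector(HTMLParser):
    """Collects iframe attributes and inline script bodies; html.parser hands
    <script> content to handle_data as raw text, which is what we want."""
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script, self._buf = True, []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("".join(self._buf))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def _dim(value):
    """Parse a width/height attribute ('0', '1px', '') into an int, or None if absent."""
    digits = re.sub(r"\D", "", value or "")
    return int(digits) if digits else None


def scan(html_text: str, page_host: str) -> list:
    """Return (kind, detail) findings; page_host is the host the page was served from."""
    c = _Collector()
    c.feed(html_text)
    findings = []
    for attrs in c.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host        # relative src => same origin
        w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
        hidden = (w is not None and w <= 2) or (h is not None and h <= 2) \
            or bool(HIDDEN_STYLE_RE.search(attrs.get("style", "")))
        # A visible embed from another host is ordinary; one the user cannot see is not.
        if hidden and host != page_host:
            findings.append(("hidden-iframe", f"{src} ({w}x{h}) loads third-party host {host}"))
    for body in c.scripts:
        low = body.lower()
        markers = sum(m in low for m in OBFUSCATION_MARKERS)
        rebuilt = ESCAPED_RUN_RE.search(body) or LONG_LITERAL_RE.search(body)
        if markers >= 2 and rebuilt:
            kind = "obfuscated-redirect" if REDIRECT_RE.search(body) else "obfuscated-script"
            findings.append((kind, f"{markers} decode/inject markers in {len(body)} bytes of script"))
    return findings


# Constructed page: one ordinary map embed, one zero-size off-site iframe, and a
# script that decodes and writes a second iframe at run time (the ScrInject pattern).
SAMPLE_PAGE = """<html><body>
<h1>Holiday photos</h1>
<iframe src="https://maps.example.org/embed?id=42" width="600" height="400"></iframe>
<iframe src="http://cdn-update.example.net/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>
var s = "%3C%69%66%72%61%6D%65%20%73%72%63%3D%22http://cdn-update.example.net/x%22%20width%3D0%3E";
document.write(unescape(s));
</script>
</body></html>"""
CLEAN_PAGE = '<html><body><p>hello</p><script>console.log("hi");</script></body></html>'

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_PAGE, "photos.example.com"):
        print(kind, "-", detail)
```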

8. Win32/Sality

Previous Ranking: 8
Percentage Detected: 1.87%

Sality is a polymorphic file infector. When run, it starts a service and creates or deletes registry keys related to security activity on the system, ensuring that the malicious process is started on each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature:
http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

9. Win32/Dorkbot

Previous Ranking: 7
Percentage Detected: 1.83%

Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using UPX.
The worm collects login user names and passwords when the user browses certain web sites, then attempts to send the gathered information to a remote machine.

10. Win32/Ramnit

Previous Ranking: 10
Percentage Detected: 1.13%

It is a file infector. It’s a virus that executes on every system start. It infects dll and exe files and also searches htm and html files to write malicious instructions into them. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files or shut down/restart the computer.

Monthly Threat Report: September 2011

Backup strategy for home users

David Harley CITP FBCS CISSP, ESET Senior Research Fellow

A shorter version of this article previously appeared in SC Magazine’s Cybercrime Corner.

Years ago, when I was a security analyst/administrator at a medical research organization in the UK, one of the units (not one I was personally responsible for, fortunately) had a nasty experience with a server. All its PCs were being dutifully backed up to the server in question, but unfortunately, it hadn’t occurred to anyone to back up the server. Not, at any rate, until problems hit both a PC and the server that resulted in the loss of data. Not critical data, perhaps, since the unit and the organization are still around, but significant enough to threaten managerial heads with a sudden migration from neck to guillotine basket, though to the best of my knowledge, no heads did roll in the end.

In fact, the history of security is littered with failed backup strategies. Here are a few horrible examples from Practical UNIX and Internet Security, by Simson Garfinkel and Eugene Spafford.

A researcher at DEC who lost ten years worth of email because the DAT tape on which it was backed up had never been verified and failed to work because of a bad block right at the beginning.

A project group that had to retype in a system from printout because it turned out that their home-brewed backup utility only backed up the first 1024 bytes of each file.

As Garfinkel and Spafford said: “Making backups and verifying them may be the most important things that you can do to protect your data…” And losing data can be just as disastrous to a home user (especially a home business user) as it is in the enterprise. To replace stolen or mangled hardware is just a matter of spending enough money. Replacing data that is no longer accessible is another matter, and it can be the difference between survival and non-survival for a business, or even a household, financially speaking. But if hardcore IT professionals can get it wrong, what chance does the everyday home user have of ensuring that their data are safe?

We all pay lip service to the idea of backup, but until you actually lose some data that you hadn’t backed up you may not really appreciate how important it is. In fact, consideration of backup strategies and mechanisms is generally a major component of generalist security courses and certifications, as it should be. Backup strategy and implementation in business is a more complex issue than you might think, and not every system administrator and/or IT manager gets it right all the time. What do you do if you’re a home or small business user, with no professional system administrator to explain/set you up with RAID, hot sites, replication, and all the other esoteric paraphernalia of disaster recovery?

Unfortunately, security professionals talking to end users are apt to emphasise the need to back up without going into the practical details of how to do it. ESET’s Aryeh Goretsky, however, has put together a short paper that addresses that need for the home/SOHO audience without lapsing into gratuitous marketing. He avoids overly-esoteric technical detail and uebergeek jargon, but manages to pack in enough information on a complex and difficult topic to give a home user a good grasp of what they need to know in order to take their first steps towards business continuity and disaster recovery in the home and small business.

Options for backing up your computer won’t turn you into a business continuity specialist. However, if you’ve never been quite sure of what you need to do in case a fire, burglary, hard disk failure or other disaster threatens the electronic data that so many of us are dependent on nowadays, you’ll understand the issues much better after reading it.

Table of Contents:

Both hardware and software needed to back up your computer
Hardware backup
Software backup
The value of archive programs
Syncing up
Disk imaging programs for backing up
Blended backups
Cloud-based data backup
Choosing which data to back up
How often to back up your computer
Diversify your backup methods
Where to store your backups
Replace your backups periodically
Data recovery services as a last option

A paper has been posted to ESET’s “Staying Secure Online” page, which links to other material that may well be of interest to many people.

The Art of Security

Stephen Cobb, CISSP, ESET Security Expert

Wandering among art exhibits in a park on a sunny Saturday in September might not sound like computer security research, but it is actually possible to learn a lot at San Diego’s annual ArtWalk on the Bay.

The May issue of the Global Threat Report carried an article about Securing Our eCity (SOeC), a community initiative to raise computer security awareness, led by ESET but supported by a wide range of companies, civic groups, and law enforcement agencies. More information about SOeC can be found at http://securingourecity.com/. In short, SOeC is a broad security awareness and education community.

What makes this event a valuable excursion for malware research activity is the opportunity to chat about computer security with a random sample of consumers in a relaxed setting. There turned out to be a wide range of awareness levels when it comes to the current state of malware and other online threats. An encouraging number of people were using some form of anti-virus software. A slightly smaller number understood that such software would not protect them against revealing their private data on a bogus website to which they were led by an apparently legitimate email.

At the Securing Our eCity booth people could enter a draw to win an iPad2 by writing down one thing they were doing to protect themselves online. Most people had no difficulty coming up with an answer, which was encouraging. That may be a reflection of the sentiment revealed by a recent ESET/Harris Interactive poll of more than 2,200 American adults: 91 percent feel vulnerable to some type of cyber attack.

In the findings of the report—as highlighted by Dan Clark, ESET’s VP of Marketing, in that Dark Reading article—it is possible to see that the drumbeat of high-profile security breaches is having an impact on consumer sentiment. More than half of those surveyed said that their faith in the ability of companies to protect their personal data had been diminished. Another finding in the poll reflected a view that was expressed by several people at the art event: more than 90 percent of those polled by Harris said that cybersecurity education should be part of a student’s curriculum. In the meantime, major companies continue to be penetrated by attacks that rely on user ignorance and social engineering, sometimes as a vector for malware distribution, sometimes as a direct entrée into internal systems. When information system security at firms like Mitsubishi Heavy Industries and RSA, or facilities like Oak Ridge National Laboratory, can be compromised by an employee making a bad decision to follow a deceptive link in a dubious email, you know the world needs a lot more security awareness and training than it is getting. That’s why the latest versions of ESET’s flagship products come with security training, and why ESET is supporting initiatives like Securing Our eCity. Only when security technology is backed by widespread security awareness can we hope to repel the rising tide of cyber attacks.

Dead Certs?

David Harley and Róbert Lipovský

Are we seeing the decline and fall of SSL and the Certificate Authority model?

ESET has had a few press enquiries lately about attacks on SSL/TLS/HTTPS, though really these attacks are more about trust issues with Certificate Authorities like DigiNotar and GlobalSign than about weaknesses in the underlying protocols. So Róbert Lipovský (malware researcher at ESET’s mothership in Bratislava) and David Harley decided to pool their thoughts on the subject as a sort of FAQ.

  1. What is an SSL attack?

The “SSL attacks” that have been mentioned recently are actually attacks on the SSL certificate scheme, against the specific certificate authority (i.e. stealing the certificate), or in the form of a man-in-the-middle (MITM) attack against the user (which is the ultimate goal). Or it could be said that they refer to all these aspects combined.

SSL is a cryptographic protocol used for secure transactions on the Internet. Very simply put, it’s the underlying technology in use when you see https:// in the address bar (rather than http://), for example when logging in to an online banking system. (HTTP stands for Hyper Text Transfer Protocol, and HTTPS stands for HTTP Secure.) Such secure sites should have a valid digital certificate (an SSL certificate) issued by a certificate authority (CA): the certificate is intended to prove that the entity (e.g. a bank) really is who or what it says it is, and not an attacker posing as that entity.

The problems arise when an attacker is able to steal such a certificate, which gives him a veneer of credibility when executing a man-in-the-middle attack (intercepting communication between you and the bank), running a (digitally signed) phishing site, and so on.

  2. What does this mean for the end user?

Well, the user should be cautious (as always), but there’s no cause for panic. The implication is that if someone can impersonate the server with which the user is communicating, then something that looks like a trusted communication channel is not, in fact, trustworthy. But in order to do that, the attacker has to get inside the communication channel between the user and the server (e.g. a bank). Simply put, the SSL attack lets the attacker say “hey, I’m your bank”, but he first needs to find a way to ensure that the victim connects to his server instead of the real bank server. If he can do that, then the transaction has already been compromised, with or without the SSL “vulnerability”.

  3. What can the end user do to protect himself?

An end user should at least check whether that lock icon is displayed in the web browser (bearing in mind that tricks for counterfeiting that icon are almost as old as phishing). The user should ensure that his connection is https:// over port 443, not http:// over port 80. If he’s using a modern browser (and it’s not a good idea to continue using older, less well-supported and -patched browsers) he should see everything’s green in the address bar, and should check the extended information about the connection. And most importantly, he shouldn’t proceed with the connection (as too many users do) if something looks fishy. Obviously, the regular advice still applies: use multi-layered protection, keep anti-virus and operating system software updated and patched, and (most of all) use common sense.

  4. What is a trustworthy connection?

One where:

  • The browser is up to date and fully patched, implements HTTPS correctly, is populated with trustworthy certification authorities, and is correctly configured so that it knows when certificates have been revoked and when CAs are no longer considered trustworthy.
  • The web site to which the user is connected offers a valid, up-to-date signed certificate.
  • The site matches the certificate and its holder’s name.

If it is not possible to be sure that all of this applies, or that the transaction is routed through a “safe” series of hops, or that the protocol itself is robust enough to withstand attacks on the encryption, the connection can’t be considered trustworthy.
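The three conditions above can be turned into client-side checks. The following is an added example, not code from the original report or from ESET: it builds a TLS client context that insists on chain validation against trusted CAs, a hostname match and (when a CRL file is supplied) revocation checking, and implements the “site matches the certificate” rule so it can be exercised offline on constructed certificate data. The certificate names, the CRL path parameter and the TLS 1.2 floor are this example’s assumptions.

```python
"""Checks behind the 'trustworthy connection' criteria (added example)."""
import ssl
from typing import Dict, List, Optional


def make_strict_context(crl_path: Optional[str] = None) -> ssl.SSLContext:
    """Client context that refuses anything short of the criteria above.

    - CERT_REQUIRED: the server must present a chain that validates against
      the trust store of installed CAs (no anonymous or unverified peers).
    - check_hostname: the certificate must match the name that was dialled.
    - VERIFY_CRL_CHECK_CHAIN: every certificate in the chain is checked
      against loaded CRLs, so a revoked leaf or intermediate is rejected.
      OpenSSL fails the handshake if no CRL is loaded, so the flag is only
      set when a CRL file (assumed path) has been supplied.
    - TLS 1.2 minimum is this example's assumption about 'robust enough'.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_flags |= ssl.VERIFY_X509_STRICT
    if crl_path is not None:
        ctx.load_verify_locations(cafile=crl_path)   # CRLs load the same way as CAs
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    return ctx


def context_summary(ctx: ssl.SSLContext) -> Dict[str, bool]:
    """Report which of the criteria a context actually enforces."""
    return {
        "requires_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "strict_x509": bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT),
        "crl_checked": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN),
    }


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and a single '*' may
    stand only for the whole leftmost label, never for the registrable
    domain itself and never for more than one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False            # '*.test' would match every host under a TLD
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False            # wildcard only as the entire leftmost label
    return p_labels[1:] == h_labels[1:]


def certificate_matches_host(cert: dict, hostname: str) -> bool:
    """Apply the rule to a certificate in the dict layout returned by
    ssl.SSLSocket.getpeercert(): subjectAltName DNS entries are authoritative;
    the subject commonName is consulted only when no dNSName is present."""
    dns_names: List[str] = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return any(_name_matches(n, hostname) for n in dns_names)


# Constructed sample certificate data; no real site or CA is represented.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "subjectAltName": (("DNS", "www.example-bank.test"),
                       ("DNS", "*.online.example-bank.test")),
}

if __name__ == "__main__":
    print(context_summary(make_strict_context()))
    for host in ("www.example-bank.test", "login.online.example-bank.test",
                 "www.example-bank.test.attacker.test"):
        print(f"{host:45s} matches: {certificate_matches_host(SAMPLE_CERT, host)}")
```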

  1. Is it time to ditch the CA system?

Perhaps that time is approaching. The problems aren’t so much with the technicalities of SSL, though, as with the difficulties of implementing a system that assumes trust in the provider without a realistic mechanism for determining where you can safely invest that trust. According to the Electronic Frontier Foundation, there are effectively over 650 CAs trusted by the main browsers. Looking at http://www.eff.org/files/colour_map_of_CAs.pdf it is possible to see who and where those CAs are; the question is this: how many of them are known to the user? There is no global authority that can be trusted to authenticate that mixture of state-owned, commercial and indeterminate authorities. Who, to coin a phrase, should authenticate the authenticators? Can users trust market forces, vested interests and political expediency to keep them safe, where the system assumes that they will trust the provider even though there is no overarching mechanism to ensure that trust invested in CAs is justified?

  1. Is there an alternative?

There is DNSSEC, though in such a case users are just investing trust in the same registrars who are (intentionally or not) providing the bad guys with malicious domains along with the legitimate domains that their victims use, and in ICANN and the same authorities that already administer Top Level Domains.

The Convergence/Moxie Marlinspike model of “trust notaries” using consensus from multiple notaries to authenticate is an interesting idea and it will be interesting to see how much traction it gets. However, it’s not a solution that spares the user the need to think for himself, and it has to compete with an entrenched commercial model.

  1. Are the DigiNotar attacks really more significant than Stuxnet?

While a Stuxnet-type attack might, in principle, cause a major physical disaster (note that we’re not saying that’s likely, and certainly not with the Stuxnet code that we’ve actually seen), it does seem to have been a highly-targeted attack which has been hyped to blazes (pun not entirely unintentional).

DigiNotar is significant in itself because of the range of affected targets, but even more so as a symptom of a more generalized attack against an infrastructure we’ve been conditioned into regarding as secure, and clearly isn’t. Will anyone who reads the news ever trust those little padlock icons again, when there are so many virtual bolt cutters around?

PDF Trojan Appears on Mac OS X

During this month a new threat targeting Mac OS X users has appeared. This Trojan targets the Macintosh Chinese-language user community. The trojan appears to the user to be a PDF containing a Chinese-language article on the long-running dispute over whether Japan or China owns the Diaoyu Islands.

When the user opens the “PDF” file, it attempts to mask the installation of a malicious payload by opening an actual PDF document that directs the user’s attention to the story. As our friends at Sophos note, while the user is focused on the article, the malware completes installation of a payload designed to give the attacker remote access to the victim’s computer.

This type of PDF exploit is common on Windows where it is often seen as .pdf.exe double-extension files.  However, this type of attack is new to the Mac platform and reminds Mac users that they should be aware that files appearing to be PDFs may not be what they seem.

Best practices to reduce the risk of infection are to:

  1. Never open file attachments in email that you did not expect to receive without first confirming the file was actually sent to you by the mailer
  2. When downloading files online, don’t trust sites that are not reputable outlets for content.
  3. Run antivirus/Internet security software on all your devices
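A mail gateway or download scanner can apply the “may not be what it seems” warning mechanically. The block below is an added example, not ESET’s detection logic or the original report’s code: it flags a double extension such as name.pdf.exe (or name.pdf.app on a Mac) and a .pdf name whose leading bytes are not a PDF header but an executable’s. The file names and header bytes are constructed samples.

```python
"""Flag files that claim to be PDFs but are not (added example)."""
import os
from dataclasses import dataclass, field
from typing import List, Tuple

PDF_MAGIC = b"%PDF-"
# Well-known executable headers: Windows PE, Mach-O (both byte orders and
# universal binaries) and ELF. Used only to describe what the file really is.
EXECUTABLE_MAGICS = {
    b"MZ": "Windows executable (PE)",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary",
    b"\x7fELF": "ELF executable",
}
# Extensions that launch code when double-clicked; .app is a bundle directory
# on Mac OS X, so for it only the name check applies.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".app", ".command", ".sh"}


@dataclass
class Verdict:
    name: str
    suspicious: bool = False
    reasons: List[str] = field(default_factory=list)


def assess(name: str, head: bytes) -> Verdict:
    """Judge one file from its name and the first few bytes of its content."""
    v = Verdict(name)
    parts = os.path.basename(name).lower().split(".")
    # Double extension: "article.pdf.exe" displays as "article.pdf" when the
    # OS hides known extensions, yet is executed as a program when opened.
    if len(parts) >= 3 and parts[-2] == "pdf" and "." + parts[-1] in EXECUTABLE_EXTS:
        v.suspicious = True
        v.reasons.append(f"double extension .pdf.{parts[-1]}")
    # Content check: a genuine PDF starts with %PDF-; anything else behind a
    # .pdf name is at best mislabelled and at worst a disguised executable.
    claims_pdf = parts[-1] == "pdf"
    exe_kind = next((d for m, d in EXECUTABLE_MAGICS.items() if head.startswith(m)), None)
    if claims_pdf and not head.startswith(PDF_MAGIC):
        v.suspicious = True
        detail = f" (content is a {exe_kind})" if exe_kind else ""
        v.reasons.append("named .pdf but content does not start with %PDF-" + detail)
    return v


def scan(samples: List[Tuple[str, bytes]]) -> List[Verdict]:
    return [assess(name, head) for name, head in samples]


# Constructed samples: the first is a real PDF header, the rest are disguises.
SAMPLES = [
    ("Diaoyu_islands_article.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("Diaoyu_islands_article.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("Diaoyu_islands_article.pdf", b"\xcf\xfa\xed\xfe\x07\x00\x00\x01"),
    ("Diaoyu_islands_article.pdf.app", b""),
]

if __name__ == "__main__":
    for verdict in scan(SAMPLES):
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{verdict.name:35s} {flag:10s} {'; '.join(verdict.reasons)}")
```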

ESET Cybersecurity for Mac detects these threats as OSX/Revir.A Trojan and OSX/Imuler.A Trojan. More information about this attack can be found at http://blog.eset.com/2011/09/23/pdf-trojan-appears-on-mac-os-x

The Good News About Security and Privacy Breaches: An Opportunity to Learn

During the last week of September there was a report of a “health data breach” at Indiana University School of Medicine, hot on the heels of the “medical privacy breach” the week before at Stanford Hospital in Palo Alto, California. In the Stanford breach, a commercial website was found to contain data relating to 20,000 emergency room patients including “names, diagnosis codes, account numbers, admission and discharge dates, and billing charges for patients seen at Stanford Hospital’s emergency room during a six-month period in 2009.” (New York Times)

The Indiana breach involved an unencrypted laptop from the department of surgery at the Indiana University School of Medicine. This laptop was “apparently” stolen from a physician’s car in August according to the report in Health Data Management. The laptop contained health information related to more than 3,000 people, including name, age, gender, and diagnosis. In addition, for some 178 patients, the records included Social Security numbers.

While both incidents are regrettable and should never have happened, they are quite different in several respects. For a start, the Stanford data was published online, and stayed online, for nearly a year. That is serious exposure. Even though criminal intent does not appear to be a factor in the data showing up online, there is no way to predict the intent of people who may have seen and/or downloaded the data while it was exposed. The Indiana data has not, as far as we know, been published, and it is quite possible that access to the data was not the motive for the theft.

The one “good” thing that both incidents have in common is the potential to educate individuals and organizations about information security and data privacy. The Stanford case, as detailed by Kevin Sack in the excellent New York Times coverage cited earlier, highlights the importance of outside contractor security and speaks to a well-established cybersecurity best practice: Any organization that uses outside contractors needs to make sure that those contractors adhere to the same standards of information security as the organization itself.

Stanford Hospital transferred patient data to a billing contractor that apparently failed to afford the data adequate protection because it showed up online in a spreadsheet used by a homework assistance website called Student of Fortune (as sample data in an example of how to produce bar graphs). This breach is bad news for the contractor, but also for Stanford Hospital, even though the hospital spokesperson is quoted in the New York Times as saying: “there is no employee from Stanford Hospital who has done anything impermissible.”

The hospital needs to routinely follow best practices and obtain written assurances from its contractors that they have specific and well-documented policies and procedures in place to prevent exposure of personally identifiable information. The hospital would also need to show that it has been diligent in verifying those assurances and auditing those policies and procedures.

Regarding the Indiana incident, the lessons are perhaps more straightforward. Reports of the incident state that the laptop was password-protected, but a system access password alone does not prevent a person from getting at data on the hard drive. Although the HIPAA Security Rule does not require patient data on a hard drive to be encrypted, there are compelling reasons to use encryption, not least of which is avoiding the embarrassing and costly exposure of patient data.

Furthermore, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which introduced mandatory notification of patients in the event that their records are exposed by a security breach, specifically exempts encrypted health data from these notification requirements. In other words, encrypted health information is not considered, under HIPAA, to be at risk if it falls into the wrong hands. (If you handle medical data, the American Medical Association has a very useful document on encryption here.)

Hopefully, both hospitals are wiser now, and other hospitals have learned from these incidents. If you don’t exercise due care with medical data shared with contractors or encrypt such data when it is stored on laptops, then the consequences can be damaging, to patients and to hospitals, and to society in general. After all, security failures like these undermine the potential of information systems to deliver benefits such as reduced healthcare costs and increased productivity.

The Top Ten Threats

1.  INF/Autorun

Previous Ranking: 1
Percentage Detected: 6.49%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While using this mechanism can make it easy to spot for a scanner that uses this heuristic, it’s better, as Randy Abrams has suggested in our blog (http://www.eset.com/threat-center/blog/?p=94; http://www.eset.com/threat-center/blog/?p=828) to disable the Autorun function by default, rather than to rely on antivirus to detect it in every case. You may find Randy’s blog at http://www.eset.com/threat-center/blog/2009/08/25/now-you-can-fix-autorun useful, too.

2. Win32/Conficker

Previous Ranking:  2
Percentage Detected: 3.65%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders. In view of all the publicity Conficker has received and its extensive use of a vulnerability that’s been remediable for so many months, we’d expect Conficker infections to be in decline by now if people were taking these commonsense precautions. While the current ranking looks like a drop in Conficker prevalence, this figure is affected by the changes in naming and statistical measurement mentioned earlier: there’s no indication of a significant drop in Conficker infections covering all variants.

3. Win32/Dorkbot

Previous Ranking: 4
Percentage Detected: 3.23%

Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using UPX.
The worm collects login user names and passwords when the user browses certain web sites, then attempts to send the gathered information to a remote machine.

4. Win32/Sality

Previous Ranking: 5
Percentage Detected: 2.29%

Sality is a polymorphic file infector. When run, it starts a service and creates or deletes registry keys related to security activity on the system, ensuring that the malicious process starts on each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature:
http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

5. HTML/Iframe.B

Previous Ranking: 3
Percentage Detected: 1.97%

Type of infiltration: Virus
HTML/Iframe.B is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location hosting malicious software.

 6. Win32/Autoit

Previous Ranking: 7
Percentage Detected: 1.65%

Win32/Autoit is a worm that spreads via removable media, and some of its variants also spread via MSN. It may arrive on a system as a file downloaded from a malicious web site, or it may be dropped by other malware. After infecting a system, it searches for all executable files and replaces them with a copy of itself. It copies itself to local disks and network resources. Once executed, it downloads additional threats or variants of itself.
To ensure that it is launched automatically when the system is rebooted, the worm adds a link to its executable file to the system registry.

7. HTML/ScrInject.B

Previous Ranking: 6
Percentage Detected: 1.56%

Generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect to a malware download.

8. Win32/Ramnit

Previous Ranking: 10
Percentage Detected: 1.09%

Win32/Ramnit is a file infector: a virus that executes on every system start. It infects DLL and EXE files and also searches for HTM and HTML files in which to write malicious instructions. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

9. Win32/PSW.OnLineGames

Previous Ranking: 8
Percentage Detected: 1.09%

This is a family of Trojans used in phishing attacks aimed specifically at game-players: this type of Trojan comes with keylogging and (sometimes) rootkit capabilities which gather information relating to online games and credentials for participating. Characteristically, the information is sent to a remote intruder’s PC.

These Trojans are still found in very high volumes, and game players need to remain alert. While there have always been unpleasant people who will steal another gamer’s credentials just for the heck of it, trading in virtual cash, treasure, avatars and so on is now a major source of illegal income for cybercriminals. It’s also important that participants in MMORPGs (Massively Multi-player Online Role Playing Games) like Lineage and World of Warcraft, as well as “metaverses” like Second Life, continue to be aware of the range of other threats like griefing ranged against them. The ESET Research team considered gaming malware in detail in the ESET 2008 Year End Global Threat Report, which can be found at http://www.eset.com/threat-center/threat_trends/EsetGlobalThreatReport(Jan2009).pdf

10. JS/TrojanDownloader.Iframe.NKE

Previous Ranking: 9
Percentage Detected: 1.00%

It is a trojan that redirects the browser to a specific URL location with malicious software. The program code of the malware is usually embedded in HTML pages.

Monthly Threat Report: August 2011

The Top Ten Threats

1.  INF/Autorun

Previous Ranking: 1
Percentage Detected: 6.40%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While using this mechanism can make it easy to spot for a scanner that uses this heuristic, it’s better, as Randy Abrams has suggested in our blog (http://blog.eset.com/2010/05/20/autorun-and-windows-7) to disable the Autorun function by default, rather than to rely on antivirus to detect it in every case. You may find Randy’s blog at http://blog.eset.com/2009/08/25/now-you-can-fix-autorun useful, too.

2. Win32/Conficker

Previous Ranking:  2
Percentage Detected: 4.22%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun.

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders. In view of all the publicity Conficker has received and its extensive use of a vulnerability that’s been remediable for so many months, we’d expect Conficker infections to be in decline by now if people were taking these commonsense precautions. While the current ranking looks like a drop in Conficker prevalence, this figure is affected by the changes in naming and statistical measurement mentioned earlier: there’s no indication of a significant drop in Conficker infections covering all variants.

3. HTML/Iframe.B.Gen

Previous Ranking: 5
Percentage Detected: 2.38%

Type of infiltration: Virus
HTML/Iframe.B.Gen is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location hosting malicious software.

4. Win32/Dorkbot

Previous Ranking: 7
Percentage Detected: 2.22%

Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using UPX.
The worm collects login user names and passwords when the user browses certain web sites, then attempts to send the gathered information to a remote machine.

5. Win32/Sality

Previous Ranking: 3
Percentage Detected: 2.10%

Sality is a polymorphic file infector. When run, it starts a service and creates or deletes registry keys related to security activity on the system, ensuring that the malicious process starts on each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature:
http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

6. HTML/ScrInject.B

Previous Ranking: 6
Percentage Detected: 1.79%

Generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect to a malware download.

7. Win32/Autoit

Previous Ranking: 8
Percentage Detected: 1.45%

Win32/Autoit is a worm that spreads via removable media, and some of its variants also spread via MSN. It may arrive on a system as a file downloaded from a malicious web site, or it may be dropped by other malware. After infecting a system, it searches for all executable files and replaces them with a copy of itself. It copies itself to local disks and network resources. Once executed, it downloads additional threats or variants of itself.
To ensure that it is launched automatically when the system is rebooted, the worm adds a link to its executable file to the system registry.

8. Win32/PSW.OnLineGames

Previous Ranking: 4
Percentage Detected: 1.23%

This is a family of Trojans used in phishing attacks aimed specifically at game-players: this type of Trojan comes with keylogging and (sometimes) rootkit capabilities which gather information relating to online games and credentials for participating. Characteristically, the information is sent to a remote intruder’s PC.

These Trojans are still found in very high volumes, and game players need to remain alert. While there have always been unpleasant people who will steal another gamer’s credentials just for the heck of it, trading in virtual cash, treasure, avatars and so on is now a major source of illegal income for cybercriminals. It’s also important that participants in MMORPGs (Massively Multi-player Online Role Playing Games) like Lineage and World of Warcraft, as well as “metaverses” like Second Life, continue to be aware of the range of other threats like griefing ranged against them.

9. JS/TrojanDownloader.Iframe.NKE

Previous Ranking: n/a
Percentage Detected: 1.12%

It is a trojan that redirects the browser to a specific URL location with malicious software. The program code of the malware is usually embedded in HTML pages.

10. Win32/Ramnit

Previous Ranking: 41
Percentage Detected: 0.98%

Win32/Ramnit is a file infector: a virus that executes on every system start. It infects DLL and EXE files and also searches for HTM and HTML files in which to write malicious instructions. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

Monthly Threat Report: July 2011

Real Men Don’t Do Safe Hex

Urban Schrott, IT Security & Cybercrime Analyst, ESET Ireland

Expressions based on puns about practicing Safe Hex – always use protection! – seem to have lost their popularity nowadays, even though security hygiene remains as important as sexual hygiene (though in very different contexts).

When an antivirus message pops up, do you do what it says or ignore it? Do you visit web pages flagged as dangerous by the antivirus? Do you run programs the antivirus recognizes as dangerous?  These are the sort of questions ESET Ireland asked Irish computer users in their latest computer security survey carried out by Amarách research.

The results were a bit shocking, as it turns out that 34% of the surveyed computer users (n=1000) ignore the alerts their antivirus shows them. Furthermore, according to detailed demographic statistics:

  • The worst (riskiest) behavior is displayed by a young male from the Dublin area (54% of age group 15-24, 35% of males and 41% in Dublin ignore warnings)
  • The safest behavior is displayed by a female over 55 from Connaught or Ulster (only 23% of age group 55+, 33% of females, and 31% in the north ignore warnings)
  • 4% of the survey sample don’t use any antivirus software at all (8% of the young and 5% of Dubliners)

If the data collected in the survey are truly representative of the Irish population in general, they suggest that up to 1.2 million Irish computer users might be prepared to infect their computers intentionally. While women are proving more careful, a large percentage of young men won’t be told what to do and will click on anything they please. This sort of behaviour results in thousands of lost documents, computer reinstallations, frustration and many wasted work hours. But, as David Harley observed in another article: “Surveys tell us a lot about attitudes, if they’re well-designed, but they don’t usually generate universally authoritative statistics in the context of populations this large.”

As I commented elsewhere:

“The relation between risk factor and demographics implies that the more someone considers themselves an experienced computer user or feels ‘they know what they are doing’, which certainly would be the case with young urban males, the more they are willing to take the chance of getting infected, just to run that program or view that website they wanted, no matter how risky it could be. It may seem like a paradox, but less computer savvy users are treating security much more carefully. Because, unfortunately, no matter how good your antivirus program is, it serves little purpose if you ignore its warnings or reverse its security protocols.”

David Harley remarked subsequently:

Years ago, when much of my job was 2nd/3rd line support, I’d regularly come across end users who wouldn’t or couldn’t update their antivirus. Then there were people who’d log a call for a virus-unconnected problem, but when I got there I’d routinely check their AV and find it was either disabled or even replaced with another product. And there were the real superstars who opened something apparently malicious just to see what would happen.

Urban’s observations actually map to my own experience in corporate support. People who are slightly nervous about technology, follow recommended practices, and ask when they’re not sure may ring the service desk more often, but their problems tend to be easier to solve. It’s the self-styled guru who doesn’t call for help until he’s already trashed his system (or worse, someone else’s) who is likeliest to have you spending your weekend rebuilding systems.

The Russia House

David Harley, ESET Senior Research Fellow

There’s a lot of excellent research coming out of ESET Russia’s labs these days, spearheaded by Aleksandr Matrosov and Eugene Rodionov. As readers of this newsletter, you’re probably aware of the contribution they made to research into Stuxnet, though that contribution is sometimes underestimated by the media, as I discussed here very recently. Then there’s their ongoing research into the TDSS malware family. The TDSS botnet, now in its 4th generation, is seriously sophisticated malware, and we recently revised their paper The Evolution of TDL: Conquering x64 to reflect the latest changes. Perhaps I can say “we” here: while it’s a long time since I did much in the way of hands-on research myself, the guys in the labs in Russia and Slovakia graciously let me play Dr. Watson to their Sherlock Holmes, though in truth Watson contributed more as a chronicler than I do. Anyway, I was asked for a non-technical explanation of the significance of TDL4’s shift to a peer-to-peer (P2P) model, so here it is again.

When a PC is infected by a bot, it becomes part of a network of other compromised machines which we call a botnet. So now the criminal who is managing the botnet needs to be able to issue instructions to the malware on each infected machine (zombie). And, of course, communication often needs to go the other way: depending on what the botnet is being used for, it may well have to return data to the “botmaster”. A very common way of implementing two-way communication is by setting up some machines as “Command & Control” (C&C) server: this is a malicious version of the client/server model, where a single server may provide services to many client PCs. And it still works very well, but there is a drawback to this approach, as far as the criminals are concerned.

If we’re able to trace and close down some or all of the C&C servers which are supplying information to the infected “zombie” PCs and telling them what to do, then we cut the head off the dragon: the zombies that rely on a server for their instructions are no longer able to carry out the wishes of the botmaster. (Or dragonmaster, if you prefer…)

Using the Kademlia P2P protocol, TDSS-infected machines are both client and server. All botnets use a perverted form of distributed processing, but this approach makes good use of distributed data, too. The information is shared between all the machines in the network. A compromised PC can get the information it needs from its neighbours, and it knows where they are because it keeps a sort of virtual phonebook hidden on the hard disk, only contacting the C&C server when the number of neighbouring nodes drops below ten (like a householder who realizes that his neighbours are all moving away and he needs to order a new telephone directory).

This doesn’t make TDL4 invulnerable, by any means, but it does mean that it’s harder to disable large swathes of the botnet at a stroke.

Unfortunately, the idea subsequently spread that the switch to P2P does make the botnet indestructible. Randy Abrams remarked:

“Calling the botnet indestructible is tantamount to calling the Internet unsustainable … I suspect that, in time, we’ll discover the ‘T’ in TDL stands for ‘Titanic,’ and a currently unseen iceberg will sink it.”

I agree that there’s no such thing as an indestructible botnet, though this one may not be as susceptible to immediate takedown as Rustock, for example.  However, TDSS has introduced new twists on old ideas like P2P networks and hiding malware – just as previous malware has used sectors marked as bad, slack space, or streams, TDL uses a hidden file system.

It’s also very adaptive, and its use of a Pay Per Install (PPI) business model, rather like that used for distribution of browser toolbars via affiliates like DogmaMillions and GangstaBucks, as described in our article at, has been very effective – and so has ruthlessly eliminating some of the competition. But there is no indestructible malware.

More recently a cybercrime group called “Ready to Ride” has attracted the attention of ESET’s Russian researchers by distributing malware of the Win32/Cycbot family. The group started in the fall of last year, judging from the domain name registration date: readytoride.su was registered on 8th September 2010. Its primary activities are substitution (index hijacking) of search engine results (Google, Bing, Yahoo) and clickjacking. Although the “Ready to Ride” group originated in Russia, it distributes Win32/Cycbot outside the borders of the Russian Federation. Going by the prices per installation (see figure 1), the primary target of the group is the US.

Win32/Cycbot is also distributed using a PPI (Pay Per Install) scheme, but doesn’t currently use a P2P botnet model. To download the malicious executable each partner uses the URL it has paid for, and after activation the bot submits its current status to the C&C (Command and Control) server from which it gets its instructions. The C&C URLs are hardcoded into the Win32/Cycbot executable and are updated when a new version of Win32/Cycbot is downloaded. By injecting JavaScript, diverting web searches and modifying HTML code, Cycbot is able to pass itself off as a user surfing web pages, so as to counteract systems intended to block clickjacking. It is able to modify the settings of the most popular browsers (Internet Explorer, Opera, Firefox). Win32/Cycbot is a multithreaded application, and a single instance of the bot can handle dozens of tasks, clicking advertisements or poisoning web searches.
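Because the C&C URLs are hardcoded in the executable and only change when a new build is pushed, the first thing an analyst does with a fresh Cycbot sample is pull the URL strings out of it and diff them against the previous version. The following is an added example of that step, written for this page rather than taken from ESET or from any Cycbot analysis: it scans a byte blob for URLs stored as ASCII and as UTF-16LE (the two encodings Windows binaries normally use for strings) and reports the hostnames and the delta between two builds. The sample “binary” and its .invalid hostnames are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for a dropped executable: header bytes, junk, and C&C
# URLs embedded both as ASCII and as UTF-16LE. Hostnames use the reserved
# .invalid TLD; nothing here is a real indicator.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"http://c2-one.invalid/gate.php?id=%s\x00"
    + b"\xff\xfe" + "https://c2-two.invalid/v2/bot.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03junk\x7f\x80"
    + b"http://c2-one.invalid/gate.php?id=%s\x00"  # same URL again; deduplicated below
)

# ASCII URL: scheme, then printable non-space bytes up to a NUL or whitespace.
ASCII_URL = re.compile(rb"https?://[\x21-\x7e]{4,}")
# UTF-16LE URL: every ASCII byte is followed by a NUL byte.
UTF16_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}")


def extract_urls(blob: bytes) -> list[str]:
    """Every URL-looking string in the blob, ASCII matches first, in order, without duplicates."""
    found = [m.group(0).decode("ascii") for m in ASCII_URL.finditer(blob)]
    found += [m.group(0).decode("utf-16-le") for m in UTF16_URL.finditer(blob)]
    unique: list[str] = []
    for url in found:
        if url not in unique:
            unique.append(url)
    return unique


def c2_hosts(blob: bytes) -> list[str]:
    """Hostnames to hand to a blocklist or DNS sinkhole, sorted."""
    return sorted({urlparse(u).hostname for u in extract_urls(blob)})


def new_hosts(old_blob: bytes, new_blob: bytes) -> list[str]:
    """Hosts present in an updated sample but absent from the previous build:
    the infrastructure change a bot update introduces."""
    return sorted(set(c2_hosts(new_blob)) - set(c2_hosts(old_blob)))


if __name__ == "__main__":
    for host in c2_hosts(SAMPLE_BINARY):
        print(host)
```

On a real sample the same pass is what `strings -e l` (UTF-16LE) combined with plain `strings` gives you, but doing it in code lets the extracted hosts feed straight into blocklists and lets each new build be diffed against the last one. Packed or string-encrypted samples will of course yield nothing until they are unpacked or dumped from memory.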

Their latest discoveries relate to Win32/Hodprot, a malware family previously referred to in a presentation “Cybercrime in Russia: Trends and issues” delivered at CARO2011 by Robert Lipovsky, Aleksandr Matrosov and also Dmitry Volkov of Group-IB. (An excellent presentation, by the way: one of the best of the workshop, in my unbiased opinion…)

In each case of bank fraud connected with Win32/Hodprot, a great deal of money was stolen. On average each fraudulent operation pulls in several hundred thousand USD.

More interestingly, the Win32/Hodprot botnet is connected to other botnets working in the field of bank fraud in Russia. In particular, it is Win32/Hodprot that was used to download Win32/Sheldor, Win32/RDPdoor and Win32/Platcyber onto the victims’ machines. The period when Win32/Sheldor and Win32/RDPdoor appear to have been most active matches that of Win32/Hodprot.

Taking into account its implementation details, Win32/Hodprot is a very complex threat, designed to penetrate deeply into an infected system and stay hidden for a long time. The main modules of the malware are stored in the system registry (HKLM\SOFTWARE\Settings) rather than as files in the file system. This makes forensics much more difficult: the malicious payload is hard to find because there is no corresponding file in the file system, and the payload is protected by an intricate customized encryption algorithm. Win32/Hodprot uses advanced techniques to infect the system and stay hidden which distinguish it from other malware: the Russian lab will be releasing a detailed analysis of the threat shortly.
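A payload that lives only in the registry has no file for a scanner or a file-system timeline to find, but it still has a shape: it is large enough to hold code and, being encrypted, it is close to uniformly random. That is enough for a first-pass triage of an exported hive. The block below is an added example of that triage and is not ESET’s detection logic or anything taken from the Hodprot analysis; it computes the Shannon entropy of each registry value and flags values that are both big and random. The values are constructed for the demonstration and, apart from HKLM\SOFTWARE\Settings which the report names, the key paths are illustrative.

```python
import math
import random


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant byte stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


# Constructed registry dump as (key, value name, raw bytes). Real input would
# come from `reg export` or an offline hive parser.
_rng = random.Random(7)
SAMPLE_VALUES = [
    # an encrypted module: large and near-random, the shape we want to flag
    (r"HKLM\SOFTWARE\Settings", "Data0",
     bytes(_rng.getrandbits(8) for _ in range(16384))),
    # a plain path string, low entropy
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater",
     b"C:\\Program Files\\Updater\\updater.exe\x00"),
    # a large but structured blob (mostly zeros and text), like cached UI state
    (r"HKCU\Software\Example\Cache", "Layout",
     b"MZ" + b"\x00" * 3000 + b"This program cannot be run in DOS mode.\r\n" * 60),
    # a small random value such as a salt: random, but too small to hold a module
    (r"HKLM\SOFTWARE\Example", "Salt", bytes(_rng.getrandbits(8) for _ in range(16))),
]


def find_registry_payloads(values, min_size: int = 4096, min_entropy: float = 7.0) -> list:
    """Flag values big enough to hold code and random enough to be encrypted or packed."""
    hits = []
    for key, name, data in values:
        ent = shannon_entropy(data)
        if len(data) >= min_size and ent >= min_entropy:
            hits.append({"key": key, "name": name, "size": len(data), "entropy": round(ent, 2)})
    return hits


if __name__ == "__main__":
    for hit in find_registry_payloads(SAMPLE_VALUES):
        print(f"{hit['key']}\\{hit['name']}: {hit['size']} bytes, entropy {hit['entropy']}")
```

The size floor is what keeps GUIDs, salts and hashes out of the results, and the entropy floor is what separates an encrypted module from a large but structured blob such as a cached window layout. Compressed legitimate data (icons, cached images) will also score high, so the output is a list of values to inspect, not a verdict; the point is that the analyst no longer has to know the key name in advance.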

1 in 20 mobile devices infected next year?

Mobile devices these days have more compute power than the full desktop PC of yesteryear, and they fit in your pocket: great news for folks “on the go.” And since you’re so multi-tasked anyway, why not load it up with things to make your life easier; after all, it’s really just a phone with a few embellishments, right? During the app install (while you wait for the trolley) it asks seemingly inane questions about permissions, but you plow right through and get on the trolley, can’t miss the trolley, right?

The problem is that many folks “on the go” carry more and more personal information on these handy devices, until eventually their whole life is on them. I’ve turned around and driven miles back home to get my Android when I’ve forgotten it; we’re glued to them. Turns out prying eyes have also figured this out, so now you can be robbed while sitting in traffic, using nothing more than a malicious app. You download an app, use it a few times and forget it, or move on to the next one. But in the background, it’s potentially harvesting the rich personal information you have typed, touched and tapped in, building a profile and sending it down the line to the highest bidder, all without you knowing.

A recent report from Trusteer points this out. According to their estimate, 1 in 20 mobile devices of various families will be infected with financial malware in the next 12 months, not too shabby for nasty hackers, very bad for the rest of us. According to Trusteer CEO Mickey Boodaei, “Fraudsters have all the tools they need to effectively turn mobile malware into the biggest customer security problem we’ve ever seen. They are lacking just one thing – customer adoption.” But don’t worry, customers are snapping up the latest fangled mobile devices in droves, and moving their lives slowly (or sometimes quickly) to center around the technology.

As they become more prevalent and we become more integrated with them, we will transact more and more with vendors using our mobile devices. This is where the environment gets “target rich.” Mr. Boodaei continues along this vein, “The number of users who bank online from their mobile devices is still relatively low. Additionally, transactions are not yet enabled for mobile devices on many banks’ websites. Since online fraud is mostly a big numbers game, attacking mobile bankers is not yet an effective fraud operation. But expect a change. In a year from now this is all going to look completely different as more users start banking from their mobile phone and fraudsters release their heavy guns.”

So how do you protect yourself and your financial information in the wake of this disconcerting trend? 2 simple steps will help you get headed in a good direction. These are targeted for people (like me) with short attention spans, you can do much more, but here are some quick ones that won’t cramp your style too much:

1) Take 2 minutes (more if you have it) instead of 1 to look around a bit at what other users have to say about an app before you install it. Is the company reputable? Have users had issues?

2) Be careful about granting an app elevated privileges when it prompts you, instead of just clicking along until it installs. If it’s a simple app, it really shouldn’t be asking to probe the deep recesses of your device, or you should know why.

Also, various vendors are releasing anti-malware products for mobile devices; expect to see more hitting the market down the road. While there is no “magic bullet” for security, mobile or otherwise, an extra minute or two of research and a healthy dose of curiosity if something “just doesn’t seem right” will go a long way toward protecting the online life you’ve grown so fond of.

Stop spam/botnets? Follow the money

It’s no secret that spam and botnets are big business. There are a multitude of variations on a familiar theme, but after they trick unwitting users, what happens to the money? Researchers at the University of California wondered the same thing. In their recent report, “Click Trajectories: End-to-End Analysis of the Spam Value Chain”, they analyze where the money goes, with the goal of stopping it at some major pinch point.

It seems the lowest-hanging fruit is the small number of venues where operators can “cash out” after a spree of cyber-nastiness. The study found that only a handful of banks are used by the whole sector: in fact, 95% of the operations examined used just three banking institutions. This is a far smaller link to disrupt than any other in the chain; stop these, and the rest of the chain becomes precarious. Stopping botnets and other cyber-nonsense is an ongoing game of “Whack-a-mole”, where as soon as one problem is solved another ten pop up, but cut off the money flow at the bank and they die of attrition, or so the theory goes.

They argue there are 3 distinct stages in the money flow chain:

1)     Advertising

2)     Click support

3)     Realization.

The advertising phase has received the most study because it creates the most visible customer-facing incidents: flooding e-mail inboxes and the like. But it’s only one link in the chain. Increasingly, botnet operators rent out their botnets to the highest bidder, so they’re really only a supplier to the larger operation.

Additionally, while many other aspects of the operation are fluid, it is more difficult and time consuming for the spam operator to change banking institutions, since “the replacement cost for new banks is high, both in setup fees and more importantly in time and overhead. Acquiring a legitimate merchant account directly with a bank requires coordination with the bank, with the card association, with a payment processor and typically involves a great deal of due diligence and delay (several days or weeks).”

Banks that don’t ask many questions about online transactions seem to be highly concentrated in a few specific regions. The bulk are located in only four: St. Kitts, Azerbaijan, Latvia and Russia. Though there are others elsewhere, these process most of the transactions studied. If these were targeted successfully, much of the spam ecosystem would be forced to regroup in other regions, which would take time and effort, causing profits to dip in the interim and so affecting the profitability of the botnet operators.

While it seems like an obvious step, cracking down on financial institutions in far flung regions may not be the simplest endeavor. Still, it’s an interesting potential choke point, and one that could be an effective tool in the battle, if executed successfully.

Latin America targeted by banker Trojans and Hotmail account theft

During the last month we have seen many campaigns using public figures such as presidents or famous artists as lures in order to propagate these threats through Latin America. Some of the countries selected for this purpose were Colombia, Guatemala, Brazil and Venezuela.

This month Colombia was also a target for Anonymous. The group hacked into Juan Manuel Santos’s Facebook account and posted a YouTube video against the celebration of Colombia’s independence on July 20th. Ex-president Álvaro Uribe’s Twitter account was also compromised and used to post the same link to the video.

The current Colombian president and ex-president Uribe both acknowledged what had happened, and both complained about the actions of the hacktivist group.

One of the most significant attacks was performed in Brazil, where two malware campaigns created by the same group of cybercriminals stole more than 8,000 Hotmail accounts through a phishing attack targeting customers of Brazilian banks. The stolen accounts were then used to propagate the threat across the region, successfully enough to draw more than 27,000 visits to the fake websites in less than 5 days.

This is in fact one of many social engineering campaigns run by the same group of criminals, whose activities we have been following since February. In every campaign they use the same methodology: fake emails are sent from a hacked email account.

Malware development in Latin America has grown over the years, and attacks targeting users of many banking institutions in the region have begun to emerge. Brazil is not only the leader in Latin America, it is also one of the world’s leaders in phishing Trojan development.

The Top Ten Threats

1.  INF/Autorun

Previous Ranking: 1
Percentage Detected: 6.51%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While using this mechanism can make it easy to spot for a scanner that uses this heuristic, it’s better, as Randy Abrams has suggested in our blog (http://www.eset.com/threat-center/blog/?p=94; http://www.eset.com/threat-center/blog/?p=828) to disable the Autorun function by default, rather than to rely on antivirus to detect it in every case. You may find Randy’s blog at http://www.eset.com/threat-center/blog/2009/08/25/now-you-can-fix-autorun useful, too.
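The heuristic the paragraph describes is easy to reason about once you look at what a worm actually writes to autorun.inf compared with a vendor installer disc. The block below is an added example of such a heuristic, written for this page; it is not ESET’s INF/Autorun detection logic, and both sample files are constructed rather than taken from real infections. It also applies to the INF/Autorun discussion in the later “Threat Losing Thread?” section and Top Ten entries, which describe the same mechanism. The tolerant parser matters: worms pad the file with junk and comment lines and mix the case of keys to defeat naive string matching.

```python
import re

# Constructed samples, not real worm artefacts: a vendor installer CD and the
# kind of autorun.inf a USB worm leaves behind (junk padding, mixed case, a
# payload hidden under RECYCLER, and Explorer's own verbs redirected to it).
BENIGN_INF = """\
[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

WORM_INF = r"""
[AuToRuN]
;dfj3q0fj3q0fj
OpEn=RECYCLER\hidden\payload.exe
;sdf234r
sHeLlExEcUtE=RECYCLER\hidden\payload.exe
shell\open\command=RECYCLER\hidden\payload.exe
shell\explore\command=RECYCLER\hidden\payload.exe
action=Open folder to view files
"""

LAUNCH_KEYS = {"open", "shellexecute"}
HIDING_DIRS = re.compile(
    r"(^|[\\/])(recycler|recycled|\$recycle\.bin|system volume information)([\\/]|$)", re.I)


def parse_autorun(text: str):
    """Tolerant INI reader: skips junk and comment lines, lower-cases sections and keys."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        yield section, key.strip().lower(), value.strip()


def assess_autorun(text: str):
    """Return (score, reasons). Any [autorun] entry that launches code is noted;
    the score rises with the tricks worms use and installers do not."""
    score, reasons = 0, []
    for section, key, value in parse_autorun(text):
        if section != "autorun":
            continue
        verb_override = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or verb_override:
            if verb_override:
                score += 3
                reasons.append(f"{key} rebinds an Explorer context-menu verb to {value}")
            else:
                score += 1
                reasons.append(f"{key} launches {value}")
            if HIDING_DIRS.search(value):
                score += 3
                reasons.append(f"{key} target is hidden under a recycler/system folder")
        elif key == "action" and "open folder" in value.lower():
            score += 2
            reasons.append("action text imitates Explorer's own 'Open folder to view files' entry")
    return score, reasons


def is_suspicious(text: str, threshold: int = 4) -> bool:
    return assess_autorun(text)[0] >= threshold


if __name__ == "__main__":
    for label, inf in (("installer", BENIGN_INF), ("worm", WORM_INF)):
        score, reasons = assess_autorun(inf)
        print(f"{label}: score {score}")
        for r in reasons:
            print("  -", r)
```

The installer scores 1 (it launches setup.exe, which is the legitimate use of the feature) while the worm file scores well above the threshold on several independent signals, so a single missed signal does not let it through. As the paragraph says, though, the better fix is not to run this check at all but to turn the feature off: on the Windows versions of the time that means setting NoDriveTypeAutoRun to 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, which is what the blog posts linked above walk through.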

2. Win32/Conficker

Previous Ranking:  2
Percentage Detected: 3.88%

The Win32/Conficker threat is a network worm originally propagated by exploiting a vulnerability in the Windows operating system (MS08-067). This vulnerability is in the RPC subsystem and can be exploited remotely by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and via removable media, making use of the Autorun facility that was enabled by default in Windows at the time (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since October 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders. In view of all the publicity Conficker has received and its extensive use of a vulnerability that’s been remediable for so many months, we’d expect Conficker infections to be in decline by now if people were taking these commonsense precautions. While the current ranking looks like a drop in Conficker prevalence, this figure is affected by the changes in naming and statistical measurement mentioned earlier: there’s no indication of a significant drop in Conficker infections covering all variants.
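Conficker’s habit of contacting web servers at pre-computed domain names has a side effect defenders can see on their own resolvers: most of the generated names are never registered, so an infected machine produces a burst of NXDOMAIN answers for names nobody typed. The block below is an added example of that detection, written for this page; it does not reproduce Conficker’s actual domain-generation algorithm (the names come from an ordinary seeded random generator) and the resolver log format is constructed. It buckets failed lookups per client into five-minute windows and flags clients with an unusual number of distinct unresolvable names.

```python
import random
import string
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed resolver log: "<ISO timestamp> <client> <queried name> <rcode>".
# One client browses normally; another walks a list of generated names, most
# of which nobody has registered, so the resolver answers NXDOMAIN. The
# generator is a plain seeded RNG, not Conficker's own algorithm.
def build_sample_log() -> str:
    rng = random.Random(42)
    t0 = datetime(2011, 6, 2, 10, 0, 0)
    lines = []
    for i in range(60):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        if i % 3 == 0:
            lines.append(f"{ts} 10.0.0.5 www.example.com NOERROR")
        else:
            label = "".join(rng.choice(string.ascii_lowercase) for _ in range(rng.randint(6, 10)))
            lines.append(f"{ts} 10.0.0.7 {label}.info NXDOMAIN")
    # one mistyped name from the normal client: a single NXDOMAIN is not a burst
    lines.append(f"{(t0 + timedelta(seconds=61)).isoformat()} 10.0.0.5 www.exmaple.com NXDOMAIN")
    return "\n".join(lines)


_EPOCH = datetime(1970, 1, 1)


def nxdomain_bursts(log_text: str, window: timedelta = timedelta(minutes=5),
                    threshold: int = 20) -> dict:
    """Map client -> largest number of distinct names that failed to resolve in
    any single window, for clients that reached `threshold` in some window."""
    per_window = defaultdict(set)
    for line in log_text.splitlines():
        ts, client, name, rcode = line.split()
        if rcode != "NXDOMAIN":
            continue
        bucket = (datetime.fromisoformat(ts) - _EPOCH) // window  # integer window index
        per_window[(client, bucket)].add(name.lower().rstrip("."))
    flagged = {}
    for (client, _), names in per_window.items():
        if len(names) >= threshold:
            flagged[client] = max(flagged.get(client, 0), len(names))
    return flagged


if __name__ == "__main__":
    for client, count in nxdomain_bursts(build_sample_log()).items():
        print(f"{client}: {count} distinct unresolvable names in one window")
```

Counting distinct names rather than raw failures is deliberate: a broken application retrying the same missing host produces many NXDOMAINs but only one name, whereas a bot working through a generated list produces a new name almost every time. The threshold is a tuning knob for your own environment; start by looking at the top clients rather than fixing a number in advance.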

3. Win32/Sality

Previous Ranking: 3
Percentage Detected: 2.03%

Sality is a polymorphic file infector. When run, it starts a service and creates/deletes registry keys related to security activities on the system and to ensure that the malicious process is started at each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature:
http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

4. Win32/PSW.OnLineGames

Previous Ranking: 4
Percentage Detected: 1.67%

This is a family of Trojans used in phishing attacks aimed specifically at game-players: this type of Trojan comes with keylogging and (sometimes) rootkit capabilities which gather information relating to online games and credentials for participating. Characteristically, the information is sent to a remote intruder’s PC.

These Trojans are still found in very high volumes, and game players need to remain alert. While there have always been unpleasant people who will steal another gamer’s credentials just for the heck of it, trading in virtual cash, treasure, avatars and so on is now a major source of illegal income for cybercriminals. It’s also important that participants in MMORPGs (Massively Multi-player Online Role Playing Games) like Lineage and World of Warcraft, as well as “metaverses” like Second Life, continue to be aware of the range of other threats like griefing ranged against them. The ESET Research team considered gaming malware in detail in the ESET 2008 Year End Global Threat Report, which can be found at http://www.eset.com/threat-center/threat_trends/EsetGlobalThreatReport(Jan2009).pdf

5. HTML/Iframe.B.Gen

Previous Ranking: 6
Percentage Detected: 1.67%

Type of infiltration: Virus
HTML/Iframe.B.Gen is generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location with malicious software.

6. HTML/ScrInject.B

Previous Ranking: 9
Percentage Detected: 1.56%

Generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect to a malware download.

7. Win32/Dorkbot

Previous Ranking: 11
Percentage Detected: 1.47%

Win32/Dorkbot.A is a worm that spreads via removable media. It contains a backdoor component and can be controlled remotely; the file is run-time compressed using UPX.
The worm collects login user names and passwords when the user browses certain web sites, and then attempts to send the gathered information to a remote machine.

8. Win32/Autoit

Previous Ranking: 5
Percentage Detected: 1.27%

Win32/Autoit is a worm that spreads via removable media, and some of its variants also spread via MSN. It may arrive on a system as a file downloaded from a malicious web site, or be dropped by other malware. After infecting a system, it searches for executable files and replaces them with copies of itself, copying itself to local disks and network resources. Once executed it downloads additional threats or variants of itself.
In order to ensure that the worm is launched automatically when the system is rebooted, it adds a link to its executable file in the system registry.

9. HTML/StartPage.NAE

Previous Ranking: 8
Percentage Detected: 1.08%

HTML/StartPage.NAE is a trojan which tries to promote certain web sites by modifying the Windows registry. The program code of the malware is usually embedded in HTML pages. Its aim is to change the page that is first opened when Microsoft Internet Explorer (the only affected browser) is started. This way it promotes a specific website, whose owner profits from the increased number of visitors. This specific variant of HTML/StartPage redirects affected users to the following website: hxxp://duzceligenclik.com

10. VBS/StartPage.NDS

Previous Ranking: 48
Percentage Detected: 0.97%

It is a trojan that changes the home page of certain web browsers.

Analysis of ESET’s ThreatSense.Net®, a sophisticated malware reporting and tracking system, shows that the highest number of detections this month, with 6.51% of the total, was scored by the INF/Autorun class of threat.

Monthly Threat Report: June 2011

Survey Reveals Chasm between Users’ Concerns and Behaviour

A recent survey commissioned by ESET and conducted online by Harris Interactive from May 31 to June 2, 2011 among 2,027 U.S. adults aged 18+ found a startling disconnect between users’ concerns about privacy and security and their actions on social networking sites.

The study found that 69% of online social networking account owners are concerned about security on social networking sites, yet a third of them have never changed the passwords for their social networking accounts and another 15% last changed their password more than a year ago.

Moreover, the survey revealed that one in ten online Americans with social networking accounts reported that an unknown party had gained unauthorised access to their account to spread malicious links and comments. This is particularly alarming since unauthorized access threatens the account owner’s security as well as that of their contacts: we’ve seen countless examples, including recent scams around the death of Osama Bin Laden.

The survey also found that 67% of account owners claimed that they were concerned about privacy issues, yet 55% of the account owners update their privacy settings less often than once every six months, if ever. This can be problematic. For example, Facebook makes it extremely difficult to know when you need to change settings because they virtually never advise users when they are making changes that may affect user privacy.

While 69% of account owners were concerned about security and 67% expressed concern about privacy there were other significant concerns reported as well.

  • 37% were concerned about someone creating a fake account in their name.
  • 95% of social networking account owners accept friend/follower/connection request always or sometimes.
  • 71% of social networking account owners are concerned that their personal information entered on social networking sites may be sold or shared without their knowledge for profit.
  • 17% were concerned about their children using social networking sites.

What can you do to secure yourself and your contacts on social networks?

A common misperception seems to have many users believing that social networking safety and privacy is entirely outside of their control. This is not the case—you can easily improve your online security if you follow these simple guidelines:

1. Use strong passwords

2. Know your options when it comes to privacy, and check back often.

3. Know who your real “friends” are.

When in doubt, seek help from outside resources.

Methodology
This survey was conducted online within the United States by Harris Interactive on behalf of Schwartz Communications from May 31-June 2, 2011 among 2,027 adults ages 18 and older, of whom 1,476 have social networking accounts. This online survey is not based on a probability sample and therefore no estimate of theoretical sampling error can be calculated.

Ireland: Password Security Improving

Urban Schrott, IT Security & Cybercrime Analyst, ESET Ireland

While hacking and data leakages are filling the headlines worldwide, we’ve looked at a more immediate aspect of personal security – passwords. Because a hacker must invest at least a minimum of effort to get anywhere, it is an everlasting mystery why the vast majority of computer users make the job so much easier by using the simplest and easiest-to-guess passwords. According to various sources, the most widespread passwords globally are still “123456” and “password”, along with other very simple ones.

This seemed just too terrible to us, so at ESET Ireland we had a survey carried out among Irish computer users, to see if they are any smarter than that. Well, we’re happy to say, yes they are! At least, a bit smarter. The survey was conducted to find out what sort of passwords the Irish use and how secure they are. We asked Irish computer users if their passwords resemble those in the several groups we made available, which reflect different levels of complexity and therefore increasing levels of protection.

Research was carried out by Amárach on behalf of ESET Ireland. In order to make a valid survey, a varied target audience, totalling 1000, was used. An 850 sample was derived online and a 150 sample was conducted face to face to ensure a fully representative sample.

The question we asked was “What does your email password look like?” and the optional answers given to the target audience were:

  • I use a combination of letters and numbers (examples: jimmy34, ron45xyz, ilrw12)
  • I use a simple word or sequence as password (examples: password, colin, 13435)
  • I use a fictitious word as password (examples: lianwer, gianron, cavoveti)
  • I use lowercase and capital letters and numbers (examples: Roisin 75, OpeRal1982)
  • I use lowercase and capital letters, punctuation marks and numbers combined (examples: MoCon-07, McBett0982!)
  • I use longer expressions (examples: Don’tforgettocallmother, Ican’tbebeaten)
  • I don’t know my password for my main email account, because the computer stores it

The results we got are shown in the chart: http://esetireland.files.wordpress.com/2011/06/eset_ie_survey_11.jpg

While the situation is not optimal, in that we’d prefer to see the majority using complex passwords (according to the survey, only about 10% do), it is still a step in the right direction in that:

  • 38% are using a combination of letters and numbers for their passwords.
  • 10% are using complex passwords.
  • A further 10% are using letters, numbers and capitalization.

That tells us that 58% of our respondents are in the category of users that don’t use the simplest “12345” passwords. So the constant attempts by ESET and others to raise awareness must have paid off, at least to a certain extent.

In a series of articles, David Harley has also been dealing with the issue of password security, but one worth pointing out in light of recent hacking events is the thought that “the best password in the world is of little use if the site or service or organization that you access with it isn’t taking proper care of it“, from the Password Strategies: Who Goes There article in SC Magazine.

So, while we do have a fantastically detailed and comprehensive White paper by David Harley and Randy Abrams available on Good Password Practice, and we do have the Irish example of computer users starting to take good practices to heart, further effort must be put into ensuring that service providers understand the importance of data protection and take adequate measures to ensure that confidential data stay confidential.

CTAC: staying in touch with ESET research

Recently, we summarized on the ESET ThreatBlog a number of ways in which you can stay in touch with CTAC (the Cyber Threat Analysis Center). The ESET blog page is at http://blog.eset.com/ and has an RSS feed. Randy Abrams and David Harley write several articles a week for SC Magazine’s Cybercrime Corner. The ESET white papers page includes (among others) sections for:

  • ESET conference papers
  • Articles by or featuring ESET researchers
  • ESET white papers
  • ESET presentations

The latest additions to the white papers page are presentations by David Harley (in PDF format, but including speaker notes) from Infosecurity UK 2011 (Infrastructure Attacks: The Next Generation?) and EICAR 2011 (Security Software and Rogue Economics: The Presentation) – the EICAR conference paper is itself available here.

A number of Twitter accounts are used to flag ESET output:

@ESETresearch, @ESETLLC, @ESET_CTAC, and @dharleyatESET are directly linked to CTAC.

@esetkb retweets Knowledgebase articles and videos, and @ESET sometimes flags CTAC output.

There is also a CTAC Facebook page, an ESET USA Facebook page at http://www.facebook.com/esetusa, and an ESET global page http://www.facebook.com/esetsoftware. There are lots of regional ESET FB pages, too: too many to list here.

Also, you can find ESET Latin America’s research team (contents in Spanish language), on their blog (http://blogs.eset-la.com/laboratorio) or Twitter account (@esetla).

INF/Autorun: Threat Losing Thread?

Microsoft published a blog post this month about its success in slashing the volume of malware infections exploiting the Autorun facility. INF/Autorun is ESET’s generic detection covering a wide range of malware families that install or modify autorun.inf files in order to infect systems. We’ve been explaining for a long time why Autorun has presented such a problem in recent years – see the text relating to INF/Autorun in the Top Ten section below – and why it has consistently appeared in the top three in ESET’s ThreatSense.Net® monthly figures.

In recent years, Microsoft has taken steps to address this loophole: firstly by turning off Autorun by default in Windows 7, then by making patches available for XP, Vista and Windows Server, and finally by pushing the changes out through Windows Update so that many more systems would then be updated automatically. Better late than never, some would say: in fact, ESET’s Director of Technical Education Randy Abrams has described it as “a very late response to a well-known problem that had a very predictable response”.

However, if you regularly read these reports, you’ll notice something a little strange. The dramatic drop in Microsoft’s report isn’t reflected in the ThreatSense.Net® figures. Fundamentally, that’s because we aren’t measuring the same things: Microsoft tells us that it saw infections on XP and Vista reduced by 1.3 million between February and May, but the telemetry we use for these reports isn’t measuring infections, but detections. As Randy puts it, “We are tracking shots on goal where Microsoft is tracking goals.” Actually, the first chart in the Microsoft blog is doing the same thing, so Chart 1 and Chart 2 are actually not directly comparable even there. In fact, when ESET Distinguished Researcher Aryeh Goretsky used similar metrics, he observed a similar, generally downward trend to that reported by Microsoft.

There are other factors, too. While there’s obviously an overlap between Microsoft’s customer-base and ours (an awful lot of ESET customers are running Windows!), we’re obviously not monitoring identical populations. Consider, for instance, the fact that XP SP2 is out of support, so that the figures for machines that aren’t updated beyond that show only a small drop. But that doesn’t, of course, mean that they aren’t a channel for infection attempts. And while a generic detection like INF/Autorun is optimal from the end-user’s point of view because it catches a wide range of malware in high volumes, it’s not so well-suited for accurate categorization of individual threats and threat families: that would be a gargantuan task, and not actually very useful to the customer.

As for looking at infections versus infected machines, neither approach is “wrong”: they just look at the threatscape from different perspectives.

Support Scams Not Gone, Not Forgotten

David Harley, ESET Senior Research Fellow

Support scams of the type where someone calls you out of the blue (“cold-calling”) to “help you” with a malware problem you didn’t know you had, or to help you check your system for problems, have been blogged about a great deal in the last year or two, but the issue seems to have come to life in the media again following a survey by Microsoft into this “emerging” threat. Emerging doesn’t seem quite the right word for a threat that’s been around for well over a year, but the survey came up with some interesting if disquieting figures, as discussed in a recent blog post.

It’s assumed in the Microsoft press release that if someone calls you out of the blue to tell you that you have a computer problem, it’s going to be a scam. Well, that’s probably generally true in the countries mentioned, but it’s actually more complicated than that. As we explained here, there are circumstances in which you might be cold-called legitimately in certain countries and in certain contexts. And in a white paper, we’ve tried to address some of the legal issues as well as providing a comprehensive picture of how the scams tend to work.

The press release contains some good advice but it didn’t mention a couple of things:

  • Most (though not all) of these scams rely on persuading you to run Event Viewer, which is pretty useless as a diagnostic tool unless you already know enough about Windows internals not to fall for the scam. It flags a whole bunch of transient errors that may frighten a technically-challenged victim, but don’t actually signify a real problem at all, so if someone tries to get you to run a program called EVENTVWR, that’s a pretty good scam heuristic in itself.
  • While the survey didn’t include Australia, that’s also a very commonly targeted population: CNET is incorrect (http://news.cnet.com/8301-1009_3-20071568-83/scammers-turning-to-phone-calls-to-gain-pc-access/ ) in saying that only the countries surveyed are seeing the problem at the moment. It’s true, of course, that other countries with a large English-speaking population could be targeted, and that the scammers might start targeting speakers of other languages.

The Top Ten Threats

1.  INF/Autorun

Previous Ranking: 1
Percentage Detected: 6.72%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While using this mechanism can make it easy to spot for a scanner that uses this heuristic, it’s better, as Randy Abrams has suggested in our blog (http://www.eset.com/threat-center/blog/?p=94; http://www.eset.com/threat-center/blog/?p=828) to disable the Autorun function by default, rather than to rely on antivirus to detect it in every case. You may find Randy’s blog at http://www.eset.com/threat-center/blog/2009/08/25/now-you-can-fix-autorun useful, too.

2. Win32/Conficker

Previous Ranking:  2
Percentage Detected: 3.82%

Win32/Conficker is a network worm that originally propagated by exploiting a vulnerability in the Windows Server service, reachable over RPC, which can be exploited remotely by an attacker without valid user credentials (the flaw patched by Microsoft in MS08-067). Depending on the variant, it may also spread via unsecured shared folders and via removable media, making use of the Autorun facility that older versions of Windows enable by default (though not Windows 7, and Microsoft’s February 2011 update also turns it off for non-optical media on XP and Vista).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since October 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders. In view of all the publicity Conficker has received and its extensive use of a vulnerability that’s been remediable for so many months, we’d expect Conficker infections to be in decline by now if people were taking these commonsense precautions. While the current ranking looks like a drop in Conficker prevalence, this figure is affected by the changes in naming and statistical measurement mentioned earlier: there’s no indication of a significant drop in Conficker infections covering all variants.

3. Win32/Sality

Previous Ranking: 4
Percentage Detected: 1.98%

Sality is a polymorphic file infector. When run, it starts a service and creates or deletes registry keys related to security software on the system, and adds entries that ensure its malicious process is started on every reboot of the operating system. It infects EXE and SCR files and disables services and processes belonging to security solutions.
More information relating to a specific signature:
http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

4. Win32/PSW.OnLineGames

Previous Ranking: 3
Percentage Detected: 1.88%

This is a family of Trojans used in credential-theft attacks aimed specifically at game players: this type of Trojan comes with keylogging and (sometimes) rootkit capabilities which gather information relating to online games and the credentials used to play them. Characteristically, the information is sent to a remote intruder’s PC.

These Trojans are still found in very high volumes, and game players need to remain alert. While there have always been unpleasant people who will steal another gamer’s credentials just for the heck of it, trading in virtual cash, treasure, avatars and so on is now a major source of illegal income for cybercriminals. It’s also important that participants in MMORPGs (Massively Multiplayer Online Role Playing Games) like Lineage and World of Warcraft, as well as “metaverses” like Second Life, continue to be aware of the range of other threats, such as griefing, arrayed against them. The ESET Research team considered gaming malware in detail in the ESET 2008 Year End Global Threat Report, which can be found at http://www.eset.com/threat-center/threat_trends/EsetGlobalThreatReport(Jan2009).pdf

5. Win32/Autoit

Previous Ranking: 8
Percentage Detected: 1.39%

Win32/Autoit is a worm that spreads via removable media; some variants also spread via MSN Messenger. It may arrive on a system as a file downloaded from a malicious website, or be dropped by other malware. After infecting a system, it searches for executable files and replaces them with copies of itself, and copies itself to local disks and network shares. Once executed, it downloads additional threats or further variants of itself.
To ensure that it is launched automatically when the system is rebooted, the worm adds a registry entry pointing to its executable file.

6. HTML/Iframe.B.Gen

Previous Ranking: 7

Percentage Detected: 1.24%

HTML/Iframe.B.Gen is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a URL that serves malicious software.

7. Win32/Bflient

Previous Ranking: 9
Percentage Detected: 1.13%

Win32/Bflient is a worm that spreads via removable media and contains a backdoor. It can be controlled remotely and ensures it is started each time infected media is inserted into the computer.

8. HTML/StartPage.NAE

Previous Ranking: 5
Percentage Detected: 1.04%

HTML/StartPage.NAE is a trojan which tries to promote certain websites by modifying the Windows registry. The program code of the malware is usually embedded in HTML pages. Its aim is to change the website that is first opened when Microsoft Internet Explorer (the only affected browser) is launched. This way it promotes a specific website, whose owner profits from the increased number of visitors. This specific variant of HTML/StartPage redirects affected users to the following website: hxxp://duzceligenclik.com

9. HTML/ScrInject.B

Previous Ranking: 11
Percentage Detected: 0.92%

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect the browser to a malware download.

10. Win32/AutoRun

Previous Ranking: 10
Percentage Detected: 0.86%

Threats identified with the label ‘AutoRun’ are known to use the Autorun.INF file. This file is used to automatically start programs when a removable drive is inserted into a computer. The file itself doesn’t represent a threat, but combined with a binary file it becomes a delivery mechanism.

Monthly Threat Report: May 2011

Facebook privacy: security concerns

If Facebook were a country, it would be the third largest one in the world (http://blog.eset.com/2011/05/04/osama-bin-laden-is-alive-and-well-on-facebook). All those Facebook users are exposed to the many social networking risks and nuisances that are regularly reported nowadays. Paul Laudanski wrote a comprehensive blog article which is a timely and essential guide to better and safer management of a Facebook account.

As Paul points out, breaches can and do occur, and the only way to truly protect the information is to not have it online. However, that would be a sort of defeat to the purpose of social networking. The best thing to do is to understand the risks and take all reasonable measures to protect oneself against scams and identity theft.

Cybersecurity symposium in San Diego

Securing Our eCity (SOeC), an initiative that originated in the city of San Diego, California (USA), has held a new event that brought together people connected with this cyber security education initiative, which has been expanding for more than two years.

On May 17th, over a hundred people attended the first of two annual symposiums organized by SOeC, an all-day event. ESET was there to hear talks by specialists from the education, technology and cyber security sectors, including representatives of government, business and nonprofit organizations.

The presentations were all related to the initiative’s themes: the problem of raising public awareness of cyber security, the same challenge in business, and the role of government. Among the featured speakers were Ernest McDuffie, who leads the national cyber security education initiative at NIST (the National Institute of Standards and Technology); Ruben Barrales, CEO of the San Diego Regional Chamber of Commerce; Nathan Fletcher, a member of the California legislature; Darin Andersen, Chief Operating Officer (COO) of ESET North America; and Duane Roth, CEO of Connect, an organization dedicated to supporting entrepreneurs.

The symposium featured three expert panels: one on the problem as it affects small and medium enterprises in particular, one on the laws and regulations relating to business, and one on the need to prepare leaders able to handle the issue in the future.

There were also two workshops, one on security at the household level and the other on the resources required to create an information security framework within an organization. The event ended with a ceremony presenting the annual awards to information technology executives.

Return of the password reset attack
Randy Abrams, director of technical education, ESET

Most people know about the Sony PlayStation Network/Qriocity Service breach by now. Probably most of those people know that they need to change those account passwords when they can access the network again. Many people might be aware that if they used the same password in other places, they need to change those passwords as well. Sony doesn’t seem to know if credit card details were breached, so many people are cancelling the credit cards used in conjunction with their Sony accounts.

The insidious threat that many people may miss is the compromise of the answers to password reset questions. That was some of the data that was reportedly compromised in the breach, and has perpetual consequences if you do not change your security reset answers on other sites as well.

The way the password reset attack works is that a hacker tries to log into your account. It may be an email account, a social networking account, a blogging account, or another type of online account. The hacker clicks the link for “I forgot my password” and is challenged with security questions. Having obtained the answers from the Sony data breach, the hacker knows the answers to the reset questions and is now able to commandeer your accounts, depending on the mechanism that particular sites use in conjunction with the security challenge questions.

If you are one of the victims of the Sony breach, do not overlook the significance of the challenge questions. You need to determine each site you are signed up with, and if they use any of the same security challenge questions that were used on the Sony site. Failure to change the answers may leave your other accounts vulnerable to cybercriminals performing password reset attacks.
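The attack described above, played through against two hypothetical sites, as an added example (not code from ESET, Sony or the article’s author). The “sony_like” site keeps challenge answers in plain text, which is what a database breach then exposes; “other_site” stores them salted and slow-hashed, which is what a site should do. The user, the questions and the breach dump are all constructed for the demonstration.

```python
"""Password-reset challenge answers: storage and the reuse problem.

Added example. Two hypothetical sites: one stores answers in plain text,
the other stores PBKDF2 hashes. Users and breach data are constructed.
"""
import hashlib
import hmac
import os
import re
import unicodedata

ITERATIONS = 100_000  # PBKDF2 work factor: slows offline guessing of leaked hashes


def normalize_answer(answer):
    """Canonical form so 'St. Mary's School' and 'st marys school' match.

    The hash must be taken over this form, or legitimate users fail the check.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)
    return " ".join(text.split())


def hash_answer(answer, salt=None, iterations=ITERATIONS):
    """Record safe to store: nothing in it reveals the answer."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": iterations}


def verify_answer(record, attempt):
    """Recompute and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(attempt).encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


class Site:
    """Minimal account store; hashed=False reproduces the weak design."""

    def __init__(self, name, hashed):
        self.name, self.hashed, self.challenges = name, hashed, {}

    def set_answers(self, user, answers):
        self.challenges[user] = {
            q: (hash_answer(a) if self.hashed else a) for q, a in answers.items()
        }

    def reset_password(self, user, attempts):
        """Succeeds only if every question is answered correctly."""
        stored = self.challenges.get(user, {})
        if not stored or set(attempts) != set(stored):
            return False
        ok = True
        for q, a in attempts.items():  # check every answer, no early exit
            if self.hashed:
                ok &= verify_answer(stored[q], a)
            else:
                ok &= normalize_answer(stored[q]) == normalize_answer(a)
        return ok

    def breach_dump(self, user):
        """What an attacker who reads the database gets for one account."""
        return dict(self.challenges.get(user, {}))


def attacker_can_reset(target_site, user, dump):
    """Replay breached answers against another site's reset flow.

    Works only if the dump holds usable (plain-text) answers AND the user
    reused those answers on the target site.
    """
    replay = {q: v for q, v in dump.items() if isinstance(v, str)}
    return bool(replay) and target_site.reset_password(user, replay)


def demo():
    answers = {"first school": "St. Mary's School", "mother's maiden name": "O'Neil"}
    breached = Site("sony_like", hashed=False)
    other = Site("other_site", hashed=True)
    breached.set_answers("alice", answers)
    other.set_answers("alice", answers)  # same answers reused on a second site

    dump = breached.breach_dump("alice")
    before = attacker_can_reset(other, "alice", dump)  # reuse: attacker wins
    # Had the breached site hashed its answers, there is nothing to replay.
    from_hashed = attacker_can_reset(breached, "alice", other.breach_dump("alice"))
    # The user's only remedy: change the answers on every other site.
    other.set_answers("alice", {"first school": "correct horse battery",
                                "mother's maiden name": "staple 7 lantern"})
    after = attacker_can_reset(other, "alice", dump)
    return before, from_hashed, after


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Note that hashing on the second site does not help the user here: the attacker is presenting the right answers, just learned from somewhere else. Hashing protects the site that is breached, not the sites where the same answers were reused, which is why the only remedy after a breach is to change the answers elsewhere.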

The Top Ten Threats

1.  INF/Autorun

Previous Ranking: 1
Percentage Detected: 6.58%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While using this mechanism can make it easy to spot for a scanner that uses this heuristic, it’s better to disable the Autorun function by default, rather than to rely on antivirus to detect it in every case.
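To make the heuristic behind the INF/Autorun and Win32/AutoRun entries (in this report and the previous one) concrete, here is an added example that is not ESET’s detection code: it parses an autorun.inf leniently and flags every directive that causes Windows to run a program on insertion or on the drive’s default double-click action, plus the social-engineering tells typical of worm-dropped files. Both sample files are constructed; the RECYCLER path and SID in the worm sample are made up.

```python
"""Heuristic triage of autorun.inf files (added example, not ESET's logic)."""
import re

EXEC_KEYS = {"open", "shellexecute"}  # run a program under AutoRun/AutoPlay
SHELL_CMD_RE = re.compile(r"^shell\\([^\\]+)\\command$")  # hijacks Explorer verbs
HIDDEN_DIRS = ("recycler", "$recycle.bin", "system volume information")


def parse_autorun(text):
    """Lenient INI parse: {section: [(key, value), ...]}, keys lower-cased.

    Worm-dropped files carry junk lines, comments and mixed case, so this is
    deliberately more forgiving than configparser.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def analyse_autorun(text):
    """Return [(severity, reason), ...] for the [autorun*] sections of a file."""
    findings = []
    for name, entries in parse_autorun(text).items():
        if not name.startswith("autorun"):
            continue
        for key, value in entries:
            low = value.lower()
            if key in EXEC_KEYS:
                findings.append(("high", f"{key}= executes '{value}' on insertion"))
            elif SHELL_CMD_RE.match(key):
                verb = SHELL_CMD_RE.match(key).group(1)
                findings.append(("high", f"shell\\{verb}\\command= runs '{value}' on '{verb}'"))
            elif key == "shell":
                findings.append(("medium", f"shell= makes '{value}' the default verb"))
            elif key == "action" and "folder" in low:
                findings.append(("medium", f"action= mimics Explorer's 'Open folder' prompt: {value}"))
            elif key == "icon" and "shell32.dll" in low:
                findings.append(("medium", "icon= borrows a system icon (folder/drive lookalike)"))
            elif key == "useautoplay" and low == "1":
                findings.append(("low", "UseAutoPlay=1 forces AutoPlay handling"))
            if any(d in low for d in HIDDEN_DIRS):
                findings.append(("medium", f"{key}= points into a hidden system folder"))
    return findings


def verdict(findings):
    """'suspicious' if anything executes code, 'review' for tells only, else 'clean'."""
    if any(sev == "high" for sev, _ in findings):
        return "suspicious"
    return "review" if findings else "clean"


# Constructed samples (not real malware artefacts).
BENIGN_SAMPLE = """\
[autorun]
label=Product CD
icon=setup.ico
"""

WORM_SAMPLE = """\
[AutoRun]
;junk comment, typical of worm-dropped files
open=RECYCLER\\S-1-5-21-1111111111-2222222222-3333333333-1001\\update.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\Command=RECYCLER\\S-1-5-21-1111111111-2222222222-3333333333-1001\\update.exe
shell\\explore\\command=RECYCLER\\S-1-5-21-1111111111-2222222222-3333333333-1001\\update.exe
UseAutoPlay=1
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("worm", WORM_SAMPLE)):
        findings = analyse_autorun(sample)
        print(f"{label}: {verdict(findings)}")
        for sev, reason in findings:
            print(f"  [{sev}] {reason}")
```

The worm sample is flagged three times over because it overrides not just the insertion action (open=) but also Explorer’s “open” and “explore” verbs, so a user who avoids AutoPlay and simply double-clicks the drive still runs the payload. That is why the mitigation is to disable the mechanism rather than to be careful with it: on the affected Windows versions, set the NoDriveTypeAutoRun policy under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer to 0xFF, and apply the Microsoft update that makes Windows honour it for autorun.inf files.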

2. Win32/Conficker

Previous Ranking:  2
Percentage Detected: 3.61%

Win32/Conficker is a network worm that originally propagated by exploiting a vulnerability in the Windows Server service, reachable over RPC, which can be exploited remotely by an attacker without valid user credentials (the flaw patched by Microsoft in MS08-067). Depending on the variant, it may also spread via unsecured shared folders and via removable media, making use of the Autorun facility that older versions of Windows enable by default (though not Windows 7, and Microsoft’s February 2011 update also turns it off for non-optical media on XP and Vista).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since October 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun.

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders. In view of all the publicity Conficker has received and its extensive use of a vulnerability that’s been remediable for so many months, we’d expect Conficker infections to be in decline by now if people were taking these commonsense precautions. While the current ranking looks like a drop in Conficker prevalence, this figure is affected by the changes in naming and statistical measurement mentioned earlier: there’s no indication of a significant drop in Conficker infections covering all variants.

 3. Win32/PSW.OnLineGames

Previous Ranking: 3
Percentage Detected: 1.92%

This is a family of Trojans used in credential-theft attacks aimed specifically at game players: this type of Trojan comes with keylogging and (sometimes) rootkit capabilities which gather information relating to online games and the credentials used to play them. Characteristically, the information is sent to a remote intruder’s PC.

These Trojans are still found in very high volumes, and game players need to remain alert. While there have always been unpleasant people who will steal another gamer’s credentials just for the heck of it, trading in virtual cash, treasure, avatars and so on is now a major source of illegal income for cybercriminals. It’s also important that participants in MMORPGs (Massively Multiplayer Online Role Playing Games) like Lineage and World of Warcraft, as well as “metaverses” like Second Life, continue to be aware of the range of other threats, such as griefing, arrayed against them. The ESET Research team considered gaming malware in detail in the ESET 2008 Year End Global Threat Report, which can be found at http://www.eset.com/threat-center/threat_trends/EsetGlobalThreatReport(Jan2009).pdf

4. Win32/Sality

Previous Ranking: 4
Percentage Detected: 1.88%

Sality is a polymorphic file infector. When run, it starts a service and creates or deletes registry keys related to security software on the system, and adds entries that ensure its malicious process is started on every reboot of the operating system. It infects EXE and SCR files and disables services and processes belonging to security solutions.
More information relating to a specific signature:
http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

5. HTML/StartPage.NAE

Previous Ranking: 17
Percentage Detected: 1.78%

HTML/StartPage.NAE is a trojan which tries to promote certain websites by modifying the Windows registry. The program code of the malware is usually embedded in HTML pages. Its aim is to change the website that is first opened when Microsoft Internet Explorer (the only affected browser) is launched. This way it promotes a specific website, whose owner profits from the increased number of visitors. This specific variant of HTML/StartPage redirects affected users to the following website: hxxp://duzceligenclik.com

6. JS/Redirector

Previous Ranking: 11
Percentage Detected: 1.59%

JS/Redirector.NID is a trojan that redirects the browser to a URL that serves malicious software. The program code is usually embedded in the HTML pages of compromised but otherwise legitimate websites. As the name indicates, it uses JavaScript, usually obfuscated, to perform the redirection to the malicious site, and thereby tries to download and execute malware on the client’s computer: a widely used distribution technique.

7. HTML/Iframe.B.Gen

Previous Ranking: 7
Percentage Detected: 1.59%

HTML/Iframe.B.Gen is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a URL that serves malicious software.
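The three web-injection detections in these reports (HTML/Iframe.B.Gen, HTML/ScrInject.B and JS/Redirector) all describe the same thing from the defender’s side: something was added to a page that silently sends the browser elsewhere. As an added example, and not ESET’s signature logic, the scanner below runs over a fetched page and reports invisible off-site IFRAMEs, inline scripts that hide their payload behind eval/unescape/fromCharCode/document.write and runs of escaped characters, and anything appended after the closing </html>, a common trace of server-side tampering. The sample pages and hostnames are constructed (.example and .invalid are reserved names).

```python
"""Scanner for injected-IFRAME and obfuscated-redirect patterns (added example)."""
import re
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
ESCAPED_RE = re.compile(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}", re.I)
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromcharcode", "document.write(")


def parse_attrs(attr_text):
    """Tag attributes as a lower-cased dict; handles ", ' and bare values."""
    return {k.lower(): (dq or sq or bare) for k, dq, sq, bare in ATTR_RE.findall(attr_text)}


def _tiny(value):
    digits = re.sub(r"px$", "", value.strip().lower())
    return digits.isdigit() and int(digits) <= 1


def iframe_is_hidden(attrs):
    """0/1-pixel frames, CSS hiding, or frames positioned far off-screen."""
    style = attrs.get("style", "").lower().replace(" ", "")
    return (
        _tiny(attrs.get("width", "")) or _tiny(attrs.get("height", ""))
        or "display:none" in style or "visibility:hidden" in style
        or re.search(r"(left|top):-\d", style) is not None
        or re.search(r"(width|height):0(px)?(;|$)", style) is not None
    )


def script_is_obfuscated(body):
    """Two decoding/writing primitives, or one plus a long escaped blob."""
    low = body.lower()
    markers = sum(1 for m in OBFUSCATION_MARKERS if m in low)
    escaped = len(ESCAPED_RE.findall(body))
    return markers >= 2 or (markers >= 1 and escaped >= 20)


def scan_html(html, page_url):
    """Return [(kind, detail), ...] findings for one fetched page."""
    host = urlparse(page_url).hostname
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        src_host = urlparse(src).hostname
        if iframe_is_hidden(attrs) and src_host and src_host != host:
            findings.append(("hidden-iframe", src))
    for m in SCRIPT_RE.finditer(html):
        body = m.group(2)
        if script_is_obfuscated(body):
            findings.append(("obfuscated-script", body.strip()[:60]))
    _, closed, tail = html.lower().rpartition("</html>")
    if closed and re.search(r"<(iframe|script)\b", tail):
        findings.append(("trailing-injection", tail.strip()[:60]))
    return findings


# Constructed sample pages.
CLEAN_PAGE = """<html><head><title>Shop</title>
<script>function go(){ window.location = "/checkout"; }</script>
</head><body>
<iframe src="https://www.example.org/embed/42" width="560" height="315"></iframe>
<p>Hello</p></body></html>
"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "<p>Hello</p>",
    '<p>Hello</p><iframe src="http://drive-by.invalid/in.php" width="1" height="1" '
    'style="visibility:hidden;position:absolute;left:-5000px"></iframe>',
) + '<script>document.write(unescape("%3C%69%66%72%61%6D%65%20%73%72%63%3D"));</script>\n'

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page, "https://www.shop.example/"))
```

The clean page’s visible third-party embed is deliberately not reported: what makes an IFRAME suspicious here is the combination of being hidden from the user and loading from a host the page does not belong to. The thresholds in script_is_obfuscated are a starting point for triage, not a tuned signature; a site that legitimately minifies its scripts will need them adjusted.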

8. Win32/Autoit

Previous Ranking: 5
Percentage Detected: 1.28%

Win32/Autoit is a worm that spreads via removable media; some variants also spread via MSN Messenger. It may arrive on a system as a file downloaded from a malicious website, or be dropped by other malware. After infecting a system, it searches for executable files and replaces them with copies of itself, and copies itself to local disks and network shares. Once executed, it downloads additional threats or further variants of itself.
To ensure that it is launched automatically when the system is rebooted, the worm adds a registry entry pointing to its executable file.

9. Win32/Bflient

Previous Ranking: 8
Percentage Detected: 0.85%

Win32/Bflient is a worm that spreads via removable media and contains a backdoor. It can be controlled remotely and ensures it is started each time infected media is inserted into the computer.

10. Win32/Autorun

Previous Ranking: 6
Percentage Detected: 0.96%

Threats identified with the label ‘AutoRun’ are known to use the Autorun.INF file. This file is used to automatically start programs when a removable drive is inserted into a computer. The file itself doesn’t represent a threat, but combined with a binary file it becomes a delivery mechanism.

Top Ten Threats at a Glance (graph)

Analysis of ESET’s ThreatSense.Net®, a sophisticated malware reporting and tracking system, shows that the highest number of detections this month, with 6.58% of the total, was scored by the INF/Autorun class of threat.
