Category Archives: ESET

27th July 2018 Resource updates

Updates to Cryptocurrency/Crypto-mining News and Resources 

John Leyden for The Register: Criminal mastermind injects malicious script into Ethereum tracker. Their message? ‘1337’ – “The Etherscan incident could have been far worse. Rather than a cheeky pop-up, a more mendacious mind might just have easily used the same flaw to run a crypto-mining scam.”

SecureList (Kaspersky): A mining multitool – “Symbiosis of PowerShell and EternalBlue for cryptocurrency mining… The creators of PowerGhost …  started using fileless techniques to establish the illegal miner within the victim system. It appears the growing popularity and rates of cryptocurrencies have convinced the bad guys of the need to invest in new mining techniques – as our data demonstrates, miners are gradually replacing ransomware Trojans.”

Graham Cluley: Mind your company’s old Twitter accounts, rather than allowing them to be hijacked by hackers – “DEFUNCT FOX TV SHOW HAS ITS TWITTER ACCOUNT COMPROMISED BY CRYPTOCURRENCY SCAMMERS.” “…it appears that hackers seized control of the moribund Twitter account and gave it a new lease of life promoting cryptocurrency scams.”

Updates to Tech support scams resource page

ZDnet: US makes an example of Indian call center scam artists with stiff sentences – “The worst offenders have been thrown behind bars for up to 20 years… a number of call centers were established in Ahmedabad, India, in which operators impersonated the IRS and USCIS… in order to threaten US victims with arrest, prison, fines, and deportation unless they paid money they apparently owed.”

Updates to Chain Mail Check

An excellent article has just been published by my ESET colleague Lysa Myers: Hook, line, and sinker: How to avoid looking ‘phish-y’. Companies actually compound the phishing problem when they send poorly thought-out messages that are indistinguishable from phishing messages, both to their own staff and to customers (some banks are particularly culpable here). As a result, recipients of such messages are conditioned into accepting without suspicion messages that don’t conform to good practice, and are more susceptible to being taken in by phishing messages. In addition, Lysa points out an issue I hadn’t really considered: “An increasingly common scenario is phishy-looking emails sent by Software as a Service (SaaS) apps like those for fax or shipping services, human resource or accounting portals, collaboration tools, newsletters or even party planners.”

Another colleague (and long-time friend), Bruce P. Burrell, expands on the story I referred to briefly here – Sextortion and leaked passwords – with this article: I saw what you did…or did I? – “It might seem legit but there are several reasons why you should not always hit the panic button when someone claims to have your email password.” Not just a rehash of the news story, but the precursor to what I expect to be a very useful second article with advice from a seasoned security researcher.

Updates to Mac Virus

[update:  for ESET – Fake banking apps on Google Play leak stolen credit card data – “Fraudsters are using bogus apps to convince users of three Indian banks to divulge their personal data”]

Catalin Cimpanu: Chrome Extensions, Android and iOS Apps Caught Collecting Browsing Data – “An investigation by AdGuard, an ad-blocking platform, has revealed a common link between several Chrome and Firefox extensions and Android & iOS apps that were caught collecting highly personal user data through various shady tactics.”

Pierluigi Paganini: CSE Malware ZLab – APT-C-27’s long-term espionage campaign in Syria is still ongoing. After ESET’s Lukas Stefanko revealed the existence of a repository containing Android applications, researchers from CSE Cybsec Z-Lab identified spyware that was “part of the arsenal of an APT group tracked as APT-C-27, aka Golden Rat Organization.” In recent years the group has been focusing its activities in Syria. Here’s the ZLAB Malware Analysis Report.

The Hacker News: iPhone Hacking Campaign Using MDM Software Is Broader Than Previously Known – “India-linked highly targeted mobile malware campaign, first unveiled two weeks ago, has been found to be part of a broader campaign targeting multiple platforms, including Windows devices and possibly Android as well.”

Sophos: Red Alert 2.0: Android Trojan targets security-seekers – “A malicious, counterfeit version of a VPN client for mobile devices targets security-minded victims with a RAT.”

David Bisson for Tripwire: Exobot Android Banking Trojan’s Source Code Leaked Online -“Bleeping Computer said it received a copy of the source code from an unknown individual in June. In response, it verified the authenticity of the code with both ESET and ThreatFabric…Exobot is a type of malware that targets Android users via malicious apps. Some of those programs made their way onto the Google Play Store at one point.”

David Harley


Coercive Messaging

It’s not all about tech support scams, but Microsoft’s announcement about beefing up detection of ‘coercive messaging’ in Windows Defender is certainly related to some approaches used by tech support scammers, such as the use of malware that directs victims to a scam-friendly ‘helpline’.

Coercive messaging? As indicated in Microsoft’s evaluation criteria for malware and unwanted software,  that would be messages that ‘display alarming or coercive messages or misleading content to pressure you into paying for additional services or performing superfluous actions.’ That includes exaggerating or misrepresenting system errors and issues, claiming to have a unique fix, and using the well-worn scamming technique of rushing the victim into responding in a limited time-frame.

Certainly that’s all characteristic of the way that fake tech support is monetized, but it’s also characteristic of the lower-profile but persistent issue of useless ‘system optimizers’.

Microsoft’s article actually strongly resembles some of the hot-potato topics addressed by the Clean Software Alliance, which describes itself as ‘a self-regulatory organization for software distribution and monetization’. Unsurprisingly, since Microsoft had a great deal to do with the launching of the initiative. Anyway, it covers a great many issues that are well worth considering. I don’t think Microsoft and Windows Defender will be able to fix all these problems on their own, but any movement in this direction is a Good Thing.

Shorter article focused more on coercive messaging from Barak Shein, of the Windows Defender Security Research Team: Protecting customers from being intimidated into making an unnecessary purchase.

Commentary by Shaun Nichols for The Register: Windows Defender will strap pushy scareware to its ass-kicker machine – Doomed: Junkware claiming it can rid PCs of viruses, clean up the Registry, etc

On behalf of the security industry, which provides a large chunk of my income, maybe I should stress that not all programs that claim to rid PCs of viruses are junkware. 🙂 But perhaps it’s worth remembering that the difference between legitimate and less legitimate marketing is sometimes paper-thin. And talking about papers, here’s one on that very topic. 🙂 However, since that ESET paper for an EICAR conference goes back to 2011, maybe I should consider revisiting the topic.

David Harley

Securing Infrastructure

A few months ago, I was invited to contribute a short essay to an eBook published by Mighty Guides on ‘What are the greatest challenges you face in securing your network and applications infrastructure?’

Well, it’s been a while since I was directly involved in securing a major organization’s infrastructure, but I figured the principles haven’t changed much in the last ten years or so… I was a bit taken aback to find that the publication was sponsored by one of ESET’s competitors and that it would only be available at first by registering with that competitor’s web site. Not that I have a problem with the company concerned getting some return on its investment, but Mighty Guides should really have made clear to all the contributors that there might be a problem for people who work for other companies. (Fortunately I’m a freelancer, so there’s no conflict of interest as such, but some people who do what I do are employees.)

However, the section to which I contributed is now available without registration on Slideshare – as is at least one other section – and will eventually be available in full on the Mighty Guides site. If you can’t wait and don’t mind registering in order to get a full copy, you can find it here.

David Harley
ESET Senior Research Fellow

Support Scam Resources Update

Added a link to the AVIEN support-scam resources page: to be precise, an article for ESET in which I commented on some recent developments in the support scam landscape, including a pointer to Jerome Segura’s article for the Malwarebytes blog: Support Scam Cold-Calling: the Next Generation.

Also referenced in the article and well worth a read is a recent post by Jean-Ian Boutin (also for ESET).

David Harley
Small Blue-Green World
ESET Senior Research Fellow

Recent scam resources page updates

It occurs to me that I haven’t flagged here a couple of updates to the scam resources page that I’ve made this month. 

  • Misrepresenting System Utility Output [6th August]
  • Support Scam Anna-lytics and a very dodgy phone number [9th August 2012]

I need to put in some anchors to those sections, but at the moment they’re at the top of the page anyway.

David Harley CITP FBCS CISSP
AVIEN Chief Dogsbody
ESET Senior Research Fellow

‘Tech Support’ Scam Resources Page updated

I haven’t updated the scam resources page on the AVIEN blog site since November 2011. Mea culpa. However, that doesn’t mean I haven’t been beavering away at raising awareness of this scam among readers of my blog, the security industry, and (not least) law enforcement. So I’ve finally got around to updating the page.

Firstly, I’ve changed the name to something more unwieldy (less wieldy?), but a bit more explicit as to exactly what it’s about.

Secondly, I’ve added quite a few links to resources. Depressingly, most of them are my own blogs – I can’t believe how hard it is to get people to take notice of this scam! – but I shouldn’t forget to mention my friends and colleagues Steve Burn (MalwareBytes), Craig Johnston (independent researcher) and Martijn Grooten (Virus Bulletin), with whose help I’ve put together a couple of somewhat massive papers to be presented at CFET and Virus Bulletin later this year.

David Harley CITP FBCS CISSP
AVIEN & Small Blue-Green World Dogsbody
ESET Senior Research Fellow

Sick of Stuxnet?

Even if you’re not thoroughly sick of the word Stuxnet, you may well be pretty confused as to what “the truth” about it is. I know I am…

I think it will probably be a while before we get the whole picture, though there are a couple of last minute presentations scheduled for the Virus Bulletin conference in Vancouver next week that should be very interesting indeed: well, for sad Geeks like me, anyway. (I hope to see some of you there, maybe at the pre-drinks reception.)

I’ve spent quite a lot of the past couple of weeks working with some colleagues from ESET on a Stuxnet paper (67 pages long, so you’d think I’d be all Stuxnetted out by now). While we can’t predict all the surprises those papers will unfold, there’s some fairly detailed analysis and some observations that go a little against the “cyberwar on Iran” flow. Stuxnet Under the Microscope, by Alexandr Matrosov, Eugene Rodionov, David Harley and Juraj Malcho, September 2010 is available on the ESET white papers page at http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Changing Passwords: Should You Pass On It?

I’m seeing a lot of traffic about a story in the Boston Globe and taken up elsewhere suggesting that changing passwords is “a waste of time”. Well, actually, the study by Cormac Herley doesn’t exactly say that, and I suggest that you read the actual study to see what it does say. It’s actually well worth reading and makes some excellent points, though it’s not a particularly new paper, and some of the points it makes are much older. 

Should you stop changing passwords? Well, you probably don’t have much choice, in general. You should certainly use strong passwords, where possible (some systems actively work against you in that respect, by only accepting limited password options). Randy Abrams and I wrote a paper for ESET last year that discussed some password strategies, and one of the points made there was: 

 “It’s sometimes useful to consider whether frequent changes are really necessary or desirable. After all, if you’re encouraging the use of good password selection and resistance to social engineering attacks, and making it difficult for an attacker to use unlimited login attempts, a good password should remain a safe password for quite a while.”

I don’t think that the “change passwords every thirty days” mantra has been as universally enthused over by security specialists as the Globe suggests. System administrators (not always the same thing as security specialists) do often enforce such measures, of course. But while I was working on some notes for a journalist today on social engineering, I came across this quote in a paper I presented at EICAR in 1998. (I’ll have to put that paper up somewhere: it’s actually not bad, and not particularly outdated.)

“Documented research into social engineering hasn’t kept pace with dialogue between practitioners, let alone with real-world threats. Of course password stealing is important, but it’s [also] important not to think of social engineering as being concerned exclusively with ways of saying “Open, sesame…..”

Even within this very limited area, there is scope for mistrusting received wisdom. No-one doubts the importance of secure passwords in most computing environments, though the efficacy of passwording as a long-term solution to user authentication could be the basis of a lively discussion. Still, that’s what most systems rely on. It’s accepted that frequent password changes make it harder for an intruder to guess a given user’s password. However, they also make it harder for the user to remember his/her password. He/she is thus encouraged to attempt subversive strategies such as:

  • changing a password by some easily guessed technique such as adding 1, 2, 3 etc. to the password they had before the latest enforced change.
  • changing a password several times in succession so that the password history expires, allowing them to revert to a previously held password.
  • using the same password on several systems and changing them all at the same time so as to cut down on the number of passwords they need to remember.
  • aides-memoire such as PostIts, notes in the purse, wallet or personal organizer, biro on the back of the wrist…..

How much data is there which ‘validates’ ‘known truths’ like “frequent password changes make it harder for an intruder to guess a given user’s password”? Do we need to examine such ‘received wisdom’ more closely?”
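The subversive strategies listed above are exactly what a password-history check that only rejects exact matches fails to catch. The following is an added example, not code from the 1998 paper or from ESET, of a change check that flags the “add 1 to the old password” and “cosmetic substitution” cases and uses a minimum password age to stop users cycling through the history to get an old password back. The policy parameters (history depth, similarity limit, minimum age) and the sample history are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# Assumed policy parameters, chosen for illustration only.
HISTORY_DEPTH = 5        # previous passwords remembered per user
SIMILARITY_LIMIT = 0.8   # normalised similarity at or above which a change is "cosmetic"
MIN_AGE_DAYS = 1         # a password must be at least this old before it can be changed

_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")
# Common letter/digit/symbol substitutions that users treat as "a different password".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(password):
    """Reduce a password to its underlying 'idea': lower-case it, drop a trailing
    run of digits, and undo common substitutions, so that 'P@ssw0rd1' and
    'password2' compare as equal."""
    base = password.lower()
    m = _TRAILING_DIGITS.match(base)
    if m:
        base = m.group(1)
    return base.translate(_LEET)


def is_counter_change(old, new):
    """True for 'Summer2017' -> 'Summer2018' and for 'Password' -> 'Password1':
    the only difference is the trailing number (strategy 1 in the list above)."""
    new_m = _TRAILING_DIGITS.match(new)
    if not new_m or old == new:
        return False
    old_m = _TRAILING_DIGITS.match(old)
    if old_m:
        return old_m.group(1) == new_m.group(1)
    return old == new_m.group(1)


def similarity(a, b):
    """Similarity of two passwords after normalisation, in [0.0, 1.0]."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def check_password_change(new, history, days_since_last_change):
    """Return the set of policy violations for a proposed change.

    `history` lists previous passwords, oldest first (in a real system these
    would be salted hashes, and the similarity tests would have to run against
    the plaintext at change time only). An empty set means the change is allowed.
    """
    reasons = set()
    # Minimum age defeats strategy 2: changing N+1 times in a row to flush the history.
    if days_since_last_change < MIN_AGE_DAYS:
        reasons.add("too-soon")
    for old in history[-HISTORY_DEPTH:]:
        if new == old:
            reasons.add("reused")
        elif is_counter_change(old, new):
            reasons.add("counter")
        elif similarity(old, new) >= SIMILARITY_LIMIT:
            reasons.add("similar")
    return reasons


# Constructed sample history for one user, oldest first.
SAMPLE_HISTORY = ["Tr0ub4dor&3", "Summer2017", "Summer2018"]

if __name__ == "__main__":
    for candidate in ["Summer2019", "summer2019", "Summer2017",
                      "correct horse battery staple"]:
        print(f"{candidate!r:34} -> {sorted(check_password_change(candidate, SAMPLE_HISTORY, 30))}")
```

The normalisation step is deliberately crude; its job is only to catch the lazy variants a forced rotation provokes, not to measure password strength, which is a separate check. Note that the similarity test can only run when the plaintext is in hand, i.e. at the moment of change, which is one more reason to keep the rotation interval long rather than short.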

Nor do I claim that those thoughts were particularly original: luminaries like Gene Spafford and Bruce Schneier have made similar observations. That doesn’t mean you should accept uncritically what they, or I, say. But it’s always worth wondering if received wisdom is really wise.

And as Neil Rubenking points out, an attacker isn’t going to waste time on trying to crack your password with brute force if he can trick you into telling it to him, or into running a keylogger. Which takes me right back to that social engineering paper… [Update: now available at http://smallbluegreenblog.wordpress.com/2010/04/16/re-floating-the-titanic-social-engineering-paper/]

David Harley FBCS CITP CISSP
AVIEN Chief Operations Officer
ESET Research Fellow & Director of Malware Intelligence
Mac Virus
Small Blue-Green World

Also blogging at:
http://www.eset.com/blog
http://avien.net/blog/
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://chainmailcheck.wordpress.com
http://amtso.wordpress.com