Category Archives: Malware

Smoke Loader: malware exploiting meltdown/spectre fears

Tom Allen for V3: Fake website jumps on Spectre/Meltdown patch hype – Smoke Loader malware is hiding in plain sight

May pass itself off as a patch for AMD systems, and as info from the German Federal Office for Information Security.

David Harley

Security Essentials or Support Scam?

Microsoft describes a malicious program that masquerades as an installer for Microsoft’s own Security Essentials program. What Hicurdismos actually does is generate a fake Blue Screen of Death (BSoD) including a ‘helpline number’: so yes, it’s essentially a malware-aided tech support scam. It is spread by drive-by-download, and takes a number of steps to make itself look like a serious system issue, such as hiding the mouse cursor and disabling Task Manager.

Security Essentials is still available from Microsoft’s own support site for Windows version 7 and below. Windows 8.x and 10 users should note that it can’t be used on their systems. However, they don’t need it, since the version of Windows Defender that comes with 8.x and 10 has equivalent functionality (unlike the version on earlier Windows versions). Even so, apart from the pointer to the ‘helpline’, the fake BSoD closely resembles an error message that may be seen in those versions. Would that convince 8.x and 10 users that they also need the fake Essentials? Microsoft seems to think so.

Fortunately, it’s widely detected.

SHA1: e1e78701049a5e883a722a98cdab6198f7bd53a1

SHA256: 7dcbd6a63cb9f56063d2e8c5b17b3870bb2cbaeaafff98ce205d742cce38ba96

VirusTotal report: at 24th October 2016, 42 out of 56 vendors were shown as detecting it.

Commentary from The Register: Microsoft: Watch out millennials for evil Security Essentials

David Harley

Pokémon beGOne – malware exploiting a popular craze

[Also published on the Mac Virus blog, which also addresses smartphone security issues]

Not quite ransomware (though there is a suggestion that it may happen), but my ESET colleague Lukas Stefanko describes a fake lockscreen app that takes advantage of the currently prevalent obsession with Pokémon GO to install malware. The app locks the screen, forcing the user to reboot. The reboot may only be possible by removing and replacing the battery, or by using the Android Device Manager. After reboot, the hidden app uses the device to engage in click fraud, generating revenue for the criminals behind it by clicking on advertisements. He observes:

This is the first observation of lockscreen functionality being successfully used in a fake app that landed on Google Play. It is important to note that from there it just takes one small step to add a ransom message and create the first lockscreen ransomware on Google Play.

In fact, it would also require some other steps to enable the operators to collect ransom, but the point is well taken. It’s an obvious enough step that I’m sure has already occurred to some ransomware bottom-feeders. And it’s all too easy for a relatively simple scam to take advantage of a popular craze.

Clicking on porn advertisements isn’t the only payload Lukas mentions: the article is also decorated with screenshots of scareware pop-ups and fake notifications of prizes.

The ESET article is here: Pokémon GO hype: First lockscreen tries to catch the trend

Somewhat-related recent articles from ESET:

Other blogs are available. 🙂

David Harley

Buhtrap and Ammyy

It’s common for tech support scams to be referred to as ‘the AMMYY scam’ or ‘the TechViewer scam’: not because these remote access utilities/services are not legitimate (they are), but because they are commonly misused by tech support scammers to access their victims’ systems. (Which is why some security products flag them as ‘potentially unwanted’ or ‘potentially unsafe’.) They do this for two main reasons:

  • To fabricate ‘proof’ that the system is compromised by malware or otherwise at risk, so that the victim will pay for ‘assistance’ from the scammer.
  • To make changes to the victim’s system (or, sometimes, to pretend to make changes) that are meant to prove that the scammer is providing a chargeable service. Sometimes the scammer will add useful utilities, but in that case they’re usually applications that the victim could get for free elsewhere. Sometimes the additions are less useful, and might even be harmful.

In addition, the scammer will sometimes make changes to the system that are downright malicious: in particular, if the victim gives him access to his system but is reluctant to proceed with allowing the changes or making payment, the scammer will often deprive (or try to deprive) the victim of the ability to use the system at all.

The Buhtrap operation described in a blog by my ESET colleague Jean-Ian Boutin isn’t directly connected with tech support scams, as far as I know, but it did involve the misuse of the Ammyy Admin utility. People who downloaded the free version from the Ammyy site while it was compromised would, in Jean-Ian’s words have been served…

…a bundle containing not only the legitimate Remote Desktop Software Ammyy Admin, but also an NSIS (Nullsoft Scriptable Installation Software) installer ultimately intended to install the tools used by the Buhtrap gang to spy on and control their victims’ computers.

It’s not clear how the site came to be compromised – Ammyy’s designers apparently never responded to ESET’s warnings – but it’s now clean: however, the malicious installation bundle was being served for about a week. Jean-Ian comments:

If you downloaded and installed Ammyy Admin recently, your computer might be compromised by one of the malware described above. Since we do not know exactly when the attack started nor if the site is still compromised, we recommend that you take precautionary measures and use or install a security product to scan and protect your computer.

Obviously, this could include tech support scam victims directed to that specific page, as if they hadn’t been victimized enough already. 😦

David Harley

Airport security and Defense in Depth

I know this Blog is devoted primarily to computer security, specifically emphasizing Malware issues. I’d like you to indulge me for a small side trip to another area of security that impacts most of us, and hopefully this will fire some stray neurons and perhaps give ideas and insight to how we do business.

This all started during one of my latest business trips. We’re told flying is a privilege, not a right, or necessity. I, like so many business travelers, get annoyed being treated as a criminal because I have the audacity to travel by air for business needs. So, let me get things right, I pay for the privilege of being treated as a potential terrorist because in the course of conducting commerce, my employer sees a business need for me to fly to my destination? I also have the honor of paying $25 to check a bag so I can have the luxury of clean clothes when I arrive at my destination? Now I have the honor of sitting next to someone whose weight is such that the seat back tray can not come completely down, while he’s overlapping my already too tight seat, forcing me into the aisle/ wall? Now, my noise-canceling ear buds are worth every penny I paid, but where can I get odor blocking nose buds to block the garlic and other odors emanating from my seatmate? Add in maintenance or weather flight delays, running to gates, layovers longer than three hours, and suddenly I’m not feeling so privileged, and am understanding why fewer people are flying.

It was about this point in my flight when I started playing the old game of “what if”. In this case, what if I owned a domestic airline? How would I address security while making the customer feel more comfortable? I think rather naturally, my first thought went to my seat-mate, and I thought, if you need a seatbelt extender, you need to buy a second seat. Sorry if this offends anyone, and I know they’re shrinking seat size to fit more people on already increasingly full flights, and people of average size are cramped, but I’m thinking he had to be as uncomfortable as I was, and a second seat (while an increased expense to him) would have alleviated that issue rather handily. Next, and probably the most revealing thing, came when I tried opening my baggie of “Mini Pretzels”. That baggie of airline-supplied snacks did not want to open, and I was reduced to using my teeth to get a tear started. Now normally I’d reach into my pocket and pull out my Leatherman Brand multi-tool, and use the knife blade to cut open the bag, but due to security, it was in my checked baggage. Here we go, I can hear the cries now: “what kind of uncivilized fool carries a knife in this day and age?”, “Typical Yank, needs his knife and gun”, etc. Well, according to my education, it’s uncivilized and unsanitary to use your mouth to open packages. If memory serves right, Miss Manners said something about the practice lacking proper etiquette. I was taught early that it was simple tools like the knife that elevated us above animals, and made our behaviors less animalistic.

Proceeding on the line of thought, I thought about why these rules were in place. The answer came down to preventing skyjacking and making the flying public feel more secure in their flight. Well now, here I am in my element, SECURITY. So let’s take a look at the security and vulnerabilities of modern aircraft. As many have written previously, the flight deck is the weakest point of any aircraft. Like others before me I thought of the isolation of the bridge and flight crew, separate entry points, toilet facilities, rest facilities, etc.

Then a light bulb went off. The weak point isn’t the flight deck, but like in most security issues the personnel. The flight crew itself is the weak point. They are the ones who are directly attacked to gain control of the aircraft. So if we remove them (and flight controls) the aircraft is secure against any kind of take-over attack, right? So who flies the planes? Simple, the same people.

The fact is, most modern aircraft already fly from near take-off to landing by computer. Add to this the advances in remotely manned aircraft (such as the ‘unmanned’ drones in the warzones), and the U.S. Air Force openly talking about unmanned fighters in the not so distant future, so why not in commercial aircraft? I realize some people are not going to be comfortable without a face they can put “in control”, so it may be necessary for the short term to have a flight-trained deck officer with a manual override capability on each flight. However, as people become more accustomed to the technology, this need will go away. The manual override will need to be designed so that the on-board crew cannot activate it themselves, unless some critical event occurs and the aircraft loses communications with the ground, or a ground controller agrees, making it a two-key type system.

Now, with no flight deck, box cutters, guns, or even bomb threats have no value. There’s no one to take control from. That being the case, there is no need for everyone to be treated as a criminal and go through metal detectors, have our bags scanned and searched, or even go through the full body scanners. The only legitimate threat is explosives, and the destruction of the aircraft.

Looking from a skyjacker/ terrorist point of view, they already know that after 9/11, passengers will not allow an aircraft to be taken over and used as a weapon again. That’s why we’re already seeing attacks like the shoe and underwear bombers. This threat can be addressed by a more cost effective low tech manner, namely well trained K-9s. Think of it, no more security lines, one (or more) dog team behind the baggage check to sniff checked baggage, and several roaming the facility and at congestion points and boarding gates.

So a quick recap: fewer security officers would be needed, fewer flight crews, and pilots could work from central facilities (like the military drone operators do), enabling them to work 8 hour shifts with less pilot fatigue, and fewer errors like overshooting airports due to pilot inattention. Pilots may even be able to monitor multiple simultaneous flights; if not, at least moving from one flight to the next takes under 5 minutes, giving increased turnaround time. Some will question the wisdom of not checking for knives and firearms. I ask you to use logic and not emotions. Most murderers want to get away; they’re not going on a killing binge on an aircraft where they are already a prisoner with no escape route. As for mass murder/suicide, other passengers will not be defenseless, and will be able to stop an evildoer before it gets out of hand.

What about explosive decompression? The well educated know this is simply Hollywood hype and not a threat to a modern aircraft from a firearm.

I do believe this to be technically feasible. However I don’t think this will ever happen. Simply because it’s a real security solution, not security theater. Governments will lose control of some power over the traveling public. People will lose jobs, Unions will lose members (and the resulting income and power), and this does not play to people’s fears and emotions, nor provide a visual “security blanket”. Finally, like any security solution, it’s not perfect, but for once a real security solution, that would produce solid results at reduced costs and increased liberties.

Now I know this is already long, but to tie it to the computer security world, how many of our efforts are security theater, rather than actually addressing the root security issue? How many times do we have to put in a layer to provide a feeling of security without being beneficial, and inadvertently impacting our customers? Just something to think about next time we’re asked to “do something”, and if anyone from the airlines wants to implement my ideas, I’d welcome it.

Ken Bechtel
Team Anti-Virus
Virus Researcher and Security pontificator

Linux malware found in screensaver

I hate to say I told you so…actually, that’s not true. In this case, it was sadly obvious that it would happen, but the general attitude of the whole OS/Free Software crowd is still to claim the earth is flat when it comes to Malware.
Interested readers might like to Google my EICAR paper from 2002 called “The Emperor’s New Clothes: Linux and the myth of a virus free operating system”.

There I discussed that the very thing that makes the OSS model work is also its greatest weakness: there’s little control, little QA, and 99% of the time the proletariat downloading a package won’t check it (nor would most be competent to), so it’s very easy to insert malware. It’s very likely there is a lot more malware out there lurking in small fringe packages such as the one mentioned in the OMGUbuntu article.
The fact is that with the rise of the netbook, Linux becomes a more desirable platform to attack, and at the moment, it’s way too easy. After all, who needs anti-malware software on Linux?

Possible probabilities

Rich at Securosis (@securityninja on Twitter) made an interesting post yesterday about the fact that, in referring to Mac security, the possibility of a threat doesn’t equate to there being a probability of it. While we can argue the toss about who in the security industry does or doesn’t have a clue about basic probability theory*, the point made is nonetheless worth examining.

There’s definitely something in the fact that, as yet, the Mac OS has not been a great target for malware. This, as most people with any sense will acknowledge, is not due to the fact that Macs are automagically non-virusable, but rather due to the lower market penetration they currently hold, making them a somewhat lower priority for exploitation. Although there are signs that this is changing, particularly with the porting of the Zlob Trojan to Mac, to this point I agree with Rich: the risk is relatively low AS FAR AS GETTING INFECTED with something is concerned.

Where I have a problem with his post is that, in pointing out one logical fallacy, he makes another; that of confusing correlation and causation. The fact that you use a Mac may protect (to whatever limited extent) against certain types of threats, but that does not mean that you are not equally exposed to other threats – in fact, precisely because of your false sense of security, you may be even more so. Phishing, for instance is completely platform agnostic – having a Mac won’t protect you – because the thing being infected is the USER not the SYSTEM – there’s nothing to stop you getting caught out and putting your banking credentials onto a fraudulent website (unless of course you have some security suite that might warn you of the fact…oh, that’s right, you don’t need that on a Mac). To be fair, the fact that security against malware isn’t really all about getting an Anti-Virus program on your system is also something that should be emphasised more often and that’s something that probably is the fault of the industry.

Similarly, many have been predicting the rise of malware for mobile phones, with all sorts of dire prophecies of doom, however, as Mikko Hypponen (@mikkohypponen on Twitter) points out; at the moment the prevalence of mobile malware is falling because most phone OS vendors are tightly controlling the applications that go on their platforms. He goes on to point out something that should be blindingly obvious (even to the most devoted of Mac fanbois), but sadly isn’t – once you get past having the user involved in the infection cycle and start finding a way to exploit the OS itself (or an application running on it) – by discovering and exploiting vulnerabilities – the game changes.

I’ll leave you with a lovely image that demonstrates my general feeling about life, the universe and everything – if there’s one thing I’ve learnt in my years in the Anti-malware industry, it’s that ‘There will be Malware’. And that’s more than just a possibility.

*For a great (and very funny/bitter) introduction to statistics and probability I recommend John A Paulos’ excellent book “Innumeracy: Mathematical Illiteracy and its Consequences”

Andrew Lee CISSP

Security Smörgåsbord

Wow! December already – well, it’s been a fast and furious year, kicking off with the media fest that was the Conficker worm, through various other disasters and debacles all of which have only confirmed to many of us in the industry that our utopian malware free world is not likely to arrive any time soon (sorry David, you’ll have to delay that retirement for a while).

Things haven’t slowed down much, and over the last few days a few things have caught my ever-roving eye.

Firstly, there was a rather amusing spat caused by software company Prevx first accusing Microsoft security patches of causing a ‘black screen of death’ (which of course was fixed by their own patch), and later retracting the statement when it became clear that it wasn’t the security patches, but more likely the actions of malware on the systems, that caused the problem. (Link: One has to wonder how the Prevx patch was supposed to really fix the problem if they had no real idea of the cause – at least, they hadn’t checked whether it really was the fault of MS.

Secondly, there was the rather splendid news that the URL shortening service – among the most popular shorteners for users of sites like Twitter – has signed up with three major security vendors (Sophos, Verisign and Websense) to try to block spam and malicious links on their site. This can only be a “Good Thing” (TM). (Link: Some of the other services offer previewing of the links, but this is an extra annoyance for users and also pushes the decision on whether to visit the site to the user (not a Good Thing).

Thirdly, there is some heartening news from Facebook in that they’re going to offer more granular control over content privacy. There have been quite a few articles and papers on this subject, (including one by yours truly) so it’s good to see that the issues have been considered. I don’t know that it will solve all of the problems, but it may well highlight the privacy issue to more FB users who perhaps weren’t aware that, say, joining a Network exposes their content to all the members of that network unless they specifically block that (Link: Social networks are great things for keeping up with people, particularly if you’re a continent hopping researcher with friends all over the world, but the rapid explosion in their use has led to frequent lapses in security and the discovery that – as is often the case – security and privacy issues have been secondary to service development and uptake.

Lastly, and I hope you’ll forgive me for the quick tune on my own trumpet, I’m happy to announce that K7 Security Solutions are now available in German, and can be found at (Disclosure of interest: I am also the CTO of K7 Computing Ltd).

Andrew Lee CISSP

Paedophilia and the Trojan (or SODDI) Defence

I just had a look at the tricky issue of the “Some Other Dude Did It” defence against conviction for downloading/possessing child pornography. Not an issue on which I want to expend two lengthy blog articles in one day, so I’ll just give you the pointer to the ESET blog.
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at: