
Social media memes and secret questions

Back in 2012, Virus Bulletin published an article of mine called Living the Meme about how meme-ish things shared on social media might be an invitation to give away information that could be useful to an attacker.

If I can quote myself (of course I can!)

Secret answers to security questions posed by banking sites and the like as a supplement to passwords, or for people who forget their passwords, are pretty stereotyped. Names of relatives, names of pets, first school, childhood address and so on are highly characteristic, so some security commentators suggest inventing answers to such questions rather than using real data. That’s a logical alternative to inventing your own challenge/response – which is rarely an option – and I’m all in favour of it, as long as it doesn’t contravene some legal or quasi-legal restriction.

In a recent article Brian Krebs makes a similar point, but cites a number of up-to-date examples where ‘seemingly innocuous little quizzes, games and surveys’ ask for information similar to that used for online accounts as ‘secret questions’: Don’t Give Away Historic Details About Yourself.

David Harley


Resource updates: April 5th-7th 2018

Updates to Anti-Social Media 

Updates to Cryptocurrency/Crypto-mining News and Resources

Updates to Meltdown/Spectre – Related Resources

Only distantly related, but…

Updates to Specific Ransomware Families and Types

[3rd April 2018] Peter Kálnai and Anton Cherepanov for ESET: Lazarus KillDisks Central American casino – “The Lazarus Group gained notoriety especially after cyber-sabotage against Sony Pictures Entertainment in 2014. Fast forward to late 2017 and the group continues to deploy its malicious tools, including disk-wiping malware known as KillDisk, to attack a number of targets.”

Updates to Mac Virus


David Harley

17th March 2018 resources and article updates

Specific Ransomware Families and Types

Cryptocurrency/Crypto-mining News and Resources

Mac Virus (now linked from AVIEN portal): Android antics and MacOS malware

David Harley

Black Ruby

[February 9th 2018]

Bleeping Computer: Black Ruby Ransomware Skips Victims in Iran and Adds a Miner for Good Measure

“A new ransomware was discovered this week by MalwareHunterTeam called Black Ruby. This ransomware will encrypt the files on a computer, scramble the file name, and then append the BlackRuby extension. To make matters worse, Black Ruby will also install a Monero miner on the computer that utilizes as much of the CPU as it can.”

Not currently decryptable.

David Harley

BitPaymer/FriedEX

 for ESET: FriedEx: BitPaymer ransomware the work of Dridex authors

“Recent ESET research shows that the authors of the infamous Dridex banking trojan are also behind another high-profile malware family – a sophisticated ransomware detected by ESET products as Win32/Filecoder.FriedEx and Win64/ Filecoder.FriedEx, and also known as BitPaymer.”

David Harley

‘AdultSwine’ – Android malware with a dirty mind

The Register: ‘Mummy, what’s felching?’ Tot gets smut served by Android app – Google’s Play Store fails again

Actually, I didn’t know about felching, either, and I wish I hadn’t looked it up.

Based on Check Point’s blog article Malware Displaying Porn Ads Discovered in Game Apps on Google Play. Check Point says that this is a triple-threat attack: it may display ads that are often (very) pornographic, engineer users into installing fake security apps, and/or induce them to register with premium services.

David Harley

The Mechanisms of Support Scamming

Dial One for Scam: A Large-Scale Analysis of Technical Support Scams is an academic paper, but interesting*. While it doesn’t tell seasoned scam watchers much we weren’t already aware of, it does take a systematic look at how the scheme is implemented, and hopefully that will be useful to someone in a better position to pursue more fundamental approaches than the occasional analyses from the anti-malware industry that this paper dismisses as ‘ad hoc’.

Sid Kirchheimer’s article from April 2017 for AARP – From Pop-Up Warnings to $9 Million Payout: Inside the Tech Support Scam – includes an easily-digestible summary of some of the main points of the paper.

Hat tip to Mich Kabay for bringing the article to my attention, and to Fat Security for flagging the paper for me some time ago.

David Harley

*However, it’s irritating to see in section VII a paper of which I was co-author apparently credited to Malwarebytes. Reference [5] is to this paper for a Virus Bulletin conference – My PC has 32,539 Errors: how Telephone Support Scams really Work – and I appreciate having our work referenced.

Nevertheless, although Steve Burn, one of the authors, was indeed working for Malwarebytes, I was working for ESET, Martijn Grooten was working for Virus Bulletin, and Craig Johnston was an independent researcher. It is, of course, perfectly true that Malwarebytes researchers have done much useful research in this area.

LG TV ransomware revisited

In case you were wondering what happened as regards the story I previously blogged here – Smart TV Hit by Android Ransomware – it appears that LG has decided after all to make the reset instructions for the TV public rather than requiring an LG engineer to perform the task for only twice the price of a new set… Note that this was an old model running Android, not a newer model running WebOS.

Catch-up story by David Bisson (following up on his earlier story for Metacompliance) for Graham Cluley’s blog: How to remove ransomware from your LG Smart TV – And the ransomware devs go home empty-handed!

The article quotes The Register’s article here, which details the instructions, but also links to a video on YouTube by Darren Cauthon – who originally flagged the problem – demonstrating the process.

[Also posted at Mac Virus]

David Harley


Decrypters info

An article by Charlie Osborne for ZDNet/Zero Day includes an alphabetical list of ransomware families for which decrypters are available, with links. It’s not, of course, a complete list (either of remediable ransomware or of reputable sources of decrypters) but the sources it does list are indeed reputable. As we’re seeing an increasing number of less reputable sources misusing SEO, blog comments and so on, that’s not a small consideration. Added to the Specific Ransomware Families and Types and Ransomware Recovery and Prevention pages.

Remove ransomware infections from your PC using these free tools – A how-to on finding out what ransomware is squatting in your PC — and how to get rid of it.

Ransomware listed includes: Al-Namrood, Apocalypse, ApocalypseVM, Autolocky, BadBlock, Bart, Bitcryptor, Cerber v.1, Chimera, CoinVault, CrypBoss, CryptoDefense, CryptInfinite, CryptXXX v1, 2, 3, 4, 5, DMALocker, DMALocker2, Fabiansomware, FenixLocker, Gomasom, Globe, Harasom, HydraCrypt, Jigsaw, KeyBTC, LeChiffre, Marsjoke | Polyglot, Nemucod, MirCop, Operation Global III, PClock, Petya, Philadelphia, PowerWare, Rakhni & similar, Rannoh, Shade v1 & 2, SNSLocker, Stampado, TeslaCrypt v1, 2, 3, 4, UmbreCrypt, Vandev, Wildfire, Xorist, 777

Ransomware updates (1)

I can’t say that the ransomware landscape hasn’t been busy for the past week or two, but so have I, on entirely different issues. I have been adding links etc. to resources pages, and they’re not all referenced here, but here’s an update on some stuff I’ve added today.

(1) Cylance’s analysis of AlphaLocker. (HT to Artem Baranov for drawing my attention to it.) Useful stuff, despite the customary AV-knocking.

(2) Help Net Security posted a useful update referring to commentary from Kaspersky – New ransomware modifications increase 14%. Points made in the article include these:

  • The (sub)title refers to 2,896 modifications made to ransomware in the first quarter of 2016, an increase of 14%, and a 30% increase in attempted ransomware attacks.
  • According to Kaspersky, the ‘top three’ offenders are ‘Teslacrypt (58.4%), CTB Locker (23.5%), and Cryptowall (3.4%).’ Locky and Petya also get a namecheck.
  • Kaspersky also reports that mobile ransomware has increased ‘from 1,984 in Q4, 2015 to 2,895 in Q1,2016.’

(3) Graham Cluley, for ESET, quotes the FBI: No, you shouldn’t pay ransomware extortionists. Encouragingly, the agency seems to have modified its previous stance in its more recent advisory. The agency also offers a series of tips on reducing the risk of succumbing to a ransomware attack. Basic advice, but it will benefit individuals as well as corporate users, and reduce the risk from other kinds of attack too. I was mildly amused, though, to read in the FBI tips:

– Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

It’s a bit tricky to back up data without connecting to the system used for primary storage. I think what the FBI probably meant was that you shouldn’t have your secure backups routinely or permanently accessible from that system, since that entails the strong risk that the backups will also be encrypted.

The tips include a link to an FBI brochure that unequivocally discourages victims from paying the ransom, as well as expanding on its advice. And it is clearer on the risk to backups:

 Examples might be securing backups in the cloud or physically storing offline. Some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real time, also known as persistent synchronization. Backups are critical in ransomware; if you are infected, this may be the best way to recover your critical data.
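The distinction the brochure is drawing, as an added example that is not part of this post or of the FBI’s material: a small Python simulation in which a stand-in for ransomware (a reversible byte scramble rather than real encryption, with a made-up `.locked` extension) hits a documents folder that is protected by two kinds of backup, a real-time mirror that propagates every change, and a write-once nightly snapshot that earlier runs never touch. The directory names, the sample files and the `.locked` extension are all constructed for the demonstration.

```python
"""Why a continuously synchronised backup is not a safe backup.

Added example, not from the original post or the FBI brochure. Builds a
throwaway source directory, two 'backups' of it, runs a stand-in for
ransomware over the source, and reports which backup still holds the
original files.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

RANSOM_EXT = ".locked"   # assumed marker extension, stands in for e.g. .BlackRuby


def scramble(data: bytes) -> bytes:
    """Stand-in for the ransomware's encryption step. Assumption: XOR with a
    fixed byte, which is reversible; real ransomware uses a proper cipher and
    a per-victim key, but the effect on the backups is identical."""
    return bytes(b ^ 0xA5 for b in data)


def fake_ransomware(target: Path) -> int:
    """Overwrite every regular file under target with scrambled content and
    give it the marker extension. Returns the number of files hit."""
    count = 0
    for path in list(target.rglob("*")):   # list() so renames don't disturb iteration
        if path.is_file():
            path.write_bytes(scramble(path.read_bytes()))
            path.rename(path.with_name(path.name + RANSOM_EXT))
            count += 1
    return count


def mirror_sync(src: Path, dst: Path) -> None:
    """A 'persistent synchronization' backup: make dst an exact mirror of src,
    propagating deletions and renames just as a real-time sync client does."""
    if dst.exists():
        shutil.rmtree(dst)
    shutil.copytree(src, dst)


def snapshot(src: Path, store: Path, label: str) -> Path:
    """A versioned, write-once backup: each run lands in its own directory and
    earlier snapshots are never modified. A read-only mount, an object-lock
    bucket or a drive that is physically unplugged plays this role for real."""
    dest = store / label
    shutil.copytree(src, dest)
    return dest


def digest_tree(root: Path) -> dict:
    """Map each relative file path under root to the SHA-256 of its content."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def run_scenario() -> dict:
    """Backup, infect, backup again; compare each backup with the clean state."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src, mirror, snaps = base / "documents", base / "mirror", base / "snapshots"
        src.mkdir()
        snaps.mkdir()
        # Constructed sample data standing in for a user's documents.
        (src / "thesis.txt").write_text("chapter 1: introduction\n")
        (src / "invoices").mkdir()
        (src / "invoices" / "2016-04.csv").write_text("id,amount\n1,42.00\n")
        before = digest_tree(src)

        mirror_sync(src, mirror)             # sync client mirrors the clean state
        snapshot(src, snaps, "2016-05-01")   # nightly versioned backup runs

        encrypted = fake_ransomware(src)     # infection

        mirror_sync(src, mirror)             # sync client dutifully mirrors the damage
        snapshot(src, snaps, "2016-05-02")   # tonight's snapshot is useless, but...

        return {
            "files_encrypted": encrypted,
            "mirror_intact": digest_tree(mirror) == before,
            "snapshot_intact": digest_tree(snaps / "2016-05-01") == before,
        }


if __name__ == "__main__":
    print(run_scenario())
```

Run as-is: the mirror reports `mirror_intact` False because the sync replaced the clean copies with scrambled, renamed ones, while the earlier snapshot reports `snapshot_intact` True. The snapshot store in this toy is just another directory, writable from the same process; it survives only because the fake ransomware was pointed at the documents folder. Real ransomware enumerates every writable path it can reach, so the production equivalent has to be unreachable for writes from the infected host (detached media, a pull-based backup server, or versioned cloud storage with retention the client cannot override), which is exactly the point the FBI’s ‘not connected’ wording is trying to make.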

David Harley