Tag Archives: Heimdal

Updates: Facebook, AggregateIQ, and some ransomware resources

Updates to Anti-Social Media 

[4th/5th April 2018]

Updates to: Ransomware Resources

[4th/5th April 2018]

David Harley

New information/resource page: [anti-]social media

[This article is itself the first entry on the new page Anti-Social Media.]

Like many others, I’ve been at least partially assimilated by the social media Cookie Monster. Once upon a time I opened accounts on sites like Facebook and Twitter, so as to find out about their implications for security. (Like many others in the security profession, I suspect.) They also quickly became integrated into my armoury as a means of exchanging and disseminating information, whether it’s a matter of hard data or work-oriented PR. And when friends, colleagues and fellow musicians (some people, of course, are members of two or all three of those sets!) found me on those platforms, it would have been churlish not to have accepted invitations to link up there. (Besides, you can’t tell as much about Facebook’s workings, for instance, if you don’t actually have any Facebook friends…)

However, I’ve always borne in mind the wider implications of membership of such platforms (sociological, psychological, and security-specific), and have often written on those topics. (I’ll probably look back at some of those posts and see if any of them are worth flagging here.) But with the excitement over Cambridge Analytica, its self-proclaimed success at social engineering, and its alleged misuse of data harvested from social media, I can’t help but notice that people who’ve previously expressed no interest in privacy and security have started to voice concern. So I’m going to use this page to flag some news and resources of interest. Starting with a minor deluge of advice from various quarters:

David Harley

Heimdal’s Anti-Ransomware Protection Plan

Andra Zaharia, security evangelist at Heimdal, has published a very useful and exhaustive checklist for reducing your exposure to ransomware: The Anti-Ransomware Protection Plan You Need to Follow Today.

I get tired of reading ‘how to defend against ransomware’ articles that miss out vital points like not staying permanently connected to in-the-cloud storage, but this one really does cover most of the angles. Very nice.

David Harley

Two ‘need to know’ ransomware articles

Here are a couple of ‘what you need to know’ articles on ransomware. At some point I might come back to make a few comments about individual points, but in general, if you’re still puzzled as to what it’s all about, you might find some useful thoughts here.

David Harley

Fake IRS refund carries Kovter ransomware downloader

To be precise, the ZIP file distributed by the spam campaign activates PowerShell to download a Kovter payload delivering ransomware. The secondary payload is CoreBOT, a highly adaptive form of modular malware.

According to Heimdal’s Andra Zaharia, the spam message looks something like this:

From: [spoofed / fake return address]

Subject Line: Payment for tax refund # 00 [6 random numbers]

Attached:
Tax_Refund_00654767.zip -> Tax_Refund_00654767.doc.js

Heimdal analysis: Security Alert: Fileless Kovter Teams Up with Modular CoreBot Malware in IRS Spam Campaign

Commentary from David Bisson for Tripwire: Fake IRS Spam Email Campaign Serves Up Kovter, CoreBot Malware

Added to Ransomware Resources page.

David Harley
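
A mail-gateway style check for the lure described in the post above, as an added example that is not from the original page or from Heimdal's analysis: it flags the reported subject-line shape and a script hidden behind a decoy document extension, whether attached directly or inside a ZIP. The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject shape reported in the post: "Payment for tax refund # 00" + 6 digits.
SUBJECT_RE = re.compile(r"payment for tax refund\s*#\s*00\s*\d{6}\b", re.I)
# Decoy document extension followed by a script extension, e.g. ".doc.js".
# The extension lists are assumptions for this example, not from the post.
DOUBLE_EXT_RE = re.compile(
    r"\.(docx?|xlsx?|pdf|rtf|txt|jpe?g|png)\.(js|jse|vbs|vbe|wsf|hta)$", re.I)

def inspect_message(raw: bytes) -> list[str]:
    """Return a list of findings for one RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        findings.append("subject matches tax-refund lure pattern")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        names = [name]  # check the attachment name and any archive members
        if zipfile.is_zipfile(io.BytesIO(data)):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    names += zf.namelist()
            except zipfile.BadZipFile:
                findings.append(f"unreadable archive: {name}")
        for n in names:
            if DOUBLE_EXT_RE.search(n):
                findings.append(f"decoy-extension script in {name}: {n}")
    return findings

def build_sample() -> bytes:
    """Constructed sample: harmless ZIP whose member only mimics the naming."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tax_Refund_00654767.doc.js", "// inert placeholder\n")
    msg = EmailMessage()
    msg["From"] = "refunds@example.invalid"
    msg["Subject"] = "Payment for tax refund # 00654767"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Tax_Refund_00654767.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print("\n".join(inspect_message(build_sample())))
```

Matching on the name alone will miss renamed or nested archives, so treat a hit as a reason to quarantine and inspect rather than as the only control.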