ESET Threat Blog

Archive for the 'decryption' Category

Xrupter – Scareware meets Ransomware


Thursday, March 26th, 2009

There are quite a few reports currently about particularly ugly developments on the fake AV front. The Register’s John Leyden has referred to a "double dipping" attack, in which the notorious Antivirus 2009 is implicated in an attack that goes beyond offering useless rogue anti-malware to inflicting actual damage on user data files, in order to force the victim to pay for another "utility" to recover them. FireEye implicates Vundo (Virtumonde), the equally notorious adware Trojan, which is often used to push fake security software. The attacks ESET is seeing involve dropping a malicious executable (a DLL) called fpfstb.dll – which we, among others, detect as Xrupter – into the system directory (%sysdir%), and creating or changing a number of registry keys. This one ensures that the DLL is loaded into every process that maps user32.dll, so in practice it runs at every startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs" = "%Sysdir%\fpfstb.dll"

Xrupter is a Trojan application that looks for data files in the "My Documents" folder and encrypts them. As you can see from the list of file types below*, it attacks types of file that may be critically important to the victim for personal or business reasons.

The victim then sees messages like these in the system tray:

"Windows File Protection

Windows has detected that the following files seems to be corrupted. To prevent future data corruption, click Repair button below. "

"FileFix Professional 2009

Please, register your copy of FileFix Professional 2009 to repair all corrupted files. Click here to open Buy now page. "

FileFix does decrypt the affected files so that they’re accessible again, but only at a price (and it only decrypts the files that Xrupter has weakly encrypted: it’s useless as a general decryption utility and may well be used for other malicious purposes in the future). Furthermore, its home web site is currently offline, so if you fall victim to this scam, you may not be able to access it anyway. 

Fortunately, a number of sources have made alternative (and free!) decryption utilities available. Symantec’s is here, and FireEye’s is here.

There’s nothing new about ransomware of course: in fact, it was Dr. Popp’s AIDS Trojan, which encrypted the victim’s hard disk and then demanded money to get it fixed, which was my introduction to anti-malware research in 1989.

And fake anti-malware is almost as old – one of the Black Baron’s malicious packages was made available as "antivirus" in the 1990s.

However, the combination of fake security software and data-diddling as a means of extortion as two prongs of the same attack seems, somehow, particularly unpleasant. Nonetheless, I’m sure we’ll see more of such attacks.

* The Trojan looks for files with the following filetypes (filename suffixes – that is, the part of the filename that follows the last period character; for example, the suffix of mynewnovel.doc is doc):

doc
docm
docx
dotm
dotx
jpeg
jpg
mdb
mp3
pdf
png
potm
potx
ppam
ppsm
ppsx
ppt
pptm
pptx
pst
wma
xlam
xls
xlsb
xlsm
xlsx
xltm
xltx
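A triage check built from the indicators in this post (an added example, not ESET’s code): it parses the output of `reg query` for the AppInit_DLLs value and flags any entry whose file name is fpfstb.dll, and it walks a folder applying the footnote’s suffix rule (whatever follows the last period, compared case-insensitively) to list the files Xrupter would have selected. The `reg query` text and the folder built by `demo_scan()` are constructed sample data; on a real machine you would feed it the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs` and point `files_at_risk()` at the user’s My Documents folder.

```python
"""Xrupter triage helpers: persistence check plus at-risk file enumeration.

Added example for this post, not ESET's code. It assumes only the
indicators quoted above: the file name fpfstb.dll registered under
AppInit_DLLs, and the suffix list from the footnote. The registry
output and the sample folder below are constructed.
"""
from __future__ import annotations

import os
import re
import tempfile

# Suffix list from the post's footnote, normalised to lower case.
XRUPTER_SUFFIXES = frozenset("""
doc docm docx dotm dotx jpeg jpg mdb mp3 pdf png potm potx ppam ppsm ppsx
ppt pptm pptx pst wma xlam xls xlsb xlsm xlsx xltm xltx
""".split())

# File name the post reports being dropped into %sysdir%.
XRUPTER_DLL = "fpfstb.dll"

# Constructed output of:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs
INFECTED_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\WINDOWS\system32\fpfstb.dll
"""
CLEAN_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ
"""

_APPINIT_RE = re.compile(r"^\s*AppInit_DLLs\s+REG_SZ\s*(.*?)\s*$",
                         re.IGNORECASE | re.MULTILINE)


def appinit_dlls(reg_query_output: str) -> list[str]:
    """Return the DLL paths listed in AppInit_DLLs.

    Windows loads every DLL named here into each process that maps
    user32.dll, which is why the post treats it as a start-up mechanism.
    The value is space- or comma-separated, so a path containing spaces
    cannot be listed reliably (malware therefore favours short paths).
    """
    match = _APPINIT_RE.search(reg_query_output)
    if not match:
        return []
    return [p for p in re.split(r"[ ,;]+", match.group(1)) if p]


def suspicious_appinit(reg_query_output: str) -> list[str]:
    """AppInit_DLLs entries whose file name is the Xrupter DLL, in any directory."""
    hits = []
    for path in appinit_dlls(reg_query_output):
        name = path.replace("/", "\\").rsplit("\\", 1)[-1]
        if name.lower() == XRUPTER_DLL:
            hits.append(path)
    return hits


def targeted_suffix(filename: str) -> bool:
    """Footnote rule: the suffix is what follows the LAST period, case-insensitive.

    So mynewnovel.doc and Report.XLSX match; archive.doc.bak and Makefile do not.
    """
    base = os.path.basename(filename)
    if "." not in base:
        return False
    return base.rsplit(".", 1)[1].lower() in XRUPTER_SUFFIXES


def files_at_risk(root: str) -> list[str]:
    """Paths under `root` (relative, forward slashes) that Xrupter would have selected."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if targeted_suffix(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def demo_scan() -> list[str]:
    """Build a constructed stand-in for My Documents and scan it."""
    sample = ["mynewnovel.doc", "Report.XLSX", "notes.txt", "archive.doc.bak",
              "Makefile", "pictures/holiday.JPG", "mail/outlook.pst"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"constructed sample content")
        return files_at_risk(root)


if __name__ == "__main__":
    print("AppInit_DLLs hits:", suspicious_appinit(INFECTED_REG_QUERY))
    print("Files at risk:", demo_scan())
```

The scan only tells you which files match the Trojan’s selection rule; it does not tell you whether a given file has already been encrypted, and the post gives no way to determine that short of trying to open it or running one of the decryptors above.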

(Thanks to Paolo Monti, my colleague at Future Time/ESET.it, Hon Lau of Symantec, and Alex Lanstein of FireEye for some of the information on Xrupter used here.)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

You Did Back Up Your Data, Didn’t You?


Friday, January 16th, 2009

One of the security best practices is to back up your data regularly. This is sound advice, as it helps mitigate the damage from many different threats. Lots of people think of data loss when they think of viruses, but very few viruses have actually tried to cause data loss. There have been a few that encrypt data in an attempt to extort ransom money from the user in return for getting the data back, but this is relatively rare. Today, most threats are not about destroying data; they want to collect your data so the criminals can steal your money or identity. Still, backing up your data may help reduce losses if you are hit by some malicious programs.

What else causes data loss? Sometimes improperly configured antivirus products themselves cause data loss. A couple of years ago one of the largest antivirus vendors in the world had a false positive problem that deleted many Microsoft Office files. False positives happen to all of us from time to time, but detected files should be quarantined rather than deleted, so that if the detection is a false positive the data can be recovered. The product in question was revised to make quarantine the default setting after so many of its customers who did not perform proper backups lost a lot of data.

Fingers are high up on the list. Did you ever accidentally delete something and not have a back up?

Hard drive failures can also cause massive data loss. A recent event that our own Aryeh Goretsky brought to my attention is what made me decide to write this blog entry. Hard drive failures are typically fairly rare, but there is a biggie out there now.

It seems that Seagate has released droves of 1 terabyte hard drives that have a problem causing them to die. Having good backups may be the only way to recover your data without spending a few thousand dollars in such a situation.  

There are about 18 pages of comments on a Seagate forum (as of this writing). The drives may be working fine for 3 months and then die instantly.

Below are a few links about the issue. The last link is the Seagate forum I mentioned.

http://www.techreport.com/discussions.x/16232

http://www.theinquirer.net/inquirer/news/374/1050374/seagate-barracudas-7200-11-failing 

http://www.dslreports.com/forum/r21737309-AVOID-seagate-ST31000340ASSD15-drives 

http://forums.seagate.com/stx/board/message?board.id=ata_drives&thread.id=3668&view=by_date_ascending&page=1

It is unfortunate that Seagate refuses to comment on the situation. Late last year it was discovered that Seagate had shipped about 1,800 brand new drives with malware on them.

If your data is important enough to put on a hard drive, be sure you back it up. There are many threats to your data, and viruses are the least of those threats.

Randy Abrams
Director of Technical Education

Protection Part 7


Monday, January 5th, 2009

If sensitive information is stored on your hard drive (and if you don’t have -something- worth protecting on your system, you’re probably not reading this blog…), protect it with encryption.

Furthermore, when you copy or move data elsewhere, it’s usually at least as important to protect/encrypt it when it’s on removable media, or transferred electronically. Even if the target storage device is secure from malware or hacking, you also need to be aware of other dangers such as physical risks, transit risks, business-related risks such as an escrow site going out of business and so on.

Consider (seriously!) regularly backing up your data to a separate disk (as a bare minimum) and, where possible, to a remote site or facility. Sounds extreme? Think about it.

You can’t rely on backing up to another partition on the same disk as the original: if the disk dies, the chances are that all partitions will be lost.

You can’t rely on backing up to another disk on the same system. If the system is stolen, or there’s a fire, for instance, then in the immortal words of Tom Lehrer they’ll "all go together". In the latter instance, the chances are that you’ll lose your thumb drives, CD-RWs and so on as well.

And if you’re working in a corporate environment, you might want to avoid doing what one site I know of did, and back up data to a server, but forget to back up the server itself.
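Both backup posts on this page make the same point; the practical addition is that a backup only counts once you have checked it can be read back. The following is an added example, not the authors’ or ESET’s code: it hashes every file under a source tree and a backup tree with SHA-256 and reports what is missing, altered or extra. The `demo()` function builds a constructed pair of folders, copies one to the other, then flips one bit and deletes one file in the copy to show what the check catches.

```python
"""Check a backup against its source before you need it.

Added example for the two backup posts above (not ESET's or the
authors' code). It assumes two directory trees, source and backup,
and treats a file as backed up only if its SHA-256 digest matches.
The folders built in demo() are constructed sample data.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file so large media files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def tree_digests(root: str) -> dict[str, str]:
    """Map each file's path relative to `root` (forward slashes) to its digest."""
    digests = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def verify_backup(source: str, backup: str) -> dict[str, list[str]]:
    """Report files missing from the backup, differing in content, or only in the backup.

    A clean result is three empty lists. 'changed' catches silent corruption
    (a failing drive, a bad copy) that a size or file-listing comparison misses.
    """
    src, dst = tree_digests(source), tree_digests(backup)
    return {
        "missing": sorted(set(src) - set(dst)),
        "changed": sorted(p for p in src.keys() & dst.keys() if src[p] != dst[p]),
        "extra": sorted(set(dst) - set(src)),
    }


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed scenario: verify a fresh copy, then damage it and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "My Documents")
        backup = os.path.join(tmp, "backup")
        files = {
            "mynewnovel.doc": b"Chapter 1. It was a dark and stormy night.",
            "budget.xls": b"\x00" * 512,
            "letters/note.doc": b"Dear Sir, ...",
        }
        for rel, data in files.items():
            full = os.path.join(source, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        shutil.copytree(source, backup)
        clean = verify_backup(source, backup)

        # Simulate one flipped bit on the backup medium (same size, so a
        # size comparison would pass it) and one file the backup job skipped.
        with open(os.path.join(backup, "budget.xls"), "r+b") as fh:
            first = fh.read(1)
            fh.seek(0)
            fh.write(bytes([first[0] ^ 0x01]))
        os.remove(os.path.join(backup, "letters", "note.doc"))
        damaged = verify_backup(source, backup)
        return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("fresh copy:", before)
    print("after damage:", after)
```

Run this against the copy on the separate disk or the remote site, not against a second partition of the same drive, for the reasons given above: a verified copy on the disk that is about to fail is still no backup.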

I’m sure I don’t need to remind you to take care of your passwords as well, do I?

David Harley BA CISSP FBCS CITP

Cybercrime and Punishment, and a little Cryptanalysis…


Monday, December 29th, 2008

Well, not so much about punishment, but I’m sitting in the lounge with Andrew Davies’s version of Dr. Zhivago in the background, so I’m in a Russian mood…

My colleague Jeff Debrosse, Director of Research in our San Diego office, drew my attention to the latest FBI challenge at http://www.fbi.gov/page2/dec08/code_122908.html. Like many people in this business, I’m fascinated by encryption and decryption, but I don’t have a particular talent for it, so I probably won’t attempt the challenge. I was interested enough to follow this link, though, which is a short primer on "Analysis of Criminal Codes and Ciphers" by Daniel Olson, a cryptanalyst forensic examiner with the bureau. As an introduction to some basic cryptographic techniques with some real-life (criminal) applications, it looks very readable. If you’re interested in something a bit more comprehensive but not particularly technical/mathematical, Simon Singh’s "The Code Book" is also very readable. Bruce Schneier has written a couple of books that are still practical rather than theoretical, if you fancy something with a bit more meat to it…

Speaking of Jeff Debrosse, he was recently featured on Fox 5 News, talking about cybercrime. We posted a link here. Nice one, Jeff. :-) And since we’re blowing our own trumpets here, thank you Paul Lilly for a very positive review of ESET Smart Security in MaximumPC. ;-)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence