San Diego, CA, April 6, 2011, David Harley

Spearphishing APT-itude Test

My latest blog for SC Magazine's Cybercrime Corner looked at the recent APT (Advanced Persistent Threat) attack on RSA, in the light of Uri Rivner's blog on the implementation of the attack. Unfortunately, the exact nature of the target and damage remains somewhat obscure, so while I certainly consider Rivner's blog worth reading, I also found myself clarifying why I don't find the APT buzzword particularly useful (hat tip to SC Magazine UK's Dan Raywood for turning my thoughts in that direction). Randy Abrams subsequently raised another point worth thinking about, though. Rivner's blog classifies the targeted attack as spear-phishing, and like a number of other commentators, I've taken his word for it.

San Diego, CA, April 6, 2011, David Harley

Threat Trends Report

The March Threatsense report at http://www.eset.com/us/resources/threat-trends/Global_Threat_Trends_March_2011.pdf includes, apart from the Top Ten threats:

- a feature article on Japanese-disaster-related scamming by Urban Schrott and myself
- news of the Infosec Europe expo in London on the 19th-21st April, the AMTSO and CARO workshops in Prague in May, and the EICAR Conference in Austria that follows
- the story of a fake AV package passing itself off as an ESET product
- commentary on a premature requiem for the firewall
- commentary on a lo-tech ATM scam reported by Randy Abrams

While the top ten ran like this:

- INF/Autorun
- Win32/Conficker
- Win32/PSW.

San Diego, CA, March 31, 2011, David Harley

More SC Magazine Blogs

In Giving the cybercriminals a helping hand, Randy Abrams discusses how most Facebook app developers are making session hijacking too easy for the cybercriminals. In A tsunami is also a crime wave I talk about the range of cybercrimes that have come out of the Japan earthquakes and tsunami. And in Supporters Club I return to the topic of support desk scams, offering to sell you services to deal with malware that isn't on your system.

David Harley CITP FBCS CISSP, ESET Senior Research Fellow.

San Diego, CA, March 30, 2011, David Harley

TDSS: The Next Generation

Win32/Olmarik (also known as TDSS, TDL, Alureon and sundry less complimentary names) has gone through some interesting evolutions in the last couple of years. TDL4 is no exception, with its ability to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and 7) and perform kernel-mode hooks with kernel-mode patch protection policy enabled. In a new ESET white paper on The Evolution of TDL: Conquering x64, Eugene Rodionov and Aleksandr Matrosov look at the GangstaBucks gang that has been distributing TDSS since DogmaMillions shut up shop, then dive deeper into analysis of the bootkit. You may also find their previous white paper TDL3: The Rootkit of All Evil? and Virus Bulletin article Rooting about in TDSS* of interest.

San Diego, CA, March 30, 2011, David Harley

The Stuxnet Train Rolls On…

… albeit more slowly than previously. Added to the resources page at http://blog.eset.com/2011/01/23/stuxnet-information-and-resources-3 today: A nice article by Mark Russinovich on Analyzing a Stuxnet Infection with the Sysinternals Tools, Part 1.

San Diego, CA, March 24, 2011, David Harley

Fining Support Scammers

The Australian Communications and Media Authority is planning to impose harsh penalties on support desk scammers. (Hat tip to Andrew Hayter for drawing my attention to that item.) According to chairman Chris Chapman, nearly half of all the complaints they've received about calls to numbers on the Do Not Call Register have been about cold-calling scam calls of this type. So they aim to impose penalties of up to $110,000 AUS on telemarketers offering online virus removal and technical support.

San Diego, CA, March 24, 2011, David Harley

SC Magazine: Cybercrime Corner

You may not be aware that ESET writers have been supplying blogs to SC Magazine for a while now. Recently, Randy Abrams and I were drafted in after the original contributors moved on, and we started contributing this week:

Poachers and Gamekeepers considers whether there is a conflict of interest when AV companies work with companies and individuals who are or have been active in the malware research field to the point of writing "malicious" code, in response to some very pertinent ethical questions asked by Kurt Wismer.

Randy asks Who are the cybercriminals?, observing that there are many more types of cybercriminal than those who make the big splash headlines.

AV company, heal thyself looks in more detail at a fake security package that I've mentioned here before, and places it in a wider context.

San Diego, CA, March 24, 2011, David Harley

Facebook Ads: the Likes of You

Many Facebook users are annoyed to discover that their names and faces can be used in sponsored FB ads. Indeed, according to Dan Tynan in IT World, the next phase will be to allow 3rd-party advertisers to do the same thing inside Facebook apps. I'm not a great fan of the FB principle of all your datum are belong to us, but I suppose it isn't unreasonable to make use of your Likes as long as you agree to it. Or in this case, don't opt out.

San Diego, CA, March 24, 2011, David Harley

Another VB Cybercrime Seminar

One that will be of most interest to our readers in the UK, I guess. Our friends at Virus Bulletin are holding another "Securing Your Organization in the Age of Cybercrime" seminar, this time on the Open University Campus at Milton Keynes on the 24th May. The full agenda is already available on that page, and includes some excellent speakers. I was at the previous seminar, which ESET sponsored (and at which our own Juraj Malcho presented), and it was well worth the trip.

San Diego, CA, March 17, 2011, David Harley

More unflattering imitation

Last October, my colleague Tasneem Patanwala blogged about rogue antivirus masquerading as an ESET product. In that instance it was a product calling itself Smart Security, and Tasneem's blog includes lots of useful information about that particular malware, and fake AV in general. Looking through my huge backlog of mail just now, I notice mail from Aryeh Goretsky, another of my colleagues, about a program calling itself E-Set Antivirus 2011. I'll be looking at it in more detail later, but I can tell you now that it has nothing to do with ESET, which has not changed its name and does not have a product called Antivirus 2011.

San Diego, CA, March 15, 2011, David Harley

Hacking by Proxy

The BBC program Panorama last night investigated claims that the News of the World hired a hacker to break into a subject's PC to steal emails. In fact, it appears that the unnamed hacker installed a Trojan on the victim's PC. Which sounds like a fairly unequivocal breach of the Computer Misuse Act, which outlaws unauthorized access and unauthorized modification. I haven't seen the program yet (UK viewers can see it on iPlayer using the link above), so I don't know if the BBC inquisitors who fired questions at Alex Marunchak made any reference to the legality or otherwise of the BBC's own Click programme, which apparently paid several thousand dollars a while ago to rent a botnet in the name of investigative journalism.

San Diego, CA, March 14, 2011, David Harley

BingDings* Force Change of Tune

* Sorry, but I couldn't resist a Crosby reference.

I was more than a little irritated over the weekend – see Faith, Hope, Charity and Manipulation – by Microsoft's use of the Japanese disaster to give the Bing search engine a little extra exposure using a chaintweet technique:

"How you can #SupportJapan – http://binged.it/fEh7iT. For every retweet, @bing will give $1 to Japan quake victims, up to $100K."

San Diego, CA, March 12, 2011, David Harley

The Hole in the Wall Gang*

We've already discussed a lo-tech but surprisingly effective attack on ATM users here and elsewhere. However, Brian Krebs has recently posted on more conventional skimming attacks: Green Skimmers Skimming Green. An interesting and useful comment thread too. However, in view of the mentions there of chip and pin technology, it's worth pointing out that while chip and pin has been pretty successful in Europe and elsewhere in mitigating fraud, it's not the complete answer, as discussed previously here and here.

San Diego, CA, March 12, 2011, David Harley

Disaster Scams and Resources

I've added some commentary and resources on the Japan earthquake/tsunami disasters to an independent blog I maintain that specializes in hoaxes, scams and so forth, but here are a few of the same resources that aren't already included in my recent blogs here on the topic:

- Analysis from Kimberley at stopmalvertising.com: http://stopmalvertising.com/blackhat-seo/recent-japanese-earthquake-search-results-lead-to-fakeav.html
- Guy Bruneau at Internet Storm Center: http://isc.

San Diego, CA, March 11, 2011, David Harley

Disasters: Getting Involved

From my friend Rob Slade. He was writing at the time of the Haiti earthquake over a year ago, but the advice still stands, and not just for those who are uncomfortably near all those fault lines that seem to have been particularly restless in the last year or two.

Thoughts on Haiti, Olympics, and other disasters

There's even an information security angle, though that may seem less significant at times like this.

David Harley CITP FBCS CISSP, ESET Senior Research Fellow.

San Diego, CA, March 11, 2011, David Harley

Japanese Earthquake: inevitable SEO

As you'd expect, there have already been reports of Black Hat SEO (Search Engine Optimization) being used to lure people looking for news of the earthquake and subsequent tsunami onto sites pushing fake AV. (Stop me if you've heard this before…) My colleague Urban Schrott, however, offered some pretty good advice on what to look out for on the ESET Ireland blog even before I started to see reports of actual abuse. I recommend that you take a look at his blog, but I hope he won't mind if I reproduce his short but to-the-point list of things you shouldn't do:

- DO NOT click on social media and email “shocking news” or “shocking video” links.
- DO NOT go to untrusted websites for news.

San Diego, CA, March 9, 2011, David Harley

Stuxnet, SCADA and malware

Kelly Jackson Higgins in a Dark Reading article tells us that Malware Attacks Decline In SCADA, Industrial Control Systems, quoting a report published by the Security Incidents Organization drawing on its Repository of Industrial Security Incidents (RISI) database. One aspect that's attracted attention on specialist lists is the mention of a large US power company that experienced infections of 43 operator and programming stations.

Added to the Stuxnet resources blog at http://blog.eset.

San Diego, CA, March 9, 2011, David Harley

Relying on GPS: which way is the washroom?

The Royal Academy of Engineering yesterday released a report on Global Navigation Space Systems: reliance and vulnerabilities, as reported by Sophie Curtis in eWeek Europe in an article on Britain’s GPS Reliance Could Lead To ‘Loss Of Life’ (who quoted me, by the way, on what could happen in the event of a criminal attack). Well, it's not an entirely hypothetical issue: there are a number of scenarios where jammers are used to disrupt signals for criminal purposes, and there's no absolute reason why the approach couldn't be used for a more dramatic 21st century Italian Job (I think I feel a movie script coming on). Why, apart from the vehicle larceny that already happens, would you (or a criminal version of you) do something like this? Well, one obvious possibility is to disrupt logistics. It doesn’t take much imagination to think of ways in which a victim might, with a combination of a satnav deadspot and physical interference, be herded into a vulnerable location, or law enforcement might be diverted from an active crime scene.

San Diego, CA, March 9, 2011, David Harley

Ginger Rogers hoax

I've been coming across several references to an email and Facebook hoax relating to a YouTube video that's claimed to show 92-year-old Ginger Rogers dancing with her great-grandson. Of course, it isn't: she died in 1995 in her 80s. This isn't a threat: it's a genuine movie and an interesting enough story to stand on its own, so I won't go into it all on the ThreatBlog. However, if you're interested in hoaxes in general and this story in particular, you might want to check out my blog here.

San Diego, CA, March 8, 2011, David Harley

Email malware: blast from the past

It is, as Aryeh Goretsky remarked to me recently in a slightly different context, almost like Old Home Week. He was referring to recent work by a number of luminaries formerly prominent in antivirus research like Eugene Spafford, Ken van Wyk, and even Fred Cohen. But today I'm waxing nostalgic about a piece of malware. Not one of those anniversaries that have filled so many blogs, articles and videos recently (happy birthday, dear Brai-ain….

San Diego, CA, March 5, 2011, David Harley

Stuxnet analyses: more jaw-jaw*, more cyberwar, less precision

Added 5th March 2011 to the Stuxnet resources page at http://blog.eset.com/?p=5945.

- Myriam Dunn Cavelty at Parliamentary Brief Online (29 October 2010): The real cyberwar is about beating the crooks and the spooks
- Myriam Dunn Cavelty and Oliver Rolofs for Munich Security Conference: MSC Booklet Paper: From Cyberwar to Cybersecurity: Proportionality of Fear and Countermeasures

Hat tip to @vmyths, especially for the first article, which I hadn't spotted previously.

San Diego, CA, March 4, 2011, David Harley

Langner, Stuxnet, US and Israel.

Added to the Stuxnet resources page at http://blog.eset.com/2011/01/23/stuxnet-information-and-resources-3 on 4th March 2011:

Ralph Langner at the TED Conference, as summarized by the BBC: US and Israel were behind Stuxnet claims researcher.

As previously mentioned at http://blog.

San Diego, CA, March 4, 2011, David Harley

Here’s my support desk!

I guess someone in the general area of Kolkata reads my blog posts. At any rate, after I posted a blog yesterday bemoaning the fact that I had to do my own systems support, I got a phone call from a gentleman with a pronounced accent wanting to help me with my virus problem.

It's Raining Men (And Wooden Horses)

You didn't know I had a virus problem? Neither did I, but he assured me that I was spraying malware all over the part of town I live and work in. Well, I suppose that explains why I tripped over a Conficker and got fake AV all over my trousers on the way back from the library.

San Diego, CA, March 4, 2011, David Harley

Facebook Spam: the Fifth Wave

My colleague from ESET Ireland, Urban Schrott, reports that the company has seen a megawave of Facebook spams: five separate spams in 24 hours. I've no idea of the numbers involved, but Urban's "think before you click" message is well worth repeating. The post is on ESET Ireland's CyberThreats Daily blog: the company also has a Facebook page at http://www.facebook.

San Diego, CA, March 3, 2011, David Harley

Where’s your IT support desk when you need it?

First of all, the guys at ESET North America have just added a paper to the ESET white papers page at http://www.eset.com/us/documentation/white-papers:

Hanging on the Telephone, by David Harley, Urban Schrott and Jan Zeleznak, February 2011

As if fake anti-virus products weren’t bad enough, nowadays we have unsolicited phone-calls from fake AV helpdesks. ESET researchers tell you more about support scams.

San Diego, CA, March 3, 2011, David Harley

Nice Stuxnet Commentary and Hype Deflation

Some extra resources:

- J. Oquendo takes a cold, clear look on Infosec Island at some of the hype that surrounds the Stuxnet story: Cyberterrorism – As Seen On TV
- Visible Risk, while by no means entirely negative about the Vanity Fair Stuxnet story (see http://blog.eset.com/2011/03/02/more-on-stuxnet), makes an entirely reasonable point about Irresponsible Sensationalism.

San Diego, CA, March 3, 2011, David Harley

Androids and Gingerbread Men

[Update: Just spotted another useful blog, this time by Vanja Svajcer, on the Aftermath of the Droid Dream Android Market malware attack.]

Further to my post yesterday about Android malware, there's an additional resource by Costin Raiu and Denis Maslennikov that you may find interesting and useful, if you have a slightly techie turn of mind. If not, you may be reassured by the fact that all the relevant malware they've seen uses exploits that are restricted to Android OS 2.2 and below: if you have 2.

San Diego, CA, March 3, 2011, David Harley

Social Security Numbers: deja vu all over again

My attention was just grabbed by an Infosec Island post on Social Security Numbers Easily Cracked, by Robert Siciliano. That's because I remembered quite a lot of fuss being made about it back in 2009. And it turns out that the article, though posted today, is actually referring back to an article from July 2009 by Robert Westervelt for SearchSecurity: Researchers predict SSNs, crack algorithm putting identities at risk. Which is fine: there's still an issue, and Siciliano makes one or two interesting points.

San Diego, CA, January 13, 2011, David Harley

Stuxnet Resources Update

Added to the resources blog at http://blog.eset.com/2011/01/03/stuxnet-information-and-resources:

- Report of a Stuxnet-unrelated vulnerability in SCADA software
- A speculative cyberwar link
- Some links on Iranian post-Stuxnet "cybermilitia" recruitment.

http://www.

San Diego, CA, January 12, 2011, David Harley

Changes at ESET

This isn't really Threatblog fodder, but I'd like to take the opportunity to congratulate Richard Marko and Andrew Lee on their accession to ESET CEO superstardom. Richard has been appointed as global CEO of the ESET group, while Andrew has returned to ESET LLC as its CEO. It's good to know, though, that Miroslav Trnka and Anton Zajac, who formerly occupied those positions, will continue to be active within the companies.

David Harley CITP FBCS CISSP.

San Diego, CA, January 12, 2011, David Harley

Thanks for your support scam

...In fact, while the season for the traditional end of year crystal ball-gazing is pretty much over, I'll venture a few extra predictions based on recent observations of the support scam business...

San Diego, CA, January 10, 2011, David Harley

Soothsaying, Forsooth!

If you haven't yet had enough of the crystal balls that have been bouncing all over the media and the blogosphere in the past few weeks...

San Diego, CA, January 7, 2011, David Harley

Facebook Security Lockdown Guide

..."It" is a ZDNet article - well, more like a slide show - by Zack Whittaker, called January 2011: The Definitive Facebook Lockdown Guide...

San Diego, CA, January 4, 2011, David Harley

Stuxnet Analysis 1.31 and TDSS article

...version 1.31 of "Stuxnet Under the Microscope" is now available on the white papers page ... Until now Rooting about in TDSS was only available to VB subscribers, but it too is now available on the ESET white papers page.

San Diego, CA, January 3, 2011, David Harley

Stuxnet Information and Resources

The Stuxnet analysis "Stuxnet Under the Microscope" ... has, unlike most ESET white papers, been subject to a number of revisions as we've come to know more about the malware itself, and as the purposes of its perpetrators have become clearer. However, since all the known vulnerabilities exploited by Stuxnet have now been patched, version 1.3x of the document is likely to be the last substantial revision.

San Diego, CA, January 2, 2011, David Harley

Comment Spammers Welcome

...one interesting trend in blog comment spam that I