Friday 30 December 2016

Ransomware Update

Yes, it has been a while since I posted anything here. Sorry about that, to both my readers. Here are a couple of things that have just come to my attention.

An article by Catalin Cimpanu for Bleeping Computer: It's Almost 2017 and Users Are Still Getting Infected with Malware via Fake AV Software. It includes instances of a Remote Access Trojan and ransomware distributed as security software.

While KillDisk moves from disk-wiping to ransomware - avien.net/blog/2262-2/

David Harley



Thursday 24 November 2016

Support Scams and Diagnostic Services

Every so often I get requests for help from people with a computer problem that may or may not be malware-related.
When I have to refuse help, which is more often than I’d like, I try to refer the people concerned to a more appropriate person or forum, and to suggest they do what they can to ensure that the advice is from a reputable and competent source. I’m more cautious about recommending specific resources, even well-known commercial organizations, unless I’m in a position to confirm their competence and bona fides.
Sadly, this reluctance has been reinforced by accusations against Office Depot, which is alleged to have tricked customers into paying for unnecessary repairs to their systems. I'm not sure it's that simple.
Support Scams and Diagnostic Services: an article for ITSecurity UK.

Saturday 12 November 2016

Apple Security News

News roundup on Apple security issues for Mac Virus.

Recent Apple security news

Includes links to articles on smishing, the move from HFS+ to Apple File System (AFS), and the iOS issue that allows hijacking of phones to make calls, such as the recent calls to 911 call centres. Or centers, if you must. ;) 

David Harley

TeleCrypt

Kaspersky Labs on Telecrypt: The first cryptor to exploit Telegram
Sounds as if data is recoverable without paying the crooks, at present. 
David Harley

Support scammers and TalkTalk

There have been suspicions before that TalkTalk customers have been targeted by tech support scammers who know more about their intended victims (and their issues with TalkTalk) than they should. I’ve alluded to them in some articles on the AVIEN site.
I don’t, of course, know the facts behind those suspicions, but I note that Graham Cluley has encountered another curious incident – I won’t say coincidence…
Brand new TalkTalk customer is targeted by phone scammer – A problem at TalkTalk? Say it ain’t so.
David Harley

Friday 11 November 2016

Ransomware FAQ from Kaspersky

Everything you need to know about ransomware by John Snow, for Kaspersky. I think the title is a bit hyperbolic, but it could be a useful introduction.

David Harley

Monday 7 November 2016

Wire-Wire Scams: Evolution beyond the 419

West African cybercrime nowadays has moved on from unsophisticated 419s to technically-based, effective Wire-Wire attacks on businesses.

See my article at ITSecurity UK for more information and links: Wire-Wire Scams: Evolution beyond the 419

David Harley

HTML5 bug misused by support scammers

An article by Jérôme Segura for Malwarebytes – Tech support scammers abuse bug in HTML5 to freeze computers – describes a variation on the tech support scam ploy of using JavaScript loops to simulate a persistent pop-up ‘alert’. In this case, the attack exploits a bug in the handling of the history.pushState() method introduced with HTML5. According to Segura, ‘the computer that visited this site is essentially stuck with the CPU and memory maxed out while the page is not responding’, though it may be possible to kill the browser process with Task Manager.
Hat tip to David Bisson, whose commentary for Graham Cluley’s blog called the issue to my attention.
David Harley

AV-Comparatives 'next-gen' test

Independent testing of so-called 'next-gen' products is currently quite unusual: indeed, some next-gen vendors have suggested that their products cannot be tested by independent testers. Though apparently it's OK to do your own tests with the methodologies and samples provided by one of the vendors tested. The dangers of that approach are fairly obvious, but I'll certainly be back to that topic in due course.
AV-Comparatives, however, have bitten the bullet and tested four products:
  • Barracuda NextGen Firewall VF100 7.0.1
  • CrowdStrike Falcon Host 2.0.19.3908
  • Palo Alto Traps 3.4.0.15678
  • Sentinel One Endpoint Protection Platform 1.6.2.5021
The overall reviews and the Malware Protection Tests were performed by AV-Comparatives themselves, while the Exploit Test was performed by MRG Effitas.
This review, and others, are available from the AV-Comparatives Business Reviews page.
David Harley

Wednesday 2 November 2016

Tuesday 1 November 2016

Symantec, next-gen and 'single technology'

I tend not to take much notice of product announcements, even ESET's. However, Kevin Townsend's commentary on Symantec's SEP14 is worth reading, and not only because it includes a quote from one of my articles on ITSecurity. ;)

Symantec Unveils Evolutionary Update to Endpoint Protection Offering

Perhaps I should point out that if there is a conspiracy in the so-called first-gen anti-malware industry to use the term 'single technology' as a marketing epithet to attack so-called next-gen products, I didn't get the memo. I suppose you could say that 'multi-layering' is as much a buzzword as 'machine learning', but it seems common sense to me not to put all your eggs in one layer, so to speak. Clearly, I'm not the only security researcher who holds this view, but I'm not in marketing, and my articles on ITSecurity should not be seen as representing anyone's views but my own.

David Harley

Monday 31 October 2016

iOS 10.1.1 fixes Health data bug

Fix for iOS 10.1 health data bug:

https://macviruscom.wordpress.com/2016/10/31/fix-for-ios-10-1-health-data-bug/

David Harley

SANS, Signatures, Next-Gen and DIY Testing

An article by me for IT Security UK that examines how, while SANS has done some good work in security, its forthcoming webcast on next-gen product evaluation is based on fallacies.

SANS, Signatures, Next-Gen and DIY Testing

David Harley

Sunday 30 October 2016

'Expiring AppleID' phish

Graham Cluley describes a 'smishing' campaign (phishing via SMS texts) targeting Apple iOS users, trying to persuade them to access a malicious URL by telling them that 

     'Your AppleID is die to expire Today'.

As the clocks go back, UK Apple users targeted by smishing campaign - Think before you click, and you too can avoid phishers.

Flagged by Simon Rae-Scott.

David Harley

Friday 28 October 2016

Support Scam that Threatens to Delete Hard Drive

Article also posted to AVIEN: Support Scam Threatens to Delete Hard Drive

Siddhesh Chandrayan, for Symantec, reports on a particularly vicious example of social engineering designed to scare a victim into ringing a fake support line:
The pop-up fake alert claims that the victim's system is infected with 'Exploit.SWF.bd' and that the hard drive will be deleted if he or she tries to 'close this page'. It displays a fake ‘hard drive delete timer’ complete with audio effect.
Don't panic! In principle, Javascript like this isn't able to do any such thing: that's a security feature of the language. (There are, of course, other ways of accessing and changing the contents of a client-side disk, but there's no suggestion that any of those mechanisms are at play here.)
The obfuscated script also includes code to ascertain whether the system is running Windows, 'MacOS', UNIX or Linux, so that the alert can be tailored accordingly.
Commentary by David Bisson, writing for Graham Cluley's blog: Scare tactics! Tech support scam claims your hard drive will be deleted - Scammers tries to frighten you into phoning them up.
David Harley

Thursday 27 October 2016

Dumb scammers, smart suppliers

The sophisticated instant scam packages behind low-grade fake helpline scammers.

David Harley

Tuesday 25 October 2016

Trust me, I'm Facebook: I have standards...

Facebook has inconspicuously announced that it intends 'to begin allowing more items that people find newsworthy, significant, or important to the public interest — even if they might otherwise violate our standards.'

More commentary here. 

David Harley

Security Essentials or Support Scam? - AVIEN article

An article for AVIEN, where I run an information resource focused on tech support scams (and another focused on ransomware).

Security Essentials or Support Scam? is about a malicious program flagged by Microsoft. It passes itself off as Security Essentials, but is used to manipulate victims into ringing a fake tech support line in order to fix a fake Blue Screen of Death.

David Harley

Interest rates down, bitcoin stockpiles up

Blog article for AVIEN: Financial institutions amassing bitcoin in anticipation of extortion attacks: avien.net/blog/2163-2/

David Harley

Tuesday 18 October 2016

Fighting fire with fire and hoaxes with hoaxes

NewsThump apparently attempts to reduce the number of Facebook hoaxes by generating a hoax of its own. Where would the internet be without satire?
I thought of sharing this article on Facebook, but was torn between not wanting to mislead people who lack the hoax/satire recognition gene, and not wanting to offend people who would see right through it anyway by explaining that NewsThump isn't a real news site...
David Harley

Support Scams - victim demographics

Interesting statistics regarding the relative proportions of tech support scam victims in various parts of the world.
David Harley

Machine Learning: Nextgen Hit or Myth?

For the Kaspersky blog, explodes some myths about the Machine Learning buzzword.

Commentary by me: Machine Learning: Hot or Hype?

David Harley

Saturday 8 October 2016

Do businesses really pay up ransom?

Can’t Pay, Won’t Pay?

Pointer on AVIEN to an article suggesting not. Katherine Richards is talking about businesses rather than home users: a reasonably good generalist article, though, with commentary from big names such as Ryan Naraine and Paul Vixie.

David Harley
ESET Senior Research Fellow

Decrypters Info added to AVIEN resources

An article by Charlie Osborne for ZDnet/Zero Day includes an alphabetical list of ransomware families for which decrypters are available, with links. It’s not, of course, a complete list (either of remediable ransomware or of reputable sources of decrypters) but the sources it does list are indeed reputable. As we’re seeing an increasing number of less reputable sources misusing SEO, blog comments and so on, that’s not a small consideration. Added to the Specific Ransomware Families and Types and Ransomware Recovery and Prevention pages.
More info in Decrypters info on the AVIEN page. 
David Harley
ESET Senior Research Fellow

Thursday 6 October 2016

Wednesday 28 September 2016

Komplex OS X Trojan

David Bisson for Graham Cluley's blog: Aerospace industry warned of targeted attacks from the Komplex OS X trojan - OS X trojan horse spies upon unsuspecting Mac users.

David Harley
ESET Senior Research Fellow

Saturday 3 September 2016

Ransomware at UK universities and next-gen marketing

For IT Security UK: Ransomware at the University of Hard Knocks. Sometimes it's the data that aren't published that tell you most about a survey.

David Harley

Ethical Hackers - the Next Generation?

I just remembered my Dataholics blog, and put up a short and snarky item on Next-gen Ethical Hacking.

David Harley

Friday 2 September 2016

The Hackable Human: Heimdal on social engineering

The Hackable Human – 6 Psychological Biases that Make Us Vulnerable

Article by Andra Zaharia for Heimdal Security.

Neat classification. Reminds me of a presentation I did for EICAR years ago that might be worth revisiting for a blog at some point. 

David Harley
ESET Senior Research Fellow

Wednesday 31 August 2016

Tuesday 30 August 2016

AV-Test looks at Android parental control apps

Here are the results of a recent test by AV-Test asking (and answering) the question 'Is security software for Android with parental control functions sufficient to protect our children or is it better to have a special parental control app?'

Test: Parental Control Apps for Android

David Harley
ESET Senior Research Fellow 
(This isn't an ESET blog, but since ESET did well in the test I guess I should point out that I work with ESET as a consultant, though I have nothing to do with their marketing or product development.)

VMWorld commentary from ESET

Cameron Camp for ESET:

VMWorld: Do you know where your data is?

David Harley
ESET Senior Research Fellow

OSX/Keydnap spread via Transmission app

ESET researchers say:

‘During the last hours, OSX/Keydnap was distributed on a trusted website, which turned out to be “something else”. It spread via a recompiled version of the otherwise legitimate open source BitTorrent client application Transmission and distributed on their official website.’

OSX/Keydnap spreads via signed Transmission application

Trend Micro: Locky as encrypted DLLs

Trend Micro: Locky Ransomware Now Downloaded as Encrypted DLLs

Added to AVIEN resource page.

David Harley
ESET Senior Research Fellow

'Fairware' Linux Ransomware

Reported on Bleeping Computer here.
Description by David Bisson for Tripwire: Website Down? New FairWare Ransomware Could Be Responsible
David Harley
ESET Senior Research Fellow

Support Scammers Taking the Shine off Chrome

For Malwarebytes, gives details of some tricks currently used by tech support scammers to deceive Chrome users. Tech support scams and Google Chrome tricks
Commentary from Help Net Security: Google Chrome users targeted by tech support scammers 
David Harley
ESET Senior Research Fellow

Sunday 28 August 2016

Ransomware - reorganized AVIEN resource page

I’ve intended for a while to break out some of the scattered information in the ransomware resource page and sub-pages into its own Ransomware Recovery and Prevention page.
And finally got around to it.
Much of the same information (and more) remains in the Ransomware Resources page and/or sub-pages. (Sorry, but I’m happy to duplicate information where appropriate. If I had more time to spend on this page, there’d probably be less duplication, but I haven’t…)
However, the new(-ish) page is better organized and more immediately useful (I hope) for people who are interested in barebones recovery and prevention information.
David Harley
ESET Senior Research Fellow

SC Magazine & paying ransomware

In an article called Ransomware locks experts in debate over ethics of paying, Bradley Barth picks up on a point I made in my blog article for ESET - Ransomware: To pay or not to pay?. He quotes both my article for ESET and some subsequent commentary by my friend and colleague Stephen Cobb. I may come back to this elsewhere, possibly AVIEN.

David Harley
ESET Senior Research Fellow

Google: easier access to content on mobile

Google: Helping users easily access content on mobile

Takes two approaches, the latter maybe more security-related.

  • One relates to the removal of the mobile-friendly label, since most sites now meet that criterion, so the removal is seen as reducing clutter.
  • The other introduces measures to reduce the impact of intrusive pop-ups and standalone interstitials that obscure the content. 
Commentary from the BBC here.  

HT to BPB

David Harley
ESET Senior Research Fellow

Friday 26 August 2016

Quick round of ransomware links on AVIEN

Ransomware links posted on AVIEN: http://avien.net/blog/quick-links-roundup/

Also added to ransomware resources pages.
  • Alma
  • Globe
  • Wildfire
David Harley
ESET Senior Research Fellow

Thursday 25 August 2016

Lysa Myers: staying safe on social media

Lysa Myers for ESET on how to improve privacy and security on social media: http://www.welivesecurity.com/2016/08/25/give-social-media-security-boost/

David Harley
ESET Senior Research Fellow

'Next-gen' survey fails to convince

Kevin Townsend: Vendor Survey Fails to Convey Prevalence and Effect of Ransomware

Next-gen propaganda marketing impersonating a survey... I suspect I'll be coming back to this.

DH

Android botnet controlled via Twitter

ESET: First Twitter-controlled Android botnet discovered

'Detected by ESET as Android/Twitoor, this malware is unique because of its resilience mechanism. Instead of being controlled by a traditional command-and-control server, it receives instructions via tweets.'

David Harley

Tuesday 23 August 2016

DetoxCrypto ransomware

DetoxCrypto ransomware - AVIEN

Commentary by David Bisson for Graham Cluley’s blog: DetoxCrypto ransomware-as-a-service rears its ugly head
Info added to resources pages.
David Harley
ESET Senior Research Fellow

Equation Group - NSA dumper native English speaker?

Darren Pauli for The Register: 'NSA' hack okshun woz writ by Inglish speeker trieing to hyde - Linguist says perps of zero day dump wanted to pose as gramatically-incorrect aliens.

He's summarizing linguistic analysis by Shlomo Argamon of text from 'ShadowBroker' as posted on Pastebin. Argamon concludes that '...the author is most likely a native speaker of US English who is attempting to sound like a non-native speaker by inserting a variety of random grammatical errors.'

You may not be convinced by the conclusion, especially if you're as wary of attribution as I am, but you may well find the analysis interesting nonetheless, if you're not familiar with textual analysis methodologies. And the theory would dovetail with the speculation that the perpetrator was actually an insider: Former NSA Staffers: Rogue Insider Could Be Behind NSA Data Dump.

David Harley
ESET Senior Research Fellow

Monday 22 August 2016

Ransomware: Paying v. Not Paying

An article by me for ESET, sparked off by a conversation with Kevin Townsend, in the wake of research commissioned by Malwarebytes, on the pros and cons of paying to get your data back after a ransomware attack.

Read more here: Ransomware: To pay or not to pay?

David Harley
ESET Senior Research Fellow

Socket to Me: More IoT Insecurity

Bitdefender: Hackers Can Use Smart Sockets to Shut Down Critical Systems

Richard Chirgwin for The Register:

‘… a “smart” electrical outlet that's actually a whole-of-network attack vector.’

David Harley
ESET Senior Research Fellow

Friday 19 August 2016

AV-Test on Android security apps

Davey Winder asks some interesting questions about AV-Test's latest test of Android security apps. Is Android as easy to secure as the latest AV-TEST results appear to suggest?

A number of people, including ESET's Mark James, attempt to answer those questions, but unfortunately the article boils them down to soundbites. Maybe I'll come back to this one.

David Harley
ESET Senior Research Fellow

Marcher Trojan Impersonating Android Update

David Bisson for Graham Cluley's blog on Marcher Trojan impersonating Android update: New firmware update? No, it's the devious Marcher Android trojan up to no good - Android-based malware comes with new tricks, bells, and whistles.

Based on ZScaler research: Android Marcher: Continuously Evolving Mobile Malware.

David Harley
ESET Senior Researcher

Apteligent Evaluating Android

https://macviruscom.wordpress.com/2016/08/19/apteligent-evaluating-android/

Prompt updating, crash rates...

David Harley
ESET Senior Research Fellow

Thursday 18 August 2016

ESET: Nemucod serves nasty package: Ransomware and ad-clickers

ESET: Nemucod serves nasty package: Ransomware and ad-clickers

David Harley
ESET Senior Research Fellow

Text fraud - parents told their child in hospital

SC Magazine: Text scam victimises parents, claiming kids have been in an accident

'Action Fraud says victims receive a text from a loved one saying they're in a hospital and the only way to make contact is via text message.'

Commentary by David Bisson for Graham Cluley: A new low! SMS scammers prey on parents' fears to make a few bucks

David Harley
ESET Senior Research Fellow
Wheal Alice Music

Wednesday 17 August 2016

AVIEN ransomware updates

As I'm a little busy elsewhere right now, this is just a roundup of ransomware-related links:
http://avien.net/blog/ransomware-linksarticles-roundup/

David Harley
ESET Senior Research Fellow

Saturday 13 August 2016

New Amazon author page

Not sure what happened to my old author page on Amazon, but there's now another. Not that I plan on writing any more books right now.

David Harley
ESET Senior Research Fellow

Malwarebytes: Decrypting Chimera ransomware

Extract: 'We’ve recently wrote about the leak of keys for Chimera ransomware. In this, more technical post, we will describe how to utilize the leaked keys to decrypt files. Also, we will perform some tests in order to validate the leaked material.'

David Harley
ESET Senior Research Fellow