Category Archives: Antivirus Vendors

Antivirus Vendors

It Isn’t Ransomware, But It Will Take Over Your Server Anyway

In this week’s Tales From Ransomware, we take a look at a ransomware that isn’t really ransomware. Nor even malware. But it can hijack your server anyway.

A few days ago we saw a typical Remote Desktop Protocol (RDP) attack, which lead us to believe that it was a similar attack to the one we told you about a few months ago which cybercriminals are using to infect devices with ransomware. But we were very wrong.

First of all because instead of encrypting data, it locks the desktop with a password that the victim doesn’t know. Secondly, it does not demand a ransom (!) in exchange for the credential, but rather seeks to keep the device locked for as long as possible so that it can be used for bitcoin mining for as long as possible. And thirdly, it doesn’t use malware as such.

Once they’ve gained access to your machine by brute force (this particular server was fielding 900 attempts daily) the attacker copies a file called BySH01.zip. This in turn contains:

  • BySH01.exe (executable through AutoIt)
  • 7za.exe (goodware, the well-known free tool 7zip)
  • tcping.exe (goodware, a tool for performing TCP pings)
  • MW_C.7z (a compressed password-protected file), which contains:
    • An application –goodware for bitcoin mining
    • An application –goodware for blocking the Windows desktop

The attacker runs the BySH01.exe file, and the following interface appears:

Кошелек – Wallet; Имя воркера – User Name; Количество ядер – Number of cores; Пароль – Password; Локация – Location; Пусть установки – Installation path; Расширения системы – Processor Extension; Порт – Port; Добавить в автозагрузку – Add to startup; Установить – Install; Удалить – Delete; Тест – Test; Пинг – Ping; Локер – Locker

With the help of our colleagues at Panda Russia, those of us who don’t know Russian can get an approximate idea of what its telling us with the above word list.

Basically, the bitcoin mining application uses this interface to configure how many cores to use, what extension of processor instructions to use, what “wallet” to send the bitcoins to, etc. Once the desired configuration is selected, the attacker clicks on Установить to install and run the bitcoins mining application. The application is called CryptoNight, which was designed for mining bitcoins using CPUs.

Then they click on Локер, which installs and runs the desktop lock application. It is the commercial application Desktop Lock Express 2, modified only so that the information shown in the properties of the file are the same as those of the system file svchost.exe. Finally it clears all the files used in the attack except CryptoNight and Desktop Lock Express 2.

Desktop Lock Express 2, the application used by the attackers.

We detected and blocked several attacks in different countries. Examples such as this one show how, once again, cybercriminals take advantage of weak passwords that can be guessed using the brute force method over a given period of time. Malware is no longer necessary to gain access to the system, so it’s up to you to use a robust password that will keep out unwanted visitors.

Tips for the System Admin

In addition to using a solution like Adaptive Defense, which detects and prevents this kind of attack, a couple of tidbits of advice for all administrators who have to have an open RDP:

  • Configure it to use a non-standard port. What 99.99% of cybercriminals do is track all Internet on TCP and UDP ports 3389. They might bother to track others, but they do not have to, since most do not change these ports. Those who do change ports do so because they are careful about security, which probably means that their credentials are already complex enough to not be gotten by brute force within any reasonable amount of time.
  • Monitor failed RDP connection attempts. Brute force attacks can easily be identified in this way, since they use automated systems and can be seen making a new attempt every few seconds.

The post It Isn’t Ransomware, But It Will Take Over Your Server Anyway appeared first on Panda Security Mediacenter.

What You Need To Know About The iMessage Security Flaw

With everything that’s gone down in 2016 it’s easy to forget Tim Cook’s and Apple’s battle with the FBI over data encryption laws. Apple took a strong stance though, and other tech giants followed suite leading to a victory of sorts for (the little guy in) online privacy. In this era of web exposure, it was a step in the right direction for those who feel our online identities are increasingly vulnerable on the web.

All of this stands for little though when a security flaw in your operating system allows carefully encrypted messages to be effectively decrypted offline. That’s what happened to Apple with its iOS 9.2 operating system. Though the patches that ensued largely fixed the problem, the whole issue has understandably left iOS users with questions. What really happened and are we at immediate risk?

What Is The iMessage Security Flaw?

A paper released in March by researchers at John Hopkins University exposed weaknesses in Apple’s iMessage encryption protocol. It was found that a determined hacker could intercept the encrypted messages between two iPhones and reveal the 64-digit key used to decrypt the messages.

As iMessage doesn’t use a Message Authentication Code (MAC) or authenticated encryption scheme, it’s possible for the raw encryption stream, or “ciphertext” to be tampered with. iMessage instead, uses an ECDSA signature which simulates the functionality. It’s still no easy feat exploiting the security flaw detailed by the researchers. The attacker would ultimately have to predict or know parts of the message they are decrypting in order to substitute these parts in the ciphertext.

Using this method, a hacker can gradually figure out the contents of a message by replacing words. If they figure out, for example, that they have successfully replaced the word “house” in the message for “flat” they know the message contains the word “house”. Knowing whether the substitution has been successful though, is a whole other process which may only be possible with attachment messages.

It may sound simple, but it really isn’t. The full details of the security flaw, and the complex way it can be exploited are detailed in the John Hopkins paper.
The paper includes the recommendation that, in the long run, “Apple should replace the entirety of iMessage with a messaging system that has been properly designed and formally verified.

Are iMessage Users At Immediate Risk?

Despite the recommendation, the answer is no. It is very unlikely. One thing that should be made clear is that these weaknesses were exposed as a result of months of investigation by an expert team of cryptologists. The type of hacker that would take advantage of these weaknesses would undeniably be a sophisticated attacker. That of course doesn’t mean that Apple shouldn’t take great measures to eradicate this vulnerability in their system.

Your messages, though, are not immediately at risk of being decrypted, and much less if you’ve installed the patches that came with iOS 9.3 and OS X 10.11.4 (though they don’t completely fix the problem). Tellingly, the flaws can’t be used to exploit numerous devices at the same time. As already mentioned, the process that was exposed by the John Hopskins paper is incredibly complex and relies on various steps that are by no means easy to complete successfully.

All of this means that it would take a very sophisticated attacker a complex and lengthy process (up to and beyond 70 hours) to decrypt one message. iMessage has a supported base of nearly one billion devices and handles more than 200,000 encrypted messages per second. We’ll let you do the math there but it seems highly unlikely that a hacker would try to exploit this weakness unless they’re trying to uncover very sensitive and important data.

A hacker would most likely carefully vet their target as someone who possesses valuable information that could then be contained within that person’s messages. If a hacker’s investing 70 hours of their time to uncover cat pics, the joke’s really on them.

Could this have any connection with the FBI encryption dispute?

Matthew D. Green, the well-known cryptographer and leader of the John Hopkins research team, has spoken with the Washington Post about the implications of his team’s research. “Even Apple, with all their skills -and they have terrific cryptographers- wasn’t able to quite get this right. So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.

So you’d probably need the resources of say, the FBI, to pull off an attack exploiting the vulnerability exposed in the John Hopkins paper. It seems very unlikely that individuals would be targeted en masse. 2016 has been such a surreal year though, who are we to say what is and isn’t possible?

The post What You Need To Know About The iMessage Security Flaw appeared first on Panda Security Mediacenter.

Pirate Party: the Future of Politics?

Could Iceland’s Hacker-founded Pirate Party be the Future of Politics?

So, Donald Trump is president of the leading world power. Yes, that really happened. While the jury is still out on the reasons behind the new president’s rise to power, many believe it’s down to a sense of apathy towards left wing politicians, in this case Hillary Clinton and the Democrats, who would otherwise be the traditional harbingers of progress and change.

One political movement however, is trying to do away with this apathy by embracing something that we’re all about here at Panda Security: online privacy and security on the web!

Introducing Iceland’s wing of the Pirate Party.

Okay, you’ve most likely heard of them already as 2016 is looking to have been a watershed year for them, having tripled their seats in Iceland’s parliament during October’s elections.

This party have really caught our attention though, and that of many others worldwide, with the way they are embracing technology and highlighting how it can play a much much larger role in the future of democracy.

The Pirate Party can be considered a worldwide movement, with branches cropping up all over, including in the UK, Australia and the US.

The first iteration of the party was founded in Sweden by Rick Falkvinge in 2006 after the Pirate Bay torrent website was raided by police. The fact that visitors to the website more than doubled due to media exposure following the raid, was enough of a signal that legislation was out of touch with public opinion when it came to online distribution and surveillance laws. And so was named, Sweden’s Pirate Party.

How did Iceland’s Pirate Party become so popular?

Iceland’s Pirate Party is based on the Swedish party’s model, however, it has its own ideas about issues like data protection as well as how Iceland should be run as a country. Their propositions seem to be appealing to an Iceland that is increasingly looking to break from the status quo.

Birgitta Jónsdóttir, a former Wikileaks volunteer, co-founded Iceland’s Pirate Party in 2012 along with other prominent activists and hackers. According to Jónsdóttir, Iceland’s Pirate Party can sense the winds of change and they see a future of technology-centered upheaval. In a recent interview she said, “we have to be innovative to fight against political apathy”.

But what does she mean by this? Well, the Pirate Party are very much working within the political system to advocate a peaceful political revolution based on greater political transparency, and a grass roots approach to politics. Think Mr.Robot gone mainstream.

The Pirate Party want to increase public participation in common-decision making by giving them direct access to the process via the Internet. Under their system, the public would be able to propose and veto legislation using the party’s online voting system.

Jónsdóttir has also gone on record saying the Pirates would implement propositions such as the United Nations’ proposed resolution, ‘The right to privacy in the digital age’. The resolution, aimed largely at addressing and curbing world governments’ illegal surveillance methods has, for all intents and purposes, been largely ignored by world governments.

The party’s success and recent popularity also comes after the backlash the traditional parties in Iceland have suffered following the 2008 financial crisis and, most recently, the stepping down of the country’s prime minister, Sigmundur Davíð Gunnlaugsson, following his implication in the Panama Papers scandal. Many Icelanders feel it’s time for change and that the Pirate Party are

But they’re hackers!

In a recent interview, Jónsdóttir said “we do not define ourselves as left or right but rather as a party that focuses on [reforming] the systems. In other words, we consider ourselves hackers.”

But what questions does this bring up? Hackers are bad right?

Well, yes and no. A hacker can be defined in various ways; it could be someone who breaks down firewalls and retrieves information, often illegally, or someone who finds simple solutions –a hack- to everyday problems. The Pirate Party propose themselves as the latter, a party that will introduce simple hacks to problems they feel the current system refuses to deal with.

Many questions still arise as to how their vision of Iceland’s future would function in the real world. Increasing democratic reach through the use of the Internet seems like a logical step in this technological age, but what are the dangers? In this future world, could a DDOS attack bring government to a halt? Could a malicious hacker bypass encryption and twist legislation by altering online poll results in their favor? Would transferring the democratic process onto the web empower hackers in new unconceivable ways?

In a recent interview, Ben de Biel, a spokesperson for Berlin’s Pirate Party claimed, “the established parties browse the Internet but we work with it.” Whilst any Pirate Party coming to power would lead to unprecedented change, Iceland’s is the closest to getting there. Their plans, if put into action, could lead to very positive change in digital privacy laws, however, they would also bring to light an increasing necessity for cyber security in an age that is becoming more and more technology reliant.

The post Pirate Party: the Future of Politics? appeared first on Panda Security Mediacenter.

Why Your Business Needs a Security Strategy for Social Networks

In 2017, it’s not easy to find a company that doesn’t have any sort of presence on social networks. A Twitter account, a Facebook page, and a lot of Instagram photos come standard in any business’s digital communications pack.

Added to this are all of the employees who access their own accounts during work hours. Despite all this activity, there are still plenty of corporations that don’t regulate it, putting their own security at risk.

According to a recent study by the Pew Research Center, around 50% of the companies analyzed have no briefing for social media use within the company.

Businesses that don’t take this security issue seriously are exposing themselves to a diversity of threats. First, they may witness their own employees leaving negative posts about the company from their work stations. Worse still, they could publish confidential corporate data.

Aside from avoiding potential scenarios in which lead to a corporate crisis, the main goal of a social network strategy should be too clearly define what your employees are permitted to do on them during work hours. One of the premises that should be clearly established is to not follow links whose origin is unknown or untrusted.

In that way, and with the right protection, it is possible to avoid some of the risks hiding in the deepest corners of social networks. Phishing attacks, spam, or any type of malware could jeopardize corporate secrets. A clear policy for Twitter & Company is critical.

Best social network practices could also increase productivity. This is demonstrably true, according to the same Pew Research study, as we see that 40% of employees at a company with no such policy use social platforms to relax a bit.

On the other hand, when a clear policy is in fact in place we see the number drop to 30%. Not only, then, are we avoiding risks, but also promoting a more professional work environment. Does your business have rules for the use of social networks in the workplace?

The post Why Your Business Needs a Security Strategy for Social Networks appeared first on Panda Security Mediacenter.

The Trojan horse of smart home security

Every year before the biggest consumer holidays: Black Friday, Cyber Monday and Christmas, technology blogs rush to create lists with the hottest gadgets and the best deals to watch for. The end of 2016 was no exception, only this year, everything on those lists seemed to have “Smart” attached to it – thermostats, vacuum cleaners, security cameras, voice control virtual assistants, lights, doorbells, TVs – all “Smart”.

This is just the tip of the iceberg, as the market for smart home devices is estimated to be $83 billion by the end of this year, rising to $195 billion by 2021. Gartner predicts the average family house will contain more than 500 smart devices by 2022. I think it’s safe to say that the smart home devices are here to stay.

While the advantages of having a connected home are clear: Starting your vacuum from miles away or automatically turning on your lights when you arrive home, many people are not aware of security risks that come from welcoming such connected devices into our homes.

The problem is that many of these devices have serious security flaws. A simple Google search on “IoT hack” or “smart device hacks” reveals an unbelievable amount of vulnerable devices and ways to hack them. Problems range from having no traffic encryption, to hidden back doors into the firmware, to “super secure” default username/password combinations such as admin/admin. All these security flaws make it easy for hackers to take control of these devices.

This could translate into more than just someone turning your lights on in the middle of the night. By compromising one device, hackers could get access to your entire network, and by snooping on your internet activity they could get access to personal info such as your bank account, social media profile, emails, or personal photos. Needless to say that that would be a bit more than a mild inconvenience.

So how can you protect your network?

Meet ALLY, a smart and secure router ready for the growing security needs of the connected home. ALLY is developed by Amped Wireless and secured by AVG.

We believe the best way to protect your family and your smart devices is by securing your connected home right at the internet access point, the router. This is why we worked together with Amped Wireless, the leading manufacturer of high power, long range wireless solutions, to provide a router that is both capable of delivering Wi-Fi in every corner of your home and offering great security for all your IoT devices.

Thanks to AVG’s security solution, ALLY can stop threats in their tracks blocking malware links before they even load on your devices.

Having AVG security embedded on the router, you are adding an extra layer of security for all your connected devices. This is especially important for those vulnerable devices which cannot be protected by an antivirus such as webcams, thermostats, lights, doorbells, …

And there’s even more. Ally also comes with an easy-to-use smartphone app that lets you access useful parental control features such as content blocking, app blocking, scheduled internet curfews, and pausing the internet during family dinners.

Take the first step into protecting your smart home.

Check out ALLY now.

ALLY is a product built on Chime

Shadow IT and "No" versus "Know"

In an information-based economy where bring-your-own devices (BYOD) and, increasingly, bring-your-own applications (BYOA), are the norm, IT groups are struggling to enable their organizations to be fast and flexible while protecting their digital assets. Shadow IT,  also  referred to as rogue or cockroach IT, emcompasses the devices, software, and services outside the ownership or control of IT groups. While Shadow IT poses a significant threat to the management and security of organizations, it can also be a source of speed, agility, and freedom to enable business success.

The Cruelest Ransomware Propagates Like a Meme

A link shows up in your inbox from a colleague that you never really hit it off with, or a cousin you’re on the outs with. You open it, and the cat’s out of the bag: you’ve been infected with a ransomware that has abducted all of the files on your computer.

This new malicious software is called Popcorn Time and its purpose is to get the victim to collaborate with the cybercriminal to infect new users. It is particularly cruel because, aside from demanding a 1 bitcoin payment (about $900 as of this writing) to return access to the encrypted files, the victim is offered the chance to recover the files for free if they contribute to its propagation.

Infecting Others to Free Yourself

The victim will be able to share the Popcorn Time download link with other users. If two of the newly infected decide to pay the ransom or pass the chain along, the accomplice will receive a code to unblock their files.

Essentially, Popcorn Time works like any other ransomware — it infects computers and encrypts its files. The twist lies in the morbid way it spreads itself that enables cybercriminals to take advantage of the word-of-mouth phenomenon.

“The model for getting it off your system is sort of a pyramid scheme, multi-level marketing style approach,” explains Kevin Butler, security expert at the University of Florida. “It could certainly make for some interesting discussions amongst one’s group of friends if you’re trying to figure out who infected you with this malware.”

How can you protect yourself from Popcorn Time?

Dissemination strategies like this one may not have such a significant impact as they seem to have at first glance. Is it easier to propagate a malware by asking for the collaboration of users, or by sending mass emails that get to many recipients quickly and at the same time?

One way or another, it’s crucial to be protected in the face of such dangerous threats as Popcorn Time, whether or not they propagate as a viral phenomenon. Keeping our operating systems updated, not clicking on suspicious links — even if an acquaintance has sent it — and keeping a good cybersecurity solution installed — this is some of the advice to be followed if you want to avoid having your files abducted by a cybercriminal.

The post The Cruelest Ransomware Propagates Like a Meme appeared first on Panda Security Mediacenter.