Friday, 25 October 2013

Solutions to current antivirus challenges

The detection and blocking of malicious code employed by modern threats, whether targeted attacks or mass-spreading campaigns, has been a game of cat-and-mouse with the perpetrators for some time now. And even though we are seeing shifts in the threat landscape and new malware trends, the “malware problem” is still very much with us. To be clear, most malware writing today is performed by, or purchased by, cross-border criminal organizations. We are no longer faced with a few over-enthusiastic individuals. That means most malware attacks are functional and to some degree effective, in other words: people get infected. These attacks are generally low-risk and often very profitable.

The development of anti-malware defenses

As malicious code threats have evolved over the years, so have the technologies deployed to protect against them. The traditional concept of an “anti-virus” program has evolved into more comprehensive “security suites.” These suites include, in addition to traditional anti-malware scanners, firewalls, HIPS (Host Intrusion Prevention Systems), and other technologies.
One of the reasons such multi-layered protection is necessary is that the “bad guys” have the advantage of only needing to find one hole in our defenses, while companies and consumers need protection across many different points of attack. Security companies like ESET are consistently monitoring the evolution of malware families and collecting new samples of malicious code. The servers in the ESET Security Research Lab receive over 200000 unique malicious binaries every day, malware detected proactively, that we have never seen before. Even so, we don’t really see all the cards in the game. Malware writers, on the other hand, have access to all of the commonly used security solutions. They use this access to tweak their code so that it is harder to detect when it is released.
Of course, our job is to defeat that process. We want to make it impossible, or at least more difficult and expensive, for malware writers to craft code that is not detected. This requires additional layers of security that introduce creative strategies that can catch malicious code which might evade basic defenses.
One strategy that has been around for some time is advanced heuristics, explained in detail by Righard Zwienenberg on There is also an ESET white paper on basic heuristics. In this article we expand on the heuristic approach, and introduce some additional strategies that security software can deploy to combat malware. We begin by explaining several particularly challenging techniques used by malware writers today.

Malware protectors

The main technique employed by malware writers in order to avoid detection by antivirus software is the use of various “protectors” or run-time packers. You can think of these protectors as outer shells of the executables that hide the inner payload from inspection, and therefore detection, by basic anti-virus scanners.
That explains why, out of the many thousands of fresh malware samples that we see daily in our lab, relatively few contain new functionalities. Most of those daily unique samples are repackaged versions of existing malware families. The frequent repacking of malware variants is also known as server-side polymorphism.
An antivirus program that relies solely on simple hash-based signature detection of previously known malware can be defeated by the ever-changing malware. Furthermore, such detection is very inefficient. That is why a great amount of research has been done in order to crack that outer shell of malware protection using emulation. The idea is to run potentially malicious executables in a virtual environment or sand box, where they won’t be able to cause damage to the system and user, but will become unpacked and can be caught by the anti-virus engine.
While this might sound simple in theory, in reality there are several challenges that must be overcome for this to work, and a number of potential drawbacks that must be taken into consideration:
  • The malware can attempt to hinder emulation, for example by use of uncommon instructions or API functions, which the emulator didn’t expect and can’t handle correctly.
  • The malware can detect it is being run in a virtual environment and either stop executing or continue in a benign mode to avoid detection.
  • Even if the code is emulated correctly, it can still be obfuscated in such a way that it hides its malicious functionality and its detection is still problematic.
  • Emulation or any virtualization technology always carries with it some negative performance impact.
One significant method for improvement of emulation (with respect to the problematic aspects mentioned above) is by employing binary translation.
One of the most infamous banking Trojans, Zeus (detected by ESET as Win32/Spy.Zbot) is a good example of how repacking with various protectors has proven to be effective for the bad guys. This is malware that has been widely known for at least six years and its source code was leaked back in 2011. Yet Zeus often succeeds in evading detection by anti-malware scanners, because of the advanced packers used by the gangs that build and operate Zeus.
For cases when inspection of the protected and obfuscated sample prior to its execution is not successful, antivirus software has one last chance of detecting it: when it is running in memory in a decloaked state. Yet again, the challenge for security companies lies in triggering appropriate memory scanning as soon as possible, so that the malware causes minimal damage. This needs to be done with as little negative impact on system performance as possible.

Exploitation as an infection vector

Clearly, it is more desirable to prevent a malware infection even before it sets foot on the target system. There are many different infection vectors and, like malware itself, these have also evolved over time. However, generally they can be grouped into two categories:
  • With user interaction: the victim is led to the infection through social engineering
  • Without user interaction: mostly through exploits of software vulnerabilities
The subject of social engineering is a broad one and is a frequent topic of We Live Security blog posts. Here we will focus on software exploitation, without user interaction.
A typical scenario is that a user navigates to a webpage, subverted by an attacker, that contains a malicious script calling an exploit pack or exploit kit (something we have covered in various articles). Simply put, the exploit pack is a web app that will first check the potential victim’s software versions. This can be accomplished by legitimate scripts, such as PluginDetect. Then, if an unpatched, vulnerable version is detected, an exploit will be served and malicious code can be executed on the system without the user ever noticing anything. From the attacker’s point of view this is a very effective way of infecting even the more cautious users. For this reason, the underground market where cybercriminals buy exploit kits and new software vulnerabilities is thriving.
The obvious protection against these kinds of attacks is to patch the software vulnerabilities, but unfortunately people patch slowly and some don’t patch at all. Furthermore, patching is not effective against zero-day exploits, those that are unknown to the affected software vendor and for which no patch is available at the time of the attack.
Signature-based detection can be used to detect exploit code, but it suffers from the same shortcomings as when used against “regular” malware, so more generic detection and mitigation approaches are needed.
One example of a mitigation tool is EMET (Enhanced Mitigation Experience Toolkit) from Microsoft. EMET makes life much more difficult for exploits (in fact, renders many of them defunct) by protecting against common techniques used by exploits and forcing built-in Windows security measures, namely DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization) and SEHOP (structured exception handler overwrite protection).
Modern antivirus solutions introduce a more generic behavior-based approach, inspecting the very act of exploitation and checking if, for example, a (malicious) process is spawned in a suspicious manner that‘s not typical for the host application. This technology can block advanced and reliable exploitation techniques, typically bundled in today’s professional exploit kits.
One of such examples is CVE-2013-0641, which was the winner of the 2013 Pwnie Awards at the BlackHat conference for the most technically sophisticated and interesting client-side bug. This exploit targeted Adobe Reader and was able to escape its sandbox. Apart from PDF readers, the other most exploited applications by malware include internet browsers and their plugins, Flash players, Java and MS Office components. This kind of approach can also help prevent zero-day exploits.
But blocking exploits doesn’t only have to take place at the process level. For example, many worms still rely on network protocol vulnerabilities in order to spread. While there are many more fresh examples of this, the most infamous one is probably the Conficker worm exploiting MS08-067 through a specially crafted RPC call. Despite the fact that this vulnerability has been patched for 5 years now, our LiveGrid telemetry shows us that the exploit is still widely used in the wild. This indicates that adding another, network layer to the protection stack, is also beneficial.


We’ve addressed some of the technical tricks that malware authors use to successfully infiltrate target systems without being detected. The descriptions above apply both to mass-scale attacks, as well as customized targeted attacks, with an important side-note. A targeted attack is much more difficult to prevent, since the attacker knows his victim and can tailor the attack using very focused social engineering and exploits against the exact software that the victim is running, and so on. Targeted attacks especially highlight the importance of multi-layered security and the usefulness of generic exploitation detection.

Cyberattacks against major firms “double in one year”, report warns

Cyber attacks have doubled in the year 2012-2013, according to a fraud report released by investigators Kroll – and a third of large companies still do not invest in security.
In a poll of senior executives from large, global companies, Kroll found that 35% of firms had been victims of external hackers. The figure for the previous year was 18%, according to a report by the Financial Times.
Cybercrime now hits one in five companies worldwide, according to data released by investigations firm Kroll – with information theft now causing major losses to many large companies.
Such attacks are typically “an inside job”, Kroll claims – in 39% of cases, the attacker is known to the firm, up from 37% last year.
Theft of information, such as in data breaches where usernames and passwords are stolen, is now second only to physical theft in terms of frauds suffered by companies worldwide.
It’s unclear, though,, whether such attacks are rising at enormous speed – or simply that companies are now aware they have happened.
“Companies are now far more aware of the situation and can identify what’s going on” said EJ Hilbert, Kroll’s UK head of cyber investigations. “But also there’s a lack of understanding of how [the attacks are] done.”
Just 68% of companies polled reported that they invested in IT security – with a third not investing at all.  Kroll said, “This  raises the question of how exposed the other third might be.”
ESET Researcher Stephen Cobb offers advice on securing valuable data in a blog here.
Kroll’s poll found that 75% of respondents felt “vulnerable” to hacking. Kroll polled 900 senior executives from large companies around the world, many with revenues over $500m.
Ironically, Kroll  may have been victims of information theft, according to a report by Brian Krebs – by hackers linked to the recent breach of Adobe’s systems.
“KrebsOnSecurity first became aware of the source code leak roughly one week ago,” Krebs wrote, “When this author – working in conjunction with fellow researcher Alex Holden, CISO of Hold Security LLC – discovered a massive 40 GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll. The hacking team’s server contained huge repositories of uncompiled and compiled code that appeared to be source code for ColdFusion and Adobe Acrobat.”

Warning over “risky” behavior of under-12s online – and parents need to take action, safety group says

Children indulge in highly risky behavior online – with nearly one in five 9-11 year olds having physically met strangers they encountered online.
In half of those cases, the children went alone – and 18% of pupils surveyed reported feeling “personally uncomfortable” or upset when chatting with an online contact they have never met in real life.
The problem may lie with the relationship between young people their parents, and technology, the British ISC2 internet safety foundation said, in a release coinciding with Get Safe Online Week. In a poll of 1,162 pupils, 15% said their parents never checked their online activities.
Thirty per cent said that they had never received information on how to use the internet safely, from any source.
Many also lied about their age on social networks. The poll, carried out across 15 schools in England, found that 32% said they were 2-6 years older than their actual age and one in ten claimed they were 5-9 years older. Additionally, 8% were using accounts which said they were aged between 18 and 25.
Among 9-11 year olds, 43% use the Internet daaily, while one in five use the internet after 10pm. One in eight admit to having been late to school, due to late-night computer use.
“Many school children know far more about the internet than their parents do,” said Tim Wilson, who carried out the survey for ISC2, according to the BBC.
“Youngsters actually participate in a lot of risky behaviours that I don’t believe the parents know about. Not because of any ill will on behalf of the parents, it’s just that the parents do not understand technology.”
 Wilson said, in a report by IB Times  “As a result, their perception of safety is skewed when spending time online. For parents, there is a strong call to action to ensure they are engaged in how their children use the Internet. Bringing the family computer into the living room and having open conversations about potential online dangers will help them play a more active role in the relationships children are increasingly starting online.”
The most popular activities online were video games (23%) social networks (18%) and watching videos (17%). The most popular game, even among under-12s, was Call of Duty Black Ops 2, according to IB Times.
ESET Senior Research Fellow David Harley says the key to ensuring children use technology in a healthy way is a “gentle, guided introduction,” saying, “While I don’t advocate giving babes in arms immediate and unrestricted access to the cyberfrontier, it’s worth trying to give children a gentle, guided introduction: encourage them to try things, ask questions, and engage in constructive dialog: “It says here that…. do you think that’s really true? Should you therefore teach your children paranoia? Of course not: there are already too many people terrified to use computers.”
An in-depth ESET guide to how to keep children safe online can be found here.

Millions at risk as guest information from hotel Wi-Fi provider “goes on sale” in China

A huge amount of private information harvested via hotel Wi-Fi networks is on sale in China – including phone numbers, dates of birth and addresses from hotel guests who logged in to networks in their rooms.
The leak potentially affects millions – anyone who logged in in any of 450,000 hotel rooms serviced by one company.
 “People rushed to check hotel bookings by celebrities and their family members,” says Patrick Boehler, a journalist for the South China Morning Post, who worked on the story, speaking to WeLiveSecurity.
Despite the closure of two sites offering the data, private data on guests is still on sale today, according to Boehler.
“Today it emerged that that other hackers have obtained the data and are offering the info on other sites which as of this morning were still running,” Boehler said.
The amount of data on offer could be “substantial”, the South China Morning Post’s report said – CNWisdom services 450,000 rooms across 4,500 hotels. To register, guests enter their phone numbers, ID card, address, date of birth and workplace.
CNWisdom issued a statement saying that it was not responsible for the leak, as data from hotels it did not service was also on sale.
 “The leak was first discovered by a consultancy company in Beijing,” says Boehler.  “The company that manages the WiFi services for these hotel chains denied the report and then nothing happened until this website, appeared last week.”
Soon afterwards, a seller on TaoBao, a Chinese e-shopping site began offering 8GB of data for 2,000 Yuan, according to the South China Morning Post’s report.
Both of those sites closed – but the data is still on sale.
Personal data theft is common in China – but the authorities are attempting to clamp down on those who sell it, with new data protection rules coming into force on 1 September this year, according to The Register.
Hotel Wi-Fi is often a privacy risk – and has even been used to distribute malware. In a detailed guide to how to get online safely while traveling, ESET Researcher Stephen Cobb says, “Consider using a 3G or 4G hotspot instead of hotel Internet or free public Wi-Fi hotspots. If you are logging into a work network, use a VPN, and do not visit banking or shopping sites.”

Is this how Indonesia topped the malicious traffic charts?

As was reported on We Live Security last week, Indonesia has recently emerged as a potential source of malicious traffic that could rival China, although it’s important to point out that “malicious traffic” does not necessarily equate to “attack”, as we shall see. It’s not every day that an infographic sends you down a rabbit-hole of fascinating facts and figures, but it’s decidedly a good day when you find one. Content delivery network provider Akamai recently released such a creature, along with its State of the Internet report for second quarter of 2013.
The part of the picture that spurred my quest was a figure stating that 38% of “malicious traffic” originated from Indonesia. Indonesia? Really? A country with less than a quarter of its population online is causing that much trouble? That could not possibly be right, could it?
My first thought was to look for some sort of loophole – maybe there is some popular service or URL shortener or something that is figuring into this malicious traffic? But the more I looked into the current status of Indonesia’s use of the Internet, the more sensible the statistic seemed.
But before we get into any of that, what does this malicious traffic entail? I talked with Senior Security Advocate Martin McKeay from Akamai about what they were seeing coming from Indonesia, and here is what he had to say:
“The attack traffic that Akamai reports on in the State of the Internet report is based on traffic received on servers sitting on unadvertised IP space. Since there is no legitimate reason for a system to be making a connection to those IP addresses, all traffic coming to them is considered to be malicious at some level.”
That is a pretty good clue that this could be traffic from automated scans, potentially by malware-infected machines. Reinforcing this assumption is input we received from our colleagues at ESET Indonesia who confirmed that Internet cafes, notorious for their infection rates, are still heavily used in Indonesia.
That’s a Whole Lot of People
When you are looking into statistics, usually the best place to start is to try and get some context. What does it mean that such a large percentage of unwanted traffic is coming from one country? To begin with, how many Indonesian people need to be on the Internet in order to be contributing to such a large number worldwide? The answer to that question is where this story started to get interesting.
It was clear right from the start that the biggest factor in the rise of attack traffic in Indonesia is likely the recent and astronomical growth in Internet usage over there. Indonesia is the world’s fourth most populous country, behind China, India, and the U.SA. With a difference between America and Indonesia of only about 65 million people, they are surprisingly comparable in terms of population numbers, but availability of the Internet is a much more recent phenomenon in Indonesia than in America.
In 2011, 15% of Indonesians (or 45 million people) were using the Internet. At the end of 2012, that figure was 10 million more. That’s an increase of over 800,000 users every month, which is roughly equivalent to the entire population of San Francisco joining the Internet every 30 days. Predictions are that there will be 80 million Indonesian users by the end of 2013. That’s nearly double the number of users who were on the Internet two years ago, and 25 million more than last year which means slightly more than 2 million a month. That’s a whole lot of brand new users!
But still, compared with the number of users from the US that is still pretty miniscule: Only 15% of Americans do not use the Internet. So, that means there are almost as many Americans who do not use the Internet as Indonesians that do in Indonesia. And I would be surprised if Americans had not surpassed 15% Internet usage by the beginning of this century. Which is to say, a lot of people in America have been using the Internet for more than a decade, compared to just a few years for many of the users in Indonesia.
Risk Factors
Okay, so a lot of people are just getting on the Internet in Indonesia. What difference does that make in terms of malicious traffic? There are a lot of factors that go into raising or lowering risk levels, some of which we can examine with existing data. From the available data, a few things clearly differentiated the situation there from other countries around the world.
There are three things that are very notable about how Indonesians interact with the Internet that could be having a significant effect on their risk level. The first is why people access the Internet; the second is how they access it; and the third involves what software they access it with.
Why people use the Internet can tell us a lot about how trusting they might be. Checking the Alexa lists of top websites in Indonesia versus the US, things don’t look very different, at least not in the top five: Google, Facebook, YouTube – no big surprises there. But as you look a little deeper, things get more interesting. As of 2013, Indonesia is #4 in terms of the largest number of Facebook users (down from #2 in 2011) and #1 on Twitter as of 2013. So, considering the small number of users on the Internet at all there, this means a massive percentage of people are using these global social networking sites. Perhaps this is leading to a greater degree of trust and a more communal feel to their interactions, or it’s a reflection of a higher degree of trust in the real world that’s being carried into cyberspace.
How users are connecting can significantly affect risk level as well: Almost half the population is connecting at an Internet café rather than from private computers, although that’s changing rapidly as more and more users are connecting to the Internet via mobile phone. Users are naturally much less able to protect a computer they do not own, and café owners may not see the value in investing in security, either. It will be interesting to see how the balance shifts over time. If the total number of users continues to grow, and the percentage of users connecting via café continues to shrink, will the overall number of computers in cafés grow more slowly, or perhaps even begin to shrink?
And last but certainly not least, what software people are using in Indonesia is notable as well: As of 2011, 86% of the population was using pirated software. Compare this to the global rate of 42%, and 19% in the United States and again we have a pretty significant difference from the rest of the world. Many software companies will not provide software updates to unregistered software, so the odds are very good that what people are using is very outdated and full of unpatched vulnerabilities.
Infection Statistics 
Surely, if there is that much infection happening, it is going to show up in lots of threat reports. This is what initially led to me scratching my head when I first saw the Akamai report, as I did not recall ever seeing Indonesia being mentioned so prominently.
After checking a few of the more popular reports from security vendors, I confirmed that there was very little mention of Indonesia in any of them. But the Microsoft threat report showed something a little different: threat detections in Indonesia are more than double the global average. They also found that those machines with pirated software have a 63% rate of infection.
Suddenly the lack of data started to become part of the picture: Vendor reports typically come primarily (if not entirely) from detection statistics within their customer base. If vendors are not seeing high detection rates in certain countries, it is likely because few users in those countries are using full-fledged security products. That will certainly raise risk levels! And if few users are customers, even if a huge percentage of those users are detecting malware, it might show up as a small drop in the ocean of malware reports depending on how things are counted.
You can see this in our own Virus Radar map of detection percentages by country as well; Indonesia has nowhere near the worst percentage, even within Southeast Asia. But it does have a significantly higher detection percentage than most of the rest of the countries in the world.
In a country where nearly nine out of ten users have pirated software and almost two-thirds of computers have malware it quickly becomes clear how a relatively small absolute number of users could generate such a significant amount of unwanted traffic. I am inclined to think that unless something in the current trajectory changes, the problem is likely to get significantly worse. Perhaps if more people become aware of this phenomenon, it can spur people to action, to bring change for the better.

Nymaim: Browsing for trouble

Win32/TrojanDownloader.Nymaim is a Trojan downloader that also exhibits ransomware features. It is associated with a long–running DarkLeech/Black Hole exploit kit (BHEK) campaign, dubbed the home campaign. Although reports of the recent arrest of Paunch, the BHEK author, might have put a momentary end to this group’s operations, it was active for several months and has infected numerous high profile websites. Recently, an independent researcher going by the name of Kafeine posted some statistics taken from the group’s BHEK panel and showed that there have been more than 2.8 million infections since the beginning of this campaign.
We have already discussed how a system gets infected with Win32/Nymaim and the numerous flow obfuscation techniques it uses in order to hinder analysis by researchers. In this blog post, we reveal a new infection vector, a study of the different international locker designs and ransom prices as well as a complete technical analysis of its communication protocol.

Infection Vectors

Win32/Nymaim compromises a computer in two steps, using two different executables. The first executable (referred to as“Win32/Nymaim first stage”) only downloads and run the second executable (referred to as“Win32/Nymaim second stage”). Win32/Nymaim second stage can download additional malware or lock the computer. ESET detects both stages as Win32/Nymaim because they contain a lot of common code, including the obfuscation techniques described in the first blog post.
When we first discovered Win32/Nymaim, we were aware of only one infection vector: drive-by downloads using BHEK. We now know that there is at least one other way this threat is delivered to unsuspecting internet users.

Black Hat SEO

Starting towards the end of September and lasting for a couple of days, a large proportion of our Win32/Nymaim detections were files downloaded from the internet using a web browser. Looking through our logs, we found that Google is the referrer URL for most of these detections. It seems that users come in contact with these malicious files while searching for downloadable content on the web. Our analysis of some of the webpages that initiate these malicious downloads reveals that Black Hat SEO is used to make them appear as high as possible in the search results when people search for popular keywords.
The malicious websites that sometimes appear in the search results are only doorway pages. As such, they are constantly changing, most probably because their page rank diminishes as quickly as it initially increased. The doorway pages we have studied were trying to achieve higher rankings by highjacking popular pages. Once a user clicks on one of these search results, he can initiate the download of an archive whose name closely matches the search query, without any other interaction. The doorway page simply redirects the visitors to another site. This destination site has not changed during the time of our research. The following screenshot offers a visual explanation of this process.
As seen in the screenshot above, when the user clicks on a search result, his browser is first redirected to a second site, which redirects to the malicious archive. The user does not see any webpage loading; all he observes is an archive being downloaded and a blank page with a Google URL.
This archive contains an executable file. Once launched, it installs the malware on the computer. Since the user is already looking for downloadable content, he is more likely to execute the malicious file. As indicated earlier, the archive and the embedded executable file display a name that is closely related to the search query. Thus the same file can be downloaded with several different names. Sifting through our logs, the different names that a single file can have is quite revealing:
The multiple names listed above are all for the same file. When searching for downloadable content, especially illegal downloads, it is common to notice questionable websites in the search results. What is unusual in this case is to witness a malware downloaded right away when clicking on a Google result.
We have seen several malware families distributed through the same infrastructure. The payload changes frequently and delivers the same content for all users for a limited amount of time. Currently, it is delivering fakeAVs (detected by ESET as Win32/AdWare.SecurityProtection.A), but we have seen Win32/Sirefef (also known as ZeroAccess) as well as Win32/Nymaim.

Designs and Ransom Prices

Through the course of our research, we were able to collect several different lockscreen designs throughout the world. Win32/Nymaim has customized designs for countries in Europe and North America. The following list is not exhaustive , given we investigated cases in different countries throughout the world, but not all of them. That being said, we were able to obtain lockscreen designs from the following countries:
  • Austria
  • Canada
  • France
  • Germany
  • Ireland
  • Mexico
  • Netherlands
  • Norway
  • Romania
  • Spain
  • United Kingdom
  • United States
For countries where designs are not available, Win32/Nymaim second stage is downloaded and can be used at a later time by the malware author to download additional malware.
Interestingly, the ransom price is different from one country to another. The following graph shows the asking price per country, converted into USD, at the time of design collection in September.
ransom graph
For most of the countries examined, the ransom price is around 150 USD. That said, we have observed that United States residents are in for a much steeper price at 300 USD. Romania’s case is also quite interesting from a ransom perspective. The lockscreen states that the infected user can pay either 300 leu (Romanian currency) or 100 euros. Once both prices are converted to USD, it appears that the infected user gets a much better deal if the Romanian currency is chosen. This inconsistency in the Romanian ransom price is shown in the screenshot below. This specific discrepancy has been present in past designs of other police ransomware, such as Win32/Urausy (detected by ESET as variants of the Win32/Lockscreen family), and provides a good example of design reuse among different cybercriminal groups. ESET continues to advise that such ransom should never be paid by users.

Network Protocol

When Win32/Nymaim first infects a computer, it reaches out to a set of predefined proxies using IP addresses hard-coded into its binary. These proxies are used to download the second stage for Win32/Nymaim as well as the locker HTML code and any additional malware. As indicated previously, these proxies change quite frequently and seem to be a layer of infected computers, which are used to hide the true C&C server. If none of the proxies are available, the binary also contains a hard-coded URL that will be used as a last resort.
All Nymaim network communications are encrypted using a salted RC4 key. The following image shows the structure of an encrypted TCP packet.
The salt’s length is obtained by masking the first byte of the encrypted message with 0x0F. The encrypted data is then decrypted by appending the salt to the following static RC4 key “*&^V8trcv67d[wf9798687RY”.
Once decrypted, the data has the following structure:
As stated earlier, Win32/Nymaim will either lock the computer screen or download additional malware and install it on the infected computer. A second layer of encryption is used in the latter case. This encryption consists of an RSA encrypted header and a custom encrypted body. The encryption scheme is described in the following figure.
  1. RSA decryption is made on the first 0x80 bytes (RSA key was constant for all samples we have analyzed).
  1. Header and encrypted body integrity validation is performed.
  1. Two keys are obtained from the header data to decrypt the message body. The following figure illustrates the decrypting process :
  1. Decrypted body integrity validation is performed.
  2. Finally, the decrypted body is decompressed using the aPLib algorithm.


Now that the main infection vector, BHEK, is no longer operational due to its author’s reported arrest, the future of Win32/Nymaim and its distribution will no doubt be interesting. It appears inevitable that due to the complexity of this malware, we will encounter its variations again in the near future.
Special thanks to Mathieu Lavoie for his contribution to this analysis.
SHA1 hashes
Sample distributed through Black Hat SEO: 81E6B189E944BF199D88C7DD006F01151FCC1ED8

Why Mac security product testing is harder than you think

1997 was something of a watershed for me: my first Virus Bulletin conference paper, and indeed my first presentation at an international conference. Not that many people were there to see it: it was, after all, about Macs, and even in the AV industry at that time people tended to underestimate the significance of malware on the Mac. And in fact, a great deal of the paper was about macro viruses, which rarely had Mac-specific payloads, but most of which spread perfectly happily on Macs that supported WordBasic. Making Mac users – who rarely used anti-virus – something of a Typhoid Mary in the corner of academia and medical research that I worked in at that time.
That 1997 paper on Macs and Macros – the State of the Macintosh Nation is only of historic interest now, of course: even I only have one Mac that still runs a pre-OS X version of the Operating System, and I can’t remember the last time I used it. As it happens, while Mac security has played a large part in my professional life since, my next 12 Virus Bulletin conference papers made little or no reference to Mac issues.
However, number 14, presented a couple of weeks ago at Virus Bulletin’s 23rd annual conference by myself and co-author Lysa Myers returns to two of my favourite hobbyhorses – Mac security, and security product testing. Lysa was working with Mac security specialists Intego at the time we wrote the paper, but is now a colleague at ESET, I’m delighted to say. Not only does she have a longer track record in the commercial anti-malware industry than I do, but she also has considerable experience in product testing with West Coast Labs. The paper Mac Hacking: the Way to Better Testing? is now available from the ESET Threat Center Conference Papers page by kind permission of Virus Bulletin.
So what’s the new paper about? Primarily, the difficulties that face testers when they test security products on recent versions of OS X, introduced by Apple’s own countermeasures against malware: especially XProtect.plist. While these measures do enhance end-user security, they make it harder to move away from the static testing model that mainstream Windows product testing has to a large extent evolved beyond. Here’s the abstract:
Anti-malware testing on the Windows platform remains highly controversial, even after almost two decades of regular and frequent testing using millions of malware samples. Macs have  fewer threats and there are fewer prior tests on which to base a testing methodology, so establishing sound mainstream testing is even trickier. But as both Macs and Mac malware  increase in prevalence, the importance of testing the software intended to supplement the internal security of OS X increases too.
What features and scenarios make Mac testing so much trickier? We look at the ways in which Apple’s intensive work on enhancing OS X security internally with internal detection of  known malware has actually driven testers back towards the style of static testing from which Windows testing has moved on. And in what ways might testing a Mac be easier? What can  a tester do to make testing more similar to real-world scenarios, and are there things that should reasonably be done that would make a test less realistic yet more fair and accurate?  This paper looks to examine the testing scenarios that are unique to Macs and OS X, and offers some possibilities for ways to create a test that is both relevant and fair.
There’s also an article for Infosecurity Magazine that summarizes the paper at some length: Mac Product Testing: After the (Flash) Flood.
Lysa and I will be returning to the topic in a series of blog articles here in the next few weeks, with the intention of clarifying the difficulties and suggesting ways in which Mac testing can be made fairer and more accurate, as well as the implications for other testing platforms.
Small Blue-Green World
ESET Senior Research Fellow

Fake Grand Theft Auto V tempts thousands of PC users to download “malware”

Grand Theft Auto V sold more than $1 billion worth of units in a week – no wonder cybercriminals are tempted to cash in.
Thousands of PC gamers have been tempted by a torrent file on piracy sites, entitled “GTA V Full PC Game + Crack”, according to PC World. One fact that should perhaps have triggered an “alarm” signal is that the game has not been released – or even announced – for PC.
The scammers even went to the lengths of making the file convincingly large – it’s 18GB – and it has been downloaded “thousands” of times, according to WCCFTech, which originally reported the scam.
“The setup file is a realistic 18 GB and has an actual setup.exe file, one that works. Basically a malicious replica of the original setup file this one does not give out any hint of malicious activity,” says WCCFTech. “Only after you get on the registration window do you hit a snag. From there on, a .txt file located claims to have a key on a page where the user is forced to do surveys.”
PC Gamer says it’s not clear what exactly the 18GB of data is, but it may well be malicious – or just junk that clogs up your PC.
“And what about the 18GB worth of files itself? That’s less clear,” the site writes. “ In a best-case scenario, it’s just junk data that clogged your pipes and chewed up your bandwidth cap. In a worst-case scenario—and a more likely one—it’s probably infested with malware and other nasty stuff.”
 Forbes points out that offering torrents of popular and unreleased games is a relatively common scam, with the as-yet-unreleased sci-fi game Titanfall already “available” on several sites.
Rockstar has yet to comment on the scam.
Pre-release films and games are often used as bait to lure victims to spam pages, data-harvesting “surveys” or malware sites. Earlier this year, streams of hit films were offered via document-sharing service SlideShare – including then-unreleased titles such as Man of Steel and World War Z. The sites, of course, attempted to harvest information instead – and offered no video streams at all.

Weaponized Antivirus: When Good Software Does Bad Things

Dennis Batchelder of Microsoft The Black Hat conference drew well over 7,000 attendees this summer, and 25,000 attended the RSA Conference in the spring. Attendance of the 8th International Conference on Malicious and Unwanted Software, by contrast, is measured in dozens, not thousands. It's aimed at bringing forward the latest scholarly research in security, in an atmosphere that allows direct and candid interaction between all attendees. This year's conference (Malware 2013 for short) launched with a keynote by Dennis Batchelder, director of Microsoft Malware Protection Center, pointing out the hard problems that face the antimalware industry.
During the presentation, I asked Mr. Batchelder if he had any thoughts on why Microsoft Security Essentials scores at or near the bottom in many independent tests, low enough that many of the labs now treat it just as a baseline to compare with other products. In the photo at the top of this article he's miming how the Microsoft antivirus team members do not feel about that question.
Batchelder explained that's how Microsoft wants it. It's fine for the security vendors to demonstrate what value they can add over what's built in. He also noted that Microsoft's data shows just 21 percent of Windows users unprotected, thanks to MSE and Windows Defender, down from over 40 percent. And of course any time Microsoft can raise that baseline, third-party vendors will necessarily have to match or exceed it.
The Bad Guys Aren't Running Away
Batchelder pointed out significant challenges in three major areas: problems for the industry as a whole, problems of scale, and problems for testing. Out of this fascinating talk, one point that really struck me was his description of the way crime syndicates can trick antivirus tools into doing dirty work for them.
Batchelder explained that the standard antivirus model assumes that the bad guys are running away and hiding. "We try to find them in better and better ways," he said. "The local client or the cloud says 'block it!' or we detect a threat and try remediation." But they're not running away anymore; they're attacking.
Antivirus vendors share samples and use telemetry from their installed base and reputation analysis to detect threats. Lately, though, this model doesn't always work. "What if you can't trust that data," asked Batchelder. "What if the bad guys are attacking your systems directly?"
He reported that Microsoft has detected "crafted files targeting our systems, crafted files that look like some other vendor's detection." Once one vendor picks it up as a known threat, they pass it along to others, which artificially escalates the value of the crafted file. "They find a hole, craft a sample, and cause problems. They can inject telemetry to falsify prevalence and age, too," noted Batchelder. 
Can't We All Just Work Together?
So, why would a crime syndicate bother feeding false information to antivirus companies? The purpose is to introduce a weak antivirus signature, one that will also match a valid file needed by a target operating system. If the attack is successful, one or more antivirus vendors will quarantine the innocent file on victim PCs, possibly disabling their host operating system.
This type of attack is insidious. By slipping fake detections into the datastream shared by antivirus vendors, the criminals can damage systems that they've never laid eyes (or hands) on. As a side benefit, doing so may slow sharing of samples between vendors. If you can't assume a detection passed by another vendor is valid, you'll have to spend time re-checking it with your own researchers.
Big, New Problem
Batchelder reports that they're getting about 10,000 of these "poisoned" files per month through sample sharing. About a tenth of one percent of their own telemetry (from users of Microsoft's antivirus products) consists of such files, and that's a lot.
This one's new to me, but it's not surprising. Malware crime syndicates have tons of resources, and they can devote some of those resources to subverting detection by their enemies. I'll be quizzing other vendors about this type of "weaponized antivirus" as I get the opportunity.

Cybercriminals release new commercially available Android/BlackBerry supporting mobile malware bot

Thanks to the growing adoption of mobile banking, in combination with the utilization of mobile devices to conduct financial transactions, opportunistic cybercriminals are quickly capitalizing on this emerging market segment.  Made evident by the release of Android/BlackBerry compatible mobile malware bots. This site is empowering potential cybercriminals with the necessary ‘know-how’ when it comes to ‘cashing out’ compromised accounts of E-banking victims who have opted-in to receive SMS notifications/phone verification, whenever a particular set of financial events take place on their bank accounts.
A new commercially available Android, BlackBerry (work in progress) — supporting mobile malware bot is being pitched by its vendor, with a specific emphasis on its potential to undermine modern E-banking security processes, like for instance, SMS alerts. Let’s discuss some of its core features and emphasize on an emerging trend within the cybercrime ecosystem, namely the ‘infiltration’ of Google Play as a service.

Sample screenshots from the mobile malware bot’s manual+the actual administration panel:
Android_BlackBerry_Malware_Bot Android_BlackBerry_Malware_Bot_01 Android_BlackBerry_Malware_Bot_02 Android_BlackBerry_Malware_Bot_03
Android_BlackBerry_Malware_Bot_04 Priced at $4,000, the bot’s features can be used to undermine two factor authentication/SMS alerts protection features offered by a financial institution, as well as result in a direct privacy violations once the integrity and confidentiality of the mobile device has been compromised.
Some of the bot’s core features include:
  • hijack incoming SMS messages and silently forwarding them to any given number in real-time
  • hijacking of any incoming calls and silently forwarding them to any given number in real-time
  • complete access to the SMS messages on the affected device
  • complete access to the Call History of an affected device
  • complete access to the Contacts found on an affected device
  • audio recording using the device’s microphone, the uploading the file to a server
  • sending an SMS on behalf of the infected device’s owner
  • call any number of behalf of the infected device’s owner
  • control the infected mobile device through an Internet connection, or through SMS messages in cases where no Internet connection is available
  • get the phone number, as well as the ICCID, IMEI, IMSI, Model and OS of the infected device
Based on requests from potential customers, the interface can be localized to their “favorite language”. What’s also worth emphasizing on regarding this particular commercially available mobile malware bot, is that, the vendor is also offering the option to have your malware variant directly made available to the millions of Google Play users. How does this take place to begin with? In a pretty simple way, taking into consideration the fact that cybercriminals continue to actively data mine their botnet’s ‘infected population’ in an attempt to monetize the outcome of their campaigns. Through the acquisition of compromised Google Play accounts, cybercriminals are perfectly positioned to abuse this access to a legitimate/verified developer’s account, for fraudulent and malicious purposes.
We’ll continue monitoring the development of this mobile malware bot, and post updates as soon as its vendor introduces any features that could continue adapting to current/emerging anti mobile banking fraud processes.

Fake ‘Important: Company Reports’ themed emails lead to malware

A currently ongoing malicious spam campaign is attempting to trick users into thinking that they’ve received a legitimate Excel ‘Company Reports’ themed file. In reality through, once socially engineered users execute the malicious attachment on their PCs, it automatically opens a backdoor allowing the cybercriminals behind the campaign to gain complete access to their host, potentially abusing it a variety of fraudulent ways.

Sample screenshots of the spamvertised email:
Fake_Malicious_Rogue_Email_Spam_Spamvertised_Malware_Malicious_Software_Social_Engineering_Botnet_Company_Reports Detection rate for the spamvertised attachment: MD5: 5138b3b410a1da4cbc3fcc2d9c223584 – detected by 23 out of 48 antivirus scanners as Trojan.Win32.Agent.aclil; TSPY_ZBOT.EH
Once executed, the sample starts listening on ports 3188 and 4964.
It then creates the following Mutexes:
And drops the following MD5s on the affected hosts:
MD5: 9319669e8561f184e9377153f763437c
MD5: 396eba6eaf5452072c2d09c1b74bee1e
MD5: adb551e9081900756f8794fef5e4794b
The sample then phones back to – on port 443, as well as to the following C&C servers:
Known to have been downloaded from the same IP ( are also the following malicious MD5s:
MD5: 623a3730c773871779b4d768e58904d7
MD5: f71d67cb677f567990992225446a07a3
The following MD5s are known to have phoned back to the same IP (
MD5: 0495c0ed5b53572fd271ba6ad1e3bdbe
MD5: 618381de2f1b41a0e82d0da777eb5f26
Sample malicious MD5s known to have phoned back to the same C&C servers over the last couple of days:
MD5: 1126e4ae1bae2f990e4e80b95d57e45a
MD5: 987416580af8cfe843ae5d9c744180ce
MD5: 63ff58a510b547ec7c10fa3e18a2008d
MD5: a06763422cb2b6dc272229acba4307e7
MD5: 16753b7a3923f10e7081cdb3a36c5d5c
MD5: 0495c0ed5b53572fd271ba6ad1e3bdbe
MD5: c732289e0f768b487d38ab4127f2dbf0
MD5: cd0348cf90a042975f1ad301aa477af3
MD5: bb7bd0541c877c87213803f1fb28ef6e
MD5: 1126e4ae1bae2f990e4e80b95d57e45a
MD5: c77788267424555791887ac7e32563c3
MD5: a06763422cb2b6dc272229acba4307e7
MD5: bce63fbf16883ad18c0af1f40f9d2ce7
MD5: 37d8633566787c6bed74e782e92a699a
MD5: 773d52d6fdc3d0345a35d40294641242
MD5: 10f11e6959f75dfb48e610d9209614d6
MD5: e007ba6d9fbe53bfac99f15111fa4da5
MD5: cd6ff96ecde6806f41e9336437f97c3c

Rogue ads lead to the ‘EzDownloaderpro’ PUA (Potentially Unwanted Application)

"We’ve just intercepted yet another rogue ad campaign, attempting to trick users into installing the EzDownloaderpro PUA (Potentially Unwanted Application). Primarily relying on catchy “Play Now, Download Now” banners, the visual social engineering tactic of this campaign is similar to other PUA related campaigns we’ve previously profiled. Let’s take a look at this new rogue ad campaign, and provide relevant threat intelligence on the infrastructure behind it." Webroot

Sample screenshot of the landing page:
EzDownloadpro_PUA_Potentially_Unwanted_Application_Rogue_Ad_Privacy Landing URL: –
Domain name reconnaissance of the redirectors: –; –;
Known to have responded to the same IP (, are also the following domains:
Known to have responsded to ( are also the following domains:
Malicious MD5s known to have been downloaded from the same IP (
MD5: fd4195ef1af7fb49a673633ed57b87ab
MD5: c0d9713acfc46c2a466a9de77292636d
MD5: d3119ed48cb5896d41aeae4b51f2667a
MD5: c6799f5425fbe038778c4c4a22b35a41
MD5: 840fa1e6c0f81f6da1a347ecb3b2db2e
MD5: c27d4537d24aa55df9837479da2ae111
MD5: c77fc69c7b96c53ce762b87c98831327
MD5: dce1c89d7a267b2a4ae925b5a387e5cd
MD5: a868964e1fe66e4a7638f46ba7844b52
MD5: 2acc54f86694e8d7674e8e1afff86aa1
MD5: 5f078de83a9ce3ee2d9d2fe174cd234c
MD5: 0426e6c1fe2aa8681c683428bb3d2dd7
MD5: efcd92d3be23e624bca2db8515f0df20
MD5: 30ac6dd3290ab3c9281e81c2cba2097e
MD5: 9b35dcacd42e6ba1c596a8bc0425d646
Known to have responded to the same IP ( are also the following domains:
The following MD5 is also known to have been downloaded from the same IP (
MD5: bc44e23e46fa4c3e73413c130d4f2018
Detection rate for the sample ‘pushed’ by the rogue Download page: MD5: e8c9c2db3514f375f74b60cb9dfcd4ef - detected by 12 out of 47 antivirus scanners as PUP.Optional.InstalleRex; Installerex/WebPick (fs)
Once executed, the sample phones back to: – – –
Known to have responded to the same IP ( are also the following domains:
The following MD5s are also known to have phoned back to the same IP ( over the past 24 hours
MD5: df0961738c4f5848673f2c73fe9c7e4f
MD5: 69b6c2491627d41e6e2291eafd4b4942
MD5: 03c068aef9d8e9902c32f57142460402
MD5: 530a72084a90b2d97ee7eb6e5893cb1c
MD5: dc367e6991b56f1470b742b94854997d
MD5: cb86d60a248dd0d61d07840513a92b76
MD5: cacd889e777031adbdebd4f9a04fedb8
MD5: 2529463456de5e69d315842a322c4342
MD5: 7108933a95f91e2b0c094c259e4fbdbd
MD5: f35bf9fb0a6eaa3b256e9454f334719a
MD5: 330c40c3bf6b55f8cd425d03e2b4f157
MD5: c8a835831bb9ae1c5f7b335af6adf4f7
MD5: 12cab1cc907765bf141233608fa1ded7
MD5: 4dad0b23f4e7a133aa867df9d6adf3dd
Detection rate for the original EzDownloadpro executable: MD5: 292b53b745e3fc4af79924a3c11fcff0 – detected by 5 out of 48 antivirus scanners as Win32:InstalleRex-U [PUP]; MalSign.Skodna.Pick; PUP.Optional.EZDownloader.A
Sample screenshot of EzDownloadpro’s official Web site:
EzDownloadpro_PUA_Potentially_Unwanted_Application_Rogue_Ad_Privacy_01 Unique PUA MD5s served based on multiple requests to the same URL (
MD5: 0e570830dc3b1b8bad9689ed6a310654
MD5: d4bfbf9f28c81386bfb4b68b8f9b76f1
MD5: 3bb72e9c5eefce176ef6dddea858ef82
MD5: 7985860dc060792ba77e06f312739b79
MD5: 4b829aa6df0904bc0aba7652a73ec71c
MD5: 335bca4c2c3f4c980b4c485be4e13a00
MD5: c400bf0affbb376298fb93e5b8aacf59
MD5: 9244841ab24c8769438f22c0b5c2c053
MD5: 9ae15b4efd424fb7640e9066d0abfe1a
MD5: 20d83dd867bedf1f03ccdc0b5b8d720f

Fake ‘Scanned Image from a Xerox WorkCentre’ themed emails lead to malware

"We’ve intercepted a currently circulating malicious spam campaign, tricking users into thinking that they’ve received a scanned document sent from a Xerox WorkCentre Pro device. In reality, once users execute the malicious attachment, the cybercriminal(s) behind the campaign gain complete control over the now infected host." Webroot

Sample screenshots of the spamvertised malicious email:
Email_Spam_Malicious_Fake_Social_Engineering_Malware_Malicious_Software_Xerox_WorkCentre_Pro Detection rate for the malicious attachment: MD5: 1a339ecfac8d2446e2f9c7e7ff639c56 – detected by 17 out of 48 antivirus scanners as TROJ_UPATRE.AX; Heuristic.LooksLike.Win32.SuspiciousPE.J!89.
Once executed, the sample starts listening on ports 2544 and 7718.
It then creates the following Mutexes on the affected hosts:
Drops the following MD5s:
MD5: 1a339ecfac8d2446e2f9c7e7ff639c56
MD5: 17c78eb30d31161e9aed1ea25889e423
MD5: 09bbe8cd0cfe7770a62faa68723c8804
MD5: d1a55715c1360daab7882bf45e820b31
And phones back to: –
The following malicious domains are also currently responding to the same IP:
And the following malicious domains are known to have responded to the same IP:

Hackers found using Java malware on coding site after Google warning

Online Piracy
Hackers have been found exploiting a flaw in Java to serve malware to unsuspecting web users on the open source server coding site
The issue came to light after visitors to the site started receiving notifications from Google's safe browsing service that malware was on the site. This alerted the team who investigated the cause of the warnings.
They discovered that every so often a file within the servers used for the website was modified to serve malware to a user, before it reverted back to its original form. This made it especially hard to discover the issue, and it was only found thanks to Google's scanning system.
Work is now beginning to try and discover how the hackers managed to infect the systems used to run the website.
"We are continuing to work through the repercussions of the malware issue. As part of this, the systems team has audited every server operated by, and have found that two servers were compromised," it said in a post on the website.
"The server which hosted the, and domains, and was previously suspected based on the JavaScript malware, and the server hosting The method by which these servers were compromised is unknown at this time."
Users of the site will also be asked to reset their passwords although the firm said this is only a precautionary measure for those with projects hosted within the services affected.
The website said it is also acquiring a new SSL certificate in case the attackers had acquired private keys for the site's security systems.
"We are in the process of getting a new certificate, and expect to restore access to sites that require SSL (including and in the next few hours," it said.
The use of Java for the attack is not surprising as the software has been blamed for numerous incidents throughout 2013 and was recently the subject of a huge patch update from Oracle.

US tapped phones of 35 world leaders as spy drama grows

The US has been accused of tapping the phones of 35 world leaders following significant developments in the long-running PRISM scandal.
After accusations earlier in the week by the German government the NSA had monitored German chancellor Angela Merkel's mobile, it has now emerged the policy of tapping the phones of US allies was commonplace.
The allegations, published in the Guardian, seem to show US officials were encouraged to hand over their contact lists to fuel the NSA's espionage efforts. In one example, an unnamed official passed on more than 200 phone numbers including those of 35 as yet unidentified world leaders.
The Guardian's source was a 2006 memo issued to staff in the NSA's Signals' Intelligence Directorate, which said while most of the 200 numbers handed over were publicly available, 43 were "previously unknown" and would be "tasked". Despite their efforts, the memo admits phone tapping offered "little reportable intelligence".
White House press secretary Jay Carney told reporters: "The revelations have clearly caused tension in our relationships with some countries, and we are dealing with that through diplomatic channels," the Guardian said.
"These are very important relations both economically and for our security, and we will work to maintain the closest possible ties."
Both the French and German governments have urged the White House to make amends to ensure diplomatic relationships are not further damaged. Chancellor Merkel said: "Spying among friends: that cannot be. It's become clear that, for the future, something must change – and significantly."
French president François Hollande added: "What is at stake is preserving our relations with the United States. They should not be changed because of what has happened. But trust has to be restored and reinforced."
US spy agencies had already damaged its relations with the European Union, with reports earlier this year that it had monitored EU offices and tapped staff members' telephones.

DARPA Contest for Fully Automated Network Defense

What if computers had a "check engine" light that could indicate new, novel security problems? What if computers could go one step further and heal security problems before they happen?
To find out, the Defense Advanced Research Projects Agency (DARPA) intends to hold the Cyber Grand Challenge (CGC) -- the first-ever tournament for fully automatic network defense systems. DARPA envisions teams creating automated systems that would compete against each other to evaluate software, test for vulnerabilities, generate security patches and apply them to protected computers on a network. To succeed, competitors must bridge the expert gap between security software and cutting-edge program analysis research. The winning team would receive a cash prize of $2 million.

The Threat of Cybersquatters

Imagine if in the early days of the Internet boom someone other than Bruce Springsteen himself had purchased the domain Now imagine that that person used the website to use Bruce Springsteen’s name and image in some way to make money. You actually don’t have to imagine any of that because it really happened. The person who bought that domain was accused of cybersquatting — but successfully defended their case in court, which is presumably why the official Bruce Springsteen website is
But that’s the gist of cyberquatting: Snapping up a domain before another person or company does in the interest of leveraging it for profit.
Cybersquatters are, in short, the people who got there first on a given domain name and, by buying it, hold its title. But what separates a cybersquatter from an innocuous domain owner is that they have no intention of using the domain for legitimate purposes.
What separates a cybersquatter from an innocuous domain owner is that they have no intention of using the domain for legitimate purposes.
There are essentially two categories of cybersquatters. First, there are those who buy domains to essentially hold them for ransom, hoping that more legitimate prospective owners will buy be forced to buy them. The pressure to buy such sites can increase if they are used in ways that will embarrass the legitimate owner. Two years ago the governing body of Internet domains released a new field of domains, including .xxx. This promptly set off a flood of cybersquatting and a corresponding wave of legitimate purchases in an attempt to head them off in an effort to avoid what happened to the University of Colorado, which was left red faced when became a porn site, prompting lots of other major universities to buy up .xxx domains that could remotely be affiliated with their names to avoid similar fates.
The other kind of cybersquatting revolves around profiting directly from another’s identity by using the names or images of corporations or well-known individuals to essentially mislead consumers into giving them money. Eminem one a landmark suit against a company selling ringtones through nearly a decade ago, and Gucci recently won a $144.2 million suit against a group of similar sites that was selling counterfeit merchandise.
The trouble with cybersquatting is that there is a gray area between the legal and illegal, as seen with Bruce Springsteen. In that case it was determined that the owner of the site wasn’t trying to profit off of Springsteen’s name or image, which played a big hand in the determination of that case.
For obvious reasons cybersquatting is a bigger threat to corporations than individual users. But those corporations also have a leg up in winning disputes, which are handled by the Internet Corporation for Assigned Names and Numbers, because of their trademark rights. Individuals who own their own companies or have their own personal websites should make sure they own any domains affiliated with their names or ones that they may wish to use in the future, and they should also be diligent about renewing those domains before they expire, lest they fall into the wrong hands.