Friday, 20 December 2013

What To Expect After the Target Card Data Breach

If you braved the crowds and went shopping at Target on Black Friday this year, or bought something from the retailer in the weeks since, you need to check your credit card statements. You may be among the 40 million customers affected by what may turn out to be the largest financial breach of 2013.
Unfortunately, beyond being careful and frequently checking your banking and credit card statements for suspicious transactions, there really is not much consumers can do. The vigilance needs to last beyond this month and January, though, as the impact of this theft will be felt for months, if not years, experts warned. There may also be phone and email-based scams on the way taking advantage of the breach.
Did You Get a Deal?
Shoppers who took advantage of Target's Black Friday specials and other holiday deals in the physical stores from Nov. 27 to Dec. 15 were affected. Thieves obtained customer names, credit or debit card numbers, card expiration dates, and the three-digit CVV security codes printed on the cards, according to the retailer. Customers who shopped at Target's online store don't appear to have been impacted by the breach.
Security writer Brian Krebs first reported the breach on Wednesday, and Target released a statement on Thursday confirming the theft. Target hasn't provided much information about the breach, beyond stating the problem has been fixed and it is still in the middle of its forensic investigation. Experts said these investigations can take months.
"We can't say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized," an anti-fraud analyst told Krebs.
Impact on Customers
Target is asking customers to check their card statements for fraudulent activity and to report all suspicious transactions. Remember, this breach impacts all credit and debit cards that may have been used at the physical stores during this time period, not just Target cards.
Beyond that, there is really not much customers can do about this breach other than canceling the card and getting a new one, said Wolfgang Kandek, CTO of Qualys, who shopped at Target during the time period and is one of the millions affected. Instead of getting a replacement card, which would be "a hassle," Kandek is keeping an eye on all the transactions hitting his credit card by frequently logging into his credit card account online, he said.
Kandek, like many of the other customers, has to trust the fraud detection algorithms that the credit card companies use, and hope that the companies will honor their promise to reverse any unknown charges. "There is not much a customer can do in such a situation," Kandek said.
Customer Vigilance Needed
If customers aren't going to cancel their cards, it's critical that they keep monitoring their accounts and keep a close eye on transactions. Thieves may sit on card details for a while and wait for the customers to stop being so vigilant.
"Not finding any indications of third party activity doesn't necessarily mean you're in the clear," said Lee Weiner, senior vice-president of products and engineering at Rapid7.
The fraudulent transactions may also appear for months, if not years. The thieves may be planning to sell the details instead of using them directly, which means a lot of different buyers will be using these numbers at different times. Criminals can also use the information to create physical credit or debit card clones. These counterfeit cards can be used anywhere cards are accepted until the card's expiration date.
"The potential for widespread online ordering fraud which can be particularly nasty considering we're in the midst of the holiday season," said James Lyne, global head of security research at Sophos.
Just because your card was included in the breach doesn't necessarily mean criminals will exploit your information. The number has to be sold or actually used. In many cases, cyber-criminals look at how much the shoppers spent to know who has the most liquid assets, said Grayson Milbourne, security intelligence director at Webroot. This breach should be a "huge wake-up call for consumers to understand they need to take their personal security more seriously," he said.
Piggyback Attacks
Cyber-criminals frequently launch "piggyback" attacks after a breach to take advantage of people confused and worried about the security of their information. Attackers can impersonate the card issuing company over the phone or via email and claim there may be a problem because of the Target breach. These scammers can ask users for their banking information or online credentials. Users may be asked to visit a malicious link.
"If you receive any communication around the incident, treat it with caution," warned Weiner. Instead of sharing information on the phone or email, call the card issuing company directly using the number on the back of your card, or go directly to the bank's Website, Weiner recommends.
What's Next?
Monitoring all the financial transactions can be challenging, and you may not be sure if you are missing anything. A monitoring service such as the one provided by LifeLock can help keep track of your accounts. A credit freeze placed with the credit bureaus stops new accounts from being opened in your name, but it does nothing to block charges on a card number the thieves already hold, so it is no substitute for checking the statements of the cards that were exposed.
Considering the increase in financial-based malware and attacks, Target's data breach is not isolated. You need to be vigilant and protect your financial details as best as you can.
On the other hand, if you find yourself dealing with a lot of fraudulent transactions appearing on your card because the criminals are using your data, it might be less of a hassle to just cancel that card and start over.

Phone Companies Got Millions For Selling Your Information To Police

Earlier this year, Massachusetts Senator Edward Markey asked the American telecom providers to answer a series of questions about the information they provide to law enforcement. These requests cover everything from wiretaps to controversial "cell-tower dumps." What may surprise you is that the telecoms often charge investigators fees for that information, fees which added up to at least $26,594,000 in 2012. But what that number really means is more complicated.
Wait—How Much?
That's a rough estimate, taken from the documents published by Senator Markey. Here's the breakdown for number of information requests and fees collected in 2012:
AT&T: 297,500 requests, and $10,298,000
Verizon: 270,000 requests, and "Less than $5 million"
T-Mobile: 297,350 requests, and $11,000,000
Cricket: 59,000 requests, but did not disclose the money earned
C Spire: 2,350 requests, and "less than $55,000"
US Cellular: "Over 20,588 requests," and $241,000
Sprint declined to reveal the requested information publicly, saying it preferred to discuss the issue face to face. With that in mind, $26,594,000 is a low estimate.
What Kind of Information?
For the most part, this is the kind of data collection we like. We want the cops to catch the bad guys, to tap the bad guy's phone to catch more bad guys, and so on. Though most of the major telecoms are cooperating with the NSA's mass surveillance programs, those seem to fall squarely outside these figures.
But there's a dark side to these figures. For instance, they include the "cell tower dumps," where law enforcement defines a period of time and the telecoms provide a list of every number that connected to that tower in a given period. While certainly smaller than the NSA's programs, it is still massive. Cricket, one of the smallest companies, reported that their cell tower dumps are limited to two hours, but that they observe about 175 calls per hour. Scale that up many times over for Verizon or AT&T.
Geolocation information is also part of the requests processed by the telecoms. AT&T, for instance, said it fielded 77,800 geolocation requests in 2012. Of these, 31,000 were historical and 46,800 were provided in real-time. But at a glance, pen registers (that is, recordings of what numbers were called by a particular line) and associated observations tend to make up the bulk of requests.
Worse yet, as we reported earlier, these cell tower dumps and other observations are sometimes authorized without a warrant. That means that there's no judge or authority beyond the requesting law enforcement agency observing the requests.
Interestingly, Senator Markey asked whether the telecoms were aware of law enforcement agencies using their own tracking equipment, such as "Stingray" phone trackers. All of the telecoms but one, C Spire, denied such knowledge. "C Spire is aware that several federal law enforcement agencies and at least one municipal police department have access to their own tracking equipment," the company wrote.
What Does It Mean?
In their responses, each of the telecoms used careful wording to explain that they are authorized to collect fees from law enforcement in order to offset the cost of aiding investigations. Many also point out that they frequently do not charge law enforcement.
Many of the telecoms assert, and they are almost certainly correct, that they do not actually make money from handing over information. "AT&T's charges are intended to recoup at least a portion of our costs incurred in providing these [required] responses, and we believe we fall short of our actual costs," wrote AT&T. "For example, the scope of providing CALEA compliance alone is so broad and touches so many different areas within our company that capturing actual costs is virtually impossible." Ah, our old friend CALEA.
It's possible that the telecoms are releasing this information (sometimes highly detailed information) because they want to play ball with the powers that be. AT&T, Verizon, and their ilk have a lot at stake with a forthcoming spectrum auction and threats to break apart monopolistic phone companies.
It's also possible that the telecoms are perfectly happy to release this information because they don't want to be collecting it in the first place. AT&T says that it employs "100 full time workers" 24 hours a day, seven days a week to comply with requests, and that it rejected 1,300 requests last year. Cricket employs a third-party agency to handle all of its requests. No doubt these companies would prefer not to be burdened with sifting through information requests and determining which are legal and which are improper.
But all that aside, one thing is certain: a lot of data, and a lot of money, is changing hands.

Outbidding the Crooks: One Way to End Exploits

When a burglar throws a brick through a jeweler's window and makes off with the stock, his gains are substantially less than the jeweler's losses. The thief will have to fence the items below their actual value, since they're "hot." The jeweler has not only lost the value of the merchandise, he has to pay for a new window. By the same token, a cyber-crook who steals a million credit card numbers might sell them for a few thousand bucks; notifying a million customers and setting them up with new cards will cost the card issuer vastly more.
This disparity sparked an idea for Stefan Frei, Research Vice President at NSS Labs. Most cyber-attacks crack the victim company's security by exploiting some type of vulnerability in the operating system or other software. What if we could take that tool away from the crooks? In a detailed research paper, Frei and fellow analyst Francisco Artes spell out the bold idea of creating an International Vulnerability Purchase Program (IVPP) that would pay more for vulnerabilities than the crooks can afford.
Running the Numbers
Different pundits offer different estimates of financial losses worldwide due to cybercrime, but they range between tens of billions and hundreds of billions. Frei ran the numbers on vulnerabilities published in 2012 and found that the cost to purchase each for $150,000 would have been vastly lower than the amount of financial damage they caused.
First, let's look at the highest cost and the lowest return. Suppose the IVPP paid $150,000 for every vulnerability regardless of severity or prevalence of the software involved and thereby avoided $10 billion in financial losses. The cost of purchase is just under 8 percent of the losses in this worst-case scenario.
However, fully one third of exploited vulnerabilities were found in programs by the top ten vendors. Paying only for those, and accepting an estimate of $100 billion for losses, the cost goes down to 0.3 percent of the lost value. A graduated scale of payment based on severity would reduce costs further. As a comparison, the report notes that retail companies in the US expect to lose 1.5 to 2.0 percent of annual sales to pilferage or "inventory shrinkage."
The report also found that the cost of buying all vulnerabilities in 2012 would have been about 0.005 percent of the U.S. GDP or the European Union's GDP, and under 0.3 percent of total revenue for the software industry.
Security Holes Are Here to Stay
Part of the paper reviews the current situation as regards software vulnerabilities. Simply put, even if it were possible to write flaw-free software, it wouldn't be profitable. The big cost of a data breach falls on the company that was breached, not on the purveyor of the flawed software. In business terms, that cost is a "negative externality" for the software vendor, and "profit-driven businesses do not invest in eliminating negative externalities."
Conceivably users could force the issue by refusing to purchase software from vendors of software containing security holes. In practice, though, vulnerabilities are the norm. We all expect them, and they're not going away. The report notes that "there is no legal liability for the quality of software, and this is unlikely to change anytime soon."
The researcher who discovers a new security hole can quietly submit it to the vendor, announce it publicly, or sell it to the highest bidder. An earlier NSS Labs study reported a thriving resale business for black market exploits. The report notes that things would be a lot worse but for the fact that many security researchers altruistically refrain from selling to black marketers.
Crooks Can't Compete
In a supply-and-demand world, you might think that the crooks would just compete with the good guys, bidding more for brand-new vulnerabilities. The report points out that the same disparity between small gain for the crooks and big loss for the victims means that the crooks simply can't compete. They can't offer more than their maximum anticipated revenue, while an IVPP could pay much more to avoid colossal losses.
In fact, the substantial reward for newly-found security holes would likely lead to more discoveries. A researcher whose only potential reward is a pat on the back, T-Shirt, or a few hundred dollars just isn't as motivated. When grabbing the brass ring gets you $150,000, that's a different story.
Big Plans
The full report offers a detailed proposal for just how an International Vulnerability Purchase Program would work. It covers everything from who would pay, to how reporting would happen, to the full organizational structure, and more.
Will it happen? That remains to be seen. But this very thoroughly thought-out report convinces me that it really could work.

Qadars – a banking Trojan with the Netherlands in its sights


A new banking Trojan has been making its rounds in the past few months. First publicly discussed by LEXSI, this banking Trojan has been very active, infecting users throughout the world. Its modus operandi is banking fraud through web injection. While this approach has been used by banking Trojan families for a long time, it is still effective. Win32/Qadars uses a wide variety of webinjects, some with Android mobile components, to bypass online banking security and gain access to users’ bank accounts. Usually, banking Trojans either target a broad array of financial institutions or focus on a much smaller subset, typically institutions whose user base is geographically concentrated. Win32/Qadars falls in the second category: it pinpoints users in specific regions and uses webinject configuration files tailored to the banks most commonly used by the victims. As we have been monitoring its evolution, we have seen six main countries affected by Win32/Qadars:
  • Netherlands
  • France
  • Canada
  • India
  • Australia
  • Italy
While most of the attacks directed at users in these countries were launched in waves, users in the Netherlands were targeted throughout the monitoring period. This threat caught our attention because:
  • It is still very active after six months and is continuously updated
  • It targets very specific regions of the world
  • It uses a wide range of webinjects, some of which were also used by another banking Trojan family in a completely unrelated campaign
  • It uses Android/Perkele to bypass mobile based two-factor authentication systems

Historical Perspective

The first sign we saw of this malware was in mid-May 2013. The following graph shows the daily detection for Win32/Qadars.
Figure 1 : Win32/Qadars Daily Detections
Although the first detections occurred in May, the first true wave of infections occurred in late June. Interestingly, the authors seem to have been through a testing phase since the next detection spike was seen weeks later with barely any detections in between. Also, Italian users were mainly targeted in the first wave while the subsequent campaign mainly targeted Dutch users. We believe that this kit is either kept private or being sold only to selected people. We have seen a handful of different campaigns, but most of the infections we’ve analyzed are from the same campaign and thus share the same command and control (C&C) servers.
We can track the evolution of the malware through the build number that is embedded in the executable. The first version we saw was and the latest one is The steady release of new versions indicates that this malware is in constant maintenance and development. The following graph shows the date each version was first seen in our telemetry data.
Figure 2 : Build Number Evolution Throughout the Monitoring Period

Technical Analysis

Win32/Qadars uses a Man-in-the-Browser (MitB) scheme to perform financial fraud. Just like Win32/Spy.Zbot, Win32/Qadars injects itself into browser processes to hook selected APIs. Using these hooks, it is able to inject content into pages viewed by the user at a point where the browser has already decrypted the page, so HTTPS offers no protection against it. This injected content can be anything, but is usually a form intended to harvest user credentials or JavaScript designed to attempt automatic money transfers without the user’s knowledge or consent. Webinject configuration files are downloaded from the C&C server and contain the URL pattern of the targeted web page, the content that should be injected, and the location in the page where it should be injected. This configuration file format is very similar to that of the other banking Trojans out there. Once downloaded, the configuration is kept AES-encrypted in the Windows registry. Currently, Win32/Qadars can hook two browsers to perform content injection: Firefox and Internet Explorer. There is a stub for Chrome in the code, so we might see support for this browser in the future.
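To make the injection mechanism concrete, here is an added example, written for this page rather than taken from Qadars or from ESET’s tooling, that parses a webinject configuration in the Zeus-style set_url / data_before / data_inject / data_after syntax and applies it to a constructed bank login page. The page only says that Qadars’ format is very similar to other banking Trojans’; its exact syntax is not shown here, so the layout, host names and payloads below are assumptions. The first entry is a credential-harvesting inject of the kind shown later in Figure 7 (an extra “Card PIN” field); the second, for an unrelated host, shows that entries are selected by URL pattern.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample in the Zeus-style webinject syntax. Assumption: the page
# describes Qadars' config format only as "very similar" to other banking
# Trojans'; the real syntax is not shown there. Hosts and payloads are made up.
SAMPLE_CONFIG = """\
set_url https://online.example-bank.test/login* GP
data_before
name="pass"*>
data_end
data_inject
<label>Card PIN</label><input type="text" name="atm_pin">
data_end
data_after
data_end

set_url https://www.other-bank.test/* G
data_before
<head>
data_end
data_inject
<script src="https://cdn.example.test/ats.js"></script>
data_end
data_after
data_end
"""

# Constructed login page standing in for what the browser fetched from the bank.
SAMPLE_PAGE = """\
<form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="pass" maxlength="8">
<input type="submit" value="Log in">
</form>
"""


def parse_webinjects(text):
    """Parse Zeus-style webinject blocks into dicts: url, flags, before, inject, after."""
    injects, cur, section, buf = [], None, None, []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("set_url"):
            parts = s.split()
            cur = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                   "before": "", "inject": "", "after": ""}
            injects.append(cur)
        elif s in ("data_before", "data_inject", "data_after"):
            section, buf = s[len("data_"):], []
        elif s == "data_end":
            if cur is not None and section is not None:
                cur[section] = "\n".join(buf).strip()
            section = None
        elif section is not None:
            buf.append(line)
    return injects


def _marker_to_regex(marker):
    """Anchor markers are literal text except '*', which is a wildcard."""
    return ".*?".join(re.escape(part) for part in marker.split("*"))


def apply_webinjects(url, html, injects):
    """Rewrite html the way a browser-hooking bot would before the page is rendered."""
    for inj in injects:
        if not fnmatchcase(url, inj["url"]):
            continue
        before = _marker_to_regex(inj["before"])
        payload = inj["inject"]
        if inj["after"]:
            # Both anchors given: whatever sits between them is replaced by the payload.
            after = _marker_to_regex(inj["after"])
            pattern = re.compile("(" + before + ").*?(" + after + ")", re.S)
            html = pattern.sub(lambda m: m.group(1) + payload + m.group(2), html, count=1)
        else:
            # Only a "before" anchor: the payload is inserted right after it.
            pattern = re.compile("(" + before + ")", re.S)
            html = pattern.sub(lambda m: m.group(1) + payload, html, count=1)
    return html


def demo():
    """Return the constructed login page after the matching inject is applied."""
    injects = parse_webinjects(SAMPLE_CONFIG)
    return apply_webinjects("https://online.example-bank.test/login?lang=nl",
                            SAMPLE_PAGE, injects)


if __name__ == "__main__":
    print(demo())
```

The injected field sits inside the bank’s own form, so it is posted to the real login endpoint along with the genuine credentials, which is why the lure looks legitimate to the victim and why server-side validation cannot tell the field was never in the page the bank served.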
Once the malware is installed on a machine, the bot herder can control his bots through different commands, most of which are listed in the table below.
Table 1:  Commands and Description
One addition that was made in version is an FTP credential stealer. It supports a wide array of FTP clients and tries to open up their configuration files and steal the user’s credentials. Interestingly, in order to steal user credentials, it integrates some known static passwords that some of these FTP clients use by default to encrypt their configuration file. This behavior is not new and has already been seen in Win32/PSW.Fareit (Pony Loader), for example.

Network Communications

Win32/Qadars uses AES in ECB mode to encrypt its network communications. Before sending a message, the client will generate a random string of nine (9) characters and will use its MD5 hash as the AES key to encrypt it. It will also generate another random string which it will embed in the message sent to the server. This key will be used by the server to encrypt its response. To securely transfer the AES key used to encrypt the message to the server, the client will further encrypt it, two characters at a time, and append it to the message. Finally, the overall message is encoded using base64 and sent to the server. The following figure depicts this process and lists the different fields present in the messages sent to the server.
Figure 3 : Client-to-Server Communication
The server response is encrypted using the server key embedded in the client request. It also appends the MD5 digest of the message as an error detection mechanism. The following figure shows the structure of the server response.
Figure 4 : Server-to-Client Communication
Examining the different message IDs used by Win32/Qadars tells us more about its functionalities. The table below lists most of the different message IDs and their description.
Table 2 : Message IDs and Description
Knowing the network protocol used by Win32/Qadars greatly enhanced our ability to track the botnet and study its behavior.

Infection Vector

Win32/Qadars’ webinject configuration file changes frequently and targets specific institutions. To maximize their success with these webinjects, the malware authors try to infect users in specific regions of the world. In the following section, we will show which countries were the most targeted, but let’s first take a look at the infection vectors the malware author chose so as to target specific countries. From May to October, it is not clear how the malware was spreading. Through our telemetry system, we found several hints that they might have bought compromised hosts in the countries they were interested in. We draw this conclusion because all of the compromised computers we analyzed also had Trojan downloaders and other infamous Pay-per-Install (PPI) malware such as Win32/Virut.
Beginning in November, we saw that Win32/Qadars is now also being distributed through the Nuclear Exploit Kit. Below are a couple of URLs that were used to distribute it at the beginning of November. The Nuclear Exploit Kit pattern used at the time is clearly visible:
Both of these infection vectors allow the bot masters to choose where the computers they compromise are located.

Regional Targets

Win32/Qadars has focused mainly on six countries up until now: the Netherlands, France, Canada, Australia, India and Italy. The following graph shows the geographical distribution of the detection in the period May 2013 to November 2013.
Figure 5 : Detection Distribution
Win32/Qadars clearly seeks to infect Dutch computers: 75% of detections come from the Netherlands. Analysis of the detection timestamps shows that there were several infection waves.
Figure 6: Win32/Qadars Daily Detections by Countries
Detections in the Netherlands always show the highest prevalence, followed by detections reported in France. The case of Canada is particularly interesting as all of the detections in this country occurred in the last fifteen (15) days of October. Of course, the webinject configuration file downloaded by the bots at this time contains code that targeted the main Canadian financial institutions.
The webinjects downloaded by the bots target financial institutions in the six countries mentioned above with varying degrees of sophistication. Some webinjects simply collect extra information whenever a user tries to log in to his bank’s secure website, by injecting an extra form or extra fields asking for private information into the login page. An example form is shown below.
Figure 7 : Phishing-like Webinject
Other webinjects are much more complicated and can perform transactions automatically and bypass the two-factor authentication systems implemented by banks.


The webinjects used by banking Trojans can be obtained in several different ways. They can be directly coded by the cybercriminals who operate the botnet, or they can be bought. There are several coders offering to sell public webinjects or to produce them tailored to the customer’s wishes. There are many such offers and some will even ask for a different price depending on the features needed. When analyzing webinjects used by Win32/Qadars, it is clear that they were not all written by the same people as the techniques and coding styles are quite different. In fact, we believe that they were all bought on various underground forums. One webinject platform they use has a distinctive way of fetching external content such as scripts and images. The URL in the injected JavaScript will look something like this:
The “data=” portion of the URL is base64 encoded. When decoded, this string reads “project=mob-ingnl-fand&action=file&id=css”, which clearly gives away the target as well as which file it is trying to retrieve. Interestingly, we found the exact same kind of syntax in webinjects used by a campaign targeting Czech banks and using Win32/Yebot (alias Tilon) as the banking Trojan. Although we found no trace of this particular webinject platform in the underground forums we looked at, we did find several other offerings.
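Because the decoded “data=” value names both the project and the asset being fetched, a defender who sees such requests in proxy logs can decode them and attribute them. The following added example, written for this page and not taken from the authors’ analysis, scans constructed proxy log lines, base64-decodes any data= query parameter and flags values carrying the project=…&action=file pattern quoted above. The decoded string is the one given on the page; the host names, IP addresses, timestamps and the remaining log lines are constructed. It reads the parameter by hand rather than with urllib.parse.parse_qs, because parse_qs turns ‘+’ into a space and would corrupt base64 containing that character.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, unquote

# The decoded string is the one quoted on the page; its base64 form is computed
# here rather than copied. Host names, IPs and timestamps are constructed.
DECODED_EXAMPLE = "project=mob-ingnl-fand&action=file&id=css"
B64_EXAMPLE = base64.b64encode(DECODED_EXAMPLE.encode()).decode()

SAMPLE_LOG = [
    "2013-11-04T09:12:01Z 10.0.0.23 GET https://www.example-bank.test/login 200",
    "2013-11-04T09:12:02Z 10.0.0.23 GET https://static.assumed-cdn.test/g.php?data="
    + B64_EXAMPLE + " 200",
    # data= present but not base64: must be skipped, not crash the scanner
    "2013-11-04T09:12:03Z 10.0.0.23 GET https://www.example-bank.test/i/logo.png?data=not%20base64! 200",
    # decodes cleanly to "hello" but is not a key=value string, so it must not fire
    "2013-11-04T09:12:04Z 10.0.0.24 GET https://tracker.example.test/p?data=aGVsbG8= 200",
]

URL_RE = re.compile(r"https?://\S+")


def query_param(url, name):
    """Return the percent-decoded value of one query parameter, or None.

    Deliberately not urllib.parse.parse_qs: that helper turns '+' into a space,
    which corrupts base64 payloads that happen to contain '+'.
    """
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return None


def decode_data_param(url):
    """Base64-decode the 'data' parameter; None if absent or not valid base64/ASCII."""
    raw = query_param(url, "data")
    if raw is None:
        return None
    raw += "=" * (-len(raw) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(raw, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def webinject_fields(decoded):
    """Return the project/action/id fields if the decoded text looks like a
    webinject asset fetch (the pattern the page describes), else None."""
    if not decoded or "=" not in decoded:
        return None
    fields = dict(p.partition("=")[::2] for p in decoded.split("&") if "=" in p)
    if "project" in fields and fields.get("action") == "file":
        return fields
    return None


def scan_log(lines):
    """Return one hit per log line whose URL carries a webinject-style data= blob."""
    hits = []
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        fields = webinject_fields(decode_data_param(m.group(0)))
        if fields:
            hits.append({"url": m.group(0), "project": fields["project"],
                         "asset": fields.get("id", ""), "line": line})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["project"], hit["asset"], hit["url"])
```

The project name is the useful pivot: it tells the analyst which bank (and here, which mobile variant) the inject was built for, and the same syntax turning up in an unrelated Win32/Yebot campaign is exactly the kind of overlap this decoding exposes.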

Automatic Transfer System (ATS)

ATS, now commonly used in banking Trojans, is a term applied to webinjects that aim to initiate an automatic transfer once a user accesses his bank account through a compromised computer. It will usually contain code to automatically find the account with the highest amount and initiate a transfer to an attacker/money mule controlled account. The code will usually contain some tricks (read social engineering) to defeat two-factor authentication systems that are sometimes imposed by banks when performing transfers. We have found several coders in underground forums selling public or private ATS for several banks around the world. In the underground forums, a “public” webinject is one that is sold to anyone by the vendor while a “private” one is customized to the buyer’s need and is usually not resold by the coder. In general, buyers of private webinjects will get the source code and the rights to redistribute it to others. We know that Win32/Qadars authors are buying some webinjects because we found one public ATS that they had integrated into their webinject configuration file. Like many other offerings, this coder sells, along with the webinject, an administrator panel (shown below) to let the cyber criminals control several aspects of how the automatic transfer should be carried out.
Figure 8 : ATS Webinject Administration Panel
This particular offering is targeting a French bank and the coder claims that it can bypass the SMS two-factor authentication system put in place by the bank to prevent fraudulent transfers.


In several ATS we have analyzed, like the one described above, the malware must intercept an SMS so as to make the transfer go through. This is necessary because the bank sends a transaction authorization number (TAN) to the user’s mobile whenever he initiates a money transfer. The user must input this TAN in his browser before the transfer is authorized. The use of a mobile component by a banking Trojan is not new. Zeus-in-the-mobile, or ZitMo, and others have been around for quite some time. What is particularly interesting in this case is that several webinject coders are actually bundling such mobile malware with their webinjects. This means that a bot master can now buy very complex webinjects that are not only JavaScript code, but also contain an administration panel and some mobile malware customized to the targeted bank.
In the case of Win32/Qadars, the mobile component we’ve seen bundled with the webinject is Android/Perkele, mobile malware that can intercept SMS messages and forward them to the cybercriminals. This kit has already been profiled by Brian Krebs. The webinject takes care of everything in this case: when the user logs into his bank account, content is injected into his browser asking him to specify his mobile brand and to download a “security” application onto his mobile phone. Since the user sees this content while he is accessing his account, he is more likely to believe that this message is genuine and that the application truly comes from his bank. In one sample we analyzed, once the banking application is installed on the phone, it sends an SMS message to a phone number in Ukraine.
Figure 9 : Screenshot of Android/Perkele Targeting a French Banking Institution
Android/Perkele supports the Android, BlackBerry and Symbian operating systems, but we have seen only the Android component used in conjunction with Win32/Qadars. Once the application is installed on the user’s phone, the automatic transfer can be attempted, since the SMS containing the required TAN can be obtained by the fraudster. This webinject offering is a good example of malware commoditization. The botnet master can now buy a complete solution that will allow him to conduct automatic transfers and bypass two-factor authentication systems in a totally automated fashion. All he needs to provide is a way to inject content into the user’s browser, and this functionality is implemented in all modern banking Trojans.
The mobile malware Android/Perkele, once installed on a user’s mobile, is used by fraudsters to intercept SMS messages and hide them from the user. It is interesting to see that Google is taking a proactive stance to defeat this kind of threat. The newest Android release, dubbed KitKat, has changed how applications on the phone can receive SMS messages and hide them from the user. Hiding an SMS is now much harder, because only one application, the default SMS app (the system messaging application unless the user chooses another), is able to do so. Thus, users infected by threats like Android/Perkele have a much better chance of spotting the infection if they are running the latest Android release.


We have seen lately a resurgence of new banking Trojans being spread in the wild. Win32/Napolar, Win32/Hesperbot and Win32/Qadars have all appeared in the last few months. It is probably no coincidence that there is now a plethora of banking Trojan source code available following the leaks of Win32/Zbot and Win32/Carberp source code. Another interesting development to watch for is the thriving webinject coder scene. These people are offering ever more sophisticated pieces of code that can bypass a wide range of two-factor authentication systems. It will be interesting to see whether at some point the market matures enough for us to see the emergence of popular webinject kits, in much the same way as happened in the exploit kit scene.
Special thanks to Hugo Magalhães for his contribution to this analysis.
SHA1 hashes
Win32/Qadars (Nuclear Pack):    F31BF806920C97D9CA8418C9893052754DF2EB4D
Win32/Qadars (         DAC7065529E59AE6FC366E23C470435B0FA6EBBE
Android/Perkele:            B2C70CA7112D3FD3E0A88D2D38647318E68F836F

The Death of Anti-Virus: conference paper

Death of a Sales Force: Whatever Happened to Anti-Virus? is a paper written by Larry Bridwell and me for the 16th AVAR conference in Chennai. It was kindly presented by ESET’s Chief Research Officer Juraj Malcho, as neither Larry nor I was able to attend the conference in the end. The paper is also available from the ESET Threat Center Resources page here.
Here’s the abstract:
Anti-Virus is, it seems, an ex-parrot. We’ve seen so many announcements of the death of anti-virus we’ve taken to carrying black ties around with us, ready for the next one. This paper probably won’t have much impact on the ludicrously funereal tone of some commentary, but will take an informed look at the reasons most often given for the imminent demise of the AV industry, in the hope of achieving a balanced view of the present role and future evolution of malware analysis. Reports of the (near-) death of static signature detection may not be exaggerated, but anti-malware technology has moved far beyond simple signatures. We consider in depth the accuracy of some of the basic contentions that keep turning up ad infinitum in memoriam…
  1. Conclusions based on detection testing and pseudo-testing statistics
  2. Anti-virus is ok if you don’t have to pay for it
  3. Heuristic detection has gone the way of the static signature
  4. Spammed out malware is less important than targeted malware
  5. New (mobile) platforms require new defensive paradigms
Catching or blocking malware is just part of the security challenge, at home or in the workplace, and malware detection is a very different technology to what it was 20 years ago, but does that mean it’s obsolescent? We look at the three primary functions of AV:
  • protection in the form of proactive detection and blocking through a range of heuristic, reputational and generic countermeasures
  • detection of known malware
  • remediation where something is detected and has managed to gain a foothold
We contend and demonstrate that while emphasis has undergone an irreversible shift from detection by signature, to remediation of signature-detected malware, to more generic detection by technologies such as heuristics, behaviour analysis, and reputation, a complete solution addresses all those issues. AV is dead, or at best comatose: at any rate, self-replicating malware is a small part of a much larger problem, while signature detection is primarily a fallback technology that helps with remediation rather than a primary layer of protection.
Anti-malware technology moved on long ago. Customer and media perception, though, has lagged way behind. Could it be that when other sectors of the security industry, driven by commercial agendas, engage in inaccurate and at best misinformed anti-AV commentary, that they are also putting their own interests and those of the community at large at risk? Would a world without the mainstream anti-malware industry be such a good place to live?

Target down? “Biggest data breach ever” leaks 40 million credit and debit cards from retailer at height of shopping season

Details of 40 million customer debit and credit cards may have leaked in a data breach at Target – which began on November 27 and ended on December 15.
“Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013,” the retailer said in a statement. The data stolen is reportedly “track data” which can be used to clone cards, according to Brian Krebs.
“Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts.  Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident.”
The story initially broke via security expert Brian Krebs’ site, Krebs on Security, based on information from sources at two top-10 credit card issuers.
It’s still unclear which stores were affected, and who the attackers are. Krebs quotes one unnamed anti-fraud analyst at a card issuer as saying, “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”
According to ABC News, the U.S. Secret Service is currently investigating, but declined to provide further details. The report said that the attack hit at the height of the shopping season, and described it as “one of the largest data breaches of all time”. ABC’s report said that unnamed security experts did not expect the incident to be resolved until “well into the new year.”
The data stolen was “track data”, according to Krebs’ sources. This, Krebs warns, is exactly what cybercriminals need to clone credit cards – but the damage caused by the breach may depend on whether the criminals also have access to PIN numbers.
“The type of data stolen — also known as “track data” — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs,” Krebs said.
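Track data has a fixed, documented layout (ISO/IEC 7813), which is exactly why it is both easy to encode onto a blank card and easy to spot in a memory or network capture. The following is an added example, not code from the original post, from Krebs or from Target, of the kind of Track 2 detector a DLP or POS-monitoring tool runs over a buffer: it looks for the sentinel-delimited record, confirms the PAN with the Luhn check so that random digit runs are discarded, masks the PAN before reporting, and decodes the first digit of the service code. The sample buffer is constructed, and 4111111111111111 is a well-known test card number, not a real account.

```python
"""Added example: find ISO/IEC 7813 Track 2 records in an arbitrary byte buffer.
Not code from the post, Krebs or Target; the sample buffer is constructed."""
import re
from typing import Dict, List

# Track 2 layout: ';' PAN '=' YY MM service-code discretionary-data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

# First digit of the service code (ISO/IEC 7813): interchange rules and
# whether the terminal should prefer the chip when one is present.
INTERCHANGE = {
    "1": "international",
    "2": "international, chip preferred",
    "5": "national",
    "6": "national, chip preferred",
    "7": "private/bilateral",
    "9": "test",
}


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six (BIN) and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> List[Dict[str, str]]:
    """Return every Luhn-valid Track 2 record found in buf, with the PAN masked."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan, yy, mm, svc, _disc = (g.decode() for g in m.groups())
        if not luhn_valid(pan) or not 1 <= int(mm) <= 12:
            continue  # decoy, corrupt or coincidental digit run
        hits.append({
            "pan": mask_pan(pan),
            "expiry": f"{mm}/{yy}",
            "service_code": svc,
            "interchange": INTERCHANGE.get(svc[0], "unknown"),
        })
    return hits


# Constructed sample: one valid record, one Luhn-failing decoy, surrounding noise.
SAMPLE_BUFFER = (
    b"\x00\x00POS-TERM-07\x00"
    b";4111111111111111=1512101123456789?"   # test PAN, expires 12/15, service code 101
    b"\xff\xfe"
    b";4111111111111112=1512101123456789?"   # last digit altered: fails Luhn
    b"\x00"
)

if __name__ == "__main__":
    for rec in find_track2(SAMPLE_BUFFER):
        print(rec)
```

The Luhn check is what keeps the false-positive rate tolerable on binary data; a 16-digit run between the sentinels passes it only one time in ten by chance, and the month-range check removes more. Note that a service code beginning with 2 or 6 tells a terminal that the card carries a chip, which is why magstripe-only clones of such cards are supposed to be refused by chip-capable terminals.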
ESET Senior Research Fellow David Harley warns that even if the criminals do not have access to this data, the security of Target customers will be impacted.
Harley says, “Even if your PIN or password is well chosen, your security is reduced – not necessarily completely compromised – if  data such as track data are compromised by other means.”
“It’s not clear exactly how the data were stolen in this case, and therefore whether PIN data for debit cards were also stolen. Still, it’s always worth trying to make it harder for a crook to guess PINs: the PINs people actually tend to use are more stereotyped than you might think. See this blog for more details.”
The store issued a statement via its website, saying, “Your trust is a top priority for Target, and we deeply regret the inconvenience this may cause. The privacy and protection of our guests’ information is a matter we take very seriously and we have worked swiftly to resolve the incident.”
“You should remain vigilant for incidents of fraud and identity theft by regularly reviewing your account statements and monitoring free credit reports. If you discover any suspicious or unusual activity on your accounts or suspect fraud, be sure to report it immediately to your financial institutions.”

Target breached: 5 defensive steps shoppers should take now

As you may have heard from the copious news coverage (including our own post this morning), Target’s stores in the US were the target of a security breach that has given criminals access to the data from the magnetic stripes on customers’ credit and debit cards. This data includes the customer’s name, the card number, the card’s expiration date and a card verification value. Note that the verification value encoded on the stripe (often called CVV1) is not the three-digit code printed on the card that online merchants ask for; what the stripe carries is what is needed to clone a physical card.
Indications are that this breach began near the end of November, though some sources say it may have begun as early as mid-November, and it was closed on December 15. If you shopped in a Target store during that period of time, you may be wondering how to identify or mitigate problems caused by this breach. Here are a few steps you can take now:

1. Check your account for suspicious activity

The first, and most important thing you can do is to check the transactions for the credit and debit cards you used at Target stores during this time period. If you see activity that you do not recognize, it is important that you notify the card issuer immediately.
Keep in mind that it is likely the criminals will not have used or sold all of the data they have stolen yet. In order not to flood the market and devalue the data, they are likely to sell it over the course of several months. You will need to be vigilant with these accounts for a while.
Reports are that the site for Target’s REDcard is overwhelmed and may not be responding, so you may need to be patient and try again periodically.

2. Ask for a replacement debit/credit card

If you would rather not wait to find out whether criminals sell and use your stolen data, especially if the card in question is a debit card that pulls funds directly from your bank account, you may wish to ask for a replacement card. Keep in mind that if any auto-pay arrangements reference this card number, you will need to update them. Asking for a replacement costs you some time now, in the hope of avoiding a much bigger outlay of time later if your card data are used for fraud.

3. Choose a stronger debit PIN

If the card you used was a debit card, you may wish to change your PIN. There is no indication at this time that PINs were among the data intercepted in the breach, but many people use weak PINs that are easy to guess. Choosing a less predictable PIN is a small step that can noticeably improve your security.
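Both this step and Harley’s remark earlier that real-world PINs are “more stereotyped than you might think” can be made concrete. What follows is an added example, not part of the original post or of ESET’s advice, of the kind of pattern screen an issuer could apply when a customer picks a new PIN, or that a cautious cardholder could run over a candidate: it rejects a short denylist of popular choices, repeated digits, ascending or descending runs, repeated pairs, palindromes, straight lines down a phone keypad, and anything that reads as a year or a date. The denylist and the pattern set are assumptions for illustration; an issuer would maintain its own from its fraud data.

```python
"""Added example: heuristic screen for guessable four-digit PINs.
Not from the post or ESET; the denylist and patterns are illustrative assumptions."""

# Assumed short denylist of PINs commonly reported as the most popular choices.
COMMON_PINS = {"1234", "1111", "0000", "1212", "7777", "1004", "2000",
               "4444", "2222", "6969"}
# Straight lines down a phone keypad (1-4-7-0, 2-5-8-0, 3-6-9-0) and back up.
KEYPAD_LINES = {"1470", "2580", "3690", "0741", "0852", "0963"}


def _is_sequence(pin: str) -> bool:
    """Ascending or descending run with a constant step of 1, wrapping at 9/0."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {9}


def _looks_like_date(pin: str) -> bool:
    """MMDD or DDMM with a plausible month and day (birthdays, anniversaries)."""
    a, b = int(pin[:2]), int(pin[2:])
    return (1 <= a <= 12 and 1 <= b <= 31) or (1 <= b <= 12 and 1 <= a <= 31)


def pin_weakness(pin: str) -> str:
    """Return a short reason the PIN is guessable, or '' if no pattern matched.
    Rules are checked from most to least specific so the reason is informative."""
    if len(pin) != 4 or not pin.isdigit():
        return "not four digits"
    if pin in COMMON_PINS:
        return "common"
    if len(set(pin)) == 1:
        return "repeated digit"
    if _is_sequence(pin):
        return "sequence"
    if pin[:2] == pin[2:]:
        return "repeated pair"
    if pin == pin[::-1]:
        return "palindrome"
    if pin in KEYPAD_LINES:
        return "keypad line"
    if pin[:2] in ("19", "20"):
        return "year"
    if _looks_like_date(pin):
        return "date"
    return ""


if __name__ == "__main__":
    for candidate in ("1234", "4321", "2580", "1987", "0314", "1221", "8361"):
        print(candidate, "->", pin_weakness(candidate) or "no pattern found")
```

A PIN that survives every rule is not thereby strong, since four digits give only 10,000 possibilities and the ATM lockout after a few wrong tries is the real control; the point of the screen is to keep the PIN out of the small set an attacker would try first.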

4. Check your credit report

Criminals could take the data they have stolen and combine it with other data to wreak more havoc. It is a good idea to monitor your credit report regularly, to identify and then report any fraudulent activity. Target has provided detailed contact information for the three credit reporting agencies. You may also want to look into setting up a fraud alert or a credit freeze if you want additional protection against fraudsters trying to get credit in your name. Be aware that these steps also mean you will have to go through additional verification if you wish to get credit yourself, for the duration of the alert or freeze.

5. Change your password

There is no indication that passwords were compromised in this breach, but the incident is a good reminder to be vigilant about choosing strong passwords and changing them often.

Bonus tip

Beware of scams: Criminals are aware that people will be feeling especially anxious about their security and privacy as a result of this incident. This could lead to other scams. Some folks may, ironically, be more apt to fall for social engineering tactics that prey on this fear of their cards being compromised. Be sure not to click on links in emails purporting to come from businesses using this angle, especially if they appear suspicious in any way. Instead, you should type the expected URLs into your browser directly to contact companies.

Cryptolocker 2.0 – new version, or copycat?

In our previous blog, Filecoder: Holding your data to ransom, we published information about the resurgence of file-encrypting ransomware since July 2013. While the majority of these ransomware families are most widespread in Russia, there are families that are targeting users (especially business users) globally.
Cryptolocker, detected by ESET as Win32/Filecoder.BQ, is one of the most infamous examples and has received widespread public and media attention in the past two months. As shown by the ESET LiveGrid® detection statistics below, the country most affected by this family is the United States.
Last month we discovered another Filecoder family, which caught our attention because it called itself “Cryptolocker 2.0”. Naturally, we wondered if this is a newer version of the widespread ransomware developed by the same gang. In this blog post, we will provide a comparison between this “Cryptolocker 2.0” – detected by ESET products as MSIL/Filecoder.D and MSIL/Filecoder.E – and the “regular” Cryptolocker.

Cryptolocker 2.0 vs. Cryptolocker

Both malware families operate in a similar manner. After infection, they scan the victim’s folder structure for files matching a set of file extensions, encrypt them and display a message window that demands a ransom in order to decrypt the files. Both use RSA public-key cryptography. But there are some implementation differences between the two families.
There are three visible differences between the two families. Cryptolocker uses (as mentioned in the ransom message) RSA-2048, whereas Cryptolocker 2.0 claims to use RSA-4096 (though in reality it uses RSA-1024). Cryptolocker 2.0 displays the deadline by which the private key will supposedly be deleted, but doesn’t show a countdown timer like Cryptolocker. And, interestingly, Cryptolocker 2.0 only accepts the ransom in Bitcoins, whereas different variants of Cryptolocker have also been accepting MoneyPak, Ukash or cashU vouchers.
More implementation differences were revealed after analyzing the malware. The first and most obvious difference is in the programming language used – Cryptolocker was compiled using Visual C++, whereas Cryptolocker 2.0 was written in C#. The files and Registry keys used by the malware are different, and, more interestingly, so is the list of file extensions that the ransomware seeks to encrypt. Cryptolocker appears to be more “business-user-oriented” and doesn’t encrypt image, video and music files, whereas Cryptolocker 2.0 does – its list of targets includes file extensions such as .mp3, .mp4, .jpg, .png, .avi, .mpg, and so on.
When the malware is run, it contacts the C&C server to request a unique RSA public key. Then, each file that meets specific criteria (matching file extension, file path not in exclusion list) is encrypted using a different randomly-generated 3DES key, and this key is then encrypted using the RSA public key received from the server. The encrypted key is then written to an auxiliary file, with the same filename and extension as the encrypted file and an appended second extension “.k”:
Thus, decryption of the files would only be feasible if the RSA private key was known, which would allow the decryption of the 3DES keys.
The original Cryptolocker works in a similar fashion, with some subtle differences. For example, it uses AES instead of 3DES. Also, the encrypted key is saved to the end of each encrypted file, not in a separate file.
Cryptolocker (Win32/Filecoder.BQ) also contains a domain-generation-algorithm for C&C addresses, whereas the new Cryptolocker 2.0 doesn’t contain such a feature. An overview of the differences between the two malware families is presented in the table below.
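For someone doing incident response, the two key-storage layouts described above are the quickest way to tell the families apart on disk: Cryptolocker 2.0 leaves a “<name>.<ext>.k” sidecar holding the RSA-wrapped 3DES key next to each encrypted file, while the original Cryptolocker appends the wrapped AES key to the encrypted file itself. The following is an added triage script, not code from the malware or from ESET, that walks a directory and flags files stored in either layout. It assumes that a raw RSA-1024 ciphertext (the key size the post says 2.0 really uses) is 128 bytes, that ciphertext shows close to 8 bits of entropy per byte, and it builds its own sample tree from random bytes; all three are illustrative assumptions.

```python
"""Added triage helper for Filecoder-style encrypted trees.
Not the malware's or ESET's code; sizes, thresholds and sample tree are assumptions."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict

# Assumption: a raw RSA-1024 ciphertext is 128 bytes, so a genuine
# Cryptolocker 2.0 sidecar should be exactly that long.
RSA1024_CIPHERTEXT_LEN = 128
# Assumption: output of a sound cipher approaches 8 bits of entropy per byte.
ENCRYPTED_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    """Classify one non-sidecar file by the two layouts described in the post."""
    sidecar = path.with_name(path.name + ".k")
    high_entropy = shannon_entropy(path.read_bytes()) >= ENCRYPTED_ENTROPY
    if sidecar.is_file():
        if sidecar.stat().st_size == RSA1024_CIPHERTEXT_LEN and high_entropy:
            # Cryptolocker 2.0 layout: wrapped 3DES key in "<name>.k" beside the file
            return "cryptolocker2"
        return "sidecar-mismatch"   # a .k file exists but the pair looks wrong
    if high_entropy:
        # No sidecar but ciphertext-like body: consistent with the original
        # Cryptolocker, which appends the wrapped AES key to the file itself.
        return "encrypted-no-sidecar"
    return "clean"


def triage(root: Path) -> Dict[str, str]:
    """Map each file under root (relative path, sidecars excluded) to a verdict."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".k"):
                continue  # reported through the file it belongs to
            p = Path(dirpath) / name
            results[str(p.relative_to(root))] = classify(p)
    return results


def build_sample_tree(root: Path) -> None:
    """Constructed sample: a clean document, a 2.0-style victim with its sidecar,
    and a ciphertext-like file with no sidecar. Bodies are random bytes, not
    real output of either family."""
    (root / "report.txt").write_bytes(b"quarterly figures\n" * 200)
    (root / "photo.jpg").write_bytes(os.urandom(4096))
    (root / "photo.jpg.k").write_bytes(os.urandom(RSA1024_CIPHERTEXT_LEN))
    (root / "song.mp3").write_bytes(os.urandom(4096))


def demo() -> Dict[str, str]:
    """Build the sample tree in a fresh temporary directory and triage it."""
    root = Path(tempfile.mkdtemp())
    build_sample_tree(root)
    return triage(root)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:22s} {rel}")
```

Run it against a copy of the affected tree, never the original. A “sidecar-mismatch” verdict means a .k file exists but the pair does not match the described layout, which deserves a manual look; and as the post notes, a correct classification does not make decryption feasible, since the 3DES or AES key for every file is still wrapped with an RSA public key whose private half never leaves the criminals’ server.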
In addition to this, the recently-discovered trojan contains some features unrelated to the ransomware functionality. The application includes windows that mimic “activators” or cracks for proprietary software, including Microsoft Windows, Microsoft Office, Team Viewer, Adobe Photoshop or even ESET Smart Security.
The application chooses which window to display depending on the binary’s file name. After launch, it installs itself on the system and subsequently operates in “ransomware mode” as described above. Masquerading as software cracks serves as an additional spreading mechanism for the trojan and, aside from the legal issues, demonstrates the increased risk of using pirated software.
Cryptolocker 2.0 is also capable of spreading via removable media, replacing the content of any .exe files it finds there with its own body.
The list of functionalities present in the trojan code is quite extensive and also includes stealing Bitcoin wallet files, launching the legitimate BFGMiner application or running DDoS attacks against a specified server. However, we were unable to establish whether this functionality was actually being used at present.

Tech chiefs meet Obama to outline PRISM spying concerns

The White House
Leaders of some of the world’s biggest tech companies, including Twitter, Google and Apple, met with President Obama on Tuesday to discuss their concerns about the PRISM spying revelations that have come to light this year.
The meeting was billed by the White House as a chance to discuss numerous tech issues including the flawed website, but the tech leaders were only there to discuss surveillance issues, the Guardian quoted one executive as saying.
“That is not going to happen,” they said. “We are there to talk about the NSA.”
The tech leaders issued a joint statement calling on Obama to make sure surveillance oversight is reformed.
"We appreciated the opportunity to share directly with the president our principles on government surveillance that we released last week and we urge him to move aggressively on reform," they said in a widely reported statement.
The White House also issued a statement, acknowledging the importance of ensuring the internet remains a protected sphere.
“This was an opportunity for the president to hear from CEOs directly as we near completion of our review of signals intelligence programs, building on the feedback we’ve received from the private sector in recent weeks and months,” it said.
“The president made clear his belief in an open, free and innovative internet and listened to the group’s concerns and recommendations, and made clear that we will consider their input as well as the input of other outside stakeholders as we finalise our review of signals intelligence programs.”
Yahoo CEO Marissa Mayer, chief operating officer of Facebook Sheryl Sandberg and Dropbox founder and chief Drew Houston were also in attendance.
The tech industry has been outraged since the news of mass surveillance broke earlier in the year, and firms have been using their collective might to press the government to change the way data on citizens is gathered.
Earlier this week a US judge branded the spying as Orwellian, adding that the US government had failed to prove that it had directly helped to stop any terrorist attack.

Amazon to trial cloud computing services from Chinese data centres in 2014

Cloud computing
Amazon Web Services (AWS) is to begin a preview of a China Region for its cloud computing platform early next year. The move will be important for businesses using AWS who may be looking to expand into the growing Chinese marketplace.
Announcing the limited preview coming in early 2014, Amazon said it is partnering with local Chinese providers, including ChinaNetCenter and Sinnet. These companies will provide the necessary data centre hosting and internet connectivity for the Chinese AWS platform.
This will be Amazon's fourth AWS Region in Asia Pacific and its tenth globally, and it means that customers inside China, as well as international companies targeting the Chinese market, will be able to host some services locally.
With the launch of the new AWS China Region, these customers will be able to run their applications on infrastructure hosted in mainland China. This significantly reduces latency to local end users and enables companies with requirements to store their data in China to easily do so, Amazon said.
Andrew Jassy, Amazon Web Services senior vice president, said customers had been pressing for a local AWS Region in China.
"China represents an important long-term market segment for AWS. We are looking forward to working with Chinese customers, partners and government institutions to help small and large organisations use cloud computing to innovate and deploy faster, save money, expand their geographic reach, and do so without sacrificing security, availability, data durability and reliability," he said.
AWS said it also maintains a local technical support operation in China as part of its global network of support centres, staffed around the clock, all year round, by experienced technical support engineers ready to help customers of all sizes.
International customers are likely to have some concerns regarding security, especially in the wake of the PRISM scandal. However, AWS has already been stepping up data security in areas such as its CloudHSM platform, which gives customers control over encryption keys used to protect data stored on AWS.

ICO urges data privacy awareness before Christmas app download frenzy

The Information Commissioner’s Office (ICO) has issued a warning to mobile phone and tablet owners to be on their guard against data-stealing app downloads over the festive period. The watchdog has also warned developers to ensure they adhere to data protection legislation.

With millions of devices expected to be activated after being given as gifts, eager owners will then rush to download new apps, with 328 million downloaded on Christmas Day last year, the ICO said.

However, despite this demand for apps, many users worry that they do not know what data they are giving up when they accept an app's terms and conditions, often without having read them at all.

A survey by YouGov, commissioned by the ICO, found that 62 percent of people are concerned about this issue and 49 percent said they have not downloaded an app due to privacy concerns.
ICO principal policy advisor for technology Simon Rice said the findings underlined the importance of being aware of what sort of data you are handing over to an app and the company behind it.
“Apps often work by using personal information. This can include information you would not normally choose to give out to a stranger, such as the contact details of friends and relatives, and details of your location,” he noted.
To counter the risks this could pose, the ICO has issued four pieces of guidance for device owners to bear in mind this Christmas.
  • Only download apps from official and trusted app stores. Be extremely careful of using untrusted sources.
  • Read the information available about an app in the app store before you download it. Check you are happy about the personal information it will be using.
  • Have a regular clearout. Many of us have downloaded an app and only used it once. If you no longer use the app, uninstall it.
  • Consider downloading mobile security software to help keep your device secure.
As well as warning consumers about the issues of privacy, the ICO also gave developers a reminder of their obligations to protect the user data they gather with a detailed document outlining the requirements around data protection.
“The app development industry is one of the UK’s fastest-growing industries, but our survey shows almost half of app users have rejected an app due to privacy concerns. It is important that developers tackle this issue by making sure their apps look after personal information correctly," he said.
“Our guidance will help them achieve this by explaining the legal requirements when using personal information. That includes how to obtain lawful consent, the measures required to keep people’s information secure and advice on carrying out routine testing and maintenance."