May the source be with you, but remember the KISS principle ;-)


Strategies of Defending Microsoft Windows against Malware



The introduction to this topic grew too big and was split into a separate article on Dec 1, 2012: see Architectural approaches for increasing Windows resistance against malware.



Old News ;-)

Microsoft is closely monitoring the situation, and is committed to helping customers have a safe, enjoyable computing experience.

From the quotes of the day

"the Windows dominance produced a computer monoculture with all the same problems as other monocultures."

"Anti-virus companies have always been seen as ambulance chasers, and sometimes, it's true," said Dan Schrader, the chief security analyst at Trend Micro. "Because this is an industry that has been built on hype and alerts and pretensions of being good citizens, the industry doesn't have a lot of credibility."

The Virus 'Ambulance Chasers'

The preoccupation with computer "hacking" is a way for physically unattractive males to enter the mainstream of society.


[Sep 26, 2015] Intelligent System Hunts Out Malware Hidden In Shortened URLs

Sep 26, 2015 | Posted by timothy
An anonymous reader writes: Computer scientists at a group of UK universities are developing a system to detect malicious code in shortened URLs on Twitter. The intelligent system will be stress-tested during the European Football Championships next summer, on the basis that attackers typically disguise links to malicious servers in a tweet about an exciting part of an event to take advantage of the hype.

Anonymous Coward

Shouldn't browsers be changed to not simply follow the redirect, but ask the user first?

Zontar The Mindless

For TinyURL, you can enable preview of the full URL here. Uses a cookie, though.

Anonymous Coward on Saturday September 26, 2015 @06:37AM (#50603143)

I can connect to the server and retrieve the redirect information manually. Works for all of them. But it's a) inconvenient, and b) not something everyone is able to do. Some addons seem to be available, but they don't do things nicely.

1) Patch the page directly (not just retrieve the data on mouse over), making it less original

2) Even retrieve the title of the redirection target (just that connection is enough to validate the existence of an email address)

My requirements are:

- shall not connect to the host of the shortened url (or any other -- no distinction between "normal" and shorted urls) unless clicked

- shall not connect to the redirect target unless confirmed by the user, or the target is on the same host
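The poster's two requirements (contact the shortener only once the link is clicked, and never contact a redirect target on another host without confirmation) can be enforced in a small redirect previewer. This is an added example, not code from the thread or from any add-on it mentions: the HTTP transport is injected, and FAKE_RESPONSES is a constructed table of HEAD responses so the walk runs offline.

```python
"""Preview the target of a shortened URL without following cross-host redirects.

Added example, not from the original thread. The transport is injected so the
walk runs offline: FAKE_RESPONSES is a constructed table standing in for real
HEAD responses; a live transport would send a HEAD request with automatic
redirect handling disabled and return the status and headers it got back.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# A transport performs ONE request (no automatic redirects) and returns
# the status code and response headers.
Transport = Callable[[str], Tuple[int, Dict[str, str]]]


@dataclass
class Preview:
    hops: List[str]                 # URLs actually contacted, in order
    final: Optional[str] = None     # non-redirect URL reached on the same host
    pending: Optional[str] = None   # cross-host target NOT contacted yet
    stopped: str = ""               # why the walk ended


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def preview_redirect(url: str, transport: Transport, max_hops: int = 5) -> Preview:
    """Walk redirects only while they stay on the starting host.

    Call this only after the user actually clicked: the first request goes
    to the shortener itself. A redirect to another host is returned as
    `pending` without being contacted, so the user can confirm first.
    """
    result = Preview(hops=[])
    current = url
    for _ in range(max_hops):
        result.hops.append(current)
        status, headers = transport(current)
        location = headers.get("Location") or headers.get("location")
        if not (300 <= status < 400 and location):
            result.final = current
            result.stopped = f"non-redirect status {status}"
            return result
        target = urljoin(current, location)        # Location may be relative
        if urlsplit(target).scheme not in ("http", "https"):
            result.stopped = f"refusing non-HTTP scheme in {target!r}"
            return result
        if _host(target) != _host(current):
            result.pending = target
            result.stopped = "cross-host redirect needs confirmation"
            return result
        current = target                           # same host: keep walking
    result.stopped = f"gave up after {max_hops} hops"
    return result


# Constructed responses: a two-step shortener, a redirect loop, a bogus scheme
# and the eventual target site. Hostnames are placeholders.
FAKE_RESPONSES: Dict[str, Tuple[int, Dict[str, str]]] = {
    "https://short.example/abc": (301, {"Location": "/r/abc"}),
    "https://short.example/r/abc": (302, {"Location": "https://videos.example/watch?v=1"}),
    "https://short.example/loop": (302, {"Location": "https://short.example/loop"}),
    "https://short.example/js": (302, {"Location": "javascript:void(0)"}),
    "https://videos.example/watch?v=1": (200, {"Content-Type": "text/html"}),
}


def fake_transport(url: str) -> Tuple[int, Dict[str, str]]:
    """Offline stand-in for a HEAD request with redirects disabled."""
    return FAKE_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    print(preview_redirect("https://short.example/abc", fake_transport))
```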

Zontar The Mindless

Whatever. I despise shorteners, don't use them myself, and generally refuse to follow shortened URLs. Just bored and trying to be helpful.

[Aug 30, 2015] Ashley Madison's Female Subscribers Barely Exist, Analysis Concludes


"A detailed look at leaked Ashley Madison data suggests there were practically no women active on the site.

It was already known that male profiles outnumbered female ones on the site by a ratio of roughly six to one. And it had been previously alleged that Ashley Madison was creating fake profiles of female users.

But a detailed look at the data leaked last week by The Impact Team hackers (or hacker), carried out by Annalee Newitz at Gizmodo, found the number of active women on the site to be so low that it's statistically insignificant....

Of 5.5 million accounts identified as female, only 1,492 had ever checked their inbox, Newitz' analysis found, compared to 20.2 million male accounts that had checked their inbox at least once.

It also found 80,805 profiles linked to an IP address that indicates a local computer, suggesting those accounts were made inside Avid Life Media, the Toronto-based company that owns Ashley Madison.

"This isn't a debauched wonderland of men cheating on their wives," Newitz concluded. "Instead, it's like a science fictional future where every woman on Earth is dead, and some Dilbert-like engineer has replaced them with badly-designed robots."

[Aug 23, 2015] Ashley Madison Hackers Speak Out: 'Nobody Was Watching'

August 21, 2015 | Motherboard

MOTHERBOARD: How did you hack Avid Life Media? Was it hard?

The Impact Team: We worked hard to make fully undetectable attack, then got in and found nothing to bypass.

What was their security like?

Bad. Nobody was watching. No security. Only thing was segmented network. You could use Pass1234 from the internet to VPN to root on all servers.

When did you start hacking them? Years ago?

A long time ago. [Note: in a README file in the first data dump, the hackers wrote that they had been collecting information from the company "over the past few years."]

What other data from Avid Life Media do you have?

300GB of employee emails and docs from internal network. Tens of thousands of Ashley Madison user pictures. Some Ashley Madison user chats and messages. 1/3 of pictures are dick pictures and we won't dump. Not dumping most employee emails either. Maybe other executives.

[Jul 22, 2015] Registering on shady sites is a huge risk

"Large caches of data stolen from online cheating site have been posted online by an individual or group that claims to have completely compromised the company's user databases, financial records and other proprietary information. The still-unfolding leak could be quite damaging to some 37 million users of the hookup service, whose slogan is 'Life is short. Have an affair'" [Krebs on Security]. And just before they were going to, er, go public…

[Jun 16, 2015] US Navy Solicits Zero Days

Jun 15, 2015 | Slashdot

msm1267 writes:

The US Navy posted an RFP, which has since been removed, soliciting contractors to share vulnerability intelligence and develop zero day exploits for most of the leading commercial IT software vendors. The Navy said it was looking for vulnerabilities, exploit reports and operational exploit binaries for commercial software, including but not limited to Microsoft, Adobe, [Oracle] Java, EMC, Novell, IBM, Android, Apple, Cisco IOS, Linksys WRT and Linux, among others. The RFP seemed to indicate that the Navy was not only looking for offensive capabilities, but also wanted to use the exploits to test internal defenses. The request, however, does require the contractor to develop exploits for future released CVEs. "Binaries must support configurable, custom, and/or government owned/provided payloads and suppress known network signatures from proof of concept code that may be found in the wild," the RFP said.

quenda (644621) on Monday June 15, 2015 @07:50PM (#49917853)

Ask the NSA (Score:4, Interesting)

So much for post-911 interagency cooperation. While one agency is inserting weaknesses, another is having to buy them on the open market. Though the Navy approach is probably cheaper.

Taco Cowboy (5327) on Monday June 15, 2015 @09:17PM (#49918315)

This has been happening since day one (Score:2)

How many years it officially took the hackers to stumble across the existence of the embedded NSA backdoor inside MS Windows??

Way before the news of that 'discovery' was told to the world, a friend of mine found it, but was told to 'shut up or else' by his then boss

Apparently they (and many other people) already knew about it for quite a while, but none of them bother to tell the world about it

Luthair (847766) on Monday June 15, 2015 @08:01PM (#49917925)

Why.... (Score:2, Interesting)

does every agency and division of the military need to do this? Seems like the classic not invented here syndrome and a colossal waste of tax payer money.

onproton (3434437) on Tuesday June 16, 2015 @12:34AM (#49919171)

and yet real security research is all but outlawed (Score:2)

I am finding it harder and harder to accept that the people in charge of these types of programs aren't aware of just how glaringly hypocritical they are. I can't help but be reminded of the quote:

We grow up in a controlled society, where we are told that when one person kills another person, that is murder, but when the government kills a hundred thousand, that is patriotism.

- Howard Zinn

Find a zero day and report it to someone who might fix it, that is criminal. Find a zero day and report it to the navy, you've done a service for your country. There is an unfortunate disconnect when the things the government does in the name of keeping us safe, end up making us all decidedly less safe in the end.

[Feb 26, 2015] 3 Million Strong RAMNIT Botnet Taken Down

Windows should probably be prohibited for security-sensitive applications, or used only from a special install that can be wiped and restored daily. We have this powerful, all-knowing NSA and multi-million-node botnets at the same time. Is this a coincidence?

February 25, 2015

An anonymous reader writes: The National Crime Agency's National Cyber Crime Unit worked with law enforcement colleagues in the Netherlands, Italy and Germany, co-ordinated through Europol's European Cybercrime Centre, to shut down command and control servers used by the RAMNIT botnet. Investigators believe that RAMNIT may have infected over three million computers worldwide, with around 33,000 of those being in the UK. It has so far largely been used to attempt to take money from bank accounts.

XB-70 (812342) on Wednesday February 25, 2015 @08:32PM (#49133439)

Thanks (Score:5, Insightful)

In many of my posts, I have been highly critical of the seeming non-efforts by government agencies to deal with SPAM, malware, phishing etc. etc.

It is wonderful to hear this great news about good works being done for the greater good. Thank you to all the investigators for your many hours and hard work to shut this down.

rtb61 (674572) on Wednesday February 25, 2015 @10:51PM (#49134091) Homepage

Re:Thanks (Score:2)

It's internet janitorial work. No fame, no money and no promotions, so basically everyone does not much at all about it. Consider the NSA hacking all over the place, noticing all of this stuff, doing basically nothing about it (basically who gives a fuck it's a defensive security issue) except of course seeking to exploit it. So how come various governments are not going to their security agencies and saying why you do bloody nothing, why you bloody ignore it, why you pretend it doesn't exist, why you so busy hacking all politicians, activists and journalists communications that you basically ignore in your face criminal activity, apart from the odd effort and only at the behest of a major corporation, all other citizens can basically fuck off with the computer security problems.

[Nov 24, 2014] Regin, new computer spyware, discovered by Symantec

Nov 24, 2014 | BBC News

A leading computer security company says it has discovered one of the most sophisticated pieces of malicious software ever seen.

Symantec says the bug, named Regin, was probably created by a government and has been used for six years against a range of targets around the world.

Once installed on a computer, it can do things like capture screenshots, steal passwords or recover deleted files.

Experts say computers in Russia, Saudi Arabia and Ireland have been hit most.

It has been used to spy on government organisations, businesses and private individuals, they say.

Researchers say the sophistication of the software indicates that it is a cyber-espionage tool developed by a nation state.

They also said it likely took months, if not years, to develop and its creators have gone to great lengths to cover its tracks.

Sian John, a security strategist at Symantec, said: "It looks like it comes from a Western organisation. It's the level of skill and expertise, the length of time over which it was developed."

Symantec has drawn parallels with Stuxnet, a computer worm thought to have been developed by the US and Israel to target Iran's nuclear program.

That was designed to damage equipment, whereas Regin's purpose appears to be to collect information.

[Nov 21, 2014] Court Shuts Down Alleged $120M Tech Support Scam

November 19, 2014

wiredmikey writes: A federal court has temporarily shut down and frozen the assets of two telemarketing operations accused by the FTC of scamming customers out of more than $120 million by deceptively marketing computer software and tech support services. According to complaints filed by the FTC, since at least 2012, the defendants used software designed to trick consumers into believing there were problems with their computers and then hit them with sales pitches for tech support products and services to fix their machines.

According to the FTC, the scams began with computer software that claimed to improve the security or performance of the customer's computer. Typically, consumers downloaded a free, trial version of the software that would run a computer system scan. The scan always identified numerous errors, whether they existed or not. Consumers were then told that in order to fix the problems they had to purchase the paid version of the software for between $29 and $49. In order to activate the software after the purchase, consumers were then directed to call a toll-free number and connected to telemarketers who tried to sell them unneeded computer repair services and software, according to the FTC complaint.

The services could cost as much as $500, the FTC stated.

[Nov 20, 2014] Amnesty International Releases Tool To Combat Government Spyware

Nov 20, 2014 | Posted by timothy
from the doing-the-right-thing dept.

New submitter Gordon_Shure_DOT_com writes:

Human rights charity Amnesty International has released Detekt, a tool which finds and removes known government spyware programs. Describing the free software as the first of its kind, Amnesty commissioned the tool from prominent German computer security researcher and open source advocate Claudio Guarnieri, aka 'nex'.

While acknowledging that the only sure way to prevent government surveillance of huge dragnets of individuals is legislation, Marek Marczynski of Amnesty nevertheless called the tool (downloadable here) a useful countermeasure versus spooks. According to the app's instructions, it operates similarly to popular malware or virus removal suites, though systems must be disconnected from the Internet prior to scanning.

mmell (832646) on Thursday November 20, 2014 @04:42PM (#48429681)

Don't bother. (Score:3)

If you're interesting enough that the NSA is watching what you do on your computer, the NSA is already watching what you do on your computer.

Now that you have detected this, other (possibly less subtle) methods will be used to ensure that you are appropriately monitored . . . but kudos to you for catching the NSA! X^D

Oh, and First Post!

by Anonymous Coward on Thursday November 20, 2014 @05:23PM (#48429999)

The NSA is watching whether you're interesting or not.

Apparently you didn't get the memo...

[Aug 15, 2014] "Please don't do anything evil" by Dan Goodin

July 31 2014 | Ars Technica

"If you put anything into your USB [slot], it extends a lot of trust," Karsten Nohl, chief scientist at Security Research Labs in Berlin, told Ars. "Whatever it is, there could always be some code running in that device that runs maliciously. Every time anybody connects a USB device to your computer, you fully trust them with your computer. It's the equivalent of [saying] 'here's my computer; I'm going to walk away for 10 minutes. Please don't do anything evil."

In many respects, the BadUSB hack is more pernicious than simply loading a USB stick with the kind of self-propagating malware used in the Stuxnet attack. For one thing, although the Black Hat demos feature only USB2 and USB3 sticks, BadUSB theoretically works on any type of USB device. And for another, it's almost impossible to detect a tampered device without employing advanced forensic methods, such as physically disassembling and reverse engineering the device. Antivirus scans will turn up empty. Most analysis short of sophisticated techniques rely on the firmware itself, and that can't be trusted.

"There's no way to get the firmware without the help of the firmware, and if you ask the infected firmware, it will just lie to you," Nohl explained.

Most troubling of all, BadUSB-corrupted devices are much harder to disinfect. Reformatting an infected USB stick, for example, will do nothing to remove the malicious programming. Because the tampering resides in the firmware, the malware can be eliminated only by replacing the booby-trapped device software with the original firmware. Given the possibility that traditional computer malware could be programmed to use BadUSB techniques to infect any attached devices, the attack could change the entire regimen currently used to respond to computer compromises.

"The next time you have a virus on your computer, you pretty much have to assume your peripherals are infected, and computers of other people who connected to those peripherals are infected," Nohl said. He said the attack is similar to boot sector infections affecting hard drives and removable storage. A key difference, however, is that most boot sector compromises can be detected by antivirus scans. BadUSB infections can not.

The Black Hat presentation, titled BadUSB—on accessories that turn evil, is slated to provide four demonstrations, three of which target controller chips manufactured by Phison Electronics. They include:

Mr.StR34k, Smack-Fu Master, in training

Abresh wrote:

So, does turning off autoplay on USB devices mitigate or prevent this attack or are we still screwed even if it is turned off and someone plugs a malicious USB thing into our computer?
Yes, I read the article but by the middle I was going "Wha?" and scratching my head puzzling over this.

My understanding is that if you plug it in, it will infect, auto play or not, and that this is not limited to any one operating system. This attack vector uses the actual firmware on the USB device, which tells the computer the type of device being plugged in. So you plug in an infected usb storage device, and it tells the computer that it's also a keyboard. Then it types commands as though you were doing it at your actual keyboard.

Scarily clever.....

Omoronovo, Wise, Aged Ars Veteran

Sneaky wrote:

Call me thick, but wouldn't it be rather obvious that your USB memory stick is being a keyboard, because it can't also be a memory stick. i.e. where the hell have all my files gone?

You aren't being thick, but you're wrong in thinking a USB device can only be one thing. There's nothing stopping a USB Flash Drive being fully functional as a USB Flash Drive whilst also surreptitiously acting as a keyboard if its firmware has been modified to advertise it as such. A USB device can have multiple device IDs and be able to process commands as any of them.

Back in the early days of 3G dongles, they would show up as both the dongle itself and as a virtual CD drive from which to install the device driver. This attack vector is the same concept, only for malicious intent and not built into the device intrinsically.

andrewd18, Ars Centurion

dfjdejulio wrote:

andrewd18 wrote:

Step 1: Build a convenient USB "charging station" for an airport.
Step 2: Insert BadUSB firmware exploit
Step 3: Wait for people to charge their phones.
Step 4: ???
Step 5: Profit!

This one, people can protect themselves from by using charging cables that do not actually have the data pins. Which are a good idea to carry while traveling, if you're not bringing your own trusted charging devices with you.

I have a hard enough time convincing my parents-in-law to stay off the "Free WIFI" SSIDs at the airport; now I need to convince them to use a special charging cable because of "malicious USB ports"? Ha. Fat chance. That's not only a behavior change but also an expenditure of money, all for a threat they can't identify.

Hacks where there is no visual difference in the operation of the device, like this one, are completely stealthed to the majority of end users. Trying to explain it just sounds like paranoia. "See? My phone is charging just fine and I can play my games, check my bank balance, and everything."

[Aug 15, 2014] Watch a Cat Video, Get Hacked


New submitter onproton writes: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving "network injection appliances" installed at ISPs. These devices can target and intercept unencrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, "many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true." This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now — but just one more reminder to use https.

bbn (172659) on Friday August 15, 2014 @04:38PM (#47681107)

https is useless (Score:5, Insightful)

What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?

heypete (60671) on Friday August 15, 2014 @05:00PM (#47681287) Homepage

Re:https is useless (Score:5, Informative)

What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?

Sure, they could, but I doubt they are.

If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots. That's basically a death sentence to companies like VeriSign (rather, their cert-issuing division).

While typical users won't notice, there's still plenty of risk to getting caught, particularly when targeting anyone using major web properties: Chrome, for example, has a bunch of high-profile sites "pinned" and will report back to Google if bogus certs are being used (they identified a bunch of MITMing with compromised certs in Iran in this way). Other add-ons like Perspectives make it easier to detect if unexpected certs are showing up.

Could they get away with issuing infrequently-used certs for highly-targeted, one-off uses? Possibly, but each time they do the risk to their entire business increases.

I suspect the government would much prefer to do things sneakily in the shadows, rather than involving major CAs in such a risky role.

PopeRatzo (965947) on Friday August 15, 2014 @05:57PM (#47681721) Homepage Journal

Re:https is useless (Score:5, Insightful)

If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots.

Hasn't history taught us that, "They wouldn't dare" is not something on which to base trust?

I'm sure there was some dim bulb somewhere who believed, long ago, that AT&T "wouldn't dare" help the government spy on people because then all their customers would cancel their service.

No, you've got to do better than, "I wouldn't think of doing such a thing" when it comes to 21st century governments.

SQLGuru (980662) on Friday August 15, 2014

Reduced rights (Score:3)

This is one of the reasons that I don't use an admin/root level account for normal activity. If I need those privs, I'll escalate my rights for a single action. While that also won't prevent all hacks, it drastically reduces my exposure.

vux984 (928602) on Friday August 15, 2014 @04:48PM (#47681195)

Re:Reduced rights (Score:3)

This is one of the reasons that I don't use an admin/root level account for normal activity.

A good practice to be sure.

While that also won't prevent all hacks, it drastically reduces my exposure.

Well, at least your device drivers are safe, and it's a little harder for you to join a bot net.

But pretty much everything you have of value can be accessed from user space, including all your documents. That's generally what identity and data thieves (and state actors) want.

Re:Reduced rights (Score:2)

by SQLGuru (980662) on Friday August 15, 2014 @04:54PM (#47681239) Journal

They also have a harder time installing executable code.....if my browsing user can't install code, then they've only got memory to play with.


Not entirely true. It just can't install it in c:\program files or your platform's equivalent. It can drop executables in folders you DO have access to though, and run them from there. And even get them to auto run if it puts the start command in a settings file you can edit as that user.
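The point above, that an unprivileged account can still drop a binary into a folder it owns and make it start from a per-user setting, is exactly what a defender can triage. Added example, not from the thread: it inspects Run-key style autostart entries and flags those whose executable or arguments point into the user profile. SAMPLE_RUN_ENTRIES is a constructed list; load_hkcu_run() reads the real HKCU Run key when run on Windows.

```python
"""Triage logon autostart entries for binaries in user-writable locations.

Added example, not from the original thread. SAMPLE_RUN_ENTRIES is a
constructed stand-in for HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
so the logic runs on any OS; load_hkcu_run() reads the real key on Windows.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    name: str           # value name in the Run key
    exe: str            # executable as extracted from the command line
    reasons: List[str]  # why this entry deserves a closer look


# Prefixes (lower-cased) of locations an unprivileged user can write to.
USER_WRITABLE_ROOTS = (
    "c:\\users\\", "c:\\documents and settings\\", "%appdata%", "%localappdata%",
    "%temp%", "%tmp%", "%userprofile%",
)
# Script types that a Run entry can hand to an interpreter at logon.
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|ps1|bat|cmd|hta)\b", re.IGNORECASE)


def extract_exe(command: str) -> str:
    """Return the executable path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):                 # quoted path, may contain spaces
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)   # unquoted path
    return m.group(1) if m else command.split(" ", 1)[0]


def triage_entry(name: str, command: str) -> Finding:
    """Collect reasons to verify an entry (hash, signature, file owner)."""
    exe = extract_exe(command)
    low_exe = exe.lower()
    args = command.lower().replace(low_exe, "", 1)   # everything but the exe
    reasons: List[str] = []
    if low_exe.startswith(USER_WRITABLE_ROOTS):
        reasons.append("executable lives in a user-writable location")
    if any(root in args for root in USER_WRITABLE_ROOTS):
        reasons.append("arguments reference a user-writable path")
    if SCRIPT_EXT.search(command):
        reasons.append("script file launched at logon")
    return Finding(name, exe, reasons)


def triage_run_key(entries: Dict[str, str]) -> List[Finding]:
    """Keep only entries with at least one reason. Legitimate per-user
    installs (e.g. under AppData) are flagged too: a hit is a prompt to
    verify the file, not a verdict."""
    return [f for f in (triage_entry(n, c) for n, c in entries.items()) if f.reasons]


def load_hkcu_run() -> Dict[str, str]:
    """Read the current user's Run key on Windows; return {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    entries: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:          # raised once no more values remain
                break
            entries[name] = str(value)
            index += 1
    return entries


# Constructed sample: one system binary, one legitimate per-user install,
# one unknown binary dropped in the roaming profile, one script loader.
SAMPLE_RUN_ENTRIES: Dict[str, str] = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r'"C:\Users\alice\AppData\Roaming\updsvc.exe" -k netsvcs',
    "Loader": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\run.vbs"',
}

if __name__ == "__main__":
    for f in triage_run_key(load_hkcu_run() or SAMPLE_RUN_ENTRIES):
        print(f"{f.name}: {f.exe} -> {'; '.join(f.reasons)}")
```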

MightyMartian (840721) on Friday August 15, 2014 @05:04PM (#47681319)

Well, there have been a whole host of attacks associated with vulnerable versions of Flash and Java that could at least cripple a profile. I ran up against one of them around 2010. One of the staff at one of our remote locations suddenly had all their files supposedly disappear, desktop wiped out and the like, and a notification about a ransom if they wanted the files back. The user had no admin privileges, so I checked, and sure enough, the other profiles were untouched. What had happened is the auto updater for the workstation had failed.

Now, while it's true that the operating system itself was not compromised, and no other systems or users on the network were compromised, certainly there was enough control to potentially view confidential data on shared drives. While this was relatively unsophisticated ransomware, it did teach me that merely obsessing about privilege escalation does not lead to a secure system. User profiles and directories can still potentially be vulnerable even if the malware can't root the system.

AmiMoJo (196126) * on Friday August 15, 2014 @05:38PM (#47681607)

Run your browser in a VM, preferably using a different OS to the host. No access to the host filesystem, isolated from the real machine. Then at least only your browser data is vulnerable.

by Animats (122034) on Friday August 15, 2014 @04:59PM (#47681273)

Flash vulnerability? (Score:4, Interesting)

Presumably this attack is via a Flash vulnerability. So why is there no mention of Adobe in the article? Why isn't Adobe being held responsible? Why are there still vulnerabilities in Flash? Who audits that code? Well?

Didn't look at the source of a Youtube page, did you? Look for "". Videos can also play with "HTML5 video", but there's Flash code there to be executed.

timeOday (582209) on Friday August 15, 2014 @06:15PM (#47681803)

No, I don't think it's a Flash vulnerability. It is awfully obscured in the article by general hand-waving, but I think the idea here is to trick people into installing an executable that isn't really Flash by causing an executable that presents itself as a Flash update to request installation. Since this happens while they are visiting youtube (with a man-in-the-middle doing the injection), the user may assume it is a legit update and install the malware.

In other words, Flash and Java are "exploited" only in the sense that people are so used to being pushed security updates, that they may accept a fake update delivered on an insecure connection.

Accepting a so-called Flash update from any untrusted site would accomplish the same thing. It really just boils down to the fact that every site is an untrusted site if you're not using https, since you don't know who all is in the middle.

raymorris (2726007) on Friday August 15, 2014 @05:30PM

Simpler way: virtualization + snapshot (Score:3)

You COULD modify the hardware etc., or just fire up Virtualbox, KVM, or qemu full screen for your web browsing and such. Set the virtualized image read-only, except when installing new software on it.

Beneath the virtual machine can either be a dedicated hypervisor or a very small Linux installation which has only a tiny attack surface.

raymorris (2726007) on Friday August 15, 2014 @05:24PM (#47681489)

Not wrong, or stupid, or insecure, just run Flash (Score:2)

TFS says:

> many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true. ... [Adobe Flash can be exploited by an ISP].

Hmm, so you don't have to do something stupid or insecure, just run Flash and Java. :)

Flash is mostly used for ads and malware, neither of which I want, so I don't run Flash in my default browsers. For many years, there has been precisely one site for which I ever had any interest in having Flash installed, that was Youtube. Not anymore.

Youtube no longer requires Flash.

[Jun 17, 2014] Zeus Trojan alternative hits the underground market By Lucian Constantin

June 11, 2014 | Computerworld/IDG News Service

Extensibility could help a new Trojan program called Pandemiya see wider distribution despite its high price, researchers say

A new Trojan program that can spy on victims, steal login credentials and interfere with browsing sessions is being sold on the underground market and might soon see wider distribution.

The new threat is called Pandemiya and its features are similar to that of the infamous Zeus Trojan program that many cybercriminal gangs used for years to steal financial information from businesses and consumers.

Zeus source code was leaked on underground forums in 2011, allowing other malware developers to create Trojan programs based on it, including threats like Citadel, Ice IX and Gameover Zeus, whose activity was recently disrupted by an international law enforcement effort.

"Pandemiya's coding quality is quite interesting, and contrary to recent trends in malware development, it is not based on Zeus source code at all, unlike Citadel/Ice IX, etc.," researchers from RSA, the security division of EMC, said Tuesday in a blog post. "Through our research, we found out that the author of Pandemiya spent close to a year of coding the application, and that it consists of more than 25,000 lines of original code in C."

The new Trojan program can inject rogue code into websites opened in a local browser, a technique known as Web injection; grab information entered into Web forms; steal files; and take screenshots. Because it has a modular architecture, its functionality can also be extended through individual DLL (dynamic link library) files that act as plug-ins.

Some of Pandemiya's existing plug-ins allow cybercriminals to open reverse proxies on infected computers, to steal FTP credentials and to infect executable files. Its creators are also working on others to enable reverse Remote Desktop Protocol connections and to allow the malware to spread through hijacked Facebook accounts, the RSA researchers said.

"Like many of the other Trojans we've seen of late, Pandemiya includes protective measures to encrypt the communication with the control panel, and prevent detection by automated network analyzers," the researchers said.

The new threat is being advertised on underground forums for US$1,500 for the core application and $2,000 with additional plug-ins, a relatively high entry price for cybercriminals. This aspect and the fact that it's new have kept Pandemiya from gaining popularity so far, but the ease with which it can be expanded with DLL plug-ins "could make it more pervasive in the near future," the RSA researchers said.

[Jun 10, 2014] Massive botnet takedown stops spread of Cryptolocker ransomware by Gregg Keizer

See also Cryptolocker Trojan (Win32/Crilock.A)
Jun 10, 2014 | Computerworld
The takedown earlier this week of a major malware-spewing botnet has crippled the distribution of Cryptolocker, one of the world's most sophisticated examples of ransomware, a researcher said today.

But replacements already stand in the wings, prepared to take Cryptolocker's place.

"Since last Friday, we've seen no new activity and no new infections," said Keith Jarvis, a security researcher at Dell SecureWorks' Counter Threat Unit (CTU), referring to Gameover Zeus, a two-year-old botnet that U.S. and foreign authorities took down in a broad coordinated campaign announced Monday. Gameover Zeus had been the sole distribution channel for Cryptolocker.

.... ... ...

On Monday, the U.S. Department of Justice (DOJ) revealed that it, along with law enforcement agencies in several other countries, including Australia, Germany, France, Japan, Ukraine and the U.K., had grabbed control of the Gameover Zeus botnet. Criminal charges have also been filed against the alleged administrator of the botnet.

... ... ...

Jarvis said that SecureWorks -- which has been in the forefront of analyzing Cryptolocker, and was one of the private security firms that assisted law enforcement prior to this week's take-down -- estimated the Cryptolocker haul at a minimum of $10 million since its debut.

... ... ...

Some victims who refused to pay the ransom incurred significant losses recovering control of their files and restoring files from backups, if they had them. During their investigation, U.S. authorities interviewed numerous Cryptolocker victims; examples cited in court documents said businesses pegged recovery and remediation costs between $30,000 and $80,000.

... "This is a well-written piece of software," said Jarvis. "And they got the encryption right. There are no loopholes and no flaws."

Earlier examples of ransomware were often sloppy, and in some cases their lock-out mechanisms could be circumvented. Not so with Cryptolocker. Once run, it left victims with only two options: Pay the ransom or restore the now-inaccessible data from backups.

... ... ...

[Jun 02, 2014] Wham bam Global Operation Tovar whacks CryptoLocker ransomware & GameOver Zeus botnet

So it took more than half a year (8 months) to get to the bottom; and in the end it was Symantec researchers who "poisoned" the botnet. I think all federal officials in three-letter agencies responsible for that should be fired...
Computerworld Blogs
"Evgeniy Bogachev and the members of his criminal network devised and implemented the kind of cybercrimes that you might not believe if you saw them in a science fiction movie," reported the DOJ.

By secretly implanting viruses on computers around the world, they built a network of infected machines – or "bots" – that they could infiltrate, spy on, and even control, from anywhere they wished. Sitting quietly at their own computer screens, the cyber criminals could watch as the Gameover Zeus malware intercepted the bank account numbers and passwords that unwitting victims typed into computers and networks in the United States.

And then the criminals turned that information into cash by emptying the victims' bank accounts and diverting the money to themselves.

Justice Department Assistant Attorney General Leslie Caldwell stated:

Over the weekend, more than 300,000 victim computers have been freed from the botnet – and we expect that number to increase as computers are powered on and connected to the internet this week. We have already begun providing victim information to private sector parties who are poised to assist them. I am also pleased to report that, by Saturday, Cryptolocker was no longer functioning and its infrastructure had been effectively dismantled. Through these court-authorized operations, we have started to repair the damage the cyber criminals have caused over the past few years, we are helping victims regain control of their own computers, and we are protecting future potential victims from attack.

US-CERT (United States Computer Emergency Readiness Team) also issued a GameOver Zeus P2P Malware alert today.

GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing malware identified in September 2011, uses a decentralized network infrastructure of compromised personal computers and web servers to execute command-and-control. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), is releasing this Technical Alert to provide further information about the GameOver Zeus botnet.

[Jun 02, 2014] Game Over for 'Gameover' Malware

Two of the most insidious and widespread types of malware have been "disrupted," and at least one man allegedly behind them has been indicted, according to an announcement today (June 2) by the United States Department of Justice.

In a partnership with security companies, experts and other countries' law-enforcement agencies, the Department of Justice helped orchestrate "Operation Tovar," a mission to identify the criminals behind the Gameover banking Trojan and the botnet it controls, as well as the Cryptolocker ransomware, and sabotage the associated crimeware campaigns.

According to Deputy U.S. Attorney General James Cole, the Gameover operation was successful and the group's alleged leader, Russian citizen Evgeniy Mikhailovich Bogachev, has been indicted by a federal grand jury in Pittsburgh.

Gameover, adapted from the infamous ZeuS banking Trojan after the ZeuS source code was released in 2011, infects Windows computers worldwide and corrals them into a botnet, intercepts users' passwords and other financial information and uses the stolen credentials to make or redirect wire transfers from the bank accounts of infected users to accounts controlled by the criminals behind the malware. According to Cole, Gameover has been implicated in the theft of more than $100 million dollars from American victims alone.

The Gameover botnet has also been identified as the primary distributor of Cryptolocker, a type of ransomware which holds infected computers "ransom" by using encryption to render the files on them unreadable.

The 14-count indictment against Bogachev, who is believed to be in southern Russia, accuses him of acting as the administrator of the Gameover botnet. The counts include conspiracy, computer hacking, wire fraud, bank fraud and money laundering.

At the same time, an Omaha, Nebraska criminal complaint charges Bogachev with conspiracy to commit bank fraud in a separate case involving a variant of the ZeuS malware called "Jabber ZeuS," after the instant-messaging software it used to communicate with its handlers.

A third civil injunction filed by the United States in the Pittsburgh federal court alleges that Bogachev is the leader of a cybercrime gang responsible for creating and operating both Gameover and Cryptolocker.

In addition, the Pittsburgh court also authorized U.S. law enforcement to intercept traffic between computers infected with Gameover and Cryptolocker and the servers controlling these malicious programs. For example, the FBI can collect the IP addresses of computers infected with these types of malware in order to help study them and devise defenses against them.

"At no point during the operation did the FBI or law enforcement access the content of any of the victims' computers or electronic communications," the Department of Justice announcement states.

However, judging by similar situations, it is highly unlikely that Bogachev will actually face trial in the US.

[Jun 02, 2014] Fed Cyber Sleuths Stop 'Gameover Zeus' and 'Cryptolocker' Crime Sprees

ABC News

The Justice Department has disrupted what it calls one of the most sophisticated cyber threats ever, and they are now trying to capture the man behind it all, federal prosecutors announced today.

Over the weekend, federal cyber cops essentially paralyzed a massive computer virus known as "Gameover Zeus," which diverted millions of dollars from companies' bank accounts, and blocked another virus known as "Cryptolocker," which first took control of a user's computer files and then demanded ransom in return for the user's own files, according to federal prosecutors. Both viruses were the work of an overseas criminal gang allegedly run by Russian hacker Evgeniy Bogachev, who is now among the FBI's most-wanted cyber criminals.

"Evgeniy Bogachev and the members of his criminal network devised and implemented the kind of cyber-crimes that you might not believe if you saw them in a science fiction movie," the head of the Justice Department's Criminal Division, Leslie Caldwell, told reporters in Washington. "By secretly implanting viruses on computers around the world, they built a network of infected machines – or 'bots' – that they could infiltrate, spy on, and even control, from anywhere they wished."

Starting in 2011, Bogachev, 30, allegedly used "spear-phishing" – or fake – emails to infect computers with the "Gameover Zeus" virus. Once infected, Bogachev would "hijack computer sessions and steal confidential and personal financial information" that could then be used to funnel money overseas, according to U.S. Attorney for the Western District of Pennsylvania David Hickton.

In October 2011, a Pennsylvania composite materials company was hit, and "within a matter of hours after banking credentials were compromised, hundreds of thousands of dollars were being siphoned from the company's bank accounts," Hickton said.

More than two years later, in November last year, the police department in Swansea, Mass., became a victim of the "Cryptolocker" virus when an employee opened an email that looked like it was from a "trusted source," Hickton said. When "Cryptolocker" strikes, a timer often appears on victims' computer screens, giving them 72 hours to pay hundreds of dollars if they want their files back – from family photos to business records, law enforcement officials said.

In the case of the Swansea police department, the department paid the ransom and contacted the FBI, according to law enforcement officials.

As of April 2014, "Cryptolocker" had attacked more than 200,000 computers, and more than half of those attacks occurred in the United States, Deputy Attorney General Jim Cole said. In addition, in its first two months of operation alone, the criminals behind "Cryptolocker" collected an estimated $27 million in ransom payments from victims, he said.

As for the "Gameover Zeus" virus, security researchers estimate that between 500,000 and 1 million computers around the world have been infected with it, and a quarter of the victims are inside the United States, according to Cole. In total, federal authorities believe U.S. victims, often small and mid-size businesses, have lost more than $100 million to "Gameover Zeus."

Federal authorities believe the man running the Eastern European criminal gang responsible for the two viruses is now in Russia, and they are hoping the Russian government will help bring him to justice.

The Justice Department unsealed criminal charges in Pittsburgh, Pa., and in Omaha, Neb., charging Bogachev with computer hacking, wire fraud, bank fraud, money laundering and other violations of U.S. law.

To keep "Gameover Zeus" from being reconstituted, federal authorities have obtained court approval to redirect communications from "malicious servers" to substitute servers, and both U.S. and foreign law enforcement officials seized computer servers integral to "Cryptolocker," authorities said today.

[Jun 02, 2014] Global police operation disrupts aggressive Cryptolocker virus by Tom Brewster & Dominic Rushe

Jun 02, 2014 | The Guardian

US authorities named Russian national Evgeniy Bogachev as the face of a malicious software scheme responsible for stealing millions from people around the world, after a successful campaign to disrupt two major computer networks.

Digital police from across the globe announced they had seized control over the weekend of two computer networks that had been used to steal banking information and ransom information locked in files on infected computers. But they warned people with infected computers to take action now to prevent further attacks.

US and European officials announced they had managed to crack the malicious software (malware) known as Gameover Zeus that had been used to divert millions of dollars to bank accounts of criminals. The authorities have also cracked Cryptolocker – a malware that shut out hundreds of thousands of users from their own computers and ransomed the data.

... ... ...

The US authorities identified Bogachev, of Anapa in the Russian Federation, as Gameover Zeus's main administrator. At a press conference, deputy attorney general James Cole called him "a true 21st-century criminal who commits cybercrimes across the globe with the stroke of a key and the click of a mouse …These crimes have earned Bogachev a place on its list of the world's most-wanted cyber criminals."

According to the FBI's "cyber most wanted" list Bogachev has been using variants of the Zeus malware since 2009 and communicates using the online monikers "lucky12345" and "slavik". Gameover Zeus (GOZ) started appearing in 2011 and is believed to be "responsible for more than one million computer infections, resulting in financial losses in the hundreds of millions of dollars".

"He is known to enjoy boating and may travel to locations along the Black Sea in his boat," according to the FBI.

The Cryptolocker software locked PC users out of their machines, encrypting all their files and demanding payment of one Bitcoin (currently worth around £300, or $650) for decryption.

It's believed Cryptolocker, which the FBI estimated acquired $27m in ransom payments in just the first two months of its life, has infected more than 234,000 machines.

A chief suspect from Russia has been identified, but is still at large, Troels Oerting, head of Europol's European Cyber Crime Centre (EC3) told the Guardian. He said other arrests related to the operation were "in progress".

The global effort to stop the spread of the Cryptolocker ransomware has focused on its delivery method, GOZ. The malware connected infected machines by peer-to-peer connections – in theory making it harder for the authorities to track and stop.

GOZ was designed to steal people's online banking login details, who were usually infected by clicking on attachments or links in emails that looked innocuous. However, it also dropped Cryptolocker on their computers.

"Nobody wants their personal financial details, business information or photographs of loved ones to be stolen or held to ransom by criminals," said Andy Archibald, deputy director of the NCA's National Cyber Crime Unit.

... ... ...

Not-for-profit body Get Safe Online has worked with the NCA to launch a dedicated section of its website to provide guidance and tools, although at the time of publication the website appeared to be offline.

Behind the scenes, the law enforcement groups have been taking over points of control in GOZ's peer-to-peer network: an action known as "sinkholing" in the security world. By doing this, they have been able to cut off criminal control over the infected computers.

Dismantling peer-to-peer operated malware is difficult, but it has been done before: for example one case of a data-stealing virus called ZeroAccess, which infected as many as 1.9m PCs in 2013.

In that case, security researchers from Symantec managed to send lists of fake peers to infected machines, which meant they could no longer receive commands from the controllers of the malicious network, known as a botnet.

Symantec researchers said today that key nodes in GOZ's network had been disabled, along with a number of the domains used by the attackers.
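The peer-list poisoning described above (fake peers pushed into the botnet's gossip so that bots only ever talk to sinkholes) can be shown in a small simulation. The code below is an added example for this page, not code from Symantec, the Guardian, or any real botnet, and its botnet model is a deliberate simplification: every bot keeps a bounded, most-recent-first list of peer IDs and, once per round, asks one random peer for its list and merges the answer; a sinkhole answers every such request with a list containing only sinkhole IDs and also pushes that list to a few random bots each round. The bot IDs, list sizes and round counts are made-up parameters, not ZeroAccess or GOZ constants, and the simulation covers only the peer-list side of the takedown, not the seized fallback domains mentioned above.

```python
"""Simulation of peer-list poisoning ("sinkholing") against a P2P botnet.

Added example; not Symantec's or any real botnet's code. The peer-list
protocol below is a simplified stand-in for the real ones.
"""
import random
from typing import Dict, List


class Bot:
    def __init__(self, bot_id: str, peers: List[str], max_peers: int) -> None:
        self.id = bot_id
        self.max_peers = max_peers
        self.peers: List[str] = list(peers)[:max_peers]

    def merge(self, offered: List[str]) -> None:
        # Newly offered entries go to the front as the "freshest" peers and the
        # list is then truncated, so a full-size offer made up of sinkholes
        # evicts every real peer in a single exchange.
        for p in offered:
            if p == self.id:
                continue
            if p in self.peers:
                self.peers.remove(p)
            self.peers.insert(0, p)
        del self.peers[self.max_peers:]


def build_botnet(n_bots: int, degree: int, seed: int = 1) -> Dict[str, Bot]:
    """Random overlay: each bot starts out knowing `degree` other real bots."""
    rng = random.Random(seed)
    ids = [f"bot{i:04d}" for i in range(n_bots)]  # made-up bot identifiers
    return {
        i: Bot(i, rng.sample([o for o in ids if o != i], degree), degree)
        for i in ids
    }


def is_sinkhole(peer_id: str) -> bool:
    return peer_id.startswith("sink")


def peer_list_of(bots: Dict[str, Bot], peer_id: str, sinkholes: List[str]) -> List[str]:
    """What a bot receives when it asks `peer_id` for its peer list."""
    if is_sinkhole(peer_id):
        return list(sinkholes)        # poisoned answer: only sinkhole addresses
    return list(bots[peer_id].peers)  # honest gossip from a real bot


def isolated_fraction(bots: Dict[str, Bot]) -> float:
    """Share of bots whose peer list no longer holds a single real peer."""
    cut_off = sum(1 for b in bots.values() if all(is_sinkhole(p) for p in b.peers))
    return cut_off / len(bots)


def run_sinkhole(bots: Dict[str, Bot], sinkholes: List[str], rounds: int,
                 push_per_round: int, seed: int = 1) -> List[float]:
    """Run the poisoning for `rounds` gossip rounds; return the isolated
    fraction after each round."""
    rng = random.Random(seed)
    history = []
    for _ in range(rounds):
        # Active injection: the sinkhole contacts a few random bots and offers
        # them a full list of sinkhole addresses.
        for bot in rng.sample(list(bots.values()), push_per_round):
            bot.merge(sinkholes)
        # Normal gossip: every bot asks one random known peer for its list.
        # A bot whose list already contains only sinkholes can never recover,
        # because everything it asks from now on is a sinkhole.
        for bot in bots.values():
            if bot.peers:
                target = rng.choice(bot.peers)
                bot.merge(peer_list_of(bots, target, sinkholes))
        history.append(isolated_fraction(bots))
    return history


def demo() -> List[float]:
    bots = build_botnet(n_bots=300, degree=10)
    sinkholes = [f"sink{i}" for i in range(10)]  # made-up sinkhole identifiers
    assert isolated_fraction(bots) == 0.0       # nobody is cut off before the takedown
    return run_sinkhole(bots, sinkholes, rounds=40, push_per_round=20)


if __name__ == "__main__":
    for r, frac in enumerate(demo(), 1):
        print(f"round {r:2d}: {frac:5.1%} of bots see only sinkholes")
```

The point the run makes is that the sinkhole does not have to reach every bot itself: once a bot's list is all sinkholes, every neighbour that later asks it for peers is poisoned too, so the cut-off fraction only ever grows. The real operation also had to deal with the domain-generation fallback that bots use when they lose all peers, which is why the article mentions seized domains alongside the peer-list work.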

... ... ...

wombatman -> Worried9876

I read it was hackers from both Russia and Ukraine who started it off; it is just that now the USA have filed a case against just one individual, who is Russian (Evgeniy Mikhailovich Bogachev).

Clearly, however, this was not a one-person operation, but cynical people may say the USA would not like to name any Ukrainian defendants in this case. The complaint even names him as the alleged leader of the criminal enterprise.


"Nobody wants their personal financial details, business information or photographs of loved ones to be stolen or held to ransom by criminals,"

...with the exception of the criminals von NSA/NCHQ?

Katagami -> Ninetto

...with the exception of the criminals von NSA/NCHQ?

Oh ffs change the record.

This is about criminal organisations screwing over people like me and you. It's got nothing to do with intelligence agencies collecting data and if anything they should be given some credit here.

Wake up and stop attributing blame to something you (probably) know very little about.

tr1ck5t3r -> Jack Jazz

This only affects Windows PCs.

If people want to install a safe operating system on their computer, Ubuntu has achieved the highest rating out of all the operating systems when reviewed by an arm of GCHQ.

And whilst the report focuses on Ubuntu 12.04 LTS, the new Ubuntu 14.04 LTS is available to download with even more privacy and security enhancements.

It won't cost you a penny.


Very poor publicity by the NCA. It's not merely this article which is confusing: the NCA's own announcement fails to explain the significance of this "two-week opportunity".

wombatman -> Sheepless

The authorities disrupted the command and control (C&C) servers that were managing the major network distributing the GameoverZeuS Trojan and the Cryptolocker ransomware. It's only a matter of time before those behind the botnet set up new C&C servers and regain control. Though that may even happen in days and not the 2 weeks.

Ortho -> wombatman

Yeah, the 'two weeks' thing is just a random estimate. Not at all helpful.
What they should be saying is 'get your computer protected NOW- and keep it up to date in future'.


On AVG there is a blog post from October 2013 detailing how this came to light Sep'13. Someone above wrote "Symantec may be able to act that fast..." Almost a year after the fact?? Seriously - who is this targeted at?


Some viruses have been undiscovered for several years.

Antivirus is next to useless for zero day exploits.


It's my belief that these viruses come from the security software houses. It is their way of keeping us buying their software. LOL

I don't see what difference 2 weeks will make.

Paul Tunstead -> RobDeManc

Wow, you're onto how big pharma works, well done you.

consciouslyinformed -> RobDeManc

And who says a little suspicion does anyone harm? I agree with your concerns, and have stated comments like yours. Worked in marketing companies for a few years prior to university, and this is indeed the type of gnarly stuff companies do, in order to continue making $$$$ from established customers!!


Meh, worst case it needs a fresh install, anyone with half a brain should have back-ups of important stuff.


The sort of person who doesn't have adequate protection is often the same sort of person who, when you ask about what they use for backing up, says, 'backing up?'.


Installing is time consuming. You need everything you are used to as well as the OS. It takes me about 2 weeks to get a formatted drive back to how I like it by re-installing everything.

No hassle with Clonezilla though (about 1 hr to get my machine back). Don't even need to install anything. Just image regularly.


Unfortunately - if you are already infected, as soon as you connect your memory stick or external drive, the trojan will start encrypting its content.

[Feb 07, 2014] Security Researcher Punches Holes In NBC's 'Everyone Going To Sochi Will Be Hacked Story; NBC Doubles Down In Response Techd

Earlier this week, NBC "reported" that journalists and visitors to Sochi are being immediately hacked virtually as soon as they acquire a connection. [AUTOPLAY WARNING.] NBC presented this as something completely inescapable in its report, which purportedly showed NBC journalist Richard Engel's cellphone and laptop being compromised "before he even finished his coffee."

All very scary but all completely false.

Errata Security points out that the entire situation was fabricated.

The story shows Richard Engel "getting hacked" while in a cafe in Russia. It is wrong in every salient detail.

They aren't in Sochi, but in Moscow, 1007 miles away.

The "hack" happens because of the websites they visit (Olympic themed websites), not their physical location. The results would've been the same in America.

The phone didn't "get" hacked; Richard Engel initiated the download of a hostile Android app onto his phone.

...and in order to download the Android app, Engel had to disable a lock that prevents such downloads -- something few users do [update].

While your average person might be lured to sketchy sites supposedly related to the Olympics, most of these people wouldn't have disabled the default locks on their phone, as Robert Graham at Errata Security points out.

silverscarcat (profile),

Stupid people do stupid things!

News at 11!

Anonymous Coward

You trusts mainstream media these days?

[Jan 14, 2014] Chrome 32 launches with better malware blocking

Google today released Chrome version 32 for Windows, Mac, and Linux. The new version includes tab indicators, a new look for Windows 8 Metro mode, and automatic blocking of malware downloads. You can update to the latest release now using the browser's built-in silent updater, or download it directly from

...The third point refers to a change in the company's Safe Browsing service, which warns users about malicious websites and malicious files. Added to the Chrome dev build back in October, Google's browser will now automatically block malware files, letting you know in a message at the bottom of your screen. You can "Dismiss" the message, and Google says you can circumvent the block but it will take more steps than before.

[Jan 14, 2014] N.S.A. Devises Radio Pathway Into Computers

This is not very efficient, as it requires close proximity of an expensive relay station to the target (within a couple of miles) and is easily defeated by a Faraday cage. It is also self-limiting: the relay has to be installed in the vicinity and will lose the link if, say, the laptop travels outside the area. So it is probably used only against high-value targets. But the idea is devious. Will those technologies now migrate downstream? See a good summary of the NYT article at Modern spying 101 How NSA bugs Chinese PCs with tiny USB radios

"What's new here is the scale and the sophistication of the intelligence agency's ability to get into computers and networks to which no one has ever had access before," said James Andrew Lewis, the cybersecurity expert at the Center for Strategic and International Studies in Washington. "Some of these capabilities have been around for a while, but the combination of learning how to penetrate systems to insert software and learning how to do that using radio frequencies has given the U.S. a window it's never had before."

... ... ...

One, called Cottonmouth I, looks like a normal USB plug but has a tiny transceiver buried in it. According to the catalog, it transmits information swept from the computer "through a covert channel" that allows "data infiltration and exfiltration."

Another variant of the technology involves tiny circuit boards that can be inserted in a laptop computer — either in the field or when they are shipped from manufacturers — so that the computer is broadcasting to the N.S.A. even while the computer's user enjoys the false confidence that being walled off from the Internet constitutes real protection.

... ... ...

"Continuous and selective publication of specific techniques and tools used by N.S.A. to pursue legitimate foreign intelligence targets is detrimental to the security of the United States and our allies," Ms. Vines, the N.S.A. spokeswoman, said.

But the Iranians and others discovered some of those techniques years ago. The hardware in the N.S.A.'s catalog was crucial in the cyberattacks on Iran's nuclear facilities, code-named Olympic Games, that began around 2008 and proceeded through the summer of 2010, when a technical error revealed the attack software, later called Stuxnet. That was the first major test of the technology.

One feature of the Stuxnet attack was that the technology the United States slipped into the Natanz plant was able to map how it operated, then "phone home" the details. Later, that equipment was used to insert malware that blew up nearly 1,000 centrifuges, and temporarily set back Iran's program.

[Jan 02, 2014] Unencrypted Windows Crash Reports a Blueprint For Attackers

January 02, 2014 | Slashdot


An anonymous reader writes "According to Forbes online- up to 1 Billion PCs are at risk of leaking information that could be used as a blueprint for attackers to compromise a network from Microsoft Windows Error Reporting (WER) crash reports that are sent in the clear. Researchers at Websense Labs released a detailed overview of the data contained in the crash reports, shortly after Der Spiegel released documents alleging that nation-state hackers may have used this information to execute highly targeted attacks with a low risk of detection, by crafting attacks specifically for vulnerable applications that are running on the network. Also interesting to think that Microsoft knows exactly what model of phones that you have plugged into your PC..."
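Whether those reports leave a machine at all, and over what transport, is decided by a handful of registry values, so the practical check is to audit them. The script below is an added example for this page, not code from Websense, Forbes or Microsoft. The registry locations are the documented ones: per-machine WER settings under HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting and the Group Policy mirror under HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting, where the "Configure Corporate Windows Error Reporting" policy writes CorporateWerServer, CorporateWerPortNumber and CorporateWerUseSSL. The ranking of those values into a verdict, the "transport" labels and the sample settings dictionaries are this example's own assumptions. The "in the clear" remark reflects the Websense finding quoted above, which dates from late 2013; verify the transport on current systems rather than assuming it.

```python
"""Audit the Windows Error Reporting (WER) settings that decide whether crash
telemetry leaves the box and how it travels.

Added example, not Microsoft's or Websense's code. Registry paths and value
names are the documented ones; the verdict logic is this example's own.
"""
import sys
from typing import Dict, List, Tuple

WER_KEY = r"SOFTWARE\Microsoft\Windows\Windows Error Reporting"
WER_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting"
VALUES = ("Disabled", "DontSendAdditionalData",
          "CorporateWerServer", "CorporateWerPortNumber", "CorporateWerUseSSL")

Settings = Dict[str, Dict[str, object]]


def read_wer_settings() -> Settings:
    """Read the WER values from the live registry (Windows only).

    Returns {"machine": {...}, "policy": {...}}; missing keys/values are
    simply absent, which assess_wer() treats as "not configured".
    """
    if sys.platform != "win32":
        raise RuntimeError("live read needs Windows; pass a dict to assess_wer() instead")
    import winreg  # stdlib, but only present on Windows
    out: Settings = {"machine": {}, "policy": {}}
    for scope, path in (("machine", WER_KEY), ("policy", WER_POLICY_KEY)):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue  # key absent: nothing configured at this scope
        with key:
            for name in VALUES:
                try:
                    out[scope][name], _ = winreg.QueryValueEx(key, name)
                except OSError:
                    pass  # value not set
    return out


def assess_wer(settings: Settings) -> Tuple[str, List[str]]:
    """Return (transport, findings) for a settings dict shaped like
    read_wer_settings() output. Policy values override per-machine ones
    (assumption of this example, matching how Group Policy is applied).
    transport is one of: "none", "https-corporate", "http-corporate",
    "microsoft-default".
    """
    machine = settings.get("machine", {})
    policy = settings.get("policy", {})

    def effective(name: str):
        return policy.get(name, machine.get(name))

    if effective("Disabled") == 1:
        return "none", ["WER disabled; no crash telemetry is sent"]

    findings: List[str] = []
    server = effective("CorporateWerServer")
    if server:
        port = effective("CorporateWerPortNumber")
        dest = f"{server}:{port}" if port else str(server)
        if effective("CorporateWerUseSSL") == 1:
            transport = "https-corporate"
            findings.append(f"reports go to the corporate server {dest} over SSL")
        else:
            transport = "http-corporate"
            findings.append(f"reports go to the corporate server {dest} in the clear; "
                            "set CorporateWerUseSSL=1")
    else:
        transport = "microsoft-default"
        findings.append("reports go to Microsoft's default endpoint; per the 2013 "
                        "Websense finding the stage-1 report travelled unencrypted")

    if effective("DontSendAdditionalData") != 1:
        findings.append("additional (stage-2) data such as memory contents may be "
                        "uploaded; set DontSendAdditionalData=1")
    return transport, findings


# Constructed sample states, not read from any real machine.
DEFAULT_BOX: Settings = {"machine": {}, "policy": {}}
HARDENED_BOX: Settings = {
    "machine": {},
    "policy": {"CorporateWerServer": "wer.corp.example",   # hypothetical host
               "CorporateWerPortNumber": 443,
               "CorporateWerUseSSL": 1,
               "DontSendAdditionalData": 1},
}

if __name__ == "__main__":
    for label, state in (("default", DEFAULT_BOX), ("hardened", HARDENED_BOX)):
        transport, notes = assess_wer(state)
        print(f"{label}: {transport}")
        for n in notes:
            print("  -", n)
```

Run it on a Windows host with `assess_wer(read_wer_settings())`; on anything else, feed it exported values. Disabling WER outright (`Disabled=1`) removes the leak but also removes the crash data that is genuinely useful for spotting exploitation attempts, which is why pointing reports at an internal collector over SSL is the more common enterprise answer.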

Anonymous Coward

Oh, b.s. troll & here's how + why

You CAN security-harden Windows (just as well as anything else) via this guide I wrote up in 1997-2008 -> []

I truly don't *think* that you "p.r. fanboys" for other alternate *NIX based OS understand something - when you post b.s. online, SOMEONE will spot it, and shred you for it... I mean, for YEARS here all you heard was (more or less) "*NIX = invulnerable & Windows = vulnerable"... well, new news: Look @ ANDROID (yes, it's a Linux) - it's being infested FAR FASTER than any Windows EVER WAS in the SAME timeframe. That tell you anything boys?

Well, then these results ought to (as a SINGLE example of many I've seen as a result, especially after CIS Tool usage which makes it cake to do & FUN in a nerdy kind of way):


"Its 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008.
Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, need system local)" from -> []


It works, & is PROOF of my statements here.


P.S.=> Additionally - IF you trust SeLinux? Better think again - look who created it (NSA)... apk


Re:Not everything is about software security. (5, Informative)

If you're really concerned about security on your individual systems, DONT USE WINDOWS. There, fixed it for ya.

Ubuntu does the same, if not worse. []

Apport intercepts program crashes, collects debugging information about the crash and the operating system environment, and sends it to bug trackers in a standardized form. It also offers the user to report a bug about a package, again collecting as much information about it as possible.

It currently supports

- Crashes from standard signals (SIGSEGV, SIGILL, etc.) through the kernel coredump handler (in piping mode)
- Unhandled Python exceptions
- GTK, KDE, and command line user interfaces
- Packages can ship hooks for collecting specific data (such as /var/log/Xorg.0.log for, or modified gconf settings for GNOME programs)
- apt/dpkg and rpm backend (in production use in Ubuntu and OpenSUSE)
- Reprocessing a core dump and debug symbols for post-mortem (and preferably server-side) generation of fully symbolic stack traces (apport-retrace)
- Reporting bugs to Launchpad (more backends can be easily added)

Anonymous Coward

This was so obvious 10 years ago (0)

I should consider making a list of obvious things that will prove to be security risks in the future for everyone to be aware of it. This was so expected.

breaking news:
- the NSA tampers with scripts hosted on 90% of the internet impacted.

At least with the gifted nose i have for smelling crap i must say none of the Snowden's revelations made me bat an eye or change any passwords.


Duh (5, Funny)

Also interesting to think that Microsoft knows exactly what model of phones that you have plugged into your PC..."

Wait, you mean my crash reports include a list of devices?!?

The horror.


Reading the article, it says that each time you plug in a new USB device, it automatically sends that information to Microsoft. Even if you don't send the Windows crash reports to Microsoft, your computer is still phoning home each time you install a new USB device.

Duh, how does it search for drivers on Windows Update then? Turn off that functionality and then check, if it still does, then it's news.

Next you will tell me that my browser is broadcasting an IP Address.


Sorry; perhaps I'm being incredibly ignorant here (I'm the AC that posted above), but my understanding was that Windows came with a bunch of generic drivers for devices, and only checked Windows Update for a device if you told it to when installing the device.

Am I wrong?

Windows typically checks Windows Update for drivers for all newly-connected devices, then looks for locally-installed drivers if the Windows Update check didn't find anything. Certain devices (like USB mass storage devices, for example) are installed using local drivers first, as most people want their USB flash drives to work as soon as possible but are willing to wait a few tens of seconds for other devices.

Ignoring privacy concerns, this is a fairly sensible thing: more devices can be "plug and play" and this benefits users. Similarly, while a driver might be included on a CD that comes with a device, it might be outdated -- an online check with Windows Update can retrieve the latest driver.

Anonymous Coward

There are two cases where it will do this, both are optional:
1. to install a driver for the device
2. for a shiny graphic in Explorer/Device Stage

You can control both trivially:

[Dec 29, 2013] The NSA's 50-Page Catalog Of Back Door Penetration Techniques Revealed

Dec 29, 2013 | Zero Hedge
While the world may have become habituated to (and perhaps revels in, thank you social media exhibitionist culture) the fact that the NSA is watching anyone and everyone, intercepting, recording, and hacking every electronic exchange regardless if it involves foreign "terrorists" or US housewives, the discoveries from the Snowden whistleblowing campaign continue. The latest revelation from the biggest wholesale spying scandal since Nixon, exposed by Germany's Spiegel which continues the strategy of revealing Snowden leaks on a staggered, delayed basis, involves a back door access-focused NSA division called ANT, (which supposedly stands for Access Network Technology), described by Spiegel as "master carpenters" for the NSA's TAO (Tailored Access Operations, read more about TAO here). The ANT people have "burrowed into nearly all the security architecture made by the major players in the industry -- including American global market leader Cisco and its Chinese competitor Huawei, but also producers of mass-market goods, such as US computer-maker Dell." More importantly, thanks to Spiegel (and Snowden of course), the NSA's 50-page catalog of "backdoor penetration" techniques has been revealed.

The details of how the NSA can surmount any "erected" walls, via Spiegel:

These NSA agents, who specialize in secret back doors, are able to keep an eye on all levels of our digital lives -- from computing centers to individual computers, from laptops to mobile phones. For nearly every lock, ANT seems to have a key in its toolbox. And no matter what walls companies erect, the NSA's specialists seem already to have gotten past them.

This, at least, is the impression gained from flipping through the 50-page document. The list reads like a mail-order catalog, one from which other NSA employees can order technologies from the ANT division for tapping their targets' data. The catalog even lists the prices for these electronic break-in tools, with costs ranging from free to $250,000.

Nothing quite like an extensive, taxpayer funded catalog listing every back-door entry strategy imaginable. Say you wanted to have some backdoor fun with Juniper Networks, the world's second largest network equipment manufacturer (which claims the performance of the company's special computers is "unmatched" and their firewalls are the "best-in-class.")

In the case of Juniper, the name of this particular digital lock pick is "FEEDTROUGH." This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs... Thanks to FEEDTROUGH, these implants can, by design, even survive "across reboots and software upgrades." In this way, US government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH "has been deployed on many target platforms."

It gets better, because when simple penetration is not enough, the NSA adds "implants."

In cases where TAO's usual hacking and data-skimming methods don't suffice, ANT workers step in with their special tools, penetrating networking equipment, monitoring mobile phones and computers and diverting or even modifying data. Such "implants," as they are referred to in NSA parlance, have played a considerable role in the intelligence agency's ability to establish a global covert network that operates alongside the Internet.

So what exactly is to be found in the 50-page catalog?

Some of the equipment available is quite inexpensive. A rigged monitor cable that allows "TAO personnel to see what is displayed on the targeted monitor," for example, is available for just $30. But an "active GSM base station" -- a tool that makes it possible to mimic a mobile phone tower and thus monitor cell phones -- costs a full $40,000. Computer bugging devices disguised as normal USB plugs, capable of sending and receiving data via radio undetected, are available in packs of 50 for over $1 million.

The ANT division doesn't just manufacture surveillance hardware. It also develops software for special tasks. The ANT developers have a clear preference for planting their malicious code in so-called BIOS, software located on a computer's motherboard that is the first thing to load when a computer is turned on.

This has a number of valuable advantages: an infected PC or server appears to be functioning normally, so the infection remains invisible to virus protection and other security programs. And even if the hard drive of an infected computer has been completely erased and a new operating system is installed, the ANT malware can continue to function and ensures that new spyware can once again be loaded onto what is presumed to be a clean computer. The ANT developers call this "Persistence" and believe this approach has provided them with the possibility of permanent access.

Another program attacks the firmware in hard drives manufactured by Western Digital, Seagate, Maxtor and Samsung, all of which, with the exception of the latter, are American companies. Here, too, it appears the US intelligence agency is compromising the technology and products of American companies.

Other ANT programs target Internet routers meant for professional use or hardware firewalls intended to protect company networks from online attacks. Many digital attack weapons are "remotely installable" -- in other words, over the Internet. Others require a direct attack on an end-user device -- an "interdiction," as it is known in NSA jargon -- in order to install malware or bugging equipment.

The conclusion here is an easy one, and one we have repeated ever since before the Snowden revelations: Big Brother is bigger and badder than ever, he knows exactly what you've been doing, and the second the NSA wants to nuke your computer out of orbit and/or destroy your digital life, it can do so in a millisecond. What is more amusing is that with each passing disclosure, it is increasingly clear that the NSA has gotten its inspiration for its dealings with the US public from a Danielle Steel book at best, or a Vivid Video bootlegged tape at worst.


NSA known as Tailored Access Operations, or TAO, which is painted as an elite team of hackers specializing in stealing data from the toughest of targets.

One of the most striking reported revelations concerned the NSA's alleged ability to spy on Microsoft Corp.'s crash reports, familiar to many users of the Windows operating system as the dialogue box which pops up when a game freezes or a Word document dies.

[Dec 10, 2013] Meet Paunch: the Accused Author of the BlackHole Exploit Kit

December 08, 2013 | Slashdot


tsu doh nimh writes

"In early October, news leaked out of Russia that authorities there had arrested and charged the malware kingpin known as 'Paunch,' the alleged creator and distributor of the Blackhole exploit kit. Today, Russian police and computer security experts released additional details about this individual, revealing a much more vivid picture of the cybercrime underworld today. According to pictures of the guy published by Brian Krebs, if the Russian authorities are correct then his nickname is quite appropriate. Paunch allegedly made $50,000 a month selling his exploit kit, and worked with another guy to buy zero-day browser exploits.

As of October 2013, the pair had budgeted $450,000 to purchase zero-days. From the story: 'The MVD estimates that Paunch and his gang earned more than 70 million rubles, or roughly USD $2.3 million. But this estimate is misleading because Blackhole was used as a means to perpetrate a vast array of cybercrimes. I would argue that Blackhole was perhaps the most important driving force behind an explosion of cyber fraud over the past three years.

A majority of Paunch's customers were using the kit to grow botnets powered by Zeus and Citadel, banking Trojans that are typically used in cyberheists targeting consumers and small businesses.'"

platypussrex (594064)

Re:I am confused. (Score:5, Informative)

It gets even better. In the linked article it explains that Paunch sells ads that appear in the control panels for all the renters, so not only does he get income from renting the system, he also gets the income from the ads that pop up in your system after you rent it from him!

[Dec 06, 2013] Europol, Microsoft Target 2-Million Strong ZeroAccess Click Fraud Botnet -

December 06, 2013 | Slashdot


tsu doh nimh writes

"Authorities in Europe joined Microsoft Corp. this week in disrupting 'ZeroAccess,' a vast botnet that has enslaved more than two million PCs with malicious software in an elaborate and lucrative scheme to defraud online advertisers. It remains unclear how much this coordinated action will impact the operations of ZeroAccess over the long term, but for now the PCs infected with the malware remain infected and awaiting new instructions. ZeroAccess employs a peer-to-peer architecture in which new instructions and payloads are distributed from one infected host to another.

The actions this week appear to have targeted the servers that deliver a specific component of ZeroAccess that gives infected systems new instructions on how to defraud various online advertisers, including Microsoft.

While this effort will not disable the ZeroAccess botnet (the infected systems will likely remain infected), it should allow Microsoft to determine which online affiliates and publishers are associated with the miscreants behind ZeroAccess, since those publishers will have stopped sending traffic directly after the takedown occurred.

Europol has released a statement on this action, and Microsoft has published a large number of documents related to its John Doe lawsuits intended to unmask the ZeroAccess operators and shut down the botnet."

[Dec 06, 2013] FTC Drops the Hammer On Maker of Location-Sharing Flashlight App

December 06, 2013


chicksdaddy writes "The Federal Trade Commission announced on Thursday that it settled with the maker of 'Brightest Flashlight Free,' a popular Android mobile application, over charges that the company used deceptive advertising to collect location and device information from Android owners. The FTC says the company failed to disclose wanton harvesting and sharing of customers' locations and mobile device identities with third parties. Brightest Flashlight Free, which allows Android owners to use their phone as a flashlight, is a top download from Google Play, the main Android marketplace. Statistics from the site indicate that it has been downloaded more than one million times with an overall rating of 4.8 out of 5 stars. The application, which is available for free, displays mobile advertisements on the devices it is installed on. However, the device also harvested a wide range of data from Android phones which was shared with advertisers, including what the FTC describes as 'precise geolocation along with persistent device identifiers.' As part of the settlement with the FTC, Goldenshores is ordered to change its advertisements and in-app disclosures to make explicit any collection of geolocation information, how it is or may be used, the reason for collecting location information and which third parties the data is shared with."

'Neverquest' trojan threatens online banking users - Computerworld

IDG News Service

A new Trojan program that targets users of online financial services has the potential to spread very quickly over the next few months, security researchers warn.

The malware was first advertised on a private cybercrime forum in July, according to malware researchers from Kaspersky Lab who dubbed it Trojan-Banker.Win32/64.Neverquest.

"By mid-November Kaspersky Lab had recorded several thousand attempted Neverquest infections all around the world," said Sergey Golovanov, malware researcher at Kaspersky Lab, Tuesday in a blog post. "This threat is relatively new, and cybercriminals still aren't using it to its full capacity. In light of Neverquest's self-replication capabilities, the number of users attacked could increase considerably over a short period of time."

Neverquest has most of the features found in other financial malware. It can modify the content of websites opened inside Internet Explorer or Firefox and inject rogue forms into them, it can steal the username and passwords entered by victims on those websites and allow attackers to control infected computers remotely using VNC (Virtual Network Computing).

However, this Trojan program also has some features that make it stand out.

Its default configuration defines 28 targeted websites that belong to large international banks as well as popular online payment services. However, in addition to these predefined sites, the malware identifies Web pages visited by victims that contain certain keywords such as balance, checking account and account summary, and sends their content back to the attackers.

This helps attackers identify new financial websites to target and build scripts for the malware to interact with them.

Once attackers have the information they need to access a user's account on a website, they use a proxy server to connect to the user's computer via VNC and access the account directly. This can bypass certain account protection mechanisms enforced by websites because unauthorized actions like transferring money are done through the victim's browser.

"Of all of the sites targeted by this particular program, -- owned by Fidelity Investments -- appears to be the top target," Golovanov said. "This company is one of the largest mutual investment fund firms in the world. Its website offers clients a long list of ways to manage their finances online. This gives malicious users the chance to not only transfer cash funds to their own accounts, but also to play the stock market, using the accounts and the money of Neverquest victims."

The methods used to distribute Neverquest are similar to those used to distribute the Bredolab botnet client, which became one of the most widespread pieces of malware on the Internet in 2010.

Neverquest steals log-in credentials from FTP (File Transfer Protocol) client applications installed on infected computers. Attackers then use these FTP credentials to infect websites with the Neutrino exploit pack, which then exploits vulnerabilities in browser plug-ins to install the Neverquest malware on the computers of users visiting those sites.

The Trojan program also steals SMTP (Simple Mail Transfer Protocol) and POP (Post Office Protocol) credentials from email clients and sends them back to attackers so they can be used to send spam emails with malicious attachments. "These emails are typically designed to look like official notifications from a variety of services," Golovanov said.

In addition, Neverquest steals account log-in information for a large number of social networking websites and chat services accessed from infected computers. Those accounts could be used to spread links to infected websites with the intention to further spread Neverquest, even though Kaspersky Lab hasn't seen this method being used yet.

"As early as November, Kaspersky Lab noted instances where posts were made in hacker forums about buying and selling databases to access bank accounts and other documents used to open and manage the accounts to which stolen funds are sent," Golovanov said. "We can expect to see mass Neverquest attacks towards the end of the year, which could ultimately lead to more users becoming the victims of online cash theft."

[Nov 23, 2013] NSA hacked over 50,000 computer networks worldwide

Public sources show that TAO employs more than a thousand hackers. The task force has been active since at least 1998, according to the Washington Post. That's the end of any trust in Windows as we know it. Sorry Microsoft...
RT News

The US National Security Agency hacked more than 50,000 computer networks worldwide installing malware designated for surveillance operations, Dutch newspaper NRC reports citing documents leaked by Edward Snowden.

The latest round of revelations comes from a document dating from 2012 that shows the extent of the NSA's worldwide surveillance network.

Published by Dutch newspaper NRC Handelsblad, it points to more than 50,000 locations where the NSA used 'Computer Network Exploitation' (CNE) and implanted malicious software into the networks.

According to the NSA website CNE "includes enabling actions and intelligence collection via computer networks that exploit data gathered from target or enemy information systems or networks."

Once the computer has been infected, the 'implants' act as digital 'sleeper cells' that can be remotely turned on or off with a single push of a button, the Dutch paper reported. The malware can remain active for years without being detected, the newspaper added. The malicious operations reportedly were carried out in many countries including China, Russia, Venezuela and Brazil.

The hacking is conducted by the Tailored Access Operations (TAO), a special unit within the NSA tasked with gaining access to foreign computer systems.

According to the Dutch media, one of the examples of the CNE operation is the reported attack against Belgian telecom company Belgacom that was discovered in September 2013. The attack was previously reported to have been carried out by British intelligence agency GCHQ that worked in cooperation with its American counterpart.

GCHQ injected malware in the Belgacom network to tap their customers' telephone and data traffic. The agency implemented a technique known as Quantum Insert, placing Belgacom's servers in strategic spots where they could intercept and redirect target traffic to a fake LinkedIn professional social network's website.

Public sources show that TAO employs more than a thousand hackers. The task force has been active since at least 1998, according to the Washington Post.

Documents acquired by the NRC newspaper also reveal that NSA spied on the Netherlands from 1946 to 1968. However the report does not indicate the specific intentions.

Dutch interior affairs minister Ronald Plasterk has recently confirmed that the NSA monitors mail and phone traffic in the Netherlands and exchanges data with Dutch security organization AIVD.

[Nov 12, 2013] Interview with Vyacheslav Medvedev, Dr. Web

This interview took place during the celebration of Doctor Web, Ltd's twenty years of product development (and, simultaneously, ten years since the creation of the company itself). For additional information about the anniversary see Doctor Web Anniversary Match and Facebook Community Page about Doctor Web.

Vyacheslav Medvedev, the leading analyst of Doctor Web, Ltd, kindly agreed to talk about current security problems with the editor of Softpanorama. Mr. Medvedev is a frequent speaker at security conferences, where he often represents the company.

[Nov 12, 2013] IE Zero-Day Exploit Disappears On Reboot

November 11, 2013 | Slashdot

nk497 writes:

"Criminals are taking advantage of unpatched holes in Internet Explorer to launch 'diskless' attacks on PCs visiting malicious sites. Security company FireEye uncovered the zero-day flaw on at least one breached U.S. site, describing the exploit as a 'classic drive-by download attack'. But FireEye also noted the malware doesn't write to disk and disappears on reboot — provided it hasn't already taken over your PC — making it trickier to detect, though easier to purge. '[This is] a technique not typically used by advanced persistent threat (APT) actors,' the company said. 'This technique will further complicate network defenders' ability to triage compromised systems, using traditional forensics methods.'"

[Nov 11, 2013] GCHQ spoofed LinkedIn site to target global mobile traffic exchange and OPEC

Injection of malware is possible only because GCHQ's servers sit in a privileged position on the Internet backbone, where they can answer a request before the real site does...
November 11, 2013 | RT
The UK's electronic spying agency has been using a spoofed version of the LinkedIn professional social network's website to target global roaming data exchange companies as well as top management employees in the OPEC oil cartel, according to a Der Spiegel report.

The Government Communications Headquarters has implemented a technique known as Quantum Insert, placing its servers in strategic spots where they could intercept and redirect target traffic to a fake website faster than the legitimate service could respond.

A similar technique was used earlier this year to inject malware into the systems of BICS, a subsidiary of Belgian state-owned telecommunications company Belgacom, which is another major GRX provider.

In the Belgacom scandal it was at first unclear where the attacks were coming from. Then documents from Snowden's collection revealed that the surveillance attack probably emanated from the British GCHQ – and that British intelligence had palmed off spyware on several Belgacom employees.

The Global Roaming Exchange (GRX) is a service which allows mobile data providers to exchange the roaming traffic of their users with other providers. There are only a few dozen companies providing such services globally.

Now it turns out the GCHQ was also targeting networking, maintenance and security personnel of another two companies, Comfone and Mach, according to new leaks published in the German magazine by Laura Poitras, one of the few journalists believed to have access to all documents stolen by Snowden from the NSA.

Through the Quantum Insert method, GCHQ managed to infiltrate the systems of targeted Mach employees and successfully procured detailed knowledge of the company's communications infrastructure, business, and personal information of several important figures.

A spokesman for 'Starhome Mach', a Mach-successor company, said it would launch "a comprehensive safety inspection with immediate effect."

The Organisation of Petroleum Exporting Countries was yet another target of the Quantum Insert attack, according to the report. According to a leaked document, it was in 2010 that GCHQ managed to infiltrate the computers of nine OPEC employees. The spying agency reportedly succeeded in penetrating the operating space of the OPEC Secretary-General and also managed to spy on the Saudi Arabian OPEC governor, the report suggests.

LinkedIn is currently the largest network for creating and maintaining business contacts. According to its own data the company has nearly 260 million registered users in more than 200 countries. When contacted by The Independent, a LinkedIn spokesman said that the company was "never told about this alleged activity" and it would "never approve of it, irrespective of what purpose it was used for."

According to cryptographer and security expert Bruce Schneier, Quantum Insert attacks are hard for anyone except the NSA to execute, because one would need "to have a privileged position on the Internet backbone."

The latest details of GCHQ's partnership with the NSA were revealed just last week, after the reports emerged that GCHQ was feeding the NSA with the internal information intercepted from Google and Yahoo's private networks.

The UK intelligence leaders have recently been questioned by British lawmakers about their agencies' close ties and cooperation with the NSA.

The head of GCHQ, Sir Ian Lobban, lashed out at the global media for the coverage of Edward Snowden's leaks, claiming it has made it "far harder" for years to come to search for "needles and fragments of needles" in "an enormous hay field" of the Internet.

However, the intelligence chiefs failed to address public fears that Britain's intelligence agencies are unaccountable and are operating outside the law.
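As an added example, not code from RT, Der Spiegel or this page: a Quantum Insert of the kind described above wins by answering the client's request before the real server does, so a sensor in front of the client sees two TCP segments for the same connection and sequence number that carry different payloads. The script below flags that signature on a hand-constructed stream (addresses, ports and HTTP payloads are all made up) and leaves an ordinary retransmission alone, since a retransmission repeats the same bytes.

```python
"""Flag a Quantum Insert style race in a list of captured TCP segments.

Added example, not part of the original article. The injected response and the
legitimate one share a 4-tuple and a sequence number but differ in payload;
that pair is the signature. Segments below are constructed, not captured.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str        # sender address (the server side, as seen by the client)
    sport: int
    dst: str
    dport: int
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def find_quantum_inserts(segments):
    """Return (flow, seq, first_payload, later_payload) for every conflict.

    Only the overlapping prefix is compared, so a genuine retransmission,
    even a shorter one, is not reported; different bytes at the same
    sequence number cannot come from one well-behaved sender.
    """
    seen = defaultdict(dict)    # flow -> seq -> first payload observed
    alerts = []
    for s in segments:
        flow = (s.src, s.sport, s.dst, s.dport)
        prev = seen[flow].get(s.seq)
        if prev is None:
            seen[flow][s.seq] = s.payload
            continue
        n = min(len(prev), len(s.payload))
        if prev[:n] != s.payload[:n]:
            alerts.append((flow, s.seq, prev, s.payload))
    return alerts


# Constructed stream: the 'shooter' reply beats the real server to the client.
SAMPLE = [
    Segment("203.0.113.10", 80, "198.51.100.7", 51234, 1000,
            b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/\r\n\r\n"),
    Segment("203.0.113.10", 80, "198.51.100.7", 51234, 1000,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    # An honest retransmission on another flow: same seq, same bytes.
    Segment("203.0.113.20", 80, "198.51.100.7", 51235, 5000, b"HTTP/1.1 200 OK\r\n"),
    Segment("203.0.113.20", 80, "198.51.100.7", 51235, 5000, b"HTTP/1.1 200 OK\r\n"),
]

if __name__ == "__main__":
    for flow, seq, first, later in find_quantum_inserts(SAMPLE):
        print(f"seq {seq} on {flow}: first={first[:18]!r} later={later[:18]!r}")
```

On real traffic the check should also key on the ACK number and compare the IP TTL of the two segments (an injected packet rarely has the same hop count as the server's own replies), and the sensor has to sit where it sees both packets: the client itself discards the second segment as a duplicate, so this is a detection for a trace, not for the endpoint.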

[Oct 26, 2013] Cryptolocker (Win32/Crilock.A)

In a way it is a game changer. This is the only Trojan that made it into the Malware Defense History for 2013...

This is a game changing Trojan, which belongs to the class of malware known as ransomware. It seriously changes views on malware, on antivirus programs and on backup routines. It is one of the few Trojans/viruses that managed to get onto the front pages of major newspapers such as the Guardian.

Unlike most Trojans this one does not need Admin access to inflict the most damage: it only needs to write to the files the current user can already write to, and that is all of the user's data. It also targets backups of your data on USB and mapped network drives. If you offload your backups to cloud storage without versioning and the backup files have an extension present in the list of extensions used by this Trojan, it will destroy (that is, encrypt) your "cloud" backups too, because the sync client faithfully uploads the encrypted copies over the originals.

It really encrypts the data in a way that excludes any possibility of decryption without paying the ransom, so it is very effective at extorting money for the decryption key. Whether you actually get that key after paying is another matter: the servers that transmit it from the Command and Control center might already be blocked. Still, the chances are reasonably high. The domain names the Trojan contacts to fetch the public key are generated algorithmically and change daily, so at any given moment at least one server the Trojan "pings" is usually operational (even on Oct 28 decryption was still possible). At the same time the three day timer is real, and once it expires the possibility of decrypting the files is gone. Essentially you have only two options: restore the files from a backup or shadow copy the Trojan could not reach, or pay.

Beware of snake oil salesmen who try to sell you a "disinfection" solution. Disinfecting the Trojan itself is trivial, as it is launched from a standard HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry entry. The problem is that such a solution does not and cannot include restoration of your files: the Trojan can be removed in minutes, but the private key that would unlock the files never left the attackers' server.

It was discovered in early September 2013 (around September 3, when the domains used to reach the C&C center were registered; the first description appeared on September 10, see Trojan:Win32/Crilock.A). Major AV programs did not detect it until September 17, and in the meantime the Trojan inflicted significant damage.

Here is the screen displayed when the Trojan has finished encrypting the files (it operates silently before that, although the load on the computer is considerable, as encryption is a heavy computational task):


[Oct 23, 2013] Fiendish CryptoLocker ransomware

The Register

CryptoLocker is similar in some ways to other forms of ransomware, such as the Reveton police Trojan, but it's far more sophisticated in its construction and aggressive in its demands.

The necessary decryption key is never left lying around on host machines. CryptoLocker phones home to a command-and-control server to obtain a public RSA key before it begins the task of silently encrypting files on compromised machines. The same command server also hosts the private key.

Malware that encrypts your data and tries to sell it back to you is not new. As net security firm Sophos points out, CryptoLocker chiefly differs because it uses industry-standard cryptography for malign purposes.

"SophosLabs has received a large number of scrambled documents via the Sophos sample submission system," Sophos explains in a blog post.

"These have come from people who are keenly hoping that there's a flaw in the CryptoLocker encryption, and that we can help them get their files back," adds the firm. "But as far as we can see, there's no backdoor or shortcut: what the public key has scrambled, only the private key can unscramble."

A video from SophosLab showing the malware in action can be found on the next page. Victims receive little or no indication of problems on an infected machine while the malware is encrypting files in the background.

Re: Already seen this

"You can't kill this virus in normal ways."

So, it manages to run despite having a software restriction policy in place preventing any vaguely executable code from running outside of program files or authorised network shares?

I've been receiving the Companies House emails regularly. I've had a few users run them with nothing more harmful than the standard SRP prohibited text, since Outlook opens attachments in a temp directory, which is not in Program Files, so it doesn't run and I'm safe despite the users.

Anti virus software is not enough. Stick yourself in a basic SRP and your virus issues will vanish overnight because the users can't run the bloody things if they try.

Secondly, get yourself a copy of Sysinternals from the Microsoft website and use Process Explorer instead of Task Manager, and PsKill to kill things instead of the "end task" button in Task Manager. If you want malware dead, don't allow it to gracefully close through a Task Manager request to close. That's just letting it run more instructions. Figure out where the file and all its dependencies are from Process Explorer and then either suspend or terminate it. Take a hash of the file to stick in a network wide SRP GPO that denies it the ability to run. Zip a copy of the file and email it to your AV vendor. Now you're done and you can delete it.

It encrypts .doc, .dwg etc

So what? In the corporate world those files should be held in some kind of version control and backed up. So at worst you lose a day's work. Network shares? Same thing. They should not be the master, they should be the published version of a document under proper control (also, users don't need write access to *everything*). As for local files that are being worked on; well, those are backed up as well aren't they?

And why the HELL do people open an attachment without first scanning it? When coming in from outside, open it on a machine which has actual work files on it. Are they totally mentally deficient? Run Outlook in a separate VM. Problem solved.

If you are following good procedures, CryptoLocker is minimal risk and the main annoyance will be downtime as the PC is re-imaged. If you are affected by CryptoLocker and want someone to blame, look in the mirror.

Then call MS and ask them why their software is so shit.

I can see this being a serious worry for home users. Top-tip: stop opening random files.

Re: It encrypts .doc, .dwg etc

How naive can you get?! Obviously never worked for a large corporation then. The idea that they always do things properly is just naivety. Release documents will (should) be in a document management system, but there are always many documents which are not.

Reality check

And what about the SMEs, who have lots to lose and are unlikely to have the budget for enterprise level procedures?

Re: It encrypts .doc, .dwg etc

I really hope you're not an IT support guy. Users are .... users... they are not IT experts, the same way that IT experts are not brain surgeons. Yes, good practice is always good, but...

Cloud backup

If you have a sync directory, wouldn't it be rather annoying if the files in it were encrypted, uploaded to e.g. DropBox, then synced with your other machines?

It'd be recoverable if you had a cloud locker with version control, but still annoying.

Re: Cloud backup

DropBox has versioning. In fact it's how we got back our Salesperson's files from her laptop when she got this nasty last week.


It never ceases to amaze me how many people open and click on links in emails without knowing who they're from. Even my employer (who shall remain nameless) has become infected despite there being a fairly recent and high profile campaign targeting computer security and phishing emails. Some people are just dumb.

Mike Bell

To be fair, a bit of social engineering is involved here by making the file look like something that it isn't (a PDF). Not every user is a geek, but they might know enough to know that PDFs are normally harmless viewable documents. If they possess a little geekiness, they might know that you'd better be dead sure you're running a *very* up-to-date PDF viewer. A little more and they'd know that executables can be camouflaged like this.

I imagine that such a "dumb" user might be tempted to call you and me nerdy geeks who need a life.


I was talking to someone a week ago who got a popup in their browser warning they were downloading pirated software and to click to acknowledge this. The sad thing is that while they didn't click, they actually believed the warning to be genuine although it clearly wasn't. I imagine anyone who clicked would be encouraged to pay a "fine" and possibly install "monitoring software" which would just be malware of some kind.

I assume the criminals wouldn't bother with these scams if people didn't fall for them.

Wild Bill

From the detailed breakdown from Bleeping Computer, it appears that the encryption doesn't take place until the virus is able to phone home to one of its many servers, which have their domains automatically created using a Domain Generation Algorithm.

Is there not any software that can block all domains which are obviously gobbledygook and are therefore likely to have been automatically generated by a nasty? It appears DGAs are used by a lot of viruses to phone home, so such a blocklist could be a reasonably good last line of defence for a multitude of arseholery (obviously not getting a virus in the first place is the ideal approach).
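Answering the question above in code, as an added example that is not from the thread: a DGA-generated name has no pronounceable structure, so a handful of cheap lexical tests on the registrable label (length, character entropy, vowel ratio, longest consonant run) separates most of them from ordinary domains. The thresholds and the sample domains below are my own choices, not anything published about CryptoLocker's algorithm.

```python
"""Lexical heuristics for spotting algorithmically generated domain names.

Added example; thresholds and sample domains are constructed, not taken from
any published analysis of CryptoLocker's domain generation algorithm.
"""
import math
from collections import Counter

VOWELS = set("aeiouy")
# Common two-part public suffixes; enough for the samples, not a full list.
SECOND_LEVEL_SUFFIXES = {"co", "com", "org", "net", "ac", "gov"}


def registrable_label(domain):
    """Return the label the registrant chose, e.g. 'linkedin' for www.linkedin.com."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text):
    """Bits per character; random strings over a large alphabet score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(text):
    best = run = 0
    for ch in text:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(domain):
    """Count how many 'looks generated' tests the registrable label trips."""
    label = registrable_label(domain)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    tests = (
        len(label) >= 12,                      # long
        shannon_entropy(label) >= 3.5,         # few repeated characters
        vowel_ratio < 0.25,                    # unpronounceable
        longest_consonant_run(label) >= 5,     # no syllable structure
    )
    return sum(tests)


def looks_generated(domain, threshold=3):
    """Three of the four tests tripped is the (assumed) block threshold."""
    return dga_score(domain) >= threshold


# Constructed mix of ordinary names and random-looking ones.
SAMPLE_DOMAINS = [
    "www.linkedin.com", "bleepingcomputer.com", "google.co.uk", "xkcd.com",
    "xkqwvjtrpmzhd.ru", "qzbvlkwprtxnmf.com", "hjsdkqwpltnvbg.biz",
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        verdict = "BLOCK" if looks_generated(d) else "ok"
        print(f"{d:24} score={dga_score(d)} {verdict}")
```

A filter like this belongs on the resolver or the DNS log, not in the browser, and it will mis-score short brand names and CDN hostnames. The stronger signal for a DGA host is volume: an infected machine resolves hundreds of such names a day and gets NXDOMAIN for nearly all of them, which is also why the Bleeping Computer guide says encryption waits until one of them finally answers.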

Cryptolocker Hijack program - Page 5 - General Security

It's a game changing virus. It seriously changes views on malware and on backup routines.

Education is really the only way to prevent this unfortunately. Without education people will continue to open email attachments they shouldn't, use weak passwords, and provide little or no network security.

These types of encrypting malware are the new breed of moneymakers for malware developers, especially as they can be created by individuals, or small groups, rather than larger organizations. In the past it was rogue anti-spyware programs, but then the credit card/merchant companies caught on and that method was pretty much eliminated. Ransomware, such as this CryptoLocker, ACCDFISA, and DirtyDecrypt, is the future as the ransom payments are typically anonymous, are essentially cash, and very difficult to trace. These payment methods are typically MoneyPak, Ukash, and now Bitcoins.

As always, I suggest no one pay them if they can avoid it as it just encourages them to continue. On the other hand, I know that not everyone has a backup of their data for whatever reason and that it is necessary to get this data back by any means.



We have been able to remove this by creating a Kaspersky Rescue Disk:

Once booted into this you can use the File Manager and registry editor to remove the startup entry for this. First browse the registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run and locate the random file (this will also show you where on the system this is loading from). Remove this reg entry. You should also check: HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

Once the reg entry is deleted, use the File Manager function to browse to where this file is located and delete this file.

Shut down the rescue disk and boot as normal; this should then be able to boot without the CryptoLocker screen appearing. You should then run a scan with your current AV software or download Malwarebytes and run a scan with this. It may be best to run this scan with the computer in safe mode.

[Oct 23, 2013] CryptoLocker Recap A new guide to the bleepingest virus of 2013


tl;dr: CryptoLocker encrypts a set of file masks on a local PC and any mapped network drives with 2048-bit RSA encryption, which is uncrackable for quite a while yet.

WinXP through Win8 are vulnerable, and infection isn't dependent on being a local admin or having UAC on or off.

MalwareBytes Pro and Avast stop the virus from running.

Sysadmins in a domain should create this Software Restriction Policy which has very little downside (you need both rules).

The timer it presents is real and you cannot pay them once it expires. You can pay them with a GreenDot MoneyPak or 2 Bitcoins, attempt to restore a previous version using ShadowExplorer, go to a backup (including versioning-based cloud backups), or be SOL.

... ... ...

Vectors: In order of likelihood, the vectors of infection have been:

[Oct 23, 2013] Proper Care & Feeding of your CryptoLocker Infection A rundown on what we know. sysadmin

Prevention: As this post has attracted many home users, I'll put at the top that MalwareBytes Pro, Avast! Free and Avast! Pro (defs 131016-0 16.10.2013 or later) will prevent the virus from running.

For sysadmins in a domain environment, one way to prevent this and many other viruses is to set up software restriction policies (SRPs) to disallow the executing of .exe files from AppData/Roaming. Grinler explains how to set up the policy here.

Visual example. The rule covering %AppData%\*\*.exe is necessary for the current variant. The SRP will apply to domain admins after either the GP timer hits or a reboot, gpupdate /force does not enforce it immediately. There is almost no collateral damage to the SRP. Dropbox and Chrome are not affected. Spotify may be affected, not sure. I don't use it.

Making shares read-only will mitigate the risk of having sensitive data on the server encrypted.

Forecast: The reports of infections have risen from ~1,300 google results for cryptolocker to over 150,000 in a month. This virus is really ugly, really efficient, and really hard to stop until it's too late. It's also very successful in getting people to pay, which funds the creation of a new variant that plugs what few holes have been found. I don't like where this is headed.
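The rescue-disk cleanup above tells you to hunt for a random-named entry in the HKCU and HKLM Run keys, and the sysadmin post tells you the two SRP path rules, %AppData%\*.exe and %AppData%\*\*.exe, that stop the current variant from launching. The script below, an added example that is neither the Reddit post's nor BleepingComputer's code, ties the two together: it pulls the program path out of each Run-key command line and reports which entries those two rules would have blocked. The Run-key entries are constructed samples; on a Windows host `read_run_keys()` reads the live keys instead.

```python
"""Audit Run-key autostart entries against the CryptoLocker SRP path rules.

Added example, not code from the Reddit post or the BleepingComputer guide.
Assumptions: the two SRP rules are %AppData%\\*.exe (exe directly in Roaming)
and %AppData%\\*\\*.exe (exe one folder down), as the post describes; the
sample entries and the AppData path below are constructed, not captured.
"""
import ntpath
import sys

RUN_KEYS = (
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
)

# Constructed sample entries in the (hive, value name, command line) shape
# that read_run_keys() returns on a real machine.  "Qkwzxjtr" and "Updater"
# stand in for the random-named dropper; the others are benign-looking.
SAMPLE_ENTRIES = [
    ("HKCU", "OneDrive", r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKCU", "Dropbox", r'"C:\Users\bob\AppData\Roaming\Dropbox\bin\Dropbox.exe" /systemstartup'),
    ("HKCU", "Qkwzxjtr", r'"C:\Users\bob\AppData\Roaming\Qkwzxjtr.exe"'),
    ("HKCU", "Updater", r"%AppData%\3f9a1c\svchost.exe /silent"),
    ("HKLM", "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]
SAMPLE_APPDATA = r"C:\Users\bob\AppData\Roaming"


def executable_from_command(command):
    """Program path from a Run-key command line: the quoted path if quoted,
    else the first token (unquoted paths containing spaces are not handled)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def srp_rule_for(exe_path, appdata_root):
    """Return the SRP path rule that would block exe_path, or None."""
    root = ntpath.normpath(appdata_root).lower()
    # Expand only the variable we know; os.path.expandvars is host-dependent.
    path = ntpath.normpath(exe_path.lower().replace("%appdata%", root))
    if not path.endswith(".exe") or not path.startswith(root + "\\"):
        return None
    depth = path[len(root) + 1:].count("\\")  # 0 = in Roaming, 1 = one folder down
    if depth == 0:
        return r"%AppData%\*.exe"
    if depth == 1:
        return r"%AppData%\*\*.exe"
    return None  # deeper paths (Dropbox\bin\...) fall outside both rules


def audit_run_entries(entries, appdata_root):
    """Return (hive, name, exe, rule) for every entry the SRP rules would block."""
    hits = []
    for hive, name, command in entries:
        exe = executable_from_command(command)
        rule = srp_rule_for(exe, appdata_root)
        if rule:
            hits.append((hive, name, exe, rule))
    return hits


def read_run_keys():
    """Read the live Run keys via winreg; returns [] on non-Windows hosts."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for hive_name, subkey in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive_name], subkey)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                if isinstance(value, str):
                    entries.append((hive_name, name, value))
                index += 1
    return entries


if __name__ == "__main__":
    entries = read_run_keys() or SAMPLE_ENTRIES
    for hive, name, exe, rule in audit_run_entries(entries, SAMPLE_APPDATA):
        print(f"{hive}\\...\\Run\\{name}: {exe}  <- blocked by {rule}")
```

The same depth check explains the post's remark about collateral damage: an updater that installs under a vendor folder two levels deep (the constructed Dropbox path here) is untouched by either rule, while anything dropped directly into Roaming or into one random subfolder is caught.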

[Oct 23, 2013] Vulnerabilities in some Netgear routers open door to remote attacks by Lucian Constantin

"Do not turn on remote administration ever, for any device," Cutlip said. "That's the number one attack surface, and it's the one we usually find bugs in."
Oct 23, 2013 | IDG News Service

Vulnerabilities in the management interfaces of some wireless router and network-attached storage products from Netgear expose the devices to remote attacks that could result in their complete compromise, researchers warn.

The latest hardware revision of Netgear's N600 Wireless Dual-Band Gigabit Router, known as WNDR3700v4 and shown above, has several vulnerabilities that allow attackers to bypass authentication on the router's Web-based interface, according to Zachary Cutlip, a researcher with security consultancy firm Tactical Network Solutions.

"If you browse to http:///BRS_02_genieHelp.html, you are allowed to bypass authentication for all pages in the entire administrative interface," Cutlip said Tuesday in a blog post. "But not only that, authentication remains disabled across reboots. And, of course, if remote administration is turned on, this works from the frickin' Internet."

That opens the door to many attack possibilities. For example, an attacker could configure the router to use a malicious DNS (Domain Name System) server, which would allow the attacker to redirect users to malicious websites or set up port forwarding rules to expose internal network services to the Internet.

"Additionally, any command injection or buffer overflow vulnerabilities in the router's web interface become fair game once authentication is disabled," Cutlip said.

In fact, the researcher already found a vulnerability which, when exploited together with the authentication bypass one, allows an attacker to obtain a root prompt on the router.

"Once the attacker has root on the router, they can easily sniff and manipulate all the users' Internet-bound traffic," Cutlip said Thursday.

The BRS_02_genieHelp.html vulnerability is actually a combination of two separate issues. One is that any interface pages whose names start with "BRS_" can be accessed without authentication.

This is a vulnerability in itself and can lead to sensitive information disclosure. For example, a page called "BRS_success.html" lists the access passwords for the 2.4GHz and 5GHz Wi-Fi networks configured on the router.

The second issue is that when accessed, the BRS_02_genieHelp.html page switches a router configuration setting called "hijack_process" to 1. This disables authentication for the entire web interface. The value for the "hijack_process" setting when the router is configured properly is 3.

The same vulnerability was found by researchers from Independent Security Evaluators (ISE) in April in the firmware of the Netgear CENTRIA (WNDR4700) router model. However, the vulnerable URL ISE identified at the time was http://[router_ip]/BRS_03B_haveBackupFile_fileRestore.html.

Other routers may be affected

Netgear patched the vulnerability in the WNDR4700 firmware version that was released in July. However, it seems the company failed to check if other router models are also vulnerable.

The latest firmware version for WNDR3700v4 is; Cutlip performed his tests on the older version. However, static code analysis of the firmware indicates that it is also vulnerable, the researcher said Thursday.

The older WNDR3700v3 hardware revision does not appear to be affected, Cutlip said, adding that he hasn't analyzed the firmware for the much older v1 and v2 revisions yet.

The researcher also discovered a separate authentication bypass vulnerability in the WNDR3700v4 firmware that's not related to the BRS_* issue. "Appending the string 'unauth.cgi' to HTTP requests will bypass authentication for many, if not most, pages," he said.

Cutlip didn't test if WNDR4700 is also vulnerable to this second flaw.

Netgear did not immediately respond to a request for comment.

A search for WNDR3700v4 routers that have their web interface exposed to the Internet returned over 600 devices on the SHODAN search engine.

"Do not turn on remote administration ever, for any device," Cutlip said. "That's the number one attack surface, and it's the one we usually find bugs in."

To avoid local attacks, administrators should secure their wireless networks with strong WPA2 passphrases and make sure strangers are not allowed on their local networks, the researcher said.

[Oct 17, 2013] Dr. Web Anniversary Match

Dr.Web, one of the key players in the Russian and European AV software markets, celebrated 20 years of product development (Igor Danilov started distribution of his malware scanner via Dialog Nauka in 1992) and 10 years since the company was founded.

The match was the central event of the celebration, which took place at the Yalta Inturist hotel. The Dr.Web St. Petersburg team played against the Dr.Web Moscow team. The Muscovites won...

There were also huge fireworks in the evening, which Yalta residents probably took for the celebration of some new Ukrainian holiday ;-)

Disclaimer: I was invited as a guest...

[Aug 13, 2013] Malware taps mobile ad network to siphon money By Antone Gonsalves

Congratulations: in addition to all our other troubles, advertisement networks can now be used as a hidden channel for installing spyware. In other words, adware provides a channel for installing malware.
August 13, 2013 | Network World
Asian cybercriminals have figured out an unusual way to use the architecture of a mobile ad network to siphon money from their victims.

The new method represents another step in the evolution of mobile malware, which is booming with more smartphones shipping than PCs. Mobile ad networks open up the perfect backdoor for downloading code.

"It's a very, very clean infection vector," said Wade Williamson, a senior security analyst at Palo Alto Networks who discovered the new trickery.

In legitimate partnerships between ad distributors and developers, the latter embeds the former's software development kit (SDK) into the app, so it can download and track ads in order to split revenue.

Unfortunately, how well developers vet the ad networks they side with varies from one app maker to another. If the developer does not care or simply goes with the highest bidder, then the chances of siding with a malicious ad network are high.

Williamson found one such network's SDK embedded in legitimate apps provided through online Android stores across Asian countries, such as Malaysia, Taiwan and China. Once installed, the SDK pulls down an Android application package file (APK) and runs it in memory where the user cannot easily discover it.

The APK typically waits until another app is being installed before triggering a popup window that seeks permission to access Android's SMS service.

"It doesn't have to go through the whole process of doing a full install," Williamson said. "It just sits there and waits on the smartphone to install something else and then piggybacks in."

Once installed, the APK takes control of the phone's messaging service to send text to premium rate numbers and to download instructions from a command and control server. The majority of Android malware today, 77 percent, wring money from victims through paid messaging services, said Juniper Networks' latest mobile threat report.

Williamson has seen more than a half dozen samples of the latest malware, which he believes is coming from one criminal group, while acknowledging multiple groups is possible.

Android users in Asia and Russia are more susceptible to Android malware, because many apps are downloaded from independent online stores. In the U.S., most Android users take apps from the Google Play store, which scans for malware and malicious ad networks.

Because of the effectiveness of the latest malware, Williamson expects criminals in the future to use the same scheme to download more insidious malware capable of stealing credentials to online banking and retail sites where credit card numbers are stored.

The same pathway could also be used to steal credentials for entering corporate networks.

"As soon as you have a vector like this, the difference between creating malware that sends spoof SMS messages versus looks for the network and tries to break in is just malware functionality," Williamson said.


[Jul 27, 2013] Man gets ransomware porn pop-up, goes to cops, gets arrested on child porn charges by Cyrus Farivar

July 26 2013 | Ars Technica

21-year-old walked into police station with computer in hand, cops searched it.

A man from just outside of Washington, DC turned himself in to local police—with his computer in tow—after receiving a pop-up message from what he believed was an "FBI Warning" telling him to click to pay a fine online, or face an investigation.

While specific details on the case are scant as of yet, it appears that the suspect here fell victim to a type of ransomware that has been proliferating for years now—raking in millions for the scammers behind it.

Police said Jay Matthew Riley, 21, of Woodbridge, Virginia, walked into Prince William's Garfield District Station on July 1, 2013 to "inquire if he had any warrants on file for child pornography."

According to the local police department's press release, posted on its own Facebook page on Thursday, July 25, 2013:

The accused voluntarily brought his computer to the station and, following a search, several inappropriate messages and photos of underage girls were recovered. Detectives were able to identify one of the girls as a 13 year old from Minnesota. A search warrant was obtained and executed at the home of the accused. As a result, computers and other electronic devices were seized.

Following the investigation, the accused was subsequently arrested on July 23rd. The FBI message that the accused had originally received was determined to be a virus and not a legitimate message. The investigation continues.

The Prince William County police also noted that Riley is now being held without bond. He was charged with "3 counts of possession of child pornography, 1 count of using a communication device to solicit certain offenses involving children, and 1 count of indecent liberties with a minor."

[Jul 26, 2013] There's No Hiding

The danger of rogue software updates in Windows is very real. A typical Windows installation contains at least a dozen updaters: Microsoft Update, Adobe's updater, Mozilla's updaters; almost all applications implement updates independently, and each update channel is essentially a covert channel that can deliver malware to your PC.
Zero Hedge

... Are we sure that what we download from Apple or any other such phone producer is a bona fide update, these days? Are phone companies providing access today via downloads to our cell phones and mobile devices?

... ... ...

Anyhow, I have probably unknowingly typed one of the 70,000 keywords that launches Prism onto my back and gets me monitored today in this article. Wonder who can get the list of them?

[Jun 14, 2013] U.S. Agencies Said to Swap Data With Thousands of Firms

Corporatism is on the march...

Microsoft Bugs

Microsoft Corp. (MSFT), the world's largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.

Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn't ask and can't be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.

Frank Shaw, a spokesman for Microsoft, said those releases occur in cooperation with multiple agencies and are designed to give government "an early start" on risk assessment and mitigation.

In an e-mailed statement, Shaw said there are "several programs" through which such information is passed to the government, and named two which are public, run by Microsoft and for defensive purposes.

Willing Cooperation

Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge's order if it were done in the U.S., one of the four people said.

In these cases, no oversight is necessary under the Foreign Intelligence Surveillance Act, and companies are providing the information voluntarily.

The extensive cooperation between commercial companies and intelligence agencies is legal and reaches deeply into many aspects of everyday life, though little of it is scrutinized by more than a small number of lawyers, company leaders and spies. Company executives are motivated by a desire to help the national defense as well as to help their own companies, said the people, who are familiar with the agreements.

Most of the arrangements are so sensitive that only a handful of people in a company know of them, and they are sometimes brokered directly between chief executive officers and the heads of the U.S.'s major spy agencies, the people familiar with those programs said.

... ... ...

Committing Officer

If necessary, a company executive, known as a "committing officer," is given documents that guarantee immunity from civil actions resulting from the transfer of data. The companies are provided with regular updates, which may include the broad parameters of how that information is used.

Intel Corp. (INTC)'s McAfee unit, which makes Internet security software, regularly cooperates with the NSA, FBI and the CIA, for example, and is a valuable partner because of its broad view of malicious Internet traffic, including espionage operations by foreign powers, according to one of the four people, who is familiar with the arrangement.

Such a relationship would start with an approach to McAfee's chief executive, who would then clear specific individuals to work with investigators or provide the requested data, the person said. The public would be surprised at how much help the government seeks, the person said.

McAfee firewalls collect information on hackers who use legitimate servers to do their work, and the company data can be used to pinpoint where attacks begin. The company also has knowledge of the architecture of information networks worldwide, which may be useful to spy agencies who tap into them, the person said.

McAfee's Data

McAfee (MFE)'s data and analysis doesn't include information on individuals, said Michael Fey, the company's worldwide chief technology officer.

"We do not share any type of personal information with our government agency partners," Fey said in an e-mailed statement. "McAfee's function is to provide security technology, education, and threat intelligence to governments. This threat intelligence includes trending data on emerging new threats, cyber-attack patterns and vector activity, as well as analysis on the integrity of software, system vulnerabilities, and hacker group activity."

In exchange, leaders of companies are showered with attention and information by the agencies to help maintain the relationship, the person said.

In other cases, companies are given quick warnings about threats that could affect their bottom line, including serious Internet attacks and who is behind them.

... ... ...

The information provided by Snowden also exposed a secret NSA program known as Blarney. As the program was described in the Washington Post (WPO), the agency gathers metadata on computers and devices that are used to send e-mails or browse the Internet through principal data routes, known as a backbone.

... ... ...


That metadata includes which version of the operating system, browser and Java software are being used on millions of devices around the world, information that U.S. spy agencies could use to infiltrate those computers or phones and spy on their users.

"It's highly offensive information," said Glenn Chisholm, the former chief information officer for Telstra Corp. (TLS), one of Australia's largest telecommunications companies, contrasting it to defensive information used to protect computers rather than infiltrate them.

According to Snowden's information, Blarney's purpose is "to gain access and exploit foreign intelligence," the Post said.

It's unclear whether U.S. Internet service providers gave information to the NSA as part of Blarney, and if so, whether the transfer of that data required a judge's order.

... ... ...

Einstein 3

U.S. telecommunications, Internet, power companies and others provide U.S. intelligence agencies with details of their systems' architecture or equipment schematics so the agencies can analyze potential vulnerabilities.

"It's natural behavior for governments to want to know about the country's critical infrastructure," said Chisholm, chief security officer at Irvine, California-based Cylance Inc.

Even strictly defensive systems can have unintended consequences for privacy. Einstein 3, a costly program originally developed by the NSA, is meant to protect government systems from hackers. The program, which has been made public and is being installed, will closely analyze the billions of e-mails sent to government computers every year to see if they contain spy tools or malicious software.

Einstein 3 could also expose the private content of the e-mails under certain circumstances, according to a person familiar with the system, who asked not to be named because he wasn't authorized to discuss the matter.

AT&T, Verizon

Before they agreed to install the system on their networks, some of the five major Internet companies -- AT&T Inc. (T), Verizon Communications Inc. (VZ), Sprint Nextel Corp. (S), Level 3 Communications Inc. (LVLT) and CenturyLink Inc. (CTL) -- asked for guarantees that they wouldn't be held liable under U.S. wiretap laws. Those companies that asked received a letter signed by the U.S. attorney general indicating such exposure didn't meet the legal definition of a wiretap and granting them immunity from civil lawsuits, the person said.

[Jun 06, 2013] Banking Malware, Under the Hood


"What is your computer actually DOING when you click on a link in a phishing email? Sherri Davidoff of LMG Security released these charts of an infected computer's behavior after clicking on a link in a Blackhole Exploit Kit phishing email. You can see the malware 'phone home' to the attacker every 20 minutes on the dot, and download updates to evade antivirus. She then went on to capture screenshots and videos of the hacker executing a man-in-the-browser attack against Bank of America's web site. Quoting: 'My favorite part is when the attacker tried to steal my debit card number, expiration date, security code, Social Security Number, date of birth, driver's license number, and mother's maiden name– all at the same time. Nice try, dude!!'"

3.5 stripes

Well, you were dumb enough (Score:1, Insightful)

to click on the attachment in the first place, you've already set the bar for your intelligence


Re:Well, you were dumb enough (Score:5, Insightful)

Actually, there are two different populations of phish messages going around now. One of them surprisingly enough is full of misspellings and odd grammar in a tale about a Nigerian prince. If folks click on that, the senders know they have a live one.

But the other phishing schemes are subtle. I think reasonably intelligent folks who skim emails (instead of read them), especially on a tiny smart-phone/blackberry screen, are just liable to click to someplace nasty. After all, ain't no one 100% right 100% of the time.


Re: Well, you were dumb enough (Score:4, Insightful)

There's a very basic question that needs to be asked by people: why am I getting this email? If you can't figure it out, a siren should go off in your mind as to what this could be.

I do feel bad for anybody that's been caught by this, technical ineptitude is not a valid reason to get your money stolen, especially considering the average age of the victims (it's up there).


Re:Nice try? (Score:4, Informative)

BofA actually has VERY good online security.

If set up right, you should be shown a picture you choose to confirm that you are on the legit site. Then, in addition to your password, you can set up a system where a six-digit numeric token is sent to your cell phone, which is also needed to authenticate.

Anonymous Coward

It's Quite A Bit More Than That (Score:1)

So a link in a malicious email can compromise my Windows box and cause my web browser to navigate to addresses in a local hosts file. Welcome back to 1997.

It's quite a bit more than that. Perhaps you should RTFA.


Re:Most of the exploits.. (Score:5, Informative)

Don't use IE6. Don't use IE7. Don't use IE8. It's 2013. Use Chrome, Firefox, or IE 10+.

Install chrome, chrome://plugins/ , block automatic execution of java and flash. Make it so you need to click. Install an adblocker to reduce driveby downloads. Install noscript + ghostery if you are wearing aluminum foil on your head.

Auto install security updates. If something disables it most likely you have a virus. Keep everything up to date. Don't install toolbars or weather apps from unknown sources.


I Fixed One Of These Recently (Score:5, Interesting)

This malware (which puts up the appearance of a credit/debit card and asks for all your information) calls a server in the Ukraine. It was delivered by email (to a naive user) and intercepts attempts to reach your financial institution via their website. It presents, after login (did they capture the login info?), a panel looking like the credit/debit card, asking for the user to fill in all information, including account number, CVC, address, and other personal information (why anyone would fill in that data is beyond me!)

After much gnashing of teeth, I discovered it was undetectable by any known virus checker I use (AVG, Malwarebytes, Spybot), so I had to dig deeper. It turned out that the malware was using any references to (local machine) for its hook. All I had to do was edit the HOSTS file and add the domain names of the miscreant with a reference to a different IP address that is known to be a deadend (you could, for example, use

When the malware couldn't execute, it couldn't disable the various malware detectors, and several files were then identified and removed.
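The poster above beat the malware by editing the HOSTS file, and the earlier comment notes that hijacking the local hosts file is exactly how this class of banking malware steers the browser. The audit below, an added example that is not code from the thread, parses a HOSTS file and separates three kinds of entries: public names redirected to a real address (the man-in-the-browser setup), bank or AV/update names pinned to loopback or 0.0.0.0 (blocking the protections the poster relied on), and harmless entries such as localhost or a user's own sinkhole. The HOSTS text and watch list are constructed, and the addresses come from the RFC 5737 documentation ranges, so none of them are real indicators.

```python
"""Audit a Windows HOSTS file for the redirections banking malware plants in it.

Added defensive example; not code from the Slashdot thread.  The HOSTS text
and the watch list are constructed, and the IPs are from the RFC 5737
documentation ranges, so nothing here is a real indicator.
"""
import ipaddress
import sys

# Constructed HOSTS file in the Windows layout: comments, the localhost
# stanza, two hijacked bank names, one AV update host pinned to nowhere,
# one redirected search engine and one user-added sinkhole (as in the post).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.bankofamerica.com
198.51.100.23   bankofamerica.com
0.0.0.0         update.avg.com      # AV updates blackholed
203.0.113.7     www.google.com
127.0.0.1       evil-c2.example     # sinkhole added by the user
"""

# Names whose HOSTS entries always deserve a look: banks, AV vendors, update hosts.
WATCHED_DOMAINS = ["bankofamerica.com", "paypal.com", "avg.com",
                   "malwarebytes.org", "windowsupdate.com"]


def default_hosts_path():
    if sys.platform == "win32":
        return r"C:\Windows\System32\drivers\etc\hosts"
    return "/etc/hosts"


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address; ignore the line
        for host in parts[1:]:  # one line may name several hosts
            entries.append((parts[0], host.lower()))
    return entries


def is_watched(host, watched):
    return any(host == d or host.endswith("." + d) for d in watched)


def classify(ip, host, watched):
    """'redirected' for a name sent to a real address, 'blackholed' for a
    watched name pinned to loopback or 0.0.0.0, None for a benign entry."""
    addr = ipaddress.ip_address(ip)
    local = addr.is_loopback or addr.is_unspecified
    if not local:
        return "redirected"  # any real address here deserves a human look
    if is_watched(host, watched):
        return "blackholed"
    return None  # localhost lines and the user's own sinkholes


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return (ip, host, verdict) for every entry that is not benign."""
    findings = []
    for ip, host in parse_hosts(text):
        verdict = classify(ip, host, watched)
        if verdict:
            findings.append((ip, host, verdict))
    return findings


if __name__ == "__main__":
    try:
        with open(default_hosts_path(), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS  # fall back to the constructed sample
    for ip, host, verdict in audit_hosts(text):
        print(f"{verdict:10} {ip:16} {host}")
```

Every non-loopback mapping is reported on purpose: a legitimate intranet alias shows up too, but on a home machine a clean HOSTS file contains nothing but the localhost lines, so anything else is worth a minute of attention, and a bank or AV name is worth more than that.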

[May 25, 2013] Scanner Identifies Malware Strains, Could Be Future of AV

May 25, 2013

An anonymous reader writes "When it comes to spotting malware, signature-based detection, heuristics and cloud-based recognition and information sharing used by many antivirus solutions today work well up a certain point, but the polymorphic malware still gives them a run for their money. At the annual AusCert conference held this week in Australia a doctorate candidate from Deakin University in Melbourne has presented the result of his research and work that just might be the solution to this problem. Security researcher Silvio Cesare had noticed that malware code consists of small "structures" that remain the same even after moderate changes to its code. He created Simseer, a free online service that performs automated analysis on submitted malware samples and tells and shows you just how similar they are to other submitted specimens. It scores the similarity between malware (any kind of software, really), and it charts the results and visualizes program relationships as an evolutionary tree."

[Apr 19, 2013] Gozi banking Trojan

Researchers from security firm Trusteer have found a new variant of the Gozi banking Trojan program that infects a computer's Master Boot Record (MBR) in order to achieve persistence.

... ... ...

Sophisticated malware that uses MBR rootkit components, like TDL4, also known as Alureon or TDSS, is part of the reason why Microsoft built the Secure Boot feature into Windows 8. This malware is hard to detect and remove and can even survive operating system reinstallation procedures.

... ... ...

The new Gozi MBR rootkit component waits for Internet Explorer to be launched and then injects malicious code into the process. This allows the malware to intercept traffic and perform Web injections inside the browser like most financial Trojan programs do, Maor said.

[Mar 22, 2013] Decade-old espionage malware found targeting government computers

Mar 20 2013 | Ars Technica

"TeamSpy" used digitally signed TeamViewer remote access tool to spy on victims.

Researchers have unearthed a decade-long espionage operation that used the popular TeamViewer remote-access program and proprietary malware to target high-level political and industrial figures in Eastern Europe.

TeamSpy, as the shadow group has been dubbed, collected encryption keys and documents marked as "secret" from a variety of high-level targets, according to a report published Wednesday by Hungary-based CrySyS Lab.

Targets included a Russia-based Embassy for an undisclosed country belonging to both NATO and the European Union, an industrial manufacturer also located in Russia, multiple research and educational organizations in France and Belgium, and an electronics company located in Iran. CrySyS learned of the attacks after Hungary's National Security Authority disclosed intelligence that TeamSpy had hit an unnamed "Hungarian high-profile governmental victim."

Malware used in the attacks indicates that those responsible may have operated for years and may have also targeted figures in a variety of countries throughout the world. Adding intrigue to the discovery, techniques used in the attacks bear a striking resemblance to an online banking fraud ring known as Sheldon, and a separate analysis from researchers at Kaspersky Lab found similarities to the Red October espionage campaign that the Russia-based security firm discovered earlier this year.

"Most likely the same attackers are behind the attacks that span for the last 10 years, as there are clear connections between samples used in different years and campaigns," CrySyS researchers wrote in their report. "Interestingly, the attacks began to gain new momentum in the second half of 2012."

They added: "The attackers surely aim for important targets. This conclusion comes from a number of different facts, including victim IPs, known activities on some targets, traceroute for probably high-profile targets, file names used in information stealing activities, strange paramilitary language of some structures, etc."

The attackers relied on a variety of methods, including the use of a digitally signed version of TeamViewer that has been modified through a technique known as "DLL hijacking" to spy on targets in real-time. Installation of the compromised program also provides attackers with a backdoor to install updates and additional malware. Both the TeamViewer technique and command servers used in the attack harken back to Sheldon. The TeamSpy operation also relies on more traditional malware tools that were custom-built for the purpose of espionage or bank fraud.

According to Kaspersky, the operators infected their victims through a series of "watering hole" attacks that plant malware on websites frequented by the intended victims. When the targets visit the booby-trapped sites, they also become infected. The attackers also injected malware into advertising networks to blanket entire regions. In many cases, much of that attack code used to infect victims was spawned from the Eleonore exploit kit. Domains used to host command and control servers that communicated with infected machines included,,,, and

The discovery of TeamSpy is only the latest to reveal an international operation that uses malware to siphon sensitive data from high-profile targets. The most well-known campaign was dubbed Flame. Other surveillance campaigns include Gauss and Duqu, all three of which are believed to have been supported by a well-resourced nation-state. Last year, researchers also uncovered an espionage campaign dubbed Mahdi.

Decade-Old Espionage Malware Found Targeting Government Computers


Researchers have unearthed a decade-long espionage operation that used the popular TeamViewer remote-access program and proprietary malware to target high-level political and industrial figures in Eastern Europe. TeamSpy, as the shadow group has been dubbed, collected encryption keys and documents marked as 'secret' from a variety of high-level targets, according to a report published Wednesday by Hungary-based CrySyS Lab. Targets included a Russia-based Embassy for an undisclosed country belonging to both NATO and the European Union, an industrial manufacturer also located in Russia, multiple research and educational organizations in France and Belgium, and an electronics company located in Iran. CrySyS learned of the attacks after Hungary's National Security Authority disclosed intelligence that TeamSpy had hit an unnamed 'Hungarian high-profile governmental victim.'


Suspicious based on what criteria?

  1. We aren't allowed to use open source and so we have to "trust" every 'signed binary' which executives and leaders want to use. If we could use open source, we could at least read the source and even compile it to ensure the source we read was the binary which was compiled.

  2. When the malware doesn't do "harm" to anything, the symptoms of malware are non-existent. No pop-up ads, no unusual crashing (see note about being unable to use open source... the 'other' operating system crashes often enough for inexplicable reasons that no one suspects malware as the cause any longer) and when a commonly used utility program which performs remote access is used, how can it be detected as malware?

Arguably, that it was proprietary and commercial software which was exploited is pretty disturbing. But at the same time, that software makers (and other device and product makers, and service providers too) frequently enter into deals with government to spy on people is unfortunately very common. That the "white-hat" (heh, I accidentally typed "white-hate"... apropos?) nation called the USA has compromised global communications with Echelon and more recently with the much celebrated NSA wiretapping, does not help matters.

I think no one appreciates the value of trust. Once it's lost, it's lost. What amount of trust in government... any government... may have existed, it is gone for most of us.

The unenlightened? Well... they still watch MSM (mainstream media, I have come to know these initials). What hope have they against that?

Anonymous Coward

Re:A strong push for open source in government (Score:1)

I suspect that as more malware and backdoors are discovered in systems used by government, the penny will begin to drop more frequently. Closed source is incompatible with security, by definition, since you cannot validly trust what you cannot see.

Bullshit. Open or closed source has no direct bearing on the ability of an attacker to infect a binary. Open source provides more eyes on a given bug or problem, but once compiled and running it's the exact same problem.

The article mentions use of a modified signed binary. So tell me how open source is going to remedy that? Unless you're recompiling from scratch (your entire tool chain, plus dependencies) on each launch, you're just as fucked as the next guy. Are you going to checksum the binary in memory each time a method is called? Are you going to encrypt/decrypt on each call? What's to stop an attacker from modifying your checksum code in the same manner as CD checks on games are trivially broken?

The only thing open source is really going to do for you is ensure that if you compile from source, the attack didn't originate from that source. So what?

Anonymous Coward

The fact it's open source IS (or can be) the pathway. If it's a small piece of software that does a specific function that's not of use to many people, your million eyeballs shrink rapidly. And what you're left with (IMO) is a handful of eyeballs thinking "I don't have the time/skills for this, it's open source, I'm sure someone will have looked over it" while no one actually does.

Or someone auditing the code but not the stuff around it, or maybe the code as distributed is clean and will compile into a clean and functioning binary, but the scripts around it actually add some malicious steps if certain criteria are met.

Open source isn't a magic bullet.

[Feb 28, 2013] Computer virus that activates webcam spreads, finds East Tennessee victims by Jennifer Meckles

Oct 5, 2012 |
Authorities are tracking a new computer virus that uses a fake "FBI" message in an attempt to extort money from its victims.

Called "Reveton Ransomware," officials say the virus is installed on a computer when a user visits a compromised website. The computer then locks, while displaying a warning that the FBI or Department of Justice has identified the computer as being involved in criminal activity. The fake message instructs users to pay a fine using a prepaid money card service, which will unlock the computer.

The computer's webcam is also activated, showing the user a live picture of themselves.

"We started seeing versions of this virus last year, but of course, like all scams, it morphs over time," said FBI Supervisory Special Agent Marshal Stone, of the Knoxville Division.

Stone says FBI officials do not conduct business in that fashion, and would never demand payment to unlock a computer.

The virus has already found victims in East Tennessee. Sean Woods of "Computer Solutions" in Seymour says he has worked three cases within the past week.

"In this case, a person will lose everything that they've ever had. If it's not backed up, it's gone," he said.

Officials have not confirmed which websites lead to the virus, but Woods says he is connecting some trends. He believes users are picking up the virus through shared files, illegal downloads, or websites commonly linked to bugs.

"You don't know who's going on your computer and what they're doing," he said, cautioning users to be careful who they share a computer with. "They download content such as music… they're out there for you to go view, this is where you're getting hit."

Woods says users should also keep their virus protection software up to date.

The FBI encourages any victims of the virus to file a complaint with the Internet Crime Complaint Center at

Google under fire for sending users' information to developers by Thom Holwerda

"Sebastian Holst makes yoga mobile apps with his wife, a yoga instructor. The Mobile Yogi is sold in all the major mobile app stores. But when someone buys his app in the Google Play store, Holst automatically gets something he says he didn't ask for: the buyer's full name, location and email address.

He says consumers are not aware that Google Inc. is sharing their personal information with third parties. No other app store transmits users' personal information to third-party developers when they buy apps, he said." Oh Google.


Hopefully this applies only when "buying" an app.

If so, then I should be safe. This kind of privacy violation is just... wrong. Google seems to think that their customers automatically trust third parties or something... if anything, this demonstrates that Google themselves should not be trusted.


RE[2]: Obviously a bug by darknexus

"If it had been a certain fruit company everyone would be rioting.

Man, it's so hard to be persecuted, eh? "

Much as I hate to be defending Apple this time, the OP is absolutely correct. There's definitely a double standard in place for Apple in the tech media, particularly though not exclusively when compared to Google.

If Apple had been the one doing this, everyone would have been up in arms, torches lit, ready to burn down Apple HQ and any other buildings around them just to make sure the deed was done.

When Google does it, not only do we get some people giving them the benefit of the doubt but we even have some that claim Google are in the right to do this. If that's not a double standard, I don't know what is. For myself, I say no app store should give

[Feb 16, 2013] The Antivirus Industry's Dirty Little Secret

Video, you need Adobe Flash to view it...
Feb. 14, 2013 | Businessweek

-- Bloomberg Businessweek's Jordan Robertson discusses why the antivirus industry has so many customers in the face of its ineffectiveness. He speaks on Bloomberg Television's "Market Makers." (Source: Bloomberg)

[Feb 13, 2013] Welcome to the Malware-Industrial Complex By Tom Simonite

February 13, 2013 | MIT Technology Review

The U.S. government is developing new computer weapons and driving a black market in "zero-day" bugs. The result could be a more dangerous Web for everyone.

Every summer, computer security experts get together in Las Vegas for Black Hat and DEFCON, conferences that have earned notoriety for presentations demonstrating critical security holes discovered in widely used software. But while the conferences continue to draw big crowds, regular attendees say the bugs unveiled haven't been quite so dramatic in recent years.

One reason is that a freshly discovered weakness in a popular piece of software, known in the trade as a "zero-day" vulnerability, can be cashed in for much more than a reputation boost and some free drinks at the bar. Information about such flaws can command prices in the hundreds of thousands of dollars from defense contractors, security agencies and governments.

This trade in zero-day exploits is poorly documented, but it is perhaps the most visible part of a new industry that in the years to come is likely to swallow growing portions of the U.S. national defense budget, reshape international relations, and perhaps make the Web less safe for everyone.

Zero-day exploits are valuable because they can be used to sneak software onto a computer system without detection by conventional computer security measures, such as antivirus packages or firewalls. Criminals might do that to intercept credit card numbers. An intelligence agency or military force might steal diplomatic communications or even shut down a power plant.

It became clear that this type of assault would define a new era in warfare in 2010, when security researchers discovered a piece of malicious software, or malware, known as Stuxnet. Now widely believed to have been a project of U.S. and Israeli intelligence (U.S. officials have yet to publicly acknowledge a role but have done so anonymously to the New York Times and NPR), Stuxnet was carefully designed to infect multiple systems needed to access and control industrial equipment used in Iran's nuclear program. The payload was clearly the work of a group with access to government-scale resources and intelligence, but it was made possible by four zero-day exploits for Windows that allowed it to silently infect target computers. That so many precious zero-days were used at once was just one of Stuxnet's many striking features.

Since then, more Stuxnet-like malware has been uncovered, and it's involved even more complex techniques (see "The Antivirus Era Is Over"). It is likely that even more have been deployed but escaped public notice. Meanwhile, governments and companies in the United States and around the world have begun paying more and more for the exploits needed to make such weapons work, says Christopher Soghoian, a principal technologist at the American Civil Liberties Union.

"On the one hand the government is freaking out about cyber-security, and on the other the U.S. is participating in a global market in vulnerabilities and pushing up the prices," says Soghoian, who says he has spoken with people involved in the trade and that prices range from the thousands to the hundreds of thousands. Even civilian law-enforcement agencies pay for zero-days, Soghoian says, in order to sneak spy software onto suspects' computers or mobile phones.

Exploits for mobile operating systems are particularly valued, says Soghoian, because unlike desktop computers, mobile systems are rarely updated. Apple sends updates to iPhone software a few times a year, meaning that a given flaw could be exploited for a long time. Sometimes the discoverer of a zero-day vulnerability receives a monthly payment as long as a flaw remains undiscovered. "As long as Apple or Microsoft has not fixed it you get paid," says Soghoian.

No law directly regulates the sale of zero-days in the United States or elsewhere, so some traders pursue it quite openly. A Bangkok-based security researcher who goes by the name The Grugq tweets about acting as a middleman and has spoken to the press about negotiating deals worth hundreds of thousands of dollars with government buyers from the United States and western Europe. In an argument on Twitter last month, he denied that his business is equivalent to arms dealing, as critics within and outside the computer security community have charged. "An exploit is a component of a toolchain," he tweeted. "The team that produces & maintains the toolchain is the weapon."

Some small companies are similarly up-front about their involvement in the trade. The French security company VUPEN states on its website that it

"provides government-grade exploits specifically designed for the Intelligence community and national security agencies to help them achieve their offensive cyber security and lawful intercept missions."

Last year, employees of the company publicly demonstrated a zero-day flaw that compromised Google's Chrome browser, but they turned down Google's offer of a $60,000 reward if they would share how it worked. What happened to the exploit is unknown.

No U.S. government agency has gone on the record as saying that it buys zero-days. But U.S. defense agencies and companies have begun to publicly acknowledge that they intend to launch as well as defend against cyberattacks, a stance that will require new ways to penetrate enemy computers.

General Keith Alexander, director of the National Security Agency and commander of the U.S. Cyber Command, told a symposium in Washington last October that the United States is prepared to do more than just block computer attacks. "Part of our defense has to consider offensive measures," he said, making him one of the most senior officials to admit that the government will make use of malware. Earlier in 2012 the U.S. Air Force invited proposals for developing "Cyberspace Warfare Attack capabilities" that could "destroy, deny, degrade, disrupt, deceive, corrupt, or usurp the adversaries [sic] ability to use the cyberspace domain for his advantage." And in November, Regina Dugan, the head of the Defense Advanced Research Projects Agency, delivered another clear signal about the direction U.S. defense technology is heading. "In the coming years we will focus an increasing portion of our cyber research on the investigation of offensive capabilities to address military-specific needs," she said, announcing that the agency expected to expand cyber-security research from 8 percent of its budget to 12 percent.

Defense analysts say one reason for the shift is that talking about offense introduces an element of deterrence, an established strategy for nuclear and conventional conflicts. Up to now, U.S. politicians and defense chiefs have talked mostly about the country's vulnerability to digital attacks. Last fall, for example, Defense Secretary Leon Panetta warned frankly that U.S. infrastructure was being targeted by overseas attackers and that a "digital Pearl Harbor" could result (see "U.S. Power Grids, Water Plants a Hacking Target").

Major defense contractors are less forthcoming about their role in making software to attack enemies of the U.S. government, but they are evidently rushing to embrace the opportunity. "It's a growing area of the defense business at the same time that the rest of the defense business is shrinking," says Peter Singer, director of the 21st Century Defense Initiative at the Brookings Institution, a Washington think tank. "They've identified two growth areas: drones and cyber."

Large contractors are hiring many people with computer security skills, and some job openings make it clear there are opportunities to play more than just defense. Last year, Northrop Grumman posted ads seeking people to "plan, execute and assess an Offensive Cyberspace Operation (OCO) mission," and many current positions at Northrop ask for "hands-on experience of offensive cyber operations." Raytheon prefaces its ads for security-related jobs with language designed to appeal to stereotypical computer hackers: "Surfboards, pirate flags, and DEFCON black badges decorate our offices, and our Nerf collection dwarfs that of most toy stores. Our research and development projects cover the spectrum of offensive and defensive security technologies."

The new focus of America's military and defense contractors may concern some taxpayers. As more public dollars are spent researching new ways to attack computer systems, some of that money will go to people like The Grugq to discover fresh zero-day vulnerabilities. And an escalating cycle of competition between U.S. and overseas government agencies and contractors could make the world more dangerous for computer users everywhere.

"Every country makes weapons: unfortunately, cyberspace is like that too," says Sujeet Shenoi, who leads the U.S.-government-sponsored Cyber Corps Program at the University of Tulsa. His program trains students for government jobs defending against attacks, but he fears that defense contractors, also eager to recruit these students, are pushing the idea of offense too hard. Developing powerful malware introduces the dangerous temptation to use it, says Shenoi, who fears the consequences of active strikes against infrastructure. "I think maybe the civilian courts ought to get together and bar these kinds of attacks," he says.

The ease with which perpetrators of a computer attack can hide their tracks also raises the risk that such weapons will be used, Shenoi points out. Worse, even if an attack using malware is unsuccessful, there's a strong chance that a copy will remain somewhere on the victim's system—by accident or design—or accidentally find its way onto computer systems not targeted at all, as Stuxnet did. Some security firms have already identified criminal malware that uses methods first seen in Stuxnet (see "Stuxnet Tricks Copied by Criminals").

"The parallel is dropping the atomic bomb but also leaflets with the design of it," says Singer. He estimates that around 100 countries already have cyber-war units of some kind, and around 20 have formidable capabilities: "There's a lot of people playing this game."

[Jan 11, 2013] Adobe Flash Virus - McAfee Security Scan Plus Scam

Adobe Engaging in a Detestable Practice
Adobe has begun a new campaign of evil. They are installing unrequested software without the user's permission. Although the software may seem fairly benign and even helpful, it isn't. It is actually fairly harmful to the computing experience.

... .... ...

Please close Firefox to continue installation... flash player installed...McAfee Security Scan Plus installed....WHAT? I never gave permission to install McAfee. I watched very carefully to make sure I unchecked any boxes that asked me for permission to install additional software. Well, maybe I missed it. Besides, it sounded fairly benign. I decided to let it go.

Problems with McAfee - May Adobe Die

I began noticing some new problems with my computer. This was very strange as I hadn't tried any new programs yet. The only security that I use for my computer is WinPatrol and the only new program it showed running in the background was McAfee. Programs and sound files would freeze for about a tenth of a second and I worried about a hardware problem caused by working on my computer. Even YouTube videos would stutter. I even opened up my computer again and made sure everything was seated tight and no cables bumping against the wrong thing. I couldn't find any physical problems though.

Luckily, I got around to uninstalling McAfee. It is easy to remove, just click on start, all programs tab, then McAfee tab. There will be an option to uninstall McAfee and it runs without any problems.

After removing McAfee, the next time I booted up my computer it ran perfectly again. This got me curious. I went online and discovered that I am not the first to have problems with Adobe and their unwanted software. Other IT users noticed that McAfee was installed without any check boxes or warnings. It might be in the EULA, but who reads that. The EULA may protect them legally, but in my book it doesn't mean that what they are doing is moral. It only means that Adobe knows how to legally scam people while protecting itself.

I heard that McAfee has caused some serious problems on other people's computers too. Recently, it would cause computers to constantly reboot after installation. How many people would know how to fix that problem?

Why would Adobe do such a thing? Well, it turns out that the McAfee installation isn't a full working version. It may detect viruses, but you will have to pay money to upgrade to a full version that removes them. Basically, Adobe and McAfee are trying to bleed people for money.

I suspect in the long run, this will work against Adobe

... ... ... ...

[Jan 11, 2013] McAfee VirusScan - Wikipedia, the free encyclopedia

Customer support criticisms

Reviewers have described customer support for McAfee products as lacking, with support staff slow to respond and unable to answer many questions.[9]

2010 reboot problem

On April 21, 2010, beginning approximately at 2 PM GMT, an erroneous virus definition file update from McAfee affected millions of computers worldwide running Windows XP Service Pack 3. The update resulted in the removal of a Windows system file (svchost.exe) on those machines, causing machines to lose network access and, in some cases, to enter a reboot loop. McAfee rectified this by removing and replacing the faulty DAT file, version 5958, with an emergency DAT file (version 5959) and has posted a fix for the affected machines in its consumer "KnowledgeBase".[11]

2012 update issues

An August 2012 update to McAfee Antivirus caused the protection to turn off and users to lose internet connections. McAfee was criticised for not notifying users promptly of the issues when it learned about them.[13]

[Jan 05, 2013] Foreign Policy Group Gets Hacker Happy New Year | Discovery News

See also Sirefef and Win32/Tracur.AV. Using IE 8 became really dangerous in those days.
Hackers said a big Happy New Year to the Council on Foreign Relations, using the organization's own website to attack unsuspecting visitors.

The CFR is a non-partisan policy group, known mostly for publishing Foreign Affairs, an influential journal on the subject. The group's website was infected with malware that uses a "watering hole" attack -- waiting for users to visit the site before downloading the malware to their machines. The malware involved allows a hacker to execute code remotely on the target computer.

... ... ...

The malware only works on Internet Explorer 8 or earlier versions. The hackers altered the HTML code on the CFR's website itself and were able to remotely execute a program on any computer that accessed the site. The malware was hidden in several pieces and stored in areas that the web page needed to go to in order to retrieve stored content such as text and pictures. "The javascript is hidden in a file on the system that is usually used for a completely different purpose," he said.

Microsoft is reportedly working on a permanent fix, and issued a security advisory on Dec. 29. In the meantime there is an automatic work-around here. The simplest way to protect oneself is to disable Javascript and Flash, according to Microsoft, but sometimes turning those two features on and off for different sites can be inconvenient.

Users of Internet Explorer 9 and later aren't vulnerable.

While the particular attack on the CFR website used a previously unknown vulnerability in Internet Explorer, the "watering hole" attack is nothing new: a local government site in Maryland and a bank in Boston were hit by one called VOHO in July, which infected targeted computers with code that sent information such as keystrokes back to a server.

[Jan 03, 2013] Antivirus Makers Work on Software to Catch Malware More Effectively

"The traditional signature-based method of detecting malware is not keeping up." This has been known for 20 years or so. Nothing has changed.
Consumers and businesses spend billions of dollars every year on antivirus software. But these programs rarely, if ever, block freshly minted computer viruses, experts say, because the virus creators move too quickly. That is prompting start-ups and other companies to get creative about new approaches to computer security.

"The bad guys are always trying to be a step ahead," said Matthew D. Howard, a venture capitalist at Norwest Venture Partners who previously set up the security strategy at Cisco Systems. "And it doesn't take a lot to be a step ahead."

Computer viruses used to be the domain of digital mischief makers. But in the mid-2000s, when criminals discovered that malicious software could be profitable, the number of new viruses began to grow exponentially.

In 2000, there were fewer than a million new strains of malware, most of them the work of amateurs. By 2010, there were 49 million new strains, according to AV-Test, a German research institute that tests antivirus products.

The antivirus industry has grown as well, but experts say it is falling behind. By the time its products are able to block new viruses, it is often too late. The bad guys have already had their fun, siphoning out a company's trade secrets, erasing data or emptying a consumer's bank account.

A new study by Imperva, a data security firm in Redwood City, Calif., and students from the Technion-Israel Institute of Technology is the latest confirmation of this. Amichai Shulman, Imperva's chief technology officer, and a group of researchers collected and analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab. They found that the initial detection rate was less than 5 percent.

On average, it took almost a month for antivirus products to update their detection mechanisms and spot the new viruses. And two of the products with the best detection rates — Avast and Emsisoft — are available free; users are encouraged to pay for additional features. This despite the fact that consumers and businesses spent a combined $7.4 billion on antivirus software last year — nearly half of the $17.7 billion spent on security software in 2011, according to Gartner.

"Existing methodologies we've been protecting ourselves with have lost their efficacy," said Ted Schlein, a security-focused investment partner at Kleiner Perkins Caufield & Byers. "This study is just another indicator of that. But the whole concept of detecting what is bad is a broken concept."

Part of the problem is that antivirus products are inherently reactive. Just as medical researchers have to study a virus before they can create a vaccine, antivirus makers must capture a computer virus, take it apart and identify its "signature" — unique signs in its code — before they can write a program that removes it.

That process can take as little as a few hours or as long as several years. In May, researchers at Kaspersky Lab discovered Flame, a complex piece of malware that had been stealing data from computers for an estimated five years.

Mikko H. Hypponen, chief researcher at F-Secure, called Flame "a spectacular failure" for the antivirus industry. "We really should have been able to do better," he wrote in an essay for after Flame's discovery. "But we didn't. We were out of our league in our own game."

Symantec and McAfee, which built their businesses on antivirus products, have begun to acknowledge their limitations and to try new approaches. The word "antivirus" does not appear once on their home pages. Symantec rebranded its popular antivirus packages: its consumer product is now called Norton Internet Security, and its corporate offering is now Symantec Endpoint Protection.

"Nobody is saying antivirus is enough," said Kevin Haley, Symantec's director of security response. Mr. Haley said Symantec's antivirus products included a handful of new technologies, like behavior-based blocking, which looks at some 30 characteristics of a file, including when it was created and where else it has been installed, before allowing it to run. "In over two-thirds of cases, malware is detected by one of these other technologies," he said.


Recommended Links

Interviews and reviews

FAT32 New Problems for Viruses or Anti-Virus -- a sober look at problems with interaction between scanners and file systems. You will never read this in ZD publications ;-)

The Virus Creation Labs - An excerpt from Dr. George C. Smith's book -- an interesting book about interaction between virus writers and AV industry (see also Crypt Newsletter). Here is an excerpt from Rob Rosenberger (the author of False Authority Syndrome) review. In his Recommended books & publications he wrote:

The media portrays virus writers as teenage prodigies whose temper tantrums threaten the world. The media portrays antivirus companies as serious business professionals who work closely with competitors and international agencies to keep virus writers at bay. If you listen to the media, it's a World War with clear lines drawn between good & evil. The media doesn't have a clue. "Drunken brawl" most accurately describes the virus/antivirus conflict. You can't always tell the good guys from the bad guys (they occasionally switch sides) and it's every man for himself. Virus writers rarely advance the state of the art -- but antivirus firms profit by declaring them deadly computer terrorists. Few books about viruses delve into this bizarre soap opera, and most of those only cover it briefly. Crypt Newsletter editor George C. Smith's entire book exposes an insane world where everybody claws at each others' throats -- and where even the virus writers have marketing departments. 172 pages written with an utterly cynical sense of humor & irony. I read The Virus Creation Labs for the first time while sitting in an airport terminal and I repeatedly embarrassed myself with bursts of laughter.

Microsoft Office 97 Visual Basic Programmer's Guide -- one cannot understand macro virus problem without understanding VBA

Microsoft: Your one stop shop for macro viruses.

Crypt Newsletter supplied this short paper to a consumer group in Washington, D.C., that's trying to prevent the software industry from running over consumers in the area of product liability law. The industry's position is, obviously, "It's your neck if you buy, use or download our products and then wind up hosed in any way."

Most people with even half a brain grasp the point that this is a profoundly anti-consumer stance.

In America, only the computer software industry has this carte blanche ticket to screw with people unapologetically. If any other type of company in your hometown were caught ignorantly putting saltpeter into the water supply for years, you could go after them. Maybe you could even get the media outraged, too!

If this analogy isn't clear enough, consider the recent case of Williamson Sales of San Diego and the distribution of hepatitis A contaminated strawberries. Now, you should know hepatitis A -- if you're going to get hepatitis -- is the hepatitis to get. The virus that causes it is, relatively speaking, mild. Some people who contract the disease often don't know they have it; symptoms vary widely and may never appear noticeably. Children, who were the consumers of Williamson's strawberries, generally don't get as sick as adults. Victims may become extremely jaundiced or not at all.

In no cases during the media firestorm over the virus-contaminated strawberries were company officials caught saying things like "It's not our fault, there's no liability, you broke the shrinkwrap and ate the strawberries," or "It's just a minor hepatitis virus (not B or non-A/non-B which are extremely bad), a relative prankster, no one will get very sick, perhaps not at all." Can you imagine what would have happened if any had? A vice-president of Williamson, or its parent, Epitope, would have been ceremonially lynched by the media.

However, the software industry lives in a kind of mystic never-never land where these conditions do not apply. By the same token, the industry is allowed to drown everyone in ads creating the impression that products will take you anywhere you want to go, educate your children, revivify your moribund career, make you more appealing to women, earn riches for you . . . well, you know the drill.

Keep in mind as you read what follows that Microsoft's distribution of the Concept and Wazzu macro viruses is one reason these viruses have become two of the most widely reported macro virus infections in the wild. Keep in mind, a hundred crazed virus writers busily uploading virus-infected uuencoded binaries to alt.cracks or couldn't accomplish in five years what Microsoft facilitated in two. Keep in mind that the level of technical attention to detail and preventive measures needed to prevent these mass distributions was well within the capability of Bill Gates' minions.

That's Not a Virus! -- an important paper, from the historical perspective, by Chengi Jimmy Kuo, Director of AV Research at McAfee Associates (in 2996 he left McAfee's AVERT research team to join Microsoft; he had been with McAfee since 1995, when McAfee's AVERT lab team started). Paradoxically, McAfee was the best virus hype propagandist in the world and owes a large part of his fortune to it.

Mythinformed -- an interesting article on the False Authority Syndrome. See also False Authority Syndrome

Wolfgang Stiller, an internationally recognized virus expert and author of the Integrity Master anti-virus program, says "Computer security experts today--people who deserve that title--tend to have a good background on how viruses operate. They can dispense some good advice."

But he chooses his words carefully when asked to comment on virus expertise among computer security personnel. "They're a little more likely than the average person to understand viruses," Stiller notes. "Some would say they're a lot more likely to understand them, but I've met a fair number who don't know a thing about viruses, or, even worse, they've got misconceptions. In light of the fact they are computer security experts, their misconceptions carry a lot more weight than the average person. Errors are much more damaging when they come out of the mouths of these people."

Stiller sums up False Authority Syndrome among computer security experts by stating "Put me on a panel with a computer security person, and I won't claim to have his level of security expertise. But the computer security guy will invariably claim to have my level of virus expertise. How can you convince the audience in a diplomatic way that he doesn't?"


The anti-virus industry likes to think of itself as a team of collegial white knights riding to the rescue of all beset by computer viruses. In truth, it's a mutually antagonistic, factious business where everybody wakes up hoping everybody else has failed the night before. Case in point: the recent series of lawsuits between McAfee Associates and Symantec.

Far from unique, such lawsuits are beginning to look like just another turd in the anti-virus industry punchbowl. The difference in this latest news is that McAfee Associates has attempted to attach a billion-dollar price tag to the squabble by suing Symantec for defamation.

While I won't go into great detail about the method Microsoft uses (alas, "the enemy" is everywhere), I can say that the SR-1 modifications are quite effective in preventing the spread of most existing Word macro viruses. The SR-1 changes stop almost all Word 97 macro virus "upconverts" - viruses originally written for Word 6 and 95 that have been automatically converted to infect Word 97 documents - dead in their tracks. Even better, the technique doesn't rely on identifying individual viruses and counteracting them; instead, Microsoft has discovered a way to prohibit the most common method viruses use to propagate. Think of it as birth control for Word macro viruses. These new anti-virus routines work not only on current viruses, but also on viruses that haven't yet been created. It's a very significant step in the right direction.

Office 2000 has introduced digital signatures to help users distinguish legitimate code from undesirable and viral code. If you open an Office document and see a macro security warning with digital signature information, you can feel reasonably confident that the person (or corporation) signing the macros wrote them. You can choose to trust all macros signed by this person by checking the Trust all macros from this source checkbox. From then on, Office will enable the macros without showing a security warning for any document with macros signed by this trusted source.

Office 2000 silently disables non-signed macros when the new Office 2000 Security Level feature is set to “High.” In fact, the default security setting for Word 2000 is "High." By removing the chance that a user “accidentally” enables a virus-infected document, the high security level helps reduce the spread of macro viruses. If all legitimate macros are digitally signed, then users do not even need to see the security warning without digital signature information.


Nikolai Bezroukov. Malware Defense History (slightly outdated -- I was active in virus research from 1987 till 1991, when I published Computer Virology, one of the first academic-style books devoted to computer viruses; then I returned to this field in 1996 and generally finished my AV career in 1998, with periodic splashes of interest since then...)

Microsoft Office 97 Visual Basic Programmer's Guide -- one cannot understand the macro virus problem without understanding VBA.

FAT/FAT32 materials (some old file and boot viruses were FAT-specific).

FAT32 New Problems for Viruses or Anti-Virus -- a sober look at problems with the interaction between scanners and file systems. You will not read this in ZD publications ;-)

Understanding Virus Behavior in the Windows NT Environment -- a rare decent paper about the topic

A white paper on Office 2000 vulnerability to macro viruses -- Symantec white paper "Microsoft Office 2000 and Security Against Macro Viruses" by Darren Chi. Local copy: Reprints/o2secwp.pdf

Office 2000 Macro Security -- Microsoft paper. See also the HTML variant here.


Nikolai Bezroukov. Computer Virology (zip archive of the book -- in Russian).



FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusively for research and educational purposes. If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner.


Copyright © 1996-2015 by Dr. Nikolai Bezroukov. was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

The site uses AdSense, so you need to be aware of the Google privacy policy. If you do not want to be tracked by Google, please disable Javascript for this site. This site is perfectly usable without Javascript.

Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.


This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contains some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speed up access. In case is down currently there are two functional mirrors: (the fastest) and


The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: September 27, 2015