A vulnerability in Android called Stagefright was exposed at the 2015 Black Hat conference in early August. You may have heard of it, if only because the media frenzy that followed claimed that hundreds of millions of phones could be hacked with a single text – but is any of that true? If that were the case, surely Google, the developer of the popular operating system, would have fixed it by now…right?
AV-Comparatives is one of the most reputed, independent antivirus testing organizations. At the end of each year they release a summary report to comment on the performance of all the tested security programs, based on the product’s performance throughout the year. We are proud to announce that Emsisoft was classified as one of the few “top rated” products this year, receiving five advanced+ awards in total.
Consistent Advanced+ Protection
Emsisoft is top rated this year, with five advanced+ awards. It impressed us with it’s completely new user interface
Advanced+ is the highest rating issued by AV-Comparatives to the best performing, top tier security products. We are definitely very happy to be in that category. Consistency has always been one of our top priorities and the five advanced+ awards we received this year reflects that. We have received advanced+ ratings in the following categories :
You can view the AV-Comparatives chart for details and other categories tested. –
Ransomware CryptoLocker was one of the most infamous malware families of the years 2013 and 2014 and although the operation behind the original CryptoLocker malware family has been dismantled in 2014, it’s still a name that frightens a lot of users and system administrators alike. It is therefore not surprising that other malware authors try to capitalize on CryptoLocker’s reputation by releasing copycats.
One of the most recent copycats that we became aware of is a ransomware named PClock that showed up just a day ago. Unlike CryptoLocker though, which was a somewhat complex and sophisticated piece of malware, PClock is quite primitive by nature.
72-hour countdown timer to pay USD$300 ransom
Like all file encrypting ransomware (also known as crypto malware) PClock’s main goal is to encrypt important files on the victim’s system in order to compel them to pay a ransom in return for their files. Like CryptoLocker it gives the user a 72-hour ultimatum to pay the ransom of 1 bitcoin (approximately USD $300). Otherwise it claims to destroy the keys required to decrypt the user’s files:
– See more at: http://blog.emsisoft.com/2014/10/29/using-gmail-drafts-to-command-and-control-your-computer/#sthash.dZS6fBdx.dpuf
For those who (over) think before they email, the Drafts folder can be both blessing and a curse. Anyone who has ever accidentally sent an unfinished draft to a coworker, new contact, or friend will probably even go one further: unfinished drafts that reveal what you’re thinking before the thought is polished and ready to be sent can be embarrassing and unprofessional. Thanks to the unending nefariousness of malware writers, the email drafts folder can now also be considered dangerous.
Researchers have uncovered a variant of the Icoscript RAT that uses Gmail draft folders to issue commands to and collect data from infected computers. Many types of malware do this latter part – that is, connect to a “command and control” server, to provide updates and steal information – but the use of draft emails to make this happen adds a new layer of stealth to the process.
According to reports, attackers are able to pull this off because they can use the remote access trojan to open an invisible instance of Internet Explorer on the infected computer. Windows is built to allow programs to do this, to perform behind the scenes information gathering. With Icoscript, attackers are leveraging this capability to log into an anonymous Gmail account and issue C&C commands through an unsent draft. Conversely, the malware is also designed to place stolen data in drafts for cybercriminals to collect. In effect, attackers have created a malware communication channel, with a trusted program, where nothing is ever actually sent. This makes the malware much harder to detect than programs that perform C&C communication through other protocols, on many of which strange activity will be detected by anti-malware.
Those who have discovered this clever little draft trick – that’s also sometimes used by people who have affairs to exchange messages on a shared email – stress that “there’s no easy way to detect its surreptitious data theft without blocking Gmail altogether.” For end users, this means that protection hinges on prevention. Icoscript may be good at hiding itself, but it still has to work its way onto your machine. If you’re using an anti-malware that processes roughly 225,000 new malware samples every single day, and you’re well-versed in all the ways cybercriminals use to trick people into installing their creations, it is very unlikely that this will occur.
You will still need to be careful about spilling your heart out in an email draft, though 😉
Have a nice (malware-free) day!
– See more at: http://blog.emsisoft.com/2014/10/29/using-gmail-drafts-to-command-and-control-your-computer/#sthash.0H7g6xqY.dpuf
In Alerts & Outbreaks by steve on October 22, 2014 | English
– See more at: http://blog.emsisoft.com/2014/10/22/widespread-windows-zero-day-affecting-microsoft-office-files/#sthash.g5VZQ18G.dpuf
Last week, Emsisoft published details on The Sandworm Team, and how this group of hackers has been using vulnerability CVE-2014-4114 to remotely execute malicious code through shared Microsoft Office files. Microsoft has since issued a patch for this vulnerability; however, it has been discovered that there is still a way to exploit Microsoft Office files to serve malware. This new zero day vulnerability has been designated CVE-2014-6352, and it allows attackers to remotely execute malicious code on all supported versions of Windows, excluding Windows Server 2003. This unpatched zero day has been used by The Sandworm Team, and it is currently also being used by cybercriminals across the Internet. Observed attacks have involved targeted emails containing malicious Powerpoint attachments. In theory, this vulnerability could also be leveraged in any scenario where Microsoft Office documents are shared.
The most concerning aspect of CVE-2014-6352 is that it affects the most recently patched versions of Windows. Microsoft is currently investigating the issue, but it could be nearly 3 weeks before the vulnerability is formally patched. In the meantime, cybercriminals will be sure to exploit the vulnerability to serve malware to as many users as they can.
To stay protected, Emsisoft recommends:
Due to the facts that 1) sharing Microsoft Office files is for many people an everyday task and 2) that Microsoft’s Suggested Actions are somewhat technical, it is likely that CVE-2014-6352 will allow cybercriminals to infect a lot of users with malware. Furthermore, because a vulnerability is essentially a doorway into your PC, the malware served in such attacks will widely vary.
User running Emsisoft should know that, as was the case with CVE-2014-4114 and The Sandworm Team, your security solution does offer automatic protection from this latest zero day. If you are running one of our products, no further action is required: simply allow your computer to update whenever Microsoft issues a formal patch.
For those not using protection, we recommend giving Emsisoft Anti-Malware a try. You can actually test it for 30 days, at no cost – meaning that even if you hate it (which we’re pretty sure you won’t 🙂 it will guarantee protection from this latest zero day until Microsoft fixes the problem. After the vulnerability is patched, you can then simply uninstall your trial – or you can keep it, to ensure that you’re protected the next time an application vulnerability (inevitably) pops up.
– See more at: http://blog.emsisoft.com/2014/10/22/widespread-windows-zero-day-affecting-microsoft-office-files/#sthash.g5VZQ18G.dpuf
What’s been around for 6 whole years, has infected roughly 500,000 Windows-based PCs, and has intercepted information from over 800,000 online banking transactions, including account credentials? Zeus? Guess again.iBanking? Nope. Dyre? No, it’s not that one either – although it does have an equally unusual name. This time around, the culprit is called Qbot, and according to researchers it’s a highly successful botnet operation specifically targeting people who use older versions of Windows in the United States and Europe.
Qbot is a family of malware that spreads through compromised WordPress sites. Once these sites are compromised, they are reprogrammed to exploit visiting computers that contain application vulnerabilities.Once these vulnerabilities are exploited, the computer is instructed to download Qbot, a malicious program that connects the machine to a botnet and that can steal banking credentials.
According to recent reports, Qbot has an eye for the outdated. Since 2008, 52% of observed infections occurred on Windows XP; 39% of observed infections occurred Windows 7; and, 7% of observed infections occurred on Windows Vista. In all that time, 59% of Qbot banking interceptions occurred when a user accessed a website of one of the 5 largest banks in the United States.
Qbot is currently alive and well, with 75% of its 500,000 infected bots residing in the United States.
With headlines reading that the security of nearly 83 million JPMorgan Chase accounts has been compromised by Russian hackers and that 56 million people who shopped at Home Depot between April and September 2014 will need to get a new credit card, 500,000 might not seem like a lot. But a stolen banking password is still a stolen banking password, and in addition to credential theft Qbot also allows attackers to rent out your computer to cybercriminals looking for a zombie horde to commit malicious deeds (think spam or taking down a competitor’s website by overloading it with traffic).
What can you do to stay protected?
Well, a quick look at the stats should make the steps to prevention pretty clear. Don’t run an outdated OS filled with applications that haven’t been updated in years… and if you do, don’t use it to bank online. If you’re unfamiliar with why doing so is generally unsafe, we’d recommend this article on application vulnerabilities.After that, you can also check out the Emsisoft Security Knowledgebase to learn How to perform online-banking securely.
Want an automated solution instead? Then check out the brand new Emsisoft Internet Security. It can block Qbot variants in 3 different ways and also features an online banking mode specifically designed to harden browser software against vulnerabilities the malware attempts to exploit.
Have a great (Qbot-free) day!
For more on Qbot, see this recent featured article from SC Magazine.
Thursday evening, JPMorgan Chase confirmed a system compromise by hackers that affects approximately 76 million households and 7 million small businesses. According to the official statement, both customer contact information and “internal JPMorgan Chase information” relating to users has been compromised.
There is currently no evidence that suggests account information, such as account numbers, passwords, user IDs, dates of birth, or social security numbers, was compromised. The bank also states that they have not found any instances of customer fraud related to the hack.
The extent of this intrusion makes it one of the largest financial data breaches in U.S. history, and the confirmed count of affected customers dwarfs the company’s original estimate of roughly 1 million when the hack was first discovered in July 2014. Speculation as to who carried out the attack currently points to hackers from Southern Europe, with possible ties to the Russian government.
For the full report, see The New York Times. For additional precaution, Emsisoft recommends that any JPMorgan Chase customer reading this alert change their password as soon as possible.
Have a great (cyber-crime-free) day!