Category Archives: Resources

Reporting cybercrime

I haven’t checked the links yet, but Yasin Soliman’s article for Graham Cluley’s site looks really useful. How to report a cybercrime – Who you gonna call? includes a table with contact points in the US appropriate to several categories: I’m guessing that followers of this blog will find the links for ‘Internet fraud and SPAM’ particularly relevant. There are also links to agencies in other parts of the world.

The trouble with compiling such lists of links (which I’ve done many times over the years, in a variety of contexts) is that the links change over time, not only because web pages get changed around, but because agencies (like security companies) are renamed or replaced, or disappear altogether. Right now, though, this looks like an excellent resource.

David Harley

Europol says ‘No More Ransom’

Europol, the European Union’s law enforcement agency, has announced an initiative to address the ransomware issue. (Hat Tip to Kevin Townsend, who first brought it to my attention.)

The agency’s announcement tells us that:

No More Ransom(www.nomoreransom.org) is a new online portal aimed at informing the public about the dangers of ransomware and helping victims to recover their data without having to pay ransom to the cybercriminals…

…The project has been envisioned as a non-commercial initiative aimed at bringing public and private institutions under the same umbrella. Due to the changing nature of ransomware, with cybercriminals developing new variants on a regular basis, this portal is open to new partners’ cooperation.

The site includes:

  • Crypto Sheriff – a form for helping victims try to find out which malware they’re affected by and whether a decrypter is available. Sounds like a potentially useful resource, even though the little graphic reminds me a little of the late, lamented Lemmy rather than a hi-tech search facility. Somewhat similar to MalwareHunter’s ID Ransomware facility.
  • A Ransomware Q&A page
  • Prevention Advice
  • An About page
  • Advice on how to Report a Crime
  • And a limited range of decryption tools from Kaspersky (mostly) and Intel.

Infosecurity Magazine’s commentary notes that:

‘In its initial stage, the portal contains four decryption tools for different types of malware, including for CoinVault and the Shade Trojan. In May, ESET claimed that it had contacted TeslaCrypt’s authors after spotting a message announcing they were closing their ‘project’ and offered a decryption key.

‘Raj Samani, EMEA CTO for Intel Security, told Infosecurity that both Intel Security and Kaspersky had developed decryption tools to apply against Teslacrypt, and these will be posted to the website shortly.

Well, I’m not in a position to compare the effectiveness of various TeslaCrypt decrypters, and I do understand that it’s important for the “The update process for the decryption tools page …[to]… be rigorous.” Kaspersky in particular has a good reputation for generating useful decrypters. And the AVIEN site is certainly not here to pursue ESET’s claim to a portion of the PR pie. Still, there are decrypters around from a variety of resources apart from the companies already mentioned (see Bleeping Computer’s articles for examples). I hope other companies and researchers working in this area will throw their hats into the ring in response to Europol’s somewhat muted appeal for more partnerships, so that the site benefits from a wider spread of technical expertise and avoids some of the pitfalls sometimes associated with cooperative resources. As it states on the portal:

“the more parties supporting this project the better the results can be, this initiative is open to other public and private parties”.

Here are some links for standalone utilities that I’ve listed on the ransomware resource pages here. [Note, however, that these haven’t been rigorously checked, or not by me at any rate.]

Standalone Decryption Utilities

I haven’t personally tested these, and they may not work against current versions of the ransomware they’re intended to work against. Note also that removing the ransomware doesn’t necessarily mean that your files will be recovered. Other companies and sites will certainly have similar resources: I’m not in a position to list them all.

Bleeping Computer Malware Removal Guides

ESET standalone tools

Included with tools for dealing with other malware.

Also: How do I clean a TeslaCrypt infection using the ESET TeslaCrypt …

Kaspersky Tools

CoinVault decryption tool
CryptXXX decryption tool

Trend Micro Tools

Emsisoft Decryptors

18-4-2016 [HT to Randy Knobloch] N.B. I haven’t tested these personally, and recommend that you read the ‘More technical information’ and ‘Detailed usage guide’ before using one of these.

David Harley

 

 

Added to the support scam resources page

An about.com article by Andy O’Donnell on Beware of the ‘Ammyy’ Security Patch Phone Scam: A new twist on an old scam. Rather a narrow AMMYY- and US-centric view of how tech support scams work, but has some suggestions that may be useful to all those people who ask what to do when they’ve allowed a support scammer access to their PC.

Link added to the AVIEN PC ‘TECH SUPPORT’ COLD-CALL SCAM RESOURCES page.

HT to Patrick Nolan.

David Harley 
ESET Senior Research Fellow

Another tech support scam resources update

An article by me for ESET: Support Scams: we don’t really write all the viruses…

Which includes commentary on and references to this article by Eddy Willems of GData: A curious phone call – when a help desk scammer offers you a job

Both added to PC ‘Tech Support’ Cold-Call Scam Resources, of course.

David Harley
ESET Senior Research Fellow

Anti-malware testing resource

Testing security software has been part of my life for almost as long as I’ve been involved with computing: not only in terms of evaluating the efficiency of products and technologies for the organizations I worked for, but as an independent tester (especially of Mac AV) way back in the 90s. I stopped testing when I began to foresee a time when I simply wouldn’t have the time or resources to do justice to what even then was a difficult job. There was a time around 2006 when I was discussing roles on both sides of the vendor/tester divide, but for better or worse, I went over to the dark side and focused on supplying consultancy services to the AV industry (primarily ESET). However, I didn’t escape the testing controversy, being involved almost from the beginning in in the Anti-Malware Testing Standards Organization (AMTSO) and even serving for nearly three years on its Board of Directors.

While I’m still in sympathy with the ultimate aims of AMTSO, when the organization decided that the blog I set up on behalf of the Board no longer met its needs, I found myself needing a platform where I could continue to provide independent commentary on testing issues. Hence, the Anti-Malware Testing blog. While most of the material there right now consists of articles I originally posted to the AMTSO blog (as an independent commentator, not on behalf of AMTSO) that are no longer available elsewhere, it’s primarily intended for new articles. (I am, however, currently working on a resource page similar to the one on the extinct amtso.wordpress.com blogsite, with links to useful articles, papers and other testing-related resources.)

Right now there are three new articles there:

  • Explaining the Anti-Malware Testing Blog is what the title suggests it is.
  • Imperva-ious to Criticism looks at Imperva’s continued defence of its flawed quasi-test methodology, which inappropriately tried to use VirusTotal as a measure of the detection abilities of anti-virus/anti-malware products.
  • A Little Light Relief is a little lighter in tone. Literally. It points to an entertaining article by Robert Slade. After all, if I had to take testing seriously all the time, I’d get very depressed.

Compliments of the season to all our readers, and very best wishes for the New Year.

David Harley CITP FBCS CISSP
Small Blue-Green World/Mac Virus
ESET Senior Research Fellow

Support scams: new resources

Well, not new resources, unfortunately. Just a couple of blogs I haven’t got around previously to flagging here: PC ‘Tech Support’ Cold-Call Scam Resources. I have lots of other material to add, but no time to edit it down to be readable at the moment, unfortunately.

Still you might find the additions (and the resources elsewhere that they point to) of some use and interest.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

PC Support Scam Resources Page – some additions

Also on the resources page, of course, but these are the additions.

Tech support scammers claiming to be from Creative Solutions Online

Report received via the ESET blog of a scam call using the ASSOC and Event Viewer ploys: scammer used the name Alex Parker, and said his company was Creative Solutions Online: creativesolutionsonline.net.

Whocallsme.com came up with a number 4034563615 used by scammers claiming to represent the same company, or for Windows Internet

Office address given as Clearwater, Fla., and phone numbers in UK, US, Australia

REGISTRANT CONTACT INFO
Sibyl Technology Solution
Rubel Debnath
339, purbasinthi
kolkata
west bengal
700030
IN
Phone: +91.9230062065
Email Address:

Also added to support scam resources page in case someone is interested in following up on data like this.

David Harley

 

 

Recent scam resources page updates

It occurs to me that I haven’t flagged here a couple of updates to the scam resources page that I’ve made this month. 

  • Misrepresenting System Utility Output [6th August]
  • Support Scam Anna-lytics and a very dodgy phone number [9th August 2012]

I need to put in some anchors to those sections, but at the moment they’re at the top of the page anyway.

David Harley CITP FBCS CISSP
AVIEN Chief Dogsbody
ESET Senior Research Fellow