Tag Archives: Paul Ducklin

Ransomware: the (Unfortunately Not) Missing .LNK

Paul Ducklin describes in some detail the rising tide of ransomware arriving by email attachment in the form of a .LNK file, and how this bit of trickery works: Beware of ransomware hiding in shortcuts. It’s by no means a new approach to distributing malware, but evidently still successful, not least because ‘LNK files don’t follow the View file name extensions setting in File Explorer, and … they can show up with an icon that is at odds with their real behaviour…’

Fortunately, Paul includes a series of useful tips that mitigate your exposure to this particular malicious behaviour although it doesn’t block it completely. Including this one:

  • Never open LNK files that arrive by email. We can’t think of any situation in which you would need, or even want, to use a LNK file that came via email. The name and icon will probably be misleading, so keep your eyes peeled for the tiny arrow that Windows shows at the bottom left of the icon.”

As true now as it was years ago…

David Harley

Ducklin and Mustaca on Locky

Sorin Mustaca remarks that he’s sick and tired of seeing so many people affected by the current wave of ransomware attacks. He’s not alone there…

His article About ransomware, Google malvertising and Fraud is worth reading for the description of how Locky spam may try to convince you to enable macros “if the data encoding is incorrect.”

If you need more information, though, Paul Ducklin’s article for Sophos is characteristically informative and insightful: “Locky” ransomware – what you need to know

David Harley

Paul Ducklin on ransomware options

These days, I don’t think you can have too many articles about what to do when you’re hit with ransomware, especially articles written by someone as knowledgeable as Paul Ducklin.

Got ransomware? What are your options?

He includes sections on:

  • Shortcuts to recovery
  • Longcuts to recovery
  • Cracking the encryption

And those cover most of the recovery options, which is what most people will probably want to know. Unfortunately, those options aren’t always there, hence the downbeat tone of the ‘What to do’ section:

What we are saying is that if you really need your files back, and you haven’t taken any precautions such as backing up, then you don’t really have any choice but to pay.

We’d rather you didn’t pay up, but if you do, we understand and respect your choice. (It’s easy to be high and mighty when it’s not your data on the line!)

I’m afraid I’m totally in agreement with that. However, he does follow up with a list of ‘useful ransomware precautions’, and we can never make too many of those recommendations either. This is certainly a case where prevention is a much better option than cure. In brief, his recommendations include, if I can summarize:

  • Good backup strategy
  • Disable macros
  • Consider viewer apps
  • Distrust attachments
  • Don’t routine run with admin privileges
  • ‘Patch early, patch often’

David Harley

Ransomware: Locky not Lucky

David Bisson reports on Graham Cluley’s blog about the ransomware commonly named Locky because of its use of a ‘.locky’ extension to files it has encrypted.

What does a .locky file extension mean? It means you’ve been hit by ransomware

The same story is covered by HelpNet Security:

Dridex botnet alive and well, now also spreading ransomware

Both articles refer to analysis by Palo Alto:

Locky: New Ransomware Mimics Dridex-Style Distribution

Paul Ducklin’s article for Sophos tells us about “Locky” ransomware: What you need to know. And John Leyden’s article for The Register also refers: Locky ransomware is spreading like the clap – Feeling Locky, punk? Well, do ya?

David Harley

Paul Ducklin on Cryptowall

Added to the ransomware resources page: link to an article for Sophos by Paul Ducklin on Ransomware evolution: Another brick in the CryptoWall. As you’d expect, good info on Cryptowall specifically, but also links to info on other ransomware. But also a link to a paper well worth your consideration on how ransomware evolved from 2014 to 2015.

David Harley

Japan Disaster: Commentary & Resources

[Further links added March 13th 2011 (and a couple more on the same day). Extra links and commentary appended March 14th. More commentary re the Bing chaintweet subsequently added. And yet more  on related scams added March 15th. More miscellaneous resources and commentary on 16th and 17th March. Additional links on 23rd March]

This is an attempt to bring together a number of disparate blogs highlighting resources I’ve been collecting over the past couple of days, relating to the Japanese earthquakes and tsunami. Apologies if there’s nothing here that’s new to you, but I think it’s important to spread this information as far as possible. This will now be my primary resource for putting up any further information I come across. I don’t, of course, claim that it will cover a fraction of the coverage that’s out there.

  • Some blogs of mine:
  • http://blog.eset.com/2011/03/11/japanese-earthquake-inevitable-seo 
  • http://chainmailcheck.wordpress.com/2011/03/12/earthquaketsunami-scam-resources/
  • http://blog.eset.com/2011/03/12/disaster-scams-and-resources
  • http://blog.eset.com/2011/03/11/disasters-getting-involved
  • And one more that I’ve referenced below…
  • Urban Schrott of ESET Ireland on do’s and don’t’s for safe browsing and disaster scam avoidance: http://esetireland.wordpress.com/2011/03/11/security-warning-japanese-earthquake-scams-will-send-tremors-through-the-web/
  • Paul Ducklin at Sophos on clickjacking by ibuzzu.fr: http://nakedsecurity.sophos.com/2011/03/12/japanese-tsunami-video-exploited-by-clickjackers/
  • Norman Ingal at Trend with some detail on observed BHSEO and fake AV: http://blog.trendmicro.com/most-recent-earthquake-in-japan-searches-lead-to-fakea/ 
  • Robert Slade at Securiteam with an older post (from the time of the Haiti earthquake – but still relevant) on training for disaster: http://blogs.securiteam.com/index.php/archives/1346
  • More analysis from Kimberley at stopmalvertising.com: http://stopmalvertising.com/blackhat-seo/recent-japanese-earthquake-search-results-lead-to-fakeav.html
  • Paul Roberts at Threat Post: http://threatpost.com/en_us/blogs/experts-warn-japan-earthquake-tsunami-spam-031111
  • Guy Bruneau at Internet Storm Center: http://isc.sans.edu/diary.html?storyid=10537&rss
  • Sean at F-Secure:  http://www.f-secure.com/weblog/archives/00002119.html 
  • Mike Lennon at Security Week: http://www.securityweek.com/massive-influx-scams-surrounding-japans-earthquake-and-tsunami-expected
  • spamwarnings.com is showing examples of spam related to this event: http://www.spamwarnings.com/tag/devastating-tsunami 
  • IRS online charities search: http://www.irs.gov/app/pub-78
  • Charity Navigator offers independent evaluation of charities: http://www.charitynavigator.org/
  • Google’s crisis response page: http://www.google.com/crisisresponse/japanquake2011.html
  • An old but much-to-the-point article on disaster scams from PC World: http://www.pcworld.com/article/61946/beware_of_online_scams_for_disasterrelief_funds.html
  • Phil Muncaster: http://www.v3.co.uk/v3-uk/news/2033668/google-twitter-facebook-step-help-japan-earthquake-survivors
  • Google’s People Finder service: http://japan.person-finder.appspot.com/?lang=en
  • Bing’s response page including several organizations offering relief initiatives: http://www.microsoft.com/about/corporatecitizenship/en-us/our-actions/in-the-community/disaster-and-humanitarian-response/community-involvement/disaster-response.aspx. A useful page, but there’s an aspect to Bing’s retweeting PR effort (see http://www.twitter.com/bing) that I can’t quite like, as explained at http://chainmailcheck.wordpress.com/2011/03/12/faith-hope-charity-and-manipulation/.
  • US-CERT: Japan Earthquake and Tsunami Disaster Email Scams, Fake Anitvirus and Phishing Attack Warning [Yes, the Anitvirus typo is on the web site: some useful links, nonetheless] 
  • Latest news from NHK World: http://www3.nhk.or.jp/nhkworld/ 
  • Graham Cluley: Japanese Tsunami RAW Tidal Wave Footage – Facebook scammers trick users with bogus CNN video
  • Morgsatlarge on Why I am not worried about Japan’s nuclear reactors
  • Real photos of the damage (hat tip to Rob Slade: http://www.nytimes.com/interactive/2011/03/13/world/asia/satellite-photos-japan-before-and-after-tsunami.html?hp; http://www.cbc.ca/news/interactives/japan-earthquake/index.html. Not exactly security-related, but the sort of thing that’s being used to decoy people onto unsafe sites.
  • One from the Register that I missed at the time, though it’s basically a pointer to the Trend article above: http://www.theregister.co.uk/2011/03/11/japan_tsunami_scareware/
  • World Nuclear News: Battle to stabilise earthquake reactors
  • Lester Haines for The Register: Threat to third Fukushima nuke reactor: Authorities using seawater to battle overheating
  • Apparently I wasn’t the only person upset at Microsoft’s use of the disaster to promote Bing: BingDings* Force Change of Tune.
  • Here’s another clickjack scam brought to my attention by Graham Cluley: as he rightly says, it’s not likely to be the last. Japanese Tsunami Launches Whale Into Building? It’s a Facebook clickjack scam 
  • While Lewis Page describes in The Register how the Fukushima plant is actually performing “magnificently”, given the unexpected scale of the stress to which Japanese nuclear facilities have been subjected in the past few days: http://www.theregister.co.uk/2011/03/14/fukushiima_analysis/ Even if you’re not totally convinced that this is an argument for more nuclear powerplants, it’s certainly a welcome corrective to the FUD-exploiting scareware SEO that I suspect we’ll see over the next few days.
  • Graham Cluley on an SMS hoax: Fukushima radiation hoax SMS message spreads in Philippines (clue: it’s the hoax that’s spreading, not radiation…)
  • Nuclear Energy Institute: Information on the Japanese Earthquake and Reactors in That Region
  • Lester Haines: Fukushima reactor core battle continues: May be heading for meltdown, but no Chernobyl likely
  • Stan Schroeder for Mashable: AT&T, Verizon offer free calls and texts to Japan from US 
  • Ben Parr for Mashable:  Japan Earthquake & Tsunami: 7 Simple Ways to Help
  • Technet Blog: Microsoft Supports Relief Efforts in Japan
  • USA.answers.gov summary: Current Situation in Japan
  • Christopher Boyd, GFI Labs: Another “Whale smashes into building” Tsunami scam on Facebook 
  • Allan Dyer has mentioned that SMS “BBC FLASHNEWS” hoaxes like the one Sophos flagged at http://nakedsecurity.sophos.com/2011/03/14/fukushima-radiation-scare-hoax-text-message-spreads-in-philippines/ have also been circulating in Hong Kong.
  • Urban Schrott with some more scam info from Facecrook and elsewhere
  • Sophos on tsunami charity scams
  • Lots more links suggesting that radiation risk is way overblown, but I think we have enough of those to get the gist. Just be sceptical about alarmist reports that you can’t verify from reputable sites.
  • Business Standard on Cybercrime sets sail on tsunami sympathy
  • Symantec on Phishers Have No Mercy for Japan describing a fake American Red Cross donation site.
  • I’m also seeing a number of posts and articles suggesting that the situation regarding affected nuclear facilities is getting worse: I’m not qualified to separate fact and fiction in many of these cases, so I won’t try to track them here.
  • Allan Dyer describes one of the SMS hoaxes and a donation scam message pretending to be from AT&T: http://articles.yuikee.com.hk/newsletter/2011/03/a.html
  • Graham Cluley describes several Japan-related video links that actually lead to malicious javascript and a Java applet, plus some fake twitter email notifications: Spammed-out Japanese Tsunami video links lead to malware attack. See also Chet Wisniewski’s post SSCC 52 – Twitter HTTPS, net neutrality, car hacking, tsunami scams and Pwn2Own.
  • Jimmy Kuo forwarded a reliable donation link at at http://www.jas-socal.org/, and here’s a post from Tracy Mooney on charitable giving .
  • A series of other blogs from McAfee: http://blogs.mcafee.com/mcafee-labs/world-record-for-disaster-scam-site; http://blogs.mcafee.com/consumer/robert-siciliano/tsunami-scam-warnings-keep-coming-in; http://blogs.mcafee.com/consumer/consumer-threat-alerts/japan-earthquake-scams-spreading-quickly
  • Christopher Boyd on Japan “Miracle Stories” scams on Youtube… and Rogue AV results lurk in contamination comparison searches and ICRC Japan donation scam mails and .tk URLs offering surveys, installs and fake Tsunami footage and Tips for avoiding the endless Japan disaster files and A Japan-themed 419 scam…
  • Crawford Killian is tweeting a lot of more general Japan-related stuff that might be useful to you as background rather than as direct security stuff. http://twitter.com/Crof (hat tip to Rob Slade.)
  • Nicholas Brulez: Japan Quake Spam leads to Malware
  • John Leyden for The Register: Fake Japan blackout alerts cloak Flash malware: Scumbags continue to batten on human misery
  • Not directly security-related, but I can see it being used as a social-engineering hook: Timothy Prickett Morgan on Japanese quake shakes semiconductor biz: Boards and chip packages hit too.
  • An article by Amanda Ripley that has no direct security implication that I can see offhand, but I thought was interesting anyway: http://www.amandaripley.com/blog/japan_and_the_cliche_of_stoicism/
  • I probably won’t continue to add too many resources to this page that don’t have a direct and compelling security dimension, but if you are interested in the sort of footage of exploding reactors, tsunami hits and so on that blackhats use as bait for fake AV and clickjacking, the BBC has quite a few relevant videos: I know that because I watch the news. 🙂 I haven’t looked up individual links, but a quick Google search brings up several at http://www.bbc.co.uk/: no doubt searches of CNN etc. would bring up similar results. There’s lots of this stuff out there: no need to click on dubious links from unknown sources!

    David Harley CITP FBCS CISSP
    AVIEN COO
    ESET Senior Research Fellow

    

    NTEOTWAWKI

    Given all the hype generated by the ridiculously titled Gawker Article about the so called ‘iPad’ hack, I’m somewhat reluctant to add to any more of the noise over what is really a pretty run of the mill story, but because I’m procrastinating on other jobs, I’ll write something. Warning: this story does involve the shocking exposure of people’s email addresses, said addresses getting revealed when they shouldn’t have been, and yes….er…well, no, that’s about it actually.

    Indeed, Paul Ducklin of Sophos wrote a very nice article stating the rather important fact that, every time you send an email, that passes your email out on to the open internet. Of course, that’s not an excuse to have a poorly written web app that will spit out the email addresses of your partner company’s clientele at will. Partner company, I hear you cry, wasn’t this an Apple problem? Yes, indeed, this is absolutely nothing to do with Apple, it’s not an Apple problem, and it’s not a breach of Apple’s security, nor is it a breach of the iPad. In fact, it was solely down to a web application on AT&T’s website. It doesn’t even involve touching an iPad. But, but, you may splutter, isn’t this is an iPad disaster? No. Not even slightly; not once did the ‘attackers’ go near any one’s iPad. The ‘attack’ was purely a script  that sent ICCID numbers (this links a SIM card to an email address) to the AT&T application, in sequence, to see if their database had that number with an email attached – and if so, that came back. That’s right, it’s a SIM card identifier. The only ‘iPad’ part is that the ‘attackers’ spoofed the browser in the requests, to make the app think the request was coming from an iPad.

    The upshot is that, as this page rightly points out (thanks to @securityninja for the link)

    “There’s no hack, no infiltration, and no breach, just a really poorly designed web application that returns e-mail address when ICCID is passed to it.”

    So, the correct title of that original Gawker article might have been “Badly designed AT&T web application leaks email addresses when given SIM card ID”, but that wouldn’t be “The End Of The World As We Know It”.

    In a week where one ‘journalist’ writing here (thanks to @paperghost for the link) claimed that some security people confessing to being ‘hackers’ (whatever that means) “confirms our suspicions that the whole IT insecurity industry is a self-perpetuating cesspool populated by charlatans”, it might be time for the world of the media to turn that oh so critical eye on itself and ask who is really generating the hype in the information security world?

    If you’re interested in keeping up with genuine Mac/Apple related security issues, a good resource is maintained here by my good friend David Harley

    UPDATE: The original ‘attackers’ have published a response to the furore here. Pretty much confirms what I was saying

    “There was no breach, intrusion, or penetration, by any means of the word.”

    Andrew Lee
    CEO AVIEN/CTO K7 Computing

    Transitive Phishing (updated)

    Paul Ducklin’s thoughtful blog on “Taxation scammers open the batting for 2010” highlights a tax phish that manages to get round the “why should I click on that link when that isn’t my bank?” issue by offering a choice of bank links leading to a clone site. Neat, and “transitive phishing” is a good label for it. But the answer is the same. Don’t trust a link in email (are you listening, eBay?) Go to a URL you know you can trust, and if it means typing it in by hand, do that.

    Update: Dmitry Bestuzhev has pointed out to me that he blogged on this scam a day before Duck’s blog was posted. Indeed he did, but it was the two-stage site-spoofing that I found interesting, rather than the fact that it’s a tax scam. Still, he’s right that it’s worth noting in itself that there is another round of tax scams, and the Analysts Diary blog is certainly a resource worth keeping an eye on.

    David Harley FBCS CITP CISSP
    Chief Operations Officer, AVIEN
    Director of Malware Intelligence, ESET

    Also blogging at:
    http://www.eset.com/threat-center/blog
    http://smallbluegreenblog.wordpress.com/
    http://blogs.securiteam.com
    http://blog.isc2.org/
    http://dharley.wordpress.com

    The Name Game – Duh…

    [Update: well, Sophos have, it seems, gone official on the name iPh/Duh, which I find quite unreasonably irritating. However, Paul’s latest blog (link below) includes some very useful info.]

    http://www.sophos.com/blogs/duck/g/2009/11/24/clean-up-iphone-worm/

    Paul Ducklin, what have you done?

    Well, it’s not exactly Paul’s fault, as much as the industry’s: he referred at http://www.sophos.com/blogs/duck/g/2009/11/23/iphone-worm-password/ to the iBot thingie (yes, that again…) as Duh, since there’s no standardized name for it, and “because that is the name which the virus itself gives to the component which strongly differentiates it from the earlier Ikee worm”.

    And so, already we have various media sources referring to the Duh worm or Ikee.B. Well, if naming really mattered, I suppose we’d have all the various iPhone malware bits and pieces properly categorized and named by now. Historically, every vendor would have used a different name, of course, but there would have been some minimal cross-referencing and a semi-standard CARO-ish alternative. And probably the latest example (I really don’t like to describe it as a variant) would not have been called Duh because we tend to avoid using the form of name the malware author might have wanted.

    Well, I haven’t changed my mind about naming, in general. In most cases, it’s largely irrelevant and often misleading, certainly in the Windows context. When you have many tens of thousands of unique binary samples coming in on a daily basis, accurately cross-referencing and naming them doesn’t seem much of a priority. (See  one of these papers for a more complete picture of why I say that.)

    http://www.eset.com/download/whitepapers/cfet2009naming.pdf 
    http://www.eset.com/download/whitepapers/Harley-Bureau-VB2008.pdf

    So most companies don’t seem to have bothered to name these  at all, even though iPhone malware was obviously going to excite some media interest. Well, exact naming for fairly low-impact threats wasn’t an issue I could raise much interest in either. But the fact is, that journalists and their audiences need a name to hang a malware story on, and they don’t care about the complexities of CARO-like naming (why should they?). So Duh will do, I suppose, especially since Paul as good as endorsed it. (“Perhaps, in fact, Duh is a good name for this virus.”)

    What worries me is that at some point, someone is going to point to this as another example of how the AV industry can’t get its act together on naming, even on a platform with few enough threats to count on one hand. Well, we could have sorted this one out easily enough (and still could, in principle), but it will always be Duh now, so we probably won’t bother.

    David Harley FBCS CITP CISSP
    Chief Operations Officer, AVIEN
    Definitely not speaking for the AV industry…

    Also blogging at:
    http://www.eset.com/threat-center/blog
    http://dharley.wordpress.com/
    http://blogs.securiteam.com
    http://blog.isc2.org/