Site Transfer

This site is in the process of being transferred to the AVIEN portal here. Pages that have already been transferred now just contain a link to the corresponding page, but there’s still a lot of housekeeping to do.

In the meantime, however, new blog articles will now be posted only to the new site so this may well be the last article to be posted here.

Sorry for any discrepancies and inconveniences, but I thought it was better to do the job piecemeal than to wait till I found a window of a few days where I can concentrate purely on the transfer, since bitter experience suggests that I’ll never find such a window until I’m retired and won’t care anyway. 🙂

David Harley

17th March 2018 resources and article updates

Specific Ransomware Families and Types

Cryptocurrency/Crypto-mining News and Resources

Mac Virus (now linked from AVIEN portal): Android antics and MacOS malware

David Harley

16th March 2018 resources updates

Added to the AMD section of the Meltdown/Spectre resource page, which for administrative reasons has now been moved here

Added to the Intel section:

John Leyden waxes satirical at Intel’s expense in The Register: Intel: Our next chips won’t have data leak flaws we told you totally not to worry about – “Meltdown, Spectre-free CPUs coming this year, allegedly”

Added to the Microsoft/Windows section:

Richard Chirgwin for The Register: Microsoft starts buying speculative execution exploits – “Adds bug bounty class for Meltdown and Spectre attacks on Windows and Azure”

David Harley

13th March 2018 resources updates

(1) New section on Trend Micro Resources in Meltdown/Spectre – Related Resources

Trend Micro: Detecting Attacks that Exploit Meltdown and Spectre with Performance Counters
“We worked on a detection technique for attacks that exploit Meltdown and Spectre by utilizing performance counters available in Intel processors. They measure cache misses — the state where data that an application requests for processing is not found in the cache memory — that can be used to detect attacks that exploit Meltdown and Spectre.”
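The quoted approach boils down to watching the ratio of cache misses to cache references per process and flagging the processes that keep it abnormally high, because a Meltdown or Spectre probe loop spends its time flushing and re-touching cache lines. The following is an added illustration of that idea, written for this page and not Trend Micro’s code or model. It assumes counters have already been collected per process (the constructed samples below stand in for per-second `perf stat -x, -e cache-references,cache-misses -p <pid>` snapshots; the CSV field order assumed in the parser is value,unit,event,run-time,percentage), and it uses a sliding window so that a single spike from a memory-bound but benign operation does not trigger an alert.

```python
"""Windowed cache-miss-ratio detector (added example, not Trend Micro's code).

Input is per-process cache-references / cache-misses counter snapshots such as
`perf stat -x, -e cache-references,cache-misses -p <pid> -- sleep 1` produces
once per interval. All numbers below are constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed samples: (tick, pid, cache-references, cache-misses). Not real data.
SAMPLES = [
    # pid 101: ordinary workload, misses around 5% of references
    (1, 101, 2_000_000, 100_000),
    (2, 101, 2_100_000, 110_000),
    (3, 101, 1_900_000, 95_000),
    (4, 101, 2_000_000, 105_000),
    # pid 202: one transient spike (e.g. a large copy), then back to normal
    (1, 202, 5_000_000, 4_800_000),
    (2, 202, 2_000_000, 120_000),
    (3, 202, 2_000_000, 110_000),
    (4, 202, 2_000_000, 100_000),
    # pid 303: sustained flush-and-reload style behaviour, misses around 95%
    (1, 303, 800_000, 770_000),
    (2, 303, 820_000, 790_000),
    (3, 303, 810_000, 780_000),
    (4, 303, 830_000, 800_000),
    # pid 404: idle, zero references (the ratio must not divide by zero)
    (1, 404, 0, 0),
]

# Constructed lines in the shape of `perf stat -x,` CSV output (assumed field
# order: value,unit,event,run-time-ns,percentage,...). Not captured from a host.
PERF_CSV_LINES = [
    "# started on Tue Mar 13 10:00:00 2018",
    "812000,,cache-references,1000000000,100.00,,",
    "781000,,cache-misses,1000000000,100.00,,",
]


def parse_perf_csv(lines):
    """Turn perf's CSV lines into {event: value}; uncounted events become 0."""
    counters = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(",")
        value, event = fields[0].strip(), fields[2].strip()
        counters[event] = 0 if value.startswith("<") else int(value)
    return counters


def miss_ratio(references, misses):
    """Fraction of references that missed, clamped to [0, 1]; 0 when idle."""
    if references <= 0:
        return 0.0
    return min(misses / references, 1.0)


class MissRatioDetector:
    """Alert only when a pid's ratio stays above `threshold` for `window` ticks."""

    def __init__(self, threshold=0.8, window=3):
        self.threshold = threshold
        self.window = window
        self.history = defaultdict(lambda: deque(maxlen=window))

    def feed(self, pid, references, misses):
        hist = self.history[pid]
        hist.append(miss_ratio(references, misses))
        return len(hist) == self.window and all(r >= self.threshold for r in hist)


def flagged_pids(samples, threshold=0.8, window=3):
    """Replay samples in time order and return pids that tripped the detector."""
    detector = MissRatioDetector(threshold, window)
    flagged = []
    for _tick, pid, refs, misses in sorted(samples):
        if detector.feed(pid, refs, misses) and pid not in flagged:
            flagged.append(pid)
    return flagged


if __name__ == "__main__":
    print("parsed counters:", parse_perf_csv(PERF_CSV_LINES))
    print("flagged pids:", flagged_pids(SAMPLES))
```

The window is what keeps pid 202 (one spike) quiet while pid 303 (sustained high miss rate) is reported. The obvious caveat, which the quoted post is careful about and a simple threshold is not, is that legitimately memory-bound work (large sorts, scans, some compression) also runs a high miss ratio, so in practice the threshold and window need tuning against a baseline for the host, and the alert is a reason to look at the process rather than proof of exploitation.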

(2) Cryptocurrency/Crypto-mining News and Resources

David Harley

12th March 2018 resources updates

Specific Ransomware Families and Types

Ransomware Resources

Cryptocurrency/Crypto-mining News and Resources

(1) Paul Ducklin for Sophos: Cryptomining versus cryptojacking – what’s the difference?

(2) Bleeping Computer tells us: Microsoft Stops Malware Campaign That Tried to Infect 400,000 Users in 12 Hours
ZDNet is even more enthusiastic: Windows security: Microsoft fights massive cryptocoin miner malware outbreak – “Microsoft has blocked a malware outbreak that could have earned big bucks for one criminal group.”
Other players in the security industry were more restrained (as per the entry for March 8th below), notably myself, Sean Sullivan and Luis Corrons, quoted in an article by Kevin Townsend: Microsoft Detects Massive Dofoil Attack. Kevin didn’t quote me in full, so here’s (most of) what I said:

I don’t read that article as actually saying that Defender detected that particular campaign and no-one else did/does (which isn’t the case: note that some of the hashes in the figures show a VirusTotal score), or claiming that Microsoft actually disrupted the campaign, or even that it was the first product to detect this particular iteration of Dofoil or the Coinminer it’s delivering. If there’s a suggestion that detection by other products was tested, I missed it.

If it gives the impression that this detection ‘proves’ that all such attacks will be detected by Defender, well, that’s what AV products (often) do, but the phrase ‘hostage to fortune’ springs to mind. But the way I read it, Windows Defender did a good job of detecting this particular campaign, and deserves credit for it. As does any company that offers prompt/proactive detection of a sophisticated campaign, and there are several that do.

Do the Defender team have an unfair advantage? Well, I guess they have direct access to the OS developers, but spotting behavioural anomalies is bread-and-butter lab work, and incorporating such detection into cloud protection and machine learning is standard stuff. And I’m sure most labs value good knowledge of OS processes.

David Harley

8th March 2018 resources updates

Specific Ransomware Families and Types

Ransomware Resources

An article on ransomware I contributed to ESET’s Trends 2018 report has been republished as a blog article on WeLiveSecurity. Trends 2018: The ransomware revolution

Cryptocurrency/Crypto-mining News and Resources

Microsoft: Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign. Rather self-congratulatory – sounds as if Microsoft stopped a campaign all by itself and Windows Defender is The Answer to crypto-mining and world hunger, but still…

March 7th 2018 resources update

Updates to Cryptocurrency/Crypto-mining News and Resources

Update to Meltdown/Spectre – Related Resources

David Harley

March 5th 2018 resources update

Update to Ransomware Recovery and Prevention

Update to Cryptocurrency/Crypto-mining News and Resources

Update to Specific Ransomware Families and Types

Update to Meltdown/Spectre – Related Resources

David Harley

Memcached, DDoS, RDoS, DDoS-for-Bitcoin

Catalin Cimpanu for Bleeping Computer: Some Memcached DDoS Attackers Are Asking for a Ransom Demand in Monero. Basically, more on the Memcached story but with a little background on earlier DDoS for ransom attacks.

Cimpanu says that “according to Daniel Smith, a Radware security researcher who spoke with Bleeping Computer, paying the Monero ransom won’t help … because attackers have used the same Monero address for multiple DDoS attacks against different targets.”

Link added to Specific Ransomware Families and Types.

Here are the links again for the Brian Krebs (et al) story I flagged yesterday:

  • Brian Krebs: Powerful New DDoS Method Adds Extortion
    “Attackers have seized on a relatively new method for executing distributed denial-of-service (DDoS) attacks of unprecedented disruptive power … Now evidence suggests this novel attack method is fueling digital shakedowns in which victims are asked to pay a ransom to call off crippling cyberattacks.” Cites:

    • Experts from Cybereason and other sources. According to Krebs, Cybereason have seen Memcached attacks where the payload is a demand for 50 XMR (Monero).
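For anyone checking their own exposure rather than reading about other people’s, the attack these stories describe depends on a memcached instance that answers on UDP port 11211 to anyone, so that a small spoofed request produces a large reply aimed at the victim, with the ransom text simply stored as a value the attacker stuffed into the server. The following is an added example written for this page (not code from Krebs, Cybereason or Bleeping Computer) that frames a memcached UDP probe, parses a reply, measures the bytes-out-per-byte-in ratio and pulls printable text out of a returned value. The UDP frame header layout (request id, sequence number, datagram count, reserved; two bytes each, big-endian) is memcached’s documented UDP framing; the key name and note text in the constructed reply are invented placeholders, and the live probe function is not exercised offline.

```python
"""Memcached UDP exposure check (added example, not from the cited articles).

Builds the memcached UDP frame, parses replies, and reports how much a server
returns per byte sent. The constructed reply below stands in for what an
exposed server stuffed with an extortion note might send back; the key name
and note are placeholders, not real attacker data.
"""
import socket
import struct

MEMCACHED_UDP_PORT = 11211
# memcached UDP frame header: request id, sequence no, total datagrams, reserved
UDP_HEADER = struct.Struct("!HHHH")


def build_udp_probe(request_id=0x1234, command=b"stats\r\n"):
    """Wrap an ASCII memcached command in the 8-byte UDP frame header."""
    return UDP_HEADER.pack(request_id, 0, 1, 0) + command


def parse_udp_datagram(data):
    """Split one reply datagram into (request_id, seq, total, payload)."""
    if len(data) < UDP_HEADER.size:
        raise ValueError("datagram shorter than memcached UDP header")
    request_id, seq, total, _reserved = UDP_HEADER.unpack_from(data)
    return request_id, seq, total, data[UDP_HEADER.size:]


def amplification_factor(probe, datagrams):
    """Bytes received across all reply datagrams per byte of probe sent."""
    return sum(len(d) for d in datagrams) / len(probe)


def extract_text(payload):
    """Best-effort printable text from a reply (e.g. an embedded ransom note)."""
    return "".join(chr(b) if 32 <= b < 127 else " " for b in payload).strip()


def probe_host(host, timeout=2.0, command=b"stats\r\n"):
    """Live check: list of raw reply datagrams, empty if nothing answered on UDP.

    Only run this against hosts you are responsible for. Not exercised offline.
    """
    probe = build_udp_probe(command=command)
    datagrams = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(probe, (host, MEMCACHED_UDP_PORT))
        try:
            while True:
                data, _ = sock.recvfrom(65535)
                datagrams.append(data)
                _, seq, total, _ = parse_udp_datagram(data)
                if seq + 1 >= total:
                    break
        except socket.timeout:
            pass
    return datagrams


# Constructed reply to `get note`: placeholder key and note, no real address.
CONSTRUCTED_NOTE = b"Pay 50 XMR to <address> or the attack continues " * 40
CONSTRUCTED_PROBE = build_udp_probe(0x1234, b"get note\r\n")
CONSTRUCTED_REPLY = [
    UDP_HEADER.pack(0x1234, 0, 1, 0)
    + b"VALUE note 0 %d\r\n" % len(CONSTRUCTED_NOTE)
    + CONSTRUCTED_NOTE
    + b"\r\nEND\r\n"
]


def assess(probe, datagrams, risky_factor=10.0):
    """Summarise a reply: amplification factor, whether it is worth worrying about,
    and any printable text the server handed back."""
    factor = amplification_factor(probe, datagrams)
    text = " ".join(extract_text(parse_udp_datagram(d)[3]) for d in datagrams)
    return {"factor": factor, "exposed": factor >= risky_factor, "text": text}


if __name__ == "__main__":
    print(assess(CONSTRUCTED_PROBE, CONSTRUCTED_REPLY))
```

Any answer at all on UDP from an Internet-reachable memcached is the problem, regardless of the factor; the fix is to start the daemon with `-U 0` (UDP off; later memcached releases do this by default), bind it to an internal interface and block 11211 at the edge. Seeing a ransom-style string in your own server’s values additionally tells you someone has already been writing to it.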

David Harley

March 3rd 2018 resources update

Updates to Specific Ransomware Families and Types:

David Harley