
Tag: Greece

BrandPost: 5 Things to Consider Before an IT Refresh

By Bharath Vasudevan, HPE Product Manager, Software-defined and Cloud Group

Heraclitus, a Greek philosopher, is quoted as saying "change is the only constant in life." And he wrote that in 500 B.C. I wonder what he would say today about the constant change brought about by technology.

The pace of change in business is extraordinary – and if you don’t keep up, you’ll be left behind. Yet how do you know when change is needed for your business — particularly your infrastructure? And how do you decide what change will make you more competitive?

A tech refresh is a chance for a business to evaluate the direction of its IT infrastructure and weigh the costs and benefits of trying something new. It’s a good time to look at the current IT environment and research what other options are available that may better suit the needs of the organization.

The future of solar power technology is bright

From photovoltaic paint to thermal fuel, we peek at a future beyond today's solar cells.

KopiLuwak: A New JavaScript Payload from Turla

A new, unique JavaScript payload is now being used by Turla in targeted attacks.

This new payload, dubbed KopiLuwak, is being delivered using embedded macros within Office documents.
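Macro-laden Office documents are the delivery vehicle named above, so the first thing a responder wants is a quick, offline way to tell whether an incoming OOXML file carries a VBA project at all. The Python below is an added example written for this page; it is not Kaspersky's tooling and has nothing to do with the KopiLuwak sample itself. It inspects the zip container twice, once for a vbaProject.bin part and once for the VBA content type in [Content_Types].xml, since either alone can be edited, and it flags files whose extension (.docx, .xlsx) promises no macro content yet carry one. The two minimal "documents" it tests are constructed in memory and are not real Word files; legacy OLE formats (.doc, .xls) are out of scope.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions that Word, Excel and PowerPoint treat as macro-enabled.
MACRO_ENABLED_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam",
                     ".pptm", ".potm", ".ppam"}


def inspect_ooxml(name: str, data: bytes) -> dict:
    """Report whether a zip-based Office file carries a VBA project.

    Checks both the part listing (any *vbaProject.bin) and the declared
    content types, and flags an extension that should not carry macros.
    """
    result = {"name": name, "is_zip": False, "vba_parts": [],
              "vba_content_type": False, "has_vba": False,
              "extension_mismatch": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result                      # OLE/.doc or junk: not handled here
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["vba_parts"] = [n for n in names
                               if n.lower().endswith("vbaproject.bin")]
        if "[Content_Types].xml" in names:
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            for element in root.iter():
                if element.get("ContentType") == VBA_CONTENT_TYPE:
                    result["vba_content_type"] = True
    has_vba = bool(result["vba_parts"]) or result["vba_content_type"]
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    result["has_vba"] = has_vba
    result["extension_mismatch"] = has_vba and ext not in MACRO_ENABLED_EXT
    return result


def build_sample(with_vba: bool) -> bytes:
    """Constructed, minimal OOXML-like container for the example.

    This is not a real Word document; it only has the parts the check reads.
    """
    main_type = ("application/vnd.openxmlformats-officedocument."
                 "wordprocessingml.document.main+xml")
    overrides = ('<Override PartName="/word/document.xml" '
                 f'ContentType="{main_type}"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_vba:
            overrides += ('<Override PartName="/word/vbaProject.bin" '
                          f'ContentType="{VBA_CONTENT_TYPE}"/>')
            # OLE compound-file magic followed by padding: a stub, not a VBA blob.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/'
                    '2006/content-types">' + overrides + "</Types>")
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for fname, vba in (("invoice.docx", False), ("invoice.docx", True),
                       ("invoice.docm", True)):
        print(inspect_ooxml(fname, build_sample(vba)))
```

A file whose extension says "no macros" but whose container holds a VBA project deserves a look regardless of whether the application would execute it: it means someone assembled the document by hand or repackaged it, which is not what legitimate authoring produces.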

The Oracle of Delphi puts a board game Odyssey on your...

Stefan Feld's newest board game is a blast from the past.

Shamoon Can Now Destroy Virtual Desktops, Too

Image caption: A computer infected by Shamoon is unable to find its operating system. (Palo Alto Networks)

There's a new variant of the Shamoon disk-wiping malware that was originally unleashed on Saudi Arabia's state-owned oil company in 2012, and it has a newly added ability to destroy virtual desktops, researchers said. The new strain is at least the second Shamoon variant to be discovered since late November, when researchers detected the return of disk-wiping malware after taking a more than four-year hiatus.

The variant was almost identical to the original one except for the image that was left behind on sabotaged computers. Whereas the old one showed a burning American flag, the new one displayed the iconic photo of the body of Alan Kurdi, the three-year-old Syrian refugee boy who drowned as his family tried to cross from Turkey to Greece. Like the original Shamoon, which permanently destroyed data on more than 30,000 work stations belonging to Saudi Aramco, the updates also hit one or more Saudi targets that researchers have yet to name. According to a blog post published Monday night by researchers from Palo Alto Networks, the latest variant has been updated to include legitimate credentials to access virtual systems, which have emerged as a key protection against Shamoon and other types of disk-wiping malware.

The actor involved in this attack could use these credentials to manually log into the management systems of the virtual desktop infrastructure (VDI) and attack virtual desktop products from Huawei, which can blunt destructive malware through their ability to load snapshots of wiped systems. "The fact that the Shamoon attackers had these usernames and passwords may suggest that they intended on gaining access to these technologies at the targeted organization to increase the impact of their destructive attack," the Palo Alto Networks researchers wrote. "If true, this is a major development and organizations should consider adding additional safeguards in protecting the credentials related to their VDI deployment." Several of the usernames and passwords are included in official documentation as administrator accounts for Huawei’s virtualized desktop products, such as FusionCloud.

The researchers still aren't sure if Shamoon attackers obtained the credentials from an earlier attack on the targeted network or included the default usernames and passwords in an attempt to guess the login credentials to the VDI infrastructure. In addition to the virtualization-defeating update, the variant found by Palo Alto Networks also contained hardcoded Windows domain account credentials that were specific to the newly targeted organization.

The credentials met Windows password complexity requirements, a finding that suggests the attackers obtained the credentials through a previous breach. Like the previous Shamoon variant, the new one spread throughout a local network by "logging in using legitimate domain account credentials, copying itself to the system and creating a scheduled task that executes the copied payload." The Shamoon update was set to begin overwriting systems on November 29, 2016 at 1:30am.

The timing aligns with previous Shamoon strains, which attempted to maximize their destructive impact by striking when the targeted organization would have fewer personnel and resources available on site. Post updated in the headline and third paragraph to make clear VDI systems are manually accessed.
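The hardcoded domain credentials described above are the first thing a triage analyst pulls out of a wiper sample, and the article's observation that they satisfied the Windows complexity policy is what separates a real stolen account from a default-password guess. The Python below is an added example written for this page, not Palo Alto Networks' tooling and not derived from any Shamoon sample: it extracts printable ASCII and UTF-16LE strings from a constructed byte blob (the account CORP\svc_backup, the password Winter2016! and the surrounding bytes are all invented), keeps the strings shaped like DOMAIN\user, and applies an approximation of the Windows "password must meet complexity requirements" rule (six or more characters, three of four character classes, not containing the user name) to the rest.

```python
import re

# Constructed stand-in for a region of a malware sample. It is not real
# Shamoon data: the account CORP\svc_backup and the password Winter2016!
# are invented for this example. Windows binaries often hold such strings
# as UTF-16LE, so the blob mixes ASCII and wide strings with binary noise.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"kernel32.dll" + b"\x00\x00\x00"
    + "CORP\\svc_backup".encode("utf-16-le") + b"\x00\x00\x00"
    + "Winter2016!".encode("utf-16-le") + b"\x00\x00\x00"
    + b"\x12\x13" + b"password" + b"\x00\x00\x00"      # one character class only
    + "ADMIN$".encode("utf-16-le") + b"\x00\x00\x00"
)

# Account strings as DOMAIN\user (NetBIOS domain names are at most 15 chars).
ACCOUNT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,14}\\[A-Za-z0-9._$-]{1,64}$")
# Module names satisfy the complexity rule (lower, digit, '.') but are not passwords.
FILENAME_RE = re.compile(r"\.(dll|exe|sys|ocx)$", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = 6):
    """Yield printable strings of at least min_len characters: first the
    plain ASCII runs, then the UTF-16LE runs (printable byte, NUL, repeated)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        yield m.group().decode("ascii")
    for m in wide_re.finditer(data):
        yield m.group().decode("utf-16-le")


def meets_windows_complexity(candidate: str) -> bool:
    """Approximation of the Windows complexity policy: at least six characters
    drawn from at least three of the classes upper, lower, digit and
    non-alphanumeric. The real policy also counts other Unicode letters as a
    class and rejects passwords containing the account name; the account-name
    rule is applied in pair_credentials, where the account is known."""
    if len(candidate) < 6:
        return False
    classes = (
        any(c.isupper() for c in candidate),
        any(c.islower() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    )
    return sum(classes) >= 3


def find_credential_candidates(data: bytes):
    """Return (accounts, passwords): strings shaped like DOMAIN\\user, and
    strings that pass the complexity rule after dropping the account strings
    themselves, share names (trailing $) and module file names."""
    seen = list(dict.fromkeys(extract_strings(data)))   # de-duplicate, keep order
    accounts = [s for s in seen if ACCOUNT_RE.match(s)]
    passwords = [
        s for s in seen
        if s not in accounts
        and not s.endswith("$")
        and not FILENAME_RE.search(s)
        and meets_windows_complexity(s)
    ]
    return accounts, passwords


def pair_credentials(accounts, passwords):
    """Pair each account with the candidate passwords that do not contain its
    user part, mirroring the policy's account-name rule."""
    pairs = []
    for acct in accounts:
        user = acct.split("\\", 1)[1].lower()
        pairs.extend((acct, pw) for pw in passwords if user not in pw.lower())
    return pairs


if __name__ == "__main__":
    accts, pws = find_credential_candidates(SAMPLE)
    for acct, pw in pair_credentials(accts, pws):
        print(f"candidate credential: {acct} / {pw}")
```

On a real sample the candidate list is longer and noisier, which is the point of the filters: the complexity test is a cheap way to push documented defaults and product strings to the bottom and the organisation-specific account at the top, where it can be checked against the victim's directory and rotated.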

DoD Warns Contractors About Iran-Linked Malware

Shamoon, a piece of malware that tries to turn infected computers into unusable bricks, is back. Earlier this month, a number of cybersecurity firms reported that hackers had used the malware against thousands of computers in Saudi Arabia's civil aviation agency and other government bodies. According to Bloomberg, the attacks, like previous ones involving Shamoon, seemingly originated from Iran.

Now, the Defense Security Service (DSS), part of the US Department of Defense, has issued a bulletin to cleared contractors warning them of the threat. “Between 2 and 7 December 2016, DSS was given information from another government agency regarding Indicators of Compromise (IOC) associated with a Shamoon malware variant and may be used in computer network exploitation attempts,” the bulletin, distributed on Thursday and obtained by Motherboard, reads. It does not specify the government agency that provided the information.

These bulletins are sent to contractors to alert them to threats from foreign intelligence entities (FIEs), and in particular, FIEs' infrastructure, malware, tactics, techniques or procedures. “This information is being shared by DSS in order to enable potential targets of possible espionage activity to detect, disrupt or deny FIE's exploitation of cleared contractor information systems, networks or personnel,” it reads.

In 2012, the “Cutting Sword of Justice,” a suspected Iranian hacking group, used Shamoon to aggressively wipe tens of thousands of computers belonging to Saudi Aramco. Aramco is the state-owned oil company of Saudi Arabia. In the wake of the attack, Aramco had to take itself entirely offline. “No emails, no phones, nothing,” Chris Kubecka, a consultant who worked with Aramco, told an audience at the Black Hat hacking conference last year. The hackers also replaced emails and documents with a picture of a burning American flag, according to The Register.

The new version of Shamoon, however, displays a picture of Alan Kurdi, the 3-year-old Syrian boy who drowned while trying to cross from Turkey to Greece, according to a report from security company Symantec. Neither the FBI nor the Department of Defense provided comment in time for publication, and the NSA did not respond to a request for comment.

Microdemocracy is the next logical step for the United States

Image caption: Cover detail from Infomocracy, by Malka Older. (Will Staehle)

Whether or not you think American democracy is broken, you can probably come up with some ways to improve it.

The country gets less than 50-percent voter turnout; the Electoral College has disagreed with the popular vote twice in the past five election cycles; there are referenda with explanations that take 10 minutes to read and still don’t make any sense; and don’t forget all the special interests and pork-barrels and legislative gridlock.
Surely we can do better. With all the technology we’ve developed in the centuries since the Founding Fathers set up our system, we have the capacity to make voting much more convenient. Plus, we can manage an almost unlimited number of voter concerns simultaneously. With all this technological capacity, what are the possible next steps for democracy? One idea is microdemocracy.

As the name suggests, this is about getting democracy to a more granular, local scale, although there are different suggestions for how to do so.
In the 1990s, the term arose in academic literature exploring whether democratic practices at the civil society level could support democratic transitions in authoritarian regimes such as Zimbabwe. Today, organizations like The Right Question Institute, which calls itself “a catalyst for microdemocracy,” think microdemocracy could work in countries that are already democratic.

They suggest that if citizens engage critically and demand accountability at the most local of levels—PTA meetings, community clinics—they will then “begin to move along the continuum of democratic action from an individual encounter at the agency to attending public hearings, joining with others through organizing, and exercising their right to vote.” In other words, the solution to low voter turnout and political apathy is to get people to make their voices heard where public policy meets their direct interest and work their way up from there.
Information technology will make this process easier and more accessible, especially when it makes initial information gathering and post-engagement followup far less onerous. Microdemocracy can also be used to describe a system that gives people power to vote, not just on their representatives and a few referenda, but on nearly every element of their government, from how their taxes are apportioned to individual pieces of legislation. More commonly known as direct democracy, this intensive involvement in government decision-making is similar to the ancient Greek model, but very rare today. Although Switzerland uses direct democracy instruments, requiring voters to approve every law passed by the legislature, most other modern democracies are representative: citizens elect representatives, who then make most of the decisions for them.

This is partly because the 18th-century trailblazers of modern democracy were also wary of democracy.

They wanted some elite roadblocks in front of rule by the masses. But representative democracy was also preferable because of logistical issues. When it took weeks to travel to the capital, it was hardly feasible for everyone, or even all free landholding men, to do so every time something needed to be voted on. Now, however, we have the communications technology to enable the rapid spread of information and immediate, verifiable voting from the comfort of your home, or car, or as you’re walking down the street.

Political technology of the future

In my recent science-fiction novel Infomocracy, I offer yet another definition of microdemocracy.

The book is set some sixty years in the future, when the nation-state is (mostly) dead and the basic political unit is a “centenal” of 100,000 people.

Each centenal can vote for any government it wants, from anywhere in the world.

This both makes politics very local—you only have to convince 50,000 of your closest neighbors to support your choice in order to win–and decouples it from geography—if the form of government you prefer originated in Denmark, you can vote for it without emigrating from your home in Tampa. Centenal-based microdemocracy naturally requires extensive use of technology.
In my book, it’s provided through a massive international bureaucracy known as Information, which offers voters data about the thousands of possible governments and helps those governments manage what may be far-flung territories once they’re elected. Although I included some cool-sounding tech gadgets to make all this more interesting, it’s really not so much of a leap, technologically. We already have countries governing territory that is not geographically contiguous–Alaska, Gibraltar, Ceuta, Oecusse. We already have multiple choices in the ballot box, and most of us have access to all the information we could want about those choices.

As with direct democracy, what makes the scenario improbable is lack of political will or, to put it another way, entrenched power structures. These various definitions of microdemocracy have a few points in common.

They all point toward improving democracy through getting more citizens more involved and tying the complex, big-picture forces of government directly to people’s day-to-day interests.

They all see technology as a means of facilitating democracy, bringing people closer to their government.

And they all believe that this will make governance—or quality of life, or life itself—better, buying into a central assumption of democracy: that it leads to better government.

Decentralization and freedom

The rationale behind microdemocracy is not so different from that behind a less cutting-edge concept that has been extremely popular over the last few decades: decentralization. Pushing power down to local areas has been one of the common prescriptions for countries transitioning out of authoritarianism since the 1980s: if you disperse power through the regions of a country, it becomes harder for one person—or ethnic group, say, or religion—to dominate the whole. As with The Right Question Institute’s theory of microdemocracy, many proponents of decentralization argue that getting citizens involved at the local level will translate into greater participation, and democracy, throughout the government.

In a 1999 paper on decentralization, political scientists Arun Agrawal and Jesse Ribot write:

"Most justifications of decentralization are built around the assumption that greater participation in public decision making is a positive good in itself or that it can improve efficiency, equity, development, and resource management. [...] At its most basic, decentralization aims to achieve one of the central aspirations of just political governance: democratization, or the desire that humans should have a say in their own affairs."

Despite these lofty and seemingly logical aims, as well as the enthusiasm with which the strategy has been pursued, evidence on the results of decentralization is mixed.

For one thing, what is called decentralization is often not; it’s easy enough to attach a buzzword to a toothless public policy.
Some governments use the concept as a way of pushing fiscal and administrative responsibilities onto lower levels of government without giving local governments more decision-making power. While decentralization does help to disperse power away from the network of a central authoritarian figure, it also holds other risks.
It might consolidate the power of local or regional elites. Kent Eaton and Ed Connerley write:

"In many developing countries that have completed the national transition to democracy but that contain enclaves of persistent authoritarianism at the subnational level, decentralization has the unfortunate effect of transferring power and authority from units of government that are more democratic to units of government that are less democratic or nondemocratic."

But this is not only true of developing countries: consider the Civil Rights struggle in the United States. Microdemocracy, in any of its forms, faces many of the same difficulties as decentralization.

As an attractive term that suggests greater accountability and transparency, it can be strategically deployed to produce the opposite.
In disempowering some elites it offers power to others–those who care more about the issues, for example, or those who are more comfortable with the technology it uses. We certainly have the necessary technology to improve democratic functioning in any number of ways.

But these initiatives are likely to require close attention and considerable calibration to make sure they are working the way we hoped.
Since this means trial and error, the sooner we can get started, the better.

Malka Older is a writer and political scientist. She was named Senior Fellow for Technology and Risk at the Carnegie Council for Ethics in International Affairs for 2015 and has more than a decade of experience in humanitarian aid and development. Her doctoral work on the sociology of organizations at the Institut d’Études Politiques de Paris (Sciences Po) explores the dynamics of multi-level governance and disaster response using the cases of Hurricane Katrina and the Japan tsunami of 2011. Her 2015 novel Infomocracy was named one of the best science fiction novels of the year by the Washington Post.

Shamoon wiper malware returns with a vengeance

A new variant of Shamoon, the malware that wiped hard drives at Saudi Aramco and other energy companies in 2012, has struck multiple organizations in Saudi Arabia in a new campaign that researchers call a "carefully planned operation." The new variant, which is almost identical to the version used in the 2012 attacks, has replaced the message it previously displayed—which included an image of a burning American flag—with the photo of the body of Alan Kurdi, the 3-year-old Syrian refugee boy who drowned as his family tried to cross from Turkey to Greece. Bloomberg reports that digital forensics by Saudi officials indicated that the attacks were launched from Iran.
Several Saudi government agencies were among the organizations attacked. New versions of Shamoon, also known as Disttrack, have been detected by multiple information security companies, including McAfee, Symantec, Palo Alto Networks, and FireEye.
It isn't yet clear how the malware's "dropper" has gotten into the networks it has attacked.

But once on a victim's Windows system, it determines whether to install a 32-bit or 64-bit version of the malware.

According to a report from Symantec, the latest Shamoon attack was configured to automatically start wiping the disk drives of computers it had infected at 8:45am local time on November 17. The wiper malware itself uses RawDisk, a commercial software driver from EldoS that gives direct access to the disk drives of the infected system to write data—or in this case, overwrite data.

The same driver was used in the "wiper" attacks against Sony Pictures in 2014.

Before beginning the wipe, the malware sets the system clock of the infected computer back to a random date in August of 2012, according to a report from FireEye—likely to bypass code in the EldoS driver from checking for a valid license. "Analysis suggests this might be for the purposes of ensuring the [EldoS driver] that wipes the Master Boot Record (MBR) and Volume Boot Record (VBR) is within its test license validity period," the FireEye research team wrote. The new Shamoon variant attempts to spread across the network by turning on file sharing and attempting to connect to common network file shares, and it disables user access controls for remote control sessions with a Windows Registry change.

The malware attempts to connect to ADMIN$, C$\Windows, D$\Windows, and E$\Windows shares on the target systems with the local user's current privileges first.
If they aren't enough to gain access to those shares, it starts trying stolen credentials—credentials that have been hard-coded into the malware samples, indicating that the attackers had previously managed to penetrate the targeted networks and harvest user credentials for Windows domain administrators and other high-level accounts. When it finds these shares available, it copies itself into the Windows directory of the other system. While these latest malware attacks have included code to communicate with a command-and-control system, the attackers apparently disabled the code, leaving it pointed at a nonexistent server.

There was clearly no desire to exfiltrate information—though information may well have already been stolen before Shamoon was activated, and the disk wiper may have been left as a parting gift by the attackers.
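Two of the behaviours described above leave records in the Windows Security log that a detection engineer can correlate: the copy over an administrative share followed by a scheduled task on the same host (events 5140 and 4698), and the clock being set back years before the wipe (event 4616, which carries the previous and new time). The Python below is an added example written for this page, not code from Symantec, FireEye or any of the vendors cited; the event records it runs over are constructed, with invented hostnames, an invented account and addresses, and it reads a small subset of each event's fields rather than real EVTX. The rule names, the ten-minute window and the one-year rollback threshold are this example's own choices.

```python
from datetime import datetime, timedelta

# Constructed Windows Security event records (a subset of fields) from a
# small fleet. Not real Shamoon telemetry: hostnames, the account, the task
# names and the addresses are invented. Times are ISO 8601, local time.
EVENTS = [
    # Benign: a user opens an ordinary file share; no task follows.
    {"EventID": 5140, "Time": "2016-11-28T23:10:00", "Computer": "FS-01",
     "SubjectUser": "CORP\\alice", "ShareName": "\\\\*\\Public",
     "IpAddress": "10.20.1.50"},
    # Suspicious chain on WS-042: network logon, ADMIN$ opened, task created.
    {"EventID": 4624, "Time": "2016-11-28T23:40:10", "Computer": "WS-042",
     "SubjectUser": "CORP\\svc_backup", "LogonType": 3,
     "IpAddress": "10.20.1.15"},
    {"EventID": 5140, "Time": "2016-11-28T23:40:12", "Computer": "WS-042",
     "SubjectUser": "CORP\\svc_backup", "ShareName": "\\\\*\\ADMIN$",
     "IpAddress": "10.20.1.15"},
    {"EventID": 4698, "Time": "2016-11-28T23:40:20", "Computer": "WS-042",
     "SubjectUser": "CORP\\svc_backup", "TaskName": "\\Maintenance\\Cleanup"},
    # The clock on WS-042 is set back more than four years.
    {"EventID": 4616, "Time": "2016-11-28T23:41:00", "Computer": "WS-042",
     "PreviousTime": "2016-11-28T23:41:00", "NewTime": "2012-08-15T10:00:00"},
    # Benign: an admin creates a task locally, with no prior remote share access.
    {"EventID": 4698, "Time": "2016-11-29T08:05:00", "Computer": "WS-007",
     "SubjectUser": "CORP\\helpdesk", "TaskName": "\\Backup\\Nightly"},
]

ADMIN_SHARES = {"ADMIN$", "C$", "D$", "E$"}
TASK_WINDOW = timedelta(minutes=10)


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value)


def detect_share_then_task(events, window=TASK_WINDOW):
    """Flag a host when an administrative share on it was opened over the
    network (5140) and a scheduled task was registered on it (4698) within
    `window`: the copy-then-schedule pattern described for Shamoon."""
    share_hits = [
        e for e in events
        if e["EventID"] == 5140
        and e["ShareName"].rsplit("\\", 1)[-1].upper() in ADMIN_SHARES
    ]
    alerts = []
    for task in (e for e in events if e["EventID"] == 4698):
        t_task = parse_time(task["Time"])
        for hit in share_hits:
            if hit["Computer"] != task["Computer"]:
                continue
            delta = t_task - parse_time(hit["Time"])
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "rule": "admin-share-then-scheduled-task",
                    "host": task["Computer"],
                    "account": task["SubjectUser"],
                    "source_ip": hit["IpAddress"],
                    "task": task["TaskName"],
                })
                break          # one alert per task is enough
    return alerts


def detect_clock_rollback(events, min_days=365):
    """Flag a host whose system time was set back by at least `min_days`
    (4616), as the sample did to stay inside the disk driver's licence window."""
    alerts = []
    for e in events:
        if e["EventID"] != 4616:
            continue
        rolled_back = parse_time(e["PreviousTime"]) - parse_time(e["NewTime"])
        if rolled_back >= timedelta(days=min_days):
            alerts.append({
                "rule": "system-clock-rolled-back",
                "host": e["Computer"],
                "days": rolled_back.days,
            })
    return alerts


def run_detections(events):
    return detect_share_then_task(events) + detect_clock_rollback(events)


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

Both rules need the relevant audit subcategories enabled (File Share auditing for 5140, Other Object Access for 4698, Security State Change for 4616), and the share-then-task rule will also fire on legitimate software deployment that copies over ADMIN$ and schedules an installer; scoping it to accounts and source addresses that are not your deployment infrastructure is what keeps it useful.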

SpeedCast Introduces SIGMA Net

A new standard in cloud-based vessel management with security by design

Sydney, Australia, November 30, 2016 - SpeedCast International Limited (ASX: SDA), a leading global satellite communications and network service provider, today announced the official release of SIGMA Net, the new standard for shipping and remote site network management designed specifically for VSAT and MSS.

SIGMA Net is a small but powerful industrial-grade VSAT and MSS network management device designed for ships and remote sites, providing automated and efficient management of multiple WAN links. Cyber security is at the heart of SIGMA Net, which incorporates a stateful firewall and Virtual Private Networking between the vessel and the Internet plus unique methods to regulate Internet access, including rejection of update services to Windows or mobile devices. Voice calling across multiple satellite equipment is simplified via SIGMA Net’s integrated VoIP server, allowing a caller to choose the outbound call route via a prefix. National numbers can also be allocated, allowing for cost-effective calling from shore to a vessel. Feature and performance enhancements are automatically applied, ensuring that the SIGMA Net’s software is always kept up to date.

SIGMA Net offers flexible crew services, including innovative pre-paid PIN-based BYOD (Bring Your Own Device) Internet and voice calling services, allowing for simplified voucher generation and management from shore. SIGMA Net provides managed network segmentation between business critical, crew or M2M networks at the remote location.

The cloud-based SIGMA Net Portal brings a vessel or remote site closer to IT management through its innovative and secured portal. The browser-based SIGMA Net Portal provides remote management and configuration of SIGMA Net from shore. Any configuration changes made from the portal are instantly replicated to one or more SIGMA Net terminals, with full auditing of amendments recorded. Reliability and redundancy are primary features of SIGMA Net, with its configuration securely synchronized and stored to the portal. The portal also presents fully-featured and interactive reporting of all data transferred via the SIGMA Net WAN links onboard.

“SIGMA Net has introduced a new degree of connection and network management to the Danaos fleet,” said Mr V Fotinias, Vessel IT Manager at Danaos Shipping, Greece. “The SIGMA Net Portal provides a web interface that enables remote configuration of SIGMA Net terminals across our fleet. The reporting provided by the SIGMA Net Portal gives us full visibility on traffic sent and received via the WAN links. Our vessel IT support team is able to easily and quickly resolve problems on board via SIGMA Net. The Danaos crew are extremely happy with the SIGMA Net prepaid vouchers for Internet access or crew calling.”

Danaos Shipping is one of the world’s largest containership owners, with a modern fleet of 59 container ships operating globally.

“SIGMA Net is a robust and secure cloud-based management platform that will both revolutionize and simplify vessel IT administration, both for shore-based support staff and a vessel’s crew,” said Dan Rooney, Maritime Product Director for SpeedCast. “The highly-configurable and flexible prepaid voucher services allow for time-consuming administrative tasks such as voucher generation to be managed centrally, rather than relying upon the Captain.”

About SpeedCast International Limited
SpeedCast International Limited (ASX: SDA) is a leading global satellite communications and network service provider, offering high-quality managed network services in over 90 countries and a global maritime network serving customers worldwide. With a worldwide network of 42 sales and support offices and 39 teleport operations, SpeedCast has a unique infrastructure to serve the requirements of customers globally. With over 5,000 links on land and at sea supporting mission critical applications, SpeedCast has distinguished itself with a strong operational expertise and a highly efficient support organization. For more information, visit http://www.speedcast.com/.

Social Media: Twitter | LinkedIn | Facebook

SpeedCast® is a trademark and registered trademark of SpeedCast International Limited. All other brand names, product names, or trademarks belong to their respective owners.

© 2016 SpeedCast International Limited. All rights reserved.

For more information, please contact:
Media:
Clara So
SpeedCast International Limited
clara.so@speedcast.com
Tel: +852 3919 6800

About Danaos Corporation
Danaos Corporation is one of the largest independent owners of modern, large-size containerships. Our current fleet of 59 containerships aggregating 353,586 TEUs, including four vessels owned jointly with Gemini Shipholdings Corporation, is predominantly chartered to many of the world's largest liner companies on fixed-rate, long-term charters. Our long track record of success is predicated on our efficient and rigorous operational standards and environmental controls. Danaos Corporation's shares trade on the New York Stock Exchange under the symbol "DAC". Please visit www.danaos.com for more information.

IT threat evolution Q3 2016. Statistics

 Download the full report (PDF) Statistics All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity. Q3 figures According to KSN data, Kaspersky Lab solutions detected and repelled 171,802,109 malicious attacks from online resources located in 190 countries all over the world. 45,169,524 unique URLs were recognized as malicious by web antivirus components. Kaspersky Lab’s web antivirus detected 12,657,673 unique malicious objects: scripts, exploits, executable files, etc. Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 1,198,264 user computers. Crypto ransomware attacks were blocked on 821,865 computers of unique users. Kaspersky Lab’s file antivirus detected a total of 116,469,744 unique malicious and potentially unwanted objects. Kaspersky Lab mobile security products detected: 1,520,931 malicious installation packages; 30,167 mobile banker Trojans (installation packages); 37,150 mobile ransomware Trojans (installation packages). Mobile threats Q3 events Pokémon GO: popular with users and hackers One of the most significant events of the third quarter was the release of Pokémon GO. Of course, cybercriminals could not ignore such a popular new product and tried to exploit the game for their own purposes. This was primarily done by adding malicious code to the original app and spreading malicious versions via third-party stores. This method was used, for example, to spread Trojan-Banker.AndroidOS.Tordow, which exploits vulnerabilities in the system to obtain root access to a device. 
With root access, this Trojan protects itself from being deleted, and it can also steal saved passwords from browsers. But perhaps the most notable case of Pokémon GO’s popularity being used to infect mobile devices involved fraudsters publishing a guide for the game in the official Google Play store. The app turned out to be an advertising Trojan capable of gaining root access to a device by exploiting vulnerabilities in the system. We later came across two more modifications of this Trojan, which were added to Google Play under the guise of different apps. According to Google Play data, one of them, imitating an equalizer, was installed between 100,000 and 500,000 times. Trojan.AndroidOS.Ztorg.ad in the official Google Play store Interestingly, one of the methods used by the cybercriminals to promote the Trojan was a company that pays users for the installation of advertising apps. Screenshot of the app that prompts the user to install the Trojan for 5 cents According to this company’s rules, it doesn’t work with users whose devices have root access. The users may be looking to earn some money, but they end up with an infected device and don’t actually receive any money, because after infection the device gains root access. Ad with a Trojan The most popular mobile Trojan in the third quarter of 2016 was Trojan-Banker.AndroidOS.Svpeng.q. During the quarter, the number of users attacked by it grew almost eightfold. Over 97% of users attacked by Svpeng were located in Russia. The attackers managed to make the Trojan so popular by advertising it via Google AdSense – one of the most popular advertising networks on the Russian Internet. Many popular sites use it to display targeted advertising. Anyone can pay to register their ad on the network, and that was exactly what the attackers did. Along with the advert, however, they added the AdSense Trojan. When a user visited the page with the advert, Svpeng was downloaded to their device. 
Bypassing protection mechanisms in Android 6

In our report for the second quarter of 2016 we mentioned the Trojan-Banker.AndroidOS.Asacub family that can bypass several system controls. Of special note this quarter is the Trojan-Banker.AndroidOS.Gugi family that has learned to bypass the security mechanisms introduced in Android 6 by tricking the user. The Trojan first requests rights to overlay other applications, and then uses those rights to trick the user into giving it privileges to work with text messages and to make calls.

Trojan ransomware in the Google Play store

In the third quarter, we registered the propagation of Trojan-Ransom.AndroidOS.Pletor.d, a mobile ransomware program, via Google Play. The Trojan imitated an app for servicing devices, including deleting unnecessary data, speeding up device performance and even antivirus protection.

[Image: Trojan-Ransom.AndroidOS.Pletor.d in Google Play]

The Trojan checks which country the device is located in, and if it is not Russia or Ukraine, it requests administrator rights and calls the command server. Earlier versions of this Trojan encrypted user data, but this modification doesn’t possess such functionality. Instead, the Trojan blocks operation of the device by opening a window that covers all other open windows and demanding a ransom to unblock it.

Mobile threat statistics

In Q3 2016, Kaspersky Lab detected 1,520,931 malicious installation packages, which is 2.3 times fewer than in the previous quarter.

[Figure: Number of detected malicious installation packages (Q4 2015 – Q1 2016)]

Distribution of mobile malware by type

[Figure: Distribution of new mobile malware by type (Q2 2016 and Q3 2016)]

In Q3 2016, RiskTool software, or legitimate applications that are potentially dangerous to users, topped the rating of malicious objects detected for mobile devices. Their share continued to grow from 45.1% in Q2 to 55.8% this quarter.
Due to the large number of RiskTool programs and the considerable increase in their overall share of the total flow of detected objects, the proportion of almost all other types of malicious programs decreased, even where the actual number of detected programs increased compared to the previous quarter. The most affected was Trojan-Ransom – its share decreased from 5.72% to 2.37%. This was caused by a decline in activity by the Trojan-Ransom.AndroidOS.Fusob family (covered in more detail below). At the same time, we registered a slight growth in the share of Trojan-Bankers – from 1.88% to 1.98%.

TOP 20 mobile malware programs

Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.

     Name                                    % of attacked users*
 1   DangerousObject.Multi.Generic           78.46
 2   Trojan-Banker.AndroidOS.Svpeng.q        11.45
 3   Trojan.AndroidOS.Ztorg.t                 8.03
 4   Backdoor.AndroidOS.Ztorg.c               7.24
 5   Backdoor.AndroidOS.Ztorg.a               6.55
 6   Trojan-Dropper.AndroidOS.Agent.dm        4.91
 7   Trojan.AndroidOS.Hiddad.v                4.55
 8   Trojan.AndroidOS.Agent.gm                4.25
 9   Trojan-Dropper.AndroidOS.Agent.cv        3.67
10   Trojan.AndroidOS.Ztorg.aa                3.61
11   Trojan-Banker.AndroidOS.Svpeng.r         3.44
12   Trojan.AndroidOS.Ztorg.pac               3.31
13   Trojan.AndroidOS.Iop.c                   3.27
14   Trojan.AndroidOS.Muetan.b                3.17
15   Trojan.AndroidOS.Vdloader.a              3.14
16   Trojan-Dropper.AndroidOS.Triada.s        2.80
17   Trojan.AndroidOS.Muetan.a                2.77
18   Trojan.AndroidOS.Triada.pac              2.75
19   Trojan-Dropper.AndroidOS.Triada.d        2.73
20   Trojan.AndroidOS.Agent.eb                2.63

* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab’s mobile security product that were attacked.

First place is occupied by DangerousObject.Multi.Generic (78.46%), the verdict used for malicious programs detected using cloud technologies.
Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object. This is basically how the very latest malware is detected.

In Q3 2016, 17 Trojans that use advertising as their main means of monetization (highlighted in blue in the report’s table) made it into the TOP 20. Their goal is to deliver as many adverts as possible to the user, employing various methods, including the installation of new adware. These Trojans may use superuser privileges to conceal themselves in the system application folder, from which it will be very difficult to delete them.

With root access on the device, Trojans can do many different things without the user being aware, such as installing apps from Google Play, including paid apps. It’s worth noting that the Trojans from the Ztorg family, which occupied four places in the TOP 20, are often distributed via the official Google Play store. Since the end of 2015, we have registered more than 10 such cases (including a fake guide for Pokemon GO). Several times the Trojan notched up over 100,000 installations, and on one occasion it was installed more than 500,000 times.

[Image: Trojan.AndroidOS.Ztorg.ad masquerading as a guide for Pokemon GO in Google Play]

The ranking also included two representatives of the Trojan-Banker.AndroidOS.Svpeng mobile banker family. As we mentioned above, Svpeng.q became the most popular malware in the third quarter of 2016. This was down to the Trojan being distributed via the AdSense advertising network, which is used by a large number of sites on the Russian segment of the Internet.
The geography of mobile threats

[Figure: The geography of attempted mobile malware infections in Q3 2016 (percentage of all users attacked)]

TOP 10 countries attacked by mobile malware (ranked by percentage of users attacked)

     Country*          % of users attacked**
 1   Bangladesh        35.57
 2   Nepal             31.54
 3   Iran              31.38
 4   China             26.95
 5   Pakistan          26.83
 6   Indonesia         26.33
 7   India             24.35
 8   Nigeria           22.88
 9   Algeria           21.82
10   The Philippines   21.67

* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.

Bangladesh topped the rating, with almost 36% of users there encountering a mobile threat at least once during the quarter. China, which came first in this rating two quarters in a row, dropped to fourth place.

The most popular mobile malware in all the countries of this rating (except China) was the same – advertising Trojans that mostly belonged to the Ztorg, Iop, Hiddad and Triada families. A significant proportion of attacks in China also involved advertising Trojans, but the majority of users there encountered Trojans from the Backdoor.AndroidOS.GinMaster and Backdoor.AndroidOS.Fakengry families.

Russia (12.1%) came 24th in this rating, France (6.7%) 52nd, the US (5.3%) 63rd, Italy (5.1%) 65th, Germany (4.9%) 68th, and the United Kingdom (4.7%) 71st. The situation in Germany and Italy has improved significantly: in the previous quarter, 8.5% and 6.2% of users in those countries respectively were attacked. This was due to a decline in activity by the Fusob family of mobile ransomware.

The safest countries were Austria (3.3%), Croatia (3.1%) and Japan (1.7%).

Mobile banking Trojans

Over the reporting period, we detected 30,167 installation packages for mobile banking Trojans, which is 1.1 times as many as in Q2.
[Figure: Number of installation packages for mobile banking Trojans detected by Kaspersky Lab solutions (Q4 2015 – Q3 2016)]

Trojan-Banker.AndroidOS.Svpeng became the most popular mobile banking Trojan in Q3 due to its active distribution via the advertising network AdSense. More than half the users that encountered mobile banking Trojans in the third quarter faced Trojan-Banker.AndroidOS.Svpeng.q. It was constantly increasing the rate at which it spread – in September the number of users attacked by the Trojan was almost eight times greater than in June.

[Figure: The number of unique users attacked by the Trojan-Banker.AndroidOS.Svpeng banking Trojan family (June-September 2016)]

Over 97% of attacked users were in Russia. This family of mobile banking Trojans uses phishing windows to steal credit card data and logins and passwords from online banking accounts. In addition, fraudsters steal money via SMS services, including mobile banking.

[Figure: Geography of mobile banking threats in Q3 2016 (percentage of all users attacked)]

TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)

     Country*      % of users attacked**
 1   Russia        3.12
 2   Australia     1.42
 3   Ukraine       0.95
 4   Uzbekistan    0.60
 5   Tajikistan    0.56
 6   Kazakhstan    0.51
 7   China         0.49
 8   Latvia        0.47
 9   Russia        0.41
10   Belarus       0.37

* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.

In Q3 2016, first place was occupied by Russia (3.12%) where the proportion of users that encountered mobile banker Trojans almost doubled from the previous quarter. In second place again was Australia (1.42%), where the Trojan-Banker.AndroidOS.Acecard and Trojan-Banker.AndroidOS.Marcher families were the most popular threats.
The most widely distributed mobile banking Trojans in Q3 were representatives of the Svpeng, Faketoken, Regon, Asacub, Gugi and Grapereh families. In particular, the third quarter saw the Trojan-Banker.AndroidOS.Gugi family learn how to bypass protection mechanisms in Android by tricking users.

Mobile Ransomware

In Q3 2016, we detected 37,150 mobile Trojan-Ransomware installation packages.

[Figure: Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab (Q4 2015 – Q3 2016)]

The sharp rise in the number of mobile Trojan-Ransomware installation packages in Q1 and Q2 of 2016 was caused by the active proliferation of the Trojan-Ransom.AndroidOS.Fusob family of Trojans. In the first quarter of 2016, this family accounted for 96% of users attacked by mobile ransomware; in Q2 it accounted for 85%. Its share in Q3 was 73%.

[Figure: Number of users attacked by the Trojan-Ransom.AndroidOS.Fusob family, January-September 2016]

The highest number of users attacked by the mobile Trojan-Ransomware family was registered in March 2016. Since then the amount of attacked users has been decreasing, especially in Germany. Despite this, Trojan-Ransom.AndroidOS.Fusob.h remained the most popular mobile Trojan-Ransomware in the third quarter, accounting for nearly 53% of users attacked by mobile ransomware. Once run, the Trojan requests administrator privileges, collects information about the device, including GPS coordinates and call history, and downloads the data to a malicious server. After that, it may receive a command to block the device.
[Figure: Geography of mobile Trojan-Ransomware in Q3 2016 (percentage of all users attacked)]

TOP 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked)

     Country*       % of users attacked**
 1   Canada         0.95
 2   USA            0.94
 3   Kazakhstan     0.71
 4   Germany        0.63
 5   UK             0.61
 6   Mexico         0.58
 7   Australia      0.57
 8   Spain          0.54
 9   Italy          0.53
10   Switzerland    0.51

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab’s mobile security product in the country.

In all the TOP 10 countries apart from Kazakhstan, the most popular Trojan-Ransom family was Fusob. In the US, the Trojan-Ransom.AndroidOS.Svpeng family was also popular. This Trojan family emerged in 2014 as a modification of the Trojan-Banker.AndroidOS.Svpeng family. These Trojans demand a ransom of $100-$500 from victims to unblock their devices.

In Kazakhstan, the main threat to users originated from representatives of the Small mobile Trojan-Ransom family. This is a fairly simple ransomware program that blocks the operation of a device by overlaying all the windows with its own and demanding $10 to remove it.

Vulnerable apps exploited by cybercriminals

In Q3 2016, the Neutrino exploit kit departed the cybercriminal market, following in the wake of Angler and Nuclear which also left the market in the previous quarter. RIG and Magnitude remain active. RIG was especially prominent – it has quickly filled the vacant niche on the exploit kit market.
This is the overall picture for the use of exploits this quarter:

[Figure: Distribution of exploits used in attacks by the type of application attacked, Q3 2016]

Exploits for different browsers and their components (45%) once again topped the rating, although their share decreased by 3 percentage points. They are followed by exploits for Android OS vulnerabilities (19%), whose share fell 5 p.p. in the third quarter. Exploits for Microsoft Office rounded off the top three. Their contribution actually saw an increase from 14% to 16% in Q3.

Exploits for Adobe Flash Player remained popular. In fact, their share more than doubled from 6% to 13%. This was caused by the aforementioned RIG exploit kit: its use in several campaigns saw the share of SWF exploits increase dramatically.

Online threats (Web-based attacks)

The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.

In the third quarter of 2016, Kaspersky Lab’s web antivirus detected 12,657,673 unique malicious objects (scripts, exploits, executable files, etc.) and 45,169,524 unique URLs were recognized as malicious by web antivirus components. Kaspersky Lab solutions detected and repelled 171,802,109 malicious attacks from online resources located in 190 countries all over the world.

Online threats in the banking sector

These statistics are based on detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.

Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 1,198,264 computers in Q3 2016.
The number of users attacked by financial malware increased by 5.8% from the previous quarter (1,132,031). The third quarter is traditionally holiday season for many users of online banking services in Europe, which means the number of online payments made by these users increases during this period. This inevitably sees an increase in financial risks.

[Figure: Number of users attacked by financial malware, Q3 2016]

In Q3, the activity of financial threats grew month on month.

Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans worldwide, we calculate the percentage of Kaspersky Lab product users in the country who encountered this type of threat during the reporting period, relative to all users of our products in that country.

[Figure: Geography of banking malware attacks in Q3 2016 (percentage of attacked users)]

TOP 10 countries by percentage of attacked users

     Country*      % of attacked users**
 1   Russia        4.20
 2   Sri Lanka     3.48
 3   Brazil        2.86
 4   Turkey        2.77
 5   Cambodia      2.59
 6   Ukraine       1.90
 7   Venezuela     1.90
 8   Vietnam       1.86
 9   Argentina     1.86
10   Uzbekistan    1.77

These statistics are based on detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by banking Trojan attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In the third quarter of 2016, Russia had the highest proportion of users attacked by banking Trojans. Representatives of the Trojan-Banker ZeuS (Zbot) family, which leads the way in terms of the number of attacked users worldwide, were especially active in Russia. This is unsurprising since Russian cybercriminals are allegedly behind the development of this malware.
They know the specifics of Russia’s online banking systems as well as the mentality of Russian users and take them into consideration when developing their malware. In Russia, the Gozi banking Trojan continues to proliferate. It displayed a burst of activity in the previous quarter after its developers joined forces with the creators of the Nymaim Trojan. Russia also topped the TOP 10 countries with the highest proportion of users attacked by mobile bankers.

Sri Lanka, a favorite destination with tourists, was a newcomer to the rating, going straight in at second. Financial threats were encountered by 3.48% of users in the country. Among them are likely to be foreigners who arrived in the country on holiday and used online banking services to make payments. The most active representatives of banking malware in the region were those from the Fsysna banker family. This family has previously been noted for attacks targeting customers of Latin American banks.

Brazil rounds off the top three for the second quarter in a row. In Q2, we forecast a surge of financial threat activity in Latin America and specifically in Brazil because of this summer’s Olympic Games. However, the increase in the proportion of users attacked in Brazil was negligible: in the third quarter, 2.86% of users in Brazil encountered financial threats compared to 2.63% in Q2. At the same time, users in Argentina were subjected to a surge in malicious attacks, and as a result, the country ranked ninth.

The holiday season affected almost all countries in the TOP 10. In Russia, Ukraine and Uzbekistan, people traditionally have vacations at this time of the year, while other countries (Sri Lanka, Brazil, Turkey, Cambodia, etc.) are considered popular tourist destinations. Tourists tend to be active users of online banking systems, which in turn attracts cybercriminals and their banking malware.
The share of banking Trojan victims in Italy was 0.60%, in Spain it was 0.61%, while in Germany and the UAE the figures were 1.21% and 1.14% respectively.

The TOP 10 banking malware families

The table below shows the TOP 10 malware families used in Q3 2016 to attack online banking users (as a percentage of users attacked):

     Name*                                    % of attacked users**
 1   Trojan-Spy.Win32.Zbot                    34.58
 2   Trojan.Win32.Qhost/Trojan.BAT.Qhost       9.48
 3   Trojan.Win32.Fsysna                       9.467
 4   Trojan-Banker.Win32.Gozi                  8.98
 5   Trojan.Win32.Nymaim                       8.32
 6   Trojan-Banker.Win32.Shiotob               5.29
 7   Trojan-Banker.Win32.ChePro                3.77
 8   Trojan-Banker.Win32.BestaFera             3.31
 9   Trojan-Banker.Win32.Banbra                2.79
10   Trojan.Win32.Neurevt                      1.79

* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.

The undisputed leader of the rating is Trojan-Spy.Win32.Zbot. Its source codes have been publicly available since a leak and are now widely exploited as an easy-to-use tool for stealing user payment data. Unsurprisingly, this malware consistently tops this rating – cybercriminals regularly enhance the family with new modifications compiled on the basis of the source code and containing minor differences from the original.

The family of Qhost Trojans (verdicts Trojan.Win32.Qhost and Trojan.BAT.Qhost) came second. The functionality of this family’s malicious programs is relatively simple: the Trojan modifies the content of the hosts file (a text file that maps domain names to the network addresses of hosts, consulted before DNS), and as soon as specific resources are visited, the Trojan’s malicious components are loaded to an infected workstation and used to steal payment information.
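A defender can catch the Qhost technique described above by auditing the hosts file for entries that pin domains it should never pin. The script below is an added example, not Kaspersky Lab code; the hosts lines and the watchlist domains (bank.example, updates.av-vendor.example) are constructed for illustration, and the address 192.0.2.10 is from the TEST-NET-1 documentation range rather than any real attacker infrastructure. It flags a watchlisted domain either redirected to some other address or blackholed to loopback/unspecified.

```python
"""Audit a hosts file for hijacked or blackholed entries (hosts-file tampering
as used by the Qhost family). Added example with constructed sample data."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed watchlist: domains that must never be overridden in the hosts
# file of a managed workstation (assumption for this example).
WATCHLIST = {
    "bank.example",                 # hypothetical online banking portal
    "updates.av-vendor.example",    # hypothetical antivirus update server
}

# Constructed sample hosts file. The last three entries are what a Qhost-style
# modification looks like: the bank redirected elsewhere, the AV site blackholed.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example
192.0.2.10      bank.example www.bank.example   # TEST-NET-1, constructed
127.0.0.1       updates.av-vendor.example
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for every non-comment, non-empty line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                    # address without a name: ignore
            continue
        entries.append((parts[0], parts[1:]))
    return entries


def audit_hosts(text: str, watchlist=WATCHLIST) -> List[Dict[str, str]]:
    """Flag watchlisted domains that the hosts file redirects or blackholes."""
    findings = []
    for addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append({"host": " ".join(names), "addr": addr,
                             "reason": "unparseable address"})
            continue
        for name in names:
            base = name[4:] if name.startswith("www.") else name
            if base not in watchlist:
                continue
            if ip.is_loopback or ip.is_unspecified:
                reason = "watchlisted domain blackholed"
            else:
                reason = "watchlisted domain redirected"
            findings.append({"host": name, "addr": addr, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"{f['reason']}: {f['host']} -> {f['addr']}")
```

Run on a live system the text would come from C:\Windows\System32\drivers\etc\hosts or /etc/hosts; the watchlist is the part to tailor, and a baseline hash of the file plus a file-integrity alert on change is the cheaper complement to this content check.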
The Trojan adds a number of records to the hosts file preventing the user’s browser from connecting to web-based apps and resources of popular antivirus vendors.

The Q3 rating also includes a new malware representative that has already demonstrated its capabilities in Sri Lanka – the Trojan.Win32.Fsysna family of banking Trojans. Members of this family, in addition to stealing payment data from infected workstations, are also used by cybercriminals to distribute spam. The Trojan uses an infected machine to redirect spam messages from the command center to a mail server. Some representatives of this family also possess Trojan cryptor functionality. Fsysna is a kind of ‘Swiss army knife’ used by cybercriminals to steal money.

Q3 2016 saw a decline in the activity of the notorious financial threat Trojan-Spy.Win32.Lurk: the number of users attacked by this malware fell by 7.1%. Lurk was not included in the TOP 10 banking malware families, but it still poses a threat to users of online banking systems. The cybercriminal group behind this financial threat has been arrested (something we wrote about in a separate article), so we expect to see a further decrease in activity by this banking Trojan next quarter.

Ransomware Trojans

Cryptors are currently one of the biggest threats to users and companies. These malicious programs are becoming more and more popular in the cybercriminal world because they are capable of generating large profits for their owners.

A total of 21 new cryptor families and 32,091 new modifications were detected in Q3. We also added several existing cryptor families to our virus collection. The number of new cryptor families added to our virus collection is slightly less than in the second quarter (25), but the number of newly created modifications increased 3.5 times compared to the previous quarter.

[Figure: The number of newly created cryptor modifications, Q1 – Q3 2016]

Malware writers are constantly trying to improve their creations.
New ways to infect computers are always being sought, especially for attacks on companies, which cybercriminals see as far more profitable than attacks on standard users.

Remote launching of cryptors by cybercriminals

We are increasingly seeing incidents where cybercriminals crack passwords to gain remote access to a victim’s system (usually an organization) and infect a compromised machine with Trojan ransomware. Examples of this in Q3 were Dcryptor and Xpan.

Dcryptor/Mamba

Trojan-Ransom.Win32.Dcryptor is known on the Internet under the pseudonym ‘Mamba’. Infection is carried out manually. The fraudsters brute-force the passwords for remote access to the victim machine and run the Trojan, passing on the password for encryption as a command line argument.

During infection, the Trojan uses the legitimate DiskCryptor utility. As a result, it’s not just individual files on network drives that are infected but entire hard drive sectors on the local machine. System boot is blocked: once the computer is started, a message appears on the screen demanding a ransom and displaying an email address for communicating with the attackers.

This Trojan reminds us of the notorious Petya/Mischa Trojan and continues the growing trend of cybercriminals looking for new ways to block access to data.

Xpan/TeamXRat ransomware

Trojan-Ransom.Win32.Xpan is yet another example of ransomware that is launched after attackers remotely penetrate a system. This Trojan is distributed by Brazilian cybercriminals. They brute-force the RDP password (the standard protocol for remote access to Windows computers) and infect the compromised system using the Xpan Trojan that encrypts files and displays a ransom demand.

Ransomware in scripting languages

Another trend that has attracted our attention is the growing number of cryptors written in scripting languages.
In the third quarter of 2016, we came across several new families written in Python:

HolyCrypt (Trojan-Ransom.Python.Holy)
CryPy (Trojan-Ransom.Python.Kpyna)
Trojan-Ransom.Python.Agent

Another example that emerged in June was Stampado (Trojan-Ransom.Win32.Stampa) written in AutoIt, the automation language.

The number of users attacked by ransomware

In Q3 2016, 821,865 unique KSN users were attacked by cryptors – that is 2.6 times more than the previous quarter.

[Figure: Number of unique users attacked by Trojan-Ransom cryptor malware (Q3 2016)]

The largest contribution was made by representatives of the Trojan-Downloader.JS.Cryptoload family. These Trojan downloaders, written in JavaScript, were designed to download and install representatives of different cryptor families in the system.

[Figure: Geography of Trojan-Ransom attacks in Q3 2016 (percentage of attacked users)]

Top 10 countries attacked by cryptors

     Country*     % of users attacked by cryptors**
 1   Japan        4.83
 2   Croatia      3.71
 3   Korea        3.36
 4   Tunisia      3.22
 5   Bulgaria     3.20
 6   Hong Kong    3.14
 7   Taiwan       3.03
 8   Argentina    2.65
 9   Maldives     2.63
10   Australia    2.56

* We excluded those countries where the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.

As in the previous quarter, Japan topped this rating. Newcomers to this Top 10 were Tunisia, Hong Kong, Argentina, and Australia, with Italy, Djibouti, Luxembourg, and the Netherlands all making way.
Top 10 most widespread cryptor families

     Name              Verdict*                                                  % of attacked users**
 1   CTB-Locker        Trojan-Ransom.Win32.Onion / Trojan-Ransom.NSIS.Onion      28.34
 2   Locky             Trojan-Ransom.Win32.Locky                                  9.60
 3   CryptXXX          Trojan-Ransom.Win32.CryptXXX                               8.95
 4   TeslaCrypt        Trojan-Ransom.Win32.Bitman                                 1.44
 5   Shade             Trojan-Ransom.Win32.Shade                                  1.10
 6   Cryakl            Trojan-Ransom.Win32.Cryakl                                 0.82
 7   Cryrar/ACCDFISA   Trojan-Ransom.Win32.Cryrar                                 0.73
 8   Cerber            Trojan-Ransom.Win32.Zerber                                 0.59
 9   CryptoWall        Trojan-Ransom.Win32.Cryptodef                              0.58
10   Crysis            Trojan-Ransom.Win32.Crusis                                 0.51

* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.

CTB-Locker once again occupied first place in Q3. The top three also included the now infamous Locky and CryptXXX. Despite the fact that the owners of TeslaCrypt disabled their servers and posted a master key to decrypt files back in May 2016, it continues to make it into our rating (although its contribution dropped by 5.8 times in Q3).

Crysis

Crysis (verdict Trojan-Ransom.Win32.Crusis) was a newcomer to the TOP 10 in Q3. This Trojan was first detected in February 2016 and since then has undergone several code modifications.

Interestingly, the list of email addresses used for ransom demands by the distributors of Crysis partly matches the list associated with the Cryakl and Aura Trojans. Analysis of the executable files from these families, however, shows that they do not share the same code. It appears that these malicious programs are spread via a partner scheme, and because some distributors are distributing several different Trojans simultaneously they are using the same email address to communicate their ransom demands to the victims.
Polyglot/MarsJoke

This Trojan appeared in August 2016 (we recently published a detailed analysis of Polyglot/MarsJoke). It is not included in the TOP 10, but it does have one interesting feature: the authors have tried to imitate the well-known CTB-Locker, which tops the rating for the second quarter in a row. Both the external and internal design of this piece of malware is very similar to the “original”, but the cybercriminals made a mistake that allows files to be decrypted without paying a ransom.

Top 10 countries where online resources are seeded with malware

The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.

In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q3 2016, Kaspersky Lab solutions blocked 171,802,109 attacks launched from web resources located in 190 countries around the world. 45,169,524 unique URLs were recognized as malicious by web antivirus components. 83% of notifications about blocked web attacks were triggered by attacks coming from web resources located in 10 countries.

[Figure: Distribution of web attack sources by country, Q3 2016]

The US (33.51%) remained top of this rating in Q3. Russia (9%) dropped from second to fourth, while Germany came second with a share of 10.5%. Canada left the Top 10, with Cyprus a newcomer in ninth place (1.24%).
Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

Please note that starting this quarter, this rating only includes attacks by malicious programs that fall under the Malware class. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

     Country*                 % of users attacked**
 1   Slovenia                 30.02
 2   Bulgaria                 29.49
 3   Armenia                  29.30
 4   Italy                    29.21
 5   Ukraine                  28.18
 6   Spain                    28.15
 7   Brazil                   27.83
 8   Belarus                  27.06
 9   Algeria                  26.95
10   Qatar                    26.42
11   Greece                   26.10
12   Portugal                 26.08
13   Russia                   25.87
14   France                   25.44
15   Kazakhstan               25.26
16   Azerbaijan               25.05
17   United Arab Emirates     24.97
18   Vietnam                  24.73
19   China                    24.19
20   Albania                  23.23

These statistics are based on detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** Unique users whose computers have been targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

On average, 20.2% of computers connected to the Internet globally were subjected to at least one Malware-class web attack during the quarter.
[Figure: Geography of malicious web attacks in Q3 2016 (ranked by percentage of users attacked)]

The countries with the safest online surfing environments included Croatia (14.21%), the UK (14.19%), Singapore (13.78%), the US (13.45%), Norway (13.07%), Czech Republic (12.80%), South Africa (11.98%), Sweden (10.96%), Korea (10.61%), the Netherlands (9.95%), Japan (9.78%).

Local threats

Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q3 2016, Kaspersky Lab’s file antivirus detected 116,469,744 unique malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

Please note that starting this quarter, the rating of malicious programs only includes Malware-class attacks. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.
     Country*                 % of users attacked**
 1   Vietnam                  52.07
 2   Afghanistan              52.00
 3   Yemen                    51.32
 4   Somalia                  50.78
 5   Ethiopia                 50.50
 6   Uzbekistan               50.15
 7   Rwanda                   50.14
 8   Laos                     49.27
 9   Venezuela                49.27
10   Philippines              47.69
11   Nepal                    47.01
12   Djibouti                 46.49
13   Burundi                  46.17
14   Syria                    45.97
15   Bangladesh               45.48
16   Cambodia                 44.51
17   Indonesia                43.31
18   Tajikistan               43.01
19   Mozambique               42.98
20   Myanmar                  42.85

These statistics are based on detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users' computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.

* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** Unique users in the country whose computers blocked Malware-class local threats, as a percentage of all unique users of Kaspersky Lab products in that country.

An average of 22.9% of computers globally faced at least one Malware-class local threat during the third quarter.

The safest countries in terms of local infection risks were: Spain (14.68%), Singapore (13.86%), Italy (13.30%), Finland (10.94%), Norway (10.86%), France (10.81%), Australia (10.77%), Czech Republic (9.89%), Croatia (9.70%), Ireland (9.62%), Germany (9.16%), the UK (9.09%), Canada (8.92%), Sweden (8.32%), the USA (8.08%), Denmark (6.53%), and Japan (6.53%).

Aporeto Rolls Out Open-Source Security Project for Kubernetes, Docker

Network isolation isn't the only way to secure application containers anymore, so Aporeto unveils a new security model for containers running in Docker or as part of a Kubernetes cluster.

Dimitri Stiliadis co-founded software-defined networking (SDN) vendor Nuage Networks in 2011 in a bid to help organizations improve agility and security via network isolation.
In the container world, however, network isolation alone isn't always enough to provide security, which is why Stiliadis founded Aporeto in August 2015. On Nov. 1, Aporeto announced its open-source Trireme project, providing a new security model for containers running in Docker or as part of a Kubernetes cluster. The name "Trireme" holds particular significance and is directly aligned with the naming of Kubernetes.

In Greek, the word "Kubernetes" ("κυβερνήτης") refers to the pilot of a ship. "Trireme is an ancient Greek attack boat that has three rows of rowers that is usually driven by a Kubernetes," Stiliadis, who is CEO of Aporeto, told eWEEK. Kubernetes in the technology world is an open-source effort, originally created by Google and now operated under the auspices of the Linux Foundation's Cloud Native Computing Foundation (CNCF), for container orchestration and management.

The Trireme project is an attempt to build a new type of security system for Kubernetes and Docker that relies on authentication and authorization, rather than just network isolation. "With just a few thousand lines of code, we can do application segmentation irrespective of network infrastructure and without the use of a firewall or VLANs," Stiliadis said. The basic challenge of application segmentation is providing the ability to restrict communications between one application and another if there is no proper policy in place that permits the communication.

The overall goal of application segmentation is to reduce the potential attack surface as well as reduce the potential for collateral damage.
If, for example, one application on a given host is compromised, it shouldn't necessarily need to impact all the other applications on the same host or container cluster. With network segmentation approaches, the solution to application isolation is to make sure that applications are placed on different network segments that can't connect to each other, Stiliadis said.

In his view, the network isolation approach doesn't scale easily and adds increased complexity. "The root fallacy in the network isolation approach to security is that network reachability means authorization," Stiliadis said. "The fact that one container can somehow connect to another, however, doesn't mean that the two containers are in fact authorized to talk to each other." The Trireme approach is different from network isolation, as it introduces authorization and authentication steps.

The promise of Trireme, according to Stiliadis, is a transparent authentication and authorization layer that is easy for developers to use and doesn't change the underlying applications. The way Trireme works is it first associates an identity with an application or a particular service.

That identity can be a Kubernetes label or Docker manifest information, as well as user-defined attributes.
Stiliadis explained that at the simplest level, a policy is created that defines when containers are able to connect to other containers as identified by a given attribute. "When a container makes a request to connect to another container, Trireme grabs the attributes and signs them digitally," he said. "We then attach that signature to the TCP SYN packet to essentially overlay a security process to the network connection." The second container validates the signature and the attributes against the policy to determine if a connection request will be granted, Stiliadis said. He emphasized that in the Trireme approach two container workloads will only be able to communicate with each other if they have the right identity and if the policy allows the connection to occur.

In Kubernetes, there are a number of security constructs already in place with the recent 1.4 milestone, and more capabilities are set to debut. Work is ongoing in the Kubernetes community for a technology called Pod Security Policy, which aims to protect users from running containers that are not secure.
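The exchange Stiliadis describes, as an added example that is not Trireme's own code: the sender signs its identity attributes and piggybacks them on the connection request, and the receiver verifies the signature before it consults policy, so reachability alone never grants access. HMAC-SHA256 under a shared key, the `;key=value;` encoding and the policy format are assumptions of this illustration, not details from the article.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"sort"
	"strings"
)

// Claims are the identity attributes (e.g. source pod labels; assumed free of ';' and '=') sent with a connection.
type Claims map[string]string

// canonical renders claims deterministically so both ends sign the same bytes.
func canonical(c Claims) string {
	parts := make([]string, 0, len(c))
	for k, v := range c {
		parts = append(parts, k+"="+v)
	}
	sort.Strings(parts)
	return ";" + strings.Join(parts, ";") + ";"
}

// Sign builds what the sender piggybacks on its TCP SYN: the canonical claims and
// an HMAC-SHA256 under a shared key, standing in for the signature (assumption).
func Sign(key []byte, c Claims) (payload string, sig []byte) {
	payload = canonical(c)
	m := hmac.New(sha256.New, key)
	m.Write([]byte(payload))
	return payload, m.Sum(nil)
}

// Authorize is the receiver's decision: drop anything whose signature fails to verify,
// then accept only if some rule (a set of required attributes; hypothetical format) matches.
func Authorize(key []byte, payload string, sig []byte, policy []Claims) bool {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(payload))
	if !hmac.Equal(m.Sum(nil), sig) {
		return false // forged or unsigned claims: reachability is not authorization
	}
	for _, rule := range policy {
		matched := true
		for k, v := range rule {
			matched = matched && strings.Contains(payload, ";"+k+"="+v+";")
		}
		if matched {
			return true
		}
	}
	return false
}
```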

According to Stiliadis, the Trireme approach is somewhat different from the Pod Security Policy in that Trireme is an effort to enable end-to-end authorization. The Trireme project is still in its early days, and there are other things that Stiliadis wants to do both in terms of open source and for his commercial company Aporeto. "As a company we have a series of other things that we're doing in order to build an actual product, but we're not ready to announce the details yet," he said. As an open-source effort, however, Stiliadis is encouraging developers to participate in the Trireme project.

Additionally, he noted that he has already started to talk to the CNCF about the project and how it might fit in. "There is a lot of room for community participation," Stiliadis said. "We see Trireme as a way to start the conversation with the community about how to properly approach security for micro-services."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Follow him on Twitter @TechJournalist.