<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>ESET ThreatBlog</title>
	
	<link>http://blog.eset.com</link>
	<description />
	<lastBuildDate>Fri, 10 Feb 2012 21:51:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/eset/blog" /><feedburner:info uri="eset/blog" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>eset/blog</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><item>
		<title>ACTA and TPP: The wrong approach to intellectual property protection</title>
		<link>http://feedproxy.google.com/~r/eset/blog/~3/4pZ3X-p_WKo/acta-and-tpp-the-wrong-approach-to-intellectual-property-protection</link>
		<comments>http://blog.eset.com/2012/02/10/acta-and-tpp-the-wrong-approach-to-intellectual-property-protection#comments</comments>
		<pubDate>Fri, 10 Feb 2012 19:08:37 +0000</pubDate>
		<dc:creator>Andrew Lee</dc:creator>
				<category><![CDATA[ACTA]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Intellectual Property]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[PIPA]]></category>
		<category><![CDATA[SOPA]]></category>
		<category><![CDATA[TPP]]></category>
		<category><![CDATA[IP]]></category>

		<guid isPermaLink="false">http://blog.eset.com/?p=11578</guid>
		<description><![CDATA[This weekend there will be street protests in Europe against ACTA, the Anti-Counterfeiting Trade Agreement. I want to put on record ESET North America&#8217;s opposition to ratification of this agreement while applauding the actions of countries such as Poland, Slovakia, Latvia, the Czech Republic and Germany in withholding or delaying ratification. I would encourage anyone ... <a href="http://blog.eset.com/2012/02/10/acta-and-tpp-the-wrong-approach-to-intellectual-property-protection"><strong>Read More...</strong></a>]]></description>
			<content:encoded><![CDATA[<p>This weekend there will be <a href="http://www.techdirt.com/articles/20120203/01072617645/watch-out-widespread-protests-against-acta-spreading-across-europe.shtml" target="_blank">street protests in Europe against ACTA</a>, the Anti-Counterfeiting Trade Agreement. I want to put on record ESET North America&#8217;s opposition to ratification of this agreement while applauding the actions of countries such as Poland, Slovakia, Latvia, the Czech Republic and Germany in withholding or delaying ratification. I would encourage anyone who shares this view to <a href="http://killacta.org/#code" target="_blank">make their voice heard</a>. </p>
<p>But why is it that ESET, a company built on the licensing of intellectual property, a company that fights running battles with counterfeiters, is opposed to ACTA and the closely related TPP or Trans-Pacific Partnership?</p>
<p>Three months ago I posted an <a href="http://blog.eset.com/2011/11/15/sopa-and-pipa-and-dns-an-open-letter-to-congress">open letter to Congress</a> on this blog in which I expressed ESET&#8217;s opposition to a number of provisions in a pair of bills, the Stop Online Piracy Act (SOPA), and the Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act (PROTECT-IPA or PIPA). I thought it was important for people to know that ESET, whose software is used by more than 100 million people in over 180 countries, had serious reservations about legislation that threatened to undermine the reliability and security of the Internet in the name of preventing piracy.</p>
<p>As a growing number of high-tech companies and concerned individuals spoke out against SOPA, legislators backed down. After a <a href="https://www.google.com/landing/takeaction/" target="_blank">massive day of action</a> in which 75,000 websites participated and 162 million people viewed the Wikipedia protest page, the chief sponsor of SOPA pulled the bill and a Senate vote on PIPA was postponed. However, the same interests who backed SOPA and PIPA have heeded neither public opinion nor the concerns of many hi-tech companies; they are still seeking to use international trade agreements as a &#8220;backdoor&#8221; to impose SOPA-style laws, not just on America, but on the rest of the world.</p>
<p>The Anti-Counterfeiting Trade Agreement and the intellectual property protection provisions of the Trans-Pacific Partnership are complex documents* that were written without legislative oversight. Now that ACTA is receiving greater <a href="http://killacta.org/#acta">public scrutiny</a> it is increasingly clear that much of its language has been crafted to meet the business interests of the same firms and trade groups that backed SOPA. As a result, countries that agree to ratify ACTA could, at the same time, weaken legal safeguards that currently exist to protect innovation, competition, and even personal privacy. For this reason, ESET is opposed to ratification of ACTA. If you agree, I urge you to act now and <a href="http://killacta.org/">make your voice heard</a>.</p>
<p>* For further information check out the <a href="http://en.wikipedia.org/wiki/Anti-Counterfeiting_Trade_Agreement">Wikipedia entry on ACTA</a> and the one-page briefing documents published by the European Digital Rights organization about the <a href="http://www.edri.org/edrigram/number10.1/whats-wrong-with-ACTA" target="_blank">impact of ACTA</a> on innovation, competition, and fundamental rights.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.eset.com/2012/02/10/acta-and-tpp-the-wrong-approach-to-intellectual-property-protection/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.eset.com/2012/02/10/acta-and-tpp-the-wrong-approach-to-intellectual-property-protection</feedburner:origLink></item>
		<item>
		<title>Facebook/app data privacy – sharing gone wild</title>
		<link>http://feedproxy.google.com/~r/eset/blog/~3/vw6XFGphEK0/facebookapp-data-privacy-sharing-gone-wild</link>
		<comments>http://blog.eset.com/2012/02/09/facebookapp-data-privacy-sharing-gone-wild#comments</comments>
		<pubDate>Fri, 10 Feb 2012 02:29:38 +0000</pubDate>
		<dc:creator>Cameron Camp</dc:creator>
				<category><![CDATA[cyberethics]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[ethics]]></category>
		<category><![CDATA[Facebook]]></category>

		<guid isPermaLink="false">http://blog.eset.com/?p=11581</guid>
		<description><![CDATA[So you browse your favorite restaurant review site and settle on a great Mediterranean restaurant, and &#8220;magically&#8221; a variety of preferences get fed back to your Facebook profile, to be shared, re-shared and re-shared, ricocheting around the internet to form purportedly value-added experiences elsewhere you visit. That’s great news if you want your preferences bounced ... <a href="http://blog.eset.com/2012/02/09/facebookapp-data-privacy-sharing-gone-wild"><strong>Read More...</strong></a>]]></description>
			<content:encoded><![CDATA[<p>So you browse your favorite restaurant review site and settle on a great Mediterranean restaurant, and &#8220;magically&#8221; a variety of preferences get fed back to your Facebook profile, to be shared, re-shared and re-shared, ricocheting around the internet to form purportedly value-added experiences elsewhere you visit. That’s great news if you want your preferences bounced around, giving websites and apps information that could possibly provide a more personalized experience wherever you visit. It’s also bad – trying to protect maddeningly automatic Personally Identifiable Information (PII) and preference sprawl, all at the speed of light.</p>
<p>There is a macro trend flooding the interwebs that almost EXPECTS users’ information to be fed and cross-fed elsewhere online.  When I signed up on pinterest.com, it expected (and indeed required) me to provide Facebook or Twitter logins, so the ooze of my information back and forth begins, in order to give me customized output based on it.</p>
<p>This “frictionless sharing” can make it devilishly difficult to control personal privacy sprawl. I have a friend who – a few years back – determined to keep his own identity completely off of the internet. This included no pictures, signing up for mandatory online services using aliases, etc. It was simpler then. Moving forward, my friend will have quite a time as more and more online services move to a 2-factor authentication scheme where users have to provide things like passwords, along with – you guessed it – Facebook/Twitter logins, which are then linked to everything else.</p>
<p>Aside from the obvious parallel of my friend feeling like he’s being forced to sign up for the Matrix, mostly to volunteer to be invaded by curiously personal floods of advertising, should he have a right to keep his own private life pretty much to himself?</p>
<p>Advertisers, on the other hand, are creatively looking for ways to get in front of more targeted eyeballs than just wide-net venues like traditional TV. One of those ways is invading the app world and embedding revenue models into things people are already doing, and monetizing the data. Your data. Well, sort of, really more like a snapshot of someone just like you, aggregated and sold as a pile of targeted data. My friend would argue that doesn’t seem very anonymous in the traditional sense. And he wouldn’t be alone.</p>
<p>For those who value their own privacy, it’s a tough road ahead. Someone remarked that we are seeing the end of the age of privacy, but at what price? Those who have had experiences with personal information spreading wildly out across the internet to those they don’t know, à la racy tropical vacation pictures involving margaritas and double-dares, know the pain incurred and subsequent reputation damage that can happen firsthand. But what can you do once your data is out there besides change your identity, and possibly lay off the margaritas? Good question, and one that lots of folks will wrestle with as the app sprawl goes wild, taking your information with it, and then trying to get it back.</p>
<p>My colleague Stephen Cobb points out <a href="http://facecrooks.com/Internet-Safety-Privacy/How-a-friends-hacked-Facebook-Account-can-compromise-your-privacy-and-security.html">an article</a> showing how a single breached Facebook account became a potential leverage point for scams aimed at the myriad friends that account owner had. This highlights that your security/privacy is only as strong as its weakest link, which might be a close friend who’s not particularly interested in either privacy or security – until they get burned, and then you do too.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.eset.com/2012/02/09/facebookapp-data-privacy-sharing-gone-wild/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.eset.com/2012/02/09/facebookapp-data-privacy-sharing-gone-wild</feedburner:origLink></item>
		<item>
		<title>Endpoint Security Webinar: Protecting your network at the sharp end</title>
		<link>http://feedproxy.google.com/~r/eset/blog/~3/_55Gl_pwPqQ/endpoint-security-webinar-protecting-your-network-at-the-sharp-end</link>
		<comments>http://blog.eset.com/2012/02/08/endpoint-security-webinar-protecting-your-network-at-the-sharp-end#comments</comments>
		<pubDate>Thu, 09 Feb 2012 00:20:13 +0000</pubDate>
		<dc:creator>Stephen Cobb</dc:creator>
				<category><![CDATA[awareness]]></category>
		<category><![CDATA[end-user security]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[resources]]></category>
		<category><![CDATA[Stephen Cobb]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[webinar]]></category>
		<category><![CDATA[Applications]]></category>
		<category><![CDATA[digital devices]]></category>
		<category><![CDATA[endpoints]]></category>
		<category><![CDATA[information system security]]></category>
		<category><![CDATA[information systems]]></category>
		<category><![CDATA[network connections]]></category>
		<category><![CDATA[operating systems]]></category>
		<category><![CDATA[webcast]]></category>

		<guid isPermaLink="false">http://blog.eset.com/?p=11564</guid>
		<description><![CDATA[I have a theory that says improving information system security&#8211;the security of our operating systems, network connections, and applications&#8211;just means the bad guys will focus more attention on our endpoints, the digital devices we use to access the information and systems we need to do our work.
Furthermore, as we improve endpoint security technology, the people ... <a href="http://blog.eset.com/2012/02/08/endpoint-security-webinar-protecting-your-network-at-the-sharp-end"><strong>Read More...</strong></a>]]></description>
			<content:encoded><![CDATA[<p>I have a theory that says improving information system security&#8211;the security of our operating systems, network connections, and applications&#8211;just means the bad guys will focus more attention on our endpoints, the digital devices we use to access the information and systems we need to do our work.</p>
<p><a href="http://blog.eset.com/wp-content/media_files/end-point-person.png"><img alt="The endpoint between the ears" class="alignright size-full wp-image-11567" height="278" src="http://blog.eset.com/wp-content/media_files/end-point-person.png" title="end-point-person" width="300" /></a>Furthermore, as we improve endpoint security technology, the people that use the endpoints will be targeted more and more by bad guys who see end users as the weak link in our data defenses. To put it another way, the real endpoint is between the ears. You need security-savvy users on your side as well as good security technology on your endpoints.</p>
<p>That&#39;s my take on why all aspects of endpoint security are so important today and I just finished recording a webinar that captures my thoughts on the subject quite well. You can access the <a href="http://www.brighttalk.com/webcast/1718/38693">recording of the webinar here</a>.</p>
<p>When you have some time&#8211;about 50 minutes or so&#8211;I hope you can take a look and a listen. I&#39;m keen to know what you think about this theory, and the practical advice I offer towards the end of the webinar about how to protect endpoints today. You will need to register to see the webinar but it only takes a moment and you won&#39;t have to divulge a whole lot of information to do so.</p>
<p>BTW, that same link will lead you to a range of recorded information security webinars that may be of interest, as well as notices about upcoming sessions you might like to attend. We also have a page that provides links to all the latest <a href="http://www.eset.com/us/business/resource-center/">ESET security resources</a> in one place. We hope you find it helpful.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.eset.com/2012/02/08/endpoint-security-webinar-protecting-your-network-at-the-sharp-end/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.eset.com/2012/02/08/endpoint-security-webinar-protecting-your-network-at-the-sharp-end</feedburner:origLink></item>
		<item>
		<title>ESET Research podcast round up</title>
		<link>http://feedproxy.google.com/~r/eset/blog/~3/IVswXG7rquM/eset-research-podcast-round-up</link>
		<comments>http://blog.eset.com/2012/02/07/eset-research-podcast-round-up#comments</comments>
		<pubDate>Tue, 07 Feb 2012 22:11:02 +0000</pubDate>
		<dc:creator>Cameron Camp</dc:creator>
				<category><![CDATA[anti-malware]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://blog.eset.com/?p=11537</guid>
		<description><![CDATA[Here are some recently released podcasts by ESET Researchers, addressing current topics such as the recent VeriSign hacks, the takedown of MegaUpload, and the problems with using good malware to catch the bad guys:
1. VeriSign, Credit Card Processor, Hacked Multiple Times
2. Mega Upload Website Shutdown by U.S. Department of Justice
3. Is The Stop Online Piracy ... <a href="http://blog.eset.com/2012/02/07/eset-research-podcast-round-up"><strong>Read More...</strong></a>]]></description>
			<content:encoded><![CDATA[<p>Here are some recently released podcasts by ESET Researchers, addressing current topics such as the recent VeriSign hacks, the takedown of MegaUpload, and the problems with using good malware to catch the bad guys:</p>
<p><strong><a href="http://www.eset.com/us/presscenter/podcasts/year-2012/">1. VeriSign, Credit Card Processor, Hacked Multiple Times</a></strong></p>
<p><strong><a href="http://www.eset.com/us/presscenter/podcasts/year-2012/">2. Mega Upload Website Shutdown by U.S. Department of Justice</a></strong></p>
<p><strong><a href="http://www.eset.com/us/presscenter/podcasts/year-2012/">3. Is The Stop Online Piracy Act Good or Bad for Businesses and Consumers?</a></strong></p>
<p><strong><a href="http://www.eset.com/us/presscenter/podcasts/year-2012/">4. Hacker Activist Group Anonymous Strikes Again</a></strong></p>
<p><strong><a href="http://www.eset.com/us/presscenter/podcasts/year-2012/">5. Can We Use Good Malware To Catch The Bad Guys</a></strong></p>
<p>We hope you get a chance to take a listen to them. We&#39;d love to know what you think. Also, if you have a suggested topic for a future program, drop us a line here in the comments section. Enjoy!</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.eset.com/2012/02/07/eset-research-podcast-round-up/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.eset.com/2012/02/07/eset-research-podcast-round-up</feedburner:origLink></item>
		<item>
		<title>Valentine’s Day Scams: For the love of money</title>
		<link>http://feedproxy.google.com/~r/eset/blog/~3/kR5uIuFNIiU/valentines-day-scams-for-the-love-of-money</link>
		<comments>http://blog.eset.com/2012/02/07/valentines-day-scams-for-the-love-of-money#comments</comments>
		<pubDate>Tue, 07 Feb 2012 21:24:24 +0000</pubDate>
		<dc:creator>Stephen Cobb</dc:creator>
				<category><![CDATA[Facebook]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[social networking]]></category>
		<category><![CDATA[Trojan]]></category>
		<category><![CDATA[Twitter]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Valentine's Day]]></category>

		<guid isPermaLink="false">http://blog.eset.com/?p=11534</guid>
		<description><![CDATA[Scam artists and cybercriminals are looking to turn romance into profit now that Valentine&#39;s Day approaches, possibly taking over your computer in the process. According to ESET researchers in Latin America, we can expect the quest for love to be leveraged as an effective social engineering ploy to enable the bad guys to infect unsuspecting ... <a href="http://blog.eset.com/2012/02/07/valentines-day-scams-for-the-love-of-money"><strong>Read More...</strong></a>]]></description>
			<content:encoded><![CDATA[<p>Scam artists and cybercriminals are looking to turn romance into profit now that Valentine&#39;s Day approaches, possibly taking over your computer in the process. According to ESET researchers in Latin America, we can expect the quest for love to be leveraged as an effective social engineering ploy to enable the bad guys to infect unsuspecting users with malicious code.</p>
<p><a href="http://blog.eset.com/wp-content/media_files/valentines-day-scam.png" rel="" style="" target="" title=""><img alt="" class="alignright size-full wp-image-11558" height="605" src="http://blog.eset.com/wp-content/media_files/valentines-day-scam.png" style="border: 1px solid gray; margin-bottom: 10px;" title="valentines-day-scam" width="328" /></a>Malware authors, always eager to exploit their victims&#39; susceptibility and curiosity, see great potential for &ldquo;romantic&rdquo; hyperlinks that lead, allegedly, to greetings cards, poems, songs or videos. On the right you can see an early example of such a &quot;card of love&quot; received in the run-up to Valentine&rsquo;s Day, 2012, analyzed by <a href="http://blogs.eset-la.com/laboratorio/2012/01/24/san-valentin-acerca-troyano-postal-amor/">our research team in Latin America</a>:</p>
<p>Apart from the disappointment that the victim might experience when he realizes that the secret admirer is no such thing, there&rsquo;s also the significant issue of the risk to all his sensitive financial information.</p>
<p>As you can see from the picture on the right, the victim receives an email &ldquo;greetings card&rdquo; that purports to be a declaration of love which appeals directly to the reader&rsquo;s romantic spirit, trying to make him believe that he is someone&rsquo;s One and Only. Then, to encourage him to download <em>malware</em>, the letter ends with three ellipses and the link inviting him to read the &ldquo;full message&rdquo;, which in reality leads to malicious content.</p>
<p>If you were to follow this link it would try to download a malicious program that is detected heuristically by ESET products as <em>a variant of Win32/Injector.HVG Trojan</em>. (According to the information gathered by our Latin America researchers, the threat in question was downloaded approximately 430 times between January 20 and 24.)</p>
<p>If there is no antivirus software running on the victim&#39;s computer and this Trojan file is downloaded and executed, then <em>Injector.HVG</em> proceeds to modify the victim&rsquo;s <em>hosts</em> file in order to divert him from certain Chilean banking sites to pages that look similar to the original, but are actually phishing sites created by cybercriminals with the sole purpose of tricking the victim into disclosing his bank details.</p>
<p>As February 14 approaches we are likely to see more malware using love and roses to reel in more victims. This time last year, ESET Latin America put together a blog post with more examples of Valentine scams, so that readers would be better prepared when surfing the Internet. What follows is a summary of their advice.</p>
<h3>1. Malware in social networks</h3>
<p><img alt="" class="size-full wp-image-11553 alignright" height="212" src="http://blog.eset.com/wp-content/media_files/san-valentin-12.png" style="border: 1px solid gray; margin-bottom: 10px;" title="san-valentin-12" width="450" />Social networks are a major vector for attacks using social engineering. We hate to pour water on romantic inclinations, but all posts in social media relating to the Valentine theme, especially eye-catching messages about special offers and exclusive gifts should be regarded with suspicion, in order to avoid infection and forestall potential threats.</p>
<p>While this example is from Twitter, various kinds of scams exploiting gift cards and other special offers are also seen frequently on Facebook.</p>
<p>In particular, be wary of messages that direct you to web pages using shortened hyperlinks, such as this one from <strong>bit.ly</strong>. While bit.ly is a very reputable service, it can be abused by the bad guys, looking for a way to mask the final destination of a link. In fact, these types of links have become a fundamental component of the attacker&rsquo;s toolkit. If you feel you really need to check out where a bit.ly link goes without clicking it, enter a plus sign on the end of the link in the browser URL field (like this: http://bitly.com/w5LAnh+)&nbsp;and you will get a page at bitly.com that shows you the final address.</p>
<h3>2. BlackHat SEO</h3>
<p>After social networks, search engines are the primary means used by the attackers to lure users to malicious sites. This is done using BlackHat SEO (Search Engine Optimization) techniques, intended to ensure that malicious websites come at or near the top in Google and other searches on keywords related to <span style="text-decoration: underline;">Valentine&#39;s Day</span>. We have a short video that explains this type of <a href="http://blog.eset.com/2011/10/20/gaddafi-and-search-poisoning-think-before-clicking-on-search-results">search engine poisoning</a>. Sometimes poisoned SEO results lead to sites that simply waste your time with survey scams while executing click-jacking to defraud advertisers. Remember, nobody is going to give you a $1,000 gift card for your opinion about Pepsi v. Coke or how often you use the Internet.</p>
<h3>3. Fake Greetings Cards</h3>
<p><a href="http://blog.eset.com/wp-content/media_files/valentine-e-card.png" rel="" style="" target="" title=""><img alt="" class="alignright size-full wp-image-11555" height="370" src="http://blog.eset.com/wp-content/media_files/valentine-e-card.png" style="border: 1px solid gray; margin-bottom: 15px;" title="valentine-e-card" width="407" /></a>If there is a cybernetic gift preferred by lovers, it is the Valentine&#39;s Day greetings card. Cybercriminals are well aware of this, which is why they circulate fake cards and fake weblinks purporting to point to such cards: in fact, they&rsquo;re pointing to malicious code.</p>
<h3>4. Privacy and theft of information</h3>
<p>Malware isn&rsquo;t the only type of threat to keep in mind. For reasons related to Valentine&#39;s Day, there are many applications associated with social networks (especially Facebook) that take advantage of their victims&rsquo; romantic susceptibilities to trick them into giving them access to far too much information.</p>
<p>As with any applications, either on Facebook or on your smartphone, be careful and check what permissions new applications are demanding before accepting!</p>
<h3>5. &ldquo;Russian Bride&rdquo;</h3>
<p>Of course, Valentine&#39;s day is not just for couples. For many single people, this is a date on which they too are more susceptible to romantic feelings and advances. So it&rsquo;s not surprising that we also tend to see greater volumes of emails trying to deceive them:</p>
<p><img alt="Russian bride scam" class="alignnone size-full wp-image-11554" height="366" src="http://blog.eset.com/wp-content/media_files/russian-bride.png" title="russian-bride" width="594" /></p>
<p>While these examples, all including Russian web-links, indicate a particularly frank sexual content, we often see emails where the content is less physical and more romantic. These scams are purportedly made on behalf of beautiful women in search of love: however, it&rsquo;s your money they love rather than you.</p>
<p><span style="color:#800080;"><strong>ESET Latin America</strong></span></p>
<p><span style="color:#800080;"><strong>Andr&eacute; Goujon and Sebastian Bortnik</strong></span></p>
<p><span style="color: rgb(128, 0, 128);"><strong>David Harley and Stephen Cobb</strong></span></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.eset.com/2012/02/07/valentines-day-scams-for-the-love-of-money/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.eset.com/2012/02/07/valentines-day-scams-for-the-love-of-money</feedburner:origLink></item>
		<item>
		<title>Your Children and Online Safety</title>
		<link>http://feedproxy.google.com/~r/eset/blog/~3/Hf_WsEqq-k0/your-children-and-online-safety</link>
		<comments>http://blog.eset.com/2012/02/06/your-children-and-online-safety#comments</comments>
		<pubDate>Mon, 06 Feb 2012 17:49:58 +0000</pubDate>
		<dc:creator>David Harley</dc:creator>
				<category><![CDATA[AVIEN]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[David Harley]]></category>
		<category><![CDATA[Eddy Willems]]></category>
		<category><![CDATA[education]]></category>
		<category><![CDATA[ESET Ireland]]></category>
		<category><![CDATA[Urban Schrott]]></category>
		<category><![CDATA[child safety]]></category>
		<category><![CDATA[family safety]]></category>
		<category><![CDATA[safety online]]></category>

		<guid isPermaLink="false">http://blog.eset.com/?p=11523</guid>
		<description><![CDATA[A few years ago, from time to time I used to visit the school where my wife taught IT, to talk to some of their students about IT security. In fact, we wrote a paper at that time (along with my good friend Eddy Willems), based on some research data we gathered between us in the ... <a href="http://blog.eset.com/2012/02/06/your-children-and-online-safety"><strong>Read More...</strong></a>]]></description>
			<content:encoded><![CDATA[<p>A few years ago, from time to time I used to visit the school where my wife taught IT, to talk to some of their students about IT security. In fact, we wrote a paper at that time (along with my good friend Eddy Willems), based on some research data we gathered between us in the UK and Belgium about student knowledge of and attitude towards security issues: <a href="http://smallbluegreenblog.wordpress.com/2009/03/11/teach-your-children-well/">Teach Your Children Well &#8211; ICT Security and the Younger Generation</a>. We also drew on the same data for a chapter in the <a href="http://www.elsevierdirect.com/product.jsp?isbn=9781597491648">AVIEN Guide to Malware Defense for the Enterprise</a>.</p>
<p>All that was six or seven years ago, but the online safety of the younger generation is an ongoing concern. However, Urban Schrott, my colleague at ESET Ireland, while considering the same issue, came up with an angle with an unexpected resonance.&nbsp;A teacher is expected to act to some extent &quot;<a href="http://www.tes.co.uk/article.aspx?storycode=370916">in loco parentis</a>&quot; during school hours &#8211; that is, to take on some of the role of a parent, though exactly what that means is open to debate, and indeed varies widely according to which part of the world you live in &#8211; but sometimes teachers feel that their role has been extended far beyond education and into areas that are closer to the role of a nanny or au pair. Urban&#39;s article, though concerned with IT issues rather than the pastoral side of education, asks, rather pertinently, &quot;<a href="http://w3.eset.ie/blog_scrape/index.php?loc=/2012/02/06/has-the-web-become-a-nanny-for-irish-parents/">Has the web become a nanny for Irish&nbsp;parents?</a>&quot;</p>
<p>ESET Ireland commissioned a survey from Am&aacute;rach Research, to find out how Irish parents supervise their kids&rsquo; activities online. It may not surprise you that 73% out of a sample population of over 1000 parents said that they don&#39;t supervise their children&#39;s access to the web. However, you might be surprised to see how many children surf unsupervised at a much younger age: certainly I was. <a href="http://blog.eset.com/wp-content/media_files/irish-nanny.png"><img alt="" class="alignnone size-full wp-image-11524" height="333" src="http://blog.eset.com/wp-content/media_files/irish-nanny.png" title="irish nanny" width="542" /></a></p>
<p>Urban suggests, convincingly, that &quot;most parents will probably say <em>&ldquo;But my child knows much more about computers than I do!&rdquo;</em>, so how to stay on top of what&rsquo;s going on?&quot; My experience suggests that many teachers (even some who spend at least some of their time teaching IT-related subjects) would probably also subscribe to the view that their students are more internet-savvy than they are. And all too many teenagers are convinced they know more about <em>everything </em>than their parents <em>and </em>their teachers. But are they more security-savvy?</p>
<p>There&#39;s a big difference between knowing your way round Facebook and being a computer science hotshot. (Bear in mind that the lowest age-groups here shouldn&#39;t even <em>have </em>a Facebook account.) And it&#39;s another big leap to being at home in the world of backdoor Trojans and buffer overflows. However, Urban suggests a number of countermeasures that are more common sense than technical knowledge, and I&#39;d consider it a parent&#39;s job to help younger children to develop those on-line life skills:</p>
<ul>
<li>Know (and discuss) the dangers. I&#39;d suggest that with younger children, learning about safety issues could be a family project where parents and children could learn from each other.</li>
<li>Issues such as piracy aren&#39;t just moral issues (important though moral issues are): they have dangerous practical implications, too.</li>
<li>The web (and especially social media sites) is about social interaction with people you or your children may never have met. The idea of Facebook as a paedophile&#39;s playground may be overstated, but it&#39;s not fiction.</li>
</ul>
<p>It&#39;s harder, in some ways, to keep your children safe online nowadays, than it was when my child was in this age-group: they&#39;re likelier to have their own computers and iGadgets (as we&#39;re never tired of reminding you, a smartphone <em>is </em>a computer, and more and more cellphones <em>are </em>smartphones), so it&#39;s not just a matter of locking down the family PC. But do you really want to leave it to your children to take care of their own safety? It&#39;s not just a matter of taking care of them, either: in a complex, interconnected online world, your child&#39;s online misadventures can have impact on you in ways you may never have thought of.</p>
<p>I think I may feel a blog series coming on.</p>
<p>David Harley CITP FBCS CISSP<br />
	ESET Senior Research Fellow</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.eset.com/2012/02/06/your-children-and-online-safety/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.eset.com/2012/02/06/your-children-and-online-safety</feedburner:origLink></item>
		<item>
		<title>Google responds to Android app Market security with stronger scanning measures</title>
		<link>http://feedproxy.google.com/~r/eset/blog/~3/u5Jq_1k5ckU/google-responds-to-android-app-market-security-with-stronger-scanning-measures</link>
		<comments>http://blog.eset.com/2012/02/03/google-responds-to-android-app-market-security-with-stronger-scanning-measures#comments</comments>
		<pubDate>Fri, 03 Feb 2012 19:44:31 +0000</pubDate>
		<dc:creator>Cameron Camp</dc:creator>
				<category><![CDATA[Android]]></category>
		<category><![CDATA[anti-malware]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Android Market]]></category>
		<category><![CDATA[apps]]></category>
		<category><![CDATA[bouncer]]></category>
		<category><![CDATA[Google bouncer]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[scanner]]></category>

		<guid isPermaLink="false">http://blog.eset.com/?p=11510</guid>
		<description><![CDATA[In response to recent reports that malicious apps may have made their way into the official Android Market, Google has responded by announcing a new program to more proactively scan the Market and developer accounts for seemingly malicious apps and highlight and/or remove them before users experience trouble.
Traditionally, the barriers of entry for developers in ... <a href="http://blog.eset.com/2012/02/03/google-responds-to-android-app-market-security-with-stronger-scanning-measures"><strong>Read More...</strong></a>]]></description>
			<content:encoded><![CDATA[<p>In response to recent reports that malicious apps may have made their way into the official Android Market, Google has responded by announcing a new program to more proactively scan the Market and developer accounts for seemingly malicious apps and highlight and/or remove them before users experience trouble.</p>
<p>Traditionally, the barriers to entry for developers in the Android ecosystem have been low when it comes to getting their apps placed in the official Market. This was by design, allowing Android to sprint past other smartphone platforms in adoption rates, since many apps that users wanted were likely to be there before they hit other platforms. The downside is that app authors choosing to bundle malicious or borderline malicious apps had an easier time with distribution.</p>
<p>By contrast, the iPhone ecosystem represented a more closed, vetted, and more expensive environment for developers to launch their apps. This resulted in steady growth, but the more rigid process of an app making it to their official App Store deterred the more unsavory app developers from spending the extra effort to circumvent controls. In short, it was easier to spread bad things, or borderline bad things on the Android smartphones.</p>
<p>The new effort, called Bouncer, aims to silently scan the marketplace for rogue and borderline apps, largely transparently to the user. When a new app upload is attempted by the developer, Bouncer will do a preliminary scan to determine whether it acts maliciously or is borderline.</p>
<p>Hiroshi Lockheimer, VP of Engineering, Android, explains in his <a href="http://googlemobile.blogspot.com/2012/02/android-and-security.html">blog</a> on the subject that the effort &ldquo;provides automated scanning of Android Market for potentially malicious software without disrupting the user experience of Android Market or requiring developers to go through an application approval process.&rdquo;</p>
<p>Bouncer aims to run each app in a simulated cloud-based environment to watch for malicious activity. It will also scan for changes in existing apps. If it detects that an app has changed, it will red-flag it for scanning, keeping existing apps (hopefully) more malware-free. Additionally, developers exhibiting a pattern of publishing malicious apps may be blacklisted. Is it working? In the second half of 2011, Mr. Lockheimer says &ldquo;we saw a 40% decrease in the number of potentially-malicious downloads from Android Market,&rdquo; so progress seems positive.</p>
<p>With an estimated 11 million apps available for Android, and a year-over-year growth rate of 250% according to Mr. Lockheimer, there&rsquo;s a lot of scanning to be done. But this also speaks toward the success and ubiquity of the platform, and perceived value to users. In that department, Android has done quite well indeed.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.eset.com/2012/02/03/google-responds-to-android-app-market-security-with-stronger-scanning-measures/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://blog.eset.com/2012/02/03/google-responds-to-android-app-market-security-with-stronger-scanning-measures</feedburner:origLink></item>
		<item>
		<title>TDL4 reloaded: Purple Haze all in my brain</title>
		<link>http://feedproxy.google.com/~r/eset/blog/~3/JFTc4vIC2Qk/tdl4-reloaded-purple-haze-all-in-my-brain</link>
		<comments>http://blog.eset.com/2012/02/02/tdl4-reloaded-purple-haze-all-in-my-brain#comments</comments>
		<pubDate>Thu, 02 Feb 2012 10:15:44 +0000</pubDate>
		<dc:creator>David Harley</dc:creator>
				<category><![CDATA[Aleksandr Matrosov]]></category>
		<category><![CDATA[David Harley]]></category>
		<category><![CDATA[Eugene Rodionov]]></category>
		<category><![CDATA[TDL4]]></category>
		<category><![CDATA[TDSS]]></category>
		<category><![CDATA[Win32/Olmarik]]></category>
		<category><![CDATA[Adobe Flash installer]]></category>
		<category><![CDATA[bypassing HIPS]]></category>
		<category><![CDATA[contagiodump]]></category>
		<category><![CDATA[dropper]]></category>
		<category><![CDATA[hidden file system]]></category>
		<category><![CDATA[Jimi Hendrix]]></category>
		<category><![CDATA[Mila]]></category>
		<category><![CDATA[Purple Haze]]></category>
		<category><![CDATA[Win32/Sirefef]]></category>
		<category><![CDATA[ZeroAccess]]></category>

		<guid isPermaLink="false">http://blog.eset.com/?p=11467</guid>
		<description><![CDATA[Update: Mila&#39;s own blog on the topic is now available here. Other vendors may find the MD5 useful:&#160;&#160; A1B3E59AE17BA6F940AFAF86485E5907. However, Mila reports that detection of the sample is already improving. 
Update 2: just to clarify, Aleksandr and Eugene should get the credit for the analysis, as is usual with our collaborations. I&#39;m just the scribe/editor ... <a href="http://blog.eset.com/2012/02/02/tdl4-reloaded-purple-haze-all-in-my-brain"><strong>Read More...</strong></a>]]></description>
			<content:encoded><![CDATA[<p><em>Update: Mila&#39;s own blog on the topic is now available <a href="http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html">here</a>. Other vendors may find the MD5 useful:&nbsp;<span style="color: black">&nbsp; A1B3E59AE17BA6F940AFAF86485E5907. However, Mila reports that detection of the sample is already improving. </span></em></p>
<p><em><span style="color: black">Update 2: just to clarify, Aleksandr and Eugene should get the credit for the analysis, as is usual with our collaborations. I&#39;m just the scribe/editor round here. <img src='http://blog.eset.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' />  </span></em></p>
<p><em><span style="color: black">Update 3: you can get ESET&#39;s stand-alone cleaner for Win32/Olmarik <a href="http://www.eset.com/download/utilities/detail/family/59/">here</a>. </span></em></p>
<p><em>[&nbsp;New data from my colleagues in Moscow.]</em></p>
<p>This week we received an atypical sample of Win32/Olmarik.AYD (TDL4) from Mila (of the <a href="http://contagiodump.blogspot.com/">contagiodump blog</a>). We have already spent a long time tracking the TDL4 bootkit family (<a href="http://go.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf">The Evolution of TDL: Conquering x64</a>) and this time we are seeing key modifications to the dropper and hidden file system. In the dropper we find some interesting mechanisms for privilege escalation: this is something we haven&rsquo;t seen before in Win32/Olmarik droppers. The first interesting discovery is that the dropper downloads and executes a legitimate Adobe Flash Player installer to be launched in the context of the &ldquo;trusted&rdquo; application. In November of last year Win32/Sirefef (ZeroAccess) <a href="http://blogs.mcafee.com/mcafee-labs/zeroaccess-rootkit-launched-by-signed-installers">used the same technique</a> to implement a DLL hijacking attack with the msimg32.dll module.</p>
<p>&nbsp;</p>
<p><a href="http://blog.eset.com/wp-content/media_files/01.png"><img alt="" class="alignnone size-full wp-image-11494" height="51" src="http://blog.eset.com/wp-content/media_files/01.png" title="0" width="677" /></a>This time TDL4 uses the ncrypt.dll module for implementing the attack and to install a bootkit on the system with trusted process privileges. We wonder how long this bug will be on our tail?</p>
<p>&nbsp;</p>
<p><a href="http://blog.eset.com/wp-content/media_files/91.png"><img alt="" class="alignnone size-full wp-image-11493" height="500" src="http://blog.eset.com/wp-content/media_files/91.png" title="9" width="674" /></a>The next interesting finding is its mechanism for escalating privilege using a <a href="http://www.pretentiousname.com/misc/win7_uac_whitelist2.html">COM Elevation technique trick on 64-bit systems</a>.</p>
<p>&nbsp;</p>
<p><a href="http://blog.eset.com/wp-content/media_files/86.png"><img alt="" class="alignnone size-full wp-image-11492" height="237" src="http://blog.eset.com/wp-content/media_files/86.png" title="8" width="813" /></a>Everyone remembers the trick for bypassing HIPS with the AddPrintProvidor() WinAPI <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/dd183349(v=vs.85).aspx">function</a>, but this time the technique relies on a new function <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/dd183341(v=vs.85).aspx">AddMonitor()</a> for loading the malicious module in the address space of the trusted system process.</p>
<p>&nbsp;</p>
<p><a href="http://blog.eset.com/wp-content/media_files/77.png"><img alt="" class="alignnone size-full wp-image-11491" height="260" src="http://blog.eset.com/wp-content/media_files/77.png" title="7" width="626" /></a>The names of all stored modules have been changed in the hidden file system. The hidden container is now stored without encryption. This modification may have been made in order to bypass cleaning and detection algorithms in security software.</p>
<p>&nbsp;</p>
<p><a href="http://blog.eset.com/wp-content/media_files/FSImage_Initialization1.png"><img alt="" class="alignnone size-full wp-image-11490" height="193" src="http://blog.eset.com/wp-content/media_files/FSImage_Initialization1.png" title="FSImage_Initialization" width="882" /></a>Next, some small changes have been made to the fake kdcom.dll module (Win32/Olmarik.AWO): before this update the malicious driver was loaded in a modified KdDebuggerInitialize1() using the ExQueueWorkItem() system function, in order to create the <a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff564587(v=vs.85).aspx">system worker thread</a> and give control to the malicious routine.</p>
<p>&nbsp;</p>
<p><a href="http://blog.eset.com/wp-content/media_files/310.png"><img alt="" class="alignnone size-full wp-image-11489" height="136" src="http://blog.eset.com/wp-content/media_files/310.png" title="3" width="622" /></a>In the latest version the modified KdDebuggerInitialize1() function call straightaway sets a notify routine. It&rsquo;s possible that this modification is also intended to bypass static signature detection by security software.</p>
<p>&nbsp;</p>
<p><a href="http://blog.eset.com/wp-content/media_files/414.png"><img alt="" class="alignnone size-full wp-image-11488" height="74" src="http://blog.eset.com/wp-content/media_files/414.png" title="4" width="422" /></a>The new name for the configuration file is &ldquo;Purple Haze&rdquo;, on account of the inclusion of a header string from the song of the same name by Jimi Hendrix. :)</p>
<p><a href="http://blog.eset.com/wp-content/media_files/211.png"><img alt="" class="alignnone size-full wp-image-11476" height="69" src="http://blog.eset.com/wp-content/media_files/211.png" title="2" width="101" /></a></p>
<p>Only one encrypted file is stored in the hidden file system, the file containing C&amp;C domain names. The encryption algorithm used is RC4 with the constant key &ldquo;phs [file name of encrypted file]&rdquo;.</p>
<p>&nbsp;</p>
<p><a href="http://blog.eset.com/wp-content/media_files/56.png"><img alt="" class="alignnone size-full wp-image-11487" height="29" src="http://blog.eset.com/wp-content/media_files/56.png" title="5" width="969" /></a>And finally, we would like to mention a string constant applied to the pdb file path within compiled modules. We have already written (<a href="http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper">Evolution of Win32Carberp: going deeper</a>) about how this string can disclose some information about the project paths on the developer&rsquo;s computers. This time, however, the developer has used randomly generated names for his projects.</p>
<p>&nbsp;</p>
<p><a href="http://blog.eset.com/wp-content/media_files/112.png"><img alt="" class="alignnone size-full wp-image-11484" height="112" src="http://blog.eset.com/wp-content/media_files/112.png" title="1" width="955" /></a>I foresee a whole bunch of Hendrix song titles in forthcoming security blogs...</p>
<p><strong>Aleksandr Matrosov<br />
	Eugene Rodionov<br />
	David Harley</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.eset.com/2012/02/02/tdl4-reloaded-purple-haze-all-in-my-brain/feed</wfw:commentRss>
		<slash:comments>4</slash:comments>
		<feedburner:origLink>http://blog.eset.com/2012/02/02/tdl4-reloaded-purple-haze-all-in-my-brain</feedburner:origLink></item>
		<item>
		<title>CarrierIQ-style data gathering law to require mandatory notification/opt-in?</title>
		<link>http://feedproxy.google.com/~r/eset/blog/~3/g9mmskfA8ac/carrieriq-style-data-gathering-law-to-require-mandatory-notificationopt-in</link>
		<comments>http://blog.eset.com/2012/02/01/carrieriq-style-data-gathering-law-to-require-mandatory-notificationopt-in#comments</comments>
		<pubDate>Wed, 01 Feb 2012 23:55:05 +0000</pubDate>
		<dc:creator>Cameron Camp</dc:creator>
				<category><![CDATA[Android]]></category>
		<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[Android malware]]></category>
		<category><![CDATA[CarrierIQ]]></category>
		<category><![CDATA[Mobile Device Privacy Act]]></category>
		<category><![CDATA[opt-in notifications]]></category>
		<category><![CDATA[rootkit]]></category>

		<guid isPermaLink="false">http://blog.eset.com/?p=11460</guid>
		<description><![CDATA[As legislators grapple with increasingly vocal smartphone owners concerned with privacy, a new Bill before the U.S. House of Representatives aims to require mandatory consumer consent prior to allowing the collection or transfer of data on such devices.
You may recall that a company called CarrierIQ recently became the center of attention after a user found ... <a href="http://blog.eset.com/2012/02/01/carrieriq-style-data-gathering-law-to-require-mandatory-notificationopt-in"><strong>Read More...</strong></a>]]></description>
			<content:encoded><![CDATA[<p>As legislators grapple with increasingly vocal smartphone owners concerned with privacy, a new Bill before the U.S. House of Representatives aims to require mandatory consumer consent prior to allowing the collection or transfer of data on such devices.</p>
<p>You may recall that a company called CarrierIQ recently became the center of attention after a user found their application quietly installed on his Android, seemingly behind the scenes. He characterized the software as a rootkit, because it seemed to be capturing low-level information as it was being entered by the user, and was there without his knowledge. The story grabbed its share of the headlines. Later, as CarrierIQ explained in more detail what their software did and for whom&#8211;gathered diagnostic data for mobile carriers&#8211;some of the headlines subsided.</p>
<p>But the whole CarrierIQ incident raised concerns among the public about what else might be going on behind the scenes on their Androids, iPhones, and other mobile devices. Naturally, users want to know and understand what is being collected, by whom, and what was being done with Personally Identifiable Information (PII) often found on mobile devices. And a lot of people want a requirement in place that capture and/or transfer of such data only happens with their explicit consent.</p>
<p>This has prompted lawmakers to take note. Now Democratic Representative Edward Markey has drafted a &ldquo;<a href="http://markey.house.gov/sites/markey.house.gov/files/documents/Mobile%20Device%20Privacy%20Act%20--%20Rep.%20Markey%201-30-12_0.pdf">Mobile Device Privacy Act</a>&rdquo; and placed it before the House, where it will begin the protracted journey toward becoming law. This can be a lengthy process, but it sends a signal to the industry that legislation may be coming. Whether this particular iteration of the bill becomes a law remains to be seen, but expect more activity surrounding privacy protection and security for the smartphone ecosystem going forward.</p>
<p>In the meantime, it&rsquo;s a good idea to take your smartphone security into your own hands by being careful what apps you install, and where they came from. Since your Android (or other smartphone) packs such an amazing amount of processing power, it acts more and more like the traditional OS you have on your laptop. Because malware authoring is a numbers game, expect more malware to be released as the platform&rsquo;s adoption increases in the coming months. Also, some security vendors are releasing security suites for various smartphone platforms (<a href="http://www.eset.com/us/home/products/mobile-security/">ESET included</a>), for those who prefer an always-on solution to keep an eye on the security of their devices. In the end, though, there&rsquo;s no substitute for keeping your eyes open for scams and protecting yourself through your own awareness.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.eset.com/2012/02/01/carrieriq-style-data-gathering-law-to-require-mandatory-notificationopt-in/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://blog.eset.com/2012/02/01/carrieriq-style-data-gathering-law-to-require-mandatory-notificationopt-in</feedburner:origLink></item>
		<item>
		<title>How to improve Facebook account protection with Login Approvals</title>
		<link>http://feedproxy.google.com/~r/eset/blog/~3/f7-jkNYKU1U/how-to-improve-facebook-account-protection-with-login-approvals</link>
		<comments>http://blog.eset.com/2012/02/01/how-to-improve-facebook-account-protection-with-login-approvals#comments</comments>
		<pubDate>Wed, 01 Feb 2012 15:30:49 +0000</pubDate>
		<dc:creator>Stephen Cobb</dc:creator>
				<category><![CDATA[Facebook]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[account]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[Login Approval]]></category>
		<category><![CDATA[out of band]]></category>

		<guid isPermaLink="false">http://blog.eset.com/?p=11411</guid>
		<description><![CDATA[Privacy and security issues have generated a lot of criticism of Facebook in the past, some of which has been published here on the ESET Threat Blog. So it is only fair that we give Facebook credit for positive steps it has taken on the security front. One security measure that has impressed me recently ... <a href="http://blog.eset.com/2012/02/01/how-to-improve-facebook-account-protection-with-login-approvals"><strong>Read More...</strong></a>]]></description>
			<content:encoded><![CDATA[<p>Privacy and security issues have generated a lot of <a href="http://blog.eset.com/?s=facebook">criticism of Facebook</a> in the past, some of which has been published here on the ESET Threat Blog. So it is only fair that we give Facebook credit for positive steps it has taken on the security front. One security measure that has impressed me recently is Login Approvals, a feature which improves your ability to protect your Facebook account from persons with less than honorable intentions.</p>
<p>When you activate Login Approvals and Login Notifications on your Facebook account&#8211;using the steps listed below&#8211;you are required to give a name to any device you use to access Facebook. This enables Facebook to notify you whenever a new device logs into your Facebook account, using an email like this:</p>
<p><img alt="" class="alignnone size-full wp-image-11433" height="354" src="http://blog.eset.com/wp-content/media_files/facebook-login-notification-01.jpg" style="" title="facebook-login-notification-0" width="542" /></p>
<p>In this case, I was setting up Facebook access on my new Kindle Fire tablet. As you can see, I was doing this in San Diego on New Year&#39;s Day. Note that Facebook provides a link to click if you do not recognize the device as one you have approved. The approval of a new device requires a one-time security code that Facebook sends to your mobile phone as a text message. Here&#39;s what that looked like on my iPhone (yes, that&#39;s my dog in the background).</p>
<p><a href="http://blog.eset.com/wp-content/media_files/fb-la-iphone.png" rel="" style="" target="" title=""><img alt="" class="size-medium wp-image-11446 alignleft" height="300" src="http://blog.eset.com/wp-content/media_files/fb-la-iphone-200x300.png" style="" title="fb-la-iphone" width="200" /></a>To register the Kindle Fire as an approved device on my Facebook account I had to enter the code from the SMS message when prompted to do so by Facebook on the Kindle.</p>
<p>In computer security we call this technique &quot;out of band authentication&quot; because credentials are supplied through a different communication channel or band from the system to which you are authenticating. While out of band authentication is not impossible to defeat, it adds a significant hurdle to someone trying to compromise your account.</p>
<p>Suppose I had received the email above but did not recognize the device name and/or location. I would then be able to investigate what was happening and take steps to protect my account (you can choose to get notifications via email or SMS or both).</p>
<p>Setting up Login Approval on Facebook is relatively straightforward once you know it is there. The only prerequisite is that you have a mobile phone registered to your Facebook account (something you can do in your Account Settings). The following diagram shows you the steps required to activate Login Approvals. After activation you will be prompted to approve each of your devices the next time you use them to access Facebook. You should also make sure that the Login Notifications setting is enabled. &nbsp; <img alt="" class="alignnone size-full wp-image-11443" height="840" src="http://blog.eset.com/wp-content/media_files/fb-la-collage.png" title="fb-la-collage" width="688" /></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.eset.com/2012/02/01/how-to-improve-facebook-account-protection-with-login-approvals/feed</wfw:commentRss>
		<slash:comments>4</slash:comments>
		<feedburner:origLink>http://blog.eset.com/2012/02/01/how-to-improve-facebook-account-protection-with-login-approvals</feedburner:origLink></item>
	</channel>
</rss>

