In the video I take a closer look at one example, DarkComet RAT, the capabilities of which include using the victim's webcam and microphone to spy on them. This capability was recently added to another piece of modular, point-and-click malware–SpyEye–as described in a recent story in PC World.

The video is an expanded recording of a slide presentation I gave several times at Interop in Las Vegas earlier this month and includes a description of the role that antivirus software can play in defeating this type of malware. After the presentations I had numerous requests for copies of the slides from people who wanted to use them in their own security awareness programs. I was happy to oblige because I think that seeing these pictures will have more impact on employees and executives than reading yet another article that merely states: "malware infections are to be avoided because they can compromise data." That statement is true but sometimes you need to see something to take it to heart.

Note that ESET products detect SpyEye as Win32/Spy.SpyEye and Dark Conet RAT as Win32/Fynloski. If you think your Windows computer is infected with either of these pieces of malware or any other malicious code or spyware you might want to scan it with ESET's Free Online Scanner.

The Infosecurity Magazine article is here: AMTSO has credibility gap for anti-virus testing standards

Whether AMTSO's  new executive team will agree, is another question. I look forward to seeing how that initiative pans out.

But for myself, I continue to consider it essential for AMTSO – or an organization including or replacing it – to have better credibility than it does right now: if this initiative fails, testing is, in my eyes, close to useless because there will be no impartial authority to hold testers to account for the accuracy of their conclusions, and in the long run that will hurt their credibility. Hat tip to @imaguid for forcing me to crystallize that thought, unpalatable though it is.

David Harley  CITP FBCS CISSP
ESET Senior Research Fellow

It always comes at somewhat of a surprise, though, when we hear about something as old-fashioned as a phone solicitation scam that involves a different pitch. I myself, though, became far less enamored after receiving the call for the third time.

Sorry, Wrong Number

Over the past month, I have received several automated telemarketing calls from "John" of "Political Opinions of America." What robo-John wanted me to do was to take a "short, thirty second research survey." In exchange for that half -minute of my time, though, I would be granted a free two-day cruise for two people to the Bahamas.

The first time this happened to me was on Thursday, April 24th at 5:24PM. The Caller ID on my cell phone displayed a number of +1 (503) 468-5989, and when I picked it up, I heard the automated system tell me that I had been randomly selected to answer five political questions, that it would take less than thirty seconds to do so, and that in exchange for my efforts I would receive my free trip to the Bahamas. By mashing buttons on my phone I was able to make it through the survey in order to get transferred to a "travel fulfillment specialist" to assist me with my reward.  All this did, though, was to play several call hold announcements before disconnecting the call.

I received two more calls from the scammers, though, this time while at work. I did not pick up the calls, though, so you can listen to the messages they left in my inbox here:

04/26/2012 09:14AM from +1 (503) 468-5144 [link to WAV file] [link to MP3 file]

05/02/2012 17:23PM from +1 (206) 496-0951 [link to WAV file] [link to MP3 file]

Searching on these phone numbers returns many results reporting scams, telemarketers and fraudulent activity.

Likewise, searching on Political Opinions of America also returns many interesting search results.  They even have a web site, although I would not recommend visiting it as it may be unsafe to do so.  Here’s what it looks like:

Although it may be difficult to read from the above image (and, again, I do not want to link directly to their web site), it is littered with the sorts of grammatical mistakes one typically associates with phishing and other scam web sites.  Others "tells" that show that there is something wrong with this "telephone surveyor" include:

• The domain’s contact information is obscured through Domains by Proxy, a service which hides the legitimate owner of a domain name.  While privacy on the Internet is an important issue, one would think that any legitimate business would have its contact information listed prominently in their domain registration information.
• There is no address, telephone number, press releases, client list or any of the other kinds of information a reputable survey organization would have on its web site in order to promote itself and generate further business. 

A Scam Within a Scam?

So what exactly is the scam?  Well, according to some reports, it is to generate sales for cruises in the Caribbean; however, according to the law firm of Shapiro Haber & Urmy,  people don’t even get their cruises:  The law firm claims that instead, the lucky survey recipients receive… pitches for vacation timeshares.

The “quick survey” in front of the sales pitch seems to be geared to get around the FTC’s rules on telemarketers, which still allow for calls from political organizations, charities and telephone surveyors, although they have to be introduced by a live person and not a recording.  That does not seem likely to stop the above law firm from following through, though, and is not likely to impress the Federal Trade Commission.

Outfoxing the wily telephone scammer

As with any phone scam, there are a few actions you can take:

1. To prevent “reputable” telemarketers from contacting you, register your phone numbers in the National Do Not Call database.  While this does not prevent all telemarketing calls, it will reduce the amount you receive, and you can try requesting to any of the remaining callers to put your phone number on their “do not call” list.
2. Hang up.  As simple as it seems, the quickest way to end a call from a phone scammer is to get off the call by hanging up.  You may continue to receive repeat calls, though.
3. Don’t hang up.  Depending upon the amount of free time you have, you may choose to engage in dialog with a phone scammer.  Some people make an art of such “scambaiting,” seeing how long they can keep the telemarketer on the phone call.  While it is not clear if this will prevent you from receiving repeat calls, it does mean they won’t be making any money for the time they spend with you on the phone.

While phone scams have become less frequent, they have not disappeared in the Internet age, and many modern technologies and services (VoIP, overseas call centers and so forth) make it less expensive for scammers to reach out and touch someone by phone.

Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher

 In a recent blog I linked to my recent EICAR paper on AMTSO, but I also referred to an upcoming AMTSO workshop (last week in Munich, which explains the entirely gratuitous photograph taken at the Weihenstephan brewery) in which I anticipated a great deal of discussion about future directions.

Having returned a few days ago from that workshop, I put my first reactions to those discussions in an article for SC Magazine's Cybercrime Corner called AMTSO turns pro, which was put up today.

I've also updated the AMTSO resources page and the AMTSO blog's slightly different resources page to include not only that EICAR paper, but also some earlier resources, as described on the AMTSO blog Resources updates.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

1. Go to www.twitter.com in your web browser and make sure you are logged in.

2. Click on the tiny inverted triangle just to the right of the head-and-shoulders icon on the right of your browser window (circled in red in the screenshot on the right).

3. Choose Settings from the drop-down menu.

4. Scroll down to the Personalization setting (marked by the yellow arrow on the right). Make sure the box labeled "Tailor Twitter based on my recent website visits" is not checked/ticked.

5. Click "Save changes" and you are done.

If you are already at your browser and logged-in to Twitter then you can click here to go direct to your Settings page.

Note that you do lose something if you turn off "Tailor Twitter based on my recent website visits". One use of the information collected and stored by Twitter when this Setting is turned on makes possible a Twitter feature that suggests people for you to follow based on them being "frequently followed by other Twitter users that visit the same websites."

There is a simple logic to this feature: If you allow us (Twitter) to track which sites you and other Twitter users visit then we can find people who tend to visit the same websites. So, if you have trouble finding people to follow on Twitter then this feature could be helpful. What you give to Twitter in order to get this feature is a lot of data about your web surfing habits, data that has value because some marketing companies would pay to get it, or Twitter could use it to tailor other content to you, like adverts.

The choice is yours, and I respect Twitter for making that Choice fairly clear in its documentation of this feature. As I have noted in previous posts, Choice is part of the second of the Fair Information Practice Principles which were drawn up to guide companies on the handling of personal information. Whether or not Twitter is doing a good job on the first principle, Notice/Awareness, is up to you to decide. For example, did you know that Twitter might be tracking your visits to websites within what it calls the "Twitter ecosystem"?

Do Not Track Preferences and Settings

The "Twitter ecosystem" is defined as websites "that have integrated Twitter buttons or widgets". Twitter says that using the Do Not Track (DNT) feature in your web browser will block Personalization tracking within the Twitter ecosystem, in addition to blocking other cross-site tracking.

Note: You can read about Do-not-track in Firefox, in Google Chrome, and in Internet Explorer 9, The DNT feature is available in some versions of Safari (this link might be helpful). Use the following link to see if your browser has a Do Not Track preference currently in effect.

Bear in mind that Do Not Track only works when websites install the DNT code. Twitter recently joined the DNT crowd, which includes Yahoo, when it confirmed that it will support the standard. This distinguishes Twitter from Facebook and Google which do not (yet) honor the DNT settings in your browser.

Also bear in mind that DNT is browser and device specific. So, if you log into Twitter on a friend's computer and their browser does not have DNT turned on, and you have left the Twitter Personalization turned on, Twitter may be able to track the Twitter ecosphere websites that you visit.

On the right you can see a screenshot of a free browser add-on called Do Not Track Plus which displays the tracking activity which happens when you visit some websites, in this case when you visit huffingtonpost.com (very similar results are seen at cnn.com).

Eco-tracking vs. cross-site tracking vs. on-site tracking

I am inclined to use the term "eco-tracking" to describe the button-and-widget based-tracking that Twitter uses to personalize "Follow" recommendations. This is just like tracking which is done by other companies such as Facebook and Google whose buttons and widgets have been installed on a large number of websites to form these various branded "ecosystems." (There is a short video by Brian Cooley on CNET that might help you understand this eco-tracking.) Note that this is very different from the "tracking" that a single website does when you visit. For example, when you shop at an online store like QVC.com or amazon.com those site may track many things, such as which products you look at, for internal purposes. Think of this "internal" tracking as a shopkeeper paying attention to a customer in her store.

Eco-tracking is a bit like the shopkeeper following you around the mall to see which other stores you visit. And third party, cross-site tracking used by ad networks and data brokers is like someone tailing you all the time, even when you leave the mall and go to the library or anywhere else. While eco-tracking is arguably less invasive than third party tracking, eco-tracking is still aggregating a lot of data about your surfing habits and this raises the issue of trust.

Companies can say that they don't share the data, or that they do anonymize it, or that they delete it after X number of days, but you have to trust that's true and will remain true. As in other areas of life, trust needs to be earned. One way to earn trust is to be open about what you are doing and Twitter seems keen to take this approach.

Of course, the Internet is ever-changing and you may be familiar with the Russian phrase that Ronald Reagan liked to quote: Trust, but verify. When it comes to multi-billion dollar Internet companies, the trust part is up to you, but we will do our best to help you with the verify part.

Sending messages designed to trick the recipients into clicking on a deceptive link was once reserved for fake but real-looking scam emails trying to fool users into visiting malicious sites on their PC, but scammers have realized there are (on average) far fewer protections on smartphones, and no small number of potential victims.

It had to happen, just a few years back you only used your mobile phone to make calls, but now it’s become much more. For everything from surfing the web, to sending emails, viewing videos and listening to music, your mobile device is more like a computer that just happens to make phone calls. It also happens to contain a lot of your personal information, making it readily available.

If a scammer can trick you into visiting a malicious site that attempts to get you to install malicious snooping or premium-rate SMS apps which may be wrapped around legit apps, that may just be the beginning of trouble. Many users wouldn’t notice an app silently sending premium-rate SMS texts to some far-flung country, until they got the bill. But things can get dicey when you try to convince your cell provider to reverse the charges. And the app you downloaded may look and function the same as the legitimate app by the same name, so you’d be none-the-wiser, at least at first.

In our example above you can see the domain name looks legit, until you realize that the end of the URL belongs to a website very different from Wal-Mart. But if you’re in a hurry would you spot this?

Of course, one thing we should note in this example: it’s extremely unlikely that Wal-Mart has suddenly decided to dole out $1000 gift cards to a lucky few. This one even creates a fake sense of urgency by claiming you’d better act before the remaining 161 are claimed. Sound fishy (pun intended), but hey, these things propagate because similar SMSishing campaigns worked, and the numbers seem to be growing. With falling rates for sending SMS texts these days, and an increasing number of target smartphones, there is an attractive and target-rich environment for cyber-scammers.

Defending Against Smish

So what can you do to protect yourself? The first thing I suggest is restricting your mobile app downloading to the official marketplace for your device, not some third party website. The official marketplace portals, such as Google play for Android, increasingly have scanners in place to detect and remove malicious or scam apps, giving you a margin of safety.

Also, in the same way it’s not a good idea to just click on email links without thinking, you should think twice about clicking on SMS text links before you do. It’s easy enough to open a link in your mobile browser and navigate directly to the website in question – without following the link.

You might also want to lock down your device using its security setttings or even install security software that can spot scams before you fall for them. If you beef up your security on the device, it will help reduce the access potential scammers have to your personal information, and make you a tougher target to exploit – via SMSishing or any of a variety of other scams that are targeting mobile devices.

FYI: ESET Mobile Security for Android is now available through the Google play store.

I mention that paper because it makes for an interesting contrast with the paper I presented last week at EICAR 2012. Since the new paper is very much focused on AMTSO, I guess EICAR has got over its sensitivity to 'advertising' the other non-profit organization.  (And in fact, there has been a fair amount of subsequent and rational discussion between individuals involved with both organizations.) Though I have to admit that it lacks some of the optimism of the earlier paper –  unsurprisingly, given that an awful lot has happened in and to AMTSO in the interim. But it feels like a good time to ask whether AMTSO still has enough credibility to achieve substantially more than it already has. Can the organization go beyond the substantial repository of resources it’s already compiled, to resume monitoring and commenting on tests and testers? (The short answer is probably, but not all by itself, and in any case we'll have more idea about future directions after the discussions at the workshop that begins today: watch this blog for more information.)

Here’s the abstract for the new paper:

After AMTSO: a funny thing happened on the way to the forum

Imagine a world where security product testing is really, really useful.

• Testers have to prove that they know what they’re doing before anyone is allowed to draw conclusions on their results  in a published review.
•  Vendors are not able to game the system by submitting samples that their competitors are unlikely to have seen, or to buy their way to the top of the rankings by heavy investment in advertising with the reviewing publication, or by engaging the testing organization for consultancy.
• Publishers acknowledge that their responsibility to their readers means that the claims they make for tests they sponsor should be realistic, relative to the resources they are able to put into them.
• Vendors don’t try to pressure testers into improving their results by threatening to report them to AMTSO.
• Testers have found a balance between avoiding being unduly influenced by vendors on one hand and ignoring informed and informative input from vendors on the other.
• Vendors don’t waste time they could be spending on enhancing their functionality, on tweaking their engines to perform optimally in unrealistic tests.
• Reviewers don’t magnify insignificant differences in test performance between products by  camouflaging a tiny sample set by using percentages, suggesting that a product that detects ten out of ten samples is 10% better than a product that only detects nine.
• Vendors don’t use tests they know to be unsound to market their products because they happened to score highly.
• Testers don’t encourage their audiences to think that they know more about validating and classifying malware than vendors.
• Vendors and testers actually respect each others work.

When I snap your fingers, you will wake out of your trance, and we will consider how we could actually bring about this happy state of affairs.  For a while, it looked as if AMTSO, the Anti-Malware Testing Standards Organization, might be the key (or at any rate one of the keys), and we will summarize the not inconsiderable difference that AMTSO has made to the testing landscape. However, it’s clear that the organization has no magic wand and a serious credibility problem, so it isn’t going to save the world (or the internet) all on its own. So where do we (the testing and anti-malware communities) go from here? Can we identify the other players in this arena and engage with them usefully and appropriately?

And here’s the abstract for the earlier paper.

Who Will Test The Testers? (2008 Abstract)

The anti-malware industry has been plagued since its earliest days by one poorly designed comparative test after another. In 2007, some of the best anti-malware researchers, comparative testers and product certification specialists took the first steps towards raising product testing standards with the formation of a group specifi cally focused on establishing standards and methodologies, educating both consumers and testers in discrimination between good and bad practice, and providing objective analyses of current testing practices. This paper summarizes current initiatives by the Anti-Malware Testing Standards Organization and other groups, but also considers next steps, going beyond objectifying methodology, educational issues and blowing away the fog of misinformation and fallacy, to the next level. Underlying these vital issues is a question: is it possible to make testers and certifying authorities more accountable for the quality of their testing methods and the accuracy of the conclusions they draw based on that testing?

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

A few months ago we highlighted Facebook security settings and how to enable various protections. In this post, we delve more into granular control of your data privacy. By ratcheting down your privacy settings, you can have more control over who can get to your data, helping to keep your social networking experience positive, and potentially preventing problems before they occur.

Protect Yourself

When you log into your account, you can view or modify your privacy settings on a pulldown menu under “Home” on the top right of the page. Here’s what mine looks like:

When you get to the Privacy landing page, you might notice your default settings are set to “Public”, here we update them.

Notice this is targeted at your default sharing options, you can also change them for specific items on the site by using the inline audience selector, but here it’s a good idea to select “Custom” and specify what fits your needs, here’s what’s shown by default:

That’s a little too public for many, so I make the default visibility to “Only Me”, keeping in mind that you can use the inline audience selector to widen the audience of particular data you want to share, but if you don’t, the default will be to keep it more private.

Notice you can also explicitly list people or lists you DON’T want to share things with, a sort of data sharing blacklist, which you may find useful if you opt to share with others but want to restrict certain aspects more granularly. If you select this option you are also presented with a note saying:

That means if you tag someone in a photo, for example, they will be able to view the photo, even though you don’t explicitly opt to share it.

Now let’s look at ways other people can access your profile information. We start by selecting the “Edit Settings” link back on the Privacy Settings page:

The default settings show “Everyone”, shown below:

These default settings are a little too permissive for my tastes, so I ratchet them down like this:

This setting keeps my profile a little more private. Back at the Privacy home page, let’s take a look at “Profile and Tagging” to control how information gets tagged and shared:

Here we can ratchet down who can post to your wall, who can see posts tagged in your profile, and so on. Below is the default:

I would prefer to restrict more content to friends only, so I change it to reflect that preference:

Also, you might want to control who can tag you in their content by enabling “Review posts friends tag you in before they appear on your profile” if you choose to restrict that.

Next we restrict past post visibility, which is a good idea if you’ve had a lot of posts in the past, and you’d prefer more granular control over how that information is shared:

When you edit this section, you are presented with a screen warning you about restricting past posts, warning that since it’s a global change, you may also choose to just restrict specific posts, rather than across your whole profile. Continue past this warning by selecting “Limit Old Posts.” You will be asked to confirm this choice, warning that this change may not be easy to undo.

Next we take a look at “Blocked People and Apps”, a sort of blacklist for specific functionality:

Click on “Manage Blocking” link, which opens the following dialog box:

This functionality can come in handy if you have been getting unwelcome interactions from someone on your friend list. Also, note that once you add a user to your Restricted List, they aren’t notified of the change, which is handy for dealing with potentially pestering friends wanting to know why you’ve changed your settings.

Summary

These are some of the basic protections that will help control the data sprawl of your private information. Of course, Facebook updates its security and privacy settings on fairly regular intervals, so we will provide updates from time-to-time. In combination with our earlier security post, this privacy primer should go a long way toward keeping your social networking safer and prevent problems with your personal data spreading further than you planned or expected. If you find this post helpful, or have any Facebook privacy tips you'd like to share, please let us know in the Comments below.

Below the list are some additional strategies and one example of what not to do with your laptop and your car, wherever you happen to be driving. If you have more suggestions we would love to hear them. Please use the Comment section below to share.

1. Make sure your operating system and antivirus software are updated before you go on the road.
2. Backup your data before you head out (and store the backup in a safe place).
3. Consider leaving some data behind or move sensitive data from your laptop hard drive to an encrypted USB stick.
4. Make sure you have password protection and inactivity timeout engaged on all devices including laptops, tablets, and smartphones.
5. If possible, only use reputable hotel Internet service providers (ask the hotel who their provider is before you book).
6. If the hotel Internet asks you to update software in order to connect, immediately disconnect and tell the front desk.
7. If you use hotel Internet to connect to your company network use a VPN.
8. Do not use WiFi connections that are not encrypted with WPA (avoid WEP encrypted connections which are easily hacked).*
9. Consider getting a 3G or 4G hotspot and using that instead of hotel Internet.
10. Avoid online banking and shopping while on any hotel or public Internet connection.
11. Disable pop-ups in your web browser.

Bonus tip #1: If you are on the road and suspect that your Windows laptop has become infected you can get a free online scan from ESET.

Bonus tip #2: Don't assume your laptop is safe from malware when traveling just because it is a Mac. Consider installing a reputable antivirus product, for example, you could install a free 30-day trial of ESET Cybersecurity for Mac OS X before you head out on your travels.

What not to do when on the road with your laptop

Do not park your car and then place your laptop in the trunk. Place your laptop in the trunk before you reach the place you are going be parking.

The reason? Someone who sees you place a computer in the trunk and then walk away from the vehicle knows the car is worth breaking into or stealing. A former colleague learned this the hard way in Venice Beach in 1996, back when a high-end laptop could cost over three grand.

WEP/WPA? How to know which encryption scheme an access point offers

If you are using a Windows 7 laptop you can see the encryption type for any available access point when you display the list of access points from the network icon in the Taskbar (typically lower right of the screen). You may have to hover over the point in the list to see the information.

If you are using a MacBook you can Option-Click the Airport icon for a list that will display the encryption type of your current connection and, on hover, other connections, as shown on the right.

(With many thanks to Aryeh Goretsky and Cameron Camp for their contributions to the tip list.)

According to statistics from M86 Security Labs, Win32/Festi is one of the three most active spam botnets in the world. Thanks to plugin modules that we describe in our analysis Win32/Festi is also capable of being used for distributed denial of service (DDoS) attacks. The malware's kernel-mode driver implements backdoor functionality and is capable of:

1. Updating configuration data from the C&C (command and control server);
2. Downloading additional dedicated plugins.

As show in the diagram on the right, the Win32/Festi kernel-mode driver periodically contacts the C&C server and requests plugins and configuration information. The downloaded plugins perform the bot’s main tasks, such as sending spam.

In an interesting twist, these plugins are kernel-mode drivers which aren’t saved on any storage device in the system and are volatile in memory. Thus, when the infected computer is switched off or rebooted, which a victim might do if they sense something is wrong with their system, the plugins vanish from system memory. This makes forensic analysis of the malware significantly harder since the only file stored on the hard drive is the main kernel-mode driver, and this contains neither the payload nor information regarding which sites to attack or target with spam.

Each plugin is dedicated to performing certain kinds of work such as performing DDoS attacks against a specified network resource or sending spam. The plugins communicate with the main driver through a well-defined interface which we have documented in our white paper.

Another interesting aspect of Win32/Festi that we describe in our analysis is the malware's ability to bypass personal firewalls and HIPS systems that may be installed on the infected machine. To communicate with C&C servers and send spam and perform DDoS attacks, Win32/Festi relies on a TCP/IP stack implemented in Microsoft Windows OS in kernel-mode. However, the bot uses a custom implementation of the ZwCreateFile system service to send IRP requests directly to the transport driver.

Other evasive techniques that Win32/Festi employs include detecting whether it is running inside a VMware virtual machine and checking for the presence of a kernel debugger. We describe these in our detailed Win32/Festi analysis (.pdf).

Eugene Rodionov, Malware Researcher
Aleksandr Matrosov, Security Intelligence Team Lead