ESET Cyber Threat Trend Report. India & GlobeQuarter I, 2012Table of ContentsTHE TOP TEN THREATS IN INDIA, QUARTER I, 2012 2TOP THREATS (INDIA) IN BRIEF 3THE TOP TEN THREATS (GLOBAL) 5TOP THREATS (GLOBAL) IN BRIEF: 6SIZING UP THE BYOD SECURITY CHALLENGE 8WIN32/CARBERP GANG ON THE CARPET 10CARBERP: THE RUSSIAN TROJAN BANKER NOW AIMS FACEBOOK USERS 11FROM GEORGIA WITH LOVE: WIN32/GEORBOT INFORMATION STEALING TROJAN AND BOTNET 12FAKE SUPPORT, AND NOW FAKE PRODUCT SUPPORT 13SUPPORT SCAMMERS (MIS)USING INF AND PREFETCH 15RECENT ESET PUBLICATIONS IN INDIA 17ABOUT ESET 18ADDITIONAL RESOURCES 18
TOP Threats (India) in brief: 4. Win32/Ramnit.A.1. INF/Autorun.gen. Win32/Ramnit.A is a file infector. Files are infected by adding a newA detection for autorun.inf files that may be used by worms when section that contains the virus. The virus acquires data andspreading to local, network, or removable drives. commands from a remote computer or the Internet. It can executeWhen copying themselves to a drive, these worms also create a file the following operations: capture screenshots, send gatherednamed autorun.inf in the root of the targeted drive. The information, download files from a remote computer and/or theautorun.inf file contains execution instructions for the operating Internet, run executable files, shut down/restart the computer.system which are invoked when the drive is viewed using WindowsExplorer, thus executing the copy of the worm. 5. LNK/Autostart.A Exploit:Win32/CplLnk.A is a generic detection for specially-crafted,2. HTML/ScrInject.B.Gen malicious shortcut files that exploit the vulnerability that is currentlyGeneric detection of HTML web pages containing script obfuscated or exploited by the Win32/Stuxnet family. When a user browses a folderiframe tags that that automatically redirect to the malware that contains the malicious shortcut using an application that displaysdownload. shortcut icons, the malware runs instead.3. Win32/Sality 6. INF/AutorunSality is a polymorphic file infector. When run starts a service and This detection label is used to describe a variety of malware using thecreate/delete registry keys related with security activities in the file autorun.inf as a way of compromising a PC. This file containssystem and to ensure the start of malicious process each reboot of information on programs meant to run automatically whenoperating system. removable mediaIt modifies EXE and SCR files and disables services and process (often USB flash drives and similar devices) are accessed by arelated to security solutions. Windows PC user. ESET security software heuristically identifiesMore information relating to a specific signature: malware that installs or modifies autorun.inf files as INF/Autorunhttp://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality unless it is identified as a member of a specific malware family._am_sality_ah
7. HTML/Iframe.B 9. Win32/Toolbar.BabylonVirus . HTML/Iframe.B is generic detection of malicious IFRAME tags This class of threats ESET classifies as OUA (Potentially unwantedembedded in HTML pages, which redirect the browser to a specific application). A potentially unwanted application is a program thatURL location with malicious software. contains adware, installs toolbars or has other unclear objectives. There are some situations where a user may feel that the benefits of a8. Win32/Autoit potentially unwanted application outweigh the risks. For this reason,Win32/Autoit is a worm that spreads via removable media, and some ESET assigns them a lower-risk category compared to other types ofof it variants spread also thru MSN. It may arrive on a system as a malicious software, such as trojan horses or worms. While installingdownloaded file from a malicious Web site. It may also be dropped your ESET security software, you can decide whether to enableby another malware. After infecting a system, it searches for all the detection of potentially unwanted applications.executable files and replace them with a copy of itself. It copies tolocal disks and network resources. Once executed it downloads 10. Win32/Virut.NBPadditional threats or variants of itself. Win32/Virut.NBP is a polymorphic file infector. The virus connects to the IRC network. It can be controlled remotely. The virus searches for executables with one of the following extensions: .exe, .scr. Executables are infected by appending the code of the virus to the last section. The host file is modified in a way that causes the virus to be executed prior to running the original code.
product/service. After purchasing the product/service, the malwareTOP Threats (Global) in brief: removes itself from the computer. Trojan is probably a part of other1. HTML/ScrInject.B (see above) malware.2. INF/Autorun (see above) 6. JS/Iframe.AS3. HTML/Iframe.B JS/Iframe.AS is a trojan that redirects the browser to a specific URLHTML/Iframe.B is generic detection of malicious IFRAME tags location with malicious software. The program code of the malware isembedded in HTML pages, which redirect the browser to a specific URL usually embedded in HTML pages.location with malicious software. 7. Win32/Sirefef Win32/Sirefef.A is a trojan that redirects results of online search4. Win32/Conficker engines to web sites that contain adware.The Win32/Conficker threat is a network worm originally propagated 8. Win32/Sality (see above)by exploiting a recent vulnerability in the Windows operating system.This vulnerability is present in the RPC sub-system and can be remotely 9. Win32/Dorkbotexploited by an attacker without valid user credentials. Depending on Win32/Dorkbot.A is a worm that spreads via removable media. Thethe variant, it may also spread via unsecured shared folders and by worm contains a backdoor. It can be controlled remotely. The file isremovable media, making use of the Autorun facility enabled at run-time compressed using UPX.present by default in Windows (though not in Windows 7). The worm collects login user names and passwords when the userWin32/Conficker loads a DLL through the svchost process. This threat browses certain web sites. Then, it attempts to send gatheredcontacts web servers with pre-computed domain names to download information to a remote machine. This kind of worm can be controlledadditional malicious components. Fuller descriptions of Conficker remotely.variants are available at 10. JS/Redirectorhttp://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en. JS/Redirector is a trojan that redirects the browser to a specific URL location with malicious software. The program code of the malware is5. JS/Agent usually embedded in HTML pages.The trojan displays dialogs that ask the user to purchase a specific
Threats India vs Globe (January, Febryary, March 2012)
Sizing Up the BYOD Security Challenge Stephen Cobb, ESET Security Evangelist On the plus side of BYOD known you may get more workfrom people when they can work in more places and at more timesof the day (from the breakfast table in the morning to the kitchentable at night and the coffee shop in between). There can be costsavings too: equipment outlays can be reduced if employees usetheir own devices instead of the company buying them. At the same time, IT security managers must weigh thosebenefits against the security risks that come with these devices,plus the cost of bringing them into line with existing securitypolicies and compliance standards. For example, what are the legalramifications of an employee’s personal laptop going missing whenit contains your customer list or sensitive internalcorrespondence? To help companies get a handle on the scale andscope of these risks, ESET engaged Harris Interactive to surveysome 1,300 adults in America who are currently employed. Wefound more than 80 percent of them “use some kind of personallyowned electronic device for work-related functions.” Many ofthese devices are older technologies like laptop and desktopcomputers, but smartphones and tablets are already a significantpart of the BYOD phenomenon.
Unfortunately, the survey paints a worrying picture of securityon these devices; for example, encryption of company data is only So it is not good news to learn that only 25 percent ofhappening on about one third of them. One third of those smartphone users, and less than 10 percent of tablet users, saysurveyed responded that company data is not encrypted when it is they have enabled auto-locking on these devices (the feature thaton their personal devices and the remaining third did not know locks the device after a period of inactivity and requires aone way or the other, which is worrying in itself. You can see more password or code to unlock). Overall, we found that less than halfof the findings in the accompanying infographic. of all devices in the BYOD category are protected by basic security One particular area of concern is small devices—like tablets measures. On the bright side, BYOD security could be boostedand smartphones—that are easier to steal than laptops and cheaply and quickly if companies did the following:desktops but pack tremendous processing, storage, and Mandate auto-locking with password protection on allcommunication capabilities. Consider the Microsoft Word devices.document in which the results of ESET’s BYOD survey werepresented. This file takes up 170 kilobytes of storage space and Enable remote lock/wipe to protect data on any stolen devices.contains 17 pages of charts, tables, and text that summarize themost important findings from this not inexpensive research. That Enable encryption of company data on all devices.means you could easily store more than 70,000 similar reports on Make sure up-to-date anti-malware protection is active on all devices.16 gigabyte smart phone or microSD card. A smartphone couldtransmit all 70,000 documents to the other side of the world in In summary, now would be a good time to check how yourmatter of minutes on a WiFi or 4G/LTE connection (the latter could company is handling BYOD security. With roughly two thirds of ourprove costly, but the recipient might be happy to pay the data survey respondents reporting that their employer had not yetoverage). implemented a BYOD policy, or provided any security training, those would be good places to start.
Win32/Carberp Gang on the CarpetOn March, 20 Group-IB, ESET’s partner in Russia providing establish the entire criminal chain, including the head of thiscomprehensive investigation of IT security incidents and breaches of group and owner of a botnet, those conducting fraudulentinformation security, announced the results of its joint investigation transactions, and those directly involved in cashing the stolenwith the Federal Security Service (FSB) and the Ministry of the Interior funds. In all, a total of eight individuals comprised the group. It(MVD) of Russia resulting in the arrest of a gang of eight accused of should be noted that in addition to stealing funds from bankoffences under the Russian Federations Criminal Code including accounts, the criminals were also involved in carrying outlarceny, creation and distribution of malicious software, distributed denial of service (DDoS) attacks.and unauthorized access to computer information. The fraudsterswere engaged in online banking fraud, affecting the clients of The criminals hacked websites actively using accountant servicesover a hundred banking institutions worldwide within last 2 in their operations, as well as popular news media websites andyears. The group of hackers manages to steal over 130 million online stores, infecting them with malware. Having establishedrubles just within a quarter. remote access to the computer of a potential victim, and having detected online banking details on that computer, the criminalsGroup-IB have identified them as using Win32/Carberp and created a fraudulent payment order to transfer funds to aWin32/RDPdoor in pursuit of criminal profit, going beyond specially prepared account. Then the stolen funds were cashedstealing banking credentials and plundering bank accounts to via bank cards, established for dummy individuals or legalDDoS (Distributed Denial of Service) attacks. entities. In order to have a comfortable working environment, anIts been suggested that if convicted, they can expect sentences office was opened by the criminals, functioning as a dataof up to 10 years. The investigation of the botnet and its servers, recovery company.obtained as a result of interaction with specialized organizationsin various countries, including Holland and Canada, helped “Our experts did an enormous amount of work, which resulted inprevent theft of funds from clients of over a hundred banking identifying the head of this criminal group, the owner andinstitutions worldwide. operator of a specialized banking botnet, identifying the controlFor the first time in international practice it was possible to
servers, and identifying the directing of traffic from popular ESET researchers noted that Win32/Carberp used bootkitwebsites in order to spread malware infection,” noted Ilya components from malware called Ronix, which was also theSachkov, Group-IB CEO in company’s press release. “The subject of scrutiny in February.investigations conducted by our Forensics Lab confirmed the use The article specifies different kind of information about thisof the Win32/Carberp and Win32/Rdpdor malware by the threat such as:criminals in order to carry out theft of funds.” Fake Facebook Lockout Demanding e-CashESET whitepaper on Win32/Carberp is available here: Faking Facebookhttp://go.eset.com/us/resources/white-papers/carberp.pdf . Web-Injects Carberp Detection in Russia Global infection statistics Bypassing DDoS Prevention SystemsCarberp: the Russian Trojan banker The complete description can be read from Facebooknow aims Facebook users Fakebook: New Trends in Carberp Activity. Also, there was a related post to new trends in CarberpDavid Harley and a Russian research colleague, Aleksandr Activity is Rovnix Reloaded: new step of evolution whichMatrosov, explain that the most widely spread banking trojan in explains the new developments of this threat. This is detectedRussia is now trying to steal money from Facebook users. as Win32/Rovnix.B trojan, this appears to be the first bootkit to employ VBR (Volume Boot Record) infection.
From Georgia With Love: Win32/Georbot information stealing trojan and botnetby Righard Zwienenberg Senior Research FellowMalicious software that gets updates from a domain belonging to the Win32/Georbot features an update mechanism to get new versionsEurasian state of Georgia? This unusual behavior caught the attention of the bot as an attempt to remain undetected by anti-malwareof an analyst in ESETs virus laboratory earlier this year, leading to scanners. The bot also has a fall-back mechanism in case it can’t reachfurther analysis which revealed an information stealing trojan being the C&C (Command and Control) server: in that case it will thenused to target Georgian nationals in particular. After further connect to a special webpage that was placed on a system hosted byinvestigation, ESET researchers were able to gain the Georgian government. This does notaccess to the control panel of the botnet created automatically mean that the Georgianwith this malware, revealing the extent and the government is involved. Quite often people areintent of this operation. not aware their systems are compromised. It should be also noted that the Data ExchangeFinding a new botnet is not unusual these days and Agency of the Ministry of Justice of Georgia andmost are not particularly interesting from a nerdy, its national CERT were fully aware of thetechie point of view, but it turns out that this one situation as early as 2011 and, parallel to their(dubbed Win32/Georbot) is both unusual and own – still ongoing – monitoring, haveinteresting. Amongst other activities, it will try to cooperated with ESET on this matter.steal documents and certificates, can create audio and videorecordings and browse the local network for information. One Win32/Georbot uses various obfuscation techniques to make staticunusual aspect is that it will also look for “Remote Desktop analysis more difficult, but for experienced malware analysts that isConfiguration Files” that enables the people receiving these files to not much of a problem to overcome, and Win32/Georbot was wellconnect to the remote machines without using any exploit. That worth the time it took to undertake a detailed analysis. The full whiteapproach will even bypass the need for RDP exploits such as the one paper containing the detailed analysis available as a PDF file.that was revealed last week (MS12-20).
Fake Support, And Now Fake Product SupportDavid Harley Senior Research FellowTheres a blog article Ive been wanting to write for a few days, but It appears from a recent Avast! blog that Avast! customers are sufferinghavent so far been able to make time for. However, Martijn Grooten a similar experience, receiving phone calls from “Avast customerdrew my attention to a blog on much the same topic from our friends at service” reps who need to take control of their computer to resolveAvast! and one of ESETs partners alerted me to a very relevant and some issue and who, for a fee, wish to charge them for this privilege.related post by Brian Krebs, so Ive pushed it to the top of the stack. Unfortunately, according to Brian Krebs, "users are reporting that the incidents followed experiences with iYogi, the company in India that isI first became aware of the plague of Indian companies operating PC handling Avast’s customer support." (The relationship is confirmed byand anti-virus support scams because one of our competitors advised an Avast! blog here.)me that one of them was apparently carrying out unethical marketingon ESETs behalf. (They werent, of course, anything to do with ESET: While someone describing himself as the co-founder and president ofsee this blog series and this paper.) marketing at iYogi has strongly denied any connection with the usual gang of out-and-out scammers, the use, as described by Krebs, of theI recently learned from my colleagues at ESET UK that cold-callers Event Viewer ploy characteristic of Indian support scams means thatfrom Mumbai have developed a new twist on this cold-calling scam, iYogi is going to have to work hard to prove its innocence. My guess iscalling people in the UK and apparently claiming to offer paid support in that if Avast!, a company with an excellent reputation previously,response to problems that dont exist, because, they claim, "ESET discovers that iYogi is indeed operating on the side of the non-angels,doesnt offer free support." (Dont panic! For genuine ESET customer heads – and outsourcing contracts – will roll.support, there are contact details on the web page for the ESET partneror distributor responsible for the region in which you live. In India ESET Support services for anti-virus products obviously vary according tois obviously provoding support to all customers, the contacts are the vendor and product. Free one-to-one support may not be available forfollowing: www.esetindia.com, https://www.facebook.com/esetindia, free products, and other support may range from free but basic, toToll Free Phone 1800-209-1999). cattle-class, to business class or de luxe. However, reputable security
companies do have standards that should apply at all points on the Unless, of course, they partner with a support organization that doesntspectrum: see the difference between legitimate marketing and outright misrepresentation and fraud. If Avast! has, in fact, fallen into that trap, They dont make unsolicited phone calls to tell you about viruses you they have my sincere sympathy. But it will be hard for them to recover dont have. Sorry, but I cant guarantee that you wont get from that misstep, and the reputation of the rest of the AV industry has marketing calls but they should be within acceptable legal and also taken a blow. We can only hope that some good will come out of ethical boundaries, and that doesnt include pretending to see this, like real progress on effective legal action against support scams. malware on a system they dont have access to. They wont use nasty semi-fraudulent techniques to "prove" Paying for third-party support for a free product may sound like a good you have a virus problem like telling you that Event Viewer, or idea in principle, since AV companies dont dont normally offer one-to- ASSOC (the CLSID trick described here), or "Prefetch virus" or one support for free products. But its generally safer to upgrade to a INF is listing malicious files. (Those last two tricks are paid version, especially if you already suspect that you have malware on now summarized in a separate blog article here.) your system. The problem here is that sometimes people dont get AV If youre subscribed to some form of premium package that until they have a problem, and at that point, saving money with a free attracts a subscription rate, theyre not likely to try to gouge solution may be a false economy. even more cash or financial data out of you by ringing you up to Cold-calling (or spamming support forums) to offer paid support for scare you to death. products that already offer free support to paying customers may not They wont try to get direct access to your system free versions sound particularly ethical (well, it doesnt to me). Worse, it may actually of commercial remote access software so that they can upload cause damage to your system which may even, depending on the various free/limited functionality security packages: if a vendor and the actual circumstances, compromise your ability to professional AV company needs access to your machine, they get the legitimate support youve already paid for. But it isnt wont do it by misusing free licences for another companys necessarily fraudulent. (Or illegal, though it may go against privacy software. legislation covering "Do Not Call" lists, for example, though if the Krebs story is correct, the existence of a pre-existing support relationship may
be used to get round that. And unfortunately, cold-callers from India Support Scammers (mis)using INF andtend to ignore local do-not-call lists: in fact, some legitimate companies PREFETCHseem to be taking advantage of offshored support to bypass such lists.) David Harley Senior Research FellowBut if the call is made on the basis of reports of malware that you dont Teres a quick summary of the PREFETCH and INF ploys I mentionedhave, or at some stage the caller tries to persuade you that utilities like above. These are alternatives (or supplements) used by supportINF, PREFETCH, ASSOC and EVENTVWR are proof that you have scammers from India to the Event Viewer and ASSOC/CLSID ploys alsomalware issues, the intent is clearly fraudulent. used to "prove" to a victim that their system is infected with malware or has other security/integrity problems.Personally, Id suggest that you regard any unsolicited phone call from acompany claiming to offer antivirus support, even for a product you The "Prefetch" command shows the contents of C:WindowsPrefetch,actually have, as a probable scam. containing files used in loading programs.
The "INF" command actually shows the contents of a foldernormally named C:WindowsInf: it contains files used ininstalling the system.INF and PREFETCH are legitimate system utilities: so how arethey misused by scammers? By asking a victim to pressWindows-R to get the Run dialogue box, then asking them totype in something "prefetch hidden virus" or "inf trojanmalware". When a folder listing like those above appears, thevictim believes that the system is listing malicious files. In fact,neither of these commands accepts parameters in the Run box.You could type "inf elvish fantasy" or "prefetch me a gin andtonic" and youd get exactly the same directory listing, showinglegitimate files. Neat trick: but dont you fall for it!
Recent ESET publications in IndiaESET researchers and speakers are often invited to contributefor other publications, in India and worldwide. Here’s a selection of fewarticles that have appeared in Indian media this quarter.SME Channels, Mar 28, 2012 ESET’s Caveat Against Sharing Facebookhttp://smechannels.com/news/eset-s-caveat-against-sharing-facebook.aspxEFYtimes.com Employee’s Facebook Passwords Can Be Dangerous For Your Companyhttp://efytimes.com/e1/80931/Employees-Facebook-Passwords-Can-Be-Dangerous-For-Your-CompanyInformation Week, April 12, 2012 , Humans and Heuristics: Making people part of information security solutionshttp://www.informationweek.in/Security/12-04-12/Humans_and_Heuristics_Making_people_part_of_information_security_solutions.aspxBusiness Standard Jan 23, 2012Cyber crime is now a booming industryhttp://www.business-standard.com/india/news/cyber-crime-is-nowbooming-industry/462549/PCQuest January 09, 2012 Future Outlook of Cyber Crime & Securityhttp://pcquest.ciol.com/content/topstories/futureoutlook/2012/112010908.aspBiztech2.com 18th February, 2012 Cybercrime Predictions 2012http://biztech2.in.com/blogs/industry-expert/cybercrime-predictions-2012/125402/0
About ESETFounded in 1992, ESET is a global provider of security solutions for businesses and consumers. ESET’s flagship products ESET NOD32 Antivirus, ESETSmart Security and ESET Cybersecurity for Mac are trusted by millions of global users. ESET NOD32 Antivirus holds the world record for the numberof Virus Bulletin "VB100” Awards, and has never missed a single “In-the-Wild” worm or virus since the inception of testing in 1998. The Companyhas global headquarters in Bratislava (Slovakia), with regional distribution headquarters in San Diego (U.S.), Buenos Aires (Argentina), andSingapore. ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Prague (Czech Republic), Krakow (Poland), Montreal (Canada),Moscow (Russia), and an extensive partner network in 180 countries.In India ESET products are exclusively supplied and supported by "ESS Distribution Pvt Ltd". The sales of ESET products are executed through theChannel Partners across India.Additional resourcesKeeping your knowledge up to date is as important as keeping your AV updated. For these and other suggested resources please visit the ESETThreat Center to view the latest: ESET India Facebook ESET India Twitter ESET White Papers ESET Blog ESET Podcasts Independent Benchmark Test Results Anti-Malware Testing and Evaluation