The 2014 mid-year threat review by Aryeh Goretsky discusses various cybersecurity threats, including the rise of Android malware, banking bots targeting cryptocurrencies, and vulnerabilities like Heartbleed affecting numerous websites. It highlights the Internet of Things (IoT) risks, such as smart TVs and routers being exploited for theft and spying, and notes that Windows XP has reached its end of life. The document emphasizes the ongoing challenges in cybersecurity and suggests measures for protecting devices against emerging threats.

1. 2014 Mid-Year
Threat Review
The good, the bad and the ugly

2. Presenter
Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher
ESET North America
✉ askeset@eset.com
@eset (global)
@esetna (US + Canada)

3. About ESET
• Leading security solution provider for companies of all
sizes, home and phones
• Pioneered and continues to lead the industry in
proactive threat detection
• Presence in more than 180 countries worldwide
• Protecting over 100 million users
• Ten years of consecutive VB100 awards†
• 5th Largest Endpoint Security Vendor‡
†Source: Virus Bulletin Magazine
‡Source: IDC, Worldwide Endpoint Security 2013-2017 Forecast and 2012 Vendor
Shares

4. What’s on the agenda?
• A brief look into ESET’s threat database
• Android malware
• Banking bots & Bitcoin thieves
• Heartbleed SSL vulnerability
• Internet of Things (IoT)
• Mac & iPhone
• Nation-state malware
• Windigo/Ebury malware campaign
• Windows XP reaches its end of life

5. What this presentation is not about
• BYOD & mobile device threats
• Data breaches (eBay, Target, …)
• Edward Snowden, NSA, et al
• Multifactor authentication
• Passwords and PINs
• Phishing, scams & social media
• Windows 8.1 Update

6. Threat Database Updates

7. Threat Database Updates
[CHART REDACTED]
To view this slide, please see the presentation at:
https://www.brighttalk.com/webcast/1718/110971

8. Android is becoming Windows

9. Android Malware
• Amount of malware continues to grow
• Can be deployed by Windows malware (q.v.)
• Reports of smartphones & tablets shipping with
pre-installed malware
• Everything old is new again:
– first worm discovered, Android/Samsapo
– first ransomware discovered, Android/Simplocker
• On the plus side
– Google plans to periodically re-scan installed apps
– Most malware originates outside of Google Play,
device or carrier stores

11. Android Malware
Have you seen any malware, potentially unwanted
applications or junk apps on your Android devices?
Yes
no

12. Banking bots & Bitcoin thieves
• Arrival of *coin mining and stealing on multiple
platforms, technologies (Android, BAT, MSIL, Win32,
VBS)
• Win32/Corkow banking Trojan targets Bitcoin
wallets, Android developers and Russian
business bank accounts
• Win32/Qadars banking bot now drops Android
iBanking component Android/Spy.Agent.AF via
Facebook webinject

13. Heartbleed SSL Vulnerability
• 2 year old flaw in OpenSSL allows eavesdropping
into communications
• About two-thirds of web sites were affected
• Also affected networking gear from Cisco,
Juniper and others; in VPN software, etc.
• Windows 8 inbox VPN clients, too
• May have been exploited for those 2 years before
being discovered

14. Internet of Things
• Smart TVs – “Red Button” bot in your living room?
– Script injection, credential theft, malware?
– all via broadcast (EU standard, soon in US)
• Smart TVs – the spy in your living room?
– Some have microphones and webcams
• Not apparent when they’re on; or how to turn off (or if)
• Can be remotely taken over (Samsung)
– Sent viewing habits, URLs, filenames of private videos (LG)
– Replace images/videos on screen (Philips)
• Tesla’s iPhone app, used to lock/unlock vehicle,
vulnerable to brute-forcing

15. IOiT: Routers and DVRs, etc.
• Residential gateway broadband routers under attack
from worms like Win32/RBrute
– DNS changing
• Browser injection
– Ad injection substitution, spying, etc.
• Credential theft
– bank fraud, shopping, social media, webmail …
• Search engine redirection
– Bing, Google, Yahoo redirect to sponsored & PPC searches
– coin mining (DVR, NAS...)
• Nowhere near as effective as PCs, but remember:
“Quantity has a quality all its own.” – Joseph Stalin

16. IOiT: Routers and DVRs, etc.
[LIST OF AFFECTED
VENDORS REDACTED]
To view this slide, please see the presentation at:
https://www.brighttalk.com/webcast/1718/110971

17. IOiT: Routers and DVRs, etc.
Reminder:
1. Disable access to admin settings on LAN and
wireless interfaces
2. Update firmware to latest version (manual check
may be required-do not rely on autoupdate)
3. Use a str0ng password

18. IOiT: Fighting router-based threats

19. Internet of Things
Do you use any of these Internet connected
devices?
 Home Automation (thermostat, fire/CO2
alarms, X10, Zigbee, etc.)
 Network Attached Storage (NAS)
 Next-gen gaming console
 Router / Wi-FI Access Point
 Smart TV and/or Digital Video Recorder (DVR)

20. Mac, iPad & iPhone
an Apple a day…
No major campaigns targeting OS X & iOS, but…
• GotoFail, a critical SSL vulnerability is patched
• Targeted attacks continue, such as against
Chinese and Tibetan advocacy groups
• Weird ransomware attacks target Australian and
New Zealand iPhones, iPads & Macs

21. Nation-state malware update
• OSX/Appetite trojan used against Falun Gong
and Tibetan activists
• MiniDuke (aka Win32/SandaEva) continues to be
used
– Targets include European governments, institutions
and NGOs
• Use of Win32/Agent.VXU against Ministry of
Natural Resources and the Environment in
Vietnam (US equivalent: EPA)

22. The Windigo Campaign
…anything but Windows
• Started with investigation into Linux/Ebury
– OpenSSH backdoor + credential stealer
– Malicious library and patch to OpenSSH binaries
– Took several steps to avoid detection
• Includes Linux/Cdorked, Perl/Calfbot and
Win32/Glupteba.M families
• Over 25,000 servers infected over past 2 years
• Affected Linux, FreeBSD, OpenBSD, Mac OS X
– Plus some Windows servers running Perl + Cygwin

23. Windows XP reaches EOL status
• On April 8th, support ended for Windows XP
– An update, MS14-021, released on 5/1/14 due to
extraordinary circumstances
– One-time event, don’t expect it again
• Globally, 30% of PCs still running XP
– Regionally, ranging from 11% to 61% usage
• If you’re still running XP:
– Patch systems to final set of updates
– Isolate
– Figure out migration strategy now

24. Resources: Android
ESET’s We Live Security (blog)
• Android malware worm catches unwary users
• Android malware? Google will be watching your every move
• Android phones and tablets ship “pre-infected” with malware
• ESET Analyzes First Android File-Encrypting, TOR-Enabled
Ransomware
ESET’s Virus Radar (threat encyclopedia)
• Android/Samsapo
• Android/Simplocker

25. Resources: Banking Bots & Trojans
ESET’s We Live Security (blog)
• Facebook Webinject Leads to iBanking Mobile Bot
• Corkow: Analysis of a business-oriented banking Trojan
• Corkow – the lesser-known Bitcoin-curious cousin of the Russian
banking Trojan family
• Surveillance cameras hijacked to mine Bitcoin while watching you
ESET’s Virus Radar (threat encyclopedia)
• Win32/Corkow
• Win32/Qadars
• Android/Spy.Agent.AF

26. Resources: Heartbleed
ESET’s We Live Security (blog)
• All eyes on Heartbleed bug: Worse than feared and could affect
“billions”
• Heartbleed claims British moms and Canadian tax payers as
victims
• Heartbleed encryption flaw leaves millions of sites at risk
• “I am responsible”: Heartbleed developer breaks silence

27. Resources: Internet of Things (1/4)
ESET’s We Live Security (blog)
• Attack on Samsung’s Boxee TV service leaks 158,000 passwords
and emails
• Channel Cybercrime: Bug allows hackers to hijack screen of
Philips TVs
• Fridge raiders: Will 2014 really be the year your smart home gets
hacked?
• Hacker amasses $620,000 in cryptocurrency using infected
computers
• LG admits that its Smart TVs have been watching users and
transmitting data without consent

28. Resources: Internet of Things (2/4)
ESET’s We Live Security (blog)
• ‘Major’ Smart TV vulnerability could allow mass wireless attacks
• More than 300,000 wireless routers hijacked by criminals in global
attack
• Mysterious ‘Moon’ worm spreads into many Linksys routers – and
hunts new victims
• Simplocker Ransomware: New variants spread by Android
downloader apps
• Smart TVs can be infected with spyware – just like smartphones

29. Resources: Internet of Things (3/4)
ESET’s We Live Security (blog)
• Stop TVs spying on us. U.S. Senator calls for safer Smart devices
• Surveillance cameras hijacked to mine Bitcoin while watching you
• Tesla shocker as researcher picks electric supercar’s lock
• The Internet of Things isn’t a malware-laced game of cyber-
Cluedo… yet
• Win32/Sality newest component: a router’s primary DNS changer
named Win32/Rbrute

30. Resources: Internet of Things (4/4)
ESET’s Virus Radar (threat encyclopedia)
• Win32/Sality
• Win32/Rbrute

31. Resources: Mac Malware
ESET’s We Live Security (blog)
• 10 years of Mac OS X malware
• Five tips to help control your privacy on Mac OS X
• iPhone and Apple ransom incidents? Don’t delay locking down
your i-stuff
• Master of Mavericks: How to secure your Mac using Apple’s latest
update
• Urgent iPhone and iPad security update, Mac OS X as well
ESET’s Virus Radar (threat encyclopedia)
• OSX/Appetite

32. Resources: Nation-State Update
ESET’s We Live Security (blog)
• 10 years of Mac OS X malware
• Miniduke still duking it out
ESET’s Virus Radar (threat encyclopedia)
• OSX/Appetite
• Win32/Agent.VXU
• Win32/SandyEva (MiniDuke)

33. Resources: Windigo Campaign
ESET’s We Live Security (blog)
• An in-depth Analysis of Linux/Ebury
• Interview: Windigo victim speaks out on the ‘stealth’ malware that
attacked his global company
• Operation Windigo – the vivisection of a large Linux server-side
credential-stealing malware campaign
• Over 500,000 PCs attacked every day after 25,000 UNIX servers
hijacked by Operation Windigo
• Windigo not Windigone: Linux/Ebury updated
ESET research papers
• Operation Windigo (PDF)

34. Resources: Windows XP EOL
ESET’s We Live Security (blog)
• 5 Tips for protecting Windows XP machines after April 8, 2014
• Goodbye, Windows XP!
• With just days to go, just how many PCs are still running Windows
XP?
• Windows exploitation in 2013
• XP-diency: beyond the end of the line

35. Special Thanks
Kudos to
Bruce P. Burrell
David Harley
Amelia Hew
Emilio Plumey
Javier Segura
Aaron Sheinbein
Marek Zeman
for their assistance with the ESET 2014 Mid Year Threat
Report!

36. I would like to request one of the following
Contact from ESET Sales
Business Edition Trial
PassMark® Competitive Analysis Report
Monthly Global Threat Report
Polling question:

37. Q&A Discussion