Kelihos: not Alien Resurrection, more Attack of the Clones
How the Kelihos botnet survived a stake through the heart, and some alternatives to garlic and silver bullets.
Education? Academic background in modern languages, social sciences, and computer science.
Highlights of your career? I was a late starter (1986) as an IT professional, beginning at the Royal Free Hospital, then with the Human Genome Project (1989), then at Imperial Cancer Research Fund (1991-2001), where I wrote/co-wrote/edited a number of Internet FAQs and my first articles on programming and security. I presented my first conference papers in 1997 (at Virus Bulletin and SANS). In 2001 Osborne published Viruses Revealed (co-written with Robert Slade and Urs Gattiker): VR and the later AVIEN Malware Defense Guide (Syngress) – to which Andrew Lee also contributed – are probably the best known of my books. When I rejoined the UK’s National Health Service in 2001, I ran the Threat Assessment Centre and was the go-to person nationally for malware issues. I left to work as a freelance author and consultant in 2006, which is also when I began to work with ESET.
Position and history at ESET? Senior Research Fellow at ESET N. America. Primarily, I’m an author and blogger, editor, conference speaker, and commentator on a wide range of security issues. Like the rest of the industry, they put up with me because I’ve been around so long.
What malware do you hate the most? Malware is just code. It’s malicious people I detest. While I’ve no love of scammers, I can see that it’s easier to be honest in a relatively prosperous environment – if there is such a thing anymore – and that cybercrime can be driven by an economic imperative. But I have nothing but contempt for those sociopaths who cause harm to others for no reason except that they can.
Favorite activities? The guitar (I still gig and record when time allows), other people’s music. I love opera but don’t attempt to sing it. Photography, art, poetry, country walking – well, ambling is about as much as I can manage at my age – good food and wine, good television when I can find it...
What is your golden rule for cyberspace? Scepticism is a survival trait: don’t assume that anything you read online is gospel truth, even this adage.
When did you get your first computer and what kind was it? Amstrad PCW (primarily a word-processor) in 1986. What else would you expect a not-very-rich author to buy in 1986? :)
Favorite computer game/activity? Extra-curricular writing (blogging, verse and lyrics, articles). Digital photography and miscellaneous artwork.
David Harley: And you should also bear in mind that some of the security experts who are denigrating AV en masse right now have their own commercial agendas to push, in favour of other technologies that are not the 100 Per Cent Solution either.
David Harley: ESET is seeing a new step of evolution for the Rovnix bootkit family.
David Harley: Security can't be purely the responsibility of the government, the police, the security industry, the ISPs, the public sector, private industry, or any permutation thereof.
David Harley: Like everyone else, law enforcement is expected to perform miracles of efficiency. But it's not all about financial analysis: there is no such thing as victimless crime.
David Harley: Do you know what your children are doing online, and do they know the risks out there?
David Harley: A new TDL4 sample includes novel privilege escalation mechanisms in the dropper and changes to the hidden storage system.
David Harley: Facebook fraud, Carberp, statistics and a DDoS plugin.
David Harley: Facecrooks has flagged a scam that has apparently already tricked 300,000 people into Liking a scam page.
David Harley: What was number one when you were born? Facebook survey scammers aren't going to tell you.
David Harley: Static passwords: if we can't kill them off, can we at least improve them? Yes, but here's a note of caution.
David Harley: WPS, Reaver, and what you can expect from anti-virus by way of vulnerability scanning.
David Harley: Do Xmas shopping and porn surfing account for a spike in Win32/Scrinject detections?
David Harley: ZeuS-related malware appears to be sent by US-CERT and also misuses the name of APWG (the Anti-Phishing Working Group).
David Harley: The two most prevalent threats over 2011 were still INF/Autorun and Conficker: ESET's December ThreatSense Report looks at threat trends in the new year.
David Harley: ESET Ireland's Urban Schrott has found an Ireland-targeted 419 with a Spanish twist.
David Harley: ESET researchers examine the evolution of bootkit threats targeting 64-bit Windows over 2011.
David Harley: Dazzlepod is saying ... if your account name comes up, change your current password ... why not assume that your account is compromised and go ahead and change it anyway and everywhere?
David Harley: ...there's an uptick today in rogue "Eat for Free at Cheesecake Factory!" wall posts...it's a survey scam with no payoff. Well, not for you. The scammers seem to be doing quite nicely out of it.
David Harley: An updated version of the paper "Ten Ways to Dodge CyberBullets", addressing the question "what are the top 10 things that people can do to protect themselves against malicious activity?"
David Harley: PC World has reported that Janakan Arulkumarasan, the creator of Fan Check says it’s non-viral, safe and legitimate, in an interview with IDG News Service. The article quotes him as saying: “FanCheck is NOT a malicious app. Unfortunately, some malicious developers have been spreading a lie that it is — and encouraging people to download fake
David Harley: Microsoft’s advisory on the SMB driver issue is now available. As expected, it includes some comments on mitigation, but they’re rather fluffy. It advocates “Firewall best practices and standard default firewall configurations”, which “can help protect networks from attacks that originate outside the enterprise perimeter,” and suggests exposing a “minimal number of ports”. Well, duh… I’d expect any firewall
David Harley: Some traffic has crossed my radar concerning a 0-day exploit that apparently enables a remote attacker to crash a Vista or Windows 7 system with SMB enabled (and according to subsequent reports, Server 2008). The original post and exploit are claimed to demonstrate the possibility of a Blue Screen Of Death (BSOD) and (normally) an automatic reboot when
David Harley: Somewhere back in the Dark Ages, I wrote some articles for Computer Weekly in the UK, as part of a series of articles called Security Zone. This is a regular series where the contributors are all members of (ISC)2, the International Information Systems Security Certification Consortium*. Some of those articles are accessible from the Computer
David Harley: Update: Lysa Myers, of West Coast Labs, has confirmed that she knows of a number of people who’ve used the application and didn’t see anything fishy happening. It did offer to send emails outside Facebook but didn’t insist on it, so it’s hard to see where the messages from unapproved contacts are coming from. I’ll
David Harley: I was passed a query from a journalist in the UK about Win32/Induc.A, the Delphi infector both Randy and I have blogged about previously, asking whether ESET has figures supporting my contention that this “harmless” malware actually has the potential to cause significant damage, as he had seen no reports of “even minor disruption.” While
David Harley: (1) Websense, our neighbour in San Diego, has reported a fake anti-malware scam centred on Labor Day social engineering. The scam uses malicious SEO (Search Engine Optimization) techniques, sometimes referred to as index hijacking or SEO poisoning, to misdirect potential victims. When the victim uses Google to search for Labor Day sales (apparently these are very
David Harley: The Register has reported that it cost Ealing Council, in London (UK) some £500,000 in lost revenue and repairs after a “virus infection” in May. According to El Reg’s John Leyden, the virus in question was Conficker-D, though because of differences in Conficker variant naming, it’s difficult to say exactly which variant that would refer to.
David Harley: An interesting comment was made to my last blog on Snow Leopard, Mac malware and all that. I’ve approved the comment, but since people who read the blog earlier won’t necessarily go back to see what comments it’s attracted, I’ll answer it here, at more length. Mac User said that “Currently, the only way to get
David Harley: I’ve just returned from Canterbury in the UK. One of the reasons I was there was to present a paper on malware naming at CFET 2009 (3rd International Conference on Cybercrime Forensics Education & Training). It was an excellent conference, and I’ll have more to say about that later (and the paper will be available shortly
David Harley: I forwarded this to myself from another account yesterday because I thought it was one of the laziest 419 scam messages I’d ever seen. From: British Tobacco Company Sent: 27 August 2009 19:46 Subject: Contact Mr Paul Adams Congratulations! Your e-mail ID was among the selected lucky winners of £1,000.000.00 GBP in our BRITISH TOBACCO
David Harley: Mac User has reported in a little more detail than I’ve seen elsewhere so far on the Trojan detection in Snow Leopard, quoting freelance OS X and iPhone developer Matt Gemmell. In fact, the meat of the story is Gemmell’s tweets, which state that: the system checks for only two known Trojans, RSPlug and iServices, and
David Harley: I feel like the learned judge in the ’60s who asked, in the course of a trial, “What is a Beatle?” since until recently I couldn’t have given you an accurate answer to the question “What is a Jessica Biel?” In fact, I’d probably have said something like “Wasn’t she in Flashdance?” (The answer is
David Harley: Cristian Borghello, Technical and Education Manager at ESET Latin America, tells us that they’ve noted quite a few sites that pretend to provide information on the fire crisis in Athens, Greece, but actually download malware onto the user’s PC. (Mistakes in translation are down to DH!) The criminals are using Black Hat SEO (Search Engine
David Harley: A number of new papers have been added to the white papers page: Cristian Borghello’s “Playing Dirty” is a translation of his original Spanish paper, available on the ESET Latin America web site, and describes in detail how criminals make money out of stealing online gaming credentials and assets. My paper Social Security Numbers: Identification is
David Harley: This is part two of a recent email interview with a Turkish web site, with part one made available here for the benefit of those of us who don’t speak Turkish. I’ve done a little editing on parts one and two, primarily for cosmetic reasons. Question (4): What are the golden rules for using the Internet with
David Harley: This is a research blog, not a marketing blog. Not that there isn’t a place for marketing (that’s what pays our salaries, in a sense!) and marketing blogs, but my guess is that most of our readers here would get bored quite quickly if we spent too much time on press-release type material, our latest
David Harley: Regular readers will be aware that, unlike many people in the security industry, people in this research team tend to be enthusiastic supporters of security education for end users, both inside and outside business: not as The Answer To Everything, not in terms of turning everyone who uses the Internet into a security expert, but
David Harley: So, back in harness. I’ve been away for a couple of weeks: not on holiday as such, though I did take some days out, but concentrating on writing: it didn’t hurt that I didn’t have a full-strength internet connection to distract me, though. Before I left, I was interviewed by a Turkish security site. It
David Harley: I was amused (and not the only one, either) to notice that the UK’s Cabinet Office has recently launched a “Template Twitter strategy for Government Departments”: I wonder if they’re thinking of reconsidering in view of the proven fragility and security-shakiness of Twitter, but I suspect not. I am tempted to make a cheap shot related