Win32/Hodprot: Hot off the Press
A week or so ago we promised you a full paper expanding on our Hodprot is a Hotshot blog. That paper is now available.
Education? Academic background in modern languages, social sciences, and computer science.
Highlights of your career? I was a late starter (1986) as an IT professional, beginning at the Royal Free Hospital, then with the Human Genome Project (1989), then at Imperial Cancer Research Fund (1991-2001), where I wrote/co-wrote/edited a number of Internet FAQs and my first articles on programming and security. I presented my first conference papers in 1997 (at Virus Bulletin and SANS). In 2001 Osborne published Viruses Revealed (co-written with Robert Slade and Urs Gattiker): VR and the later AVIEN Malware Defense Guide (Syngress) – to which Andrew Lee also contributed – are probably the best known of my books. When I rejoined the UK’s National Health Service in 2001, I ran the Threat Assessment Centre and was the go-to person nationally for malware issues. I left to work as a freelance author and consultant in 2006, which is also when I began to work with ESET.
Position and history at ESET? Senior Research Fellow at ESET N. America. Primarily, I’m an author and blogger, editor, conference speaker, and commentator on a wide range of security issues. Like the rest of the industry, they put up with me because I’ve been around so long.
What malware do you hate the most? Malware is just code. It’s malicious people I detest. While I’ve no love of scammers, I can see that it’s easier to be honest in a relatively prosperous environment – if there is such a thing anymore – and that cybercrime can be driven by an economic imperative. But I have nothing but contempt for those sociopaths who cause harm to others for no reason except that they can.
Favorite activities? The guitar (I still gig and record when time allows), other people’s music. I love opera but don’t attempt to sing it. Photography, art, poetry, country walking – well, ambling is about as much as I can manage at my age – good food and wine, good television when I can find it...
What is your golden rule for cyberspace? Scepticism is a survival trait: don’t assume that anything you read online is gospel truth, even this adage.
When did you get your first computer and what kind was it? Amstrad PCW (primarily a word-processor) in 1986. What else would you expect a not-very-rich author to buy in 1986? :)
Favorite computer game/activity? Extra-curricular writing (blogging, verse and lyrics, articles). Digital photography and miscellaneous artwork.
David Harley: What we're lacking here is a clear differentiation between types of "hacktivist" or, indeed, "activist": much of the commentary that's around at the moment seems to assume that all hacktivists are the same.
David Harley: In fact, the real interest of the document lies in the extensive overview (12 closely-typed pages without graphics and such) of the DHS view of its own cybersecurity mission.
David Harley: ...one Yasuhiro Kawaguchi was arrested yesterday on suspicion of "saving a virus on his computer," though the story suggests distribution of malware too...
David Harley: ...the scammer doesn't need you to edit the registry to find the CLSID he's looking for. He simply has to persuade you to run the ASSOC command...
David Harley: ...there are (over) 2,095,006,005 Internet users nowadays (due credit to www.internetworldstats.com). Inevitably, some of them are going to have the same name as real celebrities and fictional characters...
David Harley: In their presentation “Cybercrime in Russia: Trends and issues” at CARO2011 -- one of the best presentations of the workshop, in my unbiased opinion ;-) -- Robert Lipovsky, Aleksandr Matrosov and Dmitry Volkov mentioned the Win32/Hodprot malware family, which seems to be undergoing something of a resurgence.
David Harley: Although the “Ready to Ride” group originated in Russia, it distributes Win32/Cycbot outside the borders of the Russian Federation. Going by the prices per installation, the primary target of the group is the US.
David Harley: I've stopped maintaining Stuxnet resource pages recently, but occasionally I come across an article that adds something useful to the mix, or simply summarizes aspects of the Stuxnet story neatly and accurately. Besides, its authors must be feeling a little left out with all that fuss about TDL4. ;-) A recent report in Wired gives
David Harley: So who's to blame? First and foremost, the victimizers. Well, persistent victims, yes. And anyone in the security industry who pushes the TOAST principle, the idea that all you have to do is buy Brand X and you never have to take responsibility for your own security. Though, of course, "who's to blame?" is the wrong question: what matters is "how do we fix it?"
David Harley: Here's something I noticed today on the ESET Facebook page at http://www.facebook.com/esetsoftware. (There is, of course, also an ESET North America page at http://www.facebook.com/esetusa, but this is the European page. There are lots of local ESET pages too, too many to list here.) As Facebook continues to attract more pages and videos containing malware, we
David Harley: At a time when the West is, generally speaking, not at the top of its game economically, I can see why defence contractors, like anyone else, are anxious to save money, but outsourcing critical systems purely for economic advantage in the hope of submitting the lowest tender is a risky strategy.
David Harley: I don’t think there’s such a thing as an indestructible botnet. TDSS is somewhat innovative. It's introduced new twists on old ideas like P2P networks and hiding malware.
David Harley: The TDSS botnet, now in its 4th generation, is seriously sophisticated malware, which is why we've spent so much time writing about it: the revision of the paper The Evolution of TDL: Conquering x64 that will be up on the white papers page shortly runs to 54 pages and includes some highly technical analysis, including the detail on
David Harley: Recently ... our TDL tracker picked up a brand new plugin for TDL4 kad.dll (Win32/Olmarik.AVA) which we haven’t seen earlier ... we discovered that it implements a particularly interesting network communication protocol ...
David Harley: ...And therein lies a problem that goes beyond support scams. The telephone network, like the Internet, isn't very good at recognizing national boundaries. Which is why I have a couple of rules of thumb when it comes to cold callers...
David Harley: ...what I had principally in mind at that point was the impact on some 4,800 of its customers whose businesses may have been threatened when data, sites and email on four of its servers were lost...
David Harley: "Infrastructure Attacks: The Next Generation?" now includes the speaker notes, which hopefully makes it more interesting and useful.
David Harley: ...It's a 419 (Advance Fee Fraud) message, of course. Stripped of the pseudo-governmental flim-flam, the core of the message is that they want you to forward them this...
David Harley: So, a (long) while ago I wrote about the Haiti earthquake, with some commentary about the intersection between natural disasters, Black Hat SEO, scare tactics for education in good security practice, plus some links relevant to the earthquake. Well, I'm certainly not ashamed of that blog, though I haven't thought about it for a long time,
David Harley: Talking of the C-worm (“Will no-one rid me of this troublesome malware?”), I mentioned in a blog from a couple of days ago that Jose Nazario supplied some useful information on an issue I was checking into. The issue concerned reports from a Russian news site of Distributed Denial of Service attacks on Russian sites:
David Harley: If it was the intention of the Conficker gang to create a huge splash, they succeeded. (In fact, it’s quite possible that they’ve attracted more attention than they really wanted.) In any case, it seems that lots of people are looking nervously over their shoulders for any indication that something unpleasant and Conficker-related is about
David Harley: The Register’s John Leyden has harsh words to say today about problems with security software: “Once, running Windows anti-virus was like driving down a dual carriageway. These days, it’s more like an unpaved road.” Well, I can understand his viewpoint, though given the sheer volume of security products these days, I’m not sure a small
David Harley: I remember the days when the major anti-virus companies (back when they called themselves that) actually included links to the informational sections of competitive web sites (especially the threat encyclopaedias). Sadly, that doesn’t seem to be the world we live in any more. Still, we’re always pleased when someone we know comments here, even competitors, and
David Harley: Microsoft issued an advisory last week – Microsoft Security Advisory (969136) “Vulnerability in Microsoft Office PowerPoint Could Allow Remote Code Execution” – that “could allow remote code execution if a user opens a specially crafted PowerPoint file.” The advisory uses very similar language to Microsoft’s recent advisory on an Excel vulnerability, referring to “only…limited and
David Harley: When I write about Mac issues, I usually find myself abused by individuals convinced that there are no Mac viruses, never were any Mac viruses, and never could be any Mac viruses. Less advanced cases sometimes admit that there is Mac malware (and malware that isn’t Mac-specific, but can affect Mac users), but buy into
David Harley: Good morning. Is there anyone still out there and connected? Thought so. While one or two people who comment here seem to think I’m personally responsible for developing, maintaining, and marketing ESET products (and in at least one case writing the malware as well), I’m afraid I didn’t spend April 1st crouched over a rack
David Harley: So, nothing happened? Well, yes. Our labs, who’ve been monitoring carefully, note that Conficker changed communication protocols, just as the code said it would. No doubt in the fullness of time, the botnet will start doing what botnets do: it would be bizarre to put this much effort into a project and then not try
David Harley: …as I write, it’s past midnight here in the UK. In some parts of the world it’s already been April 1st for nearly 14 hours. I have yet to hear any reports of melted PCs, disappearing internets, or institutions DDoS-ed into insolvency by Conficker. I’ve just received email from a colleague in Sydney, where it’s business as
David Harley: I can already hear a chorus of “Not ANOTHER Conficker blog?”, but some of you will want to know about this development. The Honeynet Project has announced a new scanning tool for detecting Conficker, which gives network and system administrators a very handy extra tool for detecting Conficker activity on their networks. Furthermore, the tool
David Harley: I thought I’d blogged myself to a standstill over the weekend, but it seems there’s plenty of life left in the Tibet/China story, even if it’s only the East and the West exchanging accusations. A China Daily headline claims that “Analysts dismiss ‘cyber spy’ claims”, though in fact the quotes in the article talk about exaggeration
David Harley: Around the end of the last decade, when I was working for a research organization in the UK, I used to write a monthly column on security for an in-house newspaper, and was rapped over the knuckles for telling this little story. I’ve probably changed the detail since then: I don’t keep everything I’ve written
David Harley: I’ve mentioned here before that targeted malware, often delivered by “spear phishing” carried by apparently “harmless” documents such as PDFs, .DOCs and spreadsheets rather than overt programs, can have much more impact than the raw numbers of such attacks suggest. In fact, some sources now use the term “whaling” rather than “spear phishing” to reflect the
David Harley: [Update: it seems that people who missed the whole MS-DOS/having fun with the C> prompt and batch files thing are still struggling with the fact that vendors are releasing cleaning tools that are really command-line tools, so some step-by-step notes are added below.] I’m sure you’re almost as bored with this issue as I am with the
David Harley: This wouldn’t normally be the place to discuss the ongoing decline of the fortunes of the British Government, but there have been several IT-security-related stories coming out of the Mother of Parliaments worth a closer look. Back on March 10th, The Register reported that MP (Member of Parliament) Alun Michael had reported to the police that he
David Harley: Responding to a request for information about phishing and malware distribution mechanisms this morning, I happened upon a link on the Anti-Phishing Working Group site to the Silver Tail blog. The site has been running a series of blogs on “Online Fraud from the Victim’s Perspective”. Author Laura Mather tells the story of two victims,
David Harley: There are quite a few reports currently about particularly ugly developments on the fake AV front. The Register’s John Leyden has referred to a “double dipping” attack, in which the notorious Antivirus 2009 is implicated in an attack that goes beyond offering useless rogue anti-malware to inflicting actual damage on user data files, in order to force the victim
David Harley: Well, I’ve still had no information about updates to address the recent Acrobat vulnerability/exploits at either of the addresses I subscribed to Adobe’s Security Notification Service. However, the RSS feed here does work. Which is how I know that Acrobat Reader 9.1 and 8.1.4 for Unix were released yesterday, right on time. As expected, these address the
David Harley: I just picked up a comment made today on a post Randy made about the comparative security of Macs and PCs. Since the original post goes back to 2006, it seems a pity to bury the comment on a page most people won’t get to. In fact, since the comment reproduces an article in PC
David Harley: The BBC published a self-justification of sorts over the Click fiasco on Friday 13th March: when I came upon it the following morning, I posted a comment there, pointing out that Mark Perrow had addressed the issues this industry hadn’t complained about, and ignored the issues that we were concerned about. My comment is number 14,