Ransomware Part III: another drop of the Irish
Where to find more information about current trends in international ransomware design.
Education? Academic background in modern languages, social sciences, and computer science.
Highlights of your career? I was a late starter (1986) as an IT professional, beginning at the Royal Free Hospital, then with the Human Genome Project (1989), then at Imperial Cancer Research Fund (1991-2001), where I wrote/co-wrote/edited a number of Internet FAQs and my first articles on programming and security. I presented my first conference papers in 1997 (at Virus Bulletin and SANS). In 2001 Osborne published Viruses Revealed (co-written with Robert Slade and Urs Gattiker): VR and the later AVIEN Malware Defense Guide (Syngress) – to which Andrew Lee also contributed – are probably the best known of my books. When I rejoined the UK’s National Health Service in 2001, I ran the Threat Assessment Centre and was the go-to person nationally for malware issues. I left to work as a freelance author and consultant in 2006, which is also when I began to work with ESET.
Position and history at ESET? Senior Research Fellow at ESET N. America. Primarily, I’m an author and blogger, editor, conference speaker, and commentator on a wide range of security issues. Like the rest of the industry, they put up with me because I’ve been around so long.
What malware do you hate the most? Malware is just code. It’s malicious people I detest. While I’ve no love of scammers, I can see that it’s easier to be honest in a relatively prosperous environment – if there is such a thing anymore – and that cybercrime can be driven by an economic imperative. But I have nothing but contempt for those sociopaths who cause harm to others for no reason except that they can.
Favorite activities? The guitar (I still gig and record when time allows), other people’s music. I love opera but don’t attempt to sing it. Photography, art, poetry, country walking – well, ambling is about as much as I can manage at my age – good food and wine, good television when I can find it...
What is your golden rule for cyberspace? Scepticism is a survival trait: don’t assume that anything you read online is gospel truth, even this adage.
When did you get your first computer and what kind was it? Amstrad PCW (primarily a word-processor) in 1986. What else would you expect a not-very-rich author to buy in 1986? :)
Favorite computer game/activity? Extra-curricular writing (blogging, verse and lyrics, articles). Digital photography and miscellaneous artwork.
Where to find more information about current trends in international ransomware design.David Harley
More on the Gaelic ransomware, and how to spot ransomware in your own language, even if you aren't Irish.David Harley
Nitol versus Michelangelo: the supply chain is much more than the production line.David Harley
Information about the August Global Threat Report and where to find other ESET resourcesDavid Harley
Well, that was a little unexpected. The Irish Times has reported the discovery of the “first Irish language virus“. (Further checking suggests that the story may have originated with the Donegal Daily.) Actually, it sounds less like a virus – there’s no indication of whether it self-replicates – than the kind of ransomware that we’veDavid Harley
The odds against losing money may be better with cash machines than fruit machines, but why neglect simple, obvious precautions?David Harley
AV companies obey the law and cooperate actively with law enforcement. That doesn't mean they turn a blind eye to government spyware.David Harley
More information about how tech support scammers have been using the Quervar/Dorifel outbreak to trick Netherlanders into giving them access to their systems and credit cards.David Harley
Ammyy is eager to disassociate its service from Indian tech support scammers misusing it, and has some good advice for victims and potential victims.David Harley
Carbon Black assert that if an AV company doesn't detect malware within six days of its being flagged on Virus Total, it probably won't after a month. Is that as dangerous as it sounds?David Harley
Phish, Phowl, and Passwords I spend a lot of time defending educational as opposed to purely technical solutions to security. Not that I don’t believe in the usefulness of technical solutions: that is, after all, ESET’s basic business. However, there are many people in the security business who believe that education is a waste ofDavid Harley
The threat of the Dorifel/Quervar malware spreading in the Netherlands is being used by telephone scammers to trick local PC users into paying for 'protection'.David Harley
Scammer Anna claims to be from Global PC Helpline, and certainly that site seems to be confused about what it is and where it operates from.David Harley
After Event Viewer, ASSOC, INF, PREFETCH and Task Manager, it seems that VERIFY is the latest system utility to be misused by PC tech support scammers.David Harley
Jonathan Brossard describes an 'undetectable, unremovable' attack on firmware through gimmicked hardware or a subsequent malware attack. David Harley isn't convinced.David Harley
Giving a support scammer access to your PC can give you more problems than any imaginary virus, especially if you refuse to pay for his 'service'.David Harley
If a service leaks your credentials, your options are limited, but changing all your passwords to something harder to guess/break is never a bad idea.David Harley
First the panic, then the accusations of hype. Can we really estimate the impact of DNSchanger yet?David Harley
Some brief answers to questions about the server shutdown that will affect tens/hundreds of thousands of DNSChanger victims on 9th July.David Harley
More cold-call/support scam information.David Harley
Gadi Evron drew my attention in an article for Dark Reading to a piece in IT Pro by Asavin Wattanajantra. The piece quotes Dr. Steve Marsh, of the UK’s Cabinet Office (the Office of Cyber Security, to be precise) as saying that botnet operators are interested in money-generating attacks on the private sector, not causingDavid Harley
Strangely enough, I’m actually encouraged to contribute to other blog pages, perhaps in the hope that I’ll stop cluttering this page with rubbish about iPhones. Today I’ve finally remembered that I’m supposed to contribute regularly to the AVIEN blog page at http://avien.net/blog/. You might find these a little lighter in tone than I tend toDavid Harley
Now that the end-of-year security conference season is winding down, we’re able to start making available some of the presentations and papers that we’ve been building up in the past few months, but haven’t been able to make publicly available ahead of the events for which they were written. We’ve already made available a slideDavid Harley
Will No-One Rid Me Of This Turbulent Hacker Tool? (http://en.wikipedia.org/wiki/Thomas_Becket) I was kind of hoping to have moved on from the iPhone data stealing hacker tool by now. While I do think it’s a significant development (see http://www.eset.com/threat-center/blog/2009/11/12/iphone-hack-tool-a-postscript), there comes a point where the sheer volume of discussion of the subject gives it more importanceDavid Harley
Update: there’s more information on the Windows 7 exploit mentioned below in a Register article at http://reg.cx/1FcX. Update 2: I keep seeing references to this as a virus or worm. However, the code I’ve seen does not contain any self-replicative functionality. It’s not even a Trojan, as such. Following an extract from one of myDavid Harley
In my previous blog on this topic (http://www.eset.com/threat-center/blog/2009/11/11/hacker-tool-exploits-vulnerability-in-jailbroken-iphones), I said that I didn’t know if this hacking tool worked under Windows as well as OSX/Unix and Linux. I’ve subsequently exchanged email with Philippe Devallois at Intego, who tells me (thanks, Philippe!) that in principle, it will work fine with Windows. It’s written in Python (asDavid Harley
I don’t really want to keep banging on about jailbroken iPhones when there are threats out there that affect many more people (though according to Intego, 6-8% of iPhones are, in fact, jailbroken, so I don’t want to minimize the threat either). I’m quoting Intego because they’ve just blogged (http://blog.intego.com/2009/11/11/intego-security-memo-hacker-tool-copies-personal-info-from-iphones/) what I think is aDavid Harley
Inevitably, the source code for the ikee worm I mentioned in a previous blog (http://www.eset.com/threat-center/blog/2009/11/10/iworm-ikee-sex-and-drugs-and-rick-and-roll) has crept back out from under its rock. It’s probably equally inevitable that there’ll be more script-kiddy attempts to produce variants and it will be easier for heavy-duty malware creators to produce new malware using similar techniques, if they’re so-minded. If youDavid Harley
I was asked about malware infection in the UK (especially with reference to Conficker), and(a) if the situation is really as bad as we, the AV vendors make out, and what the real infection rate is; and (b) whether government and ISPs etc could do more to help. You can now find a link hereDavid Harley
The iPhone, it seems, is under siege: a recent worm exploits a known (and previously exploited) vulnerability that affects the owners of “jailbroken” phones on which OpenSSH has been installed. (Jailbreaking allows iPhone users to install and use unapproved applications.) Of course, there’s been an enormous amount of media coverage on this already (I’ve justDavid Harley
As I already mentioned briefly in a blog about our October Threat Trends Report, researchers Christopher and Samir came up with an interesting idea at the First International Workshop on Aggressive Alternative Computing and Security, held under the auspices of ESIEA Laval (École Supérieure d’Informatique, Electronique et Automatique). They took a handful of scanners (including NOD32),David Harley
As usual, ESET has released its monthly Global Threat Trends Report, which will be available in due course at http://www.eset.com/threat-center/index.php. There are no surprises in the top five malicious programs, which have the same rankings as in the September report. Clearly, not enough people are taking our accumulated advice on reducing the risk from Conficker,David Harley
The anti-malware industry isn’t a suitable environment for the thin-skinned. We get used to receiving “more kicks than ha’pence” (see http://www.virusbtn.com/spambulletin/archive/2006/11/vb200611-OK).. In particular, I’ve grown accustomed to the fact that many people expect all the following from an AV product: Absolute Protection Absolute Convenience Absolutely no False Positives Absolutely no charge False positives (FPs) areDavid Harley
We told you to watch out, didn’t we? (see Randy’s blog at http://www.eset.com/threat-center/blog/2009/10/23/this-is-the-funniest-video-ever). But it’s not just Michael Myers, zombies and vampires you need to watch out for. It’s also Funny Halloween Costumes, Harvey Milk, Pumpkin Carving Stencils, candy, Pokemon, and McDonalds Monopoly online. Yes, the fake/rogue AV gang have started on their Halloween special,David Harley
It won’t come as a surprise to regular readers of this blog that there’s a lot of fake/rogue anti-malware about. (see http://www.eset.com/threat-center/blog/category/fake-anti-malware-fake-software). However, a report released at RSA Europe goes some way towards quantifying that threat, and has created something of a stir in the media. That’s to be expected: journalists tend to love facts and figures. Anti-malwareDavid Harley
[Update: I notice that at about the same time that I posted this, Sophos also flagged a blog reporting a somewhat similar fake update for Microsoft Outlook/Outlook Express (KB910721). The message is a lot different and links to a different site pretending to be Microsoft’s update site, but is clearly not to be trusted. So theDavid Harley
I came across an interesting article today on “Breaking the conventional scheme of infection” at the evil fingers blog site. Actually, it’s by my colleague in Argentinia, ESET Latin America Security Analyst, Jorge Mieres, but I didn’t realize that at first. (The original blog is in Spanish, and if your command of that language isDavid Harley
The AMTSO (Anti-Malware Testing Standards Organization) meeting in Prague, which took place at the beginning of this week, proved to be rather more exciting than you might expect from a group with the word “Standards” in its name. One of the issues that caused particularly lively debate centred around the question of what constitutes AMTSODavid Harley
One of the less obvious tasks associated with blogging is that every so often we have to find time to go through the comments that have been posted to our blogs. Inevitably, some are examples of blog spam that have slipped through our filters. Some are comments to blogs we posted long ago, and whileDavid Harley
I was quoted last month in an article at PC Retail (http://www.pcr-online.biz/features/305/The-truth-about-cyber-crime), which is nice. However, I just came across the notes I made at the time of the original enquiry/interview, most of which wasn’t used, so here are my full responses to the questions Andrew Wooden asked, in case they’re of interest. (Actually, they’re slightly expanded and I’veDavid Harley