Bitcoin, and other digital currencies such as Litecoin and Peercoin, will change the way we exchange money. But they come with a major flaw: they can also be used to turn infected computers into devices that "print" money.
The beauty of the algorithm behind Bitcoin is that it solves two main challenges for cryptocurrencies, confirming transactions and issuing new money at a fixed, predictable rate, by joining them together. Transactions are confirmed by other members of the peer-to-peer network, who are rewarded for their labour with newly created Bitcoins. The whole process is known as "mining".
When Bitcoin was young, mining was easy: you could earn Bitcoins by mining on a home computer. But as the currency's value grew (from $8 to $1000 during 2013), more people took up mining, and the network responded the way it is designed to: the difficulty of the proof-of-work puzzle is adjusted upwards so that blocks keep arriving at roughly the same rate, which means ever more powerful hardware is needed to earn the same reward. Unfortunately, those computers don't have to be your own. Some of the largest botnets run by online criminals today are monetized by mining. Any infected home computer could be mining Bitcoins for a cybercrime gang.
Using botnets to mine is big business. ZeroAccess, the second-largest botnet in the world, made tens of thousands of dollars a day by using infected machines to mine for cryptocurrencies. This is especially effective when the infected machines have high-end GPUs on their video cards, since a GPU computes the hashes far faster than a CPU.
Mining botnets such as these do not require a human user, just processing power and a network connection. The internet of things will bring millions more connected computers on to the web, embedded in devices such as cars and rubbish bins. And not all of them will need the specification of even a Windows PC to mine money: Litecoin, for example, uses scrypt, a memory-hard hashing algorithm, so it can be mined on a regular CPU rather than only on high-end GPUs.
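To make "mining became (mathematically) harder" concrete, here is an added example (not part of the original column) of the proof-of-work loop a miner runs: hash the block header with a counter until the result falls below a target, where each extra bit of difficulty doubles the expected number of hashes. The header is a constructed stand-in for the real fields, the difficulty is a toy "leading zero bits" target rather than Bitcoin's compact encoding, and the scrypt variant uses Litecoin-style parameters (N=1024, r=1, p=1) while ignoring the real coin's byte-order details.

```python
import hashlib
import struct
import time


def sha256d(data: bytes) -> bytes:
    """Bitcoin's proof-of-work hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def scrypt_1024(data: bytes) -> bytes:
    """Litecoin-style hash: scrypt with N=1024, r=1, p=1 (a 128 KB scratchpad),
    the header serving as both password and salt. The scratchpad is what makes
    it memory-hard and therefore less attractive to run on a GPU. Assumption:
    the real coin's endianness handling is omitted here."""
    return hashlib.scrypt(data, salt=data, n=1024, r=1, p=1, dklen=32)


def target_for_bits(bits: int) -> int:
    """Toy difficulty: the 256-bit hash must be below 2**(256 - bits), i.e. start
    with `bits` zero bits. Expected work is 2**bits hashes per block."""
    return 1 << (256 - bits)


def mine(header: bytes, bits: int, hash_fn=sha256d, max_nonce: int = 1 << 32):
    """Search nonces until hash_fn(header || nonce) < target.
    Returns (nonce, digest, attempts), or None if max_nonce is exhausted."""
    target = target_for_bits(bits)
    for nonce in range(max_nonce):
        digest = hash_fn(header + struct.pack("<I", nonce))
        if int.from_bytes(digest, "big") < target:
            return nonce, digest, nonce + 1
    return None


def verify(header: bytes, nonce: int, bits: int, hash_fn=sha256d) -> bool:
    """Checking a solution costs one hash, however expensive the search was."""
    digest = hash_fn(header + struct.pack("<I", nonce))
    return int.from_bytes(digest, "big") < target_for_bits(bits)


if __name__ == "__main__":
    # Constructed header; a real one holds version, previous block hash,
    # merkle root, timestamp and the encoded target.
    header = b"constructed block header"
    for bits in (8, 12, 16):
        t0 = time.perf_counter()
        nonce, digest, attempts = mine(header, bits)
        elapsed = time.perf_counter() - t0
        print(f"sha256d {bits:2d} bits: nonce={nonce:7d} attempts={attempts:7d} "
              f"({elapsed:.3f}s) {digest.hex()[:16]}...")
    nonce, digest, attempts = mine(header, 4, hash_fn=scrypt_1024)
    print(f"scrypt   4 bits: nonce={nonce} attempts={attempts} {digest.hex()[:16]}...")
```

Run it and the attempt count for sha256d grows roughly sixteen-fold per four bits of difficulty, which is the whole mechanism by which the network prices home PCs out of mining: the reward per block stays fixed while the hashes needed to claim it keep rising. A botnet operator does not care, because the electricity bill is paid by the victims.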
The mythical internet-connected fridge may at last have found an - admittedly criminal - reason to exist.
Mikko Hypponen Originally published in Wired UK 12/2013
1. The price of Bitcoin has been wildly volatile lately. That kind of commodity volatility undermines Bitcoin's ability to act as a currency, because prices are quickly driven out of whack. Even for ransomware such as CryptoLocker.
Here's a screenshot from a November 20th variant:
The price of decryption is now 0.5 BTC.
Just a few weeks ago, the going rate was two Bitcoin.
2. This is the wallpaper CryptoLocker sets:
While the text shown above notes the destruction of "your private key" — it isn't actually destroyed.
The site from which CryptoLocker can be downloaded also offers a "Decryption Service" that can be accessed after the countdown. (But you'll have to pay more.) Because the service isn't tied to a particular computer, a file must be uploaded in order for the service to match it with a key.
Uploading a file includes "Pac-Man" animation while you wait:
Yesterday's CryptoLocker post mentioned that it's spreading via spam. More precisely, the spam campaign installs an intermediary, which then installs CryptoLocker. Either way, the first link in the chain that results in a CryptoLocker infection is spam.
And here's a fresh example of the message being used: "Please kindly find our new PO per attachment. Could you provide your PI for confirmation. Our Order file is password protected and can be opened/accessed with password: TRADING"
The company from which the message claims to be from (blurred in the example above) is of course an innocent bystander whose good name is being abused as part of this scheme.
Note that the attachments are password protected. A gateway scanner cannot open an encrypted archive, so the payload passes through uninspected. If you're an information security manager, don't take it for granted that the people in your organization know not to open attachments.
If you haven't heard much about "CryptoLocker" yet… you will.
Unlike much of the ransomware we've written about in the past, CryptoLocker doesn't attempt to use police-themed trickery or other sleight of hand. It's strictly business. It infects via e-mail attachments (zip files containing executables posing as PDF files) and then sets about encrypting all of your personal data files: photos, music, documents, et cetera.
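Both delivery tricks described on this page, the password-protected archive that a gateway cannot look inside and the zip carrying an executable dressed up as a PDF, come down to the same gateway decision: deliver, quarantine, or reject an attachment based on what can be learned from the archive. The following is an added example of that check (not F-Secure code and not taken from the posts above). It inspects each zip member's encryption flag, its extension chain, and its first bytes; the archives it scans are constructed inline, and because Python's zipfile module cannot write password-protected archives, the demo sets the encryption bit in the central directory by hand to simulate one.

```python
import io
import struct
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
ENCRYPTED_FLAG = 0x0001  # bit 0 of the general-purpose flag word (PKZIP APPNOTE)


def classify_name(name: str) -> list:
    """Reasons a member name is suspicious: executable type, and the
    'Order.pdf.exe' double-extension trick on top of that."""
    reasons = []
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) >= 2 and "." + parts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable file type")
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
            reasons.append("double extension posing as a document")
    return reasons


def scan_zip(data: bytes):
    """Gateway decision for one attachment: ('allow'|'quarantine'|'reject', findings).
    Encrypted members cannot be inspected, so they are never silently allowed."""
    findings, verdict = [], "allow"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "reject", ["not a valid zip archive"]
    for info in zf.infolist():
        if info.flag_bits & ENCRYPTED_FLAG:
            findings.append(f"{info.filename}: encrypted, content cannot be inspected")
            verdict = "quarantine" if verdict == "allow" else verdict
            continue
        reasons = classify_name(info.filename)
        with zf.open(info) as fh:
            if fh.read(2) == b"MZ":  # PE header: an executable whatever the name says
                reasons.append("PE executable content (MZ header)")
        if reasons:
            findings.append(f"{info.filename}: " + "; ".join(reasons))
            verdict = "reject"
    return verdict, findings


def build_zip(members: dict) -> bytes:
    """Constructed sample archive from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(data: bytes, name: str) -> bytes:
    """Simulate a password-protected member by setting the encryption bit in its
    central-directory record (flag word at offset 8, name length at 28, name at 46).
    The payload bytes are left as they are; only the flag a real encryptor would
    set is flipped."""
    sig = b"PK\x01\x02"
    pos = data.find(sig)
    while pos >= 0:
        name_len = struct.unpack_from("<H", data, pos + 28)[0]
        if data[pos + 46:pos + 46 + name_len] == name.encode():
            flags = struct.unpack_from("<H", data, pos + 8)[0] | ENCRYPTED_FLAG
            return data[:pos + 8] + struct.pack("<H", flags) + data[pos + 10:]
        pos = data.find(sig, pos + 4)
    raise ValueError(f"{name!r} not found in central directory")


# Constructed attachments: the CryptoLocker-style lure, a password-protected
# "order", a renamed executable, and a harmless text file.
SAMPLES = {
    "lure.zip": build_zip({"Order_PO4471.pdf.exe": b"MZ" + b"\x90" * 64}),
    "protected.zip": mark_encrypted(build_zip({"Order.pdf": b"%PDF-1.4 constructed"}), "Order.pdf"),
    "renamed.zip": build_zip({"Order.pdf": b"MZ" + b"\x00" * 64}),
    "benign.zip": build_zip({"notes.txt": b"plain text"}),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        verdict, findings = scan_zip(blob)
        print(f"{label:14s} {verdict:10s} {findings}")
```

The quarantine verdict is deliberate: an encrypted archive is sometimes legitimate business traffic, but the one thing a gateway must not do is wave it through on the grounds that nothing malicious was found, because nothing was looked at. A policy of "release after a human confirms the sender and the password" keeps the spam campaign above from reaching the inbox without blocking every encrypted zip.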
And then… you have three days to pay the ransom. Or else.
It's largely a problem in English-speaking countries because that's the language used in the e-mail bait. For now. It's certainly only a matter of time before somebody decides to expand into other languages.
And here's the kicker. One of the ways in which you can pay? Bitcoin.
That's right, CryptoLocker accepts everybody's favorite cryptocurrency as payment. And that's why this could be a tipping point. One of the biggest factors keeping ransomware at bay is the difficulty it takes to get paid. Thanks to Bitcoin and other similar digital currencies… that barrier is eroding fast.
Ransomware economics: the more frictionless Bitcoin becomes — the more prevalent CryptoLocker will become.
What do Inteqno, Altran Strategies, Deticaconsulting and Nezux have in common?
Well, first of all, they are all one and the same. Or actually, none of them are real companies at all. They are phony online shells run by online criminals. They serve only one purpose: to make it appear that these companies are legitimate, that they really exist and that they have a history. That credibility is needed so they can try to hire people.
So what kind of people are phony companies hiring? Specifically, they are hiring money mules. Of course, these companies don't label positions as "money mules"; they call the job "Customer Assistant" or "Operations Assistant"…
Sites involved with money mule scams used to be very easy to spot at first glance: no Google history, WHOIS data hidden behind a privacy-protection service, site content lifted directly from a real company, a robots.txt preventing search engines from indexing the site. None of those are true for these sites. Nevertheless, avoid them like the plague.
F-Secure App Permissions, our Android permissions dashboard, launched on November 1st. And in just under one week, there are thousands of installs and extremely positive feedback. Thank you! The developers are very pleased and have been busy implementing some additional features based on the input. Today they released version 1.2.5.
Here's what's new:
Some screen shots of the app:
Best of all — App Permissions requires ZERO permissions.
The Word document in the video has been used in real attacks and is one of the exploits analyzed by McAfee and AlienVault. The attack has been recreated on an isolated test network with a vulnerable system running Office 2007 on 64-bit Windows 7. As the video demonstrates, the exploit interception feature in DeepGuard 5 (our behavioral engine) prevents the system from getting infected.
Moreover, DeepGuard would have proactively protected our customers from this zero-day exploit already prior to the Microsoft advisory and without us ever having seen the first samples.
Furthermore, we did not need to add or modify any DeepGuard detections — it blocked the current zero-day with the same set of detection rules as the previous Microsoft zero-day about a month ago.
That is the power of proactive, behavior-based exploit protection.
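The point of behavior-based exploit protection is that the rule watches what a document reader does, not which bug was used to get there, which is why the same rule set covers two different zero-days. As an added illustration (not DeepGuard's actual logic, and not code from the post), here is a small process-creation monitor written in that spirit: a process started by Word, Excel or Acrobat is marked as tainted, taint is inherited by its children, and any tainted process that launches a script host or runs a binary out of a user-writable directory raises an alert. The events are constructed; the reader names and paths are plausible defaults, not values taken from the attack in the video.

```python
from dataclasses import dataclass

# Assumption: these are the readers a booby-trapped attachment is opened with.
DOCUMENT_READERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
# Script hosts and launchers a document has no business starting.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Directories a dropped payload usually lands in (lower-cased substrings).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\")


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    parent_image: str
    image: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan(events) -> list:
    """Replay process-creation events in order; return alert strings.
    Taint starts at any child of a document reader and flows down the tree,
    so a payload launched via an intermediate cmd.exe is still caught."""
    alerts, tainted = [], set()
    for e in events:
        parent, child = basename(e.parent_image), basename(e.image)
        if parent not in DOCUMENT_READERS and e.ppid not in tainted:
            continue  # unrelated lineage, nothing to judge
        tainted.add(e.pid)
        if child in SCRIPT_HOSTS:
            alerts.append(f"pid {e.pid}: {parent} spawned script host {child}")
        elif any(d in e.image.lower() for d in USER_WRITABLE):
            alerts.append(f"pid {e.pid}: {parent} ran binary from user-writable path {e.image}")
    return alerts


WORD = r"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE"
DROPPED = r"C:\Users\victim\AppData\Local\Temp\svchost.exe"

# Constructed event stream: Word is opened, prints (benign helper), then the
# exploit drops and runs a payload directly and again via cmd.exe.
SAMPLE_EVENTS = [
    ProcessEvent(50, 10, r"C:\Windows\explorer.exe", WORD),
    ProcessEvent(101, 50, WORD, r"C:\Windows\splwow64.exe"),
    ProcessEvent(102, 50, WORD, DROPPED),
    ProcessEvent(103, 50, WORD, r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(104, 103, r"C:\Windows\System32\cmd.exe", DROPPED),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Notice that nothing in the rules mentions TIFF, Flash, or any CVE; whichever bug the document used to hijack the reader, the moment the hijacked process tries to execute something it gets stopped. That is also the rule's weakness: a payload that stays inside the reader's own process and only exfiltrates over the network never trips it, so behavioral rules want a companion looking at network and file activity from the same tainted lineage.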
We received a letter sent by Bits of Freedom and signed by 25 different parties, who were interested in our policy on the use of our software for the purpose of state surveillance. The same letter was sent to 15 other antivirus companies.
They had four questions in particular:
1. Have you ever detected the use of software by any government (or state actor) for the purpose of surveillance?
2. Have you ever been approached with a request by a government, requesting that the presence of specific software is not detected, or if detected, not notified to the user of your software? And if so, could you provide information on the legal basis of this request, the specific kind of software you were supposed to allow and the period of time which you were supposed to allow this use?
3. Have you ever granted such a request? If so, could you provide the same information as in the point mentioned above and the considerations which led to the decision to comply with the request from the government?
4. Could you clarify how you would respond to such a request in the future?
Some folks (mostly women from what we've seen) even tweak their names just a bit, so they'll be unsearchable.
Whatever your privacy tactics, if you have a Facebook account, now is a good time to review the settings at facebook.com/settings/?tab=privacy. We recommend turning off: Do you want other search engines to link to your timeline?
Updated to add: By the way, do you know somebody who needs some privacy settings advice?
Do you work for a company possessing information which could be of financial value to people outside the organization? Or, perhaps even a foreign state would find it useful to gain access to the documents you're storing on that shared network drive? Yes? Then congratulations, you may already be the target of a persistent and motivated attacker (who sometimes, but rarely, is also advanced).
According to this CERT-FI presentation, even Finland has seen nearly a decade of these attacks. Nowadays, they're everywhere.
A good targeted attack case example is the one made against RSA in 2011, which our own Timo Hirvonen analyzed. This post tells the whole story of Timo looking for the original source of the infection in RSA's network, which he eventually found:
RSA was breached with a document sent as an e-mail attachment to an employee. The document contained an embedded exploit that infected the employee's computer, which gave the attacker the foothold needed to infiltrate. From that computer, they moved on to compromising the rest of the network.
Timo found the document among the files we receive via VirusTotal, an online service where you can submit files to be scanned with several antivirus engines. The user gets to see the scanning results, and thus the likelihood of maliciousness, and the file is passed on to antivirus companies for further analysis. VirusTotal sees hundreds of thousands of files submitted every day.
We spend a lot of effort analyzing the files submitted through VirusTotal, as we want to make sure we detect anything malicious. In addition to the day-to-day malware, we also analyze the exploit documents that wary users submit for scanning.
All these documents contained exploit code that would have automatically installed malware onto a user's computer had they opened them with a vulnerable document reader. They give us a small glimpse into the targets as well: who are the people that would expect to receive attachments like this?
The word cloud on the left is from documents we categorized as being political in theme. The one on the right is from documents we felt were corporate-themed. The clouds give you a hint of what kind of sectors are interesting to attackers.
The same tricks won't work forever, though. If you send enough e-mails with exploit attachments your targets will learn and adapt. And so we've seen new tricks in the form of "watering hole" attacks. Here's how they work: the attacker finds a website that he thinks his targets would be likely to visit. If you want to target software companies such as Twitter, Facebook or Apple, perhaps you choose a mobile development website. If you are going after government agencies, you might drop a zero-day exploit for IE8 on the US Department of Labor website. Then you simply wait for your targets to visit the site and get infected.
And then there's the good old trick with USB drives.
We don't have any information to confirm the news that the USB drives given to G20 leaders actually contained malware. If it's true, at least you can't blame the attackers for lack of optimism.
So, defending is simple: don't open e-mail attachments from your colleagues, don't browse the Internet and leave those USB drives alone. In reality, you of course have to remember many other things too. Defending against a motivated attacker is very, very difficult. You have to get everything right, every single day, while the attacker just has to find one mistake you made. The bad guys have it too easy and that's why so many of the organizations out there are under attack.
P.S. For some tips to protect against attacks like this, see the presentation Jarno Niemelä gave at Virus Bulletin this fall.
All Hallows' Eve was yesterday — a.k.a. Halloween. And so naturally, there's an app for that. Or many apps as the case may be.
Here's a series of apps designed to "scare your friends".
This one has more than 10 million downloads.
Even these copycats have several hundred thousand downloads.
Android doesn't really help differentiate between them.
But if we use our permissions dashboard (App Permissions in Google Play) then we can see some big differences.
The most popular app only wants three permissions while the copycats want 21! And worse yet, those permissions include the ability to see your personal information. That's what the copycat apps are after — your personal details.
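The dashboard's comparison can be reproduced from the apps' own manifests: every permission an Android app can use must be declared as a `<uses-permission>` element in its AndroidManifest.xml. The following is an added example (not F-Secure's App Permissions code) that parses two such manifests, reports the permissions the copycat asks for beyond the original, and names the personal data those extra permissions expose. Both manifests are constructed for the demo and do not reproduce the real apps' declarations; the mapping of permissions to data types is a subset chosen by hand.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumption: a hand-picked subset of permissions that expose personal data.
PERSONAL_DATA = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "phone number and device IDs",
    "android.permission.GET_ACCOUNTS": "account names on the device",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CALL_LOG": "call history",
}


def declared_permissions(manifest_xml: str) -> set:
    """Every android:name on a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def compare(reference_xml: str, candidate_xml: str) -> dict:
    """What does the candidate ask for that the reference app does not?"""
    ref, cand = declared_permissions(reference_xml), declared_permissions(candidate_xml)
    extra = cand - ref
    return {
        "reference_count": len(ref),
        "candidate_count": len(cand),
        "extra": sorted(extra),
        "personal_data": sorted(PERSONAL_DATA[p] for p in extra if p in PERSONAL_DATA),
    }


def manifest(package: str, perms) -> str:
    """Minimal AndroidManifest.xml, constructed for the demo."""
    body = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">'
            f"{body}<application/></manifest>")


# A scare-your-friends app needs little more than the network and the buzzer.
ORIGINAL_MANIFEST = manifest("com.example.scare", [
    "android.permission.INTERNET",
    "android.permission.VIBRATE",
    "android.permission.WAKE_LOCK",
])
# The copycat does the same thing on screen but reaches far wider.
COPYCAT_MANIFEST = manifest("com.example.scare.free", [
    "android.permission.INTERNET",
    "android.permission.VIBRATE",
    "android.permission.WAKE_LOCK",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.GET_ACCOUNTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
])

if __name__ == "__main__":
    report = compare(ORIGINAL_MANIFEST, COPYCAT_MANIFEST)
    print(f"original: {report['reference_count']} permissions, copycat: {report['candidate_count']}")
    for p in report["extra"]:
        print("  extra:", p)
    print("personal data exposed:", ", ".join(report["personal_data"]))
```

Two things the numbers alone do not tell you: a permission such as RECEIVE_BOOT_COMPLETED is harmless on its own but lets the app run without being opened, and the permission set is the ceiling of what the app may do, not evidence of what it does. The count is a triage signal; the personal-data column is the part worth reading before tapping Install.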
Given that the "legit" version of the app is "borrowing" images from Hollywood films… there's nobody with an incentive to police the copycats. And Google, an advertising company, doesn't appear to have much incentive to police them either.
And so several hundred thousand people shared their personal details.