Industry Intel

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

How cybercriminals create and operate Android-based botnets

Jun 28, 2013 | Industry Intel, Threat Lab

On their way to acquire the latest and coolest Android game or application, end users with outdated situational awareness on the latest threats facing them often not only undermine the confidentiality and integrity of their devices, but also, can unknowingly expose critical business data to the cybercriminals who managed to infect their devices.

How are cybercriminals achieving this in times when Google is automatically scanning all submissions to the Google Play store, and is also verifying the applications to prevent the abuse of potential installations from untrusted third-party stores/application download locations?

Easier than you to think, especially with the recent commercial availability of a DIY Android application decompiler/injector developed to work exclusively with a publicly obtainable Android-based trojan horse.

More details:

Self-propagating ZeuS-based source code/binaries offered for sale

Jun 27, 2013 | Industry Intel, Threat Lab

Like every ecosystem, the cybercrime ecosystem has its own set of market disrupting forces whose applicability and relevance truly shape the big picture at the end of the day. For years, cybercriminals have been porting, localizing (MPack/IcePack, FirePack) and further contributing to the the development of malware/crimeware/Web malware exploitation kits, either through direct cooperation with the original author of a particular release, or on the basis of leaked or commercially available source code.

With more high profile malware source code leaks continuing to take place, more cybercrime-friendly coders now have access to sophisticated antivirus detection bypassing techniques. Access to these techniques will definitely spark the introduction of “new” features within the coders’ own set of underground market releases in an attempt to catch up with the market leading competition.

Two weeks ago, we began monitoring a cybercrime ecosystem advertisement offering access to self-propagating ZeuS-based source code. It sparked several important questions in the overall context of today’s underground market – is coding custom malware for hire still a relevant monetization tactic? Do low/high profile leaks of malware source code actually allow virtually anyone with less sophisticated coding capabilities to re-purpose, brand and start selling their own malware? Or is the underground system still largely dominated by vendors ‘pushing’ their product/service strategies to meet the demand for these kinds of assets?

Let’s find out.

Top 5 Fake Security Rogues of 2013

Jun 27, 2013 | Industry Intel, Threat Lab

By Tyler Moffitt

We see users on the internet getting infected with Rogue Security Malware all the time. In fact, it’s one of the most common and obvious type of infections we see. The Rogues lock-down your computer and prevent you from opening any applications so you’re forced to read their scam. Although they use various tactics and convincing GUIs to get onto your computer, they all share a common goal: To get your money. read more…

Rogue ‘Free Codec Pack’ ads lead to Win32/InstallCore Potentially Unwanted Application (PUA)

Jun 26, 2013 | Industry Intel, Threat Lab

Following last week’s profile of yet another InstallCore Potentially Unwanted Application (PUA) campaign, we detected another rogue ad campaign this week. This time enticing E.U based users into downloading and installing a fake “Free Codec Pack”, with the users sacrificing their privacy in the process due to the additional toolbars that will be installed on their PCs.

More details:

Infographic: Malicious Mobile Apps

Jun 25, 2013 | Industry Intel, Threat Lab

The workplace technology landscape has changed dramatically over the past five years, and the security threats have changes along with it. Here are the growing factors that IT professionals can’t afford to ignore, all in a beautiful infographic. read more…

SIP-based API-supporting fake caller ID/SMS number supporting DIY Russian service spotted in the wild

Jun 25, 2013 | Industry Intel, Threat Lab

One of the most common myths regarding the emerging TDoS (Telephony Denial of Service) market segment, portrays a RBN (Russian Business Network) type of bulletproof infrastructure used to launch these attacks. The infrastructure’s speculated resilience is supposed to be acting as a foundation for the increase of TDoS services and products. Fact or fiction? Keep reading.

In this post, we’ll profile a SIP-based, API-supporting fake caller ID/SMS number supporting DIY service, and discuss its relevance in the overall increase in TDoS underground market propositions.

More details:

Rogue ‘Free Mozilla Firefox Download’ ads lead to ‘InstallCore’ Potentially Unwanted Application (PUA)

Jun 24, 2013 | Industry Intel, Threat Lab

Our sensors continue detecting rogue ads that expose users to bogus propositions in an attempt to install privacy-invading Potentially Unwanted Applications (PUAs) on their PCs. The most recent campaign consists of a successful brand-jacking abuse of Mozilla’s Firefox browser, supposedly offered for free, while in reality, the rogue download manager entices users into installing multiple rogue toolbars, most commonly known as InstallCore.

More details:

Adobe Flash spoof leads to infectious audio ads

Jun 21, 2013 | Threat Lab

By Tyler Moffitt

We’ve seen quite a few audio ads infecting users recently. We think it’s a good idea to go over an in-depth look at how they infect your computer and how to remediation them.

As you can see in this first picture, this is another Adobe Flash spoof that launches its signature update window.

You might not be able to see, but the “f” is a little off on the tiny icon at the top left. Either way it looks quite legitimate. It doesn’t matter what option you check; once you click “NEXT” you’ll get this next window.

So far this seems completely official and harmless. It even takes it’s time progressing the loading bar. However, once you click “Finish” everything closes down and the computer reboots. The command force quits all applications so you won’t have time to save anything or cancel the shutdown. Once the computer reboots there is no final closing message from “Adobe”, but everything seems normal for a few minutes. After about three to five minutes the computer slows down to a crawl and Audio ads start playing in the background. By now users start to worry about foul play with their computer so here’s a look at what’s going on at this point.

The audio streams are not being run by an audio application or an internet browser session, but instead a hijacked “svchost.exe” that’s using 88.25% CPU. If we take a look at its network communication we find that it’s establishing and closing over a hundred different connections at once. This is why the audio ads aren’t coherent and are basically just multiple advertisement streams all at once which makes for quite an annoying sound. You can give it a listen by clicking below.

[soundcloud url=”http://api.soundcloud.com/playlists/6977174″ params=”” width=” 100%” height=”300″ iframe=”true” /]

The motivation is for this virus, other than being very obnoxious, is that the hundreds of IP addresses being resolved from the PC will generate a tick on the visit counter and generate ad revenue.

To remove this sample is actually quite simple. Since this starts as soon as the computer starts if you take a look at the startup entries you should find something similar to this.

Software Modem and Utility Suite are the culprit. If you read the full command they are located in appdata and point to two randomly named DLLs called “qogrpr.dll” and “ntrti.dll” This is extremely suspicious.
All you need to do is delete the files in appdata and then remove the run keys from startup. The full registry key and directory location from are below.

[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
“qogrpr”=””C:\Windows\System32\rundll32.exe” “C:\Users\”youruserfolder”\AppData\Roaming\qogrpr.dll”,GetGlobals”

“ntrti”=””C:\Windows\System32\rundll32.exe” “C:\Users\”youruserfolder”\AppData\Roaming\ntrti.dll”,NewMember”

As always, you can install Webroot SecureAnywhere and we’ll remove it with ease.

That’s it for this variant of the Audio ads. There are also other variants that use rootkits to infect the MBR. Please contact Webroot Support if additional assistance is needed in remediating this infection.

New subscription-based SHA256/Scrypt supporting stealth DIY Bitcoin mining tool spotted in the wild

Jun 21, 2013 | Industry Intel, Threat Lab

A recently released subscription-based SHA256/Scrypt supporting stealth DIY Bitcoin mining tool is poised to empower cybercriminals with advanced Bitcoin mining capabilities to be used on the malware-infected hosts that they have direct access to, or have purchased through a boutique cybercrime-friendly E-shop selling access to hacked PCs.

Let’s take a peek at the DIY Bitcoin mining tool, and discuss some of its core features.

New E-Shop sells access to thousands of malware-infected hosts, accepts Bitcoin

Jun 20, 2013 | Industry Intel, Threat Lab

Thanks to the buzz generated over the widespread adoption of the decentralized P2P based E-currency, Bitcoin, we continue to observe an overall increase in international underground market propositions that accept it as means for fellow cybercriminals to pay for the goods/services that they want to acquire.

In this post, I’ll profile yet another recently launched E-shop selling access to thousands of malware-infected hosts, which compared to the previous E-shops that we’ve profiled, is directly promoting the use of ransomware, click fraud facilitating bots and bitcoin mining tools on the malware-infected hosts purchased through the service.

More details:

Rogue ‘Oops Video Player’ attempts to visually social engineer users, mimicks Adobe Flash Player’s installation process

Jun 19, 2013 | Industry Intel, Threat Lab

Our sensors have just detected yet another rogue advertisement served through the Yieldmanager ad network, this one enticing users into downloading a rogue video player known as the ‘Oops Video Player’. What’s particularly interesting about this rogue ad campaign is that the PUA (Potentially Unwanted Application) attempts to visually trick users by mimicking Adobe Flash Player’s installation process.

More details:

New boutique iFrame crypting service spotted in the wild

Jun 18, 2013 | Industry Intel, Threat Lab

In a series of blog posts shedding more light into the emergence of the boutique cybercrime ‘enterprise’, we’ve been profiling underground market propositions that continue populating the cybercrime ecosystem on a daily basis, but fail to result in any widespread damage or introduce potential ecosystem disrupting features. Despite these observations, the novice cybercriminals behind them continue earning revenue from fellow cybercriminals, continue generating and maintaining their botnets, and, just like small businesses in a legitimate economy model, continue to collectively occupy a significant market share within the cybercrime ecosystem.

In this post, I’ll profile a self-service type of boutique iFrame crypting cybercrime-friendly operation and discuss why its perceived short product/service life cycle is still a profitable cybercrime ecosystem monetization tactic, despite these services’/products’ inability to differentiate their proposition from the market leading competitors whose ‘releases’ remain a major driving force behind the mature state of the underground market in 2013.

More details: