Industry Intel

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Old Chinese Hack Tool Used for New Tricks

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

20090513-zxarps_windowThis week’s installment of what’s-old-is-new-again in the world of malware comes from one of the many groups making and distributing phishing Trojans in China. Earlier this year, someone discovered a hacktool called ZXArps, and began distributing it in earnest as a payload from another malicious downloader.

Unlike most malware we see these days, ZXArps (which dates back to 2006, and was discovered by the English-speaking security community the following year) isn’t designed to perform a single task. It’s more like a Swiss Army knife, giving its users a great deal of control over not only the computer on which it’s running, but the immediate network environment in which that computer sits.

In essence, the tool is designed to inject specially-crafted data packets into the network, and some of those packets can manipulate the behavior of the infected computer as well as others on its network. In most networks, a router or gateway acts as a sort of traffic cop, directing information between computers on that network and other networks, and to/from the Internet. The power of ZXArps comes from its ability to impersonate that traffic cop, fooling the network into directing traffic wherever the malware-maker wishes.

And in this case, infected PCs are directed to Web sites hosted in China which, when visited, infect the computer with even more malware. It’s a nasty trick, and it works beautifully. Read on for its damage potential. read more…

Malware targets mobile IMers

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

20090507_sms_comeon1Once in a while, you don’t have to do anything at all and malware just drops into your lap. That happened to me the other day, when I received a buddy request from a total stranger in my decade-old ICQ instant messenger account. It’s never failed to be a rich source for malicious links, SPIM, and other fun stuff (that is, from a malware research perspective).

ICQ is a multi-lingual community, and this request was written in the Cyrillic alphabet. My client didn’t render it properly, so I couldn’t read the text of the come-on. But I could read the plain-ASCII URL that was linked at the bottom. So, curious, I took a look. The page looks pretty basic, with text (badly translated to English) which reads “There is my candid photos))do you will hear me on him?” and a link to download a file.


I’m a sucker for grammatically tortured social engineering, so I couldn’t resist. Yes, I thought to myself, I do will hear you on him.

read more…

April 2009 wrapup: Thumbdrives under threat

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

We’ve just tallied the top 10 threats Webroot’s consumer products detected during the month of April, and some interesting trends appear to be shaping up.

Conficker aside, the first quarter of 2009 seemed to be dominated by worms that spread not only over a network, but to virtually anything you can plug into a USB port to store files. Thumbdrives and portable hard drives immediately come to mind, but so do  MP3 players, digital picture frames and memory cards — like the kind you’d use in cameras, cellphones, or videogame players.

April proved to be no different. It’s very much a case of what’s old is new again, reminiscent of the era when sharing an infected floppy disk could wreak havoc.

We’re also seeing malware distributors still trying to use old vulnerabilities to try to infect computers. Even JPEG image files containing the MS04-028 vulnerability code — a bug that was fixed in Windows four and a half years ago, are still floating around the net trying to take advantage of older, unpatched system, as are scripts attempting to exploit the ADODB.Stream vulnerability. If you ever needed a reason to run Windows Update, this is it.

Click onward to read the entire list. read more…

Botnet malware targets MyYearbook

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

The team here at Webroot has picked up on a Trojan that appears to target a relatively new social networking site:

The site caters to the high-school-age crowd with activities that include various kinds of person-to-person challenges, streaming TV, and a kind of virtual matchmaker service for the tween-and-above set. We’re calling the malware that targets the site Trojan-Myblot.

We received our copy via a malicious BitTorrent download, which purportedly distributed a Windows utility. Instead, we received a file that downloaded several payloads, eventually landing our infected system firmly in the clutches of Myblot.

So what does it do? The trojan, unusual in that it requires the .Net Framework to run and was written in Microsoft’s Visual C#, runs silently in the background. While it’s running, it sends back information about the locally installed bot’s identity, whether the user of the infected system uses Gmail, and whether the infected system has received an updated bot client. It does these update checks about every 15 to 45 seconds.

Myblot reconnaisance data

Myblot reconnaisance data

Myblot phones home several times a minute

Myblot phones home several times a minute

One of MyYearbook’s activities is just called “Battles” — it’s basically a way for people to post photos of themselves, or others, and earn some sort of online cred for being voted “Scariest rollercoaster face” or “Most emo.” As if. The malware spawns popup ads that look like a Battles “IQ challenge” invitation from a teenage girl who needs to put some more clothes on. When clicked, the browser redirects the user through an ad Web site called

The fake MyYearbook Battles window

The fake MyYearbook Battles window

There is some good news for victims. First, the infection is easily removed, whether you sweep with Webroot Spy Sweeper or delete the file manually. The malware is also pretty badly coded, so unless all the required pieces are in exactly the right location, the Trojan fails to execute, or just throws a .Net error message and quits. Clearing your Temp folder is another way to get rid of it.

Unfortunately, there’s also bad news for users of infected machines: The server that hosts the fake Battles ad also has a tendency to redirect the browser elsewhere. In particular, the browser on my test system was pushed through two separate Web sites that used browser exploits and obfuscated Javascript code to eventually infect the system with another obnoxious piece of malware, Trojan-Relayer-Jolleee.

Jolleee quietly sends spam from infected machines to unsuspecting users, getting lists of victims and the message text from servers it contacts. So while it looks like we can easily stamp out Myblot, it doesn’t want to go out quietly, without putting up a fight.

Do you Think Security First?


Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

In an era when virtually all businesses use the Internet, in one form or another, to get work done, it’s worth asking the question posed in the title of this blog entry. Think Security First is an organization dedicated to helping spread security gospel to businesses — via chambers of commerce. Their goal: to create a Neighborhood Watch for the Internet, organized around these local business groups.

On Monday, I and several other speakers had the opportunity to address representatives of chambers of commerce at a panel discussion organized by Neil O’Farrell, the group’s founder and chief evangelist. Webroot is a sponsor of the group, along with several other security software companies, credit reporting agency Experian, Microsoft, and various law enforcement agencies. Among the other speakers were former white house cybersecurity czar Andrew Purdy; Dyann Bradbury, the director of the FBI’s Infragard program; and Michael Levin, a cybercrime expert who worked for the Secret Service and helped run Homeland Security’s National Cyber Security Division.

Though all the speakers brought their perspectives to the panel, the bottom line from all the panelists ended up in virtually the same place: Businesses, and the people who run them, have to make fundamental changes about to how they address security concerns, putting thought from the ground up into the security of their own systems and data, and privacy of customer information.

As someone who’s beat that drum for more than a decade, it was both refreshing to hear a chorus of agreement, and frustrating that — eight years after the organization was founded — security evangelists say they feel stuck in a kind of Groundhog Day-esque repetition of the same advice, over and over, while at the same time are constantly reminded that businesses fail to adhere to good security practices every time news breaks about worm infections taking down networks, or a laptop full of customer data vanishes from a bag or is left in an airport/train seat/unlocked car.

Phishing Trojan Targets Russian Finance Websites

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

20090410_russian_banksFor a long time, we’ve heard about phishing attacks originating in Russia or eastern Europe that target western banks. There’s nothing surprising there. Latter-day Willie Suttons typically target big US or European banks because, well, that’s where the money is.

That’s why I was kind of surprised to stumble across a phishing Trojan that targets some of Russia’s largest online financial Web sites, including RBK Money (formerly known as RUPay), Yandex, Moneymail, and OSMP — one of Russia’s Paypal-alternatives. Aside from e-gold, I hadn’t seen this many Russia-specific websites listed as targets within a phishing trojan before.

Is Russia suddenly “where the money is?” According to Forbes, it is. The magazine reported last year that its most recent list of the world’s richest people included 87 Russian billionaires — a year-over-year increase of 64% — and 136,000 millionaires. So, maybe it makes sense for the people who build these malicious tools to target Russian banks and online payment sites. read more…

Inane Shenanigans with Worm-Shiv

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

It’s been a long time since I’ve worked on a malware file as singularly obnoxious as Worm-Shiv, a new worm we defined a few weeks ago. There isn’t anything especially technically avant-garde or advanced about the worm, nor was it especially difficult to detect or remove. It just exhibits behavior that, to be blunt, is about as annoying as it possibly can be.

The infection process starts with a small self-extracting RAR archive executable. When run, it drops and executes another .exe file, which in turn drops and executes yet another .exe file. Sounds pretty unobtrusive so far, right?

Well, even though the worm might have snuck by unnoticed, it would be hard to characterize its operational behavior as “staying below the radar.” The worm puts a copy of a file named wsock32.dll into every single folder on the hard drive. Every. Single. One. On my test system there were more than 200 copies left behind.

Then the fun begins.

read more…

Someone Confick-rolled the Internet

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Well, the big Conficker.c launch day is upon us and…nothing. So far, anyway. Someone should start selling “I blogged about Conficker and all I got was this lousy T-shirt” shirts. Cafepress, are you listening?

We’ve been keeping to the back of the room about Conficker, not joining the rising hysteria chorus. It’s not that we don’t care, but I’ll tell you why we’re not making a lot of noise: Webroot’s malware removal solution effectively deals with Conficker on PCs. That’s it. As long as you’ve got the File System Shield and the Execution Shield enabled in your application (click the Shields button on the left side of the Webroot Antivirus/Internet Security Essentials window, and look for a little picture of a shield next to those labels in the Windows System Shields category), and definitions updated as long as two months ago, we’ve got your PC’s back.

The only people who need to be concerned about this worm are people with no legitimate malware protection — and no, a copy of the rogue application Antivirus 2008/2009/2010 doesn’t count — and who haven’t checked in with Windows Update since last fall. And even those people only need to worry about the worm’s code attaching itself to their PC. As far as we know, that’s the only thing it’s good at. Oh yes, and pranking the computer security community and the world’s press.

So, since we’re mentioning it, now would be a good time to head over to Microsoft and check to make sure you have those updates you so sorely are missing. And if you have a copy of our product, click the Options button, then the Update tab, and make sure you have both the latest definitions files and the latest version of the application. If you need either, or both, it’ll only take a few seconds on a broadband connection to pull them down.

Then you can get back to life, and stop worrying about whether Conficker is going to destroy the world, kick your cat, and push a baby stroller into the street — or fizzle like a wet firecracker.

From Pixels to Phishers

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

File variations (crop)Over the past year, we’ve seen a huge jump in the number of mass downloader spyware. These small executable files have just one job, and they do it very well: They pull down huge numbers of additional installers, which in turn place a large number of password stealing Trojans, ad-clickers, and still more downloaders on the unfortunate victim’s PC.

The trend appears to be that most of the servers from which these phishing Trojans originate are registered within China’s .cn top-level domain, and the phishers themselves target (mostly) the login details for online multiplayer videogames played, primarily, in China, and in some cases, more widely in Asia.

Putting aside the rationale for what the phishers target (the goal may be purely financial, but that’s a discussion for another time), what’s really interesting is how the techniques to massively infect a victim’s PC have evolved, possibly to avoid network-based signature detection techniques that can identify Windows executable files while they’re traveling over the wire. It also seems that the various groups appear to compete with one another, even going so far as to block the domains used by competing groups’ downloaders once they’ve infected the machine.

So not long ago, another interesting mass downloader development seemed to drop into my work queue. These downloaders pull down bitmap images — not just executables with a different file extension, but real graphics files — then convert the color data into binary code, which transforms the data in the picture file into a small executable phisher installer.
read more…

Adware Purveyors Panning for Search Gold

SnappyAdz money noose

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

We know most adware companies are shameless in their pursuit of revenue, but it’s been a while since we’ve seen anything as bizarre (or hilariously bold) as the sales pitch from a relative neophyte to the world of adware, which calls itself SnappyAds. On its homepage, SnappyAds posits the hypothetical glee of two business-suited online ad men counting the thousands of dollars they’ve allegedly earned from their allegedly lucrative venture.

Behind the SnappyAds facade, however, is an adware client we (and a few other AV companies) call SearchPan. The installer for the adware client application is hosted on SnappyAds’ webserver, and it modifies both the IE and Firefox browsers to add code which redirects searches through a number of search engines of dubious distinction.

There really isn’t a whole lot to discuss technically about SnappyAds. It really only came to our attention because the Threat Research group as a whole just couldn’t stop laughing when we all saw the pictures of the guy leaning back in his cushy leather chair counting out his Benjamins. They do arrive, as SnappyAds claims, by the ton. So make sure you invest in a forklift before you sign up as a SnappyAds affiliate. You’ll need one to move your palette-loads of cash.

read more…

New Malware Ruins Firefox

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Late last year, we read all the buzz about ChromeInject, a malicious DLL that was being billed as the first malware specifically targeting Firefox. It was interesting to see Installashunthat someone built a phishing Trojan for a different browser platform, but ChromeInject was also clearly an early phase in Firefox malware development: It was fairly obvious, and it was easy to eliminate, because it generated an entry in the Plugins menu called “Basic Example Plugin for Mozilla” which you could simply disable with a single mouse click.

Well now it looks like the bar’s been raised. In the past few weeks, we’ve seen malware writers up the ante in their bets against Firefox. Two new spies came across the transom in the past week, and easily managed to load themselves into a freshly installed copy of Firefox 3.0.7. I should note that this isn’t due to any problem or negligence on Mozilla’s part; once you execute malicious code on your PC, any application is vulnerable. Firefox just happens to be a big target.

read more…

As Web 2.0 explodes, does IT security implode?

By Jesse McCabe

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Social media sparked a revolution in how we communicate. From best friends to business owners, more of us every day are using a social networking site to connect with people. Facebook welcomes 700,000 new members daily, and an estimated 4-5 million people are now reading tweets on Twitter.

istock_000000590930_med_lockedkeyboard01And cybercriminals are having a field day exploiting the vulnerabilities social networks have exposed in our Internet security practices.

By and large, Internet security at the network level has recently consisted of on-premise URL filtering mechanisms used by organizations to enforce company Internet use policies and improve employee productivity.  These solutions also offered protection by blocking access to sites classified as containing malware. For a while, this approached appeared to work.

read more…