Threat Lab

Shoring Up Your Network and Security Policies: Least Privilege Models

Why do so many businesses allow unfettered access to their networks? You’d be shocked by how often it happens. The truth is: your employees don’t need unrestricted access to all parts of our business. This is why the Principle of Least Privilege (POLP) is one of the...

Online Gaming Risks and Kids: What to Know and How to Protect Them

Online games aren’t new. Consumers have been playing them since as early as 1960. However, the market is evolving—games that used to require the computing power of dedicated desktops can now be powered by smartphones, and online gaming participation has skyrocketed....

Thoughtful Design in the Age of Cybersecurity AI

AI and machine learning offer tremendous promise for humanity in terms of helping us make sense of Big Data. But, while the processing power of these tools is integral for understanding trends and predicting threats, it’s not sufficient on its own. Thoughtful design...

A Cybersecurity Guide for Digital Nomads

Technology has unlocked a new type of worker, unlike any we have seen before—the digital nomad. Digital nomads are people who use technologies like WiFi, smart devices, and cloud-based applications to work from wherever they please. For some digital nomads, this means...

Some notes on VirusTotal

Reading Time: ~ 2 min.

Many of you are probably familiar with VirusTotal, a service that allows you to scan a file or URL using multiple antivirus and URL scanners. VirusTotal results are often used in write-ups about new malware to show how widely a sample is detected by the AV community. We receive links to VirusTotal results via our support system and on the Webroot Community. Computer support forums will also suggest a user submit a file to VirusTotal in order to determine whether or not a file is malicious. VirusTotal can be a very useful service – if you know how the service works and how to interpret the results. A good place to start is the About page, paying special attention to the Important notes and remarks section of the page.

I’ve written before about how inconsistent the results for a file can be, and this makes a bit more sense when you understand more about how VirusTotal works. To put it simply, because of the way that VirusTotal works, files that show no detections in VirusTotal may actually be detected by the scanners used in real-world situations, and the opposite is also true. (Knowing how it works can also help understand why a next-generation cloud-based solution like Webroot SecureAnywhere is not one of the scanners used in VirusTotal.) I’ve seen many instances where a write-up on new malware shows few detections in VirusTotal, but a quick check of our database shows that we had seen and were detecting the sample prior to the date it was submitted. There have also been countless times where our own Webroot SecureAnywhere process showed as being detected by multiple scanners in VirusTotal.

As VirusTotal clearly states, “the service was not designed as a tool to perform antivirus comparative analyses” yet we see it used to gauge how widely detected a new malware sample is all the time. When looking at VirusTotal results, I tend to make two assumptions. The first is that I always assume that all of the scanners are set to their highest heuristic settings – what I like to refer to as “tin-foil hat heuristics” – which will cause a much higher number of False Positives.

The second assumption is that the scanners will be using their full Enterprise signature set which will detect various legitimate programs that administrators might not want on their networks such as administrative tools or remote access tools. Over time, you can become familiar with some of the more common detections and naming conventions used by the various scanners that can help make a more informed interpretation of the results.

As with any tool, knowing the intended use and limitations helps use it more effectively.

Threat Intelligence: An Overview

Reading Time: ~ 4 min.

Bring Threat Intelligence to the world of IoT

Threat Intelligence has become common throughout the cyber security landscape used in traditional information technology platforms from next generation firewalls, application load balancers, SIEM and other threat monitoring and prevention tools. With the pervasive growth of IoT initiatives and concerns around how to protect operational infrastructures from malicious actors an understanding of how existing threat intelligence can play a role in protecting an organization’s technology infrastructure is needed. Additionally, the existing methods for collecting and analyzing threat data do not directly translate to meet all of the potential security issues found in the IoT space. Therefore, a deep dive into what existing security technology can and cannot do for an organization’s operational infrastructure will help determine what can be done today and what technologies need to be developed to better secure entire ecosystems.

This five-part blog will walk through each aspect of threat intelligence from a general overview to help provide a basic understanding to the future of threat intelligence as it relates to IoT. Part 1 will give a high-level overview of what threat intelligence is, how it is gathered, analyzed and consumed. Parts 2 and 3 will focus on IP and URL data, how it can be applied to IoT and an example of implementing this data in an IoT Gateway. The last two articles will discuss what the future holds in store for protecting devices and creating purpose-built protection for the IoT.

Threat Intelligence: An Overview

Traditional Threat Intelligence consists of the collection and analysis of four main data types: IP Addresses, URLs, Files and Mobile Applications. The focus of this data collection and analysis revolves around protecting workstations and servers from becoming infected with malicious software, preventing command and control servers from activating dormant code living in an organization’s network and helping to identify and prevent the exfiltration of data. This was initially done through the use of human analysts who spent time manually identifying and evaluating threats but has now evolved to a more automated process through the use of machine learning and big data analytics.

As stated above, threats in the cyber security space can be broken down into four main components. Of course, there are other vectors a malicious actor can use to attack an organization but the elements below comprise the bulk of threats a typical organization will regularly face:

  • IP Addresses: IPv4 and IPv6 addresses that are typically analyzed for threats inbound to an organization. Typical attacks include spam sources, command and control servers, and botnet servers.
  • URL: Not often thought of as a threat category as many organizations consider URLs as policy control but they are heavily used as dynamic embedded delivery endpoints for phishing and malware. It should also be noted that URLs can contain IP addresses.
  • Files: Traditional malicious files, think viruses, used to encrypt user data, listen to user activity, destroy systems and/or exfiltrate data.
  • Mobile Applications: These have been identified separately from traditional files as they require special analysis due to their specific platforms and the functionality they provide in terms of network connectivity and application performance.

There are three main steps to any threat intelligence system:

  • Data Collection and Aggregation: There are three main ways to gather data in the wild for analysis.
  • Active: This includes web crawlers and IP port scanning techniques. Since it can be controlled this method provides a robust amount of data but does not typically result in identifying the high-value zero-day threats.
  • Passive: By deploying victim machines, web app honeypots, endpoint agents and other exploitable devices on the Internet it is possible to attracted attackers and record malicious activity as it occurs. This technique results in a better set of threat data but requires patients while waiting for a malicious actor to attempt to take advantage of weakened system.
  • 3Rd Party Data: There are several international, governmental and independent bodies that collect threat data for use by security teams. This data, though valuable, must be vetted for accuracy and often times because outdated quickly as threat actors subscribe to the same data sets and change or avoid the items published in these lists.
  • Classification: Once data has been gathered and aggregated it can be fed into purpose-built machine learning engines for analysis. This involves the creation and training of engines for each of the data types identified above. Analysts move from doing deep dive identification of threats to maintaining and tuning the engines for better accuracy. This is done by continually feeding the engines more highly refined data for the engine type.
  • Analysis and Consumption: Once the data has been collected and classified it is a simple Big Data issue of provided tools such as APIs or SDK to access each of the individual data types.

A relatively new component to the threat intelligence space is the generation of contextualized data made possible through advancements in big data analytics. Contextualization involves walking through disparate data sources looking for linkages between the data in an effort to help prevent future threats before they occur or allow an analyst to better understand the effect of an identified threat may have on an organization.

Typical applications of threat intelligence range from policy management in next generation firewalls to network traffic analysis in security operation centers. Depending on the type of threat data an organization uses and their ability to apply that data to their infrastructure will directly correlate with how well they can detect, identify and resolve threats.

Next week Part Two of this series will explore what traditional URL and IP data can and cannot do for the IoT.

Webroot’s Acceleration with Advancement of IoT

Reading Time: ~ 3 min.As a concept, the IoT (Internet of Things) has been with us since the late 1990’s, and has evolved from simple M2M (Machine-to-Machine) connectivity into a vision for Operational Productivity enabled by Interoperability.  Innovation and investment in new IoT technology and business models are driven by the pursuit of key operational benefits such as:

  • Provisioning Assets as Services
  • Efficiency through Automation
  • Resource Utilization
  • Environmental Impact
  • Safer and more productive Critical infrastructure

Next-generation IoT devices and platforms are now being deployed in critical infrastructures such as Integrated Transportation (auto, railway, airports,…), oil & gas operations, industrial & manufacturing facilities, energy distribution, and ‘SmartCity’ systems.  Operations are becoming dependent on these efficient and high-availability IP-aware systems.

New systems are being deployed and older non-IP based systems are being modernized with IP-aware functions at a rapid rate. Supporting this movement has driven device manufacturers to deploy new classes of devices and systems that can take advantage of direct and indirect internet connectivity in order to leverage public and private IoT Cloud Services Platforms.  Theses next-generation smart systems can perform many advanced functions such as data aggregation and storage, advanced analytics, prediction, prognostication, and even limited decision-making.   What was considered advanced data processing and decision- making in a data center just two years ago is now being deployed regularly in stand-alone IP-connected devices at the internet edge.   This along with rapid developments in semiconductor and control technology is paving the way for a new wave of robotics and autonomous systems where cloud processes like machine learning are being brought down to the edge (FOG computing).

In order to deliver the vision of IoT business models, the lines between traditional enterprise IT systems (IT) and the high-availability autonomous operational infrastructures are undergoing radical evolution with new standards and vendors.  As with many new waves of technology advancement, there are those who seek to leverage weaknesses for criminal exploit, state-sponsored espionage, or simply mischief on a grand scale.  These new systems are very enticing to those who specialize in advanced exploits.  Increasingly, malicious actors who have targeted personal computing with malware, viruses and phishing exploits, are now targeting critical infrastructure elements for profit and other motives.  Modern cyber attacks on critical infrastructure take advantage of compromised IP addresses (servers, websites, etc.) to carry out DDoS, botnet and other forms of remote command and control exploits.

Webroot deployed the cyber-security industry’s first, most advanced, and most effective real-time cloud-based Threat Intelligence.  We have been providing this service exclusively to leading Security Appliance, NGFW, and Access Point OEMs for over 5 years.  These OEMs are leaders in bringing the latest cyber security approaches to corporate and public IT enterprises.  This same technology, which has armed advanced networking equipment providers with a real-time defense against Internet launched attacks, is now made available to non-telecom equipment developers for cyber protection to support the growing new classes of IoT systems, such as connected automobiles, industrial automation, process control, aviation, railway, power management, and home energy management.

As system designers look to protect new and existing IoT devices and networks, they are increasingly applying techniques formerly used by the most advanced firewall and network security appliance manufacturers.   IoT gateways are emerging as this new class of OEM appliance. They are being designed to locally integrate single and multi-vendor platforms.  Common functions are real-time data stream analytics, protocol translations, networking control, endpoint control, storage, and manageability.  However, until recently, IoT gateways were being built without sufficient security or intelligence to properly protect critical infrastructure.  What is new and very exciting now is that non-security appliance vendors are now able to bring advanced cyber-security into IoT Gateways and offer Cyber-Security-as-a-Service to critical infrastructure. IoT Gateways can now utilize cloud-based cyber-security to securely connect legacy and next-generation devices to the Internet of Things.

I am pleased and excited to be part of the efforts by Webroot and our partners to ensure that the latest techniques are leveraged across these new IoT devices, appliances, systems and platforms.  We look forward to our continued dialogue with you in advancing collective threat intelligence.

As tax season approaches, beware of tax related scams

Reading Time: ~ 1 min.Tax season officially began on January 19th, and with tax season comes the inevitable rise in tax-related scams. Identity thieves tend to step up their game a bit during tax season, looking to get the ultimate prize – your Social Security Number. Scammers often use the threat of jail time for unpaid tax debt to trick you into giving out sensitive personal information. As with so many scams, seniors are a major target. Telephone scams are particularly popular, but as more people file their taxes electronically, phishing emails and malicious email attachments have become more prevalent.

Now is a good time to help educate your family members about these types of scams. It is important to pay extra attention to any email that is tax related. Be aware that the IRS will not contact you via email to request any personal or financial information. Don’t click on any links or download any attachments from emails claiming to be from the IRS. If you need tax related information, go directly to the official IRS website at instead of using a search engine.

For more information on taxes and security, the IRS have provided resources at:

A look at a typical macro infection

Reading Time: ~ 3 min.For over a decade, one of the most common ways to infect a computer with malware has been the implementation of “macros” in Word and Excel documents. Macros are small scripts that automate a series of commands in a document; most commonly they are used to automate legitimate repetitive tasks in applications like MS Excel and MS Word. Because of the security issues inherent to macros, Microsoft added security features in Office 2003 and all subsequent Office releases in order to curb macro abuses. In particular, the use of macros is disabled by default in Microsoft Office applications, requiring the user to manually turn macros on in order to use them.

Because of this, it is less likely to be infected by a document containing a malicious macro, but it is still possible. Typically, a document containing a malicious macro these days will be accompanied by instructions that ask the user to enable macros in their Office applications. Fortunately, these types of attacks are easy to detect if you know what to look for.

The first thing to be aware of is that unless you already use macros regularly in your work, you will probably never be sent a legitimate document that contains a macro script. In the case that you do use macros regularly, they will usually be similar types of documents that come from the same sources. If you receive a document via e-mail from an unknown sender, and the document contains macros, it is probably malware and should be deleted immediately.

The most popular type of malware infection these days comes in the form of a bogus shipping e-mail, such as a UPS Shipping Notice or a USPS “failed delivery” e-mail, as shown below:


In this example, we can see a few different things that would alert you to the fact that it is bogus. First, observe the “From” e-mail address. The e-mail claims to be from the USPS but the sender is from “” instead of a “” e-mail address. Secondly, because the e-mail address is an unknown or previously uncontacted sender, the fact that the message has a document attached is highly suspicious. We would recommend immediately deleting an e-mail like this and would especially advise not downloading or opening the attached document.

If this type of document is downloaded, it may not be immediately detected by security software because the document itself does not contain malware. It is only when macros are run that the malicious script is activated; usually this would trigger a download and launch of malicious software.

When this document is opened, what you will usually see in MS Word is something like this:


The document contains no real information but is meant to trick you into believing that you will not be able to read a message without enabling macros in MS Word. You can see that MS Word displays a yellow bar with “SECURITY WARNING: Macros have been disabled.”, also giving you the option to “Enable Content”. This is your clear warning that something is not right with this document. If you have opened a suspicious document and have gotten this far, you should immediately close and delete the document before going any further with it.


Knowing how to spot these types of attacks is the best way to avoid them, but there is one more thing you can do to ensure that a malicious macro document does not infect your computer. By default, the “Trust Center” setting for macros is “Disable all macros with notification”. This means that if macros are detected in a document, you will see that yellow “SECURITY WARNING” bar. We would recommend changing this setting to “Disable all macros without notification”, which will simply block the ability to use macros without prompting you to enable them:


This is especially useful if you share your computer with others who are not already trained in spotting these types of malicious documents. We hope that this helps you to pre-emptively detect and avoid these types of infections in the future.

Ransom32 – A RaaS that could be used on multiple OS

Reading Time: ~ 3 min.Update: We now have a soundbite of the music played after infection: 

The RaaS (Ransomware as a Service) business model is still seeing growth. Here is the latest cyber criminals have to offer and it could later on be used for Mac and Linux OS

As with all other RaaS platforms you sign up to create new samples from hidden servers in the Tor Network. Just input the bitcoin wallet address you want your “revenue” to be deposited in.

Once you input a deposit bitcoin address, you’ll be presented with a very easy to use portal with customization and stats. The customization allows you to fully lock the computer – which will make the lockscreen pop-up every few seconds and not be able to be minimized. What is interesting is that it even mentions to use caution with this feature as victims will find it difficult to check that their files have even been encrypted and will have to use another machine to pay the bitcoin ransom. The stats will show you how many people you are infecting and how many people are paying the ransom.

Once you click download it will generate the malware with your customized setting and payment amount. The size of the file is 22MB which is quite large for malware in general. This is because main malware component inside the payload, “chrome.exe” is a packaged NW.js application which contains the malware code. NW.js s a framework that lets you call Node.js modules directly from the DOM and enables a way of writing applications with multiple web technologies that work on ALL operating systems. While we did see strings in the code reference commands only used on Unix operating systems, current samples only work on windows… for now. We suspect that Mac/Linux compatibility is in the works.

This is the infection lockscreen that pops up once you are infected and files are encrypted. You are also blasted with music from the video game Metal Gear Solid – which is bizarre and very obnoxious. We see that they’ve made sure to use the free decrypt tactic that was first introduced in 2014 with CoinVault – we did confirm that this feature works.

As always, these come with detailed instructions on how to purchase bitcoins with USD and then send it over to the ransom wallet.

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for more, but just in case of new zero day variants, remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies.

Please see our community post on best practices for securing your environment against encrypting ransomware.

Top Security Predictions for 2016

Reading Time: ~ 2 min.As 2015 comes to an end, we all look back at the huge list of big-name data breaches that occured, from passwords revealed to full on dating identities. It was not a pretty year for companies with lacking security protocols to say the least. And while we can sit here and delve into what happened, as a security company we must continue looking forward to what is going to happen next. Lessons were learned in 2015, but there is still going to be breaches, security problems to be solved, and as technology advances, so will the vectors for attack.

To look forward, to continue preparing, we here at Webroot have works on a list of our top 4 security predictions for 2016.

  1. People Push Back:  Tools that prevent unintentional data collection – such as cookie blockers, microphones, malicious advertisements, and camera blockers – will be increasingly adopted by consumers. Many of these tools block ads indiscriminately which will have an impact on legit sites ability to fund themselves. Consumers will also require web companies to disclose consumer data use and how it is being protected.
  1. Increased Attacks on IoT Devices: As more common items add connectivity for convenience, and thus become part of the IoT, it is expected that hackers will take advantage of poorly implemented security. Weaknesses in passwords, firmware updates and the storage of user specific data make IoT devices a prime target and attacks against these devices will increase in 2016.
  1. More Breaches: Cybercriminals will double down on phishing attacks – whether via telephone, texts, tweets, Instagram, Snapchat and other social avenues. With rapid growth on the rise in 2015, attackers will create remote sessions into PCs disguised as a trusted account vendor.  Also, reps from fraudulent sites will offer support which results in a remote connection and users’ systems getting compromised.
  1. 2016 Presidential Elections: There will be a spike in cybercriminal activity that exploits the 2016 US presidential elections and causes mass disruption. The attacks will include spam emails, campaign donation scams, fake election sites and telephone-based threats, which have been on the rise in 2015. Attacks will target social media and will increase in activity as the election night approaches. As a result, candidates will need to be more security-aware than ever before.

With these in mind, this is not the limit of what we will see but more of the avenues that we feel will have the biggest impact on the global threat landscape. What predictions fo you have for this coming year? Share your ideas in the comment box below.

Quick Tips to Protect Your New (and old) Apple Devices

Reading Time: ~ 3 min.Apple has projected yet another record holiday for sales, but this should come as no surprise to fellow ‘Macheads’. I myself, am a huge fan of Apple and have been for a quite some time; I still have my iBook, and it still works! My desk is home to an iMac, Macbook, and many other small Apple devices. The one thing that most people believe is that there is no need to worry about security for their beloved Apple devices, which is a bit over inflated. So here are a Full this holiday season.

Top Ten tips for OS X security

  1. Create a standard account (non-admin) for everyday use– Log into the standard account for your everyday activities, and to store your personal information. Whenever an administrator’s password is required, type the admin username, and the appropriate password. This will lead to more password requests than if you were working under an admin account. However these requests should make you think whether you should be entering your password.
  2. Set Gatekeeper to allow Mac App Store and identified developers– Gatekeeper resides under Preferences>Security & Privacy and its main function is to allow the user to control which apps can be run without further escalation and or attention. If you download an application that doesn’t meet the criteria you will not be able to run it.
  3. Stay current with OS X updates– Mac OS X has a built-in software update tool “Software Update”. It’s a good idea to run “Software Update” frequently and install updates when available.
  4. Disable automatic login– Automatic login means that anyone who can access your Mac only needs to start it up to have access to all of your files.
  5. Use the built in Firewall– The firewall can be tuned to your needs whether it be at home, work or travel.
  6. Use a password manager to help prevent phishing attacks– It’s important to create complex, unique passwords, however for most of us, the more complicated the password the easier it is for us to forget it.
  7. Use Mac FileVault for full-disk encryption– FileVault encrypts your entire hard drive using a secure encryption algorithm (XTS-AES 128). You should enable this feature on your Mac because if your hard drive isn’t encrypted, anyone who manages to steal your computer can access any data on it.
  8. Use a Mac anti-virus (WSA)– Let’s face it, Mac malware is real and only getting worse.
  9. Enable iCloud Mac locator and remote wipe– If your system is ever stolen you can log into or use the Find My iPhone app on an iOS device to locate your device, send it a command to lock it, have it issue a sound, or remotely wipe the device.
  10. Use “Secure Empty Trash” to remove data– By default files are simply marked for deletion and not really deleted making file recovery simple. Using Secure Empty Trash things get much more difficult to recover.

Tips to secure your iOS

  1. Enable Passcode Lock. This is one of the key security tips, The stronger the passcode the better. Apple has incorporated a fingerprint scanner in the newer iPhone models which allows users to use their fingerprints for authentication when unlocking their device and making purchases.
  2. Erase all data before selling, trading in, or sending off for repair.
  3. Update. By keeping your apps and operating system up-to-date, you will strengthen the security of your device. You can turn on the automatic downloads feature which will update apps in the background and without the need for you to do anything.
  4. Don’t Jailbreak. Sure, some of the Jailbreak tweaks are cool and can do some fun things but is the lack of security really worth it?
  5. Enable Safari security settings. These settings include blocking pop-ups, disabling autofill, fraud warnings, and the ability to clear cookies/history/cache. Alternatively, you can download Webroot’s secure web browser for iOS.
  6. Disabling Bluetooth/WiFi. There are several freeware tools designed to sniff for Bluetooth and WiFi signals then gather information from open devices. It is also best to not use public WiFi; you don’t really know what the guy sitting at the other table in Starbucks is doing on his computer.
  7. Find my iPhone. This should go without saying, this feature not only helps you find a lost or stolen phone, but it also makes wiping the phone a little harder. I had an iphone stolen and find my iPhone found it five months later… in Canada… someone sold it on ebay.
  8. Disable Siri on Lock screen. Siri is a great tool and assest but she can also talk to much, this will keep her quite until the correct person is able to unlock the device.
  9. Set up a VPN. A Virtual Private Network is a must-have and can bring extra security to anyone who uses their devices on different wireless networks. Some VPN services are free of charge, but some can cost several dollars a week which is more than a fair price for protecting your information.
  10. Turn on two-step verification for Apple ID and iCloud – a great way to prevent issues without someone knowing both the password and the 4-digit verification code.

Russians are not immune to Encrypting Ransomware

Reading Time: ~ 2 min.CryptoWall 4.0 users have found that Russian users are spared any encryption when the malware is deployed on their system. That’s because it checks for what keyboard is being used and if Russian is detected as the keyboard language then it will kill itself before encryption. This isn’t that much of a surprise since we’ve always known these guys were Russian (at least the spam servers) and target mainly the US and Europe. But everyone is susceptible to encrypting ransomware so here’s a look at a recent encrypting ransomware what will target Russians.

While this encrypting ransomware may look a little different, it’s pretty much the same as the rest; encrypt your files from a phishing email and hold them ransom for bitcoin payment via tor browser. The encryption routine is done using GPG Tool which is an open source encryption tool and appends the file extension to “.vault”

Once you enter the Onion link into a tor browser you’ll be presented with the following pages

The bitcoin currency is continuing its climb

This is the payment portal – The victim is subject to a price increase after 4 days.

This variant also introduces the “freebie” structure where it allows you 4 free file decrypts. This is so you know what the decryption routine is like and know that you’ll get your files back if you do pay the ransom.

Once you’ve paid for the ransom you have access to download the decryption tool from the portal.

MD5 Analyzed:


Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for more, but just in case of new zero day variants, remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies. Please see our community post on best practices for securing your environment against encrypting ransomware.




What are the security risks with using a router provided by your ISP?

Reading Time: ~ 2 min.

Internet security isn’t just about your devices, but also what connects your devices to the internet.

Here at Webroot we have seen an influx of customers having problems with ads popping up on their devices while SecureAnywhere is reporting a clean scan. They report seeing multiple ads, some pornographic in nature, while connected to their home network—and only that network. Our advanced malware technicians have found that the DNS settings have been changed on the modem router and were causing these ads.

Getting a router from an ISP (Internet Service Provider) comes with several benefits and security risks. For benefits, the ISP technicians are trained on how to set up and support the modem, as well as being able to log into remotely using a backdoor they have set up to assist customers. This is not a setting you, as a user, can change or turn off.

Arris Cable modems are used by many major ISPs (Time Warner Cable, Comcast, Cox Communications, etc.) for this purpose. They are designed so a technician can login and help set up the router remotely for their customers. The backdoor they use has a password generated for it every day by a publically available algorithm ( or—even worse—it’s a hardcoded password. This is not your default username/password, but a backdoor created by the manufacturer.

Once hackers/non-support technicians have access to the router through the technician’s backdoor, they can change the DNS settings to show ads on any device connected to the router. Because all traffic is being routed through the DNS server, your information can be compromised. Router settings can also be changed to allow for telnet access later if they want to get back in for any reason.

There are several ways they can infect your router, but it is usually done remotely by scouring IP addresses and seeing of the username/password of the day set by the algorithm works. Once they have access to the router, they are free to change the DNS settings as they wish.

How can you tell if you have this kind of infection?

If there are devices on your network receiving ads while only connected to that network—not seeing ads when on other networks (such as at a coffee shop or at the office)—and your antivirus software is reporting no threats, this could indicate the router has been accessed by someone outside your ISP’s company.

What can you do to protect your self?

By buying your own router, there will be no backdoor for ISP technicians. The routers you buy tend to last longer and have better configurations (port forwarding, encryption, SSID). However, you will have to set it up yourself, as major ISPs will not support modems that they do not provide.

Securing cable modems is more difficult than other embedded devices as, in most cases, you cannot choose your own device/firmware, and software updates are almost entirely controlled by your ISP. Below is an incomplete list of suspicious routers. You can also contact your ISP and ask them to address this exploit and provide a firmware update OR provide a non-vulnerable modem. 

  • Arris CM820A
  • Arris DG860
  • Arris DG950A
  • Arris TM501A
  • Arris TM602A
  • Arris TM602B
  • Arris TM722G
  • Arris TM802G
  • Arris TM822G
  • Arris TG862
  • Arris TG862A
  • Arris WBM760A


What’s in a name?

Reading Time: ~ 1 min.Any time a malware variant hits the news we get numerous requests for information. It is typically quite difficult to provide any information based on names that have been given to threats. A simple way to illustrate this is by using a service such as Virustotal and seeing what name other AV companies use for the same threat. I found a recent article about a new threat that contained a link to a write-up by an AV company including MD5 hashes for the file samples used for the write-up. Below are screen shots of the Virustotal results for one of those files.

The first thing I noticed was that there are numerous names that this is detected as, and they are rather inconsistent. Many of the names used are generic, and there are quite a few heuristic detections included in the results. Another thing I noticed was that the name of the malware from the article and the write-up for this file is nowhere to be found. The AV company whose write-up I got the sample from does detect the file, just not by the name that was in the write-up.

What this shows is that, even though this malware sample was found with a specific name, it is widely detected by generic and heuristic detections. The name that it is detected as becomes rather irrelevant. Identifying new malware and taking it apart to determine how it works and what it does is certainly important, but at the end of the day, simply detecting a file as malicious and removing it is what really matters.

Is 2015 the Year of Mac Malware?

Reading Time: ~ 2 min.Lots of blogs, articles and posts have been circulating recently about the increase in mac malware, mostly due to the publishing of Bit9’s report. I think it is wise to clarify what is really happening in the world of malware for Macs. Yes, there has been an increase in malware but what category do they fall under? What the consumers should be aware of and what they should be less concerned with.

Most recently a Mac ransomware proof of concept was announced and as expected the media lost their minds. I have had the opportunity to speak with the creator of the POC and also was able to look into what it does along with what it means for future malware. The author is a threat researcher/developer named Rafael Marques from Brazil. His POC has brought massive attention to the security needs of OS X and the lack of concern that most people feel about Macs. His motive was not to create a malware to use in public mass but to help educate people that Macs are not as safe as they think. I asked him why he decided to create this and his response was to inform people “about the myth that there is no malware for mac”. I couldn’t agree more with him, I recently wrote a blog about the history of mac malware along with another one on how adware is bypassing popular ad-blockers. Although the program he wrote can do as intended, it would need to bypass a few security features thus making it a little more difficult but not impossible. A quote from Cory Doctorow best sums it up, “never underestimate the determination of a kid who is time-rich and cash-poor.”

This is where the public typically gets lost in the industry terms. The proof of concept that he created is malware, but most of the encounters that we come across on macs are not this intense, these are instead PUAs (potentially unwanted application). PUAs are still considered malware for the most part, but they are not really looked at as something to be as concerned with. 2015 has really been the year of PUAs. Every day I go through samples that contain a majority of these PUAs, most of which are adware. These adware programs will try to hide a legit programs and run in the background just to get you to click on annoying pop-ups. VSearch, Genieo, IronCore, Bundlore, Wedownload… These are just a few that we come across every day.

While these programs don’t cause any real harm to the system they do help in showing consumers that Macs are not invincible. Adware is more like a testing ground for malware authors, they create these to figure out ways around security and users. Once an author is aware of how to bypass all the security measures, what’s to stop them from writing a more complex threat? Of course one could argue that my intentions are to get people to buy anti-virus, but I didn’t go into this career to sell a product, I choose my path to help build security and promote it to the world. I think it is very important that people began taking Mac security serious. The next time a ransomware for mac comes out, it may not have a researcher like Rafael creating it to bring awareness, it may have someone wanting to make money on your expense.