Thursday, December 31, 2015

Meet Ransom32: The first JavaScript ransomware

Software as a service (SaaS) is a relatively new model under which many software companies conduct their business today, often to great success. So it comes as no surprise that malware writers and cyber crooks are adopting the same model for their own nefarious purposes. Over the past year a whole series of these “Ransomware as a Service” campaigns appeared, for example Tox, Fakben and Radamant. Today we want to spotlight the newest of them.


Meet Ransom32


At first glance Ransom32 looks like one of a dozen similar malware campaigns. Signups are handled via a hidden service in the Tor network, and all that is required to sign up is the Bitcoin address to which the funds generated by your ransomware should be sent.


All you need to get your own customized ransomware is a Bitcoin address to send your earnings to




After you type in your Bitcoin address, you will get access to the rudimentary administration panel. In the admin panel, you can get various statistics, like for example how many people already paid or how many systems were infected. You can also configure your “client”, which is their term for the actual malware. It is possible to change the amount of Bitcoins the malware will ask for, as well as configure parameters like fake message boxes the malware is supposed to show during install.


Ransom32 admin

A web interface allows you to see how many systems the malware has infected, how many Bitcoins it earned and allows you to further customize the malware



A click on “Download client.scr” then generates the malware according to these specifications and starts the download of a malware file of more than 22 MB. At this point it becomes evident that Ransom32 is very different from other ransomware, which rarely exceeds 1 MB in size. In fact, most ransomware authors advertise the small size of their malicious files as a unique selling point in underground hacker communities. Ransom32 definitely had our interest.


Unwrapping the behemoth


After further examination the downloaded file turned out to be a WinRAR self-extracting archive:


The content of the Ransom32 SFX archive




The malware uses the SFX script commands that WinRAR embeds in a self-extracting archive to automatically unpack the content of the archive into the user’s temporary files directory and execute the “chrome.exe” file contained in the archive. The files within the archive have the following purposes:


  • “chrome” contains a copy of the GPL license agreement.

  • “chrome.exe” is a packaged NW.js application and contains the actual malware code as well as the framework required to run the malware.

  • “ffmpegsumo.dll”, “nw.pak”, “icudtl.dat” and “locales” contain data that are required by the NW.js framework to function properly.

  • “rundll32.exe” is a renamed copy of the Tor client.

  • “s.exe” is a renamed copy of Optimum X Shortcut, a utility to create and manipulate Desktop and start menu shortcuts.

  • “g” contains the malware’s configuration information as configured in the web interface.

  • “msgbox.vbs” is a small script that displays a customizable popup message and is used to display the configured message box.

  • “u.vbs” is a small script that enumerates, and deletes all files and folders in a given directory.


The “g” file contains the malware’s configuration formatted as JSON



The most interesting part by far in that package is the “chrome.exe”. Upon first inspection, “chrome.exe” looks suspiciously like a copy of the actual Chrome browser. Only the lack of a proper digital signature and version information hints that this file is not the actual Chrome browser. Upon further inspection, it turned out that this file is a packaged NW.js application.


Using modern web-based technologies for ransomware


So what is NW.js exactly? NW.js is essentially a framework that allows you to develop normal desktop applications for Windows, Linux and MacOS X using JavaScript. It is based upon the popular Node.js and Chromium projects. So while JavaScript is usually tightly sandboxed in your browser and can’t really touch the system it runs upon, NW.js allows for much more control and interaction with the underlying operating system, enabling JavaScript to do almost everything “normal” programming languages like C++ or Delphi can do. The benefit for the developer is that they can turn their web applications into normal desktop applications relatively easily. For normal desktop application developers it has the benefit that NW.js is able to run the same JavaScript on different platforms. So a NW.js application only needs to be written once and is instantly usable on Windows, Linux and MacOS X.


This also means that, at least in theory, Ransom32 could easily be packaged for Linux and Mac OS X as well. That being said, we have not seen any such packages so far, which for the moment makes Ransom32 most likely Windows-only. Another large benefit for the malware author is that NW.js is a legitimate framework and application, so the bulk of the package is benign code. It is therefore no surprise that, almost two weeks after the malware was first created, signature coverage is still very poor.


Once Ransom32 arrives on a system and is executed, it first unpacks all its files into the temporary files folder. From there it copies itself into the “%AppData%\Chrome Browser” directory. It uses the bundled “s.exe” to create a shortcut named “ChromeService” in the user’s Startup folder, which makes sure the malware is executed every time the user logs on. The malware then starts the bundled Tor client to establish a connection to its command and control server (C2 server), a hidden service inside the Tor network listening on port 85. After a successful connection to the C2 server, which negotiates the Bitcoin address the affected user is supposed to send the ransom to and delivers the public key used for encryption, the malware eventually displays its ransom note.


The ransom note displayed by the malware




It then starts encrypting the user’s files. All files with one of the following file extensions are being targeted:


*.jpg, *.jpeg, *.raw, *.tif, *.gif, *.png, *.bmp, *.3dm, *.max, *.accdb, *.db, *.dbf, *.mdb, *.pdb, *.sql, *.*sav*, *.*spv*, *.*grle*, *.*mlx*, *.*sv5*, *.*game*, *.*slot*, *.dwg, *.dxf, *.c, *.cpp, *.cs, *.h, *.php, *.asp, *.rb, *.java, *.jar, *.class, *.aaf, *.aep, *.aepx, *.plb, *.prel, *.prproj, *.aet, *.ppj, *.psd, *.indd, *.indl, *.indt, *.indb, *.inx, *.idml, *.pmd, *.xqx, *.xqx, *.ai, *.eps, *.ps, *.svg, *.swf, *.fla, *.as3, *.as, *.txt, *.doc, *.dot, *.docx, *.docm, *.dotx, *.dotm, *.docb, *.rtf, *.wpd, *.wps, *.msg, *.pdf, *.xls, *.xlt, *.xlm, *.xlsx, *.xlsm, *.xltx, *.xltm, *.xlsb, *.xla, *.xlam, *.xll, *.xlw, *.ppt, *.pot, *.pps, *.pptx, *.pptm, *.potx, *.potm, *.ppam, *.ppsx, *.ppsm, *.sldx, *.sldm, *.wav, *.mp3, *.aif, *.iff, *.m3u, *.m4u, *.mid, *.mpa, *.wma, *.ra, *.avi, *.mov, *.mp4, *.3gp, *.mpeg, *.3g2, *.asf, *.asx, *.flv, *.mpg, *.wmv, *.vob, *.m3u8, *.csv, *.efx, *.sdf, *.vcf, *.xml, *.ses, *.dat


The malware will not attempt to encrypt a file if its path contains any of the following strings:


  • :\windows\

  • :\winnt\

  • programdata\

  • boot\

  • temp\

  • tmp\

  • $recycle.bin\

Files are encrypted with AES-128 in CTR mode. A new key is generated for every file. Each per-file key is in turn encrypted with RSA using a public key obtained from the C2 server during the first communication; the matching private key stays on the C2 side.


Part of the custom protocol exchange between Ransom32 and its command and control server to exchange Bitcoin address (purple) and public key (length yellow, key green)




The encrypted AES key is being stored together with the AES encrypted data inside the now encrypted file.


The malware also offers to decrypt a single file to demonstrate that the malware author is able to reverse the encryption. During this process the malware sends the RSA-encrypted AES key taken from the chosen file to the C2 server and receives the decrypted per-file AES key in return, so only that one file’s key is revealed, not the private RSA key.


How can I protect myself from Ransom32?


As explained in our recent ransomware article, the best protection remains a solid and proven backup strategy. Once again, though, the behavior blocker technology used by Emsisoft Anti-Malware and Emsisoft Internet Security proved to be the second-best defense: all our users are protected from this and hundreds of other ransomware variants without the need for signatures.


Users of Emsisoft Anti-Malware and Emsisoft Internet Security are protected from Ransom32 and other ransomware families by the behavior blocker




We consider ransomware one of the biggest threats of the past year and plan to do our best to continue our excellent track record in the next year, to keep our users as protected as possible.


On that note, the malware research team here at Emsisoft wishes everyone a happy and malware-free new year.


Last but not least, we want to thank our friends over at BleepingComputer, who brought this threat to our attention first. We also would like to extend our gratitude to xXToffeeXx of BleepingComputer in particular, for her invaluable help and input while researching and reverse engineering this particular ransomware.




Wednesday, December 30, 2015

Strong indications that ransomware devs don’t like Emsisoft

As reported by our friends at Bleepingcomputer, the developers of the Radamant Ransomware Kit have reportedly released a new, third version of their ransomware. This comes after the Emsisoft lab, led by our CTO Fabian Wosar, successfully developed a decryptor for the previous two versions. The first version of Radamant gives encrypted data files an RDM extension, while the second version uses an RRK extension. There are now rumors of a third version that we have not seen yet. For the first two versions, our decryptor can recover a victim’s files, for free. It comes as no surprise, though, that the developer of the Radamant ransomware wasn’t very happy with Fabian and Emsisoft for interfering with his business.


Take a look at the strings embedded in the ransomware executables and at the domain names of their command and control servers. For example, the latest version of the executable contains strings such as “emisoft f**kedbastardsihateyou”, showing the developer’s displeasure with a company whose name is suspiciously similar to “Emsisoft”. But see for yourself:



The Radamant developer also included Emsisoft in the domain name of one of his Command & Control servers: emisoftsucked.top (typo included).


As stated in this post, Fabian does not appear to be insulted, but rather quite the opposite:



“I am not really sure how things work in your circles, but in my circles getting insulted by malware authors is considered the highest kind of accolade someone can get, so thank you very much for that. Just next time, please try to get the company name right. But it’s a common mistake, so I let that one slide.”- Fabian Wosar



If you’re a victim of the Radamant ransomware and would like to recover your files and download our decrypter, please read and visit the forum thread at Bleepingcomputer in which you can find the most recent info and instructions.


Please note that Emsisoft Anti-Malware running on the server won’t stop infected clients from encrypting files on the shares. As of now, all variants can be successfully decrypted. We’ll keep you posted!




2015 Recap: What happened in the Internet security scene and at Emsisoft

A letter from our CEO, Christian Mairoll:


When I started out collecting facts for this 2015 Recap, I had a look at last year’s edition. A frightening experience, like a deja-vu suddenly hit me: All major threats described in the 2014 Recap are still valid and very current for this year too, just the numbers have slightly shifted.


2015 – at the malware protection front:


  • Threats and attacks increased in numbers as usual, but there are some general trends becoming more and more visible. Malware separates into two big groups:

    The first one is the “we want to convert your computer into a zombie and sell its computing power”-group. You typically won’t see any particularly different behavior from your computer when it gets infected. The malware sits quietly and well hidden in the core of your operating system and waits patiently for commands from its master. Common commands are e.g. orchestrated DDoS attacks together with tens of thousands of other infected computers to bring down a specific website or service; or using the hardware/computing power to send spam emails or mine Bitcoins. But here’s the good news: Several independent antivirus testing labs again confirmed that Emsisoft strengthened its place in the top league of providing efficient protection from all these threats.

    The second group of actors in today’s threat landscape is the “we will encrypt your data and sell you back the encryption password for a ransom”-group. Crypto ransomware authors became smarter, making fewer coding mistakes than before. Our lab was able to create decrypters for many common ransomware families last year, but the passwords of the latest families became near impossible to crack, as they are stored on (hacked) webservers that are usually not accessible for our research team. Though, on the positive side, our protection capabilities against crypto ransomware improved significantly throughout the year and we’ve made a name for being experts when it comes to ransomware. See how it’s done right: Emsisoft’s behavior blocker vs. 20 common crypto ransomware families.

  • Viruses are now officially to be considered dead – until further notice. Our research in the most spread malware categories earlier this year revealed that only 0.2% of the total infections happen to be from viruses. A much bigger group of 14% Trojans/Backdoors/Bots/Rootkits is only topped by the 79% Potentially Unwanted Programs. These programs, often referred to as PUPs or PUAs, are not malware from a legal point of view, but are usually misleading and tricking users into bad purchases or slow down the computer with plenty of extra ads.

    Emsisoft earned a reputation of being one of only a few anti-malware protection software providers who keep honest and ethical business principles high. Our research article “Has the antivirus industry gone mad?” caused a great stir when we revealed that 7 out of 8 tested antivirus products come with unwanted bundles in 2015.

2015 – at Emsisoft


  • Growth and money isn’t why we do what we do. From the start – 12 years ago – Emsisoft grew organically without any external funding and has by now reached a team size of 30. From being the underdog in the industry that nobody knows, we managed to become a respected small sized member of the industry who performs consistently well in independent tests such as conducted by AV-Comparatives and VirusBulletin’s VB100.

    Emsisoft team members and local representatives 2015



    The 100% virtual structure of the company helps us to serve customers across all time zones. We are a truly international and multi-cultural team, working together as we would if we were in the same office. Instead of creating another short-living tech stock we aim for building from the ground up a solid long-term company that provides the best customer support possible.


  • Major releases this year were plentiful. In May, Emsisoft Anti-Malware 10 and Emsisoft Internet Security 10 were released. They both came with serious scanning speed improvements. Version 10 series also shows that we’re serious about protecting your data and your privacy. We have created a new settings panel that provides access to various software options that may have an impact on your privacy. With Emsisoft Emergency Kit 10 we released the fastest portable dual-engine malware cleaning toolset on the market. It’s the ideal second opinion scanner and free of charge for private use. Just a few weeks ago, we have announced the availability of Emsisoft Anti-Malware & Emsisoft Internet Security 11. They mark a leap in protection technology and are not only the first native x64 editions of our software but also come with heavily improved behavior detection of ransomware and other current threats.

  • Windows 10 was big in the news in 2015. Microsoft broke with their old habits and changed the Windows platform to a product-as-a-service model, which means the system doesn’t get outdated anymore. Just like with Emsisoft, you will always receive the latest software version via online updates, which is great for security. All the included cloud connections come at a price though: Privacy. Earlier this year we have analyzed the potential impacts of Windows 10 on your privacy.

Outlook on 2016:


  • It may sound a bit boring, but next year we plan to do what we always did: Improve the protection level, make the product smarter and less intrusive, improve speed and reduce resource usage. We expect that exploits and ransomware will most likely continue to be the top threats, requiring special attention.

  • Another item high on our priority list is participating in even more independent tests to get as much feedback as possible on how to further improve our technology.

  • We also plan to increase our efforts in building protection software for small- and medium-sized businesses and establish a world-wide network of local representatives so we get closer to you.

Rest assured, we don’t intend to rest on our success but continue to do whatever is necessary to keep hackers out of your computer!


Have a great and malware-free 2016!

Wednesday, December 23, 2015

How it’s done right: Emsisoft’s Behavior Blocker vs. 20 crypto ransomware families

For most of us the idea of losing all our data sends ice cold shivers down our spines. For thousands of companies as well as home users daily this nightmare becomes reality. The reason? Malicious software accurately referred to as “ransomware” encrypted their files. Today we want to take another look at what most people see as one of the biggest threats today, show how to protect yourself from it, and also give you some insights into how Emsisoft helped victims of ransomware to recover millions of encrypted files over the past year.


What is crypto ransomware anyway?


Ransomware is a type of malware (malicious software), that tries to take your files, business data and personal memories stored on your computer hostage. In general there are two types: Screen lockers and crypto ransomware. The idea behind screen lockers is simple: Prevent the user from using his computer by displaying some kind of password prompt that they can’t get around unless they pay for the correct unlock code. This type of ransomware was wildly popular just a couple of years ago, but is almost extinct nowadays as it has been replaced by its newer and much more devious sibling; the crypto ransomware. Crypto ransomware doesn’t lock you out of your computer. Instead it locks you out from accessing your files and all the precious information and memories stored within them by the use of encryption.


The idea of ransomware isn’t a particularly new one. In fact the first publicly documented case of ransomware, the “AIDS” trojan, can be traced back to 1989, when home computing was still in its infancy. “AIDS” encrypted the file names on your computer, and to restore your system to normal you had to pay a ransom of $189. The malware author was quickly identified back then, as the only way to receive money was to have victims wire or mail it to him, leaving behind an easy-to-trace paper trail. The widespread use of pseudonymous cryptocurrencies like Bitcoin, however, makes following the money much harder, which allows ransomware gangs to operate in the shadows for years without being caught.


Once a crypto ransomware makes it onto your system, it will look for files that it finds interesting, like for example pictures, videos, save games, databases, documents and music. It will then encrypt these files using some form of cryptography. The type of cryptography used ranges from easily broken home-made algorithms to correctly implemented standard ciphers that cannot be broken. After all your files have been encrypted, it will usually get rid of backups and shadow copies of your files, so you can’t simply restore them. Last but not least it will leave ransom notes all over your computer, making you painfully aware of what just happened and outlining how to pay the ransom to get your files back.


How can you protect yourself from ransomware?


The best defense from ransomware is a good set of backups – stored on a disconnected device. Backups are one of these things we all know we should do, but we rarely do until it is too late, even though they not only protect you from ransomware but more mundane threats like hard disk failure or computer theft as well. As mentioned before, a lot of ransomware will target your backups specifically. That is why it is important to store your backups somewhere, where your computer can’t usually touch them. An external disk drive, that is usually detached from your computer or some kind of cloud based file storage or backup system are a good idea. You can also find a backup buddy and store your backups at a friend’s computer and vice versa. No matter what option you choose, make sure you do them regularly, preferably daily, and also make sure you tested the restoration process at least once.


Your next best bet: Emsisoft


Over the past couple of years, we managed to build a certain reputation when it comes to ransomware. Our malware research team, which is deeply embedded in various major technical support communities like BleepingComputer or Trojaner-Board to monitor new malware trends and outbreaks closely, is quite proud of the fact that none of the major or minor ransomware outbreaks in the last five years affected Emsisoft users in a significant way. To give you an idea of just how effective our products are at keeping even new and as yet unknown ransomware from harming your system and the files on it, we thought it would be a good idea to let twenty different ransomware families have a go at a system protected by Emsisoft Anti-Malware.


To make things a bit harder for us, we disabled both the Surf Protection, so the malware can communicate with its command and control server freely, as well as the File Guard, so that signature based detection is removed from the equation, as signatures most likely didn’t exist yet at the time the ransomware was first released. We hope you enjoy watching Emsisoft Anti-Malware squash some of the biggest ransomware threats out there, without the help of any signatures, just as much as we do, knowing your system is well protected from all of these and hundreds more.



Emsisoft’s behavior blocker versus CryptoFortress ransomware.


Emsisoft’s behavior blocker versus ZeroLocker ransomware.


We are here to help


Our commitment to combat ransomware goes far beyond just protecting our users from getting infected by it. In the past couple of years we managed to break dozens of different ransomware variants, helping to decrypt millions of files and allowing tens of thousands of users to get back access to their invaluable data. Unlike other companies we provide these services completely free of charge, no matter whether you are an Emsisoft customer or not. So even if your other anti-virus or anti-malware software let you down, we will gladly see if we can help out. Just get in touch with us.






Monday, December 14, 2015

What security risks are hidden in your Christmas presents this year?



Once upon a time, a Christmas tree surrounded by elaborately wrapped gifts represented a security threat because the festive season has traditionally been the busiest time on the burglar’s calendar. These days, if the festive wrapping paper, gift boxes, cellophane and ribbons under your tree disguise tech toys and mobile devices, the threat could be more invisible – and potentially even more costly.


Tech toys, Wi-Fi enabled games, wearable devices, tablets, mobile phones and even big-ticket items like laptops are already predicted to be among the most popular gifts this Christmas.


The Toy Retailers Association has revealed its list of the 12 toys expected to be most popular at Christmas 2015 in the UK, predicting the number one gift could be Vtech’s Baby Toot-Toot Friends Busy Sounds Discovery House. Did we just say Vtech?


According to gizmag, today’s kids expect their toys to connect to the internet, pair with smart devices, and let them join in the latest tech trends, often before their parents. However, while there are good reasons parents should think twice before buying tech toys for their kids, as you will read below, security risks aren’t just confined to gadgets for children.


Christmas gifts could be the equivalent of the Trojan Horse


As the concept of the Internet of Things (IoT) rapidly becomes reality, with more and more objects embedding electronics, software, sensors and network connectivity that let them collect and exchange data, how many of your Christmas gifts could be the equivalent of the Trojan Horse? It was a decisive end to the Trojan War when the Greeks used subterfuge to enter the city of Troy, hiding some of their army inside a huge wooden horse. After pretending to sail away, the unsuspecting Trojans pulled the horse into their city as a victory trophy. Later that night the Greek force crept out of the horse and opened the city gates for the rest of the Greek army to enter and destroy the city. What could potentially be unleashed from your Christmas gifts?




Think twice before buying the following gifts


From big brand gaming consoles to experimental wearable devices, many manufacturers are struggling to keep up with hackers and attackers.


Christmas Security Risk #1: Gaming consoles that ask for too many personal details




Gaming consoles can be hacked and personal data stolen. According to many commentators, Sony’s PlayStation is the most likely target after personal details of millions of PlayStation Network (PSN) users were stolen back in 2011. Many believe that Sony has not responded appropriately and continues to ask for the kind of personal and financial data that banks do, without the same security measures in place. Recently some hackers set out to prove that cyber security at Sony remains weak by unleashing a massive distributed denial of service (DDoS) attack.




Christmas Security Risk #2: Tablets and apps that store data on the manufacturer’s server




When tablets, or apps that run on them, ask children for any personal data (such as names, addresses and birthdates), ask them to upload a profile photo, record audio conversations or store chat logs, it potentially puts your family at risk if these files are stored on the manufacturer’s servers.


A hacker took advantage of this last month, stealing data from 4.8 million customers including gigabytes worth of profile photos, audio files and chat logs sitting on Chinese electronic toy manufacturer VTech’s servers, after VTech had encouraged parents to take the headshots of both themselves and their children and use them with apps like Kid Connect that enable them to interact with each other. The hacker then downloaded almost 200 gigabytes’ worth of these photos as well as chat logs and recordings of conversations. Many have questioned why VTech stored the data on its servers in the first place and while the company responded by switching off the servers, blogger Dan Goodin says “it was of little help to the millions of people already affected by this epic privacy blunder”.


Christmas Security Risk #3: Wi-Fi enabled dolls, teddy bears and toy robots




Wi-Fi enabled dolls, teddy bears and toy robots pose a risk because hackers can extract information including Wi-Fi network names, account IDs and MP3 files. Hackers could also hijack and decrypt the session cookie that identifies you to a service like Twitter or Google, and then take over your accounts without needing your password. But this is just the tip of the iceberg. Attackers could also intercept communication between a child and his or her toy. For example, Hello Barbie enables real-time conversations between children and the doll by recording audio and uploading it to the cloud for instant processing of artificial intelligence-based responses. Security researcher Matt Jakubowski recently managed to hack the Hello Barbie operating system and says the information he’s been able to extract would enable the attacker to find someone’s house, access their home network and retrieve everything that the toy has recorded.


Christmas Security Risk #4: Smartwatches




A research study conducted by Hewlett-Packard and released in July this year analyzed 10 smartwatches and found that every single one of them contained significant vulnerabilities, including insufficient authentication, lack of encryption and privacy concerns. The top-selling smartwatch for kids last Christmas was the VTech Kidizoom, designed for 6-12 year olds. While it wasn’t included in the HP research study, VTech’s recent security breach involving its tablets (see #2 above) should put parents on watch.


Christmas Security Risk #5: Fitness trackers




Wearable devices for grown-ups like Fitbit Force, Jawbone Up, Fitbug Orb, Nike FuelBand SE store vast amounts of personal data about the user. The devices link the gathered information to a user profile connected to a laptop or smartphone through a Bluetooth connection and also send the information to the cloud for safekeeping. The potential for a hack exists during the data exchanges. While a lot of the information from the device (such as number of miles run) is not sensitive, it gives hackers backdoors into laptops and smartphones loaded with personal information.


Christmas Security Risk #6: Gaming consoles that don’t turn off




There is a risk that hackers could exploit gaming consoles while they are apparently lying idle. Some believe this risk is much greater now that there is an army of devices that not only allow, but also expect, to be remotely controlled and reprogrammed, like the Nintendo Wii, which can communicate with the Internet even when the power is apparently turned off. This is because “off” doesn’t always mean “off”; it can mean “on standby”. Security experts advise that if users expect the Nintendo Wii to be truly off, they need to pull both the power plug and the Ethernet cable. If it’s battery powered or you’re on Wi-Fi, the only way to know you are completely secure when not using the Wii is to switch off the wireless network.


Christmas Security Risk #7: Smartphones and their apps




A few years ago, the European Union Agency for Network and Information Security identified the top 10 security risks for smartphone users, and these pretty much remain the same today, although the popularity of apps like WhatsApp has attracted more scammers, elevating the risk of phishing to a new high.


Here’s what we think are today’s top risks:


  1. Phishing attacks – an attacker collects user credentials (such as passwords and credit card numbers) by means of fake apps or text messages and emails that seem genuine. See our recent WhatsApp blog.

  2. The smartphone is stolen or lost and its memory or removable media are unprotected, allowing an attacker access to the data stored on it.

  3. The smartphone is decommissioned improperly allowing an attacker access to the data on the device.

  4. The smartphone has spyware installed, allowing an attacker to access another’s data but actually making them just as vulnerable. The majority of these “spy apps” are actually scams that load malware onto the would-be-spy’s phone.

Christmas Security Risk #8: Toys with microphones and cameras




Toys that contain microphones and cameras could theoretically listen in on conversations, spy on children and control home appliances without parental permission.


Google has recently patented technology that enables all of this.




Christmas Security Risk #9: Giving someone a hug




With all the risks inherent in digital gifts, why not try a non-digital gift like a “hug” this festive season? The only security risk is that you might get a hug in return! Actually, Christmas is not about giving gifts, but giving. So think about not only giving someone a hug, but also giving the gift of your own presence, spending time with your children, family and friends, instead of just buying another gadget to have them entertained.


And if we’ve completely scared you off buying a physical gift entirely and you’d rather donate money to a charity on behalf of your loved ones, then follow these precautions, because scammers can take advantage of those who are trying to be generous this Christmas:


  1. Always verify that the organization is authentic and not a fake clone of a well-known charity

  2. Never donate if some unknown entity/person asks you do so by email

  3. Do a Google search to see if there are any reports that the charity is a scam, or has been targeted by scammers.

Christmas Security Risk #10: Socks that aren’t made with natural fibres




Socks that aren’t made with wool or cotton come with their own inherent risks. You might have to open every door and window to air out the house because of bad foot odour, making you vulnerable to an old fashioned domestic burglary!


Speaking of burglaries, see our list of other cyber-related Christmas security threats below…




Other cyber-related security threats at Christmas


Cyber-related security threats at Christmas don’t just come neatly wrapped. It’s important to be security conscious wherever you’re shopping – whether it’s online or at a bricks and mortar store – and when you’re not home.


  1. Always remember you should NEVER send your full credit card details (name, number, expiry date and security code) by any non-encrypted channels such as email. The details must be sent exclusively via encrypted websites that use “https” instead of “http” in the website address.

  2. If you’re using a credit or debit card either in-store or online, check your bank statements regularly – even now that chip technology, which stores data on integrated circuits rather than magnetic stripes, has become the gold standard, stolen card data can still be used for fraud in situations where a card is not physically present, because other people can use the stolen card details for online purchases.

  3. Many security experts also believe retailers are more at risk during the festive season. Perhaps reconsider shopping online during the Christmas peak-trading period, when DDoS traffic could be disguised as peak sales traffic and may not be identified as related to an attack.

  4. Many retailers are now encouraging you to download their in-store apps, so be aware that these can also be vulnerable to attacks and security breaches. Ask questions about how your personal data will be protected. Use only the tried and tested apps – be very wary of being an early adopter in these cases. (You might also want to ensure you’ve got the latest version of Emsisoft Mobile Security installed.)

  5. With online shopping becoming more and more commonplace, never give permission for deliveries to be left outside in a visible place, as it provides a clear signal to would-be burglars that nobody is home.

  6. Don’t leave discarded boxes of expensive items (e.g. TVs, tablets, desktop computers) outside the house after Christmas. They are to burglars what honey is to bees – and if a thief is trying to decide which house in the street to break into, it makes you the most obvious target.

What to do before you connect…


While unwrapping a shiny new gadget might well bring joy on Christmas day, some security experts believe the problems could really start when people try to connect such devices to their home or office networks. There have been recent reports of so-called “trojanised adware” affecting Android phones and a new iOS malware called XcodeGhost. Usually applications are not allowed to access the files created by other applications; however, with root access, which is enabled by both the Android and iOS malware, those limitations are easily bypassed. Security experts are concerned it is only a matter of time before sophisticated attacks exploit the potential of mobile devices to act as a backdoor into office networks.


If you are planning on buying either yourself or someone you love a shiny new Windows computer or laptop, it’s a good idea to invest in some solid protection. When you’ve got the latest version of Emsisoft Anti-Malware installed, you can be worry-free about malware this holiday season.











Thursday, December 3, 2015

Why we believe it’s not ethical to sell antivirus software for Windows XP any longer

A few weeks ago, Windows XP turned 14.


Have you heard about the concept of dog years? It’s based on the belief that one dog year is equivalent to seven human years. Well, there’s also a theory that one computer year equals 20 human years. When you apply the concept of dog years to computers, a 14-year-old computer would be 280 years old in human years – and it’s difficult to argue with the idea that an operating system is any different. In fact, hardware usually outlives software, which should remove all doubt that XP has passed its use-by date.


Microsoft clearly thinks so, given that it wound up support for XP in April 2014.




Yet, according to the latest NetMarketShare data, XP is still the second most popular operating system, with an 11.68% market share in October 2015. While this falls well behind current market leader Windows 7, which has 55.71% of market share, it’s still a significant number.


Only about five per cent of Emsisoft users are still running XP. While this is far fewer than the proportion still using XP in the general population (showing how savvy our customers are), we think it’s still too many. If you are still running XP or Vista, or know someone who is, read on – it could save you thousands of dollars and innumerable hours of anxiety.




Prepare to dodge the bullets if you’re being told you’re still protected


Old operating systems like XP and Vista are not only insecure because of their age but also because they lack several operating system kernel features that help anti-virus and anti-malware providers deliver their critical security features.


As tech writer and all-round geek Chris Hoffman says, Windows XP is the security equivalent of Swiss cheese. Not only does Microsoft no longer support XP, as of July this year, it no longer provides virus definitions and updates for its Malicious Software Removal Tool. There are new threats all the time. This year, there’s been an increase in ransomware along with a super-critical bug that opens a doorway, through an OpenType fonts vulnerability, and gives attackers full access to your PC.




Even with the best anti-virus or anti-malware solution in place, you’re vulnerable to attack. It’s a bit like installing a state-of-the-art home security system and then leaving all your doors and windows open when you go away for the weekend.


Put simply, it’s no longer ethical to sell antivirus software that pretends to protect XP and Vista when both lack significant security features in their core structures.




What have frogs got to do with XP and Vista?


You know how many developing countries leapfrog technologies and end up more equipped than some so-called developed nations? Think of Bangladesh, which has gone from having very few telephones to almost everybody owning a cell phone, skipping landline phones altogether. Some new cities in China have adopted solar power, completely bypassing fossil fuels.


One of the reasons Windows XP has remained so popular is that its successor Windows Vista was so unpopular. And even though Microsoft released Vista’s successor Windows 7 back in 2009, it took a few years to be embraced – only overtaking XP in total market share at the end of 2011.


However, if you are one of those who have been reluctant to upgrade to either Windows 7 or 8.1, it is now time to leapfrog the majority of Windows users and switch to Windows 10.


Just like these leapfrogging countries and cities, moving from XP to Windows 10 is an opportunity to skip inferior technologies and move more directly to a more advanced system.




According to Dan Graziano at CNET, Windows 10 “isn’t like the horrors you may have heard about with Windows 8”. In fact, it isn’t all that different from Vista or XP from a visual standpoint. As well as a return to the familiar Start button and desktop interface that XP and Vista users know and love, Windows 10 offers a huge range of new features.


If you’ve heard rumours about how Windows 10 is spying on its users, check out ‘The truth about Windows 10 spying on almost everything you do’ for our detailed analysis. There are several steps you can take to maximize your privacy while using Windows 10, and we encourage you to explore these options.


And, like Emsisoft, Microsoft’s latest operating system operates as a service rather than a single product that will inevitably become obsolete. Effectively, you sign up as a customer for ongoing updates to its features and functionality. All Windows 10 devices will continue to receive updates “for the supported lifetime of the device”. In other words, it will be updated for as long as your hardware meets the specifications.


If you’re running XP or Vista, buying a license today for Windows 10 Home will cost $119 (£99). The Professional version costs $199 (£189).


Once you’ve installed Windows 10, you will be able to automatically upgrade to Emsisoft Anti-Malware and Emsisoft Internet Security version 11, which was released on 12 November and represents another leap in technology. You can find out more about the features here. As always, all customers who already own a valid Emsisoft license will receive this new version at no cost.




Watch your computer speed up with a new OS


If you’re worried that some of your software programs won’t run on Windows 10, a virtual machine environment (or the XP compatibility mode that’s included in Windows 10) could be the solution. This means you can keep using your XP software and hardware while at the same time knowing you’re doing so on a modern, supported, secure operating system.


Even though this is a good option, some of you may still wonder whether it would be better to buy a new PC or laptop, but that’s generally unnecessary – most people are pleasantly surprised how much faster their computer runs with a new operating system.




However, some older machines may not be capable of running it. Basically, you will need the following:


  • Processor: 1GHz CPU or faster

  • RAM: 1GB (32-bit) or 2GB (64-bit)

  • Disk space: 16GB (32-bit) or 20GB (64-bit)

  • Graphics: DirectX 9-capable video card with WDDM driver

If your computer doesn’t meet these specifications, you may wish to consider buying a new PC or laptop.




The sun is setting


Emsisoft Anti-Malware 11 and Emsisoft Internet Security 11 will not run on XP and Vista, but the good news is that we will keep providing daily updates for XP and Vista users running Version 10 of our security suites until April 2016 as planned, so you have a little more time to upgrade.


Since Microsoft first announced that it was no longer backing XP back in April 2013, Emsisoft has been committed to giving our customers this decent “sunset provision”. However, even with our extended protection your Windows XP computer will still be vulnerable to an attack. If someone discovers a flaw in the operating system and decides to exploit it, Microsoft will not issue a patch.


With Windows 10 now available, is there really any good reason to delay? Consider upgrading today.










Friday, October 30, 2015

20 things that can go terribly wrong when you ask the wrong peer for security advice

Millions of people every year fall victim to scams, hackers, and malware. You’ve heard it all before, right? Instead of lecturing you about the importance of security software with a lengthy essay, we decided to take the issue to the public. We hand-picked 20 of your peers and this is what they had to say on the matter:


  • A great-great-grandmother

  • A search engine

  • A good friend

  • A doctor

  • A neighbor

  • An email provider

  • A straight-forward guy

  • A master chef

  • An architect

  • A security guard

  • A lonely person

  • An entertainer

  • A freeware addict

  • A patriot

  • A politician

  • A journalist

  • A surveillance firm

  • The big guys

  • A true believer

  • Dave



Have more? Let us have it!






