How Microsoft’s Windows 10 Privacy Update Could Impact You
Windows Insider Program participants will now be able to view and manage their Microsoft accounts via a newly released, diagnostics-based privacy dashboard. Dubbed “The Windows Diagnostic Data Viewer,” the new dashboard (which is still in beta) gives Microsoft Windows 10 users the ability to see, search, and make changes to diagnostic data associated with their accounts. For example, users will be able to monitor the different operating systems associated with the account, including which version of the OS is installed, on which devices the OS is installed, and how the devices are performing—both from a network management and a physical hardware perspective. This dashboard gives families and small businesses the ability to monitor their Microsoft account for deviations from normal performance. Say, for example, that your account is being accessed by a device in a foreign country to which you’ve never traveled. The dashboard lets you proactively disable the account or contact Microsoft to further investigate; the same can be said for unknown Wi-Fi and Bluetooth connections. The Windows Diagnostic Data Viewer also provides some oversight into which applications, services, settings, and preferences have been installed on the device. Users will see a list of the characteristics and can take appropriate action if something appears to be amiss. All features and data listed in the dashboard can be searched and filtered to provide users with a more streamlined approach to investigating. “We believe in the timeless value of privacy. We are on a journey with our customers and fully committed to putting them in control of their data, and providing the information they need to make informed decisions about their privacy,” said Marisa Rogers, Windows & Devices Group (WDG) Privacy Officer at Microsoft. “The Diagnostic Data Viewer is the next step in helping customers and customer advocates verify the commitments in our online documentation,” Rogers continued. “The Activity History in the dashboard provides a new aggregated view of the data associated with a customer’s Microsoft account. We will continue to listen to input from our customers and customer advocates to refine privacy experiences for our customers.” Mcrosoft Privacy Dashboard The company also added new features to its pre-existing Microsoft Privacy Dashboard. Users can now view and manage data consumption on the same page as product and service activity. This gives users an easier way to compare and contrast normal usage versus anomalies within the system (as opposed...
Read MoreESET wins two Cyber Defense Magazine InfoSec Awards at RSA 2018
April 16, 2018 As RSA 2018 kicks off in San Francisco, Cyber Defense Magazine announced today that IT security leader ESET is taking home two of their annual InfoSec Awards. ESET was the sole winner in the InfoSec Research category, and one of the winners in the Best Endpoint Security category. In its 30 years of business, ESET has excelled in both technology innovation and malware research, and now protects over 110 million users across the globe. ESET’s global research team has long been revered for the work it has done tracking, analyzing and communicating cyber threats. From cyber-espionage groups, to nation-state attackers, ESET has been behind some of the most important and influential research including Industroyer and Petya/NotPetya. In June 2017, ESET released its findings on Industroyer (discovered by ESET), which was the first piece of malware that demonstrated the ability to control electrical substations. Industroyer caused a blackout in Kiev, Ukraine. ESET’s discovery was critically important in the realm of industrial control cybersecurity (ICS) as it exemplified how malware can negatively impact physical ICS controls. ESET Endpoint Security is used by some of the most iconic brands in the world, and has steadily incorporated layered technology and machine learning. Gartner recently awarded ESET with the Gartner Peer Insights Customer Choice Award for Endpoint Protection Platforms. ESET Endpoint Security was also one of the few security products that actually stopped the spread of the outbreak of WannaCry due to its innovative AI-based Network Attack Protection module, a layer of security that ESET introduced in 2015. “With cybercrime continuing to gain momentum, surpassing global drug crime last year and reaching over $600 billion in theft and damages, we are proud to see this company as an award-winning innovator, offering a new approach to defeat these criminals,” said Pierlugi Paganini, editor in chief, Cyber Defense Magazine. ...
Read MoreResearchers Uncover Polymorphic AutoRun Worm
W32/Autorun.worm.aaeb-h is an evolved, virtual machine-aware AutoRun worm that makes use of obfuscation and polymorphic techniques in order to evade detection and infect removable media and mounted network shares, according to McAfee. Researchers have seen an increase in samples for the year-old malware family, which is compiled in Visual Basic 6. This family of malware generally compromises machines through drive-by downloads or spam and ends up looking like any other thumb-drive infecting, AutoRun worm. W32/Autorun.worm.aaeb-h is the most complicated virus among known members of this family.Its authors have upped their game with this latest version by encrypting all the important strings with one or in some cases two rounds through the RC4 cipher algorithm using a randomly generated encryption key. McAfee’s Sanchit Karve notes that earlier variants stored much of their code in plain-text. The initial infection requires that users either willingly execute the malicious file directly or navigate to a folder storing the files. Once a machine is compromised, the malware writes an “autorun.inf” file so that it can automatically execute itself on any machines with AutoRun enabled as the worm spreads. Researchers have also observed the malware copying itself to Zip and RAR archive files and downloading new software from its command and control server. The worm is also changing relevant directories so that they appear hidden in affected drives. Beyond that the worm is copying itself as that hidden directory file but also as “secret.exe,” “sexy.exe,” “porn.exe,” and “passwords.exe” among other apparently-alluring-things in what McAfee claims is an attempt to trick new users into running the malicious executables. Whoever is responsible for this worm is packaging it with VB6 projects in order to make it seem like legitimate software. Most of the payload files themselves are originating from the Zbot and BackDoor malware...
Read MoreJoomla Sites Hit by IFrame Injection Attacks
Users of the popular Joomla content management system are being urged by security experts to upgrade to the latest version after reports of exploits being used to compromise websites built on the platform. The SANS Internet Storm Center received numerous reports that Joomla sites, as well as WordPress sites, had been compromised and iFrames had been injected that were pointing visitors to malicious sites. “The interesting thing to note is that it doesn’t seem to be a scanner exploiting one vulnerability, but some tool that’s basically firing a bunch of Joomla and WordPress exploits at a given server and hoping something hits,” said ISC handler John Bambenek. Joomla sites built with extensions were, in particular, being exploited, Bambenek said. The ISC report identified a pair of IP addresses, 78.157.192.72 and 108.174.52.38, as the biggest offenders. The exploits, Bambenek said, were loading scareware on victims’ computers. German security and tech site The H reports that the German Computer Emergency Response Team (CERT-Bund) also confirmed attacks emanating from Joomla sites. CERT-Bund said the iFrame points visitors to a Sutra Traffic Distribution System that eventually lands them on a site hosting an exploit kit. In September, Joomla warned of a series of automated attacks against the Joomla Content Editor versions 2.0.11 and earlier that were infecting websites with malicious content. The attacks were dropping malicious GIF images; attackers were able to attack the front end without authentication, Joomla said at the time in an advisory. The GIF is a PHP shell which gives the attacker a launchpad for further Java exploits such as redirecting visitors to a malicious site, spam or phishing attacks, or unauthorized database access. The H added that the use of the traffic redistribution systems, which are channels used by attackers that buy and sell Web traffic. Visitors clicking on a particular link would be redirected by the TDS to the vendor, which would sell the traffic to the attacker in this...
Read MoreNew Linux Rootkit Emerges
A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of high-level programmer or be meant for use in targeted attacks. The new Linux rootkit is loaded into memory and once there, it pulls out some memory addresses and then stores them for use later. It also then hooks into several kernel functions as a way to hide some of its files on the machine. “To hook private functions that are called without indirection (e.g., through a function pointer), the rootkit employs inline code hooking. In order to hook a function, the rootkit simply overwrites the start of the function with an e9 byte. This is the opcode for a jmp rel32 instruction, which, as its only operand, has 4 bytes relative offset to jump to,” Georg Wicherski of CrowdStrike wrote in a detailed analysis of the new Linux malware. “The rootkit, however, calculates an 8-byte or 64-bit offset in a stack buffer and then copies 19 bytes (8 bytes offset, 11 bytes unitialized) behind the e9 opcode into the target function. By pure chance the jump still works, because amd64 is a little endian architecture, so the high extra 4 bytes offset are simply ignored.” The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said that his site had been targeted by the malware and some of his customers had been redirected to malicious sites. The rootkit, like many pieces of malware, relies on a remote command-and-control server for some instructions. The server is still active right now and researchers said that it has some other related tools stored on it, as well. In order to inject the iframes onto targeted sites the rootkit uses a custom method. “The iFrame injection mechanism is quite interesting: the malware substitutes the system function tcp_sendmsg – which is responsible for building TCP packets – with its own function, so the malicious...
Read MoreShamoon Malware Steals Data
A new piece of malware known as Shamoon that has the ability to destroy files on infected machines and overwrite the master boot record has researchers scratching their heads, wondering what the tool’s purpose might be and why the attackers behind it would destroy infected PCs. There are some indications that the malware could be related to Wiper, but researchers believe this is a red herring. The Shamoon malware came to light on Thursday when researchers at Kasperksy Lab said that they had analyzed samples that included some odd and puzzling characteristics. One module in the malware has a string with a name that includes “wiper” as part of it, something that could point to a connection to the Wiper or Skywiper malware discovered earlier this year. Wiper was erasing files from disks, but it doesn’t appear that the two are connected at this point. “Our opinion, based on researching several systems attacked by the original Wiper, is that it is not. The original “Wiper” was using certain service names (“RAHD…”) together with specific filenames for its drivers (“%temp%\~dxxx.tmp”) which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware,” Kaspersky researchers said. However, researchers at Seculert who looked at Shamoon found that the malware not only has the ability to destroy data on infected PCs, but it also can overwrite the machine’s MBR, making the PC essentially useless. They discovered that before Shamoon executes its destructive instructions, it collects data from various files on the infected machine and then feeds that data to another infected PC on the same internal network. It’s a confusing routine, but there may be a reason for it. “The attacker took control of an internal machine connected directly to the internet, and used that machine as a proxy to the external Command-and-Control (C2) server. Through the proxy, the attacker infected the other internal machines, which were probably not connected directly to the internet,” Aviv Raff, Seculert CTO, said in his analysis. After the attackers got whatever information they wanted off of the Shamoon-infected PCs, they then executed the instructions to delete the data on the hard disk and overwrite the MBR. Shamoon then communicates the results back to the command-and-control server through the internal proxy, Seculert said. The intent of the attackers behind the...
Read More