G DATA Software
These days, ransomware seems to be the weapon of choice for many cyber criminals because of the havoc it causes and the rewards it brings. But despite a tendency of these criminals to abandon banking malware in favor of ransomware, there is no reason to let down your guard. Researchers at G DATA Advanced Analytics have observed a recent increase in the number of infections caused by banking Trojans, particularly ZeuS Panda.
One of the key ingredients of banking Trojans is the so-called web inject. In short, a web inject adds HTML code into the network traffic of a browser, and these web injects usually consist of multiple stages. In the case of ZeuS, Stage 1 is a fairly generic inject responsible for downloading further target-specific code. Then, in Stage 2, the inject manipulates the contents of a website to display all manner of fabricated data. This fabricated data may consist of messages about 'accidental' transactions the user is expected to 'refund', which blend in very well with the look and feel of the targeted banking site to fool victims into handing over personal data.
For an in-depth look at the technical details behind ZeuS Panda, head over to the G DATA Advanced Analytics blog to see under the hood.
G DATA wants to address some concerns regarding a research paper that was published recently concerning HTTPS. The paper, entitled The Security Impact of HTTPS Interception, states that multiple security vendors "break" encrypted data traffic by forwarding it with a weaker sort of encryption. This makes connections susceptible to attacks against security flaws in the encryption, such as the POODLE (Padding Oracle On Downgraded Legacy Encryption) exploit. Naturally, these findings left G DATA users concerned about the security of their encrypted data, so our team contacted the authors to set the record straight.
After analyzing the data, it has been established that there was an error in the data processed by the researchers. In fact, none of G DATA's solutions touches HTTPS traffic in any way. Only unencrypted connection data (IP addresses and domain names) is checked. These are checked against a blacklist of known malicious IP addresses and domains.
An updated version of the paper will be made available soon, and we would like to thank the research team for their smooth communication and cooperation on this matter. For more information, you can read the full statement in English here, and in German here.
As you may have heard, yesterday was Safer Internet Day, an annual international event that promotes safe internet use and raises awareness of emerging online issues such as cyber-bullying, trolling, and security threats like malware and data theft. Starting as an initiative of the EU SafeBorders project in 2004, Safer Internet Day (SID) has expanded tremendously over the years and is now celebrated in over 100 countries worldwide.
On the occasion of the Safer Internet Day 2017, which features the motto, "Be the change: Unite for a better internet", G DATA has put together a list of expert tips on how you can contribute to the cause of internet safety and help protect yourself (and those around you) from online threats.
Check out the full list as well as other helpful FREE security tools here (German) and here (English)!
There is an ongoing trend in the health care industry towards increasing connectivity. This connectivity promises benefits for patients and medical professionals alike. Imagine routine healthcare tasks being performed remotely without the patient ever having to set foot in a doctor's office. This level of connectivity opens a lot of doors, especially for those patients unable to travel easily.
But with the advent of ransomware, a chilling possibility has emerged: that criminals might one day be able to extort money from patients and health care facilities by threatening to disable life support systems. Researchers have discovered that the stationary transmitter used by a specific type of pacemaker suffers from a vulnerability which may have been exploitable remotely. The manufacturer released a software update to fix the flaw and the FDA released a note to inform patients and medical practitioners to take the required steps to update the software.
This is just one example. Read how research and hedge funds might influence the security of connected medical devices HERE.
Well, we've arrived at the end of the "Kings In Your Castle" series. Over the past few months, we've shared the findings of security analysts Marion Marschalek and Raphael Vinot as they discuss the tools at the disposal of analysts, dataset and feature extraction, zero-days, using hashes, and what sophistication means from an analyst's perspective.
The fifth and final part of the series on analyzing modern advanced persistent threats (APTs) deals with the naming and attribution of APTs. This is far less trivial than it sounds: analysts often face the same adversary again and again without realizing it.
Why is naming a group so important, you might ask. The answer is surprisingly simple: when you look at all the attacks stemming from groups that appear different but are in fact the same, and then establish a timeline, you get a very precise picture of how those groups have developed their approach to targets over time.
Head over to the G DATA Advanced Analytics Blog to learn more about how analysts attribute attacks to certain groups and catch up on all 5 parts of the "Kings In Your Castle" series!
Well, 2017 is already on a roll with new strains of ransomware. One of the latest to be discovered, called Spora, is a sophisticated threat with an interesting business model: more encrypted files = higher ransom.
Spread via USB drives, Spora operates by generating a pair of RSA keys, C1 and C2 (1024 bit), for encrypting files. This newly generated public RSA key C2 is used to encrypt the per-file AES keys which are also generated by Spora. The generated private RSA key C1, on the other hand, is stored in the .KEY file - which is only decryptable by the ransomware authors.
Using this encryption scheme, Spora does not have to obtain a key from a command and control server and can work offline. The user has to upload the .KEY file to the payment site. After uploading the .KEY file to Spora's payment website, the ransom amount will be calculated depending on the number of encrypted files. You can see examples of these rates in our latest Security Blog HERE.
What do you think of this ransomware model? Could the sophistication of this threat make it the new Locky?
With each new year come endless lists of New Year's resolutions. When it comes to making resolutions for your business data however, digital security should be the one resolution you really stick with.
Here are G DATA's recommended resolutions for increasing your personal digital security, which can save you a lot of regret in 2017 and beyond:
Install all updates: The operating system and all installed applications on office computers, smartphones, and tablets should be brought up to date. Software that is no longer being supplied with updates by the provider should be deleted or replaced with new software.
Back up critical data: Without regular backups, ransomware attacks and PC breakdowns can cause you to permanently lose your data. Powerful security solutions such as G DATA Total Security and G DATA Internet Security usually include a backup module and anti-ransomware technology, so there is no need to buy additional software.
Apps only from secure sources: Applications should only be downloaded from trustworthy app stores belonging to manufacturers and providers. The permissions requested with every download should be carefully checked.
Install a security solution: Powerful security software is part of the basic set-up for PCs, Macs and mobile devices. It should include extensive protection against malware and other cyber threats.
Use strong passwords: Passwords should always be at least eight characters long and consist of a combination of lower and upper case letters plus numbers and, where possible, special characters. In addition, the same password should never be reused on multiple online platforms. A password manager such as the one included in G DATA Total Security can help with this.
In part 4 of Marion Marschalek's and Raphael Vinot's series "The Kings In Your Castle", we're back with the question: what does 'sophistication' even mean? Their 4th entry focuses on answering this question by demonstrating what sophistication looks like from a malware analyst's perspective, including techniques such as code obfuscation, packers, and software crypters. Marion and Raphael also present their findings on commodity Remote Access Trojans (RATs) within the corpus of malware that they analyzed as part of their research presented at the Troopers conference last March.
Pop over to the G DATA Advanced Analytics blog to catch part 4 and the previous entries in "The Kings In Your Castle" series.
From Locky and Petya to TeslaCrypt and GoldenEye, ransomware was one of the main topics in IT security in 2016. These types of malware have proven exceptionally profitable for cyber criminals, and as a result, more and more advanced ransomware variants are surfacing. With 2017 being just days away, it's certainly no time to sound the "all clear."
Securing critical infrastructure and IoT devices is seen as one of the major IT security challenges for the year. The problem is that many devices which are connected to the web were never designed with internet connections in mind; connectivity was retrofitted later. For 2017, G DATA Security Evangelist Tim Berghoff predicts, "With the increased need for privacy on one side and the increased demand for IoT devices on the other, the discussion about data protection will be heating up further."
To read Tim's IT security forecast for 2017, check out our latest post HERE.
This particular strain is called Maktub, which is an Arabic term that roughly translates to "as it is written" or "this is fate." What makes this particular ransomware strain stand out is its creators' attention to the GUI design. According to Bleeping Computer, the decryption site is broken up into 5 separate pages, each with its own color scheme and artwork. You can find screenshots of each page on their website here.
Unfortunately, as of today, files encrypted by Maktub cannot yet be decrypted without paying the ransom. However, we strongly advise against paying the ransom, as there is no guarantee that your files will actually be recovered. For more information on Maktub and how to protect yourself, visit our Security Blog HERE.
If you've been following our Kings In Your Castle series these past few weeks, you've learned about the intricacies of targeted attacks and about some of the tools and the data used by analysts, such as Indicators of Compromise (IoCs). In part 3 of Marion Marschalek's and Raphael Vinot's series on modern APTs, they shine some light on the prevalence of zero-day vulnerabilities and on how hashes can enable analysts to detect the reuse of source code in other places.
According to their research, the use of zero-days is actually far less common than many would expect. Attacks such as Stuxnet, which used multiple zero-day vulnerabilities, are not something that researchers see on a daily basis. In fact, APT groups in some cases exploit vulnerabilities that are a couple of years old. To add some numbers to it: among the 326 cases Marschalek and Vinot examined, the most frequently used exploit targeted a vulnerability discovered in 2012. The risk of facing an attack which uses an old exploit is therefore significantly higher than the risk of facing a zero-day. This emphasizes the importance of organizations regularly installing current updates and plugging known security holes.
If you are interested in more information, head on over to the G DATA Advanced Analytics blog to learn more!
Last month, about 900,000 customers of Deutsche Telekom found themselves without a working internet connection thanks to an attack against the ISP's customer routers. According to analyses by several international researchers (such as Comsecuris), a Denial of Service (DoS) vulnerability in the affected devices is to blame for the outage. But who is responsible for the attack, and what was their motivation for executing attacks on routers?
"Attacks which attempt to exploit vulnerabilities of routers are extremely lucrative for attackers," says Tim Berghoff, G DATA Security Evangelist. "If attackers succeed in exploiting security holes, they are capable of performing manipulations such as changing the DNS settings. This would put criminals in a position to intercept personal data such as credit card details or login data for online platforms and services."
Experts estimate that the attack that has just been discovered is just the tip of the iceberg, and more attacks on routers and IoT devices can be expected in the future. To find out more about the attack, read Tim's full article in the G DATA SecurityBlog HERE.
A few weeks ago, we introduced you to the first of 5 articles written by G Data Principal Malware Analyst Marion Marschalek and Raphael Vinot of the Computer Incident Response Center Luxembourg (CIRCL). This series of write-ups, called "The Kings in Your Castle", delves into the intricacies of targeted attacks and the challenges that await researchers.
Part 2 of Marion and Raphael's article series deals with questions that surround the tools and the data used by analysts, while also shining a light on some of the challenges facing analysts when it comes to Indicators of Compromise (IoCs). TechTarget defines IoCs as "pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network."
On most vendor pages, there is a list of IoCs at the end of an analysis, and most of the time these consist of data points such as the IP addresses contacted by the analyzed piece of malware. The advantage of these data points is that they are easy to create and to base a response on. The drawback is that some of them are relatively volatile: an IP address or domain can be swapped out long before the report is published. For an effective strategy, other metrics are required which are less easy to create.
If you are interested in learning about the nature of the analysis data set and feature extraction, head on over to the blog of G DATA Advanced Analytics and read the full article there. You can also check out Part 1 of the series HERE.
Since the release of the open source ransomware Hidden Tear in August 2015, researchers have published several ransomware projects in the name of education and freedom of knowledge.
Educational ransomware comes either as binary or source code, published with the proclaimed intent to showcase potential risks, prevent infections, reduce potential damage, and/or improve security products and behavior guidelines. G Data SecurityLabs has distinguished roughly 4 different flavors of educational ransomware, including:
Ransomware Simulators (like this one by KnowBe4)
Partially Functional Open Source Ransomware
Fully Functional Open Source Ransomware
Closed Source Proof-of-Concept Binaries
However, the question of the usefulness of these open-source projects has sparked debates among security enthusiasts and researchers. Especially with fully functional open source ransomware projects like Hidden Tear, the disadvantages are clearly perceptible and can outweigh any potential (or imaginary) gains. Most of the advantages can be achieved by publishing only parts of the source code or providing it only to the people that need to know it to improve their security products.
What do you think - Should ransomware be used for educational purposes?
Mobile devices, especially smartphones, are a very lucrative target for cyber criminals because they are a fixture of everyday private and working life. Researchers at VUSec Labs, the University of California, and Graz University of Technology have succeeded in exploiting a security hole in Android smartphone hardware. Experts have dubbed the attack vector “Deterministic Rowhammer” (Drammer for short). In the wrong hands, this can be used to develop powerful malware that can take over the entire smartphone, acquiring extensive rights (root access) for unauthorized individuals.
Like Rowhammer.js, Drammer shows that theoretical attacks such as Rowhammer have become increasingly easy to carry out in the past two years. In the past, user interaction was still required when installing an app; with the current malware, this is no longer necessary. G DATA experts describe this change through the use of drive-by infections in the current Mobile Malware Report.
Learn more about Drammer and how researchers are using it to highlight weaknesses in the security architecture of modern mobile devices HERE.