ESET discovers new USB-based data stealing malware

“The USB Thief is, in many aspects different from the more common malware types that we’re used to seeing flooding the internet,” Mr. Gardoň notes.

“The USB Thief is, in many aspects different from the more common malware types that we’re used to seeing flooding the internet,”

“The USB Thief is, in many aspects different from the more common malware types that we’re used to seeing flooding the internet,”

“This one uses only USB devices for propagation, and it does not leave any evidence on the compromised computer. Its creators also employ special mechanisms to protect the malware from being reproduced or copied, which makes it even harder to detect and analyze.

When reading about new malware, the first question that comes to mind is ‘What is the goal of its creator?’. What is your take on the USB Thief?

We can guess their intentions from the capabilities implemented in the malware. Because it is USB-based, the malware is capable of attacks on systems isolated from the internet. Another benefit of being run from a USB removable device is that it leaves no trace – victims don’t notice that their data has been stolen.

Another feature – and one that makes this malware unusual – is that not only it is USB-based, but it is also bound to a single USB device, since it is intended that the malware shouldn’t be duplicated or copied. This binding, combined with its sophisticated implementation of multi-staged encryption that is also bound to features of the USB device hosting it, makes it very difficult to detect and analyze.

Could you elaborate on reasons behind binding the malware to a particular device and encrypting it?

Traditionally, malware is often encrypted, and the obvious reason is that encryption prevents the malware from being detected or – if it gets detected – from being analyzed. In this case, encryption also serves the purpose of binding the malware to a particular device.

As for the reasons for binding to a particular device – this obviously makes it harder for the malware to spread but on the other hand it prevents it from leaking outside the target environment. And, given that the attack leaves no traces, the chances are that the malware won’t be spotted if kept on the USB device and wiped off the machine after completing its mission.

To sum up, to me it seems that this malware has been created for targeted attacks.

Malware capable of targeted attacks against systems isolated from the internet – it’s quite a dangerous tool, isn’t it?

Well, taking into account that organizations isolate some of their systems for a good reason … yes. Any tool capable of attacking these so called air-gapped systems must be regarded as dangerous. More so if it is able to disappear without leaving any trace.

How can organizations prevent attacks based on such malware from succeeding?

This malware is unique because of some particular features but the defense against it still falls within the capabilities of general cybersecurity measures.

Most importantly, USB ports should be disabled wherever possible and, if that’s not possible, strict policies should be in place to enforce care in their use. It’s highly desirable for staff at all levels to undergo cybersecurity training – including real-life testing – if possible …

… Not to get tricked into running the malware, right?

Unfortunately, this is not the case with the USB Thief as it uses an uncommon way to trick a user – it benefits from the fact that USB devices often store portable versions of some common applications like Firefox portable, Notepad++ portable, TrueCrypt portable and so on. It can be stored as a plugin source of portable applications or just a library – DLL – used by the portable application. And therefore, whenever such an application is executed, the malware will also be run in the background.

But people should understand the risks associated with dealing with USB storage devices from sources that may not be trustworthy. Several surveys have shown that people are surprisingly likely to insert every thumb drive they may find into their computers.

Of course, other means of protecting data should be also deployed – from perimeter protection to encryption to data backup.

When we talk about air-gapped systems, these may also be industrial systems, right? This malware is not that serious of a threat to industrial systems as it is only capable of stealing data …

Well, there are many ways in which bad guys could damage a system once they get into it. And this malware’s payload can be redesigned, moving away from data stealing to any other kind of malicious action.

Mr. Gardoň has delivered a technical analysis of the trojan here.

ESET assists law enforcement in mumblehard takedown

One year after the release of the technical analysis of the Mumblehard Linux botnet, we are pleased to report that it is no longer active. ESET, in cooperation with the Cyber Police of Ukraine and CyS Centrum LLC, have taken down the Mumblehard botnet, stopping all its spamming activities since February 29th, 2016.

ESET is operating a sinkhole server for all known Mumblehard components. We are sharing the sinkhole data with CERT-Bund, which is taking care of notifying the affected parties around the world through their national CERTs.

Collaboration with law enforcement and external entities was crucial in making this operation a success. ESET would like to thank the Cyber Police of Ukraine, CyS Centrum LLC and CERT-Bund. We are proud of our efforts to make the internet a safer place. Mumblehard might not be the most prevalent, the most dangerous or the most sophisticated botnet out there, but shutting it down is still a step in the right direction and shows that security researchers working with other entities can help reduce the impact of criminal activity on the internet.

ESET has not seen any new variants of Mumblehard, or any activities from this malware group, since the takedown.

For more details on the Mumblhard virus, the botnet and its takedown – please read the article on ESET’s blog or this article on

Selecting Protection for your PC

We’ve been an ESET Partner and Reseller for 13+ years. We are one of the original resellers for ESET in the USA.

So why do we continue to sell their product – and – more importantly – why do we use ESET protection on our own machines here in the Computer Security Solutions Office?

Choosing the best Antivirus/Anti-Malware solution for your needs is fraught with challenges. Every IT scenario is different – some have modern, superfast machines, while others might run aging PCs given to them as donations – a common scenario for non-profits.

Protection needs vary – but there are a few factors we consider:

  1. How well a product detects KNOWN threats.
  2. How effectively a product detect NEW & EMERGING threats.
  3. How many system resources are used or System Impact on the user.
  4. How easy it is to INSTALL the software in your environment.
  5. How easy is it to REMOVE the software if you choose to change.
  6. Are the management tools provided by the manufacturer extra cost or included?
  7. Does the vendor charge more for Upgrades for minor/major upgrades?
  8. How honest the product vendor is in their advertising + marketing.
  9. Does the vendor have a proven and consistent track-record in protection?
  10. What % of revenue does a vendor spend on marketing vs research + development?

When we evaluate all these factors in-house.

We install and use the products ourselves, we evaluate the vendor, the vendor reps, the vendor distributors and we use industry standard antivirus testing lab reports for some very in-depth technical testing criteria (like the reactive + proactive testing).

There are a TON of lab reports to choose from – and we have delved deeply into the testing methodologies used by these labs. Some tests are nothing more than paid endorsements – others are fair and have solid test procedures which we trust. Some have a balances approach in one test, but not so much in another. For these reasons we weight our lab reports and the TOP TWO we use are: VirusBulletin – and AV-Comparatives – in that order.

We also weight one-off passes or failures in testing against the longevity and consistency of a product. That means, a single amazingly good, or very bad test does not automatically mean we drop or rave about a product.

A quick comparison – PCMatic

Marketing hype is common in all industries – in the antivirus industry this is no different, and marketing spin might even be more prevalent than many other industries. To check out a competitor, we look at PCMatic, a product vendor that spends a LOT of money on TV commercials.

So are PCMatic promising the moon and delivering, or are they pushing hype + bluster?

PCMatic says it performs well in VB100 Awards – we check out the marketing claim:

Rob Cheng - Founder + CEO likes to claim that PCMatic does well in the "VB100 RAP Test"

Rob Cheng – Founder + CEO likes to claim that PCMatic does well in the “VB100 RAP Test”

First – there is no ‘VB100 RAP Test’ – the RAP Quadrant is a combination report of two tests – the Reactive And Proactive tests.  When someone talks about a VB100 RAP Test, it makes us a little concerned.  Do they really understand the tests, or are they spinning the results?  We will see….

Virus Bulletin Results Over Time:

OK – let’s take a look at the last 10 VB100 tests of PCMatic:

The Last 10 PCMatic Tests for VirusBulletin (VB100)

The Last 10 PCMatic Tests for VirusBulletin (VB100)

10 test = 5 fails, 5 VB100 Awards

Compare that to the last 10 VB100 tests of ESET:

The Last 10 ESET Tests for VirusBulletin (VB100)

The Last 10 ESET Tests for VirusBulletin (VB100)

10 tests = 0 Fails, 10 VB100 Awards

Now look closer at those results.  Things to note:

  1. what is the machine impact – shown in the VB100 test as ‘system impact’ – lower scores are better.  PCMatic has VERY large scores.
  2. ESET gets 10 VB100 awards in 10 test – PCMatic gets 5 and misses 5 (ie, they have 5 fails)
  3. Stability rating – ESET scores a SOLID in each test – and PCMatic scores FAIR
  4. RAP Score – the score that PCMatic even says they get 30% more than their competitors – ESET consistently scores 80-91% – PCMatic scores high 80’s to 92%.  Does that look like a 30% higher score for PCMatic than their competitors?  It doesn’t look that way to us.


ESET products have received solid VB100 awards since the start of testing by VirusBulletin – PCMatic has a spotty test result – failing about 50% of the tests (mostly for false positives).

ESET is a solid and stable product – PCMatic is rated ‘fair’ – not exactly ‘SOLID’.

PCMatic makes wild claims about their performance vs the competition – ESET is quiet and goes about the business of building better solutions in a low-key way.

Have you come to realize why we don’t sell PCMatic at all??  We think the choice is clear…

Critical fixes for Windows, Flash and Java

Window, Java and Flash Updates!

Window, Java and Flash Updates!

Window, Flash and Java Updates![/caption]Windows users and those with Adobe Flash Player and/or Java installed, it’s time to update again!

Microsoft just released 13 updates to address more than three dozen unique security vulnerabilities.

Adobe issued security fixes for Flash Player that plugs at least 22 security holes in the widely-used browser plugin.

According to Krebs:

One big critical update from Redmond mends more than a dozen security problems with Internet Explorer. Another critical patch addresses flaws Microsoft Edge — including four that appear to share the same vulnerability identifiers (meaning Microsoft re-used the same vulnerable IE code in its newest Edge browser). Security vendor Qualys as usual has a good roundup of the rest of the critical Microsoft updates.

Adobe issued an update for Flash Player that fixes a slew of security problems with Flash, a very powerful yet vulnerable piece of software that is also unfortunately ubiquitous. After all, as Chris Goettl at Shavlik reminds us, fixing Flash on a modern computer can be a complicated affair: “You need to update Adobe Flash for IE, Flash for Google Chrome, and Flash for Firefox to completely plug all of these 22 vulnerabilities.” Thankfully, Chrome and IE should auto-install the latest Flash version on browser restart (I had to manually restart Chrome to get the latest Flash version).

If you decide to update (more on hobbling or uninstalling Flash in a moment), make sure you watch for unwanted add-ons that come pre-checked with Adobe’s Flash updater. The latest version of Flash for most Windows and Mac users will be v. This page will tell you which version of Flash you have installed (if Flash isn’t installed, the page will offer a downloader to install it).

Patch away, please, but I’d also advise Flash users to figure out how to put the program in a box so that it can’t run unless you want it to. Doing without Flash (or at least without Flash turned on all the time) just makes good security sense, and it isn’t as difficult as you might think: See my post, A Month Without Adobe Flash Player, for tips on how to minimize the risks of having Flash installed.

Finally, Oracle pushed out the second security update (Java SE 8, Update 73) this week for Java JRE. as well as an emergency security update from Oracle for Java — the second patch for Java in a week. This piece explores the back story behind the latest Java update, but the short version is that Oracle is fixing a so-called “DLL side loading bug” that allows malicious applications to hijack Java’s legitimate system processes and avoid having to rely on convincing users double-clicking and executing the malicious file.

This DLL hijacking problem is not unique to Java or Oracle, but I still advise readers to treat Java just like I do Flash: Uninstall the program unless you have an affirmative use for it. If you can’t do that, take steps to unplug it from your browser (or at least from your primary browser).

If you have an specific use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel.

Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Many people confuse Java with JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.

Check out the Krebs On Security Article for Tutorials

Java 8 Update 71

By now we hope that you've updated your Java to Java 8, Update 71

By now we hope that you’ve updated your Java to Java 8, Update 71

Last week Oracle shipped an update for its Java software (Java 8 Update 71) that fixes at least 8 critical security holes. If you have an valid use for Java, update to the latest version; if you’re not sure why you have Java installed, it’s probably time to remove the program once and for all.

Many websites which used to require Java, no longer do so. You can also disable Java for a period and see how it impacts your internet experience. If you don’t miss Java – remove it.

According to Oracle’s release notes, seven of the eight vulnerabilities may be remotely exploitable without authentication. This means, that they could be exploited over a network by malware or miscreants without the need for a username and password. The version with the latest security fixes is Java 8, Update 71. Updates also should be available via the Java Control Panel or from

Windows users can check for the program in the Add/Remove Programs listing in Windows, or visit and click the “Do I have Java?” link on the homepage.

If you really need and use Java for specific Web sites or applications, take the time to update this software. Otherwise, seriously consider removing Java altogether.

Retailers targeted by sophisticated ModPOS malware

Point of Sale System - modPOS Malware Attacking POS

Point of Sale System – modPOS Malware Attacking POS

CSO Online is reporting that the ModPOS malware has already hit multiple national retailers and compromised millions of cards, according to new research released this morning, but there are likely to be more infections still out there since this particular malware is extremely difficult to detect.

“The way that the malware is able to hide itself makes it extremely difficult for retailers to detect with existing capabilities,” said Stephen Ward, senior director at Dallas-based cyber threat intelligence firm iSight Partners, Inc.

It took months for researchers to get a clear view of this malware and reverse engineer it, he said, and then the researchers have spent a month informing retailers about how to spot it.

This POS malware is sophisticated with a VERY extensive toolkit:

As its name suggests, ModPOS is a highly modular malware that targets point of sale systems with keylogging, RAM scraping, credential theft and network reconnaissance functions.

“What we’re seeing is shell code which consists of up to 600 functions, which is astronomical,” said Maria Noboa, iSight’s senior threat analyst. By comparison, typical shellcode would have just a handful of functions, she said.

ModPOS malware is basically a rootkit:

The ModPOS framework also involves hacked kernel drivers and that, Noboa said, is what makes this malware family very dangerous.

“They are essentially rootkits,” she said. “Difficult to detect.”

It isn’t all bad news though:

The one bright spot about this malware, so far at least, is that its creators are not selling it on underground forums or otherwise distributing it to the public.

“We have researchers around the world looking for any sign of people trying to share the code,” she said.

So far, there haven’t been any.

“This gives us an indication that the authors are holding it close to their chest because it’s a profit center for them,” she said. “We categorize this as author-slash-operator because we believe that the people who wrote the malware are the ones operating it.”

Isn’t EMV the answer? Maybe – maybe not…

EMV is not enough

Many retailers are currently in the process of converting to EMV, which allows them to accept more secure chip-based payment cards at the point of sale terminal.

That could help companies defend against ModPOS — but only if they do it right.

“There is a tendency to think that if you have EMV terminals set up, you’re good to go,” Noboa said. “But it has to be implemented correctly, with true end-to-end encryption in place, including encrypting data in memory. That’s key here, because point-of-sale malware capitalizes on data in memory. If it’s not encrypted, ModPOS can still grab that data in clear text.”

In addition, the rest of a company’s infrastructure might still be vulnerable to attackers, she added, including other databases, intellectual property, financial documents.

“The modularity allows them to use it as a Swiss Army knife,” said Ward.

Original Article.

Save 20% on Carbonite until End of September

Carbonite-Home-300x300Save 20% on our most popular Carbonite home products. These products are not often discounted so buy NOW!

Limited-time Promotional Offer of 20% discount is available only to new Carbonite customers.


Carbonite Basic – 1 Year

  • Automatic cloud backup
  • U.S.-based support, 7 days a week
  • Sync, share and access files remotely with free apps
  • Award Winning Carbonite Protection for 1 Year

Carbonite Basic Home – 1 PC or 1 Mac – 1 Year- Regularly: $59.99 – NOW: $47.99

Carbonite Basic – 2 Years

  • Automatic cloud backup
  • U.S.-based support, 7 days a week
  • Sync, share and access files remotely with free apps
  • Award Winning Carbonite Protection for 2 Years

Carbonite Basic Home – 1 PC or 1 Mac – 2 YearRegularly: $119.98 – NOW: $95.98

But hurry – this discount ends on Wednesday 09/30/2015 !!

Save 20% on Carbonite Home Thru August 31st

Carbonite-Home-300x300Save 20% on our most popular Carbonite home products. These products are not often discounted so buy NOW!

Limited-time Promotional Offer of 20% discount is available only to new Carbonite customers.


Carbonite Basic

  • Automatic cloud backup
  • U.S.-based support, 7 days a week
  • Sync, share and access files remotely with free apps

Carbonite Basic Home – 1 PC or 1 Mac – Regularly: $59.99 – NOW: $47.99


Carbonite Personal Plus

  • Automatic cloud backup
  • U.S.-based support, 7 days a week
  • Sync, share and access files remotely with free apps
  • External hard-drive backup
  • Mirror Image backup

Carbonite Personal Plus – 1 PC or 1 Mac – Regularly: $99.99 – NOW: $79.99

But hurry – this discount ends on Monday 08/31/2015 !!

ESET Offers Free Android Stagefright Detector

ESET®, a global pioneer in proactive internet security for 25-years, today announced the availability of a free Android app – ESET Stagefright Detector – which helps users determine if their Android device is affected by the critical Stagefright exploit. The app is available in the Google Play Store now.

ESET makes available a free Android Stagefright Detector

ESET makes available a free Android Stagefright Detector

First discussed at Black Hat 2015 last week, the Stagefright vulnerability allows attackers to gain control of Android phones via the Stagefright library, an open-source media player used by 95 percent of Android devices. The vulnerability gives attackers access to most of the victim’s phone data including email, photos, and personal information by simply sending an MMS (Multimedia Messaging Service) message to the victim’s Android smartphone.

ESET StageFright Detector works with Android 4.0 and older versions of the Android operating system which includes {insert names of the Android OS versions… using the names would be appropriate for SEO and for a more general audience}. The new ESET app alone cannot repair the vulnerability, however once users activate the app and determine whether their Android smartphone is vulnerable they can click on the “Learn More about Stagefright” icon. This takes users to the ESET Knowledgebase article which provides safety steps to protect their data.

ESET recommends all Android smartphone users follow these steps to ensure their data is safe:

  • Enable automatic updates on their device(s) to ensure they receive the latest patches from the device manufacturer or carrier
  • Block MMS from unknown senders
  • Disable automatic MMS retrieval in the Messaging setup
  • Use a browser that is not vulnerable to Stagefright (for example, Firefox 38+)


ESET discovers another porn clicker in Google Play

2015-05-30 14_55_52-Android Apps on Google PlayRecently, Avast researchers discovered the Trojan porn clicker uploaded to Google Play Store and posing as “Dubsmash 2”. This clicker pretended to be an official application, and was downloaded more than 100,000 times. While the click fraud activity did not cause direct harm to the victims such as stealing credentials, it does generate a lot of internet traffic and may cause high data charges for victims that have a restricted data plan, leaving them with high cellphone bills at the end of the month.

Less than a month later, ESET researchers discovered that a plethora of variants of this same fake Dubsmash application found their way on to the official Google Play, showing the very same icons and preview pictures.

While this threat is entirely different from the one we documented last week, both cases are similar in the sense that they managed to get into the Google Play Store when they should have been rejected.

Original ESET Article