With every passing year, we entrust our digital devices to store more of our personal information, with the internet turning into the backbone of the modern world. This has brought immeasurable benefit to billions of people around the world, but it’s also opened a huge opportunity for those that want to hurt us. Crime is no longer bound by geography — someone you’ve never met, from a country you’ve never been to, may be targeting you.
Some threats we have become familiar with (phishing, viruses, and spam) are now staples of our online lives. However, each passing year brings with it a new set of technologies, with new exploits in tow. We’ve collected together some of the most important security threats of 2017, and what you can do about them.
1. Pinkslipbot
What It Is: A worm used to download additional malware, harvest banking credentials, and receive commands from a remote command-and-control server.
Pinkslipbot is a well-known and dangerous threat
Pinkslipbot is a well-known threat on the malware landscape, mainly due to its specific targeting. Its authors aren’t going after regular users, but have historically targeted North American companies, especially those in lucrative industry sectors, such as corporate banking, financial institutions, treasury services, and others.
What It Does: Pinkslipbot aims to collect and harvest all financial and banking credentials through a collection of tools like keyloggers, MITM browser attacks, and digital certificate theft. Although Pinkslipbot has been around since 2007, McAfee discovered a newly updated variant in 2017. The malware was first designed to harvest login credentials for online banking and other digital financial services. The new variant has been updated so that it now acts as a Trojan, a worm, and as part of a botnet. It is estimated that Pinkslipbot controls over 500,000 computers.
You Will Be Affected If: Malware can be downloaded from a number of different sources, but often comes from malicious or compromised websites. Another major infection point is phishing emails and their dangerous attachments.
How to Check for It: As Pinkslipbot has been around in various forms for over a decade, most modern antivirus software should be able to remove the threat immediately. However, should you still need reassurance, McAfee has released a tool that will scan for and detect any instance of Pinkslipbot.
How to Clean It: Your antivirus should be able to remove the malware after it is detected. However, the updated 2017 variant also changes your port-forwarding options to keep your computer operational as part of its botnet. Your antivirus will likely not detect these changes and they can be hard to spot. The McAfee tool is also able to remove the malware, and if you follow the user manual, will be able to correct any port-forwarding issues Pinkslipbot created.
2. Xavier
What It Is: A malicious ad library pre-installed in a number of Android apps.
What It Does: The Xavier ad library is part of a malvertising campaign aimed at infecting your device with malware and stealing data. The malicious ads are able to install APKs on your phone without notification on older Android devices. Xavier allows remote code execution, giving hackers full access to your phone. On top of this, it is also able to harvest your personal data, device make and model, SIM card identifiers, and a list of installed apps.
According to Trend Micro’s blog post:
“Xavier’s stealing and leaking capabilities are difficult to detect because of a self-protect mechanism that allows it to escape both static and dynamic analysis. In addition, Xavier also has the capability to download and execute other malicious codes, which might be an even more dangerous aspect of the malware. Xavier’s behavior depends on the downloaded codes and the URL of codes, which are configured by the remote server.”
You Will Be Affected If: Trend Micro identified 75 apps that were serving Xavier malvertising to your Android phone. If you installed any of these apps then you are affected. However, the ad library was available to any Android developer and may have been served by more than just those identified by Trend Micro.
How to Check for It: Compare any apps you have installed against Trend Micro’s list. Even if you managed to avoid the listed apps, there is still a chance that you were affected. To be safe, keep an eye out for any signs your Android device has been infected with malware.
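The comparison described above can be automated. The following is an added example, not Trend Micro's tooling: it parses the output of `adb shell pm list packages` and reports any installed package whose name appears on a blocklist you supply. The package names in the constructed sample and the blocklist are placeholders invented for the example; the real list of affected apps has to come from the vendor's advisory.

```python
"""Compare the packages installed on an Android device against a list of
package names you do not trust.

Added example: the vendor's list of affected apps is NOT reproduced here.
Save it (one package name per line) and feed it to load_blocklist();
the names below are constructed placeholders.
"""
import re
from typing import Iterable, List, Set

# Constructed sample of `adb shell pm list packages` output; the names are
# placeholders for this example only.
SAMPLE_PM_OUTPUT = """\
package:com.android.settings
package:com.example.wallpaper.demo
package:com.example.flashlight.demo
package:com.google.android.gms
"""

# Constructed blocklist text in the format load_blocklist() accepts.
SAMPLE_BLOCKLIST_TEXT = """\
# placeholder entries, not a real advisory list
com.example.wallpaper.demo
COM.EXAMPLE.CLEANER.DEMO
"""

PKG_LINE = re.compile(r"^package:([A-Za-z0-9_.]+)$")


def parse_pm_list(output: str) -> Set[str]:
    """Return the package names in `pm list packages` output, skipping junk lines."""
    found: Set[str] = set()
    for line in output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            found.add(m.group(1))
    return found


def load_blocklist(text: str) -> Set[str]:
    """Parse a blocklist: one package name per line, '#' comments and blanks ignored."""
    names: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(line.lower())
    return names


def find_flagged(installed: Iterable[str], blocklist: Set[str]) -> List[str]:
    """Installed packages whose name is on the blocklist (case-insensitive), sorted."""
    return sorted(p for p in installed if p.lower() in blocklist)


def check_device(pm_output: str, blocklist_text: str) -> List[str]:
    """Full pipeline: parse the device output, parse the list, report matches."""
    return find_flagged(parse_pm_list(pm_output), load_blocklist(blocklist_text))


if __name__ == "__main__":
    # Real use: `adb shell pm list packages > packages.txt` and pass its contents.
    for pkg in check_device(SAMPLE_PM_OUTPUT, SAMPLE_BLOCKLIST_TEXT):
        print("flagged:", pkg)
```

A clean result from this check only means none of the listed package names is installed; as the text notes, the ad library was available to any developer, so the list is a lower bound, not proof of a clean device.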
3. OSX/Dok Malware
What It Is: macOS-specific malware that can intercept and read all HTTPS traffic.
What It Does: By abusing a signed developer certificate, the malware is able to install without any issue. Once it has installed, it replaces your system’s AppStore Login with its own so that the malware runs every time your system reboots. It then alerts you that a security issue has been found, and asks for your admin password to update. After entering your password, the malware has administrator rights for your system. It uses this to route your internet traffic through a proxy server, and impersonate any website using fake security certificates.
OSX/Dok, as documented by Check Point, spreads via a phishing attack that Check Point says mostly targets European users. One message shown is in German, and the signature portion says it’s from the Swiss tax office. The email contains a ZIP file attachment which has to be saved, opened, and an item within it launched. It’s unclear from the description whether a user has to enter an administrative password, although based on the steps, this would seem likely. On execution, the malware performs various nefarious deeds, such as copying itself and running shell commands, as well as installing a startup item so it will launch at each reboot.
You Will Be Affected If: The original infection comes from an email attachment named Dokument.zip. If you downloaded and tried to open it, the malware displays a fake “package is damaged” error message, while still copying itself into the /Users/Shared folder.
How to Check for It: The infection originates with the email attachment named Dokument.zip. If you attempted to open this file, and the above scenario sounds familiar, then you are likely infected. Apple has already revoked the original fake developer certificate. However, the malware creators have been able to find ways around this so that the threat still exists.
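Two of the traces described above, a copy dropped into /Users/Shared and a startup item that relaunches it at every login, can be checked for with a short script. The following is an added example, not Check Point's tooling: it lists executables, archives and hidden files sitting in the shared folder and parses user and system LaunchAgent plists for any whose program lives under that folder. The scan takes a root directory, so run_demo() exercises it on a constructed tree whose file and label names are placeholders; on a real Mac you would call scan(Path("/")).

```python
"""Check the two persistence traces the OSX/Dok description mentions: files
dropped into /Users/Shared and a startup item (launch agent) pointing at
them. Added example, not Check Point's tooling; it takes a root directory so
it can be exercised on a constructed tree (run_demo) or pointed at '/'.
"""
import plistlib
import stat
import tempfile
from pathlib import Path
from typing import Dict, List


def suspicious_shared_files(shared_dir: Path) -> List[Path]:
    """Executables, archives and hidden files sitting directly in the shared folder."""
    hits: List[Path] = []
    if not shared_dir.is_dir():
        return hits
    for p in shared_dir.iterdir():
        if not p.is_file():
            continue
        mode = p.stat().st_mode
        is_exec = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
        if is_exec or p.suffix.lower() == ".zip" or p.name.startswith("."):
            hits.append(p)
    return sorted(hits)


def launch_agents_under(agent_dirs: List[Path], target_root: Path) -> List[Dict[str, str]]:
    """Launch agent plists whose Program/ProgramArguments run something under target_root."""
    findings: List[Dict[str, str]] = []
    prefix = str(target_root)
    for d in agent_dirs:
        if not d.is_dir():
            continue
        for plist in sorted(d.glob("*.plist")):
            try:
                with plist.open("rb") as fh:
                    data = plistlib.load(fh)
            except Exception:  # unreadable or malformed plist; a real tool should log it
                continue
            candidates: List[str] = []
            if isinstance(data.get("Program"), str):
                candidates.append(data["Program"])
            args = data.get("ProgramArguments")
            if isinstance(args, list):
                candidates += [a for a in args if isinstance(a, str)]
            for c in candidates:
                if c.startswith(prefix):
                    findings.append({"plist": str(plist), "label": str(data.get("Label", "")), "program": c})
                    break
    return findings


def scan(root: Path) -> Dict[str, list]:
    """Scan a filesystem rooted at `root` (use Path('/') on a real Mac)."""
    shared = root / "Users" / "Shared"
    agent_dirs = [root / "Library" / "LaunchAgents"]
    agent_dirs += sorted((root / "Users").glob("*/Library/LaunchAgents"))
    return {
        "shared_files": suspicious_shared_files(shared),
        "launch_agents": launch_agents_under(agent_dirs, shared),
    }


def build_demo_tree(root: Path) -> None:
    """Constructed layout mimicking the described infection (all names are placeholders)."""
    shared = root / "Users" / "Shared"
    shared.mkdir(parents=True)
    dropper = shared / "demo-dropper"
    dropper.write_text("#!/bin/sh\necho demo\n")
    dropper.chmod(0o755)
    (shared / "notes.txt").write_text("harmless\n")  # plain data file, must not be flagged
    agents = root / "Users" / "alice" / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    with (agents / "com.example.demo.plist").open("wb") as fh:
        plistlib.dump({"Label": "com.example.demo", "ProgramArguments": [str(dropper)], "RunAtLoad": True}, fh)
    with (agents / "com.example.legit.plist").open("wb") as fh:
        plistlib.dump({"Label": "com.example.legit", "ProgramArguments": ["/usr/bin/true"]}, fh)


def run_demo() -> Dict[str, list]:
    """Build the constructed tree in a temp dir, scan it, and return plain results."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_demo_tree(root)
        result = scan(root)
        return {
            "shared_files": [p.name for p in result["shared_files"]],
            "launch_agents": [f["label"] for f in result["launch_agents"]],
        }


if __name__ == "__main__":
    print(run_demo())
```

The proxy and certificate changes the text describes are not covered here; on a real system those are checked through the network and keychain settings rather than the filesystem, and a revoked developer certificate, as the text notes, does not remove an existing installation.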
4. NotPetya
What It Is: A strain of rapidly spreading ransomware that rose to prominence in 2017.
The NotPetya virus superficially resembles Petya in several ways: it encrypts the master file table and flashes up a screen requesting a Bitcoin ransom to restore access to the files.
What It Does: Ransomware is a particularly vicious form of malware. Once your computer is infected, the malware will encrypt all your files — on your hard drive and in the cloud. It will then demand a ransom to be paid before unlocking them. Even once payment is made, there is no guarantee that your files will actually be released. A similar ransomware known as WannaCry hit many government institutions and large businesses globally in mid-2017.
- NotPetya spreads on its own. The original Petya required the victim to download it from a spam email, launch it, and give it admin permissions. NotPetya exploits several different methods to spread without human intervention.
- NotPetya encrypts everything. The NotPetya malware goes far beyond the original Petya trick of encrypting the master boot record, going after a number of other files to seriously screw up your hard drive.
- NotPetya isn’t ransomware. This is in fact the most shocking — and important — thing about NotPetya. It looks like ransomware, complete with a screen informing the victim that they can decrypt their files if they send Bitcoin to a specified wallet.
You Will Be Affected If: Ransomware can affect anyone if you are unlucky enough to become infected. NotPetya infects computers indiscriminately, paying no attention to your personal circumstances. However, as with all malware, there may be signs that your computer is infected.
How to Check for It: There is no need to check for NotPetya, or any other ransomware: it will let you know it is there. In most cases the attacker has no interest in your files — they are after the ransom money.
5. LeakerLocker
What It Is: Ransomware for your Android phone.
What It Does: Most ransomware variants infect your device, encrypt your files, then demand a ransom to unlock them again. LeakerLocker instead targets your Android phone’s lock screen. It gathers up all data on your device and blackmails you into paying the ransom in order to unlock the device and prevent your data from being leaked.
You Will Be Affected If: McAfee discovered LeakerLocker lurking in two specific Android apps: Wallpapers Blur HD and Booster & Cleaner Pro. Cumulatively these apps had around 15,000 downloads when the malware was discovered. If you had installed either of these apps then you may have been affected. However, as previously noted, ransomware pretty quickly lets you know that it’s there.
How to Check for It: Although it was hidden inside those two specific apps, there may be other infection points that weren’t initially discovered. The malware runs on Android phones as Android/Ransom.LeakerLocker.A!Pkg. If you see this running on your device, then you have been infected by LeakerLocker.
Malware Is All Around
Ransomware has extended its reach in 2017, with more criminals attempting to con you out of money. Greater access to ransomware tools has made it easier for traditional criminals to enter the digital age. Fortunately, there are ways to protect yourself.
Have you experienced any of these new security threats? How did you overcome them? Are there any you think we missed? Let us know in the comments!