IT News

January 28 was Data Privacy Day, but for Malwarebytes Labs, it was Data Privacy Week. As such, we’re packed with more privacy coverage than you can shake a stick at, starting with some practical steps on how to make your online life private and secure, and why privacy is core to a safer internet. We also covered news on Grindr facing a huge GDPR fine due to privacy concerns and Google’s new privacy-friendly technology called FLoC (Federated Learning of Cohorts) that could replace cookies in cross-site ad trackers.

To cap the week off, we invited a panel of experts from Mozilla, DuckDuckGo, and EFF to talk about Internet users’ experiences with the internet and online privacy, in a special episode of the Lock & Code podcast.

Lastly, we touched on DDoS attacks spawned by the abuse of RDP, the mighty take down of the Emotet botnet, and the Emotet update written by law enforcement that’s meant to remove it from infected computers.

Other cybersecurity news

• Serco, the company behind the UK’s Test and Trace app, was hit by the Babuk ransomware. (Source: Sky News)
• In another win for the good guys, a Canadian national was charged in relation to the NetWalker ransomware. (Source: Threatpost)
• The state of Utah has introduced legislation to make “catfishing” a criminal offense. (Source: Threatpost)
• After being disrupted by cybersecurity companies before 2020 ended, Trickbot is back with fresh phishing campaigns. (Source: ZDNet)
• A new Microsoft Office 365 phishing campaign homed in on executives. (Source: Help Net Security)
• An “NHS Coronavirus vaccination program” scam was found making rounds. (Source: Belfast Live)
• Instagram scams—yikes! (Source: The Daily Express)
• According to a report, phishing links targeted at Steam players rose by 250 percent, between November and December 2020. (Source: TechRadar)

Stay safe, everyone!

The post A week in security (January 25 – January 31) appeared first on Malwarebytes Labs.

Ransomware gangs deciding to pack their bags and leave their life of crime is not new, but it is a rare thing to see indeed.

And the Fonix ransomware (also known as FonixCrypter and Xinof), one of those ransomware-as-a-service (RaaS) offerings, is the latest to join the club.

Fonix was first observed in mid-2020, but it only started turning heads around September-October of that year. Believed to be of Iranian origin, it is known to use four methods of encryption—AES, Salsa20, ChaCha, and RSA—but because it encrypts all non-critical system files, it’s slower compared to other RaaS offerings.

Encrypted files usually bear the .FONIX and .XINOF (Fonix spelled backwards) file extensions; however, the .repter extension was also used. The Desktop wallpaper of affected system is changed to the Fonix logo.

The same account that announced the end of Fonix later tweeted an apology:

And a promise to “make up for our mistakes”:

That promise came in the form of the master decryption keys needed to decrypt .FONIX and .XINOF files, and an administration tool, which can only decrypt one file at a time. Cautious readers may want to wait for more useful decryption tools, written by more legitimate organisations, before trusting code released by known cybercriminals.

This isn’t the first time a ransomware group has displayed a conscience—that is assuming we take their word they will continue to “use our abilities in positive ways”. In 2018, developers of the GandCrab ransomware, another RaaS that also made a public announcement of shutting down its operations in mid-2019, made a U-turn and released decryption keys for all its victims in Syria after a Syrian father took to Twitter to plead with them. GandCrab had infected his system and encrypted photos of his two sons who had been taken by the war.

In 2016, when TeslaCrypt made an exit from the RaaS scene, a security researcher reached out to its developers and asked if they would release the encryption keys. They did release the master key that helps decrypt affected systems for free.

It remains to be seen if the Fonix gang will keep their word. If some or all of them change their minds and go back to a life of crime, they wouldn’t be the first ransomware gang to do so. Any ransomware group packing up and leaving is good news. However, while Fonix appears to have left the building, it was only one small player in a vast criminal ecosystem. The threat of ransomware remains.

The post Fonix ransomware gives up life of crime, apologizes appeared first on Malwarebytes Labs.

We have talked about RDP many times before. It has been a popular target for brute force attacks for a long time, but attackers have now found a new way to abuse it.

Remote access has become more important during the pandemic, with as many people as possible try to work from home. Which makes it all the more important to configure RDP services in a secure way.

Quick recap of RDP

RDP is short for Remote Desktop Protocol. Remote desktop is exactly what the name implies, an option to control a computer system remotely. It almost feels as if you are actually sitting behind that computer. Because of the current pandemic, many people are working from home and may be doing so for a while to come.

All this working from home has the side effect of more RDP ports being opened. Not only to enable the workforce to access company resources from home, but also to enable IT staff to troubleshoot problems on the workers’ devices. A lot of enterprises rely on tech support teams using RDP to troubleshoot problems on employee’s systems.

We warned about one of the consequences of exposing RDP in our post Brute force attacks increase due to more open RDP ports. And we provided some security measures in our post How to protect your RDP access from ransomware attacks. But this time we are going to talk about a different kind of attack that makes use of open RDP ports.

RDP as a DDoS attack vector

The RDP service can be configured by Windows systems administrators to run on TCP (usually port 3389) and/or on the UDP port (3389). When enabled on a UDP port, the Microsoft Windows RDP service can be abused to launch UDP reflection attacks with an amplification ratio of 85.9:1.

The traffic that is set off by this amplification attack is made up of non-fragmented UDP packets sourced from the UDP port and directed towards UDP ports on the victim’s IP address(es). From logs, these attack-induced packets are readily discernible from legitimate RDP session traffic because the amplified attack packets are consistently 1,260 bytes in length and are padded with long strings of zeroes.

Open RDP ports

At the time of writing, the Shodan search engine, which indexes online devices and their services, lists over 3.6 million results in a search for “remote desktop” and NetScout identified 33,000 Windows RDP servers that could potentially be abused in this type of DDoS attack.

The consequences of such an attack

The owner of the destination IP address(es) will experience a DDoS attack. DDoS stands for Distributed Denial of Service. It is a network attack that involves hackers forcing numerous systems to send network communication requests to one specific server. If the attack is successful, the receiving server will become overloaded by nonsense requests. It will either crash or become so busy that normal users are unable to use it.

A DDoS attack can cause:

• Disappointed users
• Loss of data
• Loss of revenue
• Lost work hours/productivity
• Damage to the businesses’ reputation
• Breach of contract between a victim and its users

We have discussed preventive measures for DDoS targets in our post DDoS attacks are growing: What can businesses do?

But there are consequences for the abused service owners as well. These may include an interruption or slow-down of remote-access services, as well as additional service disruption due to an overload of additional network hardware and services.

How to avoid helping a DDoS attack

There are a few things you can do to avoid being roped into an RDP DDoS attack. They are also useful against other RDP related attacks.

• Put RDP access behind a VPN so it’s not directly accessible.
• Use a Remote Desktop Gateway Server, which provides some additional security and operational benefits like 2FA, for example. Also, the logs of the RDP sessions can prove especially useful.
• If RDP servers offering remote access via UDP cannot immediately be moved behind VPN concentrators, it is recommended to disable RDP via UDP.

Logging of the traffic will not be effective as a preventive measure, but it will enable you to figure out what might have happened and assist you in closing any gaps in your defenses.

Stay safe, everyone!

The post RDP abused for DDoS attacks appeared first on Malwarebytes Labs.

This blog post was authored by Hasherezade and Jérôme Segura

Emotet has been the most wanted malware for several years. The large botnet is responsible for sending millions of spam emails laced with malicious attachments. The once banking Trojan turned into loader was responsible for costly compromises due to its relationship with ransomware gangs.

On January 27, Europol announced a global operation to take down the botnet behind what it called the most dangerous malware by gaining control of its infrastructure and taking it down from the inside.

Shortly thereafter, Emotet controllers started to deliver a special payload that had code to remove the malware from infected computers. This had not been formally clarified just yet and some details around it were not quite clear. In this blog we will review this update and how it is meant to work.

Discovery

Shortly after the Emotet takedown, a researcher observed a new payload pushed onto infected machines with a code to remove the malware at a specific date.

That updated bot contained a cleanup routine responsible for uninstalling Emotet after the April 25 2021 deadline. The original report mentioned March 25 but since the months are counted from 0 and not from 1, the third month is in reality April.

This special update was later confirmed in a press release by the U.S. Department of Justice in their affidavit.

On or about Janury 26, 2021, leveraging their access to Tier 2 and Tier 3 servers, agents from a trusted foreign law enforcement partner, with whom the FBI is collaborating, replaced Emotet malware on servers physically located in their jurisdiction with a file created by law enforcement

BleepingComputer mentions that the foreign law enforcement partner is Germany’s Federal Criminal Police (Bundeskriminalamt or BKA).

In addition to the cleanup routine, which we describe in the next section, this “law enforcement file” contains an alternative execution path that is followed if the same sample runs before the given date.

The uninstaller

The payload is a 32 bit DLL. It has a self-explanatory name (EmotetLoader.dll) and 3 exports which all lead to the same function.

If we look inside this exported function, we can see 3 subroutines:

The first one is responsible for the aforementioned cleanup. Inside, we can find the date check:

If the deadline already passed, the uninstall routine is called immediately. Otherwise the thread is run repeatedly doing the same time check, and eventually calling the deletion code if the date has passed.

The current time is compared with the deadline in a loop. The loop exits only if the deadline is passed, and then proceeds to the uninstallation routine.

The uninstall routine itself is very simple. It deletes the service associated with Emotet, deletes the run key, and then exits the process.

As we know by observing the regular Emotet, it achieves persistence in two alternative ways.

Run key

This type of installation does not require elevation. In such a case, the Emotet DLL is copied into %APPDATA%

.

System Service

If the sample was run with Administrator privileges, it installs itself as a system service.. The original DLL is copied into C:WindowsSysWow64

.

For this reason, the cleanup function has to take both scenarios into account.

We noticed the developers made a mistake in the code that’s supposed to move the law enforcement file into the %temp% directory:

GetTempFileNameW(Buffer, L"UPD", 0, TempFileName) 

The “0” should have been a “1” because according to the documentation, if uUnique is not zero, you must create the file yourself. Only a file name is created, because GetTempFileName is not able to guarantee that the file name is unique.

The intention was to generate a temporary path, but because of using the wrong value in the parameter uUnique, not only was the path generated, but the file was also created. That lead to the further name collision and as a result, the file was not moved.

However, this does not change the fact that the malware has been neutered and is harmless since it won’t run as its persistence mechanisms have been removed.

If the aforementioned deletion routine was called immediately, the other two functions from the initial export are not getting run (the process terminates at the end of the routine, calling ExitProcess). But this happens only if the sample has been run after April 25.

The alternative execution path

Now let’s take a look at what happens in the alternative scenario when the uninstall routine isn’t immediately called.

After the waiting thread is run, the execution reaches two other functions. The first one enumerates running processes, and searches for the parent process of the current one.

Then it checks the process name if it is “explorer.exe” or “services.exe”, followed by reading parameters given to the parent.

Running the next stage

The next routine decrypts and loads a second stage payload from the hardcoded buffer.

Redirection of the flow to the decrypted buffer (via “call edi“):

The next PE is revealed: X.dll:

After decrypting the payload, the execution is redirected to the beginning of the revealed buffer that starts with a jump:

This jump leads to a reflective loader routine. After mapping the DLL to a virtual format, in the freshly allocated area in the memory, the loader redirects the execution there.

First, the DllMain of X.dll is called (it is used for the initialization only). Then, the execution is redirected to one of the exported functions – in the currently analyzed case it is Control_RunDll.

The execution is continued by the second dll (X.dll). The functions inside this module are obfuscated.

The payload that is called now looks very similar to the regular Emotet payload. Analogical DLL, and also named X.dll such as: this one could be found in earlier Emotet samples (without the cleanup routine), for example in this sample.

The second stage payload: X.dll

The second stage payload X.dll is a typical Emotet DLL, loaded in case the hardcoded deadline didn’t pass yet.

This DLL is heavily obfuscated and all the used APIs are loaded dynamically. Also their parameters are not readable – they are dynamically calculated before use, sometimes with the help of a long chain of operations involving many variables:

This type of obfuscation is typical for Emotet’s payloads, and it is designed to confuse researchers. Yet, thanks to tracing we were able to reconstruct what APIs are being called at what offsets.

The payload has two alternative paths of execution. First it checks if it was already installed. If not, it follows the first execution path, and proceeds to install itself. It generates a random installation name, and moves itself under this name into a specific directory, at the same time adding persistence. Then it re-runs itself from the new location.

If the payload detects that it was run from the destination path, it takes an alternative execution path instead. It connects to the C2 and communicates with it.

The current sample sends a request to one of the sinkholed servers. Content:

L"DNT: 0rnReferer: 80.158.3.161/i8funy5rv04bwu1a/rnContent-Type: multipart/form-data; boundary=--------------------GgmgQLhRJIOZRUuEhSKorn"

The following image shows web traffic from a system infected via a malicious document downloading the special update file and reaching back to the command and control server owned by law enforcement:

Motives behind the uninstaller

The version with the uninstaller is now pushed via channels that were meant to distribute the original Emotet. Although currently the deletion routine won’t be called yet, the infrastructure behind Emotet is already controlled by law enforcement, so the bots are not able to perform their malicious action.

For victims with an existing Emotet infection, the new version will come as an update, replacing the former one. This is how it will be aware of its installation paths and able to clean itself once the deadline has passed.

Pushing code via a botnet, even with good intentions, has always been a thorny topic mainly because of the legal ramifications such actions imply. The DOJ affidavit makes a note of how the “Foreign law enforcement agents, not FBI agents, replaced the Emotet malware, which is stored on a server located overseas, with the file created by law enforcement”.

The lengthy delay for the cleanup routine to activate may be explained by the need to give system administrators time for forensics analysis and checking for other infections.

The post Cleaning up after Emotet: the law enforcement file appeared first on Malwarebytes Labs.

It’s Data Privacy Day—the perennial event that many internet users may have never heard of, but have strong feelings and opinions about the very things that birthed it in the first place.

Originally created to help businesses learn about why online privacy matters, its reach has since extended to other public organizations, governments, communities, and families on a global scale—yes, even when they continue to say “I have nothing to hide!”

Many high-traffic websites have improved on the aspects of security and privacy these past few years, so it shouldn’t surprise you to see privacy features when you visit your account settings. You just have to make use of them.

Here are three simple, practical, and sensible steps you can take now, to achieve a more private—and secure—online life.

1. Check your browser’s privacy options

Your browser is your gateway to the Internet. Unfortunately, few of them have ideal privacy and security settings set by default, even if they’re present.

It is in your best interest then to go ahead and tinker with your browser’s settings, carefully making sure that options are set in a way that are acceptable to you, privacy-wise.

You can read about some popular browsers’ privacy settings here:

• Google Chrome privacy settings
• Firefox privacy and security settings
• Microsoft Edge, browsing data, and privacy
• Safari privacy preferences

While you’re reviewing your settings, you may want to clear out your browser history, too, and review your extensions—you might actually find one or several there that you have already forgotten—and remove those you hardly, or never, used. Vulnerable or malicious add-ons can easily become a privacy and security risk.

Do a browser settings review on your mobile devices as well. You can learn more about them here:

• Chrome for Android privacy settings
• Safari for iOS privacy

Now, if you find that what’s in there by default lacks the privacy and security settings you hope for, it’s time to ditch that browser for a new one.

Thankfully, most (if not all) desktop browsers that made taking care of your privacy their business, too, have mobile versions. Start by looking up Firefox, Brave, DuckDuckGo, and even the Tor Browser on the Google Play and Apple App stores.

2. Review your social privacy settings

If you use a lot of different social media sites, choose one platform you’re most active on and start there.

(It’s Facebook, isn’t it?)

With privacy in mind, update settings of certain fields in your profile that you feel would less likely make you a target of identity theft. You might also want to limit the way other users of that platform can reach you, such as a total stranger who doesn’t have connections within your closest circle adding you as a friend. To learn more about your options, read Facebook’s basic privacy settings and tools page.

Disable that feature wherein anyone can look you up using an email address or phone number tied to you. Lastly, if you have a friend or family member who likes tagging you on every photo they upload (even if you’re not on the photo), feel free to un-tag yourself. You won’t regret it.

3. Start sharing with caution

Sharing might be caring—not to mention, fun—but in some cases, that doesn’t really apply, especially in social media.

I think by now we’re quite familiar with the scenario of someone publicly sharing their vacation plans on social media only to find themselves a victim of robbery when they got back.

Yes, we should think twice before sharing such information. And not only that, we should also make it a habit to ask permission when sharing photos with other people in them, or stories that involve somebody else. This is not only polite, but this also demonstrates that you care about other people’s privacy, too. They are your friends and family after all.

Every day is data privacy day

Data Privacy Day may only be one day, but looking after our personal data and keeping it safe should be an everyday affair for every Internet user.

You have the tools; we have equipped you with the know-how. Improving your data privacy doesn’t have to be rocket science.

So, let’s take a little bit of our busy time to review and make changes to those settings. These changes might be slight but are incredibly significant overall.

Remember, eyes open, and stay safe!

The post 3 tips to top up your privacy appeared first on Malwarebytes Labs.

As thoughts turn to Data Privacy this week in a big way, GDPR illustrates it isn’t an afterthought. Grindr, the popular social network and dating platform, will likely suffer a $12 million USD fine due to privacy related complaints. What happened here, and what are the implications for future cases?

What is GDPR?

The General Data Protection Regulation is a robust set of rules for data protection created by the European Union (EU), replacing much older rules from the 1990s. It was adopted in 2016 and enforcement began in 2018. It’s not a static thing, and is often updated. There’s plenty of rules and requirements for things such as data breaches or poor personal data notifications. Crucially, should you get your data protection wrong somewhere along the way, big fines may follow.

Although mostly spoken of in terms of the EU, its impact is global. Your data may be sitting under the watchful eye of GDPR right now without you knowing it, which…would be somewhat ironic. Anyway.

The complaint

On the 24th January, Norway’s Data Protection Authority (NDPA) gave Grindr advance notification [PDF] of its intention to levy a fine. This is because they claim Grindr shared user data to third parties “without legal basis”. From the document:

Pursuant to Article 58(2)(i) GDPR, we impose an administrative fine against Grindr LLC of 100 000 000 – one hundred million – NOK for

– having disclosed personal data to third party advertisers without a legal basis, which constitutes a violation of Article 6(1) GDPR and

– having disclosed special category personal data to third party advertisers without a valid exemption from the prohibition in Article 9(1) GDPR

That doesn’t sound good. What does it mean in practice?

Noticing the notification

The Norwegian Consumer Council, in collaboration with the European Center for Digital Rights, put forward 3 complaints on behalf of a complainant. The complaints themselves related to third-party advertising partners. The privacy policy stated that Grindr shared a variety of data with third-party advertising companies, such as:

[…] your hashed Device ID, your device’s advertising identifier, a portion of your Profile Information, Location Information, and some of your demographic information with our advertising partners

Personal data shared included the below:

Hardware and Software Information; Profile Information (excluding HIV Status and Last Tested Date and Tribe); Location and Distance Information; Cookies; Log Files and Other Tracking Technologies.

Additional Personal Data we receive about you, including: Third-Party Tracking Technologies.

Where this all goes wrong for Grindr, is that NDPA object to how consent was gained for the various advertising partners. Users were “forced to accept the privacy policy in its entirety to use the app”. They weren’t asked specifically if they wanted to share with third parties. Your mileage may vary if this is worth the fine currently on the table or not, but it is a valid question.

Untangling the multitude of privacy policies

Privacy policies can cause headaches for developers and users alike, in lots of different areas besides dating. For example, there are games in mobile land with an incredible amount of linked privacy policies and data sharing agreements. Realistically there’s no way to genuinely read all of it [PDF, p.4], because it’s too complicated to understand.

Does the developer roll with a “blanket” agreement via one privacy policy to combat this, because thousands of words across multiple policies is too much? If so, how do they cope at a granular level where smaller decisions exist for each individual advertiser?

Removing an advertiser from a specific network might warrant a notification from an app, to let the user know things have changed. Even more so if replaced by another advertiser, entirely unannounced. Does the developer pop notifications every single time an ad network changes, or hope that their blanket policy covers the alteration?

Considering the imminent fine, many organisations may be racing to their policy teams to carve out an answer. A loss of approximately 10% of estimated global revenue isn’t the best of news for Grindr. It seems likely the fine will stick.

Batten down the data privacy hatches

Data privacy, and privacy policies, are an “uncool” story for many. Everyone wants to see the latest hacks, or terrifying takeovers. Yet much of the bad old days of Adware/spyware from 2005 – 2008 was dependent on bad policies and leaky data sharing. While companies would occasionally be brought before the FTC, this was rare.

GDPR is a lot more omnipresent than the FTC is in terms of showing up at your door and passing you a fine. With data being so crucial to regulatory requirements and basic security hygiene, GDPR couldn’t be clearer: its here, and it isn’t going away.

The post $12m Grindr fine shows GDPR’s got teeth appeared first on Malwarebytes Labs.

Cookie tracking is dying and Google needs a replacement. It’s betting on FLoC, an ad tracking technology that lets it understand people’s behaviour while respecting their privacy.

Google has announced that its tests show promising signs that FLoC is working. Is this a milestone on the road to more privacy, or just better concealed tracking technology? Let’s have a look.

What are cookies?

Cookies are small pieces of information that websites store in your browser. If they contain a unique ID, they can be used to track you. That tracking can be used to provide information about your browsing behavior to the websites that you visit. On the one hand, cookies are useful for making your Internet experience more efficient. It is how you automatically get logged in on sites you’ve already visited, even if you closed the browser tab, for example. But on the other hand, cookies are a critical part of the advertising ecosystem that knows which ads are most likely to draw your attention.

Why replace cookies at all?

Several browsers, including Google Chrome, have announced privacy changes that aim to share less data with ad companies, and other third parties. And cookies are essential to the way third-party data is gathered and used by the websites you visit. Also good to know is that Chrome is trailing behind the competition, mainly Firefox and Safari, in this regard. And not only that, but privacy-focused browsers are becoming more popular, and more of them are entering the browser landscape.

What is FLoC?

The Federated Learning of Cohorts (FLoC) is a privacy-focused solution intent on delivering relevant ads “by clustering large groups of people with similar interests”. Accounts are anonymized, grouped into interests, and most importantly, user information is processed on-device rather than broadcast across the web.

FLoC runs in the browser and uses machine learning algorithms to analyze a user’s browser history. According to Google, it might look at “the URLs of the visited sites, on the content of those pages, or other factors.”

It then bundles the user with thousands of others into a group, called a Cohort. The data gathered locally from the browser is never shared. Instead, websites can ask the browser what Cohort it belongs to. In this way, the data about the much wider group of thousands of people is shared, instead of the individual user, and used to target ads.

How do users benefit?

Does that mean that sites are going to run advertisements based on what your Cohort is interested in, and not targeted at you, the individual? Ideally, yes, and that would be progress. But cookies aren’t the only way to track somebody. It may be possible to convert collective data into personalized data by using fingerprinting techniques. Browser fingerprints include details such as browser name, operating system, timezone, and much more. So, will these details be blocked as well?

Once advertisers have figured out how FLoC’s machine learning algorithms operate, they will become smarter at showing you the advertisements that are the most effective based on your interests. Informed readers will remember how popular SEO poisoning was before Google improved its search algorithms.

FLoC will make it harder for advertisers to find out any personal information about you. But that is something you can accomplish right now, by using other tools like a more privacy oriented browser or an ad tracking blocker, which are still more trustworthy companions in our opinion.

What are the downsides?

Of course, there is always a downside. The FLoC solution should be designed so that nobody can access your personal data before it is anonymized and grouped. That includes the users themselves, which denies them any control over the data stored locally. As annoying as some of us may find them, cookies are easy to control.

You are grouped with people of similar interests, but machine learning is a “black box”, so it’s likely there will be no way of you knowing what the criteria were. Does one wrong click get you in a group with interests that you find repulsive? Bad luck, and good luck figuring out how to get out of that group.

Advertisers, and the sites that earn revenue from ads, may feel that Chrome is taking some of their power away in order to take control over their visitors themselves. As it is, this may be Google’s compromise between owning a browser and living off advertising. A compromise other tech giants didn’t have to make since they live predominantly on one side of the privacy fence or another.

What’s the verdict?

FLoC will open for testing in March. For now, let’s wait and see how this pans out. Advertisers and users will have something to say when the technology is worked out, fine tuned, and implemented. Trying to please both sides will end up in a compromise for sure. There is no way yet to try out the final version, but at least now you have some idea about what’s on the horizon, and why.

Guard your privacy, everyone!

The post Google FLoC puts ad trackers on a cookie-free diet appeared first on Malwarebytes Labs.

In a coordinated action, multiple law enforcement agencies have seized control of the Emotet botnet. Agencies from eight countries worked together to deliver what they hope will be a decisive blow against one of the world’s most dangerous and sophisticated computer security threats.

The Emotet threat

In a statement announcing the action,  Europol described Emotet as “one of the most significant botnets of the past decade” and the world’s “most dangerous” malware.

The malware has been a significant thorn in the side of victims, malware researchers and law enforcement since it first emerged in 2014. Originally designed as a banking Trojan, the software became notorious for its frequent shapeshifting and its ability to cause problems for people trying to detect it. This lead to it being used as a gateway for other kinds of malware. Emotet’s criminal operators succeeded in infiltrating millions of Windows machines, and then sold access to those machines to other malware operators.

Taking down Emotet’s infrastructure not only hobbles Emotet, it also disrupts an important pillar of the malware delivery ecosystem.

The takedown

Successful botnets are typically highly distributed and very resilient to takedown attempts. Effective law enforcement cooperation is therefore vital, so that all parts of the system are tackled at the same time, ensuring the botnet can’t reemerge from any remnants that go untouched.

In this case, that meant tackling hundreds of servers simultaneously. Describing the level of cooperation required, Malwarebytes’ Director of Threat Intelligence, Jerome Segura said:

Going after any botnet is always a challenging task, but the stakes were even higher with Emotet. Law Enforcement agencies had to neutralize Emotet’s three different botnets and their respective controllers.

Although it gives few details, the Europol press release hints that a novel and sophisticated approach was used in the action, stating that the Emotet botnet was compromised “from the inside”. According to the agency, “This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.”

Segura added:

Unlike the recent and short-lived attempt to take down TrickBot, authorities have made actual arrests in Ukraine and have also identified several other individuals that were customers of the Emotet botnet. This is a very impactful action that likely will result in the prolonged success of this global takedown.

It remains to be seen if this is the final chapter of the Emotet story, but even if it is, we aren’t at the end of the story just yet.

This action removes the threat posed by Emotet, by preventing it from contacting the infrastructure it uses to update itself and deliver malware. However, the infections remain, albeit in an inert state. To complete the eradication of Emotet, those infections will need to be cleaned up too.

The knockout?

In a highly unusual step, it looks as if the clean up isn’t going to be left to chance. A few hours after the takedown was announced, ZDNet broke the news that law enforcement in the Netherlands are in the process of deploying an Emotet update that will remove any remaining infections on March 25th, 2021.

The post Pow! Emotet’s down. Is it out? appeared first on Malwarebytes Labs.

You can read our full-length blog here about the importance of Data Privacy Day and data privacy in general

Today is a special day, not just because January 28 marks Data Privacy Day in the United States and in several countries across the world, but because it also marks the return of our hit podcast Lock and Code, which closed out last year with an episode devoted to educators and the struggles of distance learning.

For Data Privacy Day this year, we knew we had to do something big.

After all, data privacy is far from a new topic for Malwarebytes Labs, which ramped up its related coverage more than two years ago, giving readers in-depth analyses of the current laws that shape their data privacy rights, the proposed legislation that could grant them new rights, the corporate heel-turns on privacy, the big-name mishaps, and the positive developments in the space, whether enacted by companies or authored by Congress members.

Along the way, Malwarebytes also released products that can help bolster online privacy, and we at Labs wrote about some of the many best practices and tools that people can use to maintain their privacy online.

We’ve been in this space. We know its actors and advocates. So, for Lock and Code, we thought we’d give them the opportunity to talk.

Today, in the return of our Lock and Code podcast, we gathered a panel of data privacy experts that includes Mozilla Chief Security Officer Marshall Erwin, DuckDuckGo Vice President of Communications Kamyl Bazbaz, and Electronic Frontier Foundation Director of Strategy Danny O’Brien.

Together, our guests talk about the state of online privacy today, why online privacy information can be so hard to find, and how users can protect themselves. Tune in to hear all this and more on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, Google Play Music, and Spotify, plus whatever preferred podcast platform you use.

The post Why Data Privacy Day matters: A Lock and Code special with Mozilla, DuckDuckGo, and EFF appeared first on Malwarebytes Labs.

Our Lock and Code special episode on Data Privacy Day, featuring guests from Mozilla, DuckDuckGo, and Electronic Frontier Foundation can be listened to here.

Today, January 28, is Data Privacy Day, the annual, multinational event in which governments, companies, and schools can inform the public about how to protect their privacy online.

While we at Malwarebytes Labs appreciate this calendar reminder to address data privacy head-on, the truth is that data privacy is not a 24-hour talking point—it is a discussion that has evolved for years, shaped by public opinion, corporate mishap, Congressional inquiry, and an increasingly-hungry online advertising regime that hoovers up the data of non-suspecting Internet users every day. And that’s not even mentioning the influence of threat actors.

The good news is that there are many ways that users can reclaim their privacy online, depending on what they hope to defend. For users who want to prevent their personally identifiable information from ending up in the hands of thieves, there are best practices in avoiding malicious links and emails. For users who want to hide their activity from their Internet Service Provider, VPNs can encrypt and obscure their traffic. For users who want to prevent online ads from following them across the Internet, a variety of browser plug-ins provide strong guardrails against this activity, and several privacy-forward web browsers include similar features by default. And for those who want to keep their private searches private, there are services online that do not use search data to serve up ads. Instead, they simply give users what they want: answers.

Today, as Malwarebytes commemorates Data Privacy Day, so, too, do many others. First conceived in 2007 by the Council of Europe (as National Data Protection Day), the United States later adopted this annual public awareness campaign in 2009. It is now observed in Canada, Israel, and 47 other countries.

Importantly, Data Privacy Day serves as a reminder that data privacy should be a right, exercisable by all. It is not reserved for people who have something to hide. It is not a sole function for covering up wrong-doing.

It is, instead, for everyone.

Why does data privacy matter?

Privacy is core to a safer Internet. It protects who you are and what you look at, and it empowers you to go online with confidence. By protecting your data privacy, the sites you visit, the videos you watch, even the devices you favor, will be nobody’s business but your own.

Unfortunately, data privacy today is not the default.

Instead, every-day online activities lead to countless non-private moments for users, often by design. In these “accidentally unprivate” moments, someone, somewhere, is making a dollar off your compromised privacy.

When you sign up to use a major social media platform or mobile app, the companies behind them require you to sign an end-user license agreement that gives them near-total control over how your data is collected, stored, and shared.

Just this week, the editorial board for The New York Times zeroed in on this power imbalance between companies and their users, in which companies “may feel emboldened to insert terms that advantage them at their customers’ expense.”

“That includes provisions that most consumers wouldn’t knowingly agree to: an inability to delete one’s own account, granting companies the right to claim credit for or alter their creative work, letting companies retain content even after a user deletes it, letting them gain access to a user’s full browsing history and giving them blanket indemnity.”

Separate from potentially over-bearing user agreements, whenever you browse the Internet to read the news, shop online, watch videos, or post pictures, a cadre of data brokers slowly amass information to build profiles about your search history, age, location, interests, political affiliations, religious beliefs, sexual orientation, and more. In fact, some data brokers scour the web for public records, collating information about divorce and traffic records and tying it to your profile. The data brokers then serve as a middleman for advertisers, selling the opportunity to place an ad in front of a specific type of user.

Further, depending on where you live, your online activity may become the interest of your government, which could request more information about your Internet traffic from your Internet Service Provider. Or perhaps you’re attending a university that you would like to shield from your Internet traffic, as you may be questioning your sexuality or personal beliefs. Who we are online has increasingly blurred with who we are offline, and you deserve as much privacy in one realm as in the other.

In every situation described above, users are better equipped when they know who is collecting their data and where that data is going. Without that knowledge, users risk entering into skewed agreements with the titans of the web, who have more resources and more time to enforce their rules, whether or not those rules are fair.

Are you fighting alone?

You are not alone in fighting to preserve your data privacy. In fact, there are four major bulwarks aiding you today.

First, many tools can help protect your online privacy:

• Certain browser plug-ins can prevent online ad tracking across websites, and they can warn you about malicious websites looking to steal your sensitive information
• VPNs can prevent ISPs from getting detailed information about your Internet traffic
• Private search engines can keep your searches private and your search data away from any advertising schemes
• Privacy-forward web browsers can default to the most private setting, preventing advertisers from following you around the web and profiling your activity

Second, several lawmakers across the United States have heeded the data privacy call. Since mid-2018, Senators and Representatives for the country have introduced at least 10 data privacy bills that aim to provide meaningful data privacy protections for Americans. Even more state lawmakers have forwarded statewide data privacy bills in the same time period, including proposals in Washington, Nevada, and Maine—which successfully turned its bill into law in 2019.

Across the world, the legislative appetite for data privacy rights has outpaced the United States. Since May 2018, more than 450 million Europeans have been protected by the General Data Protection Regulation (GDPR), which demands strict controls over how their data is used and stored, and violations are punishable by stringent fines. That law’s impact cannot be understated. Following its passage, many countries began to follow suit, extending new rights of data protection, access, portability, and transparency to their residents.

Third, a variety of organizations routinely defend user rights by engaging directly with Congress members, advocating for better laws, and building grassroots coalitions.  Electronic Frontier Foundation, American Civil Liberties Union, Fight for the Future, Common Sense Media, Privacy International, Access Now, and Human Rights Watch are just a few to remember.

Fourth, a handful of companies increasingly recognize the value of user privacy. Apple, Mozilla, Brave, DuckDuckGo, and Signal, among others, have become privacy darlings for some users, implementing privacy features that have angered other companies, and sometimes pushing one another to do better. Companies that have taken missteps on user privacy, on the other hand, have drawn the ire of Congress and suffered dips in user numbers.

Through many of these developments, Malwarebytes has been there—providing thoughtful analysis on the Malwarebytes Labs blog and releasing products that can directly benefit user privacy. We know the companies who care, we talk to the advocates who fight, and we embrace a pro-user stance to guide us.

Which is why we’re proud to present today a special episode of our podcast, Lock and Code, which you can listen to here.

The future of data privacy

Data privacy has only increased in importance for the public with every passing year. That means that tomorrow, just like today and just like the many yesterdays, Malwarebytes will be there to defend and advocate for data privacy.

We will cover the developments that could help—or could be detrimental—to data privacy. We will release tools that can provide data privacy. We will talk to the experts in this field and we will routinely take pro-user stances because it is the right thing to do.

We look forward to helping you in this fight.  

The post Why Data Privacy Day matters appeared first on Malwarebytes Labs.