How the "antimalware" XProtect for MacOS works and why its detection is so poor

Monday, May 6, 2019

Recently, MacOS included a signature in its integrated antivirus intended to detect a Windows binary; but does this detection make sense? We could think it does, as a reaction to the fact that in February 2019 Trend Micro discovered .NET malware for Mac. It ran on a Mono runtime bundled inside the malware itself, which read the malware's own code. OK, but now seriously, does it make sense?

It might make sense to occasionally include a very particular detection that has been widely covered in the media, but in general the long-term strategy of this antivirus is not so clear, even though it is intended to detect "known" malware. The fight that MacOS as a whole has waged against malware is absolute nonsense. They moved from categorical denial in the early years of the 21st century to slight acceptance and finally, since 2009, to lightly fighting malware. However, since then it has not evolved much.

Let's continue with the detection of the Windows executable: the malware was detected in February, which means that it had been operating for some time. Trend Micro discovered it and the media made it public, bringing down Apple's reputation. On 19 April, Apple included its signature in XProtect. That is an unacceptable reaction time. On top of all this, it was the first XProtect signature update of the whole of 2019. Is it possible that the media coverage of the malware was what prompted the inclusion of the signature? What priority level is given to users' security, then? Do we know how much malware is detected by XProtect and how often this seldom-mentioned functionality is updated? Are Gatekeeper and XProtect, in general, a way to spare Apple's blushes, or are they really intended to help mitigate potential infections in MacOS?

New research: Docless Vietnam APT. A very interesting malware against Vietnam Government

Tuesday, April 16, 2019

We have detected malware sent to some email accounts belonging to a Vietnam government domain. The email is written in Vietnamese and is dated March 13th, 2019. It seems to come from an account inside the organization (perhaps someone forwarding it to a security operator because it looked suspicious). The attached file turned out to use a very interesting infection chain. It combines techniques never seen before, which makes us think of a very targeted campaign that uses interesting resources to specifically infect the Vietnam government.

The global view of the threat schema is the following:

[Image: global view of the threat schema]

Although it may look typical, the schema hides some very smart techniques to avoid detection and fool the system. 

New research: we discover how to avoid SmartScreen via COM Hijacking and with no privileges

Tuesday, April 2, 2019

The COM Hijacking technique has a simple theoretical basis, similar to that of DLL Hijacking: what happens when an application searches for a COM object that does not exist on the computer where it is being executed? Or when the object exists but cannot be found under the registry key where it was searched for? An attacker may create it with altered information: for instance, a path that leads the victim to a DLL created by the attacker instead of to the one that was searched for. We can take advantage of the default order in which the program searches for this object: this is how we have managed to avoid SmartScreen on Windows.

Brief introduction
COM (Component Object Model) is a binary-interface standard for software components that allows communication between processes as well as the dynamic creation of objects, regardless of the language used to program them. COM provides a stable ABI (Application Binary Interface) that does not change across compiler versions. This is appealing for C++ developers when code must be shared with clients that use different compiler versions.

COM objects are commonly compiled as a DLL, but the way they are used is particular. COM objects must be unequivocally identifiable at execution time, so they are identified by GUID.


Carrier Level Immutable Protection (CLIP): secure and trusted technology to empower carriers

Tuesday, March 26, 2019

A year ago we signed our partnership agreement with Rivetz, setting the stage for the creation of a new decentralized model to enhance data security and management. We are now in a position to talk about our first prototypes of a technology developed to provide security to all Movistar SIM-based mobile devices. To this end, we have used hardware components that are nowadays included in billions of devices: the so-called Trusted Execution Environments (TEE).

[Image: alliance of ElevenPaths, Rivetz, Wanchain and Civic]

If you want to change your employees' security habits, don't appeal to their willpower; modify their environment instead

Wednesday, March 13, 2019

You're in a coffee bar and you need to connect your smartphone to a Wi-Fi network, so you check your screen and see the following options. Imagine that you know the key, or can ask for it, in case one is requested: which one would you choose?

[Image: list of Wi-Fi networks]

Depending on your level of security awareness, you will choose either the first one, mi38, which seems to have the best signal, or v29o, which does not have such a bad signal but is secured and requests a password. Now imagine that you are in the same coffee bar, but this time you see the following list of Wi-Fi networks on your smartphone screen. Which one would you choose now?

In pursuit of the perfect phishing that would trick even you

Monday, March 4, 2019

Imagine that you flip a coin into the air (with no trick) six consecutive times: which of the three following sequences do you think is most likely to appear, considering that "heads" is represented by 1 and "tails" by 0?

    1. 1 0 1 0 1 0
    2. 1 1 1 1 1 1
    3. 1 0 1 1 0 1

Most people choose the third sequence (1 0 1 1 0 1) because it seems to be the most random one. The first two sequences are too regular to match our intuitive idea of randomness. Actually, the three sequences are equally probable, each with a probability of (1/6)^6. However, as we are more used to seeing random-looking sequences than uniform ones (since in fact there are far more of them), the third sequence better represents our preconceived idea of what randomness must look like.

This reasoning error is known as the representativeness heuristic: we assume an example belongs to a class according to how well it matches our stereotype (preconceived idea) of that class. For instance, if you see a man in a leather jacket with a punk bracelet, it will be easier for you to imagine that he likes heavy metal than if he wore a suit and tie and used hair gel.

Don't confuse the frequency of an incident with how easily you remember it

Imagine that there have been a few robberies in two parks of your town that have received all the media attention for days. This afternoon you would like to go running in the park next to your home, so these incidents will quickly come to mind, and that will make you think about the probability of becoming the victim of a robbery (or something worse) in that park. Your mind will make the following association:

Park = Danger!!!

The images you have watched on TV and the Internet will make you overestimate the probability that you may be the next victim in any other park, even in a different town. As a consequence, you may avoid running in the park near your home (or any other park) until the media echo fades. Only when you stop thinking "Park = Danger!!!" will you frequent parks again.

GSMA IoT Security Champion: Award to our IoT Security team

Wednesday, February 27, 2019

We have a lot to be happy about! Our IoT Security team, dedicated to cybersecurity in the increasingly relevant world of the Internet of Things, has received a well-deserved award for its contribution to the dissemination and application of the IoT security guides of the GSMA, an entity that represents the interests of the most important mobile operators worldwide and is in charge of the Mobile World Congress events, among which is the Barcelona event that takes place this week.

The largest collection of usernames and passwords has been leaked… or not (II)

Monday, February 4, 2019

In the last entry we focused on analyzing the content of these files from a critical point of view, that is, on clarifying that when a massive leak exposing millions of passwords is announced, the reality is not entirely what it seems to be. After all, what has been leaked is a collection of leaks, gathered over time by a certain group of people or by an individual.

The leak we have examined holds 640 GB of content. We must clarify that it is not just the leak called "Collection #1" or the subsequent "Collection #2" and so on (the best-known ones). Collections of this kind are on the Internet, on several forums or uploaded to servers where anyone with some patience can access them.

The post-quantum future is around the corner and we are still not prepared

Wednesday, January 30, 2019


Every year we have more powerful computers with greater computing capacity. Is that good or bad? Think twice before answering.

It depends. If global information security rests on the computational complexity of certain functions, then the fact that computers are becoming ever faster is very bad news.

In fact, the sword of Damocles is hanging over our public-key encryption systems: RSA, DSA, ECDSA. Their security relies on the difficulty of solving certain mathematical problems currently considered intractable, such as factoring large integers or computing discrete logarithms. The big promise of quantum computing is that these mathematical problems will be solved rapidly. Is cryptography mortally wounded? Is there hope for the world? Will we be able to keep communicating securely after the first quantum computers arrive? Let's look at it step by step.

The largest collection of usernames and passwords has been leaked… or not (I)

Monday, January 28, 2019

Sometimes someone releases, by mistake (or not), an enormous set of text files with millions of passwords inside: an almost endless list of e-mail accounts with their passwords or the equivalent hashes. Consequently, headlines start to appear again and again in the media: "Millions of passwords have been leaked…". Even if the headline is not fake, it may sometimes be misleading. In particular, we are talking about the latest massive leak, named "Collection #1".

We have analyzed this huge leak. Beyond the "Collection #1" that has reached the media, we have obtained a superset with more than 600 GB of passwords. It is so large that in our analysis we counted more than 12,000,000,000 username-and-password combinations before any cleaning. It is an astronomical figure. However, the important point here is that the data is raw. What remains interesting once any cleaning has been performed? We must bear in mind that a leak of a leak is not a leak. If some months or years ago someone leaked the database of a given website, that is called a "leak". Conversely, if someone concatenates that file with others and publishes them, that is not a leak: they are simply making their particular collection of leaks available on the Internet.

#CyberSecurityReport18H2: our new periodic report on cybersecurity

Monday, January 21, 2019

Currently, there are a number of reports addressing trends and summaries on security. However, at ElevenPaths we want to make a difference. Our Innovation and Labs team has just launched its own cybersecurity report, summarizing the most significant information from the second half of 2018. The report's philosophy is to provide a global, targeted and useful view of the most relevant data and facts on cybersecurity. It is addressed to cybersecurity professionals and enthusiasts, in a simple and visually appealing format. Let's go over some of the data from this first edition, which will be continued and, without a doubt, further improved.

Nowadays there is a flood of information on cybersecurity. Nevertheless, that does not mean this flood of information is correctly understood and analyzed, so it is not properly exploited to improve processes and become less vulnerable. A lack of information is as harmful as an excess of it. Being up to date and informing people is not enough; it is also necessary to analyze, to be able to prioritize, and to learn what is important and why.

Detected an extension in the Chrome Web Store, active since February, that steals credit cards

Tuesday, January 15, 2019

We have detected an extension for Google Chrome, still active, that steals data from web forms on the sites visited by its victims. The extension, which is still available on the Chrome Web Store (the extension market for Chrome), has been active since February 2018. It is hidden from searches performed on the Web Store and can only be reached through a link that the attackers are spreading by means of JavaScript injection attacks on websites, which redirect visitors to the extension via that link.


2019 won’t be the year when quantum computers replace the cryptography that we all use

Wednesday, January 9, 2019


What would happen if a fully error-corrected quantum computer with several thousand logical qubits started working today? Public key infrastructures would collapse. The secrets of the world would be exposed. There would be chaos. How far away is that day? How would it affect our cryptography? What should we do to protect our sensitive information ahead of the forthcoming arrival of quantum computers?