
A report backed by the Dutch Ministry of Justice and Security is warning government institutions not to use Microsoft's Office Online or mobile applications due to potential security and privacy risks. A report from Privacy Company, which was commissioned by the ministry, found that Office Online and the Office mobile apps should be banned from government work. The report found the apps were not in compliance with a set of privacy measures Redmond has agreed to with the Dutch government. The alert notes that in May of this year Microsoft and the government of the Netherlands agreed to new privacy terms after a 2018 report, also compiled by Privacy Company, found that Office 365 ProPlus was gathering personal information on some 300,000 workers via its telemetry features and storing it in the US. This included such things as email addresses and translation requests. While other Windows and Office apps have been brought into compliance with those rules and no longer gather the user information, Privacy Company said that the mobile apps and Office Online are still gathering information about user activity, as are some of the features in Windows 10 Enterprise. "Moreover, certain technical improvements that Microsoft has implemented in Office 365 ProPlus are not (yet) available in Office Online," Privacy Company said. "From at least three of the mobile apps on iOS, data about the use of the apps are sent to a US-American marketing company that specializes in predictive profiling." For more visit OUR FORUM.

A new version of the TrickBot banking Trojan continues to evolve its targeting of security software in order to prevent its detection and removal. In this new version, TrickBot has set its sights on Windows Defender, which for many people is the only antivirus installed on a Windows 10 machine. TrickBot is a banking Trojan that attempts to steal online banking credentials, cryptocurrency wallets, browser information, and other credentials saved on your PC and browser. When TrickBot is executed, it first starts a loader that gets the system ready by disabling Windows services and processes associated with security software and performing elevation to gain higher system privileges. When that is completed, it loads the "core" component by injecting a DLL, which then downloads the modules that steal information from the computer, contain the communication layer, and perform other tasks. Prior to this version, the TrickBot loader would perform a basic targeting of Windows Defender, soon to be called Microsoft Defender. That wasn't enough: a new TrickBot sample found by security researchers MalwareHunterTeam and Vitali Kremez, who reverse-engineered it, shows that the Trojan has added further attempts to disable Windows Defender. TrickBot has now added 12 additional methods to target and disable Windows Defender and Microsoft Defender ATP in Windows. These methods use either Registry settings or the Set-MpPreference PowerShell command to set Windows Defender preferences. When TrickBot detects certain security programs installed, it configures a debugger for that process using the Image File Execution Options Registry key. This causes the debugger to launch before the program being executed, and if that debugger does not exist, the expected program will fail to launch. More complete details can be found on OUR FORUM.
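For defenders, the three tampering routes described above (Defender Registry settings, Set-MpPreference, and an Image File Execution Options debugger) can be hunted for in endpoint telemetry. The following is an added example, not code from the researchers or from TrickBot: it assumes Sysmon-style event records, and the watchlist and all sample events are constructed for illustration rather than taken from the sample.

```python
import re

# Assumed input: dicts with Sysmon field names (EventID 13 = registry value set,
# EventID 1 = process creation).
IFEO = re.compile(r"\\Image File Execution Options\\([^\\]+)\\Debugger$", re.I)
DEFENDER_REG = re.compile(
    r"\\SOFTWARE\\(?:Policies\\)?Microsoft\\Windows Defender\\(?:.*\\)?(Disable\w+)$", re.I)
MP_SWITCH = re.compile(r"-(Disable\w+)\s+(?:\$true|1)\b", re.I)
WATCHLIST = {"msmpeng.exe"}  # hypothetical list of security-tool images; extend locally

def classify(event):
    """Return (rule, detail) when an event matches a tampering pattern, else None."""
    eid = event.get("EventID")
    if eid == 13:
        target = event.get("TargetObject", "")
        m = IFEO.search(target)
        if m:  # a Debugger value makes Windows start the debugger before the image
            image = m.group(1)
            rule = ("ifeo-debugger-security-tool"
                    if image.lower() in WATCHLIST else "ifeo-debugger")
            return rule, f"{image} -> {event.get('Details', '')}"
        m = DEFENDER_REG.search(target)
        if m and not event.get("Details", "").endswith("(0x00000000)"):
            return "defender-registry-disable", m.group(1)
    elif eid == 1:
        cmd = event.get("CommandLine", "")
        if "set-mppreference" in cmd.lower():
            switches = MP_SWITCH.findall(cmd)  # only switches being turned on
            if switches:
                return "defender-mppreference-disable", ",".join(switches)
    return None

def scan(events):
    return [hit for hit in map(classify, events) if hit]

# Constructed sample events: three tampering attempts and two benign commands.
SAMPLE_EVENTS = [
    {"EventID": 13, "Details": r"C:\ProgramData\placeholder-debugger.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                     r"\Image File Execution Options\MsMpEng.exe\Debugger"},
    {"EventID": 1, "CommandLine": "powershell.exe Set-MpPreference "
     "-DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true"},
    {"EventID": 13, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
                     r"\Real-Time Protection\DisableRealtimeMonitoring"},
    {"EventID": 1, "CommandLine": "powershell.exe Get-MpPreference"},
    {"EventID": 1, "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Image File Execution Options debuggers also have legitimate uses, so the plain `ifeo-debugger` rule is a lead to triage rather than a verdict.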

Europe’s top court has made a ruling that could affect scores of websites that embed the Facebook ‘Like’ button and receive visitors from the region. The ruling by the Court of Justice of the EU states such sites are jointly responsible for the initial data processing — and must either obtain informed consent from site visitors prior to data being transferred to Facebook or be able to demonstrate a legitimate interest legal basis for processing this data. The ruling is significant because, as currently seems to be the case, Facebook’s Like buttons transfer personal data automatically when a webpage loads — without the user even needing to interact with the plug-in. This means that websites relying on visitors ‘consenting’ to their data being shared with Facebook will likely need to change how the plug-in functions, to ensure no data is sent to Facebook before visitors are asked if they want their browsing to be tracked by the ad tech giant. The background to the case is a complaint against online clothes retailer Fashion ID by a German consumer protection association, Verbraucherzentrale NRW — which took legal action in 2015 seeking an injunction against Fashion ID’s use of the plug-in, which it claimed breached European data protection law. Like ’em or loathe ’em, Facebook’s ‘Like’ buttons are an impossible-to-miss component of the mainstream web, though most Internet users are likely unaware that the social plug-ins are used by Facebook to track what other websites they’re visiting for ad targeting purposes. The Fashion ID case predates the introduction of the EU’s updated privacy framework, GDPR, which further toughens the rules around obtaining consent — meaning it must be purpose-specific, informed and freely given.
Today’s CJEU decision also follows another ruling a year ago, in a case related to Facebook fan pages, when the court took a broad view of privacy responsibilities around platforms — saying both fan page administrators and host platforms could be data controllers. Complete details can be found on OUR FORUM.