11 Dec The inevitable move - 64-bit ZeuS has come enhanced with Tor Dmitry Tarakanov
10 Dec Microsoft Updates December 2013 - Patching Critical 0day Exploited in the Wild Kurt Baumgartner
05 Dec Corporate threats in 2013 - the expert opinion GReAT
04 Dec Putting malware in the picture Tatyana Shcherbakova
04 Dec ZeuS – now packed as an antivirus update Andrey Kostin
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
The more people switch to 64-bit platforms, the more 64-bit malware appears. We have been following this process for several years now. The more people work on 64-bit platforms, the more 64-bit applications that are developed as well. Sometimes these include some very specific applications, for example, banking applications.... If someone wants to hack into an application like this and steal information, the best tool for that would also be a 64-bit agent. And whatís the most notorious banking malware? ZeuS, of course Ė the trendsetter for the majority of todayís banking malware. Its web injects have become a fundamental must-have feature of almost every banking malware family. And it was only a matter of time until a 64-bit version of ZeuS appeared Ė but we didnít expect it to happen quite so soon.
Thatís because cybercriminals donít actually need a 64-bit version. ZeuS is mostly intended to intercept data passing through browsers, and modify that data allowing the operator to steal information related to online banking, to wire transactions or to cover his tracks. But nowadays people still use 32-bit browsers Ė even on 64-bit operating systems. So, 32-bit versions of ZeuS have been sufficient to keep the thieves satisfied with their earnings.
Then, out of the blue, we spotted a 32-bit ZeuS sample maintaining a 64-bit version inside. And itís turned out that this 64-bit version has already been recorded being present in the wild at least since June, 2013 and compilation date specified in the sample is April 29, 2013! Moreover, this ZeuS version works via Tor. The initial 32-bit sample injects malicious code into target processes. If the target process belongs to a 64-bit application, ZeuS injects its 64-bit version into the process; otherwise, it pushes the 32-bit version. We ran tests to see how the 64-bit ZeuS works inside a 64-bit Internet Explorer and it demonstrated the usual ZeuS functionality: in any case, the web injects functioned as usual.
This month Adobe's realing fixes for both Flash Player and Shockwave.
The vulnerabilies for Flash Player affect all platforms and concern two CVEs - CVE-2013-5331 and CVE-2013-5332, which both allow for remote code execution. Eploitation of CVE-2013-5331 using Microsoft Word as a leverage mechanism has been observed in the wild. Though Flash 11.6 introduced Click-to-Play for Office, users may still be socially engineered into running Flash content in Office documents. Make sure to apply this patch promptly.
Eight Microsoft Security Bulletins are being pushed out this month, MS13-096 through MS13-106. Five of them are rated "Critical" and another six are rated "Important". The top priorities to roll out this month are the critical GDI+ (MS13-096), Internet Explorer (MS13-097), and Scripting Runtime (MS13-099) updates.
Several of the vulnerabilities have been actively exploited as a part of targeted attacks around the world, and one of them is known to be ItW for at least six months or so.
The GDI+ update patches memory corruption vulnerability CVE-2013-3906, which we have been detecting as Exploit.Win32.CVE-2013-3906.a. We have seen a low number of ITW variations on exploitation of this vulnerability as a malformed TIFF file, all dropping backdoors like Citadel, the BlackEnergy bot, PlugX, Taidoor, Janicab, Solar, and Hannover. The target profile and toolset distribution related to these exploit attempts suggest a broad array of likely threat actors that got their hands on it since this July, and a wide reaching distribution chain that provided the exploit around the world. Considering the variety of uses and sources, this one may replace cve-2012-0158 as a part of targeted attacks in terms of overall volume.
The Internet Explorer Bulletin fixes seven different elevation of privilege and memory corruption vulnerabilities, any one of which effects Internet Explorer 6 on Windows XP SP 3 through Internet Explorer 11 on Windows Server 2012 R2 and Windows RT 8.1. We expect to see exploits for some of these vulnerabilities included in commodity exploit packs.
Finally, another critical vulnerability exists in the Windows Scripting Engine as yet another "use after free", which unfortunately enables remote code execution across every version of Windows out there and can be attacked via any of the common web browsers. Patch!
This post will likely be updated later today, but in the meantime, more about this month's patches can be found at the Microsoft site.
Companies are increasingly falling victim to cyber-attacks. According to a recent survey conducted by Kaspersky Lab and B2B International, 9% of the organizations polled were the victims of targeted attacks - carefully planned activity aimed at infecting the network infrastructure of specific organization. The extensive use of digital devices in business has created ideal conditions for cyber-espionage and the deployment of malware capable of stealing corporate data.
The full report is available here.
Spammers actively spread malware using fake notifications on behalf of various financial and banking institutions, booking and delivery services and other companies. The arsenal of tricks used by cybercriminals is constantly being updated. In particular, in recent years we have registered a number of English- and German-language mass mailings in which the attackers try to hide malware under photos and pictures.
In October, the attackers sent out fake notifications claiming to be from T-Mobile, a telecoms operator in Germany, which told users that they had received an MMS. To make the email look legitimate, the sender address contained the official company domain although the email itself was sent from a different address. The body of the email included a contact phone number for sender of the MMS and some general information related to sending and receiving multimedia messages.
The supposed photo named ‘23-10-2013 13_64_09.jpeg.exe’ was not in the body of the email but in the attached archive ’23-10-2013 43_69_10.zip’. The scammers used the popular JPEG image file format in the name of the malicious file in the hope that it would convince recipients that the archive did in fact contain the photo. However, alert users would notice that the file extension is really .exe. This executable file is detected by Kaspersky Lab as Backdoor.Win32.Androm. This bot program allows the fraudsters to remotely execute commands on the infected computer, for example, downloading and running other malware without the owner's knowledge.
Last week, Kaspersky Lab identified a mass mailing of phishing letters sent in the name of leading IT security providers. The messages we detected used the product and service names belonging to Kaspersky Lab, McAfee, ESET NOD32 and many others.
The text and general layout of each letter followed the same template; only the senders’ names and the IT security solutions mentioned in the text were different. In their messages, the cybercriminals invited the reader to install an important security update for his/her security solution to guarantee protection against a new piece of malware supposedly ravaging the web. To do so, the user simply needed to open the attached ZIP archive and launch the executable file in it. Not surprisingly, the writers urged their victims to act immediately rather than spend time thinking about who might be behind this sudden urgent letter.
Once again, it's time for us to deliver our customary retrospective of the key events that have defined the threat landscape in 2013. Let's start by looking back at the things we thought would shape the year ahead, based on the trends we observed in the previous year.
The full report is available here.
Itís december. While itís getting colder and people prepare and shop for christmas, here in Bergen, a city in Norway, experts from several countries come together talking about Passwords Ė something youíre using while buying christmas presents online for example Ė at the PasswordsCon. This one held at the University of Bergen in the Auditorium Pi.
In early November Typhoon Haiyan devastated the Philippines, with a catastrophic numbers of victims – several thousand were reported killed, while hundreds of thousands were evacuated. A few days after the typhoon struck we detected the first “Nigerian letters” in which scammers were exploiting the tragedy for their own selfish ends. The author of the letter below pretended to be a driver at a local security company. The tale of how he became a multi-millionaire sounds plausible enough.
The typhoon supposedly left the driver alone with a cargo of $11.5 million. Realizing he had lost his security escort and that the money was probably presumed lost, he decided to make the most of his predicament and conveyed the money to an associate at another security company. In the letter he is asking the recipient to help transfer the valuable cargo out of the Philippines in return for a generous reward. To add a touch of authenticity, the scammer added real links to news about the typhoon – mostly to the BBC. The news articles are the only reliable information provided in the letter. This amazing story of a newly-made millionaire, along with his name and surname are merely trying to deceive an unsuspecting recipient.