
Virus Watch|From Cocos Islands to Cameroon

Eugene Aseev
Kaspersky Lab Expert
Posted July 14, 15:01 GMT
Tags: Search Engines, Google, Malware Statistics

The cybercrime business is really no different from other types of business such as pasta making or selling spare parts for cars. It has its own expenses and overheads. A hacker, just like any businessman, tries to keep the cost of attacks down.

In general, a web attack needs a domain name and hosting in order to spread malicious files. Everything is fairly straightforward with regards to hosting: the criminals either buy it themselves or use cracked servers to store their files. Protective measures cannot extend to the blocking of whole file servers, as legitimate data may also be stored on them.

Domain names can be blocked quickly by integrated security solutions. Therefore, a black hat has to constantly change the domain names from which their attacks originate.

Registration of a second-level domain name is relatively expensive (on average from $5 to $20 per unit), which is why cybercriminals often try to save money and use free third-level domain names.

Lately, the co.cc and cz.cc services have been at the forefront of cybercriminal activity. Hundreds of domain names were being registered every day, spreading a huge amount of malware over the Internet.

However, a couple of weeks ago an unprecedented event occurred: Google removed all resources located at co.cc from its search results.

As a result, it was no longer profitable for cybercriminals to register domain names in this zone, especially for those who make use of search engines (e.g. for spreading rogue AV with the help of black hat search engine optimization).

Research|Pegel now in banners

Eugene Aseev
Kaspersky Lab Expert
Posted September 17, 15:11 GMT

We're still monitoring Pegel, and we've come across something which piqued our interest: redirects to malicious websites hosting exploits weren't only coming from infected legitimate sites, but also from flash ads on legitimate sites. Not really standard, so we decided to take a closer look.

Flash ads used in this way are displayed by the browser just like a normal banner, and if you click on one, you do end up on an advertising site.

But when we analyzed the ActionScript code of the ad, we found the following script which runs when the ad is loaded:

So when the banner's displayed, a script on the cybercriminals' server is run, and it's this script that redirects the user to a web page hosting exploits. It looks as though the static banners had been replaced with a very specific type of flash ad. Only one question remained: how was this done?

Research|Adobe yet again

Eugene Aseev
Kaspersky Lab Expert
Posted March 15, 13:13 GMT
Tags: Adobe PDF

Vulnerabilities continue to be detected and successfully exploited in Adobe’s most popular products - Acrobat and Reader.

Some days ago we received an interesting PDF file (detected as Exploit.JS.Pdfka.bui) which contained an exploit for the CVE-2010-0188 vulnerability, which was originally discovered back in February in Acrobat/Reader version 9.3 and earlier.

The first thing that catches the eye is the intentionally malformed TIFF image inside the PDF file.

The vulnerability – a buffer overflow – manifests itself when the field containing the image is accessed. The attack is carried out using ‘heap spraying’, a technique popularly used by many exploits on products capable of running JavaScript code, the recent Aurora attack being a good example of this technique in action.