The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1
Latest posting
By rating
By popularity

Join our blog

You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.


We have discovered a new Tor-based malware, named "ChewBacca" and detected as "Trojan.Win32.Fsysna.fej". Adding Tor to malware is not unique to this sample, but it-s still a rare feature.

Lately Tor has become more attractive as a service to ensure users- anonymity. Also criminals use it for their activities, but they are only slowly adopting this to host their malicious infrastructure. This capability was added to Zeus recently, as reported by my colleague Dmitry Tarakanov here. In addition, the CrimewareKit Atrax and the botnet-based on Mevade became known because of this.

Events|PasswordsCon in Bergen

Kaspersky Lab Expert
Posted December 03, 10:02  GMT
Tags: Passwords

Its december. While its getting colder and people prepare and shop for christmas, here in Bergen, a city in Norway, experts from several countries come together talking about Passwords something youre using while buying christmas presents online for example at the PasswordsCon. This one held at the University of Bergen in the Auditorium Pi.

Events|DefCon21 2013

Kaspersky Lab Expert
Posted August 03, 04:06  GMT
Tags: Conferences

Worlds largest Hacker conference is taking place these days in Las Vegas, just after BlackHat. Over the weekend thousands of hackers from all over the world come together to present their research, compete with each other in the various contests and enjoy playing with Hardware and Software in many ways. Its hosted at the Rio Hotel utilising more than just the convention centre. You will spot people with DefCon-Badges in every direction you may go while being in Vegas.

Events|Passwords13 (Hot Topic in Hot City)

Kaspersky Lab Expert
Posted July 31, 02:30  GMT
Tags: Conferences, Data leaks

Before BlackHat and DefCon taking place this week in Las Vegas, another conference attracts security experts: Passwords13. A free to attend conference about Passwords and Authentication from attackers and defenders perspective.

Events|Hot Topic in Icy Country

Kaspersky Lab Expert
Posted December 04, 08:03  GMT
Tags: Conferences, Trainings, Passwords

These days Passwords^12 is taking place in Oslo - a conference only dedicated to passwords and pin codes. With temperatures around -15 degrees (Celsius) outside, in the conference rooms of the University in Oslo, Department of Informatics, talks by well known security experts are given.

Every day you use passwords. While logging on to your computer, smartphone or tablet, accessing your emails or your social network site and also for online banking and online shopping. Recent database breaches of user logins show that there is a high demand for more security in this area. During these days talks and discussions only care about this.

Events|Welcome to Miami Hacker Halted USA

Kaspersky Lab Expert
Posted October 30, 03:26  GMT

The 5th Hacker Halted USA is now taking place in Miami under the slogan - Unravel the Enigma of Insecurity after hurricane Sandy passed Florida last weekend.

Day 1 is the keynote day, so luckily no splitted presentation-streams. After a nice conference opening by Eric Lopez (Conference Director), Jay Bavisi gave a good introduction about the challenges of the post-PC era. He described the evolution of the hardware landscape from classic PCs to small, mobile and smart devices and how the requirements for it-security change. Further this brings problems to forensics, more privacy risks and new social engineering attacks as well as other threats.

Incidents|The end of DNS-Changer

Kaspersky Lab Expert
Posted July 06, 13:28  GMT
Tags: Botnets, Infected Files and Devices, DNS, Microsoft

FBI's “Operation Ghost Click” was discussed earlier by my colleague Kurt here and here and now it comes to an end.

Next Monday, 9th of July, at 06:00 (MEZ) the temporary DNS-servers setup by FBI will be shut down. But still there are still thousands of infected machines – one can wonder, what will happen to them?

Computers in the internet have their own address – the IP-address. There are two versions:

  • IPv4 which is a 32-bit address e.g. and
  • IPv6 which is a 128-bit address e.g. 2001:db8:85a3:8d3:1319:8a2e:370:7347

You clearly see that these addresses are not so easy to remember compared to e.g. “kaspersky.com”. Therefore the “Domain Name System” was created which translates domain-names as “kaspersky.com” to their respective IP-address to connect to the server.

The DNS-Changer malware replaces the DNS-servers on the infected system with its own. FBI Press Release

The reason they do this is because it facilitates “Click Hijacking”. This is a technique where infected users are redirected to advertisement websites from the criminals and “Advertising Replacement” where on legitimate websites the advertisements were exchanged with one from the criminals.

Luckily, the FBI caught the criminals and installed temporary DNS-Servers in order to avoid a “black-out” for the mass of infected computers.

This temporary solution will come to an end on Monday when the servers are shut down. When this happens, the infected machines will no longer able to resolve domain names in order to connect to e.g. a website.

Of course, if you know the address of the server you can still use it instead of the name e.g. is “securelist.com” but this is not easy solution.

We would like to point out that despite the big noise around this topic, there is no need to panic. The solution is rather simple – read below for more.

First of all, it might be interesting to point out that in 2012 we detected 101.964 attempts by DNSChanger malware to infect our users.

The good news is that the infections were blocked and the number of infection attempts is going down.

For instance, this map of the past week shows that the amount of infection attempts/detections as decreasing. Of course, computers with no or old protection are still in danger of possible unspotted infections.

So, how to check if you are infected with DNSChanger?

The DNS Changer Working Group provides helpful information on their website – unfortunately, we previously mentioned that automatic websites setup for this purpose do not work 100% well. So, the manual solution of checking the DNS server IPs is better.

If you are infected, you can change your DNS entries to the free DNS-Servers from Google: and OpenDNS also offers two: and, which we also recommend for additional security features.

The best solution is of course to install a security suite capable of detecting and cleaning the infection and fixing the DNS servers.

Since many DNSChanger infections are accompanied by TDSS, a rather nasty rootkit, you can also use our tool “Kaspersky TDSSKiller” in order to detect and delete the infection

comments      Link

Research|Apple's silent updates

Kaspersky Lab Expert
Posted March 22, 11:11  GMT
Tags: Apple MacOS, Antivirus Technologies

Apple has released MacOS X 10.6.7 with several bugfixes and security-patches. This patch bundle also includes a silent update to Apple‘s built-in Xprotect anti-virus functionality.

With the release of Snow Leopard (Mac OS X 10.6) Apple introduced a basic antivirus protection called „XProtect“. It scans and detect threats when files are downloaded through Safari, Mail, iChat, Firefox and a few more and afterwards executed. The Signature-List is updated via Apples Software Update.

Till now Xprotects database contained signatures for three well-known threats:
- OSX.RSPlug.A: changes local DNS-entries, came through fake video-codecs
- OSX.Iservice: attacks websites (DDoS), came bundled with pirated applications
- OSX.HellRTS: known as HellRaiser, tool which gives the attacker full access ofver the victims system. Version 4.2 public available, version 4.4 sold for 15$ by the creator in underground forums.

Research|Twitter, Leaks and Spam

Kaspersky Lab Expert
Posted December 13, 14:48  GMT
Tags: Spammer techniques

It's quite common to see attackers use hot topics on social networks to force users to click on malicious links. So what would be more interesting these days than using the term “Wikileaks”?

The following message arrived this weekend on one of my spam mail accounts. The subject “Wikileaks on Twitter!” caught my attention as I didn’t expect to see a spam mail with that keyword.

The design was cleverly done to trick users into thinking the mail was sent from Twitter. The Twitter logo is integrated and the text promises to be a service e-mail. All three links lead to the same “Canadian Health & Care” Website which is already known for Phishing/Web Forgery.

Events|When security gets hot

Kaspersky Lab Expert
Posted August 02, 04:30  GMT
Tags: Conferences

There are people who think that all hackers should be sent to the desert - well, once a year this dream comes true.
Greetings from Las Vegas where two major security conferences just ended.

As every year Black Hat took place here at the Caesars Palace. People from around the globe gave presentations about ATM-hacking, reverse-engineering and other security related topics distributed over 11 tracks in two days. The host casino offers for this event lots of space, so you walk long until you get in the target room where you want to attend the presentation.
At the vendor area you may always find interesting people to talk to or get information about security products and services. This year a big group of Kaspersky people attended Black Hat 2010 (from the US, Japan, Romania, France and Germany).