
Incidents|Boston Aftermath

Michael
Kaspersky Lab Expert
Posted April 17, 04:02  GMT
Tags: Malvertizing, Spam Letters, Social Engineering

While many are still in shock after the Boston Marathon bombings on 16 April, it didn't take long for cyber criminals to abuse that tragic incident for their dirty deeds.

Today we have already started receiving emails containing links to malicious locations with names like "news.html". These pages contain URLs of non-malicious YouTube clips covering the recent event. After a delay of 60 seconds, another link leading to an executable file is activated.



The malware, once running on an infected machine, tries to connect to several IP addresses in Ukraine, Argentina and Taiwan.
Kaspersky Lab detects this threat as "Trojan-PSW.Win32.Tepfer.*".

MD5sums of some of the collected samples:
5EA646FFDC1E9BC7759FDFC926DE7660
959E2DCAD471C86B4FDCF824A6A502DC

Our thoughts and prayers are with our colleagues in Massachusetts and others affected by the tragic events in Boston.

Incidents|Japan Quake Malware Again

Michael
Kaspersky Lab Expert
Posted March 25, 14:29  GMT
Tags: Social Engineering, Spammer techniques

The earthquake and tsunami related crisis in Japan is still far from over, and neither is the appearance of new cyber threats trying to exploit that same crisis.
Tens of thousands of people in Japan have lost their homes, and many their loved ones too. On top of that, radiation leaks are still a major concern for the country and its observers, while new tremors remind everyone of nature's power on an almost daily basis. (At the time of writing, a magnitude 6.2 quake shook the place!)

Today we investigated another malicious webpage. This one states in Portuguese: "Novo tsunami atinge a região de Sendai e Japão declara estado de emegência em usina nuclear", which roughly translated means "New tsunami reaches the area of Sendai, Japan declares state of emergency at nuclear power plant".


Incidents|Spammers hacked pool

Michael
Kaspersky Lab Expert
Posted July 05, 07:12  GMT
Tags: Spam Letters, Website Hacks, Spammer techniques

In recent spam mails we have often noticed links to *.html files with random names. Another trend is that the cybercriminals do not even bother to register domains for their dirty deeds, but simply plant their malicious code on compromised hosts. "Simply?" one may ask, and sadly the answer seems to be "yes" based on our observations.

For example, we have collected a few hundred mails of a certain type promoting online software shops; a small portion is shown in the animated GIF image below.

All of the samples stick out because they contain colored text/links which point to compromised legitimate websites. The links also show that the files are located directly at the root URLs of these sites and not in a subfolder of some vulnerable application, as we usually see.

We can assume that the intruders have 'write' access, at least to the www root of the involved sites, which is a very worrying fact. We have also confirmed that in many cases not only were the abovementioned spam links stored on the victims' servers, but additionally malicious iframes or JavaScript snippets were injected into the main content of the sites.

Another sample reaching us today just confirms that the cybercriminals are not sparing with the domains they abuse, and indeed seem to have a pool of unknown size at their disposal. The capture below shows a spam mail where each of the 12 links in the mail body points to a unique site. All of these sites also contain malicious code in their root which we detect as 'Trojan-Clicker.JS.Agent.*'.

Please do not attempt to visit these links shown if you are not sure of what you are doing.

Incidents|iFrames = Apple too?

Michael
Kaspersky Lab Expert
Posted June 12, 15:36  GMT
Tags: Website Hacks, Obfuscation

Looking up definitions for 'iframe' does indeed give results about "... a constraint of the H.264 codec specified by Apple to ensure ease of consumer video editing." Such iframes do contain all necessary rendering information and serve as a reference for constructing other frames. But here we discuss the other kind of iframes: HTML tags. Iframes can have several attributes, and we often encounter them when analysing malicious sites. They are often used in a hidden way to construct drive-by downloads of malware. To hide them even more, simple encoding (also called 'obfuscation') is often used, which web browsers decode on the fly. Knowing that, we can search for interesting websites. For example, doing a web search for "#64#6f#63#75#6d#65#6e#74#2e#77#72#69#74#65" (which decodes to 'document.write'), we instantly get 10,000+ results.
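As an added defensive illustration (this is not code from the original post), the following Python scanner finds hex-encoded runs of the kind quoted above, decodes them and flags markers such as document.write or an iframe tag. The sample HTML is constructed for the example; handling the '%xx' spelling consumed by JavaScript's unescape() alongside the '#xx' form shown on the page is an assumption that goes beyond the post.

```python
import re

# A run of at least four '#xx' (or '%xx') hex bytes; short runs such as a
# lone '#12' in ordinary text are deliberately ignored.
HEX_RUN = re.compile(r'(?:[#%][0-9a-fA-F]{2}){4,}')

# Markers whose presence in decoded content is worth a closer look.
SUSPICIOUS = ('document.write', '<iframe', 'unescape(', 'eval(')


def decode_hex_run(run: str) -> str:
    """Turn '#64#6f#63' or '%64%6f%63' into the characters they encode."""
    return bytes.fromhex(re.sub(r'[#%]', '', run)).decode('latin-1')


def find_obfuscated(html: str) -> list:
    """List every hex run in html with its offset, decoded text and markers."""
    hits = []
    for m in HEX_RUN.finditer(html):
        decoded = decode_hex_run(m.group(0))
        markers = [s for s in SUSPICIOUS if s in decoded.lower()]
        hits.append({'offset': m.start(), 'decoded': decoded, 'markers': markers})
    return hits


def is_suspicious(html: str) -> bool:
    """True if any decoded run contains one of the SUSPICIOUS markers."""
    return any(h['markers'] for h in find_obfuscated(html))


# Constructed sample page: carries the post's own '#xx' string and a
# constructed '%xx' run that decodes to '<iframe'.
SAMPLE = (
    '<html><body><p>podcast feed</p>'
    '<script>var s="#64#6f#63#75#6d#65#6e#74#2e#77#72#69#74#65";'
    'var t="%3c%69%66%72%61%6d%65";</script>'
    '</body></html>'
)

if __name__ == '__main__':
    for hit in find_obfuscated(SAMPLE):
        print(hit)
```

Run it against saved copies of pages (never by fetching the sites the post mentions) to triage which ones carry encoded script; a hit is a lead for analysis, not proof of infection on its own.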



The first entry in our search results is a link to a torrent site where users discuss a malicious package. Ironically, in between these search results we also noticed what seems to be an 'infected podcast' hosted at itunes.apple.com, which brings us back to the initial talk about iframes. The injected code contains an iframe redirecting to moshonken(dot)com, a host known for having spread exploits in the past. Currently that host appears not to be operational, but malicious code trying to access it is still injected in many legitimate sites, as our search results showed. We detect this code as 'HEUR:Trojan.Script.Iframer' and have reported the problem via Apple's feedback form.

Incidents|Gumblar at Lemesos

Michael
Kaspersky Lab Expert
Posted May 31, 22:21  GMT
Tags: Gumblar

Here we are, gathered in Larnaca (Cyprus) for the Security Analyst Summit 2010. Beautiful beaches, gorgeous weather; the first thing coming to mind would be jumping into any of the numerous pools or into the sea and having some fun.

WOULD be indeed. However, what came up instead was malware attacks while trying to log in to the hotel's Wi-Fi network. Gumblar. It was our dear friend Gumblar, variant .x to be precise.

So... did we hit the beaches? No... we helped the hotel IT staff clean up the mess. Now we are at the beach – finally :-)))))))))

Research|Gumblar infection count

Michael
Kaspersky Lab Expert
Posted December 04, 06:23  GMT
Tags: Gumblar

We've now analyzed more than 600 MB of collected data related to the recent resurrection of the Gumblar threat. Overall, we've identified 2000+ Infectors (computers hosting the malicious *.php files and payload) and 76100+ 'Redirectors' (computers with links leading back to the malicious sites). Most Infectors are also part of the group of Redirectors: they serve one *.php file and additionally contain the link to another Infector in their own entry page.

(If you're interested in the structure of the Gumblar threat, my colleague Vitaly gives more details here)

Comparing the stats below with those from a month ago, you can see how the threat has spread and evolved. These latest numbers are a snapshot of November 30th and are continuing to increase steadily.

Research|Gumblar update

Michael
Kaspersky Lab Expert
Posted November 02, 10:11  GMT
Tags: Gumblar

As expected, we can confirm more compromised machines. Our current count looks as follows:

7798  UNITED STATES
1765  INDIA
1332  ARGENTINA
1244  TURKEY
1094  RUSSIAN FEDERATION
1084  GERMANY
 968  SPAIN
 950  ISLAMIC REPUBLIC OF IRAN
 881  REPUBLIC OF KOREA
 878  MOROCCO
 822  CANADA
 815  PERU
 792  JAPAN
 712  THAILAND
 689  AUSTRIA
 678  ROMANIA
 655  POLAND
 654  ISRAEL
 628  SWEDEN
 599  ITALY

These numbers stand for unique hosts; some of them contain several user directories etc., which means that the real count is much higher than shown here. As mentioned before, each of these hosts is spreading a set of malicious files which are sent to a user depending on the computer's environment. We used the site www.virustotal.com to confirm the current detection status of the 41 antivirus vendors that participate on that site. The result showed that currently only 3 out of 41 vendors detect the malicious *.php file which is injected at the above locations. The malicious *.pdf file scored 4/41 and the Flash content was detected by 3 out of 41 vendors. However, the main executable payload was detected by 33 vendors. Of course, these malicious files can be changed at any time by the criminals who operate this scheme. We are closely monitoring further developments in order to protect our users as fast as possible.

Virus Watch|The new gumblar

Michael
Kaspersky Lab Expert
Posted October 30, 10:30  GMT
Tags: Gumblar

Around October 20th we received mails from our office in Turkey about the "possible spread of a new virus". And our colleagues were right, something was going on. Some days before that, on Oct 16th, we noticed changes on some websites which we had been monitoring since May 2009, when 'gumblar' was spreading. While the attack in April/May just worked with iframes redirecting to two malicious sites (gumblar.cn, martuz.cn), this time the spreading servers are more widely distributed: we identified more than 202 locations.

The following is a TOP 20 list of countries with 'injected' hosts that point to these malicious URLs:

7271  UNITED STATES*
 704  RUSSIAN FEDERATION
 675  REPUBLIC OF KOREA
 619  ISLAMIC REPUBLIC OF IRAN
 540  TURKEY
 510  GERMANY
 499  INDIA
 487  JAPAN
 400  THAILAND
 382  POLAND
 379  BRAZIL
 345  ARGENTINA
 298  CZECH REPUBLIC
 187  HUNGARY
 182  BELGIUM
 173  ITALY
 163  ROMANIA
 159  UKRAINE
 157  FRANCE
 117  VIET NAM

*Note: The US count contains more than 4000 entries pointing to a Persian Blog Site, which probably was the biggest abused entry so far.

Incidents|Infected devices

Michael
Kaspersky Lab Expert
Posted April 10, 20:01  GMT
Tags: Infected Files and Devices

It seems as if we can't turn around anymore without hearing about infected devices of all sorts. This week we've already seen HP admitting to shipping infected floppy/flash drives - see SANS Internet Storm Center for details.

In the meantime, one of my co-workers went on vacation and treated herself to an MP3 player.

She got home and plugged her new toy into a USB port on her PC and yes, you guessed it: it was infected. Fortunately she had KIS installed:

On the one hand, we all enjoy using our smartphones, MP3 players, flash drives and so on. On the other hand, we can't ever be sure that our devices are clean. So protect those servers and laptops, folks, because portable devices aren't going away anytime soon. Nor are they secure.


A range of cases show that compromised computers can be found in almost any field of business. We have seen phishing pages hosted on school and university sites as well as banking and government websites. This week we came across a rather rare case of a PayPal phishing scam planted on a machine apparently belonging to a provider of IT security solutions.

This is one of the many examples that show that even if a network is maintained by qualified specialists, you can't let your guard down for a minute.

Of course we notified the company the minute we discovered the glitch and 8 hours later the phish had been removed.

Incidentally, the phishing setup contained "Trojan-Spy.HTML.Paylap.hp" as well as "Trojan-Spy.HTML.Paylap.hn", both of which have been detected by Kaspersky products since January 2006.
