Recent posts:
25 Jul Madi is back - New Tricks and a New Command&Control Server
18 Apr New Spam campaign on Twitter Leads to Rogue AV
18 May Facebook profile: No, it doesn’t work!
16 May Mac Protector: Register your copy now! Part 2
Last night, we received a new version of the #Madi malware, which we previously covered in our blog.
Following the shutdown of the Madi command and control domains last week, we thought the operation was dead. Looks like we were wrong.
The new version appears to have been compiled on July 25th as it can be seen from its header:

It contains many interesting improvements and new features. It can now monitor VKontakte as well as Jabber conversations. It also looks for people who visit pages containing "USA" and "gov" in their titles. In such cases, the malware takes screenshots and uploads them to the C2.
Here's a full list of monitored keywords:
"gmail", "hotmail", "yahoo! mail" , "google+", "msn messenger", "blogger", "massenger", "profile", "icq" , "paltalk", "yahoo! messenger for the web","skype", "facebook" ,"imo", "meebo", "state" , "usa" , "u.s","contact" ,"chat" ,"gov", "aol","hush","live","oovoo","aim","msn","talk","steam","vkontakte","hyves", "myspace","jabber","share","outlook","lotus","career"
Analysis
Blog
Alerts
Early today, Kaspersky Lab discovered a new ongoing spam campaign on Twitter. Hundreds of compromised accounts are currently spamming malicious links, hosted on .TK and .tw1.su domains, leading to rogue antivirus software.

Here is an analysis of the infection at a given point in time. Keep in mind that it is just a snapshot of the infection, and that the real numbers are actually higher than what is shown here.
Analysis
Blog
We are currently investigating a new malicious campaign on Facebook mostly targeting French-speaking users. When visiting infected users’ profiles, you see the following:
Translation: Wow, it really works! Find out who is viewing your profile!
The various links that are used rotate quite fast and lead unwitting victims to a website that explains what they need to do. Here’s what it looks like:
Basically, there are 2 steps.
Analysis
Blog
A few days ago I published a blog post regarding the reverse engineering of the Mac OS X Rogue AV registration routine. The goal was to see if the product was acting like a legitimate one once registered. The product behaved normally and pretended to clean the machine, like its Windows counterparts. It was also possible to gather intelligence on the technical support once registered.
So today, I had a look at a newer variant to see whether the registration algorithm was similar or not.
The serials are no longer in plain text, but it’s still very easy to break. Here is how.
The registration function is still the same: __RegEngine_CheckKey__.
Let’s have a look into it and see how different it is now.

Analysis
Blog
My colleagues Fabio Assolini and Vicente Diaz recently wrote two blog posts regarding the Rogue AVs for Mac OS X. After executing it on a test machine and playing with it, I noticed there was some hidden information in the About window, as can be seen below:

I was interested in the “Support” information, but it’s only available to registered customers. I also wanted to confirm a few things, such as the “cleaning” of the fake threats once registered, and to see if the “infected” popups would stop.
Analysis
Blog
Back in November 2010, we wrote a blog post about a new variant of the Gpcode Ransomware.
Kaspersky Lab discovered a new variant today, in the form of an obfuscated executable. Please review the technical details for further information. The threat was detected automatically thanks to the Kaspersky Security Network as UDS:DangerousObject.Multi.Generic.
Specific detection has been added and the threat is now detected as Trojan-Ransom.Win32.Gpcode.bn.
The infection occurs when a malicious website is visited (drive-by download).
Upon execution, the Gpcode ransomware generates a 256-bit AES key (using the Windows Crypto API) and uses the criminals’ 1024-bit RSA public key to encrypt it. The encrypted result is then dropped on the Desktop of the infected computer, inside the ransom text file:

Analysis
Blog
Alerts
Kaspersky Lab is still monitoring malicious websites involved in the recent Japan spam campaigns.
For those who may have missed the first two blog posts, you can read them here and here. However, today we discovered that some of the payloads were not the usual Trojan-Downloader.Win32.CodecPack.*.
Instead, the payload is now ransomware (detected as Trojan-Ransom.Win32.PornoBlocker.jtg), disguising itself as a fake warning message from the German Federal Police. The message pretends that your computer has been blocked because it was found to be hosting child pornography.
Victims are asked to pay a 100 euro fine to unlock the machine.
As if the German police logo wasn’t enough, they also use logos from anti-virus companies such as Kaspersky Lab to look more convincing.
Analysis
Blog
Last week, we published a blog post regarding the ongoing spam campaign using the recent earthquake in Japan to infect users. This is a follow-up blog post describing the exploits used.
According to our analysis, it seems that the malicious links from the spam emails lead to websites hosting the Incognito Exploit Kit.
Here is an interesting picture from the servers hosting the exploit kit:

Analysis
Blog
Kaspersky Lab has detected a malicious spam campaign using the recent earthquake in Japan to infect users. These emails contain malicious URLs:


Analysis
Blog