
Incidents|Pirate episodes scam

Costin Raiu
Kaspersky Lab Expert
Posted January 26, 12:18  GMT
Tags: Social Engineering

TV series such as “The Simpsons” are hugely popular and have hundreds of thousands of fans around the world. Unlike “Southpark”, another hugely popular series, not all of its episodes are freely available on the web. As a result, there is high demand on the web for such episodes and, as usually happens, scam tactics appear around them. Here’s one such example that we have seen recently on the popular website Dailymotion:

Events|Techfest Mumbai 2011

Costin Raiu
Kaspersky Lab Expert
Posted January 11, 05:36  GMT
Tags: Conferences, Exhibitions, Numerology, Trainings

Last week I got the chance to drop by the IIT campus in Mumbai, India, for the Techfest 2011 conference.


This was a great opportunity to meet some of the world’s brightest students and to listen to some very interesting lectures from people such as Richard Stallman, who needs no introduction, William Baker, the structural engineer for the famous Burj Khalifa, KS Pua, the inventor of the pen drive, and Jaap Haartsen, the engineer who developed the Bluetooth specification. For a full lineup of the speakers, you can go here: http://www.techfest.org/lectures/

Incidents|iPhone Jailbreaking, Greenpois0n and SHAtter Trojans

Costin Raiu
Kaspersky Lab Expert
Posted September 20, 11:24  GMT
Tags: Apple MacOS

When iPhone jailbreaking was declared legal earlier this year, in June, Apple fans from all around the world rejoiced. Sites such as Jailbreakme.com appeared, which make it simple and straightforward to jailbreak older iPhones.

Indeed, the keyword here is "older": when Apple started selling the new iPhone 4G, it also patched the vulnerabilities that made it possible for users to jailbreak it.

This is why until now it's been impossible to jailbreak newly purchased iPhones that come with iOS 4.0.2 or iOS 4.1.

News|LNK patch is out

Costin Raiu
Kaspersky Lab Expert
Posted August 03, 13:41  GMT
Tags: Microsoft

Just a short notice and heads-up to all: the Microsoft Security Bulletin MS10-046, which deals with the LNK vulnerability originally exploited by Stuxnet, is now out. If you haven't patched yet, you should. This is a critical vulnerability which is being actively exploited in the wild.

Humour|My vacation photos

Costin Raiu
Kaspersky Lab Expert
Posted July 30, 13:19  GMT
Tags: Social Networks, Apple iPhone, Data leaks

Yes, it’s that time of the year again! People from all around the world try to escape the heat and pollution of the big cities and find much more enticing options. Once the vacation is over and we are all back to work, what does everybody do first?

Publish photos, of course!


Last night, Verisign acted promptly and revoked the second stolen certificate used to sign a version of the Stuxnet rootkit driver. As previously mentioned, this certificate belonged to JMicron Technology Corp, a popular Taiwanese hardware company.

We have prepared a short FAQ about Stuxnet and the revoked stolen certificates:

1. I heard Microsoft and Verisign revoked the stolen Realtek certificate. Does it mean I’m safe now?

Due to the way certificates work, a revoked certificate doesn’t mean the malware will not run anymore. You will still get infected by Stuxnet and the driver will still load without any warning. The only effect of the revocation is that the bad guys will not be able to sign any further malware with that certificate.

2. How many stolen certificates are we talking about?

So far, we’ve seen Stuxnet drivers signed with certificates from JMicron Technology Corp and Realtek Semiconductor Corp. Both companies seem to have offices in the Hsinchu Science and Industrial Park, which could indicate an insider job. It is also possible that the certificates were stolen using a dedicated Trojan, such as Zeus, meaning there could be more.

3. I have a Realtek/JMicron motherboard/network card in my computer. Does it mean that I am at risk?

So far, we haven’t found anything suspicious in the Realtek/JMicron hardware drivers.

4. Now that Microsoft and Verisign revoked the Realtek/JMicron certificates, does it mean that my Realtek/JMicron drivers will stop working?

No. Due to the way certificates and signatures work, the revocation doesn’t have any effect on already signed drivers. Both companies were issued new certificates, which they can use to sign upcoming drivers.

5. Are we going to see more signed malware in the future?

Most likely, yes. There are currently tens of thousands of malicious programs that have been signed; that’s a fact. For more information, I encourage everyone to view Jarno Niemelä’s excellent presentation “It's Signed, therefore it's Clean, right?”, presented earlier this year at the CARO Workshop.


Incidents|Stuxnet and stolen certificates

Costin Raiu
Kaspersky Lab Expert
Posted July 20, 13:12  GMT
Tags: Malware Technologies, Rootkits

Yesterday, our colleagues from ESET discovered a new version of Stuxnet, which has its driver signed by yet another trusted party: "JMicron Technology Corp.".

JMicron is a rather well known hardware producer; I myself have owned about three or four different computers which had JMicron components inside.

The initial Realtek certificate was suspicious, but another stolen certificate raises interesting questions.

One possibility here is that both JMicron and Realtek got infected with a trojan such as Zeus, which steals digital certificates. Then, the cybercriminals who got the certificates either re-sold them on the market or used them themselves to sign the Stuxnet drivers.

To be honest, the fact that trojans were stealing digital certificates did not really seem that impressive when I first saw this capability.

Now, coupled with the Stuxnet story, it begins to make sense.


During the weekend, the maintainers of the Unreal IRCd server source discovered a backdoor in the publicly available kit on their mirrors. The full announcement can be found on their website, but here’s an important quote which grabbed my attention:

“It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors). It seems nobody noticed it until now.”

Practically, this means the trojanized software was available for download for about 8 months before it was discovered.

Incidents|YouTube Toolbars

Costin Raiu
Kaspersky Lab Expert
Posted June 10, 09:00  GMT
Tags: Google

Yesterday I uploaded my first ever HD movie to YouTube. Once this was finished, I immediately got an email from YouTube saying “Congratulations on your first YouTube upload!” along with further hints and tips on getting the best out of it. Only a couple of hours later, I got another email, this time saying “Hello, Have you tryed YouTube Toolbar?”

The typo in the subject line should be a good indication to anyone that this was most likely not from YouTube. Indeed, the message, which was rather poorly formatted, contained a link to a Backdoor.IRC.Zapchast variant.

[Image: Backdoor.IRC.Zapchast.i spam email]

Opinions|Google abandoning Windows for Linux and MacOS

Costin Raiu
Kaspersky Lab Expert
Posted June 02, 13:40  GMT
Tags: Google

Earlier this week, a few stories appeared about Google dropping Windows inside their corporate network in favor of MacOS and Linux. This seems to have been triggered by the famous targeted attack now known as the "Aurora" operation. Of course, this looks like a huge blow to the security image of Microsoft products; however, does it really make any sense?

First of all, Google didn't get broken into because they were running Windows. They got hacked because they used IE6, a product that is 9 years old. Google fell victim to the attack because they didn't follow the most basic security advice we recommend for our users, which is to patch and to use a modern browser, like IE8 or Firefox.