The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1
Latest posting
By rating
By popularity

Join our blog

You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.

Incidents|Live Twitter XSS

Georg 'oxff' Wicherski
Kaspersky Lab Expert
Posted September 21, 11:41  GMT
Tags: XSS, Website Hacks, JavaScript

It's one of these days where I just had one of these "Oh no..." moments when I logged into my Twitter account and suddenly a message box with my cookie popped up.

Apparently, there is an actively exploited XSS vulnerability on Twitter. From my first preliminary analysis, you'll have to hover over a link to activate it and so far I have just seen some proof of concepts from people I follow. However, this vulnerability looks at least semi-wormable, so better turn JavaScript off on Twitter for now!

Update (14:05 CEST): This vulnerability is confirmed to be exploitable with no user interaction automatically. Turn off JavaScript for Twitter!

Update 2 (14:13 CEST): It is possible to load secondary JavaScript from an external URL with no user interaction, which makes this definitely wormable and dangerous.

Update 3 (14:24 CEST): Worm code for this vulnerability has been posted on IRC, making the rounds.

Update 4 (14:36 CEST): Worm is live already...

Update 5 (14:59 CEST): It appears Twitter now properly escapes links, that specific vulnerability seems closed.

Update on Infection Rates (posted by Costin): During the peak of the infection, we noticed roughly 100 posts per second which seemed to be related to the exploit. Thanks to Paul Roberts who pointed out a simple way of looking at the outbreak using Twitscoop:

The graph suggests 93 posts per second, which is not far from the peak we observed.

Although accurate numbers are hard to extrapolate from the existing data, the total number of malicious posts could have easily exceeded half a million.

Comment      Link

Research|Different x86 Bytecode Interpretations

Georg 'oxff' Wicherski
Kaspersky Lab Expert
Posted July 22, 16:17  GMT
Tags: Proof-of-Concept, Linux, x64

Working on an efficient generic shellcode detection engine and verifying results with randomly generated input, I've effectively ended up fuzzing different open source disassembler libraries. The disassembler library of choice for my current project is libdasm because of its comparatively long history and public domain license. But writing a sound and complete x86 disassembler is obviously not a trivial task due to the complex nature of the x86 instruction set.

libdasm used to have issues correctly disassembling certain floating point instructions in the past, but this was simply caused by an off-by-three error in the opcode lookup tables (three NULL rows missing) and thus the fix was comparatively easy.


Jose Nazario of Arbor Networks recently posted an analysis of Trojan.Heloag on their blog, mentioning that some observed behaviour might be related to Peer-to-Peer C&C functionality. However, Jose's analysis was dynamic only and thus he was not certain about this when I contacted him (also thanks to Alex Cox for sharing network traces of his honeypot). Being interested in Peer-to-Peer botnets (e.g. Stormfucker: Owning the Storm Botnet [MP4 Video]), I had to take a deeper look.

The Heloag binaries I've looked at (6ede527bb5aa65eae8049ac955b1018d dropped by d9b14a7bc0334458d99e666e553f0ee0) did not contain any Peer-to-Peer C&C functionality! Instead, the bot rather speaks a very simple protocol over TCP with the following command types supported (encoded as the first byte of the packet):

  1. DDoS another host using different techniques:
    • TCP DDoS, connect(..) based (does not send data)
    • UDP DDoS, sendto(..) based (sends some random data)
    • HTTP DDoS requesting / with User-Agent "helloAgent", InternetOpenUrlA based
    • HTTP DDoS crawling links from / with User-Agent "Google page"
  2. Download and execute an URL of up to 0xA4 bytes, zero-padded URL
  3. Send the current computer name
  4. Stop with the currently executing DDoS command
  5. Disconnect from current server and connect to new C&C server

Disassembly for function 4

This means that even though during dynamic analysis, multiple C&C servers were observed, it is just some kind of hand-over to another C&C server which can be used for load-balancing or renting out bots. Since there is always only one server, the bot is connected to at a time, this does not add a lot to take-down resilience (phew!).

Incidents|Is there really a Storm out there?

Georg 'oxff' Wicherski
Kaspersky Lab Expert
Posted April 30, 15:07  GMT

A new reincarnation of the infamous Storm Worm -- or Zhelatin as it is called by Kaspersky Lab - has been making the rounds in the news lately. Felix Leder, Mark Schlößer and Tillmann Werner have already posted an extensive analysis , where they conclude that the new samples spreading share about 66% of code with the original Storm worm. They were so kind to share detailed analysis results (their .idb for you technical folks) with me to look into this quickly and confirm their results.

The analysis shows that it seems to be only the spam and DDoS engines extracted from the original Zhelatin, surrounded by a HTTP C&C mechanism. The samples are calling back to one central command and control server (the IP is hardcoded at the end of the file) located in the Netherlands.

ShadowServer have already contacted the hoster for takedown, so this should be an easy threat to contain. Currently, we've seen only 139 detections for Trojan.Win32.Fraudload.apnh (our detection before that specific new threat) through our KLoud Security Network and therefore consider it a relatively moderate threat.

Number of detections of current Zhelatin

Geographical distribution of Zhelatin detections

comments      Link

As you've probably already heard, there's a dangerous vulnerability in Internet Explorer 6 & Internet Explorer 7 being exploited in the wild. The vulnerability affects Windows XP Service Pack 0 to Service Pack 3. Microsoft hasn't released a patch yet, but they have provided a work-around.

Some people have simply recommended turning off JavaScript to mitigate this issue. However this vulnerability is a trivial buffer overflow which makes it possible to overwrite the SEH handler. Thus, heap spraying is not required and turning off JavaScript only mitigates attacks from less skilled attackers. I put a bit of time into researching this -it very quickly became clear that this vulnerability doesn't rely on JavaScript, i.e. it can be exploited with JavaScript turned off:

The vulnerability allows arbitrary code execution and we therefore strongly recommend that you should apply the workaround from Microsoft's advisory or turn off ActiveX altogether. Otherwise you will be at risk of exploitation of Internet Explorer 6 and Internet Explorer 7.

We've added generic detection for the actual exploit as Exploit.Win32.Direktshow and the often accompanying JavaScript as Exploit.JS.Direktshow.

(08.07, 15.04: edited to correct typo in the Service Pack information.)

Comment      Link

Research|Watching the Kido/Conficker P2P Network

Georg 'oxff' Wicherski
Kaspersky Lab Expert
Posted April 15, 21:10  GMT
Tags: Botnets, Kido

While analysing Kido network behaviour we’ve been able to develop an application that helped us to get an in depth insight into the peer-to-peer network communications of the malware, which have been used to distribute updates over the last week. Over a 24 hour observation period, we’ve been able to identify 200652 unique IPs participating in the network, far less then initial estimated Kido infection counts.

This is mostly due to the fact that only the latest variants of Kido are participating in the peer-to-peer network and only a fraction of the nodes infected with earlier variants have been updated with new variants.

In terms of global distribution, we’re seeing the picture expected from initial infection counts. Brazil and Chile clearly stand out as regions in terms of peer counts:


As already reported by F-Secure earlier, criminals are using the Kido/ Conficker hype to bring their rogue Anti-Virus amongst the people. Their solution will sometimes display false alerts on clean systems and try to lure their victims into buying a fake cleaning program for $39.95 from them. Opposed to what they were claiming on remove-conficker.org (website already taken down), their solution fails to detect Kido: