We've just held the first European edition of our international student conference, IT Security for the Next Generation. Young researchers, masters and PhD students, professors and Kaspersky Lab experts all presented and discussed different issues relating to cybercrime at the beautiful University of East London.

I was involved as a member of the program committee and had to evaluate students' research reports and papers. To be honest, it wasn't an easy task to choose the best from so many different interesting topics: incidents caused by botnets, analysis of drive-by download attacks, measuring malware & spam, psychology of cybercrime, etc...

The event gave young IT professionals to attend lectures and workshops led by Kaspersky analysts and experts: my colleague, Denis Maslennikov made an interesting workshop about mobile malware, Georg Wicherski let participants into some of the basics of malware analysis, Eddy Willems talked about the human factor and security, and Sergey Golovanov revealed how he became a Kaspersky expert.

But the conference wasn't just about lectures and learning: we had two days full of fun, drive, meeting new people and great teambuilding, as well as surviving the English weather!

It's sad that the conference is over, but we'll be running more events like this on a regular basis around the world. And I'm sure that meetings like this inspire everyone to new challenges, new research, new opportunities, and that everyone who came is motivated to be with us on the light side!

Back in April we detected a program for smartphones running Symbian S60 2nd edition (not-a-virus:Porn-Dialer.SymbOS.Pornidal.a) which calls premium-pay numbers to get access to pornographic material.

Today we added detection for a new variant of the program – not-a-virus.Porn-Dialer.SymbOS.Pornidal.c. Just like its predecessor, this application can be harmful for two reasons:

• if you install software like this and don't pay attention to what you're doing, you won't know that the program will call premium-pay numbers;
• the program could be modified by cybercriminals to result in a clearly malicious program.

This new variant doesn't really differ that much from the previous one – it's also got a EULA – except that it works on devices running Symbian S60 3rd edition and has a digital signature.

Americans having been planning their Thanksgiving meal for a while, and the spammers haven't been idle.

They've not only been offering recipes:

but the ingredients for them too! Order a mass mailing, and get coupons for a free turkey! (What's kind of intriguing is that the mass mailing on offer is traditional, paper-based advertising, rather than the electronic kind.)

Geocities.com has been gone for a month now, and you'd have thought the spammers would be missing it. But one of the messages we got today shows that on the contrary, the spammers are looking forward to the future.

Here's the message we got today – with tomorrow's date on it. As most people configure their mail client to sort incoming messages by date, putting a future date on an email will ensure maximum visibility by putting it right at the top of the inbox.

At the moment I’m in Johannesburg, South Africa, talking at the opening of our local office about security and mitigation strategies.

Despite being a booming city, Johannesburg, tribute to its distant location from the information centers of the world, has remained somehow behind others in terms of internet connectivity. This may change very soon, though.

Source: Seacom HQ c/o Linda Carter

Meet Seacom. Seacom is a fiber optic network which connects a large part of the African continent with UK, France, Egypt, UAE and India. One of the interesting issues raised by some of the journalists during the past days is the link between cybercrime and Seacom.

National Anti-Bullying Week is kicking off in the UK today. This year the focus is on combating cyberbullying, with lots of resources for schools, a roadshow, and videos discussing the problem of bullying.

It’s great to see this issue being addressed - media reports and research show that with Facebook, MySpace, text messaging and other technologies now part of our daily lives, the problem of cyberbullying is becoming increasingly widespread.

There are lots of resources for kids, educators and parents out there: check out our Stop Cybercrime guide, which includes a section on how to help your children stay safe online.

Happy Friday 13th!

Friday 13th! If you're at all superstitious, today is bad news. But for those of us in the antivirus industry, Friday 13th is a special day.

It's not an officially recognized holiday, and of course we're not taking the day off: we're here 24/7/365. But Friday 13th is when we remember when and why the antivirus industry really started...

22 years ago, in October 1987, a new file virus which infected COM and EXE files was identified in Jerusalem. Like similar, earlier programs, it was able to self-replicate, but it also had an additional, malicious payload which triggered on Friday 13th: when an attempt was made to run any program, the program file would be deleted, and DOS would say that the file couldn't be found. This meant that any file called using the Exec function got deleted.

The virus spread widely (even though neither the Internet or email had really caught on at that stage) on disks which got passed around and BBS.
13th May 1998 was D-day: thousands of messages about the virus started pouring in from around the world, and particularly from the US, Europe, and the Middle East. Jerusalem had become one of the first MS-DOS viruses to cause a pandemic.

The virus had managed to spread unnoticed to thousands of computers: antivirus software wasn't commonly used, and lots of people simply didn't believe that computer viruses were real. And it was in the same year that Peter Norton, a guru of the computing world, said that computer viruses were an urban legend, comparing them to the crocodiles which supposedly live in the sewers of New York. (This bold statement didn't deter Symantec, however, from developing its own antivirus software – Norton Anti-Virus.)

It was a watershed: new companies developing antivirus software started appearing, most of them of the "two men and a dog" variety. The antivirus programs themselves were nothing more than the simplest scanners which used contextual search to detect unique strings of virus code. "Immunizers" were popular too; these modified programs so that malware would think the programs were already infected, and not "re-infect" them.

Jerusalem's malicious payload went beyond deleting files: dozens of other viruses appeared which also had payloads designed to trigger on Friday 13th. Not surprisingly, those in the computer world started to associate Friday 13th with viruses; some people thought it was safer not to switch a computer on when the fateful date cycled round, and some altered the date on their machines, to the 12th or the 14th. The virus writers picked up on this and started playing the same game, producing "Thursday 12th" and "Saturday 14th" viruses.

As for us – well, today we want to wish everyone in the antivirus industry a happy Friday 13th! Yes, we have our differences - in ideology, philosophy, opinion and market share. But let's remember what we have in common, and why we're in this game in the first place. If we can't do that – then what are we doing here?

We've been looking at the infrastructure of the Gumblar malware and found some curious facts on how Gumblar operates which we would like to share to make hosting owners aware of the Gumblar threat.

Analysis of some infected websites showed that the only way to inject the infection of Gumblar was by using FTP access, because those websites have no server-side scripting. Later this was proved by an analysis of FTP log files.

The malicious code injection in HTML pages (which is a simple insertion of <script> tag in every file having HTML) was done by downloading all files from the server that could have HTML, changing them and uploading back. We call the websites modified in this way “redirectors”, because they simply redirect browsers to the website spreading malware.

The injected script refers to another website hosting exploits and registering all attacked clients. These websites have to support php, because the backend is implemented in php. We call these websites infectors, because they host the exploits and malicious executable file for Windows. The malicious Windows executable is pushed when the attack is successful. The executable waits for the user to enter FTP credentials.

We've been able to find where the server code for redirectors and infectors websites was coming from. And we've found an additional tier of infrastructure - a set of compromised websites which we call “injectors”. These websites host a generic php backdoor which lets the owner execute any php code on the webserver.

The first patch Tuesday since the release of Windows 7 wasn’t as historic as last month – this time Microsoft released 6 patches addressing 15 vulnerabilities.

Today’s patches did not include a patch for Windows 7 but there is one for Vista. Could this be an indication of things to come or I should say not to come?

Four of today's patches address issues in pre-Win7 versions of Windows and Windows Server and the other two are for Office products. Three of the six patches are considered critical with the other half labeled important.

Microsoft considers MS09-065 the most critical of the bunch. This patch mitigates 3 vulnerabilites, one of which has been publicly disclosed. This patch prevents users running Windows 2000 SP4, XP SP2 and SP3 or Server 2003 SP2 from being exploited when visiting specifically crafted maliscious websites. If you are running Windows Vista or a more recent OS this is not critical and lowered to a severity rating of important as the impact is only Elevation of Privilege.

The other two updates included in this patch require the attacker to have valid logon credentials to successfully exploit.

MS09-063 affects Windows Vista and Windows Server 2008 and is for Web Services on Devices API (WSDAPI). This is the service that allows Windows clients to discover and access remote devices such as PDAs, cameras, printers and other devices. The vulnerability could allow remote code execution if an affected Windows system receives a specially crafted packet. The key here is that the attacker will need to be on the local subnet to exploit this vulnerability.

MS09-064 affects only Windows 2000 Server SP4 and addresses the License Logging Service (LLS) which is enabled by default. Microsoft suggests that administrators with Windows 2000 Servers on public facing networks should put this patch higher on the list in priority.

MS09-067 and MS09-068 are the Microsoft Office patches. In this case the exploit will only work with some user interaction, specifically if the user opens a malicious excel or word file. Because those of us who run Office 2003 or later are prompted to open, save or cancel before opening any files from emails, Microsoft lowered the severity and deployment priority.

I would like to point out here that if you don’t know who sent you the file or why they would have sent it, you might want to hold off on opening it.

Clearly it is too early to say Window 7 has been the improvement Microsoft says it is and over the next few months it should be interesting to see how things go for Win7.

As always I suggest downloading and installing the patches, but I would like to note that 4 out of the 6 patches will require a reboot so make sure to plan accordingly.

For more information on these patches please visit Microsoft’s blog.

If you're looking for Internet security software online, you'll see we're right up there in the ratings. And it seems that we're №1 with spammers too.

Out of the four major AV Security Conferences out there, that is, EICAR, The CARO Technical Workshop, Virus Bulletin, AVAR is the last throughout the year.

Its current edition started yesterday, in the ancient city of Kyoto, the imperial capital of Japan. The program features a number of prominent speakers, among them our very own Eugene Kaspersky and Stefan Tanase.

With current flu epidemics running around the world, we must salute the organizer's initiative to distribute masks together with the delegate packs. Here's the Kaspersky team, looking prepared for the worst:

From left to right: Costin, Stefan, Andrey, Aleks and Michael, with Nikita behind the lens.

Until the next time, sayonara from Kyoto, and have a good and germ-free weekend!

As expected, we can confirm more compromised machines. Our current count looks as follows:

7798    UNITED STATES
1765    INDIA
1332    ARGENTINA
1244    TURKEY
1094    RUSSIAN FEDERATION
1084    GERMANY
968      SPAIN
950      ISLAMIC REPUBLIC OF IRAN
881      REPUBLIC OF KOREA
878      MOROCCO
822      CANADA
815      PERU
792      JAPAN
712      THAILAND
689      AUSTRIA
678      ROMANIA
655      POLAND
654      ISRAEL
628      SWEDEN
599      ITALY

These numbers stand for unique hosts, some of them contain several user directories etc. which means that the real count is much higher than shown here. As mentioned before, each of these hosts are spreading a set of malicious files which are sent to a user depending on the computer's environment. We used the site www.virustotal.com to confirm current detection status of 41 AntiVirus Vendors who participate on that site. The result showed that currently only 3 out of 41 vendors detect the malicious *.php file which is injected at above locations. The malicious *.pdf file scored with 4/41 and the flash content was detected by 3 out of 41 vendors. However, the main executable payload was detected by 33 vendors. Of course, these malicious files can be changed at any time by the criminals who operate this scheme. We are closely monitoring further development in order to protect our users as fast as possible.