
Incidents|Cybercriminals go shopping

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted December 31, 10:21  GMT
Tags: Botnets

It's holiday time, and of course the bad guys know that shopping is a popular activity during this period, particularly in Europe and the US. And it's in these regions that most people pay for their purchases either using credit cards, or e-payment systems like PayPal, WebMoney etc.

In order to target this data, cybercriminals create "universal" malicious programs which intercept all financial data, whether it relates to credit cards, bank accounts, or e-payment systems.

A recent case shows this clearly: a botnet made up of several thousand machines was used to install Trojan.Win32.Vilsel.qhw on 972 victim machines, all of which are located in the US.

It seems likely that this botnet was rented specially in order to install this malware – a common practice in the cybercriminal world. There are plenty of places on the Internet which offer this "service", as the screenshot below shows. In order to deliver the Trojan to 972 machines in the US, the bad guys would have had to pay around $100.

So where's the profit in this? Well, the malware in question will intercept Internet transactions made using Internet Explorer and the new(ish) Chrome browser. That covers a huge percentage of Internet users, and because the malware targets a whole range of payment options, it won't make any difference if payment is made by credit card or PayPal – confidential data will still get logged and then sent onwards to the bad guys.

Additionally, once it's been run for the first time on the victim machine, this malware deletes its original file (to hide traces of infection); prevents access to Task Manager at system registry level, and also blocks Regedit, making it more difficult to manually check the system and identify and delete the malware.

According to VirusTotal, at the time of writing only 6/40 (15%) of antivirus vendors detected this threat, and a lot of the big names were among those missing.


Virus Watch|Trojan.Sejweek: a new variant

Denis
Kaspersky Lab Expert
Posted December 24, 12:17  GMT
Tags: Mobile Malware

I blogged a week ago about a Trojan for mobile devices called Sejweek. We've just detected a new version – what's changed in the course of a week?

First, the URL has changed: Sejweek.b (the latest variant) downloads an XML file from http://unique*****.com/*****/get.php, which is a different URL from the one used by the previous version.

Second, the XML file which the link leads to has been modified – now the file looks like this:

And third, although Sejweek still sends SMS messages to a short premium-pay number, it's now sending them to 7122 (a different number to that used by the previous variant), and each SMS costs $10.

The one thing that hasn't changed is that Sejweek will still send SMS messages every 11 seconds, so there'll still be a severe impact on your account balance. And finally, do be careful: Sejweek disguises itself as a whole range of applications, so don't download anything unless you're sure you know what you're getting.


Incidents|All about Brittany on Twitter

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted December 23, 07:47  GMT
Tags: Social Networks, Social Engineering

The day before yesterday, our industry colleagues wrote about how searches on "Brittany Murphy" using search engines brought up sites containing links to malware. So it's the usual situation, with the bad guys exploiting the death of a famous person, just like they did with Michael Jackson.

Yesterday we identified some Twitter accounts that are being used both to send "make money on the Internet" spam, and also to spread links to malware. In both cases, they used Brittany Murphy's name.

Here's a couple of examples:

The actual text of messages of this type can vary. What characterizes them is that the first link is genuine, i.e. it leads to a site which really does talk about the topic tweeted. The second link though, leads to standard spam advertising sites which tell you how to earn money on the Internet, offer various goods, etc.

Software|mwcollectd released

Magnus
Kaspersky Lab Expert
Posted December 22, 09:21  GMT
Tags: Antivirus Technologies

mwcollectd v4, a next-generation low-interaction malware collection honeypot, has just been released. It's written in C++, but the easy integration of additional Python modules means that malware researchers around the world can easily extend the honeypot with new protocols and features.

We're happy to be sponsoring this project, which was mainly developed by Georg Wicherski (one of our virus analysts in Germany) and Mark Schloesser, from RWTH Aachen University. It's published under the LGPL license. If you want to take a look at mwcollectd, it's here, and libemu, which is used by mwcollectd, is here.


Incidents|Crime time

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted December 22, 06:58  GMT
Tags: Social Networks, Social Engineering

Crime traditionally increases during the holiday season, and cybercrime is no different. The malware writers, spammers and scammers are out in force. They've recently hit "Odnoklassniki" with this message:

"Hi! I've got a New year surprise for you [emoticon] send 2133 279 (must be with a space) to 4460 and you'll be pleasantly surprised! If you don't take a look, I'll be very grouchy with you [emoticon]"

This message is clearly designed to make the bad guys a bit of holiday cash: an SMS sent to the number given in the message costs between $5 and $12, depending on the mobile service provider.

With similar messages going out on other social networks like VKontakte, Facebook and MySpace, the scammers could do nicely out of this one. And because the messages might come from friends or contacts who've had their accounts hijacked, it's easy to be fooled.

Enjoy the holidays, enjoy spending time with your family and friends, and enjoy the Internet – just be careful and keep safe!


Incidents|Facebook: money mule or credit card

Roel
Kaspersky Lab Expert
Posted December 21, 22:07  GMT
Tags: Social Networks, Social Engineering

I was just looking at Facebook to check for spam and scams when I found this:

I've blurred out a few things for privacy, and, most crucially, safety. The point of this post is the domain name. The spaces around the dot and the zero in "C0M" are just as they were in the original spam message. If spammers are going to the trouble to obfuscate their messages, it seems to show that Facebook's spam filters are having some effect. Malformed links mean that you have to make a serious effort to actually go and visit the spammer site. And consequently, if someone's going to go through all that trouble, they're more likely to buy into whatever scam is at the other end.
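As an added illustration (not code from the post or from Kaspersky), here is the kind of normalization a spam filter can apply to the obfuscation described: it finds domain-like tokens written with spaces around the dot or with look-alike digits in the TLD, reports the plain form, and leaves well-formed links and ordinary numbers alone. The sample messages, the small TLD allowlist and the 1/3 look-alike rows are constructed for this example.

```python
import re

# Constructed sample messages, modelled on the post's description of the spam:
# spaces around the dot and a zero standing in for the letter O in "C0M".
SAMPLES = [
    "cheap gifts here EXAMPLE-SHOP . C0M limited time",   # obfuscated (constructed)
    "see you at example.com tomorrow",                     # plain, well-formed link
    "price dropped from 10 . 50 to 9 . 99 today",          # numbers, must not match
]

# Digit-for-letter swaps to undo in the TLD. Only 0 -> o is on the page; 1 -> l
# and 3 -> e are added here as an assumption about other common look-alikes.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e"})

# ASSUMPTION: a short allowlist of TLDs; a real filter would load the full list.
KNOWN_TLDS = {"com", "net", "org", "info", "biz", "ru"}

# A label, optional whitespace, a dot, optional whitespace, a TLD-shaped token.
SPACED_DOMAIN = re.compile(r"\b([a-z0-9-]{2,63})\s*\.\s*([a-z0-9]{2,6})\b", re.I)


def find_obfuscated_domains(text):
    """Return one finding per token that only resolves to a known TLD after
    removing spacing and look-alike digits; well-formed links are ignored."""
    findings = []
    for m in SPACED_DOMAIN.finditer(text):
        raw, label, tld = m.group(0), m.group(1), m.group(2)
        tld_plain = tld.translate(HOMOGLYPHS).lower()
        if tld_plain not in KNOWN_TLDS:
            continue  # "10 . 50" and similar never get this far
        spaced = raw != f"{label}.{tld}"
        swapped = tld_plain != tld.lower()
        if spaced or swapped:
            findings.append({
                "raw": raw,
                "domain": f"{label.lower()}.{tld_plain}",
                "spaced": spaced,
                "digit_swapped": swapped,
            })
    return findings


def scan(messages):
    """Map each message to its findings; messages with none are dropped."""
    result = {}
    for msg in messages:
        hits = find_obfuscated_domains(msg)
        if hits:
            result[msg] = hits
    return result


if __name__ == "__main__":
    for msg, hits in scan(SAMPLES).items():
        print(msg, "->", hits)
```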

Opinions|The 12 scams of Christmas

David
Kaspersky Lab Expert
Posted December 21, 17:58  GMT
Tags: Spam Statistics

My colleague Tanya has just posted over on our Russian site about losses caused by Internet fraudsters in England and Wales. If you want to practice your Russian, hop over there, and take a look!

Even though we're a Russian company, we know that most people in the UK (including me!) prefer to get their news in English. So here's a few facts and figures:

In a recent statement, the Office of Fair Trading estimated that losses caused by Internet fraud amounted to £14 billion per year. That's a lot of money! It's also a lot of victims!

The OFT statement quotes research carried out by the University of Portsmouth, commissioned by ACPO (Association of Chief Police Officers) and NRA (National Fraud Authority):


  • 70,000 people fell victim to a single Nigerian e-mail scam
  • 38,000 people a year fall victim to fake prize draws
  • 10,000 people a year fall victim to investments scams
  • 14,000 people a year fall victim to fake lotteries

The report indicates that many people are reluctant to report fraud of this kind - because they're ashamed, embarrassed, angry or simply confused.

The first thing to remember is that you should be very, very wary of 'get-rich-quick' schemes: if something looks too good to be true, it almost certainly is! Please don't hand over money to complete strangers and avoid disclosing any personal information unless you know exactly who you're dealing with. The NRA gives a helpful list of the '12 scams of Christmas' so if you're in any doubt, check this list out.

If you do fall victim to an Internet scam, please do report it - you can do that here. Nobody's going to judge you - on the contrary, the more reports are made, the better we can quantify the threat! Remember, we can't begin to really manage the problem of Internet fraud and cybercrime unless we can measure it effectively.


Opinions|Last minute shopping - keep safe!

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted December 18, 11:53  GMT
Tags: Trainings

The holidays are nearly here! If you're still searching for the final perfect present, and are thinking of buying online, here's a few practical tips to help keep your last-minute purchases secure:


  1. Keep your Internet Security solution updated, not just to the day but to the hour! We release frequent updates to make sure you're protected from the very newest malware. Scan your system before you start shopping.

  2. Don't forget to use our Kaspersky Virtual Keyboard which is integrated in Kaspersky Internet Security products for all your online transactions, especially when you’re asked to input any personal data like your names, numbers (credit card, pin, date of birth, zip code, etc) or address.

    Using the virtual keyboard prevents Trojans from stealing information which you enter via the keyboard or other input device.

  3. Don’t shop from public WiFi networks which aren't secured using WPA2. These networks can be easily hijacked by cybercriminals, and your sensitive financial data could be compromised.

  4. Make sure your system is up-to-date! You should make it a habit to download and install updates not just for your operating system but also for third party applications like:


    • Browsers like IE, Firefox, Opera, Safari, Google Chrome or any other you use
    • Adobe Systems applications.
    • Media players like RealPlayer, Winamp, etc.


    You can use the Kaspersky Vulnerability Scan integrated in Kaspersky Internet Security product to check your system for vulnerabilities.

  5. Check that the sites you shop on are secure! A secure online shopping site will have a valid digital certificate, which is used to encrypt and secure your online transaction, and it will show a closed padlock icon at the bottom or the top of your browser.

    The address bar should have an ‘https’ string before the page address.

    Remember - NEVER shop on a page which doesn’t have ‘https’ in the address bar, or if the padlock is open or broken, or if you get a warning regarding the digital certificate of the page you’re on!


Wishing you safe online shopping and happy holidays!


Opinions|Where will real-time search take us?

Roel
Kaspersky Lab Expert
Posted December 17, 20:27  GMT
Tags: Social Networks, Search Engines

As you've most probably read by now, search engine providers have been working on providing so-called real-time search results. These results include queries to, for instance, Facebook, Twitter and Myspace.

We may not all realize this, but we have just turned yet another technological corner. Everyone will have exponentially more and faster access to personal information now including data from social networks. Everyone naturally includes cybercriminals.

In my opinion, cybercriminals now have a great new opportunity to combine two major threat vectors - Black Hat Search Engine Optimization and social networks. Now turnaround will be faster and more people will see the malicious links created by black hat SEO – something search engines have already failed to control.

This is important, because to date attacks via social networking sites aren't yet as prevalent or sophisticated as they could be. The gang behind Koobface has recently stepped up their game but overall isn't really technically advanced. In fact, from where I sit, the development of malware that's targeting social networks is really reminiscent of that of IM-Worms some years back. It's the same situation: your friend's compromised account is used to persuade you to click on a malicious URL. So we'll probably soon see the social engineering approaches used to spread social networking threats following a similar evolutionary path.

I'm also concerned about how real time search results will affect our online privacy.

Clearly, it's no coincidence that Facebook introduced their new set of privacy guidelines just days before Google introduced real time search. The recommended Facebook settings - which surely will be used by the vast majority of the Facebook community - put a lot of information into the public and semi-public domains.

Yes, this approach will definitely make real time search results more effective. But I definitely think that the recommended settings expose too much PII.

What does this hold for the future? I'm convinced that real time search is just in its infancy. I'm positive that soon enough search engine providers will offer everyone the opportunity to use real time search with their Facebook/Twitter/MySpace/etc. credentials. This would then allow people to more effectively crawl what their friends - or friends of friends - are up to. An opportunity that the cyber criminals will surely not let go to waste.


Virus Watch|Trojan-SMS.WinCE.Sejweek

Denis
Kaspersky Lab Expert
Posted December 17, 16:58  GMT
Tags: Mobile Malware

New programs targeting mobile devices rarely hit the headlines anymore; we've got used to smartphone malware. But occasionally something comes along that stands out a bit: right now, it's Trojan-SMS.WinCE.Sejweek.a, a new program designed to send SMS messages from an infected device. What makes it different from other SMS Trojans? Let's take a look.

Most malware which sends SMS messages to premium-rate numbers uses a number and a message text that are hard-coded into the malware itself. Sejweek is a bit different though – when run, the Trojan tries to download an XML file to the smartphone from http://today*******.cn/*****/*****/get.php. At the time of writing, the file looked like this:



This file contains the premium-rate number (surrounded by the <phone> tag); the SMS text (<text>); and how long should elapse between each SMS message being sent (<interval>). Putting the number in a separate file, rather than in the malware itself, makes it easy to change the number if the first one gets blocked, extending the whole money-making cycle and maximizing profits.

If the XML file gets downloaded correctly, the malware decrypts "YGLYGLMKTYGL" and "YGLYGL" (i.e. the number SMSs get sent to, and the time between SMSs) and gets "1151" and "11". In other words, messages saying 60*** are sent to the 1151 premium-rate number with an interval of 11 seconds between messages. With one SMS sent to 1151 costing around 40 roubles (a bit over $1) owners of infected devices will quickly start counting their losses!
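A small analyst helper for the config format described in this post and in the Sejweek.b follow-up, added here as an example and not code from the posts: it parses a constructed XML file of the shape named above (<phone>, <text>, <interval>), decodes the letter-group values, and turns the interval and per-SMS price into an estimated loss. It assumes, from the two strings quoted above, that each three-letter group stands for one digit; only the groups visible on the page (YGL → 1, MKT → 5) are known, and any other group is reported rather than guessed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the tags the post names. The encoded values are
# the two strings quoted in the post; the SMS text is shown there as "60***".
SAMPLE_XML = """<?xml version="1.0"?>
<config>
  <phone>YGLYGLMKTYGL</phone>
  <text>60***</text>
  <interval>YGLYGL</interval>
</config>
"""

# ASSUMPTION: every three-letter group encodes one digit. Only the two groups that
# appear on the page are known; anything else is flagged, not guessed.
GROUP_LEN = 3
KNOWN_GROUPS = {"YGL": "1", "MKT": "5"}


def decode_groups(encoded):
    """Return (decoded_string, set_of_unknown_groups); unknown groups decode to '?'."""
    if len(encoded) % GROUP_LEN:
        raise ValueError(f"{encoded!r}: length is not a multiple of {GROUP_LEN}")
    digits, unknown = [], set()
    for i in range(0, len(encoded), GROUP_LEN):
        grp = encoded[i:i + GROUP_LEN]
        if grp in KNOWN_GROUPS:
            digits.append(KNOWN_GROUPS[grp])
        else:
            digits.append("?")
            unknown.add(grp)
    return "".join(digits), unknown


def parse_config(xml_text):
    """Extract and decode the three fields; fail loudly if the file is malformed."""
    root = ET.fromstring(xml_text)
    fields = {}
    for tag in ("phone", "text", "interval"):
        el = root.find(tag)
        if el is None or not (el.text or "").strip():
            raise ValueError(f"missing or empty <{tag}> element")
        fields[tag] = el.text.strip()
    number, unk_num = decode_groups(fields["phone"])
    interval, unk_int = decode_groups(fields["interval"])
    return {
        "number": number,
        "text": fields["text"],
        # Seconds between messages, or None if a group could not be decoded.
        "interval_s": int(interval) if interval.isdigit() else None,
        "unknown_groups": unk_num | unk_int,
    }


def estimated_loss(interval_s, price_per_sms, minutes):
    """(messages sent, total cost) over `minutes` with one SMS every interval_s seconds."""
    sent = (minutes * 60) // interval_s
    return sent, sent * price_per_sms


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_XML)
    print(cfg)
    # 40 roubles per SMS (the post's figure), over one hour of infection.
    print(estimated_loss(cfg["interval_s"], 40, 60))
```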


Spam Test|The return of mp3 spam

Natalia Zablotskaya
Kaspersky Lab Expert
Posted December 17, 13:54  GMT
Tags: Spammer techniques

We've just detected a wave of mp3 spam. There aren't any links in the message: all the information is in the audio file attached to the message.

Play the file, and you get 4 seconds of a female voice giving a web address for Viagra and similar medications. In the background there are passionate sighs and groans (presumably to persuade you that by purchasing Viagra, you'll reach unparalleled heights of bliss!)

Just in case you can't make out what the woman's saying, the key words 'CHEAP VIAGRA' and the site address are included in the name of the track.

Spam in mp3 format first appeared in autumn 2007, pushing pump and dump shares. Audio spam never took off because of a whole range of limitations such as the large file size, and the poor quality of the recordings. Today's mailing, though, shows that spammers are having another go at using this technique to push their goods and services.


Incidents|Rogue AV raising the stakes

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted December 16, 21:41  GMT
Tags: Rogue Security Solutions

A couple of months ago I blogged about how the creators of rogue AV solutions are keeping a close eye on developments in the antivirus market. And my colleague Vyacheslav recently wrote a whole article about rogue AV which highlighted, among other things, the huge increase in this type of malware.

Last week I looked at some samples which showed that the bad guys behind this stuff are ratcheting their efforts up a notch. Here's the GUI of Trojan.Win32.FraudPack.acji:

And here's the product it's imitating:

There are two points which attracted my attention:

  • The interface of the rogue AV is a very close copy of the genuine solution
  • The logo isn't the same, but the rogue incorporates the Windows Security Center logo, and reinforces the perception that it's a genuine product by using the name of a legitimate free AV solution.

In other words, the rogue AV guys are getting closer and closer to creating exact copies of real AV solutions, at least in terms of the GUI. This makes it much more difficult to determine at a glance whether or not a solution is rogue, for novices and more experienced users alike.

This example shows that maybe we're not so far from the time when rogue AV solutions will visually be exact copies of legitimate security software. And with the FBI estimating losses caused by scareware at around $150 million, the stakes are getting higher all the time.


Incidents|AV thinks globally, acts locally

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted December 14, 21:50  GMT
Tags: Malware Technologies, Targeted Attacks

There's a lot of talk these days about how important it is to act locally: use local services, and you'll need your car less, buy local produce, and you'll support small businesses. All of which is good for the environment.

Even though the AV world might not seem to be connected to the physical world, it's just as important for us in the industry to act locally. For instance, in a case last week, we noticed that Brazilian virus writers are moving on up. Until recently, they've been sending the same piece of spam containing links to the same malicious file regardless of which country the victim was in. But now they've started to differentiate, and they're targeting their mailings (and consequently their malware) on a country-by-country basis.

This screenshot comes from one such mailing:

Look at the addresses, and you can guess that this mailing is targeting victims based in Ecuador. As for 'international' addresses like hotmail.com, the bad guys can easily work out which country the owner of the address is in. They just send a simple "POST" request to a remote web server running a PHP script which uses GeoIP functions, e.g. server.com POST/ln.php.

The way in which the bad guys steal these email addresses is pretty simple: by launching code on victim machines which reads addresses from the email client database. For example, if the victim is using Outlook Express, then the .wab file gets read.

This latest move demonstrates that Brazilian virus writers and cybercriminals are looking to break new boundaries by sending out malware tailored to specific countries. In doing this, they reduce the chances of their malware falling into the hands of antivirus vendors who don't have a local presence. In the case of the message above, 2 days after we intercepted it only 9 out of 41 vendors (or 21.96%) were flagged by Virustotal as detecting it.

Just goes to show that thinking globally and acting locally isn't just about keeping our physical environment clean and secure, but our digital one as well.


News|2009: the final Patch Tuesday

Bo
Kaspersky Lab Expert
Posted December 09, 08:50  GMT
Tags: Microsoft Windows, Microsoft Internet Explorer

This month Microsoft released 6 bulletins to plug 12 vulnerabilities in Windows, Internet Explorer (IE) and Microsoft Office products. Three of them are rated Critical and the other three Important. These bulletins affect all supported versions of Windows and IE; regarding Office the bulletins impact Project, Word and Works 8.5. The other important piece of information is that all of the updates require a reboot so plan accordingly.

MS09-072 covers Security Advisory 977981 (HTML Object Memory Corruption). Because the vulnerability was publicly disclosed and affects IE 6 and IE 7, Microsoft put this at the top of the priority list. It's the only bulletin that has both a Critical severity rating and the maximum Exploitability rating. Users running IE 8 on any version of Windows, and IE 5.01 on Windows 2000, are not affected by this vulnerability. With that said, how many people are still running IE 5.01 on their systems? I'd like to think that sometime in the last 8 years most, if not everyone, has updated their systems.

MS09-070 resolves two reported vulnerabilities in Windows which can be triggered by a maliciously crafted HTTP request to an ADFS-enabled Web server. However, for the attack to be effective valid logon credentials are needed; because of this, Microsoft placed this lower on the deployment list. This patch is for any machine running Windows Server 2003 32-bit and x64 Edition, Windows Server 2008 and Windows Server 2008 x64 Edition.

MS09-071 addresses vulnerabilities in Internet Authentication Service where, if a message is copied incorrectly into memory when handling PEAP authentication attempts, it could allow compromise. This security update is rated Critical for Windows Server 2008 for 32-bit Systems Service Pack 2 and Windows Server 2008 for x64-based Systems Service Pack 2; for other versions of Windows the rating drops to either Important or Moderate. However, those running Windows 7 or Server 2008 R2 x64 or Itanium versions are not affected.

MS09-073 patches a vulnerability in Microsoft's WordPad and Office text converters. For users to be affected by this they would need to open a malicious Word 97 file in either WordPad or MS Word. This security update is rated Important for WordPad on all supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003. It's also rated Important for all supported editions of Microsoft Office Word 2002 and Microsoft Office Word 2003, Microsoft Office Converter Pack, and Microsoft Works 8.5. This does not affect Vista SP1, SP2 32-bit or x64, Windows 7 32-bit or x64, Server 2008 R2 x64 or Itanium versions of Windows.

MS09-074 covers a vulnerability in Microsoft Project where, if a user opens a maliciously crafted project file, the attacker can get complete control of the affected system. This has a Critical rating for MS Project 2000 SP1 and an Important rating for MS Project 2002 SP1 and MS Project 2003 SP3.

MS09-069 fixes a vulnerability in the Local Security Authority Subsystem Service (LSASS) that could allow a denial of service (DoS) attack. For this to take place the attacker would have to send ISAKMP messages to the LSASS communicating through Internet Protocol security (IPsec). This is rated Important for all supported versions of Windows 2000, Windows XP and Windows Server 2003.

I also want to highlight the rerelease of MS08-037. This addresses the vulnerability in both DNS client and DNS server that could allow spoofing. This is for Microsoft Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2008. For Windows 2000 users, if you've downloaded and installed this already, you need to install it again to be completely updated.

As I always say, no matter what the severity rating from Microsoft you should download and install all the updates needed for your system.

For more detailed information, take a look at the Microsoft blog about these updates.


Events|Patching our children

David
Kaspersky Lab Expert
Posted December 08, 08:39  GMT
Tags: Campaigns

Today the UK Council on Child Internet Safety [UKCCIS] is launching its Child Internet Safety Strategy. The strategy is designed to encourage children not to disclose personal information, to block unwanted messages on social networks and to report inappropriate behaviour.

As part of the strategy, Internet safety will be made a compulsory part of the National Curriculum for children aged five upwards. There will also be a new digital code for Internet safety.

UKCCIS is also launching its 'Click Clever, Click Safe' public awareness campaign.

It's good to see government lending some weight to the education of young people. Cybercriminals so often try to exploit human weaknesses. And I believe that finding ways to 'patch' our human resources is every bit as important as securing our computing devices. Education isn't a quick fix. It's a bit like housework - we know it's essential if we want to live comfortably, and we know that it has to be done regularly. And exactly the same goes for education throughout our lives.


Spam Test|You get what you deserve

Maria
Kaspersky Lab Expert
Posted December 04, 13:46  GMT
Tags: Spam Letters

Are you one of those people who's always wondering what other people are talking about, or why the person in the cubicle next to you always takes certain phone calls in a whisper, or who your partner is sending emails to late at night? Call it curiosity, call it nosiness, call it paranoia: whatever you call it, there are plenty of people like this around.

Recently the bad guys showed us yet again how aware they are of human psychology, and how ready they are to exploit any and all human weaknesses.

This piece of Russian spam offers the curious, the nosy, or the paranoid the opportunity to read other people's messages sent via Russian social networking sites, a range of web mail services, and ICQ. How? By brute-forcing their account passwords.

Research|Gumblar infection count

Michael
Kaspersky Lab Expert
Posted December 04, 06:23  GMT
Tags: Gumblar

We've now analyzed more than 600 MB of collected data related to the recent resurrection of the Gumblar threat. Overall, we've identified 2000+ Infectors (computers hosting the malicious *.php files and payload) and 76100+ 'Redirectors' (computers with links leading back to the malicious sites). Most Infectors are also part of the group of Redirectors: they serve one *.php file and additionally contain the link to another Infector in their own entry page.

(If you're interested in the structure of the Gumblar threat, my colleague Vitaly gives more details here)

Comparing the stats below with those from a month ago, you can see how the threat has spread and evolved. These latest numbers are a snapshot of November 30th and are continuing to increase steadily.
