In January we published the first of our malware wallpaper calendars. Here's the latest wallpaper.

1280x800 | 1680x1050 | 1920x1200 | 2560x1600

Hopefully you'll find it eye-catching and it gives you the chance to see at-a-glance some of the significant malware-related events from the past.

TV Series such as “The Simpsons” are hugely popular and have hundreds of thousands of fans around the world. Unlike “Southpark” - another hugely popular series - not all of them are freely available on the web though. As such, there is a high demand on the web for such episodes and as usually happens, scam tactics appear around them. Here’s one such example that we have seen recently on the popular website Dailymotion:

Over the last few days, we received numerous reports of computers infected with fake anti-virus (scareware). The name of this particular culprit is Antivirus 8.

The interesting thing about these cases is that the users were getting fake anti-virus browser pop ups while not actively using the computer. During our research we noticed that these pop-ups would appear right when ICQ was fetching/displaying new ads.

I installed ICQ and noticed the following after letting it run for a couple of minutes to fetch ads:

This page is hosted on [snip]charlotterusse.eu.

Going by the added iframe, it looks like this store's ad server was hacked, right? Not quite. I did some digging around and found that none of these servers - other than charlotterusse.com - are actually related to this brand of clothing.

This means that somebody went through the trouble of pretending to be this store. This is done to make sure the ad distributor will actually run the campaign, as these distributors frequently get approached by fraudsters.

However, what makes this case particularly interesting is that the bad guys make it seem like their server got hacked. By making it look like their server got compromised, the criminals can claim it isn't them who's responsible for distributing the malware. But rather someone else who hacked their server to spread malware. The ad distributor is very likely to simply give them a warning, which gives these criminals at least one more shot at infecting more machines.

This is another example of how trusted programs can be a used to attack computers. It goes to show that anti-malware protection is needed no matter what the circumstance.

We've sent a notification to yieldmanager, who is the ad distributor in this case. We've not heard back from them at the time of writing.

Kaspersky Security Network is an integral part of Kaspersky Lab technology. With its ‘cloud’ architecture KSN automatically detects and blocks unknown malware and infected/dangerous websites, filters spam, protects children from unwanted content and lots more. Our aim is for users to always have as full a picture as possible of the current threat landscape around the world. That’s why we have come up with the Irida screensaver. It displays statistics about the latest threats that have been detected and blocked using KSN and is updated every 12 hours.

Install our screensaver and discover the full potential of Kaspersky Security Network! Download at: http://irida.kasperskyclub.com/scr.zip

A new Twitter worm is spreading fast, using the “goo.gl” URL shortening service to distribute malicious links.

The malicious links go through a number of redirections which are described below. The redirection chain may push Twitter users to a fake anti-virus (scareware) serving the “Security Shield” Rogue AV. The webpage is using exactly the same obfuscation techniques as a previous version (Security Tool), which is an implementation of RSA cryptography in JavaScript to obfuscate the page code.

Our users are protected from this worm and all the URLS are being blacklisted in our products.

Here are some of the technical details:

1. Redirection Chains

   Those “goo.gl” links are redirecting users to different domains with a “m28sx.html” page:

   

   This html page will then redirects users to a static domain with a Ukrainian top level domain:
   

   

   As if that was not enough, this domain redirects the user to another IP address which is related to Fake Anti Virus distribution:

   

   This IP address will then do its final redirection job, which leads to the Fake AV website:

   

At the end of 2010 I noticed a big wave of recruitment spam for money mule work. Initially, the criminals used spam sent from hacked email accounts. I even got some messages like this from people I know personally:

Right after that, to speed-up the recruitment process, the messages came via Windows Live Messenger (aka MSN):

And of course, the criminals also used legitimate accounts that had been hacked to spread their messages. Finally, right before the end of the year I saw a big campaign on Facebook, especially targeting Spanish speaking communities. But yesterday I was completely surprised when I found an advertising banner on a legitimate IT site leading to the same page – money mule recruitment.

All these developments make think there is a huge demand on the black market for money mule workers. The criminals seem to have enough stolen information like credit card PINs, as well as details for online banking accounts and payment systems. Their problem now is how to launder the money they have made. Our statistics confirm there is a clear growth in Trojan-Spy malware able to steal any kind of personal information. This includes well known Trojans like Zbot (Zeus) or SpyEye.

It’s worth remembering that money mule activity is considered illegal. Basically, if nobody wanted to launder their money, cybercriminals would find it much harder to make money from stolen account details. Everyone can contribute in their own way to the global security, not just AV and other Security companies.

Programs for cracking commercial software are, sadly, not unpopular. They have also caught the attention of malware writers, who prepared a couple of surprises for those who don’t mind a free ride every now and then.

A short time ago, we detected a Trojan dropper which passes itself off as a key generator for Kaspersky Lab products. The file’s name is kaspersky.exe.

Once launched, the file displays a key generator window prompting the user to select a product. After one of the options is selected, the program proceeds to generate a key.

Keygen window

While the freebie lover is waiting for the result, two pieces of malware that were stealthily installed and launched by the dropper make themselves at home on the PC.

One of these is detected by Kaspersky Lab as Trojan.MSIL.Agent.aor. It steals registration data for other programs, as well as passwords, mostly for online games. It rather considerately stores all the stolen data in one file. A fragment of the file is shown on the screenshot below.

Cybercriminals like to register domain names that are very similar to actual, well known domain names but with one or more letters changed. In many cases a potential victim will mistype a letter and in this way arrives at a fake Web site instead of the original one.

Here is just one example of this: a copy of the official Russian Web page of Kaspersky. The criminals added just one small line inside of the ‘downloads’ tab promoting a fake download for a free, one year copy of Kaspersky Internet Security 2011.

Instead of KIS 2011 the victim gets malware. This is ransomware which, after the installation, forces a reboot of your PC. Upon completing the reboot the malware shows a fake message that you’ve won a prize of a Samsung Galaxy S cellphone for just 1200 rubles (40 USD)! To claim this prize, you should pay via SMS text or, optionally through one of the popular on-line payments systems in Russia.

Kaspersky Anti-Virus detects this threat as Trojan-Ransom.MSIL.FakeInstaller.e In the time of writing of this blogpost the malicious site was still on-line and also detected by Kaspersky Internet Security Web Anti-Virus as a fraudulent one.

What happens when all of your personal data is readily available for use by a cybercriminal?

Last November we published a blog talking about Brazilian phishing attacks that displayed the victims’ CPF numbers - the Natural Persons Register, the equivalent of a Social Security Number used by the Brazilian government to identify each citizen. A CPF is the most important document a Brazilian citizen possesses. It’s a prerequisite for a series of tasks like opening bank accounts, getting or renewing a driver’s license, buying or selling real estate, receiving loans, applying for jobs (especially public ones), getting a passport or credit cards, etc.

But this incident was just the tip of the iceberg.

Due to our constant monitoring of malicious activities, we found some bad guys offering access to a complete database of all Brazilian citizens that have a CPF – all you need to do is contact a number and the system will bring you the complete personal data of a potential victim. The database is complete and contains data about every Brazilian, including myself.

The search results display your full name, date of birth, address, filiations, city, zip code, etc – all easily available to a cybercriminal.

We found 3 mirrors of this website offering this kind of ‘service’ to Brazilian bad guys – it’s a service that we call C2C (cybercriminals to cybercriminals).

Using such data it is possible for a cybercriminal to impersonate a victim and steal their identity in order to access resources or obtain credit and other benefits in that person's name. Another example of malicious use involves Internet banking access – if you are performing an online operation, your bank will probably ask for some personal information to confirm your identity. Having access to this information provides the cybercriminals with the first step towards a targeted attack using your data.

You are probably wondering how the cybercriminals obtained this kind of information. Basically, it occurred through incidents of data leakage – not only from governmental departments, but via e-commerce and other corporate entities that have had their databases attacked and their data stolen, too.

Nowadays, we see that the problem of protecting private information is not just confined to users, but applies equally to governments and corporations alike. Brazil isn’t the only country in the world facing such problems either. Over the course of time, governmental and corporate databases in many other nations have reported similar instances of sensitive information about citizens or employees being leaked.

The Brazilian authorities are currently investigating this incident.

Last week I got the chance to drop by the IIT campus in Mumbai, India, for the Techfest 2011 conference.

This was a great opportunity to meet some of the world’s brightest students and to listen to some very interesting lectures from people such as Richard Stallman – who needs no introduction, William Baker – the structural engineer for the famous Burj Khalifa, KS Pua – the inventor of the pen drive, or Jaap Haartsen, the engineer who developed the Bluetooth specification. For a full lineup of the speakers, you can go here: http://www.techfest.org/lectures/

Today my colleague Jorge Mieres found some interesting information related to the new HLux botnet.

This new worm is propagating via e-mail with a backboned administration through a crimeware pack called BOMBA. The scam messages come with a message to a fake eCard requiring installing Flash Player (an old scammers trick).

 
After the infection, the newly installed malware downloads a malicious update which is detected by Kaspersky as Email-Worm.Win32.Hlux.c and establishes a connection with BOMBA’s server reporting statistics about the infection.

 
Our statistics for Jan 5 show countries with the highest infection attempts are the U.S., Germany and the U.K.
 

We’ll keep researching this issue and will keep you updated.

A new year has broken - a new peer-to-peer botnet is on the rise. It shares some commonalities with the infamous Waledac bot that was taken down in a exemplary effort by Microsoft early last year. Although this new bot has a different code base, it uses the same spreading strategy and also seems to maintain a multi-relay (or peer-to-peer) infrastructure just like its predecessor. Our friends over at ShadowServer have posted an excellent blog entry about this new threat and how it relates to earlier bots.

We are currently analyzing the new family and can confirm peer-to-peer-like behavior. When started, the bot loads a list of 20 hard-coded peers. Each entry contains a unique ID, the peer's IP address and a TCP port it is listening on: