
Spam Test|Royal spam

Maria Rubinstein
Kaspersky Lab Expert
Posted April 29, 15:14  GMT
Tags: Spam Letters, Social Engineering

The wedding of Kate Middleton and Prince William is by far the most popular topic of conversation today. It’s virtually impossible to look at a newspaper or a blog without seeing some mention of the royal newlyweds. And now we are getting in on the act.

And it’s not because we here at Kaspersky Lab take a major interest in the private lives of the British royals. But spammers obviously do – take a look at the offer we received today:

Yes, fake Swiss watches and iPads are so passé – what you need is a replica of Kate Middleton’s engagement ring, originally given to Lady Diana by William’s father Prince Charles. The spammers claim you now have the chance to “own a piece of British royal history”. This royal family heirloom also comes complete with a “certificate of authenticity”.


Incidents|Playstation data for sale?

David Jacoby
Kaspersky Lab Expert
Posted April 29, 14:10  GMT
Tags: Sony, Gaming Consoles

In the past few days we have read about how the PlayStation Network was hacked and very sensitive information, including credit card data, was stolen. We are now seeing more activity in the underground community. According to a forum post at PSX-scene, rumors are spreading that the stolen information also includes the CVV2 numbers. A user on the underground forum Darkode claims that the format of the stolen data is: fname, lnam, address, zip, country, phone, email, password, dob, ccnum, CVV2, exp date

But in a statement on the PlayStation blog, Sony writes that the hacker does not have access to the CVV2 code. The statement follows:

“Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

The question is who is correct?

I would recommend everyone with a PSN account to request a new card from their bank, and if you use the same password for Facebook, MSN, email or forums that you used on the PSN, I would recommend that you change it on those other sites.

Project|Malware Calendar Wallpaper for May 2011

David
Kaspersky Lab Expert
Posted April 29, 08:53  GMT
Tags: History of Malware

Here's the latest of our malware wallpaper calendars.


1280x800 | 1680x1050 | 1920x1200 | 2560x1600

One of this month's highlighted malware incidents is the Morris worm. This worm was released on 2 November 1988 and by the following day was causing major problems for computers on the Internet. This would be nothing out of the ordinary in today's world. But it certainly was then. The worm quickly infected about 10 per cent of all computers connected to the Internet and, due to a programming error, made them unstable. Of course, in 1988 the Internet was made up of only 6,000 or so computers - it was an esoteric system used almost exclusively by government and academic institutions. So the Internet worm’s time had not yet come. But even so, the Morris worm was one of the first warnings of the importance of applying security patches in a timely fashion.


This news instantly became very lucrative for all kinds of cybercriminals. Here is some of the evidence we found:

1) SEO-poisoned Google image search results leading to a malicious site hosting an exploit for the “Help Center URL Validation Vulnerability”. The exploit drops a malicious executable onto the system: a password-stealing Trojan.

When we found it, Kaspersky Anti-Virus detected the sample heuristically as Heur.Trojan.Win32, while the Jotti multiscanner results were 1/20.

The exploit also works against the Opera and Firefox browsers, dropping a malicious PDF file onto the system:

2) SEO poisoning aimed at all non-Russian Google users, leading to rogue AVs, in particular “XP Anti-Virus 2011”, which is quite aggressive in blocking Internet access and extorting money for “activation”:

(Note: the third option does not allow browsing either.)

The infection scheme is quite simple: the victim searches for pictures on the topic “Royal Wedding”, and when the click arrives with a Google referrer, a special malicious script redirects the victim to a malicious .cc domain showing a classic fake AV window.

3) Scams involving a fake satellite TV service for which the victim is asked to pay. And of course, the credit card details are stolen once the payment is submitted.

4) Spam on Twitter that simply abuses trending topics (TT) and leads to miscellaneous junk content sites.

We highly recommend using the latest patched browser with a plugin like NoScript, not clicking on any unknown links, and keeping your AV updated with real-time protection enabled.
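The referrer-based redirect described in item 2 is a form of cloaking: the same URL answers harmlessly to a direct visit and with a redirect to the fake AV domain only when the request arrives from a Google search. The probe below is an added example, not code from the original post or from Kaspersky Lab: it fetches a URL twice, with and without a Google image-search Referer, and reports whether the answers differ and whether the redirect lands on a .cc domain. The simulated server, its redirect logic and the host names (`scan-alert.example.cc`, `photos.example.net`) are constructed for the example; `urllib_fetch` is the drop-in for a live check.

```python
"""Probe a URL for referrer-based cloaking (added example, not the post's own code)."""
import re
import urllib.error
import urllib.request

# Response shape used throughout: (status_code, headers_dict, body_bytes)
FAKEAV_HOST = "scan-alert.example.cc"   # constructed stand-in for a .cc fake-AV landing domain


def cloaked_server(url, headers):
    """Simulated malicious redirect script (an assumption about its logic).

    Mirrors the behaviour described in the post: a Google image-search referrer
    triggers a 302 to the fake-AV domain; anyone else gets a bland page.
    """
    referer = headers.get("Referer", "")
    if re.search(r"https?://(www\.)?google\.[a-z.]+/(images|imgres|search)", referer):
        return 302, {"Location": f"http://{FAKEAV_HOST}/scan.php"}, b""
    return 200, {"Content-Type": "text/html"}, b"<html><body>Royal wedding photos</body></html>"


def urllib_fetch(url, headers, timeout=10):
    """Real fetcher for live use: same (status, headers, body) shape, redirects NOT followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None   # turn every 3xx into an HTTPError we catch below

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read()


def probe_cloaking(fetch, url):
    """Fetch `url` twice via fetch(url, headers) and report whether the site cloaks."""
    ua = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
    plain = fetch(url, {"User-Agent": ua})
    from_google = fetch(url, {
        "User-Agent": ua,
        "Referer": "http://www.google.com/imgres?q=royal+wedding",   # constructed referrer
    })
    verdict = {
        "url": url,
        "plain_status": plain[0],
        "referred_status": from_google[0],
        "redirect_target": from_google[1].get("Location"),
        "cloaked": False,
    }
    # Cloaking: the referred request gets a different status or a different body.
    if plain[0] != from_google[0] or plain[2] != from_google[2]:
        verdict["cloaked"] = True
    target = verdict["redirect_target"] or ""
    # Flag redirects whose host ends in .cc, the TLD named in the post.
    verdict["suspicious_tld"] = bool(re.search(r"^https?://[^/]+\.cc(?:[/:]|$)", target))
    return verdict


if __name__ == "__main__":
    # Offline demo against the simulated server; pass urllib_fetch instead for a live URL.
    print(probe_cloaking(cloaked_server, "http://photos.example.net/wedding.php"))
```

The probe deliberately disables redirect following so the Location header is inspected rather than followed; a live check should be run from an isolated machine, since the referred request is exactly what the malicious script is waiting for.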


Virus Watch|A long time ago...

Denis
Kaspersky Lab Expert
Posted April 28, 10:11  GMT
Tags: Mobile Malware, Rogue Security Solutions

Yesterday we read a blog post about a new fake security solution for mobile phones which fraudulently uses the Kaspersky Lab logo to better fool potential victims.

This is rather old news. We have detected this fake AV since 6 August 2008, as not-a-virus:FraudTool.J2ME.KaspAV.a.

Here’s a link to our blogpost from 2008, with a small video that shows how it works:

http://www.securelist.com/en/blog/208187561/Antivirus_Fraudware_Goes_Mobile


Incidents|Playstation data gets pwned

Tim
Kaspersky Lab Expert
Posted April 27, 13:07  GMT
Tags: Gaming Consoles

After a long service blackout, Sony reported yesterday that its PSN gaming network has been compromised. Sony further admitted that all kinds of user data had become available to an unknown attacker. The personal details available to the attackers include your name, address, email address, date of birth, and PSN login name and password. Even password security answers may have been obtained. In addition to these items, Sony stated: “While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.” Sony does not speculate on when the network may come back online, but states that it is rebuilding it and undergoing external security audits.


In some Eastern European countries (Russia and Ukraine especially), there are legal loopholes that allow SMS premium-rate numbers to be used anonymously. In addition, some Russian mobile operators allow people to transfer money from prepaid SIM cards to bank accounts or credit cards. Combined, these two things enable cybercrime activity that generates illegal profits. In this issue of the Lab Matters webcast, Kaspersky Lab malware researcher Denis Maslennikov discusses this component of mobile security and talks about the ways cybercriminals are exploiting prepaid SIM cards and money transfers. Maslennikov also describes the main pillars of the underground economy and the ecosystem behind this type of fraud.


Last week I participated in a student workshop at the Pontificia Universidad Católica del Ecuador (PUCE, http://www.puce.edu.ec/). The workshop wasn’t geared only towards technical students but was also aimed at students of law and jurisprudence. During the sessions, we discussed ways to obtain and combine electronic evidence related to malware attacks, how to interpret it and how to present it to law enforcement for the prosecution of cybercriminals.

We also analyzed the ongoing merging of classic (traditional) crime with cybercrime in areas such as document cloning, grooming and other offences.

I believe these initiatives are very important for current students and future legal professionals to gain a clear understanding of modern attacks, the legal limitations and the reforms that are needed to improve the fight against cybercrime.


Spam Test|‘Nigerian’ spam from Egypt and Libya

Maria Rubinstein
Kaspersky Lab Expert
Posted April 22, 15:55  GMT
Tags: Spam Letters

The revolutions spreading across the Arab world have grabbed the attention of people across the globe, including cybercriminals: so-called ‘Nigerian’ spam emails have recently appeared claiming to come from a variety of “relatives” of Gaddafi and Mubarak. There’s absolutely nothing new about the technique: the ‘Nigerians’ don’t always introduce themselves as the solicitor of some anonymous oil tycoon or the dying widow of an innocent civil servant who was murdered; increasingly, they pose as legally appointed executors or relatives of well-known people who have suffered in one way or another at the hands of political opponents.

For instance, some time ago we received an email from an ‘Olga Patarkatsiashvili’ who, in poor English, asked for help transferring the millions of the late Badri Patarkatsiashvili (a Georgian businessman and presidential candidate who died in 2008), emphasizing that she herself had been denied access to his funds. Following the wave of protests affecting Arab countries there has been a steady stream of Egyptian- and Libyan-themed ‘Nigerian’ spam.

A certain ‘Barrister Alexander James Williams’, who claims to represent Hosni Mubarak, asks for help transferring 29 million pounds. He claims that a UK resident is required to process the transaction, yet the email was sent to a Russian resident with an account at the Russian email service mail.ru.


Kaspersky Lab malware researcher Vicente Diaz joins the Lab Matters webcast to discuss the banking malware epidemic in Europe and offer suggestions for consumers doing business on the Web.


Events|InfoSecurity Europe 2011

Costin Raiu
Kaspersky Lab Expert
Posted April 19, 12:48  GMT
Tags: Exhibitions

Earlier today, at 10 am sharp, Europe’s number one security event – InfoSec – opened its doors at Earl’s Court Hall, in London, UK.

As usual, Kaspersky Lab has prepared a few interesting things for you, with half-hourly security briefings from the company’s top security experts (full schedule here - http://www.kaspersky.co.uk), and a speech from the company CEO and founder, Eugene Kaspersky.

In addition to this, tonight we’re going to the SC Magazine awards ceremony, where Kaspersky Lab is shortlisted in three categories:

  • Information Security Person of the Year
  • Best Anti-Malware Solution – Kaspersky Open Space Security 2010
  • Information Security Vendor of the Year

If you happen to be in the vicinity, please drop by and visit us at stand C41!


Security researchers from around the world are digesting the weekend’s fare at Infiltrate 2011, organized by the security outfit Immunity. “No policy or high-level presentations, just hardcore thought-provoking technical meat” was promised, and the presenters served it up sizzling.

The sessions covered a variety of topics slicing up current offensive security issues, with some defensive interest mixed in. Discussions ranged from technical wizardry attacking hardened Linux kernels to general network exploration and reconnaissance. Infiltrate 2011 itself follows the Black Hat/DEF CON conference model to some extent, but without the corporate marketing of those conferences. A peer-reviewed set of presentations and research, sponsored by one of the best-known offensive security/penetration testing groups in the business, sets a high and undistracted bar for the level of technical content. The final agenda is listed here.

Webcasts|Lab Matters - Malware in Spam Messages

Ryan Naraine
Kaspersky Lab Expert
Posted April 13, 10:29  GMT
Tags: Spam Letters, Spammer techniques

Head of Content Analysis and Research Darya Gudkova joins Ryan Naraine on this episode of Lab Matters to talk about the use of spam e-mails to launch malware attacks.


Events|April's Patch Tuesday (APT) coming your way

Roel
Kaspersky Lab Expert
Posted April 12, 17:21  GMT
Tags: Microsoft

This month, Microsoft is releasing 17 bulletins to address 63 security vulnerabilities across a wide range of Windows products. Out of these vulnerabilities, 12 are rated critical and 51 important.

About half of these vulnerabilities are patched by the MS11-034 bulletin; all of them are elevation of privilege (EoP) vulnerabilities in the Windows kernel.

Elevation of privilege vulnerabilities have gained a lot in popularity as Windows 7 and the use of sandboxes have gained traction. An attacker who already has code running as a limited user could use such a vulnerability, for instance, to circumvent UAC and immediately give a program full admin privileges without any warning.

With Microsoft’s newer products there has been somewhat of a trend in which the number of EoP vulnerabilities outweighs the number of remote code execution vulnerabilities. This trend is likely to persist over the coming months.

Microsoft will also be releasing two advisories this month. One for Windows and one for Office.

Incidents|Another Adobe Flash zero-day

Roel
Kaspersky Lab Expert
Posted April 11, 22:13  GMT
Tags: Adobe, Microsoft

Almost exactly one month ago we warned about a zero-day in Flash which was being exploited in targeted attacks. Back then, malicious SWF files were embedded inside Microsoft Excel files; Excel was used strictly as a delivery vehicle.

This month it’s Microsoft Word’s turn. The malicious .doc referenced by Brian Krebs has a lot in common with the malicious Excel sheet from last month, so if it isn’t the same gang as before, the attackers were at least inspired by the previous incident.
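Both samples carried a Flash file inside an Office document, which makes a cheap triage check possible: scan the raw bytes of the document for SWF headers, i.e. the signature “FWS” (uncompressed), “CWS” (zlib-compressed) or “ZWS” (LZMA-compressed), followed by a one-byte version and a 32-bit little-endian uncompressed length. The scanner below is an added example, not code from the original post or from Kaspersky Lab. The version and length bounds are sanity thresholds chosen for this example, and the “document” it is run on is constructed inline: an OLE magic prefix, a decoy “FWS” string with an impossible version byte, and one genuine CWS object.

```python
"""Find embedded SWF (Flash) headers in a file (added example, not the post's own code)."""
import struct
import zlib

SIGNATURES = (b"FWS", b"CWS", b"ZWS")
MAX_SWF_VERSION = 40            # assumption: a higher "version" byte is not a real header
MIN_SWF_LEN = 8 + 5             # header plus at least frame size, rate and count
MAX_SWF_LEN = 64 * 1024 * 1024  # assumption: cap to reject random length fields


def _zlib_body_matches(blob, expected_len):
    """True if `blob` starts with a zlib stream that inflates to exactly `expected_len` bytes."""
    d = zlib.decompressobj()
    try:
        out = d.decompress(blob)   # stops at end of stream, trailing bytes go to unused_data
    except zlib.error:
        return False
    return len(out) == expected_len


def find_embedded_swf(data):
    """Return a list of dicts describing plausible SWF headers found anywhere in `data`."""
    hits = []
    for sig in SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            hdr = data[pos:pos + 8]
            if len(hdr) == 8:
                version = hdr[3]
                (length,) = struct.unpack("<I", hdr[4:8])
                if 1 <= version <= MAX_SWF_VERSION and MIN_SWF_LEN <= length <= MAX_SWF_LEN:
                    hit = {"offset": pos, "kind": sig.decode(), "version": version,
                           "declared_length": length, "verified": False}
                    if sig == b"FWS":
                        # Uncompressed: the declared length must fit in the remaining bytes.
                        hit["verified"] = pos + length <= len(data)
                    elif sig == b"CWS":
                        # Compressed: the body must inflate to declared length minus the 8-byte header.
                        hit["verified"] = _zlib_body_matches(data[pos + 8:], length - 8)
                    # ZWS (LZMA) is reported but not verified here.
                    hits.append(hit)
            pos = data.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_doc():
    """Constructed test input: OLE magic, a decoy 'FWS', and one real CWS object."""
    body = bytes(range(256)) * 20                                   # 5120 bytes of 'SWF body'
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    decoy = b"FWS" + bytes([0xFF]) + b"\xff\xff\xff\xff"            # version 255: rejected
    return b"\xd0\xcf\x11\xe0" + b"\x00" * 500 + decoy + b"\x00" * 100 + swf + b"\x00" * 300


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_doc()
    for h in find_embedded_swf(blob):
        print(h)
```

Run it with a file path to scan a real document; without arguments it scans the constructed sample. A verified CWS hit inside a .doc or .xls is not proof of malice, since legitimate documents can embed Flash, but it is exactly the artifact the two attacks described here relied on and is worth pulling out for further analysis.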

Incidents|Odd FakeAv Marketing

Kurt Baumgartner
Kaspersky Lab Expert
Posted April 06, 16:20  GMT
Tags: Rogue Security Solutions, Campaigns

The .co.cc domains, littered for the past several months with malicious subdomains hosting exploit pages and malicious Java applets, are now hosting FakeAV pages and “BestAntivirus2011.exe”.

Project|Malware Calendar Wallpaper for April 2011

David
Kaspersky Lab Expert
Posted April 06, 14:36  GMT
Tags: History of Malware

Here's the latest of our malware wallpaper calendars.


1280x800 | 1680x1050 | 1920x1200 | 2560x1600

This month's calendar highlights the use of malware for a range of cybercriminal activities. These include the use of a keylogger to steal data directly from individuals, the hacking of a business in order to acquire customer financial details and the use of a Trojan to conduct industrial espionage.


Webcasts|Lab Matters - The Ups and Downs of Mitigating Botnets

Ryan Naraine
Kaspersky Lab Expert
Posted April 06, 11:26  GMT
Tags: Botnets, Kido

In this edition of the Lab Matters webcast, malware researcher Tillmann Werner and Ryan Naraine discuss the ongoing battle to control the Conficker/Kido botnet and the need for the computer security industry to consider newer approaches to mitigating the botnet epidemic.


Incidents|LiveJournal under attack

Maria Garnaeva
Kaspersky Lab Expert
Posted April 06, 09:13  GMT
Tags: DDoS

I don’t have a LiveJournal account, but sometimes I’ll have a quick read of the blogs during breaks. On 4 April, however, an official announcement by LiveJournal Russia stated that the service had been subjected to a DDoS and was unavailable.

This massive DDoS attack is the second to target LiveJournal over the last few days. Russia’s online mass media is currently awash with rumors and speculation about the reasons and aims of the attacks.

We don’t know exactly how many botnets took part in the latest attack, but we definitely know of one that was involved. It is based on the Optima/Darkness DDoS bot, which is currently popular on the Russian-speaking cybercrime black market. Not only are the Trojan programs (bots) themselves on sale, but so are networks of infected computers built with their help and services offering to carry out DDoS attacks on any given Internet resource.

We have been monitoring one of these Optima botnets for some time now.

Analysis of the data acquired showed that the first DDoS attack on LiveJournal occurred on 24 March, when the botnet’s owners gave the command to attack the blog of the renowned anti-corruption campaigner Alexey Navalny: http://navalny.livejournal.com. On 26 March the bots received commands to attack another of Navalny’s resources, http://rospil.info, and on 1 April http://www.rutoplivo.ru, another site with a political slant, was targeted.

Virus Watch|The Chinese bootkit

Vyacheslav Zakorzhevsky
Kaspersky Lab Expert
Posted April 05, 11:09  GMT
Tags: Malware Descriptions

We recently discovered a new bootkit, i.e. a malicious program that infects the hard drive’s boot sector. Kaspersky Lab detects it as Rootkit.Win32.Fisp.a. The bootkit is distributed by Trojan-Downloader.NSIS.Agent.jd, which infects the computers of users who try to download a video clip from a fake Chinese porn site.

This downloader is notable in that it uses the NSIS installer engine to download other malicious programs and keeps all the download links in its NSIS script.

Fragment of the NSIS script for Trojan-Downloader.NSIS.Agent.jd

The dropper for Rootkit.Win32.Fisp.a is among the files downloaded by the Trojan-downloader. This malicious program infects the hard drive’s boot sector. More specifically, it saves the original MBR to the third sector and replaces the MBR with its own code. Starting with the fourth sector, it writes an encrypted driver and the rest of its code.

Fragment from the start of the hard disk infected by Rootkit.Win32.Fisp.a
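A bootkit that relocates the original MBR and still wants the machine to boot has to keep the partition table intact in its own MBR, so the saved copy and the new sector 0 share a partition table while differing in boot code. The check below, an added example rather than code from the original post or from Kaspersky Lab, turns that into a heuristic: it walks the unpartitioned gap between sector 0 and the first partition and flags any sector that carries the 0x55AA boot signature and the same partition table as sector 0. Sector indexes are zero-based, so the “third sector” in the text is LBA 2. The 64-sector disk image, the bootkit and original boot code bytes, and the fallback of scanning the first 63 sectors when no partition table is present are all constructed assumptions for this example.

```python
"""Heuristic check for a relocated MBR (added example, not the post's own code)."""

SECTOR = 512
PT_OFFSET = 446          # partition table starts here in an MBR
BOOT_SIG = b"\x55\xaa"


def parse_mbr(sector):
    """Split a 512-byte sector into (boot_code, partition_table, signature)."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    return sector[:PT_OFFSET], sector[PT_OFFSET:PT_OFFSET + 64], sector[510:512]


def first_partition_lba(partition_table):
    """Smallest starting LBA among the four primary entries (0 if the table is empty)."""
    starts = []
    for i in range(4):
        entry = partition_table[i * 16:(i + 1) * 16]
        lba = int.from_bytes(entry[8:12], "little")
        if entry[4] != 0 and lba:       # non-zero type byte means the entry is in use
            starts.append(lba)
    return min(starts) if starts else 0


def find_relocated_mbr(image):
    """Return zero-based LBAs in the pre-partition gap that look like a saved copy of the MBR."""
    mbr_code, mbr_pt, sig = parse_mbr(image[:SECTOR])
    if sig != BOOT_SIG:
        return []
    gap_end = first_partition_lba(mbr_pt) or 63      # assumption: scan the first track if no table
    gap_end = min(gap_end, len(image) // SECTOR)
    suspects = []
    for lba in range(1, gap_end):
        code, pt, s = parse_mbr(image[lba * SECTOR:(lba + 1) * SECTOR])
        # Same partition table, valid signature, different boot code: a displaced MBR.
        if s == BOOT_SIG and pt == mbr_pt and code != mbr_code:
            suspects.append(lba)
    return suspects


def build_demo_image(infected):
    """Constructed 64-sector image mimicking the layout described in the post."""
    pt = bytearray(64)
    # One bootable NTFS-type partition starting at LBA 63, 2048 sectors long (constructed).
    pt[0:16] = (bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF])
                + (63).to_bytes(4, "little") + (2048).to_bytes(4, "little"))
    original_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (PT_OFFSET - 8)
    original_mbr = original_code + bytes(pt) + BOOT_SIG
    sectors = [original_mbr] + [b"\x00" * SECTOR] * 63
    if infected:
        bootkit_code = b"\xea\x00\x7c\x00\x00" + b"\xcc" * (PT_OFFSET - 5)
        sectors[0] = bootkit_code + bytes(pt) + BOOT_SIG   # bootkit's own MBR, table preserved
        sectors[2] = original_mbr                           # original MBR saved to the third sector
        for i in range(3, 20):                              # "encrypted driver" from the fourth sector on
            sectors[i] = bytes((i * 37 + j) & 0xFF for j in range(SECTOR))
    return b"".join(sectors)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:   # raw device or disk image, e.g. /dev/sda or disk.img
            img = f.read(64 * SECTOR)
    else:
        img = build_demo_image(infected=True)
    print("suspect saved-MBR sectors:", find_relocated_mbr(img))
```

Run it against a raw disk image (or a block device, read from a clean boot medium) to apply the check to a real system. A hit is a strong hint, not a verdict: some boot managers also stash a copy of the MBR in the first track, so compare the boot code in sector 0 against a known-good loader before cleaning anything.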