Events|Shirahama Symposium 2011

Kaspersky Lab Expert
Posted May 31, 03:49  GMT
Tags: Conferences, Cloud Computing

“The 15th Cyber Crime Symposium, Shirahama”, with the theme “Cloud Security”, was held from May 26th to 28th at the “Big U” Information Exchange Center in Wakayama Prefecture, Japan. Approximately 220 people attended, including government delegates, information security researchers, lawyers, law enforcement and academics. Experts presented on topics such as the benefits and security risks of cloud computing, as well as other related technical matters.

Besides the presentations in the official program, there was also plenty of opportunity for networking, with the venue surrounded by beautiful nature and cultural heritage, hot springs and delicious Japanese cuisine.

During the presentations, which were also broadcast via Ustream, tweets tagged #sccs2011 were shown cycling on a separate screen. This yearly event targets a Japanese audience, and no translation services were offered. If you plan to attend in the future, be sure to brush up on your Japanese; it is most certainly worth it. Past editions covered themes such as “Threat of Malware/Virus” (2009) and “How can we protect the children and ourselves from harmful contents” (2010).

The Democratic Party of Hong Kong's website was compromised and malware uploaded to the web server. Interestingly, the server was distributing malicious Flash and spyware nearly identical to what was found on the compromised UK Amnesty International servers at the beginning of this month. The server is being cleaned up.

The English version of the website did not include the injected iframe links pointing to the exploit.html page, which in turn delivers three different version-specific malicious Flash variants, detected by Kaspersky as "Exploit.SWF.CVE-2011-0611". The malicious Flash was a 0-day at the beginning of this month, and it remains effective on unpatched systems.

Virus Watch|MAX++ sets its sights on x64 platforms

Vasily Berdnikov
Kaspersky Lab Expert
Posted May 24, 14:46  GMT
Tags: Rootkits

In the last few days experts at Kaspersky Lab have detected new samples of the malicious program MAX++ (aka ZeroAccess). This Trojan first achieved notoriety for using advanced rootkit technology to hide its presence in a system. Back then, MAX++ only worked on x86 platforms; now it is capable of functioning on x64 systems!

Computers are infected via a drive-by attack on the browser and its components using the Bleeding Life exploit kit. In particular, the Acrobat Reader (CVE-2010-0188, CVE-2010-1297, CVE-2010-2884, CVE-2008-2992) and Java (CVE-2010-0842, CVE-2010-3552) modules are targeted.

Fragment of the exploit kit code responsible for attacking a specific version of Acrobat Reader

Events|Fake virustotal website propagated java worm

Jorge Mieres
Kaspersky Lab Expert
Posted May 24, 00:48  GMT
Tags: Botnets, DDoS, JavaScript

Infection strategies based on JavaScript are on the agenda, and that is because of its "hybrid" status: criminals looking to expand the reach of their attacks can recruit infected computers regardless of the browser or operating system the victim uses.

In terms of criminal activity, drive-by-download techniques that inject malicious JavaScript into different websites are combined with social engineering, which requires users to sharpen their "detection" senses more and more.

This weekend we came across a fake version of the website of VirusTotal, the popular suspicious-file analysis service from Hispasec, set up to infect users through the methods mentioned above.

Events|“You sh0t the sheriff”

Fabio Assolini
Kaspersky Lab Expert
Posted May 20, 18:26  GMT
Tags: Conferences

This week I had the chance to deliver a presentation at one of the most famous and prestigious security conferences in Brazil, “You sh0t the sheriff”, now in its 5th edition.


Since yesterday I've been attending the annual Hack-in-the-Box Quad-Track Security Conference in Amsterdam, NL. There's a very nice and open atmosphere here at the conference, besides the beautiful city of Amsterdam.

First, Joe Sullivan (CSO at Facebook) gave a very interesting keynote about the development of security innovations at Facebook. For him, innovation is “this hacking culture, we think about it each day at Facebook”. After explaining some of the newer security innovations (HTTPS-only, login notifications, login approvals [e.g. if a user's geo-location is suspicious], recognized devices, recent activity), he talked about the recent Facebook scams involving malicious scripts. “No one would do that, copying and pasting a script into the browser! Yes, they do...”, he said.

Another remarkable talk I attended was on binary planting, given by Mitja Kolsek (CTO at ACROS Security). In "Binary Planting: First Overlooked, Then Downplayed, Now Ignored", Mitja also showed a new method he called "advanced binary planting", which uses a feature of Windows' special folders (Control Panel, Printers, etc.) together with clickjacking to make it possible to take over the user's computer.

In the winter garden of the conference hotel there's a technology showcase area, where hackerspaces from all over Europe and the Netherlands are showing their projects. There is also a capture-the-flag competition, a lock-picking area and a sponsor showcase.

For more information, please see the conference website.

Incidents|Rootkit Banker - now also to 64-bit

Fabio Assolini
Kaspersky Lab Expert
Posted May 20, 12:58  GMT
Tags: Internet Banking, x64

Yesterday Kaspersky Lab detected the first rootkit banker created to infect 64-bit systems. It was found in a drive-by-download attack carried out by Brazilian cybercriminals.

We found a malicious Java applet inserted in a popular Brazilian website. The attack used the applet to infect users running old versions of the JRE (Java Runtime Environment), and it was prepared to infect users on both 32- and 64-bit systems.

Inside this applet we found some interesting files:

The entire malicious scheme is simple yet interesting. The file add.reg disables UAC (User Account Control) and modifies the Windows Registry, adding fake CAs (Certification Authorities) on the infected machine:

News|Smart money?

Kaspersky Lab Expert
Posted May 20, 11:19  GMT
Tags: Electronic Payments

The BBC today reported the announcement of the first UK 'mobile wallet', allowing people to pay for things using their mobile phone.

It sounds very convenient. I use my mobile phone for so many other things these days - why not as an alternative to cash? And on the face of it, isn't this just an extension of the same concept behind the Oyster Card? For those not familiar with the Oyster Card, it's an alternative to buying tickets to travel across London. You use a card instead: you put credit on the card at your convenience and the cost of the trip is debited automatically when you travel.

There's a key difference of course. If I lose my Oyster Card my loss is limited to the credit I've put on the card. The consequences could be far more serious if it's my smartphone, since someone could get access to my entire online identity. If my phone is my wallet too, it becomes even more of a target - to real-world criminals as well as cybercriminals.

We know from experience that convenience typically wins out over security. Keep watching.

It seems I’m not doing anything other than writing about malware on Facebook, but here goes again. As you have probably read or seen yourself on Facebook, there are quite a few applications pretending to show you a list of people who have viewed your profile. I think the most common one is the “Stalker Application”.

Today I saw something that I haven’t seen before – the applications have changed tactics and have now been localized, meaning the page and message which is distributed is in different languages. In my case the language is Swedish, since I’m from Sweden, and I presume that the worms are also localized in other languages.

As with the other cases we have seen, the user is tricked into executing a JavaScript in their browser; that script then loads another script from another domain. The bad guys use this setup to make it harder for antivirus companies to block these domains. This particular case is pretty funny – because of a poorly configured web server we managed to get a complete list of all the domains used in this scam, and they have now been sent to our analysts so they can be blacklisted.


We are currently investigating a new malicious campaign on Facebook mostly targeting French-speaking users. When visiting infected users’ profiles, you see the following:

Translation: Wow, it really works! Find out who is viewing your profile!

The various links that are used rotate quite fast and lead unwitting victims to a website that explains what they need to do. Here’s what it looks like:

Basically, there are 2 steps.

  • The first one is to copy a piece of JavaScript code using CTRL+C.
  • The second is to visit Facebook.com, paste the JavaScript into your address bar and press “Enter”.


For business travelers, the use of a laptop to stay connected to access business documents and connect to office resources is an absolute necessity. In this Lab Matters webcast, Kaspersky Lab malware researcher Stefan Tanase provides some general travel tips and advice to assist in protecting you, your laptop and your corporate data while you are on the road.

Incidents|Return of the Playstation Network

Kaspersky Lab Expert
Posted May 17, 15:28  GMT
Tags: Gaming Consoles, Sony

Today is May 17, almost exactly a month after the massive breach of Sony’s PSN. If you live in North America, you may be pleased to know that the PlayStation Network has finally come back online. Due to the enormous number of subscribers to the service, the restart has been a bit shaky, with reports of password reset emails clogging ISP mail servers. Despite the hiccups, it seems that the service is gradually returning.

If you are a customer of the Sony service, you will need to immediately change your password as well as install a firmware update to your system. Sony has pledged a much stronger security environment to its customers and partners, and this appears to be the beginning of many changes. Sony has previously stated that they have rebuilt the entire network from scratch and moved their PSN infrastructure to a new data center in an undisclosed location. I’m not sure why this emphasis on security wasn’t a focus of the original model, but maybe Sony can prevent future mishaps. Perhaps all the additional outside scrutiny will help, but only time will tell.


A few days ago I published a blog post regarding the reverse engineering of the Mac OSX Rogue AV registration routine. The goal was to see if the product acted like a legitimate one once registered. The product behaved normally, and pretended to clean the machine like its Windows counterpart. It was also possible to gather intelligence on the technical support once registered.

So today, I had a look at a newer variant to see whether the registration algorithm was similar or not.

The serials are no longer in plain text, but it’s still very easy to break. Here is how.

The registration function is still the same: __RegEngine_CheckKey__.

Let’s have a look into it and see how different it is now.

Research|Botnet management from Peru

Jorge Mieres
Kaspersky Lab Expert
Posted May 16, 15:16  GMT
Tags: Botnets

Undoubtedly, cybercrime strategy is not just an Eastern European matter. These attacks are committed through web applications such as malware kits or exploit packs, which aim not only to centralize the stolen information but also to provide a base platform that gives cybercriminals a place for rapid configuration (sometimes known as a Command and Control, or C&C).

Latin America has ceased to be a neglected region for cyber-attacks and has since become a suitable area for the local development of crimeware for managing botnets. This is further evidenced by the discovery of a criminal program, developed in Latin America (possibly from Peru), and called S.A.P.Z (Sistema de Administración de PCs Zombi - Zombie PCs Administration System).


The Virus Lab recently came across a very interesting sample – a downloader that contains two drivers and downloads fake antivirus programs developed for both PC and Mac platforms. The malicious program is downloaded and installed using the BlackHole Exploit Kit. The latter contains exploits targeting vulnerabilities in the JRE (CVE-2010-0886, CVE-2010-4452, CVE-2010-3552) and PDF.

Both drivers are standard rootkits with rich functionality. One is a 32-bit and the other a 64-bit driver. The 64-bit driver is signed with a so-called test signature. If Windows (Vista and later) is booted in TESTSIGNING mode, drivers signed with a test signature can be loaded. This is a special trap-door that Microsoft has left for driver developers so they can test their creations. Cybercriminals have also made use of this loophole: they execute the command ‘bcdedit.exe -set TESTSIGNING ON’, which allows them to launch their driver without a legitimate signature.
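Because the whole trick rests on a boot-configuration setting, the defender's counterpart is simply to look for it. The following is an added example (not code from the original post) that parses the two-column listing printed by `bcdedit /enum {current}` and flags the elements that relax driver signature enforcement: `testsigning`, which the post describes, and `nointegritychecks`, a second real BCD element with the same effect. The sample listing embedded in the script is constructed, not captured from an infected machine; on Windows the script reads the live entry instead (it needs an elevated prompt).

```python
"""Report Windows boot settings that let test-signed or unsigned drivers load.

Added example (not code from the original post): it parses the two-column
listing that `bcdedit /enum {current}` prints and flags the elements that
weaken driver signature enforcement.  On Windows it reads the live entry;
elsewhere it runs on a constructed sample so the logic can be exercised."""
import platform
import re
import subprocess

# Constructed sample of bcdedit output (not captured from a real machine);
# the element names are bcdedit's own, the values are made up.
SAMPLE_BCD_OUTPUT = """\
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
testsigning             Yes
osdevice                partition=C:
systemroot              \\Windows
nx                      OptIn
"""

# Boot elements that relax driver code-signing policy; the post describes
# abuse of the first one (bcdedit -set TESTSIGNING ON).
RISKY_ELEMENTS = {
    "testsigning": "test-signed drivers may be loaded (Test Mode)",
    "nointegritychecks": "driver signature integrity checks are disabled",
}

# A data row is "element<two or more spaces>value"; headers and the dashed
# separator do not have that shape and are skipped.
_ROW = re.compile(r"^(\S+)\s{2,}(\S.*?)\s*$")


def parse_bcd_entry(text: str) -> dict:
    """Turn bcdedit's 'element    value' rows into a dict with lower-cased keys."""
    entry = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            entry[m.group(1).lower()] = m.group(2)
    return entry


def risky_settings(text: str) -> dict:
    """Return {element: reason} for every risky element whose value is Yes."""
    entry = parse_bcd_entry(text)
    return {name: reason for name, reason in RISKY_ELEMENTS.items()
            if entry.get(name, "No").lower() == "yes"}


def current_boot_entry() -> str:
    """Read the live {current} boot entry on Windows (requires an elevated prompt)."""
    result = subprocess.run(["bcdedit", "/enum", "{current}"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    listing = current_boot_entry() if platform.system() == "Windows" else SAMPLE_BCD_OUTPUT
    findings = risky_settings(listing)
    if not findings:
        print("OK: driver signature enforcement is not relaxed in the boot entry")
    for name, reason in findings.items():
        print(f"WARNING: {name} is enabled: {reason}")
```

A machine that legitimately needs Test Mode (a driver developer's box) will show the same warning, so treat a hit as something to explain rather than as proof of infection; on a user's desktop, though, `testsigning Yes` has no business being there, and the rootkit described above is exactly the kind of thing that sets it.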

The following description refers to both rootkits because, apart from the platforms, their functionality is identical. Once the driver is successfully loaded and running on the system, it’s difficult to get rid of it. The rootkit blocks the launch of drivers belonging to anti-rootkit and antivirus products. This is done using lists of file names of specific drivers and of strings that the rootkit searches for in the Security section of the DataDirectory array of the image being loaded. If the rootkit detects an “untrusted” driver being loaded, the bytes at the entry point of the image are changed, preventing it from loading correctly.

Fragment of the rootkit containing search strings used to block antivirus drivers

The rootkit protects the “main” application by hooking ZwOpenProcess / ZwOpenThread in the SDT (only on 32-bit versions of Windows) and by using object manager callbacks to control access to “trusted” applications. The file system is also monitored by attaching to the file system stacks, and the registry by using registry callbacks.

This rootkit is yet more proof (after TDSS) that it is unnecessary to bypass PatchGuard in order to implement rootkit functionality on 64-bit platforms.

The downloader is written in C++ and is itself not protected. Its main task is to install and launch the relevant driver (32- or 64-bit), then download and launch a list of files from URLs. Interestingly, one link leads to Hoax.OSX.Defma.f which we recently wrote about. Most importantly, the rootkit tries to run it…under Windows! It appears that the developers of the latest rogue AV program for MacOS are actively distributing it via intermediaries, who don’t really understand what it is they are supposed to install on users’ computers.

Fragment of the malicious code that downloads and launches the file

Kaspersky Lab products successfully detect and neutralize both Trojan-Downloader.Win32.Necurs.a and Rootkit.Win32.Necurs.a / Rootkit.Win64.Necurs.a.

Yesterday several new pieces of malware were found in the Android Market by AegisLab. The first big outbreak of malicious software in the Android Market happened more than 2 months ago and there are some things in common between these cases:

  • First of all, the March and May outbreaks were likely performed by Chinese hacker(s).
  • Secondly, there were several pieces of malware in the official market in both cases.

The malware itself is not very interesting. It will send one SMS message to a Chinese number and after that it writes a marker “Y” in order to prevent further SMS sending.

SMS sending routine

All of the malicious applications were published by the same developer named ‘zsone’. The malware was removed by Google from the Android Market immediately after its malicious nature was discovered. But there is some evidence that some of the applications developed by ‘zsone’ and identified as malicious were uploaded to the Android Market a long time ago.


My colleagues Fabio Assolini and Vicente Diaz wrote two blog posts recently regarding the Rogue AVs for MAC OSX. After executing it on a test machine, and playing with it, I noticed there was some hidden information in the About Window as can be seen below:

I was interested by the “Support” information, but it’s only available to registered customers. I also wanted to confirm a few things such as the “cleaning” of the fake threats once registered, and to see if the “infected” popups would stop.


When my colleague Fabio wrote about a rogueware campaign targeting Mac users, I looked a bit into the origin of these campaigns. It was interesting how different researchers were getting those samples by searching for images on Google. However, different searches always arrived at the same result, leading to the question: how many search terms have been poisoned?

That was an interesting question, and the answer came from reading another very interesting piece of research from Unmask Parasites. I recommend you read the post, but in essence it explains how thousands of sites have been infected with a very effective scheme that allows the criminals to poison image search results. Could this scheme be connected to the fake AV for Mac?

Opinions|Chromebook - A New Class of Risks

Costin Raiu
Kaspersky Lab Expert
Posted May 12, 12:53  GMT
Tags: Google

We are certainly living in interesting times. It was less than a week ago that a rumor appeared that Apple is going to switch to ARM processors for its next generation of laptops.

Obviously, this has very interesting implications for the future of computing and seems to indicate the increasing need for a computing platform that uses less power and that can be used for a day without the need for charging.

Earlier today, Google surprised the world by announcing the Google Chromebook – a netbook (huh, aren’t netbooks dead?) computer concept, built for now by Samsung and Acer around the Atom N750 CPUs. With 2GB of RAM and 16GB of SSD storage, the specifications are somewhat low-end; however, this might not be a problem because, as Google says in their promo, the web has more storage space than any computer. The price, when these become available, is believed to be in the range of $400-$500.

When I saw the announcement, I thought to myself – why would anybody ever buy something like this?


In this newest edition of Lab Matters, Director of Kaspersky Lab's Global Research and Analysis Team Costin Raiu offers some predictions about what we will see in the second half of 2011. Raiu's predictions include a surge in malicious activity on mobile device app stores.

Events|Quiet Tuesday

Kaspersky Lab Expert
Posted May 10, 17:06  GMT
Tags: Adobe, Microsoft

After last month's mega Patch Tuesday, this month's can only be described as very quiet. A total of three vulnerabilities are being patched in two bulletins, MS11-035 and MS11-036.

MS11-035 deals with a remote, unauthenticated vulnerability in the WINS service that can lead to code execution with SYSTEM privileges. This vulnerability affects Microsoft's server products. Though consistent exploit code seems unlikely, it looks rather easy to DoS the service.

MS11-036 deals with two vulnerabilities in PowerPoint. CVE-2011-1269 will likely see consistent exploit code, while Microsoft believes there won't be functioning exploit code for CVE-2011-1270. As pointed out by Kurt Baumgartner here, Microsoft is introducing a new exploitability index this month.


Yesterday the US government released some home videos of Osama Bin Laden in his Pakistani hideout. Screenshots from the video were used for malicious blackhat SEO via Google Images.
Many legitimate nginx-based Web sites were attacked and exploited by taking advantage of the CVE-2009-2629 vulnerability. The compromised sites were injected with the following script:

Spam Test|Spam and the death of Osama bin Laden

Posted May 06, 14:47  GMT
Tags: Spam Letters

As we mentioned in a previous blog post, every time there is news of global interest, cybercriminals try to exploit that interest for their own malicious purposes. The death of Osama bin Laden was no exception – it was used in spam as well as black hat SEO.

We have detected two spam mailings capitalizing on the news of Bin Laden’s death, both of which were used to distribute malware.

One included a password-protected ZIP archive. The message subject was: “pictures of osama bin laden dead?”

What is strange about the mailing is that the text was taken from a standard spam message which is supposedly sent by a girl who wants to introduce herself to a man and is asking him to have a look at pictures of her that are attached.

News|Microsoft Exploitability Index Changes

Kurt Baumgartner
Kaspersky Lab Expert
Posted May 05, 23:03  GMT
Tags: Adobe, Microsoft, Apple, Oracle

Microsoft is making changes to its exploitability index to help clarify vulnerability issues in its software to its customers, keeping its program far ahead of other major vendors. Still, no system is perfect.

Microsoft's Security Response Center team has a steep uphill climb to conquer the mountain of vulnerabilities in its software that are slowly but surely being publicly discovered, exploited and discussed. It is not an enviable task.

In just five days, the team will roll out a couple of changes. One change splits exploitability ratings for their newest product versions from all older releases. The two updates for the upcoming Patch Tuesday will also provide information for the bugs even if they do not provide remote code execution, and instead provide a surface for denial of service attacks.

Incidents|Malvertising on ImageShack

David Jacoby
Kaspersky Lab Expert
Posted May 04, 16:12  GMT
Tags: Antivirus Updates, Malvertizing

Today, while conducting research on the alleged Latvian power hack, I came across some interesting malvertising on ImageShack, where pictures of the purported hack have been hosted.

Advertising on the page loads an exploit for a Java vulnerability, which Kaspersky detects as Exploit.HTML.CVE.2010-4452.m and which then tries to download Trojan.win32.TDSS.cgir. TDSS, as some of you may recognize, is a rootkit that can access Windows at its lowest levels and can prove extremely difficult to remove.

Upon opening the page, the advertisement loads, and a connection to http://--removed--ediagroup.com/enc/jv.html is made. This launches the actual exploit. A second page http://--removed--ediagroup.com/load.php?2 is loaded which drops the Trojan containing the TDSS malware.

Kaspersky already detects both the exploit, as well as the Trojan payload. This serves as a reminder of the importance of keeping your Anti-virus up to date.

We will update with further details as they become available.

Webcasts|Lab Matters - Password Security: Dos and Don'ts

Ryan Naraine
Kaspersky Lab Expert
Posted May 04, 11:39  GMT
Tags: Passwords

There are countless firms that sell expensive computer security products and gear. But most experts will tell you that the one step you can take to most improve the security of your home or work computer is to have and follow strict password security. But what makes a password strong (or weak)? And what tricks might hackers, malware authors and cyber criminals play to get you to part with yours? Paul Roberts of Threatpost speaks with David Emm of Kaspersky Lab about proper password hygiene and the steps you need to take to secure access to your critical online and offline accounts.

As we wrote last year, the first Internationalized Domain Names (IDNs) using non-Latin characters have appeared on the internet; these contain characters from Cyrillic, Arabic and other scripts. We have also started to see some new domains using diacritics such as “à, á, â, ã, é, ê, í, ó, ô, õ, ò, ú, ü, ç” in their names, for instance http://amarylliscomunicação.com.br.

It’s also important to point out that some browsers and mail readers are not prepared to display these characters correctly. A domain in Arabic such as http://وزارة-الأتصالات.مصر/ might be shown as http://xn--4gbrim.xn----ymcbaaajlc6dj7bxne2c.xn--wgbh1c in your mailbox. This alternative way of representing non-Latin characters is called punycode.

During our regular monitoring of malicious activity in Brazil, we discovered an interesting and legitimate URL shortener service that uses the diacritics “ó.ò” in its name:
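The two spellings of such a name are mechanically convertible, and a mail filter or URL triage script should see both before deciding what a link "looks like". The following is an added example, not code from the original post, that converts hostnames between their Unicode form and the `xn--` punycode form using only Python's standard-library `idna` codec, and additionally flags any label that mixes writing systems (for instance a Cyrillic letter inside an otherwise Latin name), which is the classic homograph warning sign. The sample hostnames other than the one quoted in the post are constructed for illustration.

```python
"""Convert hostnames between Unicode (U-label) and punycode (A-label) form and
flag labels that mix writing systems.

Added example, not code from the original post.  It uses only the standard
library: the 'idna' codec (IDNA 2003) and unicodedata for script names."""
import unicodedata
from urllib.parse import urlsplit

# Constructed sample inputs; the first hostname is the one quoted in the post,
# the others are made-up illustrations (the third mixes Latin and Cyrillic).
SAMPLE_HOSTS = [
    "amarylliscomunicação.com.br",
    "xn--bcher-kva.example",          # A-label form of bücher.example
    "p\u0430ypal.example",            # second letter is CYRILLIC SMALL LETTER A
    "example.com",
]


def to_ascii(hostname: str) -> str:
    """Unicode hostname -> ACE form with xn-- labels; ASCII labels pass through."""
    return hostname.encode("idna").decode("ascii")


def to_unicode(hostname: str) -> str:
    """ACE hostname -> Unicode form; labels without xn-- are returned unchanged."""
    return hostname.encode("ascii").decode("idna")


def scripts_of(label: str) -> set:
    """Scripts used by the letters of one label, taken from the Unicode
    character names (LATIN, CYRILLIC, ARABIC, ...).  Digits, hyphens and
    combining marks carry no script of their own and are skipped."""
    scripts = set()
    for ch in label:
        if ch == "-" or ch.isdigit() or unicodedata.category(ch).startswith("M"):
            continue
        name = unicodedata.name(ch, "")
        if name:
            scripts.add(name.split(" ", 1)[0])
    return scripts


def inspect_host(hostname: str) -> dict:
    """Both spellings of a hostname plus the labels that mix scripts, which is
    the classic homograph red flag (e.g. Cyrillic 'а' inside a Latin name)."""
    unicode_form = to_unicode(hostname) if hostname.isascii() else hostname
    mixed = [label for label in unicode_form.split(".")
             if len(scripts_of(label)) > 1]
    return {
        "unicode": unicode_form,
        "ascii": to_ascii(unicode_form),
        "mixed_script_labels": mixed,
    }


def inspect_url(url: str) -> dict:
    """Same check for a full URL; urlsplit lower-cases the host for us."""
    return inspect_host(urlsplit(url).hostname or "")


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        info = inspect_host(host)
        flag = "MIXED-SCRIPT" if info["mixed_script_labels"] else "ok"
        print(f"{info['unicode']:32} {info['ascii']:40} {flag}")
```

One caveat on the design: the standard-library codec implements IDNA 2003, whereas current browsers apply IDNA 2008 with UTS #46 processing (available in Python through the third-party `idna` package), so a few characters such as ß map differently; for the diacritics and scripts discussed above the two agree. Mixed-script detection is a heuristic, not a verdict: a label that uses a single non-Latin script consistently, like the Arabic example above, is perfectly legitimate and is not flagged.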

Incidents|Osama's death in Twitter

Vicente Diaz
Kaspersky Lab Expert
Posted May 03, 17:21  GMT
Tags: Social Networks, Twitter

Continuing our investigation into the Osama's death campaign, we were especially concerned about the potential distribution of malware on social networks because of their speed of propagation. So we have been monitoring Twitter, collecting several million tweets and a huge number of URLs too. No surprise here: during the last 24 hours the average was 4,000 tweets per second related to this topic. Here you can see how even Internet traffic was affected.

Analyzing these URLs, we found some interesting stuff.

The first one is a Facebook scam campaign posing as Osama's death video:

Virus Watch|Monthly Malware Statistics, April 2011

Kaspersky Lab Expert
Posted May 03, 08:34  GMT
Tags: Malware Statistics

The following statistics were compiled in April using data from computers running Kaspersky Lab products:

  • 221,305,841 network attacks blocked;
  • 73,211,764 attempted web-borne infections prevented;
  • 189,999,451 malicious programs detected and neutralized on users’ computers;
  • 86,630,158 heuristic verdicts registered.

DDoS attack on LiveJournal

The DDoS attack that targeted LiveJournal.com at the end of March continued into early April and was big news in Russia. The fact that we had been monitoring one of the botnets responsible for the attack meant we discovered quite a few details about the incident.

Initially, every computer in the botnet received commands to attack one or two links per day. On 4 April, however, the bots received a list of 36 links that included http://livejournal.com and http://livejournal.ru. The other links in the list led to popular pages in the Russian-language blogosphere. The pages in question were unavailable at various times on 30 March, 4 and 6 April. The attacks stopped after 6 April.

The botnet we monitored was based on the popular Optima bot which appeared for sale at the end of 2010. Several indicators suggest that the zombie network behind the DDoS attacks brought together tens of thousands of machines infected with Optima. Apart from DDoS attacks, the bot’s functionality includes downloading other executable files to infected computers and stealing passwords for a number of popular programs.


Windows users are not the only target of the bad guys who want to distribute rogueware. Now they are also attacking Mac users using the same old blackhat SEO techniques, poisoning search results in popular search engines.

During our research about Osama Bin Laden's death we saw the same malicious domains serving two rogueware applications specific to Mac OSX, called Best Mac Antivirus and MACDefender.

When doing searches the user can be redirected to some malicious domains, like this for example: ***-antivirus.cz.cc/fast-scan2/

So the malicious pages check the browser agent (it must be Safari), the IP address (only US for now) and the referrer (it must be Google or another search engine). After these checks the malicious page shows a fake scan screen:

Incidents|Osama Bin Laden Spam/Ads on Facebook

David Jacoby
Kaspersky Lab Expert
Posted May 02, 09:15  GMT
Tags: Social Networks, Facebook

I guess the news about the death of Osama Bin Laden is starting to reach everyone around the world. We have noticed that every time something big as this happens, people get curious and start searching on the Internet. This is something that my colleague Fabio also noticed. During his research he found that cybercriminals are spreading Rogueware via Blackhat SEO and Google Images. You can read more about his finding here.

This triggered me to do a quick search on Facebook and see what was happening over there. I immediately saw that Facebook ads are already spreading using videos of the death of Osama Bin Laden as a lure. On one Page we can see multiple users posting the same URL, with the following message: "Sweet! FREE Subway To Celebrate Osamas Death - 56 Left HURRY!" or "2 Southwest Plane Tickets for Free - 56 Left Hurry", followed by a link to a short URL service (http://tiny.cc/).


As always, when big news appears in the press the bad guys start blackhat SEO campaigns in popular search engines, trying to lure users into installing rogueware.

It's no different this time, with the news about Osama Bin Laden's death being everywhere. The bad guys were quite fast and started to poison search results in Google Images.

Some of the search results are now leading users to malicious pages: