The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1
Latest posting
By rating
By popularity

Join our blog

You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.

Research|FAQ: Disabling the new Hlux/Kelihos Botnet

Kaspersky Lab Expert
Posted March 28, 14:23  GMT
Tags: Botnets

Q: What is the Hlux/Kelihos botnet?
A: Kelihos is Microsoft's name for what Kaspersky calls Hlux. Hlux is a peer-to-peer botnet with an architecture similar to the one used for the Waledac botnet. It consists of layers of different kinds of nodes: controllers, routers and workers.

Q: What is a peer-to-peer botnet?
A: Unlike a classic botnet, a peer-to-peer botnet doesn't use a centralized command and control-server (C&C). Every member of the network can act as a server and/or client. The advantages from the malicious user’s point of view is the omission of the central C&C as a single-point-of-failure. From our point of view, this makes it a lot harder to take down this kind of botnet.

Architecture of traditional botnet vs P2P:

Traditional botnet with centralized C&C

Traditional botnet with centralized C&C

Architecture of a P2P botnet

Architecture of a P2P botnet


Last September, in partnership with Microsoft’s Digital Crimes Unit (DCU), SurfNET and Kyrus Tech, Inc., Kaspersky Lab successfully disabled the dangerous Hlux/Kelihos botnet by sinkholing the infected machines to a host under our control.

A few months later, our researchers stumbled upon a new version of the malware with significant changes in the communication protocol and new “features” like flash-drive infection, bitcoin-mining wallet theft.

Now, we are pleased to announce that we have partnered with the CrowdStrike Intelligence Team, the Honeynet Project and Dell SecureWorks to disable this new botnet.

Incidents|The mystery of Duqu: Part Ten

Kaspersky Lab Expert
Posted March 27, 15:48  GMT
Tags: Targeted Attacks, Duqu

At the end of the last year the authors of Duqu and Stuxnet tried to eliminate all traces of their activity. They wiped all servers that they used since 2009 or even earlier. The cleanup happened on October 20.

There were virtually no traces of Duqu since then. But several days ago our colleagues in Symantec announced that they found a new "in-the-wild" driver that is very similar to known Duqu drivers. Previous modifications of Duqu drivers were compiled on Nov 3 2010 and Oct 17 2011, and the new driver was compiled on Feb 23 2012.

So, the authors of Duqu are back after a 4 months break.

Duqu is back

The newly discovered driver does not contain any new functionality compared to its previous versions. The code contains only minor modifications, and they were most likely done to evade detection from antivirus programs and detection tools such as the CrySyS Duqu Toolkit. Here’s a list of changes compared to older versions:

  • The code was compiled with different optimization settings and/or inline attributes of functions.
  • The size of the EXE stub that is injected with the PNF DLL was increased by 32 bytes.
  • The LoadImageNotifyRoutine routine now compares the module name with “KERNEL32.DLL” using hash checksums instead of simple string comparison.
  • The size of the encrypted configuration block was increased from 428 to 574 bytes. There are no new fields in in the block, but the size of the registry value name (“FILTER”) field was increased. This makes the registry value name easily modifiable - probably for future use.
  • The algorithm of the two subroutines that decrypt the encrypted config block, registry value and PNF DLL has been changed. This is the third known algorithm used in the Duqu encryption subroutines.
  • The algorithm of the hash function for the APIs has changed. All the hash values were changed correspondingly.

Old hash function, used in previous versions of the Duqu driver:

New hash function:

The fact that the new driver was found in Iran confirms that most of Duqu incidents are related to this country.


On 20 March, Russian law enforcement agencies announced the arrest of a cybercriminal gang involved in stealing money using the Carberp Trojan. This is very good news, but unfortunately does not mark the end of the Carberp story.

Evidently, those arrested were just one of the criminal gangs using the Trojan. At the same time, those who actually developed Carberp are still at large, openly selling the Trojan on cybercriminal forums.

Here is a recent offer for the ‘multifunctional bankbot’, which appeared on 21 March:


Since November 2011, according to recent statistics, Google Chrome has become the most popular browser in Brazil (more than 45% of the market share).

The same has is true for Facebook, which now is the most popular social network in Brazil, with a total of 42 million users, displacing Orkut.

These two facts are enough to motivate Brazil’s bad guys to turn their attentions to both platforms. This month we saw a huge wave of attacks targeting Brazilian users of Facebook, based on the distribution of malicious extensions. There are several themes used in these attacks, including “Change the color of your profile” and “Discover who visited your profile” and some bordering on social engineering such as “Learn how to remove the virus from your Facebook profile”:

1) Click on Install app, 2) Click on Allow or Continue, 3) Click on Install now, After doing these steps, close the browser and open again

This last one caught our attention not because it asks the user to install a malicious extension, but because the malicious extension it’s hosted at the official Google's Chrome Web Store. If the user clicks on “Install aplicativo” he will be redirected to the official store. The malicious extension presents itself as “Adobe Flash Player”:

Research|The mystery of Duqu Framework solved

Igor Soumenkov
Kaspersky Lab Expert
Posted March 19, 13:42  GMT
Tags: Duqu

The Quest for Identification

In my previous blogpost about the Duqu Framework, I described one of the biggest remaining mysteries about Duqu – the oddities of the C&C communications module which appears to have been written in a different language than the rest of the Duqu code. As technical experts, we found this question very interesting and puzzling and we wanted to share it with the community.

The feedback we received exceeded our wildest expectations. We got more than 200 comments and 60+ e-mail messages with suggestions about possible languages and frameworks that could have been used for generating the Duqu Framework code. We would like to say a big ‘Thank you!’ to everyone who participated in this quest to help us identify the mysterious code.

Let us review the most popular suggestions we got from you:

  • Variants of LISP
  • Forth
  • Erlang
  • Google Go
  • Delphi
  • OO C
  • Old compilers for C++ and other languages

Sweden recently experienced a large banking scam where over 1.2 million Swedish kronor (about $177,800) were stolen by infecting the computers of multiple victims. The attackers used a Trojan which was sent to the victims and, once installed, allowed the attackers to gain access to the infected computers. Luckily these guys were caught and sentenced to time in jail, but it took a while to investigate since over 10 people were involved in this scam.

It's possible that these attacks are no longer as successful as the bad guys would like, because we are now seeing them use other methods to find and exploit new victims. For quite some time now we have seen how hijacked Facebook accounts have been used to lure the friends of whose account has been hijacked to do everything from click on malicious links to transfer money to the cybercriminals’ bank accounts.

Please note that this is not a new scam - it has been out there for quite some time. But what we are now seeing is the use of stolen/hijacked accounts, or fake accounts, becoming very common on Facebook. So common, in fact, that there are companies creating fake accounts and then selling access to them to other cybercriminals. As you might expect, the more friends these accounts have, the more expensive they are, because they can be used to reach more people.

The problem here is not just technical – it’s primarily a social problem. We use Facebook to expand our circle of friends. We can easily have several hundred friends on Facebook, while we in real life we may only have 50. This could be a problem because some of the security and privacy settings in Facebook only apply in your interactions with people who you are not friends with. Your friends, on the other hand, have full access to all the information about you.


The twitter infosec sphere last night and the blogosphere this morning is in a bit of a frenzy about the public leak of a DoS PoC targeting CVE-2012-0002, the RDP pre-auth remote. This vulnerability was highlighted at our previous Securelist post on this month's patch Tuesday "Patch Tuesday March 2012 - Remote Desktop Pre-Auth Ring0 Use-After-Free RCE!". First off, patch now. Now. If you can't, use the mitigation tool that Microsoft is offering - the tradeoff between requiring network authentication and the fairly high risk of RCE in the next couple of weeks is worth it. You can see the list of related links on the side of this page, one was included for MS12-020.

Some interesting additional information has surfaced about the vulnerability, including the fact that the bug was generated in May of 2011 and "reported to Microsoft by ZDI/TippingPoint in August 2011". The researcher, Luigi Ariemma, discusses that this work wasn't disclosed by him (often, he fully discloses his work). After some careful investigation of the poorly coded "rdpclient.exe" posted online in Chinese forums, he found that it was a cheap replica of the unique code he provided to ZDI and in turn, Microsoft, when privately reporting the bug. This is bad. And already, researchers with connections to Metasploit open source exploit dev like Joshua Drake are tightening up the code, developing and sharing improved PoC. As Microsoft pointed out, confidence in the development of a reliable public exploit within 30 days is very high.

Regardless, the implications of a leak in the highly valuable MAPP program could hinder strong and important security efforts that have been built on years of large financial investment, integrity, and maturing operational and development processes. Thoughts and opinions on the leak itself can be found over at Zero Day. At the same time, I think that this event may turn out to be nothing more than a ding in the MAPP program's reputation, but it's important that this one is identified and handled properly. With the expansion of the program, an event like this one is something that certainly should have been planned for.

UPDATE: Early this afternoon over at the MSRC blog, Microsoft acknowledges that the PoC leaked on Chinese forums "appears to match the vulnerability information shared with MAPP partners", note that an RCE exploit is not publicly circulating just yet, advises patching or mitigating with the Fix-It, and initiates investigation into the disclosure.

Comment      Link

In early March, we received a report from an independent researcher on mass infections of computers on a corporate network after users had visited a number of well-known Russian online information resources. The symptoms were the same in each case: the computer sent several network requests to third-party resources, after which, in some cases, several encrypted files appeared on the hard drive.

The infection mechanism used by this malware proved to be very difficult to identify. The websites used to spread the infection are hosted on different platforms and have different architectures. None of our attempts to reproduce the infections were successful. A quick analysis of KSN statistics that might help to identify the connection between compromised resources and the malicious code being distributed did not yield any results, either. However, we did manage to find something that the news sites had in common.

Events|Is Google confused about Android security?

Kaspersky Lab Expert
Posted March 16, 14:45  GMT
Tags: Google

While Google is obviously trying to create a safer environment in regard to the Android operating system, some of these changes are leaving me a bit confused. I recently discovered some interesting behavior in regard to the default email client in 4.0 Ice Cream Sandwich.

It seems that if you try to download or open a zip file attachment from within the email client, Google warns of the possibility of malware:


Post was updated 19.03.2012 (see below)

In the last few days a malicious program has been discovered with a valid signature. The malware is a 32- or 64-bit dropper that is detected by Kaspersky Lab as Trojan-Dropper.Win32.Mediyes or Trojan-Dropper.Win64.Mediyes respectively.

Numerous dropper files have been identified that were signed on various dates between December 2011 and 7 March 2012. In all those cases a certificate was used that was issued for the Swiss company Conpavi AG. The company is known to work with Swiss government agencies such as municipalities and cantons.

Information about the Trojan-Dropper.Win32.Mediyes digital signature


Patch Tuesday March 2012 fixes a set of vulnerabilities in Microsoft technologies. Interesting fixes rolled out will patch a particularly problematic pre-authentication ring0 use-after-free in Remote Desktop and a DoS flaw, a DoS flaw in Microsoft DNS Server, and several less critical local EoP vulnerabilities.

It seems to me that every time a small and medium sized organization runs a network, the employees or members expect remote access. In turn, this Remote Desktop service is frequently exposed to public networks with lazy, no-VPN or restricted communications at these sized organizations. RDP best practices should be followed requiring strong authentication credentials and compartmentalized, restricted network access.

Some enterprises and other large organizations continue to maintain a "walled castle" and leave RDP accessible for support. The problem is that RDP-enabled mobile laptops and devices will make their way to coffee shops or other public wifi networks, where a user may configure a weak connection policy, exposing the laptop to attack risk. Once infected, they bring back the laptop within the walled castle and infect large volumes of other connected systems from within. To help enterprises that may have patch rollout delays, Microsoft is providing a fix-it that adds network layer authentication to the connection, protecting against exploit of the vulnerability.

This past fall, we observed the RDP worm Morto attacking publicly exposed Remote Desktop services across businesses of all sizes with brute force password guessing. It was spreading mainly because of extremely weak and poor password selection for administrative accounts! The Morto worm incident brought attention to poorly secured RDP services. Accordingly, this Remote Desktop vulnerability must be patched immediately. The fact that it's a ring0 use-after-free may complicate the matter, but Microsoft's team is rating its severity a "1" - most likely these characteristics will not delay the development of malicious code for this one. Do not delay patch rollout for CVE-2012-0002.

Finally, for less technical readers, allow me to explain a little about what a "Remote Desktop pre-auth ring0 use-after-free RCE" really is. Remote Desktop is a remotely accessible service that enables folks to connect remotely to a Windows system and open a window to the desktop in an application as though you were sitting in front of the computer. Usually, you need to log in to the system to do that, so the system is fairly protected. Unfortunately, this bug is such that a remote attacker that can connect to the system's Remote Desktop service over the network can successfully attack the system without logging in. The "ring0" piece simply means that the vulnerable code exists deeply in the Windows system internals, or the kernel, of the operating system (most applications running on a system run in "ring3", or "user-mode"). "Use-after-free" is the type of vulnerability enabling the exploit, and this type of flaw is something that continues to be extremely difficult to weed out as predicted years ago, even as many of the more traditional low hanging stack and heap overflows have been stomped out by automated code reviews and better coding practices. And finally, RCE applies to the type of exploit enabled by the vulnerability, or "remote code execution", meaning an attacker can deliver malicious code of their choosing to the system and steal everything. There you go, "pre-auth ring0 use-after-free RCE".

Opinions|CanSecWest: Let's talk about non-targeted attacks

Kaspersky Lab Expert
Posted March 10, 05:33  GMT
Tags: Targeted Attacks, Facebook

Today is the last day of CanSecWest - a security conference taking place in Vancouver, Canada. On Wednesday I filled in for Costin Raiu and talked about our forensics work into Duqu's C&C servers.

As I'm writing this, Google Chrome just got popped. Again. The general feeling is that $60k, even with a sandbox escape, isn't a whole lot of money for a Chrome zero-day. So, to see multiple zero-days against Chrome is quite the surprise, especially when considering the browser's Pwn2Own track record.

Separately, I found the Q&A session following Facebook's Alex Rice’s presentation immensely intriguing.

Research|The Mystery of the Duqu Framework

Igor Soumenkov
Kaspersky Lab Expert
Posted March 07, 15:58  GMT
Tags: Duqu

While analyzing the components of Duqu, we discovered an interesting anomaly in the main component that is responsible for its business logics, the Payload DLL. We would like to share our findings and ask for help identifying the code.

Code layout

At first glance, the Payload DLL looks like a regular Windows PE DLL file compiled with Microsoft Visual Studio 2008 (linker version 9.0). The entry point code is absolutely standard, and there is one function exported by ordinal number 1 that also looks like MSVC++. This function is called from the PNF DLL and it is actually the “main” function that implements all the logics of contacting C&C servers, receiving additional payload modules and executing them. The most interesting is how this logic was programmed and what tools were used.

The code section of the Payload DLL is common for a binary that was made from several pieces of code. It consists of “slices” of code that may have been initially compiled in separate object files before they were linked in a single DLL. Most of them can be found in any C++ program, like the Standard Template Library (STL) functions, run-time library functions and user-written code, except the biggest slice that contains most of C&C interaction code.

Layout of the code section of the Payload DLL file

This slice is different from others, because it was not compiled from C++ sources. It contains no references to any standard or user-written C++ functions, but is definitely object-oriented. We call it the Duqu Framework.

Incidents|Elections 2012 and DDoS attacks in Russia

Kaspersky Lab Expert
Posted March 07, 08:14  GMT
Tags: DDoS

As Eugene Kaspersky had written earlier, we were expecting new DDoS attacks on resources covering the Russian presidential election. So, as the country went to the polls on 4 March, we were on the lookout for new DDoS attacks.

We were surprised to hear a news report from one mass media source that claimed a series of attacks from foreign countries had targeted the servers responsible for broadcasting from polling stations. The announcement came at about 21:00, but there was no trace of any attack on our monitoring system. The media report did not clarify exactly what sort of attacks had been staged. Instead of a DDoS attack, the journalists might have been referring to a different method of seizing unauthorized access, such as an SQL injection.


The internet is full of infected hosts. Let's just make a conservative guesstimate that there are more than 40 million infected victim hosts and malware serving "hosts" connected to the internet at any one time, including both traditional computing devices, network devices and smartphones. That's a lot of resources churning out cybercrime, viruses, worms, exploits, spyware. There have been many suggestions about how to go about cleaning up the mess, the challenges are complex, and current cleanups taking longer than expected.

Mass exploitation continues to be an ongoing effort for cybercriminals and a major problem - it's partly a numbers game for them. Although exploiting and infecting millions of machines may attract LE attention at some point, it's a risk some are willing to take in pursuit of millions of dollars that could probably be better made elsewhere with the same effort. So take, for example, the current DNSChanger cleanup. Here is a traditional profit motivated 4 million PC and Mac node malware case worked by the Fbi, finishing with a successful set of arrests and server takedown.

Research|Where is my privacy?

Vicente Diaz
Kaspersky Lab Expert
Posted March 02, 13:21  GMT
Tags: Privacy

When we upload something embarrassing about ourselves to, lets say Facebook, thats completely our fault. But there are other subtle ways to get information about us. Lets say a few words about tracking.

Every time you visit a website you request HTML that will be rendered in your local browser. This code may include external references, so you will request them as well. Nothing to be afraid of so far.