The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1
Latest posting
By rating
By popularity

Join our blog

You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.

Events|Defcon is 20 Years Old in 2012

Kurt Baumgartner
Kaspersky Lab Expert
Posted July 30, 17:40  GMT
Tags: Microsoft, ARM

Defcon 2012 marked its 20th anniversary with unexpected speakers, some pretty tough content, and the cultural dark magic that buzzes the conference every year.

The Dark Tangent welcomed Mark Weatherford. an ex-Navy and Raytheon security guy that became the CISO of the State of Colorado and California and then CSO at the highly regulated NERC before recently moving on to a top spot at the Department of Homeland Security. Weatherford provided some insight into the amount of attacks he sees every day, and then moved on to explaining that some of the best people he is working with don't have a college degree and some recruiting - they are hiring.
The next, huge name that Dark Tangent brought out was General Keith Alexander, Commander of the US Army CyberCom and Director of the NSA/CSS. It seems to be a sign of the times that the hacker community would be approached by the individual building out what is becoming the largest group of "cyberwarriors" in the world, attempting to draw shared principles and parallels between the groups. The guy was genuinely funny, rolling out jokes throughout his talk and Q&A answers, inviting kids onstage and showing off multiple tshirts. Aside from the explanation of their mission and the recruiting talk, a couple other interesting topics came up. According to Alexander, folks should know better than claiming that the NSA maintains files on every individual in the US, and he thinks that the Cybercom doesn't need to become larger than the current US Navy, partly because of the power that automation and smart work provides. Oh, and they are hiring. It was a repeated theme this past week.

A couple of the talks were shocking in their presentation. FX from Phonoelit and Recurity Greg analysed just how bad Huawei router code really is from a security perspective, it was almost unbelievable for a product line from a $21 billion company. Their preso began with a Code Quality slide that they claimed was almost left empty. Every slide's content made it seem like Huawei security practices and implementation couldn't be worse than suggested by the previous slide, but it did. And it was bad. After pouring over the router codes' open services and inability to be disabled, they described a lack of security advisories and updates, interrupt tables with RWX access, a Chinese-only debug interface, a lack of any communication channel whatsoever for reporting vulnerabilities, and a lack of real security development lifecycle throughout the code development, they followed Huawei's lead and copy/pasted their decades old Cisco IOS exploit code into exploits developed for these Huawei routers, targeting 90s style vulnerabilities. The company clearly has't also taken security lessons learned from Cisco's experience in this space.

At first, I was disappointed that the "Dr Strangelove" nuclear power plant SCADA system talk was cancelled without notice to attendees until arrival at the talk. It was replaced with a talk on SCADA HMI (or human-machine interfaces) security issues from Wesley McGrew titled "SCADA HMI and Microsoft Bob: Modern Authentication Flaws With a 90's Flavor". At face value, it sounded comparably uninteresting. But, it was eye-opening. The talk itself weaved through known, commonly approached technical problems that were met with disturbingly juvenile, incorrect security implementations - these systems are critical infrastructure and security requirements are not being met. This talk was complemented by Alberto Garcia Illera's pen-testing adventures in the transportation systems of Spain, using simple, unforeseen flaws in publicly accessible systems, to peel layers back until they reached the poorly protected SCADA systems called "How to Hack All the Transport Networks of a Country". The first talk revealed incredibly weak implementations in SCADA systems, and the second revealed exactly why those weaknesses need to be fixed and better understood by their developers and vendors.

Events|Looking back at BlackHat

Kaspersky Lab Expert
Posted July 28, 04:22  GMT
Tags: Conferences

BlackHat USA may have been wrapped up for the year but DEFCON is in full swing. I didn't stay around for DEFCON though, which means I finally have some time to reflect on BlackHat.

This year featured the first time Apple presented at BlackHat, about iOS security. While the presentation lacked the details usually seen in BH talks it definitely showed Apple is trying to open up. Being (more) communicative is vital to doing security response right.

This is of particular importance for Apple as there were quite a few talks focusing on Apple's security. Ranging from attacks on iOS to Mac-oriented EFI rootkits.


The Blackhat 2012 keynote started the event with Shawn Henry, former Executive Assistant Director of the Fbi, painting a grim, seemingly unspeakable picture of cyberespionage in the US. It was interesting that he continually spoke about the gravity of the situation and the need to apply what he learned at the Fbi to protecting digital assets, but he couldn't describe a single concrete example. At the same time, other than a weapon of mass destruction, he claimed that cyber threats are the single biggest problem facing this nation. This inability to convey concrete details during the Blackhat keynote only highlights some of the problem in understanding the cyber problem. And it's the problem of overclassification of computer network exploitation (CNE) incidents and a tangled set of dynamics that silence breach data sharing and exchange. There is a long way to go here to fixing it.

While parts of the talk were very interesting, especially discussion of creating a hostile network for your adversaries and taking intrusion tolerance a step further, it was criticized for being a bit self-promoting. All across the twittersphere, tweets like this one protested signs of this year's corporate influence.

The two days of talks explored some new territory. Day 1 included "Advanced ARM Exploitation", where Stephen Ridley and Stephen Lawler provided some more indepth Android exploitation details and the quirks in exploring the software and developing exploits on the platform. For example, ROP techniques are required even to perform the ancient ret2libc technique on Android. They poured over data manipulation on ARM and particular assembly level tricks, specifics of discovering ROP pivots and pushing data into the stack on ARM for control. The talk provided content from their hands-on, 650+ slides across 12 decks, 80 page lab manual, multi-day course "Practical ARM Exploitation".


In our previous blogpost, we discussed the Madi campaign, uncovered through joint research with our partner Seculert.

In this blogpost, we will continue our analysis with information on the Madi infrastructure, communications, data collection, and victims.

The Madi infrastructure performs its surveillance operations and communications with a simple implementation as well. Five command and control (C2) web servers are currently up and running Microsoft IIS v7.0 web server along with exposed Microsoft Terminal service for RDP access, all maintaining identical copies of the custom, C# server manager software. These servers also act as the stolen data drops. The stolen data seems to be poorly organized on the server side, requiring multiple operators to log in and investigate the data per each of the compromised systems that they are managing over time.

The services at these IP addresses have been cycled through by the operators for unknown reasons. There does not appear to be a pattern to which malware reports to which server just yet. According to sinkhole data and other reliable sources, the approximate locations of Madi victims are distributed mainly within the Middle East, but some are scattered lightly throughout the US and EU. It seems that some of the victims are professionals and academia (both students and staff) running laptops infected with the Madi spyware, travelling throughout the world:

Here is an approximate global map representing the approximate location of Madi victims, dependent on GeoIP data. While the overwhelming percentage of Madi victims in the middle east is not best visualized in this graphic, it helps to understand the Madi reach:

Virus Watch|New malware for Mac: Backdoor.OSX.Morcut

Sergey Golovanov
Kaspersky Lab Expert
Posted July 26, 13:31  GMT
Tags: Apple MacOS

Yesterday lots of antivirus labs got a sample of the new antivirus program targeting MAC OS X users. This sample named Backdoor.OSX.Morcut was distributed using social engineering techniques via a JAR file with the name AdobeFlashPlayer.jar and allegedly signed by VeriSign Inc.

Notification from the JAVA virtual machine about the launch of the untrusted applet


Last night, we received a new version of the #Madi malware, which we previously covered in our blog.

Following the shutdown of the Madi command and control domains last week, we thought the operation is now dead. Looks like we were wrong.

The new version appears to have been compiled on July 25th as it can be seen from its header:

It contains many interesting improvements and new features. It now has the ability to monitor VKontakte, together with Jabber conversations. It is also looking for people who visit pages containing ?USAĀ and ?govĀ in their titles. In such cases, the malware makes screenshots and uploads them to the C2.

Here's a full list of monitored keywords:

"gmail", "hotmail", "yahoo! mail" , "google+", "msn messenger", "blogger", "massenger", "profile", "icq" , "paltalk", "yahoo! messenger for the web","skype", "facebook" ,"imo", "meebo", "state" , "usa" , "u.s","contact" ,"chat" ,"gov", "aol","hush","live","oovoo","aim","msn","talk","steam","vkontakte","hyves", "myspace","jabber","share","outlook","lotus","career"

Incidents|The Madi Campaign - Part I

Kaspersky Lab Expert
Posted July 17, 13:00  GMT
Tags: Microsoft Windows, Adobe PDF, Targeted Attacks, Microsoft, Madi

For almost a year, an ongoing campaign to infiltrate computer systems throughout the Middle East has targeted individuals across Iran, Israel, Afghanistan and others scattered across the globe.

Together with our partner, Seculert, we-ve thoroughly investigated this operation and named it the ?MadiĀ, based on certain strings and handles used by the attackers. You can read the Seculert analysis post here.

The campaign relied on a couple of well known, simpler attack techniques to deliver the payloads, which reveals a bit about the victims online awareness. Large amounts of data collection reveal the focus of the campaign on Middle Eastern critical infrastructure engineering firms, government agencies, financial houses, and academia. And individuals within this victim pool and their communications were selected for increased monitoring over extended periods of time.

This post is an examination of the techniques used to spread the Madi malware to victim systems, the spyware tools used, and quirks about both. In some cases, targeted organizations themselves don't want to provide further breach information about the attack, so some perspective into the parts of the campaign can be limited.


We speak about attacks on online providers that result in the leak of personal usersí passwords. Just recently we saw the leak of 6.46 million Linkedin user passwordss. Right after this we saw a leak of 400 thousand Yahoo Voices passwords. These are not isolated cases; nowadays we see many successful attacks that lead to personal data leaks. One more example of this is the leak of personal information of users of one of the popular Android forums and finally the hack of the NVIDIA developer forum. Itís worth saying that many successful attacks are just not announced and the Internet community doesnít find out about them.

So, how do we deal with cases when our passwords can be leaked? Obviously the end user canít do much to protect his on-line service provider and prevent the leak, but there are some basic tips on how to avoid a big disaster when our passwords are compromised.

1.†† †Use a different password for each different online resource. Never reuse the same password for different services. If you do, all or many of your other online accounts can be compromised.
2.†† †Use complex passwords. This means, in a perfect scenario, a combination of symbols, letters and special characters. The longer the better.
3.†† †Sometimes our online service providers donít let us create really complex passwords, but try to use long passwords, with at least 23 characters in a combination of uppercase and lowercase letters. A password of 23 characters (131 bits) would be ok.

For some users itís hard to remember complex passwords, in which case a good solution would be to use a password manager like Kaspersky Password Manager.

Remember, you canít stop your service provider being hacked, but you can avoid a bigger disaster when all of your accounts get compromised at once just because you used the same password!

Comment      Link

=== Not really, especially in Latin America. Every day we register lots of similar attacks, each abusing local DNS settings. Actually these attacks are a bit different because they modify the local HOST file but the principle is the same – redirecting the victim to a malicious host via malicious DNS records.

Latin American cybercriminals are used to recycling old techniques used elsewhere in the past and what is happening right now is a growth of attacks abusing local DNS settings. The latest social engineering-based malware attack in Mexico – which imitated the Mexican tax office – is a recent example of this.

Events|Patch Tuesday July 2012 - Focus on the Browser

Kurt Baumgartner
Kaspersky Lab Expert
Posted July 10, 17:49  GMT
Tags: Microsoft

This month's patch Tuesday brings a set of three "critical" bulletins focused on Windows/web browser component vulnerabilities and six other bulletins rated "important". In other words, two of the critical components are considered "Windows" components, but most likely would be attacked through the web browser. Also, the top priority bulletin patches the CVE-2012-1889 vulnerability being exploited not only by attackers targeting high value targets, but common-off-the-shelf/commodity exploit packs.

Kaspersky products detect malicious web pages exploiting CVE-2012-1889 with "HEUR:Exploit.Script.Generic". Addition of a working exploit targeting MSXML Core Services 3.0 within IE6 and IE7 XPSP3 to the Metasploit Framework on June 12th helped make this one more mainstream. While it may seem that targeting XP would limit its reach, it's important to note that various market share surveys and reports show that Windows XP continues to take major OS market share. Interestingly, the MS12-043 Bulletin addressing this vulnerability patches MSXML Core Services 3, 4, and 6, leaving out version 5. Versions 3 and 6 ship with Windows itself. Accordingly, msxml3.dll and msxml6.dll reside in c:\windows\system32 across all supported versions of Windows, while the other versions are installed by Microsoft Office and other software.

Also patching the potential for web client-side drive-by's, MS12-045 addresses an MDAC vulnerability, reminiscent of MS06-014, one of the longest lasting, reliable, most heavily targeted client-side vulnerabilities in Microsoft technology. It was taken advantage of for years by the Russian Business Network, purchasers of MPack, and later others, distributing Torpig and Rustock, while the nascent exploit kit market was solidifying back in 2006. It continues to be included in some of the live exploit pack control panels that we see. We'll see how this new MDAC issue compares.

The third of the bulletins fighting "critical" rated web client side vulnerabilities fixes a couple of newer vulnerability types being targeted ("Cached Object Remote Code Execution Vulnerability - CVE-2012-1522", "Attribute Remove Remote Code Execution Vulnerability - CVE-2012-1524") introduced by Internet Explorer version 9 itself. Versions 6, 7 and 8 do not maintain the vulnerable code.

With that, we leave you to your regularly scheduled patching.

Follow me on Twitter

Comment      Link

Events|DNSChanger - Last Call on Cleanup

Kurt Baumgartner
Kaspersky Lab Expert
Posted July 08, 08:12  GMT

UPDATE (7/9/2012):
Thank you Barry Greene and the DCWG. The DCWG-run DNS servers have been taken down:

"On 12:01 Eastern Time on Monday July 9th 2012, the DCWG stop responding to DNS queries from infected machines. This is in compliance with the US Justice Department Court Order authorizing the clean DNS servers.

At 12:23 Eastern Time on Monday July 9th 2012, the server started to reply to all DNS request with an ICMP Unreachable. This would help infected computers troubleshot their problem is they find they cannot access DNS servers."


Here we are. It's the last call on DNSChanger cleanup. On Monday, the Fbi-run replacement DNS servers are coming down because the court-ordered extension is coming to an end, and your systems may using these servers for resolution. There are a set of sites that may unreliably help you identify whether your machine or router continues to maintain DNS settings to the "DNSChanger" operators' servers. This unreliability is partly because upstream major internet backbone providers have created unintended confusion, and partly because of poor/ineffective web-side detection implementations.

In the US, 60k hosts are reported to require that their DNS settings remain to be changed. How many of those systems are truly "infected"? No one knows. And, the number could be inflated. It could be that none of these systems are infected. Or all of them could be infected. Perhaps all LAN-side systems behind home and corporate routers, or systems cleaned of malware that may still maintain artifacts of this infection, continue to use Rove Digital servers for DNS resolution.

In other words, it doesn't mean you have pneumonia, but you still have a cough. And it makes you extraordinarily more likely to get sick again. Some vendors' products, like here at Kaspersky, have been detecting the artifact DNSChanger settings on effected machines and offering to reconfigure these settings to a set of "clean" DNS servers. This DNS reset routine is presented by Kaspersky Endpoint Security 8.0 and 2010+ home products with this popup for "Trojan.Multi.DNSChanger.Gen":

Just click on "Yes" and your system's DNS settings will be reconfigured to use DHCP-assigned or clean, open DNS services. After host-side reconfiguration, it still would be interesting to visit the www.dns-ok.us sites to find out if your home router is still maliciously configured.

Incidents|The end of DNS-Changer

Kaspersky Lab Expert
Posted July 06, 13:28  GMT
Tags: Botnets, Infected Files and Devices, DNS, Microsoft

FBI's “Operation Ghost Click” was discussed earlier by my colleague Kurt here and here and now it comes to an end.

Next Monday, 9th of July, at 06:00 (MEZ) the temporary DNS-servers setup by FBI will be shut down. But still there are still thousands of infected machines – one can wonder, what will happen to them?

Computers in the internet have their own address – the IP-address. There are two versions:

  • IPv4 which is a 32-bit address e.g. and
  • IPv6 which is a 128-bit address e.g. 2001:db8:85a3:8d3:1319:8a2e:370:7347

You clearly see that these addresses are not so easy to remember compared to e.g. “kaspersky.com”. Therefore the “Domain Name System” was created which translates domain-names as “kaspersky.com” to their respective IP-address to connect to the server.

The DNS-Changer malware replaces the DNS-servers on the infected system with its own. FBI Press Release

The reason they do this is because it facilitates “Click Hijacking”. This is a technique where infected users are redirected to advertisement websites from the criminals and “Advertising Replacement” where on legitimate websites the advertisements were exchanged with one from the criminals.

Luckily, the FBI caught the criminals and installed temporary DNS-Servers in order to avoid a “black-out” for the mass of infected computers.

This temporary solution will come to an end on Monday when the servers are shut down. When this happens, the infected machines will no longer able to resolve domain names in order to connect to e.g. a website.

Of course, if you know the address of the server you can still use it instead of the name e.g. is “securelist.com” but this is not easy solution.

We would like to point out that despite the big noise around this topic, there is no need to panic. The solution is rather simple – read below for more.

First of all, it might be interesting to point out that in 2012 we detected 101.964 attempts by DNSChanger malware to infect our users.

The good news is that the infections were blocked and the number of infection attempts is going down.

For instance, this map of the past week shows that the amount of infection attempts/detections as decreasing. Of course, computers with no or old protection are still in danger of possible unspotted infections.

So, how to check if you are infected with DNSChanger?

The DNS Changer Working Group provides helpful information on their website – unfortunately, we previously mentioned that automatic websites setup for this purpose do not work 100% well. So, the manual solution of checking the DNS server IPs is better.

If you are infected, you can change your DNS entries to the free DNS-Servers from Google: and OpenDNS also offers two: and, which we also recommend for additional security features.

The best solution is of course to install a security suite capable of detecting and cleaning the infection and fixing the DNS servers.

Since many DNSChanger infections are accompanied by TDSS, a rather nasty rootkit, you can also use our tool “Kaspersky TDSSKiller” in order to detect and delete the infection

comments      Link

Incidents|Find and Call: Leak and Spam

Kaspersky Lab Expert
Posted July 05, 12:26  GMT
Tags: Mobile Malware, Google, Google Android, Apple

Yesterday we were contacted by our partner MegaFon, one of the major mobile carriers in Russia. They notified us about a suspicious application, which was found in both the Apple App Store and Google Play. At first glance, this seemed to be an SMS worm spread via sending short messages to all contacts stored in the phone book with the URL to itself.

However, our analysis of the iOS and Android versions of the same application showed that it’s not an SMS worm but a Trojan that uploads a user’s phonebook to remote server. The 'replication' part is done by the server - SMS spam messages with the URL to the application are being sent from the remote server to all the contacts in the user’s address book.

The application is called ‘Find and Call’ and can be found in both the iOS Apple App Store and Android’s Google Play. We’ve already informed both Apple and Google but we haven’t received an answer yet.

Find and Call in the Apple Store

Find and Call in the Google Play

All user comments (both in Apple Store and Google Play) are pretty angry and contain the same complaint that the app sends SMS spam:

Angry Birds comments


Recently, we wrote about Dalai Lama being a frequent Mac user. While this is true for his holiness, not all his supporters use Macs yet.

You may wonder why is this relevant? Well, on 6th of July, his holiness will be 77 years old, a kind of round number. There is no surprise that “Dalai Lama Birthday” attacks are already ongoing.

On July 3rd, we’ve noticed a new APT campaign entitled “Dalai Lama’s birthday on July 6 to be low-key affair”:


Browsing is a risky activity from a security point of view. The good old times when we could identify a bunch of suspicious sites and avoid them are gone forever. Massive infections of websites are common nowadays, blindly infecting as many sites as possible. Once these sites are compromised, the access is usually sold to cybercriminals. At this point the site hosts malware or redirects victims to some exploit kit.

We have seen this hundreds of times, for example the recent example such as the distribution of Flashfake through compromised Wordpress blogs.

Thanks to KSN we have nice stats of the sites browsed by our customers and detected as malicious. And thanks to KIS/KAV protection, users can happily continue browsing without further inconvenience.

I have been analyzing compromised sites with ES TLD during the last month, wondering what the most dangerous sites for Spanish users are. These are the top 5 verdicts: