18 May NoSuchCon 2013 Stefano Ortolani
17 May Malicious PACs and Bitcoins Fabio Assolini
13 May Telecom fraud — phishing and Trojans combined Dong Yan
27 Apr CeCOS VII Michael
25 Apr Security policies: remote access programs Kirill Kruglov
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
The Parental Control component in our products has already been described in detail. The component’s main task is to help parents safeguard their children from the hidden dangers of uncontrolled use of computers and the Internet. By default the component is not enabled – it has to be activated by the parents themselves.
Parental Control puts parents in charge of all their children’s online activities. This includes scheduling the days and hours the computer can be used and the Internet accessed, restricting how your child can communicate in chat rooms and social networks as well as saving any correspondence, and, importantly, blocking access to websites with harmful or undesirable content.
There are 14 such categories of sites in Kaspersky Lab products. Parents can decide which type of sites their child will not be able to access. When Parental Control is activated, access to the following categories of websites is blocked automatically:
Any of the above categories can be unblocked if necessary, while the following categories can also be added to the list:
Kaspersky Security Network (KSN) helps us gather statistics from users of Kaspersky Lab products, including alerts triggered by the Parental Control component.
It should be noted that the breakdown depends not only on the number of attempts to access websites from a category blocked by Parental Control but also on the specific categories that have been flagged by parents.
The Top 10 includes those categories of sites that are flagged automatically when the Parental Control component is activated, plus two of the categories that have to be activated by parents – ‘Social networks’ and ‘Online shopping’. Three categories lead the others by a wide margin, with ‘Pornography, erotic materials’ way out in front. Every month KSN registers 60 million attempts to access sites from this category on computers where this category was flagged in Kaspersky Lab’s Parental Control component. ‘Social networks’ is in second place with 16 million alerts per month, followed closely by ‘Illegal software’ (14.3 million alerts per month).
Does the breakdown of Parental Control alerts differ from country to country? To find out, we compared the alerts triggered by the component in countries from different parts of the world, namely Russia, Germany, the UK, the US, Japan, Brazil and Saudi Arabia.
In April 2012, several stories were published about a mysterious malware attack shutting down computer systems at businesses throughout Iran.
Several articles mentioned that a virus named Wiper was responsible. Yet, no samples were available from these attacks, causing many to doubt the accuracy of these reports.
Following these incidents, the International Telecommunication Union (ITU) asked Kaspersky Lab to investigate the incidents and determine the potentially destructive impact of this new malware.
After several weeks of research, we failed to find any malware that shared any known properties with Wiper. However, we did discover the nation-state cyber-espionage campaign now known as Flame and later Gauss.
It is our firm opinion that Wiper was a separate strain of malware that was not Flame. Although Flame was a highly flexible attack platform, we did not see any evidence of very destructive behavior. Given the complexity of Flame, one would expect it to be used for long-term surveillance of targets instead of direct sabotage attacks on computer systems. Of course, it is possible that one of the last stages of the surveillance was the delivery of a Wiper-related payload, but so far we haven-t seen this anywhere.
The Java 0day activity that we have been monitoring and preventing for almost the past week has been irresponsibly reported on other blogs, with early posts publicly linking to known sites serving the 0day. In itself, the race to publish on this 0day that will be assigned CVE-2012-4681 (a problem with processing access control within "protection domains"), has been irresponsible. Would you encourage folks to walk down a mugger's dark alley with no protection or would you work to communicate the muggers' whereabouts to the right folks and work on lighting the alley or giving better directions? Would you provide muggers with some new weapons that they haven't considered? The efforts this time around seem misplaced.
Anyway, initial sites hosting the exploit were unique and spreading known APT related toolset components, including a Poison Ivy variant. Here is a somewhat unexpected heat map of early, related PIvy detections.
All the related malware that I have seen to this point targeted Windows systems. The exploits are effective against Java 7 and since the initial targeted attacks, news and the samples spread throughout the broader security community and the exploits made their way to metasploit developers, who added PoC to the open source framework. In turn, the Blackhole authors added the exploit to their COTS. So the attacks are widespread at this point. The first victim regions to be hit with the Blackhole stuff were the US, the Russian Federation, Belarus, Germany, the Ukraine and Moldova. But, in relation to the other exploits included in the pack, victims are getting hit only a fair number of times with the 0day. Internet Explorer users are being hit the most, followed by Firefox, Chrome, and Opera, and then a variety of other applications that handle URLs within their documents and eventually pass the malicious .jar on to a Java client, like Adobe Reader.
We are using a variety of detections and techniques to identify the malicious sites, the web pages involved, the exploit code, and the backdoor payloads delivered by these sites. Even though this particular Java 0day is getting hyped, other older exploits in the Blackhole exploit pack continue to get hit on victim systems with higher volume. So our community is protected from the Blackhole sites themselves, the Blackhole webpages serving the Blackhole Java 0day, compromised sites redirecting to the Blackhole sites, the more prevalent older Blackhole exploits and their delivery pages, and the trojans being delivered by these Blackhole sites. In addition to all that, Kaspersky "Advanced Exploit Prevention" adds another runtime/behavioral layer of protection against the 0day itself with with "Exploit.Java.Generic". This addition is the most interesting to myself - exploit pack authors have been focused on improving their Java exploit server-side polymorphism, and this AEP feature defeats those efforts. So, our user community will see access denied altogether for current Blackhole sites, individual Blackhole web pages detected with variations on "Trojan-Downloader.JS.Agent", the backdoors detected with "Trojan.Win32.Generic" and others (i.e., 61A3CE517FD8736AA32CAF9081F808B4, DEC9676E97AE998C75A58A02F33A66EA, 175EFFD7546CBC156E59DC42B7B9F969, 0C72DF76E96FA3C2A227F3FE4A9579F3), and the 0day Java exploit code detected with "HEUR:Exploit.Java.Agent.gen" (i.e. E441CF993D0242187898C192B207DC25, 70C555D2C6A09D208F52ACCC4787A4E2, E646B73C29310C01A097AA0330E24E7B, 353FD052F2211168DDC4586CB3A93D9F, 32A80AAE1E134AFB3D5C651948DCCC7D) among others, along with the runtime AEP prevention. So while you may see a few links to Virustotal with the inevitable complaining that a scanner is missing a specific chunk of altered code along with innaccurate claims that "AV is dead!" or "AV can't detect it", you should take them for the grain of salt that they are. The real story about client side mass exploitation is more complex than those claims. Some researchers call the various points in a delivery vector a kill chain, and Kaspersky products are killing it.
At the same time, Oracle needs to step it up and deliver an OOB patch, which historically they have failed to do. Maybe this event will provide even more pressure to step up their security update delivery process. They have been snapping up some good security research talent and beginning to reach out, which is a start. A very late start.
UPDATE (2012.08.30): Oracle patches CVE-2012-4681 and two other client side RCE vulnerabilities. It is probably a better idea for Windows users to go to their control panel, find the Java applet, and use the Java update software to manually get the latest JRE 7 and 6 releases - the default delay for the Java Update package to check is currently one week for the Java 7 installer.
It was not a closed-door event; we had guests from 13 countries of the region including our panelists from law enforcement agencies who work every day in the fight against cybercrime:
Greetings from the IDC Security Roadshow in Johannesburg, South Africa! I am sitting here in the hotel lobby looking out at the Nelson Mandela Square listening to the explosive track from DJ Fresh - The Feeling (Ft. RaVaughn) (Metrik Remix), reflecting on the last couple of days and the discussions Ive had with various people.
I have been giving a few interviews and I was also presenting at the IDC security conference; my presentation is called The Diary of a Security Geek and it includes material from a one year long research project I have had. It basically contains observations made during these conferences and some really interesting facts on how security managers see IT security, how they prioritize and some interesting false perceptions on IT security and risks. I know that some of you might be interested in this research, so dont worry - I will publish my research at a later date and I will also be giving the same presentation on quite a few conferences around the world this year.
Earlier today, we received an interesting collection of samples from colleagues at another anti-malware company.
The samples are especially interesting because they contain a module with the following string:
Of course, the ?wiper reference immediately reminds us of the Iranian computer-wiping incidents from April 2012 that led to the discovery of Flame.
The malware is a 900KB PE file that contains a number of encrypted resources:
NULL != encSection
NULL != pathVar && curPos < pathVarSize
NULL != progFilesDirs && curPos < progFilesDirsSize
NULL != isExpected
NULL != key
(NULL != result) && (NULL !=str1) && (NULL != str2)
The files also contain an encrypted resource 100 that seems to be the actual payload, given the relatively small size of the encrypted sections. It is most likely that the section .exsdat contains the code for decrypting the resource and executing its contents.
After the publication of our whitepaper about the Gauss cyber-attack, we have been asked if there is an easy way for users to check their system for infection. Of course the most reliable way is to download and install our antivirus solution or use the free Kaspersky Virus Removal Tool.
If someone needs to double-check or for some reason cannot download full antivirus package, we offer a quick and easy way to check for the presence of Gauss component.
The idea of checking the system using a webpage comes from the wellknown Hungarian research lab, known as CrySyS. They have also introduced a web-based method to check your system for Palida Narrow. Their test webpage is currently available here: http://gauss.crysys.hu.
We used the same idea and tried to improve the detection method. Now it works without server interaction.
Yesterday it was a dark day for many companies in Europe, but especially in the Netherlands. A piece of malware known as Worm.Win32.Dorifel infected over 3000 machines globally, and 90% of infected users were both from public and business sector organizations based in the Netherlands. We have seen government departments and hospitals being victims. The other countries with a large amount of infections were detected in Denmark, the Philippines, Germany, the United States and Spain. All users running Kaspersky Labs Products are protected from this threat.
The malware is initially distributed via email to victims. It uses a Right To Left vulnerability to hide its original file extension. The malware then downloads another malware which encrypts documents and executes them on the infected computer. Dorifel also attempts to encrypt files found on network shares.
When I was sitting down and investigating the Dorifel malware I noticed that the servers hosting the Dorifel malware was not configured properly and allowed for example directory listing in certain directories. This triggered me to search for more interesting directories, which I did and to my surprise I noticed that the server was hosting a lot more malicious components and not just the Dorifel malware. It is very difficult to say if this scam is complex and advanced since it uses many different components with different complexity level. Some of the interesting things I found includes:
What is Gauss? Where does the name come from? Gauss is a complex cyber-espionage toolkit created by the same actors behind the Flame malware platform. It is highly modular and supports new functions which can be deployed remotely by the operators in the form of plugins. The currently known plugins perform the following functions:
The modules have internal names which appear to pay tribute to famous mathematicians and philosophers, such as Kurt Godel, Johann Carl Friedrich Gauss and Joseph-Louis Lagrange.The module named Gauss is the most important in the malware as it implements the data stealing capabilities and we have therefore named the malware toolkit by this most important component.
|Variant||Path to project files|
|Dec 2011-Jan 2012||c:\documents and settings\flamer\desktop\gauss_white_1|
Ten months ago weve published an article about ZeuS-in-the-Mobile which contains an overview of everything we knew about ZitMo at that moment. The paper finishes with the following prediction: they [attacks involving ZitMo] will become more specifically targeted against a smaller number of victims. This prediction appears to have been correct. Its not that often when we hear/find new wave of ZeuS-in-the-Mobile (or SpyEye-in-the-Mobile) attack. So every new piece of information about these types of malware and/or attacks involving them is very important and helps to understand the evolution of one of the most interesting threats in mobile space so far. Just a small reminder: ZeuS-in-the-Mobile is almost 2 years old. And this blog is about new samples (and probably new wave of attack)) of ZitMo for Android and Blackberry.
New samples overview
Weve got 5 new files of ZitMo: 4 for Blackberry and 1 for Android. As you may know, the Blackberry platform has never been actively targeted by malware. And here we have 4 different samples of ZeuS-in-the-Mobile for Blackberry at once: 3 .cod files and 1 .jar file (with one more .cod inside). Yes, finally weve got a ZitMo dropper file for Blackberry.
As for Android, there is only one .apk dropper. But this ZeuS-in-the-Mobile for Android has been modified and now looks like a classic ZitMo with same commands and logic.
Countries and C&C numbers
All samples of ZitMo weve seen so far target users from various European countries (Spain, Poland, Germany, etc). This case is no exception. Here is a list of countries from which users are threatened by new ZeuS-in-the-Mobile with C&C number from the sample.
To summarize, there are 3 countries (Germany, Spain and Italy) and 2 C&C numbers (both are Swedish). We found out that these cell phone numbers belong to Tele2 mobile operator in Sweden.
Im pretty sure that most of you guys know about the recent phone scam which is circulating right now. They have been calling a lot of people in countries such as Germany, Sweden, the UK and probably more. The scam is pretty simple; they pretend to be from a department within Microsoft which has received indications that your computer is infected with some malware. They will then offer (for free) to verify if this is the case. If the victim agrees on this, they will ask the victim to perform certain actions, and also type certain commands, which will trick a non-experienced user that the output is actually showing that the computer is infected.
I just want to mention that there is no such department at Microsoft, and they would never call up customers offering this. So if you ever get a call from Microsoft stating that there are some indications that your computer is broken or infected - please hang up!
Well, they have called me several times, and finally Ii got fed up with this and started to play along. At the same time I had my virtual machines running and was recording everything that they were doing. The goal was to find out who they were and exactly what the scam was. Luckily I was able to get hold of information such as their internal IP addresses, the PayPal accounts used to wire money and the numbers they are calling from.
Probably the two most important security conferences in the world are held in Las Vegas during the same week, gathering more than 15,000 attendees and offering dozens of talks. Even if you are here, you will find a situation where you want to attend 2 or 3 talks at the same time, or the frustration of attending one talk only to find there is no room left for you in the next one you wanted to attend.
So I thought it would be useful, whether you were in Las Vegas or not, to highlight the most relevant things that happened there during these 2 weeks, in my opinion:
The appearance of a new Android malware family is not that surprising at all today. Especially when we talk about SMS Trojans which are one of the most popular and oldest type of threats created for extracting money from users. A new family of SMS Trojans named Vidro appeared a few days ago but weve already collected a lot of APK files with very similar functionality. At the moment all the samples we have found target users only from Poland.
Trojan-SMS.AndroidOS.Vidro is spread via porn sites. The mechanism is very similar to the way the very first Android malware (Trojan-SMS.AndroidOS.FakePlayer) spread. If the user visits a porn site with a desktop browser he will see something similar to this:
But if the potential victim somehow visits the same website using an Android device, a porn web site will be optimized for the smartphone:
Recently, we came across web malware that instead of injecting an iframe pointing to a fixed existing address generates a pseudo-random domain name, depending on the current date. This approach is not new and is widely used by botnets in C&C domain name generation, yet it's not very common for the web malware weve seen so far.
After deobfuscation, we can see that the iframe redirecting to the malicious URL with generated domain name is appended to the HTML file. All URLs consist of 16 pseudo-random letters, belonging to the ru domain and execute PHP script on the server side with the
sid=botnet2 as argument: