The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1
Latest posting
By rating
By popularity

Join our blog

You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.

Events|VB2012 day 2

Vicente Diaz
Kaspersky Lab Expert
Posted September 28, 17:28  GMT

One of the things I donīt like from conferences is when there are two talks you want to attend scheduled at the same time. And this is what happened to me in VB2012.

Fortunatelly David was on the stage for a whole hour, so I attended his first half and then I switched to Fabioīs talk.

Incidents|A race against the spammers

Posted September 28, 15:02  GMT

A few days ago, the latest VBSpam results were published. The testing, conducted by Virus Bulletin in August, saw Kaspersky Linux Mail Security 8.0 detect 99.93% of all the spam messages used in the test. This is a new record for Kaspersky of which we are very proud (if the number of congratulatory emails flying back and forth between us is anything to go by). Eugene Kaspersky also mentioned the result in his blog (http://eugene.kaspersky.com/2012/09/27/kaspersky-server-anti-spam-no-longer-the-underdog-more-top-dog/)  – he’s proud of us too :)


Greetings from Dallas, Texas, where the anti-malware industry is meeting for the 22nd edition of Virus Bulletin.

Incidents|Hotmail: Your password was too long, so we fixed it for you

Costin Raiu
Kaspersky Lab Expert
Posted September 21, 16:04  GMT
Tags: Microsoft

Earlier this year, about 6.5 million LinkedIn account password hashes were published on a hackersí forum. The hashes were simple SHA1 digests computed from the userís passwords, as stored into the LinkedIn backend infrastructure.

It didnít take long for hackers to start cracking them, with over half of them cracked in almost no time.

There are two main reasons why such fast cracking was possible:

* the usage of the SHA1 function itself
* fast GPUs

Letís take a look look at both.

Events|EuSecWest 2012: That thing in your pocket

Ryan Naraine
Kaspersky Lab Expert
Posted September 20, 12:45  GMT

AMSTERDAM -- As part of my job monitoring security threats and trends for Kaspersky Lab's global research team, I'm exposed to a healthy dose of paranoia from white hat researchers who find it trivial to hack into modern operating systems and platforms.

After a few days of hanging out in the hallways with exploit writers, I find myself clutching my laptop to my chest a little tighter and constantly peeking at my mobile phone to make sure nothing out of the ordinary is happening.

None of this paranoia is misplaced. Just pay attention to the lessons from the Pwn2Own challenges organized by the CanSecWest/EuSecWest folks (shout-out to Dragos Ruiu for putting together top-notch events) and you get a real-world understanding of why it's near impossible to keep away a motivated adversary.

This week, I had the opportunity to interview the hacking teams that used zero-day vulnerabilities and clever exploitation techniques to compromise fully patched iPhone 4S and Android 4.0.4 (Samsung S3) and the big message from these hackers was simple: Do not use your mobile device for *anything* of value, especially for work e-mail or the transfer of sensitive business documents.

For many, this is not practical advice. After all, your mobile device is seen as an extension of the computer and there is a legitimate need to access work e-mail on iPhone/iPad, Android and BlackBerry smart phones. However, whether you are a businessman, a celebrity or the average consumer, it's important to start wrapping your mind around the idea of separating work from play on mobile devices.

Incidents|Full Analysis of Flame's Command & Control servers

Kaspersky Lab Expert
Posted September 17, 13:00  GMT
Tags: Targeted Attacks, Flame, Cyber espionage

Our previous analysis of the Flame malware, the advanced cyber-espionage tool that's linked to the Stuxnet operation, was initially published at the end of May 2012 and revealed a large scale campaign targeting several countries in the Middle East.

The Flame malware, including all of its components, was very large and our ongoing investigation revealed more and more details since that time. The news about this threat peaked on 4th June 2012, when Microsoft released an out-of-band patch to block three fraudulent digital certificates used by Flame. On the same day, we confirmed the existence of this in Flame and published our technical analysis of this sophisticated attack. This new side of Flame was so advanced that only the world's top cryptographers could be able to implement it. Since then, skeptical jokes about Flame have disappeared.

Later in June, we definitively confirmed that Flame developers communicated with the Stuxnet development team, which was another convincing fact that Flame was developed with nation-state backing.

We also published our analysis of the Flame command-and-Control (C&C) servers based on external observations and publicly available information. That helped our understanding of where the C&C servers were located and how they were registered.

With this blog post, we are releasing new information that was collected during forensic analysis of the Flame C&C servers. This investigation was done in partnership with Symantec, ITU-IMPACT and CERT-Bund/BSI.

News|Spam one step ahead of iPhone 5 release

Posted September 12, 09:01  GMT
Tags: Apple iPhone, Apple

Apple fans are eagerly awaiting the arrival of iPhone 5 which is due out today. Each unveiling of an iDevice is accompanied by a global buzz of excitement which usually attracts the attention of spammers: every new iPad or iPhone inevitably becomes the bait in numerous fake lotteries and other fraudulent emails.

However, customers are not only interested in Apple’s devices but also their accessories. This year’s first registered mass mailing dedicated to the new iPhone came from a Chinese company that has decided to fill this niche.

The advertiser, having first apologized for any inconvenience that may be caused by the email, offers users the chance to buy a case for the new iPhone 5 which has not even been officially presented.

Considering the sort of promises that usually appear in spam, one can only wonder why the sender didn’t offer an actual iPhone 5 or, better still, an iPhone 6 (or whatever it’ll be called in 2013? iPhone 5v?).

comments      Link

Incidents|Shamoon The Wiper: further details (Part II)

Dmitry Tarakanov
Kaspersky Lab Expert
Posted September 11, 14:30  GMT
Tags: Targeted Attacks, Wiper

There have been persistent media reports that the Shamoon wiper malware we previously covered is linked to attacks against Saudi Aramco.

The hardcoded date in the body of destructor matches exactly the declaration by a hacker group about the date and time when the Saudi Aramco company would had been hit but we still cannot definitively confirm that Shamoon was to blame for those attacks.

And just about two weeks later, another energy company in the Middle East (RasGas) fell victim to another malware attack and the media has logically asked questions about whether Shamoon was responsible.

We leave the speculation up to others and concentrate strictly on sharing technical details. This is the continuation of our investigation into Shamoon:


The main Shamoon module has a resource PKCS7:113 that maintains an executable which is saved to disk as %WINDIR%\System32\NETINIT.EXE and this program poses a module to communicate with CNC. This program waits for parameters to be run with. The author was not too creative and coded a handling of just two argument values which can be ?0Ā or ?1Ā.

If ?0Ā, the program takes a second argument and treats it as a data to be passed to CNC. With this argument value, the malware connects to CNC just once and stops executing. We have not located any place in the Shamoon code where netinit.exe would be run with argument ?0Ā.

But as you would recall, we did locate the place where netinit.exe is launched with a command line ?netinit.exe 1Ā. The program then enters into a loop until another destructive module creates a file %WINDIR%\ inf\netfb318.pnf signaling that the time has come to wipe data and kill the operating system. While netinit.exe waits for that file it regularly connects to CNC to report itself and receiving commands.

Events|Thoughts from the Nordic Security Conference

David Jacoby
Kaspersky Lab Expert
Posted September 10, 08:17  GMT

Yabbadabba doo!!

The Nordic Security Conference on Iceland is now over, and i must say that it was an amazing conference with several top notch presentations from both local and international researchers. The line up for a conference that was running for the first time was very impressive, and i am pretty sure that history in the Nordic IT-security industry was written this weekend.

I was asked by the organizers to do the keynote and open the conference with the presentation A Diary From A Security Geek which i felt very honored to do. The presentation was the same which i gave in South Africa at the IDC Security Roadshow just some days ago. What i understood from the conversations during the breaks and also after the conference it seems that the keynote was very well received and the majority of the other speakers also made some nice references to it in their talks.

The Nordic Security Conference was located on Iceland, in Reykjavik. Even that the excursion was cancelled due to the bad weather (storm) i must say that Iceland is a very beautiful country. Even before you land and are sitting in the plane looking over Iceland you can see the amazing nature that country have. You can see everything from glaciers, volcanos, hot geysers.


How easy is it for bad guys to buy valid digital certificates from CAs using fake data and then start signing Trojan bankers with them? In Brazil it appears to be very easy.

Today most software developers digitally sign their programs. The process involves Certification Authorities (CAs) that must verify the authenticity of the files and issue a certificate to the developers.

As we know, valid or stolen digital certificates are used by some malware authors to create files that can go undetected for some time and be recognized as legitimate. Now Brazilian cybercriminals have started using this technique in their malware in an attempt to gain more time to spread files undetected. Recently we found a Trojan banker signed with a valid digital certificate issued by a CA. It appears that fake company data was used to obtain the certificate.

How easy is it for a CA to check if the data they receive is legitimate or not? Brazilian cybercriminals registered a domain called gastecnology.org, copying the name of a well-known and trusted local software company. This is the data used to register the domain: