04 May “I want your clothes, shoes, and motorbike” Natalia Zablotskaya
23 Feb We help you to survive this crisis! Dmitry Bestuzhev
01 Apr Don't be an April Fool! Dmitry Bestuzhev
06 Feb Paris Hilton spam Roel
29 Aug Botnet losing ground VitalyK
28 Jun A green grin Costin Raiu
It’s a classic type of network fraud: you receive a letter asking you to send the login and password for your e-mail/online wallet/gaming account/etc. If you fail to comply, the phoney “support service” that sent the message threatens to limit or even block your access to the service.
Today our spam traps detected a letter like this in which the fraudsters were trying to swindle users out of their activation codes for… Kaspersky Lab products! However, that’s not all – they also wanted to know the recipient’s residential address, mobile phone number and credit card number. They only stopped short of asking for the house keys.
“Dear User! Thank you for choosing our products. Unfortunately, recently more and more hackers have tried to use our name to steal information! Kaspersky Lab always cares about your security therefore we believe it is necessary to inform you about new malware! Please be informed that we have carried out preventive measures aimed at combating hackers! To confirm that you are using our licensed product please send us your full activation code information. Please also send your residence address, mobile phone number, credit card number (in order to pay for a license extension). Otherwise, our company will have to impose severe sanctions, including blocking access to your operating system. Best regards, Kaspersky Lab.”
Hopefully, our users are not naïve enough to fall for such a primitive scam. There’s no need to explain that Kaspersky Lab would never send out letters like this, especially such threatening messages. It’s nothing more than a crude attempt to obtain some confidential data from some unsuspecting user.
To be fair, the letter does contain a number of true statements. For instance, it states that hackers make use of our name, which they do. And the authors state that Kaspersky Lab cares about the security of its users. That’s also true.
There have been a lot of variants of Email-Worm.Win32.Iksmas around lately. Now that Valentine's Day is over, we might have expected to see fewer of them, but no.
There's been a new flood of mass mailings spreading Iksmas - instead of professions of endless love, these messages are offering money saving coupons. And who's going to say no to a special offer?
The name of the worm executable varies, but all the names have one thing in common - save.exe, nocrisis.exe, etc. all reference the economic situation.
Of course, special offers are great, and we could all use a bit more cash. But stick to offers you know are genuine; if you go for scams like this, you're just putting money in the spammers' pockets.
It's been clear for a long time that virus writers will take whatever opportunity they can to spread their malicious code. One popular approach is exploiting public holidays and other well-known days on the calendar – the St. Valentine's Day spam this year is a case in point.
The approach is particularly effective if the holiday is an international one – the result is an increased pool of potential victims.
Last night, on the eve of April Fool's Day, we started seeing a wave of new modifications of the notorious Zhelatin worm. At the time our mail pots started picking up on these messages, no antivirus company was detecting the latest version of the worm.
This latest attack took the usual approach:
1: Prepare the bot machines
2: Mass mail spam containing a link to a site
3: Malicious code is automatically downloaded to the victim machine when the site is viewed
Last week there was a lot of speculation going round that Paris Hilton has changed her sexual orientation. A couple of years ago when she was making the news, IM-Worm authors played on this. With these latest rumours – I am an AV researcher after all - I immediately thought that the bad guys would find some way to use these rumours. Unsurprisingly, this prediction turned out to be true. Over the last couple of days we've seen spam being sent out which contains a link in it claiming to be a Paris Hilton video.
The social engineering is obvious – although it's amusing that the video title mentions men rather than women. Putting this aside, it's rather an odd case from a technical point of view.
The URL leads to a simple Trojan-Downloader which is packed using FSG. It doesn't have any anti-AV functionality. In turn the Downloader downloads two files, one for harvesting email addresses from the victim machine and one for sending out spam. One of those is stuffed with anti-AV techniques.
Of course, using Trojan-Downloaders is extremely common these days. What's strange is the combination of such a simple Trojan-Downloader which downloads highly sophisticated malware.
And given that the Trojan-Downloader will be heuristically detected by quite a number of virus scanners, including ours, the chances of actually getting infected are slim. This leaves me wondering if this unusual combination was created by the authors by accident, or by some strange design.
Over the last couple of weeks we've been closely following the behaviour of a botnet with a C&C (command and control) center based on a popular web-based engine.
We waited for it to grow (see previous posts) and it was interesting to see the increase in the number of infected machines. And now the scale of the botnet is shrinking.
Today the botnet was made up of 6000 zombies, even though a week and a half ago there were more than 14 000! What happened? We took a look and found that there's a significant difference between the total number of infections and the actual number of infected machines.
Let's take a look at the zombie network stats that we got today:
Subtract "GENERAL NUMBER BOTS" from "GENERAL NUMBER OF INFECTIONS" and there's a difference of about 10 000. This means the botnet is losing its bots!
Now let's compare the very same stats with the ones that we captured while the botnet was still growing:
The difference between "GENERAL NUMBER OF INFECTIONS" and "GENERAL NUMBER BOTS" is less than 500!
These differences are explained by the fact that AV companies have been busy detecting malicious files which were used to create the botnet. The time taken before all AV vendors detected the files was several days. During this time bots were detected and removed from PCs and this is why the botnet is losing its clients. And every day, as more and more users update their AV databases the botnet continues to lose ground...
Earlier today we intercepted a number of mailings with a new Warezov downloader. The good news is that it's already detected as Email-Worm.Win32.Warezov.pk, which we added to our database two days ago.
What's interesting about the mails is that along with the usual executable (which in this case is called "access.exe") the messages have a couple of PDFs attached.
The PDFs, which are otherwise harmless, contain alleged financial transactions. Here's an example:
If you get tricked by these and get to run the executable, it will contact kitinjderunhadsun.com and download another executable from there. This second exe is 91095 bytes in size, and we detect it as Email-Worm.Win32.Warezov.iq.
We detected the first version of Warezov almost one year ago and after all this time, the gang behind these worms is still roaming free. I'm really looking forward to the day they get caught.
We've been receiving a number of new samples of Trojan-Downloader.Win32.Delf.awg from users. It looks like this program, which will download Email-Worm.Win32.Scano, Trojan-Proxy.Win32.Xorpix and Trojan-PSW.Win32.LdPinch, has been widely spammed.
Delf.awg hides its network activity from firewalls by injecting into the svchost.exe process. The Trojan creates its own thread inside svchost.exe and uses it to download the malware, thus avoiding firewalls, which naturally allow network activity for svchost.exe.
The bad news is that you always need to be careful, and never open suspicious attachments. The good news is that KAV 6.0 and KIS detect these new modifications of Delf proactively. So even if you haven't managed to update recently, you're still protected.
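The injection trick described above leaves a trace a defender can look for: a thread created in svchost.exe by an image that is not a normal system component, often starting at an address outside any loaded module. The following is an added example, not Kaspersky Lab code; it runs a simple detection over constructed, simplified Sysmon-style "key=value" events (the field names and the trusted-injector allowlist are assumptions to be tuned per environment).

```python
import re

# Images that normally create threads in svchost.exe on a typical host.
# This allowlist is an assumption; tune it for your environment.
TRUSTED_INJECTORS = {"services.exe", "csrss.exe", "lsass.exe", "wininit.exe"}

# Constructed sample log: event=8 is "remote thread created", event=3 is a
# network connection, in a simplified Sysmon-like layout (paths have no spaces).
SAMPLE_LOG = r"""
event=8 SourceImage=C:\Windows\System32\services.exe TargetImage=C:\Windows\System32\svchost.exe StartModule=C:\Windows\System32\ntdll.dll
event=8 SourceImage=C:\Users\victim\AppData\Local\Temp\attachment.exe TargetImage=C:\Windows\System32\svchost.exe StartModule=
event=3 Image=C:\Windows\System32\svchost.exe DestinationIp=203.0.113.7 DestinationPort=80
event=8 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\notepad.exe StartModule=C:\Windows\System32\ntdll.dll
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_event(line):
    """Turn one 'key=value key=value' log line into a dict."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def find_svchost_injections(log_text):
    """Return one alert per remote thread created in svchost.exe that comes
    from an untrusted image or starts outside any loaded module."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("event") != "8" or basename(ev.get("TargetImage", "")) != "svchost.exe":
            continue
        source = basename(ev.get("SourceImage", ""))
        reasons = []
        if source not in TRUSTED_INJECTORS:
            reasons.append(f"untrusted source {source}")
        if not ev.get("StartModule"):
            # Injected code lives in private memory, not in a mapped DLL/EXE.
            reasons.append("thread start address outside any loaded module")
        if reasons:
            alerts.append({"source": ev["SourceImage"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_svchost_injections(SAMPLE_LOG):
        print(alert)
```

The event=3 line is deliberately left alone: a connection from svchost.exe looks legitimate on its own, which is exactly why the thread-creation event, not the network event, is the useful signal here.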