
In China these days, e-commerce has become an important part of daily life, especially among young people. According to a report from CNNIC (China Internet Network Information Center), the number of Chinese e-commerce users reached 242 million at the end of December 2012, nearly half of all Chinese internet users.

Because of this, many Chinese cyber-criminals have switched from stealing QQ numbers or virtual assets in online games to stealing money during online trading. In October, People's Daily, the official newspaper of the Communist Party of China, reported that a group of cybercriminals had been arrested in connection with a Trojan targeting e-commerce users. The Trojan, detected by Kaspersky Lab as Trojan-Banker.Win32.Bancyn.a, was named 'Floating Cloud' and was used to steal several million dollars from e-commerce users.

The name 'Floating Cloud' (浮云 in Chinese) comes from a saying very popular among Chinese internet users, 神马都是浮云. Translated literally it reads 'god horses are all floating clouds' (神马 is an internet-slang homophone of 什么, 'whatever'), meaning that everything is as fleeting as a passing cloud. Here, though, the floating cloud is not a god horse but a Trojan horse. 'Floating Cloud' was written in the EAZY programming language, in which programs can be written entirely in Chinese.

To distribute the Trojan, the cyber-criminals often pose as sellers. When the customer (the target) asks for information about the merchandise, they send a zip archive with a name like 'detail information' that purports to contain a few pictures of the goods. Among those pictures is an executable file that carries an image-file icon. If the customer wants to look at this 'picture' and double-clicks it, the Trojan runs.
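The archive trick described above is easy to check for mechanically, before anyone double-clicks anything. The following Python script is an added example, not code from the original post or from Kaspersky Lab: it walks a zip archive and flags members that claim to be pictures but carry executable content, using three signals: a PE header ('MZ') whatever the extension says, a double extension such as photo.jpg.exe (Windows hides known extensions by default, so this displays as photo.jpg with whatever icon the executable embeds), and an image extension whose leading bytes do not match that image format. The archive it scans is constructed inline for the demonstration and has nothing to do with the real Floating Cloud files.

```python
from __future__ import annotations

import io
import zipfile

PE_MAGIC = b"MZ"
# Leading bytes of the image formats this check recognises.
IMAGE_MAGICS = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".bmp": b"BM",
}
# Extensions Windows will run on double-click.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive member looks like a disguised executable."""
    reasons: list[str] = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    # 1. Executable content, regardless of what the name says.
    if head.startswith(PE_MAGIC):
        reasons.append("PE header (MZ) inside archive")
    # 2. Double extension such as photo.jpg.exe (shown as photo.jpg by Explorer).
    if len(parts) > 2 and "." + parts[-2] in IMAGE_MAGICS and ext in EXEC_EXTS:
        reasons.append(f"double extension {parts[-2]}.{parts[-1]}")
    # 3. Image extension whose bytes are not that image format.
    if ext in IMAGE_MAGICS and not head.startswith(IMAGE_MAGICS[ext]):
        reasons.append(f"{ext} extension but content is not {ext}")
    return reasons


def find_disguised_executables(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to the list of reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(64)  # magic bytes live in the first few bytes
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed 'detail information' archive for the demo (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        jpeg_head = b"\xff\xd8\xff\xe0" + b"\x00" * 60
        pe_head = b"MZ\x90\x00" + b"\x00" * 60
        zf.writestr("detail information/photo1.jpg", jpeg_head)
        zf.writestr("detail information/photo2.jpg", jpeg_head)
        # The "picture" that is really a program.
        zf.writestr("detail information/photo3.jpg.exe", pe_head)
        # An image name over executable bytes.
        zf.writestr("detail information/photo4.png", pe_head)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in find_disguised_executables(build_sample_archive()).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Reading only the first 64 bytes of each member keeps the check cheap on large archives; a mail gateway or download proxy can apply the same three rules before the file reaches the customer.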


Right after the Venezuelan presidential elections, cybercriminals launched a new credential-stealing malware accompanied by a social-engineering campaign claiming that the election had supposedly been a fraud. The malicious file is named “listas-fraude-electoral.pdf.exe”, which translates to “electoral fraud lists”, and it spread under the guise of Globovision, a Venezuelan TV news station.

The malware itself is quite simple: it sets out to disable UAC (User Account Control) with the command below. With EnableLUA set to 0, every process started by a member of the Administrators group runs with a full administrative token and no consent prompt, so the criminals' later commands run as administrator without the user noticing. Note that writing this value under HKLM already requires administrative rights, and the change only takes effect after a reboot; it does not grant elevation to a restricted (standard) user account.

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
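The command line above is a good detection signal in process-creation telemetry (Sysmon event 1 or Windows security event 4688, for instance), because the Policies\System key holds the UAC settings and legitimate software very rarely rewrites them. The following Python is an added example, not code from the original post or from Kaspersky Lab: it parses 'reg add' command lines, normalises the hive name, key path and value name, and alerts when EnableLUA is set to 0. As a generalisation beyond the page's single value it also covers ConsentPromptBehaviorAdmin and PromptOnSecureDesktop, two further UAC values under the same key whose zero setting removes or weakens the prompt. The pipe-delimited log records are constructed samples, not real telemetry.

```python
from __future__ import annotations

# The key whose values control UAC. EnableLUA is the value the sample writes;
# the other two are added here as the usual companion settings (assumption:
# they are the UAC values that, when 0, remove or weaken elevation prompting).
UAC_KEY = r"software\microsoft\windows\currentversion\policies\system"
WEAK_UAC_VALUES = {
    "enablelua": 0,                   # UAC off entirely (after reboot)
    "consentpromptbehavioradmin": 0,  # elevate without any prompt
    "promptonsecuredesktop": 0,       # prompts no longer on the secure desktop
}


def parse_reg_add(cmdline: str) -> tuple[str, str | None, str | None] | None:
    """Return (key, value_name, data) for a 'reg add' command line, else None."""
    tokens = cmdline.split()
    if len(tokens) < 3:
        return None
    exe = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in ("reg", "reg.exe") or tokens[1].lower() != "add":
        return None
    key = tokens[2].strip('"')
    opts: dict[str, str] = {}
    i = 3
    while i < len(tokens):
        flag = tokens[i].lower()
        if flag in ("/v", "/t", "/d") and i + 1 < len(tokens):
            opts[flag] = tokens[i + 1].strip('"')
            i += 2
        else:
            i += 1
    return key, opts.get("/v"), opts.get("/d")


def to_int(data: str | None) -> int | None:
    """Accept the forms reg.exe accepts for REG_DWORD data: 0, 0x0, 1, ..."""
    if data is None:
        return None
    try:
        return int(data, 0)
    except ValueError:
        return None


def detect_uac_tampering(cmdline: str) -> str | None:
    """Return an alert string if the command line weakens UAC through reg.exe."""
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return None
    key, name, data = parsed
    key_norm = key.lower().replace("hkey_local_machine", "hklm")
    if not (key_norm.startswith("hklm\\") and key_norm.endswith(UAC_KEY)):
        return None
    if name is None or name.lower() not in WEAK_UAC_VALUES:
        return None
    if to_int(data) == WEAK_UAC_VALUES[name.lower()]:
        return f"UAC weakened: {name}={data} via reg.exe"
    return None


# Constructed process-creation records (timestamp|user|command line); not real telemetry.
SAMPLE_LOG = [
    r"2013-04-15 10:22:01|VICTIM-PC\maria|C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
    r"2013-04-15 10:22:02|VICTIM-PC\maria|reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA",
    r'2013-04-15 10:22:03|VICTIM-PC\maria|reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0x0 /f',
    r"2013-04-15 10:30:00|VICTIM-PC\admin|reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f",
    r"2013-04-15 10:31:00|VICTIM-PC\maria|reg.exe ADD HKCU\Software\SomeApp /v EnableLUA /t REG_DWORD /d 0 /f",
]


def scan_log(lines: list[str]) -> list[tuple[str, str]]:
    """Return (timestamp, alert) for every record whose command line weakens UAC."""
    alerts: list[tuple[str, str]] = []
    for line in lines:
        ts, _user, cmdline = line.split("|", 2)
        alert = detect_uac_tampering(cmdline)
        if alert:
            alerts.append((ts, alert))
    return alerts


if __name__ == "__main__":
    for ts, alert in scan_log(SAMPLE_LOG):
        print(ts, alert)
```

The re-enabling command (EnableLUA=1) and the same value name under HKCU are deliberately not alerted on, and '0x0' is accepted as well as '0' because reg.exe takes both. Alert on the command line rather than on the registry state: by the time EnableLUA reads 0 the writer already had an administrative token, and the setting only bites after the next reboot.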


There were some recent comments about Amazon Cloud as a platform for successful attacks on Sony… Well, today I found that Amazon Web Services (cloud) is now being used to spread financial data stealers.


In this edition of the Lab Matters webcast, Kaspersky Lab's senior anti-malware researcher Kurt Baumgartner discusses the use of ROP (return-oriented programming) techniques in vulnerability exploit packs. Baumgartner explains how exploit packs and infected web sites launch drive-by attacks and offers a glimpse of the obfuscation tricks used by cyber-criminals.


Just a few hours ago Twitter officially announced the launch of its new iPhone application, “Twitter for iPhone”. The news quickly became a trending topic on Twitter and, as usual, the criminals took advantage of it once again. The difference this time is that the criminals behind this particular attack did not use rogue AV malware but a worm with dropper functionality to deliver Trojan-Banker malware to users' machines.

Here is an example of the malicious tweets we detected:

The initial Trojan is downloaded to the victim's machine by a malicious Java archive (JAR) file. It has several malicious features: it spreads through USB devices; it disables the Windows Task Manager, the regedit application and the notifications of Windows Security Center; and it drops a copy of itself on the system under the name of Live Messenger. The criminals even included an anti-virtualization feature: the worm checks whether the hard drive of the infected system is virtualized and, if it finds itself in a virtual machine, the malicious code is not executed.

As mentioned, the main goal of this Trojan is to steal the victims' online banking credentials.

This malware is very harmful, since credit cards and online banking credentials are at stake. Please be especially careful with trending topics (and searches), since in many cases they are being exploited by criminals.

Kaspersky Anti-Virus detects the threat as Worm.Win32.VBNA.b

Some time ago I wrote an article about how Brazilian banker Trojans work, but time moves on and Brazilian coders are improving their skills, devising more complex methods of infection. The proof is the sample I worked on today. The infection scheme is the classic one:

A scam message with links to fake pictures ----> download and execution of the initial Trojan.Downloader ----> download and installation of the Trojan-Banker

A new (for Brazil) element appears between the second and third stages, when the Trojan.Downloader fetches and installs the Banker. Brazilian coders already obfuscated the download links with several techniques; now they also encrypt the Banker before it is downloaded to the system.

For example, if you deobfuscate the malicious links and download the Trojans behind them, you will see something like this:

It is an encrypted (specially packed) PE file. The Brazilian coders use this technique to defeat the automated malware analysis and monitoring run by AV companies: fetched as-is from the server, the sample is not a valid executable and will not function on the user's machine until it is decrypted. The decryption routine is built into the initial Trojan.Downloader, which first downloads the malware and then decrypts it so that it can infect the machine:

Now spot the difference: it is the same file, but after decryption it looks like a standard malicious PE file and can be used to infect the victim:

This particular sample is detected by Kaspersky Anti-Virus as Trojan-Banker.Win32.Banker.aumz and it attacks customers of the three largest banks in Brazil.
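To make the 'spot the difference' concrete, here is an added Python example; it is not the post's own code and it is not the real sample's decryption routine, which the post does not disclose. It is the triage check an automated pipeline would run on a raw download: does the blob have a DOS header with an e_lfanew pointer that lands on the 'PE\0\0' signature, and what is its byte entropy. The 'served' file is a constructed PE-shaped header (headers only, it does not run) encrypted with a hypothetical repeating-XOR key, standing in for whatever the Brazilian downloader actually undoes.

```python
from __future__ import annotations

import math
import struct
from collections import Counter


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed data, lower for plain executables."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(blob: bytes) -> dict[str, object]:
    """What an automated pipeline can say about a raw download."""
    return {"valid_pe": looks_like_pe(blob), "entropy": round(shannon_entropy(blob), 3)}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_pe() -> bytes:
    """Constructed PE-shaped file (DOS header, COFF header, a little text); not runnable."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT headers start at offset 0x40
    # IMAGE_FILE_HEADER: i386, one section, no symbols, optional-header size 0xE0, flags
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    body = b".text\0\0\0" + b"This program cannot be run in DOS mode.\r\n" * 4
    return bytes(dos) + b"PE\0\0" + coff + body


# Hypothetical key for the demonstration; the real Banker's scheme is not on the page.
DEMO_KEY = bytes.fromhex("5a3c91e70b446d28")


def demo() -> tuple[dict[str, object], dict[str, object]]:
    """Triage the blob as served, then after the downloader-side decryption."""
    plain = build_sample_pe()
    served = xor_bytes(plain, DEMO_KEY)      # what sits on the server
    recovered = xor_bytes(served, DEMO_KEY)  # what the Trojan.Downloader writes to disk
    assert recovered == plain
    return triage(served), triage(recovered)


if __name__ == "__main__":
    before, after = demo()
    print("as downloaded:", before)
    print("after decrypt:", after)
```

The header check is the reliable signal; the entropy figure is only a hint. A single-byte XOR key is a bijection on byte values and leaves Shannon entropy exactly unchanged, so a sample 'crypted' that way would look no more random than the plaintext, whereas the multi-byte key used here does push the entropy up. Either way the served file fails the PE check, which is precisely why it is useless to an AV pipeline that expects to run or emulate what it downloads.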


Incidents|UK child benefit data lost

David
Kaspersky Lab Expert
Posted November 21, 11:39  GMT
Tags: Identity Theft

HMRC [Her Majesty's Revenue & Customs] has mislaid two disks containing personal data on large numbers of people in the UK. It seems the disks were lost in transit between HMRC and the National Audit Office. The disks contain data on Child Benefit recipients and, according to a BBC report, the Chancellor of the Exchequer puts the number affected at '25 million individuals and 7.25 million families'.

Anyone concerned about the potential impact of this data loss can find advice on the web site of APACS, the UK payments association.

APACS has pointed out that 'sort code and bank account, national insurance number, date of birth, name and address details are not enough in themselves for an ID fraudster to access your bank account - as additional security information and passwords are always required'.

Nevertheless, this data would represent an attractive haul for cyber criminals and provide a range of essential building-blocks needed to build up a comprehensive profile on potential victims.

You can find some basic guidelines for staying safe online here.
