
It has been three years since we published Lock, stock and two smoking Trojans in our blog. The article describes the first piece of malware designed to attack users of online banking software developed by a company called BIFIT. There are now several malicious programs with similar functionality, including:

  • Trojan-Spy.Win32.Lurk
  • Trojan-Banker.Win32.iBank
  • Trojan-Banker.Win32.Oris
  • Trojan-Spy.Win32.Carberp
  • Trojan-Banker.Win32.BifiBank
  • Trojan-Banker.Win32.BifitAgent

Although its functionality is no longer unique, the last program on the list caught our attention.


Words and strings used by Trojan-Banker.Win32.BifitAgent

This particular piece of malware has a number of features that set it apart from other similar programs.


Much has already been said about the latest Skype malware spread via instant messages. However, I just wanted to add something not yet mentioned. The first thing concerns when the attack was first launched. According to Google's short URL service, it first surfaced on Oct 6th:


In our previous blogpost, we discussed the Madi campaign, uncovered through joint research with our partner Seculert.

In this blogpost, we will continue our analysis with information on the Madi infrastructure, communications, data collection, and victims.

The Madi infrastructure is equally simple in how it performs its surveillance operations and communications. Five command and control (C2) web servers are currently up, running Microsoft IIS v7.0 along with an exposed Microsoft Terminal Services port for RDP access, and all of them host identical copies of the custom C# server manager software. These servers also act as the drops for stolen data. The stolen data appears to be poorly organized on the server side, so multiple operators have to log in and sift through the data for each of the compromised systems they manage over time.

The operators have cycled the services through these IP addresses for unknown reasons, and no pattern is yet apparent in which malware samples report to which server. According to sinkhole data and other reliable sources, the approximate locations of Madi victims are concentrated in the Middle East, with a light scattering across the US and EU. Some of the victims appear to be professionals and academics (both students and staff) whose laptops, infected with the Madi spyware, travel with them around the world:

Here is a global map of the approximate locations of Madi victims, based on GeoIP data. Although the graphic does not convey well that the overwhelming majority of victims are in the Middle East, it does help to show Madi's reach:
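As an added example (not Kaspersky Lab's or Seculert's code, and not Madi's real beacon protocol), the following Python script shows how sinkhole hits like those described above can be reduced to unique victims per country and to the set of C2 hosts each victim reported to. The log format, the /api/beacon path and its id parameter, the host names and the GeoIP prefix table are all constructed assumptions; a real analysis would use a GeoIP database such as the one the map above is based on.

```python
"""Aggregate sinkhole beacons by C2 host and approximate victim location.

Added example, not Kaspersky Lab's or Seculert's code. The log format,
beacon path, victim identifiers and prefix table are constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sinkhole access-log lines:
# <client ip> <UTC timestamp> "<request line>" <virtual host>
# The /api/beacon path and id= parameter are assumptions for this example.
SINKHOLE_LOG = """\
198.51.100.23 2012-07-20T08:01:12Z "GET /api/beacon?id=VICTIM-0001 HTTP/1.1" c2-a.example
198.51.100.23 2012-07-20T09:01:15Z "GET /api/beacon?id=VICTIM-0001 HTTP/1.1" c2-c.example
203.0.113.77 2012-07-20T08:05:40Z "GET /api/beacon?id=VICTIM-0002 HTTP/1.1" c2-a.example
203.0.113.78 2012-07-20T08:07:02Z "GET /api/beacon?id=VICTIM-0003 HTTP/1.1" c2-b.example
192.0.2.9 2012-07-20T10:15:31Z "GET /api/beacon?id=VICTIM-0004 HTTP/1.1" c2-b.example
192.0.2.9 2012-07-21T10:15:33Z "GET /api/beacon?id=VICTIM-0004 HTTP/1.1" c2-a.example
203.0.113.200 2012-07-21T11:00:00Z "GET /index.html HTTP/1.1" c2-a.example
"""

# Constructed GeoIP table over documentation address ranges; the country
# assignments are invented for the example and are not real allocations.
GEOIP_PREFIXES = [
    ("198.51.100.0/24", "IR"),
    ("203.0.113.0/25", "IL"),
    ("203.0.113.128/25", "US"),
    ("192.0.2.0/24", "DE"),
]

LINE_RE = re.compile(
    r'^(\S+) (\S+) "GET /api/beacon\?id=([A-Z0-9-]+) HTTP/1\.[01]" (\S+)$'
)


def lookup_country(ip: str, prefixes=GEOIP_PREFIXES) -> str:
    """Longest-prefix match over the table, as a GeoIP lookup does; 'XX' if unknown."""
    addr = ipaddress.ip_address(ip)
    best_len, best = -1, "XX"
    for cidr, country in prefixes:
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best_len, best = net.prefixlen, country
    return best


def parse_beacons(log_text: str):
    """Yield (victim_id, source_ip, c2_host) per beacon; other requests are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, _timestamp, victim, host = m.groups()
            yield victim, ip, host


def summarize(log_text: str):
    """Return (unique victims per country, sorted C2 hosts per victim).

    A victim is counted once per country however often it beacons; a victim
    seen from networks in several countries (a travelling laptop) is credited
    to each of them.
    """
    seen = set()
    per_country = Counter()
    hosts_per_victim = defaultdict(set)
    for victim, ip, host in parse_beacons(log_text):
        hosts_per_victim[victim].add(host)
        key = (victim, lookup_country(ip))
        if key not in seen:
            seen.add(key)
            per_country[key[1]] += 1
    return per_country, {v: sorted(h) for v, h in hosts_per_victim.items()}


if __name__ == "__main__":
    countries, hosts = summarize(SINKHOLE_LOG)
    for country, n in countries.most_common():
        print(f"{country}: {n} victim(s)")
    for victim, c2s in sorted(hosts.items()):
        print(f"{victim} reported to {', '.join(c2s)}")
```

Deduplication is by (victim id, country) rather than by source IP, so a laptop that beacons from several networks in one country is counted once, while one that crosses borders appears in each country it visited; the per-victim host list is the raw material for checking whether any pattern exists in which server a given bot reports to.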


Last week, we held our first Ibero-American virus analyst summit, to which we invited 34 journalists from 14 Latin American countries, as well as Spain and Portugal. Speakers and panelists included antivirus experts Fabio Assolini, Jorge Mieres, Vicente Diaz and Dmitry Bestuzhev.

Virus Watch|From Cocos Islands to Cameroon

Eugene Aseev
Kaspersky Lab Expert
Posted July 14, 15:01  GMT
Tags: Search Engines, Google, Malware Statistics

The cybercrime business is really no different from other types of business, such as pasta making or selling spare parts for cars. It has its own expenses and overheads. A hacker, just like any businessman, tries to keep the cost of each attack down.

In general, a web attack needs a domain name and hosting in order to spread malicious files. Hosting is straightforward: the criminals either buy it themselves or use compromised servers to store their files. Protective measures cannot simply block entire file servers, since legitimate data may be stored on them as well.

Domain names, on the other hand, can be blocked quickly by integrated security solutions, so a black hat has to constantly change the domain names from which attacks originate.

Registering a second-level domain name is relatively expensive (on average $5 to $20 per domain), which is why cybercriminals often try to save money by using free third-level domain names.

Lately, the co.cc and cz.cc services have been at the forefront of cybercriminal activity: hundreds of domain names were being registered there every day, spreading huge amounts of malware across the Internet.

However, a couple of weeks ago an unprecedented event occurred: Google removed all resources hosted under co.cc from its search results.

As a result, registering domain names in this zone is no longer profitable for cybercriminals, especially those who rely on search engines (e.g. spreading rogue AV with the help of black-hat search engine optimization).
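The blocking problem the post describes, keying a blocklist on the right label, as an added Python example (not Kaspersky Lab's code): it uses a constructed subset of public suffixes in which the free third-level services co.cc and cz.cc are treated like top-level zones, so that a blocklist entry covers one third-level domain and its subdomains rather than the entire zone. The host names and URLs are invented.

```python
"""Key a URL blocklist on the registrable domain, treating free
third-level zones as public suffixes.

Added example, not Kaspersky Lab code. PUBLIC_SUFFIXES is a constructed
subset of what a real public suffix list contains; the URLs are invented.
"""
from urllib.parse import urlsplit

# Constructed subset of public suffixes. A real deployment would load the
# full Public Suffix List; only the entries this example needs are listed.
PUBLIC_SUFFIXES = frozenset({
    "com", "net", "cc", "co.uk",
    "co.cc", "cz.cc",  # free third-level registries named in the post
})


def registrable_domain(host: str, suffixes=PUBLIC_SUFFIXES) -> str:
    """Return the registrable domain of host: the shortest suffix that is
    exactly one label longer than a known public suffix.

    Raises ValueError when host is itself a public suffix (e.g. 'co.cc')
    or ends in a zone the list does not know.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        parent = ".".join(labels[i + 1:])
        if candidate not in suffixes and parent in suffixes:
            return candidate
    raise ValueError(f"no registrable domain in {host!r}")


class DomainBlocklist:
    """Blocklist keyed on registrable domains; a match covers any subdomain."""

    def __init__(self, suffixes=PUBLIC_SUFFIXES):
        self._suffixes = suffixes
        self._blocked = set()

    def _key(self, url: str) -> str:
        host = urlsplit(url).hostname
        if not host:
            raise ValueError(f"no host in {url!r}")
        return registrable_domain(host, self._suffixes)

    def block_url(self, url: str) -> str:
        """Add the URL's registrable domain to the list and return that key."""
        key = self._key(url)
        self._blocked.add(key)
        return key

    def is_blocked(self, url: str) -> bool:
        try:
            return self._key(url) in self._blocked
        except ValueError:
            # A bare public suffix or an unknown zone is never blocked wholesale.
            return False


if __name__ == "__main__":
    bl = DomainBlocklist()
    print("blocked key:", bl.block_url("http://cheap-av.co.cc/setup.exe"))
    for url in ("http://dl.cheap-av.co.cc/update.exe",
                "http://innocent.co.cc/",
                "http://co.cc/"):
        print(url, "->", bl.is_blocked(url))
    # Without co.cc in the suffix list, the key collapses to the whole zone:
    print(registrable_domain("cheap-av.co.cc", {"com", "net", "cc"}))
```

With the naive "last two labels" rule every co.cc host collapses to the key co.cc, and one rogue AV site takes the whole zone down with it; with co.cc listed as a suffix, the key is the attacker's own third-level name, and the other tenants of the zone are unaffected.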

Virus Watch|Monthly Malware Statistics, April 2011

Denis
Kaspersky Lab Expert
Posted May 03, 08:34  GMT
Tags: Malware Statistics

The following statistics were compiled in April using data from computers running Kaspersky Lab products:

  • 221,305,841 network attacks blocked;
  • 73,211,764 attempted web-borne infections prevented;
  • 189,999,451 malicious programs detected and neutralized on users’ computers;
  • 86,630,158 heuristic verdicts registered.

DDoS attack on LiveJournal

The DDoS attack that targeted LiveJournal.com at the end of March continued into early April and was big news in Russia. The fact that we had been monitoring one of the botnets responsible for the attack meant we discovered quite a few details about the incident.

Initially, every computer in the botnet received commands to attack one or two links per day. On 4 April, however, the bots received a list of 36 links that included http://livejournal.com and http://livejournal.ru. The other links in the list led to popular pages in the Russian-language blogosphere. The pages in question were unavailable at various times on 30 March, 4 and 6 April. The attacks stopped after 6 April.

The botnet we monitored was based on the popular Optima bot, which appeared for sale at the end of 2010. Several indicators suggest that the zombie network behind the DDoS attacks brought together tens of thousands of machines infected with Optima. Apart from DDoS attacks, the bot's functionality includes downloading other executable files to infected computers and stealing passwords for a number of popular programs.

Research|The smart screensaver

Sergey Golovanov
Kaspersky Lab Expert
Posted January 25, 08:42  GMT
Tags: Malware Statistics, Vulnerability Statistics

Kaspersky Security Network is an integral part of Kaspersky Lab technology. With its 'cloud' architecture, KSN automatically detects and blocks unknown malware and infected or dangerous websites, filters spam, protects children from unwanted content and much more. Our aim is for users to always have as full a picture as possible of the current threat landscape around the world. That's why we have come up with the Irida screensaver. It displays statistics about the latest threats detected and blocked using KSN and is updated every 12 hours.

Install our screensaver and discover the full potential of Kaspersky Security Network! Download at: http://irida.kasperskyclub.com/scr.zip

Research|Internal needs on the black market

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted January 17, 00:03  GMT
Tags: Malware Statistics, Campaigns, Email, ZeuS

At the end of 2010 I noticed a big wave of recruitment spam for money mule work. Initially, the criminals used spam sent from hacked email accounts. I even got some messages like this from people I know personally:

Right after that, to speed up the recruitment process, the messages came via Windows Live Messenger (aka MSN):

And of course, the criminals also used legitimate accounts that had been hacked to spread their messages. Finally, right before the end of the year I saw a big campaign on Facebook, especially targeting Spanish speaking communities. But yesterday I was completely surprised when I found an advertising banner on a legitimate IT site leading to the same page – money mule recruitment.

All these developments make me think there is huge demand on the black market for money mule workers. The criminals seem to have enough stolen information, such as credit card PINs and details for online banking accounts and payment systems. Their problem now is how to launder the money they have made. Our statistics confirm there is clear growth in Trojan-Spy malware able to steal any kind of personal information. This includes well-known Trojans like Zbot (Zeus) and SpyEye.

It's worth remembering that money mule activity is considered illegal. Basically, if nobody wanted to launder their money, cybercriminals would find it much harder to make money from stolen account details. Everyone can contribute in their own way to global security, not just AV and other security companies.

Research|Mobile threats - myth or reality?

Yury
Kaspersky Lab Expert
Posted November 02, 11:22  GMT
Tags: Mobile Malware, Malware Statistics

As regular readers of viruslist will have noticed, we've been tracking the evolution of mobile malware with interest. This, naturally, includes collecting statistical data on the prevalence of individual threats. Of course, malicious code for mobile devices is relatively new, and there’s been a lot of discussion about whether or not it poses a real threat.

Data we've collected shows some interesting trends. For instance, the proportion of infected MMS messages is already close to the proportion of malicious code found in mail traffic: 0.5% - 1.5% of MMS traffic consists of infected messages.

Of course, it's difficult to monitor mail traffic for malicious code across the whole Internet. In contrast, scanning mobile traffic for malicious content at the network operator can make a real difference.

Six months ago, BeeLine, the biggest Russian mobile network operator, implemented protection for MMS messages. Since then, the number of infected messages has fallen from 1.46% of MMS traffic to a record low of 0.46% at the end of October.

It's also been interesting to track the ups and downs in the number of infected MMSs. For instance, at the end of the summer holidays there was a sharp, though short-lived, rise in the number of infected messages to 1.72%, followed by an equally sharp drop.

The vast majority of infected messages are due to Worm.SymbOS.Comwar.a and Worm.SymbOS.Comwar.c, although of course there are quite a lot of other programs circulating as well.

It’s clear from these statistics that mobile malware is a real threat. It’s equally clear that it's a threat that can be tackled successfully.


Research|Bagle's birthday

Yury
Kaspersky Lab Expert
Posted January 18, 04:55  GMT
Tags: Bagle, Malware Statistics

It's two years to the day since the antivirus industry first encountered Bagle (Email-Worm.Win32.Bagle.a). Depending on your point of view, two years could be a long time or a short time. But whatever position you take, one thing is certain: Bagle has evolved from a single worm into a criminal infrastructure that is constantly searching for new victims to infect. Bagle has become a business that makes real profits, a clear motivation for cybercriminals. The authors of Bagle have continued to develop the worm's defences against its main enemy, the antivirus industry. We've seen Bagle evolve from using primitive polymorphic code, to storing the password for an infected archive as an image, to the use of blacklists. These blacklists contain the addresses of users, such as antivirus and network activity monitoring companies, who are likely to attempt to download the latest Bagle variant via the malicious links. If a user whose address is blacklisted attempts to download the latest Bagle, an error message is returned instead of the malicious file.

Over the last two years we've detected more than 400 modifications of Bagle-related malware. All these malicious programs (Trojan-Proxies, Email-Worms, Trojan-Downloaders, SpamTools etc.) are designed to steal information from victim machines, conduct mass mailings and carry out other criminal activity.

As our users know, Kaspersky Lab releases two types of antivirus database update: standard updates and urgent updates. Urgent updates provide rapid protection against possible epidemics and mass mailings of malicious programs. The graph below shows the number of urgent updates (Y axis) released in each three-day period (binned this way in order to highlight the virus epidemics) throughout 2005 (X axis):

It's clear that the highest number of urgent updates were released on days when Bagle was very active. During one attack, 21 new modifications were detected. The figures clearly show that users should continue to take the threat posed by Bagle seriously.
