While analyzing suspicious URLs I found out that more and more malicious URLs are coming from the .lc domain, which formally belongs to Saint Lucia, a country located in the eastern Caribbean Sea.

Our statistics confirm this trend.

Cybercriminals from different places of the world are actively using this domain, including cybercriminals from Brazil abusing free Web hosting available in that country.

How many legitimate domains in the .lc zone have you ever had to visit in your life? If the answer is zero, maybe it's time to start filtering access to this domain, especially on the corporate firewall / proxy layer.

Follow me @dimitribest

Since yesterday I've been attending the annual Hack-in-the-Box Quad-Track Security Conference in Amsterdam, NL. There's a very nice and open atmosphere here at the conference, besides the beautiful city of Amsterdam.

First, Joe Sullivan (CSO at facebook) held a very interesting keynote about the development of security innovations at facebook. For him innovation is "this hacking culture we think about each day at facebook". After explaining some of the newer security innovations (https-only, login notifications, login approvals [if e.g. the geo-location of a user is suspicious], recognized devices, recent activity) he talked about the recent fb-scams with malicious scripts. "No one would do that, copying and pasting a script into the browser! - Yes, they do...", he said.

Another remarkable talk I attended was about binary planting, given by Mitja Kolsek (CTO at ACROS Security). In "Binary Planting: First Overlooked, Then Downplayed, Now Ignored", Mitja also showed a new method he called "advanced binary planting", which uses a feature of Windows' special folders (like Control Panel, Printers, etc.) and clickjacking to make it possible to own the user's computer.

In the winter garden of the conference hotel there's a technology showcase area. Hackerspaces from all over Europe and the Netherlands are showcasing their projects here. There is also a capture-the-flag competition happening, a lock-picking area and a (sponsor) company showcase.

For more information please see the conference website.

There have been several reports about malware hosted on Mozilla and Google code servers. Now we have also found malware hosted on My Opera community servers. The screenshot below shows an example of this:

It's a PHP-based IRC botnet. Analyzing the code, I found some evidence that it comes from Brazil.

We can see that criminals appreciate and actively use any and all available free web space. Based on the statistics from one of our proactive web crawlers, I took a look at which free web hosts are most popular among criminals for uploading and spreading malware. The following graph shows the top 10 free web hosts used by criminals during the last 8 months:

Fileave is a really well-known server for hosting tons of different kinds of malware. I noticed that some secure DNS providers block access to the domains listed above and show an alert message stating that these sites are known sources of phishing and malware. So, what does that tell us? The usual - when you browse the internet always check links before clicking, and if the domain is suspicious, don't. Just don't click. And if you're the owner of a web site, make sure to secure your server properly to prevent the criminals from compromising it easily.
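Both the .lc post further up and the free-hosting post above end with the same defensive advice: filter at the proxy or DNS layer. The following is an added example of such a filter, written for this page and not taken from any of the posts or from Kaspersky Lab. It blocks a whole top-level domain (the .lc zone named in the first post) and known abused free-hosting domains (the post names Fileave; "fileave.com" is assumed to be its host, and "free-host.example" and the log lines are constructed placeholders). The point it demonstrates beyond the text is the matching rule itself: only the real rightmost label decides the TLD, and a blocked host covers its subdomains but not look-alike names that merely begin with it.

```python
# Added example, not code from the Kaspersky posts above: a minimal
# proxy-layer URL filter that blocks one top-level domain and a set of
# abused free-hosting domains. Only ".lc" and "Fileave" come from the posts;
# every other domain and the log format are constructed for this example.
from typing import List, Optional, Tuple
from urllib.parse import urlsplit
import ipaddress

# Assumed blocklists: "fileave.com" is assumed to be the Fileave host the
# post refers to; "free-host.example" is a constructed placeholder.
BLOCKED_TLDS = {"lc"}
BLOCKED_HOSTS = {"fileave.com", "free-host.example"}


def hostname_of(url: str) -> Optional[str]:
    """Lower-cased DNS hostname of a URL, or None for IP literals / bad URLs."""
    if "://" not in url:
        url = "http://" + url  # proxy logs often carry a bare host:port
    try:
        host = urlsplit(url).hostname  # drops scheme, userinfo, port, path
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".")  # "evil.lc." is the same zone as "evil.lc"
    try:
        ipaddress.ip_address(host)
        return None  # an IP literal has no TLD to match against
    except ValueError:
        return host


def block_reason(url: str) -> Optional[str]:
    """Return why a URL is blocked ("tld:lc", "host:fileave.com") or None."""
    host = hostname_of(url)
    if host is None:
        return None
    labels = host.split(".")
    # Only the real rightmost label counts: "evil.lc.example.com" is under .com.
    if labels[-1] in BLOCKED_TLDS:
        return "tld:" + labels[-1]
    # A blocked host also covers its subdomains ("cdn.fileave.com"), but not
    # look-alikes that merely start with the name ("fileave.com.evil.example").
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in BLOCKED_HOSTS:
            return "host:" + suffix
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Apply block_reason to a constructed 'epoch client url' proxy log."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        reason = block_reason(fields[2])
        if reason:
            hits.append((fields[2], reason))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
1305000001 10.0.0.5 http://www.example.com/index.html
1305000002 10.0.0.7 http://update.badsite.lc/dl.php?id=1
1305000003 10.0.0.9 http://FILEAVE.COM/user/file.exe
1305000004 10.0.0.9 http://evil.lc.notreally.example/
1305000005 10.0.0.3 http://192.0.2.10/x
""".splitlines()

if __name__ == "__main__":
    for url, reason in scan_log(SAMPLE_LOG):
        print(f"BLOCK {reason:20s} {url}")
```

Run as a script it reports the two blocked lines of the sample log. IP literals and malformed URLs fall through unmatched on purpose; in a real deployment they would be handled by separate rules rather than silently allowed, and the blocklists would be loaded from the proxy's own configuration instead of being hard-coded.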
Some months ago I wrote a blog post called "Rogue AV raising the stakes" which mentioned a new trend in the graphical user interfaces of fake anti-viruses. Our predictions were correct, as today my colleague Fabio Assolini found a Web site with an interface very similar to Kaspersky Anti-Virus. See for yourself:


This isn’t the first time we’ve found this kind of fake imitation of our solutions. The interesting part is that during our research we found fake versions of other Anti-Virus solutions on the same malicious host. Can you spot the difference?





These are just some of the examples. Since some Internet users know what the most popular Anti-Virus solutions look like, they can be confused and pay for a Rogue AV solution. This is the main goal of the criminals: to confuse as many people as they can, and to get as much money as possible.

On this same malicious server we found 256 different malicious rogue domains with different content but with the same intention: to cheat people by making them pay money for nothing.
Please be careful and always check the domain of the page you're visiting. Don't be a victim of criminals!
Virus Watch|Malware Miscellany, December 2008

Yury
Kaspersky Lab Expert
Posted January 22, 07:23  GMT
Tags: Malware Miscellany


  • Greediest Trojan targeting banks
    Trojan.Win32.Qhost.gn wins this category, by redirecting clients of 39 different banks to phishing sites.
  • Greediest Trojan targeting payment systems and payment cards
    Just like last month, a single piece of malware comes out top in these two categories. This time, it’s Trojan.Win32.Agent.eii, which targets users of three payment systems and 4 payment cards simultaneously.
  • Stealthiest malicious program
    Trojan-PSW.Win32.LdPinch.auv is packed with 10 different packers.
  • Smallest malicious program
    Trojan.BAT.Shutdown.g is a mere 20 bytes, but it’s still able to reboot the infected computer in spite of its minute size.
  • Largest malicious program
    Trojan-Banker.Win32.Banbra.bby is 27 MB in size.
  • Most common malicious code which exploits a vulnerability
    In December, exploits for an SWF vulnerability made up 12% of all malicious content.
  • Most common malicious code on the Internet
    Trojan-Downloader.HTML.IFrame.wf accounted for nearly 8% of all malicious traffic this month.
  • Most common Trojan family
    1499 previously unknown modifications make Backdoor.Win32.Hupigon the winner of this category in December.
  • Most common virus/worm family
    Worm.Win32.AutoRun came up with 312 new modifications this month, putting it at the top of this class.


Virus Watch|Malware Miscellany, November 2008

Yury
Kaspersky Lab Expert
Posted December 19, 11:05  GMT
Tags: Malware Miscellany


  • Greediest Trojan targeting banks
    Trojan-Spy.Win32.Egoldan.az targets the users of 20 banking systems (a relatively low number when compared to previous winners of this category).
  • Greediest Trojan targeting payment systems and payment cards
    Trojan.Win32.Obfuscated.gen wins both categories in November by targeting 4 payments systems and 3 payment card systems simultaneously.
  • Stealthiest malicious program
    Trojan-PSW.Win32.LdPinch.beo is packed with 9 different utilities.
  • Smallest malicious program
    The 22 bytes of Trojan.BAT.Shutdown.g enable it to launch automatically and then force the victim machine into constantly rebooting.
  • Largest malicious program
    Trojan-Banker.Win32.Banker.kum is 19MB in size, which is very small in comparison with previous winners of this category.
  • Most widespread malicious code which exploits a vulnerability
    Exploit.JS.RealPlr.nn made up more than 8% of all malicious content in December.
  • Most common malicious program on the Internet
    Trojan-Downloader.JS.Iframe.yv was responsible for 4% of all malicious content detected on the web during November 2008.
  • Most common Trojan program
    There were 1723 new modifications of Trojan.Win32.Agent this month.
  • Most common virus/worm family
    Again, Worm.Win32.AutoRun wins this category, but with only 337 new modifications – a significant increase on October’s 75 new modifications.


Virus Watch|Malware Miscellany, October 2008

Yury
Kaspersky Lab Expert
Posted November 24, 12:54  GMT
Tags: Malware Miscellany

  1. Greediest Trojan targeting banks
    Now that autumn is into its stride, there’s been a change in this category; October’s winner is Trojan-Spy.Win32.Bzub.cqz, rather than a member of the Banker family. Bzub.cqz targets clients of 34 different banks.
  2. Greediest Trojan targeting payment systems
    Trojan.Win32.Agent.afhy comes out top, attacking 4 different epayment systems at once.
  3. Greediest Trojan targeting payment cards
    The Agent family wins again in this category, with Trojan.Win32.Agent.agyz searching out users of 5 card systems.
  4. Stealthiest malicious program
    The Hupigon family, which makes frequent appearances in this category, takes the lead in October; one modification of Backdoor.Win32.Hupigon.btl is packed with 8 different packers.
  5. Smallest malicious program
    In spite of being a mere 20 bytes in size, Trojan.BAT.KillAll.an is able to delete all files from disk.
  6. Largest malicious program
    Trojan.Win32.Haradong makes a return this month – modification .ga weighs in at more than 200MB.
  7. Most common vulnerability on the Internet
    In October, Exploit.SWF.Downloader.hn accounted for 2.3% of all malicious content detected on the Internet.
  8. Most common malicious program on the Internet
    Trojan-Downloader.Win32.IstBar.cx was the most common malicious program on the Internet in October, accounting for a “modest” 2.1% of all malicious content detected.
  9. Most common Trojan family
    Backdoor.Win32.Hupigon puts in yet another appearance in this category, this time with 3891 new modifications.
  10. Most common virus/worm family
    There are no changes in this category either this month, with Worm.Win32.AutoRun taking the crown again. And its numbers are similar to those of last month – 651 new modifications in October as against September’s 655.


Virus Watch|Malware Miscellany, September 2008

Yury
Kaspersky Lab Expert
Posted October 15, 11:35  GMT
Tags: Malware Miscellany

  1. Greediest Trojan targeting banks
    This month, the nomination goes to Trojan-Banker.Win32.Banker.xkz, from the same family that won this category last month. This particular sample targets the users of 28 banks at once.
  2. Greediest Trojan targeting payment systems
    September's winner is Trojan.Win32.Agent.adtp which has its sights set on four e-payment systems simultaneously.
  3. Greediest Trojan targeting payment cards
    It's been a long time since we've seen a malicious program which wins out in more than one category. Autumn has brought a surprise entrant, with Trojan-Banker.Win32.Banker.xkz making an appearance in this category as well - in addition to going after 28 banks, it also targets five different payment cards.
  4. Stealthiest malicious program
    Autumn has brought about a change in this category - instead of the customary Hupigon, September features a modification of Backdoor.Win32.Netbus.160.e, which is packed with nine different packers.
  5. Smallest malicious program
    September's winner, just like August's, is 31 bytes in size, but has a different payload - it's a new modification of Trojan.BAT.MouseDisable.c. And its name tells you everything you need to know - this Trojan will block the mouse.
  6. Largest malicious program
    Yet another Trojan-Banker wins the crown in this category: Trojan-Banker.Win32.Banbra.dkj weighs in at 34MB.
  7. Most common vulnerability on the Internet
    In September, this category was taken by Exploit.Win32.PowerPlay.a - it made up 6% of all vulnerabilities identified on web pages that were used to deliver malicious code to victim machines.
  8. Most common malicious program on the Internet
    Trojan-Downloader.Win32.Small.aacq, which won this category last month as well, still triumphs here; it's involved in 20% of all cases, which is a pretty high number!
  9. Most common Trojan family
    Once again, this category is taken by an old familiar: Backdoor.Win32.Hupigon.c, which came over the finish line in September with 3072 new modifications.
  10. Most common virus/worm family
    There's also been no change in this category - as we move into autumn, Worm.Win32.AutoRun continues to reign, with 655 new modifications.


Virus Watch|Malware Miscellany, August 2008

Yury
Kaspersky Lab Expert
Posted September 16, 15:09  GMT
Tags: Malware Miscellany


  1. Greediest Trojan targeting banks
    Trojan-Banker.Win32.Banker.rqk leads this month, even though it only attacks 26 banks, a relatively low number.
  2. Greediest Trojan targeting payment systems
    In August, a new modification of Backdoor.Win32.Agobot.gen won this category by targeting four payment systems simultaneously.
  3. Greediest Trojan targeting payment cards
    Trojan-Banker.Win32.Banbra.vf targets four payment card systems.
  4. Stealthiest malicious program
    Following last month's victory, the Hupigon family makes another appearance with Backdoor.Win32.Hupigon.nqr – a program packed with seven different packers.
  5. Smallest malicious program
    Trojan.BAT.Tiny.a is a mere 31 bytes in size; it searches the system for applications and runs any it finds.
  6. Largest malicious program
    Trojan-Banker.Win32.Banker.qwp is only 27 MB in size – not particularly large for this category, but it still manages to take the prize.
  7. Most widespread malicious code which exploits a web vulnerability
    Trojan-Clicker.HTML.IFrame.uu.
  8. Most common malicious program on the Internet
    Trojan-Downloader.Win32.Small.aacq, the winner of this category which was introduced last month, is responsible for every 20th infection.
  9. Most common Trojan program
    Backdoor.Win32.Hupigon makes another appearance in this miscellany with 1044 modifications this month.
  10. Most common virus/worm family
    August brought 75 modifications of Worm.Win32.AutoRun, a relatively small number for the winner of this category.


Virus Watch|Malware Miscellany, July 2008

Yury
Kaspersky Lab Expert
Posted August 21, 11:44  GMT
Tags: Malware Miscellany


  1. Greediest Trojan targeting banks
    This month, the winner is a modification of Trojan-Spy.Win32.Bzub.bvq – it's quite modest in its ambitions, targeting a mere 36 banks, a relatively low number for malware in this category.
  2. Greediest Trojan targeting payment systems
    Trojan-Banker.Win32.Banker.qhq targets three payment systems simultaneously.
  3. Greediest Trojan targeting payment cards
    Trojan-Spy.Win32.Banker.qdo targets three payment card systems – exactly the same number as its close relative in the previous category.
  4. Stealthiest malicious program
    July's nomination in this category was taken by Backdoor.Win32.Hupigon.cqzq – notwithstanding the program being packed seven times, it still got added to our antivirus databases.
  5. Smallest malicious program
    In July, Trojan.BAT.KillWin.vx demonstrated its dislike of Windows by using its 36 bytes to delete winlogon.exe, a system file.
  6. Largest malicious program
    The 203MB of Trojan-Win32.Haradon.ga, this month's winner, were spread in the guise of a screensaver.
  7. Most common vulnerability on the Internet
    The category 'Most malicious program', a fixture in previous Miscellanies, is no longer particularly indicative of the malware landscape. So this month we've introduced a new category – 'Most common vulnerability on the Internet', i.e. the one most exploited by malicious users. This month the victory goes to Trojan.Clicker.HTML.Iframe.sy, which makes up more than 12% of all vulnerabilities found on web pages used by malicious users to infect victim machines.
  8. Most common malicious program on the Internet
    The category 'Most common malicious program in email traffic' has also changed. Readers of this column may remember that the winner of that nomination remained unchanged over several months. In order to give a more representative picture, this category is now called 'Most common malicious program on the Internet'. Trojan.Win32.Agent.sav wins out in July, as it was involved in 5.52% of all attempts to infect users.
  9. Most common Trojan family
    Trojan-Downloader.Win32.Zlob makes an appearance this month, with a relatively low 1217 modifications.
  10. Most common virus/worm family
    This category again features Worm.Win32.AutoRun with another 126 new modifications in July.
