
Webcasts|Lab Matters - The Ups and Downs of Mitigating Botnets

Ryan Naraine
Kaspersky Lab Expert
Posted April 06, 11:26  GMT
Tags: Botnets, Kido

In this edition of the Lab Matters webcast, malware researcher Tillmann Werner and Ryan Naraine discuss the ongoing battle to control the Conficker/Kido botnet and the need for the computer security industry to consider newer approaches to mitigating the botnet epidemic.


Research|Watching the Kido/Conficker P2P Network

Georg 'oxff' Wicherski
Kaspersky Lab Expert
Posted April 15, 21:10  GMT
Tags: Botnets, Kido

While analysing Kido network behaviour we’ve been able to develop an application that helped us get an in-depth insight into the peer-to-peer network communications of the malware, which have been used to distribute updates over the last week. Over a 24-hour observation period, we’ve been able to identify 200652 unique IPs participating in the network, far fewer than initially estimated Kido infection counts.

This is mostly due to the fact that only the latest variants of Kido are participating in the peer-to-peer network and only a fraction of the nodes infected with earlier variants have been updated with new variants.

In terms of global distribution, we’re seeing the picture expected from initial infection counts. Brazil and Chile clearly stand out as regions in terms of peer counts:

Virus Watch|Bot-watching 2

Kaspersky Lab Expert
Posted April 10, 14:56  GMT
Tags: Botnets, Rogue Security Solutions, Kido

We just described what happens on Kido-controlled machines when the spambot Iksmas is installed and launched. However, Kido is also downloading a fake antivirus named SpywareProtect2009. Owners of infected computers can see the effects of the SpywareProtect2009 activity.

This is what happens: the fake antivirus starts to show messages every couple of minutes about purported infections as it supposedly ‘detects’ viruses, network attacks, browser issues and so forth:

Virus Watch|Bot-watching

Kaspersky Lab Expert
Posted April 10, 14:31  GMT
Tags: Botnets, Kido

As we wrote yesterday, the Kido botnet has installed another well-known worm – Iksmas, aka Waledac – on infected computers.

Iksmas was downloaded from the server goodnewsdigital.com, a resource that researchers have known about for some time and which is currently one of the main sources used to distribute Iksmas.

The variant that was downloaded by Kido was detected proactively by Kaspersky Anti-Virus as HEUR:Worm.Win32.Generic using heuristic technology. The new version of Kido (Worm.Win32.Kido.js) was also detected by the same heuristics and with the same verdict.

We decided to keep tabs on the botnet to see what the spambot worm Iksmas would do once it was installed on infected computers.

Opinions|Kido/Conficker: a sobering thought

Kaspersky Lab Expert
Posted April 02, 18:05  GMT
Tags: Botnets, Kido, DDoS

It's the second of April all over the world and the Internet still works. So far so good. :-)

There's been a huge amount of attention around Kido/Conficker/Downadup this week. As the vast majority of experts anticipated, nothing happened on the first of April.

All the hype actually reminded me of Sober, which strangely enough didn't get mentioned in the tons of stories I've been reading over the last few days. Just over three years ago we were dealing with a big epidemic - Email-Worm.Win32.Sober.y. Costin wrote about it here.

When Sober.y was ready to update, the whole world was watching, just like now. And, just like now, nothing happened on the first day. It will be interesting to see where and when the parallels between this side of Sober and Kido/Conficker will end.

A lot of the mainstream media have asked if the anticipated Kido update could just be a seasonal joke. The answer is a definite no. However, if you've heard rumours of the arrest of the authors - unfortunately, that was an April fool.


As already reported by F-Secure earlier, criminals are using the Kido/Conficker hype to push their rogue anti-virus to the public. Their solution will sometimes display false alerts on clean systems and try to lure their victims into buying a fake cleaning program for $39.95 from them. Contrary to what they were claiming on remove-conficker.org (website already taken down), their solution fails to detect Kido:

Software|Kido, you ain't kidding

Costin Raiu
Kaspersky Lab Expert
Posted January 23, 07:33  GMT
Tags: Kido

On January 13th we raised the alert level for the Kido family to orange: moderate risk. It's been quite a while since an 'old school' network worm has caused such a stir - Kido's managed it not only by relying on critical Windows SMB vulnerabilities to spread, but also by brute-forcing weak passwords in order to gain access to other machines on a local network.

Because of this (along with a few other things) Kido can be very painful to get rid of. That's why we've decided to release a free tool which can be used to clean infected machines.

You can grab our KidoKiller tool here.

Feel free to give it a try.
