
Virus Watch|From Cocos Islands to Cameroon

Eugene Aseev
Kaspersky Lab Expert
Posted July 14, 15:01 GMT
Tags: Search Engines, Google, Malware Statistics

The cybercrime business is really no different from other types of business such as pasta making or selling spare parts for cars. It has its own expenses and overheads. A hacker, just like any businessman, tries to save on attacks and keep their costs down.

In general, a web attack needs a domain name and hosting in order to spread malicious files. Hosting is fairly straightforward: the criminals either buy it themselves or use compromised servers to store their files. Protective measures cannot extend to blocking whole file servers, as legitimate data may also be stored on them.

Domain names can be blocked quickly by integrated security solutions. Therefore, a black hat has to constantly change the domain names from which their attacks originate.

Registration of a second-level domain name is relatively expensive (on average from $5 to $20 per domain), which is why cybercriminals often try to save money and use free third-level domain names.

Lately, the co.cc and cz.cc services have been at the forefront of cybercriminal activity. Hundreds of domain names were being registered every day, spreading a huge amount of malware over the Internet.

However, a couple of weeks ago an unprecedented event occurred: Google removed all resources located at co.cc from its search results.

As a result, it was no longer profitable for cybercriminals to register domain names in this zone, especially for those who make use of search engines (e.g. for spreading rogue AV with the help of black hat search engine optimization).

Yesterday the US government released some home videos of Osama Bin Laden in his Pakistani hideout. Screenshots from the video were used for malicious blackhat SEO via Google Images.

Many legitimate nginx-based Web sites were attacked and exploited by taking advantage of the CVE-2009-2629 vulnerability. The compromised sites were injected with the following script:

Instantly this news became very fruitful for all kinds of cybercriminals. Here is some of the proof we found:

1) SEO-optimized Google image searches leading to a malicious site with an exploit for the “Help Center URL Validation Vulnerability”. The exploit drops a malicious executable, a password stealer, onto the system.

At the moment we found it, Kaspersky Anti-Virus detected the sample as Heur.Trojan.Win32. Meanwhile, the Jotti multiscanner results were 1/20.

The exploit also works with Opera and Firefox browsers by dropping into the system a malicious PDF file:

2) SEO optimized for all non-Russian Google searchers, leading to rogue AVs, in particular “XP Anti-Virus 2011”, which is quite aggressive in blocking Internet access and extorting money for activation.

(Note: the third option doesn’t allow browsing anyway.)

The infection scheme is quite simple: a victim searches for pictures on the topic “Royal Wedding”; when the click arrives with a Google referrer, a malicious script redirects the victim to a malicious .cc domain showing a classic fake AV window.
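As an added example, not code from the original posts or from Kaspersky Lab, and serving both the free third-level-domain economics of the co.cc post above and the Google-referrer-to-.cc redirect chain described here: a small Python checker that parses constructed proxy log lines, flags requests to hosts registered under the free zones the posts name (co.cc, cz.cc), and raises the severity when the request was referred from a Google web or image search result. The log format, the sample lines and the Google referer paths (/search, /imgres, /images) are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Free third-level zones named on this page (co.cc, cz.cc). The set is constructed
# for the example; in practice it would be fed from threat intelligence.
FREE_THIRD_LEVEL_ZONES = {"co.cc", "cz.cc"}

# Google search/image result paths assumed for this example (hypothetical list).
GOOGLE_SEARCH_PATHS = ("/search", "/imgres", "/images")

# Constructed proxy log lines: timestamp, client, method, URL, status, referer ("-" if none).
SAMPLE_LOG = """\
2011-05-02T10:12:03Z 10.0.0.5 GET http://royal-wedding-pics.example/index.php 200 http://www.google.com/search?q=royal+wedding
2011-05-02T10:12:04Z 10.0.0.5 GET http://scan-now.example.co.cc/?id=42 302 http://www.google.com/imgres?q=royal+wedding
2011-05-02T10:12:05Z 10.0.0.5 GET http://scan-now.example.co.cc/fakeav.html 200 http://www.google.com/imgres?q=royal+wedding
2011-05-02T10:13:00Z 10.0.0.7 GET http://static.example.cz.cc/logo.png 200 -
2011-05-02T10:14:00Z 10.0.0.9 GET http://www.example.com/ 200 http://www.google.com/search?q=news
"""


def free_zone(host):
    """Return the free third-level zone a host is registered under, or None.

    The host must have at least one label below the zone (evil.co.cc, not
    co.cc itself) to count as a registration in that zone.
    """
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 3):
        if len(labels) > n and ".".join(labels[-n:]) in FREE_THIRD_LEVEL_ZONES:
            return ".".join(labels[-n:])
    return None


def is_google_search_referer(referer):
    """True if the referer is a Google web/image search result page (assumed paths)."""
    if not referer or referer == "-":
        return False
    parsed = urlparse(referer)
    host = (parsed.hostname or "").lower()
    # google.com, google.co.uk, images.google.de ... but not lookalikes like notgoogle.com
    if not re.fullmatch(r"(?:[a-z0-9-]+\.)*google\.[a-z]{2,3}(?:\.[a-z]{2})?", host):
        return False
    return parsed.path.startswith(GOOGLE_SEARCH_PATHS)


def flag_proxy_lines(lines):
    """Flag requests to free third-level zones; a Google search referer raises severity."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed line: skip it rather than crash on it
        ts, client, _method, url, _status, referer = fields
        zone = free_zone(urlparse(url).hostname or "")
        if zone is None:
            continue
        from_search = is_google_search_referer(referer)
        findings.append({
            "time": ts,
            "client": client,
            "url": url,
            "zone": zone,
            "severity": "high" if from_search else "medium",
            "reason": ("Google search click landed on a %s host" % zone)
                      if from_search else ("request to a %s host" % zone),
        })
    return findings


if __name__ == "__main__":
    for f in flag_proxy_lines(SAMPLE_LOG.splitlines()):
        print(f["severity"], f["client"], f["url"], "-", f["reason"])
```

Run on the constructed log, the two co.cc requests that follow a Google Images click come out as high severity and the bare cz.cc fetch as medium; the legitimate sites are not flagged. Zone matching is done on label suffixes rather than a substring search, so a host such as co.cc.example.com is not mistaken for a registration in co.cc.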

3) Scams involving a fake satellite TV service for which the victim is asked to pay. And of course, the credit card details are stolen once the payment is accepted.

4) Spam on Twitter abusing trending topics (TT) and leading to miscellaneous junk content sites.

We highly recommend using the latest patched browser with a plugin like NoScript, not clicking on any unknown links, and keeping your AV updated with real-time protection working.


In this latest installment of the Lab Matters webcast, senior malware analyst Denis Maslennikov provides an inside look at the mobile threat landscape.

Maslennikov discusses the recent surge in SMS trojans targeting the Android platform, the use of search engine optimization techniques to spread mobile malware and the financial incentives involved.

He also talks about how attacks differ between mobile platforms and offers some startling predictions about what we'll see in the coming years.


Android users searching for pornography on their smart phones could be in for a costly surprise.

During the course of researching the origin of the first SMS Trojan for Android devices, I found a new Android package masquerading as a porn media player but which instead sends SMS messages to premium rate numbers.

The SMS messages cost $6 each and are sent silently in the background without the user's knowledge.

The latest Android malware (detected as Trojan-SMS.AndroidOS.FakePlayer.b) is being distributed via clever search engine optimization (SEO) techniques, a clear sign that cyber-criminals are making every effort to infect mobile devices. The use of SEO is a significant development that confirms our belief that mobile malware - especially on Android devices - is a potentially lucrative business for malicious hackers.

During my recent research into PHP backdoors, bots and shells, I came across a few IRC servers which looked pretty suspicious. After lurking in these channels I noticed that most of them were all about controlling botnets, automated exploitation and credit card fraud. This isn’t news – channels and IRC servers like this have been a hot media topic for the last five years. The question is, though, how can we find them so we can shut them down?

Digging a bit deeper in some of the channels, and looking at the websites people were talking about in these channels, I started to see patterns. For example, some of the websites use the same words, phrases and layout. By combining these terms and creating a simple rotation algorithm I could use search engines to find websites offering illegal stuff such as credit card data and skimming tools.

Opinions|Where will real-time search take us?

Kaspersky Lab Expert
Posted December 17, 20:27 GMT
Tags: Social Networks, Search Engines

As you've most probably read by now, search engine providers have been working on providing so-called real-time search results. These results include queries to, for instance, Facebook, Twitter and MySpace.

We may not all realize this, but we have just turned yet another technological corner. Everyone will have exponentially more and faster access to personal information now including data from social networks. Everyone naturally includes cybercriminals.

In my opinion, cybercriminals now have a great new opportunity to combine two major threat vectors - Black Hat Search Engine Optimization and social networks. Now turnaround will be faster and more people will see the malicious links created by black hat SEO – something search engines have already failed to control.

This is important because, to date, attacks via social networking sites aren't as prevalent or sophisticated as they could be. The gang behind Koobface has recently stepped up their game but overall isn't really technically advanced. In fact, from where I sit, the development of malware that's targeting social networks is really reminiscent of that of IM-Worms some years back. It's the same situation: your friend's compromised account is used to persuade you to click on a malicious URL. So we'll probably soon see the social engineering approaches used to spread social networking threats following a similar evolutionary path.

I'm also concerned about how real time search results will affect our online privacy.

Clearly, it's no coincidence that Facebook introduced their new set of privacy guidelines just days before Google introduced real time search. The recommended Facebook settings - which surely will be used by the vast majority of the Facebook community - put a lot of information into the public and semi-public domains.

Yes, this approach will definitely make real time search results more effective. But I definitely think that the recommended settings expose too much PII.

What does this hold for the future? I'm convinced that real time search is just in its infancy. I'm positive that soon enough search engine providers will offer everyone the opportunity to use real time search with their Facebook/Twitter/MySpace/etc. credentials. This would then allow people to more effectively crawl what their friends - or friends of friends - are up to. An opportunity that the cyber criminals will surely not let go to waste.


Research|The Google variable

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted January 05, 17:38 GMT
Tags: Rogue Security Solutions, Search Engines, Google

Drive-by downloads became increasingly common in 2008. With webmasters becoming more aware of security issues, the criminals out there are always looking for new techniques to ensure that their malware survives longer.

And what could be easier than to use Google? Everybody does – so why shouldn’t virus writers? Recently we’ve been seeing attacks which work in the following way.