Incidents|The Icefog APT Hits US Targets With Java Backdoor

Costin Raiu, VitalyK, Igor Soumenkov
Kaspersky Lab Experts
Posted January 14, 09:30 GMT
Tags: JavaScript, Targeted Attacks

In September 2013, we published our extensive analysis of Icefog, an APT campaign that focused on the supply chain – targeting government institutions, military contractors, maritime and ship-building groups.

Icefog, also known as the "Dagger Panda" by Crowdstrike's naming convention, infected targets mainly in South Korea and Japan. You can find our Icefog APT analysis and detailed report here.

Since the publication of our report, the Icefog attackers went completely dark, shutting down all known command-and-control servers. Nevertheless, we continued to monitor the operation by sinkholing domains and analysing victim connections. During this monitoring, we observed an interesting type of connection which seemed to indicate a Java version of Icefog, further to be referenced as "Javafog".


Meet "Lingdona"

The Icefog operation has been operational since at least 2011, with many different variants released during this time. For Microsoft Windows PCs, we identified at least 6 different generations:

  • The "old" 2011 Icefog – sends stolen data by e-mail; this version was used against the Japanese House of Representatives and the House of Councillors in 2011.
  • Type "1" "normal" Icefog – interacts with command-and-control servers via a set of ".aspx" scripts.
  • Type "2" Icefog – interacts with a script-based proxy server that redirects commands from the attackers to another machine.
  • Type "3" Icefog – a variant that uses a certain type of C&C server with scripts named "view.asp" and "update.asp"
  • Type "4" Icefog – a variant that uses a certain type of C&C server with scripts named "upfile.asp"
  • Icefog-NG – communicates by direct TCP connection to port 5600

In addition to these, we also identified "Macfog", a native Mac OS X implementation of Icefog that infected several hundred victims worldwide.

Research|Malware in metadata

Vicente Diaz
Kaspersky Lab Expert
Posted December 19, 10:07 GMT
Tags: JavaScript, Security Websites, Campaigns, PHP

One of the systems I have been running collects all our web malware detections for .ES domains. I usually check it out every morning, just in case I see something especially interesting or relevant. And when I find something, I like to create some statistics to have a global overview.

There are some things that I find every time I check my stats, like URLs that have been infected for more than 200 days, even after being notified. That speaks of the lack of security awareness at some companies, and of how some websites just get abandoned and become a hive of malware.

However, one of the things that drew my attention was the detection of many PHP backdoors with not-so-common extensions, such as JPG or MP3. Maybe a false positive? Worth taking a look!


On March 4th we spotted a large number of unusual emails being blocked by our Linux Mail Security product. The emails all contained the same PDF attachment (MD5: 97b720519aefa00da58026f03d818251) but were being sent from many different source addresses.

The emails were written in German and most were sent from German IP addresses. Below is a map showing the distribution of addresses:

The computer names referenced in the mail headers were often of the form Andreas-PC or Kerstin-Laptop (the names have been changed to protect the innocent) suggesting that they had been sent from German home computers.


This is the topic that cybercriminals are speculating about and using as a hook to infect victims. The campaign stems from malicious emails that are sent in bulk to victims:


In information security, talking about botnets means talking about malicious actions carried out through criminal activity. In essence, we assume there is always a hostile intent on the part of those who administer them. Please correct me, colleagues, and refute this if I'm wrong, but I think conceptually you agree with me.

BoteAR (developed in Argentina) adopts the concept of a "social network", although this seems, as yet, not fully realized. It offers a conventional and manageable botnet controlled via HTTP, but uses the crimeware-as-a-service model. Moreover, the author seems to adopt (maybe unknowingly) the business model of the affiliate systems originating in Eastern Europe that are used to spread malware, i.e. infect machines and earn revenue for each node you infect.

So far, nothing unusual; unfortunately we witness this kind of tactic every day. The striking thing about BoteAR, though, is that it tries to shield itself under a wrapper of security in an attempt to "fraternize" with its community.


Recently, we came across web malware that, instead of injecting an iframe pointing to a fixed existing address, generates a pseudo-random domain name depending on the current date. This approach is not new and is widely used by botnets for C&C domain name generation, yet it's not very common in the web malware we've seen so far.

After deobfuscation, we can see that an iframe redirecting to the malicious URL with the generated domain name is appended to the HTML file. All URLs consist of 16 pseudo-random letters in the .ru domain and execute a PHP script on the server side with sid=botnet2 as the argument:

Spam Test|Phishers are lovin’ McDonald's

Darya Gudkova
Kaspersky Lab Expert
Posted September 13, 14:34 GMT
Tags: Social Engineering, JavaScript

Today we came across a new, very sophisticated type of phishing. The user receives a message that, at first glance, appears to be from McDonald's. It states that the recipient has won the chance to participate in a survey and immediately receive remuneration of $80 for doing so.

Events|Fake VirusTotal website propagated Java worm

Jorge Mieres
Kaspersky Lab Expert
Posted May 24, 00:48 GMT
Tags: Botnets, DDoS, JavaScript

Infection strategies using JavaScript technology are on the agenda because of its status as a "hybrid": criminals looking to expand the coverage of their attacks recruit infected computers regardless of the browser or operating system the user runs.

In terms of criminal activities, Drive-by-Download techniques that inject malicious JavaScript into different websites are combined with social engineering, which requires users to sharpen their sense of "detection" more and more.

During this weekend, we encountered a fake website imitating VirusTotal, Hispasec's popular service for analyzing suspicious files, set up to infect users through the methods mentioned above.

Incidents|Live Twitter XSS

Georg 'oxff' Wicherski
Kaspersky Lab Expert
Posted September 21, 11:41 GMT
Tags: XSS, Website Hacks, JavaScript

It's one of those days: I just had one of those "Oh no..." moments when I logged into my Twitter account and a message box with my cookie suddenly popped up.

Apparently, there is an actively exploited XSS vulnerability on Twitter. From my first preliminary analysis, you'll have to hover over a link to activate it and so far I have just seen some proof of concepts from people I follow. However, this vulnerability looks at least semi-wormable, so better turn JavaScript off on Twitter for now!

Update (14:05 CEST): This vulnerability is confirmed to be exploitable automatically, with no user interaction. Turn off JavaScript for Twitter!

Update 2 (14:13 CEST): It is possible to load secondary JavaScript from an external URL with no user interaction, which makes this definitely wormable and dangerous.

Update 3 (14:24 CEST): Worm code for this vulnerability has been posted on IRC, making the rounds.

Update 4 (14:36 CEST): Worm is live already...

Update 5 (14:59 CEST): It appears Twitter now properly escapes links, that specific vulnerability seems closed.

Update on Infection Rates (posted by Costin): During the peak of the infection, we noticed roughly 100 posts per second which seemed to be related to the exploit. Thanks to Paul Roberts who pointed out a simple way of looking at the outbreak using Twitscoop:

The graph suggests 93 posts per second, which is not far from the peak we observed.

Although accurate numbers are hard to extrapolate from the existing data, the total number of malicious posts could have easily exceeded half a million.

Incidents|Twitter XSS in the wild

Stefan Tanase
Kaspersky Lab Expert
Posted September 07, 08:00 GMT
Tags: Social Networks, XSS, JavaScript

A new Twitter XSS exploit was identified in the wild as it started to be used by cybercriminals overnight.

The malicious JavaScript payload that's being distributed is rather simple. It uses an XSS (Cross-Site Scripting) vulnerability to steal the cookie of the Twitter user, which is transferred to two specific servers. Essentially, any account which clicked on the malicious links is compromised.

But how many people clicked the link? The bit.ly statistics for one of the malicious links are more than worrying, showing an alarming number: more than 100,000.

All clues point to Brazil as the originating country for this attack. First, the 2 domain names used to get the stolen cookies are registered under Brazilian names. More than that, one of them is actually also hosted in Brazil. Last, but not least, just take a look at the tweet used in distributing this malicious payload:

Pe Lanza da banda Restart sofre acidente tragico - it's a short tweet in Portuguese about the Brazilian pop band Restart suffering a "tragic accident". I'd say there's not much doubt about the origins of this attack.

We've added detection for the malicious scripts as Exploit.JS.Twetti.a and also made sure the URLs used in this attack are blacklisted. We are currently working on taking down the malicious URLs and minimizing the damage as much as possible. Twitter, along with other significant industry peers, has of course been notified.

UPDATE: Twitter has confirmed the vulnerability is fixed now.
