Patch Tuesday July 2011

Kurt Baumgartner
Kaspersky Lab Expert
Posted July 12
Discussion of this month's patch Tuesday is overshadowed by the massive releases from spearphishing, web and SQLi attacks reported in the media. Four bulletins are being released to address 22 CVE records, or sets of vulnerabilities.

Two of the vulnerabilities immediately enabling remote code execution are the Bluetooth-related vuln, however unreliable attacking it may be, and a Visio vuln. A set of vulnerabilities in the CSRSS leading to elevation of privilege and a long set of win32k flaws are also addressed.

Microsoft prioritizes deployment of the Bluetooth patch on Vista and Windows 7 client platforms highest. Servers should not be affected. I suppose that in close working environments, it could potentially enable a worm. But the likelihood of another Cabir is low. High value targeted attacks seem to be more of a risk.

The Visio vulnerability was publicly known and PoC released since at least August of last year. Some of our generic detections most likely would have prevented exploitation of this vuln. We are researching for any evidence of related exploitation and will update accordingly.

If you see any problems from the kernel level patches, please comment below, I am interested. Win32k modifications have caused users problems in the past. Cheers to problem free patching!


Events|Cabir, the star of the show

Magnus
Kaspersky Lab Expert
Posted March 20, 13:10 GMT
Tags: Mobile Malware, Conferences, Exhibitions, Cabir

Tomorrow will be the last day of CeBIT and everyone's extremely busy. We still found the time to visit the Physikalisch-Technische Bundesanstalt (the national metrology institute providing scientific and technical services) in Braunschweig together with a German TV crew.

And why did we go there? Although the room may look like a big recording studio, the spikes on the wall aren’t to ensure clean sound, but to disperse all radio waves inside the room. Additionally, the metal plated walls and floor create a Faraday cage, making sure that all waves stay inside the room. In short, it’s a perfect location for mobile malware testing.

This gave us the opportunity to show the cameras just how Cabir, the first known smartphone virus, spreads. There are only a few known cases of Cabir infections in the wild in Germany, but everyone in the room understood that mobile malware is a real threat.

The chances of getting infected in your home country may be low. But there are other regions – like parts of Asia – where Cabir is more widespread. And that's why we never tire of repeating the security professionals' mantra: never install a program on your mobile phone if you're not sure where it came from, and if you don't need Bluetooth, turn it off! Even (or perhaps especially) at CeBIT.


Incidents|Mobile malware and the Muscovites

Aleks
Kaspersky Lab Expert
Posted December 20, 13:29 GMT
Tags: Mobile Malware, Cabir, Bluetooth

Yesterday one of our employees was out for the evening and, naturally enough, used the metro. As you may know, the Moscow Metro is one of the busiest mass transit systems in the world, transporting approximately 9 million people a day.

With so many passengers, a number of whom now have smartphones, what are the chances of infection by Cabir or another virus for mobiles? Hard to tell exactly - all we do know is that while descending to the station, our employee detected an attempt by Cabir to infect her phone.

This is the third time she's experienced this in two months. You may think that this is a low frequency. You may also wonder why an employee of Kaspersky Lab is walking around with a phone in 'visible to all' mode.

In my opinion, it shows that Cabir has already spread far and wide, in Moscow if not in other regions of Russia. OK, three times in two months, when compared to the daily attacks which PCs are subjected to, isn't that high a frequency. And Cabir doesn't, theoretically, pose that much of a danger.

But this case illustrates the way in which mobile malware is gathering momentum. I don't want to think about what will happen when someone - and this will happen sooner, rather than later - releases a viable worm for mobiles which is written with the intention of doing serious damage. Seems like the Metro might become a very dangerous place for smartphone owners.


News|Cabir's first year

Aleks
Kaspersky Lab Expert
Posted June 14, 11:30 GMT
Tags: History of Malware, Cabir

Today, Cabir celebrates its first birthday. One year ago, 29a sent a sample of their latest creation to AV vendors worldwide via Virusbuster, a Spanish virus collector. Kaspersky Lab was first to detect this proof of concept malware, which turned out to be a worm that targeted mobile phones running under the Symbian 60 OS with Bluetooth capabilities.

The source code for the original Cabir appeared on the Net in late December 2004, which led to a number of copycat variants appearing in the wild. Cabir infections have been registered in over 30 countries to date.

In addition, there are now close to 100 malicious programs targeting mobile phones, most of which are Trojans. This highlights two important aspects: operating systems for mobile devices are very insecure thus far, and users need to realize that mobile devices are vulnerable to the same type of attacks as regular PCs.

So, how soon will it be before the proof-of-concept trickle turns into a flood? It's difficult to be sure. However, there are two issues to consider. First, experience has shown that malware authors target systems that are commonly used. Ownership of mobile devices hasn't yet reached critical mass; but when it does, they will prove an irresistible target. Second, it's clear from developments during the last two years that the computer underground has realized the potential for making money from malicious code in a world where Internet connectivity has become central to business.

Today's threats are largely geared towards making money illegally: through fraud, unwanted advertising (including spam) and extortion. Since mobile devices offer users the same capabilities as PCs, they also offer the same rewards for the criminal underground.


Incidents|Cabir in the UK

David
Kaspersky Lab Expert
Posted January 18, 14:59 GMT
Tags: Mobile Malware, Cabir

Our UK support department has now had reports of Cabir. Looks like the virus is continuing to spread: this brings the tally to 10 countries.


Software|Smartphone clean up

Yury
Kaspersky Lab Expert
Posted January 15, 13:18 GMT
Tags: Mobile Malware, Cabir

We have put together a new removal tool that detects and disinfects malware on smartphones and other mobile devices running Symbian OS.

This new version cleans up after Lasco and Skuller as well as Cabir.

It's available for download and is effective until May 1, 2005.

System Requirements:

OS Supported: Symbian OS 6.1, 7.0.
Devices supported: Series 60 smartphones.

Note: This version was tested on Nokia 3650, Nokia 7650, Nokia 6600, Siemens SX1.

Download the utility directly to your smartphone via WAP or download it to your PC and copy it to the device (size is 9.2 KB).

Install it as a common Symbian application package by opening the message that you receive when downloading the file.

You will need to download and install the utility again every time you would like to update the antivirus databases (we recommend that you do this when you hear of new malware for Symbian OS).


Incidents|Cabir spreading in Moscow

Yury
Kaspersky Lab Expert
Posted January 13, 14:18 GMT
Tags: Mobile Malware, Cabir

Since we at Kaspersky confirmed a Cabir infection here in Moscow, we've had several more reports of Cabir on the loose. In fact, someone has reported that they were infected as far back as 2 weeks ago.

In all cases, infected users had their Bluetooth set to 'visible to all'. We really do urge all users to turn the 'visible to all' option off and to take advantage of our Cabir removal tool available on our wap site.


News|Cabir reaches Moscow

Aleks
Kaspersky Lab Expert
Posted January 12, 10:49 GMT
Tags: Mobile Malware, Cabir, Malware Statistics

Today someone brought us a Nokia 7610 phone infected by Cabir. After analysis, it proved to be Cabir.a. This is the first documented infection by Cabir in Russia.

Mikko Hypponen from F-Secure has also told us that they've received reports about Cabir from Turkey and Vietnam, so Russia moves to ninth place in the list of countries where Cabir has been spotted in the wild:

1. The Philippines
2. Singapore
3. United Arab Emirates
4. China
5. India
6. Finland
7. Turkey
8. Vietnam
9. Russia


Incidents|Cabir source code published

Aleks
Kaspersky Lab Expert
Posted December 28, 13:12 GMT
Tags: Cabir

Over the last few days we have seen several versions of Cabir. They are not very different from each other, just in unimportant ways.

Today we found out that the source code that these different versions were compiled from was published on the Internet. This means it can be accessed by anyone.

As far as we know, until now the Cabir source code was accessible only to a limited number of people, including members of the international virus writing group 29A. It was a 29A member who wrote the original version of Cabir. We think it was planned to publish the source code in the next edition of the group's electronic journal.

However, it looks like someone has already got access to the code, and now it's public. This will lead to a lot of new versions of Cabir, which has already been detected in the wild in 7 countries.


News|More on Cabir.e

Aleks
Kaspersky Lab Expert
Posted December 24, 10:09 GMT
Tags: Cabir

We have tested Cabir.e. The author has simply removed the MessageBox that Cabir.a opened when infected phones were switched on. The dialog box with a request to approve installation after worm files have been received via Bluetooth still opens.

So far, Cabir.e is not in the wild. We will monitor the situation and alert users if Cabir.e does escape.
