
Back in March 2012 we teamed up with Crowdstrike, the Honeynet Project and Dell SecureWorks in disabling the second version of the Hlux/Kelihos-Botnet. We thought that now would be a good time for an update on what has happened to that sinkhole-server over the last 19 months.

What we see now is what we expected. The botnet is getting smaller and smaller - victims have been disinfecting or reinstalling their PCs over time. At the moment we're counting about 1000 unique bots on average per month:

Number of unique bots since March 2012

Due to the botnet’s peer-to-peer-design, there could still exist an independent subset of the initial botnet which never connected to our sinkhole. But we think that the bot-count for any such subset would have evolved in a similar way, because most likely the bot-herders would leave them alone as well and concentrate on establishing "Hlux 3".

Most of the bots are still running under Windows XP. But we also saw some bots running under Windows Server 2008:

OS (last 14 days)

Most of the infected clients are located in Poland:

Countries (last 14 days)

The group behind Hlux is known to be adept at quickly renewing their illegal infrastructure. Since the group is also known to be behind the Waledac botnet, we think that this is unlikely to be the last we hear about this gang.

Last but not least, a quick review about the story of Hlux/Kelihos:

In September 2011 we performed the first takedown of Hlux. The criminals responsible for that botnet didn't show a major interest in taking counter-measures - they abandoned the botnet to its fate (of being under our control now) and immediately began to build a new botnet. So after a short time, Hlux 2 appeared on the radar and we did it again - poisoning the p2p-network to sinkhole it. And again, the criminals quickly rebuilt their botnet and Hlux 3 was born - within 20 minutes! In March 2013 the bad guys were faced with a new shutdown operation - initiated and performed live at the RSA Conference 2013 by our friends over at Crowdstrike.
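The figures quoted above (unique bots per month, OS and country breakdowns over the last 14 days) are the kind of aggregation a sinkhole operator runs over its check-in log. The script below is an added example, not Kaspersky Lab's sinkhole code; the log format (ISO timestamp, source IP, bot-reported OS string, GeoIP country code) and the sample lines are constructed for the example. It counts each source IP as one bot, which is the usual simplification and also the usual source of error (NAT and DHCP churn), so the caveat is noted in the code.

```python
"""Aggregate sinkhole check-ins into monthly unique-bot counts and
OS / country breakdowns (added example; format and data constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample check-ins: "<timestamp> <source IP> <OS> <country>".
# Not real Hlux telemetry; addresses are from documentation ranges.
SAMPLE_LOG = """\
2013-09-02T10:15:01Z 198.51.100.7 WinXP PL
2013-09-02T11:40:22Z 198.51.100.7 WinXP PL
2013-09-05T08:01:09Z 203.0.113.44 Win2008 DE
2013-09-19T17:25:44Z 198.51.100.7 WinXP PL
2013-10-01T00:10:00Z 192.0.2.10 WinXP PL
2013-10-03T12:34:56Z 192.0.2.10 WinXP PL
2013-10-04T09:00:00Z 198.51.100.7 WinXP PL
2013-10-12T21:45:13Z 203.0.113.99 WinXP US
2013-10-13T03:20:00Z 203.0.113.44 Win2008 DE
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
FIELDS = {"os": 2, "country": 3}  # column index of each attribute in a row


def parse_log(text):
    """Return a list of (timestamp, ip, os, country) tuples, skipping bad lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip rather than abort the whole report
        ts, ip, os_name, country = parts
        rows.append((datetime.strptime(ts, TS_FORMAT), ip, os_name, country))
    return rows


def unique_bots_per_month(rows):
    """Unique source IPs per calendar month (one IP is treated as one bot;
    NAT and DHCP churn make this an approximation in either direction)."""
    seen = defaultdict(set)
    for ts, ip, _, _ in rows:
        seen[ts.strftime("%Y-%m")].add(ip)
    return {month: len(ips) for month, ips in sorted(seen.items())}


def breakdown(rows, attribute, now_iso, days=14):
    """Unique IPs per OS or per country among check-ins in the last `days`
    before `now_iso`, most common first."""
    idx = FIELDS[attribute]
    since = datetime.strptime(now_iso, TS_FORMAT) - timedelta(days=days)
    per_key = defaultdict(set)
    for row in rows:
        if row[0] >= since:
            per_key[row[idx]].add(row[1])
    ranked = sorted(per_key.items(), key=lambda kv: -len(kv[1]))
    return {key: len(ips) for key, ips in ranked}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    now = "2013-10-14T00:00:00Z"  # constructed "report time" for the sample
    print("unique bots per month:", unique_bots_per_month(rows))
    print("OS (last 14 days):", breakdown(rows, "os", now))
    print("countries (last 14 days):", breakdown(rows, "country", now))
```

For a real sinkhole the same functions would run over the raw access log of the sinkhole server and the GeoIP lookup would be done at parse time rather than pre-filled in the log.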


While analyzing suspicious URLs I found out that more and more malicious URLs are coming from the .lc domain, which formally belongs to Saint Lucia, a country located in the eastern Caribbean Sea.

Our statistics confirm this trend.

Cybercriminals from different places of the world are actively using this domain, including cybercriminals from Brazil abusing free Web hosting available in that country.

How many legitimate domains in the .lc zone have you ever had to visit in your life? If the answer is zero, maybe it’s time to start filtering access to this domain, especially on the corporate Firewall / Proxy layer.

Follow me @dimitribest


It has been three years since we published Lock, stock and two smoking Trojans in our blog. The article describes the first piece of malware designed to attack users of online banking software developed by a company called BIFIT. There are now several malicious programs with similar functionality, including:

  • Trojan-Spy.Win32.Lurk
  • Trojan-Banker.Win32.iBank
  • Trojan-Banker.Win32.Oris
  • Trojan-Spy.Win32.Carberp
  • Trojan-Banker.Win32.BifiBank
  • Trojan-Banker.Win32.BifitAgent

In spite of its functionality no longer being unique, the last program on the list caught our attention.

Words and strings used by Trojan-Banker.Win32.BifitAgent

This particular piece of malware has a number of features that set it apart from other similar programs.


A lot has already been said about the latest Skype malware spread via instant messages. However, I just wanted to add something not mentioned yet. The first thing is about when the attack was first launched. According to the Google URL shortener service it first surfaced on Oct 6th:


In our previous blogpost, we discussed the Madi campaign, uncovered through joint research with our partner Seculert.

In this blogpost, we will continue our analysis with information on the Madi infrastructure, communications, data collection, and victims.

The Madi infrastructure performs its surveillance operations and communications with a simple implementation as well. Five command and control (C2) web servers are currently up and running Microsoft IIS v7.0 web server along with exposed Microsoft Terminal service for RDP access, all maintaining identical copies of the custom, C# server manager software. These servers also act as the stolen data drops. The stolen data seems to be poorly organized on the server side, requiring multiple operators to log in and investigate the data per each of the compromised systems that they are managing over time.

The services at these IP addresses have been cycled through by the operators for unknown reasons. There does not appear to be a pattern to which malware reports to which server just yet. According to sinkhole data and other reliable sources, the approximate locations of Madi victims are distributed mainly within the Middle East, but some are scattered lightly throughout the US and EU. It seems that some of the victims are professionals and academia (both students and staff) running laptops infected with the Madi spyware, travelling throughout the world:

Here is an approximate global map of the location of Madi victims, based on GeoIP data. While the overwhelming share of Madi victims in the Middle East is not best visualized in this graphic, it helps to understand the Madi reach:


Last week, we held our first Ibero-American virus analyst summit, to which we invited 34 journalists from 14 Latin American countries, as well as Spain and Portugal. Speakers and panelists included antivirus experts Fabio Assolini, Jorge Mieres, Vicente Diaz and Dmitry Bestuzhev.

Virus Watch|From Cocos Islands to Cameroon

Eugene Aseev
Kaspersky Lab Expert
Posted July 14, 15:01  GMT
Tags: Search Engines, Google, Malware Statistics

The cybercrime business is really no different from other types of business such as pasta making or selling spare parts for cars. It has its own expenses and overheads. A hacker, just like any businessman, tries to save on attacks and keep their costs down.

In general, a web attack needs a domain name and hosting in order to spread malicious files. Everything is fairly straightforward with regards to hosting: the criminals either buy it themselves or use compromised servers to store their files. Protective measures cannot extend to blocking whole file servers, as legitimate data may also be stored on them.

Domain names can be blocked quickly by integrated security solutions. Therefore, a black hat has to constantly change the domain names from which their attacks originate.

Registration of a second-level domain name is relatively expensive (on average from $5 to $20 per unit), which is why cybercriminals often try to save money and use free third-level domain names.

Lately, the co.cc and cz.cc services have been at the forefront of cybercriminal activity. Hundreds of domain names were being registered every day, spreading a huge amount of malware over the Internet.

However, a couple of weeks ago an unprecedented event occurred: Google removed all resources located at co.cc from its search results.

As a result, it was no longer profitable for cybercriminals to register domain names in this zone, especially for those who make use of search engines (e.g. for spreading rogue AV with the help of black-hat search engine optimization).
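The earlier post suggests filtering the .lc zone at the corporate proxy, and this post describes abuse of free third-level zones such as co.cc and cz.cc. Both come down to the same check on the hostname of each request, and the script below is an added example of it, not code from Kaspersky Lab or from any proxy product. The zone lists, the log format (timestamp, client IP, URL) and the sample lines are constructed; the edge cases a naive string match gets wrong (port numbers, upper case, trailing dots, raw IP literals, a ".lc" label that is not the TLD, and the zone apex itself) are handled explicitly. Whether a match blocks or only alerts is a policy decision; a block list for a whole ccTLD normally needs an exception list for the few legitimate sites the organization does use.

```python
"""Flag proxy requests to a watched ccTLD (.lc) or to free third-level
zones (co.cc, cz.cc) - added example with constructed lists and log lines."""
import ipaddress
from urllib.parse import urlsplit

# Zones from the posts above. In production these belong in a reviewed
# config file together with an allow list of exceptions.
WATCHED_TLDS = {"lc"}
FREE_THIRD_LEVEL_ZONES = {"co.cc", "cz.cc"}

# Constructed proxy log: "<timestamp> <client IP> <requested URL>".
SAMPLE_PROXY_LOG = """\
2011-07-14T10:00:01Z 10.0.0.5 http://example.com/index.html
2011-07-14T10:00:02Z 10.0.0.5 http://update.EVIL-example.lc:8080/dl.exe
2011-07-14T10:00:03Z 10.0.0.9 http://promo.example.co.cc/landing
2011-07-14T10:00:04Z 10.0.0.9 http://lc.example.org/about
2011-07-14T10:00:05Z 10.0.0.7 http://198.51.100.23/
2011-07-14T10:00:06Z 10.0.0.7 https://co.cc/
"""


def normalize_host(url_or_host):
    """Bare, lower-cased hostname from a URL or a Host header value
    (scheme, userinfo, port and path are dropped; trailing dot removed)."""
    if "://" not in url_or_host:
        url_or_host = "//" + url_or_host  # let urlsplit treat it as a netloc
    host = urlsplit(url_or_host).hostname
    if not host:
        return None
    return host.rstrip(".").lower()


def classify_host(value):
    """Return a reason string if the host falls under a watched zone, else None."""
    host = normalize_host(value)
    if host is None:
        return None
    try:
        ipaddress.ip_address(host)
        return None  # raw IP literal: TLD and zone rules do not apply
    except ValueError:
        pass
    labels = host.split(".")
    # ccTLD rule: the LAST label must be the TLD; "lc.example.org" is not .lc
    if len(labels) >= 2 and labels[-1] in WATCHED_TLDS:
        return f"tld:.{labels[-1]}"
    # free third-level rule: needs at least one label below the zone apex,
    # so "co.cc" itself (the provider's own site) is not a registration
    if len(labels) >= 3:
        zone = ".".join(labels[-2:])
        if zone in FREE_THIRD_LEVEL_ZONES:
            return f"free-subdomain:{zone}"
    return None


def scan_proxy_log(text):
    """Return (client, host, reason) for every request that matches a rule."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip
        _, client, url = parts
        reason = classify_host(url)
        if reason:
            hits.append((client, normalize_host(url), reason))
    return hits


if __name__ == "__main__":
    for client, host, reason in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host} [{reason}]")
```

The same `classify_host` function can be called from a proxy's URL-rewrite or ACL hook, or run offline over a day of access logs to see how much legitimate traffic a new rule would catch before it is enforced.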

Virus Watch|Monthly Malware Statistics, April 2011

Kaspersky Lab Expert
Posted May 03, 08:34  GMT
Tags: Malware Statistics

The following statistics were compiled in April using data from computers running Kaspersky Lab products:

  • 221,305,841 network attacks blocked;
  • 73,211,764 attempted web-borne infections prevented;
  • 189,999,451 malicious programs detected and neutralized on users’ computers;
  • 86,630,158 heuristic verdicts registered.

DDoS attack on LiveJournal

The DDoS attack that targeted LiveJournal.com at the end of March continued into early April and was big news in Russia. The fact that we had been monitoring one of the botnets responsible for the attack meant we discovered quite a few details about the incident.

Initially, every computer in the botnet received commands to attack one or two links per day. On 4 April, however, the bots received a list of 36 links that included http://livejournal.com and http://livejournal.ru. The other links in the list led to popular pages in the Russian-language blogosphere. The pages in question were unavailable at various times on 30 March, 4 and 6 April. The attacks stopped after 6 April.

The botnet we monitored was based on the popular Optima bot which appeared for sale at the end of 2010. Several indicators suggest that the zombie network behind the DDoS attacks brought together tens of thousands of machines infected with Optima. Apart from DDoS attacks, the bot’s functionality includes downloading other executable files to infected computers and stealing passwords for a number of popular programs.

Research|The smart screensaver

Sergey Golovanov
Kaspersky Lab Expert
Posted January 25, 08:42  GMT
Tags: Malware Statistics, Vulnerability Statistics

Kaspersky Security Network is an integral part of Kaspersky Lab technology. With its ‘cloud’ architecture KSN automatically detects and blocks unknown malware and infected/dangerous websites, filters spam, protects children from unwanted content and lots more. Our aim is for users to always have as full a picture as possible of the current threat landscape around the world. That’s why we have come up with the Irida screensaver. It displays statistics about the latest threats that have been detected and blocked using KSN and is updated every 12 hours.

Install our screensaver and discover the full potential of Kaspersky Security Network! Download at: http://irida.kasperskyclub.com/scr.zip

Research|Internal needs on the black market

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted January 17, 00:03  GMT
Tags: Malware Statistics, Campaigns, Email, ZeuS

At the end of 2010 I noticed a big wave of recruitment spam for money mule work. Initially, the criminals used spam sent from hacked email accounts. I even got some messages like this from people I know personally:

Right after that, to speed-up the recruitment process, the messages came via Windows Live Messenger (aka MSN):

And of course, the criminals also used legitimate accounts that had been hacked to spread their messages. Finally, right before the end of the year I saw a big campaign on Facebook, especially targeting Spanish speaking communities. But yesterday I was completely surprised when I found an advertising banner on a legitimate IT site leading to the same page – money mule recruitment.

All these developments make me think there is a huge demand on the black market for money mule workers. The criminals seem to have enough stolen information like credit card PINs, as well as details for online banking accounts and payment systems. Their problem now is how to launder the money they have made. Our statistics confirm there is a clear growth in Trojan-Spy malware able to steal any kind of personal information. This includes well known Trojans like Zbot (Zeus) or SpyEye.

It’s worth remembering that money mule activity is considered illegal. Basically, if nobody wanted to launder their money, cybercriminals would find it much harder to make money from stolen account details. Everyone can contribute in their own way to global security, not just AV and other security companies.