

On February 17th (MON) - 18th (TUE), 2014 we were at an event in Tokyo called “CODE BLUE”, a new international information security conference originating from Japan.

Even though this conference was being held for the first time, no fewer than 400 visitors attended, coming from about 10 different countries.

The overall atmosphere at the event was kind and friendly, and everything seemed to go smoothly and swiftly.

Topics on the first day were the keynote by Jeff Moss, followed by presentations about “The Current State of Automotive Security”, “A Security Barrier Device”, “Remote linux exploits” and hardware- and software-related hard disk matters.

For the Japanese speakers among you there’s a more detailed review of the event here.


A short while ago, we came across a set of similar SWF exploits and were unable to determine which vulnerability they exploited.

We reported this to Adobe and it turned out that these ITW exploits targeted a 0-day vulnerability. Today, Adobe released a patch for the vulnerability.

This post provides a technical analysis of the exploits and payload that we discovered.

All in all, we discovered a total of 11 exploits, which work on the following versions of Adobe Flash Player:


All of the exploits target the same vulnerability and all are unpacked SWF files. All have identical ActionScript code, which performs an operating system version check. The exploits only work under the following Windows versions: XP, Vista, 2003 R2, 2003, 7, 7 x64, 2008 R2, 2008, 8, 8 x64. Some of the samples also have a check in place which makes the exploits terminate under Windows 8.1 and 8.1 x64.

Operating system version check algorithm


Malicious macro-enabled Microsoft Office document
The last interesting item found on the same malicious cybercriminal server is a .docm file (a macro-enabled document according to Microsoft Office standards).

It is a malicious file that when opened shows its victims the following content:


To complement the findings already mentioned, the same cybercriminal’s server contains additional interesting things. Before describing them, I want to give a little more information about the email database used to spam victims in order to infect them with the Betabot malware.

E-mail database
How big is the list of email addresses used to spam victims? It contains 8,689,196 different addresses. It is a very complete database. Even if only 10% of the machines belonging to the people on this list get infected, the cybercriminals would gain more than 800,000 infected PCs!

The geographic distribution of the emails is already published here. Looking only at the most interesting domains, those belonging to governments, educational institutions and the like, the number of addresses used to spam and to infect is still very high:

Domain    Number of emails
org       13772
edu       2015
gov       1575
gob       312

Incidents|A cross-platform java-bot

Anton Ivanov
Kaspersky Lab Expert
Posted January 28, 14:30 GMT
Tags: Apple MacOS, Botnets, Malware Technologies, Sun Java, Linux

Early this year, we received a malicious Java application for analysis, which turned out to be a multi-platform bot capable of running on Windows, Mac OS and Linux. The bot was written entirely in Java. The attackers used vulnerability CVE-2013-2465 to infect users with the malware.

Initializing and decrypting strings

To make analyzing and detecting the malware more difficult, its developers used the Zelix Klassmaster obfuscator. In addition to obfuscating bytecode, Zelix encrypts string constants. Zelix generates a different key for each class – which means that in order to decrypt all the strings in the application, you have to analyze all the classes in order to find the decryption keys.

String initialization and decryption is implemented in the static initializer code (<clinit>).

Encrypted string initialization


Last week a good friend (@Dkavalanche) mentioned on his Twitter account his findings about a Betabot malware campaign that was spammed via fake emails in the name of the Carabineros of Chile. It piqued my attention, so I dug a little and this is what I found:

The original .biz domain used in the malicious campaign was bought by someone allegedly from Panama. It is a purely malicious domain used exclusively for cybercriminal activity; however, the server itself is hosted in Russia! The same server contains several folders and files, which we will discuss a little later. First, let’s look at the initial malicious binary sent via spoofed email, and then at the other things. I will only focus on the most interesting details.

This is the name of the original binary. Its English translation is “Criminal complaint”.
The file is compiled with fake version information and claims to be a legitimate tool built by NoVirusThanks, called NPE File Analyzer.

Incidents|Trojan ChePro, the CPL storm

Fabio Assolini
Kaspersky Lab Expert
Posted December 27, 12:37 GMT
Tags: Internet Banking, Malware Technologies

Malware using the .CPL extension is nothing new for us, but it’s still interesting that almost all the banking malware currently originating in Brazil is distributed in this format. It doesn't matter whether it's a drive-by download or a simple attack based on social engineering, users find themselves at the epicenter of a real CPL storm every day. We decided to look into this trend and find out why Brazilian cybercriminals now favor this approach.

CPL files are applets used in the Windows Control Panel. They are executed through rundll32.exe, which can launch a wide variety of actions defined in DLLs; among the many things it can do is invoke Control Panel applets. When Windows first loads a Control Panel item, it retrieves the address of the CPlApplet() function and subsequently uses that address to call the function and pass messages to it.

Each cybercriminal has a preferred modus operandi to distribute this kind of malware. Most of them like to put the CPL file inside a ZIP, but we have also found it inserted inside RTF files. This kind of malware belongs to the Trojan-Banker.Win32.ChePro family, first detected in Russia in October 2012.

Typical distribution of ChePro samples: inside a ZIP file
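As an added defender-side example (not code from the post or from Kaspersky Lab), a small Python check that scans a ZIP attachment for Control Panel applets, the ChePro delivery pattern described above. The archives it inspects are constructed inline; the MZ check only tells a real PE file apart from an arbitrary file renamed to .cpl.

```python
import io
import zipfile


def build_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; used only to construct
    the sample attachments for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def scan_zip_for_cpl(zip_bytes):
    """Return [(member_name, looks_like_pe)] for every archive member whose
    extension is .cpl. A Control Panel applet is a DLL that rundll32.exe
    loads and drives through CPlApplet(), so a .cpl arriving as a mail
    attachment deserves a closer look."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if not info.filename.lower().endswith(".cpl"):
                    continue
                with zf.open(info) as member:
                    # PE images (EXE/DLL/CPL) start with the "MZ" DOS header.
                    looks_like_pe = member.read(2) == b"MZ"
                hits.append((info.filename, looks_like_pe))
    except zipfile.BadZipFile:
        # A corrupt or truncated archive is not a CPL finding; report nothing.
        pass
    return hits


# Constructed samples: a harmless PDF-only archive and one mimicking the
# ChePro pattern (a PE file with the .cpl extension inside a ZIP).
BENIGN = build_zip({"boleto.pdf": b"%PDF-1.4\n"})
SUSPECT = build_zip({"docs/Boleto.CPL": b"MZ" + b"\x00" * 62,
                     "readme.txt": b"hello"})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_zip_for_cpl(blob))
```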


We have discovered a new Tor-based malware, named "ChewBacca" and detected as "Trojan.Win32.Fsysna.fej". Adding Tor to malware is not unique to this sample, but it's still a rare feature.

Lately Tor has become more attractive as a service to ensure users' anonymity. Criminals also use it for their activities, but they are only slowly adopting it to host their malicious infrastructure. This capability was added to Zeus recently, as reported by my colleague Dmitry Tarakanov here. In addition, the CrimewareKit Atrax and the Mevade-based botnet became known because of this.


Yesterday morning we received a sample from Cuba of a piece of malware that, after infecting a victim’s machine, looks for files with the following audio and video extensions: .mp3, .mp4, .mpg, .avi, .mkv, .vob, .dat, .rmvb, .flv, .wav


Back in March 2012 we teamed up with Crowdstrike, the Honeynet Project and Dell SecureWorks to disable the second version of the Hlux/Kelihos botnet. We thought that now would be a good time for an update on what has happened to that sinkhole server over the last 19 months.

What we see now is what we expected. The botnet is getting smaller and smaller - victims have been disinfecting or reinstalling their PCs over time. At the moment we're counting about 1000 unique bots on average per month:

Number of unique bots since March 2012

Due to the botnet’s peer-to-peer design, there could still exist an independent subset of the initial botnet which never connected to our sinkhole. But we think that the bot count for any such subset would have evolved in a similar way, because most likely the bot-herders would leave it alone as well and concentrate on establishing "Hlux 3".

Most of the bots are still running under Windows XP. But we also saw some bots running under Windows Server 2008:

OS (last 14 days)

Most of the infected clients are located in Poland:

Countries (last 14 days)

The group behind Hlux is known to be adept at quickly renewing their illegal infrastructure. Since the group is also known to be behind the Waledac botnet, we think that this is unlikely to be the last we hear about this gang.

Last but not least, a quick review about the story of Hlux/Kelihos:

In September 2011 we performed the first takedown of Hlux. The criminals responsible for that botnet didn't show a major interest in taking counter-measures - they abandoned the botnet to its fate (of being under our control now) and immediately began to build a new botnet. So after a short time, Hlux 2 appeared on the radar and we did it again - poisoning the p2p network to sinkhole it. And again, the criminals quickly rebuilt their botnet and Hlux 3 was born - within 20 minutes! In March 2013 the bad guys were faced with a new shutdown operation - initiated and performed live at the RSA Conference 2013 by our friends over at Crowdstrike.
