The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1
Latest posting
By rating
By popularity

Join our blog

You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.


For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server. This approach is rather inherent to many amateur virus-writers.

However, there were a few things that attracted our attention:

  • The public e-mail server in question was Bulgarian - mail.bg.
  • The compilation path string contained Korean hieroglyphs.

The complete path found in the malware presents some of the Korean strings:


The “rsh” word, by all appearances, means a shortening of “Remote Shell” and the Korean words can be translated in English as “attack” and “completion”, i.e.:


We managed to identify several targets. Here are some of the organizations that the attackers were interested in targeting:

The Sejong Institute
                               The Sejong Institute is a non-profit private organization for public interest and a leading think tank in South Korea, conducting research on national security strategy, unification strategy, regional issues, and international political economy.                               

Research|SpyEye vs. Tracker

Dmitry Tarakanov
Kaspersky Lab Expert
Posted October 17, 16:02  GMT
Tags: Botnets, Spyware, ZeuS, SpyEye

It has become clear that the creator of the banking Trojan SpyEye have added plugin support to their code. In this new design, these plugins can be used by third parties to add extra functions to the core bot. The plugins are DLLs stored in the bot’s configuration file. Among the core plugins created for SpyEye is customconnector. As its name implies, this supports the bot’s communications with the botnet C&C or its collector. The collector is a malicious server which receives data harvested from the victim’s computer; it can be distinct from the C&C server. Since the creator of SpyEye has outsourced the botnet’s links to the C&C server, different SpyEye operators can create unique protocols governing communications between bot and server. Naturally, these protocols could make it more difficult to track the activity of SpyEye botnets. Despite this, cybercriminals have not, so far, rushed to take advantage of this opportunity: SpyEye’s old protocol in the basic customconnector.dll is still in use. Even so, we have recently spotted some changes related to this plugin.

Each plugin has a configuration file attached. If the plugin is customconnector.dll, its configuration file will be customconnector.dll.cfg. Cybercriminals can insert plain-text fragments into this config file containing settings for the plugin’s functions. Since customconnector.dll is a communication plugin, its config file has always identified the botnet’s C&C servers. The botnet operator could easily switch to a new C&C server by introducing the new URLs into the text file and updating the configuration file in the botnet.

Here is a sample configuration file:

Figure 1. A configuration file for customconnector.dll


The Democratic Party of Hong Kong's website was compromised and malware uploaded to the web server. Interestingly, the server was distributing malicious flash and spyware nearly identical to the compromised UK Amnesty International servers at the beginning of this month. The server is being cleaned up.

The english version of the website did not include injected iframe links pointing to the exploit.html page, which in turn delivers three different version-appropriate malicious variants of flash detected by Kaspersky as "Exploit.SWF.CVE-2011-0611". The malicious flash was 0day at the beginning of this month, and will be effective on unpatched systems.

Opinions|Legal spyware

Kaspersky Lab Expert
Posted October 12, 08:00  GMT
Tags: Spyware

The Swiss newspaper “Schweizer Sonntagszeitung” recently published an article on malware experiments conducted by the Swiss Department of the Environment, Transport, Energy and Communications. The full article, in German, can be found here.

The department is clearly considering the use of spyware that has been specifically developed for tapping into encrypted Voice-over-IP connections (e.g. Skype). It is still unclear whether using such a tool could be made legal. In any event, a judge would have to approve each case in advance, similar to the procedure for monitoring normal telephone calls.

The Swiss company that develops the program (and rather ironically offers installation services for antivirus software on their website) has made some interesting statements. They say that the spyware would only be given directly to the Swiss authorities, and that their program would be undetectable by any firewall or antivirus solution. Of course, the latter statement cannot be verified without a sample, but personally I don't believe it anyway. We all know, that not only signature-based methods can detect malware, but also heuristic and proactive technologies, which antivirus vendors are continuously improving.

On the other hand, even if the spyware could fool all antivirus solutions, it would be highly irresponsible to use such software “in the wild”, no matter what the reason. Sooner or later it would be discovered by other malware developers, and be modified and abused for illegal purposes.

So far this spyware is not in use, and hopefully, that will not change any time soon.

Comment      Link

In December 2004 we reported about the first AdWare related file infector, Virus.Win32.Implinker.a.

The number of reports was significant enough for us to include detection and disinfection for this piece of malware in our klwk cleaner.

I was sure that Implinker would change the malware landscape, and it did.
In February 2005, the Virus.Win32.Bube saga started, with multiple variants appearing within a short period of time.
Bube is more advanced than Implinker, and also more difficult to remove.

After Bube's success, I was absolutely certain that it was only a matter of time before a massive outbreak would be caused by a file infector, most likely related to AdWare, and difficult to remove.

And this in the situation we are in now.

Virus.Win32.Nsag.a has been causing havoc across the globe for a couple of weeks now. As the outbreak involves malware which doesn't spread automatically over the internet, statistics are hard to gather. However, the number of reports shows that we're dealing with a massive amount of infected systems.

Nsag is the file infecting part of an infection which many people refer to as 'Smitfraud(.c)'. It seems that several pieces of malware (e.g. Trojan-Downloaders) are downloading and/or installing Nsag onto the system.

For more details of how it infects, see Virus.Win32.Nsag.a in the Virus Encyclopaedia.

Some important factors: dedicated anti-spyware solutions can't detect or disinfect infected files, the system is still (partly) infected even after such solutions have been run. Therefore Windows(explorer.exe) may not start properly.

Part of disinfecting wininet.dll has to be done manually. This prevents novice users from getting rid of the infection. (See Virus.Win32.Nsag.a in the Virus Encyclopaedia for removal instructions.)

So what is Smitfraud's real aim?

It seems that all (recent) Smitfraud variants have one thing in common: They all try to persuade the user to download PSGuard, a program which claims to remove the spyware (i.e. Smitfraud) which has been installed onto the system.

Naturally the program only disinfects the infection once the user has paid for it.

Although PSGuard is questionable in terms of motive, the program itself has no malicious payload whatsoever. This means we can't simply add detection for it to our databases.

So is this a new method of distributing Adware,Spyware and alledgedly legitimate software? Is it another nail in the coffin of dedicated anti-spyware solutions? Others have undoubtedly already seen Nsag's major success, and the methods it uses will certainly be copied.

Will av vendors have to change their traditional code of ethics, and start detecting software which had no malicious payload at all, but is almost certainly related to Trojans, viruses or other malware?

Worrying questions, with perhaps even more worrying answers...

Comment      Link

Opinions|No such thing as spyware

Kaspersky Lab Expert
Posted March 03, 18:21  GMT
Tags: Spyware

The rising number of cyber-criminals creating more and more different malicious programs, attacks and cyber-frauds have resulted in the media and public paying more attention to security issues. New solutions and services, such as patch and vulnerability management, intrusion prevention, etc., appeared during the last year or so.

New threats are appearing as well. But are they really all that new?

Spyware is a brand new word in the threats list and it is being used widely. Everyone is talking about spyware: many dedicated anti-spyware products have appeared on the market, all of them brand new.

But what exactly is spyware? What threats does new term cover? My favorite definition of the term can be found at Information week.

"Spyware is software that's installed without your informed consent. Spyware communicates personal, confidential information about you to an attacker. The information might be reports on your Web-surfing habits, or the software might be looking for even more sinister information, such as sniffing out your credit card numbers and reporting those numbers."

Exactly. This is a good definition which we can use to describe software designed to spy on user actions and report on infected machines.

Did we have such software in the past? Of course we did. The first malicious software designed to spy and steal confidential information was detected back in 1996 - the AOL Password-Stealing Trojans.

Have we already seen other malicious programs which can be described as spyware? Certainly! There are many different kinds of Trojans designed to:

  • steal passwords/logins (including bank account information)
  • log user activity (keyboard, screenshots, applications being run)
  • backdoor trojans which have spy abilities

Thus, what people are calling spyware is not new at all...

Anything else that can be called spyware? Yes. Numerous advertising tools (adware/advware) which report such information as visited Web pages and Web search requests. Sometimes this information is confidential.

And there's even more. Legitimate keyloggers for example, freeware/shareware/commercial utilities which log keystrokes and/or monitor other user activities.

Are we done? No, there are still more programs that report user information to outside sources. For example, if you post to a forum your email client will report your email address. If you are browsing the Internet your IP address, Windows and browser version can all be logged as you surf.

Can we or should we class these programs as spyware? Definitely not. This is where we reach the border between so-called spyware and non-spyware.

And the border is fuzzy. Because the issue is not always what the program does, but how it's being used. We call the border-line programs riskware, and detect many of them as 'not-a-virus'. We leave it up to users to decide what to do next: if they want or need the program, they can keep it. However, if it was installed without their consent or is doing something they don't want or need, we find it for them, so they know what's going on in their computer and can make an informed choice.

So, technically speaking, spyware simply doesn't exist as a stand-alone cyberthreat.

The programs which are being called spyware are, from a technical point of view, simply a limited sub-set of Trojans, advertising software and some riskware:

  • Trojan spies and some backdoors
  • most adware
  • riskware – potentially hostile programs that require users to make conscious choices about using them

In short, there is no such thing as spyware.

On the other hand there are many anti-spyware programs produced by vendors who actively promote their products as dedicated anti-spyware solutions.

An interesting review was published in latest PC Magazine {USA edition, Feb 22 2005, pages 82-91}. They compared how a number of security suites (anti-viruses) and dedicated anti-spyware products removed so-called spyware. Guess what? Some traditional solutions are better at removing these threats than dedicated ones.

Unfortunately, there are no adequate consumer tests to separate effective solutions from ersatz-security programs. In the PC Magazine tests, there were only 24 "spyware" samples tested. In reality, there are hundreds of malicious programs in the wild that fit into this category. For instance, we know of over 200 adware families (with numerous variants in each). We need better and more in-depth tests in the future.

To cut a long story short, the term spyware is basically a marketing gimmick: just to separate new ersatz-security products from traditional ones, just to push almost zero-value products to the security market.

We need to avoid this trap. There is nothing worse for the computer security community than false alarms and/or users with a misplaced sense of safety.

Comment      Link

Software|MS AntiSpyware and file locations

Kaspersky Lab Expert
Posted January 11, 14:47  GMT
Tags: Antiviruses, Spyware

Microsoft has released a beta version of its antispyware program.
Response from the IT community has been mixed so far, not surprisingly.

For instance, today we received a report about MS AntiSpyware flagging
a suspicious file:

"c:\winnt\system32\notpad.exe" was detected as a Remote Administration Tool.

This file - which was a French version of notepad - would normally be called notepad.exe. For some reason, we don't know why, the file was renamed as notpad.exe.

When we looked closely, it was clear what this file was. So we figured that MS AS had a faulty signature meaning this particular French version of notepad is detected as ItEye RAT.

Not every version (language, build) of every (Windows) file gets tested to check for false alarms, so this might have slipped by.

However we quickly realized that it was the combination of file name/location that made MS AntiSpyware go off.

In fact, the beta version of MS AntiSpyware detects any file with the name "notpad.exe" - even a completely empty one - residing in %sysdir% as being this particular RAT.

So at least a part of the "ItEye RAT" detection is strictly based on filename/location, which can result in situations like these.

Because of this, we think it's best to detect files by file signatures, not location.

Comment      Link

Software|I, Spy

Costin Raiu
Kaspersky Lab Expert
Posted January 06, 17:36  GMT
Tags: Antiviruses, Spyware

Microsoft has just announced the availability of their Anti-Spyware software tool, based on previous code purchased at the end of the past year from NY-based "Giant". The software download is a 6.4MB executable which can be obtained from:


Keep in mind that as any other beta software, this may have unexpected results. Test it on a spare system before running it on your production servers!

Also keep in mind that KAV can detect and remove many kinds of spyware by simply activating the download and usage of 'extended databases', in the Updater Configuration panel.

Comment      Link