<?xml version="1.0" encoding="iso-8859-1" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<atom:link href="http://www.securelist.com/en/rss/blog" rel="self" type="application/rss+xml" />
<title>Securelist / Blog</title>
<link>http://www.securelist.com/en/</link>
<description></description>
<lastBuildDate>20 Jun 2013 15:30:37 +0400</lastBuildDate>
<image>
<title>Securelist / Blog</title>
<url>http://www.securelist.com/en/rss/klogo.gif</url>
<link>http://www.securelist.com/en/</link>	
</image>
	<item>
		<author>webmaster@securelist.com (Konstantin Markov)</author>
		<description>&lt;p&gt;Recent months have produced little of interest among worms written in Java and in script languages such as JavaScript and VBScript. The main reason is the limited proficiency of the virus writers, whose creations were anything but remarkable. However, a couple of malware samples grabbed our attention: their complexity is testimony to the fact that professionals sometimes get involved as well.&lt;/p&gt; &lt;p&gt;Kaspersky Lab&amp;#8217;s products detect these worms as Worm.JS.AutoRun and Worm.Java.AutoRun. They are also detected heuristically as HEUR:Worm.Script.Generic and HEUR:Worm.Java.Generic respectively.&lt;/p&gt; &lt;p&gt;The two worms have three key features in common: heavy obfuscation, a backdoor as the essential payload, and similar methods of propagation. Both spread by copying themselves, together with the configuration file autorun.inf, into the root folder of every logical volume on removable storage media and network drives. When an infected drive is opened on another computer, the infection spreads further. Having infected the operating system and established a foothold on the victim computer, the malicious programs deploy their principal payload.&lt;/p&gt; &lt;p&gt;For months, the number of AutoRun worms detected on Kaspersky Lab users&amp;#8217; computers remained essentially unchanged. According to &lt;a href=&quot;http://ksn.kaspersky.com/en&quot;&gt;Kaspersky Security Network&lt;/a&gt; data, half of all script worms spread themselves this way. For Java worms, this is not the usual method of propagation. 
However, in the last three months we have seen a dramatic rise in the number of new Worm.Java.AutoRun modifications.&lt;/p&gt; &lt;p class=&quot;c&quot;&gt;&lt;a href=&quot;http://www.securelist.com/en/images/vlweblog/wormautorun_01.png&quot; target=&quot;_blank&quot;&gt;&lt;img style=&quot;margin-bottom: 15px;&quot; src=&quot;http://www.securelist.com/en/images/vlweblog/wormautorun_01s.png&quot; alt=&quot;&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;&lt;img src=&quot;http://www.securelist.com/en/images/vlill/enlarge.gif&quot; alt=&quot;&quot; border=&quot;0&quot; /&gt; &lt;br /&gt;&lt;span class=&quot;small&quot;&gt;&lt;strong&gt;Detection levels for unique script worms, AutoRun script worms, and heuristically detected AutoRun script worms April 2012 - May 2013&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/8107/AutoRun_Reloaded</guid>
		<link>http://www.securelist.com/en/blog/8107/AutoRun_Reloaded</link>
		<pubDate>13 Jun 2013 15:17:00 +0400</pubDate>
		<title>AutoRun. Reloaded</title>
	</item>
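The post above describes AutoRun worms that drop a copy of themselves plus an autorun.inf into the root of removable and network drives. As an added example (not code from the Securelist post or from Kaspersky Lab), the following Node.js script parses an autorun.inf the way an incident responder would triage one pulled from a suspect USB stick: it lists every directive that launches something and flags script and Java payloads, the two worm families the post discusses. The two autorun.inf samples inside it are constructed for the example and the file names are made up.

```javascript
// Added example; this is not code from the Securelist post.
// Static triage of an autorun.inf found in the root of a removable or network
// volume. An AutoRun worm relies on the [autorun] section to launch its copy
// when the volume is opened. Both samples below are constructed; "update.js"
// is a made-up payload name.
const WORM_AUTORUN_INF = [
  "[autorun]",
  "open=wscript.exe //e:jscript update.js",
  "shell\\open\\command=wscript.exe //e:jscript update.js",
  "shell\\explore\\command=wscript.exe //e:jscript update.js",
  "shell=open",
  "useautoplay=1",
].join("\r\n");

// A benign autorun.inf from a vendor CD only sets cosmetics.
const BENIGN_AUTORUN_INF = "[autorun]\r\nicon=setup.ico\r\nlabel=Driver CD\r\n";

// Payload types discussed in the post: script and Java worms.
const SCRIPT_OR_JAVA_EXT = new Set([".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".jar"]);
const SCRIPT_HOSTS = /^"?(wscript|cscript|java|javaw)(\.exe)?"?$/i;

// Minimal INI parser: { section -> { key -> value } }. Section and key names
// are lower-cased because Windows treats them case-insensitively.
function parseIni(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(";")) continue;
    const sec = line.match(/^\[(.+)\]$/);
    if (sec) {
      current = sec[1].toLowerCase();
      sections[current] = sections[current] || {};
      continue;
    }
    const eq = line.indexOf("=");
    if (eq === -1 || current === null) continue;
    sections[current][line.slice(0, eq).trim().toLowerCase()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// Keys whose value is executed when the volume is opened or double-clicked:
// open, shellexecute, and any shell\<verb>\command override.
function launchCommands(autorun) {
  return Object.entries(autorun)
    .filter(([k]) => k === "open" || k === "shellexecute" || /^shell\\[^\\]+\\command$/.test(k))
    .map(([key, value]) => ({ key, value }));
}

function extensionOf(token) {
  const m = token.replace(/^"|"$/g, "").match(/\.[a-z0-9]+$/i);
  return m ? m[0].toLowerCase() : "";
}

// Returns a list of human-readable findings; [] means no launch directive.
function triageAutorunInf(text) {
  const autorun = parseIni(text)["autorun"];
  if (!autorun) return [];
  const findings = [];
  for (const { key, value } of launchCommands(autorun)) {
    const tokens = value.split(/\s+/);
    // Any launch directive on a plain data volume deserves a look on its own.
    findings.push(`${key} launches: ${value}`);
    if (SCRIPT_HOSTS.test(tokens[0])) {
      findings.push(`${key}: runs a script/Java host (${tokens[0]})`);
    }
    for (const ext of tokens.map(extensionOf)) {
      if (SCRIPT_OR_JAVA_EXT.has(ext)) findings.push(`${key}: script/Java payload (${ext})`);
    }
    if (/^shell\\/.test(key)) {
      // Overriding the Open/Explore verb means the payload also runs when the
      // user opens the drive by hand from Explorer, not only via AutoPlay.
      findings.push(`${key}: overrides the Explorer context-menu verb`);
    }
  }
  return findings;
}

console.log(triageAutorunInf(WORM_AUTORUN_INF));
console.log(triageAutorunInf(BENIGN_AUTORUN_INF)); // []
```

In practice the same script is pointed at every autorun.inf found in the root of mounted volumes and network shares, and the launch target it names is the file to pull for analysis.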
	<item>
		<author>webmaster@securelist.com (Roman Unuchek)</author>
		<description>&lt;p&gt;Recently, an Android application came to us for analysis. At a glance we knew this one was special: all strings in the DEX file were encrypted, and the code was obfuscated.&lt;/p&gt; &lt;p&gt;The file turned out to be a multi-functional Trojan, capable of the following: sending SMS to premium-rate numbers; downloading other malware programs, installing them on the infected device and/or sending them further via Bluetooth; and remotely executing commands in the console. Kaspersky Lab&amp;#8217;s products now detect this malicious program as Backdoor.AndroidOS.Obad.a.&lt;/p&gt; &lt;p class=&quot;c&quot;&gt;&lt;a href=&quot;http://www.securelist.com/en/images/vlweblog/android_trojan_01.png&quot; target=&quot;_blank&quot;&gt;&lt;img style=&quot;margin-bottom: 15px;&quot; src=&quot;images/vlweblog/android_trojan_01s.png&quot; alt=&quot;&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;&lt;img src=&quot;images/vlill/enlarge.gif&quot; alt=&quot;&quot; border=&quot;0&quot; /&gt;&lt;/p&gt; &lt;p&gt;Malware writers typically try to make the code of their creations as complicated as possible, to make life more difficult for anti-malware experts. However, it is rare to see concealment as advanced as Obad.a&amp;#8217;s in mobile malware. Moreover, this complete code obfuscation was not the only odd thing about the new Trojan.&lt;/p&gt; &lt;h2&gt;The Trojan&amp;#8217;s quirks&lt;/h2&gt; &lt;p&gt;The creators of Backdoor.AndroidOS.Obad.a found an error in the popular DEX2JAR tool, which analysts typically use to convert APK files into the more convenient Java Archive (JAR) format. The bug they exploit disrupts the conversion of Dalvik bytecode into Java bytecode, which in turn complicates static analysis of the Trojan.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan</guid>
		<link>http://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan</link>
		<pubDate>06 Jun 2013 19:01:00 +0400</pubDate>
		<title>The most sophisticated Android Trojan</title>
	</item>
	<item>
		<author>webmaster@securelist.com (GReAT)</author>
		<description>&lt;p&gt;Over the last few years, we have been monitoring a cyber-espionage campaign that has successfully compromised more than 350 high-profile victims in 40 countries. The main tool used by the threat actors during these attacks is NetTraveler, a malicious program used for covert computer surveillance.&lt;/p&gt; &lt;p&gt;The name NetTraveler comes from an internal string present in early versions of the malware: NetTraveler Is Running! This malware is used by APT actors for basic surveillance of their victims. The earliest known samples have a timestamp of 2005, although references exist indicating activity as early as 2004. The largest number of samples we observed were created between 2010 and 2013.&lt;/p&gt; &lt;p class=&quot;c&quot;&gt;&lt;img src=&quot;images/vlweblog/nettraveler_01.png&quot; alt=&quot;&quot; border=&quot;0&quot; /&gt; &lt;br /&gt;&lt;span class=&quot;small&quot;&gt;&lt;strong&gt;The NetTraveler builder icon&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/8105/NetTraveler_is_Running_Red_Star_APT_Attacks_Compromise_High_Profile_Victims</guid>
		<link>http://www.securelist.com/en/blog/8105/NetTraveler_is_Running_Red_Star_APT_Attacks_Compromise_High_Profile_Victims</link>
		<pubDate>04 Jun 2013 18:01:18 +0400</pubDate>
		<title>&quot;NetTraveler is Running!&quot; - Red Star APT Attacks Compromise High-Profile Victims</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Kirill Kruglov)</author>
		<description>&lt;p&gt;Everyone has their own preferences in choosing applications: a favorite browser or instant messenger, media player or email client, etc. Many users are so accustomed to them in everyday life that they feel uncomfortable without access to their favorite programs at work or in college. As a result, they come to use the portable applications which we will discuss in this article.&lt;/p&gt; &lt;p&gt;Portable applications, stored on removable media, are very convenient: they need no installation and can be used in almost any environment. For users, this means their favorite tools are always at hand, and ready to do anything from playing movies and music to analyzing and restoring the system.&lt;/p&gt; &lt;p&gt;However, such applications can also pose a threat to information security. Users who do not have local administrator rights cannot install software on the PC, but they can bypass this restriction by taking advantage of portable applications that do not require installation. Since these applications are mobile and are stored on removable media, they often go undetected by auditing applications on the LAN. This makes it more difficult to investigate incidents related to the use of portable applications as the information about removable media and software installed on it is often unavailable to the IT security specialists.&lt;/p&gt; &lt;h1&gt;Case study&lt;/h1&gt; &lt;p&gt;An analytical company engaged in processing large amounts of personal information offered part-time work to students and non-IT-specialists: a couple of days a week they would transfer data from paper into electronic forms, recheck the available data for errors and contact people for further information.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/8104/Security_policies_portable_applications</guid>
		<link>http://www.securelist.com/en/blog/8104/Security_policies_portable_applications</link>
		<pubDate>03 Jun 2013 17:08:00 +0400</pubDate>
		<title>Security policies: portable applications</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Konstantin Ignatev)</author>
		<description>&lt;p&gt;Kaspersky Lab&amp;#8217;s mission is to protect the world from viruses. But the company also believes it has a duty to safeguard our children from content which could be harmful to youngsters. In order to carry out this important task, Kaspersky Lab&amp;#8217;s products integrate a special component named Parental Control.&lt;/p&gt; &lt;p&gt;This component allows caring parents to control their children&amp;#8217;s computer and Internet activity.&amp;nbsp; For example, Parental Control allows parents to easily restrict the time their children spend using the computer or surfing the web.&lt;/p&gt; &lt;p&gt;In addition, Parental Control enables parents to restrict the launch of certain applications and to monitor their children's activities on social networks and chat sites. One of the most important functions of this module is to limit access to potentially harmful web resources. Many of these, of course, are adult content sites. However, social networks, forums and even online stores can also pose a threat. The module currently includes 14 different categories of sites, enabling parents to decide which are undesirable for their child. Here are the categories:&lt;/p&gt; &lt;ol&gt; &lt;li&gt;Pornography, erotic materials&lt;/li&gt; &lt;li&gt;Illegal software&lt;/li&gt; &lt;li&gt;Drugs&lt;/li&gt; &lt;li&gt;Violence&lt;/li&gt; &lt;li&gt;Explicit language&lt;/li&gt; &lt;li&gt;Weapons&lt;/li&gt; &lt;li&gt;Gambling&lt;/li&gt; &lt;li&gt;Forums and chats&lt;/li&gt; &lt;li&gt;Web mail&lt;/li&gt; &lt;li&gt;Online stores&lt;/li&gt; &lt;li&gt;Social networks&lt;/li&gt; &lt;li&gt;Anonymous proxy servers&lt;/li&gt; &lt;li&gt;Payment systems&lt;/li&gt; &lt;li&gt;Casual games&lt;/li&gt; &lt;/ol&gt; &lt;p&gt;About a year ago we &lt;a href=&quot;http://www.securelist.com/en/blog/727/Statistics_on_Parental_Control_alerts_for_various_countries&quot;&gt;described&lt;/a&gt; how Parental Control worked with different web resources. 
At that time the statistics only covered resources that had been blocked by Parental Control. Since then we have improved the mechanism for collecting statistical data, and we can now identify the categories of sites most popular with youngsters regardless of whether Parental Control allows the visit.&lt;/p&gt; &lt;p&gt;That is why our worldwide statistics on the sites most frequently visited by children in 2013 differ considerably from the previous year&amp;#8217;s figures.&lt;/p&gt; &lt;p class=&quot;c&quot;&gt;&lt;a href=&quot;http://www.securelist.com/en/images/vlweblog/children_pic01.png&quot; target=&quot;_blank&quot;&gt;&lt;img style=&quot;margin-bottom: 15px;&quot; src=&quot;http://www.securelist.com/en/images/vlweblog/children_pic01s.png&quot; alt=&quot;&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;&amp;nbsp;&lt;img src=&quot;http://www.securelist.com/en/images/vlill/enlarge.gif&quot; alt=&quot;&quot; border=&quot;0&quot; /&gt; &lt;br /&gt;&lt;span class=&quot;small&quot;&gt;&lt;strong&gt;The sites most often visited by children worldwide&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/8103/What_are_children_doing_online</guid>
		<link>http://www.securelist.com/en/blog/8103/What_are_children_doing_online</link>
		<pubDate>03 Jun 2013 13:14:00 +0400</pubDate>
		<title>What are children doing online?</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Jorge Mieres )</author>
		<description>&lt;p&gt;We know that the malware family detected as &lt;b&gt;Trojan.MSIL.Jumcar&lt;/b&gt; and &lt;b&gt;Trojan.Win32.Jumcar&lt;/b&gt; was developed in Peru with the primary aim of attacking Peruvian users. We also know that Chilean and Peruvian users have latterly been targeted as well. You can read more about this in our preliminary reports:&lt;/p&gt; &lt;p&gt;&lt;a href=&quot;http://www.securelist.com/en/blog/208195041/Jumcar_From_Peru_with_a_focus_on_Latin_America_First_part&quot;&gt;Jumcar. From Peru with focus on Latin America [First part]&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&lt;a href=&quot;http://www.securelist.com/en/blog/208195049/Jumcar_Timeline_crypto_and_specific_functions_Second_part&quot;&gt;Jumcar. Timeline, crypto, and specific functions [Second part]&lt;/a&gt;&lt;/p&gt; &lt;p&gt;During the initial investigation we saw a very striking string in the source code of the first variants: &quot;&lt;b&gt;Armada Peruana&lt;/b&gt;&quot;. This is the Peruvian navy.&lt;/p&gt; &lt;center&gt;&lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208195061.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt;&lt;/center&gt; &lt;center&gt;&lt;i&gt;The string &quot;Armada Peruana&quot; observed in a decompiled Jumcar variant.&lt;/i&gt;&lt;/center&gt; </description>
		<guid>http://www.securelist.com/en/blog/208195060/Jumcar_Peruvian_navy_Who_could_be_behind_it_Third_part</guid>
		<link>http://www.securelist.com/en/blog/208195060/Jumcar_Peruvian_navy_Who_could_be_behind_it_Third_part</link>
		<pubDate>03 Jun 2013 05:44:05 +0400</pubDate>
		<title>Jumcar. Peruvian navy? Who could be behind it? [Third part]</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Darya Gudkova)</author>
		<description>&lt;p&gt;Lately, our traps have been catching emails like these:&lt;/p&gt; &lt;p class=c&gt;&lt;a href=&quot;http://www.securelist.com/en/images/vlweblog/207767855.png&quot; target=_blank&gt;&lt;img src=&quot;http://www.securelist.com/en/images/vlweblog/207767855.png&quot; width=&quot;400px&quot;&gt;&lt;/a&gt;&lt;/p&gt; &lt;p class=c&gt;&lt;a href=&quot;http://www.securelist.com/en/images/vlweblog/207767856.png&quot; target=_blank&gt;&lt;img src=&quot;http://www.securelist.com/en/images/vlweblog/207767856.png&quot; width=&quot;400px&quot;&gt;&lt;/a&gt;&lt;/p&gt;   &lt;p&gt;In them someone with a very English name is asking to book a hotel or air tickets for their family. A na&amp;iuml;ve recipient would think &amp;#8220;Ah, wrong address&amp;#8221;.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/8102/Caution_Fraud</guid>
		<link>http://www.securelist.com/en/blog/8102/Caution_Fraud</link>
		<pubDate>30 May 2013 13:39:00 +0400</pubDate>
		<title>Caution! Fraud!</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Jorge Mieres )</author>
		<description>&lt;p&gt;Jumcar &lt;a href=&quot;http://www.securelist.com/en/blog/208195041/Jumcar_From_Peru_with_a_focus_on_Latin_America_First_part&quot;&gt;stands out from other malicious code&lt;/a&gt; developed in Latin America because of its particularly aggressive features. At the moment &lt;b&gt;three generations of this malware family exist; the first and second use symmetric algorithms, and the third an asymmetric algorithm&lt;/b&gt;. In this way the configuration parameters are hidden, and the complexity of the variants increases progressively.&lt;/p&gt; &lt;p&gt;In the first generation, data is encrypted with AES (Advanced Encryption Standard). We estimate that the first variant was released in March 2012, and that other pieces of malware with similar characteristics were being developed until August of the same year, that is, over a period of about six months.&lt;/p&gt; &lt;p&gt;&lt;i&gt;In this first stage, 75% of the phishing campaigns targeted Peruvian consumers who use home-banking services. The remaining 25% targeted users in Chile.&lt;/i&gt;&lt;/p&gt; &lt;p&gt;The following diagram shows some of the .NET instances used by a first-generation variant of Jumcar:&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208195058.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;p&gt;&lt;center&gt;&lt;i&gt;Some .NET instances used by a variant of the first generation of Jumcar&lt;/i&gt;&lt;/center&gt;&lt;/p&gt; </description>
		<guid>http://www.securelist.com/en/blog/208195049/Jumcar_Timeline_crypto_and_specific_functions_Second_part</guid>
		<link>http://www.securelist.com/en/blog/208195049/Jumcar_Timeline_crypto_and_specific_functions_Second_part</link>
		<pubDate>27 May 2013 16:48:06 +0400</pubDate>
		<title>Jumcar. Timeline, crypto, and specific functions. [Second part]</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Jorge Mieres )</author>
		<description>&lt;p&gt;&lt;b&gt;Jumcar&lt;/b&gt; is the name we have given to a family of malicious code developed in Latin America, particularly in Peru, which according to our research has been used in attacks since March 2012.&lt;/p&gt; &lt;p&gt;After six months of research we can now detail the specific features of Jumcar, which we will publish over the following days. Essentially, the main purpose of the malware is to steal financial information from Latin American users of the home-banking services of major banks. 90% of the attacks target Peru, using phishing pages that clone the websites of six banks.&lt;/p&gt; &lt;p&gt;Some variants of the Jumcar family also target two banks in Chile, and another in Costa Rica.&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208195042.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;center&gt;&lt;i&gt;&lt;font size=&quot;2&quot;&gt;Percentage of phishing attacks by country&lt;/font&gt;&lt;/i&gt;&lt;/center&gt;</description>
		<guid>http://www.securelist.com/en/blog/208195041/Jumcar_From_Peru_with_a_focus_on_Latin_America_First_part</guid>
		<link>http://www.securelist.com/en/blog/208195041/Jumcar_From_Peru_with_a_focus_on_Latin_America_First_part</link>
		<pubDate>20 May 2013 08:06:07 +0400</pubDate>
		<title>Jumcar. From Peru with a focus on Latin America [First part]</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Stefano Ortolani)</author>
		<description>&lt;p&gt;Fostering knowledge exchange among different generations of security researchers is perhaps one of the best traits of a good security conference. Judging by its attendance, NoSuchCon can easily claim to be one of these: it is rare to see such a mix of young researchers and old gurus exchanging ideas and getting to know each other. Organized this year in Paris, NoSuchCon takes place on the premises of the &lt;strong&gt;Espace Oscar Niemeyer&lt;/strong&gt;; a nice move indeed, putting a security conference inside an art exhibition centre (congrats to the organizers :)).&lt;/p&gt; &lt;div style=&quot;width:350px; font-size:80%; text-align:center; margin: 0px auto;&quot;&gt;&lt;img src=&quot;images/pictures/klblog/208195040.jpg&quot; width=&quot;350&quot; border=&quot;1&quot;&gt; Espace Oscar Niemeyer&lt;/div&gt;</description>
		<guid>http://www.securelist.com/en/blog/208195029/NoSuchCon_2013</guid>
		<link>http://www.securelist.com/en/blog/208195029/NoSuchCon_2013</link>
		<pubDate>18 May 2013 16:00:51 +0400</pubDate>
		<title>NoSuchCon 2013</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Fabio Assolini)</author>
		<description>&lt;p&gt;Now cybercriminals from Brazil are also interested in the Bitcoin currency. To join the horde of phishers on the lookout for the virtual currency, they have applied their best malicious technique: malicious PAC files delivered through web attacks, together with phishing domains.&lt;/p&gt; &lt;p&gt;The malicious use of PAC (Proxy Auto-Config) files among Brazilian black hats is nothing new; we have known about it since 2007. Generally, this kind of malicious script is used to redirect the victim&amp;#8217;s connection to a phishing page for a bank, a credit card company and so on. We described these attacks in detail &lt;a href=&quot;http://www.securelist.com/en/blog/2106/Benign_Feature_Malicious_Use&quot;&gt;here&lt;/a&gt;. In 2012 a Russian banking Trojan called &lt;a href=&quot;http://www.securelist.com/ru/blog/207764045/Tochechnyy_banker&quot;&gt;Capper&lt;/a&gt; also started using the same technique. When it is used in drive-by download attacks, it becomes very effective.&lt;/p&gt; &lt;p&gt;After registering the domain &lt;b&gt;java7update.com&lt;/b&gt;, Brazilian criminals started attacking several websites, inserting a malicious iframe into some compromised pages:&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208195034.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208195033/Malicious_PACs_and_Bitcoins</guid>
		<link>http://www.securelist.com/en/blog/208195033/Malicious_PACs_and_Bitcoins</link>
		<pubDate>17 May 2013 17:58:17 +0400</pubDate>
		<title>Malicious PACs and Bitcoins</title>
	</item>
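The post above describes malicious Proxy Auto-Config files that quietly reroute only the victim's banking or Bitcoin traffic through a criminal proxy while everything else goes direct. Because a PAC file is plain JavaScript, the quickest triage is to execute its FindProxyForURL() against a set of probe URLs, with the standard PAC helper functions stubbed in, and list which hosts are diverted. The Node.js script below does exactly that. It is an added example, not code from the Securelist post; the PAC it analyses is constructed to mimic the technique, with placeholder domain names and a documentation-range proxy address rather than the real java7update.com infrastructure.

```javascript
// Added example; this is not code from the Securelist post.
// Dynamic triage of a Proxy Auto-Config (PAC) script. The PAC below is
// constructed to mimic the Brazilian technique: only selected banking and
// Bitcoin hosts are sent through the attackers' proxy, everything else is
// DIRECT so the victim notices nothing. Domains and the proxy IP are placeholders.
const SUSPICIOUS_PAC = `
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*bancoexemplo.com.br") ||
      dnsDomainIs(host, ".bitcoinexchange.example") ||
      shExpMatch(url, "*/netbanking/*")) {
    return "PROXY 203.0.113.10:8080";
  }
  return "DIRECT";
}`;

// Minimal implementations of the helper functions browsers expose to a PAC.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
  localHostOrDomainIs: (host, hostdom) => host === hostdom || hostdom.startsWith(host + "."),
  // Shell-style glob ("*" and "?") to anchored, case-insensitive regex.
  shExpMatch: (str, shexp) => {
    const escaped = shexp.replace(/[.+^${}()|[\]\\]/g, (c) => "\\" + c);
    const re = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
    return new RegExp(re, "i").test(str);
  },
  // Network helpers return fixed values: triage does not need a real resolver.
  isResolvable: () => true,
  dnsResolve: () => "0.0.0.0",
  myIpAddress: () => "192.0.2.1",
  isInNet: () => false,
  // Time helpers are forced to true so that a PAC which only misbehaves during
  // banking hours still shows its hand during analysis.
  weekdayRange: () => true,
  dateRange: () => true,
  timeRange: () => true,
};

// Compile the PAC with the helpers in scope and hand back FindProxyForURL.
// NOTE: this executes attacker-controlled JavaScript inside the current
// process. Run it in a throwaway VM, never on a workstation holding credentials.
function loadPac(source) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, `${source}\nreturn FindProxyForURL;`);
  return factory(...names.map((n) => pacHelpers[n]));
}

// Evaluate each probe URL and return { url: decision } plus the diverted subset.
function triagePac(source, urls) {
  const findProxy = loadPac(source);
  const decisions = {};
  for (const url of urls) {
    const host = new URL(url).hostname;
    decisions[url] = String(findProxy(url, host));
  }
  const hijacked = Object.entries(decisions)
    .filter(([, d]) => !/^\s*DIRECT\s*$/i.test(d))
    .map(([url, via]) => ({ url, via }));
  return { decisions, hijacked };
}

// Probe list: the analyst's own guess at what the criminals are after, plus a
// control host that must stay DIRECT. All names are constructed.
const PROBE_URLS = [
  "https://www.bancoexemplo.com.br/login",
  "https://trade.bitcoinexchange.example/",
  "https://www.google.com/",
  "https://intranet.corp.example/netbanking/portal",
];
console.log(triagePac(SUSPICIOUS_PAC, PROBE_URLS).hijacked);
```

The output is the list of URLs whose traffic the PAC would hand to the proxy, which is what goes into the incident report and the blocklist; a PAC that returns DIRECT for every probe host is not proven clean, it only means the probe list did not include the targets.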
	<item>
		<author>webmaster@securelist.com (Kurt Baumgartner)</author>
		<description>&lt;P&gt;Microsoft released a long list of updates for Microsoft software today. The most interesting appear to be those patching Internet Explorer and kernel vulnerabilities. In all, ten critical &quot;use-after-free&quot; vulnerabilities are patched in IE, along with one important information disclosure vulnerability and three elevation of privilege vulnerabilities. Almost all of these IE vulnerabilities were reported by external security researchers working through HP&amp;#8217;s Zero Day Initiative.&lt;/P&gt; &lt;P&gt;The recent Internet Explorer 8 0-day, implemented with ROP to work on ASLR-protected Windows 7 and hosted on the compromised Department of Labor website among others, was used as part of a targeted watering-hole campaign suggested to be run by the known threat actor &quot;DeepPanda&quot;. This IE 0-day was reported by the folks at FireEye and iSight Partners. It is being patched with Security Bulletin MS13-038. The others may not have been actively used by threat actors, but as always it is very important for all Internet Explorer users to apply these updates as soon as possible and avoid becoming a victim of the more common, financially motivated mass-exploitation schemes.&lt;/P&gt; &lt;P&gt;A bit less sexy, but very important for organizations to apply, are the three &quot;Important&quot; kernel elevation of privilege fixes. While these are not yet known to have been exploited publicly, EoP exploits are actively used for post-exploitation purposes and are a significant part of any infiltration exercise. All three of these problems were reported by external security researchers, to whom Microsoft extended a &quot;thanks&quot;.&lt;/P&gt; &lt;P&gt;Organizations should also be aware that Http.sys in Windows 8, Windows RT and Windows Server 2012 is vulnerable to denial of service attacks, but exploiting this bug appears to be very difficult; accordingly, Microsoft rates it &quot;Important&quot;.&lt;/P&gt; 
&lt;P&gt;Other client-side apps are being patched with &quot;Important&quot;-rated updates as well, including Word, Publisher and more. More information on all of these updates can be found in Microsoft&amp;#8217;s &lt;a href=http://technet.microsoft.com/en-us/security/bulletin/ms13-may target=_blank&gt;summary&lt;/a&gt;.&lt;/P&gt; &lt;P&gt;Also today, Adobe&amp;#8217;s PSIRT pushed &lt;a href=http://blogs.adobe.com/psirt/2013/05/adobe-security-bulletins-posted-7.html target=_blank&gt;several important updates&lt;/a&gt; for ColdFusion (in the crosshairs of persistent attackers on organizations) and for both of its big client-side apps, Flash and Reader/Acrobat.&lt;/P&gt;</description>
		<guid>http://www.securelist.com/en/blog/208195028/Microsoft_Updates_May_2013_Slew_of_Internet_Explorer_Critical_Vulnerabilities_Kernel_EoP_and_Others</guid>
		<link>http://www.securelist.com/en/blog/208195028/Microsoft_Updates_May_2013_Slew_of_Internet_Explorer_Critical_Vulnerabilities_Kernel_EoP_and_Others</link>
		<pubDate>14 May 2013 22:06:28 +0400</pubDate>
		<title>Microsoft Updates May 2013 - Slew of Internet Explorer Critical Vulnerabilities, Kernel EoP, and Others</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Dong Yan)</author>
		<description>&lt;p&gt;In China, telecom fraud has become an increasingly common crime. Last year there were more than 170,000 telecom fraud cases, causing losses of over $12.5 billion. The fraudsters usually call their victims and trick them into transferring cash to a criminal gang via an ATM. But recently a new breed of telecom fraud, which combines phishing sites and backdoor Trojans, has emerged.&lt;/p&gt; &lt;p&gt;Last week the police from the Dongcheng sub-branch of Beijing&amp;#8217;s Public Security Bureau asked us to help investigate a telecom fraud case. The victim was defrauded of $100,000. After our investigation, the fraudsters&amp;#8217; tactics were laid bare.&lt;/p&gt; &lt;h2&gt;So how does the scam work? How was the victim deceived?&lt;/h2&gt; &lt;p&gt;First you get a call from a &amp;#8216;public prosecutor&amp;#8217; saying that you are implicated in a financial crime and must help with the investigation. Of course, you deny everything, but the &amp;#8216;public prosecutor&amp;#8217; advises you to check whether you are listed in an official database as a suspected criminal. To do this, they tell you to visit the &amp;#8220;Supreme Procuratorate&amp;#8217;s&amp;#8221; website, which is, of course, a phishing site:&lt;/p&gt; &lt;p class=c&gt;&lt;a href=&quot;http://www.securelist.com/en/images/pictures/klblog/878.png&quot; target=_blank&gt;&lt;img src=&quot;http://www.securelist.com/en/images/pictures/klblog/878.png&quot; border=0 width=600 alt=''&gt;&lt;/a&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/877/Telecom_fraud_phishing_and_Trojans_combined</guid>
		<link>http://www.securelist.com/en/blog/877/Telecom_fraud_phishing_and_Trojans_combined</link>
		<pubDate>13 May 2013 11:15:00 +0400</pubDate>
		<title>Telecom fraud - phishing and Trojans combined</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Michael)</author>
		<description>&lt;p&gt;The Counter eCrime Operations Summit VII (CeCOS VII) engages with the operational challenges faced by, and the development of common resources for, the first responders and forensic professionals who protect consumers and enterprises from electronic crime every day. The annual event, organized by the Anti-Phishing Working Group (APWG), is held this year in Buenos Aires, Argentina.&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194250.jpg&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194246/CeCOS_VII</guid>
		<link>http://www.securelist.com/en/blog/208194246/CeCOS_VII</link>
		<pubDate>27 Apr 2013 00:49:47 +0400</pubDate>
		<title>CeCOS VII</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Kirill Kruglov)</author>
		<description>&lt;p&gt;The experience of many information security officers shows that only a small portion of security incidents take place as a result of meticulously planned and sophisticated targeted attacks, while most incidents are due to a lack of effective security and control measures. This post begins a series of publications about IT security threats associated with the use of legitimate software.&lt;/p&gt; &lt;h1&gt;TeamViewer&lt;/h1&gt; &lt;p&gt;Hugely popular, easy-to-use and practical, remote access tools have been appreciated by system administrators and developers alike, as well as by anyone who has ever needed to log on to a work computer from a remote location, whether traveling on business, working from home, or caught out by an emergency while on vacation. However, unregulated use of this software poses a threat to corporate security and may lead to security incidents.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/876/Security_policies_remote_access_programs</guid>
		<link>http://www.securelist.com/en/blog/876/Security_policies_remote_access_programs</link>
		<pubDate>25 Apr 2013 19:44:00 +0400</pubDate>
		<title>Security policies: remote access programs</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Sergey Golovanov)</author>
		<description>&lt;p&gt;It has been three years since we published &lt;a href=&quot;http://www.securelist.com/en/blog/139/Lock_stock_and_two_smoking_Trojans_bank_robbery_in_the_21st_century&quot;&gt;Lock, stock and two smoking Trojans&lt;/a&gt; in our blog. That article described the first piece of malware designed to attack users of online banking software developed by a company called BIFIT. There are now several malicious programs with similar functionality, including:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Trojan-Spy.Win32.Lurk&lt;/li&gt; &lt;li&gt;Trojan-Banker.Win32.iBank&lt;/li&gt; &lt;li&gt;Trojan-Banker.Win32.Oris&lt;/li&gt; &lt;li&gt;Trojan-Spy.Win32.Carberp&lt;/li&gt; &lt;li&gt;Trojan-Banker.Win32.BifiBank&lt;/li&gt; &lt;li&gt;Trojan-Banker.Win32.BifitAgent&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;Although its functionality is no longer unique, the last program on the list caught our attention.&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/862.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;br/&gt;&lt;em&gt;Words and strings used by Trojan-Banker.Win32.BifitAgent&lt;/em&gt;&lt;/p&gt; &lt;p&gt;This particular piece of malware has a number of features that set it apart from other similar programs.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/861/Lock_stock_and_two_smoking_Trojans_2</guid>
		<link>http://www.securelist.com/en/blog/861/Lock_stock_and_two_smoking_Trojans_2</link>
		<pubDate>22 Apr 2013 20:24:00 +0400</pubDate>
		<title>Lock, stock and two smoking Trojans-2</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Vicente Diaz)</author>
		<description>&lt;p&gt;What a week to be in Boston! I was heading to the Source Conference the very same day the blast happened. It&amp;#8217;s hard to describe all the intense emotions when I arrived. As President Obama said today to the city of Boston: you will run again. All my best to you, stay strong.&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194238.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot; height=&quot;400&quot; width=&quot;400&quot;&gt;&lt;/p&gt; &lt;p&gt;In my presentation at Source I talked about fraud on Twitter. These days we find a lot of spam bots on this social network, either blindly sending unsolicited direct messages to other users or doing some prior semantic analysis of your tweets for a more targeted message.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194237/Is_digital_marketing_the_new_spam</guid>
		<link>http://www.securelist.com/en/blog/208194237/Is_digital_marketing_the_new_spam</link>
		<pubDate>22 Apr 2013 09:54:12 +0400</pubDate>
		<title>Is digital marketing the new spam?</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Michael)</author>
		<description>&lt;p&gt;While many are still in shock after the Boston Marathon bombings on 15 April, it didn't take long for cybercriminals to abuse the tragedy for their own ends.&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194229.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;p&gt;Today we started receiving e-mails containing links to malicious pages with names like &quot;news.html&quot;. These pages embed links to legitimate YouTube clips covering the event; after a delay of 60 seconds, a further link, this one pointing to an executable file, is triggered.&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194230.jpg&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;p&gt;Once running on an infected machine, the malware tries to connect to several IP addresses in Ukraine, Argentina and Taiwan. Kaspersky Lab detects this threat as &quot;Trojan-PSW.Win32.Tepfer.*&quot;.&lt;/p&gt; &lt;p&gt;MD5 sums of some of the collected samples:&lt;br&gt; 5EA646FFDC1E9BC7759FDFC926DE7660&lt;br&gt; 959E2DCAD471C86B4FDCF824A6A502DC&lt;/p&gt; &lt;p&gt;Our thoughts and prayers are with our colleagues in Massachusetts and others affected by the tragic events in Boston.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194228/Boston_Aftermath</guid>
		<link>http://www.securelist.com/en/blog/208194228/Boston_Aftermath</link>
		<pubDate>17 Apr 2013 08:02:51 +0400</pubDate>
		<title>Boston Aftermath</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Dmitry Tarakanov)</author>
		<description>&lt;p&gt;Continuing our investigation into Winnti, in this post we describe how the group tried to re-infect a certain gaming company and what malware they used.&lt;/p&gt; &lt;p&gt;After discovering that the company's servers were infected, we began to clean them up together with the company's system administrator, removing malicious files from the corporate network. This took a while because it was not clear at first exactly how the cybercriminals had penetrated the corporate network; we couldn't find a way to completely stop attacks penetrating the network, and malicious files kept appearing. An analysis performed by the gaming company itself led us to the conclusion that the infection started after it established working contacts with a South Korean gaming company. This was also confirmed by our research: &lt;a href=/en/analysis/204792287/Winnti_More_than_just_a_game&gt;as we wrote before&lt;/a&gt;, the Winnti group is most active in East Asia and we identified 14 infected gaming companies in South Korea.&lt;/p&gt; &lt;p&gt;In the course of our efforts to remove the infection, the gaming company sent us suspicious files that were appearing on their computers. Many of these files were samples of Winnti malware. As soon as information about the malicious files was added to our antivirus databases, our products were used to remove Winnti malware from the gaming company's corporate network. However, the attackers reacted very rapidly: new malware samples mysteriously appeared on computers from which the infection had been completely removed the previous day. Eventually, though, our efforts proved successful and the attackers lost their access to the gaming company's computers.&lt;/p&gt; &lt;p&gt;However, just as we expected, it was too early to celebrate. Exactly one month after the gaming company's network had been cleaned, the Winnti group returned. The system administrator sent us suspicious files which had been attached to messages sent to company employees. This was run-of-the-mill spearphishing: the attackers introduced themselves as computer game developers and pretended to be looking for opportunities related to working with large publishers.&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;http://www.securelist.com/en/images/vlweblog/207767110.jpg&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194224/Winnti_returns_with_PlugX</guid>
		<link>http://www.securelist.com/en/blog/208194224/Winnti_returns_with_PlugX</link>
		<pubDate>15 Apr 2013 16:30:00 +0400</pubDate>
		<title>Winnti returns with PlugX</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Roel)</author>
		<description>&lt;p&gt;Today is the second and last day of Infiltrate 2013, which is taking place in Miami Beach. It's my first time at Infiltrate and so far I've been really impressed with the quality of the conference.&lt;/p&gt; &lt;p&gt;The opening keynote by Chris Eagle definitely set the tone for the rest of the con, with a very clear focus on offense. Chris shared his own view on various issues concerning how the US Armed Forces - and the Navy in particular - deal with educating people on cyber.&lt;/p&gt; &lt;p&gt;One of the bits I found particularly interesting was the &lt;a href=&quot;http://en.wikipedia.org/wiki/Title_10_of_the_United_States_Code&quot;&gt;Title 10&lt;/a&gt; issue. Many of the experts creating cyber tools, who would therefore be best equipped to handle them, are civilians. However, under Title 10 only military personnel can actually 'pull the trigger'. You can see how this can be problematic.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194226/Hello_from_Infiltrate_2013</guid>
		<link>http://www.securelist.com/en/blog/208194226/Hello_from_Infiltrate_2013</link>
		<pubDate>12 Apr 2013 21:51:22 +0400</pubDate>
		<title>Hello from Infiltrate 2013</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Kurt Baumgartner)</author>
		<description>&lt;p&gt;A new-ish Flash exploit has been on the loose in attacks around the web. This time the attackers have compromised a caregiver site providing support for Tibetan refugee children, the NGO &quot;Tibetan Homes Foundation&quot;, and are using it to deliver Flash exploits that drop backdoors signed with certificates stolen by the Winnti group. Previously, FireEye identified a similar &lt;a href=http://www.fireeye.com/blog/technical/cyber-exploits/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html target=_blank&gt;&quot;Lady Boyle&quot; related malicious swf&lt;/a&gt; exploiting CVE-2013-0634. A notification has been sent to the contacts of the web site, but apparently the malicious footer.swf file is still hosted there, so please do not visit it just yet. Also, be sure to update your Flash Player to the latest version.&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194220.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;p&gt;This site certainly appears to be a classic example of a &quot;watering hole&quot; attack. F-Secure pointed out another &lt;a href=http://www.f-secure.com/weblog/archives/00002524.html target=_blank&gt;Lady Boyle watering hole&lt;/a&gt; set up against a related Uyghur group, which has been targeted in tandem following the early March World Uyghur Congress. The F-Secure post shows the delivered backdoors to be signed with Winnti-stolen digital certificates, including the stolen MGAME certificate.&lt;/p&gt; &lt;p&gt;Here is an example of those same stolen certificates reused for the backdoors in the Tibetan Homes Foundation incident. We see both the MGAME certificate and the ShenZhen certificates signing the backdoors; here are screenshots of the latter:&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194221.PNG&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;p&gt;Our products detect the Flash exploit plus payload as &lt;a href=https://www.virustotal.com/en/file/6f313c9dd05a654fc9e197ab55fdcab0ac397f765e8a66cc1c1f5475697d795d/analysis/ target=_blank&gt;Exploit.SWF.CVE-2013-0634.a&lt;/a&gt;. Here is a heatmap of our worldwide detections. Note that not all of these detections are Lady Boyle related; I estimate that at least a third of them are:&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194222.PNG&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;p&gt;Other sites hosting the Lady Boyle swf exploit over the past couple of months have included &quot;tibetangeeks.com&quot;, who recently cleaned up their site and posted a cooperative plea to their attackers, and &quot;vot.org&quot;, the &quot;Voice of Tibet&quot;, which has also been cleaned up. The Uyghur-related sites &quot;istiqlaltv.com&quot; and &quot;maarip.org&quot; are cleaned up now too, but previously served &quot;Exploit.SWF.CVE-2013-0634.a&quot; from the same &quot;LadyBoyle&quot; swf path as the Tibetan Homes Foundation, i.e.:&lt;BR&gt; hxxp://maarip.org/uyghur/footer(.)swf&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194223.PNG&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;p&gt;So what we have is an active watering hole campaign implementing a fairly new Flash exploit and abusing digital certificates that were stolen as part of the ongoing &lt;a href=http://www.securelist.com/en/blog/855/Winnti_FAQ_More_than_just_a_game target=_blank&gt;Winnti targeted attack campaigns&lt;/a&gt; against game developers and publishers.&lt;/p&gt; &lt;p&gt;Related MD5:&lt;BR&gt; BD9FD3E199C3DAB16CF8C9134E06FE12&lt;BR&gt; 215CEC7261D70A5913E79CD11EBC9ECC&lt;BR&gt; 12181311E049EB9F1B909EABFDB55427&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194218/Winnti_Stolen_Digital_Certificates_Re_Used_in_Current_Watering_Hole_Attacks_on_Tibetan_and_Uyghur_Groups</guid>
		<link>http://www.securelist.com/en/blog/208194218/Winnti_Stolen_Digital_Certificates_Re_Used_in_Current_Watering_Hole_Attacks_on_Tibetan_and_Uyghur_Groups</link>
		<pubDate>12 Apr 2013 04:31:18 +0400</pubDate>
		<title>Winnti-Stolen Digital Certificates Re-Used in Current Watering Hole Attacks on Tibetan and Uyghur Groups</title>
	</item>
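Added example (not code from the Securelist post or from Kaspersky Lab's tooling): a Python triage helper that finds the Authenticode signature blob inside a PE file and checks it for signer names from a watch-list of certificates known to have been stolen by the Winnti group. It only searches the PKCS#7 blob for the company names the post mentions; that the certificate subjects contain MGAME and ShenZhen as plain ASCII is an assumption, and the helper does not validate the signature chain (use signtool or osslsigncode for that). The PE skeleton it runs on is constructed in the block with a fake signature blob, not a real certificate.

```python
"""Locate a PE file's Authenticode signature and look for signer names
associated with stolen code-signing certificates.

Added example; not the post's own tooling. Triage only: the PKCS#7 blob is
searched for ASCII company names, the signature chain is NOT validated
(use signtool or osslsigncode for that)."""

# Assumption: the subjects of the stolen certificates carry these company
# names as plain ASCII inside the DER-encoded signer info.
STOLEN_SIGNER_HINTS = (b"MGAME", b"ShenZhen")

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _u16(buf, off):
    return int.from_bytes(buf[off:off + 2], "little")


def _u32(buf, off):
    return int.from_bytes(buf[off:off + 4], "little")


def authenticode_blob(pe):
    """Return the raw PKCS#7 payload of the security directory, or b'' if
    the file is not a PE or carries no Authenticode signature."""
    if not (len(pe) >= 0x40 and pe[:2] == b"MZ"):
        return b""
    pe_off = _u32(pe, 0x3C)                       # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        return b""
    opt_off = pe_off + 4 + 20                     # skip "PE\0\0" + COFF header
    magic = _u16(pe, opt_off)
    # Data directories start at +96 (PE32) or +112 (PE32+); the security
    # directory is entry #4, 8 bytes per entry (VirtualAddress, Size).
    if magic == 0x10B:
        num_dirs = _u32(pe, opt_off + 92)
        dir_off = opt_off + 96 + 4 * 8
    elif magic == 0x20B:
        num_dirs = _u32(pe, opt_off + 108)
        dir_off = opt_off + 112 + 4 * 8
    else:
        return b""
    if 5 > num_dirs:
        return b""
    sec_off, sec_size = _u32(pe, dir_off), _u32(pe, dir_off + 4)
    if sec_off == 0 or sec_size == 0 or sec_off + sec_size > len(pe):
        return b""
    # For the security directory the "RVA" is really a file offset.
    # WIN_CERTIFICATE = dwLength(4) wRevision(2) wCertificateType(2) bCertificate
    cert_len = _u32(pe, sec_off)
    cert_type = _u16(pe, sec_off + 6)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or cert_len > sec_size or 8 > cert_len:
        return b""
    return pe[sec_off + 8:sec_off + cert_len]


def stolen_cert_hits(pe):
    """Names from the watch-list found in the file's signature blob."""
    blob = authenticode_blob(pe)
    return [hint.decode() for hint in STOLEN_SIGNER_HINTS if hint in blob]


def build_sample_pe(signer_subject):
    """Constructed PE32 skeleton (not runnable code) whose security directory
    points at a fake PKCS#7 blob embedding the given subject string."""
    fake_pkcs7 = b"\x30\x82" + b"CN=" + signer_subject + b"\x00" * 8
    win_cert = ((8 + len(fake_pkcs7)).to_bytes(4, "little")
                + (0x0200).to_bytes(2, "little")          # WIN_CERT_REVISION_2_0
                + WIN_CERT_TYPE_PKCS_SIGNED_DATA.to_bytes(2, "little")
                + fake_pkcs7)
    cert_off = 0x200
    img = bytearray(cert_off)
    img[0:2] = b"MZ"
    img[0x3C:0x40] = (0x40).to_bytes(4, "little")            # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 4 + 20
    img[opt:opt + 2] = (0x10B).to_bytes(2, "little")         # PE32 magic
    img[opt + 92:opt + 96] = (16).to_bytes(4, "little")      # NumberOfRvaAndSizes
    sec_dir = opt + 96 + 4 * 8
    img[sec_dir:sec_dir + 4] = cert_off.to_bytes(4, "little")
    img[sec_dir + 4:sec_dir + 8] = len(win_cert).to_bytes(4, "little")
    return bytes(img) + win_cert


if __name__ == "__main__":
    for subject in (b"MGAME Corp.", b"Contoso Ltd"):
        print(subject.decode(), "->", stolen_cert_hits(build_sample_pe(subject)))
```

On a real sample a hit means only that a watch-listed signer name appears in the signature; whether the signature is intact, and whether the certificate has since been revoked, is what full Authenticode validation tells you, so treat a hit as a reason to pull the file into deeper analysis rather than as a verdict.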
	<item>
		<author>webmaster@securelist.com (Dmitry Tarakanov)</author>
		<description>&lt;p&gt;During our &lt;a href=&quot;http://www.securelist.com/en/analysis/204792287/Winnti_More_than_just_a_game&quot;&gt;research on the Winnti group&lt;/a&gt; we discovered a considerable number of Winnti samples targeting different gaming companies. Using this &lt;a href=&quot;http://www.securelist.com/en/analysis/204792286/Winnti_1_0_technical_analysis&quot;&gt;sophisticated malicious program&lt;/a&gt;, cybercriminals gained remote access to infected workstations and then carried out further activity manually.&lt;/p&gt; &lt;p&gt;Naturally, we were keen to find out how the malicious libraries spread across a local network. To do so, we tracked the attackers' activity on an infected computer.&lt;/p&gt; &lt;h2&gt;1&lt;sup&gt;st&lt;/sup&gt; attempt: virtual machine #1&lt;/h2&gt; &lt;p&gt;At the beginning of the investigation we ran the malicious programs on a virtual machine, which worked fairly well - we even spotted some cybercriminal activity. But they quickly realized it wasn't a computer they wanted to net. Once that was the case, the attackers' servers stopped responding to requests from bots running on virtual machines.&lt;/p&gt; &lt;p&gt;This is what we managed to learn at this stage of our monitoring.&lt;/p&gt; &lt;p&gt;First of all, the perpetrators looked at what was happening on the victim's desktop. After that they enabled the remote command line and used it to browse the root folder of the current disk, search for the file winmm.dll, and check the operating system version. The ListFileManager plugin then came into play. It works with the file system, and the attackers used it to browse the folders C:\Windows and C:\Work. Then they tried to restart the computer, but made a mistake in the parameters of the shutdown command, typing shutdown /t /r 1 (the intended command, shutdown /r /t 1, would have restarted the computer in 1 second). After a while they shut the computer down completely with the correct command shutdown /s /t 1.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/851/The_Winnti_honeypot_luring_intruders</guid>
		<link>http://www.securelist.com/en/blog/851/The_Winnti_honeypot_luring_intruders</link>
		<pubDate>11 Apr 2013 17:23:00 +0400</pubDate>
		<title>The Winnti honeypot - luring intruders</title>
	</item>
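Added example (not the post's own tooling): a Python detector that turns the intruders' sequence above, a listing of the root folder, a search for winmm.dll and an OS version check followed by a shutdown, into a rule over process-creation log lines, and counts malformed shutdown attempts as a "human at the keyboard" indicator. The log field layout, the exact command syntax (the post names the actions, not the commands) and the idea that each remote-shell command surfaces as a separate cmd.exe /c process are all assumptions; every log line is constructed.

```python
"""Spot the hands-on-keyboard pattern from the honeypot post in command
execution logs: host reconnaissance (root directory listing, DLL search,
OS version query) followed within a short window by a shutdown or restart,
with malformed shutdown attempts counted as a 'human at the keyboard' sign.

Added example; not the post's own tooling. The log layout and the exact
command syntax are assumptions (the post names the actions, not the
commands); all lines below are constructed."""
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)

# Constructed events: timestamp, host, image, command line. WS-07 mirrors the
# intruders' sequence; WS-12 is a lone administrative reboot plus one listing.
SAMPLE_LOG = [
    r'2013-04-10T14:02:11 host=WS-07 image=cmd.exe cmdline="cmd /c dir C:\"',
    r'2013-04-10T14:02:30 host=WS-07 image=cmd.exe cmdline="cmd /c dir /s /b C:\winmm.dll"',
    r'2013-04-10T14:02:44 host=WS-07 image=cmd.exe cmdline="cmd /c ver"',
    r'2013-04-10T14:04:02 host=WS-07 image=shutdown.exe cmdline="shutdown /t /r 1"',
    r'2013-04-10T14:06:40 host=WS-07 image=shutdown.exe cmdline="shutdown /s /t 1"',
    r'2013-04-10T14:05:00 host=WS-12 image=shutdown.exe cmdline="shutdown /r /t 0"',
    r'2013-04-10T14:05:30 host=WS-12 image=cmd.exe cmdline="cmd /c dir D:\"',
]

LINE_RE = re.compile(r'^(\S+) host=(\S+) image=(\S+) cmdline="(.*)"$')

# Reconnaissance actions named in the post, expressed as command patterns.
RECON_RULES = [
    ("root_listing", re.compile(r"\bdir\s+[A-Za-z]:\\?\s*$", re.I)),
    ("dll_search",   re.compile(r"\bdir\b.*winmm\.dll", re.I)),
    ("os_version",   re.compile(r"\b(ver|systeminfo)\b", re.I)),
]
SHUTDOWN_RE = re.compile(r"\bshutdown(\.exe)?\b", re.I)
# /t takes a number of seconds; "shutdown /t /r 1" is the malformed form.
BAD_TIMEOUT_RE = re.compile(r"/t(?:\s+(?!\d)|\s*$)", re.I)


def parse(line):
    """One log line into a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, image, cmd = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "host": host, "image": image, "cmd": cmd}


def detect(lines):
    """Return one alert per host whose last shutdown/restart was preceded,
    within WINDOW, by at least two distinct reconnaissance actions."""
    by_host = {}
    for ev in filter(None, map(parse, lines)):
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in sorted(by_host.items()):
        evs.sort(key=lambda e: e["ts"])
        alert = None
        for i, ev in enumerate(evs):
            if not SHUTDOWN_RE.search(ev["cmd"]):
                continue
            earliest = ev["ts"] - WINDOW
            seen, malformed = set(), 0
            for prev in evs[:i]:
                if earliest > prev["ts"]:
                    continue
                for name, rx in RECON_RULES:
                    if rx.search(prev["cmd"]):
                        seen.add(name)
                if SHUTDOWN_RE.search(prev["cmd"]) and BAD_TIMEOUT_RE.search(prev["cmd"]):
                    malformed += 1
            if len(seen) >= 2:
                alert = {"host": host, "at": ev["ts"].isoformat(),
                         "recon": sorted(seen), "malformed_shutdowns": malformed,
                         "final_cmd": ev["cmd"]}
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

Requiring two distinct reconnaissance actions before the shutdown keeps a plain administrative reboot (WS-12) quiet; the malformed-shutdown counter is the part worth keeping even if the recon patterns are tuned away, since a tool does not mistype its own switches.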
	<item>
		<author>webmaster@securelist.com (Kurt Baumgartner)</author>
		<description>&lt;P&gt;Microsoft released two Bulletins this month patching 3 critical vulnerabilities. Along with these immediate issues, they released five other Bulletins rated &quot;Important&quot;. It appears that the two critical Bulletins address use-after-free vulnerabilities that can all be attacked through Internet Explorer.&lt;/P&gt; &lt;P&gt;For Windows workstation environments, all versions of Internet Explorer need to be patched as soon as possible, including the v10 preview running on Windows RT. The patch for Internet Explorer 10 on Windows RT is available from the &quot;Windows Update&quot; site.&lt;/P&gt; &lt;P&gt;In addition to the privately reported vulnerabilities in Internet Explorer code itself, the Remote Desktop Connection v6.1 Client and Remote Desktop Connection v7.0 Client ActiveX components on XP, Vista and Windows 7 are vulnerable. Microsoft's SRD team expects to see exploits targeting CVE-2013-1296 within 30 days.&lt;/P&gt; &lt;P&gt;Of the &quot;Important&quot; vulnerabilities, it is interesting to note a privately reported Elevation of Privilege issue, CVE-2013-0078, which is a bug in the Windows Defender anti-malware engine running on Windows 8 and Windows RT. This vulnerability could be used by an insider or a determined adversary to gain further access; it is not the type of vulnerability usually hit by mass exploitation kits. Within organizations this is something to address quickly, but individuals generally do not need to treat it as urgent.&lt;/P&gt; &lt;P&gt;See Microsoft's &lt;a href=http://technet.microsoft.com/en-us/security/bulletin/ms13-apr target=_blank&gt;Security Bulletin Summary for April 2013&lt;/a&gt; for the full list of this month's Bulletin releases.&lt;/P&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194217/Microsoft_Updates_April_2013_3_Critical_Vulnerabilities</guid>
		<link>http://www.securelist.com/en/blog/208194217/Microsoft_Updates_April_2013_3_Critical_Vulnerabilities</link>
		<pubDate>09 Apr 2013 22:23:20 +0400</pubDate>
		<title>Microsoft Updates April 2013 - 3 Critical Vulnerabilities</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Dmitry Bestuzhev)</author>
		<description>&lt;p&gt;There is a new malicious campaign under way on Skype, and it is still alive and kicking. The infection vector is social engineering: infected Skype accounts mass-send messages like these to their contacts:&lt;/p&gt; &lt;p&gt;&lt;b&gt;i don't think i will ever sleep again after seeing this photo&lt;/b&gt; &lt;i&gt;http://www.goo.gl/XXXXX?image=IMG0540250-JPG&lt;/i&gt;&lt;br&gt; &lt;b&gt;tell me what you think of this picture i edited&lt;/b&gt; &lt;i&gt;http://www.goo.gl/XXXXX?image=IMG0540250-JPG&lt;/i&gt;&lt;/p&gt; &lt;p&gt;The goo.gl short URL service shows that at the moment there are more than 170k clicks on the malicious URL, and only an hour ago there were around 160k. That means the &lt;b&gt;campaign is quite active, at around 10k clicks per hour, or roughly 2.8 clicks per second!&lt;/b&gt; Most of the victims are in Russia and Ukraine:&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194207.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194206/An_avalanche_in_Skype</guid>
		<link>http://www.securelist.com/en/blog/208194206/An_avalanche_in_Skype</link>
		<pubDate>04 Apr 2013 18:40:19 +0400</pubDate>
		<title>An avalanche in Skype</title>
	</item>
	<item>
		<author>webmaster@securelist.com (David)</author>
		<description>&lt;p&gt;Some of you may remember the virus wallpaper calendars that we published in previous years, listing a selection of significant events in the history of the IT security industry.&lt;/p&gt; &lt;p&gt;Well, we're posting new versions for 2013.&lt;/p&gt; &lt;p&gt;April's wallpaper is here.&lt;/p&gt; &lt;p class=c&gt;&lt;a href=&quot;http://www.securelist.com/en/calendar&quot;&gt;&lt;img src=&quot;images/pictures/klblog/208194205.jpg&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/a&gt;&lt;br/&gt;&lt;span class=small&gt;clickable!&lt;/span&gt;&lt;/p&gt; &lt;p&gt;But be sure to check our &lt;a href=&quot;http://www.securelist.com/en/calendar&quot; target=_blank&gt;calendar page&lt;/a&gt; each month, as we'll be adding new wallpapers as we go through the year.&lt;/p&gt; &lt;p&gt;We hope they'll make an interesting background for your desktop, as well as highlighting key security events from the past.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194204/Virus_calendar_wallpapers_for_2013</guid>
		<link>http://www.securelist.com/en/blog/208194204/Virus_calendar_wallpapers_for_2013</link>
		<pubDate>04 Apr 2013 12:06:20 +0400</pubDate>
		<title>Virus calendar wallpapers for 2013</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Roel)</author>
		<description>&lt;p&gt;&quot;If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why.&quot; Well, &quot;a bit more sluggish&quot; for limited sets of communications in parts of Europe for a few days is not a broken internet, and is certainly nowhere near a critical infrastructure disaster.&lt;/p&gt; &lt;p&gt;There has been a lot of attention on the recent reports of a DDoS attack against Spamhaus that reached a peak of 300 Gbps. Yes, such an enormous amount of throughput definitely makes this one of the biggest DDoS attacks ever seen. DDoS attacks have grown in popularity recently and there's no sign they'll go away anytime soon. Cybercriminals, competitors, hacktivists and nation-state sponsored actors all have their motives for using DDoS attacks. In this case, a suspected entity behind the attacks is a Dutch hosting company called CyberBunker, whose owner denies being responsible but claims to be a spokesman for the attackers. The conflict between Spamhaus and CyberBunker goes back to 2011 and escalated after Spamhaus blacklisted CyberBunker earlier this month. The timing is uncanny. And Spamhaus is certainly under attack from some determined group capable of generating massive amounts of traffic, which forced it to move to the hosting and service provider CloudFlare, known for effectively dissipating large DDoS attacks.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194203/The_Biggest_DDoS_Ever_that_Almost_Broke_the_Internet</guid>
		<link>http://www.securelist.com/en/blog/208194203/The_Biggest_DDoS_Ever_that_Almost_Broke_the_Internet</link>
		<pubDate>30 Mar 2013 08:25:45 +0400</pubDate>
		<title>The Biggest DDoS Ever that &quot;Almost Broke the Internet&quot;?</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Ben Godwood)</author>
		<description>&lt;style&gt; pre {color:black} .mail {color:blue;text-decoration:underline;} &lt;/style&gt;&lt;p&gt;Over the last few months we have seen a series of very similar targeted attacks being blocked by our Linux Mail Security product. In each case the documents used were RTF and the exploit was CVE-2012-0158 (the MSCOMCTL.OCX RCE vulnerability).&lt;/p&gt;&lt;p&gt;The attacks seem to come from the same group and most appear to be sent from Australia or the Republic of Korea. The sender IP addresses vary, but many are sent via &lt;em&gt;mail.mailftast.com&lt;/em&gt;. This domain is registered in China:&lt;/p&gt;&lt;pre&gt;REGISTRANT CONTACT INFO
liu runxin
No.1,Nanjing Road
Shanghai
Shanghai
200001
CN
Phone:         +86.2164415698
Email Address: &lt;span class=&quot;mail&quot;&gt;lishd2011@163.com&lt;/span&gt;&lt;/pre&gt;&lt;p&gt;The documents fall into three categories:&lt;/p&gt; &lt;ol&gt; &lt;li&gt;The first group of documents relate to articles on the Men's Health website. These are some example filenames:&lt;pre&gt;EAT FOR BETTER SEX.doc
How to last longer in bed.doc
6 Awkward Sex Moments, Defused.doc
9 ways to have better,hotter,and more memorable sex.doc
10 Ways to Get More Sex.doc&lt;/pre&gt;&lt;/li&gt; &lt;li&gt;The second group are military related:&lt;pre&gt;Stealth Frigate.doc
The BrahMos Missile.doc
How DRDO failed India's military.doc&lt;/pre&gt;&lt;/li&gt; &lt;li&gt;The third set have Cyrillic filenames:&lt;pre&gt;&amp;#1087;&amp;#1088;&amp;#1080;&amp;#1086;&amp;#1088;&amp;#1080;&amp;#1090;&amp;#1077;&amp;#1090;&amp;#1099; &amp;#1089;&amp;#1086;&amp;#1090;&amp;#1088;&amp;#1091;&amp;#1076;&amp;#1085;&amp;#1080;&amp;#1095;&amp;#1077;&amp;#1089;&amp;#1090;&amp;#1074;&amp;#1072;.doc
&amp;#1057;&amp;#1087;&amp;#1080;&amp;#1089;&amp;#1086;&amp;#1082; &amp;#1091;&amp;#1095;&amp;#1072;&amp;#1089;&amp;#1090;&amp;#1085;&amp;#1080;&amp;#1082;&amp;#1086;&amp;#1074; &amp;#1088;&amp;#1072;&amp;#1073;&amp;#1086;&amp;#1095;&amp;#1077;&amp;#1081; &amp;#1075;&amp;#1088;&amp;#1091;&amp;#1087;&amp;#1087;&amp;#1099;(0603-2013).doc
&amp;#1057;&amp;#1087;&amp;#1080;&amp;#1089;&amp;#1086;&amp;#1082; &amp;#1082;&amp;#1072;&amp;#1076;&amp;#1088;&amp;#1086;&amp;#1074;.doc
&amp;#1055;&amp;#1088;&amp;#1080;&amp;#1075;&amp;#1083;&amp;#1072;&amp;#1096;&amp;#1077;&amp;#1085;&amp;#1080;&amp;#1077; &amp;#1052;&amp;#1048;&amp;#1054;&amp;#1052; &amp;#1058;&amp;#1045;&amp;#1049;&amp;#1050;&amp;#1054;&amp;#1042;&amp;#1054; 2013.doc&lt;/pre&gt;(in English, roughly: &quot;cooperation priorities.doc&quot;, &quot;working group participant list (0603-2013).doc&quot;, &quot;staff list.doc&quot; and &quot;invitation MIOM TEYKOVO 2013.doc&quot;)&lt;/li&gt; &lt;/ol&gt;</description>
		<guid>http://www.securelist.com/en/blog/846/Military_Hardware_and_Mens_Health</guid>
		<link>http://www.securelist.com/en/blog/846/Military_Hardware_and_Mens_Health</link>
		<pubDate>29 Mar 2013 16:40:47 +0400</pubDate>
		<title>Military Hardware and Mens Health</title>
	</item>
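Added example (not the post's own tooling): a Python attachment-triage routine for the kind of file described above, a document carrying a .doc name whose bytes are actually RTF. It flags the extension/magic mismatch and, for RTF, reports embedded OLE object markers (\object, \objdata and friends) and the decoded size of the \objdata payload, which is where an MSCOMCTL.OCX trigger for CVE-2012-0158 is normally carried; that association is general knowledge about the exploit, not a detail from the post. The sample attachments are constructed and contain no exploit.

```python
"""Triage a mail attachment that presents itself as a Word document: flag
files whose bytes are really RTF (the container used in the attacks above)
and, for RTF, report embedded OLE objects, the usual carrier for an
MSCOMCTL.OCX (CVE-2012-0158) trigger. Detection only; the exploit itself
is not parsed.

Added example; not the post's own tooling. The sample attachments are
constructed and contain no exploit."""
import re

RTF_MAGIC = b"{\\rtf"
OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"     # genuine binary .doc
# RTF control words that introduce an embedded object; \objdata carries the
# hex-encoded OLE payload.
OBJECT_WORDS = (b"\\object", b"\\objemb", b"\\objdata", b"\\objclass")
OBJCLASS_RE = re.compile(rb"\\objclass\s*([^\\{}]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")

# Constructed samples: an RTF with an embedded object hiding behind a .doc
# name, a real (truncated) OLE .doc, and a plain RTF.
SAMPLES = {
    "The BrahMos Missile.doc":
        b"{\\rtf1\\ansi{\\object\\objemb\\objclass Word.Document.8"
        b"{\\*\\objdata 0105000002000000}}\\par hello}",
    "notes.doc": OLE_CFB_MAGIC + b"\x00" * 16,
    "readme.rtf": b"{\\rtf1\\ansi\\par plain text}",
}


def sniff(filename, data):
    """Describe an attachment: container kind, extension/magic mismatch, and
    any embedded-object markers found in RTF."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.lstrip().startswith(RTF_MAGIC):
        kind = "rtf"
    elif data.startswith(OLE_CFB_MAGIC):
        kind = "ole-doc"
    else:
        kind = "other"
    info = {"kind": kind, "mismatch": ext == "doc" and kind == "rtf",
            "object_words": [], "objclass": None, "objdata_bytes": 0}
    if kind == "rtf":
        info["object_words"] = sorted(w.decode() for w in OBJECT_WORDS if w in data)
        m = OBJCLASS_RE.search(data)
        if m:
            info["objclass"] = m.group(1).strip().decode(errors="replace")
        m = OBJDATA_RE.search(data)
        if m:
            hexdata = re.sub(rb"\s", b"", m.group(1)).decode()
            try:
                info["objdata_bytes"] = len(bytes.fromhex(hexdata))
            except ValueError:           # odd-length or otherwise broken hex run
                info["objdata_bytes"] = -1
    return info


def is_suspicious(filename, data):
    """True when the name lies about the container or an object is embedded."""
    info = sniff(filename, data)
    return info["mismatch"] or bool(info["object_words"]) or info["objdata_bytes"] != 0


def triage(attachments):
    """Names of attachments worth sandboxing, in the order given."""
    return [name for name, data in attachments.items() if is_suspicious(name, data)]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, sniff(name, data))
    print("suspicious:", triage(SAMPLES))
```

The mismatch check alone would already have caught every file in the three lists above, since all of them carry a .doc name; the object markers are there so that an RTF with an honest .rtf extension still gets a second look when it embeds OLE data.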
	<item>
		<author>webmaster@securelist.com (Costin Raiu)</author>
		<description>&lt;p&gt;In the past, we've seen targeted attacks against Tibetan and Uyghur activists on Windows and Mac OS X platforms. We've documented several interesting attacks (&lt;a href=&quot;https://www.securelist.com/en/blog/208193631/A_Gift_for_Dalai_Lamas_Birthday&quot;&gt;A Gift for Dalai Lamas Birthday&lt;/a&gt; and &lt;a href=&quot;https://www.securelist.com/en/blog/208194116/Cyber_Attacks_Against_Uyghur_Mac_OS_X_Users_Intensify&quot;&gt;Cyber Attacks Against Uyghur Mac OS X Users Intensify&lt;/a&gt;) which used ZIP files as well as DOC, XLS and PDF documents rigged with exploits.&lt;/p&gt; &lt;p&gt;Several days ago, the e-mail account of a high-profile Tibetan activist was hacked and used to send targeted attacks to other activists and human rights advocates. Perhaps the most interesting part is that the attack e-mails had an APK attachment - a malicious program for Android.&lt;/p&gt; &lt;p&gt;&lt;b&gt;The attack&lt;/b&gt;&lt;/p&gt; &lt;p&gt;On March 24th, 2013, the e-mail account of a high-profile Tibetan activist was hacked and used to send spear phishing e-mails to their contact list. This is what the spear phishing e-mail looked like:&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194187.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;p&gt;Regarding the message text above: multiple activist groups have recently organized a human rights conference in Geneva, and we've noticed an increase in the number of attacks using this event as a lure. Here's another example of such an attack, this one hitting Windows users:&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194196.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;p&gt;Going back to the Android Package (APK) file attached to the e-mail: it is an Android application named &quot;WUC's Conference.apk&quot;.&lt;/p&gt; &lt;p&gt;This malicious APK is a 334,326-byte file, MD5: 0b8806b38b52bebfe39ff585639e2ea2, and is detected by Kaspersky Lab products as &quot;Backdoor.AndroidOS.Chuli.a&quot;.&lt;/p&gt; &lt;p&gt;After installation, an application named &quot;Conference&quot; appears on the desktop:&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194194.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;p&gt;If the victim launches this app, they will see text that &quot;enlightens&quot; them about the upcoming event:&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194195.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack</guid>
		<link>http://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack</link>
		<pubDate>26 Mar 2013 16:14:19 +0400</pubDate>
		<title>Android Trojan Found in Targeted Attack</title>
	</item>
	<item>
		<author>webmaster@securelist.com (GReAT)</author>
		<description>&lt;p&gt;Earlier today, the Laboratory of Cryptography and System Security (CrySyS Lab), together with the Hungarian National Security Authority (NBF), published details on a &lt;a href=&quot;http://blog.crysys.hu/2013/03/teamspy/&quot;&gt;high-profile targeted attack against Hungary&lt;/a&gt;. The details about the exact targets are not known and the incident remains classified.&lt;/p&gt; &lt;p&gt;Considering the implications of such an attack, Kaspersky Lab's Global Research &amp; Analysis Team performed a technical analysis of the campaign and related malware samples.&lt;/p&gt; &lt;p&gt;You can read our short FAQ below and download our technical analysis paper, linked at the end of the blog post.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194185/The_TeamSpy_Crew_Attacks_Abusing_TeamViewer_for_Cyberespionage</guid>
		<link>http://www.securelist.com/en/blog/208194185/The_TeamSpy_Crew_Attacks_Abusing_TeamViewer_for_Cyberespionage</link>
		<pubDate>20 Mar 2013 21:23:19 +0400</pubDate>
		<title>The TeamSpy Crew Attacks - Abusing TeamViewer for Cyberespionage</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Fabio Assolini)</author>
		<description>&lt;p&gt;Microsoft recently &lt;a href=&quot;http://blogs.skype.com/2012/11/06/skypewlm/#fbid=wzZJQssfFV3&quot;&gt;announced&lt;/a&gt; the shutdown of its popular IM client MSN Messenger, which will be replaced by Skype, but its end marks the beginning of malicious attacks posing as the installer of the software. Cybercriminals have already started to use this in their attacks, registering malicious domains, buying sponsored links on search engines and tricking users into downloading and installing malware masquerading as the MSN installer.&lt;/p&gt; &lt;p&gt;MSN Messenger is still very popular in several countries; Microsoft &lt;a href=&quot;http://techcrunch.com/2012/11/06/end-of-an-era-windows-live-messenger-to-be-retired-users-transitioned-to-skype/&quot;&gt;stated&lt;/a&gt; that the service has more than 100 million users worldwide, approximately 30.5 million of them in Brazil. Since a phased migration of all users is planned, it's getting harder to find the program's installer, and this is the window of opportunity exploited by Brazilian cybercriminals aiming to infect users looking for the software.&lt;/p&gt; &lt;p&gt;In a simple Google search for &quot;MSN messenger&quot; the first result displayed is a sponsored link to a malicious domain distributing the fake installer, which is actually a banking Trojan:&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194179.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194178/The_end_of_MSN_Messenger_the_beginning_of_attacks</guid>
		<link>http://www.securelist.com/en/blog/208194178/The_end_of_MSN_Messenger_the_beginning_of_attacks</link>
		<pubDate>19 Mar 2013 15:27:02 +0400</pubDate>
		<title>The end of MSN Messenger, the beginning of attacks</title>
	</item>

</channel>
</rss>


