Securelist / All Updates

Blog: Carolina Dieckmann, Brazilian cybercrime legislation and la “Viveza criolla”

webmaster@securelist.com (Dmitry Bestuzhev) — 16 May 2012 22:58:22 +0400

Brazil is finally on the way of new cybercrime legislation, at the same time Carolina Dieckmann, a famous Brazilian actress, recently became the victim of cyber attacks that allowed cybercriminals to steal personal property - nude pictures of her- from her computer.

Analysis: Spam in Q1 2012

webmaster@securelist.com (Darya Gudkova, Maria Namestnikova) — 15 May 2012 18:25:00 +0400

Kaspersky Anti-Spam protects users all over the world

Blog: Public points of data loss

webmaster@securelist.com (Dmitry Bestuzhev) — 14 May 2012 15:18:34 +0400

In an airport lounge during my last trip I came across some cool tab devices running on Android integrated with an external keyboard available for public use and connected to the Internet. I performed a quick check of downloaded files, most visited sites and browser history and found a huge list of sensitive information. Here are some examples:

Analysis: Monthly Malware Statistics: April 2012

11 May 2012 17:33:00 +0400

280 million malicious programs were detected and neutralized

Blog: Is ‘SexyDefense’ The Future of Anti-Espionage?

webmaster@securelist.com (Roel) — 01 May 2012 22:39:58 +0400

At the recent SOURCE Boston conference, one presentation that caught my attention was called SexyDefense - Maximizing the home-field advantage

Descriptions: Porn-Tool.Win32.StripDance.d

webmaster@securelist.com () — 27 Apr 2012 16:36:00 +0400

This malware displays adult-content video clips. It is a Windows dynamic library (PE DLL file). It is 1 959 592 bytes in size. It is written in C++.

Descriptions: Hoax.HTML.OdKlas.a

webmaster@securelist.com () — 27 Apr 2012 16:32:00 +0400

When the user opens the fraudulent resource in the browser, this HTML document opens in a frame on the main page. The domain names of such fraudulent resources nearly match the "Odnoklassniki.ru" site...

Descriptions: Hoax.HTML.Agent.i

webmaster@securelist.com () — 27 Apr 2012 16:29:00 +0400

This hoax program imitates the download of Opera browser updates. It is an HTML page containing Java Script. It is 15 184 bytes in size.

Descriptions: not-a-virus:AdWare.Win32.Sushi.a

webmaster@securelist.com () — 26 Apr 2012 13:04:00 +0400

This adware is designed to redirect user's search queries to other web resources. It is a Windows application (PE EXE file). It is 1 416 432 bytes in size. It is written in C++. Installation This...

Descriptions: Trojan-Clicker.JS.Agent.op

webmaster@securelist.com () — 26 Apr 2012 12:57:00 +0400

When an infected page is opened, the Trojan launches its malicious script for execution. The Trojan then adds "mouseup" and "beforeunload" event handlers to this page. The malware tracks three user...

Descriptions: Trojan.JS.Redirector.os

webmaster@securelist.com () — 26 Apr 2012 12:54:00 +0400

When an infected page is opened in the user's browser, the following HTML document is displayed: After the user sends an SMS to the premium rate number, nothing will change on this page. The...

Descriptions: Trojan.JS.Fraud.ba

webmaster@securelist.com () — 25 Apr 2012 14:39:00 +0400

When an infected page is opened in a browser, the user will be shown a message about malicious activity on the computer. The infected page then imitates an antivirus scanner, which finds...

Descriptions: not-a-virus:AdWare.Win32.WhiteSmoke.a

webmaster@securelist.com () — 25 Apr 2012 14:10:00 +0400

This program downloads various malware from the Internet and installs it without the user's knowledge. It is a Windows application (PE EXE file). It is 129 288 bytes in size. It is packed using UPX....

Descriptions: Trojan-GameThief.Win32.Nilage.ipj

webmaster@securelist.com () — 25 Apr 2012 14:01:00 +0400

When the following files are available, the Trojan launches them for execution: C:\EEQQ\QQE.exe C:\EEQQ\EEQ.exe In a separate thread the Trojan searches for the following windows class names:...

Blog: Update to "DNSChanger - Cleaning Up 4 Million Infected Hosts"

webmaster@securelist.com (Kurt Baumgartner) — 24 Apr 2012 21:22:24 +0400

The Fbi's "Operation Ghost Click" announcement in Nov 2011, involving the Rove Digital botnet delayed cleanup efforts that we previously discussed, continues to haunt both the internet networks and the mass media. A Forbes article and a Times article yesterday brought the apparition back to the front, with some claiming that the site offered by the DNSChanger Working Group is a new one, which it is not. The 2011 Operation being described, and the temporarily outsourced DNS server replacements and delayed cleanup, is the same. This phantom is nothing supernatural, so why all the discussion? The federal judge's extension allowing the Fbi to run these replacement DNS servers still cuts off access in early July. When those replacement servers are removed in early July, the infected systems resolving DNS queries at these previously-owned Rove Digital servers will simply not be able to resolve DNS requests. July 9th will arrive soon, and notifications continue to go out related to the hundreds of thousands of systems in the US alone that are still infected.

In the simplest terms, connectivity will not be severed for DNSChanger-infected systems, but internet communications will not function for infected systems that have not been cleaned up. In the US, government agencies, home users, and other organizations still infected with the malware will have systems that effectively can't get online, can't send email, etc. It will look like they are connected to their network, but they just won't communicate with anything.

Descriptions: Trojan-Downloader.JS.Agent.ftu

webmaster@securelist.com () — 24 Apr 2012 17:15:00 +0400

Once launched, the Trojan uses additional JS scripts to strip obfuscations from its main malicious code. The Trojan then determines the operating system version, the current browser and the plugins...

Descriptions: Trojan-Downloader.Java.OpenConnection.df

webmaster@securelist.com () — 24 Apr 2012 17:12:00 +0400

This Trojan downloads files from the Internet without the user's knowledge. It is a Java class file. It is 2555 bytes in size.

Descriptions: Trojan-Downloader.Java.OpenConnection.dd

webmaster@securelist.com () — 24 Apr 2012 17:09:00 +0400

The malware is a component of a Trojan downloader from the "Trojan-Downloader.Java.OpenConnection" family and includes a class file named "bear", which downloads a file from the Internet, from a link...

Descriptions: Trojan-Downloader.Java.OpenConnection.dc

webmaster@securelist.com () — 23 Apr 2012 18:30:00 +0400

The malware is a component of a Trojan downloader from the "Trojan-Downloader.Java.OpenConnection" family and includes a class file named "monoid", which downloads a file from the Internet, from a...

Descriptions: Trojan-Downloader.Java.OpenConnection.cx

webmaster@securelist.com () — 23 Apr 2012 18:20:00 +0400

The malware is a component of a Trojan downloader and includes a class file named "a", which downloads a file from the Internet, from a link sent to it. The file is saved in the current user's...

Descriptions: Trojan-Downloader.Java.OpenConnection.cg

webmaster@securelist.com () — 23 Apr 2012 18:17:00 +0400

This malware is a component of a Trojan, which downloads files from the Internet without the user's knowledge. It is a Java class file. It is 672 bytes in size.

Descriptions: Trojan-Downloader.HTML.Agent.sn

webmaster@securelist.com () — 20 Apr 2012 16:30:00 +0400

When an infected page is opened in the browser, the Trojan launches a Java applet placed on the same server: http://<site>/games/tetris.jar Where <site> is the infected site's domain...

Descriptions: Trojan-Downloader.HTML.Agent.sl

webmaster@securelist.com () — 20 Apr 2012 16:21:00 +0400

This Trojan opens different websites in the browser without the user's knowledge. It is an HTML page. It is 61 048 bytes in size.

Descriptions: Trojan-Clicker.JS.Agent.om

webmaster@securelist.com () — 20 Apr 2012 16:16:00 +0400

Once an infected HTML page is opened, the Trojan sets a "cookie" in the browser until the year 2037 named "cook15" with the current date and time. The Trojan, in order to test the "cookies"...

Blog: OS X Mass Exploitation - Why Now?

webmaster@securelist.com (Kurt Baumgartner) — 19 Apr 2012 17:32:33 +0400

Market share! It’s an easy answer, but not the only one.

In 2011, Apple was estimated to account for over 5% of worldwide desktop/laptop market share. This barrier was a significant one to break - Linux maintains under 2% market share and Google ChromeOS even less. This 15 year peak coincided with the first exploration by the aggressive FakeAv/Rogueware market targeting Apple computers, which we discovered and posted in April 2012 and later in May 2011, which no longer seem to be such an odd coincidence. Also, the delay in Apple malware until now most likely was not because Apple exploits were unavailable, or because the Mac OS X system is especially hardened.

Analysis: The anatomy of Flashfake. Part 1

webmaster@securelist.com (Alexander Gostev) — 19 Apr 2012 16:38:00 +0400

Flashback/Flashfake is a family of malware for Mac OS X.

Analysis: Spam report: March 2012

webmaster@securelist.com (Maria Namestnikova) — 19 Apr 2012 12:12:00 +0400

The share of spam in email traffic decreased by 3.5 percentage points compared to February and averaged 75%.

Blog: SOURCE Boston Security Conference and Training 2012 Day 2 - Dan Geer Keynote, Android Modding and Cloud Security

webmaster@securelist.com (Kurt Baumgartner) — 19 Apr 2012 07:46:09 +0400

Dan Geer's Keynote Speech kicked off Day 2 of SOURCE Conference Boston this morning. The talk itself was heady and complex, something to keep up with. Notable talks were Jeremey Westerman's "Covering *aaS - Cloud Security Case Studies for SaaS, PaaS and IaaS", and Dan Rosenberg's "Android Modding for the Security Practitioner".

Blog: New Spam campaign on Twitter Leads to Rogue AV

webmaster@securelist.com (Nicolas Brulez) — 18 Apr 2012 20:17:31 +0400

Early today, Kaspersky Lab discovered a new ongoing spam campaign on Twitter. hundreds of compromised accounts are currently spamming malicious links, hosted on .TK and .tw1.su domains, leading to Rogue Anti Virus softwares.

Blog: SOURCE Boston Security Conference and Training 2012 - Hacktivism, Duqu and Building Successful Security Programs

webmaster@securelist.com (Kurt Baumgartner) — 18 Apr 2012 09:47:01 +0400

2012 SOURCE Boston kicked off the first of three days with an opening talk on hacktivism and the Anonymous movement, Costin Raiu and Vitaly Kamluk presented the latest in Duqu C2 research, and Vercode's Shyama Rose talked about strategic success in security program buildouts.

Analysis: Monthly Malware Review, March 2012

16 Apr 2012 13:33:00 +0400

The investigation into the Duqu Trojan is into its sixth month, and March brought further progress as we were able to establish which language was used for its Framework code.

Blog: New Version of OSX.SabPub & Confirmed Mac APT attacks

webmaster@securelist.com (Costin Raiu) — 16 Apr 2012 01:17:24 +0400

Late last week, we found evidence of a possible link between a Mac OS X backdoor trojan and an APT attack known as LuckyCat. The IP address of the C&C to which this bot connects (199.192.152.*) was also used in other Windows malware samples during 2011, which made us believe we were looking at the same entity behind these attacks. For the past two days, we have been monitoring a “fake” infected system - which is a typical procedure we do for APT bots. We were extremely surprised when during the weekend, the APT controllers took over our “goat” infected machine and started exploring it.

Blog: SabPub Mac OS X Backdoor: Java Exploits, Targeted Attacks and Possible APT link

webmaster@securelist.com (Costin Raiu) — 14 Apr 2012 18:59:48 +0400

we can confirm yet another Mac malware in the wild - Backdoor.OSX.SabPub.a being spread through Java exploits. This new threat is a custom OS X backdoor, which appears to have been designed for use in targeted attacks. After it is activated on an infected system, it connects to a remote website in typical C&C fashion to fetch instructions. The backdoor contains functionality to make screenshots of the user’s current session and execute commands on the infected machine.

Blog: Patch Tuesday April 2012 - Patching Multiple Web Based Client Side and Spearphishing Exposures

webmaster@securelist.com (Kurt Baumgartner) — 10 Apr 2012 21:30:04 +0400

This month's patch Tuesday fixes a small set of critical vulnerabilities in a variety of client side software. Six bulletins have been created to address eleven exploitable flaws. Two of the bulletins are top priority and should be addressed ASAP. These are the MS12-023 bulletin, patching a set of five Internet Explorer vulnerabilities leading to remote code execution, and the MS12-027 bulletin, patching the MSCOMCTL ActiveX Control.

Blog: Beware of deceptive in-app advertising

webmaster@securelist.com (Tim) — 10 Apr 2012 20:51:24 +0400

I really like the new app by OMGPOP called Draw Something. I play this game with my friends possibly a little too much. Draw Something has attracted more than 50 million downloads, and was just acquired by Zynga for $200 million dollars. It was surprising the other day when I noticed an advertisement at the bottom of the screen for a battery optimizer app. In fact it even told me two upgrades were available!

Descriptions: Trojan.JS.Iframe.rg

webmaster@securelist.com () — 10 Apr 2012 19:26:00 +0400

The malicious user injects this script into infected HTML pages. Once launched, the Trojan decrypts its body, then in a hidden frame it opens the resource placed on the same server, where the infected...

Descriptions: Trojan.JS.Agent.bte

webmaster@securelist.com () — 10 Apr 2012 19:00:00 +0400

This program has a malicious payload. It is an HTML document containing Java Script. It is 66 821 bytes in size.

Descriptions: Trojan.Java.Agent.ak

webmaster@securelist.com () — 10 Apr 2012 18:56:00 +0400

This malware is a component of a Trojan from the "Trojan-Downloader.Java.OpenConnection" family and it is a class file named "Unicode", which contains the "lopiyo" function. This function is designed...

Descriptions: Trojan-Downloader.OSX.Flashfake

webmaster@securelist.com () — 10 Apr 2012 17:00:00 +0400

A family of malware for Mac OS X. The first versions of this type of threat were detected in September 2011. In March 2012 over 600 000 computers worldwide were infected by Flashback. The infected...

Descriptions: Trojan-Downloader.OSX.Flashfake.ab

webmaster@securelist.com () — 10 Apr 2012 17:00:00 +0400

A family of malware for Mac OS X. The first versions of this type of threat were detected in September 2011. In March 2012 over 600 000 computers worldwide were infected by Flashback. The infected...

Blog: Flashfake Removal Tool and online-checking site

webmaster@securelist.com (Aleks) — 10 Apr 2012 02:08:00 +0400

After intercepting one of the domain names used by the Flashback/Flashfake Mac Trojan and setting up a special sinkhole server last Friday, we managed to gather stats on the scale and geographic distribution of the related botnet. We published information on this in our previous blog entry

Blog: 10 Simple Tips for Boosting The Security Of Your Mac

webmaster@securelist.com (Costin Raiu) — 09 Apr 2012 20:33:00 +0400

At the moment, there are more than 100 million Mac OS X users around the world. The number has grown switfly during the past years we expect this growth to continue. Until recently, Mac OS X malware was a somehow limited category and included trojans such as the Mac OS X version of DNSChanger and more recently, fake anti-virus/scareware attacks for Mac OS X which boomed in 2011. In September 2011, the first versions of the Mac OS X trojan Flashback have appeared, however, they didn’t really become widespread until March 2012. According to data collected by Kaspersky Lab, almost 700,000 infected users have been counted at the beginning of April and the number could be higher. Although Mac OS X can be a very secure operating systems, there are certain steps which you can take to avoid becoming a victim to this growing number of attacks.

Here’s our recommendation on 10 simple tips to boost the security of your Mac:

Descriptions: Exploit.JS.Stylesheeter.b

webmaster@securelist.com () — 09 Apr 2012 20:05:00 +0400

This program has a malicious payload. It is an HTML document containing Java Script. It is 77 309 bytes in size.

Descriptions: Exploit.JS.Pdfka.ddt

webmaster@securelist.com () — 09 Apr 2012 20:00:00 +0400

This Trojan downloads another program to the computer and launches it for execution without the user's knowledge. It is an XFA form containing Java Script. It is 9166 bytes in size.

Descriptions: Exploit.Java.CVE-2010-0840.b

webmaster@securelist.com () — 09 Apr 2012 19:03:00 +0400

A malicious Java applet is activated after an infected HTML page is opened in the user's browser. The applet is launched by means of an "<applet>" HTML tag for which the application's main class...

Blog: Flashfake Mac OS X botnet confirmed

webmaster@securelist.com (Igor Soumenkov) — 06 Apr 2012 20:54:00 +0400

Earlier this week, Dr. Web reported the discovery of a Mac OS X botnet Flashback (Flashfake). According to their information, the estimated size of this botnet is more than 500, 000 infected Mac machines.

Descriptions: Trojan-GameThief.Win32.Magania.dbtv

webmaster@securelist.com () — 06 Apr 2012 19:06:00 +0400

Once launched, the Trojan increases its privileges to gain access to other processes. Subject to the presence of a launched "AVP.exe" process, the Trojan extracts a malicious driver from its body,...

Descriptions: Trojan-Dropper.Win32.Agent.aiad

webmaster@securelist.com () — 04 Apr 2012 20:50:00 +0400

Once launched, the Trojan performs the following actions: It deletes the following file: %Program Files%\Internet Explorer\JavaNe64.Bet It copies its body to a file: %Program Files%\Internet...

Descriptions: Trojan-Dropper.Win32.Agent.dcbd

webmaster@securelist.com () — 04 Apr 2012 20:42:00 +0400

Once launched, the Trojan performs the following actions: It extracts files from its body and saves them in the system as: %System%\<rnd1>.dll (56 320 bytes; detected by Kaspersky Anti-Virus...

Descriptions: Trojan-Dropper.Win32.Small.gfa

webmaster@securelist.com () — 04 Apr 2012 20:26:00 +0400

After launching, the Trojan extracts a file from its body and saves it in the system under the following name: %WinDir%\Downloaded Program Files\spoolv.exe (3740 bytes; detected by Kaspersky...