<?xml version="1.0" encoding="iso-8859-1" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<atom:link href="http://www.securelist.com/en/rss/weblog" rel="self" type="application/rss+xml" />
<title>Securelist / Blog</title>
<link>http://www.securelist.com/en/</link>
<description></description>
<lastBuildDate>04 Feb 2012 05:55:31 +0400</lastBuildDate>
<image>
<title>Securelist / Blog</title>
<url>http://www.securelist.com/en/rss/klogo.gif</url>
<link>http://www.securelist.com/en/</link>	
</image>
	<item>
		<author>webmaster@securelist.com (Ryan Naraine)</author>
		<description>&lt;p class=c&gt;&lt;iframe width=&quot;640&quot; height=&quot;360&quot; src=&quot;https://www.youtube.com/embed/Yz16De37Lxo?rel=0&quot; frameborder=&quot;0&quot; allowfullscreen&gt;&lt;/iframe&gt;&lt;/p&gt; &lt;p&gt;In this webcast, Kaspersky Lab senior security researcher Roel Schouwenberg talks about the Diginotar certificate authority breach and the implications for trust on the Internet. Schouwenberg also provides a key suggestion for all major Web browser vendors.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/660/Lab_Matters_The_death_of_browser_trust</guid>
		<link>http://www.securelist.com/en/blog/660/Lab_Matters_The_death_of_browser_trust</link>
		<pubDate>02 Feb 2012 16:15:00 +0400</pubDate>
		<title>Lab Matters - The death of browser trust</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Maria Garnaeva)</author>
		<description>&lt;p&gt;It has been four months since Microsoft and Kaspersky Lab announced the disruption of the &lt;a href='http://www.securelist.com/en/blog/208193137/Botnet_Shutdown_Success_Story_How_Kaspersky_Lab_Disabled_the_Hlux_Kelihos_Botnet'&gt;Kelihos/Hlux botnet&lt;/a&gt;. The sinkholing method that was used has its advantages - it is possible to disable a botnet rather quickly without taking control over the infrastructure. However, as this particular case showed, it is not very effective if the botnet&amp;#8217;s masters are still at large.&lt;/p&gt; &lt;p&gt;Not long after we disrupted Kelihos/Hlux, we came across new samples that seemed to be very similar to the initial version. After some investigation, we gathered all the differences between the two versions. This is a summary of our findings:&lt;/p&gt; &lt;p&gt;Let&amp;#8217;s start with the lowest layer, the encryption and packing of Kelihos/Hlux messages in the communication protocol. For some reason, the order of operations was changed in the new version.
Here are the steps for processing encrypted data to retrieve a job message, which is organized as a tree structure:&lt;/p&gt; &lt;table class=fullbrd align=center&gt; &lt;tr&gt;&lt;td&gt;&amp;#8470;&lt;/td&gt;&lt;td&gt;&lt;b&gt;Old Hlux&lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;b&gt;New Hlux&lt;/b&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;Blowfish with key1&lt;/td&gt;&lt;td&gt;Blowfish with new key1&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt;&lt;td&gt;2&lt;/td&gt;&lt;td&gt;3DES with key2&lt;/td&gt;&lt;td&gt;Decompression with Zlib&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt;&lt;td&gt;3&lt;/td&gt;&lt;td&gt;Blowfish with key3&lt;/td&gt;&lt;td&gt;3DES with new key2&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt;&lt;td&gt;4&lt;/td&gt;&lt;td&gt;Decompression with Zlib&lt;/td&gt;&lt;td&gt;Blowfish with new key3&lt;/td&gt;&lt;/tr&gt; &lt;/table&gt;</description>
		<guid>http://www.securelist.com/en/blog/655/Kelihos_Hlux_botnet_returns_with_new_techniques</guid>
		<link>http://www.securelist.com/en/blog/655/Kelihos_Hlux_botnet_returns_with_new_techniques</link>
		<pubDate>31 Jan 2012 15:00:00 +0400</pubDate>
		<title>Kelihos/Hlux botnet returns with new techniques</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Kurt Baumgartner)</author>
		<description>&lt;P&gt;S. Korean handlers are slow to take down the publicly distributed malicious code exploiting CVE-2012-0003, a vulnerability patched in Microsoft's January 2012 patch release MS12-004. We have discussed with reporters that the code has been available since the 21st, and a site appears to have been publicly attacking very low numbers of Korean users over the past day or so. The site remains up at this time.&lt;/P&gt;</description>
		<guid>http://www.securelist.com/en/blog/208193368/CVE_2012_0003_Exploit_ITW</guid>
		<link>http://www.securelist.com/en/blog/208193368/CVE_2012_0003_Exploit_ITW</link>
		<pubDate>27 Jan 2012 21:44:43 +0400</pubDate>
		<title>CVE-2012-0003 Exploit ITW</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Dmitry Bestuzhev)</author>
		<description>    How much do you earn per day? If we look at how much a cybercriminal from Brazil earns every day, we&amp;#8217;ll understand why Brazil is one of the main sources of malware in the world.     Brazilian cybercriminals really like to use short URLs to track infections and have their own stats. Here is the profile of one criminal using Bitly as a URL shortening service.     &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208193356.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208193355/Brazilian_cybercriminals_daily_earnings_more_than_youll_ever_earn_in_a_year</guid>
		<link>http://www.securelist.com/en/blog/208193355/Brazilian_cybercriminals_daily_earnings_more_than_youll_ever_earn_in_a_year</link>
		<pubDate>20 Jan 2012 17:20:50 +0400</pubDate>
		<title>Brazilian cybercriminals&#8217; daily earnings - more than you&#8217;ll ever earn in a year!</title>
	</item>
	<item>
		<author>webmaster@securelist.com (David)</author>
		<description>&lt;p&gt;As some of you may remember, during 2011 we published a malware calendar wallpaper for each month of the year.&lt;/p&gt; &lt;p&gt;We're doing so again this year, with updated information from 2011. However, we've decided to take a slightly different approach this year and publish all 12 wallpapers in one place. You can find them all &lt;a href=&quot;http://www.securelist.com/en/calendar&quot; target=_blank&gt;here&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;We hope you like this year's designs and find the data interesting.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208193354/Malware_wallpaper_calendars_for_2012</guid>
		<link>http://www.securelist.com/en/blog/208193354/Malware_wallpaper_calendars_for_2012</link>
		<pubDate>19 Jan 2012 19:42:48 +0400</pubDate>
		<title>Malware wallpaper calendars for 2012</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Ryan Naraine)</author>
		<description>&lt;p class=c&gt;&lt;iframe width=&quot;640&quot; height=&quot;360&quot; src=&quot;https://www.youtube.com/embed/bvjbt2lHJwQ?rel=0&quot; frameborder=&quot;0&quot; allowfullscreen&gt;&lt;/iframe&gt;&lt;/p&gt; &lt;p&gt;Kaspersky Lab malware researcher Tillmann Werner joins Ryan Naraine to talk about the threat from peer-to-peer botnets. The discussion ranges from botnet-takedown activities to the ongoing cat-and-mouse games to cope with the botnet menace.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/654/Lab_Matters_The_threat_from_P2P_botnets</guid>
		<link>http://www.securelist.com/en/blog/654/Lab_Matters_The_threat_from_P2P_botnets</link>
		<pubDate>19 Jan 2012 17:35:00 +0400</pubDate>
		<title>Lab Matters - The threat from P2P botnets</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Dmitry Bestuzhev)</author>
		<description>    I was browsing through compromised websites used for spreading malware and found one from Argentina which belongs to a veterinary supplier. The admin panel got p0wned and, worst of all, it had a tab with the personal details of people who had posted their CVs (curriculum vitae). So, what exactly has happened? Well, basically lots of confidential information has been leaked and we are talking about home addresses, telephone numbers, details of education centers attended, mobile phone numbers, email addresses, marital status, children and even personal references. This is very bad because the same information can easily be used for all kinds of fraudulent activities: on-line ID theft, targeted attacks and so on. Here are just a few examples of real CVs uploaded and saved on the compromised site:  &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208193350.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208193351.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208193349/Two_pronged_attack_Argentine_site_hit_by_malware_and_data_leak</guid>
		<link>http://www.securelist.com/en/blog/208193349/Two_pronged_attack_Argentine_site_hit_by_malware_and_data_leak</link>
		<pubDate>18 Jan 2012 17:13:10 +0400</pubDate>
		<title>Two-pronged attack: Argentine site hit by malware and data leak</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Kurt Baumgartner)</author>
		<description>&lt;P&gt;Following their major database breach, Zappos leadership is doing the right thing by what seems to be quickly and clearly communicating what data was accessed and what was not - there are no unexplained delays or confusion on their part about the event. It's like another Aurora moment in my book, when Google extraordinarily opened up about their breach while the other 30-odd Aurora-breached major corporations did the opposite, aggressively maintaining NDAs to hide their Aurora incidents and hiding their heads in the sand. Zappos reset 24 million customers' passwords and emailed all of them about the problem last night.&lt;/P&gt; &lt;p class=c&gt;&lt;a href=images/pictures/klblog/208193348.PNG target=&quot;_blank&quot;&gt;&lt;img src=&quot;images/pictures/klblog/208193348.PNG&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;Zappos Exec Sends Security Email to All Employees&quot;&gt;&lt;/a&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208193346/The_Zappos_Breach_and_Textual_Password_Based_Authentication</guid>
		<link>http://www.securelist.com/en/blog/208193346/The_Zappos_Breach_and_Textual_Password_Based_Authentication</link>
		<pubDate>17 Jan 2012 18:42:32 +0400</pubDate>
		<title>The Zappos Breach and Textual Password Based Authentication</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Fabio Assolini)</author>
		<description>&lt;p&gt;Life looks good for Brazilian hackers: the absence of a specific law against cybercrime leaves them feeling so invulnerable that the bad guys are shameless about publicizing their thefts and showing off the profits of a life of crime. We showed some of this in a &lt;b&gt;&lt;a href=&quot;http://www.virusbtn.com/conference/vb2011/abstracts/Assolini.xml&quot;&gt;presentation&lt;/a&gt;&lt;/b&gt; at the latest Virus Bulletin Conference, and it&amp;#8217;s commonplace to find YouTube clips of Brazilian bankers and carders reveling in their ill-gotten gains and rubbing their easy money in the faces of hard-up victims (there&amp;#8217;s one example &lt;b&gt;&lt;a href=&quot;http://youtu.be/nejyo4I6tWA&quot;&gt;here&lt;/a&gt;&lt;/b&gt;, and several more out there). It&amp;#8217;s also common to find bad guys&amp;#8217; profiles on social networks such as Twitter, Tumblr, etc. Everything is done out in the open, without fear of being caught.&lt;/p&gt; &lt;p&gt;To help new &amp;#8220;entrepreneurs&amp;#8221; or beginners interested in a life of cybercrime, some Brazilian bad guys started to offer paid courses. Others went even further, &lt;b&gt;creating a Cybercrime school to sell the necessary skills to anyone who fancies a life of computer crime but lacks the technical know-how&lt;/b&gt;. On a website dedicated to selling these courses and promoting the &amp;#8220;school&amp;#8221;, a careful search turns up courses like &amp;#8220;How to be a Banker&amp;#8221;, &amp;#8220;Kit Spammer&amp;#8221; or &amp;#8220;How to be a Defacer&amp;#8221;.&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208193342.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208193337/A_School_for_Cybercrime_How_to_Become_a_Black_Hat</guid>
		<link>http://www.securelist.com/en/blog/208193337/A_School_for_Cybercrime_How_to_Become_a_Black_Hat</link>
		<pubDate>17 Jan 2012 17:40:47 +0400</pubDate>
		<title>A School for Cybercrime: How to Become a Black Hat</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Denis)</author>
		<description>&lt;p&gt;Not so long ago we found a very interesting piece of malware for Android. Unfortunately, it is not clear how it was spread, but in any case it&amp;#8217;s worth mentioning. After installation, the malicious application presents itself as the &amp;#8216;MADDEN NFL 12&amp;#8217; game.&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208193333.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;p&gt;The file is over 5 MB in size and is actually a Trojan that drops a set of malware components onto the system: a root exploit, an SMS Trojan and an IRC bot. The .class file &quot;AndroidBotAcitivity&quot; implements this dropper functionality. It creates a &amp;#8216;/data/data/com.android.bot/files&amp;#8217; directory and sets &amp;#8216;777&amp;#8217; permissions on it (read/write/execute for all users). After that it extracts three files - &amp;#8216;header01.png&amp;#8217; (root exploit), &amp;#8216;footer01.png&amp;#8217; (IRC bot), &amp;#8216;border01.png&amp;#8217; (SMS Trojan) - into this directory. Then it sets &amp;#8216;777&amp;#8217; permissions on the root exploit file and executes it. Finally, it displays the text &amp;#8216;(0x14) Error - Not registred application&amp;#8217; on the screen.&lt;/p&gt; &lt;p&gt;If the exploit is executed successfully and the device is rooted, it launches the IRC bot &amp;#8216;footer01.png&amp;#8217;.&lt;/p&gt; &lt;p&gt;First of all, the IRC bot will try to delete &amp;#8216;etc/sent&amp;#8217; using the &amp;#8216;rm&amp;#8217; command:&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208193334.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208193332/IRC_bot_for_Android</guid>
		<link>http://www.securelist.com/en/blog/208193332/IRC_bot_for_Android</link>
		<pubDate>13 Jan 2012 22:36:42 +0400</pubDate>
		<title>IRC bot for Android</title>
	</item>
	<item>
		<author>webmaster@securelist.com (David Jacoby)</author>
		<description>&lt;p&gt;At the time of writing there is a new Facebook phishing attack going on. It will not just try to steal your Facebook credentials; it will also try to steal credit card information and other important information such as security questions.&lt;/p&gt; &lt;p&gt;This Facebook phishing attack is pretty interesting because it does not just try to trick the victim into visiting a phishing website. It will reuse the stolen information to log in to the compromised account and change both the profile picture and the name. The profile picture will be changed to the Facebook logo and the name will be changed to &amp;#8220;Facebook Security&amp;#8221;, but with special ASCII characters replacing letters such as &amp;#8220;a&amp;#8221;, &amp;#8220;k&amp;#8221;, &amp;#8220;S&amp;#8221; and &amp;#8220;t&amp;#8221;.&lt;/p&gt; &lt;p&gt;Once an account is compromised it will also send out a message to all contacts of the compromised account. The message looks like this:&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208193331.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208193325/Facebook_Security_Phishing_Attack_In_The_Wild</guid>
		<link>http://www.securelist.com/en/blog/208193325/Facebook_Security_Phishing_Attack_In_The_Wild</link>
		<pubDate>13 Jan 2012 15:38:00 +0400</pubDate>
		<title>Facebook Security Phishing Attack In The Wild</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Ryan Naraine)</author>
		<description>&lt;p class=c&gt;&lt;iframe width=&quot;640&quot; height=&quot;360&quot; src=&quot;https://www.youtube.com/embed/TotuRZkgfxg?rel=0&quot; frameborder=&quot;0&quot; allowfullscreen&gt;&lt;/iframe&gt;&lt;/p&gt; &lt;p&gt;Director of Kaspersky Lab's global research and analysis team Costin Raiu appears on Lab Matters to discuss the security ramifications of the growing dependence on cloud computing. The discussions center on the convenience of using consumer cloud services and some of the risks involved with outsourcing security to third parties.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/653/Lab_Matters_Cloudy_with_a_chance_of_stolen_data</guid>
		<link>http://www.securelist.com/en/blog/653/Lab_Matters_Cloudy_with_a_chance_of_stolen_data</link>
		<pubDate>12 Jan 2012 16:08:00 +0400</pubDate>
		<title>Lab Matters - Cloudy with a chance of stolen data</title>
	</item>
	<item>
		<author>webmaster@securelist.com (David Jacoby)</author>
		<description>&lt;p&gt;Earlier today, I was sitting at home working on a Linux server that had been compromised when suddenly I heard my home phone ringing. Actually, someone has been calling me and just hanging up at around the same time every day for three or four days now. I thought that it was just some telemarketing company profiling me to figure out whether I&amp;#8217;m home or not, but this time it was different.&lt;/p&gt; &lt;p&gt;When I picked up the phone I heard this guy introducing himself as a technician from the Windows Security Support Department. The connection was VERY bad and I could not hear everything he said; I don't know if this was intended or not.&lt;/p&gt; &lt;p&gt;When I started to talk to him he asked me in English with an Indian accent if I had a computer at home, and of course I said &amp;#8220;yes&amp;#8221;. Then he started to explain that my computer had been compromised and that my firewall was only protecting me against external threats and not internal threats. At this point I knew that something strange was going on, and I started to ask more questions about the malware, trying to get more information about it, at which point he immediately hung up the phone.&lt;/p&gt; &lt;p&gt;Just after he hung up I realized that this was one of those scams where they trick people into installing remote access software so that they can control the machines. Once they have access to the machines, they install rootkits and obtain full access to your computer.&lt;/p&gt; &lt;p&gt;In the outside world, I think this is quite an effective scam because they called me during the day, and I guess the people who are at home at this hour are not your average security researcher from Kaspersky Lab but maybe people who are sick, or the elderly.&lt;/p&gt; &lt;p&gt;I want to warn everyone about these scams, and at this time I can confirm that they are currently attacking Sweden.
Previously, such scams appeared to target UK/US users mostly (&lt;a href=&quot;http://money-watch.co.uk/8183/windows-support-scam-worsens&quot;&gt;http://money-watch.co.uk/8183/windows-support-scam-worsens&lt;/a&gt;), but it seems their business is expanding.&lt;/p&gt; &lt;p&gt;Please let us know if somebody calls you and claims to be from &amp;#8220;Windows Security&amp;#8221; (or similar) and asks you to install remote access software. Most important of all, do not install the software they recommend!&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208193324/Windows_Security_Phone_Scam_Now_Targeting_Sweden</guid>
		<link>http://www.securelist.com/en/blog/208193324/Windows_Security_Phone_Scam_Now_Targeting_Sweden</link>
		<pubDate>09 Jan 2012 16:04:35 +0400</pubDate>
		<title>Windows Security Phone Scam Now Targeting Sweden</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Costin Raiu)</author>
		<description>As we turn the page to 2012, it makes sense to sit back and take a look at what happened during the past twelve months in the IT Security world. If we were to summarize the year in one word, I think it would probably be &amp;#8220;explosive.&amp;#8221; The multitude of incidents, stories, facts, new trends and intriguing actors is so big that it makes it very hard to narrow them down to a top 10 of security stories of 2011. What I was aiming for with this list is to remember the stories that also indicate major trends or the emergence of major actors on the security scene. By looking at these stories, we can get an idea of what will happen in 2012.</description>
		<guid>http://www.securelist.com/en/blog/208193323/The_Top_10_Security_Stories_of_2011</guid>
		<link>http://www.securelist.com/en/blog/208193323/The_Top_10_Security_Stories_of_2011</link>
		<pubDate>04 Jan 2012 13:08:35 +0400</pubDate>
		<title>The Top 10 Security Stories of 2011</title>
	</item>
	<item>
		<author>webmaster@securelist.com (David Jacoby)</author>
		<description>&lt;p&gt;When logging into Facebook this morning I saw that many of my friends had posted a link to a video on their wall, and everyone had also liked the link. The video was of a girl with a nice butt and it had the title &lt;b&gt;&quot;Laura Frisian: the most beautiful ass in the world!&quot;&lt;/b&gt;. It was pretty obvious that it was a scam because it looked like all the other Facebook scams we have seen, but because so many of my friends were posting this video I still decided to take a look at it.&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208193317.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;p&gt;I quickly ended up in a JavaScript hell, with obfuscated code and multiple domains. It seems that the server used in this scam is hosting about 300 pages similar to the one I'm writing about. All of the pages look the same, but have many different videos; a few examples are:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;b&gt;If you like Nutella, never look this video!!!&lt;/b&gt;&lt;/li&gt; &lt;li&gt;&lt;b&gt;Drill a tooth abscess! Disgusting :s&lt;/b&gt;&lt;/li&gt; &lt;li&gt;&lt;b&gt;Compilation of Embarrassing and Busted! Photos, Awesome :D&lt;/b&gt;&lt;/li&gt; &lt;li&gt;&lt;b&gt;Transgender 10-Year-Old, Boy Happier As A Girl !&lt;/b&gt;&lt;/li&gt; &lt;li&gt;&lt;b&gt;A Really Giant Baby ! Amazing it looks so real :D&lt;/b&gt;&lt;/li&gt; &lt;li&gt;&lt;b&gt;Air Race Plane Crashed in the crowd during a show !&lt;/b&gt;&lt;/li&gt; &lt;li&gt;&lt;b&gt;The worst thing that can happen to a girl!&lt;/b&gt;&lt;/li&gt; &lt;li&gt;&lt;b&gt;A fisherman catches a couple when they make ... :D&lt;/b&gt;&lt;/li&gt; &lt;/ul&gt;</description>
		<guid>http://www.securelist.com/en/blog/208193316/BuzzMania_ClickJacking_LikeJacking_spam_on_Facebook</guid>
		<link>http://www.securelist.com/en/blog/208193316/BuzzMania_ClickJacking_LikeJacking_spam_on_Facebook</link>
		<pubDate>03 Jan 2012 13:22:22 +0400</pubDate>
		<title>BuzzMania -  ClickJacking / LikeJacking spam on Facebook!</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Kurt Baumgartner)</author>
		<description>&lt;P&gt;It's the end of 2011 as we know it, and Microsoft feels fine finishing out the year with a handful of out-of-band holiday patches. This round is important not because the vulnerabilities directly impact massive numbers of customers and their online behavior on Windows laptops, tablets, and workstations, but because ASP.NET maintains vulnerable code enabling easy DoS of hosting websites, authentication bypass techniques, and stealth redirections to other websites (most dangerously those sites hosting phish and hosting client side exploits and spyware). All of this could curdle your eggnog in the coldest of weather.&lt;/P&gt; &lt;p class=c&gt;&lt;a href=images/pictures/klblog/208193314.PNG&gt;&lt;img src=&quot;images/pictures/klblog/208193314.PNG&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;C32011 Klink, Walde ASP.NET slide&quot; width=475 height=225&gt;&lt;/a&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208193313/ASP_NET_Holiday_Patches</guid>
		<link>http://www.securelist.com/en/blog/208193313/ASP_NET_Holiday_Patches</link>
		<pubDate>30 Dec 2011 02:24:20 +0400</pubDate>
		<title>ASP.NET Holiday Patches </title>
	</item>
	<item>
		<author>webmaster@securelist.com (Denis)</author>
		<description>&lt;p&gt;It is no secret that cybercriminals very often try to intimidate users in order to infect their machines. We&amp;#8217;ve seen a lot of examples of cybercriminals using black SEO to redirect users to web pages which emulate AV scanning. And it is no surprise that the results of such &amp;#8216;scanning&amp;#8217; show that the user&amp;#8217;s machine is infected with a lot of dangerous malicious apps and that it is essential to download and install a brand new &amp;#8216;antivirus program&amp;#8217;, which is actually fake AV.&lt;/p&gt; &lt;p&gt;But what about smartphones and mobile phones? Cybercriminals have started to use almost the same techniques in order to force users to download and install malware. But in this case we are talking about SMS Trojans with rudimentary fake AV features. Here are some details.&lt;/p&gt; &lt;p&gt;When looking for some popular mobile apps (e.g. Opera Mini) in Google via a smartphone, several search results will redirect users to a web page which may look like this:&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208193307.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;p&gt;Or this:&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208193308.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208193306/Android_malware_new_traps_for_users</guid>
		<link>http://www.securelist.com/en/blog/208193306/Android_malware_new_traps_for_users</link>
		<pubDate>29 Dec 2011 14:52:18 +0400</pubDate>
		<title>Android malware: new traps for users</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Aleks)</author>
		<description>&lt;p&gt;We have been studying the Duqu Trojan for two months now, exploring how it emerged, where it was distributed and how it operates. Despite the large volume of data obtained (most of which has yet to be published), we still lack the answer to the fundamental question - who is behind Duqu?&lt;/p&gt; &lt;p&gt;In addition, there are other issues, mostly to do with the creation of the Trojan, or rather the platform used to implement Duqu as well as Stuxnet.&lt;/p&gt; &lt;p&gt;In terms of architecture, the platform used to create Duqu and Stuxnet is the same. This is a driver file which loads a main module designed as an encrypted library. At the same time, there is a separate configuration file for the whole malicious complex and an encrypted block in the system registry that defines the location of the module being loaded and the name of the process for injection.&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208193305.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;p&gt;This platform can conventionally be called &lt;b&gt;&amp;#8216;Tilded&amp;#8217;&lt;/b&gt;, as its authors are, for some reason, inclined to use file names which start with &quot;~d&quot;.&lt;/p&gt; &lt;p&gt;We believe Duqu and Stuxnet were simultaneous projects supported by the same team of developers.&lt;/p&gt; &lt;p&gt;Several other details have been uncovered which suggest there was possibly at least &lt;b&gt;one further spyware module&lt;/b&gt; based on the same platform in 2007-2008, and several other programs whose functionality was unclear between 2008 and 2010.&lt;/p&gt; &lt;p&gt;These facts significantly challenge the existing &quot;official&quot; history of Stuxnet.
We will try to cover them in this publication, but let us first recap the story so far.&lt;/p&gt; &lt;p&gt;&lt;a href=https://www.securelist.com/en/analysis/204792208/Stuxnet_Duqu_The_Evolution_of_Drivers&gt;&lt;b&gt;Continue reading&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208193304/The_Mystery_of_Duqu_Part_Seven_Back_to_Stuxnet</guid>
		<link>http://www.securelist.com/en/blog/208193304/The_Mystery_of_Duqu_Part_Seven_Back_to_Stuxnet</link>
		<pubDate>28 Dec 2011 20:37:29 +0400</pubDate>
		<title>The Mystery of Duqu: Part Seven (Back to Stuxnet)</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Dmitry Bestuzhev)</author>
		<description>There is bot activity on Twitter which, at the moment, is aimed only at gaining new followers. What is happening is that a &amp;#8220;profile me&amp;#8221; bot is crawling all Twitpic-hosted pictures and replying to their authors with the same text phrase: &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208193303.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; The bot started working on Friday, Dec 23 at 9 pm (GMT -05:00), with the highest peak on Saturday at 3 am in the same GMT zone, when it accounted for 0.19% of all Twitter traffic. Although the bot is being used to gain followers and to promote porn content via the user bio information, it could potentially be used for any other malicious purpose - such as spreading malware by adding extra short URLs to the tweets. We&amp;#8217;re monitoring it.</description>
		<guid>http://www.securelist.com/en/blog/208193302/Profile_me_bot_on_Twitter</guid>
		<link>http://www.securelist.com/en/blog/208193302/Profile_me_bot_on_Twitter</link>
		<pubDate>25 Dec 2011 06:02:45 +0400</pubDate>
		<title>&#8220;Profile me&#8221; bot on Twitter</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Ryan Naraine)</author>
		<description>&lt;p class=c&gt;&lt;iframe width=&quot;640&quot; height=&quot;360&quot; src=&quot;https://www.youtube.com/embed/z2n_usP6ipA?rel=0&amp;hd=1&quot; frameborder=&quot;0&quot; allowfullscreen&gt;&lt;/iframe&gt;&lt;/p&gt; &lt;p&gt;Fabio Assolini talks about the explosion of banker Trojans in Brazil and explains why it is so difficult to fight back against cyber-crime in the Latin American region.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/652/Lab_Matters_Brazil_Banks_in_the_Malware_Glare</guid>
		<link>http://www.securelist.com/en/blog/652/Lab_Matters_Brazil_Banks_in_the_Malware_Glare</link>
		<pubDate>22 Dec 2011 16:54:00 +0400</pubDate>
		<title>Lab Matters - Brazil Banks in the Malware Glare</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Dmitry Bestuzhev)</author>
		<description>    This year cybercriminals haven&amp;#8217;t been particularly active in exploiting the upcoming holiday season to snare victims with their scams. The first evidence of a growing trend of festive fraud only began to emerge about a week ago. Interestingly, this year&amp;#8217;s attacks are somewhat different from previous years. This time round cybercriminals aren&amp;#8217;t just going for hard cash - they are also looking for other assets that can be converted into money, such as air miles.   </description>
		<guid>http://www.securelist.com/en/blog/208193298/Cybercriminals_celebrate_Christmas_with_festive_fraud</guid>
		<link>http://www.securelist.com/en/blog/208193298/Cybercriminals_celebrate_Christmas_with_festive_fraud</link>
		<pubDate>20 Dec 2011 17:47:17 +0400</pubDate>
		<title>Cybercriminals celebrate Christmas with festive fraud</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Stefan Tanase)</author>
		<description>&lt;p&gt;Several Eastern European banks started notifying their customers at the beginning of last week that their cards had been blocked and would be replaced with new ones. Most of the banks did not give out any more details about what happened, and in many cases even failed to notify their customers prior to actually blocking their cards. Is it just another day in the payment processing business? Based on the rushed response from banks and the lack of information surrounding the case, I would say no.&lt;/p&gt; &lt;p&gt;It all started one week ago after the state-owned Romanian bank &lt;a href=&quot;http://www.scmagazineuk.com/rumours-of-database-security-breach-causes-romanian-bank-to-block-17000-cards/article/219473/&quot; target=&quot;_blank&quot;&gt;CEC Bank blocked ~17,000 cards in response to a security breach&lt;/a&gt; at one of VISA&amp;#8217;s European payment processors.&lt;/p&gt; &lt;p&gt;Other banks reacted soon after. The Romanian branch of ING Bank also confirmed that it had blocked compromised cards, but didn&amp;#8217;t give a number. They say they&amp;#8217;ve only blocked a few cards, but are closely monitoring the situation.&lt;/p&gt; &lt;p&gt;A few days later, Serbian banks also &lt;a href=&quot;http://www.balkaninsight.com/en/article/serbia-blocks-bank-cards-over-hacking&quot; target=&quot;_blank&quot;&gt;started blocking thousands of cards for security reasons&lt;/a&gt;. Raiffeisen Bank, Komercijalna and Societe Generale confirm they have been informed by VISA that some of their customers&amp;#8217; cards were compromised. This is very similar to what happened in Romania.&lt;/p&gt; &lt;p&gt;Rumors point to the European branch of an electronic payment services provider, Euronet Worldwide, as the source of this breach. 
This information has been going around Romanian business media (&lt;a href=&quot;http://www.zf.ro/banci-si-asigurari/cea-mai-mare-suspiciune-de-frauda-cu-carduri-punctul-vulnerabil-a-aparut-la-procesatorul-american-euronet-lucrurile-sunt-sub-control-9065089&quot; target=&quot;_blank&quot;&gt;1&lt;/a&gt;, &lt;a href=&quot;http://www.capital.ro/detalii-articole/stiri/surse-euronet-worldwide-procesatorul-de-date-de-la-care-au-fost-furate-informatiile-de-pe-carduri.html&quot; target=&quot;_blank&quot;&gt;2&lt;/a&gt;) - and though it hasn&amp;#8217;t been confirmed officially, it would explain why customers of different banks in different countries were affected.&lt;/p&gt; &lt;p&gt;It&amp;#8217;s very hard to assess the severity of this security breach, as the banks&amp;#8217; reaction to these events was very mixed. Some banks proceeded immediately to blocking and replacing all affected cards, while others decided to monitor the situation more closely.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Currently, it&amp;#8217;s very hard to get a full picture of what is going on, but as usually happens, these are unlikely to be isolated incidents. Actually, these stories could be just the tip of the iceberg. If you have recently received such a notification from your bank, we&amp;#8217;d like to hear from you, especially if it&amp;#8217;s outside Serbia and Romania.&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Meanwhile, follow these 3 basic steps to make sure you don&amp;#8217;t become a victim of credit card fraud: &lt;ol&gt; &lt;li&gt;Check your statements as often as possible. Make sure all payments showing up were actually made by you. If you suspect a fraudulent transaction, get in touch with your bank as soon as possible.&lt;/li&gt; &lt;li&gt;Enable instant SMS notifications if your bank offers them. Some banks offer this for free, others charge for the option. Either way, it&amp;#8217;s worth it. 
You&amp;#8217;ll be able to get instant reports of payments made with your cards. &lt;/li&gt; &lt;li&gt;Make sure you keep most of your money in an account that has no card linked to it. Having to move money from one account to another on a weekly or monthly basis might seem annoying, but it can save you a great deal of pain if your card gets compromised.&lt;/li&gt; &lt;/ol&gt; &lt;/p&gt; &lt;p&gt;Last, but not least, we know it&amp;#8217;s the holiday season and shopping is on everyone&amp;#8217;s mind. So if you want to keep your money safe when shopping online, this insightful article we&amp;#8217;ve put together is for you: &lt;a href=&quot;http://www.securelist.com/en/analysis/204792205/Online_shopping_made_safe_and_convenient&quot;&gt;Online shopping made safe and convenient&lt;/a&gt;.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208193297/Thousands_of_European_cards_blocked_following_payment_processor_breach</guid>
		<link>http://www.securelist.com/en/blog/208193297/Thousands_of_European_cards_blocked_following_payment_processor_breach</link>
		<pubDate>19 Dec 2011 21:21:30 +0400</pubDate>
		<title>Thousands of European cards blocked following payment processor breach</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Kurt Baumgartner)</author>
		<description>&lt;P&gt; Microsoft finishes out this year of patching with a heavy release that's all over the place. While techs were notified of an anticipated 14 bulletins, 13 were released for the month of December. Headline-grabbing events and code are addressed in one of them, and while fewer are labelled &quot;Critical&quot;, are they any less important? &lt;/P&gt; &lt;P&gt; Many speculative bits have been spilled on the group behind Stuxnet and its precursor Duqu, with our own researchers posting at least a half dozen Securelist writeups on Duqu findings alone. MS11-087 patches up the delivery vector for Duqu itself. This kernel mode vulnerability was publicly identified and confirmed at the beginning of November, but could well have been used quietly in attacks around the world for a year or more. &lt;/P&gt;</description>
		<guid>http://www.securelist.com/en/blog/208193296/Patch_Tuesday_December_2011</guid>
		<link>http://www.securelist.com/en/blog/208193296/Patch_Tuesday_December_2011</link>
		<pubDate>14 Dec 2011 17:10:50 +0400</pubDate>
		<title>Patch Tuesday December 2011</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Vyacheslav Zakorzhevsky)</author>
		<description>&lt;p&gt;On 3 December, we noted a rapid growth in the number of detections for exploits targeting the vulnerability CVE-2011-3544 in the Java virtual machine. The vulnerability was published on 18 October, but malicious users have only recently begun to make active use of it. It can be used by exploits in drive-by attacks to download and launch malicious programs.&lt;/p&gt;&lt;p&gt;&lt;p class=c&gt;&lt;img src=&quot;http://www.securelist.com/en/images/pictures/klblog/648.jpg&quot; border=0 alt=''&gt;&lt;br/&gt;&lt;span class=&quot;small&quot;&gt;&lt;strong&gt;Number of unique detections of Exploit.Java.CVE-2011-3544&lt;/strong&gt;&lt;/span&gt;&lt;p&gt;&lt;p&gt;According to KSN data, most of the exploits targeting CVE-2011-3544 are used in the BlackHole Exploit Kit, which is currently the most popular exploit pack. &lt;/p&gt;&lt;p&gt;&lt;p&gt;We analyzed the latest BlackHole kits. The sites that carry out drive-by attacks with the help of BlackHole turned up quite an old exploit - a PDF file that targets the vulnerability CVE-2010-0188 - and a new Java exploit targeting the vulnerability CVE-2011-3544. The corresponding files are circled in red in the screenshot below.&lt;/p&gt;&lt;p&gt;&lt;p class=c&gt;&lt;a href=&quot;http://www.securelist.com/en/images/pictures/klblog/649.jpg&quot; target=_blank&gt;&lt;img src=&quot;http://www.securelist.com/en/images/pictures/klblog/649.jpg&quot; border=0 alt=''&gt;&lt;/a&gt;&lt;br/&gt;&lt;span class=&quot;small&quot;&gt;&lt;strong&gt;A screenshot of the list of files intercepted when visiting websites where BlackHole is installed&lt;/strong&gt;&lt;/span&gt;&lt;p&gt;&lt;p&gt;Brian Krebs reports that the creators of BlackHole have successfully integrated the new exploit into their kit. According to KSN statistics, the new exploits attack users in Russia, the US, the UK and Germany. 
This appears to be related to the fact that the new exploits integrated in BlackHole that target the vulnerability CVE-2011-3544 install the Trojan Carberp, which steals banking data, as well as SMS blockers. SMS blockers are mostly used in Russia, while banker Trojans attack users in developed countries.&lt;/p&gt;&lt;p&gt;&lt;p class=c&gt;&lt;img src=&quot;http://www.securelist.com/en/images/pictures/klblog/651.jpg&quot; border=0 alt=''&gt;&lt;br/&gt;&lt;span class=&quot;small&quot;&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;p&gt;Once again we see that malware writers are forging ahead and continually improving their creations. It is therefore critical that all users install Java updates from Oracle in a timely manner. The patch for (among other things) the CVE-2011-3544 vulnerability can be downloaded &lt;a href='http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html'&gt;here&lt;/a&gt;.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/647/New_Exploit_Targeting_Java_Vulnerability_Found_in_BlackHole_Arsenal</guid>
		<link>http://www.securelist.com/en/blog/647/New_Exploit_Targeting_Java_Vulnerability_Found_in_BlackHole_Arsenal</link>
		<pubDate>13 Dec 2011 13:48:00 +0400</pubDate>
		<title>New Exploit Targeting Java Vulnerability Found in BlackHole Arsenal</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Ryan Naraine)</author>
		<description>&lt;p class=c&gt;&lt;iframe width=&quot;640&quot; height=&quot;360&quot; src=&quot;https://www.youtube.com/embed/goKkEKUKEgY?rel=0&amp;hd=1&quot; frameborder=&quot;0&quot; allowfullscreen&gt;&lt;/iframe&gt;&lt;/p&gt;&lt;p&gt;&lt;p&gt;In this webcast, Kurt Baumgartner talks about the rise of exploits against vulnerabilities in Oracle&amp;#8217;s Java software.  The discussion centers around the exploitation of Java vulnerabilities in exploit kits and the poor state of patching on the Windows platform.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/646/Lab_Matters_Java_exploits_percolate</guid>
		<link>http://www.securelist.com/en/blog/646/Lab_Matters_Java_exploits_percolate</link>
		<pubDate>08 Dec 2011 13:04:00 +0400</pubDate>
		<title>Lab Matters - Java exploits percolate</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Tim)</author>
		<description>&lt;p&gt;There&amp;#8217;s been a lot of talk about a piece of software installed on many mobile devices called Carrier IQ. The intended purpose of the software according to the manufacturer is to collect metrics to improve many functions of the device on which it&amp;#8217;s installed. The uproar has been that this software has access to so much private user data.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208193294/What_to_Do_About_Carrier_IQ</guid>
		<link>http://www.securelist.com/en/blog/208193294/What_to_Do_About_Carrier_IQ</link>
		<pubDate>07 Dec 2011 20:41:20 +0400</pubDate>
		<title>What to Do About Carrier IQ</title>
	</item>
	<item>
		<author>webmaster@securelist.com (David)</author>
		<description>&lt;p&gt;Here's the latest of our malware calendar wallpapers.&lt;p/&gt;&lt;p&gt;&lt;p class=c&gt;&lt;img src=&quot;images/vlweblog/1112vcwp_preview.jpg&quot; border=0 width=500 height=313 alt=''&gt;  &lt;a href=&quot;http://www.securelist.com/en/downloads/slwallpapers/1112vcwp_1280x800.jpg&quot; target=_blank&gt;1280x800&lt;/a&gt; | &lt;a href=&quot;http://www.securelist.com/en/downloads/slwallpapers/1112vcwp_1680x1050.jpg&quot; target=_blank&gt;1680x1050&lt;/a&gt; | &lt;a href=&quot;http://www.securelist.com/en/downloads/slwallpapers/1112vcwp_1920x1200.jpg&quot; target=_blank&gt;1920x1200&lt;/a&gt; | &lt;a href=&quot;http://www.securelist.com/en/downloads/slwallpapers/1112vcwp_2560x1600.jpg&quot; target=_blank&gt;2560x1600&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;p&gt;Christmas brings many more people online, since the Internet provides a quick and convenient way to buy Christmas gifts.  This makes it the perfect time for cybercriminals to cash in on online activity.  So it's also a good time for a reminder about the basic things you can do to reduce the risk of cybercriminals spoiling your Christmas.&lt;p/&gt;&lt;p&gt;&lt;ol&gt; &lt;li&gt; Install Internet security software and keep it updated.&lt;/li&gt; &lt;li&gt; Keep Windows and other applications up-to-date.&lt;/li&gt; &lt;li&gt; Back up your data regularly to a CD, DVD, or external USB drive.&lt;/li&gt; &lt;li&gt; Don&amp;#8217;t respond to email messages if you don&amp;#8217;t know the sender.&lt;/li&gt; &lt;li&gt; Don&amp;#8217;t click on email attachments if you don&amp;#8217;t know the sender.&lt;/li&gt; &lt;li&gt; Don&amp;#8217;t click on links in email or IM (instant messaging) messages.  Type the address directly into your web browser.&lt;/li&gt; &lt;li&gt; Don&amp;#8217;t give out personal information in response to an email or other message, even if it looks official.&lt;/li&gt; &lt;li&gt; Only shop, bank or socialise on secure sites.  
Make sure the URL starts with &amp;#8216;https://&amp;#8217;.&lt;/li&gt; &lt;li&gt; Use a different password for each web site or service you use.  Don&amp;#8217;t recycle them (e.g. &amp;#8216;jackie1&amp;#8217;, &amp;#8216;jackie2&amp;#8217;).  Don&amp;#8217;t make them easy to guess (e.g. mum&amp;#8217;s name, pet&amp;#8217;s name).  Don&amp;#8217;t tell anyone your passwords. &lt;/li&gt; &lt;/ol&gt; &lt;p&gt;&lt;p/&gt;</description>
		<guid>http://www.securelist.com/en/blog/645/Malware_Calendar_Wallpaper_for_December_2011</guid>
		<link>http://www.securelist.com/en/blog/645/Malware_Calendar_Wallpaper_for_December_2011</link>
		<pubDate>07 Dec 2011 12:31:00 +0400</pubDate>
		<title>Malware Calendar Wallpaper for December 2011</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Fabio Assolini)</author>
		<description>&lt;p&gt;Cybercriminals are always looking for new ways to infect systems - ideally without being noticed until it&amp;#8217;s too late. The sky is the limit for their creativity, as the latest wave of malicious boot loaders shows. The kit has been pioneered by Brazilian banker Trojans that aim to remove security software.&lt;/p&gt;&lt;p&gt;&lt;p&gt;This non-traditional infection only affects systems using &lt;b&gt;ntldr&lt;/b&gt;, the default boot loader on Windows NT up to and including Windows XP and Windows Server 2003. This choice was no coincidence - XP is still the most popular OS in several countries, including Brazil, where it runs on nearly 47% of all machines.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208193283/Malicious_Boot_loaders</guid>
		<link>http://www.securelist.com/en/blog/208193283/Malicious_Boot_loaders</link>
		<pubDate>06 Dec 2011 22:21:23 +0400</pubDate>
		<title>Malicious Boot loaders</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Ryan Naraine)</author>
		<description>&lt;p class=c&gt;&lt;iframe width=&quot;640&quot; height=&quot;360&quot; src=&quot;https://www.youtube.com/embed/bBNkC3wiZOc?rel=0&amp;amp;hd=1&quot; frameborder=&quot;0&quot; allowfullscreen&gt;&lt;/iframe&gt;&lt;/p&gt;&lt;p&gt;&lt;p&gt;Kaspersky Lab security researcher Tim Armstrong looks at the security posture of the Android platform and discusses current and future threats to Android-powered devices.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/644/Lab_Matters_Analyzing_the_Android_security_ecosystem</guid>
		<link>http://www.securelist.com/en/blog/644/Lab_Matters_Analyzing_the_Android_security_ecosystem</link>
		<pubDate>01 Dec 2011 12:30:00 +0400</pubDate>
		<title>Lab Matters - Analyzing the Android security ecosystem</title>
	</item>
	<item>
		<author>webmaster@securelist.com (VitalyK)</author>
		<description>&lt;p&gt;Over the past few weeks, we have been busy researching the Command and Control infrastructure used by Duqu.&lt;/p&gt;&lt;p&gt;&lt;p&gt;It is now a well-known fact that the original Duqu samples were using a C&amp;C server in India, located at an ISP called Webwerks. Since then, another Duqu C&amp;C server has been discovered, hosted on a server at Combell Group Nv in Belgium.&lt;/p&gt;&lt;p&gt;&lt;p&gt;At Kaspersky Lab we have currently cataloged and identified over 12 different Duqu variants. These connect to the C&amp;C server in India and to the one in Belgium, but also to other C&amp;C servers, notably two servers in Vietnam and one in the Netherlands. Besides these, many other servers were used as part of the infrastructure, some of them as main C&amp;C proxies while others were used by the attackers to jump around the world and make tracing more difficult. Overall, we &lt;b&gt;estimate there have been more than a dozen Duqu command and control&lt;/b&gt; servers active during the past three years.&lt;/p&gt;&lt;p&gt;&lt;p&gt;Before going any further, let us say that we still do not know who is behind Duqu and Stuxnet. Although we have analyzed some of the servers, the attackers have covered their tracks quite effectively. On 20 October 2011 a major cleanup operation of the Duqu network was initiated. The attackers wiped every single server they had used as far back as 2009 - in India, Vietnam, Germany, the UK and so on. Nevertheless, despite the massive cleanup, we can shed some light on how the C&amp;C network worked.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/625/The_Mystery_of_Duqu_Part_Six_The_Command_and_Control_servers</guid>
		<link>http://www.securelist.com/en/blog/625/The_Mystery_of_Duqu_Part_Six_The_Command_and_Control_servers</link>
		<pubDate>30 Nov 2011 19:10:54 +0400</pubDate>
		<title>The Mystery of Duqu: Part Six (The Command and Control servers)</title>
	</item>

</channel>
</rss>