The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1
Latest posting
By rating
By popularity

Join our blog

You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.

Virus Watch|Downloader + file virus - a new approach?

Kaspersky Lab Expert
Posted July 29, 14:33  GMT

A few days ago we got another Trojan-Dropper.

When we analyzed it, we found out that it installs 4 files to the system. Nothing out of the ordinary for a dropper. But then we discovered that while one of the files it drops is detected as Trojan-Downloader.Win32.VB.jl, our scanner told us that the other three are infected with Virus.Win32.Parite.b

What's all this about? Someone is trying to spread Parite? We've known about this virus for a number of years, and it's still one of the most widespread classic file viruses found in the wild. But we haven't seen it being deliberately spread for a long time.

The answer was simple, and unexpected. When we cleaned the virus from the infected files, we discovered that underneath the Parite infection, the files were infected with three other Trojan-Downloaders - WinAD.c, IstBar.is and Small.aqt, which Kaspersky Anti-Virus has detected for a long time.

All of these programs are designed to download adware onto the victim machine. So it seems likely that whoever created the original dropper didn't know that the machine he used was infected with Parite.

On the other hand, it could just be another attempt on the part of virus writers to prevent their creations being detected by dedicated anti-adware and anti-spyware solutions, which can't detect standard file viruses.

Comment      Link

Opinions|Unsubscribing from spam - still not a good idea

Kaspersky Lab Expert
Posted July 26, 12:13  GMT
Tags: Spammer techniques

Today I ran across an interesting piece of spam. The ending contained an offer to unsubscribe by clicking "here". Naturally, I clicked and landed on a web page (HTML) that supposedly checked my name against a database. The page then showed me the following message: "your address has been removed from the mailing list".

Sounds reasonable, doesn't it? But ... the end of the HTML file contains Exploit.HTML.Mht which uses the MHTML URL Processing Vulnerability to download malware: in my case it was Trojan-Dropper.Win32.Small.gr and Trojan-Spy.Win32.Banker.s.

Good reminder - never, ever unsubscribe from spam. At best you let the spammer know your address is live, and at worst you end up with an infected computer.

Read more:

Malware Evolution: January to March 2005
Microsoft Security Bulletin MS04-013

Comment      Link

Exactly two years ago we introduced our extended databases.

These databases protect against AdWare, RiskWare and PornWare. Some people like to refer to the extended databases simply as anti-spyware protection, but we actually detect much more than just that with the help of these databases, most notably RiskWare programs.

Back then we still had cumulative updates and the extended databases consisted of three components: advware.avc, riskware.avc and pornware.avc.

Later two of those names changed to adware.avc and obscene.avc. Since the beginning of this year we simply have combined them into extxxx.avc database, where the x stands for a decimal figure. However, we've actually been detecting these types of threats for much longer than two years.

Before we introduced the extended databases the detection of AdWare etc. was included in x-files.avc.

Two years ago it was special to have a separate option to cover such threats, now it is a much more common feature for antivirus programs.

You can select the extended databases by going to KAV's settings, clicking on Threats and exclusions, and then selecting the extended database.

Screenshot of KAV Personal with Threats and exclusions window open

Be sure to read the pop-up message when choosing a database from the dropdown list.

Comment      Link

Incidents|Classical viruses ITW – never say die

Kaspersky Lab Expert
Posted July 22, 17:05  GMT
Tags: History of Malware

Over 2 years have gone by since we've seen a true virus in the wild. Since the meaning of a "true" virus may be simply forgotten in today's flux of Internet worms, by "true virus" we mean the good old file infectors, also called parasitic viruses which attach themselves to executable files on your disk. Yes, like CIH or Funlove for example. And yet...

On July 13 we received the first sample of Tenga – a true blue virus. We were surprised, but we let it it go. Tenga.a was followed by Tenga.b and finally Tenga.c, which arrived just yesterday. Tenga is a classic appending virus, but it has borrowed features from more modern malware: it can spread like a worm given the opportunity and also has a downloader function.

But modern features aside, Tenga is a good old classic virus, where the main goal is to self-replicate as much as possible. Once your machine is infected, you can end up with hundreds of infected files, all of which will then attempt to download Trojan-Downloader.Win32.Small.bdc.

It now remains to be seen whether this is a fluke or whether more virus writers will return to true viruses.

Comment      Link

News|Microsoft pays up

Kaspersky Lab Expert
Posted July 09, 16:49  GMT
Tags: Cybercrime Legislation

Microsoft has announced that the $250,000 reward which was on the head of the Sasser author will be handed out to the two people who have lead to the arrest of Sven Jaschan.
The money will be split in two, which means each person gets $125,000.

This is a bit surprising as shortly after Jaschan's arrest, sources claimed that MS wouldn't pay up due to an alledged connection between Jaschan and the two individuals. Apparently this is not the case.

I'm still in doubt whether Jaschan would have received a (significantly) higher punishment if he had been 18 instead of 17.

In the AV industry there are some very young individuals at pretty important places which require quite some sense of responsibility.
Yet the verdicts which young blackhats, minor or no minor, receive are mild. Their age, and lacking sense of responsibility because of that age, play a great part in the judges their rulings.

Those things don't add up to me.

Comment      Link

News|Verdict in Sasser trial

Costin Raiu
Kaspersky Lab Expert
Posted July 08, 12:45  GMT
Tags: Sasser, Cybercrime Legislation

Sven Jaschan, the teenager who became notorious for writing the Sasser and Netsky worms was sentenced today by the court in Verden, Germany. The decision of the court, softened by the fact that Jaschan was a minor at the time he authored the viruses, is 18 months suspended sentence and 30 hours of community service. Initially, the prosecutors asked for a two year suspended sentence and three years of probation. However, even though the criminal trial is over, Jaschan still faces civil cases against him - four plaintiffs have already asked for compensation for damage caused by the teenager's creation.

The decision - a fair one in my opinion - will no doubt play an important role in Sven Jaschan's life. With all the "celebrity" gained from the process and given the fact that he already has a job in the security field, Jaschan could have a very bright future ahead - Mitnick's roadshows bear witness to that. On the other hand, I'm sure the judges would not be so tolerant if Jaschan wrote another piece of malware and unleashed it on the Internet.

Comment      Link

News|Sasser author goes on trial

Costin Raiu
Kaspersky Lab Expert
Posted July 05, 12:24  GMT
Tags: Sasser, Cybercrime Legislation

Sven Jaschan was almost 18 years old when the police knocked on his door, last year, in May 2004.

He became famous as the self-confessed author of the original Sasser and Netsky worms, and his trial will start today in Verden, Germany. One of the main accusations is his creations caused losses to the tune of $157,000 USD.

Jaschan will be tried in juvenile court, which means his final sentence will be lighter than if he were tried as an adult.

2004 was a prodigious year, filled with arrests of virus writers and hacking groups. Maybe the most interesting cases were those of Jeffrey Lee Parson and Dan Dumitru Ciobanu, both arrested for authoring versions of the Blaster worm. Parson has already been sentenced to 18 months in prison, followed by three years of supervised release and 100 hours of community service. On the other hand, it appears the Ciobanu case is being pushed under the carpet.

Whatever happens, it's interesting to see if the outcome of Jaschan's trial will lead to the payout of the Microsoft US$250,000 bounty, the first of its kind, or if Microsoft will refuse to pay it, based on the argument that those who provided the lead to Jaschan were his associates.

Comment      Link

In December 2004 we reported about the first AdWare related file infector, Virus.Win32.Implinker.a.

The number of reports was significant enough for us to include detection and disinfection for this piece of malware in our klwk cleaner.

I was sure that Implinker would change the malware landscape, and it did.
In February 2005, the Virus.Win32.Bube saga started, with multiple variants appearing within a short period of time.
Bube is more advanced than Implinker, and also more difficult to remove.

After Bube's success, I was absolutely certain that it was only a matter of time before a massive outbreak would be caused by a file infector, most likely related to AdWare, and difficult to remove.

And this in the situation we are in now.

Virus.Win32.Nsag.a has been causing havoc across the globe for a couple of weeks now. As the outbreak involves malware which doesn't spread automatically over the internet, statistics are hard to gather. However, the number of reports shows that we're dealing with a massive amount of infected systems.

Nsag is the file infecting part of an infection which many people refer to as 'Smitfraud(.c)'. It seems that several pieces of malware (e.g. Trojan-Downloaders) are downloading and/or installing Nsag onto the system.

For more details of how it infects, see Virus.Win32.Nsag.a in the Virus Encyclopaedia.

Some important factors: dedicated anti-spyware solutions can't detect or disinfect infected files, the system is still (partly) infected even after such solutions have been run. Therefore Windows(explorer.exe) may not start properly.

Part of disinfecting wininet.dll has to be done manually. This prevents novice users from getting rid of the infection. (See Virus.Win32.Nsag.a in the Virus Encyclopaedia for removal instructions.)

So what is Smitfraud's real aim?

It seems that all (recent) Smitfraud variants have one thing in common: They all try to persuade the user to download PSGuard, a program which claims to remove the spyware (i.e. Smitfraud) which has been installed onto the system.

Naturally the program only disinfects the infection once the user has paid for it.

Although PSGuard is questionable in terms of motive, the program itself has no malicious payload whatsoever. This means we can't simply add detection for it to our databases.

So is this a new method of distributing Adware,Spyware and alledgedly legitimate software? Is it another nail in the coffin of dedicated anti-spyware solutions? Others have undoubtedly already seen Nsag's major success, and the methods it uses will certainly be copied.

Will av vendors have to change their traditional code of ethics, and start detecting software which had no malicious payload at all, but is almost certainly related to Trojans, viruses or other malware?

Worrying questions, with perhaps even more worrying answers...

Comment      Link

Incidents|High profile hacking

Costin Raiu
Kaspersky Lab Expert
Posted July 01, 11:36  GMT
Tags: Website Hacks, Online Games

I've never played the popular online game "The Legend of Mir". According to some of my friends - who are big fans - I'm really missing out. Yet, I may soon have to take a look, see it for myself. To understand what is driving the hundred of thousand players to desperate measures, even going so far as to kill each other, in real life, for virtual property connected with the game.

All popular places and flourishing economies attract the attention of the bad guys. So it's no surprise that online gaming sites, which sometimes receive as many as a hundred thousand visits a day, make excellent vectors to deliver malware.

During the past month, at least two high profile Korean websites, www.msn.co.kr and www.koreabaseball.or.kr have been hacked and turned into malware distribution points.

Earlier today, our Korean colleagues from Geot informed us that the trend is continuing. Worse, attacks directed at turning popular websites into malware distribution points are on the rise. A couple of websites which act as portals for the players of the online games Lineage, Hangame and Pmang have been hacked and turned into malware distribution points. The malware in question is Trojan-PSW.Win32.Turtle.a and Backdoor.Win32.GrayBird.bs. Both of them were being deployed through a set of scripts which attempted to exploit various Internet Explorer vulnerabilities - a standard approach.

For the time being, the websites have been cleaned and properly secured against future attacks, however, we are expecting more attacks directed at online gaming portals, especially in Korea but also worldwide.

If you are the administrator of a popular website, keep this in mind: the amount of attention you receive from the bad guys will be directly in proportion to the number of visitors to your site.

Comment      Link