23 Apr Easter bunnies for all occasions Tatiana Kulikova
23 Apr An SMS Trojan with global ambitions Roman Unuchek
17 Apr New threat: Trojan-SMS.AndroidOS.Stealer.a Victor Chebyshev
16 Apr Would you like some Zeus with your coffee? Maria Vergelis
13 Apr SyScan 2014 Michael
09 Apr The omnipresent dad Maria Rubinstein
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
Nullsoft have released Winamp 5.13 in response to the critical 0 day exploit we blogged about previously.
We urge you to update Winamp as soon as possible.
Get it from here.
Today some sources announced that a new 0 day vulnerability has been identified in the popular Winamp mediaplayer.
The vulnerability is related to parsing of .pls (playlist) files and allows for arbitrary code execution.
The extra danger is that by default .pls files are automatically opened when they are downloaded.
This is not the first time that Winamp has suffered from this kind of vulnerability.
I can actually remember an incident from many months ago where I happened to be in an IRC channel and more and more messages with the same link came by.
Naturally I took a look at what was going on and it turned out that blackhats were using a brand new exploit to execute arbitrary code using Winamp.
We advise you to check the "Confirm open after download" box from "Folder Options"/"File Types" and to only use .pls files from trusted sources.
Update: Next to .pls files, the same issue also applies to .m3u files as they are also playlists. You will need to follow the same actions for .m3u extension as for .pls.
On 26th January, we intercepted a new variant of GPCode, Virus.Win32.GPCode.ac.
This program, like its predecessors, encrypts users' files. The author of the program demands payment for decrypting the files.
The new variant of GPCode was widely spammed throughout the Russian segement of the Internet. In spite of our warnings not to open attachments to email if you don't know the sender, we've received a large number of reports from infected users.
Yesterday we added decryption for encrypted files to our antivirus databases. However, GPCode uses a number of encryption keys. It may be that some users' data has been encrypted by keys which we haven't seen yet. These users therefore won't be able to use our antivirus to restore their data. We'd therefore urge anyone who's been hit by this new version of GPCode to contact us.
In conclusion, as we've said many times before: sending money to the author(s) of these programs simply provides motivation to create another variant. Don't ever send money to a cyber criminal. Send your infected files to us instead.
We've got another version of GPCode. We're currently looking at the encryption algorithms, and we'll get back to you with the full story in the near future.
Back in November we reported on limitations in the UK's e-crime legislation that prevented a spammer from being convicted, and led to the magistrate adding that DDoS attacks could not, under current legislation, be considered illegal.
Yesterday, the UK government outlined its new Police and Justice bill. If the bill becomes law, cyber criminals who make unauthorised modifications to a computer could receive up to 10 years in prison. Those who gain unauthorised access to computers could receive sentences of up to two years.
In addition, a recent report suggests that the government is also planning to amend section three of the 1990 Computer Misuse Act. This would make DDoS attacks a criminal offence.
We live in a fast-changing technological world. It's important for cyber crime legislation to be frequently updated to keep pace with technological developments, and to prevent cyber criminals from slipping through the net.
We've just released detection for Trojan-Downloader.Win32.Small.cgx and Email-Worm.Win32.Bagle.fg. Samples of these have just appeared on a number of websites which most likely indicates upcoming Bagle activity during the next hours.
MD5s for these two are:
ce61b0e6d81fc51d9b4d5d81311f1bde - Trojan-Downloader.Win32.Small.cgx
35bdca59203212a44de95369238e4e50 - Email-Worm.Win32.Bagle.fg
We've just issued an alert for Nyxem.e, due to the number of reports we've been receiving for the past few days but also because of its destructive payload which activates on 3rd of every month.
According to our data, the outbreak seems to be more or less localized. We are still receiving reports from countries such as the US and Germany, but the number of reports from (eg.) Russia is becoming very small.
With the public Nyxem.e counter having well passed 1,000,000 hits at the moment, there is no doubt that some people will have unpleasant surprises on 3rd of February. If you do not have an antivirus installed, you can use the Kaspersky free online scanner to check for a Nyxem.e infection before it's too late.
I recently came across an interesting IRCBot which KAV detects as Backdoor.Win32.IRCBot.lo.
When I took a closer look at it, I found out that it's quite an advanced bot with a lot of features.
The thing which interested me most was the ability of the bot to spread via IM. There's support for just about every IM-client.
It also started me thinking about the way malware which spreads via IM has evolved over the last year, specifically the shift from IM-Worm+IRCBot to 'IM-Bot' - an IRCBot which also includes IM-Worm functionality.
We'll have an article about this on viruslist in the near future.
It's two years to the day that the antivirus industry first encountered Bagle - Email-Worm.Win32.Bagle.a. Depending on your point of view, two years could be a long time, or a short time. But whatever position you take, one thing is certain - Bagle has evolved from a single worm into a criminal infrastructure, which is constantly searching for new victims to infect. Bagle has become a business, which is making real profits - clear motivation for cyber criminals. The authors of Bagle have continued to develop the worm's defences against its main enemy, the anti-virus industry. We've seen Bagle evolve from using primitive polymorphic code, to saving the password to an infected archive in graphical form, to the use of BlackLists. These last list users such as e.g. antivirus and network activity monitoring companies who are likely to attempt to download the latest Bagle variant via malicious links. If a user whose address is blacklisted attempts to download the latest Bagle, an error message will be returned instead of the malicious file.
Over the last two years we've detected more than 400 modifications of Bagle-related malware. All these malicious programs (Trojan-Proxies, Email-Worms, Trojan-Downloaders, SpamTool etc) are designed to steal information from victim machines, conduct mass mailings and other criminal activity.
As our users know, Kaspersky Lab releases two types of antivirus database update - standard updates, and urgent updates. Urgent updates provide rapid protection against possible epidemics and spamming of malicious programs. The graph below shows the number of urgent updates (axis Y) released every three days (in order to highlight the virus epidemics) throughout 2005 (axis X) we get the following picture:
It's clear that the highest number of urgent updates were released on days when Bagle was very active. During one attack, 21 new modifications were detected. The figures clearly show that users should continue to take the threat posed by Bagle seriously.
Mark Russinovich, who is well known as an IT security expert, and who was a major player in the Sony rootkit scandal, is now suggesting that we use 'rootkit' technology in our products. His comments have been picked up in a PCWorld article (http://www.pcworld.com/news/article/0,aid,124365,00.asp). He said that "the techniques used by ... Kaspersky's Anti-Virus products are rootkits, a term usually reserved for the techniques that malicious software uses to avoid detection on an infected PC".
Our products do use a technology called iStreams, which is what Russinovich seems to be worried about. But this isn't a rootkit.
We started using iStreams technology a couple of years ago to improve scanning performance. Basically, this means that our products use NTFS Alternate Data Streams to hold checksum data about files on the user's system. If a checksum remains unchanged from one scan to another, KAV products know the file has not been tampered with and do not, therefore, require a repeat scan.
To view NTFS Alternate Data Streams you need special tools. When KAV is active it hides its streams because they are its internal data only. Just because you can't see them either automatically or with a special tool, it doesn't mean that they're malicious. It also doesn't mean that a product which uses and hides these streams is using rootkit technology.
Yesterday information about another Windows' WMF handling vulnerability was published.
This time two different functions are exploited, "ExtCreateRegion" and "ExtEscape". This is in contrast to the "SetAbortProc" function which has been exploited very actively by the vulnerability we have recently blogged about.
This doesn't look too good for Microsoft, with a new vulnerability in the same file that a patch was just released for.
However it's not as bad as it seems, as this time it's not possible to execute arbitrary code. The exploitation is limited to Denial of Service.
In other words, the program which is trying to view the malformed WMF file will crash and that's it.
Microsoft has announced the release of its patch for the much publicised WMF vulnerability. The company planned to release the patch on January 10th, as part of the normal patch cycle, but is releasing it early because of customer demand and because it has completed testing on the fix earlier than anticipated.
The patch is available for download here. Install it now - this vulnerability is too critical not to take seriously.
As we've stated elsewhere, Sober.y is programmed to start updating itself after 00:00 hrs (GMT) on 6th January - that's tonight.
Although everyone in the antivirus world is watching with baited breath, the anticipated epidemic may not hit for a while. Some of the sites which could host the malicious binary files may be shut down successfully before the trigger time. Additionally, it's up to the bad guys to choose the real activation date by placing (or not) the update on the net.
In short, no-one can tell exactly what the impact of 6th January on virus history will be.
We always recommend that users be on the lookout for suspicious activity. Given the uncertainty about exactly when Sober will start updating, this is going to be even more important for the next couple of days, or even weeks.
We're on the lookout, high alert, and will keep you posted.
At the moment, the number of different WMF exploits we've seen has gotten well past a hundred and more are coming every hour.
But that's not the worst. The most recent exploits show that the bad guys have been very very busy finding and implementing new ways to get their exploits past various AV products. So much for the dark side taking a break over the winter holidays and New Year.
Not surprisingly, we haven't taken a break either. We released an update to our heuristics which deals not only with the most recent exploits but also with a few tricky ways to exploit the vulnerability which haven't been used in attacks - yet. Just as a precaution, you know.
At the same time, some people, Microsoft included, are busy develping fixes. Our friends from F-Secure have blogged about Ilfak Guilfanov's patch, which is currently the most popular one.
A beta version of the Microsoft patch, scheduled to be released on January 10, was leaked on the Internet. Microsoft has recommended customers to "disregard" it, warning that threats could be hidden in any patches coming from dubious sources.
Of course, you should never use a patch from an untrusted source, no matter how promising it looks. Ilfak's patch is the only one we can recommend. Make sure you do some testing beforehand, especially if you are going to deploy it on a large number of production machines though. Ilfak, who is the author of the popular IDA disassembler, knows what he's doing, and the work he's put into developing the patch is admirable.
And finally, you should always be very wary of any third party patch from an untrusted source, whether it's claiming to fix an old vulnerability or the latest WMF vulnerability. This is a method which has successfully been used in the past to distribute malware.