A new piece of ransomware, called Ransom.a by most AV vendors, has been spotted in the wild.
Evidence received so far suggests that this Trojan can be found on P2P networks.
The malware poses as a Windows Mobile application; despite that description, it only works on Win32.
When the user is infected and reboots the machine, a full-screen message greets them at logon.
The screen tries its best to stay on top of all windows and is highly annoying; it also shows pornographic images.
The message presented to the user is quite long, but in short: pay $10.99 via Western Union, otherwise you will keep getting this screen.
One file per 30 minutes will be deleted from the hard drive. Deleted files will be restored once you have paid up and entered the proper unlock code.
The message also claims that antivirus software cannot detect this virus, nor the hidden folders in which the deleted files are stored.
Entering a false unlock code produces a further message stating that the hard drive will crash in 3 days.
However, there's a catch: none of these destructive routines actually work!
I think we have an interesting development going on here; I think there are two different types of ransomware.
Real ransomware, which encrypts your data or does other nasty stuff.
And malware which claims to do all sorts of nasty stuff but actually doesn't. It's bluffing, like bluff poker.
How is an average user going to check if all of his files are still there? He's not.
Losing a file every 30 minutes is a scary thought, made up by the criminal in an effort to pressure the user to act quickly and pay up.
Ransomware has gotten quite some media attention and now criminals are trying to simply bluff people into giving up their money, instead of having to write difficult code.
I just hope that people have remembered the most important thing about ransomware: do not pay up; contact us and we will do our utmost to help you.
The first quarter of 2006 marks a turning point in mobile malware development. The era of quantitative development, with its numerous, but primitive Trojans for Symbian OS has ended. The quality of mobile malware has changed visibly.
Let’s consider a chronological list of mobile viruses that appeared in early 2006:
We see that writers of mobile malware have begun to use new programming languages: .NET (".MSIL.") and Java (".J2ME.").
Moreover, a new fashion seems to be emerging: a bias towards cross-platform viruses. For example, Worm.MSIL.Cxover infects mobile devices that can be accessed via ActiveSync when it is executed on a PC, and it infects the PC using the same mechanism when launched on a mobile device.
Then we have Trojan-Spy.SymbOS.Flexispy: a commercial Trojan that collects information about phone calls and SMS messages. Of course, it is only one example, but it is enough to show that the industry of mobile viruses has at last made headway into commerce on the one hand and into spying on the other.
And I think this is just the beginning.
Last week there was some coverage about a new P2P worm, which is highly polymorphic and infects other files.
Many antivirus vendors detected this piece of malware as Polipos, and this name has been widely used.
But should the worm really be called this?
The body of the worm contains the following text:
Win32.Polipos v1.2 by Joseph
Calling this piece of malware Polipos, as most antivirus vendors are doing, raises a dilemma.
On the one hand, there's already a high degree of uniformity in the name vendors use.
Changing the name could lead to a situation similar to that with Nyxem/Blackworm/CME-24; no one wants to see that naming confusion repeated.
On the other hand, there's a serious ethical dilemma: One of the antivirus industry's unwritten rules is that malware should never be called by the name the author intended.
We've therefore decided to rename this worm from Polipos to Polip, and I hope that other antivirus vendors will follow suit.
Early this morning we released an update for Net-Worm.Win32.Mytob.eg.
Since then we've been seeing a clear increase in the number of samples.
This variant doesn't really differ from earlier variants; it's just a very basic Mytob. However, it is spreading, which means that users should be on the lookout.
It spreads via email and contains a limited IRCBot which only has support for basic features such as downloading files.
As is usually the case with Mytob, the email message that brings the worm closes with a statement purporting to be from an antivirus company, saying that no viruses have been found.
This variant is spreading actively, so be smart, don't be fooled.
The spring seems to be a prolific time for new ideas and proof of concept viruses. However, not all of them are a cause for concern.
For instance, we've received a new virus which infects Microsoft Publisher (*.pub) documents. You can find a description of Avarta here.
Due to its crude replication method and obvious payload, Avarta has zero chance of getting into the wild. Three or four years ago, this might have been an innovative piece of malware. But now macro viruses are virtually extinct, making Avarta a proof of concept for something that will never become a threat.
Over the last few days new variants of Trojan-PSW.Win32.LdPinch have been spreading actively on the Russian internet. This Trojan has been mass-mailed, and also spreads via ICQ. Email and ICQ messages may come from unknown users (usually a woman), or from users on your contact list.
There’s nothing really new here. New variants are included in the antivirus database updates we release every hour. So why are we writing about it?
The answer’s simple: lots of users have been careless enough to launch the attachment which contains the Trojan, or to click on the link in the ICQ message which leads to the Trojan. And then, as its name indicates, LdPinch steals passwords from the victim machine.
If you’re one of these users, to prevent any further damage you should:
We’ve received a new sample: another cross-platform virus. This sample is the latest attempt to create malicious code which will infect both Linux and Win32 systems. It’s therefore been given a double name: Virus.Linux.Bi.a/ Virus.Win32.Bi.a
The virus is written in assembler and is relatively simple: it only infects files in the current directory. However, it is interesting in that it is capable of infecting the different file formats used by Linux and Windows - ELF and PE format files respectively.
To infect ELF files, the virus uses INT 80 system calls and injects its body into the file immediately after the ELF file header and before the “.text” section. This changes the entry point of the original file.
Infected files are identified with a 2-byte signature, 7DFBh, at 0Bh.
On Win32 systems, the virus uses Kernel32.dll functions to infect files. It injects its code into the final section and again gains control by changing the entry point. Infected PE files contain the same 2-byte signature as ELF files; the signature is placed in the TimeDateStamp field of the PE header.
Infected files contain the following text strings:
This is Sepultura signing off...
This is The Soul Manager saying goodbye...
Greetz to: Immortal Riot, #RuxCon!
The infector itself contains the following strings:
[CAPZLOQ TEKNIQ 1.0] VIRUS SUCCESFULLY EXECUTED!
The virus doesn’t have any practical application - it’s classic proof-of-concept code, written to show that it is possible to create a cross-platform virus.
However, our experience shows that once proof of concept code is released, virus writers are usually quick to take the code, and adapt it for their own use.
Detection for Virus.Linux.Bi.a/ Virus.Win32.Bi.a was added to the Kaspersky Anti-Virus databases shortly after the sample was received.
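The infection marker described above (7DFBh at offset 0Bh of an ELF file, and the same value in the PE TimeDateStamp field) can be checked by a small scanner. The code below is an added example, not Kaspersky's detection logic; it assumes the marker is stored as a little-endian 16-bit word and, for PE files, that the marker occupies the low 16 bits of the 4-byte TimeDateStamp. The sample files are constructed inline.

```python
import struct

# Marker the post describes; assumed little-endian (bytes FB 7D) as x86 code would write it.
BI_MARKER = 0x7DFB
ELF_MARKER_OFFSET = 0x0B  # inside e_ident padding, per the post


def elf_marked(data: bytes) -> bool:
    """True if an ELF image carries the Bi.a marker at offset 0Bh."""
    if len(data) < 0x10 or data[:4] != b"\x7fELF":
        return False
    (word,) = struct.unpack_from("<H", data, ELF_MARKER_OFFSET)
    return word == BI_MARKER


def pe_marked(data: bytes) -> bool:
    """True if a PE image's TimeDateStamp low word equals the marker (assumption)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need the 4-byte "PE\0\0" signature plus the 20-byte COFF header.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    # COFF header: Machine(2), NumberOfSections(2), TimeDateStamp(4), ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return (stamp & 0xFFFF) == BI_MARKER


def classify(data: bytes) -> str:
    if elf_marked(data):
        return "ELF: Bi.a marker present"
    if pe_marked(data):
        return "PE: Bi.a marker present"
    return "no marker"


def elf_sample(marked: bool) -> bytes:
    """Constructed minimal ELF32 header (64 bytes), optionally carrying the marker."""
    ident = bytearray(b"\x7fELF\x01\x01\x01" + b"\x00" * 9)
    if marked:
        struct.pack_into("<H", ident, ELF_MARKER_OFFSET, BI_MARKER)
    return bytes(ident) + b"\x00" * 48


def pe_sample(marked: bool) -> bytes:
    """Constructed DOS stub + PE signature + COFF header, optionally carrying the marker."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the stub
    stamp = 0x12347DFB if marked else 0x44000000
    coff = struct.pack("<HHIIIHH", 0x14C, 2, stamp, 0, 0, 0xE0, 0x10F)
    return bytes(dos) + b"PE\0\0" + coff
```

A real scanner would additionally confirm the entry-point change described in the post; the marker alone is the cheap first-pass check.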
Like us, you might have seen a recent discussion about antivirus vendors' response times.
Just like the vendors involved, we believe that speed of response to new threats and update frequency are vital.
That's why we provide hourly updates, day in, day out, regardless of whether a particular threat makes headlines. This ensures that our users have access to effective protection against the 200+ new threats which appear every day.
Even though our response times weren’t included in the discussion mentioned above, we consistently deliver a fast response. And that’s what’s most important.
It's been a while since Nigerian spam, aka 419 scam emails, came only from Nigeria. Spammers use every method they can to hook trusting users - they're ready to make use of any region or country which is perceived as being corrupt or volatile in any way.
At the end of March, spam analysts at Kaspersky Lab encountered a mass mailing of 419 messages, which traditionally include a request for help in transferring funds, or cashing assets, in return for a substantial percentage of the overall sum mentioned. In this case, the scammers are going under the guise of a Russian financial analyst. Of course, this analyst doesn't actually exist. And any user who thinks that s/he'll be able to make an easy profit by contacting the scammers is mistaken: s/he is very unlikely to receive the promised sum and is more likely to find his/her bank account emptied.
This is a typical 419 scam. However, it has a couple of interesting points:
But let's call things by their real names. This is a 419 scam, no doubt about it - it just takes a slightly different approach.