I came across something interesting today: a macro virus which we’ve named Virus.StarOffice.Stardust.a
You might wonder what's interesting about this - viruses have been around for a long time, and are starting to fade from the scene.
But if you look more closely at the name, you can see why I'm interested: Stardust is a macro virus written for StarOffice, the first one I’ve seen. Macro viruses usually infect MS Office applications.
Stardust is the first virus I know of which is theoretically capable of infecting StarOffice and/or OpenOffice. It's written in Star Basic. It downloads an image file (with adult content) from the Internet and then opens this file in a new document.
We’ll have a description of it in the Virus Encyclopaedia soon.
I thought I’d blog today because of the interest that some Internet users are showing in a so-called vulnerability in KIS 6.0.
We know that there’s a glitch in the handling of specially crafted HTTP requests. And we’ll be putting out a hotfix to correct it.
However, whether this is really a vulnerability - much less a critical one, as was announced on certain discussion lists on the Internet - is another question. Calling it a critical vulnerability isn’t really accurate - the only malicious action that this vulnerability can be used for is the download of a malicious program. Although this file, when downloaded, bypasses the Web antivirus monitor, the file is detectable by our products, and cannot be activated once downloaded.
Added to this, we know that the most commonly used browsers such as Internet Explorer, Mozilla Firefox and Opera never send requests to servers in this form. A request crafted in this way can only be launched outside the browser by another malicious program, one which we classify as a Trojan-Downloader. Such a combination of circumstances is extremely unlikely. However, even if the malicious file is downloaded successfully, it doesn’t present any serious threat to the user, as it will be blocked by other KIS 6.0 modules.
It’s great that this loophole has been identified. But I’m a bit surprised at the way in which it was made public. Surprising, because everyone - including the original poster - in the security world should be aware of the unwritten rules of vulnerability disclosure: when a vulnerability is detected, the developers of the affected software should be informed BEFORE details of the vulnerability are made public. The developers then usually have at least 7 days to respond and/or patch the error before the vulnerability is disclosed to the public. The person who posted information about the HTTP handling issue on the internet didn’t contact us first. As I said above, this is surprising, and even a bit depressing.
So, a message to all our blog readers: if you find glitches, vulnerabilities, or anything untoward in any Kaspersky Lab products - contact us! It’ll help us fix the issue quicker, and ensure that you remain protected.
Earlier tonight we released an urgent update for Trojan-PSW.Win32.Sinowal.u.
Sinowal is a family of password stealing Trojans which steals usernames/passwords entered via forms in an internet browser. It particularly targets certain banking domains and also has the ability to steal other locally stored passwords.
Sinowal has a special trick: when an infected user visits certain banking domains Sinowal inserts some of its own HTML code into the page. This is done to create a customized pop up which asks the user for personal info.
Sinowal variants are normally downloaded by Trojan-Downloaders which are installed by visiting certain websites which exploit security vulnerabilities in the browser or operating system.
Today the authors decided to try something different by spamming .de email addresses with an email that pretends to be from Microsoft Windows Update.
The email looks like this:
From: MS Windows Update [msrobot_donotreply|trickthespider|windowsupdate.com]
Subject: Achtung! Wichtige Nachrichten von Microsoft Windows Update!
Achtung! Wichtige Nachrichten von Microsoft Windows Update!
Sehr geehrte Benutzer Microsoft Windows XP!
Gestern haben unbekannte Hacker den neuen Wurm-Virus eingesetzt. Nachdem er ins system reingreift, wird er von sich selbst nach Ihrer mailadressenliste ausgesendet, und alle Ihren Kontakte werden angesteckt. Nach der Ansteckung fängt das System instabil zu arbeiten, und der Komputer "hängt" genau nach einer Minute nach dem nächsten Hochfahren.
Um die Benutzer des Systems Microsoft Windows XP zu schützen, haben unsere Sicherheitsspezialisten eine Erneuerung fur das System entwickelt.
Sie sollen die an den E-Mail angehängte Datei offnen damit das System erneut wird und vollständig von neuem Wurm geschützt wird.
Mit freundlichen Grüßen,
Rough translation to English:
"Warning! Important notifications from Microsoft Windows Update!
Dear user of Microsoft Windows XP!
Yesterday unknown hackers have distributed a new worm-virus. When your system has been infected it will spread to people in your address book and all your contacts will be infected. When infected the system will become unstable and will hang exactly one minute after boot.
To protect the people using Microsoft Windows XP our security specialists have developed an update.
You should run the attached file to protect yourself from the new worm."
As you hopefully know, Microsoft never sends executables along with their emails. So social engineering attempts like these can be spotted easily, at least in theory.
And don't forget, if you got infected with Sinowal, even if you have cleaned your system you still have to change your passwords.
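One way to turn the "Microsoft never sends executables by email" rule into a mechanical check, as an added example that is not part of the original post: the script below parses a message with Python's standard email library and flags executable attachments (by file extension and by the MZ magic at the start of the payload), plus a sender whose display name claims to be Windows Update while the address is not in a Microsoft domain. The two sample messages, the sender domain windowsupdate.example and the trusted-domain list are constructed for this example; adjust the lists to your own environment.

```python
import os
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions Windows runs directly when the user opens the attachment.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Assumption for this example: genuine vendor mail comes only from this domain.
TRUSTED_VENDOR_DOMAINS = {"microsoft.com"}


def check_message(raw_bytes):
    """Return a list of (code, detail) findings for one RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    # 1. Display name claims to be the vendor, but the address is not in a vendor domain.
    display_name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claims_vendor = any(w in display_name.lower() for w in ("microsoft", "windows update"))
    if claims_vendor and domain not in TRUSTED_VENDOR_DOMAINS:
        findings.append(("SENDER_MISMATCH", f"'{display_name}' sent from {domain or '<no domain>'}"))

    # 2. Attachments: executable extension, or a PE/DOS header regardless of the name.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(("EXECUTABLE_ATTACHMENT", name))
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            findings.append(("PE_MAGIC", name))
    return findings


def constructed_fake_update_mail():
    """Constructed message shaped like the spam run described above."""
    msg = EmailMessage()
    msg["From"] = "MS Windows Update <msrobot_donotreply@windowsupdate.example>"  # constructed
    msg["To"] = "user@example.de"
    msg["Subject"] = "Achtung! Wichtige Nachrichten von Microsoft Windows Update!"
    msg.set_content("Sie sollen die angehaengte Datei oeffnen, damit das System erneuert wird.")
    # Constructed stub: only the MZ magic plus padding, not a real executable.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 28, maintype="application",
                       subtype="octet-stream", filename="WindowsUpdate.exe")
    return msg.as_bytes()


def constructed_clean_mail():
    """Constructed benign message with a non-executable attachment."""
    msg = EmailMessage()
    msg["From"] = "Colleague <colleague@example.de>"
    msg["To"] = "user@example.de"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Attached as discussed.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("fake update", constructed_fake_update_mail()),
                       ("clean", constructed_clean_mail())):
        print(label, check_message(raw))
```

The MZ check matters because the extension check alone is defeated by a renamed file; the sender check is a heuristic and will need the trusted-domain list tuned per organisation.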
A couple of worried users have contacted us to ask if KAV is going to drop detection for old boot/DOS viruses in the future, or for extinct Trojan downloaders.
At the moment, we've got no plans to do that. It could compromise detection and actually, given the way our engine works, dropping detection for DOS viruses would result in an insignificant speed increase - less than 5% faster.
The risk of getting infected by Michelangelo is probably pretty small nowadays, but it can't be entirely discounted. So rest assured, we'll keep on detecting those old boot and DOS viruses and the dead Trojan downloaders.
War driving and trainspotting are two urban phenomena which don’t seem to have anything in common. Trainspotters can be found at stations, at engine depots, and alongside the rails themselves, noting down train and engine serial numbers. Trainspotting is most popular in the UK and the USA, although trainspotters can be found in other countries.
The point of this seemingly pointless hobby is to ‘spot’ and record the serial numbers of all engines (and, for the true enthusiast, carriages as well) currently in use. Trainspotters exchange information about routes among themselves, and trainspotting became something of a cult activity after the release of the film of the same name.
So what has this got to do with wardriving? At first glance, absolutely nothing. But while I was in London researching WiFi networks, I started to notice some similarities:
- Trainspotters and wardrivers have the same goal: to collect the maximum amount of data possible, whether it’s access points or engine numbers.
- They can both be found outside in any weather, at any time of the year.
- They use the same tools: laptops, mobile phones and PDAs.
The only difference is that trainspotters tend to stay in one place, whereas wardrivers are in constant motion, trying to cover as big an area as possible.
While I was in London, I felt I had to go and pay my respects to these dedicated hobbyists, and travelled to the trainspotters’ Mecca: King’s Cross and St Pancras stations. The trainspotters quietly, concentratedly entered data into their PDAs, and my wardriving laptop hummed quietly in my backpack, constantly scanning the surrounding digital environment. A meeting of two very different, but very similar, worlds.
You can read more about my London wardriving here.
Out of all instant messaging clients out there, ICQ is probably the easiest to spam, because the accounts are based on relatively small integer numbers. From what we've seen, we suspect the bad guys have already created robots which randomly pick out ICQ numbers and send URLs to them.
That's why we've started experimenting with an ICQ honeypot - custom software that monitors about 10 ICQ accounts and logs all received messages into a database for later inspection. So far we've been receiving about 30 malware URLs per month, which most of the time point to HTML pages filled with exploits which download and install trojans.
Of these, a URL received last Friday caught my attention. When I first tried to fetch the page with WGET, it went like this:
So, why would anybody spam a page which is 0 bytes long? Loading the page on a goat machine running IE and connected to the Internet brought a slightly different result: a trojan was downloaded onto the system and installed, then it went out and fetched another trojan. Could it be that the guys behind that page check the type of agent which comes to them and only send out the exploit for the "right" browser?
I wondered what would happen if we fetched the page with WGET but faked an IE 6.0 User-Agent header. This time it worked: we got a 3043-byte page.
But what's inside?
The script inside the encrypted script, which you only see when you fetch the page with IE, goes to another page and loads (among other things) a Java applet.
Welcome to the malware matrioshka.
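To see the User-Agent check described above from both sides, here is an added example (not code from the original post): a local HTTP server that mimics a page which only answers with content to an IE 6.0 User-Agent and returns an empty body to everything else, and a probe that fetches the same URL with several User-Agent strings and compares response lengths and hashes. The server, its page body and the wget/ie6/firefox agent strings are constructed for the example; nothing is fetched from the Internet, and the same probe function can be pointed at a captured URL inside an isolated analysis network.

```python
import hashlib
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed User-Agent strings for the probe.
AGENTS = {
    "wget": "Wget/1.10",
    "ie6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "firefox": "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8) Gecko/20060308 Firefox/1.5",
}


class CloakingHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the spammed page: content only for MSIE 6.0."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if "MSIE 6.0" in ua:
            body = b"<html><body>CONSTRUCTED PAGE THAT ONLY IE VISITORS SEE</body></html>"
        else:
            body = b""  # 0 bytes, exactly what wget saw
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server():
    """Bind to an ephemeral localhost port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(url, user_agent):
    """Fetch one URL with a given User-Agent; return status, length and a body hash."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=5) as resp:
        body = resp.read()
        status = resp.status
    return {"status": status, "length": len(body),
            "sha256": hashlib.sha256(body).hexdigest()[:16]}


def probe(url, agents):
    """Fetch the same URL once per agent and collect the results by name."""
    return {name: fetch(url, ua) for name, ua in agents.items()}


def is_cloaked(results):
    """True when different agents received different bodies for the same URL."""
    return len({r["sha256"] for r in results.values()}) > 1


def run_demo():
    """Run the probe against the constructed server and return the per-agent results."""
    srv = start_server()
    try:
        url = "http://127.0.0.1:%d/index.html" % srv.server_address[1]
        return probe(url, AGENTS)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    results = run_demo()
    for name, r in results.items():
        print(f"{name:8s} status={r['status']} length={r['length']} sha256={r['sha256']}")
    print("cloaking detected:", is_cloaked(results))
```

Comparing hashes rather than only lengths catches the case where the server varies the content while keeping the size constant; for a real sample, also vary the Referer and Accept-Language headers, since those are used for the same purpose.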
The Internet Storm Center is reporting a new zero-day vulnerability in Microsoft Word. We don't yet know if the exploit is being widely used. However, early reports indicate a limited, targeted attack.
Malware which spreads via email is exploiting the vulnerability via a specially crafted MS Word .DOC attachment.
If the attachment is launched, this triggers a process which results in a backdoor being installed.
We know of a case where the attacker designed the email to fool the recipient into thinking the message was from a co-worker. At the moment, we're only aware of one business, and maybe 5-10 people within that business, who have been targeted. Yes, it's a new vulnerability, and new malware targeting that vulnerability, but as far as we know, it's not being widely exploited at the moment.
We've released detection for the malware, a dropper and backdoor. As ever, users should update their databases as soon as possible. Kaspersky products will detect the dropper as Trojan-Dropper.MSWord.1Table.bd, and the backdoor as Backdoor.Win32.Gusi.a.
We'll post more information once we've conducted a detailed analysis.
There’s been a lot of media interest in the demise of Blue Security, the Israeli company which launched antispam campaigns in 2005. As a spam analyst, I’m also interested in the topic - I think that the criminalization of the Internet in the form of spam, hackers, and virus writers, is often underestimated. Spammers, hackers and virus writers all have access to powerful technologies which pose a threat to Internet users. One example of this was the Blue Security case.
Kaspersky Lab doesn’t have data which lets us draw conclusions about the nationality of a spammer, and this makes it difficult for us to confirm the assertions issued by Blue Security representatives. However, Kaspersky Lab does have samples of threatening spam which was sent to Blue Security users.
It’s interesting that the wording of these samples seems to show the spammers justifying themselves, with the words ‘we don’t want to, but BlueSecurity is forcing us’.
The messages also included threats saying that the targets would effectively be subjected to a DoS attack: ‘you will end up recieving this message, or other nonsensical spams 20-40 times more than you would normally. How do you make it stop? Simple, in 48 hours, and every 48 hours thereafter, we will run our current list of BlueSecurity subscribers through BlueSecurity's database, if you arent there.. you wont get this again’
I don’t think that any spam analyst was really surprised that Blue Security came to a sticky end. Of course, we’re not happy that the spammers appear to have won this round. But destabilizing sites if the site names are mentioned in spam is a very dubious tactic - it’s neither ethical nor really legitimate.
I think that the path Blue Security chose was more or less doomed, if not to failure, then at least to causing a lot of Internet users, not just spammers, to react negatively. Why go down this road at all? There are plenty of spam filters available on the market. And ultimately, spammers should be punished by law enforcement bodies in accordance with legislation. In my view, users taking matters into their own hands is an unacceptable form of vigilantism.
Earlier today, one of our ICQ malware collecting robots was spammed with a suspicious-looking URL:
The machine hosting the page was a home PC located in Herndon, Virginia. The index page on this machine runs a fairly common set of exploits for IE and Mozilla, which attempt to execute Trojan-Downloader.Win32.Harnig.bq.
This trojan downloader is an interesting specimen. At the time we obtained a copy, it was undetected by almost all AV products we tried. My colleague Nikita took it apart and found the following piece of code:
What's happening here is that after unpacking the FSG outer shell, emulators hit a decryptor which makes heavy use of FPU instructions, as can be seen from the snippet of code above. This makes it pretty hard to emulate, which explains the low heuristic detection rate.
The first virus to make use of FPU instructions in a decryptor was Virus.DOS.Bashar.670, which appeared in 1997. It will be interesting to watch if this technique will become widespread as a means of avoiding heuristic detection in upcoming malware.
Back in November we raised concerns about the limitations of UK cyber crime legislation.
We highlighted the ruling of a UK court that the actions of a teenager accused of sending millions of emails to his employer could not be considered a breach of the Computer Misuse Act (CMA), since it did not cause unauthorised changes to a computer as defined in the act.
A recent report indicates that the Court of Appeal has now overruled the original decision and decided that the case should be re-tried.
With new legislation announced in January 2006, and an update to the CMA in the pipeline, UK cyber criminals will be increasingly called to answer for their misdeeds.
Statistics show that the contemporary malware landscape is, in the main, somehow connected with Trojans: Backdoors, Trojan-Downloaders, Trojan-Droppers, etc.
Although we are still seeing the same kind of viruses as we were seeing 10 years ago, written by cyber hooligans, every now and then we find old style methods being incorporated into more serious malware.
Almost a year ago we wrote about Tenga, a classic file infector with worm and trojan-downloader functionality.
Recently we added detection for something similar: Virus.Win32.Virut.4960. While its name doesn't sound very interesting, or pretty for that matter, this is quite an interesting sample.
Like Tenga, Virut.4960 is a classic appending virus. This file infector infects .exe and .scr files by attaching its (encrypted) code.
The interesting part is that the encrypted code contains IRCBot functionality. When an infected sample is executed it tries to connect to a certain IRC server.
The IRCBot functionality is very limited, and simply downloads a file of the attacker's choice. However, even such restricted functionality is enough to introduce more malware onto the victim system.
Using this kind of attack has some clear advantages; most significantly, that only virus scanners will be capable of detecting it. So malware which uses such strategies will be able to bypass, for example, anti-spyware solutions which don’t have an antivirus engine and therefore can’t detect and disinfect virus-infected files.
Although the use of file infecting techniques still isn’t particularly common, it’s an interesting trend, which will continue evolving - because dedicated antispyware solutions will be unable to combat such threats.
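The appending layout described above (encrypted code attached to the host file, with the entry point redirected to it) is something a scanner can look for structurally, without a signature for the specific virus. The following Python script is an added example, not code from Kaspersky or the original post: it parses PE32 headers with struct and reports an entry point that lies outside every section or in the last section of a multi-section file, and data past the last declared section (an overlay). build_pe, the two fixtures CLEAN and APPENDED, and the section name .extra are constructed for the example; on real files expect false positives from legitimate single-section or packed binaries, so treat the findings as a triage hint rather than a verdict.

```python
import struct


def _align(n, a):
    return (n + a - 1) // a * a


def parse_pe(data):
    """Return (entry_rva, sections) from a PE32 image; each section is a dict."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt = e_lfanew + 24                                           # after 4-byte sig + 20-byte COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                             # section table follows the optional header
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return entry_rva, sections


def analyze_pe(data):
    """Structural heuristics for appending infectors; returns a list of (code, detail)."""
    entry_rva, sections = parse_pe(data)
    findings = []
    home = None
    for i, s in enumerate(sections):
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"]):
            home = i
    if home is None:
        findings.append(("EP_OUTSIDE_SECTIONS", hex(entry_rva)))
    elif len(sections) > 1 and home == len(sections) - 1:
        # Appending infectors add their body at the end and point the entry there.
        findings.append(("EP_IN_LAST_SECTION", sections[home]["name"]))
    declared_end = max(s["rawptr"] + s["rawsize"] for s in sections)
    if len(data) > declared_end:
        findings.append(("OVERLAY", f"{len(data) - declared_end} bytes past declared end"))
    return findings


def build_pe(sections, entry_rva, overlay=b""):
    """Constructed fixture builder: a minimal PE32 with the given (name, raw bytes) sections."""
    falign, valign, opt_size = 0x200, 0x1000, 224
    nsec = len(sections)
    headers_len = _align(0x40 + 4 + 20 + opt_size + 40 * nsec, falign)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    struct.pack_into("<I", opt, 32, valign)
    struct.pack_into("<I", opt, 36, falign)
    sec_hdrs, body, rawptr, va = b"", b"", headers_len, valign
    for name, raw in sections:
        rawsize = _align(len(raw), falign)
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw), va,
                                rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(rawsize, b"\0")
        rawptr += rawsize
        va += _align(rawsize, valign)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdrs).ljust(headers_len, b"\0")
    return header + body + overlay


# Constructed fixtures: a normal two-section layout and one shaped like an appended infection.
CLEAN = build_pe([(".text", b"\xc3" * 16), (".data", b"\x00" * 16)], entry_rva=0x1000)
APPENDED = build_pe([(".text", b"\xc3" * 16), (".data", b"\x00" * 16), (".extra", b"\x90" * 64)],
                    entry_rva=0x3000, overlay=b"constructed trailing bytes")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("appended", APPENDED)):
        print(label, analyze_pe(sample))
```

Real infectors also tend to mark the target section writable and executable and to change the host's checksum; those fields are easy to add to the parser once the section table is in hand.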
On Saturday "Linuxtag 2006" closed in Wiesbaden (Germany). According to the organisers, it’s Europe's biggest Linux Expo.
At the Kaspersky stand we talked to a lot of visitors. Pretty soon, it dawned on us exactly what the biggest threat to Linux systems is: the almost overwhelming belief in the invulnerability of Linux.
Nearly every visitor accepts the need to protect Windows against malicious code (although even at a Linux fair you find people believing that a firewall is all you need to keep viruses and worms away). But many people we spoke to were unable to think of Linux as potentially vulnerable; after all, they argued, a Linux user would never go online with root rights as typical Windows XP home users do.
But such thinking overlooks some important facts:
- You don’t need root privileges to delete a user’s home directory or access their personal data - you only need to run malicious code with user privileges. (And not every user makes daily backups which could mitigate the potential damage.)
- The number of new malicious programs for an operating system isn’t related to the number of known security flaws, but to the number of installations. In Germany, the number of Linux distributions installed is growing rapidly, and overall, the number of malicious programs for Linux more than doubled between 2004 and 2005.
- To access a system, a virus writer doesn’t need 300 vulnerabilities - one is enough.
- Vulnerabilities exist prior to their being identified by the developers who report them. Virus writers actively search for vulnerabilities, but keep their discoveries to themselves.
- Only a perfect system can offer perfect security. In his "Areas for Improvement in the 2.6 Kernel Development Process" Andrew Morton (lead maintainer of the Linux production kernel) pointed out that the number of new bugs in the current 2.6 kernel is causing concern, and might lead to the development process being halted until existing problems are fixed.
Just to avoid any misunderstanding: of course Linux is currently more secure than the average Windows installation. This is due to things like user/root separation, a smaller number of installations, and rapid reaction to reported vulnerabilities. And currently, given the relatively small number of malicious programs for Linux, installing a virus scanner is more a gesture of friendship towards the Windows users you share files with. But taking all of this, and coming to the conclusion that your own system is practically invulnerable will make it easy for malware to spread on Linux systems in the future.
Let's take a look at what history teaches: In 2000, the VBS.Loveletter worm took just a few hours to spread across unsecured Windows computers around the world. So far, nothing on this scale has hit the Linux world. But the question is: when the day comes, will users and companies have enough time to choose and install a reliable virus scanner before their systems are hit?