
Research|More on Yxe

Kaspersky Lab Expert
Posted February 25, 14:45  GMT
Tags: Mobile Malware

So what else have we found out about Yxe.e, which we discovered yesterday? It spreads via MMS, with the skull and crossbones image attached to the message rather than embedded in its body. The message includes a link - http://tran******.com - and suggests the recipient has the opportunity to view private information about a Chinese actress called Zhang Zii.

Following the link from a victim device results in an offer to download and install a file called LanPackage.sisx, 57573 bytes in size. Following the same link from a browser on a computer simply returns a 404.

In other words, the server checks whether the request is coming from a mobile device browser before it serves the file.
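The gating behaviour described above, modelled as an added example (this is not code from the Kaspersky Lab post or from the malware site). The post only says the server checks whether the request comes from a mobile browser; that it does so via the User-Agent header, the exact UA strings, the MIME type and the stand-in payload bytes below are all constructed assumptions. The analyst-side `probe` function shows the check worth making before writing a link off as dead: request it again with a phone User-Agent and see whether a SIS installer comes back.

```python
"""Added example: a mobile-only download gate and the analyst-side probe.

Assumptions (not from the post): User-Agent based gating, the UA strings,
the SIS MIME type and the stand-in payload bytes are constructed here.
"""
import hashlib

SISX_NAME = "LanPackage.sisx"
SISX_SIZE = 57573                 # size reported in the post
SIS_MIME = "x-epoc/x-sisx-app"    # MIME type used for Symbian 9 installers

# Constructed stand-in for the real installer: only the size and the leading
# UID1 of a Symbian 9 SIS file (0x10201A7A, little-endian) are reproduced.
SIS_UID1 = bytes.fromhex("7a1a2010")
FAKE_SISX = SIS_UID1 + b"\x00" * (SISX_SIZE - len(SIS_UID1))

# Constructed User-Agent strings: a desktop browser and an S60 3rd Edition phone.
DESKTOP_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) "
              "Gecko/20091221 Firefox/3.5.7")
S60_UA = ("Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaN95/21.0.016; "
          "Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 "
          "(KHTML, like Gecko) Safari/413")

MOBILE_MARKERS = ("SymbianOS", "Series60", "Nokia", "MIDP", "Windows CE",
                  "BlackBerry", "iPhone", "Android")


def is_mobile(user_agent: str) -> bool:
    """Assumed server-side test: any of these substrings marks a phone."""
    return any(marker in user_agent for marker in MOBILE_MARKERS)


def malicious_server(headers: dict) -> tuple:
    """Assumed behaviour of the download site: 404 for desktops, installer for phones.

    Returns (status, response_headers, body) like a minimal HTTP handler.
    """
    if not is_mobile(headers.get("User-Agent", "")):
        return 404, {"Content-Type": "text/html"}, b"<h1>404 Not Found</h1>"
    response_headers = {
        "Content-Type": SIS_MIME,
        "Content-Disposition": f'attachment; filename="{SISX_NAME}"',
    }
    return 200, response_headers, FAKE_SISX


def looks_like_sis(body: bytes) -> bool:
    """Cheap sanity check on a downloaded payload: Symbian 9 SIS UID1."""
    return body[:4] == SIS_UID1


def probe(server, user_agents: dict) -> dict:
    """Analyst side: request the URL once per User-Agent and record the result."""
    findings = {}
    for label, ua in user_agents.items():
        status, hdrs, body = server({"User-Agent": ua})
        got_sis = (status == 200 and hdrs.get("Content-Type") == SIS_MIME
                   and looks_like_sis(body))
        findings[label] = {
            "status": status,
            "sis": got_sis,
            "size": len(body) if got_sis else 0,
            "sha256": hashlib.sha256(body).hexdigest() if got_sis else None,
        }
    return findings


if __name__ == "__main__":
    results = probe(malicious_server, {"desktop": DESKTOP_UA, "s60": S60_UA})
    for label, result in results.items():
        print(f"{label:8s} status={result['status']} sis={result['sis']} "
              f"size={result['size']}")
```

The point of the probe is that a 404 from a desktop browser is not evidence that the site is down; the real server may key on other request headers as well, so an analyst should replay the request with a phone profile (and hash whatever comes back) before drawing conclusions. A server that answers differently to phone and desktop browsers is itself a useful indicator when triaging links from MMS.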

Virus Watch|Return of the Yxe worm

Kaspersky Lab Expert
Posted February 24, 15:17  GMT
Tags: Mobile Malware

Just over a year ago Worm.SymbOS.Yxe appeared: the first malicious program for smartphones running Symbian S60 3rd Edition to carry a valid digital signature. Subsequent versions of this worm appeared from time to time; the latest variant, Yxe.d, was detected in July 2009.

Today we detected a new variant, Worm.SymbOS.Yxe.e, which also has a valid digital signature. Previous modifications of the worm:

  • Spread via SMS messages which contained a link to the worm
  • Used social engineering in order to trick victims
  • Harvested data about the smartphone from the device
  • Sent the harvested data to a cybercriminal server
  • Attempted to terminate third-party applications designed for working with the smartphone's file system or with active applications.

The latest modification does all of the above and more. It also:

  • Sends MMS messages containing a link to itself, and, attached, a black and white skull and crossbones image (Skuller, a Trojan which first appeared in 2004, also used a skull and crossbones)
  • Connects to a Chinese social networking site
  • Downloads files
  • Blocks the smartphone's Software Manager, making it more difficult to delete the malware

We’re still analysing Worm.SymbOS.Yxe.e in detail – we’ll keep you posted.


The football World Cup kicks off in South Africa in June and it’s just the type of global event that Nigerian spammers can’t resist exploiting.

We are constantly receiving “Nigerian letters” and emails notifying us that we have won some lottery or other linked to the World Cup.

As a mark of just how important this festival of football is, those behind the Nigerian letters have even started attaching files with more details about “lottery wins”. If you look at the screenshot above, you’ll see four messages stating that additional information has been attached. The “confidential document” is only attached to two of the emails though – no doubt due to the carelessness of the sender.

As well as huge money prizes, some of the messages also offer free World Cup match tickets!

It has to be said that the Winter Olympics have failed to catch the imagination of the spammers in quite the same way, even though they are already underway and the World Cup is still months away. Just remember, if you do receive a message stating you’ve won millions in an Olympic or World Cup lottery, you haven’t struck it rich, you’ve just been targeted by fraudsters.


Incidents|Cascading false positives

Posted February 16, 12:00  GMT
Tags: Antivirus Technologies

Security researchers work together and share information in many ways and in many contexts that aren't constrained by company boundaries, but it's unusual for security researchers working for different vendors to join forces in a company blog.

However, John Leyden of The Register contacted us both when he was writing an article on the controversy following Kaspersky Lab's dramatic demonstration of the way in which false positives can cascade from one vendor to another. This is a major issue, because it can and does introduce a serious bias into comparative detection testing and analysis. After responding to John's questions, we continued the discussion subsequently by email and found that we (along with most of the AV industry) were in agreement on all major points, and decided that it was more important to clarify those points, than to continue debating the detail of the demonstration.

The fact that the demonstration used Virus Total as a channel for cascading the "artificial" false positives to other vendors should not be seen as in any way detrimental to Virus Total. Hispasec have never endorsed the use of the service as a substitute for comparative testing or for sample validation, either of which are very likely to generate misleading results.

Multiple scanners are not in themselves the problem, whether they're hosted on public sites, specialist resources, or used by testers or anti-malware companies in-house. As tools for comparative analysis or precursors to more detailed analysis, they have a great deal of value. However, that value depends on the user's knowledge and understanding of how to make the most appropriate use of them.

Mainstream testers and security vendors have extensive understanding of these issues: however, many tests do not take them sufficiently into account. The Kaspersky Lab experiment did at least bring the issue to the attention of some of the press and publishers who most need to be aware of it, and who would probably have taken far less notice of a less controversial presentation.

As supporters of AMTSO, the Anti-Malware Testing Standards Organization, we are in emphatic agreement that moving away from static testing and toward dynamic testing is a positive direction. We hope that more reviewers now appreciate that dynamic testing with small but properly validated sample sets offers a more realistic assessment of detection capability with less risk of unintended bias. If more people realized this, it would allow vendors to spend more time on real threats and less on making sure they detect samples that shouldn't be included in a test set.

Magnus Kalkuhl, Senior Virus Analyst, Kaspersky Lab
David Harley, ESET Research Fellow & Director of Malware Intelligence


Incidents|Need a Valentine‘s gift?

Kaspersky Lab Expert
Posted February 15, 11:42  GMT
Tags: Spam Letters, Social Engineering

It’s the same every year: as soon as Valentine's Day gets close, all the spammers concentrate on this event to spread unsolicited mails – sometimes with malicious little gifts.

An all-time favorite gift when it comes to Valentine's Day: flowers! This spam offers great savings when you buy flowers, but tries to trick you into a subscription that charges $9.95 to your credit card every month. Make sure you don't fall for it!

Opinions|On the way to better testing

Kaspersky Lab Expert
Posted February 01, 14:09  GMT
Tags: Antivirus Testing

Have you ever found a false positive when uploading a file to a website like VirusTotal? Sometimes it happens that not just one scanner detects the file, but several. This leads to an absurd situation where every product which doesn't detect this file automatically looks bad to users who don't understand that it's just false positives.

Sadly you will find the same situation in a lot of AV tests, especially in static on-demand tests where sometimes hundreds of thousands of samples are scanned. Naturally, validating such a huge number of samples requires a lot of resources. That's why most testers can only verify a subset of the files they use. What about the rest? The only way for them to classify the remaining files is a combination of source reputation and multi-scanning. This means that, as in the VirusTotal example above, every company that doesn't detect samples that are detected by other companies will look bad - even if the samples are corrupted or absolutely clean.

Since good test results are a key factor for AV companies, this has led to the rise of multi-scanner based detection. Naturally AV vendors, including us, have been scanning suspicious files with each others’ scanners for years now. Obviously knowing what verdicts are produced by other AV vendors is useful. For instance, if 10 AV vendors detect a suspicious file as being a Trojan downloader, this helps you know where to start. But this is certainly different to what we're seeing now: driven by the need for good test results, the use of multi-scanner based detection has increased a lot over the last few years. Of course no one really likes this situation - in the end our task is to protect our users, not to hack test methodologies.

This is why a German computer magazine conducted an experiment, and the results of this experiment were presented at a security conference last October: they created a clean file, asked us to add a false detection for it and finally uploaded it to VirusTotal. Some months later this file was detected by more than 20 scanners on VirusTotal. After the presentation, representatives from several AV vendors at the event agreed that a solution should be found. However, multi-scanner based detection is just the symptom - the root of the problem is the test methodology itself.