
Research |An SMS Trojan with global ambitions

Roman Unuchek
Kaspersky Lab Expert
Posted April 23, 11:00  GMT
Tags: Mobile Malware, Malware Descriptions, Google Android, SMS Trojan

Recently, we’ve seen SMS Trojans starting to appear in more and more countries. One prominent example is Trojan-SMS.AndroidOS.Stealer.a: this Trojan came top in Kaspersky Lab's recent mobile malware TOP 20. It can currently send short messages to premium-rate numbers in 14 countries around the world.

But this is not all. Another Trojan, Trojan-SMS.AndroidOS.FakeInst.ef, targets users in 66 countries, including the US. This is the first case we have found involving an active SMS Trojan in the United States.

Research |Absolute Computrace: Frequently Asked Questions

Kaspersky Lab Expert
Posted February 13, 19:32  GMT
Tags: Vulnerabilities

In response to numerous requests for comments and clarifications after our presentation at the Kaspersky Security Analyst Summit 2014, we have created this FAQ with some answers to the most commonly asked questions.

1. Why did you decide to expand this research after the presentation about Absolute Computrace in 2009?

Kaspersky Lab decided to undertake full research on this topic after discovering several privately owned laptops of Kaspersky Lab security researchers had the Computrace agent running without prior authorization. Such unauthorized activations quickly became alarming when our reverse engineering revealed serious vulnerabilities in the Computrace agent protocol design.


What exactly is Careto / "The Mask"?

The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007.

What makes The Mask special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated piece of malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (iOS).

The Mask also uses a customized attack against older Kaspersky Lab products in order to hide in the system. This puts it above Duqu in terms of sophistication, making The Mask one of the most advanced threats at the current time. This and several other factors make us believe this could be a state-sponsored operation.


Malicious macro-enabled Microsoft Office document
The last interesting item found on the same cybercriminal server is a .docm file (a macro-enabled Word document, in Microsoft Office's naming).

It is a malicious document that, when opened, shows the victim the following content:


To complement the findings already mentioned, the same cybercriminal’s server contains additional interesting things, but before covering them I want to give a little more information about the email database used to spam victims and infect them with the Betabot malware.

E-mail database
How big is the list of email addresses used to spam victims? It holds 8,689,196 distinct addresses, a very complete database. Even if only 10% of the people on this list got infected, the cybercriminals would gain more than 800,000 infected PCs!

The geographic distribution of the emails has already been published here. If we look only at the most interesting domains, those belonging to governments, educational institutions and the like, the numbers of addresses used to spam and infect are still very high ("gob" is the government label used in Spanish-speaking country domains such as gob.mx or gob.pe):

Top-level domain    Number of email addresses
org                 13,772
edu                  2,015
gov                  1,575
gob                    312

Research |From Latin America with love, Jumcar strikes again

Santiago Pontiroli
Kaspersky Lab Expert
Posted January 23, 14:21  GMT

A new sample was submitted to VirusTotal on January 18th and was quickly spotted by my colleague Dmitry Bestuzhev. Interestingly, it appears to be a new variant of the Jumcar malware family, with many changes to the original source code. As this is custom-made Latin American malware there are plenty of strings written in Spanish, some of which we won’t reproduce since they are meant to insult the security researchers inspecting the code.

The first thing that caught our attention was the presence of debug information left in the executable file. After a very basic analysis we confirmed that we were dealing with a Microsoft .NET application, and that the string we found was the original path of the project on the developer’s system. Apparently “Victor” was testing his new creation against several antivirus engines, since the sample was submitted to VirusTotal by the author himself.

Disguised as an innocent “Facebook” application, Jumcar lures the user into double-clicking the file to infect the system and deliver the malicious payload.

Seems pretty innocent, right?

Once launched, the executable shows up as a “Facebook” utility in the process monitor while it performs some network connectivity tests to decide whether it can download the second stage of the malicious code. It checks the reachability of Google (by both domain name and IP address) to confirm that an Internet connection is available, then downloads another file needed for the infection.

If everything goes as expected, Jumcar then fetches a text file from a server located in Chile which lists the banks it will try to steal information from. The file is served under the name “robots.txt”, the standard crawler-exclusion file, so that an IT administrator reviewing web server log entries sees nothing out of the ordinary.

With this list downloaded, the next step is to use it to overwrite the Windows hosts file in %systemroot%\system32\drivers\etc\. From then on, every time the user tries to reach any of the domains in the malicious hosts list, the name resolves to the attacker's IP address and a fake version of the desired website is served instead. That IP is currently offline, but since the list is retrieved dynamically by the malware it can be changed at any time simply by replacing the “robots.txt” file on the server.
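The hosts-file tampering described above is straightforward to check for on an endpoint. The following is an added example, not code from the post or from Jumcar: it parses a Windows-style hosts file and reports every name that is mapped to something other than a loopback or unspecified address, optionally restricted to a watchlist of domains worth alerting on. The sample hosts content, the bank domain names, the watchlist and the 203.0.113.45 address are all constructed for the example.

```python
"""
Added example (not code from the Securelist post or from Jumcar itself): parse a
Windows-style hosts file and flag entries that point domain names at a non-local
address, which is the trace Jumcar leaves after it overwrites the file.
"""
import ipaddress

# Constructed sample of a tampered hosts file. The bank names and the 203.0.113.45
# address (TEST-NET-3 documentation range) are made up, not Jumcar's real targets.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # adblock-style sinkhole, harmless
203.0.113.45    www.bancoejemplo.bo      # constructed: bank site pointed at attacker
203.0.113.45    www.otrobanco.com.bo
"""


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every usable hosts-file entry."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed address field, skip it
        for name in fields[1:]:
            yield lineno, ip, name.lower()


def is_local_target(ip):
    """Loopback (127.0.0.0/8, ::1) and 0.0.0.0 are the targets a clean hosts file normally uses."""
    return ip.is_loopback or ip.is_unspecified


def find_redirections(text, watchlist=None):
    """
    Return hosts-file entries that map a name to a non-local address.
    With a watchlist, only names in it are reported (keeps intranet entries out
    of the alert); without one, every non-local mapping is returned for review.
    """
    hits = []
    for lineno, ip, name in parse_hosts(text):
        if is_local_target(ip):
            continue
        if watchlist is not None and name not in watchlist:
            continue
        hits.append({"line": lineno, "host": name, "ip": str(ip)})
    return hits


if __name__ == "__main__":
    # Hypothetical watchlist: domains whose hijack would matter to this organisation.
    watchlist = {"www.bancoejemplo.bo", "www.otrobanco.com.bo", "www.google.com"}
    for hit in find_redirections(SAMPLE_HOSTS, watchlist):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']}")
```

On a real machine you would read %systemroot%\system32\drivers\etc\hosts and pass its text to find_redirections(); the watchlist exists because corporate hosts files often carry legitimate entries for internal names mapped to private addresses, which would otherwise show up as noise.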

In previous versions of Jumcar, the targets were banking institutions, mainly from Peru. In this variant, the code has been customized to attack Bolivian banks, but there's nothing to stop the malware creators from expanding this list. This makes sense since the Assembly name for the .NET executable was “newbol”, which might indicate a new Bolivian variant.

A lot of cryptographic functions are used within the code (nothing new here, since previous versions also relied heavily on crypto) to add a layer of obfuscation and thwart analysis. Fortunately, by inspecting the network traffic and decompiling the .NET assembly we can get a glimpse of how the threat was developed. This latest version embeds a number of encrypted strings which are decrypted at runtime by a method called GenerateRSAreverse(), which turns each one into the clear-text value used for a particular task of the malware.

For example, one such block of RSA-encrypted text yields the file name used for persistence (“winlogon.exe”, registered under the CurrentVersion\Run key), the IP address of the server hosting the “robots.txt” file, and more.

The main logic of this threat remains quite simple and relies on quickly infecting the system and replacing the hosts file to allow data theft. Even though it's not very sophisticated, it does seem to be highly effective and allows attackers to make code modifications quickly, generating new variants on demand.

Malware developed in Latin America, or written in .NET, is still uncommon. In recent months, however, we have seen that the benefits of rapid development and framework reuse are tempting enough for cybercriminals to adopt software development best practices. With Ploutus, an ATM malware also built from scratch in the region in .NET, it seems the Spanish-speaking malware scene is about to get interesting. For the moment this appears to be just an attempt by the malware author to test detection rates, but we need to keep an eye open, since the real threat can emerge at any moment. From Latin America with love, Jumcar is here again.

Kaspersky Anti-Virus detects all mentioned samples heuristically as Trojan.Win32.Fsysna variants.

Follow me on Twitter: @spontiroli


Research |WhatsApp for PC - a guaranteed Trojan banker

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted January 21, 04:54  GMT
Tags: Internet Banking, Social Engineering, Campaigns, Oracle

We just received a spam message in Portuguese stating the following:

In short, this message says that WhatsApp for PC is finally available and that the recipient already has 11 pending invitations from friends in his account. This is what the email looks like:

Research |Big box LatAm hack (1st part - Betabot)

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted January 16, 01:42  GMT
Tags: Botnets, Spammer techniques, Malware Technologies, Passwords

Last week a good friend (@Dkavalanche) reported on Twitter that he had found Betabot malware being spammed via fake emails in the name of the Carabineros de Chile (the Chilean national police). It piqued my interest, so I dug a little and this is what I found:
The original .biz domain used in the malicious campaign was registered by someone allegedly from Panama. It is a purely malicious domain used exclusively for cybercriminal activity; the server itself, however, is hosted in Russia! The same server holds several folders and files, which we will discuss a little later. First, let’s look at the initial malicious binary sent via email, then at the rest. I will only focus on the most interesting details.

This is the name of the original binary; translated to English it reads “Criminal complaint”.
The file is compiled with forged version information: it claims to be NPE File Analyzer, a legitimate tool built by NoVirusThanks.



Today we got a spam message with a fake e-card in Portuguese leading to an interesting piece of malware:

Header translation: You have received a Christmas e-card. Somebody very special has sent you this Christmas e-card. If you cannot see it, click here. Much better than any present is a happy family.

Research |Malware in metadata

Vicente Diaz
Kaspersky Lab Expert
Posted December 19, 10:07  GMT
Tags: JavaScript, Security Websites, Campaigns, PHP

One of the systems I have been running collects all our web malware detections for .ES domains. I usually check it out every morning, just in case I see something especially interesting or relevant. And when I find something, I like to create some statistics to have a global overview.

There are things I find every time I check my stats, such as URLs that have been infected for more than 200 days despite the owners being notified. That speaks to the lack of security awareness in some companies, and to how some websites simply get abandoned and become a hive of malware.

However, one thing that drew my attention was the detection of many PHP backdoors in files with unusual extensions, such as JPG or MP3. A false positive, maybe? Worth taking a look!
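The check such a detection comes down to is simple to state: a file whose extension promises an image or audio file but which carries a PHP open tag, whether it is a bare script renamed to .jpg or a genuine JPEG/MP3 with PHP embedded in or appended to it. The following is an added example, not code from the post or from Kaspersky's detection system; the file names, their contents and the list of risky function names are constructed for the example.

```python
"""
Added example (not code from the Securelist post): flag files whose extension
says image or audio but whose content contains PHP, covering both a PHP script
renamed to .jpg and a real JPEG/MP3 with a PHP payload appended or embedded.
"""
import os
import re

# Leading bytes a file with this extension is expected to start with.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}

PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Functions typical of web shells and loaders; only matched once a PHP tag is present,
# so an ordinary image that happens to contain the word "system" is not flagged.
RISKY_CALLS = re.compile(
    rb"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open"
    rb"|base64_decode|gzinflate|str_rot13)\s*\(",
    re.IGNORECASE,
)


def classify(filename, data):
    """Return the reasons a file looks like a disguised PHP backdoor (empty list if clean)."""
    ext = os.path.splitext(filename)[1].lower()
    reasons = []
    expected = MAGIC.get(ext)
    if expected is not None and not any(data.startswith(sig) for sig in expected):
        reasons.append("content does not match %s signature" % ext)
    if PHP_OPEN_TAG.search(data):
        reasons.append("contains PHP open tag")
        calls = sorted({m.decode("ascii").lower() for m in RISKY_CALLS.findall(data)})
        if calls:
            reasons.append("calls " + ", ".join(calls))
    return reasons


# Constructed samples, not files from the .ES detections described in the post.
SAMPLES = {
    # genuine JPEG header followed by filler and the end-of-image marker
    "logo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9",
    # plain web shell saved with an image extension
    "shell.jpg": b"<?php eval(base64_decode($_POST['c'])); ?>",
    # valid MP3 (ID3 header) with a PHP payload hidden after the audio frames
    "track.mp3": b"ID3\x03\x00\x00\x00\x00\x00\x0a" + b"\xff\xfb" * 8 + b"<?php system($_GET['cmd']); ?>",
    # short-tag variant (<?=) inside what claims to be a PNG
    "pixel.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"<?= passthru($_REQUEST['x']) ?>",
}


def scan(samples=SAMPLES):
    """Run classify() over a name -> bytes mapping and keep only the flagged entries."""
    flagged = {}
    for name, data in samples.items():
        reasons = classify(name, data)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in scan().items():
        print(name, "->", "; ".join(reasons))
```

The signature check alone misses the polyglot case (track.mp3 and pixel.png above are valid media files as far as their headers go), and the PHP-tag check alone would be noisy on real web roots, so the two are combined: a media file is reported if either its header is wrong or it contains a PHP open tag, and the risky-call list is only consulted in the latter case to rank the finding.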