
The cyber-criminal groups behind fake anti-virus (scareware/rogueware) infections have run into some significant roadblocks over the last few years, but there is much more to the overall story.

Some groups have been arrested. Some have had their operations and entire call support centers shut down.
Some groups attracted too much attention, picked off the low-hanging fruit and eventually walked away from their botnets.
In some cases, the groups just weren't very skilled at developing anti-anti-malware techniques, blackhat SEO, and malware distribution. They couldn't keep up with the changes in anti-malware technologies, weren't exactly dedicated to the effort, and simply fell off the map.

However, some of the remaining scareware distribution gangs upped the ante and are aggressively developing difficult-to-detect polymorphic installers and difficult-to-remove support components. The newest of these components include some of the first in-the-wild (ITW) 64-bit malware components to be taken seriously. For the most part, though, the scareware program itself remains the same; what keeps changing is the supporting code around it, developed for the sole purposes of evading anti-malware solutions and coercing the end user into paying for the fake product. That supporting code includes support/rootkit components like TDSS (with all its extreme complexity) or the more recent Black Internet (also known as "Trojan-Clicker.Win32.Cycler"). These complex MBR infectors and other rootkit components, built to keep money-making scareware on the system, are signs of this somewhat extreme development effort.

Opinions|The Winlock case - I'm taking bets!

Eugene
Kaspersky Lab Expert
Posted September 01, 02:25 GMT
Tags: Malware Creators, Ransomware, Cybercrime Legislation

Interesting news on Trojan SMS Blockers (Winlock etc). These programs block Windows and demand a ransom in the form of a text message which is sent to a premium-rate short number for a fee. It's a very popular type of racket at the moment, both in Russia and a few other countries.

The whole affair has now reached the General Prosecutor’s office of Russia – the criminals have been identified and detained (or so it seems) and will be prosecuted in Moscow soon.

Altogether the criminals have earned an estimated 790,000 roubles, or $25K. Moreover, they have caused other damages by blocking or crashing a yet to be determined number of personal and company PCs. Very often people have needed to re-install the OS and all software and then restore data from backups - even after paying the ransom.

But I wanted to focus on the outcome – or the possible outcome of this incident, not on the investigation, arrests and so forth.

Events|Twitter goes OAuth-only (Yay for security!)

Stefan Tanase
Kaspersky Lab Expert
Posted August 31, 16:42 GMT
Tags: Social Networks, Passwords

In a long overdue move, Twitter turned off basic authentication for third-party applications, while enforcing OAuth for all apps. This is a move that should be applauded by anyone concerned about the security of their Twitter account.

This latest move covers a potential vulnerability in the process of giving read/write access to third-party applications, which could lead to a Twitter account being compromised. Well, not anymore. You don't need to give your username and password to third-party developers anymore if you want to use their application on your Twitter account.

Being always concerned about security, I salute Twitter's move to enforce OAuth. This lets me use an application without having to share my Twitter username and password with an unknown entity. Also, hats off to all developers that updated their applications in time and made this change as seamless as possible for the majority of users.

However, keep in mind that OAuth doesn't protect against local attacks - stealing passwords straight from the users' machines. Make sure you use a clean computer when you log in to Twitter. Also, for more tips on staying safe, I invite you to read my quick How to Avoid Getting Your Twitter Account Hacked guide on Threatpost.
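To make concrete what "OAuth-only" changes for a third-party application, here is an added example (not Twitter's code, not Kaspersky's, and not from the post) of the OAuth 1.0a request signing that Twitter's API used at the time, as specified in RFC 5849 with HMAC-SHA1. The application holds a consumer key/secret and a per-user access token/secret, all of which are constructed placeholders below, and signs each request with them; the user's password is never sent to, or stored by, the application, and the token can be revoked on its own. The server-side verification is included so the round trip can be checked offline.

```python
"""OAuth 1.0a (RFC 5849) request signing and verification with HMAC-SHA1.

Added example, not Twitter's or Kaspersky Lab's code. All credentials,
nonces and timestamps here are constructed placeholders.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlparse

# Constructed placeholder credentials. The consumer pair identifies the
# application; the token pair was issued to it when the user approved the
# app. Neither contains, nor can be turned back into, the user's password.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"
ACCESS_TOKEN = "example-access-token"
ACCESS_TOKEN_SECRET = "example-token-secret"


def _pct(value):
    # RFC 5849 section 3.6: percent-encode everything except unreserved chars.
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: method, base URL (query stripped) and the
    sorted, encoded request plus oauth_* parameters, joined with '&'."""
    parsed = urlparse(url)
    base_url = f"{parsed.scheme.lower()}://{parsed.netloc.lower()}{parsed.path}"
    pairs = list(params.items()) + parse_qsl(parsed.query, keep_blank_values=True)
    encoded = sorted((_pct(k), _pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), _pct(base_url), _pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    # The HMAC key is the two secrets, each percent-encoded, joined by '&'.
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, body_params, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, timestamp=None):
    """Client side: build the Authorization header for one API request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**body_params, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{_pct(k)}="{_pct(v)}"' for k, v in sorted(oauth.items()))


def parse_authorization_header(header):
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth Authorization header")
    fields = {}
    for part in header[len("OAuth "):].split(", "):
        key, _, val = part.partition("=")
        fields[unquote(key)] = unquote(val.strip('"'))
    return fields


def verify_request(method, url, body_params, header, secret_lookup):
    """Server side: find the secrets for the presented keys, recompute the
    signature over what was actually received and compare in constant time.
    secret_lookup maps (consumer_key, token) -> (consumer_secret, token_secret)."""
    sent = parse_authorization_header(header)
    presented = sent.pop("oauth_signature", "")
    pair = secret_lookup.get((sent.get("oauth_consumer_key"), sent.get("oauth_token")))
    if pair is None:
        return False
    base = signature_base_string(method, url, {**body_params, **sent})
    expected = hmac_sha1_signature(base, *pair)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    url = "https://api.twitter.com/1/statuses/update.json"
    header = sign_request("POST", url, {"status": "Hello World"}, CONSUMER_KEY,
                          CONSUMER_SECRET, ACCESS_TOKEN, ACCESS_TOKEN_SECRET)
    print(header)
    lookup = {(CONSUMER_KEY, ACCESS_TOKEN): (CONSUMER_SECRET, ACCESS_TOKEN_SECRET)}
    print("verified:", verify_request("POST", url, {"status": "Hello World"}, header, lookup))
```

Note that the signature covers the method, URL and every parameter, so a request replayed with a modified body fails verification, and that the only secrets on the application side are the ones Twitter can revoke. None of this helps if the password is captured on the user's own machine at login, which is exactly the caveat above: the browser session that approves the application still needs a clean computer.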


Research|Gumblagra and a piano

Michael
Kaspersky Lab Expert
Posted August 31, 04:01 GMT
Tags: Spam Letters, Website Hacks, Gumblar, Spammer techniques

Since the beginning of August, our Japan office has seen 900+ mails of a certain kind in their spam traps.



We noticed two common patterns in all of these mails. First, the links in the spammed messages all point to compromised servers. Second, the file names of the redirectors are all dictionary words followed by two digits. The files redirect users to online pharmacy sites and fake watch stores. Here is a screen capture of a directory hosted on one of these sites:



You might wonder why this caught our attention. The answer is simple: about half of these files contained links to 'gumblar.x' servers.



The upper red link points to a pharmacy site; the lower one is a gumblar.x URL.

So basically an unsuspecting (and unprotected) user who clicks these links in their mail will experience a typical 'gumblar attack' while browsing a pill catalog. The recent peak of such hybrid attacks may be a sign that the cybercriminal(s) who've been slowly but surely growing the Gumblar botnet worldwide, and who up until now have been keen to fly under the radar, are now starting to monetize it. The first test runs of mixed pharmacy/gumblar pages were actually identified by our experts as early as April 2010, when we noticed a few mails of this kind with subjects like "Twitter 61-213".

On further investigation of the involved servers, it turned out that plenty of them have additional malicious code injected directly into their www root. We counted mostly gumblar.x but also some 'pegel.*' and other obfuscated code containing iframers or other redirectors.

Additionally, almost ALL of these domains contained a link to 'hxxp://nuttypiano.com/*.js' at the end of the file.



There are more than 300 different .js files in circulation on such servers, the content of these is obfuscated and similar to known 'pegel' threats. To make our researchers' task more difficult, the malicious code will only be sent once to the same IP address. However, we have managed to download several samples from the same locations and identified polymorphic-like structures.



These redirect to other :8080 locations, which in turn try to push more malware onto the victim's machine.

Here is a quick summary of such injected sites, sorted by country: #1 is the US, followed by FR, DE, TR and JP. Affected webmasters should consider changing their compromised FTP credentials, cleaning the machines that leaked them, and investigating their server logs for more details.
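For webmasters and mail administrators who want to check for the two traits described above, here is an added example (not Kaspersky Lab's tooling and not from the post) that flags mail links whose file name fits the "dictionary word plus two digits" redirector pattern, and scans HTML files from a web root for an external script tag appended after the closing `</html>` tag or pointing at nuttypiano.com. The host name comes from the post; the mail bodies, page contents, `.example` domains and the `placeholder.js` file name are constructed, and the exact redirector naming rule is an assumption modelled on the post's description.

```python
"""Triage helpers for the spam redirector pattern and the trailing script
injection described in the post. Added example, not Kaspersky Lab's code.
Only nuttypiano.com comes from the post; everything else is constructed."""
import re
from urllib.parse import urlparse

KNOWN_INJECTION_HOSTS = {"nuttypiano.com"}  # from the post

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# The post describes redirector file names as a dictionary word followed by
# two digits. Assumption: modelled as 3+ lowercase letters, exactly two
# digits and an optional extension.
REDIRECTOR_NAME_RE = re.compile(r"^[a-z]{3,}\d{2}(\.[a-z]{2,5})?$")
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src\s*=\s*[\"']?([^\"'\s>]+)", re.I)

# Constructed sample mails; the first subject line is the one quoted in the post.
SAMPLE_MAILS = [
    "Subject: Twitter 61-213\n\nYour friend sent you a message: "
    "http://victim-site.example/images/orange37.html",
    "Subject: Weekly newsletter\n\nhttp://news.example/articles/2010/08/report.html",
    "Subject: Cheap meds\n\nhttp://another-victim.example/blog/window92",
]

# Constructed sample web root: path -> file contents as read from disk.
SAMPLE_WEBROOT = {
    "index.html": "<html><body>Welcome</body></html>\n"
                  '<script src="http://nuttypiano.com/placeholder.js"></script>',
    "about.html": '<html><head><script src="/js/site.js"></script></head>'
                  "<body>About us</body></html>",
}


def suspicious_redirector_links(mail_body):
    """Return links whose last path element fits the redirector naming pattern."""
    hits = []
    for url in URL_RE.findall(mail_body):
        last = urlparse(url).path.rsplit("/", 1)[-1]
        if REDIRECTOR_NAME_RE.match(last):
            hits.append(url)
    return hits


def trailing_script_injections(html):
    """Return (src, reasons) for scripts placed after </html> or loaded from
    a known injection host, the two traits the post describes."""
    findings = []
    end = html.lower().rfind("</html>")
    for m in SCRIPT_SRC_RE.finditer(html):
        src = m.group(1)
        reasons = []
        if end != -1 and m.start() > end:
            reasons.append("script tag after </html>")
        if (urlparse(src).hostname or "").lower() in KNOWN_INJECTION_HOSTS:
            reasons.append("known injection host")
        if reasons:
            findings.append((src, reasons))
    return findings


def scan_webroot(files):
    """files maps relative path -> contents read from the server's www root.
    Reading from disk matters: the injected script is only served once per
    source IP, so re-fetching a page over HTTP will usually look clean."""
    report = {}
    for path, body in files.items():
        findings = trailing_script_injections(body)
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    for mail in SAMPLE_MAILS:
        print("mail links flagged:", suspicious_redirector_links(mail))
    for path, findings in scan_webroot(SAMPLE_WEBROOT).items():
        print(path, "->", findings)
```

A flagged mail link is a reason to look at the referenced server, not proof on its own; the web root scan is the stronger signal, and it should be followed by the credential change and log review the post recommends.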


Research|Who needs my SQL server?

VitalyK
Kaspersky Lab Expert
Posted August 25, 13:40 GMT
Tags: Malware Statistics, Microsoft

We all know that cybercriminals will target anything and everything they can reach. And at Kaspersky, we also know that a lot of IT admins don’t look after their Internet resources. Sad but true – ask an admin if their servers are protected, and you’ll often get the answer, “Oh, come on, who needs my SQL server?”

A few months ago we set up a new honeypot (http://www.mwcollect.org) in our Japanese research centre in Tokyo. The honeypot is mainly used to collect malicious Windows executables, which it does pretty well by emulating shellcode when it finds network exploits. A side effect of using the honeypot to listen on all ports is that we get statistics (as well as unexpected data) coming in on various network ports of the host, which has a global IP address.

This graph shows the number of attacks and unwanted connections on specified ports of our server. It shows the ten ports most commonly used, but even the least commonly targeted port (in this case, port 1130) gets about 16 connections a day.

Here’s a table of the common services using each port:

Hopefully, this proves what seems to us to be obvious – there’s someone on the Internet who wants your SQL server! (And a few other things besides…) And the data above shows that there are a lot of bad guys looking for backdoored orphaned hosts on the internet. Some of them are trying to find Backdoor.Win32.Noknok, while others are trying to break in through legitimate services like Radmin and Windows Remote Desktop.

Maybe you’re wondering just who it is who is looking for badly protected resources? Here’s another graph with those details, showing how many connections different countries make to our honeypot every day:

Take a minute to compare it to the previous graph! You can see that the number of MSSQL attack attempts is mirrored by attacks coming from China. And recently, South Korean hosts have joined this massive attempt to exploit the service.

Running a honeypot helps us get valuable data; we're kept busy analyzing it and crunching the numbers, and finally, it's a cheap form of entertainment. Our honeypot is running on a 500 MHz Pentium III CPU with 384 MB of RAM, which nowadays probably costs less than $100. So if you're thinking of throwing out some really old, slow hardware, consider setting up a honeypot! ;-)
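The two graphs described above (connections per port per day, and connections per source country, compared side by side) come from aggregating a connection log. Here is an added example, not Kaspersky Lab's or mwcollect's code, that does that aggregation over a constructed log with one connection per line. The log format, the IP addresses (taken from the documentation ranges) and the country tags are all constructed; the port-to-service names are the IANA registrations for those ports.

```python
"""Aggregate honeypot connection attempts per port, per day and per country.
Added example, not Kaspersky Lab's or mwcollect's code. The log below is a
constructed sample: ISO timestamp, source IP, source country, destination port."""
import re
from collections import Counter

SAMPLE_LOG = """\
2010-08-20T01:02:03Z 203.0.113.5 CN 1433
2010-08-20T01:05:11Z 203.0.113.9 CN 1433
2010-08-20T02:40:00Z 198.51.100.7 KR 1433
2010-08-20T03:14:07Z 192.0.2.33 US 3389
2010-08-20T04:00:00Z 192.0.2.34 US 4899
2010-08-21T00:12:00Z 203.0.113.5 CN 1433
2010-08-21T00:13:00Z 203.0.113.5 CN 1433
2010-08-21T05:00:00Z 198.51.100.8 KR 1433
2010-08-21T06:00:00Z 192.0.2.35 RU 4899
2010-08-21T07:00:00Z 192.0.2.36 US 445
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+\s+(\S+)\s+([A-Z]{2})\s+(\d{1,5})$")

# IANA service names for the ports in the sample; unknown ports print as "?".
PORT_SERVICES = {
    22: "ssh",
    445: "microsoft-ds (SMB)",
    1433: "ms-sql-s (MSSQL)",
    3389: "ms-wbt-server (RDP)",
    4899: "radmin-port (Radmin)",
}


def parse_line(line):
    """Return (day, src_ip, country, port) or None for a line that does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    day, ip, country, port = m.groups()
    return day, ip, country, int(port)


def parse_log(text):
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def connections_per_port(records):
    return Counter(port for _, _, _, port in records)


def daily_average_per_port(records):
    """Average connections per day, over the days the honeypot was observed."""
    days = {day for day, _, _, _ in records}
    return {port: n / len(days) for port, n in connections_per_port(records).items()}


def top_ports(records, n=10):
    """(port, service, count) for the n busiest ports, ties broken by port number."""
    ranked = sorted(connections_per_port(records).items(), key=lambda kv: (-kv[1], kv[0]))
    return [(port, PORT_SERVICES.get(port, "?"), count) for port, count in ranked[:n]]


def port_country_matrix(records):
    """Counter keyed by (port, country): the cross-tab behind comparing the
    per-port graph with the per-country graph."""
    return Counter((port, country) for _, _, country, port in records)


def countries_for_port(records, port):
    matrix = port_country_matrix(records)
    rows = [(c, n) for (p, c), n in matrix.items() if p == port]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    avg = daily_average_per_port(recs)
    for port, service, count in top_ports(recs):
        print(f"port {port:>5} {service:<22} total {count:>3}  per day {avg[port]:.1f}")
    print("MSSQL attempts by country:", countries_for_port(recs, 1433))
```

On real data the interesting step is the last one: when a single port dominates and its per-country breakdown is dominated by one country, the two graphs move together the way the post describes for MSSQL and China.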
