Research|Malware in metadata

Vicente Diaz
Kaspersky Lab Expert
Posted December 19, 10:07  GMT
Tags: JavaScript, Security Websites, Campaigns, PHP

One of the systems I have been running collects all our web malware detections for .ES domains. I usually check it out every morning, just in case I see something especially interesting or relevant. And when I find something, I like to create some statistics to have a global overview.

There are some things that I find every time I check my stats, like URLs that have been infected for more than 200 days, even after being notified. That speaks of the lack of security awareness at some companies, and how some websites just get abandoned and become a hive of malware.

However, one of the things that drew my attention was the detection of many PHP backdoors with not-so-common extensions, such as JPG or MP3. Maybe a false positive? Worth taking a look!


I was browsing through compromised websites used for spreading malware and found one from Argentina which belongs to a veterinary supplier. The admin panel got p0wned and, worst of all, it had a tab with the personal details of people who had posted their CVs (curriculum vitae). So, what exactly has happened? Well, basically lots of confidential information has been leaked and we are talking about home addresses, telephone numbers, details of education centers attended, mobile phone numbers, email addresses, marital status, children and even personal references. This is very bad because the same information can easily be used for all kinds of fraudulent activities: on-line ID theft, targeted attacks and so on. Here are just a few examples of real CVs uploaded and saved on the compromised site:


I'm here at Defcon watching the hacker masses share their information. As usual, it's incredibly crowded, but the new venue at the Rio hotel is a welcome upgrade. Las Vegas is as hot and crazy as ever. It's never a boring visit.

So far there have been some great talks, and I'd like to highlight a few favorites.

The talk by Moxie Marlinspike, "SSL and the Future of Authenticity", covering the shortcomings of the Certificate Authority system, was an eye-opening look into how broken this system is. As always, Moxie is an engaging and relevant speaker, and his solution is based around a distributed system with multiple authorities verifying the site you're connecting to. With a few kinks still to work out, it's an interesting idea, and certainly it's time to move away from the current model.

Another talk, by Daniel Garcia, called "UPnP Mapping", demonstrated an issue quite widespread on the internet. UPnP (Universal Plug and Play) is an interoperability system developed by Microsoft, with the idea that devices could be added to a network with zero setup. It's never worked very well at best, and at worst, it can provide a remote party all sorts of information about your device from the Internet. Mr. Garcia demonstrated a tool where he was able to scan a network block, create a list of vulnerable routers, and then even issue commands. In some cases these routers could be used as an open proxy, or for many other, more malicious purposes.


Cloud computing providers offer gigabytes of storage for free, and cybercriminals use it to maintain and spread malware of all kinds. At the same time, many legitimate services are not free, but are still very attractive to cybercrime gangs. In the case of Amazon, Amazon Simple Storage Service (Amazon S3) does the trick.

Despite being a paid service, the cost is not an obstacle for profitable attackers. In fact, my colleague Dmitry Bestuzhev recently told us about the spread of malware exploiting this service to "the cloud".

The truth is that these cases are not isolated. According to our research, cybercriminals have been running SpyEye activities and from Amazon for the past couple of weeks.


Since yesterday I've been attending the annual Hack-in-the-Box Quad-Track Security Conference in Amsterdam/NL. There's a very nice and open atmosphere here at the conference, besides the beautiful city of Amsterdam.

First, Joe Sullivan (CSO at Facebook) held a very interesting keynote about the development of security innovations at Facebook. For him, innovation is "these hacking culture, we think about each day at facebook". After explaining some of the newer security innovations (https-only, login notifications, login approvals [if e.g. geo-location of a user is suspicious], recognized devices, recent activity) he talked about the recent fb-scams with malicious scripts. "No one would do that, copying and pasting a script into the browser! - Yes, they do...", he said.

Another remarkable talk I attended was about binary planting, given by Mitja Kolsek (CTO at ACROS Security). In "Binary Planting: First Overlooked, Then Downplayed, Now Ignored" Mitja also showed a new method he called "advanced binary planting", which uses a feature of Windows' special folders (like control panel, printers, etc.) and clickjacking to make it possible to own the user's computer.

In the winter garden of the conference hotel there's a technology showcase area. Hackerspaces from all over Europe and the Netherlands are showcasing their projects here. There is also a capture-the-flag competition, lock-picking, and a (sponsor) company showcase.

For more information, please see the conference website.


The World Cup 2010 is the most popular event running right now. Cyber criminals didn’t want to miss such a “good” opportunity and have already taken advantage of it in several ways, such as sending spam that leads to phishing sites, spreading malware and so on. All of these attacks go through end-point machines, stealing users' personal information. This is the most common “modus operandi” of cyber criminals.

However, today we found an interesting attack apparently not related to money. The attack was on the Indonesian government Web server. The gang behind the attack put a defacement on the hacked Web server clearly related to the World Cup activities:

If you visit the hacked Web site you will also hear an official World Cup song. In the past we saw a lot of cases where Web servers were hacked for political, racial and other motivations. Today we see that sport-related motivations, joined by competitive spirit, also influence cyber criminals to launch offensive campaigns.

At a time when cyber criminal activity is higher than usual, please pay special attention to your security. If you don’t want to be a victim, just use the following basic security tips:

  1. Keep your security solution updated
  2. Don’t click on any tweets with shortened URLs
  3. If you get an email related to the World Cup 2010 don’t click on embedded links and don’t open any attachments it may contain.
  4. If you want to follow World Cup news, use your preferred and trusted news agency Web site. Don’t try to visit unknown sites that you found by searching the Internet.
  5. Don’t click on any links in instant messages you may receive, even from your friends or colleagues.

Stay safe!


News|Named & shamed!

Kaspersky Lab Expert
Posted March 25, 12:53  GMT
Tags: Security Websites

StopBadware.org, launched in January by Harvard University's Berkman Centre and the Oxford Internet Institute, is designed to put pressure on purveyors of 'badware' programs by 'naming and shaming' them. 'Badware', according to the organization's site, is 'malicious software that tracks your moves online and feeds that information back to shady marketing groups so that they can ambush you with targeted ads'. The project is supported by Google, Sun and Lenovo.

StopBadware.org positions itself as 'a "Neighbourhood Watch" campaign aimed at fighting badware.' The project will 'seek to provide reliable, objective information about downloadable applications in order to help consumers make better choices about what they download onto their computers.' It also 'aim[s] to become a central clearinghouse for research on badware and...[those] who spread it, and become a focal point for developing collaborative, community-minded approaches to stopping badware.'

Yesterday StopBadware.org issued its first reports, naming and shaming Kazaa, MediaPipe, SpyAxe and Screensaver.com as applications that 'contain annoying or objectionable behaviors'.


Incidents|Be careful out there!

Kaspersky Lab Expert
Posted March 10, 13:27  GMT
Tags: Internet Banking, Security Websites

Lots of today's malware is designed to steal confidential data and a recent APACS press release indicates that 'card-not-present' fraud is on the rise. We think it's always useful to flag ways in which users can minimize the risks of falling victim to fraud, and we've written about this several times in the past.

Today's Handler's Diary at the Internet Storm Center provides some useful pointers to staying safe online.

For other useful guides, check out Get Safe Online and Bank Safe Online.
