English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1
Latest posting
By rating
By popularity

Join our blog

You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.

0.3
 

This is one of those scenarios where the user looks for protection but only finds problems. Sergio de los Santos, a friend of mine, has shared with me a link to a false App that pretends to be AdBlock Plus, the well-known and useful application that many users have in their web browsers. At the time of its download, the application was active in Google Play and all who downloaded it, instead of the App blocking non-desired ads on their web browser, received the exact opposite- more ads and more problems related to data privacy.

0.2
 

Kaspersky Lab congratulates the royal couple on the birth of their new baby boy and wish them all well for the future. It is truly joyous news that is being celebrated in the UK and in the rest of the world.


However because it is such big news, it didn't take long for malicious elements to misuse it as follows: "The Royal Baby: Live updates" promises an email arriving at our spam traps today. A link named "Watch the hospital-cam" is the contained trap which leads to ... nowhere because it seems that it has already been cleaned. By the looks of it, it may be a compromised legitimate website which got cleaned.

But we are still interested in what the malicious content could be and we didn't need to search for long. Exactly _one_ hit for our web search was shown at the time of writing this article.

Incidents|Boston Aftermath

Michael
Kaspersky Lab Expert
Posted April 17, 04:02  GMT
Tags: Spam Letters, Social Engineering, Malvertizing
0.3
 

While many are still in shock after the Boston Marathon bombings on 16 April, it didn't take long for cyber criminals to abuse that tragic incident for their dirty deeds.



Today we already started receiving emails containing links to malicious locations with names like "news.html". These pages contain URLs of non-malicious youtube clips covering the recent event. After a delay of 60 seconds, another link leading to an executable file is activated.



The malware, once running on an infected machine, tries to connect to several IP addresses in Ukraine, Argentina and Taiwan.
Kaspersky Lab detects this threat as "Trojan-PSW.Win32.Tepfer.*".

MD5sums of some of the collected samples:
5EA646FFDC1E9BC7759FDFC926DE7660
959E2DCAD471C86B4FDCF824A6A502DC

Our thoughts and prayers are with our colleagues in Massachusetts and others affected by the tragic events in Boston.

comments      Link
0.7
 

Just a quick note, it's only the second week of January, but early 2013 brings with it the first Java 0day mass exploit distribution of the year.

There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem. We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites. A few obfuscated files are being delivered to victim systems with names like Stretch.jar, Edit.jar, UTTER-OFFEND.JAR, and more. The first appearance of the exploit's prevention in our KSN community seemed to be January 6th. But as we dig back further, we find related samples from mid-December. So, we have been preventing this 0day in particular for quite some time. At this point, it seems that the first instance of the particular 0day jar file contents ITW is 7550ce423b2981ad5d3aaa5691832aa6. Filenames for the class files remain the same until recently. It would be interesting to see an earlier instance.

Follow me on Twitter

As for Kaspersky users, our automatic exploit prevention (AEP) is generically preventing the 0day. Surprisingly, while there doesn't appear to be a high level of server-side polymorphic obfuscation in the class files themselves, the hosted exploit files are being updated and changing since yesterday. Instead, the Blackhole developers and operators put a lot of effort behind shifting domain names.

Update (2012.01.10 3:30 p.m. MT) - Metasploit developers have added an exploit module targeting this vulnerability CVE-2013-0422.

Research|Malicious ads on security websites

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted February 07, 14:53  GMT
Tags: Rogue Security Solutions, Malvertizing
0
 

Perhaps the worst possible scenario is when a bank website is hosting malicious ads: you never know what can be installed and when on your computer if you click on the ad banners.
Something similar happens with security websites hosting malicious ads. They are supposed to be for security information. The people browsing such sites trust the content to be safe, but in actual fact because of the ad banners the resources may be anything but trustworthy.

0.2
 

It is clear that cybercriminals do not have any code of ethics. Consequently, even the most innocent are not exempt from a malicious attacker’s perspective, and are often used as a means to allow them to generate higher economic returns, in this case, through the abuse of clicks.

The following image provides clear evidence of this. Designed with an interface that’s "user friendly" for kids, this website invites you to download a threat detected by Kaspersky Lab as not-a-virus: AdWare.Win32.BHO.tbz.

Incidents|Malvertising on ImageShack

David Jacoby
Kaspersky Lab Expert
Posted May 04, 16:12  GMT
Tags: Antivirus Updates, Malvertizing
0.5
 

Today while conducting research on the alleged Latvian power hack, I came across some interesting malvertising on imageshack, where pictures of the purported hack have been hosted.

Advertising on the page loads a exploitable Java vulnerability that Kaspersky recognizes as Exploit.HTML.CVE.2010-4452.m, which then tries to download Trojan.win32.TDSS.cgir. TDSS as some of you may recognize is a rootkit that can access Windows at its lowest levels and can prove extremely difficult to remove.

Upon opening the page, the advertisement loads, and a connection to http://--removed--ediagroup.com/enc/jv.html is made. This launches the actual exploit. A second page http://--removed--ediagroup.com/load.php?2 is loaded which drops the Trojan containing the TDSS malware.

Kaspersky already detects both the exploit, as well as the Trojan payload. This serves as a reminder of the importance of keeping your Anti-virus up to date.

We will update with further details as they become available.

Comment      Link
0.5
 

Over the past couple months, some advertising networks have been distributing ads that redirect browsers to sites hosting exploits.

Spotify's advertising network was most recently outed (note that it is the third party banner ads rotating through the client's ad frames). Most of the redirections we have been been monitoring have sent users to a variety of servers in the .cc TLD. We have been working with providers to ensure the ads aren't on their networks, but the groups have been active in rotating malvertizing banners through multiple networks.