About Diary's Authors

The Analyst's Diary is a weblog maintained by virus analysts from Kaspersky Lab headed by Eugene Kaspersky. Find out more about the authors of this weblog.


Analyst's Diary

Tomorrow's spam - today

Maria | November 19, 2009 | 10:04 GMT

Geocities.com has been gone for a month now, and you'd have thought the spammers would be missing it. But one of the messages we got today shows that on the contrary, the spammers are looking forward to the future.

Here's the message we got today – with tomorrow's date on it. Most people configure their mail client to sort incoming messages by date, so putting a future date on an email ensures maximum visibility: the message lands right at the top of the inbox.
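One way a mail filter can catch the trick described above is to compare the Date header against the receiving clock and flag anything more than a small skew into the future. The script below is an added example, not something from the original post; the messages, the fixed "now" value and the one-hour tolerance are constructed for illustration.

```python
"""Flag incoming mail whose Date header lies in the future.

Added example (not from the original post). Standard library only; the
messages and the reference clock below are constructed, not real traffic.
"""
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Fixed reference clock so the example is reproducible offline.
NOW = datetime(2009, 11, 19, 10, 0, tzinfo=timezone.utc)

# Constructed: dated the day after NOW, the pattern the post describes.
FUTURE_DATED = """\
From: promo@example.net
To: user@example.org
Subject: Work from home and earn
Date: Fri, 20 Nov 2009 09:00:00 +0000

http://twitter.example/some-new-account
"""

# Constructed: an ordinary message dated shortly before NOW.
NORMAL = """\
From: colleague@example.org
To: user@example.org
Subject: Meeting notes
Date: Thu, 19 Nov 2009 08:30:00 +0000

See attached.
"""

# Constructed: no Date header at all, which is suspicious in its own right.
MISSING_DATE = "From: a@example.org\nSubject: hi\n\nbody\n"


def date_skew_seconds(raw_message, now=NOW):
    """Seconds the Date header is ahead of `now` (negative if behind).

    Returns None when the header is absent or unparseable.
    """
    msg = message_from_string(raw_message)
    header = msg.get("Date")
    if not header:
        return None
    try:
        sent = parsedate_to_datetime(header)
    except (TypeError, ValueError):
        return None
    if sent.tzinfo is None:          # "-0000" dates come back naive; treat as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return (sent - now).total_seconds()


def is_future_dated(raw_message, now=NOW, tolerance=timedelta(hours=1)):
    """True when the Date header is more than `tolerance` ahead of `now`.

    The tolerance absorbs ordinary clock skew between sender and receiver.
    """
    skew = date_skew_seconds(raw_message, now)
    return skew is not None and skew > tolerance.total_seconds()


def classify(raw_message, now=NOW):
    """Label a message for a filter rule: 'future-dated', 'no-date' or 'ok'."""
    skew = date_skew_seconds(raw_message, now)
    if skew is None:
        return "no-date"
    return "future-dated" if is_future_dated(raw_message, now) else "ok"


if __name__ == "__main__":
    for name, raw in [("future", FUTURE_DATED), ("normal", NORMAL), ("nodate", MISSING_DATE)]:
        print(name, classify(raw))
```

A client that sorts by the Date header will still show such mail at the top, so the practical use of the check is on the server side: quarantine or down-rank future-dated mail before it reaches the inbox, rather than trusting the sender's timestamp for ordering.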



The links in these messages lead to new Twitter accounts:

Which in turn link to a site looking very like a news portal. But the only working links here reference making money by working from home.



The account shown above also has tweets with links to typical Viagra and weight loss sites. It's clear that spammers may be moving with the times by changing the tools they use, but they haven't changed their message. And why should they, as long as there's profit to be made?

The link between high speed and cybercrime

Costin | November 18, 2009 | 10:03 GMT

At the moment I’m in Johannesburg, South Africa, talking at the opening of our local office about security and mitigation strategies.

Despite being a booming city, Johannesburg, owing to its distance from the information centers of the world, has remained somewhat behind others in terms of internet connectivity. This may change very soon, though.

Source: Seacom HQ c/o Linda Carter

Meet Seacom. Seacom is a fiber optic network which connects a large part of the African continent with UK, France, Egypt, UAE and India. One of the interesting issues raised by some of the journalists during the past days is the link between cybercrime and Seacom.

A long time ago, when people used 2400bps modems (do you still remember those?), one could pretty much “hear” when something odd, for instance a hacking attempt, was going on with their machine. Similarly, there used to be a time when I could tell if a computer was infected just by listening to the sound of the hard drive spinning while executing a clean file. Nowadays, with fiber optic and SSD drives, such things are but long forgotten stories. Over a regular fiber optic link, it can take less than a few minutes to transfer one full GB of confidential information from a compromised machine. Or, it might take a few microseconds to inject a backdoor into an unpatched Windows machine.

It is hard to predict whether there will be a major rise in cybercrime in South Africa in the very near future due to Seacom. Yet one needs to keep in mind what increased bandwidth brings:

• P2P applications, file sharing and exchange
• Illegal music and movie downloads
• Pirate software

While these are not necessarily directly connected to cybercrime, a vast amount of pirate software nowadays contains trojans, for both PC and Mac. Similarly, leaks caused by P2P applications are known to have caused serious incidents all around the globe.

Spam is another problem. Even the network attacks, which have decreased in amount during the recent years, seem to benefit from increased bandwidth.

What about mitigation? As usual, prevention is better than the cure. I’ve compiled a short list of security tips that I constantly recommend in my presentations:

• Install and run an Internet Security Suite
• Don’t assume a website is safe because it is high profile
• Use an up-to-date, modern browser: IE8, FF 3.x, Chrome, Opera 10
• Keep Windows up-to-date
• Always run the latest versions of Adobe Reader, Flash Player, MS Word, etc…
• Be wary of messages from social networks

There are a lot of good things that increased bandwidth will bring, just make sure you’re not going to fall victim to its unwanted side effects.

Facebook isn't always fun

David | November 16, 2009 | 17:38 GMT

National Anti-Bullying Week is kicking off in the UK today. This year the focus is on combating cyberbullying, with lots of resources for schools, a roadshow, and videos discussing the problem of bullying.

It’s great to see this issue being addressed - media reports and research show that with Facebook, MySpace, text messaging and other technologies now part of our daily lives, the problem of cyberbullying is becoming increasingly widespread.

There are lots of resources for kids, educators and parents out there: check out our Stop Cybercrime guide, which includes a section on how to help your children stay safe online.

Happy Friday 13th!

Aleks | November 13, 2009 | 13:57 GMT

Friday 13th! If you're at all superstitious, today is bad news. But for those of us in the antivirus industry, Friday 13th is a special day.

It's not an officially recognized holiday, and of course we're not taking the day off: we're here 24/7/365. But Friday 13th is when we remember when and why the antivirus industry really started...

22 years ago, in October 1987, a new file virus which infected COM and EXE files was identified in Jerusalem. Like similar, earlier programs, it was able to self-replicate, but it also had an additional, malicious payload which triggered on Friday 13th: when an attempt was made to run any program, the program file would be deleted, and DOS would say that the file couldn't be found. This meant that any file called using the Exec function got deleted.

The virus spread widely (even though neither the Internet nor email had really caught on at that stage) on floppy disks which got passed around, and via BBSs.

13th May 1998 was D-day: thousands of messages about the virus started pouring in from around the world, and particularly from the US, Europe, and the Middle East. Jerusalem had become one of the first MS-DOS viruses to cause a pandemic.

The virus had managed to spread unnoticed to thousands of computers: antivirus software wasn't commonly used, and lots of people simply didn't believe that computer viruses were real. And it was in the same year that Peter Norton, a guru of the computing world, said that computer viruses were an urban legend, comparing them to the crocodiles which supposedly live in the sewers of New York. (This bold statement didn't deter Symantec, however, from developing its own antivirus software – Norton Anti-Virus.)

It was a watershed: new companies developing antivirus software started appearing, most of them of the "two men and a dog" variety. The antivirus programs themselves were nothing more than the simplest scanners which used contextual search to detect unique strings of virus code. "Immunizers" were popular too; these modified programs so that malware would think the programs were already infected, and not "re-infect" them.

Jerusalem's malicious payload went beyond deleting files: dozens of other viruses appeared which also had payloads designed to trigger on Friday 13th. Not surprisingly, those in the computer world started to associate Friday 13th with viruses; some people thought it was safer not to switch a computer on when the fateful date cycled round, and some altered the date on their machines, to the 12th or the 14th. The virus writers picked up on this and started playing the same game, producing "Thursday 12th" and "Saturday 14th" viruses.

As for us – well, today we want to wish everyone in the antivirus industry a happy Friday 13th! Yes, we have our differences - in ideology, philosophy, opinion and market share. But let's remember what we have in common, and why we're in this game in the first place. If we can't do that – then what are we doing here?

The Gumblar system

VitalyK | November 11, 2009 | 11:20 GMT

We've been looking at the infrastructure of the Gumblar malware and found some curious facts about how Gumblar operates, which we would like to share to make hosting owners aware of the Gumblar threat.

Analysis of some infected websites showed that the only way the Gumblar infection could have been injected was via FTP access, because those websites have no server-side scripting. This was later confirmed by an analysis of FTP log files.

The malicious code injection into HTML pages (a simple insertion of a <script> tag into every file containing HTML) was done by downloading all files from the server that could contain HTML, modifying them and uploading them back. We call the websites modified in this way “redirectors”, because they simply redirect browsers to the website spreading the malware.
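The fetch-modify-put pass described above leaves a recognisable trace in FTP transfer logs: one account downloads many HTML files and, within minutes, uploads slightly larger copies of each. The detector below is an added example, not code from the Gumblar analysis; it works on constructed log lines in an xferlog-like layout that is assumed here rather than taken from any particular FTP daemon, and the hosts, paths and thresholds are illustrative.

```python
"""Spot FTP sessions that pull down and re-upload many HTML files within minutes.

Added example, not code from the Gumblar analysis. The log lines are constructed
in an xferlog-like layout (assumed, not taken from a specific FTP daemon):
  <wday> <mon> <day> <HH:MM:SS> <year> <secs> <remote-host> <bytes> <path>
  <type> <flag> <direction> <mode> <user> <service> <auth> <auth-user> <status>
with direction 'o' for a download from the server and 'i' for an upload to it.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: 192.0.2.10 fetches three HTML files and re-uploads each a
# few bytes larger within seconds; 198.51.100.7 is ordinary maintenance traffic.
SAMPLE_LOG = """\
Tue Nov 10 03:12:01 2009 1 192.0.2.10 4096 /var/www/html/index.html a _ o r webuser ftp 0 * c
Tue Nov 10 03:12:02 2009 1 192.0.2.10 2048 /var/www/html/about.html a _ o r webuser ftp 0 * c
Tue Nov 10 03:12:02 2009 1 192.0.2.10 3072 /var/www/html/news/1.html a _ o r webuser ftp 0 * c
Tue Nov 10 03:12:03 2009 1 192.0.2.10 4200 /var/www/html/index.html a _ i r webuser ftp 0 * c
Tue Nov 10 03:12:03 2009 1 192.0.2.10 2152 /var/www/html/about.html a _ i r webuser ftp 0 * c
Tue Nov 10 03:12:04 2009 1 192.0.2.10 3176 /var/www/html/news/1.html a _ i r webuser ftp 0 * c
Tue Nov 10 09:45:10 2009 3 198.51.100.7 15000 /var/www/html/photos/cat.jpg b _ i r webuser ftp 0 * c
Tue Nov 10 10:01:00 2009 1 198.51.100.7 4096 /var/www/html/index.html a _ o r webuser ftp 0 * c
"""

HTML_SUFFIXES = (".html", ".htm", ".php", ".asp", ".aspx")


def parse_line(line):
    """Pull the fields the detector needs out of one log record."""
    f = line.split()
    stamp = datetime.strptime(" ".join(f[0:5]), "%a %b %d %H:%M:%S %Y")
    return {"ts": stamp, "host": f[6], "size": int(f[7]),
            "path": f[8], "direction": f[11], "user": f[13]}


def find_rewrite_sessions(log_text, window_seconds=300, min_files=3):
    """Return [(host, user, n_rewritten)] for sessions matching the pattern.

    A file counts as "rewritten" when the same account downloads it and then,
    within window_seconds, uploads a larger copy: exactly what a blind
    fetch-modify-put pass that appends a tag to every HTML file produces.
    """
    downloads = defaultdict(dict)   # (host, user) -> path -> (ts, size)
    rewritten = defaultdict(set)    # (host, user) -> paths re-uploaded larger
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        if not e["path"].lower().endswith(HTML_SUFFIXES):
            continue
        key = (e["host"], e["user"])
        if e["direction"] == "o":
            downloads[key][e["path"]] = (e["ts"], e["size"])
        elif e["direction"] == "i":
            prev = downloads[key].get(e["path"])
            if prev is None:
                continue
            age = (e["ts"] - prev[0]).total_seconds()
            if 0 <= age <= window_seconds and e["size"] > prev[1]:
                rewritten[key].add(e["path"])
    return sorted((host, user, len(paths))
                  for (host, user), paths in rewritten.items()
                  if len(paths) >= min_files)


if __name__ == "__main__":
    for host, user, n in find_rewrite_sessions(SAMPLE_LOG):
        print(f"{host} as {user}: {n} HTML files fetched and re-uploaded larger")
```

The thresholds are deliberately loose; a legitimate site deploy also rewrites many files, so a hit is a prompt to compare the re-uploaded files against a known-good copy and to check whether the source address matches the site owner's usual location, not a verdict on its own.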

The injected script refers to another website that hosts the exploits and registers all attacked clients. These websites have to support PHP, because the backend is implemented in PHP. We call these websites infectors, because they host the exploits and the malicious executable file for Windows. The malicious Windows executable is pushed when the attack is successful. The executable then waits for the user to enter FTP credentials.
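Because the redirector pages differ from their clean originals only by an extra script tag that references a host the site owner never chose, a hosting owner can sweep a web root for script references to unrecognised hosts. The scanner below is an added example, not code from the Gumblar analysis; the sample pages, the trusted-host list and the injected URL are constructed, and the real injected code was not necessarily this plain.

```python
"""Find HTML files carrying <script src=...> tags that point at unrecognised hosts.

Added example, not code from the Gumblar analysis. The page contents, the
trusted-host list and the injected URL below are constructed for illustration.
"""
import os
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def foreign_script_srcs(html_text, trusted_hosts):
    """Return script src values whose host is absent from trusted_hosts.

    Relative and same-origin references carry no host and are ignored; the
    caller decides which hosts are legitimately allowed to serve scripts.
    """
    parser = ScriptSrcCollector()
    parser.feed(html_text)
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host and host.lower() not in trusted:
            hits.append(src)
    return hits


def scan_webroot(root, trusted_hosts, suffixes=(".html", ".htm", ".php")):
    """Walk a directory tree and map each file to its foreign script references."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = foreign_script_srcs(fh.read(), trusted_hosts)
            if hits:
                findings[path] = hits
    return findings


# Constructed sample pages: one clean, one with a tag appended after </html>,
# which is where a blind "insert into every HTML file" rewrite tends to leave it.
TRUSTED = {"www.example.com", "cdn.example.com"}

CLEAN_PAGE = """<html><head><script src="/js/site.js"></script>
<script src="http://cdn.example.com/lib.js"></script></head><body>hi</body></html>
"""

INJECTED_PAGE = CLEAN_PAGE + '<script src="http://injected.example/x.php"></script>\n'


if __name__ == "__main__":
    print("clean:", foreign_script_srcs(CLEAN_PAGE, TRUSTED))
    print("injected:", foreign_script_srcs(INJECTED_PAGE, TRUSTED))
```

Run `scan_webroot("/path/to/htdocs", TRUSTED)` against a copy of the site; anything it reports should be diffed against the last known-good deployment, and the FTP credentials for that site changed from a machine that is known to be clean, since the credentials themselves are what the Windows component harvests.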

We've been able to find where the server code for redirectors and infectors websites was coming from. And we've found an additional tier of infrastructure - a set of compromised websites which we call “injectors”. These websites host a generic php backdoor which lets the owner execute any php code on the webserver.

All the websites from all tiers seem to be legitimate but compromised websites not connected to the Gumblar group. The whole set of compromised hosts was split into at least 3 non-intersecting groups which were used for different purposes.

The injectors are not acting on their own. This tier seems to be used to proxy the injection tasks. This means that there is another set of machines which actually issue the code and commands to infect the webpages on the compromised webservers. We call these machines "dispatchers". There isn't a lot of information about them yet and it's unclear whether they're compromised as well.

So the Gumblar tiers look like this:

Why is Gumblar so widespread? The answer is quite simple: it's a fully automated system, a new generation of self-building botnet. The system actively attacks visitors of a website, and once these visitors have been infected with the Windows executable, it grabs FTP credentials from the victim machines. The FTP accounts are then used to infect every webpage on new webservers. In this way the system extends the number of infected pages, thus attacking more and more computers. The entire process is automated; the owner of the system just needs to adjust the system and update the Trojan executable which steals passwords and the exploits used to attack the browser.

The system works in a constant loop of attacking new computers, getting new FTP accounts and infecting new servers. The illustration below includes the roles of the compromised hosts:

Patch Tuesday

Bo | November 10, 2009 | 21:13 GMT

The first Patch Tuesday since the release of Windows 7 wasn’t as historic as last month – this time Microsoft released 6 patches addressing 15 vulnerabilities.

Today’s patches did not include a patch for Windows 7, but there is one for Vista. Could this be an indication of things to come, or should I say not to come?

Four of today's patches address issues in pre-Win7 versions of Windows and Windows Server and the other two are for Office products. Three of the six patches are considered critical with the other half labeled important.

Microsoft considers MS09-065 the most critical of the bunch. This patch mitigates 3 vulnerabilities, one of which has been publicly disclosed. It prevents users running Windows 2000 SP4, XP SP2 and SP3 or Server 2003 SP2 from being exploited when visiting specially crafted malicious websites. If you are running Windows Vista or a more recent OS this is not critical and is lowered to a severity rating of important, as the impact is only Elevation of Privilege.

The other two vulnerabilities addressed in this patch require the attacker to have valid logon credentials to exploit successfully.

MS09-063 affects Windows Vista and Windows Server 2008 and is for Web Services on Devices API (WSDAPI). This is the service that allows Windows clients to discover and access remote devices such as PDAs, cameras, printers and other devices. The vulnerability could allow remote code execution if an affected Windows system receives a specially crafted packet. The key here is that the attacker will need to be on the local subnet to exploit this vulnerability.

MS09-064 affects only Windows 2000 Server SP4 and addresses the License Logging Service (LLS) which is enabled by default. Microsoft suggests that administrators with Windows 2000 Servers on public facing networks should put this patch higher on the list in priority.

MS09-067 and MS09-068 are the Microsoft Office patches. In this case the exploit will only work with some user interaction, specifically if the user opens a malicious Excel or Word file. Because those of us who run Office 2003 or later are prompted to open, save or cancel before opening any file from an email, Microsoft lowered the severity and deployment priority.

I would like to point out here that if you don’t know who sent you the file or why they would have sent it, you might want to hold off on opening it.

Clearly it is too early to say whether Windows 7 has been the improvement Microsoft says it is, and over the next few months it should be interesting to see how things go for Win7.

As always I suggest downloading and installing the patches, but I would like to note that 4 out of the 6 patches will require a reboot so make sure to plan accordingly.

For more information on these patches please visit Microsoft’s blog.

Who's №1?

Maria | November 06, 2009 | 11:12 GMT

If you're looking for Internet security software online, you'll see we're right up there in the ratings. And it seems that we're №1 with spammers too.

You might think we'd be happy to have our name all over this spam – pretty good advertising. But because we're in the security business, we take a dim view of this type of thing: spam is criminal, spreads malware and hogs bandwidth. The link leads to a site selling all sorts of cheap (i.e. pirate) software:

This is advertising we don't need. Sure, we want people to buy our product, because we know it's good. And on a more banal note, yes, our product is our bread and butter.

You might save money buying a pirate version, but think of the consequences. You get a product which won't work properly (leaving your computer at risk) and you'll be egging the cybercriminals, malware writers and spammers on to new heights.

AVAR 2009

Costin | November 05, 2009 | 15:05 GMT

Of the four major AV security conferences out there, that is, EICAR, the CARO Technical Workshop, Virus Bulletin and AVAR, AVAR is the last of the year.

Its current edition started yesterday, in the ancient city of Kyoto, the imperial capital of Japan. The program features a number of prominent speakers, among them our very own Eugene Kaspersky and Stefan Tanase.

With flu epidemics currently running around the world, we must salute the organizers' initiative to distribute masks together with the delegate packs. Here's the Kaspersky team, looking prepared for the worst:

From left to right: Costin, Stefan, Andrey, Aleks and Michael, with Nikita behind the lens.

Until the next time, sayonara from Kyoto, and have a good and germ-free weekend!

Gumblar update

Michael | November 02, 2009 | 11:11 GMT

As expected, we can confirm more compromised machines. Our current count looks as follows:


7798  UNITED STATES
1765  INDIA
1332  ARGENTINA
1244  TURKEY
1094  RUSSIAN FEDERATION
1084  GERMANY
 968  SPAIN
 950  ISLAMIC REPUBLIC OF IRAN
 881  REPUBLIC OF KOREA
 878  MOROCCO
 822  CANADA
 815  PERU
 792  JAPAN
 712  THAILAND
 689  AUSTRIA
 678  ROMANIA
 655  POLAND
 654  ISRAEL
 628  SWEDEN
 599  ITALY

These numbers stand for unique hosts; some of them contain several user directories etc., which means that the real count is much higher than shown here. As mentioned before, each of these hosts is spreading a set of malicious files which are sent to a user depending on the computer's environment. We used the site www.virustotal.com to confirm the current detection status among the 41 antivirus vendors who participate in that site. The result showed that currently only 3 out of 41 vendors detect the malicious *.php file which is injected at the above locations. The malicious *.pdf file scored 4/41 and the flash content was detected by 3 out of 41 vendors. However, the main executable payload was detected by 33 vendors. Of course, these malicious files can be changed at any time by the criminals who operate this scheme. We are closely monitoring further developments in order to protect our users as fast as possible.

Trick or treat?

Maria | October 30, 2009 | 13:55 GMT

Halloween's almost here. And it's not just the witches, ghosts and ghouls you need to watch out for, but the latest wave of Internet scams. As ever, the spammers are out in force, offering cheap software:

costumes and personalized gifts:

and even e-cards!

If you want to send a card, you need to install a special browser utility. Do this, and as long as you're in the US, Canada, or a number of other Western countries, the spammer will get paid by the guys who developed the utility.

If you're coming from a Russian IP address, though, you'll see this message:

and get redirected to a lottery site:

If you're a regular reader of this blog, you might find the last two screen shots familiar; in fact, the scam is identical to one I wrote about back in June this year.

The spammers haven't changed their tried and trusted methods for this holiday, and we haven't changed our advice – take up an offer like the ones above, and you'll be putting money into spammers' pockets, giving away your personal details, or opening the door to malware. And I think all of that is a lot scarier than any Halloween monster...


Copyright © 1996 - 2009
Kaspersky Lab