The Analyst's Diary is a weblog maintained by virus analysts from Kaspersky Lab headed by Eugene Kaspersky.

Analyst's Diary, February 2009

We help you to survive this crisis!


Dmitry | February 23, 2009, 11:48 GMT

There have been a lot of variants of Email-Worm.Win32.Iksmas around lately. Now that Valentine's Day is over, we might have expected to see fewer of them, but no.

There's been a new flood of mass mailings spreading Iksmas - instead of professions of endless love, these messages are offering money saving coupons. And who's going to say no to a special offer?

The name of the worm executable varies, but all the names have one thing in common - save.exe, nocrisis.exe, etc. all reference the economic situation.

Of course, special offers are great, and we could all use a bit more cash. But stick to offers you know are genuine; if you go for scams like this, you're just putting money in the spammers' pockets.

Desde la Habana


Costin | February 16, 2009, 09:40 GMT

Hello from Havana, the capital of Cuba, where the 13th edition of the ‘Informatica’ convention and trade fair is taking place.

The first days of the show were dedicated to various aspects of information technology deployment in Cuba, with an emphasis on the associated security issues.

Our Cuban partner, Segurmatica (www.segurmatica.cu), gave a number of interesting technical presentations, including one on the detection and removal of the Polip and Virut viruses, which they have implemented in their product, SegAV.

Of course, Friday 13th is a memorable date in the history of computer viruses, which is why Jose Bidot, the organizer of the convention, chose Friday 13th February 2009 as the day for the international conferences on malware and computer security.

Among the speakers were Ero Carrera from Hispasec/Virustotal, who might be familiar to some of you, our own Dimitry Bestuzhev and myself.

The Friday 13th presentations focused both on the huge growth in the volume of malware and on the increasing sophistication and number of attacks against users in Latin America and around the world.

The next edition of ‘Informatica’ will be in 2011; until then, ‘Hasta Luego!’ from sunny Havana.

What really happened to usa.kaspersky.com/support


VitalyK | February 09, 2009, 21:25 GMT

We have seen quite a few different and controversial comments regarding the recent attack on usa.kaspersky.com/support. People have questions and want answers: what really happened and what risk did the penetration create?

As a member of the group dealing with the incident analysis, I would like to share our results.

We confirm that the vulnerability existed in the new version of usa.kaspersky.com/support. We analyzed the log files and found requests with SQL injection. There were several attackers with IP addresses from Romanian ISPs. The requests were initially made with an automated tool - the screenshots showed that the hackers used a variant of an Acunetix tool.

Once the initial probes told the attackers that this section was vulnerable, they attempted to exploit the vulnerability manually to get data about the structure of the database. They used the information_schema database to query existing table names and table columns. After collecting field names, the attackers made a few attempts to extract the data from tables. Those queries failed because the attackers specified the wrong database. The attackers stopped after they got only the column and table names from the database and decided to go for glory. No data modification queries (UPDATE, INSERT, DELETE, ...) were logged.

After conducting the attack, the attackers decided to show off their ‘great code of ethics’ by sending Kaspersky an email, on a Saturday, to several public email boxes. They gave us exactly 1 hour to respond, and posted on their blog without having received a response.

To sum up:


  1. We are lucky the hackers proved to be more interested in fame than in causing damage
  2. Secure development MUST be a key priority for web development - anywhere, anytime and all the time, and
  3. It is a lesson to us all - check, check and re-check your processes and your code.
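The attack sequence described above, as an added example that is neither Kaspersky's code nor the code of the affected site (the post does not show it): an injectable lookup, the boolean probe that reveals it, catalog enumeration through a UNION, and the data pull, run against an in-memory SQLite database so that it executes with a plain php binary and pdo_sqlite, with the hardened lookup beside it. The faq and users tables, their columns and the id parameter are assumptions; sqlite_master stands in for MySQL's information_schema.tables and information_schema.columns, and, unlike the real incident, the final extraction here names the right database so that the exposure is visible.

```php
<?php
// Added example: not Kaspersky's code and not the affected site's code.
// Schema, table names and the id parameter are assumptions for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL also set PDO::ATTR_EMULATE_PREPARES => false, so the server rather
// than the client library separates the statement from its parameters.

// Constructed schema standing in for a support-site database.
$pdo->exec("CREATE TABLE faq   (id INTEGER PRIMARY KEY, question TEXT, answer TEXT)");
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, passwd TEXT)");
$pdo->exec("INSERT INTO faq VALUES (12, 'How do I renew?', 'Open the licence dialog.')");
$pdo->exec("INSERT INTO users VALUES (1, 'admin', 'not-a-real-hash')");

// --- Vulnerable: the request parameter is concatenated straight into SQL ----
function faq_lookup_vulnerable(PDO $pdo, $id) {
    $sql = "SELECT id, question, answer FROM faq WHERE id = " . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// --- Hardened: validate the type, then bind the value as a parameter --------
function faq_lookup_safe(PDO $pdo, $id) {
    $id = filter_var($id, FILTER_VALIDATE_INT);
    if ($id === false) {
        return array();        // reject it (and log it: a non-integer id is a probe)
    }
    $st = $pdo->prepare("SELECT id, question, answer FROM faq WHERE id = ?");
    $st->bindValue(1, $id, PDO::PARAM_INT);
    $st->execute();
    return $st->fetchAll(PDO::FETCH_NUM);
}

// Stage 1 from the post: a boolean probe.  A true condition keeps the row,
// a false one drops it, which tells the attacker the parameter is injectable.
$probe_true  = faq_lookup_vulnerable($pdo, "12 AND 1=1");   // 1 row
$probe_false = faq_lookup_vulnerable($pdo, "12 AND 1=2");   // 0 rows

// Stage 2: catalog enumeration.  The UNION must match the three columns of
// the original SELECT.  On MySQL the target would be information_schema.tables
// and information_schema.columns; in SQLite the catalog is sqlite_master.
$enumerate = "-1 UNION SELECT name, sql, 'x' FROM sqlite_master WHERE type = 'table'";
$leaked = faq_lookup_vulnerable($pdo, $enumerate);          // faq and users, with DDL

// Stage 3: pulling rows out of a table discovered in stage 2.
$extract = "-1 UNION SELECT login, passwd, 'x' FROM users";
$dumped  = faq_lookup_vulnerable($pdo, $extract);           // the admin row

// The same three payloads against the hardened lookup all return nothing:
// none of them survives FILTER_VALIDATE_INT.
$blocked = array_map(function ($p) use ($pdo) { return faq_lookup_safe($pdo, $p); },
                     array("12 AND 1=1", $enumerate, $extract));

printf("probe: true=%d rows, false=%d rows\n", count($probe_true), count($probe_false));
foreach ($leaked as $row) printf("leaked table: %s  %s\n", $row[0], $row[1]);
foreach ($dumped as $row) printf("dumped user:  %s / %s\n", $row[0], $row[1]);
printf("hardened lookup rows for the three payloads: %s\n",
       implode(',', array_map('count', $blocked)));
```

Run it with `php sqli_demo.php`. The hardening is two independent layers: the type check turns every payload above into a rejected request that is worth alerting on, and the bound parameter means that even a value that passes validation can never change the shape of the statement. Review code for every place a request value reaches a query string, not only the one the scanner found.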

Crime and punishment


Aleks | February 06, 2009, 16:32 GMT

Back in December 2007 we blogged about how the Russian Federal Security Service identified and arrested the authors of Pinch.

Yesterday a whole bunch of media in different countries referenced PrevX, which was saying that the Pinch Trojan is still very active, infecting thousands of users around the world every day.

One particularly interesting article came from The Register, a UK publication, which says:

"The two suspected authors of the virus creation toolkit were arrested and questioned by Russian police in December 2007 but never prosecuted."

These words have been reproduced in some form or another by other publications, particularly Russian ones. And of course, such statements beg the question “why haven’t the authors of Pinch been sentenced?”

As we’ve always been on the front line in the fight against Pinch, and have tracked its history very carefully indeed, we are of course able to answer this question.

The people who created and spread Pinch were identified, and the surnames given in the media – Ermishkin and Farkhutdinov – belong to these people. A criminal case was raised, with the investigation being carried out throughout 2008. The fact that the investigation took so long reflects the complexity of the Pinch story.

At the end of December 2008, a court case started at the Kalinskii regional court in the town of Chelyabinsk.

The two defendants, who went under the names of damrai and Scratch, were accused of creating Pinch, Pinch2Pro and Parser. damrai (Farkhutdinov) was the main developer, while Scratch (Ermishkin) was responsible for Parser. The two conducted their criminal activity between 2005 and 2007.

The defendants created a range of sites – pinch2pro.ru, pinch3.ru, pinch3.com and pinch3.net – in order to sell their creations.

damrai and Scratch admitted spreading dozens of modifications of Pinch, Pinch2Pro, Pinch3 and Parser between the start of 2005 and June 2007. In electronic payments they made around 20,000 roubles a month, amounting to a total of 600,000 roubles.

The defendants were sentenced on 29th December 2008. The court statement read as follows:

Farkhutdinov Damir (DOB 1986)(aka damrai) and Ermishkin Alexey (DOB 1985)(aka Scratch) have been found guilty in accordance with part 1, Article 273 of the Criminal Code of the Russian Federation and are sentenced as follows:

Farkhutdinov D. is sentenced to a prison term of 1 year 6 months and a fine of 30,000 roubles.

Ermishkin A. is sentenced to a prison term of 1 year and a fine of 20,000 roubles.

In accordance with Article 73 of the Criminal Code of the Russian Federation, the prison terms take the form of a 2 year conditional sentence for each defendant.

During sentencing, the court took into account the defendants’ admission of guilt, regret, help accorded to investigators, and the fact that the defendants gave themselves up.

The sentence came into force on 12th January 2009.

Indonesian Trojans redux


February 06, 2009, 12:40 GMT

Just a couple of weeks ago we blogged about Symbian malware in Indonesia – Trojans that use SMS messages to transfer money from the user’s account to a cyber criminal’s account.

We’ve just detected a new malicious program with a similar payload: Trojan-SMS.J2ME.GameSat.a. As you can guess from the name, it’s targeting phones running J2ME – this move really widens the pool of potential victims (and the potential profits!)

The Trojan passes itself off as an app offering fun features like chat and dating, but once it’s launched, it sends an SMS to 151, the same premium number used by the last lot of Trojans. Of course, it doesn’t tell the user that the SMS is going to cost 5,000 rupiah (about 0.45 USD), and there’s no indication that this money is going straight from the user’s account into the cyber criminal’s account.

So that’s 6 new pieces of mobile malware in the space of just over two weeks, a move from Symbian to J2ME, and a clear financial motive behind the attacks. We await developments...

PHP hack


Aleks | February 05, 2009, 13:04 GMT

If you drop by phpbb.com, you’ll be greeted by this notice, which has been there for 5 days now:


So yes, there is a problem, and a big one, because it turns out there’s a vulnerability in the implementation of “register_globals” in PHP. Hosting providers are starting to fix the bug; last night Masterhost, the biggest Russian hosting provider, sent the following message to all its clients:
(Translated from the Russian original.)
This is to inform you that on Monday 9 February 2009 the configuration of the virtual hosting servers will be changed. The PHP directive register_globals will be disabled, in line with the recommendations of the PHP developers and of security specialists. The change will affect the following sites and domains:
xxx, xxx, xxx
If your sites use the latest versions of popular CMSs (such as Joomla, Wordpress, Drupal, Bitrix, etc.), the change will go unnoticed and will not affect the operation of your resources. We recommend that you update your scripts where possible. If this is impossible, or you have any doubts whatsoever, you can protect yourself by enabling register_globals for your site by adding to the www directory a .htaccess file with the following directive:
php_flag register_globals on
Information on the register_globals directive on the PHP developers’ site:
http://ru.php.net/manual/ru/ini.core.php#ini.register-globals

The moral of this story? Check your sites, update your sites, tell your IT guys. And while you’re doing this, we’ll be keeping an eye out for the next Big Chinese Hack – the exploit for this vulnerability was released more than two weeks ago, but most hosting providers are still unpatched; a lot of Internet resources are going to take a beating over the next few days and weeks, and botnets are going to be increasing (again) in size. All the more so with the approach of February 14th, traditionally a time when the bad guys mobilize...
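The register_globals pitfall behind the notice above, as an added example that is not code from the post, from phpBB or from Masterhost: a script that silently relies on the directive, the hardened form that behaves identically whether it is on or off, and the runtime check of the effective setting. The request parameter, the credentials and the variable names are assumptions made for the demo, and extract() is used to emulate what the directive does to the global scope so that the script runs on any PHP version, including ones where register_globals no longer exists.

```php
<?php
// Added example: not code from the post, phpBB or Masterhost.
// Parameter name, credentials and variable names are assumptions for the demo.

// Constructed request: the attacker appends ?is_admin=1 and supplies no password.
$_GET  = array('is_admin' => '1');
$_POST = array();

// Emulates register_globals=On: PHP imports every request parameter as a
// global variable before any application code runs.  Done explicitly here so
// the effect is visible even on a PHP where the directive is Off or removed.
extract($_GET, EXTR_OVERWRITE);

function check_credentials($user, $pass) {
    return $user === 'admin' && $pass === 'correct horse battery';   // assumed
}

$user = isset($_POST['user']) ? $_POST['user'] : '';
$pass = isset($_POST['pass']) ? $_POST['pass'] : '';

// --- Vulnerable pattern: the flag is only assigned on the success path ------
// On failure $is_admin is never touched, so the value the URL injected
// ('1') is what the second if statement sees.
if (check_credentials($user, $pass)) {
    $is_admin = true;
}
$vulnerable_grants = !empty($is_admin);     // true: granted by ?is_admin=1

// --- Hardened pattern: initialise unconditionally, never trust a variable
// you did not set yourself, read input only through $_GET/$_POST/$_COOKIE --
$granted = false;
if (check_credentials($user, $pass)) {
    $granted = true;
}
$hardened_grants = $granted;                // false, whatever the request carried

// --- Check the server's effective setting, not the one you think it has ----
// ini_get() returns "" or "0" when the directive is Off and false on PHP 5.4+,
// where it no longer exists; all of those cast to false.
$rg_on = (bool) ini_get('register_globals');

printf("register_globals effective:     %s\n", $rg_on ? 'On' : 'Off');
printf("vulnerable check grants admin:  %s\n", $vulnerable_grants ? 'yes' : 'no');
printf("hardened check grants admin:    %s\n", $hardened_grants ? 'yes' : 'no');

// To switch the directive off for one site on Apache with mod_php (PHP 5.3
// and earlier), put the opposite of the provider's snippet in the site's
// .htaccess and then re-test every login and access-control path:
//     php_flag register_globals off
```

Run it with `php register_globals_demo.php`; the vulnerable check prints "yes" and the hardened one "no" on the same request. Note that the provider's workaround of re-enabling the directive per site keeps old scripts working at the cost of keeping this class of bug exploitable, so treat it as a stopgap while the scripts are updated, not as a fix.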

 

Copyright © 1996 - 2009 Kaspersky Lab. All rights reserved.