Securelist / All Updates

Analysis: Spam in April 2013

webmaster@securelist.com (Tatyana Shcherbakova, Darya Gudkova) — 23 May 2013 17:40:00 +0400

The percentage of spam in email traffic was up 2.1 percentage points compared with March and averaged 72.2%
The percentage of phishing emails decreased by a factor of three compared with March, dropping to 0.002%
In April, malicious files were found in 2.4% of all emails, a decrease of 1.6 percentage points

Blog: Jumcar. From Peru with a focus on Latin America [First part]

webmaster@securelist.com (Jorge Mieres ) — 20 May 2013 08:06:07 +0400

�Jumcar� is the name we have given to a family of malicious code developed in Latin America � particularly in Peru � and which, according to our research, has been deploying attack maneuvers since March 2012.

Blog: NoSuchCon 2013

webmaster@securelist.com (Stefano Ortolani) — 18 May 2013 16:00:51 +0400

Fostering knowledge exchange among different generations of security researchers is maybe one of the best traits of a good security conference. Judging by its attendance, NoSuchCon can easily claim to be one of these. It's rare to see such a mix of young researchers and old gurus exchanging ideas and getting to know each other. Organized this year in Paris, NoSuchCon takes place in the premises of the Espace Oscar Niemeyer; admittedly, indeed a nice move putting a security conference within an art exposition center (congrats to the organizers :)).

Blog: Malicious PACs and Bitcoins

webmaster@securelist.com (Fabio Assolini) — 17 May 2013 17:58:17 +0400

Malicious PACs used by Brazilian bad guys aiming to steal bitcoins

Analysis: IT Threat Evolution: Q1 2013

webmaster@securelist.com (Denis Maslennikov) — 16 May 2013 17:06:00 +0400

According to KSN data, Kaspersky Lab products detected and neutralized 1 345 570 352 threats in Q1 2013.
A total of 22,750 new modifications of malicious programs targeting mobile devices were detected this past quarter - that’s more than half of the total number of modifications detected in all of 2012.
Some 40% of the exploits seen in the first quarter of this year target vulnerabilities in Adobe products.
Nearly 60% of all malicious hosts are located in three countries: the US, Russia, and the Netherlands.

Blog: Microsoft Updates May 2013 - Slew of Internet Explorer Critical Vulnerabilities, Kernel EoP, and Others

webmaster@securelist.com (Kurt Baumgartner) — 14 May 2013 22:06:28 +0400

Microsoft released a long list of updates for Microsoft software today. The most interesting appear to be those patching Internet Explorer and the kernel software vulnerabilities. In all, ten critical "use-after-free" vulnerabilities are patched in IE along with one important Information Disclosure vulnerability, and three elevation of privilege vulnerabilities are being patched as well. Almost all of these IE vulnerabilities were reported by external security researchers working through HP's Zero Day Initiative.

Blog: Telecom fraud - phishing and Trojans combined

webmaster@securelist.com (Dong Yan) — 13 May 2013 11:15:00 +0400

In China telecom fraud has become an increasingly common crime.

Analysis: Spam in Q1 2013

webmaster@securelist.com (Darya Gudkova) — 08 May 2013 15:00:00 +0400

The percentage of spam in total mail traffic was up by 0.5 percentage points in the first quarter, averaging 66.5%.

Blog: CeCOS VII

webmaster@securelist.com (Michael) — 27 Apr 2013 00:49:47 +0400

The Counter eCrime Operations Summit VII (CeCOS VII) engages questions of operational challenges and the development of common resources for the first responders and forensic professionals who protect consumers and enterprises from the electronic-crime threat every day. The annual event, organized by the Anti-Phishing Working Group (APWG) is this time held in Buenos Aires (Argentina).

Blog: Security policies: remote access programs

webmaster@securelist.com (Kirill Kruglov) — 25 Apr 2013 19:44:00 +0400

Analysis: Spyware. HackingTeam

webmaster@securelist.com (Sergey Golovanov) — 23 Apr 2013 14:43:00 +0400

This article is based on technical data from KL experts and their analysis of the Korablin and Morcut malicious programs. A number of conclusions based on open source data.

Blog: Lock, stock and two smoking Trojans-2

webmaster@securelist.com (Sergey Golovanov) — 22 Apr 2013 20:24:00 +0400

It has been three years since we published Lock, stock and two smoking Trojans in our blog. The article describes the first piece of malware designed to attack users of online banking software developed by a company called BIFIT. There are now several malicious programs with similar functionality.

Blog: Is digital marketing the new spam?

webmaster@securelist.com (Vicente Diaz) — 22 Apr 2013 09:54:12 +0400

In my presentation in Source I talked about fraud in Twitter. These days we find a lot of spam bots in this social network, both blindly sending unsolicited direct messages to other users or doing some previous semantic analysis, depending on your tweets, for a more targeted message.

Blog: An ambush for peculiar Koreans

webmaster@securelist.com (Dmitry Tarakanov) — 19 Apr 2013 14:24:37 +0400

While researching PlugX propagation with the use of Java exploits we stumbled upon one compromised site that hosted and pushed a malicious Java applet exploiting the CVE 2013-0422 vulnerability. The very malicious Java application was detected heuristically with generic verdict for that vulnerability and it would have been hardly possible to spot that particular site between tons of other places where various malicious Java applications were detected with that generic verdict. But it was a very specific search conducted back then and this site appeared in statistics among not so many search results. Well, to be honest it was a false positive in terms of search criteria, but in this case it was a lucky mistake.

Analysis: Spam in March 2013

webmaster@securelist.com (Tatyana Shcherbakova, Darya Gudkova) — 18 Apr 2013 15:54:00 +0400

The percentage of spam in email traffic was down 1 percentage point compared with February and averaged 70.1%

Blog: Boston Aftermath

webmaster@securelist.com (Michael) — 17 Apr 2013 08:02:51 +0400

While many are still in shock after the Boston Marathon bombings on 16 April, it didn't take long for cyber criminals to abuse that tragic incident for their dirty deeds. Today we already started receiving emails containing links to malicious locations with names like "news.html".

Blog: Winnti returns with PlugX

webmaster@securelist.com (Dmitry Tarakanov) — 15 Apr 2013 16:30:00 +0400

Continuing our investigation into Winnti, in this post we describe how the group tried to re-infect a certain gaming company and what malware they used. After discovering that the company-s servers were infected, we began to clean them up in conjunction with the company-s system administrator, removing malicious files from the corporate network. This took a while because it was not clear at first exactly how the cybercriminals had penetrated the corporate network; we couldn-t find a way to completely stop attacks penetrating the network and malicious files kept appearing. An analysis performed by the gaming company itself led us to the conclusion that the infection started after establishing working contacts with a South Korean gaming company. This was also confirmed by our research: as we wrote before, the Winnti group is most active in East Asia and we identified 14 infected gaming companies in South Korea.

Blog: Hello from Infiltrate 2013

webmaster@securelist.com (Roel) — 12 Apr 2013 21:51:22 +0400

Today is the second and last day of Infiltrate 2013 which is taking place in Miami Beach. It's my first time at Infiltrate and so far I've been really impressed with the quality of the conference.

Blog: Winnti-Stolen Digital Certificates Re-Used in Current Watering Hole Attacks on Tibetan and Uyghur Groups

webmaster@securelist.com (Kurt Baumgartner) — 12 Apr 2013 04:31:18 +0400

A new-ish Flash exploit is on the loose for attack around the web. This time, the attackers have compromised a caregiver site providing support for Tibetan refugee children and are spreading malware signed with Winnti stolen certificates with Flash exploits.

Blog: The Winnti honeypot - luring intruders

webmaster@securelist.com (Dmitry Tarakanov) — 11 Apr 2013 17:23:00 +0400

During our research on the Winnti group we have managed to discovered quite a considerable amount of Winnti samples targeting different gaming companies. With the help ofUsing thisat sophisticatedcomplicated malicious program cybercriminals gained remote access to infected workstations and then carried out further they activityed manually.

Blog: Winnti FAQ. More than just a game

webmaster@securelist.com (GReAT) — 11 Apr 2013 17:21:16 +0400

Today Kaspersky Lab's team of experts published a detailed research report that analyzes a sustained cyberespionage campaign conducted by the cybercriminal organization known as Winnti.

Analysis: Winnti. More than just a game

11 Apr 2013 17:00:00 +0400

The study shed light on the activities of a group that has persistently targeted online gaming companies for several years.

Analysis: Winnti 1.0 technical analysis

webmaster@securelist.com (Dmitry Tarakanov) — 11 Apr 2013 16:28:00 +0400

The favorite tool of the attackers has been malicious program we called "Winnti". It has evolved since the first use, but we divide all variants into two generations: 1.x and 2.x. Our publication describes 1.0 variant of this tool.

Blog: Microsoft Updates April 2013 - 3 Critical Vulnerabilities

webmaster@securelist.com (Kurt Baumgartner) — 09 Apr 2013 22:23:20 +0400

Microsoft released two Bulletins this month patching 3 critical vulnerabilities. Along with these immediate issues, they released five other rated "Important". It appears that the two Bulletins address use-after-free vulnerabilities that can all be attacked through Internet Explorer.

Blog: Absent-minded spammers

webmaster@securelist.com (Tatiana Kulikova) — 09 Apr 2013 17:42:00 +0400

Blog: Skypemageddon by bitcoining

webmaster@securelist.com (Dmitry Bestuzhev) — 04 Apr 2013 23:28:00 +0400

Cybercriminals mine Bitcoins via abusing CPU of the victims by infecting users via Skype

Blog: An avalanche in Skype

webmaster@securelist.com (Dmitry Bestuzhev) — 04 Apr 2013 18:40:19 +0400

New very active malicious campaign in Skype with almost 3 clicks (potential infections) per second

Blog: Virus calendar wallpapers for 2013

webmaster@securelist.com (David) — 04 Apr 2013 12:06:20 +0400

Virus calendar wallpapers for 2013

Blog: The Biggest DDoS Ever that "Almost Broke the Internet"?

webmaster@securelist.com (Roel) — 30 Mar 2013 08:25:45 +0400

"If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why."

Blog: Military Hardware and Men�s Health

webmaster@securelist.com (Ben Godwood) — 29 Mar 2013 16:40:47 +0400

Over the last few months we have seen a series of very similar targeted attacks being blocked in our Linux Mail Security Product.

Blog: Android Trojan Found in Targeted Attack

webmaster@securelist.com (Costin Raiu) — 26 Mar 2013 16:14:19 +0400

In the past, we've seen targeted attacks against Tibetan and Uyghur activists on Windows and Mac OS X platforms. We've documented several interesting attacks which used ZIP files as well as DOC, XLS and PDF documents rigged with exploits. Several days ago, the e-mail account of a high-profile Tibetan activist was hacked and used to send targeted attacks to other activists and human rights advocates. Perhaps the most interesting part is that the attack e-mails had an APK attachment - a malicious program for Android.

Analysis: Spam in February 2013

webmaster@securelist.com (Tatyana Shcherbakova, Darya Gudkova) — 21 Mar 2013 16:00:00 +0400

The percentage of spam in email traffic was up 12.8 percentage points compared with January and averaged 71.1%.

Blog: The TeamSpy Crew Attacks - Abusing TeamViewer for Cyberespionage

webmaster@securelist.com (GReAT) — 20 Mar 2013 21:23:19 +0400

Earlier today, the Laboratory of Cryptography and System Security (CrySyS Lab), together with the Hungarian National Security Authority (NBF), published details on a high profile targeted attack against Hungary. The details about the exact targets are not known and the incident remains classified. Considering the high level classification of the attack, Kaspersky Lab�s Global Research & Analysis Team performed a detailed technical analysis of the campaign and related malware samples. You can read our short FAQ below and you can download our technical analysis paper linked at the end of the blogpost.

Blog: South Korean 'Whois Team' attacks

webmaster@securelist.com (GReAT) — 20 Mar 2013 16:09:52 +0400

Earlier today, reports of a number of cyberattacks against various South Korean targets hit the news. (see http://www.nknews.org/2013/03/south-korean-banks-broadcasters-paralyzed-by-cyber-attack/) The attackers, going by the handle �Whois Team� left a number of messages during the defacements

Blog: The end of MSN Messenger, the beginning of attacks

webmaster@securelist.com (Fabio Assolini) — 19 Mar 2013 15:27:02 +0400

Attacks already started using the end of MSN Messenger to infect users

Blog: Hello from Malaysia

webmaster@securelist.com (Roman Unuchek) — 15 Mar 2013 18:48:00 +0400

Blog: Highlights from BlackHat Europe 2013 in Amsterdam

webmaster@securelist.com (Stefano Ortolani) — 15 Mar 2013 18:41:50 +0400

Every year as Europe wakes up from the cold winter to the warm days of spring, BlackHat traditionally descends to Amsterdam. This year�s conference is taking place on March 14-15 at the NH Grand Hotel Krasnapolsky, right Dam Square, the heart of Amsterdam. As spring doesn�t necessarily equal warm days here in Europe right now, the 500 or so BlackHat participants hit the conference rooms to attend quite a few interesting talks. Here�s a summary of the best talks at BlackHat Europe 2013.

Blog: Reminder: be careful opening invoices on the 21st March

webmaster@securelist.com (Ben Godwood) — 14 Mar 2013 19:23:00 +0400

On March 4^th we spotted a large number of unusual emails being blocked by our Linux Mail Security product.

Blog: New Uyghur and Tibetan Themed Attacks Using PDF Exploits

webmaster@securelist.com (Costin Raiu) — 14 Mar 2013 14:55:00 +0400

On Feb 12th 2013, FireEye announced the discovery of an Adobe Reader 0-day exploit which is used to drop a previously unknown, advanced piece of malware. We called this new malware "ItaDuke" because it reminded us of Duqu and because of the ancient Italian comments in the shellcode copied from Dante Alighieri's "Divine Comedy". Previously, we posted about another campaign hitting Governments and other institutions, named Miniduke, which was also using the same 'Divine Comedy' PDF exploits. In the meantime, we've come by other attacks which piggyback on the same high level exploit code, only this time the targets are different: Uyghur activists. Together with our partner at AlienVault Labs, we analyzed these new exploits.

Blog: March 2013 Microsoft Security Bulletins - Low Impact from Pwn2Own, Watch USB Drives for Another Stuxnet

webmaster@securelist.com (Kurt Baumgartner) — 12 Mar 2013 21:13:01 +0400

Microsoft releases nine March Security Bulletins. Four of the Bulletins are rated critical, but of the 20 vulnerabilities being patched, 12 are rated critical and enable remote code execution and elevation of privilege. Microsoft software being patched with critical priority include Internet Explorer, Silverlight, Visio Viewer, and SharePoint. So, pretty much every consumer running Windows, and lots of Microsoft shops, should be diligently patching systems today.

Blog: Miniduke: web based infection vector

webmaster@securelist.com (Igor Soumenkov) — 11 Mar 2013 15:43:45 +0400

Together with our partner CrySyS Lab, we've discovered two new, previously-unknown infection mechanisms for Miniduke. These new infection vectors rely on Java and IE vulnerabilities to infect the victim's PC.

Blog: The Brazilian Phishing World Cup

webmaster@securelist.com (Fabio Assolini) — 11 Mar 2013 15:19:17 +0400

The 2014 FIFA World Cup has already kicked off, at least for Brazilian bad guys. Next year�s big event in Brazil has become one of the most prominent tactics used by Latin American cybercriminals as they unleash a real avalanche of phishing messages, fraudulent prizes and giveaways, malicious domains, fake tickets, credit card cloning, banking Trojans and a lot of social engineering.

Blog: CIA "DELETED" Venezuela's Hugo Chavez?

webmaster@securelist.com (Dmitry Bestuzhev) — 08 Mar 2013 21:28:29 +0400

This is the topic that cybercriminals are speculating about and using as a hook to infect victims. The campaign is based on the Blackhole v2.0

Blog: AlbaBotnet, another new crime wave in Latin American cyberspace

webmaster@securelist.com (Jorge Mieres ) — 05 Mar 2013 03:06:09 +0400

After the recent emergence of the criminal PiceBOT in Latin America, AlbaBotnet has joined the growing ranks of regional IT crime.

Analysis: Mobile Malware Evolution: Part 6

webmaster@securelist.com (Denis Maslennikov) — 28 Feb 2013 13:00:00 +0400

The fifth part of our regular overview of mobile malware evolution was published one year ago, and now it’s time to review the events of 2012 to see just how accurate our forecasts were

Blog: The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor

webmaster@securelist.com (GReAT) — 27 Feb 2013 18:00:00 +0400

New Adobe PDFs exploiting CVE-2013-0640 drop sophisticated malware known as "MiniDuke".

Analysis: Spam in January 2013

webmaster@securelist.com (Tatyana Shcherbakova, Darya Gudkova) — 21 Feb 2013 12:54:00 +0400

The percentage of spam in email traffic was down 7.7 percentage points compared with December and averaged 58.3%

Analysis: Application Control: the key to a secure network. Part 1

webmaster@securelist.com (Andrey Efremov, Vladimir Zapolyansky) — 19 Feb 2013 20:43:00 +0400

Corporate network security is one of the most pressing issues for companies today

Analysis: Application Control: the key to a secure network - Part 2

webmaster@securelist.com (Andrey Efremov, Vladimir Zapolyansky) — 19 Feb 2013 20:00:00 +0400

It’s brilliant - but is it user-friendly?

Blog: Trust but verify: when CAs fall short

webmaster@securelist.com (Stefano Ortolani) — 19 Feb 2013 12:31:39 +0400

We�ve recently experienced yet another case of a root certificate authority (CA from now on) losing control of its own certificates. And yet again, we have been waiting for either the CA or the browser to do something about it. This whole mess stems, once again, from both a governance and a technical problem. First, only the very same CA that issued a certificate can later revoke it. Second, although web browsers implement several techniques to check the certificate�s revocation status, errors in the procedure are rarely considered hard failures.