Q: What is the Hlux/Kelihos botnet? A: Kelihos is Microsoft’s name for what Kaspersky calls Hlux. Hlux is a peer-to-peer botnet with an architecture similar to the one used for the Waledac botnet. It consists of layers of different kinds of nodes: controllers, routers and workers.
Botnet Shutdown Success Story – again: Disabling the new Hlux/Kelihos Botnet
Last September, in partnership with Microsoft’s Digital Crimes Unit (DCU), SurfNET and Kyrus Tech, Inc., Kaspersky Lab successfully disabled the dangerous Hlux/Kelihos botnet by sinkholing the infected machines to a host under our control. A few months later, our researchers stumbled upon a new version of the malware with significant changes in the communication protocol and new “features” such as flash-drive infection and bitcoin-mining wallet theft. Now, we are pleased to announce that we have partnered with the CrowdStrike Intelligence Team, the Honeynet Project and Dell SecureWorks to disable this new botnet.
The mystery of Duqu: Part Ten
At the end of last year the authors of Duqu and Stuxnet tried to eliminate all traces of their activity. They wiped all the servers they had used since 2009 or even earlier. The cleanup happened on October 20, and there were virtually no traces of Duqu after that. But several days ago our colleagues at Symantec announced that they had found a new in-the-wild driver that is very similar to known Duqu drivers. Previous Duqu drivers were compiled on Nov 3 2010 and Oct 17 2011; the new driver was compiled on Feb 23 2012. So, the authors of Duqu are back after a 4 month break.
Carberp: it’s not over yet
On 20 March, Russian law enforcement agencies announced the arrest of a cybercriminal gang involved in stealing money using the Carberp Trojan.
Think twice before installing Chrome extensions
Brazilian bad guys are hosting malicious extensions on Google’s official Chrome Web Store.
Spam report: February 2012
The amount of spam in email traffic was up 2.3 percentage points compared to January and averaged 78.5%.
The mystery of Duqu Framework solved
In my previous blogpost about the Duqu Framework, I described one of the biggest remaining mysteries about Duqu – the oddities of the C&C communications module, which appears to have been written in a different language than the rest of the Duqu code.
Fake or hijacked Facebook accounts used in scams to steal money are on the rise
Fake or hijacked Facebook accounts used in scams to steal money are on the rise. The problem is not just a technical one, but also a social one.
Update to this Month’s Patch Tuesday Post on MS12-020/CVE-2012-0002
The Twitter infosec sphere last night and the blogosphere this morning were in a bit of a frenzy about the public leak of a DoS PoC targeting CVE-2012-0002, the RDP pre-auth remote. First off, patch now. Now. If you can’t, use the mitigation tool that Microsoft is offering – the tradeoff between requiring network authentication and the fairly high risk of RCE in the next couple of weeks is worth it. You can see the list of related links on the side of this page; one was included for MS12-020.
Is Google confused about Android security?
While Google is obviously trying to create a safer environment for the Android operating system, some of these changes are leaving me a bit confused. I recently discovered some interesting behavior in the default email client in 4.0 Ice Cream Sandwich.