A gift from ZeuS for passengers of US Airways

Starting with 20 March a spam campaign targeting passengers of US Airways was being conducted. The criminals were banking on any recipients flying on the flight mentioned in the email clicking on the link “Online reservation details”. After clicking the link a series of redirects led to domains hosting BlackHole Exploit Kit. Exploiting vulnerabilities criminals attempted to infect users with ZeuS variant – GameOver. Read Full Article

LANDesk Interchange 2011, Poison Ivy, and US Incidents

LANDesk Interchange 2011 is winding down in Las Vegas today. The event gathered partners and displayed newer technologies offered by the decade old systems management company. It was interesting hearing from IT “old-timers” that have worked with the technology, describing the company’s impact on the industry – its spinoff from Intel, the original LANDesk AV product that wound up in another vendor’s product, and what they like about Kaspersky Lab technologies integration into the security suite. We were happy to present at our partner’s conference with “The Dark Side of Unmanaged Desktops”, where I described 2011 incidents that both I and our Global Emergency Response Team have investigated and remediated, some incidents in the news, and some of the IT mismanagement issues that enabled these incidents to occur. Read Full Article

ZeuS-in-the-Mobile for Android

The first version of ZeuS-in-the-Mobile (ZitMo), malware which targets mTANs, was discovered in the end of September 2010. In that case it was targeting Symbian smartphones. Later on, ZitMo versions for Windows Mobile and Blackberry were found. It comes as no surprise that cybercriminals have created new and sophisticated pieces of mobile malware for Symbian and Windows Mobile; more surprising is that Blackberry devices were also targeted; and even more surprising is that until July 2011 there was no evidence of ZitMo for Android’s existence. And now please ‘welcome’ ZeuS-in-the-Mobile for Android. Read Full Article

Tracking bugs in Zeus campaigns

I found an interesting “bug” in the malicious .php script on the .cc domain. For example, instead of clicking on http://3cm.kz/example, just put at the end http://3cm.kz/example+ or http://3cm.kz/example* or any other and for each new special char you will get the binary. One special char per one new download. The second short URL service used by the criminals is http://shortn.me Read Full Article