Posts Tagged ‘Kaspersky Labs’
Monday, November 18, 2013 @ 07:11 PM gHale
A second version of the Hlux/Kelihos botnet is still making the rounds and researchers say its size is getting smaller, currently counting around 1,000 bots per month. However, a second set of researchers say the bot is growing.
Most of the remaining bots are running Windows XP, said the first set of researchers, from Kaspersky Labs. In addition, 44 percent of the bots are in Poland, and close to 10 percent in Turkey. Others are in Spain, Hungary, Romania, Thailand, Vietnam, the United States, India, Italy, Germany, Malaysia and the Russian Federation.
Researchers said there might be an independent subset of the botnet not connected to their sinkhole. However, they believe the bot herders have likely abandoned them to concentrate on creating version 3 of Hlux/Kelihos.
Kaspersky teamed up with Crowdstrike, the Honeynet Project and Dell SecureWorks in March 2012 to try to take down the second variant of the botnet.
The second set of researchers, whitehat security research group MalwareMustDie, said the figures could be misleading.
They said the number of infections is much higher than 1,000. They claim most are in Ukraine (52,000), Russia (18,000), Japan (9,800), India (6,000) and Taiwan (4,600).
“Growth is still happening, even now we keep on suspending, sinkholing new domains their used for spreading payload (which it is encrypted in their job servers to CnC layer to be sent to peer for infection upgrade) in time-to-time basis, with total now is exceeded 800+ domains from August 6th to Yesterday,” MalwareMustDie said in a blog post published on Full Disclosure.
Monday, October 28, 2013 @ 05:10 PM gHale
Two of the PHP Group’s servers ended up hacked and set up to serve malware, researchers said.
The hackers compromised the server that hosts php.net, git.php.net, and static.php.net, and the one that hosts bugs.php.net, according to The PHP Group’s own analysis.
Services have migrated to new, secure servers. In addition, since the attackers may have accessed the private key for the php.net SSL certificate, the certificate ended up revoked.
PHP users will not feel any effect of the breach, officials said. However, the passwords of individuals committing code to svn.php.net and git.php.net ended up reset. PHP is a server-side scripting language designed for web development but also used as a general-purpose programming language.
PHP developers said their Git repository did not suffer from the hack. Currently, it’s unknown how the hackers managed to break into the PHP servers.
Security researchers from Kaspersky Labs, Trustwave, Panda Security, Avast, and Barracuda Networks analyzed the attack. Kaspersky’s Fabio Assolini identified a malicious iframe pointing to the Magnitude Exploit Kit set up to serve the Tepfer Trojan, a piece of ransomware designed to encrypt files.
Panda’s Bart Blaze has also analyzed some of the payloads served in this attack. In addition to ransomware, he has also identified versions of Fareit, ZeroAccess and ZeuS.
Thursday, September 26, 2013 @ 05:09 PM gHale
An Advanced Persistent Threat (APT) team is targeting South Korean and Japanese companies, and in doing so is hitting the supply chain for Western companies, researchers said.
The operation, discovered by Kaspersky Labs, started in 2011 and has increased in size and scope over the last few years.
Dubbed Icefog by the researchers, the operation shows a new emerging trend: smaller hit-and-run gangs that go after information with laser-like skill. The attack usually lasts for a few days or weeks and after obtaining what they were looking for, the attackers clean up and leave.
This could be a future trend, said Costin Raiu, director, global research & analysis team at Kaspersky.
• Based on the profiles of identified targets, the attackers appear to have an interest in the following sectors: military, shipbuilding and maritime operations, computer and software development, research companies, telecom operators, satellite operators, mass media and television.
• Research indicates the attackers were targeting defense industry contractors such as Lig Nex1 and Selectron Industrial Company, ship-building companies such as DSME Tech, Hanjin Heavy Industries, telecom operators such as Korea Telecom, media companies such as Fuji TV and the Japan-China Economic Association.
• The attackers hijack sensitive documents and company plans, email account credentials, and passwords to access various resources inside and outside the victim’s network.
• While in most other APT campaigns, victims remain infected for a longer period of time to steal data, Icefog operators process victims one by one, locating and copying only specific, targeted information. Once they get the desired information, they leave.
Kaspersky researchers sinkholed 13 of the 70 domains used by the attackers. This provided statistics on the number of victims worldwide. In addition, the Icefog command and control servers maintain encrypted logs of their victims together with the various operations performed on them.
In addition to Japan and South Korea, there were sinkhole connections in other countries, including Taiwan, Hong Kong, China, the USA, Australia, Canada, the UK, Italy, Germany, Austria, Singapore, Belarus and Malaysia.
Tuesday, July 23, 2013 @ 04:07 PM gHale
Cyber criminals are increasingly relying on .lc domains in their malicious campaigns.
The .lc domain is a country code top level domain for Santa Lucia, a sovereign island country in the eastern Caribbean Sea.
The number of malicious URLs on the .lc domain has increased considerably over the last year, said researchers at Kaspersky Labs.
Cyber bad guys from all over the world are abusing such domains, said Kaspersky’s Dmitry Bestuzhev. In addition, cyber criminals from Brazil are abusing free web hosting services from Santa Lucia.
Most Internet users have never accessed and will probably never access websites hosted on .lc domains. This is why experts recommend filtering access to such domains.
In addition to .lc domains, experts have also warned of the increasing use of .pw (Palau) domains by cyber criminals.
Friday, June 21, 2013 @ 02:06 PM gHale
Go to any industry function and look at what people are working on as they roam the halls: iPhones and iPads. That is great news for Apple as the technology is becoming ubiquitous throughout the industry.
That is also incredible news for hackers because there is quite a bit they can do with the ID data of Apple customers. Attackers can gain access to victims’ personal information and make purchases.
In addition, in some cases, bad guys that attempt to phish out Apple IDs also try to gain access to payment card details.
As Apple’s popularity grows, it becomes a big target for malicious cyber schemes.
In 2011, Kaspersky Labs’ security products detected only around 1,000 daily instances in which its customers accessed Apple phishing websites, the company said. Since the beginning of 2012, the number of daily detections skyrocketed to an average of around 200,000.
On December 6, 2012, Kaspersky recorded close to 1 million detections, and on May 1, 2013, over 850,000 fake apple.com detections ended up recorded.
Experts said the massive surges in cybercriminal activity are usually a result of a major Apple-related event. For instance, in December 2012, the iTunes Store launched in 56 countries worldwide, which explained the large number of phishing site detections.
Cybercriminals use various methods to lure Apple customers to phishing websites, but the most popular method comes via spam emails.
A simple “we need to verify your Apple ID” message usually does the trick. Many users don’t hesitate to click on the links contained in such notifications and once they see the website they are on looks like Apple’s legitimate site, they provide their details without giving it too much thought.
In many cases, the URLs of these websites look like the legitimate Apple domains. It’s easy for the crooks to place their phishing pages on subdomains such as “apple.com.[maliciousdomain].com.”
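A defensive check for the subdomain trick described above, as an added example that is not part of the original article: it flags a link whose host contains a brand domain's labels without actually ending in that domain. The brand list, function names and sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains treated as the genuine brand sites.
BRAND_DOMAINS = ("apple.com", "icloud.com")
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

# Constructed sample message; .example is a reserved TLD.
SAMPLE_MESSAGE = """\
We need to verify your Apple ID. Sign in within 24 hours:
http://apple.com.account-check.example/verify?id=1
Manage your account at https://appleid.apple.com/ as usual.
Recipes: https://pineapple.com.example/
"""


def hostname_of(url):
    """Return the lower-cased host of a URL, or '' if it has none."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host as the netloc
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed netloc, e.g. a broken IPv6 literal
        return ""
    return host.rstrip(".").lower()


def impersonated_brand(url, brands=BRAND_DOMAINS):
    """Return the brand domain a host embeds without belonging to it."""
    host = hostname_of(url)
    # A host that really sits under a brand domain is not a lookalike.
    if any(host == b or host.endswith("." + b) for b in brands):
        return None
    labels = host.split(".")
    for brand in brands:
        want = brand.split(".")
        # Compare whole labels, so "pineapple.com.example" does not match.
        for i in range(len(labels) - len(want) + 1):
            if labels[i:i + len(want)] == want:
                return brand
    return None


def find_deceptive_links(text):
    """Return (url, imitated brand) for every deceptive link in a message."""
    hits = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)")  # drop trailing sentence punctuation
        brand = impersonated_brand(url)
        if brand:
            hits.append((url, brand))
    return hits
```

Calling `find_deceptive_links(SAMPLE_MESSAGE)` returns only the first link; the genuine `appleid.apple.com` link and the unrelated `pineapple.com.example` host are left alone.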
The most dangerous phishing scams are the ones designed to harvest financial information as well. Users can protect their Apple accounts by activating two-factor authentication.
However, if the crooks get a hold of your banking details, Apple’s security feature can’t do anything to protect you. That’s why the best thing to do is be cautious whenever you receive suspicious-looking Apple notifications.
Monday, April 22, 2013 @ 05:04 PM gHale
A new spam campaign is out that leverages the name of Australian telecom company TPG Telecom in an effort to distribute a variant of the ZeuS Trojan.
Researchers at Kaspersky Labs found the faux email, which bears the subject “Restoration of Mobile Phone Deposit,” reads:
“The balance of your Mobile Phone Deposit has dropped below $5.00, and we have initiated a debit of $16.95 to restore the balance to $20.00. Please refer to the attached report with detailed status of your account.
Thank you for using the TPG mobile phone service. Your customer ID is 5212306”
The file attached to these malicious emails appears to be a harmless document. However, in reality, it’s an executable identified by Kaspersky as Trojan-Spy.Win32.Zbot.jqye, a threat designed to steal sensitive information from infected computers.
It’s worth noting that Trojan-Spy.Win32.Zbot.jqye is one of the most famous ZeuS variants.
If you come across such emails, be sure to ignore them. If you’ve already opened the attachment, scan your system immediately with an updated antivirus solution.
Friday, April 5, 2013 @ 05:04 PM gHale
Bitcoin’s digital currency has not escaped the notice of attackers, many of whom are turning their attention to finding ways to use the system for their own gains like introducing new pieces of malware.
There is now a piece of malware in circulation that is using Skype as a spreading mechanism and then using infected machines’ processing power to mine Bitcoins.
The new malware is sending links to Skype users with a message encouraging them to click to see a photo of themselves online. The campaign began yesterday and is still ongoing, with thousands of victims clicking on the malicious link every hour, according to an analysis by Dmitry Bestuzhev of Kaspersky Lab.
“The initial dropper is downloaded from a server located in India. The detection rate on VirusTotal is low. Once the machine is infected it drops to the system many other pieces of malware. Downloads come from the Hotfile.com service. At the same time the malware connects to its C2 server located in Germany,” Bestuzhev said.
Once the malware is on the victim’s machine, it goes about the business of usurping the PC’s processing power to mine for Bitcoins. The Bitcoin network relies on a complex system to create each Bitcoin and verify the currency is valid and being spent by the owner of those Bitcoins. Part of that process requires quite a bit of processing power, and that’s what the attackers behind this malware campaign are after.
Here’s how the Bitcoin Project explains the mining process:
“Bitcoin mining is the process of making computer hardware do mathematical calculations for the Bitcoin network to confirm transactions and increase security. As a reward for their services, Bitcoin miners can collect transaction fees for the transactions they confirm along with newly created bitcoins. Mining is a specialized and competitive market where the rewards are divided up according to how much calculation is done,” the Project said.
The malware, identified as Trojan.Win32.Jorik.IRCbot.xkt, causes a massive spike in the CPU usage on an infected machine, Bestuzhev said.