Posts Tagged ‘Kaspersky Labs’

Monday, April 21, 2014 @ 05:04 PM gHale

In this year’s first quarter, one Trojan was responsible for 25 percent of attempted infections on Android devices.

Trojan-SMS.AndroidOS.Stealer.a accounted for almost a quarter of attempted infections on Android devices which have the company’s security solutions installed on them, said researchers at Kaspersky Labs.

Most of the infections ended up spotted in Russia, but researchers said Trojan-SMS.AndroidOS.Stealer.a is capable of targeting users from numerous countries, including Belgium, France, Latvia, Lithuania, Ukraine, Belarus, Germany, Armenia, Azerbaijan, Kyrgyzstan and Kazakhstan.

The Trojan, which cybercriminals distribute by disguising it as legitimate Android apps, contacts its command and control server (C&C) and waits for commands. The C&C can command it to change the server, send SMSs, delete incoming messages, update itself, upload information on the phone and applications, and intercept messages.

The threat’s configuration file is distributed along with the malware rather than fetched from somewhere online. This lets the Trojan operate even when it can’t reach the Web.

The configuration file can order the malware to open a web page, get geographic coordinates, send SMSs with a certain message to a specified number, install applications, create shortcuts and more.

A complete description of the commands accepted by Trojan-SMS.AndroidOS.Stealer.a is available on Kaspersky’s Securelist blog.

Monday, November 18, 2013 @ 07:11 PM gHale

A second version of the Hlux/Kelihos botnet is still making the rounds, and one group of researchers says it is shrinking, currently counting around 1,000 bots per month. However, a second group of researchers says the botnet is growing.

Most of the remaining bots are running Windows XP, said the first group, researchers at Kaspersky Labs. In addition, 44 percent of the bots are in Poland and close to 10 percent in Turkey. Others are in Spain, Hungary, Romania, Thailand, Vietnam, the United States, India, Italy, Germany, Malaysia and the Russian Federation.

Researchers said there might be an independent subset of the botnet not connected to their sinkhole. However, they believe the bot herders have likely abandoned them to concentrate on creating version 3 of Hlux/Kelihos.

Kaspersky teamed up with Crowdstrike, the Honeynet Project and Dell SecureWorks in March 2012 to try to take down the second variant of the botnet.

The second group, the whitehat security research group MalwareMustDie, said the figures could be misleading.

They said the number of infections is much higher than 1,000. They claim most are in Ukraine (52,000), Russia (18,000), Japan (9,800), India (6,000) and Taiwan (4,600).

“Growth is still happening, even now we keep on suspending, sinkholing new domains they used for spreading payload (which it is encrypted in their job servers to CnC layer to be sent to peer for infection upgrade) in time-to-time basis, with total now is exceeded 800+ domains from August 6th to Yesterday,” MalwareMustDie said in a blog post published on Full Disclosure.

Monday, October 28, 2013 @ 05:10 PM gHale

Two of the PHP Group’s servers ended up hacked and set up to serve malware, researchers said.

The hackers compromised the server that hosts,, and, and the one that hosts, according to The PHP Group’s own analysis.

Services migrated to new, secure servers. In addition, since the attackers may have accessed the private key for the SSL certificate, the certificate was revoked.

PHP users will not feel any effect of the breach, officials said. However, the passwords of individuals committing code to and were reset. PHP is a server-side scripting language designed for web development but also used as a general-purpose programming language.

PHP developers said their Git repository did not suffer from the hack. Currently, it’s unknown how the hackers managed to break into the PHP servers.

It appears a piece of JavaScript malware was served between October 22 and October 24. However, The PHP Group said only a small percentage of users were affected.

Security researchers from Kaspersky Labs, Trustwave, Panda Security, Avast, and Barracuda Networks analyzed the attack. Kaspersky’s Fabio Assolini identified a malicious iframe pointing to the Magnitude Exploit Kit set up to serve the Tepfer Trojan, a piece of ransomware designed to encrypt files.

Panda’s Bart Blaze has also analyzed some of the payloads served in this attack. In addition to ransomware, he has also identified versions of Fareit, ZeroAccess and ZeuS.

Thursday, September 26, 2013 @ 05:09 PM gHale

An Advanced Persistent Threat (APT) team is targeting South Korean and Japanese companies, and in doing so is hitting the supply chain of Western companies, researchers said.

The operation, discovered by Kaspersky Labs, started in 2011 and has increased in size and scope over the last few years.

The attacks, dubbed Icefog by the researchers, show a newly emerging trend through their hit-and-run nature: smaller gangs that go after specific information with laser-like precision. An attack usually lasts for a few days or weeks; after obtaining what they were looking for, the attackers clean up and leave.

This could be a future trend, said Costin Raiu, director, global research & analysis team at Kaspersky.

Kaspersky found:
• Based on the profiles of identified targets, the attackers appear to have an interest in the following sectors: military, shipbuilding and maritime operations, computer and software development, research companies, telecom operators, satellite operators, mass media and television.
• Research indicates the attackers were targeting defense industry contractors such as Lig Nex1 and Selectron Industrial Company, ship-building companies such as DSME Tech, Hanjin Heavy Industries, telecom operators such as Korea Telecom, media companies such as Fuji TV and the Japan-China Economic Association.
• The attackers hijack sensitive documents and company plans, email account credentials, and passwords to access various resources inside and outside the victim’s network.
• While in most other APT campaigns, victims remain infected for a longer period of time to steal data, Icefog operators process victims one by one, locating and copying only specific, targeted information. Once they get the desired information, they leave.

Kaspersky researchers sinkholed 13 of the 70 domains used by the attackers. This provided statistics on the number of victims worldwide. In addition, the Icefog command and control servers maintain encrypted logs of their victims together with the various operations performed on them.

In addition to Japan and South Korea, there were sinkhole connections in other countries, including Taiwan, Hong Kong, China, the USA, Australia, Canada, the UK, Italy, Germany, Austria, Singapore, Belarus and Malaysia.

Wednesday, August 14, 2013 @ 03:08 PM gHale

A “loophole” in Google Cloud Messaging (GCM) lets attackers control some nasty Android Trojans.

Cyber criminals use Google Cloud Messaging, the service that allows Android developers to send data from their servers to their apps installed on Android devices, as a command and control (C&C) server for their malware, said researchers at Kaspersky Labs.

Most of these pieces of malware send SMS messages to premium rate numbers, steal messages and contacts, and display shady advertisements that might lead to other malicious elements.

One example is Trojan-SMS.AndroidOS.OpFake.a, which, according to Kaspersky, was installed over 1 million times on Android devices, particularly by users from Russia and other Commonwealth of Independent States (CIS) countries.

The threat is capable not only of sending SMS messages to premium rate numbers, but also of stealing messages and contacts, deleting SMSs, and sending out messages with links to malicious applications. The malware can also start and stop its activity automatically, and it can even update itself.

The malicious applications are disguised as popular applications and games.

Once an Android device suffers infection, the cyber criminals use the Google service to send out commands to the Trojans and record their activities. Because attackers use GCM, experts warn it’s impossible to block access to the C&C directly from the infected smartphone.

Kaspersky said the only way to block these attacks is for Google to terminate the developer accounts utilized by the cybercriminals. The company notified the search engine giant and provided it with the GCM developer IDs utilized in the malware attacks.

Kaspersky researchers said they identify over 12,000 new samples of mobile malware each month and 97 percent of these threats target the Android platform.

Tuesday, July 23, 2013 @ 04:07 PM gHale

Cyber criminals are increasingly relying on .lc domains in their malicious campaigns.

The .lc domain is the country code top-level domain for Saint Lucia, a sovereign island country in the eastern Caribbean Sea.

The number of malicious URLs on the .lc domain has increased considerably over the last year, said researchers at Kaspersky Labs.

Cyber bad guys from all over the world are abusing such domains, said Kaspersky’s Dmitry Bestuzhev. In addition, cyber criminals from Brazil are abusing free web hosting services from Saint Lucia.

Most Internet users have never accessed, and probably never will access, websites hosted on .lc domains. This is why experts recommend filtering access to such domains.

In addition to .lc domains, experts have also warned of the increasing use of .pw (Palau) domains by cyber criminals.
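The filtering recommendation above, turned into detection logic as an added example that is not part of the original article: it runs over constructed Squid-style proxy log lines and flags requests whose host actually ends in .lc or .pw, while leaving alone hosts that merely contain "lc" as a subdomain label, IP literals and malformed lines.

```python
"""Flag proxy-log requests to rarely used ccTLDs such as .lc and .pw.

Added example; the log lines are constructed (fields: timestamp, client IP,
status, URL) and the watched TLD set is the pair named in the article.
"""
from urllib.parse import urlsplit

# TLDs the article reports as increasingly abused; extend for your environment.
WATCHED_TLDS = frozenset({"lc", "pw"})

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
1374580800.123 10.0.0.5 TCP_MISS/200 http://www.example.com/index.html
1374580801.456 10.0.0.7 TCP_MISS/200 http://update.cdn-files.lc/setup.exe
1374580802.789 10.0.0.9 TCP_MISS/302 HTTP://FREE-HOST.PW:8080/img.php?id=1
1374580803.000 10.0.0.5 TCP_MISS/200 http://lc.example.org/page
1374580804.000 10.0.0.8 TCP_MISS/200 http://192.0.2.10/x
garbage line
"""


def registered_tld(url: str):
    """Return the lowercase top-level label of the URL's host, or None for IP
    literals and unparsable URLs. urlsplit().hostname drops scheme, port,
    userinfo and path and lowercases the host for us."""
    host = urlsplit(url).hostname
    if not host:
        return None
    host = host.rstrip(".")  # tolerate the absolute FQDN form "host.lc."
    last = host.rsplit(".", 1)[-1]
    if not last or last.isdigit() or ":" in host:
        return None  # IPv4 / IPv6 literal: no TLD to judge
    return last


def flag_rare_tlds(log_text: str, watched=WATCHED_TLDS):
    """Return (client_ip, host, tld) for each request to a watched TLD."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than crash the pipeline
        client_ip, url = parts[1], parts[3]
        tld = registered_tld(url)
        if tld in watched:
            hits.append((client_ip, urlsplit(url).hostname, tld))
    return hits


if __name__ == "__main__":
    for client_ip, host, tld in flag_rare_tlds(SAMPLE_LOG):
        print(f"ALERT client={client_ip} host={host} tld=.{tld}")
```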

Friday, June 21, 2013 @ 02:06 PM gHale

Go to any industry function and look at what people are working on as they roam the halls: iPhones and iPads. That is great news for Apple as the technology is becoming ubiquitous throughout the industry.

That is also incredible news for hackers because there is quite a bit they can do with the ID data of Apple customers. Attackers can gain access to victims’ personal information and make purchases.

In addition, in some cases, bad guys that attempt to phish out Apple IDs also try to gain access to payment card details.

As Apple’s popularity grows, it becomes a big target for malicious cyber schemes.

In 2011, the company’s security products detected only around 1,000 daily instances in which their customers accessed Apple phishing websites, according to Kaspersky Labs. Since the beginning of 2012, the number of daily detections skyrocketed to an average of around 200,000.

On December 6, 2012, Kaspersky recorded close to 1 million detections, and on May 1, 2013, over 850,000 detections of fake Apple sites were recorded.

Experts said the massive surges in cybercriminal activity are usually a result of a major Apple-related event. For instance, in December 2012, the iTunes Store launched in 56 countries worldwide, which explained the large number of phishing site detections.

Cybercriminals use various methods to lure Apple customers to phishing websites, but the most popular method comes via spam emails.

A simple “we need to verify your Apple ID” message usually does the trick. Many users don’t hesitate to click on the links contained in such notifications and once they see the website they are on looks like Apple’s legitimate site, they provide their details without giving it too much thought.

In many cases, the URLs of these websites look like the legitimate Apple domains. It’s easy for the crooks to place their phishing pages on subdomains such as “[maliciousdomain].com.”

The most dangerous phishing scams are the ones designed to harvest financial information as well. Users can protect their Apple accounts by activating two-factor authentication.

However, if the crooks get a hold of your banking details, Apple’s security feature can’t do anything to protect you. That’s why the best thing to do is be cautious whenever you receive suspicious-looking Apple notifications.
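The lookalike-subdomain trick described above (the brand name placed in a subdomain of a domain the crooks control), as an added detection example that is not from the original article. The allowlist of legitimate Apple domains and the sample URLs are constructed assumptions, and the registered domain is approximated by the last two labels; a production check should consult the Public Suffix List instead.

```python
"""Spot Apple-ID phishing hostnames that carry the brand in a subdomain of
someone else's domain. Added example with constructed sample data."""
from urllib.parse import urlsplit

BRAND = "apple"
# Assumed allowlist of domains the brand legitimately uses.
LEGIT_DOMAINS = frozenset({"apple.com", "icloud.com"})


def registered_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (assumption; a real
    deployment would use the Public Suffix List to handle e.g. co.uk)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def host_mentions_brand(host: str) -> bool:
    """True if any hyphen-separated token of any label starts with the brand,
    so 'appleid', 'apple-id' and 'secure-apple' match but 'pineapple' does not."""
    return any(tok.startswith(BRAND)
               for label in host.split(".")
               for tok in label.split("-"))


def is_brand_lookalike(url: str) -> bool:
    """Flag URLs whose host mentions the brand but is not registered under an
    allowlisted domain. Brand words in the path alone are not flagged."""
    host = urlsplit(url).hostname  # lowercased, port and userinfo removed
    if not host or not host_mentions_brand(host):
        return False
    return registered_domain(host) not in LEGIT_DOMAINS


# Constructed sample URLs, none of them real sites.
SAMPLE_URLS = [
    "https://appleid.apple.com/account",
    "https://www.icloud.com/",
    "http://appleid.apple.com.verify-login.example/signin",
    "http://secure-apple-id.example/",
    "http://www.example.com/apple/verify",
    "http://pineapple-farm.example/",
    "http://APPLE.EXAMPLE.COM/login",
]


def triage(urls):
    """Return only the URLs that look like brand-abusing phishing hosts."""
    return [u for u in urls if is_brand_lookalike(u)]


if __name__ == "__main__":
    for u in triage(SAMPLE_URLS):
        print("SUSPICIOUS", u)
```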

Monday, April 22, 2013 @ 05:04 PM gHale

A new spam campaign is out that leverages the name of Australian telecom company TPG Telecom in an effort to distribute a variant of the ZeuS Trojan.

The faux email, bearing the subject “Restoration of Mobile Phone Deposit,” reads as follows, researchers at Kaspersky Labs found:

“Dear Customer,

The balance of your Mobile Phone Deposit has dropped below $5.00, and we have initiated a debit of $16.95 to restore the balance to $20.00. Please refer to the attached report with detailed status of your account.

Thank you for using the TPG mobile phone service. Your customer ID is 5212306”

The file attached to these malicious emails appears to be a harmless document. However, in reality, it’s an executable identified by Kaspersky as Trojan-Spy.Win32.Zbot.jqye, a threat designed to steal sensitive information from infected computers.

It’s worth noting that Trojan-Spy.Win32.Zbot.jqye is one of the most famous ZeuS variants.

If you come across such emails, be sure to ignore them. If you’ve already opened the attachment, scan your system immediately with an updated antivirus solution.

Friday, April 5, 2013 @ 05:04 PM gHale

Bitcoin’s digital currency has not escaped the notice of attackers, many of whom are turning their attention to finding ways to use the system for their own gains like introducing new pieces of malware.

There is now a piece of malware in circulation that is using Skype as a spreading mechanism and then using infected machines’ processing power to mine Bitcoins.

The new malware is sending links to Skype users with a message encouraging them to click to see a photo of themselves online. The campaign began yesterday and is still ongoing, with thousands of victims clicking on the malicious link every hour, according to an analysis by Dmitry Bestuzhev of Kaspersky Lab.

“The initial dropper is downloaded from a server located in India. The detection rate on VirusTotal is low. Once the machine is infected it drops to the system many other pieces of malware. Downloads come from the service. At the same time the malware connects to its C2 server located in Germany,” Bestuzhev said.

Once the malware is on the victim’s machine, it goes about the business of usurping the PC’s processing power to mine for Bitcoins. The Bitcoin network relies on a complex system to create each Bitcoin and verify the currency is valid and being spent by the owner of those Bitcoins. Part of that process requires quite a bit of processing power, and that’s what the attackers behind this malware campaign are after.

Here’s how the Bitcoin Project explains the mining process:

“Bitcoin mining is the process of making computer hardware do mathematical calculations for the Bitcoin network to confirm transactions and increase security. As a reward for their services, Bitcoin miners can collect transaction fees for the transactions they confirm along with newly created bitcoins. Mining is a specialized and competitive market where the rewards are divided up according to how much calculation is done,” the Project said.

The malware, identified as Trojan.Win32.Jorik.IRCbot.xkt, causes a massive spike in the CPU usage on an infected machine, Bestuzhev said.

Monday, February 18, 2013 @ 05:02 PM gHale

It doesn’t take long. Fresh vulnerabilities in Adobe PDF Reader and Flash Player are already under exploitation.

There is a PDF Zero Day being exploited, said researchers from FireEye who found successful exploitation on the Adobe PDF Reader versions 9.5.3, 10.1.5, and 11.0.1.

“Upon successful exploitation, it will drop two DLLs,” the researchers said. “The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain.

“We have already submitted the sample to the Adobe security team. Before we get confirmation from Adobe and a mitigation plan is available, we suggest that you not open any unknown PDF files.”

In addition, Kaspersky Labs identified a Zero Day vulnerability in Adobe Flash Player (CVE-2013-0633) actively exploited in targeted attacks. This impacts Windows, Mac OS X and Linux operating systems, as well as a number of earlier versions of Android.

“The vulnerability was being used in a series of targeted attacks that were designed to trick victims into opening a spear-phishing email with a Microsoft Word document, which contained malicious Flash (SWF) content,” Kaspersky researchers said. “The majority of attacks analyzed by Kaspersky Lab were targeted against human rights activists and political dissidents from Africa and the Middle East.”

Adobe released a security update for this issue, saying it was aware of reports of this vulnerability undergoing exploitation in the wild.