Domain: securelist.com
Stories and comments across the archive that link to securelist.com.
Stories · 52
-
Eastern European Banks Were Attacked Via Backdoors Directly Connected To Local Networks, Report Finds (securelist.com)
An anonymous reader writes: Kaspersky security researcher Sergey Golovanov writes about recent cybertheft incidents involving hardware backdoors planted by criminals. Each attack had a common springboard: an unknown device directly connected to the company's local network. In some cases, it was the central office, in others a regional office, sometimes located in another country. At least eight banks in Eastern Europe were the targets of the attacks, which caused damage estimated in the tens of millions of dollars. Hardware backdoors are cheap and immune to antivirus. A firmware-modified, OpenWrt-based router can provide covert remote access, painless packet captures, and secure VPN connections with the flip of a switch. Will a flashlight and a ladder be common tools of computer security someday? After the cybercriminals entered an organization's building, connected a device to the local network and scanned the local network seeking to gain access to the resources, they proceeded to stage three. "Here they logged into the target system and used remote access software to retain access," writes Golovanov. "Next, malicious services created using msfvenom were started on the compromised computer. Because the hackers used fileless attacks (PDF) and PowerShell, they were able to avoid whitelisting technologies and domain policies. If they encountered a whitelisting that could not be bypassed, or PowerShell was blocked on the target computer, the cybercriminals used impacket, and winexesvc.exe or psexec.exe to run executable files remotely." -
North Korean Hackers Hit Cryptocurrency Exchange With macOS Malware (securityweek.com)
A North Korea-linked hacking group, dubbed Lazarus, deployed malware for macOS in an effort to infiltrate cryptocurrency exchanges. "In one of the attacks, which Kaspersky refers to as Operation AppleJeus, the group tricked an unsuspecting employee into downloading a trojanized cryptocurrency trading application that covertly downloaded and installed the Fallchill malware," reports SecurityWeek. Their malware was designed to target macOS in addition to Windows, marking the first time Lazarus has been observed using malware for Apple's OS, according to Kaspersky. The malware was reportedly pushed via an update. Slashdot reader asjk writes: The legitimate-looking application is called Celas Trade Pro and comes from Celas Limited. It's an all-in-one style cryptocurrency trading program which installs malicious code via an update. "... [the program] was seen running the Updater.exe module, which would collect system information and send it back to the server in the form of a GIF image," reports SecurityWeek. "Based on the server's response, the updater either keeps quiet or extracts a payload with base64 and decrypts it using RC4 with another hardcoded key to retrieve an executable file." -
Researchers Uncover Android Malware With Never-Before-Seen Spying Capabilities (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: According to a report published Tuesday by antivirus provider Kaspersky Lab, "Skygofree" is most likely an offensive security product sold by an Italy-based IT company that markets various surveillance wares. With 48 different commands in its latest version, the malware has undergone continuous development since its creation in late 2014. It relies on five separate exploits to gain privileged root access that allows it to bypass key Android security measures. Skygofree is capable of taking pictures, capturing video, and seizing call records, text messages, geolocation data, calendar events, and business-related information stored in device memory. Skygofree also includes the ability to automatically record conversations and noise when an infected device enters a location specified by the person operating the malware. Another never-before-seen feature is the ability to steal WhatsApp messages by abusing the Android Accessibility Service that's designed to help users who have disabilities or who may temporarily be unable to fully interact with a device. A third new feature: the ability to connect infected devices to Wi-Fi networks controlled by attackers. Skygofree also includes other advanced features, including a reverse shell that gives malware operators better remote control of infected devices. The malware also comes with a variety of Windows components that provide among other things a reverse shell, a keylogger, and a mechanism for recording Skype conversations. -
'Loapi' Cryptocurrency Mining Malware Is Causing Phone Batteries To Bulge (newsweek.com)
An anonymous reader quotes a report from Newsweek: Security researchers have discovered a new form of powerful malware that secretly mines cryptocurrency on a person's smartphone, which can physically damage the device if it is not detected. Researchers from the Russia-based cybersecurity firm Kaspersky investigated the malware, dubbed Loapi, which they found hiding in applications in the Android mobile operating system. The malware works by hijacking a smartphone's processor and using the computing power to mine cryptocurrency -- the process of confirming cryptocurrency transactions by completing complex algorithms that generate new units of the currency. Loapi physically broke a test phone used to study the malware, after two days of the device being infected with it. "Because of the constant load caused by the mining module and generated traffic, the battery bulged and deformed the phone cover," the Kaspersky blog states. -
Fake Messages Rigged With Malware Are Spreading Via Facebook Messenger (bleepingcomputer.com)
According to recent warnings issued by Avira, CSIS Security Group, and Kaspersky Lab, a virulent spam campaign has hit Facebook Messenger during the past few days. "The Facebook spam messages contain a link to what appears to be a video," reports Bleeping Computer. "The messages arrive from one of the user's friends, suggesting that person's account was also compromised." From the report: The format of the spam message is the user's first name, the word video, and a bit.ly or t.cn short-link. Users that click on the links are redirected to different pages based on their geographical location and the type of browser and operating system they use. It's been reported that Firefox users on Windows and Mac are being redirected to a page offering a fake Flash Player installer. Kaspersky says this file installs adware on users' PCs. On Chrome, the spam campaign redirects users to a fake YouTube page pushing a malicious extension. It is believed that crooks use this Chrome extension to push adware and collect credentials for new Facebook accounts, which they later use to push the spam messages to new users. -
Petya Ransomware Outbreak Originated In Ukraine Via Tainted Accounting Software (bleepingcomputer.com)
An anonymous reader quotes a report from Bleeping Computer: Today's massive ransomware outbreak was caused by a malicious software update for M.E.Doc, a popular accounting software used by Ukrainian companies. According to several researchers, such as Cisco Talos, ESET, MalwareHunter, Kaspersky Lab, and others, an unknown attacker was able to compromise the software update mechanism for M.E.Doc's servers, and deliver a malicious update to customers. When the update reached M.E.Doc's customers, the tainted software package delivered the Petya ransomware -- also referenced online as NotPetya, or Petna. The Ukrainian software vendor appears to have inadvertently confirmed that something was wrong when, this morning, it issued a security advisory. Hours later, as the ransomware outbreak spread all over Ukraine and other countries across the globe causing huge damages, M.E.Doc denied on Facebook its servers ever served any malware. According to security researcher MalwareHunter, this is not the first time M.E.Doc has carried a malicious software update that delivered ransomware. Back in May, the company's software update mechanism also helped spread the XData ransomware. -
Wana Decryptor Ransomware Using NSA Exploit Leaked By Shadow Brokers To Spread Ransomware Worldwide (threatpost.com)
msm1267 quotes a report from Threatpost: A ransomware attack running rampant through Europe today is spreading via an exploit leaked in the most recent Shadow Brokers dump. Researchers said the attackers behind today's outbreak of WannaCry ransomware are using EternalBlue, an exploit made public by the mysterious group in possession of offensive hacking tools allegedly developed by the NSA. Most of the attacks are concentrated in Russia, but machines in 74 countries have been infected; researchers at Kaspersky Lab said they've recorded more than 45,000 infections so far on their sensors, and expect that number to climb. Sixteen National Health Service (NHS) organizations in the U.K., several large telecommunications companies and utilities in Spain, and other businesses throughout Europe have been infected. Critical services are being interrupted at hospitals across England, and in other locations, businesses are shutting down IT systems. An anonymous Slashdot reader adds: Ransomware scum are using an SMB exploit leaked by the Shadow Brokers last month to fuel a massive ransomware outbreak that exploded online today, making victims all over the world in huge numbers. The ransomware's name is Wana Decrypt0r, but is also referenced online under various names, such as WannaCry, WannaCrypt0r, WannaCrypt, or WCry. The ransomware is using the ETERNALBLUE exploit, which uses a vulnerability in the SMBv1 protocol to infect vulnerable computers left exposed online. Microsoft issued a patch for this vulnerability last March, but there are already 36,000 Wana Decrypt0r victims all over the globe, due to the fact they failed to install it. Until now, the ransomware has laid waste to many Spanish companies, healthcare organizations in the UK, Chinese universities, and Russian government agencies. According to security researchers, the scale of this ransomware outbreak is massive and never-before-seen.
UPDATE: The Guardian reports that "An 'accidental hero' has halted the global spread of the WannaCry ransomware" by discovering a kill switch involving "a very long nonsensical domain name that the malware makes a request to." By registering that domain, the spread of the ransomware was effectively halted. -
Researchers Discover Security Problems Under the Hood of Automobile Apps (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Malware researchers Victor Chebyshev and Mikhail Kuzin examined seven Android apps for connected vehicles and found that the apps were ripe for malicious exploitation. Six of the applications had unencrypted user credentials, and all of them had little in the way of protection against reverse-engineering or the insertion of malware into apps. The vulnerabilities looked at by the Kaspersky researchers focused not on vehicle communication, but on the Android apps associated with the services and the potential for their credentials to be hijacked by malware if a car owner's smartphone is compromised. All seven of the applications allowed the user to remotely unlock their vehicle; six made remote engine start possible (though whether it's possible for someone to drive off with the vehicle without having a key or RFID-equipped key fob present is unclear). Two of the seven apps used unencrypted user logins and passwords, making theft of credentials much easier. And none of the applications performed any sort of integrity check or detection of root permissions to the app's data and events -- making it much easier for someone to create an "evil" version of the app to provide an avenue for attack. While malware versions of these apps would require getting a car owner to install them on their device in order to succeed, Chebyshev and Kuzin suggested that would be possible through a spear-phishing attack warning the owner of a need to do an emergency app update. Other malware might also be able to perform the installation. -
Malware That Fakes Bank Login Screens Found In Google Ads (fastcompany.com)
tedlistens quotes a report from Fast Company: For years, security firms have warned of keystroke logging malware that surreptitiously steals usernames and passwords on desktop and laptop computers. In the past year, a similar threat has begun to emerge on mobile devices: So-called overlay malware that impersonates login pages from popular apps and websites as users launch the apps, enticing them to enter their credentials to banking, social networking, and other services, which are then sent on to attackers. Such malware has even found its way onto Google's AdSense network, according to a report on Monday from Kaspersky Lab. The weapon would automatically download when users visited certain Russian news sites, without requiring users to click on the malicious advertisements. It then prompts users for administrative rights, which makes it harder for antivirus software or the user to remove it, and proceeds to steal credentials through fake login screens, and by intercepting, deleting, and sending text messages. The Kaspersky researchers call it "a gratuitous act of violence against Android users." "By simply viewing their favorite news sites over their morning coffee users can end up downloading last-browser-update.apk, a banking Trojan detected by Kaspersky Lab solutions as Trojan-Banker.AndroidOS.Svpeng.q," according to the company. "There you are, minding your own business, reading the news and BOOM! -- no additional clicks or following links required." The good news is that the issue has since been resolved, according to a Google spokeswoman. Fast Company provides more details about these types of attacks and how to stay safe in its report. -
Snowden Speculates Leak of NSA Spying Tools Is Tied To Russian DNC Hack (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Two former employees of the National Security Agency -- including exiled whistleblower Edward Snowden -- are speculating that Monday's leak of what are now confirmed to be advanced hacking tools belonging to the U.S. government is connected to the separate high-profile hacks and subsequent leaks of two Democratic groups. Private security firms brought in to investigate the breach of the Democratic National Committee and a separate hack of the Democratic Congressional Campaign Committee have said that the software left behind implicates hackers tied to the Russian government. U.S. intelligence officials have privately said they, too, have high confidence of Russian government involvement. Both Snowden and Dave Aitel, an offensive security expert who spent six years as an NSA security scientist, are speculating that Monday's leak by a group calling itself Shadow Brokers is in response to growing tensions between the U.S. and Russia over the hacks on the Democratic groups. As this post was being prepared, researchers with Kaspersky Lab confirmed that the tools belong to Equation Group, one of the most sophisticated hacking groups they've ever investigated. "Why did they do it?" Snowden wrote in a series of tweets early Tuesday morning. "No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack." In a brief post of his own, Aitel agreed that Russia is the most likely suspect behind both the Democratic hacks and the leaking of the NSA spying tools. He also said the NSA data was likely obtained by someone with physical access to an NSA secure area who managed to walk out with a USB stick loaded with secrets. -
Updated Skimer Malware Infects ATMs Worldwide (thestack.com)
An anonymous reader writes: Researchers at Kaspersky have discovered an improved version of Backdoor.Win32.Skimer infecting ATM machines worldwide. The new Skimer allows criminal access to card data, including PIN numbers, as well as to the actual cash located in the machine. The malicious installers use the packer Themida to disguise the Skimer malware which is then installed on the ATM. If the ATM file system is FAT32, the malware drops the file netmgr.dll in the folder C:\Windows\System32. If the ATM has an NTFS file system, netmgr.dll is placed in the executable file of the NTFS data stream, which makes detection and analysis of the malware more difficult. Skimer may lie dormant for months until it is activated with the physical use of a "magic card," which gives access control to the malware, and then offers a list of options that are accessed by inputting a choice on the pin pad. The user can then request the ATM to: show installation details, dispense money, start collecting the details of inserted cards, print collected card details, self delete, enable debug mode, and update. Here's a video of the Skimer malware in action. -
Steam Stealer Malware Becomes Extremely Sophisticated, Remains Very Cheap (securelist.com)
An anonymous reader writes: During the past years, malware aimed at stealing game inventory items from Steam accounts and logging Steam login credentials has become extremely sophisticated, but [has] remained at a lower-tier pricing range on underground hacking forums, rarely going above $10, never over $30. Valve says that it receives 77,000 complaints a month for hacked accounts, and Steam Stealers are responsible for most of them. [The] most targeted game is Counter-Strike: Global Offensive, while Kaspersky Lab says that most of the cyber-gangs behind these malware families are of Eastern European origin, mostly Russian. -
Hackers Abuse Satellite Internet Links To Remain Anonymous
msm1267 writes: Poorly secured satellite-based Internet links are being abused by nation-state hackers, most notably by the Turla APT group, to hide command-and-control operations, researchers at Kaspersky Lab said today. Active for close to a decade, Turla's activities were exposed last year; the Russian-speaking gang has carried out espionage campaigns against more than 500 victims in 45 countries, most of those victims in critical areas such as government agencies, diplomatic and military targets, and others. Its use of hijacked downstream-only links is a cheap ($1,000 a year to maintain) and simple means of moving malware and communicating with compromised machines, Kaspersky researchers wrote in a report. Those connections, albeit slow, are a beacon for hackers because links are not encrypted and ripe for abuse. -
Hacker Group That Hit Twitter, Facebook, Apple and Microsoft Intensifies Attacks
itwbennett writes: The hacker group, which security researchers from Kaspersky Lab and Symantec call Wild Neutron or Morpho, has broken into the networks of over 45 large companies since 2012. After the 2013 attacks against Twitter, Facebook, Apple and Microsoft were highly publicized, the group went underground and temporarily halted its activity. However, its attacks resumed in 2014 and have since intensified, according to separate reports released Wednesday by Kaspersky Lab and Symantec. -
OPSEC For Activists, Because Encryption Is No Guarantee
Nicola Hahn writes: "In the wake of the Snowden revelations strong encryption has been promoted by organizations like The Intercept and Freedom of the Press Foundation as a solution for safeguarding privacy against the encroachment of Big Brother. Even President Obama acknowledges that "there's no scenario in which we don't want really strong encryption."
Yet the public record shows that over the years the NSA has honed its ability to steal encryption keys. Recent reports about the compromise of Gemalto's network and sophisticated firmware manipulation programs by the Office of Tailored Access Operations underscore this reality.
The inconvenient truth is that the current cyber self-defense formulas being presented are conspicuously incomplete. Security tools can and will fail. And when they do, what then? It's called Operational Security (OPSEC), a topic that hasn't received much coverage — but it should." -
New Destover Malware Signed By Stolen Sony Certificate
Trailrunner7 writes: Researchers have discovered a new version of the Destover malware that was used in the recent Sony Pictures Entertainment breaches, and in an ironic twist, the sample is signed by a legitimate certificate stolen from Sony. The new sample is essentially identical to an earlier version of Destover that was not signed. Destover has been used in a variety of attacks in recent years and it's representative of the genre of malware that doesn't just compromise machines and steal data, but can destroy information as well. The attackers who have claimed credit for the attack on Sony have spent the last couple of weeks gradually releasing large amounts of information stolen in the breach, including unreleased movies, personal data of Sony employees and sensitive security information such as digital certificates and passwords. The new, signed version of Destover appears to have been compiled in July and was signed on Dec. 5, the day after Kaspersky Lab published an analysis of the known samples of the malware. -
Stealthy Linux Trojan May Have Infected Victims For Years
An anonymous reader writes: Researchers from Moscow-based Kaspersky Labs have uncovered an extremely stealthy trojan for Linux systems that attackers have been using to siphon sensitive data from governments and pharmaceutical companies around the world.
The malware may have sat unnoticed on at least one victim computer for years, although Kaspersky Lab researchers still have not confirmed that suspicion. The trojan is able to run arbitrary commands even though it requires no elevated system privileges. -
First Victims of the Stuxnet Worm Revealed
An anonymous reader writes: Analyzing more than 2,000 Stuxnet files collected over a two-year period, Kaspersky Lab can identify the first victims of the Stuxnet worm. Initially security researchers had no doubt that the whole attack had a targeted nature. The code of the Stuxnet worm looked professional and exclusive; there was evidence that extremely expensive zero-day vulnerabilities were used. However, it wasn't yet known what kind of organizations were attacked first and how the malware ultimately made it right through to the uranium enrichment centrifuges in the particular top secret facilities. Kaspersky Lab analysis sheds light on these questions. -
Attackers Install DDoS Bots On Amazon Cloud
itwbennett (1594911) writes "Attackers are exploiting a vulnerability in distributed search engine software Elasticsearch to install DDoS malware on Amazon and possibly other cloud servers. Last week security researchers from Kaspersky Lab found new variants of Mayday, a Trojan program for Linux that's used to launch distributed denial-of-service (DDoS) attacks. The malware supports several DDoS techniques, including DNS amplification. One of the new Mayday variants was found running on compromised Amazon EC2 server instances, but this is not the only platform being misused, said Kaspersky Lab researcher Kurt Baumgartner Friday in a blog post." -
They're Spying On You: Hacking Team Mobile Malware, Infrastructure Uncovered
msm1267 (2804139) writes: Controversial spyware commercially developed by Italy's Hacking Team and sold to governments and law enforcement for the purpose of surveillance has a global command and control infrastructure. For the first time, security experts have insight into how its mobile malware components work. Collaborating teams of researchers from Kaspersky Lab and Citizen Lab at the Munk School of Global Affairs at the University of Toronto today reported on their findings during an event in London. The breadth of the command infrastructure supporting Hacking Team's Remote Control System (RCS) is extensive, with 326 servers outed in more than 40 countries; the report also provides the first details on the inner workings of the RCS mobile components for Apple iOS and Android devices. Adds reader Trailrunner7: [T]he report also provides the first details on the inner workings of the RCS mobile components for Apple iOS and Android devices. The new modules provide governments and law enforcement officers with extensive monitoring capabilities over victims, including the ability to report on their location, steal data from their device, use the device's microphone in real time, intercept voice and SMS messages sent via applications such as Skype, WhatsApp, Viber, and much more. -
New Zero-Day Flash Bug Affects Windows, OS X, and Linux Computers
An anonymous reader writes "Researchers at the Kaspersky Lab have uncovered a zero-day Adobe Flash vulnerability that affects Windows, OS X, and Linux. 'While the exploit Kaspersky observed attacked only computers running Microsoft Windows, the underlying flaw, which is formally categorized as CVE-2014-1776 and resides in a Flash component known as the Pixel Bender, is present in the Adobe application built for OS X and Linux machines as well.' Adobe has reportedly patched the bug for all platforms. Researchers first detected the bug from attacks performed on seven Syrian computers. The attacks seem to have been hosted on the Syrian Ministry of Justice website, which has led to speculation that these are state-sponsored vulnerability exploits. This speculation is further supported by evidence that one of the exploits was 'designed to target computers that have the Cisco Systems MeetingPlace Express Add-In version 5x0 installed. The app is used to view documents and images during Web conferences.'" -
Kaspersky: Mt. Gox Data Archive Contains Bitcoin-Stealing Malware
itwbennett writes "An archive containing transaction records from Mt. Gox that was released on the Internet last week also contains bitcoin-stealing malware for Windows and Mac, say researchers at Kaspersky Lab who have analyzed the 620MB file called MtGox2014Leak.zip. The files masquerade as Windows and Mac versions of a custom, back-office application for accessing the transaction database of Mt. Gox. However, they are actually malware programs designed to search and steal Bitcoin wallet files from computers, Kaspersky security researcher Sergey Lozhkin said Friday in a blog post." -
Safari Stores Previous Browsing Session Data Unencrypted
msm1267 writes "Users of Apple's Safari browser are at risk for information loss because of a feature common to most browsers that restores previous sessions. The problem with Safari is that it stores session information including authentication credentials used in previous HTTPS sessions in a plaintext XML file called a Property list, or plist, file. The plist files, a researcher with Kaspersky Lab's Global Research and Analysis Team said, are stored in a hidden folder, but hiding them in plain sight isn't much of a hurdle for a determined attacker. 'The complete authorized session on the site is saved in the plist file in full view despite the use of https,' said researcher Vyacheslav Zakorzhevsky on the Securelist blog. 'The file itself is located in a hidden folder, but is available for anyone to read.'" -
VLC And Secunia Fighting Over Vulnerability Reports
benjymouse writes "Following a blog post by security company Secunia, VideoLAN (vendor of popular VLC media player) president Jean-Baptiste Kempf accuses Secunia of lying in a blog post titled 'More lies from Secunia.' It seems that Secunia and Jean-Baptiste Kempf have different views on whether a vulnerability has been patched. At one point VLC threatened legal action unless Secunia updated their SA51464 security advisory to show the issue as patched. While Secunia changed the status pending their own investigation, they later reverted to 'unpatched.' Secunia claimed that they had PoC illustrating that the root issue still existed and 3rd party confirmation (an independent security researcher found the same issue and reported it to Secunia)." There are two bugs: one is a vulnerability in ffmpeg's swf parser that vlc worked around since they don't support swf. The VLC developers think Secunia should have reported the bug to ffmpeg, which seems pretty sensible. The other bug is an uncaught exception in the Matroska demuxer with overly large chunks that merely results in std::terminate being called; the Matroska demux maintainer apologized, but, despite dire warnings from Secunia that it could be exploitable, it most certainly is not. -
Spikes Detected In Autorun Malware
msm1267 writes "Researchers recently have seen a major increase in the volume of autorun malware in some countries, thanks to a couple of new worms infecting those older machines. The two new worms, Worm.JS.AutoRun and Worm.Java.AutoRun, both take advantage of the autorun functionality to spread, and the JavaScript worm has other methods of propagation, as well. Researchers at Kaspersky Lab say that the volume of autorun worms has remained relatively constant over the last few months, but there was a major spike in those numbers in April and May, thanks to the distribution of the two new pieces of malware." -
Android Malware "Obad" Called Most Sophisticated Yet
chicksdaddy writes "A new malicious program that runs on Android mobile devices exploits vulnerabilities in Google's mobile operating system to extend the application's permissions on the infected device, and to block attempts to remove the malicious application, The Security Ledger reports. The malware, dubbed Backdoor.AndroidOS.Obad.a, is described as a 'multi function Trojan.' Like most profit-oriented mobile malware, Obad is primarily an SMS Trojan, which surreptitiously sends short message service (SMS) messages to premium numbers. However, it is capable of downloading additional modules and of spreading via Bluetooth connections. Writing on the Securelist blog, malware researcher Roman Unuchek called the newly discovered Trojan the 'most sophisticated' malicious program yet for Android phones. He cited the Trojan's advanced features, including complex code obfuscation techniques that complicated analysis of the code, and the use of a previously unknown vulnerability in Android that allows Obad to elevate its privileges on infected devices and block removal." -
"Winnti" Attacks On Online Gaming Servers Dissected
Nerval's Lobster writes "Kaspersky Lab has completed a detailed analysis of "Winnti," a group of Asian hackers who target servers hosted by gaming companies, copying their source code and surreptitiously stealing money or virtual goods over time. In findings published April 10, the security firm said it had completed the latest phase of its eighteen-month investigation. A more detailed account of an actual attack was published separately (PDF). Winnti has attacked two gaming companies in North America, two in Germany, two in Russia, and fourteen in South Korea. Although the Winnti group has been around for years, it first came to light in 2011, when Trojans began appearing on the PCs of users playing MMORPGs, online computer games which usually require a monthly subscription. Those Trojans, which included RAT (Remote Administration Tool) functionality, had been "signed" with the digital certificate of KOG, a South Korean gaming company. In the course of its investigation, Kaspersky discovered that the gaming companies (which often share resources, partner, and subcontract out work to one another) had provided an opportunity for the Winnti team to secure access to otherwise legitimate digital certificates, which could be used to sign malware. Malware signed by Japanese gaming company YNK Japan was used to attack the servers of social networks Cyworld and Nate in South Korea in 2011." -
Targeted Attack Campaign Uses Android Malware
Trailrunner7 writes "Android attacks have become all the rage in the last year or two, and targeted attacks against political activists in Tibet, Iran and other countries have been bubbling up to the surface more and more often. Now, those two trends have converged with the discovery of a targeted attack campaign that's going after Tibetan and Uyghur activists with a spear-phishing message containing a malicious APK file. Researchers say the attack appears to be coming from Chinese sources. The new campaign began a few days ago when unknown attackers were able to compromise the email account of a well-known Tibetan activist. The attackers then used that account to begin sending a series of spear-phishing messages to other activists in the victim's contact list. One of the messages referred to a human rights conference in Geneva in March, using the recipients' legitimate interest in the conference as bait to get them to open the attachment. The malicious attachment in the emails is named 'WUC's Conference.apk.'" -
'Old School' Hackers Attack European Governments Using 'MiniDuke' Malware
puddingebola writes "The Guardian reports that hackers have been targeting officials from over 20 European governments with a new piece of malware called 'MiniDuke.' 'The cybersecurity firm Kaspersky Lab, which discovered MiniDuke, said the attackers had servers based in Panama and Turkey – but an examination of the code revealed no further clues about its origin (PDF). Governments targeted include those of Ireland, Romania, Portugal, Belgium and the Czech Republic. The malware also compromised the computers of a prominent research foundation in Hungary, two thinktanks, and an unnamed healthcare provider in the US.' Eugene Kaspersky says it's an unusual piece of malware because it's reminiscent of attacks from two decades ago. 'I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyber world.' The computers were corrupted through an Adobe PDF attachment to an email." -
"Red October" Espionage Malware Campaign Uncovered
L3sPau1 writes "For five years, it hid in the weeds of networks used by Eastern European diplomats, government employees and scientific research organizations, stealing data and infecting more machines in an espionage campaign rivaling Flame and others of its ilk. The campaign, called Rocra or Red October by researchers at Kaspersky Lab, focused not only on workstations, but mobile devices and networking gear to gain a foothold inside strategic organizations. Once inside, attackers pivoted internally and stole everything from files on desktops, smartphones and FTP servers, to email databases using exploits developed in Chinese and Russian malware, Kaspersky researchers said." -
New Malware Wiping Data On Computers In Iran
L3sPau1 writes "Iran's computer emergency response team is reporting new malware targeting computers in the country that is wiping data from partitions D through I. It is set to launch on only particular dates. 'Clearly, the attacker was trying to think ahead. After trying to delete all the files on a particular partition the malware runs chkdsk on said partition. I assume the attacker is trying to make the loss of all files look like a software or hardware failure. Next to these BAT2EXE files there's also a 16-bit SLEEP file, which is not malicious. 16-bit files don't actually run on 64-bit versions of Windows. This immediately gives away the malware's presence on an x64 machine.' While there has been other data-wiping malware targeting Iran and other Middle East countries such as Wiper and Shamoon, researchers said there is no immediate connection." -
Interviews: Eugene Kaspersky Answers Your Questions
Last week, you asked questions of Eugene Kaspersky; below, find his answers on a range of topics, from the relationship of malware makers to malware hunters, to Kaspersky Lab's relationship to the Putin government, as well as whitelisting vs. signature-based detection, Internet ID schemes, and the SCADA-specific operating system Kaspersky is working on. Spoiler: There are a lot of interesting facts here, as well as some teases.
Which OS/OSs do you run?
by magic maverick
While MS Windows is the most common computer OS around, there are obviously many others. For your personal use, what is your main OS, and how do you keep it secure (do you, e.g., run MS Windows with anti-malware software, or do you run Ubuntu Linux with the defaults)? Is this a setup that you would suggest for others, or is it too esoteric?
Eugene Kaspersky: I'm afraid my answer's nothing special — I've got Windows 7 on my laptop + Kaspersky Internet Security 2013. To put it short, I've no need for any other operating systems like Ubuntu or Mac OS, and some software I need is available only under Windows.
The special thing about my devices is that I don't have a smartphone. I use a good old Sony Ericsson, whose most advanced feature is its (handy) flashlight. A simple phone like this is the safest mobile you could ever choose!
On this topic I also have a few tips I can share with you:
- Outside the KL corporate network I always use a VPN connection. If you have the possibility to use VPN — do so. It's a very useful way to minimize risks.
- Always use quality security software and keep it updated (automatically). That is an absolute must.
- I prefer using browsers with a relatively high security level (e.g., Chrome) and I disable scripts in it.
- And finally, the most important rule — also the simplest: always — always — use your head. I'm certain that the above + common sense is perfectly sufficient for secure personal use.
What color is your hat?
by eldavojohn
I feel like when someone is as deep in malware protection as you are, you're basically running malware and, I assume, developing malware or finding exploitable aspects of software. I notice you "discover" a lot of malware but I don't recall seeing you publish any exploits. How much malware development do you do? Any at all? Is there anyone in your company that attempts to mimic what other malware does so you can better understand it? Do you feel like that is a necessity in the field of malware protection?
EK: No, no and no. We don't develop malware and we don't publish exploits. Both happen to be illegal — and amoral. I don't recommend that you do either.
Firemen don't start fires, doctors don't infect people, and antivirus companies don't create viruses. Any at all.
We detect 200,000 new threats every day as it is. Keeping on top of them all is quite a task. And another thing — we don't hire ex-hackers. Our business is built on trust, and we apply the highest standards in sensitive areas of our work: in malware analysis, product development, etc. Like a homicide detective doesn't need to kill to investigate a murder more effectively, a good expert doesn't need to be on the dark side to analyze viruses and predict what may come next.
Why do we still use the black list security model?
by Zaphod-AVA
Malware continues to be successful despite our current efforts. Why do we continue to use the same failed security model? Automated white listing seems like a better answer to modern security problems.
Imagine a whitelist that checks with a central repository that reputable software manufacturers send their updates to. Even with updates, checking the software you regularly run is now a simpler problem than comparing everything you run to a list of all the malware in existence.
EK: Actually we do use a whitelist security approach. Modern antiviruses are not simply based on signature analysis; they are sophisticated pieces of software containing whitelisting as well. Faced with constantly increasing malicious activity, the AV industry needs to seriously toughen up and come up with new approaches. One such new approach is the application of whitelisting technology.
Whitelisting takes a different view of computer files. It doesn't look for the bad things on your PC like with the traditional pattern-based approach, instead it just checks if files are safe based on whether such files are already whitelisted — already in the whitelist database of known-to-be-ok software. Any files that aren't already whitelisted are marked as potentially bogus. Our whitelist of ok'ed files is now populated by more than 530 million green-lighted files.
Now, depending on the settings you make in the antivirus program, files not included in the whitelist directory can be either automatically blocked (particularly useful in a corporate environment), or flagged as suspicious and sent for additional checks by anti-virus components. For the suspicious ones, a further stage of analysis can be performed by running them in Safe Run — an isolated sandbox environment from which maliciousness can't contaminate the computer's environment proper. Alternatively, right-clicking a file gives you its reputation info from our cloud-based KSN (video, details), which incidentally gets 400,000 file-checking requests per second!
The traditional pattern-based approach by its nature needs to catch 100% of all the maliciousness on a computer to be effective. Besides, every instance of malware needs to be analyzed and entered into a database, which takes time, and this is a crucial moment if we talk about epidemics. Whitelisting, on the other hand, isn't bothered about bogusness directly — it's not its concern. It concentrates instead on simply detecting possibly bogus files — files not included in the whitelist, just in case, as it were. And this task is completed in seconds — much quicker than the traditional approach's task. Since today we detect around 200,000 malware samples every day, and this figure is only going to keep on increasing, just in case becomes crucially important, and isn't just some new bell/whistle addition to traditional antivirus.
Of course, let the pattern approach keep at it with the baddies, which it is doing, valiantly. But also let whitelisting do its thing with goodies. The result? Superior overall protection — a lot quicker. Kind of what we're all after, after all.
Re: Assembly code and vulnerability of Apple
by dave562
We see Apple growing in market share and one of the memes that has been accepted by a large part of the community is that Apple is not targeted by malware authors in part because the return on investment is not as high as it is for Windows machines. To put it another way, if a malware author targets Windows they get millions of home users, but more importantly, they also have the potential to infect corporate systems, server farms, etc. If they go after OS X, they get a bunch of home computers and some audio visual professionals.
Apple's market share is growing, and they also have converted their OS over to run on Intel chips. It now shares the same hardware base as PCs that run Windows. Given that all of the really advanced malware code (rootkits, polymorphism, etc.) is written in Assembly, do you foresee any tipping point coming where OS X will be targeted on a large scale like Windows has been? Or is there simply not enough of a payoff there for the malware creators, given the ease of exploitation and widespread deployment of Windows?
EK: Cybercrime today is no game; it's a very successful business. Its underlying principle is simple: risks are taken and attacks are invested in only if lots of money can be earned. The more users you can reach — the more money you may get. Simple. These days Mac OS market share is high enough to be attractive to the bad guys. In 2011 it was estimated that Apple had over 5% of worldwide desktop/laptop market share. And figures by web-tracking company Net Applications for the month of August 2012 show that Apple's combined share of the desktop market — counting versions 10.4 and after of OS X — is 7.11%, while Windows Vista for example takes 6.1%! This is a significant figure already, and that's why cyber criminals are turning their heads towards Apple.
The Flashfake epidemic, the first global Trojan for Mac OS, highlighted two things:
First, it showed that the most popular Windows attack scenario can be easily copied for Mac: a Trojan spreads via drive-by downloads — no user interaction needed, no clicks, no admin password. Just surf to a hacked website and the malware gets installed onto your computer automatically.
Second, epidemics are indeed now possible for Mac: if you compare the number of computers infected by Flashfake with the overall number of Macs, you'll find out that the "iBotnet" can be compared to Conficker — the biggest PC-botnet in history!
In sum this all means that we've reached the stage where attacks on Mac OS have become a usual phenomenon — not unusual as claimed in the past. And the scale will only increase. The Apple marketing people may not like it, but it's time to admit it — yes guys, your system is as vulnerable as Windows. Don't ignore the lesson of Flashfake. Think serious about security, not just different [sic].
Re: Healthcare/industry-specific software?
by HideyoshiJ
Many pieces of software and hardware used in healthcare are required to pass FDA certification, especially in areas like radiology. Often times, these vendors report that because they are certified on a certain patch level, these systems cannot be patched without losing that certification. Do you see any solutions to the current state of industry-specific software's seeming lack of quality, updates and security?
EK: What works best in these circumstances is whitelisting. We realized the importance of whitelisting a long time ago when we started our whitelisting program. Like many technologies, whitelisting is not a solution by itself, but in terms of more completely protected machines in healthcare it really does help. What's more, because such machines generally go unchanged the whitelisting rules can be extra strict. In our experience this works very well, especially in combination with technologies such as exploit prevention.
Anonymous Internet IDs
by AaronLS
Do you believe everyone could be issued an ID, and still remain anonymous? What I mean is, I believe that you could ensure each of your users is unique, but not necessarily know who they are. If everyone is issued a certificate signed by some trusted authority, one could verify that the certificate is valid, without the certificate exposing the information about who you are. You could even have a scheme that lets the authority issue you multiple IDs, but only one for each unique ForUseWithDomain attribute, such that if you wanted to keep your identity from being correlated across different sites, you could do so. This could probably even be automated.
This would ensure that if you banned a malicious user from your site, they wouldn't be able to come back without compromising someone else's certificate. Yet, you still get a high level of anonymity.
Sites that require non-anonymous access could deny anonymous certificates, and require that you authorize access to full name perhaps. This would be like OpenID in the way it will prompt you for a site requesting additional information, like your email.
EK: Firstly, in my opinion, Internet IDs aren't necessary for every type of Internet activity. Let me clarify in what cases I think Internet ID is needed. I believe the World Wide Web should be divided into three zones. Red zone is for critical processes: voting in elections, online banking, interactions with official bodies, and other critical transactions. For operations in this zone an Internet ID should be necessary. This is in everyone's interest — no one wants to lose private data which in some cases may lead to losing money, for example. Then comes the grey zone, where minimal authorization is needed. For example, age verification for online shops selling alcohol or adult stores. I don't think an Internet ID is necessary for this zone. You're right — Open ID is enough. And finally — the green zone: blogs, social networks, news sites, chats ... — everything related to your freedom of speech. No authorization required.
I suggest using special proxies for surfing in the red zone. You register using your Internet ID and then you use a nickname. Nobody can see your real name. If you break the law, your identity is subject to disclosure after legal procedures and a court decision. I want to stress that nobody can discover your real identity if you observe the law.
Re: Online anonymity
by gallondr00nk
Recent protest movements and the Arab Spring have shown that the ability to use the Internet anonymously is crucial to organizing resistance and circumventing censorship or oppression. In light of that have you modified your views on the "Internet ID"?
EK: My position on Internet ID is developing. The more governments speak about regulation of the Internet, the more liberal I become. I'm really worried that one day governments will go too far in their attempts to control the WWW and its users.
After the Arab spring I've slightly changed my views on the subject. I still think that Internet IDs are required for certain operations, but as I've explained above, you don't need them when, say, surfing social networks. And as far as I know it was specifically Twitter and Facebook that were used as communication tools for protesters during the Arab Spring.
Re: "Approved" Spyware
by Fnord666
I assume that various state sponsored agencies provide you with their "research" tools and ask that you not detect them with your products nor should you interfere with their operation. To what extent does this happen, to what degree are you "asked" to comply, and to what degree are you forbidden to discuss this topic? Do you, or if you had the opportunity to do so without repercussions would you, offer a version of your products that identified and disabled this spyware?
EK: There is nobody who can forbid me from discussing this topic, so here you go. The short answer is no — we don't have relations with state sponsored agencies in the way you describe. Nor ever will.
Reputation is an extremely important asset in our business. If you let somebody be your bodyguard you need to be 100% sure that you can rely on this guy. And it's the same for users and companies when choosing security software. Trust is everything for us. If we had such a skeleton in the closet, our rep would go into a nosedive. And believe me, such a skeleton would be found if it ever existed: I'm pretty sure that our products are analyzed scrupulously by competitors, cyber criminals and governments. No, secret agreements with state agencies like the one you imagine — there's never been such a thing nor ever will be.
Kaspersky's relationship with the government
by swb
Does Kaspersky have a relationship with the Putin administration or the FSB? Do either of these organizations have any influence on the business practices or technology of Kaspersky antivirus? Should a security minded person be concerned with the geographic origin of security software?
EK: Firstly, we have relations with law enforcement agencies in many countries, not only in Russia, as per which we provide expertise. Moreover, all the world's leading security companies — Symantec, McAfee/Intel, and Kaspersky Lab — we all collaborate with law enforcement bodies in our own countries and worldwide — to help fight cybercrime. CERTs, the FBI, FSB, Interpol, etc. — our duty is to help them investigate criminal cases.
Without the expertise of security professionals, successful law enforcement operations would be an unattainable dream. When cybercrime cases are domestic, IT Security companies work with their law enforcement agencies to assist in investigations. When they're international, they work with the appropriate law enforcement authorities of the affected countries to abide by legal policies and federal jurisdictions. This cooperation is crucial in fighting cybercrime worldwide, and we are proud to be a part of the process.
Secondly, Kaspersky Lab is a private international company which registered its holding in Great Britain in 2006. This means that our financial reporting is completely transparent and freely available to anyone. As a private company we act independently. There's no organization that could influence our business or product development.
And finally, regarding origin: Paranoia can be useful sometimes, but you should have good reasons for it. Should the security minded person be concerned that his/her laptop is assembled in China? Or that Intel, which produces most processors, has plants not only in the US, but also in Israel, Ireland and China too? Many other chip companies of course design their chips but have them produced by third parties — mostly in Taiwan and China. Should one be worried that one of the leading Microsoft R&D centers is situated in Israel? Or that the SAP headquarters is in Germany, Sony's in Japan, and Acer's in Taiwan?
We live in the age of globalization. Kaspersky Lab has R&D centers and virus experts around the world, including Russia, Europe, Japan, China, the United States and Latin America. It's simply not a question of origin any more.
In the early 2000s, when we first entered both the UK and US markets, we were perceived with a somewhat prejudiced attitude. Nobody took much notice of our product quality, only of its origin. However, I think that was because of a lack of information about our company and the products we supplied. Over the years the situation has changed: it's impossible for a superior quality product to stay ignored.
Are you safe Mr. Kaspersky?
by Lieutenant_Dan
You're operating out of the same country that has a ton of botnet operators raking in some decent dough with cheap pharmaceutical sales thanks to people desperate or naive enough to do so.
There have been some interesting stories hailing from your corner of the world. How do you feel about your ability to run your company the way you want and without any threats to you or your staff?
EK: Botnet operators? Cyber criminals? I'd say they're the most tamed animals in our zoo! In recent years we've been discovering much wilder, more dangerous stuff — more and more viruses that can be classified as cyber weapons, created by nation states or by private companies sponsored by them.
Though you can never be absolutely safe, our staff hasn't been threatened, and I hope never will be. This may be because we fight malware, we don't conduct criminal investigations. This is what the police should do.
Re: Your secure OS
by lister king of smeg
You plan on making a secure OS for industrial/infrastructure systems; do you plan on basing it on preexisting open kernels, such as BSD, Linux, Haiku, or Mach? Will it be Unix/Posix like? Will it be a monolithic or micro kernel? Or are you thinking more of a hypervisor that hosts and monitors the guest OS for SCADA systems?
EK: It will not be based on Linux or any other OS. Existing operating systems weren't created with security in mind. Security is an extra option for many of them, and vulnerabilities are inevitable. Of course existing systems have a lot going for them — and we recognize that. But I think that their level of security isn't high enough to cope with today's threats.
We're developing our OS at the micro kernel level.
We support the POSIX standard to the extent it does not contradict our security principles. Our main target is to create a development platform for those interested in producing software or hardware with very high levels of security. As for a hypervisor, its creation is not our original intent, although we're not completely disregarding such a development path.
Re: Your exploit-free OS
by eldavojohn
Recently you confirmed you're working on an exploit-free OS following all the SCADA attacks. Among other things, you're claiming it is to be written from scratch but I can't find many details on what it's going to look like architecturally. You say: "Architecturally, the operating system is constructed in such a way that even a break-in into any of the components or applications loaded onto it won't allow an intruder to gain control over it or to run malicious code."
Could you expound on this? Are you writing this code or still in the design phase? Or better yet, could you compare it to something like, say, CentOS or Debian, and tell us how your architecture is going to be more secure? I understand you're scoping down the requirements of your OS to be more easily manageable, but the skeptic in me feels like it just can't be done. The cat and mouse game must be played in some form or fashion.
EK: This highly-complex project is extremely time consuming. We are still writing the code but we already have several working prototypes.
Don't believe the skeptic inside you. It is possible. Our OS will guarantee the possibility to run just preliminarily and explicitly declared functionality. I'm afraid I'm not ready to disclose much information at this stage — our rivals are watching. We are also currently collaborating with hardware manufacturers. Where there is a need for a superior level of security we plan to provide an integral, reliable computer appliance developed by our own team of specialists. Regarding architecture, we're not restricting ourselves to anything specific such as x86 or ARM. The hardware will definitely have to meet some specific requirements because it will have a direct bearing on the ability to ensure the required security guarantees. Follow our news — it's going to be interesting.
Re: The importance of programming language to SCADA security?
by Anonymous Coward
How important will the process of choosing a "language-based system" be to ensure the security of the operating system you envision? Choosing a type-safe language to create a memory-safe OS can help with the threats posed by the Internet or malware while also reducing some complex code used to get around a lack of type-safety in an OS. Will you be creating your own system or general purpose programming language to ensure this security in this way? If not, there are a few languages already available, or partially available, to choose from: Cyclone (an extension of the last version of C), Red/System (still under development), Euphoria (a system language with type-checking, and it uses simple words instead of punctuation to improve readability) and the combination of a type-safe Assembly that handles hardware and memory with managed C# that handles the rest of the kernel and the applications (like Microsoft implements in the Verve OS and might implement in a future Windows; that is, code-name Midori).
EK: Using a type-safe language is an interesting and promising approach, although we're not using it in our micro-kernel. We give a higher priority to tailoring OS architecture along with our security principles, which do not depend on the implementation language. More details on the approaches we use we'll share later.
Re: Malware's history and future?
by Anonymous Coward
You've been in computer security a long time, and have seen many things come and go. DOS/bootsector viruses, Windows viruses, macro viruses, rise of worms to replace them, and now the commercialization of malware with botnets, extortion-ware and the targeted weaponised malware like the one that hit Iran (and who knows what else). What's changed? What's remained the same? What about the malware creators — has their motivation changed? Where do you believe things are headed?
EK: Twenty years ago malware was a curious toy for programmers. Ten years ago it was a criminal instrument for bad guys who wanted to earn some money. Today it's a cyber weapon for governments. And that is the main and the most dangerous tendency of recent years.
Recent malware — Stuxnet, Duqu, Flame, Gauss — proved that cyber weapons (i) are relatively cheap to produce, (ii) are effective, (iii) mostly go undetected, (iv) leave their authors anonymous, and (v) can be easily replicated. And they're hard to protect against. They look like perfect weapons to some governments. In the meantime, Pandora's box is now wide open.
The most dangerous aspect of cyber weapons is their unpredictable side effects. A worst case scenario is when a cyber weapon aimed at a specific industrial object — like, say, Stuxnet — isn't actually able to accurately pick out its victim — either down to a mistake in the algorithm or a banal error in the code. As a result of such an attack the targeted victim — let's say a nuclear power station — would not be the only one affected: all the other nuclear stations in the world built with the same design would be too. Sounds scary, doesn't it? And without control from an international body, it could become more than scary: catastrophic.
As concerns home/consumer users, the defining feature of the next decade will be an enormous shift to mobile OS — and all the cyber criminals will be there already to greet them. The more financial transactions we conduct using smartphones, the more cyber criminals will target them. Future developments are likely to see more mobile botnets and drive-by downloads. There is also a high probability that the first mass worm for Android will appear, capable of spreading itself via text messages and sending out links to itself at some online app store. We're also likely to see more mobile botnets, of the sort created using the RootSmart backdoor.
Digital concepts young people should learn?
by davecrusoe
There's much talk about combating malware through technical solutions (e.g., adding transparency to communication, building increasingly sophisticated scanning systems, etc.). But what interests me is what we should be teaching our young people (children in primary and secondary school) with respect to the expertise we wished all adults possessed. In your estimation, what are 2-3 things that, if young people understood well, would help them excel in the face of cyber adversity (e.g., malware, privacy theft, etc.)?
EK: The most important advice I can give to young people is to always use your head. It might sound too simplistic, but if everyone who surfs online followed this rule the risks would be minimized. Don't download suspicious applications, and use social networks with caution. The largest portion of viruses is being spread with the use of social engineering, so never open links or files from unknown persons. Never ever! And even if you know the person, double check before doing so. Another way is to open suspicious files or links in a Sandbox mode.
Also, always use up-to-date quality security software. Free AV products are not a solution. Don't forget to update your system regularly. Install all the patches from the software developer and don't ignore update notifications.
By following these few simple rules you can minimize the risks online. As I mentioned, I've got standard Windows running with Internet Security, and I don't experience any problems with online surfing.
Malware Used in Aramco Attack Likely Work of Amateurs
wiredmikey writes with this excerpt from Security Week: "The Disttrack/Shamoon malware, while destructive, appears to be the work of amateurs and not elite and sophisticated developers, according to the latest analysis. The malware proved that it was possible for developers to subvert legitimate kernel-mode applications for malicious purposes, but it appears that the malware could have been even more destructive and dangerous, if it had not been for a series of programming mistakes in the code, according to recent analysis from Kaspersky Lab. Other suggestions that the developers behind the Shamoon malware are not high-profile programmers include that the command-and-control server is hard-coded as two addresses, which limits the tool since if the address ever changes, the infected machine can no longer receive instructions. The developers were most likely motivated by political reasons, as the malware overwrote existing files with a fragment of an image of a burning American flag. The malware has also been reported to be linked to the recent Saudi Aramco attack, in which some reports have suggested that insiders may have been partly involved. Saudi Aramco hasn't officially said what type of malware hit its systems."
Destructive Shamoon Malware Targets Energy Sector
An anonymous reader writes "A new spear-phishing attack targeting a number of specific companies in a few industries, including the energy sector, has been spotted by several security companies. Dubbed 'Shamoon' due to a string of a folder name within the malware executable, the attack ends up delivering destructive malware on the targeted computers that ends up making them unusable. The interesting part of this malware is that instead of staying under the radar and collecting information, the malware was designed to overwrite and wipe the files and the master boot record of the computer."
Researchers Seek Help Cracking Gauss Mystery Payload
An anonymous reader writes "Researchers at Kaspersky Lab are asking the public for help in cracking an encrypted warhead that gets delivered to infected machines by the recently discovered Gauss malware toolkit. They're publishing encrypted sections and hashes in the hope that cryptographers will be able to help them out." Adds reader DavidGilbert99: "The so-called Godel module is targeting a specific machine with specific system configurations, and Kaspersky believes the victim is likely a high-profile target. The decryption key, Kaspersky believes, will be derived from these specific system configurations, and so far it has been unable to find out what they are."
New State-Sponsored Malware "Gauss" Making the Rounds
EliSowash writes "A newly uncovered espionage tool, apparently designed by the same people behind the state-sponsored Flame malware that infiltrated machines in Iran, has been found infecting systems in other countries in the Middle East, according to Kaspersky researchers. Gauss is a nation-state-sponsored banking Trojan which carries a warhead of unknown designation. Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload which is activated on certain specific system configurations. Just like Duqu was based on the 'Tilded' platform on which Stuxnet was developed, Gauss is based on the 'Flame' platform."
Zeus Trojan Hits Blackberry Devices
wiredmikey writes "Despite its significant user base within enterprises, BlackBerry devices have managed to stay off the radar for malware writers. That may be ending, as four new Zeus-in-the-mobile (Zitmo) samples targeting BlackBerry users in Germany, Spain, and Italy have been found. Zitmo, which hit Android devices back in July 2011, refers to a version of the Zeus malware that specifically targets mobile devices. Denis Maslennikov, a security researcher at Kaspersky Lab, also identified a new Zitmo variant for Android using the same command and control (C&C) numbers as the BlackBerry versions. While previous Android variants have been primitive, the latest .apk dropper, which shows up as an app 'Zertifikat,' looks 'more similar to "classic" Zitmo,' he said. When executed, it displays a message in German that the installation was successful, along with an activation code. The Android sample also included a self-issued certificate that indicates it was developed less than a month ago."
New Version of the MaControl Trojan Spotted In the Wild
EliSowash writes "A new version of the MaControl malware has been reported in the wild. More information on the malware, its behavior, and the attack campaign is available from Kaspersky Labs, who discovered this variant. As more malware authors become motivated to attack OS X it is likely that we will continue to see targeted attacks such as this in the future. Just like with PC malware, a combination of exploits and social engineering tricks are generally the most effective; it won't be surprising to see a spike in such attacks soon."
New Mac Virus Discovered, Making the Rounds
sl4shd0rk writes "A new Mac OS X exploit was discovered Friday morning by Kaspersky Labs which propagates through a zipfile attachment. The attachment tricks the Mac user into installing a variant of the MaControl backdoor via point-and-grunt. Embedded in the virus is an encrypted IP address belonging to a server in China which is believed to be a C+C server. Once installed, the virus opens a backdoor allowing the attacker on the C+C server to run commands on the compromised machine. Shortly after Kaspersky's announcement, AlienVault Labs claims to have found a similar version of the Mac malware which infects Windows machines. The Windows version appears to be a variant of the Gh0st RAT malware used last month in targeted attacks against Central Tibetan Administration. Both viruses are suspected of being tools in a campaign to attack Uyghur Activists."
Flame: The Massive Stuxnet-Level Malware Sweeping the Middle East
An anonymous reader writes "Wired is reporting on a massive, highly sophisticated piece of malware that has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation. Kaspersky Lab, the company that discovered the malware, has a FAQ with more details."
New Targeted Mac OS X Trojan Requires No User Interaction
An anonymous reader writes "Another Mac OS X Trojan has been spotted in the wild; this one exploits Java vulnerabilities just like the Flashback Trojan. Also just like Flashback, this new Trojan requires no user interaction to infect your Apple Mac. Kaspersky refers to it as 'Backdoor.OSX.SabPub.a' while Sophos calls it 'SX/Sabpab-A.'"
Java Web Attack Installs Malware In RAM
snydeq writes "A hard-to-detect piece of malware that doesn't create any files on the affected systems was dropped onto the computers of visitors to popular news sites in Russia in a drive-by download attack, according to Kaspersky Lab. 'What's interesting about this particular attack is the type of malware that was installed in cases of successful exploitation: one that only lives in the computer's memory. ... It's ideal to stop the infection in its early stages, because once this type of "fileless" malware gets loaded into memory and attaches itself to a trusted process, it's much harder to detect by antivirus programs.'"
Researchers Seek Help In Solving DuQu Mystery Language
An anonymous reader writes "DuQu, the malicious code that followed in the wake of the infamous Stuxnet code, has been analyzed nearly as much as its predecessor. But one part of the code remains a mystery, and researchers are asking programmers for help in solving it. The mystery concerns an essential component of the malware that communicates with command-and-control servers and has the ability to download additional payload modules and execute them on infected machines."
Same Platform Made Stuxnet, Duqu; Others Lurk
wiredmikey writes "New research from Kaspersky Labs has revealed that the platform dubbed 'tilded' (~d), which was used to develop Stuxnet and Duqu, has been around for years. The researchers say that same platform has been used to create similar Trojans which have yet to be discovered. Alexander Gostev and Igor Sumenkov have put together some interesting research, the key point being that the person(s) behind what the world knows as Stuxnet and Duqu have actually been using the same development platform for several years." An anonymous reader adds a link to this "surprisingly entertaining presentation" (video) by a Microsoft engineer, in which "he tells the story of how he and others analysed the exploits used by Stuxnet. Also surprising are the simplicity of the exploits which were still present in Win7." See also the report at Securelist from which the SecurityWeek story draws.
Duqu Attackers Managed to Wipe C&C Servers
Trailrunner7 writes with an update in the saga of Duqu and Stuxnet. From the article: "Shortly after the first public reports about Duqu emerged in early autumn, the crew behind Duqu wiped out all of the command-and-control servers that had been in use up to that point, including some that had been used since 2009. An in-depth analysis of the known C&C servers used in the Duqu attacks has found that some of the servers were compromised as far back as 2009, and that the attackers clearly targeted Linux machines. All of the known Duqu C&C servers discovered up to this point have been running CentOS ... There also is some evidence that the attackers may have used a zero-day in OpenSSH 4.3 to compromise the C&C servers initially."
Brazilian ISPs Hit With Massive DNS Attack
wiredmikey writes "Millions of people in Brazil have potentially been exposed to malware, as a result of a nationwide DNS attack. Additionally, several organizations in Brazil are reporting that network devices are also under attack. After being compromised remotely, scores of routers and modems had their DNS settings altered to redirect traffic. In those cases, when employees of the affected companies tried to open any website, they were asked to execute a malicious Java applet, which would install malware presented as 'Google Defence' software."
German Surveillance Trojan Spies On Fifteen Apps
itwbennett writes "Researchers from Kaspersky Lab have discovered that the R2D2 surveillance Trojan, which is used by German law enforcement to intercept Internet phone calls, is capable of monitoring traffic from popular browsers and instant messaging applications. 'Amongst the new things we found in there are two rather interesting ones: Firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows,' said Tillmann Werner, a security researcher with Kaspersky in Germany. 'Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report. The number of applications infected by the various components is 15 in total.'"
Rent Your Own Botnet
An anonymous reader writes "New research shows that the TDSS/TDL-4 botnet, widely considered one of the largest and most sophisticated, can be rented via a Web storefront available to all comers. Researchers from Kaspersky found that the latest version of TDSS installs a file that sets the machine up as a proxy for anonymous browsing, and then phones home to awmproxy.net, which rents the proxies for rates from $3 per day to $300 a week. The curators of this service even created a Firefox add-on to help customers. 'Interestingly, AWMproxy says it accepts payment via PayPal, MasterCard, and Visa.'"