8 hours 3 min ago
Fostering knowledge exchange among different generations of security researchers is maybe one of the best traits of a good security conference. Judging by its attendance, NoSuchCon can easily claim to be one of these. It's rare to see such a mix of young researchers and old gurus exchanging ideas and getting to know each other. Organized this year in Paris, NoSuchCon takes place in the premises of the Espace Oscar Niemeyer; admittedly, indeed a nice move putting a security conference within an art exposition center (congrats to the organizers :)).
Fri, 05/17/2013 - 09:58
Malicious PACs used by Brazilian bad guys aiming to steal bitcoins
Tue, 05/14/2013 - 14:06
Microsoft released a long list of updates for Microsoft software today. The most interesting appear to be those patching Internet Explorer and the kernel software vulnerabilities. In all, ten critical "use-after-free" vulnerabilities are patched in IE along with one important Information Disclosure vulnerability, and three elevation of privilege vulnerabilities are being patched as well. Almost all of these vulnerabilities were reported by external security researchers working through HP's Zero Day Initiative.
Mon, 05/13/2013 - 03:15
In China telecom fraud has become an increasingly common crime.
Wed, 05/08/2013 - 07:00
The percentage of spam in total mail traffic was up by 0.5 percentage points in the first quarter, averaging 66.5%.
Fri, 04/26/2013 - 16:49
The Counter eCrime Operations Summit VII (CeCOS VII) engages questions of operational challenges and the development of common resources for the first responders and forensic professionals who protect consumers and enterprises from the electronic-crime threat every day.
The annual event, organized by the Anti-Phishing Working Group (APWG), is this time held in Buenos Aires (Argentina).
Tue, 04/23/2013 - 06:43
This article is based on technical data from KL experts and their analysis of the Korablin and Morcut malicious programs. A number of conclusions are based on open source data.
Mon, 04/22/2013 - 12:24
It has been three years since we published Lock, stock and two smoking Trojans in our blog. The article describes the first piece of malware designed to attack users of online banking software developed by a company called BIFIT. There are now several malicious programs with similar functionality.
Mon, 04/22/2013 - 01:54
In my presentation in Source I talked about fraud in Twitter.
These days we find a lot of spam bots in this social network, either blindly sending unsolicited direct messages to other users or doing some previous semantic analysis, depending on your tweets, for a more targeted message.
Fri, 04/19/2013 - 06:24
While researching PlugX propagation with the use of Java exploits we stumbled upon one compromised site that hosted and pushed a malicious Java applet exploiting the CVE-2013-0422 vulnerability. The malicious Java application was detected heuristically with a generic verdict for that vulnerability, and it would hardly have been possible to spot that particular site among tons of other places where various malicious Java applications were detected with that generic verdict. But it was a very specific search conducted back then, and this site appeared in statistics among not so many search results. Well, to be honest it was a false positive in terms of search criteria, but in this case it was a lucky mistake.
Thu, 04/18/2013 - 07:54
The percentage of spam in email traffic was down 1 percentage point compared with February and averaged 70.1%.
Wed, 04/17/2013 - 00:02
While many are still in shock after the Boston Marathon bombings on 16 April, it didn't take long for cyber criminals to abuse that tragic incident for their dirty deeds.
Today we already started receiving emails containing links to malicious locations with names like "news.html".
Mon, 04/15/2013 - 08:30
Continuing our investigation into Winnti, in this post we describe how the group tried to re-infect a certain gaming company and what malware they used. After discovering that the company's servers were infected, we began to clean them up in conjunction with the company's system administrator, removing malicious files from the corporate network. This took a while because it was not clear at first exactly how the cybercriminals had penetrated the corporate network; we couldn't find a way to completely stop attacks penetrating the network and malicious files kept appearing. An analysis performed by the gaming company itself led us to the conclusion that the infection started after establishing working contacts with a South Korean gaming company. This was also confirmed by our research: as we wrote before, the Winnti group is most active in East Asia and we identified 14 infected gaming companies in South Korea.
Fri, 04/12/2013 - 13:51
Today is the second and last day of Infiltrate 2013 which is taking place in Miami Beach.
It's my first time at Infiltrate and so far I've been really impressed with the quality of the conference.
Thu, 04/11/2013 - 20:31
A new-ish Flash exploit is on the loose for attack around the web. This time, the attackers have compromised a caregiver site providing support for Tibetan refugee children and are spreading malware signed with Winnti stolen certificates with Flash exploits.
Thu, 04/11/2013 - 09:23
During our research on the Winnti group we discovered a considerable number of Winnti samples targeting different gaming companies. Using this sophisticated malicious program, cybercriminals gained remote access to infected workstations and then carried out further activity manually.
Thu, 04/11/2013 - 09:21
Today Kaspersky Lab's team of experts published a detailed research report that analyzes a sustained cyberespionage campaign conducted by the cybercriminal organization known as Winnti.