Malware Alerts

Subscribe to Malware Alerts feed
Online headquarters of Kaspersky Lab security experts.
Updated: 1 hour 57 min ago

Long live REcon – my 10th REcon anniversary

Wed, 07/01/2015 - 11:12

I got back from REcon 2015 a week ago and I’m well and truly over the jet lag at last. As usual, it was a great conference with many interesting talks and people. It is always great to meet other reverse engineers from all over the world and discuss new techniques, tools and research.

Tradition dictates that the event starts with training sessions, and I gave my usual four-day training on malware reverse engineering. During that time we covered all sorts of topics such as how to unpack/decrypt malware, analyze APT and so on.

I even got an award to mark 10 years of teaching Reverse Engineering class at REcon. Time flies

The conference was great. There were several interesting talks, more or less related to malware research. Here are the summaries of a few of them:

  • Introducing Dynamic IDA Enrichment framework (a.k.a DIE):

    DIE is a new Hex-Rays IDA plugin that crosses the static-dynamic gap directly into the native IDA GUI. It gives researchers access to runtime values from within their standard disassembler screen.

    As opposed to previous projects with similar goals, DIE takes a different approach by using an extensive plugin framework which allows the community to constantly add logic in order to better analyze and optimize the retrieved runtime values.

    With a click of a button, everything is accessible to the researcher: he can inspect handles passed to a function, analyze injected code or runtime strings, enumerate dynamic structures, follow indirect function calls and more.

    After the framework was explained, 3 live demos showed how to use the tool.

    The slides are available here:
    The framework can be downloaded here:

  • Totally Spies!

    This presentation covered research done into the AnimalFarm operation as well as technical details of their various pieces of malware. The presentation also highlighted connections between samples as well as technical hints found regarding attribution.

  • The M/o/Vfuscator

    Based on a paper that proves that the “mov” instruction is Turing complete, the M/o/Vfuscator takes the source code and compiles it into a program that uses *only* mov instructions – no comparisons, no jumps, no math (and definitely no SMC cheating).

    The talk demonstrated how it is possible to write programs with only mov instructions as a way to obfuscate code. I asked the author of the presentation to make a crackme using the obfuscator, which he kindly made.


Other interesting talks included:

  • This Time Font can hunt you down in 4 bytes
  • Hooking Nirvana
  • One font vulnerability to rule them all
  • Reversing the Nintendo 64 CIC

You can find the full conference schedule at

Slides and the videos from every talk will be uploaded soon on the REcon website.

See you next year at REcon 2016!

One night to hack in Paris

Tue, 06/30/2015 - 12:11

The past Saturday we had the privilege of participating in this year’s edition of “Nuit du Hack”, a French security conference which brings together professionals and amateurs of all skill levels for a series of lectures and challenges. It’s a full day (and night) of hacking goodness. A cloudy day set the perfect mood at the venue, the Academie Fratellini, in the marvelous and beautiful city of Paris.

With an interesting mix of security talks, capture the flag challenges, bug bounty programs, and workshops, the audience was welcome to join in any activities they chose. It was a security professional’s vision of heaven: learning about the latest security trends and issues while enjoying a beer and even getting a glimpse of the legendary Captain Crunch walking around. It’s also a great place for people of all ages and backgrounds to get involved.

The event started at full throttle with a memorable keynote from the director of ANSSI (National Agency for the Security of Information Systems) Guillaume Poupard, who spoke about local cyber security risks such as industrial espionage, electronic warfare and infrastructure sabotage. Moreover, he emphasized the importance of maintaining a balance between security and legality, an ethical dilemma that many security practitioners are facing right now in their daily activities.

The content of the talks was undoubtedly varied, including some that were more technically oriented, while others focused exclusively on the analysis of current security trends, malware and vulnerabilities.

David Melendez spoke about how he was able to build drone control system from scratch, basing his architecture and design on a GNU/Linux OS. Using a regular home Wi-Fi router and conventional hardware materials such as Wii accelerometer, he demonstrated a plausible way to control the drone’s flight using nothing more than an everyday gaming joystick. By sending commands and establishing a secure communication channel between the drone and the pilot, he successfully implemented a new protocol based on the 802.11 standard so as to prevent man-in-the-middle attacks.

The Internet of Things (IoT) is a topic that cannot be ignored any security event. With a very interesting approach, Guillaume Greyhound put on the table a hypothetical scenario about what would happen if some disaster were to damage the current technological infrastructure of a country. How could we face the impending chaos?

Faced with this situation, he exposed how IoT technologies can play a very important role in the implementing low-cost solutions that rely, for example, on Raspberry Pi devices or custom built drones and antennae to maintain a backup communication network that can ensure the exchange of goods and services.

Afterwards, Karsten Nohl introduced us to the world of mobile communication vulnerabilities. Showing a wide array of different technologies and mobile communication protocols such as SS7 and 3G, and how these can be compromised, he grabbed the audience’s attention right from the start. The presentation made it clear that the basic security level for mobile networks is not the same in every country around the world, he explained that some regions are evidently more exposed to intervention and eavesdropping. He also shared some specific tools to evaluate a network’s security, asking attendees to join him in his effort to protect free speech and the privacy of every individual that uses this type of communication (everyone). Interestingly, he also showed some solutions to defend against such attacks, once again highlighting the importance of protecting and defending privacy in digital communications.

My colleague Santiago Pontiroli and I presented our joint research into the evolution of .NET and PowerShell malware, which we titled “The TAO of .NET and PowerShell Malware analysis”. In our talk, Santi showed how malware development on .NET and PowerShell has increased more than 6,000% since 2009 (unique detections), all while presenting a detailed analysis several samples built with these technologies. Everything from devious ransomware campaigns such CoinVault to more complex and persistent threats used by pro-government Syrian hacking groups was shown to the audience.

From my side, I shared another side of the seemingly benevolent PowerShell, demonstrating its powerful incident response and forensics capabilities for us security researchers, and how malware developers are using these same methods for anti-forensics and code protection. As they seek to avoid detection and extend a particular piece of malware’s functionality in post exploitation activities, a plethora of offensive frameworks depending on PowerShell are amongst the bad guys’ favorite weapons of choice.

In addition, I tried to explain how malware developers could be using different penetration testing frameworks as a way to develop malware more rapidly. Certainly, we have found enough evidence in a considerable amount of malware samples showing the usage of SET and other offensive frameworks in the development of everyday malware and APTs, such as the case with the previously reported Machete.

I raised a question with the crowd, asking about the risks involved in the growing trend of cross-platform software development… Will the ability of running a piece of software between different platforms easily enable cybercriminals to create the ultimate multi-platform malware?

In summary, this was a great event with exceptionally exciting talks and very interesting with professionals from all over the world (having Captain Crunch there was an added bonus). As they say…we’ll always have Paris. And Nuit du Hack, of course.

Games are over

Mon, 06/22/2015 - 10:19

For a long time the Winnti group had been considered as a Chinese threat actor targeting gaming companies specifically. But we’ve seen information indicating that the scope of targets can be wider and is not limited to the entertainment business. We track samples of Winnti malware all the time, but had not been able to catch one with solid clues indicating other targeted industries. Also our visibility as a vendor does not cover every company in the world (at least so far ;)) and the Kaspersky Security Network (KSN) did not reveal other attacks except those against gaming companies. Well, sometimes targeted entities have been telecommunication companies, rather large holdings, but at least one of their businesses was in some way related to the production or distribution of computer games.

In April Novetta released its report on Winnti malware spotted in the operations of Axiom group. And Axiom group has been presented as a Chinese universal hacking actor carrying out espionage APT attacks against a whole range of different industries. So this report was another source of intelligence that Winnti was already not focused just on online games. Finally, we received a sample proving this.

The sample belongs to one of the Winnti versions described in Novetta’s report – Winnti 3.0. This is one of the Dynamic Link Libraries composing this RAT (Remote Access Trojan) platform – the worker library (which in essence is the RAT DLL) with the internal name w64.dll and the exported functions work_end and work_start. Since, as usual, this component is stored on the disk with the strings and much of other data in the PE header removed/zeroed, it is impossible to restore the compilation date of this DLL. But this library includes two drivers compiled on August 22 and September 4 2014. The sample has an encrypted configuration block placed in overlay. This block may include a tag for the sample – usually it is a campaign ID or victim ID/name. This time the operators put such tag in the configuration and it turned out to be the name of the well-known global pharmaceutical company headquartered in Europe:

Pic.1 Configuration block

Besides the sample tag, the configuration block includes the names of other files involved in the working of the RAT platform and the service name (Adobe Service), after which malware is installed. The presence of the following files could indicate that the system has been compromised:


One of the mentioned drivers (a known, malicious Winnti network rootkit) was signed with a stolen certificate of a division of a huge Japanese conglomerate. Although this division is involved in microelectronics manufacturing, other business directions of the conglomerate include development and production of drugs and medicine equipment as well.

Although the nature of the involvement of Winnti operators, who were earlier perceived to be a threat only to the online gaming industry, in the activities of other cyber-espionage teams still remains rather obscure, the evidence is there. From now on, when you see Winnti mentioned, don’t think just about gaming companies; consider also at least targeted telecoms and big pharma.

Here are the samples in question:

8e61219b18d36748ce956099277cc29b –
5979cf5018c03be2524b87b7dda64a1a –
ac9b247691b1036a1cdb4aaf37bea97f –


Uncovering Tor users: where anonymity ends in the Darknet

Thu, 06/18/2015 - 07:02

Unlike conventional World Wide Web technologies, the Tor Darknet onion routing technologies give users a real chance to remain anonymous. Many users have jumped at this chance – some did so to protect themselves or out of curiosity, while others developed a false sense of impunity, and saw an opportunity to do clandestine business anonymously: selling banned goods, distributing illegal content, etc. However, further developments, such as the detention of the maker of the Silk Road site, have conclusively demonstrated that these businesses were less anonymous than most assumed.

Intelligence services have not disclosed any technical details of how they detained cybercriminals who created Tor sites to distribute illegal goods; in particular, they are not giving any clues how they identify cybercriminals who act anonymously. This may mean that the implementation of the Tor Darknet contains some vulnerabilities and/or configuration defects that make it possible to unmask any Tor user. In this research, we will present practical examples to demonstrate how Tor users may lose their anonymity and will draw conclusions from those examples.

How are Tor users pinned down?

The history of the Tor Darknet has seen many attempts – theoretical and practical – to identify anonymous users. All of them can be conditionally divided into two groups: attacks on the client’s side (the browser), and attacks on the connection.

Problems in Web Browsers

The leaked NSA documents tell us that intelligence services have no qualms about using exploits to Firefox, which was the basis for Tor Browser. However, as the NSA reports in its presentation, using vulnerability exploitation tools does not allow permanent surveillance over Darknet users. Exploits have a very short life cycle, so at a specific moment of time there are different versions of the browser, some containing a specific vulnerability and other not. This enables surveillance over only a very narrow spectrum of users.

The leaked NSA documents, including a review of how Tor users can be de-anonymized (Source:

As well as these pseudo-official documents, the Tor community is also aware of other more interesting and ingenuous attacks on the client side. For instance, researchers from the Massachusetts Institute of Technology established that Flash creates a dedicated communication channel to the cybercriminal’s special server, which captures the client’s real IP address, and totally discredits the victim. However, Tor Browser’s developers reacted promptly to this problem by excluding Flash content handlers from their product.

Flash as a way to find out the victim’s real IP address (Source:

Another more recent method of compromising a web browser is implemented using the WebRTC DLL. This DLL is designed to arrange a video stream transmission channel supporting HTML5, and, similarly to the Flash channel described above, it used to enable the victim’s real IP address to be established. WebRTC’s so-called STUN requests are sent in plain text, thus bypassing Tor and all the ensuing consequences. However, this “shortcoming” was also promptly rectified by Tor Browser developers, so now the browser blocks WebRTC by default.

Attacks on the communication channel

Unlike browser attacks, attacks on the channel between the Tor client and a server located within or outside of the Darknet seem unconvincing. So far most of the concepts were presented by researchers in laboratory conditions and no ‘in-the-field’ proofs of concept have been yet presented.

Among these theoretical works, one fundamental text deserve a special mention – it is based on analyzing traffic employing the NetFlow protocol. The authors of the research believe that the attacker side is capable of analyzing NetFlow records on routers that are direct Tor nodes or are located near them. A NetFlow record contains the following information:

  • Protocol version number;
  • Record number;
  • Inbound and outgoing network interface;
  • Time of stream head and stream end;
  • Number of bytes and packets in the stream;
  • Address of source and destination;
  • Port of source and destination;
  • IP protocol number;
  • The value of Type of Service;
  • All flags observed during TCP connections;
  • Gatway address;
  • Masks of source and destination subnets.

In practical terms all of these identify the client.

De-anonymizing a Tor client based on traffic analysis

This kind of traffic analysis-based investigation requires a huge number of points of presence within Tor, if the attacker wants to be able to de-anonymize any user at any period of time. For this reason, these studies are of no practical interest to individual researchers unless they have a huge pool of computing resources. Also for this reason, we will take a different tack, and consider more practical methods of analyzing a Tor user’s activity.

Passive monitoring system

Every resident of the network can share his/her computing resources to arrange a Node server. A Node server is a nodal element in the Tor network that plays the role of an intermediary in a network client’s information traffic. In this Darknet, there several types of nodes: relay nodes and exit nodes. An exit node is an end link in traffic decryption operation, so they are an end point which may become the source of leaking interesting information.

Our task is very specific: we need to collect existing and, most importantly, relevant onion resources. We cannot solely rely on internal search engines and/or website catalogs, as these leave much to be required in terms of the relevance and completeness of contained information.

However, there is a straightforward solution to the problem of aggregation of relevant websites. To make a list of the onion resources that were recently visited by a Darknet user, one needs to track each instance of accessing them. As we know, an exit node is the end point of the path that encrypted packets follow within the Darknet, so we can freely intercept HTTP/HTTPS protocol packets at the moment when they are decrypted at the exit node. In other words, if the user uses the Darknet as an intermediary between his/her browser and a web resource located in the regular Internet, then Tor’s exit node is the location where packets travel in unencrypted format and can be intercepted.

We know that an HTTP packet may contain information about web resources, including onion resources that were visited earlier. This data is contained in the ‘Referrer’ request header, which may contain the URL address of the source of the request. In the regular Internet, this information helps web masters determine which search engine requests or sites direct users towards the web resource they manage.

In our case, it is enough to scan the dump of intercepted traffic with a regular expression containing the string ‘onion’.

There is a multitude of articles available on configuring exit nodes, so we will not spend time on how to configure an exit node, but instead point out a few details.

First of all, it is necessary to set an Exit Policy that allows traffic communication across all ports; this should be done in the configuration file torrc, located in the Tor installation catalog. This configuration is not a silver bullet but it does offer a chance of seeing something interesting at a non-trivial port.

>> ExitPolicy accept *:*

The field ‘Nickname’ in the torrc file does not have any special meaning to it, so the only recommendation in this case is not to use any conspicuous (e.g. ‘WeAreCapturingYourTraffic’) node names or those containing numbers (‘NodeNumber3′) that might suggest an entire network of such nodes.

After launching a Tor server, it is necessary to wait until it uploads its coordinates to the server of directories – this will help our node declare itself to all Darknet participants.

An exit node in operation

After we launched the exit mode and it began to pass Tor users’ traffic through itself, we need to launch a traffic packet sniffer and intercept the passing traffic. In this case, tshark acts as a sniffer, listening to interface #1 (occupied by Tor) and putting the dump into the file ‘dump.pcap':

>>tshark –i 1 –w dump.pcap

Tshark intercepts packets that pass through the exit node in unencrypted format

All the above actions must be done on as many servers as possible to collect as much information of interest as possible. It should be noted that the dump grows quite quickly, and it should be regularly collected for analysis.

Thus, once you receive a huge dump, it should be analyzed for onion resources. Skimming through the dump helps to categorize all resources visited by Tor users by content type.

It should be noted that 24 hours of uninterrupted traffic interception (on a weekday) produce up to 3GB of dump for a single node. Thus, it cannot be simply opened with Wireshark – it won’t be able to process it. To analyze the dump, it must be broken into smaller files, no larger than 200 MB (this value was determined empirically). To do so, the utility ‘editcamp’ is used alongside with Wireshark:

>> editcap – c 200000 input.pcap output.pcap

In this case, 200,000 represents the number of packets in a single file.

While analyzing a dump, the task is to search for strings containing the substring “.onion”. This very likely will find Tor’s internal resources. However, such passive monitoring does not enable us to de-anonymize a user in the full sense of the word, because the researcher can only analyze those data network packets that the users make available ‘of their own will’.

Active monitoring system

To find out more about a Darknet denizen we need to provoke them into giving away some data about their environment. In other words, we need an active data collection system.

An expert at Leviathan Security discovered a multitude of exit nodes and presented a vivid example of an active monitoring system at work in the field. The nodes were different from other exit nodes in that they injected malicious code into that binary files passing through them. While the client downloaded a file from the Internet, using Tor to preserve anonymity, the malicious exit node conducted a MITM-attack and planted malicious code into the binary file being downloaded.

This incident is a good illustration of the concept of an active monitoring system; however, it is also a good illustration of its flipside: any activity at an exit node (such as traffic manipulation) is quickly and easily identified by automatic tools, and the node is promptly blacklisted by the Tor community.

Let’s start over with a clean slate

HTML5 has brought us not only WebRTC, but also the interesting tag ‘canvas’, which is designed to create bitmap images with the help of JavaScript. This tag has a peculiarity in how it renders images: each web-browser renders images differently depending on various factors, such as:

  • Various graphics drivers and hardware components installed on the client’s side;
  • Various sets of software in the operating system and various configurations of the software environment.

The parameters of rendered images can uniquely identify a web-browser and its software and hardware environment. Based on this peculiarity, a so-called fingerprint can be created. This technique is not new – it is used, for instance, by some online advertising agencies to track users’ interests. However, not all of its methods can be implemented in Tor Browser. For example, supercookies cannot be used in Tor Browser, Flash and Java is disabled by default, font use is restricted. Some other methods display notifications that may alert the user.

Thus, our first attempts at canvas fingerprinting with the help of the getImageData()function that extracts image data, were blocked by Tor Browser:

However, some loopholes are still open at this moment, with which fingerprinting in Tor can be done without inducing notifications.

By their fonts we shall know them

Tor Browser can be identified with the help of the measureText()function, which measures the width of a text rendered in canvas:

Using measureText() to measure a font size that is unique to the operating system

If the resulting font width has a unique value (it is sometimes a floating point value), then we can identify the browser, including Tor Browser. We acknowledge that in some cases the resulting font width values may be the same for different users.

It should be noted that this is not the only function that can acquire unique values. Another such function is getBoundingClientRect(),which can acquire the height and the width of the text border rectangle.

When the problem of fingerprinting users became known to the community (it is also relevant to Tor Browser users), an appropriate request was created. However, Tor Browser developers are in no haste to patch this drawback in the configuration, stating that blacklisting such functions is ineffective.

Tor developer’s official reply to the font rendering problem

Field trials

This approach was applied by a researcher nicknamed “KOLANICH”. Using both functions, measureText() and getBoundingClientRect(), he wrote a script, tested in locally in different browsers and obtained unique identifiers.

Using the same methodology, we arranged a test bed, aiming at fingerprinting Tor Browser in various software and hardware environments.

To address this problem, we used one author’s blog and embedded a JavaScript that uses the measureText() and getBoundingClientRect()functions to measure fonts rendered in the web browser of the user visiting the web-page. The script sends the measured values in a POST request to the web server which, in turn, saves this request in its logs.

A fragment of a web-server’s log with a visible Tor Browser fingerprint

At this time, we are collecting the results of this script operating. To date, all the returned values are unique. We will publish a report about the results in due course.

Possible practical implications

How can this concept be used in real world conditions to identify Tor Browser users? The JavaScript code described above can be installed on several objects that participate in data traffic in the Darknet:

  • Exit node. A MITM-attack is implemented, during which JavaScript code is injected into all web pages that a Darknet resident visits in the outside Web.
  • Internal onion resources and external web sites controlled by the attackers. For example, an attacker launches a ‘doorway’, or a web page specially crafted with a specific audience in view, and fingerprints all visitors.
  • Internal and external websites that are vulnerable to cross-site scripting (XSS) vulnerabilities (preferably stored XSS, but this is not essential).

Objects that could fingerprint a Tor user

The last item is especially interesting. We have scanned about 100 onion resources for web vulnerabilities (these resources were in the logs of the passive monitoring system) and filtered out ‘false positives’. Thus, we have discovered that about 30% of analyzed Darknet resources are vulnerable to cross-site scripting attacks.

All this means that arranging a farm of exit nodes is not the only method an attacker can use to de-anonymize a user. The attacker can also compromise web-sites and arrange doorways, place a JavaScript code there and collect a database of unique fingerprints.

The process of de-anonymizing a Tor user

So attackers are not restricted to injecting JavaScript code into legal websites. There are more objects where a JavaScript code can be injected, which expands the number of possible points of presence, including those within the Darknet.

Following this approach, the attacker could, in theory, find out, for instance, sites on which topics are of interest to the user with the unique fingerprint ‘c2c91d5b3c4fecd9109afe0e’, and on which sites that user logs in. As a result, the attacker knows the user’s profile on a web resource, and the user’s surfing history.

In place of a conclusion

At Tor project’s official website, the developers posted an answer to the question “why is JavaScript allowed by Tor Browser?”:

Tor Browser’s official answer to a question about JavaScript

It appears from this answer that we should not expect the developers to disable JavaScript code in TorBrowser.

The Spring Dragon APT

Wed, 06/17/2015 - 03:07

Let’s examine a couple of interesting delivery techniques from an APT active for the past several years, the Spring Dragon APT. A paper released today by our colleagues at Palo Alto Networks presented a portion of data on this crew under the label “the Lotus Blossom Operation“, likely named for the debug string present in much of the “Elise” codebase since at least 2012: “d:\lstudio\projects\lotus\…”.

The group’s capabilities are more than the much discussed CVE-2012-0158 exploits over the past few years. Instead, the group is known to have employed half day spearphish exploits, strategic web compromises, and watering holes employing fake Flash player update re-directions. The group’s spearphish toolset includes PDF exploits, Adobe Flash Player exploits, and the common CVE-2012-0158 Word exploits including those generated from the infamous “Tran Duy Linh” kit. While ongoing attacks by the Spring Dragon APT take us back to a focus on Vietnam, they appear to have rolled out a steady mix of exploits against defense subcontractors around the world and government related organizations in VN, TW, PH, and other locations over the past few years. Let’s take a quick look at a couple more examples of their intrusion capabilities that haven’t been mentioned elsewhere.

Organizations located in Myanmar and targeted by Spring Dragon have gone unmentioned. But Spring Dragon’s infiltration techniques there were not simply 0158 spearphish, they also compromised sites. In one case, they replaced specialized font installers needed to render Myanma font. You can see an image here of the “Planet Myanmar” website in late 2012 distributing such a package. All of the zip links were redirected to a poisoned installer zip file. The download name was “”, and it dropped a “setup.exe” that contained several backdoor components, including an Elise “wincex.dll” (a42c966e26f3577534d03248551232f3, detected as Backdoor.Win32.Agent.delp). It beacons out with the typical Elise GET request “GET /%x/page_%02d%02d%02d%02d.html”, as documented in the Lotus Blossom paper.

Another APT later abused this exact site to deliver malicious VBS (CVE-2014-6332) exploits in November of 2014 with a Lurid variant payload. And that same group also served a malicious PDF exploit (CVE-2010-2883) from this site in June 2012 as “Zawgyi Unicode Keyboard.pdf”. Even earlier than that, they spearphished with that same PDF exploit object later hosted on the website under different file names. In November 2011, they used filenames appropriate for their spearphishing targets with this exploit like “台灣安保協會「亞太區域安全與台海和平」國際研討會邀 請 函_20110907.pdf” (“Taiwan Security Association International Seminar Invitation – the Asia-Pacific regional security and peace in the Taiwan Strait”), “china-central_asia.pdf”, “hydroelectric sector.pdf”, and various governmental related proposals. In this case, there was unexpected overlap from two APT.

Another interesting technique that we observed in use against government targets was a campaign that lured recipients to a site redirecting users to a spoofed Flash installer site.

This site in turn redirected users to a Flash installer bundled with the common Elise backdoor, eventually communicating with and its usual “GET /14111121/page_321111234.html HTTP/1.0″.

hxxp:// → redirected to
hxxp:// (Trojan-Dropper.Win32.Agent.ilbq)

While this particular actor effectively used their almost worn out CVE-2012-0158 exploits in the past, Spring Dragon employs more involved and creative intrusive activity as well.

The Duqu 2.0 persistence module

Mon, 06/15/2015 - 10:30

We have previously described how Duqu 2.0 doesn’t have a normal “persistence” mechanism. This can lead users to conclude that flushing out the malware is as simple as rebooting all the infected machines. In reality, things are a bit more complicated.

The attackers created an unusual persistence module which they deploy on compromised networks. It serves a double function – it also supports a hidden C&C communication scheme. This organization-level persistence is achieved by a driver that is installed as a normal system service. On 64-bit systems, this implies a strict requirement for an Authenticode digital signature. We have seen two such persistence drivers deployed in the course of attacks.

During their operations the Duqu threat actors install these malicious drivers on firewalls, gateways or any other servers that have direct Internet access on one side and corporate network access on other side. By using them, they can achieve several goals at a time: access internal infrastructure from the Internet, avoid log records in corporate proxy servers and maintain a form of persistence after all.

In essence, the drivers are redirecting network streams to and from the gateway machine that runs it. To forward connections, the attacker first has to pass a network-based “knocking” mechanism by using a secret keyword. We have seen two different secret keywords in the samples we collected so far: “romanian.antihacker” and “ugly.gorilla”.

We described one of these drivers in our whitepaper about Duqu 2.0 (see “The ”portserv.sys” driver analysis” section). Let us repeat some of the most important details. The driver listens to the network and expects a special secret keyword (“romanian.antihacker” in that case). After that, it saves IP of the host that passed the correct secret keyword and starts redirecting all packets from port 443 to 445 (SMB) or 3389 (Remote Desktop) of that server. This effectively allows the attackers to tunnel SMB (i.e. remote file system access) and Remote Desktop through the gateway server while making it look like HTTPS traffic (port 443).

In addition to the “romanian.antihacker” driver, we have discovered another one which did a similar job, however, supporting more connections in a more generic way:

  1. If the driver recognizes the secret keyword “ugly.gorilla1” then all traffic from the attacker’s IP will be redirected from port 443 (HTTPS) to 445 (SMB)
  2. If the driver recognizes the secret keyword “ugly.gorilla2” then all traffic from the attacker’s IP will be redirected from port 443 (HTTPS) to 3389 (RDP)
  3. If the driver recognizes the secret keyword “ugly.gorilla3” then all traffic from the attacker’s IP will be redirected from port 443 (HTTPS) to 135 (RPC)
  4. If the driver recognizes the secret keyword “ugly.gorilla4” then all traffic from the attacker’s IP will be redirected from port 443 (HTTPS) to 139 (NETBIOS)
  5. If the driver recognizes the secret keyword “ugly.gorilla5” then all traffic from the attacker’s IP will be redirected from port 1723 (PPTP) to 445 (SMB)
  6. If the driver recognizes the secret keyword “ugly.gorilla6” then all traffic from the attacker’s IP will be redirected from port 443 (HTTPS) to 47012 (currently unknown).

We would like to note that one port here looks quite suspicious: 47012. So far, we haven’t seen any other Duqu 2.0 components using this port, nor have we found any other common malware, backdoor or legitimate software using this port (also according to SANS). However, considering that this port number was hardcoded into the malware this may be a good indicator of compromise for Duqu 2.0.

Part of the malware with array of secret keywords

This 64-bit driver contains an internal DLL name, “termport.sys”, while the filename in the filesystem was “portserv.sys”. This most likely means that the attackers change filenames for different operations and detection of this attack should not solely rely on names of the files. The compilation timestamp is apparently fake here: “Jul 23 18:14:28 2004”. All the discovered driver files were located in “C:\Windows\System32\drivers\”.

Perhaps the most important part of this attack strategy is the digital signature used for the 64-bit driver. Because this is a mandatory requirement on 64-bit Windows systems, the driver had a valid digital signature. It was signed by “HON HAI PRECISION INDUSTRY CO. LTD.(also known as “Foxconn Technology Group”, one of the world’s largest electronics manufacturers).

Digital signature of attacker’s driver

According to the information from the driver it was signed at 20:31 on 19.02.2015. Below are some more details provided by SysInternal’s sigcheck utility:

Verified:              Signed
Signing date:   20:31 19.02.2015
Description:        Port Optimizer for Terminal Server
Product:               Microsoft Windows Operating System
Prod version:   6.1.7601
File version:   6.1.7601 built by: WinDDK
MachineType:   64-bit
MD5:     92E724291056A5E30ECA038EE637A23F
SHA1:   478C076749BEF74EAF9BED4AF917AEE228620B23
PESHA1: F8457AFBD6967FFAE71A72AA44BC3C3A134103D8
PE256:  2891059613156734067A1EF52C01731A1BCFB9C50E817F3CA813C19114BFA556
SHA256:  BC4AE56434B45818F57724F4CD19354A13E5964FD097D1933A30E2E31C9BDFA5

According to Wikipedia “Foxconn Technology Group” is the world’s largest electronics contract manufacturer and is headquartered in Tucheng, New Taipei, Taiwan.

Major customers of Foxconn include or have included some of the world’s largest enterprises:

  • Acer Inc.
  • Apple Inc.
  • BlackBerry Ltd.
  • Cisco
  • Dell
  • Google
  • Hewlett-Packard
  • Huawei
  • Microsoft
  • Motorola Mobility
  • Nintendo
  • Nokia
  • Sony
  • Toshiba
  • Xiaomi
  • Vizio

Foxconn manufactures several popular products including BlackBerry, iPad, iPhone, Kindle, PlayStation 4, Xbox One and Wii U.

The same certificate was used by the manufacturer to sign several WatchDog Timer Kernel drivers (WDTKernel.sys) for Dell laptops in February 2013.


During our previous research into Stuxnet and Duqu we have observed digitally signed malware (using malicious Jmicron and Realtek certs). Stealing digital certificates and signing malware on behalf of legitimate businesses seems to be a regular trick from the Duqu attackers. We have no confirmation that any of these vendors have been compromised but our indicators definitely show that the Duqu attackers have a major interest in hardware manufacturers such as Foxconn, Realtek and Jmicron. This was confirmed in the 2014/2015 attacks, when we observed infections associated with hardware manufacturers from APAC, including ICS and SCADA computer equipment manufacturers.

Another interesting observation is that besides these Duqu drivers we haven’t uncovered any other malware signed with the same certificates. That rules out the possibility that the certificates have been leaked and are being used by multiple groups. It also seems to indicate the Duqu attackers are the only ones who have access to these certificates, which strengthens the theory they hacked the hardware manufacturers in order to get these certificates.

Finally, it’s interesting that the Duqu attackers are also careful enough not to use same digital certificate twice. This is something we have seen with Duqu from both 2011 and 2015. If that’s true, then it means that the attackers might have enough alternative stolen digital certificates from other manufacturers that are ready to be used during the next targeted attack. This would be extremely alarming because it effectively undermines trust in digital certificates.

Both Verisign and HON HAI have been informed about the use of the certificate to sign the Duqu 2.0 malware.


Sample MD5 (portserv.sys): 92e724291056a5e30eca038ee637a23f

Serial number of Foxconn certificate used by Duqu attackers:

‎25 65 41 e2 04 61 90 33 f8 b0 9f 9e b7 c8 8e f8

Full certificate of the malicious driver:


The Mystery of Duqu 2.0:a sophisticated cyberespionage actor returns

Wed, 06/10/2015 - 08:00

Duqu 2.0 Technical Paper (PDF) can be found here
Indicators of Compromise (IOC) can be found here

Earlier this year, during a security sweep, Kaspersky Lab detected a cyber-intrusion affecting several of our internal systems.

Following this finding, we launched a large scale investigation, which led to the discovery of a new malware platform from one of the most skilled, mysterious and powerful groups in the APT world – Duqu. The Duqu threat actor went dark in 2012 and was believed to have stopped working on this project – until now. Our technical analysis indicates the new round of attacks include an updated version of the infamous 2011 Duqu malware, sometimes referred to as the stepbrother of Stuxnet. We named this new malware and its associated platform “Duqu 2.0”.

Some of the new 2014-2015 Duqu infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal. The threat actor behind Duqu appears to have launched attacks at the venues for some of these high level talks. In addition to the P5+1 events, the Duqu 2.0 group has launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau.

In the case of Kaspersky Lab, the attack took advantage of a zero-day in the Windows Kernel, and possibly up to two other, currently patched vulnerabilities, which were zero-day at that time. The analysis of the attack revealed that the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. No interference with processes or systems was detected. More details can be found in our technical paper.

From a threat actor point of view, the decision to target a world-class security company must be quite difficult. On one hand, it almost surely means the attack will be exposed – it’s very unlikely that the attack will go unnoticed. So the targeting of security companies indicates that either they are very confident they won’t get caught, or perhaps they don’t care much if they are discovered and exposed. By targeting Kaspersky Lab, the Duqu attackers probably took a huge bet hoping they’d remain undiscovered; and lost.

At Kaspersky Lab, we strongly believe in transparency, which is why we are going public with this information. Kaspersky Lab is confident that its clients and partners are safe and that there is no impact on the company’s products, technologies and services.

More details can be found below:

Duqu 2.0: Frequently Asked Questions
Press release

Duqu 2.0 – Indicators of Compromise (IOCs) MD5s

Action loaders:





Yara rules rule apt_duqu2_loaders { meta: copyright = "Kaspersky Lab" description = "Rule to detect Duqu 2.0 samples" last_modified = "2015-06-09" version = "1.0" strings: $a1="{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}" wide $a2="\\\\.\\pipe\\{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}" wide $a4="\\\\.\\pipe\\{AB6172ED-8105-4996-9D2A-597B5F827501}" wide $a5="Global\\{B54E3268-DE1E-4c1e-A667-2596751403AD}" wide $a8="SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'" wide $a9="SELECT `Data` FROM `Binary` WHERE `Name`='CryptHash%i'" wide $a7="SELECT `%s` FROM `%s` WHERE `%s`='CAData%i'" wide $b1="MSI.dll" $b2="msi.dll" $b3="StartAction" $c1="msisvc_32@" wide $c2="PROP=" wide $c3="-Embedding" wide $c4="S:(ML;;NW;;;LW)" wide $d1 = "NameTypeBinaryDataCustomActionActionSourceTargetInstallExecuteSequenceConditionSequencePropertyValueMicrosoftManufacturer" nocase $d2 = {2E 3F 41 56 3F 24 5F 42 69 6E 64 40 24 30 30 58 55 3F 24 5F 50 6D 66 5F 77 72 61 70 40 50 38 43 4C 52 ?? 40 40 41 45 58 58 5A 58 56 31 40 24 24 24 56 40 73 74 64 40 40 51 41 56 43 4C 52 ?? 40 40 40 73 74 64 40 40} condition: ( (uint16(0) == 0x5a4d) and ( (any of ($a*)) or (all of ($b*)) or (all of ($c*)) ) and filesize < 100000 ) or ( (uint32(0) == 0xe011cfd0) and ( (any of ($a*)) or (all of ($b*)) or (all of ($c*)) or (any of ($d*)) ) and filesize < 20000000 ) } rule apt_duqu2_drivers { meta: copyright = "Kaspersky Lab" description = "Rule to detect Duqu 2.0 drivers" last_modified = "2015-06-09" version = "1.0" strings: $a1="\\DosDevices\\port_optimizer" wide nocase $a2="romanian.antihacker" $a3="PortOptimizerTermSrv" wide $a4="ugly.gorilla1" $b1="NdisIMCopySendCompletePerPacketInfo" $b2="NdisReEnumerateProtocolBindings" $b3="NdisOpenProtocolConfiguration" condition: uint16(0) == 0x5A4D and (any of ($a*) ) and (2 of ($b*)) and filesize < 100000 }

To check your network for Duqu’s 2.0 presence, you can also use the open IOC file available here.

Microsoft Security Updates June 2015

Tue, 06/09/2015 - 17:37

Microsoft releases eight security bulletins today, updating a set of forty five software vulnerabilities. This month’s updates touch a smaller set of Microsoft software, but two of the Bulletins address kernel-level vulnerabilities and require a restart. Some are being exploited as a part of serious targeted attack activity:

  • Windows Kernel, win32k.sys (MS15-061)
  • Internet Explorer – critical
  • Windows Media Player – critical
  • Microsoft Common Controls
  • Microsoft Office
  • Active Directory Federation Services
  • Exchange Server

Two are rated Critical (MS15-056 for Internet Explorer and MS15-057 for Windows Media Player) because of their remote code execution severity. The Internet Explorer bulletin alone fixes over 20 memory corruption vulnerabilities in the IE codebase.

Most interesting of all the bulletins this month turns out to be MS15-061, patching eight different software flaws in the kernel. In particular, cve-2015-2360 was a difficult find, and this 0day was reported by our own talented colleague Maxim Golovkin. This issue presented itself within win32k.sys, which fails to properly free memory after use. It might be rated “Important” as an escalation of privilege vulnerability, but defending against its deployment as a part of targeted attack activity is most certainly critical.

Please update your Windows systems asap.

Infosecurity Europe 2015

Thu, 06/04/2015 - 04:23

This week we joined droves of vendors and executives in celebrating InfoSecurity Europe’s 20 year anniversary. The venue, the London Olympia, is a behemoth filled wall-to-wall with company banners, awkward sales pitches, gimmicky totebags, gift lightsabers, and ‘free’ prosecco readily exchanged for cloud security pitches.

Security vendors, security vendors everywhere

This year, the organizers wisely decided to add a small conference annex under the banner of ‘Intelligent Defence’ with the intention of attracting a more content-oriented crowd. The talks were largely research-oriented and included a fair serving of IoT bashing and malware hunting.

Here we presented our ongoing research project on whitelisting titled ‘Wolf in Sheep’s Clothing: Your next APT is Already Whitelisted’ – stay tuned for an extensive analysis!

Intelligent Defence included notable presentations by Andrew Hay (OpenDNS), Daniel Mende (ENRW), and Sergey Bratus (Dartmouth). Hay gave us a preview of his ‘labor of love’ paper on IoT beaconing in the enterprise (found here), an extensive research into the domain queries common IoT products perform out of the box and their unregulated penetration into industry verticals.

Daniel Mende walked us through performing an analysis of proprietary network protocols, effectively lifting the veil of security by obscurity by not just showcasing the failure of this particular nameless protocol but also providing the crowd with a sense of the relative ease with which these protocols can be probed, dismantled, and effectively obviated.

Finally, Sergey Bratus shared a brilliant exposition of the complex relationship between defensive and offensive computing, partially defined in terms of ‘weird machines‘  to ease a widespread difficulty in describing the dynamics that enable fruitful InfoSec research  – that difficulty subsequently leads to problematic regulatory over simplifications like the expansion of the Wassenaar arrangement currently under consideration.

Intelligent Defence is a strong step in the right direction for Europe’s largest InfoSec conference. We hope to see you there next time.

Mobile Forensics World 2015

Sun, 05/31/2015 - 18:52

A little discussed but well-attended dual-lineup conference on forensics and investigations started today in Myrtle Beach, South Carolina as “Mobile Forensics World” and the “Techno Security and Forensics Investigations Conference”. Presentation content here mostly focuses on technologies used in fighting cybercrime malware and the general misuse of mobile and computing power for serious criminal activities. Some of the talks focused on the new complexities and challenges in working with ubiquitous SSD storage technologies. One of the notable talks on SSD was from our colleagues at Belkasoft, developers of a set of reliable and effective memory dump and analysis tools. We met some of Yuri Gubanov‘s squirrels that help drive much of their tool development (a “belka” is a squirrel).

Other talks and vendors today brought to light problems and solutions for dealing with Tor, remote system access, data wiping tools, forensically acquired drives that require startup, iPhone and Android encryption and lockout technologies, and others that require examination. Upcoming talks provide discussion around audit strategies and methods, investigation and forensic tools, and more.

Lessons learned from Flame, three years later

Fri, 05/29/2015 - 07:08

Three years ago, on May 28th 2012, we announced the discovery of a malware known as Flame. At the same time we published our FAQ, CrySyS Lab posted their thorough analysis of sKyWIper. A few days earlier, Maher CERT published IOCs for Flamer. In short, Flame, sKyWIper and Flamer are different names for the same threat, which took the world by surprise as the first major discovery after Stuxnet and Duqu.

Since the discovery of Flame, we reported on many other advanced malware platforms, including Regin and Equation, yet Flame remains special in terms of being one of the most complex, surprising and innovative malware campaigns we have ever seen.

Looking back at the discovery of Flame, here are some lessons we learned.

  1. High-end, government-grade malware can be big. A fully deployed set of Flame modules took about 20 megabytes, which was a lot. Previously, sophisticated malware would range in the order of kilobytes or hundred of kilobytes; most people would discard a 6MB executable file as “uninteresting”. Not anymore.
  2. Jumping airgaps. Flame was one of the first malware to implement a mechanism to bypass airgaps through the use of USB sticks. When a USB stick was plugged into a Flame infected computer without connection to the Internet, the malware saved stolen information into a hidden file on the stick. This file was invisible to most file explorers and contained up to 16MB of stolen documents and other information from the victim’s machine. When such a stick was connected to a machine infected by Flame connected to the Internet, the hidden information was taken off the stick and sent to its C&Cs.
  3. Dozens of C&Cs. With Flame, we ended up counting almost 100 different command and control servers. For a targeted malware, this is both unusual and a very large number. The authors of Flame created different versions of the malware connecting to many C&Cs in order to limit the impact of a takedown.
  4. Capturing Bluetooth audio. One of the Flame modules attempted to identify Bluetooth devices in the vicinity of the compromised machine and use them to record audio from the room. This is a rare type of attack pioneered by Flame.
  5. The age of mass surveillance. We believe the main purpose of Flame was to facilitate mass surveillance. The malware was designed to automatically collect everything from infected machines, ranging from documents to screenshots, keystrokes and audio. The C&C servers of Flame did not include a provision for a manual operation of the malware; everything happened automatically.
  6. MD5 is dead. One of the most interesting features of Flame was the way it infected other computers in the local network. The attack involved the almost magical re-engineering of a certificate that could be used to sign Windows updates. The certificate relied on an MD5 signature, which the attackers managed to fake, indicating they had the ability to break arbitrary MD5 hashes.
  7. Subversion of trust in Windows updates. One of the most interesting modules in Flame performed what eventually described as a “God mode” exploit – subversion of Windows updates by hijacking Windows update requests. For years, we told people to update Windows, as well as any other third party, as often as possible. Flame took advantage of the trust people have put into updates, effectively subverting it.
  8. The tip of the iceberg. After we discovered Flame, our generic detection started to trigger on other samples as well. By code similarity, we found two other malicious programs from the same group: Gauss and MiniFlame. This made us realize that there are many other undiscovered malware and it will probably take years to find them all.
  9. Everything’s connected. When we discovered Flame, most people asked – “is it related to Stuxnet?”. We’ve said, “no, there are no signs”. We were wrong. Weeks later, we found a Flame module that was also used by the 2009 version of Stuxnet for replication. Essentially, the 2009 Stuxnet was built to replicate using an exploit from Flame. This indicates the two were indeed connected. At the same time, Stuxnet was connected to Duqu and, as we found more recently, the Equation group, through their exploits originally used by the Fanny worm. Sometimes it takes longer to see all the connections, even if they are not obvious in the beginning.
  10. “Flame is lame”. When Kaspersky and CrySyS Lab published our analyses of Flame, some people discarded it as uninteresting. “A 20 megabytes malware can be l33t? Impossible!”. (The complaints died when the Microsoft Windows Updates attack and MD5 collision was found and patched). Mikko Hypponen from F-Secure has a wonderful blog on this topic:

Finally, we’d like to end with a recording of a fantastic speech by privacy rights activist Chris Soghoian, titled “Lessons from the Bin Laden Raid and Cyberwar: Immunizations and Security Updates”.

His take on Flame begins at 5:00, however, we recommend you watch the entire clip. As Chris puts it in the clip: “no matter the short term intelligence advantage to hacking software updates, it isn’t worth it”. We concur and add, subverting security will always backfire.

Statistics on botnet-assisted DDoS attacks in Q1 2015

Fri, 05/29/2015 - 05:00

Statistics on botnet-assisted DDoS attacks in Q1 2015 [pdf]


A DDoS (Distributed Denial of Service) attack is one of the techniques mostly often used by cybercriminals. It is intended to reduce an information system, typically a website, to a state where it cannot be accessed by legitimate users. One popular DDoS scenario is a botnet-assisted attack.

Kaspersky Lab has long-standing, recognized expertise in combatting cyberthreats, including DDoS attacks of different types and varying degrees of complexity. The company’s experts, in particular, monitor botnet activity with the help of the DDoS Intelligence system (a part of Kaspersky DDoS Protection solution), which allows them to continuously improve our DDoS attack protection technologies. The DDoS Intelligence system is based on analyzing commands that arrive to botnets from C&C servers; it does not require a bot to be present on a user device, nor commands from the C&C server to be executed.

There are different approaches to analyzing DDoS activity. One of these is to focus on attacks against specific web resources, typically those belonging to clients protected against DDoS attacks by security service providers. However, the analysis of botnet activity in this report provides a different view of this problem, compared to the individual client-based approach.

This report presents DDoS Intelligence statistics collected from 1 January to 31 March 2015 (or Q1 2015), which is analyzed in comparison with the equivalent data collected within the previous 3-month period (1 October to 31 December 2014, or Q4 2014).

In this report, a single DDoS attack is defined as an incident during which there was no break in botnet activity lasting longer than 24 hours. Thus, if the same web resource was attacked by the same botnet after a 24-hour gap that would be regarded as two separated DDoS attacks. Attacks on the same web resource from two different botnets are also regarded as individual attacks.

The geographical distribution of DDoS victims and command & control servers is determined according to their IP addresses. In this report, the number of the unique DDoS targets is defined based on the number of unique IP addresses reported in the quarterly statistics.

It is important to note that DDoS Intelligence statistics are limited to those botnets that were detected and analyzed by Kaspersky Lab. It should also be borne in mind that botnets are only one of the tools for carrying out DDoS attacks; thus, the data presented in this report does not cover every last DDoS attack that has occurred within the specified time period. 

Main findings
  • In Q1 2015, 23,095 botnet-assisted DDoS attacks were reported, which is 11% lower than the 25,929 attacks in Q4 2014.
  • There were 12,281 unique victims of DDoS attacks in Q1 2015, which is 8% lower than the 13,312 victims in Q4 2014.
  • China, the USA and Canada were the countries that faced the largest number of DDoS attacks.
  • The most prolonged DDoS attack in Q1 2015 lasted for 140 hours (or about 6 days). The most frequently attacked resource faced 21 attacks within the 3 months.
  • In Q1 2015, SYN DDoS and HTTP DDoS were the most common scenarios for botnet-assisted DDoS attacks.
Geography of attacks

In Q1 2015, 23,095 DDoS attacks were reported, targeting web resources in 76 countries. The number of attacks was down 11% against Q4 2014 (25,929). There was an increase (76 against 66 in Q4 2014) in the number of countries where DDoS targets were located.

In Q1 2015, 23,095 DDoS attacks were reported, targeting web resources in 76 countries


Most DDoS attacks targeted web resources in China, the USA and Canada – this was no change from Q4 2014. There were some changes in the order of the 10 most frequently attacked countries, but there were no new additions to that list.

Figure 1. The 10 most frequently attacked countries in Q4 2014 and Q1 2015

As seen in the above diagram, there has been a significant decrease in the number of attacks against the web resources in China and the United States of America; however, there was an increase in the number of attacks against Canadian servers. There was also an increase in the number of attacks against web resources in Russia, South Korea and France.

If we consider the number of DDoS attack victims in each country, the top 10 looks the same as the previous one. In Q1 2015, botnets attacked a total of 12,281 victims, which is 8% lower than the 13,312 targets in Q4 2014.

Figure 2. TOP 10 countries with the highest numbers of unique DDoS victims in Q4 2014 and Q1 2015

In Russia, South Korea and France, the number of attacked web resources has increased compared with Q4 2014, and so did the number of attacks on all targets located in these countries. In Canada, the number of attacks has increased, but the number of targets has decreased, which suggests that cybercriminals are more actively attacking a limited number of web resources in the country.

China, the USA and Canada were the countries that faced the largest number of DDoS attacks


The fact that China and the USA lead the two rankings, both in terms of numbers of DDoS attacks and in numbers of victims, is explained by the relatively low web hosting prices in these two countries that encourage many companies to use hosting providers there.

In in Q1 2015, the maximum number of attacks carried out on the same web resource reached 21:

Number of DDoS attacks The targeted web resource 21 A Russian-language web-site (a group of investment companies) 16 A Vietnamese web-site (wedding services provider) 15 A hosting provider in the USA

Figure 3. TOP 3 most frequently attacked web resources in Q1 2015

Although China, the USA and Canada sustained the highest number of DDoS attacks in Q1 2015, the top two most frequently attacked web resources were respectively a Russian and a Vietnamese web-site. Only one of the top three, a US hosting provider, is based in the most frequently attacked trio of countries. 

Time variations in the number of DDoS attacks

In Q1 2015, there were substantial time variations in the numbers of DDoS attacks*. In late January there was a peak in botnet activity and the low point came in mid-February.

Figure 4. Number of DDoS attacks over time in Q1 2015

*DDoS attacks may last for several days. In this graph, the same attack may be counted several times along the timeline, i.e. one time for each day of its duration. This results in a larger total number of DDoS attacks (30,064) than if each uninterrupted attack is counted as one (23,095).

As seen in the chart below, last December saw a dramatic increase in the number of botnet-assisted DDoS attacks. The number of attacks declined steadily through January and February, but then began to rise again in March. The December peak could be linked to the Christmas / Near Year holidays, when the cybercriminals redoubled their efforts to disrupt the operation of websites and services popular with users.

Figure 5. Monthly numbers of DDoS attacks in Q4 2014 and Q1 2015.

In Q1, Thursday became the most active day of the week in terms of numbers of botnet-assisted DDoS attacks, rather than Monday in Q4 2014. Sunday remains the quietest day for cybercriminals.

Figure 6. Numbers of DDoS attacks performed on each day of the week in Q4 2014 and Q1 2015

Types and duration of DDoS attacks

The duration and the scenario of a DDoS attack are among its most important characteristics, as they define the extent of the damage inflicted on the target. Within the analyzed time period, the vast majority of attacks lasted less than 24 hours. In Q4 2014, some attacks lasted for up to two weeks; in Q1 2014, there were no attacks that would last this long.

Attack duration, hours Number of targets in
Q4 2014
Number of targets in Q1 2015 150+ 5 0 100-149 8 3 50-99 299 121 20-49 735 433 10-19 1679 703 5-9 2161 1426 Less than 4 8425 9594

Figure 7. Duration of DDoS attacks in Q4 2014 and Q1 2015

The type of a DDoS attack is defined by the format of junk requests sent to the target web resource. SYN DDoS was the most popular method of performing a DDoS attack in Q1 2015, just like in Q4 2014. TCP DDoS attacks were overtaken by HHTP DDoS attacks in second place.

Figure 8. The most frequently used types of DDoS attacks in Q4 2014 and Q1 2015

C&C servers and botnet types

The C&C servers used by cybercriminals to control botnets may be located in different countries. Their locations are not typically related to the cybercriminals’ physical location(s) or to the geographic distributions of the botnets controlled via these C&C servers. The USA, China and the UK host the largest numbers of C&C servers that were active in Q1 2015.

Figure 9. Numbers of botnet C&C servers by country, Q1 2015

In Q1 2015, just like in Q4 2014, bots designed to infect Linux servers were more active than those targeting Windows devices. At the same time, there was virtually no change in the number of attacks launched using Windows botnets, while the number of attacks from Linux botnets has decreased.

Figure 10. The number of attacks launched from Windows and Linux botnets in Q4 2014 and Q1 2015

Although there are far fewer Linux-based botnets, the number of attacks launched from them is larger than that of the attacks launched from Windows-based botnets; also, the attacks from Linux-based botnets are more powerful. This is because a successful infection of a Linux-based server provides the cybercriminals with vast opportunities to manipulate network protocols. In addition, infected servers typically have faster internet connections than individual computers, so more powerful attacks can be carried out.

Besides, Linux-based botnets have much longer lives than Window-based botnets do. This is because Linux-based botnets are more difficult to detect and deactivate, since Linux servers are much less likely than Windows-based servers and devices to be equipped with dedicated security solutions.

It should be also pointed out that 93.2% DDoS targets in Q1 were attacked by just one family of bots. In 6.2% cases, two families of bots simultaneously participated in an attack, and three or more participated in 0.6% cases. In such cases, either the cybercriminals simultaneously used several different bot families to perform the attack, or the clients used the services of several attackers at once.


The number of botnet-assisted DDoS attacks has declined in Q1 2015 against Q4 2014; so has the number victims of these attacks. At the same time, this type of threat has grown to target more countries. Historically, most attacks target web resources located in the USA and China, as these two countries offer the cheapest prices for web hosting, and many web resources are located there. However, the 10 most frequently attacked targets also include victims from Europe and the APAC region. These statistics demonstrate that botnet-assisted DDoS attacks are relevant for most diverse web resources irrespective of their geographic location. Moreover, this threat is increasingly expanding its boundaries.

The cybercriminals who use botnets to carry out DDoS attacks are willing to persevere: the longest DDoS attack reported in Q1 2015 lasted for about 6 days, and the most frequently attacked web resource survived 21 attacks within the three month period. However, study shows that even a short, one-off attack may render an unprotected web resource inoperable. One such attack may cost the victim up to $444,000, not including the reputational damage associated with the unsatisfied users who failed to receive the service they expected.

Internet security companies make their contribution to combating DDoS attacks and botnets: among other things, they detect new pieces of malware and add signatures for them to the appropriate databases, protect servers from being compromised, protect computers against infections, curb C&C server activities, etc. Nevertheless, DDoS attacks remain a very popular tool with cybercriminals, so companies must take proactive care of their security. A junk traffic filtration service will allow an online resource to remain accessible for legitimate users even during a long and powerful attack.

Links that may be of interest:

The botnet ecosystem
The economics of Botnets
IT Security Risks survey 2014: DDoS
Kaspersky DDoS Protection webpage
Kaspersky DDoS Protection whitepaper


A bot is a malicious program that performs various actions at a cybercriminal’s command.

A family of bots is an aggregate of bots sharing the same source code. In other words, these are different versions of the same bot, even if they are serviced by different C&C servers.

A botnet is an aggregate of devices infected with the same bot that is serviced by the same C&C server. Cybercriminals distribute special malicious programs which turn servers, computers or mobile devices into remotely managed ‘zombies’ (or bots).

A C&C (command and control) server is a server used by cybercriminals to send orders to bots and to receive reports from them. In the case of a DDoS attack, cybercriminals command bots to simultaneously send requests directly to the targeted web resource or via third-party servers, and thus carry out a ‘distributed attack’.

SYN DDoS is an aggregate of DDoS attack scenarios which exploit peculiarities in the implementation of the TCP (Transmission Control Protocol). A TCP connection is established in three steps, which resembles the process of a handshake. The client sends a packet with the SYN flag. The server receives the SYN packet and replies with a packet with the headers SYN and ACK. Then the client sends an ACK packet, and thus validates the connection. In a SYN flood attack, the attacker sends packets with a SYN flag but does not require a response packet with SYN+ACK flags to establish a connection; this causes the targeted server to waste resources on processing these requests and sending response packets.

TCP DDoS is an aggregate of attack scenarios which, just like a SYN flood, exploit peculiarities in the implementation of the TCP protocol, but establish a connection to the targeted server. In a TCP flood-type attack, once the handshake procedure is completed successfully, the attacker side uses the established connection to send a lot of junk data, or send junk data in a very slow fashion. This overloads the attacked server, so it cannot allocate resources to legitimate users.

ICMP DDoS is an aggregate of attack scenarios using the ICMP (Internet Control Message Protocol). This protocol is normally used to send messages about errors or other exceptional situations that occur while transmitting data. In the case of an attack, the attacker sends plenty of ICMP requests to the victim side, forcing it to use its computational resources to process junk requests in place of legitimate requests.

UDP DDoS is an aggregate of attack scenarios that use UDP (User Datagram Protocol), which does not require a connection to be established. The attacker sends plenty of UDP packets to the victim’s side. Each packet requires processing resources from the targeted server and its communication equipment; this overloads the victim’s computational resources.

HTTP DDoS includes all types of DDoS attacks which have web applications as their target. While carrying out an attack, the attacker may send simple GET/POST requests to the main page of the web application as well as non-typical requests, such as requests to search for information in the web application’s database, execute scripts on the web server side, etc. Extra headers or cookie files may be inserted in the request body; this is done to bypass the filters that determine a legitimate user by the presence of cookie files. Besides, the attacker may open the browser on an infected device in order to imitate the activities of a regular website visitor, and thus prevent the security systems on the victim side from detecting bots in the general visitor traffic.

Grabit and the RATs

Wed, 05/27/2015 - 22:00

Not so long ago, Kaspersky clients in the United States approached Kaspersky researchers with a request to investigate a new type of malicious software that they were able to recover from their organizations’ servers. The malware calls itself Grabit and is distinctive because of its versatile behavior. Every sample we found was different in size and activity from the others but the internal name and other identifiers were disturbingly similar. The timestamp seems valid and close to the documented infection timeline. Our documentation points to a campaign that started somewhere in late February 2015 and ended in mid-March. As the development phase supposedly ended, malware started spreading from India, the United States and Israel to other countries around the globe.

All of the dozens of samples we managed to collect were programmed in Windows machine 32bit processor, over the Microsoft .NET Framework (Visual Basic/C#). Files were compiled over the course of three days, between March 7th and 9th of 2015. The following chart illustrates how the group or individual created the samples, the size of each sample, the time of the day when each was compiled and the time lapses between each compilation.

Malware compilation timeline

The smallest sample (0.52Mb) and the largest (1.57Mb) were both created on the same day, which could indicate experiments made by the group to test features, packers and “dead code” implementations.

Looking at the chart, it is interesting to see the modus operandi as the threat actor consistently strives to achieve a variety of samples, different code sizes and supposedly more complicated obfuscation.

Along with these different sizes, activities and obfuscation, a serious encryption algorithm was also implemented in each one of them. The proprietary obfuscated string, methods and classes made it rather challenging to analyze. ASLR is also enabled, which might point to an open source RAT or even a commercial framework that packed the malicious software in a well written structure. This type of work is known as a mitigation factor for threat actors to keep their code hidden from analysts’ eyes.

During our research, dynamic analysis showed that the malicious software’s “call home” functionality communicates over obvious channels and does not go the extra mile to hide its activity. In addition, the files themselves were not programmed to make any kind of registry maneuvers that would hide them from Windows Explorer. Taking that into an equation, it seems that the threat actors are sending a “weak knight in a heavy armor” to war. It means that whoever programmed the malware did not write all the code from scratch. A well trained knight would never go to war with a blazing shield and yet a stick for a sword.

Looking into the “call home” traffic, the Keylogger functionality prepares files that act as a container for keyboard interrupts, collecting hostnames, application names, usernames and passwords. However, the interesting part lies here.

The file names contain a very informative string:

HawkEye_Keylogger_Execution_Confirmed_<VICTIM> 3.10.2015 6:08:31 PM

HawkEye is a commercial tool that has been in development for a few years now; it appeared in 2014, as a website called HawkEyeProducts, and made a very famous contribution to the hacker community.

In the website, the product shows great versatility as it contains many types of RATs, features and functionality, such as the traditional HawkEye Logger or other types of remote administration tools like Cyborg Logger, CyberGate, DarkComet, NanoCore and more. It seems to support three types of delivery: FTP, SMTP and Web-Panel.

As seen, the malware uses a number of RATs to control its victims or track their activity. One of the threat actor’s successful implementations contained the well-known DarkComet. This convenient “choose your RAT” functionality plays a very important role in the malware infection, routine and survival on the victim’s machine. The DarkComet samples are more complicated than the traditional HawkEye logger. One instance had a random key generator which sets an initialization vector of the first 4 bytes of the executable file and appends a random 5 byte key that unpacks another PE file, less than 20Kb in size. The PE file then contains another packer with an even more challenging obfuscation technique. The last sample we tested had still more complicated behavior. The code itself had the same obfuscation technique, though traffic was not transferring in clear text. Stolen data was packed and sent encrypted over HTTP random ports. This means that the group is trying to produce other types of malicious samples with different RATs.

Approximately 10,000 stolen files have been collected. Companies based in Thailand and India had the largest percentage of infected machines. By looking at the stolen credentials, it is very clear that employees sent the malware to one another, as stolen host names and internal applications are the same.

The following is the full chart, updated to May 2015:

Malware distribution by country

Demonstrating the effectiveness of their simple Keyloggers, one C2 (on May 15th) maintained thousands of victim account credentials from hundreds of infected systems.

To sum it up, Grabit threat actors did not use any sophisticated evasions or maneuvers in their dynamic activity. It is interesting to see the major differences between the core development of the malware and the actual functionality it uses.

Some malware samples used the same hosting server, and even the same credentials. Could it be that our threat actor was in a hurry?
Our guess is that we are looking at a group and not an individual. Some members of the group are more technical than the others and some are more security oriented and aware of the risks they might expose themselves to.

Back nj square one:

From what we have seen so far, the malware is being delivered as a Microsoft Office Word (.doc) email attachment, containing a malicious macro called AutoOpen. This macro simply opens a socket over TCP and sends an HTTP request to a remote server that was hacked by the group to serve as a malware hub, before downloading the malware. In some cases the malicious macro was password protected, but our threat actor might have forgotten that a .doc file is actually an archive and when that archive is opened in a convenient editor of your choice, the macro strings are shown in clear-text.

The malware is in plain view, modifying commonplace registry entries, such as the startup configurations, and not covering its tracks. Its binaries are not deleted in most cases, and its communication is in clear-text, where the victim can sniff the communication and grab the FTP/SMTP server’s credentials.

Malware derivatives are mainly located in:

C:\Users\ <user> \AppData\Roaming\Microsoft

Phishing extensions: .doc



Icons: .pdf, .doc, .ttf, .xls, .ppt, .msg, .exe

Stealer: .txt, .jpeg, .eml

Additional Executable names:


Malware extensions: .zip or .exe
















IP Addresses:

Does CCTV put the public at risk of cyberattack?

Wed, 05/27/2015 - 04:00

The research was originally presented at DefCon 2014. It has been published as part of Kaspersky Lab’s support of Securing Smart Cities – a global not-for-profit initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, not-for-profit initiatives and individuals across the world.

Thomas Kinsey from Exigent Systems Inc. contributed to this report.

Late one night, a colleague and I decided it would be a good idea to climb up a public fountain in the middle of a city. Suddenly a disembodied voice from the heavens boomed out: “PLEASE GET DOWN FROM THE FOUNTAIN.” We were shocked, until we noticed a number of cameras – complete with speakers attached – pointing to us from various lamp-posts in the city. This was the first time we’d ever felt so closely monitored so we decided to take a look at how the systems worked.

It is nothing new that police departments and governments have been surveilling citizens for years with the help of security cameras set up throughout various cities. These days most of us accept this as a fair tradeoff that we are willing to make, sacrificing a measure of privacy in the hope that it will keep us safer from criminals and terrorists. However, we also expect that our private data, in this case video feeds of our public life, will be handled responsibly and securely to ensure that this surveillance does not end up doing more harm than good.

In our recent research, we came across many cities that use wireless technology for their security cameras and infrastructure, rather than the hard-wired setups that were common in the past. This change makes things more cost and time effective for the city authorities.

Unfortunately, the problem is that right now wireless technology is not as secure as it could be. As security-conscious people, we instantly saw that handling data in this manner could potentially be vulnerable to a number of attacks, and so we started looking into whether these systems were implemented in a way that handled our data safely, or whether the data could be easily manipulated for malicious intent.

Although wireless technology itself can be vulnerable, there are still many additional improvements which can be implemented to add a sufficient level of security. Ideally, there should be many levels of security in place, so if a hacker clears one hurdle, he must then face a greater challenge at the next. However that was not the case in this instance.


Our research started on the physical level: we traveled to various locations around the city, looking at how the hardware was set up, and finding the first sign that the city really had not put enough thought and effort into properly handing their own systems.

The security system

As the picture shows, the security system was set up in a sloppy way. The units that will be carrying our data have not been masked at all; on some units we could clearly see the name and model of the hardware needed in order to identify the devices and begin the research.

Why it is so important to protect the labeling of the hardware that you use? I will provide an example to help illustrate why this is such a major flaw. When there is a server that needs to be secured, a major factor in preventing it from being exploited is that the server binary is not publicly available. The reason for this is that if a researcher can get his hands on the binary, it can be reverse engineered and studied to find bugs and vulnerabilities. It is rare that a vulnerability can be discovered without being able to look at the code implementing the service. This is why not covering up the device labeling, seemingly a small mistake, actually has a massive effect.

Returning to the camera network: if a hacker was to crack the wireless security of these systems (which only implement your standard WEP or WPA wireless protections), he would at this point only be able to see unknown protocols, headers, and wireless packets with no reference to what system they belong to. In our analysis, we initially had no idea what software was generating these packets, as it is a proprietary system. Without getting our hands on the actual code, it would have been more or less impossible to reverse the protocol they use, which is really the only way to properly examine the network. At this point, our work was cut out for us.

Encryption modules had not been set up and clear text data was being sent through the network#SmartCitySecurity


Having obtained the hardware, we realized, despite the fact that the police department’s setup was weak, the hardware they chose was actually not the problem at all. The mesh nodes were actually a very complex and well-made solution, and there are modules built into it to secure communications beyond the outlying wireless security. It just needed a sufficiently knowledgeable person to implement this technology and ensure it was properly set up. Unfortunately, having inspected many of the packets, we quickly realized that these encryption modules had not been set up and were not being implemented at all. Clear text data was being sent through the network for any observer who could join. There was no encryption to subvert, so we knew that it would just be a matter of recreating our own version of this software in order to manipulate the data traveling across it.

A quick comparison of how the mesh network works to transport video feeds will help give an understanding of what exactly we learned in order to manipulate the system. In a traditional Wi-Fi network, each device is typically connected to a router that serves as a central point. In order to send one piece of data to another part of the network, you would send it to that address, and it would travel via the router to the connected device. This works well in close proximity, but in order to be able to communicate over a long distance, the camera network used a topology and protocol that we will not name in this article.

Traditional topology of a home wireless network. Clients can be any device connected to the Internet

An attacker tells the user he is the router, and tells the router he is the user, thus intercepting traffic to and from the web server

In general, being on any wireless network – a home wireless network, for example – makes it possible for anyone connected to perform regular Man-in-the-Middle attacks by using methods such as ARP poisoning. This essentially enables the user to alter any data sent to and from the router. Because of the nature of the mesh software, however, this standard method would not be very valuable if attempted in the vanilla form. Basically, each node in the mesh network can only have a direct line of sight to a few of the many nodes that exist in the network. In order to send a packet to a device that is not within range, the packet must travel from the origin point, through several other nodes, and eventually reach the destination node. The hardware vendor’s system implements a pathfinding algorithm in order to efficiently transport data and to be able to find the most reliable route to destination. The algorithm is very similar to that which is commonly used in video games to determine the path a character will take to get to his destination, avoiding obstructions.

The Pathfinding algorithm find routes for characters to travel based on variables such as difficulty of terrain

The pathfinding algorithm used for the cameras relies on a number of variables, but most important is the signal strength between one node and the next and the number of nodes it travels through in order to reach to the destination.

Packet originates from Node A and travels through B to C and finally to Destination (Simulated police station). Meanwhile, all other nodes travel through a completely different path and thus cannot be intercepted by listening in at a single location

With that set up, a classic man-in-the-middle scenario is possible on the video data #SmartCitySecurity


This is exactly what we took advantage of. By lying to the other nodes, telling them that we had a direct line of site to the simulated police station and would behave as a node by forwarding the packets along, the cameras set up in proximity actually began forwarding their packets directly to us because of the A* implementation. With that set up, a classic Man-in-the-Middle scenario is possible, but now on a very wide range of video feeds. A good analogy here with the RTS game above would be like building a bridge across the lake, so all characters would follow that path, rather than traveling around the shore of the lake.

So what are the implications?

We are not in the business of hacking, we simply wanted to create a proof of concept to demonstrate that this kind of attack is possible, to expose that a vulnerability exists, and ultimately to alert the authorities to a weakness that needs to be fixed. Because of that, our research was done on our own private lab setup, replicating the systems the police had in place, and did not actually harm their network in any way.

As frequently seen in Hollywood movies, if hackers with criminal intent were to take advantage of the problems which we have shown, many dangerous scenarios could unfold. Being able to launch Man-in-the-Middle attacks on the video data is a short step away from replacing real video feeds with pre-recorded footage. In this scenario a cybercriminal gang could lead the police department to believe that a crime is taking place in one area of the city, and wait for the department to dispatch officers there. This would leave a window of opportunity for crime in another region of the city where there are no officers available. This is just one way in which someone could maliciously use these systems to actually assist them in committing crimes much more efficiently than if they were not in place at all. Unfortunately, this is not just a Hollywood scenario. We successfully replicated this functionality in our lab.

It is a short step away from replacing real video feeds with pre-recorded footage #SmartCitySecurity


We trust the proper authorities to access our private data, but when those authorities do not spend the time and resources necessary to responsibly handle this data we are better off without this technology at all. Thankfully, after we alerted them to the problem, the cities involved expressed their concern and have since acted to increase security.

The unfortunate truth here is that everything is connected these days, and as new technology is being implemented across the board to modernize older technology, it will inevitably introduce new vulnerabilities. Aside from just the surveillance systems which we analyzed today, there are many more systems which are, and will be, vulnerable to various attacks. The race is on for “the good guys” to test security, before “the bad guys” can use it for malicious intent. Our task is to continue in this effort, to keep the world a safer place.


The following considerations are necessary to bring a mesh network to a reasonable level of security:

  • Although still potentially crack-able, WPA with strong password is a minimum requirement to stop the system from being an easy target.
  • Hidden SSID and MAC filtering will also weed out unskilled hackers.
  • Make sure all labels on all equipment are concealed and enclosed to deter attackers who do not have insider information.
  • Securing video data using Public-key cryptography will make it more or less impossible to manipulate video data.

Fraudsters can have rights, too

Thu, 05/21/2015 - 06:00

We have recently come across a method of getting personal information that was interesting from the technical point of view. Our customer received an email saying that someone had used his Live ID to distribute unsolicited email, so his account would be blocked. The email suggested that, to prevent the account from being blocked, the customer should follow the link and fulfill the service’s new security requirements.

This sounds very much like a typical phishing email. The victim is expected to click on the link that will take him to a fake site imitating the official Windows Live page, enter data which will be sent to the scammers, etc. However, to our surprise, the link from the scam email actually led to the Windows Live website and the cybercriminals did not make any attempt to get the victim’s login and password. Their scam was much more sophisticated than that.

The scam

Then why is it dangerous to follow the link if it does lead to the official Microsoft service?

The scam email

This is because the Live ID account can also be used for authorization with other services – Xbox LIVE, Zune, Hotmail, Outlook, MSN, Messenger, OneDrive, etc. The attack does not result in the fraudster getting direct access to these services on behalf of his victim, but it does enable the attacker to steal personal information contained in the user profiles for these services and subsequently use it for fraudulent purposes.

Having followed the link in the email, we are taken to the official service, where we are asked to authenticate using our login and password.

After successful authentication, the user’s login and password are not intercepted by the fraudsters as one might suppose (and as it usually happens); the user does get authenticated on But after this they receive a curious prompt from the service:

Some application requests permission to automatically log into our account, view our profile information and contact list and access the list of e-mail addresses. By clicking “Yes” we assign it these rights – in effect providing its creators with our personal information, our contacts’ email addresses, our friends’ nicknames and real names, etc.

Do not give the right to access your personal data to applications that you do not know or trust


Since in this case we know nothing about the application or its authors, we can only assume that the data collected will be used for fraudulent purposes. Once again – the login and password do remain confidential.

How it works

Technically, this is not very complicated. There is a special open protocol for authorization, OAuth, which allows resource owners to give third parties limited access to their protected resources without sharing their credentials. The protocol is commonly used by the developers of web applications for social networks if these applications require some data for their operation, such as the ability to access the contact list. It is convenient for users because once they are authenticated with the service they do not have to enter their credentials every time an application requests authorization.

This is the first time we have come across a phishing email used by fraudsters to put these techniques into practice


The security flaws of the OAuth protocol have been known for quite a while: in early 2014, a student from Singapore described possible techniques for stealing user data after authentication. However, this is the first time we have come across a phishing email used by fraudsters to put these techniques into practice.

In our case, after clicking on the link hxxps://, which was received in a scam email, a user is taken to the authentication page where (s)he is asked to assign certain rights to an application. The list of rights requested is encoded in the link’s parameters. If the user agrees, (s)he is redirected to a landing page (hxxp:// whose URL includes an “access token” (hxxp:// after the “code” parameter, which is then intercepted by the application right from the address bar. The “access token” is then used by the application to access protected resources. It is worth noting that the capabilities offered by OAuth are not limited to authentication and authorization. A token received during authorization can be used for integrating a web service’s or social network’s functionality into your own resource, including the ability to read and write posts, access the news feed, the Wall, etc.

Link parameters

If you take a closer look at the link, you can see the following parameters: wl.signin, wl.basic, wl.emails, and wl.contacts_emails. These parameters are used to encode the permission levels requested by the application:

  • wl.signin – single sign-in enabling users who are logged into Windows Live to automatically log into any web site that supports this type of authorization;
  • wl.basic gives permission to read basic information in the user profile, such as the user’s nickname, first and last name, sex, age, country of residence, as well as giving access to the user’s contact list;
  • wl.emails – gives reading access to the user’s personal, preferred and business email addresses;
  • wl.contacts_emails gives access to the email addresses of all people on the user’s contact list.

There are many other parameters, which give permissions to access the user’s and their contacts’ photos, date of birth, the list of meetings and important events. In fact, a scammer can use this information to create a person’s profile, including information on what the user’s activities are when going out, the user’s friends and people (s)he meets, etc. This profile can then be used for criminal purposes.

The victim's information is gathered in order to send spam or to launch spear phishing attacks


Further research enabled us to find a few similar phishing emails containing links to the official Microsoft service. In all cases, attackers asked the user to provide the same information (profile data, email addresses, contacts). Only the addresses of the landing pages hosting the scammers’ application were different.





It should be noted that some applications designed for social networks also use the OAuth protocol.

Example of rights assigned to an application on Facebook

An application created by scammers might request the victim’s permission to publish posts and pictures on the Wall, to read and send private messages, to add entries in guest books. These features can be used to distribute spam or links to phishing or malicious sites.


In the case discussed above, information is most likely gathered in order to send spam to the contacts in the victim’s address book or to launch spear phishing attacks.

To avoid falling victim to scammers, do not follow links received by email or in private messages on social networks. Most importantly, do not give the right to access your personal data to applications that you do not know or trust. Before you agree, carefully read the descriptions of the account access rights which the application will get and assess the threat level. You can also search the Internet for information and feedback on the application requesting these rights. Any social networking site or web service also allows users to view the rights of currently installed applications in account/profile settings and cancel some of the permissions if necessary.

Example of Google access rights assigned to an application

If you have found out that an application is already distributing spam or malicious links on your behalf, you can send a complaint to the administration of the social networking site or web service and the application will be blocked. If you want to log on to a service or social networking site, it is best to go directly to the official website by manually entering its address in the browser. And, of course, keep the databases of your antivirus software with integrated anti-phishing protection up to date.

The Naikon APT and the MsnMM Campaigns

Wed, 05/20/2015 - 23:58

The MsnMM Campaigns [pdf]

For over half a decade, the Naikon APT waged multiple attack campaigns on sensitive targets throughout South-eastern Asia and around the South China Sea. It maintained a heavy offensive focus on Myanmar, Vietnam, Singapore, the Philippines, Malaysia, and Laos. Targets and victims included ASEAN governmental agencies and government departments, investment enterprises, military, law enforcement and border control organizations, embassies, university faculties and others.

Parts of the campaigns have been publicly discussed according to the nature of their tools. For example, the MsnMM backdoors started out with internal names like “WinMM” and “SslMM”, and their file naming spoofed MSN Talk and Msn Gaming Zone. The backdoor term “naikon” was derived from the User-Agent string “NOKIAN95″. But msnMM, naikon, sakto, and rarstone backdoors are all used by the same actor that we call the Naikon APT. Their second stage tools largely remained unknown.

The Naikon attackers attempted to exfiltrate sensitive geo-political, military, and economic data; to intercept communications and to maintain surveillance on their victims throughout the MsnMM campaigns. Their toolset and techniques changed over time in many minor ways, and appear to be run by Chinese-speaking individuals. The group’s infrastructure, reliant on web apps located mostly via dynamic dns domains, overlapped across these campaigns. As previously described, the APT’s methods and technologies are simple, but highly effective against its targets’ defenses. We do not find 0-days here.

Much of Naikon’s spear-phish and decoy document content, as well as its deployment, coincided approximately with highly-charged geopolitical events. The consistent list of military, economic, and political targets gave away the actor’s interests. Naikon’s earliest campaigns deployed the exe_exchange, winMM, and sys10 backdoors, and the codebase was later built out into more custom tools. The MsnMM campaigns were waged into the start of 2014, and then dropped off before picking up again later in the year and into 2015.

Regarding interaction with other APTs, it’s interesting to note that Naikon APT victims overlap with Cycldek APT victims.  Cycldek is another persistent, but weaker APT. In addition, not only does the APT30 target profile match the Naikon APT, its toolset also features minor but noticeable similarities. And the later Naikon campaigns led to an all out APT v APT confrontation with the Hellsing APT, when “the empire struck back.”

Although aspects of the malware set have been discussed on some blogs and in other papers, there hasn’t been an accurate report bringing together details of the MsnMM, Sys10, and Naikon campaigns as the work of one crew, the Naikon APT. Finally, while this report looks into their past activity, the Naikon APT remains active, deploying a more recent codebase. The top targets for 2015 that we are aware of include organizations in Myanmar, Cambodia, Vietnam, Thailand, and Laos.

The Naikon APT

Wed, 05/13/2015 - 23:00

Our recent report, “The Chronicles of the Hellsing APT: the Empire Strikes Back” began with an introduction to the Naikon APT, describing it as “One of the most active APTs in Asia, especially around the South China Sea”. Naikon was mentioned because of its role in what turned out to be a unique and surprising story about payback. It was a Naikon attack on a Hellsing-related organization that first introduced us to the Hellsing APT.  Considering the volume of Naikon activity observed and its relentless, repeated attack attempts, such a confrontation was worth looking into, so we did.

The Naikon group was spear-phished by an actor we now call "Hellsing"


The Naikon APT aligns with the actor our colleagues at FireEye recently revealed to be APT30, but we haven’t discovered any exact matches. It is hardly surprising that there is an element of overlap, considering both actors have for years mined victims in the South China Sea area, apparently in search of geo-political intelligence.

The Naikon group has for 5 years mined victims, apparently in search of geo-political intelligence


This Naikon report will be complemented by a follow-on report that will examine the Naikon TTP and the incredible volume of attack activity around the South China Sea that has been going on since at least 2010.

Noteworthy operational and logistical characteristics of this APT include:

  • At least five years of high volume, high profile,  geo-political attack activity
  • Geographical  focus – per-country, individual operator assignment and proxy presence
  • Dynamic, well organized infrastructure
  • Reliance on an externally developed, consistent set of tools comprising a full-featured backdoor, a builder, and an exploit builder
  • High success rate in infiltrating national organisations in ASEAN countries
Highly Focused and Effective Around the South China Sea

In the spring of 2014, we noticed an increase in the volume of attack activity by the Naikon APT. The attackers appeared to be Chinese-speaking and targeted mainly top-level government agencies and civil and military organizations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos and China.


An attack typically starts with an email carrying an attachment that contains information of interest to the potential victim. The document may be based on information from open sources or on proprietary information stolen from other compromised systems.

This bait “document”, or email attachment, appears to be a Word document, but is in fact an executable file with a double extension exploiting CVE-2012-0158 so it can execute code without the user’s knowledge or consent. When the executable is launched, spyware is installed on the victim computer at the same time as a decoy document is displayed to the user; fooling them into thinking they have simply opened a document.


The Naikon tool of choice generates a special, small, encrypted file which is 8,000 bytes in size, and contains platform-independent code to be injected into the browser along with configuration data. With the help of a start-up module, this whole file is injected into the browser memory and decrypts the configuration block containing the following:

  • C&C server
  • Ports and path to the server
  • User-agent string
  • Filenames and paths to its components
  • Hash sums of the user API functions

The same code then downloads its main body from the C&C server using the SSL protocol, loads it independently from the operating system functions and, without saving it to the hard drive, hands over control to the XS02 function. All functionality is handled in memory.


The main module is a remote administration utility. Using SSL, the module establishes a reverse connection to the C&C server as follows: it sets up an outgoing connection to the C&C server and checks if there is a command that it should execute. If there is, it executes the command and returns the result to the C&C. There are 48 commands in the module’s repertoire, which a remote operator can use to effectively control the victim computer.  This includes taking a complete inventory, downloading and uploading data, installing add-on modules, or working with the command line.

The main module supports 48 commands, which the attackers can use to control the victim machine


Here is the complete list of commands:


Several modifications of the main module exist. There are no fundamental differences between modifications; it’s just that extra features get added to the latest versions, such as compression and encryption of transmitted data, or the piecemeal download of large files.

d085ba82824c1e61e93e113a705b8e9a 118272 Aug 23 18:46:57 2012 b4a8dc9eb26e727eafb6c8477963829c 140800 May 20 11:56:38 2013 172fd9cce78de38d8cbcad605e3d6675 118784 Jun 13 12:14:40 2013 d74a7e7a4de0da503472f1f051b68745 190464 Aug 19 05:30:12 2013 93e84075bef7a11832d9c5aa70135dc6 154624 Jan 07 04:39:43 2014 CC-Proxy-Op

C&C server operations are characterized by the following:

  • Low maintenance requirements
  • Organized geo-specific task assignments
  • Different approaches to communication

The C&C servers required only a few operators to manage the entire network. Each operator appears to have focused on their own particular set of targets, because a correlation exists between C&C and the location of targets/victims.

There is a geo-specific correlation between the location of Nikon C&Cs and that of targets/victims


Communication with victim systems changed depending on the target involved. In some cases, a direct connection was established between the victim computer and the operator system. In other cases, the connection was established via dedicated proxy servers installed on dedicated servers rented in third countries. In all likelihood, this additional setup was a reaction to the network administrators in some targets limiting or monitoring outbound network connections from their organizations.

Here is a partial list of C&C servers and victim locations, demonstrating the geo-specific correlation:

ID Jakarta ID Jakarta ID Jakarta ID ID Bandung ID Bandung ID Jakarta JP Tokyo KH KH Phnom Penh MM MM MM MM Yangon MM MM MM MY MY MY MY MY Putrajaya MY Putrajaya PH Caloocan PH Caloocan PH PH PH PH PH PH PH SG Singapore SG Singapore VN Hanoi VN Hanoi VN Hanoi VN Dong Ket VN Hanoi VN Hanoi VN Hanoi VN Hanoi VN Binh Duong VN Binh Duong VN Hanoi VN Hanoi VN Hanoi VN Hanoi VN Hanoi XSControl – the Naikon APT’s “victim management software”

In the Naikon scheme, a C&C server is essentially  specialized XSControl software running on the operator’s machine. It can be used to manage an entire network of infected clients. In some cases, a proxy is used to tunnel victim traffic to the XSControl server. A Naikon proxy server is a dedicated server that accepts incoming connections from victim computers and redirects them to the operator’s computer. An individual Naikon proxy server can be set up in any target country with traffic tunnelling from victim systems to the related C&C servers.

XSControl is written in .NET with the use of DevExpress. Its main capabilities are:

  • Accept initial connections from clients
  • Provide clients with the main remote administration module
  • Enable them to remotely administer infected computers with the help of a GUI
  • Keep logs of client activity
  • Keep logs of operator activity
  • Upload logs and files to an FTP server

The operator’s activity logs contain the following:

  • An XML database of downloaded files, specifying the time of operation, the remote path and the local path
  • A database of file names, the victim computer registry keys for the folders and sections requested by the operator
  • A history of executed commands
Country X, Operator X

Now let’s do an overview of one Naikon campaign, focusing on country “X”.

Analysis revealed that the cyber-espionage campaign against country X had been going on for many years. Computers infected with the remote control modules provided attackers with access to employees’ corporate email and internal resources, and access to personal and corporate email content  hosted on external services.

Below is a partial list of organizations affected by Naikon’s “operator X’s” espionage campaign in country X.

  • Office of the President
  • Military Forces
  • Office of the Cabinet Secretary
  • National Security Council
  • Office of the Solicitor General
  • National Intelligence Coordinating Agency
  • Civil Aviation Authority
  • Department of Justice
  • Federal Police
  • Executive/Presidential Administration and Management Staff

A few of these organizations were key targets and under continuous, real-time monitoring. It was during operator X’s network monitoring that the attackers placed Naikon proxies within the countries’ borders, to cloak and support  real-time outbound connections and data exfiltration from high-profile victim organizations.

In order to obtain employees’ credentials, operator X sometimes used keyloggers. If necessary, operator X delivered them via the remote control client. In addition to stealing keystrokes, this attacker also intercepted network traffic. Lateral movements included copying over and remotely setting up winpcap across desktop systems within sensitive office networks, then remotely setting up AT jobs to run these network sniffers. Some APTs like Naikon distribute tools such as these across multiple systems in order to regain control if it is lost accidentally and to maintain persistence.

The Naikon group took advantage of cultural idiosyncrasies in its target countries


Operator X also took advantage of cultural idiosyncrasies in its target countries, for example, the regular and widely accepted use of personal Gmail accounts for work. So it was not difficult for the Naikon APT to register similar-looking email addresses and to spear-phish targets with attachments, links to sites serving malware, and links to google drive.

The empire strikes back

Every once in a while the Naikon group clashes with other APT groups that are also active in the region. In particular, we noticed that the Naikon group was spear-phished by an actor we now call “Hellsing”. More details about the cloak and dagger games between Naikon and Hellsing can be found in our blogpost: “The Chronicles of the Hellsing APT: The Empire Strikes Back”.

Spam and Phishing in the First Quarter of 2015

Wed, 05/13/2015 - 08:00

Spam: features of the quarter New domain zones

In January 2014 the New gTLD program of registration for new generic top-level domains designated for certain types of communities and organizations was launched. The main advantage of this program is the opportunity for organizations to choose a domain zone that is clearly consistent with their activities and the themes of their sites. The new business opportunities provided by the New gTLD program were enthusiastically endorsed by the Internet community, and active registration of new domain names is still ongoing.

Spammers and cybercriminals were quick to react: for them new domains are an excellent tool for promoting illegitimate campaigns. As a result, new domain zones almost immediately became an arena for the large-scale distribution of advertising spam, phishing and malicious emails. Cybercriminals either registered domains to spread spam mass mailings, hacked existing sites to place spam pages, or used these and other web resources in chains that redirect users to spam sites.

According to our observations, email traffic in Q1 2015 saw a considerable increase in the number of new domains that sent out spam of different content. In general there wasn’t much connection between the theme of the spam and the domain name, but in some cases there was an evident logical connection between them. For example, emails sent from the .work domains contained offers to carry out various types of work such as household maintenance, construction or equipment installation. Many of the messages from the .science domains were advertising schools that offer distance learning, colleges to train nurses, criminal lawyers and other professionals.

Q1’s spam traffic also featured many emails sent from color domains like .pink, .red, or .black. Basically they were used to advertise Asian dating sites. At the same time, the top-level domains used in mass mailings exploiting the dating theme were generally empty and did not contain any content related to this subject. They were only used in the chain of redirects leading to the main sites. It should also be noted that the first-level domains of the main sites were created recently and are constantly changing, in contrast with their content, which is still designed according to the same typical spam patterns.

The second- and lower-level domains in such messages are usually generated automatically and appear in the form of a random combination of alphanumeric characters. Meanwhile we are still seeing well-known .com, .org, .info, etc. used as domain zones as well as ones from the New gTLD program.

New domains, old themes

As for spam categories on new domains and Q1 spam in general insurance was one of the hottest topics, both in terms of the number of messages and the number of changing domains seen in mass mailings. This covers all types of insurance - life, health, property, cars, animals, and funeral insurance. Spam offering insurance services used newly-created top-level domains as well as compromised or expired ones. And even though the domains were new, spammers continued to use their old tricks, for example, they substituted domains of well-known organizations such as @ or @ in the From field.

The emails we came across generally followed the same template:

  • very little text (the email generally contains a typical header consisting of several words which is exactly repeated in the body of the message)
  • one or more links which load a brightly decorated picture (sometimes in parts) with all the necessary advertising data (a more detailed advertising text plus contacts: website address, phone number, company name)
  • another long link that leads to a resource that corresponds to the content of the email
  • additional ‘white noise’ text to bulk out the email

The latter consists of random phrases or single words in any language which may not be the same as the language of the mass mailing. This text is generally invisible to the reader of the email as it is written in white or pale color on a standard white background. This technique is used in many types of mass mailing.

The source code of a page containing a random set of words to ‘noise’ an email

Spammer tricks

To bypass antispam filtering scammers often noise emails with the large pieces of text written in white lettering on a standard white background to create the illusion of a non-spam text message.

In Q1 spammers exploited yet another technique, deliberating distorting spammer site addresses by writing them separately or adding extra characters. At the same time the message text always contained the name of a second-level domain where the spammer site is hosted, as well as instructions about how to use it with the domain zone: for example, "remove all the extra characters, and copy to the address bar" or "enter in the address bar without spaces". In fact, the addressee of the email is encouraged to create the address of spam site of his own and enter it in the address bar.

Macros in malicious spam

Spam is getting more and more dangerous for Internet users. Cybercriminals are coming up with new tricks and are also reverting to the well-known but now forgotten methods. Thus, in the first quarter of 2015 the fraudsters used spam to distributed macro viruses, programs written in the macro languages built into data processing systems (text and graphic editors, spreadsheets, etc.).

In the Q1 2015 was the malicious program most often distributed via email


Malicious emails contained attachments with a .doc or .xls extension. These launched the VBA script when the attachment was opened. This script downloaded and installed other malicious programs, such as the banking Trojan Cridex, in the system. The micro viruses registered by Kaspersky Lab belong to the Trojan downloaders: Trojan-Downloader.MSExcel.Agent, Trojan-Downloader.MSWord.Agent and Trojan-Downloader.VBS.Agent.

Basically, malicious attachments imitated various financial documents: notifications of a fine or a money transfer, unpaid bills, payments, orders and complaints, e-tickets, etc.

Among these fraudulent notifications were fake messages written on behalf of public services, stores, hotel, airlines and other well-known organizations.

One interesting example of a fake notification was the confirmation of payment sent allegedly on behalf of the employee of the leading British supplier of water coolers for offices. The design of the fake message was a perfect imitation of an official email containing full contact details, logos and legitimate links.

Earlier this year, we came across a mass mailing that contained malicious attachments in Microsoft Word or Excel. Instead of the promised detailed information, the attachment contained a Trojan downloader (Trojan-Downloader.MSExcel.Agent or Trojan-Downloader.MSWord.Agent) that downloaded and ran other malicious software. The emails in the mass mailing were based on a single template; only the sender address and the amount of money specified in the subject and the body of the message varied.

The content of the document with a macro virus may look like a set of random characters similar to an incorrect display of coding. Fraudsters use this technique as a pretext: under the pretense of correcting the coding they tried to convince their potential victims to enable macros because back in 2007 Microsoft disabled the automatic activation of macros in files for safety reasons.

In addition to the mass mailings in which the malicious script had been inserted as macros we came across emails in which the script had been inserted as an object. The authors of one of these emails informed recipients they should pay a debt within a week or face legal action that would bring additional financial expenses.

The attached file was also in Microsoft Word while the malicious VBS script (according to the Kaspersky Lab verdict - Trojan-Downloader.VBS.Agent.all) had been inserted into it as an object. To deceive the user the inserted script was displayed as an Excel file: the scammers used the icon of this program and added.xls to the name of the file.

The first macro virus was registered in August 1995 in MS Word "Concept" documents and quickly infected tens of thousands of computers around the world. Despite its 20-year history, this type of malware is still popular largely due to the fact that the VBA language developed to create macros is one of the most simple and accessible, but at the same time functional, programming languages.

The Top 3 countries most often targeted by mailshots: Great Britain, Brazil and USA


Most macro viruses are active not only when opening or closing the infected file but as long as the user is working with the editor (text or table). Macro viruses constitute a threat because they infect not only the initially opened file but any other files that are directly addressed.

The active distribution of macro viruses via email is aided by the simplicity with which they can be created and by the fact that users are constantly working with text and spreadsheet applications – often without being aware of the potential danger of macro viruses.

Malicious email attachments

Top 10 malicious programs sent by email, first quarter of 2015

In the first quarter of 2015 was the malicious program most often distributed via email, according to our ranking. This downloader, which was as low as the sixth position in last year’s ranking, is a CPL applet (a Control Panel component) that downloads Trojans designed to steal confidential financial information. Most malicious programs of this type are aimed at Brazilian and Portuguese banks.

Next came Trojan-Spy.HTML.Fraud.gen. As we have written before, this program is a fake HTML page which is sent via email, imitating an important notification from a large commercial bank, an online store, a software developer, etc.

In Q1 2015, the proportion of spam in email traffic was 59.2%, which is 6 p.p. lower than in the previous quarter


Trojan-Downloader.HTML.Agent.aax and are in fourth and seventh positions respectively. Both are HTML pages which, when opened by users, redirect them to a rigged site. There, a victim is usually faced with a phishing page or is offered to download Binbot — a binary option trading bot, which has lately been popular on the net. The two malicious programs spread via email attachments and only difference between them is the link which redirects users to rigged sites.

Sixth comes Trojan.Win32.VBKrypt.sbds. It is just a common Trojan downloader designed to download a malicious file to the victim’s computer and run it.

Eighth and ninth places are occupied by downloaders from the Upatre family - Trojan-Downloader.Win32.Upatre.fbq и Trojan-Downloader.Win32.Upatre.fca, respectively, which are usually disguised as PDF or RTF documents. Their main task is to download, unpack and run additional applications.

It should be noted that if popular malware families rather than specific malicious programs are ranked, Upatre heads the Q1 rating. In most cases, malware from the Upatre family downloads the Dyre (aka Dyreza, Dyzap) banker, as a result of which this family also leads our rating of most widespread banking threats.

The Andromeda family, which headed last year’s rating, moved down to second position in Q1 2015. As we have mentioned before, these malicious programs allow cybercriminals to secretly control infected computers, which are often made part of a botnet.

The MSWord.Agent family occupies third position in the Top 10. These malicious programs are.doc files with an embedded macro written in Visual Basic for Applications (VBA), which runs on opening the document. It downloads and runs other malware, such as malicious programs from the Andromeda family.

In the Q1 2015 the USA remained the biggest source of spam, sending 14.5% of all unwanted mail


Malware from the ZeuS/Zbot family, which are among the most popular and readily available programs used to steal banking information and therefore users’ money, came only seventh in Q1.

Countries targeted by malicious mailshots

Distribution of email antivirus verdicts by country, Q1 2015

In the first quarter, there were major changes in the Top 3 countries most often targeted by mailshots. Brazil unexpectedly moved up to second place with 7.44% (compared to 3.55% in 2014), pushing Germany down in the ranking. Britain tops the rating (7.85%). The USA is in the third place (7.18%). Germany, which headed the rating for a long time, dropped to fourth position (6.05%).

It is also worth mentioning Australia: it climbed to sixth place in the first quarter with 4.12%.

As for Russia, on the one hand, it dropped two positions in the rating (from 8th to 10th), but on the other hand, the percentage of malicious programs targeting the territory of Russia increased in Q1 (from 3.24% in 2014 to 3 36% in the first quarter of 2015).

Statistics Proportion of spam in email traffic

Proportion of spam in email traffic, October 2014 – March 2015

In Q1 2015, the proportion of spam in email traffic was 59.2%, which is 6 percentage points lower than in the previous quarter. The share of spam gradually decreased: the largest amount of spam was sent in January (61.68%) and the smallest in March (56.17%).

Spam sources by country

Countries that were sources of spam, Q1 2015

In the first quarter of 2015 the USA remained the biggest source of spam, sending 14.5% of all unwanted mail. Russia was in second place with 7.27%. Ukraine came third with 5.56% of the world's spam.

Vietnam (4.82%), China (4.51%) and Germany (4.39%) followed the leaders of the rating. India brought up the rear in the Top 10 with 2.83% of all spam distributed worldwide.

Spam email size

Spam email size distribution, Q4 2014 and Q1 2015

The distribution of spam emails by size remained stable. The leaders were very small emails of up to 2 KB (73.99%), which are easy to handle in mass mailings. The proportion of such emails decreased by 3.28 percentage points.

The proportion of emails in the size range of 2 KB — 5 KB increased by 5.4 percentage points, reaching 16.00%, while the percentage of spam in the 5-10 KB range decreased by 2.28 percentage points to 2.20%. The share of emails sized 10-20 KB saw hardly changed from the previous quarter.


In the first quarter of 2015, the Anti-Phishing system was triggered 50,077,057 times on computers of Kaspersky Lab users. This is 1 million times more than in the previous quarter.

For several quarters in a row, the largest percentage of users affected by phishing attacks was in Brazil, although in Q1 of 2015 the number (18.28%) was down by 2.74 percentage points.

Geography of phishing attacks*, Q1 2015

* Number of users on whose computers the Anti-Phishing system was triggered as  a percentage of the total number of Kaspersky Lab users in the country

Top 10 countries by percentage of users attacked:

  Country % of users 1 Brazil 18.28 2 India 17.73 3 China 14.92 4 Kazakhstan 11.68 5 Russia 11.62 6 UAE 11.61 7 Australia 11.18 8 France 10.93 9 Canada 10.66 10 Malaysia 10.40

There was a noticeable increase in the proportion of users attacked in India (+1.8 pp). At the same time, we registered a slight decrease in the number of users attacked in Russia (-0.57 pp), Australia (-2.22 pp) and France (-2.78 pp).

Organisations under attack

The statistics on phishing attack targets are based on the heuristic component of the Anti-Phishing system being triggered. The heuristic component of Anti-Phishing is triggered when the user follows a link to a phishing page information on which is not yet included in Kaspersky Lab databases, regardless of the way in which the page was reached – as a result of clicking on a link in a phishing email, a message on a social network or, for example, as a result of a malicious program’s operation. When the component is triggered, it displays a banner in the browser, warning the user of a possible threat.

Although the share of the “Email and search portals” category in the rating of organizations attacked by phishers diminished considerably in Q3 2014, the category (25.66%) still occupies the top position in the rating in 2015. The share of this category increased by a mere 0.40 percentage points from Q4 2014.

Distribution of organizations affected by phishing attacks, Q1 2015.

In the first quarter of 2015 the share of "Online shops" (9.68%) increased by 2.78 pp. Although the percentage of the "Online games" category (3.40%) rose by 0.54 percentage points, it yielded its place to the “IMS” category (3.92%), which saw its share grow by 1.69 pp.

In Q1 2015, we included a new category, “Delivery companies”, in our rating. Despite the fact that currently the contribution of this category is only 0.23%, it has recently demonstrated a growth (+0.04). In addition, DHL, one of the companies in this category, was among the Top 100 organizations most often attacked by phishers.

Distribution of phishing attacks on delivery companies, Q1 2015

In a number of emails the scammers offer users to purchase goods with delivery provided by a well-known logistics company. If you agree, they require an advance payment for delivery and provide fake invoices with the logo of the relevant delivery company. Having received the money, the fraudsters disappear.

Additionally, phishing messages sent on behalf of logistics firms often contain malicious attachments. Generally, an email includes a delivery notice; to receive the goods the recipients are expected either to open the attachment, which turns out to be malicious, or to go to the website and enter their personal data. The latter method is used to collect valid email addresses and other personal information of users.

Phishing email sent on behalf of FedEx

Phishing page imitating a DHL personal account login page

Phishing page imitating UPS personal account login page

Phishing page imitating FedEx personal account login page

Top 3 organizations attacked

The Top 3 organizations most often attacked by phishers remained the same as in the last quarter of 2014.

  Organization % of phishing links 1 Facebook 10.97 2 Google 8.11 3 Yahoo! 5.21

The top three organizations targeted by phishers are Facebook (+0.63 pp), Google (+1.51 pp) and Yahoo! (5.21%). The percentage of attacks on the latter continues to slowly decrease (-1.37 pp).


The share of spam in email traffic in the first quarter of 2015 was 59.2%, which is 6 percentage points less than in the previous quarter. The percentage of spam gradually declined during the quarter.

Spam traffic in Q1 of 2015 included a large number of mass mailings with Microsoft Word or Excel attachments containing macro viruses. Fraudsters tried to lure users into opening malicious files by disguising them as various documents, including financial. The fake messages often imitated notifications from well-known organizations and services.

In Q1 of 2015 the results of the New gTLD program of registration for new generic top-level domains launched in 2014 became especially noticeable. The new domains are registered daily but not always for legitimate purposes. We expect further growth in the number of new top-level domains used in mass mailings. The increase in the volume of mass mailings sent from new domains which have evident logical connection between the type of goods and services advertised and the domain name is also possible, although this can hardly be considered a trend.

The three leading source countries for spam sent across the world are the USA (14.5%), Russia (7.27%) and Ukraine (5.56%).

In the Q1 2015 the Anti-Phishing system was triggered more than 50 mln times


In the first quarter of 2015 was the malicious program most often distributed via email, according to our ranking. The Upatre downloaders, which are used to download the Trojan banker Dyre/Dyreza, became the most popular malware family of Q1. Britain tops the rating of countries most often targeted by mailshots with 7.85% of all mail antivirus detections.

In Q1 2015, the Anti-Phishing system was triggered on the computers of Kaspersky Lab users 50,077,057 times. The largest percentage of users affected by phishing attacks was in Brazil.

Microsoft Security Updates May 2015

Tue, 05/12/2015 - 19:40

Microsoft released a set of thirteen Security Bulletins (MS015-043 through MS015-055) to start off May 2015, addressing 38 vulnerabilities in a wide set of Microsoft software technologies. Three of these are rated critical for RCE and the rest of the May 2015 Security Bulletins are rated Important. Two of the critical Bulletins (043 and 044) are especially risky and address critical RCE vulnerabilities across all versions of supported Windows platforms.

  • Internet Explorer (MS015-043) critical
  • GDI+ drivers handling fonts (MS015-044) critical
  • Windows Journal (MS015-045) critical
  • Microsoft Office
  • Sharepoint Server
  • Silverlight
  • .NET Framework
  • JScript and VBScript Scripting Engines
  • MMC file format
  • Schannel (Microsoft's network crypto libraries)

Most likely, your Windows systems are running at least a couple of those software packages, and will require a reboot after updating.

This round of IE memory corruption vulnerabilities enable remote code execution across all versions of the browser and supported Windows OS, IE6 - IE11. Even Internet Explorer 11 on Windows 8.1 maintains the flawed code, leading many to anticipate Microsoft's new approach to web browser security in the upcoming Microsoft Edge: Building a safer browser.

Another issue enables RCE in Windows Journal, a note-taking application first written for XP Tablet associated with .jnt files. To disable the app, it seems that you can simply disable the "Tablet PC Options Components" Windows Feature on Vista or Windows 7, but you are without the Control Panel option on Windows 8.x. On Windows 8 and above systems, it looks like you can remove the .jnt file association in the registry, or, you can deny access to journal.exe with a couple of shell commands:

takeown.exe /f "%ProgramFiles%\Windows Journal\Journal.exe"
icacls.exe %ProgramFiles%\Windows Journal\Journal.exe" /deny everyone:(F)

And finally, another couple of font handling GDI+ vulnerabilities are patched, this time in the DirectWrite library handling for both OpenType (cve-2015-1670) and TrueType (cve-2015-1671) fonts. It's 1671 that enables RCE on Windows systems running SilverLight, Lync, Live Meeting, Microsoft Office 2007 and 2010, supported .Net framework versions, and all the supported Windows operating system versions, including Windows 2008 and 2012 R2 Server Core. Depending on your OS, the patches can touch on a set of files, not just win32k.sys driver code:


According to Microsoft, "When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers". Which may be mincing words, because Microsoft's cve-2015-1671 vulnerability acknowledgement listed the Threat Research Manager at FireEye. That disclosure detail may add urgency to updating this vulnerability for some organizations.

How to mitigate 85% of threats with only four strategies

Tue, 05/12/2015 - 07:00

The Australian Signals Directorate Top35 list of mitigation strategies shows us that at least 85% of intrusions could have been mitigated by following the top four mitigation strategies together. These are: application whitelisting, updating applications, updating operating systems and restricting administrative privileges. Kaspersky Lab has technological solutions to cover the first three of these (i.e. all the technology-based strategies) as well as the most of the others from Top35 ASD’s list.

Many respected technology-focused organizations have already developed strategies for coping with targeted attacks. Gartner, for example, has issued guidelines for dealing with social engineering techniques, including keeping pace with an evolving threat landscape through ongoing information security education1. While no ICT infrastructure can ever be 100% secure, there are reasonable steps every organization can take to significantly reduce the risk of a cyber-intrusion.

Among all the available strategies, here at Kaspersky Lab we consider the Australian Signals Directorate (ASD) document to be the best publicly available guidelines from a government organization on how to successfully fight APTs. But we don’t just like this list of strategies; we also want to make sure that Kaspersky Lab technologies cover as many of them as possible. Please check the list below.  Bear in mind, of course, that not all technologies have something in common with security software:

The Australia’s Signals Directorate’s full Mitigation Strategies list comprises 35 points.

This list of mitigation strategies can be roughly divided into four logical types, according to the implementation approach:

Measures Brief description Administrative Training, physical security Networking These measures are easier to  implement at  a network hardware level System administration The OS contains everything needed for implementation Specialized security solutions Specialized security software is applicable

Through comprehensive, detailed analysis of local attacks and threats, ASD has found that at least 85 per cent of the targeted cyber-intrusions it responds to could be mitigated by four basic strategies. Three of them are related to specialized security solutions. Kaspersky Lab products include technological solutions to cover these first three major strategies:

  • Use application whitelisting to help prevent malicious software and unapproved programs from running
  • Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office
  • Patch operating system vulnerabilities
  • Restrict administrative privileges to operating systems and applications, based on user duties2.

In addition, over half of the ASD list could be implemented using our specialized information security solutions. Take a look at the strategies (those related to specialized security solutions) mapped to Kaspersky Lab technologies. We have highlighted the ones that ASD believes account for 85% mitigation:

ASD rank Mitigation strategy, short name Kaspersky Lab technologies 1 Application whitelisting Dynamic whitelisting 2 Patching application vulnerabilities Vulnerability Assessment and Patch Management 3 Patching OS vulnerabilities 5 User application configuration hardening Web control (blocking scripts in web-browsers) , Web Anti-Virus 6 Automated dynamic analysis of email and web content Mail Anti-Virus and Web Anti-Virus, Security for Mail Server, Security for Internet Gateway, DLP for Mail and Collaboration add-ons 7 OS generic exploit mitigation Automatic Exploit Prevention 8 HIDS/HIPS System Watcher and Application Privilege Control 12 Software-based application firewall for incoming traffic Advanced Firewall 13 Software-based application firewall for outgoing traffic Advanced Firewall 15 Computer event logging Kaspersky Security Center 16 Network activity logging Kaspersky Security Center 17 E-mail content filtering Kaspersky Security for Mail Sever 18 Web content filtering Web Control 19 Web domain whitelisting Web Control 20 Block spoofed e-mails Anti-Spam 22 AV software using heuristics and automated Internet-based reputation ratings Anti-Malware 26 Removable and portable media control Device Control 29 Workstation inspection of Microsoft Office files Anti-Malware 30 Signature-based AV software Anti-Malware

ASD Strategies that can be implemented effectively using Kaspersky Lab’s product range.

For more detailed data about ASD strategies please consult the mitigation strategies document in the Securelist encyclopedia: part 1, part 2 and part 3. We hope that this information will be useful for system administrators, CIO/CISOs and researchers fighting targeted cyber intrusions.

1 Gartner: Best Practice for Mitigating Advanced Persistent Threats (document ID G00256438). >>>
2 Australian Signals Directorate, Strategies to Mitigate Targeted Cyber Intrusions >>>