Kaspersky Security Bulletin 2015. Overall statistics for 2015

Tue, 12/15/2015 - 06:46

  1. Top security stories
  2. Evolution of cyber threats in the corporate sector
  3. Overall statistics for 2015
  4. Predictions 2016
The year in figures
  • In 2015, there were 1,966,324 registered notifications about attempted malware infections that aimed to steal money via online access to bank accounts.
  • Ransomware programs were detected on 753,684 computers of unique users; 179,209 computers were targeted by encryption ransomware.
  • Kaspersky Lab’s web antivirus detected 121,262,075 unique malicious objects: scripts, exploits, executable files, etc.
  • Kaspersky Lab solutions repelled 798,113,087 attacks launched from online resources located all over the world.
  • 34.2% of user computers were subjected to at least one web attack over the year.
  • To carry out their attacks, cybercriminals used 6,563,145 unique hosts.
  • 24% of web attacks neutralized by Kaspersky Lab products were carried out using malicious web resources located in the US.
  • Kaspersky Lab’s antivirus solutions detected a total of 4,000,000 unique malicious and potentially unwanted objects.
Vulnerable applications used in cyberattacks

In 2015, we saw the use of new techniques for masking exploits, shellcodes and payloads to make detecting infections and analyzing malicious code more difficult. Specifically, cybercriminals:

The detection of two families of critical vulnerabilities for Android was one of the more remarkable events of the year. Exploiting Stagefright vulnerabilities enabled an attacker to remotely execute arbitrary code on a device by sending a specially crafted MMS to the victim’s number. Exploiting Stagefright 2 pursued the same purpose, but this time using a specially crafted media file.

Exploits for Adobe Flash Player were popular among malware writers in 2015. This can be explained by the fact that a large number of vulnerabilities were identified in the product throughout the year. In addition, cybercriminals used the information about unknown Flash Player vulnerabilities that became public as a result of the Hacking Team data breach.

When new Adobe Flash Player vulnerabilities were discovered, developers of various exploit packs were quick to respond by adding new exploits to their products. Here is the ‘devil’s dozen’ of Adobe Flash Player vulnerabilities that gained popularity among cybercriminals and were added to common exploit packs:

  1. CVE-2015-0310
  2. CVE-2015-0311
  3. CVE-2015-0313
  4. CVE-2015-0336
  5. CVE-2015-0359
  6. CVE-2015-3090
  7. CVE-2015-3104
  8. CVE-2015-3105
  9. CVE-2015-3113
  10. CVE-2015-5119
  11. CVE-2015-5122
  12. CVE-2015-5560
  13. CVE-2015-7645

Some well-known exploit packs have traditionally included an exploit for an Internet Explorer vulnerability (CVE-2015-2419). We also saw a Microsoft Silverlight vulnerability (CVE-2015-1671) used in 2015 to infect users. It is worth noting, however, that this exploit is not popular with the main ‘players’ in the exploit market.

Distribution of exploits used in cyberattacks, by type of application attacked, 2015

Vulnerable applications were ranked based on data on exploits blocked by Kaspersky Lab products, used both for online attacks and to compromise local applications, including those on mobile devices.

Although the share of exploits for Adobe Flash Player in our ranking was only 4%, they are quite common in the wild. When looking at these statistics, it should be kept in mind that Kaspersky Lab technologies detect exploits at different stages. As a result, the Browsers category (62%) also includes the detection of landing pages that serve exploits. According to our observations, exploits for Adobe Flash Player are most commonly served by such pages.

We saw the number of cases which involved the use of Java exploits decrease over the year. In late 2014 their proportion of all the exploits blocked was 45%, but this proportion gradually diminished by 32 p.p. during the year, falling to 13%. Moreover, Java exploits have now been removed from all known exploit packs.

At the same time, the use of Microsoft Office exploits increased from 1% to 4%. Based on our observations, in 2015 these exploits were distributed via mass emailing.

Online threats in the banking sector

These statistics are based on the detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

The annual statistics for 2015 are based on data received between November 2014 and October 2015.

In 2015, Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 1,966,324 computers. This number is 2.8% higher than in 2014 (1,910,520).

The number of users attacked by financial malware, November 2014-October 2015

Number of users attacked by financial malware in 2014 and 2015

In 2015, the number of attacks grew steadily from February till April, with the peak in March-April. Another burst was recorded in June. In 2014, most users were targeted by financial malware in May and June. During the period between June and October in both 2014 and 2015 the number of users attacked fell gradually.

Geography of attacks

In order to evaluate how popular financial malware is among cybercriminals, and the risk of user computers around the world being infected by banking Trojans, we calculate the percentage of Kaspersky Lab users who encountered this type of threat during the reporting period in a given country, relative to all users of our products in that country.

Geography of banking malware attacks in 2015 (users attacked by banking Trojans as a percentage of all users attacked by all types of malware)

TOP 10 countries by percentage of attacked users

Country*                       % attacked users**
 1  Singapore                  11.6
 2  Austria                    10.6
 3  Switzerland                10.6
 4  Australia                  10.1
 5  New Zealand                10.0
 6  Brazil                      9.8
 7  Namibia                     9.3
 8  Hong Kong                   9.0
 9  Republic of South Africa    8.2
10  Lebanon                     6.6

* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
** Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.

Singapore leads this rating. Of all the Kaspersky Lab users attacked by malware in the country, 11.6% were targeted at least once by banking Trojans throughout the year. This reflects the popularity of financial threats in relation to all threats in the country.

5.4% of users attacked in Spain encountered a banking Trojan at least once in 2015. The figure for Italy was 5%; 5.1% in Britain; 3.8% in Germany; 2.9% in France; 3.2% in the US; and 2.5% in Japan.

2% of users attacked in Russia were targeted by banking Trojans.

The TOP 10 banking malware families

The table below shows the Top 10 malware families most commonly used in 2015 to attack online banking users (as a percentage of users attacked):

Name*                                   % users attacked**
 1  Trojan-Downloader.Win32.Upatre      42.36
 2  Trojan-Spy.Win32.Zbot               26.38
 3  Trojan-Banker.Win32.ChePro           9.22
 4  Trojan-Banker.Win32.Shiotob          5.10
 5  Trojan-Banker.Win32.Banbra           3.51
 6  Trojan-Banker.Win32.Caphaw           3.14
 7  Trojan-Banker.AndroidOS.Faketoken    2.76
 8  Trojan-Banker.AndroidOS.Marcher      2.41
 9  Trojan-Banker.Win32.Tinba            2.05
10  Trojan-Banker.JS.Agent               1.88

* These statistics are based on the detection verdicts returned by Kaspersky Lab’s products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malicious program, as a percentage of all unique users targeted by financial malware attacks.

The majority of the Top 10 malicious programs work by injecting arbitrary HTML code into the web page displayed by the browser and intercepting any payment data the user enters into the original or injected web forms.

The Trojan-Downloader.Win32.Upatre family of malicious programs remained at the top of the ranking throughout the year. The malware is no larger than 3.5 KB in size, and is limited to downloading the payload to the victim computer, most typically a banker Trojan from the Dyre/Dyzap/Dyreza family whose main aim is to steal the user’s payment details. Dyre does this by intercepting the data from a banking session between the victim’s browser and the online banking web app, in other words, by using a Man-in-the-Browser (MITB) technique. This malicious program is spread via specially created emails with an attachment containing a document with the downloader. In the summer of 2015, however, Trojan-Downloader.Win32.Upatre was spotted on compromised home routers, which is a testimony to how cybercriminals make use of this multi-purpose malware.

Yet another permanent resident of this ranking is Trojan-Spy.Win32.Zbot (in second place) which consistently occupies one of the leading positions. The Trojans of the Zbot family were among the first to use web injections to compromise the payment details of online banking users and to modify the contents of banking web pages. They encrypt their configuration files at several levels; the decrypted configuration file is never stored in the memory in its entirety, but is instead loaded in parts.

Representatives of the Trojan-Banker.Win32.ChePro family were first detected in October 2012. At that time, these banking Trojans were mostly aimed at users in Brazil, Portugal and Russia. Now they are used to attack users worldwide. Most programs of this type are downloaders which need other files to successfully infect the system. Generally, these are banking malware components that allow the fraudsters to take screenshots, intercept keystrokes and read the contents of the clipboard, i.e. functionality that lets a malicious program be used for attacks on almost any online banking system.

Of particular interest is the fact that two families of mobile banking Trojans are present in this ranking: Faketoken and Marcher. The malicious programs belonging to the latter family steal payment details from Android devices.

The representatives of the Trojan-Banker.AndroidOS.Faketoken family work in partnership with computer Trojans. To distribute this malware, cybercriminals use social engineering techniques. When a user visits his online banking account, the Trojan modifies the page, asking him to download an Android application which is allegedly required to securely confirm the transaction. In fact the link leads to the Faketoken application. Once Faketoken is on the user’s smartphone, the cybercriminals gain access to the user’s banking account via the computer infected with the banking Trojan and the compromised mobile device allows them to intercept the one-time confirmation code (mTAN).

The second family of mobile banking Trojans is Trojan-Banker.AndroidOS.Marcher. After infecting a device, the malware watches for the launch of just two apps: the mobile banking client of a European bank and Google Play. If the user starts Google Play, Marcher displays a fake window requesting credit card details, which are then sent to the fraudsters. The same method is used by the Trojan if the user starts the banking application.

Tenth place in the 2015 ranking was occupied by the Trojan-Banker.JS.Agent family. This is the malicious JavaScript code that results from an injection into an online banking page. The aim of this code is to intercept payment details that the user enters into online banking forms.

2015 – an interesting year for ransomware

The Trojan-Ransom class represents malware intended for the unauthorized modification of user data that renders a computer inoperable (for example, encryptors), or for blocking the normal operation of a computer. In order to decrypt files and unblock a computer the malware owners usually demand a ransom from the victims.

Since its emergence with CryptoLocker in 2013, ransomware has come a long way. For example, in 2014 we spotted the first version of ransomware for Android. Just a year later, 17% of the infections we saw were on Android devices.

2015 also saw the first ransomware for Linux, which can be found in the Trojan-Ransom.Linux class. On the positive side, the malware authors made a small implementation error, which makes it possible to decrypt the files without paying a ransom.

Unfortunately, these implementation errors are occurring less and less. This prompted the FBI to state: “The ransomware is that good… To be honest, we often advise people just to pay the ransom”. That this is not always a good idea was also shown this year, when the Dutch police were able to apprehend two suspects behind the CoinVault malware. A little later we received all 14,000 encryption keys, which we added to a new decryption tool. All the CoinVault victims were then able to decrypt their files for free.

2015 was also the year that marked the birth of TeslaCrypt. TeslaCrypt has a history of using graphical interfaces from other ransomware families. Initially it was CryptoLocker, but this later changed to CryptoWall. This time they copied the HTML page in full from CryptoWall 3.0, only changing the URLs.

Number of users attacked

The following graph shows the rise in users with detected Trojan-Ransom within the last year:

Number of users attacked by Trojan-Ransom malware (Q4 2014 – Q3 2015)

Overall in 2015, Trojan-Ransom was detected on 753,684 computers. Ransomware is thus becoming more and more of a problem.

TOP 10 Trojan-Ransom families

The Top 10 most prevalent ransomware families are represented here. The list consists of browser-based extortion or blocker families and some notorious encryptors. So-called Windows blockers that restrict access to a system (for example, the Trojan-Ransom.Win32.Blocker family) and demand a ransom were very popular a few years ago – starting off in Russia then moving west – but are not as widespread anymore and are not represented in the Top 10.

Name*                                Users percentage**
 1  Trojan-Ransom.HTML.Agent           38.0
 2  Trojan-Ransom.JS.Blocker           20.7
 3  Trojan-Ransom.JS.InstallExtension   8.0
 4  Trojan-Ransom.NSIS.Onion            5.8
 5  Trojan-Ransom.Win32.Cryakl          4.3
 6  Trojan-Ransom.Win32.Cryptodef       3.1
 7  Trojan-Ransom.Win32.Snocry          3.0
 8  Trojan-Ransom.BAT.Scatter           3.0
 9  Trojan-Ransom.Win32.Crypmod         1.8
10  Trojan-Ransom.Win32.Shade           1.8

*These statistics are based on the detection verdicts returned by Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Percentage of users attacked by a Trojan-Ransom family relative to all users attacked with Trojan-Ransom malware.

First place is occupied by Trojan-Ransom.HTML.Agent (38%) with the Trojan-Ransom.JS.Blocker family (20.7%) in second. They represent browser-blocking web pages with various unwanted content usually containing the extortion message (for example, a “warning” from a law enforcement agency) or containing JavaScript code that blocks the browser along with a message.

In third place is Trojan-Ransom.JS.InstallExtension (8%), a browser-blocking web page that imposes a Chrome extension installation on the user. When attempting to close the page a voice mp3 file is often played: “In order to close the page, press the ‘Add’ button”. The extensions involved are not harmful, but the offer is very obtrusive and difficult for the user to reject. This kind of extension propagation is used by a partnership program. These three families are particularly prevalent in Russia and almost as prevalent in some post-Soviet countries.

When we look at where ransomware is most prevalent (not just the three families mentioned above), we see that the top three consists of Kazakhstan, Russia and Ukraine.

Cryakl became relatively active in Q3 2015, when we saw peaks of up to 2300 attempted infections a day. An interesting aspect of Cryakl is its encryption scheme. Rather than encrypting the whole file, Cryakl encrypts the first 29 bytes plus three other blocks located randomly in the file. This is done to evade behavioral detection, while encrypting the first 29 bytes destroys the header.

Cryptodef is the infamous Cryptowall ransomware. In contrast to the other families discussed here, Cryptowall is found most often in the US. In fact, there are three times as many infections in the US as there are in Russia. Cryptowall is spread through spam emails, where the user receives a zipped JavaScript. Once executed, the JavaScript downloads Cryptowall and it starts encrypting files. A change in the ransom message is also observed: victims are now congratulated by the malware authors on “becoming part of the large Cryptowall community”.

Encryptors can be implemented not only as executables but also using simple scripting languages, as in the case of the Trojan-Ransom.BAT.Scatter family. The Scatter family appeared in 2014 and quickly evolved, acquiring Email-Worm and Trojan-PSW functionality. Encryption makes use of two pairs of asymmetric keys, making it possible to encrypt the user’s files without revealing their private key. It employs renamed legitimate utilities to encrypt files.

The Trojan-Ransom.Win32.Shade encryptor, which is also very prevalent in Russia, is able to request a list from the C&C server containing the URLs of additional malware. It then downloads that malware and installs it in the system. All its C&C servers are located in the Tor network. Shade is also suspected of propagating via a partnership program.

TOP 10 countries attacked by Trojan-Ransom malware

Country*                 % of users attacked by Trojan-Ransom**
 1  Kazakhstan           5.47
 2  Ukraine              3.75
 3  Russian Federation   3.72
 4  Netherlands          1.26
 5  Belgium              1.08
 6  Belarus              0.94
 7  Kyrgyzstan           0.76
 8  Uzbekistan           0.69
 9  Tajikistan           0.69
10  Italy                0.57

* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
**Unique users whose computers have been targeted by Trojan-Ransom as a percentage of all unique users of Kaspersky Lab products in the country.


Even if today’s encryptors are not as popular among cybercriminals as blockers were, they inflict more damage on users. So it’s worth investigating them separately.

The number of new Trojan-Ransom encryptors

The following graph represents the rise of newly created encryptor modifications per year.

Number of Trojan-Ransom encryptor modifications in Kaspersky Lab’s Virus Collection (2013 – 2015)

The overall number of encryptor modifications in our Virus Collection to date is at least 11,000. Ten new encryptor families were created in 2015.

The number of users attacked by encryptors

Number of users attacked by Trojan-Ransom encryptor malware (2012 – 2015)

In 2015, 179,209 unique users were attacked by encryptors. About 20% of those attacked were in the corporate sector.

It is important to keep in mind that the real number of incidents is several times higher: the statistics reflect only the results of signature-based and heuristic detections, while in most cases Kaspersky Lab products detect encryption Trojans based on behavior recognition models.

Top 10 countries attacked by encryptors

Country*                 % of users attacked by encryptors**
 1  Netherlands          1.06
 2  Belgium              1.00
 3  Russian Federation   0.65
 4  Brazil               0.44
 5  Kazakhstan           0.42
 6  Italy                0.36
 7  Latvia               0.34
 8  Turkey               0.31
 9  Ukraine              0.31
10  Austria              0.30

* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
**Unique users whose computers have been targeted by Trojan-Ransom encryptor malware as a percentage of all unique users of Kaspersky Lab products in the country.

First place is occupied by the Netherlands. The most widespread encryptor family is CTB-Locker (Trojan-Ransom.Win32/NSIS.Onion). In 2015 an affiliate program utilizing CTB-Locker was launched and new languages were added including Dutch. Users are mainly infected by emails with malicious attachments. It appears there may be a native Dutch speaker involved in the infection campaign, as the emails are written in relatively good Dutch.

A similar situation exists in Belgium: CTB-Locker is the most widespread encryptor there, too.

In Russia, Trojan-Ransom.Win32.Cryakl tops the list of encryptors targeting users.

Online threats (Web-based attacks)

The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are deliberately created by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.

The TOP 20 malicious objects detected online

Throughout 2015, Kaspersky Lab’s web antivirus detected 121,262,075 unique malicious objects: scripts, exploits, executable files, etc.

We identified the 20 malicious programs most actively involved in online attacks launched against computers in 2015. As in the previous year, advertising programs and their components occupy 12 positions in that Top 20. During the year, advertising programs and their components were registered on 26.1% of all user computers where our web antivirus is installed. The increase in the number of advertising programs, their aggressive distribution methods and their efforts to counteract anti-virus detection, continue the trend of 2014.

Although aggressive advertising does annoy users, it does not harm computers. That is why we have compiled another rating of exclusively malicious objects detected online that does not include the Adware or Riskware classes of program. These 20 programs accounted for 96.6% of all online attacks.

Name*                                     % of all attacks**
 1  Malicious URL                         75.76
 2  Trojan.Script.Generic                  8.19
 3  Trojan.Script.Iframer                  8.08
 4  Trojan.Win32.Generic                   1.01
 5  Exploit.Script.Blocker                 0.79
 6  Trojan-Downloader.Win32.Generic        0.69
 7  Trojan-Downloader.Script.Generic       0.36
 8                                         0.31
 9  Trojan-Ransom.JS.Blocker.a             0.19
10  Trojan-Clicker.JS.Agent.pq             0.14
11  Trojan-Downloader.JS.Iframe.diq        0.13
12  Trojan.JS.Iframe.ajh                   0.12
13  Exploit.Script.Generic                 0.10
14  Packed.Multi.MultiPacked.gen           0.09
15  Exploit.Script.Blocker.u               0.09
16  Trojan.Script.Iframer.a                0.09
17  Trojan-Clicker.HTML.Iframe.ev          0.09
18  Hoax.HTML.ExtInstall.a                 0.06
19  Trojan-Downloader.JS.Agent.hbs         0.06
20  Trojan-Downloader.Win32.Genome.qhcr    0.05

* These statistics represent detection verdicts from the web antivirus module. Information was provided by users of Kaspersky Lab products who consented to share their local data.
** The percentage of all malware web attacks recorded on the computers of unique users.

As is often the case, the TOP 20 is largely made up of objects used in drive-by attacks. They are heuristically detected as Trojan.Script.Generic, Exploit.Script.Blocker, Trojan-Downloader.Script.Generic, etc. These objects occupy seven positions in the ranking.

Malicious URL in first place is the verdict identifying links from our black list (links to web pages containing redirects to exploits, sites with exploits and other malicious programs, botnet control centers, extortion websites, etc.).

The verdict (8th place) is assigned to a script that cybercriminals place on infected web resources. It redirects users to other websites, such as those of online casinos. The fact that this verdict is included in the rating should serve as a reminder to web administrators of how easily their sites can be infected automatically by programs – even those that are not very complex.

The Trojan-Ransom.JS.Blocker.a verdict (9th place) is a script that tries to block the browser by means of a cyclic update of the page, and displays a message stating that a “fine” needs to be paid for viewing inappropriate materials. The user is told to transfer the money to a specified digital wallet. This script is mostly found on pornographic sites and is detected in Russia and CIS countries.

The script with the Trojan-Downloader.JS.Iframe.djq verdict (11th place) is found on infected sites running under WordPress, Joomla and Drupal. The campaign launched to infect sites with this script began on a massive scale in August 2015. First, it sends information about the header of the infected page, the current domain, and the address from which the user landed on the page with the script to the fraudsters’ server. Then, by using iframe, another script is downloaded in the user’s browser. It collects information about the system on the user’s computer, the time zone and the availability of Adobe Flash Player. After this and a series of redirects, the user ends up on sites that prompt him to install an update for Adobe Flash Player that is actually adware, or to install browser plugins.

The TOP 10 countries where online resources are seeded with malware

The following statistics are based on the physical location of the online resources that were used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. The statistics do not include sources used for distributing advertising programs or hosts linked to advertising program activity.

In order to determine the geographical source of web-based attacks, domain names are matched up against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.
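The attribution procedure just described (host name, then IP address, then the country that address belongs to, then counts per country) is easy to get wrong when a host moves between addresses, so the IP recorded at detection time has to be the one looked up. The example below is an added illustration, not Kaspersky Lab's code, of that pipeline: a constructed DNS snapshot stands in for the resolution step, a small table of documentation prefixes stands in for a GeoIP database, and blocked-attack counts are aggregated per country and turned into shares like those in the distribution above. Hosts, addresses, ranges and counts are all constructed.

```python
"""Attributing blocked web attacks to a country by host -> IP -> GeoIP.

Added example (not Kaspersky Lab's code). The DNS snapshot, the range table
and the attack counts are constructed; a real deployment would use the IP
captured at detection time and a proper GeoIP database.
"""
import ipaddress
from collections import Counter

# Constructed GeoIP stand-in: (network, country code), using documentation
# prefixes. Longest matching prefix wins, as in a real GeoIP lookup.
GEO_RANGES = [
    (ipaddress.ip_network("192.0.2.0/24"), "AA"),
    (ipaddress.ip_network("198.51.100.0/24"), "BB"),
    (ipaddress.ip_network("203.0.113.0/24"), "CC"),
    (ipaddress.ip_network("203.0.113.128/25"), "DD"),  # more specific than CC
]

# Constructed DNS snapshot: the address each host resolved to when blocked.
DNS_SNAPSHOT = {
    "landing.example": "192.0.2.10",
    "cdn-exploit.example": "192.0.2.77",
    "c2.example.net": "198.51.100.5",
    "redirect.example.org": "203.0.113.200",
}


def ip_to_country(ip: str):
    """Longest-prefix match of an address against the range table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in GEO_RANGES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def host_to_country(host: str, dns=DNS_SNAPSHOT):
    """Resolve via the recorded snapshot, then geolocate; None if unknown."""
    ip = dns.get(host)
    return ip_to_country(ip) if ip else None


def attack_distribution(blocked, dns=DNS_SNAPSHOT):
    """blocked: iterable of (host, attacks_blocked_from_that_host).

    Returns (attacks per country, share of all attacks in percent, number of
    unique hosts). One host can be the source of many attacks, which is why
    attacks and hosts are counted separately, as the report does.
    """
    per_country = Counter()
    hosts = set()
    for host, n in blocked:
        hosts.add(host)
        per_country[host_to_country(host, dns) or "unknown"] += n
    total = sum(per_country.values())
    shares = ({cc: round(100.0 * n / total, 2) for cc, n in per_country.items()}
              if total else {})
    return per_country, shares, len(hosts)


# Constructed block log: (host, number of attacks blocked from it).
SAMPLE_BLOCKS = [
    ("landing.example", 60),
    ("cdn-exploit.example", 20),
    ("c2.example.net", 10),
    ("redirect.example.org", 10),
]

if __name__ == "__main__":
    counts, shares, n_hosts = attack_distribution(SAMPLE_BLOCKS)
    print(f"{n_hosts} unique hosts")
    for cc, share in sorted(shares.items(), key=lambda kv: -kv[1]):
        print(f"{cc}: {counts[cc]} attacks ({share}%)")
```

The `unknown` bucket is deliberate: a host whose address was not recorded at detection time should not be attributed by a later lookup, because hosting used for attacks is often short-lived and may have been re-assigned by the time the statistics are compiled.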

In 2015, Kaspersky Lab solutions blocked 798,113,087 attacks launched from web resources located in various countries around the world. To carry out their attacks, the fraudsters used 6,563,145 unique hosts.

80% of notifications about attacks blocked by antivirus components were received from online resources located in 10 countries.

The distribution of online resources seeded with malicious programs in 2015

The top four countries where online resources are seeded with malware remained unchanged from the previous year. France moved up from 7th to 5th place (5.07%) while Ukraine dropped from 5th to 7th position (4.16%). Canada and Vietnam left the Top 20. This year’s newcomers, China and Sweden, were in 9th and 10th places respectively.

This rating demonstrates that cybercriminals prefer to operate and use hosting services in different countries where the hosting market is well-developed.

Countries where users face the greatest risk of online infection

In order to assess the countries in which users most often face cyber threats, we calculated how often Kaspersky Lab users encountered detection verdicts on their machines in each country. The resulting data characterizes the risk of infection that computers are exposed to in different countries across the globe, providing an indicator of the aggressiveness of the environment facing computers in different parts of the world.

The TOP 20 countries where users face the greatest risk of online infection

Country*           % of unique users**
 1  Russia         48.90
 2  Kazakhstan     46.27
 3  Azerbaijan     43.23
 4  Ukraine        40.40
 5  Vietnam        39.55
 6  Mongolia       38.27
 7  Belarus        37.91
 8  Armenia        36.63
 9  Algeria        35.64
10  Qatar          35.55
11  Latvia         34.20
12  Nepal          33.94
13  Brazil         33.66
14  Kyrgyzstan     33.37
15  Moldova        33.28
16  China          33.12
17  Thailand       32.92
18  Lithuania      32.80
19  UAE            32.58
20  Portugal       32.31

These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
** Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In 2015, the top three saw no change from the previous year. Russia remained in first place although the percentage of unique users in the country decreased by 4.9 p.p.

Germany, Tajikistan, Georgia, Saudi Arabia, Austria, Sri Lanka and Turkey left the Top 20. Among the newcomers are Latvia, Nepal, Brazil, China, Thailand, the United Arab Emirates and Portugal.

The countries can be divided into three groups that reflect the different levels of infection risk.

  1. The high risk group (over 41%)
    In 2015, this group includes the first three countries from the Top 20 – Russia, Kazakhstan and Azerbaijan.

  2. The medium risk group (21-40.9%)
    This group includes 109 countries; among them are France (32.1%), Germany (32.0%), India (31.6%), Spain (31.4%), Turkey (31.0%), Greece (30.3%), Canada (30.2%), Italy (29.4%), Switzerland (28.6%), Australia (28.0%), Bulgaria (27.0%), USA (26.4%), Georgia (26.2%), Israel (25.8%), Mexico (24.3%), Egypt (23.9%), Romania (23.4%), UK (22.4%), Czech Republic (22.0%), Ireland (21.6%), and Japan (21.1%).

  3. The low risk group (0-20.9%)
    The 52 countries with the safest online surfing environments include Kenya (20.8%), Hungary (20.7%), Malta (19.4%), the Netherlands (18.7%), Norway (18.3%), Argentina (18.3%), Singapore (18.2%), Sweden (18%), South Korea (17.2%), Finland (16.5%), and Denmark (15.2%).
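The per-country risk figure used throughout this section (and, with a different denominator, in the banking-Trojan geography above) is a ratio of unique users with at least one verdict to all unique users in the country, with small countries excluded and the result banded by the thresholds just listed. The following is an added example, not Kaspersky Lab's code, that carries that computation through on constructed telemetry records; the record layout, the country codes and the user counts are assumptions made for the illustration, while the 10,000-user floor and the three band boundaries are the ones the report states.

```python
"""Per-country infection risk and risk banding from per-user telemetry.

Added example (not Kaspersky Lab's code). A record is (country, user_id,
verdict_count); a user counts as attacked once regardless of how many
verdicts were raised. Countries with fewer than 10,000 users are excluded
and the percentages are banded into the report's three risk groups.
"""
from collections import defaultdict

MIN_USERS = 10_000       # exclusion floor stated in the report

# Band boundaries in percent, as given in the report.
HIGH_RISK_MIN = 41.0     # high: over 41%
MEDIUM_RISK_MIN = 21.0   # medium: 21-40.9%; low: 0-20.9%


def risk_group(pct: float) -> str:
    """Map a percentage of attacked users to one of the three risk groups."""
    if pct >= HIGH_RISK_MIN:
        return "high"
    if pct >= MEDIUM_RISK_MIN:
        return "medium"
    return "low"


def attacked_share(records, min_users=MIN_USERS):
    """Return {country: percent of unique users with at least one verdict}.

    Countries with fewer than min_users unique users are left out, since a
    percentage over a tiny population says little about the environment.
    """
    users = defaultdict(set)
    attacked = defaultdict(set)
    for country, user_id, verdict_count in records:
        users[country].add(user_id)
        if verdict_count > 0:
            attacked[country].add(user_id)
    result = {}
    for country, ids in users.items():
        if len(ids) < min_users:
            continue
        result[country] = round(100.0 * len(attacked[country]) / len(ids), 2)
    return result


def band_countries(records, min_users=MIN_USERS):
    """Return {country: (percentage, risk group)} after exclusion."""
    return {c: (p, risk_group(p))
            for c, p in attacked_share(records, min_users).items()}


def synthetic_records(country, n_users, n_attacked):
    """Constructed telemetry: n_users unique users, the first n_attacked of
    them with one verdict each. Stands in for real per-user data."""
    return [(country, f"{country}-{i}", 1 if i < n_attacked else 0)
            for i in range(n_users)]


if __name__ == "__main__":
    # Four constructed countries: one per band plus one below the floor.
    recs = (synthetic_records("AA", 10_000, 4_890)
            + synthetic_records("BB", 10_000, 2_100)
            + synthetic_records("CC", 9_999, 9_000)
            + synthetic_records("DD", 10_000, 2_090))
    for country, (pct, group) in sorted(band_countries(recs).items()):
        print(f"{country}: {pct}% -> {group}")
```

Note that the denominator is all users of the product in the country, so the result measures the aggressiveness of the environment rather than the detection rate; the banking table earlier in the report instead divides by users attacked by any malware, which is why its figures are on a different scale.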

In 2015, 34.2% of computers were attacked at least once while their owners were online.

On average, the risk of being infected while surfing the Internet decreased by 4.1 p.p. over the year. This could be due to several factors:

  • Firstly, developers of browsers and search engines realized the necessity of securing their users and started to contribute to the fight against malicious sites.
  • Secondly, users are using more and more mobile devices and tablets to surf the Internet.
  • Thirdly, many exploit packs have started to check if Kaspersky Lab’s product is installed on the user’s computer. If it is, the exploits do not even try to attack the computer.
Local threats

Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.). In addition, these statistics include objects detected on user computers after the first scan of the system by Kaspersky Lab’s file antivirus.

This section contains an analysis of the statistical data obtained based on antivirus scans of files on the hard drive at the moment they are created or accessed, and the results of scanning various removable data storages.

In 2015, Kaspersky Lab’s antivirus solutions detected 4 million unique malicious and potentially unwanted objects, a twofold increase from the previous year.

The TOP 20 malicious objects detected on user computers

For this rating we identified the 20 most frequently detected threats on user computers in 2015. This rating does not include the Adware and Riskware classes of program.

Name*                                   % of unique attacked users**
 1  DangerousObject.Multi.Generic       39.70
 2  Trojan.Win32.Generic                27.30
 3  Trojan.WinLNK.StartPage.gena        17.19
 4  Trojan.Win32.AutoRun.gen             6.29
 5  Virus.Win32.Sality.gen               5.53
 6  Worm.VBS.Dinihou.r                   5.40
 7  Trojan.Script.Generic                5.01
 8  DangerousPattern.Multi.Generic       4.93
 9  Trojan-Downloader.Win32.Generic      4.36
10  Trojan.WinLNK.Agent.ew               3.42
11  Worm.Win32.Debris.a                  3.24
12  Trojan.VBS.Agent.ue                  2.79
13  Trojan.Win32.Autoit.cfo              2.61
14  Virus.Win32.Nimnul.a                 2.37
15  Worm.Script.Generic                  2.23
16  Trojan.Win32.Starter.lgb             2.04
17  Worm.Win32.Autoit.aiy                1.97
18  Worm.Win32.Generic                   1.94
19  HiddenObject.Multi.Generic           1.66
20  Trojan-Dropper.VBS.Agent.bp          1.55

These statistics are compiled from malware detection verdicts generated by the on-access and on-demand scanner modules on the computers of those users running Kaspersky Lab products who consented to submit their statistical data.

* Malware detection verdicts generated by the on-access and on-demand scanner modules on the computers of those users running Kaspersky Lab products who consented to submit their statistical data.
** The proportion of individual users on whose computers the antivirus module detected these objects as a percentage of all individual users of Kaspersky Lab products on whose computers a malicious program was detected.

The DangerousObject.Multi.Generic verdict, which is used for malware detected with the help of cloud technologies, is in 1st place (39.7%). Cloud technologies work when the antivirus databases do not yet contain either signatures or heuristics to detect a malicious program but the company’s cloud antivirus database already has information about the object. In fact, this is how the very latest malware is detected.

The proportion of viruses continues to decrease: for example, last year Virus.Win32.Sality.gen affected 6.69% of users while in 2015 – only 5.53%. For Virus.Win32.Nimnul these figures are 2.8% in 2014 and 2.37% in 2015. The Trojan-Dropper.VBS.Agent.bp verdict, which is 20th in the rating, is a VBS script that extracts Virus.Win32.Nimnul from itself and saves it to disk.

In addition to heuristic verdicts and viruses the Top 20 includes verdicts for worms spread on removable media and their components. Their presence in this rating is due to the nature of their distribution and creation of multiple copies. A worm can continue to self-proliferate for a long time even if its management servers are no longer active.
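The paragraph above explains why removable-media worms persist in the rating: a worm that copies itself to a flash drive together with an autorun.inf keeps spreading long after its servers are gone. The following is an added defender-side example, not code from the report or from Kaspersky Lab: a small triage check that parses an autorun.inf and reports the traits that distinguish a worm-dropped file (an executing entry pointing into a folder that mimics a system folder, an AutoPlay label that impersonates Explorer, a stock folder icon) from vendor install media. The two autorun.inf samples, the folder and file names, and the SID-like path are constructed for the example. Current Windows versions no longer honour autorun.inf on flash drives, which is why later worms in the same rating moved to LNK files, but the file is still a reliable artifact of an infected drive.

```python
"""Added example (not part of the Kaspersky report): triage of autorun.inf
files that removable-media worms (the Trojan.Win32.AutoRun.gen verdict in
the rating above) drop on flash drives. All samples are constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Extensions whose presence in an executing autorun entry means code runs as
# soon as a legacy AutoRun-enabled Windows opens the drive.
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js")

# Folder names worms use for their copy because they look like system folders.
HIDING_FOLDERS = ("recycler", "recycled", "system volume information", "$recycle.bin")


@dataclass
class Finding:
    key: str      # autorun.inf key that triggered the finding
    value: str    # its value, as found in the file
    reason: str   # why a defender should care


def parse_autorun(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: {section: {key: value}}, names lower-cased.

    Hand-rolled instead of configparser so malformed lines, common in
    hand-crafted autorun.inf files, are skipped rather than raising."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip().strip('"')
    return sections


def _is_exec_key(key: str) -> bool:
    # open= and shellexecute= run on insertion; shell\<verb>\command= runs
    # when the user picks that verb, which worms relabel as "Open"/"Explore".
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))


def assess_autorun(text: str) -> List[Finding]:
    """Return the suspicious traits of an autorun.inf; an empty list is clean."""
    findings: List[Finding] = []
    autorun = parse_autorun(text).get("autorun", {})
    for key, value in autorun.items():
        parts = value.split()
        target = parts[0].lower() if parts else ""
        if _is_exec_key(key):
            if target.endswith(EXEC_EXTENSIONS):
                findings.append(Finding(key, value, "launches an executable from the drive"))
            if any(folder in target for folder in HIDING_FOLDERS):
                findings.append(Finding(key, value, "target sits in a folder that mimics a system folder"))
        elif key == "action" and "open folder" in value.lower():
            # The AutoPlay entry is made to read like Explorer's own option.
            findings.append(Finding(key, value, "AutoPlay text impersonates 'Open folder to view files'"))
        elif key == "icon" and "shell32.dll" in value.lower():
            # A stock shell32 icon makes the drive root look like a plain folder.
            findings.append(Finding(key, value, "icon borrowed from shell32.dll to look like a folder"))
    return findings


# Constructed samples; the SID-like folder name is a placeholder, not a real SID.
WORM_STYLE_AUTORUN = """[autorun]
open=RECYCLER\\S-1-5-21-EXAMPLE-1013\\update.exe
shell\\open\\command=RECYCLER\\S-1-5-21-EXAMPLE-1013\\update.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

INSTALLER_STYLE_AUTORUN = """[autorun]
open=setup.exe
icon=setup.ico
label=Vendor Install Media
"""

if __name__ == "__main__":
    for name, sample in (("worm-style", WORM_STYLE_AUTORUN),
                         ("installer", INSTALLER_STYLE_AUTORUN)):
        print(name, [(f.key, f.reason) for f in assess_autorun(sample)])
```

The installer sample still produces one finding (it launches an executable), which is the right outcome for a default-deny stance: the executing entry alone is not proof of infection, but the combination of a hidden-folder target, an impersonated AutoPlay label and a borrowed folder icon is what separates the worm sample from legitimate media.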

Countries where users face the highest risk of local infection

For each country we calculated the number of file antivirus detections the users faced during the year. The data includes detected objects located on user computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives. This statistic reflects the level of infected personal computers in different countries around the world.

The TOP 20 countries by the level of infection

Rank  Country*      % of unique users**
1     Vietnam       70.83
2     Bangladesh    69.55
3     Russia        68.81
4     Mongolia      66.30
5     Armenia       65.61
6     Somalia       65.22
7     Georgia       65.20
8     Nepal         65.10
9     Yemen         64.65
10    Kazakhstan    63.71
11    Iraq          63.37
12    Iran          63.14
13    Laos          62.75
14    Algeria       62.68
15    Cambodia      61.66
16    Rwanda        61.37
17    Pakistan      61.36
18    Syria         61.00
19    Palestine     60.95
20    Ukraine       60.78

These statistics are based on the detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

* When calculating, we excluded countries where there are fewer than 10,000 Kaspersky Lab users.
** The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.

For the third year in a row Vietnam topped the rating. Mongolia and Bangladesh swapped places – Bangladesh climbed from 4th to 2nd, while Mongolia moved from 2nd to 4th. Russia, which was not in last year’s Top 20, came third in 2015.

India, Afghanistan, Egypt, Saudi Arabia, Sudan, Sri Lanka, Myanmar, and Turkey all left the Top 20. The newcomers were Russia, Armenia, Somalia, Georgia, Iran, Rwanda, the Palestinian territories, and Ukraine.

In the Top 20 countries at least one malicious object was found on an average of 67.7% of computers, hard drives or removable media belonging to KSN users. In 2014 the figure was 58.7%.

The countries can be divided into several risk categories reflecting the level of local threats.

  1. Maximum risk (over 60%): 22 countries, including Kyrgyzstan (60.77%) and Afghanistan (60.54%).

  2. High risk (41-60%): 98 countries including India (59.7%), Egypt (57.3%), Belarus (56.7%), Turkey (56.2%), Brazil (53.9%), China (53.4%), UAE (52.7%), Serbia (50.1%), Bulgaria (47.7%), Argentina (47.4%), Israel (47.3%), Latvia (45.9%), Spain (44.6%), Poland (44.3%), Germany (44%), Greece (42.8%), France (42.6%), Korea (41.7%), Austria (41.7%).

  3. Moderate local infection rate (21-40.99%): 45 countries including Romania (40%), Italy (39.3%), Canada (39.2%), Australia (38.5%), Hungary (38.2%), Switzerland (37.2%), USA (36.7%), UK (34.7%), Ireland (32.7%), Netherlands (32.1%), Czech Republic (31.5%), Singapore (31.4%), Norway (30.5%), Finland (27.4%), Sweden (27.4%), Denmark (25.8%), Japan (25.6%).

The 10 safest countries were:

Rank  Country          % of unique users*
1     Cuba             20.8
2     Seychelles       25.3
3     Japan            25.6
4     Denmark          25.8
5     Sweden           27.4
6     Finland          27.4
7     Andorra          28.7
8     Norway           30.5
9     Singapore        31.4
10    Czech Republic   31.5

* The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.

The appearance of Andorra, replacing Martinique, was the only change to this rating in 2015 compared to the previous year.

On average, 26.9% of user computers were attacked at least once during the year in the 10 safest countries. This is an increase of 3.9 p.p. compared to 2014.


Based on analysis of the statistics, we can highlight the main trends in cybercriminal activity:

  • Some of those involved in cybercrime are looking to minimize the risk of criminal prosecution and switching from malware attacks to the aggressive distribution of adware.
  • The proportion of relatively simple programs used in mass attacks is growing. This approach allows the attackers to quickly update malware which enhances the effectiveness of attacks.
  • Attackers have mastered non-Windows platforms – Android and Linux: almost all types of malicious programs are created and used for these platforms.
  • Cybercriminals are making active use of Tor anonymization technology to hide command servers, and Bitcoins for making transactions.

An increasing proportion of antivirus detections fall into a ‘gray zone’. This applies primarily to a variety of advertising programs and their modules. In our 2015 ranking of web-based threats, the representatives of this class of program occupy 12 places in the Top 20. During the year, advertising programs and their components were registered on 26.1% of all user computers where our web antivirus is installed. The growth in the volume of advertising programs, along with their aggressive distribution methods and attempts to counteract anti-virus detection, continues the trend of 2014. Spreading adware earns good money, and in the pursuit of profit the authors sometimes use the tricks and technologies typical of malicious programs.

In 2015, virus writers demonstrated a particular interest in exploits for Adobe Flash Player. According to our observations, landing pages with exploits are often downloaded by exploits for Adobe Flash Player. There are two factors at play here: firstly, a large number of vulnerabilities were detected in the product over the year; secondly, as a result of a data leak by Hacking Team, information about previously unknown vulnerabilities in Flash Player were made public, and attackers wasted no time in taking advantage.

The banking Trojan sphere witnessed an interesting development in 2015. The numerous modifications of ZeuS, which had continuously topped the ranking of the most commonly used malware families for several years, were dethroned by Trojan-Banker.Win32.Dyreza. Throughout the year, the rating for malicious programs designed to steal money via Internet banking systems was headed by Upatre, which downloads banking Trojans from the family known as Dyre/Dyzap/Dyreza to victims’ computers. In the banking Trojan sector as a whole, the share of users attacked by Dyreza exceeded 40%. The banker uses an effective web injection method to steal the data needed to access the online banking system.

Also of note is the fact that two families of mobile banking Trojans – Faketoken and Marcher – were included in the Top 10 banking Trojans most commonly used in 2015. Based on current trends, we can assume that next year mobile bankers will account for a much greater percentage in the rating.

In 2015, there were a number of changes in the ransomware camp:

  1. While the popularity of blockers is gradually falling, the number of users attacked by encryption ransomware increased by 48.3% in 2015. Encrypting files instead of simply blocking the computer is a method that in most cases makes it very difficult for the victims to regain access to their information. The attackers are especially active in utilizing encryption ransomware for attacks on business users, who are more likely to pay a ransom than ordinary home users. This is confirmed by the appearance in 2015 of the first ransomware for Linux, targeting web servers.
  2. At the same time, encryptors are becoming multi-module and, in addition to encryption, include functionality designed to steal data from user computers.
  3. While Linux may only now have attracted the attention of fraudsters, the first ransomware Trojan for Android was detected back in 2014. In 2015, the number of attacks aimed at the Android OS grew rapidly, and by the end of the year 17% of attacks involving ransomware were blocked on Android devices.
  4. The threat is actively spreading all over the planet: Kaspersky Lab products detected ransomware Trojans in 200 countries and territories, which is practically everywhere.

We expect that in 2016 cybercriminals will continue to develop encryption ransomware that targets non-Windows platforms: the proportion of encryptors targeting Android will increase, while others will emerge for Mac. Given that Android is widely used in consumer electronics, the first ransomware attack on ‘smart’ devices may occur.

Kaspersky Security Bulletin 2015. Evolution of cyber threats in the corporate sector

Thu, 12/10/2015 - 05:52


In late 2014, we published predictions for how the world of cyber threats may evolve in 2015. Four of the nine predictions we made were directly connected with threats to businesses. Our predictions proved accurate – three of the four business-related threats have already been fulfilled:

  • Cybercriminals embrace APT tactics for targeted attacks – yes.
  • APT groups fragment, diversify attacks – yes.
  • Escalation of ATM and PoS attacks – yes.
  • Attacks against virtual payment systems – no.

Let’s have a look back at the major incidents of 2015 and at the new trends we have observed in information security within the business environment.

The year in figures
  • In 2015 one or more malware attacks were blocked on 58% of corporate computers. This is a 3 p.p. rise on the previous year.
  • 29% of computers – i.e. almost every third business-owned computer – were subjected to one or more web-based attacks.
  • Malware exploiting vulnerabilities in office applications was used 3 times more often than in attacks against home users.
  • File antivirus detection was triggered on 41% of corporate computers (objects were detected on computers or on removable media connected to computers: flash drives, memory cards, telephones, external hard drives, or network disks).
Targeted attacks on businesses: APT and cybercriminals

2015 saw a number of APT attacks launched against businesses. The toolkits and methods used were very similar to those we observed when analyzing earlier APT attacks, but it was cybercriminals rather than state-sponsored groups who were behind the attacks. The methods used may not be characteristic of cybercriminals, but the main aim of their attacks remained the same: financial gain.

The Carbanak campaign became a vivid example of how APT-class targeted attacks have shifted focus to financial organizations. The campaign was one of bona fide bank robberies in the digital age: the cybercriminals penetrated a bank’s network looking for a critical system, which they then used to siphon off money. After stealing a hefty sum (anywhere between $2.5 million and $10 million) from a bank, they moved on to the next victim.

Most of the organizations targeted were located in Eastern Europe. However, the Carbanak campaign has also targeted victims in the US, Germany and China. Up to 100 financial institutions have been affected across the globe, and the total losses could be as high as $1 billion.

It shouldn’t be forgotten that information can also be of great value, especially if it can be used when making deals or trading on the stock exchange, be it in commodities, securities or currency markets, including cryptocurrency markets. One example of a targeted attack that may have been hunting for such information is Wild Neutron (aka Jripbot and Morpho). This cyber-espionage campaign first hit the headlines in 2013 when it affected several reputable companies, including Apple, Facebook, Twitter and Microsoft. After these incidents received widespread publicity the actors behind the cyberespionage campaign suspended their activities. However, about a year later Kaspersky Lab observed that Wild Neutron had resumed operations.

Our research has shown that the cyberespionage campaign caused infections on user computers in 11 countries and territories, namely Russia, France, Switzerland, Germany, Austria, Slovenia, Palestine, the United Arab Emirates, Kazakhstan, Algeria and the US. The victims included law firms, investment companies, bitcoin-related companies, enterprises and business groups involved in M&A deals, IT companies, healthcare companies, real estate companies, as well as individual users.

It should be noted that Wild Neutron used a code signing certificate stolen from Acer.

Stolen Acer certificate in the Wild Neutron installer

The trend towards the diversification of APT attacks is well illustrated by the change in targets attacked by the Chinese cybercriminal group Winnti. It was a long-held belief that Winnti only attacked computer gaming companies. However, in autumn 2015 evidence began to emerge that showed the group had performed a test run of their tools and methods and were trying to make money by attacking new targets. Their attention is no longer limited to the entertainment industry, with recent targets including pharmaceutical and telecom companies. Analysis of the new wave of Winnti attacks has revealed that (as with Wild Neutron) the Winnti rootkit was signed with a stolen certificate that belonged to a division at a major Japanese conglomerate.

Another development in 2015 was the expanding geographies of both the attacks and the attackers. For example, when Kaspersky Lab experts were investigating a Middle East incident, they came across activity by a previously unknown group conducting targeted attacks. The group, dubbed the Desert Falcons, is the first Arab actor to conduct full-blown cyberespionage attacks. At the time the group was detected, its victims numbered around 300, including financial organizations.

Another group named Blue Termite attacked organizations and companies in Japan.

Information about targeted attacks on businesses is available in the following Kaspersky Lab reports: Carbanak, Wild Neutron, Winnti, DarkHotel 2015, Desert Falcons, Blue Termite, Grabit. More detailed research results are provided to subscribers of the Kaspersky Intelligence Service.

Analysis of these attacks has identified several trends in the evolution of targeted attacks on businesses:

  • Financial organizations such as banks, funds and exchange-related companies, including cryptocurrency exchanges, have been subjected to attacks by cybercriminals.
  • The attacks are meticulously planned. The cybercriminals scrutinize the interests of potential victims (employees at the targeted company), and identify the websites they are most likely to visit; they examine the targeted company’s contacts, equipment and service providers.
  • The information collected at the preparation stage is then put to use. The attackers hack legitimate websites that have been identified and the business contact accounts of the targeted company’s employees. The sites and accounts are used for several hours to distribute malicious code, after which the infection is deactivated. This means the cybercriminals can re-use the compromised resources again later.
  • Signed files and legitimate software are used to collect information from the attacked network.
  • Attacks are diversifying to include small and medium-sized businesses.
  • The geography of attacks on businesses is expanding: a massive attack occurred in Japan, the emergence of new APT groups in Arab countries.

Although there are relatively few APT attacks launched by cybercriminals, the way they are developing will undoubtedly influence the methods and approaches employed by other cybercriminals in their operations against businesses.


The statistics for corporate users (including the geography of attacks and ratings for detected objects) tend to coincide with those for home users. This is unsurprising because business users do not exist in an isolated environment and their computers are targeted by cybercriminals who spread malware irrespective of the nature of the target. These types of attacks and malware constitute the majority, while attacks specifically targeting business users have little impact on the overall statistics.

In 2015, one or more malware attacks were blocked on 58% of corporate user computers, which is a 3 p.p. rise on last year.

Online threats (Web-based attacks)

In 2015, almost every third (29%) computer in a business environment was subjected to one or more web-based attacks.

TOP 10 web-based malicious programs

Please note that this ranking includes malicious programs only, and no adware. Although intrusive and annoying for users, adware does not cause any damage to a computer.

Rank  Name*                              % of unique users attacked**
1     Malicious URL                      57.0
2     Trojan.Script.Generic              24.7
3     Trojan.Script.Iframer              16.0
4     Exploit.Script.Blocker             4.1
5     Trojan-Downloader.Win32.Generic    2.5
6     Trojan.Win32.Generic               2.3
7     Trojan-Downloader.JS.Iframe.diq    2.0
8     Exploit.Script.Generic             1.2
9     Packed.Multi.MultiPacked.gen       1.0
10    Trojan-Downloader.Script.Generic   0.9

*These statistics represent the detection verdicts of the web antivirus module. Information was provided by users of Kaspersky Lab products who consented to share their local statistical data.
**The percentage of all web attacks recorded on the computers of unique users.

This Top 10 consists almost exclusively of verdicts assigned to malicious objects that are used in drive-by attacks – Trojan downloaders and exploits.

Geography of web-based attacks

Geography of web-based attacks in 2015
(percentage of attacked corporate users in each country)

Local threats

The file antivirus detection was triggered on 41% of corporate user computers. The detected objects were located on computers or on removable media connected to the computers, such as flash drives, memory cards, telephones, external hard drives and network drives.

TOP 10 malicious programs detected on user computers

This ranking includes malicious programs only, and no adware. Although intrusive and annoying for users, adware does not cause any damage to a computer.

Rank  Name*                              % of unique users attacked**
1     DangerousObject.Multi.Generic      23.1
2     Trojan.Win32.Generic               18.8
3     Trojan.WinLNK.StartPage.gena       7.2
4     Trojan.Win32.AutoRun.gen           4.8
5     Worm.VBS.Dinihou.r                 4.6
6     Net-Worm.Win32.Kido.ih             4.0
7     Virus.Win32.Sality.gen             4.0
8     Trojan.Script.Generic              2.9
9     DangerousPattern.Multi.Generic     2.7
10    Worm.Win32.Debris.a                2.6

* These statistics are compiled from malware detection verdicts generated by the on-access and on-demand scanner modules on the computers of those users running Kaspersky Lab products who have consented to submit their statistical data.
** The proportion of individual users on whose computers the antivirus module detected these objects as a percentage of all attacked individual users.

First place is occupied by various malicious programs that were detected with the help of cloud technologies, and assigned the umbrella verdict of ‘DangerousObject.Multi.Generic’. Cloud technologies work when antivirus databases do not yet contain signatures or heuristics to detect a malicious program but the company’s cloud antivirus database already includes information about the object. When a client company cannot send statistics to the cloud, Kaspersky Private Security Network is used instead, meaning that network computers receive protection from the cloud.

Most of the remaining positions in the ranking are occupied by self-propagating malware programs and their components.

Geography of local threats

Geography of local threat detections in 2015
(percentage of attacked corporate users in each country)

Characteristics of attacks on businesses

The overall statistics for corporate users do not reflect the specific attributes of attacks launched against businesses; the stats are influenced more by the probability of a computer infection in a country, or by how popular a specific malware program is with cybercriminals.

However, a more detailed analysis reveals the peculiarities of attacks on corporate users:

  • exploits for vulnerabilities found in office applications are used three times more often than in attacks on home users;
  • use of malicious files signed with valid digital certificates;
  • use of legitimate programs in attacks, allowing the attackers to go undetected for longer.

We have also observed a rapid growth in the number of corporate user computers attacked by encryptor programs.

In this particular context, the majority of cases are not APT attacks: “standard” cybercriminals are simply focusing on corporate users, and sometimes on a particular company that is of interest to them.

Use of exploits in attacks on businesses

The ranking of vulnerable applications is compiled based on information about exploits blocked by Kaspersky Lab products and used by cybercriminals, both in web- and email-based attacks, as well as attempts to compromise local applications, including those on mobile devices.

Distribution of exploits used in cybercriminal attacks by type of attacked application
(corporate users, 2015)

Distribution of exploits used in cybercriminal attacks by type of attacked application
(home users, 2015)

If we compare the use of exploits by cybercriminals to attack home and corporate users, the first obvious difference is that exploits for office software vulnerabilities are used much more often in attacks launched against businesses. They are only used in 4% of attacks on home users, but when it comes to attacks on corporate users, they make up 12% of all exploits detected throughout the year.

Web browsers are the applications targeted most often by exploits in attacks on both home and corporate users. When viewing these statistics, it should be noted that Kaspersky Lab technologies detect exploits at various stages. Detection of landing pages from which exploits are distributed are also counted in the ‘Browsers’ category. We have observed that most often these are exploits for vulnerabilities in Adobe Flash Player.

Distribution of exploits used in cybercriminal attacks by type of attacked application in 2014 and 2015

The proportions of Java and PDF exploits have declined significantly compared to 2014, by 14 p.p. and 8 p.p., respectively. Java exploits have lost some of their popularity in spite of the fact that several zero-day vulnerabilities had been found during the year. The proportions of attacks launched using vulnerabilities in office software (+8 p.p.), browsers (+9 p.p.), Adobe Flash Player (+9 p.p.), and Android software (+3 p.p.) have risen.

Investigations of security incidents have shown that even in targeted attacks on corporations, cybercriminals often use exploits for known vulnerabilities. This is because corporate environments are slow to install appropriate security patches. The proportion of exploits that target vulnerabilities in Android applications has risen to 7%, which suggests cybercriminals have a growing interest in corporate data stored on employees’ mobile devices.

Encryption Trojans were long considered to be a threat to home users only. Nowadays, however, we see ransomware actors paying more attention to organizations as targets.

In 2015, Kaspersky Lab solutions detected ransomware on more than 50,000 computers in corporate networks, which is double the figure for 2014. It is important to keep in mind that the real number of incidents is several times higher: the statistics reflect only the results of signature-based and heuristic detections, while in most cases Kaspersky Lab products detect encryption Trojans based on behavior recognition models.

The number of unique corporate users attacked by encryption Trojans in 2014 and 2015

There are two reasons for the surge in interest in businesses by ransomware actors. Firstly, they can receive much bigger ransoms from organizations than from individual users. Secondly, there is a better chance the ransom will be paid: some companies simply cannot continue their operations if information has been encrypted and is unavailable on critical computers and/or servers.

One of the most interesting developments of 2015 in this realm has been the emergence of the first Linux encryption malware (Kaspersky Lab products detect it as the verdict ‘Trojan-Ransom.Linux.Cryptor’), which targets websites, including online stores. The cybercriminals exploited vulnerabilities in web applications to gain access to websites, and then uploaded a malicious program to the sites that encrypted the server data. In the majority of cases, this brought the site down. The cybercriminals demanded a ransom of one bitcoin to restore the site. Around 2,000 websites are estimated to have been infected. Given the popularity of *nix servers in the business environment, it is reasonable to assume that next year there may be more ransomware attacks against non-Windows platforms.

TOP 10 encryptor Trojan families

Rank  Family      % attacked users*
1     Scatter     21
2     Onion       16
3     Cryakl      15
4     Snocry      11
5     Cryptodef   8
6     Rakhni      7
7     Crypmod     6
8     Shade       5
9     Mor         3
10    Crypren     2

*The proportion of users attacked by malicious programs from this family, as a percentage of all attacked users.

Virtually all the ransomware families in the Top 10 demand ransoms in bitcoins.

The Scatter family of Trojans occupies first place. They encrypt files on the hard drive and leave encrypted files with the extension .vault. Scatter Trojans are multi-module, multi-purpose script-based malicious programs. This malware family has quickly evolved over a short period, developing new Email-Worm and Trojan-PSW capabilities on top of file encryption.

In second place is the Onion family of encryptors, known for the fact that their C&C servers are located within the Tor network. In third place is the Cryakl family of encryptors, which are written in Delphi and emerged back in April 2014.

In some cases, it may be possible to restore the data encrypted by these ransomware programs, usually when there are mistakes of some kind in their algorithms. However, it is currently impossible to decrypt data that has been encrypted by the latest versions of the malicious programs in the Top 10.

It is important for companies to understand that an infection by malware of this kind can interfere with business operations if critical business data is lost or a critical server operation is blocked due to encryption. Attacks like this can lead to huge losses, comparable to those caused by the Wiper malware attacks that destroyed data in corporate networks.

To address this threat, a number of measures should be taken:

  • deploy protection against exploits;
  • ensure behavioral detection methods are enabled in your security product (in Kaspersky Lab products, this is done in the System Watcher component);
  • configure a data backup procedure.
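The second measure above, behavioral detection, is what catches an encryptor whose signature is not yet known. As an added illustration that is not code from the report or from any Kaspersky Lab product, the following sketch shows the core of such a detector in the simplest form: it consumes a stream of file-system events and raises an alert for any process that changes the extension of many files across several folders within a short window, which is what the Scatter family's rewrite of documents to .vault looks like on disk. The event stream, process names, paths and thresholds are constructed for the example; a production component would sit inside a file-system filter and add checks (written-data entropy, shadow-copy deletion, canary files) that this sketch leaves out, so encryptors that overwrite files in place without renaming them are outside its reach.

```python
"""Added example (not from the Kaspersky report): a minimal behavioral
ransomware detector driven by a constructed file-event stream."""
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class FileEvent:
    ts: float           # seconds since monitoring started (constructed)
    process: str        # image name of the acting process
    op: str             # "create", "write", "rename" or "delete"
    path: str           # affected path; for a rename, the new path
    old_path: str = ""  # for a rename, the original path


def _extension_changed(ev: FileEvent) -> bool:
    """True for renames that swap the extension, e.g. a.docx -> a.docx.vault."""
    if ev.op != "rename":
        return False
    old_ext = os.path.splitext(ev.old_path)[1].lower()
    new_ext = os.path.splitext(ev.path)[1].lower()
    return old_ext != new_ext


def detect_encryption_bursts(events: Iterable[FileEvent], window_s: float = 10.0,
                             threshold: int = 20, min_dirs: int = 3) -> Dict[str, float]:
    """Return {process: first alert timestamp}.

    A process is flagged when, inside any window_s-second window, it changed
    the extension of at least `threshold` files spread over at least
    `min_dirs` directories. The directory spread keeps a batch converter
    working inside one folder from tripping the rule."""
    recent: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
    alerts: Dict[str, float] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if not _extension_changed(ev):
            continue
        q = recent[ev.process]
        q.append((ev.ts, os.path.dirname(ev.path)))
        while q and ev.ts - q[0][0] > window_s:   # drop events outside the window
            q.popleft()
        if ev.process in alerts:
            continue
        if len(q) >= threshold and len({d for _, d in q}) >= min_dirs:
            alerts[ev.process] = ev.ts
    return alerts


def constructed_events() -> List[FileEvent]:
    """Constructed sample stream: one encryptor, one batch converter, one editor."""
    events: List[FileEvent] = []
    dirs = ["C:/Users/a/Documents", "C:/Users/a/Desktop", "D:/Finance/2015",
            "D:/Finance/Q3", "C:/Users/a/Pictures"]
    # A script-based encryptor renaming 30 documents across five folders in 6 s.
    for i in range(30):
        d = dirs[i % len(dirs)]
        events.append(FileEvent(1.0 + i * 0.2, "wscript.exe", "rename",
                                f"{d}/file{i}.docx.vault", f"{d}/file{i}.docx"))
    # A batch image converter renaming 25 files, all inside one folder.
    for i in range(25):
        events.append(FileEvent(2.0 + i * 0.1, "imageconv.exe", "rename",
                                f"C:/Users/a/Pictures/img{i}.jpg",
                                f"C:/Users/a/Pictures/img{i}.jpeg"))
    # An editor saving one document through a temporary file.
    events.append(FileEvent(3.0, "winword.exe", "write", "C:/Users/a/Documents/memo.docx"))
    events.append(FileEvent(3.5, "winword.exe", "rename", "C:/Users/a/Documents/memo.docx",
                            "C:/Users/a/Documents/~WRD0001.tmp"))
    return events


if __name__ == "__main__":
    print(detect_encryption_bursts(constructed_events()))
```

On the constructed stream only wscript.exe is flagged, at the moment its 20th rename lands; the converter stays under the directory-spread rule and the editor never reaches the count. The alert timestamp is what a blocking component would use to suspend the process and roll back the files it touched in the window, which is why the backup procedure in the third measure remains essential: detection fires after the first files have already been rewritten.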
Attacks on PoS terminals

The security of point-of-sale (PoS) terminals has turned into another pressing issue for businesses, especially those involved in trading activities. Any computer with a special card reader device connected to it and the right software installed can be used as a PoS terminal. Cybercriminals hunt for these computers and infect them with malicious programs that allow them to steal the details of bank cards used to pay at the terminals.

Kaspersky Lab’s security products have blocked over 11,500 such attacks across the world. To date, there are 10 malware families in our collection that are designed to steal data from PoS terminals. Seven of these emerged this year. Despite the small number of attacks that are attempted, this risk should not be underestimated, because just one successful attack could compromise the details of tens of thousands of credit cards. Such a large number of potential victims is possible because business owners and system administrators do not see PoS terminals as devices that require protection. As a result, an infected terminal could go unnoticed for a long time, during which the malicious program sends the details of all the credit cards passing through the terminal to cybercriminals.

This problem is especially relevant in those countries where cards with EMV chips are not used. The adoption of EMV chip cards should make it far more difficult to obtain the data required to clone banking cards, although the adoption process could take a long time. In the meantime, there are some minimum measures that should be taken to protect PoS devices. Fortunately, for these devices it is fairly easy to configure the ‘default deny’ security policy, which blocks unknown programs from launching by default.
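The ‘default deny’ policy recommended above is simple to state: only binaries approved when the terminal was commissioned may run, and everything else is refused regardless of its name. The following is an added example, not code from the report or from Kaspersky Lab, that shows the decision logic behind such a policy as a hash-based allowlist: the allowlist is built from a ‘golden’ set of approved files, and each file on the terminal is allowed only if its SHA-256 is in that set. The file names, contents and directories are constructed in a temporary folder; in production the equivalent rules are enforced by the operating system (for instance Windows AppLocker) or by the application-control component of an endpoint product, not by a script.

```python
"""Added example (not from the Kaspersky report): hash-based default-deny
execution policy for a PoS terminal, with constructed files in a temp dir."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(approved: Iterable[Path]) -> Dict[str, str]:
    """Map sha256 -> original file name for the approved ('golden') binaries."""
    return {sha256_of(p): p.name for p in approved if p.is_file()}


def execution_decision(path: Path, allowlist: Dict[str, str]) -> str:
    """'allow' only if the file's hash is approved; anything else is 'deny'.

    Keying on content rather than name or path is what makes the policy
    survive both a trusted binary being overwritten in place and an unknown
    binary borrowing a familiar name."""
    return "allow" if sha256_of(path) in allowlist else "deny"


def audit_directory(directory: Path, allowlist: Dict[str, str]) -> Dict[str, str]:
    """Decision for every regular file in the directory, keyed by file name."""
    return {p.name: execution_decision(p, allowlist)
            for p in sorted(directory.iterdir()) if p.is_file()}


def demo() -> Dict[str, str]:
    """Constructed scenario: golden image vs. a terminal with two changes."""
    root = Path(tempfile.mkdtemp(prefix="pos-allowlist-"))
    golden = root / "golden"
    golden.mkdir()
    (golden / "pos_app.exe").write_bytes(b"constructed pos application")
    (golden / "card_reader.dll").write_bytes(b"constructed reader driver")
    allowlist = build_allowlist(golden.iterdir())

    terminal = root / "terminal"
    terminal.mkdir()
    # Unchanged approved binary.
    (terminal / "pos_app.exe").write_bytes(b"constructed pos application")
    # Approved name, but the content was modified in place.
    (terminal / "card_reader.dll").write_bytes(b"constructed reader driver TAMPERED")
    # Unknown binary hiding behind a familiar system file name.
    (terminal / "svchost.exe").write_bytes(b"constructed unknown binary")
    # A renamed copy of the approved application: same hash, still allowed.
    (terminal / "update.exe").write_bytes(b"constructed pos application")
    return audit_directory(terminal, allowlist)


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{decision:5s} {name}")
```

Two outcomes in the demo are worth noting. The tampered driver is denied even though its name is approved, which is the case an infected terminal presents; and the renamed copy of the approved application is allowed, because a hash policy trusts content, not location. Where the latter is undesirable, the rule can additionally pin the expected path, at the cost of breaking every legitimate update that does not go through the same commissioning step.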

We expect that in the future cybercriminals will start targeting mobile PoS devices running under Android.


The data collected from Kaspersky Lab products shows that the tools used to attack businesses differ from those used against home users. In attacks on corporate users, exploits for office application vulnerabilities are used much more often, malicious files are often signed with valid digital certificates, and cybercriminals try to use legitimate software for their purposes, so they can go unnoticed for longer. We have also observed strong growth in the numbers of corporate user computers targeted by ransomware. This also applies to incidents not classified as APT attacks, where cybercriminals merely focus on corporate users, and sometimes on employees of specific companies.

The fact that cybercriminal groups use APT methods and programs to attack businesses takes them to a different level and makes them much more dangerous. Cybercriminals have begun to use these methods primarily to steal large sums of money from banks. They can use the same methods to steal a company’s money from bank accounts by gaining access to its corporate network.

Cybercriminals rely on exploiting known vulnerabilities to conduct their attacks – this is due to the fact that many organizations are slow to implement software updates on their corporate computers. In addition, cybercriminals make use of signed malicious files and legitimate tools to create channels for extracting information: these tools include popular remote administration software, SSH clients, password restoration software, etc.

More and more frequently, corporate servers are being targeted by cybercriminals. Besides stealing data, there have been cases when the attacked servers were used to launch DDoS attacks, or the data on the servers was encrypted for ransom. Recent developments have shown that this is true for both Windows and Linux servers.

Many of the organizations that suffered attacks have received ransom demands asking for payments in return for halting an ongoing DDoS attack, unblocking encrypted data, or for not disclosing stolen information. When an organization faces such demands, the first thing they should do is contact law enforcement agencies and computer security specialists. Even if a ransom is paid, the cybercriminals may still not fulfil their promise, as was the case with the ProtonMail DDoS attack that continued after a ransom was paid.


Growing numbers of attacks against financial organizations, financial fraud on exchange markets

In the coming year, we expect to see growing numbers of attacks launched against financial organizations, as well as a difference in the quality of these attacks. Besides transferring money to their own accounts and converting it to cash, we may also see cybercriminals employing some new techniques. These could include data manipulation on trading platforms where both traditional and new financial instruments, such as cryptocurrencies, are traded.

Attacks on infrastructure

Even when an organization's own perimeter is difficult to penetrate, it is now typical for organizations to store their valuable data on servers located in data centers rather than on infrastructure on their own premises. Attempts to gain unauthorized access to these outsourced components of a company’s infrastructure will become an important attack vector in 2016.

Exploiting IoT vulnerabilities to penetrate corporate networks

IoT (Internet of Things) devices can be found in almost every corporate network. Research conducted in 2015 has shown that there are a number of security problems with these devices and cybercriminals are likely to exploit them because they offer a convenient foothold at the initial stage of penetrating a corporate network.

More rigid security standards, cooperation with law enforcement agencies

In response to the growing number of computer incidents in business environments and the changes to the overall cyber-threat landscape, regulatory authorities will develop new security standards and update those already in effect. Organizations that are interested in the integrity and security of their digital assets will cooperate more actively with law enforcement agencies, or find themselves obliged to do so by the standards mentioned above. This may lead to more concerted efforts to catch cybercriminals, so expect to hear about new arrests in 2016.

What to do?

In 2015, we have seen cybercriminals begin to actively use APT attack methods to penetrate company networks. We are talking here about reconnaissance aimed at identifying weak spots in the corporate infrastructure and gathering information about employees. There is also the use of spear phishing and watering-hole attacks, the active use of exploits to execute code and gain administrator rights, the use of legitimate software along with Trojans for remote administration, exploration of the targeted network and abuse of password restoration software. All this requires the development of methods and techniques to protect corporate networks.

As for specific recommendations, the TOP 35 cyber-intrusion mitigation strategies developed by the Australian Signals Directorate (ASD) should be consulted first of all. Through comprehensive, detailed analysis of local attacks and threats, ASD has found that at least 85% of targeted cyber intrusions could be mitigated by four basic strategies. Three of them are related to specialized security solutions. Kaspersky Lab products include technological solutions to cover the first three major strategies.

Below is a list of the four basic strategies that reduce the possibility of a successful targeted attack:

  • Use application whitelisting to help prevent malicious software and unapproved programs from running
  • Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office
  • Patch operating system vulnerabilities
  • Restrict administrative privileges to operating systems and applications, based on user duties

For detailed information about the ASD mitigation strategies, consult the threat mitigation article in the Securelist encyclopedia.

Another important factor is the use of the latest threat data, i.e. threat intelligence services (Kaspersky Lab, for example, provides its own Kaspersky Intelligence Service). A timely configuration and checkup of the corporate network using this data will help protect against attacks or detect an attack at an early stage.

The basic principles of ensuring security in corporate networks remain unchanged:

  • Train staff. Maintaining information security is not only the job of the corporate security service but also the responsibility of every employee.
  • Organize security procedures. The corporate security system must provide an adequate response to evolving threats.
  • Use new technologies and methods. Each added layer of protection helps reduce the risk of intrusion.



Stepping out of the dark: Hashcat went OpenSource

Mon, 12/07/2015 - 11:17

While passwords are still an essential topic in IT security, the recovery and cracking of them is as well. There are several tools focusing on password recovery, and two of them stand out from the crowd: Hashcat/oclHashcat and John the Ripper (JtR).

  • We already mentioned Hashcat in our blog post on account password security.
  • Jens Steube – the mind behind Hashcat – also supported our research on the Gauss malware by creating oclGaussCrack.
  • At the beginning of this year we also asked for help on the Equation group MD5 “e6d290a03b70cfa5d4451da444bdea39”. Jens Steube and Philipp Schmidt solved it as the Arabic word for “unregistered”.

Last Friday, a “cryptic” message was posted on Twitter by @hashcat.

The MD5 revealed a major step for Hashcat: “hashcat open source” – Jens ‘atom’ Steube decided to go open source with his well-known password recovery/cracking tool Hashcat/oclHashcat. Over the weekend, the GitHub repository of Hashcat was among the top trending repositories and had already collected more than 1,000 “stars”.


Hashcat and oclHashcat

This project implements a rich set of attack modes against a long list of hash algorithms. Hashcat is for CPU-based hash cracking, while oclHashcat uses GPUs.

Why Password cracking tools and OpenSource?

There are many reasons why such tools are needed. One of the main user groups is penetration testers. Their job is to evaluate the security in given areas, including the evaluation of password security. Forensic examiners also use these tools in order to gain access to required evidence. These cases and tasks are often highly sensitive and subject to strict rules. Open source offers the possibility of developing customized extensions without leaking any potentially sensitive information to the external developers of such tools. This applies if different hash algorithms need to be audited during a pentest, or if specific requirements are set in forensic cases, e.g. criminal evidence collection for an upcoming lawsuit.

The implemented functionality also pushes for stronger security by revealing insecure hash algorithms or vulnerabilities and weak passwords. This must not be underestimated, as driving the evolution and development of new secure algorithms is an important and necessary step (see the collision vulnerabilities in MD5, SHA1 and SHA2).

Hashcat as open source under the MIT License will now open up possibilities for integrating other libraries and porting the software to other platforms. Hashcat may now also be integrated into Linux distributions, thereby opening it up to a broader audience, since it becomes even easier to install and use.

It’s difficult to foresee the future, but for sure we’ll see more development in this area – for a good reason.

Arabian tales by ‘Nigerians’

Mon, 12/07/2015 - 05:57

The war in Syria, which began several years ago, has recently become one of the most widely reported events in the media. Along with the growing interest of the international community in Middle East events, “Nigerian” scammers have also jumped on the bandwagon. Over the last few months, we have recorded an increase in the number of fraudulent emails utilizing the Syrian theme.

The authors of most of the emails introduced themselves as Syrian citizens seeking asylum in Europe, and requested assistance in investing large sums of money. The messages were either short, with just enough information to arouse the recipient’s interest, or provided a detailed description of the offer.

Fraudsters often send out emails on behalf of women whose husbands have supposedly been killed or died. This theme was exploited with little or no change in the Syria-related emails. A “widow” writes that her husband has been killed and that she now has a large sum of money that she wants to transfer to another country – she usually wants to get out of Syria too.

Fraudsters can also distribute emails on behalf of employees or owners of companies. To make the email more convincing, the text may include the names of real organizations. The authors of the emails provide a variety of stories to hook the recipient. For example, one of them says he has successfully transferred his assets to France but could not get a visa, so he is asking for help in case he cannot get to Europe.

The scammers are trying not only to get recipients interested by promising financial rewards but also to evoke pity and compassion. In particular, the pseudo-Syrian citizens complain of harassment by the president and ask for help transferring and preserving their money.

English is the most popular language with the “Nigerian” scammers; however, we have come across emails in other languages: German, French and Arabic. The author of a German-language email introduced himself as an officer of the Syrian army fighting against ISIS; he writes that he wants to move $16 million earned by selling oil out of the country, and asks the recipient to contact him for more information. More generally, the claim that citizens of Syria and other Arab countries have large amounts of money is often explained by various stories related to oil deals.

An email in French is written on behalf of a young Syrian refugee whose relatives were killed in the war in Syria and who is now staying in Germany. She complains about the unbearable cold in the tent she lives in, and about the promises of the authorities to improve the living conditions which are never fulfilled. She asks the recipient to take her in in exchange for a large sum of money.

Finally, the emails in Arabic, the official language of Syria, tell a sad story about a widow from Damascus, whose husband and children were killed during a bombardment using chemical weapons. The tale of the unhappy woman is intended to evoke the recipient’s sympathy while also mentioning a large sum of money that should tempt the recipient to help.

“Nigerian” scammers are trying to make their stories believable so they are using a standard set of tricks: links to legitimate news sources, detailed emotive stories where real events are mentioned, including well-known personalities, etc. However, it is worth remembering that emails from unknown senders offering you millions of dollars cannot be genuine. Therefore, the best solution is to simply delete the email and not enter into correspondence with the scammers.

Sofacy APT hits high profile targets with updated toolset

Fri, 12/04/2015 - 05:59

Sofacy (also known as “Fancy Bear”, “Sednit”, “STRONTIUM” and “APT28”) is an advanced threat group that has been active since around 2008, targeting mostly military and government entities worldwide, with a focus on NATO countries. More recently, we have also seen an increase in activity targeting Ukraine.

Back in 2011-2012, the group used a relatively tiny implant (known as “Sofacy” or SOURFACE) as its first stage malware. The implant shared certain similarities with the old Miniduke implants. This led us to believe the two groups were connected, at least to begin with, although it appears they parted ways in 2014, with the original Miniduke group switching to the CosmicDuke implant.

At some point during 2013, the Sofacy group expanded its arsenal and added more backdoors and tools, including CORESHELL, SPLM (aka Xagent, aka CHOPSTICK), JHUHUGIT (which is built with code from the Carberp sources), AZZY (aka ADVSTORESHELL, NETUI, EVILTOSS, and spans across four to five generations) and a few others. We’ve seen quite a few versions of these implants and they were relatively widespread for a time.

#Sofacy group has been active since 2008, targeting mostly military and government entities in NATO countries


Earlier this year, we noticed a new release of the AZZY implant which, at the time, was largely undetected by anti-malware products. We observed several waves of attacks using this version, most recently in October. The new waves of attacks also included a new generation of USB stealers deployed by the Sofacy actor, with the first versions dating back to February 2015, and which appear to be geared exclusively towards high profile targets.

Sofacy’s August 2015 attack wave

In the months leading up to August, the Sofacy group launched several waves of attacks relying on zero-day exploits in Microsoft Office, Oracle Sun Java, Adobe Flash Player and Windows itself. For instance, its JHUHUGIT implant was delivered through a Flash zero-day and used a Windows EoP exploit to break out of the sandbox. The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day (CVE-2015-2590) in July 2015.

While the JHUHUGIT (and more recently, “JKEYSKW”) implant is used in most of the Sofacy attacks, high profile victims are being targeted with another first level implant, representing the latest evolution of their AZZY Trojan.

Two recurring characteristics of the #Sofacy group are speed and the use of multi-backdoor packages


The first versions of the new AZZY implant appeared in August of this year. During a high profile incident we investigated, our products successfully detected and blocked a “standard” Sofacy “AZZY” sample that was used to target a range of defense contractors. The sample used in this attack (md5 A96F4B8AC7AA9DBF4624424B7602D4F7, compiled July 29th, 2015) was a pretty standard Sofacy x64 AZZY implant, which has the internal name “advshellstore.dll”.

Interestingly, the fact that the attack was blocked didn’t appear to stop the Sofacy team. Just an hour and a half later they had compiled and delivered another AZZY x64 backdoor (md5: 9D2F9E19DB8C20DC0D20D50869C7A373, compiled August 4th, 2015). This was no longer detectable with static signatures by our product. However, it was detected dynamically by the host intrusion prevention subsystem when it appeared in the system and was executed.

This recurring, blindingly-fast Sofacy attack attracted our attention as neither sample was delivered through a zero-day vulnerability — instead, they appeared to be downloaded and installed by another malware. This separate malware was installed by an unknown attack as “AppData\Local\Microsoft\Windows\msdeltemp.dll” (md5: CE8B99DF8642C065B6AF43FDE1F786A3).

The top level malware, CE8B99DF8642C065B6AF43FDE1F786A3 (named by its authors “msdeltemp.dll” according to internal strings, and compiled July 28th, 2015) is a rare type of the Sofacy AZZY implant. It has been modified to drop a separate C&C helper (md5: 8C4D896957C36EC4ABEB07B2802268B9) as “tf394kv.dll”.

The dropped “tf394kv.dll” file is an external C&C communications library, compiled on July 24th, 2015 and used by the main backdoor for all Internet-based communications.

Decrypted configuration block of the C&C helper library “tf394kv.dll”

This code modification marks an unusual departure from the typical AZZY backdoors, with its C&C communication functions moved to an external DLL file. In the past, the Sofacy developers modified earlier AZZY backdoors to use a C&C server encoded in the registry, instead of storing it in the malware itself, so this code modularisation follows the same line of thinking.

In addition to the new AZZY backdoors with side-DLL for C&C, we observed a new set of data-theft modules deployed against victims by the Sofacy group. Among the most popular modern defense mechanisms against APTs are air-gaps — isolated network segments without Internet access, where sensitive data is stored. In the past, we’ve seen groups such as Equation and Flame use malware to steal data from air-gapped networks. The Sofacy group uses such tools as well.

The first versions of these new USB stealer modules appeared around February 2015 and the latest appear to have been compiled in May 2015. Older versions of these USBSTEALER modules were previously described by our colleagues from ESET.

One example of the new Sofacy USBSTEALER modules is 8b238931a7f64fddcad3057a96855f6c, which is named internally as msdetltemp.dll.

This data theft module appears to have been compiled in May 2015 and is designed to watch removable drives and collect files from them, depending on a set of rules defined by the attackers. The stolen data is copied into a hidden directory as “%MYPICTURES%\%volume serial number%”, from where it can be exfiltrated by the attackers using one of the AZZY implants. More details on the new USB stealers are available in the section on technical analysis.


Over the last year, the Sofacy group has increased its activity almost tenfold when compared to previous years, becoming one of the most prolific, agile and dynamic threat actors in the arena. This activity spiked in July 2015, when the group dropped two completely new exploits, an Office and Java zero-day.

At the beginning of August, Sofacy began a new wave of attacks, focusing on defense-related targets. As of November 2015, this wave of attacks is ongoing. The attackers deploy a rare modification of the AZZY backdoor, which is used for the initial reconnaissance. Once a foothold is established, they try to upload more backdoors, USB stealers as well as other hacking tools such as “Mimikatz” for lateral movement.

Over the last year, the #Sofacy group has increased its activity almost tenfold, that spiked in July 2015


Two recurring characteristics of the Sofacy group that we keep seeing in its attacks are speed and the use of multi-backdoor packages for extreme resilience. In the past, the group used droppers that installed both the SPLM and AZZY backdoors on the same machine. If one of them was detected, the other one provided the attacker with continued access.

As usual, the best defense against targeted attacks is a multi-layered approach. Combine traditional anti-malware technologies with patch management, host intrusion detection and, ideally, whitelisting and default-deny strategies. According to a study by the Australian DSD, 85% of the targeted attacks analysed could have been stopped by four simple defense strategies. While it’s impossible to achieve 100% protection, in practice, in most cases, all you have to do is increase your defenses to the point where it becomes too expensive for the attacker – who will just give up and move on to other targets.

More information about the Sofacy group is available to customers of Kaspersky Intelligent Services.

Is there a ‘silver bullet’ to protect yourself against Sofacy? Learn more on Kaspersky Business blog.

Technical analysis

Internal name: DWN_DLL_MAIN.dll
File format: PE32 DLL
MD5: ce8b99df8642c065b6af43fde1f786a3
Linker version: 11.0, Microsoft Visual Studio
Linker timestamp: 2015.07.28 13:05:20 (GMT)
Exported functions:

  • 10003F30: ?Applicate@@YGHXZ
  • 10004270: ?SendDataToServer_2@@YGHPAEKEPAPAEPAK@Z
  • 10003F60: ?k@@YGPAUHINSTANCE__@@PBD@Z

The library starts its main worker thread from the DllMain function.

Most of the strings inside the module are encrypted with a homebrew XOR-based algorithm. In addition to that, API function names are reversed, presumably to avoid detection in memory.
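The two tricks just described, XOR-encoded strings and reversed API names, are cheap for an analyst to undo once recognised. The helper below is an added example, not code from the Sofacy write-up or a Kaspersky tool: the XOR key, the sample blob and the list of API names are constructed for illustration, and the order of operations (reverse, then XOR) is an assumption, since the actual homebrew routine and its key are not published here and must be recovered from the sample. The last function shows the known-plaintext angle: if one decoded string is known to contain a substring such as ".dll", a single-byte key can be recovered by exhaustive search.

```python
"""String deobfuscation helpers for a reversed-and-XORed string scheme.
Added example: key, blob and API list are constructed; the real Sofacy
routine and key are not in the write-up and must come from the sample."""
import re

# Constructed repeating XOR key (assumption; a real key comes from the
# sample's own decryption routine).
EXAMPLE_KEY = b"\x5a\x13\xc7"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plain: str, key: bytes = EXAMPLE_KEY) -> bytes:
    """Reverse then XOR: only used here to build test material."""
    return xor_bytes(plain.encode("ascii")[::-1], key)


def deobfuscate(blob: bytes, key: bytes = EXAMPLE_KEY) -> str:
    """Undo the XOR layer, then the reversal (assumed order)."""
    return xor_bytes(blob, key)[::-1].decode("ascii", errors="replace")


# A few Windows API names a downloader is likely to resolve; the reversed
# forms are what an obfuscated binary would carry in memory or on disk.
KNOWN_APIS = [
    "LoadLibraryA", "GetProcAddress", "CreateThread", "CreateProcessA",
    "WriteFile", "InternetOpenA", "HttpSendRequestA", "RegSetValueExA",
]
REVERSED_APIS = {name[::-1]: name for name in KNOWN_APIS}

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def find_reversed_api_names(data: bytes):
    """Return sorted (offset, api_name) pairs for every printable run in
    `data` that contains a reversed known API name. A hit in a memory
    dump is a cheap tell that the reversal trick is in use."""
    hits = []
    for m in PRINTABLE_RUN.finditer(data):
        run = m.group().decode("ascii")
        for rev, name in REVERSED_APIS.items():
            idx = run.find(rev)
            if idx >= 0:
                hits.append((m.start() + idx, name))
    return sorted(hits)


def brute_force_single_byte_key(blob: bytes, expected_substring: str):
    """Known-plaintext recovery: try every single-byte XOR key and return
    the first whose output contains `expected_substring` after reversal."""
    for k in range(256):
        candidate = xor_bytes(blob, bytes([k]))[::-1]
        if expected_substring.encode("ascii") in candidate:
            return k
    return None


if __name__ == "__main__":
    blob = obfuscate("kernel32.dll")
    print(blob.hex(), "->", deobfuscate(blob))
    print(find_reversed_api_names(b"\x00AyrarbiLdaoL\x00sserddAcorPteG\x00"))
```

Running `find_reversed_api_names` over a process memory dump of a suspect DLL, or over the strings of an unpacked sample, is a quick triage step; a positive result also tells you which API names to expect once the XOR layer is removed.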

Once started, the code in the main thread resolves the basic API functions it needs and loads an additional library from the following location: “%TEMP%\tf394kv.dll”. If this file is not present, it is recreated from a hardcoded encrypted array inside the body of the DLL.

Next, the module enters an infinite loop. Every five minutes it collects basic system information and sends it to the C2 server:

  • Windows version number
  • Hardcoded string “4.3” (the backdoor’s internal version number)
  • List of running processes

The main thread also spawns a separate thread for receiving new commands from the C2 servers. Every 10 minutes, it sends a new request to the server. The server is expected to send back executable code and one of the following commands:

  • Write a new file “%LOCAL_APPDATA%\dllhost.exe” or “%TEMP%\dllhost.exe” and execute it, then delete the file
  • Write a new file “%LOCAL_APPDATA%\sechost.dll” or “%TEMP%\sechost.dll” and call its first exported function using “rundll32.exe” or Windows API, then delete the file
  • Run shellcode provided by the server in a new thread

While processing the commands, the backdoor logs all errors and execution results. The module also reads the contents of the file “%APPDATA%\chkdbg.log” and appends it to the results. It then sends the aggregated log back to the C2 server.

The module aborts the thread receiving C2 commands after it fails to correctly execute commands more than six times in a row, e.g. if file or process creation fails.

The export called “k” is a wrapper for the “LoadLibraryA” API function.

The export called “SendDataToServer_2” does exactly what its name suggests: it encrypts all collected data, encodes it using Base64 encoding and calls its additional library to send the data to the C2 server. The names of the C2 servers are hardcoded.

Hardcoded C&C servers in the main module

The two C&C’s hardcoded in the configuration block of the main binary are:

  • intelnetservice[.]com
  • intelsupport[.]net

The export called “Applicate” runs a standard Windows application message loop until a “WM_ENDSESSION” message is received. It then terminates the main thread.

Internal name: snd.dll
File format: PE32 DLL
MD5: 8c4d896957c36ec4abeb07b2802268b9
Linker version: 11.0, Microsoft Visual Studio
Linker timestamp: 2015.07.24 12:07:27 (GMT)
Exported functions:

  • 10001580: Init
  • 10001620: InternetExchange
  • 10001650: SendData

This external library implements a simple Wininet-based transport for the main module.

The strings inside the binary are encrypted using 3DES and XOR and reversed.

The DllMain function initializes the library and resolves all required Windows API functions.

The “Init” export establishes a connection to port 80 of a C2 server using the Wininet API. The user agent string employed is “MSIE 8.0”.

The “SendData” export sends an HTTP POST request using the hardcoded URI “/store/”. The reply, if its length is not equal to six and its contents do not contain “OK”, is returned to the caller.

The “InternetExchange” export closes the established connection and frees associated handles.

Sofacy AZZY 4.3 dropper analysis

File format: PE32 EXE
File size: 142,336 bytes
MD5: c3ae4a37094ecfe95c2badecf40bf5bb
Linker version: 11.0, Microsoft Visual Studio
Linker timestamp: 2015.02.10 10:01:59 (GMT)

Most of the strings and data in the file are encrypted using 3DES and XOR.

The code makes use of the Windows Crypto API for 3DES and the decryption key is stored as a standard Windows PUBLICKEYSTRUC structure:

Part of the decryption algorithm

Header of one encrypted data buffer containing the hardcoded 3DES key
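A PUBLICKEYSTRUC (the BLOBHEADER typedef in wincrypt.h) in front of a raw key is what CryptImportKey consumes as a PLAINTEXTKEYBLOB: one byte blob type, one byte version, a reserved WORD, an ALG_ID DWORD, then a DWORD key length and the key bytes. Because the layout is fixed, an analyst can slide over a decrypted buffer and pull the key out without reversing the surrounding code. The parser below is an added example, not code from the write-up; the sample buffer and its 24-byte dummy key are constructed, and the constants are the published wincrypt.h values.

```python
"""Locate and parse CryptoAPI plaintext key blobs (PUBLICKEYSTRUC header
+ DWORD length + raw key). Added example; SAMPLE_BUFFER is constructed
with a dummy key and is not taken from any Sofacy binary."""
import struct

# BLOBHEADER / PUBLICKEYSTRUC constants from wincrypt.h
PLAINTEXTKEYBLOB = 0x08
CUR_BLOB_VERSION = 0x02
CALG_3DES = 0x6603
ALG_NAMES = {
    0x6601: "CALG_DES", 0x6603: "CALG_3DES", 0x6609: "CALG_3DES_112",
    0x6801: "CALG_RC4", 0x660E: "CALG_AES_128", 0x6610: "CALG_AES_256",
}
# Key sizes implied by the algorithm; a mismatch means it is not a blob.
EXPECTED_KEY_LEN = {0x6601: 8, 0x6603: 24, 0x6609: 16, 0x660E: 16, 0x6610: 32}
HEADER_LEN = 12  # 8-byte BLOBHEADER followed by the 4-byte key length


def parse_plaintext_key_blob(buf: bytes, offset: int = 0):
    """Return a dict describing the blob at `offset`, or None if the bytes
    there are not a well-formed PLAINTEXTKEYBLOB."""
    if len(buf) < offset + HEADER_LEN:
        return None
    b_type, b_version, reserved, alg_id = struct.unpack_from("<BBHI", buf, offset)
    if b_type != PLAINTEXTKEYBLOB or b_version != CUR_BLOB_VERSION or reserved != 0:
        return None
    (key_len,) = struct.unpack_from("<I", buf, offset + 8)
    if key_len == 0 or key_len > 64 or len(buf) < offset + HEADER_LEN + key_len:
        return None
    if alg_id in EXPECTED_KEY_LEN and EXPECTED_KEY_LEN[alg_id] != key_len:
        return None
    key = buf[offset + HEADER_LEN: offset + HEADER_LEN + key_len]
    return {"alg_id": alg_id, "alg": ALG_NAMES.get(alg_id, hex(alg_id)), "key": key}


def scan_for_key_blobs(buf: bytes):
    """Slide over a buffer (a decrypted data block or a whole file image)
    and collect every plausible plaintext key blob with its offset."""
    found = []
    for off in range(len(buf) - HEADER_LEN + 1):
        blob = parse_plaintext_key_blob(buf, off)
        if blob:
            found.append((off, blob))
    return found


def build_plaintext_key_blob(alg_id: int, key: bytes) -> bytes:
    """Serialise a blob the way CryptImportKey expects it (test material)."""
    header = struct.pack("<BBHI", PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg_id)
    return header + struct.pack("<I", len(key)) + key


# Constructed buffer: junk bytes, a 3DES blob carrying the dummy key
# 01 02 .. 18, then zero padding.
DUMMY_3DES_KEY = bytes(range(1, 25))
SAMPLE_BUFFER = (b"\x90" * 5
                 + build_plaintext_key_blob(CALG_3DES, DUMMY_3DES_KEY)
                 + b"\x00" * 8)

if __name__ == "__main__":
    for off, blob in scan_for_key_blobs(SAMPLE_BUFFER):
        print(f"offset {off}: {blob['alg']} key={blob['key'].hex()}")
```

A recovered key is only half of the job: unless the malware changes KP_MODE or KP_IV after importing it, CryptoAPI uses CBC with an all-zero IV and PKCS#5 padding for block ciphers, which is what to try first when decrypting the remaining buffers offline.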

First, it creates a new directory: “%LOCAL_APPDATA%\Microsoft\Windows”. If the directory creation fails it tries to install into “%TEMP%” directory instead.

Next, it writes a hardcoded binary from its body to “msdeltemp.dll” in the target directory. If the file already exists, it moves the existing file to “__tmpdt.tmp” in the same directory and continues the installation. It then sets the file creation timestamp to that of “%SYSTEM%\sfc.dll”.

To ensure the dropped payload starts automatically on user log-in it creates the following registry key:

StartUpChekTemp=RUNDLL32.EXE “%path to msdeltemp.dll%”,#1

Next, it starts the dropped dll using the same command line:

RUNDLL32.EXE “%path to msdeltemp.dll%”,#1

Finally, the program removes itself by starting the following command: “cmd /c DEL %path to self%”

The MD5 of the dropped file is f6f88caf49a3e32174387cacfa144a89.
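The persistence pattern above (a Run value that has rundll32 load a DLL from a user-writable directory by its first ordinal) is easy to audit for. The script below is an added example, not code from the write-up or a Kaspersky product: the write-up does not say which registry key holds the value, so enumerating the per-user and per-machine Run keys is an assumption; the DLL names, the value name StartUpChekTemp and the install directories come from the analysis above, and the three sample entries are constructed.

```python
"""Audit Windows autorun entries for rundll32-by-ordinal persistence.
Added example; the registry keys checked are an assumption (the write-up
does not name the key), and SAMPLE_ENTRIES are constructed."""
import re
import sys

# rundll32[.exe] "<dll path>",<export name or #ordinal>
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s,]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(#\d+|[A-Za-z_]\w*)',
    re.IGNORECASE,
)
# DLL names that appear in the Sofacy write-up
KNOWN_DLL_NAMES = {"msdeltemp.dll", "msdetltemp.dll", "tf394kv.dll"}
# Install locations named above: %LOCAL_APPDATA%\Microsoft\Windows and %TEMP%
USER_WRITABLE_MARKERS = ("\\appdata\\local\\microsoft\\windows\\", "\\temp\\")


def classify_autorun(value_name: str, command: str):
    """Return the reasons an autorun value is suspicious; [] if none."""
    reasons = []
    if value_name.lower() == "startupchektemp":
        reasons.append("value name used by the AZZY 4.3 dropper")
    m = RUNDLL_RE.match(command)
    if not m:
        return reasons
    dll_path, export = m.group(1), m.group(2)
    low = dll_path.lower()
    basename = low.rsplit("\\", 1)[-1]  # backslash split: path is Windows-style
    if basename in KNOWN_DLL_NAMES:
        reasons.append(f"DLL name from the write-up: {basename}")
    if export == "#1":
        reasons.append("rundll32 calls the DLL's first export by ordinal")
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("DLL lives in a user-writable directory")
    return reasons


# Assumption: the usual autorun locations, since the write-up names none.
RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
]


def enumerate_run_values():
    """Return (hive, value_name, command) triples from the Run keys.
    Windows only: on other platforms it returns an empty list."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    found = []
    for hive_name, subkey in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive_name], subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values
                    found.append((hive_name, name, str(data)))
                    index += 1
        except OSError:
            continue  # key absent or not readable
    return found


def audit_run_keys():
    """Classify every live autorun entry and keep only suspicious ones."""
    results = []
    for hive, name, cmd in enumerate_run_values():
        reasons = classify_autorun(name, cmd)
        if reasons:
            results.append((hive, name, cmd, reasons))
    return results


# Constructed entries for a stand-alone demonstration
SAMPLE_ENTRIES = [
    ("StartUpChekTemp",
     r'RUNDLL32.EXE "C:\Users\alice\AppData\Local\Microsoft\Windows\msdeltemp.dll",#1'),
    ("OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("CplApplet", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for name, cmd in SAMPLE_ENTRIES:
        print(name, "->", classify_autorun(name, cmd) or "clean")
    for hit in audit_run_keys():
        print("LIVE:", hit)
```

The ordinal and location checks are the durable part: the value name and DLL names will change between campaigns, but a Run entry that asks rundll32 to call export #1 of a DLL under AppData or Temp is worth a look on any host.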

Dropper payload – downloader DLL

Internal name: msdetltemp.dll
File format: PE32 DLL
File size: 73,728 bytes
MD5: f6f88caf49a3e32174387cacfa144a89
Linker version: 11.0, Microsoft Visual Studio
Linker timestamp: 2015.02.10 07:20:02 (GMT)
Exported functions:

  • 10002B55: Applicate

Most of the strings inside the binary are encrypted using a homebrew XOR-based algorithm and reversed.

The library is an older version of the “DWN_DLL_MAIN.dll” (md5: ce8b99df8642c065b6af43fde1f786a3).

The DllMain function is identical and starts the main thread; the “Applicate” function is identical to the one in the newer library. This version of the module does not rely on an external transport DLL for communicating with its C2 servers; instead it directly uses Wininet API functions.

The module contains the following hardcoded C2 server names:

  • drivres-update[.]info
  • softupdates[.]info

The module uses a hardcoded URL (“/check/”) for sending HTTP POST requests to its C2 servers.

The server is expected to send back executable code and one of the following commands:

  • Write a new file “%LOCAL_APPDATA%\svchost.exe” or “%TEMP%\svchost.exe” and execute it, then delete the file
  • Write a new file “%LOCAL_APPDATA%\conhost.dll” or “%TEMP%\conhost.dll” and call its first exported function using “rundll32.exe” or Windows API, then delete the file
  • Run shellcode provided by the server in a new thread

File collection module (“USB Stealer”)

Internal name: msdetltemp.dll (from resources)
File size: 50,176 bytes
File format: PE32 EXE
MD5: 0369620eb139c3875a62e36bb7abdae8
Linker version: 10.0, Microsoft Visual Studio
Linker timestamp: 2015.02.09 11:48:01 (GMT)

Most of the strings inside the binary are encrypted using 3DES and XOR and reversed.

The program creates the mutex “mtx” and an event named “WerTyQ34C”.

Upon start, it creates a window with the class name “Hello” and title “Program”, subscribes for device arrival notifications for that window and enters a standard Windows message processing loop. The message processing function waits for the WM_DEVICECHANGE event and starts a new thread on its arrival.

The module inspects every new disk volume attached to the system. For every disk it creates a “stash” directory in “%root stash directory location%\%volume serial number in hex%” with attributes FILE_ATTRIBUTE_HIDDEN and FILE_ATTRIBUTE_SYSTEM. The root stash directory location may be read from the configuration file or set to the default location which is “%MYPICTURES%”.

Then, it traverses the filesystem of the volume looking for files. Depending on the settings read from the configuration file, the scope may be narrowed to files with particular extensions and/or files created after a specified date.

It is worth noting that if the source file location contains the string “System Volume Information\S-1-5-21-1315235578-283289242\”, then the file is deleted after copying to the “stash” directory. There are known related samples that are able to create such directories on removable drives, for example the sample with md5: 8cb08140ddb00ac373d29d37657a03cc.

The configuration file is loaded from the same directory as the module and is expected to have the name “NvCpld.dat”. It is a text file that may contain the following configuration parameters:

  • Path – location of the root “stash” directory
  • Ext – search for files with one of these extensions only
  • Date – search for files not earlier than this date
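The stash layout described above (a hidden, system-attributed directory named after the volume serial number, under the user's Pictures folder) gives defenders a host-side check that does not depend on catching the module itself. The script below is an added example, not code from the write-up: it assumes the serial is written as 8 hex digits and that %MYPICTURES% resolves to ~/Pictures, neither of which the analysis spells out, and the directory listings it is tested with are constructed. The attribute check relies on st_file_attributes, which Python exposes only on Windows.

```python
"""Find USB-stealer style stash directories: hidden+system folders whose
name looks like a volume serial, directly under the Pictures folder.
Added example; 8-hex-digit serial and ~/Pictures are assumptions."""
import os
import re
from collections import Counter

FILE_ATTRIBUTE_HIDDEN = 0x02   # winnt.h values (also in the stat module)
FILE_ATTRIBUTE_SYSTEM = 0x04
STASH_ATTRS = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
SERIAL_NAME = re.compile(r"^[0-9A-Fa-f]{8}$")  # assumption: serial as 8 hex digits


def looks_like_stash(name: str, attributes: int) -> bool:
    """True if a directory name and attribute mask match the stash pattern."""
    return bool(SERIAL_NAME.match(name)) and (attributes & STASH_ATTRS) == STASH_ATTRS


def find_stash_dirs(root: str):
    """Return paths of suspicious subdirectories directly under `root`.
    st_file_attributes exists only on Windows; elsewhere nothing matches."""
    hits = []
    try:
        with os.scandir(root) as it:
            for entry in it:
                if not entry.is_dir(follow_symlinks=False):
                    continue
                attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
                if looks_like_stash(entry.name, attrs):
                    hits.append(entry.path)
    except OSError:
        pass  # missing or unreadable root: nothing to report
    return hits


def summarize_listing(filenames):
    """Triage helper: file count and extension histogram for a stash, so an
    analyst can see what the attackers' Ext filter selected."""
    exts = Counter(os.path.splitext(n)[1].lower() or "(none)" for n in filenames)
    return {"files": len(filenames), "by_extension": dict(exts)}


def summarize_stash(path: str):
    """Walk a stash directory and summarise everything copied into it."""
    names = [f for _, _, files in os.walk(path) for f in files]
    return summarize_listing(names)


def scan_user_pictures():
    """Check the default Pictures folder (assumed %MYPICTURES% location)."""
    return find_stash_dirs(os.path.join(os.path.expanduser("~"), "Pictures"))


if __name__ == "__main__":
    for path in scan_user_pictures():
        print(path, summarize_stash(path))
```

Because the root stash location is configurable through NvCpld.dat, a negative result under Pictures is not conclusive; running `find_stash_dirs` over the other user profile folders costs little and covers the case where the attackers changed the Path setting.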

Internal name: NvCpld.dll (from export table), msdetltemp.dll (from resources), IGFSRVC.dll (from resources)
File format: PE32 DLL
File size: 76,288 bytes
MD5s: 8b238931a7f64fddcad3057a96855f6c, ce151285e8f0e7b2b90162ba171a4b90
Linker version: 11.0, Microsoft Visual Studio
Linker timestamps: 2015.05.29 11:20:32 (GMT), 2006.11.25 04:39:15 (GMT)
Exported functions:

  • 10002500: NvMswt
  • 10002860: NvReg
  • 10002880: NvStart
  • 10002A80: NvStop

This library is a newer version of the file collection module (md5: 0369620eb139c3875a62e36bb7abdae8) wrapped in a DLL file.

There are two known variants of this module; they only differ in timestamp values and version information in the resource section.

The DllMain function only decrypts the data structures and initializes Windows API pointers.

The function “NvMswt” is a wrapper for the API function MsgWaitForMultipleObjects.

The function “NvReg” is a wrapper for the API function RegisterClassW.

The function “NvStart” is similar to the main function of the older module; it creates a window and enters the message loop waiting for device arrival notifications. The only difference introduced is that an event named “WerTyQ34C” can be signalled by the function “NvStop” to terminate the message loop and stop processing.

Indicators of compromise

AZZY 4.3 installer:

New generation (4.3) AZZY implants:

Dropped C&C helper DLL for AZZY 4.3:

File collectors / USB stealers:

Stand-alone AZZY backdoors:

C&C hostnames:

  • drivres-update[.]info
  • intelnetservice[.]com
  • intelsupport[.]net
  • softupdates[.]info

Kaspersky Lab products detect the malware mentioned here with the following names:

  • Trojan.Win64.Sofacy.q
  • Trojan.Win64.Sofacy.s
  • HEUR:Trojan.Win32.Generic
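The network side of this analysis (the transport library's POST to “/store/” with the bare user agent “MSIE 8.0”, the older downloader's POST to “/check/”, the hostnames above, and the fixed five- and ten-minute beacon rhythm) translates directly into a proxy-log check. The script below is an added example, not a Kaspersky detection: the log format is a constructed space-separated layout, every log line is constructed, and the hostnames are the four listed above with the defanging removed. Beyond the exact indicators it also flags periodic POST traffic, which survives a change of hostname.

```python
"""Scan web-proxy logs for AZZY-style C2 traffic and beacon periodicity.
Added example; the log format and all SAMPLE_LOG lines are constructed,
the hostnames are the indicators listed in the write-up."""
import re
from collections import defaultdict
from datetime import datetime

# Hostnames from the indicators list, refanged for matching
C2_HOSTS = {h.replace("[.]", ".") for h in (
    "drivres-update[.]info", "intelnetservice[.]com",
    "intelsupport[.]net", "softupdates[.]info")}
C2_URIS = {"/store/", "/check/"}
BARE_UA = "MSIE 8.0"  # a real IE8 UA reads "Mozilla/4.0 (compatible; MSIE 8.0; ...)"

# Constructed format: timestamp src method host uri status "user-agent"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+) "([^"]*)"$')


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, host, uri, status, ua = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "method": method.upper(), "host": host.lower(), "uri": uri,
            "status": int(status), "ua": ua}


def classify(ev):
    """Reasons one request matches the transport described in the analysis."""
    reasons = []
    if ev["host"] in C2_HOSTS:
        reasons.append(f"known C&C host {ev['host']}")
    if ev["method"] == "POST" and ev["uri"] in C2_URIS and ev["ua"] == BARE_UA:
        reasons.append(f"POST {ev['uri']} with bare user agent {BARE_UA!r}")
    return reasons


def scan_lines(lines):
    """Return (line_no, src, reasons) for every line that raised a reason."""
    alerts = []
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = classify(ev)
        if reasons:
            alerts.append((n, ev["src"], reasons))
    return alerts


def beacon_candidates(lines, min_events=3, tolerance=0.10):
    """Find (src, host) pairs whose POSTs recur at a near-constant interval,
    as a 5- or 10-minute beacon would. Returns pair -> mean gap in seconds."""
    times = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST":
            times[(ev["src"], ev["host"])].append(ev["ts"])
    out = {}
    for pair, ts in times.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps):
            out[pair] = mean
    return out


SAMPLE_LOG = [  # constructed
    '2015-08-04T10:00:00Z 10.1.2.3 POST intelsupport.net /store/ 200 "MSIE 8.0"',
    '2015-08-04T10:10:01Z 10.1.2.3 POST intelsupport.net /store/ 200 "MSIE 8.0"',
    '2015-08-04T10:20:00Z 10.1.2.3 POST intelsupport.net /store/ 200 "MSIE 8.0"',
    '2015-08-04T10:21:44Z 10.1.2.9 GET www.example.com /index.html 200 '
    '"Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0"',
    '2015-08-04T10:22:10Z 10.1.2.7 POST shop.example.org /store/ 200 '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"',
    '2015-08-04T10:25:00Z 10.1.2.5 POST drivres-update.info /check/ 200 "MSIE 8.0"',
]

if __name__ == "__main__":
    for n, src, why in scan_lines(SAMPLE_LOG):
        print(f"line {n} {src}: " + "; ".join(why))
    for (src, host), gap in beacon_candidates(SAMPLE_LOG).items():
        print(f"beacon-like: {src} -> {host} every {gap:.0f}s")
```

The fourth sample line is there on purpose: a shop with a /store/ path and a normal IE8 user agent must not fire, which is why the rule requires the bare “MSIE 8.0” string rather than a substring match.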

Kaspersky Security Bulletin 2015. Top security stories

Thu, 12/03/2015 - 05:59


Targeted attacks and malware campaigns

Targeted attacks are now an established part of the threat landscape, so it’s no surprise to see such attacks feature in our yearly review. Last year, in our security forecast, we outlined what we saw as the likely future APT developments.

  • The merger of cybercrime and APT
  • Fragmentation of bigger APT groups
  • Evolving malware techniques
  • New methods of data exfiltration
  • APT arms race

Here are the major APT campaigns that we reported this year.

Carbanak combined cybercrime – in this case, stealing money from financial institutions – with the infiltration techniques typical of a targeted attack. The campaign was uncovered in spring 2015: Kaspersky Lab was invited to conduct a forensic investigation of a bank’s systems after some of its ATMs started to dispense cash ‘randomly’. It turned out that the bank was infected. Carbanak is a backdoor designed to carry out espionage, data exfiltration and remote control of infected computers. The attackers used APT-style methods to compromise their victims – sending spear-phishing e-mails to bank employees. Once the malware was installed on a bank’s computer, the attackers carried out reconnaissance to identify systems related to processing, accounting and ATMs and simply mimicked the activities of legitimate employees. Carbanak used three methods to steal money: (1) dispensing cash from ATMs, (2) transferring money to cybercriminals using the SWIFT network and (3) creating fake accounts and using mule services to collect the money. The attackers targeted around 100 financial institutions, with total losses amounting to almost $1 billion.

One of the most talked-about news stories of Q1 2015 surrounded the Equation cyber-espionage group. The attackers behind Equation successfully infected the computers of thousands of victims in Iran, Russia, Syria, Afghanistan, the United States and elsewhere – victims included government and diplomatic institutions, telecommunications companies and energy firms. This is one of the most sophisticated APT campaigns we’ve seen: one of the many modules developed by the group modifies the firmware of hard drives – providing a level of stealth and persistence beyond other targeted attacks. It’s clear that development of the code stretches back to 2001 or earlier. It’s also related to other notorious attacks, Stuxnet and Flame – for example, its arsenal included two zero-day vulnerabilities that were later to be used in Stuxnet.

While investigating an incident in the Middle East, we uncovered the activity of a previously unknown group conducting targeted attacks. Desert Falcons is the first Arabic-speaking group that has been seen conducting full-scale cyber-espionage operations – apparently connected with the political situation in the region. The first signs of this campaign date back to 2011. The first infections took place in 2013, although the peak of activity was in late 2014 and early 2015. The group has stolen over 1 million files from more than 3,000 victims. The victims include political activists and leaders, government and military organizations, mass media and financial institutions – located primarily in Palestine, Egypt, Israel and Jordan. It’s clear that members of the Desert Falcons group aren’t beginners: they developed Windows and Android malware from scratch, and skillfully organized attacks that relied on phishing e-mails, fake web sites and fake social network accounts.

#Carbanak combined stealing from financial institutions with techniques typical of a targeted attack #KLReport


In March 2015, we published our report on the Animal Farm APT, although information on the tools used in this campaign started appearing in the previous year. In March 2014, the French newspaper, Le Monde, published an article on a cyber-espionage toolset that had been identified by Communications Security Establishment Canada (CSEC): this toolset had been used in the ‘Snowglobe’ operation that targeted French-speaking media in Canada, as well as Greece, France, Norway and some African countries. CSEC believed that the operation might have been initiated by French intelligence agencies. A year later, security researchers published analyses (here, here and here) of malicious programs that had much in common with ‘Snowglobe’: in particular, the research included samples with the internal name ‘Babar’ – the name of the program mentioned by CSEC. Following analysis of the malicious programs, and the connections between them, Kaspersky Lab named the group behind the attacks as Animal Farm. The group’s arsenal included two of the three zero-day vulnerabilities that we had found in 2014 and that had been used by cybercriminals: for example, an attack from the compromised web site of the Syrian Ministry of Justice using CVE-2014-0515 exploits led to the download of an Animal Farm tool called ‘Casper’. One curious feature of this campaign is that one of its programs, ‘NBOT’, is designed to conduct DDoS (Distributed Denial of Service) attacks. This is rare for APT groups. One of the malicious ‘animals’ in the farm has the strange name ‘Tafacalou’ – possibly an Occitan word (a language spoken in France and some other places).

In April 2015, we reported the appearance of a new member of a growing ‘Duke’ family that already includes MiniDuke, CosmicDuke and OnionDuke. The CozyDuke APT (also known as ‘CozyBear’, ‘CozyCat’ and ‘Office Monkeys’) targets government organisations and businesses in the United States, Germany, South Korea and Uzbekistan. The attack implements a number of sophisticated techniques, including the use of encryption, anti-detection capabilities and a well-developed set of components that are structurally similar to earlier threats within the ‘Duke’ family. However, one of its most notable features is its use of social engineering. Some of the attackers’ spear-phishing e-mails contain a link to hacked web sites – including high-profile, legitimate sites – that host a ZIP archive. This archive contains a RAR SFX that installs the malware while showing an empty PDF as a decoy. Another approach is to send out fake flash videos as e-mail attachments. A notable example (one that gives the malware one of its names) is ‘OfficeMonkeys LOL’. When run, this drops a CozyDuke executable on to the computer, while playing a ‘fun’ decoy video showing monkeys working in an office. This encourages victims to pass the video around the office, increasing the number of compromised computers. The successful use of social engineering to trick staff into doing something that jeopardises corporate security – by CozyDuke and so many other targeted attackers – underlines the need to make staff education a core component of any business security strategy.

The Naikon APT focused on sensitive targets in south-eastern Asia and around the South China Sea. The attackers, who seem to be Chinese-speaking and have been active for at least five years, target top-level government agencies and civil and military organisations in the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos and China. Like so many targeted attack campaigns, Naikon makes extensive use of social engineering to trick employees of target organizations into installing the malware. The main module is a remote administration tool that supports 48 commands designed to exercise control over infected computers: these include commands to take a complete inventory, download and upload data, install add-on modules and the use of keyloggers to obtain employees’ credentials. The attackers assigned an operator to each target country, able to take advantage of local cultural features – for example, the tendency to use personal e-mail accounts for work. They also made use of a specific proxy server within a country’s borders, to manage connections to infected computers and transfer of data to the attackers’ Command-and-Control (C2) servers. You can find our main report and follow-up report on our web site.

One of the many modules developed by the #Equation group modifies the firmware of hard drives #KLReport


While researching Naikon, we also uncovered the activities of the Hellsing APT group. This group focused mainly on government and diplomatic organisations in Asia: most victims are located in Malaysia and the Philippines, although we have also seen victims in India, Indonesia and the US. In itself, Hellsing is a small and technically unremarkable cyber-espionage group (around 20 organisations have been targeted by Hellsing). What makes it interesting is that the group found itself on the receiving end of a spear-phishing attack by the Naikon APT group – and decided to strike back! The recipient of the e-mail questioned its authenticity with the sender. They subsequently received a response from the attacker, but didn’t open the attachment. Instead, shortly afterwards they sent an e-mail back to the attackers that contained their own malware. It’s clear that, having detected that they were being targeted, the Hellsing group was intent on identifying the attackers and gathering intelligence on their activities. In the past, we’ve seen APT groups accidentally treading on each other’s toes – for example, stealing address books from victims and then mass-mailing everyone on each of the lists. But an APT-on-APT attack is unusual.

Many targeted attack campaigns focus on large enterprises, government agencies and other high-profile organisations. So it’s easy to read the headlines and imagine that such organisations are the only ones on the radar of those behind targeted attacks. However, one of the campaigns we reported last quarter showed clearly that it’s not only ‘big fish’ that attackers are interested in. The Grabit cyber-espionage campaign is designed to steal data from small- and medium-sized organisations – mainly based in Thailand, Vietnam and India, although we have also seen victims in the US, UAE, Turkey, Russia, China, Germany and elsewhere. The targeted sectors include chemicals, nanotechnology, education, agriculture, media and construction. We estimate that the group behind the attacks has been able to steal around 10,000 files. There’s no question that every business is a potential target – for its own assets, or as a way of infiltrating another organisation.

In spring 2015, during a security sweep, Kaspersky Lab detected a cyber-intrusion affecting several internal systems. The full-scale investigation that followed uncovered the development of a new malware platform from one of the most skilled, mysterious and powerful groups in the APT world – Duqu, sometimes referred to as the step-brother of Stuxnet. We named this new platform ‘Duqu 2.0’. In the case of Kaspersky Lab, the attack took advantage of a zero-day vulnerability in the Windows kernel (patched by Microsoft on 9 June 2015) and possibly up to two others (now patched) that were also zero-day vulnerabilities at the time. The main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. However, Kaspersky Lab was not the only target. Some Duqu 2.0 infections were linked to the P5+1 events related to negotiations with Iran about a nuclear deal: the attackers appear to have launched attacks at the venues for some of these high-level talks. In addition, the group launched a similar attack related to the 70th anniversary event of the liberation of Auschwitz-Birkenau. One of the most notable features of Duqu 2.0 was its lack of persistence, leaving almost no traces in the system. The malware made no changes to the disk or system settings: the malware platform was designed in such a way that it survives almost exclusively in the memory of infected systems. This suggests that the attackers were confident that they could maintain their presence in the system even if an individual victim’s computer was re-booted and the malware was cleared from memory. The Duqu 2.0 technical paper and analysis of the persistence module can be found on our web site.

In August, we reported on the Blue Termite APT, a targeted attack campaign focused on stealing information from organisations in Japan. These include government agencies, local government bodies, public interest groups, universities, banks, financial services, energy, communication, heavy industry, chemical, automotive, electrical, news media, information services sector, health care, real estate, food, semiconductor, robotics, construction, insurance, transportation and more. One of the most high profile targets was the Japan Pension Service. The malware is customized according to the specific victim. The Blue Termite backdoor stores data about itself – including C2, API name, strings for anti-analysis, values of mutexes, as well as the MD5 checksum of backdoor commands and the internal proxy information. The data is stored in encrypted form, making analysis of the malware more difficult – a unique decryption key is required for each sample. The main method of infection, as with so many targeted attack campaigns, is via spear-phishing e-mails. However, we have seen other methods of infection. These include drive-by downloads using a Flash exploit (CVE-2015-5119) – one of the exploits leaked following the Hacking Team security breach – several Japanese web sites were compromised this way. We also found some watering-hole attacks, including one on a web site belonging to a prominent member of the Japanese government.

#Hellsing group found itself on the receiving end of a spear-phishing attack by #Naikon group & strike back #KLReport


The group behind the Turla cyber-espionage campaign has been active for more than eight years now (our initial report, follow-up analysis and campaign overview can be found on our web site), infecting hundreds of computers in more than 45 countries. The attackers profile their victims using watering-hole attacks in the initial stages. However, as outlined in our latest report, for subsequent operations the group makes use of satellite communications to manage its C2 traffic. The method used by Turla to hijack downstream satellite links does not require a valid satellite Internet subscription. The key benefit is that it’s anonymous – it’s very hard to identify the attackers. The satellite receivers can be located anywhere within the area covered by the satellite (typically a wide area) and the true location and hardware of the C2 server can’t be identified easily or physically seized. It’s also cheaper than purchasing a satellite-based link and easier than hijacking traffic between the victim and the satellite operator and injecting packets along the way. The Turla group tends to focus on satellite Internet providers located in the Middle East and Africa, including Congo, Lebanon, Libya, Niger, Nigeria, Somalia and the UAE. Satellite broadcasts from these countries don’t normally cover European and North American countries, making it very hard for security researchers to investigate such attacks. The use of satellite-based Internet links is an interesting development. The hijacking of downstream bandwidth is cheap (around $1,000 for the initial investment and around $1,000 per year in maintenance), easy to do and offers a high degree of anonymity. On the other hand, it is not always as reliable as more traditional methods (bullet-proof hosting, multiple proxy levels and hacked web sites) – all of which Turla also uses. This makes it less likely that it will be used to maintain extensive botnets. Nevertheless, if this method becomes widespread among APT groups or cybercriminals, it will pose a serious problem for the IT security industry and law enforcement agencies.

In August 2015, we published an update on the Darkhotel APT. These attacks were originally characterised by the misuse of stolen certificates, the deployment of HTA files using multiple methods and the infiltration of hotel Wi-Fi to place backdoors on targets’ computers.

The #Turla group makes use of satellite communications to manage its C2 traffic #KLReport


While the attackers behind this APT continue to use these methods, they have supplemented their armoury, shifting their attention more towards spear-phishing of their chosen victims. As well as using HTA files, they are also deploying infected RAR files, using the RTLO (right-to-left override) mechanism to mask the real extension of the file. The attackers also use Flash exploits, including a zero-day exploit leaked as a result of the Hacking Team security breach. The group has also extended its geographic reach to include victims in North Korea, Russia, South Korea, Japan, Bangladesh, Thailand, India, Mozambique and Germany.
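The RTLO trick works because the Unicode RIGHT-TO-LEFT OVERRIDE (U+202E) is invisible and makes everything after it render reversed, so a name whose real extension is `.scr` can be displayed as if it ended in `.png`. A mail gateway or endpoint agent can catch this without rendering anything: look for bidirectional control characters in the name and compare the real extension with what the user would see. The following is an added example written for this page (not code from the report or from any vendor); the attachment names in `SAMPLE_ATTACHMENTS` are constructed, and the set of executable extensions is this example's own choice.

```python
"""Detect right-to-left-override (RTLO) file-name spoofing in attachments.

Added example; not code from the Kaspersky report. The attachment names in
SAMPLE_ATTACHMENTS are constructed for illustration.
"""
import unicodedata

# Unicode bidirectional control characters that can reorder displayed text.
# U+202E RIGHT-TO-LEFT OVERRIDE is the one abused to hide a file extension.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # embeddings / overrides
    "\u2066", "\u2067", "\u2068", "\u2069",            # isolates
    "\u200e", "\u200f",                                # LRM / RLM marks
}

# Extensions Windows executes directly (assumed list for this example; HTA and
# SCR are the ones the text mentions, the rest are common equivalents).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "hta", "com", "pif", "bat", "cmd",
                         "js", "vbs", "lnk"}

# Constructed sample mailbox: one benign name, one RTLO-spoofed name and one
# name carrying a bidi mark but a harmless real extension.
SAMPLE_ATTACHMENTS = [
    "quarterly_report.pdf",
    "photo_2015\u202egnp.scr",      # renders as "photo_2015rcs.png"
    "\u200fnotes.txt",
]


def real_extension(filename: str) -> str:
    """The extension the operating system acts on: text after the last dot."""
    _, dot, ext = filename.rpartition(".")
    return ext.lower() if dot else ""


def displayed_name(filename: str) -> str:
    """Approximate what a bidi-aware renderer shows: every character after a
    RIGHT-TO-LEFT OVERRIDE is drawn reversed and the control itself is invisible."""
    head, rtlo, tail = filename.partition("\u202e")
    if not rtlo:
        return filename
    return head + tail[::-1]


def analyse_filename(filename: str) -> dict:
    """Flag a name containing bidi controls and report what it really is."""
    controls = [c for c in filename if c in BIDI_CONTROLS]
    ext = real_extension(filename)
    return {
        "suspicious": bool(controls),
        "controls": [f"U+{ord(c):04X} {unicodedata.name(c)}" for c in controls],
        "displayed_as": displayed_name(filename),
        "real_extension": ext,
        "hides_executable": bool(controls) and ext in EXECUTABLE_EXTENSIONS,
    }


def triage(filenames):
    """Names to quarantine: a bidi control hiding an executable extension."""
    return [name for name in filenames
            if analyse_filename(name)["hides_executable"]]


if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(analyse_filename(name))
    print("quarantine:", triage(SAMPLE_ATTACHMENTS))
```

A stricter policy would quarantine any attachment name containing a bidi control at all; legitimate right-to-left file names exist, so the `hides_executable` flag is the one worth alerting on by default, with the bare `suspicious` flag logged for review.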

Data breaches

There has been a steady stream of security breaches this year. That such incidents have become routine is hardly surprising: personal information is a valuable commodity – not just for legitimate companies, but for cybercriminals too. Among the biggest incidents this year were attacks on Anthem, LastPass, Hacking Team, the United States Office of Personnel Management, Ashley Madison, Carphone Warehouse, Experian and TalkTalk. Some of these attacks resulted in the theft of huge amounts of data, highlighting the fact that many companies are failing to take adequate steps to defend themselves. It’s not simply a matter of defending the corporate perimeter. There’s no such thing as 100 per cent security, so it’s not possible to guarantee that systems can’t be breached, especially where someone on the inside is tricked into doing something that jeopardises corporate security. But any organisation that holds personal data has a duty of care to secure it effectively. This includes hashing and salting customer passwords and encrypting other sensitive data.

On the other hand, consumers can limit the damage of a security breach at an online provider by ensuring that they choose passwords that are unique and complex: an ideal password is at least 15 characters long and consists of a mixture of letters, numbers and symbols from the entire keyboard. As an alternative, people can use a password manager application to handle all this for them automatically.

The issue of passwords is one that keeps surfacing. If we choose a password that is too easy to guess, we leave ourselves wide open to identity theft. The problem is compounded if we recycle the same password across multiple online accounts – if one account is compromised, they’re all at risk! This is why many providers, including Apple, Google and Microsoft, now offer two-factor authentication – i.e. requiring customers to enter a code generated by a hardware token, or one sent to a mobile device, in order to access a site, or at least in order to make changes to account settings. Two-factor authentication certainly enhances security – but only if it’s required, rather than just being an option.

In 2015, there has been a steady stream of security breaches #KLReport


The theft of personal data can have serious consequences for those affected. However, sometimes there can be serious knock-on effects. The Hacking Team breach resulted in the publication of 400GB of data: this included exploits used by the Italian company in its surveillance software. Some of the exploits were used in APT attacks – Darkhotel and Blue Termite. Unsurprisingly, the breach was followed by a scramble to patch the vulnerabilities exposed by the attackers.

Smart (but not necessarily secure) devices

The Internet is woven into the fabric of our lives – literally in the case of the growing number of everyday objects used in the modern home – smart TVs, smart meters, baby monitors, kettles and more. You may remember that last year one of our security researchers investigated his own home, to determine whether it was really cyber-secure. You can find a follow-up to this research here. However, the ‘Internet of Things’ encompasses more than household devices.

Researchers have been investigating the potential security risks associated with connected cars for some years. In July 2014 Kaspersky Lab and IAB published a study looking at the potential problem areas of connected cars. Until this year, the focus was on accessing the car’s systems by means of a physical connection to the vehicle. This changed when researchers Charlie Miller and Chris Valasek found a way to gain wireless access to the critical systems of a Jeep Cherokee – successfully taking control and driving it off the road! (You can read the story here.)

This story underlines some of the problems with connected devices that extend beyond the car industry – to any connected device. Unfortunately, security features are hard to sell; and in a competitive marketplace, things that make customers’ lives easier tend to take precedence. In addition, connectivity is often added to a pre-existing communication network that wasn’t created with security in mind. Finally, history shows that security tends to be retro-fitted only after something bad happens to demonstrate the impact of a security weakness. You can read more on these issues in a blog post written by Eugene Kaspersky published in the aftermath of the above research.

Some of the problems with connected devices apply also to ‘smart cities’ #KLReport


Such problems apply also to ‘smart cities’. For example, the use of CCTV systems by governments and law enforcement agencies to monitor public places has grown enormously in recent years. Many CCTV cameras are connected wirelessly to the Internet, enabling police to monitor them remotely. However, they are not necessarily secure: there’s the potential for cybercriminals to passively monitor security camera feeds, to inject code into the network – thereby replacing a camera feed with fake footage – or to take systems offline. Two security researchers (Vasilios Hioureas from Kaspersky Lab and Thomas Kinsey from Exigent Systems) recently conducted research into the potential security weaknesses in CCTV systems in one city. You can read Vasilios’s report on our web site.

Unfortunately, there had been no attempt to mask the cameras, so it was easy to determine the makes and models of the cameras being used, examine the relevant specifications and build a scaled model of the system in the lab. The equipment being used provided effective security controls, but these controls were not being implemented. Data packets passing across the mesh network were not being encrypted, so an attacker would be able to create their own version of the software and manipulate data travelling across it. One way this could potentially be used by attackers would be to spoof footage sent to a police station, making it appear as if there is an incident in one location, thereby distracting police from a real attack occurring somewhere else in the city.

The researchers reported the issues to those in charge of the real-world city surveillance system and they are in the process of fixing the security problems. In general, it’s important that WPA encryption, protected by a strong password, is implemented in such networks; that labelling is removed from hardware, to make it harder for would-be attackers to find out how the equipment operates; and that footage is encrypted as it travels through the network.
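The spoofing scenario above works because nothing on the mesh lets the receiving station tell a genuine frame from an injected one. The added example below (written for this page, not code from the researchers or any camera vendor) shows the integrity half of the fix: each camera authenticates its frames with a per-camera HMAC key and a monotonically increasing sequence number, so a forged frame, a modified frame and a replayed old frame are all rejected at the monitoring station. The packet layout, the camera keys and the frame bytes are constructed for the illustration; the WPA link encryption and footage encryption the text recommends would be layered on top of this and are not shown.

```python
"""Authenticate and sequence-number camera frames so injected or replayed footage is rejected.

Added example; not code from the researchers' report or any vendor. The packet
layout, keys and frame bytes are constructed for this illustration. It covers
integrity and replay protection only; link and footage encryption are separate.
"""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

# Wire header: camera id (u16), per-camera sequence number (u32), timestamp ms (u64).
HEADER = struct.Struct("!HIQ")
TAG_LEN = hashlib.sha256().digest_size   # 32-byte HMAC tag appended to each packet


def seal_frame(key: bytes, camera_id: int, seq: int, ts_ms: int, frame: bytes) -> bytes:
    """Camera side: header || frame || HMAC-SHA256(key, header || frame)."""
    header = HEADER.pack(camera_id, seq, ts_ms)
    tag = hmac.new(key, header + frame, hashlib.sha256).digest()
    return header + frame + tag


class FeedVerifier:
    """Receiver side (the monitoring station): one key per camera and the
    highest sequence number accepted from it."""

    def __init__(self, keys: Dict[int, bytes]):
        self.keys = keys
        self.last_seq: Dict[int, int] = {}

    def accept(self, packet: bytes) -> Tuple[bool, object]:
        """Return (True, frame) for an authentic, fresh packet, else (False, reason)."""
        if len(packet) < HEADER.size + TAG_LEN:
            return False, "truncated"
        header = packet[:HEADER.size]
        body = packet[HEADER.size:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        camera_id, seq, _ts = HEADER.unpack(header)
        key = self.keys.get(camera_id)
        if key is None:
            return False, "unknown camera"
        expected = hmac.new(key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"        # forged or tampered frame
        if seq <= self.last_seq.get(camera_id, -1):
            return False, "replay"         # an old frame re-sent onto the mesh
        self.last_seq[camera_id] = seq
        return True, body


def run_demo():
    """Constructed scenario: one genuine frame, one forged with a wrong key,
    one with the footage bytes swapped, and the genuine frame replayed."""
    cam_key = b"\x11" * 32               # constructed per-camera key
    verifier = FeedVerifier({7: cam_key})
    genuine = seal_frame(cam_key, 7, 1, 1_000, b"frame-bytes-01")
    forged = seal_frame(b"attacker-guess", 7, 2, 1_040, b"nothing-to-see")
    tampered = genuine[:HEADER.size] + b"fake-footage!!" + genuine[-TAG_LEN:]
    return [
        verifier.accept(genuine)[0],     # True
        verifier.accept(forged)[1],      # "bad tag"
        verifier.accept(tampered)[1],    # "bad tag"
        verifier.accept(genuine)[1],     # "replay"
    ]


if __name__ == "__main__":
    print(run_demo())
```

Each rejection reason is worth logging separately at the station: a burst of `bad tag` results from one camera id is the signal that someone is injecting traffic on the mesh, which is exactly the event the unencrypted, unauthenticated deployment could not see.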

The wider issue here is that more and more aspects of everyday life are being made digital: if security isn’t considered at the design stage, the potential dangers could be far-reaching – and retro-fitting security might not be straightforward. The Securing Smart Cities initiative, supported by Kaspersky Lab, is designed to help those responsible for developing smart cities to do so with cyber-security in mind.

International co-operation against cybercriminals

Cybercrime is now an established part of life, on the back of the ever-increasing online activities we engage in. This is now being reflected in official statistics. In the UK, for example, the Office for National Statistics now includes cybercrime among its estimates of the scale of crime, reflecting the fact that the nature of crime in society is changing. While there’s no question that cybercrime can be lucrative, cybercriminals aren’t always able to act with impunity; and the actions of law enforcement agencies around the world can have a significant impact. International co-operation is particularly important, given the global nature of cybercrime. This year there have been some notable police operations.

In April, Kaspersky Lab was involved in the take-down of the Simda botnet, co-ordinated by the Interpol Global Complex for Innovation. The investigation was started by Microsoft and expanded to other participants, including Trend Micro, the Cyber Defense Institute, officers from the Dutch National High Tech Crime Unit (NHTCU), the FBI, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Russian Ministry of the Interior’s Cybercrime Department ‘K’ supported by the INTERPOL National Central Bureau in Moscow. As a result of the operation, 14 servers in the Netherlands, the US, Luxembourg, Poland and Russia were taken down. Preliminary analysis of some of the sink-holed server logs revealed that 190 countries had been affected by the botnet.

In 2015, there have been some notable international police operations #KLReport


In September, the Dutch police arrested two men for suspected involvement in CoinVault ransomware attacks, following a joint effort by Kaspersky Lab, Panda Security and the Dutch National High Tech Crime Unit (NHTCU). This malware campaign started in May 2014 and continued into this year, targeting victims in more than 20 countries, with the majority of victims in the Netherlands, Germany, the United States, France and Great Britain. They successfully encrypted files on more than 1,500 Windows-based computers, demanding payment in bitcoin to decrypt data. The cybercriminals responsible for this ransomware campaign modified their creations several times to keep on targeting new victims. In November 2014, Kaspersky Lab and the Dutch NHTCU launched a web site to act as a repository of decryption keys; and we also made available online a decryption tool to help victims recover their data without having to pay the ransom. You can find our analysis of the twists and turns employed by the CoinVault authors here. Ransomware has become a notable fixture of the threat landscape. While this case shows that collaboration between researchers and law enforcement agencies can lead to positive results, it’s essential for consumers and businesses alike to take steps to mitigate the risks of this type of malware. Ransomware operations rely on their victims paying up. In September, an FBI agent caused controversy by suggesting that victims should pay the ransom in order to recover their data. While this might seem to be a pragmatic solution (not least because there are situations where recovery of data is not possible), it’s a dangerous strategy. First, there’s no guarantee that the cybercriminals will provide the necessary mechanism to decrypt the data. Second, it reinforces their business model and makes the further development of ransomware more likely. We would recommend that businesses and individuals alike make regular backups of data, to avoid being put in this invidious position.

Attacks on industrial objects

Incidents caused by cybersecurity problems are a fairly regular occurrence at industrial objects. For example, according to US ICS-CERT data, 245 such incidents were recorded in the US during the 2014 fiscal year, and 22 incidents in July and August 2015. However, we believe these numbers do not reflect the actual situation: there are many more cyber incidents than this. And while enterprise operators and owners prefer to keep quiet about some of these incidents, they are simply unaware of others.

Let’s have a look at two cases that caught our attention in 2015.

One is an incident that took place at a steel mill in Germany. Towards the end of 2014, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) published a report (see the appendix in English) which mentioned a cyber incident at a German steel mill. The incident resulted in physical damage to a blast furnace.

This is the second cyberattack that we know of, after Stuxnet, to cause physical damage to industrial facilities. According to BSI, the attackers first used phishing emails to infect the enterprise’s office network, after which the hackers managed to infect a SCADA computer and attack the physical equipment. Unfortunately, BSI did not provide any additional information, so we do not know which malware was used and how it operated.

This secrecy is bad for everybody: operators of other similar enterprises (with the possible exception of German facilities) will not be able to analyze the attack and implement countermeasures; cybersecurity experts are also in the dark and are unable to suggest security measures to their customers.

Incident in Germany – the second cyberattack, after Stuxnet, to cause physical damage to facilities #KLReport


Another curious incident was an attack against the Frederic Chopin Airport in Warsaw in June 2015. The computer system responsible for preparing flight plans for LOT, Poland’s national airline, was taken down for about five hours one Sunday. According to Reuters, this caused delays to a dozen flights.

The airport management provided no details and experts had to form their opinions based on their experience. Ruben Santamarta, Principal Security Consultant at IOActive, has previously called attention to IT security issues in aviation. Based on what the LOT representatives said, he suggested that the company had fallen victim to a targeted attack: the system couldn’t generate flight plans because key nodes in the back office were compromised, or perhaps the attack targeted ground communication devices, resulting in the inability to perform or validate data loading on aircraft (including flight plans).

Our experts also responded to the incident, suggesting there could be two possible scenarios. The incident may have been the result of human error or equipment malfunction. Alternatively, the incident at the relatively small Warsaw airport could be a precursor of larger-scale attacks on other, much larger, airports.

It was later announced that a DDoS attack had taken place and that no penetration had actually occurred. Once again, no detailed information about the incident was disclosed and we can either believe the official information or guess at the real reasons and goals of the attack.

Whoever was behind the attacks described above and whatever goals they pursued, these incidents clearly demonstrate how significant a part of our lives computers have become and how vulnerable infrastructure objects have become in recent years.

Unfortunately, today many governments and regulators resort to a policy of secrecy. We believe that transparency and the exchange of information about cyberattacks is an important part of providing adequate protection for industrial objects. Without this knowledge, it is very hard to protect these objects against future threats.

In conclusion, we would like to mention one more trend that is already relevant and will continue to affect us all in the coming years: the hardware used by industrial enterprises is being actively connected to the Web. The Internet may have appeared quite a long time ago, but it is only now that it is being introduced to industrial processes. It is no exaggeration to say that this represents a new industrial revolution: we are witnessing the birth of the ‘Industrial Internet of Things’ or Enterprise 4.0. As a result, enterprises receive a whole host of additional benefits and can improve their manufacturing efficiency.

We are witnessing the birth of a new industrial revolution – the ‘Industrial Internet of Things’ #KLReport


In order to keep up with this trend, equipment manufacturers simply add sensors and controllers to proven, safe and reliable equipment originally developed for the ‘offline’ world, provide Internet connectivity for their devices and then offer this ‘new equipment’ to customers. They forget, however, that when online features are added to any device, this gives rise to new cybersecurity-related risks and threats. This is no longer a ‘physical’ device, but a ‘cyber-physical’ one.

In the world of physical devices, all industrial devices, instruments, communication protocols, etc. were designed with safety in mind – in other words, they were built to be foolproof. This meant that if a device was designed to meet functional safety requirements, operating it without violating the safety rules would not result in any failures or damage to people or the environment.

Enterprise 4.0 brings with it a new security dimension: IT security, or protection against intentional external manipulation. You cannot simply connect an object or device from the pre-Internet era to the Internet: the consequences of this can be – and often are – disastrous.

Engineers who embrace old ‘pre-revolutionary’ design principles often fail to realize that their devices can now be ‘operated’ not only by engineers, who know which actions are admissible and which are not, but also by hackers for whom there is no such thing as an inadmissible remote operation. This is one of the main reasons why today some well-established companies with many years of experience offer hardware that may be reliable from the point of view of functional safety, but which does not provide an adequate level of cybersecurity.

In the world of cyber-physical devices, physical and cyber components are tightly integrated. A cyberattack can disrupt an industrial process, damage equipment or cause a technogenic disaster. Hackers are a real threat and anything that is connected to the Internet can be attacked. This is why equipment manufacturers, when designing new connected industrial equipment, should be as careful about implementing protection against cyberthreats as they are about designing functional safety features.


In 2015, perhaps for the first time in the entire history of the Internet, issues related to protecting networks and being protected online were discussed in connection with every sector of the economy and with people’s everyday life. Choose any sector of modern civilization – finances, industrial production, cars, planes, wearable devices, healthcare and many others – and you will be sure to find publications this year on incidents or cybersecurity problems related to that sector.

Regrettably, cybersecurity has also become inseparably linked with terrorism: both defensive and offensive online methods are attracting a great deal of interest from various illegal organizations and groups.

Cybersecurity issues have risen to the level of top diplomats and government officials. In 2015, cybersecurity agreements were signed between Russia and China, China and the US, and China and the UK. In these documents, governments not only agree to cooperate but also accept the responsibility to refrain from attacks on each other. At the same time, there was extensive discussion of recent changes to the Wassenaar Arrangement restricting spyware exports. A recurring theme of the year was the use of insecure email services by political figures across the globe, including former US Secretary of State Hillary Clinton.

All this has led to a huge surge of interest in cybersecurity, not only from the mass media but also from the entertainment industry: feature films and TV series were produced, some with cybersecurity experts in the cast, sometimes playing themselves.

The word cybersecurity became fashionable in 2015, but that does not mean the problem has been solved. We are seeing what amounts to exponential growth in everything related to cybercrime: the number of attacks and attackers, the number of victims, the cost of defense and protection, and the laws and agreements that regulate cybersecurity or establish new standards. For us, the most visible change is the growing sophistication of the attacks we detect. The confrontation is now in its active stage, and its end is not even on the horizon.

To find out what to expect in the near future, read our predictions for 2016.

Wake up! You’ve been p0wned

Tue, 11/24/2015 - 07:11

Today I came across a popular app that is usually paid but, just for today, was absolutely free for iOS users. It is a kind of “smart alarm clock” app which basically monitors your sleep and wakes you up exclusively during your light sleep cycle. Wow!

How does it do it? Well, the app enables your built-in mic and uses it during the night to monitor your sleep cycles. In other words, it records your environment while you’re sleeping. When I read about it I just could not believe it, because of the variety of potential scenarios a threat actor could exploit with people who use similar apps.

Imagine if the company behind the app gets hacked and the app then transmits data: that would provide access to the private offline life of the people using the app. Or how about another scenario where no data is transmitted today: what if the company gets hacked and the attackers edit the original code and then push a new version that does transmit recordings to a remote server?

In reality there are several scenarios an attacker could use. Worst of all, since this is a legitimate app available on the App Store, the attackers don’t even have to invest in expensive exploits for this OS.

Be careful when selecting apps and do not be too trusting when it comes to your much-loved devices. It’s hard to believe that something you trust with your personal life – your digital friend – can become your digital frenemy. But it does happen – and more often than you might think.

Russian financial cybercrime: how it works

Thu, 11/19/2015 - 05:57


The Russian-language cybercrime market is known all over the world. By ‘Russian-language market’ we mean cybercriminals who are citizens of the Russian Federation and some former USSR countries, predominantly Ukraine and the Baltic states. Why is this market known worldwide? There are two main factors: the first of these is frequent global media coverage of the activity of Russian-language cybercriminals. The second is the open accessibility of online platforms used by the cybercriminal community for communications, promoting a variety of “services” and “products” and discussing their quality and methods of application, if not for making actual deals.

Over time, the range of “products” and “services” available through this underground market has evolved, becoming more focused on financial attacks and ever more sophisticated. One of the most common types of cybercrime was (and still is) the trade in stolen payment card data. With the emergence of online stores and other services involving e-payment transactions, DDoS attacks and financial cybercrime have become especially popular with fraudsters whose main targets are users’ payment data or the theft of money directly from the accounts of users or companies.

Attacks on users’ and companies’ e-wallets were initiated by the Trojan ibank in 2006; then came ZeuS (2007) and SpyEye (2009), followed by the Carberp (2010) and Carbanak (2013) groups. This list is incomplete: there are many more Trojans used by criminals to steal users’ money and data.

With online financial transactions becoming more common, the organizations supporting such operations are becoming more attractive to cybercriminals. Over the last few years, cybercriminals have increasingly attacked not just the customers of banks and online stores, but the banks and payment systems themselves. The story of the Carbanak cybergroup, which specializes in attacking banks and was exposed earlier this year by Kaspersky Lab, is a clear confirmation of this trend.

Kaspersky Lab experts have been monitoring the Russian hacker underground since it first emerged. Kaspersky Lab regularly issues reports on financial cyber-threats which track changes in the number of financial malware attacks carried out over time. Information on the number of attacks may indicate the extent of the problem but does not reveal anything about who creates them and how. We hope that our review will help to shed light on this aspect of financial cybercrime.


The data presented in this article is compiled from dozens of investigations that Kaspersky Lab experts have participated in over the last few years, as well as their many years’ experience observing the Russian cybercrime market.

Situation overview

According to Kaspersky Lab, between 2012 and 2015, law enforcement agencies from a number of countries, including the United States, Russia, Belarus, Ukraine and the EU member states, arrested over 160 Russian-speaking cybercriminals who were members of small, medium-sized and large criminal groups. They were all suspected of stealing money using malware. The total damage resulting from their worldwide activity exceeded $790 million. (This estimate is based both on the analysis of public information about the arrests of people suspected of committing financial cybercrime between 2012 and 2015 and on Kaspersky Lab’s own data.) Of this sum, about $509 million was stolen outside the borders of the former USSR. Of course, this figure only includes confirmed losses, the details of which were obtained by law enforcement authorities during investigations. In reality, cybercriminals could have stolen a much larger amount.

The number of arrests of Russian-speaking cybercriminals as officially announced during the period 2012 to 2015

Since 2013, Kaspersky Lab’s Computer Incidents Investigation team has participated in the investigation of more than 330 cybersecurity incidents. More than 95% of these were connected with the theft of money or financial information.

Although the number of arrests of Russian-speaking criminals suspected of financial cybercrime increased significantly in 2015 compared with the previous year, the cybercriminal market is still “crowded.” According to Kaspersky Lab experts, over the last three years Russian-language cybercrime has recruited up to a thousand people: those involved in building infrastructure, those writing and distributing malware to steal money, and those who either stole or cashed out the stolen money. Most of those arrested are still not in prison.

We can estimate fairly precisely the number of people who make up the core of an active criminal group: the organizers, the money flow managers who withdraw money from compromised accounts, and the professional hackers. Across the whole cybercriminal underground, there are only around 20 of these core professionals. They are regular visitors to underground forums, and Kaspersky Lab experts have collected a considerable amount of information suggesting that these 20 people play leading roles in criminal activities involving the online theft of money and information.

The exact number of groups operating across Russia and its neighboring countries is unknown: many of those involved in criminal activities participate in several thefts and then, for various reasons, cease their activity. Some participants in known but apparently disbanded groups continue their criminal activities as part of new groups.

Kaspersky Lab’s Computer Incidents Investigation Department can now confirm the activity of at least five major cybercriminal groups specializing in financial crimes. These are the groups whose activities have been monitored by the company’s experts over the last few years.

All five groups came to the attention of the company’s experts in 2012-2013, and are still active. They each number between ten and 40 people. At least two of them are actively attacking targets not only in Russia but also in the USA, the UK, Australia, France, Italy and Germany.


Since the investigation into these groups has not been completed, it is not possible to publish more detailed information on the activities of these groups. Kaspersky Lab continues to investigate their activity and is cooperating with the law enforcement agencies of Russia and other countries in order to curb their cybercriminal business.

Investigation into the activities of these groups has allowed Kaspersky Lab experts to form an idea about their methods of operation and the structure of the cybercriminal market.

The structure of the Russian-language cybercriminal market: a range of “products” and “services”

The cybercriminal market usually comprises a set of “services” and “products”, used for various illegal actions in cyberspace. These “products” and “services” are offered to users of dedicated online communities, most of which are closed to outsiders.

The “products” include:

  • Software designed to gain unauthorized access to a computer or a mobile device in order to steal data from the infected device or money from the victim’s account (Trojans);
  • Software designed to take advantage of vulnerabilities in the software installed on a victim’s computer (exploits);
  • Databases of stolen credit card data and other valuable information;
  • Internet traffic (a certain number of visits to a customer-selected site by users with a specific profile).

The “services” include:

  • Spam distribution;
  • Organization of DDoS attacks (overloading sites with requests in order to make them unavailable to legitimate users);
  • Testing malware for antivirus detection;
  • “Packing” of malware (modifying malicious software with special tools, known as packers, so that antivirus software does not detect it);
  • Renting out exploit packs;
  • Renting out dedicated servers;
  • VPN services (anonymous access to web resources and protection of the data exchanged);
  • Renting out abuse-resistant hosting (hosting that does not respond to complaints about malicious content, and therefore does not disable the server);
  • Renting out botnets;
  • Evaluation of the stolen credit card data;
  • Services to validate the data (fake calls, fake document scans);
  • Promotion of malicious and advertising sites in search results (Black SEO);
  • Mediation of transactions for the acquisition of “products” and “services”;
  • Withdrawal of money and cashing.

Payments for such “products” and “services” on the cybercriminal market are generally made via an e-payment system such as WebMoney, Perfect Money, Bitcoin and others.

All of these “products” and “services” are bought and sold in various combinations in order to enable the following main types of crime, which can themselves be combined in various ways depending on the criminal group:

  • DDoS attacks (ordered by a customer or carried out for the purpose of extortion);
  • Theft of personal information and of credentials for e-money accounts (for resale or for stealing money);
  • Theft of money from the accounts of banks or other organizations;
  • Domestic or corporate espionage;
  • Blocking access to data on the infected computer for the purpose of extortion.

According to Kaspersky Lab experts, the theft of money is currently the most widespread type of crime. The rest of this report therefore focuses on this segment of the Russian-language cybercrime market.

The “labor market” of financial cybercrime

The variety of skills required for the creation of “products” and the provision of “services” has given rise to a unique labor market of professionals involved in financial cybercrime.

The list of key roles is almost exactly the same as that seen in any IT-related company:

  • Programmers / coders / virus writers (for the creation of new malicious software and the modification of existing malware);
  • Web designers (for the creation of phishing pages, emails, etc.);
  • System administrators (for the construction and support of the IT infrastructure);
  • Testers (to test the malicious software);
  • “Cryptors” (responsible for the packing of malicious code to bypass antivirus detection).

The list does not include the heads of the criminal groups, the money flow managers engaged in withdrawing money from compromised accounts, and the heads of money mules supervising the process of cashing the stolen money. This is because the relationship between these elements of the criminal groups is not an employer-employee one, but more of a partnership.

Depending on the type and extent of the criminal enterprise, the heads of the groups either employ “staff” and pay them a fixed salary, or work with them on a freelance basis, paying per project.

An offer of employment posted on a semi-closed forum inviting a programmer to join a cybercriminal group. The job requirements include experience in writing complex bots.

“Employees” are recruited either via sites where those involved in criminal activity traditionally gather or via resources for those interested in non-standard ways of making money online. In some cases, the ads are placed on mainstream job search sites or on the labor exchanges for remote employees.


In general, employees involved in cybercrime can be divided into two types: those who are aware of the illegality of the project or the work they are offered, and those who (at least in the beginning) know nothing about it. In the latter case, these are usually people performing relatively simple operations such as copying the interface of banking systems and sites.

By advertising “real” job vacancies, cybercriminals often expect to find employees from the remote regions of Russia and neighboring countries (mostly Ukraine) where problems with employment opportunities and salaries for IT specialists are quite severe.

A fraudster has advertised a job vacancy for Java/Flash specialists on a popular Ukrainian website. The job requirements include a good level of programming skill in Java and Flash, knowledge of the JVM/AVM specifications, and others. The organizer offers full-time remote work with a salary of $2,500.

The idea of searching for “employees” in these regions is simple – they carry a saving because staff can be paid less than employees based in large cities. Criminals also often give preference to candidates who have not previously been involved in cybercrime activity.

Often, such job offers are presented as legitimate work, with the true purpose of the work only becoming clear once the task is received.

In this example, the organizer of the criminal group offers a job to a JavaScript programmer, disguised as a vacancy at a “Web-innovation studio specializing in the development of highly sophisticated Internet applications.”

Vacancies posted on underground job boards, by contrast, are aimed at less experienced candidates.

This vacancy invites a C++ developer to develop “custom” software. In this context, “custom” software means malicious software.

The second reason in favor of remote “personnel” is the organizer’s aim of making the activity of the group as anonymous as possible, and to ensure that no single contractor possesses complete information about the group.

Options for organizing a criminal group

Criminal groups involved in stealing money, or financial information that gives them access to money, differ in the number of participants and the scope of their activities. There are three main forms of involvement:

  • Affiliate programs
  • Lone operators and small to medium-sized groups (up to ten members)
  • Large organized groups (ten or more participants)

This division is approximate. The scale of a group’s activity depends on the skill of its participants, their ambition and their overall organizational ability. In some cases, Kaspersky Lab experts came across relatively small criminal groups performing tasks that usually require a greater number of participants.

Affiliate programs

Affiliate programs are the easiest and least expensive method of getting involved in cybercrime activities. The idea behind an affiliate program is that the organizers provide their “affiliates” with almost all the tools they need to commit a crime. The task of the “affiliates” is to generate as many successful malware infections as possible. In return, the owner or owners of the affiliate program share the income received as a result of these infections with the affiliates. Depending on the type of fraudulent scheme this could be a share of:

  • The sums stolen from the accounts of Internet banking users;
  • The money paid by the user as a ransom when cybercriminals use ransomware Trojans;
  • The money stolen from the “prepaid” accounts of mobile device users by sending out SMS messages to premium mobile numbers with the help of a malicious program.

Creating and supporting an affiliate program for the purpose of stealing money is, as a rule, a cybercrime committed by a group rather than by an individual; such projects are often run by the large organized groups whose activity is analyzed later in this document.

This advertisement announces the launch of beta testing for an affiliate program used to distribute encrypting ransomware. Judging by its characteristics, the group’s activity is focused on companies located in the US and the UK. This is indicated by the comment that the malware distributed via the affiliate network is able to encrypt files with 80 different extensions, many of them belonging to applications used in companies. The requirements for candidates wishing to take part in testing include demonstrating that they have traffic or downloads from the United States and the United Kingdom.

According to Kaspersky Lab experts, affiliate programs are becoming less popular with Russian-language cybercriminals. The main driver of their popularity had been fraudulent schemes that infected users’ mobile devices with malicious programs which then sent SMS messages to premium numbers. However, in the spring of 2014 the Russian regulator introduced new requirements for such services, including the need to obtain additional confirmation of a subscription to a paid mobile service. This change reduced the number of malicious mobile affiliate programs to practically zero. Nevertheless, this form of joint cybercriminal activity is still used by groups specializing in the distribution of encrypting ransomware.

Small Groups

What distinguishes this form of cybercriminal activity from an affiliate program is that in this instance the criminal or criminals organize their own fraudulent scheme. Most of the components needed for the attack, such as malware and its modifications (“re-packed” malware), the traffic, the servers, etc., are bought on the black market. Often, members of such groups are not experts in the field of computer and network technologies; they learn about the components and organization of financial attacks from public sources, usually forums. The abilities of such groups can be restricted by a number of factors. Specifically, the use of widely-available malware results in rapid detection by security solutions. This, in turn, makes cybercriminals invest more money in the distribution of malware and in its “re-packing” to bypass detection. The end result is a significant drop in profits for the attacker.

Mistakes made by this type of cybercriminal often result in their identification and arrest. However, as a relatively low-cost entry into the world of cybercriminal activity (from $200), this “amateur” format continues to attract new entrants.

An example of such an “amateur” criminal organization is the group that in 2012 was convicted by a Russian court of stealing more than 13 million rubles (then worth about $422,000) from a Russian bank’s online customers. During a comprehensive investigation, Kaspersky Lab experts were able to collect the information that allowed law enforcement authorities to identify those behind the theft.

The court sentenced two members of the criminal group, giving each a suspended sentence of four and a half years. However, this verdict did not stop the criminals, and they continued to commit crimes, stealing almost as much again over the next two and a half years. They were re-arrested in May 2015.

Large organized criminal groups

Large criminal groups differ from the other players both in the larger scale of their activity and in their more thorough approach to the organization and operation of criminal schemes. Such groups can comprise up to several dozen people (not including the money mules used for cashing out and “laundering” money). The targets of their attacks are not limited to individual online banking customers: they also attack small and medium-sized companies, while the largest and most sophisticated of them, such as Carbanak, focus mostly on banks and e-payment systems.

The operational structure of large groups differs significantly from smaller groups. To a certain extent, the structure reflects that of an ordinary, average-sized company engaged in software development.

In particular, large groups have some form of regular staff – a group of associates who perform organizational tasks in return for a regular, fixed payment. However, even in these large, professional groups some of the tasks are passed to third-party contractors. For example, the “re-packing” of malware can be performed by the staff or hired virus writers or via third-party services where the process is automated with the help of special software. The same is true for many other elements of the IT infrastructure required for committing crime.

Examples of large, organized criminal groups are Carberp, whose members were arrested in Russia and Ukraine in 2012 and 2013 respectively, and Carbanak, unmasked by Kaspersky Lab in early 2015.

Although the damage from the activity of affiliate programs and small groups can run into hundreds of thousands of dollars, the large criminal groups are the most dangerous and destructive. The estimated damage caused by Carberp reaches several hundred million dollars (up to a billion). Studying how these groups function and the tactics they use is therefore extremely important, as it strengthens our ability to investigate their activity effectively and, ultimately, to suppress it.

Distribution of roles in a large cybercriminal group

A major financial cybercrime undertaken by criminal “experts” in security and the finance sector can result in multi-million dollar losses for attacked organizations. As a rule, such crimes are preceded by many months of preparation. This preparation includes constructing complex infrastructure, and selecting and developing malicious software, as well as a thorough study of the target organization in order to clarify the details of its internal operations and security vulnerabilities. Each member of the criminal group has their own responsibilities.

The following role distribution is typical for a criminal group involved in stealing money. The distribution of roles in groups that specialize in other types of cybercrime may be different.

Virus writer/Programmer

A virus writer or programmer is responsible for creating malicious programs, i.e. the programs that allow the attackers to gain a foothold in the corporate network of the target organization, download additional malware that will help to obtain the necessary information, and ultimately steal money.

The significance of this group member and the nature of their relationship with the organizers vary from group to group. If the group uses ready-made malware taken from open sources or bought from other virus writers, the programmer’s functions may be limited to configuring and modifying the malicious programs to work in the infrastructure created for a particular cybercrime, or to adapting them for attacks on specific institutions. The most advanced groups, however, tend to rely on their own “developments”, since custom malware is less visible to most security solutions and offers more scope for modification. Where this is the case, the virus writer’s role becomes more important, as they are responsible for the architecture and feature set of the malicious program.

A virus writer can also take on responsibility for malware “re-packing”. But this happens only when the organizer wants to keep the maximum number of tasks within the group, and where original software is used for malware “re-packing”. In most cases, however, this procedure is shifted to third-party contractors or packing-services.

Testers

The function of testers in a criminal group is not very different from that of testers in legitimate IT companies. In both cases, testers receive from their managers specifications for testing programs in different environments (different versions of operating systems, different sets of installed applications, etc.) and execute them. If a fraudulent scheme involves fake interfaces for remote banking or e-payment systems, the testers also monitor the correct operation of these fakes.

Web designers and Web programmers

Typically, web designers and web programmers are remote employees, whose tasks include creating phishing pages and websites, fake application interfaces and web injects, all of which are used to steal data to get access to e-payment and e-banking system.

Distributors

Distributors aim to get the malicious software downloaded onto as many devices as possible, using several tools. Generally, the group organizer determines the profile of the users to be infected and buys the required type of traffic from so-called traffic providers (services that attract users with certain characteristics to a particular website).

An advert offering to buy traffic. The cybercriminals are willing to pay only for successful installations of malicious software, at $140 per 1,000 “call-backs” (a message sent by the malware to the command server after a successful infection).

The organizer can also order a spam mailing containing either an infected attachment or a link that takes the victim to a malicious website, or pick a site with the required target audience and hire hackers to break into it and plant an exploit pack on it. Of course, all these tools can be used in combination.

Hackers

Often, in the course of an attack, the exploits and other malicious software the organizer has to hand are not enough to infect all the computers needed for the attack and to gain a persistent foothold on them. It may become necessary to hack into a specific computer or site. In such cases, the organizers bring in hackers: people with considerable information security skills who can perform non-standard tasks. In many of the cases examined by Kaspersky Lab experts, hackers were involved only occasionally and were paid on a fee-for-service basis. However, if hacking is required regularly (for example, for targeted attacks on financial institutions), the hacker becomes a “team member” and is often one of the cybercriminal group’s key participants, along with the organizers and money flow managers.

System administrators

System administrators in cybercriminal groups perform near-identical tasks to their counterparts in legitimate businesses: they implement the IT infrastructure and keep it in working order. Cybercriminal system administrators configure command-and-control servers, buy abuse-resistant hosting for them, ensure the availability of tools for connecting to the servers anonymously (VPN) and resolve other technical challenges, including interaction with remote system administrators hired for small tasks.

Call services

Social engineering is important for the success of the cybercriminal business, especially when it comes to attacks on organizations that result in the theft of huge sums of money. In most cases, even if the attackers establish control over the computer from which the transaction can be performed, confirmation of the transaction’s legitimacy is required to complete it. This is what the “call service” is for: at the specified time, its “employees” play the role of an employee of the attacked organization, or of the bank with which the organization works, and confirm the legitimacy of the transaction.

“Call services” can take part in a particular cybercrime either as a subdivision of the criminal group or as a third-party organization performing a specific task on a fee-for-service basis. The forums that cybercriminals use to communicate with each other carry plenty of ads offering such services.

This advertisement offers “call services” in English, German, Dutch and French. The group specializes in calls to online stores and banks, as well as to duped mules. The group also offers the quick creation of local toll-free numbers used to imitate support services in fraudulent schemes, receiving SMS messages, and receiving and sending faxes. The criminals ask $10 to $12 for one call, $10 for receiving an SMS and from $15 for creating a toll-free number.

According to Kaspersky Lab, large cybercriminal groups prefer to have their own “call services” so they hardly ever turn to third-party providers.

Money flow managers

Money flow managers are the members of the cybercriminal group who come into play once all the technical tasks of organizing the attack (choosing and infecting the target and establishing a foothold in its infrastructure) are complete and everything is ready for the theft. They are the people who withdraw money from compromised accounts. However, their participation is not limited to pressing keys; they play a key role in the whole process.


Money flow managers usually thoroughly understand the internal rules of the attacked organization (they even know the lunch hours of the employee from whose computer the fraudulent transaction will be made). They know how the automated anti-fraud systems operate and how to bypass them. In other words, in addition to their criminal role of thieves, money flow managers perform “expert” tasks that are difficult or impossible to automate. Perhaps because of this special status, money flow managers are one of the few members of the criminal group who receive a percentage of the stolen money rather than a fixed “salary”.

Money flow managers often also act as botnet operators, i.e. members of the criminal group who analyze and classify the information obtained from infected computers (access to remote banking services, the availability of money in the accounts that can be reached, the organization where the infected computer is located, etc.).

Besides money loaders, these “working conditions” are only shared by the leaders of mule projects.

Head of Mules (Mule “project” leader)

Head of mules is a representative of the criminal group working closely with the people involved in the process of stealing money. The function of the mules is to get the stolen money, cash it and transfer to the criminal group its due share. To do this, the head of mules builds their own infrastructure, which consists of legal entities and individuals with their own bank accounts, to which the stolen money is transferred and from which it is later withdrawn and moved into the pockets of the fraudsters. The mule project leader cooperates with the organizer of the criminal group, and provides them with the numbers of the accounts to which the money loader sends the stolen money. Both mule project leaders and money flow managers work on commission which, according to the information obtained by Kaspersky Lab during the course of investigation, can amount to half the sum stolen.

Mule “projects”

Mule projects are a vital component of any financial cybercrime. Such groups comprise one or more organizers and up to several dozen individual mules.

A mule (or drop) is a holder of a means of payment who, on command from the money mules manager, cashes the money received into their account, or transfers it to another account as specified by the money mules manager.

Mules can be divided into two types: duped and non-duped. Duped mules are people who, at least at the beginning of their cooperation with the money mules manager, do not realize they are involved in a criminal scheme. As a rule, the task of getting and transferring money is presented to them under some plausible pretext. For example, the money mules manager can establish a legal entity and appoint to an executive position (the general or financial director, for example) a person who will perform the functions of the duped mule, such as signing corporate documents which will, in fact, serve as a legal screen for withdrawing stolen money.

Non-duped mules are well aware of the real purpose of the money mules manager’s tasks.

The options used by the mule projects to withdraw money are manifold. Depending on the amount of money stolen, they may include individual credit card holders ready to cash money and give it to the representative of the money mules manager for a small fee, or specially created legal entities, whose representatives open “salary projects” (credit cards for transferring the salaries of company employees) at their corporate bank.

Yet another common method for constructing a mule scheme is for non-duped mules to open dozens of accounts at different banks.

This advert offers sets of payment cards (the card, the documents on the basis of which the card was issued, and the SIM card associated with the card’s bank account) that can be used for cashing stolen money. The cards on sale are issued by Russian banks and banks from neighboring countries, as well as by banks in Europe, Asia and the United States. The Momentum-type set costs 3000 rubles (less than $50), while the set with the Platinum card costs eight thousand rubles (about $120).

When the theft occurs outside of Russia, the role of the non-duped mules is performed by a citizen or group of citizens of an Eastern European country, who within a short period of time visit several countries on the continent and in each of them open accounts in their names. The non-duped mules then provide the money mules manager with the data needed to access all these accounts. These accounts are later used to withdraw the stolen money.

An example of an ad offering for sale a list of companies registered in the Russian Federation and in the offshore zone. The services of cybercriminals cost from $560 to $750.


The word “stuffer” comes from the word “stuff” (a colloquial word for “goods”). One way to withdraw stolen money is by buying goods in e-stores with the stolen money, reselling them and returning to the fraudsters their due percent. This is done by the stuffers, members of the cybercriminal groups engaged in spending money from compromised accounts on purchasing goods in online stores.

In fact, a stuffer is a variation of the money flow manager. Withdrawing money by purchasing goods is generally practiced if the stolen sums are relatively small. As a rule, the stuffers work in a team with the fences. Working “in tandem” often involves purchasing a certain type of goods, sometimes from a specific manufacturer or a clearly-defined model.


If we consider cybercrime as a project, the organizer of the criminal group is its general manager. Their duties usually include financing the preparatory phase of the attack, allocating tasks to executors, monitoring their performance and interacting with third-party agents such as mule projects and call services (if the group does not have its own). The organizer determines the targets for attacks, selects the necessary “specialists” and negotiates with them.

Stages of the attacks

It should be noted that the above classifications are not set in stone. In some cases, a single member of the criminal group can combine several roles. Nevertheless, regardless of how many people execute them, each of the roles described can be found when investigating almost every money-related cybercriminal incident. Here’s how they work in “real time.”

  1. Exploration. When it comes to targeted attacks on a specific company, the organizer first instructs the contractors to collect information about the company, which will help to develop a plausible social engineering scheme for the first stage of attack. If we are talking about an attack on individual users, the preliminary exploration stage is skipped or limited to choosing a “target audience” for the attack (for example, the users of the online banking service of a specific bank) and creating phishing emails and phishing sites with relevant content.

  2. Infection. Penetration of the corporate network is performed by spear-phishing or a phishing mass-mailing that contains an attachment with a specially crafted document or a malicious web link. Opening the attachment or following the link leads to malware infection. Often, infection occurs automatically without the user’s awareness or participation: after clicking on the link, a malicious program is automatically downloaded onto the user’s computer (drive-by download) and runs on it.

    In other cases, infection is carried out via compromised popular sites on which a tool is placed that invisibly redirects users to a third-party site containing a set of exploits. Once on this site, the user will be infected with malware.

    Once inside the system, cybercriminals use a number of malicious tools to consolidate their presence. For example, they may compromise internal sites of the attacked organization so that the malware is reinstalled whenever the organization’s security software deletes the previous version. In addition, attackers often place software of their own within the attacked organization’s infrastructure, enabling easy access to the internal corporate network from outside.

  3. Exploration and implementation. Programs for remote, hidden administration and management are downloaded onto the compromised computers. Cybercriminals use them to obtain system administrators’ credentials. Legitimate remote management and administration programs, whose functionality is familiar to many users, are often used for this.

  4. Money theft. In the final stage, cybercriminals access the financial systems of the targeted organization and transfer money from its accounts to the accounts of the mule projects or withdraw money directly at ATMs.


Financial cybercrime backed by Russian-speaking criminals has become widespread in recent years and this growth is due to a number of causes. The main ones are:

  • Not enough qualified staff in law enforcement agencies;
  • Inadequate legislation allowing criminals in many cases to avoid responsibility or to receive a lighter sentence;
  • A lack of established procedures for international cooperation between law enforcement agencies and expert organizations in different countries.

Unlike the real world, a robbery in cyberspace usually goes unnoticed and there is a very small window for collecting digital evidence after the crime. Further, criminals have no need to stay in the country where the crime is committed.

Unfortunately, for Russian-speaking cybercriminals current conditions are more than favorable: the risk of prosecution is low while the potential rewards are high. As a result, the number of crimes and the damage caused by them is growing, and the market for cybercriminal services is gaining momentum.

A relatively low cost of entry ($200) to cybercrime attracts new dealers


The lack of established mechanisms for international cooperation also plays into the hands of criminals: for example, Kaspersky Lab experts know that the members of some criminal groups permanently reside and work in Russia’s neighbors, while the citizens of the neighboring states involved in criminal activity often live and operate in the territory of the Russian Federation.

Kaspersky Lab is doing everything possible to terminate the activity of cybercriminal groups and encourages other companies and law enforcement agencies in all countries to cooperate.

The international investigation of Carbanak’s activity, initiated by Kaspersky Lab, is the first example of successful international cooperation. If the world is to see a serious and positive change there should be more such cases.

Reference. What is Kaspersky Lab Computer Incidents Investigation?

Kaspersky Lab is a well-known developer of anti-malware security solutions. But the company provides comprehensive protection, and this also includes services for computer incidents investigation.

Evidence of an incident, mainly presented in the form of digital data, needs to be collected and recorded so that there are no grounds for doubt in the investigation and trial when a victim makes a court application.

Kaspersky Lab Computer Incidents Investigation is responsible for:

  • Responding to IT security incidents and providing a quick analysis of the situation;
  • Collecting digital evidence and determining the circumstances of IT security incidents in accordance with established procedures;
  • Analyzing the evidence collected, searching the Internet for information related to the circumstances of the incident and recording it;
  • Preparing materials for the victim’s application to law enforcement agencies;
  • Providing expert support to investigative operations.

A huge amount of data is processed when responding to IT security incidents and supporting investigative operations. The analysis of this data, in combination with statistics on detected malicious objects, identifies the trends of criminal behavior in cyberspace.

The Kaspersky Lab Computer Incidents Investigation Department was established in 2011 and involves six forensic experts.

Kaspersky Security Bulletin. 2016 Predictions

Tue, 11/17/2015 - 11:03



As the year comes to an end, we have an opportunity to take stock of how the industry has evolved and to cast our predictions for the coming years. Taking advantage of a rare global meeting of our GReAT and Anti-Malware Research experts, we tossed ideas into the ring and I have the privilege of selecting some of the more noteworthy and plausible for both the coming year and the long-term future as we foresee it. The outlook for our rapidly evolving field of study is quite thought-provoking and will continue to present us with interesting challenges. By sticking to sober metrics, perhaps we can skip the usual science fiction fear mongering and come to some accurate predictions for both the short- and long-term.

No more APTs

Before you start celebrating, we should point out that we’re referring to the ‘Advanced’ and ‘Persistent’ elements – both of which the threat actors would gladly drop for overall stealth. We expect to see a decrease in the emphasis on persistence, placing a greater focus on memory-resident or fileless malware. The idea will be to reduce the traces left on an infected system and thus avoid detection altogether. Another approach will be to reduce the emphasis on advanced malware. Rather than investing in bootkits, rootkits, and custom malware that gets burned by research teams, we expect an increase in the repurposing of off-the-shelf malware. Not only does this mean that the malware platform isn’t burned upon discovery but it also has the added benefit of hiding the actor and his intentions in a larger crowd of mundane uses for a commercially available RAT. As the shine of cyber-capabilities wears off, return on investment will rule much of the decision-making of state-sponsored attackers – and nothing beats low initial investment for maximizing ROI.

APT: a decrease in the emphasis on persistence, a focus on memory-resident or fileless malware #KL2016Prediction

The nightmare of ransomware continues

We expect to see the success of Ransomware spread to new frontiers. Ransomware has two advantages over traditional banking threats: direct monetization and relatively low cost per victim. This amounts to decreased interest from well-resourced third-parties such as banks, as well as low levels of reporting to law-enforcement agencies. Not only do we expect ransomware to gain ground on banking trojans but we also expect it to transition into other platforms. Weak attempts at bringing ransomware to mobile (Simplelocker) and Linux (Ransom.Linux.Cryptor, Trojan-Ransom.FreeBSD.Cryptor) have already been witnessed, but perhaps the more desirable target platform is OS X. We expect ransomware to cross the Rubicon to not only target Macs but also charge ‘Mac prices’. Then, in the longer term, there is the likelihood of IoT ransomware, begging the question, how much would you be willing to pay to regain access to your TV programming? Your fridge? Your car?

We expect ransomware to gain ground on banking trojans and to transition into other platforms #KL2016Prediction

Betting against the house: financial crimes at the highest level

The merging of cybercrime and APT has emboldened financially motivated criminals who have gracefully transitioned from attacking end users to going after the financial institutions themselves. The past year has seen plenty of examples of attacks on point-of-sale systems and ATMs, not to mention the daring Carbanak heist that pilfered hundreds of millions of dollars. In the same vein, we expect cybercriminals to set their sights on novelties like alternate payment systems (ApplePay and AndroidPay) whose increasing rate of adoption should offer a new means of immediate monetization. Another inevitable point of interest is stock exchanges, the true mother lode. While frontal attacks may yield quick payoffs, we mustn’t overlook the possibility of more subtle means of interference, such as going after the black-box algorithms employed in high-frequency trading to ensure prolonged gains with a lower likelihood of getting caught.

Cybercriminals will set sights on novelties like alternate payment systems and stock exchanges #KL2016Prediction

Attacks on security vendors

As attacks on security vendors rise, we foresee an interesting vector in compromising industry-standard reverse-engineering tools like IDA and Hiew, debugging tools like OllyDbg and WinDbg, or virtualization tools like the VMware suite and VirtualBox. CVE-2014-8485, a vulnerability in the Linux implementation of ‘strings’, presents an example of the vulnerable landscape of nontrivial security research tools that determined attackers may choose to exploit when targeting researchers themselves. In a similar vein, the sharing of freeware research tools through code repositories like Github is an area ripe for abuse, as users will more often than not pull code and execute it on their systems without so much as a glance. Perhaps we should also be casting a suspicious glance towards popular implementations of PGP so eagerly embraced by the infosec community.

We foresee a vector in compromising reverse-engineering, debugging & virtualization tools #KL2016Prediction

Sabotage, extortion and shame

From dumps of celebrity nudes to the Sony and Ashley Madison hacks and the HackingTeam dump, there has been an undeniable increase in DOXing, public shaming, and extortion. Hacktivists, criminals, and state-sponsored attackers alike have embraced the strategic dumping of private pictures, information, customer lists, and code to shame their targets. While some of these attacks are strategically targeted, some are also the product of opportunism, taking advantage of poor cybersecurity to feign hacker prowess. Sadly, we can only expect this practice to continue to rise exponentially.

Whom do you trust?

Perhaps the scarcest commodity in the current internet age is trust. Abuse of trusted resources will further drive this scarcity. Attackers will continue to enlist open-source libraries and whitelisted resources for malicious purposes. We expect another form of trust to be abused, that of a company’s internal resources: as crafty attackers seek to expand their foothold on an infected network, they may target resources limited to the company intranet such as waterholing Sharepoint, file server, or ADP portals. Perhaps we’ll even witness the furthest extension of the already rampant abuse of trusted certificates as attackers establish an entirely fabricated certificate authority to issue certificates for their malware.

Attackers will enlist open-source libraries and whitelisted resources for malicious purposes #KL2016Prediction

APT actors down the road

The profitability of cyberespionage has not escaped the attention of our foes and, as we expected, mercenaries have begun populating the scene. This trend will only increase to match the demand for cyber-capabilities by both companies as well as known APT actors looking to outsource less critical tasking without risking their tools and infrastructure. We could float the term ‘APT-as-a-Service’, but perhaps more interestingly we can expect the evolution of targeted attacks to yield ‘Access-as-a-Service’. The latter entails the sale of access to high-profile targets that have already fallen victim to mercenaries.

We'll see members of well-established APT teams potentially coming out of the shadows #KL2016Prediction


Looking further into the future of cyberespionage, we see members of well-established APT teams (‘APT 1%ers’, if you will) potentially coming out of the shadows. This would happen in one of two forms: as part of the private sector with the proliferation of ‘hacking back’, or by sharing their insights with the larger infosec community, perhaps by joining us at conferences to share the other side of the story. In the meantime, we can expect the APT Tower of Babel to incorporate a few more languages.

The future of the Internet

The infrastructure of the internet itself has shown signs of tension and cracks in recent years. Concerns over massive router botnets, BGP hijacking and dampening, DNS attacks en masse, or server-powered DDoSes betray a lack of accountability and enforcement on a global scale. Looking further down the line to long-term predictions, we can consider what the internet might look like if that narrative of a globally connected village continues to wither. We may end up with a balkanized internet divided by national borders. At that point, concerns over availability may come down to attacks on the service junctures that provide access between different sections, or perhaps geopolitical tensions that target the cables that connect large swathes of the internet. Perhaps we’ll even see the rise of a black market for connectivity. Similarly, we can expect that as technologies that power the internet’s underbelly continue to gain mainstream attention and widespread adoption, developers with a stake in shadow markets, exchanges, and forums are likely to develop better technologies to keep the underground truly underground.

The internet's cracked: we may end up with a balkanized internet divided by national borders #KL2016Prediction

The future of transportation

As investment and high-end research capabilities are dedicated to developing autonomous vehicles for both personal and commercial distribution, we will witness the rise of distributed systems to manage the routes and traffic of large volumes of these vehicles. The attacks may not focus on the distribution systems themselves, but perhaps on the interception and spoofing of the protocols they rely on (a proof of concept of the vulnerabilities of the widely adopted Global Star satcom system was presented by a Synack researcher at this year’s BlackHat conference). Foreseeable intentions behind these attacks include theft of high-value goods or kinetic damage resulting in loss of life.

Crypto: a breakdown in the reliability of standards and a need of 'post-quantum cryptography' #KL2016Prediction

The cryptopocalypse is nigh

Finally, we cannot overemphasize the importance of cryptographic standards in maintaining the functional value of the internet as an information-sharing and transactional tool of unparalleled promise. These cryptographic standards rely on the expectation that the computational power required to break their encrypted output is simply above and beyond our combined means as a species. But what happens when we take a paradigmatic leap in computational capabilities as promised by future breakthroughs in quantum computing? Though quantum capabilities will not be initially available to the common cybercriminal, it signals a breakdown in the reliability of current crypto-standards and a need to design and implement ‘post-quantum cryptography’. Given the poor rate of adoption or proper implementation of high-quality cryptography as it is, we do not foresee a smooth transition to counterbalance cryptographic failures at scale.

Spam and phishing in Q3 2015

Thu, 11/12/2015 - 05:58


Spam: features of the quarter

Online dating

The dating theme is typical for spam emails, but in the third quarter of 2015 we couldn’t help but notice the sheer variety appearing in these types of mailings. We came across some rather interesting attempts to deceive recipients and to bypass filters, as well as new types of spam mailings that were bordering on fraud.

The main aim of spammers exploiting the dating theme is usually to advertise recently created dating sites that are still relatively unknown. The owners of these sites resort to spamming to attract the largest possible audience to their resource. The messages often address different categories of recipients, for example, dating sites for older people, married people or the religious.

Yet another type of advert is for marriage agencies offering a selection of brides (mainly from Russia and Ukraine) to foreign suitors. This type of spam is usually distributed in the English-language segment of the Internet. The messages contain an invitation to register on a site, a short text promising to find the perfect life partner and a link leading to the advertised site.

Q3 2015, the percentage of spam in email traffic accounted for 54.2% #KLReport #infosec


Similar emails can also be sent from a “bride”. This type of spam is closer to the fraudulent tactics used by ‘Nigerian letters’. The email is supposedly written by a girl who provides a few details about herself, about how hard her life is in the Russian hinterland, and her dreams of meeting Prince Charming. A photo is often attached, though not necessarily a photo of the “bride” – it could easily be taken from someone’s social networking page and attached to make the message look more convincing. That’s why emails from different girls may contain the same photos. However, the messages vary: a host of synonyms are used to bypass spam filters. The usual channel for receiving feedback is via email. The address is different for each email – they are obviously created in large quantities on free email services for each mass mailing. After replying, the user will, at best, receive a notification that the address is non-existent. The worst case scenarios will see his address targeted by further spam mailings and he may even get caught up in a scam where the girl asks for money to buy a ticket to come and see him. Once she gets the money, she disappears without a trace.

A similar method is used to advertise dating sites “for adults”. The emails contain either an invitation to register on the site and a promise of intimate dating, or a message from a girl who is looking for a partner for intimate relations plus a link to the resource with her alleged profile. This type of spam is often disguised as personal notifications on social networking sites, as well as image or audio files sent via instant messengers. As a result, the site is hidden, and the user cannot clearly identify what it is until he follows all the links. Of course, the contents of these messages aim to arouse the recipient’s interest and make him click the links, often due to the flirty content or heavy hints and intimate photos.

And finally, yet another type of spam we detected in Q3 was quite blatantly fraudulent. During the quarter we observed a mass mailing that prompted recipients to send a text message to a specific telephone number; in return a girl promised to send intimate photos of herself. The text of the emails varied, as did the mobile numbers specified in them. We sent messages to some of the numbers and found that they were not premium-rate numbers as might be expected, and users were not charged for sending a text message. We got a reply from a girl, but after a couple of answers it became clear we were dealing with a robot whose task was to make us download an application so we could continue chatting and receive the promised photos. As a result, we received several text messages containing short links that led to an article about useful mobile apps that appeared in a well-known American newspaper. During the redirect to the article an archive with mobile malware was downloaded to the user’s phone.

Seasonal malicious spam

The amount of seasonal spam traditionally increases in summer. This is true for both advertising and malicious spam. The holiday season saw spam with a travel theme: fake notifications from booking services, airlines and hotels were used to spread malicious programs.

Fake notifications from major international airlines and booking services were detected by Kaspersky Lab as Trojan-Downloader.JS.Agent.hhy and Trojan-Downloader.Win32.Upatre.

We came across similar emails, supposedly sent by popular airlines, with messages in French. The text informed recipients that the attachment contained an e-ticket. In fact, the ZIP archive contained the Trojan.Win32.Xtrat Trojan and the DDoS bot Nitol (a module used to organize DDoS attacks).

In July, fraudsters tried to trick users by sending fake notifications on behalf of hotels. The message thanked the recipients for staying in their hotel and asked them to view the attached bill. The attached archive actually contained Trojan-Downloader.Win32.Upatre.dhwi, which in turn downloaded and ran Trojan-Banker.Win32.Dyre (seen as 98.***.**.39/cv17.rar) via the links embedded in the body of the downloader.

In addition to fake emails sent on behalf of well-known companies we observed a message in English from an individual. The email contained a request to change a room booking because some friends had cancelled.

The text in the email could easily be seen as a legitimate request from a client; however, the ZIP attachment contained Trojan-Downloader.JS.Agent.hhi that downloaded Backdoor.Win32.Androm.

Spammer tricks

The text in a standard phishing email is usually in the body of the message, while personal information is entered on a web page that opens after clicking a fraudulent link in the text, or in the HTML fields of a page attached to the email, or is sent back in a reply email. The latter is most typical when asking recipients to confirm the address and the password for an email account.

Q3 2015, Top 3 biggest sources of spam globally were the #USA, #Vietnam & #China #KLReport


In Q3 2015, cybercriminals came up with a new way of distributing phishing emails and bypassing spam filters. The text of the phishing email and the fake link were included in a PDF document attached to the email. After clicking the link, a standard phishing page opened and the user was asked to enter his personal information. The majority of emails utilizing the new technique imitated bank notifications. The body of these messages usually contained a short text describing the problem; sometimes there was no text at all.

It should be noted that the spammers used well-known phrases and tricks in the text of the emails: notifications about an account being blocked, the need to pass a verification procedure, security issues, an investigation into phishing incidents, etc. As usual, the fraudulent links were masked by legitimate links and text fragments.

However, there were emails with detailed text in the message body providing genuine links to official bank resources. The phishing notification was included in the PDF attachment.

Our colleagues also came across a different type of phishing message using Mediabox objects in attached PDF files.

A Mediabox object is a document opened by a mouse click and used to redirect the user to a phishing website.
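As an added example (not code from the report), the following Python scans a PDF attachment for link targets, including ones stored inside compressed streams, and flags any target whose host does not belong to the brand the e-mail claims to come from. The sample PDF, the brand domain examplebank.test and the allowlist are constructed; only the PDF syntax used in the sample is handled.

```python
"""Flag phishing links carried inside a PDF attachment.

Added example, not code from the original report. The sample PDF, the brand
name examplebank.test and the allowlist are constructed for illustration.
Only the syntax used here (/URI actions in plain objects and inside
FlateDecode streams) is handled; a mail gateway would use a full PDF parser.
"""
import re
import zlib
from urllib.parse import urlsplit

# /URI (literal string) or /URI <hex string> inside a link action dictionary.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]+)>)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
FLATE_RE = re.compile(rb"/Filter\s*/FlateDecode")


def _decode_literal(raw: bytes) -> str:
    # Undo PDF literal-string escapes: backslash-paren, backslash-backslash,
    # backslash-n/r/t and octal \ddd, then decode as Latin-1.
    def unescape(m):
        esc = m.group(1)
        if esc[0] in b"01234567":
            return bytes([int(esc, 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(esc, esc)
    return re.sub(rb"\\([0-7]{1,3}|.)", unescape, raw).decode("latin-1")


def extract_uris(pdf: bytes) -> list:
    """Return every /URI target found in raw objects and in inflated streams."""
    blobs = [pdf]
    # Annotations can sit inside compressed object streams, so inflate every
    # FlateDecode stream and scan its contents as well.
    for m in STREAM_RE.finditer(pdf):
        head = pdf[max(0, m.start() - 200):m.start()]
        if FLATE_RE.search(head):
            try:
                # decompressobj tolerates a stray trailing byte before endstream
                blobs.append(zlib.decompressobj().decompress(m.group(1)))
            except zlib.error:
                continue  # corrupt or unsupported stream: skip it
    uris = []
    for blob in blobs:
        for literal, hexstr in URI_RE.findall(blob):
            if hexstr:
                uris.append(bytes.fromhex(hexstr.decode()).decode("latin-1"))
            else:
                uris.append(_decode_literal(literal))
    return uris


def suspicious_links(pdf: bytes, brand_hosts) -> list:
    """Targets whose host is not the claimed brand's domain or a subdomain of it.
    A bare IP address or a look-alike such as brand.example.evil fails this test."""
    flagged = []
    for uri in extract_uris(pdf):
        host = (urlsplit(uri).hostname or "").lower()
        if not any(host == h or host.endswith("." + h) for h in brand_hosts):
            flagged.append(uri)
    return flagged


def build_sample_pdf() -> bytes:
    """Constructed sample: a genuine-looking link, a hex-encoded link to a bare
    IP, and a look-alike 'verify your account' link hidden in a compressed
    object stream (the fraudulent link masked behind the legitimate one)."""
    visible = (b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
               b"/A << /S /URI /URI (https://www.examplebank.test/login) >> >>")
    hidden = (b"<< /Type /Annot /Subtype /Link /Rect [72 600 300 620] "
              b"/A << /S /URI /URI (http://examplebank.test.verify-login.example/acct) >> >>")
    ip_hex = b"http://198.51.100.7/cv17.rar".hex().encode()  # documentation IP
    packed = zlib.compress(hidden)
    return (b"%PDF-1.5\n"
            b"1 0 obj " + visible + b" endobj\n"
            b"2 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(packed)).encode() + b" >>\nstream\n" + packed
            + b"\nendstream endobj\n"
            b"3 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <"
            + ip_hex + b"> >> >> endobj\n"
            b"%%EOF\n")


if __name__ == "__main__":
    sample = build_sample_pdf()
    print("all links:", extract_uris(sample))
    print("flagged:", suspicious_links(sample, {"examplebank.test"}))
```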

Statistics

Proportion of spam in email traffic

Percentage of spam in email traffic, April-September 2015

After some relatively stable months in the second quarter the percentage of spam in global email traffic began to change again. A slight growth in July and August of 2015 was followed by a noticeable drop in September. As a result, the average percentage of spam in Q3 amounted to 54.19% – slightly higher than the average for the previous quarter.

Sources of spam by country

Sources of spam by country, Q3 2015

The US (15.34%) remained the biggest source of spam in Q3. Vietnam was second with 8.42% of global spam, compared to 3.38% in the previous quarter. China rounded off the Top 3 (7.15%) – its share remained unchanged from the previous quarter.

Russia’s share (5.79%) dropped by 2.03 p.p., pushing it from second to fourth position. It was followed by Germany (4.39%) and France (3.32%) – their shares changed only slightly compared to Q2.

Spam email size

Spam email size distribution, Q2 2015 and Q3 2015

The most commonly distributed emails were very small – up to 2 KB (79.05%). The proportion of these emails grew from the previous quarter (13.67 p.p.), while the share of emails sized 20-50 KB (3.32%) fell by approximately the same number of percentage points. The share of all other emails saw no significant change from Q2 of 2015.

Malicious email attachments

Top 10 malicious programs sent by email, Q3 2015

Trojan-Spy.HTML.Fraud.gen remained the most popular malicious program sent by email. This program is a fake HTML page sent via email that imitates an important notification from a large commercial bank, online store, software developer, etc.

Second and ninth places in the Top 10 are occupied by Trojan-Downloader.JS.Agent.hhi and Trojan-Downloader.JS.Agent.hfq, respectively. Both are obfuscated JavaScript. The downloaders use the ADODB.Stream technology, which allows them to download and run DLL, EXE and PDF files.

Trojan-Downloader.VBS.Small.lj and Trojan-Downloader.VBS.Agent.aqp came third and sixth, respectively. These VBS scripts, which also use the ADODB.Stream technology, download ZIP archives and run malware extracted from them.


Trojan-Downloader.MSWord.Agent.oq came fourth. This malicious program is a DOC file with embedded VBS macros that run when the document is opened. The macros download another malicious VBS script from the cybercriminals’ site and run it on the victim’s computer.

Email-Worm.Win32.Mydoom.l rounds off the Top 5. This network worm is spread as an email attachment via file-sharing services and writable network resources. It harvests email addresses from infected computers so they can be used for further mass mailings. The worm also enables attackers to remotely control the infected computer.

Trojan-Downloader.HTML.Meta.ay, Trojan-Downloader.HTML.Agent.aax and were seventh, eighth and tenth in the rating, respectively. They are all HTML pages which, when opened, redirect users to a rigged site. Once there, a victim usually encounters a phishing page or is asked to download a program – Binbot, a binary option trading bot. The three malicious programs spread via email attachments, and the only difference between them is the link which redirects users to the rigged sites.

Malware families

As in the previous two quarters, Upatre (9.46%) was the most common malware family. Malware from this family downloads the banking Trojan known as Dyre (also called Dyreza or Dyzap).

The MSWord.Agent family (5.55%) remained in second position. To recap, these malicious programs are DOC files with an embedded macro written in Visual Basic for Applications (VBA), which runs on opening the document. It downloads and runs other malware, such as malicious programs from the Andromeda family.

In third place was the VBS.Agent family (5.44%). Unlike MSWord.Agent, the malicious programs of this family use an embedded VBS script, which relies on ADODB.Stream to download and run other malware on the user’s computer.

Countries targeted by malicious mailshots

Distribution of email antivirus verdicts by country, Q3 2015

There were some significant changes in the Top 3 countries targeted most often by mailshots in Q3 2015. Russia’s appearance in third place (7.56%) was the biggest surprise: its share grew by 2.82 p.p., pushing it up two places from fifth.

Germany (18.47%) remained on top, although its contribution dropped by 1.12 p.p. compared to Q2. Brazil ended the quarter in second place (11.7%) – the amount of malicious spam originating from there almost doubled compared to Q2.

The UK (4.56%), which was second in Q2, ended Q3 in sixth place.

Special features of malicious spam

In spam traffic at the beginning of September we came across a large-scale malicious mass mailing containing emails imitating a non-delivery auto-reply sent by an email server. The text and subject of the message looked very similar to an automatic notification; however, the sender address belonged to an individual, which raised doubts about the legitimacy of the email. The attached ZIP archive named Google_drive_1711 was also suspicious, because notifications from email services do not normally contain attachments. Closer inspection revealed that the archive contained Trojan-Downloader.JS.Agent.hhi, which in turn downloaded Backdoor.Win32.Androm.
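The signals described above (a message that looks like a mail-server non-delivery report but comes from a personal address and carries a ZIP archive, and JS/VBS/HTML attachments that reference ADODB.Stream to fetch and run a payload, as with the downloaders in the Top 10) can be combined into a simple mail-gateway triage. The following is an added example written for this page, not code from the report or from Kaspersky Lab. The message, addresses, indicator list and archive contents are constructed (the archive name Google_drive_1711 is the one the report mentions; the attachment body holds only the indicator strings, not a working script).

```python
"""Triage of an email dressed up as a mail-server non-delivery report.

Added example for this page; not code from the Securelist report or from
Kaspersky Lab. It checks three signals the report describes: an NDR-looking
subject from a personal sender address, an attachment on a 'delivery
notification', and JS/VBS/HTML attachments that reference ADODB.Stream or
WScript.Shell. The message, addresses and attachment contents below are
constructed; the indicator list is an assumption, not a published rule set.
"""
import email
import email.policy
import email.utils
import io
import re
import zipfile
from email.message import EmailMessage

NDR_SUBJECT = re.compile(
    r"undeliver|delivery (status|fail)|mail delivery|returned mail", re.I)
AUTOMATED_SENDERS = ("mailer-daemon", "postmaster", "noreply", "no-reply")
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".html", ".htm")
# Constructed indicator list: strings the report ties to the downloaders.
SCRIPT_INDICATORS = {
    "adodb.stream": "file download/write via ADODB.Stream",
    "wscript.shell": "process execution via WScript.Shell",
    "msxml2.xmlhttp": "HTTP download via XMLHTTP",
    'http-equiv="refresh"': "HTML meta-refresh redirect",
}


def sender_is_automated(addr: str) -> bool:
    """True for addresses real mail systems use for automatic notifications."""
    local = addr.split("@", 1)[0].lower()
    return any(local.startswith(p) for p in AUTOMATED_SENDERS)


def scan_script(data: bytes) -> list:
    """Return descriptions of risky script indicators found in an attachment."""
    text = data.decode("latin-1", errors="replace").lower()
    return [desc for ind, desc in SCRIPT_INDICATORS.items() if ind in text]


def iter_attachments(msg):
    """Yield (name, bytes) for each attachment, unpacking ZIP archives one level."""
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        yield f"{name}/{info.filename}", zf.read(info)
                continue
            except zipfile.BadZipFile:
                pass  # not a valid archive: report the raw bytes instead
        yield name, data


def triage(raw: bytes) -> list:
    """Return a list of findings for one RFC 5322 message (empty = nothing odd)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    subject = str(msg.get("Subject", ""))
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    looks_like_ndr = bool(NDR_SUBJECT.search(subject))
    findings = []
    if looks_like_ndr and not sender_is_automated(from_addr):
        findings.append("NDR-style subject but sender is a personal address")
    attachments = list(iter_attachments(msg))
    if looks_like_ndr and attachments:
        findings.append("delivery notification carries an attachment")
    for name, data in attachments:
        if name.lower().endswith(SCRIPT_EXTS):
            findings.extend(f"{name}: {hit}" for hit in scan_script(data))
    return findings


def build_sample() -> bytes:
    """Constructed message modelled on the report's description, not a real capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder text carrying the indicator strings only; not working code.
        zf.writestr("Google_drive_1711.js",
                    "/* constructed sample */ ADODB.Stream WScript.Shell")
    msg = EmailMessage()
    msg["From"] = "Jane Example <jane.example@example.net>"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Mail delivery failed: returning message to sender"
    msg.set_content("This message was created automatically by mail delivery software.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Google_drive_1711.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample()):
        print("-", line)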


At the beginning of the third quarter cybercriminals were actively sending out emails in French containing macro viruses. The macros that we detected belonged to a category of Trojan downloaders and were used to download and install the banking Trojan Dridex on victim computers. To deceive the recipient, the fraudsters imitated a notification about the receipt of an order or an invoice.

In July, spammers exploited the theme of loans to spread malicious files that are now traditional for advertising spam. Some scammer emails offered a loan attracting potential customers with very favorable terms, low interest rates, etc. Other messages notified the recipient that his loan application had been approved. Interestingly, this content can also be seen in ordinary advertising spam, but malicious spam usually contains an attachment masquerading as detailed information about the loan.

Interestingly, malicious emails with Trojan-Downloader.Win32.Upatre in the attachment were sent to employees at different companies.


In Q3 2015, the Anti-Phishing system was triggered 36,300,537 times on computers of Kaspersky Lab users, which is 6 million times more than the previous quarter. Of them, 15,764,588 attempts were blocked by our heuristic detection components and 20,535,949 by signature detection components. 839,672 phishing wildcards were added to the Kaspersky Lab databases.

The country where the largest percentage of users is affected by phishing attacks was once again Brazil (21.7%). In Q3 2015, the share of those attacked increased by 11.33 p.p., meaning Brazil returned to the same sort of figures last seen in Q1.

Geography of phishing attacks*, Q3 2015

* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country

The percentage of attacked users in Japan and China also grew considerably (+10.9 p.p. and +7.85 p.p., respectively), which saw these countries ranked second and third in the rating.

Top 10 countries by percentage of users attacked:

Country % of users 1 Brazil 21.07 2 Japan 16.86 3 China 15.08 4 Vietnam 14.5 5 Bangladesh 13.32 6 Nigeria 13.05 7 Russia 12.91 8 Kazakhstan 12.85 9 India 12.44 10 Columbia 12.25 Organizations under attack

The statistics on phishing targets is based on detections of Kaspersky Lab’s anti-phishing component. It is activated every time a user enters a phishing page while information about it is not included in Kaspersky Lab databases. It does not matter how the user enters this page – by clicking the link contained in a phishing email or in the message in a social network or, for example, as a result of malware activity. After the activation of the security system, the user sees a banner in the browser warning about a potential threat.

In the third quarter of 2015, the ‘Global Internet portals’ category (30.93%) topped the rating of organizations attacked by phishers although its share decreased by 11.42 p.p. from the previous quarter. The share of ‘Social networking sites’ (21.44%) increased by 6.69 p.p. In third place came ‘Banks’ with 18.07% (+4.65 p.p.). The ‘Online games’ category also increased by half and accounted for 4.02%.

Distribution of organizations affected by phishing attacks, by category, Q3 2015

The proportion of phishing attacks on organizations in the ‘Cloud data storage’ category increased by 0.26 p.p. and amounted to 1.06%. Users are increasingly using cloud storage technology, thus attracting the attention of cybercriminals. The stolen information is used for blackmail, sold to third parties or used in targeted attacks.

This type of phishing is often distributed via email or social networks in the form of a message inviting users to download a document allegedly uploaded to a popular cloud service. Messages can arrive from a compromised account from a user’s friend list or, in the case of email, on behalf of a cloud service administrator.

Q3 2015, Anti-Phishing system was triggered more than 36M times on computers of @Kaspersky Lab users #KLReport


Phishing pages imitating well-known cloud storage sites are used to distribute various malicious programs. In such cases, a user automatically downloads a malicious program to his computer by clicking the link on the page.

Below is an example of an attack where the user is asked to download an important PDF document. The link in the email leads to a phishing page imitating the site of the popular cloud service Dropbox.

Example of a phishing attack targeting users of Dropbox

In addition to stealing data stored in the cloud and spreading malware, cybercriminals often use the Dropbox name to steal the victim’s email account data.

Example of a phishing page using the Dropbox brand

Here is yet another example of phishing, with the scammers trying to steal the user’s AppleID and password for iCloud.

Example of a phishing attack on iCloud users

Among other things, if successful, the attackers gain access to any content purchased by the user as well as his email account.

Top 3 organizations attacked

Fraudsters continue to focus the greatest part of their non-spear phishing attacks on the most popular brands. In this way they are trying to increase the chances of success for their latest phishing attack. In more than half of cases the heuristic component of Anti-Phishing is triggered when a user follows a link to phishing pages hiding behind the names of more than 30 well-known companies.

The Top 3 organizations most often attacked by phishers account for 26.39% of all phishing links detected in Q3 2015.

Organization % of all detected phishing links 1 Yahoo! 15.38 2 VKontakte 9.44 3 Facebook 8.95

In Q3 2015, the leading three organizations targeted by phishers saw a few changes. Yahoo! remained top with 15.38%, although its share almost halved (-13.65 p.p.). The Russian social networking site VKontakte (9.44%) came second. Facebook (8.95%) fell by 1.49 p.p. and moved from second to third place.


In Q3 of 2015, the percentage of spam in email traffic accounted for 54.2%, a 0.8 p.p. drop from the previous quarter. The Top 3 biggest sources of spam distributed worldwide were: the US (15.3%), Vietnam (8.4%) and China (7.2%).

The holiday season saw an increase in tourism-related malicious spam. Cybercriminals sent out fake notifications from well-known booking services, airlines and hotels, as well as emails from individuals. They typically included attached archives with different Trojan downloaders.

Trojan-Spy.HTML.Fraud.gen remained the most popular malicious program sent by email. As in the previous two quarters, the rating of the most popular malware families was topped by Upatre. Germany topped the ranking of countries whose users were most often targeted by mailshots – 18.5% of antivirus detections were registered there.

A particular feature of Q3 was a new trick used in phishing emails – in order to bypass spam filters they placed the text of the email and fraudulent link in an attached PDF document rather than in the message body.

In Q3, Kaspersky Lab solutions blocked more than 36 million attempts to follow links to phishing pages, which is 6 million more than in the previous quarter. The country where the largest percentage of users is affected by phishing attacks was once again Brazil (21.7%).

Beaches, carnivals and cybercrime: a look inside the Brazilian underground

Wed, 11/11/2015 - 09:58

 Download PDF version


The Brazilian criminal underground includes some of the world’s most active and creative perpetrators of cybercrime. Like their counterparts in China and Russia, their cyberattacks have a strong local flavor. To fully understand them you need spend time in the country and understand its language and culture.

The Brazilian underground generates quite a lot of cyberthreats – mainly banking Trojans and phishing campaigns. These attacks can be quite creative and are designed to reflect the local landscape. In 2014, Brazil was ranked the most dangerous country for financial attacks, and the Brazilian banking Trojan, the ChePro family, was ranked the second most widespread Trojan after ZeuS.

Countries most affected by banking Trojans in 2014

The picture for phishing attacks is not that different, with Brazil also ranked in first place worldwide. Not surprisingly, quite a number of the brands and companies that feature in the most frequently attacked list are Brazilian.

Countries most attacked by phishing attacks in 2014

Brazilian cybercriminals are adopting techniques that they have imported from Eastern Europe, inserting it into local malware to launch a series of geo-distributed attacks. These can include massive attacks against ISPs and modems and network devices or against popular, nationwide payment systems such as Boletos.

To understand what is going on in the Brazilian cybercriminal underground, we would like to take you on a journey into their world, to explore their attack strategy and their state of mind. We will look at the underworld market for stolen credit cards and personal data, the new techniques used in local malware and the ways in which they are cooperating with criminal in other countries.

For many people, Brazil is a country famous for its culture, beaches, samba and carnivals. For security professionals, it is equally renown as a prominent source of Banking Trojans.

Like Bonnie and Clyde: living the crazy life

The first impression you get is that Brazilian criminals like to flaunt how much money they have stolen and the high life they lead as a result of this. They compare themselves to Robin Hood: stealing from the ‘rich’ (in their eyes the banks, the financial systems and the government), in favor of the ‘poor’ (themselves). This is a widely-held conviction: they don’t regard themselves as stealing from individuals who bank online, but from the banks, since, according to local laws financial institutions are obliged to reimburse the victim for any money lost through theft.

There is a widespread sense of impunity, especially because, until recently cyber-crime was not legally defined as criminal activity under Brazilian law. The Carolina Dieckman law (named after a famous actress whose nude pictures were stolen from her computer) was approved in 2013, but the law is not very effective in punishing cybercriminals as the penalties are too lenient and the judicial system is very slow. It is very common for attackers to be arrested three or four times only to be released again without charge. The lack of effective legislation to combat cybercrime and high levels of police corruption provide the icing on the cake.

A strong indicator of just how immune to prosecution the cyber-criminals feel can be seen in the fact that it’s very easy to find videos and pictures of them online or to access their profiles on social networking sites. Invariably, they can be seen flaunting what appears to be stolen money, celebrating the high life, paying for prostitutes in Rio during the carnival, and more.

Brazil has achieved worldwide notoriety as a place where many ‘Bonnie and Clyde’ types are living decadent lives. How much do they steal? Quite a lot. According to the Brazilian Federation of Banks (FEBRABAN), in 2012 local banks lost 1.4 billion of reais (around US$500 million) paying for fraud perpetrated via Internet banking, by telephone, or through credit card cloning.

The target audience for cybercrime in Brazil is significant: the country has more than 100 million Internet users, 141 million citizens eligible to use Brazil’s e-voting system and more than 50 million people who use Internet banking services daily.

There are online videos celebrating the criminal life, like this song, the “Hacker’s Rap”. The lyrics celebrate the life of the criminals who use their knowledge to steal bank accounts and passwords:

The lyrics say: “I’m a virtual terrorist, a criminal; on the internet I spread terror, have nervous fingers; I’ll invade your PC, so heads up; you lose ‘playboy’, now your passwords are mine”.

Card-skimmers also celebrate and flaunt their profits in the “Cloned credit card rap”, also available on Youtube:

The lyrics include the words: “You work or you steal, we cloned the cards, I’m a 171, a professional fraudster and cloner, we steal from the rich, like Robin Hood, I’m a Raul…”

Recently the Brazilian Federal Police arrested the owner of a three million reais luxury mansion bought with funds stolen using Boleto malware. In Brazil, cybercrime pays, and pays very well.

C2C: Cybercrime to Cybercrime

As is the case with other underground fraternities, Brazilian cybercriminals are organized in small or medium-sized groups, each with their own expertise, selling their services to each other or working together. ‘Independent’ criminals are also common, but in general, most need to collaborate to do business.

The most common channels used by the Brazilian underworld to negotiate, buy and sell services or malware are Internet Relay Chat (IRC) channels. Some of them also use social networks such as Twitter and Facebook, but most of the juicy content is hidden inside IRC channels and closed forums that you can only join by invitation or with endorsement from an existing member. In these IRC chats criminals exchange data about attacks, hire out services among themselves, and sell personal data from hacked websites, while coders sell their malware and spammers sell their databases and services. These are true C2C (Cybercrime to Cybercrime) operations. The two most popular IRC networks used for such activity are FullNetwork and SilverLords.

However, a very common problem among the criminal fraternity is what it calls “calote” or deadbeats – those people who steal from the thieves, who buy criminal services or software underground without paying the seller. Revenge is taken quickly and in one of two ways. Firstly, the bad player may be “doxed”: their real identity published with the aim of alerting Law Enforcement. Secondly, they may find their name added to a big reputation database of bad and good debtors. This ‘black’ and ‘white’ list enables the ‘community’ to protect itself by checking out the reputation of a customer before doing business with them.

An underground reputation system from protection against deadbeats

“Doxing” and other attacks on competing gangs are common among the Brazilian underground – some groups even celebrate the arrest of other cyber-crooks. That’s what happened with Alexandre Pereira Barros, responsible for the SilverLords network. He and three other cybercriminals were arrested by the Brazilian Federal Police in April 2013 after a series of fraud attacks against financial systems, credit card cloning, hacktivism attacks, and more. The group owned a lottery retailer in the state of Goias, responsible for theft of $250.000. To ‘celebrate’ their arrest, other criminals posted a video on Youtube, in revenge for unpaid debts:

Brazilian cybercriminals arrested in 2013 – unfortunately, they did not end up in jail after all

A typical Brazilian cybercrime group include four or five members, but some groups can be bigger than that. Each member has their own role. The main character in this scenario is the “coder”, the person responsible for developing the malware, buying exploits, creating a quality assurance system for the malware and building a statistical system that will be used by the group to count victims; and then putting everything in a package that can be easily negotiated and used by other criminals. Some coders don’t limit themselves to a single group and may work with several, and most prefer to not get their hands dirty with any stolen money. Their earnings come from selling their creations to other criminals. A coder could be a leader of a group, but this is not common. They are rarely arrested.

Every group has one or two spammers, responsible for buying mailing lists, buying VPSs and designing the “engenharia” (the social engineering used in the mail messages sent to the victims). Their role also involves spreading the infection as widely as possible. It´s common to find spammers with experience in the defacement of web servers that then allow them to insert a malicious iframe into infected websites. Spammers don’t have a fixed salary: their earnings come from the number of people infected. That is why the coder needs to build a victim-counter into the malware, as this information is used to calculate how much the spammer will receive.

The group also has a recruiter, responsible for hiring the money mules (also known as “laranjas”). This is a very important task because this person will be in direct contact with people or hold responsibility for external activities, such as for coordinating the things necessary for transferring the money or withdrawing it from ATMs, paying the bills (generally at a lottery house) or receiving the products bought online with the stolen credit cards – do the “correria” (foray). It´s common for the people in this role to recruit their own family members to work as money mules, as they can earn up to 30% of the sums stolen and distributed among the money mule accounts. Generally, the money mules are the first to be arrested in police operations, followed by the recruiter.

The real leader of the group is responsible for coordinating the other members and all the activites, negotiating new “KLs” (keyloggers) with a coder, requesting a new “engenharia” from the spammers, or do the “correria” with recruiters. They are also responsible for recruiting new members to the group and negotiating their wares in with other criminal groups. Roles are not fixed; some members may perform a number of functions and work with more than one group, and their earnings may vary. Some criminals prefer to work independently, selling their services and goodies to several groups.

And some criminals have opened web stores to sell their goods and promote their services in a better and more user-friendly way. In these stores one can buy cryptors, hosting services, coding services for new Trojans, etc. That was the purpose of the “BlackStore” (now offline). Let’s check the prices of their ‘goodies’:

A “crypter” 100% undetected, R$ 100 (U$ 30.00)

  • Compatible with Delphi and VB
  • 100% undetected by 30 AVs
  • Compatible with more than 98 RATs
  • Compatible with more than 73 botnets
  • 30 days of crypter services

Hosting: US$17
A perfect place to host your phishing attack or malware, or even a malicious script.

  • Fast hosting
  • Unlimited MySQL
  • Domain already included
  • Mail accounts
  • 24/7 support

Coding services: US$170
“We turn your idea in something concrete. Just bring us what you have in mind, your project or application, we’ll code it! We work with:
coding from desktop
web programming
compatible with all OSs
compatible with all browsers
system free of bugs
license system”

    Tester of stolen credit cards: US$130
    “Check out the most recent and updated credit card tester, made for the CCS test, without the CVV data”

    • Test Visa, Master, Diners, Elo
    • Clean and beautiful design
    • Source code clean, without bugs

    Check out the pictures of the application on our database!”

    DNS Network US$1500
    Most advanced system. The change of the DNS allows for real-time changes on the victim’s computer

    • Open popup when accessing a website
    • Open a fake page when visiting a certain website
    • Sniff all the communication server-client
    • Insert iframes with Adsense
    • Insert banners to of fakecredit card giveaways
    • Complete admin panel

    Malicious Java applet: US$25
    System most used to infect. Using Java applets you can infect dozens of people easily.

    • Control panel
    • Stats
    • More than 10 domains with direct link
    • 100% undetected

    Viral Facebook: US$20
    New viral on Facebook, the most versatile system to “Like” + “Share”. Spread a malicious link fast, using few “share” your viral spread quickly. We offer a complete pack + domain + hosting

      VPS Spam sender: US$20
      “The most powerful system to send spam at the moment. VPS sending 30.000 messages in 30 minutes.”

      • all configurations possible
      • reboot, format and turning off options
      • include scripts to send spam

      SPAM PHP system: US$10
      Spam PHP for those who want to make a small investment, great tool for those who want a basic spamming system, for beginners.

      • 20,000 spam per hour
      • 30 days warranty
      • 80% of messages delivered

      KL (Keylogger): US$ 300
      “Keylogger for those who want quality in stolen banking information. With an admin panel to check all infections, saving the info in your mail”

      Targeted banks:

      • HSBC
      • Itau
      • Caixa

      As a “professional” store, they also offer a receipt for your purchases:

      Honest thieves: proof of your underground purchases

      The professionalization of organized cybercrime, as observed in Eastern Europe, is now adopted by the Brazilian crime underground. Investment in technology and marketing is aimed at increasing their profits. In some closed forums criminals have even started advertising their services in a clear attempt to attract newcomers not used to developing their own tools:

      The text says: “Buying any social engineering kit you also earn kits for banker, credit card and frequent flyer miles. 1 million free spam messages, from Bruno Dias smart solutions”. Other services that are increasingly offered include websites offering “malware as service”, cryptors, FUDs (fully undetected malware) and a complete system to manage information about stolen banking accounts:

      “FUD as a service”, encryption service for already detected trojans

      An “admin panel” manages the complete system that allow attackers to control infected machines, collect banking data, and bypass two-factor authentication (2FA) in any form (SMS, token, OTPs (one-time password cards) and more). Some systems also allow for the control of websites and domains used to spread the malware and to send spam and manage mail lists, all in a single solution.

      Remote access tool sold on the underground intended to bypass the 2FA of Brazilian banks

      The goods on offer also include DDoS attacks. Using the power of thousands of infected computers it’s not difficult to perform a distributed denial of service for other criminals, using SYN flood, amplified UDP, and more. The prices are listed below: 300 seconds: $8.3; 450 seconds: $13; 1000 seconds: $28; 3600 seconds: $40.

      DDoS for hire: takedown your target paying by seconds of attacks

      How much does your credit card cost?

      Credit card dumps are among the most valuable data exchanged among criminals. These have often been cloned in different ways, including chupa cabras (skimmers) on ATMs and point-of-sale terminals, phishing pages, keyloggers installed on victims’ PCs, and more.

      Brazil has one of the highest concentrations of ATM terminals, according to the World Bank. There are more than 160,000 opportunities for fraudsters to install a skimmer (also known as a “Chupa Cabra device”), and they do this all the time. Even during the day you can see them hanging about, wearing flip-flops and beachwear and in a very relaxed mood, installing skimmers in a crowded bank:

      When it comes to credit card cloning, Brazil has some of the most creative and active criminals. Fortunately, most of the cards in use have CHIP and PIN technology built in. Despite recent news revealing some security flaws in this protocol, CHIP and PIN cards are still more secure and harder to clone than magnetic swipe cards. Because these EMV chips are used all over the country, most of the cloning activity happens online, using phishing attacks, fake bank pages, fake giveaways and compromised e-commerce portals, offering an expensive product for very attractive price. If you are engaged in any type of online business, sooner or later your card will be attacked: via phishing or through compromise of the e-commerce portal.

      These highly sought-after dumps are sold online through specialized websites or even through IRC channels. And it’s not just carders and cybercriminals who are involved in this underground business, but many ‘traditional’ criminals connected to drug trafficking and other illegal activities.

      The price of a cloned credit card depends in the bank, the country of origin, etc.

      • Infinity: flags such as American Express or international cards are sold at $42 apiece
      • Platinum: cards from multinational banks, $40 apiece
      • Black: cards by $30 apiece
      • Gold/ Premier: $25 apiece
      • Classic: from national banks, $22 apiece

      Ad of a criminal selling dumps of stolen credit cards: you can even pay for it with your own credit card

      Data breach incidents fueling cyberattacks

      The Brazilian underground is hungry for personal data – and this allows cybercriminals to monetize identity theft, offering opportunities to buy products using “laranjas” or money mules, or even collect this data to empty your bank account, as several online services ask for personal data to confirm a customer’s identity.

      Unfortunately, the country does not yet have specific laws in place to protect personal data – at this time politicians are still evaluating their options. As a result, data breaches in government organizations and private companies are widespread. Affected businesses currently are not obligated by law to contact customers affected by the breach or even to inform them that an incident has taken place.

      Recently, we observed some very serious data breach incidents affecting major websites, and involving databases from the government, Receita Federal (IRS) and other institutions. It is common to find leaked databases being sold underground, such as the database of DETRAN (Traffic Department), with data on five million citizens costing only US$50:

      Flaws on government websites are critical. In 2011 two very serious flaws in the Labor Ministry website exposed an entire database with six months’ worth of data on every citizen in the country. A flaw in the website’s security left sensitive data out in the open, with only a CPF number (Brazilian SSN) required to obtain further information about a person.

      The CPF is one of the most important documents for anyone living in Brazil. The number is unique and is a prerequisite for a series of tasks like opening bank accounts, to get or renew a driver’s license, buy or sell real estate, obtain loans, apply for a jobs (especially in the public sector), and to get a passport or credit cards. Leaked data makes it possible for a cybercriminal to impersonate the victim and to steal their identity in order to, for example, get a loan from a bank.

      This is a case of where a data leak meets the phishers. Information of such quality can only be obtained through data leak incidents. Not surprisingly, it is common for the Brazilian media to spot criminals selling CDs carrying data from the Brazilian IRS system which includes a lot of sensitive data, including the CPF numbers. You can find criminals selling CDs full of leaked database from several sources for a mere $100. As a result of such data breaches, Brazilian phishers have created attacks with messages displaying the complete name and the CPF number of the victim in an attempt to add legitimacy to a fake message. Attacks such this one have happened regularly since 2011:

      A phishing message displaying the complete name of the victim and their CPF number

      The abundance of personal data leaked from several sources has allowed Brazilian criminals to establish online services offering a searchable database with personal data from millions of citizens. Despite the efforts of the authorities to take down such websites, new services are created every month.

      Having the CPF number is enough to find all your personal data

      The problem of data brokers

      Another problem related to the bad management of personal data is “Data brokers”, companies that collect information and then sell it on to companies that use it to target advertising and marketing at specific groups; or to verify a person’s identity for the purpose of fraud detection; or to sell to individuals and organizations so they can research particular individuals.

Local companies such as Serasa (now acquired by Experian) are a common target of phishers and malware authors. As they offer the biggest fraud-protection database in the country and carry a complete profile of personal data for every citizen, stolen credentials for accessing this database are valuable among fraudsters.

So, not surprisingly, many fraudsters resell the results of their access to data broker services, obtained using stolen customer credentials, in packs that cost US$30 per 15 days or US$50 for 30 days of full access:

      Other criminals go further, and build their own data broker services. Owners of these services market them to other fraudsters, offering a comprehensive package to search databases leaked from the government as well as those obtained from private sources. Such widespread activity gives the impression that in Brazil cybercrime will always be able to reach you, one way or another.

Government and data broker databases together in the same underground service

To advertise their services, fraudsters use all channels, even social networks like Facebook. In a dossier published by Tecmundo, evidence was found of public employees involved in the scheme, selling databases and credentials.

Access to a stolen data service advertised on Facebook

How a phishing attack compromised the Amazon forest

      Could you imagine a phishing attack compromising the biggest rainforest in the world? That is what happened with IBAMA, the Brazilian Institute of Environment and Renewable Natural Resources. IBAMA is responsible for limiting the cutting of hardwood trees in the Amazon region, ensuring that only authorized companies are able to do that.

In a series of attacks against IBAMA’s employees (probably using phishing emails like the one below), Brazilian criminals were able to steal credentials and break into IBAMA’s online system. They then unlocked 23 companies previously suspended for environmental crimes, allowing them to resume extracting wood from the forest. In just 10 days these companies extracted $11 million in wood. The number of trees cut illegally was enough to fill 1,400 trucks.

Phishing page of IBAMA: used to steal credentials and cut wood in the forest

      Underground cooperation with Eastern Europe

      We have sufficient evidence that Brazilian criminals are cooperating with the Eastern European gangs involved with ZeuS, SpyEye and other banking Trojans created in the region. This collaboration directly affects the quality and threat-level of local Brazilian malware, as its authors are adding new techniques to their creations.

It’s not unusual to find Brazilian criminals on Russian underground forums looking for samples, buying new crimeware and ATM/PoS malware, or negotiating and offering their services. The first result of this cooperation can be seen in the development of new attacks such as the one affecting Boleto payments in Brazil.

      Brazilian bad guy writing in (very bad) Russian, selling access to 400 infected PoS devices

      They have also started to use the infrastructure of Eastern European criminals, sometimes buying bulletproof hosting or renting it. “João de Santo Cristo” (a fictional character that appears in a popular Brazilian tune) was one of them, buying and hosting 14 Boleto malware domains in Russia:

      Not surprisingly we have started to see Russian websites hacked into and hosting fake Boleto websites:

      These facts show how Brazilian cybercriminals are adopting new techniques as a result of collaboration with their European counterparts. We believe this is only the tip of the iceberg, as this kind of exchange tends to increase over the years as Brazilian crime develops and looks for new ways to attack businesses and regular people.

      Advances in local malware

      The contact with Eastern European cybercrime affects the quality of Brazilian malware. For example, we found in Boleto malware exactly the same encryption scheme that is used in payloads by ZeuS Gameover.

      Encrypted payload of Boleto malware: the same encryption used by ZeuS

      We also saw, for the first time, Brazilian malware using DGA (Domain Generation Algorithm). Trojan-Downloader.Win32.Crishi was one of them, distributed in messages like this one:

      Further evidence of advances in Brazilian malware due to the cooperation with Eastern European criminals can be seen in the use of fast flux domains in Boleto attacks.


Brazil is one of the most dynamic and challenging markets in the world due to its particular characteristics and its important position in Latin America. The constant monitoring of Brazilian cybercriminals’ malicious activities provides IT security companies with a good opportunity to discover new attacks related to financial malware. In some cases these attacks are unique, as happened with the use of malicious PAC files.

Message from the bad guys in a malicious PAC file to yours truly: a reaction to a good detection

      To have a complete understanding of the Brazilian cybercrime scene, antimalware companies need to pay close attention to the reality of the country, collect files locally, build local honeypots, and retain local analysts to monitor the attacks, mostly because it’s common for criminals to restrict the reach of the infection and distribution of their creations to Brazilian users. As happens in Russia and China, Brazilian criminals have created their own, unique reality that’s very hard to understand from the outside.

      Microsoft Security Updates October 2015

      Tue, 11/10/2015 - 17:13

Microsoft posted four critical bulletins today, along with another eight rated Important and lower. Microsoft’s summary is at the Technet site. All in all, the software maker is patching a large number of vulnerabilities this month, with 37 CVE-listed vulnerabilities being fixed by the four critical Bulletins alone. On the bright side, Microsoft claims that none of these vulnerabilities are being publicly exploited at the time of notification.

Software affected by the Bulletins rated critical is listed here (MS15-112, MS15-113, MS15-114, MS15-115):

      • Web browsers Microsoft Edge and Internet Explorer
      • Windows Journal
• Windows’ font handling code

Software affected by the Bulletins rated important is listed here (MS15-116, MS15-117, MS15-118, MS15-119, MS15-120, MS15-121, MS15-122, MS15-123):

      • Microsoft Office
      • Windows NDIS, IPSEC, Schannel, and winsock (network software)
      • Microsoft .NET Framework
      • Kerberos
      • Services on Sharepoint and Office Web Apps
      • Skype for Business and Microsoft Lync

Of the Bulletins rated “Important”, 16 CVE-listed vulnerabilities are being fixed.


For you travelers aware of your own operational security and shunners of PGP, it’s interesting that Bulletin MS15-122 provides fixes against BitLocker-encrypted drive attacks.

      According to Microsoft, “Kerberos fails to check the password change of a user signing into a workstation. An attacker could bypass Kerberos authentication on a target machine and decrypt drives protected by BitLocker.
      An attacker who has physical access to a target machine could bypass Kerberos authentication by connecting a workstation to a malicious Kerberos Key Distribution Center (KDC).

      The following mitigating factors may be helpful in your situation:

      • This bypass can be exploited only if the target system has BitLocker enabled without a PIN or USB key.
      • A domain user must be logged on to the target machine for the attack to succeed.”

      Its reporter, Ian Haken, will be presenting the attack in a couple of days at BlackHat EU in Amsterdam.

      Significant updates today also include Google announcing their deprecation of support for the Chrome browser on Windows XP and Windows Vista, along with Mac OS X 10.6, 10.7, and 10.8. While some organizations in the ICS or health care space may want to continue running their investment into these systems on their plant floors or facilities, this deprecation is another reason to upgrade those systems.

      Disbanding the ‘Zoo’

      Tue, 11/10/2015 - 06:00

      Virtualized environments are exceptionally flexible, manageable, fault-tolerant and cost-effective. However, a number of difficulties have to be overcome to protect them from external threats. If this is not done successfully, problems will inevitably arise. This is true of individual virtual machines, as well as the data center as a whole.

      Unfortunately, malware infections are a common occurrence in virtualized systems, particularly in VDI environments: customers’ employees do whatever they like on their virtual workstations without worrying about cyber-hygiene, believing that both their own IT department and the service provider will effectively block any malware.

      It should be noted that, in most cases, the provider is not allowed access to customer machines and has to demand that customers use their own protection. Many customers, though not all, take a responsible approach and install endpoint protection solutions of their choice on their machines.

      Sometimes, however, in spite of the provider’s recurring requests, customers resign themselves to the risk and do absolutely nothing about protection. There is no doubt that the provider will ultimately have to deal with all the problems arising from this approach. As a result, this turns into a major undertaking for the provider, who will have to change its protection strategy completely. (More information about security-related business problems faced by data centers can be found here.)

      In virtualized data centers, information is stored and processed on virtual machines and in data storage systems. These are completely different technologies that require different approaches to protection, each having many subtle aspects.

      The nuances of protecting virtualized environments

      As mentioned above, if the service provider does not provide protection for customers’ virtual machines, customers will do it on their own, each in their own individual way. On the one hand, this is not a bad thing; each customer can choose a security solution that suits their needs. However, in practice, this approach is not only inefficient; the resulting chaotic ‘zoo’ of solutions on customer machines creates numerous problems of its own:

      • Excessive use of hardware resources. The security system on each machine includes a complete set of components: an antivirus engine, a signature database, a firewall, etc. Each takes up its share of CPU time, RAM and disk space.
      • ‘Storms’. If scanning for malware is performed or antivirus databases are updated on several virtual machines at the same time, this leads to a surge in resource consumption, which can result in degradation of the entire platform’s performance or even in denial of service. Security software can of course be manually configured to avoid storms, but the time required to do this for hundreds of virtual machines will be very significant.
      • Panic attacks. A security system is often configured to step up protection when malware is detected on a machine. A ‘paranoid’ set of security rules is activated and out-of-schedule scans are launched. This can increase the load on the host machine’s hardware and negatively affect the performance of neighboring virtual machines.
      • ‘Instant-on’ security gap. Virtual machines often remain inactive until they are started up when the need arises. While a machine is inactive, none of the security system components on it are updated and the machine remains vulnerable during the period from startup until an anti-malware solution update is completed.
      • Incompatibility. Virtual machines are similar to physical computers in many ways, but they are also different in some significant aspects of their operation. For example, they use dynamic hard disks and can migrate from one server to another without shutting down. Standard security systems for physical machines are not designed with virtualized systems in mind. This can lead to delays, faulty operation or even complete inability to operate.

      All these issues will ultimately have to be addressed by the service provider – and on a regular basis. There is only one way to avoid this – prevent this ‘zoo’ from being created in the first place by putting customers in a situation where they have to choose between several proven dedicated security solutions for virtualized environments.

      With or without an agent?

      The key advantage of virtualization security systems like Kaspersky Security for Virtualization lies in the fact that the engine and the anti-malware databases are hosted on a separate virtual machine (Security Virtual Appliance, SVA) which provides protection for all machines running on the hypervisor.

      This solution has obvious advantages: hundreds of machines can be protected by just one anti-malware engine running on the SVA, which operates all the time and receives timely updates. This means all machines receive a high level of protection, while the VM scanning schedule is designed to preclude any excess load on the environment.

      Virtualization security software can be implemented in two substantially different ways: agent-based (light agent) or agentless. Customers have the freedom to choose the one that best suits their needs, or even combine the two.

The agentless security solution has all of its components running on the SVA, and has a number of serious limitations. It is only designed to operate in environments based on VMware products, and is not capable of working with processes running in virtual machine memory, so it only scans the file system and incoming network traffic. In other words, it can only scan files and block network attacks. In some cases, this is sufficient. An agentless solution also provides almost instant protection of virtual machines immediately after they are launched, and no software needs to be installed on the customer’s machines.

      The agentless approach to securing virtual environments, based on the solution Kaspersky Security for Virtualization | Agentless

The light agent-based security system provides the entire range of security technologies (working with memory processes, application control, web browser protection, etc.) without using up many resources, as the scan engine and the databases are hosted on the SVA. Such an approach provides functionality similar to Endpoint Protection-class solutions, while also being optimized and tested for virtual environments. However, a lightweight agent needs to be installed on each virtual machine so that the security solution has full access to the system. This can be seen as an inconvenience, but many virtualization scenarios allow the use of VM templates; in this case, the agent can be pre-installed in the template, so every VM spawned from it has the agent as well and receives instant protection right after being started.

      The light agent-based approach to securing virtual environments, based on the solution Kaspersky Security for Virtualization | Light Agent

      The choice between these two types of solutions depends on the accompanying circumstances.

      Often the provider cannot guarantee the presence of a security solution at the customer’s facility, which potentially creates a gap in data center security. The customer may also have reasons for not allowing any third-party software to be installed on their machines. In this case, the agentless security solution is the optimal choice.

      In other cases, the provider and the customer agree from the outset that a security solution will be installed on the virtual machines from a shortlist of tested and approved solutions. In this case, it is best to use specialized light agent-based security systems for virtual environments. This will provide the maximum level of security with minimum collateral problems.

      A special case is that of a virtual desktop infrastructure (VDI) hosted in a data center. When virtual machines are used as workstations, each of them is exposed to a multitude of threats during everyday operations. An employee may pick up a malware program when visiting a dangerous website or receive an email with a malicious attachment, while it is not uncommon for malware to spread from a removable media device that has passed between other users.

      When such a broad range of potential infection vectors is present, an agentless solution will be insufficient: with its limited functionality, the risk of infection is much higher. If an infection is detected, it will most probably happen too late to prevent any damage. On the other hand, a light agent-based security system is capable of protecting against a much broader range of threats by checking programs that are launched, preemptively blocking a user’s access to dangerous websites, and controlling the processes running in the system.

      A third, more resource-intensive, protection option for virtual machines also exists – a ‘regular’, full-agent endpoint protection-class security product. This is a viable choice if there is no access to the hypervisor (e.g. in public clouds such as Amazon or Azure), or if a more obscure hypervisor is used at the data center that is incompatible with specialized security solutions. And finally, these ‘regular’ security systems are developed for a broader range of operating systems. For instance, they can be used to protect virtual machines running under Mac OS.

      It should be noted that a security system that is not designed to work in a virtual environment may not be fully compatible with specific virtual machines and may not work properly or may not work at all. Solving these types of issues can take considerable time.

Taking care of data storage

An infected network storage system puts the entire data center at risk, and if anything requires anti-malware protection, it is data storage systems. If this need is not fulfilled, an epidemic may break out, especially if not all the machines located at the data center are connected to a security solution for virtual environments.

      Storage Area Networks (SAN) are very easy to protect – all it takes is a security system on the server. This is no different from protecting any other server; in this case, a server solution is implemented, such as Kaspersky Security for File Servers. Things are different with Network Attached Storage (NAS), which all machines in the network are granted instant access to. In this case, a specialized NAS security solution is required.

      Network data storage types

Data stored on NAS needs to be protected before it is made available to customer machines, meaning support on the NAS side is required. Luckily, most NAS systems support a number of special protocols and are able to work with external security solutions.

      Diagram showing how a NAS protection solution works

      When a customer requests a file from NAS (1), the storage sends it to the security system’s server (2). The server scans the file and reports the result to the storage (3). Depending on the security solution’s verdict, NAS provides the file to the customer or denies access (4). For greater reliability, more than one security server can be present in a network. During normal operation, the data storage itself will balance the load between them.
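An added simulation (not Kaspersky code) of the four-step flow above, with round-robin balancing across scan servers on the storage side; the server names, the signature marker and the fail-closed choice when no scanner answers are assumptions made for this illustration.

```python
"""Added example (not Kaspersky code): simulation of the NAS access-control
flow, steps (1) to (4), with storage-side balancing across several scan
servers. Names, the marker and the fail-closed choice are assumptions."""
import hashlib
from itertools import cycle

# Constructed "signature": any file containing this marker counts as infected.
MALWARE_MARKER = b"CONSTRUCTED-MALWARE-MARKER"


class ScanServer:
    """The security system's server: receives a file, returns a verdict."""

    def __init__(self, name, healthy=True):
        self.name, self.healthy = name, healthy
        self.scanned = 0

    def scan(self, data):
        if not self.healthy:                      # simulates an unreachable server
            raise ConnectionError(self.name)
        self.scanned += 1
        return "infected" if MALWARE_MARKER in data else "clean"


class NasGateway:
    """The storage side: every client read passes through the scan step."""

    def __init__(self, files, scanners):
        self.files = files                        # path -> bytes
        self.scanners = list(scanners)
        self._ring = cycle(self.scanners)         # round-robin balancing
        self.verdicts = {}                        # (path, sha256) -> verdict cache
        self.audit = []                           # one record per request

    def _scan(self, data):
        """Try the servers in turn; skip those that do not answer."""
        for _ in range(len(self.scanners)):
            server = next(self._ring)
            try:
                return server.scan(data), server.name
            except ConnectionError:
                continue
        return "unavailable", None               # no server answered

    def request(self, client, path):
        """(1) client asks for a file; returns its bytes or None if denied."""
        data = self.files.get(path)
        if data is None:
            return None
        key = (path, hashlib.sha256(data).hexdigest())  # changed content -> rescan
        if key in self.verdicts:
            verdict, server = self.verdicts[key], "cache"
        else:
            verdict, server = self._scan(data)          # (2) file goes to a scan server
            if verdict in ("clean", "infected"):
                self.verdicts[key] = verdict           # (3) verdict reported back
        # (4) storage decides; assumption: fail closed when no server is reachable
        allowed = verdict == "clean"
        self.audit.append({"client": client, "path": path, "verdict": verdict,
                           "server": server, "allowed": allowed})
        return data if allowed else None


def demo():
    """Constructed scenario: two scan servers, one of them down."""
    files = {"report.docx": b"quarterly figures", "invoice.exe": b"MZ" + MALWARE_MARKER}
    scanners = [ScanServer("scan-a"), ScanServer("scan-b", healthy=False)]
    nas = NasGateway(files, scanners)
    nas.request("alice", "report.docx")   # scan-a answers: clean, delivered
    nas.request("bob", "invoice.exe")     # scan-b skipped, scan-a: infected, denied
    nas.request("carol", "report.docx")   # served from the verdict cache
    return nas
```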


      When it comes to securing virtualized data centers, there is no silver bullet solution, nor can there be one, that would ideally solve all problems. What is possible is to choose the optimum security system based on all the relevant factors.

      An agentless solution is best for protecting database servers, intranet web servers and machines that are not allowed to host any software besides a fixed set of applications.

      If the customer has a choice of several specialized security solutions pre-approved by the provider, a light agent solution is the best option. This will meet the needs of protecting web servers, virtual workstations, and sensitive data processing servers.

      Flexibility is particularly relevant when protecting virtual environments, so Kaspersky Lab provides both solutions – the agentless solution and the light agent solution – under one license. This gives the customer a choice between these two variants, and the capability to combine them when necessary, e.g. in environments with different hypervisors, or to address a variety of tasks more efficiently. More detailed information is available here.

      The most important thing is to ensure that protection issues are addressed before any annoying and costly problems arise.

      The Power of V&V

      Mon, 11/09/2015 - 04:57

      A secure system – especially a system that is used to provide security – has to be trusted. But what underpins that trust? What proof do we have that the main components of our trusted system are implemented properly and won’t fail at a critical moment? We mentioned this point in our last article about Secure OS and, as promised, we return to it here.

      Verification and validation (V&V) are applied to assure that software (or the whole system or appliance) truly possesses the stated properties. Although these terms (V&V) sound quite similar and are used in conjunction with each other, they have quite different meanings. Let’s recap.

      Verification is the process used to determine whether the outcome of a given stage of product development (i.e. software development) conforms exactly to the requirements set at the beginning of the stage.

      Validation is the process used to determine whether the product (computer program, operating system, appliance etc.) satisfies its intended use and user needs. Requirements, lifecycle processes and other supporting artifacts can also be validated for their conformance to the expected results.

      Put simply, verification asks, “Have we implemented the system properly?” while validation tries to find out “Did we implement the proper system?” And while the second question requires the involvement of an expert (whose opinion forms the basis for the whole scope of validation issues, from requirement validation to the final integration test), the first question has to be addressed mainly using formal methods.

Indeed, one cannot exist without the other. The system can only be verified with regard to a concrete property, for example, evidence that the program does not suffer from deadlocks. The fact that this property makes sense should be validated. Furthermore, verification can be performed in a trivial way by restricting the ability to lock resources – but this may disrupt the integrity of those resources. Therefore, we have to validate an additional condition. In some cases the property definition can also be the subject of verification if the expert requirements can be appropriately formalized into the verification goal.

      To envision the process of verification you can try imagining a sort of “magic evaluator” ready at the push of a button to perform an assessment of any given source code: Is the code valid or not? Is it safe or not? And so on. But even this sort of ideal raises a number of questions. The first of them being: what will we actually prove? What statements is verification capable of making evident? The correctness, completeness, data consistency, accuracy and safety of execution… It has been shown that all the properties might be represented as a composition of two basic properties – the ‘safety’ property and the ‘liveness’ property. The safety property stipulates that the system cannot reach a specific (unsafe) state. Put another way, this means “something bad will never happen”. The liveness property, on the other hand, guarantees that after a finite run the system will reach some defined state – in other words, “something good will definitely happen”.

      However, awareness of the decomposition possibility of the verification goal is one thing, while the correct and valid representation of such a decomposed goal without loss of sense is, clearly, another. Sometimes, attempting rule decomposition for a system model results in a negative effect: the model hangs in the safety part of the rule without being able to establish the liveness part. This imposes additional conditions on the decomposition process. In some other realistic scenarios, you have to address the “fairness property” in addition to safety and liveness (just like in real life).

To formalize the criteria defined in such a manner, classical or temporal logic is often used and, to verify the system properties according to these criteria, the appropriate programming languages. In particular, for classical logic clauses Prolog is quite popular, while for temporal logic the Promela language and the SPIN model checker are used. However, this is not the only way to define verification goals. The formal definition of correct program behavior and verification of this behavior is so specific and of such significance that in 1969 computer scientist and logician C. A. R. Hoare proposed a formal theory intended to establish the correctness of computer programs deductively. The basis of this theory is a set of logical rules defined in a way that imitates the semantics of imperative language constructions. Later, an approach to criteria specification was developed that even more closely resembles programming abstractions and supports further software design – design-by-contract programming.

      Another major issue is the choice of object for verification. Despite the fact that a verification procedure implies a precise evaluation, the right choice of object needs to be made for there to be confidence in the result.

      For example, one may choose a static system configuration – i.e. system parameters, applications and security policy restrictions – to verify. The evaluator accepts this data, performs the verification procedures according to the logical rules (based on expert knowledge) and generates ‘Pass’ or ‘Fail’ output. The evaluator may, for example, ascertain whether a certain kind of attack on the system is possible or if an unprivileged user can obtain unauthorized access to specific resources in the system, etc.

The verification of system configuration can ensure system behavior is trusted if system components are configured properly. This means that all system services and applications should run as specified and contain no bugs or vulnerabilities that could be exploited to affect the functioning of the whole system.[1]

However, the situation is often different in reality. Therefore, software internals need to be verified.[2] One thing is clear at this point: because software internals have many representation layers, the need to make the right choice appears once again. What object is to be verified, the high-level source code or the sequences of machine instructions? Is it necessary to consider the program environment, and how should this environment be modeled? Is examining the specific dependencies of low-level execution on the hardware platform of any value? And again, the choice depends on the verification goal and on the level of assurance required. Suppose you need to ensure the absence of a certain type of vulnerability in a piece of software (in most cases this can be interpreted as the safety problem mentioned above). Testing and static code analysis intended to find typical dangers are not usually considered formal verification methods[3] because they tend not to cover all possible situations (although exceptions do exist). To solve this problem with a verification method, you need to perform logical computations over the code constructions in order to make it evident that every continuous fragment of the program control flow graph (including all non-linear transitions) is not vulnerable to the given exploitation method. All that is required is to formalize, in a general way, the appropriate validity conditions and implement efficient evaluation algorithms for the entire program code.

      The issue may be further complicated by the lack of guarantees that a compiler will save the proven properties for the resultant machine code, and by the necessity of guaranteeing the properties originally defined for the low-level code. It is because of this complexity of verifying program code that the verification methods are applied to the code as simply and concisely as possible. Priority is given to the code of the operating system kernel and the code of the low-level services that underpin the security of the whole system.

      One promising approach to verification is by guaranteeing the security of some code properties (or setting the basis for such a guarantee) when the code is created. By demonstrating that a notation or programming language is capable of imparting the necessary characteristics to the program code, one can avoid the tedious checking procedures at least for these characteristics. Code generation minimizes human error (i.e. bugs) when creating software code. This is quite an effective approach that is currently only used for a limited number of algorithms in a specific context – at least until another more complicated task is solved. This task appears because we do not eliminate the code verification issue, but instead pass it to a higher level – the level of language (or compiler) verification. Therefore, we have to verify that the language is safe, meaning that all the constructions produced with this language are safe in the previous sense. This is a non-trivial task, but after being solved once it addresses verification issues for any code created using previously evaluated methods.

Another approach to implementing the verifiability of program code as it is created is to use the design-by-contract approach (contract-based programming). In this case, implementation starts by determining precise formal specifications of programming interfaces that prescribe preconditions (obligations accepted by the clients of interfaces), post-conditions (obligations accepted by the interface supplier) and invariants (obligations to preserve certain properties related to the interface). Many programming languages support design by contract natively or with third-party extensions (e.g. the C and Java languages).
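As an added illustration (not code from the article), the three kinds of obligation just listed implemented as small assumed helper decorators in Python, with a deliberately buggy method to show which party each check blames; the decorators and the TokenBucket class are constructed for this example, not any library's API.

```python
"""Added example, not from the article: design by contract in plain Python with
small assumed helper decorators (no library is implied). Preconditions bind the
caller, postconditions bind the supplier, and the class invariant must hold
before and after every public call."""
import functools


class ContractViolation(AssertionError):
    """Raised when a client or supplier breaks its obligation."""


def contract(requires=None, ensures=None):
    """requires(self, *args) is checked on entry; ensures(self, result, old, *args)
    on exit, where `old` is a snapshot of the object's attributes before the call."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(self, *args, **kw):
            if requires and not requires(self, *args, **kw):
                raise ContractViolation(f"precondition of {fn.__name__}: caller's fault")
            old = dict(vars(self))
            result = fn(self, *args, **kw)
            if ensures and not ensures(self, result, old, *args, **kw):
                raise ContractViolation(f"postcondition of {fn.__name__}: supplier's fault")
            return result
        return wrapper
    return deco


def invariant(check):
    """Class decorator: every public method must find and leave `check(self)` true."""
    def guard(fn):
        @functools.wraps(fn)
        def wrapper(self, *args, **kw):
            if not check(self):
                raise ContractViolation(f"invariant broken before {fn.__name__}")
            result = fn(self, *args, **kw)
            if not check(self):
                raise ContractViolation(f"invariant broken after {fn.__name__}")
            return result
        return wrapper

    def deco(cls):
        for name, attr in list(vars(cls).items()):
            if callable(attr) and not name.startswith("_"):
                setattr(cls, name, guard(attr))
        return cls
    return deco


@invariant(lambda self: 0 <= self.used <= self.capacity)
class TokenBucket:
    """A fixed budget of tokens (constructed example); `used` must stay in bounds."""

    def __init__(self, capacity):
        self.capacity, self.used = capacity, 0

    @contract(requires=lambda self, n: n > 0 and self.used + n <= self.capacity,
              ensures=lambda self, result, old, n: result is True
              and self.used == old["used"] + n)
    def take(self, n):
        self.used += n
        return True

    @contract(requires=lambda self, n: n > 0,
              ensures=lambda self, result, old, n: self.used == max(0, old["used"] - n))
    def refill(self, n):
        self.used = max(0, self.used - n)

    @contract(ensures=lambda self, result, old: self.used == 0)
    def reset(self):
        pass  # deliberate supplier bug: the postcondition exposes the missing reset
```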

“Laboratory verification” of the program code may cause complaints if the code behavior is affected to a large extent by the environment. Of course, it would be good if a system made from loosely coupled trusted components with properly defined interfaces could give a 100% guarantee that it will execute properly, but in real systems it is quite difficult to predict what influence the environment will have on individual components. In order to assess the correctness of the system it is necessary to resort to an analysis of the behavior of parallel components. Formal verification of whether a given logical formula is satisfied for a system with a parallel execution architecture is referred to as model checking. This method brings together existing knowledge and expertise in the software verification field, and is widely used throughout the world to evaluate existing hardware and software systems. The Turing Award has been given twice for work in the field of model checking. The first time was in 1996 to Amir Pnueli “for seminal work introducing temporal logic into computing science and for outstanding contributions to program and systems verification”. The second time was in 2007 to the three scientists Clarke, Emerson, and Sifakis “for their role in developing Model-Checking into a highly effective verification technology that is widely adopted in the hardware and software industries”.

      During the Turing Award ceremony in 2007, ACM President Stuart Feldman said about the model checking method: “This is a great example of an industry-transforming technology arising from highly theoretical research.” We can say with some certainty that if the future of all aspects of our life lies with technologies that are safe, secure and smart in all senses of the word, validation and verification methods provide the route to that future.

      It is impossible to cover all aspects of V&V in one article. For those who are particularly interested in the subject, we can recommend a paper by one of the pioneers of the model-checking approach, Edmund M. Clarke, ‘The Birth of Model Checking’, and his book ‘Model Checking’, co-authored with Orna Grumberg and Doron A. Peled, for a more in-depth exploration of the method. The best way to learn about aspects of safety, liveness and the other main properties is to refer to the original works listed in the paper by Ekkart Kindler, ‘Safety and Liveness Properties: A Survey’. The excellent monograph by G. Tel, ‘Introduction to distributed algorithms’, gives a detailed explanation of the formal representation and development of correct and dependable algorithms in complex systems.

      [1] This is the case when the validation of lifecycle processes (based on an awareness of possible vulnerabilities) may help to reject configuration verification as inappropriate or enter compensating measures (e.g. code analysis) to provide some guarantees for software implementation.

      [2] It should be noted that configuration verification and software verification are not interchangeable measures. While a check of the program code guarantees that it will be executed as expected, configuration checks ensure conformance to the required policy.

      [3] They are usually considered as validation methods.

      Surviving in an IoT-enabled world

      Thu, 11/05/2015 - 05:59

      Scare stories around the Internet of Things (IoT) conjure up images of bad guys in hoodies, who live for hacking and to make the lives of other people harder, inventing millions of ways to infiltrate your life through your gadgets. But is this perception a good enough reason to stop using smart devices? We don’t think so; we believe that customers should be aware of the potential risks and know how to mitigate them before embracing the IoT-enabled world.

      More than a year ago, our colleague from the Global Research and Analysis Team, David Jacoby, looked around his living room and decided to investigate how susceptible the devices he owned were to a cyber-attack. He discovered that almost all of them were vulnerable. So we asked ourselves: was that a coincidence, or are the smart ‘IoT’ products currently on the market really that exposed? To find the answer, earlier this year we gathered up a random selection of connected home devices and took a look at how they work.

      The devices we chose for our experiment were as follows:

      • a USB-dongle for video streaming (Google Chromecast);
      • a smartphone-controlled IP camera;
      • a smartphone-controlled coffee maker; and
      • a home security system, also smartphone-controlled.

      The task we set ourselves was simple: to find out whether any of those products posed a security threat to their owner. The results of our investigation provide much food for thought.

      Google Chromecast. IoT hacking for beginners

      Risk: the content on the victim’s screen is streamed from a source owned by an attacker

      Chromecast, which has recently been updated with a more advanced version, is an interesting device. It’s an inexpensive USB dongle that allows you to stream media from your smartphone or tablet to a TV or other display screen. It works like this: the user connects it to a television’s HDMI port in order to switch it on. After that the Chromecast launches its own Wi-Fi network for initial setup. Once it has established a connection with a smartphone or tablet, it switches its own Wi-Fi off and connects to the user’s home Wi-Fi network. It’s very convenient and user-friendly.

      But this could become less convenient and decidedly unfriendly if there is a hacker nearby. The famous “rickrolling” vulnerability, discovered by security consultant Dan Petro, proves that. It allows the content on the victim’s screen to stream from a source owned by an attacker. This is how it works: the attacker floods the device with special ‘disconnect’ requests from a rogue Raspberry Pi-based device and then, as the Chromecast turns on its own Wi-Fi module in response, the Chromecast is reconnected to the attacker’s device, which makes it stream the content the attacker wants.

      The only way to get rid of this is to switch off the TV, take the dongle out of range of your Wi-Fi hotspot and wait until the attacker gets bored and goes away.

      The only limitation to this attack is that the attacker needs to be within range of the Wi-Fi network to which the target Chromecast is connected. However, we discovered in our own experiment that this is not necessarily a restriction if you have a cheap directional Wi-Fi antenna and some Kali Linux software. When we used that, we found that Chromecast can be “rickrolled” across a far greater distance than the normal signal range of domestic Wi-Fi networks. What this means is that, while in the original hack by Dan Petro the attacker would run the risk of being spotted by an angry Chromecast owner, with a directional antenna that risk no longer exists.

      We don’t regard this “finding” as a new security discovery; it simply extends a previously-known and so far unpatched security issue. It’s an exercise for beginners in IoT hacking, although it could be used in a really harmful way – but we’ll get to that later. First we’ll go through the other findings of our brief research.

      Mitigation: use the device in remote parts of your house, as this will lower the risk of attacks with a directional antenna

      Status: Not patched

      IP camera. Issue one

      Risk: attackers get access to the email addresses of all the camera users who have experienced technical issues

      The IP camera we investigated was positioned by its vendor as a baby monitor. You put the camera in a nursery, download an app on your smartphone, connect the camera to the app and the Wi-Fi, and off you go: you can watch your child whenever you want, from anywhere you like.

      Why would someone want to hack a baby monitor, you may well ask? Actually, there are a number of recorded instances of baby monitor abuse dating back as early as 2013, with a similar issue reported in 2015. So yes, there are people who, for some reason, want to hack baby monitors.

      When we investigated our camera (in the spring of 2015) there were two different apps available that enabled customers to communicate with the camera. Both contained security issues. We were later to learn from the vendor that one of these apps was a legacy app; however, it was still being used by a number of camera owners. We discovered that this legacy app contained hardcoded credentials to a Gmail account.

      // Hardcoded SMTP account constants found in the legacy app (values redacted as in the post)
      public static final String EMAIL_FROM = "*****";
      public static final String EMAIL_PASSWORD = "*******";
      public static final String EMAIL_PORT = "465";
      public static final String EMAIL_SMTP_HOST = "";
      public static final String EMAIL_TO;
      public static final String EMAIL_TO_MAXIM = "";
      public static final String EMAIL_TO_PHILIPS = "*****";
      public static final String EMAIL_USERNAME = "*****";

      The vendor later told us that the account was used to collect reports on technical issues from the camera users.

      The problem here is that reports were being sent to this pre-installed account from users’ own email accounts. So an attacker would not even need to buy a camera; all they needed to do was download and reverse-engineer one of the apps to get access to the technical email account and collect the email addresses of all the camera users who had experienced technical issues. Is it a big issue that your email could have been exposed to a third party as a result of the exploitation of that vulnerability? It might be. However, realistically speaking, this vulnerability doesn’t appear to be a tempting target for mass-harvesting personal information, mainly because of its relatively small base of victims. Technical issues are rare, and the app was old and not really popular at the time of our research. Baby monitors are also a niche product, so not many email addresses are stored.

      On the other hand, if you are the owner of a baby monitor, you’re most likely a parent and that fact makes you (and by extension your email address) a much more interesting target should an attacker plan a specific, tailored, fraud campaign.

      In other words, this is not a critical security vulnerability but it could still be used by attackers. But that wasn’t the only vulnerability we found while investigating the camera and the app.

      Status: fixed

      Issue two

      Risk: full control of the camera by an attacker

      After looking at the legacy app we moved on to the more recent version and immediately discovered another interesting issue.

      The application communicates with the camera through a cloud service, and communication between the app and the cloud service is HTTPS-encrypted. The application uses a Session ID for authentication, which is changed automatically each time a user initiates a new session. It might sound secure, but it is in fact possible to intercept the Session ID and to control the camera through the cloud, or to retrieve the password for local access to the camera.

      Before the app starts streaming data from the camera, it sends an HTTP request to the cloud service. This request contains the Session ID, which could be intercepted as the request is unencrypted. The Session ID is then used to retrieve the current password. We found that this could be done by creating a special link with the Session ID at the end.

      In response to this link the cloud service would send the password for the session.

      https:// *****/*****/*****sessionId=100-U3a9cd38a-45ab-4aca-98fe-29b27b2ce280

      … "local_view":{"password":"N2VmYmVlOGY4NGVj","port":9090} …

      Using the password it is possible to get full control of the camera, including the ability to watch the streamed video, listen to audio, and play audio on the camera.

      It is important to note that this is not a remote attack – the attacker must be on the same network as the app user in order to intercept the initial request, making exploitation less likely. However, app users should still proceed with caution, especially if they are using large networks that can be accessed by many people. For example, if the app user is connecting to their camera from public Wi-Fi, they could be exposing themselves to risk from an attacker on the same network. In such conditions it would not be hard to imagine a real-life app-usage scenario that involved a third party.

      Status: fixed

      Issue three

      Risk: god mode – an attacker can do anything with camera firmware

      The third issue we discovered while investigating our smartphone-controlled camera resided not in the app but in the camera itself. And the issue is rather simple: a factory root password for SSH in the firmware. It is simple because the camera runs Linux, and the root password enables god mode for anyone who has access to the device and knows the password. You can do anything with the camera firmware: modify it, wipe it – anything. All the attacker needs to do in order to extract the password is to download the firmware from the vendor’s website (although the attacker would need to be on the same network as the attacked device to get the URL from which the firmware is downloaded), extract it and follow this path: \\ubifs\\home/.config. There it is: in plain text.

      What’s more worrying is that, for anyone who is not a Linux expert, there is no way to remove or change this password themselves.

      Why the SSH password was there is a mystery to us, but we have some suggestions. The root access would be of use to developers and technical support specialists in a situation where a customer encounters an unexpected technical problem that could not be fixed over the phone. In this case, a specialist could connect to the camera remotely, use the SSH password to get root access and fix an issue. Apparently this is a common practice for new models of such devices, which can contain bugs that were not discovered and fixed at the pre-release stage. We looked at the firmware of some other cameras from an alternative vendor and also discovered SSH passwords in there. So the story is: developers leave the SSH password in the firmware in order to have the ability to fix unexpected bugs there and then, and when a stable version of firmware is released they just forget to remove or encrypt the password.

      Our second suggestion is that they just forgot it was there. As we discovered during our research, the part of the device where SSH passwords were found – the chipset – is usually shipped by a third-party vendor. And the third-party vendor leaves the SSH password in the camera by default for convenience, to make sure that the vendor of the end-product (the baby monitor) has the ability to tune up the chipset and to connect it with other hardware and software. So the vendor does this and then just forgets to remove the password. As simple as it sounds.

      Status: fixed

      Communications with the vendor

      It wasn’t hard to discover these vulnerabilities and we have to admit that it wasn’t difficult to report them to the vendor and help them to patch them. The camera we investigated was branded by Philips, but was actually produced and maintained by Gibson Innovations. The representatives of the company were extremely quick to react to our report. As a result all the issues we reported have been patched, both in the camera and in the apps (Android and iOS).

      This autumn, Rapid7 released a very interesting report about vulnerabilities in baby monitors, and a Philips product (a slightly different version of the camera we investigated) was on the list of vulnerable devices, with a number of vulnerabilities noted, some of them similar to those discovered in our research. But judging by the ‘from-discovery-to-patch’ timeline presented in the report, Gibson Innovations is one of only a few IoT vendors to treat security issues in their products seriously and to do so continuously. Kudos to them for such a responsible approach.

      But back to our research.

      One could say that the security issues we’ve discovered in the IP camera require access to the same network as the user of the camera or the camera itself, and they would be right. On the other hand, for an intruder that is not necessarily a major obstacle, especially if the user has another connected device in their network.

      A smartphone-controlled coffee machine. What could possibly go wrong?

      Risk: leakage of the password to the home wireless network

      The coffee machine we’ve randomly chosen can remotely prepare a cup of coffee at the exact time you want. You just set the time and when the coffee is ready the app will send you a push-notification. You can also monitor the status of the machine through an app. For instance, it is possible to find out if it is brewing now or not, if it is ready for brewing or if it is time to refill the water container. In other words, a very nice device, which, unfortunately, gives an attacker a way to hijack the password of your local Wi-Fi network.

      Before you use it you have to set it up. It happens like this: when the device is plugged in, it creates an unencrypted hotspot and listens for UPnP traffic. A smartphone running the application for communicating with the coffee machine connects to this hotspot and sends a broadcast UDP request asking if there are UPnP devices on the network. As our coffee machine is such a device, it responds to this request. After that a short exchange containing, among other things, the SSID and the password of the home wireless network is sent from the smartphone to the device.

      This is where we detected a problem. Although the password is sent in encrypted form, the components of the encryption key are sent over an open, unprotected channel. These components are the coffee machine’s Ethernet address and some other unique credentials. From these components the encryption key is generated on the smartphone. The password to the home network is encrypted with this key using 128-bit AES and sent in base64 form to the coffee machine. On the coffee machine the key is generated from the same components, and the password can be decrypted. Then the coffee machine connects to the home wireless network and ceases to be a hotspot until it is reset. From this moment on, the coffee machine is only accessible via the home wireless network. But it doesn’t matter, as by then the password is already compromised.

      Status: the vulnerability is still in place

      Communications with the vendor

      We’ve reported our findings to the vendor of the coffee machine, and the vendor has acknowledged the issue and provided us with the following statement:

      “Both user experience and security are extremely important to us and we continually strive to strike the right balance between the two. The actual risks associated with the vulnerabilities you mentioned during set-up are extremely low. In order to gain access, a hacker would have to be physically within the radius of the home network at the exact time of set-up, which is a window of only a few minutes. In other words, a hacker would have to specifically target a smart coffee maker user and be around at the exact point of set-up, which is extremely unlikely. Because of this, we do not believe the potential vulnerabilities justify the significant negative impacts it will have on user experience if we make the suggested changes. Though no definite plans to change our set-up procedure are in the works, we are constantly reevaluating and wouldn’t hesitate to make changes if risks become more significant. Should something change in the near future we will let you know.”

      We don’t entirely disagree with this statement and have to admit that the attack window is extremely short. The vulnerability could be patched in several ways, but based on the conclusions of our own analysis, almost all of them would involve either hardware changes (an Ethernet port on the coffee machine or a keyboard for the password would solve the problem) or the provision of a unique PIN code for each coffee machine, including those that have already been sold, which is not easy from a logistical point of view. Such changes would considerably impact the user experience, and the set-up process would become less straightforward.

      The only software fix we can propose is to implement asymmetric encryption. In this case the coffee maker would have to send its public encryption key to the user’s smartphone, and only after that would the sensitive data exchange start. This, however, would still allow any user on a given Wi-Fi network, including the attacker, to take control of the coffee machine. The public key would be available to everyone, and the first user to receive it and establish the connection with the coffee maker would be able to control it. Nevertheless, the legitimate user of the coffee machine would at least have a clue that something was going wrong, as during or following a successful attack they wouldn’t be able to communicate with the device. This is not the case with the current software running on the coffee machine.
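      The two set-up schemes discussed above, the fielded one (AES key derived only from components broadcast in clear) and the asymmetric-encryption fix proposed here, modelled in Go as an added example that is neither the vendor’s nor Kaspersky Lab’s code. The sample MAC, credential and password, the SHA-256 key derivation, the AES-GCM mode and RSA-OAEP as the asymmetric scheme are all assumptions, since the post states none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Constructed sample values for the set-up exchange (the real values are not on the page).
const (
	sampleMAC        = "00:11:22:33:44:55"
	sampleCredential = "SERIAL-0001"
	sampleWifiPass   = "correct horse battery staple"
)

// deriveSetupKey models the fielded design: a 128-bit AES key computed only from values
// just broadcast in clear. The real derivation is unpublished; SHA-256/16 is an assumption.
func deriveSetupKey(mac, credential string) []byte {
	sum := sha256.Sum256([]byte(mac + "|" + credential))
	return sum[:16]
}

// newGCM wraps AES-128 in GCM; the post does not state the mode (assumption).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWithKey returns base64(nonce || ciphertext), the base64 transport the post describes.
func sealWithKey(key []byte, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
	return base64.StdEncoding.EncodeToString(ct), nil
}

// openWithKey reverses sealWithKey; it fails on a wrong key or a tampered blob.
func openWithKey(key []byte, b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(ct) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, ct[:n], ct[n:], nil)
	return string(pt), err
}

// PassiveObserverRecovers is the whole weakness in one call: whoever captured
// the same cleartext components derives the same key and reads the password.
func PassiveObserverRecovers(mac, credential, b64 string) (string, error) {
	return openWithKey(deriveSetupKey(mac, credential), b64)
}

// NewDeviceKey models the proposed fix: the device holds a key pair and publishes only the public half.
func NewDeviceKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// PhoneEncryptsForDevice uses RSA-OAEP, so capturing public key plus ciphertext yields nothing.
func PhoneEncryptsForDevice(pub *rsa.PublicKey, password string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), []byte("wifi-setup"))
}

// DeviceDecrypts is the device-side counterpart of PhoneEncryptsForDevice.
func DeviceDecrypts(priv *rsa.PrivateKey, ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, []byte("wifi-setup"))
	return string(pt), err
}

func main() {
	blob, _ := sealWithKey(deriveSetupKey(sampleMAC, sampleCredential), sampleWifiPass)
	leaked, _ := PassiveObserverRecovers(sampleMAC, sampleCredential, blob)
	fmt.Println("fielded scheme, passive observer recovers:", leaked)
	dev, _ := NewDeviceKey()
	ct, _ := PhoneEncryptsForDevice(&dev.PublicKey, sampleWifiPass)
	got, _ := DeviceDecrypts(dev, ct)
	fmt.Println("public-key scheme, only the device recovers:", got)
}
```

      As the post notes, the public-key variant only stops a passive listener from reading the password; the first party to answer the device’s published key still ends up controlling it.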

      So we can say that to some degree we understand the vendor logic: the level of risk this issue brings doesn’t match the level of complexity of measures that must be implemented in order to eliminate the issue. Besides that, it would be wrong to say that the vendor didn’t think about the security of their product at all: as we said earlier, the password is transmitted in protected form, and you have to hold the antenna in a special way.

      However, the vulnerability still exists and for a smart criminal it wouldn’t be a problem to exploit it to obtain your Wi-Fi password. The situation is interesting: if you are a user of this coffee maker, every time you change the password for your home Wi-Fi network in order to make it more secure, you’re actually exposing this new password, because each time you implement a new password you have to set up the coffee machine again. And you would never know whether someone had sniffed your password or not. For some people this may not be an issue, but for others it is most certainly a security problem.

      For this reason, we will not disclose the vendor or model so as not to draw unwanted attention to the vulnerable product. However, if you are a user of a smartphone-controlled coffee maker and you’re worried about this issue, do not hesitate to contact the vendor and ask them if our findings have something to do with the product that you own, or are planning to purchase.

      Onto the final chapter of our journey into the insecure world of IoT.

      Home security system vs physics

      Risk: bypassing security sensors with no alarms

      App-controlled home security systems are pretty popular nowadays. The market is full of different products intended to secure your home from physical intrusion. Usually such systems include a hub that is connected to your home network and to your smartphone, and a number of battery-powered sensors that communicate wirelessly with the hub. The sensors are usually door/window contact sensors that inform the owner if the window or door they guard has been opened; motion sensors; and cameras.

      When we initially got our hands on a smart home security system we were excited. Previously we’d seen a lot of news about researchers finding severe vulnerabilities in such products, like the research from HP or another awesome piece of research on the insecurity of the ZigBee protocol used by such products, presented at this year’s Black Hat. We prepared ourselves for an easy job finding multiple security issues.

      But that wasn’t the case. The more we looked into the system the better we understood that, from a cyber-security perspective, it is a well-designed device. In order to set up the system, you have to connect the hub directly to your Wi-Fi router, and in order to make the app communicate with the hub, you have to create an account on the vendor’s website, provide your phone number and enter the secret pin code that is sent to you via SMS. All communications between the app and the system are routed through the vendor’s cloud service and everything is done over https.

      When looking at how the hub downloads new versions of firmware, we found that the firmware is not signed, which is a bit of an issue as it potentially allows you to download any firmware onto the device. But at the same time, in order to do so you’d have to know the password and the login of the user account. Also, when on the same network as the security system it is possible to send commands to the hub, but to understand what kind of commands it is possible to send, you’d need to reverse-engineer the hub firmware which is not really security research, but aggressive hacking. We’re not aggressive hackers.

      So from a software point of view – if you’re not intending to hack a device at all costs – the home security system we investigated was secure.

      But then we looked at the sensors.

      Defeating contact sensors with their own weapon

      Intrusion or contact sensors, included in the package, consist of three main parts: the magnet (the part that you put on a door or on the moving part of a window), the radio transmitter, and the magnetic field sensor. It works as follows: the magnet emits a magnetic field and the magnetic field sensor registers it. If the door or window is opened, the sensor will stop registering the magnetic field and will send a notification to the hub, indicating that the door/window is open. But if the magnetic field is there, it will send no alarms, which means that all you need to bypass the sensor is a magnet powerful enough to replace the magnetic field. In our lab we put a magnet close to the sensor, and then we opened the window, got in, closed the window and removed the magnet. No alarms and no surprises.

      One could say that this would only work with windows, where you may be lucky enough to easily locate the exact spot where the sensor is placed. But magnetic fields are treacherous and they pass through walls, and the simplest magnetic field detection app for a smartphone will locate a sensor precisely, even if you don’t have visual contact. So doors (if they’re not made of metal) are vulnerable too. Physics wins!

      Motion sensor

      Encouraged by an easy victory over contact sensors we moved on to the motion sensor and disassembled it to discover that it was a rather simple infrared sensor that detects the movement of a warm object. This means that if an object is not warm the sensor doesn’t care. As we discovered during our experiment, one would only need to put on a coat, glasses, a hat and/or a mask in order to become invisible to the sensor. Physics wins again!

      Protection strategies

      The bad news is that magnetic field sensor-based devices and low quality infrared motion sensors are used not only by the home security system we investigated. They’re pretty standard sensors which can be found in a number of other similar products. Just search the IoT e-shops and you’ll see for yourself. There is more bad news: it is impossible to fix the issue with a firmware update. The problem is in the technology itself.

      The good news is that it is possible to protect yourself from the burglars who didn’t bunk off Physics in school. The basic rules here are as follows:

      1. Do not rely only on contact sensors when protecting your home if you are using a system of the kind described above. Smart home security system vendors usually offer additional devices, like motion- and audio-sensing cameras, which are impossible to bypass with magnets. So it would be wise to supplement the contact sensors with some smart cameras even though it may cost more. Using contact sensors alone will turn your home security system into what is essentially a high-tech ‘toy’ security system.
      2. If you’re using infrared motion sensors, try to put them in front of a radiator in rooms a burglar will have to walk through, should they make their way into your home. In this case the intruder, no matter what clothes they are wearing, will overshadow the radiator and the sensor will notice the change and report it to your smartphone.

      Based on what we discovered during our brief experiment, vendors are doing their best not to forget about the cyber-security of the devices they’re producing, which is good. Nevertheless, any connected, app-controlled device that is usually called an IoT device is almost certain to have at least one security issue. However, the probability that they will be critical is not that high.

      At the same time, the low severity of such security issues doesn’t guarantee that they won’t be used in an attack. At the beginning of this article we promised to describe how the safe and funny “rickrolling” vulnerability could be used in a dangerous attack. Here it is.

      Just imagine that one day a TV with a Chromecast device connected to it, both belonging to an inexperienced user, starts showing error messages which report that, in order to fix this issue, the user has to reset their Wi-Fi router to factory settings. That means the user would have to reconnect all their devices, including their Wi-Fi-enabled coffee machine. The user resets the router and reconnects all the devices. After that the Chromecast works normally again as do all the other devices in the network. What the user doesn’t notice is that someone new has connected to the router, and then jumped to the baby monitor camera or other connected devices, ones that have no critical vulnerabilities but several non-critical ones.

      From an economic perspective it is still unclear why cybercriminals would attack connected home devices. But as the market of the Internet of Things takes off, and technologies are being popularized and standardized, it is only a matter of time before black hats find a way to monetize an IoT attack. Ransomware is obviously a possible way to go, but it’s certainly not the only one.

      Besides that, cybercriminals are not the only ones who might become interested in IoT. For instance, this summer the Russian Ministry of Interior Affairs ordered research (RU) into possible ways of collecting forensic data from devices built with the use of smart technologies. And the Canadian military recently published a procurement request for a contractor that can “find vulnerabilities and security measures” for cars and will “develop and demonstrate exploits”.

      This doesn’t mean that people should avoid using the IoT because of all the risks. The safe option is to choose wisely: consider what IoT device or system you want, what you plan to use it for and where.

      Here is the list of suggestions from Kaspersky Lab:

      1. Before buying an IoT device, search the Internet for news of any vulnerabilities. The Internet of Things is a very hot topic now, and a lot of researchers are doing a great job finding security issues in products of this kind: from baby monitors to app controlled rifles. It is likely that the device you are going to purchase has been already examined by security researchers and it is possible to find out whether the issues found in the device have been patched.
      2. It is not always a great idea to buy the most recent products released on the market. Along with the standard bugs you get in new products, recently-launched devices might contain security issues that haven’t yet been discovered by security researchers. The best choice is to buy products that have already experienced several software updates.
      3. When choosing what part of your life you’re going to make a little bit smarter, consider the security risks. If your home is the place where you store many items of material value, it would probably be a good idea to choose a professional alarm system that will replace or complement your existing app-controlled home alarm system; or set up the existing system in such a way that any potential vulnerabilities would not affect its operation. Also, when choosing a device that will collect information about your personal life and the lives of your family, like a baby monitor, it may be wise to choose the simplest RF model, capable only of transmitting an audio signal and without Internet connectivity. If that is not an option, then follow our first piece of advice – choose wisely!

      As for the vendors of IoT devices, we have only one, but important, suggestion: collaborate with the security community when creating new products and improving old ones. There are initiatives, like the OWASP Internet of Things project, that could actually help to build an awesome connected device with no serious security issues. At Kaspersky Lab, we will also continue our research to get more information about connected devices and to find out how to protect people against the threats that such devices pose.

      Kaspersky DDoS Intelligence Report Q3 2015

      Tue, 11/03/2015 - 06:03


      Q3 events

      Of all the Q3 2015 events in the world of DDoS attacks and the tools used to launch them, we picked out those that, in our opinion, best illustrate the main trends behind the evolution of these threats.

      • DDoS attacks targeting financial organizations for the purpose of extortion;
      • new techniques to increase the intensity of attacks by manipulating web pages;
      • active development of Linux-based botnets for DDoS attacks.
      Attacks on financial organizations

      In Q3 2015, there was increased activity by the cybercriminal group “DD4BC” responsible for a number of attacks on major banking organizations around the world. The group has been targeting banks, media groups and gaming companies since September, threatening to take down their customer websites unless they pay a ransom. The owner of the targeted resource is asked to pay between 25 and 200 bitcoins ($6,500 – $52,500), or have their servers disabled. Some of the first victims included organizations in Australia, New Zealand and Switzerland, while a warning was received by major financial institutions in Hong Kong. The Bank of China and the Bank of East Asia also reported that they were targeted by illegal activity. In the third quarter, a number of Russian financial institutions also received notifications from cybercriminals asking for a specific sum in cryptocurrency to terminate an attack.

      Unusual attack scenario

      The company CloudFlare reported a DDoS attack with an unusual scenario. A site belonging to one of CloudFlare’s customers was being subjected to an attack made up of 275,000 HTTP requests per second. Of particular interest was the fact that the attackers made use of malicious JavaScript embedded in adverts. An iframe with a malicious advert that contained the JavaScript was run on the browsers of lots of users, resulting in their workstations sending XHR requests to the victim. Experts believe that these malicious ads can also display some legitimate applications.

      XOR DDoS bot activity

      The specialists at Akamai Technologies witnessed growth in the capacity of a DDoS botnet consisting of Linux-based computers whose victims were mostly Asian sites belonging to educational institutions and gaming communities. A distinctive feature of the bot is the use of XOR-encryption both in the malicious program and for communication with the C&C servers. At the same time, in order to self-propagate the bot brute-forces passwords to the root account in Linux systems. Linux is often used as a server operating system, which means that the server also has the channel and computing resources that the attackers can use to launch DDoS attacks. Using SYN and DNS floods, this botnet has been successfully carrying out attacks with a capacity of 109-179 Gbps.

      According to Kaspersky Lab data, the botnets from Linux-based servers infected by the XOR DDoS bot actively attacked resources located in China.

      DDoS availability

      On the one hand, the software that is used for DDoS attacks is becoming more complicated; on the other hand, the tools for DDoS attacks are becoming more freely available and easier to use. As a result, setting up and launching a DDoS attack no longer requires any special technical knowledge. A fairly competent criminal could easily unleash a powerful attack.

      This fact is confirmed by attacks on the educational portal of the Republic of Tatarstan carried out by students attempting to block communication between teachers and parents. Throughout the year the attackers repeatedly tried to bring down the portal, which was protected by Kaspersky DDoS Protection. All their attempts were unsuccessful, but their persistence did succeed in attracting the attention of Kaspersky Lab’s experts.

      The availability and ease of use of the tools for DDoS attacks has resulted in the range of targets growing. It is generally accepted that DDoS attacks are mainly focused on financial institutions, government agencies, businesses and the media. Now, however, any resource that has attracted the ire of an unscrupulous web user could be subjected to a DDoS attack – even an educational portal.

      Statistics of botnet-assisted DDoS attacks

      Methodology

      The DDoS Intelligence system (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data.

      In this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours. If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack. Attacks on the same web resource from two different botnets are also regarded as separate attacks.

      The geographical distribution of DDoS victims and C&C servers is determined according to their IP addresses. In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics.

      It is important to note that DDoS Intelligence statistics are limited to those botnets that were detected and analyzed by Kaspersky Lab. It should also be highlighted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.

      Q3 Summary
      • In Q3 2015, botnet-assisted DDoS attacks targeted victims in 79 countries around the world.
      • 91.6% of targeted resources were located in 10 countries.
      • The largest numbers of DDoS attacks targeted victims in China, the US and South Korea.
      • The longest DDoS attack in Q3 2015 lasted for 320 hours (or 13.3 days).
      • SYN DDoS, TCP DDoS and HTTP DDoS were the most common DDoS attack scenarios.
      • Linux-based bots are actively used by cybercriminals; the proportion of DDoS attacks from Linux-based botnets in the third quarter was 45.6%.
      Geography of attacks

      In Q3, the targets of DDoS attacks were located in 79 countries around the world. 91.6% of attacked resources were located in 10 countries.

      Distribution of unique DDoS attack targets by country, Q3 vs Q2 2015

      China still leads the Top 10 ranking: in Q3 of 2015, 34.5% of DDoS attack targets were located there, an increase of 4.6 percentage points (p.p.) on the previous quarter. The US came second with 0.8%. South Korea remained in third place (17.7%) although its share increased considerably – by 7.9 p.p.

      The Netherlands (1.1%) re-entered the Top 10. A newcomer to the rating was Japan whose share accounted for 1.3% of all attacked resources. Germany (1.0%) and Hong Kong (0.9%) left the Top 10.

      If we look at the number of reported attacks, 92.3% of all attacks (an increase of 14.7 p.p. on Q2) had targets within the same Top 10 countries:

      Distribution of DDoS attack by countries, Q3 vs Q2 2015

      In the third quarter, China (37.9%), the US (22.7%) and South Korea (14.1%) remained in the leading three places. The Netherlands (1.1%) and Japan (1.3%) pushed France (0.9%) and Hong Kong (0.9%) out of the Top 10 in terms of the number of attacks. The biggest increase in the proportion of DDoS attacks in Q3 was observed in the US – the share of attacks grew by 5.4 p.p.

      The figures for the leading three countries in both rankings – the number of attacks and the number of targets – increased by more than they did for the other Top 10 countries. The continued leadership of China and the US in the rankings is due to cheap web hosting in those countries, which explains why so many targeted web resources are located there.

      The absolute leader in terms of the number of attacks was an IP address allegedly belonging to a data center in Hong Kong: throughout the quarter it was attacked 22 times.

      Changes in DDoS attack numbers

      In Q3 2015, DDoS activity was distributed unevenly, with two peaks: the first fell in mid-July, the second in late September. The quietest period was from early August to mid-September.

      Number of DDoS attacks over time* in Q3 2015.

      * DDoS attacks may last for several days. In this timeline, the same attack may be counted several times, i.e. one time for each day of its duration.
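The attack-counting rules from the Methodology section (same target and same botnet, breaks shorter than 24 hours join one attack, different botnets are separate attacks, targets are unique IP addresses) and the per-day counting described in the note above, implemented as an added example that is not part of the report. The sightings, botnet ids and IP addresses are constructed; how a break of exactly 24 hours is handled is an assumption, as the report does not say.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input: sightings of C&C commands ordering a botnet to hit a
# target, as (target IP, botnet id, timestamp). All values are invented.
SIGHTINGS = [
    ("203.0.113.10", "xor-ddos-1", "2015-09-22 01:00"),
    ("203.0.113.10", "xor-ddos-1", "2015-09-22 20:00"),  # 19 h gap: same attack
    ("203.0.113.10", "xor-ddos-1", "2015-09-24 09:00"),  # 37 h gap: new attack
    ("203.0.113.10", "nitol-7",    "2015-09-22 02:00"),  # other botnet: separate attack
    ("198.51.100.5", "xor-ddos-1", "2015-07-10 00:00"),
    ("198.51.100.5", "xor-ddos-1", "2015-07-10 23:30"),
    ("198.51.100.5", "xor-ddos-1", "2015-07-11 23:00"),
    ("198.51.100.5", "xor-ddos-1", "2015-07-12 22:30"),  # all gaps < 24 h: one 70.5 h attack
]

MAX_BREAK = timedelta(hours=24)


@dataclass
class Attack:
    target: str
    botnet: str
    start: datetime
    end: datetime

    @property
    def hours(self) -> float:
        """Duration in hours, from the first to the last observed command."""
        return (self.end - self.start).total_seconds() / 3600


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def sessionize(sightings, max_break=MAX_BREAK):
    """Split sightings into attacks: same target, same botnet, and every break
    between consecutive commands shorter than max_break. A break of 24 hours
    or more starts a new attack (treating exactly 24 h as a new attack is an
    assumption). Sightings from different botnets never share an attack."""
    by_pair = defaultdict(list)
    for target, botnet, ts in sightings:
        by_pair[(target, botnet)].append(_parse(ts))
    attacks = []
    for (target, botnet), times in by_pair.items():
        times.sort()
        start = prev = times[0]
        for t in times[1:]:
            if t - prev >= max_break:
                attacks.append(Attack(target, botnet, start, prev))
                start = t
            prev = t
        attacks.append(Attack(target, botnet, start, prev))
    return attacks


def longest_attack(attacks):
    return max(attacks, key=lambda a: a.hours)


def unique_targets(attacks):
    """Number of DDoS targets = number of unique attacked IP addresses."""
    return len({a.target for a in attacks})


def attacks_per_day(attacks):
    """Daily timeline as in the report's chart: an attack spanning several
    days is counted once for each calendar day of its duration."""
    counts = Counter()
    for a in attacks:
        day = a.start.date()
        while day <= a.end.date():
            counts[day.isoformat()] += 1
            day += timedelta(days=1)
    return dict(counts)


def attacks_per_weekday(attacks):
    """The same per-day counts aggregated by day of the week."""
    counts = Counter()
    for day, n in attacks_per_day(attacks).items():
        counts[datetime.fromisoformat(day).strftime("%A")] += n
    return dict(counts)


def families_per_target(attacks):
    """Distinct botnets that hit each target: the 'attacked by one family'
    versus 'two or more families' breakdown."""
    targets = {a.target for a in attacks}
    return {t: len({a.botnet for a in attacks if a.target == t}) for t in targets}


if __name__ == "__main__":
    attacks = sessionize(SIGHTINGS)
    print(len(attacks), "attacks against", unique_targets(attacks), "targets")
    worst = longest_attack(attacks)
    print(f"longest: {worst.target} by {worst.botnet}, {worst.hours:.1f} h")
    print("per day:", attacks_per_day(attacks))
    print("per weekday:", attacks_per_weekday(attacks))
    print("families per target:", families_per_target(attacks))
```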

      The peak number of attacks in one day was 1344, recorded on 24 September.

      Tuesday was the most active day of the week in terms of DDoS attacks.

      Distribution of DDoS attack numbers by days of the week

      The fact that Tuesday leads is probably due to a dramatic rise in the number of DDoS attacks on that day of the week on 14 July and on 22 September. Particularly active on those two days were botnets from Linux-based servers infected by the XOR DDoS bot that attacked resources in China.

      Types and duration of DDoS attacks

      99.3% of DDoS targets in Q3 2015 (vs. 98.2% in Q2) were attacked by bots belonging to one family.

      In only 0.7% of all cases, cybercriminals launched attacks using bots from two different families (or the clients used the services of several attack agents). In 0.2% of cases, three or more bots were used.

      In Q3 2015, SYN DDoS (51.7%) remained the most popular attack method. TCP DDoS (16.4%) and HTTP DDOS (14.9%) were second and third respectively. ICMP-DDoS, whose contribution doubled over the last two quarters and accounted for 5.1%, was fourth.

      The distribution of DDoS attacks by types

      Once again, most attacks lasted no longer than 24 hours in Q3 2015. However, the number of attacks that lasted a week or longer increased considerably.

      The distribution of DDoS attacks by duration (hours)

      The longest DDoS attack in the previous quarter lasted for 205 hours (8.5 days); in Q3, this record was beaten by an attack that lasted 320 hours (13.3 days).

      C&C servers and botnet types

      In Q3 2015, South Korea took the lead in terms of the number of C&C servers located on its territory; its share grew from 34% to 56.6%. Noticeably, in South Korea this quarter the number of C&C servers that control Nitol bots increased significantly. Nitol began to use Dynamic DNS services more actively, in particular, and As mentioned above, the percentage of DDoS attacks targeting resources located in South Korea also increased.

      The proportion of C&C servers located in the US and China dropped significantly – from 21% to 12.4% and from 14% to 6.9% respectively.

      Distribution of botnet C&C servers by countries in Q3 2015

      The activity of Windows and Linux botnets continued to fluctuate. After the previous quarter’s reduction in the share of Linux-based botnets, in Q3 they regained ground – the proportion of attacks by Linux bots grew from 37.6% to 45.6%.

      Correlation between attacks launched from Windows and Linux botnets

      The increase in the proportion of Linux bot activity was most probably down to insufficient protection for Linux-based machines and, quite importantly, their higher Internet speeds. This makes Linux more attractive to cybercriminals despite the relative complexity in developing, acquiring and exploiting Linux bots.

      Attacks on banks

      The third quarter of 2015 saw the return of DDoS extortionists to the cybercrime scene. A number of major banking institutions in a variety of countries were targeted by DDoS attacks that were then followed by demands for a large payment in cryptocurrency to stop the attack. This particular aspect of the attacks suggests they are the work of the cybercriminal group DD4BC (Distributed Denial of Service for Bitcoin), which demands bitcoin ransoms.

      It appears the group has now reached Russia, where a number of financial institutions were also attacked. Some of the Russian banks that were targeted were either protected by Kaspersky DDoS Protection or quickly connected to the service as soon as the DDoS attacks began. This meant they avoided any damage and the banks’ websites and online banking systems continued to function smoothly.

      Kaspersky Lab registered a wave of lengthy DDoS attacks on the online banking systems of eight well-known financial institutions, with some banks repeatedly targeted.

      For all attacks the cybercriminals used a complex combination of amplification attacks that disable an online resource with minimal effort.

      Three types of attack were used to overload the channel: NTP amplification, SSDP amplification and RIPv1 amplification, which reached 40 Gbps. In some cases, the attacks were supplemented by an HTTPS flood attack that reached 150 Mbps from a botnet with about 2,000 attacking hosts.

      The attacks lasted from one to four hours.

      The attackers not only demanded a bitcoin ransom but also threatened the banks with unprecedented terabit attacks. However, these threats have not been implemented in practice.

      We can assume that the peak attack parameters registered at the end of September were the attackers’ maximum – Kaspersky Lab experts recorded this particular aggregate capacity in simultaneous attacks on several banks.

      Unfortunately, this does not mean that the power of attacks will not increase in the future.

      The correlation between the number of attacks launched from Windows and Linux botnets marks an interesting trend, with criminals starting to actively use botnets from infected servers. There are several reasons for this.

      Firstly, servers have a significantly bigger Internet channel than domestic machines, making it possible to organize powerful attacks with only a few C&C servers.

      Secondly, the level of server protection is not always very high, leaving servers vulnerable to hacking. If security patches are not regularly installed on a server, it quickly becomes easy prey for cybercriminals: it does not take them long to discover such servers and exploit any known vulnerabilities. Then there is the expanded arsenal of available exploits that appeared after a number of vulnerabilities were detected in open-source products, such as exploits for the GHOST vulnerability, which are still in use.

      Thirdly, the power of a server botnet can be increased by renting additional servers.

      In these circumstances, timely installation of security patches on servers becomes critical. For the owners of web resources, effective protection from DDoS attacks originating from server botnets is strongly recommended.

      IT threat evolution in Q3 2015

      Mon, 11/02/2015 - 05:31


      Q3 in figures
      • According to KSN data, Kaspersky Lab solutions detected and repelled a total of 235,415,870 malicious attacks from online resources located all over the world.
      • 75,408,543 unique URLs were recognized as malicious by web antivirus components.
      • Kaspersky Lab’s web antivirus detected 38,233,047 unique malicious objects: scripts, exploits, executable files, etc.
      • There were 5,686,755 registered notifications about attempted malware infections that aim to steal money via online access to bank accounts.
      • Kaspersky Lab’s file antivirus detected a total of 145,137,553 unique malicious and potentially unwanted objects.
      • Kaspersky Lab mobile security products detected:
        • 1,583,094 malicious installation packages;
        • 323,374 new malicious mobile programs;
        • 2516 mobile banker Trojans.
      Overview

      Targeted attacks

      Turla’s ‘eye in the sky’

      We’ve written about Turla several times over the last year or so (our initial report, follow-up analysis and campaign overview can be found on The group behind this cyber-espionage campaign has been active for more than eight years, infecting hundreds of computers in more than 45 countries. The organizations targeted include government agencies, embassies, military, education, research and pharmaceutical companies.

      The Turla group profiles its victims, using watering-hole attacks in the initial stages. However, as outlined in our latest report, for subsequent operations the group makes use of satellite communications to manage its C2 (Command-and-Control) traffic.

      Most people think of satellite communications as a means of broadcasting TV, but they are also used to provide Internet access. Typically, this is done in remote locations where other types of Internet access are slow, unstable or unavailable. One of the most widespread and least expensive means of obtaining satellite-based access is through a downstream-only connection.

      The method used by Turla to hijack downstream satellite links does not require a valid satellite Internet subscription. The key benefit is that it’s anonymous – it’s very hard to identify the attackers. The satellite receivers can be located anywhere within the area covered by the satellite (typically a wide area) and the true location and hardware of the C2 server can’t be easily identified or physically seized. It’s also cheaper than purchasing a satellite-based link and easier than hijacking traffic between the victim and the satellite operator and injecting packets along the way.

      In order to attack satellite-based Internet connections, both the legitimate users of these links, as well as the attackers’ own satellite dishes, point to the specific satellite that is broadcasting the traffic. The attackers exploit the fact that packets are unencrypted. Once an IP address that is routed through the satellite’s downstream link has been identified, the attackers start listening for packets coming from the Internet to this specific IP. Once a packet has been identified, they identify the source and spoof a reply packet back to the source using a conventional Internet line. At the same time, the legitimate user of the link just ignores the packet as it goes to an otherwise unused port (for instance, port 80 or 10080). You can find a graphical explanation of how Turla uses satellite links here.

      The Turla group tends to focus on satellite Internet providers located in the Middle East and Africa, including Congo, Lebanon, Libya, Niger, Nigeria, Somalia and the UAE. Satellite broadcasts from these countries don’t normally cover European and North American countries, making it very hard for security researchers to investigate such attacks.

      The use of satellite-based Internet links is an interesting development. The hijacking of downstream bandwidth is cheap (around $1,000 for the initial investment and around $1,000 per year in maintenance), easy to do and offers a high degree of anonymity. On the downside, it’s not always as reliable as more traditional methods such as bullet-proof hosting, multiple proxy levels and hacked web sites – all of which Turla also uses. This makes it less likely that it will be used to maintain extensive botnets. Nevertheless, if this method becomes widespread among APT groups or cybercriminals, it will pose a serious problem for the IT security industry and law enforcement agencies.

      Darkhotel extends its ‘guest’ list

      In November 2014, we reported on the Darkhotel APT. These attacks were characterized by the misuse of stolen certificates, the deployment of HTA files using multiple methods and the infiltration of hotel Wi-Fi networks to place backdoors on targets’ computers.

      Recently we published an update on Darkhotel. While the attackers behind this APT continue to use the above methods, they have also supplemented their armoury. They have shifted their attention more towards spear-phishing of their chosen victims. As well as using HTA files, they are also deploying infected RAR files, using the RTLO (right to left override) mechanism to mask the real extension of the file. The attackers also use Flash exploits, including a zero-day exploit leaked as a result of the Hacking Team security breach.
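A defensive check for the RTLO trick mentioned above, added here as an example and not code from the report: it flags file names containing Unicode bidi formatting characters and shows how the real extension differs from what the user would see. The file names are constructed, and the display approximation covers only the single U+202E case described in the text, not the full Unicode bidi algorithm.

```python
import unicodedata

# Bidi classes of the explicit formatting characters (RLO, LRO, embeddings,
# isolates and their terminators). Any of these in a file name can make the
# displayed name differ from the real one and is worth flagging.
BIDI_FORMAT_CLASSES = {"RLO", "LRO", "RLE", "LRE", "PDF", "RLI", "LRI", "FSI", "PDI"}

# Constructed sample names (not real samples from the report).
SAMPLE_NAMES = [
    "invoice\u202Erar.scr",   # U+202E RLO: shown as 'invoicercs.rar', really a .scr
    "report.pdf",             # plain name, nothing to flag
]


def find_bidi_controls(name):
    """Return (index, code point, bidi class) for each bidi formatting char."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.bidirectional(ch))
            for i, ch in enumerate(name)
            if unicodedata.bidirectional(ch) in BIDI_FORMAT_CLASSES]


def strip_bidi_controls(name):
    """The name as the file system stores it, without the invisible controls."""
    return "".join(ch for ch in name
                   if unicodedata.bidirectional(ch) not in BIDI_FORMAT_CLASSES)


def approximate_display(name):
    """Approximate what a user sees: text after the first U+202E is drawn
    right to left, i.e. reversed. Only this single-RLO case is modelled;
    other bidi controls are simply dropped."""
    idx = name.find("\u202E")
    if idx == -1:
        return strip_bidi_controls(name)
    head, tail = name[:idx], strip_bidi_controls(name[idx + 1:])
    return head + tail[::-1]


def extension(name):
    """Lower-cased extension without the dot, or '' if there is none."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def assess(name):
    """Flag a name whose displayed extension would not match its real one,
    or that carries bidi formatting characters at all."""
    controls = find_bidi_controls(name)
    real_name = strip_bidi_controls(name)
    shown = approximate_display(name)
    real_ext, shown_ext = extension(real_name), extension(shown)
    return {
        "name": name,
        "bidi_controls": controls,
        "displayed_name": shown,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "suspicious": bool(controls) or real_ext != shown_ext,
    }


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        r = assess(n)
        print(f"{r['displayed_name']!r}: real .{r['real_extension']}, "
              f"shown .{r['displayed_extension']}, suspicious={r['suspicious']}")
```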

      In 2015, Darkhotel extended its geographic reach, to include victims in North Korea, Russia, South Korea, Japan, Bangladesh, Thailand, India, Mozambique and Germany.

      Blue Termite

      In August, we reported on the Blue Termite APT, a targeted attack campaign focused on stealing information from organizations in Japan. These include government agencies, local government bodies, public interest groups, universities, banks, financial services, as well as companies working in sectors such as energy, communication, heavy industry, chemical, automotive, electrical, news media, information services, health care, real estate, food, semiconductor, robotics, construction, insurance, transportation, and more. One of the most high profile targets was the Japan Pension Service.

      The malware is customized according to the specific victim. The Blue Termite backdoor stores data about itself – including C2, API name, strings for anti-analysis, values of mutexes, as well as the MD5 checksum of backdoor commands and the internal proxy information. The data are stored in encrypted form, making analysis of the malware more difficult – a unique decryption key is required for each sample.

      The main method of infection, as with so many targeted attack campaigns, is via spear-phishing e-mails. However, we have detected other methods of infection. These include drive-by downloads using a Flash exploit (CVE-2015-5119) – one of the exploits leaked following the Hacking Team security breach. Several Japanese web sites were compromised this way. We also found some watering-hole attacks, including one on a web site belonging to a prominent member of the Japanese government.

      Malware stories

      End of the line for CoinVault?

      On 14 September 2015, Dutch police arrested two men for suspected involvement in CoinVault ransomware attacks, following a joint effort by Kaspersky Lab, Panda Security and the Dutch National High Tech Crime Unit (NHTCU) – highlighting the benefit of collaboration between police and security researchers. This malware campaign started in May 2014 and continued into this year, targeting victims in more than 20 countries, with the majority of victims in the Netherlands, Germany, the United States, France and Great Britain. They successfully encrypted files on more than 1,500 Windows-based computers, demanding payment in bitcoin to decrypt data on victims’ machines.

      The cybercriminals responsible for this ransomware campaign modified their creations several times to keep on targeting new victims. We published our first analysis of CoinVault in November 2014, soon after the first sample of the malicious program appeared. The campaign then stopped until April 2015, when we found a new sample. In the same month, Kaspersky Lab and the Dutch NHTCU launched a web site to act as a repository of decryption keys. In addition, we also made available online a decryption tool to help victims recover their data without having to pay the ransom.

      After publishing the site, Kaspersky Lab was contacted by Panda Security, which had found information about additional malware samples. We were able to confirm that the samples were related to CoinVault. We passed this information to the Dutch NHTCU.

      You can find our analysis of the twists and turns employed by the CoinVault authors here.

      Ransomware has become a notable fixture of the threat landscape. While this case shows that collaboration between researchers and law enforcement agencies can lead to positive results, it’s essential for consumers and businesses alike to take steps to mitigate the risks of this type of malware. Ransomware operations rely on their victims paying up. On top of anti-malware protection, it’s important to make regular backups of data, to avoid data loss and the need to make such ransom payments.

      A serpent in Apple’s walled garden

      The recent appearance of malicious apps in the App Store has made it clear that, contrary to what many people believe, iOS is not immune to malware.

      The malware, called ‘Xcodeghost’, infected dozens of apps, including WeChat, NetEase’s music download app, business card scanner CamCard and Didi Kuadi’s car-hailing app. The Chinese versions of Angry Birds 2 were also infected.

      The attackers didn’t hack the App Store, but hosted a malicious version of Apple’s Xcode. Xcode is a free suite of tools used by software developers to create iOS apps. It is officially distributed by Apple, but also unofficially by third parties: someone in China hosted a version of Xcode that contained XcodeGhost. Some Chinese developers choose to download development tools such as this from local servers because it is much quicker.

      Any apps created using the modified version of Xcode would be infected. The infected apps steal data from their victims and send it to the attackers. It was initially believed that 39 infected apps had bypassed Apple’s scanning process and had been successfully uploaded to the App Store. Infected apps have been removed by Apple. However, the compromised version of Xcode has been available for around six months, so the total number of infected apps could be much higher, not least because the source code for XcodeGhost has been published on Github.

      You can find an analysis of XcodeGhost by researchers at Palo Alto Networks here.

      The incident highlights the danger of programs being infected at source if tools used by developers are compromised.

      The Gaza cyber-gang

      At the end of September we reported on the activities of another regional APT, the Gaza cyber-gang. This is a politically motivated Arabic group operating in the MENA region (Middle East and North Africa) – mainly focused on Egypt, the UAE and Yemen. The group is interested in government agencies – especially embassies, where security and IT operations might not be well-established or reliable. The Gaza cyber-gang has been active since 2012, but became particularly active in the second quarter of 2015.

      The gang actively sends malware to IT and Incident Response (IR) staff in target organizations: the file names they use reflect IT functions and IR tools used to investigate cyber-attacks. It’s not hard to work out why. IT staff typically have greater access rights than other employees, because it’s their job to manage the corporate infrastructure. IR employees are likely to have access to sensitive data related to ongoing cyber-investigations, as well as extended access rights to help them look for suspicious activities across the network. This means the attackers not only gain access to the target organization but also extend their reach across the network.

      The main infection modules used by the group are widely used remote access Trojans (RATs): XtremeRAT and PoisonIvy. Their activities are heavily reliant on social engineering. They use filenames related to IT and IR functions and content and domain names that are likely to be of interest to their victims (e.g. ‘’).

      All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.

      Mobile threats

      Displaying adverts to users is still the main method of making money from mobile threats. The number of programs displaying intrusive advertising on mobile devices (adware) continued to grow in the third quarter and accounted for more than half of all detected mobile objects.

      We have also observed a growing number of programs that use advertising as the main monetization method while also using other methods from the virus writers’ arsenal. They often root the device of a victim and use superuser privileges, making it very difficult, if not impossible, to combat them. In Q3 2015, these Trojans accounted for more than half of the Top 20 most popular mobile malware.

      SMS Trojans are still relevant as a monetization method, especially in Russia. These programs send paid messages from an infected device without the user’s knowledge. Although their overall traffic share among mobile threats continues to fall, the malicious mobile Trojan-SMS still leads in terms of the number of new samples detected in the third quarter.

      The pursuit of profit is not limited to displaying adverts or sending paid text messages – cybercriminals are also very interested in users’ bank accounts. In Q3 2015, the total share of mobile bankers and spyware designed to steal personal information exceeded that of SMS Trojans in new mobile malware traffic by 0.7 p.p.

      The number of new mobile threats

      In Q3 2015, Kaspersky Lab mobile security products detected 323,374 new malicious mobile programs – a 1.1-fold increase on Q2 2015 and a 3.1-fold increase on Q1.

      The number of malicious installation packages detected was 1,583,094 – this is 1.5 times more than in the previous quarter.

      Number of malicious installation packages and new malicious mobile programs detected
      (Q1 2015 – Q3 2015)

      Distribution of mobile malware by type

      Distribution of new mobile malware by type, Q2 and Q3 2015

      Potentially unwanted advertising programs (adware) headed the ranking of detected objects for mobile devices in Q3 2015. In the previous quarter this category of programs occupied second place with 19%; in Q3 their share grew considerably and reached 52.2%.

      Second came RiskTool. The programs in this category are legitimate applications that are potentially dangerous for users – if used carelessly or manipulated by a cybercriminal, they could lead to financial losses. RiskTool was knocked off the top spot after its share decreased by 16.6 p.p. from the previous quarter.

      The percentage of SMS Trojans in the overall flow of mobile threats decreased by another 1.9 p.p. and amounted to 6.2%. Despite this, they are still among the leading mobile malicious programs.

      SMS Trojans were followed by Spy Trojans (5.4%). These programs steal personal data from users, including incoming text messages (mTANs) from banks.

      In the third quarter of 2015, the biggest growth rates were demonstrated by Trojan-Banker whose share more than doubled and accounted for 1.5% compared to 0.6% in the previous quarter. In Q2, 630 of these programs were detected, while Q3 saw their number increase four-fold and exceed 2500.

      Top 20 malicious mobile programs

      Please note that the ranking of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.

      Rank  Name                                   % of attacked users*
      1     DangerousObject.Multi.Generic          46.6
      2     Trojan.AndroidOS.Rootnik.d             9.9
      3     Trojan-SMS.AndroidOS.Podec.a           7.4
      4     Trojan-Downloader.AndroidOS.Leech.a    6.0
      5     Trojan.AndroidOS.Ztorg.a               5.5
      6                                            4.9
      7     Trojan-Dropper.AndroidOS.Gorpo.a       3.3
      8     Trojan-SMS.AndroidOS.Opfake.a          3.0
      9     Trojan.AndroidOS.Guerrilla.a           2.9
      10    Trojan-SMS.AndroidOS.FakeInst.fz       2.6
      11    Trojan-Ransom.AndroidOS.Small.o        2.3
      12    Trojan-Spy.AndroidOS.Agent.el          2.1
      13    Trojan.AndroidOS.Ventica.a             1.9
      14    Trojan.AndroidOS.Ztorg.b               1.9
      15    Trojan.AndroidOS.Ztorg.pac             1.8
      16    Trojan.AndroidOS.Fadeb.a               1.6
      17    Trojan-SMS.AndroidOS.Smaps.a           1.5
      18    Trojan.AndroidOS.Iop.a                 1.5
      19    Trojan.AndroidOS.Guerrilla.b           1.5
      20                                           1.4

      * Percentage of users attacked by the malware in question, relative to all users attacked.

      The top position in the rankings was occupied by DangerousObject.Multi.Generic (46.6%). This is how new malicious applications are detected by the KSN cloud technologies, which help our products to significantly shorten the response time to new and unknown threats. The proportion of DangerousObject.Multi.Generic increased almost three-fold: from 17.5% in Q2 to 46.6% in Q3.

      The number of Trojans that use advertising as the main means of monetization significantly increased from the previous quarter. In the second quarter of 2015 this Top 20 included six of these programs, while in Q3 their number increased to 11: three programs belong to the Trojan.AndroidOS.Ztorg family, and two each belong to the Trojan.AndroidOS.Guerrilla, Trojan.AndroidOS.Rootnik.d, Trojan-Downloader.AndroidOS.Leech.a, Trojan-Dropper.AndroidOS.Gorpo.a, Trojan-Spy.AndroidOS.Agent.el, Trojan.AndroidOS.Ventica.a and Trojan.AndroidOS.Fadeb.a families.

      Unlike the usual advertising modules, these programs do not contain any useful functionality. Their goal is to deliver as many adverts as possible to the recipient using a variety of methods, including the installation of new advertising programs. These Trojans can use superuser privileges to conceal their presence in the system folder, from where they are very difficult to remove.

      Of special note is Trojan-Spy.AndroidOS.Agent.el, which is even encountered in the official firmware of some developers.

      Trojan-SMS.AndroidOS.Podec.a (7.4%) has been among the Top 3 malicious mobile programs for four quarters in a row due to how actively it is spread. It is worth mentioning that the functionality of the latest versions of this Trojan has changed and no longer includes the sending of text messages. The Trojan is now fully focused on paid subscriptions, making use of CAPTCHA recognition.

      Seventeenth place is occupied by Trojan-SMS.AndroidOS.Smaps.a. Some of its versions are able to send spam upon receiving a command from the server via the Viber app if it is installed on the victim’s device. No special permission or actions on the part of the user are required by the Trojan to do this.

      The geography of mobile threats

      The geography of mobile malware infection attempts in Q3 2015 (percentage of all users attacked)

      Top 10 countries attacked by mobile malware (ranked by percentage of users attacked)

      Country*          % of users attacked**
      1   Bangladesh    22.57
      2   China         21.45
      3   Nigeria       16.01
      4   Tanzania      15.77
      5   Iran          13.88
      6   Malaysia      13.65
      7   Algeria       12.73
      8   Nepal         12.09
      9   Kenya         11.17
      10  Indonesia     10.82

      * We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
      ** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.

      The most secure countries in this respect are:

      Country         % of users attacked**
      1   Japan       1.13
      2   Canada      2.87
      3   Denmark     3.20
      4   Sweden      3.45
      5   Australia   3.48

      Although Australia is included in the Top 5 most secure countries, when it comes to mobile malware infections the situation is not as safe as would be expected: in the third quarter of 2015, users in Australia were attacked by mobile banker Trojans more often than users in other countries (see below).

      Mobile banker Trojans

      In Q3 2015, we detected 2,516 mobile banker Trojans, which is a four-fold increase on the previous quarter.

      Number of mobile banker Trojans detected by Kaspersky Lab’s solutions (Q4 2014 – Q3 2015)

      Geography of mobile banking threats in Q3 2015 (number of users attacked)

      The number of attacked users depends on the overall number of users within each individual country. To assess the risk of a mobile banker Trojan infection in each country, and to compare it across countries, we made a country ranking according to the percentage of users attacked by mobile banker Trojans.

      Top 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)

      Country*                % of users attacked by mobile bankers**
      1   Australia           0.85
      2   Republic of Korea   0.40
      3   Russia              0.32
      4   Cyprus              0.32
      5   Czech Republic      0.31
      6   Austria             0.27
      7   Kyrgyzstan          0.26
      8   Bulgaria            0.24
      9   Romania             0.23
      10  Uzbekistan          0.23

      * We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
      ** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.

      Australia, which was ranked eighth in the previous quarter, took the lead in Q3 2015. The percentage of users attacked by mobile bankers in Australia increased six-fold (from 0.14% to 0.85%). Such significant growth was caused by fraudsters making active use of This Trojan steals credentials used to enter the online banking system of one of Australia’s largest banks. It also tries to steal users’ credit card details (cardholder’s name, card number, CVV, card expiry date).

      At the same time, Korea, which topped the Q2 rating, saw its share decrease six-fold (from 2.37% to 0.4%) and dropped to second place in the ranking.

      Top 10 countries by the percentage of users attacked by mobile bankers relative to all attacked users

      An indication of how popular mobile banker Trojans are with cybercriminals in each country can be provided by the percentage of users who were attacked at least once by mobile banker Trojans during the quarter, relative to all users in the same country whose mobile security product was activated at least once in the reporting period. This ranking differs from the one above:

      Country*                % of users attacked by mobile bankers, relative to all attacked users**
      1   Australia           24.31
      2   Austria              7.02
      3   Montenegro           5.92
      4   Republic of Korea    5.69
      5   France               5.66
      6   Cyprus               5.56
      7   Russia               5.09
      8   Czech Republic       4.98
      9   Sweden               4.81
      10  Finland              4.56

      * We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
      ** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all unique users attacked by mobile malware in the country.
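      The two rankings described above use the same three counts per country (product users, users attacked by any mobile malware, users attacked by a mobile banker) with a different denominator, which is why a country can sit in sixth place in one and second in the other. The script below is an added example, not Kaspersky Lab's code or data: it computes both rankings from constructed telemetry, applies the 10,000-user exclusion the footnotes mention, and keeps a "six-fold" relative change apart from a percentage-point change. The country rows are invented; the function and constant names are this example's own.

```python
"""Per-country mobile banker risk metrics of the kind this section ranks,
computed from constructed telemetry. Added example, not Kaspersky Lab code
or data; the country rows are invented to show why the two rankings differ."""

MIN_USERS = 10_000  # countries with a smaller installed base are excluded, as in the report

# Constructed: country -> (product users, users hit by any mobile malware,
#                          users hit by a mobile banker Trojan)
SAMPLE = {
    "AU": (200_000, 7_000, 1_700),
    "KR": (300_000, 21_000, 1_200),
    "RU": (1_000_000, 63_000, 3_200),
    "AT": (50_000, 2_000, 140),
    "XX": (5_000, 4_000, 2_000),  # below MIN_USERS: dropped from both rankings
}


def pct(part, whole):
    """Percentage rounded the way the report prints it (two decimals)."""
    return round(100.0 * part / whole, 2) if whole else 0.0


def rank_by_users_attacked(sample, min_users=MIN_USERS):
    """Share of all product users in the country hit by a mobile banker
    (the 'risk of infection' ranking)."""
    rows = [(c, pct(bank, users))
            for c, (users, _, bank) in sample.items() if users >= min_users]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def rank_by_attacked_users(sample, min_users=MIN_USERS):
    """Share of users already attacked by mobile malware who met a banker
    (the 'popularity with criminals' ranking)."""
    rows = [(c, pct(bank, attacked))
            for c, (users, attacked, bank) in sample.items() if users >= min_users]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def growth_factor(old_pct, new_pct):
    """Relative change ('six-fold'); not a percentage-point difference."""
    return round(new_pct / old_pct, 2)


def pp_change(old_pct, new_pct):
    """Difference in percentage points, the unit the report uses for shifts."""
    return round(new_pct - old_pct, 2)


if __name__ == "__main__":
    print(rank_by_users_attacked(SAMPLE))   # AT is fourth here ...
    print(rank_by_attacked_users(SAMPLE))   # ... and second here
    print(growth_factor(0.14, 0.85), pp_change(0.14, 0.85))
```

      The constructed "AT" row is the interesting one: a low overall attack rate combined with a high proportion of bankers among the attacks moves it from fourth to second when the denominator switches from all users to attacked users, the same effect the page reports for Austria.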

      In Australia, which topped the ranking, slightly less than a quarter of all users attacked by mobile malware were targeted by mobile bankers.

      The share of bankers among all mobile malware attacks in Russia halved – from 10.35% to 5.09%. This was due to a significant drop in the activity of the Trojan-Banker.AndroidOS.Marcher family which was one of the most popular in the country. In the third quarter the number of attacks using this malware fell almost ten-fold compared to the previous quarter.

      Vulnerable applications used by cybercriminals

      The ranking of vulnerable applications below is based on information about the exploits blocked by our products. These exploits were used by cybercriminals in Internet attacks and in attempts to compromise local applications, including those installed on mobile devices.

      Distribution of exploits used in attacks by type of application attacked, Q3 2015

      Compared to Q2 2015, the following changes have taken place:

      1. The proportion of Adobe Flash Player exploits has risen by 2 percentage points (p.p.).
      2. The proportion of Adobe Reader exploits has decreased by 5 p.p.

      In Q3, just like the rest of the year, exploits for Adobe Flash Player were in demand. Their share was only 5%, but there are more of them ‘in the wild’ and at the current time nearly all exploit packs are using vulnerabilities in this software. As was the case in the previous quarter, the share of Java exploits (11%) has continued to decrease in Q3. We have not observed any exploits for this software included in recent exploit packs.

      In Q3, the most common exploit packs included exploits for the following vulnerabilities:

      1. CVE-2015-5560 (Adobe Flash; this exploit was described in a Kaspersky Lab article)
      2. CVE-2015-2419 (Internet Explorer)
      3. CVE-2015-1671 (Silverlight)

      The previous quarter saw a dramatic increase in the number of spam messages containing malicious PDF documents. This quarter, the number of these messages decreased significantly, so the proportion of Adobe Reader exploits also decreased.

      The overall trend so far for 2015 has continued in Q3: exploits for Adobe Flash Player and Internet Explorer are most popular with cybercriminals. In the pie chart above, the latter falls into the ‘Browsers’ category; the landing pages from which the exploits spread are also classified here.

      Online threats (Web-based attacks)

      The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.

      Online threats in the banking sector

      These statistics are based on the detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

      In Q3 2015, Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 625,669 computers. This number is 17.2 p.p. lower than in Q2 2015 (755,642). A year earlier, in Q3 2014, the figure was 591,688.

      Kaspersky Lab’s solutions produced a total of 5,686,755 notifications about attempted malware infections aimed at stealing money via online access to bank accounts in Q3 2015.

      Number of attacks by financial users, Q3 2015

      Geography of attacks

      To evaluate and compare the degree of risk of being infected by banking Trojans to which user computers are exposed worldwide, we calculate the percentage of Kaspersky Lab product users who encountered this type of threat during the reporting period in the country, relative to all users of our products in the country.

      Geography of banking malware attacks in Q3 2015 (percent of attacked users)

      Top 10 countries by the percentage of attacked users

      Country*                   % attacked users**
      1   Austria                4.98
      2   Singapore              4.23
      3   Turkey                 3.04
      4   Namibia                2.91
      5   New Zealand            2.86
      6   Hong Kong              2.81
      7   Australia              2.78
      8   Lebanon                2.60
      9   United Arab Emirates   2.54
      10  Switzerland            2.46

      * We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
      ** Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.

      In Q3 2015, Austria became the leader in terms of the percentage of Kaspersky Lab users who were attacked by banking Trojans. Singapore, last quarter’s leader, is now in second place. It should be noted that most countries in the Top 10 have significant numbers of online banking users, and this attracts the cybercriminals.

      In Russia, 0.71% of users encountered a banking Trojan at least once in Q3; this number is little different from the Q2 figure of 0.75%. In the US, the figure was 0.59%, which is 0.3 p.p. lower than in Q2. The countries of Western Europe also saw a small decrease in the percentages of users attacked by banking malware compared to Q2: Spain stood at 1.95%, or 0.07 p.p. less than in Q2; the UK (1.24%) was down 0.34 p.p.; Italy (1.16%) saw a decrease of 0.41 p.p.; while Germany (1.03%) was 0.13 p.p. lower.

      The Top 10 banking malware families

      The table below shows the Top 10 malware families most commonly used in Q3 2015 to attack online banking users:

      Name*                                   Percentage of attacks**
      1   Trojan-Downloader.Win32.Upatre      63.13
      2   Trojan-Spy.Win32.Zbot               17.86
      3   Trojan-Banker.JS.Agent               1.70
      4   Trojan-Banker.Win32.ChePro           1.97
      5   Backdoor.Win32.Caphaw                1.14
      6   Trojan-Banker.Win32.Banbra           1.93
      7   Trojan-Banker.AndroidOS.Faketoken    0.90
      8   Trojan-Banker.AndroidOS.Agent        0.57
      9   Trojan-Banker.Win32.Tinba            1.93
      10  Trojan-Banker.AndroidOS.Marcher      0.55

      *These statistics are based on the detection verdicts returned by Kaspersky Lab’s products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
      **Unique users whose computers have been targeted by the malicious program, as a percentage of all unique users targeted by financial malware attacks.

      The majority of the Top 10 malicious programs work by injecting arbitrary HTML code into the web page displayed by the browser and intercepting any payment data entered by the user in the original or inserted web forms.

      The Trojan-Downloader.Win32.Upatre family of malicious programs remains at the top of the ranking. The malware is no larger than 3.5 KB in size, and is limited to downloading the payload to the victim computer, most typically a banker Trojan from the Dyre/Dyzap/Dyreza family. The first malicious program from this family was detected in June 2014, and its main aim is to steal the user’s payment details. Dyre does this by intercepting the data from a banking session between the victim’s browser and the online banking web app. In the summer of 2015, however, Trojan-Downloader.Win32.Upatre was spotted on compromised home routers, which is a testimony to how cybercriminals make use of this multiple-purpose malware.

      Trojan-Spy.Win32.Zbot, in second place, has become a permanent resident of this ranking, and it is no coincidence that it consistently occupies a leading position. The Trojans of the Zbot family were among the first to use web injections to compromise the payment details of online banking users and to modify the contents of banking web pages. They encrypt their configuration files at several levels; the decrypted configuration file is never stored in the memory in its entirety, but is instead loaded in parts. This gives the Trojans of the Trojan-Spy.Win32.Zbot family a technological edge over other malware programs.

      Third place in the Q3 ranking was occupied by the Trojan-Banker.JS.Agent family. This is the malicious JavaScript code that results from an injection into an online banking page. The aim of this code is to intercept payment details that the user enters into online banking forms.
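      The web-inject pattern the Zbot and Trojan-Banker.JS.Agent paragraphs describe (extra fields grafted onto the bank's own form, or a whole inserted form) leaves one trace a defender can look for: fields in the page the browser renders that were not in the page the server sent. The script below is an added example, not Kaspersky Lab's code or any bank's real control; the HTML snippets, the field names and the idea of a client-side "integrity beacon" that reports the rendered DOM back to the server are constructed assumptions.

```python
"""Spot form fields that were not in the page the bank served: the trace a
web inject leaves. Added example (not Kaspersky Lab's or any bank's code);
the HTML, the field names and the "integrity beacon" are constructed."""
from html.parser import HTMLParser


class FormFieldCollector(HTMLParser):
    """Collects (form id or action, field name) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.current_form = None
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current_form = a.get("id") or a.get("action") or "<anonymous>"
        elif tag in ("input", "select", "textarea") and a.get("name"):
            self.fields.append((self.current_form, a["name"].lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None


def form_fields(html):
    parser = FormFieldCollector()
    parser.feed(html)
    return parser.fields


def injected_fields(served_html, rendered_html):
    """Fields in the DOM a client reports that were absent from the page the
    server sent. Extra inputs in an existing form and inputs of a wholly
    inserted form both show up, because the form key is part of the pair."""
    return sorted(set(form_fields(rendered_html)) - set(form_fields(served_html)))


def unexpected_posted_fields(served_html, posted_keys):
    """Server-side companion check: POST parameter names the served form never
    asked for. Needs no client cooperation, but only sees data an inject
    submits to the bank rather than to the attacker's own server."""
    expected = {name for _, name in form_fields(served_html)}
    return sorted({k.lower() for k in posted_keys} - expected)


# Constructed login page as served by a hypothetical bank.
SERVED = """<form id="login" action="/login" method="post">
<input name="username"><input name="password" type="password">
<input name="csrf" type="hidden"></form>"""

# The same page as reported by a client-side integrity beacon after an inject
# added card-data fields. Constructed; no real malware sample is involved.
RENDERED = """<form id="login" action="/login" method="post">
<input name="username"><input name="password" type="password">
<input name="csrf" type="hidden">
<input name="cardnumber"><input name="cvv"><input name="expiry"></form>"""

if __name__ == "__main__":
    print(injected_fields(SERVED, RENDERED))
    print(unexpected_posted_fields(SERVED, ["username", "password", "csrf", "cvv"]))
```

      A beacon running in the same browser the Trojan controls can itself be tampered with, so the DOM diff is a signal to correlate with session behaviour, not a guarantee; the server-side check costs nothing and catches the simpler case where the inject posts its extra fields to the bank.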

      Of particular interest is the fact that three families of mobile banking Trojans are present in this ranking: Trojan-Banker.AndroidOS.Faketoken, Trojan-Banker.AndroidOS.Marcher (we wrote about these two in the Q2 report), and a newcomer to this ranking – Trojan-Banker.AndroidOS.Agent. The malicious programs belonging to the latter family steal payment details from Android devices.

      The Top 10 operating systems attacked by banker Trojans

      In Q3, users of Windows operating systems encountered the largest number of financial malware attacks (which comes as no surprise given how widespread Windows devices are). That said, users of Windows 7 x64 Edition encountered banking Trojans more often, accounting for 42.2% of all banking Trojan attacks. Android also made it into the list of attacked operating systems.

      Operating system                Percentage of attacks*
      Windows 7 x64 Edition           42.2
      Windows 7                       11.6
      Windows 7 Home x64 Edition       5.5
      Windows XP Professional          7.0
      Windows 8.1 Home x64 Edition     3.7
      Windows 8.1 x64 Edition          2.3
      Windows 7 Home                   1.3
      Windows 10 x64 Edition           1.2
      Android 4.4.2                    0.6
      Windows NT 6.3 x64 Edition       0.7

      *These percentage numbers are relative to all financial malware attacks detected on the computers of unique users who have consented to provide their statistical data.

      It should be noted that although the family of Mac OS X operating systems did not make it to the Top 10, users of this operating system should not see themselves as being immune: in Q3 2015, computers running under Mac OS X were attacked 12,492 times.

      TOP 20 malicious objects detected online

      In the third quarter of 2015, Kaspersky Lab’s web antivirus detected 38,233,047 unique malicious objects (scripts, exploits, executable files, etc.) and reported 75,408,543 unique URLs as malicious.

      Of all malicious or potentially unwanted objects, we identified the 20 most active. These 20 accounted for 95% of all attacks on the Internet.

      Top 20 malicious objects detected online

      Name*                                   % of all attacks**
      1   Malicious URL                       53.63
      2                                       16.71
      3   AdWare.Script.Generic                7.14
      4   Trojan.Script.Generic                6.30
      5   Trojan.Script.Iframer                3.15
      6   Trojan.Win32.Generic                 1.52
      7   AdWare.Win32.SoftPulse.heur          1.31
      8                                        1.09
      9   AdWare.Win32.OutBrowse.heur          0.84
      10  Trojan-Downloader.Win32.Generic      0.63
      11  AdWare.NSIS.Vopak.heur               0.46
      12  Exploit.Script.Blocker               0.46
      13  Trojan-Downloader.JS.Iframe.diq      0.30
      14  AdWare.Win32.Amonetize.aqxd          0.30
      15  Trojan-Downloader.Win32.Genome.tqbx  0.24
      16  AdWare.Win32.Eorezo.abyb             0.23
      17  Hoax.HTML.ExtInstall.a               0.19
      18  Trojan-Clicker.HTML.Iframe.ev        0.17
      19  AdWare.Win32.Amonetize.bgnd          0.15
      20  Trojan.Win32.Invader                 0.14

      * These statistics represent the detection verdicts of the web antivirus module. Information was provided by users of Kaspersky Lab products who consented to share their local statistical data.
      ** The percentage of all web attacks recorded on the computers of unique users.

      The Top 20 is largely made up of verdicts assigned to objects used in drive-by attacks, as well as adware programs. This quarter, adware verdicts occupied nine positions in this ranking.

      Of interest is the verdict Hoax.HTML.ExtInstall.a, assigned to a web page which blocks the browser and urges the user to install a Chrome extension. When the user tries to close the page, the voice file ‘voice.mp3’ is often played – “Click on the ‘Add’ button to close this page”.

      Web page urging users to install a Chrome extension
      (translation: “Press ‘Add’ to continue”)

      The extensions that are offered do not cause any harm to users. However, the prompt is very intrusive and it is practically impossible for the user to reject it. This is why Kaspersky Lab products detect the corresponding web page with its popup window as malicious. There is a partnership program that uses this method to distribute the extension.

      Top 10 countries where online resources are seeded with malware

      The following statistics are based on the physical location of the online resources that were used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.

      In order to determine the geographical source of web-based attacks, domain names are matched up against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.
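      A worked version of the attribution step just described, as an added example and not Kaspersky Lab's pipeline: each blocked URL is reduced to its host, the host is resolved to an IP, the IP is mapped to a country, and the counts are turned into the share-of-attacks ranking the next paragraphs report. The blocked URLs, the resolver table and the CIDR-to-country map are constructed stand-ins for a DNS resolver and a GeoIP database, so the script runs offline; every name in it is this example's own.

```python
"""Attribute blocked web-attack sources to countries (host -> IP -> GeoIP)
and rank countries by share of attacks. Added example, not Kaspersky Lab
code; BLOCKED, RESOLVER and GEOIP are constructed so the script runs offline."""
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed records of blocked URLs; only the host part matters here.
BLOCKED = [
    "http://cdn-example-one.test/landing.html",
    "http://cdn-example-one.test/exploit.swf",
    "http://panel.example-two.test/gate.php",
    "http://203.0.113.7/payload.exe",            # bare IP: no DNS step needed
    "http://mirror.example-three.test/iframe.js",
    "http://cdn-example-one.test/other",
]

# Stand-in for DNS A-record lookups (constructed; documentation IP ranges).
RESOLVER = {
    "cdn-example-one.test": "198.51.100.20",
    "panel.example-two.test": "192.0.2.77",
    "mirror.example-three.test": "198.51.100.200",
}

# Stand-in for a GeoIP database: (network, ISO country), constructed.
GEOIP = [
    (ipaddress.ip_network("198.51.100.0/25"), "US"),
    (ipaddress.ip_network("198.51.100.128/25"), "NL"),
    (ipaddress.ip_network("192.0.2.0/24"), "RU"),
    (ipaddress.ip_network("203.0.113.0/24"), "DE"),
]


def resolve(host):
    """Return the host's IP as a string, or None when it does not resolve."""
    try:
        return str(ipaddress.ip_address(host))  # already an IP literal
    except ValueError:
        return RESOLVER.get(host)


def geoip(ip):
    """Longest-prefix lookup is unnecessary here: the sample networks do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP:
        if addr in net:
            return country
    return "unknown"


def attack_sources_by_country(urls):
    """Share of blocked attacks per source country, most common first."""
    counts = Counter()
    for url in urls:
        ip = resolve(urlsplit(url).hostname)
        counts[geoip(ip) if ip else "unresolved"] += 1
    total = sum(counts.values())
    return [(c, round(100.0 * n / total, 1)) for c, n in counts.most_common()]


if __name__ == "__main__":
    for country, share in attack_sources_by_country(BLOCKED):
        print(f"{country:<10} {share:5.1f}%")
```

      With real data, RESOLVER becomes a DNS lookup and GEOIP a commercial database; two caveats follow from the method itself: resolution has to happen at blocking time, because hosting moves, and a CDN in front of the attack site attributes the attack to the CDN's country rather than the operator's.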

      In Q3 2015, Kaspersky Lab solutions blocked 235,415,870 attacks launched from web resources located in various countries around the world. 80% of notifications on blocked web attacks were triggered by attacks coming from web resources located in 10 countries.

      Distribution of web attack sources by country, Q3 2015

      Q3 saw the US take over first place (with 26.9%) from Russia (18.8%). The Virgin Islands and Singapore have fallen out of the Top 10, while there are two newcomers – Sweden (1.43%) and Canada (1.42%).

      Countries where users faced the greatest risk of online infection

      In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provide an indication of the aggressiveness of the environment in which computers work in different countries.

      Country*          % of unique users attacked**
      1   Russia        38.20
      2   Nepal         36.16
      3   Kazakhstan    33.79
      4   Ukraine       33.55
      5   Syria         32.10
      6   Azerbaijan    32.01
      7   Belarus       30.68
      8   Vietnam       30.26
      9   China         27.82
      10  Thailand      27.68
      11  Armenia       27.65
      12  Brazil        26.47
      13  Algeria       26.16
      14  Turkey        25.13
      15  Mongolia      25.10
      16  Kyrgyzstan    23.96
      17  Macedonia     23.84
      18  Lithuania     23.59
      19  Bangladesh    23.56
      20  Moldavia      23.36

      These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

      *These calculations excluded countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
      **Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.

      The leader of this ranking remained unchanged – it is still Russia with 38.2%. Since the previous quarter, Georgia, Croatia, Qatar, Bosnia and Herzegovina and Greece have left the Top 20. Newcomers to the ranking are Nepal, which went straight in at number two (36.16%), Brazil in 12th place (26.47%), Turkey in 14th (25.13%), Lithuania in 18th (23.59%), and Bangladesh (23.56%) in 19th.

      The countries with the safest online surfing environments included Switzerland (17%), the Czech Republic (16%), the US (16.3%), Singapore (15%), Hungary (13.8%), Norway (13%), Ireland (12.2%), and Sweden (10.8%).

      On average, 23.4% of computers connected to the Internet globally were subjected to at least one web attack during the three months. This is a 0.5 p.p. decrease on Q2.

      Local threats

      Local infection statistics for users’ computers are a very important indicator: they reflect threats that have penetrated computer systems using means other than the Internet, email, or network ports.

      Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

      In Q3 2015, Kaspersky Lab’s file antivirus modules detected 145,137,553 unique malicious and potentially unwanted objects.

      Top 20 malicious objects detected on user computers

      Name*                                 % of unique users attacked**
      1   DangerousObject.Multi.Generic     19.76
      2   Trojan.Win32.Generic              14.51
      3   Trojan.WinLNK.StartPage.gena       5.56
      4   WebToolbar.JS.Condonit.a           4.98
      5   AdWare.Script.Generic              4.97
      6   WebToolbar.Win32.Agent.azm         4.48
      7   RiskTool.Win32.GlobalUpdate.dx     3.63
      8   WebToolbar.JS.AgentBar.e           3.63
      9   WebToolbar.JS.CroRi.b              3.32
      10  Downloader.Win32.Agent.bxib        3.20
      11  AdWare.Win32.OutBrowse.heur        3.13
      12  Adware.NSIS.ConvertAd.heur         3.08
      13  AdWare.Win32.Generic               3.06
      14  Downloader.Win32.MediaGet.elo      2.98
      15  Trojan.Win32.AutoRun.gen           2.92
      16  AdWare.Win32.BrowseFox.e           2.91
      17                                     2.82
      18  AdWare.Win32.MultiPlug.heur        2.66
      19  Virus.Win32.Sality.gen             2.61
      20  RiskTool.Win32.BackupMyPC.a        2.57

      *These statistics are compiled from malware detection verdicts generated by the on-access and on-demand scanner modules on the computers of those users running Kaspersky Lab products who have consented to submit their statistical data.
      **The proportion of individual users on whose computers the antivirus module detected these objects as a percentage of all individual users of Kaspersky Lab products on whose computers a file antivirus detection was triggered.

      In line with the established practice, this ranking represents the verdicts assigned to adware programs or their components, and to worms distributed on removable drives.

      The only virus in the rankings – Virus.Win32.Sality.gen – continues to lose ground. The proportion of user machines infected by this virus has been diminishing for a long time. In Q3 2015, Sality was in 19th place with 2.61%, which is a 0.25 p.p. decrease on Q2.

      Countries where users faced the highest risk of local infection

      For each of the countries, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus had been triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

      Top 20 countries with the highest levels of computer infection

      Country*          % of unique users**
      1   Bangladesh    64.44
      2   Vietnam       60.20
      3   Nepal         60.19
      4   Georgia       59.48
      5   Somalia       59.33
      6   Laos          58.33
      7   Russia        57.79
      8   Armenia       57.56
      9   Afghanistan   56.42
      10  Ethiopia      56.34
      11  Rwanda        56.21
      12  Syria         55.82
      13  Mozambique    55.79
      14  Yemen         55.17
      15  Cambodia      55.12
      16  Algeria       55.03
      17  Iraq          55.01
      18  Kazakhstan    54.83
      19  Mongolia      54.65
      20  Ukraine       54.19

      These statistics are based on the detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.

      * These calculations exclude countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
      ** The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.

      The newcomers to this ranking are Mozambique in 13th position (55.8%), and Yemen in 14th (55.2%).

      The safest countries in terms of local infection risks were Sweden (21.4%), Denmark (19.8%) and Japan (18.0%).

      An average of 42.2% of computers globally faced at least one local threat during Q3 2015, which is 2.2 p.p. more than in Q2 2015.

      0xHACKED: Brown University Accounts Distributing Phishing Emails

      Wed, 10/28/2015 - 09:56

      “Ido, we will address this compromise with Ms. XXXX directly. Thank you for notifying us,” said the last email received from Ms. Patricia Falcon, Information Security Policy & Awareness Specialist at Brown University, Rhode Island. This is a suspected spear phishing campaign attempting to steal users’ credentials by sending phishing emails masquerading as Google recovery notices.

      From the beginning:

      When the first email arrived in one of my Gmail inboxes I thought it was just another phishing scam – report it and toss it into the trash. But then I thought, hold on… it made its way through all the Gmail spam filters, so why not take a quick look.

      That was on 5 October: an email with a “NO REPLY.” alias in the Sender field was marked as unread, and after clicking it a Google recovery email opened. Next to its subject was a profile picture of a person I didn’t know. Well, I thought, hackers don’t tend to post their pictures on their own phishing emails. So I checked the details, and it was an email from Brown University, located in Rhode Island, United States.

      Could it be a spear phishing campaign against the university?

      On second thoughts, it was only one email. Maybe the person was lured by some appealing content into clicking a link where he simply entered his username and password to a fake form that hijacked his credentials.

      First incident: Yet another phishing email

      Browsing through the body of the email, I got the impression that it was very well written and was not some first-timer’s attempt. Not many obvious mistakes. Can you spot any?

      Fake email from Brown University compromised account

      1. Funny – the old Google logo is used.
      2. First line after “Hello” has a space before the first sentence starts.
      3. “The Google Accounts team“? Who are they? And a capital ‘T’, surely?
      4. Close my account because info is missing and then verify existing info to continue using it? Where’s the logic in that?
      5. The button should say “Verify Account Details” not “Verify Email Address”, right?

      We could spot some more, but that’s enough for now.

      With all that in mind, the picture is the first thing that immediately draws your attention, because this is a valid Gmail account of a person named Ph****p P**g. This person works for Brown University, whose email servers are actually hosted by Google. That means the compromised account can initially send phishing emails to any Gmail user account without them landing in the spam folder – not until it is reported as spam.

      After trying to notify Mr. P**g in every possible medium he existed in online, I finally gave up. We reported the phishing attempt registered as an short link that redirects to a domain named after a song by a Nigerian rapper, and hosted on GoDaddy.

      Two domain names have been identified so far; however, the IP address indicates massive use of phishing and even kits available for direct download and use. One of the domains found was the initial redirection URL from the malicious email short link and the other one was embedded in a PHP form action attribute, located within the phishing website’s /index.html page, masquerading as a legitimate Google recovery form.

      Fake Google recovery form

      Here is the chain of events from the victim’s point of view:

      1. Compromised Gmail account sends a message to the Gmail victim – Not spam.
      2. Victim clicks the fake “Verify” button and the embedded short link executes.
      3. Short link becomes a long link redirecting to hxxp://shokiti-bobo-crew[.]net/<your ip>/index.html. (Fake Gmail Recovery)
      4. The page sends a fake JavaScript alert() that the victim’s Gmail account has been logged out.
      5. Clicking OK reveals a form similar to the Gmail login page, only with additional fields, such as recovery email, phone and date of birth.
      6. Submitting the PHP form sends the data to another malicious server – hxxp://owo-ni-boiz[.]net/auth.php
      7. After submitting the form, the page redirects back to Gmail – which was logged in the whole time – persuading the victim that the fake logout alert() message from step (4) was real.
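      The chain above has two properties a mail gateway or an analyst can test for without running anything from the attacker: the button's link leaves the brand's domains once redirects are followed, and the landing page's form submits to a host other than the one serving it. The script below is an added example, not the author's tooling: the message body, the short-link redirect table, the landing page and the brand domain list are constructed, and the hop-following is done against that table rather than over the network.

```python
"""Triage checks for a message styled as a Google notice whose button goes
through a short link to an unrelated domain, landing on a page whose form
posts to yet another host. Added example, not the author's tooling; EMAIL,
REDIRECTS, LANDING and the brand domain list are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collects (visible text, href) for anchors and the action of each form."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []
        self.form_actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


# Stand-in for following HTTP redirects offline (constructed short link).
REDIRECTS = {
    "http://short.example/abc123": "http://phish-landing.example/203.0.113.5/index.html",
}


def final_url(url, redirects=REDIRECTS, max_hops=5):
    """Follow the redirect table; returns (final URL, number of hops)."""
    hops = 0
    while url in redirects and hops < max_hops:
        url = redirects[url]
        hops += 1
    return url, hops


def registered_domain(host):
    """Last two labels; a real deployment would consult the public suffix list."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:])


def suspicious_links(html, brand_domains=("google.com",)):
    """Anchors whose final destination is outside the domains of the brand
    the message claims to come from."""
    p = LinkCollector()
    p.feed(html)
    flagged = []
    for text, href in p.links:
        dest, hops = final_url(href)
        if registered_domain(urlsplit(dest).hostname) not in brand_domains:
            flagged.append({"text": text, "href": href, "final": dest, "hops": hops})
    return flagged


def foreign_form_actions(page_html, page_url):
    """Forms on a landing page that submit to a different host (step 6)."""
    p = LinkCollector()
    p.feed(page_html)
    own = registered_domain(urlsplit(page_url).hostname)
    foreign = []
    for action in p.form_actions:
        host = urlsplit(action).hostname  # None for a relative action: same host
        if host is not None and registered_domain(host) != own:
            foreign.append(action)
    return foreign


# Constructed e-mail body and landing page modelled on the incident's shape.
EMAIL = """<p>Hello, The Google Accounts team detected missing information.</p>
<a href="http://short.example/abc123">Verify Email Address</a>
<a href="https://support.google.com/accounts">Help Center</a>"""
LANDING_URL = "http://phish-landing.example/203.0.113.5/index.html"
LANDING = """<form action="http://collector.example/auth.php" method="post">
<input name="Email"><input name="Passwd" type="password"><input name="phone"></form>"""

if __name__ == "__main__":
    print(suspicious_links(EMAIL))
    print(foreign_form_actions(LANDING, LANDING_URL))
```

      The brand to check against comes from the message's own claim (sender display name, logo, subject), which is exactly what the phishing relies on; the check turns that claim into a testable expectation about where the links end up.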

      The second [Co]incident

      20 October, 8:00AM, another email arrived. To my surprise, it had the same origin – – but a different victim.

      It was now a woman. Her name is Q***h T**n, a former employee of the university and a current LinkedIn employee. Her account was immediately deleted after we reported the scam to LinkedIn.

      LinkedIn employee account deleted after Gmail account was compromised in the attack

      This email was different, suggesting that the threat actors have many templates at their disposal. However, the domains were the same. Since she is a former employee, it may mean her account was taken over while it was disabled. It’s possible that the attackers took over a server that has modified privileges and managed to reactivate the dormant accounts of former employees.

      Second fake email to come from a former Brown University employee

      Issues spotted:

      1. No “Hello” this time – straight to the point.
      2. Non-US spelling: “take a look at the help centre or watch the video”.
      3. Capital ‘R’ in ‘required’ is missing from the subject.
      4. Russian? <img alt="Логотип (Google Диск)" border="0">
      5. Under “to bcc” there is a tiny button that was supposed to display a Google logo. Instead, it is broken and the HTML attributes are in Russian: “Logotip (Google Disk)”, says the alt text.
      6. Lastly, this redirection is using, not

      This time the navigation is the other way around. Whereas the first instance redirected to hxxp://shokiti-bobo-crew[.]net/ to submit a form that was sent to hxxp://owo-ni-boiz[.]net/, this time the address hxxp://owo-ni-boiz[.]net/ redirects to hxxp://shokiti-bobo-crew[.]net/mission/xconactc.php.

      We were the first to submit the URL to VirusTotal, meaning it’s still fresh. No antivirus engines identified the link as malicious.


      OWO NI BOYS and SHOKITI BOBO are both songs by Nigerian rappers. This suggests either that the attackers are influenced by rappers such as Olamide and Kida Kudz, or that they are trying to create this false impression for analysts.

      The second piece of information was the Russian Google Drive logo found in the second incident. Both create assumptions about the threat actors’ way of thinking, either by injecting false information or by making terrible mistakes.

      One thing is for sure – Brown University is suffering from a few compromised accounts and this attack is still active.