Farang I.T. Home:- computer service in Chiang Mai
Welcome to Farang I.T. Services, based in Chiang Mai, Thailand, offering a full range of services to commercial and domestic computer users, both locally and internationally. Our people are native speakers of many languages, including English, Suomi, French, Spanish, and of course, Thai.
We know how important it is to be able to communicate effectively with any service provider. Whether it's the engineer repairing your computer, the designer of your website, or someone doing any kind of graphic design work or programming, it's absolutely vital!
We aim to provide a 'one-stop-I.T.-shop' for all your computer related needs. From everyday computer repair to designing and building a personal computer, a corporate logo, company stationery or website. Custom designed computers from a simple home P.C. to a gaming monster to a corporate server networked with 2,000 workstations, Windows, Linux or Mac.
"if we don't have it, we'll get it!"
Don't let computer problems get to you, call us for the fastest possible solution! Did you know that most problems are preventable? Call us to discuss a customised preventative maintenance plan for your home or office systems. Similar to a car's scheduled servicing, you don't wait for the engine to seize before changing the oil, so why wait for the computer to fail before looking after it?
"more important than what you already know,
is how quickly you can learn what you need to know!"

We can even provide training. Whether you are confused by your digital camera, stumped by your software, puzzled by your printer, or you wish to learn about the higher functions of Outlook, Word or Excel. Maybe you just bought your first Macintosh, or you want to try Linux, we can help!
"the only stupid question, is the one you didn't ask!"
LATEST VIRUS THREATS AND OTHER I.T. NEWS
Social-network update: Facebook up; Twitter slow?
Hackers did not take down Facebook today, as they had earlier claimed they would. Meanwhile, the pace of tweets appears to have slowed amid an ongoing Twitter boycott. And Twitter's lawyer responds.
Posted on 28 January 2012 | 7:01 pm
Pomera DM100 from Japan and iPhone make an odd couple
Already have an iPhone? Pick up the tiny Pomera DM100 for text input and drop that expensive, bulky MacBook.
Posted on 28 January 2012 | 5:53 pm
CNET Roadside Assistance 42: End of the CD player - Why you might care (podcast)
We examine the end of the in-car CD player, our supposed hatred of Chevys, how to upgrade the head unit in your Prius and the need (or not) for Android in your dash.
Posted on 28 January 2012 | 2:52 pm
Car Tech Live 249: BMW sews up touch sensitive fabric (podcast)
BMW says touch me, Ford takes mirrors high tech for quiet, the Chevy Volt is off the hook with the Feds, and how much would you pay for Obama's Chrysler 300? And we drive the Chrysler 300 SRT8.
Posted on 28 January 2012 | 2:36 pm
Gates sent dying Jobs a letter he kept bedside
An interview with Microsoft's Bill Gates in The Telegraph is just the latest to show he and the late Steve Jobs had a strong relationship at the time of the Apple icon's death.
Posted on 28 January 2012 | 2:14 pm
A self-driving car, but thankfully a BMW
BMW has revealed that it, too, has entered the self-driving car arena, inserting self-driving technology in a 5 Series car.
Posted on 28 January 2012 | 12:52 pm
Android screen chaos: A feature, not a bug
Programmers using Google's mobile operating system must reckon with upfront work for the wide range of Android screens, but the benefit is flexibility.
Posted on 28 January 2012 | 12:42 pm
Google doodle animates world's biggest snowflake
Google's latest charming doodle commemorates an event of which few might be aware: a 15-inch diameter snowflake that attacked Montana.
Posted on 28 January 2012 | 12:13 pm
Can an MP3 sound better than a Blu-ray?
High-resolution formats define the upper limit of quality, but if the recording's mix was overcompressed and processed, a lossless file won't sound great.
Posted on 28 January 2012 | 10:35 am
This week in Crave: The Legonaut edition
Cartoony laptop bags, Legos in space, and a lost Jim Henson film. These are just a few of our favorite things from Crave this week. Catch up on all the news in our weekly roundup.
Posted on 28 January 2012 | 8:00 am
For Apple, best numbers yet, mixed press on how it got there
We talk record breaking earnings, and reports of trouble in Apple's supply chain that made that possible, in this week's edition of Apple Talk Weekly.
Posted on 28 January 2012 | 7:00 am
Adobe shows the raw, dark side of Photoshop CS6
Photoshop CS6 will get a dark gray interface by default and, of course, it inherits Lightroom 4's new raw-image editing controls.
Posted on 28 January 2012 | 6:19 am
Twitter boycott looms with censorship accusations
When Twitter announced it would withhold tweets country-by-country based on local restrictions, it said it was being more transparent. But some users disagree.
Posted on 27 January 2012 | 10:53 pm
Anonymous takes aim over Europe's SOPA
Hackers are attacking sites and looking to expose information on European officials in response to the signing of the Anti-Counterfeiting Trade Agreement. ACTA critics say it's even worse than the Stop Online Piracy Act floated in the U.S.
Posted on 27 January 2012 | 9:36 pm
Microsoft's Kelihos botnet suspect says he's innocent
St. Petersburg, Russia-based Andrey N. Sabelnikov says he is "absolutely not guilty" of participating in the creation of the huge spam network that Microsoft shut down last September.
Posted on 27 January 2012 | 9:27 pm
Stickman games that shine on iOS
This week's collection of games relies less on graphics and more on solid gameplay. If you don't mind simple graphics and just want a good pick-up-and-play game, this is your collection.
Posted on 27 January 2012 | 8:25 pm
Windows 8 stable on ARM, going to developers soon, say sources
Windows 8 on ARM is coming along nicely, thank you, according to a couple of sources with whom CNET spoke.
Posted on 27 January 2012 | 8:25 pm
Take a tour of BMW's new Mog online music system
CNET takes a hands-on look at the new Mog online music system in a BMW 650i. Relying on an iPhone, the Mog interface lets the driver choose from 14 million tracks.
Posted on 27 January 2012 | 7:59 pm
What's a PS Vita game cost? Ask again tomorrow
The bean counters at Sony need to make up their minds on how they are pricing PS Vita games.
Posted on 27 January 2012 | 7:51 pm
D-Link HD Media 2000 DIR-827 router review: So many firsts
The D-Link DIR-827 is a very good true dual-band router that needs a firmware upgrade so it can live up to its potential.
Posted on 27 January 2012 | 7:49 pm
CVE-2012-0003 Exploit ITW
S. Korean handlers are slow to take down the publicly distributed malicious code exploiting CVE-2012-0003, a vulnerability patched in Microsoft's January 2012 patch release MS12-004. We have discussed with reporters that the code has been available since the 21st, and a site appears to have been publicly attacking very low numbers of Korean users over the past day or so. The site remains up at this time.
Posted on 27 January 2012 | 12:44 pm
Exploit.JS.Pdfka.dna
This exploit program uses vulnerabilities in Adobe Reader and Acrobat to execute itself on the user's computer. It is a PDF document containing XML Forms Architecture and JavaScript. It is 26,393...
Posted on 26 January 2012 | 9:15 am
Trojan-Downloader.Win32.Genome.asvq
This Trojan downloads other malicious programs from the Internet and launches them for execution without the user's knowledge. It is a Windows application (PE EXE file). It is 21 504 bytes in size....
Posted on 26 January 2012 | 6:41 am
Trojan-Downloader.Win32.Genome.asut
This Trojan downloads other malicious programs from the Internet and launches them for execution without the user's knowledge. It is a Windows application (PE EXE file). It is 21 504 bytes in size....
Posted on 26 January 2012 | 5:54 am
Trojan.Win32.Slefdel.fpk
The Trojan creates a file named "Deleteme.bat" in its working directory and launches it for execution: %WorkDir%\Deleteme.bat The launched file deletes the Trojan's original body and deletes...
Posted on 26 January 2012 | 5:42 am
Trojan.Win32.Sasfis.rer
This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file). It is 18 944 bytes in size. It is written in C++.
Posted on 25 January 2012 | 8:55 am
Trojan.Win32.Sasfis.ole
Once launched, the Trojan decrypts and extracts the following file from its body to the current user's temporary directory: %Temp%<rnd1>.tmp where <rnd1> is a random set of numbers and...
Posted on 25 January 2012 | 8:46 am
Trojan.Win32.Qhost.nhn
This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file). It is 16 384 bytes in size. It is written in C++.
Posted on 25 January 2012 | 8:37 am
Trojan.Win32.Qhost.mxb
The Trojan creates a copy of the original "hosts" file under the following name: C:\h.tmp The Trojan writes the following string in the file created: 85.***.206.115 u070***010u.com It replaces the...
Posted on 24 January 2012 | 3:40 am
Trojan.Win32.Agent.fadd
This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file). It is 49 162 bytes in size. It is written in Delphi. Installation Once launched, the...
Posted on 24 January 2012 | 3:31 am
Trojan.Win32.Agent.ezqu
This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file). It is 48 650 bytes in size. It is written in Delphi. Installation Once launched, the...
Posted on 24 January 2012 | 3:20 am
Trojan.Win32.Agent.ezqk
This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file). It is 47 114 bytes in size. It is written in Delphi. Installation Once launched, the...
Posted on 23 January 2012 | 7:18 am
Trojan.Win32.Agent.ezqg
This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file). It is 49 162 bytes in size. It is written in Delphi. Installation Once launched, the...
Posted on 23 January 2012 | 7:11 am
Trojan.Win32.Agent.dfab
Once launched, the Trojan decrypts and extracts the following file from its body to the current user's temporary directory: %Temp%<rnd1>.tmp where <rnd1> is a random set of numbers and...
Posted on 23 January 2012 | 5:33 am
Brazilian cybercriminals’ daily earnings - more than you’ll ever earn in a year!
How much do you earn per day? If we look at how much a cybercriminal from Brazil earns every day, we’ll understand why Brazil is one of the main sources of malware in the world. Brazilian cybercriminals really like to use short URLs to track infections and have their own stats. Here is the profile of one criminal using Bitly as a URL shortening service.

Posted on 20 January 2012 | 8:20 am
Trojan.Win32.Agent.daec
This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE DLL file). It is 27 136 bytes in size. It is written in C++. Installation The Trojan copies its body...
Posted on 20 January 2012 | 7:14 am
Exploit.HTML.CVE-2010-1885.ad
This exploit program uses a vulnerability in Microsoft Windows Help and Support Center to execute itself on the user's computer. It is an HTML document containing JavaScript scenarios. It is 11 723...
Posted on 20 January 2012 | 7:04 am
Backdoor.Win32.Bredavi.he
This malicious program provides a malicious user with remote access to the infected computer. It is a Windows application (PE DLL file). It is 25 600 bytes in size. It is written in...
Posted on 20 January 2012 | 6:58 am
Malware wallpaper calendars for 2012
As some of you may remember, during 2011 we published a malware calendar wallpaper for each month of the year.
We're doing so again this year, with updated information from 2011. However, we've decided to take a slightly different approach this year and publish all 12 wallpapers in one place. You can find them all here.
We hope you like this year's designs and find the data interesting.
Posted on 19 January 2012 | 10:42 am
Lab Matters - The threat from P2P botnets
Kaspersky Lab malware researcher Tillmann Werner joins Ryan Naraine to talk about the threat from peer-to-peer botnets. The discussions range from botnet-takedown activities and the ongoing cat-and-mouse games to cope with the botnet menace.
Posted on 19 January 2012 | 8:35 am
Backdoor.Win32.Bredavi.anx
If Microsoft Office is installed on the user's computer, the Trojan sets the security level to low by registering the following values in the system registry key:...
Posted on 19 January 2012 | 7:10 am
Trojan-Spy.Win32.SPSniffer.a
This malicious program is designed to steal confidential data from users. It is a Windows PE EXE file. It is 53248 bytes in size. It is written in Visual Basic.
Posted on 19 January 2012 | 6:58 am
Trojan-Dropper.Win32.Sality.r
This Trojan is designed to install and launch other programs on the victim machine without the knowledge or consent of the user. The program itself is a Windows PE DLL file. It is 76800 bytes in...
Posted on 19 January 2012 | 6:49 am
Two-pronged attack: Argentine site hit by malware and data leak
I was browsing through compromised websites used for spreading malware and found one from Argentina which belongs to a veterinary supplier. The admin panel got p0wned and, worst of all, it had a tab with the personal details of people who had posted their CVs (curriculum vitae). So, what exactly has happened? Well, basically lots of confidential information has been leaked and we are talking about home addresses, telephone numbers, details of education centers attended, mobile phone numbers, email addresses, marital status, children and even personal references. This is very bad because the same information can easily be used for all kinds of fraudulent activities: on-line ID theft, targeted attacks and so on. Here are just a few examples of real CVs uploaded and saved on the compromised site:


Posted on 18 January 2012 | 8:13 am
The Zappos Breach and Textual Password Based Authentication
Following their major database breach, Zappos leadership is doing the right thing by what seems to be quickly and clearly communicating what data was accessed and what was not - there are no unexplained delays or confusion on their part about the event. It's like another Aurora moment in my book, when Google extraordinarily opened up about their breach while the other 30-odd Aurora-breached major corporations did the opposite, aggressively maintaining NDAs to hide their Aurora incidents and hide their heads in the sand. Zappos reset 24 million customers' passwords and emailed all of them about the problem last night.
Posted on 17 January 2012 | 9:42 am
A School for Cybercrime: How to Become a Black Hat
Life looks good for Brazilian hackers: the absence of a specific law against cybercrime leaves them feeling so invulnerable that the bad guys are shameless about publicizing their thefts and showing off the profits of a life of crime. We showed some of this in a presentation at the latest Virus Bulletin Conference, and it’s commonplace to find YouTube clips of Brazilian bankers and carders reveling in their ill-gotten gains and rubbing their easy money in the faces of hard-up victims (there’s one example here, and several more out there). It’s also common to find bad guys’ profiles on social networks such as Twitter, Tumblr, etc. Everything is done out in the open, without fear of being caught.
To help new “entrepreneurs” or beginners interested in a life of cybercrime, some Brazilian bad guys started to offer paid courses. Others went even further, creating a Cybercrime school to sell the necessary skills to anyone who fancies a life of computer crime but lacks the technical know-how. On a website dedicated to selling these courses and promoting the “school”, a careful search turns up courses like “How to be a Banker”, “Kit Spammer” or “How to be a Defacer”.

Posted on 17 January 2012 | 8:40 am
IRC bot for Android
Not so long ago we found a very interesting piece of malware for Android. Unfortunately, it is not clear how it was spread but in any case it’s worth mentioning. The malicious application displays itself as the ‘MADDEN NFL 12’ game after the installation.

The file is 5+ MB in size and is actually a Trojan that drops a set of malware components onto the system: a root exploit, an SMS Trojan and an IRC bot. The .class file "AndroidBotAcitivity" maintains this dropper functionality. It creates a ‘/data/data/com.android.bot/files’ directory and sets ‘777’ permission (read/write/execute for all users). After that it extracts three files - ‘header01.png’ (root exploit), ‘footer01.png’ (IRC bot), ‘border01.png’ (SMS Trojan) - into this directory. Then it sets ‘777’ permission on the root exploit file and executes it. Finally, it displays the text ‘(0x14) Error - Not registred application’ on the screen.
If the exploit is executed successfully and the device is rooted, it launches the IRC bot ‘footer01.png’.
First of all, the IRC bot will try to delete ‘etc/sent’ using the ‘rm’ command:

Posted on 13 January 2012 | 1:36 pm
Facebook Security Phishing Attack In The Wild
At the time of writing there is a new Facebook phishing attack going on. It will not just try to steal your Facebook credentials; it will also try to steal credit card information and other important information such as security questions.
This Facebook phishing attack is pretty interesting because it does not just try to trick the victim into visiting a phishing website. It will reuse the stolen information and login to the compromised account and change both profile picture and name. The profile picture will be changed to the Facebook logo and the name will be translated to “Facebook Security” but containing special ASCII characters replacing letters such as “a” “k” “S” and “t”.
Once an account is compromised it will also send out a message to all contacts of the compromised account. The message looks like this:

Posted on 13 January 2012 | 6:38 am
Lab Matters - Cloudy with a chance of stolen data
Director of Kaspersky Lab's global research and analysis team Costin Raiu appears on Lab Matters to discuss the security ramifications of the growing dependence on cloud computing. The discussions center on the convenience of using consumer cloud services and some of the risks involved with outsourcing security to third-parties.
Posted on 12 January 2012 | 7:08 am
Windows Security Phone Scam Now Targeting Sweden
Earlier today, I was sitting at home working on a Linux server that was compromised when suddenly I heard my home phone ringing. Actually, someone has been calling me and just hanging up around the same time every day for three or four days now. I thought that it was just some telemarketing company profiling me to figure out if I’m home or not, but this time it was different.
When I picked up the phone I heard this guy introducing himself as a technician from the Windows Security Support Department. The connection was VERY bad and I could not hear everything he said; I don't know if this was intended or not.
When I started to talk to him he asked me in English with an Indian accent if I had a computer at home, and of course I said “yes”. Then he started to explain that my computer had been compromised and that my firewall was just protecting me against external threats and not internal threats. At this time I knew that something strange was going on, and I started to ask more questions about the malware, trying to get more information about them. At this point he immediately hung up the phone.
Just after he hung up I realized that this was one of those scams where they trick people into installing remote access software to be able to control the machines. Once they get access to the machines, they install rootkits and obtain full access to your computer.
In the outside world, I think this is quite an effective scam because they called me during the day, and I guess the people who are at home by this hour are not your average security researcher from Kaspersky Lab but maybe people who are sick, or the elderly.
I want to warn everyone about these scams, and at this time I can confirm that they are currently attacking Sweden. Previously, such scams appeared to target UK/US users mostly (http://money-watch.co.uk/8183/windows-support-scam-worsens), but it seems their business is expanding.
Please let us know if somebody calls you and claims they are from “Windows Security” (or such) and asks you to install remote access software. Most important of all, do not install the software which they recommend!
Posted on 9 January 2012 | 7:04 am
The Top 10 Security Stories of 2011
As we turn the page to 2012, it makes sense to sit back and take a look at what happened during the past twelve months in the IT Security world. If we were to summarize the year in one word, I think it would probably be “explosive.” The multitude of incidents, stories, facts, new trends and intriguing actors is so big that it makes it very hard to crack into the top 10 security stories of 2011. What I was aiming for with this list is to remember the stories that also indicate major trends or the emergence of major actors on the security scene. By looking at these stories, we can get an idea of what will happen in 2012.
Posted on 4 January 2012 | 4:08 am
BuzzMania - ClickJacking / LikeJacking spam on Facebook!
When logging into Facebook this morning I saw that many of my friends posted a link to a video on their wall, and also everyone liked the link. The video was of a girl with a nice butt and it had the title "Laura Frisian: the most beautiful ass in the world!". It was pretty obvious that it was a scam because it looked like all the other Facebook scams we have seen, but because so many of my friends were posting this video I still decided to take a look at it.

I quickly ended up in a JavaScript hell, with obfuscated code and multiple domains. It seems that the server used in this scam is hosting about 300 pages similar to the one I'm writing about. All of the pages look the same, but have many different videos. A few examples are:
- If you like Nutella, never look this video!!!
- Drill a tooth abscess! Disgusting :s
- Compilation of Embarrassing and Busted! Photos, Awesome :D
- Transgender 10-Year-Old, Boy Happier As A Girl !
- A Really Giant Baby ! Amazing it looks so real :D
- Air Race Plane Crashed in the crowd during a show !
- The worst thing that can happen to a girl!
- A fisherman catches a couple when they make ... :D
Posted on 3 January 2012 | 4:22 am
ASP.NET Holiday Patches
It's the end of 2011 as we know it, and Microsoft feels fine finishing out the year with a handful of out-of-band holiday patches. This round is important not because the vulnerabilities directly impact massive numbers of customers and their online behavior on Windows laptops, tablets, and workstations, but because ASP.NET maintains vulnerable code enabling easy DoS of hosting websites, authentication bypass techniques, and stealth redirections to other websites (most dangerously those sites hosting phish and hosting client side exploits and spyware). All of this could curdle your eggnog in the coldest of weather.
Posted on 29 December 2011 | 5:24 pm
Android malware: new traps for users
It is no secret that cybercriminals very often try to intimidate users in order to infect their machines. We’ve seen a lot of examples of cybercriminals using black SEO for redirecting users to web pages which emulate AV scanning. And it is no surprise that the results of such ‘scanning’ show that the user’s machine is infected with a lot of dangerous malicious apps and that it is essential to download and install a brand new ‘antivirus program’ which is actually fake AV.
But what about smartphones and mobile phones? Cybercriminals have started to use almost the same techniques in order to force users to download and install malware. But in this case we talk about SMS Trojans with fake AV rudiments. Here are some details.
When looking for some popular mobile apps (e.g. Opera Mini) in Google via a smartphone, several search results will redirect users to a web page which may look like this:

Or this:

Posted on 29 December 2011 | 5:52 am
The Mystery of Duqu: Part Seven (Back to Stuxnet)
We have been studying the Duqu Trojan for two months now, exploring how it emerged, where it was distributed and how it operates. Despite the large volume of data obtained (most of which has yet to be published), we still lack the answer to the fundamental question - who is behind Duqu?
In addition, there are other issues, mostly to do with the creation of the Trojan, or rather the platform used to implement Duqu as well as Stuxnet.
In terms of architecture, the platform used to create Duqu and Stuxnet is the same. This is a driver file which loads a main module designed as an encrypted library. At the same time, there is a separate configuration file for the whole malicious complex and an encrypted block in the system registry that defines the location of the module being loaded and name of the process for injection.

This platform can be conventionally named as ‘Tilded’ as its authors are, for some reason, inclined to use file names which start with "~d".
We believe Duqu and Stuxnet were simultaneous projects supported by the same team of developers.
Several other details have been uncovered which suggest there was possibly at least one further spyware module based on the same platform in 2007-2008, and several other programs whose functionality was unclear between 2008 and 2010.
These facts significantly challenge the existing "official" history of Stuxnet. We will try to cover them in this publication, but let us first recap the story so far.
Posted on 28 December 2011 | 11:37 am
“Profile me” bot on Twitter
There is bot activity on Twitter which, at the moment, is related only to gaining new followers. What is happening is that the “profile me” bot is exploring all Twitpic-hosted pictures and replying to the authors with the same text phrase:

Posted on 24 December 2011 | 9:02 pm
Lab Matters - Brazil Banks in the Malware Glare
Fabio Assolini talks about the explosion of banker Trojans in Brazil and explains why it is so difficult to fight back against cyber-crime in the Latin American region.
Posted on 22 December 2011 | 7:54 am
Cybercriminals celebrate Christmas with festive fraud
This year cybercriminals haven’t been particularly active in exploiting the upcoming holiday season to snare victims with their scams. The first evidence of a growing trend of festive fraud only began to emerge about a week ago. Interestingly, this year’s attacks are somewhat different from previous years. This time round cybercriminals aren’t just going for hard cash - they are also looking for other assets that can be converted into money, such as air miles.
Posted on 20 December 2011 | 8:47 am
Thousands of European cards blocked following payment processor breach
Several Eastern European banks have started notifying their customers in the beginning of last week that their cards have been blocked and will be replaced with new ones. Most of the banks did not give out any more details about what happened, and in many cases even failed to notify their customers prior to actually blocking their cards. Is it just another day in the payment processing business? Based on the rushed response from banks and the lack of information surrounding the case, I would say no.
It all started one week ago after the state-owned Romanian bank CEC Bank blocked ~17,000 cards in response to a security breach at one of VISA’s European payment processors.
The reaction of other banks followed soon. The Romanian branch of ING Bank also confirmed to have blocked compromised cards, but didn’t put out a number. They say they’ve only blocked a few cards, but are closely monitoring the situation.
A few days later, Serbian banks also started blocking thousands of cards for security reasons. Raiffeisen Bank, Komercijalna and Societe Generale confirm they have been informed by VISA about some of their customers’ cards being compromised. Very similar to what happened in Romania.
Rumors indicate the European branch of an electronic payment services provider, Euronet Worldwide, to be the source of this breach. This information has been going around Romanian business media (1, 2) - and though it hasn’t been confirmed officially, it would explain why customers from different banks in different countries were affected.
It’s very hard to assess the severity of this security breach, as the banks’ reaction to these events was very mixed. Some banks proceeded immediately to blocking and replacing all affected cards, while others decided to monitor the situation more closely.
Currently, it’s very hard to get a full picture of what is going on, but as it usually happens, these are unlikely to be isolated incidents. Actually, these stories could be just the tip of the iceberg. If you have recently received such a notification from your bank, we’d like to hear from you, especially if it’s outside Serbia and Romania.
Meanwhile, make sure to follow these 3 basic steps to make sure you don’t become a victim of credit card fraud:
- Check your statements as often as possible. Make sure all payments showing up are actually made by yourself. In case you suspect a fraudulent transaction, get in touch with your bank as soon as possible.
- Enable instant SMS notifications if your bank offers it. Some banks offer it for free, others charge for this option. No matter what, it’s worth it. You’ll be able to get instant reports of payments made with your cards.
- Make sure you keep most of your money in an account that has no card linked to it. Having to move money from an account to another on a weekly or monthly basis might seem annoying, but it can save you a great deal of pain in case your card gets compromised.
Last, but not least, we know it’s the holiday season and shopping is on everyone’s mind. So if you want to keep your money safe when doing online shopping, this insightful article we’ve put together is for you: Online shopping made safe and convenient.
Posted on 19 December 2011 | 12:21 pm
Patch Tuesday December 2011
Microsoft finishes out this year of patching with a heavy release that's all over the place. While techs were notified of an anticipated 14 bulletins, 13 were released for the month of December. Headline grabbing events and code are addressed in one of them, and while fewer are labelled "Critical", are they any less important?
Many speculative bits have been spilled on the group behind Stuxnet and its precursor Duqu, with our own researchers posting at least a half dozen Securelist writeups on Duqu findings alone. MS11-087 patches up the delivery vector for Duqu itself. This kernel mode vulnerability was publicly identified and confirmed at the beginning of November, but could well have been used quietly in attacks around the world for a year or more.
Posted on 14 December 2011 | 8:10 am
New Exploit Targeting Java Vulnerability Found in BlackHole Arsenal
On 3 December, we noted a rapid growth in the number of detections for exploits targeting the vulnerability CVE-2011-3544 in Java virtual machine. The vulnerability was published on 18 October, but malicious users have only recently begun to make active use of it. It can be used by exploits in drive-by attacks to download and launch malicious programs.

Number of unique detections of Exploit.Java.CVE-2011-3544
According to KSN data, most of the exploits targeting CVE-2011-3544 are used in the BlackHole Exploit Kit, which is currently the most popular exploit pack.
We analyzed the latest BlackHole kits. The sites that carry out drive-by attacks with the help of BlackHole turned up quite an old exploit - a PDF file that targets the vulnerability CVE-2010-0188, and a new Java exploit targeting the vulnerability CVE-2011-3544. The corresponding files are circled in red in the screenshot below.

A screenshot of the list of files intercepted when visiting websites where BlackHole is installed
Brian Krebs reports that the creators of BlackHole have successfully integrated the new exploit into their kit. According to KSN statistics, the new exploits attack users in Russia, the US, the UK and Germany. This appears to be related to the fact that the new exploits integrated in BlackHole that target the vulnerability CVE-2011-3544 install the Trojan Carberp, which steals banking data, as well as SMS blockers. SMS blockers are mostly used in Russia, while Trojan bankers attack users in developed countries.

Once again we see that malware writers are forging ahead and are continually improving their creations. It is, therefore, critical that all users install Java updates from Oracle in a timely manner. The patch for (among other things) the CVE-2011-3544 vulnerability can be downloaded here.
Posted on 13 December 2011 | 4:48 am
Lab Matters - Java exploits percolate
In this webcast, Kurt Baumgartner talks about the rise of exploits against vulnerabilities in Oracle’s Java software. The discussion centers around the exploitation of Java vulnerabilities in exploit kits and the poor state of patching on the Windows platform.
Posted on 8 December 2011 | 4:04 am
What to Do About Carrier IQ
There’s been a lot of talk about a piece of software installed on many mobile devices called Carrier IQ. The intended purpose of the software according to the manufacturer is to collect metrics to improve many functions of the device on which it’s installed. The uproar has been that this software has access to so much private user data.
Posted on 7 December 2011 | 11:41 am
Malware Calendar Wallpaper for December 2011
Here's the latest of our malware calendar wallpapers.
1280x800 | 1680x1050 | 1920x1200 | 2560x1600
Christmas brings many more people online since the Internet provides a quick and convenient way to buy Christmas gifts. This makes it the perfect time for cybercriminals to cash in on online activity. So it's also a good time for a reminder about the basic things you can do to reduce the risk of cybercriminals spoiling your Christmas.
- Install Internet security software and keep it updated.
- Keep Windows and other applications up-to-date.
- Back up your data regularly to a CD, DVD, or external USB drive.
- Don’t respond to email messages if you don’t know the sender.
- Don’t click on email attachments if you don’t know the sender.
- Don’t click on links in email or IM (instant messaging) messages. Type the address directly into your web browser.
- Don’t give out personal information in response to an email or other message, even if it looks official.
- Only shop, bank or socialise on secure sites. Make sure the URL starts with ‘https://’.
- Use a different password for each web site or service you use. Don’t recycle them (e.g. ‘jackie1’, ‘jackie2’). Don’t make them easy to guess (e.g. mum’s name, pet’s name). Don’t tell anyone your passwords.
Posted on 7 December 2011 | 3:31 am
Malicious Boot loaders
Cybercriminals are always looking for new ways to infect systems - ideally without being noticed until it’s too late. The sky is the limit for their creativity, as the latest wave of malicious boot loaders shows. The kit has been pioneered by Brazilian Trojan bankers who aim to remove security software.
This non-traditional infection only affects systems using ntldr, the default boot loader on Windows NT up to and including Windows XP and Windows Server 2003. This choice was no coincidence - XP is still the most popular OS in several countries, including Brazil, where it runs on nearly 47% of all machines.
Posted on 6 December 2011 | 1:21 pm
Lab Matters - Analyzing the Android security ecosystem
Kaspersky Lab security researcher Tim Armstrong looks at the security posture of the Android platform and discusses current and future threats to Android-powered devices.
Posted on 1 December 2011 | 3:30 am
The Mystery of Duqu: Part Six (The Command and Control servers)
Over the past few weeks, we have been busy researching the Command and Control infrastructure used by Duqu.
It is now a well-known fact that the original Duqu samples were using a C&C server in India, located at an ISP called Webwerks. Since then, another Duqu C&C server has been discovered which was hosted on a server at Combell Group Nv, in Belgium.
At Kaspersky Lab we have currently cataloged and identified over 12 different Duqu variants. These connect to the C&C server in India, to the one in Belgium, but also to other C&C servers, notably two servers in Vietnam and one in the Netherlands. Besides these, many other servers were used as part of the infrastructure, some of them used as main C&C proxies while others were used by the attackers to jump around the world and make tracing more difficult. Overall, we estimate there have been more than a dozen Duqu command and control servers active during the past three years.
Before going any further, let us say that we still do not know who is behind Duqu and Stuxnet. Although we have analyzed some of the servers, the attackers have covered their tracks quite effectively. On 20 October 2011 a major cleanup operation of the Duqu network was initiated. The attackers wiped every single server they had used as far back as 2009 - in India, Vietnam, Germany, the UK and so on. Nevertheless, despite the massive cleanup, we can shed some light on how the C&C network worked.
Posted on 30 November 2011 | 10:10 am
Does Android Malware Exist?
I’m often asked about the real danger of Android malware. This is a difficult question as it has many factors to consider, such as your location, your device, how many apps you install, and how reckless you are with the apps that you choose.
There are two common factions often at odds with each other. There is one side of the argument that states that the threat to Android is overblown, and that because the number of malicious samples discovered so far is so small in comparison with Windows malware, it’s insignificant. In fact when a company discloses their findings and they show any type of marked growth in this sector, they’re often accused of scaremongering to generate sales.
Posted on 29 November 2011 | 5:00 pm
Choose your preferred Fake AV
Isn’t it great when your forecasts come true? Well, sometimes. But maybe not this time. Today I found a malicious site specially designed to fake three antivirus brands. Kaspersky is top of the list. So, what does it look like?
Posted on 29 November 2011 | 9:48 am


