Entries with tag kaspersky lab.

Security Researchers: Computer Virus Targets Venezuelans

Researchers from security vendor Kaspersky Lab have announced the discovery of a virus that targets Venezuelans and steals their online credentials. Victims download the virus after clicking on a link, “listas-fraude-electoral.pdf.exe” (which means “electoral fraud lists”), that purportedly leads to information about that nation’s recent presidential election. Dmitry Bestuzhev, Kaspersky’s head of Latin America research, said the malware spreads via e-mail and affected at least 75 of the company’s customers. The virus lets criminals steal victims’ banking information and their online credentials for Comisión de Administración de Divisas (CADIVI), the nation’s currency agency. “Being that this malware is quite simple and also targeting only Venezuelan banks and CADIVI, we can strongly assume that the cybercriminals who produced it are from Venezuela, too,” Bestuzhev wrote.
(PhysOrg)(The Associated Press @ The Washington Post)(Kaspersky Lab SecureList)

Researchers Reveal New Details about Flame’s Malicious Capabilities

Security researchers have provided new information about the innovative approaches the sophisticated Flame malware used in its attacks on computers in the Middle East earlier this year. Analysis by researchers from Kaspersky Lab, Symantec, CERT-Bund/BSI, and the International Telecommunication Union’s Impact Alliance showed that Flame’s creators disguised the malware’s command-and-control servers as content publishing platforms that ran a fake content-management application. This let the servers operate without attracting attention because they resembled a platform that a news organization or blogger might use. The researchers say the Flame campaign started as early as 2006 and included the creation of at least three other pieces of malware that have yet to be discovered. The attack was also more widespread than previously believed and infected perhaps as many as 10,000 machines. Forensics revealed the names or code names of four of Flame’s developers. In May Kaspersky Lab reported it had discovered the Flame virus—which it describes as part of an espionage toolkit—after the United Nations’ International Telecommunication Union requested help with computer infections targeting Iran’s oil ministry. Flame attacks carefully selected computers, steals data, and opens a backdoor to infected systems that the attackers can use to update the malware. Researchers say the malware is so complex that they might need a decade to analyze it. (Ars Technica)(Reuters)(Wired)(Kaspersky Lab Threatpost)(Computing Now NewsFeed – 29 May 2012)

Detection Tools Released for Gauss Malware

Malware researchers have released tools to detect the newly discovered Gauss banking malware. Kaspersky Lab and CrySyS (Laboratory of Cryptography and System Security) Lab devised Web-based tools that let anyone determine if they’ve been infected by Gauss, which retrieves secure information, including banking data. Detection relies on the presence of a font called Palida Narrow that the malware installs on infected machines. Its significance is not yet known. Kaspersky reported it has found about 2,500 occurrences of Gauss—which it estimates has been live since the fall of 2011—primarily in Lebanon. (The Washington Post)(Kaspersky Lab)

Kaspersky: Apple Mobile Application Contains Malware

Researchers with Kaspersky Lab have discovered an application in Apple’s App Store that contains a Trojan. It is reportedly the first time an infected application has been found in the Apple store. The Find and Call application purported to make contact management easier for users, but it actually uploaded an infected user’s contacts to a remote server. The information was used to distribute spam via SMS. These SMS messages also featured a link to download the infected application. The application also uploaded GPS coordinates from an infected phone to the malware author’s server. It was originally assumed the worm spread through text messages, but researchers found it to have originated with a Trojan. The malware was also discovered in Android’s Google Play. The application has been removed from both stores. (ZDNet)(Wired)(CNET)(Securelist -- Kaspersky Lab)

Researchers Discover Link between Flame, Stuxnet

Kaspersky Lab researchers claim they have found evidence showing the creators of the Stuxnet, Duqu, and Flame cyberweapons cooperated at least once. The researchers found a module known as Resource 207 that appears in the Stuxnet worm and is similar to code used in the Flame malware toolkit. The finding prompted researchers to rescind their previous assertion that the two attacks were unrelated. They also determined that Flame existed originally as a platform within Stuxnet as early as 2008. Alan Woodward, a security expert and University of Surrey professor, told the BBC that the findings are interesting but do not clearly indicate the party behind the attacks. “The fact that they shared source code further suggests that it wasn’t just someone copying or reusing one bit of Stuxnet or Flame that they had found in the wild, but rather those that wrote the code passed it over,” he said. “At the very least, it suggests there are two groups capable of building this type of code but they are somehow collaborating, albeit only in a minor way.” (BBC)(Securelist – Kaspersky Lab blog)

Flame Creators Trip Self-Destruct Command

Symantec researchers report that the creators of the Flame malware toolkit issued a so-called “suicide command” earlier this week to have it remove itself from some infected computers. Symantec observed the command using honeypot computers specifically designed to observe Flame and said the command removed all Flame files, then overwrote their locations in memory with gibberish to stymie researchers investigating the infection. Symantec claims the code was written in early May. Meanwhile, in an address before a security conference in Tel Aviv, Eugene Kaspersky of Kaspersky Lab, which discovered Flame, said this sort of cyberterrorism is frightening. “It’s not cyberwar, it’s cyberterrorism, and I’m afraid it’s just the beginning of the game ... I’m afraid it will be the end of the world as we know it,” Kaspersky said. “I’m scared, believe me. … Flame is extremely complicated but I think many countries can do the same or very similar, even countries that don't have enough of the expertise at the moment. They can employ engineers or kidnap them, or employ ‘hacktivists.’” (BBC)(Computerworld)(Symantec Security Response Blog)(Reuters)

Flame Malware Authors Wanted to Steal Iranian Technical Drawings

Initial analysis of the Flame malware toolkit by Kaspersky Lab researchers shows the attackers sought technical drawings from Iran. The researchers also reported that the network went dark within an hour of the operation being made public last week, but not before the authors updated infected machines. Kaspersky Lab used a technique called sinkholing to obtain its information. “Sinkholing is a procedure when we discover a malicious server—whether it is an IP address or domain name—that we can take over with the help of the authorities or the [domain] registrar,” Kaspersky senior researcher Vitaly Kamluk told the BBC. “We can redirect all the requests from the victims from infected machines to our lab server to register all these infections and log them.” This was how they determined that the attackers targeted Iran and sought AutoCAD schematics, as well as some PDF and text files. The attackers reportedly used complex false identities to carry out their plans and registered at least 86 domain names for their command-and-control infrastructure since 2008. The Kaspersky analysis shows that the command-and-control server network moved regularly and was in locations such as Germany, Hong Kong, Turkey, and the UK. Kaspersky has not determined if Flame is related to a virus that targeted the Iranian oil ministry in April, but it thinks Flame was created by the same nation-state responsible for the Stuxnet malware attacks. (Wired)(BBC)(Securelist)
