Tag Archives: Kaspersky Lab

Southeast Asia’s Viral Infection

Southeast Asia is fast developing a reputation as the most dangerous place on the Internet. It’s not a reputation the region can afford to have.

By one count Thailand has risen to be the country with the most number of malware infections, by one account, and by another to be the second, all in the past few months.

PandaLabs’ report on the second quarter of 2011 [PDF] lists Thailand as having the second highest rate of malware infection (after China) with nearly 57% of computers scanned by their antivirus software as being infected. The global average is about 40%. Thailand was second in the previous quarter too, but with an even higher infection rate, of 65%. Most of these infections seem to come from worms.

Indeed, this trend seems to have started last year. The AntiPhishing Working Group’s report for the second half of 2010 lists as top in terms of infected countries–nearly 67%, higher than China’s 63%. (I should point out that the chief analyst for the APWG is Luis Corrons, who is technical director of PandaLabs, so the source of this data may actually be one place.)

Indonesia, meanwhile, now equals the United States as the highest single source of Distributed Denial of Service attacks, according to data from Kaspersky (Expect More DDoS Attacks Tomorrow, published on Monday):

The US and Indonesia topped the rating with each country accounting for 5% of all DDoS traffic. The US’s leading position is down to the large number of computers in the country – a highly attractive feature for botmasters. Meanwhile, the large number of infected computers in Indonesia means it also ranks highly in the DDoS traffic rating. According to data from Kaspersky Security Network, Kaspersky Lab’s globally-distributed threat monitoring network, in Q2 2011 almost every second machine (48%) in Indonesia was subjected to a local malware infection attempt.

A couple of points here:

  • Indonesia has a lot fewer computers connected to the Internet compared to the U.S.: about 40 million vs 245 million. This means that Indonesia is generating 5 times as much DDOS traffic per computer as the U.S.
  • The discrepancies in the infection rates between Kaspersky and Panda are artifacts of the way these companies measure these things. Basically, as far as I understand, they gather data from users, so a lot depends on just how popular that particular piece of antivirus software is in the country, and on factors such as the likelihood of people actually using antivirus software.

The Kaspersky report shows that Southeast Asia features heavily in the proportion of DDOS traffic:

  • Indonesia 5%
  • Philippines 4%
  • Vietnam 4%
  • Thailand 4%
  • Singapore 4%
  • Malaysia 3%

Internet traffic optimizer Akamai, meanwhile, reported that [PDF, may have to answer a short survey before reading] Burma (Myanmar) accounted for 13% of the world’s attack traffic (i.e. DDOS traffic). This was the first time that Burma appeared on the list. I’ve spoken to Akamai and they’re not clear why this is the case, but they did point to the fact that their data covers the first quarter of 2011, a few months after a massive DDOS attack on Burma which happened to coincide with the country’s elections.

The suspicion at the time that this was self-inflicted: basically pro-government hackers preventing Burmese from using the Internet to get alternative sources of election information. Makes sense. Akamai’s theory is that this traffic that they saw in the first quarter of this year was residual traffic from those massive attacks. But the truth is that no one knows.

More generally, it’s not good that Southeast Asia is now becoming this malware and DDOS capital. There are lots of reasons for it, which I’ll be exploring as part of a project in the months to come.

Full version of the Kaspersky report: DDoS attacks in Q2 2011 – Securelist

Russia Gets Serious About Its Virus Writers?

Is Russia finally getting serious about its virus writers?

Kaspersky Labs and F-Secure, two anti-virus manufacturers, report that Evgenii Suchkov (or Eugene Suchkov, sometimes known as Whale or Cityhawk) has been found guilty of writing two viruses, Stepar and Gastropod. Suchkov was sentenced in the Russian republic of Udmurtia, and while he was only fined 3,000 rubles ($100) — a sentence which has attracted some derision — Kaspersky’s analyst reckons now “Russian virus writers know that they are not always going to be able to hide from the law. And the world knows that Russia is doing something about virus writing”.

Suchkov, it appears, is no small fish. He’s believed to be a member of 29A, a notorious virus writing group, according to Kaspersky, which also believes he’s a member of the HangUp Team, a group I’ve tried to look more carefully at for their alleged role in phishing. Interestingly, a Czech member of 29A was recently recruited by a Czech software company, a move which has ignited some controversy, not least because it would appear to make virus writing a good way to prepare a CV for more legitimate work.

I tend to agree that hiring these guys might not be the best idea. Beyond the moral hazard issue — why should virus writers care about getting caught if they know it will lead to a job anyway? — there’s the issue of where this guy’s loyalties may lie. Is he going to try to stop his old buddies from doing their thing? Or tracking them down? And even if he did want to do good work for his new employer, he’s going to be a marked man for his former buddies who it’s believed, have active links to the Russian mafia.

The point to remember is that virus writing is now an industry, or sub-industry, of the criminal underworld. So no longer could one argue that these guys are just lonely geeks trying to get some attention. They do what they do for money, which means a virus, worm or trojan is a piece of code designed to do something specific. It’s probably done to order. If one of these virus writers is now working for the other side, I would hope his new employers take a good hard look at his motives: If he’s a good virus writer he could probably command significant amounts of money. Is he going to say goodbye to all that?

Finally, Mikko Hypponen of F-Secure suggests that there may also be traffic the other way. “F-Secure also has evidence which suggest that spammers have succesfully recruited anti-spam software developers to their side,” Hypponen says in a recent email. He points out that “spammers make money from their efforts; that’s why they can actually afford to invest in making their attacks better.” Anti-spammers going to the dark side? There must still be good money in it somewhere. I’ll try to find out more.

Phishing Gets Proactive

Scaring the bejesus out of a lot of security folk this weekend is a new kind of phishing attack that doesn’t require the victim to do anything but visit the usual websites he might visit anyway.

It works like this: The bad guy uses a weakness in web servers running  Internet Information Services 5.0 (IIS) and Internet Explorer, components of Microsoft Windows, to make it append some JavaScript code to the bottom of webpages. When the victim visits those pages the JavaScript will load onto his computer one or more trojans, known variously as Scob.A, Berbew.F, and Padodor. These trojans open up the victim’s computer to the bad guy, but Padodor is also a keylogging trojan, capturing passwords the victim types when accessing websites like eBay and PayPal. Here’s an analysis of the malicious script placed on victims’ computers from LURHQ. Think of it as a kind of outsourced phishing attack.

Some things are not yet clear. One is how widespread this infection is. According to U.S.-based iDEFENSE late Friday, “hundreds of thousands of computers have likely been infected in the past 24 hours.” Others say it’s not that widespread. CNET reported late Friday that the Russian server delivering the trojans was shut down, but that may only be temporary respite.

What’s also unclear is exactly what vulnerability is being used, and therefore whether Microsoft has already developed a patch — or software cure — for it. More discussion on that here. Microsoft is calling the security issue Download.Ject, and writes about it here.

Although there’s no hard evidence, several security firms, including Kaspersky, iDEFENSE and F-Secure, are pointing the finger at a Russian-speaking hacking group called the HangUP Team.

According to Kaspersky Labs, we may be looking at what is called a Zero Day Vulnerability. In other words, a hole “which no-one knows about, and which there is no patch for”. Usually it has been the good guys — known in the trade as the white hats — who discover vulnerabilities in software and try to patch them before they can be exploited, whereas this attack may reflect a shift in the balance of power, as the bad guys (the black hats) find the vulnerabilities first, and make use of them while the rest of us try to find out how they do it. “We have been predicting such an incident for several years: it confirms the destructive direction taken by the computer underground, and the trend in using a combination of methods to attack. Unfortunately, such blended threats and attacks are designed to evade the protection currently available,” commented Eugene Kaspersky, head of Anti-Virus Research at Kaspersky Labs.

In short, what’s scary about this is:

  • we still don’t know exactly how servers are getting infected. Everyone’s still working on it;
  • suddenly surfing itself becomes dangerous. It’s no longer necessary to try to lure victims to dodgy websites; you just infect the places they would visit anyway;
  • Users who have done everything right can still get infected: Even a fully patched version of Internet Explorer 6 won’t save you from infection, according to Netcraft, a British Internet security company.

For now, all that is recommended is that you disable JavaScript. This is not really an option, says Daniel McNamara of anti-phishing website CodePhish, since a lot of sites rely on JavaScript to function. A better way, according to iDEFENSE, would be to use a non-Microsoft browser. Oh, and if you want to check whether you’re infected, according to Microsoft, search for the following files on your hard disk: kk32.dll and surf.dat. If either are there, you’re infected and you should run one of the clean-up tools listed on the Microsoft page.

Viruses And The Russian Connection

As feared, MyDoom seems to come from Russia. Or does it?

The Moscow Times quotes Kaspersky Labs as saying they used location-sensing software to trace the first e-mails infected with MyDoom back to addresses with Russian Internet providers. “It’s scary, but most serious viruses are written in Russia,” said Denis Zenkov, spokesman for Kaspersky, the country’s largest anti-virus software company.

This is not the first. Russians have long been virus writers. Dumaru, Mimail and Stawin may have Russian origins.

But what has changed in the last year or so, it seems, is the commercialisation of Russian virus writing. These viruses are no longer the product of idle, alienated, out-of-work minds, but of folk working for professional spammers and scammers. Another Kaspersky expert, Alexander Gostiyev, is quoted by AFP as saying the creators of MyDoom were not aiming to disrupt Internet traffic but to use infected computers to distribute unsolicited junk mail. The attack “was very well planned and prepared, perhaps for several months, and at least 1,000 computers were infected in advance,” Gostiyev said. “The virus could be of use above all to criminal groups seeking to distribute spam,” he added.

Spam, however, may be the least of it. There’s not much money to be made from spam, whereas there is from theft. Stawin, for example, records keystrokes when infected victims access their bank accounts, and sends the results to a Russian email address. British police are investigating the possibility that a wave of extortion attempts against gambling sites may come from Russia or Eastern Europe, according to Reuters. These attacks are related to the Superbowl: Those who don’t pay up are brought down by massive traffic, called a Distributed Denial of Service attack, or DDOS. A site dedicated to online betting has recorded at least 20 sports betting sites appeared to have been brought down over the weekend. With all the work that went into something like MyDoom, I can’t believe it’s only spam the creators are after.

Of course, this could all be a feint.

Agence France Presse quotes Kaspersky as saying “there is a still a 20-percent chance that this was an attempt to mislead. Virus programmers from other countries could have registered an email address in Russia” as a ruse. And it’s not entirely clear what Kaspersky means by ‘location sensing software’. This could mean more or less anything, and, as some folk have pointed out, the fact that Kaspersky is based in Russia makes it likely they will receive copies of the virus from Russian email addresses.

And it still leaves us with the fact that the virus was in part tooled to launch an attack on the website SCO, a company that has riled the Open Source community by claiming copyright over parts of the Linux operating system. The virus was designed to launch an attack on their website starting February 1: The website is presently down, apparently overwhelmed by traffic.

One final thing: There seems to be some confusion between the first and second MyDoom virus: Variations often follow when folk get inspired by the success of a virus, but that doesn’t mean the same guy, or guys, wrote both viruses. The presence of a note in English inside the second version of the virus, — sync-1.01; andy; I’m just doing my job, nothing personal, sorry — appears to have confused some folk. The source, and purpose, of the first MyDoom remains a mystery.

The Mob Moves In

You know if AccountancyAge are reporting it, there’s money involved. According to the bean-counters, organised crime is looking at how it can make money from spam and virus writing, which means attacks may become less common than now but more dangerous. Quoting Russian antivirus expert Eugene Kaspersky, the latest MiMail worms were the first in a new type of attack aimed at deriving financial profit from viruses and malware.

Recent MiMail variants collected and forwarded PayPal account details to the worms’ creators. ‘The business of the mafia is business, and there could be a lot of money to be made from malware and spamming. As they consolidate control, the business of hacking and virus writing they will squeeze out independents. Spam will be an early target,’ he said.

What’s the interest for the mafia? Stealing commercial valuable secrets, bringing down networks for extortion, grabbing money from PayPal accounts.