CVE-2010-0886

The Virus Lab recently came across a very interesting sample – a downloader containing two drivers and which downloads fake antivirus programs developed for both PC and Mac platforms. The malicious program is downloaded and installed using the BlackHole Exploit Kit. The latter contains exploits targeting vulnerabilities in JRE (CVE-2010-0886, CVE-2010-4452, CVE-2010-3552) and PDF. Both drivers are standard rootkits with rich functionality. One of them is a 32-bit and the other a 64-bit driver....

Last week, we published a blog post regarding the ongoing spam campaign using the recent earthquake in Japan to infect users. This is a follow up blog describing the exploits used. According to our analysis, it seems that the malicious links from the spam emails lead to websites hosting the Incognito Exploit Kit. Here is an interesting picture from the servers hosting the exploit kit: You can see below another example from the spam campaign, this time pretending to be an email from Twitter: The ...

On 25 October 2010, the Dutch police force’s Cybercrime Department announced the shutdown of 143 Bredolab botnet control servers. The next day at Armenia’s Yerevan international airport, one of those formerly responsible for running the botnet was arrested. While it is certainly possible that this marked the end of Bredolab, the technologies behind it remain and can, unfortunately, still be used to create new botnets. Malicious programs from the Backdoor.Win32.Bredolab family were first dete...

The third quarter of 2010 turned out to be more eventful than the preceding quarter. Over 600 million attempts to infect users’ computers with malicious and potentially unwanted programs were blocked during this period; an increase of 10% on the second quarter of this year. Out of all of the objects detected, over 534million were malicious programs. There was an emergence of ultra- sophisticated malware in this quarter too. This was the first time we have seen malware which used not one, but f...

Kaspersky Lab presents its malware rankings for September. There are relatively few new malicious programs in either ranking. It is, however, worth highlighting a new ‘bundle’: Trojan-Dropper.Win32.Sality.cx which installs Virus.Win32.Sality.bh to an infected computer. The dropper spreads using a vulnerability in WinLNK files (i.e., Windows shortcuts). It’s also worth noting that in September the number of exploits targeting CVE-2010-1885 (the Windows Help and Support Center vulnerability)...

In August, there was a significant increase in exploits of the CVE-2010-2568 vulnerability. Worm.Win32.Stuxnet, which notoriously surfaced in late July, targets this vulnerability, as does the Trojan-Dropper program which installs the latest variant of the Sality virus – Virus.Win32.Sality.ag. Unsurprisingly, black hats lost no time in taking advantage of this latest vulnerability in the most commonly used version of Windows. However, on 2 August Microsoft released MS10-046 which provides a pa...

The majority of the biggest malware incidents that took place in the second quarter of 2010 were linked in some way to botnets. New bots were created and existing bots further developed, such as TDSS, an article on which has been published by our virus analysts, and Zbot (ZeuS), which we discuss below. The evolution of the ZeuS (Zbot) Trojan, which is used to build botnets, is worth describing. A new modification of the malicious program was detected in late April. It included file virus functio...

The first Top Twenty list below shows malware, adware and potentially unwanted programs that were detected and neutralized by the on-access scanner when they were accessed for the first time. The first ten places on the above list remain virtually unchanged from last month, with the Kido network worm and the Sality virus continuing to occupy the top four places. Fifth place saw the appearance of Exploit.JS.Agent.bab, which shunted the next five programs down one place, but we’ll talk more abou...

The first Top Twenty list immediately below shows malware, adware and potentially unwanted programs that were detected and neutralized by the on-access scanner when they were accessed for the first time. During May there were five new entries to the list. Variants of the CVE-2010-0806 exploit left the Top 20 list as swiftly as they had joined it a month ago. However, malware writers are nowhere near through with exploiting the CVE-2010-0806 vulnerability. In May, Trojan.JS.Agent.bhr, a component...