CVE-2010-1885

Published: 15/06/2010 Updated: 26/02/2019
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
VMScore: 940
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

The MPC::HexToNum function in helpctr.exe in Microsoft Windows Help and Support Center in Windows XP and Windows Server 2003 does not properly handle malformed escape sequences, which allows remote malicious users to bypass the trusted documents whitelist (fromHCP option) and execute arbitrary commands via a crafted hcp:// URL, aka "Help Center URL Validation Vulnerability."

Vulnerable Product

microsoft windows xp

microsoft windows 2003 server

microsoft windows xp -

microsoft windows server 2003

Exploits

## # $Id: ms10_042_helpctr_xss_cmd_exec.rb 10388 2010-09-20 04:37:25Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # metasploit.com/framework/ ## require 'ms ...

Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

Help and Support Centre is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a pro ...

Recent Articles

Exploit kits attack vector – mid-year update
Securelist • Vicente Diaz • 01 Aug 2011

It is very interesting to see how short the lifespan of an exploit kit is. Some kits that were once popular and infected thousands of users are no longer being used. Even more interesting is the fact that some old kits make a comeback rearmed with fresh new exploits and reach the top of the rankings in serving malware. However, the most interesting area of study is how current exploits are used and their targets. In order to get some perspective, let's start by analyzing the situation in 2010. T...

More fakeAV for MAC. This time it’s massive
Securelist • Vicente Diaz • 12 May 2011

When my colleague Fabio wrote about a Rogueware campaign targeting MAC users, I investigated a bit into the origin of these campaigns. It was interesting how different researchers were getting those samples through searching images on Google. However, different searches always arrive at the same result, leading to the question: How many search terms have been poisoned? That was an interesting question. But the answer came reading another very interesting research from Unmask Parasites. I recomme...

Osama’s home videos and The ‘Advertising’ Botnet
Securelist • Dmitry Bestuzhev • 08 May 2011

Yesterday the US government released some home videos of Osama Bin Laden in his Pakistani hideout. Screenshots from the video were used for malicious blackhat SEO via Google Images. Many legitimate nginx-based Web sites were attacked and exploited by taking advantage of the CVE-2009-2629 vulnerability. The compromised sites were injected with the following script: It leads to a malicious .cc domain site with an exploit for the CVE-2010-1885 vulnerability (the same vulnerability used recently for...

Malvertizing Continued – Spotify’s Ad Networks Outed
Securelist • Kurt Baumgartner • 26 Mar 2011

Over the past couple months, some advertising networks have been distributing ads that redirect browsers to sites hosting exploits. Spotify’s advertising network was most recently outed (note that it is the third party banner ads rotating through the client’s ad frames). Most of the redirections we have been monitoring have sent users to a variety of servers in the .cc TLD. We have been working with providers to ensure the ads aren’t on their networks, but the groups have been active ...

Japan Quake Spam leads to Malware Part 3
Securelist • Nicolas Brulez • 21 Mar 2011

Last week, we published a blog post regarding the ongoing spam campaign using the recent earthquake in Japan to infect users. This is a follow up blog describing the exploits used. According to our analysis, it seems that the malicious links from the spam emails lead to websites hosting the Incognito Exploit Kit. Here is an interesting picture from the servers hosting the exploit kit: You can see below another example from the spam campaign, this time pretending to be an email from Twitter: The ...

Monthly Malware Statistics, February 2011
Securelist • Vyacheslav Zakorzhevsky • 03 Mar 2011

The following statistics were compiled in February using data from computers running Kaspersky Lab products: February saw considerable growth in the use of Cascading Style Sheets (CSS) that contain partial data for script downloaders, a new method for spreading malware that makes it much harder for many antivirus solutions to detect malicious scripts. This method is currently being used in the majority of drive-by download attacks and allows cybercriminals to download exploits to users’ machin...

IT Threat Evolution for Q3-2010
Securelist • Yury Namestnikov • 17 Dec 2010

The third quarter of 2010 turned out to be more eventful than the preceding quarter. Over 600 million attempts to infect users’ computers with malicious and potentially unwanted programs were blocked during this period; an increase of 10% on the second quarter of this year. Out of all of the objects detected, over 534 million were malicious programs. There was an emergence of ultra-sophisticated malware in this quarter too. This was the first time we have seen malware which used not one, but f...

Cybercrime Raiders
Securelist • Vyacheslav Zakorzhevsky • 12 Oct 2010

The security was tight enough, but the raider knew exactly where the weak point in the system was. He had undergone special training to help him slip unnoticed through loopholes like these and infiltrate the network. The raider creates the loophole that lets others in — spies, thieves or secret agents, who then force the system to operate according to their bosses’ wishes. As long as the loophole stays open… This is not a scene from a computer game, this type of scenario is played out usin...

Monthly Malware Statistics, September 2010
Securelist • Vyacheslav Zakorzhevsky • 05 Oct 2010

Kaspersky Lab presents its malware rankings for September. There are relatively few new malicious programs in either ranking. It is, however, worth highlighting a new ‘bundle’: Trojan-Dropper.Win32.Sality.cx which installs Virus.Win32.Sality.bh to an infected computer. The dropper spreads using a vulnerability in WinLNK files (i.e., Windows shortcuts). It’s also worth noting that in September the number of exploits targeting CVE-2010-1885 (the Windows Help and Support Center vulnerability)...

Monthly Malware Statistics: August 2010
Securelist • Vyacheslav Zakorzhevsky • 01 Sep 2010

In August, there was a significant increase in exploits of the CVE-2010-2568 vulnerability. Worm.Win32.Stuxnet, which notoriously surfaced in late July, targets this vulnerability, as does the Trojan-Dropper program which installs the latest variant of the Sality virus – Virus.Win32.Sality.ag. Unsurprisingly, black hats lost no time in taking advantage of this latest vulnerability in the most commonly used version of Windows. However, on 2 August Microsoft released MS10-046 which provides a pa...

Information Security Threats in the Second Quarter of 2010
Securelist • Yury Namestnikov • 23 Aug 2010

The majority of the biggest malware incidents that took place in the second quarter of 2010 were linked in some way to botnets. New bots were created and existing bots further developed, such as TDSS, an article on which has been published by our virus analysts, and Zbot (ZeuS), which we discuss below. The evolution of the ZeuS (Zbot) Trojan, which is used to build botnets, is worth describing. A new modification of the malicious program was detected in late April. It included file virus functio...

Monthly Malware Statistics July 2010
Securelist • Vyacheslav Zakorzhevsky • 02 Aug 2010

The first Top Twenty list below shows malware, adware and potentially unwanted programs that were detected and neutralized by the on-access scanner when they were accessed for the first time. The first half of this list remained unchanged from last month, with viruses such as Sality and Virut and the infamous Kido worm all maintaining their positions. The second half, however, threw up a few surprises with six new entries. Let’s look at each of them in turn. Worm.Win32.Autoit.xl, in twelfth pl...

The figures behind the headache
Securelist • Alexander Gostev • 05 Jul 2010

The vulnerability in the Windows Help and Support Center (CVE-2010-1885) has been a constant irritation to antivirus experts for the third week in succession. I will try to provide an analysis of the problem with the help of KSN. We first detected samples of the exploit on 10 June and at the time of writing, over 14,000 attacks using CVE-2010-1885 have been registered. The graph above shows the number of detections per day. However, the most important feature is the figure indicating the exploit...

Regular domains beat smut sites at hosting malware
The Register • John Leyden • 30 Jun 2010

99 to 1, study finds

New research pours scorn on the comforting but erroneous belief that Windows surfers who avoid smut and wares on the web are likely to avoid exposure to malware. A study by free anti-virus firm Avast found 99 infected legitimate domains for every infected adult web site. In the UK, Avast found that more infected domains contained the word "London" (such as the blog section of http://kensington-london-hotels.co.uk) than the word "sex". Among the domains labelled as infected by Avast was the sma...