CVE-2011-3544

In early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee’s home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were tr...

'Panda Emissary' group has an appetite for defence projects

Black Hat 2015 An alleged Chinese advanced hacking group has been found cherry-picking data from high-profile governments and corporations, p0wning many within six hours according to Dell researchers. The group, codenamed TG-3390 or Panda Emissary, is thought to operate from China and have an appetite for defence-related aerospace projects. Its techniques mean domain credentials and multiple systems are compromised with six hours of gaining access to an environment. Watering holes are the group'...

Based on the analysis of known cases, we identified two main ways through which Backdoor.Win32.Sputnik infects the victims. Both methods rely on spear-phishing e-mails which are sent to the prospective victims. The e-mails contain an attachment which is either an Excel or Word document, with enticing names. In addition to Office documents (CVE-2009-3129, CVE-2010-3333, CVE-2012-0158), it appears that the attackers also inf...

Since the publication of our report, our colleagues from Seculert have discovered and posted a blog about the usage of another delivery vector in the Red October attacks. In addition to Office documents (CVE-2009-3129, CVE-2010-3333, CVE-2012-0158), it appears that the attackers also infiltrated victim network(s) via Java exploitation (MD5: 35f1572eb7759cb7a66ca459c093e8a1 – ‘NewsFinder.jar’), known as the ‘Rhino’ exploit (CVE-2011-3544). We know the early February 2012 timeframe that ...

New Java exploit can be yours for $5,000

Unpatched Java installations may have helped spread the malware responsible for the recently uncovered "Red October" cyber-spying campaign, researchers at Seculert have revealed. Kaspersky Labs first disclosed the existence of Red October on Monday, claiming that the program had been responsible for attacks on systems in Eastern European countries, former Soviet republics, and Central Asian nations over the last five years. The primary vectors used to install the malware were emails containing a...

In October 2012, Kaspersky Lab’s Global Research & Analysis Team initiated a new threat research after a series of attacks against computer networks of various international diplomatic service agencies. A large scale cyber-espionage network was revealed and analyzed during the investigation, which we called “Red October” (after famous novel “The Hunt For The Red October”). This report is based on detailed technical analysis of a series of targeted attacks against diplomatic, govern...

Market share! It’s an easy answer, but not the only one. In 2011, Apple was estimated to account for over 5% of worldwide desktop/laptop market share. This barrier was a significant one to break – Linux maintains under 2% market share and Google ChromeOS even less. This 15 year peak coincided with the first exploration by the aggressive FakeAv/Rogueware market targeting Apple computers, which we discovered and posted in April 2011 and later in May 2011, which no longer seem to be such an odd...

The investigation into the Duqu Trojan is into its sixth month, and March brought further progress as we were able to establish which language was used for its Framework code. This discovery was made with the help of the international IT community, from which we received several hundred possible explanations and hypotheses. The Duqu Framework was written in C and compiled with MSVC 2008 with the options “/O1” and “/Ob1”. Its creators most probably used the object-oriented extension of th...

Infected machines, not blank-eyed shuffling fanbois

The Mac-specific Flashback Trojan created a zombie army of 550,000 Mac machines by exploiting a Java hole that Apple only patched on Tuesday, six weeks after Microsoft plugged it up on Windows machines. This is according to Russian anti-virus firm Dr Web, which arrived at the figure after it successfully managed to sinkhole one of the command-and-control servers used to control Mac machines hit by the latest attack. The legions of compromised zombies were mostly located in the US (56.6 per cent,...

On 20 March, we detected a spam campaign targeting passengers of US Airways. Almost the entire week cybercriminals were sending users the following email allegedly from US Airways: There is a brief description of the check-in procedure and a confirmation code is provided for online reservation. The criminals are obviously banking on any recipients flying on the flight mentioned in the email clicking on the link “Online reservation details”. Different emails contained different links — for ...

On 20 March, Russian law enforcement agencies announced the arrest of a cybercriminal gang involved in stealing money using the Carberp Trojan. This is very good news, but unfortunately does not mark the end of the Carberp story. Evidently, those arrested were just one of the criminal gangs using the Trojan. At the same time, those who actually developed Carberp are still at large, openly selling the Trojan on cybercriminal forums. Here is a recent offer for the ‘multifunctional bankbot’, wh...

Exploit found in Russian adware invades process, doesn't install files

Researchers at Kaspersky Labs have found malware which, unusually, does not install any files on its victims PCs. The researchers aren’t quite sure how unusual it is, describing it as both “unique” and “very rare”, but no matter how scarce this type of malware is it does sound rather nasty as it “… uses its payload to inject an encrypted dll from the web directly into the memory of the javaw.exe process.” That mode of operation means Windows and MacOS are both affected by the exp...

In early March, we received a report from an independent researcher on mass infections of computers on a corporate network after users had visited a number of well-known Russian online information resources. The symptoms were the same in each case: the computer sent several network requests to third-party resources, after which, in some cases, several encrypted files appeared on the hard drive. The infection mechanism used by this malware proved to be very difficult to identify. The websites use...

This is not the first time the HLUX botnet has been mentioned in this blog, but there are still some unanswered questions that we’ve been receiving from the media: What is the botnet’s sphere of activity? What sort of commands does it receive from malicious users? How does the bot spread? How many infected computers are there in the botnet? Before answering the questions it’s important to clarify that the HLUX botnet we previously disabled is still under control and the infected machines a...

On 3 December, we noted a rapid growth in the number of detections for exploits targeting the vulnerability CVE-2011-3544 in Java virtual machine. The vulnerability was published on 18 October, but malicious users have only recently begun to make active use of it. It can be used by exploits in drive-by attacks to download and launch malicious programs. Number of unique detections of Exploit.Java.CVE-2011-3544 According to KSN data, most of the exploits targeting CVE-2011-3544 are used in the Bla...