Viruses and Worms

That link you clicked on? Yeah, it's actually Russian

The Register - Anti-Virus - 18 April 2017 - 08:06
Didn't we fix this back in 2005? Apparently not

Click this link (don't fret, nothing malicious). Chances are your browser displays "" in the address bar. What about this one? Goes to "," right?…

Category: Viruses and Worms

Wave of Java-Based RATs Target Tax Filers - 17 April 2017 - 21:13
A rash of Java-based remote access Trojans is targeting tax filers with bogus IRS attachments.
Category: Viruses and Worms

ShadowBrokers’ Windows Zero-Days Already Patched - 17 April 2017 - 20:06
Microsoft eased some anxiety over the latest ShadowBrokers dump of Windows zero days with news that most of the vulnerabilities had already been patched.
Category: Viruses and Worms

VMware Fixes Critical RCE in vCenter Server - 17 April 2017 - 18:05
VMware patched a critical vulnerability in its vCenter Server platform late last week that could have let an attacker execute arbitrary code in some scenarios.
Category: Viruses and Worms

Leaked NSA point-and-pwn hack tools menace Win2k to Windows 8

The Register - Anti-Virus - 15 April 2017 - 01:29
Microsoft claims it has patched most of the exploited bugs

Updated: The Shadow Brokers have leaked more hacking tools stolen from the NSA's Equation Group – this time four-year-old exploits that attempt to hijack venerable Windows systems, from Windows 2000 up to Server 2012 and Windows 7 and 8.…

Category: Viruses and Worms

ShadowBrokers Expose NSA Access to SWIFT Service Bureaus - 14 April 2017 - 23:08
The latest ShadowBrokers dump includes exploits that allowed the NSA to target SWIFT data managed by outsourced service bureaus in the Middle East.
Category: Viruses and Worms

All ready for that Easter holiday? Here's a mild MySQL security bug

The Register - Anti-Virus - 14 April 2017 - 21:54
Panic over the Riddle flaw – or just update to version 5.7. Your choice. We're not your dad

A programming blunder has been uncovered in Oracle's MySQL that can potentially leak usernames and passwords to man-in-the-middle eavesdroppers.…

Category: Viruses and Worms

Google Making Life Difficult for Ransomware to Thrive on Android - 14 April 2017 - 16:00
At the Kaspersky Lab Security Analyst Summit, Android Security Team malware analyst Elena Kovakina explained Google’s strategy for countering ransomware on Android.
Category: Viruses and Worms

Threatpost News Wrap, April 14, 2017 - 14 April 2017 - 15:00
Mike Mimoso, Tom Spring, and Chris Brook recap Infiltrate Con in Miami last week and Kaspersky Lab's Security Analyst Summit in St. Maarten.
Category: Viruses and Worms

Stories From Two Years in an IoT Honeypot - 14 April 2017 - 14:00
A researcher at this year's Security Analyst Summit staged a series of honeypots at his friends’ houses to record IoT traffic, exploit attempts and other statistics.
Category: Viruses and Worms

Exploit Kit Activity Quiets, But Is Far From Silent - 14 April 2017 - 12:00
Here are the exploit kits to watch for over the next three to six months.
Category: Viruses and Worms

Sysadmin 'trashed old bosses' Oracle database with ticking logic bomb'

The Register - Anti-Virus - 14 April 2017 - 09:04
Always ensure the office laptop gets returned

A systems administrator is being sued by his ex-employer, which has accused the IT bod of planting a ticking time-bomb on the company's servers to wipe crucial data.…

Category: Viruses and Worms

Linux remote root bug menace: Make sure your servers, PCs, gizmos, Android kit are patched

The Register - Anti-Virus - 14 April 2017 - 03:25
Ping of pwn: Malicious UDP packets may take over gear

A Linux kernel flaw that potentially allows miscreants to remotely control vulnerable servers, desktops, IoT gear, Android handhelds, and more, has been quietly patched.…

Category: Viruses and Worms

FDA Demands St. Jude Take Action on Medical Device Security - 13 April 2017 - 20:19
The FDA sent Abbott Laboratories a warning letter citing that it had inadequately addressed the security of the maligned Merlin@home Transmitter.
Category: Viruses and Worms

‘High Risk’ Zero Day Leaves 200,000 Magento Merchants Vulnerable - 13 April 2017 - 18:51
A popular version of the Magento ecommerce platform is vulnerable to a remote code execution bug, putting as many as 200,000 online retailers at risk.
Category: Viruses and Worms

Cerber surpasses Locky to become dominant ransomware menace

The Register - Anti-Virus - 13 April 2017 - 18:30
Ransomware-as-a-Service is a hit with the tech illiterate

Cerber eclipsed Locky as the most common ransomware pathogen doing the rounds in the first three months of 2017.…

Category: Viruses and Worms

Android malware creators throw up a roadblock to thwart the good guys

Sophos Naked Security - 13 April 2017 - 18:15
Security practitioners often use emulators to dig into Android malware. So what happens when the bad guys work out how to spot that?

Google joins the efforts to halt the spread of fake news

Sophos Naked Security - 13 April 2017 - 16:55
Tech giants' efforts to identify dubious stories are helpful, but the onus still lies with users

Callisto Group snoopers wreak havoc with leaked HackingTeam spyware

The Register - Anti-Virus - 13 April 2017 - 16:30
Surveillance firm's toolset goes rogue in hands of cyberspooks

Leaked HackingTeam spyware was used by a cyber-spy group to collect intelligence.…

Category: Viruses and Worms

The security is still secure

Kaspersky Securelist - 13 April 2017 - 15:49

Recently WikiLeaks published a report that, among other things, claims to disclose tools and tactics employed by a state-sponsored organization to break into users’ computers and circumvent installed security solutions.

The list of compromised security products includes dozens of vendors and relates to the whole cybersecurity industry. The published report includes a description of vulnerabilities in software products that can be used to bypass protection and jeopardize users’ security.

Customers’ security is a top priority for Kaspersky Lab, and as such we take any information that could undermine users’ protection very seriously. We thoroughly investigate all reported vulnerabilities.

The published report contains descriptions of two vulnerabilities in Kaspersky Lab’s products that have already been fixed. It also includes a number of mentions related to the company’s technologies and past Advanced Persistent Threat (APT) research. I’d like to take this opportunity to address possible concerns regarding the report and provide reliable first-hand information to demonstrate that no current Kaspersky Lab products and technologies are vulnerable.

Vulnerabilities in security solutions

First of all, I’d like to emphasize that the vulnerabilities in Kaspersky Lab’s products listed in the report are related to older versions of the products, and they were publicly disclosed and fixed some time ago. The current versions of our products are not vulnerable to the tools and tactics listed.

The “heapgrd” DLL injection vulnerability was discovered and fixed in Kaspersky Lab products back in 2009. The vulnerability allowed a malefactor to load a third-party DLL in place of the WHEAPGRD.dll file and thus bypass protection. It was patched starting with Kaspersky Internet Security 9 and Kaspersky Antivirus for Workstations MP4. The products mentioned in relation to this vulnerability (Kaspersky Internet Security 7 and 8 and Kaspersky Antivirus for Workstations MP3) are outdated and no longer supported. All current Kaspersky Lab solutions are subject to mandatory testing against these vulnerabilities prior to release.

The TDSS Killer DLL injection vulnerability mentioned in the WikiLeaks report was fixed in 2015.

Product behavior specifics

The report also says Kaspersky Lab’s security solutions do not block DLL injections into user processes and svchost.exe. In fact, we do protect against this sort of attack — in a smarter way that elegantly combines protection and a better user experience.

Nowadays, it’s common practice for legitimate applications to inject their code into user processes. To effectively distinguish legitimate from malicious actions, track changes, and restore unwanted amendments an application may make to the system, Kaspersky Lab’s products have included the System Watcher component since 2011. System Watcher monitors all processes on a device, including svchost.exe, and is capable of detecting malicious behavior, blocking it, and rolling back malicious changes.

The report also describes several tools and malicious programs that were used to collect data and infiltrate the users’ computers. However, all of them can be neutralized with Kaspersky Lab’s products. Let’s take a closer look at them.

First, the RickyBobby fileless Trojan is allegedly not detected by Kaspersky Lab’s products, which is not the case. All personal and enterprise level products can detect this Trojan, prevent the infection, and disinfect a system that was protected by a third-party or outdated security solution.

Second, the report mentions two other malware samples (Fine Dining and Grasshopper) that allegedly are not detected by Kaspersky Lab’s products. However, the report doesn’t provide further details of the malware. We will keep investigating the issue and report the findings as soon as details are available.

That said, we are skeptical: Fine Dining is said to rely on the aforementioned DLL injection vulnerability in TDSS Killer, which is already fixed. It is also worth mentioning that Kaspersky products provide multiple layers of protection, such as emulation, heuristics, System Watcher, and Automatic Exploit Prevention, including layers powered by industry-leading machine learning. These technologies are capable of detecting cyberthreats proactively based on their behavior and are constantly improved to address new techniques employed by malicious actors. Our analysis of the report makes us optimistic that our customers are already protected against both Fine Dining and Grasshopper.

Third, the report mentions HammerDrill, API Memcry, and Trojan Upclicker, which use a variety of techniques to try to avoid detection by the emulator technology.

The history of Kaspersky Lab’s emulator dates back to the early 1990s. It is rated one of the best in the cybersecurity industry, and it is continuously improved. For example, the functionality to address the described Trojan Upclicker cloaking method was included in the emulator more than a year ago. The other two tools are effectively handled by the multilayer protection available in Kaspersky Lab’s products for both home users and enterprise customers.

Fourth, the report mentions an MBR File Handle component that is able to circumvent security solutions’ drivers and thus upload malware into the Master Boot Record of the operating system.

In fact, this trick is foiled by the antirootkit technology included in Kaspersky Lab products, which enables them to reliably detect and remove infections — even the most advanced bootkits.

Fifth, another tool mentioned in the report is the Bartender program, which collects data on installed software. This functionality is not malicious and is used by many legitimate applications. However, Kaspersky Lab’s products do provide protection against such activity should a user select the high security level setting.

Fun facts

The other two mentions of Kaspersky Lab in the context of malware creation are actually fun facts.

First, the tool called DriftingShadows checks if Kaspersky Lab’s products are installed on the device, and if it finds them, it does … nothing. This means that the malware creators failed to sneak past our products. They now avoid protected devices so that their malware doesn’t get caught.

Second, the documents also describe a game called “Bonus: Capture the Flag” played among malware creators. It involves attempts to create a malware sample that bypasses Kaspersky Lab’s protection. In other words, malefactors consider our products a gold standard of cybersecurity.

Investigating the existing report thoroughly, we found two vulnerabilities and several other mentions of Kaspersky Lab, including discussions regarding our reports on the Duqu 2.0 and Equation cyberespionage campaigns. Both vulnerabilities were fixed quite some time ago and pose no threat to our customers. The same goes for the other malicious tools and techniques mentioned.

However, we are staying vigilant and continuously monitoring the situation. WikiLeaks may yet publish more details. In any case, we’d like to reassure customers that addressing any possible vulnerabilities will be our top priority.

No development process guarantees immediate, perfect, permanent invincibility. We are committed to constantly improving the development process, and we also make significant efforts to perfect the process of fixing newly discovered vulnerabilities.
