Tag: malware

In the last few days we observed a number of new attacks targeting the Polish Android users. Many Polish and foreign blogs reported the phishing e-mails using Kaspersky brand to convience user to install an apk file. Below some details of this attack, including the malware analysis, are provided. Thanks to the cooperation of different actors, C&C server was taken down very quickly. Malware moved to the new C&C and changed its infection vectors. Below we also describe the new (though some may call it vintage) infection vector utilizing the BitTorrent network. We are sure that all of these attacks are performed by the same person or a group that created the VBKlip in the .NET version.
Read more

AutoIt scripts use becomes more and more fashionable for malware obfuscators, cryptors and alike. Especially among the not-so-sophisticated malicious software. Recently we described the phishing attack targeted at Polish users using Booking.com and Allegro.pl. This attacked used AutoIt script (called RazorCrypt) in one of its stages in order to pack the final malware. We observed a somewhat similar campaign (although there are no conclusions about the authors this time) that also used a very interesting AutoIt script and also was targeting Polish users of an auction website Allegro.pl.
Read more

During the last few days, we have observed an attack on Polish users of auction website Allegro.pl and a hotel reservation portal – Booking.com. These attacks were directed at Polish users. Victims received a personalized e-mail that informed them that their account has been blocked either due to the outstanding fees or due to the inappropriate auction content. In case of Booking.com users were led to believe that they made a reservation and an invoice for that reservation is included in the e-mail message. Both campains had nearly identical infection schemes, which makes it very likely that they were performed by the same person or group.
Read more

On multiple occasions we informed about a new threat to Polish online banking users, which we named VBKlip. This is a new kind of malware that substitutes the bank account number that has been copied to the clipboard. This works when we try to, e.g. pay a bill, and we copy the bank account number to paste it to the online banking wire transfer page. Instead of paying the bill we send that money to the attacker. In this article, we publish a detailed analysis of this threat. We consider it a serious threat, because we constantly receive reports from users that they have been infected with it and their money has been stolen.

Read more

We have published our annual report, describing CERT Polska activities in 2013. The highlights of the document are: our botnets takeover summary, our malware analyses results, stopping rogue registrar Domain Silver Inc. and results of botnet sizes estimations done using new methodology.
Read more

Annual CERT Polska report will soon be available on our website for download. This year we decided not only to include statistical data (which will be moved to a separate section), but also describe trends and events that were important according to us and were observed in the last year. While you wait for the report, you can read a short fragment of the report below. It contains a description of the method we used to estimate the botnet size and results of this estimations. Some of the referenced material has been removed to improve readability, but it will be available in the final version of the report.

Read more

We recently blogged about a new strain of malware called VBKlip. This malware was aimed at Polish online banking users. In the last few days a new, revised version of this malware has resurfaced. This new version is written in .NET and has a few new ideas which seem to result in the fact that none of the three samples we were able to obtain were detected by any of the antivirus solutions present on VirusTotal. This is what makes this threat especially dangerous to the users. The new malware spreads as “Adobe Flash Player” and has an icon as the one on the left.
Read more

The E-Security mobile malware appeared at the beginning of this year. This malware was targeting Polish online banking users, with the goal of stealing One Time Passwords (OTPs) used to confirm banking transactions. The attack was part of a bigger scheme. When the user computer was infected, it displayed an installation message when a user tried to log in to online banking website. This message instructed the user to install a mobile “certificate” app called “E-Security”. Recently this E-Security app was switched to a new one – more powerful and more dangerous, but essentially made for the same purpose – to steal OTPs sent via text messages to unknowing users.
Read more

At the beginning of December we started to observe a new botnet spreading on both Linux and Windows machines. In case of the Linux operating systems, the bot was installed through an SSH dictionary attack. The attacker logged in to compromised server and simply downloaded and executed a bot file. The malware itself is relatively simple – its only functionality is to perform DDoS attacks, mainly DNS Amplification. There is also a version targeting the Windows operating system, which installs a new service in order to gain persistence. The antivirus detectability is fairly high for Windows version: 34/48, while the Linux version is detected by only a couple of antivirus solutions: 3/47.
Read more

On the 31st of October Google released a new version of the Android Operating System – 4.4 called KitKat. This version introduces a number of new features, including a handful of security improvements. It also introduces a new approach to SMS and MMS handling, which breaks the compatibility of some Android malware and makes it easier for users to spot a malware infection. This security improvement comes as a side effect to the new system-wide approach to messaging applications.
Read more