In March, Kaspersky Lab experts detected a unique malicious attack which used malware capable of operating without creating files on infected systems. An investigation by Kaspersky Lab showed that Russian media websites using the AdFox teaser system on their pages were unwittingly infecting visitors. While downloading the news teaser, the user’s browser was secretly redirected to a malicious website containing a Java exploit. “This is the first time in years that we have come across this rare kind of malware – so-called ‘fileless’ malicious programs,” explains Alexander Gostev, Chief Security Expert at Kaspersky Lab. “The fact that they only operate in the infected computer’s RAM makes it much harder for antivirus solutions to detect them. This incident was targeting Russian users, but the same exploit and fileless bot may well be used against users in other parts of the world as they can be distributed via similar banner or teaser networks in other countries.”
Kaspersky Lab’s investigation into the Duqu Trojan is into its sixth month, and March brought further progress as the company’s experts were able to establish which language was used in its Framework code. This discovery was made with the help of the international IT community which sent in several hundred possible explanations and hypotheses. The Duqu Framework was written in C and compiled with MSVC 2008 with the options “/O1” and “/Ob1”. Meanwhile, the Duqu creators are not resting on their laurels: in March a new driver was detected in the wild which was practically identical to those used earlier in Duqu. The previous drivers had been created on 3 November 2010, and 17 October 2011, and the new driver was created on 23 February 2012. It seems whoever is behind Duqu went back to work after just a four-month break.
Kaspersky Lab, in cooperation with the CrowdStrike Intelligence Team, Dell SecureWorks and the Honeynet Project, performed a major operation to disable the second Hlux/Kelihos botnet in March. The researchers call this botnet Kelihos.B to indicate that it was created using the second, modified variant of the original bot. A dedicated sinkhole-router was introduced into the botnet, allowing the company’s experts to take control of the bots away from the botnet owners and stop them from operating.
Fans of Google’s web browser also need to be careful. At the beginning of the month Kaspersky Lab experts detected yet another malicious extension for Google Chrome. This time it targeted Facebook users in Brazil. However, there is no reason why cybercriminals couldn’t stage a similar attack on users elsewhere. Malicious extensions were spread on Facebook via links that appeared to be for legitimate applications. If a user opted to install the app, he was redirected to the official Google Chrome web store, where the malicious extension for Chrome presented itself as “Adobe Flash Player”. After the malicious extension was installed on a computer, the perpetrators gained full access to the victim’s Facebook account. Google deleted the malware as soon as they were informed about it. However, criminals have already created similar extensions and placed them at the same place – the Google Chrome web store.
Mac OS threats
This month brought unprecedented malware activity on Mac OS. The most prominent case was the distribution of spam to addresses of Tibetan organisations. This spam contained links to a Java exploit designed to install malicious programs on users’ computers: Backdoor.OSX.Lasyr.a on Mac OS users’ computers and Trojan.Win32.Inject.djgs on Windows users’ computers. This exploit infected the computers of Mac OS X users with the malicious program Backdoor.OSX.MaControl.a. Also in March, a new modification of the malicious program Backdoor.OSX.Imuler was detected. Malicious programs belonging to this family are spread under the cover of files with seemingly safe extensions. During the March attack, cybercriminals distributed spam containing malicious files that were masked as erotic images with .JPG extensions. Another first in March was malicious programs using Twitter as a command and control server. To distribute these malicious programs, cybercriminals used 200,000 hacked WordPress blogs.
The mobile threat segment saw the arrival of a completely new type of banking Trojan for Android. In the past there have been other Trojans capable of stealing mobile transaction authentication numbers (mTANs), which banks send to customers’ mobile phones via SMS. In mid-March a piece of mobile malware was detected that could steal not only text messages containing mTANs but also the credentials (login and password) used for online banking authentication.
The full version of the Monthly Malware Review for March 2012 can be viewed at Securelist.com.