Home   Blog   Twitter   Database  

US spied on Japanese PM Abe, Mitsubishi, and so much more

WikiLeaks exposes blanket snooping on Asian powerhouse

The NSA spied on Japan's prime minister, central bank, finance ministry and major corporations, such as the natural gas division of Mitsubishi, according to documents released today.…

Posted: 31 Jul 2015 | 5:08 am


It's #SophosRetroWeek - so take a trip with us down IT memory lane as we say "Thanks, IT, and Happy Sysadmin Day."

Posted: 31 Jul 2015 | 4:08 am

MMS Not the Only Attack Vector for “Stagefright”

Earlier this week Zimperium zLabs revealed an Android vulnerability which could be used to install malware on a device via a simple multimedia message. This vulnerability, now known as Stagefright, has gained a lot of attention for the potential attacks it can cause. Stagefright makes it possible, for example, for an attacker to install a spyware app in a targets phone without their knowledge just by sending an MMS.

Versions of Android from 4.0.1 to 5.1.1 are affected; this represents 94.1% of all Android devices in use today.

We independently discovered this vulnerability as well; this blog post will disclose more details about this particular flaw.

Vulnerability analysis

Like the previous Android vulnerability we found, this vulnerability is in the mediaserver component, which is responsible for handling open media files.

The version of mediaserver in the vulnerable versions cannot correctly handle a malformed MP4 file. When such a MP4 file is introduced into mediaserver, it may trigger a heap overflow and overwrite data in the heap. This can lead to code execution, which may lead to an app being downloaded onto the device.

The root cause of the vulnerability is an integer overflow when parsing an MP4 file, causing memory to be written out of the buffer. Specifically, it occurs when mediaserver it parses tx3g-flagged data; this is normally used to provide text subtitles.

The affected code can be found in frameworks/av/media/libstagefright/MPEG4Extractor.cpp:

1890         case FOURCC('t', 'x', '3', 'g'):
1891         {
1892             uint32_t type;
1893             const void *data;
1894             size_t size = 0;
1895             if (!mLastTrack->meta->findData(
1896                     kKeyTextFormatData, &type, &data, &size)) {
1897                 size = 0;
1898             }
1899             //
For example,fist time chunk_size == 0x100000,second time chunk_size == 0xFFF00001. Then 0x100000 + 0xFFF00001 = 1, allocate 1 byte indeed.
1900             uint8_t *buffer = new (std::nothrow) uint8_t[size + chunk_size];
1901             if (buffer == NULL) {
1902                 return ERROR_MALFORMED;
1903             }
1905             if (size > 0) {
1906                 memcpy(buffer, data, size);//
Still writes 0x100000 bytes in 1 byte buffer
1907             }
1909             if ((size_t)(mDataSource->readAt(*offset, buffer + size, chunk_size))
1910                     < chunk_size) {
1911                 delete[] buffer;
1912                 buffer = NULL;
1914                 // advance read pointer so we don't end up reading this again
1915                 *offset += chunk_size;
1916                 return ERROR_IO;
1917             }
1919             mLastTrack->meta->setData(
1920                     kKeyTextFormatData, 0, buffer, size + chunk_size);
1922             delete[] buffer;
1924             *offset += chunk_size;
1925             break;
1926         }


Proof-of-concept demonstration

We tested three scenarios which can be used to attack mediaserver. WE used the adb shell top | grep mediaserver command to the process; we can see that because mediaserver‘s PID (Process Identification Number) changed, the process crashed and restarted.

Scenario #1: Attack from an Application

Here, we demonstrate how this vulnerability can be exploited from within an app. The specially crafted MP4 file will cause mediaserver‘s heap to be destroyed or “exploited”. Here it only crashes, but an attacker can construct a specific data block to fill the heap and gain control of the execution flow.

Figure 1. Debugging output of mediaserver crashes

Scenario #2: Attack from URL

We embedded the same malformed MP4 file (named mp4.mp4) into an HTML file as below, which is then uploaded to a web server. When using the built-in WebView in Android 5.1.1 (as used by the Twitter app) to access the website, the same problems seen in scenario #1 happen.

Figure 2. HTML code for embedding MP4 file

In addition, even though the mobile Chrome browser disables preloading and autoplay of videos embedded with the <video> tag, the malformed file still causes the mediaserver heap overflow. Somehow this limitation has been bypassed.

Scenario #3: Attack from MMS messages

This particular scenario is the one that has received a great deal of attention. We can attach this MP4 file to a MMS and send it to victim’s phone. On our test device (a Nexus 6 running Android 5.1.1), the mediaserver process crashed twice when it received the MMS. This method is particularly dangerous as it involved no user interaction: the mere act of sending the file is sufficient to target the vulnerable device.

Figure 3. Attaching the malformed mp4 file to a MMS message

This vulnerability is fairly potent as it can be effectively controlled by the attacker, which means he can decide when to start the attack and also when to stop. The mediaserver deals with multimedia-related tasks, such as opening and reading MP4 files, decoding/encoding an MPEG4 stream, taking a picture, record the video/audio/screen, read/write pictures and videos from/to the SD card, and so on. An attacker would be able to run their code with the same permissions that mediaserver already has as part of its normal routines.

Users have relatively little recourse to deal with this threat.  They may not even be able to detect this threat, given that the initial compromise (the MMS message) doesn’t appear to be malicious in any way. Users can disable the autofetch of MMS content, which will mean that the user will have to open the MMS message before any attack.

A patch has been delivered by Google, but when it will arrive to user devices depends on the device OEMs. In addition, customized Android versions that did not modify mediaserver are also at risk. We will continuously monitor for the existence of new threats that target this vulnerability.

On-device security solutions like Trend Micro Mobile Security can add a layer of protection against threats like these as well.

Disclosure Timeline

We responsibly disclosed this vulnerability to Google, and this is the timeline of our exchanges with them:


Posted: 31 Jul 2015 | 2:25 am

IT threat evolution Q2 2015


Q2 in figures


Targeted attacks and malware campaigns

Monkey business

Recently we published our analysis of CozyDuke, yet another cyber-espionage APT from the ‘Duke’ family – which also includes MiniDuke, CosmicDuke and OnionDuke. CozyDuke (also known as ‘CozyBear’, ‘CozyCar’ and ‘Office Monkeys’) targets government organisations and businesses in the US, Germany, South Korea and Uzbekistan.

IT threat evolution Q2 2015

The attack implements a number of sophisticated techniques, including encryption, anti-detection capabilities and a well-developed set of components that are structurally similar to earlier threats within the ‘Duke’ family.

However, one of CozyDuke’s most notable features is its use of social engineering to get an initial foothold in targeted organisations. Some of the attackers’ spear-phishing emails contain a link to hacked web sites – including high-profile, legitimate sites – that host a ZIP archive. This archive contains a RAR SFX that installs the malware while showing an empty PDF as a decoy. Another approach is to send out fake flash videos as email attachments. A notable example (which also gives the malware one of its names) is ‘OfficeMonkeys LOL Video.zip’. When run, this drops a CozyDuke executable on to the computer, while playing a ‘fun’ decoy video showing monkeys working in an office. This encourages victims to pass the video around the office, increasing the number of compromised computers.

It is necessary to make staff education a core component of any business security strategy #KLReport


The successful use of social engineering to trick staff into doing something that jeopardises corporate security – by CozyDuke and many other targeted attackers – underlines the need to make staff education a core component of any business security strategy.

Naikon: gathering geo-political intelligence

In May we published our report on the Naikon APT. Naikon is used in campaigns against sensitive targets in South-eastern Asia and around the South China Sea. The attackers seem to be Chinese-speaking and have been active for at least five years, focusing their attention on top-level government agencies and civil and military organizations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos and China.

IT threat evolution Q2 2015

As with so many campaigns of this kind, the attackers use spear-phishing emails to trick unsuspecting staff into loading the malware. Emails include an attached file containing information likely to be of interest to the victim. The file seems to be a standard Word document, but it is really an executable with a double extension, or an executable that uses the RTLO (right to left override) mechanism to mask the real extension of the file. If the victim clicks on the file, it installs spyware on the computer while displaying a decoy document to avoid arousing suspicion.

The attackers use spear-phishing emails to trick staff into loading malware #KLReport


Naikon’s main module is a remote administration tool: this module supports 48 commands to exercise control over infected computers. These include commands to take a complete inventory, download and upload data, and install add-on modules. In addition, Naikon sometimes uses keyloggers to obtain employees’ credentials.

Each target country is assigned its own operator, who is able to take advantage of local cultural features – for example, the tendency to use personal email accounts for work. They also made use of a specific proxy server within a country’s borders, to manage connections to infected computers and transfer data to the attackers’ Command-and-Control (C2) servers.

You can find our main report and follow-up report on our web site.

Spying on the spies

While researching Naikon, we uncovered the activities of the Hellsing APT group. This group focused mainly on government and diplomatic organisations in Asia – most victims are located in Malaysia and the Philippines, although we have also seen victims in India, Indonesia and the US.

IT threat evolution Q2 2015

In itself, Hellsing is a small and technically unremarkable cyber-espionage group (around 20 organisations have been targeted by Hellsing). What makes it interesting is that the group found itself on the receiving end of a spear-phishing attack by the Naikon APT group – and decided to strike back! The target of the email questioned the authenticity of the email with the sender. They subsequently received a response from the attacker, but didn’t open the attachment. Instead, shortly afterwards they sent an email back to the attackers that contained their own malware. It’s clear that, having detected that they were being targeted, the Hellsing group was intent on identifying the attackers and gathering intelligence on their activities.

Hellsing found itself on under a spear-phishing attack by the Naikon APT group – and struck back #KLReport


In the past, we’ve seen APT groups accidentally treading on each other’s toes – for example, stealing address books from victims and then mass-mailing everyone on each of the lists. But an ATP-on-APT attack is unusual.

Grabit and run

Many targeted attack campaigns focus on large enterprises, government agencies and other high-profile organisations. So it’s easy to read the headlines and imagine that such organisations are the only ones on the radar of the attackers. However, one of the campaigns we reported last quarter showed clearly that it’s not only ‘big fish’ that attackers are interested in. Every business is a potential target – for its own assets, or as a way of infiltrating another organisation.

The Grabit cyber-espionage campaign is designed to steal data from small- and medium-sized organisations – mainly based in Thailand, Vietnam and India, although we have also seen victims in the US, UAE, Turkey, Russia, China, Germany and elsewhere. The targeted sectors include chemicals, nanotechnology, education, agriculture, media and construction. We estimate that the group behind the attacks has been able to steal around 10,000 files.

The malware is delivered in the form of a Word document attached to an email. The document contains a malicious macro named ‘AutoOpen’. This macro opens a socket over TCP and sends an HTTP request to a remote server that was hacked by the group to serve as a malware hub. Then the program used to carry out the spying operation is downloaded from this server. In some cases, the macro is password protected (the attackers seem to have forgotten that a DOC file is actually an archive; and when it’s opened in an editor, macro strings are shown in clear-text). The attackers control compromised computers using a commercial spying tool called HawkEye (from HawkEyeProducts). In addition, they use a number of Remote Administration Tools (RATs).

The attackers have implemented some techniques designed to make Grabit hard to analyze,, including variable code sizes, code obfuscation and encryption. On the other hand, they fail to cover their tracks in the system. The result is a ‘weak knight in heavy armor’, suggesting that the attackers didn’t write all the code themselves.

The return of Duqu

In spring 2015, during a security sweep, Kaspersky Lab detected a cyber-intrusion affecting several internal systems. The full-scale investigation that followed uncovered the development of a new malware platform from one of the most skilled, mysterious and powerful groups in the APT world – Duqu, sometimes referred to as the step-brother of Stuxnet. We named this new platform ‘Duqu 2.0′.

The malware platform was designed to survive almost exclusively in the memory of infected systems. #KLReport


In the case of Kaspersky Lab, the attack took advantage of a zero-day vulnerability in the Windows kernel (patched by Microsoft on 9 June 2015) and possibly up to two others (now patched) that were also zero-day vulnerabilities at the time. The main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes.

However, Kaspersky Lab was not the only target. Some Duqu 2.0 infections were linked to the P5+1 events related to negotiations with Iran about a nuclear deal. The attackers appear to have launched attacks at the venues for some of these high-level talks. In addition, the group launched a similar attack related to the 70th anniversary event of the liberation of Auschwitz-Birkenau.

One of Duqu 2.0’s most notable features was its lack of persistence, leaving almost no traces in the system. The malware made no changes to the disk or system settings: the malware platform was designed in such a way that it survives almost exclusively in the memory of infected systems. This suggests that he attackers were confident that they could maintain their presence in the system even if an individual victim’s computer was re-booted and the malware was cleared from memory.

The Duqu 2.0 technical paper and analysis of the persistence module can be found on our web site.

Malware stories

Simda’s hide-and-seek malware business

In April, Kaspersky Lab was involved in the take-down of the Simda botnet, co-ordinated by the Interpol Global Complex for Innovation. The investigation was started by Microsoft and expanded to other participants, including Trend Micro, the Cyber Defense Institute, officers from the Dutch National High Tech Crime Unit (NHTCU), the FBI, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Russian Ministry of the Interior’s Cybercrime Department “K” supported by the INTERPOL National Central Bureau in Moscow.

As a result of the operation, 14 servers in the Netherlands, the US, Luxembourg, Poland and Russia were taken down. Preliminary analysis of some of the sink-holed server logs revealed 190 countries that had been affected by the botnet.

Preliminary analysis revealed 190 countries that had been affected by the Simda botnet. #KLReport


The bots are distributed via a series of infected web sites that re-direct visitors to exploit kits. The bots download and run additional components from their own update servers and are able to modify the hosts file on the infected computer: in this way, once-infected computers can keep sending out HTTP requests to the malicious servers, indicating that they are still vulnerable to re-infection using the same exploit kits.

Although the Simda botnet is relatively large, with an estimated 770,000 infected computers, the authors went to great lengths to try and make it ‘fly under the radar’ of anti-malware systems. The malware is able to detect emulation, security tools and virtual machines; it uses a number of methods to detect research sandbox environments with a view to tricking researchers by consuming all CPU resources or notifying the botnet owner about the external IP address of the research network; and it implements server-side polymorphism.

Simda also de-activates itself after a short time. This is closely related to the purpose of this particular botnet: it’s a delivery mechanism, designed to disseminate potentially unwanted and malicious software. The distributors wanted to guarantee that only their client’s malware would be installed on infected computers.

Kaspersky Lab products currently detect hundreds of thousands of modifications of Simda, together with many different third-party malicious programs distributed using the Simda botnet. You can use our free Simda bot IP scanner to check if your IP has connected to a Simda C2 server in the past.

Phishing, but not as we know it

Early in 2014 a serious vulnerability in the OAuth and OpenID protocols was discovered by Wang Jing, a PHD student at the Nanyang Technological University in Singapore. He found what he named the ‘covert redirect’ vulnerability, which could allow an attacker to steal data following authentication (a summary of the problem, including a link to Jing’s blog, can be found on Threatpost).

Recently, we discovered a phishing campaign that takes advantage of the OAuth vulnerability. OAuth lets customers of online services give third parties limited access to their protected resources without sharing their credentials. It is commonly used by applications for social networks – for example, to obtain access to someone’s contact lists or other data.

The Kaspersky Lab customer who reported the attack received an email saying that someone had used their Windows Live ID and asking them to follow a link to the Windows Live site and follow the security requirements outlined there.

Do not allow untrusted applications to access your data #KLReport


On the face of it, it seems like a standard phishing technique – one that would result in the victim being re-directed to a fake site. But in this case, the link led to the legitimate site. The victim’s login credentials aren’t stolen and they are logged in to the legitimate site. However, after authorization, the victim receives a request for a range of permissions from an unknown application. This can include automatic login, access to profile information, contact list and email addresses. If the victims hands over these rights, it offers the cybercriminals access to their personal information – information that they can use to distribute spam, phishing links or for other fraudulent purposes.

We would recommend the following to safeguard your personal data.

Smart cities but not-so-smart security

The use of CCTV systems by governments and law enforcement agencies for surveilling public places has grown enormously in recent years. Most of us accept them as a reasonable trade-off between privacy and security. However, this rather assumes that the data gathered using this technology will be handled securely and responsibly, to ensure that the benefits aren’t outweighed by any potential dangers.

Many CCTV cameras have a wireless connection to the Internet, enabling police to monitor them remotely. However, this is not necessarily secure: it’s possible for cybercriminals to passively monitor security camera feeds, to inject code into the network – thereby replacing a camera feed with fake footage – or to take systems offline. Two security researchers (Vasilios Hioureas from Kaspersky Lab and Thomas Kinsey from Exigent Systems) recently conducted research into the potential security weaknesses in CCTV systems in one city. You can read Vasilios’s report on our web site).

Aspects of life are being made digital & security should be considered as part of the design stage #KLReport


The researchers started by looking at the surveillance equipment in locations across the city. Unfortunately, there had been no attempt to mask the branding of the cameras, so it was easy to determine the makes and models of the cameras, examine the relevant specs and create their own scale model in the lab. The equipment being used provided effective security controls, but these controls were not being implemented. Data packets passing across the mesh network were not being encrypted, so that an attacker would be able to create their own version of the software and manipulate data travelling across it.

It’s important to note that they did not attempt to hack into the real network, but analyzed the hardware and communication protocols and built a scale model. The network topology of the surveillance camera network is unlike a standard home wireless network. On a home network, all devices connect to the Internet and one another through a router. Any device connected to that router could potentially trick the other devices into thinking it’s the router and monitor or change data by performing a Man-in-the-Middle attack.

IT threat evolution Q2 2015

IT threat evolution Q2 2015

The surveillance camera network is more complicated, because of the distances the data needs to travel. The data must travel from any given camera through a series of nodes eventually leading back to a hub (in a real world implementation, this might be a police station). The traffic follows the path of least resistance where each node has the ability to communicate with several others and selects the easiest path back to the hub.

IT threat evolution Q2 2015

Hioureas and Kinsey built a series of fake nodes that purported to offer a direct line of communication to a simulated police station. Since they knew all the protocols used on the network, they were able to create a Man-in-the-Middle node that seemed to offer the path of least resistance, causing the real nodes to relay their traffic through their malicious node.

One potential use for attackers would be to spoof footage sent to a police station. This could make it appear as if there was an incident in one location, thereby distracting police from a real attack occurring elsewhere in the city.

The researchers reported these issues to the authorities responsible for the city surveillance systems concerned and they are in the process of fixing the security problems. In general, it’s important that WPA encryption, protected by a strong password, is implemented in these networks; that labelling is removed from hardware, to make it harder for would-be attackers to find out how the equipment operates; and that footage is encrypted as it travels through the network.

The wider issue here is that more and more aspects of everyday life are being made digital: if security isn’t considered as part of the design stage, the potential dangers could be far-reaching – and retro-fitting security might not be straightforward. The Securing Smart Cities initiative, supported by Kaspersky Lab, is designed to help those responsible for developing smart cities to do so with cyber-security in mind.


All the statistics used in this report were obtained using the Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.

Mobile threats

Mobile banker Trojans still remain among the top mobile threats. In our Q1 2015 report, we mentioned Trojan-SMS.AndroidOS.OpFake.cc, which could attack at least 29 banking and financial applications. The latest version of this Trojan can now attack 114 banking and financial applications. Its main goal is to steal the user’s online credentials. Serving the same purpose, it also attacks several popular email applications.

Trojan-Spy.AndroidOS.SmsThief.fc also deserves a mention. Cybercriminals managed to add their code into the original banking application without affecting its operation, making this Trojan more difficult to detect.

The latest version of Trojan-SMS.AndroidOS.Opfake.cc can now attack 114 banking and financial applications. #KLReport


A new iOS Trojan, Trojan.IphoneOS.FakeTimer.a, emerged in Q2. It is interesting in that it is an iOS version of a malicious Android app which emerged several years ago. FakeTimer.a attacks even non-jailbroken devices. Its payload is rather primitive: it is a regular phishing application created to steal money from Japanese users.

In Q2, Trojans which can use root privileges to display advertisements to users or install advertising applications became especially visible. A total of six such malicious programs landed in the Q2 TOP 20 of malicious malware.

The number of new mobile threats

In Q2 2015, Kaspersky Lab mobile security products detected 291,887 new malicious mobile programs, a 2.8-fold increase on Q1 2015.

Kaspersky Lab mobile security products detected 291,887 new malicious mobile programs #KLReport


The number of installation packages detected was 1,048,129 – this is seven times as many as in the previous quarter.

IT threat evolution Q2 2015

Number of malicious installation packages and new malicious mobile programs detected (Q4 2014 – Q2 2015)

Distribution of mobile malware by type

IT threat evolution Q2 2015

Distribution of new mobile malware by type, Q2 2015

The ranking of malware objects for mobile devices for the second quarter of 2015 was headed by RiskTool (44.6%). These are legitimate applications that are potentially dangerous for users – if used carelessly or manipulated by a cybercriminal, they could lead to financial losses.

Potentially unwanted advertising apps came second with 19%.

SMS Trojans have previously led this ranking, but in Q2 they were only in the fourth place with 8.1% – this is 12.9% lower than in Q1. The lower share taken by these malicious programs is in part accounted for by the fact that those who were previously active distributing SMS Trojans have started using ‘cleaner’ monetization techniques (as testified by the increased RiskTool shares), or prefer to use other types of malware. Thus the Trojan share increased from 9.8% in Q1 to 12.4% in Q2.

Top 20 malicious mobile programs

Please note that, starting from this quarterly report, we are publishing the ranking of malicious programs, which does not include potentially dangerous or unwanted programs such as RiskTool or adware.

  Name % of attacks *
1 DangerousObject.Multi.Generic 17.5%
2 Trojan-SMS.AndroidOS.Podec.a 9.7%
3 Trojan-SMS.AndroidOS.Opfake.a 8.0%
4 Backdoor.AndroidOS.Obad.f 7.3%
5 Trojan-Downloader.AndroidOS.Leech.a 7.2%
6 Exploit.AndroidOS.Lotoor.be 5.7%
7 Trojan-Spy.AndroidOS.Agent.el 5.5%
8 Trojan.AndroidOS.Ztorg.a 3.1%
9 Trojan.AndroidOS.Rootnik.a 3.0%
10 Trojan-Dropper.AndroidOS.Gorpo.a 2.9%
11 Trojan.AndroidOS.Fadeb.a 2.7%
12 Trojan-SMS.AndroidOS.Gudex.e 2.5%
13 Trojan-SMS.AndroidOS.Stealer.a 2.5%
14 Exploit.AndroidOS.Lotoor.a 2.1%
15 Trojan-SMS.AndroidOS.Opfake.bo 1.6%
16 Trojan.AndroidOS.Ztorg.b 1.6%
17 Trojan.AndroidOS.Mobtes.b 1.6%
18 Trojan-SMS.AndroidOS.FakeInst.fz 1.6%
19 Trojan.AndroidOS.Ztorg.pac 1.5%
20 Trojan-SMS.AndroidOS.FakeInst.hb 1.4%

* Percentage of users attacked by the malware in question, relative to all users attacked

The top position in the rankings was occupied by DangerousObject.Multi.Generic (17.5%). This is how new malicious applications are detected by the KSN cloud technologies, which help our products to significantly shorten the response time to new and unknown threats.

Trojan-SMS.AndroidOS.Podec.a (9.7%) has been among the Top Three malicious mobile programs for three quarters in a row due to its active dissemination.

Trojan-SMS.AndroidOS.Opfake.a (8.0%) has been quickly rising to the top lines of the ranking. While in Q3 2014 it was in the 11th place only,it is now in the TOP 3 of mobile malware. Obfake.bo, another representative of this malware family, is in 15th place.

It is also worth mentioning the appearance of Backdoor.AndroidOS.Obad in the TOP 20 ranking – in fact, it jumped to fourth place all at once. This is a multi-functional Trojan, capable of sending SMS to premium-rate numbers; downloading other malware programs, installing them on the infected device and/or sending them further via Bluetooth; and remotely performing commands in the console. We wrote about it two years ago, and its capabilities have remained virtually unchanged ever since.

Another interesting thing is that although this ranking does not include adware programs, six of the TOP 20 malicious mobile programs use advertisements as the main vehicle of monetization. Unlike regular advertisement modules, Trojan.AndroidOS.Rootnik.a, three programs of the Trojan.AndroidOS.Ztorg family, Trojan-Downloader.AndroidOS.Leech.a and Trojan.AndroidOS.Fadeb.a do not carry any productive payload with them. Their goal is to deliver to the user as much advertising as possible in various ways, including installation of new adware programs. These Trojans can use root privileges to conceal themselves in the system folder – this makes it very difficult to delete them.

Mobile banker Trojans

In Q2 2015, we detected 630 mobile banker Trojans. It should be noted that the number of new malware programs belonging to this category is now growing at a much slower rate.

IT threat evolution Q2 2015

Number of mobile banker Trojans detected by Kaspersky Lab’s solutions (Q3 2014 – Q2 2015)

IT threat evolution Q2 2015

Geography of mobile banking threats in Q2 2015
(number of users attacked)

The number of attacked users depends on the overall number of users within each individual country. To assess the risk of a mobile banker Trojan infection in each country, and to compare it across countries, we made a country ranking according to the percentage of users attacked by mobile banker Trojans.

Top 10 counties attacked by mobile banker Trojans (ranked by percentage of users attacked):

  Country* % of users attacked by mobile bankers**
1 Republic of Korea 2.37%
2 Russia 0.87%
3 Uzbekistan 0.36%
4 Belarus 0.30%
5 Ukraine 0.29%
6 China 0.25%
7 Kazakhstan 0.17%
8 Australia 0.14%
9 Sweden 0.13%
10 Austria 0.12%

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country

Mobile bankers proliferate most actively in Korea. Cybercriminals are also historically active in Russia and other post-Soviet countries. It is some of these countries that occupy four out of five positions in the ranking.

An indication of how popular mobile banker Trojans are with cybercriminals in each country, may be provided by the percentage of users who were attacked at least once by mobile banker Trojans during the reported three month period, relative to all users in the same country whose mobile security product was activated at least once in the reporting period. This ranking is different from the one above:

TOP 10 countries by the percentage of users attacked by mobile bankers relative to all attacked users

  Country * % of users attacked by mobile bankers, relative to all attacked users *
1 Republic of Korea 31.72%
2 Russia 10.35%
3 Australia 6.62%
4 Austria 6.03%
5 Japan 4.73%
6 Uzbekistan 4.17%
7 Belarus 3.72%
8 Ecuador 3.50%
9 Ukraine 3.46%
10 Switzerland 3.09%

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all unique users attacked by mobile malware in the country

In Korea, almost one third of all users attacked by mobile malware were attacked by mobile bankers in particular. In Russia, every tenth attacked user came under a mobile banker attack. In other countries, this percentage is lower. Interestingly, there are four countries in this TOP 10 which are also in the TOP 5 of most secure counties with the lowest probability of mobile malware infection – these are Australia, Austria, Japan and Switzerland.

The geography of mobile threats

IT threat evolution Q2 2015

The geography of mobile malware infection attempts in Q2 2015
(percentage of all users attacked)

Top 10 countries attacked by mobile malware:

  Country* % of users attacked**
1 China 16.34%
2 Malaysia 12.65%
3 Nigeria 11.48%
4 Bangladesh 10.89%
5 Tanzania 9.66%
6 Algeria 9.33%
7 Uzbekistan 8.56%
8 Russia 8.51%
9 Ukraine 8.39%
10 Belarus 8.05%

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country

This ranking is led by China, where 16.34% of all users of Kaspersky Lab’s product were attacked at least once during the three month period. Malaysia is in second place with 12.65%. Russia (8.51%), Ukraine (8.39%) and Belarus (8.05%) close the TOP 10 ranking, below some Asian and African countries.

Korea took 11th place in this ranking with 7.46%. Let us remind the reader that mobile banker Trojans are very popular with the Korean cybercriminals: 31.72% of all users attacked by mobile malware were the victim of a mobile banking Trojan attack.

The most secure countries in this respect are:

  Country % of users attacked
1 Japan 1.06%
2 Canada 1.82%
3 Austria 1.96%
4 Australia 2.16%
5 Switzerland 2.19%

Vulnerable applications used by fraudsters

The ranking of vulnerable applications below is based on information about the exploits blocked by our products. These exploits were used by cybercriminals in Internet attacks and in attempts to compromise local applications, including those installed on mobile devices.

IT threat evolution Q2 2015

Distribution of exploits used in attacks by type of application attacked, Q2 2015

The rating of exploits has seen little change from the first quarter. The Browsers category (60%) maintained its top position in the Q2 2015. Currently most exploit packs contain a pack of exploits for Adobe Flash Player and Internet Explorer. It is worth mentioning the growing number of exploits for Adobe Flash Player (up by six percentage points) which is caused by the large number of spam mass mailings containing malicious PDF documents.

The number of exploits for Java continues to decrease (down four percentage points): in Q2 we did not see any new exploits for Java.

In the second quarter of 2015 we registered the use of four new vulnerabilities in Adobe Flash Player:

Although the share of exploits for Adobe Flash Player in our rating is only 3%, there are many more of them in the “wild”. When considering these statistics, we should take into account that Kaspersky Lab technologies detect exploits at various stages. The Browsers category also includes detection of landing pages that “distribute” exploits. According to our observations, they are most often exploits for Adobe Flash Player

Online threats (Web-based attacks)

The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.

Online threats in the banking sector

In the second quarter of 2015, Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on the computers of 755,642 users. This figure represents an 18.7% decrease compared to the previous quarter (735,428).

There were 5,903,377 registered notifications about attempted financial malware infections #KLReport


A total of 5,903,377 notifications of malicious activity by programs designed to steal money via online access to bank accounts were registered by Kaspersky Lab security solutions in Q2 2015.

IT threat evolution Q2 2015

Number of computers attacked by financial malware, Q2 2015

Geography of attacks

In the second quarter of 2015, we changed the methodology used to create the rating of countries affected by the malicious activity of banking Trojans. In our previous reports, the Top 10 was made using the number of users attacked. Although this aspect is very important, it depends on the number Kaspersky Lab product users in the countries.

To evaluate and compare the degree of risk of being infected by banking Trojans which user computers are exposed to worldwide, we calculate the percentage of Kaspersky Lab product users who encountered this threat during the reporting period in the country, of all users of our products in this county.

IT threat evolution Q2 2015

Geography of banking malware attacks in Q2 2015 (the percentage of users attacked)

Top 10 countries by the percentage of users attacked

  Country* % of users attacked **
1 Singapore 5.28%
2 Switzerland 4.16%
3 Brazil 4.07%
4 Australia 3.95%
5 Hong Kong 3.66%
6 Turkey 3.64%
7 New Zealand 3.28%
8 South Africa 3.13%
9 Lebanon 3.10%
10 UAE 3.04%

* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000)
** Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country

In Q2 2015, Singapore took the lead in the percentage of Kaspersky Lab users attacked by banking Trojans. Noticeably, most countries in the TOP 10 have a high level of technological and banking system development, which draws the attention of cybercriminals.

In Russia, 0.75% users encountered banking Trojans at least once during the quarter, in the US – 0.89%, in Spain – 2.02%, in the UK – 1.58%, in Italy – 1.57% , in Germany – 1.16%.

The TOP 10 banking malware families

The table below shows the Top 10 malicious programs most commonly used in Q2 of 2015 to attack online banking users, based on the number of users attacked:

  Name Number of notifications Number of users attacked
1 Trojan-Downloader.Win32.Upatre 3888061 419940
2 Trojan-Spy.Win32.Zbot 889737 177665
3 Trojan-Banker.Win32.ChePro 264534 68467
4 Backdoor.Win32.Caphaw 72128 25923
5 Trojan-Banker.Win32.Banbra 56755 24964
6 Trojan.Win32.Tinba 175729 22942
7 Trojan-Banker.AndroidOS.Marcher 60819 19782
8 Trojan-Banker.AndroidOS.Faketoken 43848 13446
9 Trojan-Banker.Win32.Banker 23225 9209
10 Trojan-Banker.Win32.Agent 28658 8713

The majority of the Top 10 malicious programs work by injecting random HTML code in the web page displayed by the browser and intercepting any payment data entered by the user in the original or inserted web forms.

The Top 3 banking malicious programs remain unchanged from the previous quarter. Trojan-Downloader.Win32.Upatre kept its leading position in the rating. Malicious programs in this family are relatively simple and no larger than 3.5 KB. They usually download a Trojan-Banker belonging to a family known as Dyre/Dyzap/Dyreza. The list of financial institutions attacked by the banker Trojan depends on the configuration file that is downloaded from the Command-and-Control center.

In Q2 2015, the new banking Trojans entered the rating – Backdoor.Win32.Caphaw, Trojan-Banker.AndroidOS.Marcher and Trojan-Banker.AndroidOS.Faketoken.

Backdoor.Win32.Caphaw was first detected in 2011. It utilizes the Man-in-the-Browser technique to steal online banking credentials of the customers.

Trojan-Banker.AndroidOS.Faketoken and Trojan-Banker.AndroidOS.Marcher attack Android-based mobile devices. Faketoken works in partnership with computer Trojans. To distribute this malware, cybercriminals use social engineering techniques. When a user visits his online banking account, the Trojan modifies the page, asking him to download an Android application which is allegedly required to securely confirm the transaction. In fact the link leads to the Faketoken application.

Once Faketoken is on the user’s smartphone, the cybercriminals gain access to the user’s banking account via the computer infected with a banking Trojan and the compromised mobile device allows them to intercept the one-time confirmation code (mTAN). The second mobile Trojan is Trojan-Banker.AndroidOS.Marcher. After infecting a device, the malware tracks the launch of just two apps – the mobile banking customer of one of the European banks and Google Play. If the user starts Google Play, Marcher displays a false window requesting credit card data which then go to the fraudsters. The same method is used by the Trojan if the user starts the banking application.

Financial threats

Financial threats are not limited to banker malware that attacks online banking customers.

IT threat evolution Q2 2015

Financial malware: distribution by malware type

In Q2 2015, the proportion of banking malware increased from 71% to 83% compared with the previous quarter. The second most widespread financial threat was Bitcoin miners – malicious software that uses computing resources of the victim’s computer to generate bitcoins. In the previous quarter, this category of malware was in third place. Of note is the fact that some legitimate software developers secretly integrate Bitcoin-miners in their applications.

Top 20 malicious objects detected online

In the second quarter of 2015, Kaspersky Lab’s web antivirus detected 26,084,253 unique malicious objects: scripts, exploits, executable files, etc.

Kaspersky Lab detected and repelled a total of 379,972,834 malicious attacks from online resources #KLReport


We identified the 20 most active malicious objects involved in online attacks against users’ computers. These 20 accounted for 96.5% of all attacks on the Internet.

Top 20 malicious objects detected online

  Name* % of all attacks**
1 AdWare.JS.Agent.bg 47.66%
2 Malicious URL 32.11%
3 Trojan.Script.Generic 4.34%
4 AdWare.Script.Generic 4.12%
5 Trojan.Script.Iframer 3.99%
6 AdWare.JS.Agent.bt 0.74%
7 Exploit.Script.Blocker 0.56%
8 Trojan.Win32.Generic 0.49%
9 AdWare.AndroidOS.Xynyin.a 0.49%
10 Trojan-Downloader.Win32.Generic 0.37%
11 Trojan-Ransom.JS.Blocker.a 0.34%
12 Trojan-Clicker.JS.Agent.pq 0.23%
13 AdWare.JS.Agent.an 0.20%
14 AdWare.JS.Agent.by 0.19%
15 Trojan.Win32.Invader 0.12%
16 Trojan-Downloader.Win32.Genome.qhcr 0.11%
17 AdWare.Win32.Amonetize.ague 0.11%
18 AdWare.Win32.MultiPlug.nnnn 0.10%
19 AdWare.NSIS.Agent.cv 0.09%
20 Trojan-Downloader.Script.Generic 0.09%

* These statistics represent the detection verdicts of the web antivirus module. Information was provided by users of Kaspersky Lab products who consented to share their local statistical data.
** The percentage of all web attacks recorded on the computers of unique users.

The Top 20 is largely made up of verdicts assigned to objects used in drive-by attacks, as well as adware programs.

Aggressive distribution of advertising programs affected the rating: 10 out of 20 positions were occupied by advert-related objects. In first place is the script AdWare.JS.Agent.bg which is implemented by inserting adware in arbitrary web pages. It could even push down Malicious URL, the verdict we use for the links from the black list which are ranked second in Q2 2015.

Of interest is the appearance of the AdWare.AndroidOS.Xynyin.a verdict – it’s unusual to see a verdict for Android malware in the rankings for malware on users’ computers. The program corresponding to this verdict is an advertising module for Android which is embedded in different applications (for example, in programs “accelerating” the work of the phone). One such application was popular in March and April of this year when it was actively downloaded by users. Since Google Play does not provide such applications these applications were downloaded from the Internet mostly via the victims’ computers.

The Trojan-Ransom.JS.Blocker.a verdict is a script which tries to block the browser using a periodic page update and displays the message asking the victim to pay a “fine” to the specified e-wallet for viewing inappropriate material. The script is mostly encountered on porn sites.

Top 10 countries where online resources are seeded with malware

The following stats are based on the physical location of the online resources that were used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.

In order to determine the geographical source of web-based attacks, domain names are matched up against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q2 2015, Kaspersky Lab solutions blocked 379,972,834 attacks launched from web resources located in various countries around the world. 89% of notifications on blocked web attacks were triggered by attacks coming from web resources located in 10 countries.

IT threat evolution Q2 2015

Distribution of web attack sources by country, Q2 2015

Russia (51%) maintained its leadership: this country’s share increased by 11.27%. Switzerland left the Top 10. Singapore came eighth in the ranking with 1.56% of all web attacks.

Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculate the percentage of Kaspersky Lab users in each country who encounter detection verdicts on their machines during the quarter. The resulting data provide an indication of the aggressiveness of the environment in which computers work in different countries.

  Country* % unique users attacked**
1 Russia 38.98%
2 Kazakhstan 37.70%
3 Ukraine 35.75%
4 Syria 34.36%
5 Belarus 33.02%
6 Azerbaijan 32.16%
7 Thailand 31.56%
8 Georgia 31.44%
9 Moldova 31.09%
10 Vietnam 30.83%
11 Armenia 30.19%
12 Kyrgyzstan 29.32%
13 Croatia 29.16%
14 Algeria 28.85%
15 Qatar 28.47%
16 China 27.70%
17 Mongolia 27.27%
18 Makedonia 26.67%
19 Bosnia and Herzegovina 25.86%
20 Greece 25.78%

These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In Q2 2015, Russia, which was second in the first quarter, regained its top position in the ranking. Since the previous quarter, UAE, Latvia, Tajikistan, Tunisia and Bulgaria have left the Top 20. The newcomers to the rankings were Syria, which rocketed to fourth place (34.36%); Thailand, which was in seventh place (31.56%); Vietnam, in tenth place (30.83%); China (27.70%) and Macedonia (26.67%), which occupied 16th and 18th places respectively.

23.9% of computers connected to the Internet globally were subjected to at least 1 web attack in Q2 #KLReport


The countries with the safest online surfing environments included Argentina (13.2%), the Netherlands (12.5%), Korea (12.4%), Sweden (11.8%), Paraguay (10.2%) and Denmark (10.1%).

IT threat evolution Q2 2015

On average, 23.9% of computers connected to the Internet globally were subjected to at least one web attack during the three months.

Local threats

Local infection statistics for users computers are a very important indicator: they reflect threats that have penetrated computer systems using means other than the Internet, email, or network ports.

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q2 2015, Kaspersky Lab’s file antivirus modules detected 110,731,713 unique malicious and potentially unwanted objects.

Top 20 malicious objects detected on users computers

  Name* % unique users attacked**
1 DangerousObject.Multi.Generic 22.64%
2 Trojan.Win32.Generic 15.05%
3 Trojan.WinLNK.StartPage.gena 8.28%
4 AdWare.Script.Generic 7.41%
5 Adware.NSIS.ConvertAd.heur 5.57%
6 WebToolbar.Win32.Agent.azm 4.48%
7 WebToolbar.JS.Condonit.a 4.42%
8 Trojan-Downloader.Win32.Generic 3.65%
9 Downloader.Win32.MediaGet.elo 3.39%
10 Trojan.Win32.AutoRun.gen 3.29%
11 Downloader.Win32.Agent.bxib 3.26%
12 WebToolbar.JS.CroRi.b 3.09%
13 RiskTool.Win32.BackupMyPC.a 3.07%
14 Virus.Win32.Sality.gen 2.86%
15 Worm.VBS.Dinihou.r 2.84%
16 WebToolbar.Win32.MyWebSearch.si 2.83%
17 DangerousPattern.Multi.Generic 2.75%
18 AdWare.NSIS.Zaitu.heur 2.70%
19 AdWare.BAT.Clicker.af 2.67%
20 AdWare.Win32.MultiPlug.heur 2.54%

* These statistics are compiled from malware detection verdicts generated by the on-access and on-demand scanner modules on the computers of those users running Kaspersky Lab products who have consented to submit their statistical data.
** The proportion of individual users on whose computers the antivirus module detected these objects as a percentage of all individual users of Kaspersky Lab products on whose computers a file antivirus detection was triggered.

In line with the established practice, this ranking represents the verdicts assigned to adware programs or their components (such as AdWare.BAT.Clicker.af), and to worms distributed on removable drives.

The only virus in the rankings – Virus.Win32.Sality.gen – continues to lose ground. The proportion of user machines infected by this virus has been diminishing for a long time. In Q2 2015, Sality was in 14th place with 2.86%, a 0.32% decrease compared to the previous quarter.

Countries where users faced the highest risk of local infection

For each of the countries, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

Top 20 countries with the highest levels of computer infection

  Country* % unique users**
1 Bangladesh 60.53%
2 Vietnam 59.77%
3 Pakistan 58.79%
4 Mongolia 58.59%
5 Georgia 57.86%
6 Somali 57.22%
7 Nepal 55.90%
8 Afghanistan 55.62%
9 Algeria 55.44%
10 Armenia 55.39%
11 Russia 54.94%
12 Laos 54.77%
13 Iraq 54.64%
14 Kazakhstan 54.23%
15 Syria 53.00%
16 Tunisia 53.75%
17 Ethiopia 53.44%
18 Ruanda 53.17%
19 Ukraine 53.01%
20 Cambodia 52.88%

These statistics are based on the detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.

* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.

In Q2 2015, Bangladesh (60.53%) took the lead as the country with the highest level of computer infection, pushing down Vietnam which has headed the rating for almost two years. Pakistan (58.79%) rocketed from 13th position in the previous quarter to 3rd place in Q2.

The newcomers in the rankings were Georgia (5th position with 57.8%), Russia (11th position with 55%), Tunisia (16th position with 53.7%) and Ukraine (19th position with 53%).

An average of 40% of computers globally faced at least 1 local threat during Q2 2015 #KLReport


The safest countries in terms of local infection risks were Sweden (19.7%), Denmark (18.4%) and Japan (15.5%).

IT threat evolution Q2 2015

An average of 40% of computers globally faced at least one local threat during Q2 2015, which is 0.2% percentage points more than in Q1 2015.

Posted: 30 Jul 2015 | 4:54 am

Webshell with a Booby Trap

I came across three interesting PHP scripts that were presumably dropped by the same attacker. Perhaps this is old news but it’s something new to me.

Here’s the first one which looks innocent enough.


However, if you put in the wrong password, you can end up at a malicious or phishing page.



Inspecting the traffic shows that the password you tried gets captured.


Here’s what the panel looks like:


This is the second script which looks like it failed to do anything:


Nope, the script works just fine. It dropped a webshell in the folder.


If you look closely, you can see that the initial file resembles a JPEG file. The file does open up as a normal graphic but embedded in it are scripts that can execute PHP, ASP, and JSP commands as well as drop a PHP webshell.


The third script looks like this when you open it in the browser. It’s a seemingly benign page from the PHP Documentation website.


However, if you append a certain value to the URL, a hidden feature is enabled at the bottom of the page and you can now upload any file of your choice.


Ah, more things to be on the lookout for…

Posted: 24 Jul 2015 | 7:39 pm

Watering holes exploiting JSONP hijacking to track users in China

By: Eddie Lee and Jaime Blasco


Imagine if an authoritarian state had a tool to get private information about users visiting certain websites, including real names, mail addresses, sex, birthdays, phone numbers, etc. Imagine that even users that run TOR or VPN connections to bypass the tools that the authoritarian government uses to block and monitor these websites were exposed to this technique.

In this blog post we are going to describe a series of watering hole attacks that have been targeting NGO, Uyghur and Islamic websites since at least October 2013, with the most recent attack discovered a few days ago. We want to thank Sumayah Alrwais, a PhD student in the system security lab at Indiana University, for discovering and notifying us through RSA Labs about this latest watering hole attack affecting the Chinese website of an international NGO.

A Watering Hole is a technique where the attacker wants to target a particular group (company, industry, ethnic, etc). The attackers compromise websites used by the group and include malicious content that gets executed when users access the affected websites.

Typically, attackers gain access to a victim’s system by including an iframe or JavaScript file from a malicious server to exploit a vulnerability in Internet Explorer, Java, or Flash. Some examples we have documented in the past are:

In other cases we have discovered Watering Holes where the attackers use reconnaissance techniques to extract information about software installed on a victim’s machine or even using a JavaScript keylogger to steal credentials:

In addition to this, it is not the first time we have documented cyber espionage campaigns targeting China’s Uyghur minority:

The latest attack that we are describing is a novel technique that we haven’t seen before with watering hole attacks.  Let’s describe how it works:

When we started to write this blog post we weren’t going to publish the list of affected services; however, after doing a bit of research, we found the same vulnerabilities have been public since 2013! Details of the vulnerabilities are mentioned in a Chinese security blog as well as several Chinese forums. 

To describe the severity of the issue, we are showing a list of Alexa ratings for the affected services and the personal data the attackers are able to steal:


JSONP is a widely used technique to make cross-domain JavaScript requests that bypass the same-origin policy. However, bypassing the same-origin policy can lead to information leakage between different origins or domains. This is especially dangerous when JSONP contains user data. Since JSONP requests/responses bypass the same-origin policy, malicious sites can cause victims to make cross-domain JSONP requests and read the private data using the “script” tag.

Let’s see an example from the malicious JavaScript found in one of the Watering Holes that we have analyzed.

The vulnerable site responds with the following content:

When the browser receives the data, it calls the renren_all callback function that prepares the personal data including sex, birthday, real name and user ID to be sent to an attacker-controlled server.

After all the JSONP requests have been made, the malicious JavaScript sends the data to an attacker-controlled server:

In addition to this, we have also seen one of the malicious JavaScript files that contains code to return the public and private addresses of the user using WebRTC with STUN as documented here


Implications to privacy and attribution

All of the Watering Holes that we have observed are targeting Chinese users visiting Uyghur or Islam-related websites or NGOs sympathetic to freedom of speech. It looks like this campaign has been targeting a very small group of people, and since there is no financial gain on collecting most of the leaked personal data, we can say that whoever is behind these attacks is looking to reveal the identity of the users visiting certain websites. Another point is that some of the affected websites are hosted outside of China, and the Great Firewall likely blocks some of those sites. According to The China Story Project, one of the main categories of foreign websites that was blocked in China was regarding “Web pages belonging to organizations that campaign against the Communist Party or that promote Tibetan and Uyghur causes or independence for Taiwan, as well as sites belonging to the banned religious organization Falun Gong.”

In general, the Great Firewall (GFW) is able to analyze and block traffic that is leaving China; however, this is not necessarily true when Chinese users run VPNs (Virtual Private Networks) or TOR. In these cases, the GFW doesn’t have full visibility into the traffic that goes through VPNs or TOR. When plaintext traffic comes out of VPNs or TOR endpoints, the GFW doesn’t know the real IP address of the user that is visiting a specific website.

Now imagine that the Chinese government wants to know the real identities of individuals visiting certain websites that are sympathetic to certain causes, people who are exiled, or specific people living abroad even when they use TOR or VPNs. In the scenario we have described, this is a reality and has been happening since 2013. Even if the only data the attackers can obtain is a user ID for a specific website, this information can be used to pinpoint targets for espionage within the GFW.



First of all, the list of affected sites (Baidu, Taobao, etc.) should fix the JSONP Hijacking vulnerabilities. There are several ways to do this:

- Include a random value in all the JSONP requests (this also works to prevent CSRF attacks)

- Use CORS instead of JSONP

- Don’t use cookies (e.g. session identifiers) to customize JSONP responses

- Don’t include private/user data in JSONP responses

The recommendation for users is be vigilant and follow best practices when browsing the Web, especially if you live in an authoritarian country or you are worried about being tracked. For example, do not browse sensitive websites after logging into another website - even in a different tab or window.

It is really important to understand the differences between anonymity and privacy. For instance, if you are using TOR or a VPN service that encrypts your communications, it is going to give you a certain level of privacy, but your anonymity is still at risk. Anonymity is the idea of being “non-identifiable” or un-trackable, but as we have described in this blog post it is hard to remain anonymous if you are using services where you have revealed personal information and you browse other sites that can exploit vulnerabilities to access your personal information.

[Update: 06/15/2015]

We would like to thank you Citizen Labs for helping us with victim notification. On the other hand we want to point out that every TOR user should be using the TOR browser that is more suitable to browse the web to prevent these kind of attacks and other privacy related issues. 


Posted: 11 Jun 2015 | 11:54 am

An Overview of Exploit Packs (Update 25) May 2015

Update May 12, 2015

Added CVE-2015-0359 and updates for CVE-2015-0336

Reference table : Exploit References 2014-2015

Update March 20, 2015

Added CVE-2015-0336

Update February 19, 2015

Added Hanjuan Exploit kit and CVE-2015-3013 for Angler 

Update January 24, 2015 

Added CVE-2015-3010, CVE-2015-3011 for Agler and a few reference articles. 
If you notice any errors, or some CVE that need to be removed (were retired by the pack authors), please let me know. Thank you very much!

Update December 12, 2014

Update Jan 8, 2014

 This is version 20 of the exploit pack table - see the added exploit packs and vulnerabilities listed below.

                                             Exploit Pack Table Update 20                                           
  Click to view or download from Google Apps

I want to give special thanks to Kafeine  L0NGC47,  Fibon and  Curt Shaffer for their help and update they made.  Note the new Yara rules sheet / tab for yara rules for exploit kit.
I also want to thank Kahu securityKafeineMalforsec and all security companies listed in References for their research.

If you wish to be a contributor (be able to update/change the exploits or add yara rules), please contact me :)
If you have additions or corrections, please email, leave post comments, or tweet (@snowfl0w) < thank you!

The Wild Wild West image was created by Kahu Security  - It shows current and retired (retiring) kits.

List of changed kits
Gong Da / GonDad Redkit 2.2 x2o (Redkit Light)Fiesta (=Neosploit)  Cool  Styxy DotkaChef
CVE-2012-1889CVE-2013-2460CVE-2013-0634 CVE-2013-1493
CVE-2012-4681CVE-2013-2551 CVE-2013-2423

Angler FlashPack = SafePack White Lotus Magnitude (Popads)Nuclear 3.x Sweet Orange 
CVE-2013-2551 CVE-2013-2551CVE-2013-0634CVE-2013-0422CVE-2013-2551
CVE-2013-2471 ??CVE-2013-2471CVE-2013-2460

CK HiManNeutrino  Blackhole (last)Grandsoft  Private EK
CVE-2011-3544CVE-2010-0188CVE-2013-0431CVE-2013-0422CVE-2010-0188 CVE-2006-0003
CVE-2012-4792*CVE-2013-2465CVE-2013-2465*and + all or someCVE-2013-2423CVE-2013-1347
CVE-2013-0634* switch 2463*<>2465*from the previousCVE-2013-2423
CVE-2013-3897Possibly + exploitsversionCVE-2013-2460
* removedfrom the previous

Sakura 1.x LightsOutGlazunov Rawin Flimkit  Cool EK (Kore-sh)Kore (formely Sibhost) 
and + all or someCVE-2013-1690CVE-2013-2423CVE-2013-2471CVE-2013-2463
from the previous

Styx 4.0Cool Topic EK Nice EK
CVE-2013-2423and + all or some
CVE-2013-2463from the previous
Social Eng


The Explot Pack Table has been updated and you can view it here.

Exploit Pack Table Update 19.1  - View or Download from Google Apps

If you keep track of exploit packs and can/wish  to contribute and be able to make changes, please contact me (see email in my profile)
I want to thank L0NGC47, Fibon, and Kafeine,  Francois Paget, Eric Romang, and other researchers who sent information for their help.

Update April 28, 2013 - added CVE-2013-2423 (Released April 17, 2013) to several packs. 
Now the following packs serve the latest Java exploit (update your Java!)

  1. Styx
  2. Sweet Orange
  3. Neutrino
  4. Sakura
  5. Whitehole
  6. Cool
  7. Safe Pack
  8. Crime Boss
  9. CritX

Other changes
  1. Whitehole
  2. Redkit
  3. Nuclear
  4. Sakura
  5. Cool Pack
  6. Blackhole
  7. Gong Da
  1. KaiXin
  2. Sibhost
  3. Popads 
  4. Alpha Pack
  5. Safe Pack
  6. Serenity
  7. SPL Pack

    There are 5 tabs in the bottom of the sheet
  1. 2011-2013
  2. References
  3. 2011 and older
  4. List of exploit kits
  5. V. 16 with older credits

March 2013
The Explot Pack Table, which has been just updated, has migrated to Google Apps - the link is below. The new format will allow easier viewing and access for those who volunteered their time to keep it up to date.

In particular, I want to thank
L0NGC47, Fibon, and Kafeine  for their help.

There are 5 tabs in the bottom of the sheet
  1. 2011-2013
  2. References
  3. 2011 and older
  4. List of exploit kits
  5. V. 16 with older credits
The updates include
  1. Neutrino  - new
  2. Cool Pack - update
  3. Sweet Orange - update
  4. SofosFO aka Stamp EK - new
  5. Styx 2.0 - new
  6. Impact - new
  7. CritXPack - new
  8. Gong Da  - update
  9. Redkit - update
  10. Whitehole - new
  11. Red Dot  - new

The long overdue Exploit pack table Update 17 is finally here. It got a colorful facelift and has newer packs (Dec. 2011-today) on a separate sheet for easier reading.
Updates / new entries for the following 13 packs have been added (see exploit listing below)

  1. Redkit 
  2. Neo Sploit
  3. Cool Pack
  4. Black hole 2.0
  5. Black hole 1.2.5
  6. Private no name
  7. Nuclear 2.2 (Update to 2.0 - actual v. # is unknown)
  8. Nuclear 2.1  (Update to 2.0 - actual v. # is unknown)
  9. CrimeBoss
  10. Grandsoft
  11. Sweet Orange 1.1 Update to 1.0 actual v. # is unknown)
  12. Sweet Orange 1.0
  13. Phoenix  3.1.15
  14. NucSoft
  15. Sakura 1.1 (Update to 1.0  actual v. # is unknown)
  16. AssocAID (unconfirmed)  

The full table in xls format - Version 17 can be downloaded from here.  

Exploit lists for the added/updated packs

AssocAID (unconfirmed)
Unknown CVE


Neo Sploit


Black hole 2.0
CVE-2012-4969 promised

Black hole 1.2.5
CVE-2007-5659 /2008-0655

Private no name

Nuclear 2.2 (Update to 2.0 - actual v. # is unknown)

Nuclear 2.1 (Update to 2.0 - actual v. # is unknown)

Java Signed Applet


Sweet Orange 1.1

Sweet Orange 1.0

Phoenix  3.1.15
CVE: 2010-0248
CVE: 2011-2371
Firefox social
CVE: 2012-0500


Sakura 1.1

Version 16. April 2, 2012

Thanks to Kahu security
for Wild Wild West graphic 

The full table in xls format - Version 16 can be downloaded from here. 



1. Blackhole Exploit Kit 1.2.3
  1. CVE-2011-0559 - Flash memory corruption via F-Secure
  2. CVE-2012-0507 - Java Atomic via Krebs on Security
  3. CVE-2011-3544 - Java Rhino  via Krebs on Security
2. Eleonore Exploit Kit 1.8.91 and above- via Kahu Security
  1. CVE-2012-0507 - Java Atomic- after 1.8.91was released
  2. CVE-2011-3544 - Java Rhino
  3. CVE-2011-3521 - Java Upd.27  see Timo HirvonenContagio, Kahu Security and Michael 'mihi' Schierl 
  4. CVE-2011-2462 - Adobe PDF U3D
Also includes
"Flash pack" (presumably the same as before)
"Quicktime" - CVE-2010-1818 ?
3. Incognito Exploit Pack v.2 and above 
there are rumors that Incognito development stopped after v.2 in 2011 and it is a different pack now. If you know, please send links or files.

Added after v.2 was released:
  1. CVE-2012-0507 - Java Atomic
See V.2 analysis via StopMalvertizing

4. Phoenix Exploit Kit v3.1 - via Malware Don't Need Coffee
  1. CVE-2012-0507 -  Java Atomic
  2. CVE-2011-3544 -  Java Rhino + Java TC (in one file)

5. Nuclear Pack v.2 - via TrustWave Spiderlabs

  1. CVE-2011-3544 Oracle Java Rhino
  2. CVE-2010-0840 JRE Trusted Method Chaining
  3. CVE-2010-0188 Acrobat Reader  – LibTIFF
  4. CVE-2006-0003 MDAC
6. Sakura Exploit Pack > v.1 via DaMaGeLaB

  1. CVE-2011-3544 - Java Rhino (It was in Exploitpack table v15, listing it to show all packs with this exploit)

7. Chinese Zhi Zhu Pack via Kahu Security and Francois Paget (McAfee)
  1. CVE-2012-0003 -  WMP MIDI 
  2. CVE-2011-1255 - IE Time Element Memory Corruption
  3. CVE-2011-2140 - Flash 10.3.183.x
  4. CVE-2011-2110 - Flash 10.3.181.x 
  5. CVE-2010-0806 - IEPeers

8. Gong Da Pack via Kahu Security 
  1. CVE-2011-2140  - Flash 10.3.183.x
  2. CVE-2012-0003 -  WMP MIDI  
  3. CVE-2011-3544 - Java Rhino 
9. Dragon Pack - via DaMaGeLab  December 2010 - it is old, listing for curiosity sake

  1. CVE-2010-0886 - Java SMB
  2. CVE-2010-0840 - JRE Trusted Method Chaining
  3. CVE-2008-2463 - Snapshot
  4. CVE-2010-0806 - IEPeers
  5. CVE-2007-5659/2008-0655 - Collab.collectEmailInfo
  6. CVE-2008-2992 - util.printf
  7. CVE-2009-0927 - getIco
  8. CVE-2009-4324 - newPlayer

Version 15. January 28, 2012

Additions - with many thanks to Kahu Security

 Hierarchy Exploit Pack

Siberia Private

Techno XPack

"Yang Pack"

Version 14. January 19, 2012

Version 14 Exploit Pack table additions:

Credits for the excellent Wild Wild West (October 2011 edition) go to kahusecurity.com

With many thanks to  XyliBox (Xylitol - Steven),  Malware Intelligence blog,  and xakepy.cc for the information:

  1. Blackhole 1.2.1  (Java Rhino added, weaker Java exploits removed)
  2. Blackhole 1.2.1 (Java Skyline added)
  3. Sakura Exploit Pack 1.0  (new kid on the block, private pack)
  4. Phoenix 2.8. mini (condensed version of 2.7)
  5. Fragus Black (weak Spanish twist on the original, black colored admin panel, a few old exploits added)
If you find any errors or CVE information for packs not featured , please send it to my email (in my profile above, thank you very much) .

The full table in xls format - Version 14 can be downloaded from here. 

The exploit pack table in XLSX format
The exploit pack table in csv format 

P.S. There are always corrections and additions thanks to your feedback after the document release, come back in a day or two to check in case v.15 is out.

Version 13. Aug 20, 2011

Kahusecurity issued an updated version of their Wild Wild West graphic that will help you learn Who is Who in the world of exploit packs. You can view the full version of their post in the link above.

Version 13 exploit pack table additions:
  1. Bleeding Life 3.0
  2. Merry Christmas Pack (many thanks to kahusecurity.com)+
  3. Best Pack (many thanks to kahusecurity.com)
  4. Sava Pack (many thanks to kahusecurity.com)
  5. LinuQ 
  6. Eleonore 1.6.5
  7. Zero Pack
  8. Salo Pack (incomplete but it is also old)

List of packs in the table in alphabetical order
  1. Best Pack
  2. Blackhole Exploit 1.0
  3. Blackhole Exploit 1.1
  4. Bleeding Life 2.0
  5. Bleeding Life 3.0
  6. Bomba
  7. CRIMEPACK 2.2.1
  8. CRIMEPACK 2.2.8
  9. CRIMEPACK 3.0
  10. CRIMEPACK 3.1.3
  11. Dloader
  12. EL Fiiesta
  13. Eleonore 1.3.2
  14. Eleonore 1.4.1
  15. Eleonore 1.4.4 Moded
  16. Eleonore 1.6.3a
  17. Eleonore 1.6.4
  18. Eleonore 1.6.5
  19. Fragus 1
  20. Icepack
  21. Impassioned Framework 1.0
  22. Incognito
  23. iPack
  24. JustExploit
  25. Katrin
  26. Merry Christmas Pack
  27. Liberty  1.0.7
  28. Liberty 2.1.0*
  29. LinuQ pack
  30. Lupit
  31. Mpack
  32. Mushroom/unknown
  33. Open Source Exploit (Metapack)
  34. Papka
  35. Phoenix  2.0 
  36. Phoenix 2.1
  37. Phoenix 2.2
  38. Phoenix 2.3
  39. Phoenix 2.4
  40. Phoenix 2.5
  41. Phoenix 2.7
  42. Robopak
  43. Salo pack
  44. Sava Pack
  45. SEO Sploit pack
  46. Siberia
  47. T-Iframer
  48. Unique Pack Sploit 2.1
  49. Webattack
  50. Yes Exploit 3.0RC
  51. Zero Pack
  52. Zombie Infection kit
  53. Zopack

Bleeding Life 3.0
New Version Ad is here 

Merry Christmas Pack
read analysis at
Best Pack
read analysis at 
Sava Pack
read analysis at
Eleonore 1.6.5 
[+] CVE-2011-0611
[+] CVE-2011-0559
[+] CVE-2010-4452
[-] CVE-2010-0886
Salo Pack
Old (2009), added just for
the collection

Zero Pack
62 exploits from various packs (mostly Open Source pack)
LinuQ pack
Designed to compromise linux servers using vulnerable PHPMyAdmin. Comes with DDoS bot but any kind of code can be loaded for Linux botnet creation.
LinuQ pack is PhpMyAdmin exploit pack with 4 PMA exploits based on a previous Russian version of the Romanian PMA scanner ZmEu. it is not considered to be original, unique, new, or anything special. All exploits are public and known well.

It is designed to be installed on an IRC server (like UnrealIRCD). IP ranges already listed in bios.txt can be scanned, vulnerable IPs and specific PMA vulnerabilities will be listed in vuln.txt, then the corresponding exploits can be launched against the vulnerable server. It is more like a bot using PMA vulnerabilities than exploit pack.
It is using
CVE-2009-1148 (unconfirmed)
CVE-2009-1149 (unconfirmed)
CVE-2009-1150 (unconfirmed)
CVE-2009-1151 (confirmed)

Version 12. May 26, 2011
additional changes (many thanks to kahusecurity.com)

See the list of packs covered in the list below

The full table in xls format - Version 12 can be downloaded from here.
I want to thank everyone who sent packs and information  :)

Version 11 May 26, 2011 Changes:
    1. Phoenix2.7
    2. "Dloader" (well, dloader is a loader but the pack is  some unnamed pack http://damagelab.org/lofiversion/index.php?t=20852)
    3. nuclear pack
    4. Katrin
    5. Robopak
    6. Blackhole exploit kit 1.1.0
    7. Mushroom/unknown
    8. Open Source Exploit kit


    10. May 8, 2011 Version 10        Exploit Pack Table_V10May11
    First, I want to thank everyone who sent and posted comments for updates and corrections. 

    *** The Wild Wild West picture is from a great post about evolution of exploit packs by Kahu Security  Wild Wild West Update

    As usual, send your corrections and update lists.

    • Eleonore 1.6.4
    • Eleonore 1.6.3a
    • Incognito
    • Blackhole
    Go1Pack  (not included) as reported as being a fake pack, here is a gui. Here is a threatpost article referencing it as it was used for an attack 
    Also, here is another article claiming it is not a fake http://community.websense.com/blogs/securitylabs/archive/2011/04/19/Mass-Injections-Leading-to-g01pack-Exploit-Kit.aspx
    Go1 Pack CVE are reportedly

    Does anyone have this pack or see it offered for sale?

    Exploit kits I am planning to analyze and add (and/or find CVE listing for) are:

    • Open Source Exploit Kit
    • SALO
    • K0de

    Black color entries by Francois Paget
    Red color entries by Gunther
    Blue color entries by Mila

    Also, here is a great presentation by Ratsoul (Donato Ferrante) about Java Exploits (http://www.inreverse.net/?p=1687)

     9.  April 5, 2011  Version 9        ExploitPackTable_V9Apr11

    It actually needs another update but I am posting it now and will issue version 10 as soon as I can.

    Phoenix 2.5
    Bleeding life

    Many thanks to Gunther for his contributions.
    If you wish to add some, please send your info together with the reference links. Also please feel free to send corrections if you notice any mistakes

    8. Update 8 Oct 22, 2010 Version 8 ExploitPackTable_V8Oct22-10

    1. Eleonore 1.4.4 Moded added (thanks to malwareint.blogspot.com)
    2. Correction on CVE-2010-0746 in Phoenix 2.2 and 2.3. It is a mistake and the correct CVE is CVE-2010-0886 (thanks to
      etonshell for noticing)
    3. SEO Sploit pack added (thanks to whsbehind.blogspot.com,  evilcodecave.blogspot.com and blog.ahnlab.com)

    7. Update 7 Oct 18, 2010 Version 7 ExploitPackTable_V7Oct18-10 released
     thanks to SecNiche we have updates for Phoenix 2.4 :)
    We also added shorthand/slang/abbreviated names for exploits for easy matching of exploits to CVE in the future. Please send us more information re packs, exploit names that can be added in the list. Thank you!

    6. Update 6 Sept 27, 2010 Version 6 ExploitPackTable_V6Sept26-10 released
     Thanks to Francois Paget (McAfee) we have updates for Phoenix 2.2 and Phoenix 2.3

    5. Update 5. Sept 27, 2010 Version 5 ExploitPackTable_V5Sept26-10 released
    Added updates for Phoenix 2.1 and Crimepack 3.1.3

    4 Update 4  July 23, 2010  Version 4 ExploitPackTable_V4Ju23-10 released. Added a new Russian exploit kit called Zombie Infection Kit to the table. Read more at malwareview.com
    Update 3  July 7, 2010. Please read more about this on the Brian Krebs' blog Pirate Bay Hack Exposes User Booty 
    Update 2 June 27, 2010 Sorry but Impassioned Framework is back where it belongs - blue
    Update 1 June 24, 2010 Eleonore 1.4.1 columns was updated to include the correct list of the current exploits.

    Francois Paget  www.avertlabs.com kindly agreed to allow us to make additions to his Overview of Exploit Packs table published on Avertlabs (McAfee Blog)

    Many thanks to Gunther from ARTeam for his help with the update. There are a few blanks and question marks, please do no hesitate to email me if you know the answer or if you see any errors.

    Please click on the image below to expand it (it is a partial screenshot)  Impassioned Framework is tentatively marked a different color because the author claims it is a security audit tool not exploit pack. However, there was no sufficient information provided yet to validate such claims. The pack is temporarily/tentatively marked a different color. We'll keep you posted.

    Posted: 12 May 2015 | 9:05 pm

    Freedome VPN For Mac OS X

    Take a look at this:

    F-Secure Freedome Mac OS X

    F-Secure Freedome for OS X (freshly installed on a Labs Mac Team MacBook).


    The beta is now open for everyone to try for 60 days at no cost.

    Download or share.

    On 24/04/15 At 12:37 PM

    Posted: 24 Apr 2015 | 1:37 am

    A More Realistic Perspective on Cybersecurity from the Director of the NSA

    A few days ago Admiral Mike Rodgers, director of the NSA and Commander of the U.S. Cyber Command, gave a keynote address at the Billington Cybersecurity Summit. His message was strong and clear, CYBER-RESILIENCY. He discussed the impractical reactions typical to cyber intrusions today. After an attack a network may temporarily shut down and operations will cease in government and private sector organizations alike. Both the Admiral and us here at Cyber Engineering Services believe this is an unnecessary and damaging response.

    The goal of network security should be to monitor traffic and be ready to fight as quickly as possible in the face of an attack while keeping the network and productivity online. In his speech the admiral emphasized something that the experts at Cyber Engineering Services were forced to acknowledge long ago, cyber intrusions will happen no matter what defenses are in place. As fast as the good guys can develop technology to stop them, cyber criminals develop new weapons to get into networks.

    Accepting this can be a hard pill for companies to swallow as it is natural to want to put an end to all intrusions and data loss. However accepting this problem doesn’t change it’s nature, it allows for the development of more realistic strategies. As the admiral puts it, “This is not a small problem. It’s not going away. Technology will not catch up. This is foundational to the future. I need your help.” Basically, the director of the NSA is explaining the government alone is not going to conquer this problem, private sector needs to step up to the plate and get realistic and proactive.

    At Cyber Engineering Services we are very excited to see key individuals in the Cybersecurity war spreading accurate and motivating information. Our whole strategy at Cyber Engineering Services is based on a deep understanding of these realities. We have designed a system and a team of experts that is ready to watch, respond, and stem damage at a moments notice. We are ready to do our part in the Cyber-Resiliency revolution by helping companies monitor their network traffic and respond in a way that stops the damage while keeping companies running and production as smooth as possible.

    If you’d like to read more of the Admirals message see the link below to a summary written by Mike Donohue.

    NSA Rodgers Urges Cyber-Resiliency

    Posted: 19 Sep 2014 | 2:46 pm