Kaspersky Lab, Kyrus Tech and Microsoft Disable the Hlux/Kelihos Botnet


In their ongoing assault against botnet operators and the hosting companies that allow anonymous domain registrations which facilitate them, Kaspersky Lab, Microsoft and Kyrus Tech have successfully worked together to take out the Kelihos botnet, originally named Hlux by Kaspersky Lab. Kelihos was used for delivering billions of spam messages, stealing personal data, performing DDoS attacks and many other criminal activities, via an estimated 40,000 computers. Microsoft has also taken legal action against 24 individuals in connection with the infrastructure behind the botnet in a civil case that enabled the takedown of the domains being used to command and control the botnet. Microsoft’s legal action included declarations submitted to court to which contributions were made by Kaspersky Lab, and also a direct declaration from Kyrus Tech providing detailed information and evidence regarding the Kelihos botnet.

Kaspersky Lab has played a pivotal role in taking down the botnet, tracking it since the beginning of 2011, when it started collaborating with Microsoft in tackling Kelihos, including sharing its live botnet tracking system with the US company. Kaspersky Lab has also taken care that the botnet cannot be controlled anymore, and continues to make sure that this is the case. Its specialists reverse-engineered the code used in the bot, cracked the communication protocol, discovered the weaknesses in the peer-to-peer infrastructure, and developed the corresponding tools to counteract it. What’s more, since the offending domains used in the botnet went offline under the court orders Microsoft had secured, Kaspersky Lab has been “sinkholing” the botnet: one of its computers has been inserted into the botnet’s complex internal communications to bring it under Kaspersky Lab’s control.

Acknowledging Kaspersky Lab’s active involvement in taking down the botnet, Richard Boscovich, senior attorney with the Microsoft Digital Crimes Unit, said: "Kaspersky Lab played a key role in this operation by providing us with unique and in-depth insight based upon their technical analysis and understanding of the Kelihos botnet. This contributed to both a successful takedown and as evidence for declarations made about the analysis and structure of the botnet. We are grateful for their support in this matter and their determination to make the Internet safer."

Speaking of the continuing role Kaspersky Lab is playing in controlling Kelihos, Tillmann Werner, senior malware analyst of Kaspersky Lab Germany, said: “Since Kaspersky Lab’s sinkholing operation began on September 26, the botnet has been inoperable. And since the bots are communicating with our machine now, data mining can be conducted to track infections per country, for example. So far, Kaspersky Lab has counted 61,463 infected IP addresses, and is working with the respective ISPs to inform the network owners about the infections.”
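The kind of data mining the quote refers to, as an added illustration that is not Kaspersky Lab's code: connection records from a sinkhole are parsed, deduplicated by source IP, mapped to a country and a responsible ISP, and turned into per-country counts and per-ISP notification lists. The log format, the prefix-to-country table and the abuse contacts are all constructed for the example; a real deployment would consult WHOIS/GeoIP data instead.

```python
"""Aggregate sinkhole contact logs into per-country infection counts and
per-ISP notification lists. Added illustration; the log format, network
allocations and contacts below are constructed, not Kaspersky Lab data."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample of sinkhole connection log lines (hypothetical format):
# ISO timestamp, source IP, source port, bytes received from the bot.
SAMPLE_LOG = """\
2011-09-26T10:01:05Z 198.51.100.23 49152 312
2011-09-26T10:01:07Z 203.0.113.9 51234 312
2011-09-26T10:01:09Z 198.51.100.23 49160 312
2011-09-26T10:02:11Z 192.0.2.77 40000 298
2011-09-26T10:02:15Z 203.0.113.200 51300 312
2011-09-26T10:03:00Z 198.51.100.99 49200 0
"""

# Constructed allocation table standing in for a WHOIS/GeoIP lookup:
# prefix -> (country code, abuse contact of the responsible ISP).
ALLOCATIONS = {
    ipaddress.ip_network("198.51.100.0/24"): ("DE", "abuse@isp-a.example"),
    ipaddress.ip_network("203.0.113.0/24"): ("BR", "abuse@isp-b.example"),
    ipaddress.ip_network("192.0.2.0/24"): ("ZA", "abuse@isp-c.example"),
}


def parse_log(text):
    """Yield (timestamp, ip, nbytes) tuples; malformed lines are skipped
    rather than aborting, since a sinkhole sees plenty of garbage traffic."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            ip = ipaddress.ip_address(parts[1])
            nbytes = int(parts[3])
        except ValueError:
            continue
        yield ts, ip, nbytes


def lookup(ip):
    """Map an address to (country, abuse contact); None when unallocated."""
    for net, info in ALLOCATIONS.items():
        if ip in net:
            return info
    return None


def summarise(text, min_bytes=1):
    """Count unique infected IPs per country and build per-ISP notification
    lists. Connections that sent no bot payload (below min_bytes) are ignored
    so port scanners and probes are not reported as infections."""
    seen = set()
    per_country = defaultdict(int)
    per_isp = defaultdict(list)
    for _, ip, nbytes in parse_log(text):
        if nbytes < min_bytes or ip in seen:
            continue
        info = lookup(ip)
        if info is None:
            continue
        seen.add(ip)
        country, contact = info
        per_country[country] += 1
        per_isp[contact].append(str(ip))
    return dict(per_country), dict(per_isp), len(seen)


if __name__ == "__main__":
    countries, isps, total = summarise(SAMPLE_LOG)
    print(f"{total} unique infected IPs")
    for cc, n in sorted(countries.items()):
        print(f"  {cc}: {n}")
    for contact, ips in sorted(isps.items()):
        print(f"  notify {contact}: {', '.join(ips)}")
```

Deduplicating by IP before counting matters because a single bot reconnects many times; the zero-byte connection in the sample is dropped so that scanners touching the sinkhole do not inflate the infection figure sent to ISPs.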

Kelihos is a peer-to-peer botnet. It consists of layers of different kinds of nodes: controllers, routers and workers. Controllers are machines presumably operated by the gang behind the botnet. They distribute commands to the bots and supervise the peer-to-peer network's dynamic structure. Routers are infected machines with public IP addresses. They run the bot for sending out spam, collecting email addresses, sniffing out user credentials from the network stream, etc.

Microsoft has announced that its Malware Protection Center has added detection for the Kelihos malware to its Malicious Software Removal Tool. Since this tool is widely distributed, the number of infections that have already been cleaned up is significant.

Cooperation between Kaspersky Lab and Microsoft has been ongoing now for some time. Notable recent collaboration includes that on the infamous Stuxnet worm, which hacked industrial control systems like those used in Iran’s nuclear programs.

Kaspersky Lab would like to thank SURFnet for its support in the operation, and especially for providing the perfect infrastructure to run the sinkhole.


Spam Without Borders


There are almost no spam-free zones left in the world today. For many years, spammers have fought hard for areas of the world from which they could launch spam attacks, constantly trying to maintain their conquered territories while annexing new ones. Meanwhile law-enforcement agencies, anti-spam vendors and other interested parties are doing their best to combat the ‘invasion’.

Statistics show that unlike 2010, in 2011 the share of spam distributed from different regions stopped fluctuating from month to month. No longer is half the world’s spam coming from just three countries. The zombie machines used to spread spam emails are now distributed fairly evenly throughout the world, signalling the end of the spammers’ geographical expansion. Infected computers sending spam are now found as far afield as South Africa and on remote Pacific islands.

This shift in the geographical spread of spam sources is primarily down to progress on the legal front, and the growing global reach of the Internet as well as the closure of botnets and affiliate programs. Almost nowhere has escaped the interests of the bot-masters: strong legislation in the developed world is offset by fast and widespread Internet connectivity, while developing nations are catching up in terms of computer access but still have weak anti-spam legislation and low levels of IT security.

“According to Kaspersky Lab, in the near future the BRICS and other rapidly developing countries will top the rating of the most prolific sources of spam because they are of particular interest to the spammers from the ‘legislation/IT protection/number of users/bandwidth’ point of view. We also expect the amount of spam originating from the US to grow, although it will not reach its previous level. Widely available Internet connectivity and a large number of users attract botnet owners in spite of the raft of anti-spam legislation adopted in the country and the high level of IT protection in use,” comments Darya Gudkova, Head of Content Analysis & Research.

More information about the migration of spam sources and the reasons behind it as well as a brief history of the spam industry’s key milestones are available in the article ‘Planet of the Spammers’ by Darya Gudkova at: www.securelist.com.


Kaspersky Lab’s Newest Corporate Security Solution Takes First Place in Independent Testing by Leading IT Security Institute


Kaspersky Endpoint Security 8 for Windows, Kaspersky Lab’s recently unveiled corporate security solution, has received the highest marks in its first independent testing, conducted by leading IT security institute AV-Test.org, one of the most reputable independent security testing labs in the world. The “business product full testing” was conducted in July and August of 2011, during which the beta version of Kaspersky Endpoint Security 8 for Windows was evaluated along with six other vendors’ endpoint security products. All products were awarded the “approved” rating, but the solution from Kaspersky Lab outscored the competition on points, thanks to its outstanding performance on detection and removal of malicious software, in addition to overall usability.

The testing by AV-Test.org evaluated the efficiency of business products in various situations, including protection against zero-day malware attacks, detection of malicious objects, and the detection and removal of malware from an already infected machine. Other factors taken into consideration were the performance of the product (judged by the slowdown of the computer in everyday use) and false detections and warnings regarding legitimate programs. As a result, Kaspersky Lab’s most recent corporate solution received the highest score of 16 out of 18 points - much higher than the average result (12.8 points). Kaspersky Endpoint Security 8 for Windows outperformed its nearest competitor in the malware removal testing, overall performance, and the number of “false positives” (there were no false positive detections for Kaspersky Lab’s solution).

Specific achievements in the testing of Kaspersky Endpoint Security 8 for Windows include a 100% result in “real-world” testing, in which the level of protection against zero-day malware attacks and web and e-mail threats was evaluated. In the static testing the solution from Kaspersky Lab detected 99% of more than 230,000 malware samples. Another 100% result was achieved in detection of widespread malware (of which 5000 samples were used). High effectiveness was also shown in the removal of malicious software, in which 95% of actively running malicious programs were detected and 85% of them removed (compared to the average of 74%).

Nikolay Grebennikov, Chief Technology Officer of Kaspersky Lab, commented: “Kaspersky Endpoint Security 8 for Windows is a tremendous achievement for Kaspersky Lab’s research and development team, and provides a number of major benefits for our corporate clients. One of them is an unparalleled level of security, which was confirmed by the 100% detection rate of zero-day malware attacks and widespread malware. With our new corporate solution businesses are able to improve their IT security even further, utilizing flexible Whitelisting and Application Control features, and support for the cloud-based Kaspersky Security Network.”

Nikita Shvetsov, Director of Anti-Malware Research of Kaspersky Lab, said: “A recent survey conducted by Kaspersky Lab indicates that IT security is one of the top priorities for businesses, especially when it comes to protection from malware. Kaspersky Endpoint Security 8 for Windows provides the deepest level of protection thanks to the fully revised anti-virus engine, cloud-based security system, and other enhancements. We are pleased that the first independent testing revealed the full potential of our new corporate solution, which earned top marks for detection and removal of malicious objects, as well as performance and usability, with zero false positive detections of legitimate software.”

Detailed information on the results of Kaspersky Endpoint Security 8 for Windows in AV-Test.org’s testing can be found at: http://www.av-test.org


Kaspersky Lab Granted Two US Patents for Remote Administration of Computer Networks


Kaspersky Lab, one of the leading developers of secure content and threat management solutions, announces that it has been granted two new patents in the USA – Nos. 8024449 and 8024450 – which both disclose a system and method for remote administration of a computer network. The applications were filed earlier this year, and the patents were both granted on September 20, 2011.

The first patent relates to technology used for the remote administration of a computer network through a local administration proxy. This is needed when the “software as a service” (SaaS) business model is applied - where a supplier develops a web application and administers it independently via its own server, providing the customer with online access to the software. Problems with this model can arise because some computers may not be connected to the Internet, or may be located in a closed network inaccessible to the remote server. Accordingly there is a need to improve techniques for remote administration of a computer network. And this is where Kaspersky Lab’s newly patented technology comes in.

The patent covers systems, methods and computer program products for remote administration of a computer network. It does this by deploying administration agents to the computers on a network to gather information about the hardware and software configuration of each PC. Then on the basis of the collected information the performance rating for each variable of each PC is determined, and the computer with highest rating is selected to act as the local administration proxy for the network. The server then transmits control signals to this local administration proxy that instruct the agents deployed on the computers on the network to perform administrative tasks.

The second patent discloses technology intended for use in large distributed networks having a complex network topology, where personal computers cannot always be administered directly (for example, those allocated in a DMZ). The technology involves installation of special agents on all PCs on a network for collecting information, according to which the most suitable nodes are determined for delegating the necessary administrative tasks from the central server to all the computers on the network. Choosing such a node for the delegation of tasks may be based on a number of parameters, such as the location of the computer in the network topology, its availability, and so on.
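The two selection schemes just described, as one added example that is not Kaspersky Lab's implementation and is not derived from the patent texts: agents report a small inventory about their hosts, each host is rated per variable against the rest of its network segment, the highest-rated host that the server can actually reach is chosen as the segment's local administration proxy, and the server then sends one control signal per segment to that proxy, which fans the task out to the agents. The report fields, the rating weights, the eligibility rule and the relay messages are all assumptions made for the illustration.

```python
"""Choose a local administration proxy per network segment and relay tasks
through it. Added illustration; the report fields, weights and relay format
are assumptions, not the patented implementation."""
from dataclasses import dataclass


@dataclass
class AgentReport:
    """Inventory an agent sends back about its host (constructed fields)."""
    host: str
    cpu_cores: int
    ram_gb: float
    uptime_hours: float
    server_reachable: bool   # can the central server contact this host directly?
    segment: str             # topology location, e.g. "lan" or "dmz"


# Relative weights for the per-variable ratings (assumed values; uptime is
# weighted higher because a proxy that keeps rebooting is useless).
WEIGHTS = {"cpu": 1.0, "ram": 1.0, "uptime": 2.0}


def rate(report, peers):
    """Rate each variable relative to the best host in the segment, then
    combine with the weights. Hosts the server cannot reach are ineligible
    (-1.0): a proxy must be able to receive the server's control signals."""
    if not report.server_reachable:
        return -1.0
    max_cpu = max(p.cpu_cores for p in peers)
    max_ram = max(p.ram_gb for p in peers)
    max_up = max(p.uptime_hours for p in peers)
    score = (WEIGHTS["cpu"] * report.cpu_cores / max_cpu
             + WEIGHTS["ram"] * report.ram_gb / max_ram
             + WEIGHTS["uptime"] * report.uptime_hours / max_up)
    return score / sum(WEIGHTS.values())


def select_proxy(reports):
    """Highest-rated eligible host, or None when the server can reach nobody
    in the segment (that segment then needs another delivery path)."""
    best = max((rate(r, reports), r.host) for r in reports)
    return best[1] if best[0] >= 0 else None


def select_proxies(reports):
    """One proxy per segment, so DMZ hosts the server cannot administer
    directly are served through a reachable neighbour."""
    by_segment = {}
    for r in reports:
        by_segment.setdefault(r.segment, []).append(r)
    return {seg: select_proxy(rs) for seg, rs in by_segment.items()}


class Server:
    """Central administration server that only talks to the chosen proxies."""

    def __init__(self, reports):
        self.hosts = {r.host: r for r in reports}
        self.proxies = select_proxies(reports)
        self.log = []   # (direction, host, task) records, for auditing

    def dispatch(self, task):
        """Send one control signal per segment; the proxy instructs the
        agents in its segment. Segments without a proxy are reported, not
        silently skipped, because an unmanaged segment is itself a risk."""
        results = {}
        for seg, proxy in self.proxies.items():
            if proxy is None:
                results[seg] = "unreachable"
                continue
            members = [h for h, r in self.hosts.items() if r.segment == seg]
            self.log.append(("server->proxy", proxy, task))
            for h in members:
                self.log.append(("proxy->agent", h, task))
            results[seg] = f"{task} via {proxy} to {len(members)} hosts"
        return results


def sample_reports():
    """Constructed fleet: a powerful but freshly rebooted workstation, a DMZ
    whose only server-reachable host is a small bastion, and a lab segment
    the server cannot reach at all."""
    return [
        AgentReport("ws-01", 2, 4, 10, True, "lan"),
        AgentReport("ws-02", 4, 8, 300, True, "lan"),
        AgentReport("ws-03", 8, 16, 5, True, "lan"),
        AgentReport("dmz-bastion", 2, 4, 500, True, "dmz"),
        AgentReport("dmz-web-1", 8, 32, 800, False, "dmz"),
        AgentReport("dmz-web-2", 8, 32, 700, False, "dmz"),
        AgentReport("lab-01", 4, 8, 100, False, "lab"),
    ]


if __name__ == "__main__":
    server = Server(sample_reports())
    print(server.proxies)
    print(server.dispatch("update-signatures"))
```

Note that the highest raw hardware score does not win: ws-03 is rated below ws-02 because its uptime is tiny, and the two DMZ web servers are excluded outright because the server cannot reach them, which is exactly the case the second patent describes.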

The invention enables the administration server and the endpoints to interact in a distributed fashion so that the latter can carry out administrative operations. This helps in the administration of a large corporate network, which today may incorporate printers, scanners, fax machines, and mobile communication devices. Failures in network management may result in network security breaches, computer malfunctions, and other problems that can negatively affect employee productivity and cost thousands of dollars in lost profits and repair costs. The current invention makes it possible to better organize interaction between the administration server and computers in the network for accomplishing all types of necessary administrative tasks more reliably.

At present Kaspersky Lab technologies are protected by 43 Russian and 34 US patents, and the company has a further 32 and 47 patent applications pending in the two countries, respectively. Another 42 patent applications covering innovative technologies in the information security field are currently being examined by the Chinese and European patent offices.
