Jul 05

OSX continues to be exploited

Once again, Apple’s OS X is being confronted with a security risk. The latest backdoor has been discovered by Russian security firm Kaspersky Lab and is being used as part of an Advanced Persistent Threat (APT) campaign. This is just the latest in a series of security risks present in the Mac OS X operating system.

Kaspersky researchers found that Uyghur activists in China were being targeted by hackers. These hackers sent e-mails with a compromised attachment that was in the form of a JPEG. The code hidden inside the JPEG was a new form of the MaControl backdoor and is compatible with both the PowerPC and i386 Mac variants.

The researchers found that the Command and Control server that the malware was reporting back to was located in China. This suggests that it could be the government trying to keep tabs on these activists. For years, users believed that Mac OS X was safer than Windows. However, with all of these recent outbreaks, people are starting to realize this is not the case.

It had seemed safer because few hackers targeted Macs, owing to their low market penetration. Apple has now recognized the change and taken down a claim on its website that Macs weren’t susceptible to the same malware as Windows PCs. Clearly, the company is no longer sure this is the case.

Most recently, Kaspersky Lab researchers found that cyberthreats targeting the Mac OS X platform have been used as part of a comprehensive campaign against Uyghur activists, apparently presumed to be using Macs, by sending customized e-mails with attached ZIP files delivering a malicious Mac OS X backdoor.

Like countless threats targeting Windows, the infected ZIP file is delivered as a phishing attack leveraging social engineering techniques, enticing victims with a JPEG photo that masks the malware.

The Mac OS X attack appears to be a new threat, detected as the most recent variant of the MaControl backdoor Trojan, which supports both i386 and PowerPC Macs. Once it gains entry, the Trojan installs itself on the Mac and immediately connects to its command and control center, which appears to be located in China, for instructions. The backdoor then has the ability to list and transfer files, as well as run commands on the victim’s Mac at the discretion of the malware’s operators.

The new MaControl variant is the latest in a string of recent APT-driven attacks this year targeting the Mac OS X platform. In April, Kaspersky Lab researchers detected an active APT campaign, the so-called SabPub, which targeted Mac OS X by exploiting an MS Office vulnerability in the Office suite running on the platform. Once the Trojan was installed on a victim’s Mac OS X system, it could take screenshots of the user’s current session and execute commands on the infected computer.

Prior to that, the Flashback Trojan ran rampant on users’ Macs, creating a botnet comprised of more than 700,000 infected computers.

While Mac threats haven’t yet reached the same heights as their Windows counterparts, the numbers are on a steady incline and will continue to grow, thanks in large part to rising Mac OS X market share.

That said, the barrage of new Mac threats could open up new opportunities for security partners with tried and true mechanisms long-deployed on Windows environments. For one, the rising tide of Mac threats could easily pave the way for channel partners to add Mac security products and mechanisms to their portfolio.

Also, unlike previous years, the highly publicized spate of Mac threats will allow partners to simply start conversations with their customers in regards to securing their Mac environments.

Historically, with market share in the single digits, Mac OS X has not been a highly lucrative target for cyber criminals. As such, Macs became known as the “secure” platform, lulling users into a false sense of security and making them largely resistant to any external security product or best practice.

But that might be changing. As threats targeting the Mac platform continue to emerge, many users will have to play “catch-up,” with everything from security best practices and awareness, to products and management for Mac environments.

Those knowledge gaps leave potential windows of opportunity for the channel, enabling partners to essentially go back to square one with basic security consulting services, and standard security software dedicated to the Mac OS X platform once thought to be immune to threats.


Jun 05

Flame malware using Windows Update to spread

Security researchers today published detailed information about how the Flame cyber-espionage malware spreads through a network by exploiting Microsoft’s Windows Update mechanism.

Their examinations answered a question that had puzzled researchers at Moscow-based Kaspersky Lab: How was Flame infecting fully-patched Windows 7 machines?

Key to the phony Windows Update process was that the hackers had located and exploited a flaw in the company’s Terminal Services licensing certificate authority (CA) that allowed them to generate code-validating certificates “signed” by Microsoft.

Armed with those fake certificates, the attackers could fool a Windows PC into accepting a file as an update from Microsoft when in reality it was nothing of the kind.

One of the certificates was valid between February 2010 and February 2012, and used to sign the malicious file in late December 2010, adding more information to experts building a timeline of Flame’s development and attacks.

Other security experts were even more impressed with what Flame managed. Earlier Monday, Mikko Hypponen, F-Secure’s chief research officer and the first to announce that Flame was abusing Windows Update, called the feat “the Holy Grail of malware writers” and “the nightmare scenario” for antivirus researchers.

Microsoft released a security alert and patch due to the disturbing news that the hugely complex Flame malware has spoofed MS-signed certificates, potentially making Microsoft Update a malware delivery mechanism.

Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.

It’s a scenario security researchers have long worried about, a man-in-the-middle attack that allows someone to impersonate Microsoft Update to deliver malware — disguised as legitimate Microsoft code — to unsuspecting users.

And that’s exactly what turns out to have occurred with the recent Flame cyberespionage tool that has been infecting machines primarily in the Middle East and is believed to have been crafted by a nation-state.

According to Microsoft, which has been analyzing Flame, along with numerous antivirus researchers since it was publicly exposed last Monday, researchers there discovered that a component of Flame was designed to spread from one infected computer to other machines on the same network using a rogue certificate obtained via such a man-in-the-middle attack. When uninfected computers update themselves, Flame intercepts the request to the Microsoft Update server and instead delivers a malicious executable to the machine that is signed with a rogue, but technically valid, Microsoft certificate.

The massive and complex Flame malware, linked to state-sponsored espionage and information-gathering, has managed to spoof Microsoft-signed digital certificates, creating the potential for man-in-the-middle attacks on the Microsoft Update system.
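A defender-side illustration of the certificate point in this post, written here in Go and not code from the original article or from Microsoft: a signature verifier must require the code-signing purpose on every CA in the path, not merely on the leaf certificate that the update carries. The root, the "Constructed Licensing CA", the signer and their keys are all constructed in memory for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed three-tier PKI: a root, the CA that issues signer
// certificates, and a leaf certificate offered as the signer of an "update".
type Chain struct {
	Root, Issuer, Leaf *x509.Certificate
}

// template builds a certificate template; eku == nil means no EKU extension,
// which validators treat as "any purpose".
func template(serial int64, cn string, ca bool, eku []x509.ExtKeyUsage) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// sign issues tmpl under parent with the parent's private key (self-signed
// when parent is nil) and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain constructs root -> issuer -> leaf. Only the issuing CA's EKU is
// parameterised; the leaf always claims code signing on its own authority, as a
// certificate minted through a CA intended for another purpose would.
func BuildChain(issuerEKU []x509.ExtKeyUsage) (*Chain, error) {
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	root, err := sign(template(1, "Constructed Root CA", true, nil), nil, &keys[0].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	issuer, err := sign(template(2, "Constructed Licensing CA", true, issuerEKU), root, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	leaf, err := sign(template(3, "Constructed Update Signer", false,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}), issuer, &keys[2].PublicKey, keys[1])
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Issuer: issuer, Leaf: leaf}, nil
}

// VerifyForCodeSigning validates the leaf up to the root and requires the
// code-signing purpose to be permitted by every certificate on the path, not
// just asserted by the leaf. A nil return means the chain is accepted.
func VerifyForCodeSigning(c *Chain) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Issuer)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// LicensingOnlyIssuerAccepted reports whether a signer minted by a CA whose EKU
// is limited to server authentication is accepted for code signing (it must not be).
func LicensingOnlyIssuerAccepted() (bool, error) {
	c, err := BuildChain([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		return false, err
	}
	return VerifyForCodeSigning(c) == nil, nil
}

// CodeSigningIssuerAccepted is the control case: the issuing CA is allowed to
// vouch for code signing, so the same leaf verifies.
func CodeSigningIssuerAccepted() (bool, error) {
	c, err := BuildChain([]x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning})
	if err != nil {
		return false, err
	}
	return VerifyForCodeSigning(c) == nil, nil
}

func main() {
	ok, err := LicensingOnlyIssuerAccepted()
	fmt.Println("issuer limited to server auth: accepted =", ok, "err =", err)
	ok, err = CodeSigningIssuerAccepted()
	fmt.Println("issuer permitted to code-sign: accepted =", ok, "err =", err)
}
```

A CA with no EKU extension at all would also pass this check, which is why an over-broad intermediate has to be distrusted outright rather than worked around by the verifier.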

Jun 01

New Flame Malware Discovered

Security software firm Kaspersky Lab recently discovered a new malware used as a cyber weapon to attack certain countries.

Worm.Win32.Flame or “Flame” has the ability to steal data such as e-mails, audio recordings, photos, documents, messages and discussions from infected computers.

According to Kaspersky Lab, the captured information is sent to a network of command-and-control servers located in different parts of the world.

It added that Flame is much more sophisticated than the Duqu malware, which sneaks into computers by hiding in documents such as Microsoft Word files.

The new malware is described as having “worm-like” features, and “can replicate in a local network and on removable media if it is commanded by its master.”

Flame occupies about 20 megabytes of disk space, which Kaspersky Lab said is rather uncommon for malware that is trying to avoid detection.

It records audio through the internal microphone, and can use Bluetooth to collect information about discoverable devices near the infected computer.

Kaspersky Lab said Flame has so far infected computers in seven Middle Eastern countries namely Iran, Israel/Palestine, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

Through its antivirus software, Kaspersky is aware of the virus infecting 600 machines, but Vitaly Kamluk, chief malware expert at Kaspersky Lab, believes there are probably thousands of compromised machines. It can record audio, grab screenshots and monitor keyboard activity and network traffic. It can even record Skype conversations and download contact information from nearby Bluetooth-enabled mobile phones.

Kamluk says it appears the developers and controllers of the Flame malware, which spreads through Microsoft Windows-based computers, were able to use it to obtain vital information and also to “destroy” operating systems, rendering machines “completely broken”.

Flame, Kamluk says, is part of a “small group of malicious applications that can be referred to as ‘cyber weapons’”. With all its modules, the virus is 20MB in size, which is unusually large for malware.

Kaspersky Lab has tried to determine who wrote the software, but admits it hit a brick wall in its investigations. “There was obviously no contact information in the body of the malware, so we tried to find out what it does and where it is controlled from,” Kamluk says. “We discovered dozens of servers located in different countries.”

This post sponsored by 1 to 1 Risk Control IT Consulting in Oklahoma City, Oklahoma

May 31

What is the Flame virus or Flame malware?

The computers of high-ranking Iranian officials appear to have been penetrated by a data-mining virus called Flame, in what may be the most destructive cyberattack on Iran since the notorious Stuxnet virus, an Iranian cyberdefense organization confirmed on Tuesday.

Israel has dismissed suggestions that it might be behind the Flame cyber-attack.

Several media reports linked comments made by the country’s vice prime minister with the malware, which has infected more than 600 targets.

However, a spokesman for the Israeli government told the BBC that Moshe Ya’alon had been misrepresented.

Security experts said it was still too early to pinpoint the source of the attack.

Mr Ya’alon, who is also Israel’s minister of strategic affairs, discussed the attacks on Israel’s military radio station, Army Radio.

“There are quite a few governments in the west that have rich high-tech [capabilities] that view Iran, and particularly the Iranian nuclear threat, as a meaningful threat – and can possibly be involved with this field,” he said.

“I would imagine that everyone who sees the Iranian nuclear threat as a significant one, and that is not only Israel, it is the entire Western world, headed by the United States of America, would likely take every single measure available, including these, to harm the Iranian nuclear project.”

When asked to clarify Mr Ya’alon’s comments by the BBC, a spokesman for the minister said: “There was no part of the interview where the minister has said anything to imply that Israel was responsible for the virus.”

In a message posted on its Web site, Iran’s Computer Emergency Response Team Coordination Center warned that the virus was dangerous. An expert at the organization said in a telephone interview that it was potentially more harmful than the 2010 Stuxnet virus, which destroyed several centrifuges used for Iran’s nuclear enrichment program. In contrast to Stuxnet, the newly identified virus is designed not to do damage but to collect information secretly from a wide variety of sources.

Security experts have only begun examining the thousands of lines of code that make up Flame, an extensive, data-mining computer virus that has been designed to steal information from computers across the Middle East, but already digital clues point to its creators and capabilities.

Researchers at Kaspersky Lab, which first reported the virus Monday, believe Flame was written by a different group of programmers from those who had created other malware directed at computers in the Middle East, particularly those in Iran. But Flame appears to be part of the state-sponsored campaign that spied on and eventually set back Iran’s nuclear program in 2010, when a digital attack destroyed roughly a fifth of Iran’s nuclear centrifuges.

What is Flame?
Flame is a sophisticated attack toolkit that leaves a backdoor, or Trojan, on computers and can propagate itself through a local network, like a computer worm does. Kaspersky Lab suspects it may use a critical Windows vulnerability, but that has not been confirmed, according to a Kaspersky blog post. Flame can sniff network traffic, take screenshots, record audio conversations, log keystrokes and gather information about discoverable Bluetooth devices nearby and turn the infected computer into a discoverable Bluetooth device. The attackers can upload additional modules for further functionality. There are about 20 modules that have been discovered and researchers are looking into what they all do. The package of modules comprises nearly 20 megabytes, over 3,000 lines of code, and includes libraries for compression, database manipulation, multiple methods of encryption, and batch scripting. The malware is named after one of the main modules that is responsible for attacking and infecting additional computers. There are multiple versions circulating, which are communicating with as many as 80 different command-and-control servers. Kaspersky has an updated technical analysis here and McAfee’s technical blog post is here. This report on the malware, from the Laboratory of Cryptography and System Security (CrySyS Lab) at Budapest University of Technology and Economics, refers to the threat as “sKyWIper.”
“Flame is very modular. Basically a target will get infected with the main component and then the attackers will only upload modules to the target as they see fit,” Schouwenberg said. “We assume that we don’t have all the modules that exist in the wild.”

How does it spread?
Flame spreads within a network via a USB thumb drive, network shares, or a shared printer spool vulnerability, but spreads only when instructed to do so by the attackers. It’s unclear what the initial point of entry is. “We expect to find a spear phishing e-mail with a Zero-Day exploit,” Schouwenberg said.

How long has Flame been around?
“We have the first confirmed report of Flame in the wild in 2010, but there is circumstantial evidence that dates it back to 2007 and some speculate it may go back further than that,” Schouwenberg said. Kaspersky Lab researchers discovered the malware several weeks ago after being asked by the United Nations’ International Telecommunication Union for help in uncovering malware dubbed “Wiper” that was stealing and deleting sensitive information on computers in Iran’s oil sector.

How does Flame relate to Wiper?
“Wiper could be a Flame module that is uploaded to a target machine when the attackers want to wipe the data from the computer. There is no evidence to link the two together, but the timing is coincidental,” Schouwenberg said. “So, we have an open mind to Wiper being a Flame plug-in.” Iran’s National Computer Emergency Response Team (CERT), which is called “Maher,” said software to detect Flame was sent to companies in that country at the beginning of May and a removal tool is ready now. Recent incidents of mass data loss in Iran “could be the outcome of some installed module of this threat,” the center said, speculating that the attacks in which data was lost from Iran’s gas company computers may have been linked to Flame. Officials in Iran suspect that Wiper and Flame are somehow linked, the Associated Press reports.

Why wasn’t Flame discovered earlier?
Whoever created Flame took extreme efforts to write the code so that it would evade detection for as long as possible. “Clearly it’s another multimillion-dollar project with government funding, so one of the top priorities has been stealth,” Schouwenberg said. While a later variant of Stuxnet was detected because it spread aggressively, Flame only spreads after it is instructed to do so remotely. Flame is unusually large in size and uses an uncommon scripting language, Lua, so it doesn’t look malicious at first glance. “Flame authors have adopted the concept of hiding in plain sight,” he said. Because Flame doesn’t use a rootkit technology, free anti-rootkit tools won’t be able to detect it. “Finding it is going to be more complicated,” according to Schouwenberg.

Who is being targeted with Flame?
The highest proportion of infections are in Iran, followed by “Israel/Palestine,” Sudan, Syria, Lebanon, Saudi Arabia and Egypt, according to Kaspersky. Symantec says the primary targets are in “the Palestinian West Bank, Hungary, Iran and Lebanon.” “With Flame, we haven’t been able to say what binds all the targets together other than that they are in the same geographical region,” Schouwenberg said. “We are trying to work with incident response teams globally to contact these victims and find out more, but right now we don’t know what type of data has been stolen.” Victims include educational institutions, state-related organizations and individuals.

This post sponsored by www.osxantimalware.com Antivirus for Mac

May 29

Stuxnet type malware discovered in Middle East

Researchers have discovered what they say is the most sophisticated malware ever discovered running rampant in the Middle East. First revealed by Kaspersky Lab, Flame is several times larger than Stuxnet, and appears to have been targeted at Iran’s oil ministry and main oil export terminal.

Flame is a backdoor Trojan with worm-like features that allow it to replicate in a local network and on removable media on command. Once a machine’s infected, it starts sniffing network traffic, taking screenshots, intercepting the keyboard and even recording audio conversations.

It’s a huge package of modules, comprising almost 20 MB in size when fully deployed.

What’s most astonishing is that Kaspersky believes that the Worm.Win32.Flame virus has been out there undetected for over two years.

Among other things, it can use a computer’s microphone to record conversations, take screenshots of particular applications when in use, record keystrokes, sniff network traffic and communicate with nearby Bluetooth devices.

One of the toolkit’s first versions was likely created in 2010 and its functionality was later extended by leveraging its modular architecture, said Vitaly Kamluk, chief malware expert at Kaspersky Lab.

Flame is much bigger than both Duqu and Stuxnet, which at around 500KB in size were already considered large by security experts. The size of all Flame components combined adds up to over 20MB and one file in particular measures over 6MB alone, Kamluk said.

Another interesting aspect of the threat is that some parts of Flame were written in Lua, a programming language that’s highly uncommon for malware development. Lua is often used in the computer gaming industry, but Kaspersky Lab hasn’t seen any malware samples before Flame that were written in the language, Kamluk said.

Flame spreads to other computers by copying itself to portable USB devices and also by exploiting a now-patched Microsoft Windows printer vulnerability that was also leveraged by Stuxnet.

Sponsored by: 1 to 1 Risk Control Oklahoma City IT and Cybersecurity Consulting

May 18

Facebook and Android top malware targets

Android plagued with malware

Android smartphones rock, but whether you use Avast, Lookout, the new Sophos, or another freebie antivirus/security app, you better lock and load to protect your Android before you become a victim and a stat.

Android, once dubbed a “cyber menace,” is too popular, too juicy and potentially too lucrative a target for malware writers to ignore. In fact, a new F-Secure report suggests malware writers are getting craftier by creating trojanized apps that can defeat anti-virus detection. F-Secure released its latest mobile threat report [PDF] concerning the first quarter of 2012, and Android malware has grown exponentially. Since a year ago, the number of new malware variants has quadrupled and the number of malicious Android application package files (APKs) had a “staggering” increase of “139 to 3063 counts.”

Facebook target of malware campaign

A new fraud campaign aims to separate users of Facebook, Google Mail, Hotmail, and Yahoo from their debit card data.

We’ve recently discovered a series of attacks being carried out by a P2P variant of the Zeus platform against some of the Internet’s leading online services and websites.

The Facebook scam offers people a 20% discount if they link their Visa or MasterCard details to their Facebook account. “The scam claims that after registering their card information, the victim will earn cash back when they purchase Facebook points,” said Klein. A fake Web form then requests that the user enter their debit card number, its expiration date, as well as their security code and PIN.

In the Gmail, Hotmail, and Yahoo variations, the scam “offers an allegedly new way of authenticating to the 3D Secure service offered by the Verified by Visa and MasterCard SecureCode programs,” said Klein. In particular, the scam suggests that Google and Yahoo users can tie the 3D Secure password issued by their bank to, respectively, their Google Checkout and Yahoo Checkout accounts. It then requests the person’s debit card number, expiration date, security code, and 3D Secure PIN code. For Hotmail users, attackers have tweaked the language slightly to suggest that without the 3D Secure code being entered, users won’t be able to use Hotmail to make any purchases.


Sponsored by osxantimalware.com – antivirus for mac

May 16

Wikipedia Ads and Malware

Wikipedia visitors seeing commercial ads on its pages may be surfing online with an infected Web browser, the popular online encyclopedia warned.

As long-time users are fully aware, Wikipedia does not display commercial advertisements on any of its pages. Instead, the site relies on voluntary contributions from its user community to keep running. It also runs fund-raising appeals, usually at the end of the year, to raise the necessary funds.

Visitors to Wikipedia who see advertisements on the site have most likely fallen victim to a browser-based malware infection, Wikimedia Foundation, the organization operating the website, said on Monday.

“We never run ads on Wikipedia,” said Philippe Beaudette, director of community advocacy for the Wikimedia Foundation, in a blog post. “If you’re seeing advertisements for a for-profit industry … or anything but our fundraiser, then your web browser has likely been infected with malware.”

One example of such malware is a rogue Google Chrome extension called “I want this,” Beaudette said. However, similar malicious add-ons might also exist for Mozilla Firefox, Internet Explorer and other browsers, he said.

May 14

Malware threats growing online and getting tougher to detect

New Malware Campaign

A new malware campaign is making the rounds of the Internet, taking advantage of curiosity and sympathy surrounding the passing of Beastie Boys’ Adam Yauch (a.k.a. MCA).

Trend Micro said the attack appeared to target specific recipients, using a news item about Yauch’s death as a social engineering lure.

“We have found an email sample that leverages Yauch’s death to entice users to download and open the malicious attachment. The message appears as a news item from a non-profit organization that features the late musician’s recent passing,” it said.

It said the email contains a .DOC file attachment, which is supposed to contain the complete story.

But users who download and open the .DOC attachment are actually executing a malware detected by Trend Micro as TROJ_DROPPR.JET.

“This Trojan file drops another malicious file, detected as TROJ_SWYSYN.SME, that connects to possibly malicious URLs,” Trend Micro said.

Online ads serving malware

One of the sneakiest scams among cybercrooks these days involves malicious advertisements that can infect a computer with nasty software even if a person merely happens onto a website where the ads appear and doesn’t click on them.

These sinister ads, called “malvertisements,” can steal bank account passwords, disable computers or cause other mischief, and have claimed millions of victims. And some experts fear worse problems may be ahead.

“What we are seeing today is the canary in the mine,” said Craig Spiezle, executive director of the nonprofit Online Trust Alliance, which seeks to bolster consumer confidence in cyberspace. “It’s an early warning and if we don’t do more to secure the ad infrastructure, we run the risk of having much broader distribution of malware than we have today.”

Phony Flash Player

Adobe Flash Player users beware: A website that promises visitors a free copy of the download for all versions of Android is reportedly planting malware on smartphones running Google’s mobile operating system.

The infected web page used to distribute the malware was discovered in a number of Russian domains, wrote Karla Agregado, a fraud analyst with Trend Micro, in a recent company blog. A similar tactic emerged last month to infect Android phones with bogus copies of Angry Birds and Instagram.

When a visitor clicks the download button at the infected site, Agregado explained, a connection is made to another site that, without the guest’s knowledge, sends a malicious APK file to the mobile web surfer’s smartphone.

Once on the phone, the malware starts to secretly send text messages to premium numbers. This scam is a popular one among cyber criminals targeting Android phones.

Amnesty International targeted by malware

People visiting Amnesty.org.uk on Wednesday and Thursday were exposed to malicious code that exploited a now-patched vulnerability in Oracle’s Java software framework, according to a blog post published Friday by Websense. End users who hadn’t yet applied the patch were infected with Gh0stRat, a family of malware that siphons sensitive data from victims’ machines and can also operate Web cams and microphones in real time. The trojan came to light in 2009 when researchers reported that it infiltrated government and private offices in 103 countries. That included computers belonging to the Dalai Lama.

The Java vulnerability targeted on the Amnesty International site has been used in the past to install malware on computers running both Microsoft Windows and Apple’s OS X. Recently, similar espionage attacks have migrated to OS X, and the Flashback malware attack believed to have infected more than 500,000 Macs targeted the same bug. Based on the Websense post, however, it appears this week’s attacks infected only Windows users.

May 11

FBI warns about hotels installing malware

The FBI warned people traveling abroad that attackers are targeting users on hotel networks by tricking them into installing malware under the guise of software updates. The agency’s Internet Crime Complaint Center says any government, business or academic personnel traveling abroad should be especially wary.

The FBI issued an advisory this week alerting international travelers about attempts to infect their computers with malware when they log on to hotel networks.

In an intelligence note from the FBI’s Internet Crime Complaint Center (IC3), the agency warned that attackers have been targeting travelers abroad when they use the Internet connection in their hotel rooms. According to the FBI, when victims attempted to set up the hotel room Internet connection, they were presented with a pop-up window notifying them to update a “widely-used software product.”

“If the user clicked to accept and install the update, malicious software was installed on the laptop,” according to IC3. “The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.”

The FBI recommends checking the author or digital certificate of any prompted update to see if it corresponds to the software vendor, and advises travelers to update the software on their laptops immediately before travelling.

May 09

New malware targeting credit card users

Malware posing as credit card fraud insurance

A piece of financial malware called Tatanga attempts to trick online banking users into authorizing rogue money transfers from their accounts as part of the activation procedure for a free credit-card fraud insurance service purportedly provided by their banks, security researchers from Trusteer said Tuesday.

Tatanga is an online banking Trojan horse that was first discovered in May 2011. It is able to inject rogue Web pages into browsing sessions and affects nine different browsers, including Internet Explorer, Mozilla Firefox, Google Chrome, Opera and Safari. The malware is known to use social engineering techniques against victims in order to bypass security measures enforced by banks, like one-time passwords (OTPs) or transaction authorization numbers (TANs).

A new Tatanga configuration detected recently by Trusteer displays a rogue message inside the browser when the victim authenticates on their bank’s website, claiming that their bank is offering free credit-card fraud insurance to all customers. The message claims that the new service is provided in partnership with Visa and MasterCard and covers losses that might result from fraudulent online transactions performed with the victim’s credit or debit card. The malware grabs the user’s real account balance, rounds it up, and presents the result as the allegedly insured sum.

DNSChanger malware workaround to go offline

The FBI warned recently that people with computers infected by a mysterious malware dubbed DNSChanger will lose Internet and email access in July.

While the warning falls under the category of technology terror stories I normally just ignore and hope for the best, this one sounds like something that many of us might be wise to heed.

The scary part is that many owners of the roughly half a million infected computers in the United States may have no idea their connection to the Web could suddenly end July 9 when the FBI shuts down an expensive workaround to the problem.

Not that more people getting outside in the summer instead of huddling over their keyboards and updating their status on Facebook would necessarily be a bad thing, but that’s another story — and should be a matter of individual choice.

The background, according to the FBI website, is that criminals infected millions of computers around the world with malware that allowed them to control DNS (Domain Name System) servers, forcing unsuspecting users to fraudulent websites and making their computers vulnerable to other kinds of malicious software.

DNS is a critical service that converts user-friendly domain names into numerical addresses that allow computers to talk to each other.

By manipulating the way Internet ads appeared in browsers, the cyber thieves were able to make at least $14 million in illicit fees before the FBI, working with Estonian officials, arrested six Estonian nationals for the crime in November and seized their servers. The two-year investigation that led to the arrests was called Operation Ghost Click.

80% of malware found to be Trojan horse programs

Last year, Trojans represented about 73 percent of all malware, according to PandaLabs’ Quarterly Report for Q1. Worms were the second-most common form of malware in the first quarter of this year at 9.3 percent, followed by viruses at 6.43 percent, adware (2.89 percent), and other malware (0.6 percent).

Worms were the cause of just 8 percent of all infections, while Trojans have become the more popular tool for attackers, causing 66.3 percent of all infections worldwide, according to the report.

Worldwide, the average number of infected PCs is 35.51 percent, a drop of 3 percent since 2011. China is home to the most infected PCs, with 54.1 percent of its desktops infected, followed by Thailand (47.15 percent) and Turkey (42.75 percent). European nations tend to have the fewest infected machines, with Sweden the cleanest at less than 20 percent of computers infected. Japan has less than 30 percent of its computers infected.