The case of the “Superfish” adware has caused quite a sensation through its association with computer technology company Lenovo. However, the following report shows that “Superfish” is just the tip of the iceberg. It explains the implications of and possibilities for misuse. By way of an example, experts at G DATA SecurityLabs have investigated a piece of update software involved in the case, to illustrate the risks of certificate misuse.

Babar: espionage software finally found and put under the microscope

G DATA experts analyze malware mentioned in CSEC documents leaked by Snowden


Author: Paul Rascagnères

Almost a year after Operation SNOWGLOBE was publicly mentioned for the first time by the famous French newspaper Le Monde, security experts have now laid hands on malware samples that match the descriptions made by the Communications Security Establishment Canada (CSEC). The following analysis is the first report about the espionage malware dubbed Babar, which the whole computer security community searched for. After the disclosure about EvilBunny [1], Babar is now a second component identified to be related to Operation SNOWGLOBE and is believed to be coded by the same developers. Babar’s feature set includes keystroke logging, clipboard logging and, most interestingly, the possibility to log audio conversations – the elephant has big ears!

Analysis of Project Cobra

Another extensible framework used by the Uroburos’ actors


Author: Paul Rascagnères

Project Cobra and the Carbon System were mentioned by Kaspersky in the article called “The Epic Turla Operation”. This malware is used by the same actors as Uroburos (aka Snake/Turla) and Agent.BTZ. We estimate that the Carbon System was developed after Agent.BTZ and before Uroburos. The Carbon System shares some technical details with Uroburos and Agent.BTZ (encryption key, encryption algorithm, design, …) and some other links, such as the name of the snake-related project: Cobra. Uroburos could be considered a kernel-centric “snake” and the Cobra Carbon System a userland-centric “snake”.

Author: Paul Rascagnères

In November 2014, the experts of the G DATA SecurityLabs published an article about ComRAT, the Agent.BTZ successor. We explained that this case is linked to the Uroburos rootkit. We assume that the actor behind these campaigns uses several different malware strains in order to compromise the targeted infrastructure: Uroburos, a rootkit; Agent.BTZ/ComRAT, remote administration tools or Linux malware and maybe even more.

BKA strikes a blow against botnet operators

G DATA provides free tool for purging Dropperbot


Author: Sabrina Berkenkopf

The Federal Criminal Police Office (Bundeskriminalamt; BKA) has made a successful strike against cyber criminals by halting the distribution of Dropperbot. The main task of the malware, which, according to initial reports, has infected 11,000 computers across the world, was to steal data from infected computers – until it was discovered. Around half of the infections have been detected in Germany. Now that the perpetrators have been arrested, it is a matter of cleaning up the PCs. G DATA is providing all computer users with a free tool to detect and remove Dropperbot that works independently of the installed AV software.

Money is what matters, and visitors are money

Or: Why online casino advertising appears on legitimate websites


Author: Sabrina Berkenkopf

Gambling has always been a somewhat shady area – online and offline. In the digital world, the proportion of legal gambling sites is vanishingly small [1], in Germany at least, compared to the almost countless number of providers. Every provider is on the lookout for customers and so has to have a presence – on search engines for example. Experts at G DATA explain three of the methods currently used for increasing the level of awareness that all involve the manipulation of websites and that website visitors might come across while surfing.