Blog Archives

Java ‘Icefog’ Malware Variant Affects US Businesses : worldleaks


A new report by Kaspersky Labs covers a newly found variant of the Icefog family. The original Icefog variant targeted government agencies and specific parties as well as maritime, military and ship-building groups.

Icefog is a backdoor that gives attackers access to basic and key information about an infected system and lets them monitor and control infected PCs. It can also upload, download and install other malware for various aims, chiefly to steal or modify data on the compromised system.

“The Icefog operation has been functional since at least 2011, with many different variants released during this time. For Microsoft Windows PCs, we identified at least 6 different generations:

  1. The “old” 2011 Icefog – sends stolen data by e-mail; this version was used against the Japanese House of Representatives and the House of Councillors in 2011.
  2. Type “1” “normal” Icefog – interacts with command-and-control servers via a set of “.aspx” scripts.
  3. Type “2” Icefog – interacts with a script-based proxy server that redirects commands from the attackers to another machine.
  4. Type “3” Icefog – a variant that uses a certain type of C&C server with scripts named “view.asp” and “update.asp”.
  5. Type “4” Icefog – a variant that uses a certain type of C&C server with scripts named “upfile.asp”.
  6. Icefog-NG – communicates by direct TCP connection to port 5600.

In addition to these, we also identified “Macfog”, a native Mac OS X implementation of Icefog that infected several hundred victims worldwide.”

Since September-October 2013, Icefog had gone completely idle; all of its Command and Control (C&C) servers had been shut down by the malware writers and operators. The family is now back online with a new Java variant of Icefog, called “Javafog”.

Javafog uses the same payloads as the original Icefog campaign: it installs other specific malware onto a victim’s computer and communicates with the Icefog C&C servers. The main difference is that Javafog is written in Java.

Kaspersky has stated that there may be proof that several major US corporations have already been affected by Javafog.

“By correlating registration information for the different domains used by the malware samples, we were able to identify 72 different C&C servers, of which we managed to sinkhole 27.”

Sinkholing is the practice of redirecting network traffic bound for specific IP addresses for security purposes, for example to divert potential attacks, to analyse the traffic, or to detect suspicious activity such as infected hosts calling home.
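The kind of sinkholing described above, as an added example that is not code from the original article or from Kaspersky: a minimal DNS sinkhole decision replayed over constructed query-log lines, which answers known C&C names with the analyst's sinkhole address and tallies the client IPs that tried to reach them (the domain names, client addresses and the `upstream` stand-in are all constructed placeholders, not real Icefog indicators).

```python
# Added example: DNS sinkhole decision plus a tally of clients that hit it.
from collections import defaultdict

# Constructed placeholder C&C domains (NOT real Icefog indicators).
SINKHOLED_DOMAINS = {"cnc-example-1.invalid", "cnc-example-2.invalid"}
# RFC 5737 documentation address standing in for the analyst's sinkhole host.
SINKHOLE_IP = "192.0.2.10"

# Constructed DNS query log: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2013-10-01T09:00:01 198.51.100.7 cnc-example-1.invalid A
2013-10-01T09:00:05 198.51.100.7 www.example.com A
2013-10-01T09:01:12 203.0.113.44 cnc-example-2.invalid A
2013-10-01T09:02:30 203.0.113.44 cnc-example-1.invalid. A
2013-10-01T09:03:00 198.51.100.9 mail.example.org MX
"""


def resolve(qname, qtype, upstream):
    """Answer a sinkholed name with SINKHOLE_IP; pass every other query upstream.

    Only A queries are answered with the sinkhole address; other record types
    for a sinkholed name get no answer (None), so nothing else is served for it.
    """
    name = qname.rstrip(".").lower()          # normalise trailing dot and case
    if name in SINKHOLED_DOMAINS:
        return SINKHOLE_IP if qtype == "A" else None
    return upstream(name, qtype)


def parse_line(line):
    """Split one constructed log line into (timestamp, client, qname, qtype)."""
    ts, client, qname, qtype = line.split()
    return ts, client, qname, qtype


def sinkhole_report(log_text, upstream=lambda name, qtype: "upstream"):
    """Replay a query log through resolve(); map each sinkholed name -> sorted client IPs."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qname, qtype = parse_line(line)
        if resolve(qname, qtype, upstream) == SINKHOLE_IP:
            hits[qname.rstrip(".").lower()].add(client)
    return {name: sorted(ips) for name, ips in hits.items()}


def unique_victims(report):
    """Distinct client IPs seen calling home to any sinkholed name."""
    return sorted({ip for ips in report.values() for ip in ips})
```

On the constructed log, two of the three clients resolve a sinkholed name, which is the count an analyst would then correlate with ownership data to name affected organisations.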

“During the sinkholing operation, we observed eight IPs for three unique victims of Javafog, all of them in the United States. Based on the IP address, one of the victims was named as a very large American independent oil and gas corporation, with operations in many other countries.”

Obviously, the Javafog malware is much harder to detect and trace than the original variant, and the current detection rates for the malware are very low.

“Java malware is not as popular as Windows Preinstallation Environment (PE) malware, and can be harder to spot,”

At the moment, you shouldn’t be too concerned. If you think you may have been affected by similar malware, detection may be difficult for a while; nonetheless, scan with your antivirus and anti-spyware solutions if you’re worried.

For Icefog and Javafog, Kaspersky products are now able to detect all known variants.


NSA spreads more than 50,000 computer networks worldwide with malware : worldleaks


The US National Security Agency reportedly infiltrated more than 50,000 computer networks worldwide and infected them with malware, according to classified documents exposed by whistleblower Edward Snowden.

The latest claims come from a presentation slide showing a world map that highlights hacked computer networks and ‘world-wide implants’ under the category CNE (Computer Network Exploitation), NSA jargon for malware infections.

The NSA’s elite hacking team conducted these advanced spying attacks on networks, including the one against the Belgian telecom company Belgacom, which was carried out by the NSA’s UK ally, GCHQ.

The report said that CNE includes altering actions and intelligence collection via computer networks, exploiting data gathered from target or adversary information systems or networks.

The ‘implants’ act as digital ‘sleeper cells’ that can be started with a single push of a button.

The revelations by Snowden have severely damaged US ties with its allies and cost the government the trust of its own citizens.
