Alexey Kadiev Kaspersky Lab
Darya Gudkova Kaspersky Lab
Nowadays, when almost every user runs an anti-virus solution and knows at least something about Internet security, it is becoming harder for malware writers to infect a victim's computer. By combining an efficient web-based infection scheme built on JavaScript code with the social engineering know-how of phishers and the distribution techniques of spammers, one can create an ideal infection scheme. At Kaspersky Lab, we noticed a new massive attack using this scheme in the middle of June 2010, and we have been tracking it since then.
Although other such schemes appeared a year ago, they were not nearly as sophisticated; this combination of techniques is the most important feature of the recent Pegel infections.
At the end of 2009, massive infections of legitimate websites with malicious JavaScript code became a serious problem, both for IT specialists and PC users all over the world. Since 2009, the first Gumblar variants and then some time later Pegel versions have used infected web servers for their propagation. Such a closed-loop concept used for building the Pegel botnet in combination with the constant addition of new features proved to be very effective and successful. And today, after more than a year of Pegel's existence, the situation is still getting worse.
Notably, in June 2010 Pegel took the number one position in the top 10 malicious attachments in spam mails tracked by Kaspersky. This presentation describes in detail how this type of threat works, showing the whole process from the moment a user receives the malicious email to the moment their computer is infected and itself becomes a distribution point for further attacks.