The successful exploitation of Kaspersky's e-mail list followed what the company described as a "massive attack" against its Web server on Friday evening, according to Denis Zenkin, head of corporate communications at the Moscow-based company.
A statement posted on Kaspersky's Web site said the attack began on Thursday night (7 November). The company traced the attacks to a group of hackers in Mexico but as yet has no concrete evidence pointing to specific individuals.
According to Zenkin, the attackers used a sophisticated and "exotic" attack to compromise the company's Web server and gain access to a folder containing mail messages sent out by the company.
From those messages, the attackers were able to obtain the distribution list for the company's e-mail newsletter. A copy of that newsletter was distributed to Kaspersky's customers along with an attached executable file containing the Bridex worm.
"Our IT security people were amazed that hackers got the idea for this kind of hack attack," Zenkin said.
Zenkin refused to provide details about the attack, citing concerns that other members of the hacker community would use the information to carry out further attacks. Zenkin did disclose that Kaspersky's Web server runs the FreeBSD operating system, a version of Unix, and the common Postfix e-mail server software.
Hackers were unable to gain access to Kaspersky's e-mail address book, nor could they penetrate areas of the Web server containing virus signatures for Kaspersky's antivirus software, Zenkin said.
Zenkin would not reveal whether antivirus definitions were posted in a more secure area of the server, saying only that they were located in different "territories" of the server that were not affected by the attack.
Kaspersky's virus definitions use digital signatures that are verified by the company's software before they are installed and used. Tampering with Kaspersky's virus definitions - attempting to substitute malicious code for a signature, for example - would be detected and rejected by the company's software, according to Zenkin.
Zenkin added that his company was unaware of any customers who had been infected by the newsletter. Kaspersky staff first noticed the attack and took corrective action within minutes, he said.
Nevertheless, the attack produced the unusual scenario of an antivirus vendor's software being used to thwart an attack launched from its own servers. It was an embarrassing fact, brought to Kaspersky's attention by its own customers.
Since the attack, Kaspersky has closed the security loophole exploited by the attackers and taken other steps to prevent further attacks. The company has also inspected the entire contents of its Web server and claims that the e-mail newsletter was the only component of its Web site affected.
The Bridex worm, also known as "W32/Braid.A" or "I-Worm.Bridex," was first identified in early November and arrives in an e-mail message, typically contained in an attachment titled README.EXE.
When recipients double click on the attachment, the worm copies a variant of the FunLove virus to the local system with the name BRIDE.EXE, alters the machine's system registry so that the virus is relaunched each time Windows starts, scans the user's Outlook address book and e-mails copies of itself to any addresses it finds.
Antivirus software vendors including Kaspersky have published updated virus signatures to detect Bridex.