NEWS FROM THE LAB - January 2007

Tuesday, January 30, 2007

 
Take Your Virtual Gold Somewhere Else Posted by Sean @ 14:49 GMT

Best Prices on Gold

There are numerous password-stealing trojans specifically designed for World of Warcraft and other massively multiplayer online games. The stolen passwords are used to take gold and other items from victims so that they can be re-sold online.

Now eBay has decided to ban the auction of virtual goods. Actually, it's a more aggressive enforcement of already existing policy. It should be interesting to see just how this change in the re-sale market affects the source of supply. Demand is unlikely to change and so sites such as ige.com will be the short-term beneficiaries.

Read more about it from Daniel Terdiman at CNET.

 
Monday, January 29, 2007

 
Virus in your car? Posted by Patrik @ 03:04 GMT

TomTom

Longtime readers of the weblog might remember that we posted on testing a car's Bluetooth enabled phone to see if it could be infected by malware. That time nothing happened, but reports on the Internet now say that you can actually get a virus in your car – or to be more specific, on your TomTom GPS system.

What apparently happened was that TomTom accidentally included two Windows malware files on the TomTom GO910's hard drive – Perlovga.a and Small.qp. While the device itself isn't infected, users have reported getting notifications from their antivirus products when they've connected the device to their PCs to do a backup.

The infected files are "copy.exe" and "host.exe" and they are located in the root of the hard drive of the GO910. Perlovga.a was discovered in June 2006 and Small.qp back in January of 2005, so they're not new in any way.

This isn't the first time devices have been shipped to customers with malware. In August 2005, Creative shipped 5GB Zen Neeon players containing Wullik.B (also known as Rays.A). In October 2006, both McDonalds and Apple distributed Windows malware on devices.

There's nothing to be found on TomTom's website about this, but according to a post on DaniWeb, they have sent an official reply to customers. Links to some user reports:

   Link 1
   Link 2
   Link 3 (in German)
   Link 4

Updated to add: An official statement is now available from TomTom.

 
Friday, January 26, 2007

 
Chat with "Corpse" Posted by Mikko @ 16:49 GMT

Linus Larsson, a journalist with Computer Sweden magazine, did an ICQ interview with "Corpse", the Russian author behind the Haxdoor trojan family.

The Swedish article, containing the full chat log, has been translated to English and is available at IDG.SE.

It's not really an interview as Corpse believes he's speaking with a potential customer for his trojans.

Corpse has been in the news a lot lately, including the New York Times. We wouldn't be surprised to see him get caught in one way or another, or to go underground.

 
Thursday, January 25, 2007

 
WorldMap Live Wallpaper Posted by Sean @ 14:36 GMT

Three weeks ago we posted some screenshots of our WorldMap Live as a wallpaper giveaway.

We've had some additional questions since then, so we thought we'd post some more 1400 by 1050 screenshots for you.

WorldMap Live screenshots – Global: three captures (15:31:40, 00:14:57, 14:49:49)

Regional: APAC 14:44:48, Europe 03:49:03, USA 01:12:35

How does our WorldMap Live work?
When a detection occurs, many of our security products report back to us with data that includes an IP address. That IP address is converted to a physical location, which is then displayed on the WorldMap. The WorldMap software runs in real time and also offers 1-hour and 24-hour playback modes.

Is there a commercial version that can be purchased?
The live version of the WorldMap requires an internal connection to our servers and so is not a commercial product.

There is, however, worldmap.f-secure.com, which is publicly available and uses the same source data as the live version. Multiple time periods can be selected and the view can be narrowed to individual countries.

WorldMap Small.DAM in Europe

 
Of Love and Bills Posted by Kimmo @ 07:01 GMT

A new round of malicious billing spam e-mails was received yesterday. All attachments have the filename Rechnung.pdf.exe. Two variants emerged from these spams: W32/Nurech.X and W32/Nurech.Y.

Later in the day, the phrase "Love is all Around" was given a new meaning when another batch of Stormy was received. This new Stormy still adheres to the theme of love. Filenames of this new variant could be any of the following:

   Flash Postcard.exe
   Greeting Postcard.exe
   Greeting Card.exe
   Postcard.exe
   flash postcard.exe
   greeting card.exe
   greeting postcard.exe
   postcard.exe


Attachments are now detected as Trojan-Downloader.Win32.Small.ciw.

As seen from the newest samples, social engineering techniques are still employed to entice a portion of the recipients to execute the malicious attachments.

Vigilance and caution are always advised.

 
Tuesday, January 23, 2007

 
Rechnung After the Storm Posted by Francis @ 09:23 GMT

We have received many reports from our German customers receiving spammed e-mails containing an attachment named GEZ_Rechnung.pdf.exe.

Here is a sample screenshot of the spammed e-mail:

Nurech.W

Nurech.W attachment

Our detection for this malware is Nurech.W.

Nurech.W uses the following links to download Bzub.HO:

   http://buckells.co.uk/heidi/[BLOCKED]ex.txt
   http://floorsovertexas.com/images/[BLOCKED]ex2.txt
   http://gideonsarmy3.com/gideons_files/[BLOCKED]ex2.txt
   http://gilles-pouliot.com/images/[BLOCKED]ex2.txt
   http://graceinthedesert.org/images/photo_page/[BLOCKED]ex2.txt
   http://gracesanders.com/images/[BLOCKED]ex2.txt
   http://mazal18.com/temp/[BLOCKED]ex2.txt
   http://thecorsairs.co.uk/Pics/[BLOCKED]ex.txt

Bzub.HO is a password stealer and is hosted at the following link:

   http://samuraiwordsets.co.uk/images/[BLOCKED]p.exe

 
Monday, January 22, 2007

 
Stormy Love Posted by Patrik @ 20:00 GMT

This evening a new wave of the Stormy worm has been widely spammed. The subjects used in the e-mails have now changed from news-related events to love-related topics as you can see from the screenshot and the list of subjects below.

Stormy Love

The list of subjects we've seen so far includes:


A Bouguet of Love
A Day in Bed Coupon
A Monkey Rose for You
A Red Hot Kiss
Against All Odds
All That Matters
Baby, I'll Be There
Back Together
Breakfast in Bed Coupon
Can't Wait to See You!
Cyber Love
Dinner Coupon
Dream Date Coupon
Emptiness Inside Me
Fields Of Love
For You
Full Heart
I Believe
I Can't Function
I Dream of You
I Think of You
Internet Love
It's Your Move


Kiss Coupon
Love Birds
Love You Deeply
Made for Each Other
Miracle of Love
Moonlit Waterfall
My Invitation
Our Love
Our Love is Free
Our Two Hearts
Passionate Kiss
Pockets of Love
Puppy Love
Red Rose
Sending You My Love
Showers of Love
Someone at Last
Soul Partners
Summer Love
Take My Hand
That Special Love
The Dance of Love
The Long Haul


The Love Bugs
This Day Forward
This Feeling
Till Morning's Light
Till Morninig's Light
The Mood for Love
To New Spouse
Together Again
Together You and I
Touched by Love
Twice Blest
Until the Day
We're a Perfect Fit
Wild Nights
Will you?
When I'm With You
Worthy of You
Wrapped Up
Wrapped in Your Arms
You are our of this world
You Lucky Duck!
You Rock Me!
You Were Worth the Wait



Thanks to Diego who notified us and told us that this list looks very similar to the list of Romantic Cards over at 2000greetings.com and indeed it does.

The list of files is much shorter:

Greeting Postcard.exe
postcard.exe
greeting card.exe
Flash Postcard.exe
flash postcard.exe


We now detect this as Email-Worm.Win32.Zhelatin.a.

Note: For those of you who aren't already filtering EXE's in the e-mail gateway – do it now!
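As an added example (not code from this weblog or from F-Secure's gateway products), here is a Python screen for the double-extension trick used by the Rechnung and Stormy attachments on this page: it walks the MIME parts of a message and blocks anything whose real extension is executable, reporting names such as Rechnung.pdf.exe separately so the decoy pattern is visible in the logs. The extension lists and the sample message are constructed for the example.

```python
"""Gateway-side attachment screening for the spam runs discussed above."""
import email
from email.message import Message
from typing import List, Tuple

# Extensions Windows executes directly (constructed list; extend to local policy).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "hta", "vbs", "js", "wsf"}
# "Harmless" document extensions the decoy names borrow (Rechnung.pdf.exe).
DECOY_EXTS = {"pdf", "doc", "xls", "jpg", "gif", "txt", "htm", "html"}
ARCHIVE_EXTS = {"zip", "rar"}


def classify_attachment(filename: str) -> str:
    """Classify one attachment name.

    Returns one of:
      'block-double-extension'  e.g. Rechnung.pdf.exe, GEZ_Rechnung.pdf.exe
      'block-executable'        e.g. Flash Postcard.exe, Video.exe
      'inspect-archive'         ZIP/RAR: contents must be scanned separately
      'allow'                   everything else
    """
    # Strip whitespace and trailing dots that mail clients ignore, so that
    # "postcard.exe " is judged by its real extension.
    name = filename.strip().rstrip(".").lower()
    parts = name.split(".")
    if len(parts) < 2:
        return "allow"
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            return "block-double-extension"
        return "block-executable"
    if ext in ARCHIVE_EXTS:
        return "inspect-archive"
    return "allow"


def screen_message(raw: str) -> List[Tuple[str, str]]:
    """Walk every MIME part of a raw RFC 822 message and return
    (filename, verdict) for each part that carries a filename."""
    msg: Message = email.message_from_string(raw)
    results = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            results.append((fname, classify_attachment(fname)))
    return results


def should_quarantine(raw: str) -> bool:
    """True if any attachment verdict starts with 'block'."""
    return any(verdict.startswith("block") for _, verdict in screen_message(raw))


# Constructed sample message modelled on the GEZ "Rechnung" spam run.
SAMPLE_MAIL = """\
From: "GEZ" <rechnung@example.invalid>
To: victim@example.invalid
Subject: Ihre Rechnung
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Bitte die beigefuegte Rechnung beachten.
--XYZ
Content-Type: application/octet-stream; name="GEZ_Rechnung.pdf.exe"
Content-Disposition: attachment; filename="GEZ_Rechnung.pdf.exe"
Content-Transfer-Encoding: base64

QUJDRA==
--XYZ--
"""

if __name__ == "__main__":
    for fname, verdict in screen_message(SAMPLE_MAIL):
        print(f"{fname}: {verdict}")
    print("quarantine:", should_quarantine(SAMPLE_MAIL))
```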
 
Stick This Posted by Sean @ 13:50 GMT

Our new laptop stickers have arrived! We started the contest several weeks ago. We then went through the results and selected the winners. And then we ordered up a batch and waited. Now we have them and stickers are everywhere in the lab.

2007 Stickers

The weblog readers whose suggestions were selected are:

      I lost my password, can you tell me yours? — Azham R. of Malaysia
      This is not the wireless access point you're looking for. — Matt L. of Australia
      Real men don't use antivirus. — Jonas L. of Sweden
      I just click OK to make the box go away. — Justin R. of UK
      My botnet can beat up your botnet. — David B. of USA
      Password is on a Post-it note on the display. — Ken T. of Germany

Their stickers were mailed out in the post today. Our thanks to all that contributed.

Now that we have them, we'll use them as rewards for future challenges.

 
Commwarrior Lite Posted by JP @ 13:20 GMT

Puhelin

We analyzed a new Commwarrior variant last week. It runs on Symbian devices using Series 60 user interface – first and second editions.

This variant of Commwarrior, enumerated as T, was otherwise quite uninteresting apart from the fact that it is newly compiled from the original source – unlike most variants. The author refers to it as "Commwarrior v3 Lite" in his code. In the meantime, we already have the detection published and we've updated our free F-Commwarrior utility, which you can download from f-secure.mobi if you suspect your phone has been infected.

This variant affects only Symbian Series 60 phones that use Symbian OS version 8.1 or older. This means that the latest model of phones that could be affected is the Nokia N72. Phones using Symbian OS 9.0 or later, such as the Nokia E70 or 3250, will not be affected.

 
Sunday, January 21, 2007

 
Storm Worm starts to use Rootkit techniques Posted by Kimmo @ 21:45 GMT

The weekend has been very busy with Storm Worm. We have lately discovered new variants that have started to use kernel-mode rootkit techniques to hide their files, registry keys, and active network connections. F-Secure BlackLight is able to detect the hidden files.

Storm Worm Rootkit

These variants are now detected as W32/Stormy.AB and Trojan-Downloader.Win32.Agent.bet.

 
Saturday, January 20, 2007

 
Another trojan run by the Storm Worm gang Posted by Mikko @ 07:29 GMT

We got a repeat of what happened last night – but with a modified version of the trojan and fresh news items in the subject field.

Russian Missle

This time the subjects in the mails are:

  Russian missle shot down Chinese satellite
  Russian missle shot down USA aircraft
  Russian missle shot down USA satellite
  Chinese missile shot down USA aircraft
  Chinese missile shot down USA satellite
  Sadam Hussein alive!
  Sadam Hussein safe and sound!
  Radical Muslim drinking enemies' blood.
  U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
  U.S. Southwest braces for another winter blast. More then 1000 people are dead.
  Venezuelan leader: "Let's the War beginning".
  Fidel Castro dead.
  Hugo Chavez dead.


And the attachment names are:

  Video.exe
  Full Video.exe
  Read More.exe
  Full Text.exe
  Full Clip.exe


When run, this malware creates a peer-to-peer botnet via port 7871/UDP or 4000/UDP.

We detect this as Trojan-Downloader.Win32.Agent.bet.
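An added example, not F-Secure's detection logic: given outbound UDP records from a firewall log (constructed format), this Python snippet flags internal hosts that contact many distinct peers on 7871/UDP or 4000/UDP, the fan-out pattern a peer-to-peer bot produces and a single legitimate client usually does not. The peer threshold and the log lines are constructed assumptions.

```python
"""Spot peer-to-peer bot fan-out on the UDP ports named above."""
import re
from collections import defaultdict
from typing import Dict, List, Set

P2P_PORTS = {7871, 4000}   # UDP ports named on this page
PEER_THRESHOLD = 5         # constructed: distinct peers before we alert

# Constructed log format: "<time> UDP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(\S+) UDP (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def peers_by_host(lines: List[str]) -> Dict[str, Set[str]]:
    """Map each internal source IP to the distinct destinations it
    contacted on a P2P port; lines in another format are ignored."""
    peers: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _, src, _, dst, dport = m.groups()
        if int(dport) in P2P_PORTS:
            peers[src].add(dst)
    return peers


def suspicious_hosts(lines: List[str], threshold: int = PEER_THRESHOLD) -> List[str]:
    """Hosts whose distinct-peer count on the P2P ports reaches the threshold."""
    return sorted(h for h, p in peers_by_host(lines).items() if len(p) >= threshold)


# Constructed sample: 10.0.0.5 fans out to six peers; 10.0.0.7 does one
# DNS query and one port-4000 contact, which is not enough to alert on.
SAMPLE_LOG = [
    "2007-01-20T07:31:02 UDP 10.0.0.5:1025 -> 198.51.100.11:7871",
    "2007-01-20T07:31:03 UDP 10.0.0.5:1025 -> 198.51.100.23:7871",
    "2007-01-20T07:31:03 UDP 10.0.0.5:1025 -> 203.0.113.8:4000",
    "2007-01-20T07:31:04 UDP 10.0.0.5:1025 -> 198.51.100.42:7871",
    "2007-01-20T07:31:05 UDP 10.0.0.5:1025 -> 192.0.2.77:4000",
    "2007-01-20T07:31:06 UDP 10.0.0.5:1025 -> 198.51.100.90:7871",
    "2007-01-20T07:31:07 UDP 10.0.0.7:1040 -> 192.0.2.1:53",
    "2007-01-20T07:31:08 UDP 10.0.0.7:1041 -> 203.0.113.8:4000",
    "2007-01-20T07:31:09 TCP 10.0.0.9:1050 -> 192.0.2.9:80",
]

if __name__ == "__main__":
    for host in suspicious_hosts(SAMPLE_LOG):
        print(f"{host}: {len(peers_by_host(SAMPLE_LOG)[host])} distinct P2P peers")
```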

Update on Saturday: A few hours later, there was another run with new and modified variants. Mostly the same Subject fields, with the addition of:

  President of Russia Putin dead
  Third World War just have started!
  The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
  The commander of a U.S. nuclear submarine lunch the rocket by mistake.
  First Nuclear Act of Terrorism!


Update on Sunday: Another run. This time with a different theme included in the subjects:

  So in Love
  Happy World Religion Day!
  Most Beautiful Girl
  Someone at Last
  I Believe
  The Dance of Love
  The Miracle of Love
  All For You
  Vacation Love
  I am Complete
  Wrapped Up
  Moonlit Waterfall
  A Little (sex) Card
  A Special Kiss
  Hugging My Pillow
  Safe and Sound
  You're Soo kissable
  A Romantic Place
  Breakfast in Bed Coupon
  For You
  I Love You So
  Safe and Sound
  Want to Meet?
  We Are Different
  We Have Walked
  You Asked Me Why


New filenames include Flash Postcard.exe.

Detection for these is in our update 2007-01-21_04.

 
Friday, January 19, 2007

 
Storm-Worm Small.DAM Spread Quickly Posted by Jusu @ 09:53 GMT

The Small.DAM (Storm-Worm) we posted on earlier spread very fast during the night, Helsinki time. The heavy seeding through spam was quickly obvious on our tracking screens. The worm was spread throughout the world very rapidly.

Here is some footage of the worm's spread to share with our readers:

WorldMap Video

The video is encoded with XViD (4651k).

Also available via YouTube.

 
Small.DAM spammed around Posted by Francis @ 04:48 GMT

This morning we have been witnessing Small.DAM being spammed.

Small.DAM

Here are the possible subject headings:

230 dead as storm batters Europe.
A killer at 11, he's free at 21 and...
British Muslims Genocide
Naked teens attack home director.
U.S. Secretary of State Condoleezza...

The "Storm in Europe" title is particularly timely, as there really is a storm in Europe at the moment and dozens of people have died.

Attachments may have any of the following filenames:

Full Clip.exe
Full Story.exe
Read More.exe
Video.exe


The detection for Small.DAM was already included in our database update 2007-01-15_01.

Small.DAM

 
Thursday, January 18, 2007

 
Commercial-grade redundant client-server backend systems - for SPAM Posted by Mikko @ 13:53 GMT

Oh man, there's a lot of spam out there nowadays.

No wonder, too.

The Warezov gang is using variants of Warezov and Medbot/Horst to send out medication and replica spam. The Rustock gang is using Mailbot.AZ and variants to send out stock spam. The Warezov gang is apparently operating from China and the Rustock boys from Russia.

For more background info, read the "Connecting the Warezov domain dots" entry posted two months ago.

Machines infected with Medbot use a client-server architecture. They connect to a central server to get further instructions as well as spam content and address lists. Then they get to the work of actually sending the spam.

The server addresses keep changing. Last week seek21.zootseek.com was used to serve e-mail addresses to the bots. While investigating the case last week, we downloaded some 68 gigabytes of e-mail addresses from this server.

Addresses

Another good example of the client-server architecture is the service running at http://seeky.zootseek.com/d/body.html. This URL serves randomized HTML templates for different spam mails.

The URL is live at the moment of this posting. If you access it and reload the page, you'll get a different spam template every time (but do visit it at your own risk).

Medbot

And by the way, you might want to block access to all hosts under the domain medbod.com (as it is used by Medbot to download updated bot code).

 
Mule Farming Posted by Mikko @ 12:17 GMT

Fake web sites have been used to recruit money mules for quite a while. When cops investigate phishing or carding cases, the trail usually ends with the mule who might not have realized at all that he's actually laundering money for crime gangs.

Here's one mule recruitment site which is offline by now:

Transworld

This morning I got a personalized mule recruitment spam. Emphasis below is mine:


From: "Eddie Arredondo" <371cameron@m4m.biz>
To: "Mikko Hypponen" <mikko.hypponen>
Received: from 4koiahot.0o4xb.aol.com (ppp85-140-200-191.pppoe.mtu-net.ru [85.140.200.191])
       by mx1.f-secure.com (Postfix) with ESMTP id B58F167CF2;
       Wed, 17 Jan 2007 23:59:43 +0200 (EET)
Subject: Fw: Re: Yuo will want this Job
Date: Thu, 18 Jan 2007 01:01:25 +0400

Yo Mikko.hypponen!

We are a small and relatively Software Development and Outsourcing
Company specializing in enterprise application development, system
integration, corporate networks and other software solutions for
business, finance, and for various types of problems. The company
based in Ukraine but at this time we open new office in Bulgaria.

We’ve earned ourselves a reputation of a reliable and trustworthy
partner working successfully with a number of West European and North
American copmanies and providing them with reliable software
development services in financial, telecom and media sectors Also we
are in search of new partners.

Unfortunately we are currently facing some difficulties with receiving
payments for our services.
It usually takes us 10-30 days to receive a
payment from your country and such delays are harmful to uor business.
We do not have so much time to accept every wire transfer and we can't
accept cashier’s checks or money orders as well. That’s why we are
currently looking for partners in your country to help us accept and
process these payments faster
.

If you are looking for a chance to make an additional profit you can
become our representative in your country. As our representative you
will receive 8% of every deal we conduct. Your job will be accepting
funds in the form of wire transfers and check payments and forwarding
them to us
. It is nota full-time job, but rather a very convenient
and fast way to receive additional income. We also consider opening an
office in your country in the nearest future and you will then have
certain privileges should you decide to apply for a full-time job.
This is an entry level opportunity in the field of financial services.
Our financial professionals work with clients to help them achieve
their many financial goals such as saving on taxes.

We therefore solicit your assistacne in remitting this money and
facilitating transactions. If you believe you would be able to
undertake such a task and are interested in this job, please respond
to uaelectronic2@aim.com and send us the following information about
yourself:

1. Your Full Name as it appears on your resume.
2. Education.
3. Your Contact Address.
4. Telephone/Fax number.
5. Your present Occupation and Position currently held.
6. Your Age

Please respond ASAP and we will provide you with additional details on
how you can become our representative. Joining us and starting
business today will cost you nothing and you will b eable to earn a
bit of extra money fast and easy.

Should you have any quesitons, please feel free to contact us at the
address mentioned above. Looking forward to hearing from you.

Sincerely,

Kerri Knight
Director of Electronic Co

 
Time To Update Your Java Posted by Jarno @ 11:47 GMT

Advisory 102760

Last Thursday, we suggested that you update some of your applications…

Well, on Tuesday, January 16th, Sun released an advisory regarding a vulnerability in processing GIF images in some versions of the Java Runtime Environment.

When running a Java applet from a web page using a vulnerable version of Java Runtime, an applet exploiting the vulnerability may escape Java's sandbox. This means that the Java applet would have exactly the same access to the file system and process execution as any native application.

Java vulnerabilities have been actively used by malicious web pages in the past, so it is quite possible that this new vulnerability will also be used.

So do make sure that your Java runtime is up to date; instructions are available at Sun Advisory #102760.

Note: Sun provides links to J2SE 5.0 Update 10 in their advisory. As we posted earlier, version 6.0 is also available from: java.sun.com.

According to Sun, this vulnerability does not affect the Java versions used on mobile phones (J2ME).

 
Tuesday, January 16, 2007

 
Acer's Vulnerability Hotfix Posted by Kamil @ 09:02 GMT

AcerLAppFix.exe

There's an update for the Acer ActiveX component vulnerability we posted on last week. Details can be found via US-CERT. The patch is named "Acer Preload Security Patch for Windows XP" and can be found here.

 
Warezov.KA Posted by Sean @ 08:55 GMT

After a relatively short period of inactivity, Warezov has returned with about a dozen new variants in the last 24 hours. Variant KA received its moniker at the end of yesterday with update 2007-01-15_13. There is also a new domain to block: ertikadeswiokinganfujas.com. You'll find a more comprehensive list here.

Warezov_KA

F-Secure Internet Security 2007's System Control feature still automatically denies these latest variants.

 
Sunday, January 14, 2007

 
Do you have a TV permit? Posted by Mikko @ 12:58 GMT

There's a fairly large malware spam run going on in Germany.

The e-mails claim to be from GEZ, the local TV permit authority. The mail contains a bill for 445,99e for unpaid TV watching licenses.

The attachment, of course, is an executable: RechnungGEZ.pdf.exe. We now detect this as Trojan-Downloader.Win32.Small.efe.

GEZ

When run, the attachment shows a fake error message to explain why you don't see the real bill after opening the attachment:


gez

 
Yay man! Posted by Mikko @ 08:37 GMT

Yay

We've received some questions about a piece of malware that announces its presence on a system by displaying a message saying "yay".

This is a simple downloader that we are detecting with Sunday's updates as Trojan-Downloader.Win32.Agent.awf. It downloads and runs a program named "dtd51.php".

 
Friday, January 12, 2007

 
PayPal Key Fob Posted by Sean @ 13:03 GMT

PayPal will soon have for sale a one-time password token product. Designed to be carried with you on your key chain, it's based on a VeriSign device and will sell for five dollars.

We think this key fob is a good idea, especially considering that PayPal is such a prime target for phishers.

Here are some recently registered domain names for paypal phishing cases:

PayPal Phishing Sites

Of course, while a good idea, this key fob might not be the silver bullet that solves the phishing problem. Consider this eWeek article on a phishing kit that allows for easy man-in-the-middle attacks. The "Universal Man-in-the-Middle Phishing Kit" may well be the trend that phishing takes in 2007.

 
SMS Spam Follow up Posted by JP @ 12:18 GMT

WAP Text

We received a good number of reports regarding SMS spam that people had received on their mobile phones during a period in December. We looked into the issue and posted our findings. The number of reports regarding received SMS spam has gone down since December, but we are still hearing about the issue on a daily basis.

We did talk briefly with a couple of GSM operators about how to block this problem and stop it bothering people. From what we have learned, if you as a customer of a cellular operator receive SMS spam and don't want more spam delivered to your mobile phone, you should report it to your operator's customer support. While we are very interested in getting reports about different SMS spam, we cannot as a third party report the abuse of the cellular operator's network. The cellular operators are able to control their networks, but they need to be informed by you, the customer, if their network is being abused against you.

 
Thursday, January 11, 2007

 
Update Your Apps Posted by Sean @ 15:50 GMT

The second Tuesday of each month is when Microsoft releases its security updates. But what else could or should you be updating? Not just your OS, but also your applications.

There's Adobe Reader with a well-publicized cross-site scripting (XSS) vulnerability in Adobe Reader 7.0.8 and earlier versions. You can either install an update, version 7.0.9, or you can install version 8, which no longer includes the vulnerable feature. And then again, you might consider uninstalling Adobe Reader and installing an alternative such as Foxit Reader.

Adobe Reader 8

Then there's Java. It was recently updated to version 6. You'll find it on java.sun.com, but you won't yet find it on java.com. For whatever reason, java.com still offers version 5 update 10.

Java SE6

Perhaps you updated your Microsoft Office on Tuesday via Microsoft Updates. But then perhaps you also have OpenOffice installed? If so, then you should update to OpenOffice.org 2.1. Version 2.1 now includes automatic notification of updates.

OpenOffice 2.1

And if you still haven't updated your Internet Explorer to IE7 — it's no longer a high priority (at Microsoft Update). This month the update has moved to the Optional Updates section. Or at least it has on one of our production machines. That makes a bit more sense for those of us still waiting for IT's blessing.

Optional IE7

Don't allow your apps to be the low-hanging fruit.

 
Wednesday, January 10, 2007

 
Further Information on the Pocket PC MMS Exploit Posted by Jarno @ 12:04 GMT

We have done further study on the MMS exploit discovered by Collin Mulliner.

The exploit affects most Pocket PC phone edition and Windows Mobile devices that use versions of ArcSoft MMS composer predating August 2006.

Fortunately, most vendors are providing updates that patch the vulnerability, but unfortunately they don't necessarily mention this in their updates. If you are unsure whether your phone vendor is providing the update, we recommend checking the vendor's support page and contacting them if they don't have information available.

We have tried the exploit with several devices, and unless the shellcode is crafted for that particular device and the MMS application happens to be in the correct memory slot, the only result is a crash of the MMS application.

As mentioned previously, we added detection for Exploit/MMS.A in the December 30th update for F-Secure Mobile Anti-Virus for Windows Mobile devices. So we decided to shoot a short video clip of the Anti-Virus in action, stopping the corrupted MMS message before the user is able to open it.

The video was shot with a QTEK 9100 that has a vulnerable version of the MMS software installed.


Tuesday, January 9, 2007

 
First Monthly Patch of 2007 Posted by Francis @ 19:36 GMT

Microsoft's January patches are now out. The update includes three critical patches that fix flaws in Excel, Outlook, and Internet Explorer. All of these allow remote code execution and can be used as a vector for virus or trojan attacks.

Microsoft Updates - Jan 2007

At the moment, we haven't seen malware taking advantage of these vulnerabilities.

Start the year right, patch now!

 
Preloaded Vulnerability Posted by Kamil @ 09:14 GMT

Acer Ferrari

Yesterday, we tested a library taken from an Acer computer. It's very common that vendors sell machines with preloaded applications and system components of their own. The library, named LunchApp.ocx, is probably supposed to help with browsing the vendor's website, enable easy updates and such – it turns out… it also makes all those machines vulnerable to a specially crafted HTML file that could instantly download malicious file(s) onto the user's machine and then execute them. It gets even better… Acer enabled "safe for scripting" on that ActiveX library, so you wouldn't even see when it's used.

It would be nice if Acer (and other vendors) thought twice before providing a "feature" like this in the future.

 
Monday, January 8, 2007

 
Don't click on Saddam attachments Posted by Mikko @ 14:03 GMT

In a non-surprising move, malware writers are trying to exploit the publicity around the hanging of Saddam Hussein to their own advantage.

So far we've seen three different examples of malware using Saddam-related themes.

Sadan

These are now detected as W32/Banload.BSW, W32/Banload.BSX and Trojan-Downloader.Win32.Delf.acc.

Two of these try to disguise their actions by opening up a YouTube page with the Portuguese search keyword "enforcado" (execution). More information is available in our descriptions: Banload.BSX, Banload.BSW and Delf.acc.

Enforcado
 
Monday post Posted by Mikko @ 12:45 GMT

Funny.

% ping org.org

Reply from 198.87.27.94: bytes=32 time=206ms TTL=48
Reply from 198.87.27.94: bytes=32 time=237ms TTL=48
Reply from 198.87.27.94: bytes=32 time=213ms TTL=48

% ping net.net.net

Reply from 67.15.129.30: bytes=32 time=177ms TTL=111
Reply from 67.15.129.30: bytes=32 time=182ms TTL=111
Reply from 67.15.129.30: bytes=32 time=182ms TTL=111

% ping com.com.com.com

Reply from 216.239.113.148: bytes=32 time=186ms TTL=244
Reply from 216.239.113.148: bytes=32 time=185ms TTL=244
Reply from 216.239.113.148: bytes=32 time=185ms TTL=244

 
Sunday, January 7, 2007

 
Weekend activity Posted by Mikko @ 10:54 GMT

This weekend we've seen a couple of runs with Feebs variants. This time the malicious Javascript HTA files have been attached in ZIPs to image spam e-mails. The spam itself advertises some penny stocks (Aerofoam Metals AFML). We detect these as Feebs variants.

Then there's been a new Rechnung spam run in German-speaking countries. Masquerading as a bill from the "1&1" ISP, the e-mails look like this:

1&1 Rechnung

We now detect the attachment as Backdoor.Win32.Agent.akf.

Updated to add: We have now seen the same spam e-mails but with a different attachment, now detected as W32/Haxdoor.LQ or Backdoor.Win32.Haxdoor.jw. This variant tries to steal credentials for various banks located in Germany, Austria, Poland, and Sweden.

 
Friday, January 5, 2007

 
Wallpaper Giveaway Posted by Sean @ 14:05 GMT

We have two versions of our F-Secure WorldMap. There's the publicly available worldmap.f-secure.com and then there is our internal live version that runs as a desktop application.

The live version looks pretty cool and some of us use images of it as our wallpaper. We're sometimes asked by visitors if they can get a copy for themselves.

Notebook with WorldMap

Well, here are a couple of bitmaps for you. They're 1400 x 1050.

WorldMap

WorldMap #1 (4307k)
WorldMap #2 (4307k)

 
Wednesday, January 3, 2007

 
How to locate new phishing sites Posted by Mikko @ 13:55 GMT

Phishing sites are easy to locate once the bad boys start spamming out thousands of mails linking to their site. But how can such sites be found before that?

Here's an example.

You can subscribe to alert services that will let you know when a new domain with certain keywords has been registered. Domaintools is one such service.

Here's an e-mail from yesterday, letting us know that one new domain with the word "bankofamerica" in it has been registered:

0nline-bankofamerica.com

Looking at detailed domain information, we can see the domain was registered on the 1st of January:

0nline-bankofamerica.com

The domain name has a live web server running. The front page looks like this:

0nline-bankofamerica.com

The folder "OnlineID" sounds suspicious. Let's follow it.

0nline-bankofamerica.com

And three folders deeper we'll find the real phishing site.

0nline-bankofamerica.com

At the time of posting this entry, none of the common browsers (IE, Firefox, Opera) detected this site as a phishing site with their built-in filters. Soon they will.

Hopefully we'll be able to shut down this site before the bad boys actually start using it.
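To make the keyword-alert approach above usable at volume, here is an added Python triage filter (not Domaintools' service or F-Secure's code) that ranks new registrations: it normalises digit-for-letter swaps such as "0nline" before looking for the brand name, and also catches abbreviated brand tokens such as "ppal" or "ppl" as a lower-confidence signal. The brand list, homoglyph table and sample feed are constructed assumptions; the feed mixes domains from this page with hypothetical ones.

```python
"""Triage new domain registrations against watched brand names."""
import re
from typing import Dict, List

WATCHED_BRANDS = ["bankofamerica", "paypal"]   # constructed watch list

# Digit-for-letter substitutions; "0nline" on this page stands for "online".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_label(domain: str) -> str:
    """Second-level label: 'www.0nline-bankofamerica.com' -> '0nline-bankofamerica'."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def is_subsequence(short: str, long: str) -> bool:
    """True if every character of `short` appears in `long`, in order."""
    it = iter(long)
    return all(ch in it for ch in short)


def match_brand(domain: str) -> List[Dict[str, str]]:
    """Return one hit per watched brand the domain resembles.

    reason 'keyword': the whole brand name appears after homoglyph
    normalisation (high confidence, e.g. 0nline-bankofamerica.com).
    reason 'abbreviation': a hyphen-separated token keeps the brand's first
    and last letters and is an in-order subsequence of it (lower confidence,
    e.g. ppal-form-ssl.com, welcome-ppl.com; expect some false positives).
    """
    label = registrable_label(domain).translate(HOMOGLYPHS)
    tokens = [t for t in re.split(r"[-_]", label) if t]
    joined = "".join(tokens)
    hits: List[Dict[str, str]] = []
    for brand in WATCHED_BRANDS:
        if brand in joined:
            hits.append({"domain": domain, "brand": brand, "reason": "keyword"})
            continue
        for tok in tokens:
            if (3 <= len(tok) < len(brand)
                    and tok[0] == brand[0] and tok[-1] == brand[-1]
                    and is_subsequence(tok, brand)):
                hits.append({"domain": domain, "brand": brand, "reason": "abbreviation"})
                break
    return hits


def triage(new_domains: List[str]) -> List[Dict[str, str]]:
    """Run every new registration through match_brand and flatten the hits."""
    return [hit for d in new_domains for hit in match_brand(d)]


# Constructed feed: three names seen on this page plus hypothetical ones.
SAMPLE_FEED = [
    "0nline-bankofamerica.com",
    "www.ppal-form-ssl.com",
    "www.welcome-ppl.com",
    "bankofamericasecurity-tips.example",   # hypothetical: keyword hit
    "apple-support.example",                # hypothetical: no hit
    "example.com",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FEED):
        print(f"{hit['domain']}: {hit['brand']} ({hit['reason']})")
```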

 
Flash Phishing Posted by Mikko @ 11:40 GMT

We've now seen several phishing web sites that are using Flash-based content instead of normal HTML. Probably the main reason to do this is to try to avoid phishing toolbars that analyze page content.

Two recent examples, both targeting PayPal: www.ppal-form-ssl.com and www.welcome-ppl.com.

These sites look like the real PayPal front page, but they are actually Flash recreations.

Flash PayPal

When you type in login information, the SWF file displays a new page, asking for your credit card information.

Flash PayPal

Abuse messages have been sent about these sites. Thanks to Axel P for the heads up.