Monthly Archives - March of 2009
 

Tuesday, March 31, 2009

 
Conficker's Domain Routine has Already Started Posted by Patrik @ 19:08 GMT

Mikko posted earlier about how the domain generation algorithm in Conficker works. Just to make it clear to everyone – this has now started.

Infected computers use the local time as the trigger to start generating the list of 50,000 domains, so in places where the local time is already April 1st, these computers are now actively polling for domains.

And, until the GMT date is April 1st they are in fact polling for domains for 31st March. So far there hasn't been any updates available on those sites.

In summary: Conficker has activated. So far nothing has actually happened.

Conficker.C polling for domains







 
 

 
 
Video - Case Conficker Posted by Sean @ 15:06 GMT

The Lab's YouTube Channel has been updated with a conficker presentation given by Mikko & Patrik back in February.

Case Conficker

You'll find it here:

  •  Case Conficker — Part 1
  •  Case Conficker — Part 2







 
 

 
 
When will it start? Posted by Mikko @ 11:18 GMT

April 1st, 2009 has arrived.

As I'm posting this, it's 00:18 on the 1st of April in Auckland, New Zealand.

But there aren't that many Conficker infections in New Zealand to begin with.

Infection situation in South Korea is more interesting; it's in the TOP 5 infected countries. And it's already 20:18 on the 31st in Seoul right now.

So, when exactly is Conficker activating?

It goes like this:


  • Conficker checks the local clock every 90 minutes (in some cases even more frequently)
  • The check is done with Windows GetLocalTime function
  • GetLocalTime gives the local time, based on the local time zone
  • Because of this, machines around the world are returning different times
  • Clock skew affects this as well
  • But not by much, as Windows machines will sync their local clock with time.windows.com once a week
  • Once the local clock says it's April 1st, Conficker will collect a date from the net

This means that machines in Australia will already be collecting a date from the net when machines in Hawaii aren't.

Conficker's net time collection uses several large websites to get the date. These are sites such as:

  • adobe.com
  • answers.com
  • baidu.com
  • bbc.co.uk
  • comcast.net
  • disney.go.com
  • ebay.co.uk
  • facebook.com
  • imdb.com
  • megaporn.com
  • miniclip.com
  • rapidshare.com
  • torrentz.com
  • typepad.com
  • wikimedia.org
  • yahoo.com
  • youtube.com

The HTTP header time on these sites is very accurate and very close to each other.

You can check these yourself: simply connect to port 80 of any website with netcat or telnet. In Windows, simply run "telnet google.com 80". Once connected, type (blindly) "GET /" and hit enter a couple of times. You'll get a screenful of results, including a "Date:" field.

Time

Here's some sample HTTP HEAD returns from websites that Conficker uses to check the date. These were checked earlier this morning:

Google.com
   Date: Tue, 31 Mar 2009 06:27:42 GMT
   Client-Date: Tue, 31 Mar 2009 06:27:42 GMT
   Client-Peer: 209.85.171.103:80

Facebook.com
   Date: Tue, 31 Mar 2009 06:28:24 GMT
   Expires: Mon, 26 Jul 1997 05:00:00 GMT
   Client-Date: Tue, 31 Mar 2009 06:28:24 GMT
   Client-Peer: 69.63.184.143:80

www.baidu.com
   Date: Tue, 31 Mar 2009 06:31:47 GMT
   Expires: Tue, 31 Mar 2009 06:31:47 GMT
   Client-Date: Tue, 31 Mar 2009 06:31:48 GMT
   Client-Peer: 220.181.5.222:80

www.youtube.com
   Date: Tue, 31 Mar 2009 06:32:30 GMT
   Expires: Tue, 27 Apr 1971 19:44:06 EST
   Client-Date: Tue, 31 Mar 2009 06:32:31 GMT
   Client-Peer: 208.65.153.253:80

When the local clock says it's April 1st, Conficker will fetch the date values from the above sites and will use these values in an algorithm to generate 50,000 unique domain names. Do note that even if the date from the web sites says it's March 31st, Conficker would still activate if the local clock says it's April 1st.

The machines that are infected by Conficker.C and are turned on, will change modes between 00:00 and 01:30 on April 1st, based on machines own clock. The ones that are turned off, will change modes soon after they are booted up.

Cheers,
Mikko

PS. I'm on Twitter. http://twitter.com/mikkohypponen

PS2. Full disclosure: this post has been updated several times today as we've tried to get this right. It is pretty complicated.







 
 

 
 
Not A MacCinema Installer Posted by Response @ 09:37 GMT

We recently received a Mac sample, with a Disk Image File (DMG) extension, that claims to be a MacCinema Installer. The file was downloaded from the following link:

  •  http://power-best.com/download/[...]/Flash.Player.Update.v9.19.dmg

This is a fake video site that serves a fake Adobe Flash Player update for Macs, supposedly to watch a video.

Anyway, when mounted the DMG file has a package file named "install.pkg". Here's the snapshot of what you get when you open the package:

Install

The "install.pkg" file contains the following files:

install.pkg

We extracted the "Archive.pax.gz" which contains the following files:

Archive.pax.gz

We analyzed each file and found that "AdobeFlash", "preinstall" and "preupgrade" are all the same thing, which is actually an obfuscated bash script:

bash

So here's the de-obfuscated script:

bash1

Based on the above code, the script searches for the string "AdobeFlash" in the Schedule Jobs list; if the string doesn't exist, the script creates the following Schedule Job to run the "AdobeFlash" file every 5 hours.

"* */5 * * * "/Library/Internet Plug-Ins/AdobeFlash" vx 1>/dev/null 2>&1"

Here's the de-obfuscated script after crontab instructions:

bash2

The above code reveals that it will download and execute files from the following site: http://94.247.2.[...]/cgi-bin/generator.pl.

Along with these downloads, it also sends the following information about the infected system:

  •  System Information Processor Type
  •  Computer Name

The downloaded file is also an obfuscated bash script:

bash3

Again, here's the de-obfuscated script of the downloaded file:

bash4

The above code shows that it will modify the infected systemís DNS server to one of the following:

  •  85.255.112.205
  •  85.255.112.237

This range of IP Addresses is actually owned by UkrTeleGroup. We'd recommend blocking DNS traffic to 85.255.112.0 – 85.255.127.255.

Response Team post by — Lordian

 
 

 
 
Monday, March 30, 2009

 
Conficker Hype Used by Rogue Gangs Posted by Patrik @ 20:20 GMT

Oh the irony.

As you're all aware Conficker has been in the news a lot lately, especially with regards to if anything will happen on April 1st or not. We found out that rogue security software folks have picked up on this. For example, let's have a look at remove-conficker.org, a domain which was registered today:

remove-conficker.org

They advertise a tool called MalwareRemovalBot. It's fake. Interestingly, it doesn't always find non-existing malware infections on your PC — only sometimes. But one thing is for sure, it does not remove Conficker.C. We tried it and it didn't do a thing to remove it.

When it did find something that it claimed to be malware it looked like this:

MalwareRemovalBots scanning

And then it asked us to register and pay $39.95 for the removal functionality.

MalwareRemovalBots purchase

When following up on this we did a Google search for "remove conficker.c" and saw several purchased ads that lead to the same type of "security" software as well.

Google search for Conficker.C

Like AdwareAlert and AntiSpy2009, it is clear that it's an affiliate program going on.

Rogue software

Get your facts from known sites and download your removal tools from respected companies. Such as ours which you can find here.







 
 

 
 
Behind GhostNet Posted by Mikko @ 15:32 GMT

The GhostNet spy network was built by infecting sensitive computers with backdoor/Remote Administration Tools (RAT). Most of these are modified and obfuscated versions of Poison Ivy (description) or Gh0st RAT.

These tools are open source backdoors, maintained by loose gangs of hackers.

And these gangs operate openly.

Here's the website for Poison Ivy:

Poison Ivy

With a nice collection of screenshots:

Poison Ivy

And the gang behind Gh0st RAT is known as C.Rufus aka Wolfexp:

C.Rufus Wolfexp

Some quotes from the above page:

  •  "Our†desire for success is like wolf's desire for blood..."
  •  "We work together against the enemy like a pack of wolves…"

Wolfexp website also feature a demo video on how to use Gh0st RAT to take over computers:

C.Rufus Wolfexp

Amazingly, the video ends by showing 10 live webcam sessions, snooping on unsuspected victims without their knowledge.

C.Rufus Wolfexp

On a related note, see this CNN video which interviews of the Chinese underground in 2008. Some of the hackers claim that they were paid by the Chinese government.

 
 

 
 
Sunday, March 29, 2009

 
GhostNet Posted by Mikko @ 14:21 GMT

Typical document used in a targeted attack.

The University of Toronto published today a great research paper on targeted attacks.

We've talked about targeted attacks for years. These cases usually go like this:

1. You receive a spoofed e-mail with an attachment
2. The e-mail appears to come from someone you know
3. The contents make sense and talk about real things (and in your language)
4. The attachment is a PDF, DOC, PPT or XLS
5. When you open up the attachment, you get a document on your screen that makes sense
6. But you also get exploited at the same time
7. The exploit drops a hidden remote access trojan, typically a Poison Ivy or Gh0st Rat variant
8. No one else got the e-mail but you
9. You work for a government, a defense contractor or an NGO

gh0st rat

But the real news is that Greg Walton & co actually managed to get an inside view of some of the servers used in these spying attacks. This means they got to see what was being done with the infected machines and where in the world they were.

GhostNet
Click the image above to read John Markoff's article.

The release of the paper was synchronized with the New York Times article. University of Cambridge released a related research paper at the same time as well. The Cambridge paper goes all the way to point the finger directly at the Chinese Government. Most other parties, us included, have not done such direct accusations without concrete proof of government involvement.

For a reason or another, infowar-monitor.net has been down all day. So we've made a mirror of the research papers available here:

GhostNet.doc GhostNet.doc

More resources: Here's a video that we posted earlier about targeted attacks:

YouTube

And here are selected blog posts on the topic:


 
 

 
 
Thursday, March 26, 2009

 
Questions and Answers: Conficker and April 1st Posted by Mikko @ 14:32 GMT

Conficker and Downadup

Q: I heard something really bad is going to happen on the Internet on April 1st! Will it?
A: No, not really.

Q: Seriously, the Conficker worm is going to do something bad on April 1st, right?
A: The Conficker aka Downadup worm is going to change it's operation a bit, but that's unlikely to cause anything visible on April 1st.

Q: So, what will it do on April 1st?
A: So far, Conficker has been polling 250 different domain names every day to download and run an update program. On April 1st, the latest version of Conficker will start to poll 500 out of 50,000 domains a day to do the same thing.

Q: The latest version? There are different versions out there?
A: Yes, and the latest version is not the most common. Most of the infected machines are infected with the B variant, which became widespread in early January. With B variant, nothing happens on April 1st.

Q: I just checked, and my Windows machine is clean. Is something going to happen to me on April 1st?
A: No.

Q: I'm running a Mac, is something going to happen to me?
A: No.

Q: So… this means that the attackers could use this download channel to run any program on all the machines?
A: On all the machines that are infected with the latest version of the worm, yes.

Q: But what's this peer-to-peer functionality I've heard about?
A: The worm has some peer-to-peer functionality which means that infected computers can communicate with each other without the need for a server. This enables the worm to update itself without the need for any of the 250 or 50,000 domains.

Q: But doesn't that mean that if the bad guys wanted to run something on those machines, they don't need to wait for April 1st?
A: Yes! Which is another reason why it's unlikely anything major will happen on April 1st.

Q: Is there going to be media hype?
A: Oh yes. Like there always is when a widespread worm has a date trigger. Think cases like Michelangelo (1992), CIH (1999), Sobig (2003), Mydoom (2004) and Blackworm (2006).

Q: But in those cases nothing much happened even though everybody expected something to happen!
A: Exactly.

Q: So, should I keep my PC shut down on April 1st?
A: No. You should make sure it's clean before April 1st.

Q: Can I change the date on my machine to protect me?
A: No. While the worm uses the local system time for certain parts of its update functionality it doesn't exclusively rely on that.

Q: I'm confused. How can you know beforehand that there will be a global virus attack on April 1st? There must be a conspiracy here!
A: Yes, you're confused. There is not going to be a "global virus attack". The machines that are already infected might do something new on April 1st. We know this because we have reverse engineered the worm code and can see that this is what it has been programmed to do.

Q: Would the downloaded program execute with admin privileges?
A: Yes, with local admin rights. Which is pretty bad.

Q: And they could download that program not just on April 1st but also on any day after that?
A: Correct. So there's no reason why they wouldn't do it on, say, April 5th instead of April 1st.

Q: Ok, they could run any program. To do what?
A: We don't know what they are planning to do, if anything. Of course, they could steal your data, send spam, do DDoS, et cetera. But we don't know.

Q: They? Who are they? Who's behind this worm?
A: We don't know that either. But they seem to be pretty professional in what they do.

Q: Professional? Is it true that Conficker is using the MD6 hash algorithm?
A: Yes. This was probably one of the first real-world cases where this new algorithm was used.

Q: Why can't you just infect a PC, set the clock to April 1st and see what happens?
A: That's not the way it works. The worm connects to certain websites to get the time-of-day.

Q: Oh yeah? Then shut down the websites where it gets the time-of-day and the problem will go away!
A: Can't. These are websites like google.com, yahoo.com and facebook.com.

Q: But surely you could spoof google.com in the lab to get a honeypot machine to connect to a download site today!
A: Sure. And the download sites do not have anything to download, today. They might, on April 1st. Or they might not.

Q: Now I'm worried. How do I know if I'm infected?
A: Try to surf to www.f-secure.com. If you can't reach our website you might be infected, as Downadup/Conficker blocks access to security vendor's websites. Don't tell anybody, but users who can't access f-secure.com because of this can surf to www.fsecure.com instead.

Q: Where does the name "Conficker" come from?
A: Conficker is an anagram of sorts from trafficconverter – a website to which the first variant was connecting.

Q: Why does the worm have two names – Downadup and Conficker?
A: It was found at about the same time by multiple security companies and therefore got multiple names. Today most companies use the name Conficker. There's further confusion about the variant letters among vendors. We're all sorry for that.

Q: How many computers are currently infected by Downadup/Conficker?
A: About 1-2 million. How many of those are infected with the latest version? We don't have an exact count.

Q: How is the industry reacting to all this?
A: We reacted by setting up the Conficker Working Group. Members include security vendors (including us), registrars, research units and so on.

Q: I want more technical details on the worm.
A: Sure. Here's our description, and here's SRI's excellent writeup.

Q: When was the first variant of Downadup/Conficker discovered?
A: It was found on November 20, 2008.

Q: More than four months ago? I want a time line on what happened when.
A: Byron Acohido has one.

Q: Is this all just an April Fools joke?
A: No, it's not. And although we don't think anything will happen on this particular date, Conficker is nothing to laugh about. The gang behind this is serious and we should not underestimate them. The fact that we don't know for real what they are really after just makes it all a bigger mystery.

Q: Is F-Secure able to detect and block this malware?
A: Yes.

Q: Do you have cleaning tool available?
A: Yes, and it's free. Click here to get it.

Q: Are you going to follow this through?
A: Yes. Stay tuned for updates.

 
 

 
 
Wednesday, March 25, 2009

 
Ad Supported Phone Applications and Proximity Services Posted by Sean @ 16:21 GMT

We saw the following on my-symbian.com:

     My-Symbian have teamed up with ZingMagic to offer you a selection of
     premium quality applications for FREE. These applications are ad-funded.

The ads are shown on your phone's display when you receive calls and text messages.

They are delivered via an application called adtronic. It sounded interesting so we decided to test it out for ourselves. The adtronic application is produced by Liquid Air Lab GmbH.

They have a Flash based demo here.

http://liquidairlab.com

Our tests demonstrated adtronic to be a well behaving application that did exactly what it said it would.

The user interface was easy to locate, the instructions to set the minimum/maximum limits were clear, and the ads themselves weren't actually all that intrusive. Downloading the ad banners requires a data connection and that is clearly stated. It was also easy to uninstall when we were done testing.

Combined with a set of free applications that people really want, this could be a successful business model. Success interests us because a money making business model will be noticed by eCrime.

Advertising revenue is the target of many DNSChanger PC malware families.

Also, while there are still some good Windows based ad supported applications, there are many more that crossover into adware and spyware.

Tell us, what do you think?

Question — Would you use ad supported software on your phone?

And something else we're interested in… What about mobile phone proximity based services?

Stuff like ad2hand, BlueBlitz, and Hypertag.

The basic idea is special offers and promotions are pushed out to those within Bluetooth range.

  •  Come visit our shop and receive a 10% discount!

Question — How would you feel if you were pushed an ad via Bluetooth?

Perhaps it would make a difference if the marketing material is pulled rather than pushed?

Your comments are welcome.







 
 

 
 
Another Day, Another Video Site with Malware Posted by Response @ 06:53 GMT

We recently received reports of a file named "ActiveXsetup.exe", which was downloaded from http://world-tube .biz.

World-tube

For people that want to play the video, there's a notice written on the page on red font that "You may need to download an ActiveX video codec (VAC)…". This old trick is well-known and commonly used by other malware.

Remember the Facebook site that attempts to trick people into downloading and executing a fake Adobe Flash Player?

Still, what happens when an unsuspecting user downloads the "ActiveXsetup.exe codec", thinking it is legitimate software? Hereís the snapshot of it, as it is executed:

TDSS installer

The file is a NSIS setup file, with a "Playme.exe" file inside the archive. Turns out the setup file is detected as Trojan:W32/TDSS.BR, while the Playme file is detected as Worm:W32/TDSS.BU.

So, more video sites serving malware. Watch out for these sites and stick to the trusted ones.

Response Team post by — Lordian

 
 

 
 
Tuesday, March 24, 2009

 
Something's Going Down @Twitter Posted by Patrik @ 18:41 GMT

Twitter.com is really slow today, most likely due to spammers using it to flood the system with messages such as this:

Free Range Rover

I created a new dummy account to test this and literally within seconds of signing up I had two followers.

One was DowningStreet which is the official Twitter account for the guy who runs the UK. The other follower was Kristen Andrews. If we take a look at her Twitter page we see a link:

Kristen Andrews

The link goes to… a Casino site!

Casino site

This page asks you to download the file goldencasino.exe which is a Casino game.

My "follower" Kristen's account was deleted within 10 minutes so it seems as Twitter is aware of the problem.

But let's follow the link from the first screenshot to really see what these scams are about. Who doesn't want a free Range Rover? Clicking on the link takes us to a page talking about how we can make $5000 USD per month. What happened to my free Range Rover!?

Google Cash

It still sounds like a good deal so let's go on. Clicking on any of the links takes us to (after a redirect via krovs.com) to onlinewizards.net where it says we can now make $6500 per month.

Google Cash

This is getting better and better. So let's sign up.

Google Cash

So this is what it's really about, they want my credit card info and my personal details. Stay away from it.

Tweeting off,
Patrik

 
 

Friday, March 20, 2009

 
Trafficconverter.net Going Down Posted by Mikko @ 14:22 GMT

One of the more notorious pay-per-install programs, Trafficconverter has been taken down today.

These sites work like this:

1.  Trafficconverter develops a "rogue" antivirus product
2.  The product will find viruses even on clean systems
3.  It won't "clean" those viruses unless you register the product
4.  Trafficconverter does not market their software at all
5.  Instead, all the marketing is done through affiliates
6.  Affiliates have existing botnets of thousands of infected computers
7.  They remotely install these rogue products to those computers
8.  Confused end users see warning messages about viruses on their screens
9.  …and register the rogue product for $50 to "fix" their machine
10. Affiliates get $30 per customer, Trafficconverter get $20
11. ???
12. PROFIT!

So, it's good to see these guys going offline.

Here's the front page of trafficconverter2.biz yesterday:

Traffic converter

Same page today:

Traffic converter

Kudos to Brian Krebs!

 
 

 
 
Thursday, March 19, 2009

 
Comcast High Speed Internet Posted by Patrik @ 16:17 GMT

Just a quick note on a new spam run that's going on. It's from the same group that used Bank Of America as the lure late last week and Northern Bank on Monday.

Today it's Comcast and it might actually have a higher success rate then the previous run as users always want faster broadband, especially if there's no fee involved. And the page looks really convincing.

Once installed the malware does the same as in the other spam runs - steals data and sends it to Hong Kong.

Comcast

Click on the picture for a full page screen shot

Update: The spam run was just changed to a Facebook scheme.

Some subjects are:

     FaceBook message: Magnificent girl dancing video clip (Last rated by Sal Velasquez)
     FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Abe Bain)
     FaceBook message: Hot Girl Dancing At Striptease Dance Party (Last rated by Lowell Clay)
     FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Shane Lucas)

Facebook

 
 

 
 
Skinny Guy Eats 53 Hot Dogs Posted by Mikko @ 15:17 GMT

YouTube is once again being used as a lure to spread malware.

Some clown is sending out e-mails such as this:

Skinny

Unlike most of the other similar cases, this one does not try to trick the user into downloading and installing a Flash "update".

Instead, if you follow the link, this one actually uses a Java applet (complete with a fake signature) to push a variant of Parite to the machines.

Skinny

The fake webpage runs on youtube.ikwb.com, the malware is downloaded from adobe-flash-player.serveftp.net.

Watch out.

 
 

 
 
Note, you may need to turn off your Anti-Virus... Posted by Sean @ 15:09 GMT

The YouTube video promoting a supposed Wii Points Generator, which we blogged about yesterday, has been removed due to terms of use violation.

What's more, the entire "ItunesGenerator" channel has been removed.

Nice.

Today we took another look and found some more videos to flag.

This video links to a file called Nintendo_Wii_Points_v2.exe. Wait, what does it say underneath the tooltip?

YouTube, willyspunk

Note, you may need to turn off your Anti-Virus?

YouTube, willyspunk

Right… that doesn't sound at all suspicious.

Let's search for "note, you may need to turn off your" and see what happens.

Hmm. Seems that there are plenty of videos to flag as malware pushers:

Note, you may need to turn off your anti-airus

 
 

 
 
Wednesday, March 18, 2009

 
YouTube Videos Promoting "Wii Points Generator" are Backdoors Posted by Sean @ 17:33 GMT

Christopher Boyd of FaceTime Security Labs wrote an interesting post regarding YouTube videos that promote Nintendo Wii Points Generators. They're a scam of course… and greedy victims attempting to steal Wii Points will get a malicious backdoor called Bifrose for their trouble.

WiiPoints01

Checking out some of the videos for ourselves, we discovered that the video information sections contained a link to a RapidShare download called Generator.exe. That's a trojan-dropper that installs the Bifrose backdoor.

There are a number of such Wii scams on YouTube, and for several months too.

WiiPoints02

At the top of the list is itunesGenerator, age 18:

WiiPoints06

His Wii Points video has almost 36,000 views.

And his channel has 252 Subscribers??? We thought that was interesting.

WiiPoints05

Who are these people? Fake accounts to support his feedback? Or affiliates that have purchased backdoor access?

And here's a selection of his "positive" feedback:

WiiPoints03

Of course the comments are moderated. Do you think our comment will be approved?

WiiPoints04

No — Not very likely.

We flagged the video with YouTube, but as Mikko's post from last week shows, YouTube doesn't really have an exact match for this type of scam. You can flag videos for visual content promoting physical bodily harm, but it's more difficult to warn of content with harmful consequences to your computer, should you follow its advice.

Update: Searching for XBox Points Generator and iTunes Gift Cards also leads to malware and phishing sites.

We hope this is something that YouTube acts on soon.

 
 

 
 
Tuesday, March 17, 2009

 
Geburtstagsgeschenke! Posted by Mikko @ 07:09 GMT

GermanyHey, our German office is ten years old (F-Secure is over 20 years old as a company).

As part of the celebrations, we were asked to come up with a list of the most important viruses for the past 10 years.

That wasn't too hard. For most years it's easy to name THE virus incident of the year:

  1999: Melissa
  2000: Loveletter
  2001: Code Red
  2002: Nimda
  2003: Slammer
  2004: Sasser
  2005: Sony rootkit
  2006: Warezov
  2007: Storm
  2008: ???
  2009: Downadup

But what about year 2008?

What was the most important malware for the year 2008? Mebroot? Antivirus XP? Banker? Something else?

Let us know your suggestions.

 
 

 
 
Friday, March 13, 2009

 
Malicious spam run. Again and again and again... Posted by Patrik @ 16:37 GMT

The type of spam runs we saw late last year (Obama and BofA) are starting to pick up again in volume. We've seen Classmates being used as a theme and two days ago it was fake Facebook messages. Today it's back to fake Bank of America certificates.

Fake BofA site

As in all previous spam runs it leads to a site prompting you to download a fake Adobe Flash player. This malware steals confidential information and sends it to a web server. In previous attacks this server was in the Ukraine but it has now been moved to Hong Kong. If you see network traffic to the IP address 58.65.232.17, it's a bad sign.

 
 

 
 
Thursday, March 12, 2009

 
New Online Backup Beta Available Posted by Response @ 19:47 GMT

You may remember the pilot project for our Online Backup back in December.

Version 2.0.0 is now available; its beta piloting project has just started. Online Backup makes it possible to back up your important data — photos, e-mails, documents and so forth — over the Internet to secure backup servers. Because you know that it's not a matter of if your hard drive fails, but when.

It also allows you to share items with friends via the Internet.

Online Backup

We're now releasing the Windows version for beta piloting. A bit later a brand new Mac version will also be made available.

We have a limited number of beta licenses to give out so if you want to try it out, act now! Once the licenses are given out, the beta program will close. You can join it at this address:

http://www.f-secure.com/en_EMEA/support/home-office/beta-programs/olb/

 
 

 
 
Wednesday, March 11, 2009

 
It's PDF Patching Day Posted by Mikko @ 15:59 GMT

Get the patches while they are hot:

Update Foxit Reader if you have it already.
Update Adobe Reader if you still have it.

Foxit 3.0.2009.1506

Do note that while we are recommending users move away from Adobe Reader, we are not recommending any particular replacement.

So, we're not recommending Foxit. We're not recommending Sumatra. Or PDF-Xchange, CoolPDF or eXPert PDF.

Instead, we recommend users to find their own Adobe Reader replacement.

This way we get more heterogeneous userbase, which is a good idea security-wise. Nobody wants to repeat what happened with the great IE —> Firefox switch. As 40% of users switched to Firefox, about 40% of the attacks switched to target Firefox.

Monocultures are bad.

 
 

 
 
Tuesday, March 10, 2009

 
Follow Patrik on Twitter Posted by Sean @ 08:42 GMT

Our Chief Security Advisor, Patrik Runald, is based in San Jose, USA. You can follow his Tweets from http://twitter.com/patrikrunald.
 
 

 
 
Monday, March 9, 2009

 
Nominate Your Favorite Security Blog Posted by Sean @ 16:27 GMT

Only a short post today — it's been very busy lately…

Do you like our blog? If you do, consider nominating us for the first annual Social Security Awards.

     Held in conjunction with the Security Bloggers Meet-Up at RSA Conference 2009,
     the Social Security Awards give readers a chance to recognize the best, brightest,
     and most entertaining bloggers and podcasters in the field.

The categories:

http://www.SocialSecurityAwards.com/

And the link:

http://www.socialsecurityawards.com/

Nominations close March 31, 2009.

 
 

 
 
Wednesday, March 4, 2009

 
Illegal Trading on YouTube Posted by Mikko @ 10:20 GMT

Online criminals regularly post their ads on YouTube, looking for buyers for their products.

Some recent examples:

YouTube carding

YouTube carding

YouTube carding

YouTube carding

YouTube carding

YouTube carding

YouTube carding

YouTube carding

YouTube carding

YouTube carding

YouTube carding

YouTube carding

No big surprises there.

A bit more surprisingly, when you want to report such videos to YouTube admins, they actually don't have an option for reporting criminal use like this.

YouTube carding

Updated to add: We've obfuscated image number eight.

It seems that the criminal's YouTube video is ripping off the logo of a legitimate security company called Pure Hacking.

They've received some questions due to this post. Don't be confused, the YouTube video is stealing their logo.

 
 

 
 
Monday, March 2, 2009

 
Hiring : This Job is Not Safe For Work Posted by Response @ 18:29 GMT

Forget about malicious software for a minute…

Let's take a look at another kind of content that's more or less available on the Internet — Pornography.

Not Safe For WorkHow to find it? How to detect it?

How to tell "good pornography" from "bad pornography". Odd question, right?

Good is safe for your credit card, and is legally produced. Bad equals people who want to steal your money, abuse children or have other illegal intentions.

Why do we bring this up?

Our Security Research Lab has a team dedicated to technology that identifies and classifies the content of websites. This technology is the primary underlying element of our F-Secure Parental Control. We also do quite a bit of manual research.

We *suffer* so your kids don't.

In case you're interested in this line of work, we have a job opening.

"F-Secure Corporation is looking for a technically skilled individual to fill a position in Security Research. You will develop and track the quality and value of detection software, platform solutions and processes that enable the F-Secure Parental Control and other content related detection services."

Our Careers page has more details, the "Quality Engineer with Development skills, Security Research Program" position.

 
 

 
 
Phishing Sites are Compromised and Re-compromised Posted by Sean @ 14:56 GMT

Tyler Moore of Harvard and Richard Clayton of Cambridge have studied the usage of search engines in the compromise of Web servers in order to host fraudulent content, e.g. phishing sites.

     "Although the use of evil searches has been known about anecdotally,
     this is the first paper to show how prevalent the technique has become,
     and to report upon the substantial rates of recompromise that currently occur."

Anecdotal evidence of multiple attacks?

Our May 21st, 2008 post is one such example. We've seen compromised sites becoming re-compromised for quite some time now.

Moore and Clayton's paper offers some fascinating analytics on the topic. They've found that compromised machines accounted for 75.8% of all the attacks analyzed. And 20% of the sites that were compromised were successfully attacked again within six months.

The paper is called Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing.

You'll find a download link from Richard Clayton's post on Light Blue Touchpaper.