Adobe's PDF Reader gets lots of criticism for poor security. However, the problems go beyond one specific PDF reader brand.
Have you ever looked at the specifications for the PDF file format? You can download them from here (PDF). They're 756 pages long. For real.
There's some crazy stuff in the PDF specs.
Take a look at these.
You can embed movies and songs. Into a PDF file. What?
PDF files can contain 3D objects, complete with embedded JavaScript? Who comes up with these things?
PDFs can have forms. That's fine. But why do we need functionality where such forms can submit the data you input directly to a server somewhere on the net?
There's a function within PDF specs to launch executables. Or to run JavaScript. Why do we need these things?
With specs like these, it's no wonder it takes ages for Adobe Reader to boot up and load all the plugins.
It's no wonder there are regular security problems with PDF readers in general.
The perfect example is the "Escape from PDF" demo from Didier Stevens' blog.
Users of Foxit Reader: try opening Didier's demo PDF file. After opening, it will run CMD.EXE on your system; no questions asked. And this is a legitimate PDF file which uses no exploits.
One way to reduce your risk is not to download PDF files from the web to your machine at all. Instead of opening the files on your local machine, you can open them remotely in viewers like Google Docs. This process can be made completely automatic with plugins like gPDF (for Chrome/Opera/Firefox/Iron). Do note that it will only work with PDF files you access in the public web.
Otherwise, our guidance would be to use a PDF reader that's as unpopular as possible. The less users a product has, the less attacks it will attract.
Updated to add: A press representative of Foxit software sent us a message via our weblog@ address. Foxit is working on an update/fix for their reader. See this post's comments for more details.
Microsoft is releasing a cumulative update for its Internet Explorer browser.
The update is out-of-band and patches an exploited vulnerability in IE 6 and 7. The update also fixes 9 additional vulnerabilities, and for those, Internet Explorer 8 and Windows 7 are included in the affected software. Automatic updates will therefore be available for most Windows systems later today.
Does a Facebook-specific antivirus application sound like a good idea? Maybe not. One of our analysts saw this particular application claiming to be an antivirus wreak havoc on his Friends list. Of course, there is no such thing.
Once installed on one Friend's account, this application tags 20 Friend into a picture such as the one below:
If a Friend looking through the photos then clicks on the app's (apparently randomly generated) link, they'll see this:
If you have a lot of friends, you might end up with a series of albums like this:
You can find more information about this, including instructions on how to remove the tags on the photos, at FacebookInsider.
Updated to add: Examples include Antivirus in Focebook and F'acebook antivirus.
Notice the misspelling of Facebook in both names. Facebook is already in the process removing and preventing such rogue apps.
Looking for something to do at home this weekend? You are? Excellent, then try out our latest Online Backup beta.
I have to admit, I haven't tried this product since its first release. We can't test Backup on our production computers (naturally), and I've been busy building new computers at home (so nothing really to backup, yet).
This latest version 2.2.0, according to project manager Tapio K., includes the ability to share as well as supporting size limits.
So, after your photos are all backed up, you can select some files and configure them to be shared with your friends and family. There's a web portal interface for configuration, and the portal also enables access to your content when you're away from home. Sounds pretty cool.
Both Windows and Mac versions are available for testing.
Monday's post regarding the Merogo SMS worm noted its use of signed installation files and that the Symbian Foundation promptly revoked the publisher ID that was used.
So, the worm's files were signed but the certification has been revoked. Problem solved, right?
Unfortunately, not quite yet. One more step is required. Typically, S60 phones aren't configured to check for certification revocation by default.
This is very understandable. If hardware vendors shipped phones configured to make data connections by default, it could potentially cause very big customer service headaches for telephone operators. The hardware vendor cannot assume that the customer will buy a data plan, so the certification check is turned off by default.
If you have an S60 phone, and have a data plan, we suggest adjusting your Application Manager settings.
A few of days ago, we encountered an e-mail with a malicious RTF attachment. It was sent with a supposed lawsuit notification message.
The e-mail didn't mention any company by name and took a shotgun, rather than targeted, approach.
Today, a security blogger forwarded us (and others) his version of the e-mail:
At this point, it appears that the attachment has been replaced by hyperlink pointing to the Marcus Law Center.
It is difficult to determine whether or not the MLC site is compromised or just completely bogus. Their Our Firm page text borrows heavily from a New York lawyer's site, but that could just be a case of "honest" plagiarism.
In any case, our browsing protection feature is now blocking the sub-directory hosting the malicious file as unsafe.
The RTF file includes an embedded object that acts as a trojan dropper (Trojan-Dropper:W32/Agent.DIOY) and it drops a downloader (Trojan-Downloader:W32/Lapurd.D), which then attempts to connect to a server located in Southern China.
The earlier attachment that we saw also attempted to connect to a server in China.
Our Online Tools team recently released an updated version of our Health Check utility. In addition to the updated signature database, new features added are:
• Monthly e-mail reminder to run Health Check • Additional browser support for Chrome 3.0 and Opera 10.10
Recap: F-Secure Health Check is an online check that tells you if your computer is protected. It is designed to help a busy computer user simplify their computer/program security maintenance routine, so it will:
• Check for security updates for the most frequently used programs (OS, browsers, media players, etc.) • Check that documents, image files, etc. are backed up • Provide a summary of the computer's 'health' or overall security, and recommendations for improving it
�lyp��, a popular Finnish game and quiz site, announced a database breach late last night.
Over 127,000 account names and passwords were leaked.
The site has currently suspended access and doesn't maintain any personal details but �lyp�� users should determine whether or not they recycle their passwords elsewhere. If so, those accounts are at risk of being hacked.
Mozilla Firefox recently came under fire for a vulnerability that affected (only) the 3.6 version.
The German government went to the extent of cautioning its citizens to steer clear of the Mozilla Firefox browser until 30 March, when an update was expected to be released.
Well, the 3.6.2 version is now out early, with fixes for that vulnerability as well as a few other issues.
So stay safe and update to the latest browser — whether Firefox or otherwise.
For more info, check out the Firefox 3.6.2 release notes.
We're investigating a series of SMS Worms, found in the wild in China. Known as Trojan:SymbOS/MerogoSMS, these worms try to spread on Symbian Series 60 3rd Edition devices. Symbian continues to be by far the most common smartphone operating system in the world.
These worms spread by sending text messages to other phones. The text messages contain variable messages (in Chinese), and a link to a website. If the link is followed, the user is prompted to install an application — infecting the phone and restarting the SMS spreading.
In addition to spreading, these worms seem to have the capability of sending messages to expensive premium-rate numbers.
As unsigned software can not be directly installed on Symbian Series 60 3rd Edition devices by default, the SISX installation packages of this worm have indeed gone through the Symbian Signed process. Apparently they were submitted through the Express Signing mechanism. The signed installation files contain further, unsigned SISX files which the host installer will deploy. Such mechanism makes it hard for certification systems to get a full view of what the program actually does.
Symbian Foundation has already revoked the publisher ID that was used for these packages.
We have no reports of this malware from outside China.
Today there's a phishing run underway in Twitter, using Direct Messages ("DMs"). These are private one-to-one Tweets inside Twitter.
The messages look like these:
If you follow the link, you end up to a fake Twitter page:
If you mistakenly give out your credentials, the attackers will start sending similar Direct Messages to your contacts, posing as you.
The ultimate goal of the attackers is to gain access to a large amount of valid Twitter accounts, then use these account to post Tweets with URLs pointing to malicious websites which will take over users computers when clicked.
Lets have a closer look at the domain mhansenhome.org.
The front page seems to be an active MySpace phishing page. Nice.
The good news is that Twitter is already filtering these from being posted, although it's unclear if they are also removing already-delivered DMs.
Also, the Twitter built-in link shorteners (twt.tl and bit.ly) already detect the URLs as malicious:
Buying and selling stock online is big business. It also carries its own risks. And we don't mean the risk of doing bad investments; we mean losing access to your trading account because your computer got infected by a keylogger.
Take a case of Mr. Valery Maltsev from St. Petersburg.
Maltsev runs an investment company called Broco Investments (available online at www.brocompany.com).
Unfortunately (for him), Maltsev was yesterday charged by US Securities & Exchange commission.
They claim that Maltsev's extraordinary gains in thinly traded NASDAQ and NYSE stocks were not a coincidence. Apparently Maltsev used malware with keyloggers to gain access to other people's online trading accounts. With such accounts, he could buy stocks at inflated prices, and use his real account to sell the same stock, for instant gains.
Quoting from the SEC Complaint:
On December 21,2009, at 13:37, BroCo bought shares of Ameriserv Financial, Inc (ASRV) at a price of $1.51 per share. Approximately one minute later, three accounts at Scottrade were illegally accessed and used to purchase shares of ASRV at prices ranging from $1.545 to $1.828 per share. While this was happening, BroCo sold shares of ASRV at prices ranging from $1.70 to $1.80 per share, finishing at 13:52. By trading shares of ASRV within minutes of unauthorized trading through the compromised accounts, Maltsev and BroCo grossed $141,500 in approximately fifteen minutes, realizing a net profit of $17,760.
Here's the stock chart for Ameriserv Financial. You can clearly see the unusually high trading levels on December 21st.
SEC claims that overall, Maltsev made more than $250,000. More details in the original SEC Complaint (PDF file).
And this is not the first time we've seen this. There was a very similar case in 2006, where Mr. Jevgeny Gashichev was running a fake Estonian company called Grand Logistics.
His tactic was almost identical: he used keyloggers and phishing attacks to gain access to stock trading passwords, inflated the price of a penny stocks and cashed in.
The SEC claims that Gashichev made more than $350,000. Again, more details in the original SEC Complaint (PDF file).
An Estonian virus writer has been sentenced to jail in Harju, Estonia.
The author of the Allaple virus family, 44-year old Mr. Artur Boiko pleaded not guilty.
Nevertheless, he was found guilty and sentenced to 2 years and 7 months in prison.
Allaple is a complex worm using polymorphic encryption. It spreads over network shares and by modifying local HTML files. When such HTML files are uploaded to public websites, they spread the infection further.
Apparently Mr. Boiko had been in a car accident and had ended up in dispute over his insurance claim with If Insurance. As a result, his worm launches DDoS attacks against these sites:
www.if.ee (website of the insurance company) www.online.if.ee (customer online interface of the insurance company) www.starman.ee (website of a local ISP)
The DDoS attacks were quite serious — see this post from ISC Diary in 2007.
We detected several variants of Allaple during 2006-2007. The problem is that this is not a botnet — these worms have no command and control channel. The infected machines will attack their targets until they are cleaned. There are still thousands of active, infected computers today around the world, and they are still attacking. And the worm is still spreading further.
Snapshot from F-Secure interface showing new samples on 11th of March 2010
Boiko was sentenced to prison, where he has already been awaiting his trial for 19 months. He was also sentenced to pay the following sums to cover losses:
To If Insurance: 5.1 Million Estonian Kroons (about 330000 Euros or 450000 USD) To Starman ISP: 1.4 Million Estonian Kroons (about 91000 Euros or 130000 USD)
F-Secure has an additional blog that launched today. It's called Safe and Savvy.
You'll notice that the name is pink. That's part of our new brand but it also reflects the authorship. Safe and Savvy's contributors are the female employees of F-Secure (mostly).
I set my computer's Regional Options for the United States even though it's physically located in Finland (I'm an American after all).
Regional settings might trump my IP address, I thought… but it seems not. I manually ran Microsoft Update and was provided access to KB976002. Cool.
If you're located outside of Europe and are wondering what's this is all about, read this from the BBC.
Microsoft is offering alternative browser options to European Windows users to settle an anti-trust lawsuit. The update component points users to browserchoice.eu — from where they can select from 12 different web browsers.
On a somewhat not completely unrelated note: Microsoft Security Advisory (981374) was published yesterday.
"Microsoft is investigating new, public reports of a vulnerability in Internet Explorer 6 and Internet Explorer 7."
The vulnerability could allow for remote code execution.
Once again, that browser choice link is browserchoice.eu. Share it with your family and friends.
Microsoft schedules its security updates on the second Tuesday of the month. Adobe recently began following this schedule as well, and while there are no Adobe updates today, there was an out-of-cycle security update two weeks ago.
That update should now be applied if you haven't already done so.
Why?
Because we're now seeing the vulnerability (CVE-2010-0188) being exploited in targeted attacks (Microsoft also).
Our sample was submitted by a European financial organization and the file name includes a reference to the G20. The exploit drops a downloader and attempts to make a connection to tiantian.ninth.biz. We detect this attack as Exploit:W32/PDFExploit.G.
It doesn't surprise us to see this Adobe Reader vulnerability utilized so quickly.
Looking through our sample management system, we see a growing number of targeted attack files.
There were 1968 files in 2008. The number was 2195 during the year 2009. That isn't a very large increase in the overall total from 2008 to 2009 but we did see a greater percentage targeting Adobe.
And how about the first two months of 2010?
Well, so far the number is 895, which will more than double last year's number if the current pace continues.
The percentage targeting Adobe Reader continues to rise.
Here's a graph with a breakdown of the most common attack vectors used in targeted (espionage) attacks:
Updated to add: A couple of readers noticed that our graph's 2009 percentages were slightly off — it's been corrected.
As "JiLsi" — one of the online criminals from Darkmarket — was sentenced last week to almost five years in prison, we have received some media queries on the case.
In particular, one journalist wanted to know what JiLsi (aka Renu Subramaniam), Matrix001 (aka Markus Kellerer) and Cha0 (aka �ağatay Evyapan) looked like when they were posting to the Darkmarket forum.
So I went back to my notes and dug up example posts from the guys, complete with their avatar icons. Perhaps these are interesting for our blog readers too.
Somebody is trying to pose as us. If you see an email like the one below, please ignore it:
From: security@f-secure.com Reply-To: securitysupport@hotxf.com Subject: Security Maintenance.F-Secure HTK4S Date: Fri, 5 Mar 2010 18:11:05 -0000 To: undisclosed-recipients:;
Dear Email Subscriber,
Your e-mail account needs to be improved with our new F-Secure HTK4S anti-virus/anti-spam 2010-version. Fill in the columns below or your account will be temporarily excluded from our services.
E-mail Address: Password: Phone Number:
Please note that your password is encrypted with 1024-bit RSA keys for increased security.
Management.
Copyright 2009. All Rights Reserved.
Before you ask: No, we've never heard of "F-Secure HTK4S anti-virus" either.
Just when we thought SEO using Flash was as interesting as SEO poisoning can get, it seems it's getting even sneakier…
Imagine a PDF file posted by someone evil online. Of course, Google being Google, the file is recognized as a PDF.
And when we open it, it really is a PDF. No evil codes inside, just a good old vanilla PDF file.
Three hours later… Google still says the file is a PDF. Brod (one of our geeky guys here) is attributing this to Google's cache.
But is it really a PDF this time around?
It morphed! And it even has different topics this time. Topics which, when you follow them, will lead you to another PDF:
At least for a few hours before it becomes…
It's a vicious cycle, but a pretty neat trick. Who would suspect a non-malicious PDF file right? At least before it becomes an HTML file. And the end result is a rogue antivirus scam.
Another day, another news, and well… another SEO poisoning stint.
Using PDF files in SEO poisoning is recent, but not exactly fresh news. So we were thinking of just adding the malicious URLs to our Browsing Protection and creating detections for the corresponding files… Then, we saw something:
Ok, could be a one time thing, so we checked the other sites:
And in the usual geeky fashion in the lab… we got excited.
When decompressed, the SWF contains this:
Since a lot of websites use SWF, most users have already installed Flash support in their browsers, thereby also enabling support for the malware behavior.
The SWF is of course the key to getting to:
It seems that the bad guys want the malicious URLs to be hidden inside the SWF.
Perhaps it makes them sleep better at night thinking that their sites won't be discovered very soon.
The malicious URLs are now blocked via our Browsing Protection and malicious files are detected.
Another way of shutting down a botnet? Arrest the botmasters!
Three Spanish citizens have been arrested for running the "Mariposa" botnet. The three reportedly have no criminal records and have limited hacking skills. Mariposa is a Butterfly Kit based botnet, and the kit is no longer for sale.
Details are available from the BBC and The Register. Kudos to those involved in the arrests.
Criminals like to attack the biggest target because BIGGER generally provides a better Return On Investment (ROI). Windows is a good example. Mac is indeed safer than Windows but it isn't necessarily because Mac is more secure. Windows has a larger market share and that equals more potential victims.
How about search engines? What is the biggest search engine on the block? Google — and the bad guys know it. The result?
It's becoming less and less safe to search via Google.
Yesterday, I was testing Internet Explorer 8 and made a typo in the address bar. Instead of update.microsoft.com I used updates.
There is no such domain, so Microsoft Bing kicked in and I ended up with the following search results:
What? No results?!?
So I searched for updates.microsoft.com with Google.
Did I mean update? Yeah, I guess so… Thanks.
Bing's results seemed sort of odd so I examined the settings and it turned out to be some idiosyncrasy of Finnish based results.
Changing the settings to the United States produced the following:
Better.
I continued testing Bing. Here's a Bing search for microsoft updates:
84,700,000 results.
Here's a Google search for the same:
90,900,00 results.
But how about something timely? Using Google trends, I found a hot search topic.
Minnesota's appliance rebate program has 5m dollars to give its citizens for buying energy efficient appliances, e.g. refrigerators.
But here's an important difference — I didn't find any harmful links from Bing's results.
Google, on the other hand, had many bad links. This was the sixth result on the first page:
Clicking the link launched a rogue scam:
And then I was given the typical scan scam crap that is so profitable for the bad guys:
The site pushed this file:
It's now detected as Rogue:W32/FakeAlert.LB.
The folks at Google work hard to filter out harmful search results, but it's a difficult task.
The bad guys are constantly working against Google and they often get past their defenses long enough to infect victims. So what can you do stay safe? Avoid monoculture — try something else.
Because soon enough… Bing just might be the search engine that you want to bring home to your mom.
Google has been around and is simply receiving too much attention from the wrong sorts of guys.
Charlie Miller, the Pwn2Own contest winner for two years in a row, gives his take on Internet security. Guess what — your Mac OS is no less vulnerable than its Microsoft Windows counterpart.
Windows 7 or Snow Leopard, which of these two commercial OS will be harder to hack and why?
Windows 7 is slightly more difficult because it has full ASLR (address space layout randomization) and a smaller attack surface (for example, no Java or Flash by default). Windows used to be much harder because it had full ASLR and DEP (data execution prevention). But recently, a talk at Black Hat DC showed how to get around these protections in a browser in Windows.
No operating system and browser is immune to an attack. And, Flash is the bane of security (well, one of it anyway).
In your opinion, which is the safer combination OS+browser to use?
That's a good question. Chrome or IE8 on Windows 7 with no Flash installed. There probably isn't enough difference between the browsers to get worked up about. The main thing is not to install Flash!
The interview was conducted by Matteo Campofiorito at OneITSecurity. You can read the full version here.
Moscone Center, San Francisco, USA is the site of this week's RSA Conference 2010. It's the world's largest information security industry conference with well over 10,000 attendees. For some perspective on just how big it is: there are 19 different tracks of talks going on at the same time given by 556 speakers.
This year we have three talks being presented by fellows of F-Secure:
Mikko has two presentations, "Case m00p" and "Mobile Malware in 2010".
Antti and Kimmo are presenting "Rootkits in the Real World Today".
We've been seeing a gradual shift in malicious PDF file coding (no surprise there, we know malware authors can and do adapt their techniques).
For a long time, we saw malicious PDF files that were simple enough to allow us to readily decipher the intent of the malicious code — shell code, download/execute, drop and load, et cetera.
Now we're seeing more and more complex obfuscation being used, which requires us to break down the PDF file. This can make an Analyst's daily life more miserable or interesting, especially as the obfuscation can bypass automated analysis tools and even AV detectors.
One technique I've encountered in the last few months uses Adobe-specific JavaScript objects such as getPageNthWord and getPageNumWords. Here's a screenshot of one example:
Note how it uses old-school style spacings. Comments in the notepad were added for easier readability.
Anyway, once this is normalized, it becomes something much easier to read and analyze:
An interesting analysis about PDF obfuscation is also available at SANS.
As unsigned software can not be directly installed on Symbian Series 60 3rd Edition devices by default, the SISX installation packages of this worm have indeed gone through the Symbian Signed process. Apparently they were submitted through the Express Signing mechanism. The signed installation files contain further, unsigned SISX files which the host installer will deploy. Such mechanism makes it hard for certification systems to get a full view of what the program actually does.
