NEWS FROM THE LAB - April 2009
 

 

Thursday, April 30, 2009

 
Facebook Security Questions Posted by Sean @ 14:59 GMT

Facebook has excellent granular privacy controls.

Facebook Privacy_Controls

But here's the thing…

What's the deal with Facebook's Security Questions???

Facebook Security Questions

Mother's birthday? — Father's middle name? — Third grade teacher?

Security challenge questions based on social information are probably not the best idea on a social networking site. Particularly now that Facebook's user base is as expansive as it is.

After all, who's going to know personal details about yourself?

That's right — your friends.

Facebook should revise this sooner than later.

 
 

 
 
Wednesday, April 29, 2009

 
Targeted Examples Posted by Mikko @ 14:22 GMT

We continue to see targeted attacks. More and more of them. We're currently collecting some statistics on the frequency of these attacks and hope to publish them here later this week.

Here are some recent examples of documents that we've seen in targeted attacks. All of them use known vulnerabilities to drop backdoors that take over the computer.

The examples cover all popular file types: DOC, XLS, PPT and PDF. (Just to be fair.)

We've seen all of these cases exactly once, worldwide. So whoever got hit by these, it wasn't just bad luck and it wasn't just a coincidence.

Our first example looks like an average in-house purchase agreement… but when viewed, it drops a backdoor that connects to lemondtree.freetcp.com. XLS file.

Assets

Connects to heet.25u.com. PDF file.

UNICEF

Drops files called hlwin32.dll, hlsvc32.dll and svchost.exe to SYSTEM32 or TEMP folders. PPT file.

USFood

"Fertilizer news and analysis"? What? Drops a backdoor that connects to wolfdu.5166.info. PDF file.

Market

Drops a variant of Poison Ivy remote access trojan. PDF file.

Medvedev

We don't have any information on the identities of the parties targeted with these attacks.

 
 

 
 
Two New Vulnerabilities in Adobe Acrobat Reader Posted by Patrik @ 04:18 GMT

Two new vulnerabilities have been found in Adobe Reader and are under investigation by Adobe. The vulnerabilities exist in two JavaScript functions, getAnnots() and spell.customDictionaryOpen(), and both allow remote code execution. This means they both could be used in targeted attacks and drive-by downloads. Proof-of-concept (PoC) code is available for both vulnerabilities, but so far there are no in-the-wild attacks.

We've said it before but it's worth repeating — use an alternative to Adobe Acrobat Reader. We won't recommend any reader over another, as it would be better if people used a wide variety of them. A list of readers can be found at pdfreaders.org; others are Foxit, CutePDF, etc.

If you can't change from Adobe Reader we strongly recommend that you disable its ability to run JavaScript.

This is easily done via: Edit –> Preferences –> JavaScript –> Un-check "Enable Adobe JavaScript"

Disable JavaScript in Adobe Reader

Adobe has a blog post with more information here.

 
 

 
 
Tuesday, April 28, 2009

 
Estonia Posted by Mikko @ 19:51 GMT

Today is the 2nd anniversary of the nation-scale DDoS attacks against Estonia.

Availability graph of the Estonian government website on the 30th of April 2007

Here's the very first blog post I made on these developments on Saturday, the 28th of April 2007, as things started happening. Here's a follow-up post a couple of days later. Reading these now, they really feel sort of historic. Things changed in April 2007.

By coincidence, I've spent the day in Estonia, participating in the EU Ministerial Conference on Critical Information Infrastructure Protection.

Today's first presentation was by the President of Estonia, Mr. Toomas Hendrik Ilves.

Ilves

I was really impressed by the talk by Mr. Ilves. It was a rhetorically sound and masterfully executed talk by a European statesman. And even though it was on the topic of my own expertise, I still found it insightful. It was also refreshing to listen to him mention technical details like botnets, DNSSEC and DDoS. Impressive. Watch this man.

Signing off,
Mikko
http://www.twitter.com/mikkohypponen

 
 

 
 
Monday, April 27, 2009

 
CAPTCHA me if you can! Posted by Mikko @ 14:36 GMT

Last week, a Vietnamese security company located a worm that mass-registers Gmail accounts for spamming purposes. In order to do that, the worm needs to crack the Gmail CAPTCHA security images.

gmail captcha

In order to do that, the worm uploads the CAPTCHA images to a Russian CAPTCHA Cracking Service.

anti-captcha

This service offers 1000 cracked codes for $1 with a money-back guarantee in case of mistakes, or with codes that took too long to crack (over 60 seconds).

Such services typically use humans to crack the codes manually. It's hard to imagine a more repetitive or boring job. The people behind such services exploit cheap labor or possibly child labor. Read more from this article by Byron Acohido.

Perhaps the most surprising twist in the whole story is that Google is not just a victim here.

Surprisingly, if you go searching for terms like "crack captcha" or "break captcha", you will get sponsored ads in Google search results — for CAPTCHA cracking services!

captchalinks

Does anyone else see any irony in here?







 
 

 
 
Swine Flu SEO Posted by Sean @ 09:34 GMT

Swine Flu is in the news worldwide and search trends are spiking in North America:

Swine Flu, Google Trends

We're seeing lots of domains being registered. Here's a list of the ones registered over the weekend.

Swine Flu

No malware sites… yet. But plenty of them are opportunistic:

NoSwineFlu.com

Click on the "Add to Cart" button at noswineflu.com and you'll be asked to buy a PDF file called "Swine Flu Survival Guide" for $19.95.

Swine Flu Survival Guide $19.95

You'd be better off spending your money on this.

Updated to add: Joe, the owner of noswineflu.com sent us a copy of his PDF.

It's 19 pages of opinion and advice, and the copy that we received is NOT malware.

Remember, this post notes the creation of opportunistic sites, not malicious ones.

And we still do not recommend the purchase…

 
 

 
 
Thursday, April 23, 2009

 
Taking Cyberwar Seriously? Posted by Alia @ 03:50 GMT

Techies and non-techies have been debating about "cyberwar" – is there such a thing? Is it a threat? Who would do it? Who cares? – since the movie WarGames came out in 1983.

No consensus on the topic as yet, but it looks like some military officials are taking the threat seriously. Computerworld reports that the Obama administration may be setting up a military command center dedicated to combating and "developing offensive cyberwarfare capabilities".

Not everyone thinks all the concern is warranted. Marcus Ranum, CSO of Tenable Network Security gave a keynote speech at the 2008 Hack In The Box conference in Kuala Lumpur entitled "Cyberwar is Bullsh*t". The title says it all, really. You can get the slides from the speech here (pdf).

Not everyone dismisses the threat though. Interesting commentary on Mr Ranum's contentions comes from Richard Bejtlich's TaoSecurity blog, here.

For those interested, there are plenty of debates on the topic floating around the Internet. Thoughts, anyone?

 
 

 
 
Wednesday, April 22, 2009

 
Online Scanner 4 with Support for Firefox Posted by Sean @ 15:11 GMT

F-Secure Online Scanner 4 will soon be released. There are some noteworthy changes.

The UI has been updated, performance has been improved — AND — there's now support for the Firefox browser.

Here's what the beta looks like:

Options

Scanning in progress:

Scanning

And the finished results:

Finished

Our Support News has more details and you can find a link to the Beta Program there.

 
 

 
 
Tuesday, April 21, 2009

 
€25,000 Bank Robbing Mobile Phones? Posted by Sean @ 13:53 GMT

Many European banks provide their customers with a paper list of sequential numbers and randomly requested checksums. Without this physical list, an attacker might be able to access the online banking GUI, but they should not be able to complete a fund transaction.

Now, carrying around a card and scratching off numbers is fairly secure but it isn't always convenient.

otp

What's more convenient and is something you always have with you? Your phone.

More and more banks are beginning to offer transaction authentication numbers (TAN) via SMS text messages. The customer registers their phone to receive the one-time passwords, and the TAN is provided on-demand. Easy, secure.

And that brings us to this headline: Criminals Pay Top Money for Hackable Nokia Phone

A company called Ultrascan Research Services claims that East European gangs are paying big money for certain versions of Nokia 1100 phones.

Nokia 1100

According to Ultrascan's post, some Nokia 1100 phones can be used to intercept SMS messages.

We don't have the details, we only know what's been stated by Ultrascan. We've also been unable to find a hacker forum or an auction site with actual requests for such phones.

To be worth the prices being paid (up to €25,000) the phone would somehow need to spoof the victim's phone number without using their SIM card. If that's possible, then it's a very clever trick and suddenly enables the use of all of the past compromised account information that's been gathered by banking trojans.

And that's a very sizable return on investment. Even for a €25,000 phone.

 
 

 
 
Monday, April 20, 2009

 
False Alarm with Backdoor.Win32.Agent.afqs Posted by Jose @ 05:15 GMT

In the last couple of hours, we had a false alarm on a Windows XP system file called wmiprvse.exe (md5: 798A9E6828997EEF4517ADA8A2259831).

This file was updated by Windows updates earlier this year. Though the executable is not signed by Microsoft, it is indeed a clean file.

The file may appear on your system in the following locations:

  •   C:\WINDOWS\system32\wbem\wmiprvse.exe
  •   C:\WINDOWS\system32\dllcache\wmiprvse.exe
  •   C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3_ctc\SP3GDR\wmiprvse.exe

We have fixed the false alarm and apologize for any inconvenience.

Fix is included in the database release 2009-04-20_02.

 
 

 
 
Sunday, April 19, 2009

 
Malware Analysis Course Materials Now Available Posted by Mika @ 15:54 GMT

As we blogged on New Year's Eve, we have been teaching malware analysis and antivirus technologies at Helsinki University of Technology again this Spring.

TKK Main Building in Otaniemi

Above: TKK (Helsinki University of Technology) main building. Photo taken February 2009 on a fairly "white sky" day.

Antti giving a lecture

Above: Antti Tikkanen giving a lecture on dynamic analysis of malware

The lectures are now over and the students have about a month to turn in their final assignments. Even though the "last hurrah" for the 2009 Spring course is still missing, I would like to thank TKK staff and FS Labs lecturers for the course. I would also like to thank the students; it was again a real pleasure to teach motivated and smart people. I'm really looking forward to receiving the final project submissions.

For those interested, slides for all of the lectures are available in PDF format from the course homepages.

Lecture schedule

— Mika, Principal lecturer of T-110.6220, Spring 2009

 
 

 
 
Mikey and the Mysterious Treqz. Posted by Mikko @ 10:31 GMT

One more post on Twitter worms.

What's up with Mikey Mooney? He wrote a series of Twitter worms, got hired, got hacked (hey, nice passwords, Mikeyy) and released yet another worm last night.

This one made extensive modifications to infected profiles, changing the name and bio to "Mikeyy" and the title of the profile to "Mikey and the Mysterious Treqz."

Mikey and the Mysterious Treqz

This variant downloaded additional scripts from runebash.net/xss.js (careful, it's still up).

The messages it sent were more philosophical in nature:
Be nice to your kids. They'll choose your nursing home. Womp. mikeyy.
If you are born ugly blame your parents, if you died ugly blame your doctor. Womp. mikeyy.
Every man should marry. After all, happiness is not the only thing in life. Womp. mikeyy.
Age is a very high price to pay for maturity. Womp. mikeyy.
Ninety-nine percent of all lawyers give the rest a bad name. Womp. mikeyy.
If your father is a poor man, it is your fate, but if your father-in-law is a poor man, it's your stupidity. Womp. mikeyy.
Money is not the only thing, it's everything. Womp. mikeyy.
Success is a relative term. It brings so many relatives. Womp. mikeyy.
'Your future depends on your dreams', So go to sleep. Womp. mikeyy.
God made relatives; Thank God we can choose our friends.Womp. mikeyy.
'Work fascinates me' I can look at it for hours ! Womp. mikeyy.
I have enough money to last me the rest of my life. (unless I buy something) Womp. mikeyy.
RT!! @spam Watch out for the Mikeyy worm (bit.ly link)
FUCK. NEW MIKEYYY WORM! REMOVE IT: (bit.ly link)
Mikeyy worm is back!!! Click here to remove it: (bit.ly link)


How many users got infected? We can't tell the total count. However, Mikeyy seeded the infection via three new Twitter user accounts he had created and we can see how many clicks they got:

Account 54321ana: 4,833 clicks
Account er1kaaa: 4,895 clicks
Account chicostickgirl: 8,066 clicks

The only thing we haven't seen yet is a really popular Tweeter with tons of followers getting infected (think Britney Spears or Lance Armstrong).

 
 

 
 
Friday, April 17, 2009

 
Yet Another Twitter Worm Posted by Patrik @ 22:03 GMT

A new Twitter cross-site scripting worm is going around on Twitter. Just like the previous Twitter worms it talks about Mikeey.

twitter_041709_1.jpg

Other messages used by the worm include:

Twitter, this sucks! Fix your coding.
Twitter Security Team Really? You need to be fired.
Horrible Coding!
@oprah - sup? welcome to twitter - mikeyy
@aplusk - hey, homo. - mikeyy
@souljaboyellem - your music sucks dude. - mikeyy
@TheEllenShow - hey baby, love me long time? - mikeyy
@StephenColbert - you funny. - mikeyy
@cnnbrk - he's back. ;) - mikeyy
@nytimes - yep, it's true. - mikeyy
Twitter, do you know about the before_save model callback? - mikeyy
This exploit only affects Internet Explorer users. Thanks. - mikeyy
Twitter, BeforeSave: ForEach: DataArray: EscapeHtmlCars!!! - mikeyy
Get Firefox, thanks. www.Firefox.com
Twitter, you should be paying me now. - mikeyy


Once a user views an already infected profile they get infected as well. The name, location, website and bio all get changed to Mikeyy and they start posting messages randomly picked from the list above.

twitter_041709_1.jpg

The malicious script itself is downloaded from 74.200.253.195. Twitter is working on fixing the problem.

This happens on the same day as media reports that Michael Mooney got a job because of his writing the first Twitter worms. So if he did this one too, what was the motivation? To get an even better offer from someone else!? Stupid.

For now, stay away from looking at users' profiles. Also, Firefox and NoScript are a good combo.

Updated to add: Michael Mooney (Mikeey) confesses to writing this latest worm as well.
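The worm's own message about a before_save callback points at the fix: the profile fields it overwrote (name, location, website, bio) have to be validated when stored and HTML-encoded when rendered. The block below is an added example written for this archive, not Twitter's code or the worm's; the script URL, the javascript: link and the field length limits are constructed for the example.

```python
"""Server-side handling of the four profile fields the worm overwrote:
a before_save step that validates what is stored, and output encoding
when the profile is rendered into HTML (added example, not Twitter's code)."""
import html
from urllib.parse import urlsplit

PROFILE_FIELDS = ("name", "location", "website", "bio")
MAX_LENGTHS = {"name": 20, "location": 30, "website": 100, "bio": 160}  # assumed limits
ALLOWED_URL_SCHEMES = {"http", "https"}

# Constructed example of a profile after infection: the bio carries a script
# tag pulling code from an external host (example.invalid is a reserved name
# that never resolves) and the website field tries a javascript: URL.
INFECTED_PROFILE = {
    "name": "Mikeyy",
    "location": "Mikeyy",
    "website": "javascript:alert(document.cookie)",
    "bio": 'Mikeyy <script src="http://example.invalid/xss.js"></script>',
}


def validate_website(url: str) -> str:
    """Keep only absolute http(s) URLs; javascript:, data: and scheme-less
    strings are replaced by an empty value rather than stored."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_URL_SCHEMES or not parts.netloc:
        return ""
    return url.strip()


def before_save(raw: dict) -> dict:
    """Validation on the way in: only known fields, printable characters
    (control characters and newlines are dropped), bounded length, and a
    real URL in the website field."""
    clean = {}
    for field in PROFILE_FIELDS:
        value = "".join(ch for ch in str(raw.get(field, "")) if ch.isprintable())
        value = value[: MAX_LENGTHS[field]]
        clean[field] = validate_website(value) if field == "website" else value
    return clean


def render_profile_unsafe(profile: dict) -> str:
    """A template that interpolates stored fields verbatim: whatever markup
    was saved in the bio runs in every visitor's browser."""
    return (f'<h1>{profile["name"]}</h1><p>{profile["location"]}</p>'
            f'<a href="{profile["website"]}">{profile["website"]}</a>'
            f'<p>{profile["bio"]}</p>')


def render_profile(profile: dict) -> str:
    """Output encoding: each field is HTML-escaped at the point it is placed
    in markup, so stored text can never become tags or attributes."""
    e = {k: html.escape(v, quote=True) for k, v in profile.items()}
    link = f'<a href="{e["website"]}">{e["website"]}</a>' if e["website"] else ""
    return f'<h1>{e["name"]}</h1><p>{e["location"]}</p>{link}<p>{e["bio"]}</p>'
```

Validation on save limits what can be stored, but the escaping in render_profile is what actually stops stored text from becoming markup, so both belong in place.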

 
 

Thursday, April 16, 2009

 
Now This is Just Wrong! Posted by Patrik @ 23:03 GMT

Searching for good things with bad results is something that now happens on a regular basis, like the example we blogged about the other day. But now it's personal - searching for "f-secure" leads to rogue products. This time it's not via SEO (Search Engine Optimization) but through malicious Google ads. As you can see in the screenshot below there's an ad pointing to update-xp.com. You have to click on search twice for it to come up and it doesn't seem to happen every time.

google_fssearch_1.jpg

Let's check it out. It leads to a page talking about Fix F-Secure Problems.

google_fssearch_2.jpg

Let's download and install this fix tool on a clean XP SP3 machine and see what it is.

google_fssearch_3.jpg

Amazing! 1303 total problems found whereof 1277 couldn't be removed in the unregistered version. Let's try to register.

google_fssearch_4.jpg

Surprise! We have to pay $34.95 to register and remove all the "problems".

Last bit of irony: it claims that Windows is up-to-date, but as you can see from the screenshot below, 36 updates are actually missing.

google_fssearch_5.jpg

This has been reported to Google so hopefully it will be removed soon.

Updated to add: Google have now removed the malicious ad. Prompt action from them, we appreciate the assistance.

 
 

 
 
Waledac Offering a Fake SMS Spying Tool Posted by Mikko @ 12:22 GMT

The Waledac botnet has been actively used to push malware since last year.

The tactics employed by Waledac are so similar to the old Storm Worm that we have reason to believe they are closely connected.

Last night, the websites used to push Waledac infections got an overhaul.

We started seeing infection reports of filenames like sms.exe, trial.exe, smstrap.exe, freetrial.exe and smsreader.exe.

When we went searching, we noticed that the Waledac sites now looked like this:

smstrap.exe

Nice graphics, jerks.

Anyway, these sites had domain names like downloadfreesms.com, chinamobilesms.com and smsclubnet.com.

If you check the DNS records for these domains, you'll notice that they have a time-to-live set to zero. And they use that to change their IP address every time you query it. This is fast fluxing in effect.

Let's monitor the IP address of smsclubnet.com for two minutes:

Time       IP
11:00:17   118.232.218.209
11:00:22   211.105.220.204
11:00:28   121.179.73.185
11:00:33   124.8.89.29
11:00:38   69.55.30.158
11:00:44   116.127.184.49
11:00:49   201.42.136.214
11:00:54   89.35.18.27
11:01:00   24.77.250.131
11:01:05   118.130.83.202
11:01:11   77.78.150.199
11:01:16   211.180.118.70
11:01:21   189.111.197.36
11:01:27   121.183.32.80
11:01:32   211.218.197.220
11:01:38   121.183.32.80
11:01:43   125.129.151.33
11:01:48   151.60.88.70
11:01:54   121.179.73.186
11:01:59   210.207.217.154

And all those IP addresses are infected home computers, where the owner of the computer has no idea he's actually running a webserver — which is serving viruses.

This botnet is not just used to host the malware: the malware itself uses it when calling home. When Waledac is executed, it does dozens of HTTP posts to IP addresses belonging to this botnet.

waledac_animation

The Waledac gang has registered over 100 .com domains for their purposes. You can actually tell a bit about their operations if you arrange their domains into groups. Practically all the domains they own are registered to these email addresses: hanlin_425@126.com, lijian@qq.com and wusong_ccc@126.com.

Here are the groups:

News

Blogs

Fear & Terror

Coupons & Sales

Love & Sex

And here are the latest additions:

SMS Spying

This leaves us with a handful of domains we can't categorize to any of the above groups. They are:

batchoose.com
bayhousehotel.com
coralarm.com
longballonline.com
moneymedal.com
quickjust.com
soundroyal.com
yourbarrier.com
yourlol.com
yourwent.com

Maybe these domains could give us a hint on their next move?

Does anybody have any ideas? If so, leave us a comment.
 
 

 
 
Tuesday, April 14, 2009

 
Twitter Worm Google Searches Leads to Malware Posted by Patrik @ 20:47 GMT

It's no surprise at all that Google searches for information about the Twitter worm lead to malware sites; it was really just a matter of time, especially after all the talk about it over the weekend and the guy behind it confessing everything. Malicious search results about popular news are something we see very often, unfortunately.

By searching for "Twitter worm" on Google, one of the top 10 hits looks like this:

twitterworm_google_search.jpg

Which leads to this site:

twitterworm_google_2.jpg

But you'll never see that, as you will immediately be redirected to videxxxxxs.cn, which immediately redirects you to loyxxxxxxno.com, which tricks you into downloading a fake video codec from cxxxxxxxxaz.com. No exploits are used; it's just social engineering. At least for now.

twitterworm_google_3.jpg

And the fake codec is of course malware. In fact, it's a trojan downloader that downloads some additional malware, including a rogue security product called WinPC Defender which shows fake malware detections.

twitterworm_google_4.jpg

Like all rogue security products it will tell you that you have malware on your PC and that you have to buy the product to remove it. This one is more expensive than usual though, as they want you to pay $69.99 (the usual rate seems to be $39.95).

twitterworm_google_5.jpg

So, unfortunately we're not surprised that this happened. As usual, get your news and information from sources you trust. Random Google searches can't be trusted.

Updated to add: Searching for "Mikeyy" also leads to malicious results.







 
 

 
 
April Security Updates From Microsoft Posted by Patrik @ 17:29 GMT

Microsoft just released the security updates for April, and this includes the fix for Excel which has been exploited in targeted attacks for over a month now. Make sure you download these patches, including the one for Excel if you use Microsoft Office 2007, right now. Unfortunately a fix for the PPT vulnerability wasn't part of this month's update.

MS Updates April 2009

 
 

 
 
Monday, April 13, 2009

 
Ongoing Problems at Twitter Posted by Mikko @ 09:37 GMT

Twitter administrators don't seem to be able to shut down the various XSS / CSRF worms that have been plaguing the service over the weekend.

The actual problems to end users haven't been devastating — so far. Most of the Twitter worms simply modify people's profiles to infect more users.

However, attacks like these could be much worse if the attackers would incorporate nastier attacks, such as browser exploits.

The attacks have been credited to "Mikey" or "Mikeyy", who apparently was the administrator of a site called Stalkdaily. Stalkdaily was a competitor to Twitter, and apparently the original motive of the attack was to "steal" Twitter users to join this new service. The web page for Stalkdaily is currently down.

The latest round of worms just started minutes ago. Apparently this run was started by a freshly registered user called cleaningUpMikey:

mikeyy

This is what the attack looked like:

mikeyy

If you clicked on the name or the image of the person sending the message, you would get infected as well and would send the same message - and anyone viewing your profile would do the same.

We can't confirm whether "Mikeyy" is really behind these attacks. We can't confirm the above phone number either. However, it was likely picked up from this page from a social networking site:

mikeyy

For now, don't view profiles in Twitter.

Updated to add:

A quick look at another incarnation of the same worm. This one was interesting, as it was using the bit.ly redirector in the messages.

Infected users were sending Tweets like this: "How TO remove new Mikeyy worm! RT!! http://bit.ly/yCL1S"

A message like this is particularly nasty, as there were plenty of re-tweets of this malicious message sent by genuine users.

The bit.ly link got redirected back to Twitter, to user reberbrerber's profile. Which would infect Twitter users who would view it.

The good part about using a URL redirector is that now we can get exact statistics on how much traffic this link received. Turns out the URL got clicked over 18,000 times - and the figure is still growing.

mikeyy

And where were these users from?

mikeyy

One more chart. Based on keyword mikeyy stats from Tweetscoop, the outbreaks are leveling out now:

mikeyy

 
 

 
 
Sunday, April 12, 2009

 
Twitter Worm Outbreak Over Easter Posted by Mikko @ 09:35 GMT

A cross-site scripting worm was spreading in Twitter profiles for several hours last night.

People started reporting that their profile had sent Twitter messages without their knowledge. Messages looked like this:

stalkdaily

stalkdaily

Later on the messages morphed several times:

stalkdaily

Many people followed the links to stalkdaily.com, as they believed the messages to be genuine Tweets from their friends. A cross-site script on the site then caused new users to start to Tweet the same messages.

stalkdaily

More info on the technical internals of the attack is available at dcortesi.com.

stalkdaily

As expected, the whole worm was a publicity stunt by stalkdaily.com.

stalkdaily

You can see the latest official status of Twitter from their status page at status.twitter.com

stalkdaily

We detect the script file as Worm:JS/Twettir.A.

Updated to add: This is not over. There's going to be quite a few modified Twitter worms for a day or two. Be careful in Twitter, don't view profiles, don't follow links. It's beautiful outside, maybe go for a walk instead?

Here's one current variant:

mikeyy

All these attacks are JavaScript-based. Turn JavaScript off if you're worried. More info here.

 
 

 
 
Thursday, April 9, 2009

 
New Conficker action Posted by Patrik @ 19:08 GMT

A new variant of Conficker was found yesterday. We're still investigating the files but here's what we know so far.


  • On April 8th a new update was made available to Conficker.C infected machines via the P2P network.
  • The new file, which we call Conficker.E, was executed and co-existed alongside the old infection.
  • It re-introduces spreading via the MS08-067 vulnerability. Spreading functionality was removed in Conficker.C; the gang behind this may have realized they made a mistake and added it again.
  • The new variant does not have the domain generation algorithm that the previous variants have.
  • There's a possible connection to Waledac, a spambot. Some Conficker.C infected computers connected to a well known Waledac domain and downloaded Waledac from there.
  • There's also a connection to rogue anti-virus products, as we've seen one end up on Conficker.C infected machines. The rogue product was SpywareProtect2009.
  • Conficker.E deletes itself if the date is May 3, 2009 or later. It does not delete Conficker.C though, so that will remain on an infected computer.

Sounds complicated and strange? It is, and unfortunately nothing is easy when it comes to Conficker, so we'll continue to update this post as we find out more about its behavior. We have detected the new Conficker.E since yesterday, along with all the related files it downloads.
 
 

 
 
The Dove Posted by Mikko @ 12:30 GMT

You can buy anything online nowadays.

Case in point, here's Wenzhou Fuyuan Printing Co., ltd:


hologram


This company is based on the south-eastern shores of China. They specialize in manufacturing stationery, stickers, bags... and holograms.

Here's some examples of their products, taken from the alibaba.com supplier directory:


hologram


Let's have a closer look at this hologram sticker sheet with "perfect quality", "standard size" and "3D effect":


hologram


Here's a close-up:


hologram


Hmm.


That looks familiar.


Looks like a bird.


Maybe a dove?


visa
 VISA credit card image credit: Paylife.at.

Like I said: You can buy anything online nowadays.




 
 

 
 
Wednesday, April 8, 2009

 
Security Threat Summary Q1/2009 Posted by Mikko @ 09:13 GMT

f-secure

We've just published our threat summary for the first quarter of 2009.

This one focuses on Conficker, the first SMS worm and threats in social networks.

More info at https://www.f-secure.com/2009/




 
 

 
 
Tuesday, April 7, 2009

 
Spying via XLS files Posted by Mikko @ 11:10 GMT

We see targeted attacks and espionage with trojans regularly. Here's a typical case.

A malicious Excel XLS file (md5: 3c740451ef1ea89e9f943e3760b37d3b) was emailed to a target - apparently to just one person.

When opened, this is what the XLS looked like:

pc-officer

However, in reality the malicious file had already exploited Excel and taken over the computer by the time you saw this.

The exploit code creates two new DLL files in the SYSTEM32 folder ("apimgr.dll" and "netserv.dll") and executes them.

These DLL files are backdoors that try to communicate back to the attackers, using these sites:


  • feng.pc-officer.com
  • ihe1979.3322.org

Right now, host ihe1979.3322.org does not resolve at all, and feng.pc-officer.com resolves to a placeholder IP (which is 63.64.63.64). The attackers can temporarily make the hostname resolve to the real IP address and then turn it back, to hide their tracks.

The domain name pc-officer.com is a weird one. It was registered back in 2006, and it has been used in targeted attacks before.

See this ISC blog entry from September 2007. There the attack was done via a DOC file instead of an XLS. And the reporting server was ding.pc-officer.com, not feng.pc-officer.com.

If you haven't read about Ghostnet yet, now would be a good time.

PS. We don't know what area is shown in the map image. If you do, please leave a Comment.

Updated to add, Wednesday the 7th of April:

We kept monitoring the host feng.pc-officer.com. As expected, it became alive for a short period yesterday.

Here's what our logs look like:

   Tue 7 Apr 2009 16:13:21    63.64.63.64
   Tue 7 Apr 2009 16:14:17    63.64.63.64
   Tue 7 Apr 2009 16:15:13    63.64.63.64
   Tue 7 Apr 2009 16:16:09    216.255.196.154
   Tue 7 Apr 2009 16:17:04    216.255.196.154
   Tue 7 Apr 2009 16:18:00    216.255.196.154
   Tue 7 Apr 2009 17:40:33    216.255.196.154
   Tue 7 Apr 2009 17:41:29    216.255.196.154
   Tue 7 Apr 2009 17:42:25    216.255.196.154
   Tue 7 Apr 2009 17:43:21    63.64.63.64
   Tue 7 Apr 2009 17:44:17    63.64.63.64
   Tue 7 Apr 2009 17:45:13    63.64.63.64

IP 63.64.63.64 is just a placeholder; 216.255.196.154 is the real control server. They only bring it online sporadically, trying to avoid detection.

The IP is located in Spokane, USA:

% whois 216.255.196.154

   OrgName: One Eighty Networks
   OrgID: OEN-1
   Address: 118 N Stevens
   City: Spokane
   StateProv: WA
   PostalCode: 99201
   Country: US
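Two checks a defender can run over resolution logs like the smsclubnet.com table earlier on this page and the feng.pc-officer.com log just above: a fast-flux profile (how many distinct addresses and networks in how little time) and the windows during which a name pointed at something other than its placeholder. This is an added example, not the lab's tooling; the log samples are constructed in the page's two formats (the flux rows are copied from the table above) and the thresholds in looks_like_fast_flux are this example's own assumptions.

```python
"""Two checks over timestamped DNS resolution logs: a fast-flux profile
(smsclubnet.com style) and the live windows of a control host that hides
behind a placeholder address (feng.pc-officer.com style). Added example."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Observation = Tuple[datetime, str]

# Constructed sample in the format of the smsclubnet.com table on this page
# (its first six rows, time of day only).
FLUX_LOG = """\
11:00:17 118.232.218.209
11:00:22 211.105.220.204
11:00:28 121.179.73.185
11:00:33 124.8.89.29
11:00:38 69.55.30.158
11:00:44 116.127.184.49
"""

# Constructed sample in the format of the feng.pc-officer.com log above.
C2_LOG = """\
Tue 7 Apr 2009 16:14:17 63.64.63.64
Tue 7 Apr 2009 16:15:13 63.64.63.64
Tue 7 Apr 2009 16:16:09 216.255.196.154
Tue 7 Apr 2009 16:17:04 216.255.196.154
Tue 7 Apr 2009 16:18:00 216.255.196.154
Tue 7 Apr 2009 17:40:33 216.255.196.154
Tue 7 Apr 2009 17:41:29 216.255.196.154
Tue 7 Apr 2009 17:42:25 216.255.196.154
Tue 7 Apr 2009 17:43:21 63.64.63.64
"""
PLACEHOLDER_IP = "63.64.63.64"


def parse_log(text: str, time_format: str) -> List[Observation]:
    """One observation per line: the last token is the answer IP, everything
    before it is the timestamp in `time_format` (strptime syntax)."""
    observations = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        stamp = datetime.strptime(" ".join(parts[:-1]), time_format)
        observations.append((stamp, parts[-1]))
    return observations


def flux_profile(observations: List[Observation]) -> Dict[str, float]:
    """How volatile are the answers? A load-balanced name cycles through a few
    addresses in one or two prefixes; a fast-flux name hands out a new address
    from a new network on almost every query."""
    ips = [ip for _, ip in observations]
    changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
    prefixes = {".".join(ip.split(".")[:2]) for ip in ips}  # /16 as a rough network key
    span = observations[-1][0] - observations[0][0]
    return {
        "queries": len(ips),
        "unique_ips": len(set(ips)),
        "unique_prefixes": len(prefixes),
        "change_ratio": changes / max(len(ips) - 1, 1),
        "span_seconds": span.total_seconds(),
    }


def looks_like_fast_flux(profile: Dict[str, float],
                         min_unique: int = 5, min_change_ratio: float = 0.8) -> bool:
    """Thresholds are this example's assumption, not an industry standard:
    at least `min_unique` distinct addresses in distinct /16s, and the answer
    changing on at least `min_change_ratio` of consecutive queries."""
    return (profile["unique_ips"] >= min_unique
            and profile["unique_prefixes"] >= min_unique
            and profile["change_ratio"] >= min_change_ratio)


def live_windows(observations: List[Observation], placeholder: str,
                 max_gap: timedelta = timedelta(minutes=5)) -> List[Tuple[datetime, datetime, str]]:
    """(first_seen, last_seen, ip) intervals during which the name resolved to
    something other than the placeholder. A silence longer than `max_gap`
    closes the window, because nothing is known about the host in between."""
    windows = []
    current = None  # [first_seen, last_seen, ip]
    for stamp, ip in observations:
        if ip == placeholder:
            if current:
                windows.append(tuple(current))
                current = None
            continue
        if current and current[2] == ip and stamp - current[1] <= max_gap:
            current[1] = stamp
        else:
            if current:
                windows.append(tuple(current))
            current = [stamp, stamp, ip]
    if current:
        windows.append(tuple(current))
    return windows
```

On the constructed C2 log the 82-minute silence between 16:18:00 and 17:40:33 yields two separate live windows rather than one, which is the honest reading when the monitor was not querying in between.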



Updated to add, Thursday the 9th of April:

It changed again. Host feng.pc-officer.com is now pointing to 211.234.122.84.

This IP is located in Seoul, South Korea:

% whois 211.234.122.84

   (KRNIC record; the Korean-language fields are garbled in this copy. The values that survive are ORG137200, 261-1 and 135-010: the organisation ID, detailed address and postal code.)





 
 

 
 
Monday, April 6, 2009

 
Understanding the Spreading Patterns of Mobile Phone Viruses Posted by Mikko @ 12:42 GMT

The latest issue of Science publishes a research paper titled Understanding the Spreading Patterns of Mobile Phone Viruses.

The paper is by Pu Wang, Marta C. González, César A. Hidalgo and Albert-László Barabási.

Abstract

We model the mobility of mobile phone users to study the fundamental spreading patterns characterizing a mobile virus outbreak. We find that while Bluetooth viruses can reach all susceptible handsets with time, they spread slowly due to human mobility, offering ample opportunities to deploy antiviral software. In contrast, viruses utilizing multimedia messaging services could infect all users in hours, but currently a phase transition on the underlying call graph limits them to only a small fraction of the susceptible users. These results explain the lack of a major mobile virus breakout so far and predict that once a mobile operating system's market share reaches the phase transition point, viruses will pose a serious threat to mobile communications.


The paper more or less ignores the effects of the technical safeguards built into modern smartphone operating systems.

Another weird thing: the paper says the reason there haven't been more mobile outbreaks is that no smartphone operating system is dominant enough. Then, in the next paragraph, it mentions that Symbian has, oh, 65% market share of all smartphones.

In any case, an interesting paper. And lots of pretty pictures.

mobile phone spreading patterns

Link to the paper (PDF)

Link to the supporting data (PDF)

Thanks to Nick Fitzgerald for the links.

Here's more info on mobile phone virus and trojan removal: https://www.f-secure.com/weblog/archives/mobile.htm
Thursday, April 2, 2009

 
Post April 1st Conficker Q&A Posted by Patrik @ 20:40 GMT

As we posted a Conficker Q&A prior to April 1st, it wouldn't be right if we didn't do one after the event.

Q: First off, how do I know if I'm infected?
A: Joe Stewart has created a very simple test that's available at the Conficker Working Group's site. Click here to try it out. It's also available on his own site here. If it says you're infected, you can find a bunch of removal tools on the same site, including F-Secure's.

Q: So April 1st came and went. Was there any doomsday activity, did the Internet break down?
A: No. If it had, you wouldn't be able to read this. And we never really expected anything to happen.

Q: So what really happened then, what was all the fuss about?
A: Conficker.C was programmed to start generating a list of websites on April 1st in an attempt to download updates to itself.

Q: And did it?
A: Yes it did. That part of the worm worked just as intended.

Q: So why didn't something major happen then?
A: Because the people behind Conficker didn't publish an update on any of the websites Conficker tried to contact.

Q: Was it a mistake on their part, did they forget about the April 1st activation date?
A: Very unlikely. What really happened was that the Conficker Working Group was able to prevent them from registering any of the domains used by the worm. Never before have we seen such global cooperation within the industry, and we're proud to be a member of that group. Also, it would've been pretty stupid for the people behind Conficker to do something on the day everyone expected them to.

Q: But isn't it true that the worm can also update itself using peer-to-peer (P2P) technology?
A: That's right, it can. And it could've done this prior to April 1st.

Q: I didn't turn on my PC on April 1st so I should be OK, right?
A: If your computer is infected, then no: the worm will still be there, and it will try to download updates to itself as soon as you turn the PC on.

Q: Which countries are the most infected?
A: China, Brazil, Vietnam, Russia, Indonesia, India, Philippines, Thailand, South Korea and Ukraine.

Q: What's this I've heard about two people arrested in Belarus in connection with Conficker?
A: It was just an April Fools' joke. More here.

Q: So what happens now, can we forget about Conficker and worry about other things?
A: No, not really. April 1st was just the activation date. Infected computers will continue to reach out to 500 websites daily in an attempt to update themselves. And let's not forget the P2P channel: the worm can update itself through that as well.

Q: So that means we'll have to deal with this for a long time?
A: Yes, until all the computers are cleaned up or until the people behind it decide it's not worth it anymore. So we'll keep on monitoring the situation.

Q: What if I have more questions?
A: Hopefully they're already answered by our previous Q&A. If not, make a comment to this post and we'll answer it for you.

Conficker World Maps Posted by Mikko @ 06:55 GMT

Where in the world are the Conficker-infected machines today?

Shadowserver and Conficker Working Group have the maps:

Conficker World Map

For more maps, visit the website of the Conficker Working Group.

Wednesday, April 1, 2009

 
April Fools Jokes and Conficker Posted by Mikko @ 06:50 GMT

It's the first of April today, so there are going to be April Fools' jokes about Conficker.

Here are some examples from the Web and from Twitter:

April Fools Conficker

For the record, we plan on having no April Fools jokes in our blog this time.

PS1. Here's what we posted on April 1st in 2007 and 2008.

PS2. This post from 2005 was not a joke, but many people thought it was. Go figure.

PS3. Hey, check out what news Google has.

PS4. Excellent Conficker Coverage from CNN.

Conficker - What's going on? Posted by Patrik @ 04:51 GMT

So it's been April 1st for almost 18 hours now in New Zealand and it's the early hours of April 1st on the east coast of the United States. So what's going on? So far — nothing. Infected computers are generating the list of 50,000 domains and are attempting to contact 500 of those, as we've described earlier, but so far no update has been made available (by the bad guys).

And we don't really expect one, at least not right now.

The Conficker worm is still creating headlines though as can be seen from the front page of cnn.com.

CNN and Conficker

Mikko and I will post updates on Twitter.