"To view a PDF file, just double-click it to open it in Preview."
Mac doesn't require a third-party application to view PDFs, so why does Windows?
Heck, you don't even need to build it into the OS. Just make it an optional download such as your Save As PDF add-in for Office.
We know, we know… even though anyone is allowed to create applications that can read and write PDF files without having to pay royalties to Adobe Systems, you guys can't. You're just too big and can't ship add on PDF functionality without freaking out Adobe.
But you know what?
You really shouldn't care anymore. Freak them out.
We just want to read PDFs. We don't want to /launch executables, to play video & audio, or to run JavaScript. A viewer that provides the basic functionality of the PDF/A standard is all we want. Is that so much to ask?
Microsoft recently announced that it has withdrawn its MS10-025 security update after finding that the update did not adequately address the underlying issue it was intended to fix.
The update and its withdrawal affect only Windows 2000 servers that have the optional Windows Media Services installed.
A re-release of the patch is due sometime in the next week. Pending the re-release, F-Secure has withdrawn the signature for this vulnerability from our Vulnerability database.
In the meantime, mitigation and workaround strategies listed in the MS10-025 bulletin are still considered effective.
—————
Updated to add: The MS10-025 Security Update has been re-released (April 28th). Windows 2000 Server users with the non-default Windows Media Services installed are advised to install the latest update.
Many of our readers are familiar with Poison Ivy, a Remote Access Trojan that is often used in various attacks — especially in targeted espionage attacks. More information on such RAT applications can be found from this blog post.
Poison Ivy RAT is developed by a Swedish coder called "Shapeless".
Now, we just learned about a new research paper by Andrzej Dereszowski of Signal11.
Andrzej was investigating a targeted attack case and discovered that Poison Ivy was used to steal data from the target. This got him thinking: lots of researchers do fuzzing and try to find vulnerabilities in Internet Explorer or Adobe PDF Reader — why not try to find vulnerabilities in Poison Ivy?
And then he did exactly that, uncovering a remote code execution vulnerability in Poison Ivy, making it possible for the victim to attack back at his attacker.
Two Belarusian hackers were arrested last week. The arrests are related to a website called callservice.biz, which was in operation for several years.
According to the indictment, Dmitry Naskovets and Sergey Semashko were the persons behind this service. The server itself operated in Lithuania.
Callservice.biz provided an online form where you could order fake confirmation phone calls made by people who spoke either English or German. Such confirmation calls are often used by banks to confirm large money transactions or changes to account details. Online criminals need a way to make convincing calls like this, and this is where callservice.biz came into the picture.
Translation of their details page: Please register for the service...then fill in the order form for the call...add the details...we will make the call within 24 hours...if the call is not successful you get your money back...price per call in English: $10.
Here's a snippet from an online chat where criminals are discussing money transactions related to the service:
The site is down now. Visiting callservice.biz will produce this page:
More details in an article by Kim Zetter in Wired.
Many Rogue SEO attack sites will only work if the referrer is from a Google query.
If the URL is visited from any other source, the potential victim is directed away from the scareware. So where are the bad guys currently forwarding non-Google visitors? CNN.com.
This video demonstrates with a recent Google trend:
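A way to test a suspect URL for the referrer-based cloaking described above, as an added example that is not part of the original post: the same URL is fetched with and without a Google search referer and the landing hosts are compared. The fetch function is injected so the probe runs offline here against a constructed stand-in; `urllib_fetch`, the Google referer string and the `rogue.example` host are assumptions of this example.

```python
"""Referrer-cloaking probe (added example, not from the original post).

Fetches the same URL once with a Google search referer and once without and
compares the hosts the two requests end up on. A site that bounces direct
visitors elsewhere (the post observed CNN.com) but keeps Google-referred
visitors on the scareware page shows up as a mismatch.
"""
import urllib.request
from urllib.parse import urlsplit

GOOGLE_REFERER = "https://www.google.com/search?q=constructed+query"  # constructed

def urllib_fetch(url, referer, timeout=10):
    """Return the final URL after redirects; only used for live checks."""
    headers = {"Referer": referer} if referer else {}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl()

def landing_host(fetch, url, referer):
    """Hostname the request finally lands on, lower-cased for comparison."""
    return urlsplit(fetch(url, referer)).netloc.lower()

def probe_cloaking(url, fetch=urllib_fetch):
    """Return (cloaked, host_with_google_referer, host_without_referer)."""
    via_google = landing_host(fetch, url, GOOGLE_REFERER)
    direct = landing_host(fetch, url, None)
    return via_google != direct, via_google, direct

def fake_fetch(url, referer):
    """Constructed stand-in modelling the behaviour described in the post."""
    if referer and urlsplit(referer).netloc.endswith("google.com"):
        return url                    # Google visitors stay on the rogue page
    return "http://www.cnn.com/"      # everyone else is forwarded away

if __name__ == "__main__":
    print(probe_cloaking("http://rogue.example/page", fetch=fake_fetch))
```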
Have you given any thought to the monetary value of your virtual commodities? How much is an online game account worth?
For Hannu Ahola, it was 4,000 euros.
Marja, a contributor to F-Secure's Safe and Savvy blog, read about Hannu's case last November in the Helsingin Sanomat (in Finnish).
Marja was curious about Hannu's case, and recently, while visiting his area of Finland, she called, visited with him, and learned more of the details for herself.
The story starts about four years ago when Hannu purchased a World of Warcraft account from an acquaintance. He then invested his time and effort into the game and developed a strong character. Unfortunately for him, his success did not go unnoticed. His acquaintance decided that he wanted the WoW account back, logged in, and hijacked Hannu's character.
Now, what do you do when someone takes something from you in the virtual world?
It's quite difficult to make a criminal case from such an occurrence. But Hannu wasn't deterred; he wanted some kind of reckoning. He sought the help of Turre Legal, and with the help of researcher Vili Lehdonvirta the WoW account was valued at 4,000 euros in an out-of-court settlement.
The lab frequently sees WoW phishing sites and password trojans, but rarely does the account holder know the other person involved, so this is a very interesting case.
World of Warcraft now reportedly has 11.5 million subscribers. At 4,000 Euros an account, that's starting to equal some real money. No wonder online games are such a popular target for online criminals.
Google performed a 13 month study and "uncovered over 11,000 domains involved in Fake AV distribution — or, roughly 15% of the [overall] malware domains" that were detected during the period.
Hopefully the research will be useful in combating the fake antivirus Search Engine Optimization (SEO) attacks that currently plague Google's real-time results.
Today, for example, is April 15th, tax day in the USA. So what happens if you search for "tax day freebies 2010" using Google?
Yep. You'll find rogues and fake antivirus attacks on the first page of results.
Here's a short flash video we made demonstrating the issue:
Avid readers of the Microsoft Support Lifecycle Blog (and really, how can you not be?) know that yesterday, April 13th, marked the end of support for Windows Vista RTM, also known as Windows Vista SP0.
We'd like to say that we'll miss Vista RTM. We'd like to say that… but, well…
On a related note, Windows XP Service Pack 2 (SP2) will reach its end of support this summer on July 13th. There are more positive memories of XP SP2, largely because of its emphasis on security.
However, that emphasis did come at a cost. Development resources at Microsoft were diverted from Vista and were given to XP SP2. Ironic? In any case, if you have Vista RTM or XP SP2 you should visit the Microsoft Download Center and update to the latest Service Pack sooner than later.
Just in case you were wondering, Windows 7 will be supported until January 13th, 2015.
This one attempts to steal victims' money by bullying them to pay a "pre-trial settlement" to cover a "Copyright holder fine".
The victim is informed that an "Antipiracy foundation scanner" has found illegal torrents on the system. If he won't pay $400 (via a credit card transaction), he might face jail time and huge fines.
And the warnings will not go away. They will reappear every time the user reboots his system.
All of this is completely fake. There is no "ICPP Foundation", and the messages will appear even if the system contains no illegal material whatsoever.
Most importantly: Refuse to pay money to these clowns! If people pay them, the problem will only grow bigger.
The group behind this has even set up an official-looking website at icpp-online.com.
The domain is registered to Mr. "Shoen Overns". The same e-mail address ovenersbox@yahoo.com has been seen before in various other domains, connected to Zeus and Koobface scams.
If you click on the Reports shown by the application, you'll end up on pages such as these:
We tried calling the (Italian) phone number listed on the page: +39 (06) 9028 0658. Unsurprisingly, it goes nowhere.
These pages are hosted at 91.209.238.2, which according to WHOIS belongs to EBUNKER-NET, a "High protected Somalia network". It's running in Moldova.
This is what the payment page looks like:
There is no obvious credit-card payment system connected to the site; they just seem to collect the credit card information.
If you are hit by this trojan, DO NOT PAY. Instead, use an antivirus program that is capable of detecting it to remove the trojan. F-Secure Antivirus detects it as Rogue:W32/DotTorrent.A. You can use our free Online Scanner at ols.f-secure.com to check your system.
The malware is typically located in c:\documents and settings\USERNAME\application data\IQManager\iqmanager.exe. We've seen two versions so far. MD5 hashes of them are cedc2c35bf967027d609df13e937946c and bca3226cc1cfea416c0bcf488082e5fd.
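An indicator sweep built from the path and the two MD5 hashes given above, as an added example that is not part of the original post: it walks the per-user profile directories under a Documents and Settings root, looks for the iqmanager.exe path and compares the hash of anything found against the known ones. The profile root, the `sweep`/`md5_of` helper names and the ability to pass a different hash set are assumptions of this example.

```python
"""IOC sweep for Rogue:W32/DotTorrent.A (added example, not from the post).

Looks for <profile>\Application Data\IQManager\iqmanager.exe under every
user profile and reports the MD5 of each copy found, together with whether
it matches one of the two hashes quoted in the post.
"""
import hashlib
from pathlib import Path

# MD5 hashes quoted in the post above
KNOWN_MD5 = {
    "cedc2c35bf967027d609df13e937946c",
    "bca3226cc1cfea416c0bcf488082e5fd",
}
# Path quoted in the post, relative to a user's profile directory
RELATIVE_PATH = Path("Application Data") / "IQManager" / "iqmanager.exe"

def md5_of(path):
    """Hex MD5 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep(profiles_root, known_md5=KNOWN_MD5):
    """Return [(path, md5, matches_known)] for every iqmanager.exe found.

    profiles_root is e.g. C:\Documents and Settings; a missing root yields [].
    A copy with an unknown hash is still reported, since only two samples
    are known and new builds are likely.
    """
    findings = []
    root = Path(profiles_root)
    if not root.is_dir():
        return findings
    for profile in sorted(root.iterdir()):   # one directory per user profile
        candidate = profile / RELATIVE_PATH
        if candidate.is_file():
            digest = md5_of(candidate)
            findings.append((str(candidate), digest, digest in known_md5))
    return findings

if __name__ == "__main__":
    for path, digest, known in sweep(r"C:\Documents and Settings"):
        print(f"{path}  {digest}  {'KNOWN' if known else 'unknown hash'}")
```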
We have received reports of a malicious Windows Mobile game that creates significant phone bills to affected users.
The game in question is called 3D Anti-terrorist action, and it's manufactured by Beijing Huike Technology in China.
The game itself is a 3D first-person shooter.
Apparently some Russian malware author took the game and trojanized it. Then he uploaded the trojanized version to several Windows Mobile freeware download sites.
Quite quickly people started reporting that the phone was making expensive calls on its own.
When analyzing the code of the trojanized game, it's easy to see how it initiates several phone calls and waits for the calls to proceed. The calls are billed by minute.
The numbers the trojan dials are:
+882346077
+17675033611
+88213213214
+25240221601
+2392283261
+881842011123
But how do such international premium-rate numbers work?
It turns out there are several companies that make all of their money by offering expensive international premium rate numbers in faraway countries. Go figure.
The case reminds us of a similar incident ("Case Mosquitos") on Symbian devices, six years ago.
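A call-log check built from the six numbers listed above, as an added example that is not part of the original post: dialled numbers are normalised and matched first against the exact list, then against the prefixes those numbers fall under (+881 and +882 are ITU shared codes for satellite and international networks rather than countries; +1767, +252 and +239 are Dominica, Somalia and Sao Tome and Principe). The comma-separated log format and the sample log are constructed for this example.

```python
"""Premium-rate dialer check (added example, not from the original post).

Flags calls to the numbers the trojanised game dials, and, as a weaker
heuristic, any call into the prefixes those numbers belong to.
"""
import re

# Numbers quoted in the post above
DIALER_NUMBERS = {
    "+882346077", "+17675033611", "+88213213214",
    "+25240221601", "+2392283261", "+881842011123",
}
# Prefixes those numbers fall under (prefix -> label); matched longest first
SUSPECT_PREFIXES = {
    "+881": "Global Mobile Satellite System (shared code)",
    "+882": "International Networks (shared code)",
    "+1767": "Dominica",
    "+252": "Somalia",
    "+239": "Sao Tome and Principe",
}

def normalise(number):
    """Strip separators and turn the 00 international prefix into '+'."""
    digits = re.sub(r"[\s\-().]", "", number)
    if digits.startswith("00"):
        digits = "+" + digits[2:]
    return digits

def classify(number):
    """Return ('known', label), ('prefix', label) or (None, None)."""
    n = normalise(number)
    if n in DIALER_NUMBERS:
        return "known", "number dialled by the trojanised game"
    for prefix in sorted(SUSPECT_PREFIXES, key=len, reverse=True):
        if n.startswith(prefix):
            return "prefix", SUSPECT_PREFIXES[prefix]
    return None, None

def flag_calls(log_lines):
    """Parse 'timestamp, number, seconds' lines; return the suspicious ones."""
    flagged = []
    for line in log_lines:
        ts, number, secs = [p.strip() for p in line.split(",")]
        kind, label = classify(number)
        if kind:
            flagged.append((ts, normalise(number), int(secs), kind, label))
    return flagged

SAMPLE_LOG = [  # constructed call log: one local call, two suspicious ones
    "2010-04-01 03:12:07, +358 40 1234567, 45",
    "2010-04-01 03:40:11, 00882346077, 600",
    "2010-04-01 03:51:02, +1 (767) 999-0000, 120",
]
```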
Well, well… looks like someone has been singing along to one of Jay Chou's songs while coding an exploit for a vulnerability in Internet Explorer that was addressed in Microsoft Security Bulletin MS10-018. The exploit, which targets the Peer Object component (iepeers.dll) in IE, has been found in the wild, and today it was detected attempting to exploit a client browser.
Once the shellcode is decoded, it downloads a payload that we detect as Trojan:W32/KillAV.LD.
The JavaScript used to exploit the vulnerability is shown below:
Upon closer inspection, you will notice that the variable and function names actually refer to Chinese characters with specific meanings. They are a mix of lyrics from a children's song and from a song by Jay Chou, a Taiwanese singer.
As usual, exploits like this are blocked by our Browsing Protection, so you can browse with peace of mind.
This investigation into targeted attacks (à la "Operation Aurora") is very extensive and well worth a read. It includes technical analysis of the espionage methods as well as an overview of the attackers' operational methods.
The report even goes on to name likely targets.
To quote the beginning of the paper:
Main Findings
Complex cyber espionage network
Documented evidence of a cyber espionage network that compromised government, business, and academic computer systems in India, the Office of the Dalai Lama, and the United Nations. Numerous other institutions, including the Embassy of Pakistan in the United States, were also compromised. Some of these institutions can be positively identified, while others cannot.
Theft of classified and sensitive documents
Recovery and analysis of exfiltrated data, including one document that appears to be encrypted diplomatic correspondence, two documents marked "SECRET", six as "RESTRICTED", and five as "CONFIDENTIAL". These documents are identified as belonging to the Indian government. However, we do not have direct evidence that they were stolen from Indian government computers and they may have been compromised as a result of being copied onto personal computers. The recovered documents also include 1,500 letters sent from the Dalai Lama's office between January and November 2009. The profile of documents recovered suggests that the attackers targeted specific systems and profiles of users.
Evidence of collateral compromise
A portion of the recovered data included visa applications submitted to Indian diplomatic missions in Afghanistan. This data was voluntarily provided to the Indian missions by nationals of 13 countries as part of the regular visa application process. In a context like Afghanistan, this finding points to the complex nature of the information security challenge where risks to individuals (or operational security) can occur as a result of a data compromise on secure systems operated by trusted partners.
Command-and-control infrastructure that leverages cloud-based social media services
Documentation of a complex and tiered command and control infrastructure, designed to maintain persistence. The infrastructure made use of freely available social media systems that include Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo Mail. This top layer directed compromised computers to accounts on free web hosting services, and as the free hosting servers were disabled, to a stable core of command and control servers located in the People's Republic of China.
Links to Chinese hacking community
Evidence of links between the Shadow network and two individuals living in Chengdu to the underground hacking community in the People's Republic of China.
A couple of folks have asked what we mean by remote data storage. Primarily, an Internet drive or share space to which files can be copied (manually). In this context, sites such as Flickr could be considered a backup source.
We consider online backup services to imply software that automates the process.
Yes, it's April Fools day today (see coverage from our Safe and Savvy blog).
LabDev is the team within F-Secure Labs that develops and maintains our internal systems that (among other things) import, scan, analyze and categorize all incoming samples.
As it happens, LabDev has put in a subtle change to our sample management system's interface today.
Here's a screenshot:
Can't spot the joke? Well, many analysts missed it for quite a while as well. Maybe this helps.
F-Secure Labs is launching a new feature in Browsing Protection today.
Web security has become increasingly important over the last few years and we've already developed various protection mechanisms to keep our customers safe against exploits, phishing attacks, and drive-by-downloads. However, there's still more we can do against one of the most sinister of attacks.
In development for more than two years, we're now releasing completely new technology that will warn our customers whenever they click on a "Rickroll" link.
Never again will our customers unknowingly visit the infamous video of Rick Astley performing "Never Gonna Give You Up".
The new feature is called F-Secure Rickroll Protector. The technology is based on advanced image recognition analysis that monitors HTTP traffic for signs of bright red pompadours.