Monthly Archives - May of 2005
 

Tuesday, May 31, 2005

 
Three Bagle-related downloaders spotted Posted by Alexey @ 17:31 GMT

We have several reports about a new Bagle-related downloader, which dropper was spammed in e-mails to a large number of people. So far 3 variants are reported and they all have the same functionality (they are just recompiled and repacked versions of the original dropper). We currently detect all spotted droppers and downloaders as Bagle.BO. We are monitoring the situation...


 
 

 
 
More commwarrior sightings. Posted by Jarno @ 14:59 GMT

Yesterday we received information on Commwarrior.B sightings on two new countries: Greece and South Africa.

So it seems that the rate in which Commwarrior is spotted is quite a lot faster than with Cabir. But then again, high discovery rate might be result of increased public awareness.

Also as Commwarrior is in the wild here in Finland, we have had an opportunity to follow how the worm spreads and interviewed people who have been infected with it. And it seems that we have found at least partial answer to the question why people install Symbian worms on their phones.

The most common reason why people have installed Commwarrior from MMS message is the trust that they have on the sender. People are wary of messages that they receive from unknown sources, but quite willing to install whatever has been sent from a friends mobile. This is a phenomenon that we have also seen with E-Mail worms, people just are unwilling to mistrust something coming from a friend.

Current count of countries with Commwarrior sightings:
1.Ireland
2.India
3.Oman
4.Italy
5.Philippines
6.Finland
7.Greece
8.South Africa


 
 

 
 
The Grand opening! Posted by Mikko @ 08:51 GMT

We had the grand opening of our new security lab in Finland last week. The new premises are really nice!

Here's some pictures to give you an idea about where we are working nowadays.

lab

Our labs are on a separate floor in our HQ building. Access to the secure area is via an electronic door, made out of bullet-proof glass.

lab

In the center of the labs we have a purpose-built command center with real-time displays of the global virus situation.

lab

Our server room has racks for creating virtual replication systems and hosting our servers and storage systems. Katrin and Jarno hacking away in the foreground, Alexey in the background.

lab

lab

This is our RF Lab. When the copper-lined door is closed, the lab is completely radio-shielded from the outside world and we can safely test wireless viruses inside.

Nowadays this is only used to work with mobile viruses. In the future we can use it for possible Windows viruses that might use Bluetooth or WLAN connections to spread.

In fact, just last week we got two separate phones sent to us via a courier by someone who had his phone infected with Commwarrior and wanted us to clean it in our lab.

lab

In the grand opening we had visitors from local customers checking out the lab. Here Mika is demoing rootkits for an interested audience.

lab

And we also had Bruce Schneier deliver a keynote presentation for our labs' grand opening. Thanks for the visit, Bruce.

 
 

 
 
Monday, May 30, 2005

 
A trojan that takes hostages Posted by Alexey @ 13:03 GMT

It looks like not only terrorists and kidnappers can take hostages, but trojans too. A trojan called Gpcode (also known as PGPCoder) encrypts user's files with certain extensions and then asks for a ransom to "fee" (decrypt) them. This trojan got some media attention during past 2 weeks. According to media reports the authorities are investigating the case.

Luckily the trojan had a very simple encryption algorithm, so it was possible to create a decryptor for the encrypted files. F-Secure Anti-Virus can detect and decrypt files encrypted by Gpcode trojan. If you are hit by this trojan and your files are encrypted, please scan ALL files on your hard disk and they will be decrypted.


 
 

 
 
Friday, May 27, 2005

 
The Kid in the Lab Posted by Mikko @ 13:53 GMT

otto (21k image)
This is Otto Ebeling. He's 16 years old and he's been working in our viruslab for the past two weeks.

In Finland, all 9th-graders have to take a mandatory work reherseal period, where they work in a real company for two weeks, doing real work.

Normally this work reherseal is done in a place like a warehouse or - if you're lucky - at McDonalds.

Otto has a variety of reverse engineering skills, so he contacted us instead, and asked for a job in the viruslab. Which he got. And so he's been writing tools and doing virus analysis for the past weeks. He even published his first virus analysis yesterday.

Now Otto is leaving us and going back to school. We're sure he has a bright future ahead of him.

Thanks Otto, we'll miss you!

 

 

 
 

 
 
Wednesday, May 25, 2005

 
Preparing for the grand opening of our new antivirus lab Posted by Jusu @ 14:15 GMT

The Lab is being built

We have been working on our new and shiny lab for quite a while already. The new lab should make our life much easier, since now we actually will have almost everything we need in one place, including a RF shielded room for bluetooth and other wireless vulnerability and malware testing. The grand opening will be held on Thursday 26.5.2005. We will make a full entry about the lab when it is officially in action.

 
 

 
 
Tuesday, May 24, 2005

 
New trojan downloader spammed as attach.rar.exe Posted by Katrin @ 12:52 GMT

Today we got several reports of a new trojan downloader Small.avu. It was spammed in e-mail messages as an attachment 'attach.rar.exe'. The trojan downloads and runs a Dumador backdoor variant from a web location.

 
 

 
 
Monday, May 23, 2005

 
Sober.Q started the update phase Posted by Jarkko @ 08:04 GMT

Sober.Q (aka "Nazi-Worm") started a new phase in its lifecycle last night.

The worm was supposed to start the update phase few hours ago, at 23rd of May at midnight GMT. This means that instead of sending out the spam, it will poll for updates at predefined web locations. We have carefully analyzed the complex algorithm that generates the update URLs and can confirm that the locations do not currently have anything for the virus to download. These URLs are hosted on sites that offer free web space for anybody and the virus writer simply might not have access to the addresses he wants.

We are monitoring these locations so stay tuned.

 
 

 
 
Thursday, May 19, 2005

 
Update on Comwarrior sighting in Finland Posted by Jarno @ 17:26 GMT



Now we have personally verified the Commwarrior case in Finland.

We invited the user who reported the case to visit us in the F-Secure AV lab with the infected phone. Then in the radio shielded lab, we investigated the phone and found that it was infected with Commwarrior.B variant, a very close variant to the Commwarrior.A.

After verifying the case we installed F-Secure Anti-Virus on the phone and disinfected the phone. And now the phone is usable again.

F-Secure is also co-operating with the local mobile carriers, who are configuring their MMS gateways so that the Commwarrior MMS messages cannot move in their MMS networks anymore. Preventing Commwarrior from using MMS should limit the spreading and outbreak of Commwarrior. However Commwarrior also uses bluetooth, so preventing MMS spreading does not kill the worm, but slows it down considerably.

 
 
 
 
 
 
 
 
 

 
 

 
 
Commwarrior in Finland Posted by Katrin @ 13:10 GMT

One more report today of Commwarrior infected phone, this time in Finland. This is the first report from a Nordic Country.

Here are the countries from where we've got reports on phones infected with Commwarrior:
1.Ireland
2.India
3.Oman
4.Italy
5.Philippines
6.Finland

 
 

 
 
Commwarrior spotted in Philippines Posted by Jarno @ 09:31 GMT

Screenshot of a MMS messagent sent by Commwarrior

It seems that Commwarrior is getting more widespread.

Yesterdays edition of the Philstar has article written by journalist who had got his phone infected with Commwarrior.

And Smart,Philippines' leading wireless service provider, has issued an advisory about the Commwarrior worm. Although one would advice to be cautious about their instructions as, the first thing they advice to do is to reformat your phone is you are infected, which would cause your phone to lose all data.

The preferred way to disinfect your phone is to install Anti-Virus either by downloading and installing from PC or by surfing with a phone to mobile.f-secure.com. The F-Secure Mobile Anti-Virus is free for trial use, so disinfecting your phone costs nothing.

So far Commwarrior has been sighted in following countries:
1.Ireland
2.India
3.Oman
4.Italy
5.Philippines

On the other news, we also received reports of Cabir in Germany, that makes it 24th country with reports on Cabir.

 
 

 
 
Tuesday, May 17, 2005

 
Cut'n'Paste Rootkit-Bots Posted by Mika @ 05:28 GMT

As you probably know, there are a ridiculous number of variants for certain Bots. A recent development has been the addition of rootkit drivers into some Bot variants. Most likely Bot authors do not possess the skills required to write their own drivers, so they just add a driver from an existing rootkit or PoC and cut-and-paste the user-mode code for controlling the driver.

For example, some variants of Rbot drop a recompiled version of FU rootkit's driver onto the infected machine and use that to remove their process entry from Windows task manager. Another example of this behavior has been the use of JiurlPortHide driver for hiding network connections.

F-Secure BlackLight, if you recall, looks for discrepancies between two views - a tainted view and a clean view. This is how it finds rootkits. We have had some questions on BlackLight beta detecting FU rootkit. I will try to clarify the issue here:

FU rootkit exploits the fact that Windows process list and scheduler have virtually nothing to do with each other. FU removes a process from the kernel process list but magically the program will continue running as if nothing happened. FU is actually not a full-flexed rootkit - For example, it does not hide its driver file. When a malicious program, lets say Rbot, uses FU driver for hiding its process, BlackLight beta will show this Bot-process as hidden. However, BlackLight will not find the FU driver itself since it is not hidden in any way.

FU hiding processes (6k image)

 
 

 
 
Monday, May 16, 2005

 
Commwarrior spotted in Italy Posted by Jarno @ 11:17 GMT

Over the weekend we received report about Commwarrior sighting in Italy.

So it seems that like Cabir also Commwarrior is slowly spreading to new countries. And as most people don't have Anti-Virus in their phones and are curious enough to install something that arrives over MMS, it doesn't matter that Commwarrior has been known since March, is it still able to spread.

If a phone is infected with Commwarrior it can be easily disinfected with F-Secure Mobile Anti-Virus. And if there is significant Commwarrior MMS traffic in the area, mobile phone operators are adviced to filter out the infected MMS traffic with F-Secure Mobile filter or other similar product.

According to postings at Italian mobile users group, some people have received the Commwarrior as MMS and installed it from there. So the extra steps required to install application over MMS do not seem to prevent people getting their phones infected.

When monitoring postings in various news groups and discussion sites, one worrying aspect we have found is that people do not seem to know that they should contact Anti-Virus companies when phones get infected. What we see that in many cases people get their phones infected, they ask help from other users in the forums.

This is bad since, they might get bad advice, such as instructions to format their phones, while using Anti-Virus or disinfection tool would be enough. Also it is problematic for us, since without user reports it is hard for us to keep track of the developments in the mobile field. And it is impossible for us to provide guaranteed detection for new malware, without getting a sample of it first.

So do pass word around, that if someones phone gets infected, he should contact Anti-Virus company for help. Advice costs nothing and it helps us to keep up to date whats going in.

Currently the Commwarrior has been sighted in following countries:

1.Ireland
2.India
3.Oman
4.Italy



 
 

 
 
More on Sober.q Posted by Jarkko @ 08:57 GMT

Sober.Q spam
We have received a lot of questions about origins of the recent Sober-related spam messages. Sober.p downloaded and activated Sober.q during last weekend. This new variant of Sober is the one sending out right-wing propaganda.

Sober.q also drops a file called Spammer.Readme. It contains this text:

  http://i-newswire.com/pr19707.html
  http://www.ebcvg.com/press.php?id=965
 
  Ich bin immer noch kein Spammer!
  Aber sollte vielleicht einer werden :)
 
  In diesem Sinne


This is basically a message to Anti-virus industry claiming that "I'm not a spammer, although I might become a one!".


 
 

 
 
Sunday, May 15, 2005

 
Sober.q spams right-wing related emails Posted by Katrin @ 16:16 GMT

New Sober variant (Sober.Q) was found yesterday. We've added detection of it last evening (in update 2005-05-14_01).

Today we got confirmation from Germany that this variant spams right-wing related emails - or more exactly links to such articles.

 
 

 
 
Wednesday, May 11, 2005

 
Commwarrior Symbian MMS worm is in the wild Posted by Jarno @ 08:24 GMT

Screenshot of a MMS messagent sent by Commwarrior

We have been publishing posts about Cabir sightings in various countries. However, it's not the only phone worm spreading in the wild. The Commwarrior worm that spreads both via Bluetooth and MMS messages was found in-the-wild in Ireland already in January. Three weeks ago we got a report from India, and now we've received information about a Commwarrior sighting in Oman in Middle East.

All these have been isolated cases. Nevertheless, this virus is in the wild. Commwarrior could potentially be much bigger trouble than Cabir - via MMS it can jump from one country to another easily.

Commwarrior monitors the phone's clock and spreads over Bluetooth during daytime (from 08:00 to midnight) and spreads via MMS during the night (from midnight to 07:00). The worm sleeps a random time between sending the messages, further slowing down the spreading.

And of course, sending MMS messages is expensive. Lets do a little math here. How many phone numbers do you have in your phone? How much does sending one MMS cost you? Assuming, say, 500 numbers and 0.50€ per message, that would cost you 250€. Of course, that money wouldn't go back to the virus writer, but in any case we're talking about a nasty side effect here.

When Commwarrior arrives via MMS, the user sees a message that contains social engineering text and an attachment. Unlike in Bluetooth replication, where the system installer starts automatically after receiving message (of course with normal installation dialog), user has to save the SIS file attachment from MMS before the installer starts.

Message from Oman. Quoted with permission.
Thus getting infected with Commwarrior over MMS takes even more steps than Cabir over Bluetooth, which is probably one of the reasons why we haven't seen distribution in larger scale. But as we know, people are curious, and there are always some people who will install Commwarrior. Especially since via MMS they seem to receive the file from somone they know.

Commwarrior infected phones can be easily disinfected with by surfing to mobile.f-secure.com and downloading F-Secure Mobile Anti-Virus - or manually with a third party file manager. And telecom operators can scan the MMS traffic for viruses using a suitable tool, for example F-Secure Mobile Filter

However, we've only received isolated reports about Commwarrior, so the worm seems to be quite rare and currently it is not really a serious threat.

PS. We've also received a report of Cabir sightings in New Zealand and in Switzerland. That makes it 23 countries with reports on Cabir.

 

 
 

 
 
Tuesday, May 10, 2005

 
Microsoft May security bulletin released Posted by Ceco @ 23:35 GMT

The monthly security roundup brings only one update this time. The update is rated "Important" and it affects Windows 2000 SP3 and SP4 systems as well as some older platforms. We urge customers who are using these platforms to consider updating. Detailed description on May's update can be found here: MS-05-024
 
 

 
 
Monday, May 9, 2005

 
In-depth investigation of the "Cabir-in-Cars" myth Posted by Jarno @ 11:06 GMT

Couple of months ago there were rumours floating around that Bluetooth viruses could infect the on-board computers of some Lexus cars, or at least cause some visible effects on them.

In February we published an official statement from Toyota that Lexus does not use Symbian OS, and thus cannot be infected by any of the Cabir variants.

However a mobile worm infecting a car is a thought that one cannot let go easily, and even as we knew that the car cannot be infected, this was something that just had to be tested for real.

So we got a Toyota Prius to test out the myth. Credit has to be given to Toyota for trusting their systems enough to actually lend the car for us for such testing. According to Toyota, this Prius model had identical in-car Bluetooth systems with the Lexus models, so it was suitable for our tests. This Bluetooth functionality is intended to, for example, transfer the phone book from the car owners mobile phone to the built-in phone of the car.

Underground

After getting the car we drove it to a safe testing location: an underground base 42 meters (140 feet) below sea level - for some in-depth testing! Before starting any testing with live viruses we obviously made sure there were no third party phones in the area which otherwise could have been at risk.

In the tests we used the Cabir.B and Cabir.H viruses: Cabir.B being the most widespread variant and responsible for most of the Cabir sightings in-the-wild, and Cabir.H as it has a different and more powerful spreading algorithm.

We did the tests by infecting phones with Cabir variants and operated the car in all available Bluetooth modes. We wanted to simulate a situation where someone just walks past the car with a Cabir-infected phone that has not been paired with the car. Then we recreated a situation where the phone of the owner of the car is infected and he does Bluetooth operations with the car.

Jarno inside the car

It came as no surprise that we could not infect the car, but the Prius performed in the test even better than expected. No matter what we did the car did not react to the Bluetooth traffic at all. Cabir tried to send itself to the car and the car just did not allow the Bluetooth OBEX transfer to happen.

After finishing the tests with infected phones, we tried to transfer a Cabir-infected SIS file to the car with a special file transfer program from the phones. In this test the Prius accepted the file transfer to begin, but then displayed a message stating "Transfer failed". This message is shown for any data transmitted to a car that is not a valid VCARD phone book.

Transfer failed

While we had the car for testing, we also tried all kinds of other publicly known Bluetooth attacks on it. Our goal was to find out if the car would react in any way to known Bluetooth attacks and exploits.

After some tests we got a surprising result: Suddenly all dashboard warning lights came on. The car went totally dead. Even the door locks didn't open anymore. The onboard computer displayed a severe warning: "The transmission lock mechanism is abnormal. Park your car on a flat surface, and fully apply the hand brake". We waited hesistantly a moment, turned ignition off and rebooted the car - and everything was back to normal. Weird.

crash

We repeated the same test - with the same results. We run it for a third time - and once again the system crashed. After that we started to get really worried. This can't be right - Bluetooth can't cause this, can it? Thoughts of massive product recalls started to float in our minds.

So we started from scratch and double checked everything. Going through the standard process of elimination by switching all Bluetooth devices off and waiting for some time, the problem repeated itself. Turns out the cause of the error was low voltage. After intensive tests for all morning, the battery of the car was running low! The car computer was going haywire because of that, and the problem had nothing to do with Bluetooth! But those were quite tense moments indeed - we almost thought that the impossible might have happened.

After fixing the battery problem, we continued tests and Toyota Prius performed admirably. We managed to find one minor issue with the system (a corrupted phone name would freeze the on-board display), but otherwise the Prius Bluetooth system was far more stable than our test phones and PCs. We had to reboot our test systems several times as their Bluetooth systems died on us, while Toyota Prius just kept going.

All in all, that test was definitely one of the more interesting virus tests we've done for quite a while.

Wardriving!

 
 

 
 
Friday, May 6, 2005

 
This is all Greek to me Posted by Mikko @ 08:27 GMT

Greek Cabir
We got today a report of a Cabir infection in Greece. That's the 21st country reported to have had Cabir in the wild.

The infection had happened in the central square of the city of Athens.

People keep asking what does it actually look like when Cabir hits you...so here's a series of pictures showing one example. The actual prompts differ from one phone model to another. These pictures are taken in a RF lab on a Nokia 7610.

 

 

Cabir prompts

So how come anybody ever gets infected by it if you have to click "Yes" so many times?

Well, we've spoken to many people who've actually been infected, and they typically explain it like this: They got this weird message on the phone, requesting a "Yes" or "No" answer. So they clicked "No". But the message popped up immediatly again. And they clicked "No" - only to see the message pop up again. And since "No" didn't seem to be working, they clicked "Yes"...

The message would have disappeared if they would have walked away from the area where they were (to get out of the range of the infected phone), but there's no way for an end user to know that.

 
 

 
 
Tuesday, May 3, 2005

 
Sober Agent Posted by Mikko @ 17:25 GMT

The Sober variant we alerted on last night is still spreading...although not enough to get a Radar Level 1 rating.

One example of a mail Sober.P might send is a German message promising free tickets to the soccer world championships. The ticket sales for the next World cup were opened on Monday - the same day the virus was released. Here's what these viral emails looked like:

  From: Ticket@fifa.de
  Subject : WM-Ticket-Auslosung
  
  Herzlichen Glueckwunsch,
  
  beim Run auf die begehrten Tickets für die 64 Spiele der
  Weltmeisterschaft 2006 in Deutschland sind Sie dabei.
  
  Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.
  
  Ihr "ok2006" Team
  St. Rainer Gellhaus
  
  --- FIFA-Pressekontakt:
  --- Pressesprecher Jens Grittner und Gerd Graus
  --- FIFA Fussball-Weltmeisterschaft 2006
  --- Organisationskomitee Deutschland
  --- Tel. 069 / 2006 - 2600
  --- Jens.Grittner@ok2006.de
  --- Gerd.Graus@ok2006.de
  
  Attachment: Fifa_Info-Text.zip


fifa.com screenshot
In fact, the Fédération Internationale de Football Association has put out a public warning on this. Because of the Sober emails overloading the systems, FIFA organizers were unable to receive or send normal e-mails according to vice president Wolfgang Niersbach.

Another recent development that has been getting some attention lately has been the Agent.aa trojan (aka Trojan-PSW.Win32.Agent.aa or Bancos.NL). As many bank trojans, this one starts logging user keypresses and making screenshots when infected user enters specific websites.

What sets this one apart though is the sheer size of the list of banks: 2764 different sites from over 100 different countries are targeted! The full list is available here.

Do note that it doesn't automatically mean that the customers of listed banks are affected. Many online banks use proper one-time password authentication schemes, and are thus not in danger of someone stealing access to accounts. The attacker might still see confidential information though.

 
 

 
 
Monday, May 2, 2005

 
Who would've guessed? New Sober found. Posted by Mikko @ 18:58 GMT

Sober.P
We've received some reports of a new Sober variant in the wild. As usual, this is an email worm sending variable messages in English and German.

Historically, Sober variants have often made a pretty big hit - especially in central Europe. We'll see what happens with this one.

In this case time zones are on our side...by the time European workers get back to their offices tomorrow morning, all antivirus programs should already stop it. We detect it as Email-Worm.Win32.Sober.p.

 
 

 
 
Greetings from EICAR 2005 Posted by Katrin @ 11:31 GMT

Greetings from EICAR 2005 in Malta. The conference has 36 presenters and around 100 participants.

EICAR is one the "big three" antivirus conferences in the world, together with the Virus Bulletin and AVAR conferences. This year we have Patrick Runald from our UK office keynoting the conference with a presentation about rootkits and other new risks.

Eicar 2005 Malta

Tomorrow Sami Rautiainen and me will give a presentation titled "Scripts - Appetizer or Main Course?", where we discuss different methods of malicious scripting used by recent worms, trojans, spam and phishing.

Signing off,
Katrin