Monthly Archives - May of 2009
 

Saturday, May 30, 2009

 
Securing Cyberspace Posted by Mikko @ 09:01 GMT

Yesterday President Barack Obama announced his plans for securing cyberspace.

It would have been hard to imagine George Bush giving a talk about malware and bots. And that's exactly what Obama did.

From Obama, phrases like this sound perfectly natural: "we've had to learn a whole new vocabulary just to stay ahead of the cyber criminals who would do us harm -- spyware and malware and spoofing and phishing and botnets."

CyberObama

President Obama also mentioned Conficker by name, which was interesting. The full text of his speech is available online.

Another quote: "Our Information Age is still in its infancy. We're only at Web 2.0."

My comments on President Obama's announcement are available in the New York Times.

 
 

 
 
Friday, May 29, 2009

 
Microsoft DirectShow is Vulnerable Posted by Sean @ 15:07 GMT

There's a vulnerability in Microsoft's DirectShow (DirectX). It affects Windows 2000 / XP / Server 2003.

MSA971778

The vulnerability exploits quartz.dll QuickTime parsing. However, you don't have to have QuickTime installed.

MSA971778

Microsoft has some workarounds to offer.

MSA971778

See Microsoft Security Advisory 971778 for details.

MSA971778

Microsoft is currently reporting limited use against this vulnerability in the wild.

Update: Microsoft has published a "Fix It" tool that automates the registry changes.

Note: Our Exploit Shield technology — which is integrated into our Internet Security Technology Preview — heuristically blocks this vulnerability from being exploited.

 
 

 
 
Tuesday, May 26, 2009

 
Put Your Passwords on a Post-it Posted by Sean @ 16:07 GMT

Facebook is slowly but surely defending itself against aggressive spam runs.

There's some speculation among experts. Why Facebook? Has Facebook become a keystone from which to launch and steal all of an individual's passwords (i.e. banking and commerce sites)? Once you have Facebook, can you then compromise the primary e-mail account and everything else along with it?

Maybe so, but regardless of why — the sheer gravity of Facebook makes it a target. Its growth and size is tremendous.

Let's take Finland as an example. There are over one million estimated Facebook accounts and there are only 5.3 million people living in Finland. The regional network has over 544,000 members. Anything that size will be a target for scammers.

Wherever good people go, miscreants will follow.

So of course it's an excellent policy to maintain complex passwords that are unique to each site. Right?

Here's an idea. Write down your passwords. Seriously.

And once you write them down, put them in your wallet. Think about it. What else do you carry in your wallet? That's right, your bank cards. And your bank cards contain your account name and account number.

That's kind of like your online account names and passwords.

Only this is the key — It's a two part password. Because your account name and bank card number also requires your PIN.

So take a look at this screenshot. What do you see?

Passwords on a post-it

Passwords on a Post-it, only examples of course… non-dictionary ones at that.

Keep another three common characters in your head, and you'll have complex 10 character passwords. And you can insert those extra characters in the front, middle, or end.

What do we mean? It's like this.

The first three characters in this example are based on the website, "aMA" represents Amazon.com. And it can be written several ways, such as "AMa" or "aMa" or "AMA", etc. A good method should be easy for you to remember.

The next (or other) part, "2242" as in our example, should be something completely random. This is the part that you really need to write down and keep safe so that you don't forget it.

And then you should use a method to add three more characters (your "PIN") to every password. Something such as "35!" So the full password then becomes "aMA224235!" or "aMA35!2242" or "35!aMA2242".

Our other example would be "gMA35N135!".

Your PIN should never be written down, keep that bit of information in your head. Just like your bank card's PIN.

Note that our example does not include an e-mail address on the Post-it.

What happens if your wallet is stolen? You call the bank and cancel your cards.

And what about your Post-it? If it doesn't include your e-mail address or your PIN, you can reset your passwords in a timely fashion on a new piece of paper. You're good to go.

Using this methodology, you can maintain complex and unique passwords, and still have something handy for when you forget them. Because we all do forget stuff from time to time.

And if you're phished on one site, such as Facebook, your other accounts aren't sharing the same password.

Oh, one last piece of advice.

Don't put the Post-it on your monitor! And not on the underside of your keyboard either… everyone's familiar with that location too.







 
 

 
 
Rai.TV neaPOLIS Posted by Response @ 11:26 GMT

We recently hosted an Italian reporter from neaPOLIS, a technology program broadcast on Italian television Rai.

If you speak Italian, you'll find the clip from here… or perhaps you just want to see our Helsinki Security Lab.

FSecure's Paolo Palumbo on Rai.tv

 
 

 
 
Monday, May 25, 2009

 
Do Facebook Phishers Prefer Macs? Posted by Sean @ 15:21 GMT

Facebook phishing has been on the increase lately.

It's nothing new however, PhishTank.org has been tracking Facebook as a "Targeted Brand" for quite some time.

Here's a screenshot of the real Facebook login page:

Facebook login, real

And here's a screenshot of a fake courtesy of PhishTank:

Facebook login, fake

Notice the difference?

There's a grammatical mistake, "We helps you"… and then the fake login page looks as if it is being rendered by the Safari browser.

So perhaps phishers prefer using Macs?







 
 

 
 
H1N1 Themed Targeted Attack Posted by Response @ 13:02 GMT

The H1N1, formerly known as swine, flu continues to make headlines… though the trends peaked earlier this month.

And while there hasn't been widespread use of H1N1 themes for malicious attacks, we have seen some limited use. Here's something that our honeypots collected last week.

It's a malicious PDF file (that's nothing new).

When the PDF is opened, it exploits Adobe Reader, drops a backdoor, and shows a file referring to H1N1 flu.

Here's a screenshot.

H1N1

What happens behind the scenes? The exploit drops a malicious file called "AcrRd32.exe" into the computer's temp folder.

The malicious file connects to three IP addresses in order to "call home". These addresses are, or were, in Texas (207.200.45.12), Budapest (89.223.181.93) and Hyderabad (202.53.69.130).

The individuals targeted by this attack are unknown to us.

 
 

 
 
Friday, May 22, 2009

 
Malicious IFrame on Gadgetadvisor.com Posted by WebSecurity @ 06:35 GMT

Are you a gadget geek? Do you often seek advice from Gadget Advisor before making a purchase?

One of our Web Security Analysts discovered a malicious IFrame on the popular tech website that redirects visitors to a malicious website.

Gadget Advisor

If the site detects a PDF browser plugin for Adobe Acrobat and Reader, it loads a specially-crafted malicious PDF file that exploits a stack-based buffer overflow vulnerability (CVE-2008-2992).

The net effect of the attack is to plant a trojan, detected as Trojan-Downloader.Win32.Agent.brxr, on vulnerable systems by calling the util.printf JavaScript function, which connects back to the malicious website in order to download the trojan to the machine. A remote attacker can access the user's machine once it has been infected with the trojan.

Below are the readable codes contained within the malicious PDF file.

Gadget Advisor Exploit 1

Gadget Advisor Exploit 2

This attack is targeted against older, unpatched versions, as the latest Adobe updates have already fixed this problem. More information and the updates can be found on adobe.com at http://www.adobe.com/support/security/bulletins/apsb08-19.html.

Disabling the JavaScript function in Acrobat and Reader will also prevent the threat from proceeding.

Updated to add: The website is now clean.

 
 

 
 
Wednesday, May 20, 2009

 
Mac Protection Posted by Sean @ 15:12 GMT

Take a look at this:

F-Secure Mac Protection

Looks like our recently mentioned Internet Security Technology Preview, right?

But look closely and you'll see that the image above is for Mac Protection.

We used to have a Mac solution back in the days of sneakernets. The updates were distributed via floppies. This new Mac Protection (with antivirus) is part of our Technology Preview program and you can download it from our Beta Programs page. An Intel processor based Mac with OS X version 10.5 (Leopard) is a requirement.

Macs are popular, with consumers… and also with malware authors. There's plenty of Zlob codec trojans that will infect a Mac if given the chance. Mac's popularity is such that we feel it's time once again for our own Mac solution. Give it a try — Cheers.

 
 

 
 
Tuesday, May 19, 2009

 
We've Moved Posted by Response @ 09:26 GMT

We've moved. Our Kuala Lumpur Security Lab that is…

We successfully transplanted the entire Kuala Lumpur office to new premises over the weekend. The new location offers much more room for expansion as we continue to grow.

Here's an exterior shot of the office building — "Menara F-Secure" (F-Secure Tower) is the second tower from the right.

New KL Office

And here's a shot of the (much larger) Security Lab, before all the Analysts completed setting up their workstations:

New Security Lab

There were still boxes, cables and other paraphernalia lying around at the time, as you can see in the background. Today though everything has been set up, all the boxes are being cleared and everyone is getting comfortable again.

During the entire move, we were able to maintain full response services by creatively working around the organized turmoil, but it's good to finally settle down and get to work in the new lab. So as an unofficial salute to mark the end of the move:

"Cheers from the KUL Lab!"

 
 

 
 
Monday, May 18, 2009

 
Rogue Browser Agents Posted by Sean @ 15:30 GMT

How big an issue are Rogue antivirus applications? Let's take a look.

What is your browser's user agent? Any ideas? The Firefox browser should look something like this:

What is my user agent?

You can determine yours from whatsmyuseragent.com. Now let's take a look at this user agent:

     Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Do you see it? Right there in the middle, "AntivirXP08". What is that all about?

Some rogues modify the browser's user agent. We've seen hundreds of AntivirXP08 string variations. The modified string is possibly used to identify the affiliates responsible for the installation which drives "business" to the rogue's website.

Modified user agents could also be used deliver different content. A victim with AntivirXP08 doesn't need to be convinced to download an installer, instead they can be targeted to complete the scam and to buy the rogue.

How many infected user agents are out there? Toni examined one of our sinkholes and its April 2009 logs contained 63,000 unique IP addresses using agents that contain AntivirXP08.

63 thousand. That's a lot of infections, right? And that doesn't include other strings we've seen such as "Antimalware2009".

It's a small measure of a very large problem.

 
 

 
 
Thursday, May 14, 2009

 
twitter.com/FSLabs Posted by Sean @ 16:13 GMT

Our Twitter account can be used to follow the blog at twitter.com/FSLabs, #Blog designates something from our RSS feed.

Other links of interest may be tweeted there as well.

 
 

 
 
Wednesday, May 13, 2009

 
Fake Adobe Flash Player Site Posted by WebSecurity @ 07:40 GMT

One of our Web Security Analysts came across a website (118,000 ranking in Alexa) that drives users into installing a fake Adobe Flash Player file. The site prompts a message requesting the user download "a new version of Adobe Flash Player" in order to view a video on the site.

Fake Adobe Flashplayer

On clicking "Continue", visitors are taken to this page:

Fake Adobe FlashPlayer

Looks pretty authentic, right? It even offers to download an "install_flash_player.exe" file for you. The analyst was using a Linux system though, so this seemed slightly odd.

Turns out the site is a (pretty good) fake. Unless a visitor takes a hard look at the address bar, it's pretty easy to be fooled.

The downloaded installer also looks like the original Adobe Flash Player installer, though the checksum and digital signatures point out the difference.

Fake Adobe Flashplayer installer

install_flash_player.exe version 10.0.22.87
md5: 51F26C0051E97A91145971FE5BC632FF

malware_install_flash_player.exe
md5: 71AD0C4A4168AA98BB20E3561E505CC7

Based on a reverse domain lookup on the malware link, the fake site is hosted in Bulgaria.

Updates to the latest antivirus definitions detect this threat.







 
 

 
 
Update on Updates Posted by Patrik @ 05:04 GMT

A bunch of updates were made available by several vendors yesterday. Get'em while they're hot.

Microsoft — patch for PowerPoint fixes 14 vulnerabilities
Adobe — patch for two Adobe Reader vulnerabilities
Apple — fixes 67 security issues in OS X

Security Updates en masse

 
 

 
 
Monday, May 11, 2009

 
l337 Beta Testers Needed Posted by Sean @ 14:23 GMT

Do you enjoy installing and trying out new software? Do you want the chance to win an iPod? Yes? Okay, then keep reading…

Our most recent build of F-Secure Internet Security Technology Preview (ISTP) was released last Friday, version 9.40 build 172. Some big changes are being implemented into our products and ISTP 9.40 is our first look at them. The Security Lab has been testing 9.40 and we'd like to encourage our blog readers to do so as well. (Download Beta Programs)

The most immediate change you'll notice is the first-level GUI.

F-Secure Technology Preview 9.40

It is quite different from our present design and will eventually the basis of the entire GUI. It's still evolving so feedback is very formative at this point, if not this year's releases, then next.

There are also numerous changes in the technology:

  •  Scanning performance improvements
  •  Boot optimization
  •  Processes optimization
  •  DeepGuard enhancements
  •  New Spam Control
  •  New network-based Parental Control

Here's an example of our new Browsing Protection options.

F-Secure Technology Preview 9.40  <br />Browsing Protection

Exploit Shield and a network based reputation protection is now integrated (IE and Firefox). Known bad sites will be blocked, and unknown sites will be "shielded" against. And when the Shield is activated, we'll learn about yet another bad site… and that builds a protective feedback loop. The next visitor will be blocked from visiting rather than shielded.

Those of you familiar with our current lineup know that DeepGuard is found within our Real-time scanning "System Control" settings. DeepGuard is now uncoupled from Real-time scanning options and includes enhanced process monitoring.

F-Secure Technology Preview 9.40  <br />DeepGuard

ISTP's DeepGuard utilizes our "Cloud" of course.

nhips_dialog

And known malicious applications are blocked on the basis of server queries.

nhips_dialog_highlighted

If you're offline, DeepGuard can automatically block malicious applications using our latest behavioral engine technology.

DeepGuard Flyer

Alright, so there are a number of important changes and there's lots of testing and work to be done still. And even though we're testing internally, you know that real-world testing by actual users is very important to the process.

This time around, we'd really like some significant feedback. Anybody testing ISTP 9.40 build 172 that submits detailed feedback to the Beta Program will be eligible for a prize drawing. (We'll grandfather in those of you that have already provided detailed feedback on build 165.) The Beta Program team is gathering up the budget for some iPods and/or other cool stuff; details will soon be posted on the Beta Program page.

Another cool thing about the technology… it's updated automatically. Which means that if you are running ISTP 9.30 — It should update itself to Build 172 today via our update channel. If it doesn't soon, that's the kind of feedback we want to read about.

Download ISTP from the Beta Programs page. Cheers!

One additional note that's very important to us here in the Lab — this ISTP 9.40 release includes lots of changes to our detection technologies. They are more proactive and heuristic than in previous product releases. (DeepGuard being a good example.) This should enhance our detection of undefined/unknown malware. If you discover any new samples, we want them! Also, if you encounter a detection that's too aggressive, you can help us with feedback there as well.

Please use our Sample Analysis System to provide the Lab feedback on detection related issues.

And the Beta Program Feedback form should be used for product related issues.

 
 

 
 
Saturday, May 9, 2009

 
What Did Darkmarket.ws Look Like? Posted by Mikko @ 10:58 GMT

Keith Mularski
FBI agent Keith Mularski gave an interview yesterday to Elinor Mills. In the interview he talks for the first time about the background of the infamous Darkmarket.ws sting operation.

Special Agent Mularski worked undercover for two years, operating a message forum for online criminals, posing as one of them. The operation ended last fall with 60 arrests around the world.

The most famous arrest to come out of this sting operation was the arrest of Çağatay Evyapan in Turkey. Mr. Evyapan, known online as "cha0" was arrested in a raid by a special unit of the Turkish police.


Here's a video of cha0's arrest from our Security Wrapup:

cha0 aka Çağatay Evyapan

The Darkmarket case has received a lot of media coverage.

But what did the actual site look like when it was still operational?

For the first time, we're now publishing a series of screenshots taken of Darkmarket.ws.

We took these pictures mostly in 2006 and 2007. They detail how this forum was used to conduct all kinds of online crimes.

Darkmarket
Login page of Darkmarket.ws

Darkmarket
Here's a user who is interested in buying access to 3000-4000 infected machines a week.

Darkmarket
"Get more $$$ for your logs" - this user is advertising cashing services for various banks, used to steal money from online bank accounts. Credentials for these accounts have been stolen via keyloggers.

Darkmarket
User 'aloaster' has hacked several online shops. Now he's selling administrator access to them.

Darkmarket
Distributed-denial-of-service attacks for sale. "This is a great deal on DDOS attacks and cannot be beat by anyone!"

Darkmarket
200 "dove" stickers for $1500. "Dove stickers" are VISA credit card holograms.

Darkmarket
Another ad for credit card holograms.

Darkmarket
Malware for sale, $350.

Updated to add: Darkmarket is back, sort of. See:
http://twitter.com/mikkohypponen/status/1747396042 and
http://twitter.com/mikkohypponen/status/1747396623

 
 

 
 
Thursday, May 7, 2009

 
Q&A: Windows 7 File Extension Hiding Posted by Mikko @ 14:25 GMT

We got plenty of good comments on the previous blog post about Windows 7, including feedback from people who are actually working in the Explorer development team at Microsoft.

Many of the comments included questions on the topic, so here's a Q&A:

Q: What is this all about?
A: It's about Windows, by default, hiding file extensions such as .EXE. Virus writers exploit this by creating malicious files with double-extensions (PICTURE.JPG.EXE). Such a file would typically also use a misleading icon.

Q: How long has Windows Explorer been hiding file extensions "For known file types"?
A: Since Windows NT.

Q: Why do they do it?
A: We don't know.

Q: Is this a real risk? If user already has such a file on his hard drive, it's too late, right?
A: Not really. The file could have come from the Internet, from a file share or a removable drive and the user hasn't necessarily executed it yet.

Q: But if the file came from the Internet, Explorer will warn you that it came from an "Untrusted Zone"!
A: Only if you use Internet Explorer to browse the web and Outlook to download your e-mail attachments. There are plenty of other ways to download files from the net: 3rd party web and e-mail clients, BitTorrent and other P2P clients, chat programs etc. Also, you can't rely on such warning dialogs if the file is on a network share or an a USB drive.

Sucks

Q: There is no problem. Even in your own screenshot the file is labeled by Explorer as "Application"! Thus, nobody would click on it. Even though the file is called something.txt. And it has the icon of a text file.
A: Right…

Q: Do real worms really use such filenames?
A: Oh yes. They typically spread by copying themselves with tempting filenames to random folders on removable drives or network shares, with filenames along these lines:

    E:\PRESENTATION.PPT.exe
    E:\DOCUMENT.DOC.exe
    E:\PORNVIDEO.AVI.exe
    Etc.

Many would click on these, especially if the icon of the file looks like a document icon — and when Windows hides the ".exe" part of the name.

Q: So, the solution is turn off "Hide extensions for known file types" in Explorer settings?
A: Yeah.

Windows 7 Folder Options

Q: Will that make all file extensions visible?
A: Well, no. There are executable extensions that will STILL be hidden even if you turn the option off.

Q: What?
A: For example PIF. This file type was meant to be a shortcut to old MS-DOS programs. Problem is, you can rename any modern Windows Executable to .PIF and it will happily run when double-clicked.

For example, the Scamo worm uses exactly this flaw, dropping files such as these:

    HARRY POTTER 1-6 BOOK.TXT.pif
    ANTHRAX.DOC.pif
    RINGTONES.MP3.pif
    BRITNEY SPEARS FULL ALBUM.MP3.pif
    EMINEM BLOWJOB.JPG.pif
    VISTA REVIEW.DOC.pif
    OSAMA BIN LADEN.MPG.pif
    NOSTRADAMUS.DOC.pif

Q: How do you I make PIF files visible then?
A: Via a registry key called "NeverShowExt". We'd link you to an article in the Microsoft Knowledgebase… except we couldn't find any. But here's a Web page on the topic, from GeoCities, made by some hobbyist a couple of years ago. Maybe it's the best source of information on the topic.

Q: Do you still expect Microsoft to change the behavior of Explorer in Windows 7?
A: No, not really.

Bottom line: We still fail to see why Windows insists on hiding the last extension in the filename. It's just misleading.







 
 

 
 
Security Advisory FSC-2009-1 Posted by Mikko @ 14:02 GMT

Our readership may be interested in this vulnerability description regarding a ZIP and RAR archive evasion vulnerability in our products. On clients and servers, the worst case is a delay in detection and so it's considered to be low severity.

On the other hand, if you admin a gateway, read this and apply the available patches — Security Advisory FSC-2009-1.

Roger Mickael gets the credit for bringing this issue to our attention. Cheers.

 
 

 
 
Wednesday, May 6, 2009

 
PDF Most Common File Type in Targeted Attacks Posted by Patrik @ 18:40 GMT

We've covered targeted attacks many times in the past and we've also covered PDF and vulnerabilities in Adobe Acrobat/Reader being used to install malware. So we decided to take a look at targeted attacks and see which file types were the most popular during 2008 and if that has changed at all during 2009.

Targeted Attacks 2008

In 2008 we identified about 1968 targeted attack files. The most popular file type was DOC, i.e. Microsoft Word representing 34.55%.

Targeted Attacks 2009

So far in 2009 we have discovered 663 targeted attack files and the most popular file type is now PDF. Why has it changed? Primarily because there has been more vulnerabilities in Adobe Acrobat/Reader than in the Microsoft Office applications. Like the two vulnerabilities we mentioned a week ago. These are scheduled to be fixed by Adobe on May 12.

More info about targeted attacks and how they work can be found in the Lab's YouTube video.

 
 

 
 
Tuesday, May 5, 2009

 
Windows 7 Fail Posted by Mikko @ 13:25 GMT

Windows 7 RC is out today.

This is great news.

Because surely by now they've fixed Windows Explorer.

You see, in Windows NT, 2000, XP and Vista, Explorer used to Hide extensions for known file types. And virus writers used this "feature" to make people mistake executables for stuff such as document files.

The trick was to rename VIRUS.EXE to VIRUS.TXT.EXE or VIRUS.JPG.EXE, and Windows would hide the .EXE part of the filename.

Additionally, virus writers would change the icon inside the executable to look like the icon of a text file or an image, and everybody would be fooled.

Surely this won't work in Windows 7.

Lets try.

Hmm. It sure looks like a text file in Explorer:

7 sucks

But it actually is an executable:

7 sucks

Windows 7 Fail

 
 

 
 
Monday, May 4, 2009

 
H1N1 Domains Posted by Sean @ 15:18 GMT

As a follow up to last Monday's post, here is a list of domains registered over the weekend using the words swine flu.

There are 1,344 on the list. Again, so far, none of the domains we've checked are hosting any malicious files.

In fact, the only malicious file we've seen is something that Symantec posted about last week.

It's a PDF "Swine Flu FAQ" exploit which drops a password stealer and then opens a clean PDF file as a decoy.

PDF based exploit using swine flu FAQ

One interesting thing about the exploit that hasn't been mentioned yet is the file name, The Association of Tibetan journalists Press Release.pdf.

Tibet themed exploits are very popular with targeted attacks.