NEWS FROM THE LAB - May 2009

Saturday, May 30, 2009

 
Securing Cyberspace Posted by Mikko @ 09:01 GMT

Yesterday President Barack Obama announced his plans for securing cyberspace.

It would have been hard to imagine George Bush giving a talk about malware and bots. And that's exactly what Obama did.

From Obama, phrases like this sound perfectly natural: "we've had to learn a whole new vocabulary just to stay ahead of the cyber criminals who would do us harm -- spyware and malware and spoofing and phishing and botnets."

CyberObama

President Obama also mentioned Conficker by name, which was interesting. The full text of his speech is available online.

Another quote: "Our Information Age is still in its infancy. We're only at Web 2.0."

My comments on President Obama's announcement are available in the New York Times.

Friday, May 29, 2009

 
Microsoft DirectShow is Vulnerable Posted by Sean @ 15:07 GMT

There's a vulnerability in Microsoft's DirectShow (DirectX). It affects Windows 2000 / XP / Server 2003.

MSA971778

The vulnerability lies in quartz.dll's QuickTime media parsing. However, you don't need to have QuickTime installed to be affected.

Microsoft has some workarounds to offer.

See Microsoft Security Advisory 971778 for details.

Microsoft is currently reporting limited attacks exploiting this vulnerability in the wild.

Update: Microsoft has published a "Fix It" tool that automates the registry changes.

Note: Our Exploit Shield technology — which is integrated into our Internet Security Technology Preview — heuristically blocks this vulnerability from being exploited.

Tuesday, May 26, 2009

 
Put Your Passwords on a Post-it Posted by Sean @ 16:07 GMT

Facebook is slowly but surely defending itself against aggressive spam runs.

There's some speculation among experts. Why Facebook? Has Facebook become a keystone from which to launch and steal all of an individual's passwords (i.e. banking and commerce sites)? Once you have Facebook, can you then compromise the primary e-mail account and everything else along with it?

Maybe so, but regardless of why — the sheer gravity of Facebook makes it a target. Its growth and size is tremendous.

Let's take Finland as an example. There are over one million estimated Facebook accounts and there are only 5.3 million people living in Finland. The regional network has over 544,000 members. Anything that size will be a target for scammers.

Wherever good people go, miscreants will follow.

So of course it's an excellent policy to maintain complex passwords that are unique to each site. Right?

Here's an idea. Write down your passwords. Seriously.

And once you write them down, put them in your wallet. Think about it. What else do you carry in your wallet? That's right, your bank cards. And your bank cards contain your account name and account number.

That's kind of like your online account names and passwords.

Only this is the key — it's a two-part password. Because your account name and bank card number also require your PIN.

So take a look at this screenshot. What do you see?

Passwords on a post-it

Passwords on a Post-it, only examples of course… non-dictionary ones at that.

Keep another three common characters in your head, and you'll have complex 10-character passwords. You can insert those extra characters at the front, in the middle, or at the end.

What do we mean? It's like this.

The first three characters in this example are based on the website: "aMA" represents Amazon.com. It can be written several ways, such as "AMa" or "aMa" or "AMA", etc. A good method should be easy for you to remember.

The next (or other) part, "2242" as in our example, should be something completely random. This is the part that you really need to write down and keep safe so that you don't forget it.

And then you should use a method to add three more characters (your "PIN") to every password. Something such as "35!". The full password then becomes "aMA224235!", "aMA35!2242" or "35!aMA2242".

Our other example would be "gMA35N135!".

Your PIN should never be written down, keep that bit of information in your head. Just like your bank card's PIN.

Note that our example does not include an e-mail address on the Post-it.

What happens if your wallet is stolen? You call the bank and cancel your cards.

And what about your Post-it? If it doesn't include your e-mail address or your PIN, you can reset your passwords in a timely fashion on a new piece of paper. You're good to go.

Using this methodology, you can maintain complex and unique passwords, and still have something handy for when you forget them. Because we all do forget stuff from time to time.

And if you're phished on one site, such as Facebook, your other accounts aren't sharing the same password.

Oh, one last piece of advice.

Don't put the Post-it on your monitor! And not on the underside of your keyboard either… everyone's familiar with that location too.

Rai.TV neaPOLIS Posted by Response @ 11:26 GMT

We recently hosted an Italian reporter from neaPOLIS, a technology program broadcast on Italian television Rai.

If you speak Italian, you'll find the clip here… or perhaps you just want to see our Helsinki Security Lab.

FSecure's Paolo Palumbo on Rai.tv

Monday, May 25, 2009

 
Do Facebook Phishers Prefer Macs? Posted by Sean @ 15:21 GMT

Facebook phishing has been on the increase lately.

It's nothing new, however; PhishTank.org has been tracking Facebook as a "Targeted Brand" for quite some time.

Here's a screenshot of the real Facebook login page:

Facebook login, real

And here's a screenshot of a fake courtesy of PhishTank:

Facebook login, fake

Notice the difference?

There's a grammatical mistake, "We helps you"… and then the fake login page looks as if it is being rendered by the Safari browser.

So perhaps phishers prefer using Macs?

H1N1 Themed Targeted Attack Posted by Response @ 13:02 GMT

The H1N1 flu, formerly known as swine flu, continues to make headlines… though the trend peaked earlier this month.

And while there hasn't been widespread use of H1N1 themes for malicious attacks, we have seen some limited use. Here's something that our honeypots collected last week.

It's a malicious PDF file (that's nothing new).

When the PDF is opened, it exploits Adobe Reader, drops a backdoor, and shows a file referring to H1N1 flu.

Here's a screenshot.

H1N1

What happens behind the scenes? The exploit drops a malicious file called "AcrRd32.exe" into the computer's temp folder.

The malicious file connects to three IP addresses in order to "call home". These addresses are, or were, in Texas (207.200.45.12), Budapest (89.223.181.93) and Hyderabad (202.53.69.130).

The individuals targeted by this attack are unknown to us.

Friday, May 22, 2009

 
Malicious IFrame on Gadgetadvisor.com Posted by WebSecurity @ 06:35 GMT

Are you a gadget geek? Do you often seek advice from Gadget Advisor before making a purchase?

One of our Web Security Analysts discovered a malicious IFrame on the popular tech website that redirects visitors to a malicious website.

Gadget Advisor

If the site detects a PDF browser plugin for Adobe Acrobat and Reader, it loads a specially-crafted malicious PDF file that exploits a stack-based buffer overflow vulnerability (CVE-2008-2992).

The net effect of the attack is to plant a trojan, detected as Trojan-Downloader.Win32.Agent.brxr, on vulnerable systems. The exploit triggers the overflow through the util.printf JavaScript function, after which the payload connects back to the malicious website to download the trojan to the machine. A remote attacker can access the user's machine once it has been infected with the trojan.

Below is the readable code contained within the malicious PDF file.

Gadget Advisor Exploit 1

Gadget Advisor Exploit 2

This attack is targeted against older, unpatched versions, as the latest Adobe updates have already fixed this problem. More information and the updates can be found on adobe.com at http://www.adobe.com/support/security/bulletins/apsb08-19.html.

Disabling the JavaScript function in Acrobat and Reader will also prevent the threat from proceeding.

Updated to add: The website is now clean.

Wednesday, May 20, 2009

 
Mac Protection Posted by Sean @ 15:12 GMT

Take a look at this:

F-Secure Mac Protection

Looks like our recently mentioned Internet Security Technology Preview, right?

But look closely and you'll see that the image above is for Mac Protection.

We used to have a Mac solution back in the days of sneakernets. The updates were distributed via floppies. This new Mac Protection (with antivirus) is part of our Technology Preview program and you can download it from our Beta Programs page. An Intel processor based Mac with OS X version 10.5 (Leopard) is a requirement.

Macs are popular with consumers… and also with malware authors. There are plenty of Zlob codec trojans that will infect a Mac if given the chance. Mac's popularity is such that we feel it's time once again for our own Mac solution. Give it a try — Cheers.

Tuesday, May 19, 2009

 
We've Moved Posted by Response @ 09:26 GMT

We've moved. Our Kuala Lumpur Security Lab that is…

We successfully transplanted the entire Kuala Lumpur office to new premises over the weekend. The new location offers much more room for expansion as we continue to grow.

Here's an exterior shot of the office building — "Menara F-Secure" (F-Secure Tower) is the second tower from the right.

New KL Office

And here's a shot of the (much larger) Security Lab, before all the Analysts completed setting up their workstations:

New Security Lab

There were still boxes, cables and other paraphernalia lying around at the time, as you can see in the background. Today though everything has been set up, all the boxes are being cleared and everyone is getting comfortable again.

During the entire move, we were able to maintain full response services by creatively working around the organized turmoil, but it's good to finally settle down and get to work in the new lab. So as an unofficial salute to mark the end of the move:

"Cheers from the KUL Lab!"

Monday, May 18, 2009

 
Rogue Browser Agents Posted by Sean @ 15:30 GMT

How big an issue are Rogue antivirus applications? Let's take a look.

What is your browser's user agent? Any ideas? The Firefox browser should look something like this:

What is my user agent?

You can determine yours from whatsmyuseragent.com. Now let's take a look at this user agent:

     Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Do you see it? Right there in the middle, "AntivirXP08". What is that all about?

Some rogues modify the browser's user agent. We've seen hundreds of AntivirXP08 string variations. The modified string is possibly used to identify the affiliates responsible for the installation which drives "business" to the rogue's website.

Modified user agents could also be used to deliver different content. A victim with AntivirXP08 doesn't need to be convinced to download an installer; instead they can be targeted to complete the scam and buy the rogue.

How many infected user agents are out there? Toni examined one of our sinkholes and its April 2009 logs contained 63,000 unique IP addresses using agents that contain AntivirXP08.

63 thousand. That's a lot of infections, right? And that doesn't include other strings we've seen such as "Antimalware2009".

It's a small measure of a very large problem.
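As an added example (not code from the original post), here is the kind of detection logic behind the sinkhole count above: it parses web server log lines in combined format, constructed here for illustration with TEST-NET addresses, and counts distinct source IPs per rogue marker. The log format and the marker list are assumptions; the sinkhole's real format is not given in the post.

```python
import re
from collections import defaultdict

# Markers the post names; extend as new rogue families show up in the logs.
ROGUE_MARKERS = ("AntivirXP08", "Antimalware2009")

# Apache/nginx "combined" format (assumed; the sinkhole's real format is not given):
# ip ident authuser [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def rogue_marker(ua):
    """Return the canonical marker found in a User-Agent string, else None.

    The post mentions hundreds of AntivirXP08 variations, so the match is
    case-insensitive and accepts the marker anywhere in the string
    (e.g. "antivirxp08-3" between the usual semicolons).
    """
    ua_lower = ua.lower()
    for marker in ROGUE_MARKERS:
        if marker.lower() in ua_lower:
            return marker
    return None


def count_infected_ips(lines):
    """Map each marker to the number of distinct source IPs seen with it.

    Repeat hits from one IP count once, which is what makes the figure a
    (rough) count of infected machines rather than of requests.
    """
    ips_by_marker = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the run
        marker = rogue_marker(rec["ua"])
        if marker is not None:
            ips_by_marker[marker].add(rec["ip"])
    return {marker: len(ips) for marker, ips in ips_by_marker.items()}


# Constructed sample log (TEST-NET addresses); not real sinkhole data.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Apr/2009:10:01:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
192.0.2.10 - - [02/Apr/2009:10:01:05 +0000] "GET /x.gif HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
192.0.2.11 - - [02/Apr/2009:10:02:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; antivirxp08-3; .NET CLR 2.0.50727)"
192.0.2.12 - - [02/Apr/2009:10:03:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Antimalware2009; .NET CLR 2.0.50727)"
192.0.2.13 - - [02/Apr/2009:10:04:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
this line is deliberately malformed
"""


if __name__ == "__main__":
    for marker, n in sorted(count_infected_ips(SAMPLE_LOG.splitlines()).items()):
        print(f"{marker}: {n} unique IP(s)")
```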

Thursday, May 14, 2009

 
twitter.com/FSLabs Posted by Sean @ 16:13 GMT

Our Twitter account, twitter.com/FSLabs, can be used to follow the blog; #Blog designates something from our RSS feed.

Other links of interest may be tweeted there as well.

Wednesday, May 13, 2009

 
Fake Adobe Flash Player Site Posted by WebSecurity @ 07:40 GMT

One of our Web Security Analysts came across a website (ranked around 118,000 in Alexa) that drives users into installing a fake Adobe Flash Player file. The site displays a message asking the user to download "a new version of Adobe Flash Player" in order to view a video on the site.

Fake Adobe Flashplayer

On clicking "Continue", visitors are taken to this page:

Fake Adobe FlashPlayer

Looks pretty authentic, right? It even offers to download an "install_flash_player.exe" file for you. The analyst was using a Linux system though, so this seemed slightly odd.

Turns out the site is a (pretty good) fake. Unless a visitor takes a hard look at the address bar, it's pretty easy to be fooled.

The downloaded installer also looks like the original Adobe Flash Player installer, though the checksum and digital signatures point out the difference.

Fake Adobe Flashplayer installer

install_flash_player.exe version 10.0.22.87
md5: 51F26C0051E97A91145971FE5BC632FF

malware_install_flash_player.exe
md5: 71AD0C4A4168AA98BB20E3561E505CC7

Based on a reverse domain lookup on the malware link, the fake site is hosted in Bulgaria.

Updates to the latest antivirus definitions detect this threat.

Update on Updates Posted by Patrik @ 05:04 GMT

A bunch of updates were made available by several vendors yesterday. Get'em while they're hot.

Microsoft — patch for PowerPoint fixes 14 vulnerabilities
Adobe — patch for two Adobe Reader vulnerabilities
Apple — fixes 67 security issues in OS X

Security Updates en masse

Monday, May 11, 2009

 
l337 Beta Testers Needed Posted by Sean @ 14:23 GMT

Do you enjoy installing and trying out new software? Do you want the chance to win an iPod? Yes? Okay, then keep reading…

Our most recent build of F-Secure Internet Security Technology Preview (ISTP) was released last Friday, version 9.40 build 172. Some big changes are being implemented into our products and ISTP 9.40 is our first look at them. The Security Lab has been testing 9.40 and we'd like to encourage our blog readers to do so as well. (Download Beta Programs)

The most immediate change you'll notice is the first-level GUI.

F-Secure Technology Preview 9.40

It is quite different from our present design and will eventually be the basis of the entire GUI. It's still evolving, so feedback is very formative at this point: if not for this year's releases, then for next year's.

There are also numerous changes in the technology:

  •  Scanning performance improvements
  •  Boot optimization
  •  Processes optimization
  •  DeepGuard enhancements
  •  New Spam Control
  •  New network-based Parental Control

Here's an example of our new Browsing Protection options.

F-Secure Technology Preview 9.40 Browsing Protection

Exploit Shield and network-based reputation protection are now integrated (IE and Firefox). Known bad sites will be blocked, and unknown sites will be "shielded" against. And when the Shield is activated, we'll learn about yet another bad site… and that builds a protective feedback loop. The next visitor will be blocked from visiting rather than shielded.

Those of you familiar with our current lineup know that DeepGuard is found within our Real-time scanning "System Control" settings. DeepGuard is now uncoupled from Real-time scanning options and includes enhanced process monitoring.

F-Secure Technology Preview 9.40 DeepGuard

ISTP's DeepGuard utilizes our "Cloud" of course.

nhips_dialog

And known malicious applications are blocked on the basis of server queries.

nhips_dialog_highlighted

If you're offline, DeepGuard can automatically block malicious applications using our latest behavioral engine technology.

DeepGuard Flyer

Alright, so there are a number of important changes and there's lots of testing and work to be done still. And even though we're testing internally, you know that real-world testing by actual users is very important to the process.

This time around, we'd really like some significant feedback. Anybody testing ISTP 9.40 build 172 that submits detailed feedback to the Beta Program will be eligible for a prize drawing. (We'll grandfather in those of you that have already provided detailed feedback on build 165.) The Beta Program team is gathering up the budget for some iPods and/or other cool stuff; details will soon be posted on the Beta Program page.

Another cool thing about the technology… it's updated automatically. Which means that if you are running ISTP 9.30, it should update itself to Build 172 today via our update channel. If it doesn't soon, that's the kind of feedback we want to read about.

Download ISTP from the Beta Programs page. Cheers!

One additional note that's very important to us here in the Lab — this ISTP 9.40 release includes lots of changes to our detection technologies. They are more proactive and heuristic than in previous product releases. (DeepGuard being a good example.) This should enhance our detection of undefined/unknown malware. If you discover any new samples, we want them! Also, if you encounter a detection that's too aggressive, you can help us with feedback there as well.

Please use our Sample Analysis System to provide the Lab feedback on detection related issues.

And the Beta Program Feedback form should be used for product related issues.

Saturday, May 9, 2009

 
What Did Darkmarket.ws Look Like? Posted by Mikko @ 10:58 GMT

Keith Mularski
FBI agent Keith Mularski gave an interview yesterday to Elinor Mills. In the interview he talks for the first time about the background of the infamous Darkmarket.ws sting operation.

Special Agent Mularski worked undercover for two years, operating a message forum for online criminals, posing as one of them. The operation ended last fall with 60 arrests around the world.

The most famous arrest to come out of this sting operation was the arrest of Çağatay Evyapan in Turkey. Mr. Evyapan, known online as "cha0", was arrested in a raid by a special unit of the Turkish police.


Here's a video of cha0's arrest from our Security Wrapup:

cha0 aka Çağatay Evyapan

The Darkmarket case has received a lot of media coverage.

But what did the actual site look like when it was still operational?

For the first time, we're now publishing a series of screenshots taken of Darkmarket.ws.

We took these pictures mostly in 2006 and 2007. They detail how this forum was used to conduct all kinds of online crimes.

Darkmarket
Login page of Darkmarket.ws

Darkmarket
Here's a user who is interested in buying access to 3000-4000 infected machines a week.

Darkmarket
"Get more $$$ for your logs" - this user is advertising cashing services for various banks, used to steal money from online bank accounts. Credentials for these accounts have been stolen via keyloggers.

Darkmarket
User 'aloaster' has hacked several online shops. Now he's selling administrator access to them.

Darkmarket
Distributed-denial-of-service attacks for sale. "This is a great deal on DDOS attacks and cannot be beat by anyone!"

Darkmarket
200 "dove" stickers for $1500. "Dove stickers" are VISA credit card holograms.

Darkmarket
Another ad for credit card holograms.

Darkmarket
Malware for sale, $350.

Updated to add: Darkmarket is back, sort of. See:
http://twitter.com/mikkohypponen/status/1747396042 and
http://twitter.com/mikkohypponen/status/1747396623

Thursday, May 7, 2009

 
Q&A: Windows 7 File Extension Hiding Posted by Mikko @ 14:25 GMT

We got plenty of good comments on the previous blog post about Windows 7, including feedback from people who are actually working in the Explorer development team at Microsoft.

Many of the comments included questions on the topic, so here's a Q&A:

Q: What is this all about?
A: It's about Windows, by default, hiding file extensions such as .EXE. Virus writers exploit this by creating malicious files with double-extensions (PICTURE.JPG.EXE). Such a file would typically also use a misleading icon.

Q: How long has Windows Explorer been hiding file extensions "For known file types"?
A: Since Windows NT.

Q: Why do they do it?
A: We don't know.

Q: Is this a real risk? If the user already has such a file on his hard drive, it's too late, right?
A: Not really. The file could have come from the Internet, from a file share or a removable drive and the user hasn't necessarily executed it yet.

Q: But if the file came from the Internet, Explorer will warn you that it came from an "Untrusted Zone"!
A: Only if you use Internet Explorer to browse the web and Outlook to download your e-mail attachments. There are plenty of other ways to download files from the net: 3rd party web and e-mail clients, BitTorrent and other P2P clients, chat programs etc. Also, you can't rely on such warning dialogs if the file is on a network share or a USB drive.

Sucks

Q: There is no problem. Even in your own screenshot the file is labeled by Explorer as "Application"! Thus, nobody would click on it. Even though the file is called something.txt. And it has the icon of a text file.
A: Right…

Q: Do real worms really use such filenames?
A: Oh yes. They typically spread by copying themselves with tempting filenames to random folders on removable drives or network shares, with filenames along these lines:

    E:\PRESENTATION.PPT.exe
    E:\DOCUMENT.DOC.exe
    E:\PORNVIDEO.AVI.exe
    Etc.

Many would click on these, especially if the icon of the file looks like a document icon — and when Windows hides the ".exe" part of the name.

Q: So, the solution is turn off "Hide extensions for known file types" in Explorer settings?
A: Yeah.

Windows 7 Folder Options

Q: Will that make all file extensions visible?
A: Well, no. There are executable extensions that will STILL be hidden even if you turn the option off.

Q: What?
A: For example PIF. This file type was meant to be a shortcut to old MS-DOS programs. Problem is, you can rename any modern Windows Executable to .PIF and it will happily run when double-clicked.

For example, the Scamo worm uses exactly this flaw, dropping files such as these:

    HARRY POTTER 1-6 BOOK.TXT.pif
    ANTHRAX.DOC.pif
    RINGTONES.MP3.pif
    BRITNEY SPEARS FULL ALBUM.MP3.pif
    EMINEM BLOWJOB.JPG.pif
    VISTA REVIEW.DOC.pif
    OSAMA BIN LADEN.MPG.pif
    NOSTRADAMUS.DOC.pif

Q: How do I make PIF files visible then?
A: Via a registry key called "NeverShowExt". We'd link you to an article in the Microsoft Knowledgebase… except we couldn't find any. But here's a Web page on the topic, from GeoCities, made by some hobbyist a couple of years ago. Maybe it's the best source of information on the topic.

Q: Do you still expect Microsoft to change the behavior of Explorer in Windows 7?
A: No, not really.

Bottom line: We still fail to see why Windows insists on hiding the last extension in the filename. It's just misleading.

Security Advisory FSC-2009-1 Posted by Mikko @ 14:02 GMT

Our readership may be interested in this vulnerability description regarding a ZIP and RAR archive evasion vulnerability in our products. On clients and servers, the worst case is a delay in detection and so it's considered to be low severity.

On the other hand, if you admin a gateway, read this and apply the available patches — Security Advisory FSC-2009-1.

Roger Mickael gets the credit for bringing this issue to our attention. Cheers.

Wednesday, May 6, 2009

 
PDF Most Common File Type in Targeted Attacks Posted by Patrik @ 18:40 GMT

We've covered targeted attacks many times in the past and we've also covered PDF and vulnerabilities in Adobe Acrobat/Reader being used to install malware. So we decided to take a look at targeted attacks and see which file types were the most popular during 2008 and if that has changed at all during 2009.

Targeted Attacks 2008

In 2008 we identified about 1,968 targeted attack files. The most popular file type was DOC (Microsoft Word), representing 34.55%.

Targeted Attacks 2009

So far in 2009 we have discovered 663 targeted attack files, and the most popular file type is now PDF. Why has it changed? Primarily because there have been more vulnerabilities in Adobe Acrobat/Reader than in the Microsoft Office applications. Like the two vulnerabilities we mentioned a week ago. These are scheduled to be fixed by Adobe on May 12.

More info about targeted attacks and how they work can be found in the Lab's YouTube video.

Tuesday, May 5, 2009

 
Windows 7 Fail Posted by Mikko @ 13:25 GMT

Windows 7 RC is out today.

This is great news.

Because surely by now they've fixed Windows Explorer.

You see, in Windows NT, 2000, XP and Vista, Explorer used to "Hide extensions for known file types". And virus writers used this "feature" to make people mistake executables for stuff such as document files.

The trick was to rename VIRUS.EXE to VIRUS.TXT.EXE or VIRUS.JPG.EXE, and Windows would hide the .EXE part of the filename.

Additionally, virus writers would change the icon inside the executable to look like the icon of a text file or an image, and everybody would be fooled.

Surely this won't work in Windows 7.

Let's try.

Hmm. It sure looks like a text file in Explorer:

7 sucks

But it actually is an executable:

7 sucks

Windows 7 Fail
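The double-extension trick shown in this post and explained in the Q&A above can be audited from the defender's side. The following is an added example, not code from the original posts: it approximates what Explorer would display for a file name under both settings of "Hide extensions for known file types" (with .pif always hidden via NeverShowExt, as the Q&A describes) and flags executables whose visible name ends in a document-like extension. The extension sets, the sample names and the optional Windows-only registry lookup (which checks the piffile and lnkfile ProgIDs) are assumptions of the example.

```python
import os

# Extensions Windows treats as executable (the Q&A names .exe and .pif; the
# rest are added here as well-known executable types).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif"}
# "Document-like" extensions a lure leaves visible in the displayed name.
DOCUMENT_LIKE_EXTS = {".txt", ".doc", ".ppt", ".pdf", ".jpg", ".mp3", ".avi", ".mpg"}
# Types whose ProgID carries NeverShowExt: hidden even with the option turned off.
# .pif is from the Q&A; .lnk (shortcuts) is another well-known case.
NEVER_SHOW_EXT = {".pif", ".lnk"}


def displayed_name(filename, hide_known=True):
    """Approximate the name Explorer shows for a file.

    hide_known=True models the default "Hide extensions for known file types";
    "known" is approximated by the two sets above, since the real answer
    depends on which types are registered on the machine.
    """
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext in NEVER_SHOW_EXT:
        return stem
    if hide_known and ext in EXECUTABLE_EXTS | DOCUMENT_LIKE_EXTS:
        return stem
    return filename


def is_deceptive(filename, hide_known=True):
    """True when the file is executable but its displayed name ends in a document extension."""
    real_ext = os.path.splitext(filename)[1].lower()
    if real_ext not in EXECUTABLE_EXTS:
        return False
    shown_ext = os.path.splitext(displayed_name(filename, hide_known))[1].lower()
    return shown_ext in DOCUMENT_LIKE_EXTS


def audit(filenames, hide_known=True):
    """Return (real name, displayed name) for every deceptive file in the list."""
    return [(f, displayed_name(f, hide_known))
            for f in filenames if is_deceptive(f, hide_known)]


def registry_never_show_ext(progids=("piffile", "lnkfile")):
    """On Windows, report which of the given ProgIDs carry NeverShowExt under HKCR.

    Returns None on other platforms (winreg is unavailable there).
    """
    try:
        import winreg
    except ImportError:
        return None
    result = {}
    for progid in progids:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, progid) as key:
                winreg.QueryValueEx(key, "NeverShowExt")
                result[progid] = True
        except OSError:  # key or value missing
            result[progid] = False
    return result


# Names constructed from the Q&A's worm examples plus two benign controls.
SAMPLE_NAMES = ["PRESENTATION.PPT.exe", "HARRY POTTER 1-6 BOOK.TXT.pif",
                "report.doc", "setup.exe"]

if __name__ == "__main__":
    for setting in (True, False):
        print(f"hide known extensions = {setting}")
        for real, shown in audit(SAMPLE_NAMES, hide_known=setting):
            print(f"  shown as {shown!r}, really {real!r}")
```

Turning the option off removes the .exe case from the report, but the .pif case stays, which is the Q&A's point.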

Monday, May 4, 2009

 
H1N1 Domains Posted by Sean @ 15:18 GMT

As a follow-up to last Monday's post, here is a list of domains registered over the weekend using the words "swine flu".

There are 1,344 on the list. Again, so far, none of the domains we've checked are hosting any malicious files.

In fact, the only malicious file we've seen is something that Symantec posted about last week.

It's a PDF "Swine Flu FAQ" exploit which drops a password stealer and then opens a clean PDF file as a decoy.

PDF based exploit using swine flu FAQ

One interesting thing about the exploit that hasn't been mentioned yet is the file name, "The Association of Tibetan journalists Press Release.pdf".

Tibet themed exploits are very popular with targeted attacks.