Monthly Archives - May of 2010
 

Monday, May 31, 2010

 
Poll: Anyone Quitting Facebook Today? Posted by Sean @ 13:37 GMT

It's May 31st and today is the so-called Quit Facebook Day. Currently there are almost 27 thousand committed quitters. That's not very many people considering that Facebook is approaching 500 million accounts.

But forget about Facebook, we'd like to ask you something else. Do you have a Gmail account?

If you have a Google account, have you "paused" your Web History?




If you need to check, go to: https://www.google.com/history/

 
 

 
 
Wednesday, May 26, 2010

 
CARO 2010 Posted by Mikko @ 11:13 GMT

The CARO 2010 Technical Workshop is underway in Helsinki.

This event, organized by F-Secure, is the largest ever gathering of antivirus experts in Northern Europe. We have almost 150 delegates from 25 countries here.

The key experts from practically all the antivirus labs in the world will spending the next two days talking about Big Numbers, i.e. how do we keep up with the growing number of malware.

Here's a couple of photos from the workshop:

CARO 2010
Mikko welcoming all delegates to Helsinki.

CARO 2010
Dr Alan Solomon delivering his keynote presentation.

CARO 2010
Maik Morgenstern from AV-Test.org talking about a typical day in anti-malware industry.

 
 

 
 
Friday, May 21, 2010

 
Warning on Facebook worm "FBHOLE" Posted by Mikko @ 12:49 GMT

There's a new Facebook worm out there. However, it doesn't seem to be doing anything else than posting a message to people's Facebook walls.

try not to laugh

The message that the worm posts is
"try not to laugh xD http://www.fbhole. com/omg/allow.php?s=a&r=[random number]"

If you follow the link, you end up on a page that looks like this:

fbhole.com

The page shows a fake error message. If you click anywhere on the page, you will trigger a script that will try to post the same message to your Facebook wall. This is done with an invisible iframe that follows your mouse around — causing you to click on an invisible "publish" button. In addition to the wall message post, nothing else happens.

fbhole.com

The worm is spreading like wildfire. To get some idea, try this public search via youropenbook.org.

We have blocked domain fbhole.com so that F-Secure Internet Security users cannot access it. The domain was registered yesterday and it points to an IP address in Czech Republic, shared by another Czech site called ironbrain.net.

Updated to add: Domain fbhole.com shared an IP address with ironbrain.net [82.208.32.99]. Ironbrain.net hosted a website with references to Facebook but no obvious illegal content. While fbhole.com was registered with privacy protection, ironbrain.net had contact information in the WHOIS database, complete with a Czech phone number.

So I called the number.

The call went roughly like this:

– Hello?
– Hi. This is Mikko Hypponen from F-Secure Labs.
– What is this about?
– I'm looking for a person related to ironbrain.net.
– ???
– We're investigating a Facebook worm on fbhole.com. That domain shares an IP address with ironbrain.net which is registered under your name.
– And you are?
– I'm from an antivirus company. Are you related to ironbrain.net?
– I'll have to check… maybe my company is…
– Please do.
– Bye…
[Click]

About 15 seconds later, both fbhole.com and ironbrain.net went offline. The attack is over.

Updated to add: Here's a short Flash screen-capture showing Facebook Search results for "try not to laugh" during the attack.

 
 

 
 
Thursday, May 20, 2010

 
Twitter Attack Posted by Mikko @ 11:37 GMT

There's another malware run underway on Twitter.

A fairly large pool of fake accounts are sending out messages with popular hashtags and the text "haha this is the funniest video ive ever seen".

Twitter attack

People see these messages when they look for trending topics in Twitter.

The shortlinks in the Tweets point to a compromised page, which uses a Java exploit to drop a keylogger / banking trojan combo to your system.

The attack is unusually easy to follow by just looking at the source code of the page. Take a look at this:

Compromised

F-Secure Anti-virus blocks access to the malicious pages and detects both the malicious Jar file and the trojan it drops. We have also reported the shortlink to bit.ly and they should disable it soon.

Lesson of the day is probably this: Do you really need Java in your browser? Seriously, do you? If not, get rid of it.

 
 

 
 
Tuesday, May 18, 2010

 
Do you use Windows XP SP2? Posted by Sean @ 13:21 GMT

July 13th is just 8 weeks away and that's when Microsoft plans end security support for Windows XP Service Pack 2.

Statistics from our Service Provider partners show that only about 9 to 10% of our consumer customers are running Windows XP SP2. But what about businesses, non-profits and schools? We'd like to know if your employer is using SP2.

Does your organization still use Windows XP SP2 as its primary OS?

Poll: Windows XP SP2?

 
 

 
 
Monday, May 17, 2010

 
Facebook Privacy Check Posted by Sean @ 16:05 GMT

Note to Facebook: Your privacy settings are much too difficult for the average individual to fully understand. Even critics of your privacy policies can't figure them all out.

Let's take Privacy Check for example. It's a Facebook application that I discovered via Openbook.

Here's the Privacy Check report:

Facebook Privacy Check

Hey, not bad at all, my score is 17 out of 21. No big surprise for me. Everything is as I expected.

But wait, what's that text at the end of the explanation?

Facebook Privacy Check

It says:

Note because Facebook does not let you hide all your information, the best score that you can currently achieve is 15/21 (unless you don't have any friends)!

I scored 17 out of a possible 15 points. Nice!

That's almost comic… even a developer focused on an application which exclusively highlights your privacy controls can't get it right.

Look, Facebook, I get it. I know exactly how to adjust my privacy settings to my liking and I have an impossibly high "privacy score" that demonstrates that fact. I only share what I want.

But take it from me, most people are somewhat confused, and not because the options aren't straightforward (there's three), but because you fail to provide usable controls to help understand those options (you can only preview two of the three).

It's a settings and control issue.

Facebook, you'd better improve your controls soon or else your critics will never stop harping about it being a privacy issue.

Signing off,
Sean

 
 

 
 
Friday, May 14, 2010

 
Videos - May 2010 Security Summary Posted by Response @ 12:31 GMT

The lab's Sean and Mikko recently found some time to discuss security trends that took place during the first four months of this year.

The results are three videos which you can watch on either the F-Secure Lab's YouTube channel or on F-Secure News.

May 2010: Security Summary

  •  Mobile Phone Security
  •  Crime and Punishment
  •  Targeted Attacks and Operation Aurora

 
 

 
 
Wednesday, May 12, 2010

 
Targeted Attack Using Journalists as a Lure Posted by Mikko @ 08:11 GMT

We found a new malicious XLS file which contains lots of names, details and contact information for journalists around the world:

Journalists targeted

This file was e-mailed to unknown persons, apparently in order to launch a targeted attack. The relevance of the journalists mentioned in the attack file is unknown.

When the file (md5 hash: 738B307F892BCCA4E40C8B9C78DA52E1) is opened, it exploits a vulnerability in Excel. The vulnerability executes a piece of embedded code that drops several new executables to hard drive and launches them, including:

   \windows\system32\Setup\fxjssocm.exe
   \windows\system32\spoolsv.exe
   \windows\system32\Setup\setjupry.exe
   \windows\system32\Setup\msxm32.dll

The executables contain a backdoor that gives the attacker full access to data on the target's computer.

We detect the malicious XLS and its dropped components as Exploit:W32/Xdropper.BR and Trojan-Dropper:W32/Agent.DJGD.

 
 

 
 
Monday, May 10, 2010

 
KHOBE Not So High On The Richter Scale Posted by Mikko @ 14:07 GMT

Researchers at Matousec have announced a new vulnerability that affects several Internet security products. This is generating some media coverage: see "New attack bypasses virtually all AV protection" in The Register.

This is a serious issue and Matousec's technical findings are correct. However, this attack does not "break" all antivirus systems forever. Far from it.

First of all, any malware that we detect by our antivirus will still be blocked, just like it always was.

So the issue only affects new, unknown malware that we do not have signature detection for.

To protect our customers against such unknown malware, we have several layers of sensors and generic detection engines. Matousec's discovery is able to bypass only a few of these sensors.

We believe our multi-layer approach will provide sufficient protection level even if malicious code were to attempt use of Matousec's technique.

And if we would see such an attack, we would simply add signature detection for it, stopping it in its tracks. We haven't seen any attacks using this technique in the wild.

In a nutshell: We believe in defense in depth.

 
 

 
 
Friday, May 7, 2010

 
SIR: Finland Has Lowest Infection Rates Posted by Sean @ 12:59 GMT

Microsoft's current SIR, Security Intelligence Report Volume 8, shows that Finland leads the pack in countries with at least 1 million average monthly MSRT executions. Only 1.4 infections per one thousand.

Finland 1.4 CCM2H09

Do you want to protect your computer?

Move to Finland.

 
 

 
 
Thursday, May 6, 2010

 
U Can't Search This Posted by Sean @ 17:19 GMT

Wednesday's Sydney Morning Herald ran a story called The terrors of Twittering: growing up in an unexploded data minefield.

Here's an excerpt: "Party antics and examples of extreme behaviour posted for fun on Facebook and other social networking sites are set to become ghosts that haunt individuals when they try to get credit, homes or jobs as adults."

That's quite true, digital footprints created today may have later consequences. As the popularity and reach of social networking expands, many are beginning to worry about losing future opportunities due to their digital identities. Privacy protection is of great concern — but what if you didn't have to work so hard to protect your privacy because you controlled it instead?

That's how it works in Finland where employers can't search for personal information. Finnish employers must ask permission to access somebody's details online. All personal information should be provided by the person.

That's such a novel idea, no?

The Act on the Protection of Privacy in Working Life (PDF) has been on the books since 2004.

Harvard's Info/Law blog wrote about it in 2006.

http://blogs.law.harvard.edu/infolaw/2006/11/15/finnish-employers-cannot-google-applicants/

There exists an expectation of privacy in our daily lives — shouldn't there be an expectation of privacy in our virtual lives as well?

Employers and creditors aren't allowed to follow us around, enter our homes and start looking through our photo albums, letters, and drawers. Why is The Man allowed to enter our digital space without asking first?

Must we be required to put so much effort in preventing youthful indiscretions from finding their way onto the web? Do we even think that's possible for most of today's youth?!? It's not. That's fighting a lost battle.

People should be able to enjoy the benefits of sharing and openness without the fear of future reprisals. Personal and professional should be kept separated and individuals should have control over their digital persona. That requires legal consumer protections. Finns understand that.

Time for the rest of the world to play catch-up.

 
 

 
 
Tuesday, May 4, 2010

 
Loveletter 2000-2010 Posted by Mikko @ 12:56 GMT

One of the most important worm outbreaks in history happened ten years ago to the day.

loveletter Loveletter (aka ILOVEYOU or Lovebug) spread around the world in matter of minutes. When you got infected, the worm would send this e-mail from your system — posing as you — to all of your contacts:

   From: (your e-mail address)
   To: (one of your contacts)
   Subject: ILOVEYOU
   Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
   Message: kindly check the attached LOVELETTER coming from me.

This turned out to be very effective. People would be surprised by the message, open the attachment and spam all of their friends with the same message. In couple of hours, millions of users around the world were infected.

And we were in the middle of this. As far as I know, we were the first ones to discover this worm.

I remember working with the case with Katrin Tocheva (nowadays at Microsoft), Sami Rautiainen (nowadays at Stonesoft) and Alexey Podrezov (still here at F-Secure).

Here's the e-mail that we believe to be "patient zero", i.e. the first infected party that contacted an antivirus company for help. The e-mail is from John Schrøder who worked for our Norwegian partner at the time:

—————

   Date: Thu, 4 May 2000 09:41:08 +0200
   From: John Schrøder
   To: samples@F-Secure.com
   Subject: Can you check this out
   Importance: high
   
   I got the attached vbs script from client here in Norway.
   They say that this
   'Love Letter' has spread to 100.000 machines in the
   client network in Europe.
   
   ASAP please
   
   -john
   
   Attachment: pd000504.pgp

—————

Katrin was the analyst in charge of the shift when Loveletter struck, and she's the one that entered our company into emergency mode:

—————

   Date: Thu, 04 May 2000 10:21:13 +0300
   To: all-employees
   From: Katrin Tocheva
   Subject: IMPORTANT: New worm extremly in the wild
   
   Hi all,
   
   There is a new Script worm that is extremely in the wild since this
   morning. Many big companies in Europe are already infected. I already
   spoke with our IT guys and all Outlook users are now protected internally
   but just in case Do Not open any attachments.
   
   The worm spreads via Outlook in a message with a
   
    subject: ILOVEYOU
    Body: 'kindly check the attachedLOVELETTER coming from me'
    Attachment:LOVE-LETTER-FOR-YOU.TXT.VBS
   
   We will be entering EMERGENCY MODE, effective *NOW*
   
   Please be careful!
   
   Regards,
   Katrin

—————

Emergency Mode meant various things, including canceling all in-house meetings, calling in extra people to answer phones at the switchboard and so on. It also meant that lab staff would not be allowed to leave for lunch. Instead, company would bring in pizzas for them automatically. We even had an intranet system where you would select your "emergency pizza" flavor.

Here's another example from my e-mail archives. First sample or the worm via industry sample exchange — in this case, from MessageLabs ("this is a big one guys...").

—————

   Date: Thu, 4 May 2000 10:23:38 +0100
   From: Alex at MessageLabs
   To: samples@f-secure.com
   Subject: URGENT HEADS UP - LoveBug virus sample
   
   This is a big one guys. 600 copies in the last hour.
   Call me for details
   
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Alex Shipp
   Imagineer
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~

—————

I remember working on the case all day from 07:41 GMT when it started until midnight, then going to bed only to be woken up at 3am by calls from USA.

I also remember exiting a phone conference with CERTs and other security vendors. When I hung up my phone and looked at the screen, it showed that I had received and missed 40+ phone calls during that 30-minute conference call. All those calls were coming in from partners, vendors & media. Everybody wanted to know what was happening and how to fight the outbreak.

10 years ago, virus outbreaks were mainstream news. Here's the front page of CNN from the time. This screenshot also nicely illustrates how hard it is to try to predict how bad a particular outbreak might become.

CNN Loveletter

Signing off,
Mikko

 
 

 
 
Monday, May 3, 2010

 
Corporate Identity Theft Posted by Mikko @ 08:39 GMT

For online criminals, it's easy to gain access to stolen bank accounts and credit cards. What's much harder is to empty those accounts without getting caught.

For this, criminals need money mules: individuals who are recruited to move the money. In many cases these individuals have no idea they are working for organized crime. When phishing and banking trojan victims realize they've lost their money, the tracks will lead to the money mules — not the real criminals.

Here's an example of an active money mule recruiting campaign. This one is done in the name of a company called Finha Capital.

Finha

The website looks fairly credible and quick web search shows that indeed, there is a real company with this name, and it has been operating for decades.

Finha

The problem is, finha-capital.com has nothing to do with Finha Capital Oy. The site is completely fake.

The only reason the website finha-capital.com has been created is to use it as a front end to hire gullible end users to do online payments and to move money for the criminals. These guys are using the reputable brand of an existing company to fool people into their scam.

And it's not just Finha Capital. Take a look at these:

Finha

Exactly the same website operates under (at least) two other names: Bin Finance and Contant.

And just like with Finha Capital, there are real companies called Bin Finance and Contant as well, and the addresses listed on the website are the mailing addresses of these real companies. Again, these companies have nothing to do with the illegal activity.

Finha

Domains finha-capital.com and contant-finance.com are hosted in St. Petersburg, Russia and bin-finance.com is hosted in Kiev, Ukraine.

And just last week, there was a similar scam running at domain nordea-securities.com. Nordea is a large Nordic bank, serving more than 10 million customers.

We spotted this message that was spammed via e-mail:


   From: info@nordea-securities.com
   Subject: Career opportunity
   
   Our firm have reviewed your resume from Career Builder resume base,
   reviewed it and sure that you to be a great applicant for the position which we suggest.
   
   We are now looking for a individuals for a vacant position “Account Coordinator”.
   The main task of this position is to collect payments from our customers in US.
   
   Basic Requirements:
   - Computer skills (MS Word), personal e-mail address
   - Ability to work at home
   - Responsibility
   - Age: 21+
   
   If you are interested, please, register here: http://nordea-securities.com/rim/?link=getjob&rnd=34753525


The whois data for this site is misleading and tries to portray that domain nordea-securities.com would be owned by Nordea Bank. It isn't. Note the yahoo.com e-mail address.

nordea-securities alexis perkus poelsevierali@yahoo.com

Lessons to be learned?

  •  Realize that identity theft happens to companies as well as to individuals.
  •  If somebody offers you a work-for-home position that's too good to be true, it probably is.
  •  Do not move money for others.
  •  Check that you're really speaking with who you think you're speaking.







 
 

 
 
Thank you, Mr. Prime Minister Posted by Fei @ 03:01 GMT

Matti Vanhanen, the Prime Minister of Finland, was recently in Kuala Lumpur, Malaysia for a two day visit.

During his time here, we were absolutely honored that he made time in his busy schedule to pay us a visit at F-Secure Kuala Lumpur.

F-Secure Tower:

F-Secure Tower

We first had lunch, followed by a short tour to the Security Lab and the Development department. Here are some pictures from the visit (click on the images below to view a larger version).

The Prime Minister arrives at F-Secure Tower:

Welcome Finnish PM to F-Secure Tower

And stops first for lunch:

Finnish PM (Lunch at F-Secure Tower)

Next, in the Security Lab I give a brief talk about the threat landscape to the delegation:

Finnish PM Tours Security Lab

While at the next stop in Development, our General Manager Ingvar Froiland discusses some aspects of upcoming projects:

Finnish PM Tours Development

And finally, we bid farewell to the Prime Minister:

Finnish PM Farewell

Thank you, Mr. Prime Minister.

Signing off,
Wing Fei