NEWS FROM THE LAB - June 2005

Wednesday, June 29, 2005

 
Packet filtering trojan Posted by Jarkko @ 15:15 GMT

fantibag
Malware writers seem to have picked up a new trick for blocking anti-virus updates. Usually this is done through the hosts file, by redirecting the update servers' hostnames to localhost. Today we were looking at a new trojan called Fantibag that uses packet filtering to achieve the same goal.

This trojan installs a packet filtering policy that blocks access to several anti-virus companies and other, mostly security-related, sites. More info in the description.
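The older hosts-file variant of this trick can be spotted in a few lines. The script below is an added example, not part of the Fantibag description: it parses a hosts file and flags update hostnames pinned to loopback or 0.0.0.0. The sample hosts file and the list of watched hostnames are constructed for illustration. It also shows why a filter-based block like Fantibag's is invisible to such a check: the hosts file stays clean and name resolution works, so the only symptom is a TCP connect that never completes, hence the reachability probe at the end.

```python
import ipaddress
import socket

# Constructed sample hosts file, in the state a hosts-redirecting trojan would leave it.
# The vendor hostnames are illustrative assumptions, not taken from the Fantibag description.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.f-secure.com
127.0.0.1       download.microsoft.com   # planted by the trojan
0.0.0.0         update.example-av.com
10.0.0.5        intranet.example.local
"""

# Update hosts whose static pinning we care about (assumed list).
WATCHED_HOSTS = {
    "www.f-secure.com",
    "download.microsoft.com",
    "windowsupdate.microsoft.com",
    "update.example-av.com",
}


def parse_hosts(text):
    """Return [(ip_address, hostname), ...] from hosts-file text.

    Comments ('#' to end of line) and blank lines are skipped; a line whose
    first field is not a valid IPv4/IPv6 address is ignored as malformed.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((ip, name.lower()))
    return entries


def find_hijacked(text, watched=WATCHED_HOSTS):
    """Return {hostname: ip} for watched hosts pinned to a sinkhole address.

    Loopback (127.x, ::1) and the unspecified address (0.0.0.0) are the
    classic update-blocking values; anything else left as a static pin for an
    update host is also worth a look, but is not what this function reports.
    """
    hijacked = {}
    for ip, name in parse_hosts(text):
        if name in watched and (ip.is_loopback or ip.is_unspecified):
            hijacked[name] = str(ip)
    return hijacked


def tcp_reachable(host, port=80, timeout=3.0):
    """Probe for what the hosts check cannot see: a filter-based block.

    A packet filter leaves the hosts file clean and name resolution intact,
    so the only symptom is that the connection never completes. Returns True
    on a successful TCP connect. Needs network access; not exercised offline.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for name, ip in find_hijacked(SAMPLE_HOSTS).items():
        print("hosts-file hijack: %s -> %s" % (name, ip))
```

On a suspect machine, a clean `find_hijacked()` result combined with `tcp_reachable()` failing for every vendor host (while unrelated hosts connect fine) is the pattern that points at a filtering policy rather than the hosts file.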

Fake Microsoft security bulletin circulating Posted by Mikko @ 07:09 GMT

We've seen some copies of a fake Microsoft security bulletin. This bulletin is being spammed via e-mail and tries to con users into downloading what it claims is a new Microsoft security update.

Real bulletins don't link directly to downloadable binaries; instead they link to a download site located at www.microsoft.com.

Here's what the fake bulletin looks like:

Fake Microsoft bulletin

The link in the fake bulletin points to a hacked server located in ThePlanet's IP address space. The account in question has already exceeded its bandwidth limit, which is probably a bad sign.

As a side note, at the moment (June 2005) no update with the code MS05-39 exists. The last real security update from Microsoft is MS05-34.

This is not the first time virus writers have sent out fake MS bulletins. The Swen e-mail worm already did this in 2003.
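The two tells described above (a link that is not under www.microsoft.com, and a link pointing straight at a binary) can be turned into a mechanical check on an incoming message. The script below is an added example, not something from the original post; the sample message and its URLs are constructed. The one subtlety worth showing is the host match: it must be right-anchored on a label boundary, otherwise a look-alike such as www.microsoft.com.example.net would pass as trusted.

```python
import re
from urllib.parse import urlparse

# Constructed message in the style of the fake bulletin; hosts and paths are made up.
FAKE_BULLETIN = """\
Microsoft Security Bulletin MS05-39
A critical vulnerability has been found. Download and install the update now:
http://www.microsoft.com.security-update.example.net/MS05-39/update.exe
For details see http://www.microsoft.com/technet/security/
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
TRUSTED_SUFFIXES = ("microsoft.com",)
BINARY_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".msi", ".zip")


def host_is_trusted(host, suffixes=TRUSTED_SUFFIXES):
    """True only if host is a trusted domain or a real subdomain of it.

    Matching is right-anchored on a label boundary, so a look-alike such as
    'www.microsoft.com.example.net' does not pass.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_links(text):
    """Return [(url, verdict)] where verdict is 'ok' or a short reason."""
    results = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        # hostname strips any user@ prefix, so 'http://www.microsoft.com@evil/' is judged by 'evil'
        host = parsed.hostname or ""
        if not host_is_trusted(host):
            results.append((url, "untrusted host: " + host))
        elif parsed.path.lower().endswith(BINARY_EXTS):
            results.append((url, "direct binary download"))
        else:
            results.append((url, "ok"))
    return results


def looks_fake(text):
    """A genuine bulletin has no link that fails either test."""
    return any(verdict != "ok" for _, verdict in classify_links(text))


if __name__ == "__main__":
    for url, verdict in classify_links(FAKE_BULLETIN):
        print(verdict, "->", url)
```

The check is deliberately strict in one direction only: a link to a .exe even on a trusted host is still flagged, because, as noted above, real bulletins do not link to binaries directly.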

Tuesday, June 28, 2005

 
Commwarrior spotted in UK Posted by Jarno @ 09:57 GMT

It seems that Commwarrior just keeps spreading. Today we received a report of a Commwarrior infection in the UK, which makes it the 15th country with Commwarrior reports.

On June 27th the editor of the mobile phone security forum www.mobilephonevirus.com was contacted by a person whose phone had been infected.

Commwarrior was first detected on the 9th of March 2005, so it has been in the wild for almost four months now. In the PC environment this would be an unusually long time for a worm to keep spreading: since most PCs are protected by anti-virus software, outbreaks are quite short-lived.

In the phone environment things are different, as most people don't have anti-virus software on their phones. It does not matter how long a piece of malware has been known, because the factors that limit an outbreak in the PC environment are missing.
commwarrior
Current count of countries with Commwarrior sightings:
1. Ireland
2. India
3. Oman
4. Italy
5. Philippines
6. Finland
7. Greece
8. South Africa
9. Malaysia
10. Austria
11. Brunei
12. Germany
13. USA
14. Canada
15. UK

Monday, June 27, 2005

 
New repacked Mitglieder spammed Posted by Katrin @ 20:00 GMT

A new repacked Mitglieder.CN has been spammed today. FSAV detects it with update Version=2005-06-27_05.
 
Commwarrior sightings and disinfection tool for Commwarrior Posted by Jarno @ 13:00 GMT

Over the weekend we received Commwarrior reports from both the USA and Canada, so it seems that Commwarrior has also invaded the New World.

We have received reports of people having problems when trying to disinfect a Commwarrior-infected phone. Some people have their phones so full of installed applications that they cannot fit the anti-virus on the phone.

Others have turned off their phones and do not want to turn them back on, because the phone would be sending Commwarrior over Bluetooth and MMS while the anti-virus is being downloaded and activated.

To solve these problems we have created a free disinfection tool that removes the Commwarrior worm from the phone. The tool is very small, so it is quick to download and should fit on any phone.

The F-Commwarrior tool is available from our main web site, from mobile.f-secure.com and from phoneav.com.

However, be advised that the F-Commwarrior tool is intended only for quick disinfection of an active Commwarrior infection; it is not able to detect Commwarrior SIS files in the messaging inbox or other locations. For full disinfection of the device we recommend F-Secure Mobile Anti-Virus.

Sunday, June 26, 2005

 
A new Mitglieder spammed Posted by Katrin @ 21:23 GMT

A new Mitglieder, also known as Bagle.bq, has been spammed widely. We are currently working on it. FSAV detects it with the just-published update Version=2005-06-26_02.

Description of this Mitglieder variant can be found here: Mitglieder.CN

Wednesday, June 22, 2005

 
Commwarrior update and other Symbian news Posted by Jarno @ 15:03 GMT

Skulls.M (25k image)

This week we received a report of Commwarrior in Germany, which makes it the 12th country with Commwarrior sightings.

We have also received samples of two new Symbian trojans, Skulls.M and Fontal.B.

Both trojans are caught by F-Secure Mobile Anti-Virus through generic detection. Since they pose as pirated copies of commercial software, people who don't download software from illegal sources do not need to worry.

Current count of countries with Commwarrior sightings:
1. Ireland
2. India
3. Oman
4. Italy
5. Philippines
6. Finland
7. Greece
8. South Africa
9. Malaysia
10. Austria
11. Brunei
12. Germany

Friday, June 17, 2005

 
IDAPython 0.7.0 released Posted by Gergo @ 14:13 GMT

People interested in reverse engineering with IDA Pro might like to hear that a new version of IDAPython, the Python plugin for IDA Pro, has been released. It supports IDA Pro 4.8, wraps even more API calls and comes with a number of new features.

The plugin, with full source code, can be downloaded from http://d-dome.net/idapython.

A quick list of notable changes:

* Batch execution support (use the option -OIDAPython:yourscript.py)
* Added ScriptBox - lists previously run scripts (Hotkey:Alt-7)
* Added support for IDA Pro 4.8 (both Linux and Windows)
* Dropped support for IDA Pro 4.6 and 4.6SP1 versions
* Wrapped the list chooser (see examples/choose.py)
* A dozen or so IDC functions added
* Lots of char * API calls wrapped
* Added Python error handling in the plugin C layer
* Bunch of misc small cleanups and fixes
* For more details see CHANGES-SWIG.txt and CHANGES-Plugin.txt
* API CHANGE: {Next|Prev}Function() return BADADDR instead of -1

The following screenshot shows IDAPython running a simple XOR decryptor on Linux:

idapython
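The kind of script shown in the screenshot, as an added example rather than the script from the screenshot itself (which is not reproduced on this page): a repeating-key XOR decryptor with a small known-plaintext key recovery. The byte-level functions run stand-alone in a modern Python. The IDA glue at the bottom uses the IDC-style wrapper names of that era (ScreenEA, Byte, PatchByte, Message); those names are assumed here, they are not listed on this page, and that part only runs inside IDAPython.

```python
def xor_decrypt(data, key):
    """XOR `data` (bytes) with a repeating multi-byte `key` (bytes); XOR is its own inverse."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_single_byte_key(data, expected_prefix):
    """Recover a one-byte key from known plaintext at the start of the blob.

    Returns the key as an int, or None if no single byte maps the whole
    prefix onto the expected plaintext (which rules out a one-byte key).
    """
    if not expected_prefix or len(expected_prefix) > len(data):
        return None
    key = data[0] ^ expected_prefix[0]
    if xor_decrypt(data[:len(expected_prefix)], bytes([key])) == expected_prefix:
        return key
    return None


# Constructed sample: a string a reverser would expect to find, encoded with key 0x5A.
SAMPLE_PLAIN = b"This program cannot be run in DOS mode."
SAMPLE_KEY = 0x5A
SAMPLE_CIPHER = xor_decrypt(SAMPLE_PLAIN, bytes([SAMPLE_KEY]))


def decrypt_in_ida(start_ea, length, key):
    """Decrypt `length` bytes at start_ea and patch the IDA database in place.

    Only works inside IDAPython; Byte/PatchByte are assumed IDC wrapper names.
    """
    from idc import Byte, PatchByte
    blob = bytes(Byte(start_ea + i) for i in range(length))
    plain = xor_decrypt(blob, key)
    for i, b in enumerate(plain):
        PatchByte(start_ea + i, b)
    return plain


if __name__ == "__main__":
    try:
        from idc import ScreenEA, Message
    except ImportError:
        # Outside IDA: demonstrate on the constructed sample instead.
        print(xor_decrypt(SAMPLE_CIPHER, bytes([SAMPLE_KEY])))
    else:
        # Inside IDA: decrypt 0x40 bytes at the cursor with the sample key (adjust as needed).
        Message("decrypted: %r\n" % decrypt_in_ida(ScreenEA(), 0x40, bytes([SAMPLE_KEY])))
```

Run inside IDA via the batch option mentioned above (-OIDAPython:yourscript.py) or from ScriptBox; outside IDA it just round-trips the sample.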

Thursday, June 16, 2005

 
Commwarrior sighting update Posted by Jarno @ 11:35 GMT

Today we received information of Commwarrior sightings in three new countries: Malaysia, Austria and Brunei. We have also received quite a lot of feedback on our comment that trust in the sender is the most likely reason why people install Commwarrior and Cabir.

We have heard stories about organizations where users have been explicitly warned not to install anything arriving over MMS, and still people install Commwarrior because it came from a friend.

It seems that people have trouble understanding the difference between a friend intentionally sending something over MMS and an infected phone sending out MMS worms. Perhaps this is because people see mobile phones as very personal items and associate the phone with its owner.

Current count of countries with Commwarrior sightings:
1. Ireland
2. India
3. Oman
4. Italy
5. Philippines
6. Finland
7. Greece
8. South Africa
9. Malaysia
10. Austria
11. Brunei

Tuesday, June 14, 2005

 
Microsoft June Security Bulletin published Posted by Ceco @ 22:46 GMT

The monthly security bulletins have been published. Depending on your OS, a different number of security updates will apply. Three of the bulletins are rated "Critical"; the remaining ones carry a lower rating and may or may not apply to your platform. As always, we urge you to update.

A detailed description of all released updates can be found here: June Security Bulletin

Thursday, June 9, 2005

 
New Symbian malware pretending to be F-Secure Anti-Virus Posted by Jarno @ 12:08 GMT

We have received a sample of a new Symbian trojan, Skulls.L, that pretends to be a pirated copy of F-Secure Mobile Anti-Virus.

Skulls.L is a minor modification of the Skulls.C trojan; about the only differences are that Skulls.L is named the same as the F-Secure Mobile Anti-Virus installation package, and that the trojan shows the dialog text "F-Secure Antivirus protect you against the virus. And don`t forget to update this!"

Skulls.L obviously does not contain a pirated copy of the Anti-Virus; instead it breaks the system applications on the phone, so that none of the smartphone functions work for as long as the phone is infected.

Users are advised not to download F-Secure Anti-Virus files from any server other than the official F-Secure servers, or via the short link phoneav.com, which leads to the same servers.

Please note that all official F-Secure SIS installation packages are Symbian Signed, so when installing the official F-Secure Anti-Virus the user does not get a warning about a missing installation package signature. If you are trying to install F-Secure Mobile Anti-Virus and you get a warning about a missing signature, abort the install.

Friday, June 3, 2005

 
Hacker hunters Posted by Mikko @ 12:43 GMT

Image Copyright (c) Businessweek
The latest Businessweek magazine has a long and interesting article titled "Hacker Hunters" by Brian Grow. The story covers several recent cases.

Although the guy on the cover is Daniel Larkin from the FBI, the main focus of the story is in fact on how US Secret Service agents worked to take down the Shadowcrew credit card ring.

Osama Bin Laden is *not* captured Posted by Mikko @ 05:50 GMT

blogcritic screenshot
Ceco posted earlier this night about Trojan-Downloader.Win32.Small.axr, which was spammed widely in various messages.

One of the texts of these messages read:

   Turn on your TV. Osama Bin Laden has been captured. While CNN has no pictures at this point of time, the military channel (PPV) released some pictures. I managed to capture a couple of these pictures off my TV. Ive attached a slideshow containing all the pictures I managed to capture. I apologize for the low quality, its the best I could do at this point of time.
   Hopefully CNN will have pictures and a video soon.
   God bless the USA!
   Stephen Christensen
 
   Attachment: pics.scr


At least one weblog was actually duped by these messages, and as a result they posted "breaking news" about Osama Bin Laden's capture.

We hope they didn't click on the attachment.

New trojan downloader seeded Posted by Ceco @ 01:05 GMT

A new downloader trojan was seeded today. It comes as a Zip attachment; when extracted, a file named pics.scr is created. This is a tiny downloader that, if run, loops through a set of URLs and downloads additional malware. One site from the set was active and hosting a new variant of Bobic.

We released an update that adds detection for the downloader as well as the Bobic variant. The downloader is detected as 'Trojan-Downloader.Win32.Small.axr' and the Bobic variant as 'Net-Worm.Win32.Bobic.d'.

Wednesday, June 1, 2005

 
May-June portion of Bagles Posted by Ceco @ 00:33 GMT

The number of new Bagle-related downloader variants (aka Mitglieder) that we monitor has grown to 8 in the past few hours. The downloaders are very similar. When run, they all drop a DLL (named WIWSHOST.EXE; more information here: Bagle.BO) and inject it into the Explorer.EXE address space. The dropped DLLs fall into two groups, which differ only in a slightly changed set of URLs from which they download additional malware. Some variants are currently under analysis and updates will be provided shortly.

We continue to monitor this development and updates will be provided promptly, so do not be surprised if you see databases ending in _08.