NEWS FROM THE LAB - June 2006

Thursday, June 29, 2006

Phishing Hooks Posted by Sean @ 13:14 GMT

Hypothetical Mobile Phishing

April 2006 brought news of e-mail trying to lure recipients into calling toll-free phone numbers. Automated voice systems on the other end of those numbers were used to request personal information (credit card number, PIN, etc.), supposedly on behalf of Chase Bank.

Bait has been taking other forms as phishers have been testing VoIP systems. VoIP bots are calling individuals directly with "account requests". And it works: people have been conditioned to recognize such scams in e-mail, but their guard is down when the request arrives by phone.

In a fairly related matter, there was a recent endeavor to use SMS messages to lure recipients into visiting a website to "unregister" from a sham dating service, or else be charged $2 USD. The process was an effort to install a backdoor trojan. The SMS messages were sent in bulk to numbers in the UK and Iceland. (The Irreal Dating site is still online as of this post.)

We could predict that it's only a matter of time before phishers try SMS as a vector. It seems likely that someone could be tempted into clicking on a phone or web link within an SMS, only to be directed to an automated phishing net. We could predict that, but in fact it has reportedly already happened, in China last October.

Bottom line: When it comes to requesting your personal data, don't trust ANY source.

Wednesday, June 28, 2006

Security Bulletin Info Posted by Sean @ 16:38 GMT

Security Bulletin FSC-2006-4 was released today in regard to several F-Secure Anti-Virus products. The bulletin and issued hotfixes address two separate scenarios that can both lead to malware bypass.

[Image: FSC-2006-4 summary table]

Home users of our products will receive hotfixes automatically and will not need to take individual action. System administrators will want to read the bulletin to determine if any of the patches are necessary, and then apply them to their systems.

Our guidance here is the same as for patches from any other vendor: Patch now before there is an exploit for the vulnerabilities.

Precedent Events, Current Events Posted by Sean @ 13:53 GMT


Precedent Events:
On February 1, 2006 we blogged about a variant of the Breplibot worm (Breplibot.AE) that was being distributed via large amounts of spam. That spam used the name "David Adams" and spoofed the F-Secure domain name.

Current Events:
Police in the UK and in Finland have recently taken suspects into custody for computer related criminal activity. Additional details can be found here (YLE) and here (BBC).

We'd like to offer our thanks to the UK and Finnish investigators for their efforts.

Tuesday, June 27, 2006

Kukudro.A - Macro trojan dropper spammed Posted by Katrin @ 19:07 GMT

A new macro trojan dropper has been spammed in various e-mails. The trojan arrives inside zip archives that contain an MS Word document named my_Notebook.doc.

The macro trojan activates when the document is opened. It extracts a binary file embedded in its code, saves it as C:\666inse_1.exe and runs it. The file is a trojan downloader.

Both the Word document and the binary executable are detected with FSAV update version 2006-06-27_07 as W97M/Kukudro.A and Small.dcu respectively.

Monday, June 26, 2006

Data Security Summary - January to June 2006 Posted by Sean @ 12:56 GMT

It's midyear and time for our semiannual data security summary. Mikko's video (13 min) was shot on our office roof for the occasion. It was a very fair, sunny day in Helsinki.

Jan to June wmv file.

The wrap-up is available here, and includes a variety of video formats as well as audio. Download it for your iPod or other media device.

The video's topics include: Twenty Years of Viruses, WMF Exploit, Nyxem, Macintosh Viruses, Rootkits, Mobile Viruses, and Spear Phishing. Mikko looks very earnest in the video, but don't panic, that's probably due to the brightness of the sun.

Wednesday, June 21, 2006

Hiding the Unseen Posted by Antti @ 17:33 GMT

Many of our readers have probably heard of Alternate Data Streams (ADS) on NTFS. They're not that well documented and there are only a few tools that can actually handle them. Lately we've been looking at variants of the Mailbot family that use hidden streams to hide themselves.

Let's take Mailbot.AZ (aka Rustock.A) as an example. There's only a single component lying on the disk, and that is a kernel-mode driver. It's stored as a hidden data stream attached to the system32 folder (yes, folders can have data streams as well)! Saving your data into an Alternate Data Stream is usually enough to hide it from many tools. In this case, however, the stream is further hidden using rootkit techniques, which makes detection and removal quite challenging. Because Mailbot.AZ is hiding something that isn't readily visible to begin with, it's very likely that many security products will have a tough time dealing with this one.

We've just released a new version of our BlackLight rootkit scanner (Build 2.2.1041) that can detect current variants of Mailbot.

[Image: BlackLight detecting Mailbot.AZ]

As you can see from the strings inside the malware, Mailbot.AZ also attempts to detect and avoid some of the more popular rootkit detectors:

[Image: strings inside Mailbot.AZ]

What about removal? Removing a hidden data stream, especially one attached to a Windows system directory, is quite tricky. Since the rootkit is also active in Safe Mode, the easiest solution is to reboot to Windows Recovery Console and write out the data stream from there. You can do this by copying a suitable file on top of the stream ("copy c:\windows\SomeNonExecutableFile c:\windows\system32:18467"). The copy operation won't succeed, but it will clear out the stream.
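A defender-side check for the kind of hiding place described above, as an added example that is not part of the original post or of BlackLight: it lists the named alternate data streams attached to a directory (System32 by default) and flags any stream that begins with a PE header, as a kernel-mode driver would. It assumes Windows PowerShell 5.1, an elevated prompt and that the FileSystem provider's -Stream parameter can open streams on a directory; as the post notes, an active rootkit may hide the stream from such a listing, in which case the Recovery Console approach above still applies.

```powershell
# Added example, not code from the original post or from BlackLight.
# Lists the named alternate data streams attached to a directory (System32 by
# default, the hiding place the post describes) and flags any stream that
# begins with a PE 'MZ' header, as a kernel-mode driver would.
# Assumptions: Windows PowerShell 5.1, an elevated prompt, and that the
# FileSystem provider's -Stream parameter can open streams on a directory.
param(
    [string]$Path = "$env:SystemRoot\System32"
)

function Get-NamedStreams {
    param([string]$Target)
    # ':$DATA' is a file's unnamed default stream; anything else is a named ADS.
    # A clean directory normally carries no named streams at all.
    Get-Item -LiteralPath $Target -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

function Test-PeHeader {
    param([string]$Target, [string]$Stream)
    # Read only the first two bytes of the stream; 0x4D 0x5A is 'MZ'.
    $bytes = Get-Content -LiteralPath $Target -Stream $Stream -Encoding Byte `
        -TotalCount 2 -ErrorAction SilentlyContinue
    return ($bytes.Count -eq 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
}

$found = @(Get-NamedStreams -Target $Path)
if ($found.Count -eq 0) {
    Write-Output "No named alternate data streams found on $Path"
    Write-Output "(an active rootkit may still be hiding one; see the post)"
}
else {
    Write-Output "Named streams attached to ${Path}:"
    $found | Format-Table -AutoSize
    foreach ($s in $found) {
        if (Test-PeHeader -Target $Path -Stream $s.Stream) {
            # While the rootkit is active, removal is the Recovery Console
            # copy trick described in the post, not Remove-Item -Stream.
            Write-Warning "Stream '$($s.Stream)' starts with an MZ header (PE image)"
        }
    }
}
```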

Posts Revisited: Posted by Sean @ 12:55 GMT

Revisiting Old Posts

Microsoft June Updates - MS06-025 has a known issue with dial-up connections that use a terminal window, or dial-up scripting. It's an "older technology that is rarely used".

Our World Cup Poll - The greatest number of votes (18.9%) was for Brazil. It seems that our readers agree with the rest of the IT community.

Our New Banner - If you use an RSS reader, you may not have noticed that the weblog banner photo has been updated. If you want a closer view, there may be an Easter egg on the site somewhere...

Yahoo Phishing - Yahoo-Members.com has been offline for at least a week.

T2'06 Reverse Engineering Challenge - There is a winner, so the prize is claimed, but the challenge is still available here. Several of our researchers discovered a new evening hobby and lost time for playing WoW.

The Da Vinci Code Mobile Virus - We never acquired a sample so its existence remains a mystery. It may have been just a local infection that failed to replicate further. That crazy monk that followed us around insisted that we should leave it alone...

Tuesday, June 20, 2006

One Bagle Per Day Posted by Katrin @ 20:30 GMT

One Bagle per day - it isn't a diet, it's a way of life.

We usually receive new Bagle variants once or twice a week, but for the past week we have received a new Bagle once per day.


Today's Bagle arrives in an e-mail message as a password protected archive with the password included within the e-mail body as a picture.

FSAV has already detected it as Bagle.AL since April, but we published an urgent update for its components, which are detected as Bagle.FY by update version 2006-06-20_05.

Another Soccer Themed Worm Posted by Katrin @ 08:47 GMT


Since the FIFA World Cup is in progress, it's not such a surprise that another soccer-themed worm, Delf.V, has been discovered. The worm sends itself in e-mails that look like they come from news at CNN, Hotmail or Yahoo! domains, and uses various subjects such as "Soccer fans killed five teens", "Crazy soccer fans", etc. This worm is not widespread; it doesn't even show among the first 50 in our virus statistics.

FSAV has detection with update version 2006-06-20_01.

Monday, June 19, 2006

Candy From Strangers Posted by Sean @ 13:45 GMT


Hypothetical One: There's a wallet lying on the ground outside of your office building. It almost certainly contains confidential information. Would you pick it up, open it, determine to whom it belongs, and take steps to return it to them? Many/most people would probably try to be helpful in such a situation.

Hypothetical Two: There's an open box of chocolates lying on the ground outside of your office building. It appears to contain delicious treats. Do you put a piece in your mouth and taste? Most people would probably either ignore the box or put it in a nearby trashcan.

So why did people pick up a USB stick and then insert it into their computer during a security audit, as was written about here? Perhaps because USB sticks are so cool...

Or perhaps training often only covers what not to do (a list too long to ever be complete) rather than how to think about the computers within a secure environment. To the non-security-minded (regular people), inserting a USB stick is more akin to opening a wallet and examining its contents: there is little danger of physical harm. But if training included the analogy that such an action is more like putting a potentially bacteria-covered candy of unknown flavor into your mouth, well then, you'd probably think twice. You never know what you're going to get. Training needs to put people in the place of the computer, not just teach them what to do with it.

Social engineering, the bypassing of security systems through the manipulation of their human users, is a challenge for any security service provider. Documented examples of failures aren't difficult to find. If you, our weblog readers, have any success stories that you'd like to share with the rest, please submit them to the e-mail address listed at the top of our web page. Cheers.

Friday, June 16, 2006

 
New Breplibots Spotted Posted by Alexey @ 12:43 GMT

We received several new variants of the Breplibot backdoor a short time ago. This backdoor is capable of downloading and running files on an infected computer. Detection of these Breplibot variants with F-Secure Anti-Virus is available in the 2006-06-16_03 update.
Wednesday, June 14, 2006

Reboot Tuesday Posted by Sean @ 08:52 GMT


The June security update has something for nearly everyone. Microsoft released twelve updates addressing various issues yesterday. There are several for different flavors of Windows and IE, and others for Word (MS06-027), PowerPoint (MS06-028), and Media Player 10 (MS06-024).

The patch for Word fixes an issue that was blogged about in May. The PowerPoint patch includes versions for Windows and Mac, though the vulnerability is not likely to be exploited on either OS. Additional analysis is available here.

Edited to add: Here's some more information on the patches available and what they fix. Several of them have exploits. Update your systems soon.

Problems at iframecash.biz? Posted by Mikko @ 08:44 GMT

The operations of the iframecash.biz gang have been covered in our blog before. Basically, they've been buying traffic from anybody willing to sell it to them; then they use exploits to take over innocent surfers' computers and install trojans and spyware on them.


Now, the good news is that at least for the present, their main site www.iframecash.biz is offline. Hopefully it stays that way.


Tuesday, June 13, 2006

Yamanner - JavaScript worm that targets Yahoo! Mail Posted by Katrin @ 10:13 GMT


There has been some media attention on the new JavaScript worm Yamanner that targets Yahoo! webmail and groups.

The Yamanner worm does not send itself as an attachment, it resides inside the e-mail body. The worm activates automatically by just opening an infected e-mail message with Internet Explorer. It uses a 0-day vulnerability in Yahoo! webmail system.

The infected e-mail sent to Yahoo! users looks as follows:

Subject: New Graphic Site
Body: Note: forwarded message attached.

This type of worm is not a surprise; it has been theorized since at least 2001. Yamanner is, however, the first such worm to be seen in the wild.

[Image: the "New Graphic Site" e-mail as shown in Yahoo! Mail]

Friday, June 9, 2006

Wr0ld Cup Posted by Mikko @ 08:20 GMT

Yeah, the football World Cup starts *today* in Germany.

It will be interesting to see if there will be any virus-related incidents during the games. Over the last months we've already seen a couple of e-mail viruses and phishing scams trying to cash in with the popularity of the games.


We will also be monitoring what's happening at the stadiums themselves. You might remember that during the World Championships in Athletics last year there were Bluetooth virus problems at the stadium. This happens easily when you gather tens of thousands of people from all over the world into a very small area, and everybody has a phone in their pocket.

While we're on the topic, let's see who's going to win the games. Here's our poll:

[Image: June 9th poll results]
Click here if your RSS reader doesn't display the poll.

PS. It seems that if you search for the words "world cup" in Google, it will show you the match schedules...

Wednesday, June 7, 2006

Zlob Problems Posted by Sean @ 12:51 GMT

There was a short period of time today in which F-Secure Anti-Virus detected "Trojan-Downloader.Win32.Zlob.obfuscated" in several different files. This was a false alarm.

The problematic update was 2006-06-07_01, and the issue was resolved with the next update number 2006-06-07_02. We are sorry for any inconvenience that this false alarm might have caused to our customers.

Tuesday, June 6, 2006

Here's One For You Posted by Mikko @ 11:19 GMT

Try this under Windows:

Right-click on the Desktop
Create a new Shortcut
Point the location of the item to any executable... such as: c:\windows\system32\calc.exe
Name the shortcut, for example, www.microsoft.com
Start Internet Explorer (IE5 and IE6 work best)
Type "www.microsoft.com" into the address bar
Enjoy.

Cheers to Per Hellqvist. More info can be found from here.
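One way to look for the precondition of the trick above, as an added example that is not from the original post: list Desktop shortcuts whose file names look like host names and show what they actually launch. It assumes Windows PowerShell 5.1 and the WScript.Shell COM object; the folders searched and the host-name pattern are this example's own choices.

```powershell
# Added example, not code from the original post. Lists shortcuts on the
# user's Desktop and the all-users Desktop whose file name looks like a host
# name (e.g. "www.microsoft.com.lnk"), together with the target they launch,
# so an administrator can spot the kind of shortcut the trick above depends on.
# Assumptions: Windows PowerShell 5.1 and the WScript.Shell COM object; the
# folders searched and the host-name pattern are this example's own choices.
function Get-HostnameLikeShortcuts {
    param(
        [string[]]$Folders = @(
            [Environment]::GetFolderPath('Desktop'),
            [Environment]::GetFolderPath('CommonDesktopDirectory')
        )
    )
    # A base name made of dot-separated labels, e.g. www.microsoft.com
    $hostLike = '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        Get-ChildItem -LiteralPath $folder -Filter *.lnk -File -ErrorAction SilentlyContinue |
            Where-Object { $_.BaseName -match $hostLike } |
            ForEach-Object {
                # WshShortcut exposes the target and arguments stored in the .lnk
                $lnk = $shell.CreateShortcut($_.FullName)
                [pscustomobject]@{
                    Name      = $_.BaseName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                    Shortcut  = $_.FullName
                }
            }
    }
}

$hits = @(Get-HostnameLikeShortcuts)
if ($hits.Count -eq 0) {
    Write-Output "No host-name-like shortcuts found in the Desktop folders."
}
else {
    $hits | Format-Table -AutoSize
}
```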

Coming Soon Posted by Sean @ 10:44 GMT

Our team is growing. And consequently our weblog photo is becoming more and more out-of-date. Three faces have moved on and many additional ones need to be added. We get e-mail asking about this from time to time... So due to popular demand, coming soon, a new weblog banner photo!

This has been the photo for the last two and a half years:
[Image: current weblog photo]

On March 17th we took some photos on the Baltic Sea - to be more precise, on the frozen canal outside of our Helsinki office. Time passed and we ended up not using those photos.

[Image: photo taken March 17th 2006]

Now, with some recently hired employees, we have a still larger and even more international team. The preview photo below includes persons from: Finland, Philippines, USA, Bulgaria, Russia, Poland, Italy, India, Hungary, and Sweden.

[Image: at the photo studio]

We should have the banner updated before the end of the year.

Are you getting weird spam with numbers? Posted by Mikko @ 09:37 GMT

We've received some questions on weird spam messages going around that look like this:

[Image: sample spam message, 5556]

There seems to be lots of them going around, looking at some of the discussion on the topic.

The mails do not contain an attachment. There aren't any scripts in them either. The numbers keep changing, though. So what are they? We're not sure, but it might be that some botnet herder is checking the quality of his e-mail lists: finding out which messages bounce and which don't.

Friday, June 2, 2006

OpenOffice and Ziggy Stardust Posted by Sean @ 15:08 GMT

One of our researchers, Sami Rautiainen, produced a paper for the Virus Bulletin Conference in September 2003 on the topic of OpenOffice security. The conclusions he reached: the macro language and the API of OpenOffice are very powerful, but unfortunately that power can be abused for malicious purposes, and the security settings in the default installation of OpenOffice closely resemble those of older versions of Microsoft Office. You can download the paper in PDF format here.

[Image: OpenOffice 2 macro security settings]

That was then, and now... we have a proof-of-concept sample for OpenOffice.org named Stardust.A. This thing is very buggy and is not in the wild; it's classified as "intended". But it's interesting to note that the waters are indeed being tested.

Updated to Add: Terms used in this post were updated on June 6, 2006.

Happy Birthday to LISTSERV Posted by Sean @ 13:02 GMT


LISTSERV was the first e-mail list management software available. It was originally developed by Eric Thomas in June of 1986, which means that this month is the product's 20th birthday! That's quite a grown-up software app. As millions of L-Soft's messages are protected by our product each day, we'd like to congratulate our partner on their two-decade-old product. Here's to many more.

Thursday, June 1, 2006

Patch.us Posted by Mikko @ 16:12 GMT


We've today released security bulletin FSC-2006-3 which covers a buffer overflow vulnerability in the web console of two of our products: F-Secure Anti-Virus for Microsoft Exchange 6.40 and F-Secure Internet Gatekeeper 6.50, 6.42, 6.41, 6.40.

If you're running these products, please read our bulletin and apply the patch. Do note that by default the web console does not allow connections from other hosts, limiting the scope of this vulnerability.

We're not aware of any exploit code for this vulnerability. But patch anyway.