NEWS FROM THE LAB - June 2009
 

 

Tuesday, June 30, 2009

 
Security Threat Summary Q2/2009 Posted by Sean @ 11:57 GMT

Our Q2 Security Threat Summary is available from: https://www.f-secure.com/2009/

Q2 Summary

Video is available via our Video Channel, and also the Lab's YouTube Channel.

 
 

 
 
Monday, June 29, 2009

 
Michael Jackson Malware Posted by Mikko @ 08:36 GMT

There has been a couple of malware attacks that have tried to use the news coverage of the death of Michael Jackson as the lure to get people infected.

Last night we saw this one: a file called Michael-www.google.com.exe. This file was distributed through a site called photos-google.com and possibly also through photo-msn.org, facebook-photo.net and orkut-images.com. Do not visit these sites.

When executed, Michael-www.google.com.exe drops files called reptile.exe and winudp.exe. These are IRC bots with backdoor capability. The file also shows this fake error message:

michael jackson malware

We detect the dropper and the backdoors as Trojan.Win32.Buzus.bjyo.

 
 

 
 
Friday, June 26, 2009

 
Sad News Generate Bad Things Posted by Toni @ 11:44 GMT

The "King of Pop", Michael Jackson, died last night after suffering a cardiac arrest. The news is currently spreading through a lot of different media outlets and they are being printed worldwide.

Another recent death, Farrah Fawcett, is also making headlines.

The subjects themselves are not related to information security, but how long do you think it will take until the bad guys pick up the news as well and start using it? Usually it has taken a few days at most.

So remember, if or more likely when you start receiving e-mails on these subjects, please be extra careful when opening any links as they might be taking you in for a rough ride.

 
 

 
 
Thursday, June 25, 2009

 
Government, Military - Aviation? Posted by Alia @ 02:25 GMT

U.S. Secretary of Defense Robert Gates recently confirmed the creation of a U.S. Cyber Command aimed at dealing with cyberthreats to military resources. A previously announced White House "cybersecurity coordinator" is already in the works to deal with similar threats to critical government infrastructures.

On the whole, that's good news. It would be great however to hear of similar efforts in protecting a particular commercial resource that�s definitely "critical infrastructure" – civil aviation electronic systems.

Earlier this year, the U.S. Department of Transportation released an audit report (streaming PDF here, Open rather than Save) in which it determined the national air traffic control systems administered by the Federal Aviation Administration (FAA) had significant weaknesses and vulnerabilities, potentially allowing an unauthorized party to access and control vital services and systems.

This isn�t the first time the FAA has been criticized for the weaknesses in civil aviation electronic system security, with the first such criticisms coming as early as 1998.

The report cites incidences that took place in 2006, 2008 and 2009 as supporting evidence that the administrative and operational systems can be breached. The FAA contends this claim.

Not cited in the report, but of possible interest, is a 1998 incident in which a teenager successfully disabled vital airport control tower services at a regional Massachusetts airport (CNet article here).

Hopefully, with the current government enthusiasm for improving computer security, the current civil aviation systems get some attention too.

 
 

 
 
Wednesday, June 24, 2009

 
Would You Give Your Facebook Password for a Job Application? Posted by Alia @ 01:53 GMT

CNN.com carried a recent news article about the city of Bozeman, Montana, USA, which has been pressured into removing an item in its background-check waiver form requesting all applicants for to disclose their account names and passwords for social networking websites such as Facebook, MySpace and Youtube.

The change in policy is attributed to a furore that arose after one applicant contacted the Montana's News Station expressing concern about that particular aspect of the background check.

The city justified the login details request as just another part of an extensive background check they perform on all employees. The precautions were meant to ensure that those holding positions where they'd be handling the city's funds or operations will be reputable and honest. And presumably smart enough not to post details of any objectionable activity they might engage in online.

The Bozeman Daily Chronicle also mentioned that elected city commissioner's weren't affected by the policy, only city employees.

What's actually rather interesting to consider is that the policy has apparently been in force for about three years and according to city attorney Greg Sullivan, "No one has ever removed his or her name from consideration for a job due to the request". Rather begs the question, did they really give up their login details? Provide fake ones? Or just ignore the request?

And yes, legally, the policy does appear to be on some seriously shaky ground. Unlike some states – or countries – Montana's state constitution explicitly guarantees a citizen's right to privacy.

The request for login details was quickly removed last week. Still, it appears the city is still keen on checking applicants' online behavior, as "officials are looking at ways to alter the policy so that they might view an applicant's online information without asking for log-in codes".

 
 

 
 
Tuesday, June 23, 2009

 
Hacktivist Tweets Posted by Sean @ 15:56 GMT

The collision of politics and technology is often interesting and the recent Iranian presidential election has seen a great deal of both.

From the New York Times: Web Pries Lid of Iranian Censorship.

And while the Internet is a source of information for political activists, there is also something else more questionable taking place… DDoS attacks against government servers in Iran.

A Twitter search for Iran and DDoS yields numerous results. Some folks are urging against DDoS attacks, but not in principle, rather because they might affect the bandwidth of political protesters. What are those concerned for the protesters promoting instead?

Targeted hacking.

We saw this earlier today on Twitter: "Please, use SURGICAL hacking only".

Our recommendation? No one should hack servers. It's a crime. Period.

Private citizens can participate in organized peaceful protests. Organizing surgical strikes against someone else's servers is virtual violence.

And violence begets violence.

Vigilante cyberwar is not a productive path upon which to proceed.

 
 

 
 
Monday, June 22, 2009

 
Scareware Attacks Posted by Sean @ 12:29 GMT

Rogue Antivirus A.K.A. scareware continues to be a pervasive threat against consumers.

Byron Acohido recently posted an excellent article on the topic.

The related posts on the business of scareware and rogues are also well worth reading.

The Last Watchdog, June 10th

Check them out.

 
 

 
 
Thursday, June 18, 2009

 
ISTP 9.50 is Available Posted by Sean @ 13:47 GMT

Our Internet Security Technology Preview has been updated and it is looking and performing great.

Here's a short video demo via our YouTube channel.



You can download it from here.

 
 

 
 
Wednesday, June 17, 2009

 
Mac Protection Update(s) Posted by Sean @ 16:29 GMT

We've been focused on testing our ISTP and almost failed to notice that our Mac Protection beta was updated last week.

Mac Protection 4766

Signature updates are now in the database channel. You can try it from here.

 
 

 
 
Monday, June 15, 2009

 
Working to Protect You Posted by Sean @ 12:36 GMT

It's a busy day in the lab. Only, not in the way that we normally consider it to be a "busy day".

We're having strategy review meetings today. Woot.

The security landscape changes rapidly and everyone needs to be up to speed on our future goals.

These are the guys working to protect you.

06.15.2009

The meeting is still in progress… so I'd better get back to it.

Signing off,
Sean

 
 

 
 
Friday, June 12, 2009

 
Wreck A Movie Posted by Sean @ 15:34 GMT

The folks at Wreck A Movie make collaborative films and the Lab is involved with one of their current projects.

Wreck A Movie was founded by the folks that made Star Wreck: In the Pirkinning.

wreck-a-movie

From wreckamovie.com:

"Project Worm will be a six-part (web) TV series about international cyber crime. Initial development goals are concept development, story line, synopsis and a screen play for part one. This early development will run from May to July 09. Shooting of the actual TV series will take place in six different countries in 2010."

A series about cybercrime? Cool. Members of the Lab are assisting as "technical consultants" (or something like that).

If you're interested in participating, check out the Project WORM production page.

 
 

 
 
Wednesday, June 10, 2009

 
Quarterly Updates Posted by Sean @ 15:49 GMT

Microsoft delivered lots of updates yesterday. See the Microsoft Security Bulletin Summary for June 2009 for full details.

Running your Microsoft Updates is all you'll need to patch your system.

However, there is something new on this particular update cycle — Adobe.

Back on May 20th, Brad Arkin stated on Adobe's ASSET blog that the company would be moving to a quarterly update cycle.

Adobe Regular Security Updates

And that's a promising move as it helps to highlight the need to keep your Adobe applications up-to-date.

As we've noted before, Adobe Acrobat/Reader exploits account for nearly half of the targeted attack cases we've analyzed.

So you want to stay updated.

Targeted attacks 2009 ytd

You can find this quarter's Adobe updates from Adobe's Security bulletins and advisories.

 
 

 
 
Tuesday, June 9, 2009

 
Waiting for Mobile Malware Wave Posted by Alia @ 02:41 GMT

For the last couple years there has been talk – like this iGillotResearch report (in pdf) – about how the convergence of mobile phones and the Internet would unleash a new wave of threats targeted to the phone and distributed over the Internet. We've definitely seen a number of attacks on mobile network operators. Yet up until now, most users haven't been hit by Internet-based attacks.

For example, the Apple iPhone last year saw its first Trojan to be distributed via the Internet. Still, that was more "script-kiddie prank program" than "serious crimeware". Heck, it wasn't even the first Internet-based mobile threat – technically, you could argue the 2006 Eliles.A worm has that distinction. Halfway through 2009, there hasn't yet been any major outbreaks of Internet-distributed mobile malware.

So what's this, another bogeyman story about mobile security? Well kinda. Today Apple announced the release of its iPhone 3G S model on June 19. It's supposed to be faster, more feature-loaded and so on.

iphone(source: att.com)

In offering a neat package of enhanced phone, easy surfing with the onboard Safari browser and the appeal of a huge variety of programs from the App store, Apple looks set to spur even more people into into getting online via their mobile phones.

And as seems to be the case with mobile phones these days – where Apple leads, others will follow. Most mobile phone producers have been racing to provide the same level of online browsing user-friendliness in their products. If they get it right, that means even more users picking up mobile surfing.

Which means that malware authors will have even more reason to start targeting the mobile phone. Let's hope's the phone producers and mobile network operators consider that first Trojan a kind of "warning shot" and set up some strong security measures.

For now, it seems like all is quiet on the mobile front.

On an unrelated note, the new iPhone model also formally introduces an Internet Tethering functionality allowing users to connect a computer to the phone and surf the Internet – no Wi-Fi hotspot required. Some users have been asking for the feature for a while now, so – wish granted. Enjoy!

 
 

 
 
Monday, June 8, 2009

 
ISTP Network Reputation is Pretty Cool Posted by Sean @ 15:12 GMT

I've been testing our ISTP for several weeks now here in the Lab.

The more that I use our ISTP — the more I find to like — and I'm very much looking forward to this year's product releases.

This past weekend I tested some new ISTP features from home. One thing I've never really had a need for is anti-spam for a POP mail account. I've been using webmail since 1997.

That's why I was curious to test our new Browsing protection ratings for webmail based links. And I have to say, it does a pretty credible job so far. I'm looking forward to it being in full production.

Here's a sample screenshot using a malware domain list pulled from malwaredomains.com, a useful blocklist site. The red "X" icons show the domains that our network reputation services already recognize as malicious.

ISTP Browsing protection

Next I e-mailed myself some Facebook phishing links.

ISTP Browsing protection

The fourth URL in my test isn't detected, so I clicked on the "?" icon to report that particular link.

ISTP Browsing protection

Then all I needed to do was to select "It is harmful to use" and to click on the OK button.

ISTP Browsing protection

That then submits information to be analyzed by our Network Reputation team and their automation.

To Jay-R and team — Keep up the good work! This is a great service.

Signing off,
Sean

 
 

 
 
Friday, June 5, 2009

 
Visit to IMPACT Global Response Center Posted by Mikko @ 18:21 GMT

Last week we had a chance to visit the Global Response Center of IMPACT.

impact

IMPACT is the first global public-private initiative against cyber threats. The headquarters are in Cyberjaya, Malaysia.

Their HQ building is quite impressive!

impact

The Global Response Center is getting ready for action.

IMPACT

More about IMPACT:



The IMPACT initiative has been underway since 2007. Hopefully it will get more traction and international acceptance, as this is the kind of action we need if we really want to fight online threats.

 
 

 
 
Tuesday, June 2, 2009

 
Exploit Shield vs DirectShow Posted by Sean @ 08:49 GMT

We posted a link to Microsoft Advisory 971778 / CVE-2009-1537 last week.

The advisory details a vulnerability in Microsoft's DirectShow, quartz.dll, affecting QuickTime parsing. (Not a QuickTime vulnerability.) Microsoft has reported some use of an exploit in the wild.

An analyst from our Exploit Shield team, Victor, tested a working sample against our Exploit Shield technology.

His efforts can be seen below, click the image for a larger view.

Exploit Shield vs DirectShow Exploit

Excellent. Exploit Shield proactively blocks this threat with heuristic detection of shellcode exploitation.

The screenshot above is from one of the Lab's internal builds. It is also integrated into our Internet Security Technology Preview.

Browsing protection ISTP9.50

And this is the block page that will be displayed to clients.

Exploit Shield Block of DirectShow Exploit

P.S. And just so you know, there is ALSO a QuickTime vulnerability that's been patched. See our vulnerability description for details. Update your QuickTime to version 7.6.2.

Updated to add: There's also an advisory for iTunes so you can get your QuickTime update along with iTunes 8.2.

Our vulnerability description has details.

 
 

 
 
Monday, June 1, 2009

 
Poll: Cyber Defense Posted by Sean @ 13:35 GMT

Just over a year ago, Col. Charles W. Williamson III posed questions regarding the US Air Force's Cyber Defense plans.

Our post included a poll on the matter — US Air Force Colonel Proposes Skynet.

Now that the Pentagon has made its proposal to Barack Obama; and now that the President has announced his civilian agency goals, let's ask a slightly different question.

Are you in favor of President Obama's Cyber Security Strategy?

June 2009 Poll