Monthly Archives - June of 2010
 

Wednesday, June 30, 2010

 
Security Updates for Adobe Reader and Acrobat Posted by Sarah @ 03:51 GMT

Earlier this month, Adobe addressed a vulnerability issue that affects three products: Flash Player, Reader and Acrobat. While the Flash Player issue was fixed rather quickly, refer to Adobe Flash Player 10.1.53.64 Security Update, the latter two products did not receive similar love as their updates were only promised to be available at a later date, on June 29, 2010.

As promised, the security updates for Adobe Reader and Acrobat have finally arrived. Download the latest version for applicable product, which are available here.

 
 

 
 
Tuesday, June 29, 2010

 
F-Secure PC Booster Beta Posted by Mikko @ 11:18 GMT

We have a beta of a new product available for download on our beta pages.

F-Secure PC Booster

F-Secure PC Booster optimizes the performance of your Windows computer and cleans up old junk.

Try it out! We'd love to hear your feedback on the new product.

 
 

 
 
Monday, June 28, 2010

 
The Case of TDL3 Posted by Mikko @ 10:05 GMT

Ace from our Kuala Lumpur lab has written a technical white paper on the internals of the highly advanced TDL3 trojan. The paper goes deep into the features of this advanced backdoor/rootkit.

tdl3 or TDSS

You can download "The Case of Trojan DownLoader TDL3" from here [2MB PDF file].

In some ways, TDL3 is similar to the infamous Mebroot rootkit. For a thorough discussion on Mebroot, see our presentation from 2008.

 
 

 
 
Thursday, June 24, 2010

 
Targeted Attacks with Excel Files Posted by Mikko @ 10:56 GMT

We've previously shown screenshots of document files used in targeted espionage attacks. Most often, those have been PDF files, as they are the most commonly used filetype in such attacks.

But here's a fresh set of attacks done with XLS files instead.

This is some sort of personnel list. Like the other examples here, it drops and runs a backdoor when viewed.

targeted attack XLS file

An apparent agenda. Looks fairly normal and innocent:

targeted attack XLS file

This one seems to contain some sort of a list of organizations:

targeted attack XLS file

A budget file.

targeted attack XLS file

How timely! FIFA World Cup 2010 match schedule.

targeted attack XLS file

The exploit in these files targets Excel Pointer Offset Memory Corruption Vulnerability CVE-2009-3129.

As you can see, such attack files can look like perfectly normal and credible document files.

The hashes of the files are:
362d2011c222ae17f801e3c79e099ca7
97a3d097c686b5348084f5b4df8396ce
d076187337b7a5c74401770e2e7af870
8f51b0e60d4d4764c480af5ec3a9ca19
0c1733b4add4e053ea58d6fb547c8759

 
 

 
 
Monday, June 21, 2010

 
"Hacked By Turkish Hackers"? Posted by Mikko @ 19:58 GMT

For the past 12 hours, over 1000 Twitter accounts have been hacked with an unknown method.

The symptoms are always the same; the account is used to broadcast the phrase "Hacked By Turkish Hackers".

Hacked By Turkish Hackers

Here's a sample search via search.twitter.com.

Although the exploit mechanism is unclear, most of the compromised accounts seem to belong to Israeli Twitter users.

Hacked By Turkish Hackers

Perhaps there's a Twitter phishing run in Hebrew underway?







 
 

 
 
It's signed, therefore it's clean, right? Posted by Mikko @ 11:08 GMT

Jarno Niemelä from our lab did a study on malicious Windows binaries that have been signed (with Microsoft Authenticode).

Turns out, we have copies of tens of thousands of malware samples that have been signed.

Malware authors are attempting to use code signing techniques to their advantage.

signed

Details of this surprising find are presented in Jarno's presentation file, which can be downloaded from here (PDF). It was first presented in the CARO 2010 Technical Workshop in May 2010.

 
 

 
 
Friday, June 18, 2010

 
XSS Posted by Mikko @ 07:17 GMT

When a company is hit with a cross-site scripting (XSS) attack, the natural reaction is to downplay the significance of the incident.

After all, an XSS vulnerability on a site does not mean that the site could be hacked or shut down. A typical XSS demonstration showing a funny dialog box on somebody else's site just emphasizes how harmless such an attack looks.

However, XSS is not harmless. We were just hit by one last night. And we do not want to downplay it.

The vulnerability on f-secure.com was found by security researcher Xylitol. He reported it yesterday evening. Xylitol is well-known for finding XSS vulnerabilities on sites such as army.mil, ibm.com and nasa.gov.

The problem was on a download page for our Mobile Anti-Theft product (anti-theft-download-wizard.html). With some clever tinkering, it was possible to create a web link that would point to our site, but when clicked, it would execute JavaScript controlled by the attacker.

xss
Above: result of accessing www.f-secure.com/en_EMEA/products/mobile/anti-theft-download/anti-theft-download-wizard.html?hidManufacturer=%27%22%3E%3C/title%3E%3Cscript%3Ealert%28/Mikko%20rulz/%29%3C/script%3E before the page was fixed. Screenshot from xssed.net.

We almost got it right. In fact, the script on our page does successfully filter out control characters and other dangerous content. Unfortunately, almost doesn't count. We do the filtering right once, and wrong once.

Apparently we added a feature to the page as an afterthought, and that feature did not go through code review or testing.

xss

The problem has been fixed now. It was limited to our static Mobile Anti-Theft pages, and did not give access to any of our systems. This problem has not been used to do any harmful activities.

In any case, we were burned.

So, what could have been done with this vulnerability? Well, for example, somebody could have sent out a spam campaign, claiming to be from F-Secure, pointing to a link apparently at www.f-secure.com. And when that link would have been clicked, it would have downloaded malware (from some other site) to the user's computer. XSS vulnerabilities can be used to create serious problems. Luckily, in this case nothing bad happened.

Here's the time line of the incident:

  •  Xylitol published an article on the problem at early evening on 17th June
  •  We noticed the article at 20.51 EEST 17th June
  •  We started fixing the problem at 02.15 EEST 18th June
  •  We shut down the Mobile Anti-Theft page temporary for fixing and isolating problem at 02.45 EEST 18th June
  •  Page was republished at 06.05 EEST 18th June

 
 

 
 
Thursday, June 17, 2010

 
All Your Farm Are Belong To Us Posted by Sean @ 16:02 GMT

Zynga's FarmVille is a popular social networking game and perhaps it should come as little surprise that many players want to learn FarmVille secrets and cheats. And so they turn to search engines to find them.

Currently, "farmville cheats" is a highly ranked suggestion:

FarmVille suggestions

Sad but true.

Anyway, we searched for farmville cheats and readily discovered farmville-secrets.spruz.com:

FarmVille secrets cheats

Spruz.com has removed the page for violating their terms of use policy, so it's no longer hosted, but beware of Google's cache.

Here's what the site looked like:

Click Here

The "Click Here" button opens a download dialog for a file called FarmVille_autobot.exe.

An autobot sounds like a convenient way to cheat, right? Only in this case the cheater will get more than they asked for because the file includes a variant of TDSS, an advanced backdoor rootkit. Best kept secrets indeed!

The MD5 of the file we analyzed (thanks JoJo) is 9c7812efa218ab3750e570a93015e884 and is detected as Trojan:W32/TDSS.FZ.

 
 

 
 
Wednesday, June 16, 2010

 
Have you ever configured your Adobe Flash Player? Posted by Sean @ 12:03 GMT

Adobe released a critical Flash update on June 10th. If you haven't seen it yet, this is the update notification:

Adobe Flash Player, Update 10.1

Do you know what Flash version you have installed? No? Then use Adobe's version test page.

Once you have the current version, you may also wish to adjust your configuration. Flash's settings are rather curious as the controls themselves aren't located on the computer but are instead accessed through a Flash object hosted by Adobe.

Adobe: "The Settings Manager is a special control panel that runs on your local computer but is displayed within and accessed from the Adobe website. Adobe does not have access to the settings that you see in the Settings Manager or to personal information on your computer."

Right-clicking a Flash object and selecting "Global Settings" opens a page to Adobe's Flash Player Settings Manager.

Flash Global Settings

On the Setting Manager page you'll find links to the Notifications panel.

Flash Global Settings - Notifications

As well as the Website Privacy panel:

Flash Global Settings - Website Privacy

It's interesting to note that Flash maintains its own selected history.

Updated to add: A reader noticed that Adobe's Flash support page, linked above, does not correctly list the current versions. Use Adobe's About Flash Player page instead. Thank you, Paul!

 
 

 
 
Tuesday, June 15, 2010

 
F-Secure Internet Security 2011 Beta is Available Posted by Response @ 10:48 GMT

Our Internet Security 2011 Beta is now available for download.

Internet Security 2011 Beta

Beta testers receive a six month subscription and the opportunity to influence the final release.

The biggest new feature from the lab's point of view is our "DeepGuard 3" technology which utilizes cloud based reputation systems, prevalence, source, age, et cetera.

The end result is that if we don't know or trust it — it'll be blocked before it can do harm.

Here's an example screenshot that shows a "rare" file being blocked from an "unrated" site. This is a familiar malware/scareware scenario: short lived, unrated sites which use frequently produced and rare installation files.

Internet Security 2011 Beta

We welcome you to give it a try. The download page includes links to the release notes and feedback forms. Cheers.

 
 

 
 
Monday, June 14, 2010

 
We're Giving Away 15 Phones Posted by Sean @ 15:44 GMT

The folks in PR have come up with a competition to promote our Anti-Theft for Mobile software.

We're giving away 15 phones — 12 Nokia 5230 and 3 Nokia X6 — starting on June 15th.

Phonehunt

You'll find the details here: http://www.f-secure.com/phonehunt

Happy hunting!







 
 

 
 
Facebook Spam App Du Jour Posted by Sean @ 10:10 GMT

There's yet another Facebook spam application on the run.

It uses this string of text to lure folks: "I am shocked!!! The teacher nearly killed this boy: http://bit.ly/aWeBMl - Worldwide scandal!"

If you click on the link, you're directed to this application:

Teacher nearly kills a boy

How many have clicked on the link so far?

bit.ly/aWeBMI

Almost 140 thousand.

Hopefully not as many people allowed the application to access their profiles:

Allow?

Updated to add: Now it's more than 140 thousand clicks and the applications page indicates almost 59 thousand active users. That indicates that about 40% plus of the users exposed to this lure are falling for it!

 
 

 
 
Friday, June 11, 2010

 
Wr0ld Cup 2010 Posted by Sean @ 14:05 GMT

The 2010 FIFA World Cup starts today in South Africa.

www.fifa.com

Four years ago, in 2006, we were on the lookout for football themed malware. Here's one example of a football themed e-mail worm.

Today, in 2010, we're more likely to see Search Engine Optimization (SEO) attacks as folks search for news and information on the matches and players. So avoid too many web searches if you can.

Here's the official website for the Fédération Internationale de Football Association (FIFA). This is the safest place to start looking for information and official partners.

We did a poll four years ago, so let's do another:

What football team are you rooting for in the 2010 FIFA World Cup?



 
 

 
 
Thursday, June 10, 2010

 
Kuala Lumpur Police Bust SMS Scam Ring Posted by Sean @ 14:45 GMT

An SMS scam syndicate has been busted with the arrest of 26 people according to Malaysia's The Star Online.

Our Malaysian lab did some investigation on this topic back in 2007 and managed to record a conversation with one of the phishers.

SMS Phishing

You'll find the original post and links to the audio here: SMS phishing on the rise in SE Asia?

 
 

 
 
Wednesday, June 9, 2010

 
2010 FIFA World Cup is Approaching Posted by Sean @ 15:53 GMT

June 11th kicks off the 2010 FIFA World Cup, and not surprisingly, we're seeing a rise in related spam.

It's still just a small percentage of spam overall (under 2%) but when comparing the first three days from the last six months, we see a doubling in volume and 74 times the number of hits on related keywords from January to June.

FIFA 2010 related spam

As the tournament continues from June to July 11th, we expect to see more related threats.

A good example? SEO poisoning.

Currently, "World Cup printable bracket" is a dangerous search term.

Updated to add: Here's an additional FIFA post from our friends over at Commtouch Café.

 
 

 
 
Tuesday, June 8, 2010

 
Exploit.PDF-Dropper.Gen Posted by Sean @ 09:02 GMT

The lab is currently seeing a spam run pushing a PDF exploit.

The emails look like this:


   From: random addresses
   To: random recipients
   Subject: New Resume
 
   Please review my CV, Thank You!
 
   Attachment: resume.pdf


This PDF attachment is not utilizing the critical Flash vulnerability that we wrote about yesterday. Instead, it's attempting to use the PDF /launch feature.

The timing of this spam run seems a bit odd as it isn't using the current vulnerability, but perhaps the gang which uses this particular tactic knows that there's about to be a big push to update Adobe Reader. Current versions of Reader include the Trust Manager feature, and so this gang's window of opportunity will be narrowing soon.

We already detected this threat as Exploit.PDF-Dropper.Gen with our Internet Security 2010.

The PDF's MD5 is cff871a36828866de1f42574be016bb8. If allowed to run, the exploit will drop an alureon/dnschanger trojan.

Our telemetry indicates that several thousand customers have already been exposed to the exploit. We have no hits on the payload so we know that our generic detection is blocking the threat.

Hydra detection for the attachment/payload was published with database version 2010-06-08_03.

Updated to add: Here's a screenshot of the PDF attachment. The PDF is based on a resume/CV pulled from the Internet, and the /launch prompt is rather noisy.

Pidief.CPY

 
 

 
 
Monday, June 7, 2010

 
Block Flash Posted by Sean @ 13:03 GMT

There's going to be numerous updates published tomorrow by Microsoft.

But you'll more likely want to keep an eye on Adobe. Current versions of Flash are vulnerable.

Adobe Security Bulletin, June 4th

"A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems."

The vulnerability is currently being exploited in the wild. You can determine your version of Flash here.

If you're using Adobe Reader, consider another application. You'll find suggestions in our comments here and here.

As for Flash… well, unless you're Steve Jobs, you probably need or want to have Flash installed, at least sometimes. Adobe Labs has prereleases available here. The 10.1 release candidate does not appear to be vulnerable.

If you don't regularly use Internet Explorer, why not go ahead and uninstall or disable the Flash ActiveX control. What's the point of having it if you don't use it?

If you're a Firefox user, you could consider installing a Flash blocking add-on such as Flashblock. It's very simple to configure, unlike NoScript, easy to use and does its job well.

Here a short Flash video demo:



Yes, short Flash video, the irony is not lost on us.

Updated to add: Adobe's advisory now reports that Flash will be updated on June 10th and Acrobat and Reader on June 29th.

 
 

 
 
Friday, June 4, 2010

 
Windows 7 AutoPlay and Virtual CDs Posted by Sean @ 13:12 GMT

Some folks read Wednesday's post about autorun-worm infected Samsung Wave microSD cards and commented — thank goodness Windows 7 fixes that issue. Only optical media is allowed to AutoPlay on Windows 7, so USB devices can't spread autorun-worms.

Right?

Well, while Windows 7 does significantly improve the AutoPlay/AutoRun user experience, it isn't bulletproof. There's a small, not likely to be exploited, loophole.

Virtual CDs.

For example, Western Digital USB hard drives ship with Virtual CDs on board to install WD's SmartWare software.

You can see the CD device here along with the Passport:

Windows 7, Virtual CD

This is how a default Windows XP installation handles the Virtual CD's autorun.inf:

Welcome to WD SmartWare

It just launches the installer program, no questions asked.

Now this is how Windows 7 AutoPlay handles the Virtual CD's autorun.inf:

Windows 7 AutoPlay

The installer on the Virtual CD is the default option, but it doesn't launch.

On the plus side, AutoPlay functionality can easily be turned off in Windows 7:

Windows 7 Control Panel, AutoPlay

Do note that this isn't a Windows 7 vulnerability.

From Microsoft's Security Research & Defense blog: "It is worth noting that some smart USB flash drives can pose as a CD/DVD drive instead of standard ones (see http://en.wikipedia.org/wiki/U3 for an example). In this specific scenario, the operating system will treat the USB drive as if it is a CD/DVD because the type of the device is determined at the hardware level."

This is just a curiosity to be aware of — not a flaw.

Bottom-line, don't let Windows 7's improved handling of AutoPlay give you a false sense of security. There are more and more USB drives shipping with Virtual CDs, and sooner or later, one of them will be infected during the manufacturing process.

 
 

 
 
Thursday, June 3, 2010

 
Mac OS X Spyware Posted by Sean @ 14:29 GMT

Mac ProtectionOn Tuesday, Mac security firm Intego blogged about their discovery of Mac based Spyware which they dubbed OSX/OpinionSpy.

To quote Intego: "OSX/OpinionSpy is installed by a number of applications and screen savers that are distributed on sites such as MacUpdate, VersionTracker and Softpedia."

Back in March we said that Macs are generally safer but that doesn't mean more secure: "Houses located in a safer neighborhood are not technically more secure from burglary. Most of today's Macs just happen to exist in a safer online environment and aren't being targeted by cyber-criminals. Criminal's return on investment is simply better in the PC world."

Looks as if another threat is checking out the neighborhood.

Our F-Secure Mac Protection Beta, available here, detects the spyware as Spyware:OSX/OpinionSpy.A and Spyware:OSX/OpinionSpy.B. You'll find the release notes here.

 
 

 
 
Wednesday, June 2, 2010

 
Samsung Wave Autorun.inf Posted by Sean @ 13:50 GMT

Samsung WaveMore and more mobile phones are shipping with Windows installation files on microSD cards rather than on CD-ROMs. All that's needed to sync your phone with your PC is to connect the phone, detect it as a removable USB drive, and then run the installer. Many phone vendors also include an autorun.inf file to assist the process.

Unfortunately, autorun.inf files can be infected during the production process, and microSD cards aren't read-only.

Engadget is reporting that at least some German models of Samsung's Wave, a Linux based "iPhone killer", are shipping with an infected autorun.inf and a file called slmvsrv.exe.

The file's MD5 is bb9818d76fe60e68608e2a1e7bc6666b and we detect it as Trojan.Generic.3932466. We have telemetry indicating this is in the wild (but quite limited).

This is yet another example of infected devices which will spread to your computer.

 
 

 
 
Tuesday, June 1, 2010

 
Facebook, Google and Privacy Posted by Sean @ 17:16 GMT

There's been a great deal of discussion (controversy?) recently regarding personal privacy and the pursuit of profit. Many pundits are concerned that businesses are putting personal data at risk for financial gains.

And so the question is being asked: Are Facebook and Google contributing to an erosion of personal privacy?

So let's take a look at that, shall we? If you want to find personal information about somebody, are you really dependent on Google? Or Facebook? Really? No… not really.

In fact, there's LOTS of personal information that's been available to academics and demographers for years.

For example, take the State of North Carolina, USA. The NC State Board of Elections website is a great place to start as it provides a form for checking *my* registration. And only two bits of data are required — first and last names.

Privacy?

Let's take a look at a public figure, Richard Burr. He's North Carolina's senior Senator.

Privacy?

Look what's available: his full name, voter registration number, registration date, address and race.

Let's see you get that info from Facebook. Not likely.

Now we know his home address is in Forsyth County, so let's visit the Forsyth County Tax Administration website and use their Geo-Data Explorer. It's super cool.

All you need the street address and presto, you get an aerial view with the property lines, the home value, property value, owners, et cetera.

Privacy?

Historical information is also available.

And check out this street view! Man, that beats Google's street view, hands down. No comparison at all. Google's an amateur.

Next, let's take a look at an online phone book, White Pages dot com.

Again, using very little information, just first name, last name, city and state, we get these results:

Privacy?

Richard Burr's work (local office) and home numbers.

And what else? Twitter? Really? Yep. The Burr's campaign Twitter feed is indexed in the White Pages.

There's tons of information on this guy, and on non-public figures as well. Resources such as this can be found all over the Internet.

Companies such as LexisNexis specialize in the collection and sale of data access and they started long before Sergey M. Brin, Lawrence E. Page and Mark Zuckerberg were even born.

So how exactly is Google and Facebook eroding privacy? Because they do in the open do what others do behind closed doors? Because they are trying to invent something new?

Guess that depends on what you consider privacy.

Governments have always known your personal details. Making some information public contributes to an open and healthy democracy. So many things aren't really private, are they? Someone, somewhere already knows plenty of things about you.

At least you get something, services, for using Google and Facebook. LexisNexis and others aren't going to give you a cent for your information.

And consider this, posting messages in online forums, commenting on blog posts and sharing links with your friends is kind of like having a private conversation in a public shopping mall. Sure, you can have a personal conversation at your local coffee shop, but do you really expect that conversation to be secure?

If somebody overhears your conversation, are you going to blame the shop owner for not protecting your personal information? No, of course not.

Facebook and Google are INTERNET services. Internet equals public space. Or at least, people should consider it to be so.

It's more accurate to say that information technologies are eroding the length of time that is required to access your data.

Yes, that does have an impact on our online and real-world lives. But should we panic about it?

Should we be pointing the finger at Facebook and Google saying that they're to blame because they are making business decisions? Don't think so, information technologies are going to continue to open up personal information regardless of whether or not Google and Facebook are trying to make a profit.

Do you want data and personal privacy protections? Then pass a law protecting personal privacy from being misused by employers. That's what people really care about — their jobs and their livelihood — not being marketed to.

Perhaps that's something Senator Burr will consider during his reelection campaign.

Privacy?