Monthly Archives - July of 2005
 

Sunday, July 31, 2005

 
Another weekend, another Bobic Posted by Mikko @ 14:37 GMT

Message used in the seeding
Once again we're seeing a run of Bobic being seeded in emails claiming that Osama Bin Laden has been captured.

These messages contain an attachment called "pics.scr" - which could be compressed inside a zip file.

We've just shipped a new update which detects this as Net-Worm.Win32.Bobic.d.

This is in update 2005-07-31_01.

 
 

 
 
Friday, July 29, 2005

 
Assembly Posted by Mikko @ 12:48 GMT

It's good to note that Black Hat and DEF CON are not the only nerd gatherings that are happening right now: the Assembly'05 demoscene party is in full swing in Helsinki, Finland.

Assembly panorama photo 5812x1632 by Oleg Hartsenko

Assembly, one of the oldest and largest demo parties anywhere has around 5000 geeks gathered together for four days. Many of the techniques used in demo coding are interesting to us working in a virus lab: the fastest demos are written in low-level assembler, and to fit within the tight size limits (such as 4kB or 64kB), some of these demos use really advanced compressing techniques.
Title of lynn-cisco.pdf slideset: The Holy Grail: Cisco IOS Shellcode And Exploitation Techniques by Michael Lynn
To get a feeling on what's happening at the party, you might want to tune in to AssemblyTV.

PS. The controversial Cisco IOS presentation given by Michael Lynn in BHB seems to be floating around in the net - despite the best efforts to censor it.

 

 
 

 
 
Black Hat 2005, Day 2 Posted by Ero @ 03:42 GMT


More interesting presentations today. Among the ones I had the chance to check were:

Stopping Injection Attacks Using Computational Theory was fairly interesting showing strong techniques to prevent this typical kind of attacks for which traditional regexp techniques prove insufficient to stop.

Google Hacking for Penetration Testers did live up to the expectations of a completely packed conference room. Johnny Long showed hilarious and scary examples of what's possible to come up with by properly data mining what's probably the largest database of public information (and some which should definitely be not so public...)

Beyond Ethereal: Crafting a Tivo For Security showed new visual tools for analysis of network data. With several types of visualizations certain patterns become obvious and it was possible to spot abnormal activity from large amounts of data by just browsing through it. Very interesting tools and methods with a huge potential for further development.

Other talks were on the effectiveness of the NX protection some processors will soon incorporate to prevent certain attacks relying on writing to memory which should not be accessible; as usual, not a complete solution but might mitigate some problems if implemented correctly. And another on routing in anonymous P2P networks.

So Black Hat has just ended. It has been two days of lots of interesting talks and tomorrow DEFCON starts...

 
 

 
 
Thursday, July 28, 2005

 
Black Hat 2005, Day 1 Posted by Ero @ 02:14 GMT

Day one has been pretty good indeed.

The 5 simultaneous tracks started this morning, not without some juicy bits. As it can be seen from the photos, the slides for a presentation were literally cut off from the briefings. The topic of the presentation was no other than remote execution on IOS, in short, gaining control of the OS running in most of the world's critical Internet network infrastructure. Needless to say it's rather serious.
Besides the slides being removed the presentation was nearly cancelled. The presenter, Michael Lynn, resigned from his employer prior to the talk, in order to be able to deliver it, and sure it was an interesting one.

The day followed with lots of other interesting talks: USB vulnerabilities, basically taking the play part in Plug & Play to a new level; SSH hijacking, and remote windows kernel exploitation. It's rather difficult to choose what to attend.

Looking forward to tomorrow's presentations, logging off...

blackhat2005 (559k image)

 
 

 
 
Tuesday, July 26, 2005

 
Busy week Posted by Mikko @ 19:01 GMT

It's going to be a busy week with lots of announcements ahead of us: the Black Hat Briefings and DEF CON conferences are on in Las Vegas. We have some of our people on location and should be getting updates from them as the shows progress.

Caesar's Palace, photo (c) MH 2004

There has already been some discussion about new Oracle holes as well as TippingPoint Technology Inc's new program where they are buying exploits. This has generated lots of discussion considering this isn't anything new: iDefense (bought by Verisign last week) has been paying money for exploits and vulnerabilities for several years and is now raising it's payments to respond to new competition.

 
 

 
 
Monday, July 25, 2005

 
Someone got too much SPAM ? Posted by Alexey @ 10:50 GMT

Russian media reported today that the owner of the American Language Center, Vardan Kushnir, had been killed. According to the reports, Kushnir's body with massive head trauma was found in his apartment in Moscow.

The American Language Center provides English language courses for Russian speaking people. In order to get new customers, the Center reportedly organized the largest SPAM campaign in Russian history. A huge amount of SPAM was (and still being) sent to over 20 000 000 e-mail addresses belonging to Russian speaking people. They say that you can hardly find a Russian who has never received a SPAM advertising the American Language Center.
ALC logo from now-defunct www.americancenter.ru
The SPAM campaign reportedly organized by the Center was so annoying that many people were trying to fight back. Some of them tried to sue, but with no results. Some tried to organize "denial of service" attacks to American Language Center phone numbers, advertised in SPAM messages (it should be noted that such attacks are basically illegal, but the authorities and the phone companies took no immediate action). As a result the Center's phone lines were totally overloaded for some time. Someone even tried to post Kushnir's personal information online so his mailbox, e-mail address and phone number could be targeted. There also appeared a lot of private webpages and forums devoted to fighting against the American Language Center, here's an example (NOTE: the site is in Russian and connection is slow).

However the killing of Kushnir might not be related to the American Language Center's SPAM campaign. Russian authorities are currently investigating this crime.

 
 

 
 
Friday, July 22, 2005

 
JOIN.EXE Posted by Mikko @ 12:57 GMT

Join the light side
We have a nice range of research-related positions open, so if you think you have what it takes to work in a virus lab you might want to have a look.

We have positions open in several countries, and recruiting & relocating is possible. For example, we have people from more than 15 countries working just in our HQ offices here in Helsinki.

So take a look.

 

 
 

 
 
Wednesday, July 20, 2005

 
Moogle Posted by Mikko @ 10:33 GMT

As most everybody knows, Google Maps and Google Earth do rock!

Here's our HQ's in Finland and in California (can't find coordinates for rest of our offices straight away).

F-Secure offices

But did you know this: moon.google.com? Incidentally, it's been 36 years since moon landing, today.

 
 

 
 
Tuesday, July 19, 2005

 
Hoax about "ICE" phone entries Posted by Mikko @ 14:28 GMT

ICE entry on a phone
A new idea has been gaining momentum, especially after the London bombings: people are being urged to add a new entry to their mobile phones with the name "ICE" (acronym for 'In Case of Emergency').

The idea is that if you're hurt, rescuers can easily figure out who they should contact - by calling the 'ICE' number from your phone (assuming they can access it).

This is a good idea. The only slight problem in using it is a practical one: on many phones if you have the same number listed under several names (for example, as "ICE" and as "Lisa"), the phone won't know which name to show for an incoming call and will only show the number. Which is a slight annoyance.

However, now some brain-dead pranksters have started a chain-letter email warning against such practice, because a mobile phone virus might exploit it. This is nonsense. No viruses to exploit the "ICE" number exist or are likely to exist. There are viruses already that go through the full phone book and attack every number.

Here's an example of a typical hoax message:

  You know the email that's gone round saying put ICE then a contact
  number in case of emergency? Well don't do it cos....
 
  Be very careful with this one - although the intention is great it is unfortunately
  phase one of a phone based virus that is laying a path for propagating very quickly.
  Passing it on is part of the virus interestingly, such is the deviousness of the people
  who write these things.
 
  We have already seen the "second phase" where a program is sent as part of a
  ring-tone download that goes into your address book and looks for something it
  recognises - you've guessed it, an address book entry marked "ICE or I.C.E."
  or whatever. It then sends itself to the "ICE list", charging you for the privilege.

Ignore this hoax message and don't forward it if you get it.

 
 

 
 
Monday, July 18, 2005

 
WSJ: Where the Dangers Are Posted by Mikko @ 14:22 GMT

WSJ
Today's Wall Street Journal has a long and thorough article by David Bank and Riva Richmond on cybercrime.

They are also hosting a lively discussion forum on the theme. Check out the on-going discussion on full disclosure and accountability on their Cybersecurity forum.

 
 

 
 
Friday, July 15, 2005

 
Breatle/Lebreat/Reatle worm on the loose Posted by Mikko @ 16:11 GMT

At least three variants of a new massmailer / network worm combo is on the loose. We currently detect it as W32/Lebreat.A@mm.

This virus claims to be "Breatle AntiVirus v1.0", and it spreads over both email and network vulnerabilities such as RPC and LSASS.

Apparently it also tries to launch a DDoS attack against www.symantec.com. With no visible effects so far.

The worm also contains an anti-Symantec message:

  easy to talk but hard to work :)
  what about working in symantec? :P
  it is not only a mass mail worm it is also a lsass worm :)

The worm sends variable emails, with messages such as:

  Your credit card was charged for $500 USD. For additional information see the attachment.

  Hello, I was in a hurry and I forgot to attach an important document. Please see attached.

 
 

 
 
View of the world Posted by Mikko @ 11:44 GMT

We've received some questions on the world map we run in our viruslab.

Virus lab

This is a system we can use to plot virus infections worldwide.

Virus world map

The more reports we got from a certain location, to brighter it glows in the map. We can monitor the situation in real-time or play back history data. All this helps us to assess just how bad the virus situation is.

Virus world map

The system also plots various graphs based on this data.

Virus world map
Virus world map

 
 

 
 
Wednesday, July 13, 2005

 
Phishing auf Deutsch Posted by Mikko @ 09:10 GMT

In addition to the typical phishing targets, such as Citibank, eBay, Paypal and US Bank, we've been seeing a move towards smaller markets. This is probably happening as most customers of a bank like Citibank have already received a hundred different phishing messages and will not be fooled by another one.

So phishers are doing more targeted attacks against smaller targets in order to find users who still could be fooled to respond to a phishing email.

This has resulted, for example, in a series of attacks against the German banks, with increased activity against organizations like Deutsche Bank and Postbank.

Here's an example of a phishing message against Postbank from last weekend:

Postbank phishing

As a result, both Deutsche Bank and Postbank will be introducing one-time passwords which are needed to authorize online transactions. This is something the more advanced banks have been doing since 1991 or so, and which many of the large american banks are still not implementing.

Financial Times Deutschland is reporting that German banks lost 70 million Euros due to phishing attacks over the last year and this figure is growing fast.

 
 

 
 
Tuesday, July 12, 2005

 
July's Microsoft security bulletin Posted by Ero @ 20:07 GMT

As every second Tuesday of each month Microsoft brings their latest security fixes. In this occasion 3 updates have been released.

MS05-035 affects several Microsoft Word versions. A vulnerability in the font parsing allows remote code execution. The vulnerability could be used to craft documents that would run malicious code and has been rated as Critical.

MS05-036 addresses a vulnerability found in the Color Management Module and could allow remote code execution. MS05-036 has also been rated as Critical.

And finally MS05-037 fixes a vulnerability in JView Profiler. According to the vulnerability description, a web page could be crafted so that it crashes Internet Explorer or even manages to run code, which could lead to the typical exploitation for installation of malware through an apparently innocuous web page. MS05-037 is, not surprisingly, also rated Critical.

We urge people running the affected versions of the Microsoft products to update their systems through the traditional channels.

 
 

 
 
Getting it right - and wrong Posted by Mikko @ 09:39 GMT

Continuing our series of how-not-to-send email.

So far, we've caught security companies RSA and CA sending out emails with masked links - just like phishers often do.

Today, we have a new example, this time from an email sent out by Internet Security System. Their email looks like it's linking to icsalabs.com but really links to "rm04.net" - whatever that is:

ISS getting it wrong (screenshot from Eudora)

However, it's not all bad. We never got feedback from RSA regarding our comments but apparently they are paying attention. I just received a marketing email from them. This time the masked links are gone and the mail starts off with a link to an explanation page. Nice! Although signing the message would be even nicer...

RSA getting it right (screenshot from Eudora)



 
 

 
 
Monday, July 11, 2005

 
London bombing trojan Posted by Patrik @ 15:40 GMT

First of all F-Secure would like to send its condolences and deepest sympathies to the families and friends of those who lost their lives in the terror attack in London.

After the 9/11 attack against the World Trade Center in New York we started to see malware that used the tragic events in an attempt to trick users into running malicious attachments. After only two weeks after the 11 september the e-mail worm W32/Vote.A@mm was found and exactly a year after the event another e-mail worm, W32/Chet@mm, was found. While Vote.A didn't spread very well the Chet worm was widespread and forced us to issue a F-Secure Radar 2 warning.

Unfortunately we've already found the first trojan that tries to exploit the London bombings. It's arrives as an attachment in e-mail messages looking like this:

London trojan e-mail

The ZIP file contains the file ''London Terror Moovie.avi <124 spaces> Checked By Norton Antivirus.exe'. F-Secure detects the trojan as 'SpamTool.Win32.Delf.h' with the update [2005-07-11_01].

Also, a hoax e-mail looking like it's coming from the British Red Cross have been reported from Australia:
Link to Australian Red Cross

 
 

 
 
Friday, July 8, 2005

 
Sven Jaschan gets 30 hours Posted by Mikko @ 16:14 GMT

Verdict info, Katharina Krützfeld from Verden court - image copyright (c) DPA
Sven Jaschan, the virus writer behind Sasser and Netsky, was sentenced today. He got a suspended jail sentence of 21 months. He also has to do 30 hours of community service.

Right after the sentencing Microsoft announced they have paid $250,000 to the two informants leading to Jaschan's arrest.

One of Jaschan's viruses, Netsky.P, is still number 4 in our virus statistics today, almost 16 months after it was released.

 

 

 
 

 
 
Symbian trojan that sends another trojan over bluetooth Posted by Jarno @ 14:03 GMT



We have received samples of rather interesting pair of trojans SymbOS/Onehop.A and SymbOS/Bootton.A.

The Onehop.A is a trojan that disables most of built in applications and replaces them with a component that causes the device to reboot when executed. Basically this means that when user tries to execute any system application or press the menu button, the device will reboot.

In addition of damaging the phone, the Onehop.A also contains bluetooth functionality by which it searches the first phone it finds and sends the Bootton.A to that device. As the Onehop.A sends copy of Bootton.A not a copy of itself, it does not replicate and thus is not a worm, only a trojan.

As the name suggests, the Onehop.A is capable of infecting devices only one hop away from the original infection, while a real worm is capable of unlimited hops.

The bluetooth functionality of Onehop.A is implemented with modified Cabir. The Onehop.A installs modified Cabir.B, that is not capable of spreading itself and sends copies of Bootton.A instead. The modified cabir is not capable of replication, so it is detected as component of Onehop.A not as a separate malware.

The Bootton.A is almost identical to the Onehop.A with the exception that it does not have the bluetooth functionality. And thus is not capable of affecting other devices,and is different enough to require other name than Onehop.

Neither the Onehop.A or Bootton.A have not been met in the wild. And as both of them pretend to be pirate copied software, people who don't install software from illegal sources do not need to be worried.

 
 

 
 
Thursday, July 7, 2005

 
Two Trojan-Downloaders seeded this morning Posted by Patrik @ 14:44 GMT

Two new Trojan-Downloaders were seeded early this morning. Both downloaders were sent in e-mails that looked like this:

Subject: Spam report

Your e-mail account was used to send a huge amount of unsolicited spam
messages during the recent week. If you could please take 5-10 minutes
out of your online experience and confirm the attached document so you
will not run into any future problems with the online service.

If you choose to ignore our request, you leave us no choice but to
cancel your membership.

Virtually yours,
Network Administrator Team

Attachment: report.log.exe


The difference between the two downloaders is that they download additional malicious components (keylogger and backdoor) from two different webservers. F-Secure detects the downloaders and the additional components with update [2005-07-07_03].

 
 

 
 
Data Security Summary for past six months Posted by Sami @ 11:36 GMT

F-Secure has just released a summary of data security events for past six months. Main topics of the summary are current issues with spam, mobile malware, phishing and traditional malware. The summary is available at http://www.f-secure.com/2005/1/.


 
 

 
 
Tuesday, July 5, 2005

 
Sasser computer worm author confesses in trial Posted by Mikko @ 16:20 GMT

Image (c) Stern
BERLIN (Reuters) - The man on trial for writing the Sasser computer worm which wreaked havoc in big businesses and homes across the world last year has confessed to all the charges against him, a German court said on Tuesday.

Katharina Kruetzfeldt, judge at the court in the western town of Verden, said Sven Jaschan, 19, admitted to data manipulation, computer sabotage and interfering with public corporations in one of the biggest Internet attacks of its kind.

Full story from Reuters.

 
 

 
 
Saturday, July 2, 2005

 
How not to send email, part 2 Posted by Mikko @ 10:17 GMT

I was complaining yesterday how RSA was sending out emails that were masking links just like phishers do.

Well, we got some feedback on the post. Turns out RSA is not the only security company doing this: Computer Associates has been doing exactly the same thing!

Here's an example of one of their security warnings:

CA Phishing

This is just stupid.

 
 

 
 
It really is out there Posted by Mikko @ 10:04 GMT

I was driving in downtown Helsinki yesterday. I stopped at a red light, surrounded by other cars. Suddenly my 9500 Communicator lit up and asked "Accept Bluetooth connection from SPA1?". Apparently this was a Bluetooth phone in one of the cars around me.

So I accepted it...and received a copy of the Commwarrior.B virus. As you would expect, the virus was detected by F-Secure Anti-Virus. But it is really sobering to see this happen to yourself, in a real live situation.

Commwarrior.B on my phone

So mobile phone viruses are not just a theory. They are out there. We had one of our developers report last week that he had Commwarrior beamed to his phone twice during one day, with one of them happening at the local McDonald's...

 
 

 
 
Friday, July 1, 2005

 
New Symbian trojan that drops Commwarrior.B and disables the phone Posted by Jarno @ 13:53 GMT

Doomboot.A(25k image)


Today we received a sample of new Symbian trojan Doomboot.A that drops Commwarrior.B and breaks the phone so that it does not boot anymore.

While other trojans have dropped several different Cabir variants, Doomboot.A is the first known trojan that drops Commwarrior. And also the technique used to break the phone is new.

What makes Doomboot troubling is the unpleasant combination of Doomboot and Commwarriors effects on the phone. The Doomboot.A causes the phone not to boot anymore and Commwarrior causes so much Bluetooth traffic that the phone will run out of battery in less than one hour. Thus the user who gets his phone infected with Doomboot.A has less than one hour to figure out what is happening and disinfect his phone, or he will lose all data.

And what makes matters worse is that the Doomboot.A installation does not give any obvious clues that something is wrong, and Commwarrior.B does not have icon and is not visible in the process list. So the installation of Doomboot.A looks very much like failed installation of pirate copied game, and user has hard time noticing that something bad is happening.

If the users phone runs out of battery or user switches off the phone, the phone can be recovered with special hard format key combination. So the actual phone hardware is not damaged by the trojan. But formatting the phone will lose all data.

If user has installed the Doomboot.A it can be easily disinfected with F-Secure Mobile Anti-Virus or with manual disinfection instructions in the Doomboot.A description

Like most of the Symbian trojans Doomboot.A also pretends to be a pirate copied Symbian game. So people who don't download and install pirate copied games or applications are safe from nasty surprises.

 
 

 
 
How not to send email Posted by Mikko @ 10:58 GMT

I got couple of emails today.

One of them was from "Marry Kimmel, eBay Billing Department team (aw-confirm@ebay.com)". It was a typical eBay phishing scam mail, with a masked link that seems to be going to ebay.com but really doesn't. Instead it goes to a rogue site named "ebay-profileupdate.com" which is hosted in UK.

eBay phishing

The second one was from "RSA Conference Europe 2005 (emea.info@rsasecurity.com)". This one was not a phishing scam but a real marketing mail inviting me to the next RSA conference in Europe. However, it also had a masked link, which seemed to go to rsaconference.com but really went to rsc03.net. Which sounds phishy.

rsaphishing

The link through rsc03.net eventually goes to the real page at RSA. But how a security company sends out messages like this is beyond me. What's the point in trying to educate users about phishing scams and how they work if the same tricks are being used by the good guys?

Ranting off,
Mikko