NEWS FROM THE LAB - July 2006
 

 

Monday, July 31, 2006

 
Black swan? Posted by Mikko @ 15:23 GMT

p3pPete Lindstrom at Spire Security's weblog has an interesting post out, challenging whether it really is true that bluetooth viruses have tried infecting my phone four times so far:

  My own anecdote is that Mikko is the first person I've ever heard of who has been
  attacked by a bluetooth virus. And he's been attacked four times.
 
  Has anyone else out there ever been hit by one, or have a friend who was infected?


Read the full post here.

So: if you've ever seen a bluetooth virus in action, do post a comment to Pete's blog. Let's see if we can get any feedback about real cases. Somehow I find it hard to believe I would be the only person in the world who has seen these incoming bluetooth connections in real life.

Here's one example of my encounter with Cabir.B.

Cheers,
Mikko

 
 

 
 
Friday, July 28, 2006

 
Two massmailings underway Posted by Mikko @ 17:06 GMT

We've seen two separate spam runs with infected attachments tonight.

First one comes in an email with random header info and body text "Hi, Honey - My best photo ever!". This one contains a file called "dsc00342.jpg .exe" as an attachment. This one is detected by us as Trojan-Downloader.Win32.Small.cyy.

The second one comes in an email looking like this:

drone

postalcardThe link to all-yours.net is fake; instead the link points to an EXE file hosted at whitehat.cc.

The file is named "postalcard.jpg.exe" and is detected by us as Backdoor.IRC.Cloner.ae.

All-yours.net is a real greeting card site and has nothing to do with this case. Abuse messages have been sent about whitehat.cc domain.

 
 

 
 
Mystery Man Competition Winner Revealed Posted by Sean @ 09:17 GMT

Jpeg Properties

We have a winner for our latest competition. We received 60+ submissions, and most of them guessed correctly. The winner's (Mika) tee shirt is on its way, and for the rest, you can confirm your answer using the extra hint shown in this post's image. We'll profile the author next week at the start of the FRECA Competition.

Some of the incorrect guesses included:
- Virus writer Marcos Velasco
- Antivirus expert Peter Szor
- Heiress Paris Hilton

Good job everyone!

 
 

 
 
Thursday, July 27, 2006

 
Alert("Your new friend is a worm"); Posted by SGMasood @ 12:43 GMT

Sample of Samy worm code

Web Application Worms exploit persistent Cross Site Scripting (XSS) vulnerabilities in websites. It's a new category of malware and it's a growing concern for popular websites. Social Networking sites seem to be the most popular target as of now. MySpace has already been hit by two such worms - the Samy worm in October last year and last week's Flash worm. Samy was written by a guy who wanted to become popular on MySpace. So he designed the worm to crawl through the site while furiously adding people to his friends list. The result: over a million "friends" in a couple of hours. Last week's worm exploited a vulnerability in Macromedia Flash to redirect MySpace users to an objectionable webpage.

Last week MySpace was also the target of a malicious banner advertisement that ran on the site. It used the WMF vulnerability in Windows to serve adware to more than a million users with unpatched machines.

All this piqued our interest and we decided to see how secure other popular social networking sites are against "wormable" XSS vulnerabilities. We picked two among the top social networking sites with a reported combined user base of 80 million. Within half an hour we had discovered over half a dozen potentially "wormable" XSS vulnerabilities in each site! We stopped looking after finding half a dozen, but we are sure there are a lot more holes in there. With about a day's work a malicious attacker with a half-decent knowledge of javascript could create a worm using just one of these vulnerabilities.

Something to consider: The WMF banner ad successfully reached about one million users. An automated worm utilizing a similarly malicious WMF exploit or a similar browser expoit (maybe even a 0-day exploit) could potentially reach a much, much larger audience of unpatched machines. Theoretically, this could be the entire user base...

Recommendations -

1. End users need to patch their machines. There's no excuse not to.
2. Web application developers must start taking security seriously. Yes, XSS issues are silly, easy to find and omnipresent. And XSS issues have stopped being funny for a long time now. They are a real danger with the advent of Phishing and Web Application worms that exploit a mass user base of millions of users within a very short time.

Of course, we have reported the issues to the affected websites and are working with them to get the issues fixed. And, of course, we aren't taking any names here.

 
 

 
 
F-Secure Tee Shirt Opportunity Posted by Sean @ 11:42 GMT

Last week we promoted our upcoming Reverse Engineering Challenge. Today we have a different challenge for you. Just who is the mystery author mentioned in our previous post? The first person to send the correct answer to "nerds [at] f-secure [dot] com" will be mailed a free F-Secure tee shirt.

Here are your clues: He's in the banner photo. He was the subject of a weblog post sometime during 2005. He has 17 years of "experience".

Who is this guy?

For those of you that don't want to do any sleuthing, we'll have the answer for you next week when Assembly '06 starts.

 
 

 
 
Wednesday, July 26, 2006

 
CA vs F-Secure Posted by Mikko @ 14:13 GMT

Skulls trojanAn interesting discussion has started around comments released by one of our competitors, namely Computer Associates. The comments given by Simon Perry, a VP at CA were prompted by the mobile antivirus service that will be available for Orange smartphone users in UK.

What is interesting about the debate is that CA is indirectly claiming that Orange has made a bad decision by launching a mobile security solution. CA seems to be claiming that Orange is either ignorant of what is the real malware situation in their network or of ignoring the data they have and choosing to launch an unnecessary service. CA well knows that all mobile operators have real-time data detailing everything that happens in their networks, and simply cannot be influenced by marketing messages related to what is happening in their network.

Could it be that CA simply does not have competitive mobile security solutions and is explaining their complete lack of success in the mobile market by denying the threat?

The fact is that there are over 300 known mobile malware. That is not hype. We estimate that tens of thousands of phones have been infected so far, worldwide. Smartphones based on open operating systems are being targeted already. This means that the vast majority of phones are safe against current malware, but does not eliminate the damage caused to the users of the smartphones that are or have been infected. It is also a fact that the number of smartphones, mobile malware and infections are on the rise.

Is the threat real? Yes it is. I know, because I've been hit four times myself. Of course I'm running our antivirus on my phone, so I haven't actually been infected. But a Bluetooth virus has tried infecting my phone four times so far. Twice in Helsinki, once in Stockholm and once in London.

Protecting mobile users against current and future threats shows caring and wisdom. It should be applauded rather than criticized.

If we ignore this problem now it's only going to get worse. We can still stop this problem and avoid things getting as bad as they did with PCs.

Ranting off,
Mikko

 
 

 
 
Netscape.com hacked Posted by SGMasood @ 11:45 GMT

While we were drafting a weblog post on XSS and Social Networking sites, our man Miguel pointed us to Netscape.com.

Netscape3

Netscape.com has been hacked via a persistent Cross Site Scripting (XSS) vulnerability in their newly launched Digg-like news service. Attackers (who are obviously fans of Digg) have used the XSS vulnerability to inject their own javascript code snippets into pages on the website, including the homepage. As of now, it has only been used to display javascript alerts with "comical" messages and to redirect visitors to Digg.com!

Check out additional screenshots here and here.

Fortunately no one has tried to inject malcious code... yet.

We'll finish our draft with more on the potential dangers of XSS for you soon.

 
 

 
 
Don't fall for a fake virus outbreak warning Posted by Mikko @ 10:14 GMT

We've received several reports of a mass mailing that's going around. The messages have been spoofed to look like they are from update@microsoft.com and arrive with title "Warning! New Virus On The Internet! Update Now!".

chto

The link in the mail goes to http://update.microsoft.go.ro and downloads an IRC backdoor. Administrators might want to filter web traffic to this site.

Abuse messages on the site have been sent. The downloaded file is detected as W32/FakeMSUpdate by our latest update (2006-07-26_02).

 
 

 
 
Tuesday, July 25, 2006

 
Demo Video - Rogue Suspect Posted by Kamil @ 14:15 GMT

As Seen On TechTV?

What does a spyware researcher do? With at least part of his day, he tests samples.

Today we made some video with notes for you to follow along. Enjoy!

Video 1: demonstrates the installation of one suspected rogue - it breaks the IE browser with a Browser Helper Object.
Video 2: demonstrates the pop-ups that really push for the $ale.

The videos are encoded using standard windows codec.

 
 

 
 
Friday, July 21, 2006

 
Spy vs. Spy Posted by Sean @ 09:29 GMT

Our spyware researchers really hate the word "affiliate". Affiliate marketing drives spyware. From the worst known offenders to questionable rogue anitspyware software - affiliates trying to sell-by-any-means are the engine behind the problem.

Free Trial Offer

Known rogues install maliciously. But it's often difficult to pin down the real rogues. There's an incredible amount of just mediocre antispyware out there that isn't malicious, but they use the same marketing and sales techniques as the rogues. Lots of ads (paid for by commission seeking affiliates) - No trial period - Offering a free scan - But if it finds something you then have to pay to clean it off your system. And they really get in your face about buying. The known rogues present outright false positives - sometimes offering to clean the malware that prompted you to download the rogue in the first place. The mediocre guys might also have false positives, but due to bugs in their code, not outright lies. Adding detections for second-rate software as malware isn't something we do, but we can blog about it to help you be aware.

Many fall into a gray area and our researchers have to put them to the test. But regardless of anything else, all of these guys, malicious or not, make apparently outrageous claims. Affiliates repeat the claims over and over in ads to drive sales and get their cut.

Check out this one site we visited, which we will not name here, but it was nuker.com. They claim to have a very positive review from Download.com. Only it isn't a link, just an image. We've searched Download.com's site for the supposed review and cannot locate it, not to our surprise. Download.com is a trusted source and these guys are trying to subvert that trust to their own ends.

They also link to a Yahoo! "Headline" on their site. But if you follow the links, you find it's from the PR news section of Yahoo Business and that they themselves uploaded the article. They're quoting themselves! Think you want to try their product?

 
 

 
 
Wednesday, July 19, 2006

 
Coming Soon: Another Reverse Engineering Challenge Posted by Mikko @ 14:34 GMT

F-Secure Sponsors Assembly 2006

F-Secure is sponsoring Assembly 2006 – one of the largest demo parties in the world. It takes place in Helsinki, and it’s historically always been organized at the same time as DEF CON – so in two weeks from now.

As part of our sponsorship we're hosting an F-Secure Reverse Engineering Challenge Compo. It's a competition where the target is to decode programs in order to find hidden information. It consists of three Windows EXE files written by one mystery researcher working in the F-Secure Security Labs.

The three challenges are a set. When the programs are run, they'll ask the user for a password. Give the correct password, and you then get instructions on how to find the next challenge. The goal is to solve all three challenges. The first ones to complete the challenges will win an iPod or a PSP – See Assembly's website.

The competition will be open to all, not just those attending Assembly. More details on the rules - and on the mystery author of the challenges – soon!

Assembly

 
 

 
 
Monday, July 17, 2006

 
Exploit Wednesday Posted by Sean @ 10:27 GMT

Another Microsoft Office exploit, Bifrose.UZ, was discovered last week. It drops a backdoor using PowerPoint (PPT) files. The exploit was discovered after a limited number of people received e-mail with the PowerPoint file as an attachment.

So what's the deal with Microsoft Office and why the exploits? There were Word fixes in June - Several Excel fixes were included in July's patches - And now there is a PowerPoint exploit that will need to be patched in August. See a pattern?

Hat Trick of Expliots

There's a growing trend here. We've been saying for some time that the lack of large virus outbreaks is evidence that the malware environment could be getting worse, not better. The bad guys want to make money - not make attention. So as a malware author, if you want to target a few prominent companies for the purpose of industrial espionage, you design your exploit to attack them within and then lay low. Spoofed e-mails are sent to company insiders and they, thinking it's just another document that they need to review, open it up and the backdoor gets installed.

The bad guys are taking advantage of three things:

The first is the patch cycle itself. These new exploits are being released after the second Tuesday of each month to maximize its lifespan.

The second is the common day-to-day routine of receiving Office files. There haven't been any new macro viruses to speak of for some time and so Office files (doc/xml/ppt) easily pass through corporate firewalls and people don't think twice about clicking on them. This avenue of attack is currently under the radar and is not perceived as a danger by end users.

And the third advantage is that the companies exploited don't want to talk about it. They dread the negative publicity as a victim of espionage. That's why the public doesn't know the name of last month's Excel exploit victim. Such hush-hush may be keeping some of these exploits from being reported.

 
 

 
 
Wednesday, July 12, 2006

 
Man-in-the-middle phishing Posted by Mikko @ 11:26 GMT

http://www.flickr.com/photos/chikawatanabe/135652122/

The first ever case of using a man-in-the-middle attack against an online bank was reported by Brian Krebs of Security Fix on Tuesday.

The security industry has long predicted this type of man-in-the-middle attack; it was only a matter of time. The attack targeted Citibank's Citibusiness service and was designed to spoof the token key hardware device used by the bank's customers. The phishing site checked the logon credentials with the real site before rendering the results to the phishing victim. Enter an invalid password, and you got an invalid logon page. A man-in-the-middle attack checks everything done at the phishing site against the original, so everything should look and feel more genuine.

Exactly the same kind of attacks can be used to target other types of two-factor authentication, including one-time password sheets.

 
 

 
 
More on Updates Posted by Sean @ 11:11 GMT

With spear phishing on the increase, you shouldn't neglect visiting Microsoft Update this month. There are a good number of Office patches to be downloaded and Excel has the most with eight different vulnerabilities. Even Excel Viewer 2003 requires a patch. Users don't update Office as often as the Windows OS and it's increasingly becoming a target for more focused spear phishing attacks. Your company could be next - update soon.

July's Excel Vulnerabilities

And now for something completely different: Daylight Savings Time 2006 was adjusted in Australia to accommodate the Commonwealth Games. If you live down under, it's time to adjust the system time back to the standard dates. G'Day!

Australian DST

 
 

 
 
Tuesday, July 11, 2006

 
July bulletins are out Posted by Mikko @ 19:25 GMT

Microsoft has just released the latest security updates, with critical updates affecting Windows and Office.

Details at
http://www.microsoft.com/technet/security/bulletin/ms06-Jul.mspx, updates at http://update.microsoft.com/microsoftupdate/.

 
 

 
 
Monday, July 10, 2006

 
Wr0ld Cup Results Posted by Sean @ 13:02 GMT

Our resident Italian has something to celebrate today! Italy's football team won the World Cup, 5-3 on penalties after a 1-1 tie with France.

ItalyPoll

Italy received 3.9% of the votes in our June 9th poll. Our congratulations to Italy.

Paolo

You can Be Sure that's coffee in the mug at Paolo's side�

 
 

 
 
Yet Another Name Posted by Kamil @ 11:04 GMT

Last Friday we posted on rogue anti-spyware. Also on Friday, Alex Eckelberry of SunbeltBlog posted on a new rogue named SpyHeal. It is believed that SpyHeal is probably a replacement for SpywareQuake.

SpyHeal

Take a look, SpyHeal is one of the results of our "Privacy Policy" search. SpywareQuake is there too! We have no doubt that they are related. Kudos to Sunbelt.

 
 

 
 
Saturday, July 8, 2006

 
$pyware Economics Posted by Sean @ 06:17 GMT

Spyware

On April 7th we posted about New York's lawsuit against Direct Revenue.

BusinessWeek has been examining the court documents and they have a very interesting article, The Plot To Hijack Your Computer, and related items detailing Direct Revenue's business model.

There's also a podcast for those of you on the go. Check it out.

 
 

 
 
Friday, July 7, 2006

 
What's In a Name? Posted by Kamil @ 14:53 GMT

There's a category of software that's rather difficult to define, or at least to name. Many term it as potentially unwanted applications or software (PUA/PUS). Companies pushing this type of software use every possible means to get you to download as many copies of their product as possible. Spamming, pop-ups, hijacking start pages, etc. Sound familiar?

ErrorSafe

What are we speaking of? Rogue anti-spyware and other so-called system optimization utilities. And they aren't just pushing one version, they're pushing many.

SystemDoctor

Some of these guys create one engine and then sell it under multiple names and interfaces. Their websites even look like they are copied from the same template. The sales pitch typically includes a "free" scan. The results of the scan are often doctored with items that you should remove or fix. Except in order to do so, you now need to buy a license.

Check out the results of this Google search. Most of the results are of suspected rogues and are hosted on the same server. What did we search for? A block of text from one site's privacy policy. Either all of the sites borrowed exactly the same text from each other, or they are in fact the same organization.

If your product is legitimate, why do you need 30 or more names for it?

 
 

 
 
Preview of Next Tuesday Posted by Sean @ 14:48 GMT

Microsoft released their Advance Notification
Bulletin
on the 6th of July. Next Tuesday's update will include four Windows updates and three Office updates.

 
 

 
 
Wednesday, July 5, 2006

 
Still Living in 1998? Posted by Sean @ 10:32 GMT

ChinaWin98

The second Tuesday of this month brings something else in addition to Microsoft Security Updates. July 11th will also mark the end of Windows 98/ME technical support. It's now the end of their lifecycle. At least at Microsoft.

According to IDC figures, there are an estimated 70 million 98/ME machines still in operation worldwide. Searching for news stories on the topic yields a good number of results from India. Older hardware and the costs of upgrading can be a very limiting factor for some.

So what to do if you're still running an older OS? Make sure that you have a good antivirus product and a firewall. Check out Microsoft's Security At Home 98 & ME for more information. (You'll find special offers for our F-Secure Internet Security and Anti-Virus products there.)

If you're still holding on to older hardware because you're a hobbist, you might also consider trying out a lightweight distribution of Linux. Live CDs make it quite easy to give it a try.