Let's suppose you have a keylogger installed on "your" computer. Would you mind? There are a number of factors to consider: who is the owner of the computer, where is it physically located, and what are the local laws in effect? If it's at work and provided to you by your employer in a country with no laws against it, then you might mind — but there's nothing you can do about it. However, if we were speaking of your personal computer located in your own home — then of course you would mind. You might even be outraged.
How about your phone?
For the last several weeks we've been researching monitoring tools and spy applications that run on the Symbian OS as well as on other mobile phone platforms. And what we have discovered is rather interesting.
We originally thought that such software would still be a rather limited phenomenon and that there would be only a couple vendors making spy tools for smartphones. But it turns out that there's quite a cottage industry that has been lying low and by and large has been able to escape attention. We found that there are several vendors either making software for Symbian smartphones or are making hardware-modified versions of just about any phone available. All phones and software we found provided a rather similar set of features.
A typical feature set includes SMS forwarding, SMS and voice call log information, remote listening, covert conference calling, and some even include localization services. This basically means that if the victim has a full-featured spy application installed on their phone, they have no privacy whatsoever and that the one controlling the software has access to all of the information that the phone has.
The spy software vendors state that their software should be used only in accordance with local laws, and that typical applications for such tools are keeping track of your spouse (in order to catch possible cheating), monitoring your children, or simply keeping track of your own phone use.
But of course the vendors take no responsibility for how their software is actually used, and in many countries such monitoring is viewed as a gross violation of personal privacy and can end in a jail sentence. And these tools have darker uses such as industrial espionage, identity theft, or stalking.
In this video (WMV)(XviD) we demonstrate the use of one of the monitoring programs that we are investigating - Acallno.A. It's an SMS spying tool that forwards all sent or received messages to an additional number configured by the individual who installed it on the target phone.
We have added the detection of Acallno.A into F-Secure Mobile Anti-Virus as spyware. Acallno.A is a pseudonym for the real software name. We are in the business of informing our customers of what is running on their phone, not promoting commercial spy utilities.
Acallno.A is limited by the target device's IMEI code, so the installer needs direct access to the phone and cannot just sneak it onto just anyone's phone. Nor can it simply be bundled into a trojan or spread by any other mass-installation method.
As monitoring tools are not always illegal, and there might be legal uses for Acallno.A or any other such software, it is possible for users to release the detected spyware so that Anti-Virus allows for its use. If you really want to do that, then please consult the product documentation.
Java Runtime Environment (JRE) 5.0 Update 8 is available. That being so, we attempted to update via the Java Control Panel applet. The result was a prompt informing us that we had the latest version.
That seemed odd so we searched for details and discovered that Brian Krebs has written a very interesting article on the matter.
To sum it up: Installing a JRE Update doesn't remove the older versions of JRE that are installed. So, any older security issues remain installed as well. You'll want to manually uninstall the old version(s) before "updating".
If you have JRE installed, read Brian's column for more details.
This week we've encountered a cross-platform worm that's capable (at least theoretically) of spreading from a PC to a mobile device and back. To be more specific, the "Mobler" worm moves between Symbian and Windows platforms. Although it's quite nasty on the Windows side, it doesn't cause much harm on the Symbian device. It just copies itself to the memory card and tries to trick the user into infecting his PC.
Technically there isn't any automatic spreading mechanism for Mobler to copy itself from one platform to another. It just creates a Symbian installation package that inserts a Windows executable on the mobile device's memory card. This executable is visible as a system folder in Windows Explorer - so it's possible for the user to accidentally open it and infect their PC while browsing the memory card's files.
Mobler poses no immediate risk to mobile device users in its present form. However, it's possible that virus writers might use it as a basis for more malicious malware. But then again, that could be said of previous cross-platform viruses and thus far a heavy hitter has failed to materialise.
For more information, see the descriptions for Mobler and Cardtrap.AK.
So you would think that they would try to avoid getting phishing sites hosted on their servers.
You know, doing the easy stuff. Like preventing people from creating new hosts with names like "pay-pal-redirect"? Or perhaps every now and then scanning user-created content to find obvious copies of eBay or PayPal login pages?
But apparently they aren't doing this. With a few trivial searches you can find several PayPal phishing sites on Tripod:
Some examples of sites that were active this morning:
Abuse messages have been sent about the above sites to both Tripod and PayPal (Update: Ten hours later, five of these sites were taken offline by Tripod).
Specifically, somebody set up a PayPal phishing site which apparently is designed to perform a man-in-the-middle attack on your password. It displays a genuine-looking login box, and guess what? You have to type in a valid PayPal user name and password — so it's probably doing a shadow login to the real PayPal site behind the scenes. Then, of course, the phisher has your password ... and credit card number, if you fill in that, too.
Luckily, we were alerted to this before it was actually spotted in the wild. We imagine the phisher is still working on going live with the site as we write this! Thanks to blog reader "Scarlet Pimpernel" for the tip-off, and to Kamil and Mikko for their research.
Needless to say, abuse notices about the phishing site have been sent.
On Monday we invited feedback - and we received e-mail from a good number of you. All but one reported the same issue that we are experiencing. The S24EvMON.exe process installed with the 9.0.4.17 driver is using an ever-increasing amount of handles and memory. Many are finding this to be the case - click here for more details.
It seems important to note that the driver is not the source of the issue; it's the associated software. So what configuration have we tested now? The Intel software has been uninstalled from Add/Remove Programs and the driver then re-installed from the Device Manager/Update Driver option using the 5.7MB download. We updated by having Windows pull the driver from the folder - not by running the update executable. Windows Wireless Zero Config doesn't have all of the extra features of Intel's PROSet, but it doesn't end up taking over all of your system resources either. So you can have the updated 9.0.4.17 driver without the PROSet services. Hopefully Intel will have a fix for the software soon as it's worth having installed.
Thanks to all those that submitted their observations.
Updated to Add: There are now reports, here and here, that Intel will post a fix to their website on Friday.
Updated to Add: Monday, August 28th. Downloaded the fix this morning from Intel and installed. Handles/Memory are stable and the PROSet is running well.
Host-based Intrusion Prevention System (HIPS) is a term commonly used for behavior blocking security software, i.e. software that monitors for potentially dangerous behavior rather than known file signatures.
This morning we blogged about a "small dog" that installs a Trojan-Spy named BZub.BL. We decided to test our IS2007 beta with old antivirus definition fingerprints to see if it would detect the BZub variant - and it did. Below is a screenshot of the alert given by the System Control component.
Note that this test used the default System Control setting of "Ask when case is unclear". In that mode our heuristics first determine whether the application appears to be harmless or whether it is something the user should be warned about. For expert users we recommend the "Ask my permission" setting, which provides the utmost control but creates more noise in the form of question dialogs.
The beta of our Internet Security 2007 is now available for download. Among the many new features is the newly designed proactive defense - System Control 2.0. We believe this version is much improved and offers better protection against 0-day malware.
If you're technically inclined and are interested in trying out the new beta, you can get it from our beta site. There's an opportunity to win an iPod for testers.
A new downloader detected as Trojan-Downloader.Win32.Small.dog was spammed earlier today with German text as its message body and an attachment named Document.doc.exe.
Seven days ago we revisited our post on Intel's Wi-Fi Drivers. The current driver release for the 2915ABG/2200BG wireless cards is 9.0.4.17. After some initial troubleshooting, we managed to get things settled and everything working fine.
Well, over the weekend we noticed that software (S24EvMON.exe) installed with the driver seems to be leaky. It's eating tons of file handles and tons of memory — and it continues to grow! See the screenshot:
We don't know if this is the case for everyone, but it seems to be the case on all the laptops we checked. (Personal and work machines.) We've submitted the issue to Intel through their customer support - let's see what we find out. Perhaps the need to patch the security problems created other issues?
Feedback is welcomed. Use the e-mail address at the top of the weblog.
Updated to add: Intel's tech support has replied. They are aware of the issue and are currently at work on it. No official release date yet. We'll let you know.
Just in case you missed our earlier post, we have a new command line version of F-Secure BlackLight.
For those of you (Sys Admins) that are interested, you can download the new tool from the same location as the GUI. You'll find instructions and some examples here. Or else just download and use "--help" to get started. You'll find the feedback e-mail address on the download page.
As you see from the image below, taken from our Virus Worldmap service, most of the reports we continue to receive from Europe are about this one malware: Backdoor.Win32.Haxdoor.KI.
We believe there's a single group, most likely from Germany, behind this and the ongoing Deutsche Telekom and eBay "Rechnung" malware spams that keep bugging European users.
There's a spam run of a new Haxdoor variant - Haxdoor.KI - now detected as Backdoor.Win32.Haxdoor.ki.
We have reports of it being spammed in both Swedish and German language messages. The Swedish attachment is a zip file named Rakningen.zip. The German attachment is named Rechnung.zip.
The text of the message and the names of the attachments are the same as the spammed malware from last Tuesday. But the malware inside this message is completely different.
Here's a screenshot of Haxdoor.KI being detected by BlackLight:
As you can see from the screenshot, we now have a command line version of BlackLight. The new command line tool is available now at www.f-secure.com/blacklight. We'll have more details on it soon.
Last week, a weblog reader e-mailed to ask about our F-Secure School Schedule. Well, it has returned. To celebrate the beginning of a new school year, our ABC pages are now online.
Two school schedules (PDF) are available as well as other fun and games. The site has been designed with kids in mind as a nice and simple way to inform them of Internet threats.
Australian band Root Kit - a favorite of ours - was the runner up in Gidol at GoogleIdol.com's Original Competition Demo. Root Kit received 4796 votes. Gidol, not affiliated with Google, holds online competitions using publicly available Google Videos.
If you have missed Root Kit's video "Patch Me Up", then you should definitely check it out at Google Video. Listen to the lyrics carefully; there's some sound security (and love life) advice in there.
There's been a spam run of a new backdoor application that we now detect as Trojan-Spy.Win32.BZub.bs.
This was spammed in Swedish e-mail messages with an attachment called Räkningen.exe or Rakningen.exe - which means "Bill" in most Nordic languages.
The actual trojan is very similar to the ones we've seen before targeting German speaking users (with "Rechnung.exe"). When run, the trojan drops a file named ipv6mons.dll which monitors user activities.
Over the weekend we received some feedback regarding our Intel driver post. It looks like Intel has made their Wi-Fi driver downloads easier to handle. The 129MB download that included both 32 and 64Bit versions of the PROSet software has since been broken into two separate downloads about 50MB each.
It also appears that sometime on the same day as our posting, Intel made a driver only download available. The download file is only 5.7MB and should be much easier to handle for those of you that have been holding off on updating.
A big Tip of the Hat to reader Robert A. for the links!
Hopefully everybody followed the advice we gave five days ago. We've just located the first bot exploiting one of the remote code execution vulnerabilities patched in last Tuesday's patch set by Microsoft.
The bot, known as Mocbot aka Backdoor.Win32.IRCBot.st is apparently only able to spread to Windows 2000 and perhaps to Windows XP SP1 computers.
Our update 2006-08-13_01 detects this bot.
The bot connects to IRC servers at:
bbjj.househot.com:18067
ypgw.wallloan.com:18067
Network admins might want to monitor connection attempts to those hosts from within their network.
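For admins who want to act on that advice, here is an added example (not part of the original post or of any F-Secure tool) that scans connection records for the two IRC servers named above. The log line format it parses is constructed for illustration; a known host is a high-confidence hit, while a bare match on port 18067 to some other host is reported at lower confidence because the port alone is not conclusive.

```python
"""Flag outbound connections to the Mocbot IRC servers named above.

Added example, not part of the original post or of any F-Secure tool. The log
format is constructed for illustration: one record per line in the form
"<timestamp> src=<ip> dst=<host-or-ip> dport=<port> proto=<proto>".
"""
import re
from dataclasses import dataclass

# The two IRC servers named in the post; both listen on the same port.
MOCBOT_IRC_HOSTS = {"bbjj.househot.com", "ypgw.wallloan.com"}
MOCBOT_IRC_PORT = 18067

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    confidence: str  # "high": known C&C host; "medium": C&C port to an unknown host


def classify(dst: str, dport: int):
    """Return a confidence label for one destination, or None if not of interest."""
    # Normalise case and a trailing dot so "YPGW.WALLLOAN.COM." still matches.
    if dst.lower().rstrip(".") in MOCBOT_IRC_HOSTS:
        return "high"
    # An unrelated service may legitimately use 18067, so a bare port match is weaker.
    if dport == MOCBOT_IRC_PORT:
        return "medium"
    return None


def scan(lines):
    """Parse log records and return hits in input order; malformed lines are skipped."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        dport = int(m.group("dport"))
        conf = classify(m.group("dst"), dport)
        if conf is not None:
            hits.append(Hit(m.group("ts"), m.group("src"), m.group("dst"), dport, conf))
    return hits


def infected_hosts(hits):
    """Internal sources that contacted a known C&C host, sorted and de-duplicated."""
    return sorted({h.src for h in hits if h.confidence == "high"})


# Constructed sample log: two true C&C contacts, one port-only match,
# one unparsable line and two benign records.
SAMPLE_LOG = """\
2006-08-13T10:01:02Z src=10.0.0.15 dst=bbjj.househot.com dport=18067 proto=tcp
2006-08-13T10:01:05Z src=10.0.0.15 dst=www.example.com dport=80 proto=tcp
2006-08-13T10:02:11Z src=10.0.0.23 dst=YPGW.WALLLOAN.COM. dport=18067 proto=tcp
2006-08-13T10:03:40Z src=10.0.0.42 dst=192.0.2.77 dport=18067 proto=tcp
this line is not a connection record
2006-08-13T10:04:00Z src=10.0.0.15 dst=irc.example.net dport=6667 proto=tcp
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.confidence:6} {hit.ts} {hit.src} -> {hit.dst}:{hit.dport}")
    print("hosts to isolate:", infected_hosts(scan(SAMPLE_LOG)))
```

Hosts that resolve the IRC names can also be caught at the DNS resolver with the same name set, which is useful when the firewall logs only IP addresses.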
We often get so-called anti-spyware applications to test. While doing so, we notice that some of them are not really into removing spyware from your system, they prefer to remove the contents of your pocket. (Rogues.) Here's a couple of funny screenshots for you to end your week with. Enjoy:
The images were captured on a virtual machine running Windows XP. Trust us, a Desktop.ini file from a clean install is not a critical risk.
It's the second Tuesday of the month and Microsoft has released a bunch of patches. Most of which affect most of you. And most of which enable remote code execution.
Nasty stuff. Like PPT files that will run code when you click on them.
The results of the F-Secure Reverse Engineering Challenge Compo can now be found at Khallenge.com.
Our three top prizewinners are: Kaspars Osis - Latvia; Igor Skochinsky - Belgium; Pasi Parviainen - Finland. They won, in the order named: a 60GB iPod, a Sony PSP, and an iPod Nano.
Two additional winners chosen from the correct answers to the third challenge are Anssi Kolehmainen and Kyynaama/Deviate of Finland. They'll be invited to lunch here at our Helsinki Labs.
Reader Daniel W. wrote: "I didn't have all that much time to spend on the Khallenge, but I doubt that I would have been able to unravel Level3 even if I had had the time. Please heap ample incentives onto Otto to make sure he stays on the side of the "Good Guys" -- I would *hate* to have to deal with a piece of true malware written by him. Thanks for the good fun!"
Otto is genuinely a good guy, so no worries there we think.
The three challenge programs each used different tricks. The last/third made a virtual code maze that you had to maneuver through. Alexander Sotirov had the coolest solution to this; he actually drew a picture of the maze in order to solve it. Nice one Alexander! Although you didn't finish early enough to qualify for prizes, we'll send you a T-shirt or something.
We have finished analyzing the latest Commwarrior variant - Commwarrior.Q.
While we were reverse engineering the sample we found an interesting feature within. The Commwarrior.Q and C variants both have an internal deactivation mechanism. Creating a file named "noboot" in the e:\system\temp folder will prevent Commwarrior.Q and C from starting when the phone is rebooted.
So to disinfect Commwarrior.Q and C:
Kill the Commwarrior process:
1. Install a third-party file manager
2. Create a file using the file manager named "noboot" in the E:\System\Temp\ folder
3. Reboot the phone
Install F-Secure Mobile Anti-Virus to finish cleaning up your phone:
1. Open the phone's web browser
2. Go to http://mobile.f-secure.com
3. Select the "Downloads" link and then select the phone model
4. Download the file and select open after download
5. Install F-Secure Mobile Anti-Virus
6. Go to the Applications Menu and start Anti-Virus
7. Activate Anti-Virus and scan all files
The Assembly 2006 party is in progress and the F-Secure Reverse Engineering Challenge Compo for Assembly '06 has officially started - exactly now. This is a competition where the target is to decode programs in order to find hidden information. The rules for the challenge can be found here.
To start the challenge, go now to Khallenge.com. The contest ends on Sunday (August 6th 2006) at 11:59 Assembly time. The competition is open to everybody worldwide. The prizes are nice: iPods, PSPs and such.
And just who is the Mystery Author of these challenge programs? We posted about this last week.
He's none other than 17-year-old Otto Ebeling. Last year Otto joined us for two weeks, and this year he spent his summer break working in our virus lab for two months.
One of last year's challenge programs captured Otto's interest and it was one of the reasons he asked to work in the lab. He wanted to meet the guys who authored the challenge. His training period went so well last year that we asked him back for summer work. And now, he's the guy that authored this year's challenge! He has also been busy developing new tools for the lab during the summer but now he's going back to school. It was great to have you with us Otto!
On Wednesday we posted about Intel's latest driver release. We have since installed the new driver on some of our machines and have some tips for those of you that aren't system admins.
While the download patches vulnerabilities, it isn't really a patch; it's a full-blown driver install with the Intel PROSet connection software included in 32/64Bit flavors. Thus 129MB.
Now let's say you install that download on, say, an IBM ThinkPad T43. Did you update the ThinkVantage Access Connections software first? If not, then the ThinkVantage software might not recognize the new driver and it could lead to a system crash. If you do have the latest IBM software then the Intel driver works but there seem to be a few small issues. Or at least on one machine the toggling on/off of the Wi-Fi radio leads to a maximum connection time of 5 minutes. Booting with the radio on to begin with works fine.
We've also seen cases where updating the Intel PROSet software makes the software lose all of your existing favorite networks and it forgets your existing WEP/WPA keys.
Currently Dell and IBM are providing driver version 9.0.4.13 for the systems we checked. Those vendor driver updates were released in May and June and it's likely that both companies will have the new Intel driver available soon. In the meantime as there are no exploits in the wild, and unless you're ready to spend some time troubleshooting your system, you might want to wait for your laptop's manufacturer to provide an update. For the rest of you, have fun!
Gergo posting from Black Hat USA 2006
Wireless Drivers - Speakers: Johnny Cache & David Maynor
The talk was mostly about different protocol vulnerabilities in wireless LANs. They spent most of the time talking about different angles of why 802.11 sucks. ;)
The interesting bit was the few minutes long video at the end of the briefing. Apparently they have found a remote overflow in a certain wireless card driver. For the demo, an Intel-based Mac was used, with a third-party wireless card. It was not really clear whether the driver was included in OS X or came with the third-party network card. Nevertheless the net result is a connect-back remote shell on the Mac. Pretty impressive, and scary at the same time...
Details have not been released on the vulnerability yet; they are still working with the vendor (Apple?) on the fix. There has not been any hint on a connection between this and the Intel Centrino fix.
The long-standing suspicion has been confirmed but there is no evidence of this affecting a widespread device/driver yet. That is, until they release more information on the vulnerability itself.
The video can be found at Brian Krebs' Security Fix column.
Centrino is not just a processor, it integrates WLAN and other features for laptops. The vulnerabilities are not related to the processor itself but to the wireless features.
The vulnerabilities are pretty awful. The worst of them "could potentially be exploited by attackers within range of the Wi-Fi station to execute arbitrary code on the target system with kernel-level privileges". So at least in theory, somebody could write a WLAN virus that would jump from one laptop to another if the laptops are too close to each other.
Patch now.
Updated to add: What's going on here? To patch one stupid device driver, you need to download a 129MB patch file? Are we missing something here?
After reading our post on Web Application Worms, XSS and social-networking sites, several bloggers have wondered why we didn't test MySpace, since that website's past security issues is what prompted our testing. Some even speculated if one of the two sites we were talking about was MySpace.
No, one of the two vulnerable sites was not MySpace. And, well, we did look at MySpace, though it was a quick and dirty test just like with the other sites and nothing comprehensive. What we found was that MySpace appears to have a lot of defenses in place for preventing XSS and those defenses seem to work pretty well. It might be a direct response to all the current attention the website is getting because of its recent security issues. It is good to see websites taking security seriously, but unfortunately we cannot say this about most websites we come across.
In the earlier post, we recommended that users should patch their machines and web developers should start coding secure applications. The truth is that patching and antivirus software protect users only when the XSS attack (which may be a web application worm) also relies on a browser exploit. In most cases, patching and traditional security tools will not protect you from XSS exploits.
The only solution lies with the web developers and administrators. Their users' security is truly in their hands alone.
The guys over at SPIDynamics have recently published an interesting paper and Proof of Concept that expand the limit of what's possible with JavaScript malware.
The Register is reporting on a 419 advance fee scam site that is intended to impersonate Interpol. Like always, the goal is to fool people into believing that they are dealing with the real Interpol website.
The scam site is quite convincing as the scammers seem to have leeched several hundred pages from the original site. The domain name doesn't raise much doubt either. The only giveaway - as Era here noticed while analyzing the site - is that much of the content, especially the news, seems to be from 2004. This might be because they leeched the content sometime during that year.
Admins might want to block www.interpolglobal.com. For your reference, the real Interpol domain is www.interpol.int.
Unlike most Commwarrior samples we have received, Commwarrior.Q is not just a hexedit of Commwarrior.B. Commwarrior.Q is a fully new variant with new functionalities.
Commwarrior.Q is based on Commwarrior.C and has the same functionality as Commwarrior.C, and more.
Like Commwarrior.C, the Q variant spreads via Bluetooth and MMS messages, and infects any memory card inserted into the device. Additionally, Commwarrior.Q searches the infected device for any SIS file installation packages and injects itself into any that it finds. That means that besides trying to spread by itself, Commwarrior.Q also tries to get users to distribute it. For example, if the user has a game installation SIS that he copies to a friend.
Commwarrior.Q is also the first Symbian malware that uses a random SIS installation file size when it replicates. The file size of the Commwarrior.Q SIS file varies between 32100 bytes and 32200 bytes. That makes it difficult to exclude from MMS traffic.
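To show why the randomised size matters to a gateway operator, here is an added example (not part of the original post or of any F-Secure product) comparing an exact-size exclusion rule with a rule that blocks SIS attachments anywhere inside the 32100..32200 byte window. The attachment records are constructed; SIS packages are recognised by the registered MIME type application/vnd.symbian.install or by the .sis extension.

```python
"""Size-range rule for SIS attachments on an MMS gateway.

Added example, not part of the original post or of any F-Secure product.
The attachment records below are constructed for illustration; the size
window 32100..32200 bytes is the one reported in the post.
"""
from dataclasses import dataclass

# Registered MIME type for Symbian installation packages.
SIS_MIME = "application/vnd.symbian.install"

# Commwarrior.Q SIS sizes reported in the post (inclusive window).
CW_Q_MIN, CW_Q_MAX = 32100, 32200


@dataclass(frozen=True)
class Attachment:
    name: str
    size: int
    mime: str


def is_sis(att: Attachment) -> bool:
    """A SIS package is recognised by MIME type or by the .sis extension."""
    return att.mime.lower() == SIS_MIME or att.name.lower().endswith(".sis")


def exact_size_verdict(att: Attachment, known_sizes) -> str:
    """Old-style rule: block only a SIS whose size matches a known sample."""
    return "block" if is_sis(att) and att.size in known_sizes else "allow"


def range_verdict(att: Attachment) -> str:
    """Rule that survives the randomised size: block any SIS inside the window."""
    if is_sis(att) and CW_Q_MIN <= att.size <= CW_Q_MAX:
        return "block"
    return "allow"


def compare(attachments, known_sizes):
    """Return the names blocked by the exact-size rule and by the range rule."""
    exact = [a.name for a in attachments if exact_size_verdict(a, known_sizes) == "block"]
    ranged = [a.name for a in attachments if range_verdict(a) == "block"]
    return exact, ranged


# Constructed traffic: two worm copies with different randomised sizes (one sent
# with a generic MIME type), one legitimate game SIS and one non-SIS image that
# happens to have a size inside the window.
SAMPLE = [
    Attachment("commwarrior.sis", 32150, SIS_MIME),
    Attachment("COMMWARRIOR.SIS", 32187, "application/octet-stream"),
    Attachment("game.sis", 418233, SIS_MIME),
    Attachment("photo.jpg", 32150, "image/jpeg"),
]

if __name__ == "__main__":
    exact, ranged = compare(SAMPLE, known_sizes={32150})
    print("exact-size rule blocks:", exact)   # misses the second copy
    print("range rule blocks:     ", ranged)  # catches both, leaves game.sis alone
```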
When Commwarrior.Q is installed it will display an HTML page in the phone's default browser after a random delay.
The sample that we received came from a regular user, so Commwarrior.Q is in the wild, but we don't estimate it to be a large outbreak as we have received only one report so far. And as Commwarrior.Q displays an HTML page stating that the phone is infected, it's unlikely that Commwarrior.Q would cause a large scale outbreak.
It's that time of the year again. This week Las Vegas will be hosting Black Hat Briefings and DEFCON 2006.
There's always something interesting going on at these happenings - last year is remembered for the Michael Lynn / Cisco controversy.
Titles of some of the more interesting topics this year include:
- Zero Day Subscriptions: Using RSS and Atom feeds As Attack Delivery Systems
- Automated Malware Classification/Analysis Through Network Theory and Statistics
- R^2: The Exponential Growth in Rootkit Techniques
- Analysing Complex Systems: The BlackBerry Case
- New Attack to RFID-Systems and their Middleware and Backends
- Analysis of Web Application Worms and Viruses
- Six Degrees of XSSploitation
- Subverting Vista Kernel For Fun And Profit
Gergo and Paolo from our team will try to provide some reports while on location.