NEWS FROM THE LAB - August 2007
 

 

Friday, August 31, 2007

 
Sony is Awake Posted by Mikko @ 11:04 GMT

MicroVault Report

Sony Electronics phoned us today. They wanted to thank us for bringing the MicroVault incident to their attention. And they also wanted to apologize for not responding to our earlier queries regarding the incident.

We have now opened direct discussion channels with Sony Electronics and are assisting them with the investigation. We have also provided them with our internal investigation notes on the case.

We were also promised a direct contact point for future use. Just in case we would again discover a rootkit or something in Sony's products. After all, we have already done it twice…

 
 

 
 
Bank of India's Website Compromised Posted by Patrik @ 05:40 GMT

Earlier today we saw a blog post from the good people over at Sunbelt about a compromise of Bank of India's website and so we checked it out.

Bank of India


On the front page of the site a hidden IFrame has indeed been inserted and it loads a URL from another website.

Bank of India IFrame


This file in turn uses three IFrames to load three other URLs.

Bank of India IFrame


Two of the URLs are now down but the third contains an obfuscated JavaScript that uses exploits to download and run a file called loader.exe. This file is a small downloader which downloads additional files that are different password stealing trojans, additional downloaders, et cetera. We detect all of the malicious files with our latest database update.
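As an added example (not code from the original post, from Sunbelt or from F-Secure), here is a small Python check a site operator could run over a page's HTML to surface the kind of injection described above: IFrames sized or styled so the visitor never sees them, yet pulling content from a third-party host. The sample page, the audited host name and the injected URL are constructed for the demo; the real markup is not reproduced in the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not the real Bank of India markup): one legitimate
# frame, plus a 0x0, visibility:hidden frame pulling a third-party URL.
SAMPLE_FRONT_PAGE = """
<html><body>
<h1>Welcome</h1>
<iframe src="/rates/today.html" width="600" height="300"></iframe>
<iframe src="http://example-injected.invalid/in.php" width="0" height="0"
        style="visibility: hidden"></iframe>
</body></html>
"""

SITE_HOST = "www.bankofindia.com"   # assumption: the host whose page is audited


class IFrameCollector(HTMLParser):
    """Collect the attributes of every <iframe> on the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _dim(value):
    """'0', '0px', '1%' -> leading integer; None if not numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """Frame the visitor is not meant to see: zero-sized, hidden or off-screen."""
    w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return ("display:none" in style or "visibility:hidden" in style
            or re.search(r"(left|top):-\d{3,}", style) is not None)


def is_external(src, site_host):
    """True when the frame source lives on a host other than the site itself."""
    host = urlparse(src).hostname
    return host is not None and host.lower() != site_host.lower()


def find_suspicious_iframes(html, site_host):
    """Return the src of every hidden IFrame that loads a third-party origin."""
    p = IFrameCollector()
    p.feed(html)
    return [f["src"] for f in p.iframes
            if "src" in f and is_hidden(f) and is_external(f["src"], site_host)]


if __name__ == "__main__":
    for url in find_suspicious_iframes(SAMPLE_FRONT_PAGE, SITE_HOST):
        print("hidden external iframe:", url)
```

Run this against a saved copy of the front page; each hit is a URL worth fetching in a sandbox, since, as the post shows, the frame chain typically continues one or two hops before the obfuscated exploit script appears.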

Update: The malicious IFrame has been removed from the front page and it's now safe to visit the site again.
 
 

 
 
Wednesday, August 29, 2007

 
Sony's USB Rootkit vs Sony's Music Rootkit Posted by Mikko @ 14:45 GMT

Monday's post disclosed our investigation of Sony's MicroVault USM-F fingerprint reader software. Sony's software installs a driver that creates a hidden folder using rootkit techniques.

Spot the Van Zant Sony BMG music rootkit in the background!

This raises the question – while the techniques employed are similar – is this case as bad as the Sony BMG XCP DRM case (i.e. the music rootkit)?

In a nutshell, the USB case is not as bad as the XCP DRM case. Why? Because…

The user understands that he is installing software: it comes on the included CD and has a standard method of uninstallation.

The fingerprint driver does not hide its folder as "deeply" as does the XCP DRM folder. The MicroVault software probably wouldn't hide malware as effectively from (some) real-time antivirus scanners.

The Microvault software does not hide processes or registry keys. XCP DRM did.

It's also trickier to run executables from the hidden directory than with XCP. However, it can be done.

And lastly, there seems to be a use-case: The cloaking is most likely used to protect fingerprint authentication from tampering. Sony is attempting to protect the user's own data. In the DRM case, Sony was attempting to restrict you – the user – from accessing the music on the CD you bought. So their intent was more beneficial to the consumer in this case.

However – this new rootkit (which can still be downloaded from sony.net) can be used by any malware author to hide any folder. We didn't want to go into the details about this in our public postings, but we suppose the cat's out of the bag now that our friends at McAfee blogged about this yesterday. If you simply extract one executable from the package and include it with malware, it will hide that malware's folder, no questions asked.

We still haven't received any kind of response from Sony International. Sony Sweden did however confirm in a public IDG story that the rootkit is indeed part of their software.

 
 

 
 
Monday, August 27, 2007

 
Double Whammy! Another Sony Case (And it's Not BioShock) Posted by Mika @ 10:58 GMT

Biometrics – yes. BioShock – no.

Hypothetical: Imagine that you visit your local mall and browse around for stuff to buy. And you decide to buy a new CD from your favorite artist and you also buy a brand new cool USB stick thingy on an impulse. You go home and stick the CD into your laptop's CD drive. It prompts you to install some software. You do so and while you are listening to the music, you open the USB stick package and start experimenting with your new toy. It has a fingerprint reader so you install the software for that as well. Guess what… you might have just installed not one, but two different pieces of rootkit-like software on your laptop.

We received a report that our F-Secure DeepGuard HIPS system was warning about a USB stick software driver. The USB stick in question has a built-in fingerprint reader. The case seemed unusual so we ordered a couple of USB sticks with fingerprint authentication. We installed the software on a test machine and were quite surprised to see that after installation our F-Secure BlackLight rootkit detector was reporting hidden files on the system.

BlackLight Hidden Items

Many of our regular readers will remember the huge Sony BMG XCP DRM rootkit debacle of 2005. Back then, malware using rootkits was not very common, but since then a lot of malware families have adopted rootkit cloaking techniques. It is unclear whether the "rise of the rootkit" would have happened on this scale without the publicity of the Sony BMG case. In any case, a lot more people now know what a "rootkit" is than did back then.

This USB stick with rootkit-like behavior is closely related to the Sony BMG case. First of all, it is another case where rootkit-like cloaking is ill-advisedly used in commercial software. Also, the USB sticks we ordered are products of the same company — Sony Corporation.

MicroVault Boxes

The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that hides a directory under "c:\windows\". When enumerating files and subdirectories in the Windows directory, that directory and the files inside it are not visible through the Windows API. If you know the name of the directory, it is possible, for example, to enter it from the Command Prompt, and it is possible to create new hidden files there. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as in the Sony BMG DRM case), depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place.
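The behavior described above, a directory that enumeration omits but that can still be entered by name, is exactly the inconsistency a cross-view rootkit check looks for. The Python below is an added example (not F-Secure's BlackLight code and not Sony's driver): it compares what directory enumeration returns against names obtained independently and tries to open each missing name by path. The directory and file names, and the simulated cloaking filter, are placeholders constructed for the demo; the post does not give the real ones.

```python
import os


def find_cloaked_entries(parent, candidates, api_listing=None, exists=os.path.exists):
    """Cross-view check.  'api_listing' is what directory enumeration returns;
    'candidates' are names obtained some other way (a wordlist, a raw on-disk
    scan, a product's known file names).  A name that enumeration omits but
    that can still be opened by path is being cloaked from the listing."""
    if api_listing is None:
        api_listing = os.listdir(parent)
    visible = {n.lower() for n in api_listing}
    return [n for n in candidates
            if n.lower() not in visible and exists(os.path.join(parent, n))]


# --- Simulated cloaking driver, constructed for the demo ---------------------
# The real directory and file names are not given in the post; these are
# placeholders.  The "driver" strips any name starting with HIDDEN_PREFIX from
# enumeration results but leaves open-by-name untouched, which is the behavior
# described above (the folder is invisible to dir, yet cd <name> works).
HIDDEN_PREFIX = "hiddenfolder"
REAL_ENTRIES = {"system32", "explorer.exe", "notepad.exe", "hiddenfolder"}
WINDOWS_DIR = "C:\\Windows"


def filtered_listing():
    """What a cloaking filter driver lets FindFirstFile/FindNextFile return."""
    return [n for n in REAL_ENTRIES if not n.startswith(HIDDEN_PREFIX)]


def open_by_name(path):
    """Open-by-path still succeeds for the hidden entry."""
    return os.path.basename(path) in REAL_ENTRIES


def demo():
    """Run the cross-view check against the simulated driver."""
    return find_cloaked_entries(WINDOWS_DIR, sorted(REAL_ENTRIES),
                                filtered_listing(), open_by_name)


if __name__ == "__main__":
    print("cloaked:", demo())   # ['hiddenfolder']
    # On a real Windows host you would instead pass candidates from an
    # independent source and let the defaults (os.listdir, os.path.exists) apply.
```

The check only finds names you can guess or recover elsewhere; that is the point of the post's warning that anyone who knows the name can use the folder, and why a scanner needs an independent source of names rather than the filtered API alone.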

In addition to the software that was packaged with the USB stick, we also tested the latest software version available from Sony at www.sony.net/Products/Media/Microvault/ and this version also contains the same hiding functionality.

Sony USM-F Notice


It is our belief that the MicroVault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass. It is obvious that user fingerprints cannot be in a world-writable file on the disk when we are talking about secure authentication. However, we feel that rootkit-like cloaking techniques are not the right way to go here. As with the Sony BMG case we, of course, contacted Sony before we decided to go public with the case. However, this time we received no reply from them.

Reading a Fingerprint

It should be noted that MicroVaults with fingerprint authentication appear to be an older product and may no longer be manufactured. At least we had some trouble finding a reader of this type in Helsinki. Nevertheless, we did manage to find them on sale.

Note that over the weekend there was news about a suspected rootkit in the PC version of the game Bioshock. This news proved not to be true, but since BioShock apparently uses copyright protection software made by Sony there was lots of initial commotion.
 
 

 
 
Sunday, August 26, 2007

 
Targeted trojan attacks against German government Posted by Mikko @ 11:07 GMT

Bundesministerium des Innern

Yesterday Der Spiegel magazine broke the story about targeted attacks against the German ministry of the interior.

As is typical in cases like this, the malware was sent to key employees via e-mail as booby-trapped DOC and PPT files, and the stolen data was sent out to an unknown location via servers located in China.

We highlighted the risk of attacks like this in our video lecture last March. The video was recorded pretty much exactly at the time when these attacks were taking place.

We are aware of at least two other similar attacks against governments in Europe.

 
 

 
 
RTF Spam Posted by Mikko @ 09:36 GMT

Spamming evolves, part 23: We're now seeing RTF spam.

RTF Spam

When opened, the "Secure Message" turns out to be a pill-pushing spam scam:

RTF Spam

This is quite similar to the XLS spam we noted earlier this month. The main motivation in using RTF is bypassing spam filters and getting people to actually read the message (or open the attachment).

No malware was found in the RTF.

 
 

 
 
Storm Worm using YouTube Posted by Mikko @ 09:25 GMT

The latest twist with the Storm Worm / Zhelatin e-mails is that the e-mails now contain fake links to YouTube.

StormTube

In reality, the link redirects to a Zhelatin distribution site. They've added a YouTube logo to the page and the link now points to video.exe. Otherwise it's the same old game.

StormTube

 
 

 
 
Friday, August 24, 2007

 
RSS Feed Update Posted by Sean @ 15:23 GMT

We've been meaning to perform a few updates to our RSS feed for quite some time now. But until now it's taken a backseat to more important work.

This week we (specifically Kamil) found the time and made some upgrades.

So if you notice this button in your Firefox browser:

Rss Button

It now points to this:

RssLink

This RSS feed should now be compatible with Internet Explorer 7. The RDF feed has been updated as well. We're still making modifications, so it isn't absolutely official yet. Those of you that are willing to test – please do so – you can provide us feedback using the e-mail address listed at the top of the Weblog. Cheers!

 
 

 
 
Video - Storm Site Posted by Sean @ 09:05 GMT

The Zhelatin/Storm Gang has been very busy lately. Their spamming tactics have changed from sending an attachment to sending a link that directs recipients to an IP Address. The HTML used by their sites is variable, and also differs depending on the browser.

Yesterday we made a short video highlighting the details:

Storm Site

The video is available via our YouTube Channel.

 
 

Tuesday, August 21, 2007

 
Zhelatin/Storm changes yet again Posted by Patrik @ 02:45 GMT

A few times over the last week we've posted on how the e-mails used by the Zhelatin/Storm gang have changed, so we weren't too surprised to see them change once again. This time though, they look very different as they talk about "you" having signed up for different services such as MP3 World or Internet Dating.

Storm 08.21.2007


Storm 08.21.2007


Subjects we've seen used in the e-mail messages so far are:

   Cat Lovers
   Dated Confirmation
   Internal Support
   Internal Verification
   Login Info
   Login Information
   Login Verification
   Member Confirm
   Member Details
   Member Registration
   Membership Details
   Membership Support
   New Member Confirmation
   New User Confirmation
   New User Details
   New User Letter
   New User Support
   Poker World
   Registration Confirmation
   Registration Details
   Secure Registration
   Tech Department
   Thank You For Joining
   User Info
   User Verification
   Your Member Info
   Welcome New Member
   Tech Support
   Internet Tech Support


And the senders have been:

   Bartenders guide
   Bartenders Guide
   Coolpics
   Dog lovers
   Entertaining pics
   Entertaining pros
   Fun World
   Free ringtones
   Free web tools
   Game Connect
   Internet Dating
   Job search pros
   Joke-a-day
   Mobile Fun
   MP3 world
   Net gambler
   Net-jokes
   Online hook-up
   Poker world
   Resume Hunters
   Ringtone heaven
   Web
   Web cooking
   Web connects
   Webtunes
   Wine Lovers


Once someone visits the website, the text has changed a bit. It now says that you need a Secure Login Applet to be able to use the service, and the link points to applet.exe, which is of course the malicious file.

Storm 08.21.2007


Similar to previous attacks, the page also uses exploits in an attempt to infect your machine automatically when you view it – so don't.
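As an added example (not the gang's page and not F-Secure's detection code), the Python below applies the two things this post and the "Video - Storm Site" post above have in common: lure subjects and sender display names drawn from the lists, and a link that goes to a bare IP address rather than a host name and ends in an .exe. The sample messages are constructed; 192.0.2.45 is a documentation address, not a real Storm node, and the subject and sender sets are a subset of the lists above.

```python
import email
import email.utils
import re
from email import policy

# Subsets of the subject and display-name lists collected above.
STORM_SUBJECTS = {"login info", "login verification", "member confirm",
                  "new user confirmation", "secure registration", "user info"}
STORM_SENDERS = {"mp3 world", "internet dating", "poker world", "net gambler",
                 "ringtone heaven", "web cooking"}

# Links straight to a dotted-quad address, optionally with a port and path.
IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(/\S*)?", re.I)

# Constructed lure (192.0.2.0/24 is a documentation range, not a Storm node).
SAMPLE_LURE = """From: Internet Dating <welcome@example.invalid>
To: someone@example.invalid
Subject: Member Confirm

Thank you for joining. Your login and password are below.
To use the service you need the Secure Login Applet:
http://192.0.2.45/applet.exe
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """From: Alice <alice@example.invalid>
To: someone@example.invalid
Subject: Lunch

See you at noon.
"""


def storm_indicators(raw_message):
    """Return the list of reasons a message looks like a Zhelatin/Storm lure."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    display_name = email.utils.parseaddr(str(msg["From"] or ""))[0].strip().lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""

    reasons = []
    if subject in STORM_SUBJECTS:
        reasons.append("subject matches Storm list: " + subject)
    if display_name in STORM_SENDERS:
        reasons.append("sender display name matches Storm list: " + display_name)
    for m in IP_URL.finditer(text):
        path = (m.group(2) or "").lower()
        kind = "executable" if path.endswith(".exe") else "link"
        reasons.append(f"{kind} on bare IP address: {m.group(0)}")
    return reasons


def is_storm_lure(raw_message):
    """Two independent indicators are enough to quarantine."""
    return len(storm_indicators(raw_message)) >= 2


if __name__ == "__main__":
    for reason in storm_indicators(SAMPLE_LURE):
        print(reason)
```

The subject and sender lists rotate every few days, as the posts this month show, so the bare-IP link is the more durable signal of the three; keep the lists as a secondary score rather than the sole trigger.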

UPDATE: The spam runs of these e-mail messages continue and we've updated the list of subjects and senders used. Feel free to mail us if you've seen any others that we don't have on the list. Use the e-mail address listed at the top of the page.

Thanks to everyone who has sent us updates on the subjects and senders used.
 
 

 
 
Sunday, August 19, 2007

 
International Hacking Competition 2007 at UiTM, Malaysia (iHack 2007) Posted by Esz @ 09:07 GMT

We participated in a computer security event known as iHack 2007 in Malaysia as a platinum sponsor. The event was held from the 17th to 19th of August.

Banner

Basically there were eight programs that were held during this event. They were:

1. International "Hacking" Competition 2007
2. Student Computer Security Project Presentation
3. Computer Security Exhibition
4. Computer Security Seminar
5. Computer Security Awareness Talk
6. Hack And Defense Workshop
7. PC Modification and Security Competition and
8. Hacking Demonstration

Patrik

Patrik spoke on day one on "Malware And Online Crime".

Friday
The events of the first day in a nutshell.

Santeri
Santtu with the Mayor of Shah Alam, Malaysia.

Santeri
Santtu presenting the Dean of Computer Science School of UiTM, Malaysia with a check of Ringgit Malaysia 10,000.

Booth Visit
School Dean giving us a visit at the booth.

d_crowd
The crowd on the first day.

It was a tiring but fulfilling, crowd-drawing three-day event…

 
 

 
 
Saturday, August 18, 2007

 
Again new Zhelatin tactics Posted by Mikko @ 15:39 GMT

Last Wednesday we blogged about the changing tactics being used by the Zhelatin/Storm Worm gang and their "eCard for you" – themed malware spam.

The tactics are changing again. The malicious websites haven't changed; they still spread malicious msdataaccess.exe files.

However, the e-mails no longer talk about ecards. Instead, they look like these two:

Storm

Storm

Thanks to Adam from Sunbelt for spotting the latter one.

 
 

 
 
Friday, August 17, 2007

 
Run, run! Skype is falling... Posted by Mikko @ 12:12 GMT

Skype

Most of the worldwide Skype network has been down for a day now and it still has not recovered.

Skype's official word is that the problem was caused by "a deficiency in an algorithm within Skype networking software that controls the interaction between the user's own Skype client and the rest of the Skype network". Our own internal contacts within Skype also say that this was not a DDoS attack or anything else like that.

Skype

Then again: Skype's main development unit is in Estonia. Estonia's infrastructure was targeted by massive denial-of-service attacks earlier this year. This, tied together with the fact that a new denial-of-service exploit against Skype server software was posted to securitylab.ru just hours ago, has created lots of rumors about what's really going on.

Skype Exploit

The exploit is quite simple and causes Skype client software to generate a large amount of calls, freezing the server it's connected to – and causing a reconnect to another server.

 
 

 
 
Thursday, August 16, 2007

 
Hamster Souvenirs from Usenix Posted by Daavid @ 11:27 GMT

Last week, I attended the Usenix Security conference held in Boston. In addition to attending the conference, I also had a couple of free evenings to tour around the city. In one of the shops I just had to get a "hamster cube" puzzle as a souvenir to bring back to the office.

Puzzle 1

Looks scary, doesn't it?

Puzzle 2

So after some time of trying to solve it, I decided to write a program that would do it for me. Yes, it was a slow day in the office.

Puzzle Code

This simple C program took five seconds to generate a correct solution, while it took my colleague Stefan at least fifteen minutes to solve it by hand! OK, it took a while to write the program, but still…

Puzzle Solved

Signing off,
Daavid

 
 

 
 
Game.zip Posted by Jose @ 06:48 GMT

Lately, we have been seeing a lot of reports for Trojan-Downloader.Win32.Agent.brk.

Agent.BRK VStats1


This time the e-mail attachment is game.zip.

Agent.BRK VStats 24hrs


Agent.BRK reports


E-mail subjects are now related to games like the following:

   Hot pictures
   Hot game
   Here is it
   You ask me about this game, Here is it
   Something hot


We already detected the file before the spam run started to grow.

Previous posts related to this can be seen here and here.
 
 

 
 
Wednesday, August 15, 2007

 
Zhelatin gang changing tactics Posted by Mikko @ 08:16 GMT

Over the last few weeks, we've seen tons of ecard.exe spam, where fake greeting card mails have been spammed out.

The messages have not contained an attachment, just links to web sites that offer to download an ecard.exe to your machine.

Since last night, the messages have changed. You still get the normal greeting card spam:

Message Data 1

But when you follow the link, the web site now talks about the need for you to install "Microsoft Data Access" to your computer. Conveniently, they have it available for download, for free.

Message Data 2

Of course, the downloaded file msdataaccess.exe turns out to be the gift that keeps on giving. Avoid it like the plague.

Message Data 3

In general, it's a bad idea to follow such unsolicited links from e-mail. Don't even try the above URL just for fun. For example, if you access the page with an outdated version of Firefox or IE, the page will serve nasty exploit code that tries to infect your computer immediately. Opera doesn't seem to be targeted at the moment.

This operation is apparently the work of the same gang that did the original "Storm worm" run in January 2007.

We detect the latest variants as Email-Worm.Win32.Zhelatin.gg.

 
 

 
 
Patch Tuesday, August Edition Posted by Mina @ 01:27 GMT

It's the second Tuesday of this month and as scheduled, Microsoft has released several security bulletins with six critical and three important updates.

August 2007 Updates


The updates resolve vulnerabilities in several components, including Office Excel, Internet Explorer and GDI. Most of these vulnerabilities allow remote code execution and one allows elevation of privilege.

For more information as well as links for the actual patches, see August's bulletin.

As always, it's good to perform a system update ASAP.
 
 

 
 
Tuesday, August 14, 2007

 
Trojans, Online Poker and Terrorism Posted by Mikko @ 13:20 GMT

During the summer holidays, many people probably missed news stories about the sentencing of Mr. Tariq al-Daour in London.

According to this article by Brian Krebs, Mr. al-Daour had been running online fraud operations together with Waseem Mughal (aka "Abuthaabit") and Younis Tsouli (aka "IRH007" or "Irhabi007").

The trio used Windows-based trojans to steal information such as credit card numbers from normal net users. These credit card accounts were then used to make purchases at hundreds of online stores.

What kind of purchases were they making? Gear for insurgents in Iraq: plane tickets, GPS devices, night-vision goggles, sleeping bags, survival knives, and tents.

The money was apparently laundered through online poker sites (including AbsolutePoker.com, NoblePoker.com and ParadisePoker.com) as well as betting sites like Canbet.com.

The group was allegedly also planning real-world bomb attacks.

According to Newsweek, Mr. al-Daour and his accomplices were caught after the Swedish-Bosnian terrorist Mr. Mirsad Bektasevic (aka "Maximus") was caught. Bektasevic had saved one of the men's phone numbers on his personal cell phone.

The concept of Cyberterrorism has been discussed for years, but we've never really seen any concrete examples. Here we have a case where cyber-attacks are being used to fund real-world attacks.

So: It's not always just bits and bytes that get hurt as a result of online attacks.

 
 

 
 
Friday, August 10, 2007

 
FDF spam Posted by Mikko @ 15:51 GMT

After image spam, PDF spam, DOC and XLS spam, we're now seeing FDF spam.

FDF Example

FDF apparently stands for Forms Data Format. This is a form file that's read by Acrobat and other PDF readers.

The content of the file - surprise, surprise: stock spam.
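Both this FDF run and the RTF run noted above rely on the filter trusting the attachment's extension or not looking inside at all. As an added example (not code from the original posts), the Python below sniffs the real container from the leading bytes, flags a declared extension that does not match it, and pulls the field values out of an FDF so the text can be fed to an ordinary content filter. The sample FDF and RTF bytes are constructed; the assumption that the spam text sits in FDF /V entries follows from how FDF stores form data, not from the file shown in the post.

```python
import re

# Leading bytes that identify the attachment formats seen in these spam runs.
MAGIC = (
    (b"{\\rtf",                             "rtf"),
    (b"%FDF-",                              "fdf"),
    (b"%PDF-",                              "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   "ole2"),   # legacy .doc / .xls / .ppt container
    (b"PK\x03\x04",                         "zip"),    # also .docx / .xlsx
)

# Extensions that legitimately carry each container.
EXPECTED = {"rtf": {"rtf"}, "fdf": {"fdf"}, "pdf": {"pdf"},
            "ole2": {"doc", "xls", "ppt"}, "zip": {"zip", "docx", "xlsx"}}


def sniff(data):
    """Identify an attachment by content, not by its file name."""
    head = data.lstrip(b"\r\n\t ")[:8]
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def extension_mismatch(filename, data):
    """True when the declared extension does not fit the real container."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    return kind != "unknown" and ext not in EXPECTED[kind]


# FDF field values: /V (literal string), with \( and \) escapes allowed inside.
FDF_VALUE = re.compile(rb"/V\s*\(((?:\\.|[^\\)])*)\)")


def fdf_field_values(data):
    """Pull the string values of form fields from an FDF file.  Assumes the
    text is carried in /V entries, which is where FDF stores field data."""
    return [v.replace(b"\\)", b")").replace(b"\\(", b"(").decode("latin-1")
            for v in FDF_VALUE.findall(data)]


# Constructed samples (not the files shown in the posts).
SAMPLE_FDF = (b"%FDF-1.2\n1 0 obj\n<< /FDF << /Fields [\n"
              b"<< /T (headline) /V (XYZ Corp set to soar \\(buy now\\)) >>\n"
              b"<< /T (target) /V (Target price 2.50) >> ] >> >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
SAMPLE_RTF = b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Arial;}} \\f0 Secure Message\\par}"


if __name__ == "__main__":
    print(sniff(SAMPLE_FDF), sniff(SAMPLE_RTF))
    print(fdf_field_values(SAMPLE_FDF))
```

Once the field text is extracted, the same stock-spam rules that already catch the plain-text version apply to it; the container change buys the spammer nothing against a filter that looks inside.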

 
 

 
 
Domains by the Plenty Posted by Sean @ 15:17 GMT

Not very much has changed since March '06 regarding phishy websites.

At that time, we performed some domain searches using some bank names. We were recently asked about it, so we decided to repeat the experiment.

We did a simple search across com/net/org/us/biz/info top-level domains:

March 2006

Keyword          Number of Domains
citibank*                      497
bankofamerica*                 407
lloyds*                        994
bnpparibas*                     41
egold*                         691
hsbc*                         1258
chase*                        6470
paypal*                       1634
ebay*                         8057


And today?

August 2007
Keyword          Number of Domains
citibank*                      810
bankofamerica*                 656
lloyds*                       1421
bnpparibas*                     62
egold*                        1304
hsbc*                         1574
chase*                       10153
paypal*                       1653
ebay*                         9120


Not all of these sites are bad, but there are definitely some needles in those haystacks.
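As an added example (not the tool used for the counts above), here is how the "keyword*" search can be emulated over a zone or registry extract, and how the matches can be triaged for the phishing needles: anything that appends hyphens, digits or credential-themed words to the brand deserves a look first. The zone entries are constructed for the demo; the token list is an assumption based on common phishing naming, not something the post specifies.

```python
TLDS = ("com", "net", "org", "us", "biz", "info")

# Words that phishing registrations commonly append to a brand (assumption).
CREDENTIAL_TOKENS = ("login", "signin", "secure", "verify", "update",
                     "account", "confirm", "online", "support")

# Constructed zone extract; these names are made up for the demo.
SAMPLE_ZONE = [
    "citibank.com", "citibank.us", "citibankers.org",
    "citibank-login.info", "citibanksecure-update.biz", "citibank2007.net",
    "chase.com", "chasebank-verify.net", "chasers.org",
    "paypal.com", "paypal-account-confirm.info", "paypalooza.net",
]


def keyword_search(zone, keyword, tlds=TLDS):
    """Emulate the 'keyword*' search: second-level label starts with the
    keyword, restricted to the listed TLDs."""
    keyword = keyword.lower()
    hits = []
    for name in zone:
        sld, _, tld = name.lower().rpartition(".")
        if tld in tlds and sld.startswith(keyword):
            hits.append(name)
    return hits


def triage(domain, keyword):
    """Cheap signals that separate phishing needles from the haystack, based
    on what follows the brand keyword in the registered label."""
    sld = domain.lower().rpartition(".")[0]
    suffix = sld[len(keyword):]
    reasons = []
    if "-" in suffix:
        reasons.append("hyphenated suffix")
    if any(tok in suffix for tok in CREDENTIAL_TOKENS):
        reasons.append("credential-themed token")
    if any(ch.isdigit() for ch in suffix):
        reasons.append("digits appended to brand")
    return reasons


def needles(zone, keyword):
    """Keyword matches that trip at least one triage signal, with reasons."""
    return {d: triage(d, keyword) for d in keyword_search(zone, keyword)
            if triage(d, keyword)}


if __name__ == "__main__":
    for kw in ("citibank", "chase", "paypal"):
        print(kw, len(keyword_search(SAMPLE_ZONE, kw)), needles(SAMPLE_ZONE, kw))
```

Note that a name like "chasers.org" matches "chase*" without being related to the bank at all, which is why the raw counts in the tables overstate the problem and a triage pass is needed before anyone starts filing takedowns.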

Citibank Sites August 2007
 
 

 
 
Tuesday, August 7, 2007

 
FRECA Khallenge 2007 and Lucky Numbers Posted by Sean @ 11:45 GMT

Our 2007 Reverse Engineering Challenge for Assembly was held last week…

2007 Khallenge Results

It was a bit tricky to pull off this year as many members of the lab were attending Black Hat Briefings/DEF CON and were working remotely. And then there were vacations and office moves too. (An active week.)

But despite a few small glitches, everything seems to have gone off rather well. Our thanks to Sami Rautiainen for his assistance with the Khallenge.com domain.

Our three top prizewinners are: Kaspars Osis – Latvia; Otto Ebeling – Finland; and Attila Suszter – Hungary. They won, in that order, an 80GB, a 4GB and a 2GB iPod.

Kaspars was also last year's winner and retains his title. Regular weblog readers will also recognize our second place prizewinner. Otto Ebeling was the designer of last year's Khallenge during his 2006 summer employment.

Our website's statistics show that Level 1 was downloaded about 2215 times. At the time of this posting we have received 442 responses. Level 2 has yielded 136 and Level 3 has 35 correct responses. So let's say that's roughly a 20/30/25 percent completion rate.

For those of you still working on Level 2 – it's possible to debug the binary and produce a dialog box with "lucky numbers". But you need to fully reverse engineer it to determine the one true parameter that produces a valid e-mail address. That's part of the challenge. Hint: use the original binary with your parameter to test.

Here's the correct dialog:

2007 Level 2

We'll post the correct keys later. If you're interested, you can also acquire the challenge files from:
https://www.f-secure.com/security_center/asm.html

 
 

 
 
Friday, August 3, 2007

 
Black Hat briefs Posted by Mikko @ 20:49 GMT

Black Hat Briefings 2007 are safely behind us and DEF CON 15 is in full swing.

What was hot this year? VoIP. Detecting and hiding virtual rootkits. Gaining access to intranets via users that are browsing public websites. iPhone.

Black Hat 2007

Of course, having around 4000 (!) attendees in one location creates quite real problems for any conference. Despite seven simultaneous tracks in huge rooms, popular talks still left much of the audience sitting on the floor. As an example, here's a photo taken during HD Moore's and Valsmith's presentation.

Black Hat 2007

And seeing 4000 people eat lunch complete with table service together at the same time in one hall is frankly quite amazing. On the first day lunch was chicken. I think we emptied a medium-sized chicken farm.

Black Hat 2007

We did a presentation on the Status of Cell Phone Malware in 2007. A big thanks to Jarno Niemela for helping out with the live demos.

The presentation went very well and all demos succeeded although we were worried about the sometimes spotty connectivity of some US carriers. Slides are available here (PDF). Audio will be available later on Black Hat's media archives.

Black Hat 2007

Signing off,
Mikko

 
 

 
 
Thursday, August 2, 2007

 
Assembly 2007 is almost there Posted by AP @ 08:14 GMT

Assembly_2007_Booth

Greetings from Assembly 2007. The action will start at 12:00 local time, and our still empty booth is waiting for the visitors to start pouring in. We hope to see you all there! Also, some of you may have already noticed that the F-Secure Reverse Engineering Challenge II is now open!

Signing off,
A-P