Monthly Archives - September of 2005
 

Friday, September 30, 2005

 
A new Symbian trojan that locks the phone MMC card Posted by Jarno @ 13:27 GMT



SymbOS/Cardblock.A is a Symbian trojan that is the first known trojan to attack phones MMC card. SymbOS/Cardtrap.A used phones MMC card in trying to get users PC infected with Win32 malware, but Cardblock.A is the first one that actually attacks the MMC card itself.

SymbOS/Cardblock.A is a trojanized version of Symbian application InstantSis created by Biscompute.

When installed Cardblock.A appears be a cracked version of InstallSis providing user with ability to repack already installed SIS files and copy them to another device.

However when user tries to use Cardblock.A to copy an application, a payload triggers that blocks the MMC memory card of the phone and deletes critical system and mail directories.

Blocking the memory card is done by setting a random password to the card. So that after the phone has been once rebooted, the card is no longer accessible on the phone or any other device, without entering a password. And as the password is a random code, that is not provided to user, the card and it's contents are unusable until unlocked.

Deleting system directories destroys information about installed applications, users MMS and SMS messages, phone numbers stored on the phone and other critical system data. Which means that user loses access to applications he has installed into the phone, and his phone numbers and other important data.

Some phone such as Nokia 6670 and Nokia 6600 survive from deletion of system directories quite easily, just a reboot and phone is usable. But the user data and MMC card are still lost.

Unfortunately some phones that use newer versions of Symbian OS, such as Nokia 6630 are hit harder. These phones will fail to reboot and display message that requests the phone to be taken to maintenance. However the phone can be recovered with special hard format key combination.

The picture in this blog entry is from one such phone. The message is in Finnish which translated in English means, "Connection to phone failed, please contact supplier of the phone". The interesting bit is that we had the phone set in English when infecting it, but the Cardblock.A damages the OS so badly, that after reboot it even doesn't remember which language it should use.

Database update for F-Secure Mobile Anti-Virus has been published and it is capable of detecting and removing Cardblock.A. We are still working on how to get locked MMC cards functional again.

Needless to say that the Cardblock.A is not a threat to people who don't use pirate copied software, as it pretends to be a pirate copied version of commercial application.

 
 

 
 
Greetings from HITBSecCon2005 Posted by Mikko @ 06:05 GMT

The last two days have been busy at the HITBSecCon2005 data security conference in Kuala Lumpur, Malaysia.

HITBSecConf2005

I was happy to be asked to do a keynote presentation for this international audience of 400 computer security experts. My presentation discussed currently known mobile phone malware, complete with live demos of phones getting hit by trojans. We did this by having a cameraman shoot my phones and broadcasting the video feed to the projector.

The other keynote presentation was given by Tony Chor from Microsoft. He discussed new security features of Internet Explorer 7.

HITBSecConf2005

IE7 will ship with Vista and later it will also be available for XPSP2. Among the new security features was something called "Phishing Filter". This feature will allow end users to report suspicious websites to Microsoft, and when a site gets several reports, it will start to get labeled as suspicious to all the other users. Makes you wonder how many users will report microsoft.com as suspicious?

The feature seems to be already active. I wrote down the URL of the server that was visible in Tony's demo and it seems to resolve already from public internet.

This might or might not be related to the new anti-phishing feature included in Microsoft Outlook 2003 Junk Email Filter Update which was released on Wednesday.

PS. No obligatory quote of broken English this time...but check out this sign for a fire exit. I don't know why, but for some reason it makes me strangely nervous.

HITBSecConf2005

Signing off from Kuala Lumpur,
Mikko

 
 

 
 
Tuesday, September 27, 2005

 
Commwarrior sightings and some mobile malware statistics Posted by Jarno @ 12:52 GMT

mobile_count_9_2005 (7k image)

Lately we have received increasing number of queries about just how many known mobile malwares are out there. So we decided to do some statistics on how many cases we have seen and how frequent the cases actually are.

Currently the total count of known malware is 87 of which 82 run on Symbian series 60 platform.

Symbian malware is the vast majority in all mobile malware, but in our opinion this is not because Symbian would be any more insecure compared to other mobile platforms. The large number just shows how popular Symbian devices are, and thus they are the most interesting target for malware authors.

F-Secure Mobile Anti-Virus has been able to handle 61 (74%) cases of Symbian malware with generic detection. Which means that the Anti-Virus has been able to detect and stop the malware without needing database updates. Which in turn means that the user has been protected even before we have received the first sample.

Also we have received new reports about Commwarrior infections in new countries:

1. Ireland
2. India
3. Oman
4. Italy
5. Philippines
6. Finland
7. Greece
8. South Africa
9. Malaysia
10.Austria
11.Brunei
12.Germany
13.USA
14.Canada
15.UK
16.Romania
17.Poland
18.Russia
19.Netherlands
20.Egypt

 
 

 
 
This...is CNN Posted by Mikko @ 11:09 GMT

cnn

I gave a live interview with CNN International this morning at CNN Center in Hong Kong.

The whole event was quite surprising. I've previously visited CNN London, and everything there
was very tightly organized and controlled. In Hong Kong things were quite different...

cnn

We arrived to the CNN Center early in the morning, well before the scheduled broadcast of 07.30.

After taking the elevator to the right floor, a lone clerk greeted us from his desk. Reading from a
paper, he asked if we were the party of "Miko Hypponen". After telling him that yes we were,
he directed us to go up a floor to the broadcasting studio.

We walked in to an open-air office only to realise we were already live on-the-air: the cameras
were shooting the CNN anchors in the other end of the room and we were now part of their backdrop!

cnn

We walked all the way up to them...close enough to read their teleprompters. Scary. Otherwise the office seemed pretty deserted.

cnn

A helpful lady showed us to a side room to wait until our scheduled time would come up.

So there we were, watching CNN Today at the same time live from the TV...and live for real.

cnn
CNN anchor Kristie Lu Stout (of the Spark fame) and Jari

Finally a guy showed up to mike me, and he promised to let me know when it would be the right time to get to the show.

After a few minutes the time came and I gave a generic interview on how virus writers have changed and how we're seeing the
virus situation in Asia. Nothing really groundbreaking there.

But here's a nice shot of me with Hugh Riminton and Kristie Lu Stout.

cnn

Signing off from Hong Kong,
Mikko and Jari

 
 

 
 
Monday, September 26, 2005

 
What a nice magazine Posted by Mikko @ 10:40 GMT

infoworldInfoworld boxInfoworld is an excellent magazine. For example, go and read the latest issue, where F-Secure Anti-Virus Client Security 6.0 beats all the major competitors in a large review.

To quote the magazine: "Support for real-time protection also varies among vendors. McAfee’s, Trend Micro’s, and Tenebril’s versions allow the malware to install, but prevent it from executing, thus leaving it installed but neutered until a removal scan is started. Others, such as Sunbelt CounterSpy, block most malware installs while missing others, and, like Trend Micro, remove existing traces on next scan. F-Secure did the best job of preventing initial installations, blocking all spyware and malware attacks."

 

 

 

 

 

 

 
 

 
 
Friday, September 23, 2005

 
A different look at Bagle Posted by Gergo @ 13:59 GMT

"Okay, I hear a lot about these computer viruses but what do they actually look like?" – goes one of the most frequently asked questions we get. We have been working on some visualizations projects trying to answer that. We have mentioned our efforts in graphing malware earlier. The latest attempt is a 3D animation that visualizes the structure and execution of the W32/Bagle.AG@mm worm.



The boxes in the picture are functions of the worm. The one on the top is the "main" where the execution starts. The first ring contains all the functions that "main" calls. The second all the functions that the ones on the first ones call and so on. All connecting lines represent the calls from one function to the other. Red boxes belong to the virus code while the blue ones are API calls library code that do not belong to the malicious code.

For the curious minded, the animation was created using IDA Pro, IDAPython, Blender and some custom scripts.

The animations can be downloaded in the following formats:
Windows Media 9 (9.7 MiB)
Quicktime (9.3MiB)

 
 

 
 
Thursday, September 22, 2005

 
Going Gold Posted by Mikko @ 09:01 GMT

We started the production of the latest version of our home user product F-Secure Internet Security 2006 yesterday.

This meant that we shipped 42,000 boxes of the product to retailers across Europe to cover the initial demand.

The public launch of the product is next week.

Take a look at the piles of antivirus, photographed at our production factory.

F-Secure factory

 
 

 
 
The Spyware Who Loved Me Posted by Mika @ 08:24 GMT

The legendary Handler's Diary from ISC has an insightful and even funny story on a rootkit discovery set in a James Bondish setting. Note that ISC also suggests that Firefox users should update their browser to 1.0.7 due to vulnerabilities. We definitely second that!


 
 

 
 
Wednesday, September 21, 2005

 
First Symbian trojan that tries to attack PC Posted by Jarno @ 13:47 GMT

cardtrap_a_folder_crop (15k image)

Now as the Bagle situation has calmed down we have time to blog about other interesting case we got yesterday.

SymbOS/Cardtrap.A is otherwise unremarkable Symbian trojan, except that it also tries to infect users PC if user inserts the phone memory card to PC.

When infecting Symbian phone the Cardtrap.A copies two Windows worms (Win32/Padobot.Z and Win32/Rays) to the memory card of the phone. Padobot.Z is copied with autorun.inf file in attempt to start automatically if the card is inserted to PC using windows. Rays is copied with filename SYSTEM.EXE and same icon as the System folder, this is done as social engineering attempt so that user would click on Rays instead of System folder.

To our knowledge, no Windows version supports autorun from a memory card, but it still might work with some Windows version and third party driver combination.

The goal of the trojan is most likely to cause user to infect his PC when he is trying disinfect his phone. A typical reaction of more advanced user who would encounter trojan like Cardtrap, would be to insert the phone memory card to PC to copy file manager or disinfection tool to the card. Only this time a careless user might to get his PC infected in process.

Both Padobot.Z and Rays are detected by F-Secure Anti-Virus, and we have added detection and disinfection for them also for F-Secure Mobile Anti-Virus

 
 

 
 
Tuesday, September 20, 2005

 
It's a record! Posted by Mikko @ 18:46 GMT

F-Secure Anti-virus Client SecurityThis probably isn't too interesting to most of you but here goes anyway:
we've just broken our record in number of antivirus definition updates per day we've ever published!

We're right now at 11 updates for today and update 2005-09-20_12 is going to go out shortly.

So there.

 

 

 

 

 

 

 
 

 
 
Jigsaw Piece - 657 Posted by Katrin @ 15:35 GMT

Jigsaw
 
 

 
 
Another Bagle round Posted by Katrin @ 15:35 GMT

Seems we will have another Bagle round today. A new variant is taking off right now. We are calling it Bagle.BK and it is detected with update 2005-09-20_07.
 
 

 
 
Monday, September 19, 2005

 
Bagle showdown Posted by Mikko @ 20:42 GMT

bagleshow
It's been quite a ride tonight with tons of new, slightly different Bagle variant being seeded.

So far tonight we've seen these Bagles:

 Email-Worm.Win32.Bagle.cy (aka Bagle.BI)
 Email-Worm.Win32.Bagle.cz
 Email-Worm.Win32.Bagle.da
 Email-Worm.Win32.Bagle.db
 Email-Worm.Win32.Bagle.dc
 Email-Worm.Win32.Bagle.dd
 Email-Worm.Win32.Bagle.de
 Email-Worm.Win32.Bagle.df

Bottom line: if your organization is still, in year 2005, accepting incoming executable attachments in email, now might be a good time to rethink your strategy. Because it looks like these guys won't be stopping any time soon.

 
 

 
 
New Bagle spammed Posted by Katrin @ 15:35 GMT

We got reports of a new Bagle dropper - Bagle.BI. Looks like it has been spammed a lot today. We have published the urgent update (Version=2005-09-19_04) to detect it.
 
 

 
 
Mapping spam Posted by Mikko @ 06:14 GMT

mailinator

The Mailinator is a service that provides throw-away email addresses you can use for web registrations - similar to spam.la.

So the system ends up getting lots of spam.

Now here's the cool part: they've created a realtime map using Google Maps to actually show you where the spam is coming from.

Or actually it shows the location of the proxy - ie. the grandmother whose home computer was taken over by Mydoom, Bagle, Mytob or any of the gazillion other viruses that install spam proxies as their payload.

Take a look at http://mailinator.com/mailinator/map.html

 
 

 
 
Friday, September 16, 2005

 
Typosquatting Posted by Mikko @ 07:01 GMT

nortpnantivirusRemember the Googkle.com case?

We just noticed that some clown from Panama has been registering typosquatting domains like
"www-f-secure.com" and "wwwf-secure.com". Which at the moment point to a web site called "nortpnantivirus.com". Oh well.

At least this site isn't used for phishing or for downloading trojans.

Edited to add: These guys are fairly serious, looking at the amount of security-related domains they've registered (over 150!). These include:

 f-secue.com
 mesagelabs.com
 mcafeeantiviru.com
 bitdefneder.com
 pestpatorl.com
 wwwbullguard.com
 pandafirewall.com
 sendamil.org
 centralcomand.com
(Thanks, Micha!)

PS. Here's two photo collections posted by visitors to our lab. Especially the picture set from Trifinite really shows Helsinki at it's best...

Album from Silicon.com
Album from Trifinite

 
 

 
 
Thursday, September 15, 2005

 
17-year old confesses Paris Hilton phone hack Posted by Mikko @ 05:16 GMT

Image Copyright (c) Richard C. Soria 2
An American teenager has confessed hacking into Paris Hilton's mobile phone.

As you might or might not recall, this case had nothing to do with phone viruses or Bluetooth attacks: access to her Sidekick phone's web interface was gained with traditional social engineering tactics.

While at it, the kid also confessed hacking into AOL, hacking and later DDoSing the network of a telephone operator and calling in bomb threats to high schools.

This story was once again scooped by Brian Krebs at Securityfix.

 

 
 

 
 
Wednesday, September 14, 2005

 
Some thoughts about Bluetooth and Cabir spreading Posted by Jarno @ 10:49 GMT

Cabir_infecting (13k image)
Lately there has been discussion in some medias, that point out that the mobile worms that we have seen are nothing but hype and no one in their right mind would get infected with something as simple as Cabir or Commwarrior.

As all currently known Symbian trojans and worms display several warnings, it would be easy to blame any user who got phone infected being stupid or ignorant. However when starting to investigate why people get infected by Cabir and other Bluetooth worms, it turns out that the explanation is not as simple as one would think.

Firstly there are several Symbian software that require Bluetooth to be visible in order to work properly. And some of them either switch on the Bluetooth without asking from the user, or display activation question in such manner that user is likely to answer yes.

Then there are several social networking applications that use Bluetooth such as YOU-WHO and CrowdSurfer. Which enable people to use Bluetooth for social networking and gaming, thus lowering the bar for accepting any connections and files from unknown persons.
And there even is an art project, that is based on searching Bluetooth devices that are visible and contacting people.

And finally most Cabir variants are quite aggressive in spreading, and keep sending the Bluetooth connection requests, even when user clicks no to them. Thus potentially causing the user to get frustrated to these requests and start clicking yes to all questions.

To demonstrate this effect, we have shot videos of Cabir bombarding another phone, and commwarrior trying to hit all the phones it sees at the same moment.

A video of Cabir infecting another phone (WMV 17.2MB file)

A video of Commwarrior trying to connect several phones at the same time (1654k file)

On the other news, we added description for SymbOS/Doomboot.D a very close variant to Doomboot.C. Doomboot.D is otherwise minor case, except that it contains real pictures of Angelina Jolie, so it might spread among people who download illegal content.

Also we have updated the list of Commwarrior sightings.

1. Ireland
2. India
3. Oman
4. Italy
5. Philippines
6. Finland
7. Greece
8. South Africa
9. Malaysia
10.Austria
11.Brunei
12.Germany
13.USA
14.Canada
15.UK
16.Romania
17.Poland
18.Russia

 
 

 
 
Tuesday, September 13, 2005

 
We're entering hardware business! Posted by Mikko @ 09:13 GMT

This is what Microsoft must have felt when they started selling Microsoft mice...

We've been a software company for 17 years. But today we started selling our first harware product, ever. Which is cool.

The box is called F-Secure Messaging Security Gateway. It's a 1U-sized rack-mountable appliance that sits next to your email server and filters spam and viruses from the message traffic, automatically.

We're really excited about this new technology. Read all about it from our product pages.

Jarkko & Ero & F-Secure Messaging Security Gateway

Edited to add: Ok, turns out Microsoft's first hardware product was not the Microsoft Mouse but the Microsoft SoftCard released in 1980. It pre-dates the mouse by three years... (thanks, Matt!)


 
 

 
 
Monday, September 12, 2005

 
The price is right Posted by Mikko @ 20:11 GMT

Series of Bagle downloaders have been spammed tonight in slightly variable ZIP files.

The ZIPs always contain a CPL control panel extension, typically named with the word "price" in it.

 CPL

We detect these as variants of the Email-Worm.Win32.Bagle family.

 
 

 
 
Saturday, September 10, 2005

 
Bot herder websites come and go Posted by Mikko @ 18:20 GMT

Websites that specialize in distributing source code and tools for malicious bots and botnets pop up and disappear all the time.

Examples of high profile bot sites that have disappeared include ryan1918.com and 0x90-team.com.

Another such site, known as "Neo, The One", went offline on Friday. This site was hosted in Argentina.

neo-theone.com.ar

In fact, some bot distribution sites have started to charge money for downloading source code of bots such as rxBot, ForBot or SdBot.

  a_unix

 
 

 
 
Thursday, September 8, 2005

 
Rootkits at the Whiteboard Posted by Mika @ 07:26 GMT

Image copyright (c) Zdnet.com
Zdnet's excellent "At the Whiteboard" video series has released a short educational video on rootkits. If you are new to the concept of rootkits you really should take a look.

While the video somewhat lacks in technical accuracy, I really liked the "these are not the droids you're looking for" Star Wars analogy.

 

 
 

 
 
Monday, September 5, 2005

 
The 32nd APECTel meet Posted by Mikko @ 04:44 GMT

"The 32nd APEC Telecommunications and Information Working Group Meeting: APEC - OECD Joint Workshop Plenary" - now that's a mouthful.

Greetings from Seoul, Korea!

There's a workshop going on between APEC economies and OECD countries on spyware (and related issues).

apectel

Some interesting new stuff has been announced here, including new research from Japanese National Institute of Information and Communications Technology (NICT). Their presentation (which is available for download here) has interesting graphs on virus-generated DDoS traffic.

Another interesting thing: have a look at this photo of my conference badge:

apectel badge

thisplus
That looks like a RFID chip, doesn't it? First time I've seen RFID used in conference badges.

And lets end with the almost-mandatory example of mangled English you seem to see everywhere in Asia...

Signing off,
Mikko

 

 

 
 

 
 
Friday, September 2, 2005

 
Hunting the bad guys Posted by Mikko @ 11:59 GMT

Latest Wall Street Journal writes about tracking down virus writers (including Benny from 29A). The main figure in the article is Peter Fifka. Peter is an ex-cop how is now working for Microsoft. He's known in the industry as one of the best investigators in this field.

Article on wsj.com ($), free reprint in Pittsburgh Post-Gazette.

And the latest issue of TIME writes about Mr. Shawn Carpenter who spent months tracking down a Chinese hacker ring, only to be fired himself.

Article on TIME.com, one-page print version here.

 
 

 
 
Thursday, September 1, 2005

 
"Hurricane Katrina" spam message downloads trojans Posted by Mikko @ 19:54 GMT

We've received some reports from people who have received a spam message with subject fields like "Katrina killed as many as 80 people".

The message seems to contain a news article on the devastation caused by hurricane Katrina:

katrina spam

However, if you follow the "Read more" link, you end to a website called "nextermest.com":

nextermest.com

This site is just a placeholder, which will refresh to a page that tries to download the Trojan-Downloader.JS.Small.bq malware to the computer.

Avoid the site. Abuse messages have been filed for it.