F-Secure is organizing the next CARO Technical Workshop. It will be held at the end of May in Helsinki, Finland. Previous workshops have been held in Iceland, The Netherlands and Hungary.
The Call for Papers is open. We're looking for technical presentations relevant to the topic of Big Numbers in the malware field.
Maintaining your computer can be a chore sometimes, especially if you're the kind of person that's always on the go. Keeping all the programs on a computer up-to-speed with the latest updates can be a hassle. Periodically 'housecleaning' the system (like defragging the hard drive) in order to optimize performance is even less exciting.
So we'd like to help with that. We recently launched the trial version of a single tool that handles both these tasks - Updater and Tuneup - on the Technology Preview page, and we'd like to get some feedback on how well your machine performs after using the tool.
The name says it all really - the Updater component keeps track of vulnerable applications installed on your machine and notifies you when updates are available; while Tuneup takes care of the housekeeping - defragging the hard drive, checking the registry, etc - so your machine stays optimized for speed.
And to say thanks for the trouble, we're offering the following items as prizes to users who give feedback:
• 5 boxes of F-Secure Internet Security 2010
• 15 VIP Cards for F-Secure Internet Security 2010 and F-Secure Mobile Security
Giveaway is by lucky draw.
The trial version is free, and the Technology Preview period closes at the end of January 2010.
I just got my hands on a new promo item our Marketing department came out with, which looks quite interesting:
It's Mikado, an old European stick game. Basically, the idea is to carefully pick up sticks without moving the pile, in order to gain points; the player with the most points wins.
OK, so the game is rather cute, but it is supposed to convey a serious message - that IT security can be as simple as this game. Most people have the impression that IT security is complex, highly technical, frighteningly arcane, and difficult to manage.
To be fair, most people have good reason to think so. Even the language is difficult, like the latest from the Pentagon's cyber security people - the Global Information Grid Customizable Operational Picture (GIGCOP), which is just one component of their new security system (The Register article).
And even if all the 'technical' things are under control, sometimes it is possible to slip up on the "easy" stuff, like maintaining proper physical security - as in maybe not letting people use a slipper as a doorstop for a hi-tech server room. Really - that was reported in an article from The Star.
But it doesn't actually have to be that way. We'd like to have our products (and tools and services) be easy to use, and that's what we're increasingly working towards. Which I think is fairly neatly captured by drawing a parallel with Mikado.
Microsoft just released a patch to address the License Logging Server Heap Overflow Vulnerability (CVE-2009-2523). This vulnerability affects the License Logging Service (LLS), a feature which according to Microsoft is "designed to help customers manage licenses for Microsoft server products that are licensed in the Server Client Access License (CAL) model."
This vulnerability only affects Microsoft Windows 2000 Server Service Pack 4 and is rated Critical, since the service is enabled by default in that OS. It is also reachable over an anonymous network connection, and exploiting it can cause extensive heap memory corruption, which could lead to remote code execution. Newer Windows Server versions are not affected, since the service was removed as of Windows Server 2008.
So, there are these apparent MySpace phishing e-mails going around ("...please be informed that you are required to update your MySpace account, Please update your MySpace account by clicking here...")
When you follow the link, you end up on this MySpace look-alike page, hosted on various .uk domains:
Once you log on, the bad guys gain access to your MySpace credentials.
Why do they want them?
So they can pose as you on MySpace and send malicious links to your friends — who will surely follow them, as they know you and trust you…
But in this case, this is not the only thing they are after. After logging on, you get this prompt:
A New MySpace Update Tool? Really? As an executable file?
Hmm… and of course it's not. The file (md5: 4c7693219eaa304e38f5f989a8346e51) turns out to be yet another Zeus / Zbot banking trojan variant.
F-Secure Anti-Virus blocks access to the malicious domains and detects the malware.
We have located the first iPhone worm, dubbed Ikee. It's currently spreading in the wild, but it's only able to infect devices that have been "jailbroken" by their owners. Jailbreaking removes the iPhone's protection mechanisms, allowing users to run any software they want.
Affected users will find that their iPhone wallpaper has been altered to a picture of Rick Astley (of Rickroll fame) and the message "ikee is never going to give you up".
The worm targets users who have jailbroken their phone but have not changed their default root login password. It will search for vulnerable iPhones by scanning a handful of IP ranges — most of which are in Australia. At the moment, we have no confirmed reports of Ikee outside of Australia.
After Ikee infects a phone, it disables the SSH service, preventing reinfection.
To protect your jailbroken iPhone, change your root password. Here's how.
The creator of the worm has released the full source code of the four existing variants of this worm. This means that there will quickly be more variants, and they might carry nastier payloads than just changing your wallpaper, or might try password cracking to gain access to devices where the default password has been changed.
Yesterday, three people were sentenced for writing the above malware (it's a variant of the Vanbot family) and other attacks — including some DDoS action.
The sentences were: 45 days jail, 40 days jail, and 0 days jail, respectively. The sentences were probationary, so nobody actually went to jail. In addition, some fines were issued.
One thing that I have always found fascinating about Japan is definitely its rich and unique culture. However, there is just one other thing — vending machines. You not only find them everywhere, you can buy all sorts of things, including adult movies, from them (except for a security product, but that's probably just a matter of time).
Anyway, AVAR 2009 was held in Kyoto, Japan this time around and the turnout was just amazing, especially when coupled with very interesting presentations on how the threat landscape has been evolving and what every vendor is doing to tackle it.
For the first time, there were two concurrent sessions running. This year's keynote was by Jimmy Kuo (Microsoft), and he presented the key findings from Microsoft's Security Intelligence Report v7.
Interestingly, this time around there were several presentations on cloud-based security, one of which was by Dr. Igor Muttik (McAfee). In it, he mentioned the benefits of having antivirus technology in the cloud, as well as concerns surrounding privacy issues. One interesting fact he shared was that McAfee verifies the robustness of their servers every Friday by DDoS-ing themselves. Coincidentally, that's when McAfee products are scheduled by default to run a full scan.
Also, Stefan Tanase (Kaspersky) gave an entertaining presentation about the exponential growth in attacks on social media such as Facebook and Twitter. Tony Lee (Microsoft) highlighted the same point, as Microsoft found that attacks on social media are dominating the threat landscape.
It seems like most people who have gone to watch the Michael Jackson This Is It movie have told me that it is really worth watching.
However, we are not too sure if Michael Jackson's Official Website at www.michaeljackson.com is actually worth visiting now.
Well, it turned up on our systems, which indicate that some of the child pages have been compromised with malicious scripts.
At the time of analysis, the malicious scripts were not leading users to malware (yet) — but they will probably remain there until someone cleans it up and fixes the vulnerable code as well.
We will rate the site SAFE in our Browsing Protection again once the site is cleaned up.
FRA was in the news recently, as Sweden passed a law giving them legal permission to tap Internet traffic passing through Swedish national borders. For example, the majority of Russian international Internet traffic passes through Sweden.
The monitoring effectively started last month.
We have no information on who's behind the attacks.
Microsoft has just released an update for their MS09-054 patch.
Note — It is critical not to install this update if the previous MS09-054 patch has not been installed on the system, as the updated one could break Internet Explorer. Some customers reported browsing-related errors after installing said patch.
A fix is available via Windows Update, Microsoft Update and Automatic Updates.
The SIR is an incredibly detailed report that includes the analysis of data reported by Microsoft's Malicious Software Removal Tool (MSRT), which is included with Microsoft's monthly updates. Volume 7 covers January through July of 2009.
While reading through the report this morning, we were pleased to see a quote from Erka Koivunen of CERT-FI.
The quote is on Page 45 in the section called Best Practices Around the World.
This is a summary of what Finland has in its favor according to Erka:
• First, the capability to detect needs to be complemented with the ability to take action.
• Second, the lifetime of the malware infections and security breaches needs to be cut down.
• Third, the positive regulative atmosphere regarding sensible information security…
And thus:
We are just less likely to cause headaches for everybody else. In this sense, the description of Earth in the [Douglas Adams] book The Hitchhiker's Guide to the Galaxy fits Finland quite nicely as well: "Mostly Harmless."
That observation would have been better placed on Page 42.
"m00p" was a virus-writing group that had more than 10 members from various countries.
One of the gang members was sentenced in May last year. Another alleged member of the gang pleaded not guilty on Friday in a London court. Trial will continue in November 2010.
The wheels of justice are slow sometimes. Most of the alleged activities of this virus writing group were done in 2005 and 2006.