Call for Papers: CARO2010 Workshop

F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Copyright (c) 2007 F-Secure Corporation. All Rights Reserved. tag:www.f-secure.com,2009-11-20:%2Fweblog%2Farchives%2F00001821.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com F-Secure is organizing the next CARO Technical Workshop. It will be held in the end of May in Helsinki, Finland. Previous workshops have been in Iceland, The Netherlands and Hungary. Call for Papers is open. We're looking for technical presentation relevant to the topic of Big Numbers in malware field. <a href="http://caro2010.org"><img border="1" src="http://www.f-secure.com/weblog/archives/caro2010web.png" alt="caro2010 CARO 2010"> </a> For more information, please see <a href="http://caro2010.org">CARO2010.org</a>. On 19/11/09 At 12:51 PM 2009-11-20T05:40:09Z 2009-11-20T05:40:09Z Call for Papers: CARO2010 Workshop tag:www.f-secure.com,2009-11-20:%2Fweblog%2Farchives%2F00001820.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Maintaining your computer can be a chore sometimes, especially if you're the kind of person that's always on the go. Keeping all the programs on a computer up-to-speed with the latest updates can be a hassle. Periodically 'housecleaning' the system (like defragging the hard drive) in order to optimize performance is even less exciting. So we'd like to help with that. We recently launched the trial version of a single tool that handles both these tasks - Updater and Tuneup - on the <a href=" http://www.f-secure.com/en_EMEA/downloads/beta-programs/home-office/updater-and-tuneup/index.html">Technology Preview</a> page, and we'd like to get some feedback on how well your machine performs after using the tool. <img src="http://www.f-secure.com/weblog/archives/updater.PNG" alt="updater" width="700"/> <img src="http://www.f-secure.com/export/system/fsgalleries/is2010/FSC_IS2010_Left_200x240.png" align="left"> The name says it all really - the Updater component keeps track of vulnerable applications installed on your machine and notifies you when updates are available; while Tuneup takes care of the housekeeping - defragging the hard drive, checking the registry, etc - so your machine stays optimized for speed. And to say thanks for the trouble, we're offering the following items as prizes to users who give feedback: &nbsp;&nbsp;&bull;&nbsp;5 boxes of F-Secure Internet Security 2010 &nbsp;&nbsp;&bull;&nbsp;15 <a href="http://campaigns.f-secure.com/vip2010">VIP Cards</a> for F-Secure Internet Security 2010 and F-Secure Mobile Security Giveaway is by lucky draw. The trial version is free, and the Technology Preview period closes at end January 2010. On 19/11/09 At 06:38 AM 2009-11-20T05:40:09Z 2009-11-20T05:40:09Z Updater and Tuneup Technology Preview tag:www.f-secure.com,2009-11-20:%2Fweblog%2Farchives%2F00001819.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com I just got my hands on a new promo item our Marketing department came out with, which looks quite interesting: <img border="0" src="http://www.f-secure.com/weblog/archives/mikado.jpg" alt="mikado" /> It's Mikado, an old European stick game. Basically, the idea is to carefully pick up sticks without moving the pile, in order to gain points; player with the most points wins. OK, so the game is rather cute, but it is supposed to convey a serious message - that IT security can be as simple as this game. Most people have the impression that IT security is complex, highly technical, frighteningly arcane, and difficult to manage. To be fair, most people have good reason to think so. Even the language is difficult, like the latest from the Pentagon's cyber security people - the Global Information Grid Customizable Operational Picture (GIGCOP), which is just one component of their new security system (The Register <a href="http://www.theregister.co.uk/2009/11/10/raytheon_netops_sa_deal/">article</a>). And even if all the 'technical' things are under control, sometimes it is possible to slip up on the "easy" stuff, like maintaining proper physical security - as in maybe not letting people use a slipper as a doorstop for a hi-tech server room. Really - that was reported in an <a href="http://thestar.com.my/news/story.asp?file=/2009/11/6/nation/5051971&amp;sec=nation">article</a> from The Star. But it doesn't actually have to be that way. We'd like to have our products (and tools and services) be easy to use, and that's what we're increasingly working towards. Which I think is fairly neatly captured by drawing a parallel with Mikado. On 17/11/09 At 09:14 AM 2009-11-20T05:40:09Z 2009-11-20T05:40:09Z IT Security as Easy as Mikado... tag:www.f-secure.com,2009-11-20:%2Fweblog%2Farchives%2F00001817.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Microsoft just released a patch to address the License Logging Server Heap Overflow Vulnerability (CVE-2009-2523). This vulnerability affects the License Logging Service (LLS), a feature which according to Microsoft is "designed to help customers manage licenses for Microsoft server products that are licensed in the Server Client Access License (CAL) model." More details on LLS at: <a href="http://support.microsoft.com/kb/824196">Description of the License Logging Service in Windows Server operating systems</a> This vulnerability only affects Microsoft Windows 2000 Server Service Pack 4 and is rated Critical since this service is enabled by default in that OS. It is also accessible via anonymous network connection and exploiting this vulnerability can lead to extensive heap memory corruption which could possibly lead to remote code execution. It no longer affects the newer MS Server systems since this service has already been removed since Windows Server 2008. More details of this patch are at these locations: <a href="http://www.microsoft.com/technet/security/bulletin/ms09-064.mspx">Microsoft Security Bulletin MS09-064</a> <a href="http://blogs.technet.com/srd/archive/2009/11/10/details-on-the-license-logging-service-vulnerability.aspx">Details on the License Logging Service vulnerability</a> It's time to patch those old 2K servers. On 11/11/09 At 12:27 AM 2009-11-20T05:40:09Z 2009-11-20T05:40:09Z Windows 2K Server Patch Update tag:www.f-secure.com,2009-11-20:%2Fweblog%2Farchives%2F00001816.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Here's an example of a Youtube video that is used to drive traffic to a "XBOX" phishing site. <img border="1" src="http://www.f-secure.com/weblog/archives/livetp2.png" alt="live.xbox.co.uk.tp"> The actual phishing site looks like this: <img border="1" src="http://www.f-secure.com/weblog/archives/livetp.png" alt="live.xbox.co.uk.tp"> The URL is fairly convincing. Turns out .TP is the country code for East Timor. But why would anybody phish for accounts of some online game? Because you can sell XBOX Live accounts for real-world cash: <img border="1" src="http://www.f-secure.com/weblog/archives/livetp3.png" alt="ebay"> On 10/11/09 At 11:30 AM 2009-11-20T05:40:09Z 2009-11-20T05:40:09Z Why would anybody phish for XBOX accounts? tag:www.f-secure.com,2009-11-20:%2Fweblog%2Farchives%2F00001815.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com So, there are these apparent MySpace phishing e-mails going around ("...please be informed that you are required to update your MySpace account, Please update your MySpace account by clicking here...") When you follow the link, you end up to this MySpace look-a-like page, hosted on various .uk domains: <img width="644" height="456" border="1" src="http://www.f-secure.com/weblog/archives/deaaas1.png" alt="Zeus"> Once you log on, the bad guys gain access to your MySpace credentials. Why do they want them? So they can pose as you on MySpace and send malicious links to your friends &mdash; who will surely follow them, as they know you and trust you&hellip; But in this case, this is not the only thing they are after. After logging on, you get this prompt: <img width="644" height="460" border="1" src="http://www.f-secure.com/weblog/archives/deaaas2.png" alt="Zeus"> A New MySpace Update Tool? Really? As an executable file? Hmm&hellip; and of course it's not. The file (md5: 4c7693219eaa304e38f5f989a8346e51) turns out to be yet another Zeus / Zbot banking trojan variant. F-Secure Anti-Virus blocks access to the malicious domains and detects the malware. On 09/11/09 At 02:27 PM 2009-11-20T05:40:09Z 2009-11-20T05:40:09Z When Phishing Isn't Phishing tag:www.f-secure.com,2009-11-20:%2Fweblog%2Farchives%2F00001814.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com We have located the first iPhone worm, dubbed as Ikee. It's currently spreading in the wild, but it's only able to infect devices that have been "<a href="http://en.wikipedia.org/wiki/Jailbreak_%28iPhone_OS%29">jailbroken</a>" by their owners. Jailbreaking removes iPhone's protection mechanisms, allowing users to run any software they want. Affected users will find that their iPhone wallpaper has been altered to a picture of Rick Astley (of <a href="http://en.wikipedia.org/wiki/Rickroll">Rickroll</a> fame) and the message "ikee is never going to give you up". <center> <img width="320" height="480" border="1" src="http://www.f-secure.com/weblog/archives/photo.jpg" alt="ikee iPhone worm"> </center> The worm targets users who have jailbroken their phone but have not changed their default root login password. It will search for vulnerable iPhones by scanning a handful of IP ranges &mdash; most of which are in Australia. At the moment, we have no confirmed reports of Ikee outside of Australia. After Ikee infects a phone, it disables the SSH service, preventing reinfection. To protect your jailbroken iPhone, change your root password. <a href="http://www.f-secure.com/weblog/archives/cydia.htm">Here's how</a>. The creator of the worm has released full source code of the four existing variants of this worm. This means that there will quickly be more variants, and they might have nastier payload than just changing your wallpaper or might try password cracking to gain access to devices where the default password has been changed. <img width="582" height="320" border="1" src="http://www.f-secure.com/weblog/archives/ikee1.png" alt="ikee"> On 08/11/09 At 06:21 PM 2009-11-20T05:40:09Z 2009-11-20T05:40:09Z First iPhone Worm Found tag:www.f-secure.com,2009-11-20:%2Fweblog%2Farchives%2F00001813.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com This is a post from our blog in May 2007: <a href="http://www.f-secure.com/weblog/archives/00001200.html"><img width="550" height="347" border="1" src="http://www.f-secure.com/weblog/archives/vanbot.png" alt="Vanbot"> </a> Yesterday, three people were sentenced for writing the above malware (it's a variant of the <a href="http://www.f-secure.com/v-descs/backdoor_w32_vanbot_br.shtml">Vanbot family</a>) and other attacks &mdash; including some DDoS action. The sentences were: 45 days jail, 40 days jail, and 0 days jail, respectively. The sentences were probationary, so nobody actually went to jail. In addition, some fines were written. All the three convicted were underage. On 07/11/09 At 12:06 PM 2009-11-20T05:40:09Z 2009-11-20T05:40:09Z Sentencing tag:www.f-secure.com,2009-11-20:%2Fweblog%2Farchives%2F00001812.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Our <a href="http://www.f-secure.com/weblog/archives/00001774.html">Health Check 2.0 Beta</a> was released about eight weeks ago. <img width="637" height="438" border="0" src="http://www.f-secure.com/weblog/archives/F-Secure_HealthCheck2.png" alt="F-Secure Health Check 2.0 Beta" /> Try <a href="http://www.f-secure.com/en_EMEA/downloads/beta-programs/home-office/healthcheck/index.html">Health Check</a>. <script src="http://www.f-secure.com/links/health-check.js" type="text/javascript" ></script> <noscript>This is an <a href="http://www.f-secure.com">Antivirus Software</a> from F-Secure Corporation </noscript> <hr> On 06/11/09 At 02:32 PM 2009-11-20T05:40:09Z 2009-11-20T05:40:09Z Try Health Check 2 Beta, complete survery, chance to win an iPod. tag:www.f-secure.com,2009-11-20:%2Fweblog%2Farchives%2F00001811.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com One thing that I have always found fascinating about Japan is definitely its rich and unique culture. However, there is just one other thing &mdash; vending machines. You not only find them everywhere, you can buy all sorts of things, including adult movies, from them (except for a security product, but that's probably just a matter of time). Anyway, <a href=http://www.aavar.org/avar2009>AVAR 2009</a> was held in Kyoto, Japan this time around and the turnout was just amazing, especially when coupled with very interesting presentations on how the threat landscape has been evolving and what every vendor is doing to tackle it. <img width="498" height="360" border="0" src="http://www.f-secure.com/weblog/archives/AVAR2009_bird.jpg" alt="AVAR2009, swan" /> For the first time, there were two concurrent sessions running. This year's keynote was by Jimmy Kuo (Microsoft), and he presented the key findings from <a href=http://www.microsoft.com/sir>Microsoft's Security Intelligence Report v7</a>. Interestingly, this time around there were several presentations on cloud-based security, one of which was by Dr. Igor Muttik (McAfee). In it, he mentioned the benefits of having antivirus technology in-the-cloud, as well as concerns surrounding privacy issues. One interesting fact he shared was McAfee verifies the robustness of their servers every Friday by DDoS-ing themselves. Coincidentally, that's when McAfee products are scheduled by default to run a full scan. Also, Stefan Tanase (Kaspersky) gave an entertaining presentation about how there has been a exponential growth in attacks on social media on Facebook and Twitter. Tony Lee (Microsoft) too highlighted the same fact, as Microsoft found that the attacks on social media are dominating the threat landscape. Signing off, Fei <img width="595" height="461" border="0" src="http://www.f-secure.com/weblog/archives/AVAR2009_performance.jpg" alt="AVAR2009, performance" /> On 06/11/09 At 06:21 AM 2009-11-20T05:40:09Z 2009-11-20T05:40:09Z Greetings from AVAR 2009! tag:www.f-secure.com,2009-11-20:%2Fweblog%2Farchives%2F00001810.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com It seems like most people who have gone to watch the Michael Jackson <a href=http://www.thisisit-movie.com>This Is It</a> movie have told me that it is really worth watching. However, we are not too sure if Michael Jackson's Official Website at www.michaeljackson.com is actually worth visiting now. <img width="661" height="537" border="1" src="http://www.f-secure.com/weblog/archives/mj_searchresults.jpg" alt="MJ search results"/> Well, it turned up on our systems, which indicate that some of the child pages have been compromised with malicious scripts. <img width="698" height="546" border="1" src="http://www.f-secure.com/weblog/archives/mjsitej.jpg" alt="MJ site"/> At the time of analysis, the malicious scripts were not leading users to malware (yet) &mdash; but they will probably remain there until someone cleans it up and fixes the vulnerable code as well. We will rate the site SAFE in our <a href="http://browsingprotection.f-secure.com">Browsing Protection</a> again once the site is cleaned up. <a href="http://browsingprotection.f-secure.com/swp/result?x=CDqZ1MMd*BD9zTUA8QGshViAtnfnpllO0Zx7CaRfWOX3Hkh91jwVEy07N2WdDS9o3fri8t-JEvFmWg6V-hWn-Q"><img width="750" height="375" border="0" src="http://www.f-secure.com/weblog/archives/BrowsingProtection_MichaelJackson.png" alt="Browsing Protection, michaeljackson.com" /></a> Signing off, Fei <hr> On 05/11/09 At 03:59 PM 2009-11-20T05:40:09Z 2009-11-20T05:40:09Z This Is It! tag:www.f-secure.com,2009-11-20:%2Fweblog%2Farchives%2F00001809.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Our blog has been nominated in the 2009 ComputerWeekly.com IT blog awards.<a href="http://www.computerweekly.com/Articles/2009/11/03/238190/vote-in-the-computer-weekly-it-blog-awards-2009.htm"><img align="right" hspace="11" width="250" height="197" border="0" src="http://www.f-secure.com/weblog/archives/Computer_Weekly_IT_Blog_Awards_09.gif" alt="ComputerWeekly.com, IT Blog Awards 09" /></a> We're in the IT Security category. If you like us, you can vote at <a href="http://www.computerweekly.com/Articles/2009/11/03/238190/vote-in-the-computer-weekly-it-blog-awards-2009.htm">ComputerWeekly.com</a>. Cheers! P.S. What's someone got to do to get nominated for the Twitter category, <a href="http://blogs.zdnet.com/projectfailures/?p=6327">get banned</a> or something? &nbsp; On 05/11/09 At 10:31 AM 2009-11-20T05:40:09Z 2009-11-20T05:40:09Z Vote 4 Us tag:www.f-secure.com,2009-11-20:%2Fweblog%2Farchives%2F00001808.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com The Swedish Signals Intelligence agency (F�rsvarets Radioanstalt FRA) is currently under a large-scale DDoS attack. At the moment <a href="http://www.fra.se">www.fra.se</a> is inaccessible. <img width="417" height="230" border="1" src="http://www.f-secure.com/weblog/archives/fra1.png" alt="F�rsvarets radioanstalt"> FRA was in the news recently, as Sweden passed a law giving them legal permission to tap Internet traffic passing through Swedish national borders. For example, the majority of Russian international Internet traffic passes through Sweden. The monitoring effectively started last month. <a href="http://downforeveryoneorjustme.com/www.fra.se"><img width="634" height="188" border="1" src="http://www.f-secure.com/weblog/archives/fra2.png" alt=" F�rsvarets radioanstalt"></a> We have no information on who's behind the attacks. Downtime stats are available <a href="http://uptime.pingdom.com/site/month_summary/site_name/www.fra.se">here</a>. <hr> On 04/11/09 At 10:02 AM 2009-11-20T05:40:09Z 2009-11-20T05:40:09Z DDoS on www.fra.se tag:www.f-secure.com,2009-11-20:%2Fweblog%2Farchives%2F00001807.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Microsoft has just released an update for their MS09-054 patch. Note &mdash; It is critical not to install this update if the system has not installed the previous MS09-054 patch, as the updated one could break Internet Explorer. Some customers were reported to have browsing-related errors after installing said patch. A fix is available via Windows Update, Microsoft Update and Automatic Updates. More details at: <a href="http://support.microsoft.com/kb/976749">http://support.microsoft.com/kb/976749</a> Response Team post by &mdash; Christine On 04/11/09 At 12:29 AM 2009-11-20T05:40:09Z 2009-11-20T05:40:09Z MS Post-Patch Update XML::Atom::SimpleFeed 2009-11-20T05:40:09Z Weblog of F-Secure Antivirus Research Team F-Secure Antivirus Research Weblog