There are numerous password-stealing trojans written specifically for World of Warcraft and other massively multiplayer online games. The stolen passwords are used to empty the victims' accounts of gold and other items so that they can be re-sold online.
Now eBay has decided to ban the auction of virtual goods. Actually, it's a more aggressive enforcement of already existing policy. It should be interesting to see just how this change in the re-sale market affects the source of supply. Demand is unlikely to change and so sites such as ige.com will be the short-term beneficiaries.
Longtime readers of the weblog might remember that we posted on testing a car's Bluetooth enabled phone to see if it could be infected by malware. That time nothing happened, but reports on the Internet now say that you can actually get a virus in your car – or to be more specific, on your TomTom GPS system.
What apparently happened was that TomTom accidentally included two Windows malware files on the TomTom GO910's hard drive – Perlovga.a and Small.qp. While the device itself isn't infected, users have reported getting notifications from their antivirus products when they've connected the device to their PCs to do a backup.
The malicious files are "copy.exe" and "host.exe", located in the root of the GO910's hard drive. Perlovga.a was first seen in June 2006 and Small.qp back in January 2005, so neither of them is new in any way.
This isn't the first time devices have been shipped to customers with malware. In August 2005, Creative shipped 5GB Zen Neeon players containing Wullik.B (also known as Rays.A). In October 2006, both McDonald's and Apple distributed Windows malware on devices.
There's nothing to be found on TomTom's website about this, but according to a post on DaniWeb, they have sent an official reply to customers. Links to some user reports:
How does our WorldMap Live work? When a detection occurs, many of our security products report back to us with data that includes an IP address. That IP address is converted to a physical location, which is then displayed on the WorldMap. The WorldMap software runs in real time and also has 1-hour and 24-hour playback modes.
Is there a commercial version that can be purchased? The live version of the WorldMap requires an internal connection to our servers and so is not a commercial product.
There is however worldmap.f-secure.com that is publicly available and it uses the same source data as the live version. There are multiple time periods that can be selected and the view can be defined to individual countries.
A new round of malicious billing spam e-mails were received yesterday. All attachments have the filename of Rechnung.pdf.exe. Two variants emerged from these spams: W32/Nurech.X and W32/Nurech.Y.
Later in the day, the phrase "Love is all Around" took on a new meaning when another batch of Stormy arrived. This new Stormy still adheres to the love theme. Filenames of this variant can be any of the following:
Flash Postcard.exe
Greeting Postcard.exe
Greeting Card.exe
Postcard.exe
flash postcard.exe
greeting card.exe
greeting postcard.exe
postcard.exe
Attachments are now detected as Trojan-Downloader.Win32.Small.ciw.
As seen from the newest samples, social engineering techniques are still employed to entice a portion of the recipients to execute the malicious attachments.
This evening a new wave of the Stormy worm has been widely spammed. The subjects used in the e-mails have now changed from news-related events to love-related topics as you can see from the screenshot and the list of subjects below.
A list of subjects we've seen so far include:
A Bouguet of Love
A Day in Bed Coupon
A Monkey Rose for You
A Red Hot Kiss
Against All Odds
All That Matters
Baby, I'll Be There
Back Together
Breakfast in Bed Coupon
Can't Wait to See You!
Cyber Love
Dinner Coupon
Dream Date Coupon
Emptiness Inside Me
Fields Of Love
For You
Full Heart
I Believe
I Can't Function
I Dream of You
I Think of You
Internet Love
It's Your Move
Kiss Coupon
Love Birds
Love You Deeply
Made for Each Other
Miracle of Love
Moonlit Waterfall
My Invitation
Our Love
Our Love is Free
Our Two Hearts
Passionate Kiss
Pockets of Love
Puppy Love
Red Rose
Sending You My Love
Showers of Love
Someone at Last
Soul Partners
Summer Love
Take My Hand
That Special Love
The Dance of Love
The Long Haul
The Love Bugs
This Day Forward
This Feeling
Till Morning's Light
Till Morninig's Light
The Mood for Love
To New Spouse
Together Again
Together You and I
Touched by Love
Twice Blest
Until the Day
We're a Perfect Fit
Wild Nights
Will you?
When I'm With You
Worthy of You
Wrapped Up
Wrapped in Your Arms
You are our of this world
You Lucky Duck!
You Rock Me!
You Were Worth the Wait
Thanks to Diego who notified us and told us that this list looks very similar to the list of Romantic Cards over at 2000greetings.com and indeed it does.
The list of files is much shorter:
Greeting Postcard.exe
postcard.exe
greeting card.exe
Flash Postcard.exe
flash postcard.exe
We now detect this as Email-Worm.Win32.Zhelatin.a.
Note: For those of you who aren't already filtering .exe attachments at the e-mail gateway – do it now!
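Every sample mentioned above, from Rechnung.pdf.exe to the postcard variants, arrives as a plain Windows executable, so a gateway rule that refuses them is cheap and effective. The following is an added example written for this page, not F-Secure product code or anything from the original post: it rejects a message when any attachment's final extension is executable (so the double-extension trick in Rechnung.pdf.exe still matches, case-insensitively, even with a trailing dot) or when the decoded attachment starts with the MZ header of a Windows executable regardless of what it is called. The sample messages are constructed inline; the extension list is an assumption and should be widened for your environment.

```python
"""Gateway-side check for executable attachments.
Added example; not code from the original post or from any product."""
import email
import email.policy
import os
from email.message import EmailMessage

# Extensions Windows runs directly on double-click. Assumption: extend for
# your site (.lnk, .hta, .wsf and friends are also worth blocking).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
MZ_MAGIC = b"MZ"  # first two bytes of every DOS/PE executable


def is_executable_name(filename):
    """True when the *last* extension is executable.

    'Rechnung.pdf.exe' -> True  (the .pdf is decoration; Windows runs it)
    'report.exe.pdf'   -> False (harmless name; the MZ check below still
                          catches a mislabelled binary)
    Trailing dots and spaces are stripped because Windows ignores them.
    """
    if not filename:
        return False
    name = filename.strip().rstrip(". ").lower()
    return os.path.splitext(name)[1] in EXECUTABLE_EXTENSIONS


def has_mz_header(data):
    """True when the decoded attachment starts with the DOS/PE 'MZ' magic."""
    return data[:2] == MZ_MAGIC


def find_executable_attachments(raw_message):
    """Return [(filename, reason), ...] for every attachment that is an
    executable by name or by content. An empty list means the mail may pass."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    hits = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if is_executable_name(filename):
            hits.append((filename, "extension"))
        elif has_mz_header(payload):
            hits.append((filename, "MZ header"))
    return hits


def gateway_verdict(raw_message):
    return "REJECT" if find_executable_attachments(raw_message) else "ACCEPT"


def build_sample(filename, payload, mime_type="application/octet-stream"):
    """Constructed test message with one attachment (not a real spam sample)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Rechnung"
    msg.set_content("Ihre Rechnung finden Sie im Anhang.")
    maintype, subtype = mime_type.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60
    for name, data in [("Rechnung.pdf.exe", fake_pe),
                       ("Flash Postcard.exe", fake_pe),
                       ("Rechnung.pdf", fake_pe),          # mislabelled binary
                       ("invoice.pdf", b"%PDF-1.4\n%...")]:
        raw = build_sample(name, data)
        print(f"{name:20s} {gateway_verdict(raw):7s} {find_executable_attachments(raw)}")
```

The content check matters because a sender can always rename the file; the name check matters because a renamed binary is still executed when the user double-clicks the .exe, whatever the MIME type says.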
Our new laptop stickers have arrived! We started the contest several weeks ago. We then went through the results and selected the winners. And then we ordered up a batch and waited. Now we have them and stickers are everywhere in the lab.
The weblog readers whose suggestions were selected are:
I lost my password, can you tell me yours? — Azham R. of Malaysia
This is not the wireless access point you're looking for. — Matt L. of Australia
Real men don't use antivirus. — Jonas L. of Sweden
I just click OK to make the box go away. — Justin R. of UK
My botnet can beat up your botnet. — David B. of USA
Password is on a Post-it note on the display. — Ken T. of Germany
Their stickers were mailed out in the post today. Our thanks to all that contributed.
Now that we have them, we'll use them as rewards for future challenges.
We analyzed a new Commwarrior variant last week. It runs on Symbian devices using Series 60 user interface – first and second editions.
This variant of Commwarrior, designated T, was otherwise quite uninteresting apart from the fact that it is newly compiled from the original source, unlike most variants. The author refers to it as "Commwarrior v3 Lite" in his code. In the meantime, we already have the detection published and we've updated our free F-Commwarrior utility, which you can download from f-secure.mobi if you suspect your phone has been infected.
This variant affects only Symbian Series 60 phones that use Symbian OS version 8.1 or older. This means that the latest model of phones that could be affected is the Nokia N72. Phones using Symbian OS 9.0 or later, such as the Nokia E70 or 3250, will not be affected.
The weekend has been very busy with Storm Worm. We have lately discovered new variants that have started to use kernel-mode rootkit techniques to hide their files, registry keys, and active network connections. F-Secure BlackLight is able to detect the hidden files.
These variants are now detected as W32/Stormy.AB and Trojan-Downloader.Win32.Agent.bet.
We got a repeat of what happened last night – but with a modified version of the trojan and fresh news items in the subject field.
This time the subjects in the mails are:
Russian missle shot down Chinese satellite
Russian missle shot down USA aircraft
Russian missle shot down USA satellite
Chinese missile shot down USA aircraft
Chinese missile shot down USA satellite
Sadam Hussein alive!
Sadam Hussein safe and sound!
Radical Muslim drinking enemies' blood.
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
U.S. Southwest braces for another winter blast. More then 1000 people are dead.
Venezuelan leader: "Let's the War beginning".
Fidel Castro dead.
Hugo Chavez dead.
And the attachment names are:
Video.exe
Full Video.exe
Read More.exe
Full Text.exe
Full Clip.exe
When run, this malware creates a peer-to-peer botnet via port 7871/UDP or 4000/UDP.
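Because the bots find each other over UDP on those two ports, an infected host shows up in flow data as one machine talking to many distinct peers on 7871/UDP or 4000/UDP, whereas a single conversation with one host on 4000/UDP is normal for some applications. The following is an added example, not from the original post: a small detector over constructed flow records (one line per flow, TEST-NET addresses) that alerts on peer fan-out rather than on a single port hit. The log format and the threshold of eight distinct peers are assumptions to tune for your network.

```python
"""Flag hosts that fan out to many peers on the Storm P2P ports.
Added example over constructed flow records; not from the original post."""
import re
from collections import defaultdict

STORM_UDP_PORTS = {7871, 4000}   # ports named in the post above
FANOUT_THRESHOLD = 8             # assumption: distinct peers before we alert

# Assumed flow-log format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> <bytes>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)",
    re.IGNORECASE,
)


def parse_flow(line):
    """Return a dict for one flow record, or None if the line does not parse."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f["proto"] = f["proto"].lower()
    f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
    return f


def suspicious_p2p_hosts(lines, ports=STORM_UDP_PORTS, threshold=FANOUT_THRESHOLD):
    """Map source IP -> number of distinct peers contacted on the given UDP
    ports, keeping only sources at or above the threshold. TCP flows and other
    ports are ignored, so one legitimate UDP/4000 conversation does not alert."""
    peers = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f and f["proto"] == "udp" and f["dport"] in ports:
            peers[f["src"]].add(f["dst"])
    return {src: len(dsts) for src, dsts in peers.items() if len(dsts) >= threshold}


# Constructed sample: 10.0.0.5 behaves like a Storm node (12 peers, both ports),
# 10.0.0.9 talks to a single peer on 4000/UDP, 10.0.0.7 uses TCP on 7871.
SAMPLE_FLOWS = [
    f"2007-01-20T03:{i:02d}:00Z udp 10.0.0.5:{30000 + i} -> 203.0.113.{i}:{7871 if i % 2 else 4000} 120"
    for i in range(1, 13)
] + [
    "2007-01-20T03:20:00Z udp 10.0.0.9:5000 -> 198.51.100.7:4000 80",
    "2007-01-20T03:21:00Z udp 10.0.0.9:5000 -> 198.51.100.7:4000 80",
    "2007-01-20T03:22:00Z tcp 10.0.0.7:40000 -> 198.51.100.8:7871 500",
    "this line is not a flow record",
]

if __name__ == "__main__":
    for host, n in suspicious_p2p_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: {n} distinct peers on UDP {sorted(STORM_UDP_PORTS)}")
```

Fan-out is the better signal here because the port numbers are easy for the next variant to change, while a peer-to-peer node that talks to nobody is not much of a node.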
We detect this as Trojan-Downloader.Win32.Agent.bet.
Update on Saturday: A few hours later, there was another run with new and modified variants. Mostly the same Subject fields, with the addition of:
President of Russia Putin dead
Third World War just have started!
The Supreme Court has been attacked by terrorists.
Sen. Mark Dayton dead!
The commander of a U.S. nuclear submarine lunch the rocket by mistake.
First Nuclear Act of Terrorism!
Update on Sunday: Another run. This time with a different theme included in the subjects:
So in Love
Happy World Religion Day!
Most Beautiful Girl
Someone at Last
I Believe
The Dance of Love
The Miracle of Love
All For You
Vacation Love
I am Complete
Wrapped Up
Moonlit Waterfall
A Little (sex) Card
A Special Kiss
Hugging My Pillow
Safe and Sound
You're Soo kissable
A Romantic Place
Breakfast in Bed Coupon
For You
I Love You So
Safe and Sound
Want to Meet?
We Are Different
We Have Walked
You Asked Me Why
New filenames include Flash Postcard.exe.
Detection for these is in our update 2007-01-21_04.
The Small.DAM (Storm-Worm) we posted on earlier spread very fast during the night, Helsinki time. The heavy seeding through spam was quickly obvious on our tracking screens, and within hours the worm had been reported from all over the world.
Here is some footage of the worm's spread to share with our readers:
This morning we have been witnessing activities of Small.DAM being spammed.
Here are the possible subject headings:
230 dead as storm batters Europe.
A killer at 11, he's free at 21 and...
British Muslims Genocide
Naked teens attack home director.
U.S. Secretary of State Condoleezza...
The "Storm in Europe" title is particularly timely, as there really is a storm in Europe at the moment and dozens of people have died.
Attachments may have the following filenames:
Full Clip.exe
Full Story.exe
Read More.exe
Video.exe
The detection for Small.DAM was already included in our database update 2007-01-15_01.
The Warezov gang is using variants of Warezov and Medbot/Horst to send out medication and replica spam. The Rustock gang is using Mailbot.AZ and variants to send out stock spam. The Warezov gang is apparently operating from China and the Rustock boys from Russia.
Machines infected with Medbot use a client-server architecture. They connect to a central server to get further instructions as well as spam content and address lists. Then they get to the work of actually sending the spam.
The server addresses keep changing. Last week seek21.zootseek.com was used to serve e-mail addresses to the bots. While investigating the case last week, we downloaded some 68 Gigabytes of e-mail addresses from this server.
Another good example of the client-server architecture is the service running at http://seeky.zootseek.com/d/body.html. This URL serves randomized HTML templates for different spam mails.
The URL is live at the moment of this posting. If you access it and reload the page, you'll get a different spam template every time (but do visit it at your own risk).
And by the way, you might want to block access to all hosts under the domain medbod.com (as it is used by Medbot to download updated bot code).
Fake web sites have been used to recruit money mules for quite a while. When cops investigate phishing or carding cases, the trail usually ends with the mule who might not have realized at all that he's actually laundering money for crime gangs.
Here's one mule recruitment site, which is offline by now:
This morning I got a personalized mule recruitment spam. Emphasis below is mine:
From: "Eddie Arredondo" <email@example.com>
To: "Mikko Hypponen" <mikko.hypponen>
Received: from 4koiahot.0o4xb.aol.com (ppp85-140-200-191.pppoe.mtu-net.ru [220.127.116.11]) by mx1.f-secure.com (Postfix) with ESMTP id B58F167CF2; Wed, 17 Jan 2007 23:59:43 +0200 (EET)
Subject: Fw: Re: Yuo will want this Job
Date: Thu, 18 Jan 2007 01:01:25 +0400
We are a small and relatively Software Development and Outsourcing Company specializing in enterprise application development, system integration, corporate networks and other software solutions for business, finance, and for various types of problems. The company based in Ukraine but at this time we open new office in Bulgaria. We’ve earned ourselves a reputation of a reliable and trustworthy partner working successfully with a number of West European and North American copmanies and providing them with reliable software development services in financial, telecom and media sectors Also we are in search of new partners.
Unfortunately we are currently facing some difficulties with receiving payments for our services. It usually takes us 10-30 days to receive a payment from your country and such delays are harmful to uor business. We do not have so much time to accept every wire transfer and we can't accept cashier’s checks or money orders as well. That’s why we are currently looking for partners in your country to help us accept and process these payments faster.
If you are looking for a chance to make an additional profit you can become our representative in your country. As our representative you will receive 8% of every deal we conduct. Your job will be accepting funds in the form of wire transfers and check payments and forwarding them to us. It is nota full-time job, but rather a very convenient and fast way to receive additional income. We also consider opening an office in your country in the nearest future and you will then have certain privileges should you decide to apply for a full-time job. This is an entry level opportunity in the field of financial services. Our financial professionals work with clients to help them achieve their many financial goals such as saving on taxes.
We therefore solicit your assistacne in remitting this money and facilitating transactions. If you believe you would be able to undertake such a task and are interested in this job, please respond to firstname.lastname@example.org and send us the following information about yourself:
1. Your Full Name as it appears on your resume. 2. Education. 3. Your Contact Address. 4. Telephone/Fax number. 5. Your present Occupation and Position currently held. 6. Your Age
Please respond ASAP and we will provide you with additional details on how you can become our representative. Joining us and starting business today will cost you nothing and you will b eable to earn a bit of extra money fast and easy.
Should you have any quesitons, please feel free to contact us at the address mentioned above. Looking forward to hearing from you.
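The Received header quoted above is the part of this mail the sender could not dress up: the connecting host introduced itself (HELO) as an aol.com machine, but the receiving server recorded a reverse DNS name in a Russian PPPoE dial-up pool. As an added example, not part of the original post, here is a parser for the first hop of a Postfix-style Received header that flags exactly that kind of inconsistency. The sample headers are constructed (TEST-NET addresses) and modelled on the one above; the registrable-domain comparison takes the last two labels, a simplification of what a real filter would do with the Public Suffix List, and the dial-up pattern is an assumption.

```python
"""Flag forged HELO names and dial-up senders from a Received: header.
Added example; the sample headers are constructed, not taken from the post."""
import re

# First hop as Postfix writes it: from <helo> (<rdns> [<ip>]) by <us> ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
# Assumed naming convention for consumer access pools (ppp, pppoe, dsl, ...).
DIALUP_RE = re.compile(r"(^|[.-])(ppp|pppoe|dsl|dyn|dhcp|cable)([.-]|\d)")


def parse_received(header):
    """Return helo/rdns/ip/by (lower-cased) for the first hop, or None."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    hop = {k: (v.lower() if v else None) for k, v in m.groupdict().items()}
    if hop["rdns"] == "unknown":      # Postfix writes 'unknown' when PTR lookup fails
        hop["rdns"] = None
    return hop


def registrable_domain(hostname, depth=2):
    """Last `depth` labels; enough for aol.com vs mtu-net.ru. A production
    filter would consult the Public Suffix List instead (assumption)."""
    return ".".join(hostname.rstrip(".").split(".")[-depth:])


def helo_mismatch(header):
    """List of reasons the first hop looks forged; empty when it is consistent."""
    hop = parse_received(header)
    if hop is None:
        return ["unparseable"]
    reasons = []
    helo, rdns = hop["helo"], hop["rdns"]
    if rdns is None:
        reasons.append("no reverse DNS for connecting IP")
    elif registrable_domain(helo) != registrable_domain(rdns):
        reasons.append(f"HELO {helo} vs rDNS {rdns}")
    if rdns and DIALUP_RE.search(rdns):
        reasons.append("connecting host is a dial-up/DSL pool address")
    return reasons


# Constructed samples (TEST-NET IPs); the first is modelled on the header above.
SAMPLE_FORGED = ("from 4koiahot.0o4xb.aol.com (ppp85-140-200-191.pppoe.mtu-net.ru [192.0.2.10]) "
                 "by mx1.example.com (Postfix) with ESMTP id B58F167CF2; Wed, 17 Jan 2007 23:59:43 +0200 (EET)")
SAMPLE_LEGIT = ("from mail.example.org (mail.example.org [198.51.100.25]) "
                "by mx1.example.com (Postfix) with ESMTP id 1234ABCD; Thu, 18 Jan 2007 08:00:00 +0200 (EET)")
SAMPLE_NO_RDNS = ("from mail.example.net (unknown [203.0.113.44]) "
                  "by mx1.example.com (Postfix) with ESMTP id 5678EF01; Thu, 18 Jan 2007 08:05:00 +0200 (EET)")

if __name__ == "__main__":
    for name, hdr in [("forged", SAMPLE_FORGED), ("legit", SAMPLE_LEGIT), ("no rdns", SAMPLE_NO_RDNS)]:
        print(f"{name:8s} {helo_mismatch(hdr) or ['ok']}")
```

Only the hop added by your own server is trustworthy; earlier Received lines in a message can be forged wholesale, so a filter should look at the first hop it wrote itself.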
Last Thursday, we suggested that you update some of your applications…
Well, on Tuesday, January 16th, Sun released an advisory regarding a vulnerability in processing GIF images in some versions of the Java Runtime Environment.
When a vulnerable Java Runtime runs an applet from a web page, an applet exploiting the vulnerability may escape Java's sandbox. The applet then has exactly the same access to the file system and to process execution as any native application run by that user.
Java vulnerabilities have been actively used by malicious web pages in the past, so it is quite possible that this new vulnerability will also be used.
So do make sure that your Java runtime is up to date; instructions are available in Sun Advisory #102760.
Note: Sun provides links to J2SE 5.0 Update 10 in their advisory. As we posted earlier, version 6.0 is also available from: java.sun.com.
According to Sun, this vulnerability does not affect the Java versions used on mobile phones (J2ME).
There's an update for the Acer ActiveX component vulnerability we posted on last week. Details can be found via US-CERT. The patch is named "Acer Preload Security Patch for Windows XP" and can be found here.
After a relatively short period of inactivity, Warezov has returned with about a dozen new variants in the last 24 hours. Variant KA received its moniker at the end of yesterday with update 2007-01-15_13. There is also a new domain to block: ertikadeswiokinganfujas.com. You'll find a more comprehensive list here.
F-Secure Internet Security 2007's System Control feature still automatically denies these latest variants.
PayPal will soon sell a one-time password token. Designed to be carried on your key chain, it is based on a VeriSign device and will cost five dollars.
We think this key fob is a good idea, especially considering that PayPal is such a prime target for phishers.
Here are some recently registered domain names for paypal phishing cases:
Of course, while a good idea, this key fob is not a silver bullet for the phishing problem. A one-time code stops an attacker from reusing captured credentials later, but it does nothing against a phishing site that forwards the password and the current code to the real site while the victim is still typing. Consider this eWeek article on a phishing kit that makes such man-in-the-middle attacks easy. The "Universal Man-in-the-Middle Phishing Kit" may well be the direction phishing takes in 2007.
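To make that caveat concrete: an event-based one-time password protects against the attacker who keeps your credentials for later, not against the one who forwards them as you type. The following is an added example and is not code from the original post, from PayPal or from VeriSign. It implements HOTP (RFC 4226), one common event-based token algorithm (whether the device PayPal sells uses it is not stated on the page, so that is an assumption), together with a toy server that consumes each counter value, then runs the same captured credentials through an immediate relay and a later replay.

```python
"""HOTP (RFC 4226) token versus a real-time man-in-the-middle phishing site.
Added example; the token algorithm is an assumption (the post does not say
which algorithm the VeriSign device uses) and the server logic is a toy."""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer and reduction to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """The key fob: every button press yields the code for the next counter."""
    def __init__(self, secret):
        self.secret, self.counter = secret, 0

    def press(self):
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class OtpServer:
    """Toy back end: password check, then HOTP check inside a look-ahead window.
    A matched counter is consumed, so the same code is never accepted twice."""
    def __init__(self, secret, password, window=5):
        self.secret, self.password, self.window = secret, password, window
        self.counter = 0

    def login(self, user, password, otp):
        if not hmac.compare_digest(password, self.password):
            return None
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1          # consume: a replay of this code now fails
                return f"session:{user}:{c}"
        return None


def phishing_scenarios():
    """The victim types password + fob code into a phishing page. What the
    phisher gets out of the capture depends only on *when* it is used."""
    secret = b"12345678901234567890"        # RFC 4226 test-vector secret
    token, server = Token(secret), OtpServer(secret, "hunter2")

    captured = ("alice", "hunter2", token.press())
    relayed = server.login(*captured)       # MITM kit: forwarded within seconds -> accepted
    replayed = server.login(*captured)      # classic phishing: reused later -> rejected
    victim_next = server.login("alice", "hunter2", token.press())  # real user unaffected
    return {"relayed": relayed, "replayed": replayed, "victim_next": victim_next}


if __name__ == "__main__":
    print(phishing_scenarios())
```

The token proves that whoever is typing holds the fob right now; it says nothing about which web site is receiving the code. Closing that gap needs the second factor to be bound to the site, for example with a certificate-based or challenge-response scheme, rather than a number the user can be talked into retyping.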
We received a good number of reports regarding SMS spam that people had received on their mobile phones during a period in December. We looked into the issue and posted our findings. The number of reports of SMS spam has gone down since December, but we are still hearing about the issue on a daily basis.
We did talk briefly with a couple of GSM operators about how to block this problem and stop it bothering people. From what we have learned, if you, as a customer of a cellular operator, receive SMS spam and don't want more of it delivered to your mobile phone, you should report it to your operator's customer support. While we are very interested in receiving reports about different SMS spam, we cannot, as a third party, report the abuse of a cellular operator's network. The cellular operators are able to control their networks, but they need to be informed by you, the customer, when their network is being abused against you.
The second Tuesday of each month is when Microsoft releases its security updates. But what else could or should you be updating? Not just your OS, but also your applications.
There's Adobe Reader with a well-publicized cross-site scripting (XSS) vulnerability in Adobe Reader 7.0.8 and earlier versions. You can either install an update, version 7.0.9, or you can install version 8, which no longer includes the vulnerable feature. And then again, you might consider uninstalling Adobe Reader and installing an alternative such as Foxit Reader.
Then there's Java. It was recently updated to version 6. You'll find it on java.sun.com, but you won't yet find it on java.com. For whatever reason, java.com still offers version 5 update 10.
Perhaps you updated your Microsoft Office on Tuesday via Microsoft Update. But then perhaps you also have OpenOffice installed? If so, you should update to OpenOffice.org 2.1. Version 2.1 now includes automatic notification of updates.
And if you still haven't updated your Internet Explorer to IE7 — it's no longer a high priority (at Microsoft Update). This month the update has moved to the Optional Updates section. Or at least it has on one of our production machines. That makes a bit more sense for those of us still waiting for IT's blessing.
Don't allow your apps to be the low-hanging fruit.
The exploit affects most Pocket PC Phone Edition and Windows Mobile devices that use versions of ArcSoft MMS Composer predating August 2006.
Fortunately, most vendors are providing updates that patch the vulnerability, but unfortunately they don't necessarily say so in their release notes. If you are unsure whether your phone vendor is providing the update, we recommend checking the vendor's support page and contacting them if no information is available there.
We have tried the exploit with several devices, and unless the shellcode is crafted for that particular device and the MMS application happens to be loaded at the address the exploit expects, the only result is a crash of the MMS application.
As mentioned previously, we added detection for Exploit/MMS.A in the December 30th update for F-Secure Mobile Anti-Virus for Windows Mobile devices. So we decided to shoot a short video clip of the Anti-Virus in action, stopping the corrupted MMS message before the user is able to open it.
The video was shot with a QTEK 9100 that has a vulnerable version of the MMS software installed.
Microsoft's January patches are now out. The update includes three critical patches that fix flaws in Excel, Outlook, and Internet Explorer. All of these allow remote code execution and can be used as a vector for virus or trojan attacks.
At the moment, we haven't seen malware taking advantage of these vulnerabilities.
Yesterday, we tested a library taken from an Acer computer. It's very common for vendors to sell machines preloaded with applications and system components of their own. The library, named LunchApp.ocx, is probably meant to help with browsing the vendor's website, enabling easy updates and such. It turns out that it also makes all those machines vulnerable: a specially crafted HTML page can use it to download malicious file(s) onto the user's machine and then execute them. It gets even better: Acer marked the ActiveX library "safe for scripting", so Internet Explorer will let any web page script it without prompting, and you wouldn't even see when it's used.
It would be nice if Acer (and other vendors) thought twice before providing a "feature" like this in the future.
Unsurprisingly, malware writers are trying to exploit the publicity around the hanging of Saddam Hussein to their own advantage.
So far we've seen three different examples of malware using Saddam-related themes.
These are now detected as W32/Banload.BSW, W32/Banload.BSX and Trojan-Downloader.Win32.Delf.acc.
Two of these try to disguise their actions by opening up a YouTube page with the Portuguese search keyword "enforcado" (hanged). More information is available in our descriptions: Banload.BSX, Banload.BSW and Delf.acc.
Then there's been a new Rechnung spam run in German-speaking countries. Masquerading as a bill from the "1&1" ISP, the e-mails look like this:
We now detect the attachment as Backdoor.Win32.Agent.akf.
Updated to add: We have now seen same spam e-mails but with a different attachment, now detected as W32/Haxdoor.LQ or Backdoor.Win32.Haxdoor.jw. This variant tries to steal credentials for various banks located in Germany, Austria, Poland, and Sweden.
We've now seen several phishing web sites that use Flash-based content instead of normal HTML. Probably the main reason for this is to evade phishing toolbars that analyze page content, since the login form lives inside the SWF rather than in the HTML the toolbar can see.
Two recent examples, both targeting PayPal: www.ppal-form-ssl.com and www.welcome-ppl.com.
These sites look like the real PayPal front page, but they are actually Flash recreations.
When you type in login information, the SWF file displays a new page, asking for your credit card information.
Abuse messages have been sent about these sites. Thanks to Axel P for the heads up.