NEWS FROM THE LAB - January 2008

Wednesday, January 30, 2008

 
PHP IRC Bot Posted by Toni @ 14:51 GMT

Coming across a PHP RFI (Remote File Inclusion) exploit is an everyday event. (At least if you're analyzing malware…)

Typically, most of the exploits we see install a web-based backdoor such as the C99 shell for the attacker to use.

Every once in a while we run into something more sinister.

PHP Bot

Today we discovered a nice crossbreed of different techniques. We saw a PHP script that was heavily obfuscated and whose configuration was encrypted. It's an IRC bot, written in PHP. On top of that, it uses nine domain names to reach its master's C&C (Command and Control) server.

The domain names are fast-fluxing, so this botnet can move around nicely, and since most of the compromised machines are web servers, this botnet is packing a nice amount of bandwidth.

Detection for Backdoor:PHP/Obfu.A was added to our 2008-01-30_07 update.

You can find some additional information at teamfurry.

 
Monday, January 28, 2008

 
Studying Malware Analysis Posted by Mikko @ 12:23 GMT

There are very few places in the world where you can actually study malware analysis.

We decided to do our small part to improve this situation and we're happy to announce that we've started a course at the Helsinki University of Technology.

TKK (image from http://www.tkk.fi/fi/yleista/otaniemi/)

The course is called Malware Analysis and Antivirus Technologies and is done in association with the Department of Computer Science and Engineering. Lectures are held by senior analysts and researchers from the F-Secure Security Labs and cover a range of topics from reverse engineering to decrypting malware to designing scanning engines.

The commencement lecture (open to the public) of the course was held last week and collected an audience of around 150 people. The course itself is designed for 40 students — unfortunately the course is full already, but we'll consider repeating it if there's lots of interest.

For more information, please see the course pages.

T-110.6220 Malware Analysis and Antivirus Technologies

For course reading material, we're using Peter Szor's book "The Art of Computer Virus Research and Defense". Cheers to Peter!

 
Friday, January 25, 2008

 
Case Closed Posted by Sean @ 15:41 GMT

The volume of malware is increasing, and we rely on ever-increasing amounts of automation.

Our automated systems are necessary to manage the flow of new samples. The automation also assists us in predicting which samples are malicious and should be detected. We review the likely samples first.

Human analysts use tools such as IDA to view the code.

This sample wasn't very difficult to confirm as malicious:

IDA

The fact that it's a Backdoor is there in the code itself:

IDA

Add detection — case closed in only a few minutes — time to move on to the next.

 
Tuesday, January 22, 2008

 
New Symbian Worm in the Wild Posted by Jarno @ 08:57 GMT

We have been working on an interesting Symbian worm over the last few days. It affects S60 2nd Edition phones.

The SymbOS/Beselo family of worms is very similar to Commwarrior. In fact, at first we misidentified Beselo.A as Commwarrior.Y. Like Commwarrior, Beselo worms spread via MMS and Bluetooth, using social engineering to trick users into installing an incoming SIS application installation file.

But what makes Beselo interesting is that instead of the standard SIS extension, the Beselo family uses common media file extensions. This leads the recipient to believe that he is receiving a picture or sound file instead of a Symbian application. He is then far more likely to answer "yes" to any questions the phone prompts after clicking on such an incoming file.

The filenames used by Beselo are beauty.jpg, sex.mp3, and love.rm.

Sex MP3

However, just this use of a new social engineering trick was not enough to get more attention from us; we had added Beselo.A as Commwarrior.Y back in December. But last Friday and over the weekend, a friend working for a major telecom operator became interested in the extensions and did a bit of investigation into what was going on.

It turns out that Beselo.A was in the wild on their MMS network and that it had a big brother, Beselo.B.

Both of these worms have been able to escape attention for at least a while with the simple trick of pretending to be common media files.

So if you have a Symbian S60 phone and you receive a media file, answer "no" to any installation prompt that appears when trying to open the file. There is no reason for any image file to ask installation questions on the Symbian platform, so any image or sound file that does something other than play immediately is without question something other than what it claims to be.

Beselo worms are compiled for S60 2nd Edition phones. Attempting to open the file on a 3rd Edition phone will likely cause an error message rather than an installation prompt.
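The trick above works because the phone trusts the extension rather than the content. As an added example (not code from the original post or from F-Secure), the Python below compares an incoming file's leading bytes against the signatures of the media types Beselo imitates; the attachments are constructed, and the non-media bytes are a labelled placeholder, not a real installer header.

```python
"""Check whether an incoming file's content matches the media type its
extension claims. Added example with constructed inputs."""
import os

# Leading byte sequences (magic numbers) for the media types Beselo imitates.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),                                # JPEG
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),    # ID3 tag or MPEG frame sync
    ".rm":  (b".RMF",),                                        # RealMedia
}

def claimed_type(filename):
    """Extension the filename advertises, lower-cased, e.g. '.jpg'."""
    return os.path.splitext(filename)[1].lower()

def content_matches_extension(filename, data):
    """True if data starts with a known signature for the claimed extension,
    False if it does not, None if the extension is not in MAGIC."""
    signatures = MAGIC.get(claimed_type(filename))
    if signatures is None:
        return None
    return any(data.startswith(sig) for sig in signatures)

def triage(attachments):
    """Return {filename: verdict} for a list of (filename, first bytes)."""
    verdicts = {}
    for name, head in attachments:
        match = content_matches_extension(name, head)
        if match is None:
            verdicts[name] = "unknown extension"
        elif match:
            verdicts[name] = "content matches extension"
        else:
            verdicts[name] = "MISMATCH: content is not what the extension claims"
    return verdicts

# Constructed sample: one genuine JPEG header, one genuine RealMedia header,
# and two files that borrow the Beselo filenames but carry non-media bytes
# (a placeholder standing in for an installer, not a real SIS header).
SAMPLE_ATTACHMENTS = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("song.rm", b".RMF\x00\x00\x00\x12\x00\x01"),
    ("beauty.jpg", b"\x00\x00\x00\x00PLACEHOLDER-INSTALLER"),
    ("sex.mp3", b"\x00\x00\x00\x00PLACEHOLDER-INSTALLER"),
    ("readme.txt", b"hello"),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {verdict}")
```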

We also recommend having anti-virus software running on your phone. You can find ours at F-Secure.mobi; try it from your phone.

 
Friday, January 18, 2008

 
One Year Ago... Posted by Sean @ 16:10 GMT

One year ago — January 18th/19th depending on your timezone — a spam run began that resulted in the moniker "Storm" being given to a family of related malware.

Today, the Storm botnet is one of the more troublesome threats in existence.

How did it get the name?

One year ago Dan and Jusu shot some video of our WorldMap Live in action. We uploaded that video to our newly created YouTube Channel and were quite surprised by the number of views that followed.

The "Storm Video" now has 880,000+ views.

With that kind of mass attention, the name kind of stuck.

WorldMap

 
Video - Mac DNS Changer Trojan Posted by Sean @ 15:33 GMT

Unwanted Mac Software has been a recent topic…

With that in mind, Patrik produced a video demonstration of Trojan:OSX/DNSChanger.

Intego's warning about this malware came on October 31st. We made a follow-up post on November 6th regarding the growing number of variants. (It's currently up to Trojan:OSX/DNSChanger.BK by our count.)

The video demonstrates the results of the DNS changes made on a Mac OS X system:

DNSChanger Demo

It's available on the lab's YouTube Channel.

 
Wednesday, January 16, 2008

 
MacSweeper Responds Posted by Patrik @ 07:33 GMT

MacSweeper

Following yesterday's blog post, the developers of MacSweeper posted this comment:

I would like to explain all the situation, about MacSweeper.

We are really trying to make good software, and you won't find any viruses/spyware/trojans/malware in MacSweeper (test it yourself if you don't believe me; you can use any type of firewall, disassembler, or other tools).

The problem is that we are using selling partners that force us to use this marketing type. We would like to leave them; we don't want to completely destroy the good name of the MacSweeper application.

Personally I adore the Mac platform, and it hurts to hear that the program you wrote is said to be some kind of "rogue application"; I wouldn't like to destroy the good manners of software written for it :((

I would like to say sorry for all inconveniences that we could bring to you, but believe that MacSweeper is meant to be a useful application. You can ask questions, and I will try to answer them!

Thank You!
support@macsweeper.com


We'd like to ask our readers about their experience with MacSweeper and what they think of it. Leave your feedback as comments to this post.



Update: There's been a number of excellent comments made, so we've posted a short video on the Weblog's YouTube Channel:

YouTube FSLabs - MacSweeper Demo

 
Storm watching our every move? Posted by Patrik @ 01:35 GMT

That we are keeping track of the Storm gang goes without saying, but are they doing the same and watching what we in the security industry are up to?

On Dec 23rd we posted about a bet we had in the lab on when the Storm gang would start sending out Christmas-themed e-mails. One day later they did (after having been inactive for weeks).

Yesterday Symantec predicted that the next wave of Storm would use Valentine's Day as its theme, and sure enough, a few hours later we started seeing the love mails that Jojo (Jose) blogged about earlier today. Coincidence?

Really cool Skype phone; it has nothing to do with this post though.

 
Tuesday, January 15, 2008

 
From Storm With Love! Posted by Jose @ 21:40 GMT

Yet another wave of the Storm worm is now being spammed widely and this time it's all about love. They were late for Christmas, just in time for the New Year and really early for Valentine's Day. The filename being downloaded now is withlove.exe.

Storm heart


The subject lines are the same as were used during January of last year; you can find them here and here.

Here's a sample of the spammed e-mail:

Storm With Love Message


We now detect this as Email-Worm:W32/Zhelatin.PY.

Update: As the file on the websites is changing every 15 to 30 minutes, requiring us to release a new update every time, it's good to see that DeepGuard is proactively able to block this without any updates. No signatures required.

DeepGuard blocks Valentine's Storm


Note: We're only four days away from the one year anniversary of Storm, the first one being found shortly after midnight (in Helsinki) on Jan 19th, 2007.
 
First Rogue Cleaning Tool for Mac Posted by Patrik @ 04:56 GMT

We've just found the first Mac rogue application and it's called MacSweeper.

It claims to clean your Mac of compromising files, and it will always find something to fix/clean, but the only way to do so is to buy the program.

Buy MacSweeper


Once installed it will also randomly show a big popup window stating that your privacy is compromised and again prompt you to buy the program.

Popup by MacSweeper


Even more telling that it's a scam is the fact that when you visit the MacSweeper website from a PC and click on "Scan", it will tell you that you have security vulnerabilities in folders that only exist on a Mac, like system_root/home. Fake? Oh yeah…

Mac vulnerabilities on a PC


Looking more at their website we found that they have copied the text describing the company directly from Symantec and just changed the name.

About MacSweeper


About Symantec


Rogue/fake applications (scareware) such as this have been around for years on Windows (WinFixer, SpySheriff, et cetera). They're designed to trick people into thinking that they have security problems and that the only way to solve them is to buy the software. Up until now this has been a Windows-only problem, but that's not the case anymore.

So what does the first Mac rogue application really mean? It means that with the Mac's growing popularity and growing user base come certain problems that can't be ignored. Mac users will increasingly come under attack from bad guys, and this new rogue application and the constant stream of new DNSChanger variants are proof of that. It doesn't mean that the Mac is becoming less secure in and of itself. But it does mean that Mac users will have to watch out for social engineering tricks just like Windows users have had to do for years.

MacSweeper's sibling in the Windows world is called Cleanator.



Editor's Note — P.S. from Patrik:

Today I spoke with a journalist about MacSweeper and he said something that stuck in my mind.

"I visited the macsweeper.com website. I know I probably shouldn't have - but I used a Windows PC so I knew I wouldn't get infected."

Now that's something you don't hear everyday!
 
Sunday, January 13, 2008

 
Have you seen this man? Posted by Mikko @ 10:23 GMT

We've seen some MSN Messenger worms being spread around this weekend.

Once you get infected, your Messenger will start sending web links to all of your contacts. If they follow the links and download the prompted programs, they'll get infected too.

One of them (detected by us as Trojan.Win32.Agent.DWD) sends links titled "nakedfamily" or "naked4friends", and shows this image on your desktop once you get infected:

Naked?

 
Thursday, January 10, 2008

 
This blog post contains the words "V6J" and "5C6" Posted by Mikko @ 14:16 GMT

Got spam. Surprise surprise.

This time the link wasn't pointing to the spammer's website directly. Instead, it was pointing to Google:

January 1

So, it's making a Google search for the words V6J and 5C6 on a page that contains thereseason.com in the URL.

January 2

There can't be many pages like that on the net.

The link ends with "btnI=745". On Google, the btnI parameter activates the "I'm Feeling Lucky" feature, and Google redirects the user to the first search result.

As an end result, clicking the spam link takes the user to a spam drugstore.

January 3

It's interesting to note that such spam links can be hijacked. All you need to do is to create a page that contains the words V6J and 5C6 and has "thereseason.com" in the URL — and have it pop up as search result #1 in Google.
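A mail filter can spot this kind of link without following it: the URL itself says it is a Google search carrying btnI. As an added example (not code from the original post), the Python below pulls such links out of a message body and reports the words and the inurl:/site: operators being searched for; the message and the exact query string are constructed to mirror the post's description.

```python
"""Spot links that route through Google's search page with the
"I'm Feeling Lucky" parameter (btnI), which forwards the visitor to the
first hit. Added example with a constructed message."""
import re
from urllib.parse import urlsplit, parse_qs

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def analyse_search_redirect(url):
    """Return {'words', 'constraints'} if url is a Google search that
    auto-redirects to its first result, otherwise None."""
    parts = urlsplit(url)
    host = parts.hostname or ""   # already lower-cased by urlsplit
    # Accept google.com and its subdomains only, not look-alike hosts.
    if host != "google.com" and not host.endswith(".google.com"):
        return None
    if not parts.path.startswith("/search"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if "btnI" not in query or "q" not in query:
        return None
    terms = query["q"][0].split()
    # inurl:/site: operators narrow the search to the page meant to rank first.
    constraints = [t for t in terms if t.startswith(("inurl:", "site:"))]
    words = [t for t in terms if t not in constraints]
    return {"words": words, "constraints": constraints}

def suspicious_links(message):
    """All URLs in message that are search-engine redirects, with details."""
    found = []
    for url in URL_RE.findall(message):
        info = analyse_search_redirect(url)
        if info is not None:
            found.append((url, info))
    return found

# Constructed spam body; the redirect query mimics the post's example.
SAMPLE_MESSAGE = """Huge savings this week only!
http://www.google.com/search?q=V6J+5C6+inurl:thereseason.com&btnI=745
Unsubscribe: http://www.example.org/unsub
"""

if __name__ == "__main__":
    for url, info in suspicious_links(SAMPLE_MESSAGE):
        print("search redirect:", url)
        print("  searches for", info["words"], "restricted by", info["constraints"])
```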

There's lots of this spam going around. Also, the discount percentages of these guys seem to vary wildly…

January 4

 
Wednesday, January 9, 2008

 
Phishing from the Storm Botnet Posted by Mikko @ 11:43 GMT

Last night there was a phishing run using the domain i-halifax.com.

i-halifax

The IP address of the site was changing every second or so. The server i-halifax.com was an active fast-flux site and was hosted within a botnet.

i-halifax

Interestingly, when we picked out a random IP address from the list and resolved that address to other sites hosted in the past, we found something familiar:

i-halifax

Hmm… hellosanta2008.com… postcards-2008.com? Sounds like Storm.

So somebody is now using machines infected with and controlled by Storm to run phishing scams. We haven't seen this before.

But we've been expecting something along these lines.

From our end-of-year Data Security Wrap-up:

   October brought evidence of Storm variations using unique security keys. The unique keys
   will allow the botnet to be segmented allowing "space for rent". It looks as if the
   Storm gang is preparing to sell access to their botnet.

This may be what's happening now.
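Both the PHP bot described earlier this month (nine fast-fluxing domains) and i-halifax.com (a new address every second or so) show the same fast-flux signal: many addresses spread over unrelated networks, short TTLs, and nearly every lookup returning a previously unseen address. As an added example (not part of the original posts and not F-Secure's tooling), the Python below scores a constructed set of DNS answers on those properties; the IP addresses come from documentation ranges, the example.net rows are a stable control, and the thresholds are assumptions.

```python
"""Flag fast-flux behaviour in a stream of DNS answers.
Added example with constructed observations."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed observations: (seconds since start, queried name, answer IP, TTL).
# i-halifax.com mimics the post: a new address almost every second, short TTLs.
# example.net is a stable control: two addresses, day-long TTL, no churn.
OBSERVED = [
    (0, "i-halifax.com", "192.0.2.10", 30),
    (1, "i-halifax.com", "198.51.100.7", 30),
    (2, "i-halifax.com", "203.0.113.44", 30),
    (3, "i-halifax.com", "192.0.2.201", 30),
    (4, "i-halifax.com", "198.51.100.99", 30),
    (5, "i-halifax.com", "203.0.113.8", 30),
    (0, "example.net", "192.0.2.50", 86400),
    (60, "example.net", "192.0.2.51", 86400),
    (120, "example.net", "192.0.2.50", 86400),
]

def summarise(observations):
    """Per domain: lookups, distinct IPs, distinct /24 networks, min TTL, span."""
    by_name = defaultdict(list)
    for ts, name, ip, ttl in observations:
        by_name[name].append((ts, ip, ttl))
    stats = {}
    for name, rows in by_name.items():
        ips = {ip for _, ip, _ in rows}
        # /24 diversity is a cheap stand-in for "hosted on unrelated networks".
        nets = {ip_network(ip + "/24", strict=False) for ip in ips}
        times = [ts for ts, _, _ in rows]
        stats[name] = {
            "lookups": len(rows),
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "min_ttl": min(ttl for _, _, ttl in rows),
            "span_seconds": max(times) - min(times),
        }
    return stats

def is_fast_flux(s, min_ips=5, min_nets=3, max_ttl=300, min_churn=0.5):
    """Heuristic (thresholds are assumptions): many addresses across several
    networks, short TTLs, and most lookups returning a new address."""
    churn = s["distinct_ips"] / s["lookups"]
    return (s["distinct_ips"] >= min_ips and s["distinct_nets"] >= min_nets
            and s["min_ttl"] <= max_ttl and churn >= min_churn)

def flagged_domains(observations):
    """Sorted list of domains whose answer pattern looks like fast flux."""
    return sorted(n for n, s in summarise(observations).items() if is_fast_flux(s))

if __name__ == "__main__":
    for name, s in summarise(OBSERVED).items():
        print(name, s, "FAST-FLUX" if is_fast_flux(s) else "ok")
```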

 
First New Year Patch for 2008 Posted by Esz @ 01:49 GMT

It's time to patch again, and below is the list of critical and important updates Microsoft has for January 2008.

These updates involve vulnerabilities in Windows TCP/IP and a vulnerability in LSASS.

Jan MS08

For more details on these updates, here's the link to Microsoft's Security Bulletin.

 
Tuesday, January 8, 2008

 
F-Secure Health Check Posted by Sean @ 15:41 GMT

Keeping your Windows OS updated has become relatively simple with Microsoft Updates.
Web browsers such as Firefox also regularly prompt for updates.

But what about the rest of your applications?

Regular readers may remember past Security Advisories that we've posted.
See October 22nd, November 7th, and December 10th for examples.

We also conducted a poll five weeks ago:

Question #3

It appears that many people are uncertain if their computers are fully patched when there are third party updates involved.

Q — What can you do about it?
A — F-Secure Health Check.

Health Check is a free online tool designed to help consumers identify security updates needed on their computers.

F-Secure Health Check

Health Check currently requires Internet Explorer. Additional browser support will be added in the future.

The official launch page: https://www.f-secure.com/healthcheck/

Click here to launch Health Check directly.

 
Trojan Software for iPhone Posted by Jarno @ 08:57 GMT

Over the weekend we received reports of a malicious software package created for unlocked iPhones.

The trojan installation package contains false application installation information that causes legitimate third party applications to be removed if the trojan is uninstalled from the iPhone.

The first warnings about the trojan were published on the following site: http://www.modmyi.com/
Thread: http://www.modmyi.com/forums/showthread.php?t=24323

Web sites hosting the malicious package were taken offline soon after the discovery of the low-risk threat.

Hopefully this serves as a warning for those who have opened their iPhones using a security hole in the system and then install unverified software without a second thought about what they are doing.

This time it was an 11-year-old kid playing with XML files who created the trojan. Next time it might be someone else with more skills and a specific target.

 
Monday, January 7, 2008

 
Published Bank Account Numbers Used for Charity Posted by Sean @ 15:22 GMT

Is it a good idea to publish your bank account information in the pages of a newspaper? No, but you probably knew that didn't you?

It seems that Jeremy Clarkson of Top Gear needed to learn the hard way…

BBC News has an "entertaining" story of Clarkson's experience.

The HM Revenue and Customs office recently lost two CDs containing 25 million people's personal details. Clarkson apparently didn't consider the lost data to be a serious concern. So he published his own bank account details in the Sun Newspaper.

And what was the predictable result?
Someone used the details to create a £500 direct debit to a charity called Diabetes UK.

Top Gear is popular among the folks in the lab. It airs on MTV3 here in Finland:

http://www.mtv3.fi/ohjelmat/sivusto.shtml/sarjat/top_gear?etusivu

 
Thursday, January 3, 2008

 
Phish(Face)book! Posted by Esz @ 09:37 GMT

We recently came across a phishing attack targeting Facebook.

Phishers are apparently using hacked Facebook accounts to post links to a fake login page on other people's "Wall posts".

The phishing site is still currently online. Here's a screenshot:

Facebook Phishing

Be wary of clicking on those links out there, even if they seem to (genuinely) come from your friends!

Hat tip to Techcrunch.

 
Wednesday, January 2, 2008

 
Hupigon and On and On Posted by MikkoHy2 @ 15:59 GMT

Do you remember the time when the creator of a computer virus would spend days and nights to produce his new malware? Well I don't — but I'm rather new to the job of Response Analyst — nowadays a "malware author's" life is much easier.

For example, the Hupigon family has spread across the Internet with thousands and thousands of variants. You'll find it frequently in our list of database updates.

Hupigon is a very common family of backdoors. Why is it so common? Kits.

I'll give you an example of how variants are made. First, we acquired a copy of the Hupigon kit. It's very easy to use and to control infected computers (for Chinese speakers at least).

This is the main interface. It's highly polished and feels professionally designed:

Hupigon

Okay, next I can choose the option for "Fast Configuration".

Here's what the default setting looks like:

Hupigon

With the Fast Configuration, you only need to check the desired options and then you're ready to create the variant. It's pretty simple.

So what's the purpose of this backdoor?

Many things are possible. You can record the victim's webcam, send a message to them, copy their files, send additional stuff to their computer, steal passwords, and of course use the infected computer for DDoS attacks.

Here are the DDoS options:

Hupigon

Basically, you can control the victim's computer remotely.

You can read more of the details from the family description.

As I don't speak Chinese very well — I've only spent about six months in a Chinese speaking country — I recruited one of our Quality Engineers from upstairs. A big thanks goes to Feng Ping for her assistance.

Signing off,
Mikko Hy2 (Another Mikko in the lab, not Mikko Hyppönen)

 
Half-a-Million Posted by Sean @ 14:48 GMT

Our recent Data Security Wrap-up predicted we'd reach half-a-million malware detections by the end of the year.

And in fact — we did reach 500K of detections during the last week of December. Quite the way to end 2007…

Malware Growth by Year

Work in the Response Labs continued during the holiday season, but with reduced staffing. So now we've had a bit of rest and are recharged for the year ahead.

That's a good thing too because we predict that 2008 will be busier than ever.