NEWS FROM THE LAB - January 2010


Saturday, January 30, 2010

Texaco Offers You a Job For £8500 a Month Posted by Mikko @ 17:04 GMT

Online criminals need people to move their money so they themselves don't get caught. We call these Money Mules.

Most money mule recruitment is done in the name of a fictitious company, but sometimes the scammers simply lift a well-known brand.

Here's an example of a recent money-mule ad that has been spammed around in the name of Texaco, the oil company:


The e-mail originated from an IP address in Lagos, Nigeria. I guess Texaco must be doing some drilling over there.

The PDF contains no exploits and looks like this:


The text reads, in part:

  Texaco/Chevron Downstream Europe
  1 Westferry Circus Canary Wharf
  London E14 4HA

Dear Job Candidate,

The TEXACO Online Employment System wish to inform you that your posted
information online has been carefully and confidentially reviewed by our
Recruitment Team Professionals and we have considered under our current
vacant opportunities within the Firm to employ you for work in our company.

TEXACO Online Employment System is affiliated to various job recruitment
websites and your information was submitted to us by our online agent that
submit job candidate resumes for consideration of employment depending on
the vacancies we have in any branch of TEXACO Company Worldwide.

As regards to this, you have been automatically granted this employment to
work in TEXACO Oil & Gas Field with a monthly salary of Eight Thousand
Five Hundred Pounds (£8,500).

Kindly acknowledge the content of this message by reconfirming your interest
in working for us and indicating your area of job interest, ensuring that you
have quoted your vacancy title below or send your CV with a covering letter.

For further details relating to your employment, kindly send an email to
Texaco/Chevron Downstream Europe H/R Recruitment Service Department / /

  Paul Matins
  HR Recruitment Manager

Do note the suspicious contact information like and the top-level domain .ms, which belongs to a small Caribbean nation called Montserrat.

The website at looks like this:


Don't apply… although the salary looks good and you get to name your own area of job interest, I'm sure your job would include picking up cash and wiring it to far-away places with Webmoney, Western Union and Fethard Finance.

Friday, January 29, 2010

Twittering Widgets Posted by Sean @ 16:04 GMT

I've been playing with Twitter's Goodies this afternoon. The Profile Widget is pretty cool.

Here's Mikko's tweets:

It's JavaScript, click here if you're reading from an RSS feed.

Signing off,


Thursday, January 28, 2010

Is the lack of iPad Flash support for security? Posted by Sean @ 09:21 GMT

We've received some questions regarding Apple's iPad, and whether or not the lack of Adobe Flash support is for security reasons.

Well, no, we don't think so.

True, Adobe Flash has been exploitable in the past, and it will undoubtedly be so again, but we think it's more a matter of practicality and not security.

Flash is processor, battery, and bandwidth intensive. Mobile networks and devices are not yet suitable.

Jeff Glueck, the chief executive of Skyfire, very nicely summed up the issue two days ago here at VentureBeat.

Apple's iPad


Wednesday, January 27, 2010

Loose Tweets Sink Fleets Posted by Mikko @ 15:11 GMT

Information leakage is a real problem.

Loose Tweets Sink Fleets (c) Brian Lane Winfield Moore

It's especially bad for high-security organizations, like military agencies.

And it's now harder than ever, thanks to services such as Flickr, Photobucket, Facebook, Twitter and Myspace.

So, we worked together with Lewis Communications to submit a Freedom Of Information Act request to the Ministry of Defence in the UK, asking if they've had problems with this.

After waiting some weeks, we got a reply back, detailing that UK military personnel and Ministry of Defence staff have leaked secret information 16 times on social networking websites and Internet forums.

People might think they are confiding in friends or family when they go on Facebook, for example, but in fact they might be making information available to everybody. Such mistakes can happen especially now that Facebook has been modifying their privacy settings.

Here's Sky News' take on this.

FOIA reply

"Loose Tweets Sink Fleets" Poster image credit: Brian Lane Winfield Moore


Tuesday, January 26, 2010

Facebook Mischief Posted by Sean @ 14:18 GMT

Facebook recently published a nice new feature: Reply to this email to comment on this status.

This seems like a very handy feature to have if you're trying to converse with friends on the go.

But is it secure?

As it turns out, based on our testing, anyone can use the Reply To address, from any e-mail account.

Of course, the notification links are only sent to the account holder's primary e-mail, but we all know just how often e-mail accounts are phished/hacked, right?

Matti Meikäläinen

Try it yourself. Send an e-mail message to this address, include a subject message, and you'll see the results, posted in Matti's name, here.

Coming soon to a comment near you — EMAIL REPLY SPAM.


Twitter as a Professional Tool Posted by Mikko @ 08:04 GMT

I've never been a fan of social networks.

Twitter Logo

I'm not on Facebook. Or Myspace. Or LinkedIn.

But last year I decided to take a look at this Twitter thingy.

I gave myself a trial period of a couple of months, until the end of 2009, to decide if Twitter is useful or not. And if I didn't find it useful, I would quit using it.

During these months I've learned that Twitter is quite different from the other social networks. It is actually quite useful as a professional tool.

Many don't really understand what Twitter is all about. They think it's a system where people can tell others about their daily chores ("just had corn flakes for breakfast!"). This is not what Twitter is for.

Twitter is at its best when experts in their own field share notes, links and pointers to important developments they see.

In the field of data security, that would be a note about a new vulnerability. A major outbreak. Phishing run. Or something else.

And today, the place where you would hear about it first would be Twitter. Not the news. Not the blogs. Twitter.

I myself have now reached 5000 followers on Twitter (thanks!) and plan on continuing.

And the neat thing about Twitter is that you don't need to even sign up. It's all public.

You can just browse anyone's Tweets or make a global search on

Before Twitter, when something major would be going on, the first warnings and initial discussion about it would be in private – via e-mail, private mailing lists and text messages. Now much of that would happen in Twitter – in public. And you wouldn't even need to have a Twitter account to follow it.

As an example, let's say that a major website like TechCrunch got hacked. Just by searching for "techcrunch hacked" in Twitter you would be able to see the very first warnings, read what the buzz is and get the first expert opinions.

TechCrunch hacked

And the best part: Twitter is full of interesting figures from the field of computer security.


Signing off,


Monday, January 25, 2010

Alarm in show_ads.js Posted by Mikko @ 18:31 GMT

Some of our antivirus products had a brief false alarm today. The alert was from a common JavaScript file called show_ads.js. The false alarm was for a trojan called

The false alarm has been fixed in our update 2010-01-25_17.

This only affected our older products, such as the 2009 product range. F-Secure Internet Security 2010 had no issues.

We apologize for the false alarm. Sorry.


Book: "Fatal System Error" Posted by Mikko @ 15:19 GMT

There's a new book out on cyber crime. This one is written by Joseph Menn. Joseph has covered computer security for the Financial Times and the Los Angeles Times for years.

The book is called Fatal System Error.

Fatal System Error

The book covers in detail several interesting real-world stories on computer criminals. For example, it covers the history of online crime sites like Carderplanet, Shadowcrew and DarkMarket. It talks about the credit card thefts of Albert Gonzales. It even talks about Ghostnet and some of the targeted attacks that have now been in headlines.

And there's a very detailed rundown on what happened with the so-called Balakov Trio which we have mentioned in our blog before.

Fatal System Error

The book is due for release tomorrow, 26th of January.


Thursday, January 21, 2010

Targeted Attack Using "Operation Aurora" as the Lure Posted by Mikko @ 15:15 GMT

Now here's an interesting turn of events.

In the middle of all the attention to the "Operation Aurora" attacks, we're now seeing new targeted attacks that are using this very event as the lure to get the targets to open a malicious attachment!

Here's the e-mail we saw (the mail was forged to look like it came from

   From: david████
   Date: Wed, 20 Jan 2010 09:26:24
   To: (email addresses of the targets)
   Subject: Chinese cyberattack
   Attached is a short piece I just wrote for the Far Eastern Economic Review about Chinese cyberattack.
   I hope you find it interesting.
   If you have any good idea / comments, are warmly welcome to feedback.
   Attachment: .pdf Chinese cyberattack.pdf

The attachment Chinese cyberattack.pdf (md5: 238ecf8c0aee8bfd216cf3cad5d82448) is a PDF file which exploits the CVE-2009-4324 vulnerability in Adobe Reader (again, this is the one which was patched last week).

The exploit drops and runs a backdoor called Acrobat.exe (md5: 72170fc42ae1ca8a838843a55e293435). We detect this as W32/PoisonIvy.NQ. The PDF is detected as Trojan.Script.256073.


Intelligence Sector Hit by a Targeted Attack Posted by Mikko @ 14:52 GMT

We just blogged about a highly targeted attack against military contractors.

Now we saw one against the intelligence sector.

This attack was done with a PDF file. Again.

It was targeting the CVE-2009-4324 vulnerability. Again.

When opened, the PDF file (md5: c3079303562d4672d6c3810f91235d9b) looked like this:


What really happens in the background? Just like last time, the exploit code drops a backdoor in a file called Updater.exe (md5: 02420bb8fd8258f8afd4e01029b7a2b0).

Now, what is the document talking about? President's day? DNI Information Sharing Environment? We don't know, but a quick web search tells us that apparently there is going to be an Intelligence fair & expo in Germany next month.


Hmm. The Agenda looks awfully familiar.

We detect the files as Exploit.PDF-JS.Gen and Trojan-Spy:W32/Agent.NBZ.


Microsoft Vulnerabilities Posted by Sean @ 14:33 GMT

Microsoft is releasing an out-of-band update for their IE vulnerability.

Internet Explorer 6 is affected and is being actively exploited in the wild.

The patch will be released on the 21st, today; see Microsoft's Security Bulletin for additional details.

Updated to add: Microsoft Security Bulletin MS10-002.

What version of Internet Explorer do you have installed? (Poll)

Poll results

Also in Microsoft news, Security Advisory (979682). There's a privilege-escalation vulnerability in the Windows kernel.

The vulnerability affects all versions of Windows (NT 3.51 up to Windows 7) on non-x64-based systems, unless 16-bit application support is disabled.

There's a workaround for disabling 16-bit support provided in Microsoft's Security Advisory.

Disabling 16-bit applications will mitigate the issue. Then, you'll be all set.

Unless you happen to use a 16-bit, 420 byte tool, from 1998, to convert hex to dec…


Some people still use such apps in 2010, for real.


Tuesday, January 19, 2010

To IE or Not to IE : That is the Question Posted by Sean @ 17:51 GMT

Internet Explorer's latest vulnerability is causing Germany and France to advise against its use.

That's a bit overkill, though we do recommend using another browser by default.

We're curious, how many of our readers have tried the option of turning off Internet Explorer 8 in Windows 7?

Turn Windows features on or off

Our commenting system is back online, leave your comments here.


Monday, January 18, 2010

On-going Targeted Attacks Against US Military Contractors Posted by Mikko @ 12:54 GMT

F-Secure Labs has learned of another interesting targeted attack. In this case, malicious PDF files were e-mailed to US defense contractors. While the "Aurora" attacks against Google and others happened in December 2009, this happened just last week.

The PDF file was quite convincing and it looked like it came from the Department of Defense:

PDF file md5 hash: c144581973fe16a6adca09e0d630bf63

The document talks about a real conference to be held in Las Vegas in March.

When opened in Adobe Reader, the file exploited the CVE-2009-4324 vulnerability. This is the vulnerability that Adobe patched last Tuesday.

The exploit dropped a file called Updater.exe (md5: 3677fc94bc0dd89138b04a5a7a0cf2e0). This is a backdoor that connects to IP address In order to avoid detection, it bypasses the local web proxy when doing this connection.

Anybody who controls that IP will gain access to the infected computer and the company network. This particular IP is located in Taiwan.
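The three targeted-attack posts on this page (the one above and the two from January 21) all publish MD5 hashes of the PDF lures and of the Updater.exe / Acrobat.exe backdoors they drop, and all three PDFs exploit CVE-2009-4324, which is triggered through JavaScript embedded in the document. The following script is an added example, not F-Secure's detection logic or code from the posts: it hashes files against those published MD5s and applies a plain heuristic that flags PDFs carrying /JavaScript or /JS objects (and executables whose file name pretends they are documents). The sample files it scans are constructed inline and are inert; the verdict names and the `KNOWN_BAD_MD5` descriptions are this example's own choices.

```python
"""IoC triage helper (added example, not F-Secure's detection code).

Matches files against the MD5 hashes published in the January 2010
targeted-attack posts and flags PDFs that embed JavaScript, the trigger
used by the CVE-2009-4324 exploits those posts describe.
"""
import hashlib
import re

# MD5 hashes as published in the posts (PDF lures and dropped backdoors).
KNOWN_BAD_MD5 = {
    "c144581973fe16a6adca09e0d630bf63": "PDF lure, DoD conference decoy (Jan 18 post)",
    "3677fc94bc0dd89138b04a5a7a0cf2e0": "Updater.exe backdoor (Jan 18 post)",
    "c3079303562d4672d6c3810f91235d9b": "PDF lure, intelligence sector (Jan 21 post)",
    "02420bb8fd8258f8afd4e01029b7a2b0": "Updater.exe backdoor (Jan 21 post)",
    "238ecf8c0aee8bfd216cf3cad5d82448": "PDF lure, Chinese cyberattack.pdf (Jan 21 post)",
    "72170fc42ae1ca8a838843a55e293435": "Acrobat.exe backdoor, PoisonIvy (Jan 21 post)",
}

# PDF name objects worth a second look: /JavaScript and /JS carry script,
# /OpenAction and /AA can run an action as soon as the file is opened.
SUSPICIOUS_PDF_KEYS = re.compile(rb"/(JavaScript|JS|OpenAction|AA)\b")


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string (MD5 only because the posts publish MD5s)."""
    return hashlib.md5(data).hexdigest()


def is_pdf(data: bytes) -> bool:
    """Adobe Reader accepts a %PDF- header anywhere in the first 1024 bytes."""
    return b"%PDF-" in data[:1024]


def is_pe(data: bytes) -> bool:
    """Windows executables start with the 'MZ' DOS stub signature."""
    return data[:2] == b"MZ"


def classify(name: str, data: bytes, known=KNOWN_BAD_MD5) -> dict:
    """Return hash match, format facts and a verdict for one file."""
    digest = md5_hex(data)
    pdf = is_pdf(data)
    keys = sorted({m.group(1).decode() for m in SUSPICIOUS_PDF_KEYS.finditer(data)}) if pdf else []
    result = {
        "name": name,
        "md5": digest,
        "known_bad": known.get(digest),   # description string or None
        "is_pdf": pdf,
        "is_pe": is_pe(data),
        "pdf_keys": keys,
    }
    if result["known_bad"]:
        result["verdict"] = "known-bad"
    elif pdf and ({"JavaScript", "JS"} & set(keys)):
        result["verdict"] = "suspicious-pdf"          # script inside a PDF: review before opening
    elif result["is_pe"] and name.lower().endswith((".pdf", ".doc", ".txt")):
        result["verdict"] = "masquerading-executable"  # MZ header behind a document name
    elif pdf and keys:
        result["verdict"] = "review-pdf"              # auto-actions but no script: low priority
    else:
        result["verdict"] = "no-indicator"            # nothing from this checklist matched
    return result


def scan(samples: dict) -> dict:
    """Map file name -> verdict for a {name: bytes} collection."""
    return {name: classify(name, data)["verdict"] for name, data in samples.items()}


# Constructed, inert sample files for a stand-alone run.
SAMPLES = {
    # Minimal PDF whose catalog runs a JavaScript action on open.
    "agenda.pdf": (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                   b"2 0 obj\n<< /S /JavaScript /JS (app.alert('x');) >>\nendobj\n%%EOF\n"),
    # Minimal PDF with no actions or script.
    "benign.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n",
    # A PE stub named like a document.
    "report.pdf": b"MZ" + b"\x90" * 62 + b"PE\x00\x00",
    # A PE stub with an honest extension and no published hash.
    "Updater.exe": b"MZ" + b"\x00" * 62 + b"PE\x00\x00",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = classify(name, data)
        print(f"{name:12} md5={r['md5']} verdict={r['verdict']} keys={r['pdf_keys']}")
```

Hash matching only catches the exact samples the posts describe, which is why the PDF heuristic sits beside it: a re-packed lure gets a new MD5 but still needs its JavaScript object to trigger this bug, so "script in a PDF received by e-mail" remains a useful review trigger even after the hash list is stale.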



F-Secure's Exploit Shield Blocks the "Aurora" Exploit Posted by Alia @ 05:52 GMT

Microsoft recently announced a new vulnerability in certain versions of its Internet Explorer web browser. If exploited, the vulnerability (CVE-2010-0249) can allow remote code execution.

Announcement of this vulnerability follows on the heels of last week's targeted zero-day attacks against a number of companies.

Since we are talking about a targeted attack, many companies and organizations have contacted us asking about solutions for attacks like this. We're happy to report that F-Secure Internet Security blocked this exploit proactively. This is made possible by the Exploit Shield element in our Browsing Protection feature.

So far we've only seen a handful of samples that exploit this vulnerability. To protect users with older versions of our products and to add gateway detection, we have added specific detection for the known samples as well. We detect the exploit code as Exploit:JS/Agent.MZF, while the payload is detected as Exploit:JS/Comele.A.

Below is a quick video showing the Exploit Shield feature in action. It isn't narrated, but the whole thing is pretty straightforward.

Not all antivirus solutions are equal. Our Exploit Shield was able to block "Operation Aurora" attacks before they were made.


Friday, January 15, 2010

JiLsi in Court Posted by Mikko @ 07:20 GMT

Renu Renukanth Subramaniam aka JiLsi

Yesterday in Blackfriars Crown Court in London, Mr. Renu Subramaniam aka JiLsi pleaded guilty to "conspiracy to defraud" and to five counts of "furnishing false information". Judge John Hillen warned it was "inevitable" he faced a "substantial sentence".

This is the last development in the Darkmarket Sting Operation, where FBI hero Special Agent Keith Mularski worked undercover for two years, operating a message forum for online criminals, posing as one of them. The operation ended last fall with 60 arrests around the world.

The most famous arrest to come out of this sting operation was the arrest of Çağatay Evyapan in Turkey. Mr. Evyapan, known online as "cha0" was arrested in a raid by a special unit of the Turkish police.

JiLsi was one of the co-administrators of Darkmarket with agent Mularski and had no idea he was working with a "fed".

For more information and screenshots we took from inside Darkmarket when it was still up, see our blog post from last May.


Thursday, January 14, 2010

Facebook Privacy Doesn't Really Exist Posted by Sean @ 11:15 GMT

Facebook recently rolled out new privacy settings that provide additional publishing controls.

For example, Facebook users can now publish a photo to a selected list of friends.


Clicking the "lock" icon opens the Custom Privacy settings.


Once a photo is selected and the privacy options are set, the next step is to Share.


As you can see, the default setting is set for Only Friends and this particular post is set for Only Me.


So only Matti Meikäläinen can see this image, right?


Well… almost, but no, not quite. There is one large loophole to all this.

Do you see the link, highlighted in red?


That's right! The photo can be shared with anyone by sending them this public link.

Absolute privacy on Facebook (and the Internet) is an illusion, it doesn't really exist. Relative privacy is the best that we can hope for.

Should we panic about this?


There's a very simple solution. If you absolutely don't want to share it, then don't upload it to a SOCIAL networking site.

And fortunately, most of the people that we've surveyed appear to have enough common sense to understand the costs and benefits of sharing.

P.S. It would, however, be nice if Facebook users could disable the share with anyone option.

We haven't seen it in the wild, but it would be rather trivial for a worm such as Koobface to collect such URLs when an account is compromised. Recovering the account and resetting the password won't invalidate access to these links.


Haiti Earthquake: Another Rogue Rides the News Posted by Response @ 08:28 GMT

A day after the disaster that struck the Caribbean nation of Haiti, Rogue perpetrators have once again been busy with their SEO poisoning schemes. Searching for terms related to this earthquake leads to a website that installs a Rogue into the system.

It happens when an unsuspecting user searches for Haiti Earthquake details.

hai-1 (14k image)

Happily clicking the link leads to this page:

hai-2 (25k image)

Then this…

hai-3 (38k image)

And this…

hai-4 (50k image)

Wait! What's that? F-Secure?!? Nice try… We definitely don't support this malware.

After dragging the F-Secure name to its wares… It finally downloads the rogue component.

hai-5 (50k image)

Installs itself, then scares the user.

hai-6 (42k image)

Threats found? Don't believe it.

The downloader and the rogue component are already detected in the latest database updates; users would be well advised to keep their antivirus databases updated.

Response post by — Chris & Mina


Wednesday, January 13, 2010

Targeted Attacks Against Google Posted by Mikko @ 10:06 GMT

Over the last few years, we've worked with dozens of companies that have been hit with targeted attacks, i.e. espionage trojans. Not a single one of these companies went public with the information.

Amazingly, Google has now done just that. They've announced they were hit with a targeted trojan. The aim of the attack was to gain access to the Gmail accounts of Chinese human rights activists. Google also goes on to directly blame the Chinese Government for the attack, and announces that as a result, they plan to stop censoring search results. Wow.

We believe the attack was launched via a convincing e-mail with an exploit-ridden PDF attachment. Updated to add: We were wrong, the attack was done with an IE 0-day attack instead.

Adobe yesterday released security updates for Adobe Reader, closing several vulnerabilities.

Amazingly, at the same time Adobe has also announced that they were hit by a targeted attack as well. Maybe somebody was trying to gain access to their development systems in order to find out new vulnerabilities for future attacks?


We have warned about attacks like this several times.

To get a better idea of how these attacks work, here's a YouTube video we have created about Targeted Attacks:


And here's another video that shows a screen capture of what it actually looks like when you open a booby-trapped PDF file.

And here are selected blog posts on the topic:

  •  Case Ghostnet
  •  Behind Ghostnet
  •  Several examples of what the attack documents have looked like
  •  The mystery of Sergeant "nbsstt"
  •  How we found the PDF generator used in some of these attacks


Tuesday, January 12, 2010

It's Nice To Get Noticed Posted by Mikko @ 13:48 GMT

Looking at a random new incoming malware sample in our sample automation systems. Notice the Mutex names it uses:


Hey STFU yourself, why don't you?

P.S. We detect the sample as Email-Worm:MSIL/Agent.MXK.


Monday, January 11, 2010

Warning On Possible Android Mobile Trojans Posted by Mikko @ 13:49 GMT

Google's Android mobile operating system has been out for a while and is generating more and more interest.

Now there has been some buzz about fraudulent applications being posted on the Android Market. See these postings:



Both of these apps were written by an anonymous developer known as 09Droid.

In fact, he had a whole collection of online banking applications for sale on the Market:

(image courtesy of Brandon McGee)

These applications were being sold, but it's still unclear what exactly they did. We haven't been able to secure a copy for ourselves yet, so we don't know either.

Since the applications were not developed or authorized by the banks themselves, they could not do real online banking from the Android device. Apparently they only opened the web interface of the online bank for the user. On the other hand, they could have stolen user credentials.

We can't ask these questions of Mr. 09Droid himself either, as he is nowhere to be found. His applications have been removed from the market, and his contact information points to an empty Blogspot page.


In the meanwhile, many of the affected banks have been assuming the worst and have issued public warnings to their customers. Here's an example warning from Bayport Credit Union:


In any case, we recommend that users remove applications from 09Droid from their Android devices.

Updated to add: Developer 09Droid had at least the following applications for sale in Android Marketplace. They have all been removed.

Abbey Bank
Alaska USA FCU
Alliance & Leicester (v. 1.1)
Bank Atlantic
Bank of America
Bank of Queensland
Barclaycard (v. 1.1)
Barclays Bank (v. 1.2)
City Bank Texas
Commerce Bank
Compass Bank
Deutsche Bank
Fifty Third Bank v.1.1
First Republic Bank v.1.1
Great Florida Bank
Grupo Banco Popular
HSBC US (v. 1.2)
ING DiBa v.1.1
Key Bank
Mechanics Bank v.1.1
MFFCU v.1.1
Nationwide (v. 1.1)
NatWest (v. 1.1)
Navy Federal Credit Union (v. 1.1)
Royal Bank of Canada
RBS v.1.1
TD Bank v.1.1
US Bank v.1.2
USAA v.1.1
Valley Credit Union
Wachovia Corp (v. 1.2)
Wells Fargo (v. 1.1)


Ready, Set, Update Posted by Sean @ 12:53 GMT

We have a reminder for you — tomorrow is Update Tuesday — and there are more than Microsoft's update(s) coming.


If you recall, we posted on the 15th of December about an Adobe Reader/Acrobat 0-Day vulnerability. There are limited exploits being used in targeted attacks. We detected that exploit as: Exploit:W32/AdobeReader.UZ.

There have been reports of additional exploits since then. SANS Diary has an excellent write up from the 4th of this month. We detect the referenced exploit as Exploit:JS/Pidief.CKJ.

This is what the PDF decoy looks like:


See Adobe's Security bulletins and advisories for more details, and prepare for testing and deployment.



Friday, January 8, 2010

Ransomware - Buy Back Your Own Files Posted by Alia @ 02:08 GMT

We haven't seen ransomware for a while, so a recent scheme that mixed elements of modern rogueware pushing and old-school ransomware attempts was rather interesting.

The preliminary work is done by a program we detect as Trojan:W32/DatCrypt, which makes it look as if certain files — mostly Microsoft Office documents, video, music and image files — on the infected system had been "corrupted":

Trojan.W32.Datcrypt, Notice

Actually, the files have been encrypted by DatCrypt.

Next, the trojan advises the user to download and execute the "recommended file repair software":

Trojan.W32.Datcrypt, Message

Which we detect as Rogue:W32/DatDoc.

If the utility is downloaded and executed, the luckless user finds that it can "only repair one file in unregistered version":

Rogue.W32.Datdoc, Decryption

To repair — or more accurately, decrypt — anything more, the user has to buy the product.

Think about this from the user's point of view. "Oh my god I've lost my important files!" "Thank god I found this great product that recovered them perfectly for just $89.95" "I'm going to recommend Data Doctor to all my friends". Effectively, the user is forced to pay a ransom for his own files, and the user doesn't even realize he's paying a ransom.

This scheme works on the assumption that the user wants the affected files badly enough to be willing to pay to recover them — and that the user hasn't prudently saved copies of these files elsewhere. The attack would probably lose its bite if the user could just say, "oh well…", delete the "corrupted" files and retrieve the backups.

So this would be a good time to remind everyone to back up their important files regularly, either onto removable media like CDs, DVDs or USB thumb drives, or to online resources such as our Online Backup.

Because having to pay someone to get back a copy of your homework, or tomorrow's presentation, or your mom's favorite recipe, is just… annoying.

Many thanks to Adam Thomas from Sunbelt for providing samples of the dropper, and Chang for the initial analysis.


Thursday, January 7, 2010

University Course on Malware Analysis Posted by Antti @ 12:58 GMT

For two years now, we've been co-operating with the Helsinki University of Technology, having researchers from the F-Secure Labs giving lectures on a course dedicated to the topic.

We have good news: this spring is no exception! We're going to cover topics from reverse engineering to antivirus engine internals, including homework puzzles that will make the students test their skills with actual tools of the trade like IDA Pro and Ollydbg.

Now, although we won't give out actual malware samples to the students, we try to cover a lot of real cases in the lectures. Something that hasn't changed over the years is the habit of malware authors leaving secret messages in their creations. As I was going through samples to show, I picked out a few examples. Here's a boot sector infected by Brain, the first PC virus from 1986:

Boot sector infected by Brain

And here's a rootkit driver seen in the wild during the Christmas holidays of 2009, trying to make the message a bit less easy to spot:

Strings in a TDL3 rootkit variant

We'll touch on both cases during the lectures.

If you're not a student at the university, you can view the course material from the course page, where we'll post new material as the course progresses.


Wednesday, January 6, 2010

Wallpapers - Retrospective Posted by Alia @ 08:00 GMT

One of our readers recently sent us a wallpaper he created, using our new style and logo:

It was a nice gesture — thanks George Janiashvili!

His work looks a bit like a re-imagined version of our old WorldMap wallpaper:

WorldMap 25.01.2007

We've had a few F-Secure wallpapers over the years, most of them pretty simple and unadorned – nothing fancy.

Still, a couple readers have asked after one of our older wallpapers:

Be Sure

So here it is in 1400x1050.

A quick look around the Response Lab shows that, funnily enough, quite a few of us are still using our even older, early 90s-style wallpaper:

Be Sure

Though a few of the more up-to-date folks are using the new branding as their desktop background:

F-Secure 800x600



Simple and clean, just the way we like it. Now to make sure the computer stays that way…