NEWS FROM THE LAB - January 2011


Monday, January 31, 2011

With great name comes great liability? Posted by Response @ 08:04 GMT

As users become smarter in distinguishing the name of fake and real antivirus programs, rogueware authors have now resorted to a bolder move — stealing the identity of a legit program and using it on their fake products. A rogue was recently discovered to be using AVG's logo and reputable name, hoping to mislead and trick people into purchasing the fake AV.

It implemented the typical method used by other rogues, i.e., pretending to scan the system and then claiming to have detected multiple malicious files. Since the free version is limited in capability, users have to upgrade to the full (fake) version to remove these files.

Aside from AVG's logo, the rogue's interface bears no resemblance to that of the legit AVG Anti-Virus Free Edition 2011.

Image: Fake AVG

However, users who aren't familiar with the product might not notice this difference and think that they are getting the real thing.

One bit of advice — watch out for the source. Most antivirus companies provide free/trial versions of their products directly on their websites. So, skip the untrustworthy channel and get it directly from the AV vendors.


Mobile Security Tips Posted by Response @ 02:16 GMT

CES 2011 kicked off the year with a preview of what's upcoming in mobile computing. Expect more releases of high-spec smartphones and tablets, possibly powered by a dual-core CPU such as NVIDIA Tegra 2. Some of us are wooed by the sneak peek of phones such as the LG Optimus 2X and Motorola Atrix 4G, and certainly are looking forward to their releases this quarter.

With data charges getting cheaper and technologies in mobile computing getting more powerful, mobile devices are becoming more like a small personal computer. Moreover, the availability of applications that help users easily perform banking transactions, online shopping, flight booking and just plain Web browsing further encourages users to rely on their smartphones.

The surge in mobile computing popularity is opening new doors for malicious attacks. Since it is a relatively new area, some of us are not aware of the risks that await and are not really sure how to protect ourselves. For a start, here are some useful tips:

1. Keep your system updated

Don't take this for granted. Keeping your mobile operating system updated not only allows you to enjoy the latest offerings, but also helps protect your security. As with good practice on your personal computer, having your system up-to-date could prevent malicious attacks that take advantage of unpatched security holes or vulnerabilities.

2. Install a security application in your phone

As your mobile device functions more like a mini computer, it becomes an increasingly attractive target for attacks or theft. That situation calls for protecting your physical device and the data it contains. Our Mobile Security application, for instance, offers features that help safeguard your data, protect against threats and locate your lost or stolen phone.

3. Watch where you click and land

We anticipate that scams and phishing to obtain personal or credit card information will be the most active attacks on mobile users. Social engineering methods will be used to lure users into clicking on malicious links or to trick them into surrendering valuable information. So, check whether a website's address starts with "https" before you enter sensitive information.

4. Refrain from doing transactions on a public network

A public network is useful and may help you save on data charges. However, keep in mind that the public Wi-Fi that your phone is connected to might not be secure. Just to stay on the safe side, limit your activity to browsing and avoid committing any important transactions.

5. Install or obtain applications from trusted sources

Part of the fun (and convenience) of having a smartphone is making use of various applications that let you do a lot of things. There are plenty of applications out there, and some are offered through independent, unmonitored channels. Be careful about what you install and watch out for the source. Some of the sources may contain repackaged apps that carry malicious content.

6. Make it a habit to check each application's data access on your phone

Some applications may have access to your data or personal information. Be wary of access that is outside the scope or purpose of the application. For example, a game application that has access to SMS (read, write and send), calling, phonebook entries, and system files should make you suspicious about why it requires such access. If you have any doubt about an application, do not install it.

This year, we aim to further explore the emerging trend in mobile threats. Keep posted for the latest findings and news in mobile security.

Response Post by — Zimry Ong


Friday, January 28, 2011

Securing Cloud-Based Security Posted by Mika @ 14:07 GMT

Cloud-based antivirus solutions work. We know this because virus writers are trying to fight back.

There have been articles [1] [2] written lately about Backdoor:W32/Bohu.A. Bohu has raised interest as it incorporates two different techniques for evading detection:

  1.  Appending garbage data to the end of a file
  2.  Preventing access to AV vendor servers

These are not new techniques. It's true that if a system is already infected with Bohu, access to servers of several antivirus vendors is blocked. This is a problem, but it is not a problem to cloud-based solutions only. Exactly the same attack has been seen over and over again to try to prevent traditional antivirus from getting updates.

We've done a lot of work in creating technology that allows us to stay connected to our clients, even if malware tries aggressively to prevent it.

Image: Screenshot of the media player Backdoor:W32/Bohu.A installs as a decoy.

Writing random garbage to the end of the file does change the full file hash and hence it will evade detection that is based on full file hashes. That does not mean that cloud-based security does not work, though. It means that modern security products should not be based only on full file hashes.

Actually, this kind of an evasion mechanism can be turned against the malware. As an example, F-Secure DeepGuard 3 is based on reputation of applications and other objects. If DeepGuard detects an object that is very uncommon it will be tagged as "suspicious". So, basically DeepGuard detects files that have random garbage appended to the end since that is what they are — garbage.
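The two points above (appending garbage changes the full-file hash, but the appended bytes are themselves a tell-tale) can be shown in code. The following is an added example, not F-Secure's DeepGuard or any code from the original post: it builds a constructed minimal PE, computes both the usual full-file SHA-256 and an "image hash" that covers only the bytes the PE headers account for (everything past the last section's raw data is overlay), and shows that padded variants that all look unique by full hash collapse to one entry by image hash, which is what a prevalence/reputation lookup needs. The `build_sample_pe`, `pe_image_end` and `image_hash` names are this example's own.

```python
"""Overlay-aware hashing: why appending garbage to a PE need not defeat
hash-based lookups. Added example; build_sample_pe() constructs a minimal
PE for demonstration only, it is not a real program."""
import hashlib
import os
import struct

FILE_ALIGN = 0x200
PE_SIG = b"PE\0\0"
COFF_FMT = "<HHIIIHH"            # Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"     # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...


def build_sample_pe(payload: bytes) -> bytes:
    """Construct a minimal 32-bit PE with a single .text section (constructed sample)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew: PE header at offset 0x40
    raw_size = -(-len(payload) // FILE_ALIGN) * FILE_ALIGN  # round up to file alignment
    coff = struct.pack(COFF_FMT, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    section = struct.pack(SECTION_FMT, b".text\0\0\0", len(payload), 0x1000,
                          raw_size, FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + PE_SIG + coff + bytes(opt) + section).ljust(FILE_ALIGN, b"\0")
    return headers + payload.ljust(raw_size, b"\0")


def pe_image_end(data: bytes) -> int:
    """Offset where the last section's raw data ends; anything past it is overlay."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if pe + 24 > len(data) or data[pe:pe + 4] != PE_SIG:
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, pe + 4)
    sec_off = pe + 4 + 20 + opt_size
    end = sec_off + 40 * nsec                            # at minimum, the headers themselves
    for i in range(nsec):
        fields = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        raw_size, raw_ptr = fields[3], fields[4]
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return min(end, len(data))                           # truncated file: nothing beyond EOF


def overlay_size(data: bytes) -> int:
    """Bytes appended after the PE image; large random overlays are themselves suspicious."""
    return len(data) - pe_image_end(data)


def full_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_hash(data: bytes) -> str:
    """Hash of the header-accounted bytes only, so appended garbage does not change it."""
    return hashlib.sha256(data[:pe_image_end(data)]).hexdigest()


def append_garbage(data: bytes, n: int) -> bytes:
    """Simulate the evasion: append n random bytes (constructed, not real malware)."""
    return data + os.urandom(n)


def prevalence(samples, key):
    """Count how many samples share each key; a reputation system reasons over these counts."""
    counts = {}
    for s in samples:
        counts[key(s)] = counts.get(key(s), 0) + 1
    return counts


if __name__ == "__main__":
    original = build_sample_pe(b"\xCC" * 700)
    variants = [append_garbage(original, 100 + i) for i in range(5)]
    print("unique by full hash :", len(prevalence(variants, full_hash)))   # 5: every variant looks new
    print("unique by image hash:", len(prevalence(variants, image_hash)))  # 1: same program underneath
    print("overlay bytes on variant 0:", overlay_size(variants[0]))
```

Full-file hashes see five never-before-seen objects, exactly the "very uncommon" condition a reputation check flags; the image hash sees one object five times, and the overlay size reports how much unexplained data was bolted on. A real scanner would combine both views rather than rely on either alone.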

The arms race between security products and bad guys continues.


Monday, January 24, 2011

What would you ask from the creators of the very first PC virus? Posted by Mikko @ 13:52 GMT

It's now January 2011. Which means the Brain virus is now 25 years old.

Brain virus 1986

Brain, spreading on 5.25" floppy disks, was the first PC virus.

Which means that the PC virus is now 25 years old.

So, what did Brain do? Let's look at our virus description database, which — of course — has a description of the virus.

Brain description

As you can see, the Brain virus contains contact information for "Basit and Amjad" in Lahore, Pakistan.

Due to this 25 year milestone, I've decided to go to Lahore, Pakistan. I'll go there to find Basit and Amjad, and I'll speak with them about how they feel about the phenomenon they started.

Lahore photo by o_0

Of course, writing a boot sector virus in 1986 was a completely different thing than writing, say, a banking trojan in 2011. For one, writing viruses was not illegal in 1986. People did not know at the time if writing viruses was a bad idea. We learned that later.

But it just boggles the mind to think about how much has happened in these 25 years.

So, what would you like to ask from the writers of the very first PC virus?

Post your suggestions to our blog comments. I'll take the best ones with me to Lahore.

Friday, January 21, 2011

CO2 Phishing Posted by Mikko @ 11:51 GMT

This post has been modified since it was first posted. See here for a correction.

The European Union caps the amount of carbon dioxide (CO2) a company may emit in a year.

Companies exceeding their emissions quotas can buy them from companies that don't need them.

This creates a market for buying and selling emission certificates. A very big market. A market big enough to interest online criminals.

If the criminals are able to log into an online trading system with a company account, they can sell the emission rights and pocket the money. This involves changing the bank account in the system to point to an account of a money mule.

As a result of this, there have been several attacks trying to gain access to EU Emission Trading System (EU ETS).

All emission trading in EU was halted yesterday as the latest attack was discovered. Certificates valued at over 28 Million Euros were stolen.

Emission phishing

"The thefts could have been a concerted action because the recent incidents happened within the last few days", said Maria Kokkonen, a spokeswoman for EU climate policy.

We've seen targeted phishing scams that have been emailed to people in charge of emission trading. These have been sent in various languages.

Here are two example phishing emails, in German and in Finnish:

Emission phishing, German

Emission phishing, Finnish

Sites such as have been registered either with false information or with domain protection systems:

As a result of these attacks, national emission trading systems are getting rid of authentication using just a username and a password, and are introducing stronger authentication systems. These include multi-factor and SMS authentication systems.

In Finland, logging in to the emission trading system already supports bank-based multi-factor authentication schemes:

Emission authentication

P.S. The commenting system on our blog is broken at the moment. We'll get it fixed shortly.


Malware Referencing Julian Assange Posted by Mikko @ 07:54 GMT

While browsing through incoming malware samples, we noticed this one.

It's an unremarkable malware dropper (md5: 5aac5fc644f5b2797683c2acb337297a).

The somewhat interesting thing about this malware is that it drops a Russian version of Notepad and opens it up for the user to see this message:

Malware referencing Julian Assange - I enjoy crushing bastards (c) Julian Assange

We detect this malware as Trojan-Dropper:W32/Agent.DQJN.


Tuesday, January 18, 2011

Learning Malware Analysis Posted by Antti @ 08:28 GMT

If you happen to be studying at the Aalto University in Helsinki, there's one lecture you don't want to miss tomorrow: our Chief Research Officer Mikko Hyppönen will open the course on Malware Analysis and Antivirus Technologies.

This is a course that we've arranged in co-operation with Aalto University for the past three years. It's always a joy to see people pick up reverse engineering skills and learn malware analysis. Every year we create homework puzzles for the students to test their skills on. This spring Timo, who is working here at the Labs, will be creating the puzzles for the course. Timo is also the author of the T2'10 Challenge, which started off like this:

T2 2010 Challenge

If that looks strange to you, you can also turn it into a picture:

T2 2010 Challenge as a picture

Does it still look weird? Do you think you'd enjoy solving more puzzles and getting course credits for doing it? Then we hope to see you in the course!

If you're not a student at the university, you can view the course material from the course page, where we'll post new material as the course progresses.


Monday, January 17, 2011

New Info on Stuxnet Posted by Mikko @ 12:13 GMT

Stuxnet continues to make headlines. The New York Times published a long story on the latest findings, including these:

President George Bush started an experimental cyber attack program against Iran already in 2008.

The NY Times claims that Stuxnet was developed jointly by the USA and Israel. They offer no direct proof, though.

Israel has built a replica of the Iranian Natanz enrichment facility in their Negev Nuclear Research Center in Dimona. It was used to test drive Stuxnet before it was deployed.

Dimona Israel Negev

Embassy cables leaked by WikiLeaks seem to prove that Iran's nuclear program was indeed using Siemens PLC gear.

Stuxnet cable

The NY Times claims that Idaho National Laboratory at Idaho Falls used their security testing of the Siemens PLC systems to find vulnerabilities to be used in the Stuxnet attack. Apparently Siemens thought this testing was done in order to secure industrial systems. In any case, it is easy to confirm that Siemens and INL did joint security testing in 2008, see this slide:

Stuxnet INL
Image copyright Idaho National Laboratory & Siemens

The target of the attack was to modify the operation of high-frequency power drives made by Vacon and Fararo Paya. These drives were controlling the centrifuges that were enriching uranium.

Vacon drives

Stuxnet specifically targets a grid of 984 converters.

Curiously, when international inspectors visited Natanz enrichment facility in late 2009, they found that the Iranians had taken out of service a total of exactly 984 machines.

Siemens S7-400 PLC

While Stuxnet is doing malicious modifications to the system, it uses a man-in-the-middle attack to fool the operators into thinking everything is normal.

Iranian President Mahmoud Ahmadinejad confirmed in November 2010 that a cyber attack had indeed caused problems with their centrifuges.

Another leaked embassy cable would indicate that there are other, unknown enrichment plants in addition to Natanz. Attacking such unknown targets with cyber sabotage makes much more sense than, say, trying to bomb them. A worm will find even the facilities that you do not know about.

Stuxnet cable

There is a real fear that we will eventually see modified copies of Stuxnet.

While modifying Stuxnet is obviously not easy, it is easier than creating the same functionality from scratch.

Finding a copy of Stuxnet is not hard at all as you can see from this forum posting we found:

Finding Stuxnet

For further background info, see our Stuxnet Q&A and Ralph Langner's thorough article on Stuxnet for the Control Global magazine.

Or, watch our new Stuxnet video which we just published.


Wednesday, January 12, 2011

Update: IE vulnerability (Security Advisory 2488013) Posted by Sarah @ 03:38 GMT

The vulnerability in Internet Explorer that was first reported on December 23rd, 2010 has yet to be patched but Microsoft has updated its advisory which contains workarounds and mitigations for the issue.

For those who don't use IE, it'd be wise to turn IE off until a permanent fix is released. Those who need to use IE are advised to implement the workarounds, which involve:

  •  preventing the recursive loading of CSS style sheets in IE,
  •  deploying the Enhanced Mitigation Experience Toolkit (EMET), and
  •  setting the Internet and Local intranet security zone settings to "High".

Detailed instructions for implementing the workarounds can be found at the updated Security Advisory 2488013. Please take note that for these workarounds to be effective, the latest security update (MS10-090) must be installed first.

Keep posted for the latest news.


Wednesday, January 5, 2011

First 2011 Windows Vulnerability Posted by Alia @ 01:34 GMT

Another year, another vulnerability in Windows. Yesterday Microsoft confirmed it was investigating a "recently discovered" vulnerability. Exploit code for this is reported to be already available.

According to the Security Advisory, the vulnerability involves the Windows Graphics Rendering Engine. Affected Windows versions are various flavors of XP, Vista, Server 2003, and Server 2008. Windows 7 is not affected.

Exploiting the vulnerability requires a specially-crafted thumbnail image (say of a folder or program). Successful exploitation can lead to the attacker pretty much taking control of said computer.

One note: whether the booby-trapped thumbnail is on a site or sent in an e-mail, the user still has to actively visit the site or click a link in the e-mail (or open an attachment) to be affected, so standard precautions about safe surfing and computer usage still apply.

For users on affected versions, the advisory has a workaround that will at least "help block known attack vectors", until a patch is released. Or since the new year is a time for fresh starts, this might be a good time to consider upgrading to Windows 7.

No out-of-band update release seems to be forthcoming, so the soonest a patch might be available is January 11. Stay tuned.