NEWS FROM THE LAB - February 2008


Friday, February 29, 2008

Windows Mobile Trojan InfoJack Posted by JP @ 14:34 GMT

There's been some news this week about a Windows Mobile trojan called InfoJack. Our detection name is Trojan:WinCE/InfoJack.

While reverse-engineering this trojan I realized it's a new can of worms for mobile devices. There have long been malicious downloaders on PCs, but I believe this is the first to be discovered for mobile devices.

The website from which this software was downloading additional components is offline. Analyzing this trojan without all of the downloaded parts from its server is a bit like completing a puzzle without all of the pieces. You have to determine the "shape" of the missing pieces by visualizing the empty spaces and by filling in the gaps.

So I'm still spending some time reading through the code, and there are pieces that pique my interest. One of them, which you can see in the image below and which nobody else has mentioned as yet, is SMS.


If there is more to tell I'll be back with it next week.

Happy Weekend,


Anatomy of a Rock Posted by Mikko @ 10:47 GMT

Let's have a closer look at a typical rock phish.

Here's the mail, sent yesterday:

Rock Phish

The link points to The domain was registered a week ago with bogus whois data and (we guess) a stolen credit card.

Rock Phish

Here's what the site looks like:

Rock Phish

Let's see where this is hosted.

Rock Phish

This IP address is physically in Israel. Let's see what the front page looks like.

Rock Phish

Ah. "209.1 Host Locked".

This. is. Rock. phish.

While we wait for the abuse messages to go through, let's have a quick look at what kind of host names in addition to have been pointing to this same IP address.

Turns out that's quite a list, here's a sampling:

Yes, it goes on. Oh well.

5th Annual Enterprise Security Asia Conference 2008 Posted by Esz @ 08:28 GMT

We participated in the 5th Annual Enterprise Security Asia Conference 2008 as a Silver Sponsor. The conference was held in Kuala Lumpur over two days, the 27th and 28th of February.

Patrik Runald, who's back in Kuala Lumpur for a short visit this week, presented on Mobile Security Challenges.

Our exhibit at the conference:


Some of the attendees with Bryan Sat:

Bryan Sat

Patrik's presentation:



Thursday, February 28, 2008

Mac Case Posted by Sean @ 16:53 GMT

Patrik's Mac DNS Changer video recently generated some viewer mail.

RLV wrote us the following:

Thank you for your video about the DNS changer trojan horse being targeted to Mac computers.
I was wondering if you could offer assistance. My computer has been infected by this trojan horse…

Green Apple
This is what happened:

RLV thought that his Mac was infected with a DNSChanger trojan and so he started doing some research. His search results located our video but the demo and his personal experience didn't sync because he wasn't prompted for his password as was demonstrated.

He then contacted us and we requested his samples. Well, his sample files were indeed a variant of Trojan:OSX/DNSChanger.

So we followed up again. With a few more details, we realized that he had installed Intego's VirusBarrier before the "infection" and not afterwards as we had originally thought. So the trial version of VirusBarrier had done its job and had prevented the installation of the DNSChanger.

Any AV activity being an uncommon event on a Mac, RLV interpreted the "infected files" notification on his hard drive as a successful system infection.

With another round of messages, we expressed confidence that his Mac was fine and provided him with information on DNS settings along with suggestions on how to test his system in order to confirm that it was clean. If his DNS settings were okay, then his personal information was okay as well. In any case, DNSChangers are more interested in making money by altering search results.

Excerpts from RLV's last message:

Thank you again for your message and for your really great help.

I called Apple and spoke with a couple of their reps. […] The reps were incredulous about the existence of malware specifically targeting Macs. They looked up articles about it while we were on the phone — they wouldn't believe me until they looked it up for themselves.

Doesn't hurt to be informed, or to double-check, even though it is a rare occurrence for Macs. Everyone I talked to was denying any malware vulnerability for Mac platforms, which struck me as not the best attitude to take.

I'm grateful for the help offered by you and f-secure and hopefully I won't be needing it again!

We hope so too. In his messages, RLV came across as a gentleman. There are several Mac users here in the lab and we were happy to assist him with something a bit outside of our normal routine.


Tuesday, February 26, 2008

MDeC Signing Ceremony Posted by Esz @ 03:24 GMT

There was a special signing ceremony held in our Kuala Lumpur Security Lab earlier today.

The Multimedia Development Corporation (MDeC) has provided us with a research grant establishing special projects with MSC Malaysia. The fund grants are close to RM6.6 or about 1.7 million USD.

The purpose of the R&D projects funded by the grant is to further Malaysia's development as one of the world's best environments for multimedia and ICT (Information and Communication Technology).

Here's our Ingvar Fröiland with the Finnish ambassador:


The ambassador and MDeC Senior VP Dato’ Narayanan Kanan:


All three gentlemen:


It was quite an honor to have them visit.

So as we mentioned, the signing ceremony took place in our Kuala Lumpur Security Lab.

The lab has undergone some renovation since we last posted a picture.

This is what the work-area looks like from the front:


And these photos are from the back:


The front contains various monitors and a projection system. We use this during weekly meetings between the labs:

KulLab_Monitors and Projector

Looks kind of like a Starship…


Thursday, February 21, 2008

Canada eh? Posted by Sean @ 16:05 GMT

Tuesday's phpBB money laundering post posed a question regarding the forum's membership list — why are Canadians advertising their location on a forum promoting illegal activity?

Well, some of our steadfast readers did the legwork and located the answer.

Email Money Transfer (EMT):

Interac E-mail Money Transfers

Click here for a screenshot of the entire thread.

Here's another thread:

ATI-Manager Thread28

Very interesting.

Interac Email Money Transfer service allows people to send money to anyone with an e-mail address and a bank account in Canada.

Folks with one of the "Big Five" Canadian banks can send EMTs. And any personal account holder in Canada can receive funds.

EMT funds are not frozen, so an EMT doesn't bounce, as the funds are guaranteed.

It does sound like something worth advertising to crooks desiring to launder money.

Sounds easy, right? Maybe not. Brian Krebs of Security Fix investigated similar sites last month.

When Krebs contacted the Supplier's ICQ address and attempted to play along, he was offered a certified check rather than an EMT. Certified checks can be faked — that sounds more like an advance fee fraud such as we wrote about on February 1st.

Either they didn't trust Krebs or it makes for a rather risk-free fraud for the bad guys. How many victims are going to complain to the bank if they're scammed while attempting to launder money?

Not many.

Click on the image below for Interac's EMT video:


Wednesday, February 20, 2008

More Finnish Spam Posted by Jusu @ 10:40 GMT

We have another example of ZBot.HS Finnish language spam.

The new message doesn't warn of a radioactive cloud…

The newest example has a subject line of "Etsin rakastajaa". That translates as "Looking for a lover".

Skeptical of radioactive clouds? Would you believe that Tatjana wants you?

That's social engineering 101.

Example screenshots are available in our ZBot.HS description.
The website designs have been used in the past, using German language and targeting Switzerland.

Update #2:
Comprehensive analysis of ZBot.HS has been completed. See the description for details.


Mikkeli Spam Links to ZBot Malware Posted by Sean @ 10:01 GMT

We are getting reports of Finnish language spam that links to a ZBot variant.

We've seen this spam message ourselves. Here's an example of the text:

ZBot.HS Spam

The subject line is "Uutinen Suomen ydinsaastumisesta".

That translates as "News of Nuclear Fallout in Finland".

The thing is — there's no nuclear power plant in the Mikkeli area as the message claims.

The first image shows the location of Mikkeli and the second image shows the locations of Finland's four existing plants:

The site to which the spam links provides an additional link directing recipients towards a variant of ZBot.
The spam message itself is not malicious.

ZBot is a family of banking trojans that has in the past included Finnish banks among its targets.

We detect the variant as Trojan-Spy:W32/ZBot.HS with database update 2008-02-20_04.

Further analysis of ZBot.HS is ongoing.


Tuesday, February 19, 2008

Paid for Receiving Bank Transfers Posted by Sean @ 17:22 GMT

Here's a screenshot of a site that we discovered back in December, BGI-Funds:


It's a PHP-based bulletin board that's used for money laundering recruitment.

We searched for the following text taken from the site:

I'll get right to the point. I have large amount of funds

At the top of the search results was a Symantec post (September '07) making the link between Storm spam and a copy of the phpBB site. So that pretty much confirmed what we wanted to know.

Returning to the search today — the site's still alive — though the name has changed several times. Submitting a Google search for Paid for Receiving Bank Transfers provides a large number of results.

Most of the sites are offline; you'll need to view the cache to see an example.

We located two sites that are currently active. They're hosted using fast flux:

ati-manager fast flux

Another example:

vks-manager fast flux

New forum members have been signing up at both locations in order to communicate with the site's Admin (who promises 10%). The membership list appears to have been merged prior to February of this year. Posts to the forum date back to the end of 2004. The recycled forum will apparently survive as long as the Storm botnet does.

One curious thing about the membership list… of those that provide their location, the majority are Canadians. What's up with that?

ATI-Manager member list

A two minute video is available on the Weblog's YouTube Channel that toggles through the cached results.

Update: Our readers have located an answer to the Canadian question. You'll find the details in this post's comments.


Friday, February 15, 2008

Campus Party Posted by Mikko @ 08:47 GMT

So I was in Sao Paulo this week trying to investigate why exactly Brazil is the largest source of new banking trojans in the world. After a day of meeting with local banks, I heard about an interesting event underway in Parque Ibirapuera.

A local fair center was hosting Campus Party Brazil — a massive LAN party. So of course I had to pay it a visit.

Campus Party

The event resembled the infamous Assembly party in many ways — with some notable differences. There were a few thousand tents in which the party people were sleeping. Nobody was writing demos. There was an ongoing series of lectures going on — I noticed one was about using Nepenthes. The party lasted a week. And the most astonishing part — check out the individuals that are endorsing this event: Campus Party endorsers.

Below are some random photos I snapped at the party.

Campus Party

Campus Party

Campus Party

Campus Party

Campus Party

Campus Party

Campus Party

Campus Party

Campus Party

Campus Party

Campus Party

Thanks to Marcelo ( and Rodrigo for helping me to hook up with Campus Party!

Signing off,


Wednesday, February 13, 2008

Video - Rogue Spotting Posted by Sean @ 10:47 GMT

Better Living thru Search Engines

In July of 2006 we did some searching for potentially unwanted applications; recycled or repackaged applications that were of dubious value. Affiliate marketing is used to promote sales and unfortunately such systems often provide economic incentives to cheat.

Those earlier search results contain some links to known rogue antispyware sites, but in general it's mostly harmless optimization software. (The real value of which is unknown to us.) Interestingly, since 2006 there are now many French, Spanish, Italian, and German localizations in the results. Everything is localized except the Privacy Policy text we searched for.

Now to the present — being less interested in PUAs and more interested in known bad Rogues, we tried a few different searches last week.

Starting with a new Rogue (VirusHeat, circa Feb. 8th) we used this text from the affiliate page:

     Being associated with one of the most known innovative software solutions developer
     whose mission is to protect the privacy and security of Windows computer users.

The Google search results produced a number of known bad guys. Many of the search links are blocked by

Click the image below for an example of the recycling (animated GIF). Attack of the Clones:

Rogue Screenshots

This Rogue list included applications that we've seen elsewhere. Where?

On a list of applications hosted by the Russian Business Network.

RBN is an infamous underground ISP that provides bulletproof hosting. The site isn't among the results and the URL doesn't currently resolve (server not found). However, using the site's last known IP address from a list of RBN associated IP Addresses, we located the page.

It uses the very same text on its affiliate page. They're all bad Rogues…

You don't want to buy what they're selling.

For a demonstration, watch this short video on the Security Lab's YouTube Channel:

Rogue Spotting Video


Tuesday, February 12, 2008

February's Updates Posted by Sean @ 15:51 GMT

Today is the second Tuesday of the month — it's time for scheduled updates from Microsoft.

Last Thursday's Security Bulletin Advance Notification included details on twelve issues, seven of which were rated as critical.

Remote code executions affecting Windows (Media file formats, LSASS, Message Queuing Service, DirectShow, Macrovision Driver), Internet Explorer, VBScript, JScript and Office are involved, so keep an eye out for today's updates and get them installed.

Advance Notification for February 2008

While you're updating your Microsoft software, don't forget to check your unscheduled applications as well.

There have been several security updates for a number of popular applications in the last week or so.

All of these applications — Apple QuickTime, Adobe Reader, Mozilla Firefox, Skype, and Sun Java JRE — have a large installed base. They're targets so make sure you have the most secure version available.

Health Check was launched last month with this in mind.

Note: As Anonymous wrote in this post's comments, it appears that only six critical bulletins were published today rather than seven.

Also worth mentioning — Jussi's comments regarding the Linux kernel. Cheers!


Up, Up and Away Posted by Sean @ 15:05 GMT

Our malware detections continue to grow at a quick pace. But by how much?

Growth Rate

At the end of 2006 we had about 250 thousand detections in total. That took 20 years to accumulate. (From 1986 to 2006.)

At the end of 2007 we had doubled our total number of detections to just over 500 thousand. So it only took one year to double the previous twenty year's accumulation.

Taking a look at today's numbers, we have close to 560 thousand total detections. It's February 12th. That's an additional 59000 detections added in 43 days at an average of 1372.093 per day.

Maintaining that pace (no guarantee that it won't further increase) there will be at least another 500 thousand detections this year for a grand total of one million or more by the end of 2008.


Storm Has Sent Their Cupids Posted by Fei @ 05:15 GMT

The Storm worm gang is at it again.

Their current spam run directs recipients to a site hosting their malicious download. If you open the site, you'll be prompted to download the file after five seconds.

It's a rerun of the Valentine's Day theme with new subject lines such as "Love Rose", "Rockin' Valentine", and "Just You". The Web site produces random images with each visit, and let's not forget the filename: valentine.exe.

Less than a month ago, we saw the first run and now that Cupid is preparing his bow for Valentine's Day, they have resumed their campaign.

They'll keep on doing it as long as people keep falling for it.

Storm Worm Valentine

As we blog, we detect this as Email-Worm:W32/Zhelatin.TQ.

So be sure to keep your virus definitions up to date, your computer patched, and don't be part of the Storm botnet this Valentine's Day. We'll keep an eye on their next move.


Monday, February 11, 2008

Safer Internet Day 2008 Posted by Sean @ 15:12 GMT

February 12th 2008 is Safer Internet Day in many European countries. You can find details from Insafe at

Safer Internet Day 2008

There is a listing of scheduled events for each country and the SID Competition winners will be announced online.

In Finland, there will be events held in downtown Helsinki as well as online.


Friday, February 8, 2008 Posted by Mikko @ 14:01 GMT

Luca Sambucci has been maintaining a useful web calendar of upcoming IT conferences and events.

The site has now been relaunched as Luca migrated the service to Google Calendar. The URL is


Wednesday, February 6, 2008

Spotted in the Wild: Rogue Microsoft Update Site Posted by Mikko @ 12:37 GMT

Watch out for this one. It's not the real Microsoft Update site.

Note the real URL ( and the spelling errors ("Please intall").

If you click the Urgent Install button, you'll get a file called WindowsUpdateAgent30-x86-x64.exe, which is not signed by Microsoft. (i.e. Click the button — Download a Trojan-Dropper.)

This is a fast flux site and uses a wide range of IP addresses:

The dropper is now detected as Trojan-Dropper:W32/Agent.DYD, and the dropped malware was already detected as Backdoor:W32/Agent.CVU; this is functionally the same as the earlier Backdoor:W32/Agent.CTH.


Monday, February 4, 2008

Viagra Shop Busted in Sweden Posted by Mikko @ 15:33 GMT

Seven men are being prosecuted in Sweden for running an illegal online pharmacy.

These men are accused of running several web shops selling prescription drugs without a prescription. They started operations in 2003 and generated several million Euros in revenue until they were shut down in 2007. By this time they had sold drugs to 65 different countries.

The gang was caught after a cashier at a post office thought it was suspicious that the same man came every day, day after day for several months to send bags of stuff to foreign countries. She alerted the police, they opened one of the envelopes and found drugs.

This case was covered widely in Swedish newspapers on Monday morning, but none of the newswire services were reporting the names or web addresses of their shops.

So, we called the Stockholm district attorney and got the names from her. The sites were:


The sites are offline by now (or almost), but you can find what they looked like by searching

We were of course interested in the case to find a spam angle. However, although these shops had an active affiliate program, we were not immediately able to find cases where spam had been used to advertise these sites. If you have a collection of spam you can search through, please check if you find links to these guys and let us know. Thanks.

Friday, February 1, 2008

Website Partnership Enquiry Posted by Sean @ 16:02 GMT

We were asked about some spam messages today.

The subject lines are Partnership Enquiry and Website Partnership Enquiry. The names of the senders include Richard Thompson, Edward Johnson, Daniel Lee, Jason Miller, George Nelson, et cetera.

The content of the messages is as follows:

     To: *deleted*.com
     Subject: Partnership Enquiry


     My name is Jason Miller and I am contacting you to discuss the option of purchasing a text link
     or banner on your website (*deleted*.com ).

     Could you please tell me what is the price of one text link:

     1) on your homepage only
     2) all your pages
     3) banner ad 120x60, 125x125 on homepage
     4) banner ad 120x60, 125x125 on all pages

     Thank you in advance!
     Jason Miller

Here's a screenshot of another:

Website Partnership Enquiry

It's clearly spam. But what's the goal — how does the scam work? The sender wants to buy something, so how does he steal your money?

It's a form of advance fee fraud, also known as Nigerian 419 fraud.

If you fall for the bait and sell something for $2000, you'll receive a check for $3000. The perpetrator of the scam will then claim that a mistake was made and ask that you refund $1000 via money transfer.

So you send $1000 via money transfer, which cannot be stopped… and in the end when it finally clears, the $3000 check ends up being a fake.

It's an old fraud that uses technology for a clever new bit of social engineering.

These messages are being sent to website contact addresses and include the site name in the body of the message. This results in a message that feels almost personalized and might potentially lower the guard of the recipient.