NEWS FROM THE LAB - February 2009


Friday, February 27, 2009

Downadup, Good News / Bad News Posted by Response @ 18:59 GMT

First the bad news: There's still a lot of Downadup (Conficker) infections out there.

Our February 5th post noted 1.9 million unique IP addresses connecting to our sinkhole. We're now logging something around 2.1 to 2.5 million. The log files are huge and can be very time consuming…

Here's the good news: Despite the ongoing infections, progress was made against the worm.

Domains monitored by our sinkhole can no longer be registered. The worm's ability to phone home has been crippled. This is due to a collaborative effort within the industry.

On February 12, 2009, Microsoft announced a $250,000 USD reward for information. Microsoft's Conficker Worm page has details. Bounties have been successful in the past, e.g. Netsky's author, Sven Jaschen.

Our January 30th post provided a Downadup domain blocklist for the month of February. While the domains no longer need to be blocked, such a list can still be useful to monitor for infected machines within your own network.

You can download a ZIP file with domains in use until June 30th from the Microsoft Security Response Center.

Our Removal Tool is called f-downadup.


Thursday, February 26, 2009

About the Adobe and Excel Vulnerabilities Posted by Mikko @ 13:21 GMT

Adobe/ExcelThere are two notable vulnerabilities currently being exploited.

Both of them are not yet patched.

One fortunate mitigating factor is that the exploits are being used for targeted attacks.

Though that isn't very much of a mitigation if you happen to be the target.

Here are our vulnerability reports:

  •  Microsoft Excel Invalid Object Reference Vulnerability
  •  Adobe Reader/Acrobat JBIG2 Stream Array Indexing Vulnerability

Microsoft published Security Advisory (968272) on Tuesday and recommends using the Microsoft Office Isolated Conversion Environment (MOICE) as a workaround. High risk "targets" may want to consider this as standard operating procedure.

Adobe is planning to release an update on March 11th. That's March 11th, like two weeks from now.

Adobe's mitigation steps involve disabling JavaScript. However, see discussion here as well.

Adobe's steps are as follows:

  1. Launch Acrobat or Adobe Reader.
  2. Select Edit>Preferences
  3. Select the JavaScript Category
  4. Uncheck the "Enable Acrobat JavaScript" option
  5. Click OK

I'd show you a screenshot of the options, only I don't have Adobe Reader installed.

I find it a bit confusing how commonplace Adobe Reader has become. For some reason everybody seems to be using it for reading PDF files. Even though there are plenty of free alternatives. And the alternatives are much smaller and faster. And start up in under a minute.

From my point of view, Adobe Reader has become the new IE. For security reasons, avoid it if you can.

Ranting off,


Wednesday, February 25, 2009

Adobe Flash Vulnerability Posted by Vulnerabilities @ 12:45 GMT

Patch your Flash: There's a vulnerability in multiple versions of Adobe Flash.

See our report:

  •  Adobe Flash Player remote code execution vulnerability

Here's a tip — examine the following folder to see what you have installed:

  •  C:\WINDOWS\system32\Macromed\Flash

You may have multiple files from previous versions just sitting around…

You don't need much more than these files:


Version is the updated version.

Here's the IE version properties:

Flash OCX

Here's the Firefox version properties:


You can download the update from Adobe and our Health Check service is also of assistance.

Updated to add: Adobe Security Advisory


Tuesday, February 24, 2009

Error Check System Posted by Sean @ 16:55 GMT

Error Check System: As we pointed out in yesterday's post, the timing of the Facebook "Error Check System" application and the subsequent Google search results pointing to rogue antivirus sites was almost too perfect to be a coincidence.

It's entirely possible that the whole situation was designed to promote XP Antivirus variants such as "Antivirus 360" and "XP Police" (Rogue:W32/XPAntivirus). That's the formula, create something that spawns a search, then be ready to provide results that redirect to malicious sites.

XP-Police dialog

Either that or the bad guys are very quick on their feet and are ruthlessly opportunistic… They're both.

Let's take a look at another recent example.

Parking Tickets: That's right, Parking tickets in North Dakota.

SANS blogged about it earlier this month.

Some North Dakotans found a yellow ticket on their windscreen reading:

  •  "PARKING VIOLATION This vehicle is in violation of standard parking regulations".

That sounds kind of familiar.

The supposed ticket then instructed the victim to visit a website where the driver could:

  •  "view pictures with information about your parking preferences"

To view the pictures, a toolbar needed to be installed, that then pushed rogues at the victim.

The BBC reported on it here.

Microsoft: Last October, Microsoft and Washington state started suing scareware purveyors. There are also some recent cases in which rogue bank funds were seized. Perhaps that's a good start, but it isn't nearly enough. The real bad guys aren't scared.

How's this for bold?

Many XP Antivirus variants hamper analysis by checking for an Internet connection. Our test networks need be configured to provide the expected reply if we want to automate our analysis.

And what page does the rogue check for?


The XP Antivirus gang has been doing this for some time now… seems to us like a slap in Microsoft's face.

We would like to see Microsoft slap them back. Using a hammer.


Monday, February 23, 2009

Don't Search for "Error Check System" Posted by Sean @ 16:27 GMT

A Facebook application called "Error Check System" apparently spread itself over the weekend utilizing misleading messages.

     "[Name] has faced some errors when checking your profile – View The Errors Message"

The Errors Message?

Attempting to view the error prompted for the application to be Allowed. The allowing of Error Check System provided access to the user's Friends to which the application then spammed additional notifications.

All Facebook and Graham Cluley have screenshots and additional details.

What is more interesting to us at the moment is that performing a Google search for the words "Error Check System" will result in numerous links pointing to Rogue Antivirus scams.

You do not want to visit the sites highlighted in red:

Error Check System Search Results

The timing of this is almost too much of a coincidence.

The Facebook application didn't do very much other than spread itself… it did however create a newsworthy story. And now people will be searching for that story and will stumble upon fake antivirus sites.


Thursday, February 19, 2009

Mebroot Posted by Kimmo @ 08:22 GMT

One of 2008's most interesting research cases proved to be the Mebroot rootkit.

Mebroot has been characterized as possessing a "commercial-grade framework" and as being a "malware Operating System". The most notable of its features is the fact that the rootkit replaces the infected computer's Master Boot Record (MBR). Mebroot therefore compromises the computer at a very low level.

The malware has apparently gone through some extensive quality assurance. It rarely ever crashes the systems it infects, even though it runs at the kernel level. It's even been designed to send crash dumps back to its authors, so that they can improve upon their code if required.

Mebroot VBPaper

We contributed our first bit of Mebroot analysis last March. While the post is quite technical, it only scratched the surface.

Elia Florio of Symantec is another researcher that has analyzed Mebroot in depth. I collaborated with Elia and our efforts produced a paper for the Virus Bulletin: VB2008 conference. I delivered a presentation on the opening day of the conference. You can find our VB2008 post with PowerPoint slides here.

Mebroot VBPaper

We can now make the paper itself available. Click the link below to download the PDF file.

Your Computer is Now Stoned (...Again!). The Rise of MBR Rootkits (3169KB PDF).

Signing off,


Wednesday, February 18, 2009

"Sexy View" Trojan on Symbian S60 3rd Edition Posted by Response @ 18:14 GMT

We've an interesting mobile case to report…

One of today's samples is a trojan compiled for S60 3rd Edition phones. It's detected as TrojanWorm:SymbOS/Yxe.A.

This is something we don't see very often. There are spy tools and other privacy threats directed at S60 3rd Edition phones, but malware is still mainly an issue on S60 2nd Edition phones.

S60 3rd Edition uses a different binary structure than 2nd Edition, and then all 3rd Edition applications must be signed. What's special about Yxe is that all evidence suggests it uses a valid Symbian Certificate.

With this certificate, the trojan was signed. And being a signed application it gains privileged access.

The source of this trojan is China.

Here you can see the language options, EN and ZH:

Trojan:SymbOS/Yxe package info

Did you also notice the "Sexy View" and "Play Boy"? That should give you a good idea of the Social Engineering that's being utilized.

Our mobile analysts are still working the case. We'll have more for you as it develops.

Updated to add: A description is now available.

Updated to add: Our detection name was changed from Trojan to Worm on February 25th.


Exploit Shield Protects Against New IE7 Vulnerability Posted by Patrik @ 06:04 GMT

As Sean predicted a week ago, we now have exploit code in-the-wild for MS09-002, a vulnerability in Internet Explorer 7. The exploit downloads a file named jc.exe from a server in China.

Exploit:W32/JSShell.A is our detection name for the exploit and the downloaded file is Trojan-Dropper:W32/Agent.JLA. The file jc.exe drops a backdoor detected as Backdoor:W32/Agent.JLA.

It was great to see that F-Secure Exploit Shield proactively protected against the exploit without the need for a shield update. Below is a screenshot of the exploit being blocked with heuristics.

Exploit Shield blocks MS09-002

If you haven't installed the Exploit Shield update already, do so now.

Updated to add: You should also of course install February's Microsoft Updates if you haven't already done so…

Our Vulnerability Description for IE7 provides links to each of the individual updates should you need to install them manually.


Monday, February 16, 2009

Exploit Shield 0.60 Beta Posted by Response @ 14:34 GMT

A new version (0.60) of our F-Secure Exploit Shield Beta is now available. Our first public beta was released two months ago.

You may also remember that Microsoft patched MS08-078 around the same time. Multiple versions of Internet Explorer were affected on multiple versions of the Windows OS and exploit code was circulating at the time. Exploit Shield 0.5 was able to proactively protect against those exploits.

Exploit Shield is designed to shield Web browsers between the development of an exploit and the release of the vendor's patch.

To sum up, Exploit Shield provides:

  •  Zero Day Defense: Protects unpatched machines.
  •  Patch-Equivalent Protection: Vulnerability "shield" updates.
  •  Proactive Measures: Heuristic detection techniques.
  •  Protects Against All Websites: Regardless if untrusted or trusted and malicious or hacked.
  •  Automatic Feedback: detected exploit attempts are automatically reported to F-Secure.

Here's the main menu:

Exploit Shield 0.60 Beta

Here's a view of the Proactive Measures menu:

Exploit Shield Beta 0.60, Proactive

Version 0.60 now includes 32-bit Vista support, includes more vulnerability coverage and also includes engine improvements.

Look for the download link from:

If you want or need a reason to test Exploit Shield, consider this month's Microsoft Updates. There were two vulnerabilities in Internet Explorer 7 for Windows XP and Windows Vista that were patched last week…

Firefox isn't completely immune either, see Mozilla's Security Center for details on recent vulnerability patches.

Note: Version 0.5 users will now see a prompt that their installation has expired. The database channel is now closed, but the existing shields and the proactive protections remain.


Thursday, February 12, 2009

Google Earth KML Posted by Sean @ 16:18 GMT

One of the tasks our stats server has is to provide data feeds — from which Google Earth KML files can be created.

We often use Google Earth for presentations as it makes for a very effective demonstration.

Here's part of Eurasia:

Stats, Google Earth Image

This is an example from Fiji:

Stats, Google Earth Image

Version 5 of Google Earth has some very cool new features…

Download some of today's data: 2009.02.12 Statistics (9.5MB).


Google Earth Legend

An extra icon in the data set represents use of our Online Scanner. Those are detection, not source locations.


SQL Injection Posted by Patrik @ 06:45 GMT

SQL injection is a type of attack that is growing in popularity — e.g. 1, 2.

It can also be used to steal information, and to show that an attack is possible.

During the last few days a Romanian group has been doing SQL injection attacks on several security vendor's websites and early this morning they hit us. One of our servers used in gathering malware statistics had a page that didn't properly sanitize input and was therefore vulnerable to attack. Fortunately we utilize defense-in-depth strategies so the attack was only partly successful.

Although the attackers were able to read information from the database they couldn't write or manipulate it. And they couldn't access any other data on that server because the SQL user only had access to its own database, which only contains public information that is shown on our statistics pages. So while the attack is something we must learn from and points at things we need to improve, it's not the end of the world.

The malware statistics are something we publish anyway at and because of our IT security strategy, the impact was minimal.


Wednesday, February 11, 2009

MS09-002/MS09-004, Consistent Exploit Code Likely Posted by Sean @ 12:23 GMT

Two of yesterday's Microsoft Updates have Exploitability Index Assessments of 1 — Consistent exploit code likely.

First there's MS09-002 which addresses two vulnerabilities in Internet Explorer 7.


And then there is MS09-004 which patches a vulnerability in Microsoft SQL Server.

You can see from the bulletin that exploit code has already been published for the SQL vulnerability.


The Internet Explorer 7 vulnerability allows for Remote Code Execution on Windows XP SP2/3 and Windows Vista. Considering the installed base, and the high Exploitability assessment, expect to see exploits in-the-wild very soon.

Our Vulnerability Description for IE7 provides links to each of the individual updates should you need to manually update.


Tuesday, February 10, 2009

Safer Internet Day 2009 Posted by Sean @ 09:57 GMT

Today is Safer Internet Day 2009 — an annual event coordinated by InSafe.

Blog reader (MJ) sent us a reminder, some links, and highlighted this year's anti-cyberbullying campaign.

German speakers can find more information from (English information about the klicksafe project).

France's safe Internet site is called Internet Without Fear.

Then there's the Finnish based Security School (Tietoturvakoulu) and Information Security Guide (Tietoturvaopas).

Another excellent resource is The site has sections regarding cyberbullying (films) as well as social networking.

Social Networking sites can often be the location of cyberbullying.

Do you have any additional resource suggestions? If so, please post a comment. And have a good Safer Internet Day.


Monday, February 9, 2009

Social Networking Hack Posted by Patrik @ 16:59 GMT

We recently read an interesting story from MSNBC's "The Red Tape Chronicles" regarding an emerging Social Networking scam.
(There's also video.)

The victim of the scam had his Facebook account hacked. The attacker then targeted his friends by changing the Status message to "BRYAN IS IN URGENT NEED OF HELP!!!". And at least one of his friends fell for it, and wired $1,200 to the hacker.

Discussing this article in our San Jose office, we discovered that one of our employees knew someone that was targeted in the same way. Only, he didn't fall for the scam. We asked for permission to post his chat logs.

"Lisa" is the hacked account. "Bob" is the target.

Here's the conversion:

Facebook 419

Bob's skepticism proved to be invaluable. His next action was to contact Lisa so that she could recover her account access.

We know of many Social Networking sites that are targeted by Phishing. This type of scam could occur on any of them. A healthy amount of caution is very helpful if you wish to fully enjoy your Social Networking experience.

We're curious about our readership. How many of you use Social Network sites?


Friday, February 6, 2009

Microsoft Updates, February 2009 Posted by Sean @ 15:47 GMT

Next Tuesday's Microsoft Update notification has been released. The details are in Microsoft's Security Bulletin Advance Notification.

Critical fixes for Internet Explorer 7 and Exchange are coming:

Microsoft's Advance Bulletin Feb

XP, Server 2003, Vista, and Server 2008 are among the affected operating systems.

Looks like network administrators should begin scheduling some time next week for testing and deployment.


Thursday, February 5, 2009

Downadup Sinkhole Numbers Posted by Response @ 14:32 GMT

Our Downadup sinkhole logged 1.9 million unique IP addresses yesterday; our last reported count was just over one million.

Now, this doesn't necessarily reflect a growth in infections. Our sinkhole has been monitoring a greater number of domains during the past two weeks. It's more sensitive and 1.9 million is the result.

The source of the IP addresses hasn't changed much. China, Brazil and Russia still rank at the top.

Here's the top ten:

Downadup, Top Ten Countries by IP Count

You can also review the complete list.


How Much Latitude? Posted by Sean @ 13:20 GMT

A new mobile phone application, Google Latitude, was introduced yesterday. It's an interesting new addition to Google Maps.

According to Google, with Latitude you can:

  •  See where your friends are and what they are up to
  •  Quickly contact them with SMS, IM, or a phone call
  •  Maintain complete control over your privacy

Err… Complete control? True, only the friends that you add/allow are able to follow your movements and Latitude does have a manual override function. But complete control? Perhaps it would be more accurate to claim that there are strong controls.

Assuming that you remember to use those controls of course.

If you want to maintain complete control over your privacy, you probably won't be installing Latitude.

Google Latitude

On the other hand, if you're willing to share some of your personal details, Latitude could prove itself to be a really useful feature.

Updated to add: Reader Daniel S. posted a comment, Google has modified their text to:

  •  Control what your location is and who gets to see it


Wednesday, February 4, 2009

Nine Million Dollar Bank Heist Posted by Response @ 15:04 GMT

How much money is lost due to online crime?

It's a question that we're frequently asked about and it can be challenging to provide a really good answer…

It's an underground economy, it's big, it's global, and no one organization can really understand the true costs without extensive amounts of research and cooperation. And victims don't always (for quite valid reasons) want to cooperate.

But how much is it?

Wired has an excellent post about a nine million dollar ATM hack bank job, with video from FOX:

Wired: Kevin Poulsen, Global ATM Caper

It probably says something that we're not surprised by stuff like this anymore.

And while nine million dollars is definitely a very impressive amount of cash to steal during a single coordinated attack, based on the conversations we've had with banking industry insiders, that's certainly just the smallest tip of the overall iceberg.


Species 2009 Posted by Patrik @ 10:58 GMT

Greetings from a snowy Netherlands where a bunch of us are at our annual Species conference, an event for our ISP partners.

Keynote from Species 2009

Partnering with ISPs to provide Security as a Service has been a core strategy for several years and we now have over 180 partners working with us to secure end-users. In fact, we have more ISP partners in Europe, US and Asia than any other antivirus vendor. This means that we have millions of users around the world running our software who have never heard of F-Secure — and that's fine with us.

At this year's conference we have participants from over 22 different countries and it's been a great event where we've been able to, not only share our views and ideas on what F-Secure and our products will look like in the future; but the partners can share their experiences on everything from customer support and marketing, to implementation of new services.


Tuesday, February 3, 2009

Sample Analysis System Posted by Sean @ 15:47 GMT

Our Lab Development (LabDev) team has produced a new service that we want to tell you about.

It's called F-Secure Sample Analysis System.

The system has undergone testing for several weeks and now we would like you, our readers, to try it out. It is a significant upgrade from our current sample submission form.

Create an account: Sample Analysis System accounts display details and information regarding your submissions. Regular users will now be able to track their submission results as a group.

Here's an example of the My Samples view:

Sample Analysis System, My Samples View

So, with this new system, you'll know what we know. And when we know more, your account view will be updated automatically.

Anonymous submissions have been simplified, but there is currently a 5MB limit on file size. Registered accounts have less restricted upload limits.

The system is designed to be flexible, and has additional features that are available based on the user's needs and requirements. We'll discuss more on that later…

For now, please try it @: