Greetings from the launch of the National Data Security Day in Sweden.
Sweden is joining Ireland, Denmark, Finland and some other European countries in hosting a national day focused on educating users about computer security. The title of the day in Sweden is "Surfa Lugnt".
The launch party was held today close to the King's Castle in downtown Stockholm. The launch was keynoted by Steve Ballmer (CEO of Microsoft), Ulrica Messing (Swedish Minister for Communications), Per Hellqvist (Symantec) and me.
Mr. Ballmer made some interesting remarks: Microsoft might indeed ship SP3 for Windows XP before Longhorn comes out. Also, the upcoming version 7 of Internet Explorer should have anti-phishing technology built in.
Mr. Thierry Zoller from Luxembourg got in touch with us.
He writes:
Dear F-Secure Viruslab,
Thanks to your site I disinfected a phone in Luxembourg today (yes, that's a country ;) The person who owned the mobile said the infection occurred in France. You can add it to your list of countries!
He tried to disable Bluetooth but failed; he ran out of battery every few hours and had to constantly keep recharging his mobile. The local mobile phone company said to throw away the mobile and to buy a new phone. What a business approach!
Thank you for the free disinfection tool; without it I would have had a lot of trouble removing it.
Thierry Zoller / TELINDUS PSF
Thank you, Thierry, for reporting the case.
In fact, that brings our list of countries with known Cabir cases to 20:
And while talking about Bluetooth worms, we have some interesting research going on. Jarno and Jusu spent yesterday in an underground bunker testing car Bluetooth systems against known Bluetooth worms and other Bluetooth attacks. However, we're not allowed to publicly discuss the results yet, so stay tuned.
F-Secure is proud to be supporting the geekiest annual data security conference in the Nordic countries: T2!
T2'05 will be held in Finland in September, with a keynote presentation from the infamous Fravia.
Now for the interesting part: T2 is organizing a reverse engineering competition, where the fastest one to solve a disassembly problem will win a free ticket to the conference. The prize is only available for residents of Finland, but anybody is free to try the challenge.
Gergo and Jarkko from our viruslab created the challenge program, which is available for download from T2.
Silicon.com is reporting on a rather interesting hacker attack that happened at a WLAN IT conference in London last week.
Apparently the hackers created malicious WLAN hotspots with a forged log-in web page that tries to install malware on the computer of any user who logs on to the hotspot and tries to access the web over it.
While technically this kind of attack is rather simple to accomplish, it raises worrying implications for the use of free wireless hotspots, as business travellers frequently use whatever connection is available and carry quite important data on their laptops.
The best way to protect yourself against such an attack is to have an up-to-date operating system and browser, with anti-virus and a firewall installed. It is also important to have any critical connections go over VPN, and not to use an unsecured connection for any service that requires a user name and password.
So if you are using an open WLAN connection, do not log in to any service that requires a user name and password and does not use SSL. If you really need to use such a service, use a VPN connection to your company office and route the connection from there. Or use some proxy service that provides SSL, such as Anonymizer.
We have been investigating an interesting case about what happens if you happen to mistype www.google.com. One variation (www. googkle .com) leads to a site that starts a huge chain of web pages with exploits in various formats: HTML, CHM, JS, VBS, EXE, JAR, you name it. As an end result the poor mistypist will have a computer seriously infected with malware and spyware. So keep your browsers up to date and practice your touch typing.
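As an added example (not code from the original post), here is a small Python typosquat checker: it generates every label one keystroke away from a brand domain (omission, transposition, substitution, insertion) and flags observed hostnames that match, so a lookalike such as googkle.com stands out when reviewing DNS or proxy logs. The list of observed hostnames is a constructed sample.

```python
"""Typosquat candidate checker (added example; not F-Secure's code).

Generates the single-keystroke typos of a brand's domain label and
reports which observed hostnames match one of them.  The observed
hostnames below are a constructed sample, not real log data."""

import string

ALPHABET = string.ascii_lowercase + string.digits + "-"


def split_domain(domain):
    """Return (label, suffix): 'www.google.com' -> ('google', 'com')."""
    host = domain.lower().strip().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    label, _, suffix = host.partition(".")
    return label, suffix


def typo_variants(label):
    """All labels one edit away from `label` (edit distance 1 incl. transposition)."""
    out = set()
    n = len(label)
    for i in range(n):
        out.add(label[:i] + label[i + 1:])                     # omission:      gogle
        if i + 1 < n:                                           # transposition: googel
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        for c in ALPHABET:
            out.add(label[:i] + c + label[i + 1:])              # substitution:  goggle
            out.add(label[:i] + c + label[i:])                  # insertion:     googkle
    for c in ALPHABET:
        out.add(label + c)                                      # trailing insertion: googlee
    out.discard(label)   # the brand itself is not a typo
    out.discard("")
    return out


def find_typosquats(brand, observed):
    """Return the observed hostnames whose label is one typo away from `brand`.

    The public suffix must match, so subdomains of the brand (mail.google.com)
    and unrelated domains are not reported."""
    brand_label, brand_suffix = split_domain(brand)
    candidates = typo_variants(brand_label)
    hits = []
    for host in observed:
        label, suffix = split_domain(host)
        if suffix == brand_suffix and label in candidates:
            hits.append(host)
    return hits


OBSERVED = [  # constructed sample, e.g. hostnames seen in a DNS log
    "www.google.com", "www.googkle.com", "gogle.com",
    "googel.com", "mail.google.com", "example.com",
]

if __name__ == "__main__":
    for host in find_typosquats("www.google.com", OBSERVED):
        print("possible typosquat of google.com:", host)
```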
We received the sample set of 52 files that were claimed to be new Symbian trojans.
And we confirm that yes, the files are malicious. After a brief examination it seems that the trojans are variants of the Skulls trojan, modifications based on Skulls.D.
The trojans in the set are very similar to each other; basically they have been created by inserting a malicious SIS file into pirated copies downloaded from the net.
So even though there is a large number of infected files, the actual number of new trojans is quite low. We estimate that after analysis the files will fall under 2-3 variant letters.
So what we have here is a large collection of minor variants of the same trojan, or a collection of files that have been manually infected by a trojan. This is something we have already seen with earlier Skulls variants, but not on this scale.
And the good news is that the generic detection in F-Secure Mobile Anti-Virus is already capable of detecting all the samples without any need for database updates.
None of the trojans in the set have been seen in the wild, and most likely will not get into the wild either. So the case is interesting from an academic point of view, but not a real threat to users.
We will compile some statistics on the trojans and add descriptions of the new variants early next week.
OpenOffice.org 1.1.4 and below suffer from a vulnerability that may allow execution of arbitrary code in the context of the user when the user opens a hostile document. The bug lies in the way OpenOffice.org parses Microsoft Word's DOC file structure.
This vulnerability is now fixed, and patches are available from the OpenOffice.org project.
For the past two days there have been interesting discussions in web forums about 52 new Symbian trojans being discovered. And now the count has changed to 71.
Currently we cannot yet confirm or deny the case, as neither we nor any other major AV company have received any samples. We are monitoring the case closely and so far have not found any samples in the wild.
So even though there are claims about a huge number of mobile malware, they are not a threat to normal users, as they are not in the wild. And even if they were, the only way to be infected is to download software from illegal sites, which one cannot do by accident.
And the huge number of new cases is a rather clear indication that someone is manufacturing them for fun, and has most likely created a program to generate the variants (or is really in need of something better to do with his time). So the actual number of variants may be surprisingly low, as AV companies group near-identical samples under the same variant letter.
We will post more information about the case as we find out more.
A new Sober variant was seeded last night. Its spreading speed is unknown at this time, but many previous Sober variants have been fairly big problems.
Once again, this variant sends German messages to .de addresses and English messages everywhere else. The message claims that someone else has been receiving your emails in error and urges you to open the attachment to see the emails in question. Don't.
Right now we detect this one as Email-Worm.Win32.VB.aj.
Proof-of-concept exploits for the popular Mozilla and Firefox web browsers have been posted on public mailing lists. They target the following vulnerabilities:
These exploits allow the attacker to run arbitrary commands on Firefox before version 1.0.3 and Mozilla before version 1.7.7.
We advise all Mozilla and Firefox users to patch their browsers immediately. Otherwise nasty things might happen on your computer just by surfing to the wrong site.
Right after my presentation on mobile viruses in Cairo, one of the local police officers approached me. He wanted to ask about suspicious activity on his Nokia 6600.
I had a look and - get this - his personal phone was infected with Cabir.B! So basically he was walking around the secure conference area with a live virus on his phone - and dozens of people from all over the world were constantly walking around him. Luckily Cabir is capable of spreading to only one phone per reboot.
We surfed to http://mobile.f-secure.com straight from his phone and cleaned the virus off with the free F-Cabir tool. This takes only a minute or so.
So the list of known infections by Cabir currently looks like this:
1 Philippines
2 Singapore
3 UAE
4 China
5 India
6 Finland
7 Vietnam
8 Turkey
9 Russia
10 UK
11 Italy
12 USA
13 Japan
14 Hong Kong
15 France
16 South Africa
17 The Netherlands
18 Egypt
Interpol's 6th International Conference on Cyber Crime is currently underway in Cairo, Egypt.
The conference has 150 police officers from over 100 different countries discussing hacking, botnets, phishing, DDoS and other cool stuff...and how to catch the bad boys doing all this.
This morning Detective Inspector Paul Gillen from Ireland and I gave a presentation about modern telecom networks and about fraud and virus risks on cellular phone systems. It was great.
From an outsider's point of view, Interpol operations seem to be hindered by massive bureaucracy and a constant need for interpreters. But the internet is international, so we need Interpol to police it.
Having an Interpol conference in Egypt also means security is tight...this is the first time I've ever been picked up from the airport by armed police officers and transported to the hotel in a police car!
A new Bagle variant has been found. We detect it with the latest updates (2005-04-15_01). The sample we got seems to be very similar to previous variants. It is currently under analysis; more information will be posted later.
Update: the sample appears to be a variant of Mitglieder, a trojan that is closely related to Bagle. It doesn't have a replication mechanism of its own, so it was probably spammed out using some other proxy trojans or a new Bagle worm variant. However, we have not received any reports about this Bagle worm yet.
The Bluetooth Special Interest Group's annual All Hands Meeting is currently underway in sunny Portugal.
The topic for the meeting is "Securing the Future", and various security risks relating to Bluetooth have been discussed over the last few days. These risks include things like Bluesnarfing, Bluebugging and of course various Bluetooth viruses. In fact, many SIG members were surprised to learn that there are already more than 20 known Bluetooth viruses.
The Bluetooth SIG seems to be taking these risks seriously and is building better security into future specifications of the protocol. Default settings in various Bluetooth-enabled devices are also a key factor in how easy it is to execute such attacks.
Security panel underway with Robin Heydon from CSR, Mikko Hypponen from F-Secure, Adam Laurie from Thebunker and Nick Hunn from Ezurio.
This morning we received a sample of new Symbian malware, which is called SymbOS/Hobbes.A.
It is a SIS-based trojan that pretends to be Symantec Anti-Virus for Symbian phones. When the trojan is installed it shows a dialog instructing the user to reboot his phone to activate the Anti-Virus. Of course the trojan contains no Anti-Virus, just a component that disables the Phone application menu.
We have tested the trojan on different phones and it seems to affect only the old versions of Symbian Series 60 phones, such as the N-Gage and 3650.
To our knowledge the trojan is not in the wild, but any user who happens to install it should not reboot their phone, and should uninstall the file with the Application manager.
The SymbOS/Hobbes.A trojan is already detected by F-Secure Mobile Anti-Virus using the generic detection introduced in database update 15, published on December 13th, 2004.
Exploit code for a Microsoft Jet Database Engine vulnerability has been published. This vulnerability can be exploited to run arbitrary code if the user opens a crafted Access database file (".mdb"). It was not addressed by Microsoft's April security patches released yesterday. For more information, check this advisory from Secunia.
Note also that there is already a public proof-of-concept exploit for the IE DHTML object memory corruption vulnerability described in MS05-20 from yesterday. You really should apply the patch immediately. Often within a few days of these proof-of-concepts appearing, we start seeing malware that uses the same techniques.
Our F-Secure BlackLight beta release has apparently gained a lot of attention among both users and rootkit authors. There is actually a lively debate going on about how to make rootkits that can hide from BlackLight. The discussion seems to be escalating and web sites have even been attacked. We are, needless to say, following the situation closely. Here's the story in brief.
In early April a spyware group posted an article on rootkit.com where they advertised their products and presented source code for evading detection by BlackLight. The technique involved avoiding processes that were named "blacklight". A maintainer of rootkit.com commented on the post, essentially saying that they thought the technique was rather unsophisticated. We have a previous weblog entry and a workaround on this same case.
On April 5th someone launched a DDoS attack on rootkit.com. A few days later a similar attack was started against the websites of the Hacker Defender rootkit, apparently after the author of this rootkit had commented on the case. These sites are still down.
Paul Roberts has written an article on the incident. The article states that there is a connection between the posting on rootkit.com and the attacks. It further says that "the attacks are believed to be the work of a group of Bulgarian and Turkish hackers known as the SIS-Team".
The author of the Voltan e-mail virus was sentenced in Italy yesterday. He got 14 months' detention and a 3000 Euro fine.
The virus writer got off fairly easily as he had a clean record and he co-operated with the court. According to the court papers, he used the mass-mailer to install dialer programs which called toll numbers, rerouting money back to the virus writer. Overall this generated 104.000 Euros for the virus writer before he was caught. We assume he had to return this money.
More information from Repubblica.it (in Italian, of course).
Thanks to Fabrizio Cassoni for the heads-up on this.
Adult sites have been using disclaimers and enter buttons to "prevent" people under 18 from entering their sites. Underground hacking sites are also adopting this practice. There is something different about these disclaimers, though: they commonly seem to prevent everyone from entering the site. Putting a site on the web and denying access to the content to everyone seems a bit illogical at first. Or what do you think of the following statement found in one site's disclaimer: "You must be at least 250 years old and own a pink car to enter this site."
Pink car... checked. By the way, as you can see from the photo (taken by Micke), we barely have any snow left here in Helsinki but the sea is still partly frozen.
The Fontal.A description now contains disinfection instructions both for disinfection by Anti-Virus and for manual disinfection using a third-party file manager.
The disinfection was a lot easier than we originally thought it would be, because the trojan disables only the application manager. But the warning about not rebooting the phone still holds: after trying to boot the phone it won't start, and neither of the instructions in the description will help after that.
So it seems that, as always, the most important instruction is "Don't panic".
We've just added detection and description for a new Symbian Series 60 trojan that we named Fontal.A.
This is a SIS file trojan that installs a corrupted file which causes the phone to fail at reboot. If the user tries to reboot the infected phone, it will be permanently stuck on the reboot and cannot be used until it is disinfected.
Fontal.A is a trojan, and as such it does not spread by itself, not over Bluetooth or any other channel. The most likely way for a user to get infected would be to get the file from IRC or a peer-to-peer file share and install it on the phone. So to avoid Fontal and other trojans, download files only from legal sources.
Basically Mabir.A is Cabir with added MMS functionality; both are written by the same author and have very similar code. So it seems that Mabir.A is based on the Cabir source code.
Mabir.A spreads over Bluetooth using the same routine as early variants of Cabir: when Mabir.A activates it searches for the first Bluetooth phone it finds and starts sending copies of itself to that phone. If the phone Mabir finds goes out of range, Mabir.A still seems to stay locked on it.
The MMS spreading function of Mabir.A uses a new social engineering technique. Instead of just reading all phone numbers from the local address book, Mabir.A listens for any SMS or MMS messages that arrive on the phone. When a message arrives, Mabir sends itself as an MMS message to the sending phone number, thus posing as a reply to whatever message was sent to the infected phone.
F-Secure Mobile Anti-Virus now has exact detection for Mabir.A, and was able to detect it even before we got the sample, using generic detection.
Now that there are three mobile viruses which try to spread over MMS messages, we've been getting questions on how global MMS functionality really is. Well, it seems to be pretty global and pretty compatible. I'm right now travelling in the USA and have been successfully sending MMS messages from my European phone to local phones and back home. Last month we successfully received MMS messages from Australia.
And that's the scary part of MMS viruses. Think about it: how many numbers do you have stored in your mobile phone? Dozens? Hundreds? In how many countries are they? If you would get infected and would send a malicious MMS to all those numbers, how many of the recipients would trust the message coming from you and open it? To how many countries would you spread the virus?
The latest MMS virus, Mabir, was written by the same virus writer who wrote the Cabir Bluetooth worm. In a magazine interview he gave two weeks ago, he was quoted as saying that he hopes to write another cellphone virus as soon as he finds the time. Seems that he did.
Mabir has not been found in the wild. Let's hope it never makes it there.
We have just received a new Symbian worm that spreads over bluetooth and possibly also over MMS.
The new worm is based on the same source code as the original Cabir, but is a different worm as it has MMS capabilities. So we named it SymbOS/Mabir.
The worm is still under analysis so no further details are available yet.
But the good news is that F-Secure Mobile Anti-Virus is already capable of detecting it using the generic detection in the databases published on March 18th, 2005.
In the good old days, we used to have lots of viruses activating on this date, showing various messages or playing pranks on the users.
Unfortunately we live in different times now. We haven't seen viruses like this for some time, as the #1 profile of a virus writer has changed from a hobbyist to a professional.
We don't expect to see any funny new viruses today. We expect to see the usual batch of bots, trojan downloaders, keyloggers, spam proxies and email worms.