NEWS FROM THE LAB - April 2010


Thursday, April 29, 2010

Why doesn't Windows include native PDF reader support? Posted by Sean @ 16:45 GMT

Dear Microsoft,

We'd like you to consider developing a PDF reader for your Windows OS.

Something such as Apple's Preview would be great:

Apple's Preview

"To view a PDF file, just double-click it to open it in Preview."

Mac doesn't require a third-party application to view PDFs, so why does Windows?

Heck, you don't even need to build it into the OS. Just make it an optional download such as your Save As PDF add-in for Office.

Save As PDF

We know, we know… even though anyone is allowed to create applications that can read and write PDF files without having to pay royalties to Adobe Systems, you guys can't. You're just too big and can't ship add-on PDF functionality without freaking out Adobe.

But you know what?

You really shouldn't care anymore. Freak them out.

Your customers are tired of the exploits and the complications that so many of today's PDF readers include.

We just want to read PDFs. We don't want to /Launch executables, to play video & audio, or to run JavaScript. A viewer that provides the basic functionality of the PDF/A standard is all we want. Is that so much to ask?

Please give it some thought, thanks.

Sincerely yours,
F-Secure Labs


Why doesn't Windows include native PDF reader support? Posted by Sean @ 15:54 GMT

Note: due to a technical issue, this post has been republished.

Friday, April 23, 2010

Registration for CARO 2010 closing Posted by Mikko @ 14:20 GMT

CARO 2010

May is getting closer. The CARO 2010 Technical Workshop is almost here.

It's going to be good. More than 130 people from all over the world have signed up already.

Registration for the workshop will close in two weeks' time.

We have the final program online. You can see the full program with abstracts at, but here are the presentation titles:

Keynote address
Dr. Alan Solomon

Useful and useless statistics about viruses and anti-virus programs
Maik Morgenstern and Hendrik Pilz,

The Current State of Malware Collections and Sample Sharing
Dmitry O. Gryaznov, McAfee Labs

Sample Sharing Initiative
Righard Zwienenberg, Norman

Virtual Machine Protection Technology and AV Industry
Zhenxiang Jim Wang, Microsoft

File analysis and unpacking in the age of 40M new samples per year
Mario Vuksan and Tomislav Pericin, ReversingLabs

Indexing Large Volumes of Binary Content for Fast Search
Tim Ebringer and Marius Gheorghescu, Microsoft

Back to the Future: Detecting the Least Polymorphic Part
Roel Schouwenberg, Kaspersky Lab

Sequences and Beyond
Gabor Szappanos, Virusbuster

Anatomy of a Targeted Attack with Global consequences
Cristian Craioveanu, Microsoft

The Danish Patcher case
Peter Kruse and Dennis Rand, CSIS

It's Signed, therefore it's Clean, right?
Jarno Niemelä, F-Secure

Detecting malicious web pages with MonkeyWrench
Armin Büscher, G Data

Using Value Set Analysis for Classification of metamorphic Malware Samples
Felix Leder, Bastian Steinbock and Peter Martini, University of Bonn

Profane penetration into Bredolab’s arcanes
Anoirel Issa, Symantec

Kernel-22: A Framework for Creating Analysis Tools
Mike McCarl, ICSALabs

SWF Disassembler Plug-in for IDA Pro
Marian Radu, Microsoft

See you in Helsinki!


MS10-025 Withdrawn For Now Posted by Alia @ 05:15 GMT

Microsoft recently announced that it has withdrawn its MS10-025 security update after finding that the update didn't adequately address the underlying issue it was intended to fix.

The update and its subsequent withdrawal affect only Windows 2000 servers that have the optional Windows Media Services installed.

A re-release of the patch is due sometime in the next week. Pending the re-release, F-Secure has withdrawn the signature for this vulnerability from our Vulnerability database.

In the meantime, mitigation and workaround strategies listed in the MS10-025 bulletin are still considered effective.


Updated to add: The MS10-025 Security Update has been re-released (April 28th). Windows 2000 Server users with the non-default Windows Media Services installed are advised to install the latest update.


Wednesday, April 21, 2010

Finding Remote Vulnerabilities in a Trojan Posted by Mikko @ 10:40 GMT

Many of our readers are familiar with Poison Ivy, a Remote Access Trojan that is often used in various attacks — especially in targeted espionage attacks. More information on such RAT applications can be found in this blog post.

Poison Ivy RAT is developed by a Swedish coder called "Shapeless".


Now, we just learned about a new research paper by Andrzej Dereszowski of Signal11.


Andrzej was investigating a targeted attack case and discovered that Poison Ivy was used to steal data from the target. This got him thinking: lots of researchers fuzz Internet Explorer or Adobe PDF Reader to find vulnerabilities, so why not look for vulnerabilities in Poison Ivy itself?

And then he did exactly that, uncovering a remote code execution vulnerability in Poison Ivy, making it possible for the victim to attack back at his attacker.


Nice work!

Full paper is available here.


Tuesday, April 20, 2010

Case Posted by Mikko @ 14:21 GMT

Two Belarusian hackers were arrested last week. The arrests are related to a website called, which was in operation for several years.

According to the indictment, Dmitry Naskovets and Sergey Semashko were the persons behind this service. The server itself operated in Lithuania. provided an online form where you could order fake confirmation phone calls made by people who spoke either English or German. Such confirmation calls are often used by banks to confirm large money transactions or changes to an account's details. Online criminals need a way to make convincing calls like this, and this is where came into the picture.

Translation of their details page: Please register for the service...then fill in the order form for the call...add the details...we will make the call within 24 hours...if the call is not successful you get your money back...price per call in English: $10.

Here's a snippet from an online chat where criminals are discussing money transactions related to the service:

The site is down now. Visiting will produce this page:

More details in an article by Kim Zetter in Wired.


Firefox Blocks Insecure Java Plugin Posted by Sean @ 14:15 GMT

Mozilla Firefox has a Plugin Check feature. Today, they've gone another step towards securing their browser from insecure plugins.

Firefox is now prompting users to block:

Firefox: Add-ons May Be Causing Problems

A current list of all the plugins blocked can be found at

Firefox: Add-ons Blocklist


Monday, April 19, 2010

Scareware Links Redirecting to Posted by Sean @ 16:46 GMT

Many rogue SEO attack sites will only work if the referrer is a Google query.

If the URL is visited from any other source, the potential victim will be directed away from the scareware. So where is it that the bad guys are currently forwarding non-Google visitors?

This video demonstrates it with a recent Google trend:

Rogue sites redirect to via our YouTube channel.
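The referrer check described above can be tested from the defender's side: fetch the same URL twice, once with a Google search Referer and once with none, and compare where the redirect chains end. The script below is an added example, not code from the original post or from F-Secure; every hostname in it is a constructed placeholder, and `fake_rogue_site` stands in for a live landing page so the example runs offline.

```python
"""Referrer-cloaking check for rogue SEO landing pages (added example)."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Constructed Referer: the rogue pages only check that the visitor appears to
# arrive from a Google query, which is what a real searcher's browser sends.
GOOGLE_REFERER = "https://www.google.com/search?q=tax+day+freebies+2010"
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so every hop can be recorded individually."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetch(url, referer):
    """Live fetcher: one request with the given Referer, no redirect following.
    Returns (HTTP status, Location header or None)."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:  # 3xx lands here once redirects are refused
        return err.code, err.headers.get("Location")


def follow_chain(url, referer, fetch, max_hops=MAX_HOPS):
    """Return the URLs visited from url with the given Referer, stopping at the
    first non-redirect response or after max_hops redirects."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1], referer)
        if status not in REDIRECT_CODES or not location:
            break
        chain.append(urljoin(chain[-1], location))
    return chain


def detect_cloaking(url, fetch=urllib_fetch):
    """Fetch url once as a Google searcher and once with no Referer; a different
    final host means the page discriminates on referrer."""
    via_google = follow_chain(url, GOOGLE_REFERER, fetch)
    direct = follow_chain(url, None, fetch)
    cloaked = urlparse(via_google[-1]).netloc != urlparse(direct[-1]).netloc
    return {"google_chain": via_google, "direct_chain": direct, "cloaked": cloaked}


def fake_rogue_site(url, referer):
    """Constructed stand-in for a rogue landing page so the example runs offline:
    Google visitors are sent to the scareware, everyone else somewhere harmless."""
    if urlparse(url).netloc == "rogue-seo.example":
        if referer and urlparse(referer).netloc.endswith(".google.com"):
            return 302, "http://scareware.example/scan.php"
        return 302, "http://benign.example/"
    return 200, None


if __name__ == "__main__":
    result = detect_cloaking("http://rogue-seo.example/tax-day-freebies", fake_rogue_site)
    print("cloaked:", result["cloaked"])
    print("via Google:", " -> ".join(result["google_chain"]))
    print("direct    :", " -> ".join(result["direct_chain"]))
```

Passing `urllib_fetch` (the default) instead of the fake points the same comparison at a real URL from a sandboxed machine.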


Friday, April 16, 2010

What's a World of Warcraft account worth? Posted by Sean @ 15:14 GMT

Have you given any thought to the monetary value of your virtual commodities? How much is an online game account worth?

For Hannu Ahola, it was 4,000 euros.

Marja, a contributor to F-Secure's Safe and Savvy blog, read about Hannu's case last November in Helsingin Sanomat (in Finnish).

Hannu Ahola,

Marja was curious about Hannu's case, and recently, while visiting his area of Finland, she called, visited with him, and learned more of the details for herself.

The story starts about four years ago when Hannu purchased a World of Warcraft account from an acquaintance. He then invested his time and effort into the game and developed a strong character. Unfortunately for him, his success did not go unnoticed. His acquaintance decided that he wanted the WoW account back, logged in, and hijacked Hannu's character.

Now, what do you do when someone takes something from you in the virtual world?

It's quite difficult to make a criminal case out of such an occurrence. But Hannu wasn't deterred; he wanted some kind of reckoning. He sought the help of Turre Legal, and with the help of researcher Vili Lehdonvirta the WoW account was valued at 4,000 euros in an out-of-court settlement.

The lab frequently sees WoW phishing sites and password trojans, but rarely does the account holder know the other person involved, so this is a very interesting case.

World of Warcraft now reportedly has 11.5 million subscribers. At 4,000 Euros an account, that's starting to equal some real money. No wonder online games are such a popular target for online criminals.

See Safe and Savvy for Marja's post.


Thursday, April 15, 2010

Tax Day Freebies Posted by Sean @ 15:22 GMT

Google's Online Security Blog had a very interesting post yesterday regarding fake antivirus. Google has been working to protect their users since March 2007, when they first discovered fake AV. (We, and other security vendors, have been writing about the issue of rogues since at least July 2006.)

Google performed a 13 month study and "uncovered over 11,000 domains involved in Fake AV distribution — or, roughly 15% of the [overall] malware domains" that were detected during the period.

Hopefully the research will be useful in combating the fake antivirus Search Engine Optimization (SEO) attacks that currently plague Google's real-time results.

Today, for example, is April 15th, tax day in the USA. So what happens if you search for "tax day freebies 2010" using Google?

Yep. You'll find rogues and fake antivirus attacks on the first page of results.

Here's a short flash video we made demonstrating the issue:

"tax day freebies 2010"

Generally, clicking on any of the links in Google Trends is an easy way to locate fake antivirus.

We haven't done a 13 month study, but Bing's results appear to be safer.

Bing's tax day freebies 2010


Wednesday, April 14, 2010

RIP Windows Vista RTM Posted by Sean @ 14:02 GMT

Avid readers of the Microsoft Support Lifecycle Blog (and really, how can you not be?) know that yesterday, April 13th, marked the end of support for Windows Vista RTM, also known as Windows Vista SP0.

We'd like to say that we'll miss Vista RTM. We'd like to say that… but, well…

Ctrl+Alt+Del - The Upgrade

On a related note, Windows XP Service Pack 2 (SP2) will reach its end of support this summer on July 13th. There are more positive memories of XP SP2, largely because of its emphasis on security.

However, that emphasis did come at a cost. Development resources at Microsoft were diverted from Vista and given to XP SP2. Ironic? In any case, if you have Vista RTM or XP SP2 you should visit the Microsoft Download Center and update to the latest Service Pack sooner rather than later.

Just in case you were wondering, Windows 7 will be supported until January 13th, 2015.


Tuesday, April 13, 2010

Automated Updates Posted by Sean @ 14:10 GMT

It's that time of the month.

Here's Microsoft's Security Bulletin Notification. There are 11 bulletins with numerous fixes being published later today.

There's also an Adobe Security Advisory with an update scheduled for release.

Somewhat interestingly, today's Adobe update will utilize Reader's new automatic updater.


Monday, April 12, 2010

ICPP Copyright Foundation is Fake Posted by Mikko @ 08:47 GMT

There's a new extortion trojan in circulation.

This one attempts to steal victims' money by bullying them into paying a "pre-trial settlement" to cover a "Copyright holder fine".

The victim is informed that an "Antipiracy foundation scanner" has found illegal torrents on the system. If he won't pay $400 (via a credit card transaction), he might face jail time and huge fines.

a co-project by ICCP Foundation / ICPP Foundation - Copyright violation: privacy content detected

And the warnings will not go away. They will reappear every time the user reboots his system.

All of this is completely fake. There is no "ICPP Foundation", and the messages will appear even if the system contains no illegal material whatsoever.

Most importantly: Refuse to pay money to these clowns! If people pay them, the problem will only grow bigger.

The group behind this has even set up an official-looking website at

The domain is registered to Mr. "Shoen Overns". The same e-mail address has been seen before in various other domains, connected to Zeus and Koobface scams.

If you click on the Reports shown by the application, you'll end up on pages such as these:

We tried calling the (Italian) phone number listed on the page: +39 (06) 9028 0658. Unsurprisingly, it goes nowhere.

These pages are hosted at, which according to WHOIS belongs to EBUNKER-NET, a "High protected Somalia network". It's running in Moldova.

This is what the payment page looks like:


There is no obvious credit-card payment system connected to the site; they just seem to collect the credit card information.

If you are hit by this trojan, DO NOT PAY. Instead, use an antivirus program that is capable of detecting it to remove the trojan. F-Secure Antivirus detects it as Rogue:W32/DotTorrent.A. You can use our free Online Scanner at to check your system.

The malware is typically located in c:\documents and settings\USERNAME\application data\IQManager\iqmanager.exe. We've seen two versions so far. MD5 hashes of them are cedc2c35bf967027d609df13e937946c and bca3226cc1cfea416c0bcf488082e5fd.
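For a responder checking a machine by hand, the path and hashes above are enough for a simple sweep: walk every profile under the Documents and Settings root, match the IQManager path case-insensitively as Windows would, and compare the MD5. The script below is an added example, not part of the original post or of F-Secure's tooling; the profile root is a parameter so it can be pointed at a mounted image, and `build_constructed_profiles` creates harmless constructed files so the sweep can be demonstrated offline.

```python
"""IoC sweep for the path and MD5 hashes named in the DotTorrent post (added example)."""
import hashlib
import os
import tempfile

# Values quoted in the blog post.
RELATIVE_PATH = os.path.join("Application Data", "IQManager", "iqmanager.exe")
KNOWN_MD5 = {
    "cedc2c35bf967027d609df13e937946c",
    "bca3226cc1cfea416c0bcf488082e5fd",
}


def md5_of_file(path, chunk=1 << 16):
    """Hash a file in chunks so it does not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep_profiles(profiles_root):
    """Return one finding per profile that contains the IQManager binary.
    A finding is (username, full_path, md5, verdict); the verdict is
    'known_sample' for a hash from the post and 'unknown_variant' otherwise,
    because the post says more than one version is already circulating.
    Path components are matched case-insensitively, as Windows does."""
    findings = []
    wanted = RELATIVE_PATH.lower().split(os.sep)
    for user in sorted(os.listdir(profiles_root)):
        candidate = os.path.join(profiles_root, user)
        for part in wanted:
            if not os.path.isdir(candidate):
                candidate = None
                break
            matches = [n for n in os.listdir(candidate) if n.lower() == part]
            if not matches:
                candidate = None
                break
            candidate = os.path.join(candidate, matches[0])
        if candidate and os.path.isfile(candidate):
            digest = md5_of_file(candidate)
            verdict = "known_sample" if digest in KNOWN_MD5 else "unknown_variant"
            findings.append((user, candidate, digest, verdict))
    return findings


def build_constructed_profiles():
    """Create a throwaway Documents and Settings tree: one clean profile and
    one carrying an IQManager.exe made of constructed bytes (not malware),
    so the sweep has something to find without a real sample."""
    root = tempfile.mkdtemp(prefix="docs_and_settings_")
    os.makedirs(os.path.join(root, "alice", "Application Data"))
    infected = os.path.join(root, "bob", "application data", "iqmanager")
    os.makedirs(infected)
    with open(os.path.join(infected, "IQManager.exe"), "wb") as handle:
        handle.write(b"constructed placeholder, not a real sample")
    return root


if __name__ == "__main__":
    for user, path, digest, verdict in sweep_profiles(build_constructed_profiles()):
        print(f"{user}: {verdict} {digest} {path}")
```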


Friday, April 9, 2010

Trojanised Mobile Phone Game Makes Expensive Phone Calls Posted by Mikko @ 14:26 GMT

We have received reports of a malicious Windows Mobile game that runs up significant phone bills for affected users.

The game in question is called 3D Anti-terrorist action, and it's manufactured by Beijing Huike Technology in China.

3D Anti-terrorist animation

The game itself is a 3D first-person shooter.

3D Anti-terrorist animation

Apparently some Russian malware author took the game and trojanized it. Then he uploaded the trojanized version to several Windows Mobile freeware download sites.

Quite quickly, people started reporting that the phone was making expensive calls on its own.

Here's an example of a thread on the XDA-Developers forum:

3D Anti-terrorist

When analyzing the code of the trojanized game, it's easy to see how it initiates several phone calls and waits for the calls to proceed. The calls are billed by the minute.

3D Anti-terrorist

The numbers the trojan dials are:

  • +882346077
  • +17675033611
  • +88213213214
  • +25240221601
  • +2392283261
  • +881842011123

But how do such international premium-rate numbers work?

It turns out there are several companies that make all of their money by offering expensive international premium rate numbers in faraway countries. Go figure.


The case reminds us of a similar incident ("Case Mosquitos") on Symbian devices, six years ago.

F-Secure Mobile Security detects and blocks the trojanized version of this game.


Rogue AV Localization Fail Posted by Sean @ 12:59 GMT

Yesterday, while researching some blacklisted domains, we came across five rogue scanning UIs hosted from a single URL.

That's five scams for the price of one and we only needed to refresh our browser. All of our screenshots were taken from a computer running Linux.

The first one called itself AntivirusPlus and wanted its victim to Erase infected.
Antivirus Plus

Next, we refreshed, and there was another version of AntivirusPlus (red & white emblem) asking the victim to Protect now.
Antivirus Plus

Refreshing again, and it became XPert Antivirus (again with red & white emblem).
Antivirus Plus

But then back to AntivirusPlus on the next refresh, this time with a friendly 7 on the left side and an option to Turn on.
Antivirus Plus

And last but not least, the classic Windows XP look and feel.
Antivirus Plus

Before the XP UI was launched, this prompt was displayed:
Antivirus Plus

Hmm… notice anything interesting about the Cancel button? We have just one thing to say to that.

Spasibo, ne nado. (Thanks, but no thanks.)


Thursday, April 8, 2010

Singer's Exploit Kit version CVE-2010-0806 Posted by Response @ 06:40 GMT

Well, well… looks like someone has been singing along to one of Jay Chow's songs while coding an exploit for a vulnerability in Internet Explorer, which was addressed in Microsoft Security Bulletin MS10-018. The exploit targets the Peer Objects component (iepeers.dll) in IE; it has been found in the wild, and today it was detected while attempting to exploit a client's browser.

Once the shellcode is decoded, it downloads a payload that we detect as Trojan:W32/KillAV.LD.

The JavaScript used to exploit the vulnerability is shown below:

On closer inspection, you will notice that the variable and function names are transliterations of Chinese characters with specific meanings. They are a mix of lyrics from a children's song and from a song by Jay Chow, a Taiwanese singer.

As usual, exploits like this are blocked by our Browsing Protection, so you can browse with peace of mind.

Response post by Jaan Yeh and Chu Kian.


Wednesday, April 7, 2010

Shadows in the Cloud Posted by Mikko @ 14:23 GMT

You might remember the GhostNet white paper that was released a year ago; we blogged about it extensively.

The same researchers, with the help of the Shadowserver Foundation, have now published a new white paper called Shadows In The Cloud: Investigating Cyber Espionage 2.0 (link to a PDF).

This investigation into targeted attacks (à la "Operation Aurora") is very extensive and well worth a read. It includes technical analysis of the espionage methods as well as an overview of how the attackers operate.

Shadows in the Cloud

The report even goes on to name likely targets.

To quote the beginning of the paper:

Main Findings

Complex cyber espionage network
Documented evidence of a cyber espionage network that compromised government, business, and academic computer systems in India, the Office of the Dalai Lama, and the United Nations. Numerous other institutions, including the Embassy of Pakistan in the United States, were also compromised. Some of these institutions can be positively identified, while others cannot.

Theft of classified and sensitive documents
Recovery and analysis of exfiltrated data, including one document that appears to be encrypted diplomatic correspondence, two documents marked “SECRET”, six as “RESTRICTED”, and five as “CONFIDENTIAL”. These documents are identified as belonging to the Indian government. However, we do not have direct evidence that they were stolen from Indian government computers and they may have been compromised as a result of being copied onto personal computers. The recovered documents also include 1,500 letters sent from the Dalai Lama’s office between January and November 2009. The profile of documents recovered suggests that the attackers targeted specific systems and profiles of users.

Evidence of collateral compromise
A portion of the recovered data included visa applications submitted to Indian diplomatic missions in Afghanistan. This data was voluntarily provided to the Indian missions by nationals of 13 countries as part of the regular visa application process. In a context like Afghanistan, this finding points to the complex nature of the information security challenge where risks to individuals (or operational security) can occur as a result of a data compromise on secure systems operated by trusted partners.

Command-and-control infrastructure that leverages cloud-based social media services
Documentation of a complex and tiered command and control infrastructure, designed to maintain persistence. The infrastructure made use of freely available social media systems that include Twitter, Google Groups, Blogspot, Baidu Blogs, and Yahoo Mail. This top layer directed compromised computers to accounts on free web hosting services, and as the free hosting servers were disabled, to a stable core of command and control servers located in the People's Republic of China.

Links to Chinese hacking community
Evidence of links between the Shadow network and two individuals living in Chengdu to the underground hacking community in the People's Republic of China.


Tuesday, April 6, 2010

Poll: How do you back up? Posted by Sean @ 14:57 GMT

We're curious: how do you currently back up your data at home? Please answer our poll:

Which of the following is/are your preferred method(s) for backing up data on your home computer?

Poll: How Do You Back Up?

Edited to add: Great responses so far, cheers!

A couple of folks have asked what we mean by remote data storage. Primarily, an Internet drive or share space to which files can be copied (manually). In this context, sites such as Flickr could be considered a backup source.

We consider online backup services to imply software that automates the process.


Thursday, April 1, 2010

Internal April Fools Joke... Posted by Mikko @ 15:36 GMT

Yes, it's April Fools day today (see coverage from our Safe and Savvy blog).

LabDev is the team within F-Secure Labs that develops and maintains our internal systems that (among other things) import, scan, analyze and categorize all incoming samples.

As it happens, LabDev has put in a subtle change to our sample management system's interface today.

Here's a screenshot:

FSLabUI Facebook

Can't spot the joke? Well, many analysts missed it for quite a while as well. Maybe this helps.


Product Announcement from the Lab Posted by Mikko @ 05:53 GMT

F-Secure Labs is launching a new feature in Browsing Protection today.

Web security has become increasingly important over the last few years, and we've already developed various protection mechanisms to keep our customers safe against exploits, phishing attacks, and drive-by downloads. However, there's still more we can do against one of the most sinister of attacks.

In development for more than two years, we're now releasing completely new technology that will warn our customers whenever they click on a "Rickroll" link.

Never again will our customers unknowingly visit the infamous video of Rick Astley performing "Never Gonna Give You Up".

F-Secure Rickroll Protector

The new feature is called F-Secure Rickroll Protector. The technology is based on advanced image recognition analysis that monitors HTTP traffic for signs of bright red pompadours.

For more details, please follow this link.