NEWS FROM THE LAB - May 2008
Saturday, May 31, 2008

 
Google Earth with Worms, Spam and Malware Posted by Sean @ 10:54 GMT

Google Earth is cool.

We've been using it to track worms. If a worm contacts our monitoring system, its IP address is logged and then converted to latitude and longitude. It all goes into an XML feed that we use with Google Earth's network links.

It looks something like this:

Google Earth with Worms

And while that's pretty neat, worms aren't really today's threat. So we're working on some new data feeds.

Let's take spam. This is what the source of spam from a single personal account looks like:

Google Earth with Worms and Spam

Then there's our worldmap.f-secure.com data. It also feeds an internal system that we use in the lab.

We've adapted that data for Google Earth which then looks like this:

Google Earth with Worms, Spam and Malware

Bot monitoring feeds are in the works as well. We'll do a video demo sometime next week.

Thursday, May 29, 2008

 
Inside a Malicious Flash File Posted by Gerald @ 19:13 GMT

The lab has been receiving lots of malicious flash files lately. Most of the flash files that we've received have obfuscated shellcodes.

Our systems flagged one sample and I decided to take a closer look. The obfuscation is simple: it only uses XOR and ADD instructions.

Basically, it's taking advantage of a recent exploit and it's coupled with SQL attacks. It downloads and executes a file from the following site:

   http://www.psp1122.cn/[removed].exe

We detect the downloaded EXE file as Trojan-PSW.Win32.OnlineGames.AYJU and the flash file as Exploit.SWF.Downloader.A.

Here's an animated image of decrypted shellcode:



Signing off,
Gerald

Wednesday, May 28, 2008

 
Flash w/ SQL Posted by Sean @ 17:16 GMT

There are reports of a critical vulnerability affecting current versions of Adobe Flash and evidence of it being exploited in the wild. Versions including and previous to 9.0.124.0 are reported to be at risk. However — chatter on the security lists we frequent suggests version 9.0.124.0 is not vulnerable and that the attacks are only reliably effective against version 9.0.115.0 and earlier (using CVE-2007-0071).

In any case — we are seeing Flash exploits being used in combination with SQL injection attacks. See Patrik's May 13th post for more information on the SQL attacks. Many/most people probably don't update Flash every time there's an update. This in combination with the SQL injection attacks against tens of thousands of hacked sites is cause for concern. Many, many users could be at risk and should update their Flash software. Shadowserver has a good post highlighting some domains pushing Flash exploits.

Adobe is aware of the issue and is investigating but does not yet have a full report. We'll update you later on whether or not version 9.0.124.0 is affected.

In the meantime, there may be some mitigating strategies you'd like to employ.

First of all you can uninstall Flash. But that can be somewhat aggravating as you'll then be prompted frequently to install Flash from numerous websites. So another option is to update and then disable your current installation.

If you have Flash installed on your Windows computer, Add/Remove Programs includes a "Click here for support information" link.

ActiveX component for Internet Explorer:

Flash 901240 ActiveX

Firefox Plugin:

Flash 901240 Plugin

Update to the most recent version. You can test your installation from this page.

What are your options once you're up to date?

For Internet Explorer, you can use the Manage Add-ons option to disable Flash:

IE Manage Add-ons

But then you'll get this annoying prompt on Flash enabled sites:

Add-on Disabled

An alternative is to use registry (.reg) files. This file disables Flash and this file enables Flash in IE. Right-click, save, and place the files in a convenient location and you can toggle Flash on/off as needed.
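As an illustration of what such a pair of .reg files can contain (added here; these are not the files the post links to), the two below use Internet Explorer's ActiveX "kill bit" on the Flash control's CLSID: setting Compatibility Flags to 0x400 stops IE from loading the control, and deleting the key restores it.

```reg
Windows Registry Editor Version 5.00

; --- disable-flash.reg ---
; Set the kill bit (0x400) for the Shockwave Flash ActiveX control so IE will not load it.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

; --- enable-flash.reg (a separate file) ---
; The leading "-" deletes the key, which removes the kill bit and re-enables the control.
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
```

Both files write under HKEY_LOCAL_MACHINE, so importing them requires administrative rights, and IE must be restarted for the change to take effect.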

A big hat tip goes to John Haller's Useful Stuff site for the .reg files.

And for Firefox?

We suggest Flashblock and NoScript:

Firefox Add-ons

NoScript is an excellent plugin and will block Flash from any untrusted sites. But be careful whom you trust. Remember, even trusted sites can be hacked. Still, it's a must have plugin for security conscious individuals. You can install it from noscript.net.

Flashblock prevents all Flash content from loading. It inserts a placeholder that then allows the user to toggle only the desired Flash. You can install it from flashblock.mozdev.org.

Update: The Security Focus BID has been retired, see the details here. Adobe also has an updated post available.

Adobe Flash version 9.0.124.0 is NOT vulnerable to the exploits that we're seeing in the wild. But there are a large number of sites hosting exploits for earlier Flash versions, so there is risk. We strongly advise updating your Flash installation as a minimum measure.

Home users can use our free Health Check service to assist in scanning and updating their systems.

Motorola Razr Vulnerability Posted by Jarno @ 13:52 GMT

In mobile news: TippingPoint has reported a JPEG Processing Stack Overflow Vulnerability affecting firmware-based Motorola Razr phones. The vulnerability was discovered last summer. New Razr shipments will not be affected as Motorola has produced a fix for the issue.

Motorola Razr

The vulnerability allows remote attackers to execute arbitrary code on vulnerable firmware-based Motorola Razr cell phones.

From TippingPoint:

A corrupt JPEG received via MMS can cause a memory corruption which can be leveraged to execute arbitrary code on the affected device.

So some user interaction is required — accepting the MMS. However, people generally trust image files, so that isn't a difficult social engineering challenge.

On a positive note, the Razr uses a proprietary OS and the "knowledge base" is limited to enthusiasts and modders. But there are modders out there. Popular hardware always generates a crowd of recreational hackers, e.g. the iPhone.

Perhaps we'll see this JPEG exploit used to simplify unlocking older Razrs. Jailbreaking the iPhone was simplified by a TIFF handling exploit after all.

We probably won't see any malware as a result of this vulnerability. Still, one interesting thing to consider is that if a Razr were to be exploited by this, the user wouldn't be able to undo the damage without a reinstall of the firmware. Being a closed OS, there is no hard reset available as there is with many smartphones.

Updates are available for older Razr models via Motorola.

Tuesday, May 27, 2008

 
"Dear Google AdWords Customer" Posted by Mikko @ 21:31 GMT

Sometimes it can be quite hard to spot a phishing site at first glance.

Adwords

Sure, it looks quite real. But always double check the address.

Romanian Whack-A-Mole and Linux Bots Posted by Toni @ 17:27 GMT

It doesn't always have to be the latest and greatest zero-day exploit that causes you to lose control of your computer or server to external attackers. Today's example comes in the relatively ancient form of brute force SSH.

We recently received a sample containing several different files:

A psyBNC installation: legitimate software used by many for normal purposes, but also a common tool in an attacker's toolkit.

And a collection of scripts, binaries, and password files that were used to scan for machines that have their SSH port open.

The binaries that were used maliciously in this case were connecting to a large public IRC network. We see quite a few of these, all headed for the same network, even though it does have a working abuse address and the network's administrators actually do something about the botnet channels that get reported. In our experience, the botnets are most often run by various small gangs coming largely from eastern Europe, notably Romania.

Once one of the botnet channels has been suppressed, it takes only a few hours for a new one to pop up in the same IRC network but under a different channel name.

Whac-a-Mole

The botnet in this case was made up of about forty infected Linux machines, and judging by their DNS Resource Records, most of them are either web servers or mail servers, which usually have a somewhat fatter Internet connection than your average Joe Consumer.

The moral? Even unsophisticated attackers don't need the latest and greatest techniques if the target's passwords are weak.
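To show how an administrator can see this kind of scan arriving in the server's own logs, here is an added example (not part of the post, and unrelated to the sample it describes) that reads OpenSSH auth.log lines, flags a source that fails several logins within a minute while cycling through usernames, and separately flags a success that follows such a burst, which is the weak-password outcome the post warns about. The log lines, thresholds and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

THRESHOLD = 5   # failed logins ...
WINDOW = 60     # ... within this many seconds from one source => brute force

# Constructed OpenSSH auth.log lines (documentation addresses; not the sample from the post).
# 198.51.100.23 cycles through usernames and finally lands a weak root password.
SAMPLE_AUTH_LOG = """\
May 27 14:02:11 web1 sshd[4411]: Failed password for invalid user oracle from 198.51.100.23 port 51222 ssh2
May 27 14:02:13 web1 sshd[4413]: Failed password for invalid user test from 198.51.100.23 port 51230 ssh2
May 27 14:02:15 web1 sshd[4415]: Failed password for root from 198.51.100.23 port 51241 ssh2
May 27 14:02:17 web1 sshd[4417]: Failed password for invalid user admin from 198.51.100.23 port 51250 ssh2
May 27 14:02:19 web1 sshd[4419]: Failed password for invalid user guest from 198.51.100.23 port 51263 ssh2
May 27 14:02:21 web1 sshd[4421]: Accepted password for root from 198.51.100.23 port 51270 ssh2
May 27 14:30:02 web1 sshd[4502]: Failed password for alice from 203.0.113.7 port 40012 ssh2
May 27 14:30:40 web1 sshd[4503]: Accepted publickey for alice from 203.0.113.7 port 40013 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(text):
    """Yield one dict per sshd login event; unrelated log lines are ignored."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ev = m.groupdict()
            # syslog timestamps carry no year; that is fine for short time deltas
            ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
            yield ev

def detect(text):
    """Return alerts as tuples: ('bruteforce', ip, distinct_users_tried)
    and ('success-after-bruteforce', ip, user)."""
    recent = defaultdict(list)   # ip -> failure times still inside the window
    users = defaultdict(set)     # ip -> usernames attempted
    flagged = set()
    alerts = []
    for ev in parse(text):
        ip, t = ev["ip"], ev["time"]
        if ev["result"] == "Failed":
            users[ip].add(ev["user"])
            recent[ip] = [x for x in recent[ip] if (t - x).total_seconds() <= WINDOW]
            recent[ip].append(t)
            if len(recent[ip]) >= THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(users[ip])))
        elif ip in flagged:
            # the scan paid off: one of the passwords from the list worked
            alerts.append(("success-after-bruteforce", ip, ev["user"]))
    return alerts
```

A single failed attempt from a legitimate user (alice above) never trips the threshold, so only the scanning host and its eventual root login are reported.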

Friday, May 23, 2008

 
Jobs:W32/F-Secure Posted by Sean @ 15:29 GMT

Living in Finland can sometimes be a challenge (winter). But then some people make opportunities from those challenges.

Here's the winter commute:

Skiing

Finland also has its rewards (summer). The weather is excellent right now and the days are getting ever longer.

Here's the office's summer parking lot:

Sailing

Working for F-Secure provides many interesting challenges and also has its rewards. We're hiring and there are two positions in the Helsinki Research and Response Labs.

The Security Research Program needs a capable antivirus engine developer to produce code that is efficient, high performing, innovative, and robust. You don't necessarily need to know that much about malware to start, but you should be ready for the challenge and eager to learn (and have some fun).

Click here for more information.

Our Lab Development is seeking a software developer. LabDev builds and designs all of our Response systems that we require to contain, analyze, and fight malware. The team is very active as there's no shortage of ideas for new systems in the lab.

Click here for more information. There are also other open positions.

How about our Kuala Lumpur office? Analysts and developers are some of the open positions available. See this page for details.

Wednesday, May 21, 2008

 
Phishing Piers on Legitimate Sites Posted by Sean @ 10:52 GMT

Let's say that you want to phish for PayPal accounts. One might attempt to register something such as paypol-sevice.com. But that's too obvious and is likely to be discovered and abused before the phishing even begins.

See this example, created one day and abused on the next:

PayPol-Service.com

Clearly that technique is now well guarded against. So instead of a clever misspelling, more obscure URLs such as paypalcom.cq.bz are required.

However, even obscure URLs can be taken offline quickly as they have no legitimate functions. Sending a message to the host providers with a request that the entire bogus site be taken offline does the trick.

So what next?

Instead of setting up their own sites, we're seeing more and more evidence of phishing from hacked sites: legitimate sites that are unknowingly hosting phishing. And then the site cannot simply be pulled offline without collateral damage to the legitimate business. So the website's administrator must be contacted to repair the damage.

Sites such as bbcsales.com, a 15-year-old business with a long-standing Web presence.

BBCSales.com

PayPal phishing from their site was reported to PhishTank on May 6th:

BBCSales.com - May 6th

That phishing pier, located in the /administrator/ folder, was quickly taken offline.

But now BBCSales have been hacked again and a new pier configured from the /includes/ folder. Here's a PhishTank report from today, May 21st:

BBCSales.com - May 21st

Until the website's vulnerabilities are resolved, the phishers will just continue to hack-and-pier.

Once again the company, located in Canada, must be contacted to resolve the issue. And this is undoubtedly costly for the business while providing a new advantage to the phishers.

A quick scan through PhishTank's Recent Submissions yields many hacked piers.

Friday, May 16, 2008

 
20 Years Old Posted by Response @ 10:10 GMT

We're no longer teenagers.

Twenty years ago on this day, May 16th, F-Secure was founded by Risto Siilasmaa. That makes today our birthday.

To celebrate, the folks "upstairs" have produced a pretty cool timeline with videos.

F-Secure 20th anniversary:

20 Years of Reliability

A lot of things have changed over the years. Check out the lab's hardware from the early days:

High Tech Lab

Debian OpenSSL Vulnerability Posted by Vulnerabilities @ 10:07 GMT

Debian's OpenSSL packages versions 0.9.8c-1 up to 0.9.8g-9 are affected by a highly critical vulnerability which may lead to weak cryptographic keys and potentially compromise the system.

Debian

The vulnerability is due to the random number generator in Debian's OpenSSL package being predictable, which allows an attacker to conduct brute-force guessing attacks and recover cryptographic keys used in SSH, OpenVPN, DNSSEC, X.509 certificates, and session keys used in SSL/TLS connections.

Also, an unspecified weakness in the Datagram Transport Layer Security implementation can be exploited by remote attackers to cause a denial of service condition and potentially compromise the vulnerable system.

Update the OpenSSL package from Debian and recreate all cryptographic keys to mitigate.

For more information read our vulnerability report and Debian's announcement.

Wednesday, May 14, 2008

 
May's Microsoft Updates Posted by Esz @ 08:06 GMT

It's time once again for monthly updates from Microsoft.

MS Updates for May 2008

Microsoft Office Word and Publisher reportedly have Remote Code Execution vulnerabilities which could be exploited by remote attackers. Various Office versions are affected.

The three vulnerabilities are highly critical and we recommend that users apply the latest updates.

Microsoft Malware Protection Engine, a component of their antivirus products, reportedly has two denial of service vulnerabilities. The vulnerabilities can be exploited remotely and can cause the malware engine to stop responding or to restart while scanning a specially-crafted file. It may also exhaust available disk space.

The issue of specially-crafted files affected all antivirus vendors. We fixed it a few months ago with automatic hotfixes. You can read the Security Bulletins here and here.

Click here for more information on Microsoft's Updates.

Tuesday, May 13, 2008

 
SQL Injection Attacks Becoming More Intense Posted by Patrik @ 23:20 GMT

The mass SQL injection attacks we've mentioned here and here are increasing in number and we're seeing more domains being injected and used to host the attack files. We believe that there is now more than one group using a set of different automated tools to inject the code.

Previously, these attacks have primarily pointed to IP addresses in China and we've seen the following domains being used in addition to the ones we've mentioned previously:

   www.wowgm1.cn
   www.killwow1.cn
   www.wowyeye.cn
   vb008.cn
   9i5t.cn
   computershello.cn

We've now seen other domains being used as well such as direct84.com which is inserted by an SQL injection tool (detected as HackTool:W32/Agent.B) distributed to the Asprox botnet. SecureWorks has a nice write-up available. The direct84.com domain fast-fluxes to several different IPs in Europe, Israel and North America.

SQL fastflux direct84

The injected link eventually leads to a backdoor detected as Backdoor:W32/Agent.DAS.

This is a good time to again mention that it's not a vulnerability in Microsoft IIS or Microsoft SQL that is used to make this happen. If you administer a website that uses ASP/ASP.NET, make sure that you sanitize all inputs before they reach the database.

There are many articles on how to do this such as this one. You could also have a look at URLScan which provides an easy way to filter this particular attack based on the length of the QueryString.
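An added example in the spirit of the URLScan filter mentioned above (it is not from the post and not URLScan's own logic): it walks simplified IIS-style log lines, flags over-long query strings the way a length limit would, and additionally recognises the hex-encoded CAST(...) form in which these injected scripts arrive, decoding the hex so an analyst can read what was injected. The log lines, the length threshold and the payload are constructed.

```python
import re
from urllib.parse import unquote_plus

# Length limit in the spirit of URLScan's query-string cap; the value is an assumption.
MAX_QUERY_LEN = 256

# The mass-injection requests hide the real statement as a hex literal inside CAST(...)
# so that nothing readable appears in the raw request; EXEC then runs the decoded text.
HEX_CAST = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.I)
TSQL_BATCH = re.compile(r"\bDECLARE\s+@\w+|\bEXEC\s*\(", re.I)

# Constructed, simplified IIS-style log lines:
#   date time method uri-stem uri-query client-ip status
# The hex payload is built from a harmless stand-in string, not a real injected script.
PAYLOAD = "SELECT 'constructed test payload'"
INJECTED_QUERY = ("id=12;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
                  + PAYLOAD.encode().hex().upper()
                  + "%20AS%20VARCHAR(4000));EXEC(@S);--")
SAMPLE_LOG = [
    "2008-05-13 10:00:01 GET /products.asp id=12 203.0.113.5 200",
    "2008-05-13 10:00:07 GET /products.asp " + INJECTED_QUERY + " 198.51.100.9 200",
    "2008-05-13 10:00:09 GET /news.asp q=" + "A" * 300 + " 198.51.100.9 404",
    "2008-05-13 10:00:11 GET /index.asp - 203.0.113.5 200",
]

def decode_hex_payload(hexstr):
    """Turn the hex literal back into text; NVARCHAR payloads arrive as UTF-16LE."""
    raw = bytes.fromhex(hexstr)
    if len(raw) >= 2 and not any(raw[1::2]):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")

def inspect_request(line):
    """Return findings for one log line, or None when nothing matches."""
    fields = line.split()
    if len(fields) < 7 or fields[4] == "-":
        return None
    stem, query, client = fields[3], fields[4], fields[5]
    decoded = unquote_plus(query)
    reasons, payload = [], None
    if len(query) > MAX_QUERY_LEN:
        reasons.append("query string length %d > %d" % (len(query), MAX_QUERY_LEN))
    m = HEX_CAST.search(decoded)
    if m:
        reasons.append("hex-encoded CAST payload")
        payload = decode_hex_payload(m.group(1))
    if TSQL_BATCH.search(decoded):
        reasons.append("T-SQL batch in query string")
    if not reasons:
        return None
    return {"client": client, "stem": stem, "reasons": reasons, "payload": payload}

def scan(lines):
    """Run inspect_request over every line and keep only the hits."""
    return [f for f in (inspect_request(l) for l in lines) if f]
```

Note that the injected request above is well under the length limit, which is why the CAST and DECLARE/EXEC checks matter alongside a plain length cap.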

US Air Force Colonel Proposes Skynet Posted by Sean @ 12:27 GMT

This month's issue of Armed Forces Journal features an article by Col. Charles W. Williamson III titled:

Carpet bombing in cyberspace: Why America needs a military botnet

It's a provocative essay… that fails to convince us of the need for an AF.MIL botnet.

Quoting the colonel:

"The U.S. would not, and need not, infect unwitting computers as zombies. We can build enough power over time from our own resources."

In that case the AF.MIL botnet might be missing a key element of success. Criminal botmasters don't use their own resources. Criminals steal resources from geographically diverse locations. Their crimes are international and they can be exceedingly difficult to trace back to their origins. They often avoid resources in their own countries so as to avoid local law enforcement action.

"The truly difficult problems come in defending against attack from devices adversaries have captured from U.S. or allies' civilians."

This isn't just difficult — this is likely to be the main problem that any credible cyber-threat would present. Using the criminal's model of success, an enemy nation-state will just infect resources belonging to others. And in that case an AF.MIL solution would be fuel for the fire, cannibalizing its own and/or other nations' networks without counterattacking the true source of the threat.

In his essay, Col. Williamson uses a fortress analogy. He suggests that the military age of the fortress is over because air power can travel over fortress walls. Military forces respond to such threats by attacking the enemy's airfields from which the attacks are launched. So, to extrapolate, an AF.MIL botnet would attack the locations from which DDoS attacks are being launched.

However, Col. Williamson seems to have overlooked something from his own essay:

"Homer's epic poems describe how fortified Troy held out against the united Greek armies for 10 years until Troy finally fell when it foolishly brought the threat inside its own walls by falling for the enemy's masquerade in the form of a giant wooden horse."

Trojans are precisely the point. Social engineering, exploits, and trojans are used to create the enemy within. The enemy's launch point will be from within the fortress walls.

It's quite possible that any threat big enough to warrant the use of an AF.MIL botnet would largely come from within the borders of the United States.

Let's take AKILL for example. Owen Thor Walker, an 18-year-old bot herder from New Zealand, was arrested as a result of last year's Bot Roast II. He controlled a network of one million computers. A failed botnet update resulted in a DDoS on the University of Pennsylvania. The failure led to the arrest of a partner and then Walker himself.

Now let's suppose that instead of Walker being some Kiwi kid interested in making lots of money, that he was an enemy of the state bent on attacking the USA. Do you think his arsenal was located in New Zealand? It wasn't. So what's the military target? UPenn?

"[A smart enemy] could even craft his packets to make it appear the attack was coming from inside U.S. military networks so that if we merely captured the apparent source IP address and used that to aim the attack we would fire our botnet at our own computers."

A smart enemy might not need to spoof US military networks. A herder known as SoBe, whose real name is unknown since he is a juvenile, pleaded guilty in February for helping to herd more than 400 thousand computers along with Resjames. He also admitted to damaging US military computers.

If SoBe can infect the military, a "smart enemy" will do so as well in an attempt to win the cyber-battle before it's even fought.

"The best defense is a good offense" may not apply very well to cyber-threats if you're really planning to play by the rule of law.

What do you think? Does America need a military botnet?

Comments are welcomed.

AF.MIL Botnet Poll Results

Monday, May 12, 2008

 
Vulnerability Descriptions Posted by Esz @ 11:40 GMT

We now have vulnerability descriptions available from www.f-secure.com/vulnerabilities.

Here's an example of one:

Mozilla Thunderbird has cross-site scripting and security bypass vulnerabilities, first reported on March 26th, which can be exploited by remote attackers. Mozilla recently (May 1st) released version 2.0.0.14 to mitigate these vulnerabilities.

Mozilla Thunderbird

For more information, read Security Advisory SA29548.

You can use Health Check to determine if you have vulnerable software installed.

And you can update to the latest version of Mozilla Thunderbird from here.

Saturday, May 10, 2008

 
SQL Injection Continues Posted by Patrik @ 00:24 GMT

A couple of weeks ago we blogged about mass SQL injections. After that it went quiet but the attacks have now started again, this time pointing to several different domains.

During the last few days we've seen the same type of encoded SQL script as in the previous case being inserted into ASP/ASP.NET pages. The scripts point to the following domains:

   yl18.net
   www.bluell.cn
   www.kisswow.com.cn
   www.ririwow.cn
   winzipices.cn

All of the domains above are pointing to IP addresses in China.

SQL May 9th 2008

Just like last time the scripts attempt to use several exploits to infect the user's computer.

Monday, May 5, 2008

 
BBB Case #947344536 Posted by Mikko @ 16:05 GMT

We're seeing some new BBB trojan attacks going around.

This attack method is well known and has been occurring for months: a high-level executive inside an organization receives an e-mail that mentions a complaint supposedly made to the Better Business Bureau (USA). The e-mail appears to be credible and links to a site in order to download the complaint. The download claims to require IE and ActiveX in order to succeed. Once ActiveX is enabled, the site drops a backdoor on the system.

The message looks like this:

BBB

This would be fairly convincing to most recipients, especially since the real company and individual names are used.

The message links to a page under us-bbb.com (the real BBB site is at us.bbb.org).

BBB

The site was running over the weekend, was down today on Monday and then just reappeared — with a modified version of the malware.

If the recipient enables ActiveX, the site sends the system a CAB file which gets automatically installed as Acrobat.exe — and displays this:

BBB

In reality, it's just installed a backdoor (which we detect as an Agent variant).

Nasty stuff. Watch out.