NEWS FROM THE LAB - May 2010

Monday, May 31, 2010

 
Poll: Anyone Quitting Facebook Today? Posted by Sean @ 13:37 GMT

It's May 31st and today is the so-called Quit Facebook Day. Currently there are almost 27 thousand committed quitters. That's not very many people considering that Facebook is approaching 500 million accounts.

But forget about Facebook, we'd like to ask you something else. Do you have a Gmail account?

If you have a Google account, have you "paused" your Web History?

If you need to check, go to: https://www.google.com/history/

Wednesday, May 26, 2010

 
CARO 2010 Posted by Mikko @ 11:13 GMT

The CARO 2010 Technical Workshop is underway in Helsinki.

This event, organized by F-Secure, is the largest ever gathering of antivirus experts in Northern Europe. We have almost 150 delegates from 25 countries here.

The key experts from practically all the antivirus labs in the world will be spending the next two days talking about Big Numbers, i.e. how to keep up with the growing volume of malware.

Here are a couple of photos from the workshop:

CARO 2010
Mikko welcoming all delegates to Helsinki.

CARO 2010
Dr Alan Solomon delivering his keynote presentation.

CARO 2010
Maik Morgenstern from AV-Test.org talking about a typical day in the anti-malware industry.

Friday, May 21, 2010

 
Warning on Facebook worm "FBHOLE" Posted by Mikko @ 12:49 GMT

There's a new Facebook worm out there. However, it doesn't seem to be doing anything other than posting a message to people's Facebook walls.

try not to laugh

The message that the worm posts is
"try not to laugh xD http://www.fbhole. com/omg/allow.php?s=a&r=[random number]"

If you follow the link, you end up on a page that looks like this:

fbhole.com

The page shows a fake error message. If you click anywhere on the page, you will trigger a script that will try to post the same message to your Facebook wall. This is done with an invisible iframe that follows your mouse around — causing you to click on an invisible "publish" button. In addition to the wall message post, nothing else happens.
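As an added example (not code from this post or from F-Secure), here is the defender's side of the technique just described: a page can only be overlaid inside an invisible iframe if it lets other origins frame it. The Python below classifies a site's response headers by the framing policy they express (X-Frame-Options and CSP frame-ancestors) and answers whether a given third-party origin could embed the page. The header sets are constructed test data, not captured from Facebook or fbhole.com, and the allow-list matching is deliberately exact-origin only.

```python
"""Framing-policy check for clickjacking defence.

Added example, not code from the F-Secure post. The overlay trick described
above only works if the victim site lets other origins embed it in an iframe.
These helpers read a response's X-Frame-Options and Content-Security-Policy
frame-ancestors headers and report whether a third-party origin could frame
the page. All header sets below are constructed test data.
"""


def parse_frame_ancestors(csp):
    """Return the source list of a CSP frame-ancestors directive, or None if
    the header carries no such directive."""
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # Keywords such as 'self' and 'none' are quoted in CSP; strip the quotes.
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_policy(headers):
    """Classify a response as "denied", "same-origin", "allow-list" or
    "unprotected". frame-ancestors wins over X-Frame-Options when both are
    present, matching what browsers that support CSP do."""
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = parse_frame_ancestors(lower.get("content-security-policy"))
    if ancestors is not None:
        # An empty source list is equivalent to 'none'.
        if not ancestors or "none" in ancestors:
            return "denied"
        if ancestors == ["self"]:
            return "same-origin"
        return "allow-list"
    xfo = (lower.get("x-frame-options") or "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # No header, or the obsolete ALLOW-FROM form that browsers ignore.
    return "unprotected"


def framable_by(headers, third_party_origin):
    """True if a page served with these headers could be embedded by the given
    third-party origin, which is the precondition for the overlay trick.
    Allow-list matching here is exact-origin only (no scheme or host wildcards)."""
    policy = framing_policy(headers)
    if policy in ("denied", "same-origin"):
        return False
    if policy == "allow-list":
        lower = {k.lower(): v for k, v in headers.items()}
        ancestors = parse_frame_ancestors(lower["content-security-policy"])
        return "*" in ancestors or third_party_origin.lower() in ancestors
    return True


# Constructed sample responses for a page carrying a one-click "publish" action.
SAMPLES = {
    "no-policy": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-allow": {"Content-Security-Policy": "frame-ancestors https://partner.example"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:10} policy={framing_policy(hdrs):12} "
              f"framable by decoy={framable_by(hdrs, 'https://decoy.example')}")
```

Run stand-alone, the script prints one line per sample; in practice you would run framing_policy over the headers of any page that carries a one-click action such as a "publish" button and treat "unprotected" as a finding, since that is the state a decoy page needs in order to float the real button under the visitor's cursor.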

fbhole.com

The worm is spreading like wildfire. To get some idea, try this public search via youropenbook.org.

We have blocked the domain fbhole.com so that F-Secure Internet Security users cannot access it. The domain was registered yesterday and it points to an IP address in the Czech Republic, shared by another Czech site called ironbrain.net.

Updated to add: Domain fbhole.com shared an IP address with ironbrain.net [82.208.32.99]. Ironbrain.net hosted a website with references to Facebook but no obvious illegal content. While fbhole.com was registered with privacy protection, ironbrain.net had contact information in the WHOIS database, complete with a Czech phone number.

So I called the number.

The call went roughly like this:

– Hello?
– Hi. This is Mikko Hypponen from F-Secure Labs.
– What is this about?
– I'm looking for a person related to ironbrain.net.
– ???
– We're investigating a Facebook worm on fbhole.com. That domain shares an IP address with ironbrain.net which is registered under your name.
– And you are?
– I'm from an antivirus company. Are you related to ironbrain.net?
– I'll have to check… maybe my company is…
– Please do.
– Bye…
[Click]

About 15 seconds later, both fbhole.com and ironbrain.net went offline. The attack is over.

Updated to add: Here's a short Flash screen-capture showing Facebook Search results for "try not to laugh" during the attack.

Thursday, May 20, 2010

 
Twitter Attack Posted by Mikko @ 11:37 GMT

There's another malware run underway on Twitter.

A fairly large pool of fake accounts is sending out messages with popular hashtags and the text "haha this is the funniest video ive ever seen".

Twitter attack

People see these messages when they look for trending topics in Twitter.

The shortlinks in the Tweets point to a compromised page, which uses a Java exploit to drop a keylogger / banking trojan combo to your system.

The attack is unusually easy to follow by just looking at the source code of the page. Take a look at this:

Compromised

F-Secure Anti-virus blocks access to the malicious pages and detects both the malicious Jar file and the trojan it drops. We have also reported the shortlink to bit.ly and they should disable it soon.

Lesson of the day is probably this: Do you really need Java in your browser? Seriously, do you? If not, get rid of it.

Tuesday, May 18, 2010

 
Do you use Windows XP SP2? Posted by Sean @ 13:21 GMT

July 13th is just 8 weeks away, and that's when Microsoft plans to end security support for Windows XP Service Pack 2.

Statistics from our Service Provider partners show that only about 9 to 10% of our consumer customers are running Windows XP SP2. But what about businesses, non-profits and schools? We'd like to know if your employer is using SP2.

Does your organization still use Windows XP SP2 as its primary OS?

Poll: Windows XP SP2?

Monday, May 17, 2010

 
Facebook Privacy Check Posted by Sean @ 16:05 GMT

Note to Facebook: Your privacy settings are much too difficult for the average individual to fully understand. Even critics of your privacy policies can't figure them all out.

Let's take Privacy Check for example. It's a Facebook application that I discovered via Openbook.

Here's the Privacy Check report:

Facebook Privacy Check

Hey, not bad at all, my score is 17 out of 21. No big surprise for me. Everything is as I expected.

But wait, what's that text at the end of the explanation?

Facebook Privacy Check

It says:

Note because Facebook does not let you hide all your information, the best score that you can currently achieve is 15/21 (unless you don't have any friends)!

I scored 17 out of a possible 15 points. Nice!

That's almost comic… even a developer focused on an application which exclusively highlights your privacy controls can't get it right.

Look, Facebook, I get it. I know exactly how to adjust my privacy settings to my liking and I have an impossibly high "privacy score" that demonstrates that fact. I only share what I want.

But take it from me, most people are somewhat confused, and not because the options aren't straightforward (there are three), but because you fail to provide usable controls that help people understand those options (you can only preview two of the three).

It's a settings and control issue.

Facebook, you'd better improve your controls soon or else your critics will never stop harping about it being a privacy issue.

Signing off,
Sean

Friday, May 14, 2010

 
Videos - May 2010 Security Summary Posted by Response @ 12:31 GMT

The lab's Sean and Mikko recently found some time to discuss security trends that took place during the first four months of this year.

The results are three videos which you can watch on either the F-Secure Lab's YouTube channel or on F-Secure News.

May 2010: Security Summary

  •  Mobile Phone Security
  •  Crime and Punishment
  •  Targeted Attacks and Operation Aurora

Wednesday, May 12, 2010

 
Targeted Attack Using Journalists as a Lure Posted by Mikko @ 08:11 GMT

We found a new malicious XLS file which contains lots of names, details and contact information for journalists around the world:

Journalists targeted

This file was e-mailed to unknown persons, apparently in order to launch a targeted attack. The relevance of the journalists mentioned in the attack file is unknown.

When the file (md5 hash: 738B307F892BCCA4E40C8B9C78DA52E1) is opened, it exploits a vulnerability in Excel. The exploit runs a piece of embedded code that drops several new executables to the hard drive and launches them, including:

   \windows\system32\Setup\fxjssocm.exe
   \windows\system32\spoolsv.exe
   \windows\system32\Setup\setjupry.exe
   \windows\system32\Setup\msxm32.dll

The executables contain a backdoor that gives the attacker full access to data on the target's computer.

We detect the malicious XLS and its dropped components as Exploit:W32/Xdropper.BR and Trojan-Dropper:W32/Agent.DJGD.

Monday, May 10, 2010

 
KHOBE Not So High On The Richter Scale Posted by Mikko @ 14:07 GMT

Researchers at Matousec have announced a new vulnerability that affects several Internet security products. This is generating some media coverage: see "New attack bypasses virtually all AV protection" in The Register.

This is a serious issue and Matousec's technical findings are correct. However, this attack does not "break" all antivirus systems forever. Far from it.

First of all, any malware that our antivirus already detects will still be blocked, just like it always was.

So the issue only affects new, unknown malware that we do not have signature detection for.

To protect our customers against such unknown malware, we have several layers of sensors and generic detection engines. Matousec's discovery is able to bypass only a few of these sensors.

We believe our multi-layer approach will provide a sufficient level of protection even if malicious code were to attempt to use Matousec's technique.

And if we were to see such an attack, we would simply add signature detection for it, stopping it in its tracks. We haven't seen any attacks using this technique in the wild.

In a nutshell: We believe in defense in depth.

Friday, May 7, 2010

 
SIR: Finland Has Lowest Infection Rates Posted by Sean @ 12:59 GMT

Microsoft's current SIR, Security Intelligence Report Volume 8, shows that Finland leads the pack in countries with at least 1 million average monthly MSRT executions. Only 1.4 infections per one thousand.

Finland 1.4 CCM2H09

Do you want to protect your computer?

Move to Finland.

Thursday, May 6, 2010

 
U Can't Search This Posted by Sean @ 17:19 GMT

Wednesday's Sydney Morning Herald ran a story called The terrors of Twittering: growing up in an unexploded data minefield.

Here's an excerpt: "Party antics and examples of extreme behaviour posted for fun on Facebook and other social networking sites are set to become ghosts that haunt individuals when they try to get credit, homes or jobs as adults."

That's quite true, digital footprints created today may have later consequences. As the popularity and reach of social networking expands, many are beginning to worry about losing future opportunities due to their digital identities. Privacy protection is of great concern — but what if you didn't have to work so hard to protect your privacy because you controlled it instead?

That's how it works in Finland where employers can't search for personal information. Finnish employers must ask permission to access somebody's details online. All personal information should be provided by the person.

That's such a novel idea, no?

The Act on the Protection of Privacy in Working Life (PDF) has been on the books since 2004.

Harvard's Info/Law blog wrote about it in 2006.

http://blogs.law.harvard.edu/infolaw/2006/11/15/finnish-employers-cannot-google-applicants/

There exists an expectation of privacy in our daily lives — shouldn't there be an expectation of privacy in our virtual lives as well?

Employers and creditors aren't allowed to follow us around, enter our homes and start looking through our photo albums, letters, and drawers. Why is The Man allowed to enter our digital space without asking first?

Must we be required to put so much effort in preventing youthful indiscretions from finding their way onto the web? Do we even think that's possible for most of today's youth?!? It's not. That's fighting a lost battle.

People should be able to enjoy the benefits of sharing and openness without the fear of future reprisals. Personal and professional should be kept separated and individuals should have control over their digital persona. That requires legal consumer protections. Finns understand that.

Time for the rest of the world to play catch-up.

Tuesday, May 4, 2010

 
Loveletter 2000-2010 Posted by Mikko @ 12:56 GMT

One of the most important worm outbreaks in history happened ten years ago to the day.

Loveletter (aka ILOVEYOU or Lovebug) spread around the world in a matter of minutes. When you got infected, the worm would send this e-mail from your system — posing as you — to all of your contacts:

   From: (your e-mail address)
   To: (one of your contacts)
   Subject: ILOVEYOU
   Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
   Message: kindly check the attached LOVELETTER coming from me.

This turned out to be very effective. People would be surprised by the message, open the attachment and spam all of their friends with the same message. In a couple of hours, millions of users around the world were infected.
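As an added example (not from the original post), the following Python shows the check a mail gateway could make on the message above: the attachment is a Windows Script Host file whose name ends in .TXT.vbs, so with extensions hidden it reads as a text file. The sample message mirrors the headers quoted above but is constructed; both extension lists are this example's own assumptions, not any product's configuration.

```python
"""Attachment screen for deceptive double extensions.

Added example, not code from the F-Secure post. Loveletter arrived as
LOVE-LETTER-FOR-YOU.TXT.vbs: the final .vbs extension is what Windows runs,
while the .TXT in front of it is what a user with hidden extensions saw.
The extension sets and the sample message are constructed assumptions.
"""
import re

# Extensions the Windows shell or Windows Script Host runs directly (assumed list).
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "exe", "scr", "pif", "com", "bat", "cmd"}
# Extensions users read as harmless documents (assumed list).
BENIGN_EXTS = {"txt", "doc", "pdf", "jpg", "jpeg", "gif", "xls", "htm", "html"}


def attachment_risk(filename):
    """Describe why an attachment name is suspicious.

    Returns a dict with:
      executable   - the final extension is one the OS will run
      disguised_as - a document extension placed before the real one, or None
      reasons      - human-readable findings (an empty list means nothing found)
    """
    parts = filename.lower().rsplit(".", 2)  # name plus up to two extensions
    exts = parts[1:]
    final = exts[-1] if exts else ""
    inner = exts[-2] if len(exts) == 2 else None
    executable = final in SCRIPT_EXTS
    disguised_as = inner if (executable and inner in BENIGN_EXTS) else None
    reasons = []
    if executable:
        reasons.append("executable script/binary extension ." + final)
    if disguised_as:
        reasons.append("double extension disguises it as a ." + disguised_as + " file")
    return {"executable": executable, "disguised_as": disguised_as, "reasons": reasons}


# Constructed sample in the simplified header layout used in the post above.
SAMPLE_MESSAGE = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: ILOVEYOU
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Message: kindly check the attached LOVELETTER coming from me.
"""


def screen_message(raw):
    """Parse the simplified header block and decide whether to quarantine.

    Returns (quarantine, findings); a message without an attachment passes."""
    headers = {}
    for line in raw.splitlines():
        m = re.match(r"^([A-Za-z-]+):\s*(.*)$", line)
        if m:
            headers[m.group(1).lower()] = m.group(2).strip()
    findings = []
    attachment = headers.get("attachment")
    if attachment:
        findings.extend(attachment_risk(attachment)["reasons"])
    return (len(findings) > 0, findings)


if __name__ == "__main__":
    quarantine, findings = screen_message(SAMPLE_MESSAGE)
    print("quarantine:", quarantine)
    for f in findings:
        print(" -", f)
```

The split from the right keeps at most two extensions, so names like "report.final.pdf" are judged only on ".final.pdf" and not flagged, while "invoice.pdf.exe" is. A real gateway would also inspect the attachment's content rather than trusting its name, but in May 2000 the name alone was enough to stop this one.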

And we were in the middle of this. As far as I know, we were the first ones to discover this worm.

I remember working with the case with Katrin Tocheva (nowadays at Microsoft), Sami Rautiainen (nowadays at Stonesoft) and Alexey Podrezov (still here at F-Secure).

Here's the e-mail that we believe to be "patient zero", i.e. the first infected party that contacted an antivirus company for help. The e-mail is from John Schrøder, who worked for our Norwegian partner at the time:

—————

   Date: Thu, 4 May 2000 09:41:08 +0200
   From: John Schrøder
   To: samples@F-Secure.com
   Subject: Can you check this out
   Importance: high
   
   I got the attached vbs script from client here in Norway.
   They say that this
   'Love Letter' has spread to 100.000 machines in the
   client network in Europe.
   
   ASAP please
   
   -john
   
   Attachment: pd000504.pgp

—————

Katrin was the analyst in charge of the shift when Loveletter struck, and she's the one that entered our company into emergency mode:

—————

   Date: Thu, 04 May 2000 10:21:13 +0300
   To: all-employees
   From: Katrin Tocheva
   Subject: IMPORTANT: New worm extremely in the wild
   
   Hi all,
   
   There is a new Script worm that is extremely in the wild since this
   morning. Many big companies in Europe are already infected. I already
   spoke with our IT guys and all Outlook users are now protected internally
   but just in case Do Not open any attachments.
   
   The worm spreads via Outlook in a message with a
   
    subject: ILOVEYOU
    Body: 'kindly check the attached LOVELETTER coming from me'
    Attachment: LOVE-LETTER-FOR-YOU.TXT.VBS
   
   We will be entering EMERGENCY MODE, effective *NOW*
   
   Please be careful!
   
   Regards,
   Katrin

—————

Emergency Mode meant various things, including canceling all in-house meetings, calling in extra people to answer phones at the switchboard and so on. It also meant that lab staff would not be allowed to leave for lunch. Instead, the company would bring in pizzas for them automatically. We even had an intranet system where you would select your "emergency pizza" flavor.

Here's another example from my e-mail archives: the first sample of the worm via the industry sample exchange — in this case, from MessageLabs ("this is a big one guys...").

—————

   Date: Thu, 4 May 2000 10:23:38 +0100
   From: Alex at MessageLabs
   To: samples@f-secure.com
   Subject: URGENT HEADS UP - LoveBug virus sample
   
   This is a big one guys. 600 copies in the last hour.
   Call me for details
   
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Alex Shipp
   Imagineer
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~

—————

I remember working on the case all day from 07:41 GMT when it started until midnight, then going to bed only to be woken up at 3am by calls from USA.

I also remember exiting a phone conference with CERTs and other security vendors. When I hung up my phone and looked at the screen, it showed that I had received and missed 40+ phone calls during that 30-minute conference call. All those calls were coming in from partners, vendors & media. Everybody wanted to know what was happening and how to fight the outbreak.

10 years ago, virus outbreaks were mainstream news. Here's the front page of CNN from the time. This screenshot also nicely illustrates how hard it is to try to predict how bad a particular outbreak might become.

CNN Loveletter

Signing off,
Mikko

Monday, May 3, 2010

 
Corporate Identity Theft Posted by Mikko @ 08:39 GMT

For online criminals, it's easy to gain access to stolen bank accounts and credit cards. What's much harder is to empty those accounts without getting caught.

For this, criminals need money mules: individuals who are recruited to move the money. In many cases these individuals have no idea they are working for organized crime. When phishing and banking trojan victims realize they've lost their money, the tracks will lead to the money mules — not the real criminals.

Here's an example of an active money mule recruiting campaign. This one is done in the name of a company called Finha Capital.

Finha

The website looks fairly credible, and a quick web search shows that indeed, there is a real company with this name, and it has been operating for decades.

Finha

The problem is, finha-capital.com has nothing to do with Finha Capital Oy. The site is completely fake.

The website finha-capital.com has been created for one reason only: to serve as a front end for recruiting gullible end users to make online payments and move money for the criminals. These guys are using the reputable brand of an existing company to lure people into their scam.

And it's not just Finha Capital. Take a look at these:

Finha

Exactly the same website operates under (at least) two other names: Bin Finance and Contant.

And just like with Finha Capital, there are real companies called Bin Finance and Contant as well, and the addresses listed on the website are the mailing addresses of these real companies. Again, these companies have nothing to do with the illegal activity.

Finha

Domains finha-capital.com and contant-finance.com are hosted in St. Petersburg, Russia and bin-finance.com is hosted in Kiev, Ukraine.

And just last week, there was a similar scam running at domain nordea-securities.com. Nordea is a large Nordic bank, serving more than 10 million customers.

We spotted this message that was spammed via e-mail:


   From: info@nordea-securities.com
   Subject: Career opportunity
   
   Our firm have reviewed your resume from Career Builder resume base,
   reviewed it and sure that you to be a great applicant for the position which we suggest.
   
   We are now looking for a individuals for a vacant position "Account Coordinator".
   The main task of this position is to collect payments from our customers in US.
   
   Basic Requirements:
   - Computer skills (MS Word), personal e-mail address
   - Ability to work at home
   - Responsibility
   - Age: 21+
   
   If you are interested, please, register here: http://nordea-securities.com/rim/?link=getjob&rnd=34753525


The whois data for this site is misleading and tries to make it appear that the domain nordea-securities.com is owned by Nordea Bank. It isn't. Note the yahoo.com e-mail address.

nordea-securities alexis perkus poelsevierali@yahoo.com

Lessons to be learned?

  •  Realize that identity theft happens to companies as well as to individuals.
  •  If somebody offers you a work-for-home position that's too good to be true, it probably is.
  •  Do not move money for others.
  •  Check that you're really dealing with who you think you're dealing with.

Thank you, Mr. Prime Minister Posted by Fei @ 03:01 GMT

Matti Vanhanen, the Prime Minister of Finland, was recently in Kuala Lumpur, Malaysia for a two day visit.

During his time here, we were absolutely honored that he made time in his busy schedule to pay us a visit at F-Secure Kuala Lumpur.

F-Secure Tower:

F-Secure Tower

We first had lunch, followed by a short tour to the Security Lab and the Development department. Here are some pictures from the visit (click on the images below to view a larger version).

The Prime Minister arrives at F-Secure Tower:

Welcome Finnish PM to F-Secure Tower

And stops first for lunch:

Finnish PM (Lunch at F-Secure Tower)

Next, in the Security Lab I give a brief talk about the threat landscape to the delegation:

Finnish PM Tours Security Lab

While at the next stop in Development, our General Manager Ingvar Froiland discusses some aspects of upcoming projects:

Finnish PM Tours Development

And finally, we bid farewell to the Prime Minister:

Finnish PM Farewell

Thank you, Mr. Prime Minister.

Signing off,
Wing Fei