So: if you've ever seen a bluetooth virus in action, do post a comment to Pete's blog. Let's see if we can get any feedback about real cases. Somehow I find it hard to believe I would be the only person in the world who has seen these incoming bluetooth connections in real life.
We've seen two separate spam runs with infected attachments tonight.
First one comes in an email with random header info and body text "Hi, Honey - My best photo ever!". This one contains a file called "dsc00342.jpg .exe" as an attachment. This one is detected by us as Trojan-Downloader.Win32.Small.cyy.
The second one comes in an email looking like this:
The link to all-yours.net is fake; instead the link points to an EXE file hosted at whitehat.cc.
The file is named "postalcard.jpg.exe" and is detected by us as Backdoor.IRC.Cloner.ae.
All-yours.net is a real greeting card site and has nothing to do with this case. Abuse messages have been sent about whitehat.cc domain.
We have a winner for our latest competition. We received 60+ submissions, and most of them guessed correctly. The winner's (Mika) tee shirt is on its way, and for the rest, you can confirm your answer using the extra hint shown in this post's image. We'll profile the author next week at the start of the FRECA Competition.
Some of the incorrect guesses included: - Virus writer Marcos Velasco - Antivirus expert Peter Szor - Heiress Paris Hilton
Web Application Worms exploit persistent Cross Site Scripting (XSS) vulnerabilities in websites. It's a new category of malware and it's a growing concern for popular websites. Social Networking sites seem to be the most popular target as of now. MySpace has already been hit by two such worms - the Samy worm in October last year and last week's Flash worm. Samy was written by a guy who wanted to become popular on MySpace. So he designed the worm to crawl through the site while furiously adding people to his friends list. The result: over a million "friends" in a couple of hours. Last week's worm exploited a vulnerability in Macromedia Flash to redirect MySpace users to an objectionable webpage.
Last week MySpace was also the target of a malicious banner advertisement that ran on the site. It used the WMF vulnerability in Windows to serve adware to more than a million users with unpatched machines.
Something to consider: The WMF banner ad successfully reached about one million users. An automated worm utilizing a similarly malicious WMF exploit or a similar browser expoit (maybe even a 0-day exploit) could potentially reach a much, much larger audience of unpatched machines. Theoretically, this could be the entire user base...
1. End users need to patch their machines. There's no excuse not to. 2. Web application developers must start taking security seriously. Yes, XSS issues are silly, easy to find and omnipresent. And XSS issues have stopped being funny for a long time now. They are a real danger with the advent of Phishing and Web Application worms that exploit a mass user base of millions of users within a very short time.
Of course, we have reported the issues to the affected websites and are working with them to get the issues fixed. And, of course, we aren't taking any names here.
Last week we promoted our upcoming Reverse Engineering Challenge. Today we have a different challenge for you. Just who is the mystery author mentioned in our previous post? The first person to send the correct answer to "nerds [at] f-secure [dot] com" will be mailed a free F-Secure tee shirt.
Here are your clues: He's in the banner photo. He was the subject of a weblog post sometime during 2005. He has 17 years of "experience".
For those of you that don't want to do any sleuthing, we'll have the answer for you next week when Assembly '06 starts.
An interesting discussion has started around comments released by one of our competitors, namely Computer Associates. The comments given by Simon Perry, a VP at CA were prompted by the mobile antivirus service that will be available for Orange smartphone users in UK.
What is interesting about the debate is that CA is indirectly claiming that Orange has made a bad decision by launching a mobile security solution. CA seems to be claiming that Orange is either ignorant of what is the real malware situation in their network or of ignoring the data they have and choosing to launch an unnecessary service. CA well knows that all mobile operators have real-time data detailing everything that happens in their networks, and simply cannot be influenced by marketing messages related to what is happening in their network.
Could it be that CA simply does not have competitive mobile security solutions and is explaining their complete lack of success in the mobile market by denying the threat?
The fact is that there are over 300 known mobile malware. That is not hype. We estimate that tens of thousands of phones have been infected so far, worldwide. Smartphones based on open operating systems are being targeted already. This means that the vast majority of phones are safe against current malware, but does not eliminate the damage caused to the users of the smartphones that are or have been infected. It is also a fact that the number of smartphones, mobile malware and infections are on the rise.
Is the threat real? Yes it is. I know, because I've been hit four times myself. Of course I'm running our antivirus on my phone, so I haven't actually been infected. But a Bluetooth virus has tried infecting my phone four times so far. Twice in Helsinki, once in Stockholm and once in London.
Protecting mobile users against current and future threats shows caring and wisdom. It should be applauded rather than criticized.
If we ignore this problem now it's only going to get worse. We can still stop this problem and avoid things getting as bad as they did with PCs.
While we were drafting a weblog post on XSS and Social Networking sites, our man Miguel pointed us to Netscape.com.
We've received several reports of a mass mailing that's going around. The messages have been spoofed to look like they are from firstname.lastname@example.org and arrive with title "Warning! New Virus On The Internet! Update Now!".
The link in the mail goes to http://update.microsoft.go.ro and downloads an IRC backdoor. Administrators might want to filter web traffic to this site.
Abuse messages on the site have been sent. The downloaded file is detected as W32/FakeMSUpdate by our latest update (2006-07-26_02).
Our spyware researchers really hate the word "affiliate". Affiliate marketing drives spyware. From the worst known offenders to questionable rogue anitspyware software - affiliates trying to sell-by-any-means are the engine behind the problem.
Known rogues install maliciously. But it's often difficult to pin down the real rogues. There's an incredible amount of just mediocre antispyware out there that isn't malicious, but they use the same marketing and sales techniques as the rogues. Lots of ads (paid for by commission seeking affiliates) - No trial period - Offering a free scan - But if it finds something you then have to pay to clean it off your system. And they really get in your face about buying. The known rogues present outright false positives - sometimes offering to clean the malware that prompted you to download the rogue in the first place. The mediocre guys might also have false positives, but due to bugs in their code, not outright lies. Adding detections for second-rate software as malware isn't something we do, but we can blog about it to help you be aware.
Many fall into a gray area and our researchers have to put them to the test. But regardless of anything else, all of these guys, malicious or not, make apparently outrageous claims. Affiliates repeat the claims over and over in ads to drive sales and get their cut.
Check out this one site we visited, which we will not name here, but it was nuker.com. They claim to have a very positive review from Download.com. Only it isn't a link, just an image. We've searched Download.com's site for the supposed review and cannot locate it, not to our surprise. Download.com is a trusted source and these guys are trying to subvert that trust to their own ends.
They also link to a Yahoo! "Headline" on their site. But if you follow the links, you find it's from the PR news section of Yahoo Business and that they themselves uploaded the article. They're quoting themselves! Think you want to try their product?
F-Secure is sponsoring Assembly 2006 – one of the largest demo parties in the world. It takes place in Helsinki, and it’s historically always been organized at the same time as DEF CON – so in two weeks from now.
As part of our sponsorship we're hosting an F-Secure Reverse Engineering Challenge Compo. It's a competition where the target is to decode programs in order to find hidden information. It consists of three Windows EXE files written by one mystery researcher working in the F-Secure Security Labs.
The three challenges are a set. When the programs are run, they'll ask the user for a password. Give the correct password, and you then get instructions on how to find the next challenge. The goal is to solve all three challenges. The first ones to complete the challenges will win an iPod or a PSP – See Assembly's website.
The competition will be open to all, not just those attending Assembly. More details on the rules - and on the mystery author of the challenges – soon!
Another Microsoft Office exploit, Bifrose.UZ, was discovered last week. It drops a backdoor using PowerPoint (PPT) files. The exploit was discovered after a limited number of people received e-mail with the PowerPoint file as an attachment.
So what's the deal with Microsoft Office and why the exploits? There were Word fixes in June - Several Excel fixes were included in July's patches - And now there is a PowerPoint exploit that will need to be patched in August. See a pattern?
There's a growing trend here. We've been saying for some time that the lack of large virus outbreaks is evidence that the malware environment could be getting worse, not better. The bad guys want to make money - not make attention. So as a malware author, if you want to target a few prominent companies for the purpose of industrial espionage, you design your exploit to attack them within and then lay low. Spoofed e-mails are sent to company insiders and they, thinking it's just another document that they need to review, open it up and the backdoor gets installed.
The bad guys are taking advantage of three things:
The first is the patch cycle itself. These new exploits are being released after the second Tuesday of each month to maximize its lifespan.
The second is the common day-to-day routine of receiving Office files. There haven't been any new macro viruses to speak of for some time and so Office files (doc/xml/ppt) easily pass through corporate firewalls and people don't think twice about clicking on them. This avenue of attack is currently under the radar and is not perceived as a danger by end users.
And the third advantage is that the companies exploited don't want to talk about it. They dread the negative publicity as a victim of espionage. That's why the public doesn't know the name of last month's Excel exploit victim. Such hush-hush may be keeping some of these exploits from being reported.
The first ever case of using a man-in-the-middle attack against an online bank was reported by Brian Krebs of Security Fix on Tuesday.
The security industry has long predicted this type of man-in-the-middle attack; it was only a matter of time. The attack targeted Citibank's Citibusiness service and was designed to spoof the token key hardware device used by the bank's customers. The phishing site checked the logon credentials with the real site before rendering the results to the phishing victim. Enter an invalid password, and you got an invalid logon page. A man-in-the-middle attack checks everything done at the phishing site against the original, so everything should look and feel more genuine.
Exactly the same kind of attacks can be used to target other types of two-factor authentication, including one-time password sheets.
With spear phishing on the increase, you shouldn't neglect visiting Microsoft Update this month. There are a good number of Office patches to be downloaded and Excel has the most with eight different vulnerabilities. Even Excel Viewer 2003 requires a patch. Users don't update Office as often as the Windows OS and it's increasingly becoming a target for more focused spear phishing attacks. Your company could be next - update soon.
And now for something completely different: Daylight Savings Time 2006 was adjusted in Australia to accommodate the Commonwealth Games. If you live down under, it's time to adjust the system time back to the standard dates. G'Day!
There's a category of software that's rather difficult to define, or at least to name. Many term it as potentially unwanted applications or software (PUA/PUS). Companies pushing this type of software use every possible means to get you to download as many copies of their product as possible. Spamming, pop-ups, hijacking start pages, etc. Sound familiar?
What are we speaking of? Rogue anti-spyware and other so-called system optimization utilities. And they aren't just pushing one version, they're pushing many.
Some of these guys create one engine and then sell it under multiple names and interfaces. Their websites even look like they are copied from the same template. The sales pitch typically includes a "free" scan. The results of the scan are often doctored with items that you should remove or fix. Except in order to do so, you now need to buy a license.
If your product is legitimate, why do you need 30 or more names for it?
The second Tuesday of this month brings something else in addition to Microsoft Security Updates. July 11th will also mark the end of Windows 98/ME technical support. It's now the end of their lifecycle. At least at Microsoft.
According to IDC figures, there are an estimated 70 million 98/ME machines still in operation worldwide. Searching for news stories on the topic yields a good number of results from India. Older hardware and the costs of upgrading can be a very limiting factor for some.
So what to do if you're still running an older OS? Make sure that you have a good antivirus product and a firewall. Check out Microsoft's Security At Home 98 & ME for more information. (You'll find special offers for our F-Secure Internet Security and Anti-Virus products there.)
If you're still holding on to older hardware because you're a hobbist, you might also consider trying out a lightweight distribution of Linux. Live CDs make it quite easy to give it a try.