NEWS FROM THE LAB - July 2007
 

 

Monday, July 30, 2007

 
Testing a Bluetooth worm against the E90 Communicator Posted by Mikko @ 11:23 GMT

I'll be delivering presentations on the current state of mobile malware this week at the Black Hat Briefings and next week at Usenix Security.

In these presentations, one of the new findings I'll be announcing is that the Bluetooth user interface has been changed to be more malware-resistant in the latest Symbian-based smartphones.

In this video, available via our YouTube Channel, we are testing the Cabir Bluetooth worm against two Symbian S60 3rd Edition phones: the Nokia E60 and Nokia E90.



As you'll see, there are important differences on how these phones handle the situation.

Do note that Cabir is an S60 2nd Edition Bluetooth worm and wouldn't be able to successfully infect these devices even if the transmission were to be accepted.

Signing off,
Mikko

 
 

 
 
Sunday, July 29, 2007

 
Another Messenger worm spreading Posted by Mikko @ 18:41 GMT

There's an MSN Messenger worm spreading.

It sends messages to other Messenger Contacts that are along the lines of:

  Psssssst .... just between me and you, please accept
  Looking for hot summer pictures ? well here they are !!


…and includes a link to a file hosted on chatamis.net.

www.chatamis.net

Chatamis.net seems to be an innocent bystander. They have been notified.

We detect the file as Backdoor.Win32.IRCBot.acd.

 
 

 
 
Saturday, July 28, 2007

 
Spam with XLS attachments Posted by Mikko @ 09:33 GMT

In the beginning spam was just text. – Spam filters adapted to block that.

Then spammers started to use html. – Spam filters adapted to block that.

Then spammers started to use images. – Spam filters adapted to block that.

Then spammers started to use PDF attachments. – Spam filters are adapting to that right now.

And now spammers are starting to use Office files…

Like this case in point. Let's say you receive an e-mail with just a zip. No subject field, no text content:

Zip Attachment

The ZIP contains a single Excel spreadsheet file:

XLS File

…and when opened in Excel… it's just stock spam.

Stock Spam

Such spam gets through filters better… and people probably pay more attention to them, too.

Of course, opening unknown XLS files is always risky as there might be malicious code embedded. However, in this case it was just spam.

What next? Attached MP3 files that are radio commercials? Haven't seen that yet but I'm sure somebody's already tried it.

 
 

 
 
Friday, July 27, 2007

 
Fun & Games Posted by Mikko @ 18:51 GMT

We're seeing a substantial seeding of a new Storm Worm variant.

The attachment is static, and the e-mails look like this (sender information varies):

Fun & Games

Inside fungame.zip is fungame.exe (md5: 2EEFD084D54649B4DA2176D6FEA24FB5).
Detection should be out by now as Trojan.Win32.Agent.auh.

 
 

 
 
Video - Cold Weather Testing the iPhone Posted by Sean @ 07:33 GMT

It gets cold in Helsinki during the winter months. So Finland is a popular place to perform cold weather testing – even when it's not winter. With this mind-set, Mikko and Dan grabbed a video camera, thermometer, gloves, and decided to test our lab's iPhone by taking it upstairs and putting it in the freezer.

iPhone in a Freezer:
iPhone in a Freezer

The video is available via our YouTube Channel.

 

When would you need to use your iPhone in freezing temperatures?
Perhaps not during the Summer Ice Fishing World Championships held in Pudasjärvi

 
 

 
 
bsaver.zip Posted by Kimmo @ 06:02 GMT

On Wednesday we blogged about major seeding of Trojan-Downloader.Win32.Agent.brk. This is now happening again.

Trojan-Downloader:W32/Agent.EXJ

This time the e-mail attachment is named bsaver.zip.

E-mail subjects have also been revised. Below is a list of some examples we have witnessed so far:

  Sunrise in your life
  Life will be better
  Good summer
  Do it for pleasure
  Life is good
  Wanna be slim?
  Good summer, dude
  Two Telephone Calls And An Air
  Be like me!
  To be slim
  Paradice in bed


The file is currently detected as Trojan-Downloader:W32/Agent.EXJ since database update 2007-07-27_01 which was released five hours ago.

 
 

 
 
Wednesday, July 25, 2007

 
Coming Soon: Reverse Engineering Khallenge Posted by Sean @ 14:35 GMT

Assembly 2007 – one of the world's largest demo parties – takes place in Helsinki next week. It will be held from Thursday to Sunday, August 2nd to 5th.

Assembly


Last year we hosted an F-Secure Reverse Engineering Challenge Compo. We've prepared a challenge for this year as well. The goal of the competition is to reverse engineer programs in order to find hidden information. It consists of three Windows executable files.

The author of Khallenge 2007 is the Response Lab's youngest member — Kamil. His main focus is on antispyware response.

Kamil's Khallenge
 
 

 
 
Funny.zip Posted by Mikko @ 12:27 GMT

There's a fairly large seeding of Trojan-Downloader.Win32.Agent.brk going on.

Trojan-Downloader.W32.Agent.BRK

The e-mail messages that are sent typically contain funny.zip as the attachment.

E-mail subjects vary but are typically "spammy" in nature:

  Action for pleasure
  Life is good!
  life is beautiful!
  Double energy
  Paradice in your bed
  View this price
  Return sunrise to your life!
  You can be young again!
  Paradice in your bed


We've had detection for this particular malware before the spamming really began on a large scale.
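The four zip-attachment campaigns in this month's posts (the XLS stock spam, fungame.zip, bsaver.zip and funny.zip) share a shape that a mail gateway can triage before a signature exists. The script below is an added example, not F-Secure's code: it opens each zip attachment in memory, hashes the members, flags executables inside zips and known-bad hashes, and flags the "empty subject, empty body, lone Office file" pattern from the XLS post. The only hash indicator is the fungame.exe md5 the July 27 post gives; the sample messages and member contents are constructed for the example, so the genuine file is not reproduced and the known-bad path only fires when you feed it the real thing.

```python
"""Triage of zip e-mail attachments: hash the members, flag executables and
known-bad hashes, and flag the 'empty message, lone Office file' spam pattern."""
import email
import email.policy
import hashlib
import io
import zipfile
from email.message import EmailMessage

# The one indicator the page supplies (fungame.exe, July 27 post), lower-cased.
KNOWN_BAD_MD5 = {"2eefd084d54649b4da2176d6fea24fb5": "Trojan.Win32.Agent.auh"}
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
OFFICE_EXT = (".xls", ".doc", ".ppt", ".rtf")


def message_text(msg):
    """Concatenate the text/* body parts, ignoring parts sent as attachments."""
    chunks = []
    for part in msg.walk():
        if (part.get_content_maintype() == "text"
                and part.get_content_disposition() != "attachment"):
            chunks.append(part.get_content())
    return "".join(chunks).strip()


def triage(raw_bytes):
    """Return [(zip_name, member, reason)] for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    subject = (msg["Subject"] or "").strip()
    body = message_text(msg)
    findings = []
    for part in msg.iter_attachments():
        zip_name = part.get_filename() or ""
        if not zip_name.lower().endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            findings.append((zip_name, None, "attachment is not a valid zip"))
            continue
        members = zf.namelist()
        for member in members:
            digest = hashlib.md5(zf.read(member)).hexdigest()
            low = member.lower()
            if digest in KNOWN_BAD_MD5:
                findings.append((zip_name, member, "known bad: " + KNOWN_BAD_MD5[digest]))
            if low.endswith(EXEC_EXT):
                findings.append((zip_name, member, "executable inside zip"))
            if (len(members) == 1 and low.endswith(OFFICE_EXT)
                    and not subject and not body):
                findings.append((zip_name, member, "lone Office file, empty subject and body"))
    return findings


def build_sample(subject, body, zip_name, members):
    """Constructed test message: optional subject/body plus one zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "you@example.invalid"
    if subject:
        msg["Subject"] = subject
    if body:
        msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample("Fun & Games", "Check this out", "fungame.zip",
                       {"fungame.exe": b"MZ constructed stand-in, not the real file"})
    for finding in triage(raw):
        print(finding)
```

The hash check is the weakest of the three tests (one byte changed in the dropper and it misses), which is why the structural checks run regardless of whether the hash matches.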

 
 

 
 
Monday, July 23, 2007

 
Bulletproof Hosting Posted by Mikko @ 13:33 GMT

So Google has these sponsored links in their search results…

Which is all nice and simple when you search for something like "flowers" or "clip art".

But try searching for "bulletproof hosting", and you'll get a bunch of Google sponsored links for companies that sell hosting for spammers:

Bulletproof Hosting

No, this can't be true… there must be some misunderstanding. Google wouldn't license their sponsored links for such businesses.

Let's follow the first link to see where these go.

Bulletproof Hosting

Well, duh.

 
 

 
 
Tuesday, July 17, 2007

 
Re:Solution VOB as Torrent Posted by Sean @ 13:00 GMT

F-Secure Re:Solution

One week ago we posted a video to our FSLabs YouTube channel. We now have a high-resolution version of that video available for download.

The video can be freely used for in-house briefings, end-user education, et cetera.

You will need a media player that can handle VOB files, such as VLC, and a BitTorrent client.

Click here:
Re:Solution Torrent — 404MB.

 

Friday, July 13, 2007

 
Patch your Flash Player and Java Runtime Environment *NOW* Posted by SGMasood @ 21:59 GMT

Adobe and Sun have released patches today for several critical vulnerabilities that affect their respective Flash Player and Java Runtime Environment. Many of these vulnerabilities can be exploited to execute arbitrary code on victims' computers just by making them access a malicious URL using any application that invokes Flash Player or JRE. In English, this means that you can get hacked just by viewing a web page that contains malicious Flash or Java content.

Many of the vulnerabilities are cross-platform, and between them, they have most OS-browser combinations covered. You are vulnerable until you install the patches. Read the advisories from the vendors and grab the patches here and here.

There are no reported in-the-wild exploits yet, but we might see some soon as enough technical information required to build an exploit has been released publicly for at least a few of these vulnerabilities.

 
 

 
 
Thursday, July 12, 2007

 
QuickTime Update Equals Update QuickTime Posted by Sean @ 15:33 GMT

Apple released QuickTime version 7.2 yesterday. The update includes eight important security fixes; in each case, viewing a maliciously crafted H.264 movie, movie, .m4v or SMIL file, or visiting a malicious website, may lead to arbitrary code execution. Apple's website has additional details.

The QuickTime update is available from Apple's Software Download for both Mac OS X and Windows. If you have iTunes or Apple Software Update installed, then you can just install iTunes 7.3.1 and QuickTime 7.2 will be included. If you only have QuickTime installed, perhaps on a corporate network, then you'll need to manually download the update.

It's important to update. Why? Because of stuff like MPack.

MPack is a PHP based malware kit that's sold as if it were commercial software. It comes with updates and support, and additional modules can be purchased. It's very successful at the moment.

MPack Code

The kit's operators use compromised passwords to get into web servers and insert an IFrame into the hosted pages. If you visit a page with such an IFrame, MPack's PHP script runs on the attacker's server, identifies your OS and browser version, and redirects you to whichever exploit script matches them. These scripts are easily updated by MPack's authors. Among the exploits it tries is one for QuickTime.

This new update may fix some of the QuickTime flaws known to malware authors. It may also tip them off to new exploits. Apple's iTunes, and therefore QuickTime, is a very popular application. If everyone updates sooner rather than later, it will shorten the window of opportunity for the bad guys. Patch your applications as well as your operating system.

 
 

 
 
U.S. Drug Enforcement Keylogging Posted by Sean @ 11:29 GMT

http://chkpt.zdnet.com/chkpt/news.pod.daily.link/http://podcast-files.cnet.com/podcast/cnet_podcast071007.mp3

Should police "hack"? We asked this question last February. That post was about Germany's law enforcement and hinged on a legal analysis from the German courts.

Should police hack is still an open question. Do they hack is a different question…

CNET reporter Declan McCullagh has details on a United States Drug Enforcement Administration (DEA) investigation of alleged "ecstasy" makers that utilized keylogger software to gather evidence. This is only the second U.S. case in which McCullagh has found such activity approved by a judge. The full story is in the first five minutes of News.com's July 10th podcast.

 
 

 
 
Tuesday, July 10, 2007

 
Patch Tuesday, July Edition Posted by Ian @ 20:20 GMT

It's that time of the month once more and for July, Microsoft has released the following security bulletins: three critical, two important and one moderate updates.

MS Security Patch July 2007


The critical updates cover vulnerabilities in Office Excel, Windows Active Directory, and the .NET Framework. Most of this month's vulnerabilities allow remote code execution; one allows information disclosure.

For more information as well as links for the actual patches, see July's bulletin.
 
 

 
 
Video - Re:Solution Posted by Sean @ 13:37 GMT

There's a new video uploaded to our YouTube Channel. Subscribers may have already noticed since yesterday. The video is a brief history on the evolution of malware and the current characteristics of crimeware.

Re:Solution

Note: High-res version coming soon to a weblog near you…

 
 

 
 
Monday, July 9, 2007

 
Fake alert emails Posted by Patrik @ 06:52 GMT

Tibs.AB

The same gang that has been sending out malicious links in e-mails posing as greeting cards or 4th of July greetings has now given its e-mails a new look and feel. They may now also appear as malware, trojan, or spyware alerts from a "Customer Support Center", telling you that abnormal activity has been seen from your IP address. All you supposedly have to do is click the link and run the file to fix it, or else your account will be blocked. Needless to say, the downloaded file is malicious.

Again the file is downloaded from an IP address rather than a DNS name, but this time around they've tried to disguise that with a text hyperlink. We detect the downloaded file as Packed.Win32.Tibs.ab.

 

Thursday, July 5, 2007

 
FSCSI and Visualization Tools Posted by Sean @ 14:52 GMT

One of our analysis tools is named FSCSI. It's what we use to generate a report of the changes made by malware when it runs. It makes snapshots before and after the sample is run and then compares the two for changes.

The FSCSI report gives the analyst a basic understanding of what the malware is trying to do before they begin to really dig into the code. Knowing what to look for speeds up the whole process. We also have automated systems that use this tool, and we are developing them further.

Another thing we can do with the FSCSI report is visualize it in a graphical interface. This can be helpful when dealing with a complex piece of code.

Patrik recently spoke to some press in Sydney. He demonstrated the visualization of FSCSI and ZDNet Australia has some video.

ZDNetAU
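The before-and-after comparison described above can be shown on the filesystem part alone. The following is an added example, not FSCSI itself or any F-Secure code: it hashes every regular file under a root, runs a constructed stand-in for "the sample" that drops a file, edits one and deletes itself, and reports the added, removed and modified paths. The directory layout, file names and hosts-file edit are all constructed; registry and process changes, which a real sandbox report would also need, are out of scope here.

```python
"""Snapshot-and-diff of a directory tree: the filesystem half of what a
before/after analysis report like FSCSI's contains."""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map each regular file's path (relative to root, '/'-separated) to (size, sha256)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, devices, sockets
                continue
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (st.st_size, digest)
    return snap


def diff_snapshots(before, after):
    """Report paths that appeared, vanished, or changed content between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed sandbox: snapshot, simulate what a dropper does, snapshot again."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "Windows/system32/kernel32.dll", b"constructed, untouched")
        _write(root, "Windows/system32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "Temp/sample.exe", b"MZ constructed sample")
        before = snapshot(root)
        # Simulated side effects of running the sample (all constructed):
        # drop a copy under system32, hijack a vendor's update host, delete itself.
        _write(root, "Windows/system32/svchosts.exe", b"MZ constructed dropped copy")
        _write(root, "Windows/system32/drivers/etc/hosts",
               b"127.0.0.1 localhost\n127.0.0.1 update.vendor.example\n")
        os.remove(os.path.join(root, "Temp", "sample.exe"))
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing content rather than trusting timestamps matters here: a sample that restores mtime after patching a file would otherwise vanish from the report.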

 
 

 
 
Wednesday, July 4, 2007

 
4th of July and Greeting Cards Posted by Patrik @ 06:56 GMT

During the last two weeks we've been receiving lots and lots of greeting card samples. So what happens is that someone gets an e-mail saying that they've received a greeting card from a friend, relative, or classmate and all they have to do to view it is to click on a link or go to a website and enter their eCard number. Below is an example:


Greeting Card Example


Pretty much all of the messages we've seen have used a visible IP address as the address to download the greeting cards from. The fact that it's using an IP address and not a domain name is a pretty good sign that you shouldn't click on the link.

As today is the 4th of July, Independence Day in the United States, it wasn't a big surprise that there have been lots of malicious 4th of July greeting cards going around. They work exactly the same way as the other greeting cards and the ones we've seen have all been using IP addresses for the clickable link. Again, stay away from them.


4th Greeting Card Example


What's great is that the security community is actively trying to get these sites shut down but the bad guys just keep on changing the IP address in the new mails. In addition, they keep changing the files that are being downloaded. It goes without saying that we're adding detection for them as we see new samples.
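The greeting-card mails above and the fake "Customer Support Center" alerts from the July 9 post share two tells: the download link's host is a literal IP address rather than a domain name, and in the later variant the visible link text is chosen to hide that. The following is an added example, not code from either post, that checks both in a mail body. The two sample messages are constructed for the example, and the 203.0.113.x and 198.51.100.x addresses are documentation ranges, not the campaign's real hosts.

```python
"""Flag e-mail links whose host is a literal IP address, and HTML links whose
visible text names a different host than the href (the 'disguised' variant)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None  # [href, text] of the <a> currently being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href"), ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(tuple(self._open))
            self._open = None


def is_literal_ip(url):
    """True if the URL's host is an IPv4/IPv6 literal rather than a DNS name."""
    host = urlparse(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def suspicious_links(body, is_html):
    """Return [(href, visible_text, reasons)] for links worth blocking or warning on."""
    findings = []
    if not is_html:
        # Plain text: only the literal-IP check applies; there is no text to disguise.
        for url in URL_RE.findall(body):
            if is_literal_ip(url):
                findings.append((url, url, ["literal IP host"]))
        return findings
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        if not href:
            continue
        reasons = []
        if is_literal_ip(href):
            reasons.append("literal IP host")
        shown = URL_RE.search(text)
        if shown and urlparse(shown.group()).hostname != urlparse(href).hostname:
            reasons.append("visible text names a different host")
        if reasons:
            findings.append((href, text.strip(), reasons))
    return findings


if __name__ == "__main__":
    # Constructed samples in the shape of the two campaigns.
    ecard = "You have received a greeting card. View it at http://203.0.113.5/ecard.exe within 30 days."
    alert = ('<p>Abnormal activity has been seen from your IP address. '
             '<a href="http://198.51.100.7/patch.exe">http://support.example.com/fix</a> '
             'or your account will be blocked.</p>')
    print(suspicious_links(ecard, is_html=False))
    print(suspicious_links(alert, is_html=True))
```

The mismatch check only compares hosts when the visible text itself contains a full URL; anchor text like "click here" is not a disguise and is left to the literal-IP rule.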
 
 

 
 
Monday, July 2, 2007

 
Apache Configurations and MPack Posted by Sean @ 16:47 GMT

MPack

SANS ISC Handler's Diary has a very interesting post regarding MPack and Apache permissions. With multiple websites hosted on a single machine, one vulnerable PHP script on any one of them is enough to get every site on the box infected if Apache permissions are not properly configured: when all the virtual hosts run as the same user and that user can write to every document root, code running in one site can rewrite the others' pages.

Italy recently experienced MPack compromises on thousands of web sites that were hosted by only a few machines.

Haven't heard of MPack? It's a malware "kit" that sells online for $500 to $1000 USD. It's maintained as if it were legitimate commercial software, with modular extras available and maintenance updates. This type of kit provides a layer of insulation to the malware author, as he is only writing a tool; it's other bad guys who actually carry out the crime.

Read more about MPack at CNET.
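Two things follow from this post and the July 12 one on QuickTime and MPack: the injected IFrame is what to look for on a suspect host, and shared Apache permissions are what let one compromised site spread to the rest. The script below is an added example, not SANS's, F-Secure's or MPack's code, that walks the document roots of a shared host and reports pages carrying an iframe that is sized or styled to be invisible or points off-site, entries that anyone can write to, and the case where all document roots belong to one account. The two-site layout, the page contents and the 203.0.113.9 address are constructed for the example.

```python
"""Post-MPack triage of a shared Apache host: find pages carrying an injected
hidden iframe and permission problems that let one compromised site reach the rest."""
import os
import re
import stat
import tempfile
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+))""")
PAGE_EXT = (".html", ".htm", ".php", ".js")


def tag_attrs(tag):
    """Lower-cased attribute dict for one tag; quoted and unquoted values both handled."""
    out = {}
    for m in ATTR_RE.finditer(tag):
        out[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return out


def hidden_iframes(html, own_hosts):
    """Yield (src, reasons) for iframes sized or styled to be invisible, or pointing
    off-site. A visible same-site iframe yields nothing."""
    for m in IFRAME_RE.finditer(html):
        attrs = tag_attrs(m.group())
        src = attrs.get("src", "")
        reasons = []
        if attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"):
            reasons.append("zero/one-pixel size")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        host = urlparse(src).hostname
        if host and host not in own_hosts:
            reasons.append("off-site src " + host)
        if reasons:
            yield src, reasons


def scan(vhosts):
    """vhosts: {name: (docroot, set of hosts the site legitimately frames)}."""
    report = {"injected": [], "world_writable": [], "shared_owner": False}
    owners = set()
    for name, (docroot, own_hosts) in vhosts.items():
        owners.add(os.stat(docroot).st_uid)
        for dirpath, dirnames, filenames in os.walk(docroot):
            for entry in dirnames + filenames:
                full = os.path.join(dirpath, entry)
                rel = os.path.relpath(full, docroot).replace(os.sep, "/")
                # Anything others can write to is a drop point for the next injection.
                if os.lstat(full).st_mode & stat.S_IWOTH:
                    report["world_writable"].append((name, rel))
            for entry in filenames:
                if not entry.lower().endswith(PAGE_EXT):
                    continue
                full = os.path.join(dirpath, entry)
                rel = os.path.relpath(full, docroot).replace(os.sep, "/")
                with open(full, encoding="utf-8", errors="replace") as fh:
                    for src, reasons in hidden_iframes(fh.read(), own_hosts):
                        report["injected"].append((name, rel, src, reasons))
    # Every document root owned by one account (the usual mod_php setup where all
    # sites run and are owned as the web-server user): a hole in one site can
    # rewrite the others.
    report["shared_owner"] = len(vhosts) > 1 and len(owners) == 1
    return report


def _write(docroot, rel, text):
    full = os.path.join(docroot, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Constructed two-site host: siteA carries an injected iframe, siteB a
    world-writable script; both document roots belong to the same account."""
    with tempfile.TemporaryDirectory() as host:
        a, b = os.path.join(host, "siteA"), os.path.join(host, "siteB")
        _write(a, "index.html",
               "<html><body>Site A</body>"
               '<iframe src="http://203.0.113.9/in.cgi?3" width=1 height=1 '
               'style="visibility: hidden"></iframe></html>')
        _write(b, "index.php", "<?php echo 'Site B'; ?>")
        _write(b, "wp.php", "<?php /* constructed, left world-writable */ ?>")
        os.chmod(os.path.join(b, "wp.php"), 0o666)
        return scan({"siteA": (a, {"www.sitea.example"}),
                     "siteB": (b, {"www.siteb.example"})})


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The fix the permission findings point at is the one the SANS post is about: give each site its own account (suexec, or a per-vhost user mechanism), keep document roots writable only by that account, and stop the web-server user from owning the content it serves.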