Thursday, July 31, 2008

Assembly 2008 Khallenge Posted by Mikko @ 13:38 GMT

Assembly 2008

The Assembly Summer 2008 demoscene party is in full swing in Helsinki, Finland!

Assembly, one of the oldest and largest demo parties anywhere has around 5000 geeks gathered together for four days. Many of the techniques used in demo coding are interesting to us working in a antivirus lab: the fastest demos are written in low-level assembler, and to fit within the tight size limits (such as 4kB or 64kB), some of these demos use really advanced compressing techniques.

Assembly 2008 Crowd

To get a feeling on what's happening at the party, you might want to tune in to AssemblyTV.

Once again, as a sponsor of the event, F-Secure is running a reverse-engineering competition known as KHALLENGE. Your task is to decode three programs to find hidden information. The fastest solvers win new iPods and a visit to our viruslab.

Khallenge will begin tomorrow, Friday the 1st of August 2008, at 12:00 local Assembly time.

You can read more about the competition from and review the rules from the Assembly 2008 website.

Do note that will only be operational during the party.


Wednesday, July 30, 2008

Fake Jetblue eTickets Posted by Patrik @ 21:32 GMT

The most common way a person gets infected these days is through drive-by downloads, and while the prevalence of malicious e-mail attachments has definitely gone down, we still see them on a daily basis. Such as today when we saw a large spam run sending out fake JetBlue etickets.


The message contains a ZIP file that itself contains the file eTicket#1721.exe, which we detect as Trojan-Spy:W32/Zbot.QO. The malware itself attempts to steal usernames and passwords to online banks.

I guess we can call this way of spreading malware "old school"…

Monday, July 28, 2008

Storm, the Feds and Facebook Posted by Patrik @ 19:12 GMT

Over the last few weeks we've seen a bunch of different Storm themes, and we don't blog about all of them because it would get pretty repetitive after a while, but it's interesting for us to follow them as the gang responsible is sometimes very innovative — and they sometimes fall back on tried and tested themes.

The latest round of e-mail, which started today, talks about the U.S. FBI gaining instant access to Facebook accounts.

Storm, the FBI, and Facebook

The e-mail attachment itself is almost a non-event as it's already detected by pretty much all vendors, but the theme is new.

And we've seen them change themes a lot during the last month.

June 23 - Beijing earthquakes/disaster
July 3 - 4th of July
July 8 - US invasion of Iran
July 21 - New US currency, Amero
July 24 - Love and postcards
July 28 - FBI & Facebook

Thursday, July 24, 2008

F-Secure Rescue CD 3.00 Posted by Sean @ 15:43 GMT

Our colleagues from the Linux team blogged about it last month, but it's worth repeating:

The latest version of our Emergency Rescue CD is available.

It's a bootable Linux CD that can scan Windows hard drives (NTFS and FAT) as well attached USB drives.

If the computer has an Internet connection, the virus definition databases are updated automatically. If an Internet connection isn't available, the definition databases can be manually updated using a USB drive.

It's an excellent support tool. It's also one of the best ways to scan for MBR rootkit infections.

You can download it from here and read more details from the Linux team's post.

F-Secure Rescue CD3


One Million Detections Posted by Sean @ 15:20 GMT

Our AVP database reached one million detection records last night.

Dr. Evil would be so impressed…

Dr. Evil's logo looks somewhat familiar.


Friday, July 18, 2008

Snapshot Viewer for Microsoft Access Posted by Sean @ 16:49 GMT

Security Advisories related to Microsoft Office were released last week. Regular weblog readers may have already read about them via other tech-news sources.

There's Microsoft Security Advisory 953635 which only affects Microsoft Office Word 2002 Service Pack 3. If you have that particular version of Word installed, you may want to download Word Viewer 2003 as a workaround, upgrade, or else avoid all external document files.

And then there's Microsoft Security Advisory 955179. A vulnerability in the ActiveX Control for Microsoft Access Snapshot Viewer which could allow remote code execution. This particular vulnerability made a number of headlines last week due to the Internet Explorer implications. It's currently unpatched and there have been some limited cases of an exploit in the wild.

One of the cases seen involved a patent themed site with thousands of pages injected with JavaScript. It looks like the site was hacked with a popular kit called Neosploit and the ActiveX exploit was added to the mix. That's only one site but many, many pages.

We weren't very familiar with the Snapshot tool so we experimented some earlier this week.

It ships with many versions of Microsoft Access previous to Office 2007. However, it isn't necessarily installed if you have Office 2003 with Access. The default option is to install the Snapshot Viewer on first use.

So what happens when Internet Explorer encounters an SNP file and you have a "Default" rather than "Full" installation of Office?

Well, first a legitimate file causes this prompt:

Information Bar Warning

Then, if you elect to continue and push past a couple more prompts, IE will call on the Office installer.

In our experience, many people will then see the following prompt:

Office CAB Not found

…and then you've got to go digging for your installation CD. Or perhaps you have to call the guys from IT to map out the network folder with the installation files.

That seems like a lot of trouble just to get the Snapshot Viewer OCX installed. So it's far from a perfect exploit.

But there are those that have the full installation of Access 2003, et cetera installed.

Think you might be vulnerable? Here is a test for you. Open this link — SNP.HTML — using Internet Explorer.

If you can easily read the "secret message" then you might want to set the killbits as recommend in MSA 955179.

Snapshot Viewer Killbit


Thursday, July 17, 2008

Video - Global Malware Posted by Sean @ 21:12 GMT

It's always interesting to examine our WorldMap data feeds.

Today I spotted an infected machine that belongs to the U.S. Department of Defense.

Pakes.dft Navy.MIL

A Navy computer in Ohio…

Also — I have finally produced the promised, and long overdue, video of our Google Earth feeds in action. Upgrading my computer hardware was necessary for a smooth video. My old T43 could either run Google Earth or capture the screen but it didn't do both very well with the hardware acceleration enabled.

The video is using live versions of the KML files mentioned in this post.

Some of you wrote to ask about additional KML samples. While it isn't difficult, it does take a bit of time to remove the IP addresses from the feeds. It's not something that I'll do often. But perhaps monthly releases would be of interest?

Signing off,


Firefox 3.0.1 Released Posted by Sean @ 17:01 GMT

There was a remote code execution vulnerability for Mozilla Firefox 3 discovered last month.

We mentioned it in our June 19th post.

Version 3.0.1 has been released to resolve MFSA2008-34 and two other security issues. But the nice thing about Firefox is that you probably already know about the fix if you have the "automatically check for updates" option selected.

Firefox 3.0.1

For more details see the Firefox 3.0.1 Release Notes or Mozilla Foundation Security Advisory 2008-34.


Wednesday, July 9, 2008

DNS and SQL Updates Posted by Sean @ 16:22 GMT

Microsoft released four security updates yesterday.

July Updates

The DNS update is noteworthy as it's part of a significant multi-vendor effort. There will be lots of patching going on as a result.

The MS08-037 update reportedly conflicts with ZoneAlarm's firewall software. Proceed with caution if you have ZA installed.

All of this month's updates are rated as important.

The SQL update is of interest to us what with the recent SQL Security Advisory and the rise in Mass SQL injection attacks.

Microsoft is working to secure SQL servers. Clearly there's a group of bad guys focused on SQL.

How could an attacker exploit the patched vulnerabilities?

An authenticated attacker could create insert statements that cause a buffer overrun, thus corrupting memory in such a way as to allow code execution — and you can easily do INSERT statements in SQL injections if the code isn't sanitized properly.

We recommend that you try out the free HP Scrawlr and UrlScan tools mentioned the SQL advisory and apply the SQL update to your servers.

Update: The Microsoft Security Response Center (MSRC) has a revision for MS08-037.


Monday, July 7, 2008

Live from Vilnius, EuroPython 2008 Posted by Dan @ 12:12 GMT

It may surprise some to find out exactly how much we use Python in our daily work here in the Security Lab (and beyond). Well truth be told, it's hard to imagine life at F-Secure without it. That's why F-Secure is well represented with five individuals from Helsinki and Stockholm sent to this year's European Python Conference taking place right now in Vilnius, Lithuania.

The conference opened this morning at 9:00 local time and the lectures end Wednesday evening with sprints taking place beyond that, all the way through Saturday. Today's lectures will come to an end with a special video conference featuring none other than Guido van Rossum, the author of the Python programming language.

We'll try to bring some of the highlights of the conference as soon as we can but in the meantime, why not head over to EuroPython 2008 to learn a bit more, and maybe start planning your attendance to next year's conference.

Signing off for now, Dan


Friday, July 4, 2008

Google Earth Downloads Posted by Sean @ 14:08 GMT

Happy Independence Day USA.

Fireworks Spam

Our use of Google Earth was a weblog topic several weeks ago. We've been working on additional features since then.

There were a few questions asked in the comments section.

Question —
I like maps like these (I like maps in general). But and I'm asking this out of curiosity, not because I'm criticising your work – does it add something to anti-malware research?

Answer —
The map's data source comes from our statistics server, which is very useful in our forecasting efforts. Analyzing the numbers helps drive the direction of our research.

The application of the data to Google Earth adds to our presentation and education efforts. Actually seeing a real-time view of malware in the world really helps lab visitors understand the threat scope. The live world map also shows real-time spikes in malware traffic and assists our shift managers.

Question —
Are we able to subscribe to these feeds?

Answer —
Unfortunately the public is unable to subscribe to the feeds. The data contains IP addresses and because those IP address are the source of spam, malware, et cetera — that means there are infected computers on the other end. Infected computers are vulnerable to further exploitation.

One of the ways to build a botnet is to hijack someone else's.

We also consider IP addresses to be personal data.

Phishing in Fairbanks
Click the image for a 1400x1050 view.

So because you can't subscribe to the feeds, we've created an offline KML file that you can download and import into your own installation of Google Earth. We've sanitized the IP addresses to

Here's the data from today, 20080704.KML.


Google Earth Legend

GeoIP conversion can be very helpful. The Warezov botnet uses fast-fluxing techniques with domain names registered in China. Sending abuse messages regarding the domains is fairly pointless. New domains quickly replace any that are actually taken down.

Locating the infected servers is more useful. The last time we analyzed our Warezov pharmacy site hosts lists, we found 397 unique domains online. Those 397 domains resolved to 76 unique IP address, 40 of which are located in the United States according to GeoIP. That list of 76 addresses is a much better target of abuse.

Warezov pharmacy website hosts KML file. Seattle is infested…

Warezov bots in Seattle

Just out of curiosity, we can also do other things with GeoIP conversions such as determine where our readership resides, e.g. we converted the IP addresses of those that answered our recent browser poll.

KML files can be viewed via Google Earth or they can be imported into Google Maps.

Google Maps - Weblog Poll Respondents


Thursday, July 3, 2008

Stormy Fireworks Posted by Patrik @ 23:23 GMT

As the United States is preparing for one of their biggest holidays of the year, 4th of July, it wasn't really a surprise to see that the Storm gang has started using this as a social engineering vector.

4th July of Storm

Using fireworks as the social engineering vector is definitely not new. Remember Happy99?

Tibia: Part Two Posted by Response @ 18:06 GMT

Tibia is a massively multiplayer online role-playing game (MMORPG). See part one of this post for more details.

Open Tibia players use "IP Changer" applications to reconfigure their Tibia clients.

We recently analyzed a sample which included one such IP Changer. It's detected as Trojan-Dropper.W32/Agent.EUJ.

Agent.EUJ has a file size of 728,637 bytes and is packed with FSG 2.0. When the file is executed it runs this IP Changer:


It also installs a Trojan-Spy on the player's computer.

BlackLight reveals FQHG.exe hidden in the process list.

Blacklight FQHG

So this is what happens when Agent.EUJ is executed…

It drops and executes:

C:\WIN.EXE – detected as Trojan-Dropper.Win32.Small.awz
C:\SHYNZO IPCHANGER.EXE – which is a non-malicious IP Changer

Small.awz is compiled in Microsoft Visual C++ 6.0 with a file size of 492,166 bytes. It creates the following files:

%temp%\@{random hex numbers}.tmp – a library file detected as Monitor.Win32.Ardamax.o
%temp%\@{random hex numbers}.tmp – a non-executable file which has embedded malicious executable files

Small.awz then loads the library file and executes its exported function "sfx_main". This library file extracts the embedded malicious executable files in the non-executable file "%temp%\@{random hex numbers}.tmp" and drops it to the folder %windir%\Sys32.

%windir%\Sys32\FQGH.006 – detected as Trojan-Spy:W32/Ardamax.N
%windir%\Sys32\FQGH.007 – detected as Monitor.Win32.Ardamax.o
%windir%\Sys32\FQGH.exe – detected as Trojan-Spy.Win32.Ardamax.r
%windir%\Sys32\AKV.exe – detected as Trojan-Spy.Win32.Ardamax.gz

Lastly, it executes Trojan-Spy.Win32.Ardamax.r.

Ardamax.r is used by the files FQGH.006, FQGH.007 and AKV.exe as a component for hiding its process, to monitor processes, and to take snapshots of the system.

It creates the following Registry entry as its Autorun:

FQHG Agent = "%windir%\Sys32\FQHG.exe"

It then sends the snapshots and monitored processes via e-mail to "Ardamax Keylogger" <[REMOVED]>.

E-mail message:


E-mail message:


Monitor logs:


Online game passwords are frequently targeted for a variety of reasons.

Hacked accounts are a common support issue. Check out option number four from Tibia's Lost Acconts page…

Tibia Lost Account

Response Team post by Lordian & Sean

Wednesday, July 2, 2008

Tibia: Part One Posted by Response @ 16:02 GMT

Massively multiplayer online role-playing games (MMORPGs) are immensely popular.

Tibia was established in 1997 and is an MMORPG with 250 thousand players. It's a free game that includes the option to pay for a premium account — which provides special in-game benefits. It's developed by Cipsoft GmbH.

What is Tibia?

The basic idea is to play for free and those that pay get extra stuff.

A mobile version called TibiaME also exists using the same pricing model.

The majority of Tibia's players are from Brazil, Poland and Sweden that are distributed between servers located in Germany and the United States.

With success often come those that wish harm for one reason or another. Tibia's servers in the United States have experienced problems due to repeated and ongoing DDoS attacks. Cipsoft's Marketing Manager Mercutio Mercado's blog has more details.

According to Mercado's interview:

Most of the attacks concentrate on a few servers, so we think we are dealing with a personal vendetta, which is used to take revenge over in-game issues.

Personal Vendetta? Moving an online grudge into the offline world? This shouldn't be surprising to anyone familiar with the social interactions of MMORPGs…

Some people prefer to create their own reality and play unofficial versions of Tibia using "Open Tibia". There are numerous OT Servers available with many in Brazil and Poland. OT players use an official Tibia software client to connect to unofficial open source back-ends.

Open Tibia players use a tool called an IP Switcher to configure the server that they play.

Part two of this post will examine a Trojan-Spy that uses such an IP Switcher as bait. It appears to have been written by a Brazilian. Perhaps it was authored by someone with an online grudge?

Response Team post by — Lordian & Sean