NEWS FROM THE LAB - August 2008


Thursday, August 28, 2008

Western Union MTCN #2989115571 Posted by Mikko @ 11:10 GMT

Fake airplane tickets, greetings cards and credit card receipts…

There's plenty of ZIPped trojans being spammed around. The one that's being seeded right now claims to be a bounced Western Union money transfer.

Attention! The wire sent to Maksim Zverev, Moscow, Russia has been blocked by our security service. Your credit card issuing bank has halted the transaction by the demand of the Federal Criminal Investigation Service (case No. 44571 since the recipient has been undergoing the international retrieval by the InterPol. Please contact the closest Western Union office and make sure you have your ID card, the credit card that was used for making the payment, and the invoice file with you.

And the malware inside the ZIP is a ZBot banking trojan variant.

Attention! The wire sent to Maksim Zverev, Moscow, Russia has been blocked by our security service. Your credit card issuing bank has halted the transaction by the demand of the Federal Criminal Investigation Service (case No. 44571 since the recipient has been undergoing the international retrieval by the InterPol. Please contact the closest Western Union office and make sure you have your ID card, the credit card that was used for making the payment, and the invoice file with you.


Wednesday, August 27, 2008

Space Based Malware Posted by Sean @ 14:58 GMT

An online games password-stealer has reportedly made its way onto the International Space Station.

Fortunately for the space station, there's no direct Internet connection, and so therefore no online games to steal from (one hopes). The malware most likely made its way onto the infected ISS laptop via an infected USB drive.

Autorun.inf worms is another way of categorizing such malware. Worm.Win32.AutoRun.bhx is our detection name for their particular variant. Read more about it from the AutoRun.BHX description page.

BBC News has additional details.


Tuesday, August 26, 2008

Somebody Doesn't Like Us in Denmark Posted by Mikko @ 09:44 GMT

This morning we saw several spam runs in the country of Denmark. The messages are in Danish and they are sent to Danish e-mail addresses.

The e-mail claims to be from us. It's not.

Here's what the e-mail looks like:

   Date: 26. August 2008 08:31
   Subject: Data er tillagt og sendt med denne meddelelse.
   Käre kunder!
   Data er tillagt og sendt med denne meddelelse.
   Jeg bruger gratis F-secure antispamversion, som allerede har fjernet 338 spambreve.
   Antispam er helt gratis for private brugere.
   Attachment: f-secure.rar


The attachment contains a file called update26.08.2008.exe, which, when run, drops a file called dcbcg.exe (Unker related trojan) that connects to a server in Ukraine.

We detect this trojan as Trojan:W32/Agent.FVO. More information in the virus description.

The spam run must have been fairly large, as we've received more than 13,000 bounces to from non-existent e-mail addresses alone.

Watch out and pass the word.

Update: Agent.FVO is a downloader.

Yesterday, its C&C server was quiet so there were no additional components for download. Today, the C&C server is pushing out a BZub variant which has been detected as Trojan-Spy.Win32.Bzub.fbm since our 2008-08-25_07 database update.

BZub is a trojan-spy interested in banking details.


Friday, August 22, 2008

An Unexpected Demonstration of Mobile Security Posted by Sean @ 19:36 GMT

Encountering a mobile phone worm "in the wild" has never been a common event. But even less common must be encountering one in the wild while you're giving a presentation on mobile phone security.

Erkki Mustonen (Eki) is a Technical Service Manager here at F-Secure. He's very knowledgeable and frequently handles requests for comment from Finnish journalists regarding AV technologies.

Earlier this week Eki was visiting a customer's premises and was giving a presentation to approximately twenty people. As he was discussing the topic of mobile malware, a quite unexpected demonstration took place. Some of the phones within the room started to flicker simultaneously. Very soon it was determined that connection attempts were being made from a phone located somewhere nearby (but not in the room itself).

What was the source of the commotion? It was Commwarrior.B sending a copy of itself to open Bluetooth connections. Three years old and the worm is still kicking around.

The customer's phones were all Symbian S60 3rd Edition phones with F-Secure Mobile Security installed. So there were no infections and no problems. Commwarrior.B will not install on a S60 3rd Edition phone. Regardless, it wasn't even given the chance.

And the nearby S60 2nd Edition phone with the Commwarrior.B infection? Eki thinks that the phone's owner really should consider installing a security solution…

Here are some screenshots from Eki's Nokia E61i:





Monday, August 18, 2008

Drops, Dumps, CVVS, WMZ, WU, et cetera... Posted by Mikko @ 11:41 GMT

Underground forums are always full of chatter around various activities related to online crime.

You keep reading about things like dumps (stolen credit card information), carding (using those cards), WU (Western Union), WMZ (Webmoney), CVVs (card verification value) and drops.

So what's a drop?

A drop is a remailing location. Many online shops refuse to send expensive items (think laptops, video cameras and so on) to faraway countries. So criminals use stolen credit cards to purchase items and have them mailed to a local drop, where someone else picks up the gear and forwards it to the final destination. Alternatively the dropkeeper will simply sell the goods in online auctions and then credits the carder with part of the profits.

Here's an example from an underground forum where an individual is advertising his website, providing such services. He offers 25% of the profits of the carder items to the carder — keeping 75% to himself.


And here's his website. Nice one.



Wednesday, August 13, 2008

MSNBC / CNN Malware Run Posted by Mikko @ 15:03 GMT

For some days we've been seeing spam runs with titles such as "CNN Alerts: My Custom Alert" or "CNN Alerts: Breaking news". These are fake news articles that point to a fake news page that will try to download malware to your machine.

Apparently people stopped clicking on fake CNN links as today the attackers switched the e-mails that look as if they are now coming from MSNBC.

Some examples:


Example e-mail:

  • From: MSNBC Breaking News
    Subject: - BREAKING NEWS: Elvis Presley daughter gives birth to twins
    Precedence: list BREAKING NEWS: Elvis Presley daughter gives birth to twins
    Find out more at
    See the top news of the day at, and the latest from Today Show and NBC Nightly News.
    This e-mail is never sent unsolicited. You have received this MSNBC Breaking News Newsletter
    newsletter because you subscribed to it or, someone forwarded it to you.
    To remove yourself from the list (or to add yourself to the list if this
    message was forwarded to you) simply go to, select unsubscribe, enter the
    email address receiving this message, and click the Go button.
    Microsoft Corporation - One Microsoft Way - Redmond, WA 98052

And the links point to a web page looking like this (notice the sudden change from MSNBC to CNN):


The site tries to prompt you to download ADOBE_FLASH.EXE, which we detect as

Tuesday, August 12, 2008

Teh skool Posted by Mikko @ 13:47 GMT

lukkari Summer is almost over and schools are restarting for our student readers.

Download a *free* school schedule and other mad props from our ABC pages. There's also a cool virus-themed game.

Take a deep breath. Next summer is coming soon.




About the Java Vulnerability on S40 Phones Posted by Jarno @ 12:09 GMT

S40 phone There's been some media coverage on a recent vulnerability announcement. This is related to Java vulnerabilities affecting at least the Nokia S40 phone platform, and possibly other phone platforms based on a similar Java reference platform.

The vulnerability details have not been released, but if it works as advertised, this vulnerability could affect more than a hundred million mobile phones. This vulnerability is reported to enable attacker to be able to execute arbitrary code on target phones.

The S40 platform has never been targeted by a mobile phone virus or other malware. We're not expecting to see real-world attacks using this vulnerability in the near future either.

We're monitoring the situation.


Friday, August 8, 2008

SQL Injection Attacks Targeting Chinese-oriented Sites Posted by Response @ 07:17 GMT

With all the attention on China these days, especially in conjunction with the Beijing 2008 Olympics Games, and with "China" being one of the more popular search engine keywords at the moment, it makes sense for malware writers to focus their attention on the Chinese web — and we've been seeing some interesting examples of SQL injection attacks specifically targeting websites designed for a Chinese audience, whether from the mainland or overseas.

Like most SQL injection attacks, these attacks begin with a compromising script being injected into a legitimate site, compromising it and redirecting its users to a malicious website. This website then takes advantage of the vulnerabilities available on the user's computer to download and execute malicious programs.

Obfuscated Script

In one of the samples we received, a close look at the obfuscated URL showed that users of the compromised website were being redirected to "http://vc??.cn". Though this malicious website was first reported in April 2008, it is still live and infectious today. Additional mirror sites include pdh0??.cn, iihao??.cn, qqhao??.cn, yyhao??.cn, zzhao??.cn and more, but they all redirect users to two sites hosting the most invasive programs: jzm0??.cn and hby0??.cn.

The "vc??.cn" website basically functions like a transit station, deciding which website the user gets shunted to next, depending on what browser they are using. Whichever route they take, they are finally infected with a password stealer trojan, which we detect as Trojan-GameThief.Win32.OnLineGames.snsq.

Infected Results

The interesting thing about this particular SQL injection attack is that a number of vulnerabilities the malware writers exploit are most likely to be used by Chinese websites, and by extension are targeted specifically towards Chinese (or Chinese-language literate) visitors. For example, the Baidu Soba Remote Code Execute Vulnerability is more or less exclusive to the Chinese web, as is the Sina DLoader Class ActiveX Control "DonwloadAndInstall" Method Arbitrary File Download Vulnerability.

That's not to say that non-Chinese visitors won't be affected by this attack, as a specially crafted Flash file exploiting Adobe Flash Player Integer overflow (CVE-2007-0071) is also served. When the webpage is loaded, it forcefully floods the user's computer memory beyond its capacity, then takes advantage of the computer's attempts to correct the problem to execute its own hidden code. If the user hasn't updated their Flash Player to newer versions than those targeted, their computer is vulnerable.

For such users then, the best advice would be to run the F-Secure Health Check to determine if your computer has all the latest updates and most importantly, don't click on any suspicious links related to the Olympics!

Response Team post by — Lordian & Alia


Thursday, August 7, 2008

Black Hat and DEF CON Posted by Mikko @ 16:15 GMT

Greetings from Las Vegas, it's again that time of the year.

Black Hat 2008

Black Hat 2008 is in full swing and DEF CON will start tomorrow.

On the first day of Black Hat the most popular presentation was, as could be expected, Dan Kaminsky's DNS talk. The room was totally packed while Dan went through in detail what exactly was the story behind the biggest vulnerability announcement of the year.

People attending Dan Kaminsky's talk

Dan actually spent most of his talk coming up with creative ways on how to exploit this DNS problem and combine it with other vulnerabilities - quite creative. Bottom line; if DNS doesn't work, pretty much nothing will work.

We have a presentation of our own coming on Sunday at noon in DEF CON, when Teo and Hirosh from our labs will talk about how to fight new types of phishing.

Def Con

Signing off,


Tuesday, August 5, 2008

F-Secure Khallenge III Results Posted by Kamil @ 11:01 GMT

Khallenge III take place over the weekend, and here are the current solution statistics:

Level 1: 393
Level 2: 20
Level 3: 8

During the run of the competition, the final level was solved by 4 people:

1. Igor Skochinsky (iPod Touch 32GB)
2. Kaspars Osis (iPod Touch 16GB)
3. "bbuc" (t-shirt)
4. Ludvig Strigeus (t-shirt)

Igor & Kaspars are returning winners from previous Khallenge competitions (1) (2). Great job guys!

Alexander Polyakov, "Lancert", "push.ret", "Hellspawn", V. Usatyuk, "Piotras", "ASMax"

Level 1 contains a hidden message, here are the winners:
1. Alexandru Maximciuc (t-shirt)
2. Volodymyr Pikhur (t-shirt)
3. Richard Baranyi (t-shirt)

On a personal note, while designing the challenges I've been wondering if level 2 was too difficult. The statistics have proved that it was. However, according to your responses, it was great fun! I'm glad to hear that many people enjoyed it. Next year though, we'll aim to get the challenges into a bit better balance. ;-)

The website will be online until the 12th of August. After that, you'll be able to get the files directly form our security center website:

Signing off,


Friday, August 1, 2008

Khallenge has Started Posted by Mikko @ 10:00 GMT

F-Secure's reverse engineering Khallenge has started.

You can download the first level now from

Results can be viewed in real-time from the same site.

Khallenge Level 1

Good luck!

Updated to add: Over 50 people solved the 1st level during the first hour of the Khallenge — but no solutions for level 2 yet…

Updated to add: By Saturday noon, the situation looked like this:

Khallenge Results

Very nice. Official results will be announced later.