NEWS FROM THE LAB - August 2009


Saturday, August 29, 2009

T2'09 Challenge Posted by Mikko @ 06:48 GMT


T2 Challenge has started. Solve the puzzle and win; you can win with Speed or Style.

Two winners get free tickets to the T2 Security Conference.

Go to to start your Challenge.


Friday, August 28, 2009 Hack Posted by Mikko @ 12:44 GMT

Earlier today the official website for the Apache Software Foundation (of the Apache web server fame) was offline for several hours.

When it came back online, it briefly showed this message:

The site looks normal now.

Why is this important? Because the Apache web server software is distributed from, and roughly one half of all the web servers on the planet run on Apache!

We have no information on whether any code on the site was modified or not.

Edited to add: More info now at


Wednesday, August 26, 2009

IceGold is NOT Back Posted by Mikko @ 12:40 GMT

IceGold used to be an online currency transfer service. The company, operating in Estonia, ceased operations last year when the Estonian government passed new anti-money laundering laws.

The company has had a placeholder site since at However, now someone has started up a fake copy of the site at, offering electronic currency transfers.

Here's what the real and fake websites look like.


We suggest you put your money somewhere else.


Monday, August 24, 2009

Uyghur Malware Posted by Mikko @ 14:57 GMT

Over the summer there's been unrest and rioting among the Uyghurs, an ethnic minority living in western parts of China.

The riots were shut down by force by Chinese army.

Image (c) Copyright

Image (c) Copyright
Images from Free Republic

This is probably not connected at all, but we've noticed a steep increase in the amount of targeted attacks against organizations supporting the Uyghurs.

These support groups operate around the world. The attack techniques against them are the same as we've seen in similar attacks before: highly targeted emails with innocent looking booby-trapped document attachments.

Here's some examples of such malicious documents that we've seen. Most of them look pretty innocent.

Targeted attack against Uyghur supporters

Targeted attack against Uyghur supporters

Targeted attack against Uyghur supporters

Targeted attack against Uyghur supporters

Targeted attack against Uyghur supporters

Targeted attack against Uyghur supporters

When opened, all the above documents use known vulnerabilities in Adobe Reader or Microsoft Word to invisibly take over the computer. After this a backdoor allows an outsider full access to the computer and the local area network.

Targeted attack against Uyghur supporters

Targeted attack against Uyghur supporters

The two screenshots above are not from documents but instead fake screen savers… which contain backdoors.

Again, this wave of attacks against Uyghur supporters probably isn't connected to the real-world riots in any way. We think.


Wednesday, August 19, 2009

Fellow's Paper on Worms Posted by Alia @ 01:48 GMT

Computerwürmer am Beispiel des Conficker WurmsOne of the Fellows from our Munich office, Rüediger, has written a paper on worms (including Conficker) in the course of his studies, which we'd like to share.

The paper is written in German and is available here (PDF, 2MB). Feel free to download and enjoy.



Tuesday, August 18, 2009

Case Posted by Mikko @ 13:36 GMT

Five days ago, an anonymous comment was left in the comments section of our blog: a carder/hacker forum says its been taken over by feds. bet there's alot of scared script kiddies out there

Intrigued by the comment, I checked out Indeed, last week it had this on the front page.


So, I tweeted about it and didn't think much more of it. I wasn't familiar with this hacker forum beforehand, but apparently it was run in Australia by someone called h1t3m, who was now arrested on malware-related charges.

Mr. h1t3m's other website is still up at

According to Australian media, "Federal police officers in co-operation with Victoria Police executed a search warrant on premises in Brighton, Melbourne, connected to the administrator of an underground hacking forum,, which had about 5000 members."



1. was taken over by the police
2. …but it was still up and running

And now, someone calling himself KillaWho infiltrated, replacing the front page again.


Mr. Killawho also posted details about the system itself and files found from it. He posted full details to this posting on "I decided I would move on to getting control of See what the authorities know about server maintenance.. and how secure they can make stuff."


Right now the server seems to be taken down for good.

There are already several media reports that claim that Australian Police itself got hacked.

Now, if the police take over a web server run by hackers, and that server later gets hacked, I wouldn't be too worried!

We've seen no evidence showing that any internal police systems would have been infiltrated.

Signing off,


0wn1ng Delphi Posted by Response @ 03:21 GMT

Here's an interesting move recently found being used by some malware targeting Delphi.

The malware first checks to see if the Delphi version is between 4 to 7, then replaces $DELPHI_DIR$\source\rtl\sys\SysConsts.pas and writes malicious code there. After this, SysConsts.pas is deleted.

The malware saves a clean copy of SysConsts.dcu as SysConst.bak and adds a call to its own init function at the entrypoint of the SysConsts.dcu library.

When a program is compiled with an infected version of SysConsts.dcu, it will have something like the malicious code snippet below:

Delphi Virus

Subsequently, whenever the compiled program is executed, if SysConst.bak is not found the malicious code in the program tries to re-infect Delphi.

In this case, the malware is basically just ensuring that Delphi stays infected. Still, it's another mechanism to spread malware around.

We currently detect this as: Virus.Win32.Induc.a.

The same finding is also reported here (Russian).


Monday, August 17, 2009

IntegrIT Web Server Compromised, Redirects to Porn Site? Posted by WebSecurity @ 10:29 GMT

We received a report that the popular IntegrIT website was suspected to be compromised and performing a redirect-link to a pornography website. The case occurred when the user searched for "integrit" (without quotes) in a search engine.


We inspected the contents and found no suspicious code, hence we suspect that the Web server configuration files (htaccess, etc.) redirecting the client browsers were compromised.


This was the page we were redirected to when the HTTP Header containing the "referer" parameter (above) was detected:


This is what you would get without the "referer":


A few search engines were tested and only two search engines (Yahoo! and Google) were redirecting users to the pornography website; the other search engines (Bing, Altavista, Ask, and Lycos) were not affected.

Users who type the web address "" directly into their browsers won't see this redirection.

The website owner was informed and our users are protected.

Web Security team post by — Chu Kian


Updated to add: Currently the .ru domain is not resolving, though the redirect is still occurring.


Friday, August 14, 2009

Twitter Turned Botherder Posted by Alia @ 03:32 GMT

As if being deluged under DDoS attacks isn't bad enough, this week Twitter found itself the target of another sort of threat. The Register recently reported that the wildly popular social networking service is also being used to direct part of a botnet's activities.

According to the report, a security analyst accidentally stumbled across a Twitter account being used by botherders as a cheap and effective way of directing infected computers to websites where they can get further instructions.

This appears to be the first time Twitter has been used as part of a botnet's command and control structure. At time of writing, the malicious account has already been taken offline.

For more details, you can also check the original post from Arbor Sert.


Thursday, August 13, 2009

MS09-043 Posted by Mikko @ 13:24 GMT

In last Tuesday's patches, Microsoft fixed a vulnerability in Office Web Components (MS09-043).

This was good, as the vulnerability is actively being exploited via malicious web pages.

What's surprising about the case is that the vulnerability was reported to Microsoft more than two years ago.


That's a surprisingly long patch cycle, and we've learned to expect better from Microsoft. There's probably more to this story than meets the eye.


Tuesday, August 11, 2009

Memories of Blaster Posted by Mikko @ 07:45 GMT

On this day five years ago, one of the largest worm outbreaks in history happened: Blaster.

The case was so huge, even VANITY FAIR wrote a 10-page feature on it. It's hard to imagine any virus getting that kind of coverage today.

Vanity Fair

So we're republishing the original article from 2004. It's a long story, but worth a read. In fact, the article got reprinted in Reader's Digest in over 20 different languages.

Here's the article itself. Have fun.


Friday, August 7, 2009

Facebook Fans, Postcards, and Free Laptop Stickers Posted by Response @ 15:35 GMT

We published a new "F-Secure Labs" Facebook Page yesterday.

F-Secure Labs Page

And we were planning to mention it yesterday…

But as you may have read, Facebook was experiencing some (DDoS) issues.

Anyway, do you have a Facebook account? Yes? Well then we welcome you to "Become a Fan" of the Lab's page.

We'll use the page for an insider's look of life in the labs. And please feel free to contribute to our content.

To really make it worth your while… we're going to give away some of our sought after laptop stickers. How do you get some?

1st: Fan our page. That's easy.

2nd: Send us a postcard in the mail. It doesn't matter where it's from, any postcard will do. That's also easy.


Address and send it to:

F-Secure Labs
Tammasaarenkatu 7
00180 Helsinki

Write your address on the postcard and we'll begin mailing out stickers in early September. Simple!

First-come, first-serve, while they last.


P.S. Upload a picture of your postcard to the Lab's Facebook page before you drop it in the mailbox… and you'll be eligible for another giveaway in September. Cheers!


Silence Cyxymu Posted by Mikko @ 13:21 GMT

Last night we saw a massive attack on a Georgian blogger who goes by the name "Cyxymu".

The attack included at least these components:

  •  DDoS attack against Cyxymu's Twitter account (
  •  DDoS attack against Cyxymu's Youtube account (
  •  DDoS attack against Cyxymu's Facebook account (
  •  DDoS attack against Cyxymu's Livejournal account ( and
  •  DDoS attack against Cyxymu's Fotki account (
  •  An e-mail "Joe Job" campaign against Cyxymu

The effects of some of these attacks are still visible. For example, Livejournal and Facebook are still not accepting connections to Cyxymu's pages.



Here's an example of what the Joe Job e-mails looked like. They were not sent by Cyxymu although they look like it.


Launching DDoS attacks against services like Facebook is the equivalent of bombing a TV station because you don't like one of the newscasters. The amount of collateral damage is huge. Million of users of Twitter, Livejournal, and Facebook have been experiencing problems because of this attack.

Whoever is behind this attack, they had significant bandwidth available. Our best guess is that these attacks were done by nationalistic Russian hackers who wanted to silence a visible online opponent. While doing that, they've only managed to attract more attention to Cyxymu and his message.

Then again, Cyxymu himself simply comments in his Tweets that the attack was done by the Russian KGB.


We're unlikely to ever know the truth.

Updated to add: Added info that Cyxymu's Fotki account was under attack as well.

Updated to add: See the comments section for commentary from a person who worked at a radio station that was bombed…


Monday, August 3, 2009

Twitter Now Filtering Malicious URLs Posted by Mikko @ 10:37 GMT

As Twitter has been getting more and more popular, it is increasingly targeted by worms, spam and account hijacking.

We've recommended Twitter to start filtering traffic to fight this. They can easily do it, as all the messages go through them.

Twitter hasn't announced this, but we just noticed that they have now started filtering Tweets that contain links to known malware sites.

This is what it looks like if you try to send a message with a bad URL:



Updated to add: A source tells us it is confirmed that Twitter's URL filtering is using Google's API.

However, we ourselves cannot confirm this to be the case based on our internal tests…


Missed Call Scammers Are on the Move Posted by Jarno @ 10:27 GMT

This scam is old as hills, but scammers are still using and making money of unsuspecting people. So we thought that a warning is in order.

Today, one of our senior researchers received a call from unknown international number and when he answered the call, it was immediately dropped. And being used to receiving calls from reporters from around the world he might have done the obvious thing and called the number back.

But what he did instead was to perform a Google search on the number. He discovered there are a lot of other people who have received calls from same number and wondered what the calls are about, and more importantly people who called back and are complaining about mysterious charges on their phone bill.

The scam used by fraudsters is very simple. Set up a premium rate number, use that number to call a group of randomly selected phone numbers and either let the phone ring only once, or cut the call immediately after receiver answers the call.

Then simply wait for curious people to call back, play an "busy tone" audio file to make the caller think that call did not connect, and then rake in the profits.

Usually these numbers charge something in between 1 to 5€, a big enough sum to make money if you can fool thousands of people into calling, small enough to make complaints impractical.

The best way to avoid this scam is to be wary of unknown numbers and not to call them back immediately. If the number looks something you have not seen before and the country code is something you haven't even heard of run a Google or WhoCallsMe search on the number before calling back.

Being careful might save you a bit of money.


Rogue AV Using Malware Domains List Posted by Alia @ 06:15 GMT

Malware Domains List (MDL) is a popular website among security professionals and others interested in IT security. Now a rogue antivirus promoter seems to have latched onto its popularity by setting up a website on a URL very close to MDL's domain.

Visitors expecting to see this:

Malware Domains List

May instead end up seeing the following:

Malware Domain Lists

Note the difference in the URL between the legitimate website and the fake.

Despite a few grammatical errors, the warning does a decent job of looking like a legitimate notice from Firefox. Compare it to the (legit) one below:

Firefox warning

Note the "Get security software" button on the malicious website's "warning" message. If clicked, the user is directed to a website promoting a rogue antivirus solution.

You can read more about it at