NEWS FROM THE LAB - August 2010
 

 

Tuesday, August 31, 2010

 
When do 258 tweets equal nearly half a million dollars? Posted by Sean @ 21:44 GMT

Wikipedia's affiliate marketing entry includes the following sentence: "Although many affiliate programs have terms of service that contain rules against spam, this marketing method has historically proven to attract abuse from spammers."

This is very true — affiliate marketing methods definitely attract abuse from spammers.

Our recent posts on Facebook and YouTube spam linked to cost per action (CPA) affiliate networks. We've come across affiliates from several CPA incentive networks while investigating social networking spam, and one of the more interesting companies that we frequently see abused is CPAlead.com.

CPAlead claims to be one of the largest affiliate networks, with nearly 11 thousand members in its Facebook Group. They also have an interesting Twitter profile that lists their daily top earners.

They've tweeted 258 times since June 18th and the total amount of daily top earnings is $485,188.34.

CPAlead Top Earners

There were 281+ thousand leads (completed surveys) and 3.7+ million clicks. That's a 7.5% conversion rate for the top earners.

With numbers such as that… there's little wonder why spammers are attracted.

 
 

 
 
Monday, August 30, 2010

 
Phishing Attempt Alert! Posted by Response @ 04:13 GMT

Someone has been trying to pose as us again, and is sending out an e-mail that looks like this:


From: Account Support
Date: Saturday, August 28, 2010 4:33 AM
To: none
Subject: Account Alert!!!

An HTK4S virus has been detected in your Email Account, and your email account has to be upgraded immediately to our new F-Secure HTK4S anti-virus/anti-Spam version 2010 to prevent damage to the email and important files in your email account. You are therefore required fill the columns below to enable us verify your email account or your email account will be suspended temporarily from our services.

Username:
Password:
Date of Birth:
Telephone Number:

Copyright © Customer Care Center 2010 All Rights Reserved.


You can safely ignore that e-mail, and please do not reply with the requested details. We don't have a product called F-Secure HTK4S anti-virus/anti-Spam, and we certainly wouldn't let such a badly written e-mail be sent out to customers.

 
 

 
 
Friday, August 27, 2010

 
CPAlead Spam on YouTube Posted by Sean @ 20:22 GMT

One of our Safe and Savvy bloggers, Melody-Jane, recently asked me about some "free" offers for F-Secure Internet Security 2010 that she spotted on YouTube. She thought the videos, and their associated links, looked just a bit more than suspicious. So I decided to check them out.

What I discovered was cost per action (CPA) spam, the same sort I've recently been investigating on Facebook. (I'm really, REALLY beginning to hate this CPA stuff.)

This is what one of the typical videos looks like:

YouTube Spam

"Click the Link to Begin Your DOWNLOAD.......BEFORE IT'S REMOVED!!"

Too late. I've already reported the video to YouTube, and Bit.ly flagged the link as abuse within 30 minutes of my request. (Nice!)

Here's another example of a spam video.

YouTube Spam

As you can see, it isn't just our software that the spammer is trying to rip-off, he's offering many other AV products as well.

If you click on the link advertised in the video's description, you'll end up at a WordPress.org blog.

At which point you'll be presented with a CPA survey to "unlock the free content".

YouTube Spam

And what content do you get for your trouble when you fill out the survey?

A link to a torrent site… (jerk).

Downloading cracked software is typically a short path to malware. We don't recommend it (doesn't matter what software).

Be seeing you,
Sean

 
 

 
 
Wednesday, August 25, 2010

 
DLL Hijacking and Why Loading Libraries is Hard Posted by Antti @ 17:45 GMT

In the past few days, a class of exploits that falls under the category of DLL hijacking (or "binary planting") has gotten a lot of attention. Apple's iTunes had problems, and a lot of other applications seem to be falling for the same thing.

The problem is really quite simple. An attacker will try to trick someone into opening a data file (for example, an MP3 file in the case of iTunes) from a folder while at the same time placing a malicious Dynamic-link Library (DLL) somewhere under the same location. By doing this, he can force a vulnerable application to execute the malicious code. So, double-clicking on the wrong file on a network share might get your machine infected.

The whole class of problems is really nothing new. As Thierry Zoller points out, a nearly identical issue was reported a good 10 years ago. Why are we seeing lots of new vulnerabilities now? A lot can be attributed to a new tool that was made available by HD Moore last Sunday. It makes finding such vulnerabilities very easy.

So what can you do to keep safe? Microsoft has Security Advisory 2269637 out on the issue. It has several ways to mitigate the risks. You should also make sure to apply updates from different vendors for vulnerabilities in their products.

We'll of course be following this closely and adding detection for any malicious DLLs abusing the vulnerabilities.

Currently we are not aware of any vulnerabilities in our own software, but we are continuing to investigate the matter.

Signing off,
Antti

P.S. Those of you developing Windows software: isn't it funny that a single function with a single argument, LoadLibrary("mylibrary.dll"), can be so difficult to get right?

LoadLibrary MSDN

The documentation for LoadLibrary has about 1100 words, the page describing it in more detail has 1000 words, and the page that tells you how to really get it right has 900 more. That's around 3000 words, or ten times the length of this post. You just gotta love LoadLibrary!
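As an added illustration (not code from this post, nor from Microsoft or any affected vendor), here is a small Python model of the documented Windows DLL search order that shows why a bare LoadLibrary("mylibrary.dll") can pick up a DLL planted next to the data file. All directories and files are constructed; the `cwd_removed` flag stands in for either the application calling SetDllDirectory("") or the CWDIllegalInDllSearch registry control that Microsoft ships alongside the advisory, and KnownDLLs and already-loaded modules are not modelled.

```python
"""
Toy model of the Windows DLL search order, following Microsoft's documentation
for SafeDllSearchMode on (default since XP SP2) and off.  Added illustration:
not code from the post or from any Microsoft product; every path is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Host:
    app_dir: str            # directory the EXE was loaded from
    system_dir: str         # System32
    windows_dir: str        # Windows directory
    cwd: str                # current directory: the data file's folder when opened from Explorer
    path: list = field(default_factory=list)   # directories on PATH
    files: set = field(default_factory=set)    # constructed file system: full paths that exist
    safe_dll_search_mode: bool = True   # default since Windows XP SP2
    cwd_removed: bool = False           # SetDllDirectory("") in the app, or CWDIllegalInDllSearch


def search_order(host: Host) -> list:
    """Directories probed, in order, for a DLL given by bare name (16-bit system dir omitted)."""
    cwd = [] if host.cwd_removed else [host.cwd]
    if host.safe_dll_search_mode:
        order = [host.app_dir, host.system_dir, host.windows_dir] + cwd
    else:   # legacy order: the current directory is probed before System32
        order = [host.app_dir] + cwd + [host.system_dir, host.windows_dir]
    return order + list(host.path)


def resolve(host: Host, name: str) -> Optional[str]:
    """Return the path LoadLibrary would map `name` to, or None if the load fails."""
    if "\\" in name:                      # a full path is loaded as given; nothing is searched
        return name if name in host.files else None
    for directory in search_order(host):
        candidate = directory.rstrip("\\") + "\\" + name
        if candidate in host.files:
            return candidate
    return None


APP_DIR = r"C:\Program Files\Player"
SHARE = r"\\fileserver\share\music"          # where the victim double-clicks song.mp3

CONSTRUCTED_FILES = {
    APP_DIR + r"\player.exe",
    APP_DIR + r"\shipped.dll",               # a DLL the vendor ships next to the EXE
    r"C:\Windows\System32\helper.dll",       # a system DLL the app also loads by bare name
    SHARE + r"\song.mp3",                    # the bait data file
    SHARE + r"\optional.dll",                # planted: the app probes this name but never ships it
    SHARE + r"\helper.dll",                  # planted: same name as the system DLL
}


def make_host(**overrides) -> Host:
    """Victim machine with song.mp3 opened from the share, so the current directory is the share."""
    settings = dict(app_dir=APP_DIR, system_dir=r"C:\Windows\System32",
                    windows_dir=r"C:\Windows", cwd=SHARE, files=set(CONSTRUCTED_FILES))
    settings.update(overrides)
    return Host(**settings)


def hijack_outcomes() -> dict:
    """Where each LoadLibrary call lands under the default, legacy and mitigated settings."""
    default = make_host()
    legacy = make_host(safe_dll_search_mode=False)
    hardened = make_host(cwd_removed=True)
    return {
        # Shipped DLL: the application directory wins in every configuration.
        "shipped, default": resolve(default, "shipped.dll"),
        # Missing optional DLL: nothing earlier in the order has it, so the share's copy loads.
        "optional, default": resolve(default, "optional.dll"),
        # System DLL with SafeDllSearchMode: System32 is probed before the current directory.
        "helper, default": resolve(default, "helper.dll"),
        # Same name with SafeDllSearchMode off: the planted copy shadows System32.
        "helper, legacy": resolve(legacy, "helper.dll"),
        # Current directory removed from the search: the optional DLL is simply not found,
        # and the application must cope with the failed load instead of executing a stranger's code.
        "optional, hardened": resolve(hardened, "optional.dll"),
        # Loading by full path never searches, so a planted copy elsewhere is irrelevant.
        "optional, full path": resolve(default, APP_DIR + r"\optional.dll"),
    }


if __name__ == "__main__":
    for case, where in hijack_outcomes().items():
        print(f"{case:22} -> {where}")
```

The two planted cases are exactly the patterns the advisory's mitigations target: a DLL the application probes but does not ship, and a current directory that is searched before the system directory.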
 
 

 
 
Corporate Identity Theft Used to Obtain Code Signing Certificate Posted by Jarno @ 12:46 GMT

Last week, the lab identified a curious set of spammed malware: files signed with a valid Authenticode code signing certificate.

Company X's stolen certificate

This is something we've seen before. But this case seemed odd because the contact information appeared very genuine. Usually a valid but malicious certificate uses clearly bogus or dubious details.

I searched for a company that matched the name and address in the certificate and found a small consulting firm that provides services related to industrial process control and optimization.

I contacted the company and asked them whether they were aware that their code signing certificate had been stolen. The case became more interesting to me when they responded that they do not have any code signing certificates. In fact, they don't produce software — so they don't have anything to sign. Clearly someone else had obtained the certificate in their name; they had been the victim of identity theft.

I investigated the case with the help of the victim and Comodo, the Certification Authority that had signed the fraudulent certificate. I discovered that the certificate had been requested in the name of an actual employee and that Comodo had used both phone call verification and e-mail. The fraudster had access to the employee's e-mail, and the phone call verification either ended up with the wrong person or there was some misunderstanding. So the phone check offered no prevention in this case.

Comodo has revoked the fraudulent certificate and any files signed with that certificate will be blocked automatically.

Also during the investigation I learned that the compromised employee had received a phone call from Thawte, another CA company. Thawte asked if she requested a code signing certificate in the company's name, to which she had answered "no", and Thawte then aborted the certification process. So it seems that the malware authors tried multiple CAs until everything fell into place in gaming the application process.

This case gives cause for serious concern about the trustworthiness of code signing in general.

When scammers have access to a company's e-mail, it is very difficult for a CA to verify whether the request coming from the company is genuine. Mistakes will also happen in the future. It is very likely that we'll see more of these cases in which an innocent company with a good reputation is used as a proxy for malware authors to get their hands on valid certificates.

Certification Authorities already have measures for passing on information about suspicious certification attempts and other kinds of system abuse. However, these systems are maintained by humans and are thus fallible, and we have to accept the fact that, with the current system, certificates are not 100% proof of a file's origin.

The current situation, in which a single entity can be served by several certification authorities, is not good from a security point of view. Certification Authorities should have a process similar to the one for domain names, where a single domain name, for example f-secure.com, can be hosted by only one registrar at a time.

Also, code signing or SSL certificates should be allowed to be signed by only one CA at a time.

So if someone would like to get a certificate in the name of F-Secure, they would only be able to get it from the CA where F-Secure currently gets its certificates, which has an existing business relationship with F-Secure; thus any new certification request would be verified through existing business contacts. For this to be possible, the CAs would need a central information resource.

The current model of any CA being able to issue a certificate in any name is simply not ever going to be secure as there are way too many possibilities for scams and social engineering.

For those interested in hearing more about code signing abuse, I will be giving a presentation at the T2 Information Security conference in October.

T2'10

Signing off,
Jarno

 
 

 
 
Tuesday, August 24, 2010

 
I May Never Text Again: More Facebook Spam Posted by Sean @ 16:50 GMT

Today we have an example of yet another Facebook spam (YAFS).

This particular spam links to a Facebook Page called "I May NEVER T�XT AGAIN After Reading THI$!!".

I May NEVER T�XT AGAIN After Reading THI$!!

As you can see, there are over 200 thousand likes.

The Facebook user must click the Like button in order to continue.

Like

But not really. Let's skip step 1 and take a look at the selection source.

selection source

Step 2 requests (but doesn't enforce) sharing the Page and step 3 provides a link to Blogger.

Blogger

JavaScript for CPAlead (an affiliate marketing vendor) kicks in when you visit the Blogger page.

This actually surprised us as we wouldn't have expected Google to allow this sort of thing on a page hosted at blogspot.com.

CPAlead Survey

In order to view the Blogger page, you have to fill out a survey.

But not really. A browser add-on such as NoScript can be used to disable the JavaScript and view the page. Adblock Plus also works.

The "Never Texting Again" blog looks like this once you disable the survey.

Never Texting Again

The Blogger page was created in May 2010 and simply copies this switched.com article from September 2008.

So how many people filled out the survey in order to view the page? That's difficult to say as there aren't any counters on the page.

Another similarly themed spam link from June 29th offers a hint:

bit.ly/a37TaB+

There were nearly 300 thousand clicks on the bit.ly link…

But remember — clicks don't equal conversions.

The bit.ly statistics show that the link was only liked 3048 times.

That's just a one percent conversion rate from Clicks to Likes (step 1 to step 2). And as we mentioned yesterday, even fewer people appear to fill out the surveys (step 3).

Yes. The links do "spread virally". But as a wise man once wrote: Don't Panic!

The links are just spam, and the majority of people recognize it as such — just like e-mail spam, which also links to surveys, scams, and dubious offers.

This spammer has several Blogger pages:

My Blogs

And they all seem to fit Google's definition of spam:

Google's definition of spam

So we reported the entire account to Google.

Done, and done.

We don't really care for the sort of "news" that CPA spammers continue to hype — and you probably don't either — but perhaps you have a friend that frequently falls for this sort of spam? Then check out Bypass Facebook Fan Pages. The site tracks Facebook spam and links to the material on which the CPA affiliates are trying to capitalize. They also have a Twitter account.

Cut the spammers out of the loop.

 
 

 
 
Monday, August 23, 2010

 
What's the success rate of Facebook spam? Posted by Sean @ 20:09 GMT

Facebook spam (erroneously called scams) has been making headlines recently…

And with all the attention on "virally spreading" links, we wondered, just how effective is it? What's the conversion rate? Links spread virally — but so what? That's only one step in the process. How many people actually fill out the CPA surveys that make the money?

Here's one recent example of spam attempting to use English football player Peter Crouch as bait.

Facebook spam

Only 269 "likes" — doesn't seem that interesting…

But wait, what's that in the bottom right hand corner? A counter of some sort?

Indeed, this particular spammer is using a statistics site called http://whos.amung.us.

Here's the dashboard view for the football spam:

Facebook spam

The most action that this spam managed was 208 hits in one hour.

Here's another, more popular spam about an unlucky McDonald's Happy Meal:

Facebook spam

This spam uses bit.ly links to spread itself on Facebook.

Facebook spam

Facebook spam

The links lead to http://happytruthblog.co.cc and there are just over 32,000 clicks. The stats also show the number of likes. Clicks to likes, what's the conversion rate? One link has around 40% and the other about 48%.

The dashboard reflects the successful traffic.

Facebook spam

40% is an excellent conversion rate, much better than e-mail spam.

However, the 32,000 clicks is far less than similar spam from just two months ago when we saw several examples of viral links that yielded hundreds of thousands of clicks.

Returns are diminishing as people are exposed, develop a resistance, and recognize Facebook spam for what it is.

In fact, the spammers themselves seem to know this and are working harder to convince people.

This version of the Happy Meal spam promises "no need to complete surveys."

Facebook spam

And the initial likes and the site's dashboard stats reflect well on that promise.

Facebook spam

But it's the same old spammer lie.

This page has an anti-spam bot "test", which is just a survey by another name.

Facebook spam

Let's close the page. Wait, what's this?

Facebook spam

Please take one minute to complete a spam-free market research survey?!?

Unbelievable.

Screw the spammers! Let's take a look at what they're trying to cover up with their JavaScript.

Here's the page source for the spam page:

Facebook spam

Rather than "like" the page and then "share" it with our friends on Facebook, let's skip to "step 3" and open /reveal.html.

Hmm, that reveals a reference to widget.php.

Facebook spam

And widget.php's page source gives us the final result:

Facebook spam

What? Really? The Happy Meal story is from November 2007? Cripes…

If that's the type of "free content" that these bonehead spammers are pushing, it's no wonder that there's a diminishing return on their efforts. What a joke.

A couple of other examples that we examined today used video bait (video.php). Those spam pages eventually linked to YouTube videos, and those view statistics only showed tens of views from the embedded sources.

That's good news. Examination of the data demonstrates that fewer and fewer people actually continue on to "step 3", which is filling out the survey. The vast majority of people bail out of the process after simply liking the page, or after sharing the link.

But here's the bad news.

Social networking spammers don't need to dupe very many people in order to be rewarded for their efforts. Many of the surveys lead to SMS subscriptions (particularly outside of the USA) and there's good money to be made. And because the conversion rates are better than e-mail spam, you can be certain that it won't be going away any time soon.

 
 

 
 
Friday, August 20, 2010

 
PS3 Jailbreak Trojan Posted by Mikko @ 14:04 GMT

For those of our readers who follow PlayStation 3 discussions, it would have been hard to miss the discussion about a new "jailbreak" for the PS3. News of a USB dongle that breaks the security model of the game console to enable execution of third-party software (as well as pirated games) has been going around like wildfire.

psjailbreak2.jpg from planetadejuego.com

Not surprisingly, online miscreants are trying to exploit the excitement. The real USB jailbreak gadget is not a USB drive, but it looks like one. So now some clown is distributing a Windows program that claims to create a jailbreak USB device out of a normal thumb drive. All you need to do is download and run the program.

PS3 Jailbreak

In reality, it drops a backdoor. We detect it as Trojan:W32/Agent.DLEN (md5 e3e03501c795a6cc4c53df2619cadd4b).
 
 

 
 
Malware and Critical Infrastructure Posted by Mikko @ 12:53 GMT

"Computer viruses may have contributed to the Spanair passenger plane crash which killed 154 people in Madrid two years ago", reports the Spanish newspaper El Pais.

El Pais

"The Spanair central computer which registered technical problems in airplanes was not functioning properly because it had been contaminated by harmful computer programs", the magazine continues.

We cannot confirm whether malware played a part, nor do we know which particular malware it could have been. However, over the years, we have seen real-world infrastructure affected by computer problems. In most cases, this has been just a side effect; the malware behind the problem wasn't trying to take systems down, it just did.

This was especially bad in 2003, when we saw malware-induced problems in real-life systems that were unprecedented in their severity. The main culprits were the network worms Slammer and Blaster.

The network congestion caused by Slammer dramatically slowed down the network traffic of the entire Internet. One of the world's largest automatic teller machine networks crashed and remained inoperative over the whole weekend. Many international airports reported that their air traffic control systems slowed down. Emergency phone systems were reported to have problems in different parts of the USA. The worm even managed to enter the internal network of the Davis-Besse nuclear power plant in Ohio, taking down the computer monitoring the state of the nuclear reactor.

The RPC traffic created by Blaster caused big problems worldwide. Problems were reported in banking systems and in the networks of large system integrators. Also, several airlines reported problems in their systems caused by Blaster and Welchi, and flights had to be canceled. Welchi also infected Windows XP-based automatic teller machines made by Diebold, which hampered monetary transactions. The operation of the US State Department's visa system suffered. The rail company CSX reported that the worm had interfered with the train signaling systems, stopping all passenger and freight traffic. As a result, all commuter trains around the US capital stopped on their tracks.

CSX

There was a lot of attention to the indirect effects of Blaster on a major power blackout in the Northeastern USA, which occurred during the outbreak week. According to the report of the blackout investigative committee, there were four main reasons behind the power failure, one of them being specifically computer problems. We believe these problems were to a great extent caused by Blaster.

report

transcript

It is important to note that even though the system problems caused by Slammer and Blaster were truly considerable, they were only byproducts of the worms. The worms only tried to propagate: they were not intended to affect critical systems. The malware affected environments that had nothing to do with Windows: it was the massive network traffic caused by the worms that alone disrupted normal operations.

 
 

 
 
Wednesday, August 18, 2010

 
Once Again, Zeus Posted by Mikko @ 10:33 GMT

Zeus continues to be one of the most common malware families we run into.

Just now we've been watching a spam run with malicious ZIP files attached.

Resume ZBot

Inside the ZIP is always the same Zeus variant (md5 92671afe999e12669315e220aa9e62c2) but the name varies. So far, we've seen these filenames:

  •  2010 Contract With LC Change 051005.exe
  •  Flight Attendant-0600003A.exe
  •  Second chord sounds in world's longest lasting concert - Yahoo! News.exe
  •  Cancellation Notice.exe
  •  BURRESS_WEDDING_AUGUST2010.exe
  •  IN255596.exe
  •  2010 expenses.exe
  •  resume.exe

The malware downloads additional components from two malicious websites in Russia: jocudaidie.ru and zephehooqu.ru.

We block access to the malicious websites and detect the malware as Trojan:W32/Agent.DKJC.

 
 

 
 
Tuesday, August 17, 2010

 
Android Game Isn't Actually a Game Posted by Mikko @ 08:25 GMT

Another malicious application has been found in the Android Market. A game called Tap Snake isn't just a game; it turns out to be a client for a commercial spying application called GPS SPY.

Tap Snake

The Tap Snake game looks like an average "Snake" clone. However, there are two hidden features. First, the game won't exit. Once installed, it runs in the background forever, and restarts automatically when you boot the phone. And secondly, every 15 minutes the game secretly reports the GPS location of the phone to a server.

Tap Snake

GPS SPY is a simple mobile spying tool and only costs $4.99. When bought, the application advises you to download and install the "Tap Snake game" to the phone you want to spy on. During installation, the game is registered with a keycode to enable spying. This means that the spy has to have physical access to the phone he wants to spy on.

Tap Snake

In many ways, GPS SPY / Tap Snake can be seen as a little brother of mobile spy tools such as FlexiSPY. GPS SPY is developed by "Maxicom".

We expect Google to remove Tap Snake from Android Market soon.

Here's a video we shot, showing the gameplay of the Tap Snake game.



F-Secure Mobile Security 6 for Android protects Android handsets against GPS SPY and Tap Snake. The detection name is Android.Tapsnake.

To install F-Secure Mobile Security to your phone, visit f-secure.mobi on your handset.

Updated to add: As we noted above, we fully expect that Google will pull Tap Snake from the Android Market. But it's also possible that they'll once again flip Android's kill switch and it will be interesting to see if Tap Snake meets Google's kill criteria.

Updated to add: GPS SPY and Tap Snake are no longer available in the Android Market.

Updated on August 12, 2011: Edits made to remove personal details.

 
 

 
 
Monday, August 16, 2010

 
Facebook Recommends Spam Profiles Posted by Sean @ 16:02 GMT

Facebook's "People You May Know" feature appears to be using profile search history when making its recommendations.

I frequently search for spam related keywords, and today, two spam accounts were recommended to me.

People You May Know

Elma and Drema? I don't know anybody by those names…

Searching for the name "Elma Fewell" yielded a few doppelgängers. Checking incremental Facebook IDs yielded even more.

All of these spam accounts were created on Wednesday, August 11th.

Facebook Spam

I also found five Sueann Dehart accounts and a Janiece Duval. All of the profile pictures are of attractive young women (and one of Kim Kardashian). Several of the photos appear to be of Ukrainian models, based on a reverse image search.

The profiles posted spam links such as these on the 12th:

  •  A deal you just can't refuse!
  •  Check this out!
  •  Do not pay for a new iphone 4, get one for free one for no cost!
  •  I became tired of my old mobile phone and got an apple iphone 4 for free!
  •  Incredible Offer Below
  •  Just had to share this with you
  •  Take advantage of this awesome deal!
  •  Take advantage of this great deal!
  •  Whoa, check this out everyone

The links lead to LiveJournal pages that display this iPhone 4 bait:

LiveJournal Spam

But then the "Click Here Now" button directs to another domain which, in Finland at least, gives the following message:

"Sorry, this offer is unavailable in your country. You are now being redirected to a similar offer that is available in your country."

And I was then directed to advertisements for "Bounty Bay Online" by Frogster games, a Berlin based game company.

Bounty Bay Online, http://www.frogster.de

One of my German colleagues has informed me that there's a game expo coming up soon, and that Frogster is promoting a free MMORPG. I think it unlikely that Frogster could be aware of just how their advertising budget is possibly being drained by these unscrupulous affiliate marketers via Facebook and LiveJournal. (Our German office will let them know…)

Abuse messages have been sent to the appropriate parties.

As for Facebook… thanks, but I really don't appreciate the recommendations. Perhaps Facebook should allow people to purge their search history from time to time? Or else they should retool their recommendation algorithm to weed out the fakes.

It's easy enough finding spam on my own — I don't need any extra help.

Signing off,
Sean

 
 

 
 
Friday, August 13, 2010

 
"I possibly wont be back for a while..." Posted by Mikko @ 14:14 GMT

Some of you might have noticed in the news that several people were charged with online crimes in a UK court last week:

ZDNet Kelly

One of the persons charged was Mr. Gary Kelly (21) from Manchester.

What makes this case more interesting is that Mr. Kelly posted a long message about the case to an underground forum. See below.

Gary Kelly

What can I say? Crime doesn't pay.

Signing off,
Mikko

 
 

 
 
Thursday, August 12, 2010

 
Two Steps Away from a Free iPad Posted by Response @ 02:00 GMT

Honestly, how many times have you won free stuff by clicking on links? And no… spam, trojans, and spyware do not count as free stuff.

We recently found a scam that promises a free iPad to application testers. Apparently, the site lures the person into joining an iPad application testing program while the site owner makes a profit from SMS charges and affiliate programs. To enroll in the program, "testers" are required to complete two steps.

iPad scam website

Step one: Twitter connect, where "testers" are required to log into their Twitter account, and allow an application called "Keep it to hend" to access their information.

iPad scam Twitter

Soon after, friends of the testers will receive a tweet containing a link to the iPadAppsTesting website, and a new follower known as Jennt0kvqt will be following them.

iPad scam, Twitter spam

iPad scam, Twitter Jenny

So, who's Jenn? Nothing much can be found on her page, except for a link to her photos (it directs to an adult site that rewards those who refer somebody to join the website) and some trivial tweets.

Step two: Complete the registration by clicking a button, in which the testers will be directed to another site.

After answering an iPad-worthy question, they are then asked to enter their mobile phone number and agree to receive two SMS messages a week, at a cost of RM8 per SMS.

iPad scam SMS

At the end of the day, the iPad is yet to be seen; the testers are stuck with Twitter spam and a ridiculous charge for SMS messages.

Response post by — Choon Hong

 
 

 
 
Wednesday, August 11, 2010

 
Apple Patches the JailbreakMe Vulnerability Posted by Mikko @ 20:04 GMT

Apple has today patched the JailbreakMe vulnerability. This was done via a new iOS operating system update.

The new operating system versions are 4.0.2 for iPhone and iPod Touch and 3.2.2 for iPad.

Installing the new operating system version is not mandatory. However, it is offered to all iPhone users as they connect their handset to their computers.

iOS 4.0.2

The operating systems are also available for direct download from these locations (about 300MB each):

  •  iOS 4.0.2 for iPhone 4
  •  iOS 4.0.2 for iPhone 3GS
  •  iOS 3.2.2 for iPad

Although we haven't yet seen malicious attacks via the JailbreakMe vulnerability, we recommend installing the patch right away.

This does mean that users who have jailbroken their devices and prefer to keep it that way will have to face the increased likelihood of malicious attacks through this vulnerability.

We recommend that all iOS users, including those who have jailbroken their devices, install the latest update now.

More details on what was patched are available from Apple.

Updated to add: Jay Freeman (Saurik) has made an unofficial patch for one (CVE-2010-1797) of the two vulnerabilities patched by Apple. It's available for Jailbroken devices via Cydia, and will work also on the older devices that have not yet received any updates from Apple.
 
 

 
 
3 minutes 27 seconds Posted by Mikko @ 14:56 GMT

We have put together a short video about our upcoming F-Secure Internet Security 2011 product.

I just watched the video, which features Sean from our lab. And I must tell you that Sean looks amazing.

I don't know how they did that. Maybe he's rendered.

Sean Sullivan

In any case, I recommend you spend 3 minutes and 27 seconds watching the video.

 
 

 
 
Monday, August 9, 2010

 
How to Install LNK Update (KB2286198) on Windows XP SP2 Posted by Sean @ 16:04 GMT

Microsoft discontinued support for Windows XP Service Pack 2 on July 13th, and that means there is no SP2 update for the recent LNK shortcut vulnerability (KB2286198). If you review the comments from this SANS Diary post, you'll see that there was some initial confusion regarding SP2 support, due to a typo in Microsoft's Security Bulletin (MS10-046). The bulletin is now corrected.

However, even today, the download for Windows XP still includes SP2 in the file properties.

KB2286198, Properties

But if you try to install the update on an SP2 system, you'll get this error message:

KB2286198, Setup Error

"Setup has detected that the version of the Service Pack installed on your system is lower than what is necessary to apply this hotfix. At minimum, you must have Service Pack 2 installed."

This minimum requirement reminded us of some other software that required SP3… Grand Theft Auto IV.

GTA IV

GTA IV wouldn't install on SP2 systems when it was released in December of 2008.

And so some determined gamers came up with a registry hack.

XP SP2 Registry Hack

It turns out that an SP2 system will think it's SP3 if you open this key: HKLM\System\CurrentControlSet\Control\Windows, edit the DWORD value CSDVersion from 200 to 300, and reboot.

It worked for GTA IV, so we decided to test it with KB2286198. And our test worked, WindowsXP-KB2286198-x86-ENU.exe installed on our SP2 test system once we tweaked the registry. We also tested an LNK exploit, and it did not infect the system after the patch.

Cool.

But remember, this update is NOT officially tested or supported by Microsoft for SP2. And we do NOT recommend that anybody use this tweak in a production network of any kind. Hacking the registry and applying updates is likely a very quick way to destabilize your system. You really should update to Service Pack 3 if at all possible.

If you want to experiment, do so at your own risk.

Updated to add: A reader added this link to Security Active Blog into the comments of this post.

The Security Update for Windows XP Embedded also installs on Windows Service Pack 2 systems and no registry tweak is needed. The file is called WindowsXP-KB2286198-x86-custom-ENU.exe.

Friday, August 6, 2010

 
Questions and Answers on the JailbreakMe Vulnerability Posted by Mikko @ 13:15 GMT

Q: What is this all about?
A: It's about a site called jailbreakme.com that enables you to Jailbreak your iPhones and iPads just by visiting the site.

Q: So what's the problem?
A: The problem is that the site uses a zero-day vulnerability to execute code on the device.

Q: How does the vulnerability work?
A: Actually, it's two vulnerabilities. The first one uses a corrupted font embedded in a PDF file to execute code, and the second one uses a vulnerability in the kernel to escalate that code execution to unsandboxed root.

Q: How difficult was it to create this exploit?
A: Very difficult.

Q: How difficult would it be for someone else to modify the exploit now that it's out?
A: Quite easy.

Q: Was this irresponsible disclosure?
A: Yes it was. Apple was never informed of the vulnerability.

Q: Who created this exploit?
A: The credits on jailbreakme.com are as follows: "Jailbreak by comex, website by westbaer and chpwn. Special thanks go out to BigBoss, chronic, DHowett, MuscleNerd, planetbeing, posixninja, and saurik."

Q: So this is an iPhone problem?
A: No, it's an iOS problem. Which means it affects iPhones, iPads and iPods.

Q: iPods too?
A: Yes, iPod Touch is affected. That's the iPod that looks like an iPhone.

Q: Which versions of iPhones, iPads and iPod touches are affected?
A: All of them.

Q: So this affects all iPhone users in the whole world?
A: Yes.

Q: But I thought only jailbroken iPhones were at risk!
A: You're confused. All iOS devices, including plain vanilla iPhones, are at risk.

Q: Is there a patch available?
A: No.

Q: Ouch. Will there be a patch?
A: Apple is expected to ship one as soon as they can.

Q: Is that confirmed?
A: It is. Apple wants to patch this for two reasons: to prevent people from jailbreaking their devices and to protect their customers from potential attacks.

Q: Does the PDF vulnerability affect Adobe PDF Reader?
A: No. Adobe PDF Reader on Windows and other platforms is not affected by this vulnerability.

Q: Is the PDF reader on my iPhone made by Adobe?
A: No, it's made by Apple. And there is no separate Reader application, PDF support is built into the OS.

Q: After all the fighting between Apple and Adobe (regarding Flash), isn't this a bit ironic?
A: Yeah.

Q: Are any other applications vulnerable?
A: Some versions of Foxit Reader and the FreeType2 library might be. See here.

Q: How many malicious attacks with this vulnerability have you seen so far?
A: Zero.

Q: So there's no risk?
A: There's no risk, at the moment. The potential for risk, however, is big.

Q: What's your best guess, when will we see an iPhone worm spreading via this vulnerability?
A: Within a week or so.

Q: How could such a worm arrive on my phone?
A: Via any mechanism that could make your device open a malicious PDF file. We have examples in an earlier blog post.

Q: So a malicious web page would do it?
A: Yes. Or a malicious PDF email attachment. Or a text message with a weblink. Or a link in a Twitter or Facebook feed, assuming you click on that link with your iPhone.

Q: Could it arrive via MMS messages?
A: Thankfully, no, as PDF attachments fail in iPhone MMS messages. This is also known as security through incompatibility.

Q: How could such a worm replicate further?
A: It could replicate further from your phone by sending itself as a text message to all the people listed in your phone book, for example.

Q: What could such a worm do on my phone?
A: Anything. It could do anything you can do on your phone, and more. So it could destroy or steal all of your data. Track your location. Spam your friends. Listen to your phone calls. Dial the presidents of every country in the world. Anything. And you would pay for all the charges it would create, too.

Q: So as an iPhone user, what should I do to protect myself?
A: You should be careful. And you should install the patch when it becomes available.

Q: Should I run an antivirus on my iPhone?
A: You should, yes. But you can't.

Q: I can't? Why not?
A: Because there are no antivirus programs available for iPhone.

Q: What?
A: There are no antiviruses available on iPhone. Not from any vendor.

Q: Why not?
A: We can't make them without Apple's help.

Q: Anything else I could do?
A: If your iPhone is jailbroken, you could consider installing the "PDF Loading Warner" app, made by Chronic Dev Team. We're not endorsing the tool, but it might help.

Q: What does this tool do?
A: It warns you every time a web page tries to load a PDF file, harmful or not.

Q: Where can I get that PDF Loading Warner app?
A: See here.

Q: Are you telling me that it would be safer now to jailbreak my phone so I could install a PDF Warner?
A: Yes, sort of.

Q: But wouldn't jailbreaking expose my phone to other security risks?
A: Well yes, it would. And we do not recommend that people jailbreak any of their devices for any reason. For example, the only iPhone worms we've seen so far only infected jailbroken devices, and even those required you to have installed an SSH server and assumed you had not changed your root password.

Q: So you know the root password of my iPhone?
A: If you haven't changed it, it's "alpine".

Q: So I guess I should change it?
A: Yes, although that's not related to the jailbreakme vulnerability. For instructions, see our blog post from 2009.

Q: Anything else I could do?
A: You should follow the news. If there is a real attack via this vulnerability, we will be able to give you much more concrete instructions on how to protect yourself. Follow our blog and Twitter feeds.

Wednesday, August 4, 2010

 
How many ways can you remotely exploit an iPhone? Posted by Sean @ 14:26 GMT

At this point, you've probably read that there are vulnerabilities in Apple's iOS that allow drive-by jailbreaks. And you also know that those vulnerabilities can be used for other drive-by exploits such as malicious attacks.

Many reports have mentioned that attackers could exploit iPhone owners by tricking them into visiting a specially crafted webpage. We have been asked: Just how do you trick somebody into opening such a webpage from a phone? What are the methods that could be used? So we did some lab tests using the jailbreak PDFs.

Are e-mail worms possible?

We tested an exploit PDF as an e-mail attachment.

Test #1:
iPhone email with pdf attachment

The iOS e-mail client readily recognized and launched the PDF attachment with no trouble, smooth as silk.

One mitigation that limits an e-mail worm is that the PDF exploit targets a specific combination of hardware and firmware. Spear phishing is a possibility if an attacker knows, or guesses, the versions being used by the potential targets.

How about an SMS worm?

Test #2:
iphone sms with hyperlink

This is probably the easiest method to attempt, as the iPhone's software automatically formats hyperlinks sent via SMS.

But then, if this attack were to happen, its lifespan would be limited to the time before the exploit server is reported and taken offline. (And the security community responds very quickly to such malicious hosts.)

And then what about MMS worms?

Test #3:
iphone mms with pdf attachment

Do you see the question mark in the image above? Fortunately, the iPhone's substandard support for MMS messages prevents the PDF from launching. We'll call this security through incompatibility…

Hopefully Apple will patch the vulnerabilities before anyone attempts to use them maliciously. But we'll have to wait and see just how long that will take.

From Apple's support site:

"For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available."

Tuesday, August 3, 2010

 
JailbreakMe 2.0 Uses PDF Exploit Posted by Sean @ 10:33 GMT

Edited to add: Due to a communication error between our labs, we incorrectly stated that the exploit PDF files, mentioned below, crash Adobe Reader. This is not the case. Our apologies for the error.

The iOS drive-by jailbreak available at jailbreakme.com (see yesterday's post) utilizes a PDF exploit. The PDF files, 20 of them, for various combinations of hardware/firmware, are located in a subdirectory off the root of the website.

JailbreakMe 2.0 PDF Directory

Here's a snapshot of the code.

JailbreakMe 2.0 PDF Code

Charlie Miller had this to say via Twitter:

"Starting to get a handle on jailbreakme.com exploit. Very beautiful work. Scary how it totally defeats apple's security architecture."

In our testing, the PDF files crash both Adobe Reader and Foxit on Windows. We detect them as variants of Exploit:W32/Pidief. While these files are not being used maliciously, an exploit is an exploit, and we'll add detections for them.

Do note that by default, there's no separate PDF viewer on an iPhone. Instead, PDF viewing is built into the Safari browser. The attack uses a corrupted font placed inside the PDF file to crash the Compact Font Format (CFF) handler.

(There have been 4 previously patched iOS CoreGraphics/PDF related vulnerabilities.)
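An added triage heuristic, not code from the original post or from F-Secure: since the attack lives in a CFF font program, listing the embedded CFF fonts (/FontFile3 streams with /Subtype /Type1C) in a PDF that arrived by e-mail or web tells a reviewer which streams to inspect first. The sample PDF is constructed inline and contains a harmless placeholder font; legitimate documents embed CFF fonts too, so a hit means "look closer", not "malicious".

```python
import re
import zlib

# Added example, not code from the original post. A CFF font program inside a
# PDF is referenced from a font descriptor as "/FontFile3 n g R" and lives in
# an object whose dictionary carries /Subtype /Type1C. We collect those streams,
# inflate them if FlateDecode'd, and report size plus a CFF header sanity check.
FONTFILE3_REF = re.compile(rb"/FontFile3\s+(\d+)\s+(\d+)\s+R")
OBJECT = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def find_cff_fonts(pdf: bytes) -> list:
    """Return one record per embedded CFF font program found in the PDF bytes."""
    objects = {(int(n), int(g)): body for n, g, body in OBJECT.findall(pdf)}
    hits = []
    for n, g in sorted(set(FONTFILE3_REF.findall(pdf))):
        body = objects.get((int(n), int(g)))
        if body is None or b"/Type1C" not in body:
            continue  # missing object, or a non-CFF font program
        m = STREAM.search(body)
        data = m.group(1) if m else b""
        if b"/FlateDecode" in body:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                data = b""  # undecodable stream: still worth a manual look
        hits.append({
            "obj": int(n),
            "length": len(data),
            # A CFF header starts with major version 1, minor version 0.
            "looks_like_cff": data[:2] == b"\x01\x00",
        })
    return hits


def build_sample_pdf() -> bytes:
    """Constructed minimal PDF with one embedded CFF font (harmless placeholder)."""
    font = zlib.compress(b"\x01\x00\x04\x01" + b"\x00" * 16)  # CFF header + padding
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj",
        b"3 0 obj << /Type /FontDescriptor /FontName /Demo /FontFile3 4 0 R >> endobj",
        b"4 0 obj << /Subtype /Type1C /Filter /FlateDecode /Length "
        + str(len(font)).encode() + b" >>\nstream\n" + font + b"\nendstream\nendobj",
    ]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(find_cff_fonts(build_sample_pdf()))
```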

VirusTotal Report, Exploit:W32/Pidief

You can find SHA1 and other information from VirusTotal.

On an amusing endnote, while jailbreaking an iPhone is now legal, it's not very nice to do so at the Apple Store.

Updated to add: Foxit Reader 4.1, released on August 3rd, fixes a "crash issue when opening certain PDFs."

JailbreakMe is exploiting two vulnerabilities in iOS: the PDF support flaw allows for the execution of code, and another vulnerability in the kernel allows for an escalation of privileges to escape from the sandbox. VUPEN Security has a detailed vulnerability report.

Monday, August 2, 2010

 
Out of Band Microsoft Update for LNK Vulnerability Posted by Sean @ 14:17 GMT

Microsoft will release an out-of-band update today to address the LNK vulnerability (2286198) that is being exploited. The security update will be released at approximately 10:00 Pacific Daylight Time.

From the Microsoft Security Response Center:

"We are releasing the bulletin as we've completed the required testing and the update has achieved the appropriate quality bar for broad distribution to customers. […] We firmly believe that releasing the update out of band is the best thing to do to help protect our customers."

We agree. Cheers to Microsoft.

New update: The patch to resolve the vulnerability is out and available for download now.

JailbreakMe 2.0 for iOS 4 Posted by Sean @ 12:37 GMT

There are numerous reports that JailbreakMe 2.0 has been released with support for iOS 4. All that's needed to jailbreak an iPhone, iPod or iPad is to visit http://www.jailbreakme.com and then to engage the drive-by script.

http://www.jailbreakme.com

This follows last week's news that jailbreaking is legal in the USA.

We're currently investigating to learn more about the vulnerability being used… if the vulnerability can be used to jailbreak, it can also be used for more malicious drive-by exploits. (JailbreakMe's website has been online since late 2007 and they appear to be legitimate enthusiasts.)

And on the topic of iOS vulnerabilities, we've updated the spreadsheet linked in last Friday's post to include a category list and chart.

WebKit and Safari account for 64% of iOS's security fixes.

iOS Security Updates, 2010.06.21