NEWS FROM THE LAB - September 2008


Tuesday, September 30, 2008

Really Legal Stuff Posted by Sean @ 16:16 GMT

WinDefender 2008 is a rogue application. Rogues are also sometimes known as scareware.

Spyware Rogue : WinDefender 2008

Looks sort of familiar, doesn't it? Do you recognize the shape of the box?

The website creators appear to have "borrowed" a few things.

Let's check out the legal disclaimer.

Spyware Rogue : WinDefender 2008 : Really Legal Stuff

Hey — Really Legal Stuff — That's impressive. From where else we can find really legal stuff?

Spyware Rogue : Antivirus XP 2008 : Really Legal Stuff

Oh, Antivirus XP 2008. That particular rogue is a huge pain in the… neck.

The guys that produce this stuff are crooks and swindlers.

Spyware Rogue : Antivirus XP 2008

Here's a tip: If they claim to be REALiable — they're probably FAKE.

P.S. Performing a search for "really legal stuff" produces some very interesting but definitely NOT safe for work results.

Avoid following the links.


Friday, September 26, 2008

A Different Twist on the Path to the Kernel Posted by Response @ 14:52 GMT

Now here's something we don't see every day.

It's an interesting twist on an old tactic — a worm that uses a local elevation of privilege vulnerability to access the kernel and execute code.

Most malware with rootkit functionality will tamper with the Windows kernel and attempt to execute code in kernel mode. Typically, a special driver is used to do this.

Worm.Win32.AutoRun.nox has a payload that restores the original function pointers back to the kernel's System Service Table (SST). The usual motivation for malware to do this is to remove any SST hooks installed by security software or other malware that might affect its successful operation.

As noted, normally a special driver or the physical memory device is used to get access to kernel-mode memory to restore the pointers. AutoRun.nox is different — it uses "GDI Local Elevation of Privilege Vulnerability (CVE-2006-5758)" to do the job. For malware, its rather unique to see such a technique being used.

This vulnerability is due to an error in handling a shared memory structure, which allows the structure to be remapped from read-only to writable. April 2007's update patched the vulnerability.

Antivirus :  Worm:W32/AutoRun.GM

After remapping the memory, the malware will initialize a CPalette object. It will then search for the palette object in the shared kernel memory structure. Since the memory is now writable, it can be altered to include a pointer to a special function that will remove any existing SST hooks. Finally, a call to GetNearestPaletteIndex will indirectly cause the function to be executed. Afterwards, the palette object is restored leaving no trace of the attack.

If attacking this vulnerability fails, the worm goes back to the tried-and-true "special driver" method. The driver is detected by us as Rootkit:W32/Agent.UG.

Either way, if the attack is successful, the machine is compromised as the attacker can access the kernel and execute code, or cause a denial of service.

This attack will only work on unpatched machines running without the latest updates. Microsoft ranks this vulnerability as Important and recommends that users apply the update immediately.

Foresight? From:

"With this new release, the Window Manager, GDI, and related graphics device drivers have been moved to the Windows NT Executive running in kernel mode."

Response team post by Lordian, Kimmo, Antti ...and Mika


Monday, September 22, 2008

You're Not Paying Attention Posted by Mikko @ 09:14 GMT

You're not listening to what we're saying at all.

We quite clearly told you in our last blog post not to post the address "" to a public web page.

Now look what you've done. The address is all over the web and all over the blogosphere.

Please try to pay more attention in the future.


Friday, September 19, 2008

Do spammers get spam? Posted by Mikko @ 15:06 GMT

Spam is still a problem.

Problem is, spam still works. So it won't be going away any time soon.

One spam vendor was recently spamming (yes) their own ads to a few million e-mail addresses. The message contained this PDF file:

Two things worthy of noting here:

First: The old e-mail spam vendors are selling mobile phone text message spam lists as well.

Second: The vendor here is trying to avoid getting spammed themselves, by writing their e-mail address
(which is as info [at] bulk-mail [dot] org.

We suppose they are worried that an e-mail collecting spider might find their e-mail address ( and add it to a spam database. Then their address (which was would get spam too. We guess.

Anyway, their address seems to be Make sure you don't post it to a public web page or they might otherwise get spam.


Thursday, September 18, 2008

JavaScript Injection Attack Posted by WebSecurity @ 09:13 GMT

JavaScript injection attacks seem to be the in thing these days. Malware writers are increasingly utilizing such attacks as a better means to spread their work.

As little as a year ago, the bad guys were dependent on enticing people to follow links that pointed to malicious websites (via e-mail, search links, or IM worms). Today, they are using JavaScript injection attacks to simply "steal" a website's visitors, and it has become something of a Swiss Army Knife for underground hackers to spread their malware worldwide.

JS Injection

We've seen numerous high traffic, legitimate websites attacked using this technique. One recent example is MegaGames, a very popular U.S. gaming portal with a 3172 rank in Alexa. The JavaScript injection attack successfully exploited one of MegaGames' servers to insert a couple extra lines of code. This addition redirects unsuspecting website visitors to a malicious European site where the main infection attempts are carried out.

The malicious site attempts two different methods to attack its visitors. The first is an attempt to exploit a Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability (MS06-014).

JS Attack

This attack would only affect website visitors using versions of Microsoft's Internet Explorer (IE) browser, as the website basically requires visitors to use an ActiveX Control, then uses a loophole in the way the ActiveX Control interacts with the IE browser to provide remote attackers complete control over a victim's system.

The second attack attempted is a drive-by download, which affects not only the IE browsers, but also Firefox 1.0 & 2.0 browsers. This attack uses JavaScript to detect the browser's type, then uses Adobe Flash exploits to download and execute a malicious binary file onto the system.

Flash Exploits

The MegaGames website is currently still compromised and its misfortune illustrates a good point. Many Internet users are under the impression that they can only get infected with malware if they visit "obviously risky" (dodgy) websites, such as "pr0n" or "warez" sites. Unfortunately, that's not true. Malware writers have been getting more sophisticated and today, even legitimate news or business sites can get surreptitiously compromised.

Another good example that no site is safe — — a very legitimate and high traffic site. It has fallen victim to an SQL Injection attack, and such attacks inject JavaScript…

The Register has more details.

Web Security team post by — Choon Hong


Monday, September 15, 2008

Upcoming National Inter Varsity Security Tech Quiz Championship Posted by Response @ 02:36 GMT

We've been investing a lot of time recently in a Security Awareness Drive at local university campuses, to create more awareness about information security issues in Malaysia.

On the Security Awareness Drive

So far, the response from the students has been encouraging. Still, we wanted more students to get interested in this field, both academically and career-wise — so we thought, what better way to do it than to use information security as the topic for a competition where the grand prize is a paid trip to Helsinki, Finland, complete with a brand spankin' new laptop?

To that end, we've been involved in organizing the upcoming Malaysian National Inter Varsity Security Tech Quiz Championship, which will take place towards the end of 2008. The competition is open to teams of students from all private and public universities in Malaysia, who will compete through four rounds of increasingly tough questioning. Teams will be eliminated in each round, until one team of four students is left standing in the grand finale — and then it's off to Finland they go!

To win a round, the teams need to correctly answer questions revolving around security for mobile phones, desktops and laptops, and online threats. Practically, the questions will include everything from general security terms to landmark events in computer security history, malware characteristics and computer trivia. If we feel the teams are having too easy a time, we even have a list of "Almost Impossible" questions to throw in, to make things more interesting! We're looking forward to the Tech Quiz Championship and will probably post an update nearer to the event date.


Friday, September 12, 2008

Spam.KML Posted by Sean @ 14:35 GMT

Where does today's batch of spam and phishing come from?

Let's plot them out with Google Earth.


You can download today's KML data file from: spam and phishing 2008.09.12 (3731k file).


Thursday, September 11, 2008

Fore! Posted by Sean @ 16:09 GMT

Holo is one of our Database Update Publishers (DUP).

This is him:

Ready for the 2008 Golf Tournament

He's out this afternoon taking part in the Helsinki office's annual golf tournament.

So who's publishing the AV database updates in the meantime???

Azidin, one of the DUPs from our Kuala Lumpur team. He's been working remotely with the Helsinki shift today.

So we just realized something, September 13th will mark our Malaysian office's two year anniversary.

Working with counterparts from across the world has become second nature to us since then…

Good luck to Holo and thanks to Azidin!


Wednesday, September 10, 2008

What's The Latest Buzz? Posted by Response @ 06:25 GMT

The 2008 US Presidential Election is well on its way, and what news could be more enticing than an alleged sex scandal involving one of the candidates?

The latest e-mail spam run on the loose contains a link to an supposed pornographic video of Democratic candidate Senator Barack Obama.

In order to conceal the trojan's primary intent, a pornographic video will be opened once the file is downloaded and executed. Along with the video named 01.wmv, the trojan drops another malicious file onto the system called 809.exe. Next, it registers the file siemens32.dll as a Browser Helper Object (BHO).

As a result, every time Internet Explorer is launched, the malicious BHO is being referenced. As soon as the user connects to specific banking sites, especially well-known banks in Germany, the trojan collects the information gathered from the bank transactions then posts it to the "Medved Hotel", Finland.

Medved Hotel

Interestingly, there is no Medved Hotel in Finland. The website, however, looks real enough to fool unsuspecting users and the layout was apparently borrowed from a real Finnish Hotel, Bear Inn, in order to make a bogus site out of it.

Hotel Bear Inn

Can you spot the difference? Both the websites are almost the same except for the discrepancy on the right side of the page.

Currently, we have reported this to local authorities and they are working on getting the site shut down. All of the malicious files mentioned are detected as Trojan-Spy:W32/Banker.ISO.

Response Team post by — Mark


Tuesday, September 9, 2008

Trustworthy Domain Posted by Mikko @ 12:46 GMT

So, let's say you get an e-mail from your bank, asking to confirm your details.

You follow the link and end up at a site such as this:


Looks good.

Let's have a closer look at the domain information.


Turns out the bank site is hosted in Hong Kong. Which is not itself suspicious, I guess…

And the domain was registered yesterday. That could be a coincidence.

The nameservers of the site are, and…erm…which isn't necessarily a bad thing.

And the administrator's e-mail address is Ho hum.



Monday, September 8, 2008

Inside-Out Improvements Posted by Sean @ 11:49 GMT

Our 2009 consumer products were official launched last Wednesday and there are a number of technological enhancements within.

The lab has been busy working with core improvements inside our scanning engines for several months now, and we are very satisfied to see it yielding results so soon.

We scored very well in's latest results. More importantly, we're improving on our own already good results.

2009's scanning engines detect more, and do it faster.


F-Secure 2008 & 2009 results

"Outside" improvements have been implemented as well.

Our marketing team did some research for the 2009 packaging and developed a better box.

Dr. Tuula Pohjola of the Helsinki University of Technology was approached to perform a life cycle assessment (LCA). Keep an eye on the pressroom for the full details, coming soon.

For now, the basic details are as such — on-demand digital production techniques, local raw materials, plant-based inks, and it's easily recycled. Very nice.

It looks very nice too, as seen in this photo with two of our Helsinki office employees, Weronika and Niina.

Weronika and Niina with Internet Security 2009 and Anti-Virus 2009

Eco Friendly

You can find more pictures (of the boxes) from our marketing pages.


Friday, September 5, 2008 Posted by Sean @ 20:26 GMT

Digital security is something that human rights activists are concerned about, and they should be

Here in the lab, we see many examples of targeted malware attacks focused on human rights organizations. Here's one example from September 3rd that ironically uses "digital security training" as the hook.

The spoofed message is very well done; the content uses real names, organizations, e-mail addresses, phone numbers, et cetera.

It looks very legitimate at first glance.

Targeted Message

The message was sent to a human rights activist based in the USA. There was a Word document attached.

It too uses real names, locations, and so on.

Training Application Form

Fortunately, the recipient of this message was knowledgeable enough to avoid opening the attachment. Instead of opening it, he forwarded it to the lab for analysis.

Yep. It was a trap. The Word document had an exploit.

The only thing about this case that seems to indicate "hackers" rather than "spies" is the document's author.

Training Application Form Properties

…perhaps the spies are paying the hackers?

Front Line Defenders, mentioned in the e-mail message actually has some very good security advice on their site.

They should perhaps add one more topic — targeted malware attacks.

You can read more on the topic from

P.S. Front Line's Software Installation guide suggests uninstalling ALL unused Windows applications. Great idea.

Human Rights Organizations really concerned with digital security might also consider going one step further by giving something such as Ubuntu a try. It's free, has all of the needed applications, and none of the current exploits being used against activists.


Wednesday, September 3, 2008

It's Time for 2009 Posted by Sean @ 15:51 GMT

Today is the official launch day for our 2009 consumer lineup. Lots of work has gone into the launch, and plenty more has gone into the development. We'll have some details on the technology for you later.

In meantime, check out our Online Wellbeing campaign.

F-Secure Anti-Virus 2009


Google Chrome and Security Posted by Mikko @ 06:54 GMT

So Google's Chrome web browser has been released.

For a change it's nice to see a browser that does not eat all of your memory.

Chrome is going to become popular. That means it will also become an interesting target for malware authors.

Google knows this.

Snippet from the Chrome Cartoon by the great Scott McCloud

Chrome features sandboxing of each tab, built-in web reputation service, special privacy mode and so on.

For example, here's what it looks like when you try access a known malicious site with Chrome: phishing site

However, one security vulnerability has already been found, based on the WebKit engine used inside Chrome.

There will be more issues, especially related to plugins.

We expect Chrome to quickly gather a sizable market share, mostly from existing Firefox users.


Monday, September 1, 2008

Video - E:VOLUTION Posted by Sean @ 10:26 GMT

The Lab's YouTube channel has been updated:

E:VOLUTION E:volution

This "white" video is a sequel to last year's "black".

RE:SOLUTION Re:solution