NEWS FROM THE LAB - September 2009


Wednesday, September 30, 2009

Samoa Earthquake News Leads To Rogue AV Posted by WebSecurity @ 08:03 GMT

It seems SEO poisoning is the current "trend" for directing users to rogue antivirus software. These SEO poisoning attacks usually exploit major news topics, the latest of which is the September 29th earthquake off Samoa, which triggered a tsunami warning for numerous South Pacific islands, as well as Hawaii.

Readers looking for news articles on the earthquake may come across this page in the Google search results:

Samoa earthquake, Google

On clicking the link, the user is redirected to a series of sites via 302 redirects:
Samoa earthquake redirect
The final landing page warns the user that their "system is infected":

Samoa earthquake, Rogue AV

The Windows Security Center warning looks authentic enough, but it is fake. Users are prompted to download rogue antivirus software.

As usual, be careful when browsing. These websites are blocked by our Browsing Protection.


Updated to add: Looks like tweets are also being used to direct people looking for tsunami news to rogue AV. Searching Twitter with the term "tsunami" turned up the following tweet:

Samoa earthquake, Twitter

Which lead to the following message:

Samoa earthquake, Twitter

How nice, a free system scan. Then a notification that "Your computer is infected" appears:

Samoa earthquake, Twitter

Note that the whole "folder" is really just an image. Users then get messages asking them to download a rogue AV to clear the supposed infections.

Web Security post by — Chu Kian & Choon Hong


Tuesday, September 29, 2009

No Trial Mounts For You Posted by Response @ 05:50 GMT

Say you play World of Warcraft (WoW) and you really, really want a mount. Then someone pops up and tells you about a new website where Blizzard is offering new trial mounts:

WoW phishing

So you visit the site and see this:

Phishing site

Yes, it's another phishing website, which looks exactly like the real login page. A player entering his details into the page expecting to get a mount basically gets his account pwned instead. Apart from losing all the gold and items saved, a compromised account could also be used to send out the malicious messages to other victims, adding insult to injury.

An interesting detail about this particular site is that a reverse-IP check on its IP address turned up over a dozen other WoW phishing sites.

As usual, be careful while gaming. These phishing websites are blocked by our Browsing Protection.


Monday, September 28, 2009

XSS Worm on Posted by Mikko @ 11:12 GMT

Reddit ( is a social news website, and it's much better than Digg or Slashdot.

However, it got hit today by a XSS worm that was spreading via comments on the site.


It all started with a user called, suitably enough, xssfinder.

His account has already been deleted.


This user posted some test comments exploiting the fact that Reddit wasn't filtering out JavaScript in certain instances when you were hovering your mouse over text.


When xssfinder got his script working, he tested it by posting one comment to a popular link called "Guy on a bike in New York 'high fives' people hailing cabs".

After this, things happened quickly.

People reading comments ended up sending massive amounts of new comments to Reddit threads.

Right now things have calmed down. Reddit was never down, and Reddit administrators have closed this vulnerability. Malicious comments are being mass deleted right now.



Friday, September 25, 2009

Irreplaceable Posted by Response @ 17:10 GMT

It's been an active week here in the Lab while some of us were away at VB2009 in Geneva.

TGIF, it's the weekend, time for family and friends. Let's have some Friday fun.

Would you like to win an 8GB iPod touch and one year of F-Secure Online Backup? Yes, you would?

Then check out the details on F-Secure's Facebook page.

The basic idea behind the promotion is to upload and share a photo of something "irreplaceable".

Something such as Tyson here:


He's very irreplaceable to one member of the Lab's family.

We're looking forward to seeing your pictures. Click here for the full details.


Repost: Linux Rescue CD 3.11 Posted by Sean @ 15:50 GMT

Our Mac & Linux Team published an update to our Linux based F-Secure Rescue CD this week.

F-Secure Rescue CD 3.11

Rescue CD 3.11 now includes some useful disk utilities:

  •  PhotoRec — a recovery tool for data that's been accidentally deleted or lost due to a corrupted file system
  •  TestDisk — a recovery tool that can be used to recover a lost partition
  •  smartmontools — contains utilities that can be used to inspect S.M.A.R.T. values

We think these utilities are great additions to the Rescue CD.

The Mac & Linux blog has the full details.


Wednesday, September 23, 2009

Health Check 2.0 Beta is Available Posted by Sean @ 16:22 GMT

There's a new version of F-Secure Health Check available for beta testing and it's considerably different from its predecessor.

(We like it.)

F-Secure Health Check 2.0 Beta

So what's new?

More browser support and no more ActiveX among other things.

F-Secure Health Check 2.0 Beta, New

What are the requirements?

Various 32-bit Windows, Internet Explorer and Firefox.

F-Secure Health Check 2.0 Beta, Supported

We even have code for a "widget" if you'd like to embed F-Secure Health Check on your site.



Sunday, September 20, 2009

Mass-Generating Fake Twitter Accounts for Profit Posted by Mikko @ 09:43 GMT

We're seeing more and more fake Twitter accounts being auto-generated by the bad boys.

The profiles look real. They have variable account and user names (often German) and different locations (US cities). They even upload different Twitter wallpapers automatically.


All the tweets sent by these accounts are auto-generated, either by picking up keywords from Twitter trends or by repeating real tweets sent by humans.

And where do all the links eventually end up to?

Of course, they lead to fake websites trying to scare you into purchasing a product you don't need:


Be careful out there.


Friday, September 18, 2009

Hi! Can I send email spam from your servers? Posted by Mikko @ 18:44 GMT

I noticed this Google Ad on

Good AdWords

Hmm. Mailing servers? Sounds suspicious.

How could I confirm if these guys are just selling spamming services through Google AdWords?

What if I just mail them and ask?

Good AdWords

And here's the reply from them:

Good AdWords

Aw. I rest my case.


Hacker Forum Got Hacked Posted by Mikko @ 07:09 GMT

A web forum called was one of those "underground" forums where people discuss hacking techniques and sell malware code, bank logins and stolen credit card numbers.


But now, Pakbugs is gone.

Turns out someone hacked this hacker forum and posted the results to the Full Disclosure mailing list.


What was made available was the full userlist of the forum with logins, email addresses and password hashes.


The website has been up and down over the last hours.


Thursday, September 17, 2009

More Swayze-Baited Traps Posted by WebSecurity @ 03:27 GMT

First it was spam; now it is videos. People looking for videos of Patrick Swayze's funeral may stumble across the following website listed in Google's search results:

Swayze video

Folks may think that they need to click on the "video" to enable video streaming. Actually, it's an image and clicking on it takes the user to another website that promises this video:

Swayze video 2

And clicking on THIS video ends up with the victim unintentionally downloading a rogue AV.

Incidentally, on the first website the bottom video is an actual YouTube video that's completely unrelated to the funeral and is not linked to malware.

The relevant malicious websites used in this attack are already blocked by our Browsing Protection.

Web Security post by — Chu Kian


Tuesday, September 15, 2009

Swayze Spam Posted by WebSecurity @ 08:39 GMT

Within hours of the reported death of movie star Patrick Swayze, our Web Analysts saw the first wave of spam related to the event.

When people search for news of the star's passing in Google, randomly checking the search results leads them to a "news report" such as this:

Swayze Death

Which suddenly displays this:

Swayze Death

Oh oh. Looks like SEO poisoning is being used to hit the user with a rogue AV's "invitation". The user then gets shown an image (not the user's actual folder, just an image) like this:

Swayze Death

Any mouse action on the image ends with the installer being downloaded.

One interesting detail is the rogue AV website includes a "geoip.php" that seems to be recording the city and country origin of each incoming connection. Could be for statistics tracking; it also seems to redirect anyone going back to the website for a second look, so you can't return to the exact same page.

This probably won't be the only rogue AV website to take advantage of Swayze's death to trap users. F-Secure users are protected from this threat, as the download links are already identified and blocked by the Browsing Protection service.

Swayze Death, Blocked

WebSecurity post by — Chu Kian


Monday, September 14, 2009

Sender: Anonymous Posted by Response @ 07:32 GMT

Michael Muller of discovered a bug in certain smartphones that allows sender obfuscation for MMS messages.

According to the security advisory, an attacker can create a MMS message that cloaks the sender number. This could essentially give people who send threats, scams and spams a free pass, as it negates any worries about their numbers being reported/exposed.

The attacker could also theoretically automatically download content onto a device, using a specially crafted MMS containing a URL. The major obstacle to this is that automatic download is entirely dependent on the service provider the device connects to.

According to Muller, "MMS clients which do not allow access to content URLs other than that of the provider's MMS proxy should be safe from the content, but are still vulnerable to the sender obfuscation."

The bug was discovered in June; full disclosure only occurred on September 11, 2009. This bug has been tested on the following devices:

– Blackberry (BB 8800, Firmware:
– Windows Mobile (WM5, WM6, WM6.1, WM6.5)
– Sony Ericsson W890i, W810i

Further details are available at

Response post by — Christine


Friday, September 11, 2009

Firefox Advice Posted by Sean @ 08:16 GMT

Firefox 3.5.3 was released on September 9th. If you're using Firefox, you've probably already been prompted to update.

Fixed in Firefox 3.5.3

While updating Firefox on one of our internal demo computers, we received this prompt:

You Should Update Your Flash

And since we keep Flash up-to-date on our production machines, we've never really noticed this before.

So Firefox "nags" that Flash should be updated kudos to Firefox. Update both versions while you're at it.


Wednesday, September 9, 2009

Microsoft Updates for September 2009 Posted by Response @ 10:56 GMT

It's the second Tuesday of the month, which means it's time for Microsoft Updates.

Five remotely exploitable vulnerabilities are detailed in this month's Security Bulletin.

All five are Critical and different platforms of Windows are affected. Among the affected vulnerabilities are Scripting JScript, ActiveX control, Media format files reading component, and WLAN AutoConfig Service.

But the big one is the TCP/IP stack processing vulnerability. This is the one that was discussed in the T2'08 conference by Jack C. Louis and Robert E. Lee.

Sadly Jack passed away before he could see his work published.

You can see more details at CERT.FI.


Nokia Booklet 3G Posted by Sean @ 10:49 GMT

Nokia has announced an interesting device: The Nokia Booklet 3G.

Coming from Nokia, this tiny aluminum laptop has several nice phone-like features integrated, including: 3G phone for HSDPA high-speed connections, GPS receiver, motion sensor, built-in camera and 12-hour battery life.

Having a phone integrated into your computer provides some nice advantages. Including sending text messages effortlessly from the computer and downloading your email over an encrypted GPRS connection instead of a random Wi-Fi hotspot.

So why are we talking about this?

Because Nokia Booklet 3G comes with F-Secure Internet Security 2010!

Nokia Booklet 3G with IS2010

For more information, see the full specifications.


Monday, September 7, 2009

Tweet, and Win a Nikon D60 SLR Posted by Response @ 13:48 GMT

Hi Folks,

To celebrate the launch of Internet Security 2010 (and our new branding), F-Secure is sponsoring a contest:

Tweet to Win

Just follow on Twitter and Tweet the phase found here to be eligible for a Nikon D60 SLR.


Thursday, September 3, 2009

Video - Internet Security 2010 Posted by Sean @ 15:11 GMT

Here's a brief video demonstrating the new look and feel of our Internet Security product, as well as some of the new key features.

YouTube Internet Security 2010

It's available on our YouTube Channel.


Protecting the irreplaceable Posted by Mikko @ 07:09 GMT

After the teaser yesterday, what's the big news?

We actually have several items.

F-Secure has a new logo.

F-Secure has a new slogan.

F-Secure has a new product.

Here's what our new logo looks like:

F-Secure logo. Click for a cooler 3D version

Our corporate slogan was BE SURE for years. Now it's:

Protecting the irreplaceable

Nice detail: the font above is called "F-Secure Sans". So we have our own font now too.

You can already see our new look & feel in our website and in things like our business cards.

Sean's business card

And, you can see it in our products…

…because today, we're officially launching F-Secure Internet Security 2010!

F-Secure Internet Security 2010

Looks great, doesn't it? Among other things, Internet Security 2010 provides huge performance increases over previous versions.

And, if you're an existing customer, you can upgrade for free right now!

We'll tell you more about the new features of the product in another post later today.


Wednesday, September 2, 2009

Big News Tomorrow Posted by Mikko @ 07:27 GMT

FragmentWe have some big news coming up tomorrow…

Stay tuned…

Watch this space…



Cyber Attacks on Malaysian Websites Posted by WebSecurity @ 03:30 GMT

On August 31 Malaysia celebrated its National Day. It was also the day hackers (who claimed to be from "INDONESIAN CODER") launched an attack against a Malaysian-based web host and defaced over 100 websites, most of them Malaysia-oriented. The affected websites include national institutes, universities and media and business sites.

A couple screenshots of the affected sites:



The hackers appear to be a loose coalition of various groups or teams. Individual hacker or team names used include ServerIsDown, MainHack, Brotherhood, Indonesian Coder and YogyaCarder Link.

The following is a sample of the affected sites:


The above was originally reported on a forum at Oraumum (,1663.0.html, Indonesian language). More details were also available on the blog.

Some of the sites are now clean or have been taken offline by their administrator. Some of them are still active. Defaced sites are rated as "unsafe" by our products until the pages are removed.

Web Security team post by — Chu Kian


Updated to add: Post edited to indicate the attack was primarily against a single web host, rather than against multiple servers.

Updated again to add: The Jakarta Globe website carried an article with more details on this incident, including comments from an Indonesian Foreign Ministry spokesman.


Tuesday, September 1, 2009

Online Backup 2.1.0 Beta Available Posted by Response @ 12:48 GMT

There's a new version of our Online Backup available. Version 2.0 was mentioned here back in March.

And then in July, F-Secure bought Steek, our technology partner at the time.

Well, version 2.1.0 of Online Backup is now available.

OnlineBackup2.1.0 710x535

Here's a message from the Project Managers:

Interested in trying out our newest Online Backup offering? We just launched a quick beta pilot for you to try out before its release!

This new version has some new features and functionality:

  •  Windows 7 support
  •  Right-click backup by clicking a file with the right mouse button to back it up immediately
  •  Easy to see which files are backed up; the icons for files already backed up will have a green marker (Windows version only)
  •  New localizations: Spanish, Brazilian Portuguese and Slovenian

There's also a web portal through which you can access your file back ups from any location.

More information and the subscription form can be found at our Beta Programs page.

Be quick — we'd really like to have some feedback. Cheers!