NEWS FROM THE LAB - September 2010


Wednesday, September 29, 2010

Patch for Information Disclosure Vulnerability Released Posted by Alia @ 08:11 GMT

Microsoft has released an out-of-band security bulletin (MS10-070) for the ASP.NET "information disclosure" vulnerability.

The short version of the vulnerability is that exploiting it generates unintended error messages containing information that an attacker may be able to use to view or compromise data.

According to the bulletin, any applications running on the platform are vulnerable. It also indicates Microsoft is aware of current, limited attacks against the vulnerability.

SANS raised their InfoCon Alert from Green to Yellow for this vulnerability, to "raise awareness for this problem and patch." The notice on the SANS blog also links to a much more detailed explanation of the attack.

For more info, you can read our Vulnerability Report on it, or better yet, go straight to the Microsoft site and get yourself the updates (MS10-070 Security Bulletin).


Tuesday, September 28, 2010

Twitter Antispam: Media not displayed Posted by Sean @ 17:30 GMT

Two weeks ago, Twitter began rolling out a new design with new features. We've been concerned about the display media option.

Could the displaying of media (pictures) facilitate image spam?

Good news. It seems Twitter may also be thinking about this:

Though it appears they might be worried about offending somebody more than they are of spam.

Media not displayed

Here's the default setting:

Settings: Tweet Media

Whatever the reasoning — it's good to see that a filtering option has been included.


Monday, September 27, 2010

ZeuS Variants Targeting Mobile Banking Posted by Sean @ 16:42 GMT

There's an interesting Windows+mobile case today involving a ZeuS variant that steals mTANs, using a Symbian (.sis) or Blackberry (.jad) component.

An mTAN is a mobile transaction authentication number, sent via SMS, and is used by some banks as a single-use, one-time password to authorize an online financial transaction. The SMS message may also include transaction data that allows you to check that nothing has been modified (for example by a Man-in-the-Browser attack).
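To make the mTAN mechanism described above concrete, here is an added example (not code from the post or from any bank) of a transaction-bound mTAN: the 6-digit code is derived from the exact amount and destination the bank received, and the SMS repeats those details so the user can spot a Man-in-the-Browser rewrite. The server key, session ids and account numbers are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Server secret used to derive transaction-bound codes (constructed for this example).
SERVER_KEY = b"example-server-key-not-for-production"

# In-memory stand-in for the bank's store of issued, not-yet-used mTANs:
# session_id -> (nonce, amount, destination account)
_pending: dict[str, tuple[str, str, str]] = {}


def _derive_code(nonce: str, amount: str, dest: str) -> str:
    """6-digit code that is an HMAC over the exact transaction details."""
    msg = f"{nonce}|{amount}|{dest}".encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def issue_mtan(session_id: str, amount: str, dest: str) -> str:
    """Bank side: bind a fresh code to the transaction as submitted and build the SMS.

    The SMS repeats amount and destination so the user can compare them with what
    they typed. A Man-in-the-Browser that rewrote the destination before submission
    cannot keep that out of the SMS: the phone shows the real target account.
    """
    nonce = secrets.token_hex(8)
    _pending[session_id] = (nonce, amount, dest)
    code = _derive_code(nonce, amount, dest)
    return f"Transfer {amount} to {dest}. mTAN: {code}"


def code_from_sms(sms: str) -> str:
    """Phone side: the code the user types back into the browser."""
    return sms.rsplit("mTAN: ", 1)[1]


def sms_matches_intent(sms: str, amount: str, dest: str) -> bool:
    """Phone side: the check the user must make before entering the code."""
    return sms.startswith(f"Transfer {amount} to {dest}.")


def verify_mtan(session_id: str, amount: str, dest: str, code: str) -> bool:
    """Bank side: valid once, and only for the transaction it was issued for."""
    record = _pending.pop(session_id, None)  # single use: consumed even on mismatch
    if record is None:
        return False
    nonce, _, _ = record
    return hmac.compare_digest(_derive_code(nonce, amount, dest), code)


def mitb_scenario() -> dict:
    """The attack the post describes, with constructed account numbers."""
    intended = ("100.00 EUR", "FI00 1234 5678 USER")  # what the user typed
    tampered = ("100.00 EUR", "FI99 0000 0000 MULE")  # what the infected browser sent
    sms = issue_mtan("sess-1", *tampered)              # the bank only saw the tampered form
    code = code_from_sms(sms)
    return {
        "user_sees_mismatch": not sms_matches_intent(sms, *intended),
        "code_rejected_for_intended": not verify_mtan("sess-1", *intended, code),
    }
```

The second flag in mitb_scenario shows why binding matters: a code issued for one destination cannot authorize a transfer to another, so the only thing the attacker can do is hope the user does not read the SMS.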

Windows-based online banking is constantly under attack from phishing, pharming, cross-site scripting, and password-stealing trojans. Adding an "outside" device to the process is a useful security countermeasure, one that we thought might be technically challenging enough to dissuade would-be attackers. However, online security is ever a cat-and-mouse game, and we've often predicted it was only a matter of time before some banking trojan focused on phones.

Enter case Mitmo: S21sec, a digital security services company, posted on their blog on Saturday: ZeuS Mitmo: Man-in-the-mobile. The ZeuS variants they've discovered (which we detect as Trojan-Spy:W32/Zbot.PUA and PUB) ask for mobile phone details and then send an SMS with a download link based on the answers given by the victim.

We've analyzed the Symbian component (which we detect as Trojan:SymbOS/ZeusMitmo.A) and can confirm S21sec's research. The Symbian file, cert.sis, calls itself "Nokia update" and is Symbian Signed for S60 3rd Edition mobile phones.

It is difficult to get the complete picture of this emerging threat vector as the C&C used by Zbot.PUA is no longer online, but based on the analysis and the configuration files, this attack is not a one-off by some hobbyist. It's been developed by individuals with an excellent understanding of mobile applications and social engineering. We expect that they'll continue its development.

Cat-and-mouse continues.


Thursday, September 23, 2010

Get the Hackers on Your Side Posted by Mikko @ 08:00 GMT

New York Times / Mikko Hypponen

Like it or not, Twitter is important. It is not only used for chit-chat, but it has turned out to be the fastest way to get eye-witness reports from people who are on location whenever something happens.

So it feels quite unpleasant when something like yesterday's attacks happen. Suddenly a service we've started to rely on is out of order -- because of some stupid worm? One moment you're catching up with the latest Tweets, and suddenly you've somehow resent a viral message to all of your followers.

And the antivirus program you've bought won't help you. No matter how hard you scan your system, there's nothing there. The worm isn't on your computer: it's on some Twitter server farm in some data center somewhere.

This is part of what we call the cloud. Once we start to use cloud services more and more, we also give up the control of our data. If you have your documents on your computer, you can encrypt and secure them. If you store them on a cloud service, you have to hope that someone else does it for you. Same thing with your communication.

Twitter worms are quite different from the more sinister trojans we see attacking the Windows operating system. Most of the Twitter worms are made just for testing, or for fun. Very few try to steal information or to make money. They are created by the same kind of curious tinkerers that 10 years ago would have been writing Internet worms, just to see how quickly they would replicate.

My recommendation? Twitter should establish a bounty for finding major new security vulnerabilities in their system.

Maybe some of these online hackers would be more interested in cashing in than writing yet another system-breaking worm for their amusement.

This op-ed originally appeared in The New York Times


Wednesday, September 22, 2010

Twitter onMouseOver Spam Posted by Sean @ 18:05 GMT

The first of yesterday's Twitter onMouseOver worms was started by Magnus Holm.

His version of the onMouseOver worm did nothing more than spread itself and could be deleted. And because it merely spread itself, Holm considers his version of the worm to have been harmless. Many authors of yesteryear's Internet worms thought the same.

Unfortunately, a "harmless" worm doesn't stay harmless for very long and there soon came a more aggressive onMouseOver worm, written by a seventeen-year-old using the alias Matsta.

Here's a screenshot of his now suspended Twitter account:

Twitter onMouseOver worm

Can you see the two links in his feed of tweets?

They were clicked several thousand times.

Twitter onMouseOver worm

Twitter onMouseOver worm

And where do the links go? — Surveys.

Matsta is a spammer driving traffic towards the affiliate network.

CPAlead affiliates are paid up to a buck or more per "lead".

Here's an iPad offer:

Twitter onMouseOver worm

And here's advice on how to unhack Twitter:

Twitter onMouseOver worm

If you fill out a survey and provide your e-mail address, or download a toolbar, or sign up for an SMS ($/) service, you'll then be directed to Ask Dave Taylor.

Matsta isn't even providing original content, he's just a proxy, promoting surveys and earning himself money in the process.

Another one of the tweets in Matsta's feed mentioned DanielFarley:

Twitter onMouseOver worm

And one of Farley's tweets refers to this recently created Facebook Page:

Twitter onMouseOver worm

Gascoigne's site at Rick Rolled visitors yesterday.

Today, there's a blog:

Twitter onMouseOver worm

Matsta writes:

"I'm going to post my full account of what happened on Twitter this morning."

It should be quite interesting to see what he has to say for himself.

Hopefully Twitter's lawyers are taking notes…


Tuesday, September 21, 2010

Worms Loose on Posted by Mikko @ 13:17 GMT

Several related XSS Worms are spreading on at the moment.

Twitter worm

An XSS vulnerability was discovered earlier today, and we quickly saw several worms created by different individuals.

Most of the worms are using onmouseover techniques, meaning it's enough to simply move your mouse on top of a malicious (mischievous) Tweet to resend the malicious message to your followers.

Here's a screenshot of Mr. Magnus Holm's Twitter feed (read from bottom to top):

Twitter worm

While Twitter's security team is scrambling to close this loophole, we expect problems to continue. It's perfectly possible that there will be more malicious attacks, possibly combining this technique with browser exploits.

In the meanwhile, we recommend you either:

  •  Log out of Twitter
  •  Use client programs to access Twitter instead of using
  •  Turn off JavaScript

Twitter's Trending Topics is full of chatter related to the worms:


Another example of what you could do with the XSS vulnerability:

Twitter worm

Updated to add: Twitter has fixed the XSS vulnerability and it's no longer exploitable.


1 Ad Service Compromised, 1 Country's Users Annoyed Posted by Alia @ 04:06 GMT

On September 19th and 20th, over 600 sites, mainly in Malaysia and Indonesia, were temporarily listed by Google as potentially harmful*. The roll call of sites affected includes many of Malaysia's major online media sites, including TheStar, Malaysiakini, Berita Harian and the Malaysian Insider.

Firefox warning

The issue was traced to ads unintentionally served on the affected sites by a third party ad provider, which were pointing to malware sites. The ad service has since announced that the offending material has been removed and that Google has reviewed their site. Most major websites affected also appear to have been cleaned.

Actually, compromised ad servers (and their knock-on effect on associated websites) are nothing new. What is interesting to note in this case is the disproportionate effect it had on an entire country's online community.

It's hard to imagine this incident occurring in Finland, the US or the UK. In those mature online markets, the level of computer security is generally higher; and there are more ad services, reducing the impact a compromised ad service might have.

But not all countries enjoy those advantages. That's especially true of countries only just coming online, who are still growing their online population and developing an online market.

In Malaysia's case, the attack was something of a perfect storm. Malaysia has a relatively small online population of approximately 17 million users; these users depend on a small handful of high-traffic local sites; these sites coincidentally shared the same third-party ad service.

Once that ad service was compromised, it was like throwing a big stone into a small pond — the ripples spread far and wide. In this case, it really didn't take much to inconvenience an entire country's online population.


* An article on gives a summary of this incident.

Hat tip to Choon Hong for his analysis.


Monday, September 20, 2010

F-Secure Safe Links Beta Posted by Sean @ 15:12 GMT

Do you own and maintain a website? If so, there's a new beta that we'd like you to check out. It's called F-Secure Safe Links.

Regular users of our Internet Security should already be familiar with our Browsing Protection feature. It rates the reputation of visited sites and search engine results:

F-Secure Safe Links beta

Safe Links uses the same back end technology and rates the reputation of hyperlinks posted on your site. Very useful for those that allow user created content.

Here's an introduction post from a demo blog on

F-Secure Safe Links beta

The service is free to try and the development team is eager for feedback. You'll find additional details and links to create an account on our Beta Programs page.



Flash Update Expected Today Posted by Sean @ 14:31 GMT

Last week, we mentioned Adobe's Flash Player advisory.

Well, the advisory has been updated and the vulnerability fix is expected to ship today:

Flash Player, CVE-2010-2884


Thursday, September 16, 2010

Shaq is Wack Posted by Mikko @ 06:40 GMT

Shaquille O'Neal NBA
Online Gossip Magazine Radar Online is reporting that NBA star Shaquille O'Neal is facing a lawsuit accusing him of hacking, destroying evidence and indicating that he attempted to frame an employee by planting child pornography on his computer.

According to the lawsuit, O'Neal also threw a personal computer in the lake behind his home.

O'Neal (widely known by his nickname 'Shaq') is one of the most famous professional basketball players in the world and one of the wealthiest sport stars overall.

Mr. O'Neal is active online with his "THE_REAL_SHAQ" Twitter account, but so far he has not commented on these latest allegations.

For us who work with computer security, it's a bit hard to know what to make of these allegations. Listening to someone else's voicemail isn't very hard at all, and neither is trying to hide computer evidence by throwing a laptop into a lake. As such, we wouldn't categorize Mr. O'Neal as a hacker. But I guess we'll learn more as the case progresses.

Shaquille O'Neal NBA

Hat tip to Bob McMillan. Image credit: Keith Allison


Wednesday, September 15, 2010

Launch Day 2011 Posted by Sean @ 15:47 GMT

Today is the official launch day of our F-Secure Internet Security 2011.

Yesterday's internal launch had cake… nam.

say no to viruses

See our site for more details.


Tuesday, September 14, 2010

Adobe Advisories Posted by Sean @ 17:35 GMT

Adobe released a security advisory for Flash Player yesterday:

Flash Player, CVE-2010-2884

"There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows."

Flash Player will be patched the week of September 27, 2010. Flash technology is also embedded in Reader and Acrobat. They'll be patched during the week of October 4, 2010, at which point, this vulnerability will also be addressed.

Best practices, as always, are advised in the meantime.

And here's a little thought on the matter from


Friday, September 10, 2010

Here You Have... Has Come and Gone Posted by Sean @ 12:54 GMT

We've received some media inquiries about an e-mail worm that's being called "Here you have".

The name is based on the subject lines used by the worm. It isn't anything very special, just your run-of-the-mill worm that requires its recipients to click on included links. The links supposedly open to either documents or videos, but it is really just a disguised executable called something such as PDF_Document21_025542010_pdf.scr.

Screen saver (.scr) files have long been blocked as attachments, which is why this worm uses links. Our antivirus already detected this threat before it was used by this particular "Here you have" run of e-mails. We detect it as Gen:Trojan.Heur.rm0@fnBStPoi.

The files to which the links attempted to connect were taken offline rather quickly, so the worm was not widespread in Europe, where it was too early in the morning to snare anybody.

In the USA, several big companies noticed the worm moving through their systems.

The links reportedly did not spread much from "Company A" to "Company B" as e-mail filtering systems caught the inbound/outbound threat. But within organizations, if the executable was downloaded and run, the worm attempted to steal browser passwords, and then to spread via contacts. Internal e-mail filtering is not as common, and there is also a network share component used by the worm, so within some companies its spread was highly noticeable.

E-mail worms have not been "fashionable" for some time now as antivirus vendors are quick to detect and block them and antispam technologies are quite effective at filtering them. But just because a threat isn't fashionable doesn't mean that best practices shouldn't be followed.

Don't readily click on links that arrive via e-mail, even if they are sent by people that you ordinarily trust.


Thursday, September 9, 2010

Apple's iOS 4.1 Fixes 24 Vulnerabilities Posted by Sean @ 14:11 GMT

Apple released iOS version 4.1 yesterday and it patches 24 security vulnerabilities. 20 of the vulnerabilities are related to WebKit.

Two flaws that are of interest are related to image handling vulnerabilities that could allow for arbitrary code execution.

iOS Security Updates 2010.09.08

Last month, JailbreakMe 2.0 was released which used a combination of two vulnerabilities: CVE-2010-1797 and CVE-2010-2973.

JailbreakMe users can (using an unofficial fix) patch CVE-2010-1797, the vulnerability exploited by a PDF document with maliciously crafted embedded fonts. It should be interesting to see if unofficial patches for these new vulnerabilities are developed as some of them could possibly be used with CVE-2010-2973, putting JailbreakMe users at risk to remote attack.

We've updated our spreadsheet indexing Apple's iOS Security Advisories. [XLSX]

There's an HTML version here.

Also of note: iPhone enthusiasts have discovered a bootrom exploit that will allow for jailbreaking via a vulnerability embedded at the hardware level (not remotely exploitable).

Hat tip to Chris Wysopal.

Edited: Clarified that JailbreakMe users have access to an "unofficial" patch for CVE-2010-1797.


Tuesday, September 7, 2010

Facebook Spam Worm Links to "Mobile Entertainment" Posted by Sean @ 11:59 GMT

The survey spam worm that spread across Facebook yesterday was posted to profile Walls "via Mobile Web".

Here in the lab, we're always interested in all things mobile, so we took another look at All Facebook's post. In an update, they show that the spam was also spreading via messages.

And there is a link visible in the screenshot pointing to

That site is registered to a "Jane Doe" and is hosted in the USA by Dynamic Dolphin. Visiting the URL from Finland simply redirects to another site called Wixawin (via which offers "Mobile Entertainment". And what kind of entertainment do they offer?

The kind that could cost you upwards of 17.50 per month in subscription fees.

This is what you'll see if you attempt to visit Wixawin with our Mobile Security Browsing Protection enabled.

Mobile Security Browsing Protection

The affiliate ID that appears to be behind much of this mischief is: "affiliateid=WANE". Perhaps the spam was being posted via Mobile Web so that it included the necessary referrer?

In any case, let's hope that the affiliate network revokes whatever leads this spammer may have made.


Monday, September 6, 2010

New Spam Worm on Facebook Posted by Sean @ 23:46 GMT

A clever spammer has discovered a Facebook vulnerability that allows for auto-replicating links. Until now, typical Facebook spam has required the use of some social engineering to spread.

But clicking on any of these application spam links is enough to "share" the application to the user's Wall.

See the search results below:

I thought this survey

Note that each of the search results was posted "via Mobile Web", which suggests that a common bug is being exploited. Or perhaps the spammer is posting via m.facebook as it's generally more responsive than the main site.

It's also interesting that the application links seem almost polymorphic or Captcha-like.

All of the links that we tested resulted in a page not found, so Facebook appears to have halted the worm's progress.

Hat tip to All Facebook, read more here.


Fake Passports Posted by Mikko @ 14:20 GMT

In today's episode of What Can You Find On the Web, we give you an online store for purchasing fake passports that we ran into.

Prices of these range from $650 to $1000. They don't seem to (yet?) offer passports with embedded RFID chips.

Some screenshots:

Updated to add: We can now confirm the site's URL was and it has been taken offline by the hosting company. Unfortunately there are copies of the site still operating elsewhere in the world.


Wednesday, September 1, 2010

Twitter Spam and the OAuthcalypse Posted by Sean @ 15:36 GMT

Twitter discontinued support for basic user authentication in third-party applications yesterday morning.

Good. It's always best to never share your password with a third party. Even if you trust them, their database could be compromised, and your password along with it. The discontinuation of basic user authentication also removes the vector of brute force password attacks via Twitter's API.

All third-party applications must now use Twitter's OAuth.


So, that being the case… we have a feature request.

The other day, we came across some Twitter spam using a link that pointed to an application called "Lady Gaga photos".


If you "Allow" the application, two things will happen: the account tweets spam and follows two new accounts (emoboyxx3 and BoyGeorge).

We don't suspect Boy George is behind this…


Okay, so it's a spam application. Time to visit Settings/Connections and revoke its access.


And here's our feature request: we want a "Revoke Access and report as a spam application" option alongside the "Revoke Access" option.