As you know, new variants of old viruses are named by appending a variant letter: Virus.a, Virus.b, Virus.c, etc.
When we have more than 26 variants of a virus, we run out of letters. Then we roll over from Virus.z to Virus.aa, Virus.ab, Virus.ac etc.
For some virus families, even this is not enough. They've become so large (over 700 members) that we've ended up at variant zz, at which point we of course roll over and start again with Virus.aaa, Virus.aab, Virus.aac etc.
I was looking at some of the latest definitions we've put out and noticed that today we published detection for three new variants in the generic Trojan-Downloader.Win32.Small family:
Huh. Variant "btu". That's close to 2000 different variants. I wonder how long it takes until we have to wrap to Virus.aaaa.
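The naming scheme described above is bijective base-26 (there is no "zero" letter, which is why the sequence goes z, aa rather than z, ba). The following Python is an added example, not code from the original post or from F-Secure; it converts between a variant's ordinal number and its letter suffix, computes exactly where "btu" falls in the sequence, and reports at which ordinal the suffix grows to a given number of letters. The function and helper names are our own.

```python
import string

ALPHABET = string.ascii_lowercase  # 'a'..'z', 26 symbols, no zero digit


def variant_suffix(n: int) -> str:
    """Return the letter suffix of the n-th variant (1-based): 1 -> 'a', 27 -> 'aa'."""
    if n < 1:
        raise ValueError("variant numbers start at 1")
    letters = []
    while n > 0:
        # Subtract 1 before dividing so that 26 maps to 'z' and 27 to 'aa'.
        n, rem = divmod(n - 1, 26)
        letters.append(ALPHABET[rem])
    return "".join(reversed(letters))


def variant_number(suffix: str) -> int:
    """Inverse of variant_suffix: 'a' -> 1, 'z' -> 26, 'aa' -> 27, 'zz' -> 702."""
    if not suffix or any(c not in ALPHABET for c in suffix):
        raise ValueError(f"not a variant suffix: {suffix!r}")
    n = 0
    for c in suffix:
        n = n * 26 + (ALPHABET.index(c) + 1)
    return n


def split_variant(name: str) -> tuple[str, str]:
    """Split 'Trojan-Downloader.Win32.Small.btu' into (family, suffix)."""
    family, _, suffix = name.rpartition(".")
    return family, suffix


def suffix_width_boundaries(max_width: int) -> dict[int, int]:
    """Map suffix length -> first ordinal that needs that many letters."""
    return {w: variant_number("a" * w) for w in range(1, max_width + 1)}


if __name__ == "__main__":
    family, suffix = split_variant("Trojan-Downloader.Win32.Small.btu")
    print(family, suffix, variant_number(suffix))        # ... btu 1893
    print(suffix_width_boundaries(4))                    # {1: 1, 2: 27, 3: 703, 4: 18279}
```

Running it shows that "btu" is variant number 1893, and that the jump to four letters happens at ordinal 18279, so a family has a long way to go after "btu" before the suffix wraps to "aaaa".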
For reference, here are the virus families that have already wrapped to "three digits", i.e. past variant letter ".aaa". Some of these are generic families where the malware isn't really related, but the samples are so simple and stupid that they end up getting categorized into the same family anyway:
Yesterday Skype published a security advisory about a heap overflow in the Skype user client. According to another advisory published by EADS/CRC, this vulnerability is remotely exploitable and is not stopped by the heap protection used in Windows XP or Linux.
We just got a report of the first phishing attack in the Greek language. This attack targeted the customers of the Alpha Bank online system. According to our local experts at Inter Engineering, the phishing message was sent very widely and was received by virtually every email account in Greece.
An official statement on the incident from Alpha Bank is available here. Also, our spam update 2005-10-25_03 blocks these messages.
After this incident, we're aware of phishing cases done in 16 different languages, including:
- English
- Chinese
- German
- French
- Italian
- Spanish
- Portuguese
- Russian
- Dutch
- Greek
- Swedish
- Norwegian
- Danish
- Hungarian
- Estonian
- Romanian
We have no reports of phishing emails sent in languages such as Japanese, Arabic, Hindi, Korean, Polish, Czech or Finnish.
If you can prove us wrong, please let us know by mailing us at the usual address:
We also appreciate samples of phishing emails in unusual languages.
Today we got a sample of a new Cabir variant, SymbOS/Cabir.AA. Unlike most other Cabir variants, Cabir.AA is not a hex-edited minor variant of Cabir.A or Cabir.B. Instead, this variant has been recompiled from the source code of the original Cabir (which has been floating around in the underground). Otherwise Cabir.AA is very similar to other Cabir variants, with the exception that it shows a scary bitmap image when the worm starts.
We shot a video in our RF lab of a phone getting infected with Cabir.AA. The video shows two phones being infected, one over a USB cable and another over Bluetooth from the infected phone. In this video we also have one phone that has F-Secure Mobile Anti-Virus installed, which shows the Anti-Virus detecting and blocking Cabir, so that the user cannot get infected even if they accept the Bluetooth file transfer from the infected phone.
In the past couple of weeks, we have seen an increasing number of stories in the media about people who have had their phones infected with Commwarrior.A or Commwarrior.B. In many cases the Commwarrior infection has caused large phone bills due to the number of MMS messages it sends.
Many operators have posted warnings about Commwarrior spreading among users, for example the recent warning from TDC Mobile.
We have also updated our free F-Commwarrior tool so that it can now handle Commwarrior.C as well. Commwarrior.C has quite effective self-protection, and disinfecting it without a special tool is rather difficult for a normal user.
We're currently looking at a botnet client known as "Mocbot".
This botnet client has been spread using the MS05-047 vulnerability. This is the first case of using this vulnerability in malware we've seen.
A symptom of infection is the existence of a file called wudpcom.exe in the SYSTEM directory. The botnet client tries to connect to two IRC servers in Russia, but the servers seem to be down (or overloaded).
Info on this PnP vulnerability (not to be confused with the MS05-039 vulnerability used by Zotob) is available from the Microsoft website.
A patch for this vulnerability was published in the last monthly update set from Microsoft. Patch now.
The vulnerability can be exploited via 139/TCP and 445/TCP.
Updated to add:
After further analysis, it turned out the actual vulnerability is not MS05-047 but the old MS05-039 (also used by Zotob). The confusion was caused by the exploit code used by Mocbot, which resembles publicly available exploit code for MS05-047. See the updated description of Mocbot.
Also, we have received reports that the bot channel may instruct all joining bots to start automatically scanning for vulnerable computers, thus behaving like autonomous worms.
We blogged a story a couple of weeks ago about the PSP trojan disguised as firmware for modified PSPs. A good story in its own right, but we wanted to see it in action. So what happens when a group of geeks gets an itch to destroy an expensive toy but nobody in the AVR lab is willing to pony up their own personal PSP? You make a call, get someone to donate a PSP, fire up the video camera and record it for posterity.
It certainly does lots of things, and none of them are nice. This is probably the most dangerous mobile phone virus we've seen so far. Luckily it doesn't seem to be widespread.
Commwarrior.C spreads over Bluetooth in the same manner as the earlier variants, but its MMS functionality is quite different.
First of all, Commwarrior.C goes through the address book and sends messages to the numbers found there, just like the A and B variants did. But in addition, it also mimics the user's MMS behavior. Commwarrior.C listens for any arriving MMS and SMS messages and replies to them with an infected MMS! And when the user sends an SMS message, Commwarrior follows it by immediately sending a second message to the same address: an infected MMS.
The messages sent by Commwarrior.C contain text gathered from SMS messages stored on the phone, which means that the recipient of the MMS message will receive a text that doesn't seem too strange.
Together these make a very strong social engineering trick: you send an SMS message to an infected friend, and his phone immediately answers you back with an infected MMS, complete with message text stolen from random earlier messages!
Commwarrior.C also copies itself onto any MMC card inserted into the phone, so it is also capable of spreading to other phones if you share your card.
Regardless of the spreading method, the recipient still has to accept and install the SIS file of the virus, and accept the usual system warning of installing an unsigned application.
In addition to spreading, Commwarrior.C also contains some payloads by which it indicates that it has infected the phone. On some phones Commwarrior changes the operator logo to its own logo, which contains the text "Infected by CommWarrior".
The virus might also open a web page in the phone's browser. This website (which is hosted in Russia) has lifted some of its content from our antivirus pages at mobile.f-secure.com.
We just received a new sample of the Commwarrior worm, Commwarrior.C.
Commwarrior.C seems to function in a similar manner to the A and B variants, which means that it spreads over Bluetooth using random file names and sends MMS messages. However, as we only just got the sample, the MMS message sending is not yet confirmed.
The sample that we received was posted on a mobile phone forum as a SIS trojan pretending to be a pirated copy of the software SymCommander. So there might be people who have downloaded and installed Commwarrior.C, and thus it might be in the wild, but we don't estimate it to be widespread, at least not yet.
F-Secure Mobile Anti-Virus detects Commwarrior.C with database update 53, which was published at 13:31 GMT. So please make sure that your Anti-Virus is up to date.
After several years, the Favoriteman and NetPal nuisances have stopped. The company behind them has closed, and we can report that they have moved out of their company offices. All related web servers are unreachable, and the already distributed spyware no longer functions.
Like many spyware vendors, Mindset Interactive used multiple names to distribute their spyware. That is why the termination of the company behind it is such a positive turn.
Mindset Interactive was behind Favoriteman, also known as F1Organizer, ATPartners, SpyAssult and Window Help 4 Smart Browsing. They also constructed NetPal, which used a massive number of games as distribution channels.
F-Secure will keep Favoriteman and NetPal in detection to clean out the final filth.
Microsoft today released updates for Windows covering 8 vulnerabilities affecting Windows and 1 affecting both Windows and Exchange.
The vulnerabilities rated Critical are MS05-050, MS05-051 and MS05-052. All of them could allow remote code execution, the first two due to vulnerabilities in DirectShow and MSDTC/COM+ respectively; the latter involves Internet Explorer and could be used to gain control of an unpatched system.
Four vulnerabilities are rated Important: MS05-046, MS05-047, MS05-048 and MS05-049. All of them involve remote code execution. The affected components are "Client Services for NetWare", "Plug and Play", "Microsoft Collaboration Data Objects" and the "Windows Shell". These are rated Important because they require either user interaction or the attacker to log on locally, or they affect services that are not installed by default or are not vulnerable in their default configurations.
The last two, rated Moderate, are MS05-044 and MS05-045, affecting the Windows FTP client and the Network Connection Manager respectively.
Of all these, the three rated Critical might end up being used with malicious intent against unpatched machines. As usual, it's recommended to update as soon as possible.
So, we're back from the Virus Bulletin conference. Everything went fine, including our presentations on rootkits and mobile risks. We'll be posting the papers and/or slides later this week.
While talking about rootkits: we received the first sample of Golden Hacker Defender around a month ago. This is the commercial, private version of the Hacker Defender rootkit. Bad boys are purchasing this tool in order to hide their tracks...and might pay over 500 EUR for it, depending on the features.
The sample we got was found by a company on several of their Windows servers. The discovery was made while they were testing the latest beta version of BlackLight.
The most notable feature of this non-public Golden Hacker Defender is its anti-detection engine. It is able to bypass most modern rootkit detectors. The anti-detection engine identifies detectors through a binary signature before the detector has a chance to execute. If the signature matches, the rootkit can disable some of its hooks, or it can patch the detector's binary to modify its functionality.
In this case, detection was possible because the intruder had not yet updated his/her rootkit to include the signature of our latest BlackLight release.
So now we have developers of rootkit detectors adding detection of the latest rootkits to their scanning engines, and developers of rootkits adding detection of the latest detectors to their scanning engines.
In a sense, a direct attack against rootkit detectors requires that the rootkits update themselves faster than the detectors. This is not always possible: F-Secure Internet Security 2006 contains a feature to automatically update its BlackLight engine through anti-virus updates.
A new Zafi variant was found tonight. Like most members of this Hungarian virus family, Zafi sends messages with fake web links that actually launch the local attachment, and changes the language of the message based on the address of the recipient.
The mails might also contain a fake "MSN Photo email" picture to fool recipients.
Two UK men were sentenced today at Newcastle Crown Court for their part in an international hacking group.
They were charged with writing the "TK Worm" in 2003. This was one of the early botnet clients.
TK Worm is detected by our antivirus as Backdoor.IRC.Demfire. The name comes from "Fire Daemon", which is the name of the service started by the virus.
Andrew Harvey (23) from Durham pleaded guilty to conspiring to "effect unauthorised modifications to the contents of computers with the intent to impair the operation of those computers" and was sentenced to six months.
Jordan Bradley (22) from Darlington pleaded guilty to the same and was sentenced to three months.
Older versions of the PSP firmware (e.g. 1.50) have a vulnerability that allows easy execution of custom code on the device. Ever since Sony fixed the flaw in newer versions, the firmware downgrade to 1.50 has been the "Holy Grail" of PSP homebrew development. After the discovery of a buffer overflow in version 2.0 of the PSP firmware, many rushed to be the first to release a working firmware downgrader.
Soon, one of these firmware downgrade tools turned out to be a trojan that renders the PSP unusable. The infamous patcher from PSP Team removes a few important system files from the flash, which makes the system unbootable. Our analysis confirmed these reports.
This tool has been reported to be the first "PSP virus" by many sources. Since it does not replicate in any way, by our definition we can call it a trojan at most. It definitely falls under the malware umbrella term, however.
It is worth mentioning here that, according to Sony, running any unauthorized code on the PSP will immediately void the warranty.
This German worm has been spammed during the last few hours. We have several sightings of the seeding but no real infection reports.
This variant sends itself either in a generic English message or in a longer German message from "Kerstin", "Rita", "Hannelore" etc. The message tells a story about a school reunion and asks if you are the person in the attached picture...which of course is not a picture.
This is also a good opportunity to showcase the new Common Malware Enumeration (CME) initiative, which has been introduced today at the Virus Bulletin 2005 conference in Dublin.
This new Sober variant goes by a variety of names, including Sober.R, Email-Worm.Win32.VB.b, W32.Sober.Q@mm, W32/Sober-O etc.
However, the CME identifier for this threat is CME-151, and all the important vendors use the same identifier for it.
Over the last week or so, the volume of spam has been rising markedly. There is of course some variation between domains, but here is one typical example, from one of the domains we monitor.
At the same time, the number of phishing messages has been stabilizing. At one point in July, there was a tremendous number of basically identical eBay and PayPal scam messages in transit, but we are no longer seeing those in large numbers (they are still around, but in modest volumes).
This marked rise appears to be caused by a large number of matchmaking spams. So it would seem that the activities of a single determined (or crazy, if you will) spammer can still make a difference.
Unfortunately, we hereby speculate that no corresponding sharp decline will be noticed when this vandal is nailed ...
Phishing attacks have been jumping from one geographical area to another. First we saw them in the USA. Then in Australia. Then the UK. Then in Germany, localized into German. In early 2005, we saw isolated phishing cases in Denmark.
Last night an unknown party launched a large-scale attack against Nordea Sweden. Nordea is the largest bank in the Nordic countries. It also operates one of the largest internet banks in the world, with over 4 million internet customers in eight countries.
Basically this was a normal phishing scam: somebody spammed a large amount of spoofed emails with links pointing to a fake bank. What made it different was two things:
1. The phishing emails were in Swedish
2. Nordea operates a one-time password system
The one-time password system in use by Nordea Sweden consists of a scratch sheet, where you scratch to uncover the next available PIN code for login.
Attacking a site like this is quite a bit more challenging than attacking banks that authenticate users with a bank account number and a constant 4-digit PIN which never changes.
However, that's just what has now been attempted.
The fake mails explained that Nordea is introducing new security measures, which can be accessed at www.nordea-se.com or www.nordea-bank.net (fake sites hosted in South Korea).
The fake sites looked fairly real. They asked the user for his personal number, access code and the next available scratch code. Regardless of what you entered, the site would complain about the scratch code and ask you to try the next one. In reality the bad boys were trying to collect several scratch codes for their own use.
As the scam was uncovered, Nordea Sweden shut down their whole internet bank. Apparently this was done in order to prevent the scammers from using the codes to move money around.