NEWS FROM THE LAB - October 2007


Wednesday, October 31, 2007

Mac Malware Posted by Mikko @ 17:35 GMT

Now here's something we don't see everyday.

Intego is warning on new malware for Mac OSX 10.x.

We'll try to find more info on what's going on here.

Updated to add: We now have a description of Trojan:OSX/DNSChanger.


Warezov Domains on All Hallows Eve Posted by Sean @ 15:39 GMT

Storm seems to have seized the Warezov gang's mojo. They just don't make as much noise as they once did…

But recently they've been noticeable enough to prompt Toni into doing some research on their registered domains. And the results are kind of frightening.

Warezov Domains

Using his "patented" data mining techniques, Toni turned up 2039 domains connected to the Warezov gang as of 12:00 today.

Of those, 810 domains resolved as a fast flux. 1229 do not currently resolve. They're dead. (Or are they undead?)

These domains are used for both malware downloads and for pushing spam.

The next step is to get them taken down. No small task that.

Download the Lists:

   Domains — 2039
   Fast Fluxes — 810
   Undead — 1229


On a Halloween related note, check out this silly website created by our Swedish office —
And our PR folks have put together a few "costumes" of their own as well.


Unrest in Ukraine Posted by Mikko @ 05:57 GMT

The website of the Ukrainian President Viktor Yushchenko has been under a DDoS attack for a while. Russian groups are currently being blamed for the attack.

Viktor Yushchenko

The case has some similarities to the large DDoS attacks in Estonia during the spring.


Tuesday, October 30, 2007

Trick or Treat with Stormy Helloween Posted by Jose @ 19:31 GMT

New tactics from the Storm gang can be seen as they celebrate with Halloween. Below is the look of the latest Storm site:

Halloween Storm

With an unpatched system, visiting the site will trigger an exploit to automatically download and execute a malicious file. The new filename is halloween.exe. We already detect this as Email-Worm.Win32.Zhelatin.LJ

This may be a Trick, and a bad Threat from the Storm gang, so be sure to keep your databases updated.

Friday, October 26, 2007

Malicious PDF Files Being Spammed Out in Volume Posted by Jusu @ 15:10 GMT

A malicious PDF file called report.pdf, debt.2007.pdf, overdraft.2007.10.26.pdf, or similar, has been massively spammed through e-mail. The PDF is spiced with exploit CVE-2007-5020 that downloads ms32.exe, which in turn downloads more components.

Massive spamming did not eventually lead to major problems, since the secondary download location was swiftly taken down preventing the downloader from functioning.


The subjects for the spam messages include:

  Your credit report
  Your credit points
  Your balance report
  Personal Financial Statement
  Personal Credit Points
  Personal Balance Report
  Your Credit File
  Balance Report

More information is available in our full description.

More on the scope of the vulnerability is available via a ZDNet article.


This Bud's for You? Posted by Mikko @ 06:09 GMT

We've been monitoring some spam runs lately advertising "legal herbs" for smoking purposes.

Here's an example:

The Bud Shop

This link takes you to a website called (not to be mistaken with

Now, it is quite curious that this joint shop is located in Hong Kong (.hk), of all places.

Let's see where the actual server is hosted:

Bud Shop Hosts

Oh, I see. The address keeps changing every few minutes. And, quite curiously, the IPs point to individual DSL boxes, i.e. home computers. Sounds like a botnet to me.

Lets take a closer look at the WHOIS record of

Name Servers

Boy, don't those nameservers look weird. In fact, we've seen these before. There's a whole range of similar nameservers, including:

All of them are registered to Chinese addresses and they are criss-crossed to provide DNS for earch other.

We've seen Citibank and Myspace phishing sites hosted under these domains before. But this is the first time we've seen a smoke shop hosted there. It's quite likely the whole site is fake and only built to collect credit card numbers.

So, Just Say No.


Thursday, October 25, 2007

Mudslinging Malware Posted by Sean @ 13:02 GMT

Malware Attempts to Affect Kenyan Elections

Most of the day-to-day malware that we currently analyze has a financial motive. Such malware typically doesn't do anything noticeably malicious as it doesn't want to tip-off the victim.

But every now and then, we see something that's just plain nasty. Yesterday, Marko analyzed such a sample that we now detect as Trojan:W32/Agent.DPL.

This particular piece of malware appears to have a political rather than financial motive. A system infected with Agent.DPL displays the following message when Windows starts:


And it attempts to connect to

Kalonzo Musyoka for President

The website is the official presidential campaign page of Kenyan politician Stephen Kalonzo Musyoka. He launched his presidential campaign on October 14, 2007. Kenyan elections will be held in December. Note that the malware quotes Francis rather than Stephen.

Agent.DPL hacks the registry so that the user is unable to locate key Windows functions. This image shows the missing Control Panel icon as well as a few other things.


If any Control Panel apps are launched from another location, they'll be shut down by the malware.

Our guess is that by making the computer next to useless, Musyoka's detractors hope to shift the blame to him. But then again we don't know that much about the political situation in Kenya…

Our description — Trojan:W32/Agent.DPL — provides additional details, including an unusually easy way to disable it.

Wednesday, October 24, 2007

RSA Europe 2007 Conference Posted by Alexey @ 10:37 GMT

RSA Conference Europe 2007

Greetings from the RSA Europe conference. This year it's being held in the Excel Conference Center in London.

The conference has many different tracks: authentication, business trends and impact, deployment strategies, developing with security, enterprise defense, hackers and threats, and a few others.

Several leading security experts including Bruce Schneier are participating in the keynote sessions. And to crown it all off, the closing keynote session is hosted by Frank W. Abagnale, the world's famous authority on fraud and identity theft. This name rings the bell, doesn't it? Indeed, Frank was the subject of the major motion picture "Catch Me If You Can", directed by Steven Spielberg and starring Leonardo DiCaprio and Tom Hanks.

Signing off,


Monday, October 22, 2007

Security Advisories Posted by Sean @ 14:38 GMT

There's a RealPlayer vulnerability and fix reported:

Real 10.19.2007

Details are available from

And if you haven't come across it yet, there's an unpatched vulnerability in Adobe Reader; but there's a workaround:

Adobe 10.05.2007

Details are available from

Updated to Add: Adobe has released an update.


Friday, October 19, 2007

555 8th Ave Posted by Sean @ 15:15 GMT

The Russian Business Network has a curious domain registration history.

Here's the given address for the later half of 2006: History

The 555 reminded us of the fake phone numbers used in Hollywood movies so we decided to do a search on the address. There were lots of results. It was when we searched for "555 8th Ave" and e-gold that we discovered an interesting case from the past.

On February 22nd of 2006, the Manhattan District Attorney's office indicted three people for laundering $25 million via their business called Western Express:

Western Express Indictment

Western Express was hosted at Here's the page courtesy of the Wayback Machine:

Western Express - PayCard2000

Shortly after the incitement there's a message informing their customers that they have hired attorneys to fight the charges:

Western Express - Closed for Business

And then the case drops off the radar…
Being curious, we called the District Attorney's office in New York for a follow-up. The couple running the website plead guilty to the charges against them and received 2 to 6 (Vadim), and 1 to 3 (Yelena) years in prison. Their son is apparently still a fugitive.

Sometimes crime doesn't pay.


Audio - Silver Bullet Security Posted by Sean @ 11:23 GMT

Recently, Mikko was interviewed by Gary McGraw of the Silver Bullet Security Podcast. Show #19 was posted yesterday.

From McGraw's site:
"For the 19th episode of The Silver Bullet Security Podcast, Gary interviews Mikko Hyppönen, Chief Research Officer at F-Secure. During this show, Gary and Mikko discuss Helsinki and Finnish pronunciation, whether mobile viruses are all hype or a legitimate threat, if the iPhone as a closed system is good or bad for security, and Mikko’s prediction for the appearance of the first mobile botnet. They also chat about Finnish hip-hop."

Link here: Show #19

Mikko's Usenix panel presentation (audio/video) is also available from



Wednesday, October 17, 2007

The New Global Storming Network Posted by Ian @ 20:32 GMT

A new Storm site advertises a networking application. That site looks like this:


However, a mere visit to the site using an unpatched system will trigger an exploit to automatically download and execute a malicious file. Patched systems are protected but only if the users do not choose to download the file (with filename krackin.exe) and execute it themselves.

The webpage is detected as Trojan-Downloader.JS.Agent.KD while the file is detected as Email-Worm.Win32.Zhelatin.KE.

This is one network you wouldn't want to join, so make sure to keep your databases updated.

Skype Stealer Posted by Sean @ 11:53 GMT

Yesterday we added detection for a Trojan-Spy password stealer targeting Skype. The malware bills itself as Skype Defender, which sounds like a security plug-in.

Running the malware produces this dialog:

Skype Defender Installation

Once "installed", what looks like the Skype logon screen is displayed:

Skype Defender SignIn

Attempting to use the logon screen produces an error message:

Skype Defender Error

Note that the real Skype's sign in button is different than the malware's:

Skype Logon

Our detection is Trojan-Spy.Win32.Skyper.B.

Read more details from Skype's Blog.


Tuesday, October 16, 2007

RBNNetwork Posted by Sean @ 15:20 GMT

Familiar with the Russian Business Network? Let's Ping

The loopback address is deliberate, the RBN doesn't want you to know anything about them.

Some of their customers include the Rock Phish gang, those thought to be responsible for the recent attack on

Rock Group

Brian Krebs has two must-read posts here and here.

Updated to add: Krebs has posted a follow-up based on this Wired story. The RBN claims to be misunderstood.

Also of interest — Check out RBNExploit at Blogspot which is entirely devoted to the RBN.


Saturday, October 13, 2007

Passwords on the Loose Posted by Mikko @ 20:27 GMT


An unknown group has caused quite a hassle by publicly posting information about tens of thousands of user accounts.

A 4.5MB text file (passlist.txt) was uploaded to a Finnish website earlier today. The file contains usernames, e-mail addresses, passwords and uncracked password hashes of almost 79,000 user accounts. These accounts are mostly from different Finnish web forums.

It's quite trivial to find the correct password based on the password hash, assuming the password is "easy" and can be found from a password dictionary. The passlist.txt file claims that the hack was done by two Swedish hackers but this has already been disputed.

The case exhibits some resemblance to an incident six weeks ago, where Swedish hacker Dan Egerstad published hundred passwords to different embassies and government organisations. However, in that case the information was stolen by Mr. Egerstad by running rogue TOR exit node servers.

In today's case, the information has been stolen by unknown parties – most likely by hacking the servers of several Finnish web forums: that's pretty much the only way to gain access to the password hashes.

More discussion (in Finnish) via


Friday, October 12, 2007

Video - Next Level Money Mule Recruitment Posted by Sean @ 16:13 GMT

Bobbear fights money transfer frauds. lists many of the sites used by the bad guys attempting to recruit money mules.

Well — The bad guys have struck back. The fraudsters have attacked the site's reputation and Bobbear is currently offline. Earlier today, it was also unavailable via Google's cache.

Today we also happened to receive some spam that caught our interest. It was a job recruitment from Next Level — one of the fraud sites listed at Bobbear.

Next Level

We examined the Next Level scam site until we made the connection to the real world company whose web design was being ripped off by the fraudsters. They're Solutions Inc.

We discuss some of the details in this video, available from our YouTube Channel.

Video - Next Level

We'll follow-up next week with some additional details…


Storm Gets Cute Posted by Patrik @ 02:08 GMT

After a few weeks of low activity from the Storm gang they restarted their activities earlier this week. The mails and website were the same as from September but yesterday they changed the e-mail messages and also the website:

Storm Oct 12th 2007

All the links points to SuperLaugh.exe which we detect as Email-Worm.Win32.Zhelatin.KI

Wednesday, October 10, 2007

Patch Tuesday Again, Folks... Posted by Esz @ 01:17 GMT

Below are the lists of critical and important updates Microsoft has for this month.

Microsoft's October Updates

These updates involve applications including Kodak Image Viewer, Outlook Express and Windows Mail, Internet Explorer, and a vulnerability in Microsoft Word. All of these could allow remote code execution and elevation of privileges. For more details on these updates, here's the link to Microsoft's Security Bulletin.

BE SURE to update always!

Tuesday, October 9, 2007

Police Academy in India Hosting a Phishing Site Posted by Mikko @ 13:55 GMT

While reviewing some international phishing sites we ran into this interesting case…

SVP National Police Academy in Hyderabad, India has had some sort of compromise on their website.

Police Academy

The end result is a Bank of America phishing site operating on one of their servers.

Bank of America Phishing Site

The Police Academy has been notified, and we expect that they'll sort this out swiftly.

After all, they have courses on computer crime listed in their course calendar.


Monday, October 8, 2007

How Gullible Can You Get? Posted by Mikko @ 08:53 GMT

Most of the new phishing we see is done with phishing kits, like the Rock Phish kit.

But every now and then we run into "old skool" phishing. Like the site we're looking at today, This domain was registered to Mr. "Asger Trier Bing" in Copenhagen three weeks ago. Quite surprisingly, the site is even hosted in Denmark.

When visiting the front page of the site, you get redirected to a standard PayPal phishing site. Once you log in (with any credentials), you get redirected to a page for some "additional security checks".

Now, take a look at the list of questions they're asking.

It's quite astonishing that anybody would be gullible enough to go through the full form and type in all the required information. Like your e-mail password? Your father's day of birth? Your PIN? Then again… somebody will fall for this. Someone always does.

Huge PayPal Phish

Sorry for the big screenshot. The site has been reported and should be down soon.

Editor's Note: The registrant noted above, Mr. Bing, is the victim of identity theft.


Friday, October 5, 2007

"Hentai" Trojan Spammed Posted by Mikko @ 10:13 GMT

We've received multiple reports of being spammed via e-mail in variable messages.

Typical message below:


We don't think this particular spam run is related to the Storm worm. We've added detection as Trojan-Downloader:W32/Agent.DTH.


Thursday, October 4, 2007

Bad Guys Posted by Sean @ 10:48 GMT

Handcuffs$2.1 billion in seized fake checks and 77 arrests…
eWeek – Spam-Scam Crackdown Nets $2B in Fake Checks.

DDoS Attacker Arrested…
Security Focus – California man arrested for DDoS attacks.

Storm Worm…
Time – The Worm That Roared.



Tuesday, October 2, 2007

Leaky Spy Tools? Posted by Jarno @ 12:22 GMT

One of the difficulties with spy tool applications is that even if they are legitimately used – the application vendor still has the problem of properly handling confidential data.

Case in point: Mobile-Spy for Windows Mobile.

Until recently (the last 48 hours or so) they had an issue with their web interface. The issue potentially allowed access to any communication data collected by their software.

Now that they've resolved the issue, we'll explain…

By using their Demo account to log onto their system, you were only supposed to be able to access demo messages. The logon is found at the following URL:

Smart Demo

This URL is from one of the demo messages that you're supposed to be able to view. Notice that the message ID is plainly visible in the URL. So, what happened if you changed the ID number in the URL?

Demo URL

We used 34841 as an example:

Test URL

Last week the result of adjusting the URL was this:


And now the result is this:


So, Mobile Spy has corrected the potential problem. You can read more details from ZDNet.

Déjà vu?

This reminds us of something…

During July, Brian Krebs of Security Fix wrote about exactly the same issue but with another mobile phone spy application.

This seems to have been the other vendor's solution: ignore reporters asking questions, fix the problem, then speak with the reporters and deny any knowledge of the issue.

With this approach to security – we wonder just how secure the rest of such spy tool applications are.

Updated to Add: We've received some communication from our readers that while Mobile-Spy's web interface issue has been addressed, the site may still be vulnerable to an SQL injection attack. We have not confirmed this, but if true, this means that all of the customer information is still accessible to anyone using the Demo account.

We have notified Mobile-Spy.