NEWS FROM THE LAB - October 2009


Friday, October 30, 2009

Swedish Police Experience DDoS Attacks Posted by Sean @ 10:52 GMT

Several of Sweden's websites experienced DDoS attacks yesterday, including the Swedish Police at

The sites weren't offline for very long and are accessible at present.

The attackers' motives are currently unknown.

The Local has details in English:

"A number of major Swedish websites were rendered inaccessible on Thursday in what is believed to be a malicious distributed denial-of-service (DDoS) attack. The Swedish authorities have thus far had no success in locating the source of the attack."

And here are additional details in Swedish: Attack mot polisens hemsida Även sänktes It-angrepp mot polisens webbsajt


Wednesday, October 28, 2009

Video - Griffin Teaser Posted by Sean @ 14:49 GMT

Our June 12th post mentioned a collaborative film project that's being produced by the Wreckamovie community.

Well, the project is now titled "Griffin" and there's a teaser available.

Link: Griffin Teaser

If you'd like to contribute to the project, you'll find more details at


Tuesday, October 27, 2009

A Video For You Posted by Mikko @ 07:33 GMT

Please take 4 minutes 45 seconds of your day to watch this animation on the Evolution of Security.

It's pretty good.

Link: Evolution of Security

And let us know what you think!


Monday, October 26, 2009

Rogue AV Uses F-Secure as Bait Posted by WebSecurity @ 06:20 GMT

Lately, we've been tracking SEO attacks directing users to rogue AV sites. We've seen the people behind these attacks poisoning searches for many major world events, and some not-so-major ones as well. So it's kind of amusing — and annoying — to see F-Secure being used as the bait in this kind of thing.

We saw this search result pop up when searching for information about F-Secure:

FS Search

Clicking on the link takes the user on a redirect path as follows:

Redirect Path

After this, the attack follows the usual pattern of warning messages, misleading scan reports and so on:

FS Rogue Image

Just in case it is not obvious, this looks nothing like our products.

Finally, the user is asked to install the following:

FS Rogue Install

Which we detect as Rogue:W32/InternetAntivirus.BG. The detection covers the downloader, the downloaded installer and the main executable.

Nothing really new about this attack. Just a little more personal.

WebSecurity post by — Choon Hong


Friday, October 23, 2009

Time Warner Cable Modem/Router Fail Posted by Sean @ 13:45 GMT

When speaking about Internet worms, I like to point out that my personal computer hasn't been connected to the Internet in years, at least not directly.

I've had a WiFi router connected to the Internet via my cable modem since late 2003, which provides me with a security benefit. NAT routers act like a hardware firewall. Only requested traffic makes its way to my PC.

So, no direct Windows connection to the Internet, no worms such as blaster to worry about.

However, these days, there's malware that tries to work its way through home routers.

And that's why I want to link to this story:

There are 64,000 SMC 8014 wireless router/cable modems that only limit Administrator access using JavaScript. Connect to the router with your browser's JavaScript disabled, and you have full access.

Including the ability to copy a configuration file that contains the administrative login and password in plain-text.

The issue was discovered by a blogger at

I read about the story via Tim Greene at PC World.

If you have one of these SMC 8014 routers, check out the links for further details.

Signing off,
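
The flaw described in this post, admin access restricted only by JavaScript in the page, shown beside a server-side check. This is an added example, not SMC firmware code and not from the original post; the page paths, session tokens and handler names are hypothetical and all data is constructed.

```javascript
// Added illustration only. Paths, tokens and function names are assumptions.

// Constructed page set for a hypothetical router web UI.
const PAGES = {
  "/status.html": { adminOnly: false, body: "Link status: up" },
  "/admin/config.html": { adminOnly: true, body: "Admin settings form" },
  // Stand-in for a config export that holds the admin login in plain text.
  "/admin/backup.cfg": { adminOnly: true, body: "admin_user=<placeholder>;admin_pass=<placeholder>" },
};

// Constructed session table: token -> role.
const SESSIONS = new Map([
  ["tok-user", { role: "user" }],
  ["tok-admin", { role: "admin" }],
]);

// Weak design: the server sends every page to every client and relies on a
// script inside the page to steer non-admins away. The protected content is
// already in the response, so a client that does not run the script sees it.
function weakHandler(req) {
  const page = PAGES[req.path];
  if (!page) return { status: 404, body: "" };
  const guard = page.adminOnly
    ? "<script>if (!isAdmin) location.href = '/status.html';</script>"
    : "";
  return { status: 200, body: guard + page.body };
}

// Hardened design: the decision is made on the server, before any protected
// byte is written to the response. The browser's script support is irrelevant.
function hardenedHandler(req) {
  const page = PAGES[req.path];
  if (!page) return { status: 404, body: "" };
  if (page.adminOnly) {
    const session = SESSIONS.get(req.sessionToken);
    if (!session) return { status: 401, body: "" };
    if (session.role !== "admin") return { status: 403, body: "" };
  }
  return { status: 200, body: page.body };
}

// Audit helper: request each admin-only path with no session at all and
// report those whose protected content still appears in the response body.
function exposedAdminPaths(handler) {
  return Object.keys(PAGES).filter((path) => {
    if (!PAGES[path].adminOnly) return false;
    const res = handler({ path, sessionToken: null });
    return res.status === 200 && res.body.includes(PAGES[path].body);
  });
}

console.log("weak:", exposedAdminPaths(weakHandler));
console.log("hardened:", exposedAdminPaths(hardenedHandler));
```

The audit compares raw response bodies rather than what a browser renders, which is the check that separates server-side enforcement from a script that only hides content.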


Thursday, October 22, 2009

.my Websites Compromised Posted by WebSecurity @ 02:51 GMT

Users aren't the only ones that have to stay vigilant when it comes to security. On the other side of the fence, keeping a website secure is a challenge for even the best webmasters.

We recently came across lots of websites under the ".my" domain that were compromised and unintentionally hosting malicious or unsafe links.

A very small sample of these sites:

.my domain hack search

Quite a few of the sites were hosting crack files:

.my domain hack cracks

.my domain hack download

Others had less savory things to offer:

.my domain hack smart results

Some sites had a page that looked like a search engine:

.my domain hack fake search

Clicking on any of the links didn't do anything, though.

The compromised sites were on multiple servers and are a disparate collection of commercial, personal and educational institution websites.

As usual, relevant malicious links were rated and F-Secure Internet Security 2010 users are protected by our Browsing Protection.

WebSecurity post by — Chu Kian


Wednesday, October 21, 2009

Alaska Day and SEO Attacks Posted by WebSecurity @ 07:04 GMT

SEO attacks driving users to rogue AV sites aren't exactly new, but they do seem to be getting more widespread. Now, the "bait" they use to draw in unsuspecting users isn't just related to major world events or well-known holidays.

October 18th is Alaska Day, an official state holiday in the northern US state of Alaska, when many towns will take part in big Alaska Day festivities. It's not a well-known holiday, even in the US. Still, someone's taking advantage of it to do some social engineering.

Anyone searching for "Alaska Day" information may see the following website:

Alaska SEO, Google

Hmm, "reptiles of alaska"? Sounds rather intriguing. If you click on the link though, as with most of these cases, the visitor gets redirected to a final webpage that displays fake alerts and an image of a fake scan:

Alaska SEO, popup

Alaska SEO, Popup

The redirection path followed is:

Alaska SEO, redirection path

As usual, F-Secure Internet Security 2010 users are protected with our Browsing Protection feature.

WebSecurity post by — Chu Kian


Tuesday, October 20, 2009

Fake Facebook, Fake Video, Fake CAPTCHA Posted by WebSecurity @ 06:52 GMT

Watching videos on Facebook is a popular activity, so it's not surprising to find dozens of fake copycat sites being used to infect unsuspecting viewers with malware.

Here's one fake Facebook site with a malicious JavaScript that uses the old "Flash Player upgrade installation" trick — but with a slight twist.

As usual, the viewer thinks they're going to see a video, if they just upgrade their Player:

Facebook vid malware

But first they have to download and install the "upgrade":

Facebook vid malware

The unusual thing is, this "upgrade" comes with a CAPTCHA pop-up:

Facebook vid malware

The request is displayed at random times and doesn't actually do anything. Anything entered into the field by the user results in this being displayed:

Facebook vid malware

The screen will close after a few tries, but will still continue to appear off and on.

While the user is having dubious fun with the CAPTCHA test, the malware copies a couple files to C:\Windows, deletes itself, and creates a few Registry keys.

Facebook vid malware

We detect the malware as Trojan:W32/Agent.MDN.

Our Browsing Protection blocks the whole fake Facebook website entirely. As usual though, be careful when you're surfing.

WebSecurity post by — Choon Hong


Monday, October 19, 2009

Face the Truth: IM Spam Posted by WebSecurity @ 05:44 GMT

With the recent attention on SMS spam, let's not forget to be careful on IM, that other favorite medium for spreading social engineered links.

I recently received a message from someone who sent me this link:

IM Phishing message

Which led to a website where the user can supposedly view the uploaded photos by entering their MSN log-in credentials:

IM Phishing

Yep, more password-stealing madness.

Incidentally, that same website was recently registered on 16 Oct. 2009 in China, and shares the same IP as a bunch of other "truth"-type sites:,, and

WebSecurity post by — Choon Hong


Saturday, October 17, 2009

Firefox Blocks MS Add-on to Tighten Security Posted by Response @ 06:11 GMT

I woke up this morning and this is what greeted me:

Firefox addon

A while back, Microsoft released the ".NET Framework Assistant" as a Firefox add-on. Today, Firefox blocked it to disable a security vulnerability that affects it. So if this happens to your Firefox browser, don't fret, it's just a security tweak.

Mozilla noted this update in their Security blog.

Response post by — Christine


Updated to add: The Mozilla Security blog has new information: "Microsoft has now confirmed that the Framework Assistant add-on is not a vector for this attack, and we have removed the entry from the blocklist."


Friday, October 16, 2009

What's Posted by Sean @ 13:29 GMT

I want to confess a bad habit of mine. I don't always review my phone bill.

As I have an F-Secure provided phone, and because my personal calls are usually well within budget, I often don't review my billing statement. (I really should call my mother more often…)

I think I'll start reviewing it regularly from now on.

Last Saturday, my wife received the following to her (also company provided) phone's Messaging Inbox:


It claimed to be a "Service message" and contained a link to a "video message".

Service Message, Kilkkaa

This is what the link renders via Firefox on Windows:

+66816110466, Error

And this is what "" displays from a Nokia phone's browser:

Sorry, but you need my number? Not very useful, eh? What's this all about?

It's about the "Mobile Tube spam" that Jarno posted about ten days ago. At that point, it looked as if these links were billing those that clicked the link for a premium rate service. A few days later, the situation appeared to change and the links no longer generate a billing charge.

In any case, my wife didn't click on the message, asking me to review it instead, and I deleted it from her phone.

And now I can't help but wonder, how many people might have accidentally clicked on these links ten days ago and simply dismissed the result? And how many of those people share my bad habit, and don't bother to review their bill?

Reviewing one's bill is always good practice; it's one of the most effective ways of preventing fraud.

You should review your phone bill as closely as you do your credit card statement.

And with these "Service message" links in circulation, perhaps it's time for companies to remind their employees of this best practice.

Signing off,


Wednesday, October 14, 2009

Deployment Priorities Posted by Sean @ 13:40 GMT

Deploying updates can be a complicated process for large organizations with nodes numbering in the tens of thousands. A good deal of testing is required before deployment to the production network can begin.

So Update Tuesday often creates the need for a "Patch Wednesday Meeting" in order to discuss the testing schedule.

Microsoft now has some handy visual aids to assist.

Their October Bulletin MSRC post includes a graphical Severity and Exploitability Index.

Severity and Exploitability Index

Even better for IT managers is this Deployment Priority chart.

Deployment Priority

Very handy for those with limited resources that need to determine which patches to test first. Cheers to Microsoft.


Monday, October 12, 2009

Patch Tuesday the 13th, Part II Posted by Sean @ 16:08 GMT

Last week, Christine noted that Patch Tuesday the 13th is approaching. In fact, it's tomorrow.

This month's Microsoft Updates include 13 bulletins which fix 34 vulnerabilities. This is going to be a large number of updates.

Advance Notification Bulletin, October 2009
See the Microsoft Security Bulletin for October 2009 for the full details.

And on top of that… it's also time for Adobe's scheduled updates.

If you still happen to have Adobe Reader installed, you'll want to apply this update asap as there are targeted exploits being circulated.

Adobe Security Advisory, 10.08.2009
See Adobe's Security bulletins and advisories for additional details.

Now then, one other thought regarding this October's Microsoft Updates…

Last October brought an out-of-cycle patch for Microsoft Windows. Just what did that patch? The Conficker vulnerability.

Because it was out-of-cycle, and because of the approaching holiday season and subsequent staffing issues, numerous organizations failed to readily test and deploy the update. Many of those organizations then later had to deal with Conficker infections.

So how about now, which is National Cybersecurity Awareness Month, everyone focus on rapidly deploying these updates so we'll all be ready for whatever might turn up later, eh?

Because as we should all realize by now, the bad guys like to sit on 0-day vulnerabilities waiting for the worst possible timing.

Safe and efficient patching to you.


Gately Death Goes to Rogue AV Posted by WebSecurity @ 03:09 GMT

Stephen Gately (of Irish boyband Boyzone fame) passed away on October 10th 2009.

So here's what searching for news of his passing turned up:

Stephen Gately, rogue results

On checking the for the website, we noticed this little detail: "Creation Date: 2009-10-09". Hmm.

Anyway, the site redirects visitors to a site that tells you:

Stephen Gately, rogue results

It doesn't matter if the user clicks on "OK" or "Cancel"; the site still goes on to display the following image, which mimics a computer scan:

Stephen Gately, rogue results

And the grand finale, a prompt to install something:

Stephen Gately, rogue results

Rogue AV strikes again. This particular malware site shares an IP address with other known malware sites such as,,, and

Some of these sites might already be down, but all the same, probably not wise to visit them. These websites are blocked by our Browsing Protection.


Updated to add: A related SEO attack which leads to the same website originates from:

Stephen Gately, rogue results

Stephen Gately, rogue results

The redirect path this attack takes is as follows:

Stephen Gately, rogue results

WebSecurity post by — Choon Hong & Chu Kian


Friday, October 9, 2009

Twitter Still Doesn't Get It Posted by Mikko @ 10:11 GMT

As I reported yesterday, Twitter suddenly removed my account without explanation.

They have now unsuspended the account. You can visit it here.

I also received this explanation from Twitter last night:

        I've unsuspended your acct.
        You were suspended for using the malware URL rnyspeceDOTcom in DMs.
        Be careful!
        We scan evrythng for malware.

They are referring to this tweet I sent in August:

   I guess somebody will fall for it...a desperate Myspace phishing site
at www. rnyspece. com. (don't go there).
1:37 PM Aug 3rd from web


Banning me for that?

Two months afterwards?

This sure makes no sense to me.

But at least they've now uncensored my tweets (including the above tweet) and made my account accessible again.

Apparently they still think I'm dangerous, as they have now removed all my followers. As well as everybody I was following.

So while the episode might be over otherwise, it did leave a slight dent in my follower count, as you can see below…


Hey, Thanks.


Updated to add: Michael Krigsman of ZDNet posted an excellent Project Failures Analysis on what went wrong inside Twitter when they banned me.


Cyberwar Crops Up Again Posted by Alia @ 04:43 GMT

Skoudis at HitB2009

Ed Skoudis gave an interesting keynote speech (available here, PDF) at the Hack in the Box conference held in Kuala Lumpur yesterday. The talk included a section on cyberwar that was, in some ways, the complete inverse of Marcus Ranum’s Cyberwar is Bulls**t speech the previous year (slides here, PDF).

Plenty of interesting points mentioned. Here are a few, and just a few of the questions they raised:

There's been talk that some countries are leaning towards viewing cyber attacks as being on par with a traditional kinetic attack (i.e., involving nukes, guns and blood), and possibly requiring appropriate military responses.

Yet, there is no consensus on what constitutes a significant attack – one power grid control station taken down? A town’s Internet access shut down? Or, as one of our Analysts put it, "what would *really* constitute a digital 9/11?"

One of Skoudis's contentions is that an attack that takes down an entire country's Internet access is fundamentally similar to a blockade, which is historically accepted as an act of war. The 2007 attacks on Estonia spring to mind. Is that really an accurate, legally acceptable premise though? Can an online attack really cause significant damage to an entire nation's trade/economy/social structure?

On a higher level, assuming this issue isn't just a storm in a teacup, should supra-national organizations like the UN or EU pass legislation dealing with cyberwar? Say, something like setting rules of engagement or a "cyber Geneva Convention"?

The US and Russia can’t agree on a proposed treaty (New York Times article) dealing with the cyberwar "threat"; is there any likelihood that multiple countries with varying Internet connectivity and cyberattack-capabilities would be able to clobber a working treaty together?

And what about information security professionals? In events like the Estonia and Georgia cyber attacks, where commercial sites were targeted rather than military ones, it was the average system administrator or security professional that had to deal with the immediate effects of the attack. Do they have a part to play in mitigating cyberwar threats? Is the scope out of the industry's hands? Is it just "not my problem"?

Lots of things to think about, with no consensus in sight. A lot of blogposts, articles and comments – both supporting and dissenting – were generated by Ranum's talk on this topic last year; this year's talk looks set to generate more.

It would probably be interesting to listen to Ed Skoudis and Marcus Ranum debating this topic.


Patch... Tuesday the 13th Posted by Response @ 03:10 GMT

Thirteen security flaws will be unveiled and patched on October 13th.

  •  10 involve Remote Code Execution (8 of them rated Critical).
  •  1 involves an Elevation of Privilege.
  •  1 involves Denial of Service.
  •  and 1 involves spoofing.

The affected software for the Remote Code Execution flaws include Windows 2K to Windows Vista, Internet Explorer, and Microsoft Office Suite. More details are available from

It's not exactly Friday the 13th-style mayhem, but there's going to be some patching madness coming up.

Response post by — Christine


Thursday, October 8, 2009

Silence Hypponen Posted by Mikko @ 15:20 GMT

I used to have a Twitter account, called mikkohypponen

I used it to tell about things I saw while doing computer security research.

This turned out to be quite popular.

But then, two days ago, I got banned from Twitter.

Kicked off Twitter

My account was suspended by Twitter without explanation.

Since then I've received no further information from them and they have not responded to my queries.

My account was not hacked. Nevertheless, it was suspended because of "suspicious activity".

If you try to view my account, this is what you'll see:

Kicked off Twitter

Dear Twitter, was it something I said?

Unfortunately you can't go and read my tweets any more, as Twitter has removed them:


Right now I'm quite happy that I regularly took a backup of my Tweets. So now I can take that backup and post my full Twitter history for the world to see.

Let's have a poll on this.

What do you think, which of my Tweets got me suspended?

Select one from below:

 1  Apparently was hacked [sql injection] last week:
10:49 PM Oct 5th from
 2  Make an impression: Print this is out and leave on top of your paper stacks: [pdf from]
5:42 PM Oct 1st from
 3  A wildcard SSL certificate available for download:
4:48 PM Oct 1st from
 4  Not sure if these files are supposed to be public, esp. "REQUEST FOR FORT KNOX SECRET NETWORK ACCOUNT.pdf"...
6:00 PM Sep 29th from web
 5  Criminals are mass-generating fake Twitter accounts for profit: Be careful.
12:46 PM Sep 20th from
 6  Here's an example of spammers paying money to Google:
9:45 PM Sep 18th from
 7  Helpful when locating fresh malicious sites etc. Add this to a Google search URL to find sites created within last 15 hours: &tbs=qdr:h15
11:55 AM Sep 16th from web
 8  The FTP server that time forgot: - including files from 1993 and directories called 'garbage' or 'junk'...
10:32 PM Sep 4th from web
 9  Browsable online shop for blank credit cards. Wow.
10:07 PM May 18th from web
10  Yet another Twitter worm last night. More info & screenshots:
9:15 AM Apr 18th from

…or maybe it was something else?

Poll results



Updated on 9th by editor: Mikko's account now appears to be "un-banned".


Update on Finnish SMS Spam Case Posted by Jarno @ 09:55 GMT

We checked for updates on the Mobile Tube page that was linked by SMS spam, which we posted about on Tuesday.

Now the fine print says that the service is free of charge, and by using this service, the user gives the company rights to send information and promotional messages in the future.

Interestingly enough, the page used to have the company name at the bottom; that is now removed.

If the fine print on the page can be relied on, the SMS spam messages are now rather harmless.

But we still advise people against clicking on any unsolicited links that they receive via SMS, as the company behind these messages still tries to use the page to legitimize any further advertising messages.


Wednesday, October 7, 2009

Password 123456? Posted by Sean @ 12:33 GMT

Some phishing lists were recently published online. Hotmail, Yahoo, AOL, Gmail, and other provider passwords are making the news.

So what's a popular password? 123456.

Brilliant, right? If you haven't done so already, now's a good time to review your personal passwords.

Remember, it's National Cybersecurity Awareness Month.

Here's some good advice: write down your passwords. Yes, seriously. Write them down.

See the following: Schneier on Security; Lifehacker; and our May 26th post.

Passwords on a post-it


Tuesday, October 6, 2009

Premium Rate SMS Spam Spotted in Finland Posted by Jarno @ 11:27 GMT

One of our Helsinki based researchers received the following SMS message yesterday:


The message text is in Finnish and translates as "Video message, click". If the recipient clicks on the link he'll end up opening a page that looks like an advert for a service called "Mobile Tube". So, at first glance, this just looks like ordinary SMS spam.

However, if the recipient reads the fine print at the bottom of the page, things get interesting.

The fine print is in Finnish and states that the user has accepted a premium rate service, and if he wishes, he can cancel the contract.

We have seen this type of scam before and have reports of many other languages besides Finnish being used. The scam works if the user has a WAP access point enabled, as is the default with most operators. The scammers will get the necessary information for billing just by having the user click a link and visit the web page.

So whenever you see unexpected links via SMS, just delete the message and do not click them. If you clicked on a link, check if the page has an unsubscribe link. If it does, unsubscribe from the service and then file a complaint to your phone operator if you are billed by the premium service vendor.

Updated to add: The fine print on the Mobile Tube page has been changed to indicate that the service now has no cost to the user. See the follow-up article.


Trojan Goes OldSkool Posted by Response @ 06:08 GMT

Remember those long-gone days when malware popped up strange, cheeky or amusing messages while they 0wned your computer? We had a recent reminder with Trojan:W32/LongLeeb.A.

On booting up Windows, the trojan displays the following message box:

Trojan:W32/LongLeeb, Salutation

The message is in Tagalog, and reads: "Long live Gloria, FG, Abalos, Chavit, Jok Jok, Gonzales, Jose Pidal!". All the names mentioned refer to real Filipinos.

Again, on the Desktop, the following message is displayed:

Trojan:W32/LongLeeb, Manny

Which basically says: "Again, Long live Philippines! Long live Manny Pacquiao, too!!!"

The trojan itself is fairly cookie-cutter, but the messages are so reminiscent of early 90's viruses, it almost makes us feel… nostalgic.

Response post by — Irene


Friday, October 2, 2009

National Cybersecurity Awareness Month Posted by Sean @ 14:54 GMT

The U.S. Department of Homeland Security (DHS) is sponsoring its sixth annual National Cybersecurity Awareness Month this October as part of its ongoing efforts to secure America's cyber-infrastructure.

The campaign's theme is "Our Shared Responsibility."

National Cybersecurity Awareness Month

One of the resources to which DHS links is The site offers lots of practical advice such as keeping your computer's software up-to-date, backing up your data, and how to use security software. (F-Secure can assist with all of those…)

There's plenty of other practical advice as well.

Stay Safe Online, Top Tips

Read more from the DHS Blog.


Thursday, October 1, 2009

Google Chrome Update? Posted by Sean @ 13:51 GMT

I was updating the browsers on one of my VMware images today:

Chrome/Internet Explorer/Firefox/Safari/Opera

And I updated Google Chrome to version


Version resolves a security vulnerability which could allow an attacker to run arbitrary code within the Google Chrome sandbox.

Only… the update didn't delete the vulnerable files during installation:

Chrome3.0.195.21, Folder

So while Chrome may no longer be using the vulnerable file, the old chrome.dll remains on my VMware system:

Chrome3.0.195.21, Chrome.dll

If something such as Sun Java can finally uninstall old versions, don't you think Google Chrome should be able to do so too?

Does anyone else notice this on their systems?

Signing off,