NEWS FROM THE LAB - November 2007


Friday, November 30, 2007

Holiday Roast Posted by Toni @ 16:08 GMT

FBI Bot Roast II

Yesterday the United States Federal Bureau of Investigation published a press release related to Operation 'Bot Roast II'. The operation revealed more than a million compromised computers as well as over $20M in losses. In total eight individuals were identified during the operation to be conducting cyber crimes. Some of the suspects are pretty well known in the information security community. (At least by their handles…)

One of the suspects, Gregory King (alias SilenZ) was indicted by a Federal grand jury for allegedly conducting DDoS attacks against various organizations including CastleCops, a volunteer security community, known for fighting malware and phishing.

Another suspect, Robert Matthew Bentley (alias LSDigital) was indicted by a Federal grand jury for "his involvement in botnet related activity involving coding and adware schemes". Bentley operated the malware business revolving around the domain.

Even though the now-indicted suspects are only a few out of thousands, it is apparent that when law enforcement organizations are given enough funds and resources, they can perform pretty well.

These are eight guys that we're happy to see out of business.


Tuesday, November 27, 2007

New Vulnerability in QuickTime Posted by Patrik @ 04:04 GMT

Not very long ago we posted about fixed vulnerabilities in QuickTime. Now another vulnerability has been discovered, this time in the way QuickTime handles the RTSP Content-Type header. RTSP is a protocol used to stream media. Unfortunately there's public exploit code available and no patch yet from Apple.

Quicktime Vulnerability

The team over at US-CERT has posted some workarounds, such as disabling the QuickTime ActiveX control and blocking RTSP. If you make the registry changes, make sure you revert them once you have installed the coming patch, or else you won't be able to view any streaming QuickTime media.

Additional Notes: Symantec has some excellent analysis located here. They found that this exploit crashes the ActiveX Control in IE. Firefox on the other hand may pass off the QuickTime request directly to QuickTime player depending on configuration. So Firefox users may therefore be more vulnerable, not because of the browser itself, but because Firefox will deliver the exploit directly to its most optimal platform.

Also, while this exploit allows remote code execution and is potentially quite severe, it's not yet being implemented in the wild. There is however a very good chance of that changing as QuickTime is one of a growing number of popular third-party applications targeted by the bad guys.

Monday, November 26, 2007

Gemini 2.0 Posted by Sean @ 13:41 GMT

Host Based Intrusion Prevention Systems (HIPS) offer a very important complement to traditional antivirus software.

Behavioral blocking software nevertheless has its own problems, specifically "noise". Many harmless applications have the same behavioral patterns as malware. Trojan-downloaders connect to the Internet and download executable files onto their hosts in a similar way to an installer loading legitimate software.

So behavioral blocking software needs to be trained to know bad from good.

Gemini Update 2007-11-15_09

Our database releases of November 15th included Gemini Update 2007-11-15_09.

What's Gemini?

Our Gemini engine is a component used by System Control alias DeepGuard. That's our HIPS technology.

You've already received this update if you're using one of our products that includes DeepGuard.

The Research Lab team responsible for DeepGuard's development used what they've learned since its first release and have now re-trained the Gemini engine.

It's a fairly significant engine update that promises to result in more automatic malware detections with fewer interruptions from legitimate software. That is to say, less noise. It allows DeepGuard to do its job while asking fewer questions. It's been termed Gemini 2.0 in-house.

And while Gemini 1.0 was excellent, we think that Gemini 2.0 is even better.

One of our tests used all of the unique Orion-detected malware samples collected during the month of October. (Orion is signature based.) From that set, we found that 51% received high scores from Gemini. Scores that high result in an automatic block should DeepGuard determine an attempt to do something dangerous on the computer. (No traditional signature detections required.)

That's a 20% improvement over the old training, which would have resulted in a prompt to "Allow" or "Deny". For a greater percentage of malicious files, our customers will no longer need to make that decision themselves.

There should be fewer prompts about legitimate applications as well. Tests show a marked improvement in the number of good applications that receive a low score.

And as there is an apparently never-ending stream of malware — research on Gemini's training also continues.

Kudos to our hard-working Antimalware Technologies team.


My Egyptian Vacation Posted by Mikko @ 11:32 GMT

No, we haven't visited Egypt. But we're seeing a malware distribution run using a unique lure.

First, you get an e-mail like this from "Anita":

E-Mail with ZIP attachment

The ZIP contains these files:

Egyptian Pictures

How nice, Anita has even included an image viewer for us so we can take a look at her photos.

However, if you run viewer_img.exe, you'll get just an empty Paintbrush window:

Russian Paint

Of course, this is just a bluff. In the background it's dropping and executing a variant of the LdPinch data-stealing trojan.

Let's see. It loads up a Russian version of pbrush.exe. The images are named "egipet.jpg" — Egipet is the Russian spelling of Egypt. And LdPinch is Russian malware. So this attack is probably (we're guessing) coming from … Denmark!


Wednesday, November 21, 2007

Converting an iPhone into Full-Featured Spy Tool Posted by Jarno @ 14:16 GMT

Back on September 28th, I posted about H.D. Moore adding iPhone support for the Metasploit framework, predicting that iPhone support in Metasploit would make security and attack research much easier.
And boy, talk about getting a nice demonstration…

Fast Company hired Rik Farrow, an independent security consultant, to see what can be done with Metasploit and an iPhone.

Rik was able to make a full-featured spy device.

Fast Company's article is here and Rik's video is here.

Using a specially crafted Web page utilizing an iPhone exploit (now patched) he gained root level shell access to the phone — which in layman's English means that he could do anything that the iPhone is capable of from his laptop.

With such access, Rik was able to download the phone's voice mail database file, a local Gmail message database, the browser history, and anything else on the phone. And in addition, he installed software capable of recording all ambient sound within microphone range, and then retrieved that sound file from the phone.

Rik's skills are evident in the video, but his demonstration shows that with Metasploit, even those with basic security skills can set up a Web page that gives them full access to any iPhone that attempts to load the page. And as the iPhone is very popular, this brings big security and privacy concerns.

Currently there is no security software available for the iPhone. Fortunately iPhone users can protect themselves against attack via this exploit by making sure their iPhone is up to date. And we hope that Apple will promptly fix any future exploits.

However — this might not help those who have unlocked their iPhones and are avoiding Apple's updates.

So if you are using an unlocked iPhone, and haven't patched its vulnerabilities yourself, be careful of what sites you surf or you could get iPwned.



Tuesday, November 20, 2007

Testing TOR Nodes for Man-in-the-Middle Attacks Posted by Toni @ 16:03 GMT

People tend to think of the TOR network as a silver bullet, which is not the case. Even on TOR's distribution site it's clearly stated that TOR will not guarantee complete privacy.
TOR Icon
What's TOR? If you don't know, TOR is a network of proxies designed to give some privacy and anonymity to its users.

From Wikipedia:

   Tor (The Onion Router) is a free software implementation of second-generation
   onion routing — a system enabling its users to communicate anonymously
   on the Internet. Originally sponsored by the US Naval Research Laboratory, Tor
   became an Electronic Frontier Foundation (EFF) project in late 2004. …

   Like all current low latency anonymity networks, Tor is vulnerable to traffic
   analysis from observers who can watch both ends of a user's connection.

TOR is indeed vulnerable. And recently there have been reports of rogue nodes.

So here's the question. What other suspicious stuff is occurring on TOR? Let's take a look.

Here's a node that only accepts HTTP traffic for Google and MySpace; it resides under Verizon:

   AS    | IP | AS Name
   19262 |    | VZGNI-TRANSIT - Verizon Internet Services Inc.

While curious and perhaps even suspicious, it isn't necessarily malicious. It could just be a Samaritan particularly concerned with anonymous searches and MySpace profiles for some reason. But there's no way to tell, so why use such a node if you don't have to?

But how about this one?

Now here's a node that was monitoring SSL traffic and was engaging in Man-in-the-Middle (MITM) attacks. Definitely bad.

   AS   | IP | CC | AS Name
   3320 |    | DE | DTAG Deutsche Telekom AG

Here's how the testing was done:

   A test machine with a Web server and a real SSL certificate was configured.
   A script was used to run through the current exit nodes in the directory cache.
   Connections were made to the test machine.
   A comparison of the certificates was made.

And the exit node at provided a fake SSL certificate!

Now note, this was only one of about 400 plus nodes tested. But it only takes one.

Once the node faked the SSL of the test server, a well-known "payments and money transfer" site was tested, and it faked those SSL certificates as well.
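As an added example (the Lab's own test script is not published here), a small Python harness for the comparison step described above: it pins the SHA-256 fingerprint of the test server's real certificate and flags any exit path that completes a TLS handshake with a different leaf certificate. Routing each connection through a particular exit node is left to the supplied fetch callable (an assumption); the demo uses a constructed in-memory fetcher and constructed byte strings in place of real DER certificates.

```python
"""Pinned-fingerprint check for the certificate-comparison step (added example)."""
import hashlib
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

@dataclass
class ExitResult:
    node: str
    observed_fingerprint: Optional[str]
    verdict: str  # "ok", "mitm-suspected" or "error"

def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate, colon-separated like OpenSSL prints it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Record whatever leaf certificate the far end presents. Verification is
    deliberately off: a forged certificate must be captured and compared, not
    rejected silently by the TLS stack."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def classify(expected_fingerprint: str, observed_der: Optional[bytes]) -> str:
    """Suspect only a path that completed a handshake with a different certificate."""
    if observed_der is None:
        return "error"
    return "ok" if sha256_fingerprint(observed_der) == expected_fingerprint else "mitm-suspected"

def scan_exit_nodes(exit_nodes: Iterable[str], expected_fingerprint: str,
                    fetch: Callable[[str], bytes]) -> List[ExitResult]:
    """Run the comparison per exit node. `fetch` must route the connection through
    the named exit (assumed; not shown here) and return the DER leaf certificate."""
    results = []
    for node in exit_nodes:
        try:
            der: Optional[bytes] = fetch(node)
        except (OSError, ssl.SSLError):
            der = None  # unreachable exits are recorded, not fatal
        fingerprint = sha256_fingerprint(der) if der is not None else None
        results.append(ExitResult(node, fingerprint, classify(expected_fingerprint, der)))
    return results

# Constructed stand-ins for DER certificates (not real certificates).
GENUINE_DER = b"constructed-der-of-the-test-server"
FORGED_DER = b"constructed-der-minted-by-a-rogue-exit"

def demo_scan() -> Dict[str, str]:
    """Three constructed exit paths: one honest, one forging, one unreachable."""
    seen = {"exit-honest": GENUINE_DER, "exit-rogue": FORGED_DER}

    def fake_fetch(node: str) -> bytes:  # stands in for a real per-exit fetch
        if node not in seen:
            raise OSError("exit unreachable")
        return seen[node]

    pinned = sha256_fingerprint(GENUINE_DER)
    nodes = ["exit-honest", "exit-rogue", "exit-down"]
    return {r.node: r.verdict for r in scan_exit_nodes(nodes, pinned, fake_fetch)}
```

With a real deployment, pass a fetch callable that uses fetch_leaf_cert through the exit under test; one "mitm-suspected" verdict against a correctly pinned fingerprint is enough to warrant a closer look at that node.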

Information was forwarded to the German authorities and the node is no longer available. It appears that prompt action was taken against it.

More details on the investigative process can be found here and here.

Any technology can be used in the wrong way, a fact that will never change. Be careful out there.


Friday, November 16, 2007

Video - Live at USENIX '07 Posted by Sean @ 15:10 GMT

Today's video is a demonstration of Mobile Spyware. It's a segment from Mikko's USENIX presentation.

Mobile Spyware Demo Usenix07

The video is available via our YouTube Channel.

Editor's Note: See our comments; this talk was presented at the 16th USENIX Security Symposium.


Thursday, November 15, 2007

Virtual Theft at the Habbo Hotel Posted by Sean @ 09:37 GMT

Habbo Hotel is a virtual community aimed at teenagers that's part chat room and part online game. It's the property of Helsinki based Sulake Corporation.

The BBC is reporting that six Dutch teenagers are allegedly involved in the theft of 4000 euros worth of virtual furniture.
(One arrest for theft and five questioned for possession of stolen goods.)


We don't know if this scam involved any malware or not; perhaps it's an example of simply luring other users into giving away their passwords.

However — we often do see Habbo hack-tools. Here are a few examples:

Habbo Hacker X — MrX-Shop.Net registered to Amsterdam, NL.

Habbo BruteForcer

Habbo Devil

Habbo SpeedKiller

Virtual commodities exist and hold value in many online games. Everyday we see detections for trojan password-stealers designed specifically for games. Virtual theft is real and this Habbo arrest could be a bellwether.


Wednesday, November 14, 2007

Raining Money Mules Posted by Patrik @ 06:15 GMT

The USA Web site of Korean pop singer "Rain" has been hacked to host a money mule fraud site.

The hacked site uses the company name of Rain Solutions. Clever…


Money mules are very often unsuspecting people tricked into helping out in money laundering schemes. They receive stolen money into their accounts, withdraw it in cash, and then transfer it to the bad guys using some more anonymous service, such as Western Union. When authorities look into these cases, the trail always leads to the money mule, not to the people behind the crime. We see these cases pretty frequently, but it's not that often that a site gets hacked and used to host the mule site.

The same site design is also available on:

An excellent catch by Bob over at

Rain is quite popular in Asia and has even been spoofed by Stephen Colbert in the USA:

While we're on the topic, if you haven't seen it yet, check out the Weblog's challenge post:

Updated to Add: Rain Solutions is still online. That's the difficult nature of these fraud sites.

Here's how the front page of the legitimate site appears:


Tuesday, November 13, 2007

Microsoft Updates Released Posted by Ian @ 21:08 GMT

This month's Patch Tuesday consists of only one Critical and one Important update.

MS07 Nov

However, don't let your guard down as the vulnerabilities can enable remote code execution and DNS spoofing. Affected applications are IE7 for MS07-061 and all Windows servers for MS07-062.

Complete info and patch download links available from Microsoft's Web site.

Keep your systems updated, using updates from the original site.

Monday, November 12, 2007

Catch of the Day Posted by Sean @ 15:55 GMT

Today's special is Trojan-Dropper.W32/Agent.CPL. We discovered this phish in spam runs promoting a YouTube video.

If you click the link in the spam message, it opens a fairly decent copy of YouTube's site. Click the image for an expanded view:

YouTube CN

The page, located on a .cn server, prompts for the installation of Adobe's Flash Player. If you download the file, it's named install_flash_player.exe. Just as the real Flash Player download would be…

Firefox is already warning about the fraudulent nature of this site, and we have detection with our 2007-11-12_04 database, so we don't expect a very big catch for this particular rock phishing site.

Sunday, November 11, 2007

There's Nothing to See Here, Please Move Along Now Posted by Mikko @ 15:58 GMT

Picture: 'The Naked Gun: From the Files of Police Squad!' copyright (c) 1988 Paramount Pictures

Today is 11/11 and there's supposed to be an "electronic jihad attack" today.

Well, so far we haven't seen any activity. And we're not holding our breath either.

Earlier this week we downloaded a DDoS tool called E-Jihad30.exe from (down now). Today's attack rumors circle around this tool, of which we have a description and screenshots available over here.

This tool creates a botnet using a server at — a domain registered to Iraq. However, we've been monitoring this server all day and its IP address continues to point to So at least regarding this botnet, nothing is gonna happen.

Cyberterrorism is not a real problem. But it does make for cool movie scripts.


Thursday, November 8, 2007

Challenge - Money Laundering Fraud Posted by Sean @ 17:19 GMT

documents money laundering fraud. It's an excellent site. Check out Bob's collection of e-mail based job scams.

   Fraudsters send unsolicited e-mails or place job offers on legitimate Internet recruitment sites looking
   to recruit 'money transfer agents' with bank accounts.

Money mules are the bottom end of the crimeware chain. And they're the people that often get burned.

Here's the thing — Bob is a volunteer effort and doesn't fight this type of fraud for profit. We'd like to help him out if we can.

There are currently about a half dozen sites that Bob doesn't yet have documented:

BobBear Not Yet Documented

So we have a challenge for you. Review his site. Learn what to look for. Research the undocumented sites and if you discover something, submit it to BobBear. For example, many of the undocumented fraud sites are copies of real sites — but nobody knows from where. Or, what kind of e-mails are linking to these sites? What other domain names are linked to them? Where are they hosted? What else is hosted on those servers?

Let us know the details of your submission at this address:

Money Mule Info at F-Secure

If Bob judges the information to be of value to his site, we'll include you in a drawing for some F-Secure swag. We'll coordinate with Bob on the duration. So volunteer your time and you'll earn a chance for some free stuff. And you'll help fight fraud.

A good way to start would be to review our October 12th post, which has a video on the topic in which we discuss a fake site used for recruiting 'money transfer agents'.

Editor's Note: December 18th's post has the challenge results.


Wednesday, November 7, 2007

Security Advisories Posted by Sean @ 16:01 GMT

There's an update for QuickTime available. Version 7.3 fixes several flaws that malicious sites could use to install unwanted software (arbitrary code execution) just by viewing a specially crafted image or movie file.

Mac as well as Windows versions of QuickTime should be updated. If you're a Windows user and don't have iTunes/Apple Software Update installed, click here.

QuickTime 7.3

And then there's a Microsoft Security Advisory regarding a vulnerability in Macrovision's secdrv.sys driver. The driver comes installed on Windows XP and Windows Server 2003. This vulnerability could allow an elevation of privileges.

MS SA944653

Macrovision has a driver update which will likely be included in Microsoft's monthly updates.


Tuesday, November 6, 2007

Not a Good Sign Posted by Mikko @ 15:18 GMT

Looks like the Mac Trojan we posted about last week was not an isolated incident.

The gang behind it seems serious about targeting Mac users as well as Windows users. And they keep putting out slightly modified versions of the trojan for the Mac too:


This is not likely to end any time soon.


Android Posted by Mikko @ 12:21 GMT

Google has now announced the Open Handset Alliance and the Android Platform.
Android is a Linux-based open source operating system for mobile devices. With this, Google hopes to challenge other open Linux-based devices, such as the Nokia N810.

Of course, we at F-Secure have to think what effect, if any, open platforms might have on the future of mobile malware. Will an open standard for mobile phones make mobile malware more or less of a problem? Might this accelerate or decelerate the evolution of mobile malware?

The key issue here is whether Android will go for totally open systems or whether they will adopt a system for signing approved applications (such as Symbian).

If unsigned and unknown applications written by anyone have full access to phone features, we smell trouble.

Quoting Android's homepage:

    "... an application could call upon
    any of the phone's core functionality
    such as making calls, sending text
    messages, or using the camera ..."

Of course, we won't know the full specifications of Android phones until they become available in late 2008.

And it's pretty much guaranteed that no criminal attacks will take place until the installed base for Android has become large enough to interest the bad guys financially. This might never happen.

P.S. The installed base is already there for the iPhone. iPhone malware could easily become reality in the near future.


Friday, November 2, 2007

Audio - BNR Newsradio Posted by Sean @ 14:39 GMT

Mikko was in the Netherlands yesterday, and did a live radio interview with Herbert Blankesteijn for BNR Newsradio.

BNR Newsradio

The interview, in English, is available from BNR's site: BNR Nieuwsradio

Direct link: MP3

Topics discussed in the radio interview include the security of Windows Vista, "BundesTrojan", and if the Microsoft Update system is hackable or not.

Thursday, November 1, 2007

Don't Update With That Update.exe Posted by Alexey @ 15:37 GMT

Some malware authors are still fond of using the good old techniques to spread their wares. One of these techniques is to send e-mail messages carrying "Security Updates" supposedly released by a well-known software vendor.

Today we received multiple reports about a message claiming to be a "Critical Security Update" from Microsoft. The message had a ZIP archive with a trojan downloader inside.

To become infected a user needs to extract the trojan's file and to run it. It should be noted that unlike Swen's message, this fake update message does not even look legitimate, so we're not going to see a lot of real infections.


A short description of the trojan and a screenshot of the spammed message can be found here.