NEWS FROM THE LAB - November 2008


Friday, November 28, 2008

Spam on the Rise? Posted by Sean @ 15:06 GMT

Weblog reader Steve H. forwarded this BBC News story to us, "Spam on rise after brief reprieve".

If you remember, the shutdown of McColo two weeks ago resulted in a significant drop in spam. No one expected it to last forever.

And a drop in spam is relative, we suppose. A good deal of spam is still just as annoying as a great deal of spam, isn't it?

Spam Subjects


Thursday, November 27, 2008

VirusRemover2008... The Nerve... Posted by Response @ 02:59 GMT

The site powerfulvirusremover2008 .com is reported to have been using dodgy practices in order to push their product, and really, what's new? Yet another rogue antispyware on the loose.

Funny thing is though, it even has specific websites for different countries, so that they can cater to specific audiences. Here are some of the sites that they host for different countries:

jp.powerfulvirusremover2008 .com

VirusRemover2008, Japanese

Other versions include de, dk, es, fr, it, no, nl, and no.

And what's the difference for each? Oh, just the way they say "If you aren't redirected automatically, please click here" and the language of the webpage that strongbilling .com (the third party site it uses to process payments) uses on its page when the user wants to purchase the program. It gives the user a certain comfort level and the illusion that he actually understands what he is buying.

VirusRemover2008, Buy Japanese

OK, so let's say the user (by some stroke of luckless chance, or courtesy of a trojan downloader) ends up with the demo installer of Rogue:W32/VirusRemover2008.C on their hands and it runs…

Enter the End User License Agreement (EULA). Who really reads the EULA nowadays? All we do is click, click, click, then done! Then we wonder why our computers are sputtering malware every day. And if we complain, the product pushers will just say, "You've been warned." But where? "In paragraph 100 of the EULA."

But really, the EULA actually does contain some of the indecencies that they do to your system. They have some nerve putting it there:

Exhibit A:

VirusRemover2008 EULA

What kind of products? You mean my valid AV?

Exhibit B:

VirusRemover2008 EULA

Lack of viruses? Oh, right. You mean that malware your product told me existed in my system — but actually doesn't?

Whoa! People should really start reading some of this stuff. It's pretty scary what they put there.

OK, say that, through the universal law of click-click-click, you skipped the EULA and happily installed the rogue antispyware… since it's the usual senseless stuff really… it'll do this:

1. Scans your system:


2. Tells you you have an infection:


And of course it comes with a link to buy the stuff, yada-yada.

Don't bother checking the files listed, they don't exist in your system. And you know where they exist? In a text file that they dropped into the system. A very readable text file!

Text file

How insulting is that?

Response team post by — Christine


Tuesday, November 25, 2008

Being Too Helpful Posted by Mikko @ 18:41 GMT

Here's a screenshot of a site:


It's a phishing site using Google AdWords as the lure.

What it really tries to do is to steal your Google AdWords account username and password.

And your credit card number.

Now look again. Look at what the browser is offering.


No thanks, I'd rather not save my password for this site, thank you very much.


Monday, November 24, 2008

Stickers 2008 Posted by Sean @ 18:03 GMT

Laptop stickers — they're very popular.

Six weeks ago, we requested suggestions, hosted a couple of polls, and then picked out our favorites from the suggestions.

Wing Fei, from our Kuala Lumpur Lab, placed the order and ended up giving away a bunch of stickers at Hack In The Box Security Conference 2008 Malaysia.

Last week, Wing Fei was in Helsinki for our pikkujoulu and we now have our own stack of stickers here in the Helsinki Lab. So now it is time to start giving some away to weblog readers.

Laptop stickers 2008

Here are the handles of those that provided the selections used, and a few of the top poll choices.

Top sticker suggestions

Requests for postal addresses will be sent this week, watch for it. We will also pick several random names from the 100 or so others that made submissions. Cheers!


Friday, November 21, 2008

Search-and-Destroy Posted by Response @ 12:07 GMT

Some rogue antivirus applications are overtly malicious. XP Antivirus 2008 and XP Antivirus 2009 have numerous affiliates utilizing rootkits and plenty of other nasty techniques in order to get themselves installed (and purchased). They're a real pain in the… neck.

As an interesting aside – XP Antivirus 2008 and XP Antivirus 2009 are actually produced by two different gangs. Variants of one sometimes attempt to uninstall and disable the other.

Then there are some "rogues" that are just kind of sad… we're tempted to call them lame-ware rather than scareware.

Last week, someone calling himself "Mirando" submitted this to our moderated comment system:

Search-and-Destroy Antispyware

What are the odds that such a comment, promoting a dubious application, will be approved by us? Not likely.

This is how the search-and-destroy .com site appears:


The site just uses a simple Flash graphic for basic animation; there are no fake "scans" that attempt to scare the visitor. It's all very quiet, relying perhaps on its name.

This application, search-and-destroy, should not of course be confused with Spybot Search & Destroy, a well known and respected antispyware application.

We downloaded and tested the Search-and-Destroy Antispyware application.

First it prompted a warning that there were zero risks.

Startup Risk

Then we performed the scan and there were 159 "problems" discovered. All 159 were not fixable in the trial version.

Scan Finished

Among the "malicious threats" that were discovered were invalid shortcuts.

Threat Details

True, the links were invalid, but that's hardly a threat.

So we uninstalled the application, and it left behind a registry key:

After Uninstall

Typical. The scan warns us about invalid shortcuts, and then the application leaves behind an invalid registry key.

Mirando has posted to other forums as well.


Based on the IP address used when posting to our comments system, Mirando lives in New Delhi, India. We suspect that he's young and that these posts are early attempts at making money via an affiliate program.

We hope that he'll consider quitting while he's ahead, and doesn't move on to the hard-rogues.


Wednesday, November 19, 2008

German, Finnish and Swedish Posted by Alia @ 06:12 GMT

German, Finnish and Swedish versions of E:VOLUTION are now available on our YouTube Channel.

YouTube FSLabs

Update: the Italian version is now available.


Tuesday, November 18, 2008

Video - E:VOLUTION en francais Posted by Sean @ 15:36 GMT

Bonjour. By popular demand, E:VOLUTION has been translated into several different languages. You can now find the French version via our YouTube Channel.

E:VOLUTION — French language version E:volution

Additional language versions will soon follow.


Monday, November 17, 2008

VirusResponse Lab 2009 Posted by Sean @ 16:24 GMT

Last Friday, we came across a rogue application, VirusResponse Lab 2009, that used a fake 404 page as part of its social engineering attack.

Many rogue affiliate sites will use script to generate animated "online scans" and then attempt to trick the visitor into downloading the rogue installer file via a pop-up dialog.

404dnswebsite .com took a different approach. Rather than producing a fake scan and prompting for a download, it instead simply hosted a fake 404 error message:

If the victim fell for the trick, they would have downloaded what we detect as

As you can see from the screenshot above, the fraud page is not at all dynamic. Even though we opened the page with Firefox on a Linux based system, the page displays the text "Internet Explorer".

The 404dnswebsite account is now suspended.


Thursday, November 13, 2008

Web Trail Posted by Sean @ 16:49 GMT

One of our development teams would like you to try their beta application, Web Trail.

They want feedback before moving on to the RTM version.

F-Secure Web Trail


You can download it from here.


Termination of EstDomains, 24 November 2008 Posted by Sean @ 15:54 GMT

The termination of ICANN-accredited registrar EstDomains is to go ahead, effective 24 November 2008.

There are approximately 281,000 domain names managed by EstDomains, many of which shouldn't be touched with a ten-foot pole.

ICANN is now seeking expressions of interest from registrars to receive a bulk transfer of those domains. Anyone interested?

See our past posts here, here, and here for additional details.


McColo Mole Wacked Posted by Sean @ 15:11 GMT

Kudos to Brian Krebs, whose excellent investigative reporting produced some rather dramatic results.

What's the story? McColo Corp. — major source of spam — was knocked offline earlier this week. And now there's a large decrease in the amount of spam being distributed., Spamweek

Why is that? Because McColo Corp. was hosting a large number of spam bot control and command servers. Knocking them offline has left the spam bots temporarily without masters.

Unfortunately the bots themselves are still out there, so the spam will eventually return.

You can download a very detailed report on McColo from, McColo CyberCrime


Wednesday, November 12, 2008

We're on Security Focus Posted by Sean @ 14:34 GMT

This is just a short note to mention that Security Focus is now syndicating our weblog posts:

Security Focus, Security Blogs

You can find them, and others, at



Researchers Hack Storm Botnet for Economics Study Posted by Response @ 02:03 GMT

There's an interesting study on the economics of spamming, reported today at BBC and The Register.

Spamalytics: An Empirical Analysis of Spam Marketing Conversion was authored by researchers from the University of California, Berkeley, and UC San Diego.

Summary: the Storm botnet sends out spam leading interested parties to two sites, a malware-infected site designed to expand the botnet itself and a pharmacy site promoting "male enhancement drugs". It has been assumed that even a few people buying such products would be enough for spammers to make a huge profit, but few studies have been performed to investigate.

In this study, the researchers hacked into the Storm botnet's command and control system to modify a subset of spam already being sent out. The change redirected "any interested recipients to servers under [the researcher's] control, rather than those belonging to the spammer", where the researchers could track sales attempts. They could then use the data to figure out how many actual sales the entire spam operation would be likely to generate.

Interesting points from the analysis: even with a tiny conversion rate of "0.00001 per cent" from spam to sale, spammers can still net a fair bit of profit, but not as much as suggested. Since the conversion rate is so minuscule however, spammers can be really pressured by countermeasures that affect it, like anti-spam filters, blacklists and so on.

The study also clearly documented the reasoning the researchers used to handle the legal and ethical issues they faced, the key points being that they: 1) did not actively send out the spam itself, or create new spam; 2) none of the actions performed based on the methodology were "intrinsically objectionable"; and 3) where there was potential for harm, they worked to "strictly reduce" it.

Interesting stuff.


Tuesday, November 11, 2008

Antivirus Professional 2008 Posted by Sean @ 16:38 GMT

Yesterday's post, Stupid Rogue Trick, took a look at antivirus-online-scanner .com and a rogue application called Antivirus Professional 2008.

The antivirus-online-scanner site was using GeoIP Lookup to customize the supposed threat that would be displayed to visitors. If you visited from Helsinki, Finland then the threat was called something such as Win32.IRC.Bot.Helsinki.

A nasty trick for the unsuspecting…

Taking a look today, we discovered that the site is offline. Good news, as such sites are often difficult to get shut down. So, who was the ICANN Registrar?

EstDomains. You remember Case EstDomains from two weeks ago, don't you?

Antivirus Online Scanner, ESTDomains

Hmm. The site was created back in June.

Well, at least it's suspended now.

Antivirus Online Scanner, ESTDomains Suspended


Monday, November 10, 2008

Stupid Rogue Trick Posted by Sean @ 14:02 GMT

We came across a rogue today called Antivirus Professional 2008 that uses GeoIP Lookup as part of its scare tactics.

This site uses Flash and script to create the effect of an online scan that then attempts to push an installer at the visitor.

The NoScript extension for Mozilla Firefox is an excellent way to mitigate against this kind of garbage.

Antivirus Professional 2008 Helsinki

But here's the interesting thing…

The "antivirus online scanner" site is using the visitor's IP address to customize the so-called threat.

Oh no. Trojan.Helsinki.Downloader.26. Right.


Refreshing the page regenerates the supposed threat.

Antivirus Professional 2008 Helsinki
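
The two tell-tales described in this post and in the 11 November follow-up (a "threat" named after the visitor's GeoIP city, and a result that regenerates on refresh) can be checked mechanically when triaging a suspected fake online scanner. The Python below is an added example, not part of the original post; the function names, the third sample threat name and the GeoIP record are constructed for illustration.

```python
import re

# Constructed sample: threat names captured from three loads of the same
# "online scan" page. The first two names are quoted in the posts; the
# third is made up for this example.
SAMPLE_LOADS = [
    ["Trojan.Helsinki.Downloader.26"],
    ["Win32.IRC.Bot.Helsinki"],
    ["Trojan.Helsinki.Spy.11"],
]

# Constructed GeoIP record for the analyst's own egress IP address.
SAMPLE_GEO = {"city": "Helsinki", "country": "Finland", "country_code": "FI"}


def name_tokens(threat_name):
    """Split a dotted detection name into lowercase tokens."""
    return [t.lower() for t in re.split(r"[.\-_/:\s]+", threat_name) if t]


def geo_tokens(geo):
    """Lowercase location words from a GeoIP record.

    Values shorter than three characters (such as country codes) are
    skipped because they collide with ordinary name fragments.
    """
    tokens = set()
    for value in geo.values():
        for word in re.split(r"[\s,\-]+", value):
            if len(word) >= 3:
                tokens.add(word.lower())
    return tokens


def fake_scan_indicators(loads, geo):
    """Return (indicator, evidence) pairs for a page's claimed scan results.

    loads: one list of displayed threat names per page load.
    geo:   GeoIP record of the IP address the page was fetched from.
    """
    findings = []
    place = geo_tokens(geo)

    # Tell-tale 1: the "detection" is named after where the visitor is.
    geo_hits = sorted({
        name for names in loads for name in names
        if place & set(name_tokens(name))
    })
    if geo_hits:
        findings.append(("geo_in_threat_name", geo_hits))

    # Tell-tale 2: the same machine gets a different "infection" on reload.
    distinct = {tuple(sorted(names)) for names in loads}
    if len(loads) > 1 and len(distinct) > 1:
        findings.append(("result_changes_on_reload", len(distinct)))

    return findings


if __name__ == "__main__":
    for indicator, evidence in fake_scan_indicators(SAMPLE_LOADS, SAMPLE_GEO):
        print(indicator, evidence)
```
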


There Goes WPA Posted by Response @ 04:02 GMT

It seems to be "bad news" season for WPA, as researchers keep finding ways to crack it faster and faster.

Last month, Elcomsoft found a way to use GPU computing architecture to boost a cracking utility's brute-force attack in order to break through WPA encryption "100 times faster than with just a CPU".

Now there's another, newly reported way to attack WPA's Temporal Key Integrity Protocol (TKIP), which can crack an encrypted Address Resolution Protocol (ARP) packet in "less than 15 minutes". More details are available at The Register.


Friday, November 7, 2008

Critical Updates for Adobe Posted by Sean @ 16:18 GMT

There is a critical security update available for Adobe Reader 8 and Acrobat 8. Here's the Security Advisory.

SANS Internet Storm Center is reporting that the Adobe Reader vulnerability is being exploited in the wild.

You want to update as soon as possible.

You can read more about the vulnerability from Security Fix. Read this SC Magazine article for additional background material.

…and if you would like assistance with keeping your home Windows computer up to date, watch this:

Health Check

Then try our Health Check application.


Thursday, November 6, 2008

We Hate WinDefender Posted by Sean @ 14:14 GMT

Not Windows Defender — WinDefender.

WinDefender 2009 is a supposed update of the WinDefender 2008 rogue.

Version 2009 promises to "Get rid of mailware now!"

WinDefender 2009

Perhaps future versions will also get rid of "maleware".


Obama and McCain Campaigns Hit with Targeted Attacks Posted by Mikko @ 05:55 GMT

Newsweek Cover
Newsweek has a breaking story about how both the Obama and McCain campaign computer systems were hit by targeted attacks earlier this year.

At the Obama headquarters in midsummer, technology experts detected what they initially thought was a computer virus—a case of "phishing," a form of hacking often employed to steal passwords or credit-card numbers. But by the next day, both the FBI and the Secret Service came to the campaign with an ominous warning: "You have a problem way bigger than what you understand," an agent told Obama's team. "You have been compromised, and a serious amount of files have been loaded off your system." The following day, Obama campaign chief David Plouffe heard from White House chief of staff Josh Bolten, to the same effect: "You have a real problem … and you have to deal with it." The Feds told Obama's aides in late August that the McCain campaign's computer system had been similarly compromised. A top McCain official confirmed to NEWSWEEK that the campaign's computer system had been hacked and that the FBI had become involved.

Officials at the FBI and the White House told the Obama campaign that they believed a foreign entity or organization sought to gather information on the evolution of both camps' policy positions—information that might be useful in negotiations with a future administration. The Feds assured the Obama team that it had not been hacked by its political opponents. (Obama technical experts later speculated that the hackers were Russian or Chinese.)

We have no further information on the case, but this does not really surprise us. We've talked about similar attack techniques several times in the past.



Wednesday, November 5, 2008

US Presidential Malware Posted by Patrik @ 17:22 GMT

Not a big surprise at all… a spam run distributing malware, referring to Obama's election as the new U.S. President, started this morning (U.S. time).

The e-mail looks like this:

The link points to a website that looks as if it contains a video, and to view it the user has to download a "new" flash player, adobe_flash9.exe (MD5 47c86509a78dc1edb42f2964bea86306).

We detect this as Trojan-PSW:W32/Papras.CL which is a trojan that hides itself using a rootkit. The trojan attempts to steal confidential information from the computer and upload it to a server in Ukraine.

Editor's Note: There is in fact a new version of Adobe Flash, version
But you'll want to download it directly from

Update: Sunbelt has listed additional subjects used by this spam.

Got Root? Posted by JP @ 13:43 GMT

Mobile phone enthusiasts have discovered a method to gain Root access to the T-Mobile G1 Android mobile device.

Jailbreaking phones is a popular activity. Many Apple iPhone owners choose to unlock their phones. And we have also seen methods to unlock Symbian S60 phones so that one gains full access to the device.

Now there's a way to acquire full access to the G1 (which uses Google's Android) using the PTerminal application from the Android Market. The details were posted today on the xda-developers forum.

Google's Android is a largely open platform, so this may be of limited use only to those that for some reason really want to have core access to the operating system.

Kind of like breaking out of a minimum security jail…


Poker in the ZBot Posted by Sean @ 10:41 GMT

Toni ran into an interesting ZBot sample yesterday. During his analysis, he was surprised to discover a big bunch of poker sites among the configuration file's targets.

Targeting gaming sites is new behavior for the ZBot gang.

Why online poker? Because the sites pay out real money, and often lots of it. Additionally, if you have access to a compromised poker account, you can use it to fix games and/or to launder funds. Funds such as those stolen from bank accounts…

Poker Table

Doing a quick search on other ZBot variants seen in the last few days yielded the encrypted configuration files from a number of C&C servers. There were 22 of them online. Decrypting the files led to some additional discoveries.

Spanish banks are being widely targeted for some reason.

Even more surprising is that there are also many Russian (.ru) sites among the targets. Taking into consideration that ZBot is a Russian trojan and many of the attackers are probably from Russia, this is a bit unusual to see. Typically skilled individuals tend not to operate in their own countries, in order to make prosecution against them more difficult.

After seeing this list, it isn't too difficult to imagine how much in damages these guys might be responsible for annually.

See our Trojan-Spy:W32/ZBot.XF description for a list of the online poker sites.


Tuesday, November 4, 2008

Pirates and Internet Crime Posted by Sean @ 15:38 GMT

One of the radio programs that I regularly listen to, via podcast, is Marketplace from American Public Media.

Last Thursday's program included a very interesting segment about a pirate.

Not a software pirate. An Indonesian sea pirate.

"I want to stop. It's dangerous out at sea. I have a dream that one day I will make so much money I can quit this work… But until then, what else can I do?" — Agus Laodi, Pirate.

APM Marketplace

Being an Indonesian pirate involves boarding a cargo ship on a dark moonless night, holding a large knife to the ship's captain, and demanding money from the safe. Agus Laodi doesn't like his job. But he does it because it seems like an opportunity to him under the circumstances.

Read/listen to more here.

Agus Laodi's situation reminded me of Ronit… He wants to be an Internet criminal.

"Hi, i Am Ronit I am In 9th [grade] And I Struggled A Lot In My Life , But I Still Happy Bcoz My Family Is With Me , But Now i didn't have any friend here , all people's are very bad , i really wana change my life , please teach that how to hack cc's or shop admin's"…

In other words, Ronit wants to "improve his life" by stealing credit card account information. And why not? As long as he has Internet access, stealing CC's has got to beat many of the other possible alternatives to which some people turn.

Here's a screenshot of the forum where Ronit posted his message:

Hack CC's and Shop Admin's

"When you have poor people next to rich people, you have piracy." The Internet has no borders — so rich and poor exist together. As Internet access expands to everyone, so too will Internet crime expand. It's a social issue as much as it is a technology issue. Perhaps we need to begin thinking of solutions for both.

Our Q3 2008 Security Wrap-up has more on crime and punishment.

Signing off,


Monday, November 3, 2008

Worm Exploiting MS08-067 in the Wild Posted by Toni @ 13:34 GMT

Code building on the proof of concept binaries that were mentioned last week has moved into the wild.

We've received the first reports of a worm capable of exploiting the MS08-067 vulnerability. The exploit payload downloads a dropper that we detect as Trojan-Dropper.Win32.Agent.yhi.

The dropped components include a kernel mode DDOS-bot that currently has a selection of Chinese targets in its configuration.

The worm component is detected as Exploit.Win32.MS08-067.g and the kernel component as Rootkit.Win32.KernelBot.dg.