NEWS FROM THE LAB - November 2009


Monday, November 30, 2009

Video - Tiger Woods SEO Attacks Posted by Sean @ 16:34 GMT

Tiger Woods is in the news, and predictably, search engine optimization (SEO) attacks are attempting to direct the curious towards scareware scams.

We have a video demonstration available via the lab's YouTube channel:

YouTube, Tiger Woods SEO Attacks


Friday, November 27, 2009

Black Friday 2009 Posted by Sean @ 12:18 GMT

Today is Black Friday in the United States.

Black Friday is the Friday after Thanksgiving and is traditionally the start of the Christmas holiday shopping season.

Almost all big retailers promote "early bird" sales on Black Friday. How does one learn where the best deals are located?

Well, either you buy a newspaper and look through the inserts — or — you use an Internet search engine.

We fully expect to see search engine optimization (SEO) attacks this year. Our Browsing Protection Portal can be used (for free) to determine the safety of unknown sites.

In addition to search engines, we also expect that sites such as Twitter will be used to promote special offers.

Common to Twitter and other such sites are short URLs (such as those provided by and which are very convenient services but obscure the real URL source.

Is there a way to check the source of shortened URLs?

Yes. URLs can be expanded with

If you use Firefox, there's even an add-on available. expander add-on

When installed, hovering over a short URL looks something like this:


And another example from Mikko's Twitter feed:




Thursday, November 26, 2009

Exploit Shield FTW Posted by Response @ 13:24 GMT

Microsoft published a Security Advisory on Monday for a vulnerability in Internet Explorer 6 and IE7 that could allow for remote code execution. IE8 is not affected.

Currently, there are no reports of this vulnerability being exploited in-the-wild.

Our Exploit Shield analysts have been looking into this case and based on their initial tests, the code that they tested doesn't work reliably, and is more likely to result in a crash (DoS) than Remote Code Execution (RCE) on an unprotected computer.

But how about a computer protected with our Exploit Shield technology? How does our Internet Security handle an exploit targeting CVE-2009-3672?

No problem at all. The exploit is blocked by our heuristics. No specific shield is required.

Our customers using Internet Security 2010 were protected against this exploit before it was even discovered. Nice.

The Flash animation below demonstrates:

  •  Real-time scanning is OFF
  •  Browsing protection with Exploit Shield is ON
  •  The exploit POC is opened
  •  Exploit Shield protects the browser


Updated to add: SANS Diary notes that the advisory is now updated to include mitigations and that workable exploits are starting to surface on the web.


Wednesday, November 25, 2009

Mobile Security on the Sony Ericsson Aino Posted by Mikko @ 11:39 GMT

With the first iPhone worms making headlines, many people have contacted us regarding antivirus protection for the iPhone.

Unfortunately there are no antivirus products available for iPhone, from any vendor.

Producing such tools for iPhone would require assistance from Apple. As there are no worms for unmodified iPhones, there's no need (they think) for such…

Other vendors take a more proactive attitude.

Here's a good example: the new cutting-edge phone from Sony Ericsson, Aino, comes bundled with a security solution we developed for them.

Here's the Aino:
Sony Ericsson Aino

And here's our Mobile Security:
F-Secure Mobile Security


Sunday, November 22, 2009

Malicious iPhone Worm Posted by Mikko @ 11:38 GMT

We've received a sample of a malicious iPhone worm with botnet functionality.

Like the Ikee worm, it only affects Jailbroken iPhones which have SSH installed and have not changed the default password.

This one connects to a web-based command & control center running at in Lithuania.


The worm is not widespread, but it is much more serious than the first iPhone worm as it tries to steal information from the devices.

Thanks to Scott at XS4ALL for all the help!


Thursday, November 19, 2009

Call for Papers: CARO2010 Workshop Posted by Mikko @ 12:51 GMT

F-Secure is organizing the next CARO Technical Workshop. It will be held in the end of May in Helsinki, Finland. Previous workshops have been in Iceland, The Netherlands and Hungary.

Call for Papers is open. We're looking for technical presentation relevant to the topic of Big Numbers in malware field.

caro2010 CARO 2010

For more information, please see


Updater and Tuneup Technology Preview Posted by Alia @ 06:38 GMT

Maintaining your computer can be a chore sometimes, especially if you're the kind of person that's always on the go. Keeping all the programs on a computer up-to-speed with the latest updates can be a hassle. Periodically 'housecleaning' the system (like defragging the hard drive) in order to optimize performance is even less exciting.

So we'd like to help with that. We recently launched the trial version of a single tool that handles both these tasks — Updater and Tuneup — on the Technology Preview page, and we'd like to get some feedback on how well your machine performs after using the tool.

F-Secure Updater

The name says it all really — the Updater component keeps track of vulnerable applications installed on your machine and notifies you when updates are available; while Tuneup takes care of the housekeeping - defragging the hard drive, checking the registry, etc - so your machine stays optimized for speed.

And to say thanks for the trouble, we're offering the following items as prizes to users who give feedback:

  • 5 boxes of F-Secure Internet Security 2010
  • 15 VIP Cards for F-Secure Internet Security 2010 and F-Secure Mobile Security

Giveaway is by lucky draw.

The trial version is free, and the Technology Preview period closes at end January 2010.


Tuesday, November 17, 2009

IT Security as Easy as Mikado... Posted by Alia @ 09:14 GMT

I just got my hands on a new promo item our marketing department came out with, which looks quite interesting:


It's Mikado, an old European stick game. Basically, the idea is to carefully pick up sticks without moving the pile, in order to gain points; player with the most points wins.

OK, so the game is rather cute, but it is supposed to convey a serious message – that IT security can be as simple as this game. Most people have the impression that IT security is complex, highly technical, frighteningly arcane, and difficult to manage.

To be fair, most people have good reason to think so. Even the language is difficult, like the latest from the Pentagon's cyber security people – the Global Information Grid Customizable Operational Picture (GIGCOP), which is just one component of their new security system (The Register article).

And even if all the 'technical' things are under control, sometimes it is possible to slip up on the "easy" stuff, like maintaining proper physical security – as in maybe not letting people use a slipper as a doorstop for a hi-tech server room. Really – that was reported in an article from The Star.

But it doesn't actually have to be that way. We'd like to have our products (and tools and services) be easy to use, and that's what we're increasingly working towards. Which I think is fairly neatly captured by drawing a parallel with Mikado.

R, Alia


Wednesday, November 11, 2009

Windows 2K Server Patch Update Posted by Christine @ 00:27 GMT

Microsoft just released a patch to address the License Logging Server Heap Overflow Vulnerability (CVE-2009-2523). This vulnerability affects the License Logging Service (LLS), a feature which according to Microsoft is "designed to help customers manage licenses for Microsoft server products that are licensed in the Server Client Access License (CAL) model."

More details on LLS at: Description of the License Logging Service in Windows Server operating systems

This vulnerability only affects Microsoft Windows 2000 Server Service Pack 4 and is rated Critical since this service is enabled by default in that OS. It is also accessible via anonymous network connection and exploiting this vulnerability can lead to extensive heap memory corruption which could possibly lead to remote code execution. It no longer affects the newer MS Server systems since this service has already been removed since Windows Server 2008.

More details of this patch are at these locations:

  •  Microsoft Security Bulletin MS09-064
  •  Details on the License Logging Service vulnerability

It's time to patch those old 2K servers.


Tuesday, November 10, 2009

Why would anybody phish for XBOX accounts? Posted by Mikko @ 11:30 GMT

Here's an example of a YouTube video that is used to drive traffic to a "XBOX" phishing site.

The actual phishing site looks like this:

The URL is fairly convincing. Turns out .TP is the country code for East Timor.

But why would anybody phish for accounts of some online game?

Because you can sell XBOX Live accounts for real-world cash:



Monday, November 9, 2009

When Phishing Isn't Phishing Posted by Mikko @ 14:27 GMT

So, there are these apparent MySpace phishing e-mails going around ("...please be informed that you are required to update your MySpace account, Please update your MySpace account by clicking here...")

When you follow the link, you end up to this MySpace look-a-like page, hosted on various .uk domains:


Once you log on, the bad guys gain access to your MySpace credentials.

Why do they want them?

So they can pose as you on MySpace and send malicious links to your friends — who will surely follow them, as they know you and trust you…

But in this case, this is not the only thing they are after. After logging on, you get this prompt:


A New MySpace Update Tool? Really? As an executable file?

Hmm… and of course it's not. The file (md5: 4c7693219eaa304e38f5f989a8346e51) turns out to be yet another Zeus / Zbot banking trojan variant.

F-Secure Anti-Virus blocks access to the malicious domains and detects the malware.


Sunday, November 8, 2009

First iPhone Worm Found Posted by Mikko @ 18:21 GMT

We have located the first iPhone worm, dubbed as Ikee. It's currently spreading in the wild, but it's only able to infect devices that have been "jailbroken" by their owners. Jailbreaking removes iPhone's protection mechanisms, allowing users to run any software they want.

Affected users will find that their iPhone wallpaper has been altered to a picture of Rick Astley (of Rickroll fame) and the message "ikee is never going to give you up".

ikee iPhone worm

The worm targets users who have jailbroken their phone but have not changed their default root login password. It will search for vulnerable iPhones by scanning a handful of IP ranges — most of which are in Australia. At the moment, we have no confirmed reports of Ikee outside of Australia.

After Ikee infects a phone, it disables the SSH service, preventing reinfection.

To protect your jailbroken iPhone, change your root password. Here's how.

The creator of the worm has released full source code of the four existing variants of this worm. This means that there will quickly be more variants, and they might have nastier payload than just changing your wallpaper or might try password cracking to gain access to devices where the default password has been changed.


Saturday, November 7, 2009

Sentencing Posted by Mikko @ 12:06 GMT

This is a post from our blog in May 2007:


Yesterday, three people were sentenced for writing the above malware (it's a variant of the Vanbot family) and other attacks — including some DDoS action.

The sentences were: 45 days jail, 40 days jail, and 0 days jail, respectively. The sentences were probationary, so nobody actually went to jail. In addition, some fines were written.

All the three convicted were underage.


Friday, November 6, 2009

Try Health Check 2 Beta, complete survery, chance to win an iPod. Posted by Sean @ 14:32 GMT

Our Health Check 2.0 Beta was released about eight weeks ago.

F-Secure Health Check 2.0 Beta

Try Health Check.


Greetings from AVAR 2009! Posted by Fei @ 06:21 GMT

One thing that I have always found fascinating about Japan is definitely its rich and unique culture. However, there is just one other thing — vending machines. You not only find them everywhere, you can buy all sorts of things, including adult movies, from them (except for a security product, but that's probably just a matter of time).

Anyway, AVAR 2009 was held in Kyoto, Japan this time around and the turnout was just amazing, especially when coupled with very interesting presentations on how the threat landscape has been evolving and what every vendor is doing to tackle it.

AVAR2009, swan

For the first time, there were two concurrent sessions running. This year's keynote was by Jimmy Kuo (Microsoft), and he presented the key findings from Microsoft's Security Intelligence Report v7.

Interestingly, this time around there were several presentations on cloud-based security, one of which was by Dr. Igor Muttik (McAfee). In it, he mentioned the benefits of having antivirus technology in-the-cloud, as well as concerns surrounding privacy issues. One interesting fact he shared was McAfee verifies the robustness of their servers every Friday by DDoS-ing themselves. Coincidentally, that's when McAfee products are scheduled by default to run a full scan.

Also, Stefan Tanase (Kaspersky) gave an entertaining presentation about how there has been a exponential growth in attacks on social media on Facebook and Twitter. Tony Lee (Microsoft) too highlighted the same fact, as Microsoft found that the attacks on social media are dominating the threat landscape.

Signing off,

AVAR2009, performance


Thursday, November 5, 2009

This Is It! Posted by Fei @ 15:59 GMT

It seems like most people who have gone to watch the Michael Jackson This Is It movie have told me that it is really worth watching.

However, we are not too sure if Michael Jackson's Official Website at is actually worth visiting now.

MJ search results

Well, it turned up on our systems, which indicate that some of the child pages have been compromised with malicious scripts.

MJ site

At the time of analysis, the malicious scripts were not leading users to malware (yet) — but they will probably remain there until someone cleans it up and fixes the vulnerable code as well.

We will rate the site SAFE in our Browsing Protection again once the site is cleaned up.

Browsing Protection,

Signing off,


Vote 4 Us Posted by Response @ 10:31 GMT

Our blog has been nominated in the 2009 IT blog, IT Blog Awards 09

We're in the IT Security category.

If you like us, you can vote at


P.S. What's someone got to do to get nominated for the Twitter category, get banned or something?



Wednesday, November 4, 2009

DDoS on Posted by Mikko @ 10:02 GMT

The Swedish Signals Intelligence agency (Försvarets Radioanstalt FRA) is currently under a large-scale DDoS attack.

At the moment is inaccessible.

Försvarets radioanstalt

FRA was in the news recently, as Sweden passed a law giving them legal permission to tap Internet traffic passing through Swedish national borders. For example, the majority of Russian international Internet traffic passes through Sweden.

The monitoring effectively started last month.

 Försvarets radioanstalt

We have no information on who's behind the attacks.

Downtime stats are available here.


MS Post-Patch Update Posted by Response @ 00:29 GMT

Microsoft has just released an update for their MS09-054 patch.

Note — It is critical not to install this update if the system has not installed the previous MS09-054 patch, as the updated one could break Internet Explorer. Some customers were reported to have browsing-related errors after installing said patch.

A fix is available via Windows Update, Microsoft Update and Automatic Updates.

More details at:

Response Team post by — Christine


Tuesday, November 3, 2009

Finnish Internet is "Mostly Harmless" Posted by Sean @ 11:28 GMT

Microsoft released volume 7 of their Security Intelligence Report (SIR) yesterday.

The SIR is an incredibly detailed report that includes the analysis of data reported by Microsoft's Malicious Software Removal Tool (MSRT), which is included with Microsoft's monthly updates. Volume 7 covers January through July of 2009.

While reading through the report this morning, we were pleased to see a quote from Erka Koivunen of CERT-FI.

The quote is on Page 45 in the section called Best Practices Around the World.

Microsoft SIR Finland
Microsoft SIR Finland
Here's the text.

This is a summary of what Finland has in its favor according to Erka:

  •  First, the capability to detect needs to be complemented with the ability to take action.
  •  Second, the lifetime of the malware infections and security breaches needs to be cut down.
  •  Third, the positive regulative atmosphere regarding sensible information security…

And thus:

We are just less likely to cause headaches for everybody else. In this sense, the description of Earth in the [Douglas Adams] book The Hitchhiker's Guide to the Galaxy fits Finland quite nicely as well: "Mostly Harmless."

That observation would have been better placed on Page 42.


Monday, November 2, 2009

WTF is Posted by Sean @ 13:47 GMT

Lt.Col James Dox of the 1st Battalion 63rd Armor Regiment recently contacted me.

He made me an offer:

From Lt.Col James Dox. Dear Friend. We are in need of your assistance. My name is Lt. Col. James Dox, From 1st Battalion 63rd Armor Regiment here in Ba'qubah in Iraq. We have about  (One Million Four Hundred Thousand Euros Only) that we want to move out of this country (Iraq). We are seeking your mutual understanding and confidence to help us to receive the fund. You are to retain 30% of the fund and help us to keep the remaining 70% because we will be ending our mission in Iraq soon. You are free to read from this website how we got the money. Website: If you can assist us on the above. Please forward the below reqirements to me as soon as possible 1. Your Full Name:... 2. Your full mailing address:... 3. Your nature of business:... 4. Your marital status:... 5. Your Private Telephone Number:... Regards, Lt.Col James Dox Email:

Thanks, but no thanks, James.

But hey, your e-mail address is interesting, what the heck is

Turns out that the domain is registered to an UK based ISP called Freeola since 1999.

They offer free "occupational based" e-mail account names…

Freeola500 Occupations

It appears to be for fun and games. But unfortunately, it seems that an 419 advance fee fraudster now has other ideas.

Hmm, is also available.

I've always wanted to be a secret agent.

Agent 419

Signing off,


Case m00p Posted by Mikko @ 13:17 GMT

"m00p" was a virus-writing group that had more than 10 members from various countries.

One of the gang members was sentenced in May last year.
Another alleged member of the gang pleaded not guilty on Friday in a London court. Trial will continue in November 2010.

The wheels of justice are slow sometimes. Most of the alleged activities of this virus writing group were done in 2005 and 2006.

There's a bit more about the group in this 2006 article.