NEWS FROM THE LAB - December 2007


Tuesday, December 25, 2007

Happy2008.exe Posted by Mikko @ 18:30 GMT

Storm action continues.

They were late for Christmas but early for the New Year: We're already seeing New Year greeting card spam runs directing recipients to a malicious web site called

Right now there are no exploits on the site, but it tries to download a copy of Happy2008.exe to the user. Which is something you don't want.

Update 1: On the 26th we started seeing a new domain: The filename has morphed as well, to

Update 2: Still the 26th and the new domain is being used. Filename right now is


Monday, December 24, 2007

It's a Stormy Christmas Eve... Posted by Esz @ 08:54 GMT

So, we were wrong. It turns out that the Storm gang was going to do a Christmas malware run after all, they just decided to start it surprisingly late — on Christmas eve itself!

There's been a series of spam messages redirecting traffic to malicious site This site contains a new version of the Storm Worm. The IP address of the site changes every second. We already detect it as

Here are some screen shots of the site:

Storm Xmas

Storm Xmas

Don't be naughty and go wondering to that domain. Please do not click on the "Download For Free Now" button as it will get you infected. Merry Christmas, y'all!


Sunday, December 23, 2007

No Storm This Christmas Posted by Mikko @ 12:02 GMT

The Storm gang was very active this year. They often used holidays like Halloween and Labor Day to push out their malicious greeting cards.

We were quite sure that the Storm gang would — of course — start sending out malicious Christmas cards too.

In fact, we were so confident on this that we even had a bet on it in our lab. The analyst guessing the date when Storm Xmas cards would start rolling in would win a bottle.

Storm Bet

Well, predicting the future isn't easy. It's now the day before the day before Christmas and no Storm worm activity has been seen. So I guess we were wrong and Storm has gone underground for now. Which must be good news.

Happy Holidays to all the blog readers!


Friday, December 21, 2007

Germans Sure Know How to Test Products Posted by Mikko @ 06:58 GMT

We hate to brag… but our proactive protection (DeepGuard) again did really well in a comparative test.
This time in a test by the German c't magazine.



Thursday, December 20, 2007

Pinch Malware Authors Busted Posted by Alexey @ 16:30 GMT

Nikolay Patrushev, head of the Russian FSB (Federal Security Agency), recently announced that over 1.4 million hacker attacks against federal sites were repelled in just 2007.

Patrushev also stated that the authors of the famous Pinch trojan (known as LdPinch, PdPinch) have been identified and are now awaiting trial. Pinch production has been done in a very professional manner with the authors creating easy-to-use tools to quickly get stolen information from infected computers.

The two malware authors are reported to be Russian citizens Ermishkin and Farhutdinov. According to some reports, Pinch-based malware has infected tens of millions of personal computers worldwide. The financial losses due to Pinch infections can hardly be calculated.

Pinch Parser

See Patrik's earlier post for more details on some of the tools used.

Arrested Mules Posted by Patrik @ 04:20 GMT

Over the last few days we've done a few posts on money laundering fraud and today it was announced that the Dutch police have arrested 14 suspected "mules" for money laundry. The mules had received money from phishing scams targeting ABN AMRO using servers in Hong Kong and forwarded the money to Russia and other countries.

Arrested Money Mules

This is the thing if you sign up for one of these money mule jobs. The money trail leads to you, not the perps ending up with the money. Don't do it.

Full story here.

Wednesday, December 19, 2007

Red Cross Money Mule Recruitment Posted by Mikko @ 20:43 GMT

Money mule recruitment is getting more and more blatant. We just ran across a spam run that uses the Red Cross as the lure to recruit people for money laundering.

Example below (emphasis ours):

From: American Red Cross (
Subject: Red Cross and its new Projects in Europe. Join now!

American Red Cross Donation Department is looking for new partners in European region.

With over 30 million US dollars offered as charity funds for for EU Projects, American Red Cross Charity Department needs more employees in European Union.

The vacancy available at the moment is "Donation Collector"

Since we receive regular moneyed assistance for our Organisation in checks, money orders, bank wire transfers and even in gifts, be aware that "Donation Collector's duties would include regular cooperation with our Financial Department. Every day we receive a great deal of contribution from thousands of people, but unfortunately do not have enough employees to guarantee that these donations are contributed to the purpose they were meant for in the very beginning of our program.

"Donation Collector" together with our financial missionaries in different regions of EU receives and sends donations to the people in need and furthermore is committed to minimise the chances of any unsolicited use of these funds by any other third party.

The vacancy is not a non-profit work. Regular monthly salary of 2500 EUR is paid in the end of every working month.

If you have what it takes to be successful in this job, and are interested in the career with real career growth, promotion chances, then apply online, send to HR DEPARTMENT (link to a Yahoo email address)


Internet Security Technology Preview Posted by Sean @ 16:58 GMT

A member of our Customer Involvement Team (Tomi in Helsinki) would like to extend an invitation to our regular readers.

"Weblog readers are right kind of users for ISTP."

What's ISTP? Internet Security Technology Preview.

F-Secure Internet Security Technology Preview

This preview is a free version for those individuals capable of testing new software technologies.
There are six-months free subscriptions and regular prizes for users who send us feedback.

Sound interesting to you? Then come take part.

You can find more information on this (and other) preview program from


Worm on Google's Orkut Posted by Mikko @ 14:46 GMT

Google's Orkut social networking site has been hit by a web worm.

This one used a vulnerability in the "scrapbook" feature of the site. It infected almost 400,000 accounts before it was shut down by removing a download file it needed to operate.


More information here and here and, hopefully soon, also at the official Orkut blog.


Tuesday, December 18, 2007

Challenge Results - Money Laundering Fraud Posted by Sean @ 16:11 GMT

Our November eighth post invited readers to contribute to, a site devoted to documenting money laundering fraud sites.

   Fraudsters send unsolicited e-mails or place job offers on legitimate Internet
   recruitment sites looking to recruit 'money transfer agents' with bank accounts.

Financial Agent

We/Bob selected some prize winners last week and contacted them today. Congratulations to Gordon (winner), Chris, Ville (runners up), and Susan (honorable mention)! Look for more details soon on Bob's site.

Money Laundering Fraud sites are difficult to get shut down. And the problem doesn't look like it will be going away any time soon…

"the biggest problem with all of these crooks is actually getting the service providers, (whether it be hosts or registrars), actually to take any action against their criminal clients. A significant proportion of them are perfectly happy to make a profit from criminal fraud and that proportion appears to be growing."

We consider it important to be aware of these types of fraud sites as real innocents are snared by them.

Bob continues to fight the good fight.


Happy New Year... .exe? Posted by Mikko @ 13:20 GMT

Some clown is spamming around an attachment called Happynewyear.exe (md5: 978f25a5ef399b7090454ae2ca4fc364).

When run, this malware drops a nice Christmas tree to your desktop and Systray.

Christmas Tree

The malware itself (detected as Trojan-PSW:W32/Delf.BBE by our antivirus) steals passwords and other assorted information and sends them to

Stay away, don't click, et cetera.


Monday, December 17, 2007

Fake Adult Friend Finder Greeting Cards Posted by Mikko @ 06:58 GMT

A batch of fake Adult Friend Finder greeting cards were distributed over the weekend.

The e-mails looked like this (or similar):

Adult Friend Finder

The attachment contains card.scr (md5: 536BFC077FBAD247FA5EA67ADF1DCA7D), which we detect as


Friday, December 14, 2007

Welcome to our Forum Posted by Patrik @ 13:37 GMT

We've now restarted Meanwhile we've received some questions from our readers asking for more information about what happened and what we did to fix it so that others won't end up in the same situation.

F-Secure Forum

The forum software we run is based on Snitz Forums 2000. While it has most basic features, the one we use has been extended into a version called Image Forums 2001. It is essentially the basic software plus modifications to support our needs such as user groups and private messages.

To cut a long story short, the group behind Snitz only maintains the basic package. On the 1st of December a security patch was announced and was withdrawn almost immediately to again be announced on the 4th of December.

We immediately implemented the patch. However, what we didn't know at the time was that a discussion was ongoing in the development forum. Not only was an improved fix recommended but there was also discussion that potential extensions to the forum might be vulnerable as well.

Turns out that's exactly what happened to us. While the main forum itself was patched it was the private messaging module that made the defacement possible. (Exploit code for this vulnerability is publically available.) We have now patched that too, and have checked through all other extensions to ensure that they are okay, and as said, the server is up and running again. No information was disclosed, the guy defaced the page and moved on not to be seen again. Typical of a Turkish defacement gang…

If you're running a discussion forum, make sure you're not only patching the main software but also any extensions you might have installed.

Come see me in the forum!


Turkish Defacement Posted by Mikko @ 07:53 GMT

It's somewhat surprising that still, in late 2007, there are hobbyist Web defacement gangs that compete in how many Websites they can deface. Most of these gangs originate from Turkey or Brazil and they keep score on the numbers of their defacements through special defacement archive servers.

Why am I bringing this up? Because last night our Web discussion forum server ( got defaced by a Turkish gang. See this screen shot:


Quite embarrassing. So how did this happen? The server itself is quite well hardened, but the web forum software had an unannounced security patch silently released by the vendor nine days ago. The defacement gang learned of the vulnerability and went through the net searching for vulnerable forums and changed the front page of such forums to their "greeting".

Most of you probably didn't even know that we have a web forum. It has never been advertised much. We'll let you know when it's back online.

Editor's Note: The forum is once again online.


Thursday, December 13, 2007

Warezov Continues Posted by Toni @ 16:38 GMT

Regular readers might remember Halloween's Warezov post.

At that time we had located 2039 domains associated with Warezov (alias Stration) and of those 2039 domains a whopping 810 were then active.

Yesterday, we decided to iterate through the list again. Any clue as to what we found?

Warezov Domains

Yep, out of the 2039 domains there are 826 domains alive and kicking. About 600 of them were alive during October's test.

We also decided to poke the servers a bit. As you may or may not know, Warezov uses servers (infected computers) for three main purposes:

   To distribute new versions of their malware
   To distribute spam templates for their spam agents
   To host various "pharmacy" sites

Without digging any further into how we identified the servers — during our observation the Warezov gang had a whopping 506 domains that were hosting pharmacy sites la fast-flux. 320 sites were used to distribute either malware or spam templates. Those were also fast-flux.

It's long been clear that the Warezov gang rotate their domains to take some of the heat off and that the only way to really make a dent in their operations would be to take down all of the 2039 domains simultaneously.

The fact that most of the domains are under two different registrars would make it easy… but the fact that both registrars are in China and seem to be somewhat reluctant to act makes it a tad more difficult goal to achieve.

Download the Lists:

   Active Domains826
   Inactive Domains1213
   Malware Hosts320
   Spam Agents506


Wednesday, December 12, 2007

Year-End Updates from Microsoft Posted by Jose @ 02:20 GMT

Below are the lists of critical and important updates Microsoft has for this month.

Microsoft's December Updates

These updates involve applications including Internet Explorer, DirectX, DirectShow, and Windows Media Format Runtime. Five of these updates could potentially allow remote code execution and another two allows an elevation of privileges.

For more details on these updates, here's the link to Microsoft's Security Bulletin.

To be safe, BE SURE to update!

Tuesday, December 11, 2007

Cheers from Africa Posted by Mikko @ 17:04 GMT

Greetings from Cape Town.

I keynoted yesterday to an audience of senior security chiefs at the Information Security Forum's 18th annual world congress. Other presenters included Ira Winkler and Bruce Schneier.

Information Security Forum

Much of the focus of the congress was in governance and compliance, but there were some interesting technical talks too.

I especially enjoyed the presentation of Jolyon Clulow from Deloitte about future techniques for securing online banks. He had with him some first examples of embedded smart bank cards I've ever seen. Check this out:

Information Security Forum

This card, the size of a normal credit card, has a keypad and small display embedded to it and is capable of doing responses to challenges presented to it. The challenge, shown to a user of an online bank, can then include some sort of a hash of transaction values and recipients, making man-in-the-browser attacks harder.

Signing off,

P.S. South Africa has the only airports I remember seeing, that has separate check-in desks for people checking in with… guns.

Vat Refund, Lift, Customs, Weapons


Monday, December 10, 2007

Security Advisories Posted by Sean @ 11:48 GMT

Two recommended updates — potentially serious vulnerabilities — no in-the-wild exploits reported.

Open Office.Org Advisory

CVE-2007-4575, a popular office suite application, contains a security vulnerability in the default database engine for all versions prior to 2.3.1.

Database documents may allow attackers to execute arbitrary code. Updating to version 2.3.1 is the recommended solution.

VLC Advisory


VLC media player, a free media player application by the VideoLAN project, contains a vulnerability in its ActiveX plugin that could allow specifically crafted websites to execute arbitrary code.

The vulnerability is limited to the local user's privileges and exploitation requires the user to visit a maliciously crafted website using VLC media player's ActiveX plugin.

Avoiding the ActiveX plugin is an available workaround. The plugin is an optional component during VLC installation.

Updating to version 0.8.6d resolves the issue.


Wednesday, December 5, 2007

Data Security Summary - July to December 2007 Posted by Sean @ 15:10 GMT

Our end-of-year data security wrap-up was published yesterday.



Data Security Wrap-Up 2007

The video is also available on our YouTube Channel.

The theme of 2007? Bulk.

A huge amount of samples have been collected this year and our detections have doubled. At the end of 2006 we had roughly 250 thousand detections. That took 20 years to accumulate. We added the same volume of detections in just 2007. It will soon be 500 thousand in total.

It's been a busy year.


More Christmas Card Action Posted by Mikko @ 10:42 GMT

We've just seen another fake Christmas card malware run.

E-mails looked like this:

Fake Yahoo Greeting Cards

The links are masked and point to a fake Yahoo Greeting card site. Do note the fake URL (abuse messages have been sent about the site).

Fake Yahoo Greeting Cards

The site prompts the user to download malicious
macromedia-flashplayerupdate.exe (md5: 506744BF870B5B0E410087BD6F3EFD37).

We detect this file as an Agent variant. It collects various types of information from the infected machine and sends it back to the malware author via a website.

Fake Yahoo Greeting Cards

Update: Another domain is being used too, registered by the same person —


Tuesday, December 4, 2007

Poll: Is your software up-to-date? Posted by Sean @ 17:05 GMT

It's been a while since we held our last poll…

Considering the constant flow of new vulnerabilities and security advisories — we'd like to ask you a set of questions regarding your software updates.

Question #1
Dec 4th Question #1

Question #2
Dec 4th Question #2

Question #3
Dec 4th Question #3

Editor's Note: The poll is now closed. Thank you to those that participated!


Worm-Like Anti-Theft Posted by JP @ 14:55 GMT

We've recently received questions about a Symbian S60 application circulating the Internet that sends SMS messages at very high rate to an unknown phone number. While we were studying this software we came to realize it's actually a well-known anti-theft system for Symbian Series 60 phones.
MMC Card
We contacted the author of the software and at the author's request we now are detecting, disabling, and removing a certain version (0.95 beta for S60 2nd Edition) of this anti-theft system from phones running our Mobile Anti-Virus software.

Due to design and programming errors, version 0.95b of the anti-theft software exhibits worm-like behavior moving from MMC card to phone. Once on an "unknown" phone it sends SMS messages on eight second intervals to a predefined number.

The spreading mechanism, that was actually meant to be a system resisting phone formatting, causes this anti-theft system to make a full copy of the software onto MMC cards inserted into the phone. When an MMC card that contains a copy of this software is inserted into a new phone, the "worm" starts automatically in the new phone, makes a copy of itself onto the C: drive of the phone, and starts the SMS alert loop thinking it's still on the original phone — that supposedly was just stolen and formatted.

Now, as if the previous behavior wasn't bad enough for software that was meant to protect your phone, things got worse when someone decided to repackage the software from an already installed set.

If you were to swap an MMC card with a friend, and it resulted in an alert that your friend's phone has been stolen (giving your number as the thief) you would realize soon enough that something strange is afoot.

But if the person who has defined the number into the (repackaged) software is not someone that you know… and that person has no way to tell you about the SMS messages your phone is sending — you are kind of in a bad situation since you'll only find out about the issue when your GSM-operator gets in touch with you to talk about the 100,000+ SMS messages you've recently sent.

Current versions of the anti-theft system we're writing about here is available in many Symbian forums. Numerous Symbian blogs also contain discussions about "HatiHati virus" (hence the name for our detection) or "3396003964 virus". We've only seen a few connections made between the two thus far.


Sunday, December 2, 2007

Merry Christmas and so on Posted by Mikko @ 17:27 GMT

It's December, and we've already seen the first malware runs using fake Christmas Cards as the lure.

Here's an example that we saw today:

123 Greetings

And when run, it displays a nice season's greetings:

123 Greetings

In reality, it's a Zapchast mIRC-based backdoor.