NEWS FROM THE LAB - December 2008
 

 

Wednesday, December 31, 2008

 
Malware Analysis Course Rides Again Posted by Mika @ 12:10 GMT

Those of you who missed the Helsinki University of Technology's malware analysis and anti-malware technologies course in the Spring of 2008 can participate in Spring 2009.

The course curriculum is pretty much the same as it was last year and so are most of the lecturers. One notable addition will be more focus on Windows kernel malware. Kimmo Kasslin will be lecturing on the topic and there will be some homework fun on it as well.

Homework Fun

Please check out the course pages, slides, and assignments from Spring 2008 to get an idea of what the course is all about.

Course web pages for 2009 are already available but still incomplete; students can already enroll, though.

 
 

 
 
Video - SMS Exploit Effects Posted by Sean @ 12:09 GMT

Our post from yesterday mentioned a video demonstration coming soon.

It's online now and you can find it from our YouTube Channel.

The video highlights the symptoms experienced on exploited phones; it doesn't show how to perform the attack. The attacking phone has been kept off screen. (It isn't difficult to find the CCC video at this point.)

Curse of Silence Effects

The "Curse of Silence" was disclosed to several telecommunications operators about seven weeks ago and we were brought into the loop a few weeks later. The timing has been a real pain in the neck for those of us in the lab. We'd rather be researching something else or enjoying a relaxed holiday than dealing with a detection for an exploit that will most likely be used by jealous boyfriends.

Still, it is a safe bet that the Curse will be used to harass people, so support personnel should know what to look for.

 
 

 
 
Your Friendster Contacts Are Belong To Us Posted by WebSecurity @ 06:51 GMT

Addendum to our earlier post, Fake Friendster and Facebook Sites with One IP Address:

Many Friendster users have been complaining about receiving lots of invitations to view a fake video from their contacts (who presumably would not normally send malicious content to their friends).

Here is an example of such an invite, from a known contact:

Friendster message

So how are the spammers getting access to the contacts lists?

Well, as we mentioned in our earlier post, a phishing site that mimics the real Friendster site steals the user's e-mail address and password. Once the bad guys have those credentials, they log in to the account and use it to spam malicious links to all of its contacts. Simple and effective, really: users receiving a message from a known contact are more likely to drop their guard and click the link.

This particular link points to a legitimate domain, files.myopera.com, and a file named video.gif. But wait: the file is not an image at all. Check its contents with view-source (in Firefox) and it turns out to be a page that redirects users to a malicious fake video site.

View Source
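As an added example (not code from the original post), here is a small check that does what view-source did by hand: it compares a downloaded file's magic bytes with what its extension claims and, when the "image" is really HTML, pulls out the redirect target from a meta refresh, an iframe or a JavaScript location assignment. The sample payloads are constructed for illustration, and the redirect target uses a reserved .invalid domain rather than any real site.

```python
"""
Check whether a downloaded file really is what its extension claims, and if an
"image" is actually HTML, extract where it redirects to.

Added example, not code from the original post. The payloads below are
constructed; the redirect target uses a reserved .invalid domain.
"""
import re
from html.parser import HTMLParser

# File signatures (magic bytes) for common image formats.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s>]+)", re.I)
JS_LOCATION_RE = re.compile(
    r"(?:window|document|top|self)\.location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)


class RedirectFinder(HTMLParser):
    """Collect redirect targets: <meta http-equiv=refresh>, <iframe src>, JS location assignments."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content", ""))
            if m:
                self.targets.append(m.group(1))
        elif tag == "iframe" and a.get("src"):
            self.targets.append(a["src"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as data; look for location assignments in them.
        if self._in_script:
            self.targets.extend(JS_LOCATION_RE.findall(data))


def looks_like_html(data: bytes) -> bool:
    head = data.lstrip()[:512].lower()
    return any(marker in head for marker in (b"<!doctype html", b"<html", b"<meta", b"<script", b"<iframe"))


def classify_download(filename: str, data: bytes) -> dict:
    """Report the claimed type, whether the magic bytes agree, and any redirects found."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    matches_magic = any(data.startswith(sig) for sig in MAGIC.get(ext, ()))
    result = {"claimed": ext, "matches_magic": matches_magic, "is_html": False, "redirects": []}
    if not matches_magic and looks_like_html(data):
        finder = RedirectFinder()
        finder.feed(data.decode("utf-8", errors="replace"))
        result["is_html"] = True
        result["redirects"] = finder.targets
    return result


# Constructed sample: a "video.gif" that is really an HTML redirect page.
FAKE_VIDEO_GIF = (
    b"<html><head>"
    b'<meta http-equiv="refresh" content="0;url=http://fake-video.example.invalid/watch.php">'
    b"</head><body></body></html>"
)

# Constructed sample: a minimal 1x1 GIF, for the negative case.
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

if __name__ == "__main__":
    for blob in (FAKE_VIDEO_GIF, REAL_GIF):
        print(classify_download("video.gif", blob))
```

The check deliberately trusts the bytes and not the name or the hosting domain: a legitimate host such as files.myopera.com can serve an attacker's upload, and a .gif extension says nothing about what the browser will actually do with the content.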

Of course, the new site will prompt users to "update the video player" with a certain file in order to view the video.

Setup

The file the site would like you to download is cunningly named setup.exe. We detect it as Net-Worm:W32/Koobface.DD, a worm that, incidentally, also spreads via social networking websites.

As usual, be wary of clicking links, whether from a known or unknown sender. And don't forget to change your Friendster account password regularly to avoid abuse.

 
 

 
 
Tuesday, December 30, 2008

 
Curse of Silence, a Symbian S60 SMS Exploit Posted by Response @ 15:34 GMT

An easily reproducible SMS exploit was disclosed and demonstrated today at the 25th Chaos Communication Congress (25C3). The exploit is effective against a wide range of Symbian S60 smartphones and prevents victims from receiving SMS messages.

The Chaos Communication Congress is a popular event among international "hacker" enthusiasts. It has been organized by the Chaos Computer Club since 1984, has been held in Berlin since 1998 and typically takes place between December 27th and 30th.

Today's Security Nightmares 2009 presentation included a demonstration of the Curse of Silence exploit, which was researched by Tobias Engel of the CCC.

According to Engel's research, the exploit affects the messaging components of Nokia Series 60 phone versions 2.6, 2.8, 3.0, and 3.1. Our own tests determined that Sony Ericsson UIQ devices are vulnerable as well.

Versions 2.6, 2.8, 3.0, and 3.1 are also better known as S60 2nd Edition, Feature Pack 2; S60 2nd Edition, Feature Pack 3; S60 3rd Edition (initial release); and S60 3rd Edition, Feature Pack 1 respectively.

That's a lot of numbers…

S60.com has a handy comparison view of many Series 60 phones.

S60.com, Compare Devices

According to Engel's research, the vulnerable phones fall into two camps: S60 versions 2.6/3.0 (2FP2/3) and versions 2.8/3.1 (2FP3/3FP1). That's still too many numbers, so let's just select two phones.

Nokia 6680 — 2nd Edition, Feature Pack 2
Nokia N95 — 3rd Edition, Feature Pack 1.

The vulnerability is very simple to exploit via an SMS message. No special software is required and the message can be drafted from a large number of phones. The message just needs to be formatted in a particular way. (We will not provide exact details here.)

What happens when a vulnerable phone receives the exploit message?

Example 1: on the older 6680, nothing visible happens. Nothing at all… A single exploit message is enough to crash the SMS messaging service. It is a completely silent attack; the victim gets no hint of trouble. The phone simply stops receiving SMS (as well as MMS) messages.

Click here to see some of the phones that fall into the 6680 example's category.

Example 2: on the newer N95, nothing happens until several messages have been sent by the attacker. Once that critical limit has been reached, the phone displays an alert: "Not enough memory to receive message(s). Delete some data first."

SMS Curse Error

The attack messages will not be visible from the Inbox, and deleting previously received messages will not resolve the problem.

There will also be one additional notification on the N95. A blinking envelope, indicating that the Inbox is full, appears in the upper right-hand corner of the display.

Turning the N95 off and on again may return some limited functionality, but that functionality is very fragile. One multi-part message was enough to completely disable our test phone's SMS/MMS service, at which point even cycling the power did not help.

Click here to see some of the phones that fall into the N95 example's category.

Exploited phones will remain otherwise completely functional; only the SMS/MMS messaging is affected. Practically speaking, this also means no SMS notifications of voicemail, though the phone log will display the missed call.

A firmware fix is not yet available. A hard reset is the only manual fix. Note that backing up the phone also backs up the exploit messages and the damaged messaging service, so restoring from such a backup brings the problem right back.

Shameless self-promotion begins:

However, Engel practiced responsible disclosure, which is why we have had time to test the exploit ourselves before today's CCC demonstration. Our Mobile Security solution detects the exploit and can repair affected phones.

The exploit is detected as Exploit:SymbOS/SMSCurse, and Mobile Security can repair an exploited phone without losing any of its stored messages. Messages sent to the phone while its messaging service was jammed will of course be lost.

Hopefully this exploit will not be widely used. We don't see much of a profit motive after all. Still, there were thousands of participants at this year's CCC and many of them saw the demonstration. As easy as it is to utilize the Curse of Silence, someone will surely try this for harassment…

A free seven-day trial of Mobile Security can be downloaded directly to phones from here.

 

We will have a video demonstration available soon.
Update: Info on the video is here.

 
 

 
 
Wednesday, December 24, 2008

 
Safe to Open Posted by Sean @ 12:13 GMT

A few weeks ago, I received the following Instant Message:

Safe to Open

Was it some kind of clever social engineering IM-worm?

Nope, it was just Mikko sharing a link that he found via Alex Eckelberry.

Global Energy Connection PDF

Even though I was sure, I still called out across the room to confirm that he had sent the link…

That's just one of the habits that's reinforced when working in the Response Lab.

 

Stay safe during the holidays. See you next week.

Signing off,
Sean

 
 

 
 
Friday, December 19, 2008

 
websupport.acer.com.tw Posted by Sean @ 17:14 GMT

Our File Analysis Team — they collect non-malicious files — came across an interesting case yesterday. Dzul Aiman was researching available driver downloads from Acer's Taiwanese (.tw) site and discovered something out of place. Maybe the site was hacked?

The list for WindowsXP Desktop drivers…

websupport.acer.com.tw

…included "nc.exe". That's a bit suspicious, don't you think?

websupport.acer.com.tw

That's probably a "driver" that you don't want to download. (Even if it was just Netcat, it still shouldn't be there; a vendor's driver download page is not a trusted source for it.)

The team e-mailed Acer and the issue seems to have been resolved promptly.

So, even those that aren't looking for trouble may still find it. Stay vigilant.

 
 

 
 
Your Computer is Under Investigation Posted by Response @ 07:03 GMT

A mildly amusing sample came in today.

The sample itself is a very simple Visual Basic application. When executed, the unlucky recipient is shown this message:

FBI_WARNING

Clicking the "Warning" button will play an alarm sound over the computer's speakers. Clicking "FBI" will close the form.

The sample also launched the default browser and opened the page www.fbi.gov – the legitimate FBI website.

Other than that, it seems to have no malicious intent and may have been a prank.

Seems rather old-fashioned, considering today's more monetized threat landscape.

Response team post by — KM

 
 

 
 
Thursday, December 18, 2008

 
iSpy an iPhone Spy Posted by Response @ 15:44 GMT

There are some new developments on the mobile security front. Spy tool applications are now available for Apple's iPhone. Symbian and Windows Mobile spy tools have been around for two and a half to almost three years.

Now it would seem that it's finally the iPhone's turn.

One of the two spy vendors appears to require a jailbroken iPhone. They also claim to be the "first and only" spy software. If only that were true. Their application can be installed on 3G model iPhones.

Mobile spy dot com

…and on December 21st, a second option will be available. This vendor's comparison chart claims quality and features over costs.

Note that their application lets you "secertely" spy.

Flexi spy dot com

It isn't entirely clear from their promotional material, but it appears that vendor number two may be able to jailbreak, install, and then un-jailbreak the iPhone during its installation. It can be installed on older iPhones as well as current ones.

We wonder what Apple's position on this will be; will they do anything about it? What do you think?

We won't bother providing these spy vendors with a backlink to our weblog, so if you want to see more, use the addresses in the image below.

The first link in the set is a blog, not a vendor.

Links to iPhone spy tool information

 
 

 
 
Firefox and Opera Patches Posted by Sean @ 13:07 GMT

Just in case you were distracted by yesterday's Internet Explorer update; there are some other browser updates that you should be applying.

Both Mozilla Firefox and Opera have vulnerabilities that should be patched.

Firefox 3.0.5 Security Updates

See our Vulnerability Reports for Firefox 3.x and Firefox 2.x.

Opera 9.6.3 Security Updates

Our report for Opera 9.x is located here.

 
 

 
 
Update: Patch for Internet Explorer Security Hole Posted by Response @ 02:22 GMT

A quick update to our earlier post about the recent critical vulnerability (MS08-078) in all versions of Internet Explorer: Microsoft has released a patch for the vulnerability. More information, including the patch, can be found here.

There have been a number of reports citing thousands of websites (both intentionally malicious and legitimate but compromised) exploiting this vulnerability. You can read more at BBC News and The Register.

Everyone is strongly encouraged to download and apply the patch without delay.

 
 

 
 
Wednesday, December 17, 2008

 
Exploit Shield - F-Secure's Solution to Zero-Day Exploits Posted by Response @ 10:45 GMT

Our previous post highlighted a recently disclosed vulnerability which exists in Microsoft Internet Explorer… and that there are currently websites hosting exploits targeting the vulnerability. Today our Vulnerability Response team would like to offer you our Security Labs' solution, which is now publicly available for download.

We call it Exploit Shield.

Exploit Shield protects against exploits both reactively and proactively. It has both shields and generic heuristics that monitor for and block suspected malicious activity. It logs attack attempts and can also report suspicious URLs to our Real-time Protection Network [1]. New shields are delivered via our automatic update channel servers.

Exploit Shield Technology Preview

Vulnerability Shields offer "patch-equivalent protection". Our Vulnerability Analysts, primarily based in Kuala Lumpur, publish vulnerability advisories and detections (used by our Health Check [2] service). The Vulnerability team then uses that analysis to create exploit shields. A shield either hotpatches the vulnerable code or disables the vulnerable ActiveX control.

Exploit Shield Technology Preview

This is what shield details look like:

Exploit Shield Beta, CVE-2008-3008

The Proactive Measures currently block suspected malicious activity in Internet Explorer and Mozilla Firefox. This component of the beta watches for behaviour common to many types of exploits rather than for any one vulnerability. We've tested the proactive component against a couple of malicious sites targeting the vulnerability, and the attacks were successfully blocked.

Exploit Shield Technology Preview

As noted above, Exploit Shield has the option to report malicious websites that are blocked.

Exploit Shield Technology Preview

What do we do with a reported URL? The Response Lab uses it to respond faster. We have "HoneyMonkey"-like systems that collect the exploit samples, so we can gather more exploits and add signature detections to protect all of our customers. Exploit Shield users thus help contribute to everyone's protection while remaining protected themselves.

You can download a wmv video by Patrik demonstrating Exploit Shield in action.

Exploit Shield wmv



You will find the download link for the beta on our Labs site.

Download Exploit Shield



Our Vulnerability Response team has been working very hard during the last few days to make this beta release ready at this time. Remember, it's still in beta, and you can help them by testing and by providing feedback. A big thank you is due to all those involved.



[1] The current version of our DeepGuard technology uses cloud-based lookups to our Real-time Protection Network. We'll cover that in a future weblog post.

[2] Try Health Check. It's free and helps you update and patch third-party applications.

 
 

 
 
Monday, December 15, 2008

 
Extremely Dangerous Internet Explorer Security Hole - Beware! Posted by Sean @ 18:21 GMT

Updated to add: Microsoft has announced that they will be releasing out-of-band updates for this on December 17th.

Zero-day exploits are actively targeting an unpatched Internet Explorer vulnerability.

Microsoft recently expanded their Security Advisory 961051 to include all versions of Internet Explorer. The vulnerability was originally thought to only affect IE7.

As you can see, it's now a very long list of related software:

Microsoft Security Advisory 961051

There are a number of (perhaps cumbersome) workarounds that may provide some mitigation:

Microsoft Security Advisory 961051

More bad news: SQL injection attacks are being used to compromise legitimate websites so that they host the exploit, turning trusted sites into malicious exploit hosts.

You can read additional details at Security Fix and eWeek.com.

http://www.eweek.com/c/a/Security/Hackers-Compromise-Legit-Web-Sites-to-Target-Microsoft-IE-Flaw/?kc=rss

Someone in the eWeek advertising department is trying to tell you something.

…and a tip of the hat goes to Camillo for providing the subject line to this post.

 
 

 
 
Fake Friendster and Facebook Sites with One IP Address Posted by WebSecurity @ 02:20 GMT

One IP address that provides twice the fakery…

We spotted this fake Friendster website at http://friend[...]ter.com. The website steals the e-mail address and password information entered by an unsuspecting visitor who arrives at this page thinking it's the actual Friendster site.

Fake Friendster

Links to the fake website are propagating through malicious comments sent from the compromised accounts of friends in the Friendster network. The links are also included in the infected friend's profile.

Comments

Interestingly, on further analysis, the domain http://friend[...]ter.com also pointed to a fake Facebook page as its main page!

Fake Facebook

This fake domain was registered recently in China, and is hosted in China as well. We traced the IP address and noticed that it was hosting quite a few other fake social networking websites — MySpace, Friendster, Facebook, et cetera.

register

IP address

WebSecurity team post by — Chu Kian

 
 

 
 
Friday, December 12, 2008

 
Greetings from India! Posted by Mikko @ 13:48 GMT

AVAR 2008

The AVAR 2008 conference is in full swing in New Delhi. Almost all antivirus companies are represented in this global conference.

Recent terror attacks in India were fresh in memory and indeed the conference was started with one minute of silence to honor the victims.

AVAR 2008

The terror attacks had an indirect toll on the conference as well, as seven speakers had canceled their trips. The organizers were happy to get replacement talks from the brave Peter Szor (Symantec), Andrew Lee (K7) and Randy Abrams (ESET).

My keynote presentation covered the initiative for "Internetpol": the need to get better global IT law enforcement in action to really focus on getting online criminals behind bars.

Photo by Luis Corrons / Panda Security

Other notable presentations included "Exploiting anti-virtualization techniques" by Andrew Lee. Many viruses won't execute if they detect the presence of a virtual machine. Andrew was using this feature against the malware itself by installing a fake VM on a real machine. As an end result, many types of malware wouldn't run at all. Neat.

Eugene Kaspersky also gave an excellent overview of the worsening situation. He highlighted how criminals have adopted business models, except that instead of B2B (business-to-business) we're now seeing C2C (criminal-to-criminal).

AVAR 2008

And Vincent Weafer from Symantec presented their latest research into underground IRC networks and how large scale this is. Over a year, they monitored over 60,000 distinct advertisers on these boards, selling malware, botnets and stolen information.

Another interesting presentation was by Swanand Dattaram Shinde from India's Quick Heal. He spoke about how the local terrorist groups use the Internet for communication, recruiting and propaganda, and even to make online threats. No cases of real cyber-terrorism though.

And here's something you don't see every day. All electricity got shut down twice during the second day of the conference. Andrew Lee was on stage and he did not miss a beat. He simply raised his voice and carried on…

AVAR 2008

Signing off,
Mikko

AVAR 2008

 
 

 
 
Thursday, December 11, 2008

 
Video - Data Security Summary Posted by Sean @ 17:16 GMT

The video that we mentioned last week is now online.

There's a link from the security summary, or else you can check it out from the lab's YouTube channel.

2008Q4H2 Security Summary Video

 
 

 
 
Faking It Posted by Response @ 05:20 GMT

Got a copy of the "Homeview Installer" today which looked harmless enough…

During installation, it runs the user through a series of procedures that look pretty routine.

Agent.FLN fake installation screen

If I try to cancel the installation at the first screen, it is nice enough to ask me if I really want to continue…

Agent.FLN quit installation screen

And if I change my mind and install it anyway…

Agent.FLN fake installation screen

Agent.FLN fake installation screen

But when installation is "completed successfully", it turns out Homeview isn't really installed.

Agent.FLN no homeview

There's just an uninstaller file that, true enough, really does remove the Homeview folder from the Program Files, and the Homeview-related registry entries.

So it really just came and went without doing anything… Oh wait, it installed Trojan:W32/DNSChanger.ARNF and none of my clicks even mattered.

Crafty little thing.

Just a reminder — do be wary of executing any file you download or receive via e-mail, if you are unsure of its trustworthiness.

Response team post by — Christine

 
 

 
 
Tuesday, December 9, 2008

 
Bank of America's New Banking Site Posted by Patrik @ 19:22 GMT

As Christine mentioned earlier today in her post on Koobface and how it uses fake Flash players to trick people into downloading malware, a smart move is to download Adobe Flash Player only from… Adobe!

Here's another example of a social engineering scam, this time using a new Bank of America online banking system.


boa_flash_mail.jpg

Clicking on the link leads to a fake BoA page with a "video" showing what the new site looks like. To view it, you have to download an updated Flash player.

boa_flash_video.jpg

If you run the fake Flash player, it downloads another file from premierinet.com, which in turn is a trojan that hides itself with a rootkit, steals confidential information and posts it to a server in Ukraine.

Again, we recommend that you only download Adobe Flash Player from Adobe's website here.

Updated to add: The fake Flash player that the "BoA" site is providing is a new variant of the one detected on November 5th, used by the Obama election spam.

Both the Obama and the BoA variants post their stolen data to IP addresses within the same block; the two are almost identical.

Update 2: Domains we've seen used to host the fake BoA page:

– demobankofamerica .com
– bankamericademo .com
– serverdemobank .com
– demoversions10 .com

Subjects of the spammed e-mails:

– Bank of America – Always Free Customer Service Demo Account, Try for FREE
– Bank of America – learn how to trade with the Demo Dealer Station below
– Bank of America – We Give You The Tools You Need. Try A Free Demo Account!
– Bank of America – New Demo Account, Try for FREE
– Bank of America – Demo Account Set Up
– Bank of America – Demo account
– Bank of America – Open A Demo Account
– Bank of America – your Demo Account username and passcodes will be generated and emailed to you.
– Bank of America – DEMO ACCOUNT not working
 
 

 
 
You've Got Comment! Posted by Response @ 02:19 GMT

There's nothing like social networking sites to keep people connected and worms propagating, such as the new and improved Net-Worm:W32/Koobface.CZ. A little infection equals a little comment on someone's little site somewhere.

This version of Koobface targets the following sites, whose names are embedded in its body:

– bebo.com
– myyearbook.com
– blackplanet.com
– facebook.com
– myspace.com
– friendster.com

It also has its own site, from which it fetches more data, updates and of course the comments that it posts to the targeted websites. The site hosts plenty of comments (and the corresponding links) for the worm to use. Here are some of them:

– COMMENT: Are you sure this is your first acting experience?
– LINK: http://finditand .com/go/be.php?0e9c60ch=d41d8cd98f00b204e9800998ecf8427e

– COMMENT: is it u there?
– LINK: http://findit12 .com/go/be.php?e7883ch7=d41d8cd98f00b204e9800998ecf8427e

– COMMENT: impressive. i'm sure it's you on this video.
– LINK: http://find-notall .com/go/be.php?70dd4ch=d41d8cd98f00b204e9800998ecf8427e

– COMMENT: How can anyone get so busted by a spy camera?
– LINK: http://find-allhere .com/go/be.php?50ch=d41d8cd98f00b204e9800998ecf8427e

– COMMENT: You're the whole show! i'm admired with you
– LINK: http://freemarksearch .com/go/be.php?ch23=d41d8cd98f00b204e9800998ecf8427e
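The links above all share one template: a throwaway domain, the path /go/be.php, and a single query parameter whose value is the same 32-hex string (d41d8cd98f00b204e9800998ecf8427e, which is the MD5 of the empty string). As an added example, not code from the original post, here is a small detector that flags comments carrying that template. The three malicious samples reuse comment texts and links from the list above, still defanged with a space before the TLD exactly as printed there; the two benign comments are constructed.

```python
"""
Flag social-network comments that carry the Koobface.CZ link template listed
above. Added example, not code from the original post. Malicious samples are
taken from the post (defanged as printed there); benign samples are constructed.
"""
import hashlib
import re
from urllib.parse import parse_qsl, urlsplit

# Every link in the post has the same shape:
#   http://<throwaway domain>/go/be.php?<short token>=<32 hex chars>
# and the 32-hex value in all of them, d41d8cd98f00b204e9800998ecf8427e, is
# MD5 of the empty string, which makes the template unusually easy to match.
MD5_OF_EMPTY = hashlib.md5(b"").hexdigest()

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
TOKEN_RE = re.compile(r"[0-9a-z]{1,16}", re.I)
HEX32_RE = re.compile(r"[0-9a-f]{32}", re.I)


def refang(text: str) -> str:
    """Undo the 'example .com' defanging used in the post so the URLs parse."""
    return re.sub(r"\s+\.(?=[a-z]{2,})", ".", text, flags=re.I)


def is_koobface_link(url: str) -> bool:
    """True if url follows the /go/be.php?<token>=<32hex> template."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/go/be.php"):
        return False
    params = parse_qsl(parts.query, keep_blank_values=True)
    if len(params) != 1:
        return False
    token, value = params[0]
    return bool(TOKEN_RE.fullmatch(token)) and bool(HEX32_RE.fullmatch(value))


def scan_comments(comments):
    """Return (original comment, matching link) for each comment that carries the template."""
    hits = []
    for text in comments:
        for url in URL_RE.findall(refang(text)):
            if is_koobface_link(url):
                hits.append((text, url))
                break  # one report per comment is enough
    return hits


SAMPLE_COMMENTS = [
    # From the post (defanged as printed there):
    "Are you sure this is your first acting experience? "
    "http://finditand .com/go/be.php?0e9c60ch=d41d8cd98f00b204e9800998ecf8427e",
    "is it u there? http://findit12 .com/go/be.php?e7883ch7=d41d8cd98f00b204e9800998ecf8427e",
    "How can anyone get so busted by a spy camera? "
    "http://find-allhere .com/go/be.php?50ch=d41d8cd98f00b204e9800998ecf8427e",
    # Constructed benign comments for the negative case:
    "great pictures from the trip! http://example.com/photos/album.php?id=42",
    "see you at the party on friday",
]

if __name__ == "__main__":
    for text, url in scan_comments(SAMPLE_COMMENTS):
        print("KOOBFACE?", url, "<-", text[:40])
```

Matching on the URL shape rather than on the domains is deliberate: the worm rotates through disposable domains (five different ones in the short list above), while the path and parameter template stay fixed, so a blocklist of domains would lag behind and a template match would not.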

Here's an example of one of the comments:

koob blog

And of course when the person clicks the link, out comes YouTube!

fake youtube

Er, I mean YuoTube... momentary dyslexia there... my bad.

koob title

Which of course contains an "update" for your Adobe Flash player, because the site is so sure that your player is outdated. Don't argue with its superior wisdom.

And when you execute that file in your system… well, let's just say you've gone and summoned his older brother — Net-Worm:W32/Koobface.CY.

Response team post by — Christine

 
 

 
 
Friday, December 5, 2008

 
Macs are totally secure out of the box? Posted by Patrik @ 17:11 GMT

There has been a lot of talk (link 1, link 2, link 3) during the last few days about a support article that seemingly appeared on Apple's website. In the article, Apple advised users to install antivirus software to make sure their computers are safe. It took people by surprise because Apple has previously said that Mac users don't have to worry about antivirus software.

Turns out the support article was from 2007 and has now been pulled from Apple's site. Apple also issued a statement saying that the article was outdated and that Macs really don't need antivirus because they are so secure. Quoting a spokesperson from Apple:

"The Mac is designed with built-in technologies that provide protection against malicious software and security threats, right out of the box."

That's just silly.

While there is much less malware out there for Macs, it definitely exists, and Mac users are as likely as PC users to fall victim to traditional e-mail-based phishing attacks. Not to mention all the security vulnerabilities that Apple has fixed this year which fortunately weren't exploited but easily could have been.


Apple Security

The fact is that yes, Mac users are much less likely to get hit by malware, but that doesn't mean they can be totally careless and ignore potential threats altogether. Use common sense, and if you want to be extra safe, do install antivirus software.
 
 

 
 
Creating MS08-067 Exploits Posted by Mikko @ 11:10 GMT

We are seeing a fair number of infections exploiting the MS08-067 vulnerability.

Most of these belong to a worm family that goes by the names Downadup, Conficker, or Kido.

We have also discovered several Chinese tools that are being used by the underground to create files that exploit this vulnerability.

Below you'll see some screenshots of such tools.

ms08-067 exploit-builder screenshots (four images)

 
 

 
 
Wednesday, December 3, 2008

 
Data Security Summary - July to December 2008 Posted by Sean @ 15:45 GMT

Our end-of-year data security wrap-up is online at f-secure.com/2008.

Threat Summary H2-2008

The video will follow next week.

 
 

 
 
Monday, December 1, 2008

 
Pimp My Backup Posted by Sean @ 14:36 GMT

One of our project teams has a beta that they'd like to advertise.

"How many photos do you have on your computer? Documents? E-mail messages, letters, and receipts of your online purchases? What happens to your files if — when — your hard drive fails?"

We currently have an active beta pilot program for F-Secure Online Backup 1.1 and would like you to try it out. However, act quickly, as we have only a limited number of beta licenses to give. For more information and to join this project, please click here.

Update: Due to an overwhelming interest, all of the beta licenses reserved for this project have been taken. Thank you to those interested in participating.

Setup:

F-Secure Online Backup Service for Consumers