NEWS FROM THE LAB - December 2009


Thursday, December 31, 2009

It's almost 2010, yearly round of new year related malware is going on. Posted by Jusu @ 10:33 GMT

The first signs of New Year's malware for 2010 were already sighted a while back, but the current one we're seeing in circulation wishes "Happy New Year 2010" and points to a fast flux domain site which serves up Trojan-Downloader:W32/Agent.MUG.

This particular trojan will try to install further malware, though the content it's pointing to seems to not yet be online, at least at the time of this post.

Be careful when reading electronic happy New Year's wishes also this year.

F-Secure Labs wishes all our readers happy and malware free New Year.


Tuesday, December 29, 2009

Y2K Posted by Mikko @ 12:17 GMT

It's now the end of the year.

At the end of 1999, IT professionals around the world were busy overhauling computer systems to make them 2000 compliant. This meant double-checking all legacy software and hardware to make sure the century roll-over wouldn't cause problems.

y2kWhat was the problem then? For example, if in 1997 a program tried calculate the age of a person by subtracting current year from his birth year of 1965, it might simply do it as a calculation of 97-65, concluding correctly that the person is 32 years old. Obviously after the decade changed, the calculation would fail: calculating 00-65 would tell that this person is minus 65 years old. Making software Y2K compliant meant combing through source code of all software using dates and converting them to use four-digit years – as 2000-1965 would again compute correctly.

An enormous amount of work hours and money was spent to fix these problems.

And this work did not go to waste. The global Y2K project was a success; when January 2000 came around, most systems were already checked and fixed, and only minor problems were reported.

Unfortunately this wasn't enough. A huge hype had been generated around the problem. Mainstream media was forecasting major failures, power outages and rioting for 1st of January. And there was no shortage of salesmen trying to cash in with the hysteria. For examples, check out these products on The Millennium Bug and Y2k Family Survival Guide on Video with Leonard Nimoy.

Y2k Family Survival Guide on Video with Leonard Nimoy  The Millennium Bug  

At the time it wasn't easy trying to convince people that Y2K projects will finish in time and that running out of food wasn't likely.

Then the year changed with little fanfare.

Immediately after the New Year mainstream media was quick to point out that since there were no major Y2K problems, the whole effort to find the bugs was unnecessary to begin with. In reality the millions invested in Y2k compliance prevented real-world problems.

Bizarrely, some people still today believe that there was no need to worry and computer systems would have worked fine without any extra effort.

So what does all this have to do with F-Secure? Not much, except that some people were expecting to see loads of viruses to appear over Y2K. We never saw any logic in this, but to ease concerns, we did set up a special Y2K Watch helpdesk over New Year 2000 to monitor things.

Interestingly, that Y2K Watch ten years ago was the first time we used a blog format to spread information. The page for the original F-Secure Y2K Watch Real-Time Status Updates is available here, with newest posts on the top. Entries are from December 31st 1999 to January 3rd 2000. The page also includes several real-world examples of the minor Y2K problems that were reported around the world at the time.

So what's next? Well, The Year 2038 Problem is just around the corner. If you're taking a 25-year mortgage and your bank's systems aren't 2038-compliant, you might run into this already in three year's time…

Edited to add: Some Y2K fixes in 1999 were real quick-hacks. For example a logic like this could have been applied: IF YEAR < 10 THEN YEAR = YEAR + 2000 ELSE YEAR = YEAR + 1900. Hacks like that would create problems now, in 2009 and 2010. For a real example, see one of the comments left to this post.


Thursday, December 24, 2009

Merry CHRISTMA EXEC Posted by Mikko @ 08:29 GMT

Once again, we'd like to wish our readers Merry Christmas with a reference to the 1986 CHRISTMA EXEC worm.


Here's a link to January 1987 Risks Digest, discussing the worm.

And here's a link to the original source code for this worm. Normally we wouldn't link to malware code, but hey, it's 23 years old.


Tuesday, December 22, 2009

Jobs and Money Mule Scams Posted by Response @ 05:09 GMT

With the unemployment rate rising, websites advertising job listings have been mushrooming. Some are the real deal, and some are not. We have also seen an increase in spam e-mails regarding job offers.

We came across this particular spam e-mail that has been circulating, looking for someone to be a money mule:

Money Mule Scam

If you try going to the domain mentioned in the spam, you will be redirected to a job listing site that lists jobs in Finland by industry.

Interestingly, when you check the IT & Internet job listings and proceed with any of the jobs listed:

Fake FS Jobs

You will find a fictional F-Secure recruiter listing, complete with our contact information:

Fake FS Jobs Recruiter

Apparently, we're looking to fill about 200 positions in our Helsinki office.

Just to be clear — those are definitely not authorized offers from us. The rest of the site is full of work from home offers and other slightly suspect listings.

Be careful out there if you're looking through job sites.

Oh, and if anyone out there would like to join F-Secure, please browse the job listings on our official website or a trusted source.


US Chief of CyberSecurity Posted by Alia @ 03:50 GMT

After months of negotiations, US President Barack Obama has finally chosen a Chief of CyberSecurity – Mr Howard A Schmidt. Confirmation of the appointment is expected shortly.

Mr Schmidt, who previously served with the Bush administration as a cyber security official, comes to the job with an impressively lengthy list of credentials.

The new Chief will essentially be the administration's go-to man for any coordinated efforts to deal with cyber threats and will be reporting to the National Security Council.

After a fairly eventful year of cyber attacks and the related media frenzy, it's nice to see someone finally willing to take up the challenge of dealing with it all. It also promises an interesting 2010.

Best of luck to the new Cyber Czar.

More details in this New York Times article.


Monday, December 21, 2009

Brittany Murphy SEO Posted by WebSecurity @ 09:20 GMT

Just a quick note — the sudden death of Hollywood celebrity Brittany Murphy last Sunday (BBC report here) has prompted a spike in searches on the subject — and of course, an SEO attack.

Users who click on a poisoned search result link will be redirected to a website that will display a scare message trying to panic users into downloading rogue AV software:

Screenshots of the rogue AV:

Brittany Murphy SEO

Brittany Murphy SEO

We detect the rogue AV as Trojan-Downloader:W32/Fakevimes.T.

Absolutely bog standard SEO attack — but still worth a warning to those who might be looking for more news on the event.


WebSecurity post by — Chu Kian


Friday, December 18, 2009

Steam Phishing Posted by Mikko @ 13:55 GMT

Steam from Valve is the largest digital distribution network in the world, with over 20 million active users.

This is how people today buy their PC games and other content.

In many ways, Steam is a competitor for iTunes.


And just as there are phishing attacks to steal iTunes accounts, there are phishing attacks against Steam as well. After all, they both have money in them.

Here's an example attack, trying to steal Steam credentials via the Steam Community social network side of Steam. Real URL is Wrong URL is


They do look quite similar, don't they?

The fake domain is registered to Mr. "Jay Will", who lives on 69 Lane, Los Angeles…


Be careful out there…


Detailed Report of Ikee.B iPhone Worm Posted by Mikko @ 10:28 GMT

SRI International has published an excellent technical report on the Ikee.B botnet that replicates on jailbroken iPhone devices.

The full report can be viewed here.


We're glad we were able to provide technical details for this report regarding the attack it does against an online bank.


Thursday, December 17, 2009

Merry Christmas, Idiot Posted by Mikko @ 08:20 GMT

It's not a huge surprise that we are seeing some malware spam runs where the malicious attachment attempts to portray itself as a Christmas Greeting of some sort.

Here's an example from today (md5: C670165AE6DFA8318F0EA795B1D3AD55). This one is actually a Zapchast (IRC bot variant).

The "Christmas Card" requires it's own "special version" of Flash to be installed — flashplayer2009.exe — which is the malware itself.

Once ready, it will display this friendly message written in Universal Gibberish.


Pay attention to the cheerful filename used for this message — idiot.jpg.

F-Secure Anti-virus detects and removes this as Backdoor.IRC.Zapchast.AVL.


Wednesday, December 16, 2009

How Not To Redact Confidential Information Posted by Mikko @ 13:59 GMT

We read with interest about yet another PDF redaction snafu.

In this case it was the attorney of TJX / 7-11 hacker Albert Gonzales, who posted an indictment that was redacted digitally and posted online as a PDF file — making it trivial to recover the original unredacted text.


Last week the US Travel Security Authority (TSA) sacked 5 persons for posting a digitally "redacted" security guideline document online.


Most people who know about digital redaction problems think it's just about being able to copy and paste the redacted texts of the document.

But in fact it's a much deeper problem. Most users only have a PDF Reader on their system (and most of those have specifically Adobe PDF Reader, unfortunately).

So because they can only read PDF files, they consider them PDF files to be read-only. This is not true.

Even most of the users who do create PDF files do it with a virtual printer. So they prepare the file in, say, Word, then just "print" it to a PDF file.

However, there's a wide variety of PDF Editors available. With a PDF Editor, you can open up any PDF file and modify it in any way you want. This includes being able to select the redaction black boxes and moving them away, uncovering the content underneath.

Here's a video from our YouTube channel that shows just how easy it is.

(Video — How Not To Redact a PDF File)

So, how to publish these securely then?

It's easy. There are several ways. We recommend the following…

Print the redacted document to paper.

Then scan it back as a PDF file.

Blam! No problems.



Tuesday, December 15, 2009

Adobe Acrobat 0-Day Analysis Posted by Sean @ 13:08 GMT

There's a 0-Day PDF exploit taking advantage of a vulnerability found in Adobe Reader and Acrobat 9.2 and earlier. Adobe has issued an advisory on their PSIRT blog.

The screenshot below, pulled from our automation, shows that when the PDF file is opened in Adobe Acrobat/Reader it attempts to download an executable file. The server has been abused but is currently active.

Adobe, CVE-2009-4324, sample 0805d0...

The executable that is downloaded searches for and encrypts certain files and then uploads them to another server. This server is currently online and its contents are publicly browsable.

The machine name and the IP address of the compromised machine are included.

Here's an example:

Adobe, CVE-2009-4324

Based on the numbers of files found on the upload server, it appears that this exploit is only being used in targeted attacks.

But that could easily change…

Disabling Acrobat's JavaScript option may offer some mitigation.

You might also install an alternative PDF reader, many good ones are available for free.

Adobe is now on a scheduled quarterly update cycle, with security patches coming as needed on the same day as Microsoft's updates. It could be January 12th before Adobe publishes a fix.

We detect the following:

The exploit as Exploit:W32/AdobeReader.Uz.
The downloaded file as Trojan-Dropper:W32/Agent.MRH.
The dropped files as Trojan:W32/Agent.MRI, Trojan:W32/Agent.MRJ, and Rootkit:W32/Agent.MRK.

— Read More —

  •  Shadowserver – When PDFs Attack II - New Adobe Acrobat [Reader] 0-Day On the Loose
  •  Security Fix – Hackers target unpatched Adobe Reader, Acrobat flaw
  •  The Register – Unpatched PDF flaw harnessed to launch targeted attacks


Updated to add: According to Contagio Malware Dump, some of the original targeted attack emails looked like this:

   From: Rachel Millstone
   To: (redacted)
   Date: Dec 11, 2009 3:12 PM
   Subject: reference
   Dear All
   Please find attached the updated country briefing notes, and staff lists.
   kind regards
   Attachment: note_20091210.pdf

   To: (redacted)
   Date: 2009-12-13 12:14 AM
   Subject: Interview Request
   This is Fureer Angelica, diplomaic broadcaster for CNN in DC.
   There's growing concern about the U.S.-North Korea bilateral talks.
   So, we're planning an Interview about them.
   Attached is the outline of the interview.
   p.s. Detailed schedules will be followed soon if you accept the offer.
   Attachment: File outline_of_interview.pdf

   To: (redacted)
   Subject: reference
   Date: Mon, 30 Nov 2009 06:53:52 +0000
   Dear All
   Please find attached the updated country briefing notes, and staff lists.
   kind regards
   Attachment: note200911.pdf


Updated to add: Adobe has published an updated Security Advisory. They plan to make an update available on January 12th.

Also noteworthy, this PDF vulnerability has been added to Metasploit.

Monday, December 14, 2009

Security Threat Forecast 2010 Posted by Response @ 14:44 GMT

Here are our predictions for 2010 based on this year's threat analysis.

Predictions  •  Windows 7 will gain market share during 2010. Windows XP will drop below 50% market share overall and will thus reduce the amount of "low hanging fruit." This will improve Internet security in affluent countries and it will perhaps begin to create malware ghettos in less affluent countries as cyber-criminals concentrate their efforts on the remaining installed base of Windows XP. Whether attackers continue to focus on Microsoft Windows alone or whether they diversify to include OSX and mobile platforms remains to be seen.

  •  Real-time support in search engines such as Google and Bing will affect the frequency and manner of Search Engine Optimization (SEO) attacks.

  •  The 2010 FIFA World Cup (soccer for those of you in the USA) will generate a good number of related trojans, fake ticket shops, spam, online shop hacking, and DDoS attacks. There could already be SEO attacks months before the matches actually take place in June. South Africa's mobile phone networks will be a hotbed of activity during the games.

  •  Web search results leading to "location based attacks" using geo-location IP address techniques will increase. They will be localized in terms of language, current news events, and even regional banks that they target.

  •  There will be more attacks against online banks with tailor-made trojans.Predictions

  •  There will be more iPhone attacks, possibly also proof-of-concept attacks on Android and Maemo. We could also see a 0-day vulnerability used in a large scale exploit.

  •  More snowshoe spamming.

  •  At least one large-scale DDoS attack against a nation-state is likely.

  •  We may see a large-scale internal attack against a target such as Google Wave.

  •  There will be more attacks on social networks such as Facebook, Twitter, Myspace, Linkedln, etc. Facebook has now reached 350 million accounts and its growth doesn't yet show signs of slowing. This concentration of people and data is a very tempting target for cyber-criminals to exploit.

  •  As Internet search engines and social networking sites work towards "social search results", we'll see black hat social search optimization attacks.

  •  As more people connect via mobile networks, the amount of traffic and activity such as banking, gaming, and social networking increases in step. With mobile banking and in-game purchasing gaining popularity, the financial motivation becomes stronger to spy on such transactions. Integrated social networking applications are also driving mobile phones users to be "always connected." Cyber-criminals will use social engineering to exploit this trend.

  •  Attacks related to online games will continue. Such sites and games are particularly popular in the Asia-Pacific region. Not enough focus is put on securing them and the problem will be further fueled by the fact that many users are younger and therefore more vulnerable to experienced cyber-criminals.

  •  There will be significant data base compromises that lead to tailored attacks. Cyber-criminals now have the resources to analyze, plan, and carry out mass-targeted attacks.


Friday, December 11, 2009

DNSChanger Trojans & Modems Posted by Alia @ 01:42 GMT

Quick note: we're still occasionally getting reports of DNSChanger trojan variants altering the DNS information on both the infected system and on certain ADSL modems. It's an old, unsophisticated problem, but more awareness of it can't hurt.

There are a couple twists on the basic strategy — the trojan may modify the modem's settings to use a rogue DNS server (that serves tainted information) or it can install a DHCP driver on the modem. Either way, it redirects users to a malicious site doing drive-by downloads.

The trojan gets access to the modem's settings by brute-forcing the user name and password, which many people leave set as default. A simple, user-doable prevention measure is to change the default to a strong password. We've got a couple of previous posts (May 26, October 7) on how to do this.

For our users, if the infection was already on the computer before our product was installed, the product will clean up the infection on the computer, but the modem settings will still point to the rogue DNS server.

To clean out the modems, its settings need to be manually reset. Instructions would be specific for each modem type, so if necessary call your ISP for more details.


Thursday, December 10, 2009

New Wave of SQL Injection Attacks Posted by Chang @ 20:17 GMT

Reports have reached us of a fresh SQL injection attack that has compromised many websites. A Google search of the malicious iframes used in the attacks nets over 100,000 hits:

Google search results for SEO attack

As is typical, the initial iframes lead to HTML pages, which load iframes containing obfuscated JavaScript, which then attempts to exploit the unfortunate visitor. A successful exploit leads to a download of a malware of the Buzus family.

We already detect the malware binary as Trojan.Generic.2823971 with our latest Internet Security 2010 databases and as Trojan.Win32.Buzus.croo in our other products.


Tuesday, December 8, 2009

Critical Adobe Flash Update Posted by Sean @ 15:14 GMT

It's the second Tuesday of the month and there are important updates being released.

From Microsoft, of course, but also from Adobe.

Adobe Security bulletin APSB09-19

There's a critical security issue in Adobe Flash Player and earlier.

It's important that organizations deploy these updates before the Christmas holiday reduces IT staffing. Fortunately, this patch cycle is as early as can be landing on the 8th so there's still time to test and deploy.

  •  Adobe Security Bulletins and Advisories
  •  Microsoft Security Bulletin for December 2009


Monday, December 7, 2009

"You are signing in from an unfamiliar location." Posted by Sean @ 15:00 GMT

I recently took a sudden and unexpected trip to Norway. During my time there I needed to quickly update my family and friends as to my situation. How does one do that when one's family and friends span the globe?

I use Facebook.

Sure, I can use my phone to contact my most immediate family. But that's a challenge due to time zone differences.

Europe, America, Australia, who the heck can keep track of what time it is when you're in the middle of something urgent and haven't slept in two days?

Utilizing Facebook as a micro-blog worked perfectly (I don't use any third-party applications and have a rather limited profile).

And while accessing Facebook from Norway, I received the following prompt:

You are signing in from an unfamiliar location. For your security please verify your account.

Great. This seems like an excellent idea.

Facebook offers many language localizations based on location and it seems that some of this user data is logged, and if an account is accessed from an unfamiliar location, the user is challenged.

Only one problem — Please enter your birthday?

That has to be the single most shared bit of information on Facebook… it's not much of a "challenge" to answer that question.

We've earlier noted Facebook's problem of using security challenge questions based on social information.

Still, I quite like the idea of challenging the user when they access a web-based service from an unfamiliar location. It is a good anti-phishing effort and there are others that could implement it as well. Many of Google's services come to mind. Google certainly does it fair share of IP tracking and they could easily use this type of information for their users' benefit.

Signing off,

P.S. Dag and Ivar, your help was really invaluable. Thank you.


Friday, December 4, 2009

NYTimes Tech Talk Posted by Sean @ 14:28 GMT

Mikko has been traveling this week, and along the way, he stopped by the New York Times to participate in their Tech Talk Podcast.

NYT Podcast, Techtalk

Here's a direct link to the MP3 file. Mikko's interview starts at about 12m 40s.

I enjoyed the entire podcast, particularly Bettina Edelstein's segment on traveling in Amsterdam with only an iPhone as her link to the Internet.

Signing off,

P.S. Regarding iPhones, there's a post on Slashdot regarding the potential of iPhone Spyware using nothing more than Apple's public APIs. The information isn't anything groundbreaking but it's presented very well and is worth a look.


Thursday, December 3, 2009

Who is fr3sh_card3r_rz? Posted by Sean @ 13:45 GMT

We often come across interesting details during our data mining.

For example, take a look at the following domain registrant information.

Notice anything interesting?

     Domain Name: BENINECOB.COM
     Eco Bank
     David Kieselstein (
     81 fair hill drive
     westfield, New Jersey 07090

     Domain Name: S-CFS.COM
     Citizens First Bank
     Monica Lewinsky (
     390 lewinsky ave
     hull port mn,49309

     Domain name: NORDEABANKAB.COM
     Nordea Bank Ab
     Emilia Martins (
     1015 E Wylie St
     Bloomington, Indiana 47401

     Domain name: BOF-IRELAND.INFO
     Bank of Ireland
     Patricia Jones (
     Rainwood Apts 1885 Harper Dr A
     Lake City 30260

     Domain name: FIN-VB.COM
     First Investment Bank
     Don Spusta (
     1878 algonquin ave
     deltona, Florida 32725

     Domain name: IRBUK-OFFICE.COM
     UK Inland Revenue & Customs
     West john (
     564 galant dr
     wincostin mn,48493

     Domain Name: KCW-UK.COM
     Commonwealth Bank UK
     Monica Lewinsky (
     390 lewinsky ave
     hull port mn,49309

Monica Lewinsky? Clearly, that's BS.

But how about this

This e-mail address has been used to create fake bank sites as far back as July 2008.

Using fr3sh card3r… that is pretty bold, eh?


Video - Data Security Wrap-up 2009 Posted by Response @ 11:08 GMT

Our end-of-year Data Security Wrap-up video was published yesterday.

You can watch it via the lab's YouTube Channel:

Data Security Wrap-up 2009
Data Security Wrap-up 2009

You'll also find and written summary and links here:


Wednesday, December 2, 2009

FIRST-TC in Kuala Lumpur Posted by Alia @ 05:09 GMT

November 30th is World Computer Security Day. In conjunction with the event, the Forum of Incidence Response and Security Teams (FIRST) held a Technical Colloquium in Kuala Lumpur, which a few Analysts from our KUL Response Lab attended.

There were a number of interesting presentations, mostly dealing with the state of the Internet or the threat landscape today. There were also more technical demonstrations related to use of malware analysis tools.

Numerous speakers touched on the notorious Conficker epidemic, including Richard Perlotto (Shadowserver Foundation) and Ryan Connolly (Team Cymru). The talk by Roland Dobbin (Arbor Networks) meanwhile dwelt mostly on the preparedness of web operators to deal with DDoS attacks, with reference to the recent Republic of Korea and US Independence Day DDoS events.

Presentation at FIRST-TC

Jacomo Piccolini (ESR/RNP) presented a few instances of Brazilian-specific malware, particularly banking Trojans. Even though some were using interesting new tricks, even the simpler malware were disturbingly effective due to good, old fashioned social engineering. To prove his point, he also demonstrated just how easy it was to do social engineering — on the audience. Ouch.

Alex Tilley (image above) from the Australian Federal Police (AFP) gave a very interesting overview of a database hack that involved millions of Australian domains. Also included was an entertaining and illuminating attempt to explain cybercrime by comparing it to drug trafficking.

The first day of the Colloquium was closed with a swanky dinner and the official launch of CyberSecurity Malaysia's promising new Malware Research Center.