NEWS FROM THE LAB - December 2010


Thursday, December 23, 2010

Merry Christmas and Happy Security Advisory 2488013 Posted by Sean @ 13:40 GMT

There's an unpatched Internet Explorer 6, 7, and 8 vulnerability in the wild. Drive-by exploitation could allow remote code execution. Reports are that Metasploit already has a module available. There's a concise write-up at SANS Diary, and Microsoft's Security Response Center has more extensive details.

If you're visiting with family over the holiday weekend, and somebody's received a new computer from Santa, and they don't use IE by default, then why not try out Windows 7's turn off Internet Explorer option?

Turn Windows features on or off

If you don't use it, lose it.

We at F-Secure Labs wish you have a safe and happy holiday weekend.

Here in Helsinki, it's a white Christmas (and a cold -21°C/-6°F).

The view from F-Secure's Helsinki headquarters

Hyvää joulua


Wednesday, December 22, 2010

Social Spam Q&A Posted by Sean @ 16:35 GMT

Q: What is "social spam"?
A: Social spam is spam that uses social networking, media and news related websites to spread links.

Q: Links? You mean stuff like those links I see on Facebook saying something like "OMG! Father catches his daughter on webcam"?
A: Yes. Those links.

Q: And just how does spreading salacious links payoff for the social spammer?
A: First, let's discuss how e-mail spam works.

Q: Well… alright then, what about e-mail spam?
A: E-mail spam is similar to real world junk/bulk mail, the stuff that clogs up your mailbox at home. A product owner wants promotion, so he hires somebody to distribute advertising. The bulk mailer (spammer) offers prices/rates based on the number of ads to be distributed.

Q: Sounds rather straightforward. So how does an e-mail spammer get paid?
A: Could be a number of ways, but generally, you'll pay upfront for X amount of messages distributed. E-mail spammers compete with one another by attempting to offer better services. They also try to guarantee that their address lists are validated (live) accounts and thus a better quality than the other guys.

Q: So e-mail spam is a traditional product owner to advertiser relationship?
A: Right. The product owner wants advertising, so he pays an advertiser. The ad (spam) is sent to your Inbox and your antispam software filters the spam to a junk folder.

Q: Let's get back to social spam. How does spamming a link payoff for the spammer? There's no "advertising message" embedded in the link… it's just some tabloid style headline. Does the link open to an ad page?
A: No. (That's comment spam.) The social spam link is only the first step in the social spam process. And the greater the number of links spread, the greater the potential payoff for the spammer.

Q: What's the second step in the process?
A: Spreading the spam link.

Q: And how is that done?
A: By abusing the "social" nature of the website. So on Facebook for example, if you click a spam link, you'll be directed to a page that wants you to either like or allow.

Q: Like or allow?
A: Right. If the link takes you to a Facebook application (hosted by you'll have to allow the application access to your profile. If you do, the application will post its link to your profile, and thus share it with your friends.

Q: If it isn't an application?
A: If the link takes you to a "Page" (either on or offsite) you'll be requested to "Like" and "Share" the page to your profile. Spammers will use a various tricks to get you to like and share.

Q: What kind of tricks?
A: Clear click clickjacking attacks. Pages attempt to use invisible frames to get people to click on a "like button" without even realizing it.

Q: So liking and sharing the page spreads the links… you do the spammers work for them?
A: Right.

Q: But if it is an application instead of a page, you have to allow it access?
A: Correct. And Facebook does provide a clear warning beforehand.

Q: How about other websites?
A: Twitter applications also warn the user before they add an application. Twitter switched to OAuth at the end of August 2010 so that your password is no longer shared with third party applications.

Q: So applications can be controlled and/or limited, but external pages that mimic the social site, can they be prevented?
A: That's a challenge. Social sites are designed to share. That's why they're social. Far greater amounts of legitimate pages are liked/shared and tweeted every day. The only way to really prevent a spam page from being shared is to block all sharing or of course, to remove the page from the site.

Q: So what is done?
A: Filtering. Social sites rely on their communities to report spam. Both Twitter and Facebook have "report as spam" options. And they have antispam technologies on the back-end.

Q: Step 2 is spreading… why does that process sound kind of familiar?
A: Because it is similar to an e-mail worm.

Q: What? An e-mail worm?
A: Yeah. E-mail spam includes its advertising in the body of the message or in an attachment. E-mail worms are a bit different. They used to attach a binary payload to a message, but antivirus companies long ago learned to filter such attachments.

Q: And?
A: And so these days, because malicious attachments are filtered, e-mail worms use links as bait. Recipients click on the link within the message and are taken to a webpage offering a malicious payload. And part of that payload's mission may include stealing your e-mail contacts so they'll be exposed to the threat as well.

Q: So social spammers didn't invent this process?
A: No, far from it. This whole process of link baiting has evolved from e-mail.

Q: So social spam is spread via "link worms"?
A: Yeah, that's kind of the general idea…

Q: Okay. Step 1 and 2 spreads like an e-mail worm, but the goal is more similar to e-mail spam. What's step 3? Do you get to see the father/daughter webcam video?
A: That depends on whether step 2 was an application or a page (still using Facebook as our example).

Q: What if step 2 allowed an application?
A: Then spam application often provides the video (or whatever else) in return for harvesting your information.

Q: What kind of information?
A: That depends on what you allowed. It could be anything from basic public details to allowing the application to e-mail you, to managing your Facebook Pages. (Twitter applications will cause your account to follow others and to re-tweet their links.)

Q: Then what?
A: And then the social spammer has information that can be turned into a commodity for sale. Remember up above…

Q: That e-mail spammers compete with each other by offering better services and validated lists?
A: Right. What better way to create a validated list than a social networking site such as Facebook? Not only will you have live e-mail addresses, but the associated age, sex, gender, likes and interests. After all, there's very little point in sending Viagra spam to a 25 year old woman…

Q: That's sounds like an excellent commodity. What else can be done with the information?
A: Worst case scenario: it could be used for identity theft or blackmail.

Q: Is that likely?
A: It's possible, but probably not likely. From what we've read in spammer forums, these guys are more about making a quick buck pushing ads.

Q: Okay, so back to step 2 again… What if step 2 was a page, then what?
A: This part is a bit complicated.

Q: It is?
A: Yes. If the social spam links to a page, the page is typically utilizing some sort of Cost Per Action affiliate marketing network.

Q: What is a Cost Per Action affiliate marketing network?
A: First, let's discuss affiliate marketing… This is from Wikipedia's entry: Affiliate marketing is a marketing practice in which a business rewards one or more affiliates for each visitor or customer brought about by the affiliate's own marketing efforts.

Q: So affiliates don't get paid upfront to advertise?
A: Right. Affiliates aren't selling bulk advertising. But instead, they're driving traffic towards the product owner. And the more traffic that they can drive towards the product, the more they can earn. Product owners like this method of marketing as they don't have to commit to funds upfront before results are produced.

Q: And affiliate marketing models are used by spammers?
A: Yes. Unfortunately, affiliate marketing is easily abused by spammers.

Q: So why is it legal?
A: Because there are many legitimate ways to run affiliate marketing. Let's take Groupon ( as an example. If a certain number of people sign up for a Groupon offer, the deal becomes available to all; if the predetermined minimum is not met, then no one gets the deal that day. Groupon users are acting as a kind of affiliate. If they do the marketing work and share the offer among their peers, and enough people sign up, the company authorizes the deal.

Q: So it is quite difficult to legislate good from bad affiliate marketing?
A: Yes.

Q: Okay, so social spammers utilize a form of affiliate marketing. What are Cost Per Action affiliate networks?
A: An affiliate marketing network is kind of like a "super affiliate". Affiliate marketers earn a progressive percentage of payout based on the volume of leads produced. One individual typically cannot produce enough volume to reach a higher percentage tier. Affiliate marketing networks allow individuals to act as a collective affiliate, producing higher volumes, which passes the higher payouts down to the network members.

Q: And Cost Per Action (CPA)?
A: CPA is typically about acquiring something from potential leads.

Q: So what happens during step 3 after a page is liked and shared?
A: The spammer promises to show the video (or whatever) after a small "anti-bot" test (action) has been performed. They claim it is a form of CAPTCHA, or verification that you’re human.

Q: And this is when the spammer gets what he wants?
A: Yes. At this point a JavaScript form opens and "special offers" are given to proof that the person is human.

Q: What kind of special offers?
A: It could be something as simple as downloading a search toolbar for your browser or providing a valid e-mail address to receive a coupon. Or… it might be something as manipulative as getting you to sign up for expensive SMS-based subscription services.

Q: And is this when the spammer makes money?
A: Yes. For each person that completes an action, and offers the product owner a "lead", the affiliate/spammer can earn one dollar or more.

Q: One dollar or more? That's good money.
A: Yes. It takes very little effort to earn good money.

Q: So is all of this considered a scam?
A: Scam is a rather strong word.

Q: But there are some security vendors that call this stuff a scam. You don't think so?
A: Scam is a strong word to use… A scam is something such as an Advance Fee Fraud, i.e. "You have just won the UK lottery! Contact LottoUK at blah blah blah dot com."

Q: So what is this CPA spam stuff then?
A: It falls under the category of deceptive marketing.

Q: So why do some folks keep blogging about Facebook Scams? Is it hype?
A: You'll have to ask them.

Q: Well then, if it is deceptive marketing… what can be done about it?
A: Government regulators should get involved. Example: In Finland, a case of localized (Finnish language) Facebook spam was resolved by the Finnish Consumer Protection Agency. F-Secure provided details to the press, and either the press, and/or victims reported the SMS subscription vendor as being deceptive. The local company which provided the billing services for the SMS vendor reversed all charges associated with that spam run. (There hasn't been a second attempt.)

Q: What about the United States? Is there a way to fight deceptive affiliate marketing spam in the United States?
A: It's been done before. In 2006, Zango, an adware vendor (Hotbar) faced an FTC investigation that essentially put them out of business. A public advocacy group filed two official complaints charging Zango with engaging in unfair and deceptive business practices.

Q: So who are the companies that the FTC should probably look at in 2011?
A: The list includes CPAlead (, PeerFly (, and Adscend Media ( among others.

Q: What about the recent lawsuits that Facebook brought against three spammers.
A: Actually, one of those three lawsuits is focused on Jason Swan, the CTO of CPAlead. The CAN-SPAM act is being cited in the lawsuits and all three examples include cases in which fake or fraudulent services were offered. "Facebook Gold" accounts for example. There are no such thing, and so Facebook claims the defendants are guilty under the CAN-SPAM.

Q: But doesn't most social spam eventually open the promised video (or whatever)?
A: Yes. It's mostly just recycled content from YouTube but if all 3 steps are completed, the links delivers on its promise. So these three cases are interesting, but it seems more like a warning to spammers than a solution. We aren't sure if the CAN-SPAM act applies (but it's worth bringing before a judge).

Q: So summarize it again, what are the steps involved with social spam?
A: First the victim clicks on a link. Second, they like/share or allow the application or page. Third, they complete the Cost Per Action offer. And then they are "rewarded" with old content that they could have located on YouTube (or elsewhere) themselves.

Q: How effective is social spam.
A: Very good question. In 2009, social spam was generated by hacked/phished accounts. During 2010, other methods were developed by spammers to seed spam links. By the summer of 2010, spam links were generating hundreds of thousands of clicks.

Q: Do social spam links still get clicked?
A: Click rates have dropped as people become familiar with the process. There is an ever increasing decline in the effectiveness of any single link. However, the click rates and payouts are considerably higher for social spammers than e-mail spam.

Q: Will social spam ever be as big a problem as e-mail spam?
A: E-mail spam does not require interaction. Spammers can simply pump as much of it as possible in their attempts to bypass spam filters.

Social spam typically requires human interaction (except for occasional site vulnerabilities). Because social spam is interactive, there is something that can be done. Facebook and Twitter are constantly redesigning their UI to improve the user experience and to help their communities recognize and avoid spam. And because social media sites are constantly evolving, the nature of social spam is also evolving.

Social spam will probably always exist, taking advantage of one site feature or another, but it isn't as likely to abuse the system so completely as e-mail spam has. The only way to fix e-mail spam is to fix e-mail protocols. Facebook and Twitter spam can be addressed by the sites as needed.

Q: Finally, are there other types of spam being pushed via social media sites?
A: Yes. Fake profile spam pushing adult dating sites and services… but that's another Q&A. We'll get back to that once we're done sorting through all the images (somebody's got to do it).


Monday, December 20, 2010

Is Facebook spam extending its reach outside of the USA and UK? Posted by Sean @ 16:27 GMT

Here's some analysis of Facebook spam that we have been tracking today.

There are several spam runs which can be found with an "http:// omg" search:

http:// omg

A number of the spammers utilize and have public timelines.

Here's the least successful of the three we tracked.

99% of the People From USA unable to Watch This Video more than 25 second !!

The subject line doesn't have much of a hook and there's no picture, so it's not surprising that chirag9999's collection of links has only yielded about 30,000 clicks.

Now this "suicide girl" sample is more enticing.

This Girl Killed Herself After Dad Posted THIS on her Wall

Metawealth's collection of links has yielded over 170,000 clicks so far.

But this is today's winner. A one year old girl with twins in her belly?

OMG! One years old girl pregnant with twins in her belly!

Over 250,000 clicks and counting.

It is important to remember that not everybody that clicks on these links will have added the spammer's application. But we did see several thousand active monthly users when we checked a few of them, so the conversion rate is quite a bit higher than e-mail spam.

Interestingly, these three spam runs do not appear to be very popular in the United Kingdom.

Only the least successful "Daily News" spam accumulated clicks from the UK.

The "suicide girl" spam appears to be popular Malaysia and Singapore, as well as the USA.

And for some reason, Sweden seems to be interested in many of the "pregnant one year old" links.

This is the first time that we've noticed people from such countries clicking on Facebook spam in such numbers. Typically we've seen such tabloid style spam pulling in folks from the USA/UK, or vice versa.

All of the spam applications have been reported to Facebook and will hopefully be disabled soon.


Friday, December 17, 2010

Tonight We Dine in Hell Posted by Sean @ 14:18 GMT

We've been working very hard this year, and all the hard work has paid off!

F-Secure has won AV-Comparatives' Whole Product Dynamic Test for 2010 and received another Advanced+ award — the seventh this year. We're currently the vendor with the most awards of the highest category given by AV-Comparatives in 2010.

The difference between the first two places in the Whole Product Dynamic Test couldn't have been tighter.
Image from AV-Comparatives Whole Product Dynamic Test — Summary 2010

We blocked 1946 of the tested files while Symantec blocked 1936. However, Symantec additionally prompted the user for his opinion on 19 files. They received half a point each for those.

Which means that the final score was:

F-Secure: 1946
Symantec: 1945.5

Now that's narrow. We won by half a sample.

This is AV-Comparatives!

Sorry, Symantec!


Thursday, December 16, 2010

Is ChromeOS for suckers? Posted by Sean @ 19:38 GMT

Google unveiled the Cr-48 notebook last week in a soft launch of their ChromeOS operating system.

And this week, naysayers are calling it a waste of time.

Richard Stallman has said that ChromeOS looks like a plan to push people into "careless computing" by forcing them to store their data in the cloud, and he supposes that many people will continue moving in that direction because "there's a sucker born every minute." Business Insider's analysis is that ChromeOS is a waste of time saying that "Based on what Google is showing now, unless they give away Chrome notebooks for free, there's no reason to use one."

Is ChromeOS a waste of time? That depends… ChromeOS may or may not manage to win consumers over to cloud computing, but there definitely could be some useful side-effects from Google's efforts.

Is there ever a time when it's more secure to push people into "the cloud"? Yes, there is. When the cloud, and the data, belongs to an organization. After all, the Cr-48 is really nothing more than a Google thin client.

And what's a mobile thin client cost these days?

Here's an HP Windows Embedded mobile thin client starting at $625:

HP 4320t Mobile Thin Client,

Geez, that's pretty pricey for a computer without a hard drive.

Yet, many organizations, such as hospitals, need mobility, and they cannot risk having hard drives on which data can be stored (and lost), and so they pay a high cost for Windows Embedded machines. There's money to be made offering a cheaper alternative. We predict it won't be long before somebody wants to adapt ChromeOS for thin client usage (and HP's webOS is very likely to follow).

But you don't want your organization's data in Google's cloud?


Citrix has developed a ChromeOS client.

What can you do with Citrix?

Here's Windows 7 on an iPad via Citrix Receiver for iPad:

Citrix Receiver for iPad,


Cool hardware for personal use via cloud computing with virtualization technologies providing secure connections to an organization's data via thin client software. Work and play, without the fear of data loss.


Wednesday, December 15, 2010

Gawker's Data Disclosure Posted by Sean @ 17:42 GMT

I've been traveling, and whenever I return to the office, there's always a lot of news to catch up on. I'm just now reading the details related to Gawker Media's recent security breach. Over one million Gawker/Gizmodo/Lifehacker related commenting accounts were compromised last weekend, and more than 500,000 e-mail addresses and 185,000 decrypted passwords are being shared on The Pirate Bay.

On Monday there was a Twitter spam outbreak promoting Acai berries. Many people use the same password on multiple sites, which they really shouldn't, and so the compromised Gawker accounts provided access to Twitter accounts…

If you use any Gawker related sites, you should update all of your related passwords.

That's all very interesting, but I'm curious about something else related to Gawker. Last June, a group called "Goatse Security" exploited a vulnerability on AT&T Web servers and harvested iPad customer e-mail addresses and network IDs.

From the Wall Street Journal: "In a blog post defending Goatse Security's actions, a member of the group said it only gave the data to Gawker and later destroyed it."

In that same Goatse blog post, I was quoted as saying: "the disclosure was completely irresponsible."

Did I think the vulnerability disclosure was irresponsible?


Did I think the exploitation of the vulnerability was irresponsible?

Well, kind of, I mean, they could have bought an iPad to exploit themselves and didn't really need to harvest other people's names to make their point… but, let's say no. Even exploiting the vulnerability wasn't "completely" irresponsible.

So what was it that I though was so completely irresponsible?

It was the turning over of an unredacted dataset to Gawker Media.


Because regardless of how much Goatse Security trusted Remy Stern and Ryan Tate of Gawker/Valleywag (and I'm sure they're very trustworthy), Goatse Security never should have trusted AT&T customer information to Gawker's security infrastructure.

After all, six months later, Gawker was hacked:

Was Your Gawker Password Hacked?
Image from Slate's Was Your Gawker Password Hacked?

And so who knows now where those iPad addresses have ended up?

Hopefully they were deleted from Gawker's servers after the FBI finished their investigation.

I e-mailed Ryan Tate last June to ask how the iPad dataset was sent, encrypted or not, but I never heard back… I'm sure Ryan was busy at the time. And I'm sure he's busy now as well, but at this point, I want to know.

How and in what format was the iPad dataset sent to Gawker, and how/when was it deleted?


Edited: Even exploiting the vulnerability wasn't "completely" irresponsible.

Typo has been corrected.

Update: Escher Auernheimer of Goatse Security offers assurances, via Twitter, that the transfer was between them and Tate only, the dataset never touched Gawker servers.


Monday, December 13, 2010

IPv4 Unallocated Space Running Out, Film at 11 Posted by Era @ 10:29 GMT

There is a tracker at which currently calculates that all of IPv4 address space will be allocated by the end of February 2011. The 100,000,000 address mark was broken on Sunday.

Prediction: A couple of years from now, we will scoff at this campaign sort of like we now scoff at the Y2K panic back in 1999, except this time, there's quite a lot less of alarmist coverage in the popular media.

Because, let's face it, this is not armageddon. "Allocated" does not mean "used". What we are seeing is a gold rush to stake out the last available unallocated pieces of IPv4 space. Or rather just a land grab, because it's unlikely that there is a lot of gold in them thar hills. But certainly, the operators who are now buying the remaining available pieces of IANA's unallocated address space are hoping to make some good money putting it up for sale or lease, or at least turn a profit. If the laws of demand and supply hold, and IPv6 doesn't suddenly take off spectacularly, IPv4 address prices can be expected to rise, and some actors are no doubt gambling that they will rise a lot.

A much more interesting question is how much of IPv4 space is really used up, not just allocated, but that is a lot harder to calculate, because there is no central authority like IANA where you can easily obtain numbers. Some of the big dinosaurs who were involved in the early stages of IPv4 development have huge pools of presumably mostly unused address space for which there is going to be a lot of demand eventually. Tracking the depletion of unallocated space is a good help for guessing when something will start to happen to the big Class A netblocks allocated to entities like General Electric (3/8, that is, all of through; that's a rough 16 million IPv4 addresses), IBM (9/8), Xerox (13/8), Hewlett-Packard (15/7 — two consecutive Class A:s, 32 million addresses), Apple (17/8), MIT (18/8), and Ford Motor Company (19/8). The US Department of Defense also sits on several large blocks, and while they are presumably very reluctant to let go of this luxury, we can safely speculate that there is going to be a lot of pressure to transfer some of their addresses to civilian, even commercial use. But long before that, Ford will find a way to monetize their IPv4 asset, though perhaps not by going into direct competition with the likes of AT&T and Level 3 Networks.

A related question is under what terms you will be able to obtain an IP address in the future. Price is just one factor; and as the recent WikiLeaks incidents illustrate, obtaining an IP address which offers true freedom of expression might be even more important, for those who have something unpopular to say. And in an ironical twist, it seems that totalitarian states are going to be the only ones offering this scarce commodity, to everyone else except their own citizens. It seems that WikiLeaks is struggling to avoid moving their servers to the Wild East, because such freedom comes at a price, which is measured partly in ethical terms, but also partly in security; depending on what at least parts of the international community will refer to as a rogue state and its inevitable whims is hardly a viable long-term solution.

In the meantime, don't panic, but do keep on monitoring the situation. We are not trying to say that IPv4 address space depletion is not a problem, and we certainly are in favor of sustainable development, whether that means IPv6 or a reform of IPv4. But we would like to point out that this is just another phase of a chronic problem, not an acute crisis for IPv4.


Friday, December 10, 2010

Adware.smartad.d Posted by Mikko @ 07:22 GMT

Unfortunately we had a nasty false alarm couple of hours ago.

The false alarm involved the detection Adware.smartad.d, which was in the database update 2010-12-09_10, released on 9th Dec 2236 UTC.

This detection inadvertently triggered on the file This file is a script associated with Google Analytics, and it's found on a fair number of websites.

An exclusion for the file was released in the database update 2010-12-10_01 at 10th Dec 0052 UTC - about 2.5 hours after the bad update went out.

Apologies for any disruptions caused by this false alarm. We're sorry. To minimize disruptions, please make sure your product has been updated to use the latest database updates.


Thursday, December 2, 2010

10,000 Posted by Mikko @ 09:59 GMT

The F-Secure HQ in Helsinki has been in the same building for more than ten years. So we are renovating the building at the moment. As a result, the lab had to move to a different floor while we rebuild the area.

As I was collecting my gear to be moved away, I noticed a book.

When we were running the CARO 2010 Workshop in the spring, the speaker gift to be given to each speaker was a copy of the book Fatal System Error, signed by the author Joseph Menn.

Because we can't count, turns out we have one extra copy of the book left.

fatal system error by Joseph Menn

So I wanted to give it away.

I also noticed another thing. Quite remarkably, I'm getting close 10000 followers on my Twitter account. That's a lot.


So, my 10000th follower will get the book.

As Twitter followers fluctuate up and down, there will probably be multiple accounts that are listed as the 10000th follower. I'll choose which one gets the book.

Follow me at


Updated to add: And the winner is Guddeman! Thanks, all.