NEWS FROM THE LAB - January 2006


Tuesday, January 31, 2006

First reports of Nyxem damage Posted by Mikko @ 16:24 GMT

The destructive deadline of the Nyxem.E worm is based on the clock of the infected machine. So if you're infected and your clock is not set right, things could start to happen at any time - even though the official activation time is the 3rd of the month. We've already received first reports from users who've had files on their system overwritten by the worm.


When Nyxem activates, it will overwrite all of your DOC/XLS/PPT/ZIP/RAR/PDF/MDB files. This is nasty, as this is done on all mounted drives, ie. any drive that has a drive letter. So it might affect your USB thumb drives, external hard drives and network drives! Also, if you're taking daily automatic backups you might end up backing up the corrupted files over good files.

The number of machines that have been infected by this worm is over 300,000. Many of those have been disinfected already, though. But thousands of computers will get their files overwritten on February 3rd - most of them in India, Turkey and Peru.

This worm family has been around since March 2004. The worm is named "Nyxem" because the original Nyxem.A variant launched a DDoS attack against the New York Mercantile Exchange website ( We don't know why.

We have a free tool available to help disinfect machines before the deadline passes.


Monday, January 30, 2006

It's a long time in this world... Posted by Mikko @ 21:24 GMT

Our blog is now exactly two years old.


In the beginning we were only planning to create a temporary blog to cover the Mydoom incident. This was the massive attack launched by Mydoom.A on the 30th of January 2004 to take down

About 800 blog posts and two years later, we're now regularily seeing tens of thousands of readers a month, and our blog has been ranked among the top 500 blogs in the world by Feedster.

Bagle butterflyLet's review some of the highlights of our blog, starting from our very first post.

Throughout the blog history, we've been fighting Bagle variants. From the very first variants all the way to having Bagles for lunch. Our 3D animations of Bagle code also proved popular.

First spring of the blog was spent fighting the virus war between Bagle, Netsky and Mydoom. Here's a history chart showing the release of new virus variants. Eventually we got really fed up with Mydoom and its variants.

On March 21st 2004, we found a new virus called Netsky.P. Almost two years later, it's still in the TOP 10 of most common viruses in the world!

Then in May 2004, we found Sasser. Quoting the blog: ...there has been Sasser-related problems in at least three large banks. RailCorp rail traffic was halted in Australia on Saturday, leaving 300,000 travellers stranded - CEO of the company is quoted saying a virus might be the reason. Also, according to several sources, Delta Airlines had their planes grounded in USA on Saturday for several hours, because of a "computer glitch"...

Then in June 2004 we found the first real mobile phone virus, Cabir. It was confirmed to be in the wild later the same year and caused problems on the stadium during the World Championships in Athletics. Here's a video showing why people get infected by it.


PicOne of our more popular write-ups was the posting on goofing around with laptop locks.

The first MMS mobile phone virus Commwarrior was found in March 2005 and it was later found in the wild. It even hit one of our own phones. Last variant of this family is the multifunctional Commwarrior.C and it spreads really fast - see this video.

Some of our more controversial writings were probably the ones titled "Linux sucks" or "Millionaire virus writers"...

Here's a good story on finding an infected mobile phone in the middle of a high-security Interpol conference in April 2005.

It is arriving in 2007, but we already broke the news about Windows XP SP3 already in April 2005!

We did some interesting tests with wireless systems on a Toyota Prius, and continued with neat bluetooth hacks when the Trifinite group visited us.

Here's pictures from our viruslab grand opening in May 2005 - with neat features like the realtime virus worldmap.

And here's our eye-witness account story on the Zotob outbreak.

In October 2005, we shot a short and funny video where we managed to "brick" a brand new Sony PSP with a trojan that overwrites system files. Then we posted the 14MB file to our blog. A week later, our IT department nicely notifies us that we've had around 207 THOUSAND downloads for the video, roughly doubling our websites traffic. Ho hum. But it is a nice video.

We followed the Sony rootkit saga from start to finish...all the way to creating lab t-shirts with the now-infamous quote (listen).

How phishing went global and the sea froze over. How did we fight viruses during internet pre-history, before PC viruses had their 20th anniversary.

And New Year 2006 we spent, of course, fighting WMF problems, with another blog posting that generated lots of feedback.

So that's the first two years. Thanks for reading - wishes the weblog team and Lu the Monkey!



Exploits from AMD? Posted by Mikko @ 16:51 GMT

We're not sure what's going on in here, but there's something wrong at AMD's user discussion forum, located at forums[dot]amd[dot]com.

If you visit the site (and please don't visit it right now), you get a WMF exploit sent to you right from the front page.

When inspecting the source code, you'll see that at the bottom of the HTML is an encoded IFRAME directive:


When decoded, that translates to http[colon]//toolbardollars[dot]biz/dl/adv586.php.

How did it end up on the AMD site? We have no clue. But we have informed relevant people, so hopefully this will be resolved soon.


Friday, January 27, 2006

Great initiative by an ISP Posted by Patrik @ 17:58 GMT

By now you have all heard about Nyxem.E (aka Blackworm, Mywife.E etc) and its payload that will delete certain files on Friday the 3rd of February. Well, as part of our tracking of this worm we check on the webcounter the worm visits when infecting a machine. Imagine my surprise when I yesterday recieved an e-mail from our ISP saying that we might be infected with Nyxem.E!

Turns out that the ISP our UK office is using (Easynet), is monitoring all traffic going to the webcounter. Whenever an IP within their address space goes there, an e-mail is sent out to the technical contact informing them that they have a machine that potentially could be infected. The e-mail also included links to information on how to remove the worm.

We thought this was an excellent idea and wanted to promote it here! We encourage other ISPs to do the same as it will help users disinfect their machines before the 3rd of February.


Thursday, January 26, 2006

New trojan download spammed Posted by Jarkko @ 23:02 GMT

New trojan downloader is just being heavily spammed. It comes with subject "YOUR BILL PAYMENT NOT APPROVED!" and message like this: "We are unable to obtain the bill payment from your bank account. Your bank returned the following error to us: BILL PAYMENT NOT APPROVED BILL #5563880".

Attached in the message is a small downloader that tries to activate file from We detect the downloader as W32/Small.CGS in the update 2006-01-27_01.


Greetings from Blackhat Federal 2006 Posted by Jarno @ 16:12 GMT

Hello to everyone from Washington DC USA.

I'm attending information security conference Black Hat Federal 2006, and like all other Black Hat conferences the quality of presentations has been really high and theres always lots of new things to learn.

This time the talks on Blackhat Federal have been focused very much on topic of rootkits and forensics. Presenters have had quite novel ideas and are presenting interesting problems for security community to solve.

In addition of following talks by others I gave a talk on how to combat Symbian malware, and audience seemed to be rather pleased with the presentation.

Now second day of the conference is starting and it promises to be quite interesting day.

In the picture J0hnny Long is giving a humorous presentation at the end of the first day on serious topic of the high end hacking techniques used by hollywood movie industry. One has to keep up with the times and monitor all new developments.


My next public presenatation will be on Black Hat Europe 2006 on the same topic as in Black Hat Federal. See you in Amsterdam.


Status update on the virus situation Posted by Katrin @ 15:03 GMT

Yesterday the Bagle night started but did not continue for a long time. Instead it continues today. Few minutes ago we found new Bagle variants (Bagle.FT, Bagle.FS and Bagle.FU) but we don't have any reports of them from the field yet.

Meanwhile Nyxem.E reached the top position in our virus statistics with 21.7% of all reported infections. Still, the total number of infections have decreased since last week when the worm was found.


Wednesday, January 25, 2006

Bagle night started Posted by Katrin @ 17:08 GMT

It was so nice and almost quiet week... till now. Seems a new Bagle series started the round.

Tuesday, January 24, 2006

Botmaster going down Posted by Mikko @ 13:24 GMT

James Ancheta aka "Resjames" or "Botmaster" pleaded quilty in Los Angeles yesterday for running a botnet and selling bots.

He faces up to six years in prison. He will also have to pay restitution and give back about $60,000 and his BMW, bought with botnet money.

Ancheta was active in 2004. With another bot herder known as "SoBe", they infected more than 400,000 computers.

They were making money by selling bots to spammers, and by signing up as affiliates in adware install programs run by Gammacash and Loudcash (both are owned by 180Solutions nowadays). This way they earned money every time they installed an adware program to an infected machine.

James Ancheta seems to be offline nowadays, but you can still find some of his old forum posts via Google. In this thread he has just rented a dedicated server from Sagonet, which he then used to run the irc server to control his bots.

The court papers make a fascinating read, with snippets like these:

James Jeanson Ancheta

James Jeanson Ancheta

James Jeanson Ancheta

James Jeanson Ancheta

James Jeanson Ancheta

James Jeanson Ancheta


Saturday, January 21, 2006

Not good Posted by Mikko @ 19:03 GMT

The web counter used by the Nyxem worm now shows over 510,000 infections and keeps rising.

Our internal reporting system shows a steady stream of Nyxems being reported from all over the world, from USA to Australia.

If the worm keeps this pace, Friday the 3rd of February might be nasty - that's when the destructive payload is programmed to strike for the first time.

nyxem stats


Friday, January 20, 2006

Nyxem.E upgraded to Radar 2 Posted by Katrin @ 15:03 GMT

We upgraded Nyxem.E to Radar level 2 due to the increased number of reports.

The worm's destructive payload activates on every third day of the month by replacing the content of user's files with a text string "DATA Error [47 0F 94 93 F4 K5]". Among these files are: DOC, XLS, MDB,

CounterThe worm also has an interesting feature: it increases a counter on a website every time a new machine gets infected. When we first saw the counter (earlier today) it was below 300,000 . Now it's already over 417,000 and growing. The counter didn't necessarily start from zero.


Nyxem.E is picking up Posted by Katrin @ 10:05 GMT

A new email worm Nyxem.E is picking up. We are seeing more reports of it. FSAV detects it with update version 2006-01-20_01 published early this morning.

Jigsaw Piece - 785 Posted by Katrin @ 10:05 GMT


Thursday, January 19, 2006

Then and Now: Brain.A vs Bagle.AG Posted by Gergo @ 16:28 GMT

Time flies, it seems. The first PC virus was found exactly two decades ago. F-Secure's press release has a rundown on how viruses have changed over the years. It is probably not a surprise that viruses have also gotten more complex in the process.

The following is a structural comparison of Boot/Brain.A (1986) and W32/Bagle.AG@mm (2004):



Can anyone spot the five small differences between these two pictures?

Brain.A fits into a few sectors and consists of around a dozen functions. Bagle.AG weighs over 100 KiB unpacked and it is built from more than a hundred functions. For people interested in history, we still have a description of Brain.A.

brain floppy


Vulnerability in F-Secure products Posted by Mikko @ 14:01 GMT

We have just released security advisory FSC-2006-1.
Secunia sa18529
This advisory describes a vulnerability that affects several F-Secure Anti-virus products for Windows and Linux. We hope that all system administrators that use our products read the advisory and apply the necessary upgrades or hotfixes.

Our guidance here is the same as for patches from any other vendor: Patch now before someone figures out how to exploit the vulnerability. At the moment we are not aware of any attacks that would have used this vulnerability.

And thanks to Thierry Zoller who found the vulnerability and responsibly disclosed it to us.


Feebs: perfect (anti)social engineering? Posted by Jarkko @ 11:25 GMT

We saw first versions of Feebs worm couple of weeks ago. Feebs spreads itself in HTA (HTML application) scripts which it re-generates every time it sends them out. The actual script contains the worm binary file, or in some cases it can download the worm from other locations. This way Feebs can send highly variable HTA scripts that possibly download new Feeb variants from the web. While this is quite rare approach for a mass-mailing worm, in addition to its built-in SMTP engine, Feebs has another quite unusual e-mail spreading technique in its sleeve.

While we were checking the rootkit features of Feebs (yes, among other things, Feebs can also hide itself using rootkit techniques), we saw a weird hook in Windows socket library.

When application in infected system sends data to network, Feebs makes some extra checks. If it detects traffic to port 25 (SMTP default port) which looks like e-mail with a MIME attachment, it generates the HTA script and injects it in the e-mail as an extra attachment! This is not very efficient spreading mechanism measured in volume, but in some cases it might produce quite legitimate looking e-mails. Feebs doesn't have to use social engineering in messages, it just sits in memory, waits for the user to send messages and silently inserts itself in them.

BlackLight detecting Feebs

While it is rare, the spreading technique is not unique. The Ska worm used similar spreading method already back in 1999!


Wednesday, January 18, 2006

DDoS and the Million Dollar homepage Posted by Mikko @ 18:09 GMT

The Million Dollar homepage gained lots of publicity during new year for making Alex Tew, the 21-year old student behind it a millionaire - by selling pixels! Unfortunately it also gained the attention of a botnet gang, who have launched several attacks against the site.

According to The Times, the attackers (calling themselves the "The Dark Group") sent an extortion e-mail to Mr. Tew on January 7th, demanding $5000. When the ransom was not paid, the site was attacked, as documented on Netcraft.

milliondollarhomepage.comA week later, Tew received another mail from the attackers, asking for $50000. And this morning, after the ransom was not paid, the whole site was apparently defaced with a note saying "don't come back you sly dog!".

This is an interesting case, as the target is quite unusual. Instead of the usual targets (online shops, credit card merchants, gambling sites), this time the attackers are targeting a private person because they know he has the money.

Alex Tew comments on the developments in his own blog.


New e-mail worm spreading Posted by Jarkko @ 11:50 GMT

The worm, named as seems to be spreading quite aggressively, it is already 3rd in our Virus Statistics. It is a simple mass-mailer written in Visual Basic. Please see the virus description for more details.

We detect the worm with FSAV update version 2006-01-18_02.


Monday, January 16, 2006

WMFishing Posted by Mikko @ 12:48 GMT

The Microsoft patch for the WMF vulnerability has now been out there for more than 10 days. However, we believe that most of the vulnerable Windows machines worldwide have not installed the patch yet. We also believe this vulnerability will continue to be used by various different attackers for months, possibly years.

Today we saw a phishing scam exploiting this vulnerability. This scam works by sending out emails, urging customers of the global HSBC bank to visit a site called www[dot]jhsbc[dot]com. This domain, naturally, has nothing to with the real bank but it sounds close enough.

The site is running on a owned home computer somewhere in Illinois. This machine, connected to the net via a high-speed cable connection, is hosting or has been hosting several other phishing-related domains, including these gems that administrators might want to filter at their gateways: www[dot]i7tgg4rv[dot]com and www[dot]ll67ffgsp[dot]com, www[dot]mrhpd74e[dot]com and www[dot]pph4e32q[dot]com.

The WMF connection comes from the fact that if you visit this site (and please don't), the front page contains an IFRAME that will try to push an exploit file called tr.wmf to your system. When that is executed, it will download a file called update.exe from the same server. This unexpected gift turns out to be a variant of the Trojan-Spy.Win32.Goldun family, which will start to collect information from the system.


Relevant authorities and the HSBC bank have been informed and work is under progress to get this fraudulent site taken down.


Sunday, January 15, 2006

F-Google Posted by Mikko @ 10:33 GMT

Hey, this is funny. If you Google for the single character "F", turns out F-Secure is #1 from 822 million results. Other top results include website of the JFK airport in New York, Stephen F. Austin University in Texas and the John F. Kerry official homepage.


Yeah, it is a quiet Sunday.

PS. Check out the latest news from ShmooCon via Brian Krebs.


Friday, January 13, 2006

Cloaking without malicious intent Posted by Mika @ 07:23 GMT

There is an ongoing discussion on the Norton SystemWorks issue (see e.g. Larry Seltzer's opinion). As a result people are asking us how many of these cases are there. Well, ever since BlackLight beta was released on 10th March 2005 we have received reports of only a few non-malicious applications using rootkit-style cloaking. We have seen three different categories:

1) File and folder hiding software that people use e.g. to hide adult material from their family

2) System backup software hiding their backup files

3) Software protecting their processes or configuration data

There are not many applications that hide things. In fact, all in all we only know less than a dozen of such software and most of them are very rare tools. Moreover, most of these cloaking apps belong to the first group (file and folder hiding software).

This is not a big issue. Many of these applications are very upfront about their hiding functionality and have been carefully designed not to allow malware to exploit the cloak. Also, it is pretty easy for malware just to install their own rootkits on the system. On the other hand, we do not understand why benign software would need to hide something from the Administrator of the computer in the first place. If you want to prevent access to your files or processes you should use OS access controls or encryption - not rootkit cloaking techniques.

Image - Hidden attribute settings

One clarification: By hiding/cloaking/stealth we mean actual filtering of operating system functionality. We are definitely not referring to Windows "hidden attribute" or "system file attribute". By default Windows does not show files with these attributes to the user, but if the user wants to see everything, they can be made visible from the "Tools"-"Folder options" menu in Explorer.


Thursday, January 12, 2006

The "Symantec rootkit" Posted by Mikko @ 18:39 GMT

There has been quite a bit of media coverage on the "Symantec rootkit".

nprotectWe were the ones that discovered this issue and informed Symantec about it last year - in fact this is nicely attributed in the Symantec advisory.

But we want to be clear on this: what Symantec was doing here was not nearly as bad as what Sony was doing with their rootkit.

Norton Systemworks has a feature called "Protected Recycle Bin". This feature is intended to enable the user to recover deleted files that would otherwise be unrecoverable. These files are stored in a folder typically called C:\Recycler\Nprotect - and this folder is hidden with rootkit-like techniques. There's nothing inherently wrong in this.

The only problem is that any malware already running on the system can copy itself to that particular folder and Systemworks will hide it completely from the user and from most on-demand antivirus scanners (but not from F-Secure Internet Security 2006, which will see it because it integrates the BlackLight rootkit detection technology).

However, we haven't seen any malware which would even attempt to do that.

PropsitThe main difference between the Symantec rootkit and Sony rootkit is not technical. It's ideological. Symantec's rootkit is part of a documented, useful feature; it could be turned on or off and it could easily be uninstalled by the user. Unlike Sony's rootkit.

So we don't think this was that big a deal. But we're happy it has been fixed before anybody really attempted to exploit it.


Tuesday, January 10, 2006

It's that time of the month again Posted by Mikko @ 19:54 GMT

microsoft_os2_floppy_stickerMicrosoft has just released it's monthly security bulletin. In addition of the MS06-001 patch that was released early, there's two new critical updates:
MS06-002 - vulnerability in Embedded Web Fonts
MS06-003 - Vulnerability in TNEF Decoding

Of these, the WMF vulnerability is still by far the most serious. After that, MS06-002 has most worm potential.

Update now.


Monday, January 9, 2006

MSN Search refusing phpbb searches? Posted by Mikko @ 05:20 GMT

Has anyone noticed this before?

If you search for the word "phpbb" on MSN Search, you get a 403 error:


This is quite similar to what Google has been doing for at least a year when you search for "viewtopic.php" and hit the "Next" link a couple of times:


Google originally started blocking such queries around a year ago, during the Santy phpbb worm incident.


Situation calm. For a change. Posted by Mikko @ 05:13 GMT

The Sober download sites are still empty. Great.

When the Sober.y download deadline passed on January 6th, all infected machines started download attempts from the five different sites. At the same time, the virus stopped emailing itself around.

As a result, the virus that had held #1 position in virus stats since November 2005 just disappeared from the stats.


There still are at least tens of thousands of infected machines out there. They just aren't spreading the virus further: they're just trying to download and run a mystery file - which isn't there to be downloaded.

How to locate and shut down all these infections? ISPs are in key position.

ISPs: we urge you to check your user traffic patterns. Locate the users that produce an unlikely large amount of constant hits to,,, and Contact these users and let them know they most likely are infected with Sober and they should clean up their act. If you'd like to do this but don't feel like making tons of phone calls, you can automate processes like these with our Network Control appliance.


Friday, January 6, 2006

Sober: So far, so good Posted by Mikko @ 08:40 GMT

getsoberThe Sober activation deadline passed around eight hours ago.

We've been monitoring the locations of the files that infected machines are now trying to download. So far none of them have activated.

We hope it stays that way.



Thursday, January 5, 2006

Microsoft WMF patch coming out today Posted by Mikko @ 20:09 GMT

www.windowsupdate.comWe just got the word that Microsoft is going out of normal update cycle to release security update MS06-001 today. This will fix the WMF vulnerability on XP, 2003 and 2000 (sp4) systems.

Microsoft originally planned to release the update on next Tuesday, but they finished testing early.

Everybody was hoping they would get the patch out before a major attack would start. Now it looks like they succeeded in doing just that. Well done.

Update: The patch can now be downloaded from here. It seems to co-exist fine with the REGSVR32 workaround and the Ilfak patch.


The Exact Activation Time for Sober Posted by Mikko @ 11:27 GMT

We've received some questions on when exactly does the Sober activation on January 6th happen.

After all, it already is past the midnight in Auckland! But the Sober date check is not using local time.

The Sober download phase starts globally at the same time: at midnight UTC (aka GMT). All infected machines regularly connect to several NTP servers and synchronize themselves using the "time" protocol.

We don't think much will happen. But if anything happens, it will start happening after midnight in UK, 4pm in San Francisco, 7pm in New York, 2am in Finland and 9am in Tokyo.

Watching the watch


Wednesday, January 4, 2006

Sober.Y reminder Posted by Jarkko @ 14:46 GMT

Just to remind you, Sober.Y update phase starts on 6th day. This means that all machines infected by Sober.Y try to download and execute code from certain addresses. If you want block these addresses at your firewall, here is the list again. The actual filename is left intentionally out from the addresses.

The most likely set of download URLs is:

However, in some circumstances, Sober might try to access some of the following URLs:

Sober.y situation in

These additional addresses might be produced by the URL algorithm in certain rare conditions. We are not sure if this is the intention of the worm author, but it might be a good idea to block all of the above addresses.



New trojan being distributed via WMF spam Posted by Mikko @ 12:44 GMT

There's a new trojan spam run underway, exploiting again the WMF vulnerability.

The exploit code is taken directly from the last Metasploit distribution. So the Metasploit exploit is assisting botnet herders and spyware distributors to take over the computers of users who still have no Microsoft patch to close the hole.

In this particular case the spammed message was a fake warning from Yale University professor about student vandalism that supposedly happened over the new year:

We are very sad to say that over the New Year the Campus was subjected to  several acts of mindless vandalism.  As well as bricks being thrown through  windows, several members of staff have reported their cars as being the  subject of practical jokes.  Some of these cars were filled with water whilst  others had graffiti daubed across them.  We have uploaded the pictures of the  graffiti here in the hope that someone  may recognise the culprits work. If anyone can shed any light on this unfortunate  incident could they please contact the main office as soon as they have time.

When curious readers follow the link to a web server under, they are hit with a WMF file that immediatly downloads a botnet client via tftp and runs it. In case the WMF exploit wouldn't work, the front page of the site also contains an exploit against older versions of Firefox, using the "InstallVersion.compareTo()" flaw. The downloaded client will connect to a botnet hosted via several IRC servers.

F-Secure Anti-Virus detects the WMF exploit in question as Exploit.Win32.IMG-WMF and the downloaded trojan as Breplibot.Q. Abuse reports have been sent about the sites abused in this scam.

Administrators: you might want to block these at your gateways:
   http access to playtimepiano[dot]home[dot]comcast[dot]net (do not visit this site)
   tftp (ie. UDP) access to
   IRC access to
   IRC access to
   IRC access to
   IRC access to
   IRC access to

PS. There seems to be no Professor Robert Gordens in Yale.
 overloaded Posted by Mikko @ 06:23 GMT

Turns out half the planet tried to download WMFFIX_HEXBLOG.EXE from Ilfak Guilfanov's personal website ( The resulting traffic amounts were so huge that his hosting provider actually shut his site down.

Update at 09:55 GMT: The site is now back up and running in reduced state. It's still under extremely heavy traffic.

Ilfak has set up a temporary site at, offering links to various download locations.

He mentions on his page:

  Due to incredibly high load, the page has been reduced to the bare minimum.
  Thanks for understanding.
  Safe computing!

Our guidance on the "WMF vulnerability" continues to be:

1) Make sure your antivirus is up-to-date and enabled. F-Secure Anti-Virus detects right now all known exploit versions, but new ones are popping up

2) Apply the Microsoft-recommended REGSVR32 /u shimgvw.dll work-around. It doesn't solve all problems - but it does disable the most obvious ways of exploiting this

3) Install the unofficial patch from Ilfak Guilfanov. We've tested and audited it and can recommend it. We're running it on all of our own Windows machines.


Tuesday, January 3, 2006

WMF construction kit Posted by Jarkko @ 18:27 GMT

We just received a sample of easy-to-use WMF construction kit. The WMF file it generates is based on "first generation" metasploit exploit which itself was based on the very first WMF exploit found in the wild last week. The program itself is not that interesting, it is a console-mode Windows application that just generates a file named "evil.wmf" with whatever payload given from command line. The application is user-friendly but the user still needs to know how to write assembly payloads (or where to download one). That, in addition to fact that at least some WMF files it generates are buggy, makes this construction kit a minor threat.

We detect the constructor kit as VirTool.Win32.WMFMaker.a


Nice Posted by Mikko @ 08:06 GMT

Infoworld AwardWe'd like to say thank you to InfoWorld for awarding F-Secure Anti-Virus Client Security 6 with the InfoWorld Best Anti-Spyware Solution -award in their annual Technology of the Year Awards.

Comment from Doug Dineley from the InfoWorld Test Center. "F-Secure Anti-Virus Client Security delivered the strongest real-time protection against spyware of all the solutions we tested. We couldn't sneak anything past it."

Hey, thanks!

Read the full review where we are ranked against the competition.


Which platforms can really get hit by WMF? Posted by Mikko @ 07:29 GMT

Windows 3.11Larry Seltzer from eWeek has been doing lots of additional testing against older versions of Windows and bad WMF files.

He has just blogged his interesting findings: a practical sense, only Windows XP and Windows Server 2003 (in all their service pack levels) are vulnerable to the WMF flaw.
...all versions of Windows back to 3.0 have the vulnerability in GDI32. Except for Windows XP and Windows Server 2003, no Windows versions, in their default configuration, have a default association for WMF files, and none of their Paint programs or any other standard programs installed with them can read WMF files...

So the vulnerability is there on all platforms but it seems that only Windows XP and 2003 are easily exploitable. Unfortunately this still means that majority of Windows computers out there are vulnerable right now. And at least Windows 2000 becomes vulnerable if you're using many of the available third party image handling programs to open image files.

Virus statistics for 2005 Posted by Mikko @ 06:14 GMT

Turns out the year has just changed.

According to our virus statistics, these were the most common viruses for the year 2005:

1. Email-Worm.Win32.LovGate.w - 8.9 %
2. Email-Worm.Win32.Netsky.p - 8.8 %
3. Net-Worm.Win32.Mytob.x - 8.2 %
4. - 8.1 %
5. Email-Worm.Win32.Sober.y - 7.4 %
6. Email-Worm.Win32.Netsky.q - 2.9 %
7. - 2.6 %
8. - 2.6 %
9. E-Mail-Worm.Win32.Netsky.d - 2.4 %
10. Email-Worm.Win32.Doombot.b - 1.7 %

Overall activity chart for 2005 looked like this:

2005 stats


Monday, January 2, 2006

Targeted WMF email attacks Posted by Mikko @ 12:17 GMT

Our colleagues and business partners at Messagelabs have stopped a very interesting WMF attack today.

A new WMF exploit file was spammed from South Korea to a targeted list of a few dozen high-profile email addresses.

The email urged recipients to open the enclosed MAP.WMF file - which exploited the computer and downloaded a backdoor from www.jerrynews[dot]com.

What makes the case really interesting was the cloak-and-dagger language used in the email which was spoofed to originate from US State Department's security unit.

From:, Confidential, Attached is the digital map for you. You should meet that man at those points seperately. Delete the map thereafter. Good luck, Tommy

Oh yeah? And should you get killed, we will disavow any knowledge of your actions. This tape will self-destruct in five seconds...


It's not a bug, it's a feature Posted by Mikko @ 04:13 GMT

What exactly is going wrong with the WMF vulnerability?

Turns out this is not really a bug, it's just bad design. Design from another era.

When Windows Metafiles were designed in late 1980s, a feature was included that allowed the image files to contain actual code. This code would be executed via a callback in special situations. This was not a bug; this was something which was needed at the time.

The feature now in the limelight is known as the Escape() function and especially the SetAbortProc subfunction.

Microsoft documentation

This function was designed to be called by Windows if a print job needed to be canceled during spooling.

This really means two things:
1) There are probably other vulnerable functions in WMF files in addition to SetAbortProc
2) This bug seems to affect all versions of Windows, starting from Windows 3.0 - shipped in 1990!

"The WMF vulnerability" probably affects more computers than any other security vulnerability, ever.

Paintbrush from Windows 3.0


Sunday, January 1, 2006

Internet Storm Center recommends Ilfak too Posted by Mikko @ 16:05 GMT

Read Tom Liston's diary entry from SANS Internet Storm Center.

To quote:
  To the best of my knowledge, over the past 5 years, this rag-tag group of volunteers
  hasn't asked for your trust: we've earned it. Now we're going to expend some
  of that hard-earned trust:

  This is a bad situation that will only get worse. The very best response that our collective
  wisdom can create is contained in this advice - unregister shimgvw.dll and use the
  unofficial patch. You need to trust us.

We agree. Read the full diary entry.

Then unregister the DLL and download and install the unofficial patch: or

Update: Updated the links to point to version 1.3.


New WMF exploit attacks via email Posted by Mikko @ 09:38 GMT

HappyNewYear.jpgSome clown is spamming out "Happy New Year" emails which will infect Windows machines very easily. These emails contain a new version of the WMF exploit, which doesn't seem to be related to the two earlier Metasploit WMF exploits we've seen.

The emails have a Subject: "Happy New Year", body: "picture of 2006" and contain an exploit WMF as an attachment, named "HappyNewYear.jpg" (MD5: DBB27F839C8491E57EBCC9445BABB755). We detect this as PFV-Exploit.D.

When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot] Admins, filter this domain at your firewalls.

It's going to get worse.


Bad behaviour Posted by Mikko @ 00:49 GMT

We are aware that a new exploit for the WMF vulnerability has been published. This one is much more advanced than the old one, and much more dangerous.

It enables clueless newcomers to easily craft highly variable and hard-to-detect variations of image files. Images that take over computers when viewed. And do this on all common Windows platforms. With no vendor patch for the vulnerability available. Meaning that there are hundreds of millions of vulnerable computers in the net right now.

Making such tools publicly available when there's no vendor patch available is irresponsible. Plain and simply irresponsible. Everybody associated in making and publishing the exploit knows this. And they should know better. Moore, A.S, San and FrSIRT: you should know better.