NEWS FROM THE LAB - February 2006


Tuesday, February 28, 2006

More on RedBrowser Posted by Mikko @ 19:15 GMT

The RedBrowser trojan is unique in several ways:

1. First J2ME (Java 2 Mobile Edition) malware. Some old Java viruses like Strangebrew do work on some Java phones, but RedBrowser is the first malware targeting Java phones on purpose.

2. First mobile malware that tries to steal money. The threat is is still very limited: this thing does not spread by itself and we have no direct reports of anybody being hit by it in Russia (where the first reports were from).

3. All other mobile malware targets smartphones (running on Symbian, Palm or PocketPC). This one works on many low-end closed phones. We've succesfully tested it under:
  Nokia 9300 (Communicator, running Symbian Series 80)
  Nokia 6630 (Symbian S60 smartphone)
  Nokia 5140i (low-end Series 40 phone)
We've also heard it works under Blackberries with J2ME support. We will be testing it with Nokia 6310i - one of the first phones with Java support.

These screenshots taken under Nokia 6630 show how the social engineering works:


The trojan always sends the messages to number 1615, which seems to be a generic premium-rate number in Russia, used by several different services.


Two new developments on the mobile front Posted by Mikko @ 05:15 GMT

A quick note on two separate developing issues:

redbrowser1: Redbrowser.A: First J2ME mobile phone trojan. Apparently works on most phones with J2ME support (ie. hundreds of different phones). Sends SMS messages to Russian premium rate numbers to steal money from the user. First reported by Kaspersky Lab.

2: is reporting a new C# virus, which would be succesful in spreading from the PocketPC mobile platform to a normal Win32 desktop computer. We haven't seen a sample of this one yet.


Friday, February 24, 2006

Rootkit Pharming Posted by Mika @ 14:52 GMT

Image: Phish

Haxdoor is one of the most advanced rootkit malware out there. It is a kernel-mode rootkit, but most of its hooks are in user-mode. It actually injects its hooks to the user-mode from the kernel -- which is really unique and kind of bizarre.

So, why doesn't Haxdoor just hook system calls in the kernel? A recent Secure Science paper has a good explanation for this. Haxdoor is used for phishing and pharming attacks against online banks. Pharming, according to Anti-Phishing Working Group (APWG), is an attack that misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning.

We took a careful look at (detection added 31 Jan, 2006). It hooks HTTP functionality, redirects traffic, steals private information, and transmits the stolen data to a web-server controlled by the attacker. Most (all?) online banks use SSL encrypted connections to protect transmissions. If Haxdoor would hook networking functionality in the kernel, it would have hard time phishing since the data would be encrypted. By hooking on a high-enough API level it is able to grab the data before it gets encrypted. Apparently Haxdoor is designed to steal data especially from IE users, and not all tricks it plays work against, for example, Firefox.

If you want to know more about the phishing threat, Anti-Phishing Working Group's latest trend report and this article by Brian Krebs should make an interesting read.


Speaking at Tallinn IT College Posted by Jarno @ 04:31 GMT

Speaking at IT Collecge

Yesterday I visited our neighbors in Tallinn, Estonia to speak at the Tallinn IT College with our local partner BCS Baltic Computer Systems.

As I was starting my speech on the current situation of the malware front, we got a surprise visitor. In addition to the students and the company representatives, we had the honor of having the president of the Estonian parliament, Ms Ene Ergma attending the presentation.

Ene Ergma
In this picture we have the President of Riigikogu (Parliament) being greeted by Kalle Tammem´┐Że, the Headmaster of the IT College.


Tuesday, February 21, 2006

More OS X malware Posted by Jarno @ 11:12 GMT

Today we received two more samples of Mac OS X malware.

OSX/Inqtana.B and OSX/Inqtana.C are close variants to original OSX/Inqtana.A. About the only difference between variants is the technique by which the worm will start on the infected machine after user has accepted OBEX file transfers.

The startup routines on Inqtana.B and Inqtana.C will most likely work also on OS X 10.3.

Like Inqtana.A the .B and .C are locked to certain bluetooth addresses and are time limited to 24. February 2006, so they will not be able to replicate on any real environment and will work only in specially crafted lab. However it is possible that some virus author will create similar worms that are not intentionally limited, so please make sure that your OS X is up to date.


Monday, February 20, 2006

Mare.D: Another linux worm on the loose Posted by Gergo @ 10:07 GMT


A new variant of the Mare family of Linux worms has been found. This one exploits one vulnerability in Mambo and another one in PHP XML-RPC.

Mare.D installs an IRC-controlled backdoor as payload.

Our description is available at


Friday, February 17, 2006

Second Max OS X malware discovered Posted by Jarno @ 14:06 GMT

Today we got a sample of rather interesting case, a Mac OS X Bluetooth worm that spreads over Bluetooth.

OSX/Inqtana.A is a proof of concept worm for Mac OS X 10.4 (Tiger). It tries to spread from one infected system to others by using Bluetooth OBEX Push vulnerability CAN-2005-1333.

If you are using OS X 10.4 make sure that you have latest security patches installed and you are safe from Inqtana.A and any future worm that tries to use same exploit.

Inqtana.A has not been met in the wild and it uses Bluetooth library that is locked into specific Bluetooth address and the library expires on 24. February 2006. So it is quite unlikely that Inqtana.A would be any kind of threat.


Thursday, February 16, 2006

Leap.A - The first virus for Mac OS X Posted by Katrin @ 15:39 GMT

The first virus for Mac OS X has been found today. It is called OSX/Leap.A.

The malware was originally posted via link to MacRumors forum pretending to be screenshot for Mac OS X v10.5 Leopard.

Update by Gergo:

Leap.A propagates through iChat and infects local applications using the companion method. Our description is located at


Time to make sure that your Bluetooth stack is safe Posted by Jarno @ 11:46 GMT

Some of you might remember the mess caused by unfixed vulnerability in the old Widcomm bluetooth stack.

This caused quite a few vendors to switch to other bluetooth stacks. Unfortunately it seems that just switching to another vendor does not always help.

In the past month there has been two announcements of serious vulnerabilities in commonly used bluetooth stacks. Both the Toshiba stack and BlueNeighbors stack used by Ambicom were found vulnerable.

For Toshiba there is a patch available in but this may not work with OEM devices, and some vedors have not yet provided an update to their customers.

Ambicom updates are available at but we do not have information whether they are already providing updated drivers or not.


SymbOS/Commwarrior.B found from Palm Treo 700W phone Posted by Jarno @ 11:07 GMT

A couple days ago we encountered an interesting case involving Commwarrior.B and Palm Treo 700w smartphone.

We received a request for help from a person who was trying to figure out a case of Commwarrior.B infected Palm Treo 700w. And as Treo 700w is Windows Mobile based device and thus Commwarrior.B cannot work on such device we found the case rather interesting.

When user was trying to sync the Treo 700w with PC the desktop Anti-Virus was giving alerts about SymbOS/Commwarrior.B, and both the telecom and phone vendor support were at loss on figuring out what was going on.

When we started helping customer to figure out what was going on it turned out that the customer really had Commwarrior.B on the phone. However this was SymbOS/Commwarrior.B not a new variant, and it was totally harmless in the device. With the exception of causing PC Anti-Virus alarms at sync.

The phone contained several SIS files with random filenames such as n0g5u00p7.sis, which means that the files were received over bluetooth, as the MMS spreading uses a constant filename commw.sis.

It seems that the user of Treo 700w has accepted Commwarrior.B bluetooth transfer requests, and the phone had stored those files. And thus the phone was causing problems with PC sync.

Actually this is not the first time that we have had to help Palm users with malware that is harmless on their devices, but still causing nuisance at PC sync. I remember several cases where Palm user has received E-mail containing Klez E-mail worm, and has then been unable to sync the Palm mail inbox with PC.

In case there are more people with similar problems, we will include all Symbian Bluetooth and MMS worm detections also to Windows Mobile version of F-Secure Mobile Anti-Virus. So that cleanup will be easier on those devices, even as the Symbian worms are harmless on those devices.


Wednesday, February 15, 2006

Jigsaw Piece - 813 Posted by Katrin @ 18:20 GMT


Love is in the air Posted by Katrin @ 18:20 GMT

Two days ago we got Bagle.FY that arrives in email messages related to the Olympic games in Torino. Yesterday one more variant Bagle.FZ appeared - similar to an older version. Today one more just arrived - one late Bagle for Valentine's day.

The worm sends itself in messages with various subjects like this one:

Will You Be My Valentine?

Two of the three texts that it shows are love poems written by the American poet Robert Frost and the third is written by the Argentinean poet Juan Manuel Perez. The worm shows these poems on a background of Valentine's pictures.

Enough about love, it is time to land and update the database to protect your computers. What you need to detect Bagle.GA is FSAV update version number 2006-02-15_03


Tuesday, February 14, 2006

What's up at the RSA Conference Posted by Mikko @ 17:52 GMT

Bill Gates just finished his keynote here at the RSA Conference in San Jose. He gave a good show and even dropped security buzzwords such as botnets, rootkits and phishing. He also mentioned malicious attacks against mobile phones as an example of current trends.

Bill Gates live on stage

Bill's presentation focused on four things that we need: trust ecosystem, engineering for security, simplicity and fundementally secure platforms.

On authentication his comment was simple: "passwords won't cut it anymore".

Likewise, on simplicity of security systems he said: "we absolutely have to do better".

According to a previous keynote by Gates, spam shouldn't be a problem anymore now in 2006. Gates acknowledged this didn't happen: "User's see less spam...but spam is not gone. There's still work to be done."

Gates also forecasted that far fewer people will be running Vista with administrator rights (than XP). Sounds good.

That's the queue to see Gates' keynote.


About the Hidden Smith Family Posted by Antti @ 14:51 GMT

Heise Online is reporting about yet another example of the ever-warming relationship of copy protection and rootkit technologies. The affair started with the digital rights management system Sony BMG was using to protect audio CD's. Now, we can also confirm (thanks to Rüdiger from our German office!) that at least the German DVD release of the movie "Mr. & Mrs. Smith" contains a copy protection mechanism which uses rootkit-like cloaking technology.

Mr. and Mrs. Smith DVD BlackLight detecting hidden process

The Settec Alpha-DISC copy protection system used on the DVD contains user-mode rootkit-like features to hide itself. The system will hide its own process, but does not appear to hide any files or registry entries. This makes the feature a bit less dangerous, as anti-virus products will still be able to scan all files on the disk. However, as we note in our article on rootkits, it's not that uncommon for real malware to only hide their processes.

Our message to software companies producing any software (not just copy protection products) is clear. You should always avoid hiding anything from the user, especially the administrator. It rarely serves the needs of the user, and in many cases it's very easy to create a security vulnerability this way.

If you suspect you have this copy protection system installed on your computer and you wish to remove it, the manufacturer is providing an uninstaller.

A note to our local readers: we can also confirm that the Finnish release "Mr. & Mrs. Smith" does not contain this particular copy protection technology.


Olympic-themed computer viruses Posted by Mikko @ 00:21 GMT

Katrin blogged previously about the new Bagle variant that spreads via emails with Olympic-themed content ("2006 Torino Winter Games FREE Tickets" and so on).

This is not the first time winter Olympic games are being targeted by computer viruses. During the 1994 Lillehammer Olympic games a Swedish virus writing group got some coverage for their Olympic-themed virus, known as Virus.DOS.VCL.Olympic.1440.

The virus was programmed to overwrite the hard drive of the infected machine on the starting day of the games, and then display this message:

VCL.Olympic message

Kristin and Haakon were the mascots of the 1994 games and Antonio was a reference to Juan Antonio Samaranch, the president of International Olympic Committee at the time.

Do note that just like VCL.Olympic, Bagle.FY doesn't seem to be widespread.


Monday, February 13, 2006

Bagle and Olympics Posted by Katrin @ 17:07 GMT

A new Bagle is spreading in messages related to the Olympic games in Torino. It arrives in emails offering a free ticket for the games or to participate in a lottery to win such.

We added detection of it as Bagle.FY in update version number 2006-02-13_06.


Friday, February 10, 2006

Animations from Caida Posted by Mikko @ 09:21 GMT

Caida has posted a nice Quicktime animation to illustrate, and I quote: "the spread of the Nyxem virus around the world with emphasis on the diurnal patterns of the spread of the virus.

The full video is available from their analysis page.

caida world animation


Thursday, February 9, 2006

New Bagle mass-mailer found Posted by Alexey @ 14:19 GMT

phscWe have received a new Bagle mass-mailer.

It spreads in e-mails sometimes pretending to be an antivirus definition file from Symantec. We detect this new mass mailer as W32/Bagle.FM@mm with the 2006-02-09_03 updates.


Tuesday, February 7, 2006

Cyber attacks against Danish sites Posted by Mikko @ 13:40 GMT

Since the outcry on the cartoon images of Muhammed started, there's been a series of attacks against Danish web sites.

Many of these are just typical defacements, but the message is very directly anti-Danish.

Here's some examples from today and yesterday:

Defacement on

Defacement on

Defacement on

Defacement on has categorized over 500 defacements like this since the conflict started.


Damage figures in India Posted by Mikko @ 05:52 GMT

Word DATA Error [47 0F 94 93 F4 K5]We just got an updated figure from Sanjay Katkar or Quickheal in India about the Nyxem damage over there:

  The news is by today morning I had received confirm reports of 4800
   to 5000 PCs with data damaged by this worm.
  We carried out a phone survey among all our retailers to find out any
  complaints received by them and we came to above figures.
  This figure is from cities of Mumbai, Pune, Delhi, Bangalore,
  Hyderabad, Chennai, Nagpur, Nashik & Baroda.
  Now I believe that the actual number of PCs corrupted by this worm
  can be higher as we don't get reports from many of the states
  and cities of India.

It would be nice to get similar reports from Peru or Turkey - two other countries that had large amounts of infected machines during the weeks before the activation. Anybody?


Monday, February 6, 2006

Analysis and Inferences Posted by Mikko @ 19:18 GMT

CAIDA, the Cooperative Association for Internet Data Analysis has worked over the Nyxem counter stats. As a result, they have come up with an impressive analysis on just how widespread Nyxem was and where was it most prevalent.

The results have just been published at

Copyright Caida source

Quote: "We estimate that between 469,507 and 946,835 computers in more than 200 countries were infected by the Nyxem".

All the hard work on this publication has been done by Colleen Shannon and David Moore. Good job!

PS. We were talking with the folks at Quickheal (one the major antivirus companies in India) about Nyxem damage that they might have seen. Sanjay Katkar wrote to us:

   Now I am receiving reports form various branch office across India and it seems that
   around 230 to 250 users had real damage done to their systems. The number of computer
   counts can go up to 500 as most of the users were home users and offices having 3
   to 5 computers. I believe the actual number of systems damaged will be more
   as its difficult to reach out to people who have faced it.

Thanks Sanjay.


Sunday, February 5, 2006

Nyxem: nothing happened? Posted by Mikko @ 13:46 GMT

So, Nyxem.E had infected hundreds of thousands of computers over the last two weeks. It activated on Friday, overwriting data. But almost nobody reported any problems. So what happened?

Excel DATA Error [47 0F 94 93 F4 K5]Well, probably several things, including:

- The amount of machines that were really infected still on Friday was much smaller than the total amount of machines that got infected (and cleaned) during the whole outbreak. This number is probably in the tens of thousands. Which is not a lot of computers out of, say, one billion computers in the world.

- Many of the infected machines were not rebooted on Friday. They were simply running all the time. The worm only does damage when you start the machine on the 3rd.

- Many infected home machines were shut down all of Friday, and nothing happened. People went to movies, bars, parties on Friday night instead of surfing.

- The media coverage on the whole incident prompted many people to check their system and clean them up in time.

So, does this mean there weren't any problems reported, anywhere? Well, no. We had some isolated support calls to our country offices from home users who were hit. And a partner company of ours in USA was contacted with a company that had one of their Windows servers hit.

And there were some unconfirmed online reports of problems. You can find examples if you dig online forums and usenet groups. See some examples below:

  Newsgroups: microsoft.public.excel.misc
   From: "=?Utf-8?B?bXVydWdhbl9oc0B5YWhvby5jb20=?="
   Subject: data error while opening files
   Date: Wed, 18 Jan 2006 22:18:02 -0800

   when i open excel or word existing file i getting contents as "DATAError
   [47 0F 94 93 F4 K5]" instead of my saved data.
   pls help me solving. My all word & excel files are have same problem.
  Newsgroups: microsoft.public.excel.misc
   From: "saran"
   Subject: Re: data error while opening files
   Date: 2 Feb 2006 23:18:19 -0800

   i am also having the same problem i thing the virus webmal can corrupt
   the dat if u got the solution pls send it to me
  Newsgroups: Yummypinays
   From: Elpidio Garcia
   Date: Fri, 3 Feb 2006 05:03:39 +0000 (GMT)
   Subject: [YP] HHHHHHHHHHHHelp!!!!!!! anyone...

   ...i found out that all my files particularly office docs were corrupted
   and only shows this message everytime i open my files,
   DATA Error [47 0F 94 93 F4 K5]
   From: aougarferhat
   Subject: c'est quoi data error 47 0F 94 93 F4 K5?
   Date: Sat, 4 Feb 2006 14:41:45 -0800



Friday, February 3, 2006

Quite quiet Posted by Mikko @ 11:46 GMT

So far today we haven't received any significant Nyxem damage reports.

Vast majority of the machines infected by Nyxem are home computers. Nothing will happen on them until people get home from work and boot up their machines. Half an hour later the damage starts. The user won't realise what's going on until an hour or two later, when it's already late Friday night.

The full scope of the problem won't come to light until during the weekend or early next week.

We'd like to think that they whole problem was avoided and everybody cleaned up their machines in time. But unfortunately that's probably not true.


Italian media has reported that the Municipality of Milan had many of their 10.000 machines infected by Nyxem.E and have chosen to switch off their network today.

According to our data, Italy had the most infected computers of European countries.


Thursday, February 2, 2006

Nyxem on a world map Posted by Mikko @ 14:31 GMT

CounterWe have been co-operating with RCN, the company running the counter site that is used by the Nyxem.E worm. Last night we got the web access statistics, listing all the IP addresses that have accessed the Nyxem counter.

After filtering out the addresses of bots that have been hammering the counter lately, we used our WORLDMAP technology to map the addresses to a map. As a result we have a global view of the machines that will run into trouble unless they are disinfected before tomorrow:

Nyxem.E worldmap
- click the map for a high-resolution version -

Nyxem.E starts to overwrite files half an hour after the infected machines are started on the 3rd of the month.

We'd like to thank Jason Nealis and Chris Jackman at RCN for their generous help with this issue.


Concerning the payload of Nyxem.E worm Posted by Alexey @ 12:27 GMT

As we warned before, the payload of Nyxem.E worm will activate tomorrow, on February 3rd, 2006 on all infected computers that have their clock set correctly.

We made a few additional tests with the worm in our test network environment. When the payload is activated, the worm enumerates all logical drives and damages files on them in a loop. So it should damage files on all drives that have a drive letter, including network drives. That's the theory. In practice, however, the worm failed to do so on network drives, at least in our test environment. Files on local and removable drives (including USB memory) were damaged by the payload.


Wednesday, February 1, 2006 under attack Posted by Mikko @ 12:46 GMT

There's a mass spamming underway right now. Somebody is sending out thousands of emails spoofed to be from "David Adams, Dept. Research, F-Secure Development (". Some emails were also spoofed from or from

These emails contain a new variant of the Breplibot worm. We're right now shipping detection for it as "".

The emails are not sent from our network, they are just spoofed to look like they are coming from a F-Secure address.

This is what the emails looked like:
david adams spoof email