NEWS FROM THE LAB - February 2007


Tuesday, February 27, 2007

Skypezov? Posted by Mikko @ 15:46 GMT

We have two reports of people receiving links to a Warezov-infected file via Skype.

Now, some older Warezov variants have used other Instant Messaging client in a similar fashion, but not Skype.

The messages looked like this:


We detect the binary at that download location as


New MySpace Nasty Posted by Mikko @ 15:34 GMT

There's something new spreading on MySpace.

It ends up modifying existing profiles, overlaying the content with a message like this:


If you follow the link, you'll end up with a download. This is a Zlob variant.

We haven't finished our analysis on this, but apparently when run it tries to modify your MySpace page to include a code snippet that is responsible for the malicious download link.



German Hacking Update Posted by Sean @ 13:09 GMT

If you found our February 16th Poll Results on German police "hacking" to be of interest, then you'll want to read this news piece from The Register as a follow up.

Germany's police and secret services are pushing for a legal basis for "online house searches".



Monday, February 26, 2007

Video - Live Phishing Demo Posted by Sean @ 17:52 GMT

We frequently post on the topic of Phishing. Today we discovered a phishing site that was created two days ago on February 24th.

We are monitoring new domain registrations that include particular keywords, such as eBay and Paypal. We create a list and use it to do a quick audit of URLs. If we find any obvious phishing sites – we get them shut down.

Ser vl Ces at PayPal

You can download a video with audio commentary from here:

Phishing Site Video (XviD – 7918k)
70% Quality (Windows – 4638k)
The video is also available via our YouTube Channel.


Public Service Announcement Posted by JP @ 13:50 GMT

There are currently two tracks within the channels of mobile malware authorship. It's reminiscent of the early days inside the "Demo-Scene" subculture for computers programmers. There are skilled and not so skilled people on the scene.

Analysis of the binaries reveals that one group of mobile malware comes from very knowledgeable people – whom for some reason have decided to use their skills for harm. The other group of malware is created by a group of individuals that appear to have lesser knowledge – and a crushing lack of common sense.

We are against the creation of all different types of malware but the group with lesser skills creating mobile malware seems particularly peculiar to us. These individuals seem to desire the obtainment of some kind of cool factor by merely editing the work of others and calling it their own. In these binaries, we often discover where the "creator" has inserted their e-mail address into the "new" malware. Or in some instances, they've even embedded a photo of themselves!

Perhaps this is a cultural difference? Many of the authors in this group are from developing countries and malware authorship might be seen more as experiment then as a practical venture. The early days of PC viruses had hobbyist as well. But times have rapidly changed since then…


We would strongly urge those experimenting with the creation of mobile malware to really think what would happen if they did actually succeed in creating something epidemic. If you don't even understand enough of the possible consequences to strip the meta data containing your personal contact information from your new experiment, then you deserve what you get. Mobile malware that succeeds in doing enough damage does get the attention of law enforcement authorities. And we do cooperate with them on a regular basis.

To those malware authors that might be reading, it's not cool and it's not a game. It's a crime. Stop it.


Friday, February 23, 2007

Credit Card Data Breaches Posted by Sean @ 13:50 GMT

There's been quite a lot of news regarding TJX Companies and their data breach. The most recent news is that the amount of data stolen was greater than was earlier reported during January.

TJX is the parent company of Marshalls and TJMaxx (TKMaxx in Europe). The breach affects a great many people and their credit card numbers. Click here and here for more details.

Some journalists from Sweden visited for an interview a few weeks ago. As more and more financial transactions are occurring online, Mikko was asked a question along the lines of… What can average consumers do to protect themselves from credit card fraud?

And the answer was in essence – Carefully read and review your billing statement.

Billing Statement

This is true whether you shop online or not. TJX operates "brick and mortar" stores. Yet, your credit card transactions exist on their network. Most business transactions are "online" today in one way or another.

So review and audit your statement each month. If you have access to it electronically then perhaps review it more often. If you see anything that you don't recognize – call your card issuer. We've sought information many times in the past (forgetful after long trips) and the people on the other end of the line were always very willing to assist.


Video - Bagle Mashup Posted by Sean @ 09:30 GMT

Our video of the W32/Bagle.AG@mm worm was originally posted in September of 2005. Gergo provided the details then:

The boxes in the picture are functions of the worm. The one on the top is the "main" where the execution starts. The first ring contains all the functions that "main" calls. The second all the functions that the ones on the first ones call and so on. All connecting lines represent the calls from one function to the other. Red boxes belong to the virus code while the blue ones are API calls library code that do not belong to the malicious code.

Today we have a re-posting of the video with some heavy metal music included.

Bagle.AG - Moment of Inertia

The music is provided by Moment of Inertia and the track is Diecast Soul. You can download the MP3 from their website. Why use this band's music? Answer – Mika St�hlberg of our Research Lab is the band's drummer. Enjoy!

Bagle Video (WMV – 13394k)
The video is also available via our YouTube Channel.


Thursday, February 22, 2007

Kernel Malware Posted by Kimmo @ 08:34 GMT

Last December, I blogged about the AVAR 2006 conference where I presented my paper on kernel malware. Finally, we are able to provide the material for our readers. Both the paper and slides are available in PDF format.

The paper – "Kernel Malware: The Attack from Within" – is about kernel malware, explaining what they are, how they work, and what makes their detection and removal challenging. It also looks at two interesting malware cases utilizing kernel-mode techniques to avoid detection and to bypass personal firewalls.

An important part of the paper was a statistical analysis run over a large sample set to investigate how the kernel malware trend has changed over the years. Details for the analysis can be found from the paper but I thought it would be nice also to post the results here. Below, we have two graphs demonstrating the change in kernel malware trends since year 2003 onwards.

Kernel Samples 720

The first graph shows how the number of kernel-mode driver samples has changed over the years. This data includes different variants of the same family. A more interesting graph is shown below, which illustrates the cumulative number of malware families utilizing kernel-mode components.

Kernel Families 720

From these two graphs we can easily see how the trend has changed dramatically at the end of the year 2004. This is mostly explained by the increased number of malware starting to use kernel-mode rootkits to hide their presence on the compromised system.

Today, kernel-mode rootkits are much more common than their user-mode counterparts. There are many reasons for this. Kernel-mode rootkits are more powerful thus they are able to hide better. Documentation with examples and fully working source code is easily available – there are even books available that explain in detail how to write your own kernel-mode rootkit. Implementing a full-flexed user-mode rootkit is a complex task. It seems that for malware authors, it is much easier just to upgrade their user-mode malware with a cut-and-paste kernel-mode rootkit.

Signing Off,


Wednesday, February 21, 2007

Swedes to Make DDoS Attacks Illegal Posted by Sean @ 13:46 GMT

Head of State

Swedes have until June 1st to commit a Distributed denial-of-service attack (DDoS). After that – it will be a criminal offense. It isn't technically one now.

Last year, there were attacks on websites owned by the Swedish government and the Swedish police. The attacks were the result of a dispute with The Pirate Bay. The websites were offline for a number of hours and reportedly the URLs were circulated in IRC channels before the attacks.

We aren't knowledgeable on the exact changes in the law, but sounds as though the amendment would criminalize DDoS attacks, whether carried out with a Botnet, or by an activist crowd using their own resources.

We're curious if that would also apply to a Slashdot effect.

You can read about it here and here.


Monday, February 19, 2007

Next up, IKEA customers! Posted by Mina @ 23:33 GMT

It seems that the new target of the Nurech gang are IKEA customers.

The latest "billing statement" looks like this.

Email Nurech.AS

The attached binary file is now detected as Trojan-Downloader:W32/Nurech.AS since database update 2007-02-19_09.

Similar to the previous variants, the recipient is asked to verify the billing statement by opening the file using Adobe Reader. This time, however, recipients are assured with the digital signature mumbo jumbo.

When in doubt, contact the possible source. In this case, your nearest IKEA representative.


Friday, February 16, 2007

Poll Results - Should Police Hack? Posted by Sean @ 16:12 GMT

Our February 6th post conducted an opinion poll that asked:
Should police authorities be allowed to "hack" a suspect's computer?. Germany's supreme court recently made a ruling on the issue.

There were 1020 responses. Now we have some analysis by country for you.

GB Results

A graph of the overall results can be found in the original post. There were 23.8% in favor, 65% against, and 11.2% that were undecided. Approximately 68% of those 1020 responses were from one of five locations: Sweden, Germany, Great Britain, Finland, and the United States.

Feb 6th Poll Results

Germans were the least approving of police using hacking techniques, while Britons were the most willing. Finns fell somewhere in the middle.

Kind of interesting results when you consider the geopolitical factors…


Updated to add: Typo in the table has been corrected.


Thursday, February 15, 2007

Firefox Cookie Bug Posted by Sean @ 14:43 GMT

Bug 370445

There's a new bug reported in the way Firefox handles writes to the 'location.hostname' DOM property. The vulnerability could potentially allow a malicious website to manipulate the authentication cookies for a third-party site. The bug was submitted by Michal Zalewski and was tested with the current version of Firefox.

The bug could allow for the browser to appear as if were connecting to a bank, when in fact it would instead be receiving data from a bad guy.

Firefox is often patched quickly, so take note, it's an excellent idea to enable Firefox's automatic updates option if you haven't already.

Firefox Update Options

A demo of the vulnerability and a suggested work-around can be found here.


Bomb them from orbit. It's the only way to BE SURE. Posted by Mikko @ 14:16 GMT

We have this cool prototype in the lab that enables us to locate computers that are probing our darknet. We can plot the location of the infected machines over Google Earth and get a feeling of where on the globe these machines are, in real-time.

Google Earth

A little over a year ago, we had a group of US Army Generals visit our labs here in Helsinki. We did a demo of this prototype for them, zooming in on some particular computer to show off the amazing level of detail in Google Earth. One of the Generals made a comment along the lines of "that would be accurate enough to bomb it". Very funny.

Google Earth

Then last week we saw this news piece via Network World:

U.S. cyber counterattack: Bomb 'em one way or the other.
"...the Department of Defense is prepared, based on the authority of the president, to launch a cyber counterattack or an actual bombing of an attack source..."

Oops, hope it wasn't us that gave them the idea…


Wednesday, February 14, 2007

Valentine's Day Flash Posted by Elda @ 12:16 GMT

A new spam e-mail has been seen in the wild taking advantage of Saint Valentine's Day. Below is a sample of such an e-mail:


It disguises itself as a Valentine's eCard notification. When you click on the link in the e-mail, it will redirect you to a page that asks you to install a fake Macromedia Flash Player (Adobe Flash Player). This fake player is actually a trojan that downloads and installs a BZub variant onto the system. Both files are now detected as Valenavir.A and Bzub.HZ respectively using our latest database updates. So, please be cautious in opening those Valentine's Day greeting cards.

Make sure to patch your systems, get the latest database updates and enjoy your Valentine's Day!


PS – Our PC Wellness campaign has been updated. You can now use it to send Valentine's Greetings in English, Finnish, French, and Italian. It's Flash based. Install the legitimate Flash Player from Adobe here.


Tuesday, February 13, 2007

Valentine Patch Posted by Elda @ 20:10 GMT

It's now Saint Valentine's Day here in Kuala Lumpur, Malaysia and it's just the perfect time to patch your system. Microsoft's security updates for February are now out. They include six critical updates for Microsoft Office, Internet Explorer, Data Access Components, HTML Help ActiveX, and more. The fix for the recent Zero-day Excel exploit MS07-015 is also included in this month's security updates. It's very important to patch your systems since these flaws can be used as vectors for malicious attacks.

February Patches


Monday, February 12, 2007

Snow Day Hackers Posted by Sean @ 09:21 GMT

Two Ohio, USA High School students were arrested last Thursday. The female students are accused of hacking into their school district's Web site and scheduling a Snow Day. The district had originally published notification of a one-hour delay, but as the two students knew the system's password, they were able to adjust the notice to a full Snow Day.

You can read the details here and here.

For our Finnish audience – A Snow Day is when events, businesses, and schools actually close due to snow…

Snow Day


Friday, February 9, 2007

Storm-Worm Gang Attacking the Warezov Gang Posted by Mikko @ 11:40 GMT

Interesting developments going on. The P2P botnet created by Storm-Worm variants has been used to launch Distributed Denial-of-Service attacks. Targets include several domains used by the Warezov/Medbot gang – with names like,,, et cetera. Also, several antispam organizations have been attacked.

Joe Stewart has done a good write-up about this.

This is not a good development and reminds us of the Great Virus War fought in 2004.

PS – There has been some speculation that these DDoS attacks might be related to the attacks on the root nameservers earlier this week, but we haven't been able to confirm this.


February 2007 Advance Notification Posted by Sean @ 09:52 GMT

Feb 8th Advance Notification

The period of time between Microsoft's January to February Patch Tuesday is five weeks. And it seems that Microsoft has been productive during this period.

Thursday's Advance Notification has been released and it shows that Tuesday's plan is for a dozen Security Bulletins affecting such items as Microsoft Windows, Microsoft Office, Visual Studio, et cetera.

One of the planned updates is for Live OneCare and is rated as Critical.



Thursday, February 8, 2007

Hello from APCERT AGM 2007 Posted by Patrik @ 16:32 GMT

Greetings from a sunny Langkawi in Malaysia where the 6th annual APCERT General Meeting is going on. A few of us are here to not only meet and greet with 19 different CERTs from primarily Asia-Pacific but also to give presentations on the latest developments on mobile malware, botnets and kernel malware.


So far the event has been very interesting with lots of great information and statistics on the security situation in countries throughout the region. For example, over 16000 botnet C&C (Command & Control) servers were found in China during 2006 and in Malaysia phishing reports have increased by 92.4% since 2005. There has also been some excellent presentation on tools that some of the CERTs have developed such as MCFinder from KrCERT that keeps track of websites hosting malicious websites.

Signing off,

Wednesday, February 7, 2007

VirusTotal Online Scanner Posted by Sean @ 12:04 GMT

VirusTotal + F-Secure

The team over at VirusTotal has added our F-Secure Anti-Virus to their lineup of scanners. VirusTotal is a free, independent service that analyzes suspicious files using multiple antivirus engines.

From there, you can easily check to see if we have detection for something new that you've found. Right now, it's our signature based antivirus engines that are used, but in the near future we'll also add our behavior based DeepGuard.

We would like to extend a big Thank You to Julio for working tirelessly with the integration!

VirusTotal Scanning Results

While we're on the topic of VirusTotal: There's an interesting article available on their site by Michael St. Neitzel.



RSA Conference 2007 - Greetings from San Francisco Posted by Antti @ 04:09 GMT

The 16th annual RSA Conference is being held this week at the Moscone Center in San Francisco. Today began with a nice kick-off show featuring dancing monks. Fancy!

RSA show

RSA show

The first keynote of the day was delivered by Microsoft's Bill Gates and Craig Mundie, who naturally drew a big crowd. Throughout the day you could see lots of familiar names on stage, including crypto-legends Whitfield Diffie, Ron Rivest, Adi Shamir and Martin Hellman in the Cryptographers Panel.

I'll be giving a session about malware forensics and how to examine infected Windows systems on Thursday morning at 8:00 am. If you're attending the conference, be sure to join in!

From San Francisco,

PS – F-Secure is exhibiting in the Expo Hall: Booth 731.


Tuesday, February 6, 2007

German Supreme Court Says No to Hacking Posted by Sean @ 15:32 GMT

Four months ago – We posted on the topic of police authorities using software to tap VoIP conversations. The post was about a department of the Swiss government performing an investigation into the possibility of using "spying" applications.

Now Germany is debating the topic – Police authorities in Germany have been prohibited from "hacking" into a suspect's computer by a recent supreme court ruling. The German court determined hacking techniques couldn't be used because no legal framework exists at this time. Further debate is possible and Germany's Interior Minister Wolfgang Sch�uble will reportedly push for the legal changes needed to allow the police to perform such activities. Deutsche Welle has an English language article with more details here.

So this forms the basis for the question we'd like to ask you – Should legitimate law enforcement authorities such as the police be allowed to use applications that would in other circumstances be considered malware? Should they be allowed to use hacking techniques to investigate suspects?



Monday, February 5, 2007

Client Security 7 Posted by Sean @ 16:27 GMT

F-Secure Client Security 7

Whenever we post on the new features integrated within F-Secure Internet Security 2007, such as DeepGuard, we often receive e-mails asking when the same features will be included in our F-Secure Client Security (our corporate security suite). We have a number of readers looking forward to its next release.

While the official "Grand Opening" has yet to occur, it's imminent. Our product page was updated today and you can read the details here. There's also a cool new flash demo that you can view.

PDF files:
Key Features and Benefits
Feature Comparison v6 vs. v7




Friday, February 2, 2007

Some football-related thingy Posted by Mikko @ 22:38 GMT

A number of unrelated web sites have been hacked into over the last days. They have been modified by inserting a reference to a script on a Chinese site called

Some of the hacked sites are related to the Super Bowl, being played this weekend.

However, the scripts will ultimately try to download a file called W1C.EXE from the site. We detect the file as and the site is now offline. Case closed.


Vista Bulletin Posted by Mikko @ 11:16 GMT

Vista VB

The Virus Bulletin magazine has completed its first comparative review of antivirus products for Microsoft Windows Vista.

We're happy to report that our F-Secure Anti-Virus for Vista 7.00 got the VB100 award on its first try.

Other antivirus products that made the mark were Avast, CA, Quick Heal, NOD32, Fortinet, AVG, Kaspersky, Sophos, and Symantec.

Interestingly, Microsoft Live OneCare for Vista did not get the VB100.




Thursday, February 1, 2007

Video - Haxdoor Demo Posted by Sean @ 12:43 GMT

Last Friday's post linked to Computer Sweden and an "interview" with Corpse, the author of Haxdoor.

Today we have some video demos of Haxdoor.KI and F-Secure Internet Security 2007 with DeepGuard technology.

The DeepGuard System Control feature is capable of defending a system even without definitions of the malware. This is because the behavior of the malware is determined as a threat and is automatically blocked.

The demo uses a Rakningen sample that was caught during a spam run.

DeepGuard Demo with Haxdoor.KI

Part one shows the results of launching Rakningen with System Control disabled. The rootkit is installed. Our F-Secure Blacklight is able to detect it…

Part two shows the System Control in action. It automatically denies Haxdoor access to the system and the rootkit fails to install.

Demo – Part 1 (XviD – 5489k)
Demo – Part 2 (XviD – 6132k)

The videos are also available via our YouTube Channel.