NEWS FROM THE LAB - March 2005


Thursday, March 31, 2005

Greetings from Blackhat Europe 2005 Posted by Jarno @ 10:54 GMT

bh_europe_2005 (54k image)

Greetings from Blackhat Europe in Amsterdam - the largest Blackhat information security seminar in Europe so far.

Or as Blackhat organizers like to call it, the digital self defence course :)

In the picture we have Simon Davies from Privacy International, also known as the longest surviving privacy advocate in the world.

More Black Hat 2005 coverage from Red Herring.


Wednesday, March 30, 2005

Money: Rootkit authors go for gold Posted by Mika @ 11:17 GMT

There has been numerous posts on this weblog of spammers and virus writers making money out of their criminal activities. Now rootkit authors are joining in. The author of a common rootkit called Hacker Defender has been selling undetection service for his products for some time now. Previously he only sold undetection against anti-virus products, but now his new "Golden Hacker Defender" is marketed as being able to hide from a number of rootkit detection tools, including our current F-Secure BlackLight beta. Hacker Defender is a user-mode rootkit/trojan that includes a built-in hidden backdoor. Apparently Golden Hacker Defender license costs 390 euros (about 500 US dollars).

Golden Hxdef Factsheet (6k image)

We recommend you spend your money on something else. As rootkits keep adopting new techniques, BlackLight will follow suit. This is where you can help by sending us samples whenever BlackLight finds something suspicious on your computer!


Virus hunters unlikely heroes Posted by Mikko @ 09:58 GMT

Ero & Ceco
The San Jose Mercury News made a very nice feature story on Ceco and Ero from our US viruslab.

Ero Carrera, a Spaniard, works with Tzvetan "Ceco'' Chaliavski, a Bulgarian, for F-Secure in San Jose. They trade shifts with the company's main lab in Helsinki, Finland, to make a SWAT-like team that stretches across the globe 24/7 to keep the world's network of computers and cell phones safe from attack....

Carrera and Chaliavski love the thrill of the chase, yet leave their desks for little more than coffee or bathroom breaks. They stare all day at computer screens filled with a sea of jumbled numbers and symbols -- the electronic guts of computer worms and viruses...

and here's our favourite quote:

With blond highlights streaking through his dark hair, Carrera looks more hipster than nerd. But he's just as excited describing decryption as he is about his first surfing trip to the Pacific...


Tuesday, March 29, 2005

Free webcast on computer crime Posted by Mikko @ 14:41 GMT

Last week I did a one-hour webcast on Microsoft's Technet webcast system. The presentation was titled "Phishers, Spammers and Scammers: Criminals of the Internet".

This live webcast was archived and is now available on in here or here.

You need to register, but after that the webcast can be viewed as a WMV video or as still slide images with a downloadable audio for each slide. The whole show takes about one hour.

Nice rating, too.


Saturday, March 26, 2005

Talking about money... Posted by Mikko @ 18:51 GMT

DVforge snippetWhile on the subject of money, here's a company from Tennessee, USA offering $25,000 for the first native, in-the-wild virus for Apple Macintosh OS X.

Which of course is stupid, irresponsible and possibly illegal. They also miss the point by mentioning that "international law forbids the transmission of computer viruses that damage infected computers".

Update on 27th of March

Couple of hours after our posting above, the DVForge Virus Prize site was changed and the competition has now been canceled.

In their new statement they say that they were contacted by a large number of Mac users who convinced them this was a bad idea.

We're happy to see this company came to their senses before anything bad happened.

Here's a screenshot of the original site.


Money Posted by Mikko @ 07:35 GMT

A scary thought just occured to me.
As we know, there are millionaire spammers out there, ie. people who've made a fortunate by sending out spam.

We also know that some virus writers co-operate with spammers, either by setting up zombie networks of proxy machines to actually send the spam, or creating zombie web farms to host the sites or collecting email addresses for spam purposes via worms. Obviously they get paid for their efforts.

We assume there are virus writers out there that do this for a living. But how good money are they making? We don't know...but for a succesful virus writer who has good deals with good spammers it could be substantial.

So, I wonder: are there millionaire virus writers out there?


Thursday, March 24, 2005

It's official: Linux sucks? Posted by Mikko @ 09:29 GMT

As we discussed briefly last month, three security researchers have done a controversial study that proves once and for all that Windows is way safer than Linux (or something along these lines).

The study was presented last month by Richard Ford, Herbert H. Thompson and Fabien Casteran, and the full report has now been published. It's available for download from Security Innovation.

RHEL = Red Hat Enterprise Linux

We'd expect that this report is not going to generate flames or heated discussion anywhere.


Tuesday, March 22, 2005

Three new Symbian trojans in one day Posted by Jarno @ 13:52 GMT

drever_c_message (50k image)

Today we added descriptions for three new Symbian trojans found late monday. Drever.B, Drever.C and Skulls.F.

The Drever.B is a simplified version of Drever.A that attacks only Simworks Anti-Virus, it is likely that Drever.B is actually earlier case than Drever.A, but was found only later.

The Skulls.F is still under analysis, it is detected with generic detection from December 15th 2004, so it's a minor case.

The Drever.C is interesting case as in addition of attacking Kaspersky and Simworks Symbian Anti-Viruses, it also attacks F-Secure Mobile Anti-Virus.

Drever.C tries to damage the bootloader and application binaries of F-Secure Mobile Anti-Virus. However, the F-Secure Mobile Anti-Virus has protection against any attempts to modify it's files so the attack will not succeed.

If Drever.C SIS file is installed into Symbian device with F-Secure Mobile Anti-Virus running in Real-Time scan mode, as it is by default. The installation will terminate when the system installer tries to replace Anti-Virus files.

The hexedited files that Drever.C tries to use to damage F-Secure Mobile Anti-Virus, contain message intended to us.

Please, don't make new antiviruses for my viruses and I stop make
viruses for your antiviruses. My target is Simworks!

Thanks for the warning, but I don't think we are stopping any time soon.


Monday, March 21, 2005

Spyware authors challenge BlackLight Posted by Mika @ 14:33 GMT

A spyware manufacturer released a version of their trojan that they market as "Hidden from by F-Secure BlackLight Rootkit Elimination Technology!". They use a known trick that may fool programs that scan for rootkits. This trick depends on identifying BlackLight process and not hiding from it at all.

But the good news is that there is an easy workaround. Just rename the fsbl.exe file to something that doesn�t contain fsbl on its path. This is as a matter of fact a good thing to do with any rootkit scanner. So we suggest those who try out F-Secure BlackLight beta to rename the binary into something random before running it.

zsbl_found (25k image)

Above: BlackLight beta (renamed to zsbl.exe) detecting the trojan in question


Friday, March 18, 2005

Two new Symbian trojans in one day. Posted by Jarno @ 14:30 GMT


Today two new Symbian-based trojans were discovered. They are both now detected with F-Secure Mobile Anti-Virus.

Drever.A is a SIS file trojan that tries to disable two mobile antivirus products: Simworks Anti-Virus and Kaspersky Anti-Virus.

Locknut.B is a new variant of the Locknut trojan family, which disables phone so that it can be disinfected only with a special disinfection tool. However as F-Secure Mobile Anti-Virus detects it with generic detection, it is not a threat to our users.

Also we had an idea of trying Series 60 malware on other Symbian devices, and the results were rather surprising. Neither Cabir nor Commwarrior work on Series 80 (such as Nokia Communicator) or Series 90 (such as Nokia 7710) - but Skulls and Locknut do work!

We tried the Skulls.A trojan on a Series 80 device, and it does cause problems there. Main menu is not disabled, but the trojan does replace icons with pictures of a skull, and the application manager is disabled so disinfection is tricky (as you can't install any applications to do it).

Also we tried Locknut.A on a Series 90 device, and the device was severly impaired by it. After installing Locknut.A, the phone would no longer boot up.

However, Series 60 malware is not a significant threat on other Symbian series devices, as installing them takes even more steps, and the user gets an extra warning that the application will cause errors in the device.

But then again, people are curious. The threat exists while it is small.

Here's a picture of a Nokia 9500 Communicator (Symbian Series 80) after being hit by Skulls:

Nokia 9500 with Skulls


Thursday, March 17, 2005

Samsung announces anti-bacterial phone Posted by Jarno @ 12:04 GMT

While F-Secure ships Anti-Virus for mobile phones, the Samsung has taken a leap into a whole different field.

The Inquirer reports about a new Samsung phone that is coated is Anti-Bacterial paint. The Samsung SCH-869 is coated with colloidal silver that makes it rather difficult for bacteria to survive on it's surface. The coating is basically the same stuff that is used as Anti-Bacterial coating in modern refrigerators.

SKK has a nice explanation on how this works.

However this coating will not provide protection against software viruses, but then again our Anti-Virus will not kill biological viruses either.


Computerized bank robbery foiled Posted by Mikko @ 10:58 GMT

Today's Financial Times reports about a group of computer hackers who tried to pull off one of the biggest bank robberies ever.

An international group of online thieves were apparently using various kinds of malware to gain access to the systems of the Sumitomo bank.

Financial Times, Thursday March 17 2005, as photographed in the lobby of the Jury's Doyle hotel on Russel Street, London

The thieves intended to transfer money to ten bank accounts around the world.

The plot, reported to be worth 220 million pounds (317 million Euros), was foiled by British National Hi-Tech Crime Unit.


Wednesday, March 16, 2005

US Lab opening Posted by Ero @ 21:43 GMT

USLab (36k image)

In the beginning of February, F-Secure's San Jose office held the official opening event of the first F-Secure AV Research Lab outside the Finnish headquarters. During such event, the lab was introduced to the press and several presentations were given, detailing the work of the AV research team.

Some media did cover the event.

By the end of the same month, the company's Brazilian launch event took place in Sao Paulo, with our partner there. A presentation covering similar material as in the San Jose opening was given. The powerpoint is now available for download here (16115k file).


Tuesday, March 15, 2005

Return of the Bluesniper Posted by Mikko @ 07:43 GMT

The folks at Flexilis have come up with a new and improved version of the Bluesniper Bluetooth Rifle.

Tom's Hardware has an interesting article on how Flexilis guys built and tested a version of the rifle that succesfully made bluetooth connections to phones over 1.6km away.

John Hering in action in Los Angeles
John Hering in action in Los Angeles

On a related note, we made some interesting observations ourselves during the CeBIT fair. While enjoying a well-deserved beer at M�nchner Halle, we did some scanning for discoverable bluetooth devices. Without ever leaving our table, we were able to see 94 phones that had bluetooth enabled and were in discoverable mode. This is pretty unbelievable!

Scanning for open phones, 81 found so far


Monday, March 14, 2005

Java Applet trojan that infects Internet Explorer even when run in Firefox. Posted by Jarno @ 12:27 GMT

Well heres a proof that Java is portable programming environment :)

Christopher Boyd from has found a Java trojan that is capable of downloading and infecting Internet Explorer with Spyware/Adware, even is you are running another browser that supports Java such as Firefox.

We detect this as Java.OpenStream.T

What is happening here is that, the trojan is in signed Java archive, that is signed with valid certificate. Which causes the Java runtime to ask from user whether this applet should be executed or not. And if user answers yes, the Java applet is given all the access that any other binary running under the user account would have.
Java warning
This allows the trojan do the same kind of nasty tricks as any other Java downloader trojan does, but without using any kind of exploits.

Also what makes the case interesting is that this trojan is probably not intended to work with Firefox or any other alternative browser. The trojan works just because the trojan author did not use any Microsoft specific code. Thus making the trojan portable to other platforms.

And yes, the trojan will most likely also work under Linux, but it won't do really anything there as it tries to download and execute Win32 EXE trojan.

So if a website asks you whether you want to run Java applet, and you are not intending to run some Java application you trust, just answer no.


Friday, March 11, 2005

Status report from CeBIT Posted by Mikko @ 20:47 GMT

So far, CeBIT has been going really well. There's been tons of interest on our BlackLight premiere.

We had one system administrator contact us about BlackLight yesterday. He had tried out the beta version, only to find out it was massively false alarming on several files in the SYSTEM folder of one of his servers. So we asked for samples to fix the problem. When he sent them to us, it turned out it wasn't a false alarm at all - he actually had a new, unknown rootkit on the system!

Here's a collection of random photos snapped during CeBIT.

The CeBIT fairgrounds. Yes, that house is weird.

Coolest booth this year. Operator O2 had amazing moving roof.

It was cold.

Need a hard drive? Get one cheap.

M�nchener Halle. Also known as hell on earth.


A self-made hands-free kit for Siemens. And that's Eugene Kaspersky driving a Segway.

Crowds rioting and doing the wave on our booth.

There was some kind of world games championship in one of the halls.

Some real-life versions of cars from Need for Speed Underground 2

G-Data was distributing a freeware uninstallation tool.


Thursday, March 10, 2005

Greetings from CeBIT 2005! Posted by Mikko @ 11:59 GMT

Greetings from CeBIT 2005 in Hannover, Germany. CeBIT is by far the largest technology fair in the world.
Some statistics on CeBIT 2005:
- 6270 exhibitors from 70 countries
- 27 hangar-sized halls filled with booths
- Over 300,000 square meters of exhibition space
- Over half-a-million visitors are expected over the next 8 days

Just to jog around the exhibition area takes over an hour.

If you're in Hannover, do drop by to our booth at Hall 7, Booth D14! We're showing off cool demos and announcing new stuff.

Our 2005 booth

One of the most interesting things we're showing on our booth is F-Secure BlackLight.

F-Secure BlackLight Rootkit Elimination Technology is a new functionality we're now announcing as a technology demonstration. We will integrate this functionality into our antivirus products later this year.


Back in the days when men were men and wrote their own device drivers, there was such a thing as stealth viruses. Then came Windows 95 and stealth viruses turned extinct. Well, stealth viruses are now back in the form of Windows rootkits.

What is a rootkit? Traditionally, rootkits have been defined as software packages that modify the operating environment in a way that makes it possible for an intruder to maintain undetected and privileged access to the compromised system. Today, anything that tries to hide its presence is often refered as a rootkit. The following sites have some thoughts on the subject:

Robert Hensing's Incident Response WebLog

Sysinternals Freeware - RootkitRevealer

If you think rootkits are just niche tools for elite black hats, do check out some recent real-world viruses using rootkit techniques, like Maslan and Myfip.H.

In addition to these worms, a large number of trojans and keyloggers have file and process hiding functionality.

So we've today made public a beta tool for detecting and removing rootkits and malware with rootkit functionality. You can download it right now.

More info on rootkits here.

Signing off from Hannover,


Wednesday, March 9, 2005

Man fined for publishing a vulnerability Posted by Mikko @ 07:10 GMT

Mr. Guillaume Tena was fined in French court yesterday a suspended fine of 5.000 Euros for publishing a vulnerability and a proof-of-concept exploit for antivirus software made by Tegam International. Apparently the judgment had something to do with the fact Mr. Tena was working with an illegal copy of the software.

We mentioned this case in our weblog some time ago and now the criminal case has been closed. A suspended fine means Mr. Tena has to pay 5000€ if he continues to publish more information on the topic.

Tegam international is proceeding with a civil case worth 900.000€ against Mr. Tena.

More info from K-OTik and Le Monde Informatique (in French, of course).


Tuesday, March 8, 2005

More detailed description of Commwarrior worms Posted by Jarno @ 15:42 GMT

Screenshot of a MMS messagent sent by Commwarrior

We have updated the description of Commwarrior.

Also we have confirmation that the spreading over MMS messages works. However there seems to be a significant delay between the MMS messages. As a result, Comwarrior will not spread rapidly like e-mail worms do.

Also note that installing application from MMS message takes even more steps than with bluetooth message, and that receiver has to have compatible Symbian series 60 phone for the worm to function. As a result Comwarrior MMS spreading is not as dangerous as it could have been.

In addition, many operators do not have MMS service enabled for all customers by default, so quite large number of the phones that could be infected cannot send MMS messages.

So Comwarrior will not cause a massive MMS outbreak, and this is not the end of the world as we know it.


Monday, March 7, 2005

Detection for Commwarrior variants published. Posted by Jarno @ 17:58 GMT

Detection for both variants of Commwarrior MMS worm are now published for F-Secure Mobile Anti-Virus, the detection has been added into the database build 28

Instant Messaging worms getting popular Posted by Alexey @ 16:51 GMT

Recently we have noticed an increase in IM (Instant Messaging) worm numbers. We are regularly adding detection for new Bropia worm variants. The last one, Bropia.K, appeared yesterday, on Sunday. Today there appeared 2 more MSN worms: a variant of Kelvir and a new worm called Sumom.

The interesting fact is, that the Sumom worm contains message addressed to the author of the Assiral worm. The message is quite rude and blasts the Assiral's author for trying to eliminate Bropia worm infection by creating a new worm.

I really hope we are not going to see another War of the Worms like the Bagle-Netsky-Mydoom war last year...


First MMS mobile phone virus? Posted by Mikko @ 16:07 GMT

Screenshot from the distribution site of CommWarrior
We've found a mobile phone virus that appears to be the first one that replicates via MMS messages.

MMS stands for Multimedia Messaging Service. These are text messages that include an image, audio or video. MMS messages are sent from one phone to another or to email.

Phone viruses so far have been spreading over Bluetooth - so they only affected phones that were nearby. A MMS virus can potentially go global in minutes, just like email worms do.

We're currently analysing CommWarrior, which runs on Symbian Series 60 platform. It attempts to spread over both MMS and Bluetooth. The virus seems to be from Russian, as it contains text that says "OTMOP03KAM HET!". Which roughly translates to "No to braindeads".



Sunday, March 6, 2005

New Bropia detected. Posted by Jarno @ 10:24 GMT

This morning we received couple samples of new Bropia Messenger worm.

The new variant is named Bropia.K, and is detected with Anti-Virus update 2005-03-06_01 that
we just published.

This Bropia variant does not seem to be too widespread yet, and as detection is already out, theres
hope that it will remain minor case.


Friday, March 4, 2005

More Bagle Posted by Ero @ 19:20 GMT

A new variant is out. We detect it with the database version 2005-03-04_03 as Email-Worm.Win32.Bagle.pac

This variant drops a downloader which will use a list identical to that of the previous variant. So far none of those sites is offering anything to be downloaded


New Symbian trojan and Cabir sighted in France Posted by Jarno @ 12:33 GMT

We have received a sample of new Symbian trojan, that is different enough to get a new name.
Dampig.A is a SIS file trojan that disables some built in applications and third party file managers, and installs several Cabir variants to phone, which will not start automatically however.

About the only interesting thing about this new trojan is, that is corrupts the system uninstallation information, and cannot be removed without disinfecting the phone with Anti-Virus.

On the other news, we received a report of Cabir infection in France. A journalist informed that his boss got Cabir infection in 3GSM conference in France.

So now we have 17 countries with Cabir sightings:

 1. Philippines
 2. Singapore
 3. UAE
 4. China
 5. India
 6. Finland
 7. Vietnam
 8. Turkey
 9. Russia
10. UK
11. Italy
12. USA
13. South Africa
14. Australia
15. Hongkong
16. Japan
17. France


Thursday, March 3, 2005

Cabir now in Hongkong and Japan Posted by Jarno @ 12:30 GMT

Bluetooth warning display

It seems that as long as people are not using Anti-Virus and are curious, the Cabir phone worm just keeps spreading.

Now we have received confirmed report from our Japan office of Cabir in Hongkong and Japan; a Japanese visitor in Hong Kong picked up the infection to his phone in late February and returned to Tokyo with the infected handset. He noticed that something is wrong because his battery life had reduced to 30 minutes per recharge. However, it is likely that the infection has spread to at least some handsets before this.

If your phone receives any SIS file from someone that you were not expecting, please do not install it. Instead, send the file to We are rather interested about just what variants are on the move.

And for those who are curious, please use F-Secure Mobile Anti-Virus which detects Cabir and all other known Symbian Viruses, worms and trojans.

So now we have 16 countries with Cabir sightings:

 1. Philippines
 2. Singapore
 3. UAE
 4. China
 5. India
 6. Finland
 7. Vietnam
 8. Turkey
 9. Russia
10. UK
11. Italy
12. USA
13. South Africa
14. Australia
15. Hongkong
16. Japan

Update on 7th of March: We removed the phone type from this entry as we can't confirm the exact model that was affected in this case --Mikko


Tuesday, March 1, 2005

New reverse engineering tools Posted by Ero @ 23:24 GMT

The iDefense guys have recently started to release free tools for the Reverse Engineering community.

Today they released Pedram Amini's IDASync, which allows multiuser synchronized use of IDA (one of the main tools for any reverse engineer).


Clearing up the Bagle mess Posted by Mikko @ 14:31 GMT

Lets try to clear up the messy situation with today's Bagle-related malware.

We were baffled in the morning about the invasion of the Bagle-related downloaders that wouldn't replicate. There were several different versions of these downloaders, all of which were polling a long list of websites for a mystery program to download and run (we're still monitoring these sites constantly to see what will happen).

Then we figured what was going on: there are at least two new variants of the Bagle worm going around too. One feature of these new variants is to use infected computers to seed out emails with the downloader program as an attachment. So in addition of sending out emails with the virus, they send out emails with a downloader which won't spread further. Lots of them.

So far, we've seen 4 different downloaders and 2 different Bagles...most likely there's two more Bagles out there that we haven't found yet. We're detecting most of the Bagles of this type generically as Bagle.pac.

There's something else too. These new Bagle variants are using a client / server architecture to spread further. What? A Client / Server virus? Yup.

Normally Bagle variants search the local hard drive to find email addresses to send itself to. These new variants connect to a web back-end. The back-end server will then return 50 unique email addresses that it generates using directory harvest techniques. The virus will then send a copy of itself to these addresses and loop over.

A typical list of addresses returned by the server looks like this:


This back-end server is being hosted on a hacked page at We've sent them an abuse message about this and hopefully the service will shut down soon.

Update at 16:18 GMT: We just got confirmation from Hosting 4 Less that the site has been taken offline. Great!


Bagle / Mitglieder case Posted by Mikko @ 04:05 GMT

We're getting several reports of a new thingy, typically seen as an email attachment named doc_01.exe. We first thought it's a new Bagle variant...but apparently this thing doesn't send itself further via email so it's not a virus.
When run, it drops files like winshost.exe and wiwshost.exe and tries to download an executable named "zo2.jpg" from dozens of different download sites. As usual, most of these download sites don't contain such a file now, but at a later date they will contain different spam proxies or backdoors.

We detect this one right now as, but it will be later categorized as something else.

This thing also modifies various registry keys related to Windows BITS technology. This is the "Background Intelligent Transfer Services" used by Windows Update. We'll dig in to figure out what is it attempting to do.