There has been numerous posts on this weblog of spammers and virus writers making money out of their criminal activities. Now rootkit authors are joining in. The author of a common rootkit called Hacker Defender has been selling undetection service for his products for some time now. Previously he only sold undetection against anti-virus products, but now his new "Golden Hacker Defender" is marketed as being able to hide from a number of rootkit detection tools, including our current F-Secure BlackLight beta. Hacker Defender is a user-mode rootkit/trojan that includes a built-in hidden backdoor. Apparently Golden Hacker Defender license costs 390 euros (about 500 US dollars).
We recommend you spend your money on something else. As rootkits keep adopting new techniques, BlackLight will follow suit. This is where you can help by sending us samples whenever BlackLight finds something suspicious on your computer!
Ero Carrera, a Spaniard, works with Tzvetan "Ceco'' Chaliavski, a Bulgarian, for F-Secure in San Jose. They trade shifts with the company's main lab in Helsinki, Finland, to make a SWAT-like team that stretches across the globe 24/7 to keep the world's network of computers and cell phones safe from attack....
Carrera and Chaliavski love the thrill of the chase, yet leave their desks for little more than coffee or bathroom breaks. They stare all day at computer screens filled with a sea of jumbled numbers and symbols -- the electronic guts of computer worms and viruses...
and here's our favourite quote:
With blond highlights streaking through his dark hair, Carrera looks more hipster than nerd. But he's just as excited describing decryption as he is about his first surfing trip to the Pacific...
While on the subject of money, here's a company from Tennessee, USA offering $25,000 for the first native, in-the-wild virus for Apple Macintosh OS X.
Which of course is stupid, irresponsible and possibly illegal. They also miss the point by mentioning that "international law forbids the transmission of computer viruses that damage infected computers".
Update on 27th of March
Couple of hours after our posting above, the DVForge Virus Prize site was changed and the competition has now been canceled.
In their new statement they say that they were contacted by a large number of Mac users who convinced them this was a bad idea.
We're happy to see this company came to their senses before anything bad happened.
As we know, there are millionaire spammers out there, ie. people who've made a fortunate by sending out spam.
We also know that some virus writers co-operate with spammers, either by setting up zombie networks of proxy machines to actually send the spam, or creating zombie web farms to host the sites or collecting email addresses for spam purposes via worms. Obviously they get paid for their efforts.
We assume there are virus writers out there that do this for a living. But how good money are they making? We don't know...but for a succesful virus writer who has good deals with good spammers it could be substantial.
So, I wonder: are there millionaire virus writers out there?
The Drever.B is a simplified version of Drever.A that attacks only Simworks Anti-Virus, it is likely that Drever.B is actually earlier case than Drever.A, but was found only later.
The Skulls.F is still under analysis, it is detected with generic detection from December 15th 2004, so it's a minor case.
The Drever.C is interesting case as in addition of attacking Kaspersky and Simworks Symbian Anti-Viruses, it also attacks F-Secure Mobile Anti-Virus.
Drever.C tries to damage the bootloader and application binaries of F-Secure Mobile Anti-Virus. However, the F-Secure Mobile Anti-Virus has protection against any attempts to modify it's files so the attack will not succeed.
If Drever.C SIS file is installed into Symbian device with F-Secure Mobile Anti-Virus running in Real-Time scan mode, as it is by default. The installation will terminate when the system installer tries to replace Anti-Virus files.
The hexedited files that Drever.C tries to use to damage F-Secure Mobile Anti-Virus, contain message intended to us.
FSECURE MUST DIE!!!!!! Please, don't make new antiviruses for my viruses and I stop make viruses for your antiviruses. My target is Simworks! =)
Thanks for the warning, but I don't think we are stopping any time soon.
A spyware manufacturer released a version of their trojan that they market as "Hidden from by F-Secure BlackLight Rootkit Elimination Technology!". They use a known trick that may fool programs that scan for rootkits. This trick depends on identifying BlackLight process and not hiding from it at all.
But the good news is that there is an easy workaround. Just rename the fsbl.exe file to something that doesn�t contain fsbl on its path. This is as a matter of fact a good thing to do with any rootkit scanner. So we suggest those who try out F-Secure BlackLight beta to rename the binary into something random before running it.
Above: BlackLight beta (renamed to zsbl.exe) detecting the trojan in question
Today two new Symbian-based trojans were discovered. They are both now detected with F-Secure Mobile Anti-Virus.
Drever.A is a SIS file trojan that tries to disable two mobile antivirus products: Simworks Anti-Virus and Kaspersky Anti-Virus.
Locknut.B is a new variant of the Locknut trojan family, which disables phone so that it can be disinfected only with a special disinfection tool. However as F-Secure Mobile Anti-Virus detects it with generic detection, it is not a threat to our users.
Also we had an idea of trying Series 60 malware on other Symbian devices, and the results were rather surprising. Neither Cabir nor Commwarrior work on Series 80 (such as Nokia Communicator) or Series 90 (such as Nokia 7710) - but Skulls and Locknut do work!
We tried the Skulls.A trojan on a Series 80 device, and it does cause problems there. Main menu is not disabled, but the trojan does replace icons with pictures of a skull, and the application manager is disabled so disinfection is tricky (as you can't install any applications to do it).
Also we tried Locknut.A on a Series 90 device, and the device was severly impaired by it. After installing Locknut.A, the phone would no longer boot up.
However, Series 60 malware is not a significant threat on other Symbian series devices, as installing them takes even more steps, and the user gets an extra warning that the application will cause errors in the device.
But then again, people are curious. The threat exists while it is small.
Here's a picture of a Nokia 9500 Communicator (Symbian Series 80) after being hit by Skulls:
While F-Secure ships Anti-Virus for mobile phones, the Samsung has taken a leap into a whole different field.
The Inquirer reports about a new Samsung phone that is coated is Anti-Bacterial paint. The Samsung SCH-869 is coated with colloidal silver that makes it rather difficult for bacteria to survive on it's surface. The coating is basically the same stuff that is used as Anti-Bacterial coating in modern refrigerators.
In the beginning of February, F-Secure's San Jose office held the official opening event of the first F-Secure AV Research Lab outside the Finnish headquarters. During such event, the lab was introduced to the press and several presentations were given, detailing the work of the AV research team.
By the end of the same month, the company's Brazilian launch event took place in Sao Paulo, with our partner there. A presentation covering similar material as in the San Jose opening was given. The powerpoint is now available for download here (16115k file).
The folks at Flexilis have come up with a new and improved version of the Bluesniper Bluetooth Rifle.
Tom's Hardware has an interesting article on how Flexilis guys built and tested a version of the rifle that succesfully made bluetooth connections to phones over 1.6km away.
John Hering in action in Los Angeles
On a related note, we made some interesting observations ourselves during the CeBIT fair. While enjoying a well-deserved beer at M�nchner Halle, we did some scanning for discoverable bluetooth devices. Without ever leaving our table, we were able to see 94 phones that had bluetooth enabled and were in discoverable mode. This is pretty unbelievable!
Well heres a proof that Java is portable programming environment :)
Christopher Boyd from Vitalsecurity.org has found a Java trojan that is capable of downloading and infecting Internet Explorer with Spyware/Adware, even is you are running another browser that supports Java such as Firefox.
What is happening here is that, the trojan is in signed Java archive, that is signed with valid certificate. Which causes the Java runtime to ask from user whether this applet should be executed or not. And if user answers yes, the Java applet is given all the access that any other binary running under the user account would have.
This allows the trojan do the same kind of nasty tricks as any other Java downloader trojan does, but without using any kind of exploits.
Also what makes the case interesting is that this trojan is probably not intended to work with Firefox or any other alternative browser. The trojan works just because the trojan author did not use any Microsoft specific code. Thus making the trojan portable to other platforms.
And yes, the trojan will most likely also work under Linux, but it won't do really anything there as it tries to download and execute Win32 EXE trojan.
So if a website asks you whether you want to run Java applet, and you are not intending to run some Java application you trust, just answer no.
So far, CeBIT has been going really well. There's been tons of interest on our BlackLight premiere.
We had one system administrator contact us about BlackLight yesterday. He had tried out the beta version, only to find out it was massively false alarming on several files in the SYSTEM folder of one of his servers. So we asked for samples to fix the problem. When he sent them to us, it turned out it wasn't a false alarm at all - he actually had a new, unknown rootkit on the system!
Here's a collection of random photos snapped during CeBIT.
Greetings from CeBIT 2005 in Hannover, Germany. CeBIT is by far the largest technology fair in the world.
Some statistics on CeBIT 2005: - 6270 exhibitors from 70 countries - 27 hangar-sized halls filled with booths - Over 300,000 square meters of exhibition space - Over half-a-million visitors are expected over the next 8 days
Just to jog around the exhibition area takes over an hour.
If you're in Hannover, do drop by to our booth at Hall 7, Booth D14! We're showing off cool demos and announcing new stuff.
One of the most interesting things we're showing on our booth is F-Secure BlackLight.
F-Secure BlackLight Rootkit Elimination Technology is a new functionality we're now announcing as a technology demonstration. We will integrate this functionality into our antivirus products later this year.
Back in the days when men were men and wrote their own device drivers, there was such a thing as stealth viruses. Then came Windows 95 and stealth viruses turned extinct. Well, stealth viruses are now back in the form of Windows rootkits.
What is a rootkit? Traditionally, rootkits have been defined as software packages that modify the operating environment in a way that makes it possible for an intruder to maintain undetected and privileged access to the compromised system. Today, anything that tries to hide its presence is often refered as a rootkit. The following sites have some thoughts on the subject:
Mr. Guillaume Tena was fined in French court yesterday a suspended fine of 5.000 Euros for publishing a vulnerability and a proof-of-concept exploit for antivirus software made by Tegam International. Apparently the judgment had something to do with the fact Mr. Tena was working with an illegal copy of the software.
We mentioned this case in our weblog some time ago and now the criminal case has been closed. A suspended fine means Mr. Tena has to pay 5000€ if he continues to publish more information on the topic.
Tegam international is proceeding with a civil case worth 900.000€ against Mr. Tena.
Also we have confirmation that the spreading over MMS messages works. However there seems to be a significant delay between the MMS messages. As a result, Comwarrior will not spread rapidly like e-mail worms do.
Also note that installing application from MMS message takes even more steps than with bluetooth message, and that receiver has to have compatible Symbian series 60 phone for the worm to function. As a result Comwarrior MMS spreading is not as dangerous as it could have been.
In addition, many operators do not have MMS service enabled for all customers by default, so quite large number of the phones that could be infected cannot send MMS messages.
So Comwarrior will not cause a massive MMS outbreak, and this is not the end of the world as we know it.
Recently we have noticed an increase in IM (Instant Messaging) worm numbers. We are regularly adding detection for new Bropia worm variants. The last one, Bropia.K, appeared yesterday, on Sunday. Today there appeared 2 more MSN worms: a variant of Kelvir and a new worm called Sumom.
The interesting fact is, that the Sumom worm contains message addressed to the author of the Assiral worm. The message is quite rude and blasts the Assiral's author for trying to eliminate Bropia worm infection by creating a new worm.
I really hope we are not going to see another War of the Worms like the Bagle-Netsky-Mydoom war last year...
We've found a mobile phone virus that appears to be the first one that replicates via MMS messages.
MMS stands for Multimedia Messaging Service. These are text messages that include an image, audio or video. MMS messages are sent from one phone to another or to email.
Phone viruses so far have been spreading over Bluetooth - so they only affected phones that were nearby. A MMS virus can potentially go global in minutes, just like email worms do.
We're currently analysing CommWarrior, which runs on Symbian Series 60 platform. It attempts to spread over both MMS and Bluetooth. The virus seems to be from Russian, as it contains text that says "OTMOP03KAM HET!". Which roughly translates to "No to braindeads".
We have received a sample of new Symbian trojan, that is different enough to get a new name. Dampig.A is a SIS file trojan that disables some built in applications and third party file managers, and installs several Cabir variants to phone, which will not start automatically however.
About the only interesting thing about this new trojan is, that is corrupts the system uninstallation information, and cannot be removed without disinfecting the phone with Anti-Virus.
On the other news, we received a report of Cabir infection in France. A journalist informed that his boss got Cabir infection in 3GSM conference in France.
So now we have 17 countries with Cabir sightings:
1. Philippines 2. Singapore 3. UAE 4. China 5. India 6. Finland 7. Vietnam 8. Turkey 9. Russia 10. UK 11. Italy 12. USA 13. South Africa 14. Australia 15. Hongkong 16. Japan 17. France
It seems that as long as people are not using Anti-Virus and are curious, the Cabir phone worm just keeps spreading.
Now we have received confirmed report from our Japan office of Cabir in Hongkong and Japan; a Japanese visitor in Hong Kong picked up the infection to his phone in late February and returned to Tokyo with the infected handset. He noticed that something is wrong because his battery life had reduced to 30 minutes per recharge. However, it is likely that the infection has spread to at least some handsets before this.
If your phone receives any SIS file from someone that you were not expecting, please do not install it. Instead, send the file to firstname.lastname@example.org. We are rather interested about just what variants are on the move.
And for those who are curious, please use F-Secure Mobile Anti-Virus which detects Cabir and all other known Symbian Viruses, worms and trojans.
So now we have 16 countries with Cabir sightings:
1. Philippines 2. Singapore 3. UAE 4. China 5. India 6. Finland 7. Vietnam 8. Turkey 9. Russia 10. UK 11. Italy 12. USA 13. South Africa 14. Australia 15. Hongkong 16. Japan
Update on 7th of March: We removed the phone type from this entry as we can't confirm the exact model that was affected in this case --Mikko
Lets try to clear up the messy situation with today's Bagle-related malware.
We were baffled in the morning about the invasion of the Bagle-related downloaders that wouldn't replicate. There were several different versions of these downloaders, all of which were polling a long list of websites for a mystery program to download and run (we're still monitoring these sites constantly to see what will happen).
Then we figured what was going on: there are at least two new variants of the Bagle worm going around too. One feature of these new variants is to use infected computers to seed out emails with the downloader program as an attachment. So in addition of sending out emails with the virus, they send out emails with a downloader which won't spread further. Lots of them.
So far, we've seen 4 different downloaders and 2 different Bagles...most likely there's two more Bagles out there that we haven't found yet. We're detecting most of the Bagles of this type generically as Bagle.pac.
There's something else too. These new Bagle variants are using a client / server architecture to spread further. What? A Client / Server virus? Yup.
Normally Bagle variants search the local hard drive to find email addresses to send itself to. These new variants connect to a web back-end. The back-end server will then return 50 unique email addresses that it generates using directory harvest techniques. The virus will then send a copy of itself to these addresses and loop over.
A typical list of addresses returned by the server looks like this:
This back-end server is being hosted on a hacked page at oceancareers.com. We've sent them an abuse message about this and hopefully the service will shut down soon.
Update at 16:18 GMT: We just got confirmation from Hosting 4 Less that the site has been taken offline. Great!
We're getting several reports of a new thingy, typically seen as an email attachment named doc_01.exe. We first thought it's a new Bagle variant...but apparently this thing doesn't send itself further via email so it's not a virus.
When run, it drops files like winshost.exe and wiwshost.exe and tries to download an executable named "zo2.jpg" from dozens of different download sites. As usual, most of these download sites don't contain such a file now, but at a later date they will contain different spam proxies or backdoors.
We detect this one right now as Email-Worm.Win32.Bagle.bb, but it will be later categorized as something else.
This thing also modifies various registry keys related to Windows BITS technology. This is the "Background Intelligent Transfer Services" used by Windows Update. We'll dig in to figure out what is it attempting to do.