First things first: admins, block http access from your network to endoliteindia.com.
We saw a new Bagle run start tonight. As usual, it was started by posting a new, undetected downloader to one of the dozens of URLs the already-infected Bagle machines are constantly polling.
The difference this time is that every four minutes the link returns a different binary. Different size, different MD5. This is accomplished by repacking the same file with ASProtect again and again.
We are now detecting these as "W32/Bagle.GI". However, the contents keep changing.
To make a long story short: block access to this download site. It's at endoliteindia.com - a hacked web server in India. Abuse messages to the site and the upstream ISP have been sent.
Updated to add: At around 19:45 GMT, the download link died. Now it just returns 403 Forbidden, which is great. We never got replies to our abuse reports, but perhaps somebody took action. Or perhaps the Bagle gang did this themselves.
Being curious about phishing, we decided to look into the number of domains that mimic banks. Just how many are out there? Well, lots.
We did a simple search across com/net/org/us/biz/info top-level domains for common bank names.
Keyword          Number of domains
citibank*        497
bankofamerica*   407
lloyds*          994
bnpparibas*      41
egold*           691
hsbc*            1258
chase*           6470
paypal*          1634
ebay*            8057
When someone in, say, Nigeria wants to register a domain name that starts with the name of a well known bank, why are the registrars so willing to let them register it?
Some examples of existing, active registrations, using Citibank as an example:
Some of these are probably perfectly legitimate. Others probably are not...like citibank-account-updating.com, registered last Friday to Ms. Evelyn Musa in Arlington, VA?
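The keyword search described above, as an added example (not the lab's own tooling): prefix-match brand keywords across the six searched TLDs over a list of registered domains, tally per keyword as the table does, and pull out the brand-plus-extra-words registrations the post points at. The domain list is constructed for this example; only citibank-account-updating.com comes from the post.

```python
import re
from collections import Counter
# Keywords from the post's search; each is matched as a prefix, hence the "*" in the table
BANK_KEYWORDS = ("citibank", "bankofamerica", "lloyds", "bnpparibas",
                 "egold", "hsbc", "chase", "paypal", "ebay")
# The six TLDs the post says were searched
TLDS = ("com", "net", "org", "us", "biz", "info")
# Constructed sample of registrations (invented for this example, not real data)
SAMPLE_DOMAINS = [
    "citibank-account-updating.com",   # the pattern the post calls out
    "citibankonline-verify.net",
    "chasebank-secure-login.info",
    "chaseplumbing.biz",               # plausibly legitimate use of a common word
    "hsbc.co.uk",                      # ccTLD, outside the searched TLDs
    "paypal.com",                      # the brand's own exact domain
    "paypa1-security.com",             # homoglyph: a prefix search misses it
    "bankofamerica-alerts.us",
    "lloydstsb-update.org",
    "hsbcbank-confirm.com",
]
_DOMAIN_RE = re.compile(r"^([a-z0-9-]+)\.([a-z]+)$")

def match_brand_prefix(domain, keywords=BANK_KEYWORDS, tlds=TLDS):
    """Return the keyword the second-level label starts with, or None."""
    m = _DOMAIN_RE.match(domain.strip().lower())
    if not m:
        return None
    label, tld = m.groups()
    if tld not in tlds:
        return None
    for kw in keywords:
        if label.startswith(kw):
            return kw
    return None

def count_by_keyword(domains, keywords=BANK_KEYWORDS, tlds=TLDS):
    """Tally matching domains per keyword, the way the post's table does."""
    counts = Counter()
    for d in domains:
        kw = match_brand_prefix(d, keywords, tlds)
        if kw:
            counts[kw] += 1
    return dict(counts)

def suspicious_registrations(domains, keywords=BANK_KEYWORDS, tlds=TLDS):
    """Brand-prefixed domains with extra words after the brand (as in
    citibank-account-updating.com); the bare brand.tld is left out."""
    flagged = []
    for d in domains:
        kw = match_brand_prefix(d, keywords, tlds)
        if kw and d.strip().lower().split(".")[0] != kw:
            flagged.append(d.strip().lower())
    return flagged
```

The sample shows both limits of a prefix search: "chaseplumbing.biz" is counted although it is probably legitimate, and "paypa1-security.com" is missed because the brand name is altered.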
Today we heard of a rather interesting new Symbian malware application named Flexispy.A. It's a Symbian trojan spy that records information about the victim's phone calls and SMS messages, then sends them to a remote server.
What makes this interesting is that Flexispy.A is a trojan spy written by a company for commercial reasons. The company claims that it's a useful tool for catching a cheating spouse. By installing the application on the phone, they can monitor whom the victim is calling and what SMS messages he or she is sending. The company even claims that Flexispy is not a trojan.
However, this application installs itself without any kind of indication as to what it is. And when it is installed on the phone it completely hides itself from the user. So the application could easily be used by malware installing it as part of its payload, or a hacker could simply send it to a victim over Bluetooth and trust that there are enough curious people to install it.
Not to mention the fact that spying on people's private communication is illegal in most countries around the world. And the fact that all of the information is stored on the FlexiSpy servers puts the company in a rather interesting light.
So yes, FlexiSpy is indeed a trojan and we have added the detection to our F-Secure Mobile Anti-Virus so that any user who has a phone that has been infected with this trojan will get a warning that someone is spying on them.
There are some publicly available 3rd party patches for the createTextRange() bug. However, we recommend waiting for the official fix from Microsoft. Before the patch is available, one workaround is to disable Active scripting in Internet Explorer.
Detailed instructions on how to do this can be read from the Microsoft advisory under Suggested Actions / Workarounds. Here's a screenshot of the procedure:
When Active scripting is set to "Prompt", the prompting might look like this:
We've received some reports about the recent unpatched Internet Explorer vulnerability being exploited in the wild. The exploits are based on publicly available proof-of-concept code that exploits the processing of the createTextRange() function.
At the moment, there's no patch for the vulnerabilities. Please read the following links for more detailed information about the vulnerability and possible workarounds:
Rootkit development has had such a lull in recent months that we were beginning to wonder if the technique had suddenly become passé. The last few days may have changed our opinion. With the discovery of three new cases we are now very curious to see what the future will bring.
One of the new cases, Gurong.A, is based on Mydoom code. See our earlier post for more technical details. The other two cases are variants of Bagle. Both Mydoom and Bagle are what we could call 'heavy hitters' in the field.
Gurong.A might be based on leaked source code, and may be only a cut-and-paste job by a new author. There is no way to really tell. But the Bagle variants have piqued our interest and concern. Bagle's authors are currently active and running botnets. They maintain a complex network, and it's a suite of programs that work together.
To illustrate just how complex the Bagle operation is nowadays, have a look at this graph illustrating the relationships between different Bagle modules:
Two years ago Bagle was a simple virus. One EXE file, emailing itself around. It's not like that anymore. The malware suite has been built over time. Now the latest development is that one of the new Bagle variants integrates rootkit functionality. Bagle.GE includes code that uses rootkit features to hide the processes and registry keys of Bagle.GF. We can see here an active example of the parts creating a greater whole.
There appear to be bugs in these new Bagles, so it's an early version. But if the Bagle authors have seriously decided to turn their attention to upgrading their malware suite with rootkits, then this first step appears to be a dangerous one, and one worth keeping an eye on.
Yesterday we received an interesting email-worm sample, detected as Gurong.a, that uses rootkit techniques to hide its file, process and launch point in the registry. It is based on the infamous Mydoom code and it is in the wild but currently spreading very slowly.
Gurong.a modifies the operating system kernel, specifically the system service table and process object structures, so it is a kernel-mode rootkit. What makes it different from other kernel-mode rootkits we have seen is the way it installs the rootkit payload into the kernel. Often malware uses a special-purpose driver or the physical memory device to modify the kernel from user mode.
Gurong.a uses the physical memory device as its initial injection vector to install a call gate in the Global Descriptor Table (GDT), which resides in the system address space. Call gates are something we do not see every day. Below is a definition from Wikipedia:
"Call gate is a mechanism in intel x86 architecture for changing privilege level of CPU when it executes a predefined function call."
For more detailed information about call gates you should have a look at the IA-32 Intel Architecture Software Developer's Manual, Volume 3A.
What this means is that through the call gate Gurong.a can execute parts of its code in privilege level 0 (kernel mode) without adding any additional code to the system address space. This code has full access to the system address space and privileged instructions. For example, the code that hides a process by modifying its object structure is actually part of the wmedia16.exe image (the file name used by the worm) and resides in the user address space.
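As an added example (not part of the original post or the worm analysis), here is the check a rootkit detector or memory-forensics script can run given what the post describes: decode each 8-byte GDT entry and report any present call gate, something a stock Windows GDT does not contain. The GDT bytes below are constructed for illustration, not dumped from a real system.

```python
import struct

# Type-field values for gate descriptors (Intel SDM Vol. 3A, system-segment
# and gate-descriptor types, S bit = 0)
GATE_TYPES = {0x4: "16-bit call gate", 0xC: "32-bit call gate"}

def decode_descriptor(raw):
    """Split one 8-byte IA-32 descriptor into its fields.
    Gate fields are filled in only when the entry is a call gate."""
    if len(raw) != 8:
        raise ValueError("an IA-32 descriptor is exactly 8 bytes")
    w0, w1, b4, b5, w3 = struct.unpack("<HHBBH", raw)
    d = {
        "present": bool(b5 & 0x80),   # P bit
        "dpl": (b5 >> 5) & 0x3,       # descriptor privilege level
        "system": not (b5 & 0x10),    # S bit clear: system descriptor or gate
        "type": b5 & 0x0F,
    }
    if d["system"] and d["type"] in GATE_TYPES:
        d.update({
            "kind": GATE_TYPES[d["type"]],
            "selector": w1,                # code segment the gate jumps into
            "offset": (w3 << 16) | w0,     # entry point within that segment
            "param_count": b4 & 0x1F,      # stack words copied on the call
        })
    return d

def find_call_gates(gdt_bytes):
    """Return (index, fields) for every present call gate in a GDT dump.
    A stock Windows GDT contains no call gates, so every hit is worth a look:
    a gate with DPL 3 that points at a ring-0 selector lets user-mode code run
    with kernel privileges, which is the mechanism the post describes."""
    hits = []
    for i in range(0, len(gdt_bytes) - 7, 8):
        d = decode_descriptor(gdt_bytes[i:i + 8])
        if d["present"] and "kind" in d:
            hits.append((i // 8, d))
    return hits

# Constructed four-entry GDT (not taken from a real system): null descriptor,
# flat ring-0 code segment, flat ring-3 code segment, then a suspicious
# ring-3-callable gate into selector 0x0008 at offset 0x00401000, an address
# in user space, like the worm image the post mentions.
SAMPLE_GDT = (
    bytes(8)                               # index 0: null descriptor
    + bytes.fromhex("FFFF0000009BCF00")    # index 1: ring-0 code, base 0, 4 GB
    + bytes.fromhex("FFFF000000FBCF00")    # index 2: ring-3 code, base 0, 4 GB
    + bytes.fromhex("0010080000EC4000")    # index 3: call gate, DPL 3, sel 0x08
)
```

The decoder covers the 8-byte IA-32 layout only; in 64-bit mode call gates are 16-byte descriptors.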
There are numerous forms of transportation available in the Helsinki area. We can easily travel via bus, tram, metro, train, or car. Many choose to bicycle or walk. The paths are kept clear of snow throughout the winter. This morning at least two of our lab members traveled to work on bicycle (8km & 15km).
And then sometimes one just feels like skiing the 15km to work. Spring weather is rapidly approaching so the route over the frozen Baltic will soon be gone… but it's fun while it lasts.
We've been developing a Bluetooth honeypot. An early prototype was given a test run at the CeBIT trade fair during the week. The embedded device announces itself as a Bluetooth phone in discoverable mode. It detects Bluetooth devices within a one hundred meter range and creates a list of the device names found. It also accepts all file transfers and scans them for known mobile viruses.
We were scanning from our Hall 7 booth for a week. At any given time we would see more than 100 Bluetooth devices wandering within our range. Grand total: 12500 unique devices that a) had Bluetooth, b) had it enabled, c) had it visible. Unbelievable.
We imagine this honeypot can be used for various purposes when it's finalized, including being used by companies at security checkpoints so virus infected devices don't cross the threshold.
While discussing CeBIT: here's a nice 3D rendered video showing how F-Secure Blacklight scans music CDs for possible rootkits. Funnily enough, the video's virtual Blacklight also removes the rootkit from the CD itself. It unfortunately can't do that in real life; we can only remove rootkits from the PC. CDs are of course read only… (Click the image for the video.)
Andrew Tanenbaum and his students just published a paper on the possibility of self-replicating RFID viruses (PDF). The paper is titled "Is Your Cat Infected with a Computer Virus?". MSNBC also has a story on this.
RFID tags, as you may know, are small radio chips that can be placed on inanimate objects, animals or even humans. Once in place, a specialized reader can read the tag from tens of meters away. The technology can be used to track luggage at airports or to automate store checkout systems, among many other things. It's already quite common to tag family pets for easy identification (hence the title of the paper).
The paper presents an attack where the tags carry a small amount of data (127 characters) that will infect the RFID reader. More precisely, they use an SQL injection attack against an Oracle database backend that interfaces with the reader. The reader will then continue to infect all new tags it sees. Luckily, this is currently only a proof-of-concept attack, even though it's a scary idea.
As a side note, did you know that RFID tags are also used to fight the H5N1 avian influenza? I bet the clever people who thought of that never saw this one coming.
SubVirt is a new proof-of-concept rootkit created by Microsoft Research and the University of Michigan. The idea is to install a rootkit that inserts itself at a lower level than the OS and then give the user a virtual machine environment that, if successful, looks just like their own. An inexperienced user then might never realize that they aren't really in control, and all of their software defenses might not realize it either.
Why is Microsoft building a better rootkit? We aren't too sure, but to paraphrase this eWeek article published on the 10th, Microsoft hopes to use the perspective of the attacker to better understand the needs of the defender. It sounds to us a bit like the scientists that were researching nuclear fission without really thinking about the final use for the bomb that they were helping to build.
In any case the concept isn't entirely new. In 1993, PMBS was discovered, a "stealth virus" as they were termed at the time. PMBS was a boot virus that traveled via infected floppy disks. Once it infected a machine, it copied itself into extended memory, switched the computer into protected mode and ran a virtual V86 machine. DOS and other applications were then run from that virtual PC.
Last week we created some promotional material for the CeBIT trade show and now we'd like to share some of the remainders with you, our blog readers. It's a collection of stickers for your laptop cover, or wherever else you prefer. We'd like to think that they're pretty cool. For example, "Tell me your password. It's ok."
The first 50 persons to send their mailing address to: nerds [at] f-secure [dot] com, will receive a free sheet of stickers in the post.
Update to add: You can stop sending the mails now, we have more than enough already. Thanks to everybody who emailed us.
We also got nice comments like "I find it funny that to get a sheet of stickers about scams, I have to send some random person my mailing address". Your stickers are in the mail, buddy.
Also, one of you (and you know who you are) sent his mail quite late but changed his computer's clock back by two hours before sending the mails. Nice try. We'll send you two sticker sheets for the effort.
It's that time of the year. The annual CeBIT fair will start tomorrow in Hannover, Germany. CeBIT is by far the largest technology fair in the world. We're in Hall 7 (stand D14).
This year there's something interesting going on during the fair: a football champion league is being played. Between antivirus companies. With table football.
We're ready for the challenge. We even have our playing shirts ready and waiting...
The actual tournament includes players from F-Secure, Kaspersky, Symantec, Trend Micro, ESET, Bitdefender, Grisoft and G Data. In fact, G Data is hosting the whole tournament in their booth - actually, they've even built their booth to look like a football stadium...
Yesterday we received a quite interesting sample, a hex-edited version of Commwarrior.B that has all of its texts translated to Spanish.
Modifying samples with a hex editor is nothing new; we have seen that a lot with the Cabir family, and most of the Cabir variants are modified versions of Cabir.B. In the industry lingo we call such malware authors "hexedit idiots".
The modified sample was already detected with F-Secure Mobile Anti-Virus using generic detection. We have named the sample SymbOS/Commwarrior.D and the exact detection was added into mobile database build 74.
Don't know what Microsoft InfoPath 2003 is for? Neither did we until we took a look at the product's demo page at Microsoft. The product allows for the creation of dynamic forms and data collection within an organization. The example used in the demo is expense reports.
What caused us to go look? Well, it is now a new platform for a proof-of-concept virus. The writer of Icabdi.A has determined a way to insert code into the .xsn files used by InfoPath. Icabdi.A doesn't really do any harm, it only displays quotes, but it is of interest as the first of its kind using this platform.
We're proud of our fast response times in stopping new viruses.
That's why we're especially happy with the excellent results in AV-Comparatives.org's latest test (On-demand comparative / February 2006).
We've also just released a new flash movie called "Virus Protection: Every minute counts". It's done for marketing purposes but it actually contains pretty nice graphics - and a computer rendered version of our lab. Check it out at www.f-secure.com/speed/demo. Enter the number of computers in your organization and it will tell you how much money you'd save by upgrading to F-Secure Anti-Virus...
It’s the 3rd of the month and so the Nyxem.E worm has another opportunity to activate and overwrite data files. Nyxem didn’t do that much damage last month and the statistics don’t look to be that bad this month either.
The only country in the world that seems to be affected in any serious manner this time around would be India.
If you look at Nyxem.E infections we've spotted in India yesterday via our Virus World Map, you'll see infection reports from places like Calcutta, Mangalore, Hyderabad, Bombay, Bangalore, Jaipur and New Delhi.
But in any case the activity is lower than last month. So hopefully fewer computers in India will actually be damaged this month than last.
The author of the Hacker Defender rootkit has announced that he will stop offering the so-called antidetection service, which promised to hide the rootkit from anti-virus products and even from rootkit detectors such as F-Secure BlackLight. The service, priced at several hundred euros, was on sale on the author's web site for more than a year. We mentioned the antidetection features in Hacker Defender in our previous blog entry.
It is a good thing that the "official" Hacker Defender anti-detection service is out of business. However, since Backdoor.Win32.Hacdef is an open-source rootkit, we will most likely continue seeing private builds of it also in the future.
We've been looking deeper into the RedBrowser trojan and have found that it uses just the standard MIDP 1.0 API and the optional CLDC 1.0 WMA package (Wireless Messaging API). Sun has a helpful list of J2ME phones and the version of the Java software installed on each.
So, among the older J2ME/Java-supported phones that we have tested, none have been vulnerable to RedBrowser. The Nokia 6310i, for example, does not have the optional WMA support, and even though the Siemens SX1 has all of the needed software components, RedBrowser still doesn't work on it.
Back in July of 2005 we blogged about our "view of the world". Here at our labs we have a system that allows us to view a visual representation of virus infections worldwide. We can plot viruses in real-time or see an elapsed history.
After blogging about this system, we got requests from our users to make a version that would be available for everyone online. Well, that's just what we've done with F-Secure World Map. Visitors can easily see the virus situation at any given time and also in a particular location.