NEWS FROM THE LAB - March 2006


Thursday, March 30, 2006

New Bagle, new trick Posted by Mikko @ 19:27 GMT

First things first: admins, block http access from your network to

We saw a new Bagle run start tonight. As usual, it was started by posting a new, undetected downloader to one of the dozens of URLs the already-infected Bagle machines are constantly polling.

The difference this time is that every four minutes the link returns a different binary. Different size, different MD5. This is accomplished by repacking the same file with ASProtect again and again.

We are now detecting these as "W32/Bagle.GI". However, the contents keep changing.

To make a long story short: block access to this download site. It's at - a hacked web server in India. Abuse messages to the site and the upstream ISP have been sent.

Updated to add: At around 19:45 GMT, the download link died. Now it just returns 403 Forbidden, which is great. We never got replies to our abuse reports, but perhaps somebody took action. Or perhaps the Bagle gang did this themselves.

  Connecting to[]:80... connected.
  HTTP request sent, awaiting response... 403 Forbidden
  22:16:51 ERROR 403: Forbidden.


Hey, TYPE-YOUR-CREDIT-CARD-NUMBER-HERE.COM is available for registration! Posted by Mikko @ 14:00 GMT

Being curious about phishing, we decided to look into the number of domains that mimic banks. Just how many are out there? Well, lots.

We did a simple search across com/net/org/us/biz/info top-level domains for common bank names.

Keyword Number of domains
citibank* 497
bankofamerica* 407
lloyds* 994
bnpparibas* 41
egold* 691
hsbc* 1258
chase* 6470
paypal* 1634
ebay* 8057

When someone in, say, Nigeria wants to register a domain name that starts with the name of a well known bank, why are the registrars so willing to let them register it?

Some examples of existing, active registrations, using Citibank as an example:
  citibank-credicard.comCitibank account updating, anyone?

Some of these are probably perfectly legitimate. Others probably are, registered last Friday to Ms. Evelyn Musa in Arlington, VA?

Wednesday, March 29, 2006

First Trojan Spy for Symbian Phones Posted by Jarno @ 16:19 GMT


Today we heard of a rather interesting new Symbian malware application named Flexispy.A. It's a Symbian trojan spy that records information about the victim's phone calls and SMS messages, then sends them to a remote server.

What makes this interesting is that Flexispy.A is a trojan spy written by a company for commercial reasons. The company claims that it's a useful tool for catching a cheating spouse. By installing the application on the phone they can monitor to whom the victim is calling and what SMS messages he or she is sending. The company even claims that Flexispy is not a trojan.

However, this application installs itself without any kind of indication as to what it is. And when it is installed on the phone it completely hides itself from the user. So the application could easily be used by malware installing it as part of its payload, or a hacker could simply send it to a victim over Bluetooth and trust that there are enough curious people to install it.

Not to mention the fact that spying on people's private communication is illegal in most countries around the world. And the fact that all of the information is stored on the FlexiSpy servers, puts the company in a rather interesting light.

So yes, FlexiSpy is indeed a trojan and we have added the detection to our F-Secure Mobile Anti-Virus so that any user who has a phone that has been infected with this trojan will get a warning that someone is spying on them.


Workarounds for IE createTextRange() flaw Posted by Jarkko @ 11:25 GMT

There are some publicly available 3rd party patches available for the createTextRange() bug. However, we recommend waiting for the official fix from Microsoft. Before the patch is available, one workaround is to disable the Active scripting from Internet Explorer.

Detailed instructions on how to do this can be read from the Microsoft advisory under Suggested Actions / Workarounds. Here's a screenshot of the procedure:

How to disable Active Scripting

When the Active scripting is set to "Prompt", the prompting might look like this:

Execution of Script


Monday, March 27, 2006

Internet Explorer exploits in the wild Posted by Jarkko @ 14:10 GMT

createtextrange page from MSDN We've received some reports about the recent unpatched Internet Explorer vulnerability being exploited in the wild. The exploits are based on publicly available proof-of-concept code that exploits the processing of the createTextRange() function.

At the moment, there's no patch for the vulnerabilities. Please read the following links for more detailed information about the vulnerability and possible workarounds:

F-Secure Anti-virus detects HTML pages containing the exploit code as variants of Exploit.JS.CVE-2006-1359.


Friday, March 24, 2006

How Would You Like Your Bagle Done, with Rootkits on the Side? Posted by Sean @ 14:34 GMT

Rootkit development has had such a lull in recent months that we were beginning to wonder if the technique had suddenly become pass�. The last few days may have changed our opinion. With the discovery of three new cases we are now very curious to see what the future will bring.

One of the new cases, Gurong.A, is based on Mydoom code. See our earlier post for more technical details. The other two cases are variants of Bagle. Both Mydoom and Bagle are what we could call 'heavy hitters' in the field.

Gurong.A might be based on leaked source code, and may be only a cut and paste job by a new author. No way to really tell. But the Bagle variants have peaked our interest/concern. Bagle's authors are currently active and running botnets. They maintain a complex network and it�s a suite of programs that work together.

To illustrate just how complex the Bagle operation is nowadays, have a look at this graph illustrating the relationships between different Bagle modules:


Two years ago Bagle was a simple virus. One EXE file, emailing itself around. It's not like that anymore. The malware suite has been built over time. Now the latest development is that one of the new Bagle variants integrates rootkit functionality. Bagle.GE includes code that uses rootkit features to hide the processes and registry keys of Bagle.GF. We can see here an active example of the parts creating a greater whole.

There appear to be bugs in these new Bagles so it�s an early version. But if the Bagle authors have seriously decided to turn their attention to upgrading their malware suite with rootkits, then this first step appears to be a dangerous one and one worth keeping an eye on.


Vulnerability in the way HTML Objects Handle Calls Could Allow Yada Yada Posted by Mikko @ 05:53 GMT

Microsoft has put out a warning on a new, nasty, unpatched vulnerability in Internet Explorer. Proof-of-concept exploits are already out.

Disable IE's active scripting or switch to any other browser. Not necessarily Firefox - just any other browser.


Thursday, March 23, 2006

Major vulnerability in sendmail Posted by Mikko @ 18:26 GMT logoSendmail - the most common MTA in the net - has a major vulnerability. This one allows remote execution of code. It just might be wormable.

Worms spreading via sendmail would be nothing new. We already saw this in 1988 with the infamous Morris Worm.

It's probably quite unlikely we would actually see a widespread worm with the current exploit. In any case, it's a good idea to patch now.


Wednesday, March 22, 2006

From Russia with Rootkit Posted by Kimmo @ 15:18 GMT

Yesterday we received an interesting email-worm sample, detected as Gurong.a, that uses rootkit techniques to hide its file, process and launch point in the registry. It is based on the infamous Mydoom code and it is in the wild but currently spreading very slowly.


Gurong.a modifies the operating system kernel, specifically the system service table and process object structures, so it is a kernel-mode rootkit. What makes it different from other kernel-mode rootkits we have seen is the way it installs the rootkit payload into kernel. Often malware uses a special purpose driver or the physical memory device to modify the kernel from user mode.

Source: Intel Corporation

Gurong.a uses the physical memory device as its initial injection vector to install a call gate to the Global Descriptor Table (GDT) that resides in system address space. Call gates are things we do not see everyday. Below is a definition from Wikipedia:

�Call gate is a mechanism in intel x86 architecture for changing privilege level of CPU when it executes a predefined function call.�

For more detailed information about call gates you should have a look at the IA-32 Intel Architecture Software Developer�s Manual, Volume 3A.

What this means is that through the call gate Gurong.a can execute parts of its code in privilege level 0 (kernel mode) without adding any additional code to the system address space. This code has full access to the system address space and privileged instructions. For example, the code that hides a process by modifying its object structure is actually part of the wmedia16.exe image (the file name used by the worm) and resides in user address space.

As a final note, F-Secure BlackLight is able to find and disable Gurong.a.


Monday, March 20, 2006

Commuting to the Office in Finland Posted by Sean @ 08:59 GMT

There are numerous forms of transportation available in the Helsinki area. We can easily travel via bus, tram, metro, train, or car. Many choose to bicycle or walk. The paths are kept clear of snow throughout the winter. This morning at least two of our lab members traveled to work on bicycle (8km & 15km).

And then sometimes one just feels like skiing the 15km to work. Spring weather is rapidly approaching so the route over the frozen Baltic will soon be gone� but it's fun while it lasts.



Thursday, March 16, 2006

Over 12500 Bluetooth Devices Scanned Posted by Mikko @ 07:33 GMT

We've been developing a Bluetooth honeypot. An early prototype was given a test run at the CeBIT trade fair during the week. The embedded device announces itself as a Bluetooth phone in discoverable mode. It detects Bluetooth devices within a one hundred meter range and creates a list of the device names found. It also accepts all file transfers and scans them for known mobile viruses.

We were scanning from our Hall 7 booth for a week. At any given time we would see more than 100 Bluetooth devices wandering within our range. Grand total: 12500 unique devices that a) had Bluetooth, b) had it enabled, c) had it visible. Unbelievable.


We imagine this honeypot can be used for various purposes when it's finalized, including being used by companies at security checkpoints so virus infected devices don't cross the threshold.

While discussing CeBIT: here's a nice 3D rendered video showing how F-Secure Blacklight scans music CDs for possible rootkits. Funnily enough, the video's virtual Blacklight also removes the rootkit from the CD itself. It unfortunately can't do that in real life, we can only remove rootkits from the PC. CDs are of course read only…
(Click the image for the video.)



F-Secure Anti-Virus for Cats Posted by Antti @ 06:39 GMT

Andrew Tanenbaum and his students just published a paper on the possibility of self-replicating RFID viruses (PDF). The paper is titled "Is Your Cat Infected with a Computer Virus?". MSNBC also has a story on this.

RFID tags, as you may know, are small radio chips that can be placed on inanimate objects, animals or even humans. Once in place, a specialized reader can read the tag from tens of meters away. The technology can be used to track luggage at airports or to automate store checkout systems, among many other things. It's already quite common to tag family pets for easy identification (hence the title of the paper).

F-Secure Anti-Virus for Cats

The paper presents an attack where the tags carry a small amount of data (127 characters) that will infect the RFID reader. More precisely, they use an SQL injection attack against an Oracle database backend that interfaces with the reader. The reader will then continue to infect all new tags it sees. Luckily, this is currently only a proof-of-concept attack, even though it's a scary idea.

As a side note, did you know that RFID tags are also used to fight />=3 the H5N1 avian influenza? I bet the clever people who thought of that never saw this one coming.


Tuesday, March 14, 2006

An Old Idea Returns for Building a Better Rootkit Posted by Sean @ 08:23 GMT

SubVirt is a new proof-of-concept rootkit created by Microsoft Research and the University of Michigan. The idea is to install a rootkit that inserts itself at a lower level than the OS and then give the user a virtual machine environment that if successful, looks just like their own. An inexperienced user then might never realize that they aren�t really in control, and all of their software defenses might not realize it either.


Why is Microsoft building a better rootkit? We aren�t too sure, but to paraphrase this eWeek article published on the 10th, Microsoft hopes to use the perspective of the attacker to better understand the needs of the defender. It sounds to us a bit like the scientists that were researching nuclear fission without really thinking about the final use for the bomb that they were helping to build.

In any case the concept isn�t entirely new. In 1993, PMBS was discovered, a stealth virus as they were termed at the time. PMBS was a boot virus that traveled via infected floppy disks. Once it infected a machine, it copied itself into extended memory, switched the computer into protected mode and ran virtual V86 machine. DOS and other applications where then run from that virtual PC.


Monday, March 13, 2006

Free Stickers Posted by Mikko @ 12:47 GMT

Last week we created some promotional material for the CeBIT trade show and now we’d like to share some of the remainders with you, our blog readers. It’s a collection of stickers for your laptop cover, or wherever else location you prefer. We’d like to think that they’re pretty cool. For example, “Tell me your password. It’s ok.”


The first 50 persons to send their mailing address to: nerds [at] f-secure [dot] com, will receive a free sheet of stickers in the post.

Update to add: You can stop sending the mails now, we have more than enough already. Thanks to everybody who emailed us.

We also got nice comments like "I find it funny that to get a sheet of stickers about scams, I have to send some random person my mailing address". Your stickers are in the mail buddy.

Also, one of you (and you know who you are) sent his mail quite late but changed his computer's clock back by two hours before sending the mails. Nice try. We'll send you two sticker sheets for the effort.


Wednesday, March 8, 2006

FC Nerds Posted by Mikko @ 09:50 GMT

It's that time of the year. The annual CeBIT fair will start tomorrow in Hannover, Germany. CeBIT is by far the largest technology fair in the world. We're in Hall 7 (stand D14).

This year there's something interesting going on during the fair: a football champion league is being played. Between antivirus companies. With table football.

We're ready for the challenge. We even have our playing shirts ready and waiting...

Team Finland / Team F-Secure

The actual tournament includes players from F-Secure, Kaspersky, Symantec, Trend Micro, ESET, Bitdefender, Grisoft and G Data. In fact, G Data is hosting the whole tournament in their booth - actually, they've even built their booth to look like a football stadium...


Here's the full tournament schedule and here's more info.


Spanish translation of Commwarrior.B Posted by Jarno @ 08:42 GMT

Yesterday we received a quite interesting sample, a hexedited version of Commwarrior.B that has all texts translated to Spanish.


Modifying samples with hexeditor is not anything new, we have seen that a lot with the Cabir family, and most of the Cabir variants are modified variants of Cabir.B. In the industry lingo we call such malware authors "hexedit idiots".

The modified sample was already detected with F-Secure Mobile Anti-Virus using generic detection. We have named the sample SymbOS/Commwarrior.D and the exact detection was added into mobile database build 74.


Tuesday, March 7, 2006

First virus for Infopath Posted by Sean @ 08:12 GMT

Don�t know what Microsoft Infopath 2003 is for? Neither did we until we took a look at the product�s demo page at Microsoft. The product allows for the creation of dynamic forms and data collection within an organization. The example used in the demo is expense reports.


What caused us to go look? Well, it is now a new platform for a proof-of-concept virus. The writer of Icabdi.A has determined a way to insert code into the .xsn files used by Infopath. Icabdi.A doesn�t really do any harm, it only displays quotes, but it is of interest as the first of its kind using this platform.


Monday, March 6, 2006

Every minute counts Posted by Mikko @ 16:28 GMT

Number of infected computersWe're proud of our fast response times in stopping new viruses.

That's why we're especially happy with the excellent results in's latest test (On-demand comparative / February 2006).

We've also just released a new flash movie called "Virus Protection: Every minute counts". It's done for marketing purposes but it actually contains pretty nice graphics - and a computer rendered version of our lab. Check it out at Enter the amount of computers in your organization and it will tell you how much money you'd save by upgrading to F-Secure Anti-Virus...

Da lab


Friday, March 3, 2006

Third of the month Posted by Mikko @ 14:24 GMT

nyxem in India It’s the 3rd of the month and so the Nyxem.E worm has another opportunity to activate and overwrite data files. Nyxem didn’t do that much damage last month and the statistics don’t look to be that bad this month either.

The only country in the world that seems to be affected in any serious manner this time around would be India.

If you look at Nyxem.E infections we've spotted in India yesterday via our Virus World Map, you'll see infection reports from places like Calcutta, Mangalore, Hyderabad, Bombay, Bangalore, Jaipur and New Delhi.

But in any case the activity is lower than last month. So hopefully fewer computers in India will actually be damaged this month than last.




Greetings from Blackhat Europe 2006 Posted by Jarno @ 08:52 GMT


Greetings from Blackhat Europe 2006. As before, Blackhat Europe is being held in the Grand Hotel Krasnapolsky in Amsterdam.

The quality of the presentations has once again been very high, and there have been many great presentations shedding light on new problems.

For example, Mikko Kiviharju's presentation on just Why Microsoft's Fingerprint Reader Is Not a Security Feature (links to PDF) was quite interesting and chilling at the same time.

In the picture we have Halvar Flake giving a presentation on Attacks on Uninitialized Local Variables (links to PDF).


Hacker Defender Antidetection Closes Shop Posted by Antti @ 07:31 GMT

The author of the Hacker Defender rootkit has announced that he will stop offering the so-called antidetection service, which promised to hide the rootkit from anti-virus products and even from rootkit detectors such as F-Secure BlackLight. The service, priced at several hundred euros, was on sale on the author's web site for more than a year. We mentioned the antidetection features in Hacker Defender in our previous blog entry.

Hacker Defender Closes Shop

It is a good thing that the "official" Hacker Defender anti-detection service is out of business. However, since Backdoor.Win32.Hacdef is an open-source rootkit, we will most likely continue seeing private builds of it also in the future.


Thursday, March 2, 2006

Old phones and the RedBrowser trojan Posted by Sean @ 14:30 GMT

6310iWe've been looking deeper into the RedBrowser trojan and have found that it uses just the standard MIDP 1.0 API and the optional CLDC 1.0 WMA package (Wireless Messaging API). Sun has a helpful list of J2ME phones and the version of the Java software installed on each.

So, among the older J2ME/Java supported phones that we have tested, none have been vulnerable to Redbrowser. The Nokia 6310i for example does not have the optional WMA support and the even though the Siemens SX1 has all of the needed software components, RedBrowser still doesn’t work on it.




New view of the world Posted by Sean @ 13:03 GMT

plasmaBack in July of 2005 we blogged about our "view of the world". Here at our labs we have a system that allows us to view a visual representation of virus infections worldwide. We can plot viruses in real-time or see an elapsed history.

After blogging about this system, we got requests from our users to make a version that would be available for everyone online. Well, that's just what we've done with F-Secure World Map. Visitors can easily see the virus situation at any given time and also in a particular location.