NEWS FROM THE LAB - March 2007


Friday, March 30, 2007

Update on ANI Exploit Posted by Mikko @ 15:09 GMT

The Windows Animated Cursor Handling vulnerability – CVE-2007-1765 – is out there although we aren't getting a huge amount of customer reports. However, do be cautious over the weekend. The bad guys will be trying their best to use this exploit before Microsoft releases a patch.


Current testing indicates that this is mainly an Internet Explorer and Outlook issue. So we'd suggest using something else.

SANS Internet Storm Center has good information on mitigations and domains to block.


Thursday, March 29, 2007

Always keep your softwares up to date... or not Posted by Ian @ 23:09 GMT

Time and again, we have always advised users that it is a good practice to keep your software applications updated. However, it does not seem so after today.

E-mails that supposedly came from admin[at]microsoft[dot]com are advising users to upgrade to IE 7.0 Beta 2. The e-mail details are as follows:

From: admin[at]microsoft[dot]com
Subject: Internet Explorer 7 Downloads

IE 7 Beta 2

The picture links to various sites containing a file named ie7.0.exe. This file is activated by clicking on the embedded image.

The ie7.0.exe file is already detected as Virus.Win32.Grum.A.

With this authentic looking image, it might be difficult to see offhand that this is malicious.

Remember to always get your updates from the original developer's site.


More vulnerabilities, ANI-one? Posted by Ian @ 19:45 GMT

Animated Icons

There are new reports of targeted attacks using a vulnerability in the way Microsoft Windows handles animated cursor (.ANI) files.

These animated cursor files can be hosted on websites and will be triggered upon visiting such sites. They can also be embedded in specially crafted e-mails or attachments within the e-mail.

Microsoft has released a security advisory regarding this.

A sample that is possibly related to this has been obtained and is detected as Exploit:W32/Ani.C since update 2007-03-29_09. This sample downloads a copy of a Trojan that has already been detected as Trojan-Downloader.Win32.Small.ELA.

Until a patch is released, exercise caution when surfing and opening attachments in e-mail.


What were you doing eight years ago? Posted by Mikko @ 10:56 GMT

I know what I was doing eight years ago…

I only had time for one thing – the Melissa worm.


Melissa was the original, first massive e-mail worm outbreak.

Good times.


Wednesday, March 28, 2007

So, what does the enemy look like in real life? Posted by Mikko @ 11:06 GMT

Greetings from the eCrime conference in London. This conference is mostly meant for people working with law enforcement and in the financial industry and focuses on how to fight fraud and electronic crime.

eCrime 2007

Yesterday at the conference I had a chance to meet Anton Aleksandrovich Pakhomov. He works as a public prosecutor in the Saratov Regional Prosecutor's Office in Russia.

Mr. Pakhamov worked as a prosecutor on a case against denial-of-service extortionists. The case involved a large botnet that was used to attack webshops and gambling operators in UK and in USA. Targeted companies were forced to pay a ransom to get their sites back online. The ring earned several million dollars before they were caught.

The case involved 10 persons in Latvia (money mules) and four attackers from Russia and two from Kazakhstan. Out of these, three persons were successfully located and prosecuted in the city of Balakov in Russia. The whole investigation took more than a year, but in the end the three individuals were all sentenced. They got eight years of prison each.

So who were they? They were, from left to right, Alexander Petrov, Denis Stepanov and Ivan Maksakov.

Photo copyright (c) 2006 Kommersant /

Signing off,


Tuesday, March 27, 2007

Weblog Q&A Posted by Sean @ 16:09 GMT

Selecting No

How does a Bluetooth worm get installed [on a mobile phone]? The user has to allow its install, don't they? Why would they allow it?

Bluetooth worms effectively cause a denial-of-service attack. Selecting "No" results in repeated prompts until many just give up and try "Yes".

Mikko wrote a ten-page article for Scientific American about mobile malware a few months ago. The article seems to be available for download in PDF format via Professor Robins' homepage here:
Search for "Mobile Malware" to find it.


Sunday, March 25, 2007

Need an excuse to go to Dubai? Posted by Mikko @ 07:18 GMT

Coming up: HITBSecConf2007 - Dubai.


Speakers include Lance Spitzner, Window Snyder, Shreeraj Shah, The Grugq, HE. Mr. Mohammed Nasser Al Ghanim and me.



Friday, March 23, 2007

Nurech on the Run Again. Posted by Jusu @ 11:54 GMT

We last posted about a Nurech run on February 19th using Ikea Deutchland as their supposed front. This time the Nurech gang is riding on 1&1, an Internet hosting provider. We have received reports of a large amount of e-mails in Germany.

It seems that the gang is monitoring the success of their trojan. As soon as the antivirus industry caught up with the first downloaded malware (Trojan-Spy.Win32.BZub.IJ), they changed it to another one. We detect the current downloaded file as Trojan-Spy:W32/BZub.IK.

The downloader itself (Trojan-Downloader:W32/Small.EJK) has been detected since morning with update 2007-03-23_02, detection of all known files thus far in 2007-03-23_03.

Here's an example of the spammed message:


Updated to add:
Here's another example of text used in the spam with a translation provided by a German partner of ours.

Aktueller Sicherheitshinweis:
Unbekannte haben Millionen von E-Mails versendet,
die sich als Rechnungen der 1&1 Internet AG tarnen.
Diese E-Mails versuchen den Rechner des Empf�ngers mit einem Virus zu infizieren.
Ausschlie�lich solchen E-mails wie dieser k�nnen Sie vertrauen.
�ffnen Sie keinesfalls in gef�lschten E-Mails angeh�ngten Dateien!

Sie erkennen die Echtheit Ihrer 1&1 E-Mail-Rechnung an folgenden Merkmalen:
- Sie erhalten echte Rechnungen immer als ZIP Dateien
- Sie finden immer diesen Sicherheitshinweis darin

Security Advice!!
Unknown persons have send millions of e-mails, that stealth as invoices from 1&1 Internet AG.
These e-mails try to infect the recipients computer with a virus.
Only trust e-mails like this one! Never open an attachment in a faked e-mail!

Original e-mails from 1&1 can be identified by
- Real invoices are always sent in a ZIP
- You will always find this security advice.

Trust No One. Except us…


Thursday, March 22, 2007

This Sucks Posted by Mikko @ 14:21 GMT

When working with Windows files it's helpful to know just what type of file you're working with, right?

Older versions of Windows used to hide the extensions by default. This was known as "Hide extensions for known file types". It was always a bad idea, and it was used extensively by the bad guys with double extensions as a means of tricking users into running files. You know, LOVE-LETTER-FOR-YOU.TXT.VBS and so on.

So, now we have Windows Vista.

Turns out, they still have this feature on by default.

What were they thinking? Does anybody like it like this?

So… can you tell what types of files are in the images below?

List Icons

Medium Icons

Big Icons

Detailed Icons

This just sucks.


Wednesday, March 21, 2007

Weblog Q&A Posted by Sean @ 16:02 GMT

First Question:
I'm planning to visit Finland this fall. Do you offer tours of your facility?
Do you do open day tours around your buildings and research labs? Especially the bluetooth testing chambers.


We do have visitors in the lab. At the moment this is generally limited to our partners, associates, VIPs, police and military trainees, et cetera. So it's not currently open to the general public.

We did however have a unique group a couple of weeks ago. They were the winners of an ISP security contest. After visiting our Helsinki lab, the group traveled North to Kemi and visited LumiLinna – Snow Castle. Nice trip!

Since you asked, we let the folks in marketing know of your interest. If they develop a system to coordinate a visit, we'll let you know. In the meantime, we are working on a video tour.

Second Question:
I am interested in owning Polo T-shirt with collar from F-Secure. Are we able to buy them from you guys?
Is it possible to buy an F-Secure t-shirt?

We do have an internal store with Polo and T-shirts for marketing and sales. This is another idea that I mentioned to marketing. And they we're interested to hear about it. So they'll investigate that as well.

Perhaps the lab can get a few shirts to give away in our next weblog challenge…

Third Question:
That photo was taken in June in Helsinki!?!? It looks like February in Minnesota! Do you ever actually have SUMMER? And if you sleep late that weekend, do you miss it?

Hmm. It seems there's been a small miscommunication.
We weren't referring to this photo. That was taken on the canal outside about one year ago on March 17th. And if we tried the same spot this year – we'd end up very wet. This is the photo that was taken in June.

Finnish Summer can be awesome with long, long daylight hours and warm temperatures. And Winter isn't that bad…


Tuesday, March 20, 2007

Anti-Spyware Coalition Posted by Kamil @ 17:41 GMT

Anti-Spyware Coalition

On March 15th, the Anti-Spyware Coalition released the finalized versions of two documents. One is titled Best Practices Suggestions and the other is on the topic of Conflicts Resolution. F-Secure is a member of the coalition and one of our security researchers was involved with the drafting process.

So, if you want to read a detailed description of what spyware is, then visit the coalition's document page.


Monday, March 19, 2007

Video - Targeted Attacks Posted by Sean @ 09:51 GMT

We have a new video available for you in which Mikko discusses Targeted Attacks.

Click on the image:
Targeted Attacks

The video has been available via our YouTube Channel since last Friday. So subscribe to the channel and you'll be ahead of the curve!


QuickSpace: MySpace Tracker Launch by QuickTime Posted by Jose @ 06:07 GMT

We've seen another attack using an insecure feature of QuickTime called HREF Tracks. This is a feature that can specify movies from other links to automatically open simultaneously when the movie is run. With the QuickTime sample that we received, it will try to download and execute a spying JavaScript from this website:[removed].js

We detect the JavaScript as Trojan-Spy:JS/Spacestalk.A. We detect the downloader as


The said script collects MySpace information from the user that includes Username, FriendID, MySpace Display Name, and other logins of the user, and sends this information back to the tracking server at together with the current URL as well as the current referrers' page.


Updated to add:
We would like to note that Apple resolved this issue with QuickTime 7.1.5 – released on March 5th. See CVE-ID: CVE-2006-4965, CVE-2007-0059 for all the details.

From Apple's website:
QuickTime 7.1.5 for Windows may be obtained from the Apple Software Update application, or as a manual download from:

So, you'll need Apple Software Update installed or else you'll have to perform a manual download. We've already posted on manually downloading QuickTime. Some of ours readers wrote to tell us that the update automation also includes "optional recommendations" to install iTunes…

This isn't particularly useful to those of us with corporate machines that want QuickTime but not iTunes.


Friday, March 16, 2007

Big Thinkers Posted by Sean @ 13:07 GMT

Risto Siilasmaa

BT – formerly known as British Telecom – conducts forums known as BT's Big Thinkers series.

F-Secure's Chairman of the Board, Risto Siilasmaa, was a panelist during a recent discussion along with Michael Barrett, the Chief Information Security Officer of PayPal. It was hosted by well-known security expert Bruce Schneier, and was moderated by Esther Dyson.

Security: not just a technical problem was the topic of discussion. It's a people issue as well.

The discussion is about an hour in length. It takes a minute or two for the video to load from BT's site, probably due to the demand at the moment. Be patient, it's worth the wait.






Thursday, March 15, 2007

Hell on Earth Posted by Mikko @ 06:22 GMT

CeBIT 07

It is that time of the year again. CeBIT, the world's largest IT fair starts today in Hannover, Germany.

As usual, CeBIT is massive. How massive? Over 6000 exhibitors from 80 countries. Close to half a million visitors over seven days.

Let me illustrate it like this. Our booth is in Hall 7, as it usually has been. This is where almost all of the other security vendors are too. And over 200 other vendors from other industries. So it's a pretty big hall.

Now, locate hall 7 from this map of CeBIT fairgrounds:

CeBIT Halls

Wish us luck.

Signing off,

Be Sure


Wednesday, March 14, 2007

Secure logins? Posted by Mikko @ 07:54 GMT

Spotted yet another PayPal phishing site this morning, running at

The site contains a copy of the normal PayPal login screen:

If you log-in, you'll get a prompt about the need to verify your information. Note how the page tries to con you into giving out your debit card number instead of a credit card number, as it would be more useful for these crooks.

This domain was registered two days ago – apparently the scam was still at building stage. The domain is owned by Mr. James Sexton ( Yeah right.


Tuesday, March 13, 2007

Apple Updates Posted by Sean @ 16:32 GMT

What's the deal with QuickTime Player 7.1.3 for Windows?

QuickTime 7.1.3

If you select the "Update Existing Software" option from within QuickTime 7.1.3 you'll get the following notification:

Update QuickTime

But that's not exactly correct – version 7.1.5 is now available, and it includes security updates. If you download version 7.1.5 from and install it you'll see this option:

Apple Software Update

Apple Software Update can be installed to easily update QuickTime and other Apple software. So does easily update mean that it's now the only way to update without manually checking apple's site? What was wrong with the old method of having the client check for you?


Saturday, March 10, 2007

Domain to drop Posted by Mikko @ 06:18 GMT


While looking at some incoming malware, we noticed a
trojan-downloader that downloaded additional malware from Very funny. We've seen a similar domain ( used by other downloaders already in December.

If you're a sysadmin, you might want to filter your traffic to that domain.

The same IP also has other interesting hosts, including,,


Friday, March 9, 2007

Weekend Reading - March 9th Posted by Sean @ 15:07 GMT

Image Properties

Here's some of the reading we've done today.

If you're interested in Phishing, check out this post at ZoneLabs. They have a cool photo of a box of cash. Lots of hundred dollar bills. The image's metadata is still intact.

For those of you interested in mobile issues:
Earlier this week, an employee of Wal-Mart was fired for listening in on phone calls and intercepting text messages. The calls were between Wal-Mart staff and a news reporter. Slate magazine's Ask the Explainer answers the question: How Do You Intercept a Text Message?

Over at CNet, Robert Vamosi looks into evil twin attacks using a mobile phone rather than a laptop.

Microsoft published their Advance Notification bulletin yesterday. There are no security updates scheduled for next Tuesday… They must have been busy enough with the Daylight Saving Time change in the US this weekend.


Wednesday, March 7, 2007

Case Posted by Mikko @ 14:19 GMT

There was another Nurech spammed today. The gang behind it has been masquerading as various German organizations when spamming out their malware, including GEZ, the German division of Ikea, and

Today we saw a run of mails claiming to be from a dating site named

Case Singel

The mails contained a ZIP attachment, with a file named inside.

When decoding this file, we saw that it attempts to download several more files:

Case Singel

Turns out, most of these URLs will not resolve and were probably put in there just to throw us off. However, the link ending with "tss0.txt" does work, giving out two lines of text:

Case Singel

Now, this looks like a URL encoded with a 8-bit constant, doesn't it?

And in fact, it's encrypted by running XOR 0x02 on each byte. An easy way to decrypt something like this is to use the Edit feature in HIEW hex editor.

Case Singel

And with this we get to the encrypted content, which is a link to yet another piece of malware:

Case Singel

We're in the process of shutting down the offending site. Also, we detect the dropped samples as
Trojan-Downloader:W32/Nurech.BB and the downloaded sample as Trojan.Win32.Agent.aeq.


Netbank Disaster Recovery Posted by Sean @ 11:30 GMT

IDG.NO ComputerWorld

It seems that a big Norwegian netbank has been experiencing malware problems since last Friday. Internal tools are offline for some of their users, who's able to open what applications is random, and the online bank site has been slow. The bank is approaching a normal situation now, but apparently later than the original estimates.

If you can read Norwegian, you'll find the details on IDG.No ComputerWorld's site.


Tuesday, March 6, 2007

Video - Aloha Phishing Demo Posted by Sean @ 17:10 GMT

Big banks have been hardening their defenses against phishing attacks. So what are the bad guys doing? They're going after the lower hanging fruit and are targeting smaller financial institutions such as credit unions.

Today's video is of a live phishing site mirroring a credit union in Hawaii.

Aloha Phishing Demo

Aloha Phishing Demo (Flash 1024x768 – 6464k)
The video is also available via our YouTube Channel.


Number Forty-Three Posted by Mikko @ 13:50 GMT

Hey – Thanks PC World!



Come Join the Good Fight Posted by Sean @ 13:12 GMT

There have been several Q&A submissions asking:
How does one get to work for you?

Well – we're hiring.

Our Helsinki based careers page has a number of European positions listed. We're also hiring in Malaysia. You can find those positions here.

Two of the Helsinki positions are directly related to the Security Labs.

Helsinki Careers

The Malware Analyst opening is part of Response.
Contact A-P

And there is a System Developer position as well. The LabDev Team are the ones that create and maintain many of the applications and systems we use.
Contact Olli


The Malaysian openings also include two within the Security Labs team. We're looking for an Analyst and a Security Labs Administrator.

Kuala Lumpur Careers


Related Q&A Questions:
It sounds like you have a lot of fun there. How do go about getting a job with you. btw I can't speak Finnish, is that a problem?
What is the best way to get a job at F-Secure? What kind of people you need?
What skills are required to be in your line of work?
I suspect that many people who read this blog would like to work doing virus/malware research or something similar. Would you have any advice for people who would like to pursue a career in this area?

Language – We're a very international organization and English is the official business language of F-Secure.

Kind of People – In Response, those with code analysis and debugging skills. Our past challenges have introduced us to good candidates. Keep your eyes open for future challenges. They're fun, but also serve a practical purpose.

We'll address the types of skills we'd advise for anyone wanting to work in the industry in a future post.


Monday, March 5, 2007

Weblog Q&A Posted by Sean @ 14:42 GMT

First Question:
Is the [banner] photo [on your weblog's home] page the full Finnish team? When will you also show the Malaysian team?

Six of the people in the current banner photo work in the Malaysian lab. The picture was taken last June during several weeks of training. And while on the topic of training, two from the Helsinki lab are now on three month assignments in Malaysia. So that makes a total of eight from the photo at the moment.

Helsinki On Ice

As the team is growing in both locations, our photo is once again becoming out-of-date. We'll do something about that in the near future.

Most of the Helsinki Security Labs team is in the photo. F-Secure as a whole is now made up of 500+ employees.

Second Question:
How old is the youngest employee at F-Secure? The photo has at least one who looks to be a teenager.

Actually – there is a teenager in the photo. His name is Otto Ebeling. As mentioned above, the photo was taken in June, also the period of Otto's summer employment.


Submit your question.


WordPress Remote PHP Execution Posted by Sean @ 10:14 GMT

On Friday, WordPress reported that a server intrusion occurred on The result is that version 2.1.1 of their blogging software is compromised by a backdoor. The intruders modified two files to include code that would allow for remote PHP execution.

WordPress has corrected the issue and has released version 2.1.2. You can read more details here.


Saturday, March 3, 2007

Email-Worm.Win32.Warezov.Email-Worm.Win32.Email-Worm.Win32.Warezov.jx Posted by Mikko @ 09:21 GMT


A new Warezov run has been going on for some hours now. The e-mails seem to be constant and look like this:

  Do not reply to this message

Dear Customer,

Our robot has fixed an abnormal activity from your IP address on
sending e-mails. Probably it is connected with the last epidemic of a
worm which does not have patches at the moment. We recommend you to
install a firewall module and it will stop e-mail sending. Otherwise
your account will be blocked until you do not eliminate malfunction.

Customer support center robot

The attachment is a ZIP file which contains a static EXE file. The name varies, but it's always something like Update-KB[random numbers]-x86.exe.
We detect it as Email-Worm.Win32.Warezov.jx.

Friday, March 2, 2007

ADVANCED+ Posted by Mikko @ 14:26 GMT

aAVC Logo

The latest comparative test results from are out. We did very nicely in the test and netted the highest "ADVANCED+" rating – unlike the big boys.

This test used almost half a million sample files. For full results, download the test report. (PDF)



Weblog Q&A Posted by Sean @ 08:43 GMT

Thank you for submitting your questions. Please keep them coming. We'll answer as many of them as possible over the next few weeks.


First Question:
What hours do you guys work? I see updates to the weblog (and the virus definitions) at all hours of the day and night.

F-Secure has offices in fifteen countries and labs in four locations. The vast majority of malware analysis is done between our Helsinki and Kuala Lumpur labs. There are three shifts with a length of eight hours each – one in Helsinki, Finland and two in Kuala Lumpur, Malaysia.

Second Question:
Are you _really_ using white labcoats when working in your Kuala Lumpur site?

Francis: Yes – Sometimes. Really.
The air conditioning is much, much colder in KUL then in HEL…

White Coats

Third Question:
Are there polar bears in Finland?

No. While there are many bears in Finland, they aren't polar bears. There are no polar bears in Kuala Lumpur either. Unless it's at the zoo.


Thursday, March 1, 2007

Query the Weblog Team Posted by Sean @ 16:18 GMT

Greetings Weblog Readers,

A few weeks ago, Mikko took part in an online Q&A session. The questions and answers (in Finnish) were part of Finland's National Information Security Day. The session went very well, so we've decided to try something similar with the weblog.

What question have you always wanted to ask of us? Use the poll (allow script) to submit yours.


Members of the weblog team are standing by:

Junior Analyst