The Windows Animated Cursor Handling vulnerability – CVE-2007-1765, later consolidated under CVE-2007-0038 – is being exploited in the wild, although we aren't seeing a huge number of customer reports. Do be cautious over the weekend: the bad guys will be trying their best to use this exploit before Microsoft releases a patch.
Current testing indicates that this is mainly an Internet Explorer and Outlook issue, so we'd suggest using something else until the patch is out. Keep in mind that the flaw is in the way Windows itself loads cursors, so switching applications reduces exposure rather than removing it.
SANS Internet Storm Center has good information on mitigations and domains to block.
Time and again we have advised users that it is good practice to keep your software applications updated. Today's example shows why that advice has to come with a condition: only take updates from the vendor's own channels.
E-mails that supposedly came from admin[at]microsoft[dot]com are advising users to upgrade to IE 7.0 Beta 2. The e-mail details are as follows:
From: admin[at]microsoft[dot]com
Subject: Internet Explorer 7 Downloads
Body:
The body is an embedded image. Clicking it leads to various sites hosting a file named ie7.0.exe, which is the actual payload.
There are new reports of targeted attacks using a vulnerability in the way Microsoft Windows handles animated cursor (.ANI) files.
These animated cursor files can be hosted on websites and will be triggered upon visiting such sites. They can also be embedded in specially crafted e-mails or attachments within the e-mail.
A sample that is possibly related to this has been obtained and is detected as Exploit:W32/Ani.C since update 2007-03-29_09. This sample downloads a copy of a Trojan that has already been detected as Trojan-Downloader.Win32.Small.ELA.
Until a patch is released, exercise caution when surfing and opening attachments in e-mail.
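As an added example (not code from the original posts), here is a Python check that a mail gateway or web proxy could run on .ANI attachments and downloads before passing them on. It parses the RIFF/ACON container and flags anything that is not a well-formed cursor: a chunk that runs past the file, an anih header that is not the 36 bytes the format defines, or more than one anih chunk. The two sample files are constructed inline. This is a structural sanity check on the format, not a signature for any particular exploit.

```python
import struct

ANIHEADER_SIZE = 36  # nine little-endian DWORDs, per the .ANI format


def _chunks(buf, start, stop):
    """Yield (fourcc, size, data_offset) for each RIFF chunk in buf[start:stop]."""
    pos = start
    while pos + 8 <= stop:
        fourcc = buf[pos:pos + 4]
        size = struct.unpack_from("<I", buf, pos + 4)[0]
        yield fourcc, size, pos + 8
        pos += 8 + size + (size & 1)  # chunk data is padded to a word boundary


def check_ani(data):
    """Return a list of structural problems; an empty list means the file
    is a well-formed animated cursor as far as the container layout goes."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON container"]
    issues = []
    riff_len = struct.unpack_from("<I", data, 4)[0]
    if riff_len + 8 > len(data):
        issues.append("RIFF length %d exceeds file size %d" % (riff_len, len(data)))
    stop = min(len(data), riff_len + 8)
    anih_seen = 0

    def walk(start, stop):
        nonlocal anih_seen
        for fourcc, size, off in _chunks(data, start, stop):
            if off + size > stop:
                issues.append("chunk %s declares %d bytes but only %d remain"
                              % (fourcc, size, stop - off))
                return
            if fourcc == b"anih":
                anih_seen += 1
                if size != ANIHEADER_SIZE:
                    issues.append("anih chunk is %d bytes, expected %d"
                                  % (size, ANIHEADER_SIZE))
                elif struct.unpack_from("<I", data, off)[0] != ANIHEADER_SIZE:
                    issues.append("anih cbSizeof field does not say 36")
            elif fourcc == b"LIST" and size >= 4:
                walk(off + 4, off + size)  # skip the list-type fourcc, recurse into members

    walk(12, stop)
    if anih_seen != 1:
        issues.append("expected exactly one anih chunk, found %d" % anih_seen)
    return issues


def _chunk(fourcc, payload):
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def build_ani(chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: a header claiming one 32x32 frame, one step, 10 jiffies per frame.
_HEADER = struct.pack("<9I", ANIHEADER_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)
_FRAMES = _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\0" * 16))
GOOD_ANI = build_ani([_chunk(b"anih", _HEADER), _FRAMES])
# The same file with an extra, oversized anih chunk appended: never valid.
BAD_ANI = build_ani([_chunk(b"anih", _HEADER), _FRAMES,
                     _chunk(b"anih", _HEADER + b"\x41" * 64)])

if __name__ == "__main__":
    for label, sample in (("good", GOOD_ANI), ("bad", BAD_ANI), ("truncated", GOOD_ANI[:-10])):
        print(label, check_ani(sample) or "ok")
```

A gateway that drops anything check_ani() complains about will also drop a few cursors produced by sloppy editors, which is the right trade-off while no patch exists.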
Greetings from the eCrime conference in London. This conference is mostly meant for people working with law enforcement and in the financial industry and focuses on how to fight fraud and electronic crime.
Yesterday at the conference I had a chance to meet Anton Aleksandrovich Pakhomov. He works as a public prosecutor in the Saratov Regional Prosecutor's Office in Russia.
Mr. Pakhomov worked as a prosecutor on a case against denial-of-service extortionists. The case involved a large botnet that was used to attack webshops and gambling operators in the UK and the USA. Targeted companies were forced to pay a ransom to get their sites back online. The ring earned several million dollars before they were caught.
The case involved 10 persons in Latvia (money mules) and four attackers from Russia and two from Kazakhstan. Out of these, three persons were successfully located and prosecuted in the city of Balakov in Russia. The whole investigation took more than a year, but in the end the three individuals were all sentenced. They got eight years of prison each.
So who were they? They were, from left to right, Alexander Petrov, Denis Stepanov and Ivan Maksakov.
Question: How does a Bluetooth worm get installed [on a mobile phone]? The user has to allow its install, don't they? Why would they allow it?
Bluetooth worms effectively mount a denial-of-service attack on the user: selecting "No" results in repeated prompts until many just give up and press "Yes".
Mikko wrote a ten-page article for Scientific American about mobile malware a few months ago. The article seems to be available for download in PDF format via Professor Robins' homepage here: http://www.cs.virginia.edu/~robins/cs661/ Search for "Mobile Malware" to find it.
We last posted about a Nurech run on February 19th using Ikea Deutschland as their supposed front. This time the Nurech gang is riding on 1&1, an Internet hosting provider. We have received reports of a large number of e-mails in Germany.
It seems that the gang is monitoring the success of their trojan. As soon as the antivirus industry caught up with the first downloaded malware (Trojan-Spy.Win32.BZub.IJ), they changed it to another one. We detect the current downloaded file as Trojan-Spy:W32/BZub.IK.
The downloader itself (Trojan-Downloader:W32/Small.EJK) has been detected since morning with update 2007-03-23_02, detection of all known files thus far in 2007-03-23_03.
Here's an example of the spammed message:
Updated to add: Here's another example of text used in the spam with a translation provided by a German partner of ours.
Aktueller Sicherheitshinweis:
=============================
Unbekannte haben Millionen von E-Mails versendet, die sich als Rechnungen der 1&1 Internet AG tarnen. Diese E-Mails versuchen den Rechner des Empfängers mit einem Virus zu infizieren. Ausschließlich solchen E-Mails wie dieser können Sie vertrauen. Öffnen Sie keinesfalls in gefälschten E-Mails angehängte Dateien! Sie erkennen die Echtheit Ihrer 1&1 E-Mail-Rechnung an folgenden Merkmalen:
- Sie erhalten echte Rechnungen immer als ZIP-Dateien
- Sie finden immer diesen Sicherheitshinweis darin

Security advice!!
=================
Unknown persons have sent millions of e-mails disguised as invoices from 1&1 Internet AG. These e-mails try to infect the recipient's computer with a virus. Only trust e-mails like this one! Never open an attachment in a forged e-mail! Genuine e-mails from 1&1 can be identified by the following:
- Real invoices are always sent as a ZIP file
- You will always find this security advice in them
When working with Windows files it's helpful to know just what type of file you're working with, right?
Older versions of Windows used to hide the extensions by default. This was known as "Hide extensions for known file types". It was always a bad idea, and it was used extensively by the bad guys with double extensions as a means of tricking users into running files. You know, LOVE-LETTER-FOR-YOU.TXT.VBS and so on.
So, now we have Windows Vista.
Turns out, they still have this feature on by default.
What were they thinking? Does anybody like it like this?
So… can you tell what types of files are in the images below?
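To make the point concrete, here is an added Python example (not code from the original post) that reproduces what Explorer shows when "Hide extensions for known file types" is on, and uses that to flag attachment names where the visible part looks like a document while the extension that actually runs is executable. That covers the LOVE-LETTER-FOR-YOU.TXT.VBS trick above and the Singel.de.pdf.exe name from the Nurech post further down this page. The set of "known" extensions is an assumed subset of what Windows registers, and the ZIP contents are constructed.

```python
import io
import os
import zipfile

# Assumed subset of the extensions Windows registers and therefore hides.
KNOWN_TYPES = {".txt", ".jpg", ".gif", ".pdf", ".doc", ".xls", ".zip", ".htm",
               ".exe", ".vbs", ".scr", ".com", ".pif", ".bat", ".cmd", ".js"}
EXECUTABLE = {".exe", ".vbs", ".scr", ".com", ".pif", ".bat", ".cmd", ".js"}


def displayed_name(filename, hide_known=True):
    """What Explorer shows: only the final extension is removed, and only
    when the type is registered. Everything before it survives, which is
    exactly what a double extension relies on."""
    root, ext = os.path.splitext(filename)
    if hide_known and ext.lower() in KNOWN_TYPES:
        return root
    return filename


def classify(filename):
    """None for a name that cannot execute, otherwise a short reason string."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXECUTABLE:
        return None
    # rstrip() catches the "invoice.pdf      .scr" padding variant
    shown_ext = os.path.splitext(displayed_name(filename).rstrip())[1].lower()
    if shown_ext in KNOWN_TYPES - EXECUTABLE:
        return "executable %s shown to the user as %s" % (ext, shown_ext)
    return "executable %s with its extension hidden" % ext


def scan_zip(zip_bytes):
    """Return [(member, reason)] for every member of an attachment ZIP that classify() flags."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            reason = classify(os.path.basename(member))
            if reason:
                flagged.append((member, reason))
    return flagged


def _constructed_zip(names):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"MZ")  # placeholder content, not a real binary
    return buf.getvalue()


# Constructed attachment: one genuine-looking PDF name and three deceptive ones.
SAMPLE_ZIP = _constructed_zip(["Rechnung.pdf", "Singel.de.pdf.exe",
                               "LOVE-LETTER-FOR-YOU.TXT.VBS", "invoice.pdf      .scr"])

if __name__ == "__main__":
    for name in ("LOVE-LETTER-FOR-YOU.TXT.VBS", "Singel.de.pdf.exe", "Rechnung.pdf"):
        print("%-30s shown as %-26s %s" % (name, displayed_name(name), classify(name)))
    for member, reason in scan_zip(SAMPLE_ZIP):
        print("ZIP member %r: %s" % (member, reason))
```

The check deliberately keys on the real extension first and only then on what the user would see, so a plain setup.exe is still reported (as hidden-extension executable) rather than silently passed because it carries no fake document suffix.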
First Question: I'm planning to visit Finland this fall. Do you offer tours of your facility? Do you do open day tours around your buildings and research labs? Especially the bluetooth testing chambers.
We do have visitors in the lab. At the moment this is generally limited to our partners, associates, VIPs, police and military trainees, et cetera. So it's not currently open to the general public.
We did however have a unique group a couple of weeks ago. They were the winners of an ISP security contest. After visiting our Helsinki lab, the group traveled North to Kemi and visited LumiLinna – Snow Castle. Nice trip!
Since you asked, we let the folks in marketing know of your interest. If they develop a system to coordinate a visit, we'll let you know. In the meantime, we are working on a video tour.
Second Question: I am interested in owning Polo T-shirt with collar from F-Secure. Are we able to buy them from you guys? Is it possible to buy an F-Secure t-shirt?
We do have an internal store with polo and T-shirts for marketing and sales. This is another idea that I mentioned to marketing, and they were interested to hear about it. So they'll investigate that as well.
Perhaps the lab can get a few shirts to give away in our next weblog challenge…
Third Question: That photo was taken in June in Helsinki!?!? It looks like February in Minnesota! Do you ever actually have SUMMER? And if you sleep late that weekend, do you miss it?
Hmm. It seems there's been a small miscommunication. We weren't referring to this photo. That was taken on the canal outside about one year ago on March 17th. And if we tried the same spot this year – we'd end up very wet. This is the photo that was taken in June.
Finnish Summer can be awesome with long, long daylight hours and warm temperatures. And Winter isn't that bad…
On March 15th, the Anti-Spyware Coalition released the finalized versions of two documents. One is titled Best Practices Suggestions and the other is on the topic of Conflicts Resolution. F-Secure is a member of the coalition and one of our security researchers was involved with the drafting process.
So, if you want to read a detailed description of what spyware is, then visit the coalition's document page.
We've seen another attack using an insecure feature of QuickTime called HREF Tracks. This feature lets a movie reference other resources by link and have them opened automatically when the movie is played. The QuickTime sample that we received tries to download and execute a spying JavaScript from this website:
http://profileawareness.com/logs4/[removed].js
We detect the JavaScript as Trojan-Spy:JS/Spacestalk.A. We detect the downloader as Trojan-Downloader:JS/Spacestalk.A.
The script collects MySpace information from the user, including the Username, FriendID, MySpace Display Name and other logins, and sends it back to the tracking server at http://profileawareness.com together with the current URL and the referring page.
Updated to add: We would like to note that Apple resolved this issue with QuickTime 7.1.5 – released on March 5th. See CVE-ID: CVE-2006-4965, CVE-2007-0059 for all the details.
So, you'll need Apple Software Update installed, or else you'll have to perform a manual download. We've already posted on manually downloading QuickTime. Some of our readers wrote to tell us that the update automation also includes "optional recommendations" to install iTunes…
This isn't particularly useful to those of us with corporate machines that want QuickTime but not iTunes.
BT – formerly known as British Telecom – conducts forums known as BT's Big Thinkers series.
F-Secure's Chairman of the Board, Risto Siilasmaa, was a panelist during a recent discussion along with Michael Barrett, the Chief Information Security Officer of PayPal. It was hosted by well-known security expert Bruce Schneier, and was moderated by Esther Dyson.
The discussion is about an hour in length. It takes a minute or two for the video to load from BT's site, probably due to the demand at the moment. Be patient, it's worth the wait.
It is that time of the year again. CeBIT, the world's largest IT fair starts today in Hannover, Germany.
As usual, CeBIT is massive. How massive? Over 6000 exhibitors from 80 countries. Close to half a million visitors over seven days.
Let me illustrate it like this. Our booth is in Hall 7, as it usually has been. This is where almost all of the other security vendors are too. And over 200 other vendors from other industries. So it's a pretty big hall.
Now, locate hall 7 from this map of CeBIT fairgrounds:
Spotted yet another PayPal phishing site this morning, running at securelogins.com.
The site contains a copy of the normal PayPal login screen:
If you log in, you'll get a prompt about the need to verify your information. Note how the page tries to con you into giving out your debit card number instead of a credit card number, as it would be more useful for these crooks.
This domain was registered two days ago – apparently the scam was still at the building stage. The domain is owned by Mr. James Sexton (fockerfocker123@aol.com). Yeah right.
What's the deal with QuickTime Player 7.1.3 for Windows?
If you select the "Update Existing Software" option from within QuickTime 7.1.3 you'll get the following notification:
But that's not exactly correct – version 7.1.5 is now available, and it includes security updates. If you download version 7.1.5 from Apple.com and install it you'll see this option:
Apple Software Update can be installed to easily update QuickTime and other Apple software. So does "easily update" mean that it's now the only way to update without manually checking Apple's site? What was wrong with the old method of having the client check for you?
While looking at some incoming malware, we noticed a trojan-downloader that downloaded additional malware from www.norton-kaspersky.com. Very funny. We've seen a similar domain (norton-kaspersky.ru) used by other downloaders already in December.
If you're a sysadmin, you might want to filter your traffic to that domain.
The same IP also has other interesting hosts, including www.spamh0use.com, www.norton-av2007.com, and www.kusik-tusik-traff.com.
Phishing: If you're interested in Phishing, check out this post at ZoneLabs. They have a cool photo of a box of cash. Lots of hundred dollar bills. The image's metadata is still intact.
For those of you interested in mobile issues: Earlier this week, an employee of Wal-Mart was fired for listening in on phone calls and intercepting text messages. The calls were between Wal-Mart staff and a news reporter. Slate magazine's Ask the Explainer answers the question: How Do You Intercept a Text Message?
Over at CNet, Robert Vamosi looks into evil twin attacks using a mobile phone rather than a laptop.
Patches: Microsoft published their Advance Notification bulletin yesterday. There are no security updates scheduled for next Tuesday… They must have been busy enough with the Daylight Saving Time change in the US this weekend.
There was another Nurech spammed today. The gang behind it has been masquerading as various German organizations when spamming out their malware, including GEZ, the German division of Ikea, and quelle.de.
Today we saw a run of mails claiming to be from a dating site named Singel.de:
The mails contained a ZIP attachment, with a file named Singel.de.pdf.exe inside.
When decoding this file, we saw that it attempts to download several more files:
Turns out, most of these URLs will not resolve and were probably put in there just to throw us off. However, the link ending with "tss0.txt" does work, returning two lines of text:
Now, this looks like a URL encoded with an 8-bit constant, doesn't it?
And in fact, it's encrypted by XORing each byte with 0x02. An easy way to decrypt something like this is to use the Edit feature in the HIEW hex editor.
And with this we get to the encrypted content, which is a link to yet another piece of malware:
We're in the process of shutting down the offending site. Also, we detect the dropped samples as Trojan-Downloader:W32/Nurech.BB and the downloaded sample as Trojan.Win32.Agent.aeq.
It seems that a big Norwegian netbank has been experiencing malware problems since last Friday. Internal tools are offline for some of their users, which users can open which applications appears random, and the online banking site has been slow. The bank is approaching a normal situation now, but apparently later than the original estimates.
Big banks have been hardening their defenses against phishing attacks. So what are the bad guys doing? They're going after the lower hanging fruit and are targeting smaller financial institutions such as credit unions.
Today's video is of a live phishing site mirroring a credit union in Hawaii.
Related Q&A questions:
– It sounds like you have a lot of fun there. How do you go about getting a job with you? By the way, I can't speak Finnish, is that a problem?
– What is the best way to get a job at F-Secure? What kind of people do you need?
– What skills are required to be in your line of work?
– I suspect that many people who read this blog would like to work doing virus/malware research or something similar. Would you have any advice for people who would like to pursue a career in this area?
Language – We're a very international organization and English is the official business language of F-Secure.
Kind of people – In response: those with code analysis and debugging skills. Our past challenges have introduced us to good candidates, so keep your eyes open for future ones. They're fun, but they also serve a practical purpose.
We'll address the types of skills we'd advise for anyone wanting to work in the industry in a future post.
First Question: Is the [banner] photo [on your weblog's home] page the full Finnish team? When will you also show the Malaysian team?
Six of the people in the current banner photo work in the Malaysian lab. The picture was taken last June during several weeks of training. And while on the topic of training, two from the Helsinki lab are now on three month assignments in Malaysia. So that makes a total of eight from the photo at the moment.
As the team is growing in both locations, our photo is once again becoming out-of-date. We'll do something about that in the near future.
Most of the Helsinki Security Labs team is in the photo. F-Secure as a whole is now made up of 500+ employees.
Second Question: How old is the youngest employee at F-Secure? The photo has at least one who looks to be a teenager.
Actually – there is a teenager in the photo. His name is Otto Ebeling. As mentioned above, the photo was taken in June, also the period of Otto's summer employment.
On Friday, WordPress reported that a server intrusion occurred on WordPress.org. The result is that version 2.1.1 of their blogging software is compromised by a backdoor. The intruders modified two files to include code that would allow for remote PHP execution.
WordPress has corrected the issue and has released version 2.1.2. You can read more details here.
A new Warezov run has been going on for some hours now. The e-mails seem to be constant and look like this:
Do not reply to this message
Dear Customer,
Our robot has fixed an abnormal activity from your IP address on sending e-mails. Probably it is connected with the last epidemic of a worm which does not have patches at the moment. We recommend you to install a firewall module and it will stop e-mail sending. Otherwise your account will be blocked until you do not eliminate malfunction.
Customer support center robot
The attachment is a ZIP file which contains a static EXE file. The name varies, but it's always something like Update-KB[random numbers]-x86.exe. We detect it as Email-Worm.Win32.Warezov.jx.
The latest comparative test results from AV-Comparatives.org are out. We did very nicely in the test and netted the highest "ADVANCED+" rating – unlike the big boys.
This test used almost half a million sample files. For full results, download the test report. (PDF)
Thank you for submitting your questions. Please keep them coming. We'll answer as many of them as possible over the next few weeks.
First Question: What hours do you guys work? I see updates to the weblog (and the virus definitions) at all hours of the day and night.
F-Secure has offices in fifteen countries and labs in four locations. The vast majority of malware analysis is done between our Helsinki and Kuala Lumpur labs. There are three shifts with a length of eight hours each – one in Helsinki, Finland and two in Kuala Lumpur, Malaysia.
Second Question: Are you _really_ using white labcoats when working in your Kuala Lumpur site?
Francis: Yes – sometimes. Really. The air conditioning is much, much colder in KUL than in HEL…
Third Question: Are there polar bears in Finland?
No. While there are many bears in Finland, they aren't polar bears. There are no polar bears in Kuala Lumpur either. Unless it's at the zoo.
A few weeks ago, Mikko took part in an online Q&A session. The questions and answers (in Finnish) were part of Finland's National Information Security Day. The session went very well, so we've decided to try something similar with the weblog.
What question have you always wanted to ask of us? Use the poll (allow script) to submit yours.