NEWS FROM THE LAB - April 2006


Thursday, April 27, 2006

No SMS sending Symbian bluetooth viruses sighted Posted by Jarno @ 15:49 GMT

Today we have received several questions concerning a new Symbian worm that spreads via Bluetooth and sends premium rate SMS messages.

We were puzzled about those questions however, as we haven't seen any such malware. And obviously we have not made any warnings of such, otherwise you would have seen it on our weblog.

So to clarify things, there are only two known pieces of malware that send SMS messages: Java/Redbrowser.A and SymbOS/Mquito.A. Both are trojans, which means that they don't spread by themselves: users have to download and install them before they can do anything.

Redbrowser.A is a trojan that sends SMS messages to a Russian premium-rate number without a country code, so the number only works from within Russia. And since the user interface of Redbrowser is in Russian, it is not a problem outside Russian-speaking countries.

Mquito.A is a cracked version of the game Mosquitos that sends SMS messages to a UK premium-rate number. That number has since been discontinued, so the message only costs as much as a normal SMS.

Other than these two trojans, we don't know of any other case of malware on any platform that would send SMS messages. And most certainly we have not seen a bluetooth worm that would do so.

Edited to add: This blog entry was rewritten on Friday the 28th. The original version referred to an article on VNUNet and made it sound like a journalist at VNU would have gotten details wrong in an article - when in reality our country manager had provided incorrect information. Sorry for the hassle.


New Century in Mobile Malware Posted by JP @ 12:42 GMT

In less than half a year our tally of mobile malware has doubled to 200. Many of those in that count are variants of already detected viruses, but the speed at which the number grows has real implications for all those with unprotected smartphones. At the least, this is a testing ground. What comes next?


FlexiSpy demonstrates well that your privacy can be violated. RedBrowser is a good example of social engineering being implemented. The techniques that work with PC malware are being tested on the mobile side.

Text-Payment and Mobile Wallet services are now being introduced by Mobile Service Operators - and where there's money, there's motive. Growth of these services could easily augment malware's attention to mobile platforms. Operators and device vendors need to continue to factor this into their business strategy and design.


Wednesday, April 26, 2006

Sometimes Those Error Messages Actually Mean Something Posted by Mika @ 12:19 GMT


Sometimes a support issue can lead to the detection of malware. As an example, this case of a blue screen error points to a rootkit as its cause.

Removing spyware from a computer is becoming an increasingly difficult task. Look2Me, a displayer of pop-up advertisements, is a good example of a persistent malware application that just won't go away. It uses some interesting techniques to remain installed.

Look2Me hooks into the winlogon process as a notification package. If the user tries to unregister the notification package, it is immediately reinstated. Look2Me also removes the Administrators group's debug privilege (SeDebugPrivilege) and thereby prevents the user from interfering. This, along with some other tricks, makes manual removal close to impossible.

The removal of the debug privilege has resulted in some BlackLight support calls for us. And so, even though Look2Me doesn't have any rootkit functions, the SeDebugPrivilege error inadvertently turns our BlackLight tool into a Look2Me detector!

One of our researchers has spent a good deal of time fighting with Look2Me and the result is a removal tool that can be downloaded from here.


Greetings from RSA Japan Posted by Mikko @ 07:15 GMT

Greetings from the RSA Japan conference in Tokyo! There are about 6000 delegates in this Asian version of the RSA security happening.


I snapped the photo above with a Nokia 3250. This is a new phone running Symbian 9.1 (S60 3rd edition) with a pretty impressive camera. Just look at this full-resolution image.

I'll be speaking later today about mobile malware and specifically about the situation in Japan. The Japanese phone systems are way ahead of the ones in Europe or in the USA. They are also ahead in security: we don't get infection reports from Japan at all. There are several reasons, but this is largely because of the operating systems in use here. Almost all of the currently known mobile malware targets Symbian Series 60 phones. Most smartphones in Japan are running Linux, iTron or Symbian - but not Symbian Series 60. Additionally, local operators heavily restrict who can write native code for their phones. End result: so far Japanese phones have been quite well protected against mobile virus problems.

Auf Deutsch

I'd be interested to know if they got my name right above. I'm afraid I'll just have to take their word for it...

Signing off,


Monday, April 24, 2006

Remember James? Posted by Mikko @ 17:53 GMT

Remember James Ancheta? The botmaster that was caught and convicted earlier this year. We covered this in January.


Now USA Today's Byron Acohido and Jon Swartz have done an extensive study into Ancheta's operations and even uncovered his arrest mug shot! Full story is available on




Reissue of MS06-015 Patch on Tuesday Posted by Sean @ 13:19 GMT

Microsoft's MS06-015 patch, released on April the 11th, resulted in Windows Explorer issues for some Windows users. Microsoft Knowledge Base Article 918165 provides documentation.

Tomorrow, Microsoft will re-release the patch targeting just those experiencing problems or those that have not yet installed the patch. The patch can be manually downloaded from here.


Saturday, April 22, 2006

First virus for Matlab Posted by Mikko @ 07:09 GMT

We've today received a sample of something that seems to be the first virus for Matlab m-files. We are calling it MLS/Lagob.A.

Matlab (made by Mathworks) is a high-level programming language for mathematical problem-solving. Matlab source files are known as "m-files".

The virus (known as "Bagoly") is not in the wild. It infects m-files parasitically by prepending its own replication code to the beginning of other m-files it finds. It doesn't do anything else in addition to spreading.



Friday, April 21, 2006

Man Bites Dog Posted by Sean @ 14:43 GMT


Patching an OS isn't new, but patching an OS to enable a virus? That might be. Linus Torvalds has recently patched the Linux kernel to fix a small bug that was revealed during the testing of a proof-of-concept cross platform virus. Fixing the bug enables the virus to work as it should. Though Torvalds doesn't seem to think that Virus.Linux.Bi is much of a virus, just a program that has an interesting way of writing to files for which it has permissions. For more details, the stories can be found here and here.




Wednesday, April 19, 2006

Question For Our Readers Posted by Sean @ 16:59 GMT

Here's a quick poll for you:

April 19th Poll Results

Edited to add [Friday the 21st]: It's the beginning of the weekend, Finland time, and so our poll has closed. Thank you to all those that participated!


Sunday, April 16, 2006

Image stealing by phishers Posted by Mikko @ 09:51 GMT

Lazy phishers often simply make a copy of the original bank site with some malicious modifications. As an example, take a look at this currently active phishing site targeting Chase Bank.

Chase phishing site

This phishing site is running on an infected home computer in Spain. Only the html is hosted there; all the images are actually loaded directly from a real server.

Now, activity like this could be detected by the website of the bank automatically. How about modifying the logic of the bank web server to do something along these lines:

If somebody

  a) loads my images but
  b) does not load the corresponding HTML file and
  c) sends HTTP Referer values from outside my domain

then, for this user, lets change this image:

Chase logo before

to this image:

Chase logo after

This could be activated only after the activity has happened from, say, 10 different IP addresses, to make it harder for the attackers to spot it until it's too late.

And, in most cases the Referer fields would point the bank staff directly to the real phishing site, which they could then start closing down.

Eventually, attackers would move to host their own images, but for now they still typically don't.
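As an added example (this is not code from the original post or from any bank), here is one way to implement the three-condition check above in Python, as a small server-side component: it records which client IPs have fetched an HTML page from the bank, counts the distinct IPs that request images with a Referer outside the bank's domain, and only switches to the warning image once a given foreign Referer has been seen from the configured number of IPs. The domain chase.com, the image paths, the phishing URL phish.example and the requests in demo() are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

IMAGE_EXTENSIONS = {"gif", "png", "jpg", "jpeg"}
PHISH_PAGE = "http://phish.example/chase/login.html"   # constructed phishing URL, not a real one


@dataclass
class Request:
    """One access-log entry; referer is empty when the browser sent no Referer header."""
    client_ip: str
    path: str
    referer: str = ""


class HotlinkDetector:
    """Decide per image request whether to serve the real image or the warning image."""

    def __init__(self, own_hosts, threshold=10):
        self.own_hosts = [h.lower() for h in own_hosts]   # e.g. ["chase.com"] covers www.chase.com too
        self.threshold = threshold                        # distinct IPs before the switch flips
        self.page_loaders = set()                         # IPs that fetched one of our HTML pages
        self.ips_by_referer = defaultdict(set)            # foreign Referer URL -> client IPs seen

    def _is_own_host(self, host):
        return any(host == own or host.endswith("." + own) for own in self.own_hosts)

    def _foreign_referer(self, referer):
        """Return the Referer URL if its host is outside our domain, otherwise None."""
        if not referer:
            return None   # no Referer at all: condition c) is not met, treat as benign
        host = (urlsplit(referer).hostname or "").lower()
        if not host or self._is_own_host(host):
            return None
        return referer

    def handle(self, req):
        """Return "page" for non-image requests, else "real" or "warning" for the image to serve."""
        ext = req.path.rsplit(".", 1)[-1].lower() if "." in req.path else ""
        if ext not in IMAGE_EXTENSIONS:
            self.page_loaders.add(req.client_ip)   # this IP did load our HTML: condition b) fails
            return "page"
        referer = self._foreign_referer(req.referer)
        if referer is None or req.client_ip in self.page_loaders:
            return "real"
        # a) image request, b) from an IP that never fetched our HTML, c) foreign Referer
        self.ips_by_referer[referer].add(req.client_ip)
        if len(self.ips_by_referer[referer]) >= self.threshold:
            return "warning"
        return "real"

    def suspected_phishing_sites(self):
        """Foreign Referer URLs that crossed the threshold: where to send the takedown team."""
        return sorted(ref for ref, ips in self.ips_by_referer.items()
                      if len(ips) >= self.threshold)


def demo():
    """Replay a constructed request stream: one legitimate visitor, then twelve phishing victims."""
    det = HotlinkDetector(own_hosts=["chase.com"], threshold=10)
    decisions = []
    # Legitimate visitor: loads the page first, then its logo with an in-domain Referer.
    decisions.append(det.handle(Request("198.51.100.7", "/index.html")))
    decisions.append(det.handle(Request("198.51.100.7", "/images/logo.gif",
                                        "http://www.chase.com/index.html")))
    # Twelve victims whose browsers fetch the logo straight from the bank while on the phishing page.
    for i in range(12):
        decisions.append(det.handle(Request(f"203.0.113.{i + 1}", "/images/logo.gif", PHISH_PAGE)))
    return decisions, det.suspected_phishing_sites()


if __name__ == "__main__":
    decisions, sites = demo()
    print(decisions)
    print("suspected phishing pages:", sites)
```

In the replay, the legitimate visitor always gets the real logo, the first nine victims also get the real logo (the switch has not flipped yet, which is the point of the threshold), and from the tenth distinct IP onwards the warning image is served for that Referer. Two caveats a practitioner should keep in mind: the Referer header is under the client's control and is stripped by some browsers and proxies, so a missing header must not be treated as evidence of anything (the code above deliberately treats it as benign); and, as the post itself notes, the check only works as long as the phisher keeps hotlinking the bank's images instead of hosting copies.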


This site needs to be shut down Posted by Mikko @ 09:28 GMT

There's another Bagle-related run going on. One of the download URLs that infected machines are polling for new content became active a couple of hours ago. This is one of those new nasty download links that provide a new, uniquely repacked version of the malware every 50 seconds or so.

This download link resides on a website belonging to some sort of real estate agency in Slovakia. We've been trying to get the download link on this site inactivated but so far nothing has happened. Easter holidays aren't exactly helping here either.

Bottom line: if you're a sysadmin, block access to any URL under for now. If you have contacts to this Slovakian company or their upstream provider (Active 24), have them take action as soon as possible or have them contact us. Thanks.

Edited to add: We now detect all the modified versions of the downloaded file as SpamTool.Win32.Bagle.g.

Edited to add: The download link is now down (the site itself works fine but the malware has been removed). Thanks Palo!

Edited to add: Ten hours later, they are now repeating the same operation from a URL under Abuse messages have been sent.

Edited to add [on Tuesday the 18th]: After several attempts, the site has finally been shut down by the ISP.

Edited to add [on Tuesday the 18th]: And now they've moved to Feel free to block access to this site at your gateways.

Edited to add [on Friday the 21st]: Three days later, is shut down by their ISP. We haven't seen a replacement domain pop up yet.

Edited to add [on Sunday the 23rd]: Now the replacement appeared. Block


Thursday, April 13, 2006

Forget about Windows update Posted by Mikko @ 12:43 GMT

Two days ago, we recommended that you get the latest Microsoft patches and to visit

But nowadays it really makes more sense to recommend Microsoft Update instead of Windows Update. Microsoft Update does everything Windows Update does plus, in addition to patching the operating system, it also patches other common Microsoft software. This includes patching software like Word, Excel, SQL Server etc. In fact, many people probably thought Windows Update did this already!

Patching Word is quite important - we're regularly seeing targeted attacks that e-mail booby-trapped DOC files to companies. Word is often not patched as diligently as Windows itself, and DOCs get through gateway filters much more easily than EXEs do.

The URL for Microsoft Update is - get this:

Makes you wonder why they aren't using for this - they do own the domain.

Edited to add: Turns out not all versions of Microsoft Office are supported by Microsoft Update. If you are running Office 2000, you still need to visit Office Update.


Wednesday, April 12, 2006

Design Flaw in Human Brain Prevents Detection of Phishing Websites Posted by Sean @ 07:59 GMT

"Why Phishing Works" is a recent study (PDF) that examines phishing website techniques. The most visually deceptive website spoof in the study was able to fool 90% of the study's participants. That 90% figure includes the most technically advanced users among the participants. It was the look, not the spoofing of security features, that did the job - something that our resident phishing expert found quite interesting.

Crossing disciplines and summing up this article published last summer in the journal Neuron - If you don't see something often, you won't often see it. Perhaps you could also say - If you don't see fakes often, you won't often see fakes. Therefore, many phishers while designing visually deceptive phishing sites count less on technical subterfuge than on the failings of the human brain's power of perception. If it looks like what the brain is expecting, then the brain often won't see that it isn't.


Why don't banks allow you to customize your online banking interface with a picture of your preference? Like your own mugshot? Your pet? Your girlfriend? The logo of your favorite team? Your country's entry to the Eurovision song contest? Something that would relate to you - something that you'd miss if it weren't there. There are companies that are working on visual personalization technology; we think it's a good idea that could help to reduce the size of the phishing net.


Tuesday, April 11, 2006

Patch available for the createTextRange() vulnerability Posted by Mikko @ 19:32 GMT

Finally, an update for the critical and widely exploited "createTextRange" vulnerability in Internet Explorer is available. It was made available in patch MS06-013 today as part of the scheduled monthly security patch set.

Today's set also patches two other critical vulnerabilities and some others.

Time to visit right about now, then.

Edited to add: The hyperlink above has been correct, but the text of the link was incorrectly reading "udpate" until the 18th of April.




Friday, April 7, 2006

Exhibit 5 - A Better Internet? Posted by Stefan @ 14:20 GMT

In case we didn't already know - people don't like Spyware. Well, they really don't like Spyware. The New York Attorney General's office has brought suit for illegal practices against Direct Revenue and the exhibits make for interesting reading. Ben Edelman has a copy of the case documents here. Exhibit 5 has more than a few examples of the hate mail that Direct Revenue received. This is one of the less vulgar:


Direct Revenue, makers of VX2, ABetterInternet, and BestOffers, is a company that is known for its use of less than honest affiliates. Those affiliates have the very bad habit of installing software without user consent. Due to the method of installation, even the uninstaller offered by Direct Revenue didn't always work - evidenced by the table in the exhibit.

Direct Revenue has gone from shady to less shady over the years, but perhaps not quickly enough to avoid the eye of Attorney General Spitzer.


Keynote video from HITBSecConf2005 Posted by Mikko @ 12:37 GMT

This isn't brand new, but I just got it.

Here's a professionally shot video showing my keynote presentation in the HITBSecConf2005 security conference in Kuala Lumpur, Malaysia in September 2005.

I'm covering the status of mobile malware in detail, including browsing through some code and showing a live demo with a Symbian trojan. There's a questions and answers session in the end too.


The video is 1 hour 20 minutes long and is 56MB in size. Download from here.


PS. Thanks to Dhillon for letting me repost it!


Tuesday, April 4, 2006

Nordea Phishing is Back Posted by Katrin @ 13:42 GMT

We blogged about Nordea phishing cases in October and December of last year. Today we have reports of a new phishing case targeting Nordea's online banking. As before, this kind of phishing is an attempt to steal the customer's one-time passwords. Here is an example of one of the phishing e-mails:


The link in the e-mail is obfuscated: it doesn't lead where its text suggests, but instead opens another web page where the victim is supposed to fill in their unused one-time passwords and all of the confirmation codes for Nordea's online banking. The new phishing attempt is very similar to the previous two. What's new is the e-mail's content, the obfuscated link, and the fact that it collects the e-mail addresses of those who click the link.


Moomin Anti-Virus is for Real Posted by Sean @ 13:36 GMT

For some reason, a surprising number of people thought that our new cartoon-themed security product was an April Fool's Day joke.


Well, we suppose that's what you get when you announce something this groundbreaking on the 1st of April!

But the Moomin-themed product is very real and it will soon hit the shops. It's already for sale in Japan - and there's good reason for that. The worldwide popularity and merchandising of the Moomin family dramatically increased in the 1990's when a Japanese production studio animated the stories, making them massively popular there.

Moomin Stuff

We can also recommend Tove Jansson's Moomin books, which are available in English at many major online retailers.


Saturday, April 1, 2006

F-Secure Internet Security & the Moomins! Posted by Mikko @ 14:25 GMT

Good morning. Today, on the 1st of April, we have announced the release of a Moomin-character themed F-Secure Internet Security product.

Moomins are a popular series of cartoon characters, created in the 1940s by Tove Jansson. And now they have their own computer security product.

The user interface of the Moomin-themed F-Secure Internet Security looks really cool, check this out:

FSIS Moomin interface

The product will be available (in Japanese and English) from our online store in two weeks time or so.

For more information, see our Japanese site or the press release.