Digital currency company E-gold has been indicted by the U.S. Department of Justice for suspected money laundering and illegal money transmitting. This is interesting as we have seen E-Gold, Webmoney, Western Union, Fethard and other similar services being used by online criminals for quite a long time.
For example, here's a snippet from the Iframecash web site – this gang has been known to use exploits (such as WMF and ANI) to drop drive-by-installs to innocent bystanders' machines.
We have no information whether E-gold staff has been aware of misuse of their services, or whether they have been able to do anything to prevent misuse. But we sure have seen lots of criminals using E-gold.
For the past couple of days, there's been unrest and rioting in Estonia.
Quoting CNN: "Police arrested 600 people and 96 were injured in a second night of clashes in Estonia's capital over the removal of a disputed World War Two Red Army monument … Russia has reacted furiously to the moving of the monument … Estonia has said the monument had become a public order menace as a focus for Estonian and Russian nationalists."
We're now seeing large attacks against websites run by the Estonian government. Some of the sites are unreachable. Others are up, but do not allow any traffic from foreign IP addresses.
Here's the status as we saw it on Saturday at 15:00 GMT:
www.peaminister.ee (Website of the prime minister): unreachable
www.reform.ee (Party of the prime minister): reachable
www.agri.ee (Ministry of Agriculture): reachable
www.kul.ee (Ministry of Culture): reachable
www.mod.gov.ee (Ministry of Defence): reachable
www.mkm.ee (Ministry of Economic Affairs and Communications): unreachable
www.fin.ee (Ministry of Finance): reachable
www.sisemin.gov.ee (Ministry of Internal Affairs): unreachable
www.just.ee (Ministry of Justice): reachable
www.sm.ee (Ministry of Social Affairs): reachable
www.envir.ee (Ministry of the Environment): reachable
www.vm.ee (Ministry of Foreign Affairs): unreachable
www.pol.ee (Estonian Police): reachable
www.valitsus.ee (Estonian Government): unreachable
www.riigikogu.ee (Estonian Parliament): unreachable
News from the Lab, the blog you're reading now, was started in January 2004. Now we have a second blog to offer you. This one is coming from our Linux Team and is called F-Secure Linux Blog.
As you would expect, the blog is also available as an RSS feed.
F-Secure has pretty much always had strong support for Linux platforms, and today we ship both server and client security software for Linux. Our Rescue boot-up CDs also run on Linux (link to ISO).
The aim of the blog is to write about things relevant to our Linux geeks, which might often be interesting to other Linux geeks as well.
P.S. Linus Torvalds used to bicycle by our office every now and then when he was still living in Finland…
Continuing with the Question of the Day that we've been pondering on for the last couple of posts… things get even more interesting.
It turns out some users are not seeing the weird behavior of Google but they are instead getting sensible results.
Compare this screenshot, sent in by Jean W, to the one in the previous weblog post:
Alexander S theorized that this difference might be the result of hitting different Google data centers and some of them are somehow out-of-sync.
We did get a fairly good solution from Paul J, who rationalized why Google would sometimes show that a search would only have 4 or 5 results when it really has much more:
The difference is that first 5 have the search string text in the page, whereas the remaining search results have it linked from the page
Results 1 - 10 of about 5 for allintext: 13123390. (0.14 seconds)
Results 1 - 10 of about 0 for allinanchor: 13123390. (0.15 seconds)
We got quite a few answers to our question of the day but no conclusive answer.
The mystery is why Google gives such contradictory information when you search for the keyword "13123390".
Google says there are only five hits, but it's displaying the first ten of them?
And there are five more pages of this… so obviously there are more than five hits.
We did get lots of good guesses on what might be going on, including:
"The string in question, 13123390, is the same in decoded and encoded form. When search engines and web-indexing apps run across this text, it knocks things out of whack due to the identical nature of the decoded/encoded string."
"Results that are 'similar' were removed from the list...Why Didn't this Happen Immediately: Theory: In order to NOT process a complete list with a large set of results, Google performs "look aheads" to analyze the data. This look ahead is performed based on the page you are on. This "look ahead" only analyzes a couple pages immediately proceeding the initial page. Since you usually find what you are looking for in the first few pages, this means that Google doesn't have to perform a massive operation to eliminate duplicate/similar results."
"The distributed google index keeps track of many things, one which is the probabilistic frequency of search terms and words (or numbers) in their index. The search results page uses these figures to give hunch estimates on the search result relevancy, while the actual results are gathered from the full index. Hence, for some terms the figures don't seem to match. Seemingly irrational numbers are good for demonstrating it. Personalized results and/or link spamming prevention algorithms may play their part in this as well. And of course, for some things, censorship."
"I'm going to take a wild guess and say that 4 is the average of 1, 3, 1, 2, 3, 3, 9, and 0."
In our recent examination of Banker Keyloggers and Phishing sites we're noticing a growing trend. "Military" banks.
The image below is an example taken from a site that hosts a Man-in-the-Middle Phishing Kit.
Among the usual suspects is Bank of America Military.
Why target banks that cater to U.S. military personnel? Our guess is with the increased deployment of U.S. Military personnel around the world, they've become an interesting target for the bad guys. If you're away from home – you'll do your banking online.
Greetings from Bangkok, where Interpol and the United Nations Office on Drugs and Crime are hosting a Congress about Financial Crime.
The lineup of speakers is excellent and we've been hearing some very interesting presentations about, for example, how Western Union and Visa are handling fraud, on the take down of Shadowcrew, and how the bad guys are laundering money. Myself, I gave a presentation about how botnets are becoming more advanced and going kernel-mode.
Special thanks to the interpreters; it can't be easy to translate words such as botnets, kernel, ring-0, and Command & Control in real time.
It seems that SMS phishing scams have come closer to home. As it turns out, apparently lots of people here in our Kuala Lumpur office received similar text messages during the week.
Below is the message that we received on our mobile phones:
Translation: "Announcement from PETRONAS MLSY. CONGRATULATIONS your phone number has won a prize of RM 11000. (About US$3,200) Please contact the following number at 0062858853982xx tomorrow morning at 8.00am. Thank you".
The SMS message was received at 12:15am on 16/4/2007. This looks pretty odd – why would Petronas Malaysia, a national Oil and Gas company in Malaysia, want to send an SMS at this time?
From the phone numbers that we got from the SMS, we know that they belong to the Indonesian mobile network Indosat and therefore the phisher is located somewhere in Indonesia. This was further confirmed when the phisher spoke to us in Malay with a clearly Indonesian accent.
Apparently, this is not the first time these numbers have been used in an SMS phishing attack – the first reported attack using this number was on the 23rd of March 2007.
We decided to call the listed number and play along with the phisher to find out more about the phishing scheme. The original conversation was in the Malay language. Here is a translated transcript:
Phisher: Hello.
Us: Hello.
Phisher: What is your name?
Us: My name is Devinder.
Phisher: What's your phone number?
Us: My number is xxxxxxx.
Phisher: Congratulations, we have chosen your number to win RM 11000. What is your bank account number?
(Line got disconnected at this point.) (Next call.)
Phisher: Hello, Mr. Devinder?
Us: The line was disconnected just now…
Phisher: In order for us to transfer the RM 11000, we need your bank account number.
Us: I am using Maybank.
Phisher: Do you have an account in any other bank other than Maybank?
Us: I have Maybank only.
Phisher: You can't use Maybank because we have another winner who is using Maybank. You need to have an account in one of these banks – RHB, Affin Bank, Bank Simpanan Nasional, Eon Bank and Public Bank.
Us: I have an account in Bank Simpanan too.
Phisher: Do you have an ATM card? We will not be able to give you the money if you don't have an ATM card. Do you have any friend who has an ATM card for an account in any of the [mentioned] banks?
Us: Yes, my friend has a Giro ATM from Bank Simpanan and we can give you the number. The number is xxxx.
Phisher: Is this the number on the card?
Us: Yes.
Phisher: Is it an ATM card?
Us: Yes, it is an ATM card.
Phisher: How much money do you have in that account?
Us: I have around one thousand Ringgit.
Phisher: Now go and check your balance from an ATM machine. It will be RM 12000 now.
Us: How are you going to send the money? Are you going to send a check?
Phisher: I am going to send a check to you. Please go to the ATM machine to insert the check in the ATM machine.
Us: What is your name?
Phisher: Mohammed Paisol.
Phisher: Go to the ATM machine now and call us from there.
Us: Ok. I will do that. Bye.
(After a short time we tried calling again.)
Us: I am at the ATM machine now.
Phisher: What is your name?
Us: Devinder.
Phisher: Why did you call again?
Us: Because just now you told me to go to the ATM machine.
Phisher: So are you at the ATM now?
Us: Yes.
Phisher: Are you familiar with the ATM machine?
Us: Yes, I'm used to using it.
Phisher: Please put your card in.
Us: Ok, the card is in.
Phisher: What did the display say on the screen?
Us: The screen says to choose either English or Bahasa Melayu.
Phisher: Please choose Bahasa Melayu.
Us: Ok, I have chosen it.
Phisher: Key in your PIN number.
Phisher: You have to be at the ATM! I know that you are not at the ATM now!
Us: No, I'm at the ATM now.
Phisher: No! You are not at the ATM now!
Us: I'm at the ATM.
Phisher: Have you inserted the card?
Us: Yes.
Phisher: Take the card out!
Us: Ok, it's out.
Phisher: It's ok. It's obvious you don't deserve the money. Thank you!!
The phisher hung up abruptly right after that.
We are still in the process of getting the latest information on this phisher. Two days later, we asked our PR Manager to call the phisher from a mobile phone and found that the number was now forwarding to another mobile phone whose voice mail box was apparently full. As a result we had to abort the call.
So, everyone out there, be prudent when you receive this kind of SMS on your mobile phones.
There were a good number of responses to yesterday's post that correctly provided the what…
Weblog Reader Ville was one of several that also provided the why. The answer is really simple, right?
d41d8cd98f00b204e9800998ecf8427e = 0 byte MD5 hash
da39a3ee5e6b4b0d3255bfef95601890afd80709 = 0 byte SHA1 hash
Both appear not only in numerous tutorials on the web concerning these two hashing algorithms, but also, and more importantly, in places where these hash functions are used for file integrity. Since an empty file produces these hashes, any place that lists hashes for files will often feature these two particular strings. Thus, while they look like random strings of letters and digits, their appearance on the web is common because of these two popular hashing algorithms.
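The point above is easy to verify, and it has a practical use for anyone reviewing published hash manifests: a listed digest equal to the empty-input MD5 or SHA-1 means the file was empty (or missing) when it was hashed, which is worth flagging before trusting the manifest. The following Python is an added example, not code from the original post; the manifest contents and filenames in it are constructed, and only the two empty-input digests are real values.

```python
import hashlib

# Added example (not from the original post): compute the digests of zero bytes
# and use them to flag integrity entries that were produced from an empty file.
EMPTY_INPUT = b""


def empty_digests():
    """Return the MD5 and SHA-1 hex digests of a zero-length input."""
    return {
        "md5": hashlib.md5(EMPTY_INPUT).hexdigest(),
        "sha1": hashlib.sha1(EMPTY_INPUT).hexdigest(),
    }


def is_empty_file_hash(hexdigest):
    """True if hexdigest is the MD5 or SHA-1 of zero bytes, i.e. the hashed 'file' was empty."""
    return hexdigest.strip().lower() in empty_digests().values()


# Constructed sample of a hash manifest of the kind published beside downloads.
# Filenames are hypothetical; the middle digest is just an arbitrary non-empty value.
SAMPLE_MANIFEST = """\
d41d8cd98f00b204e9800998ecf8427e  release-notes.txt
9e107d9d372bb6826bd81d3542a419d6  tool.bin
da39a3ee5e6b4b0d3255bfef95601890afd80709  installer.exe
"""


def suspicious_manifest_entries(manifest_text):
    """Return filenames whose listed digest is the empty-file MD5 or SHA-1.

    Lines are expected as '<hexdigest>  <filename>' (md5sum/sha1sum style);
    anything else is skipped rather than guessed at.
    """
    flagged = []
    for line in manifest_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        digest, name = parts
        if is_empty_file_hash(digest):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print(empty_digests())
    print(suspicious_manifest_entries(SAMPLE_MANIFEST))
```

Running the block prints the two digests from the post and flags release-notes.txt and installer.exe, whose manifest entries were (in this constructed sample) computed over empty files.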
We'll be sending Ville, and a few other randomly selected responses, a set of our laptop stickers.
Update: 18 April @ 9:57 GMT Thanks to everyone that has already sent in an answer to our question of the day, the response was overwhelming. We have enough…
Yup! There is another Skype worm on the loose and our detection for it is IM-Worm:W32/Pykse.A. It spreads by sending a message with a malware link to all online friends in Skype's contact list using the Skype API.
The message is randomly chosen from the following list:
Before sending the message, it will set the infected Skype user's status to DND (Do Not Disturb). As a side effect, it will not actively notify the user of calls or messages as shown in the warning message below:
Once the link is clicked, it will redirect and download the malware file:
Once you have downloaded and executed the file from the link, it will show you a picture of a lightly dressed woman, to avoid suspicion:
So what's the motive behind this worm?
It seems that it is promoting the following websites:
http://aras.lookingat.us/index.htm
http://asilas.my-php.net/index.html
http://bobodada.3-hosting.net/index.html
http://bobos45.bebto.com/index.html
http://gogo442.hatesit.com/index.html
http://jackdaniels.110mb.com/index.html
http://timboss.1majorhost.com/index.html
http://zozole.php0h.com/index.html
These websites all look the same. Here's a sample screenshot:
The following site is also visited:
http://aras.allfreehost.net/cal[REMOVED]nt.php
This is most probably a counter to find out how many users are infected. It could also be a way for the malware writer to quantify his profit. Who knows; malware nowadays is mostly financially motivated.
We have another phishing related demo for you today. This time it's a Rock Phish Kit in action. Rock Phish allows nontechnical individuals to create and carry out phishing attacks.
Earlier today, several e-mails with love themed subjects were seen in the wild. While some of the subjects are a rehash of previously used subjects such as Sending You My Love, The Dance of Love, and When I'm With You, others are new:
A Dream is a Wish
A Is For Attitude
Eternal Love
Eternity of Your Love
Falling In Love with You
Hugging My Pillow
Inside My Heart
Kisses Through E-mail
Our Journey
Sent with Love
When Love Comes Knocking
You're In My Thoughts
You're the One
The e-mail messages themselves have no text; instead, they have attached executables with romantic-sounding filenames. These include:
Love Card.exe
Love Postcard.exe
Greeting Card.exe
Postcard.exe
All files are detected as Email-Worm.Win32.Zhelatin.ct.
A second run occurred after a few hours. This time, the subjects were security related.
Furthermore, the message body is an image file which advises the receiver to patch their systems. Also included within the image is a password in order to extract the attachment.
Something new to the Zhelatin family is the use of a password protected Zip archive as an attachment. The filenames vary but they have the following format:
patch-[4 to 5 random numerical characters].zip
hotfix-[4 to 5 random numerical characters].zip
The executable contained within the Zip archive has the same name as that of the archive but with an EXE extension.
Executables are also detected as Email-Worm.Win32.Zhelatin.ct while the Zip archives are detected as Password-protected-EXE. Latest detections are included in update 2007-04-13_01.
First Question: Do You have a virus lab in the USA or Canada?
We do have lab facilities in San Jose, California if needed. Currently our shifts are handled in Malaysia and Finland.
Second Question: Does the weblog team just cover those who analyze malware or does it cover those involved in researching and developing new products, and those involved in producing the software? … Is it true that you have to be a heavy rock musician or heavy rock fan to work in the labs?!
The weblog team members work in the Response and Research Labs – our product software is developed and designed by other teams within F-Secure. The internal components of some of those products may be the results of research. So some things are born here, but then they are in the hands of other teams.
Do you have to be a Heavy Rock fan? No. But it certainly doesn't hurt.
Third Question: There have been multiple questions regarding our RSS and we want to update the feed, but before we do, we'd like to poll you on what software you use:
Our March 1st Poll is still open for any that would like to submit questions. We still have some from March left to answer, but welcome more in the meantime.
Included are five critical updates for vulnerabilities in Universal Plug and Play, Windows CSRSS, Microsoft Content Management Server, and Microsoft Agent that could allow remote code execution. This month's security update also includes the earlier patch (MS07-017) for the ANI vulnerability. Please make sure to patch your systems to avoid attacks that exploit these vulnerabilities.
A large amount of malicious e-mail has been sent with subjects suggesting a missile strike on civilian targets in Iran:
"USA Just Have Started World War III"
"Missle Strike: The USA kills more then 20000 Iranian citizens"
"Israel Just Have Started World War III"
"USA Missile Strike: Iran War just have started"
A malicious executable named "video.exe", "movie.exe", et cetera is attached.
We got a sample submission earlier today… a file called Oslo.zip.
The person who submitted it is actually a celebrity: you all know him:
What Oslo.zip contained was a virus for Apple's iPod.
However, this virus is able to replicate only on iPods that are running the iPod Linux operating system. It does not work on normal iPods that are running the default iPod operating system.
iPod Linux is a uClinux-based software distribution targeted specifically to run on Apple iPods. It enables the iPod to run a variety of third-party software, such as games.
So it's a proof-of-concept virus for a rare operating system, and it's not going to become a real-world problem. However, it does show that the computer underground is actively studying new platforms such as portable devices.
And it really is theoretical. After we got the sample, we installed iPod Linux on some iPods we had at hand, but we couldn't get the malware to operate correctly no matter what we tried. However, our friends at Kaspersky did get it working. Pictures and more information available on their blog.
Mikko here. Excellent conference going on in Dubai. The organizers have managed to collect an excellent speaker lineup from all over the world (USA, India, Germany, Singapore, South Africa, Malaysia, Finland…).
The beginning was a bit unusual: all guests were asked to stand up when the guest of honour, His Excellency Mr. Mohammed Nasser Al Ghanim, arrived to deliver the welcome address. Afterwards Lance Spitzner and I were invited to have a private chat with him. Learned interesting stuff: for example, the United Arab Emirates has just set up its own CERT (aeCERT).
Two independent researchers, Vipin and Nitin Kumar from India, had an interesting demo with a proof-of-concept rootkit that loaded from the boot sector during the boot-up process. Similar to the eEye Bootroot technique… except this one also worked under Windows Vista!
Remember Mark Weber Tobias? We blogged about his research into security locks in October 2004 while we were conducting our own hands-on testing against laptop locks. He was at the conference, demoing bump key attacks against different locks live. Impressive. Don't lend your keys to this guy.
Tareq Saade from Microsoft made an interesting note regarding the malware situation in the Middle East. As many countries centrally filter questionable content (offending sites, porn, et cetera) for all citizens, this has actually helped the malware situation somewhat. Access to some spyware web sites is blocked, preventing tons of infections that would otherwise happen. It would actually be a good idea to use this functionality to filter dangerous sites (exploits, phishing, et cetera) more aggressively.
Signing off, Mikko
P.S. Thanks to biatch0 for the conference photo. I took the Rolls photo from a local parking lot.
As discussed in our previous post, this update was released earlier than the usual second-Tuesday monthly Security Release because of the alarming increase in malware and sites exploiting the ANI vulnerability. Please make sure you install this security update right now!
Update: When you install the patch on a computer with a Realtek audio card, you might get an error message reading "Rthdcpl.exe - Illegal System DLL Relocation". Microsoft has released a hotfix for this, so if you have this problem, you can download the fix here.
Hot on the heels of the new ANI exploit is a new Warezov sample.
No variations were seen among the e-mail samples received; they all look like this:
The attachment is a ZIP file that contains an executable file. The filename is in the form of Update-KB[random numbers]-x86.exe and is detected as Trojan-Downloader:W32/Warezov.KG.
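Both the Zhelatin run above (patch-/hotfix- ZIP archives holding a same-named EXE, and the "card" executables) and this Warezov run use predictable attachment names, which a mail gateway or a log reviewer can match directly. The following Python is an added example, not the lab's own tooling; the regular expressions are my reading of the naming formats the two posts describe (the digit count in the Warezov name is left open, since the post only says "random numbers"), and the sample attachment names are constructed.

```python
import re

# Added example (not from the original posts): match mail attachment names against
# the naming patterns described for Zhelatin.ct and Warezov.KG.
PATTERNS = {
    # patch-[4 to 5 digits].zip / hotfix-[4 to 5 digits].zip, password-protected archives
    "Email-Worm.Win32.Zhelatin.ct (password-protected zip)":
        re.compile(r"^(patch|hotfix)-\d{4,5}\.zip$", re.IGNORECASE),
    # first Zhelatin run: bare executables with romantic names
    "Email-Worm.Win32.Zhelatin.ct (card executable)":
        re.compile(r"^(Love Card|Love Postcard|Greeting Card|Postcard)\.exe$", re.IGNORECASE),
    # Update-KB[random numbers]-x86.exe inside a ZIP; digit count assumed unbounded
    "Trojan-Downloader:W32/Warezov.KG (fake update)":
        re.compile(r"^Update-KB\d+-x86\.exe$", re.IGNORECASE),
}


def classify_attachment(name):
    """Return the detection label whose naming pattern matches, or None."""
    for label, pattern in PATTERNS.items():
        if pattern.match(name):
            return label
    return None


def inner_name_consistent(archive_name, member_name):
    """Zhelatin's archive holds an EXE named like the archive (patch-1234.zip -> patch-1234.exe).

    A password-protected ZIP whose only member follows this rule is a stronger signal
    than the archive name alone.
    """
    stem = re.sub(r"\.zip$", "", archive_name, flags=re.IGNORECASE)
    return member_name.lower() == (stem + ".exe").lower()


def flag_attachments(names):
    """Return (name, label) pairs for every attachment name that matches a pattern."""
    flagged = []
    for name in names:
        label = classify_attachment(name)
        if label:
            flagged.append((name, label))
    return flagged


# Constructed sample attachment names (the numbers are made up for the example).
SAMPLE_ATTACHMENTS = [
    "patch-12345.zip",
    "hotfix-9876.zip",
    "hotfix-123.zip",          # only three digits: does not fit the described format
    "Love Card.exe",
    "Update-KB123456-x86.exe",
    "quarterly-report.pdf",
]

if __name__ == "__main__":
    for name, label in flag_attachments(SAMPLE_ATTACHMENTS):
        print(f"{name:28s} -> {label}")
    print(inner_name_consistent("patch-12345.zip", "patch-12345.exe"))
```

The three-digit "hotfix-123.zip" is deliberately left unmatched: the pattern encodes exactly the 4-to-5-digit format the post describes, and widening it is a judgement call for whoever tunes the filter.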
It downloads a file from the following link: http://buheradesunme.com/[removed].exe
This new file is the worm component and is detected as Email-Worm:W32/Warezov.MG.
Detections have been included since update 2007-04-03_02.
Microsoft has announced that it will release an update for the ANI vulnerability on Tuesday the 3rd of April. This is a week early, as they usually release security patches on the second Tuesday of each month, but as there is increasing activity from sites and malware using the ANI vulnerability, they decided to release it early.
You might wonder how they were able to get the update out so quickly, considering it was first used in exploits late last week. The ANI vulnerability was actually brought to Microsoft's attention back in December 2006, according to their Security Response Blog, and they've been investigating and working on a fix since then.
Until Microsoft has released the update, you can count on us to continue adding detection for known versions of the ANI exploit and worms.
The Chinese Internet Security Response Team is reporting on a new worm using the ANI exploit to spread.
This is real and we've confirmed it: however, we've only received six customer reports so far.
We detect the main worm file as Trojan-Downloader.Win32.Agent.bkp and the files downloaded by the worm mostly as different variants of Trojan-PSW.Win32.OnLineGames.
The worm tries to locate all HTML files on the system and modifies them to insert a script that loads an ANI file from macr.microfsot.com. When such web pages are viewed, or uploaded to a web server, they spread the infection further.
In addition to spreading via the ANI exploit, it also tries to spread via USB sticks and other removable media.
An easy way to confirm an infection is the existence of tool.exe and autorun.inf in the root of every drive, or sysload3.exe dropped to the SYSTEM32 folder. Sysadmins can monitor their outgoing e-mail to spot this. Mails sent to addresses like 578392461@qq.com, 47823@qq.com, or 3876195@qq.com would indicate an infection.
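The indicators listed above (tool.exe plus autorun.inf in drive roots, sysload3.exe in SYSTEM32, HTML files referencing macr.microfsot.com, and outgoing mail to the three qq.com addresses) are simple enough to check mechanically. The following Python is an added example, not the lab's own code: the checks are written as pure functions over directory listings, file contents and log lines so they can be exercised against constructed data, with one wrapper that inspects real directories. The sample listings, HTML snippet and mail-log lines are constructed, and the mail-log format is a generic one rather than any particular server's.

```python
import os

# Added example (not from the original post): checks for the infection indicators
# the post lists. Indicator values are taken from the post; sample data is constructed.
DRIVE_ROOT_MARKERS = {"tool.exe", "autorun.inf"}
SYSTEM32_MARKER = "sysload3.exe"
INJECTED_HOST = "macr.microfsot.com"
WORM_MAIL_RECIPIENTS = {"578392461@qq.com", "47823@qq.com", "3876195@qq.com"}


def root_infected(entries):
    """True when both tool.exe and autorun.inf are present in a drive-root listing."""
    names = {e.lower() for e in entries}
    return DRIVE_ROOT_MARKERS <= names


def system32_infected(entries):
    """True when sysload3.exe is present in a SYSTEM32 listing."""
    return SYSTEM32_MARKER in {e.lower() for e in entries}


def html_injected(html_text):
    """True if an HTML document references the worm's ANI-hosting domain."""
    return INJECTED_HOST in html_text.lower()


def mail_log_hits(lines):
    """Return (line_number, address) for outgoing mail addressed to the worm's drop addresses."""
    hits = []
    for number, line in enumerate(lines, 1):
        lowered = line.lower()
        for addr in sorted(WORM_MAIL_RECIPIENTS):
            if addr in lowered:
                hits.append((number, addr))
    return hits


def check_live_host(drive_roots, system32_dir):
    """Inspect real directories on a Windows host; wraps the pure checks above.

    Returns a dict of path -> True/False, or None when the path could not be listed.
    """
    report = {}
    for root in drive_roots:
        try:
            report[root] = root_infected(os.listdir(root))
        except OSError:
            report[root] = None
    try:
        report[system32_dir] = system32_infected(os.listdir(system32_dir))
    except OSError:
        report[system32_dir] = None
    return report


# Constructed sample data for running the checks offline.
SAMPLE_ROOT_LISTING = ["Program Files", "Windows", "tool.exe", "AUTORUN.INF"]
SAMPLE_CLEAN_ROOT = ["Program Files", "Windows"]
SAMPLE_HTML = (
    '<html><body><p>hello</p>'
    '<script src="http://macr.microfsot.com/PLACEHOLDER"></script></body></html>'
)
SAMPLE_MAIL_LOG = [
    "2007-04-01 10:02:11 from=alice@example.com to=bob@example.com status=sent",
    "2007-04-01 10:02:40 from=alice@example.com to=578392461@qq.com status=sent",
    "2007-04-01 10:03:05 from=carol@example.com to=47823@qq.com status=deferred",
]

if __name__ == "__main__":
    print("root infected:", root_infected(SAMPLE_ROOT_LISTING))
    print("html injected:", html_injected(SAMPLE_HTML))
    print("mail hits:", mail_log_hits(SAMPLE_MAIL_LOG))
    # On a real Windows host: check_live_host(["C:\\", "D:\\"], r"C:\Windows\System32")
```

The mail-log check is the cheapest of the four to run fleet-wide, since it needs only the gateway's logs rather than access to each host; the drive-root check is the quickest confirmation once a host is suspected.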
December 8th, 2006 was the Nintendo Wii's European launch date. Three Helsinki Lab members were infected that day and two more soon followed. Kamil's Wii was immediately tested in the lab, and frankly, productivity just might have taken a hit. Wii is very infectious. Good thing it was a Friday.
Today there are now at least eight people working in or directly adjacent to the Helsinki Lab that have become infected by Wii. No telling just how many infections exist within the entire building. There's even a dedicated Wii in the Response Lab itself…
Here's some video evidence of what this thing does to people.
Careful review of the Wii's log files reveals that there are now several Tennis "Pros" and that the Wii is powered up several times a week following the Helsinki shift. It seems that we're firmly in its grip. But at least we're able to contain it to the end of the day.
So we might as well make the best of it! If you're a game developer and want some beta testers – contact us via the Weblog's e-mail address. Tennis. We want more Tennis especially. And we're quite willing to assist accessory makers as well. Cheers!