NEWS FROM THE LAB - May 2006
 

 

Wednesday, May 31, 2006

 
Yahoo Profiles Phishing Redux Posted by SGMasood @ 12:19 GMT


Regular readers of our weblog will remember a post we made during the first week of May about a Yahoo! Account phishing scam. It was not flagged at that time by any of the popular URL blacklists and URL rating services that we checked it against, in spite of it being around for a significant amount of time. Well, surprisingly, the phishing site (yahoo-members.com) is still active even though the Yahoo! abuse team has reportedly taken action against it. Even more surprisingly, several URL blacklists and rating services still fail to warn against the site even though they were alerted to it weeks ago.

The most likely reason for the longevity of the phishing site is that it was not a widespread attack and it didn't target a major financial service. Hence, it managed to stay under the radar of the blacklists. Since way-under-the-radar spear phishing is the fastest growing category of phishing, this certainly doesn't portend a good future for most existing anti-phishing measures in the market - considering blacklisting is currently the most popular method for combating phishing.

We would like to hear what you think are good solutions to combat highly targeted spear phishing attacks. E-mail us at the weblog address listed at the top of this page.

 
 

 
 
Tuesday, May 30, 2006

 
No, Microsoft has not released a new patch Posted by Patrik @ 16:35 GMT

Today we have received samples of an e-mail that has been spammed out to lots of recipients, made to look like an e-mail from Microsoft, with a link to what is supposed to be a patch for a new vulnerability in the Microsoft WinLogon Service. Of course it isn't, and even though the link looks like it's going to www.microsoft.com, it will take you to http://www.redcallao.com/[undisclosed]/winlogon_patchV1.12.exe instead, which is a password-stealing trojan that we detect as Trojan-PSW.Win32.QQPass.ho.

Using Microsoft and the "patch for a new vulnerability" theme is nothing new. Back in 2003 the e-mail worm Swen, which at the time was classified as F-Secure Radar 1, used the same social engineering vector but in an e-mail that looked like it actually could've come from Microsoft. The difference was that Swen had an EXE attached to the e-mail, something malware writers have stopped doing as most e-mail gateways and e-mail clients nowadays will block executable files as a preventive measure against new malware.
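The trick described above, link text that shows one host while the href points to another, can be checked mechanically at a mail gateway. The following is an added example, not code from the original post; the HTML body and the example.net / example.org hosts are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body (not the actual spam); example.net/.org are placeholders.
SAMPLE_HTML = """\
<p>A vulnerability has been found in the WinLogon Service.</p>
<p>Patch: <a href="http://downloads.example.net/files/patch.exe">http://www.microsoft.com/patches/patch.exe</a></p>
<p>More information: <a href="http://www.microsoft.com/security/">www.microsoft.com/security</a></p>
<p><a href="http://support.example.org/">Contact support</a></p>
"""

# Visible link text that starts like a URL or hostname, e.g. "www.microsoft.com/x".
HOSTLIKE = re.compile(
    r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?=[/:?#]|$)")
EXECUTABLE_EXT = (".exe", ".scr", ".pif")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def displayed_host(text):
    """Host the reader sees, or None if the link text is not URL-like."""
    m = HOSTLIKE.match(text.strip().lower())
    return m.group(1) if m else None


def find_deceptive_links(html):
    """Return links whose visible host differs from the host in the href."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        shown = displayed_host(text)
        parts = urlsplit(href)
        actual = parts.hostname
        if shown and actual and shown != actual:
            findings.append({
                "shown_host": shown,
                "actual_host": actual,
                # A direct download of an executable raises the severity.
                "executable": parts.path.lower().endswith(EXECUTABLE_EXT),
            })
    return findings


if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_HTML):
        print(f)
```

Links with plain wording such as "Contact support" are ignored, because the reader is not being shown a host name that could contradict the real target.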

 
 

 
 
Monday, May 29, 2006

 
Donate Your Time to Anti-Spam Research Posted by Era @ 07:22 GMT

A few weeks back, prolific anti-spam researcher John Graham-Cumming announced a new site, SpamOrHam.org, where you can donate your time to spam research. That's right, visitors to the site can spend a few minutes (or hours, or weeks, as you deem fit) looking at messages one at a time, and judging whether they think each is a spam or a ham (legitimate, non-spam) message, thereby helping The Cause. This is important because (a) it helps improve the quality of the collection, and (b) coincidentally, it helps build a benchmark for how good or bad actual humans really are at making this judgment. The preliminary results are already interesting.

(Some paranoid visitors might be slightly disturbed by the repeated display of CAPTCHA images, but maybe it's just a glitch. Pay no attention to the man with the British accent behind the curtain. Actually, there's apparently a good reason for those.)

The actual messages which you are being asked to classify are from the Enron corpus. Enron Corporation, if you recall, was briefly the biggest bankruptcy of all time (until it was trumped by WorldCom) — incidentally, the sentences for the former CEOs were announced just last week. Anyway, as part of the Enron investigations, the US Federal Energy Regulatory Commission seized Enron's email records and released them to the public in 2003. Although the database is free for anyone to download and browse, the interface at SpamOrHam actually makes it much easier (for one thing, you don't have to download several hundred megabytes of compressed data to your local hard drive).

Now if you dive in and start clicking, you will find that many spammers have not changed their basic modus operandi at all during the last five years — it's the same Viagra and stock spams that we are seeing today (though they may have evolved their obfuscation techniques a little bit). Also, there are surprisingly many phishing messages already from 2001.

What's more, amongst all the spam and business email, there is a healthy dose of office flirtation, class reunion planning, and various family-related email. This is probably highly typical of organizations which do not have a strict policy on separating business and private email.

The moral? Maybe you want to keep your work email separate from your private communications, unless you want to risk having them exposed in a similar investigation one day. (A subpoena is a subpoena even if you're innocent!)

 
 

 
 
Friday, May 26, 2006

 
T2'06 Reverse Engineering Challenge Posted by Mikko @ 19:23 GMT

Once again, F-Secure is supporting the T2 Information Security conference, to be held in Helsinki in September. And once again, free tickets to the conference are given to people completing the T2 CHALLENGE.

As last year, your mission (should you decide to accept it) is to reverse engineer or crack a Windows EXE file, which is available for download here.

The challenge program - written by Jarkko Turkulainen from our lab - contains an assortment of nasty tricks. Breaking it won't be easy. Good luck. The first one to crack the challenge gets a free ticket to the conference, and another ticket is drawn among others who complete it.

Last year, the challenge program was downloaded more than 50,000 times. Less than 30 cracked it.

 

 
 

 
 
The Da Vinci code virus Posted by Katrin @ 08:23 GMT

We are posting information on this topic due to media attention and requests from our customers.

There is a rumor that a new "Da Vinci virus" has been hitting mobile phones. We don't have a single infection report and we have no sample of such malware. However, we will keep you updated as soon as we have more information.

All the discussion on the net on this topic seems to be linking back to one news article posted in an Indian magazine two days ago.

 
 

 
 
Thursday, May 25, 2006

 
Tickets for the World Cup? Posted by Katrin @ 11:41 GMT

Tickets for the World Cup? No, this time it is a virus.

There is a new mass mailing worm called Banwarum (also known as Zasran and Ranchneg) that is using World Cup themed email messages. The worm sends itself as a password protected archive and includes in the email the password for it. The emails sent by the worm are in German and some of them offer tickets for the football games in Germany next month.

There are already three functionally similar variants of this worm. FSAV detects .A and .B variants of the worm with update version number 2006-05-24_04 and variant .C with update version number 2006-05-25_01. One of the emails sent by the worm looks as follows:

"Hi man,

ich hab gesehen, das du zu WM wolltest, frag nicht wer ich bin und warum ich es mache. Hier hast du 5 Stueck, das ist eine spezielle Online Version, drueck es aus und unterschreib. Password zu dem Archiv lautet (psw)

Mfg Niemand ;)"

This means in English:

"Hi man,

I saw that you want to go to the World Cup. Don't ask who am I and why I am doing this. Here you have 5 pieces, which are a special on-line version, print it and sign. Password to the archive is (psw).

With friendly greetings Nobody ;)"

Thanks to Sasho for the translation.

For more information on the World Cup and the tickets see the official site for the 2006 FIFA World Cup Germany

 
 

 
 
Tuesday, May 23, 2006

 
Greetings from AusCERT 2006! Posted by Mikko @ 05:29 GMT

Greetings from the AusCERT conference, currently underway in Gold Coast, Australia. There are around 1100 people attending this security happening organized by AusCERT - the national CERT of Australia. Out of all the CERTs we co-operate with, AusCERT is one of the most active ones.

The conference's speakers include many old-school computer security legends, such as Eugene Spafford, Wietse Venema, Paul Ducklin, Richard Thieme and Ken van Wyk (the original moderator of the virus-L / comp.virus mailing list).

Computer crime survey

The official 2006 Australian Computer Crime and Security Survey was released on the opening day. One interesting finding in this survey is that out of the 400 companies that responded, 45% reported being hit by a virus during the previous year - and 21% reported being hit by a rootkit or a trojan. The full report is available online too.

Signing off,
Mikko

 
 

 
 
Sunday, May 21, 2006

 
3322, 8866 and others Posted by Mikko @ 21:02 GMT

There's been quite a lot of buzz about the new 0-day Word vulnerability.

While talking about details of the vulnerability, it's easy to forget what the vulnerability was actually used for.

According to the information we have, a US-based company was targeted with emails that were sent to the company from the outside but were spoofed to look like internal emails.

The emails contained a Word DOC file as an attachment. DOCs are a nasty attack vector. A few years ago, when macro viruses were the number one problem, many companies were not allowing native DOC files through their email gateways. Now that has changed, and DOCs typically get through just fine. But Word has vulnerabilities and users typically don't install Word patches nearly as well as Windows patches.

When run, the exploit file ran a backdoor, hid it with a rootkit and allowed unrestricted access to the machine for the attackers, operating from a host registered under the Chinese 3322.org domain.

3322.org is a free host bouncing service in China. Anybody can register any host name under 3322.org (like whatever.3322.org) and the service will point that hostname to any IP address you want. There's actually a series of such services, including 8866.org, 2288.org, 6600.org, 8800.org and 9966.org. There are tons of useful things you can do with such a host-resolving service. And tons of bad things too.

Now, we've seen these kinds of attack before.

In March 2005, somebody was sending out dozens of emails to US government email addresses, spoofed to be from Washington Post. The email content talked about "international IPR conventions China has acceded to". The attached DOC file dropped a backdoor that connected to a host under 8866.org.

In September 2005, somebody sent several batches of EU-themed emails to addresses at the EU Parliament. Email topics included "Parliamentary Assembly", "Assembly of Council of Europe" and "Parliamentary Assembly Declaration". Emails contained a DOC that connected to a host under 3322.org.

In March 2006, a big European company received emails that were spoofed to look like internal job applications. The attached DOC file dropped a backdoor that connected to a host under 3322.org.

In April 2006, another European company was targeted by a similar attack, this time connecting to a host under 8866.org.

And now in May 2006, this latest case complete with a zero-day exploit, connecting to a host under 3322.org.

So, should you block access to hosts under 3322.org, 8866.org and others? Depends. It's kind of like blocking access to Geocities: you'd block lots of bad stuff - and lots of good stuff. But then again, most users of these services are in China. If you're not in China and your users are not supposed to access different Chinese services, blocking might not break too many things.

We'd recommend that you at least check your company's gateway logs to see what kind of traffic you have to such services.
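One way to run that gateway-log check, as an added example that is not part of the original post: it counts requests per internal client to any host under the services named above. The Squid-like log layout, the client addresses and all host names other than whatever.3322.org are constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Host-bouncing domains named in the post.
WATCHED = ("3322.org", "8866.org", "2288.org", "6600.org", "8800.org", "9966.org")

# Constructed sample lines, assumed Squid-like layout:
# epoch elapsed client result/status bytes method target ...
SAMPLE_LOG = """\
1148245201.101 120 10.0.4.17 TCP_MISS/200 5120 GET http://whatever.3322.org/a.gif - DIRECT/192.0.2.10 image/gif
1148245260.552 88 10.0.4.17 TCP_MISS/200 412 CONNECT host1.8866.org:443 - DIRECT/192.0.2.11 -
1148245301.007 45 10.0.7.3 TCP_MISS/200 9001 GET http://www.example.com/3322.org/index.html - DIRECT/192.0.2.12 text/html
1148245333.310 60 10.0.7.3 TCP_MISS/200 733 GET http://not3322.org/ - DIRECT/192.0.2.13 text/html
1148245390.004 51 10.0.9.9 TCP_MISS/200 210 GET http://X.9966.ORG./ping - DIRECT/192.0.2.14 text/plain
"""


def host_of(target):
    """Lowercase host from a logged target (full URL, or host:port for CONNECT)."""
    if "://" not in target:
        target = "//" + target
    try:
        host = urlsplit(target).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None


def watched_domain(host):
    """Return the watched domain that `host` is, or sits under, else None.

    Matching is on whole DNS labels, so not3322.org and a path that merely
    contains "3322.org" do not count.
    """
    for domain in WATCHED:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan(lines):
    """Count requests per (client, host, watched domain)."""
    hits = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # not a complete access-log record
        client, target = fields[2], fields[6]
        host = host_of(target)
        domain = watched_domain(host) if host else None
        if domain:
            hits[(client, host, domain)] += 1
    return hits


if __name__ == "__main__":
    for (client, host, domain), n in sorted(scan(SAMPLE_LOG.splitlines()).items()):
        print(f"{client} -> {host} ({domain}): {n} request(s)")
```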

 
 

 
 
Friday, May 19, 2006

 
Word gets exploited Posted by Sami @ 13:51 GMT

Internet Storm Center reported about a new zero-day Word vulnerability being used. We have received a sample, and it indeed is a Word DOC document that attempts to exploit a vulnerability in Word, in order to drop and execute a binary file that downloads a backdoor.

Both the shellcode used in the exploit as well as the binary part in the document are encoded in order to hide them.

More details about the backdoor are available in the W32/Ginwui.A description.

 
 

 
 
Wednesday, May 17, 2006

 
More about the "Poker Rootkit" Posted by Mikko @ 04:07 GMT

Relating to our earlier post on the RBCalc rootkit, we've received some questions on what the malicious RBCALC.EXE application looked like.

Here's some screenshots:

[Screenshots: rbcalc, about]

We've also updated our technical description of this backdoor, complete with a list of poker applications that are targeted:

  PartyGaming.exe
  mppoker.exe
  poker.exe
  gameclient.exe
  ultimatebet.exe
  absolutepoker.exe
  mainclient.exe
  pokerstars.exe
  pokerstarsupdate.exe
  partypoker.exe
  fulltiltpoker.exe
  pokernow.exe
  multipoker.exe
  empirepoker.exe
  eurobetpoker.exe

Stealing money via stolen poker accounts might be hard to prove: an attacker could log in with your stolen account and then play poker badly against himself. Try explaining that to the administrators of the gaming site: "I lost lots of money because somebody logged in as me and then played badly!" - "Yeah, sure they did".

F-Secure Anti-Virus detects this thing as Backdoor.Win32.Small.la. However, this doesn't seem to be a very big problem in the real world.

 
 

 
 
Tuesday, May 16, 2006

 
Reporting from Ottawa Posted by Stefan @ 22:42 GMT

The Anti-Spyware Coalition is having a public workshop here in Ottawa, Canada. As a representative for F-Secure I have been participating in several interesting presentations and debates on spyware topics.

One of the newer members of the Anti-Spyware Coalition is the National Network to End Domestic Violence (NNEDV). They fight against domestic violence in the USA. The connection between spyware and domestic violence might not be obvious. But after listening to their presentation I am both shocked and moved. Cindy Southworth (representative of NNEDV) and Anne Mau (representative of lokk.dk) explained how monitoring tools such as keyloggers are used by abusers for surveillance of victims of domestic violence. Keystrokes, IM messages, e-mails, passwords, computer use and even phone use can be monitored with today's software. Monitoring a person clearly infringes on the person's privacy rights and is illegal in most countries. The monitoring tools are however not illegal by themselves and are therefore a part of a spyware threat category.

Computer technologies can today help victims to reach out for help. But reaching out through a digital device that is monitored can have lethal consequences.

The Anti-Spyware Coalition is a group that has created a set of documents to bring consensus about spyware. The group is led by Ari Schwartz who, together with Ross Schulman, arranged this public workshop. They both work for the Center of Democracy and Technology.

Signing off,
Stefan

 
 

 
 
Video of a speech at DePaul University Posted by Mikko @ 13:32 GMT

I was giving a lecture last week at the DePaul University in Chicago. The Computer Science department has nicely made the two-hour lecture available as an online video. For those who prefer audio content, here's an MP3 version (63MB) of the audio track of the lecture.

Thanks to professor Lucia Dettori and the rest of the staff at the School of Computer Science, Telecommunications and Information Systems at the DePaul University.

Cheers,
Mikko

 
 

 
 
Monday, May 15, 2006

 
How's your poker face? Posted by Kimmo @ 13:34 GMT

Last Wednesday evening, the 10th of May, we received an interesting sample from a user. It was a normal PE executable named RBCalc.exe and the submitter described it as a rootkit. We proceeded with the sample as usual, beginning analysis on it. It wasn't long at all before we noticed it contained a nasty surprise. RBCalc.exe, also known as Rakeback calculator, was actually a Trojan. When RBCalc.exe is run, it silently drops four executable files into the user's %SystemRoot%\system32 folder and executes them.

The purpose of the dropped executables is to collect login information for various online poker websites from the user's computer and send them back to the malware author. In addition, the main malware component was protected by a rootkit driver that hid its process and launch point from registry.

The serious thing here was that RBCalc.exe was distributed by checkraised.com - a website that provides tools, articles and other various applications to all poker players. As a result, many online poker players could have been affected by this targeted attack.

The day after we received the sample, on the 11th of May, detection for RBCalc.exe and all files it dropped was added into our database. Abuse reports were also sent to CERT and checkraised.com. On the evening of May 12th, RBCalc.exe was removed from the checkraised.com website.

If you have downloaded and executed this binary provided by checkraised.com, you should check your system immediately for possible infection. You can scan your computer for free with our new F-Secure Online Scanner Next Generation Beta, which also now has rootkit detection capabilities through the F-Secure BlackLight engine.

Checkraised.com (http://www.checkraised.com/site/apps/rbcalc/rbcalc.php) has set up a page to explain their view of the situation. The page also contains step-by-step instructions for manually removing the malware.

Losing hand?


So a question for all you poker fanatics; when is this not a winning hand?

Answer: When your online poker login credentials have been stolen and your
account drained. We have received no reports of this happening, but
the possibility is definitely there.

 
 

 
 
Jigsaw Piece - 877 Posted by Dan @ 13:28 GMT

Jigsaw
 
 

 
 
"We do not want to do you any harm" says the trojan Posted by Alexey @ 13:10 GMT

Lately we've come across a pretty interesting "ransomware" - a trojan that takes user's files hostage and asks for a ransom to "free" them. The MayArchive.B trojan copies the contents of user's files into its own archive, deletes the original files and then asks a victim to send a message to a specified e-mail address in order to receive the password for "encrypted" files.

The interesting thing in all that is that in order to get the password a victim will be asked to buy some product from an online store. The trojan claims "We do not want to do you any harm, we do not ask you for money, we only want to do business with you". No comments...

As a matter of fact, user's files don't even get encrypted when they are stored in the archive. Besides, the trojan is quite buggy and some of user's files may become corrupted.

 
 

 
 
Thursday, May 11, 2006

 
May 9th Poll Results Posted by Sean @ 11:20 GMT


First off, thank you to those that took part in the poll regarding James Ancheta's 57 month jail sentence.

With 725 participants the results break down like this:
294 - 40.6% thought that the sentence was Fair Enough or Just Right
213 - 29.4% thought that it was Too Little
161 - 22.2% thought that it was Too Much
57 - 7.9% answered No Idea

We also received some e-mails on the matter. Reader Tony H. put it this way:
Ancheta is believed to have had some 500,000 computers under his control. That works out to: Serving 1 year for every 100,000 or so machines he hit; Serving 1 month for every 9000 or so machines; Serving 1 week for every 2000 systems; Serving 1 day for every 300 or so systems; Serving 1 hour for every dozen systems; or Serving 5 minutes for each machine infected. Considering that it takes anywhere from 30 minutes to many hours of a skilled person's time to clean an infected system reliably, that means he's only going to lose 15% of the time he took from others - and he gets to sleep at least part of that time. :)

Mikko enjoyed Tony's math! Please continue with the feedback, the address is listed on the top of the web page. Thanks.

 
 

 
 
Tuesday, May 9, 2006

 
Poll: James Got 57 Months Posted by Sean @ 13:21 GMT

Two weeks ago we asked if you remembered James? Well, as it turns out, James Ancheta has received a 57 month jail sentence for his botnet activities. We'd like to ask your opinion on the sentence.

Here's some other jail terms to consider:
November 2004 - Spammer, Jeremy Jaynes, sentenced nine years.
January 2005 - Blaster.B author, Jeffrey Lee Parson, sentenced 18 months.
July 2005 - Sasser author, Sven Jaschan, sentenced 21 months (Suspended - Age 17 at time of arrest).


Edited to Add The poll is now closed. Thank you to those that participated.

 
 

 
 
Apropos, Spyware Discontinued Posted by Stefan @ 10:56 GMT

Our users' reports of Apropos have been on the decline lately. And now we know why.


ContextPlus, the makers of Apropos spyware, have discontinued distribution. We have previously blogged on the rootkit techniques used by Apropos. We will of course continue to detect older installs.

 
 

 
 
Grand Theft Auto - With a Laptop Posted by Sean @ 10:46 GMT


You wouldn't trust $100K worth of data to 40-bit encryption authentication would you? So how about your automobile? It looks like stealing a high-end car using a laptop isn't very difficult to do.

Robert Vamosi has written an article on keyless ignition systems based on a study from Johns Hopkins University and RSA. Vamosi notes in the conclusion of his article that the manufacturers of the RFID systems don't seem to think there's a problem. So get yourself a tin foil cover for your key! It's an interesting read, check it out here.

 

 
 

 
 
Next Up: Nordea Sweden Posted by Era @ 06:55 GMT

Well, it had to happen. After the multiple phishing attempts against Nordea Finland, we are now seeing phishing attempts targeting Nordea Sweden (again). Fortunately, they are just as unconvincing as the ones targeting Nordea Finland earlier, if not even more so. The message has a text and an HTML version — the text version (which many "modern", "graphical" email clients will not display by default) is particularly hilarious, although obviously, this is fundamentally a dead serious incident.

For the record, the anti-phishing rules we already have in our spam scanner detected this message as a phishing attempt.

 
 

 
 
Friday, May 5, 2006

 
Psst... Come hither, Check out my profile Posted by SGMasood @ 13:18 GMT

One of our readers has brought to our attention an interesting instance of a popular Yahoo! account phishing scam. This scam takes advantage of the fact that Yahoo! requires members to logon to their account to verify their age before they can view members with adult content in their profile. Users on Yahoo! chat rooms, besides other places, are enticed to click on a link to view a profile. The link leads to a phishing web page that is a spoof of a typical Yahoo! profiles login page hosted on a domain named yahoo-members.com.


The interesting thing about this domain is that none of the phishing blacklists we have checked seem to recognize this as a phishing site, which is weird because according to its whois record, yahoo-members.com has been around for about six months now.

This is one more reason why blacklisting should be combined with whitelisting - along with trying to catch all the spoofs of Yahoo! websites out there, phishing filters should also tell the users which Yahoo! sites are genuine. This way, when they go to a spoofed site that is not flagged by the blacklists, it will still make the users suspicious because it won't be validated as genuine either.

By the way, the domain itself has been registered with a yahoo.com email address. Here is the Yahoo! profile of the apparent registrant of the domain with a nice pic.

Thanks for the heads-up, Ian.

 
 

 
 
Thursday, May 4, 2006

 
To our Malaysian readers Posted by Patrik @ 02:22 GMT

We've been in touch with the Malaysian CERT over the last few days and there seems to be a fairly big local outbreak of the Brontok worm going on there. Therefore we'd like to give a heads-up to our readers in that region. MyCERT has put together a good advisory on how to clean your PC if you are infected.

Brontok has been around since October last year and is a pretty standard mass-mailing worm but can be a bit tricky to remove as some variants modify the Explorer and Shell registry values. Unless it's done correctly, you might run into login problems. The texts in the message itself are in Indonesian. For more information, please see our description of Brontok.

 
 

 
 
Wednesday, May 3, 2006

 
Find Me Anywhere Posted by Sean @ 12:54 GMT

The 2005 Ig Nobel Prize for Literature was awarded to the Internet entrepreneurs of Nigeria, for "creating and then using e-mail to distribute a bold series of short stories." Today we found at least one case of non-fiction.


While mapping street addresses from recently submitted e-mail scams, we came across one address that matched both an actual location and company in the UK. That piqued our interest and examining further, we discovered that the company details were legitimate. We called the company to see if they were aware of the identity theft. It turns out that they were and they have contacted the police regarding the matter. (We'll leave them as anonymous while the case is being investigated.)

The UK phone number in the scam e-mail was a "find me anywhere" number in the 70 range. These numbers start with the +44 country code of the UK, but they can ring almost anywhere in the world - in this case, probably Nigeria. We suppose that the same could easily be done with VoIP numbers as well.

We're interested in just how many other cases exist where the details of the scam have been stolen instead of invented. Does anyone have other known examples?

 
 

 
 
01:02:03 04.05.06 Posted by Mikko @ 08:30 GMT

This is kinda cool. An hour and two minutes after midnight tonight the clock will tick:

01:02:03 04.05.06


 
 

 
 
Monday, May 1, 2006

 
Nugache Posted by Mikko @ 18:31 GMT

There's a new bot (known as "Nugache") going around. This one is not creating botnets via IRC as they most often do - it's using a peer-to-peer network via TCP port 8.

This is not the first malware to create p2p networks of infected hosts - Linux worm Slapper premiered this technology already in 2002.

We currently detect this Nugache thingy as "Backdoor.Win32.SdBot.aqy".