Thursday, May 31, 2007

Beating a Dead Horse Posted by Sean @ 11:58 GMT

Hypothetical: Let's say you're looking for information on the U.S. Military. It's rather easy to quickly locate twelve domains. However, it's not nearly as easy to determine ownership.,,,,,,,,,

Four of the domains belong to the U.S. Department of Defense, four of them are registered to National Direct Marketing Systems, two of them are registered to the Recruiting Commands of the Navy and Marines, one is registered to TribalDDB Worldwide, and last but not least, one is registered to, L.L.C.

Three of the eight Dot-Coms belong to recruitment commands. It looks like TribalDDB Worldwide works for the Air Force… The other five? Who knows? There isn't anything nefarious going on here, but if you input your name and phone number into some of these sites, we can't quite tell with whom it ends up. One site might even be looking for civilian contractors.

Which of the twelve can you deduce something about just by reading the URL? Try Quiz One:

May 31st Poll Results

Just for fun, here's another quiz:

May 31st Poll Results

So what's our point? The U.S. Department of Defense doesn't use Dot-Com addresses for their official sites. Dot-Com is just for marketing. Can you think of any other organizations that might benefit by having their own top-level domain (TLD)? Must Dot-Com remain the Web's virtual root forever?


Wednesday, May 30, 2007

Security patch for our products Posted by Mikko @ 19:58 GMT

Today we've released some Security Bulletins.

FSC-2007-1 is related to a buffer overflow vulnerability with LHA archive handling found in several of our products.

Although we haven't seen this vulnerability exploited in the field, we want to make sure all of our customers are protected against possible attacks.

Users of our products such as F-Secure Internet Security '05 to 2007 or F-Secure Anti-Virus '05 to 2007 have already been automatically patched. Others might need to download a patch. For details, please see the bulletins and Be Sure you're updated.

Hotfix distributed automatically, no user actions needed.


Should police hack? Posted by Mikko @ 09:55 GMT

Criminals use computers. Police forces around the world use computers, too. But when police need to investigate a possible crime, the methods they are allowed to use vary a lot from one country to another.

Police authorities in Germany have been prohibited from "hacking" into a suspect's computer by a February 2007 supreme court ruling. The German court determined that hacking techniques couldn't be used because no legal framework exists at present. This ruling leaves room for further debate, and Germany's Interior Minister Wolfgang Sch�uble will reportedly push for the legal changes needed to allow the police to perform such activities, known as "online house searches".

German law enforcement would like to search the contents of suspects' computers without the suspects knowing about it. Privacy advocates are concerned about such measures.

This formed the basis of a survey we conducted � should legitimate law enforcement authorities, such as the police, be allowed to use computer applications that would in other circumstances be considered malware? Should they be allowed to use hacking techniques to investigate suspects?

The February 6th opinion poll specifically asked: Should police authorities be allowed to "hack" a suspect's computer?

Out of the 1,020 respondents, 23% were in favor, 11% were undecided, and 65% were against. Approximately 70% of the responses were from one of five locations: Sweden, Germany, Great Britain, Finland, and the United States.

Over 91% of Germans were against such techniques, while only 56% of Britons were against them.

Considering the geopolitical factors and events such as the 2005 London bombings might explain the differences between these countries.

Respondents' comments noted that many would be willing to allow secret hacking techniques as long as law enforcement first obtained a warrant.

Could such "official" hacking software be a good thing? If the Internet is seen as a training camp for terrorists (as Minister Wolfgang Sch�uble has suggested), then hacking tools would be very useful and a potential benefit. Evidence could be gathered quickly and covertly from individuals operating within isolated cells. Covert collection of evidence is essential if all the cell members are to be identified in a timely fashion.

Recent reports from the UK pronounce that Scotland Yard has uncovered evidence of a bomb plot against the headquarters of Telehouse Europe. Detectives recovered computer files showing that suspects had targeted a "high-security internet hub" in London.

On the other hand -� much of this benefit is predicated on the theory that the tools will be properly handled. Police are generally trained in law enforcement and criminal investigation, not data security. It could be exceedingly difficult to corral and maintain hacking software. Once a suspect's computer is compromised, it might be infected by malware that then causes harm to innocent others

There is also the problem of the amount of data collected. "Online house searches" could yield such quantities of data that it overwhelms the signal with noise. The UK plot was uncovered with a series of raids. Police are trained to do physical investigations. Does the potential benefit of data collection with hack tools outweigh the potential distraction from the police's primary task?

And how should antivirus companies react to the existence of such malware? Detect it? Avoid detecting it on purpose? Avoid detecting hacking software used by goverments�of which country? Germany? USA? Israel? Egypt? Iran?

So should police hack? As it often is in life, even if the question is simple and straightforward, it might be hard to come up with a simple answer for it.

Mikko Hypponen

This article originally appeared in SC Magazine US


Monday, May 28, 2007

'Microsoft Support' has something very important to say Posted by Ian @ 21:20 GMT

A few hours ago, we received reports of an important update supposedly coming from Microsoft Support. Since this "update" is not part of the monthly cycle, we were, of course suspicious.

Looking at the e-mail, our suspicions grew due to the glaring typos and the non-Microsoft domain link.


The technical jargon used, however, might confuse normal users.

The sample contained in the link is now detected as Backdoor:W32/VanBot.CA since 2007-05-28_05.

Updates are always good, but in this case, also keep your virus definitions updated.


Updated to Add: The User Account has been terminated and the file is now removed from the site.


AusCERT2007 Posted by Kimmo @ 03:51 GMT

Last week I had the pleasure in attending the AusCERT Asia Pacific – Information Technology Security Conference 2007 aka AusCERT2007, which was held in Gold Coast, Australia. The conference had participants from government agencies, universities and various security vendors from all over the world.

Could I have one, please?

The conference program consisted of presentations and workshops. Presentations were held from Monday to Wednesday and the rest of the week was filled with various hands-on workshops. Full details are available from here.

The presentations were excellent and the organizers had managed to collect an interesting speaker lineup; and some had come from the other side of the world. Below are the highlights of some of the presentations I was listening to:

Ivan Krstic gave a keynote presentation about how dangerously chaotic the present security situation is today and what kind of solutions they have come-up with while working for the project called One Laptop per Child. This was also the first time I saw a real and working sample of the laptop – as shown in the picture.

I have been researching Windows rootkits for several years, so listening to Nelson Murilo's talk about rootkits and their detection on Unix environments was one of the highlights for me. He is the main author of a popular Unix rootkit detection tool known as Chkrootkit.

In addition, the presentations included very interesting topics about bots, spam and criminal groups working in the background in a very professional and organized way. It is clear that we are facing an enemy with vast resources and high motivation to continue using Internet for criminal purposes.

Signing off,


Friday, May 25, 2007

Weblog Q&A Posted by Sean @ 15:06 GMT

It's time for another Q&A post.

First Question:
How come your logo looks almost identical to Dr. Evil's logo in Austin Powers?

What's that?!? We have no knowledge of this. Don't know what you're talking about.

Second Question:
How many viruses or malware exist in general? Can you give me some number?

The approximate count is now over 300,000.

Number of Viruses

Third Question:
This question is actually a set of three.

1 – What is your relationship with Kaspersky Labs – do you in fact incorporate some of their engines?

2 – It is well known that your software includes the Kaspersky scan engine. Do you create signatures for the Kaspersky engine or do you wait for the signature updates that come from Kaspersky Labs?

3 – I believe you get definitions from Kaspersky as you use the KAV engine in addition to others. Do you spend some time checking those before adding them to the update mechanism?

F-Secure Engines

It seems some of the details are more well known to some than to others. Let's sum it up.

Our products use a multiple engine approach and we have partnerships with a number of other vendors – Kaspersky is one of them. When we have an urgent case, the detection is added to our own proprietary engine. Any detection that is added to one of our products, whether our own engine or a partner's is throughly tested by our Database Update Publishers before it is released.

We think this process works pretty well for us – see the previous post on our detection rates.

Speaking of Kaspersky… They're an important partner of ours and we recently celebrated the tenth anniversary of that relationship. And so we had the Kaspersky management team here for a visit yesterday and today.

Sailing with the Kaspersky Team:
Kaspersky Visit


Thursday, May 24, 2007

Blatant Self Promotion Posted by Sean @ 09:30 GMT May 2007, an independent testing group at the
Otto-von-Guericke-University, recently performed a test of 29 antivirus products with a fairly large sample set. The more than 600,000 samples included Trojans, Worms, Backdoors, and Bots that were no older than 12 months.

We're quite pleased with the results as we again beat our big international competitors.

You can read more details on the test results from PC Magazine.


Tuesday, May 22, 2007

Time To Fill Your Calendar Posted by Mikko @ 09:23 GMT

Summer/Autumn '07 is going to be a busy conference season. If you're attending any of these conferences you'll be able to meet our lab staff as one of us will be delivering a presentation at each of them.

Computer Security Mexico   
June 7th – 8th
Mexico City
Computer Security Mexico
Geneva Security Forum
June 20th – 21st
Geneva, Switzerland
Geneva Security Forum

Black Hat Briefings
August 1st – 2nd
Las Vegas, USA
Black Hat Briefings
Usenix Security 2007
August 6th – 10th
Boston, USA
Usenix Security 2007
September 3rd – 6th
Kuala Lumpur, Malaysia
Virus Bulletin
September 19th – 21st
Vienna, Austria
Virus Bulletin
October 11th – 12th
Helsinki, Finland
RSA Europe
October 22nd – 24th
London, UK
RSA Europe


Saturday, May 19, 2007

And you can take that to the .bank Posted by Mikko @ 07:59 GMT

We've been pushing for an initiative to get a secure top-level domain (like ".bank" or ".safe") for some time now. See this post for original context.

We've received lots of questions and also plain criticism over the whole idea – most notably, in Slashdot as well as from Larry Seltzer in his prominent blog.

So let me collect the most typical challenges to the idea, and answer them.

A new top-level domain will not solve the phishing problem once and for all, so it's not even worth considering.

This is not a silver bullet. A new top-level-domain (TLD) would not be the end of the phishing problem. But it would be a helpful top-level domain and it would stop a particular subset of phishing completely.

But .com works just fine!

Today anybody can get a .com domain with a fake name and fake address, with a fake credit card. That's just fine with everybody? Don't we really need a TLD where you could actually trust that you know who owns the domain?

Phishers could still create realistic-looking fake domains. For example a look-a-like for could be

Yes, phishers would still be able to do this; this new top-level-domain would not be able to do anything to stop this problem. Same thing with masked html links.

Illustration by Nenad Jakesevic for Foreign Policy

People are stupid and would not notice such a new address scheme.

The main point of such a new TLD would not be that users would suddenly get a clue and would learn to read the web addresses correctly (although for those who do read the URLs, this would be obviously be an improvement). The main point is that it would allow the users' software to work better. Security software and browser toolbars would essentially have a "white list" to work with.

What about security researchers?

This would make life easier for security researchers to figure out which sites are not phishing sites. This really isn't as obvious as it sounds, as banks themselves use tons of different domains. We often spend precious time trying to confirm whether a particular phishy-sounding domain really belongs to a real bank or not.

Small banks and/or credit unions couldn't afford it.

Small banks are not currently the ones losing the most money. It's the big banks. And the domain doesn't have to be ".bank" literally. The TLD could be along the lines of .account, .verified, .safe, et cetera. It would be a TLD for "big players" that deal with lots of money. PayPal or eBay come to mind. And yeah, PayPal isn't a traditional bank but they certainly do get phished. They might want to have a secured TLD for account access.

Organized online criminals could afford to buy .bank domains for $50,000.

Only if they can prove that they are a real bank. And they would not be able to register misleading domain names. And in the worst case, a rogue domain would be shut down quickly. The possibility of losing their investment in registering such a domain wouldn't be worth the risk for criminals.

What about .pro?

The .pro TLD does validate who gets the domains, but it's targeting a different audience (individual professionals like doctors and lawyers).

Extended Validation (EV) certificates largely address the same issues.

We're not against these new high-security web certificates. However, a secure top-level domain would still be a good idea: it would authenticate the domain as trusted by the name alone. There's no way to know if a site has a high-security certificate without visiting it.

Banks don't deserve their own domain.

We already have a TLD for airlines (try and museums (try Isn't it a bit odd we don't have one for banks? Although they are the ones that get attacked all the time?

Would this be a global domain?

Probably. Then again, nothing prevents local governments from setting up domains like,, in their own jurisdictions.

Would it work?

Yes: in the end there probably would be no rogue sites under such a new TLD. They would be elsewhere.

There are no rogue sites on .gov domain names. Why? Because you can only get a .gov domain if you really are a US governmental organization. Or how about .fi? The .fi (Finland) domain has very few malicious websites. Why is that? Because the registration process involves mailing a verification code to a physical mailing address. Just that extra step makes it less convenient to use for the bad guys. With all the extra verifications steps that we would have in the registration of a .bank domain, scammers just wouldn't be able to do it.

Ok, I'm convinced. What's next?

This initiative won't move further until we find a sponsoring organization that starts to push it and proposes it officially to ICANN. This sponsoring organization is what we are trying to find at the moment.

This piece was crossposted with Foreign Policy blog.


Friday, May 18, 2007

New For-Profit Symbian Trojans Posted by Jarno @ 12:46 GMT


Yesterday we received a couple interesting cases from our partner. Three new for-profit SMS trojans that affect Symbian S60 2nd Edition and older devices.

The Viver family of trojans claim to be utility programs for Symbian phones. They have been uploaded to at least one popular file sharing site in the hopes that people will download and install them.

After installation, the Viver trojans immediately start sending SMS messages to premium-rate numbers. The messages are sent with proper international area codes, so they are able to reach the correct destination even when activated outside Russia.

We've already seen for-profit malware in mobile devices: Wesber.A and Redbrowser are Java Midlet trojans that try to send messages to Russian premium-rate numbers. But these trojans require user acceptance per each message and are able to send messages correctly only inside Russia.

But as the Viver family is more advanced and is able to operate anywhere, we find this development worrisome. Prior to 2003 there was little for-profit malware on the PC platform, and now almost all malware is written for one or other profit motivation. It is very likely that more for-profit malware will also appear on mobile platforms.

All three Viver variants are detected with F-Secure Mobile Anti-Virus.

For more information on Viver see's: Analyst's Diary.


DDoS Attacks on Finnish Sites Posted by Sean @ 12:01 GMT

Screenshot of Teamelite's Multispam DDoS tool

There has been several DDoS attacks targeted at Finnish websites this week. Targets have included the Finnish Broadcasting Company and the largest newswire in Finland. Several weblog readers have been asking for our take on this.

The attacks have been keeping us quite busy. Since we're working with the authorities, any insider details will have to wait until a later date as investigations are ongoing. So that's one of the reasons why little is mentioned here.

For general details English readers can read more about what's been going on from, STT and YLE: 1, 2, 3.





Wednesday, May 16, 2007

Security Tales Posted by Sean @ 16:26 GMT

Greetings Weblog Readers — We've received many excellent submissions in response to our Security Tales post. Thank you to all that have participated so far. We'll provide feedback soon. Keep 'em coming.

There seem to be a few themes: cheap former employers, college students that value P2P more than firewalls, and working with Mom and Dad's computer. It would appear that families turn to their own power user first. Good Times.

Please send your story to They don't need to be long, short is good. Cheers!


Tuesday, May 15, 2007

International Antivirus Testing Workshop Posted by Alexey @ 10:33 GMT

Iceland Church

Greetings from the International Antivirus Testing Workshop taking place in Reykjavik, Iceland. The conference was organized by Frisk Software and is being attended by over 60 people from various antivirus companies.

The event brings together developers of antivirus software and people involved in the comparative testing of such products. The goal is to discuss current "best practice", common flaws and suggest possible improvements in antivirus testing methods.

Several key antivirus industry people are attending the Workshop: Vesselin Bontchev, Peter Szor, Andreas Marx, and Randy Abrams. Fridrik Skulason, the owner of Frisk Software opened the conference. So far we've seen presentations from Andreas and Vesselin. Both presentations were devoted to the processes of antivirus testing and to problems that arise during such tests. We are looking forward for many more interesting presentations and open discussions.

Signing Off,

Fridrik Skulason


Friday, May 11, 2007

Just because it's Signed doesn't mean it isn't spying on you Posted by Jarno @ 13:00 GMT

While it has been rather peaceful on the mobile malware front, mobile spyware and spying tools have been active lately. This week, we have received samples of two new mobile spying tools – running on new platforms. There is now spyware for both Windows Mobile and Symbian S60 3rd Edition devices.

We thought it likely that spyware rather than malware would be seen first on these platforms. Hobbyists of varying skill levels write all of the mobile malware that we have seen so far, and most mobile malware is rather simple. While on the other hand, spyware is being developed by commercial companies that have a lot more resources, skills, and motivation to get their creations to work.

Both new spying tools are rather similar in their capabilities. After being installed on the device, they hide from the user and report information from the phone to a central server. From there, it can be accessed through a web page interface.

Windows Mobile SpyTool - Account Page

An interesting fact is that the spyware for the Symbian 3rd Edition platform is Symbian signed. Therefore it can be installed without any warnings and is capable of operating without Symbian security alerting the user that something is going on.

The certificate that was given to the software company was for RBackupPRO. That name is different than the name they use to brand their spy tool. The name RBackupPRO would appear to indicate that the software is some kind of network backup tool. Right?

The fact that the spy tool authors could get their software certified indicates a potential issue when using digital signatures and certificates as the only security measure. On one hand the software is technically exactly what it claims to be, an application that backs up user data to a server. One the other hand, when the software is installed onto the device without the primary user's knowledge and permission, it can be used as a spying tool that compromises the said user's personal privacy. Thus if suspect applications cannot break security components, they can then play with the process of certification.

Both new spyware applications are now detected with F-Secure Mobile Anti-Virus. We're not naming either application in this post, as we don't feel like providing them with any direct publicity.


Thursday, May 10, 2007

Advanced tools to handle stolen information Posted by Patrik @ 04:18 GMT

When analyzing one of the latest variants of LDPinch, an information stealing trojan, we found the drop-site used by the trojan to upload the stolen information. As you can see from the screenshot below, the files are named in the format of hour_minute-day.month.year_ipaddress_computername.

Pinch Drop

So whenever a user gets hit by this trojan, it will collect lots of information, and upload it to this site.

At the time of writing, there are 1591 files there, and new ones are arriving every few minutes. We are still in process of taking down the site. The files on the drop-site are encrypted using a proprietary encryption algorithm. To decrypt it, the authors behind LDPinch have created a reporting tool. Thanks to Adam at Sunbelt Software, we got access to this tool.

The reporting tool has a very nice UI. As you can see from the screenshot, everything is structured very nicely, you can see generic information about the computer itself such as hardware information (CPU, RAM, Disk, et cetera). You can also see which version of Windows is being used together with the license key. At the bottom of the screen you can see all of the stolen information such as ICQ credentials, usernames and passwords taken from stored e-mail accounts in Outlook and Thunderbird, and also information stored in the password managers of Internet Explorer, Firefox, and Opera. To protect the identity of the infected user we've blurred some of the information.

Pinch Parser

The tool also comes with some simple statistics and you can also export the information into different types of files, such as exporting all e-mail addresses to a TXT file, or the report as an HTML, et cetera. There are also facilities to filter the data or search for strings, such as all stolen credentials for for example.

Pinch Parser

The guys behind the trojan are from Russia and the tool is available in both English and Russian languages. This clearly indicates that the bad guys are working in a professional manner, creating easy-to-use tools to quickly get to the information instead of having just TXT files with loads and loads of text to filter through.

Right now the latest variant is LdPinch.BYJ, detection was added yesterday evening.

Wednesday, May 9, 2007

9th of May Posted by Mikko @ 12:59 GMT

We've been following the attacks against Estonian servers for almost a week now.

For a good summary on what's been happening so far, read this article from Helsingin Sanomat.

Since that article was written, there's been one arrest ("Dmitri") in Estonia.

Here's an example of a Russian hacker site, offering Denial-of-Service tools crafted for this particular attack:


In addition to DDoS attacks, there's been some defacement activity.

Here's an Estonian website, defaced by Russian hackers:


And here's a Russian website, defaced by Estonian hackers:


On many Russian-speaking forums, we've seen discussion about starting a massive attack today, on the 9th of May – as this is a Victory holiday in Russia. And sure enough, after three calm days, just after midnight we saw a large botnet attack against multiple Estonian targets.


We probably haven't seen the end of these attacks yet.


Tuesday, May 8, 2007

Patch Tuesday, May Edition Posted by Francis @ 18:37 GMT

May's Patches

It's the first Tuesday of the month and Microsoft has released seven critical patches for vulnerabilities found on Excel, Word, Microsoft Office, Microsoft Exchange, Internet Explorer, CAPICOM, and Windows DNS Server. All of these allow for Remote Code Execution, which can be used by malware as an attack vector.

See May's bulletin for more details.


Monday, May 7, 2007

PhD on Viruses Posted by Mikko @ 14:41 GMT

Jussi Parikka

There are surprisingly few people out there who have done their PhD thesis on computer viruses.

However, we just got one more. Mr. Jussi Parikka did his dissertation on his thesis titled "Digital Contagions. A Media Archeology of Computer Worms and Viruses" on Saturday at the University of Turku, Finland.

As we here at F-Secure have a fairly substantial collection of material and memorabilia from the early days of the computer virus problem, we lent some of this material to Mr. Parikka during his research phase. It's good to see the final outcome now.




Friday, May 4, 2007

Security Tales Posted by Sean @ 16:16 GMT

Greetings Weblog Readers — Today we have an opportunity for some free stuff…

One of our forthcoming products aims to include real-life examples of why particular features and/or best practices should be utilized. The goal is to help users better understand the practical effect of their options.

An attorney brought his home computer into the office and asked his law firm's desktop support group for assistance. The computer couldn't connect to the Web without slowing everything to a crawl. The support staff examined the computer and discovered that there were hundreds of spyware applications and components installed. There were so many toolbars within the Web browser that it crashed under the strain in seconds. The Web browser's history showed that the attorney's son frequently visited questionable websites.

Spyware detections should be kept up-to-date or else problems can quickly escalate beyond control.
Young children should be supervised when using the Web.

So how can you win something? Send us your own personal examples of security horrors. We're sure that some of you IT folks have them. They only need to be in draft form, as we'll take care of the final versions. They need to be concise. Basically tell us why you'd want to use antivirus, firewall, parental control, et cetera.

In return for providing us with material the top five stories will be awarded with an F-Secure t-shirt, bag, stickers, or something along those lines. The product manager will determine the top five.

Please send your story to


Thursday, May 3, 2007

Masters of Their Domain Posted by Mikko @ 13:10 GMT

Computer security is a complex issue, and there is no simple cure-all. But one thing that continues to baffle me is the way we bank online.

Think about the Web address of your bank. It probably ends in one of the common top-level domains: ".com" if you're in the United States, or, depending on your home country, in something like ".uk", ".de", ".jp", or ".ru". Which is why Web sites with such names as "", "", "", or "" are so dangerous. They may look like the real thing, but they're operated by criminals.

Foreign Policy

And these rogue banking sites are popping up every day. Hosted on Web sites with misleading names that read like a real bank's Web address, the domains are registered with fake contact information. These impostors then bombard consumers with phishing e-mails, luring them to these sites, where their financial information is stolen.

How does this happen? At the moment, anyone willing to pay the fee of $5 or so can register any domain name they want, as long as the name is not already taken. So creating these look-alike pages is fast, easy, and cheap.

Why do banks and other financial institutions operate under the public top-level domains, like .com? The Internet Corporation for Assigned Names and Numbers, the body that creates new top-level domains, should create a new, secure domain just for this reason – something like ".bank", for example.

Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn't be just a few dollars: It could be something like $50,000 – making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time.

The creation of a new domain for a specific industry is not unprecedented: We've already done it for museums, with their restricted ".museum" top-level domain. If we can manage to protect storehouses of precious works of art from the Internet's most shameless thieves, surely we can find a way to protect our money.

— Mikko Hypponen

This article originally appeared in the Foreign Policy magazine (May/June 2007).

P.S. The ".bank" idea was first suggested to us by Mr. William Leech via weblog feedback. Thanks, William.