It's kind of quiet in the Helsinki Response Lab… but mostly because a number of people are away on summer vacation. Those of us remaining in the lab have been focused on the tasks at hand and on getting out the updates. And it's been keeping us busy.
So what's in the technology headlines this week? It seems that there's some new gadget for sale today. We're curious about the device's security features, but that will have to wait as we're a bit outside of AT&T's coverage area.
The mobile world has been made a bit safer with the arrest of a 28 year old man in Spain. Spanish police have reported that the man was arrested on suspicion of creating and writing mobile malware. The full report can be found from here.
Though no name was given, one name does come to mind – Vallez of 29a – the author of the first mobile malware, Cabir.
I'm in Spain right now attending the annual FIRST conference. I'm not alone, there are 476 attendees from 49 different countries. The majority of people attending the conference work on a security response team which sets the scene for some very interesting discussions.
The presentations here are great, there are six concurrent tracks, and this year they've introduced Geek Zone which is very much hands-on. And to give you an idea of what's going on, today Jacomo Piccolini from CAIS/RNP in Brazil and Francisco Monserrat from IRIS-CERT here in Spain will let everyone play around with IRC based botnets. Right now Robert Hensing from Microsoft CERT is giving a presentation and demo on how targeted attacks based on Office Documents work. More importantly, he's talking about how the new file format used in Office 2007 should help in making Office based attacks more difficult to perform.
We received an interesting collection of Symbian malware samples last Friday (15th). The samples were sent from a large telecom operator. Our thanks to Dawid.
What was interesting about the collection? It contained 21 – corrected June 19th 10:30 – new Commwarrior variants, all of them detected with generic detection. The variants were created by editing text strings in Commwarrior.A and .B variants.
What makes this case interesting is that all of the samples were intercepted from the telecom operator's network, which means that Commwarrior is still quite prevalent and that some people are making a lot of variations. But ultimately they are just wasting their time as operators do just happen to care about what is going on within their networks, and all of the samples in the set were detected by the operator.
F-Secure Mobile Anti-Virus is able to detect all of the 21 – corrected June 19th 10:30 – new variants using generic detection. So the number of new variants is rather meaningless, but it is interesting to see that there seem to be many people with nothing better to do than to create new trivial variants of mobile malware.
From time to time there appear proof-of-concept viruses for various platforms and applications that have their own scripting language interpreters. Almost a year ago a proof-of-concept virus for IDA (Interactive Disassembler Pro) appeared. IDA is our primary tool for reverse-engineering malware. No one in the industry was infected. As far as we know.
A few days ago someone sent us a new proof-of-concept virus. This time it was for WinHex, the powerful computer forensics, data recovery, and IT security tool. The virus prepends itself to all available .WHS (WinHex script) files. The infected WinHex scripts stop working and the only thing that they can do at that point is to spread the virus further. We named the virus "Vred.A". Here's a short description for the virus…
The developer of WinHex has been notified of the case.
Tyler Reguly over at ComputerDefense.org saw our weblog post on the missed VB100 test. We mentioned there that we release about six updates per day. He felt that it was overkill to do that many updates based on our number of new virus descriptions. The fact is that we normally only create descriptions for malware that are widespread, that are unique, that we get questions about, or that get mentioned in the media. It has little to do with the amount of new malware our products detect.
As previously mentioned, we do about six updates per day. Yesterday we released four, the day before that there were eleven updates. And in every individual update, we might add as little as one to as many as 250 plus malware detections. On average it's about 300 new detections per day. And we do this regardless of the malware being widespread or not. We definitely release an urgent update if something is spreading actively, but even if it isn't, why would we wait for a full day or a week before releasing an update? The simple answer is that we don't, our job is to protect customers from all threats big and small, now, not later.
P.S. If you want to see our updates and what we've added to them you can head over to our discussion forum where we automatically post an entry about each update. Alternatively, you can subscribe to this feed.
The U.S. Federal Bureau of Investigation (FBI) has launched an operation called Bot Roast that aims to disrupt botnet activities. This is a result of the growing botnet threat that lead to further security issues such as information theft, fraud, and e-mail scams. This ongoing operation has already charged several individuals with cyber-crimes and has identified about a million of compromised machines in the U.S. alone. In line with this operation, the FBI advises computer users not to directly contact the Bureau if they suspect that they have a computer infection. Instead, they ask users to contact their Internet Service Providers first as stated below:
"First, if you believe your computer has been compromised, do not call the FBI directly. You should contact your Internet Service Provider. They can help you determine if your computer has been infected, and what steps to take to restore it. We are not in a position to provide technical assistance."
Because of this news, we are now anticipating that Internet Service Providers will receive a lot of calls. Maybe it's best for computer users to install an antivirus product or to scan their computers with an online scanner first to check and identify if any Bot malware exists on their system.
We failed in the latest Virus Bulletin VB100 test. This is quite unusual for us. Since 2003, we've passed the VB100 test 16 times and failed once – this time.
So how come we failed? Because we shipped them a product with an old update file.
An old built-in update file is not normally a problem. Whenever a customer buys our product from a shop, he gets old updates on the CD-ROM anyway (we nowadays ship around six updates a day). The first thing the product does when run is that it downloads the latest updates.
Problem is, Virus Bulletin does their tests on isolated test systems without network connectivity. So they always use the updates that were provided to them with the product.
Now, we are aware of this restriction and should have known better. So there really is no excuse for us failing this test. Too bad.
Because of the old update file, we only got 99,88% detection rate (as we missed one virus) and this caused us to miss the VB100 logo this time.
We asked John Hawes from Virus Bulletin for his comment. He said:
"After some investigation, we discovered that the product submitted for the test did not include the latest updates available at the submission deadline. After retesting with these updates in place, F-Secure comfortably detected everything on the WildList, and would easily have qualified for the VB100 award had the correct data been supplied. Their customers, with the benefit of automatic updates, would certainly have been protected by this solid and reliable product."
Microsoft's update for June includes one important, one moderate and four critical patches for vulnerabilities in Windows' Schannel security package, Internet Explorer (IE), Outlook Express, and Windows Mail. All of these could allow remote code execution and therefore it is a MUST to have these patches.
Please make sure to patch your systems to avoid attacks, which could exploit on these vulnerabilities.
Thor Larholm has discovered a remote command execution vulnerability in the newly released Safari for Windows (Beta) just a day after it was released. The vulnerability is caused by Safari's failure to validate user-supplied strings before passing them as parameters to external URL protocol handlers. The vulnerability can be exploited to execute arbitrary code on a victim's computer just by making them view a malicious web page in Safari.
Some other vulnerability researchers have reportedly discovered moreremote command execution vulnerabilities in Safari. However, as of now, only the vulnerability discovered by Larholm can be independently confirmed.
Did you know that the Command Prompt tool found in Vista's System Recovery Options doesn't require a User Name or Password? And that the Command Prompt provides Administrator level access to the hard drive? For multiple versions of Windows? All you need is a Vista Install DVD and you're all set to go.
Just boot from the DVD and select the Repair option:
Then select the Command Prompt:
And you'll end up with an Administrator priviledged Command Prompt:
This kind of reminds us of a Windows XP Home feature. The Administrator account password for XP Home is blank by default and is hidden in Normal Mode. But if you select F8 during boot for Safe Mode, you can access the Administrator account and have complete access to the computer.
Yahoo has released an updated version of Yahoo Messenger to fix two critical vulnerabilities affecting separate ActiveX controls related to webcam functionality. Both vulnerabilities are buffer overflows that can be exploited to execute arbitrary code on a victim's computer just by making him/her/it view a malicious web page in Internet Explorer.
Very accurate and script-kiddie-friendly exploits are publicly available for both vulnerabilities. It is possible that crimeware distributors will start exploiting this for drive-by downloads. Therefore, please install the latest upgraded version of Yahoo Messenger (Version 18.104.22.1681) as soon as possible. Yahoo will start distributing the new version soon through an automatic update, but until that happens, you will need to install the new version manually by going to the Yahoo Messenger download page. Quoting Yahoo:
Over the next several weeks, users worldwide will be prompted to update to a new version of Yahoo! Messenger upon signing into the service. If you choose not to update and you have not updated via this page or at messenger.yahoo.com, the vulnerability will still exist.
Yahoo has a very good track record of fixing security issues quickly. However, I feel it is not proactive enough in communicating the security advisories to their users. For instance, for the current issues, there is no notice or link on the Yahoo Messenger home page or any other part of the website asking users to install the urgent security upgrade. You won't find the advisory unless you are looking for it.
Update (10th June): I just noticed that Yahoo has now added a prominent "Security Update" notice to the Yahoo Messenger home page. Good work, Yahoo!
Most trojans, worms, backdoors, and such make sure they will be run after a reboot by introducing autorun keys and values into the Windows registry. Some of these registry locations are better documented than others and some are more commonly used than others. One of the first steps to take when doing forensic analysis is to check the most obvious places in the registry for modifications.
What are the most commonly used registry launchpoints then? We wanted to find out so we picked a collection of several thousand samples of malware and checked which launchpoints they were using. The results are presented in the diagram below. It should be noted that some of the samples used multiple launchpoints.
Please note that many of the launchpoints that malware uses are also very commonly used by normal software such as installers. You can also expect to find several entries there on a typical non-infected Windows host.
The locations of the keys in the top10 are:
As a summary: 39.8% of malware launchpoints are still in the good ol' "run" key in HKLM. Of course a clean "run" does not mean you are not infected, but it still is an excellent place to start looking (after running an anti-virus scan, of course) if you suspect that you have been infected.
We have a full house today and the venue itself is amazing. A 250-year old palace called Palacio de Miner�a. I've spoken in a lot of places but I've never delivered a presentation in anything this cool.
The speaker list for this two-day conference is very impressive. Peter Cassidy. Lance James. Lance Spitzner. Jose Nazario. Paul Vixie. Richard Perletto.
Lance James had an interesting comment during his presentation: according to their information, some phishing gangs are earning over five million dollars a month with their attacks.
Yesterday I attended the 19th Annual Information Security Conference. The event was held at United Nations headquarters in New York. The venue was definitely an interesting change of pace from the usual hotel-based conferences.
The latest malware spam run is using gripping news headlines as e-mail subjects to hook unsuspecting victims. And while this is not something new, the use of actual news headlines can make it more difficult to distinguish it as malicious.
Re: U.S. violent crime up again, more murders, robberies Man Awakens From 19-Year Coma Law hits Las Vegas 'fake' bands
Also, body text may include any of the following:
Decade Of Mystery: John Ramsey Speaks Man wakes from 19-year coma in Poland US vows to pursue hunt for missing soldiers Password for submitted attachment is xxx
Attachments are password protected Zip archives with random filenames but appear to come from news organizations. The binary inside has the filename v245o.exe and is now detected as Backdoor:W32/Spamuwi.A with database update 2007-06-05_01.