NEWS FROM THE LAB - June 2007
 

 

Friday, June 29, 2007

 
iFone? Posted by Sean @ 15:19 GMT

It's kind of quiet in the Helsinki Response Lab… but mostly because a number of people are away on summer vacation. Those of us remaining in the lab have been focused on the tasks at hand and on getting out the updates. And it's been keeping us busy.

So what's in the technology headlines this week? It seems that there's some new gadget for sale today. We're curious about the device's security features, but that will have to wait as we're a bit outside of AT&T's coverage area.

Let's take a poll:

June 29th Poll Results

Updated to add: Answer number four's intent is "couldn't care less". But it's too late now unless we reset the votes. Know what? We could care less.

 
 

 
 
Sunday, June 24, 2007

 
Good Mobile News from Spain Posted by Ian @ 18:11 GMT

The mobile world has been made a bit safer with the arrest of a 28-year-old man in Spain. Spanish police have reported that the man was arrested on suspicion of creating and writing mobile malware. The full report can be found here.

Though no name was given, one name does come to mind – Vallez of 29a – the author of the first mobile malware, Cabir.

 
 

 
 
Thursday, June 21, 2007

 
Midsummer Posted by Mikko @ 11:37 GMT

Ah, it's Midsummer. In Finland this is roughly as big a holiday as Christmas is.

Which means everything pretty much shuts down and many people start their summer holidays now – but don't worry, our labs continue operating normally, 24 hours a day.

Midsummer is in the middle of summer. That's why they call it midsummer. In fact, today is the longest day of the year in the Northern hemisphere. The solstice occurs at 18:06 UTC.

To illustrate this, here's a photo I took from an airplane yesterday as we were starting to land at the Helsinki airport. When I took the photo, it was ten past eleven. In the evening.

Juhannus

Hauskaa Juhannusta.
Mikko

 
 

 
 
Hola - Greetings From Spain Posted by Patrik @ 08:17 GMT

I'm in Spain right now attending the annual FIRST conference. I'm not alone: there are 476 attendees from 49 different countries. The majority of the people attending the conference work on a security response team, which sets the scene for some very interesting discussions.

FIRST 2007


The presentations here are great, there are six concurrent tracks, and this year they've introduced the Geek Zone, which is very much hands-on. To give you an idea of what's going on, today Jacomo Piccolini from CAIS/RNP in Brazil and Francisco Monserrat from IRIS-CERT here in Spain will let everyone play around with IRC-based botnets. Right now Robert Hensing from Microsoft CERT is giving a presentation and demo on how targeted attacks based on Office documents work. More importantly, he's talking about how the new file format used in Office 2007 should help make Office-based attacks more difficult to perform.

Hasta la vista,
Patrik
 
 

 
 
Wednesday, June 20, 2007

 
Where are we now? Posted by Sean @ 15:21 GMT

Mikko spoke at the Geneva Security Forum today. And Patrik is attending the 19th Annual FIRST Conference.

It's a busy season ahead…

Geneva Security Forum: June 20th – 21st, Geneva, Switzerland

Black Hat Briefings: August 1st – 2nd, Las Vegas, USA

Usenix Security 2007: August 6th – 10th, Boston, USA

HitbSecConf: September 3rd – 6th, Kuala Lumpur, Malaysia

Virus Bulletin: September 19th – 21st, Vienna, Austria

T2'07: October 11th – 12th, Helsinki, Finland

RSA Europe: October 22nd – 24th, London, UK

 
 

 
 
Monday, June 18, 2007

 
Twenty-One New Commwarrior Variants Sighted Posted by Jarno @ 12:27 GMT

Variant

We received an interesting collection of Symbian malware samples last Friday (15th). The samples were sent from a large telecom operator. Our thanks to Dawid.

What was interesting about the collection? It contained 21 – corrected June 19th 10:30 – new Commwarrior variants, all of them detected with generic detection. The variants were created by editing text strings in Commwarrior.A and .B variants.

What makes this case interesting is that all of the samples were intercepted from the telecom operator's network, which means that Commwarrior is still quite prevalent and that some people are making a lot of variations. But ultimately they are just wasting their time, as operators do care about what is going on within their networks, and all of the samples in the set were detected by the operator.

F-Secure Mobile Anti-Virus is able to detect all of the 21 – corrected June 19th 10:30 – new variants using generic detection. So the number of new variants is rather meaningless, but it is interesting to see that there seem to be many people with nothing better to do than to create new trivial variants of mobile malware.

 
 

 
 
Friday, June 15, 2007

 
WinHex Virus? Here you go... Posted by Alexey @ 14:45 GMT

WinHex

From time to time there appear proof-of-concept viruses for various platforms and applications that have their own scripting language interpreters. Almost a year ago a proof-of-concept virus for IDA (Interactive Disassembler Pro) appeared. IDA is our primary tool for reverse-engineering malware. No one in the industry was infected. As far as we know.

A few days ago someone sent us a new proof-of-concept virus. This time it was for WinHex, the powerful computer forensics, data recovery, and IT security tool. The virus prepends itself to all available .WHS (WinHex script) files. The infected WinHex scripts stop working, and the only thing they can do at that point is spread the virus further. We named the virus "Vred.A". Here's a short description of the virus…

The developer of WinHex has been notified of the case.

 
 

 
 
0.7 New Threats Per Day? Posted by Patrik @ 08:58 GMT

DB Update

Tyler Reguly over at ComputerDefense.org saw our weblog post on the missed VB100 test. We mentioned there that we release about six updates per day. He felt that it was overkill to do that many updates based on our number of new virus descriptions. The fact is that we normally only create descriptions for malware that is widespread, that is unique, that we get questions about, or that gets mentioned in the media. It has little to do with the amount of new malware our products detect.

As previously mentioned, we do about six updates per day. Yesterday we released four; the day before that there were eleven updates. And in every individual update, we might add as few as one or as many as 250-plus malware detections. On average it's about 300 new detections per day. And we do this regardless of whether the malware is widespread or not. We definitely release an urgent update if something is spreading actively, but even if it isn't, why would we wait for a full day or a week before releasing an update? The simple answer is that we don't: our job is to protect customers from all threats, big and small, now, not later.

Kurt Wismer over at anti-virus rants has also posted his thoughts on this.

P.S. If you want to see our updates and what we've added to them you can head over to our discussion forum where we automatically post an entry about each update. Alternatively, you can subscribe to this RSS feed.

 
 

 
 
Thursday, June 14, 2007

 
Data Security Summary - January to June 2007 Posted by Sean @ 10:51 GMT

F-Secure's Data Security Summary for H1 2007 is now available.

Click on the image below to view the video:
Summary video for H1 2007
The video is also available via our YouTube Channel.

 
 

 
 
Wednesday, June 13, 2007

 
FBI Headline: Operation BOT ROAST Posted by Elda @ 18:31 GMT

The U.S. Federal Bureau of Investigation (FBI) has launched an operation called Bot Roast that aims to disrupt botnet activities. This is a result of the growing botnet threat, which leads to further security issues such as information theft, fraud, and e-mail scams. This ongoing operation has already charged several individuals with cyber-crimes and has identified about a million compromised machines in the U.S. alone. In line with this operation, the FBI advises computer users not to contact the Bureau directly if they suspect that they have a computer infection. Instead, they ask users to contact their Internet Service Providers first, as stated below:

"First, if you believe your computer has been compromised, do not call the FBI directly. You should contact your Internet Service Provider. They can help you determine if your computer has been infected, and what steps to take to restore it. We are not in a position to provide technical assistance."

Because of this news, we are now anticipating that Internet Service Providers will receive a lot of calls. Maybe it's best for computer users to install an antivirus product or to scan their computers with an online scanner first to check and identify if any Bot malware exists on their system.

F-Secure provides a free Online Scanner.

For more information about the Bot Roast Operation, check the FBI's site.

 
 

 
 
Dang Posted by Mikko @ 06:17 GMT

VB100

We failed in the latest Virus Bulletin VB100 test. This is quite unusual for us. Since 2003, we've passed the VB100 test 16 times and failed once – this time.

So how come we failed? Because we shipped them a product with an old update file.

An old built-in update file is not normally a problem. Whenever a customer buys our product from a shop, he gets old updates on the CD-ROM anyway (we nowadays ship around six updates a day). The first thing the product does when run is that it downloads the latest updates.

Problem is, Virus Bulletin does their tests on isolated test systems without network connectivity. So they always use the updates that were provided to them with the product.

Now, we are aware of this restriction and should have known better. So there really is no excuse for us failing this test. Too bad.

Because of the old update file, we only got a 99.88% detection rate (as we missed one virus) and this caused us to miss the VB100 logo this time.

We asked John Hawes from Virus Bulletin for his comment. He said:

"After some investigation, we discovered that the product submitted for the test did not include the latest updates available at the submission deadline. After retesting with these updates in place, F-Secure comfortably detected everything on the WildList, and would easily have qualified for the VB100 award had the correct data been supplied. Their customers, with the benefit of automatic updates, would certainly have been protected by this solid and reliable product."

Thanks John.

 

 

 
 

 
 
Tuesday, June 12, 2007

 
Patch Tuesday, June Edition Posted by Jose @ 19:36 GMT

MS Security Patch June 2007

Microsoft's update for June includes one important, one moderate and four critical patches for vulnerabilities in Windows' Schannel security package, Internet Explorer (IE), Outlook Express, and Windows Mail. All of these could allow remote code execution and therefore it is a MUST to have these patches.

Please make sure to patch your systems to avoid attacks that could exploit these vulnerabilities.

See June's Bulletin for more information.

 
 

 
 
Safari Vulnerabilities Posted by SGMasood @ 15:11 GMT

Thor Larholm

Safari for Windows that is…

Thor Larholm has discovered a remote command execution vulnerability in the newly released Safari for Windows (Beta) just a day after it was released. The vulnerability is caused by Safari's failure to validate user-supplied strings before passing them as parameters to external URL protocol handlers. The vulnerability can be exploited to execute arbitrary code on a victim's computer just by making them view a malicious web page in Safari.

Some other vulnerability researchers have reportedly discovered more remote command execution vulnerabilities in Safari. However, as of now, only the vulnerability discovered by Larholm can be independently confirmed.

 
 

 
 
Vista Recovery Command Prompt Posted by Sean @ 10:27 GMT

Did you know that the Command Prompt tool found in Vista's System Recovery Options doesn't require a User Name or Password? And that the Command Prompt provides Administrator level access to the hard drive? For multiple versions of Windows? All you need is a Vista Install DVD and you're all set to go.

Just boot from the DVD and select the Repair option:

   Step 1

Then select the Command Prompt:

   Step 2

And you'll end up with an Administrator-privileged Command Prompt:

   Step 3

Interesting. You can find more details from Mr. Kimmo Rousku.

This kind of reminds us of a Windows XP Home feature. The Administrator account password for XP Home is blank by default and is hidden in Normal Mode. But if you select F8 during boot for Safe Mode, you can access the Administrator account and have complete access to the computer.

Physical security of your computer is paramount.

 
 

 
 
Friday, June 8, 2007

 
Upgrade your Yahoo Messenger immediately Posted by SGMasood @ 12:57 GMT

Yahoo has released an updated version of Yahoo Messenger to fix two critical vulnerabilities affecting separate ActiveX controls related to webcam functionality. Both vulnerabilities are buffer overflows that can be exploited to execute arbitrary code on a victim's computer just by making him/her/it view a malicious web page in Internet Explorer.

Yahoo Messenger

Very accurate and script-kiddie-friendly exploits are publicly available for both vulnerabilities. It is possible that crimeware distributors will start exploiting this for drive-by downloads. Therefore, please install the latest upgraded version of Yahoo Messenger (Version 8.1.0.401) as soon as possible. Yahoo will start distributing the new version soon through an automatic update, but until that happens, you will need to install the new version manually by going to the Yahoo Messenger download page. Quoting Yahoo:

Over the next several weeks, users worldwide will be prompted to update to a new version of Yahoo! Messenger upon signing into the service. If you choose not to update and you have not updated via this page or at messenger.yahoo.com, the vulnerability will still exist.


Yahoo has a very good track record of fixing security issues quickly. However, I feel it is not proactive enough in communicating the security advisories to their users. For instance, for the current issues, there is no notice or link on the Yahoo Messenger home page or any other part of the website asking users to install the urgent security upgrade. You won't find the advisory unless you are looking for it.

Update (10th June): I just noticed that Yahoo has now added a prominent "Security Update" notice to the Yahoo Messenger home page. Good work, Yahoo!

Signing Off,
Masood
 
 

 
 
Top10 malware registry launchpoints Posted by Mika @ 12:48 GMT

Most trojans, worms, backdoors, and such make sure they will be run after a reboot by introducing autorun keys and values into the Windows registry. Some of these registry locations are better documented than others and some are more commonly used than others. One of the first steps to take when doing forensic analysis is to check the most obvious places in the registry for modifications.

What are the most commonly used registry launchpoints then? We wanted to find out so we picked a collection of several thousand samples of malware and checked which launchpoints they were using. The results are presented in the diagram below. It should be noted that some of the samples used multiple launchpoints.

Top 10 Launchpoints

Please note that many of the launchpoints that malware uses are also very commonly used by normal software such as installers. You can also expect to find several entries there on a typical non-infected Windows host.

The locations of the keys in the top 10 are:

Launchpoint Table

As a summary: 39.8% of malware launchpoints are still in the good ol' "run" key in HKLM. Of course a clean "run" does not mean you are not infected, but it still is an excellent place to start looking (after running an anti-virus scan, of course) if you suspect that you have been infected.
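The check the post recommends, as an added example that is not F-Secure's code: a small Python script that parses a regedit export taken from a suspect host and lists every value found under well-known autorun keys, marking the ones that deserve a closer look. The key list and the review heuristics are the example's own choice (the post's top-10 table is an image and is not reproduced here); the export text, file names and paths are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Autorun keys this example inspects. This is the example's own list of
# well-known locations, not the post's top-10 table; the HKLM "Run" key
# the post names comes first.
AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

# Constructed regedit export standing in for one taken from a suspect
# host. Every path and file name here is made up for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="C:\\Windows\\SOUNDMAN.EXE"
"Updater"="\"C:\\Users\\bob\\AppData\\Local\\Temp\\svch0st.exe\" /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Foo 1.0"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Messenger"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon"="C:\\Windows\\Temp\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
'''

# One .reg value line: @=... or "name"=...; the name may contain \" and \\.
VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg escaping (a backslash protects the next character)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: data}}. String data is unescaped; other
    types (dword:, hex:) are kept as the raw text after the '='."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def executable_path(command: str) -> str:
    """Return the program part of a Run-style command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def review_entry(key: str, name: str, data: str) -> List[str]:
    """Heuristics (the example's own) that mark an entry for a closer look.
    An empty list means nothing stood out, which is not a clean bill."""
    reasons: List[str] = []
    path = executable_path(data).lower()
    if any(marker in path for marker in TEMP_MARKERS):
        reasons.append("program lives in a temp directory")
    if key.lower().endswith("\\winlogon"):
        if name.lower() == "shell" and path != "explorer.exe":
            reasons.append("Winlogon Shell replaced")
        if name.lower() == "userinit":
            parts = [p.strip().lower() for p in data.split(",") if p.strip()]
            if len(parts) != 1 or not parts[0].endswith("\\userinit.exe"):
                reasons.append("extra or replaced Userinit program")
    return reasons


def autorun_report(reg_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Every value under a known autorun key, with review notes."""
    wanted = {k.lower() for k in AUTORUN_KEYS}
    report = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in wanted:
            continue
        for name, data in values.items():
            report.append((key, name, data, review_entry(key, name, data)))
    return report


if __name__ == "__main__":
    for key, name, data, reasons in autorun_report(SAMPLE_REG):
        note = "  <-- " + "; ".join(reasons) if reasons else ""
        print(f"{key}\n    {name} = {data}{note}")
```

On the constructed export the script lists six autorun values and flags two of them (a program started from a user's Temp folder and a "ctfmon" living in C:\Windows\Temp); the benign sound driver and messenger entries pass, which is the point the post makes about installers sharing these keys. A clean listing is a starting point, not a verdict, and the heuristics are deliberately narrow so they can be extended with the reader's own knowledge of the host.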

 
 

 
 
Thursday, June 7, 2007

 
Still on the road Posted by Mikko @ 17:43 GMT

Cheers from Mexico City.

We're currently at Congreso seguridad en cómputo 2007. This is the most important computer security conference in Mexico.

We have a full house today and the venue itself is amazing: a 250-year-old palace called Palacio de Minería. I've spoken in a lot of places but I've never delivered a presentation in anything this cool.

Congreso seguridad en computo 2007 Mexico City

The speaker list for this two-day conference is very impressive. Peter Cassidy. Lance James. Lance Spitzner. Jose Nazario. Paul Vixie. Richard Perletto.

Lance James had an interesting comment during his presentation: according to their information, some phishing gangs are earning over five million dollars a month with their attacks.

Lance James live on stage in Mexico, Palacio de Minería

Signing off,
Mikko

 
 

 
 
Wednesday, June 6, 2007

 
On the road Posted by Mikko @ 10:53 GMT

Greetings from New York.

United Nations

Yesterday I attended the 19th Annual Information Security Conference. The event was held at United Nations headquarters in New York. The venue was definitely an interesting change of pace from the usual hotel-based conferences.

United Nations

Signing off,
Mikko

 
 

 
 
Tuesday, June 5, 2007

 
Real News with Real Malware Posted by Ian @ 04:12 GMT

The latest malware spam run is using gripping news headlines as e-mail subjects to hook unsuspecting victims. And while this is not something new, the use of actual news headlines can make it more difficult to distinguish it as malicious.

SANS ISC reports that the following have been used as subject lines:

   Re: U.S. violent crime up again, more murders, robberies
   Man Awakens From 19-Year Coma
   Law hits Las Vegas 'fake' bands


Also, body text may include any of the following:

   Decade Of Mystery: John Ramsey Speaks
   Man wakes from 19-year coma in
   Poland US vows to pursue hunt for missing soldiers
   Password for submitted attachment is xxx


Attachments are password protected Zip archives with random filenames but appear to come from news organizations. The binary inside has the filename v245o.exe and is now detected as Backdoor:W32/Spamuwi.A with database update 2007-06-05_01.
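The indicators in this post combined into one mail-filter check, as an added example that is not part of the original post and not F-Secure's product code: it parses a message, reads the attached zip's central directory (which is readable without the password), and quarantines when an executable sits inside a password-protected archive whose password is handed over in the body. The sample messages, sender addresses and archive name are constructed; the subject lines, body lines and the inner file name v245o.exe are the ones the post quotes. Because the standard library cannot write encrypted zips, the constructed sample only sets the archive's "encrypted" flag, which is what the scanner inspects.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Dict

# Subject lines SANS ISC reported for this run (quoted in the post).
KNOWN_SUBJECTS = {
    "Re: U.S. violent crime up again, more murders, robberies",
    "Man Awakens From 19-Year Coma",
    "Law hits Las Vegas 'fake' bands",
}
PASSWORD_HINT = re.compile(r"password for (?:the )?(?:submitted )?attachment is", re.I)
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_sample_zip(inner_name: str, mark_encrypted: bool) -> bytes:
    """Constructed archive holding a harmless placeholder under inner_name.
    zipfile cannot write password-protected archives, so when mark_encrypted
    is set the 'encrypted' general-purpose bit is flipped in the local header
    (offset 6) and in the central directory entry (offset 8 past its
    signature). That is all a listing-based scanner sees of a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(inner_name, b"placeholder bytes, not a program")
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        data[6] |= 0x01
        data[data.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)


def build_sample_mail(subject: str, body: str, attach_name: str, zip_bytes: bytes) -> bytes:
    """Constructed message in the shape the post describes (addresses made up)."""
    msg = EmailMessage()
    msg["From"] = "newsdesk@example.com"
    msg["To"] = "someone@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename=attach_name)
    return msg.as_bytes()


def analyze_mail(raw: bytes) -> Dict[str, object]:
    """Check one raw message against the campaign's indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    findings: Dict[str, object] = {
        "subject_matches_campaign": subject in KNOWN_SUBJECTS,
        "password_in_body": bool(PASSWORD_HINT.search(body)),
        "encrypted_zip": False,
        "executables_inside": [],
    }
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        # The central directory is never encrypted, so member names and
        # flags are readable without knowing the password.
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:
                    findings["encrypted_zip"] = True
                if info.filename.lower().endswith(EXECUTABLE_EXT):
                    findings["executables_inside"].append(info.filename)
    # Campaign shape: an executable in a password-protected archive, with the
    # password in the body. A subject match only raises confidence.
    hidden_exe = bool(findings["executables_inside"]) and (
        findings["encrypted_zip"] or findings["password_in_body"])
    findings["verdict"] = "quarantine" if hidden_exe else "deliver"
    return findings


# Constructed samples: the campaign-shaped one uses the subject and body
# lines quoted in the post and the inner file name the post reports.
CAMPAIGN_MAIL = build_sample_mail(
    "Man Awakens From 19-Year Coma",
    "Man wakes from 19-year coma in\n"
    "Poland US vows to pursue hunt for missing soldiers\n"
    "Password for submitted attachment is xxx\n",
    "news_report_83921.zip",
    build_sample_zip("v245o.exe", mark_encrypted=True),
)
BENIGN_MAIL = build_sample_mail(
    "Minutes from Tuesday's meeting",
    "Attached are the minutes.\n",
    "minutes.zip",
    build_sample_zip("minutes.txt", mark_encrypted=False),
)

if __name__ == "__main__":
    for label, raw in (("campaign", CAMPAIGN_MAIL), ("benign", BENIGN_MAIL)):
        print(label, analyze_mail(raw))
```

The verdict rule keys on the structural trick rather than on the subject lines, since the headlines change with every run while "executable inside an archive you need a password for" does not; the known subjects are kept only as a confidence signal.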