Monday, July 30, 2007

Testing a Bluetooth worm against the E90 Communicator Posted by Mikko @ 11:23 GMT

I'll be delivering presentations on the current state of mobile malware this week at the Black Hat Briefings and next week at Usenix Security.

In these presentations, one of the new findings I'll be announcing is that the Bluetooth user interface has been changed to be more malware-resistant in the latest Symbian-based smartphones.

In this video, available via our YouTube Channel, we are testing the Cabir Bluetooth worm against two Symbian S60 3rd Edition phones: the Nokia E60 and Nokia E90.

As you'll see, there are important differences on how these phones handle the situation.

Do note that Cabir is a S60 2nd Edition Bluetooth worm and wouldn't be able to successfully infect these devices even if the transmission were to be accepted.

Signing off,


Sunday, July 29, 2007

Another Messenger worm spreading Posted by Mikko @ 18:41 GMT

There's a MSN Messenger worm spreading.

It sends messages to other Messenger Contacts that are along the lines of:

  Psssssst .... just between me and you, please accept
  Looking for hot summer pictures ? well here they are !!

…and includes a link to a file hosted on seems to be an innocent bystander. They have been notified.

We detect the file as Backdoor.Win32.IRCBot.acd.


Saturday, July 28, 2007

Spam with XLS attachments Posted by Mikko @ 09:33 GMT

In the beginning spam was just text. – Spam filters adapted to block that.

Then spammers started to use html. – Spam filters adapted to block that.

Then spammers started to use images. – Spam filters adapted to block that.

Then spammers started to use PDF attachments. – Spam filters are adapting for that right now.

And now spammers are starting to use Office files…

Like this case in point. Let's say you receive an e-mail with just a zip. No subject field, no text content:

Zip Attachment

The ZIP contains a single Excel spreadsheet file:

XLS File

…and when opened in Excel… it's just stock spam.

Stock Spam

Such spam gets through filters better… and people probably pay more attention to them, too.

Of course, opening unknown XLS files is always risky as there might be malicious code embedded. However, in this case it was just spam.

What next? Attached MP3 files that are radio commercials? Haven't seen that yet but I'm sure somebody's already tried it.


Friday, July 27, 2007

Fun & Games Posted by Mikko @ 18:51 GMT

We're seeing a substantial seeding of a new Storm Worm variant.

The attachment is static, and the e-mails look like this (sender information varies):

Fun & Games

Inside is fungame.exe (md5: 2EEFD084D54649B4DA2176D6FEA24FB5).
Detection should be out by now as Trojan.Win32.Agent.auh.


Video - Cold Weather Testing the iPhone Posted by Sean @ 07:33 GMT

It gets cold in Helsinki during the winter months. So Finland is a popular place to perform cold weather testing – even when it's not winter. With this mind-set, Mikko and Dan grabbed a video camera, thermometer, gloves, and decided to test our lab's iPhone by taking it upstairs and putting it in the freezer.

iPhone in a Freezer:
iPhone in a Freezer

The video is available via our YouTube Channel.


When would you need to use your iPhone in freezing temperatures?
Perhaps not during the Summer Ice Fishing World Championships held in Pudasj�rvi
 Posted by Kimmo @ 06:02 GMT

On Wednesday we blogged about major seeding of Trojan-Downloader.Win32.Agent.brk. This is now happening again.


This time the e-mail attachment is named as

E-mail subjects have also been revised. Below is a list of some examples we have witnessed so far:

  Sunrise in your life
  Life will be better
  Good summer
  Do it for pleasure
  Life is good
  Wanna be slim?
  Good summer, dude
  Two Telephone Calls And An Air
  Be like me!
  To be slim
  Paradice in bed

The file is currently detected as Trojan-Downloader:W32/Agent.EXJ since database update 2007-07-27_01 which was released five hours ago.


Wednesday, July 25, 2007

Coming Soon: Reverse Engineering Khallenge Posted by Sean @ 14:35 GMT

Assembly 2007 – one of the world's largest demo parties – takes place in Helsinki next week. It will be held from Thursday to Sunday, August 2nd to 5th.


Last year we hosted an F-Secure Reverse Engineering Challenge Compo. We've prepared a challenge for this year as well. The competition's target is to decode programs in order to find hidden information. It consists of three Windows executable files.

The author of Khallenge 2007 is the Response Lab's youngest member — Kamil. His main focus is on antispyware response.

Kamil's Khallenge Posted by Mikko @ 12:27 GMT

There's a fairly large seeding of Trojan-Downloader.Win32.Agent.brk going on.


The e-mail messages that are sent typically contain as the attachment.

E-mail subjects vary but are typically "spammy" in nature:

  Action for pleasure
  Life is good!
  life is beautiful!
  Double energy
  Paradice in your bed
  View this price
  Return sunrise to your life!
  You can be young again!
  Paradice in your bed

We've had detection for this particular malware before the spamming really began on a large scale.


Monday, July 23, 2007

Bulletproof Hosting Posted by Mikko @ 13:33 GMT

So Google has these sponsored links in their search results…

Which is all nice and simple when you search for something like "flowers" or "clip art".

But try searching for "bulletproof hosting", and you'll get a bunch of Google sponsored links for companies that sell hosting for spammers:

Bulletproof Hosting

No, this can't be true… there must be some misunderstanding. Google wouldn't license their sponsored links for such businesses.

Let's follow the first link to see where these go.

Bulletproof Hosting

Well, duh.


Tuesday, July 17, 2007

Re:Solution VOB as Torrent Posted by Sean @ 13:00 GMT

F-Secure Re:Solution

One week ago we posted video to our
FSLabs YouTube channel.
We now have a high-resolution version of that video available for download.

The video can be freely used for in-house briefings, end-user education, et cetera.

You will need a media player that can handle VOB files, such as VLC, and a BitTorrent client.

Click here:
Re:Solution Torrent — 404MB.




Friday, July 13, 2007

Patch your Flash Player and Java Runtime Environment *NOW* Posted by SGMasood @ 21:59 GMT

Adobe and Sun have released patches today for several critical vulnerabilities that affect their respective Flash Player and Java Runtime Environment. Many of these vulnerabilities can be exploited to execute arbitrary code on victims' computers just by making them access a malicious URL using any application that invokes Flash Player or JRE. In English, this means that you can get hacked just by viewing a web page that contains malicious Flash or Java content.

Many of the vulnerabilities are cross-platform, and between them, they have most OS-browser combinations covered. You are vulnerable until you install the patches. Read the advisories from the vendors and grab the patches here and here.

There are no reported in-the-wild exploits yet, but we might see some soon as enough technical information required to build an exploit has been released publicly for at least a few of these vulnerabilities.


Thursday, July 12, 2007

QuickTime Update Equals Update QuickTime Posted by Sean @ 15:33 GMT

Apple released QuickTime version 7.2 yesterday. The update includes eight important security fixes in which viewing a maliciously crafted H.264 movie/movie/.m4v/SMIL file or visiting a malicious website may lead to arbitrary code execution. Apple's website has additional details.

The QuickTime update is available from Apple's Software Download for both Mac OS X and Windows. If you have iTunes or Apple Software Update installed, then you can just install iTunes 7.3.1 and QuickTime 7.2 will be included. If you only have QuickTime installed, perhaps on a corporate network, then you'll need to manually download the update.

It's important to update. Why? Because of stuff like MPack.

MPack is a PHP based malware kit that's sold as if it were commercial software. It includes updates, support, and additional modules can be purchased. It's very successful at the moment.

MPack Code

The kit uses compromised passwords to hack web servers and to insert an IFrame. If you visit a web page with such an IFrame, MPack's PHP script will be run and it will attempt to infect your computer. The PHP script is structured so that OS and browser versions are identified. The IFrame redirects to other PHP scripts depending on the details. These various scripts are easily updated by MPack's authors. Among the list of exploits it tries is one for QuickTime.

This new update may fix some of the QuickTime flaws known to malware authors. And it may also tip them off to new exploits. Apple's iTunes and therefore QuickTime is a very popular application. If everyone updates sooner than later it will shorten the window of opportunity for the bad guys. Patch your applications as well as your operating system.


U.S. Drug Enforcement Keylogging Posted by Sean @ 11:29 GMT

Should police "hack"? We asked this question last February. That post was about Germany's law enforcement and hinged on a legal analysis from the German courts.

Should police hack is still an open question. Do they hack is a different question…

CNET reporter Declan McCullagh has details on a United States Drug Enforcement Administration (DEA) investigation of alleged "ecstasy" makers that utilized keylogger software to gather evidence. This is only the second U.S. case that McCullagh has found any such activity approved by a judge. You can listen to's July 10th podcast for the full story. Listen to the first five minutes of the podcast.


Tuesday, July 10, 2007

Patch Tuesday, July Edition Posted by Ian @ 20:20 GMT

It's that time of the month once more and for July, Microsoft has released the following security bulletins: three critical, two important and one moderate updates.

MS Security Patch July 2007

These updates cover vulnerabilities for several applications, including Office Excel, Windows Active Directory, and .NET Framework for the critical updates. Most of these vulnerabilities allow remote code execution and one allows information disclosure.

For more information as well as links for the actual patches, see July's bulletin.

Video - Re:Solution Posted by Sean @ 13:37 GMT

There's a new video uploaded to our YouTube Channel. Subscribers may have already noticed since yesterday. The video is a brief history on the evolution of malware and the current characteristics of crimeware.


Note: High-res version coming soon to a weblog near you…


Monday, July 9, 2007

Fake alert emails Posted by Patrik @ 06:52 GMT


The same gang that has been sending out malicious links in e-mail messages appearing to be greeting cards or 4th of July greetings have now added a new look and feel to their e-mail. Now they might also look like malware, trojan, or spyware alerts from a Customer Support Center and the e-mail speaks about abnormal activity that has been seen from your IP address. All you supposedly have to do is to click on the link and run the file to fix it or else your account will get blocked. Needless to say the downloaded file is malicious.

Again the file is downloaded using an IP address and not a DNS name but his time around they've tried to disguise themselves with a text hyperlink. We detect the downloaded file as




Thursday, July 5, 2007

FSCSI and Visualization Tools Posted by Sean @ 14:52 GMT

One of our analysis tools is named FSCSI. It's what we use to generate a report of the changes made by malware when it runs. It makes snapshots before and after the sample is run and then compares the two for changes.

The FSCSI report provides a basic understanding of what the malware is trying to do, before the analyst begins to really dig into the code. Then the analyst has a better idea of what to look for and it speeds up the whole process. We even have and are further developing automated systems that use this tool.

Another thing that we can do with the FSCSI report is to visualize it in a graphical interface. This can be helpful when dealing with a complex place of code.

Patrik recently spoke to some press in Sydney. He demonstrated the visualization of FSCSI and ZDNet Australia has some video.



Wednesday, July 4, 2007

4th of July and Greeting Cards Posted by Patrik @ 06:56 GMT

During the last two weeks we've been receiving lots and lots of greeting card samples. So what happens is that someone gets an e-mail saying that they've received a greeting card from a friend, relative, or class mate and all they have to do to view it is to click on a link or go to a website and enter their eCard number. Below is an example:

Greeting Card Example

Pretty much all of the messages we've seen have used a visible IP address as the address to download the greeting cards from. The fact that it's using an IP address and not a domain name is a pretty good sign that you shouldn't click on the link.

As today is the 4th of July – Independence Day in the United States, it wasn't a big surprise that there has been lots of malicious 4th of July greeting cards going around. They work exactly the same way as the other greeting cards and the ones we've seen have all been using IP addresses for the clickable link. Again, stay away from them.

4th Greeting Card Example

What's great is that the security community is actively trying to get these sites shut down but the bad guys just keep on changing the IP address in the new mails. In addition, they keep changing the files that are being downloaded. It goes without saying that we're adding detection for them as we see new samples.

Monday, July 2, 2007

Apache Configurations and MPack Posted by Sean @ 16:47 GMT


SANS ISC Handler's Diary has a very interesting post regarding MPack and Apache permissions. With multiple websites being hosted on a single machine, only one of the websites needs to contain a vulnerable PHP script in order to infect all of the sites hosted if Apache permissions are not properly configured.

Italy recently experienced MPack compromises on thousands of web sites that were hosted by only a few machines.

Haven't heard of MPack? It a malware "kit" that sells online for $500 to $1000 USD. It's maintained as if it were legitimate commercial software with modular extras available and maintenance updates. This type of kit provides a layer of insulation to the malware author as he is only writing a tool, and it's other bad guys that are actually carrying out the crime.

Read more about MPack at CNET.