NEWS FROM THE LAB - August 2006


Thursday, August 31, 2006

Mobile Spy Tool (With Video) Posted by Jarno @ 08:30 GMT

Let's suppose you have a keylogger installed on "your" computer. Would you mind? There are a number of factors to consider: who is the owner of the computer, where is it physically located, and what are the local laws in effect? If it's at work and provided to you by your employer in a country with no laws against it, then you might mind — but there's nothing you can do about it. However, if we were speaking of your personal computer located in your own home — then of course you would mind. You might even be outraged.

How about your phone?

For the last several weeks we've been researching monitoring tools and spy applications that run on the Symbian OS as well as on other mobile phone platforms. And what we have discovered is rather interesting.

We originally thought that such software would still be a rather limited phenomenon and that there would be only a couple of vendors making spy tools for smartphones. But it turns out that there's quite a cottage industry that has been lying low and by and large has been able to escape attention. We found several vendors either making software for Symbian smartphones or selling hardware-modified versions of just about any phone available. All the phones and software we found provided a rather similar set of features.

A typical feature set includes SMS forwarding, SMS and voice call log information, remote listening, covert conference calling, and some even include localization services. This basically means that if the victim has a full-featured spy application installed on their phone, they have no privacy whatsoever and that the one controlling the software has access to all of the information that the phone has.

The spy software vendors state that their software should be used only in accordance with local laws. And that a typical application for such tools is to keep track of your spouse (in order to catch possible cheating), or to monitor your children, or just to keep track of your own phone use.

But of course the vendors take no responsibility for how their software is actually used, and in many countries such monitoring is viewed as a gross violation of personal privacy and can end up in a jail sentence. And these tools have darker uses such as industrial espionage, identity theft, or stalking.

Play Acallno Demo

In this video (WMV) (XviD) we demonstrate the use of one of the monitoring programs that we are investigating - Acallno.A. It's an SMS spying tool that forwards all sent or received messages to an additional number configured by the individual who installed it on the target phone.

We have added the detection of Acallno.A into F-Secure Mobile Anti-Virus as spyware. Acallno.A is a pseudonym for the real software name. We are in the business of informing our customers of what is running on their phone, not promoting commercial spy utilities.

Acallno.A is tied to the target device's IMEI code, so you have to have hands-on access to the phone; you cannot just sneak it onto anyone's phone. Nor can it simply be bundled into a trojan or distributed by any other method of mass installation.

As monitoring tools are not always illegal, and there might be legal uses for Acallno.A or any other such software, it is possible for users to release the detected spyware so that Anti-Virus allows its use. If you really want to do that, then please consult the product documentation.


Wednesday, August 30, 2006

Got Java? Posted by Sean @ 14:45 GMT

Java Runtime Environment (JRE) 5.0 Update 8 is available. That being so, we attempted to update via the Java Control Panel applet. The result was a prompt informing us that we had the latest version.

You Already Have The Latest Java - Image

That seemed odd so we searched for details and discovered that Brian Krebs has written a very interesting article on the matter.

To sum it up: Installing a JRE Update doesn't remove the older versions of JRE that are installed. So, any older security issues remain installed as well. You'll want to manually uninstall the old version(s) before "updating".

Multiple Java Folders - Image

If you have JRE installed, read Brian's column for more details.


Jump Around Posted by MikaT @ 10:13 GMT

This week we've encountered a cross-platform worm that's capable (at least theoretically) of spreading from a PC to a mobile device and back. To be more specific, the "Mobler" worm moves between Symbian and Windows platforms. Although it's quite nasty on the Windows side, it doesn't cause much harm on the Symbian device. It just copies itself to the memory card and tries to trick the user into infecting his PC.

© Franz Pfluegl - starfotograf. Image from

Technically there isn't any automatic spreading mechanism for Mobler to copy itself from one platform to another. It just creates a Symbian installation package that inserts a Windows executable on the mobile device's memory card. This executable is visible as a system folder in Windows Explorer - so it's possible for the user to accidentally open it and infect their PC while browsing the memory card's files.

Mobler poses no immediate risk to mobile device users in its present form. However, it's possible that virus writers might use it as a basis for more malicious malware. But then again, that could be said of previous cross-platform viruses and thus far a heavy hitter has failed to materialise.

For more information, see the descriptions for Mobler and Cardtrap.AK.


Monday, August 28, 2006

Are you a phisher? Looking for free hosting? Posted by Mikko @ 11:31 GMT

Tripod offers free web pages to anyone.

So you would think that they would try to avoid getting phishing sites hosted on their servers.

You know, doing the easy stuff. Like preventing people from creating new hosts with names like "pay-pal-redirect"? Or perhaps every now and then scanning user-created content to find obvious copies of eBay or PayPal login pages?

But apparently they aren't doing this. With a few trivial searches you can find several PayPal phishing sites on Tripod:

PayPal on Tripod

Some examples of sites that were active this morning:

Abuse messages have been sent about the above sites to both Tripod and PayPal (Update: Ten hours later, five of these sites were taken offline by Tripod).

How do you feel about this issue?

August 28th Poll Results


Friday, August 25, 2006

We Knew It Would Happen Posted by Era @ 12:08 GMT

Well, it did!

Specifically, somebody set up a PayPal phishing site which apparently is designed to perform a man-in-the-middle attack on your password. It displays a genuine-looking login box, and guess what?
You have to type in a valid PayPal user name and password — so it's probably doing a shadow login to the real PayPal site behind the scenes. Then, of course, the phisher has your password ... and credit card number, if you fill in that, too.

PayPal fake login screenshot

Luckily, we were alerted to this before it was actually spotted in the wild. We imagine the phisher is still working on going live with the site as we write this! Thanks to blog reader "Scarlet Pimpernel" for the tip-off, and to Kamil and Mikko for their research.

Needless to say, abuse notices about the phishing site have been sent.


Thursday, August 24, 2006

Final note on Intel drivers - For now Posted by Sean @ 13:56 GMT

On Monday we invited feedback - and we received e-mail from a good number of you. All but one reported the same issue that we are experiencing. The S24EvMON.exe process installed with the driver is using an ever-increasing amount of handles and memory. Many are finding this to be the case - click here for more details.


It seems important to note that the driver is not the source of the issue; it's the associated software. So what configuration have we tested now? The Intel software was uninstalled from Add/Remove Programs and the driver then re-installed from the Device Manager/Update Driver option using the 5.7MB download. We updated by having Windows pull the driver from the folder - not by running the update executable. Windows Wireless Zero Config doesn't have all of the extra features of Intel's PROSet, but it doesn't end up taking over all of your system resources either. So you can have the updated driver without the PROSet services. Hopefully Intel will have a fix for the software soon, as it's worth having installed.

Thanks to all those that submitted their observations.

Updated to Add: There are now reports, here and here, that Intel will post a fix to their website on Friday.

Updated to Add: Monday, August 28th. Downloaded the fix this morning from Intel and installed. Handles/Memory are stable and the PROSet is running well.


Wednesday, August 23, 2006

"FSIS2007 Don't Lie" Posted by Mika @ 13:50 GMT

Host-based Intrusion Prevention System (HIPS) is a term commonly used for behavior-blocking security software, i.e. software that watches for potentially dangerous behavior rather than matching known file signatures.

This morning we blogged about a "small dog" that installs a Trojan-Spy named BZub.BL. We decided to test our IS2007 beta with old antivirus definition fingerprints to see if it would detect the BZub variant - and it did. Below is a screenshot of the alert given by the System Control component.

FSIS2007 detecting BZub.BL

Note that this test used the default System Control setting of "Ask when case is unclear". In that mode our heuristics first determine if the application appears to be harmless or if it is something the user should be warned about. For expert users we recommend using the "Ask my permission" setting that provides utmost control but creates more noise in the form of question dialogs.

FSIS2007's System Control settings

The beta of our Internet Security 2007 is now available for download. Among many of the new features is the newly designed proactive defense - System Control 2.0. We believe this version is much improved and offers better protection against 0-day malware.

If you're technically inclined and are interested in trying out the new beta, you can get it from our beta site. There's an opportunity to win an iPod for testers.


Spammed Small.DOG downloads another BZub variant Posted by Francis @ 06:24 GMT

A new downloader detected as was spammed earlier today with German text as its message body and an attachment named Document.doc.exe.

Here's a sample screenshot of the spammed e-mail:

Small.DOG Screenshot

Small.DOG downloads BZub.BL, which is quite similar to the BZub.BS variant described in our previous weblog entry.


Monday, August 21, 2006

Working with the Intel Wi-Fi Drivers Again Posted by Sean @ 14:56 GMT

Seven days ago we revisited our post on Intel's Wi-Fi Drivers. The current driver release for the 2915ABG/2200BG wireless cards is After some initial troubleshooting, we managed to get things settled and everything working fine.

Well, over the weekend we noticed that software (S24EvMON.exe) installed with the driver seems to be leaky. It's eating tons of file handles and tons of memory — and it continues to grow! See the screenshot:


We don't know if this is the case for everyone, but it seems to be the case on all the laptops we checked. (Personal and work machines.) We've submitted the issue to Intel through their customer support - let's see what we find out. Perhaps the need to patch the security problems created other issues?

Feedback is welcomed. Use the e-mail address at the top of the weblog.

Updated to add: Intel's tech support has replied. They are aware of the issue and are currently at work on it. No official release date yet. We'll let you know.


Friday, August 18, 2006

BlackLight Command Line Posted by Sean @ 16:02 GMT

Just in case you missed our earlier post, we have a new command line version of F-Secure BlackLight.

F-Secure BlackLight Beta Command Line

For those of you (Sys Admins) that are interested, you can download the new tool from the same location as the GUI. You'll find instructions and some examples here. Or else just download and use "--help" to get started. You'll find the feedback e-mail address on the download page.


Thursday, August 17, 2006

More on Haxdoor.KI Posted by Mikko @ 18:11 GMT

As you see from the image below, taken from our Virus Worldmap service, most of the reports we continue to receive from Europe are about this one malware: Backdoor.Win32.Haxdoor.KI.


We believe there's a single group, most likely from Germany, behind this and the ongoing Deutsche Telekom and eBay "Rechnung" malware spams that keep bugging European users.


Haxdoor.KI Being Spammed Posted by Sean @ 13:27 GMT

There's a spam run of a new Haxdoor variant - Haxdoor.KI - now detected as

We have reports of it being spammed in both Swedish and German language messages. The Swedish attachment is a zip file named The German attachment is named

Haxdoor.KI E-Mail Message

The text of the message and the names of the attachments are the same as the spammed malware from last Tuesday. But the malware inside this message is completely different.

Here's a screenshot of Haxdoor.KI being detected by BlackLight:

BlackLight Beta Command Line in Action

As you can see from the screenshot, we now have a command line version of BlackLight. The new command line tool is available now at We'll have more details on it soon.


Time for Skhool Posted by Sean @ 10:01 GMT

ABC Game

Last week, a weblog reader e-mailed to ask about our F-Secure School Schedule. Well, it has returned. To celebrate the beginning of a new school year, our ABC pages are now online.

Two school schedules (PDF) are available as well as other fun and games. The site has been designed with kids in mind as a nice and simple way to inform them of Internet threats.


Tuesday, August 15, 2006

Root Kit video available on Posted by Mika @ 13:48 GMT

Australian band Root Kit - a favorite of ours - was the runner up in Gidol at's Original Competition Demo. Root Kit received 4796 votes. Gidol, not affiliated with Google, holds online competitions using publicly available Google Videos.

If you have missed Root Kit's video "Patch Me Up", then you should definitely check it out at Google Video. Listen to the lyrics carefully; there's some sound security (and love life) advice in there.


Monday, August 14, 2006

Rakningen.exe going around Posted by Mikko @ 19:30 GMT

There's been a spam run of a new backdoor application that we now detect as

This was spammed in Swedish e-mail messages with an attachment called Räkningen.exe or Rakningen.exe - which means "Bill" in most Nordic languages.


The actual trojan is very similar to the ones we've seen before targeting German-speaking users (with "Rechnung.exe"). When run, the trojan drops a file named ipv6mons.dll which monitors user activities.


Intel Wi-Fi - Drivers Only Posted by Sean @ 16:11 GMT


Over the weekend we received some feedback regarding our Intel driver post. It looks like Intel has made their Wi-Fi driver downloads easier to handle. The 129MB download that included both 32- and 64-bit versions of the PROSet software has since been broken into two separate downloads of about 50MB each.

It also appears that sometime on the same day as our posting, Intel made a driver only download available. The download file is only 5.7MB and should be much easier to handle for those of you that have been holding off on updating.

A big Tip of the Hat to reader Robert A. for the links!


Sunday, August 13, 2006

IRC bot exploits the 5-day-old MS06-040 vulnerability Posted by Mikko @ 08:23 GMT

Hopefully everybody followed the advice we gave five days ago. We've just located the first bot exploiting one of the remote code execution vulnerabilities patched in last Tuesday's patch set by Microsoft.

The bot, known as Mocbot aka is apparently only able to spread to Windows 2000 and perhaps to Windows XP SP1 computers.

Our update 2006-08-13_01 detects this bot.

The bot connects to IRC servers at:

Network admins might want to monitor connection attempts to those hosts from within their network.

More info on the MS06-040 vulnerability.


Friday, August 11, 2006

A-Positive Friday #1 Posted by Kamil @ 12:59 GMT

We often get so-called anti-spyware applications to test. While doing so, we notice that some of them are not really into removing spyware from your system, they prefer to remove the contents of your pocket. (Rogues.) Here's a couple of funny screenshots for you to end your week with. Enjoy:


The images were captured on a virtual machine running Windows XP. Trust us, a Desktop.ini file from a clean install is not a critical risk.


Names have been obscured to protect the guilty!


Tuesday, August 8, 2006

Black Tuesday Posted by Mikko @ 18:29 GMT

It's the second Tuesday of the month and Microsoft has released a bunch of patches. Most of which affect most of you. And most of which enable remote code execution.

Nasty stuff. Like PPT files that will run code when you click on them.

Patch now.

More info.


Monday, August 7, 2006

Khallenge Results Posted by Sean @ 07:58 GMT


The results of the F-Secure Reverse Engineering Challenge Compo can now be found at

Our three top prizewinners are: Kaspars Osis - Latvia; Igor Skochinsky - Belgium; Pasi Parviainen - Finland. They won, in the order named: a 60GB iPod, a Sony PSP, and an iPod Nano.

Two additional winners chosen from the correct answers to the third challenge are Anssi Kolehmainen and Kyynaama/Deviate of Finland. They'll be invited to lunch here at our Helsinki Labs.

Reader Daniel W. wrote: "I didn't have all that much time to spend on the Khallenge, but I doubt that I would have been able to unravel Level3 even if I had had the time. Please heap ample incentives onto Otto to make sure he stays on the side of the "Good Guys" -- I would *hate* to have to deal with a piece of true malware written by him. Thanks for the good fun!"

Otto is genuinely a good guy, so no worries there we think.

The three challenge programs each used different tricks. The last/third made a virtual code maze that you had to maneuver through. Alexander Sotirov had the coolest solution to this; he actually drew a picture of the maze in order to solve it. Nice one Alexander! Although you didn't finish early enough to qualify for prizes, we'll send you a tee shirt or something.

Alexander Sotirov's Maze


Friday, August 4, 2006

Updated Commwarrior.Q Description and Disinfection Method Posted by Jarno @ 12:55 GMT

We have finished analyzing the latest Commwarrior variant - Commwarrior.Q.

Commwarrior.Q Source Code

While we were reverse engineering the sample we found an interesting feature within. The Commwarrior.Q and C variants both have an internal deactivation mechanism. Creating a file named "noboot" in the e:\system\temp folder will prevent Commwarrior.Q and C from starting when the phone is rebooted.

So to disinfect Commwarrior.Q and C:

Kill the Commwarrior Process

  1. Install a third-party file manager
  2. Create a file using the file manager named "noboot" in the E:\System\Temp\ folder
  3. Reboot the phone

Install F-Secure Mobile Anti-Virus to finish cleaning up your phone

  1. Open the phone's web browser
  2. Go to
  3. Select the "Downloads" link and then select the phone model
  4. Download the file and select open after download
  5. Install F-Secure Mobile Anti-Virus
  6. Go to Applications Menu and start Anti-Virus
  7. Activate Anti-Virus and scan all files


Assembly Reverse Engineering Khallenge - and the Return of Otto Posted by Mikko @ 06:59 GMT

The Assembly 2006 party is in progress and the F-Secure Reverse Engineering Challenge Compo for Assembly '06 has officially started - exactly now. This is a competition where the target is to decode programs in order to find hidden information. The rules for the challenge can be found here.

To start the challenge, go now to The contest ends on Sunday (August 6th 2006) at 11:59 Assembly time. The competition is open to everybody worldwide. The prizes are nice: iPods, PSPs and such.

And just who is the Mystery Author of these challenge programs? We posted about this last week.

He's none other than 17-year-old Otto Ebeling. Last year Otto joined us for two weeks, and this year he spent his summer break working in our virus lab for two months.

One of last year's challenge programs captured Otto's interest and it was one of the reasons he asked to work in the lab. He wanted to meet the guys who authored the challenge. His training period went so well last year that we asked him back for summer work. And now, he's the guy that authored this year's challenge! He has also been busy developing new tools for the lab during the summer but now he's going back to school. It was great to have you with us Otto!

Otto at Work


Thursday, August 3, 2006

Intel Centrino Patch Follow Up Posted by Sean @ 11:53 GMT

On Wednesday we posted about Intel's latest driver release. We have since installed the new driver on some of our machines and have some tips for those of you that aren't system admins.

Driver Properties

While the download patches vulnerabilities, it isn't really a patch; it's a full-blown driver install with the Intel PROSet connection software included in 32- and 64-bit flavors. Hence the 129MB.

Now let's say you install that download on, say, an IBM ThinkPad T43. Did you update the ThinkVantage Access Connections software first? If not, then the ThinkVantage software might not recognize the new driver and it could lead to a system crash. If you do have the latest IBM software then the Intel driver works, but there seem to be a few small issues. Or at least on one machine the toggling on/off of the Wi-Fi radio leads to a maximum connection time of 5 minutes. Booting with the radio on to begin with works fine.

We've also seen cases where updating the Intel PROSet software makes the software lose all of your existing favorite networks and forget your existing WEP/WPA keys.

Currently Dell and IBM are providing driver version for the systems we checked. Those vendor driver updates were released in May and June and it's likely that both companies will have the new Intel driver available soon. In the meantime as there are no exploits in the wild, and unless you're ready to spend some time troubleshooting your system, you might want to wait for your laptop's manufacturer to provide an update. For the rest of you, have fun!

Do you have your keys?


Wi-Fi Hacking on Stage in Las Vegas Posted by Gergo @ 08:10 GMT

Gergo posting from Black Hat USA 2006
Wireless Drivers - Speakers: Johnny Cache & David Maynor

Slide One - Device Drivers

The talk was mostly about different protocol vulnerabilities in wireless LANs. They spent most of the time talking about different angles of why 802.11 sucks. ;)

The interesting bit was the few minutes long video at the end of the briefing. Apparently they have found a remote overflow in a certain wireless card driver. For the demo, an Intel-based Mac was used, with a third-party wireless card. It was not really clear whether the driver was included in OS X or came with the third-party network card. Nevertheless the net result is a connect-back remote shell on the Mac. Pretty impressive, and scary at the same time...

Details have not been released on the vulnerability yet; they are still working with the vendor (Apple?) on the fix. There has not been any hint on a connection between this and the Intel Centrino fix.

The long-standing suspicion has been confirmed but there is no evidence of this affecting a widespread device/driver yet. That is, until they release more information on the vulnerability itself.

The video can be found at Brian Krebs' Security Fix column.



Wednesday, August 2, 2006

WLAN viruses, anyone? Posted by Mikko @ 08:10 GMT

Intel Centrino logo

Intel has published a set of patches for Intel Centrino.

Centrino is not just a processor, it integrates WLAN and other features for laptops. The vulnerabilities are not related to the processor itself but to the wireless features.

The vulnerabilities are pretty awful. The worst of them "could potentially be exploited by attackers within range of the Wi-Fi station to execute arbitrary code on the target system with kernel-level privileges". So at least in theory, somebody could write a WLAN virus that would jump from one laptop to another if the laptops are too close to each other.

Patch now.

Intel page

Updated to add: What's going on here? To patch one stupid device driver, you need to download a 129MB patch file? Are we missing something here?



Tuesday, August 1, 2006

Why Not MySpace? Posted by SGMasood @ 15:09 GMT

After reading our post on Web Application Worms, XSS and social-networking sites, several bloggers have wondered why we didn't test MySpace, since that website's past security issues are what prompted our testing. Some even speculated that one of the two sites we were talking about was MySpace.

Demetri Martin - The Daily Show

No, one of the two vulnerable sites was not MySpace. And, well, we did look at MySpace, though it was a quick and dirty test just like with the other sites and nothing comprehensive. What we found was that MySpace appears to have a lot of defenses in place for preventing XSS and those defenses seem to work pretty well. It might be a direct response to all the current attention the website is getting because of its recent security issues. It is good to see websites taking security seriously, but unfortunately we cannot say this about most websites we come across.

In the earlier post, we recommended that users should patch their machines and web developers should start coding secure applications. The truth is that patching and using antivirus software will protect users only when the XSS exploit (which can be a web application worm) also relies on a browser exploit. In most cases, patching and using traditional security tools will not protect you from XSS exploits.

The only solution lies with the web developers and administrators. Their users' security is truly in their hands alone.

The guys over at SPIDynamics have recently published an interesting paper and Proof of Concept that expand the limit of what's possible with JavaScript malware.


Scammers Target Interpol Posted by SGMasood @ 14:53 GMT

The Register is reporting on a 419 advance fee scam site that is intended to impersonate Interpol. Like always, the goal is to fool people into believing that they are dealing with the real Interpol website.

Interpol Logo from

The scam site is quite convincing as the scammers seem to have leeched several hundred pages from the original site. The domain name doesn't raise much doubt either. The only giveaway - as Era here noticed while analyzing the site - is that much of the content, especially the news, seems to be from 2004. This might be because they leeched the content sometime during that year.

Admins might want to block For your reference, the real Interpol domain is


New Variant of Commwarrior Detected Posted by Jarno @ 12:41 GMT

Today we received a new Commwarrior sample - SymbOS/Commwarrior.Q.

Unlike most Commwarrior samples we have received, Commwarrior.Q is not just a hexedit of Commwarrior.B. Commwarrior.Q is a fully new variant with new functionalities.

Commwarrior.Q is based on Commwarrior.C and has the same functionality as Commwarrior.C, and more.

Like Commwarrior.C, the Q variant spreads via Bluetooth and MMS messages, and infects any memory card inserted into the device. Additionally, Commwarrior.Q searches the infected device for any SIS file installation packages and injects itself into any that it finds. That means that besides trying to spread by itself, Commwarrior.Q also tries to get users to distribute it - for example, through a game installation SIS that the user copies to a friend.

Commwarrior.Q is also the first Symbian malware that uses a random SIS installation file size when it replicates. The file size of the Commwarrior.Q SIS file varies between 32100 bytes and 32200 bytes. That makes it difficult to filter out of MMS traffic by file size alone.
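To show what the randomised size means for an MMS attachment filter, here is an added example in Python (not F-Secure's code and not part of the original post): it compares an exact-size rule, which works for variants with a constant SIS size, with a size-window rule over constructed attachment records. The attachment names and the simulated copies are assumptions; the 32100..32200 byte range is the one stated above.

```python
"""Added example (not F-Secure's code): why an exact-size attachment filter
misses Commwarrior.Q, and a size-window rule that still catches it.
The 32100..32200 byte range is the one stated in the post; the attachment
records and the simulated copies are constructed for illustration."""
from dataclasses import dataclass
import random

# Size range that Commwarrior.Q's SIS file varies within, per the post.
CWQ_MIN_SIZE = 32100
CWQ_MAX_SIZE = 32200


@dataclass(frozen=True)
class Attachment:
    """Minimal view of an MMS attachment as a gateway filter would see it."""
    name: str
    size: int


def is_sis(att):
    """Symbian installation packages carry a .sis extension."""
    return att.name.lower().endswith(".sis")


def exact_size_rule(known_sizes):
    """Filter style that works for variants with a fixed SIS size:
    flag a SIS attachment only if its size is in the known list."""
    known = set(known_sizes)
    return lambda att: is_sis(att) and att.size in known


def size_window_rule(lo=CWQ_MIN_SIZE, hi=CWQ_MAX_SIZE):
    """Flag any SIS attachment whose size falls inside [lo, hi].
    Catches every Commwarrior.Q copy, at the cost of also flagging
    benign SIS files that happen to fall in the window."""
    return lambda att: is_sis(att) and lo <= att.size <= hi


def simulate_replications(count, seed=1):
    """Constructed stand-in for `count` Commwarrior.Q copies sent via MMS:
    each copy picks a fresh size in the randomised range."""
    rng = random.Random(seed)
    return [Attachment(f"commwarrior_{i}.sis",
                       rng.randint(CWQ_MIN_SIZE, CWQ_MAX_SIZE))
            for i in range(count)]


def catch_rate(rule, attachments):
    """Fraction of attachments the rule flags."""
    hits = sum(1 for att in attachments if rule(att))
    return hits / len(attachments)


def compare_rules(copies):
    """Seed the exact-size rule with the single sample the lab received
    (the first copy) and compare it with the window rule on all copies."""
    first_seen = copies[0].size
    return {
        "exact_size": catch_rate(exact_size_rule([first_seen]), copies),
        "size_window": catch_rate(size_window_rule(), copies),
    }


if __name__ == "__main__":
    copies = simulate_replications(50)
    print(compare_rules(copies))  # exact-size rate is below 1.0; window rate is 1.0
```

The window rule is only a stop-gap: a benign SIS file of a size in the window is flagged too, so content-based detection (as the anti-virus database update does) is the real fix.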

When Commwarrior.Q is installed it will display an HTML page in the phone's default browser after a random delay.


The sample that we received came from a regular user, so Commwarrior.Q is in the wild, but we don't estimate it to be a large outbreak as we have received only one report so far. And as Commwarrior.Q displays an HTML page that states that the phone is infected, it's unlikely that Commwarrior.Q would cause a large-scale outbreak.

Commwarrior.Q is detected by F-Secure Mobile Anti-Virus with database update 103.


Viva Las Vegas Posted by Sean @ 08:25 GMT

It's that time of the year again. This week Las Vegas will be hosting Black Hat Briefings and DEFCON 2006.

Black Hat

There's always something interesting going on at these happenings - last year is remembered for the Michael Lynn / Cisco controversy.

Titles of some of the more interesting topics this year include:
  Zero Day Subscriptions: Using RSS and Atom feeds As Attack Delivery Systems
  Automated Malware Classification/Analysis Through Network Theory and Statistics
  R^2: The Exponential Growth in Rootkit Techniques
  Analysing Complex Systems: The BlackBerry Case
  New Attack to RFID-Systems and their Middleware and Backends
  Analysis of Web Application Worms and Viruses
  Six Degrees of XSSploitation
  Subverting Vista Kernel For Fun And Profit

Gergo and Paolo from our team will try to provide some reports while on location.