NEWS FROM THE LAB - September 2006


Friday, September 29, 2006

Reselling stolen information Posted by Mikko @ 11:42 GMT

Haxdoor rootkit-equipped backdoors are widely used - in the "Rechnungen" and "R´┐Żkningen" spam runs in Germany and Sweden for example.
A-311 Death
These changing Haxdoor variants are generated with a toolkit known as "A-311 Death".

The toolkit itself is sold on the Internet by its author, known as "Corpse" or "Korpsov".

Now, people who use such backdoors quickly collect a lot of information from infected computers. Information such as passwords, credit cards, and bank logons. Some of these attackers filter the logs they collect to find juicy information and then use it themselves. Others grep the data for e-mail addresses (to sell them to spammers) and for credit card numbers and bank logins (to sell them to fraudsters).

Then again, others take the easy way out and end up selling the logs as they are, by the megabyte. Here's a screenshot from one forum:

380mb of logs


Thursday, September 28, 2006

Poll: What OS do you run at home? Posted by Sean @ 15:02 GMT

So that we'll know a bit more about you, our readers - we'd like to ask what OS is running on your primary computer? Or in other words, the computing device that you use most often to browse the web, read your e-mail, play games, et cetera.

September 28th Poll Results


Tuesday, September 26, 2006

Real VML Patch is Out Posted by Mikko @ 18:11 GMT

Microsoft has released a patch against the VML vulnerability outside of their normal update cycle. Which is great.

The patch is available right now via

Get it.

VML Patch

Updated to add: For those of you that applied the work-around that we suggested, the vgx.dll file will need to be re-registered before applying the Microsoft Update. Otherwise, the update might not find anything to fix.

Use the command below from Start, Run:
regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

This holds true for any of the work-arounds suggested by Microsoft as well. If you do not yet see the Security Bulletins or the Update on your language version of Microsoft Update - it will be there soon. Microsoft is currently replicating the patch across their network.


Statistics - PurityScan and Softomate Posted by Elda @ 05:55 GMT

At the end of last week our internal statistics showed a strong spike in description requests for several long detected spyware applications. We wondered about the cause. Their activity had been flat for some time. Something new was installing them, but what? We needed a bit more information.

You can see from the images below that the spike drops after the 22nd. Detection for Licat.C was added at that time. The detection of the IM worm (installer) then caused the spyware to fall back to its normal levels.

PurityScan Description Stats

Softomate Description Stats

It seems that we may now have a new forecasting tool.


MSN Worm Used to Download Adware Programs Posted by Elda @ 05:53 GMT

We have received reports from customers of suspicious pop-ups that were being spammed through MSN Messenger. Below is a sample message:

Licat.C Example

When the link in the message is clicked, it automatically downloads a file named photo942.PIF. This file is the backdoor component of Licat.C. This is used to connect to[Removed].info and go.links4[Removed].biz

These websites contains a malicious IP address. Access to this address will again download other malware and adware from[Removed] and execute it on the infected machine.

One of the downloaded files is responsible for the pop-up messages that are being spammed via MSN Messenger. It arrives on the system with the filename sprT.exe. This file is also detected as IM-Worm.Win32.Licat.c.

Licat.C also attempts to replace the original MSN Messenger application client, msnmsgr.exe, with its own copy. The original Messenger file is renamed and is started by the copy. Deleting the Licat.C copy and renaming the original file, msgs.exe, may repair the installation of Messenger.

The other downloaded files are adware related. One is a trojan that drops a variant of PurityScan adware onto the system - detected as The other is a Softomate adware installer - detected as Softomate toolbar.

Nowadays, instant messenger worms are being used to install adware programs. Be suspicious of unsolicited links in your IM client. Below is an illustration of the process:


Updated to add: Adjustments have been made to this post regarding msnmsgr.exe. Please see the Licat.C description for additional details.


Monday, September 25, 2006

Warezov.AT Posted by Sean @ 12:44 GMT

There have been several posts regarding Warezov this month and it remains busy. It reached variant AA on the 12th and we have now reached variant AT. Detections for Warezov.AT were added with database 2006-09-25_01.

We've received several submissions of Warezov, so we published a Radar 2 Alert about it today.

IS2007 Note: We tested Warezov.AT as we did with an earlier variant, and System Control continues to block it automatically.


Hack In The Box - Malaysia Posted by Gerald @ 09:59 GMT

HITBSecConf2006 was held on September 20th/21st at The Westin Kuala Lumpur Hotel. Thanks to our new lab in Kuala Lumpur - it gave those of us here the chance to attend. We found all of the topics to be very interesting, had a great time, and look forward to next year.

Be Sure

You can find PDFs of the presentations here.


Friday, September 22, 2006

VML patching Posted by Mikko @ 14:49 GMT

There's an unsupported third party patch for the VML vulnerability available at ZERT.
We haven't tested it, so we can't recommend it.

But it's good to know something is available if this VML thingy really gets out of hand (which it hasn't yet).

Updated to add: Your mileage may vary - this patch might not work with everyone. See discussion at PC Doctor Guides.


Wednesday, September 20, 2006

VML Exploit - Internet Explorer Posted by Stefan @ 09:09 GMT

Outlook's Default Settings - Restricted Sites

Once again there is a browser vulnerability that allows for the remote execution of code. And the only action necessary to become infected is to view a malicious webpage using Internet Explorer or an HTML formatted e-mail.

It was discovered in the wild by Sunbelt. Microsoft published Microsoft Security Advisory (925568) yesterday regarding the issue. The update is currently scheduled for October 10th - the next regular patch Tuesday.

Like the WMF exploit it is advised to unregister the susceptible dll from the system as a workaround for the vulnerability.

To unregister the dll you should execute from Start, Run:
regsvr32 /u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

This differs slightly from Microsoft's recommendation - so as to include localized versions of Windows.

The vgx.dll component solely handles Vector Markup Language (VML). VML is a description format for browsers to draw vector graphics. Not too many websites use this format today - but rather display plain images. Also - it's only supported by Internet Explorer. Opera and Firefox implement Scalable Vector Graphics (SVG).

Use this link with IE to see an example of VML. If you have the dll registered, you'll see a clock. Once unregistered, you shouldn't see anything.

Microsoft's Outlook e-mail client is also potentially vulnerable for this exploit. But fortunately e-mail is treated as if from Restricted Sites by default, where Binary and Scripting Behaviors is disabled. By using a web-mail client and Internet Explorer you might still be vulnerable.

Unregistering vxl.dll

We strongly recommend implementation of this workaround immediately.


Monday, September 18, 2006

AutoIt.D and Agent.AXN Spreading via Yahoo! Messenger Posted by Francis @ 06:59 GMT

We have received some reports regarding AutoIt.D and Agent.AXN spreading via Yahoo! Messenger. AutoIt.D and Agent.AXN pops up a message randomly selected from any of the following messages in the screenshot below:

AutoIt.D Messages

Once the link has been clicked - it will redirect you until it downloads a copy of itself. And if it's accidentally executed, it will disable your Task Manager and Registry Editor. Moreover, it will set your Internet Home Page, Yahoo Buzz link, and Launchcast link to[REMOVED].

Be cautious in clicking these links, especially with the above mentioned strings.


Friday, September 15, 2006

Yuha de Fun Jinsa? Posted by Mikko @ 13:45 GMT

God damn
Just how hard is it to get one website off the net?

Over the last week, we've found several new variants of the Warezov family. They are all using the same website to download additional components and updates: We believe this domain is registered by the authors of this malware just for this purpose.

Likewise, earlier versions of Warezov used another domain for the same purpose: Yeah, where do they get these names from? I wonder if they mean something in some language?

We've now been trying to get off the net since last Sunday. I suppose other antivirus companies have tried too, and I know CERTs have been working on this (Hi Toni). However, it's still there, and the bad boys are still regularly posting new content in the specific download URL on this server.


Svensk politiker leker pirat? Posted by Stefan @ 13:19 GMT

Swedish elections are coming up this Sunday.

There's been a lot of coverage about a hacking incident between the parties.

But outside of that, one of the bigger issues in this election has been the attitude on P2P networks and file sharing - there's even a "pirate party" running. The sitting party, including party member Tomas Nordström, is in favor of stronger enforcement. The problem is, this week the politician was informed that he was sharing the entire contents of his hard drive, including the operating system, private pictures, and even party documents.

If you read Swedish, the article is available here.

At the bottom of the online article there is a poll about computer security. The question is: "Are you sure no one else can access the data on your harddrive?" As of writing this post, the percentages were - Yes: 37.6%, No: 51.7%, Don't know: 10.7%.

Poll Results


Wednesday, September 13, 2006

Video - FSIS 2007 Beta Demo Posted by Sean @ 15:26 GMT

Yesterday's post promised a video - and today we have it ready for you.

The video (WMV) (XviD) demonstrates FSIS 2007 Beta denying Warerov.U with its new System Control feature.

Play FSIS 2007 Demo

The default settings were used - Ask when case is unclear. For those of you testing the Beta, we'd like to suggest that after one week or so, System Control should be ready for you to set it to expert mode - Ask my permission. A week's time should be enough for all of your day-to-day apps to have been "learned".

We're interested in your feedback. You can e-mail us using the address at the top the weblog.

Just a small note about Warezov: It's been busy. Seems like it's been on some kind of binge since Sunday. It's back on the wagon as of this morning having reached the AA variant. We'll see how long it takes to run though another set of letters.


Opening of our lab in Kuala Lumpur! Posted by Patrik @ 04:18 GMT

Yesterday was the grand opening of our new Asian Technology Centre in Malaysia. Not only will this be our asian headquarters but more importantly for the readers of this blog, this is where we have the F-Secure Security Labs Kuala Lumpur. From now on, we'll handle cases from here together with our team in Finland. As there's a six hours time difference between the two labs, we can split the work between the two sites without much overlap.

Here are some pictures from the event.

Official opening
Our CEO and President, Mr Risto Siilasmaa and our Guest of Honour, Tan Sri Halim, the Chairman of MSC, officially open the new office in the traditional way.

Mikko speaking
Mikko talking about the latest threats in security.

Worldmap showing
Santeri showing a large group of visitors and journalists our Worldmap and Bluetooth Honeypot technology.

Analyst at work
Kimmo showing a group of visitors some of the tools we use and the work involved when analyzing malware.

The KL lab
This is what the lab looks like.

Thanks everyone for coming and let the work begin!


Tuesday, September 12, 2006

HIPS Update Posted by Sean @ 15:21 GMT

Steve H. - weblog reader and recurring e-mailer - wrote to suggest that it would be interesting to know how our FSIS 2007 Beta handles the malware on which we have recently been posting. How well does our new HIPS perform? We haven't mentioned it since our August 23rd post.

We think it's a valid point and we'll be looking into a way of publishing proactive detection statistics. As well as making note of the results on bigger cases.

DeepGuard Settings

And how does the new System Control feature do against Warezov? Using old virus definitions, we tested against Warezov.U and it was automatically blocked by the default settings. This results in a notification flyer to the user without any action required on his part. We'll post a demonstration video of it in action for you soon.

There was a new build of the FSIS 2007 Beta released last Friday. Click here for details on giving it a try.

Thank you to Steve for prodding us for an update.


Monday, September 11, 2006

Warezov Strikes Back Posted by Elda @ 08:14 GMT

Yesterday, we blogged about a new variant of Warezov being spammed around. Today, another variant has been seen spreading in the wild.

This new variant is now detected as Email-Worm.Win32.Warezov.u using database update version 2006-09-11_01.

It sends itself as e-mail attachments to addresses found on the infected computer.

Here's another email sample of this worm:

Warezov Example

Like yesterday's Warezov variant, it downloads another variant from[removed]/lt.exe. This downloaded file is now detected as Email-Worm.Win32.Warezov.t.

Once Warezov.U has been executed, it displays a notepad window with random character strings. This is used as a decoy mechanism to fool the users into thinking that this was the file executed instead of the actual worm. Below is an example:

Warezov Notepad

Let's see if these patterned attacks will continue striking tomorrow.


Sunday, September 10, 2006

Warezov / Stration being spammed Posted by Mikko @ 14:15 GMT

We're right now publishing an update for new Warezov / Stration variants that have been spammed within the last two hours. We will block this malware either as Email-Worm.Win32.Warezov.q or as Email-Worm.Win32.Warezov.r.

The worm is sending itself in various, different e-mails. Here's one example:

Warezov Example

This Warezov variant downloads additional components from[removed]/lt.exe. Admins might want to monitor traffic to that domain from their network.

When the malware has infected the system, it displays this reassuring message to the user:

Warezov Message


Friday, September 8, 2006

Next Tuesday's Preview Posted by Sean @ 14:19 GMT

MS Bulletin Advance Notification

Microsoft released their Advance Notification Bulletin yesterday. The September 12th patch cycle will include three security updates: two for Windows and one for Office. The Office patch is rated as critical and is most likely related to the recent Word 2000 vulnerability.

Just a reminder: Next month's cycle is the start of the fourth quarter when Microsoft plans to push Internet Explorer 7 as an automatic update. There's a toolkit for blocking the IE7 update - system administrators will want this until they can test for their production environments.

In other patch news: Microsoft released a patch outside of the regular monthly cycle. It happens to involve their DRM. There is an interesting take on the issue by Bruce Schneier at Wired News.


Thursday, September 7, 2006

JRE 5 Update 8 Posted by Sean @ 13:34 GMT

No Java?

Last Wednesday's "Got Java?" post generated number of e-mails regarding the silent removal of JRE 5 Update 8 from Sun's website. We don't know for how long it was gone, but it's now back on Sun's site. (As of September 7th at least.)

One reader asked about and commented on the system's use of previously installed versions of Java. So to clarify, the issue affected versions prior to Update 6. From Sun's site:

"Prior to 5.0 Update 6, an application could specify the version of the JRE on which it would run. With 5.0 Update 6 and later installed, unsigned Java Web Start applications that specify a version other than the latest installed will trigger a warning, requiring explicit user permission before the application will run. Signed Java Web Start applications are not affected."

See here for more details.

Updated to Add: Reader Mika N. wrote to comment that still offers Update 6 - while offers Update 8. So this is perhaps why some thought that the download was removed from the "java" site. And maybe the Update Now feature in the Java Control Panel checks rather than Confusing, eh? Thanks to all of you for your comments.


Tuesday, September 5, 2006

Keynoting Posted by Mikko @ 13:22 GMT

VB 2006 Programme

Virus Bulletin is the most important annual conference of the antivirus industry. This year's conference, VB2006, will be held next month in Montreal, Canada.

I've attended every VB Conference since 1993, so I was honored to learn that this year I have been invited to deliver the keynote presentation on the first day of the conference. Cool.

So, here's a rare opportunity to address hundreds of people working in my field. What to speak about? Well, I came up with a brilliant idea of documenting a recent case we were working with: an investigation into an underground network gang. Great.

The problem is that a friendly authority has just told me that I cannot speak about that case. Oops.

I have one month to come up with something, so I'm looking for help. Any ideas? What should I talk about in my keynote presentation at VB2006?

September 5th Poll Results

PS. Here's our blog posts from VB 2005 and 2004.