NEWS FROM THE LAB - September 2007


Friday, September 28, 2007

Reality Check Interview Posted by Sean @ 14:02 GMT

Riem Higazi of FM4's Reality Check interviewed Mikko while he was attending VB2007 last week.

You can listen to the audio here:

   FM4 Reality Check - Part 1
   FM4 Reality Check - Part 2


Hacker Tools vs iPhones Posted by Jarno @ 12:36 GMT

Msf3 HashdumpThe past week has been rather interesting on the iPhone front.

First, H.D. Moore of Metasploit has been working on iPhone support for the Metasploit Framework. The Metasploit Framework is a development system used by security professionals for vulnerability and exploit research. And having iPhone support in Metasploit makes security vulnerability and exploit research easier, which makes developing new exploits more likely.

Also in the news is that Apple's iPhone 1.1.1 firmware update breaks unlocked iPhones, which means that anyone who updates an unlocked iPhone will return it to an activation screen and reactivating the phone will be impossible. At least until someone figures out a new way to hack the phone that is…

These and other developments in the field will make iPhone security research very interesting. The fact that Apple is actively defending iPhone locking makes it a very tempting target for skilled hackers – both as worthy challenge and for bragging rights. This means that we'll probably see more details about the iPhone's internals in the future. It's already safe to say that the iPhone is probably the most well-known and understood closed system there is.

Unfortunately the amount of technical information makes it likely that sooner or later someone will misuse that information to create worm or some other malware. This will create an interesting problem for the security field as the iPhone is currently a closed system and it's not feasible to provide Anti-Virus or other third party security solutions for it.

So if someone were able to create a rapidly spreading worm on the iPhone, protecting users against it would be problematic.

Fortunately as Cabir and Commwarrior Symbian worms have proven, even mobile worms that are capable of infecting large user populations have been rather slow at spreading. Thus hopefully Apple will have enough time to react if iPhone malware appears.


Thursday, September 27, 2007

Weblog 2.0 Update Posted by Kamil @ 13:01 GMT

For those of you that read our posts via RSS feed — our Weblog's layout has been updated and we have introduced a few new features.

Check them out from:

Here's the "classic" layout:

Weblog Classic

The new layout includes a comment system:

Comments are currently moderated during the Helsinki day shift, be patient.

We've added navigation options:

For example – the FSLABS TUBE button will take you to our YouTube Channel:
YouTube FSLabs Channel

Post titles will now link to the individual pages we created a couple of weeks ago. We have also added additional navigation options to these pages.

The archive indexes remain in place for those that prefer that layout. (And to maintain legacy support, e.g. anchored links are still valid…)

We'll be adjusting the rss feed next week to point to the individual post pages. The ABOUT US button contains our contact information.

Signing off,

Wednesday, September 26, 2007

The Trojan Money Spinner Posted by Sean @ 09:33 GMT

Virus Bulletin 2007 took place last week in Vienna, Austria.

Mika Stahlberg from our Security Research Program gave a presentation there on Friday the 21st.

Virus Bulletin 2007 Presentation

Mika is the author of one of our analysis tools called Mstrings. The tool is part of the automation that assists us in identifying malware as Banking Trojans. His presentation, The Trojan Money Spinner, provides details on the nature of Banking Trojans and their function.

PDF files are available — Virus Bulletin Conference September 2007
The Trojan Money Spinner and Presentation Slides

Legal Stuff – Copyright is held by Virus Bulletin Ltd, but is made available on this site for personal use free of charge by permission of Virus Bulletin.

There is also a video excerpt available on our YouTube Channel.

Monday, September 24, 2007

Cards, Cards, Cards, Baked Beans, Cards, Cards... Posted by Sean @ 10:20 GMT

There are a high number of reports for Trojan-Downloader.Win32.Banload.DRS today.

It's very similar to August 16th's run of Agent.BRK.

This time the bad guys have once again returned to the attachment name of card.exe.

Trojan-Downloader:W32/Banload.DRS Statistics

The subject lines are recycled as well:

   Hot pictures
   Hot game
   Here is it
   You ask me about this game, Here is it
   Something hot

Our signature detection for this latest variant is included in database 2007-09-24_01.
Our DeepGuard System Control technology will have prompted users even before signatures were released.


Wednesday, September 19, 2007

Vienna Posted by Sean @ 16:41 GMT

Virus Bulletin 2007 ViennaVirus Bulletin Conference 2007 is currently taking place. It's in Vienna, Austria this year and a number of Helsinki lab members are attending. Our own Mika Stahlberg will be presenting this Friday.

So what's going on back at the lab(s)?

Kuala Lumpur Response has been training. And who's providing the training? Helsinki Research lab members. Two more guys away…

Due to the training in Kuala Lumpur, the guys remaining here in Helsinki have had their noses to the grindstone. There's been no slack this week. It's very busy, and yet also very quiet. There's only the quiet hum of malware being analyzed.



Monday, September 17, 2007

How to Find Phishing Sites Posted by Mikko @ 10:48 GMT

So you want to search for active phishing websites via Google?

You could start off with a simple search parameter like – inurl:paypal

Paypal Phishing

You'd get way too many results, and vast majority of them would be legitimate sites.

But if you kept scrolling down, you would eventually find this:

Paypal Phishing

Hmmm… Sounds phishy.

Paypal Phishing

Indeed, it's a live phishing site, located in the /eg/ directory of the site.

Now, let's have a look at the front page of the site.

Paypal phishing

Who would have guessed? "209 host locked" – the telltale sign of a rock phish site.

So, let's refine our original search and now search for – inurl:paypal intitle:209

Paypal Phishing

I rest my case.


Sunday, September 16, 2007

Storm Games Posted by Mikko @ 11:04 GMT

The latest tactic from Storm Worm: e-mails with links to a fake gaming site:

1000 Games

All the links from these pages point to ArcadeWorld.exe – detected by us now as Zhelatin.JP.


Friday, September 14, 2007

Weblog 2.0 Posted by Sean @ 23:23 GMT

We're building individual pages for our weblog posts. You can check them out from:

We'll update the indexes next week. In the meantime, please provide your feedback.



Wednesday, September 12, 2007

Patch Tuesday, September Edition Posted by Jose @ 05:33 GMT

Below are the lists of critical and important updates Microsoft has for this month.

Microsoft September Updates

These updates involve applications including Visual Studio, Windows Services for UNIX, Subsystem for UNIX-based application, MSN Messenger, and Windows Live Messenger. All of these could allow remote code execution and one allows an elevation of privileges.

For more details on these updates, here's the link to Microsoft's Security Bulletin.

BE SURE to update!

Monday, September 10, 2007

Seeing bubbles? Might be the Skype worm... Posted by Mikko @ 22:37 GMT

A Skype worm is going around. It's spreading via Skype's instant-messaging functionality, Skype Chat. Users receive English (or, in some cases, Lithuanian) messages from their friends with links to innocent-looking URLs along these lines:[removed]/dsc027.jpg[removed]/dsc027.jpg

Although the links look like they are pointing to an image, they are not. Instead, they point to a page that will try to download a program called DSC027.SCR to your machine.

We've seen at least two different versions of this malware so far. When run, they both display one of the default built-in wallpapers in Windows (Soap Bubbles.bmp):

Skype Bubbles

For more information, see our malware description and follow the Skype Heartbeat blog.


Sunday, September 9, 2007

Storm and NFL Posted by Patrik @ 15:41 GMT

Today we started seeing new Storm mails and the web pages changed layouts completely. Now the theme is National Football League (NFL) which is timely considering the 2007 NFL season started on the 6th of September. The website even has the correct score, statistics, and schedule information.

Storm and NFL

Storm and NFL

What's interesting is that the website they want you to visit doesn't contain exploit code anymore. To become infected you have to click on one of the links or on the picture (they all point to the same file – tracker.exe) and run the file. Still, this can change at any moment so don't click on any links you receive in these e-mails.

Thursday, September 6, 2007

sTORm worm Posted by Ian @ 19:02 GMT

A new round of storm worm attacks are playing on people's paranoia against being watched online.

This time the lure leads users to a "TOR download" page, which is… surprise, surprise… fake.


Clicking on the button in that web page will download a malicious file called tor.exe onto the system. This file is already detected as Email-Worm:W32/Zhelatin.IL.

Do note that the real TOR application is hosted on For those unfamiliar with it, it's a system designed to enable its users to communicate anonymously over the Internet.

T2'07 Reverse Engineering Challenge Posted by Kamil @ 13:47 GMT

T2 Conference - t2.fiIt's time for another reverse engineering challenge. This one is for the T2'07 Information Security Conference.

For this year's challenge I have written something special and let me I assure you, it won't be too easy!

As usual, the first one to crack the challenge will receive a free ticket to the conference, and another ticket will be drawn from among the others whom complete it.

The challenge will be available at – tomorrow – September 7th at 15:00 Zulu.

Signing off,

Not Vista Ready
Update: The challenge should now be available for download from

P.S. Win XP Required; it might be fully Win 2K compatible, but it's rather untested; Not Vista ready…

Troubleshooting Tips:
 — Run as admin.
 — Killing the process without entering a key will result in an unstopped T2 service.
You'll need to stop it with "net stop t2" from the command line.


Wednesday, September 5, 2007

HITBSecConf2007 in Malaysia Posted by Patrik @ 10:51 GMT

As usual for September, HITBSecConf is taking place and Mikko had the honor of doing a keynote speech about the state of online crime and malware.

HITB 2007

As is customary with HITB (Hack in the Box) the lineup of speakers are very good and this year folks such as Lance Spitzner, Emmanuel Goldstein, Window Snyder, and Dr. Jose Nazario are here to give their take on topics such as how to use Google to find malware, how to secure large development projects, and more. We also have a booth where we showcased some of our tools.


For the Capture The Flag (CTF) competition, the prize goes to the group from Vietnam with the prize money of 3,000USD; the second goes to the group from Switzerland with the prize money of 2,000USD; and the third prize goes to group from Korea with the prize money of 1,000USD.

Oh yeah, we also have a bunch of open positions in our Kuala Lumpur office so if you're in the area and are interested in joining us, please do come see us tomorrow.

Signing off,


Tuesday, September 4, 2007

Weblog Q&A - FSIS 2008 Posted by Sean @ 17:19 GMT

News from the Lab : Questions and Answers

On August 16th you wrote about the Usenix conference and mentioned/posted pictures of a hamster puzzle. I have tried searching for a supplier of this puzzle and have not had any success. Could you please tell me what the correct name of this puzzle is and who the manufacturer is?

The manufacturer is "ThinkFun" and the name of the puzzle is "Prairie Dog Town Stacking Puzzle". Daavid had limited luggage space so he trashed the box before leaving Boston. And since there are no Prairie Dogs in Finland, he kind of thought that they looked like hamsters. The manufacturer's name is on the puzzle, so we were able to perform a successful search. Try "prairie dog think fun" on Amazon and you should get a direct hit.


Will there be a possibility to comment on your blogs? Perhaps [some]time in the future?

The weblog's server sits within a secure isolated Security Labs network. It's not a part of our regular production network. When we add a post to the weblog it doesn't end up directly on the web. Once added we next "publish" the post, which then copies it to our Web server. Therefore, interactive features such as comments aren't really practical.

However – you can provide us with feedback using the address listed at the top of the page. Most of the team belongs to the address and we frequently reply. If there is interest, perhaps we might begin a semi-regular reader's feedback post.

When will F-Secure Internet Security 2008 be available?

The beta period is complete. The official release of F-Secure Internet Security 2008 was launched on September 3rd! You can download and try it now.

F-Secure Internet Security 2008


Saturday, September 1, 2007

Virenj�ger Posted by Mikko @ 16:27 GMT

Here's some weekend watching for our German readers.

Cybercrime - Yve

ZDF / 3SAT aired yesterday a half-hour documentary titled "Cybercrime". It features our lab systems and lab staff extensively.

The documentary is available online via ZDF.DE. Here's a direct link to the ASX stream.


P.S. If you speak Norwegian, here's another recent clip from NRK.NO. – Eivind's conversations with us are in English.


3D Spam Posted by Mikko @ 08:18 GMT

Image spam is old news. The spammers use botnets to send uniquely modified images in each spam e-mail. The images have to be unique – otherwise spam filters could just simply drop known spam images.

So far, the images have typically been modified by adding colors, changing fonts, and inserting random dots and lines.

Results have typically looked like this (URLs smudged to prevent accidental business benefits for the spammers):



Over the last few days, we're seeing more image spam that is rendering the spam text with a pseudo 3D layout:



Generating images like this is of course more computing intensive… but hey, spammers have lots of computing power at their disposal via the huge botnets they're running. It's not like they couldn't afford to render unique 3D spam for every recipient.