NEWS FROM THE LAB - October 2005


Monday, October 31, 2005

Family values Posted by Mikko @ 20:25 GMT

As you know, new variants of old viruses are named by using a variable letter. Virus.a, Virus.b, Virus.c...etc.

When we have more than 26 variants of a virus, we run out of letters. Then we roll over from Virus.z to Virus.aa, Virus.ab, etc.

For some virus families, even this is not enough. They've become so large (over 700 members) that we've ended up to variant zz. When we, of course, roll over start over with, Virus.aab, Virus.aac etc.

I was looking at some of the latest definitions we've put out and noticed that today we published detection for three new variants in the generic Trojan-Downloader.Win32.Small family:

  [+] Added Trojan-Downloader.Win32.Small.bts
  [+] Added Trojan-Downloader.Win32.Small.btt
  [+] Added Trojan-Downloader.Win32.Small.btu

Huh. Variant "btu". That's close to 2000 different variants. I wonder how long it takes until we have to wrap to Virus.aaaa.

For reference, here are the virus families that have already wrapped to "three digits", ie. over variant letter ".aaa". Some of these are generic families where the malware isn't really related but they are so simple and stupid they end up getting categorized to the same family anyway:


Friday, October 28, 2005

More on international phishing Posted by Mikko @ 21:16 GMT

Earlier this week we were talking about international phishing attacks. In addition to the 16 languages we listed, we've received reports of similar attacks in Turkey, in Turkish language.

And just tonight we saw the first phishing attempts against Finnish banks. Although in this case the phishing mails and the scam site were in English language.

The phishing site tried to lure people giving out several of their one-time passwords for the Nordea Solo online system. This kind of an attack is probably not going to be too succesful.

Fake bank site


Wednesday, October 26, 2005

Skype users, time to update your software. Posted by Jarno @ 07:40 GMT

Yesterday Skype published an security advisory about heap overflow in Skype user client. According to another advisory published by EADS/CRC this vulnerability is remotely exploitable, and is not affected by heap protection used in Windows XP or Linux.

So updating your Skype client is a really good idea.

Vulnerability details from Skype Advisory:

Bulletin title: Heap overflow in networking routine
Bulletin ID: SKYPE-SB/2005-003
CVE references: CVE-2005-3267
Risk assessment: HIGH

The following Skype clients are vulnerable to this attack:

Skype for Windows:
All releases prior to and including 1.4.*.83

Skype for Mac OS X:
All releases prior to and including 1.3.*.16

Skype for Linux:
All releases prior to and including 1.2.*.17

Skype for Pocket PC:
All releases prior to and including 1.1.*.6

Fixed versions:

Skype for Windows:
Release 1.4.*.84 or later

Skype for Mac OS X:
Release 1.3.*.17 or later

Skype for Linux:
Release 1.2.*.18 or later

Skype for Pocket PC:
No patch is yet available. This bulletin will be updated when it
has been made available.


Tuesday, October 25, 2005

Global phishing Posted by Mikko @ 15:42 GMT

So, phishing is going global.

We just got a report of the first phishing attack in Greek language. This attack targeted the customers of the Alpha bank online system. According to our local experts at Inter Engineering, the phishing message was sent very widely and was received by virtually every email account in Greece.

It's all greek to me

Official statement on the incident from the Alpha bank is available here. Also, our spam update 2005-10-25_03 blocks these messages.

After this incident, we're aware of phishing cases done in 16 different languages, including:

- English
- Chinese
- German
- French
- Italian
- Spanish
- Portuguese
- Russian
- Dutch
- Greek
- Swedish
- Norwegian
- Danish
- Hungarian
- Estonian
- Romanian

We have no reports of phishing emails sent in languages such as Japanese, Arabic, Hindi, Korean, Polish, Czech or Finnish.

If you can prove us wrong, please let us know by mailing us at the usual address: weblog at our domain

We also appreciate samples of phishing emails in unusual languages.


Monday, October 24, 2005

Cabir.AA and other mobile news Posted by Jarno @ 14:09 GMT

Today we got a sample of new Cabir variant SymbOS/Cabir.AA. Unlike most other Cabir variants, Cabir.AA is not hex edited minor variant of Cabir.A or Cabir.B. Instead, this variant has been recompiled from source code of original Cabir (which has been floating around in the underground). Otherwise Cabir.AA is very similar to other Cabir variants with the exception that it shows a scary bitmap image when the worm starts.

We shot a video in our RF lab of a phone getting infected with Cabir.AA. The video shows two phones being infected, one infected over USB cable and another over Bluetooth from the infected phone. In this video we also have one phone that has F-Secure Mobile Anti-Virus installed, which shows the Anti-Virus detecting and blocking the Cabir, so that user cannot get infected even if he would accept the Blutooth file transfer from infected phone.

Cabir_AA.wmv (30293k file)

Smaller video which has unneccessary waiting removed
cabir_aa_small.wmv (13285k file)

We also have news on Commwarrior front.

In the past couple weeks, we have seen increasing amount of stories in media about people who have had their phones infected with Commwarrior.A or Commwarrior.B. In many cases Commwarrior infection has caused large phone bills due to the amount of MMS messages it sends.

Many new operators have posted warnings about the Commwarrior spreading among users, for example recent warning from TDC mobile.

We also have updated our free F-Commwarrior tool so that now it can also handle Commwarrior.C. Commwarrior.C has quite efficient self protection, and disinfecting it without special tool is rather difficult for normal user.


Sunday, October 23, 2005

First MS05-047 malware found Posted by Mikko @ 10:25 GMT

We're currently looking at a botnet client known as "Mocbot".

This botnet client has been spread using the MS05-047 vulnerability. This is the first case of using this vulnerability in malware we've seen.

Symptom of an infection is the existance of a file called wudpcom.exe in the SYSTEM directory. The botnet client tries to connect to two IRC servers in Russia, but the servers seem to be down (or overloaded).

Info on this PnP vulnerability (not to be confused with the MS05-039 vulnerability used by Zotob) is available from the Microsoft web site.

Patch against this vulnerability was published in the last monthly update set from Microsoft. Patch now.

The vulnerability can be exploited via 139/TCP and 445/TCP.

Lab at work

Updated to add:

After further analysis, it turned out the actual vulnerability is not MS05-047 but the old MS05-039 (also used by the Zotob). The confusion was caused by the exploit code used by Mocbot, which resembles a publicly available exploit code for MS05-047. See the updated description of Mocbot.

Also, we received reports that the bot channel may instruct all joining bots to start automatically scanning for vulnerable computers, thus acting as automatic worms.


Friday, October 21, 2005

Back to the Virus Bulletin Posted by Mikko @ 16:49 GMT

As promised, here are the presentations we made during the Virus Bulletin conference in Dublin earlier this month.


Here's Kimmo Kasslin (with his stage assistant Jarkko Turkulainen), giving a presentation on rootkit techniques to an audience of around 300 people.

Kimmo & Jarkko

And here's Jarno Niemel� (with his demo assistant Mikko Hypp�nen), showing mobile trojans live on stage.

Jarno & Mikko

Download links:

Hide'n Seek revisited - Full stealth is back
Paper by Kimmo Kasslin, Mika St�hlberg, Samuli Larvala and Antti Tikkanen
Kimmo's paper

Kimmo's slides and Jarno's slides

Kimmo's slides Jarno's slides

(Jarno's paper won't be made publicly available at this time)


Thursday, October 20, 2005

Playstation Portable Trojan...the demo Posted by Dan @ 12:04 GMT

We blogged a story a couple weeks ago about the PSP trojan disguised as firmware for modified PSPs. A good story in its own right, but we wanted to see it in action. So what happens when a group of geeks gets an itch to destroy an expensive toy but nobody in the AVR lab is willing to pony up their own personal PSP? You make a call, get someone to donate a PSP, fire up the video camera & record it for posterity.

The result looks like this: bricking_psp.wmv (14427k file)

bricking_psp (31k image)


Jigsaw Piece - 682 Posted by Mikko @ 07:02 GMT


Monday, October 17, 2005

More information on Commwarrior.C Posted by Jarno @ 14:09 GMT

Commwarrior.C installing

We have now updated our virus description on Commwarrior.C.

It certainly does lots of things, and none of them are nice. This is probably the most dangerous mobile phone virus we've seen so far. Luckily it doesn't seem to be widespread .

Commwarrior.C spreads over Bluetooth in same manner as earlier variants, but the MMS functionality however is quite different.

First of all, Commwarrior.C goes through the address book and sends messages to numbers found in there, just like A and B variant did. But in addition, it also mimics the users MMS behavior. Commwarrior.C listens for any arriving MMS and SMS messages and replies to them with infected MMS! And when user sends a SMS message, Commwarrior follows this by sending immediatly a second message to the same address: an infected MMS.

The messages being sent by Commwarrior.C contain texts gathered from SMS messages that are stored on the phone, which means that the recipient of MMS message will receive a text that doesn't seem too strange.

Together these make a very strong social engineering trick: you send a SMS message to an infected friend, and his phone immediatly answers you back with an infected MMS, complete with message text stolen from random earlier messages!

Commwarrior.C also copies itself on any MMC card inserted into the phone, so it is also a virus capable of spreading to other phones if you share your card.

Regardless of the spreading method, the recipient still has to accept and install the SIS file of the virus, and accept the usual system warning of installing an unsigned application.

In addition of spreading, Commwarrior.C also contains some payloads, by which it indicates that it has infected the phone. On some phones the Commwarrior changes the operator logo to it's own logo which contains text "Infected by CommWarrior" .

The virus might also open a web page to the phone's browser. This website (which is hosted in Russia) has lifted some of it's content from our antivirus pages at

Compare these two pictures to each other: vs


Saturday, October 15, 2005

It's time to change your password.doc.scr Posted by Mikko @ 19:11 GMT

We've received some reports of a new massmailer spreading. This is detected either as a Mytob variant or as "Doombot". It mixes the code of Mydoom, Mytob and some IRCBots. Nice.

This is detected by our update 2005_10_15-01 as Email-Worm.Win32.Doombot.a.

Update: Five hours later, we got another one. Added in 2005_10_16-01 as Email-Worm.Win32.Doombot.b.


Thursday, October 13, 2005

New Commwarrior variant detected Posted by Jarno @ 13:59 GMT

commwarrior_c_install (45k image)

We just received a new sample of Commwarrior worm, Commwarrior.C.

The Commwarrior.C seems to function in similar manner as A and B variants, which means that is spreads over bluetooth using random file names and sends MMS messages. However as we just got the sample, the MMS message sending is not yet confirmed.

The sample that we received was posted in mobile phone forum in SIS trojan, which pretends to be pirate copied software SymCommander. So there might be people who have downloaded and installed Commwarrior.C and thus it might be in the wild, but we don't estimate it to be widespread at least yet.

F-Secure Mobile Anti-Virus detects Commwarrior.C with database update 53 that was published 13:31 GMT. So please make sure that your Anti-Virus is up to date.








Wednesday, October 12, 2005

Spyware vendor Mindset Interactive shuts down their business Posted by Stefan @ 11:19 GMT

Favoriteman and NetPal nuisances have after several years stopped. The company behind it has closed and we can report they have moved out of their company offices. All related web servers are unreachable and the already distributed Spyware no longer functions.


Like many Spyware vendors, Mindset Interactive has used multiple names to distribute their Spyware. That is why termination of the company behind it is such a positive turn.

Mindset Interactive was behind Favioriteman also known as F1Organizer, ATPartners, SpyAssult and Window Help 4 Smart Browsing. They also constructed NetPal, which had a massive numbers of games as distribution channels.

F-Secure will keep Favoriteman and NetPal in detection to clean out the final filth.


Tuesday, October 11, 2005

October's Microsoft Security Updates Posted by Ero @ 19:15 GMT

Microsoft released today updates for Windows covering 8 vulnerabilities affecting Windows and 1 affecting both Windows and Exchange.

The vulnerabilities rated Critical are MS05-050, MS05-051 and MS05-052. All of them could allow remote code execution, the first two due to vulnerabilities in DirectShow and MSDC/COM+ respectively; the latter one involves Internet Explorer and could be used to gain control of an unpatched system.

Four vulnerabilities are rated as Important MS05-046, MS05-047, MS05-048, MS05-049. All of them involve remote code execution. The affected components are �Client Services for NetWare�, �Plug and Play�, �Microsoft Collaboration Data Objects� and the �Windows Shell�. These are rated as Important as they require either user interaction, the attacker to log on locally, services not installed by default or services not vulnerable in their default configurations.

The last two, rated as Moderate are MS05-044 and MS05-045 affecting the Windows FTP client and the Network Connection Manager respectively.

Of all these, the three rated as critical might end up being used with malicious intent against unpatched machines. As usual, it�s recommended to update as soon as possible.


Nintendo DS trojan Posted by Mikko @ 16:51 GMT

Hot on the heels of the first PSP trojan, we've today learned about the first trojan for Nintendo DS handheld gaming console.

This simple trojan, known as "DSBrick" overwrites critical memory areas, preventing the console from booting.

We like Nintendo

Homebrewn software can be run only on modified DS units, so this is not going to be a big issue. Apparently the trojan has been distributed in as and

More info from Engadget.


Monday, October 10, 2005

Golden Hacker Defender Posted by Mikko @ 16:15 GMT

So, we're back from Virus Bulletin conference, everything went fine, including our presentations on rootkits and mobile risks. We'll be posting the papers and / or slides later this week.

golden hacker defenderBut while talking about rootkits, we received the first sample of Golden Hacker Defender around a month ago. This is the commercial private version of the Hacker Defender rootkit. Bad boys are purchasing this tool in order to hide their tracks...and might pay over 500 EUR for it, depending on the features.

The sample we got was found by a company from several of their Windows servers. The discovery was made while they were testing the latest beta version of BlackLight.

The most notable feature of this non-public Golden Hacker Defender is it's anti-detection engine. It is able to bypass most of the modern rootkit detectors. The anti-detection engine identifies detectors through a binary signature before the detector has a chance to execute. If the signature matches, the rootkit can disable some of its hooks or it can patch the detector's binary to modify its functionality.

In this case, detection was possible because the intruder had not yet updated his/her rootkit to include the signature of our latest BlackLight release.

So now we have developers of rootkit detectors adding detection of latest rootkits to their scanning engines - and developers of rootkits adding detection of latest detectors to their scanning engines.

In a sense, direct attack against rootkit detectors requires that the rootkits update themselves faster than the detectors. This is not always possible: F-Secure Internet Security 2006 contains a feature to automatically update it's BlackLight engine through anti-virus updates.


Sunday, October 9, 2005

Zafi says: "rolig reklam!" Posted by Mikko @ 18:11 GMT

New Zafi variant was found tonight. Like most members of this Hungarian virus family, Zafi sends messages with fake web links starting the local attachment, and changes the language of the message based on the address of the recipient.

The mails might also contain a fake "MSN Photo email" picture to fool recipients.


Friday, October 7, 2005

Two British virus writers jailed Posted by Mikko @ 18:15 GMT

from the old thr34t krew website
Two UK men were sentenced today at Newcastle Crown Court for their part in an international hacking group.

They were charged for writing the "TK Worm" in 2003. This was one of the early botnet clients.

TK Worm is detected by our antivirus as Backdoor.IRC.Demfire. The name comes from "Fire Daemon", which is the name of the service started by the virus.

Andrew Harvey (23) from Durham pleaded guilty to conspiring to "effect unauthorised modifications to the contents of computers with the intent to impair the operation of those computers" and was sentenced to six months.

Jordan Bradley (22) from Darlington pleaded guilty to the same and was sentenced to three months.




Thursday, October 6, 2005

PlayStation Portable Trojan Posted by Gergo @ 12:05 GMT

Older versions of the PSP firmware (eg. 1.50) have a vulnerability that allows easy execution of custom code on the device. Every since Sony has fixed the flaw in newer versions, the firmware downgrade to 1.50 became the "Holy Grail" of PSP homebrew development. After the discovery of a buffer overflow in version 2.0 of the PSP firmware, many rushed to be the first to release a working firmware downgrader.

PSP Trojan

Soon, one of these firmware dowgrade tools turned out to be a trojan that renders the PSP unusable. The infamous patcher from PSP Team removes a few important system files from the flash which makes the system unbootable. Our analysis confirmed these reports.

This tool has been reported to be the first "PSP virus" by many sources. Since it does not replicate in any way, by our definition we can call it a trojan at most. It definitely falls under the malware umbrella term, however.

It is worth mentioning here that, according to Sony, running any unauthorized code on the PSP will immediately void the warranty.

PSP Updates has details on the story.


New dropper of Sober.S found Posted by Katrin @ 11:49 GMT

After the Sober.S worm has been spammed, we started to get reports of a new dropper for it. More information about it is available in the description of Sober.S.dr.


New Sober, new CME Posted by Mikko @ 07:51 GMT

wenn ich aber wieder mal die falsche person erwischt habe, dann sorry f�r die bel�stigung
This German worm has been spammed during last hours. We have several sightings of the seeding but no real infection reports.

This variant sends itself either in a generic English message or a longer German message from "Kerstin", "Rita", "Hannelore" etc. The message tells a story about a school reunion, and asks if you are the person in the attached picture...which of course is not a picture.

This is also a good opportunity to showcase the new Common Malware Enumeration (CME) initiative, which has been introduced today at the Virus Bulletin 2005 conference in Dublin.

This new Sober variant goes by a variety of names, including Sober.R, Email-Worm.Win32.VB.b, W32.Sober.Q@mm, W32/Sober-O etc.

However, the CME identifier for this threat is: CME-151. And all the important vendors use the same identifier for it.



Wednesday, October 5, 2005

Phish down, spam up Posted by Era @ 12:01 GMT

Graph showing recent tidal rise in spam (44k image)

Over the last week or so, the volume of spam has been rising markedly. There is of course some variation between domains, but here is one typical example, from one of the domains we monitor.

At the same time, the number of phishing messages has been stabilizing. At one point in July, there was a tremendous number of basically identical Ebay and PayPal scam messages in transit, but we are no longer seeing those in large numbers (although they are still around, but in modest volumes).

This marked rise appears to be caused by a large number of matchmaking spams. So it would seem that the activities of a single determined (or crazy, if you will) spammer can still make a difference.

Unfortunately, we hereby speculate that no corresponding sharp decline will be noticed when this vandal is nailed ...


Tuesday, October 4, 2005

Nordic Phishing Posted by Mikko @ 11:07 GMT

Phishing attacks have been jumping from one geographical area to another. First we saw them in USA. Then in Australia. Then UK. Then in Germany, localized to German language. In early 2005, we saw isolated phishing cases in Denmark.

Last night an unknown party launched a large-scale attack against Nordea Sweden. Nordea is the largest bank in Nordic countries. It also operates one of the largest internet banks in the world, with over 4 million internet customers in eight countries.


Basically this was a normal phishing scam: somebody spammed a large amount of spoofed emails with links pointing to a fake bank. What made it different was two things:
1. The phishing emails were in Swedish
2. Nordea operates a one-time password system

The one-time password system in use by Nordea Sweden consists of a scratch sheet, where you will scratch to uncover the next available pin code for login.

Attacking a site like this is quite a bit more challenging than attacking banks authenticating users with a bank account number and a constant 4-number pin which never changes.

However, that's just what has now been attempted.

The fake mails were explaining that Nordea is introducing new security measures, which can be accessed at or (fake sites hosted in South Korea).

The fake sites looked fairly real. They were asking the user for his personal number, access code and the next available scratch code. Regardless of what you entered, the site would complain about the scratch code and asked you to try the next one. In reality the bad boys were trying to collect several scratch codes for their own use.


As the scam was uncovered, Nordea Sweden shut down their whole internet bank. Apparently this was done in order to prevent the scammers from using the codes to move money around.