NEWS FROM THE LAB - October 2006


Tuesday, October 31, 2006 Posted by Mikko @ 22:03 GMT

How come we never see rogue domains registered under .gov or .mil? You know, like

Because not everybody can just go and register whatever domain name they want under those top-level domains.

So how come banks and other financial institutes are operating under the public, free-for-everyone top-level domains - such as .com?

This was the question posed to us by our reader William.

He writes: I read the blog about phishing domain names, and I couldn't help but think "how about a .Bank TLD that was only assigned to registered banks"


If the authorities can make this work with registered museums for the .museum domain, why couldn't they make it work with banks for a new top-level domain - such as .bank?

Of course, bad boys could still register similar-sounding domain names to whatever top-level domain they can. But I bet real banks would move their official online banking systems to .bank domains pretty quickly, and eventually people would get used to this.

For reference:

The British Museum


Monday, October 30, 2006

Sub-Zero Posted by Mikko @ 16:58 GMT

We're expecting our first snow any day now in Helsinki… the temperature is below zero (Celsius) and the wind is picking up.

And we're hiring! Welcome.


Update: The application deadline for those positions which were closing on Oct. 30th has been extended.


Friday, October 27, 2006

Reselling domain names... for phishing gangs Posted by Mikko @ 13:36 GMT

There's a very active aftermarket in domain names. These are domain names that have already been registered and are now being resold. For example, and are being auctioned today to the highest bidders and they are expected to be sold for several million dollars each.

But most domain names are resold for a few hundred or a few thousand dollars (where the original registration price is typically $5 to $15).

The largest domain resellers include Sedo and Moniker.

There's nothing wrong in reselling cool domains like, or to anyone who wants to buy them.

But how about reselling domains that obviously belong to banks or other financial institutions?

We made some searches on and found out that they are reselling domains like, and Now, why would anybody want to buy these domains unless they are the bank themselves - or a phishing scammer? Don't mix these with new registrations: these are existing domain names, already owned by someone - and now being resold via Sedo.


Other examples of obviously fraudulent domain names that are currently being resold:
  paypal-antifraud.com (Sedo)
  Chase

We also found that they are reselling accented domain names built with the letters "á" and "í" (an accented a or i in place of the normal letter), which makes for highly deceptive look-alikes of well-known brand names. The three examples we found are currently for sale to anyone via Sedo.

Domain name resellers should filter out obvious phishing site names.
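As an added illustration of the kind of filter we're suggesting (example code written for this page, not Sedo's or anyone else's real screening logic), here is a small Python check a reseller could run over a listing before it goes live. It folds accented letters back to their base letter so that an "á" or "í" look-alike is compared against the plain brand name, and it also catches brand-plus-lure-word names such as paypal-antifraud. The brand list, the lure-word list and the sample listing are constructed for the example; a real deployment would take them from the reseller's own policy.

```python
import re
import unicodedata

# Constructed lists for this example; a real reseller would load these from its
# own policy or from trademark holders' lists.
PROTECTED_BRANDS = ("paypal", "chase")
LURE_WORDS = ("antifraud", "secure", "login", "verify", "update", "account", "banking")


def strip_diacritics(text: str) -> str:
    """Fold accented Latin letters to their base letter: 'paypál' -> 'paypal'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def registrable_label(domain: str) -> str:
    """Return the label left of the TLD, decoded from punycode if needed.
    Assumes a single-label TLD such as .com, which covers the cases above."""
    parts = domain.strip().lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if label.startswith("xn--"):
        # An accented name is stored in the zone in this ACE form.
        label = label.encode("ascii").decode("idna")
    return label


def _tokens(label: str):
    return [t for t in re.split(r"[-_\d]+", label) if t]


def brand_in_label(folded: str):
    """Return the protected brand present as a whole token or glued to a lure word.
    Requiring a token boundary keeps 'purchase' from matching 'chase'."""
    for token in _tokens(folded):
        for brand in PROTECTED_BRANDS:
            if token == brand:
                return brand
            if token.startswith(brand) and token[len(brand):] in LURE_WORDS:
                return brand
            if token.endswith(brand) and token[:-len(brand)] in LURE_WORDS:
                return brand
    return None


def classify_domain(domain: str) -> str:
    """'homograph' (accented look-alike), 'brand-lure' (brand plus extra words),
    'brand' (exactly the brand name: leave to manual review) or 'ok'."""
    label = registrable_label(domain)
    folded = strip_diacritics(label)
    brand = brand_in_label(folded)
    if brand is None:
        return "ok"
    if folded != label:
        return "homograph"
    if folded == brand:
        return "brand"
    return "brand-lure"


def filter_listing(domains):
    """Split a listing into (blocked, needs_review, allowed) lists of (domain, verdict)."""
    blocked, review, allowed = [], [], []
    for d in domains:
        verdict = classify_domain(d)
        if verdict in ("homograph", "brand-lure"):
            blocked.append((d, verdict))
        elif verdict == "brand":
            review.append((d, verdict))
        else:
            allowed.append((d, verdict))
    return blocked, review, allowed


if __name__ == "__main__":
    # Constructed listing; the accented entry mirrors the pattern described above.
    listing = ["paypál.com", "paypal-antifraud.com", "chase-online-banking.com",
               "purchasecars.com", "paypal.com",
               "paypál.com".encode("idna").decode("ascii")]
    for name, group in zip(("blocked", "review", "allowed"), filter_listing(listing)):
        print(name, group)
```

Run as a script it prints the verdict for the constructed listing. A punycode name (xn--…) is decoded before checking, since that is how an accented name actually appears in the zone; the token-boundary rule keeps ordinary words such as "purchase" from tripping over "chase", at the cost of missing a brand buried inside an unrelated word.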

PS. Here's a rant on registering new bank-related domains.

Updated to add: Sedo responds. Jeremiah Johnston, Sedo's general counsel, says his company wants to "balance the rights of all users" and adds that at times, trademark owners "harass a lot of legitimate domain owners." Full article here.


Battery energy drink - Breakfast of champions Posted by Mikko @ 11:41 GMT

Our security labs were profiled in a feature in a local Finnish weekly publication last week.

The story mentioned that during late-night outbreaks we tend to drink lots of Battery, an energy drink.

Then yesterday, to our surprise, a courier delivered us a pallet of Battery. The shipment included a Thank You note from the marketing team at Sinebrychoff, the company behind the drink - apparently they had read the article too. Hey, nice! The drinks will be needed during the weekend if the Warezov virus situation continues as bad as it has been for the past few days.


So… is it really this easy to get free stuff via product endorsements?

If so, we would really like to play around with Nintendo(tm) Wii(tm) game consoles when we're not busy fighting viruses and our shipping address is F-Secure Labs, PL 24, 00181 Helsinki, Finland. Thanks a lot.


Wednesday, October 25, 2006

Puzzle challenge completed Posted by Mikko @ 20:03 GMT

The F-Secure Internet Security 2007 puzzle challenge is over and we have the winners for each continent:

Jigsaw Piece

    Europe: Peter Nilsson, Sweden
    North America: Sean Eaton, USA
    South America: Alvaro Steckert Filho, Brazil
    Asia: Kevin Lee, People's Republic of China
    Australia: Daniel Givney, Australia
    Africa: Ashley Ross, South Africa

Congratulations to all of you. We'll be sending you F-Secure Internet Security 2007 via mail.

The challenge was about searching our blog archive for a "hidden puzzle". Those who took the time found entries in our blog archives that contained only a jigsaw puzzle piece and no text. Here's a sample entry from July 2004.

If you collected all the pieces and put them together, you ended up with a picture of the F-Secure Internet Security 2007 box… except that one crucial piece of the puzzle was missing. It wasn't linked from any of the blog entries. In fact, this image was on our web site but there was no link to it from anywhere. You had to guess one of the two possible URLs to find it. And over 50 people did.

Jigsaw Piece

Once you had all the pieces, you had to put them together. To make this easier, you could actually find the right location of each puzzle part from the image's header information (A3, C4, D1, etc). The completed puzzle image contained this text:

    To Solve:
    Send nerds(e) a plain text e-mail message with the following subject line:
    I Have Way Too Much Free Time! Be Sure.


So that's it concerning the challenge. But what about Antarctica, the 7th continent? We promised a free box to anyone who would e-mail us from there, regardless of whether they completed the puzzle.

And just a few hours later, we got this e-mail from Jacek Piszczek jr, reprinted with his permission:

    Well, here it is. I really wonder if I'm going to be the first person from
    Antarctica to email you though :)
    Anyway: who am I and what am I doing in Antarctica? My name is Jacek
    Piszczek and I am a member of the 30th Polish Antarctic Expedition. I am in
    charge of the communication equipment as well as all computers, etc. The
    Polish Antarctic H. Arctowski Station is located in the really beautiful
    Admiralty Bay, King George Island, South Shetlands and has operated since 1976.
    Our expedition arrived on the 9th of November last year and we are now waiting
    for our supply ship to arrive. The ship will bring the new crew here and
    transport most of us to Argentina.
    The nearest penguin colony is about 500m from the building we live in. They
    returned here about a month ago and are already busy laying eggs. The
    Adelies and gentoos are here already; we're still waiting for the chinstraps to
    show up though. This year's spring is pretty surprising - we already had a
    day with the temperature near 10C. The glaciers have already begun to move and
    collapse. We can hear explosion-like noises every couple of hours.
    If you need more info to confirm I'm really there, you could check my small
    blog out ;) It is at
    Jacek Piszczek jr


The picture above is from Jacek's blog. Pretty cool.


Sunday, October 22, 2006

Status update on the puzzle Posted by Mikko @ 10:33 GMT

Continents - Image borrowed from

We have now over 200 submissions for our FSIS2007 puzzle challenge.

We promised a free package of F-Secure Internet Security 2007 to the first person from each continent that discovered the solution to a hidden puzzle from our blog archives.

We have now informed the winners from Asia, Europe, North America and South America. And although we have submissions from Africa and Australia, we don't have a winner yet.

We're not really holding our breath to get the puzzle solved by anybody from Antarctica... so let's change the rules a bit: the first e-mail sent to our weblog address from anywhere on Antarctica wins a free package!

Updated to add: We now have a winner for Australia and we actually got a real e-mail from a research station on Antarctica. :)


Saturday, October 21, 2006

Spamthru trojan Posted by Mikko @ 08:02 GMT

Interesting and thorough analysis of a modern spam trojan available here at Secureworks.

The analysis is done by Joe Stewart.





Friday, October 20, 2006

War-E-Zov Posted by Mikko @ 06:35 GMT

Another day, another Warezov. This time it's Warezov.DG being spammed out.

And they have a new domain too: this new variant is downloading additional components from

So the full list of domains used by past Warezov variants is:

We still don't know if these mean something in some language. Anybody?


Thursday, October 19, 2006

Puzzle Challenge Posted by Sean @ 15:32 GMT

We have received abundant submissions to our puzzle challenge.

Our thanks to all of you that made a guess - many of you even submitted the correct answer! We'll try to reply directly in the next week or so. We've enjoyed your comments.

At this point, it looks like we have two or three confirmed winners: Europe (Sweden), South America (Brazil), and maybe North America.

F-Secure Internet Security 2007 - Jigsaw

Since we still have other continents that can win the challenge, we aren't going to reveal the answer yet. We'll save that for a future post. Cheers.


The Warezov worm saga continues Posted by Gerald @ 03:37 GMT

Today we received several reports of a new Warezov variant - Warezov.DC - which we detect with database 2006-10-19_02.

Like the previous variants, it mass-mails a copy of itself and then attempts to download files from the following links:

  [removed].exe
  [removed].exe
  [removed].exe
  [removed].exe
  [removed].exe

Right now, it is still quiet and slow. We'll see if this will spread furiously like the previous variants.

Updated to Add: This Warezov variant was very active today. Read more details about it here.


Wednesday, October 18, 2006

F-Secure Internet Security 2007 - Weblog Post 1000 Posted by Sean @ 13:24 GMT

F-Secure Internet Security 2007 is now available. It has in fact been available online for a short time already (but we're now starting to see the boxes in the lab). It has a number of new features - some of which we have blogged about recently.

F-Secure Internet Security 2007

There's improved spyware protection (detection and handling),
improved spam control (e-mail based anti-phishing),
parental control user profiles (child/teenager/parent independently configurable),
and System Control with DeepGuard Technology.

DeepGuard uses techniques such as sandboxing, advanced heuristics, and behavioral blocking to help protect against malware for which no signature exists yet.

System Control is the most important of the new features and has been the focus of our 2007 Beta posts. The beta test results were very promising, and the benefit isn't limited to proactively protecting those running version 2007: samples submitted by DeepGuard users will help us add detections for everyone.

By the way - This is our 1000th weblog post. To celebrate the reaching of this milestone, we're going to give away some copies of F-Secure Internet Security 2007. All you have to do is to complete our challenge.

Search through our weblog archives for a hidden puzzle. That should get you started. We'll give away a copy to the first person from each continent to solve the puzzle correctly - just so one particular time zone doesn't get an early start. Good luck!

Updated to Add: Looks like we can now confirm at least one winner - from South America. Get busy Antarctica.


Apple: "How to remove the Windows virus" Posted by Sean @ 11:06 GMT

First McDonald's and now Apple.

Apple Support has a very interesting notice available today. It seems that some of the iPod (video) units available for purchase from September 12th contain the RavMonE.exe virus. More details are available from:

Also of interest is Apple's framing of this support issue. Note that the notice is located in a sub-folder named "WindowsVirus" rather than "virus". In fact, the words "Windows Virus" appear eight times while the name of the virus - RavMonE.exe - is mentioned only twice. Let's be clear, some Apple iPods have shipped with a virus that affects mass storage devices. So it might not be a Mac OS or an iPod issue. But this is an Apple issue, not just Windows.

"Small number", "less than 1%", "less than 25", and "easily restore" are also mentioned frequently in the notice. With more than eight million iPods shipped in Apple's third quarter, we would be interested in a raw number for the 1% affected by this. What's one percent of a few million?

From the notice: "As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it." Whom do you think the people that bought those iPods will be more upset with?


Tuesday, October 17, 2006

Fake TV Ads Posted by Sean @ 13:09 GMT

Our October 5th post solicited fake TV ads for a rogue product named SpySheriff.

We have a winner: Mr. e9010. Check out his creative production at this YouTube page. And an honorable mention goes to Ms. Graynza. We'll be sending the two of you some F-Secure marketing stuff.

Too Much Cash?

Our next competition will not require any creativity on your part - just puzzle solving skills.


Monday, October 16, 2006

McDonalds ships MP3 players with a trojan Posted by Mikko @ 09:44 GMT

Earlier this month, McDonald's Japan shipped 10,000 MP3 players as prizes in a competition they organized with Coca-Cola.

The players, carrying the McDonald's "M" logo, were shipped with 10 preloaded songs.

Unfortunately, the players were also preloaded with a variant of the QQPass password-stealing trojan. We haven't seen these players ourselves, so we can't confirm how exactly you would get hit by this trojan, but some sources report you only had to plug it into your Windows PC.

More information for affected customers is available from McDonald's Japanese web site.

Snippet from


Friday, October 13, 2006

Fake Sony Vaio order confirmations going around Posted by Mikko @ 19:32 GMT

We've received several reports of a trojan that is being spammed out. The message looks like an order confirmation for the purchase of a $2482 Sony Vaio laptop. The attachment, named order_37679041.exe, contains the actual malware.

We detect this as W32/Small.DXC.


Video - Your Marriage is in Danger! Posted by Kamil @ 13:24 GMT

Weblog reader Per-Erik sent us a URL that he received as an intrusive pop-under. It's for a product named Drive Cleaner, which is classified as a rogue because of the sales tactics it employs.

The first pop-up window uses animation and attempts to look like Windows Explorer. Examine the details that it displays in the left-hand frame. The "Warning" message appears to offer a choice, but it's really just an image, and clicking either Yes or No has the same result - you're prompted to download the installer.

Example 1

If you cancel the download, you get a "Notice" asking you to reconsider. We like the kind reminder that having tracks of your online activities could harm your career and your marriage.

Example 2

If you select cancel from the second dialog, you'll get yet another dialog. This message states that Drive Cleaner will now scan your computer and that you must select Run or Open. This is another attempt to get the user to download and install the application.

Example 3

We have a video demo of this for you here (XviD) or here (WMV).

While it completely over-hypes the privacy danger, presenting a minor risk as a critical issue, the application itself doesn't do anything really malicious if installed: it does nothing but scan until you buy it. But do you really want to pay 35 (in whatever currency it quotes you) to remove temporary files and cookies? You can set your browser to do that automatically when it closes.

Our thanks to Per-Erik for submitting the URL.


Thursday, October 12, 2006

Greetings from Virus Bulletin 2006 Posted by Mikko @ 13:25 GMT

Greetings from the Virus Bulletin 2006 conference in Montreal, Canada!

The second day of the conference is just starting with many interesting presentations to come. I'm especially looking forward to the presentations by Guillaume Lovet, Alex Shipp, and Jose Nazario - too bad Alex and Jose have been scheduled exactly at the same time!

I held my keynote presentation yesterday morning and it went very well.

Virus Bulletin 2006 Keynote

As you might remember, I asked for your help in choosing the topic for my presentation, and I'd like to thank all of the 150 people who took the time to send feedback and share their ideas. The suggestions covered the whole spectrum of the field, from rootkits, to virus history review, to mobile virus issues, to product pitches. In the end, I ended up talking about the history and the future, and how this is not merely a fight between antivirus companies and virus writers - but a fight between good and evil.

I managed to pack 164 slides into my 40-minute presentation (no joke). As promised, my slides are available for download now.

Here's a short video clip (shot with a Nokia E70):
vb video clip

Signing off,


Wednesday, October 11, 2006

Update Considerations Posted by Sean @ 13:49 GMT

Dateline July 2006: Microsoft discontinued update support for Windows 98.

Dateline October 2006: Microsoft discontinued updates for Windows XP Service Pack 1. October 10th's SP1 updates were the last under public assisted support.


Service Pack 2 was released in September 2004. So, if you're still running with SP1 - it's really the time to update.

And another thing. We mentioned this last month, but it bears reminding that Microsoft will be pushing Internet Explorer 7 as an automatic update rather soon. Perhaps during October. According to the details that we've read, the update will prompt for confirmation before installing. If you have Automatic Updates enabled, be ready for the prompt; backup your settings and favorites. And maybe install a second browser if you don't have one already.

A few weeks ago, we tested the install of IE7 RC1 on an IE6 loaded with adware toolbars. The toolbars caused some buggy behavior, but the install completed with no trouble. Still, that's a lot of browser installs that will take place when the update is released. Hopefully it will go smoothly.

If you're an admin and your domain isn't ready for IE7 - there's a toolkit available to disable delivery.


Microsoft October Updates Posted by Francis @ 05:24 GMT

Microsoft's monthly updates are now available. There are 6 critical patches - most of them focus on Remote Code Execution patches for Microsoft Office applications such as PowerPoint, Excel, and Word.

Oct 2006 Update

More details about this month's patches here.

Patch now.


Tuesday, October 10, 2006

Swiss Government Investigates VoIP Tapping Posted by Stefan @ 08:10 GMT

Moritz Leuenberger - Head of UVEK

The Swiss Department of the Environment, Transport, Energy and Communications (UVEK) has started an investigation to determine the possibility of using software to tap VoIP phone calls.

A software prototype to do this has been developed by ERA IT Solutions. It doesn't seem that the software would decrypt any of the VoIP traffic itself. Instead it is a client-side application that listens to the computer's microphone and speakers to record the VoIP calls. The recordings would be passed back in small packages over the Internet to the police authority. Two ways to install the software on a suspect's machine have been presented. The first: police covertly install it locally. The second: the suspect's Internet service provider installs it remotely over the Internet. How the latter would be implemented is unknown to us.

If you understand German you can read more at SonntagsZeitung; otherwise Babelfish can assist you.

F-Secure will most likely add detection for this software if we find it used in the wild. We have previously made a statement about government developed spying programs.


Monday, October 9, 2006

Preview of Second Tuesday Posted by Sean @ 14:33 GMT

October 2006 Advance Notification

Microsoft has eleven security bulletins scheduled for tomorrow's patch Tuesday. They'll be released at approximately 10am PDT (17:00 GMT). That's tomorrow evening for those of us in Europe. So it looks like it will be quite a busy Wednesday morning with a significant number of updates to be installed. Many of them are rated critical.

See here and here for additional details.


Batch of interesting papers Posted by Mikko @ 09:06 GMT

There's this Software Systems Security Group at the Institute for Infocomm Research in Singapore's Agency for Science, Technology and Research (indeed a mouthful).

They have a nice selection of recent academic papers on security research topics.

Titles include:
"Robust Reactions to Potential Day-Zero Worms through Cooperation and Validation"
"Network-Level Polymorphic Shellcode Detection Using Emulation"
"An Active Splitter Architecture for Intrusion Detection and Prevention"
"Defending against Hitlist Worms using Network Address Space Randomization"
"Detecting Targeted Attacks Using Shadow Honeypots"

All this at this handy address:






Sunday, October 8, 2006

Denmark targeted Posted by Mikko @ 05:39 GMT

The "Rechnung" spam run keeps going.

We've seen Bzub or Haxdoor variants being spammed since February 2006 in German mails looking like this:

  Subject: Rechnung
  Sehr geehrte Kundin, sehr geehrter Kunde
  Die Dateien wurden als Anhang eingefugt und konnen jetzt mit dieser
  Nachricht gesendet werden.
  Ich verwende die kostenlose Version von SPAMfighter,
  die bis jetzt 227 Spammails entfernt hat.
  Fur private Anwender ist SPAMfighter vollig kostenlos!
  Jetzt gratis testen: hier klicken.

  (In English: "Dear customer, the files have been attached and can now be sent with this message. I use the free version of SPAMfighter, which has removed 227 spam mails so far. For private users SPAMfighter is completely free! Try it for free now: click here.")


Starting August 14th, we've seen spam runs with the same message translated into Swedish, targeting Sweden:

  Subject: Rakningen
  Bäste Kund!
  Filerna är bifogade som en bilaga och kan vidarebefordras
  tillsammans med detta meddelande.
  Jag använder en gratis version av SPAMfighter som har fram till nu raderat 227 SPAM-brev.
  SPAMfighter är helt fri för privatbruk.
  Det kan provas nu och gratis: TRYCK HÄR

  (In English: "Dear Customer! The files are attached and can be forwarded together with this message. I use a free version of SPAMfighter which has so far deleted 227 spam mails. SPAMfighter is completely free for private use. Try it now for free: CLICK HERE.")


And now, on Friday the 6th of October, we saw the first e-mails with the message translated into Danish:

  Subject: Regning
  Kaere kunder!
  Data er tillagt og sent med denne meddelelse.
  Jeg bruger gratis antispamversion, som allerede har fjernt 227 spambreve.
  Antispam er helt gratis for private brugere.

  (In English: "Dear customers! Data is attached and sent with this message. I use a free antispam version, which has already removed 227 spam mails. Antispam is completely free for private users.")


This latest attachment contains Regning.exe, which we detect as Trojan-Downloader.Win32.Small.dwf.

It seems to download additional components from
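The fake order-confirmation run described above (the Sony Vaio receipt carrying order_37679041.exe) and this Rechnung/Rakningen/Regning run share the two features a mail gateway can key on: an executable attachment, and the same lure text, including the SPAMfighter footer whose spam count stays at 227 in every translation. As an added example (our own illustration for this page, not a product rule or a captured sample), here is a Python triage routine that parses raw messages and flags them. The sample messages are constructed to mirror the texts quoted above; the lure-subject and body-marker lists are assumptions built from those quotes.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions that should never arrive in an unsolicited "invoice".
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Subject lines used by the runs described above (German, Swedish and Danish
# "invoice") plus the order-confirmation lure; matched case-insensitively.
# Assumed from the quoted samples, not a complete list.
LURE_SUBJECTS = ("rechnung", "rakningen", "räkningen", "regning", "order confirmation")

# The same SPAMfighter footer, with its unchanging count of 227, appears in
# every translation of the message, which makes it a handy body-level marker.
BODY_MARKERS = ("spamfighter", "antispam", "227")


def build_sample(subject, body, attachment_name=None):
    """Build a constructed message for the demo (not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # Four bytes of an MZ header stand in for the real payload.
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Return {'subject', 'verdict', 'reasons'} for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    reasons = []

    exe_names = [p.get_filename() for p in msg.iter_attachments()
                 if (p.get_filename() or "").lower().endswith(EXEC_EXTENSIONS)]
    if exe_names:
        reasons.append("executable attachment: " + ", ".join(exe_names))
    if any(s in subject.lower() for s in LURE_SUBJECTS):
        reasons.append("known lure subject")
    hits = [m for m in BODY_MARKERS if m in body]
    if "227" in hits and len(hits) >= 2:
        reasons.append("SPAMfighter footer with the fixed count 227")

    # An executable attachment alone is enough to hold the mail; lure text
    # without one is only a warning, since the real footer exists too.
    if exe_names:
        verdict = "quarantine"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"subject": subject, "verdict": verdict, "reasons": reasons}


# Constructed samples mirroring the quoted texts (not real captured mail).
SAMPLES = [
    build_sample("Regning",
                 "Kaere kunder!\nData er tillagt og sent med denne meddelelse.\n"
                 "Jeg bruger gratis antispamversion, som allerede har fjernt 227 spambreve.\n",
                 "Regning.exe"),
    build_sample("Your order confirmation",
                 "Thank you for your order of one Sony Vaio laptop ($2482).\n",
                 "order_37679041.exe"),
    build_sample("Rechnung",
                 "Sehr geehrte Kundin, sehr geehrter Kunde\n"
                 "Ich verwende die kostenlose Version von SPAMfighter, "
                 "die bis jetzt 227 Spammails entfernt hat.\n",
                 "Rechnung.pdf"),
    build_sample("Lunch?", "See you at twelve.\n"),
]


def run_samples():
    """Triage the constructed samples and return their verdicts in order."""
    return [triage(raw)["verdict"] for raw in SAMPLES]


if __name__ == "__main__":
    for raw in SAMPLES:
        r = triage(raw)
        print(f"{r['verdict']:10s} {r['subject']!r:30} {'; '.join(r['reasons'])}")
```

The executable check is deliberately independent of the subject and body rules, so the next translation of the lure still gets held as long as it carries an .exe; the text rules only add a second signal for messages whose attachment was renamed or wrapped.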


Friday, October 6, 2006

WOW Posted by Mikko @ 07:02 GMT

We see tons of trojans designed to target online computer games: Massive Multiplayer Online Role-Playing Games (MMORPGs), such as World of Warcraft, EverQuest, Lineage, and Second Life.

Dunky Dancing

Now, this might sound pretty harmless to some of you. It sounds like kids using trojans to steal somebody's game progress, right?


MMORPGs are big commercial operations with many millions of subscribers. With seven million subscribers paying monthly for their accounts, World of Warcraft's Blizzard Entertainment must have hundreds of millions in revenue per year. And there's lots of money involved in secondary markets.

There are Asian sweatshops that do nothing but play these games to create virtual stuff to sell at auction. But why make virtual stuff when you can steal it?

The goal of the trojans is to gain access to thousands of accounts and steal the gold, weapons, and spells those accounts possess. The loot is then transferred to other accounts and sold in online markets - for real-world cash.

This makes a lot of sense from the attacker's point of view. Imagine somebody trying to file a police report about how somebody stole his gold? In a game? It wouldn't get far.

Here's a screenshot of Stefan doing some research:


Thursday, October 5, 2006

If you buy this lousy fake antispyware today within the next 15 minutes... Posted by Mikko @ 08:54 GMT

SpySheriff is among the best-known rogue programs disguised as spyware protection. It might look like a useful security program but it actually isn't - it's typically pushed on systems through vulnerabilities, after which it reports nonexistent infections in order to scare you into registering the software for a cool $59.95 or so.

So, while having a coffee break in the lab, we were wondering what kind of TV ads a company like SpySheriff would run.

We're sure you would have lots of ideas. So here's a small competition for our readers:

 1. Make the cheesiest TV ad for SpySheriff you can possibly come up with
 2. Post your ad to YouTube or Google Video
 3. Mail the link to your video to us to weblog at our domain
 4. We'll reward the best videos with F-Secure marketing junk (t-shirts, caps, posters, etc.)
 5. And we'll post a list of the cheesiest videos

Let's set the deadline to, say, the 15th of October, so it's nicely after the VB conference, which starts next week.

And no, we don't recommend that anybody go and use this software.


Monday, October 2, 2006

T2'06 Conference in Helsinki Posted by AP @ 11:06 GMT

Last week T2'06 Conference was held in Helsinki. This is the best technical hard-core security conference in Finland.

From F-Secure, we had Mika and Antti giving a presentation about Windows Rootkits, and Jarkko was presenting the answer to the T2 Reverse Engineering Challenge, which was run by the conference organizers. The challenge was held before the conference and the winners were awarded free tickets.

The keynote presentation was given by Harri Hursti. He spoke about US electronic voting systems and their weaknesses.

The presentation about Web Application Exploitation given by Joakim Sandström was excellent. He showed demos covering webappsec trends, automated tools, manual testing, the extinction of common webapp vulnerabilities, "new" issues in PHP (evals, metadata code injection), backdooring web applications, techniques and tools for "calling home", and exploitation of common web application vulnerabilities such as SQL injection and cross-site scripting.

The picture below is of Jarkko showing the solution to the T2-challenge:
Jarkko Rocks


Warezov Pact Posted by Patrik @ 07:21 GMT

The Kuala Lumpur lab received a new Warezov variant this morning. As the day progressed and Europe woke up we started receiving lots of new variants. As with previous Warezovs, these new ones download additional components, this time from a new site. The site seems to be overloaded at the moment, most probably because of infected machines trying to download the file. If you are a firewall admin it's a good idea to block this domain.

We've just published a Radar 2 Alert about it and detection is out in the update 2006-10-02_01. As we're getting new samples all the time, we'll definitely release more updates soon.

Here's an example of an email that was used to spam out a new variant:

Fake kb546


Sunday, October 1, 2006

Folder web view "Setslice" vulnerability Posted by Mikko @ 06:50 GMT

Windows allows you to view folders in a "web view", complete with thumbnails of files etc. It turns out this functionality has a vulnerability that can be exploited remotely via an ActiveX component in Internet Explorer. And now there's public exploit code available for it. Over the last day or so, several malicious websites have inserted such code via IFRAMEs on their pages.

You can't patch your systems, as no official patch is available. Microsoft has an advisory out, explaining how you can disable the vulnerable ActiveX component via a registry change.

We detect HTML files containing the exploit as "Exploit.HTML.IESlice.c". They are typically hidden with Javascript obfuscators, which we detect as "Trojan-Downloader.JS.Agent.ab" or similar. In the end, most of the exploits download binaries with names like "loaderadv499_3.exe" and so on - detected by our latest update as "Trojan-Downloader.Win32.Small.dib".

This thing is out there but we're really not seeing this in huge numbers.