NEWS FROM THE LAB - November 2006


Thursday, November 30, 2006

It's been a while. Bagle. Posted by Mikko @ 20:08 GMT

We haven't seen new Bagle attacks in a while. The last one – and even that was an isolated one – was exactly a month ago. But now somethings up.

Bagle.GOSome of the old Bagle update URLs activated tonight, offering a new 188kB executable. This is downloaded and run by machines infected by previous Bagle variants… and it starts to spam out infected attachments with filenames talking about price lists.

The spammed e-mails include a GIF which shows a password needed to decode the ZIP files.

When the e-mail attachment is decoded and run by the user, the worm runs (as a decoy) either Notepad or Registry Editor. Notepad will display a fake error message looking like this:

UTF-8 Decoding Error

This new Bagle also uses an SSDT rootkit to hide its presence on an infected system.

Administrators: You might want to check your firewall logs for suspicious activity to and… and block future access to them.

We've added detection of this variant as W32/Bagle.GO.


Stickers - Selection Round Posted by Sean @ 14:31 GMT

Tuesday's Weblog post sought your suggestions – and we received lots of them. Thanks to all of you! Great responses.

And now — We have the next round as selected by the Lab during lunch. Your vote in this poll will help select the finalists.



Tuesday, November 28, 2006

Laptop Stickers Posted by Sean @ 13:14 GMT

We gave away free laptop stickers back in March.


Now we're going to order some more and we'd like your opinion. Take the poll, select your favorite(s), and/or make a suggestion.

The submissions that we like the most will get some of the new stickers. Include an e-mail address in the text field so we'll know how to contact you. Cheers.

November 28th Poll Results


Rootkits and rooting sticks Posted by Mikko @ 11:22 GMT

Got a USB stick as a gift.

This one is a bit special.

At least according to the documentation, it supports rooting from BIOS!

It also has "encrupted" support and Super-Stabletechnology… neat!



Monday, November 27, 2006

Zero day Warezov Posted by Mikko @ 09:52 GMT

We've been busy with the latest spam runs of the Warezov family over the last hours.

We've added detection for the following variants, and there are probably more on the way:



Updated to add: New domain - RXFF - See the list.


Friday, November 24, 2006

Infosecurity...Lapland! Posted by Mikko @ 12:22 GMT

Lapland, home of lap dancing

Greetings from Rovaniemi.

I've today been keynoting at the Infosecurity Lapland conference, which was held in Rovaniemi, Finland. Around 90 experts from all parts of Europe have spent a few days discussing the state of data security and should we care about it or not.

The amount of daylight hours is getting pretty small up here this time of the year - Rovaniemi is right next to the Arctic Circle. The sun came up today around 10am and is going down now, at 2.30pm…

Did you know that the laptop was invented in Lapland?

Signing off,






Thursday, November 23, 2006

iAdware Posted by Kamil @ 14:12 GMT


We recently received a proof-of-concept sample of an adware program. Normally that wouldn't be worth blogging about, but in this case it's for Mac OS X. In theory, this program could be silently installed to your User account and hooked to each application you use… and it doesn't require Administrator rights to do so. We won't disclose the exact technique used here, it's a feature not a bug, but let's just say that installing a System Library shouldn't be allowed without prompting the user. Especially as it only requires Copy permissions. An Admin could install this globally to all users.

The result: This particular sample successfully launched the Mac's Web browser when we used any of a number of applications.

This is easier to do than with Windows. After all, it's a Mac.


Wednesday, November 22, 2006

Warezov List Posted by Sean @ 14:04 GMT

The Weblog has received several requests from readers for a list of Warezov domains so that they could be blocked on their networks. We have posted on the topic many times and have typically included screenshots with the details, but not always something that could be copied and pasted. And these are kind of odd names… so it's easy to make a typo when typing them yourself.

Warezov Domain List

Our current list of Warezov domains, which we will try to keep current (*experiment*), can be found from

This is at the moment, the only link to the page, so bookmark it. Note that most of the domains listed are presently offline.

Perhaps we could collect other information for our readers in a similar fashion? Is there anything else that you have been copying from our content? Please submit your comments to the address listed at the top of the Weblog's homepage.


Warezov.HA - just for laughs Posted by Katrin @ 10:22 GMT

Did you laugh today? If you are getting as many new Warezov samples as we do, probably not. But I did just for a second or two when we took over the shift from our Kuala Lumpur Response Lab and they had added the latest new Warezov variants including — Warezov.HA — the 209th variant. Then I realized that we won't be laughing when the .HAHA variant arrives.

There will be more information on the domain names used by this worm from Sean shortly. Those who want our current list of the domains to block, stay tuned!



When will you stop! Posted by Francis @ 07:45 GMT

After seeing several domains related to Warezov during these past few weeks, here comes another new domain, still registered to Bai Ming. The new domain name is for those of you that wish to block it.


Our detections for the new variants are Warezov.GX and Warezov.GY. The detection package is included in database release 2006-11-22_01.


Tuesday, November 21, 2006

Video about the "Grey Goo" Attack on Second Life Posted by Mikko @ 08:40 GMT

Here's a video, showing the symptoms of the "Grey Goo" ring attack on the Second Life online multiplayer game last weekend. Shot by Amulius.

Via YouTube.


Monday, November 20, 2006

Worms in Second Life Posted by Mikko @ 20:11 GMT

ringSecond Life, an online multiplayer game, has recently been targeted with self-replicating scripts, written with the Linden Scripting Language.

Apparently there was a pretty bad attack last weekend, shutting down the game and leaving valid users still without script support. This "Grey Goo" attack was visible to the players of the game as it scattered revolving golden rings around. More from the official Linden Blog.

Copyright 2006, Linden Research, Inc. All Rights Reserved.


Friday, November 17, 2006

Mobile Security Posted by Sean @ 12:56 GMT

So you probably have a podcast catcher, torrent client, web browser, RSS reader, e-mail application, and some online games installed on your computer – that's typical. But some users already have these types of applications running on their smartphones. For example: Members of our Response Lab.

And such network-intense phone apps need lots of bandwidth – bandwidth you can get with traditional cellular technologies like 3G, WCDMA, HSDPA – or with Wi-Fi on your phone.

So if you're online, you need security. A firewall on the phone should prove quite useful for those times when smartphone users leave the relative safety of a 3G network to roam the local coffee shop's free Wi-Fi.

F-Secure Mobile Security with Firewall

We've just released our latest version of F-Secure Mobile Security. Mobile Security includes an integrated firewall for S60 3rd edition smartphones (such as the Nokia N80 and Nokia E70). Our firewall, which probably is the first one available for S60 3rd edition phones, provides protection on all available types of networks, and is capable of filtering both outbound and inbound traffic.

You can download it straight to your phone from



REALLY want to know what's happening in your system? Posted by Mikko @ 08:06 GMT

Sysinternals has made available a great new tool called Procmon that combines the features of two older Sysinternals utilities: Filemon and Regmon, and adds much more. You can use this tool to monitor very closely what's happening on a system, as it happens.

  "Process Monitor is an advanced monitoring tool for Windows that shows
  real-time file system, Registry and process/thread activity. Process Monitor
  adds an extensive list of enhancements including rich and non-destructive
  filtering, comprehensive event properties such session IDs and user names,
  reliable process information, full thread stacks with integrated symbol
  support for each operation, simultaneous logging to a file, and much more.
  Its uniquely powerful features will make Process Monitor a core utility in
  your system troubleshooting and malware hunting toolkit."


As Microsoft has bought Sysinternals, Procmon is available for download from Microsoft:

Cheers to Mark.

Updated to add: There's been some reports of system crashes while using Procman. See the discussion here. We've seen no problems ourselves but your mileage, as usual, may vary.


Wednesday, November 15, 2006

November patches from Microsoft Posted by Esz @ 02:39 GMT

Microsoft has released six new patches whereof five are rated as critical, allowing for remote execution.

MSPatches Nov2006

One of the vulnerabilities fixed is "wormable" and for some of the vulnerabilities, the exploit code is already publicly available, so make sure you install the updates as soon as possible.

More information is available from Microsoft's November Security Bulletin.


Tuesday, November 14, 2006

Codec No. 107 Posted by Kamil @ 14:31 GMT

While browsing the Internet for movies – *cough* pr0n – people often end up downloading some DRM protected material, bundled with a license that uses social engineering tactics to push the victim into dowloading a "codec". These supposed codecs are downloading and installing malware known as Zlob.

I've been keeping an eye on some of these codecs for quite a while and one of my conclusions: they need more templates for their websites. The thing is, all them look alike. They basically choose one of a few templates, and then only change a couple of things such as the top-left corner logo and the codec name. So here's an example:



Right now, all of these sites (keycodec, ivideocodec, jpegencoder, lightcodec, elitecodec, qualitycodec, et cetera) default to using a filename of "FakeCodec.107.exe". So currently, fake codecs with the number 107 in their name should be an easy tell to avoid. However, when an affiliate pushes one of these sites, the filename number might also change to reflect his ID.

Here are some other templates used by this gang:



Sunbelt's blog frequently posts fake codec site URL's to avoid. Good Guys.

Kurt Wismer also has some good advice: Get a good media player that handles multiple formats, and then be very suspicious of anything else prompting you for a new codec.

No to narazie,


VB2OO6 One more time Posted by Mikko @ 13:23 GMT

The Virus Bulletin 2006 conference website has been updated with the official conference report, several interesting slide sets from the presenters, as well as tons of photos.


Check it out at


Monday, November 13, 2006

There's a Virus on my Notebook Posted by Sean @ 14:42 GMT

Brio, a Swedish toy manufacturer that specializes in wooden toys, has a new product. Viruses!

Brio Viruses

The Viruses are part of their "Brio Network" collection. Along with product info, Brio's site also includes a virus download aka active desktop, and a movie.

We think they're pretty cool. Unfortunately, the ones pictured above belong to someone else — Mari from Marketing. Or rather, they belong to her son. So we'll just have to get our own.


Saturday, November 11, 2006

Connecting the Warezov domain dots Posted by Mikko @ 13:57 GMT

As was recently disclosed, the Warezov operation is largely to blame for the massive increase in spam amounts. Warezov-infected machines download additional components which, after a variable delay, start sending out spam messages. All of these spams (as far as we've seen) are pharmaceuticals spams, advertising Viagra, Vialis, Valium, and Xanax clones.

You can make the connection between the virus and the spam just by looking at the domain names used by the Warezov gang for both the virus component download and for the hosting of the fake Viagra sites.

Warezov is spread by spamming slightly modified versions of the downloader component. This is modified by the spammers as soon as major antiviruses add detection for that particular component. We believe the Warezov gang is using services such as Virustotal or Jotti to monitor the reactions of the antivirus industry.

Once the downloader is executed on a computer, it connects to a download URL. A typical URL would be, for example:


Over the last months, we've seen a major increase in spams like the one below:

spam warezov

spam warezov

spam warezov

They link to fake Viagra sites like these:

spam warezov

spam warezov

When we look at the whois information of these domains, we see that not only do these domains have similar sounding names but we can also categorize them to just three different groups: domains registered to "Wang Pang", "Dima Li" or "Bai Ming".

spam warezov
spam warezov
spam warezov

And when comparing the domain names used in the virus to domains shown in the spam messages, we can see that they overlap, proving that these are all part of single operation:

spam warezov

The Warezov operation started in the middle of August 2006 and continues to this day.

Two more things:

1) No, we don't know if these domain names mean something in some language.

2) The case is under police investigation.


Thursday, November 9, 2006

Gromozon vs. Marco Giuliani Posted by Paolo @ 14:28 GMT

Sadly well known among Italian computer users, "Gromozon" is a complex collection of malware that feature rootkit techniques, anti-debugging tricks, and more in order to perform its vicious activities. We detect this collection by many names such as Trojan.Win32.Obfuscated.a or Trojan.Win32.Agent.rk.

At this point you're probably thinking - So, this is rather typical when it comes to really nasty malware, what's the reason behind this particular blog entry?

Well, it seems that the war between Gromozon's authors and security researchers at Prevx has reached a new level - It's personal now.

Marco Giuliani

After being utterly frustrated by the inability to bypass Prevx's dedicated disinfection tool, Gromozon's authors decided to attack on another front. In the latest variants of Gromozon, whenever an analysis tool, such as our F-Secure BlackLight, or more generically a "banned" application is detected, the malware itself will present the user with a lovely message that leads him to believe that the source behind the malware are the guys from Prevx, and especially Marco Giuliani - one of the first security researchers to study Gromozon in depth and to provide a disinfection tool.

Of course, Prevx and Marco Giuliani have nothing to do with the malware. On the contrary, they are active members of the community that struggles everyday for computer users' safety.

It will be really interesting to see what Gromozon's next move will be...



Redaction Posted by Sean @ 14:16 GMT

From November 2nd: Wired News - Uncover DHS' Virus Gaffe.

Wednesday, November 8, 2006

Case Wikipedia Posted by Mikko @ 12:01 GMT

Two days ago, the German version of Wikipedia was targeted in an attack where the encyclopedia entry for the Blaster worm was modified to include download links for a fake patch. If you followed the links and installed the patch, you got hit with a trojan instead.

The official Wikipedia pages (and archives) were cleaned quickly. But now some clown is mailing around German language e-mails with the following content:


If you follow the links in the e-mail, you'll end up on a Wikipedia lookalike page at "" which is actually running on a server named "".

The page has several download links for patches (although they all download the same file):


Interestingly, the download (which we block as Trojan-Dropper.Win32.Small.atq) actually installs the original patch from Microsoft - and then drops a trojan. Nice.

The rogue domain "" has nothing to do with real Wikipedia. However, it has been registered with exactly the same registration information as the real domain.


While the real Wikipedia is registered to St. Petersburg, Florida in the USA, the IP Address of the fake site is located in St. Petersburg, Russia.



Tuesday, November 7, 2006

Cat-herding Posted by Sean @ 12:47 GMT

Zango and the USA's Federal Trade Commission (FTC) reached a settlement last Friday. Zango agreed to pay the FTC $3 million. The agreement also contains language strongly clarifying what is required as consent from installers of Zango's software. See Part V in this PDF.

Zango for its part, wants to raise the bar and to hold their affiliates to a higher standard. Perhaps we're willing to give them the benefit of doubt for the time being…

But it raises the question: Isn't trying to manage such affiliates like cat-herding?

November 6th: Websense reports "Fradulent YouTube video on MySpace installing Zango Cash".


Warezov vs System Control Posted by Sean @ 10:53 GMT

Warezov continues its seemingly endless run, and we continue to add detections apace.

Detection for Warezov.DG was added on October 20th, and today, we added detection for Warezov.GL with database 2006-11-07_04. It's a very busy little bugger and the subject of many unkind words among the researchers.

Application was Denied

So, Alexey was curious and tested the GL variant against F-Secure Internet Security 2007's System Control feature. (As we did with the beta). The results were very pleasing: Warezov is still automatically denied and blocked by System Control.

Here's a screenshot of the details:

Warezov.GL vs System Control


Monday, November 6, 2006

New phishing statistics Posted by Mikko @ 11:40 GMT

Phishtank, a service run by the good folks at OpenDNS, have published their first set of phishing statistics.

Interesting stuff, showing that Paypal and eBay continue to be the most targeted organizations in phishing attacks, but some German banks are climbing up the scales.

Phishtank Stats

Other sources of phishing stats: Netcraft, Ciphertrust and APWG [PDF].


Thursday, November 2, 2006

Bluetooth cracking Posted by Mikko @ 18:58 GMT

Last Friday Thierry Zoller and Kevin Finistere gave a presentation in the 2006 conference on Bluetooth issues. They also showed a demo of BTCrack, a Windows tool that can crack Bluetooth PIN and Linkkey in almost real-time (assuming it has sniffed the initial pairing).

Bluetooth Crack

Full slides are available here.