NEWS FROM THE LAB - December 2005


Saturday, December 31, 2005

First WMF worm found Posted by Mikko @ 18:46 GMT

The first worm using the new WMF vulnerability has been found. This is what we were afraid of. Thankfully it doesn't seem to be too bad.

We only have second-hand reports of this case so far. It's an MSN Messenger worm sending links to an image file (the link ends with "xmas-2006 FUNNY.jpg"). The link actually leads to a web page with a malicious WMF file. F-Secure Anti-Virus does detect the WMF file in question with our generic detection.

For more information see


Ilfak to the rescue! Posted by Mikko @ 11:12 GMT

Here's an alternative way to fix the WMF vulnerability.

Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally).

The fix works by injecting itself into all processes that load USER32.DLL. It patches the Escape() function in GDI32.DLL, disabling the WMF SETABORT escape that is the root of the problem.

Now, we wouldn't normally blog about a security patch that is not coming from the original vendor. But Ilfak Guilfanov isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world.

More details from Ilfak's blog:

Ilfak recommends that you uninstall this fix and use the official patch from Microsoft as soon as it is available.


Friday, December 30, 2005

WMF, day 3 Posted by Stefan @ 12:29 GMT

The number of trojans using the zero-day WMF exploit is increasing rapidly.

Many people have now used the REGSVR32 workaround to stop the immediate threat. Some users have come back to us after we quoted Microsoft on the workaround, wondering if it really works. The workaround does stop the exploit for Internet Explorer and Windows Explorer, even though WMF images still display as normal.

What the workaround does not protect against is opening an exploited file in MSPAINT (aka Paintbrush). And as always, renaming the file to any other image extension makes no difference to MSPAINT. So our suggestion is not to open any pictures with MSPAINT right now, whatsoever. Perhaps leaving image editors alone for the rest of the year might be a good idea.


Thursday, December 29, 2005

WMF, day 2 Posted by Mikko @ 08:30 GMT

Microsoft and CERT.ORG have issued bulletins on the Windows Metafile vulnerability:

Microsoft's bulletin confirms that this vulnerability applies to all the main versions of Windows: Windows ME, Windows 2000, Windows XP and Windows 2003.

They also list the REGSVR32 workaround. It's a good idea to use this while waiting for a patch. To quote Microsoft's bulletin:

 Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

 1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll"
 (without the quotation marks), and then click OK.

 2. A dialog box appears to confirm that the un-registration process has succeeded.
 Click OK to close the dialog box.

 Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started
 when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

 To undo this change, re-register Shimgvw.dll by following the above steps.
 Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

This workaround is better than just trying to filter files with a WMF extension. There are methods where files with other image extensions (such as BMP, GIF, PNG, JPG, JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO) could be used to exploit a vulnerable machine.
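Two points above, Ilfak's patch targeting the SETABORT escape in GDI32's Escape() and the note that files with non-WMF extensions can still carry the exploit, both come down to inspecting metafile content rather than file names. The following scanner is an added example written for this page (not F-Secure's, Ilfak's or Microsoft's code); it assumes the standard WMF layout (optional 22-byte placeable header, 18-byte header, then records sized in 16-bit words with a 16-bit function code, META_ESCAPE being 0x0626 and SETABORTPROC escape code 9) and builds two constructed, inert sample metafiles inline.

```python
import struct

# WMF constants (Windows Metafile format): META_ESCAPE records reach GDI32's
# Escape(); SETABORTPROC (escape code 9) is the sub-function Ilfak's fix blocks.
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte Aldus placeable header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
NEWFRAME = 0x0001              # a harmless escape sub-function, for contrast


def wmf_records(data):
    """Yield (offset, function, params) for each record of a WMF blob.

    Raises ValueError if the bytes do not parse as a metafile, so callers can
    tell "not WMF at all" from "WMF without the escape".
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                   # skip placeable header
    if len(data) < off + 18:
        raise ValueError("too short for a WMF header")
    mtype, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or hdr_words != 9:      # 1 = memory, 2 = disk
        raise ValueError("no WMF header")
    off += 18
    while off + 6 <= len(data):
        rd_words, func = struct.unpack_from("<IH", data, off)
        nbytes = rd_words * 2
        if rd_words < 3 or off + nbytes > len(data):
            raise ValueError("bad record size at offset %d" % off)
        yield off, func, data[off + 6:off + nbytes]
        if func == META_EOF:
            return
        off += nbytes


def find_setabortproc(data):
    """Return offsets of META_ESCAPE records whose sub-function is SETABORTPROC."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, _byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append(off)
    return hits


def classify(data):
    """Content-based verdict, independent of whatever extension the file has."""
    try:
        hits = find_setabortproc(data)
    except ValueError:
        return "not-wmf"
    return "setabortproc" if hits else "clean"


# --- constructed samples (inert: no abort-procedure code is embedded) ---
def record(func, params=b""):
    """Build one record: length in 16-bit words, function code, parameters."""
    if len(params) % 2:
        params += b"\0"
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def build_wmf(records, placeable=False):
    body = b"".join(records) + record(META_EOF)
    max_words = max(len(r) // 2 for r in records) if records else 3
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2,
                         0, max_words, 0)
    prefix = b""
    if placeable:   # key, handle, bbox (4 x int16), inch, reserved, checksum
        prefix = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100,
                             96, 0, 0)
    return prefix + header + body


BENIGN_WMF = build_wmf([
    record(META_SETMAPMODE, struct.pack("<H", 1)),
    record(META_ESCAPE, struct.pack("<HH", NEWFRAME, 0)),
])
SUSPICIOUS_WMF = build_wmf([
    record(META_SETMAPMODE, struct.pack("<H", 1)),
    record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\0" * 4),
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspicious", SUSPICIOUS_WMF),
                       ("png-bytes", b"\x89PNG\r\n\x1a\n" + b"\0" * 32)):
        print(name, classify(blob))
```

Because the verdict comes from the record stream, a file renamed to .jpg or .gif gets the same result as one named .wmf, which is the property a proxy or mail filter needs here.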

We got several questions on our note on Google Desktop yesterday. Bottom line: if an image file with the exploit ends up on your hard drive, Google Desktop will try to index it and will execute the exploit in the process. There are several ways such a file could end up on the local drive. And this indexing-will-execute problem might affect other desktop search engines too.

And finally, you might want to start filtering these domains at your corporate firewalls too. Do not visit them.


So far, we've only seen this exploit being used to install spyware or fake antispyware / antivirus software on the affected machines. I'm afraid we'll see real viruses using this soon.

We've seen 57 different versions of malicious WMF files so far. We detect them all as PFV-Exploit.


Wednesday, December 28, 2005

Be careful with WMF files Posted by Mikko @ 15:30 GMT

Over the last 24 hours, we've seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit .A, .B and .C.

Fellow researchers at Sunbelt have also blogged about this. They have discovered more sites that are carrying malicious WMF files. You might want to block these sites at your firewall while waiting for a Microsoft patch:

  Crackz [dot] ws
  unionseek [dot] com
  www.tfcco [dot] com
  Iframeurl [dot] biz
  beehappyy [dot] biz

And funnily enough, according to WHOIS, the domain is owned by a former president of the Soviet Union:

  Registrant Name: Mikhail Sergeevich Gorbachev
  Registrant Address1: Krasnaya ploshad, 1
  Registrant City: Moscow
  Registrant Postal Code: 176098
  Registrant Country: Russian Federation
  Registrant Country Code: RU

"Krasnaya ploshad" is the Red Square in Moscow...

Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is access an infected web site with IE or view a folder containing infected files with Windows Explorer.

You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it; downloading the file was enough. So how on earth did it have a chance to execute?

The test machine had Google Desktop installed. It seems that Google Desktop indexes the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. It all happens in real time, as Google Desktop contains a file system filter and indexes new files as they appear.

So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you're handling infected files under Windows.


New WMF 0-day exploit Posted by Mika @ 08:38 GMT

There's a new zero-day vulnerability related to Windows' image rendering, namely WMF files (Windows Metafiles). Trojan downloaders, available from unionseek[DOT]com, have been actively exploiting this vulnerability. Right now, fully patched Windows XP SP2 machines are vulnerable, with no known patch.


The exploit is currently being used to distribute the following threats:

Some of these install hoax anti-malware programs such as Avgold.


Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file.

In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first.

As a precaution, we recommend that administrators block access to unionseek[DOT]com and filter all WMF files at the HTTP proxy and SMTP level.

F-Secure Anti-Virus detects the offending WMF file as W32/PFV-Exploit with the 2005-12-28_01 updates.

We expect Microsoft to issue a patch on this as soon as they can.


Tuesday, December 27, 2005

You don't want to download MSN Messenger beta 8 Posted by Mikko @ 08:38 GMT

There is no MSN Messenger 8 yet. Not in public beta anyway.

However, there's a new virus going around pretending to be "MSN Messenger 8 Working BETA".

There are two ways to catch it. First, by downloading it from a fake site where it has supposedly been "leaked":

If you download and run BETA8WEBINSTALL.EXE from that site, you won't get a new chat client. Instead, your existing MSN Messenger will start to send download links to everyone in your contact list. It also connects your machine to a botnet server.

The download link always contains the recipient's email address. For example, if you had a friend with a given email address, he would get a download link like


We've just added detection for this one as Virkel.F.


Saturday, December 24, 2005

Merry CHRISTMA EXEC to you! Posted by Mikko @ 08:24 GMT

Merry Christmas to all of our readers!

Christma exec image copyright IEEE

And happy holidays!

With best wishes,
F-Secure weblog staff


Friday, December 23, 2005

Another night, another Bagle night Posted by Katrin @ 21:27 GMT

It started almost 3 hours ago with 2 new Bagle downloaders and now there are 2 more. Looks like another Bagle night. Actually one more just arrived.

Thursday, December 22, 2005

Status update on Bagles Posted by Sami @ 21:07 GMT

We are up to Bagle.FJ. The count for this evening is already 6. Update version number 2005-12-22_07 is on its way.

The Bagle night continues Posted by Katrin @ 19:32 GMT

We have now four new Bagle downloaders, all very similar variants. We detect them as W32/Bagle.FE, W32/Bagle.FF, W32/Bagle.FG and W32/Bagle.FH. They are detected with the update 2005-12-22_05.


Another Bagle round Posted by Alexey @ 17:00 GMT

Looks like the guys behind Bagle don't have a life. Instead of shopping for Christmas they keep creating and spreading new downloaders. We just got a few reports about a new Bagle-related downloader that is now being spammed as a ZIP attachment containing a file named DFC00027.EXE. The mass-mailer responsible for this Bagle round was uploaded some time ago to one of the websites that are monitored by old Bagle downloaders. I hope that this round will be as short as the previous one.

Detection for the mass-mailer is already available as Email-Worm.Win32.Bagle.ex. The new downloader will be detected as W32/Bagle.FE with the 2005-12-22_03 updates that are expected shortly.


Tuesday, December 20, 2005

Sober does something good for a change Posted by Mikko @ 12:35 GMT

Remember Sober.Y? The one which sends fake emails from the FBI, the CIA and the German police.

One of the emails it sends to German recipients goes like this:

   Das Herunterladen von Filmen, Software und MP3s ist illegal und
   somit strafbar. Wir moechten Ihnen hiermit vorab mitteilen, dass
   Ihr Rechner unter der IP erfasst wurde. Der Inhalt Ihres Rechner
   wurde als Beweismittel sichergestellt und es wird ein
   Ermittlungsverfahren gegen Sie eingleitet.
   Die Strafanzeige und die Moeglichkeit zur Stellungnahme wird
   Ihnen in den naechsten Tagen schriftlich zugestellt.
   --- Bundeskriminalamt BKA
   --- Referat LS 2
   --- 65173 Wiesbaden
   --- Tel.: +49 (0)611 - 55 - 12331 oder
   --- Tel.: +49 (0)611 - 55 - 0

...which goes on to explain that illegal material has been found on your computer, an investigation against you has been started, the contents of your hard drive have been seized as evidence, and you should execute the attachment without thinking twice about it.

Now, it turns out somebody in Paderborn, Germany got this message, freaked out about it and decided to turn himself in. Whoa. German police investigated his computer and found child porn on it.

Thanks to Micha for the tip. Full story from Kreispolizeibehörde Paderborn.



Oh no, more Bagles... Posted by Alexey @ 12:01 GMT

We have received reports about a Bagle-related downloader being posted on one of the sites that were used for distribution of Bagle files in the past. This is the second-level downloader that just downloads one file and runs it. The downloaded file is a minor variant of the previous Bagle mass-mailer; we detect it as W32/Bagle.FC@mm. The mass-mailer sends out ZIP archives with a new Bagle-related downloader that we detect as Bagle.FB in the latest updates.

Typogoogling Posted by Mikko @ 09:11 GMT

Ryan Naraine wrote an interesting article on how Google is indirectly profiting from typosquatters.

We wrote about the basic problem in September: clowns from Panama and elsewhere have been registering domains like, and and are using them to show ads.

According to the eWeek article, most of the misspelled URLs are parked with This is a domain parking server owned by Google.

When people mistype web addresses and end up on these sites, the sites show Google AdSense advertisements, profiting the fraudsters and indirectly profiting Google.

Ben Edelman comments in the article: "By dramatically increasing the revenue that cyber-squatters can earn, Google encourages the cyber-squatting business and makes marginal squatting domains profitable — further increasing the scope of this problem".

Here's a nice example: the typosquatting domain "" is showing Google AdSense ads that we pay for, pointing to our Client Security promotion site:

Oh, and here's another nice trick. The WHOIS data for the fraudulent domain "" contains JavaScript which tries to launch a new window and load the fake site when the record is viewed.

Unasi, Inc


Monday, December 19, 2005

When the sea freezes over... Posted by Mikko @ 14:10 GMT

We're finally getting some decent temperatures this winter. It's around -10 °C (that's 14 °F) right now in Helsinki and the sea around our headquarters has now frozen.

Frozen sea

And by the way: we have plenty of open positions in our Helsinki office. Check out if you're interested in working with us!

We hire a lot!

So come to Finland! Surf's up!

Frozen sea


Vulnerability in Widcomm Bluetooth stack allows remote audio listening Posted by Jarno @ 13:43 GMT

In August 2004 we warned people about a serious vulnerability in the Widcomm Bluetooth stack used by many PC Bluetooth dongles. The Widcomm stack contains a vulnerability that allows remote code execution over Bluetooth, so an attacker or a worm can take over a PC just by being within Bluetooth communication range.

Last week people at Digital Munition found another vulnerability that allows unauthorized remote access to the PC's Bluetooth audio profile. Basically this means that anyone with the proper software can eavesdrop on a PC that has Widcomm Bluetooth software and a microphone, or play audio on the target PC.

While this vulnerability is not nearly as dangerous as the remotely exploitable buffer overflow, it is a good reminder that nobody should be using the old and vulnerable Widcomm software anymore.

However, as Widcomm was bought by another company (Broadcom), no security fixes have been made for devices that don't use a Broadcom chipset. Fixing this problem is not easy.

The best advice we can give people is to look for some other Bluetooth stack; for example, many Bluetooth devices work without any extra drivers under Windows XP Service Pack 2.

If there is no compatible Bluetooth stack available, we recommend setting authentication for the Headset Audio Gateway profile, as described in the advisory, and setting PC Bluetooth to non-discoverable mode.

Setting your PC Bluetooth to non-discoverable will not remove the problem completely, as your PC can still be found by brute-force scanning of addresses. But it will significantly limit the exposure.


Sunday, December 18, 2005

Turn it up Posted by Mikko @ 16:47 GMT

Fairly quiet weekend, except for some small-scale Dasher action. The latest version is now using an FTP server (feel free to filter that at your corporate gateway).

So why not liven up the weekend by copying some security-related Podcasts to your MP3 player?

Clark Boyd from BBC's The World did a good 30-minute show on the latest virus situation. He interviewed me, Graham Cluley, Bruce Schneier and Alan Paller (SANS).

Do note the huge difference in sound quality between me and Graham. Graham was using an ISDN line to talk with Clark in Boston, while I was using just a normal GSM phone. Can't wait for VoIP-based phone interviews to become commonplace...the sound quality would be superior.

And while on the topic of security podcasts, check out Security Now by Leo Laporte and Steve Gibson. Especially their episodes 9 and 12 were good ones to listen to.


Friday, December 16, 2005

Who axed you? Posted by Dan @ 16:41 GMT


Stefan has spent a considerable amount of time lately here in the Anti-Spyware lab looking into SpyAxe. Downloaded and installed by Trojan-Downloader.Win32.Zlob, SpyAxe is nice enough to detect the Trojan that downloads it, but it won't disinfect it unless you pay for a SpyAxe license, $49.50 U.S. (plus a nominal $2.95 transaction fee). I wouldn't dare pay for a licensed copy to verify that removal is actually done, but I have my doubts.

An annoyance at first, but there seems to have recently been a huge spike in the distribution of Zlob. We found a way to see how many unique registration IDs have been handed out by the site Zlob registers with. Most of the day, there seemed to be about 1,000 new infections per hour, but now that the U.S. is waking up & powering on their computers, that number has risen to about 2,500 infections per hour. I'd guess that we can expect to see many more variants to come.

We have published detection for today's Zlob variant, named Zlob.CY, in the 2005_12_16_02 Virus update.


Thursday, December 15, 2005

Mass-mailer for Bagle.EX downloader found Posted by Alexey @ 15:57 GMT

The mass-mailer for the Bagle.EX downloader has been found. It sends out ZIP archives containing the Bagle.EX downloader file, named S3700020.EXE. Detection for the mass-mailer will be available shortly as W32/Bagle.EY@mm.

New Dasher variant Posted by Jarkko @ 15:02 GMT

Shortly after Dasher.A, we got a sample of another variant, Dasher.B. This time the whole exploit chain is complete: the remote server that exploited machines connect to is currently up and running. The server instructs infected machines to download two files: a copy of the worm itself and a keylogger. The keylogger hides itself with a rootkit driver.

Both Dasher variants are using the same exploit code, released by "Swan" earlier this month.

Thanks to SANS ISC and Georg Wicherski of the German Honeynet Project for sending a sample of this variant!


Another Bagle night? Posted by Katrin @ 15:01 GMT

A new Bagle-related downloader - Bagle.EX, has been spammed a lot. We have just published urgent detection for it in the 2005-12-15_06 updates.

First MSDTC-exploiting malware unsuccessful Posted by Jarkko @ 10:00 GMT

We just received a sample of the first known malware exploiting the vulnerability in Microsoft Windows Distributed Transaction Coordinator (MS05-051). We call it "Dasher.A". The actual exploit is based on publicly available exploit code which was released on the first of December.

This worm doesn't appear to be very successful because of two flaws:

- It uses a central server in China for distribution (which is currently down)
- The exploit code itself is quite unstable

As far as we can see, the situation with Dasher.A is already over.


Wednesday, December 14, 2005

Me speak no Phinnish Posted by Mikko @ 06:22 GMT

We forecast this a year ago: the first phishing emails in Finnish have just been sighted. Although the language used in these emails is so horribly bad it's just funny.

Unfortunately the hilariousness is pretty much untranslatable for our international readers, but trust us: the language here is baaad.


The links point to at least 4 different web sites, located in Australia and elsewhere. Nordea has a public warning out on this.

After this incident, we're aware of phishing cases done in 18 different languages:



Tuesday, December 13, 2005

Fake McAfee download links Posted by Mikko @ 13:52 GMT

We've received several reports of emails, warning about a new virus called "Kongo31.XRW" (which doesn't exist).

The email links to a fake McAfee site, hosted in Canada:


The download link gets you a file called ak26xrw-patch-installer-win32.exe - which (surprise, surprise!) is infected with Trojan-Downloader.Win32.Hanlo.h.

We have warned our colleagues at McAfee about the fake site.


Upcoming conferences in early 2006 Posted by Jarno @ 08:49 GMT

Looking at the anti-virus research conference calendar, the time after New Year seems to be quite active indeed.

Jarno is speaking at two Black Hat conferences in the coming year: first at Black Hat Federal 2006 in Washington DC, held on January 23-26, 2006, and then at Black Hat Europe 2006, held in Amsterdam on March 2-3, 2006.

At both Black Hats the topic is how to combat and handle Symbian malware. The goal of the presentation is to give the necessary tools and information on how to clean infected devices and how to prevent the malware from spreading further.

At Black Hat Federal the presentation is from the federal and law enforcement point of view, and at Black Hat Europe it is from the system administrator point of view.

Mikko is speaking on similar topics at three conferences during the first half of the year: RSA Conference USA, RSA Conference Japan and AusCERT in Australia.


While on the topic of handling Symbian malware, we have noticed that it is rather difficult to clean an infected mobile device. So we have created a set of training slides that give instructions on what to do when encountering an infected device.

And since the regular readers of this blog are people who are quite likely to be asked for help when an employee's or a friend's phone gets infected, we have decided to publish this information in the hope that it helps when one ends up with an infected phone in hand and needs to figure out what to do.

Download the slides here:


Sunday, December 11, 2005

Fishing on the amazon Posted by Mikko @ 21:00 GMT

Almost any online shop can be a target of phishing scams. Being one of the largest online shops in the world, Amazon is a popular target.

Here's a recent example. Somebody sent out a fairly large mailing of "Order enquiry" emails from "", directing people to a fake look-alike site hosted in South Korea:


But this site is not just about stealing your Amazon username and password. Once you "log in", you get a new page, asking you to update your credit card information:


Here's a nice detail: see the "DFFDFD'S STORE" button above? The hacker was logged into the real Amazon site with that user account when he stole the graphics.

Next you might notice that the site is also asking for your credit card PIN number. Funny that, I don't remember Amazon asking for this before...let's see the details.


Oh, it's for security. To fight identity theft and credit card fraud. Great.


Friday, December 9, 2005

phish redux Posted by Era @ 16:32 GMT

nordea phishing site
Just a quick one for our dear domestic readers: the Nordea on-line bank phisher from October is back, with a slightly different message. By and large it's familiar enough that there isn't really anything new. It's still in English, the sites are still on faraway servers, predominantly in the Far East from what we've gleaned from the samples we have seen so far, and the risk that actual Nordea customers would fall for it seems rather small, considering, for one thing, how much publicity the previous incident stirred up in the Finnish media.

The generic phishing detection rules of our spam filter already classify these messages correctly, but we are putting out a database update with a specific rule for this case, just to be on the safe side.


Thursday, December 8, 2005

How Sober activates Posted by Mikko @ 16:02 GMT

The first Sober variant was found in October 2003. Since then, we've found over 20 different variants.

Most of these variants contain a routine that activates the virus at a later date. After this the virus will periodically try to download and run a file from several websites. This is the way most new Sober variants are distributed: the author uploads a new version and all the infected machines suddenly get infected with the new variant.

Virus statistics

Sober.Y was the biggest email outbreak of the year. It is still responsible for around 40% of all the infections we see. This variant is programmed to activate on January 6th, 2006. After this date all the infected machines will regularly try to download and run a file from a website, forever. The virus even synchronizes the machines against atomic clocks, so the activation will not happen before January 6th even if the computer's clock is incorrect.

So, what URL is the virus using? This is the tricky part. The virus writer knows well that if he uses a single, constant address in the virus body, it will get blocked quickly. So instead, Sober has been using an algorithm to create pseudorandom URLs which will change based on date. These URLs point to free hosting servers typically operating in Germany or in Austria. And 99% of the URLs generated by the virus simply don't exist.

However, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally in hundreds of thousands of machines.

The Sober virus author can precalculate the URLs. We wanted to be able to do the same thing. So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publicly then; we didn't want to tip off the virus writer. But he must know this by now.

So what do these pseudorandom URLs look like?

They look like this. These are the download sites Sober.Y will start using after the 5th of January. We're leaving out the filename of the actual executable, but this should be a good enough list of addresses you might want to block at your corporate firewall, if you're a system administrator:

Right now, none of these URLs exist. If they are to be used, the virus writer will register them just before the activation.

However, the list will change every 14 days. After the 19th of January the list becomes:

Last thing: several earlier Sober variants (most notably Sober.Q) have been sending out neo-Nazi propaganda messages. According to iDefense, the activation date of January 5th is an anniversary date for the Nazi party.

UPDATE: More on Sober activation dates from Joe Stewart at LURHQ.

ERRATA: The original entry contained errors in the URL lists. They should be accurate now. Also, the activation date is not the 5th of January, but day after that.


Wednesday, December 7, 2005

Wrapping up the year Posted by Mikko @ 16:50 GMT

Yeah, we still have three weeks to go before the end of the year, but we're publishing our year-end summary already.

In a nutshell: we're seeing fewer widespread outbreaks. This is the result of smaller targeted attacks launched by professional criminals, instead of the large outbreaks initiated by hobbyists. So while the situation seems to be getting better, it's actually getting worse.

F-Secure's Data Security Summary for 2005 is available in PDF: Part 1 and Part 2.

You can also watch a 10-minute video (WMV, 19MB) or download the same as an audio file (MP3, 7MB) for your iPod or whatever.

And for the hard core: the same in Finnish. The PDF, the video and the MP3.



So, how common are these rootkits? Posted by Mika @ 09:35 GMT

Since F-Secure is the first vendor to have a built-in rootkit scanner in its security suite, we are very often asked how many rootkit variants exist. This question is not that easy to answer with precise numbers, as very few malware families are named "Rootkit.Win32.Something". Most malware that uses rootkit techniques is called "Backdoor.Win32.Something", "Worm.Win32.Something", "Virtool.Win32.Something", etc. However, since our BlackLight rootkit scanner (generic rootkit detection) has now been available for 9 months, we have a pretty good feel for what the rootkit menace is currently all about.

F-Secure BlackLight Technology

In a recent eWeek article Microsoft says that more than 20 percent of all malware it has removed from its Windows XP SP2 customers are rootkits. "The open-source FU rootkit ranks high on the list of malicious software", the article states.

We can definitely agree that FU has been extremely widespread during 2005. There is a simple explanation for this. FU is a very simple rootkit to cut-and-paste into worms and bots. It should be noted that FU only hides processes, not files or registry keys. Currently worm and bot authors are mainly interested in hiding their processes from Task Manager. They are not that keen on hiding files, since most Windows users do not know which files should be in their "System32" folder anyway.

In our view, Hacker Defender (Backdoor.Win32.HacDef) is not as common as FU. However, various bots and backdoors use the HacDef rootkit to do their hiding. In addition, we regularly see this rootkit being used by hackers on compromised corporate servers. Therefore, although HacDef infection numbers are most likely far below those of FU, these infections are usually far more serious.

One might say that the Sony BMG DRM has to be the most common rootkit, because it was shipped on a huge number of music CDs. This would be a logical assumption, but we have not received that many reports of BlackLight finding this particular rootkit. BTW, Sony has finally released a stand-alone uninstaller for their DRM software.

We believe that since October 2005 the most common rootkit out there has clearly been Apropos spyware. The reason for Apropos to use rootkit techniques is very different from your average worm or bot. Usually rootkit malware tries to avoid detection. Apropos, on the other hand, shows the user pop-ups 'ad nauseam'. Therefore, the motive of Apropos is not to use rootkits for hiding itself. The very advanced rootkit functionality in Apropos is designed to prevent uninstallation and removal.


Monday, December 5, 2005

Old skool virus fighting Posted by Mikko @ 23:13 GMT

I was searching my hard drive for something else and I happened to run into this: a story I wrote over 12 years ago. It's about analysing a virus called Crepate. I hope you enjoy it.

F-PROT Professional 2.10 Update Bulletin

An ordinary day at work; testing F-PROT's OS/2 version, answering
support calls and writing the upcoming Update Bulletin. It's over
five o'clock, time to get home - the fall is far advanced and
I'll have to get my lawn sown before winter sets on.

The phone rings and shatters these thoughts. The call comes from
Symbolic, our distributor in Italy. Jeremy Gumbley, who works in
Symbolic's technical support, is on the line.

Jeremy gives it to me in a nutshell: A person had just dropped by and
told him that a new, unknown virus had been found in one Italian
university. There are probably tens of infected computers - the exact
number is not known, because none of the antivirus programs that have
been tried has been able to identify the new virus. The situation is
serious and all the computers will remain on hold until the virus is under
control. The visitor brought along a disketteful of files suspected to be

Jeremy has already taken a look at the files and is quite certain that
they contain a new virus. I tell Jeremy that I'll start working on
the subject immediately. Via modem, Jeremy transfers a sample packet to
the F-Secure BBS system, and the examination begins. I extract the
samples and put them through an automated examination system, which
checks the files with thirteen different antivirus programs and stores
the reports in an easily readable form. The system reports no alarms,
although some programs report that certain sample files have counterfeit
time stamps: in their creation date, the clock's seconds field shows an
impossible value, 62. Some viruses use this trick to mark files they
have already infected.

I give the files a quick once-over with a hex editor, enough to conclude
that if they contain a virus, it is a brand-new one. Certain files have the
text "(c)Crepa" at their end. Via Internet, I transfer the files to Frisk
Software International's FTP server in Iceland. Just to be sure, I call
Iceland and recount the incident to Fridrik Skulason. He says that the
files will be taken under close inspection right away. We decide to
divide our forces: I and Jeremy will concentrate on examining how the
samples function, in other words find out what the virus really does.
The people in FSI will focus on building detection and disinfection
routines for the new virus. We'll keep contact by phone and E-mail. I
hang up and start the classification of samples. Seems like I won't get
any time off for my lawn today.

I find out quickly that there are three different kinds of samples. Some
of the files contain extraneous code at their end. This is not caused by a
virus but the "Immunize" function of the Central Point Antivirus
program. To be on the safe side, I remove the Immunization code and
check the original programs. The files are clean. Some of the other
programs contain code which seems to have been added to their
beginning. The remaining files have the text "(c)Crepa" at their end.
It seems that we need to divide the analysing task if we want to resolve
the problem as quickly as possible. I call back to Iceland, and we agree
that they will start working on incorporating the detection and
disinfection of the virus while I and Jeremy start to disassemble and
document the functioning of the little beast.

I give the Crepa files a closer look. There are four of them, all parts of
the Italian MS-DOS 6. I choose to probe KEYB.COM, since it is a
comfortably short program to examine and I know its structure of old.
First I take a hex dump of the program by using Borland's TDUMP
application. Then I proceed to run a debug listing of it with good old

It proves extremely difficult to follow the program's execution with a
DEBUG listing: the virus completes only one or two instructions at a
time before jumping to somewhere else in the code. Therefore I turn to
Zanysoft Debugger, and use it to analyze the infected KEYB.COM.
Along with Borland's Turbo Debugger, I have found ZD to be a handy
tool to examine virus samples with.

The program's execution is easier to follow with ZD, and it soon
becomes clear that the author of the virus has wanted to make the
program difficult to examine by coding it full of jump instructions.
However, a careful inspection of the code reveals that the commands
executed between jumps form a complex routine that decrypts 3900
bytes at the end of the file. At this point it becomes obvious that this is
a self-encrypting virus.

I execute the virus one command at a time until it has decrypted itself.
Then I store the virus code back on the diskette. When I go over the
decrypted virus code, I notice that two new lines of readable text have
surfaced from beneath the encryption:


Crepate (c)1992/93-Italy-(Pisa)

The first line appears to indicate that the virus is capable of infecting
COM, EXE and Overlay files. The second line confirms the virus to be
of Italian origin.

I discover that the task of separating the virus code and the original
KEYB.COM code from each other is too arduous. Instead, I decide to
see whether I can get the virus to infect a bait file. As bait, I use a
collection of COM and EXE files which contain nothing more than a
termination instruction and a lot of zeros to pad the files to a certain
length. Such programs do nothing else than terminate their execution,
and since the file lengths are even numbers, a change in size caused by a
virus can be noticed at the first glance.

I transfer the virus to our much-abused test computer, and copy a sample
of clean baits into the same directory with the virus. When I run the
KEYB.COM, it gives an error message in Italian complaining about
incorrect parameters. I use a memory mapping program to check for
changes in memory allocation. No changes are evident, which means that
the virus is either not resident in memory or capable of bypassing
memory mapping applications. I check the bait files - no changes in
those either. I run the infected KEYB.COM a couple of times to be
certain, but the bait programs are simply ignored. Why? There are many
possible explanations. Maybe the virus is picky about the files it
infects. Maybe it won't infect anything on even days. Maybe it doesn't
infect files in its current directory, but somewhere else on the disk.
Maybe it is a stealth virus, in which case the changes cannot be seen
anyway, at least not while the virus is active.

Jeremy calls while I'm thinking about all this. We get to a discussion
on its peculiar jump structure. "I'm sure I have never seen so many jump
instructions", "For a moment I thought it was a new version of the
Commander Bomber virus, but no, at least not that", "I think that this
jump-spaghetti has been added just to confuse heuristic analysis".
Indeed - F-PROT's Heuristic Analysis failed to give warning of an
infected file even when the /GURU option was enabled. Goes to show that
any software-based protection can be overcome by software. Jeremy has
managed to examine the virus a bit further. We agree to name the virus Crepate for
the time being.

Jeremy says that, right after decrypting itself, the virus gets into the
business of doing some absolute disk writes. Immediately, I get a
brainstorm. - It is a multipartite virus we are talking about here,
operating in the same way as, for instance, Tequila. When the virus is
executed in a clean computer, it infects the hard disk's Master Boot
Record but does nothing else. The next time the computer is turned on,
the virus stays active in memory and starts infecting other program
files. I test my theory - and yes! The F-CHECK checksum program reports
an altered Master Boot Record.

I use Norton's DISKEDIT to take a copy of the Master Boot Record's code
before restarting the computer. The boot-up seems to be completely
normal. I run MEM and find the familiar sign indicating the presence of
a boot sector virus: the amount of DOS memory has dropped from the 640
kilobytes normally available in this computer. There are only 636
kilobytes left, which means that the virus takes up four kilobytes.
I go back to the virus directory and run the bait files again. Strangely
enough, the baits are still not infected. The filesizes stay the same,
whatever I do. Without giving the matter further thought, I run DOS's
CHKDSK and attain instant enlightenment. CHKDSK reports "Allocation
error" for every COM and EXE file I have executed during this session.
The report includes all the files referred to in AUTOEXEC.BAT, all bait
files, and CHKDSK.EXE itself. This is a clear sign of an active stealth
virus that is operating in the computer and hiding the changes it has
made to files. However, the virus is not sophisticated enough to hide
the changes from the CHKDSK program, which is reporting errors caused by
contradictions between directory information and File Allocation Table.
The closer I look, the more advanced this virus is beginning to seem.
When I compare the infected bait files, I notice that the decryption
routine varies between different samples. In addition to everything
else, the virus has polymorphic characteristics mixed in.

The phone rings - Fridrik is calling from Iceland. His staff has gone
through the same sample files, concentrating first on the samples which
I and Jeremy had decided to leave alone for the time being. Some of the
samples had indeed been clean, though packed by using CPAV. Some
other files had been found to contain a new virus, which was named
March 25th. In other words, two different viruses are on the loose in
the Italian university! Frisk hands me a short account on the
characteristics of the March 25th virus: a memory-resident COM and
EXE infector that structurally changes COM files into EXEs. The virus
activates on the 25th of March and overwrites most data on the hard
disk. The size of this virus is only 1024 bytes, and it is much simpler
than Crepate.

Frisk has also gone over the Crepate files, and he is already well
acquainted with the virus's functioning. For some reason, though, the
virus does not function in his test computers. Although it manages to
infect the hard disk's Master Boot Record, the computer won't boot
afterwards. Curious. Fridrik is ready to build a disinfection routine for
the virus, but he is hampered by the fact that he cannot get it to spread.
I promise to send him a program packet containing both clean and
infected versions of the same sample files.

After hanging up I take a closer look on the code the virus writes on
the Master Boot Record. Aha, it tries to make inspection more difficult
with commands that modify the commands next in line... I get another
brainstorm. Immediately, I call back to Frisk and ask what kind of a
computer he used to test the virus. Frisk tells me he has used his newest
virus testing computer, a 33 MHz 386DX. "Does it have internal cache
memory", I ask. "Yes, 8 kilos", Frisk answers. The mystery unravels. I
had tested the virus in a 16 MHz 386SX computer with no cache

The cache memory of Fridrik's computer buffers commands that are to
be executed next, and makes it unnecessary to retrieve them all the way
from the main memory. Because of that, though, the changes the virus
tried to make in its own code never got through. The bytes it tried to
change had already been read into the cache memory where they could
not be altered. In other words, the Crepate virus cannot function in
computers with internal cache memory - it will only crash them during

I start to create a sample of demo files, beginning with a collection of
programs that are different from each other both structurally and in file
size. I pack the clean programs and transfer the packet into the infected
computer. There I execute, open and copy programs. Any of these
operations infects the program in question, but I notice that the virus
won't infect the smallest files. I boot the computer from a clean
diskette, pack the infected files and transfer them back to my own
computer. Again, I open a telnet session and send the sample packet to
Iceland via FTP.

I continue to examine the virus. It seems that Crepate uses a very
peculiar method to hook the DOS interrupt 21h. The virus would gain
nothing by jumping to hijack the interrupt for the first thing it does
after it has been executed from the boot sector, because DOS takes the
interrupt into use only later on. Instead, at the very beginning the
virus hijacks BIOS's timer interrupt, activating 18.2 times in a second.
The virus uses this interrupt to check 18 times in a second whether DOS
has loaded itself. When that happens, the virus hooks the interrupt 21h
to its own code. That way it gets to be the first program to clamp onto
the interrupt.

The phone rings again, this time it's Jeremy. We quickly exchange what
we have learned from the virus. He tells me he has found a date check
and destruction routine further along the code. The virus activates on
the 16th day of any month, and executes a remarkably thorough
destruction routine. It overwrites all the data on the first hard disk,
going through the disk from beginning to end. Since that kind of a
routine is quite difficult to code, most viruses use destruction routines
that overwrite only a part of the hard disk. For example, even the
notorious Michelangelo virus destroys only a certain amount of the
hard disk's data. After such partial destruction, it is usually possible to
salvage some data from the hard disk without turning to expensive data
recovery services. Crepate is a different breed of cat and goes through
the disk thoroughly, sector by sector.

The 16th day. That was a week ago -- maybe the virus was discovered a
week ago, when the first hard disks were wiped? No matter. It must be
stopped now, before it causes further damage.

I code a routine that checks files for Crepate infection. Using it, I
scan the test computer's hard disk. Practically all the programs I have
used during the evening have been infected. I wipe the hard disk and
restore a basic combination of clean software on it. I run the routine
also on diskettes I have used to carry files between the test computer
and my own. I'm surprised when I notice that the boot sectors on the
diskettes have also been infected. What on Earth - to the best of my
knowledge, the virus code contained no routines for infecting diskettes.
I go over the code more carefully, looking for something that hints at
diskettes. After a time it becomes clear that the virus uses the same
routine to infect both hard disks and diskettes. Crepate is a true
multipartite virus -- capable of infecting three different file types and
two kinds of boot sectors. Its maker must have spent a long time
finishing his creation.

Fridrik sends a completed search routine via FTP. Using it as the base,
I create F-PROT Professional 2.09e. After a quick check to make sure the
program recognizes both March 15th and Crepate faultlessly, I transfer
it to the file areas of F-Secure BBS. I call Jeremy to tell him he
can pick it up with his modem. At the moment, he is putting together a
summary of the virus to be delivered to the client. He says he will take
F-PROT to the university in the morning.

Everything is just about finished for the evening. Frisk E-mails a
message saying that he'll send a sample of the virus to other antivirus
program developers so they can add the recognition of the new virus to
their own products. After that, Frisk says, he will go home. Jeremy
sounded tired too.

The time is 01.30 in Finland, 00.30 in Italy and 22.30 in Iceland. I'll
go and get some sleep, too - the fall is far advanced and I'll have to
get my lawn sown before winter sets on.

Originally published 12 years ago in F-PROT Professional 2.10 Update Bulletin, May 1993.

PS. Jeremy, if you're reading this...get in touch!
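Two of the checks the story leans on, decoding the DOS timestamp to spot the impossible 62-second "already infected" marker and size-checking even-length bait files, as an added Python example; this is not F-PROT or F-CHECK code, and the sample timestamp, directory entry, bait layout and prepending simulation are constructed here.

```python
import hashlib
import struct

def decode_dos_time(word):
    """Unpack a FAT/DOS time word: hhhhh mmmmmm sssss, seconds stored as seconds//2.
    A raw field of 30 or 31 decodes to 60 or 62 seconds, which no clock produces."""
    secs2 = word & 0x1F
    minutes = (word >> 5) & 0x3F
    hours = (word >> 11) & 0x1F
    return hours, minutes, secs2 * 2

def timestamp_is_marker(word):
    """True when the packed time cannot be a real clock value (seconds >= 60)."""
    return decode_dos_time(word)[2] >= 60

def entry_write_time(entry):
    """Write-time word of a 32-byte FAT directory entry (little-endian at offset 22)."""
    if len(entry) != 32:
        raise ValueError("FAT directory entries are exactly 32 bytes")
    return struct.unpack_from("<H", entry, 22)[0]

def make_bait(size):
    """COM-style bait: one RET (0xC3) padded with zeros to an even size, so a
    parasitic infector's size change stands out at first glance."""
    if size < 2 or size % 2:
        raise ValueError("bait size must be even and at least 2")
    return b"\xC3" + b"\x00" * (size - 1)

def bait_state(original, current):
    """Compare a bait with its pristine copy. Returns (changed, reason).
    Size is checked first; the hash catches same-size (overwriting) changes."""
    if len(current) != len(original):
        return True, "size %d -> %d" % (len(original), len(current))
    if hashlib.sha256(current).digest() != hashlib.sha256(original).digest():
        return True, "contents changed, size unchanged"
    return False, "unchanged"

def simulate_prepend(bait, added=3900):
    """Constructed stand-in for a prepending infector: 'added' filler bytes in
    front of the bait (a jump opcode plus zeros, no real virus code)."""
    return b"\xEB" + b"\x00" * (added - 1) + bait

if __name__ == "__main__":
    # Constructed entry: "KEYB    COM", archive attribute, write time 12:34:62.
    entry = b"KEYB    COM" + b"\x20" + b"\x00" * 10 + struct.pack("<H", 0x645F)
    entry += b"\x00" * (32 - len(entry))
    print("KEYB.COM time", decode_dos_time(entry_write_time(entry)),
          "marker:", timestamp_is_marker(entry_write_time(entry)))
    bait = make_bait(1024)
    print("clean bait:", bait_state(bait, bait))
    print("after infection:", bait_state(bait, simulate_prepend(bait)))
```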


Thursday, December 1, 2005

We just bought a company Posted by Mikko @ 07:09 GMT

After announcing F-Secure Messaging Security Gateway two months ago, we're going deeper into the hardware appliance business. We've today acquired a company called ROMmon - welcome aboard, guys!

ROMmon, the brainchild of the networking guru Petri Helenius, has been specializing in ultra fast network monitoring devices.


One very nice application of this technology is automatic monitoring for rogue nodes in a network.

For example, ROMmon devices were used very effectively during the massive Assembly'05 demo party to locate and isolate infected machines in the party network. See some of these bandwidth graphs.
F-Secure Network Control Appliance
We're launching a new product called F-Secure Network Control Appliance based on this technology. It will tackle spam and computer zombies for service providers automatically. This box will monitor traffic from end-users at the network edge, automatically denying offending computers access to the network. Those using too much bandwidth or operating as spam zombies will automatically get redirected to a self-help web page, explaining what they have to do (like "clean your PC - install patches!") in order to regain network connectivity.

This is smart compared to the current model where ISPs and other service providers are manually trying to figure out who is a zombie and who is not - and when they find one they will just cut the user off, leaving him wondering what's going on and making support calls.

This technology works: it is already being used to monitor around half a million subscriber lines.