NEWS FROM THE LAB - December 2006


Sunday, December 31, 2006

Fun Filled New Year May Your Dreams Come True Sparkling Happiness And Good Times etc. Posted by Mikko @ 10:41 GMT

Massive amounts of fake New Year's greetings cards are being sent by Tibs.jy (aka Luder).

According to both our public and private virus statistic systems, the numbers are big enough. So we've just raised Luder.A to Radar alert Level 2.



In any case, this is hopefully the last post of 2006. Have a Good Year.


First MMS exploit for phones has been released Posted by Jarno @ 08:41 GMT

Image copyright Collin Mulliner

Late on Friday the 29th of December, Collin Mulliner published proof-of-concept exploits for MMS vulnerabilities that he discovered six months ago. When Collin first discovered the vulnerabilities he informed the software vendors, but as he has not received a report from them in half a year, he decided to publish the exploits now, at the 23rd Chaos Communication Congress in Berlin.

The proof-of-concept exploits target vulnerabilities in the SMIL presentation control language used in MMS messages. Region tags in MMS SMIL are vulnerable to a buffer overflow that leads to arbitrary code execution. In other words, if the content of those tags gets too large, a malicious MMS message can execute code on the target device.

It is still unknown which phones are vulnerable to this exploit. Collin's research has confirmed a vulnerability in the IPAQ 6315 and i-mate PDA2k, but it is quite likely that all Pocket PC 2003 and Windows Smartphone 2003 devices are also vulnerable.

The good news is that the only devices for which the proof-of-concept code is available are the IPAQ 6315 and i-mate PDA2k. And even on those devices the attacker needs to guess the correct memory slot where the MMS processing code is executing and send correctly crafted exploit code. This means that a malicious MMS message will most likely only be able to crash the device, not to exploit it.

So while Collin's discovery is very significant, it does not pose immediate danger to any large group of users. And although it is possible to create an MMS worm or other malware that uses the vulnerability, this particular exploit cannot be directly used in creating malware.

But to be safe, on Saturday the 30th we added detection for the exploits to F-Secure Mobile Anti-Virus for the platforms that can be affected by this vulnerability.

As the device vendors have not confirmed that the vulnerability has been fixed, we cannot confirm that patches are available. But as always, it's a very good idea to have the latest updates installed on your devices.


Saturday, December 30, 2006

Modified versions of the malicious New Year cards Posted by Mikko @ 13:45 GMT

Fun filled New Year

We're now seeing slightly modified versions of the Happy New Year postcard.exe attachments that were first spotted on Friday.

This time the e-mail subjects vary a lot but are always themed around New Year greetings. For example, "Fun Filled New Year", "May Your Dreams Come True!", "Sparkling Happiness And Good Times!", or "Sender Happy 2007!". The attachment name is "greeting card.exe", "Greeting Postcard.exe", or something else along those lines.

The attachments have been modified slightly to avoid detection by antivirus programs, but we detect them as Trojan-Downloader.Win32.Tibs.jy. There are also some corrupted attachments floating around: those might not be detected, but they won't work either.

Details of this malware are available in our description.


Friday, December 29, 2006

BlackLight Beta for Windows Vista and Windows 2003 Server x64 Posted by Antti @ 12:37 GMT

We've just published a new beta version of our free BlackLight rootkit scanner, which now also supports Windows Vista (32-bit only) and Windows 2003 Server x64 Editions.

BlackLight on Vista

The same BlackLight executable will work on all supported platforms.

You may find it interesting that we're adding support for 64-bit operating systems, even though there are currently no rootkits for them! The reason is that while 32-bit rootkits do not work on 64-bit platforms it is not impossible to create a 64-bit compatible rootkit. It just requires extra effort.

For example, a user-mode rootkit would have to hook 64-bit processes with 64-bit code but also make sure everything is hidden from 32-bit applications running under WOW64 emulation. As the number of computers running 64-bit Windows has remained low, the rootkit authors have not had a reason to spend the extra effort to target those systems. When they do, we hope to be ready.


More malicious New Year postcards Posted by Mikko @ 07:43 GMT


There's a large scale spam run underway, sending short e-mail messages. No text, just the subject field of "Happy New Year!" and a file named postcard.exe as an attachment.

The attachments are variable, but so far we detect them all as Trojan-Downloader.Win32.Tibs.jy. We have a description online too.

In general, kill all files named "postcard.exe". They always seem to be bad news.
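The advice in this post and in the Saturday follow-up (vary the subject, keep the executable attachment) can be turned into a mail-gateway triage rule. This is an added example, not F-Secure code; the subjects and attachment names are the ones quoted in the two posts, the sample messages are constructed here, and the rule is deliberately narrow so it does not block every .exe attachment:

```python
"""Triage rule for the New Year 'postcard.exe' spam run (added example)."""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Attachment names quoted in the two posts (compared case-insensitively).
KNOWN_BAD_NAMES = {"postcard.exe", "greeting card.exe", "greeting postcard.exe"}
# Subject lines quoted in the two posts.
KNOWN_SUBJECTS = {
    "happy new year!",
    "fun filled new year",
    "may your dreams come true!",
    "sparkling happiness and good times!",
    "sender happy 2007!",
}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def attachment_names(msg: EmailMessage) -> List[str]:
    """Return the declared file name of every non-container MIME part."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def classify(raw: bytes) -> str:
    """Classify a raw RFC 822 message.

    'block'      -- an attachment name matches one seen in this run
    'suspicious' -- New Year greeting subject plus any executable attachment
    'ok'         -- nothing matched (the rule is deliberately narrow)
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("subject", "")).strip().lower()
    names = [n.lower() for n in attachment_names(msg)]
    if any(n in KNOWN_BAD_NAMES for n in names):
        return "block"
    greeting = subject in KNOWN_SUBJECTS or "new year" in subject or "2007" in subject
    if greeting and any(n.endswith(EXECUTABLE_SUFFIXES) for n in names):
        return "suspicious"
    return "ok"


def build_message(subject: str, filename: Optional[str], body: str = "") -> bytes:
    """Construct a sample message as raw bytes (test data, not a captured spam)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)  # the real run carried no body text at all
    if filename:
        if filename.lower().endswith(".exe"):
            # A stand-in PE header; the real payload is not reproduced here.
            msg.add_attachment(b"MZ\x90\x00", maintype="application",
                               subtype="octet-stream", filename=filename)
        else:
            msg.add_attachment(b"\xff\xd8\xff\xe0", maintype="image",
                               subtype="jpeg", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, fname in [("Happy New Year!", "postcard.exe"),
                        ("Sender Happy 2007!", "card17.exe"),
                        ("Happy New Year!", "family.jpg")]:
        print(f"{subj!r} + {fname!r}: {classify(build_message(subj, fname))}")
```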




Thursday, December 28, 2006

Congratulations to Sabre Security Posted by Mikko @ 13:13 GMT


Here's our congratulations to a fellow research house: Sabre Security (the masterminds behind reverse engineering tools like BinNavi and BinDiff) won first place in the German IT Security Innovation Awards this year.

The award: a cool 100,000€.

They won the award with their automated malware classification project "VxClass", developed by Halvar Flake and Ero Carrera (Ero used to work here in our labs before joining Sabre).

Congrats boys!

Ero in action


Monday, December 25, 2006

Happy New Warezov Posted by Mikko @ 08:34 GMT

Warezov Postcard

A new Warezov spam run is underway, using a "Happy New Year" postcard as its disguise.

The attachment is named and the text of the message reads:

   Hi, you’ve just received a postcard.
   For: (your e-mail address)
   From: ---
   Text: Happy New Year!
   Click on attachment to view a postcard.

When run, the malware connects to and downloads a Warezov variant.

We detect this now as Trojan-Downloader.Win32.Small.edn.


Sunday, December 24, 2006

More Christmas-themed malware Posted by Mikko @ 10:47 GMT

Unfortunately there seems to be more Christmas-related malware floating around.

Now there's a backdoor named Christmas_Puzzle.exe. This one uses a rootkit to hide its presence on a system. We detect it as Trojan-Spy.Win32.Ardamax.e. As a decoy, this one displays a Christmas-themed jigsaw puzzle game.

And then there's a PowerPoint file named Christmas+Blessing-4.ppt. This one uses MS06-012 or a related vulnerability to drop and execute two embedded programs. As a decoy, the exploit has been embedded in an innocent Christmas-themed PPT slideshow that has previously made the rounds.


We now detect this PPT file as Exploit.MSPPoint.Agent.g.


Saturday, December 23, 2006

Careful with Christmas.exe Posted by Mikko @ 14:10 GMT


We've just received a sample of something that's named CHRISTMAS.EXE.

When run, this IRCBot variant will try to download various malicious executables from web servers at and

As a decoy, it shows this Christmas-themed image:

Christmas.exe Image

Obviously, a gift that keeps on giving. To be avoided.


Friday, December 22, 2006

Merry Christmas Posted by Sean @ 10:41 GMT

The Christmas Holiday has arrived and the office will be rather quiet soon. The folks that are working over the weekend to ensure smooth operations will be doing so remotely. What else will they be doing? Opening gifts and playing games — We "tested" a Wii in the lab two weeks ago. Determination – It's very good fun.


And now some Fun with Flash – Here are some games for you to check out. The first game is IBM's The Evolving Threat. It's an Asteroids style game. There are screenshots here, here, and here.

The Evolving Threat

The second is Microsoft's Arm Yourself Against Attacks. It's another Asteroids style game. There's a screenshot here.

Arm Yourself

The third is Invisible Burglar from Symantec. This one looks like a Star Castle clone.

Star Castle

And finally, F-Secure has a PC Wellness campaign with a flash based site. Send a friend of yours a message. The site is available in English, French, and Finnish.

PC Wellness Network


Wednesday, December 20, 2006

Phishing Filters - No Add-ons Required Posted by Sean @ 15:50 GMT

Today Opera released version 9.1 of its browser for Windows. A new security feature is included – Fraud Protection.

Opera's Settings

Using a whitelist from GeoTrust and blacklists from GeoTrust and PhishTank, Opera now alerts users to fraudulent sites. When the option is enabled, each URL visited is checked before it is loaded, and instead of being taken to a phishing site the user is presented with a warning.


Firefox 2.x and Internet Explorer 7 also have their own anti-phishing filters built into the browsers. IE7 checks against locally stored files, then against the URL Reputation Web Service (URS) hosted by MSN, and then uses built-in heuristics to validate the URL. Firefox 2.x has two options – either it checks against Google's AntiTrust database, or it uses a downloaded list of suspected sites. The site list is local to the user's hard drive, so anyone concerned about privacy might prefer this method. The download file is updated frequently.

Firefox's Warning:

IE's Warnings:
Internet Explorer 7

Suspicious Site

Safari 3.0 will reportedly include similar functionality.

On another front, we've also noticed that Yahoo! Mail started blocking non-standard URLs at some point. Outlook has been doing so for a while now. Any unusual URL prompts the user with the following warning:

Yahoo! Mail

We see these updates as a very positive development for the typical Web consumer and hope to see the features widely enabled. If you haven't updated your browsers, do so now. — There's a Firefox security update today as well… And for those of you that have the great pleasure of being your family's IT support – put this on your Christmas to-do list.


Tuesday, December 19, 2006

Skype Worm Posted by Mikko @ 11:58 GMT

We've received some queries about a Skype worm.

The situation is a bit confusing right now, but here's what we know:

  • There is no massive outbreak going on
  • There is something spreading on Skype, but only in limited numbers
  • It is not exploiting a vulnerability in Skype but simply sending chat messages asking you to download and run the infected executable
  • There are two different and separate malware samples being talked about relating to this case, confusing things further
  • One of them is named "sp.exe". We received a sample of this yesterday and added detection. This one is connecting to in its attempt to download additional components
  • The other one is described in here. This one downloads additional components from, and it's actually not new at all: we've detected it since beginning of October


Friday, December 15, 2006

'Tis the Season ... Posted by Era @ 10:58 GMT

Every year around Christmas, the spammers have arranged something like a Gold Rush, ramping up the number of messages they send for the Christmas shopping season.

However, this year, what we are seeing is a completely new phenomenon. It seems that multiple unfortunate events have coincided, resulting in an unprecedented rise in spam levels.

Now, if you look around for statistics, you will find that some claim that spam is now up to a record high 60% of all email in the world, and others claim that spam is at a record high 90% of all email, and some undoubtedly see close to 100% (my personal inbox would be a good example).

Sad Inbox

Whenever you see such numbers, you have to ask yourself whose numbers these are, and how they calculate them. Who has the data to correctly measure all the email in the world? Does that include email sent within corporate intranets, too? How do you account for blocked email which would have been sent if the block wasn't in place? Etc.

But however you measure it, the consensus is clear: Spam is worse than ever.

Right now, we are identifying three contributing factors:

1. Well, it's Christmas Gold Rush again.

2. It looks like the spam nets established by email worms over the last couple of years, and especially during this autumn (Warezov), are now entering a new phase, with massive volumes of spam being sent.

3. Possibly the same spammers have come up with techniques to introduce much more variation in their messages, which enables them to bypass many content-based filters which used to work better.

If you want some numbers, in spite of what was said above, here are some numbers. It's not clear how well they generalize, but this is what we are seeing:

- The average size of a spam message has doubled in the last year or so. No doubt, this is mainly because of the increase in image-based spam.

- The number of spam messages in a typical honeypot mailbox has tripled in two years. The growth is not constant; it has accelerated markedly in the last year.

- Combining and extending the two previous observations, the volume of spam in bytes has grown more than fifteen-fold in two years.

We are hard pressed to find any good news to report in order to balance this account, but it appears that at this rate, we will soon exceed the pain threshold for passing international legislation against spam.


Thursday, December 14, 2006

Wireless Client Update Posted by Sean @ 13:45 GMT

Windows XP SP2 Update KB917021 was published on October 17th 2006. What's that you say?


It's an update to "help prevent the Windows wireless client from advertising the wireless networks in its preferred networks list". Those of you that travel with confidential information might want to investigate this patch. It wasn't included in Microsoft's monthly updates.

Advertising the name of your preferred networks creates the potential for a man-in-the-middle attack. This patch won't stop your Windows notebook from using a spoofed network, but it will fix it so that the hacker would have to guess the name.

You can find more details on this from Brian Krebs and Knowledge Base article 917021. You can download it from Microsoft's Download Center – Validation Required.


Wednesday, December 13, 2006

False alarm with Backdoor.Win32.HacDef.q Posted by Mikko @ 07:03 GMT

Today we had a false alarm with the detection of Backdoor.Win32.HacDef.q.

We've now published a fixed database 2006-12-13_04. Very sorry for the inconvenience.


Tuesday, December 12, 2006

Tuesday Patch Time Posted by Francis @ 20:52 GMT

Microsoft has released its monthly updates. As Patrik posted earlier, Microsoft's December update does not include a patch for any of the recently discovered Word vulnerabilities. Nonetheless, Microsoft's monthly update package includes three critical patches — one of them, MS06-078, addressing a Windows Media Player remote code execution vulnerability.

December's Second Tuesday

At the moment, we haven't seen any malware that takes advantage of this vulnerability. But it's possible that we'll see something using this exploit as a worm vector. For instance, a mass mailer that spams specially crafted .ASF or .ASX file attachments carrying exploit code, or perhaps an Instant Messenger worm spamming links to malicious sites hosting exploited Windows Media Player files.

Who knows? Better patch now before it's too late.


Monday, December 11, 2006

QuickTime Flaw is Cross Platform Posted by SGMasood @ 14:28 GMT

QuickTime Safari JavaScript

Yep. We tested the two security issues mentioned in our previous post on Mac OS X with QuickTime v7.1.3. We found that the .qtl issue works on the Mac. So, now we have an unpatched QuickTime vulnerability that affects both Windows and Mac OS users. Any malicious JavaScript code exploiting it would affect the users of both operating systems. Phishing and Quickspace-type web application worms are two examples of attacks that are possible.

Click here to view a screenshot from our test.

Also, let us reiterate once again that this is not a MySpace only issue – this affects every other website that allows the embedding of QuickTime content. We tested two other well-known social networking sites.

Just a side note: the HREF track and .qtl issues seem to affect users of QuickTime Alternative as well.


Two Unpatched Apple QuickTime Vulnerabilities Still Imperil Users Posted by SGMasood @ 11:14 GMT

You all know the story by now – A week ago MySpace was attacked by the Quickspace worm that abused an alleged "feature" of Apple QuickTime movie files to inject and execute malicious javascript in user profile pages. The malicious code attempted to phish accounts and to offer spyware to an unspecified number of users with obvious hopes of financial gain by the perpetrators. The primary cause that made the attack possible is not a MySpace flaw, but rather an Apple QuickTime feature that is clearly a security vulnerability. QuickTime fails to enforce the same origin policy and to warn the user before loading and executing javascript from external resources – two things that all similar applications are expected to do. For example, Flash allows embedded scripts, but it warns the user when a flash application tries to access an external resource.

We have yet to see Apple acknowledge this as a security issue. On the contrary, it has claimed that this is a legitimate feature. A temporary, trivially evadable fix was provided by Apple to MySpace that was, controversially, distributed only to MySpace users and only to those MySpace users who use IE. All other users of Apple QuickTime, including MySpace users who use a browser other than IE, are still vulnerable. And, since this fix was given only to MySpace users, other websites are still vulnerable to an attack by a worm similar to Quickspace.


We did some investigation and found that —

1. Apart from the HREF track flaw exploited by the worm, Apple QuickTime is still vulnerable to another similar flaw that has been publicly known for quite some time. This flaw can be exploited in the same way to achieve the exact same results as the first flaw. The second flaw is obscure and it still remains unfixed. We haven't yet seen anyone bringing attention to it or talk about fixing it. Any patch that fixes the first flaw but not the second one is inadequate.

2. MySpace is still vulnerable to both the flaws and nothing prevents another web application worm from exploiting them.

3. We tested a few other social networking sites and all the sites we tested were also vulnerable to web application worms utilizing the two flaws as an attack vector. With no fix available, currently the only feasible workaround for these social networking sites, and also other websites on the Net, is to completely block users from uploading Apple QuickTime content. Though scrubbing javascript from the content before accepting it is a solution, it is complex enough to make it impractical in this case.

Recommendation: Websites should block Apple QuickTime content completely until a patch is available from Apple for both vulnerabilities.

Bottom line: These are security vulnerabilities, not "features".
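The recommendation above (block QuickTime content at upload time until a patch exists) only works if the check looks at the bytes and not at the file extension or the declared MIME type. This is an added example, not MySpace's or F-Secure's code: it walks the top-level atoms of an uploaded file to recognise QuickTime movies, and treats a file carrying the QuickTime media-link processing instruction as a .qtl document (that marker string is an assumption made here). Because MP4 files share the same atom layout, the match is deliberately broad.

```python
"""Content-based QuickTime upload gate (added example)."""
import struct
from typing import Iterator, Tuple

# Processing instruction assumed here to identify a QuickTime media-link (.qtl) file.
QTL_MARKER = b'<?quicktime type="application/x-quicktime-media-link"?>'


def iter_atoms(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (type, payload) for each top-level atom of a QuickTime/MP4 container.

    Handles the 32-bit size, the 64-bit extended size (size field == 1) and the
    'to end of file' size (size field == 0). On a truncated or corrupt size the
    atom type the header claims is still reported, then walking stops, so a
    damaged movie is not waved through just because its sizes do not add up.
    """
    offset = 0
    while offset + 8 <= len(data):
        size, atype = struct.unpack(">I4s", data[offset:offset + 8])
        header = 8
        if size == 1:
            if offset + 16 > len(data):
                yield atype, b""
                return
            size = struct.unpack(">Q", data[offset + 8:offset + 16])[0]
            header = 16
        elif size == 0:
            size = len(data) - offset
        if size < header or offset + size > len(data):
            yield atype, data[offset + header:]
            return
        yield atype, data[offset + header:offset + size]
        offset += size


def looks_like_quicktime(data: bytes) -> str:
    """Return 'qtl' or 'movie' when the content is QuickTime material, else ''."""
    if QTL_MARKER in data[:4096].lower():
        return "qtl"
    for atype, payload in iter_atoms(data):
        if atype == b"moov" or (atype == b"ftyp" and payload[:4] == b"qt  "):
            return "movie"
    return ""


def is_upload_allowed(data: bytes) -> bool:
    """Decide on the bytes alone; the file name and declared MIME type are not trusted."""
    return looks_like_quicktime(data) == ""


def atom(atype: bytes, payload: bytes = b"") -> bytes:
    """Construct an atom with a 32-bit size header (used to build test data)."""
    return struct.pack(">I4s", 8 + len(payload), atype) + payload


# Constructed samples: a minimal MOV, a movie without 'ftyp', a media link, a JPEG.
SAMPLE_MOV = (atom(b"ftyp", b"qt  " + b"\x00\x00\x00\x00" + b"qt  ")
              + atom(b"moov", atom(b"mvhd", b"\x00" * 100))
              + atom(b"mdat", b"\x00" * 16))
SAMPLE_MOV_NO_FTYP = atom(b"moov") + atom(b"mdat", b"\x00" * 16)
SAMPLE_QTL = (b'<?xml version="1.0"?>\n' + QTL_MARKER + b"\n"
              + b'<embed src="movie.mov" autoplay="true"/>\n')
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64

if __name__ == "__main__":
    for label, blob in [("mov", SAMPLE_MOV), ("qtl", SAMPLE_QTL), ("jpeg", SAMPLE_JPEG)]:
        print(label, "allowed" if is_upload_allowed(blob) else "rejected")
```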


Yet another Word vulnerability Posted by Patrik @ 02:34 GMT

Last week we posted on a new vulnerability in Word. Today, the Microsoft Security Response Center reported on yet another Word vulnerability.

New MSWord

The new vulnerability affects Word 2000, 2002, 2003, and Word Viewer 2003 but not Word 2007. The vulnerability allows a malicious person to automatically execute code on the target machine when a DOC file is opened, so it's very similar to most of the other Word vulnerabilities we've seen during 2006. As it is actively being exploited, although the distribution so far is very limited, and there is no patch available we can only continue to use the same workaround as previously recommended – not to open or save any DOC files from untrusted sources or files that you have unexpectedly received from sources you trust.


Friday, December 8, 2006

Weekend Reading - December 8th Posted by Sean @ 14:19 GMT

ScienCentral News produced today's reading. The topic is that of Mobile Phone Malware. There's also a link to a video segment in which you can see our lab. You'll find the story here.

ScienCentral News works in collaboration with The Center for Science and the Media and ABC News. This particular story came about due to Mikko's eight-page article in November's Scientific American. The article even included a comic showing the spreading logic of MMS viruses. - Anatomy of Attack

A free preview of the article can be found at If you don't find it on your newsstand, you're sure to find it in your local library.

Have a good weekend folks,


Word hole will remain open Posted by Patrik @ 02:39 GMT

Microsoft just announced the patches that they will release on Tuesday the 12th. And as we feared, the Word vulnerability disclosed earlier this week will not be fixed. Looks like we'll have to not open or save Word files from untrusted sources, or unexpectedly received from trusted sources, for another month. No one sends DOC files in e-mails anyway, right?

The dropped files we have seen used together with the Word vulnerability are detected as, Trojan-Downloader.Win32.Cryptic.f and Trojan-Downloader.Win32.Tiny.y.

MSADVPatch Dec06

The patches that Microsoft will release are five security patches for Windows where the highest severity rating is Critical. A patch for Visual Studio with a severity rating of Critical will also be released. In addition, 14 non-security related patches will be released.

Thursday, December 7, 2006

Mobile Phone Spam Posted by JP @ 14:50 GMT

The lab is receiving numerous reports of SMS spam in Europe. The reports have come in over the last few days and it looks to be a very interesting case. The SMS arrives with a URL that can only be accessed via a WAP gateway. Putting the URL into a computer's web browser returns a page declaring that the service is unavailable. The URL in the SMS is also tied to the phone's number, so only that phone can use the link. Forwarding the message to another phone renders it inaccessible.

While new to phones, this stuff looks like typical spam found on PCs and includes offers for free stuff. Example: download a free ring tone. Or at least the first one is free. Reading the download agreement carefully shows that more downloads will be pushed weekly thereafter at a cost of €2 each. Receiving SMS messages doesn't usually cost the phone user; responding to these will…

Also interesting to note is the localization. We have found several examples in German and we ourselves have received this type of spam in Finnish. Searching Yahoo! yielded a few cached examples in English. The spam's links point to — registered to a German address. Searching for discussions online shows that German speakers received some of these messages a couple of months ago. We think this must have been "beta" testing.

Here we have some examples of the Finnish Spam:

Mobile Spam 1

Mobile Spam 2

Mobile Spam 3

Mobile Spam 4


Guardian comments on ".bank" gTLD Posted by Mikko @ 09:48 GMT

The Guardian
Today's Guardian has a story about a topic we raised last month: how come museums have a secure, restricted .museum top-level domain but banks don't have .bank?

You would think that banks get phished via fake look-alike domains much more than museums do.

"There are no safeguards whatsoever against someone registering a domain name and using it for nefarious purposes," says Richard Martin, a business security consultant at the UK clearing bank group Apacs. Barnaby Davis, director of electronic banking for Barclays, says: "We're well past the tipping point when something needs to be done that makes it harder to register URLs or makes the consequences for misuse harsher."

Full story here.






Wednesday, December 6, 2006

Hole in Word Posted by Patrik @ 00:21 GMT

Microsoft has just released a security advisory about a new zero-day vulnerability found in a bunch of versions of Word and Works: MSW 929433

  • Word 2000
  • Word 2002
  • Word 2003
  • Word Viewer 2003
  • Word 2004 for Mac
  • Word 2004 v. X for Mac
  • Works 2004
  • Works 2005
  • Works 2006

So far the use of this vulnerability is limited and we're monitoring the situation. Interestingly enough, this vulnerability wasn't found the day after Microsoft's Patch Tuesday, which has been the case for most of the other Office vulnerabilities found during 2006. Let's just hope Microsoft can get this fixed in time for the next batch of monthly patches, which is due on the 12th of December.

In the meanwhile, we can all follow this useful workaround suggested by Microsoft: Do not open or save Word files that you receive from untrusted sources or that you receive unexpectedly from trusted sources.

Tuesday, December 5, 2006

An open letter to domain registrars Posted by Mikko @ 12:26 GMT

DEAR DOMAIN REGISTRARS, I know you are in the line of business of registering domain names for people who need them. However, are you sure you want to allow people to register any domain name? Even when the name is obviously going to be used for phishing? Like, say, somebody trying to register a .com domain with the words

AVAR 2006 - Auckland, New Zealand Posted by Kimmo @ 10:08 GMT

AVAR2006 and Peter Ferrie

Greetings from AVAR 2006, which this year was held in Auckland, New Zealand! The conference was excellent, lots of interesting topics and the place was perfect. New Zealand is a truly beautiful place and the people are nice and helpful. I also had a chance to meet some of the old stars, including Peter Szor. Unfortunately, I forgot to bring my copy of "The Art of Computer Virus Research" with me to get it signed. Well, maybe some other time then…

The picture is from Peter Ferrie's presentation about attacks on virtual machine emulators. It explained known and new tricks to detect the presence of different virtual machines and also some newly discovered attacks against them.

I also had a chance to present my paper about kernel malware explaining what they are, how they work, and what makes their detection and removal challenging.


Monday, December 4, 2006

Data Security Summary - July to December 2006 Posted by Sean @ 15:26 GMT

July to December 2006

It's the end of the year and once again time for our semiannual data security summary. Mikko's video is ten minutes in length on this occasion. Ten minutes just happens to be within the limits to upload onto YouTube…

The written wrap-up is available here, and the page includes a variety of video formats as well as audio.


Saturday, December 2, 2006

New MySpace worm using a Quicktime exploit Posted by Mikko @ 20:52 GMT

We were contacted tonight by a user who pointed out that several of his friends have had their MySpace profile page modified.

The case looked like simple MySpace phishing, but it wasn't obvious to us how the profiles were modified. After investigating a bit further, it seems that we have a MySpace worm on our hands, using a malicious Quicktime MOV file to spread.

Infected MySpace pages are easy to find. They've had their standard MySpace header replaced with a new one:


The links here do not point to MySpace like they should. Instead they point to four different sites, hosting MySpace look-alike pages:



When you visit an infected page with IE, an embedded MOV movie file ( will be downloaded. The MOV file contains a Javascript snippet that will download a Javascript file (js.js) which will modify YOUR MySpace profile (if you have one). After that, everybody who visits your MySpace profile gets hit too.

The final target seems to be to steal MySpace logins in mass quantities.

The infected files are hosted on several different sites, including:,, and

We've seen two different versions of the malicious Quicktime file. We detect them with updates 2006-12-02_01 as JS/Quickspace.A.

More on this case from a blog entry at SpywareGuide.




Friday, December 1, 2006

Weekend Reading Posted by Sean @ 14:17 GMT

S.G.Masood - Photo by Taneli Kaivola

S.G. Masood, our resident Phishing Researcher, is a contributor to Biztech magazine — a property of CDW.

The articles are targeted to the IT managers that buy from CDW. So the technical level is suitable for those of us not in research. "They are more prescriptive than descriptive."

 11.2006 — Protect Your Assets from Search Engines
 09.2006 — Never Heard of XSS?
 03.2006 — You've Got Phish