F-Secure Virus News

Over the last days, we've received reports of corporate networks getting infected with various variants of MS08-067 worms. These are mostly Downadup/Conficker variants.

The malware uses server-side polymorphism and ACL modification to make network disinfection particularly difficult. A sign of infection is that user accounts become locked out of an Active Directory domain as the worm attempts to crack account passwords using a built-in dictionary. When it fails, it leads to those accounts being locked.

We have detailed information about the malware functionality in our Downadup.AL description.

We also have a separate tool available to assist in disinfecting. The tool is available from here.

We also recommend system administrators to block access to web sites used by the worm. The sites keep changing, but the current domains to block are:

64.70.19.33
acqggcq.cn
adbsq.net
akgjmdzx.cc
bclaxb.cn
bdjtrpaav.cc
bdrmppudqh.cn
boirczdikw.com
bpufhbvqwjs.com
bwocsfviu.net
bwtrd.net
bxtopike.ws
ccgdllgwk.info
ccolbxdud.com
cdbhi.cn
cffcipqz.biz
ciopicmfq.info
cjeyj.com
crikr.cn
dbizknbfyv.cn
dckhrrqh.com
djthknbtxe.cc
dkvjxac.info
dphxqdpp.cn
drykouwoa.com
dugnyfnxky.com
dwikmnmhx.org
esujw.cn
eufiwwkplyc.cn
evtwdavi.net
evuqysnc.cc
ezkhbz.org
fhchak.org
fhioqvpdpg.info
fhoptkn.org
fjxkmq.ws
fnmhkizip.ws
fnopiz.cn
fnxklfyxdy.com
gdneutxoi.cc
girirvjy.org
govagjcasyo.cn
gqjgx.cn
gwfnepcus.ws
hbkbc.biz
hpmhoassp.org
hrmwzqif.com
hwmggrmzdsw.biz
hxhpc.org
ibifq.ws
icbabdoo.org
igggellu.ws
imaexvlmjn.org
ipuuulsw.com
itiuuv.cn
itzbanmjbds.ws
iuqmklmklbw.ws
jfqlrlgf.biz
jilpumzn.ws
jjdifsh.net
jnfcmmuhfum.ws
jpgflwtu.net
jqlmcfmdua.info
jqmdyemnd.cn
jufwmttx.net
jzvpspdcv.cn
kbrlxkiohfb.org
kcawyfgl.ws
kkvugfb.biz
knpfuq.cc
ktveyekd.cn
kuikq.org
kxsmffcsh.biz
lejhfcdm.biz
leyloenk.cc
lmcrkcuu.net
lrkewik.net
lrwnqgoj.biz
memsvr.com
miyga.biz
mmprans.ws
mxvrtq.net
nhmgtrmka.org
nmdrr.com
nqnmjn.org
nwczso.cc
nykyhzap.cc
oawtwovet.cc
oecsw.net
omxzanan.ws
ovqoluqwhf.org
pakzqankxai.ws
pnaeydmg.org
pvfivnqgk.cn
qauaiepfih.ws
qdgvbkpopx.net
qhdefcfkqg.cc
qtjumbvk.ws
quvjfczmd.net
qvuycgw.net
qwwnsrgii.cn
qxdzbtgok.org
rcoesjhoii.info
rrtvw.org
sedueat.cc
siirkijx.cn
sjarftss.biz
snytwwp.cc
srfvt.com
srtbuvesjmy.org
thzydzvunfk.biz
tlxzjjlmk.org
tmegbpwamyr.ws
tnaqhezhswk.biz
tsamlnes.cc
txibddqtpuj.cc
udthrjtx.cc
udyxa.info
uikrzcuzw.com
uuuwlcpzi.cn
vbvvhgs.net
vfdjkunysp.cn
vhegpqfiga.cc
vlfgk.info
vrfouwsk.net
vuvjptke.org
vxuiwtpqc.info
vxuuur.biz
wagwovomnj.net
wbpciauakl.ws
wdgeaqrhk.net
weekax.cn
wpnmravf.cc
wycqkpn.cn
xakcypzbj.org
xbrpaahhcjl.org
xbtqz.com
xfpzmkcl.cc
xgdgxusdq.org
xihpmics.net
xrbczsuyw.com
xyywekmbuuq.net
yagcjzafet.cn
yjbslycn.org
ykzoap.cc
yrmek.cc
yrmvbwbzlt.ws
yryxdaecqwa.info
ysuxkcv.com
ywictoyhzeu.ws
zdjmcwcknwn.biz
zfrcc.org
zjcmnmrpwdp.info
zrfdubsgmuq.net
ztyshleh.biz

We'll update this list as needed.

On 06/01/09 At 06:15 PM

We did some co-operation recently with a company called Clarified Networks. Some of you might remember them as the guys who did the *wow* visualization of the Kaminsky DNS hole for his Black Hat presentation.

So we collected some botnet data and asked them to visualize it.



The end result is a quite nice animation.

You can get more info and the actual end result from their blog at www.clarifiednetworks.com.

On 05/01/09 At 04:56 PM

Those of you that missed the Helsinki University of Technology's malware analysis and anti-malware technologies course in the Spring of 2008, have the possibility to participate during Spring 2009.

The course curriculum is pretty much the same as it was last year and so are most of the lecturers. One notable addition will be more focus on Windows kernel malware. Kimmo Kasslin will be lecturing on the topic and there will be some homework fun on it as well.



Please check out the course pages, slides, and assignments from Spring 2008 to get an idea of what the course is all about.

Course web pages for 2009 are already available but still incomplete; students can already enlist, though.

On 31/12/08 At 12:10 PM

Our post from yesterday mentioned a video demonstration coming soon.

It's online now and you can find it from our YouTube Channel.

The video highlights the symptoms experienced on exploited phones; it doesn't show how to perform the attack. The attacking phone has been kept off screen. (It isn't difficult to find the CCC video at this point.)



The "Curse of Silence" was disclosed to several telecommunications operators about seven weeks ago and we were brought into the loop a few weeks later. The timing has been a real pain in the neck for those of us in the lab. We'd rather be researching something else or enjoying a relaxed holiday than dealing with a detection for an exploit that will mostly likely be used by jealous boyfriends.

Still, it is a safe bet that the Curse will be used to harass people, so support personnel should know what to look for.

On 31/12/08 At 12:09 PM

Addendum to our earlier post, Fake Friendster and Facebook Sites with One IP Address:

A lot of Friendster users have been complaining about receiving lots of invitations to view a fake video from their contacts (who presumably would not usually send malicious content to their friends).

Here is an example of such an invite, from a known contact:



So how are the spammers getting access to the contacts lists?

Well, as we mentioned in our earlier post, a phishing site that mimics the real Friendster site steals the user's e-mail address and password information. Once the bad guys have that information, they can use it to access the account, and then use the account to start spamming malicious links to all contacts. Simple and effective, really. Users receiving these messages from a contact are more likely to disregard caution and click on it.

This particular link leads the user to the legitimate domain, files.myopera.com, and a file named video.gif. But wait — to check the contents of the file, try using view-source (in Firefox). As it turns out, users will be redirected to a malicious, fake video site.



Of course, the new site will prompt users to "update the video player" with a certain file in order to view the video.



The file the site would like you to download is cunningly named setup.exe, we detect it as net.worm.win32.koobface.dd — a worm that, incidentally, also spreads on social interaction websites.

As usual, beware of clicking any URL links, whether from a known or unknown sender. Don't forget to change your Friendster account password regularly to avoid abuse.

On 31/12/08 At 06:51 AM

An easily reproducible SMS exploit was disclosed and demonstrated today at the 25th Chaos Communication Congress (25C3). The exploit is effective against a wide range of Symbian S60 smartphones and will effectively prohibit victims from receiving SMS messages.

The Chaos Communication Congress is a popular event among international "hacker" enthusiasts. It has been organized by the Chaos Computer Club since 1984, has been held in Berlin since 1998 and typically takes place between December 27th and 30th.

Today's Security Nightmares 2009 presentation included a demonstration of the Curse of Silence exploit, which was researched by Tobias Engel of the CCC.

According to Engel's research, the exploit affects the messaging components of Nokia Series 60 phone versions 2.6, 2.8, 3.0, and 3.1. Our own tests determined that Sony Ericsson UiQ devices are vulnerable as well.

Versions 2.6, 2.8, 3.0, and 3.1 are also better known as S60 2nd Edition, Feature Pack 2; S60 2nd Edition, Feature Pack 3; S60 3rd Edition (initial release); and S60 3rd Edition, Feature Pack 1 respectively.

That's a lot of numbers…

S60.com has a handy comparison view of many Series 60 phones.



According to Engel's research, the vulnerable phones fall into two camps: S60 versions 2.6/3.0 (2FP2/3) and versions 2.8/3.1 (2FP3/3FP1). That's still too many numbers, so let's just select two phones.

Nokia 6680 — 2nd Edition, Feature Pack 2
Nokia N95 — 3rd Edition, Feature Pack 1.

The vulnerability is very simple to exploit via an SMS message. No special software is required and the message can be drafted from a large number of phones. The message just needs to be formatted in a particular way. (We will not provide exact details here.)

What happens when a vulnerable phone receives the exploit message?

Example 1 — on the older 6680 nothing happens. Nothing at all… The first exploit message is enough to crash the SMS messaging service. It is a completely silent attack and there are no hints of trouble presented to the victim. The phone will simply stop receiving SMS (as well as MMS) messages.

Click here to see some of the phones that fall into the 6680 example's category.

Example 2 — on the newer N95, nothing will happen until several messages have been sent by the attacker. Then, once the critical limit has been reached, the phone will prompt an alert: "Not enough memory to receive message(s). Delete some data first."



The attack messages will not be visible from the Inbox, and deleting previously received messages will not resolve the problem.

There will also be one additional notification on the N95. A blinking envelope, indicating that the Inbox is full, appears in the upper right-hand corner of the display.

Turning the N95 off and on again may return some limited functionality, but that functionality is very fragile. One multi-part message was enough to completely disable our test phone's SMS/MMS service, at which point even cycling the power did not help.

Click here to see some of the phones that fall into the N95 example's category.

Exploited phones will remain otherwise completely functional; only the SMS/MMS messaging is affected. Practically speaking, this also means no SMS notifications of voicemail, though the phone log will display the missed call.

A firmware fix is not yet available. Performing a hard-reset is the only manual solution. And backing up the phone also backs up the exploit messages and the damaged messaging service.

Shameless self-promotion begins:

However — Engel practiced reasonable disclosure, which is why we have had time to test the exploit ourselves before today's CCC demonstration. Our Mobile Security solution will detect the exploit and can repair affected phones.

The exploit is detected as Exploit:SymbOS/SMSCurse and Mobile Security is capable of repairing exploited phones so that it will not lose any messages. Messages that have been sent while the messaging service is jammed will of course be lost.

Hopefully this exploit will not be widely used. We don't see much of a profit motive after all. Still, there were thousands of participants at this year's CCC and many of them saw the demonstration. As easy as it is to utilize the Curse of Silence, someone will surely try this for harassment…

A free seven day trial of Mobile Security can be directly download to phones from here.

 

We will have a video demonstration available soon.
Update: Info on the video is here.

On 30/12/08 At 03:34 PM

A few weeks ago, I received the following Instant Message:



Was it some kind of clever social engineering IM-worm?

Nope — It was just Mikko sharing a link that he found from Alex Eckelberry.



Even though I was sure, I still called out across the room to confirm that he had sent the link…

That's just one of the habits that's reinforced when working in the Response Lab.

 

Stay safe during the holidays. See you next week.

Signing off,
Sean

On 24/12/08 At 12:13 PM

Our File Analysis Team — they collect non-malicious files — came across an interesting case yesterday. Dzul Aiman was researching available driver downloads from Acer's Taiwanese (.tw) site and discovered something out of place. Maybe the site was hacked?

The list for WindowsXP Desktop drivers…



…included "nc.exe". That's a bit suspicious, don't you think?



That's probably a "driver" that you don't want to download. (Though it was probably Net Cat, it still shouldn't be there… it's not a trusted source.)

The team e-mailed Acer and the issue seems to have been resolved promptly.

So, even those that aren't looking for trouble may still find it. Stay vigilant.

On 19/12/08 At 05:14 PM

A mildly amusing sample came in today.

The sample itself is a very simple Visual Basic application. When executed, the unlucky recipient is shown this message:



Clicking the "Warning" button will play an alarm sound over the computer's speakers. Clicking "FBI" will close the form.

The sample also launched the default browser and opened the page www.fbi.gov – the legitimate FBI website.

Other than that, it seems to have no malicious intent and may have been a prank.

Seems rather old-fashioned, considering today's more monetized threat landscape.

Response team post by — KM

On 19/12/08 At 07:03 AM

There are some new developments on the mobile security front. Spy tool applications are now available for Apple's iPhone. Symbian and Windows Mobile spy tools have been around from two and a half to almost three years.

Now it would seem that it's finally the iPhone's turn.

One of the two spy vendors appears to require a jailbroken iPhone. They also claim to be the "first and only" spy software. If only that were true. Their application can be installed on 3G model iPhones.



…and on December 21st, a second option will be available. This vendor's comparison chart claims quality and features over costs.

Note that their application lets you "secertely" spy.



It doesn't seem entirely sure based their promotional promises, but it appears that vendor number two may be able to jailbreak, install, and then un-jailbreak the iPhone during its installation. It can be installed on older iPhones as well as current.

We wonder what Apple's position on this will be; will they do anything about it? What do you think?

We won't bother providing these spy vendors with a backlink to our weblog, so if you want to see more, use the addresses in the image below.

The first link in the set is a blog, not a vendor.

On 18/12/08 At 03:44 PM

Just in case you were distracted by yesterday's Internet Explorer update; there are some other browser updates that you should be applying.

Both Mozilla Firefox and Opera have vulnerabilities that should be patched.



See our Vulnerability Reports for Firefox 3.x and Firefox 2.x.



Our report for Opera 9.x is located here.

On 18/12/08 At 01:07 PM

A quick update to our earlier post about the recent critical vulnerability (MS08-078) in all available versions of Internet Explorer — Microsoft has released an update patch for the vulnerability. More information, including the patch, can be found here.

There have been a number of reports citing thousands of websites (both intentionally malicious and legitimate but compromised) exploiting this vulnerability. You can read more at BBC News and The Register.

Everyone is strongly encouraged to download and apply the patch without delay.

On 18/12/08 At 02:22 AM

Our previous post highlighted a recently disclosed vulnerability which exists in Microsoft Internet Explorer… and that there are currently websites hosting exploits targeting the vulnerability. Today our Vulnerability Response team would like to offer you our Security Labs' solution, which is now publicly available for download.

We call it Exploit Shield.

Exploit Shield protects against exploits both responsively and proactively. It has both shields and generic heuristics that monitor for and block suspected malicious activity. It logs attack attempts; and will also report suspicious URLs to our Real-time Protection Network1. New shields are delivered via our automatic update channel servers.



Vulnerability Shields offer "Patch-equivalent protection". Our Vulnerability Analysts, primarily based in Kuala Lumpur, publish vulnerability advisories and detections (used by our Health Check2 service). The Vulnerability team then uses the analysis to create exploit shields. The shields utilize either a hotpatch or else will disable the vulnerable ActiveX plugin.



This is what shield details look like:



The Proactive Measures currently block suspected malicious activity in Internet Explorer and Mozilla Firefox. This component of the beta monitors for heuristic behavioral techniques common to many types of exploits. We've tested the proactive component against a couple of malicious sites targeting the vulnerability, and the attacks have been successfully blocked.



As noted above, Exploit Shield has the option to report malicious websites that are blocked.



What do we do with the reported URL? The Response Lab will use it to respond faster. We have "HoneyMonkey" like systems to collect the exploit samples. Thus we'll have a greater ability to collection exploits and add signature detections to protect all of our customers. Exploit Shield users will help contribute to everyone's protection while remaining protected.

You can download a wmv video by Patrik demonstrating Exploit Shield in action.



—

You will find the download link for the beta on our Labs site.



—

Our Vulnerability Response team has been working very hard during the last few days to make this beta release ready at this time. Remember, it's still in beta, and you can help them by testing and by providing feedback. A big thank you is due to all those involved.

—

Footnote1 The current version of our DeepGuard Technology utilizes cloud-based networking lookups to our Real-time Protection Network. We'll cover that in a future weblog post.

Footnote2 Try Health Check. It's free and assists in updating and patching third-party applications.

On 17/12/08 At 10:45 AM

Updated to add: Microsoft has announced that they will be releasing out-of-band updates for this on December 17th.

Zero-day exploits are actively targeting an unpatched Internet Explorer vulnerability.

Microsoft recently expanded their Security Advisory 961051 to include all versions of Internet Explorer. The vulnerability was originally thought to only affect IE7.

As you can see, it's now a very long list of related software:



There are a number of (perhaps cumbersome) workarounds that may provide some mitigation:



More bad news, SQL Injection attacks are being used to hack legitimate websites in order to host exploits, turning trusted sites into malicious exploit hosts.

You can read additional details at Security Fix and eWeek.com.



Someone in the eWeek advertising department is trying to tell you something.

…and a tip of the hat goes to Camillo for providing the subject line to this post.

On 15/12/08 At 06:21 PM

One IP address that provides twice the fakery…

We spotted this fake Friendster website at http://friend[...]ter.com. The website steals the e-mail address and password information entered by an unsuspecting visitor who arrives at this page thinking it's the actual Friendster site.



Links to the fake website are propagating through malicious comments sent from the compromised accounts of friends in the Friendster network. The links are also included in the infected friend's profile.



Interestingly, on further analysis, the domain http://friend[...]ter.com also pointed to a fake Facebook page as its main page!



This fake domain was registered recently in China, and is hosted in China as well. We traced the IP address and noticed that it was hosting quite a few other fake social networking websites — MySpace, Friendster, Facebook, et cetera.





WebSecurity team post by — Chu Kian

On 15/12/08 At 02:20 AM

The AVAR 2008 conference is in full swing in New Delhi. Almost all antivirus companies are represented in this global conference.

Recent terror attacks in India were fresh in memory and indeed the conference was started with one minute of silence to honor the victims.



The terror attacks had an indirect toll on the conference as well, as seven speakers had canceled their trips. The organizers were happy to get replacement talks from the brave Peter Szor (Symantec), Andrew Lee (K7) and Randy Abrams (ESET).

My keynote presentation covered the initiative for "Internetpol" — the need to get better global IT law enforcement in action to really focus on getting online criminals behind the bars.


Photo by Luis Corrons / Panda Security

Other notable presentations included "Exploiting anti-virtualization techniques" by Andrew Lee. Many viruses won't execute if they detect the presence of a virtual machine. Andrew was using this feature against the malware itself by installing a fake VM on a real machine. As an end result, many types of malware wouldn't run at all. Neat.

Eugene Kaspersky also did an excellent overview of the worsening situation. He highlighted how criminals are using business models except here, instead of B2B (business-to-business) we're now seeing C2C (criminal-to-criminal) models.



And Vincent Weafer from Symantec presented their latest research into underground IRC networks and how large scale this is. Over a year, they monitored over 60,000 distinct advertisers on these boards, selling malware, botnets and stolen information.

Another interesting presentation was by Swanand Dattaram Shinde from India's Quick Heal. He spoke about how the local terrorist groups use the Internet for communication, recruiting and propaganda, and even to make online threats. No cases of real cyber-terrorism though.

And here's something you don't see everyday. All electricity got shut down twice during the second day of the conference. Andrew Lee was on stage and he did not miss a beat. He simply raised volume and carried on…



Signing off,
Mikko

On 12/12/08 At 01:48 PM

The video that we mentioned last week is now online.

There's a link from the security summary, or else you can check it out from the lab's YouTube channel.

On 11/12/08 At 05:16 PM

Got a copy of the "Homeview Installer" today which looked harmless enough…

During installation, it runs the user through a series of procedures that look pretty routine.



If I try to cancel the installation at the first screen, it is nice enough to ask me if I really want to continue…



And if I change my mind and install it anyway…







But when installation is "completed successfully", it turns out Homeview isn't really installed.



There's just an uninstaller file that, true enough, really does remove the Homeview folder from the Program Files, and the Homeview-related registry entries.

So it really just came and went without doing anything… Oh wait, it installed Trojan:W32/DNSChanger.ARNF and none of my clicks even mattered.

Crafty little thing.

Just a reminder — do be wary of executing any file you download or receive via e-mail, if you are unsure of its trustworthiness.

Response team post by — Christine

On 11/12/08 At 05:20 AM

As Christine mentioned earlier today in her post regarding Koobface and how it uses fake Flash players to trick people into downloading malware, a smart move is to only download Adobe Flash player from… Adobe!

Here's another example of a social engineering scam, this time using a new Bank of America online banking system.



Clicking on the link leads to a fake BoA page with a "video" showing what the new site looks like. To view you have to download the updated Flash player.



If you run the fake Flash player it downloads another file from premierinet.com which in turn is a trojan that hides itself with a rootkit, steals confidential information and posts it to a server in Ukraine.

Again, we recommend that you only download Adobe Flash Player from Adobe's website here.

Updated to add: The fake Flash player that the "BoA" site is providing is a new variant of the one detected on November 5th, used by the Obama election spam.

Both the Obama and the BoA variants post their stolen data to IP addresses within the same block, they're almost identical.

Update 2: Domains we've seen used to host the fake BoA page:

– demobankofamerica .com
– bankamericademo .com
– serverdemobank .com
– demoversions10 .com

Subjects of the spammed e-mails:

Bank of America – Always Free Customer Service Demo Account, Try for FREE
Bank of America – learn how to trade with the Demo Dealer Station below
Bank of America – We Give You The Tools You Need. Try A Free Demo Account!
Bank of America – New Demo Account, Try for FREE
Bank of America – Demo Account Set Up
Bank of America – Demo account
Bank of America – Open A Demo Account
Bank of America – your Demo Account username and passcodes will be generated and emailed to you.
Bank of America – DEMO ACCOUNT not working

On 09/12/08 At 07:22 PM

There's nothing like social networking sites to keep people connected and worms propagating — such as the all new and improved Net-Worm:W32/Koobface.CZ. A little infection equals a little comment in someone's little site somewhere.

This version of Koobface targets the following sites in its body:

– bebo.com
– myyearbook.com
– blackplanet.com
– facebook.com
– myspace.com
– friendster.com

It also has its own site, where it can query for more data, updates and of course the comments that it posts to the targeted websites. The site hosts plenty of comments (and of course the corresponding links) for the worm to use. Here are some of them:

– COMMENT: Are you sure this is your first acting experience?
– LINK: http://finditand .com/go/be.php?0e9c60ch=d41d8cd98f00b204e9800998ecf8427e

– COMMENT: is it u there?
– LINK: http://findit12 .com/go/be.php?e7883ch7=d41d8cd98f00b204e9800998ecf8427e

– COMMENT: impressive. i'm sure it's you on this video.
– LINK: http://find-notall .com/go/be.php?70dd4ch=d41d8cd98f00b204e9800998ecf8427e

– COMMENT: How can anyone get so busted by a spy camera?
– LINK: http://find-allhere .com/go/be.php?50ch=d41d8cd98f00b204e9800998ecf8427e

– COMMENT: You're the whole show! i'm admired with you
– LINK: http://freemarksearch .com/go/be.php?ch23=d41d8cd98f00b204e9800998ecf8427e

Here's an example of one of the comment:



And of course when the person clicks the link, out comes YouTube!



Er, I mean YuoTube... momentary dyslexia there... my bad.



Which of course contains an "update" for your Adobe Flash player, because the site is so sure that your player is outdated. Don't argue with its superior wisdom.

And when you execute that file in your system… well, let's just say you've gone and summoned his older brother — Net-Worm:W32/Koobface.CY.

Response team post by — Christine

On 09/12/08 At 02:19 AM