F-Secure Virus News

F-Secure Antivirus Research Weblog
Weblog of F-Secure Antivirus Research Team

Allaple Virus Author Sentenced

Thu, 2010-03-11 13:10
An Estonian virus writer has been sentenced to jail in Harju, Estonia.

The author of the Allaple virus family, 44-year-old Mr. Artur Boiko, pleaded not guilty.

Nevertheless, he was found guilty and sentenced to 2 years and 7 months in prison.

Allaple is a complex worm using polymorphic encryption. It spreads over network shares and by modifying local HTML files. When such HTML files are uploaded to public websites, they spread the infection further.

Apparently Mr. Boiko had been in a car accident and had ended up in a dispute over his insurance claim with If Insurance. As a result, his worm launches DDoS attacks against these sites:

    www.if.ee           (website of the insurance company)
    www.online.if.ee    (customer online interface of the insurance company)
    www.starman.ee      (website of a local ISP)

The DDoS attacks were quite serious — see this post from ISC Diary in 2007.

We detected several variants of Allaple during 2006-2007. The problem is that this is not a botnet — these worms have no command and control channel. The infected machines will attack their targets until they are cleaned. There are still thousands of active, infected computers today around the world, and they are still attacking. And the worm is still spreading further.


Snapshot from F-Secure interface showing new samples on 11th of March 2010

Boiko was sentenced to prison, where he has already been awaiting his trial for 19 months. He was also sentenced to pay the following sums to cover losses:

To If Insurance: 5.1 million Estonian kroons (about 330,000 euros or 450,000 USD)
To Starman ISP: 1.4 million Estonian kroons (about 91,000 euros or 130,000 USD)

More info (in Estonian) from ERR Uudised

On 11/03/10 At 11:20 AM

Be Savvy, Get Six Months of Internet Security

Wed, 2010-03-10 19:00
F-Secure has an additional blog that launched today. It's called Safe and Savvy.



You'll notice that the name is pink. That's part of our new brand but it also reflects the authorship. Safe and Savvy's contributors are the female employees of F-Secure (mostly).

Hetta, Marja, Annika, Alia, Melody-Jane, (and Jason) have already gotten started.

Read Hetta's latest post to learn about six free months of our Internet Security 2010.





On 10/03/10 At 05:29 PM

Select Your Web Browser(s)

Wed, 2010-03-10 19:00
I wasn't sure I'd see this Browser Choice update:



I set my computer's Regional Options for the United States even though it's physically located in Finland (I'm an American after all).

Regional settings might trump my IP address, I thought… but it seems not. I manually ran Microsoft Update and was provided access to KB976002. Cool.

If you're located outside of Europe and are wondering what this is all about, read this from the BBC.

Microsoft is offering alternative browser options to European Windows users to settle an anti-trust lawsuit. The update component points users to browserchoice.eu — from where they can select from 12 different web browsers.

On a somewhat not completely unrelated note: Microsoft Security Advisory (981374) was published yesterday.

"Microsoft is investigating new, public reports of a vulnerability in Internet Explorer 6 and Internet Explorer 7."

The vulnerability could allow for remote code execution.

Once again, that browser choice link is browserchoice.eu. Share it with your family and friends.

Signing off,
Sean





On 10/03/10 At 05:00 PM

How are ATM skimmers installed?

Wed, 2010-03-10 13:57
ATM skimmers are installed like this:



Video source: Spiegel.de & German Federal Criminal Office (Bundeskriminalamt)

On 10/03/10 At 12:06 PM

PDF Based Targeted Attacks are Increasing

Tue, 2010-03-09 17:48
Microsoft schedules its security updates on the second Tuesday of the month. Adobe recently began following this schedule as well, and while there are no Adobe updates today, there was an out-of-cycle security update two weeks ago.

That update should now be applied if you haven't already done so.

Why?

Because we're now seeing the vulnerability (CVE-2010-0188) being exploited in targeted attacks (Microsoft reports seeing this as well).

Our sample was submitted by a European financial organization and the file name includes a reference to the G20. The exploit drops a downloader and attempts to make a connection to tiantian.ninth.biz. We detect this attack as Exploit:W32/PDFExploit.G.

It doesn't surprise us to see this Adobe Reader vulnerability utilized so quickly.

Looking through our sample management system, we see a growing number of targeted attack files.

There were 1968 files in 2008. The number was 2195 during the year 2009. That isn't a very large increase in the overall total from 2008 to 2009, but we did see a greater percentage targeting Adobe.

And how about the first two months of 2010?

Well, so far the number is 895, which will more than double last year's number if the current pace continues.

The percentage targeting Adobe Reader continues to rise.

Here's a graph with a breakdown of the most common attack vectors used in targeted (espionage) attacks:



Updated to add: A couple of readers noticed that our graph's 2009 percentages were slightly off — it's been corrected.

On 09/03/10 At 03:30 PM

Darkmarket Avatars

Mon, 2010-03-08 12:32
As "JiLsi" — one of the online criminals from Darkmarket — was sentenced last week to almost five years in prison, we have received some media queries on the case.

In particular, one journalist wanted to know what JiLsi (aka Renu Subramaniam), Matrix001 (aka Markus Kellerer) and Cha0 (aka Çağatay Evyapan) looked like when they were posting to the Darkmarket forum.

So I went back to my notes and dug up example posts from the guys, complete with their avatar icons. Perhaps these are interesting for our blog readers too.









Cheers,
Mikko

On 08/03/10 At 11:19 AM

Desperate Phishing Attempt

Sat, 2010-03-06 01:10
Somebody is trying to pose as us. If you see an email like the one below, please ignore it:

     From: security@f-secure.com
     Reply-To: securitysupport@hotxf.com
     Subject: Security Maintenance.F-Secure HTK4S
     Date: Fri, 5 Mar 2010 18:11:05 -0000
     To: undisclosed-recipients:;
     
     Dear Email Subscriber,
     
     Your e-mail account needs to be improved with our new
     F-Secure HTK4S anti-virus/anti-spam 2010-version.
     Fill in the columns below or your account will be
     temporarily excluded from our services.
     
     E-mail Address:
     Password:
     Phone Number:
     
     Please note that your password is encrypted
     with 1024-bit RSA keys for increased security.
     
     Management.
     
     Copyright 2009. All Rights Reserved.


Before you ask: No, we've never heard of "F-Secure HTK4S anti-virus" either.
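The quoted message carries the classic tells of credential phishing: a Reply-To domain that differs from the From domain, an undisclosed recipient list, a form asking for a password, and a threat of losing service. The checker below is an added example (not F-Secure's code) that runs those checks over the message quoted above; the header names and regexes are generic, and the sample message is the one from this post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The message quoted in the post, reproduced here as the sample input.
SAMPLE = """\
From: security@f-secure.com
Reply-To: securitysupport@hotxf.com
Subject: Security Maintenance.F-Secure HTK4S
Date: Fri, 5 Mar 2010 18:11:05 -0000
To: undisclosed-recipients:;

Dear Email Subscriber,

Your e-mail account needs to be improved with our new
F-Secure HTK4S anti-virus/anti-spam 2010-version.
Fill in the columns below or your account will be
temporarily excluded from our services.

E-mail Address:
Password:
Phone Number:

Please note that your password is encrypted
with 1024-bit RSA keys for increased security.

Management.

Copyright 2009. All Rights Reserved.
"""

# Form-style prompts that a legitimate vendor never asks you to mail back.
CREDENTIAL_PROMPT = re.compile(r"^\s*(password|e-?mail address)\s*:", re.I | re.M)
# Pressure language: comply now or lose the account.
THREAT = re.compile(r"\b(excluded|suspended|terminated|closed|deactivated)\b", re.I)


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if there is none."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower() if "@" in address else ""


def phishing_indicators(raw_message):
    """Return human-readable reasons why this message looks like credential phishing."""
    msg = message_from_string(raw_message)
    reasons = []
    sender, reply_to = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    if reply_to and reply_to != sender:
        reasons.append("Reply-To domain %s does not match From domain %s" % (reply_to, sender))
    if "undisclosed-recipients" in (msg.get("To") or "").lower():
        reasons.append("sent to undisclosed recipients rather than to you by name")
    # Only plain single-part bodies are inspected in this example.
    body = "" if msg.is_multipart() else msg.get_payload()
    prompts = sorted({p.lower() for p in CREDENTIAL_PROMPT.findall(body)})
    if prompts:
        reasons.append("body asks you to fill in: " + ", ".join(prompts))
    if THREAT.search(body):
        reasons.append("body threatens loss of service unless you comply")
    return reasons
```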





On 05/03/10 At 10:26 PM

The Morphing PDF

Fri, 2010-03-05 08:02
Just when we thought SEO using Flash was as interesting as SEO poisoning can get, it seems it's getting even sneakier…

Imagine a PDF file posted by someone evil online. Of course, Google being Google, the file is recognized as a PDF.



And when we open it, it really is a PDF. No evil code inside, just a good old vanilla PDF file.



Three hours later… Google still says the file is a PDF. Brod (one of our geeky guys here) is attributing this to Google's cache.



But is it really a PDF this time around?



It morphed! And it even has different topics this time. Topics which, when you follow them, will lead you to another PDF:



At least for a few hours before it becomes…



It's a vicious cycle, but a pretty neat trick. Who would suspect a non-malicious PDF file right? At least before it becomes an HTML file. And the end result is a rogue antivirus scam.

Response post by — Christine and Mina

On 05/03/10 At 07:00 AM

SEO Poisoning Sites Use Flash for Redirection

Thu, 2010-03-04 11:49
Another day, another piece of news, and well… another SEO poisoning stint.



Using PDF files in SEO poisoning is recent, but not exactly fresh news. So we were thinking of just adding the malicious URLs to our Browsing Protection and creating detections for the corresponding files… Then, we saw something:



Ok, could be a one time thing, so we checked the other sites:



And in the usual geeky fashion in the lab… we got excited.

When decompressed, the SWF contains this:



Since a lot of websites use SWF, most users have already installed Flash support in their browsers, thereby also enabling support for the malware behavior.

The SWF is of course the key to getting to:







It seems that the bad guys want the malicious URLs to be hidden inside the SWF.

Perhaps it makes them sleep better at night thinking that their sites won't be discovered very soon.

The malicious URLs are now blocked via our Browsing Protection and malicious files are detected.
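To find the redirect target hidden in a SWF like the ones above, an analyst decompresses the file and reads the ActionScript getURL action out of it. The extractor below is an added example (not F-Secure's tooling): it handles the FWS/CWS header, walks the tag list, decodes ActionGetURL records inside DoAction tags, and also greps the decompressed body for any URL-looking string; the sample SWF and the example.invalid URL are constructed for the demonstration.

```python
import re
import struct
import zlib

# Any http(s) URL made of printable ASCII, searched over the whole decompressed body.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
DO_ACTION = 12          # SWF tag code for DoAction (ActionScript 1/2 bytecode)
ACTION_GET_URL = 0x83   # ActionGetURL: NUL-terminated URL, then NUL-terminated target

def swf_body(data):
    """Return the uncompressed SWF body after the 8-byte header (FWS or CWS only)."""
    sig = data[:3]
    if sig == b"FWS":
        return data[8:]
    if sig == b"CWS":                         # zlib-compressed from byte 8 onwards
        return zlib.decompress(data[8:])
    if sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (ZWS) is not handled by this example")
    raise ValueError("not a SWF file")

def first_tag_offset(body):
    """Skip the FrameSize RECT (5 + 4*nbits bits), FrameRate (2) and FrameCount (2)."""
    nbits = body[0] >> 3
    return (5 + 4 * nbits + 7) // 8 + 4

def iter_tags(body, pos):
    """Yield (tag_code, payload) for each RECORDHEADER until the End tag."""
    while pos + 2 <= len(body):
        header = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = header >> 6, header & 0x3F
        if length == 0x3F:                    # long form: 32-bit length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:
            break

def geturl_actions(payload):
    """Walk an action record list and return (url, target) pairs from ActionGetURL."""
    urls, pos = [], 0
    while pos < len(payload):
        code = payload[pos]
        pos += 1
        if code == 0:                         # ActionEnd
            break
        length = 0
        if code >= 0x80:                      # actions >= 0x80 carry a 16-bit length
            length = struct.unpack_from("<H", payload, pos)[0]
            pos += 2
        data = payload[pos:pos + length]
        pos += length
        if code == ACTION_GET_URL:
            url, _, rest = data.partition(b"\x00")
            urls.append((url.decode("latin-1"), rest.split(b"\x00")[0].decode("latin-1")))
    return urls

def extract_urls(data):
    """Return the getURL redirect targets and every URL-looking string in the SWF."""
    body = swf_body(data)
    found = {"getURL": [], "strings": []}
    for code, payload in iter_tags(body, first_tag_offset(body)):
        if code == DO_ACTION:
            found["getURL"].extend(geturl_actions(payload))
    found["strings"] = sorted({m.decode("latin-1") for m in URL_RE.findall(body)})
    return found

def build_sample_swf(url, target="_self"):
    """Constructed test input: a minimal CWS file whose only content is one getURL."""
    action = url.encode() + b"\x00" + target.encode() + b"\x00"
    actions = bytes([ACTION_GET_URL]) + struct.pack("<H", len(action)) + action + b"\x00"
    tag = struct.pack("<HI", (DO_ACTION << 6) | 0x3F, len(actions)) + actions
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1) + tag + struct.pack("<H", 0)
    return b"CWS" + bytes([8]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
```

Real samples often push the URL through ActionPush constants or build it at runtime, which is why the plain string search over the decompressed body is kept alongside the getURL decoder.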

Response post by — Christine and Mina

On 04/03/10 At 10:06 AM

Another Bot Bites the Dust?

Wed, 2010-03-03 18:42
Remember Microsoft's action against 277 Waledac domains last week? Well, that's one way of going after a botnet…

Another way of shutting down a botnet? Arrest the botmasters!

Three Spanish citizens have been arrested for running the "Mariposa" botnet. The three reportedly have no criminal records and have limited hacking skills. Mariposa is a Butterfly Kit based botnet, and the kit is no longer for sale.

Details are available from the BBC and The Register. Kudos to those involved in the arrests.

On 03/03/10 At 04:43 PM

I'm Feeling Lucky?

Tue, 2010-03-02 18:35
Criminals like to attack the biggest target because BIGGER generally provides a better Return On Investment (ROI). Windows is a good example. Mac is indeed safer than Windows but it isn't necessarily because Mac is more secure. Windows has a larger market share and that equals more potential victims.

How about search engines? What is the biggest search engine on the block? Google — and the bad guys know it. The result?

It's becoming less and less safe to search via Google.

Yesterday, I was testing Internet Explorer 8 and made a typo in the address bar. Instead of update.microsoft.com I used updates.

There is no such domain, so Microsoft Bing kicked in and I ended up with the following search results:



What? No results?!?

So I searched for updates.microsoft.com with Google.



Did I mean update? Yeah, I guess so… Thanks.

Bing's results seemed sort of odd, so I examined the settings and it turned out to be some idiosyncrasy of Finnish-based results.

Changing the settings to the United States produced the following:



Better.

I continued testing Bing. Here's a Bing search for microsoft updates:



84,700,000 results.

Here's a Google search for the same:



90,900,00 results.

But how about something timely? Using Google trends, I found a hot search topic.

Minnesota's appliance rebate program has 5 million dollars to give its citizens for buying energy efficient appliances, e.g. refrigerators.

The program launched on Monday and its web site was quickly overwhelmed; the event generated many searches.

Here's the Bing search for "mn appliance rebate":



25,300 results.

And Google?



31,300 results.

But here's an important difference — I didn't find any harmful links from Bing's results.

Google, on the other hand, had many bad links. This was the sixth result on the first page:



Clicking the link launched a rogue scam:



And then I was given the typical scan scam crap that is so profitable for the bad guys:



The site pushed this file:



It's now detected as Rogue:W32/FakeAlert.LB.

The folks at Google work hard to filter out harmful search results, but it's a difficult task.

The bad guys are constantly working against Google and they often get past its defenses long enough to infect victims. So what can you do to stay safe? Avoid monoculture — try something else.

Because soon enough… Bing just might be the search engine that you want to bring home to your mom.

Google has been around and is simply receiving too much attention from the wrong sorts of guys.

Ask yourself this: Do you feel lucky?



Signing off,
Sean





On 02/03/10 At 04:24 PM

Pwn2Own Interview with Charlie Miller

Tue, 2010-03-02 05:32
Charlie Miller, the Pwn2Own contest winner for two years in a row, gives his take on Internet security. Guess what — your Mac OS is no less vulnerable than its Microsoft Windows counterpart.


Windows 7 or Snow Leopard, which of these two commercial OS will be harder to hack and why?


Windows 7 is slightly more difficult because it has full ASLR (address space layout randomization) and a smaller attack surface (for example, no Java or Flash by default). Windows used to be much harder because it had full ASLR and DEP (data execution prevention). But recently, a talk at Black Hat DC showed how to get around these protections in a browser in Windows.


No operating system and browser is immune to an attack. And, Flash is the bane of security (well, one of them anyway).


In your opinion, which is the safer combination OS+browser to use?


That's a good question. Chrome or IE8 on Windows 7 with no Flash installed. There probably isn't enough difference between the browsers to get worked up about. The main thing is not to install Flash!


The interview was conducted by Matteo Campofiorito at OneITSecurity. You can read the full version here.

On 02/03/10 At 03:42 AM

RSA Conference 2010

Mon, 2010-03-01 18:26
Moscone Center, San Francisco, USA is the site of this week's RSA Conference 2010. It's the world's largest information security industry conference with well over 10,000 attendees. For some perspective on just how big it is: there are 19 different tracks of talks going on at the same time given by 556 speakers.

This year we have three talks being presented by fellows of F-Secure:



Mikko has two presentations, "Case m00p" and "Mobile Malware in 2010".

Antti and Kimmo are presenting "Rootkits in the Real World Today".

Browse through RSA's session catalog here.





On 01/03/10 At 04:56 PM

Analyzing PDF Files

Mon, 2010-03-01 11:24
We've been seeing a gradual shift in malicious PDF file coding (no surprise there, we know malware authors can and do adapt their techniques).

For a long time, we saw malicious PDF files that were simple enough to allow us to readily decipher the intent of the malicious code — shell code, download/execute, drop and load, et cetera.

Now we're seeing more and more complex obfuscation being used, which requires us to break down the PDF file. This can make an analyst's daily life more miserable or interesting, especially as the obfuscation can bypass automated analysis tools and even AV detectors.

One technique I've encountered in the last few months uses Adobe-specific JavaScript objects such as getPageNthWord and getPageNumWords. Here's a screenshot of one example:



Note how it uses old-school-style spacing. Comments in the notepad were added for easier readability.

Anyway, once this is normalized, it becomes something much easier to read and analyze:



An interesting analysis about PDF obfuscation is also available at SANS.
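The normalization step described above can be automated for the common case where the script pulls its strings out of the document text with literal indexes. The following is an added example (not the lab's own tool): it emulates this.getPageNthWord / this.getPageNumWords against a constructed word list, folds the resulting "a" + "b" concatenations, and collapses the old-school spacing; the PAGE_WORDS list and the OBFUSCATED script are constructed stand-ins for the sample in the screenshot.

```python
import re

# Constructed stand-in for the document text: the words Acrobat's
# this.getPageNthWord(0, n) would return for page 0 of a sample.
PAGE_WORDS = {0: ["app", "alert", "Hello", "from", "page", "text"]}

# Constructed script in the style described above: the call is assembled
# from words pulled out of the page, with old-school spacing everywhere.
OBFUSCATED = """
var  n  =  this . getPageNumWords ( 0 ) ;
var  f  =  this . getPageNthWord ( 0 , 0 , true )  +  "."  +  this . getPageNthWord ( 0 , 1 ) ;
var  m  =  this . getPageNthWord ( 0 , 2 )  +  " "  +  this . getPageNthWord ( 0 , 3 ) ;
eval ( f  +  "(m)" ) ;
"""

# Only calls with literal page/word indexes are resolved statically; a call
# driven by a loop variable is left in place so the analyst still sees it.
NTH_WORD = re.compile(r"this\s*\.\s*getPageNthWord\s*\(\s*(\d+)\s*,\s*(\d+)\s*(?:,\s*\w+\s*)?\)")
NUM_WORDS = re.compile(r"this\s*\.\s*getPageNumWords\s*\(\s*(\d+)\s*\)")
STRING = re.compile(r'("(?:[^"\\]|\\.)*")')
CONCAT = re.compile(r'"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"')


def resolve_word(page, index, words):
    """Return the page word as a JS string literal, or a visible marker if absent."""
    try:
        return '"%s"' % words[page][index]
    except (KeyError, IndexError):
        return "/* missing word %d on page %d */ undefined" % (index, page)


def tidy(code):
    """Collapse spacing outside string literals so the script reads like normal JS."""
    parts = STRING.split(code)            # odd indexes are string literals: keep verbatim
    for i in range(0, len(parts), 2):
        part = re.sub(r"[ \t]+", " ", parts[i])
        parts[i] = re.sub(r" ?([.(),;]) ?", r"\1", part)
    lines = (line.strip() for line in "".join(parts).splitlines())
    return "\n".join(line for line in lines if line)


def normalize(script, words=PAGE_WORDS):
    """Inline the page-word lookups, fold "a" + "b" into "ab", then tidy spacing."""
    out = NTH_WORD.sub(lambda m: resolve_word(int(m.group(1)), int(m.group(2)), words), script)
    out = NUM_WORDS.sub(lambda m: str(len(words.get(int(m.group(1)), []))), out)
    previous = None
    while previous != out:                # repeat until no adjacent literals remain
        previous = out
        out = CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), out)
    return tidy(out)


if __name__ == "__main__":
    print(normalize(OBFUSCATED))
```

On a real sample the word list comes from the PDF's page content streams; scripts that compute indexes in a loop need the lookups emulated in a JavaScript engine instead of this static pass.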

Response post by — Zimry

On 01/03/10 At 10:11 AM

This you?? What's the point of phishing a Twitter account?

Thu, 2010-02-25 16:44
We've received some questions regarding recent phishing attacks conducted against Twitter.com.

Tweets and Direct Messages (DM) containing phrases such as "This you??" or "LOL is this you" are linking victims towards a Twitter login phishing page. If the bait is taken and the victim enters their password, Twitter's infamous "fail whale" is displayed and the user is returned to their account. They might not even realize that their account details have been compromised.

Phishing attacks directed against Twitter are not new. But what's the point?

Trust.

Peers within a social network have a greater level of trust amongst themselves.

And so why the recent attacks?

We think it could have something to do with some of the recent search engine deals that have been made.

Yahoo announced that they'll begin to include Twitter's real-time feed into their search results and Facebook is now included in Google's search results.

The bad guys can use social networking trust to enhance their SEO attacks.

Let's take a current hot topic as an example. There are several Twitter results in the image below.



Note: Always be careful when searching for hot topics. This "sea world trainer killed" example is currently being used in SEO attacks and many results will lead directly to scamware.

There's also a Facebook result in the example above. We expect to see fresh phishing attacks against Facebook before too long.

Twitter's Safety and Spam feeds are useful to follow if you have a Twitter account. Twitter's working on the issue now by prompting those that received phishing messages to change their password.

There is a silver lining to all of this…

While social networking trust can be abused, social networks themselves are incredibly responsive to emerging threats.

Check out the latest search results for "This you??". Twitter users are already spreading information to counter the disinformation pushed by the bad guys.

It used to take weeks to stamp out e-mail hoaxes. Now, the issue almost corrects itself as quickly as it is abused.





On 25/02/10 At 03:12 PM

R.I.P. Waledac?

Thu, 2010-02-25 16:44
Microsoft took a stab at Waledac bots last April when they added detection to their Malicious Software Removal Tool (MSRT).

The MSRT is part of their monthly Microsoft Updates package.

Well, this week Microsoft is going after the Waledac botnet en masse, by taking down 277 .com Command & Control servers.



Kudos to Microsoft. We hope this endeavor is successful.

We haven't yet seen a drop in spam or bot samples, but we're waiting and watching.

It will likely take some time for the bodies to stop moving around even though the heads have been cut off.

They are zombies after all…





On 25/02/10 At 02:19 PM

60+ Compromised Sites with SEO Poisoning

Thu, 2010-02-25 08:43
More than 60 websites have been found to be hotbeds for SEO poisoning. Each of these domains host hundreds of possible matches for search keys.

Also, the topics in one domain overlap with that of the other domain, thus making it possible that they will both emerge in the search results. Topics range from the Winter Olympics Luge Crash to the death of Alexander McQueen and even to NASCAR Schedule.

When an unsuspecting user happens to input a particular search key that matches one of those being served by the compromised sites, the search results will be full of malicious links. Moreover, unlike before, when there were only a few rogue links in the results, there are more than 60 this time, and a lot of them are in the top 10. This strategy increases their chances of being clicked by the user.



After the user clicks on the link, a page will open, pretending to scan your system. Afterwards, it displays a supposed system infection and offers a "solution"…



If you execute it, you welcome a Rogue downloader onto the system…



And afterwards, the rogue itself…



Rogue distribution seems to be playing the numbers game. The more websites they can compromise, and the more search keys they employ, the more chances of getting their webpages matched en route to getting the scamware onto the user's system. It's pretty devious, and it seems to be working.

F-Secure Browsing Protection already protects users from visiting these compromised domains and the subsequent malicious sites they redirect to.

Response post by — Christine and Mina

On 25/02/10 At 07:23 AM

SC Magazine's Five to Follow

Wed, 2010-02-24 18:35
SC Magazine (US) is hosting security blog awards next week at RSA Conference 2010 and our own Mikko Hypponen is among the nominees in the Five to Follow on Twitter category.



Mikko decided to take a look at "this Twitter thingy" last year and has now posted over 900 tweets with more than 5,600 followers.

Here's an example of the type of thing you might find from his feed. Lots of good stuff there…

Here's SC Mag's poll. Be sure to check out the other categories on their front page. Thanks.

—————

Updated to add: The poll is closed. Results will be announced at Tuesday's SC Magazine Awards 2010 gala in San Francisco.

Updated to add: Mikko was voted one of the "Five to Follow". Congrats to Mikko.

All results can be found at twitter.com/SCMagazine.

On 24/02/10 At 05:04 PM

Sprechen Sie SSL?

Tue, 2010-02-23 16:21
Why is it that banking trojans are a problem when all online banks are HTTPS secured and many of them employ multi-factor authentication?

The answer: Humans are not digital.

If we had a network cable attached to our brains, and our brains could decrypt and encrypt SSL, there would be no problem. However, due to the "analog" interfaces which human beings have, a web browser has to decrypt the traffic and convert it into images (text characters, icons, et cetera) and sounds. This means that a malicious application that can modify the browser's memory can control what the user sees, and what he then sends to the bank via in-band communications. It is technically possible for malware to free ride on authenticated sessions with online services and feed or modify transactions.

If malware can modify the memory of the browser, or some other application, it can gain control. This is not just a problem for online banking and not just with malware. For example, current MMORPG games typically do quite a bit of the computation needed on the client side. Not all of this computation is graphics processing. This creates the possibility for cheating in games by patching the client or its memory locally on the host (Greg Hoglund and Gary McGraw have written a book called "Exploiting Online Games: Cheating Massively Distributed Systems [2007]" on the subject). Another good example of this "client-side dilemma" is voting. Imagine sitting at home on your couch while using your web browser to vote in your local/state/national elections. If and when this becomes possible, malware may be used to rig votes.



Today's browser is more powerful than yesterday's OS.

The browser is, for all practical purposes, a terminal of the bank, but it is running in a completely untrusted environment. Actually, you could say that the Browser is the new OS. Since important content is more and more in the cloud and accessed via the browser, malware, in theory, does not have to infect the OS at all. Malware only needs to infect the browser and it will be able to access, steal, and modify all the necessary content. Since most browsers have a cross-platform plugin architecture, it may even be possible to create data stealing malware that is not interested in the operating system or file system at all. It will only exist in memory of the browser.

Currently, banking trojans do infect the OS and are typically only a problem for Windows based systems. Banking trojans and other malware that need to bypass HTTPS security operate within the browser. This is called a Man-in-the-Browser (MitB) attack. If the malware tried to intercept the traffic at a lower OS level, it would already be HTTPS encrypted. This is not a new phenomenon, but nevertheless it is still on the upswing within most malware authors' armories. MitB malware is typically browser dependent and most of it only targets Internet Explorer (and possibly other browsers using the MS WinINet API) and lately also Firefox.

Is safe online banking impossible then?

Aside from keeping your system clean of malware, at least "safe enough" is definitely possible. For example, out-of-band solutions, using an SMS message to review and confirm transactions, provide a good additional layer of security. Some have also suggested using something such as a Live Linux CD when doing online banking.

Alas, both SMS messaging and Live CDs are examples of the old "security versus usability" issue. They're an additional layer of security, but they can also rapidly overwhelm the analog brains of those using them.

On 23/02/10 At 02:18 PM

Do you sign your code?

Mon, 2010-02-22 17:13
The lab has a survey request. As Windows 7 gains market share, code signing is becoming more important for software developers.

A byproduct of more clean code being signed is that malware authors now have greater incentives to get their stuff signed in order to prevent it from being easily distinguished from legitimate software.

With this in mind, we'd like to run a questionnaire aimed at developers who sign their code.

So if you're a Windows developer, we would appreciate it very much if you would care to answer the following short survey.

1. Do you sign your code?
2. Do you have a separate server for signing code, or are you signing on the same computer as you use for development?
3. Are you either signing your files without a password, or have you made a signing batch file that contains the password?
4. Do you browse the Internet, read email, or use your development computer in other activities than just pure development?
5. Do you run antivirus software on your development and/or signing computers?
6. Has your development and/or signing computer ever been infected with a virus or other type of malicious software?
7. What verifications were required when you applied for your signing certificate?
8. Has your signing certificate ever been stolen?
9. Additional comments.

Click here to answer. Cheers!

On 22/02/10 At 03:24 PM