IBM Computer, Laptops and Servers

May 14, 2008 Kuala Lumpur, Malaysia May 14, 2008 F-Secure Corporation, the global leader in providing security as a service through mobile operators and Internet Service Providers, today announced that it has joined the International Multilateral Partnership Against Cyber-Terrorism (IMPACT), with Chief Research Officer Mikko Hypponen representing the company on IMPACT International Advisory Board. laptop battery

The Malaysian IMPACT initiative seeks to establish a unique platform that brings together governments and the international private sector as partners in the global fight against cyber threats. IMPACT will host the World Cyber Security Summit in Kuala Lumpur, Malaysia, from 20 to 22 May 2008, in conjunction with the World Congress on Information Technology (WCIT). In addition to the IMPACT inaugural International Advisory Board meeting, a Ministerial Roundtable will also be taking place. The inaugural IMPACT Summit will be the largest ever gathering of governments, regulators and industry experts on cyber terrorism, with ministers and officials representing over 40 governments invited for the event. thinkpad

e are honored and proud to be part of the IMPACT initiative. We see IMPACT as an important global collaboration and a catalyst against cyber threats. We look forward to contributing to the direction and strategies of IMPACT, said Mikko Hypponen, Chief Research Officer at F-Secure. microsoft

Downloads Press and News Weblog Contacts F-Secure.co.uk Products

Products A-Z laptop computers

F-Secure Products Security Suites

• F-Secure Anti-Virus Small Business Suite
• F-Secure Anti-Virus Corporate Suite
• F-Secure Anti-Virus Enterprise Suite

Inside a malicious flash file - F-Secure Weblog : News from the Lab AddressBanner TitleBanner MAIN INDEX

ARCHIVES ABOUT US SECURITY CENTER SUBMIT SAMPLE FSLABS TUBE LINUX BLOG laptop computer

Thursday, May 29, 2008 desktop computer

Inside a malicious flash file

Posted by Gerald @ 19:13 GMT | notebooks

---

We ve been receiving lots of malicious flash file lately. Most of the flash file that we received has obfuscated shellcodes. lenovo

I stumble on one sample and gave a closer look on it. The obfuscation is simple, it only uses XOR and ADD instruction. Basically, this flash file is taking advantage of the recent 0-day vulnerability in Adobe Flash Player. It downloads and execute a file from the following site: hxtp://www.psp1122.cn/[removed].exe We detect the downloaded EXE file as Trojan-PSW.Win32.OnlineGames.ayju and the flash file as Exploit.SWF.Downloader.a hard drive

Here s an animated image of decrypted shellcode: Comments Flash w/ SQL travelstar

| gateway

Google Earth with Worms, Spam and Malware - F-Secure Weblog : News from the Lab

---

Google Earth is cool. We ve been using it to track worms. If a worm contacts our monitoring system, its IP address is logged and is then converted to latitude and longitude. It alls goes into an XML feed that we use with Google Earth s network links. It looks something like this: Google Earth with Worms Click the image for a 1400x1050 view. And while that s pretty neat, worms aren t really today s threat. So we re working on some new data feeds. laptop parts

Lets take spam. This is what the source of spam from a single personal account looks like: Google Earth with Worms and Spam Then there s our worldmap.f-secure.com data. It also feeds an internal system that we use in the lab. We ve adapted that data for Google Earth which then looks like this: Google Earth with Worms, Spam and Malware software

Bot monitoring feeds are in the works as well. We ll do a video demo sometime next week. Comments Inside a Malicious Flash File hard drives

| electronics

DHS PDF AddressBanner TitleBanner MAIN INDEX

ARCHIVES ABOUT US SECURITY CENTER SUBMIT SAMPLE FSLABS TUBE LINUX BLOG canon

Sunday, June 1, 2008 desktop pc

DHS PDF

Posted by Mikko @ 12:14 GMT | desktop computers

---

We get samples lots of samples every day. Like tens of thousands of them. think pad

They come from various sources: from our customers; from honeypots and honeynets; via our online scanners; submitted directly from our products; from operators and ISPs; via sample exchange with our competitors; and so on. repair

We also get copies of samples that people submit to online virus scanning services such as VirusTotal, Jotti, and VirSCAN. We d like to give big thanks to these services for their valuable cooperation. data recovery

When we get samples via such online services, we have absolutely no idea where the sample is coming from and who submitted it. Sometimes such samples can be real mysteries. Take for example this PDF file that we got a sample of via VirusTotal. The only information we have on this 130kB file is that it was named .pdf (after its MD5 hash) and that it was submitted on the 23rd of May. cisco

When you open this document, this is what you ll see: Department of Homeland Security G-325A Looks like a Department of Homeland Security form G-325A. Look again. What s the filename It s not .pdf. It s 0521.pdf. This is not the document we opened. So what happens here Apparently this PDF has been used in a targeted attack against an unknown target. keyboard

When this PDF is opened in Acrobat Reader, it uses a known exploit to to drop files. Specifically, it creates two files in the TEMP folder: D50E.tmp.exe and 0521.pdf. Then it executes the EXE and launches the clean 0521.pdf file to Adobe Reader in order to fool the user into thinking that everything is all right. D50E.tmp.exe is a backdoor that creates lots of new files with innocent sounding filenames, including: monitor

\windows\system32\avifil16.dll \windows\system32\avifil64.dll \windows\system32\drivers\pcictrl.sys \windows\system32\drivers\Nullbak.dat \windows\system32\drivers\Beepbak.dat The SYS component is a rootkit that attempts to hide all this activity on the infected machine. nbsstt.3322.org The backdoor tries to connect to port 80 of a host called nbsstt.3322.org. Anyone operating this machine would have full access to the infected machine. desktop

Well, 3322.org is one of the well known Chinese DNS-bouncers that we see a lot in targeted attacks. Does nbsstt mean something Beats us, but Google will find a user with this nickname posting to several Chinese military related web forums, such as bbs.cjdby.net. infosys

Where does nbsstt.3322.org point to nbsstt.3322.org IP address 125.116.97.19 is in Zhejiang, China. And it s live right now, answering requests at port 80. Comments Google Earth with Worms, Spam and Malware refurbished laptops

| wipro

Creating Malicous PDF Files

f 1 be 1 cdea 0 bcc 5 a 1574 a 10771 cd 4 e 8 e 8 f 1 be 1 cdea 0 bcc 5 a 1574 a 10771 cd 4 e 8 e 8 lap top

Creating Malicous PDF Files - F-Secure Weblog : News from the Lab

Yesterday s post discussed a mystery PDF file that was booby trapped to drop a backdoor. Today we ll look at how these documents are created. Here s an example of a tool called Y08-40 aka GenMDB. GenMDB When run, it displays this user interface: y08-04 by Noble The apparent purpose of this tool is to create trojanized PDF files. You select which EXE you want to embed, which PDF file you want to trojanize, and which platform you expect the victim to be using. refurbished

Cool. Now, the real question is this: How on earth did we get our hands on such a tool You d never guess it. We received it inside a trojanized PDF file. Here s what we believe happened: Someone, somewhere was using this tool for the first time. They did a test run, selecting a random PDF file and a random EXE to create a trojanized PDF, just as a test. As a random EXE, they selected wait for it GenMDB.EXE itself! memory

Then the perpetrator was probably curious to find out if the trojan PDF would be detected by virus scanners or not. So he uploaded the trojanized PDF to an online scanner. Hey, thanks. Keep up the good work. Comments DHS PDF intel

| as400

Symbian Jailbreak AddressBanner TitleBanner MAIN INDEX

ARCHIVES ABOUT US SECURITY CENTER SUBMIT SAMPLE FSLABS TUBE LINUX BLOG averatec

Tuesday, June 3, 2008 hardware

Symbian Jailbreak

Posted by Jarno @ 18:32 GMT | dual xeon

---

A Spanish modder has developed an easy to use privilege escalation hack for Symbian S60 3rd Edition phones. The hack provides unlimited access to the phone s file system. With this access any number of modifications can be made. storage

jojojojo. Image from BigStockPhoto.com

Mobile modding is a very dynamic scene. See our recent Motorola Razr post and of course Apple iPhone research has had a great deal of activity from the time of its introduction. Despite the diversity of platforms, mobile phone enthusiasts are drawn to popular hardware and are eager to unlock any restrictions that exist. seagate

Hacks directed towards S60 3rd Edition have been evolving for a while now. A number of OS security enhancements were implemented between the 2nd and 3rd Editions of S60. One of the practical results of these enhancements was the prevention of malware for 3rd Edition phones. The OS is locked down and applications require a Symbian signature. It s essentially a whitelisting system and only trusted applications can be installed. computer sales

While this provides a very practical consequence to regular consumers it also tends to frustrate enthusiasts. Late last year we tested a hack technique using Nokia s firmware update application. It ended up bricking one of our test phones and we needed to get it re-flashed. The hack wasn t very, shall we say, user friendly. And being difficult to use it never really took off. Modification of firmware is both difficult and error prone. So modders began to look for easier targets that were more reliable. computer hardware

Recent techniques used a new approach targeting Symbian s debugging interface, thus giving the modders full control without having to touch the device s firmware. Once a hacker has access to debug controls the device is completely under his control. printers

The first versions of this approach still required the use of a PC and thus could only be used by someone who knew what he was doing and required some time. So from the security point of view this was rather harmless. It would never become popular with the average Joe. technology

But things went on and then last week the steps were reduced to running a single SISX installation file. And it works easily with no fuss. The SISX installation package contains a simple graphical application to remove the access restrictions of any application that is currently running on the device. mainframe

It makes modding an S60 phone as easy as jailbreaking an iPhone. The privilege escalation is still not without side effects. After escalation the operating system is not able to start any new applications until the phone is rebooted. But whatever is running at the time has total control over the device. So what does the future hold Will we see new malware for S60 3rd Edition phones It s possible. Cabir, Commwarrior, or Beselo source code could be updated to work on 3rd Edition and with the addition of this privilege escalation they could do pretty much the same things as they do on 2nd Edition phones. samsung

However Nokia and Symbian have worked on more security features than just the platform security capabilities model. For example, S60 3rd Edition FP1 s user interface was modified to prevent simple social engineering tactics used by Cabir variants. So user interaction would still be required and we think more of a social engineering challenge than with 2nd Edition phones. computer repair

More likely we ll see a small but growing subset of enthusiasts running homebrew applications much as there exists for the iPhone. Those willing to risk the security consequences will run free applications from developers that skip the expensive development cost of the Symbian signing process. Just like those that will skip Apple iPhone s SDK applications which require Apple s approval. used computers

Comments Creating Malicous PDF Files

| network

Storm Still Alive Storm Still Alive - F-Secure Weblog : News from the Lab AddressBanner TitleBanner MAIN INDEX

ARCHIVES ABOUT US SECURITY CENTER SUBMIT SAMPLE FSLABS TUBE LINUX BLOG digital cameras

Wednesday, June 4, 2008 desktops

Storm Still Alive

Posted by Patrik @ 00:20 GMT | cognos

---

Despite reports of Storm being killed off, it s still very much alive. As recently as earlier today we saw an upswing in e-mails being sent out attempting to trick people into visiting Storm sites such as the one below. hosting

Storm May 2008

While the Storm botnet certainly isn t as big as it used to be, it s definitely one of the most persistent botnets we ve ever seen and we ve not seen the last of it. PS. Nowadays Storm drops a filed called farkrish.exe to the system...we wonder if that means something in some language Comments Symbian Jailbreak netfinity

| internet

AddressBanner TitleBanner MAIN INDEX

ARCHIVES ABOUT US SECURITY CENTER SUBMIT SAMPLE FSLABS TUBE LINUX BLOG cheap computer

Wednesday, May 28, 2008 digital camera

Flash w/ SQL

Posted by Sean @ 17:16 GMT | printer

---

There are reports of a critical vulnerability affecting current versions of Adobe Flash and evidence of it being exploited in the wild. Versions including and previous to 9.0.124.0 are reported to be at risk. However chatter on the security lists we frequent suggest version 9.0.124.0 is not vulnerable and that the attacks are only reliably effective against version 9.0.115.0 and earlier (using CVE-2007-0071). xseries

In any case we are seeing Flash exploits being used in combination with SQL injection attacks. See Patrik s May 13th post for more information on the SQL attacks. Many/most people probably don t update Flash every time there s an update. This in combination with the SQL injection attacks against tens of thousands of hacked sites is cause for concern. Many, many users could be at risk and should update their Flash software. Shadowserver has a good post highlighting some domains pushing Flash exploits. maxtor

Adobe is aware of the issue and is investigating but does not yet have a full report. We ll update you later on whether or not version 9.0.124.0 is affected. In the meantime, there may be some mitigating strategies you d like to employ. First of all you can uninstall Flash. But that can be somewhat aggravating as you ll then be prompted frequently to install Flash from numerous websites. So another option is to update and then disable your current installation. data storage

If you have Flash installed on your Windows computer, Add/Remove Programs includes a Computer for support information link. ActiveX component for Internet Explorer: Flash 901240 ActiveX Firefox Plugin: Flash 901240 Plugin Update to the most recent version. You can test your installation from this page. What are your options once you re up to date hitachi

For Internet Explorer, you can use the Manage Add-ons option to disable Flash: IE Manage Add-ons But then you ll get this annoying prompt on Flash enabled sites: Add-on Disabled An alternative is to use registry (.reg) files. This file disables Flash and this file enables Flash in IE. Right-click, save, and place the files in a convenient location and you can toggle Flash on/off as needed. rational

A big hat tip goes to John Haller s Useful Stuff site for the .reg files. And for Firefox We suggest Flashblock and NoScript: Firefox Add-ons NoScript is an excellent plugin and will block Flash from any untrusted sites. But be careful whom you trust. Remember, even trusted sites can be hacked. Still, it s a must have plugin for security conscious individuals. You can install it from noscript.net. websphere

Flashblock prevents all Flash content from loading. It inserts a placeholder that then allows the user to toggle only the desired Flash. You can install it from flashblock.mozdev.org. battery

Update

: The Security Focus BID has been retired, see the details here. Adobe also has an updated post available. Adobe Flash version 9.0.124.0 is NOT vulnerable to the exploits that we re seeing in the wild. But there are a large number of sites hosting exploits for earlier Flash versions, so there is risk. We strongly advise updating your Flash installation as a minimum measure. it support

Home users can use our free Health Check service to assist in scanning and updating their systems. Comments Motorola Razr Vulnerability western digital

| music

Inside a malicious flash file

---

In mobile news: TippingPoint has reported a JPEG Processing Stack Overflow Vulnerability affecting firmware based Motorola Razr phones. The vulnerability was discovered last summer. New Razr shipments will not be affected as Motorola has produced a fix for the issue. Motorola Razr The vulnerability allows remote attackers to execute arbitrary code on vulnerable Motorola Razr firmware based cell phones. networks

From TippingPoint: A corrupt JPEG received via MMS can cause a memory corruption which can be leveraged to execute arbitrary code on the affected device. So some user interaction is required accepting the MMS. However, people by and large generally trust image files so that isn t a difficult social engineering challenge. On a positive note, the Razr uses a proprietary OS and the knowledge base is limited to enthusiasts and modders. But there are modders are out there. Popular hardware always generates a crowd of recreational hackers, e.g. iPhone. toner

Perhaps we ll see this JPEG exploit used to simplify unlocking older Razrs. Jailbreaking the iPhone was simplified by a TIFF handling exploit after all. We probably won t see any malware as a result of this vulnerability. Still, one interesting thing to consider is that if a Razr were to be exploited by this, the user wouldn t be able to undo the damage without a reinstall of the firmware. Being a closed OS, there is no hard reset available as there are with many smartphones. cheap laptops

Updates are available for older Razr models via Motorola. Comments Dear Google AdWords Customer wholesale

| brother

Flash w/ SQL Dear Google AdWords Customer - F-Secure Weblog : News from the Lab

---

Sometimes it can be quite hard to spot a phishing site on the first glance. Adwords Sure, it looks quite real. But always double check the address. Comments Romanian Whack-A-Mole and Linux Bots netvista

| camera

Motorola Razr Vulnerability Romanian Whack-A-Mole and Linux Bots - F-Secure Weblog : News from the Lab

---

It doesn t always have to be the latest and greatest zero-day exploit that causes you to lose control of your computer or server to external attackers. Today s example comes in the relatively ancient form of brute force SSH. We recently received a sample containing several different files: A psyBNC installation; legitimate software used by many for normal purposes, but it s also a common tool in an attacker s toolkit. networking

And a collection of scripts, binaries, and password files that were used to scan for machines that have their SSH port open. The binaries that were used maliciously in this case were connecting to a large public IRC network. We see quite many such as these, all headed for the same network even though it does have a working abuse address and the network s administrators actually do something to the botnet channels that get reported. In our experience, the botnets are most often run by various small gangs coming largely from eastern Europe; notably from Romania. sharp

Once one of the botnet channels has been suppressed, it takes only a few hours for a new one to pop up in the same IRC network but under a different channel name. Whac-a-Mole The botnet in this case was made up of about forty infected Linux machines, and judging by their DNS Resource Records, most of them are either webservers or mail servers, which usually have a bit fatter Internet connection than you average Joe Consumer. cheap

The moral Even unsophisticated attackers don t need the latest and greatest techniques if the target s passwords are weak. Comments Jobs:W32/F-Secure windows

| monitors

Dear Google AdWords Customer F-Secure.com Vulnerability on the latest Symbian operating system

Jun 5, 2008 It is now possible for mobile phone hackers to bypass the security system of the Symbian OS 9 based S60 3rd Edition phones with a mobile application. Symbian OS 9 based S60 3rd Edition is the market-leading open operating system for mobile phones. The newly developed hack is a so-called privilege escalation hack. This means that hackers can get unauthorized access to the phone file system, which is normally protected. With this access system modifications can be made. linux

Hacks directed towards the S60 3rd Edition have been evolving for some time. What makes this case different is that the new hack can be carried out without external devices or system knowledge by installing just one mobile application that is downloadable from the web. computer support

Because the application can be considered as a hacking application, it is classified by F-Secure as riskware. F-Secure Mobile Security software identifies this application and removes it. Commenting on the vulnerability, Jarno Niemel , Senior Mobile Virus Researcher at F-Secure, said, he application needs to be installed by the user, so this hacking tool is not a threat to the average mobile user. Because the application lets a user access the file system, we consider this as a security risk. Mobile virus source code could be updated to work on 3rd Edition phones and with the addition of this privilege escalation, hackers could do pretty much the same things as they do on 2nd Edition phones. /p used laptops

More information about the S60 3rd edition vulnerability at the F-Secure weblog: http://www.f-secure.com/weblog/archives/00001451.html F-Secure Mobile Security solution enables smartphone users to enjoy the full potential of their devices without the fear of mobile threats. The application combines real-time antivirus and antispyware functionality with a firewall, ensuring complete protection in today connected lives. cameras

F-Secure Mobile Security can be subscribed from selected mobile operators as a service, purchased directly from the F-Secure eStore at: http://www.f-secure.com/estore/, or bought from resellers worldwide. scanners

F-Secure.com F-Secure Corporation celebrates 20 years of reliable protection

May 22, 2008 Founded in 1988 under the name Data Fellows, F-Secure has grown from humble beginnings to become a globally recognized player in the Internet security and mobile security markets. The company outstanding technological innovation in the face of constantly evolving security threats has attracted both international accolades and respect within the industry. F-Secure is also a Finnish business success story. F-Secure was listed on the OMX Nordic Exchange Helsinki in 1999 and has consistently been one of the fastest growing publicly listed companies in the industry. The company has pioneered the Security as a Service business model and is today a global leader in providing security as a service through mobile operators and Internet Service Providers, with more than 160 partners around the world. panasonic

F-Secure 20th anniversary seminar was held at the Finnish Science Centre Heureka last Friday. The event included a panel discussion on the multiple meanings of ICT to Finland future. The panelists included: Jyrki Katainen, Minister of Finance; Jorma Ollila, Chairman of the Board of Nokia Corporation and Royal Dutch Shell; Vesa Puttonen, Professor from the Helsinki School of Economics; Kimmo Alkio, President and CEO, F-Secure Corporation; workstation

and Risto Siilasmaa, Chairman of the Board and founder of F-Secure. here has been discussions on howto encourage more so-called business angels to support startup companies, and also on tax incentives to support business development. In the model we are discussing, it should be possible for a company whose activities are seen as beneficial to the society to defer paying taxes until profits are actually returned to the investors Jyrki Katainen outlined. iseries

Jorma Ollila suggested more medium sized companies are needed: inland is among the winners of the ICT revolution. We have been able to transform the structure of the economy with the help of ICT, which has now become one of the foundations of the national economy. Finland has large companies and many startups but we are still lacking in medium-sized growth companies like F-Secure and need to find ways to improve this situation. /p backup

t is significant from Finland perspective that we are today celebrating the success of a company like F-Secure. We need a hundred more similar companies, which are rooted in the Finnish identity but are also internationally oriented right from the start said Vesa Puttonen information technology

e should not only be using ICT for doing the same old things in a more efficient way but thinking about the whole operation in a new way. This requires courage, a willingness for change and a long-term vision. Finnish companies have to be competitive so that they can make their contribution to maintaining the Finnish society. We need more competitive growth companies and more skilled labor for them said Risto Siilasmaa. routers

Kimmo Alkio commented on global growth opportunities and the availability of ICT professionals: hanks to F-Secure competitiveness and its motivated workforce, we believe strongly in the company future. The most important factors for success are innovation, global knowledge, and a multicultural environment. We now have a shortage of experienced ICT professionals in Finland, thus we should be encouraging more work-related immigration and global job rotation 180gxp

Apr 23, 2008 The strength of the service-based business again yields strong results for the company F-Secure Corporation continues its steady growth and increased its revenue by 15% during its first quarter of 2008. The company quarterly revenues reached an all-time high of 26.6m The strategically important Internet Service Provider business grew by 8% compared to the fourth quarter of 2007, and 41% year over year. Profitability remained on a good level with an EBIT of 5.3m representing 20% of revenues. notebook battery

The company long-term strategy of making data security available as a service continues to be successful. F-Secure now partners with 169 Internet Service Providers (ISP ) around the world, and is the clear leader in this globally growing segment of the Internet security market. At the end of 2007 F-Secure security services were available through ISP partners that cover 37% of all broadband subscribers in Europe, 10% in North America, and 9% in Asia-Pacific region. The service-based business model with ISP is repeatedly proving its strength and now represents 41% of the company revenues, up from 34% in the same quarter last year. security

The protection of smartphones is another strategic growth opportunity for F-Secure. In Q1 the company continued expanding its co-operation with both handset manufacturers and mobile operators, both of which are key in making mobile security available to end-users. In addition to the continued good co-operation with Nokia, the company announced new partnerships with Sony Ericsson on a global basis and with Toshiba Information Systems in Europe to provide security solutions for the smartphones these companies deliver. Mobile operators are also increasingly interested in the service, and a new partnership was announced with CSL, the largest mobile operator in Hong Kong. lotus

It is encouraging to see that our long-term investment in the ISP business continues to drive our growth in a sustainable fashion , said Kimmo Alkio, President and CEO of F-Secure Corporation. We have good confidence in our ability to reliably protect an increasing amount of Internet and mobile users around the world , he continues. virus

F-Secure.com Option Programs AGM 2008 Option Programs Analyst Coverage Contact F-Secure Investor Relations Careers Event Calendar Marketing eStore Products Support Downloads Press and News Weblog Contacts F-Secure.com F-SECURE

ABOUT F-SECURE Investor Relations Option Programs thinkpad t42

F-Secure Option programmes

If you would like to buy shares or would like further information concerning options please contact options@f-secure.com. Option Programs: * F-Secure Corporation Stock Option Plan 2002 thinkpad 600

* F-Secure Corporation Stock Option Plan 2005 F-Secure Corporation Warrants Subscription Schedule: thinkpad 600e

• May 14, 2008 thinkpad 570

• August 20, 2008 thinkpad 600x

• November 3, 2008 thinkpad 390x

• December 29, 2008 thinkpad a31

monebaggasse