Kuala Lumpur, Malaysia, May 14, 2008
F-Secure Corporation, the global leader in providing security
as a service through mobile operators and Internet Service
Providers, today announced that it has joined the International
Multilateral Partnership Against Cyber-Terrorism (IMPACT), with
Chief Research Officer Mikko Hypponen representing the company
on IMPACT International Advisory Board.
The Malaysian IMPACT initiative seeks to establish a unique
platform that brings together governments and the international
private sector as partners in the global fight against cyber
threats. IMPACT will host the World Cyber Security Summit in
Kuala Lumpur, Malaysia, from 20 to 22 May 2008, in conjunction
with the World Congress on Information Technology (WCIT). In
addition to the IMPACT inaugural International Advisory Board
meeting, a Ministerial Roundtable will also be taking place.
The inaugural IMPACT Summit will be the largest ever gathering
of governments, regulators and industry experts on cyber
terrorism, with ministers and officials representing over 40
governments invited for the event.
"We are honored and proud to be part of the IMPACT
initiative. We see IMPACT as an important global collaboration
and a catalyst against cyber threats. We look forward to
contributing to the direction and strategies of IMPACT," said
Mikko Hypponen, Chief Research Officer at F-Secure.
Inside a malicious flash file - F-Secure Weblog : News from
the Lab
Thursday, May 29, 2008
Inside a malicious flash file
Posted by Gerald @ 19:13 GMT
We've been receiving lots of malicious flash files
lately. Most of the flash files that we received have obfuscated
shellcode.
I stumbled on one sample and took a closer look at it. The
obfuscation is simple; it only uses XOR and ADD instructions.
Basically, this flash file is taking advantage of the recent
0-day vulnerability in Adobe Flash Player. It
downloads and executes a file from the following site:
hxtp://www.psp1122.cn/[removed].exe We detect the downloaded
EXE file as Trojan-PSW.Win32.OnlineGames.ayju and the flash
file as Exploit.SWF.Downloader.a
Here's an animated image of decrypted shellcode:
Google Earth with Worms, Spam and Malware - F-Secure Weblog
: News from the Lab
Google Earth is cool. We've been using it to track
worms. If a worm contacts our monitoring system, its IP address
is logged and is then converted to latitude and longitude. It
all goes into an XML feed that we use with Google Earth's
network links. It looks something like this:
[Image: Google Earth with Worms]
And while that's pretty neat, worms aren't really
today's threat. So we're working on some new data
feeds.
Let's take spam. This is what the source of spam from a
single personal account looks like:
[Image: Google Earth with Worms and Spam]
Then there's our worldmap.f-secure.com data. It also feeds an
internal system that we use in the lab.
We've adapted that data for Google Earth, which then looks
like this:
[Image: Google Earth with Worms, Spam and Malware]
Bot monitoring feeds are in the works as well. We'll do
a video demo sometime next week.
Sunday, June 1, 2008
DHS PDF
Posted by Mikko @ 12:14 GMT
We get samples, lots of samples, every day.
Like tens of thousands of them.
They come from various sources: from our customers; from
honeypots and honeynets; via our online scanners; submitted
directly from our products; from operators and ISPs; via sample
exchange with our competitors; and so on.
We also get copies of samples that people submit to online
virus scanning services such as VirusTotal,
Jotti, and VirSCAN. We'd
like to give big thanks to these services for their valuable
cooperation.
When we get samples via such online services, we have
absolutely no idea where the sample is coming from and who
submitted it. Sometimes such samples can be real mysteries.
Take for example this PDF file that we got a sample of via
VirusTotal. The only information we have on this 130kB file is
that it was named .pdf (after its MD5 hash)
and that it was submitted on the 23rd of May.
When you open this document, this is what you'll see:
[Image: Department of Homeland Security G-325A]
Looks like a Department of Homeland Security form
G-325A. Look again. What's the filename?
It's not .pdf. It's
0521.pdf. This is not the document we opened.
So what happens here? Apparently this PDF has been used in a
targeted attack against an unknown target.
When this PDF is opened in Acrobat Reader, it uses a known
exploit to drop files. Specifically, it creates two files in
the TEMP folder: D50E.tmp.exe
and 0521.pdf. Then it executes the EXE and
launches the clean 0521.pdf file to Adobe Reader in order to
fool the user into thinking that everything is all right.
D50E.tmp.exe is a backdoor that creates lots of new files with
innocent sounding filenames, including:
\windows\system32\avifil16.dll
\windows\system32\avifil64.dll
\windows\system32\drivers\pcictrl.sys
\windows\system32\drivers\Nullbak.dat
\windows\system32\drivers\Beepbak.dat
The SYS component is a rootkit that attempts to hide all this
activity on the infected machine.
The backdoor tries to connect to port 80 of a host called
nbsstt.3322.org. Anyone operating this machine
would have full access to the infected machine.
Well, 3322.org is one of the well known Chinese DNS-bouncers
that we see a lot in targeted attacks. Does
nbsstt mean something? Beats us, but Google
will find a user with this nickname posting to several Chinese
military related web forums, such as bbs.cjdby.net.
Where does nbsstt.3322.org point to?
IP address 125.116.97.19 is in
Zhejiang, China. And it's live right now, answering
requests at port 80.
Creating Malicious PDF Files - F-Secure Weblog : News from
the Lab
Yesterday's post discussed a mystery
PDF file that was booby trapped to drop a backdoor. Today
we'll look at how these documents are created. Here's
an example of a tool called Y08-40 aka
GenMDB.
[Image: GenMDB]
When run, it displays this user interface:
[Image: y08-04 by Noble]
The apparent purpose of this tool is to create trojanized PDF
files. You select which EXE you want to embed, which PDF file
you want to trojanize, and which platform you expect the victim
to be using.
Cool. Now, the real question is this: How on earth
did we get our hands on such a tool? You'd never
guess it. We received it inside a trojanized PDF file.
Here's what we believe happened: Someone, somewhere was
using this tool for the first time. They did a test run,
selecting a random PDF file and a random EXE to create a
trojanized PDF, just as a test. As a random EXE, they selected,
wait for it, GenMDB.EXE itself!
Then the perpetrator was probably curious to find out if the
trojan PDF would be detected by virus scanners or not. So he
uploaded the trojanized PDF to an online scanner. Hey, thanks.
Keep up the good work.
Tuesday, June 3, 2008
Symbian Jailbreak
Posted by Jarno @ 18:32 GMT
A Spanish modder has developed an easy to use privilege
escalation hack for Symbian S60 3rd Edition phones. The hack
provides unlimited access to the phone's file
system. With this access any number of modifications
can be made.
Mobile modding is a very dynamic scene. See our recent
Motorola Razr post and of course
Apple iPhone research has had a great deal of
activity from the time of its introduction. Despite
the diversity of platforms, mobile phone enthusiasts are drawn
to popular hardware and are eager to unlock any restrictions
that exist.
Hacks directed towards S60 3rd Edition have been evolving
for a while now. A number of OS security enhancements were
implemented between the 2nd and 3rd Editions of S60. One of the
practical results of these enhancements was the prevention of
malware for 3rd Edition phones. The OS is locked down and
applications require a Symbian signature. It's essentially
a whitelisting system and only trusted applications
can be installed.
While this provides a very practical consequence to regular
consumers it also tends to frustrate enthusiasts. Late
last year we tested a hack technique using Nokia's firmware
update application. It ended up bricking one of our test phones
and we needed to get it re-flashed. The hack wasn't very,
shall we say, user friendly. And being difficult to use it
never really took off. Modification of firmware is both
difficult and error prone. So modders began to look for easier
targets that were more reliable.
Recent techniques used a new approach targeting
Symbian's debugging interface, thus giving the modders full
control without having to touch the device's firmware. Once
a hacker has access to debug controls the device is completely
under his control.
The first versions of this approach still required the use
of a PC and thus could only be used by someone who knew what he
was doing and required some time. So from the security point of
view this was rather harmless. It would never become popular
with the average Joe.
But things went on and then last week the steps were reduced
to running a single SISX installation file. And it works easily
with no fuss. The SISX installation package contains a simple
graphical application to remove the access restrictions of any
application that is currently running on the device.
It makes modding an S60 phone as easy as
jailbreaking an iPhone. The privilege
escalation is still not without side effects. After escalation
the operating system is not able to start any new applications
until the phone is rebooted. But whatever is running at the
time has total control over the device. So what does the future
hold? Will we see new malware for S60 3rd Edition phones?
It's possible. Cabir, Commwarrior, or Beselo source code
could be updated to work on 3rd Edition and with the addition
of this privilege escalation they could do pretty much the same
things as they do on 2nd Edition phones.
However, Nokia and Symbian have worked on more
security features than just the platform security capabilities
model. For example, S60 3rd Edition FP1's user
interface was modified to prevent simple social engineering
tactics used by Cabir variants. So user interaction
would still be required and we think more of a social
engineering challenge than with 2nd Edition phones.
More likely we'll see a small but growing subset of
enthusiasts running homebrew applications much as there
exists for the iPhone. Those willing to risk the security
consequences will run free applications from developers that
skip the expensive development cost of the Symbian signing
process. Just like those that will skip Apple iPhone's SDK
applications which require Apple's approval.
Storm Still Alive - F-Secure Weblog : News from the
Lab
Wednesday, June 4, 2008
Storm Still Alive
Posted by Patrik @ 00:20 GMT
Despite reports of Storm being killed off,
it's still very much alive. As recently as earlier today we
saw an upswing in e-mails being sent out attempting to trick
people into visiting Storm sites such as the one below.
[Image: Storm May 2008]
While the Storm botnet certainly isn't as big as it used
to be, it's definitely one of the most persistent botnets
we've ever seen and we've not seen the last of
it. PS. Nowadays Storm drops a file called
farkrish.exe to the system... we
wonder if that means something in some language?
Wednesday, May 28, 2008
Flash w/ SQL
Posted by Sean @ 17:16 GMT
There are reports of a critical vulnerability affecting
current versions of Adobe Flash and evidence of it being
exploited in the wild. Versions including and previous to
9.0.124.0 are reported to be at risk. However,
chatter on the security lists we frequent suggests
version 9.0.124.0 is not vulnerable and that the attacks are
only reliably effective against version 9.0.115.0 and earlier
(using CVE-2007-0071).
In any case we are seeing Flash exploits being used
in combination with SQL injection attacks. See Patrik's
May 13th post for more information on the SQL
attacks. Many/most people probably don't update Flash every
time there's an update. This in combination with the SQL
injection attacks against tens of thousands of hacked sites is
cause for concern. Many, many users could be at risk and should
update their Flash software. Shadowserver has a good
post highlighting some domains pushing Flash
exploits.
Adobe is aware of the issue and is
investigating but does not yet have a full report.
We'll update you later on whether or not version 9.0.124.0
is affected. In the meantime, there may be some mitigating
strategies you'd like to employ. First of all you can
uninstall Flash. But that can be somewhat aggravating as
you'll then be prompted frequently to install Flash from
numerous websites. So another option is to update and then
disable your current installation.
Interestingly, the domains used by
the fake Viagra shops not only have similar sounding names to the
downloader URLs but also have the same registration information.
All the domains we've seen can be categorized according to just
three different groups: domains registered to "Wang Pang", "Dima
Li" or "Bai Ming".
And when comparing the domain names
used in the virus to domains shown in the spam messages, we can see
that they overlap, proving that these are all part of a single
operation.
Still in November, Warezov
continued its run, and F-Secure continued to add detections at the
same rate. With many of the parts of the jigsaw falling into place,
new variants of the worm are now automatically blocked using
F-Secure Internet Security 2007's System Control feature.
Nevertheless, the Warezov worm seems to be a malware that will
continue to cause headaches for researchers and users for some time
to come.
Social networking sites under worm threat
At the end of July, the Research team came across further examples
of Web Application Worms exploiting persistent Cross Site Scripting
(XSS) vulnerabilities in websites. This is a new category of
malware and a growing concern for popular websites. Social
Networking sites seem to be the most popular target right now
thanks to their immense popularity and user bases. MySpace has
already been hit by two such worms - the Samy worm in October 2005
and by a "Flash" worm in July 2006. Samy was written by somebody
who wanted to become popular on MySpace. The malware author in
question designed the worm to crawl through the site while
furiously adding people to his friends list. The result: over a
million "friends" in a couple of hours. The MySpace Flash worm
exploited a vulnerability in Macromedia Flash to redirect MySpace
users to an objectionable webpage.
In July, MySpace was also the target
of a malicious banner advertisement that ran on the site. It used
the WMF vulnerability in Windows to serve adware to more than a
million users with unpatched machines. Following these attacks we
decided to see how secure other popular social networking sites are
against "wormable" XSS vulnerabilities. We picked out two of the
top social networking sites with a reported combined user base of
80 million. Within half an hour we had discovered over half a dozen
potentially "wormable" XSS vulnerabilities in each site! We stopped
looking after finding half a dozen, but we are sure there are a lot
more holes in there. With about a day's work a malicious attacker
with a half-decent knowledge of JavaScript could create a worm
using just one of these vulnerabilities.
And here is something to consider: The WMF banner ad successfully
reached about one million users. An automated worm utilizing a
similarly malicious WMF exploit or a similar browser exploit -
maybe even a zero-day exploit, could potentially reach a much, much
larger audience of unpatched machines. Theoretically, this could be
the entire user base...
We recommend that end users patch their computers and that web
application developers start taking security seriously. XSS issues
have stopped being funny for a long time now. They are a real
danger with the advent of phishing and Web application worms that
can exploit a mass user base of millions of users within a very
short time. Of course, the Research team reported the issues to the
affected websites and are working with them to get the issues
fixed. The writing is on the wall - let's hope the malware community
can read that quickly.
VML Exploit put IE users at risk
In late September, F-Secure reported a VML Exploit on Internet
Explorer in the wild that allowed for the remote execution of code
with the only action necessary to become infected being to view a
malicious webpage using Internet Explorer or an HTML formatted
e-mail.
Fortunately for IE users, Microsoft published a prompt Microsoft
Security Advisory (925568) regarding the issue and an update was
scheduled for October. Users were advised to unregister the
susceptible dll from the system as a workaround for the
vulnerability.
For most users, the vulnerability
represented a limited threat since the vgx.dll component solely
handles Vector Markup Language (VML) - something not too many
websites use these days. Microsoft's Outlook e-mail client was also
potentially vulnerable to this exploit but fortunately again,
e-mail is treated as if from Restricted Sites by default, where
Binary and Scripting Behaviors are disabled.
Research team boosted by Kuala Lumpur security laboratory
Given the time difference between
the F-Secure labs monitoring the global malware situation, work
shifts are conveniently split without much overlap. In this way,
F-Secure is able to maintain its promise to respond faster to virus
outbreaks than its competitors.
Mobile malware - the usual suspects and a few notable
oddities
On the mobile front, there was the usual steady advance of mobile
malware and their variants in the last half of 2006. By July the
number had exceeded the three hundred mark and continued its rise.
As in earlier times, Symbian continues to be the platform of choice
for the majority of mobile malware authors reflecting the
preponderance of the platform in the smartphone market.
Cross-platform worms - the malware of the future
In late autumn, the Research team encountered a cross-platform worm
that is theoretically capable of spreading from a PC to a mobile
device and back again. The "Mobler" worm as it has been labeled,
moves between Symbian and Windows platforms. Although its payload
on the Windows side is significant, it doesn't cause much harm on
the Symbian device, rather copying itself to the memory card and
trying to trick the user into infecting his or her PC.
Technically speaking, there is no automatic spreading mechanism for
Mobler to copy itself from one platform to another. It just creates
a Symbian installation package that inserts a Windows executable on
the mobile device's memory card. This executable is visible as a
system folder in Windows Explorer so potentially it is possible for
the user to accidentally open it and infect their PC while browsing
the memory card's files.
Mobler poses no immediate risk to mobile device users in its
present form. However, it's possible that virus writers might use
it as a basis for more malicious malware. But then again, that
could be said of previous cross-platform viruses and thus far a
heavy hitter has failed to materialize.
Commwarrior - again...
Also in late autumn, the Research team received a new Commwarrior
sample - SymbOS/Commwarrior.Q. Nothing remarkable about that except
the fact that Commwarrior.Q is not just a hexedit of Commwarrior.B
but rather a new variant with additional functionalities.
Commwarrior.Q is based on Commwarrior.C and has the same
functionality as Commwarrior.C and more. Like Commwarrior.C, the Q
variant spreads via Bluetooth and MMS messages, and infects any
memory card inserted into the device. Additionally, Commwarrior.Q
searches the infected device for any SIS file installation packages
and injects itself into any that it finds.
That means that in addition to trying to spread by itself,
Commwarrior.Q also tries to get users to distribute it. For
example, if the user has a game installation SIS that he might copy
to his friend.
Commwarrior.Q is also the first Symbian malware that uses a random
SIS installation file size when it replicates. The file size of the
Commwarrior.Q SIS file varies between 32100 bytes and 32200 bytes
making it difficult to exclude.
When Commwarrior.Q is installed it will display an HTML page to the
phone's default browser after a random delay. Although
Commwarrior.Q was detected in the wild, the fact that Commwarrior.Q
displays the HTML page that states that the phone is infected means
that it is unlikely that it will lead to a large scale outbreak -
that and the fact that Commwarrior.Q is detected by F-Secure Mobile
Anti-Virus with database update 103.
Mobile spyware - legitimate or not
Also on the mobile front, F-Secure continued to investigate
commercially available spying trojans for mobile phones that run on
the Symbian OS as well as on other mobile phone platforms. The
Research team originally thought that such software would still be
a rather limited phenomenon and that there would be only a couple
vendors making spy tools for smartphones. But it turns out that
there's quite a cottage industry that has been lying low and by and
large has been able to escape attention. In fact, there are several
vendors either making software for Symbian smartphones or are
making hardware-modified versions of just about any phone
available. All the phones and software under investigation yielded
rather similar features.
A typical feature set includes SMS forwarding, SMS and voice call
log information, remote listening and covert conference calling.
Some even include localization services. This basically means that
if the victim has a full-featured spy application in their phone,
they have no privacy whatsoever for their calls while the one
controlling the software has access to all the information
available.
Spyware software vendors state that their software should only be
used in accordance with local laws and that a typical application
for such tools is to keep track of a cheating spouse or to monitor
children's phone usage. Naturally, of course these tools have darker
applications such as industrial espionage, identity theft and
stalking.
One of the spyware applications under investigation, Acallno.A, is
an SMS spying tool that forwards all sent or received messages to
an additional number configured by the individual who installed it.
Just to be sure, the Research team added detection of Acallno.A
into F-Secure Mobile Anti-Virus as spyware. Acallno.A is by the
way, a pseudonym for the real software name since F-Secure is in
the business of informing our customers of potential malware, not
promoting commercial spy utilities.
Fortunately, Acallno.A is limited by the target device's IMEI code,
so in the absence of familiar access to the phone, it is impossible
to download to just anyone. Nor can it be just included into a
trojan or other method of mass installation. As monitoring tools
are not always illegal, and there might be some legitimate uses for
Acallno.A or any other such software, it is possible for users to
release the detected spyware so that Anti-Virus allows for its use.
In such cases, please consult the product documentation.
Centrino vulnerabilities open potential window on WLAN
viruses
In early August, Intel published a set of patches for Intel
Centrino. Nothing particularly significant about that but the fact
is that Centrino is not just a processor but also integrates WLAN
and other features for laptops. The vulnerabilities are not related
to the processor itself but to the wireless features - one of the
more common applications in use for modern computer users on the
move.
The vulnerabilities being patched are
significant. The worst of them "could potentially be exploited by
attackers within range of the Wi-Fi station to execute arbitrary
code on the target system with kernel-level privileges". So at
least in theory, somebody could write a WLAN virus that would jump
from one laptop to another if the laptops within range of the
access point are too close to each other. This vulnerability is not
solely the problem of Intel Centrino with other operating systems
such as Mac showing potential windows for hackers to exploit in
their drivers. In all instances, our advice is to make sure your
Wi-Fi drivers are up to date.
The Swedish toy manufacturer, Brio, has decided to create a lovable
collection of figures that live inside a typical computer for
children to play with.
The wooden toys
also include a number of virus figures. Not only that, they have
even built a dedicated website to support the activities including
an active desktop feature and related mini movie. Our only hope at
F-Secure is that children fall in love with the little computer
helpers and not the viruses...
Earlier summaries are available:
Data Security Summary 2006 January to
June Data Security Summary 2005 July to December
Data Security Summary 2005 January to June
Data Security Summary 2004 Data Security Summary 2003 Data
Security Summary 2002
Last modified: Dec 5, 2006.
We haven't seen new Bagle attacks in a while. The last one,
and even that was an isolated one, was exactly a month ago.
But now something's up.
Some of the old
Bagle update URLs activated tonight, offering a new 188kB
executable. This is downloaded and run by machines infected by
previous Bagle variants and it starts to spam out infected
attachments with filenames talking about price lists.
The spammed e-mails include a GIF which shows a password needed to
decode the ZIP files. When the e-mail attachment is decoded and run
by the user, the worm runs (as a decoy) either Notepad or Registry
Editor. Notepad will display a fake error message looking like
this:
[Image: UTF-8 Decoding Error]
This new Bagle also
uses an SSDT rootkit to hide its presence on an infected system.
Administrators: You might want to check your firewall logs for
suspicious activity to
www.bronko-m.ru and
bpsbillboards.com and block future access
to them.
We've added detection of this variant as W32/Bagle.GO.
Stickers - Selection Round
Posted by Sean @ 14:31 GMT
Tuesday's Weblog post sought your suggestions and we
received lots of them. Thanks to all of you! Great responses. And
now we have the next round as selected by the Lab during
lunch. Your vote in this poll will help select the finalists.
Tuesday, November 28, 2006
Laptop Stickers
Posted by Sean @ 13:14 GMT
We gave away free laptop stickers back in March. Now
we're going to order some more and we'd like your opinion. Take the
poll, select your favorite(s), and/or make a
suggestion.
The submissions that we like the most will get some of the new
stickers. Include an e-mail address in the text field so we'll know
how to contact you. Cheers.
November 28th Poll Results
Rootkits and rooting sticks
Posted by Mikko @ 11:22 GMT
Got a USB stick as a gift. This one is a
bit special. At least according to the documentation, it supports
rooting from BIOS!
It also has "encrupted" support and Super-Stabletechnology
neat!
Monday, November 27, 2006
Zero day Warezov
Posted by Mikko @ 09:52 GMT
We've been busy with the latest spam runs
of the Warezov family over the last hours. We've added detection
for the following variants, and there are probably more on the way:
W32/Warezov.HB W32/Warezov.HC W32/Warezov.HD W32/Warezov.HE
W32/Warezov.HF W32/Warezov.HG W32/Warezov.HH W32/Warezov.HI
W32/Warezov.HJ
Updated to add: New domain - RXFF - See the list.
Friday, November 24, 2006
Infosecurity...Lapland!
Posted by Mikko @ 12:22 GMT
Lapland, home of lap dancing
According to the indictment, Jones would steal various IBM and Penguin computer servers from Verisign's warehouse in Virginia and sell them to Johnson. Johnson would then sell the servers to several individuals, who would sometimes place them for sale on eBay. As a result of this scheme, the indictment alleges that Jones and Johnson caused Verisign to lose more than $120,000 worth of computer equipment. In the indictment, Jones and Johnson are charged in three counts with causing the interstate transportation of stolen property, namely IBM 330 and 335 servers, in violation of 18 U.S.C.