
Weblog : News from the Lab


Welcome to the blog of the F-Secure Security Labs - maintained by the personnel responsible for analysing virus, phishing, spyware, and spam attacks.

This weblog was started in January 2004, and the full history of the blog is available in the archives.
The content is also available as an RSS feed. Maintainers of this weblog can be reached via Weblog [at] Our Domain

Please DO NOT send support requests or virus samples to this address. Instead, please read and follow the instructions on
How to Send a Sample to Us.


Monday, October 16, 2006

McDonald's ships MP3 players with a trojan Posted by Mikko @ 09:44 GMT

Earlier this month, McDonald's Japan shipped 10,000 MP3 players as prizes in a competition they organized with Coca-Cola.

The players, carrying the McDonald's "M" logo, were shipped with 10 preloaded songs.

Unfortunately, the players were also preloaded with a variant of the QQPass password-stealing trojan. We haven't seen these players ourselves, so we can't confirm how exactly you would get hit by this trojan, but some sources report you only had to plug it into your Windows PC.
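The post above does not say how the players infected a PC. The usual way a "just plug it in" infection works on Windows is an autorun.inf on the device whose [autorun] section tells Windows to run a program on insertion, so that is the assumption behind the following check. This is an added example, not code from F-Secure or McDonald's, and the two autorun.inf samples in it are constructed for illustration:

```python
"""Flag autorun.inf entries that would launch a program when a device is inserted.

Added example (not from the F-Secure post). It assumes the infection vector is
an autorun.inf on the device; the post does not confirm that. The two sample
files below are constructed, not taken from the McDonald's players.
"""
import os
import re
import tempfile

# [autorun] keys whose value names a program to run. Per documented autorun.inf
# semantics, open= and shellexecute= run on insertion/AutoPlay, and
# shell\<verb>\command= defines a verb that runs when the drive is opened.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed sample: a player that only sets a label and an icon.
SAMPLE_BENIGN = r"""[autorun]
icon=player.ico
label=McDonald's MP3
"""

# Constructed sample: the same, but with a program wired to insertion and to
# the drive's "Open" verb (key names deliberately mixed-case; Windows ignores case).
SAMPLE_MALICIOUS = r"""[AutoRun]
icon=player.ico
label=McDonald's MP3
OPEN=setup.exe
shell\open\command=setup.exe
"""


def parse_autorun(text):
    """Parse INI-style autorun.inf text into {section: {key: value}}.

    Section and key names are lower-cased because Windows treats them
    case-insensitively; blank lines and ';' comments are skipped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def find_launchers(text):
    """Return [(key, value)] for [autorun] entries that would execute something."""
    autorun = parse_autorun(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)]


def scan_device(root):
    """Read <root>/autorun.inf if present and return its launchers.

    An empty list means nothing would be started on insertion. The file name
    is tried in a few spellings because Windows matches it case-insensitively.
    """
    for candidate in ("autorun.inf", "AUTORUN.INF", "Autorun.inf"):
        path = os.path.join(root, candidate)
        if os.path.isfile(path):
            with open(path, "r", encoding="latin-1", errors="replace") as fh:
                return find_launchers(fh.read())
    return []


def demo():
    """Write the two constructed samples into temporary 'devices' and scan them."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, content in (("clean_player", SAMPLE_BENIGN),
                               ("trojaned_player", SAMPLE_MALICIOUS)):
            root = os.path.join(tmp, label)
            os.mkdir(root)
            with open(os.path.join(root, "autorun.inf"), "w") as fh:
                fh.write(content)
            results[label] = scan_device(root)
    return results


if __name__ == "__main__":
    for device, launchers in demo().items():
        print(device, "->", launchers or "nothing runs on insertion")
```

Run it against the root of a freshly mounted removable device before opening it. Anything returned by find_launchers is a program the device wants Windows to start for you; the corresponding host-side mitigation is to disable AutoRun for removable drives in Windows so that such entries are never honoured in the first place.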

More information for affected customers is available from McDonald's Japanese web site.

Snippet from http://www.mcd-holdings.co.jp/news/2006/release-061013.html



Friday, October 13, 2006

Fake Sony Vaio order confirmations going around Posted by Mikko @ 19:32 GMT

We've received several reports of a trojan that is being spammed out. The message looks like an order confirmation for the purchase of a $2482 Sony Vaio laptop. The attachment, named order_37679041.exe, contains the actual malware.

We detect this as W32/Small.DXC.




Video - Your Marriage is in Danger! Posted by Kamil @ 13:24 GMT

Weblog reader Per-Erik sent us a URL that he's received as an intrusive pop-under. It's for a product named Drive Cleaner that is classified as a rogue because of its employed sales tactics.

The first pop-up window uses animation and attempts to look like Windows Explorer. Examine the details that it displays in the left-hand frame. The "Warning" message appears to offer a choice, but it's really just an image, and clicking either Yes or No has the same result: you're prompted to download the installer.

Example 1

If you cancel the download, you get a "Notice" asking you to reconsider. We like the kind reminder that having tracks of your online activities could harm your career and your marriage.

Example 2

If you select cancel from the second dialog, you'll get yet another dialog. This message states that Drive Cleaner will now scan your computer and that you must select Run or Open. This is another attempt to get the user to download and install the application.

Example 3

We have a video demo of this for you here (XviD) or here (WMV).

While it completely over-hypes the privacy danger, presenting a minor risk as a critical issue, the application itself doesn't do anything really malicious if installed. It simply does nothing but scan until you buy it. But do you really want to pay €35 to remove temporary files and cookies? You can set your browser to do that automatically when it closes.

Our thanks to Per-Erik for submitting the URL.



Thursday, October 12, 2006

Greetings from Virus Bulletin 2006 Posted by Mikko @ 13:25 GMT

Greetings from the Virus Bulletin 2006 conference in Montreal, Canada!

The second day of the conference is just starting with many interesting presentations to come. I'm especially looking forward to the presentations by Guillaume Lovet, Alex Shipp, and Jose Nazario - too bad Alex and Jose have been scheduled exactly at the same time!

I held my keynote presentation yesterday morning and it went very well.

Virus Bulletin 2006 Keynote

As you might remember, I asked for your help in choosing the topic for my presentation, and I'd like to thank all of the 150 people who took the time to send feedback and share their ideas. The suggestions covered the whole spectrum of the field, from rootkits, to virus history review, to mobile virus issues, to product pitches. In the end, I ended up talking about the history and the future, and how this is not merely a fight between antivirus companies and virus writers - but a fight between good and evil.

I managed to pack 164 slides into my 40-minute presentation (no joke). As promised, my slides are available for download now.

Here's a short video clip (shot with a Nokia E70):
vb video clip

Signing off,
Mikko



Wednesday, October 11, 2006

Update Considerations Posted by Sean @ 13:49 GMT

Dateline July 2006: Microsoft discontinued update support for Windows 98.

Dateline October 2006: Microsoft discontinued updates for Windows XP Service Pack 1. October 10th's updates were the last that SP1 will receive, and public assisted support for it has ended as well.

WinXP SP2

Service Pack 2 was released in September 2004. So, if you're still running SP1, it's really time to update.

And another thing. We mentioned this last month, but it bears reminding that Microsoft will be pushing Internet Explorer 7 as an automatic update rather soon, perhaps during October. According to the details that we've read, the update will prompt for confirmation before installing. If you have Automatic Updates enabled, be ready for the prompt: back up your settings and favorites, and maybe install a second browser if you don't have one already.

A few weeks ago, we tested installing IE7 RC1 over an IE6 loaded with adware toolbars. The toolbars caused some buggy behavior, but the install completed without trouble. Still, that's a lot of browser installs that will take place when the update is released. Hopefully it will go smoothly.

If you're an admin and your domain isn't ready for IE7 - there's a toolkit available to disable delivery.



Microsoft October Updates Posted by Francis @ 05:24 GMT

Microsoft's monthly updates are now available. There are 6 critical patches; most of them fix remote code execution vulnerabilities in Microsoft Office applications such as PowerPoint, Excel, and Word.

Oct 2006 Update

More details about this month's patches here.

Patch now.



Tuesday, October 10, 2006

Swiss Government Investigates VoIP Tapping Posted by Stefan @ 08:10 GMT

Moritz Leuenberger - Head of UVEK

The Swiss Department of the Environment, Transport, Energy and Communications (UVEK) has started an investigation to determine the possibility of using software to tap VoIP phone calls.

A software prototype to do this has been developed by ERA IT solutions. It doesn't seem that the software would decrypt any of the VoIP traffic itself. Instead, it is a client-side application that would listen to the computer's microphone and speakers to record the VoIP calls. The recordings would be passed back in small packages over the Internet to the police authority. Two ways of installing the software on a suspect's machine have been presented. The first: police covertly install it locally. The second: the suspect's Internet service provider installs it remotely over the Internet. How the latter would be implemented is unknown to us.

If you understand German you can read more at SonntagsZeitung; otherwise Babel Fish can assist you.

F-Secure will most likely add detection for this software if we find it used in the wild. We have previously made a statement about government developed spying programs.



Monday, October 9, 2006

Preview of Second Tuesday Posted by Sean @ 14:33 GMT

October 2006 Advance Notification

Microsoft has eleven security bulletins scheduled for tomorrow's patch Tuesday. They'll be released at approximately 10am PDT (17:00 GMT). That's tomorrow evening for those of us in Europe. So it looks like it will be quite a busy Wednesday morning with a significant number of updates to be installed. Many of them are rated critical.

See here and here for additional details.



Batch of interesting papers Posted by Mikko @ 09:06 GMT

There's this Software Systems Security Group at the Institute for Infocomm Research in Singapore's Agency for Science, Technology and Research (indeed a mouthful).

They have a nice selection of recent academic papers on security research topics.

Titles include:
"Robust Reactions to Potential Day-Zero Worms through Cooperation and Validation"
"Network-Level Polymorphic Shellcode Detection Using Emulation"
"An Active Splitter Architecture for Intrusion Detection and Prevention"
"Defending against Hitlist Worms using Network Address Space Randomization"
"Detecting Targeted Attacks Using Shadow Honeypots"

All this at this handy address: http://s3g.i2r.a-star.edu.sg.



Sunday, October 8, 2006

Denmark targeted Posted by Mikko @ 05:39 GMT

The "Rechnung" spam run keeps up.

We've seen Bzub or Haxdoor variants being spammed since February 2006 in German mails looking like this:

------------------
  Subject: Rechnung
  
  Sehr geehrte Kundin, sehr geehrter Kunde
  
  Rechnung
  
  Die Dateien wurden als Anhang eingefugt und konnen jetzt mit dieser
  Nachricht gesendet werden.
  
  Ich verwende die kostenlose Version von SPAMfighter,
  die bis jetzt 227 Spammails entfernt hat.
  Fur private Anwender ist SPAMfighter vollig kostenlos!
  Jetzt gratis testen: hier klicken.
  
  Attachment: Rechnung.zip

  (English translation: Subject: Invoice. Dear Customer, Invoice. The files
  have been inserted as an attachment and can now be sent with this message.
  I am using the free version of SPAMfighter, which has removed 227 spam
  mails so far. For private users SPAMfighter is completely free! Try it
  free now: click here. Attachment: Rechnung.zip)

------------------

Starting August 14th, we've seen spam runs with the same message translated into Swedish, targeting Sweden:

------------------
  Subject: Rakningen
  
  Bäste Kund!
  
  Räkningen
  
  Filerna är bifogade som en bilaga och kan vidarebefordras
  tillsammans med detta meddelande.
  
  Jag använder en gratis version av SPAMfighter som har fram till nu raderat 227 SPAM-brev.
  SPAMfighter är helt fri för privatbruk.
  Det kan provas nu och gratis: TRYCK HÄR
  
  Attachment: Rakningen.zip

  (English translation: Subject: The invoice. Dear Customer! The invoice.
  The files are attached and can be forwarded together with this message.
  I use a free version of SPAMfighter which has deleted 227 spam messages
  so far. SPAMfighter is completely free for private use. It can be tried
  now and for free: CLICK HERE. Attachment: Rakningen.zip)

------------------

And now, on Friday the 6th of October, we saw the first e-mails with the message translated into Danish:

------------------
  Subject: Regning
  
  Kaere kunder!
  
  Regning
  
  Data er tillagt og sent med denne meddelelse.
  
  Jeg bruger gratis antispamversion, som allerede har fjernt 227 spambreve.
  Antispam er helt gratis for private brugere.
  
  Attachment: Regning.zip

  (English translation: Subject: Invoice. Dear customers! Invoice. Data has
  been attached and sent with this message. I use a free antispam version,
  which has already removed 227 spam mails. Antispam is completely free for
  private users. Attachment: Regning.zip)

------------------

This latest attachment contains Regning.exe, which we detect as Trojan-Downloader.Win32.Small.dwf.

It seems to download additional components from speedest-net.com.
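Both the fake Sony Vaio order confirmation from Friday (order_37679041.exe attached directly) and the Rechnung/Rakningen/Regning runs above (a .zip wrapping an .exe) are caught by the same simple gateway rule: flag any attachment that is an executable, whether by extension, by its MZ header, or by being one inside a zip. The following is an added example, not code from F-Secure; the message it builds is constructed to resemble the Danish run, and the "executable" inside it is just a stub beginning with the MZ header, not real malware:

```python
"""Flag mail attachments that are executables, directly or inside a zip.

Added example, not from the F-Secure posts. The sample message is constructed
to look like the "Regning" run plus a bare .exe attachment like the Sony Vaio
spam; the attached "executables" are 64-byte stubs with an MZ header only.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")
MZ = b"MZ"                 # DOS/PE executable header
ZIP_MAGIC = b"PK\x03\x04"  # zip local file header


def looks_executable(name, data):
    """True if the name has an executable extension or the bytes carry a
    PE/DOS header (catches renamed and double-extension executables too)."""
    name = (name or "").lower()
    return name.endswith(EXECUTABLE_EXTS) or data[:2] == MZ


def scan_message(raw):
    """Return [(attachment name, reason)] findings for one RFC 822 message.

    Zip attachments are opened in memory and each member is checked as well,
    so a Regning.zip wrapping Regning.exe is reported by the inner file name.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if looks_executable(name, data):
            findings.append((name, "executable attachment"))
            continue
        if name.lower().endswith(".zip") or data[:4] == ZIP_MAGIC:
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if looks_executable(member, zf.read(member)):
                            findings.append((f"{name}:{member}", "executable inside zip"))
            except zipfile.BadZipFile:
                # A zip we cannot open is not a clean bill of health.
                findings.append((name, "corrupt zip (cannot inspect)"))
    return findings


def build_sample_message():
    """Constructed message: Danish 'Regning' body, Regning.zip with a stub
    Regning.exe inside, plus a stub order_37679041.exe attached directly."""
    stub_exe = MZ + b"\x00" * 62  # not a real PE, header only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Regning.exe", stub_exe)
    msg = EmailMessage()
    msg["Subject"] = "Regning"
    msg["From"] = "kunde@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg.set_content("Data er tillagt og sent med denne meddelelse.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Regning.zip")
    msg.add_attachment(stub_exe, maintype="application", subtype="octet-stream",
                       filename="order_37679041.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"{reason}: {name}")
```

The check on the MZ header matters as much as the extension list: a renamed Regning.exe.txt or a file with a misleading content type still starts with MZ. Password-protected zips would defeat the inner inspection (ZipFile can list but not read them), which is a reason to quarantine any archive whose members cannot be read rather than to pass it through.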





Copyright © 2006 F-Secure Corporation