F-Secure Antivirus Research Weblog http://www.f-secure.com/weblog/ Weblog of F-Secure Antivirus Research Team en-us Copyright (c) 2005 F-Secure Corporation. All Rights Reserved. Tue, 07 Nov 2006 12:55:37 +0200 Tue, 07 Nov 2006 12:55:37 +0200 weblog@PLEASE-REMOVE-THIS.f-secure.com weblog@PLEASE-REMOVE-THIS.f-secure.com F-Secure Antivirus Research Weblog http://www.f-secure.com/weblog/fsc_weblog_small.gif http://www.f-secure.com/weblog/ 128 Cat-herding http://www.f-secure.com/weblog/#00001014 Zango and the USA's Federal Trade Commission (<a href="http://www.ftc.gov/os/caselist/0523130/">FTC</a>) reached a settlement last Friday. Zango agreed to pay the FTC $3 million. The agreement also contains language strongly clarifying what is required as consent from installers of Zango's software. See Part V in this <a href="http://www.ftc.gov/os/caselist/0523130/0523130agree061103.pdf">PDF</a>.</p><p align="justify"><IMG BORDER="0" SRC="http://www.f-secure.com/weblog/archives/ZangoFTC.png" ALT="www.ftc.gov/os/caselist/0523130/0523130agree061103.pdf"></p><p align="justify">Zango for its part, wants to raise the bar and to hold their affiliates to a higher standard. Perhaps we're willing to give them the benefit of doubt for the time being&hellip;</p><p align="justify">But it raises the question: Isn't trying to manage such affiliates like <a href="http://www3.merriam-webster.com/opendictionary/newword_display_recent.php?id=12215">cat-herding</a>?</p><p align="justify">November 6th: Websense reports "<a href="http://www.websense.com/securitylabs/alerts/alert.php?AlertID=689">Fradulent YouTube video on MySpace installing Zango Cash</a>". <p>On 07/11/06 At 12:47 PM</p> Warezov vs System Control http://www.f-secure.com/weblog/#00001013 <a href="http://www.f-secure.com/v-descs/warezov.shtml">Warezov</a> continues its seemingly endless run, and we continue to add detections apace.</p><p align="justify">Detection for Warezov.DG was added on October 20th, and today, we added detection for Warezov.GL with database 2006-11-07_04. It's a very busy little bugger and the subject of many unkind words among the researchers.</p><p align="justify"><IMG BORDER="0" SRC="http://www.f-secure.com/weblog/archives/WarezovGLDenied.png" ALT="Application was Denied"></p><p align="justify">So, Alexey was curious and tested the GL variant against F-Secure Internet Security 2007's System Control feature. (As we did with the <a href="http://www.f-secure.com/weblog/archives/archive-092006.html#00000970">beta</a>). The results were very pleasing: Warezov is still automatically denied and blocked by System Control.</p><p align="justify">Here's a screenshot of the details:</p><p align="justify"><IMG BORDER="0" SRC="http://www.f-secure.com/weblog/archives/WarezovGLvsSystemControl.png" ALT="Warezov.GL vs System Control"> <p>On 07/11/06 At 10:53 AM</p> New phishing statistics http://www.f-secure.com/weblog/#00001012 Phishtank, a service run by the good folks at <a href="http://en.wikipedia.org/wiki/OpenDNS">OpenDNS</a>, have published their first set of <a href="http://www.phishtank.com/stats/2006/10/">phishing statistics</a>.</p><p align="justify">Interesting stuff, showing that Paypal and eBay continue to be the most targeted organizations in phishing attacks, but some German banks are climbing up the scales.</p><p align="justify"><a href="http://www.phishtank.com/stats/2006/10/"><IMG BORDER="0" SRC="http://www.f-secure.com/weblog/archives/opendns.jpg" ALT="Phishtank Stats"></a></p><p align="justify"><BR>Other sources of phishing stats: <a href="http://toolbar.netcraft.com/stats/countries">Netcraft</a>, <a href="http://www.ciphertrust.com/resources/statistics/phishing.php">Ciphertrust</a> and <a href="http://www.antiphishing.org/reports/apwg_report_August_2006.pdf">APWG [PDF]</a>.</p><p align="justify"><BR><a href="http://www.antiphishing.org/reports/apwg_report_August_2006.pdf"><IMG BORDER="0" SRC="http://www.f-secure.com/weblog/archives/apwg1.jpg" ALT="http://www.antiphishing.org/reports/apwg_report_August_2006.pdf"> </a> <p>On 06/11/06 At 11:40 AM</p> Bluetooth cracking http://www.f-secure.com/weblog/#00001011 Last Friday Thierry Zoller and Kevin Finistere gave a presentation in the <i>Hack.lu 2006</i> conference on Bluetooth issues. They also showed a demo of BTCrack, a Windows tool that can crack Bluetooth PIN and Linkkey in almost real-time (assuming it has sniffed the initial pairing).</p><p align="justify"><a href="http://secdev.zoller.lu/research/bluetoothcracker.htm"><IMG BORDER="0" SRC="http://www.f-secure.com/weblog/archives/btcrack.jpg" ALT="Bluetooth Crack"></a></p><p align="justify">Full slides are available <a href="http://www.hack.lu/images/7/70/Zoller_hack_lu_2006.pdf">here</a>. <p>On 02/11/06 At 06:58 PM</p> www.citi.bank http://www.f-secure.com/weblog/#00001010 How come we never see rogue domains registered under .gov or .mil? You know, like wwwwhitehouse.gov?</p><p align="justify">Because not everybody can just go and register whatever domain name they want under those top-level domains.</p><p align="justify">So how come banks and other financial institutes are operating under the public, free-for-everyone top-level domains - such as .com?</p><p align="justify">This was the question posed to us by our reader William.</p><p align="justify">He writes: <i>I read the blog about phishing domain names, and I couldn't help but think "how about a .Bank TLD that was only assigned to registered banks"</i></p><p align="justify"><IMG ALIGN="RIGHT" HSPACE="11" BORDER="0" SRC="http://www.f-secure.com/weblog/archives/thebritishmuseum.gif" ALT="The British Museum"></p><p align="justify">Indeed.</p><p align="justify">If the authorities can make this work with registered museums for the <b>.museum</b> domain, why couldn't they make it work with banks for a new top-level domain - such as <b>.bank</b>?</p><p align="justify">Of course, bad boys could still register similar-sounding domain names to whatever top-level domain they can. But I bet real banks would move their official online banking systems to .bank domains pretty quickly, and eventually people would get used to this.</p><p align="justify">For reference:<BR><a href="http://the.british.museum">http://the.british.museum</a><BR><a href="http://smithsonian.museum">http://smithsonian.museum</a><BR><a href="http://naturalhistory.london.museum">http://naturalhistory.london.museum</a></p><p align="justify"><IMG BORDER="0" SRC="http://www.f-secure.com/weblog/archives/thebritishmuseum1.gif" ALT="The British Museum"> <p>On 31/10/06 At 10:03 PM</p> Sub-Zero http://www.f-secure.com/weblog/#00001009 We're expecting our first snow any day now in Helsinki&hellip; the temperature is below zero (Celsius) and the wind is picking up.</p><p align="justify">And we're hiring! <a href="http://www.f-secure.com/f-secure/careers.html">Welcome</a>.</p><p align="justify"><a href="http://www.f-secure.com/f-secure/careers.html"><IMG BORDER="0" SRC="http://www.f-secure.com/weblog/archives/hiring.gif" ALT="Join.exe"> </a></p><p align="justify"><b>Update</b>: The application deadline for those positions which were closing on Oct. 30th has been extended. <p>On 30/10/06 At 04:58 PM</p> Reselling domain names... for phishing gangs http://www.f-secure.com/weblog/#00001008 There's a very active aftermarket in domain names. These are domain names that have already been registered and are now being resold. For example, hell.com and auction.com are being auctioned today to the highest bidders and they are expected to be sold for several million dollars each.</p><p align="justify">But most domain names are resold for a few hundred or a few thousand dollars (where the original registration price is typically $5 to $15).</p><p align="justify">The largest domain resellers include Sedo and Moniker.</p><p align="justify">There's nothing wrong in reselling cool domains like tractors.com, filmlist.com or 4fares.com to anyone who wants to buy them.</p><p align="justify">But how about reselling domains that obviously belong to banks or other financial institutions?</p><p align="justify">We made some searches on Sedo.com and found out that they are reselling domains like <b>chasebank-online.com, citi-bank.com</b> and <b>bankofameriuca.com</b>. Now, why would anybody want to buy these domains unless they are the bank themselves - or a phishing scammer? Don't mix these with new registrations: these are existing domain names, already owned by someone - and now being resold via Sedo.</p><p align="justify"><IMG BORDER="0" SRC="http://www.f-secure.com/weblog/archives/citi-bank.gif" ALT="Citi-Bank"></p><p align="justify">Other examples of obviously fraudulent domain names that are currently being resold:</p><p align="justify">&nbsp;&nbsp;<b>americanexpress.cc</b><BR>&nbsp;&nbsp;<b>americanexpresscredicard.com</b><BR>&nbsp;&nbsp;<b>amex.cc</b><BR>&nbsp;&nbsp;<b>citi-bank.info</b><BR>&nbsp;&nbsp;<b>citibanconline.com</b><BR>&nbsp;&nbsp;<b>ccitibank.com</b><BR>&nbsp;&nbsp;<b>paypal-antifraud.com</b><IMG ALIGN="RIGHT" BORDER="0" SRC="http://www.f-secure.com/weblog/archives/sedochase.gif" ALT="Sedo Chase"><BR>&nbsp;&nbsp;<b>chasebank-online.com</b><BR>&nbsp;&nbsp;<b>chase-bank-credit-card.info</b><BR>&nbsp;&nbsp;<b>bank-of-america.be</b><BR>&nbsp;&nbsp;<b>halifax.uk.com</b><BR>&nbsp;&nbsp;<b>httpwwwhotmail.com</b><BR>&nbsp;&nbsp;<b>https.in</b><BR>&nbsp;&nbsp;<b>hsbc-internet-banking.info</b><BR>&nbsp;&nbsp;<b>post-bank.com</b><BR>&nbsp;&nbsp;<b>mastercard.name</b><BR>&nbsp;&nbsp;<b>mastercarding.com</b><BR>&nbsp;&nbsp;<b>natwestbank.net</b><BR>&nbsp;&nbsp;<b>visacard.us</b><BR>&nbsp;&nbsp;<b>visacardcredit.com</b><BR>&nbsp;&nbsp;<b>wwwbankofchina.com</b><BR>&nbsp;&nbsp;<b>wwwcitifinancial.ca</b><BR>&nbsp;&nbsp;<b>wwwpaypal.ca</b><BR>&nbsp;&nbsp;<b>www-e-bay.de</b><BR>&nbsp;&nbsp;<b>www-ebay.es</b><BR>&nbsp;&nbsp;<b>wwwmastercard.com.br</b><BR>&nbsp;&nbsp;<b>wamubamk.com</b><BR>&nbsp;&nbsp;<b>wamu-online-banking.info</b><BR>&nbsp;&nbsp;<b>atmmastercard.com</b></p><p align="justify">We also found out that they are reselling accented domain names that have been created using letters "" and "" with an apostrophe instead of the normal "a" or "i" to create highly deceptive domain names like <b>vsa.com, pypal.com</b> and <b>paypl.com</b>. And these three examples are currently for sale to anyone via Sedo.</p><p align="justify">Domain name resellers should filter out obvious phishing site names.</p><p align="justify">PS. <a href="http://www.f-secure.com/weblog/archives/archive-032006.html#00000845">Here's</a> a rant on registering new bank-related domains.</p><p align="justify"><b>Updated to add</b>: Sedo responds. Jeremiah Johnston, Sedo's general counsel, says his company wants to "balance the rights of all users" and added that at times, trademark owners "harass a lot of legitimate domain owners." Full article <a href="http://www.techweb.com/showArticle.jhtml?articleID=193402987">in here</a>. <p>On 27/10/06 At 01:36 PM</p> Battery energy drink - Breakfast of champions http://www.f-secure.com/weblog/#00001007 Our security labs were profiled in a <a href="http://www.suomenkuvalehti.fi/?id=8369">feature</a> in a local Finnish weekly publication last week.</p><p align="justify">The story mentioned that during late-night outbreaks we tend to drink lots of Battery, an energy drink.</p><p align="justify">Then yesterday, to our surprise, a courier delivered us a pallet of Battery. The shipment included a Thank You note from the marketing team at Sinebrychoff, the company behind the drink - apparently they had read the article too. Hey, nice! The drinks will be needed during the weekend if the Warezov virus situation continues as bad as it has been for the past few days.</p><p align="justify"><IMG BORDER="0" SRC="http://www.f-secure.com/weblog/archives/battery.jpg" ALT="Battery"></p><p align="justify">So&hellip; is it really this easy to get free stuff via product endorsements?</p><p align="justify">If so, we would really like to play around with Nintendo(tm) Wii(tm) game consoles when we're not busy fighting viruses and our shipping address is F-Secure Labs, PL 24, 00181 Helsinki, Finland. Thanks a lot. <p>On 27/10/06 At 11:41 AM</p> Puzzle challenge completed http://www.f-secure.com/weblog/#00001006 The F-Secure Internet Security 2007 puzzle challenge is over and we have the winners for each continent:</p><p align="justify"><IMG ALIGN="RIGHT" HSPACE="11" BORDER="0" SRC="http://www.f-secure.com/weblog/archives/jig3.jpg" ALT="Jigsaw Piece"></p><p align="justify">&nbsp;&nbsp;&nbsp;&nbsp;Europe: <b>Peter Nilsson</b>, Sweden<BR>&nbsp;&nbsp;&nbsp;&nbsp;North America: <b>Sean Eaton</b>, USA<BR>&nbsp;&nbsp;&nbsp;&nbsp;South America: <b>Alvaro Steckert Filho</b>, Brazil<BR>&nbsp;&nbsp;&nbsp;&nbsp;Asia: <b>Kevin Lee</b>, People's Republic of China<BR>&nbsp;&nbsp;&nbsp;&nbsp;Australia: <b>Daniel Givney</b>, Australia<BR>&nbsp;&nbsp;&nbsp;&nbsp;Africa: <b>Ashley Ross</b>, South Africa</p><p align="justify">Congratulations to all of you. We'll be sending you F-Secure Internet Security 2007 via mail.</p><p align="justify">The challenge was about searching our blog archive for a "hidden puzzle". Those who took the time started to find entries from our blog archives that only contained a jigsaw puzzle piece with no text. Here's <a href="http://www.f-secure.com/weblog/archives/archive-072004.html#00000236">a sample entry</a> from July 2004.</p><p align="justify">If you collected all the pieces and put them together, you ended up with a picture of the F-Secure Internet Security 2007 box&hellip; except that one crucial piece of the puzzle was missing. It wasn't linked from any of the blog entries. In fact, this image was on our web site but there was no link to it from anywhere. You had to guess one of the two possible URLs to find it. And over 50 people did.</p><p align="justify"><IMG BORDER="1" SRC="http://www.f-secure.com/weblog/archives/jig1.jpg" ALT="Jigsaw Piece"></p><p align="justify">Once you had all the pieces, you had to put them together. To make this easier, you could actually find the right location of each puzzle part from the image's header information (A3, C4, D1, etc). The <a href="http://www.f-secure.com/weblog/archives/ajigsaw.jpg">completed puzzle image</a> contained this text:</p><p align="justify">&nbsp;&nbsp;&nbsp;&nbsp;To Solve: <BR>&nbsp;&nbsp;&nbsp;&nbsp;Send nerds(e)f-secure.com a plain text e-mail message with the following subject line: <BR>&nbsp;&nbsp;&nbsp;&nbsp;I Have Way Too Much Free Time! Be Sure.</p><p align="justify">&nbsp;</p><p align="justify">So that's it concerning the challenge. But what about Antarctica, the 7th continent? We promised a free box to anyone who would e-mail us from there, regardless if they could complete the puzzle or not.</p><p align="justify">And just few hour later, we got this e-mail, from Jacek Piszczek jr, reprinted with his permission:</p><p align="justify"><BR>&nbsp;&nbsp;&nbsp;&nbsp;Well, here it is. I really wonder if I'm going to be the first person from<BR>&nbsp;&nbsp;&nbsp;&nbsp;Antarctica to email you though :)<BR>&nbsp;&nbsp;&nbsp;&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp;Anyway: who am I and what am I doing in Antarctica? My name is Jacek<BR>&nbsp;&nbsp;&nbsp;&nbsp;Piszczek and I am a member of the 30th Polish Antarctic Expedition. I am in<BR>&nbsp;&nbsp;&nbsp;&nbsp;charge of the communication equipment as well as all computers, etc. The<BR>&nbsp;&nbsp;&nbsp;&nbsp;Polish Antarctic H. Arctowski Station is placed in a really beautiful<BR>&nbsp;&nbsp;&nbsp;&nbsp;Admirality Bay, King George Island, South Shetlands and has operated since 1976.<BR>&nbsp;&nbsp;&nbsp;&nbsp;Our expedition arrived at 9th of November last year and we are now waiting<BR>&nbsp;&nbsp;&nbsp;&nbsp;for our supply ship to arrive. The ship will bring the new crew here and<BR>&nbsp;&nbsp;&nbsp;&nbsp;transport most of us to Argentina.<BR>&nbsp;&nbsp;&nbsp;&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp;A nearest penguin colony is about 500m from the building we live in. They<BR>&nbsp;&nbsp;&nbsp;&nbsp;returned here about a month ago and are already busy with lying eggs. The<BR>&nbsp;&nbsp;&nbsp;&nbsp;adelis and gentoos are here already, we're still waiting for chinstraps to<BR>&nbsp;&nbsp;&nbsp;&nbsp;show up though. This year's spring is pretty surprising - we already had a<BR>&nbsp;&nbsp;&nbsp;&nbsp;day with temperature near 10C. The glaciers already began to move and<BR>&nbsp;&nbsp;&nbsp;&nbsp;collapse. We can hear explosion alike noises every couple of hours.<BR>&nbsp;&nbsp;&nbsp;&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp;If you need more info to confirm I'm really there, you could check my small<BR>&nbsp;&nbsp;&nbsp;&nbsp;blog out ;) It is at http://binaryriot.org/dreamolers/arctowski<BR>&nbsp;&nbsp;&nbsp;&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp;Regards<BR>&nbsp;&nbsp;&nbsp;&nbsp;-- <BR>&nbsp;&nbsp;&nbsp;&nbsp;Jacek Piszczek jr</p><p align="justify"><IMG BORDER="0" SRC="http://www.f-secure.com/weblog/archives/belvedere.jpg" ALT="Belvedere"></p><p align="justify">The picture above is from <a href="http://binaryriot.org/dreamolers/arctowski">Jacek's blog</a>. Pretty cool. <p>On 25/10/06 At 08:03 PM</p>