F-Secure Antivirus Research Weblog

Cat-herding

Zango and the USA's Federal Trade Commission (FTC) reached a settlement last Friday. Zango agreed to pay the FTC $3 million. The agreement also contains language strongly clarifying what is required as consent from installers of Zango's software. See Part V in this PDF.

Zango for its part, wants to raise the bar and to hold their affiliates to a higher standard. Perhaps we're willing to give them the benefit of doubt for the time being…

But it raises the question: Isn't trying to manage such affiliates like cat-herding?

November 6th: Websense reports "Fradulent YouTube video on MySpace installing Zango Cash".

On 07/11/06 At 12:47 PM

Warezov vs System Control

Warezov continues its seemingly endless run, and we continue to add detections apace.

Detection for Warezov.DG was added on October 20th, and today, we added detection for Warezov.GL with database 2006-11-07_04. It's a very busy little bugger and the subject of many unkind words among the researchers.

So, Alexey was curious and tested the GL variant against F-Secure Internet Security 2007's System Control feature. (As we did with the beta). The results were very pleasing: Warezov is still automatically denied and blocked by System Control.

Here's a screenshot of the details:

On 07/11/06 At 10:53 AM

New phishing statistics

Phishtank, a service run by the good folks at OpenDNS, have published their first set of phishing statistics.

Interesting stuff, showing that Paypal and eBay continue to be the most targeted organizations in phishing attacks, but some German banks are climbing up the scales.

Other sources of phishing stats: Netcraft, Ciphertrust and APWG [PDF].

On 06/11/06 At 11:40 AM

Bluetooth cracking

Last Friday Thierry Zoller and Kevin Finistere gave a presentation in the Hack.lu 2006 conference on Bluetooth issues. They also showed a demo of BTCrack, a Windows tool that can crack Bluetooth PIN and Linkkey in almost real-time (assuming it has sniffed the initial pairing).

Full slides are available here.

On 02/11/06 At 06:58 PM

www.citi.bank

How come we never see rogue domains registered under .gov or .mil? You know, like wwwwhitehouse.gov?

Because not everybody can just go and register whatever domain name they want under those top-level domains.

So how come banks and other financial institutes are operating under the public, free-for-everyone top-level domains - such as .com?

This was the question posed to us by our reader William.

He writes: I read the blog about phishing domain names, and I couldn't help but think "how about a .Bank TLD that was only assigned to registered banks"

Indeed.

If the authorities can make this work with registered museums for the .museum domain, why couldn't they make it work with banks for a new top-level domain - such as .bank?

Of course, bad boys could still register similar-sounding domain names to whatever top-level domain they can. But I bet real banks would move their official online banking systems to .bank domains pretty quickly, and eventually people would get used to this.

For reference:
http://the.british.museum
http://smithsonian.museum
http://naturalhistory.london.museum

On 31/10/06 At 10:03 PM

Sub-Zero

We're expecting our first snow any day now in Helsinki… the temperature is below zero (Celsius) and the wind is picking up.

And we're hiring! Welcome.

Update: The application deadline for those positions which were closing on Oct. 30th has been extended.

On 30/10/06 At 04:58 PM

Reselling domain names... for phishing gangs

There's a very active aftermarket in domain names. These are domain names that have already been registered and are now being resold. For example, hell.com and auction.com are being auctioned today to the highest bidders and they are expected to be sold for several million dollars each.

But most domain names are resold for a few hundred or a few thousand dollars (where the original registration price is typically $5 to $15).

The largest domain resellers include Sedo and Moniker.

There's nothing wrong in reselling cool domains like tractors.com, filmlist.com or 4fares.com to anyone who wants to buy them.

But how about reselling domains that obviously belong to banks or other financial institutions?

We made some searches on Sedo.com and found out that they are reselling domains like chasebank-online.com, citi-bank.com and bankofameriuca.com. Now, why would anybody want to buy these domains unless they are the bank themselves - or a phishing scammer? Don't mix these with new registrations: these are existing domain names, already owned by someone - and now being resold via Sedo.

Other examples of obviously fraudulent domain names that are currently being resold:

  americanexpress.cc
  americanexpresscredicard.com
  amex.cc
  citi-bank.info
  citibanconline.com
  ccitibank.com
  paypal-antifraud.com
  chasebank-online.com
  chase-bank-credit-card.info
  bank-of-america.be
  halifax.uk.com
  httpwwwhotmail.com
  https.in
  hsbc-internet-banking.info
  post-bank.com
  mastercard.name
  mastercarding.com
  natwestbank.net
  visacard.us
  visacardcredit.com
  wwwbankofchina.com
  wwwcitifinancial.ca
  wwwpaypal.ca
  www-e-bay.de
  www-ebay.es
  wwwmastercard.com.br
  wamubamk.com
  wamu-online-banking.info
  atmmastercard.com

We also found out that they are reselling accented domain names that have been created using letters "�" and "�" with an apostrophe instead of the normal "a" or "i" to create highly deceptive domain names like v�sa.com, p�ypal.com and payp�l.com. And these three examples are currently for sale to anyone via Sedo.

Domain name resellers should filter out obvious phishing site names.

PS. Here's a rant on registering new bank-related domains.

Updated to add: Sedo responds. Jeremiah Johnston, Sedo's general counsel, says his company wants to "balance the rights of all users" and added that at times, trademark owners "harass a lot of legitimate domain owners." Full article in here.

On 27/10/06 At 01:36 PM

Battery energy drink - Breakfast of champions

Our security labs were profiled in a feature in a local Finnish weekly publication last week.

The story mentioned that during late-night outbreaks we tend to drink lots of Battery, an energy drink.

Then yesterday, to our surprise, a courier delivered us a pallet of Battery. The shipment included a Thank You note from the marketing team at Sinebrychoff, the company behind the drink - apparently they had read the article too. Hey, nice! The drinks will be needed during the weekend if the Warezov virus situation continues as bad as it has been for the past few days.

So… is it really this easy to get free stuff via product endorsements?

If so, we would really like to play around with Nintendo(tm) Wii(tm) game consoles when we're not busy fighting viruses and our shipping address is F-Secure Labs, PL 24, 00181 Helsinki, Finland. Thanks a lot.

On 27/10/06 At 11:41 AM

Puzzle challenge completed

The F-Secure Internet Security 2007 puzzle challenge is over and we have the winners for each continent:

    Europe: Peter Nilsson, Sweden
    North America: Sean Eaton, USA
    South America: Alvaro Steckert Filho, Brazil
    Asia: Kevin Lee, People's Republic of China
    Australia: Daniel Givney, Australia
    Africa: Ashley Ross, South Africa

Congratulations to all of you. We'll be sending you F-Secure Internet Security 2007 via mail.

The challenge was about searching our blog archive for a "hidden puzzle". Those who took the time started to find entries from our blog archives that only contained a jigsaw puzzle piece with no text. Here's a sample entry from July 2004.

If you collected all the pieces and put them together, you ended up with a picture of the F-Secure Internet Security 2007 box… except that one crucial piece of the puzzle was missing. It wasn't linked from any of the blog entries. In fact, this image was on our web site but there was no link to it from anywhere. You had to guess one of the two possible URLs to find it. And over 50 people did.

Once you had all the pieces, you had to put them together. To make this easier, you could actually find the right location of each puzzle part from the image's header information (A3, C4, D1, etc). The completed puzzle image contained this text:

    To Solve:
    Send nerds(e)f-secure.com a plain text e-mail message with the following subject line:
    I Have Way Too Much Free Time! Be Sure.

So that's it concerning the challenge. But what about Antarctica, the 7th continent? We promised a free box to anyone who would e-mail us from there, regardless if they could complete the puzzle or not.

And just few hour later, we got this e-mail, from Jacek Piszczek jr, reprinted with his permission:

    Well, here it is. I really wonder if I'm going to be the first person from
    Antarctica to email you though :)

    Anyway: who am I and what am I doing in Antarctica? My name is Jacek
    Piszczek and I am a member of the 30th Polish Antarctic Expedition. I am in
    charge of the communication equipment as well as all computers, etc. The
    Polish Antarctic H. Arctowski Station is placed in a really beautiful
    Admirality Bay, King George Island, South Shetlands and has operated since 1976.
    Our expedition arrived at 9th of November last year and we are now waiting
    for our supply ship to arrive. The ship will bring the new crew here and
    transport most of us to Argentina.

    A nearest penguin colony is about 500m from the building we live in. They
    returned here about a month ago and are already busy with lying eggs. The
    adelis and gentoos are here already, we're still waiting for chinstraps to
    show up though. This year's spring is pretty surprising - we already had a
    day with temperature near 10C. The glaciers already began to move and
    collapse. We can hear explosion alike noises every couple of hours.

    If you need more info to confirm I'm really there, you could check my small
    blog out ;) It is at http://binaryriot.org/dreamolers/arctowski

    Regards
    --
    Jacek Piszczek jr

The picture above is from Jacek's blog. Pretty cool.

On 25/10/06 At 08:03 PM