I was perusing some of the data put out by the Shadowserver Foundation that tracks botnets. On ...(more)...

A reader wrote in telling use a few big domains (mostly .edu at this point) have had their MX record ...(more)...

Encountering a mobile phone worm "in the wild" has never been a common event. But even less common must be encountering one in the wild while you're giving a presentation on mobile phone security.

Erkki Mustonen (Eki) is a Technical Service Manager here at F-Secure. He's very knowledgeable and frequently handles requests for comment from Finnish journalists regarding AV technologies.

Earlier this week Eki was visiting a customer's premises and was giving a presentation to approximately twenty people. As he was discussing the topic of mobile malware, a quite unexpected demonstration took place. Some of the phones within the room started to flicker simultaneously. Very soon it was determined that connection attempts were being made from a phone located somewhere nearby (but not in the room itself).

What was the source of the commotion? It was Commwarrior.B sending a copy of itself to open Bluetooth connections. Three years old and the worm is still kicking around.

The customer's phones were all Symbian S60 3rd Edition phones with F-Secure Mobile Security installed. So there were no infections and no problems. Commwarrior.B will not install on a S60 3rd Edition phone. Regardless, it wasn't even given the chance.

And the nearby S60 2nd Edition phone with the Commwarrior.B infection? Eki thinks that the phone's owner really should consider installing a security solution…

Here are some screenshots from Eki's Nokia E61i:

On 22/08/08 At 07:36 PM

...(more)...

Two months ago, ISC handler Maarten Van Horenbeeck did a great diary on how to extract exploit conte ...(more)...

Google Chrome in Beta, Vulnerabilities Discovered

Starting again with a pile of Shellcode, one that the bad guys were even friendly enough to label as ...(more)...

Several news sources have been carrying a story about the DEFCON BGP hijack. While that trick ...(more)...

Cisco Security Response: Cisco Secure ACS Denial Of Service Vulnerability A specially crafted R ...(more)...

This morning we saw several spam runs in the country of Denmark. The messages are in Danish and they are sent to Danish e-mail addresses.

The e-mail claims to be from us. It's not.

Here's what the e-mail looks like:

  
   From: supportupdate@f-secure.com
   Date: 26. August 2008 08:31
   Subject: Data er tillagt og sendt med denne meddelelse.
  
   Käre kunder!
  
   Regning
  
   Data er tillagt og sendt med denne meddelelse.
  
   Jeg bruger gratis F-secure antispamversion, som allerede har fjernet 338 spambreve.
  
   Antispam er helt gratis for private brugere.
  
   Attachment: f-secure.rar
  

The attachment contains a file called update26.08.2008.exe, which, when run, drops a file called dcbcg.exe (Unker related trojan) that connects to a server in Ukraine.

We detect this trojan as Trojan:W32/Agent.FVO. More information in the virus description.

The spam run must have been fairly large, as we've received more than 13,000 bounces to supportupdate@f-secure.com from non-existent e-mail addresses alone.

Watch out and pass the word.

Update: Agent.FVO is a downloader.

Yesterday, its C&C server was quiet so there were no additional components for download. Today, the C&C server is pushing out a BZub variant which has been detected as Trojan-Spy.Win32.Bzub.fbm since our 2008-08-25_07 database update.

BZub is a trojan-spy interested in banking details.

On 26/08/08 At 09:44 AM

Wireshark 1.0 ...(more)...

There is an e-mail that went out from GIAC to complete a survey. It uses an IP instead of a na ...(more)...

Google has released their awaited browser, Chrome, in beta. So far it looks to be a Windows-only, bu ...(more)...

(Posted 4 Sep 2008 by BlueVoodoo)

(Posted 4 Sep 2008 by Susenator)

(Posted 4 Sep 2008 by falko)

(Posted 5 Sep 2008 by Ray)

(Posted 5 Sep 2008 by BlueVoodoo)

(Posted 5 Sep 2008 by Susenator)

An online games password-stealer has reportedly made its way onto the International Space Station.

Fortunately for the space station, there's no direct Internet connection, and so therefore no online games to steal from (one hopes). The malware most likely made its way onto the infected ISS laptop via an infected USB drive.

Autorun.inf worms is another way of categorizing such malware. Worm.Win32.AutoRun.bhx is our detection name for their particular variant. Read more about it from the AutoRun.BHX description page.

BBC News has additional details.

On 27/08/08 At 02:58 PM

Fake airplane tickets, greetings cards and credit card receipts…

There's plenty of ZIPped trojans being spammed around. The one that's being seeded right now claims to be a bounced Western Union money transfer.



And the malware inside the ZIP is a ZBot banking trojan variant.

On 28/08/08 At 11:10 AM

The Lab's YouTube channel has been updated:

E:VOLUTION


This "white" video is a sequel to last year's "black".

RE:SOLUTION


Enjoy.

On 01/09/08 At 10:26 AM

So Google's Chrome web browser has been released.

For a change it's nice to see a browser that does not eat all of your memory.

Chrome is going to become popular. That means it will also become an interesting target for malware authors.

Google knows this.



Chrome features sandboxing of each tab, built-in web reputation service, special privacy mode and so on.

For example, here's what it looks like when you try access a known malicious site with Chrome:



However, one security vulnerability has already been found, based on the WebKit engine used inside Chrome.

There will be more issues, especially related to plugins.

We expect Chrome to quickly gather a sizable market share, mostly from existing Firefox users.

On 03/09/08 At 06:54 AM

Today is the official launch day for our 2009 consumer lineup. Lots of work has gone into the launch, and plenty more has gone into the development. We'll have some details on the technology for you later.

In meantime, check out our Online Wellbeing campaign.

On 03/09/08 At 03:51 PM

Digital security is something that human rights activists are concerned about, and they should be…

Here in the lab, we see many examples of targeted malware attacks focused on human rights organizations. Here's one example from September 3rd that ironically uses "digital security training" as the hook.

The spoofed message is very well done; the content uses real names, organizations, e-mail addresses, phone numbers, et cetera.

It looks very legitimate at first glance.



The message was sent to a human rights activist based in USA. There was a Word document attached.

It too uses real names, locations, and so on.



Fortunately, the recipient of this message was knowledgeable enough to avoid opening the attachment. Instead of opening it, he forwarded it to the lab for analysis.

Yep. It was a trap. The Word document had an exploit.

The only thing about this case that seems to indicate "hackers" rather than "spies" is the document's author.



…perhaps the spies are paying the hackers?

Front Line Defenders, mentioned in the e-mail message actually has some very good security advice on their site.

They should perhaps add one more topic — targeted malware attacks.

You can read more on the topic from Wired.com.

P.S. Front Line's Software Installation guide suggests uninstalling ALL unused Windows applications. Great idea.

Human Rights Organizations really concerned with digital security might also consider going one step further by giving something such as Ubuntu a try. It's free, has all of the needed applications, and none of the current exploits being used against activists.

On 05/09/08 At 08:26 PM

Greetings from Las Vegas, it's again that time of the year.



Black Hat 2008 is in full swing and DEF CON will start tomorrow.

On the first day of Black Hat the most popular presentation was, as could be expected, Dan Kaminsky's DNS talk. The room was totally packed while Dan went through in detail what exactly was the story behind the biggest vulnerability announcment of the year.



Dan actually spent most of his talk coming up with creative ways on how to exploit this DNS problem and combine it with other vulnerabilities - quite creative. Bottom line; if DNS doesn't work, pretty much nothing will work.

We have a presentation of our own coming on Sunday at noon in DEF CON, when Teo and Hirosh from our labs will talk about how to fight new types of phishing.



Signing off,
Mikko

On 07/08/08 At 04:15 PM