Security and Virus Related News

  • Darkmarket Avatars 10 Mar 2010 | 6:44 am

    As "JiLsi" — one of the online criminals from Darkmarket — was sentenced last week to almost five years in prison, we have received some media queries on the case.

    In particular, one journalist wanted to know what JiLsi (aka Renu Subramaniam), Matrix001 (aka Markus Kellerer) and Cha0 (aka Çağatay Evyapan) looked like when they were posting to the Darkmarket forum.

    So I went back to my notes and dug up example posts from the guys, complete with their avatar icons. Perhaps these are interesting for our blog readers too.

    Darkmarket matrix001

    Darkmarket JiLsi

    Darkmarket cha0

    Darkmarket matrix

    Cheers,
    Mikko

    On 08/03/10 At 11:19 AM

  • Analyzing PDF Files 10 Mar 2010 | 6:44 am

    We've been seeing a gradual shift in malicious PDF file coding (no surprise there, we know malware authors can and do adapt their techniques).

    For a long time, we saw malicious PDF files that were simple enough to allow us to readily decipher the intent of the malicious code — shell code, download/execute, drop and load, et cetera.

    Now we're seeing more and more complex obfuscation being used, which requires us to break down the PDF file. This can make an analyst's daily life more miserable, or more interesting, especially as the obfuscation can bypass automated analysis tools and even AV detectors.

    One technique I've encountered in the last few months uses Adobe-specific JavaScript objects such as getPageNthWord and getPageNumWords. Here's a screenshot of one example:

    Obfuscated

    Note how it uses old-school style spacings. Comments in the notepad were added for easier readability.

    Anyway, once this is normalized, it becomes something much easier to read and analyze:

    Normalized

    An interesting analysis about PDF obfuscation is also available at SANS.
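The normalization step above is mostly mechanical, so here is an added example (not code from the post or from F-Secure) of the helper an analyst can script for it: it resolves getPageNthWord / getPageNumWords calls against the words already dumped from the page, then tidies the irregular spacing so the real control flow is visible, and it also lists which page-text APIs a script calls as a triage signal. The page-word list and the obfuscated snippet are constructed; treating an out-of-range word index as an empty string is an assumption made here, not Acrobat's documented behaviour.

```python
import re

# Constructed stand-in for the visible text of page 0 of a PDF: the words an
# analyst would dump from the page, in order. Acrobat's getPageNthWord(0, n)
# returns PAGES[0][n] for such a page; getPageNumWords(0) returns len(PAGES[0]).
PAGES = {
    0: ["Quarterly", "alert", "report", "is", "attached", "Normalized", "below"],
}

# Constructed obfuscated snippet in the style the post describes: the script
# pulls its own identifiers out of the page text at run time and uses
# irregular spacing. Once resolved it is a harmless app.alert() call.
OBFUSCATED = """\
var   fn = app [ this . getPageNthWord ( 0 , 1 ) ] ;
var n = this . getPageNumWords ( 0 ) ;
var msg = this.getPageNthWord( 0 ,5 , true ) + " words: " + n ;
fn ( msg ) ;
"""

# Acrobat-specific calls that read the page's own text; their presence in a
# PDF's JavaScript is a triage signal worth surfacing before any deobfuscation.
PAGE_TEXT_APIS = ("getPageNthWord", "getPageNumWords")

NTH_WORD_RE = re.compile(
    r"this\s*\.\s*getPageNthWord\s*\(\s*(\d+)\s*,\s*(\d+)\s*(?:,\s*\w+\s*)?\)")
NUM_WORDS_RE = re.compile(r"this\s*\.\s*getPageNumWords\s*\(\s*(\d+)\s*\)")
STRING_RE = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'')


def page_text_api_hits(js):
    """Names from PAGE_TEXT_APIS that the script calls, for triage."""
    return sorted(name for name in PAGE_TEXT_APIS
                  if re.search(r"\b%s\s*\(" % name, js))


def resolve_page_lookups(js, pages):
    """Replace page-text lookups with the literal values they would return.

    pages maps a page index to that page's word list. An index past the end
    of the page is treated as an empty string (an assumption made here, not
    documented Acrobat behaviour).
    """
    def nth_word(m):
        words = pages.get(int(m.group(1)), [])
        idx = int(m.group(2))
        word = words[idx] if idx < len(words) else ""
        return '"' + word.replace("\\", "\\\\").replace('"', '\\"') + '"'

    js = NTH_WORD_RE.sub(nth_word, js)
    return NUM_WORDS_RE.sub(lambda m: str(len(pages.get(int(m.group(1)), []))), js)


def _squeeze(code):
    """Canonical spacing for a stretch of code that contains no string literal."""
    code = re.sub(r"[ \t]+", " ", code)
    code = re.sub(r" ?\. ?", ".", code)
    code = re.sub(r" ?([(\[]) ?", r"\1", code)
    code = re.sub(r" ?([)\],;])", r"\1", code)
    code = re.sub(r", ?", ", ", code)
    code = re.sub(r" ?(?<![=!<>+\-*/%&|^])=(?!=) ?", " = ", code)
    return code


def tidy_spacing(js):
    """Apply _squeeze between string literals, leaving the literals untouched."""
    out, pos = [], 0
    for m in STRING_RE.finditer(js):
        out.append(_squeeze(js[pos:m.start()]))
        out.append(m.group(0))
        pos = m.end()
    out.append(_squeeze(js[pos:]))
    return "".join(out)


def normalize(js, pages):
    """Resolve page-text lookups, then tidy spacing and strip line padding."""
    js = tidy_spacing(resolve_page_lookups(js, pages))
    js = re.sub(r"[ \t]+$", "", js, flags=re.M)
    return re.sub(r"^[ \t]+", "", js, flags=re.M)


if __name__ == "__main__":
    print("page-text APIs used:", page_text_api_hits(OBFUSCATED))
    print(normalize(OBFUSCATED, PAGES))
```

Run as a script it prints the two API names and the four-line normalized script. The lookups are resolved before the spacing pass because the call-site regexes already tolerate the odd spacing, and the string literals produced by resolution must be left alone by the spacing pass.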

    Response post by — Zimry

    On 01/03/10 At 10:11 AM

  • RSA Conference 2010 10 Mar 2010 | 6:44 am

    Moscone Center, San Francisco, USA is the site of this week's RSA Conference 2010. It's the world's largest information security industry conference with well over 10,000 attendees. For some perspective on just how big it is: there are 19 different tracks of talks going on at the same time given by 556 speakers.

    This year we have three talks being presented by fellows of F-Secure:

    RSA USA 2010 Session Catalog

    Mikko has two presentations, "Case m00p" and "Mobile Malware in 2010".

    Antti and Kimmo are presenting "Rootkits in the Real World Today".

    Browse through RSA's session catalog here.

    On 01/03/10 At 04:56 PM

  • PDF Based Targeted Attacks are Increasing 10 Mar 2010 | 6:44 am

    Microsoft schedules its security updates on the second Tuesday of the month. Adobe recently began following this schedule as well, and while there are no Adobe updates today, there was an out-of-cycle security update two weeks ago.

    That update should now be applied if you haven't already done so.

    Why?

    Because we're now seeing the vulnerability (CVE-2010-0188) being exploited in targeted attacks (Microsoft also).

    Our sample was submitted by a European financial organization and the file name includes a reference to the G20. The exploit drops a downloader and attempts to make a connection to tiantian.ninth.biz. We detect this attack as Exploit:W32/PDFExploit.G.

    It doesn't surprise us to see this Adobe Reader vulnerability utilized so quickly.

    Looking through our sample management system, we see a growing number of targeted attack files.

    There were 1968 files in 2008. The number was 2195 during the year 2009. That isn't a very large increase in the overall total from 2008 to 2009 but we did see a greater percentage targeting Adobe.

    And how about the first two months of 2010?

    Well, so far the number is 895, which will more than double last year's number if the current pace continues.

    The percentage targeting Adobe Reader continues to rise.

    Here's a graph with a breakdown of the most common attack vectors used in targeted (espionage) attacks:

    Targeted attacks 2008, 2009, 2010 (Jan/Feb)

    Updated to add: A couple of readers noticed that our graph's 2009 percentages were slightly off — it's been corrected.

    On 09/03/10 At 03:30 PM

  • The Morphing PDF 10 Mar 2010 | 6:44 am

    Just when we thought SEO using Flash was as interesting as SEO poisoning can get, it seems it's getting even sneakier…

    Imagine a PDF file posted by someone evil online. Of course, Google being Google, the file is recognized as a PDF.

    Joe Corvo

    And when we open it, it really is a PDF. No evil codes inside, just a good old vanilla PDF file.

    Joe Corvo PDF

    Three hours later… Google still says the file is a PDF. Brod (one of our geeky guys here) is attributing this to Google's cache.

    Joe Corvo, 3hrs later

    But is it really a PDF this time around?

    Joe Corvo HTML

    It morphed! And it even has different topics this time. Topics which, when you follow them, will lead you to another PDF:

    Jay Polhill PDF

    At least for a few hours before it becomes…

    Jay Polhill HTML

    It's a vicious cycle, but a pretty neat trick. Who would suspect a non-malicious PDF file, right? At least before it becomes an HTML file. And the end result is a rogue antivirus scam.

    Response post by — Christine and Mina

    On 05/03/10 At 07:00 AM

  • R.I.P. Waledac? 10 Mar 2010 | 6:44 am

    Microsoft took a stab at Waledac bots last April when they added detection to their Malicious Software Removal Tool (MSRT).

    The MSRT is part of their monthly Microsoft Updates package.

    Well this week, Microsoft is going after the Waledac botnet en masse, by taking down 277 dot.com Command & Control servers.

    microsoft's waledac map

    Kudos to Microsoft. We hope this endeavor is successful.

    We haven't yet seen a drop in spam or bot samples, but we're waiting and watching.

    It will likely take some time for the bodies to stop moving around even though the heads have been cut off.

    They are zombies after all…

    On 25/02/10 At 02:19 PM

  • I'm Feeling Lucky? 10 Mar 2010 | 6:44 am

    Criminals like to attack the biggest target because BIGGER generally provides a better Return On Investment (ROI). Windows is a good example. Mac is indeed safer than Windows but it isn't necessarily because Mac is more secure. Windows has a larger market share and that equals more potential victims.

    How about search engines? What is the biggest search engine on the block? Google — and the bad guys know it. The result?

    It's becoming less and less safe to search via Google.

    Yesterday, I was testing Internet Explorer 8 and made a typo in the address bar. Instead of update.microsoft.com I used updates.

    There is no such domain, so Microsoft Bing kicked in and I ended up with the following search results:

    I'm feeling lucky?

    What? No results?!?

    So I searched for updates.microsoft.com with Google.

    I'm feeling lucky?

    Did I mean update? Yeah, I guess so… Thanks.

    Bing's results seemed sort of odd so I examined the settings and it turned out to be some idiosyncrasy of Finnish based results.

    Changing the settings to the United States produced the following:

    I'm feeling lucky?

    Better.

    I continued testing Bing. Here's a Bing search for microsoft updates:

    I'm feeling lucky?

    84,700,000 results.

    Here's a Google search for the same:

    I'm feeling lucky?

    90,900,000 results.

    But how about something timely? Using Google trends, I found a hot search topic.

    Minnesota's appliance rebate program has 5m dollars to give its citizens for buying energy efficient appliances, e.g. refrigerators.

    The program launched on Monday and its web site was quickly overwhelmed; the event generated many searches.

    Here's the Bing search for "mn appliance rebate":

    I'm feeling lucky?

    25,300 results.

    And Google?

    I'm feeling lucky?

    31,300 results.

    But here's an important difference — I didn't find any harmful links from Bing's results.

    Google, on the other hand, had many bad links. This was the sixth result on the first page:

    I'm feeling lucky?

    Clicking the link launched a rogue scam:

    I'm feeling lucky?

    And then I was given the typical scan scam crap that is so profitable for the bad guys:

    I'm feeling lucky?

    The site pushed this file:

    I'm feeling lucky?

    It's now detected as Rogue:W32/FakeAlert.LB.

    The folks at Google work hard to filter out harmful search results, but it's a difficult task.

    The bad guys are constantly working against Google and they often get past their defenses long enough to infect victims. So what can you do to stay safe? Avoid monoculture — try something else.

    Because soon enough… Bing just might be the search engine that you want to bring home to your mom.

    Google has been around and is simply receiving too much attention from the wrong sorts of guys.

    Ask yourself this: Do you feel lucky?

    I'm feeling lucky?

    Signing off,
    Sean

    On 02/03/10 At 04:24 PM

  • Pwn2Own Interview with Charlie Miller 10 Mar 2010 | 6:44 am

    Charlie Miller, the Pwn2Own contest winner for two years in a row, gives his take on Internet security. Guess what — your Mac OS is no less vulnerable than its Microsoft Windows counterpart.


    Windows 7 or Snow Leopard, which of these two commercial OS will be harder to hack and why?


    Windows 7 is slightly more difficult because it has full ASLR (address space layout randomization) and a smaller attack surface (for example, no Java or Flash by default). Windows used to be much harder because it had full ASLR and DEP (data execution prevention). But recently, a talk at Black Hat DC showed how to get around these protections in a browser in Windows.


    No operating system and browser is immune to an attack. And, Flash is the bane of security (well, one of them anyway).


    In your opinion, which is the safer combination OS+browser to use?


    That's a good question. Chrome or IE8 on Windows 7 with no Flash installed. There probably isn't enough difference between the browsers to get worked up about. The main thing is not to install Flash!


    The interview was conducted by Matteo Campofiorito at OneITSecurity. You can read the full version here.

    On 02/03/10 At 03:42 AM

  • Desperate Phishing Attempt 10 Mar 2010 | 6:44 am

    Somebody is trying to pose as us. If you see an email like the one below, please ignore it:

         From: security@f-secure.com
         Reply-To: securitysupport@hotxf.com
         Subject: Security Maintenance.F-Secure HTK4S
         Date: Fri, 5 Mar 2010 18:11:05 -0000
         To: undisclosed-recipients:;
         
         Dear Email Subscriber,
         
         Your e-mail account needs to be improved with our new
         F-Secure HTK4S anti-virus/anti-spam 2010-version.
         Fill in the columns below or your account will be
         temporarily excluded from our services.
         
         E-mail Address:
         Password:
         Phone Number:
         
         Please note that your password is encrypted
         with 1024-bit RSA keys for increased security.
         
         Management.
         
         Copyright 2009. All Rights Reserved.

    Before you ask: No, we've never heard of "F-Secure HTK4S anti-virus" either.
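The headers quoted above carry the tell-tale signs on their own: the From address claims one domain while Reply-To points at another, the recipient list is hidden, and the body asks for a password under time pressure. As an added example (not code from the post or from F-Secure), here is a small triage function that scores a raw message on exactly those signals; the messages it runs over are constructed, reproducing the quoted headers with a shortened body, and the keyword lists are assumptions chosen for this illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed raw message reproducing the headers quoted in the post, with the
# body shortened. RAW_LEGIT is a constructed benign message for comparison.
RAW_PHISH = """\
From: security@f-secure.com
Reply-To: securitysupport@hotxf.com
Subject: Security Maintenance.F-Secure HTK4S
Date: Fri, 5 Mar 2010 18:11:05 -0000
To: undisclosed-recipients:;

Dear Email Subscriber,

Fill in the columns below or your account will be
temporarily excluded from our services.

E-mail Address:
Password:
Phone Number:
"""

RAW_LEGIT = """\
From: newsletter@example.org
Reply-To: newsletter@example.org
Subject: March newsletter
To: reader@example.net

Here is this month's newsletter. No action is needed.
"""

# Form fields a vendor never asks for by e-mail, and pressure phrases that
# push the reader to act before thinking (both lists are assumptions).
CREDENTIAL_PROMPTS = ("password:", "pin:", "card number:")
PRESSURE_PHRASES = ("or your account will be", "temporarily excluded", "suspended")


def _domain(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw):
    """Return the list of heuristic findings for one RFC 822 message.

    Each finding is a short string; an empty list means nothing fired.
    A Reply-To mismatch also fires on some legitimate list mail, so treat
    the output as triage signals rather than a verdict.
    """
    msg = message_from_string(raw)
    findings = []

    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to domain %s differs from From domain %s"
                        % (reply_domain, from_domain))

    if (msg.get("To") or "").strip().lower().startswith("undisclosed-recipients"):
        findings.append("recipient list hidden (undisclosed-recipients)")

    body = msg.get_payload() if not msg.is_multipart() else ""
    body = body.lower()
    for prompt in CREDENTIAL_PROMPTS:
        if prompt in body:
            findings.append("body asks for a credential (%r)" % prompt)
    for phrase in PRESSURE_PHRASES:
        if phrase in body:
            findings.append("pressure wording (%r)" % phrase)
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", RAW_PHISH), ("legit", RAW_LEGIT)):
        print(label, phishing_indicators(raw))
```

The From header is trivially forgeable, which is why the check compares it against Reply-To rather than trusting it: a sender who wants replies to land somewhere other than the spoofed address has to reveal that somewhere.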

    On 05/03/10 At 10:26 PM

  • How are ATM skimmers installed? 10 Mar 2010 | 6:44 am

    ATM skimmers are installed like this:

    Skimmer install

    Video source: Spiegel.de & German Federal Criminal Office (Bundeskriminalamt)

    On 10/03/10 At 12:06 PM

  • MS10-016 - Important: Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (975561) 9 Mar 2010 | 3:00 am

    Bulletin Severity Rating: Important - This security update addresses a privately reported vulnerability in Windows Movie Maker and Microsoft Producer 2003. Windows Live Movie Maker, which is available for Windows Vista and Windows 7, is not affected by this vulnerability. The vulnerability could allow remote code execution if an attacker sent a specially crafted Movie Maker or Microsoft Producer project file and persuaded the user to open the specially crafted file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • MS10-017 - Important: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (980150) 9 Mar 2010 | 3:00 am

    Bulletin Severity Rating: Important - This security update resolves seven privately reported vulnerabilities in Microsoft Office Excel. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • MS10-015 - Important: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) 9 Feb 2010 | 3:00 am

    Bulletin Severity Rating: Important - This security update resolves one publicly disclosed and one privately reported vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on to the system and then ran a specially crafted application. To exploit either vulnerability, an attacker must have valid logon credentials and be able to log on locally. The vulnerabilities could not be exploited remotely or by anonymous users.

  • MS10-014 - Important: Vulnerability in Kerberos Could Allow Denial of Service (977290) 9 Feb 2010 | 3:00 am

    Bulletin Severity Rating: Important - This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a specially crafted ticket renewal request is sent to the Windows Kerberos domain from an authenticated user on a trusted non-Windows Kerberos realm. The denial of service could persist until the domain controller is restarted.

  • MS10-010 - Important: Vulnerability in Windows Server 2008 Hyper-V Could Allow Denial of Service (977894) 9 Feb 2010 | 3:00 am

    Bulletin Severity Rating: Important - This security update resolves a privately reported vulnerability in Windows Server 2008 Hyper-V and Windows Server 2008 R2 Hyper-V. The vulnerability could allow denial of service if a malformed sequence of machine instructions is run by an authenticated user in one of the guest virtual machines hosted by the Hyper-V server. An attacker must have valid logon credentials and be able to log on locally into a guest virtual machine to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

  • MS10-009 - Critical: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145) 9 Feb 2010 | 3:00 am

    Bulletin Severity Rating: Critical - This security update resolves four privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if specially crafted packets are sent to a computer with IPv6 enabled. An attacker could try to exploit the vulnerability by creating specially crafted ICMPv6 packets and sending the packets to a system with IPv6 enabled. This vulnerability may only be exploited if the attacker is on-link.

  • MS10-003 - Important: Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution (978214) 9 Feb 2010 | 3:00 am

    Bulletin Severity Rating: Important - This security update resolves a privately reported vulnerability in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • MS10-008 - Critical: Cumulative Security Update of ActiveX Kill Bits (978262) 9 Feb 2010 | 3:00 am

    Bulletin Severity Rating: Critical - This security update addresses a privately reported vulnerability for Microsoft software. This security update is rated Critical for all supported editions of Microsoft Windows 2000 and Windows XP, Important for all supported editions of Windows Vista and Windows 7, Moderate for all supported editions of Windows Server 2003, and Low for all supported editions of Windows Server 2008 and Windows Server 2008 R2.

  • MS10-007 - Critical: Vulnerability in Windows Shell Handler Could Allow Remote Code Execution (975713) 9 Feb 2010 | 3:00 am

    Bulletin Severity Rating: Critical - This security update resolves a privately reported vulnerability in Microsoft Windows 2000, Windows XP, and Windows Server 2003. Other versions of Windows are not impacted by this security update. The vulnerability could allow remote code execution if an application, such as a Web browser, passes specially crafted data to the ShellExecute API function through the Windows Shell Handler.

  • MS10-013 - Critical: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977935) 9 Feb 2010 | 3:00 am

    Bulletin Severity Rating: Critical - This security update resolves a privately reported vulnerability in Microsoft DirectShow. The vulnerability could allow remote code execution if a user opened a specially crafted AVI file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • Stration downloader 5 Oct 2009 | 9:50 am

    A new Stration downloader was seeded this morning using mail messages whose subject and body are variable and which contain two attachments: one with a PDF extension and a second with an EXE extension, which is 4096 bytes in size and is the downloader itself. AVG detects this threat as Trojan horse Downloader.Generic6.PFM. The downloader tries to download and install Stration on the affected system, but the Stration download link is no longer active. More information about the Stration worm family can be found in the Virus Encyclopedia.

  • I-Worm/Stration downloader 5 Oct 2009 | 9:50 am

    The latest Stration downloader spreads by email in messages with a randomly generated subject and body, with one EXE and one PDF file attached. The EXE file is 20992 bytes in size and is the downloader itself; AVG detects it as I-Worm/Stration.FJA. The file the downloader tries to download is already detected as I-Worm/Stration. More information about the Stration worm family can be found in the Virus Encyclopedia.

  • Downloader.Tibs 5 Oct 2009 | 9:50 am

    A new Downloader.Tibs variant is spreading today thanks to massive spamming. Infected emails contain an attachment about 130-140 kB long, usually named happy2008.exe, which is the trojan horse itself. There are also emails with links directing users to malicious web pages. The files are already detected as Downloader.Tibs.

  • I-Worm/Stration downloader 5 Oct 2009 | 9:50 am

    The next Stration downloader variant spreads by email in messages with a randomly generated subject and body and two attachments. The PDF attachment is harmless, but the EXE attachment, 18708 bytes long, is the downloader itself, and AVG detects it as I-Worm/Stration. More information about the Stration worm family can be found in the Virus Encyclopedia.

  • Trojan Downloader.Agent.UZM 5 Oct 2009 | 9:50 am

    A new Trojan Downloader was spammed today. The trojan is attached in a zip archive to HTML-format emails with the subject "Hot game" and body text advertising some Angelina Jolie or Lara Croft undressing game. The xgame.zip attachment contains xgame.exe (20992B), which drops, executes and deletes the kernel driver C:\WINDOWS\System32\drivers\runtime.sys and downloads another downloader, smartdrv.exe. runtime.sys runs, injects into and hides an Iexplore.exe process and downloads further components. xgame.exe is detected as Trojan Downloader.Agent.UZM, smartdrv.exe as Trojan Downloader.Agent.UZN, runtime.sys as Trojan Downloader.Agent.THW, and the other downloaded components as several variants of Trojan Backdoor.Ntrootkit.

  • I-Worm/Nuwar 5 Oct 2009 | 9:50 am

    The new Nuwar variant's spreading method is similar to last month's Nuwar.L propagation. The spammed emails are brief and contain a link, in IP-address form, to currently working pages hosting the worm. The compromised page's code has been changed, and as a result the user is prompted to download a file containing the worm. The downloaded file name is valentine.exe; it is about 110-130 kB long and is detected by AVG as I-Worm/Nuwar.N.

  • Win32/Mabezat.A 5 Oct 2009 | 9:50 am

    In the last few days we've registered a larger number of PE files infected by this virus. Win32/Mabezat is a polymorphic file infector that infects PE files. More information can be found in our Virus Encyclopedia.

  • I-Worm/Nuwar 5 Oct 2009 | 9:50 am

    We have a new wave of spammed mail messages containing a link directing users to a website from which the worm can be downloaded. The emails contain a short text and the IP address of currently working pages hosting the worm. In this case the downloaded file name is withlove.exe and it is about 115 kB in size. The websites and worm files change every few minutes. AVG detects withlove.exe as I-Worm/Nuwar.L.

  • I-Worm/Nuwar 5 Oct 2009 | 9:50 am

    The propagation method of the new Nuwar variant is still similar to that of its predecessors. Spammed mails with a link in IP-address form direct users to the worm's web pages, where they are prompted to download one of the worm files, named funny.exe. Other downloadable file names are kickme.exe and foolsday.exe. AVG detects this threat as I-Worm/Nuwar.R.

  • Backdoor.Win32.Clampi.a 25 Sep 2009 | 7:51 am

    This Trojan spy program is designed to steal confidential user data and remotely manage the victim machine. It is a Windows PE EXE file. It is 470 bytes in size. Installation: When launched, the Trojan creates the following file: %AppData%\<name>.exe, where <name> is chosen at random from...

  • Trojan-Dropper.Win32.Agent.albv 15 Apr 2009 | 5:17 am

    This Trojan has a malicious payload. It is a Windows PE EXE file. It is 23552 bytes in size. Installation: The Trojan copies its executable file as follows: %WinDir%\system\svhost.exe. In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan adds a link...

  • Trojan-Dropper.Win32.Kido.a 15 Apr 2009 | 5:09 am

    This Trojan is designed to install and launch other programs on the victim machine without the knowledge or consent of the user. It is a Windows PE EXE file. It is 78848 bytes in size. It is written in C++.

  • Trojan-Downloader.Win32.Kido.a 18 Mar 2009 | 9:36 am

    This malicious program is a Windows DLL file. Installation: The malware copies its executable file with random names to the following directories: %Program Files%\Internet Explorer\<rnd>.dll, %Program Files%\Windows Media Player\<rnd>.dll, %Program Files%\WindowsNT\<rnd>.dll, %Program...

  • Trojan.Win32.Agent.azsy 12 Mar 2009 | 12:29 pm

    This malicious program is a Trojan. It is a Windows PE EXE file. It is 417792 bytes in size. It is packed using UPX. The unpacked file is approximately 439KB in size. It is written in C++. Installation: Once launched, the Trojan copies its body to the current user’s Windows startup...

  • Trojan-Downloader.Win32.Agent.ahoe 24 Feb 2009 | 3:32 am

    This Trojan downloads another malicious program via the Internet and launches it on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 9216 bytes in size. It is packed using UPX. The unpacked file is approximately 38KB in size. It is written in...

  • Net-Worm.Win32.Kido.ih 20 Feb 2009 | 3:41 am

    This network worm spreads via local networks and removable storage media. When it copies itself to remote computers, the worm creates a temporary file with a random extension. The program itself is a Windows PE DLL file. The worm components vary in size from 155KB to 165KB. It is packed using UPX....

  • Downadup/Conficker worm 29 Jan 2009 | 8:40 am

    The first version of this worm has been known since December 2008. It now has 300+ variants. More information can be found in the Virus Lab Blog.

  • Email-Worm.Win32.Brontok.q 23 Oct 2006 | 5:47 am

    This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine. The worm itself is a Windows PE EXE file written in Visual Basic. The size of the infected file can vary significantly. The functionality described below...

  • EICAR-Test-File 7 Jul 2003 | 7:36 am

    EICAR is a short 68-byte COM file that is detected by anti-virus programs as a virus, but is actually NOT "VIRAL" at all. When executed it just displays a message and returns control to the host program. Why is this harmless file detected as a virus? The file was created in order to demonstrate to...

© Copyright 2009, PCJOE.COM. All rights reserved.