Weblog : News from the Lab


Welcome to the blog of the F-Secure Security Labs - maintained by the personnel responsible for analysing virus, phishing, spyware, and spam attacks.

This weblog was started in January 2004, and the full history of the blog is available in the archives.
The content is also available as an RSS feed. Maintainers of this weblog can be reached via Weblog [at] Our Domain

Please DO NOT send support requests or virus samples to this address. Instead, please read and follow the instructions on
How to Send a Sample to Us.


Tuesday, January 23, 2007

Rechnung After the Storm Posted by Francis @ 09:23 GMT

We have received many reports from German customers receiving a spammed e-mail containing an attachment named GEZ_Rechnung.pdf.exe.

Here is a sample screenshot of the spammed e-mail:

[Screenshot: the Nurech.W spam e-mail and its attachment]

Our detection for this malware is Nurech.W.

Nurech.W uses the following links to download Bzub.HO:

   http://buckells.co.uk/heidi/[BLOCKED]ex.txt
   http://floorsovertexas.com/images/[BLOCKED]ex2.txt
   http://gideonsarmy3.com/gideons_files/[BLOCKED]ex2.txt
   http://gilles-pouliot.com/images/[BLOCKED]ex2.txt
   http://graceinthedesert.org/images/photo_page/[BLOCKED]ex2.txt
   http://gracesanders.com/images/[BLOCKED]ex2.txt
   http://mazal18.com/temp/[BLOCKED]ex2.txt
   http://thecorsairs.co.uk/Pics/[BLOCKED]ex.txt

Bzub.HO is a password stealer and is hosted in the following link:

   http://samuraiwordsets.co.uk/images/[BLOCKED]p.exe



Monday, January 22, 2007

Stormy Love Posted by Patrik @ 20:00 GMT

This evening a new wave of the Stormy worm has been widely spammed. The subjects used in the e-mails have now changed from news-related events to love-related topics as you can see from the screenshot and the list of subjects below.

[Screenshot: Stormy Love e-mail]

The list of subjects we've seen so far includes:


A Bouguet of Love
A Day in Bed Coupon
A Monkey Rose for You
A Red Hot Kiss
Against All Odds
All That Matters
Baby, I'll Be There
Back Together
Breakfast in Bed Coupon
Can't Wait to See You!
Cyber Love
Dinner Coupon
Dream Date Coupon
Emptiness Inside Me
Fields Of Love
For You
Full Heart
I Believe
I Can't Function
I Dream of You
I Think of You
Internet Love
It's Your Move


Kiss Coupon
Love Birds
Love You Deeply
Made for Each Other
Miracle of Love
Moonlit Waterfall
My Invitation
Our Love
Our Love is Free
Our Two Hearts
Passionate Kiss
Pockets of Love
Puppy Love
Red Rose
Sending You My Love
Showers of Love
Someone at Last
Soul Partners
Summer Love
Take My Hand
That Special Love
The Dance of Love
The Long Haul


The Love Bugs
This Day Forward
This Feeling
Till Morning's Light
Till Morninig's Light
The Mood for Love
To New Spouse
Together Again
Together You and I
Touched by Love
Twice Blest
Until the Day
We're a Perfect Fit
Wild Nights
Will you?
When I'm With You
Worthy of You
Wrapped Up
Wrapped in Your Arms
You are our of this world
You Lucky Duck!
You Rock Me!
You Were Worth the Wait

Thanks to Diego, who notified us and pointed out that this list looks very similar to the list of Romantic Cards over at 2000greetings.com. Indeed it does.

The list of files is much shorter:

Greeting Postcard.exe
postcard.exe
greeting card.exe
Flash Postcard.exe
flash postcard.exe

We now detect this as Email-Worm.Win32.Zhelatin.a.

Note: For those of you who aren't already filtering EXEs in the e-mail gateway – do it now!
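As an added, constructed example (not F-Secure's code), here is a minimal gateway attachment check of the kind the note above calls for. It quarantines any attachment whose final extension is executable, so a decoy double extension such as GEZ_Rechnung.pdf.exe is caught along with the plain Storm Worm names, and it flags subjects from the lists on this page; the sample message, the extension set and the action names are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Executable extensions a gateway should quarantine regardless of how many
# decoy extensions precede them (GEZ_Rechnung.pdf.exe, Full Video.exe).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# A few subjects taken from the Storm Worm / Zhelatin runs on this page.
KNOWN_LURE_SUBJECTS = {
    "russian missle shot down usa aircraft",
    "230 dead as storm batters europe.",
    "a bouguet of love",
    "breakfast in bed coupon",
}

def is_executable_name(filename):
    """True if the final extension is executable, whatever precedes it."""
    name = filename.strip().lower()
    if "." not in name:
        return False
    # rsplit on the last dot so "GEZ_Rechnung.pdf.exe" yields "exe"
    return "." + name.rsplit(".", 1)[1] in EXECUTABLE_EXTENSIONS

def inspect_message(raw_bytes):
    """Verdict for one RFC 822 message: attachments to block, lure subject or not."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    blocked = [p.get_filename() for p in msg.iter_attachments()
               if is_executable_name(p.get_filename() or "")]
    subject = str(msg["Subject"] or "").strip().lower()
    return {
        "subject_is_known_lure": subject in KNOWN_LURE_SUBJECTS,
        "blocked_attachments": blocked,
        "action": "quarantine" if blocked else "deliver",
    }

def build_sample(subject, attachment_name):
    """Constructed test message (hypothetical addresses); not a captured spam."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("See attachment.")
    msg.add_attachment(b"MZ\x00\x00", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(inspect_message(build_sample("Russian missle shot down USA aircraft",
                                       "Full Video.exe")))
```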



Stick This Posted by Sean @ 13:50 GMT

Our new laptop stickers have arrived! We started the contest several weeks ago. We then went through the results and selected the winners. And then we ordered up a batch and waited. Now we have them and stickers are everywhere in the lab.

[Image: 2007 stickers]

The weblog readers whose suggestions were selected are:

      I lost my password, can you tell me yours? — Azham R. of Malaysia
      This is not the wireless access point you're looking for. — Matt L. of Australia
      Real men don't use antivirus. — Jonas L. of Sweden
      I just click OK to make the box go away. — Justin R. of UK
      My botnet can beat up your botnet. — David B. of USA
      Password is on a Post-it note on the display. — Ken T. of Germany

Their stickers were mailed out in the post today. Our thanks to all that contributed.

Now that we have them, we'll use them as rewards for future challenges.



Commwarrior Lite Posted by JP @ 13:20 GMT

[Image: phone]

We analyzed a new Commwarrior variant last week. It runs on Symbian devices using the Series 60 user interface, first and second editions.

This variant of Commwarrior, designated T, was otherwise quite uninteresting apart from the fact that it is newly compiled from the original source, unlike most variants. The author refers to it as "Commwarrior v3 Lite" in his code. In the meantime, we have already published detection and updated our free F-Commwarrior utility, which you can download from f-secure.mobi if you suspect your phone has been infected.

This variant affects only Symbian Series 60 phones that use Symbian OS version 8.1 or older. This means that the latest model of phones that could be affected is the Nokia N72. Phones using Symbian OS 9.0 or later, such as the Nokia E70 or 3250, will not be affected.


Sunday, January 21, 2007

Storm Worm starts to use Rootkit techniques Posted by Kimmo @ 21:45 GMT

The weekend has been very busy with Storm Worm. We have lately discovered new variants that have started to use kernel-mode rootkit techniques to hide their files, registry keys, and active network connections. F-Secure BlackLight is able to detect the hidden files.

[Screenshot: Storm Worm rootkit]

These variants are now detected as W32/Stormy.AB and Trojan-Downloader.Win32.Agent.bet.



Saturday, January 20, 2007

Another trojan run by the Storm Worm gang Posted by Mikko @ 07:29 GMT

We got a repeat of what happened last night – but with a modified version of the trojan and fresh news items in the subject field.

[Screenshot: "Russian missle" e-mail]

This time the subjects in the mails are:

  Russian missle shot down Chinese satellite
  Russian missle shot down USA aircraft
  Russian missle shot down USA satellite
  Chinese missile shot down USA aircraft
  Chinese missile shot down USA satellite
  Sadam Hussein alive!
  Sadam Hussein safe and sound!
  Radical Muslim drinking enemies' blood.
  U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
  U.S. Southwest braces for another winter blast. More then 1000 people are dead.
  Venezuelan leader: "Let's the War beginning".
  Fidel Castro dead.
  Hugo Chavez dead.

And the attachment names are:

  Video.exe
  Full Video.exe
  Read More.exe
  Full Text.exe
  Full Clip.exe

When run, this malware creates a peer-to-peer botnet via port 7871/UDP or 4000/UDP.

We detect this as Trojan-Downloader.Win32.Agent.bet.

Update on Saturday: A few hours later, there was another run with new and modified variants. Mostly the same Subject fields, with the addition of:

  President of Russia Putin dead
  Third World War just have started!
  The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
  The commander of a U.S. nuclear submarine lunch the rocket by mistake.
  First Nuclear Act of Terrorism!

Update on Sunday: Another run. This time with a different theme included in the subjects:

  So in Love
  Happy World Religion Day!
  Most Beautiful Girl
  Someone at Last
  I Believe
  The Dance of Love
  The Miracle of Love
  All For You
  Vacation Love
  I am Complete
  Wrapped Up
  Moonlit Waterfall
  A Little (sex) Card
  A Special Kiss
  Hugging My Pillow
  Safe and Sound
  You're Soo kissable
  A Romantic Place
  Breakfast in Bed Coupon
  For You
  I Love You So
  Safe and Sound
  Want to Meet?
  We Are Different
  We Have Walked
  You Asked Me Why

New filenames include Flash Postcard.exe.

Detection for these is in our update 2007-01-21_04.



Friday, January 19, 2007

Storm-Worm Small.DAM Spread Quickly Posted by Jusu @ 09:53 GMT

The Small.DAM (Storm-Worm) we posted on earlier spread very fast during the night, Helsinki time. The heavy seeding through spam was quickly obvious on our tracking screens, and the worm spread throughout the world very rapidly.

Here is some footage of the worm's spread to share with our readers:

[Video: world map of the worm's spread]

The video is encoded with XViD (4651k).

Also available via YouTube.



Small.DAM spammed around Posted by Francis @ 04:48 GMT

This morning we have been seeing Small.DAM being spammed.

[Screenshot: Small.DAM e-mail]

Here are the possible subject headings:

230 dead as storm batters Europe.
A killer at 11, he's free at 21 and...
British Muslims Genocide
Naked teens attack home director.
U.S. Secretary of State Condoleezza...

The "Storm in Europe" title is particularly timely, as there really is a storm in Europe at the moment and dozens of people have died.

Attachments may have the following filenames:

Full Clip.exe
Full Story.exe
Read More.exe
Video.exe

The detection for Small.DAM was already included in our database update 2007-01-15_01.

[Screenshot: Small.DAM]



Thursday, January 18, 2007

Commercial-grade redundant client-server backend systems - for SPAM Posted by Mikko @ 13:53 GMT

Oh man, there's a lot of spam out there nowadays.

No wonder, too.

The Warezov gang is using variants of Warezov and Medbot/Horst to send out medication and replica spam. The Rustock gang is using Mailbot.AZ and variants to send out stock spam. The Warezov gang is apparently operating from China and the Rustock boys from Russia.

For more background info, read the "Connecting the Warezov domain dots" entry posted two months ago.

Machines infected with Medbot use a client-server architecture. They connect to a central server to get further instructions as well as spam content and address lists. Then they get to the work of actually sending the spam.

The server addresses keep changing. Last week seek21.zootseek.com was used to serve e-mail addresses to the bots. While investigating the case last week, we downloaded some 68 Gigabytes of e-mail addresses from this server.

[Screenshot: harvested e-mail addresses]

Another good example of the client-server architecture is the service running at http://seeky.zootseek.com/d/body.html. This URL serves randomized HTML templates for different spam mails.

The URL is live at the moment of this posting. If you access it and reload the page, you'll get a different spam template every time (but do visit it at your own risk).

[Screenshot: Medbot spam template]

And by the way, you might want to block access to all hosts under the domain medbod.com (as it is used by Medbot to download updated bot code).



Mule Farming Posted by Mikko @ 12:17 GMT

Fake web sites have been used to recruit money mules for quite a while. When cops investigate phishing or carding cases, the trail usually ends with the mule, who might not have realized at all that he's actually laundering money for crime gangs.

Here's one mule recruitment site, which is offline by now:

[Screenshot: Transworld mule recruitment site]

This morning I got a personalized mule recruitment spam. Emphasis below is mine:


From: "Eddie Arredondo" <371cameron@m4m.biz>
To: "Mikko Hypponen" <mikko.hypponen>
Received: from 4koiahot.0o4xb.aol.com (ppp85-140-200-191.pppoe.mtu-net.ru [85.140.200.191])
       by mx1.f-secure.com (Postfix) with ESMTP id B58F167CF2;
       Wed, 17 Jan 2007 23:59:43 +0200 (EET)
Subject: Fw: Re: Yuo will want this Job
Date: Thu, 18 Jan 2007 01:01:25 +0400

Yo Mikko.hypponen!

We are a small and relatively Software Development and Outsourcing
Company specializing in enterprise application development, system
integration, corporate networks and other software solutions for
business, finance, and for various types of problems. The company
based in Ukraine but at this time we open new office in Bulgaria.

We’ve earned ourselves a reputation of a reliable and trustworthy
partner working successfully with a number of West European and North
American copmanies and providing them with reliable software
development services in financial, telecom and media sectors Also we
are in search of new partners.

Unfortunately we are currently facing some difficulties with receiving
payments for our services.
It usually takes us 10-30 days to receive a
payment from your country and such delays are harmful to uor business.
We do not have so much time to accept every wire transfer and we can't
accept cashier’s checks or money orders as well. That’s why we are
currently looking for partners in your country to help us accept and
process these payments faster.

If you are looking for a chance to make an additional profit you can
become our representative in your country. As our representative you
will receive 8% of every deal we conduct. Your job will be accepting
funds in the form of wire transfers and check payments and forwarding
them to us. It is nota full-time job, but rather a very convenient
and fast way to receive additional income. We also consider opening an
office in your country in the nearest future and you will then have
certain privileges should you decide to apply for a full-time job.
This is an entry level opportunity in the field of financial services.
Our financial professionals work with clients to help them achieve
their many financial goals such as saving on taxes.

We therefore solicit your assistacne in remitting this money and
facilitating transactions. If you believe you would be able to
undertake such a task and are interested in this job, please respond
to uaelectronic2@aim.com and send us the following information about
yourself:

1. Your Full Name as it appears on your resume.
2. Education.
3. Your Contact Address.
4. Telephone/Fax number.
5. Your present Occupation and Position currently held.
6. Your Age

Please respond ASAP and we will provide you with additional details on
how you can become our representative. Joining us and starting
business today will cost you nothing and you will b eable to earn a
bit of extra money fast and easy.

Should you have any quesitons, please feel free to contact us at the
address mentioned above. Looking forward to hearing from you.

Sincerely,

Kerri Knight
Director of Electronic Co



Time To Update Your Java Posted by Jarno @ 11:47 GMT

[Image: Sun Advisory 102760]

Last Thursday, we suggested that you update some of your applications…

Well, on Tuesday, January 16th, Sun released an advisory regarding a vulnerability in processing GIF images in some versions of the Java Runtime Environment.

When running a Java applet from a web page using a vulnerable version of Java Runtime, an applet exploiting the vulnerability may escape Java's sandbox. This means that the Java applet would have exactly the same access to the file system and process execution as any native application.

Java vulnerabilities have been actively used by malicious web pages in the past, so it is quite possible that this new vulnerability will also be used.

So do make sure that your Java runtime is up to date; instructions are available at Sun Advisory #102760.

Note: Sun provides links to J2SE 5.0 Update 10 in their advisory. As we posted earlier, version 6.0 is also available from: java.sun.com.

According to Sun, this vulnerability does not affect the Java versions used on mobile phones (J2ME).



Tuesday, January 16, 2007

Acer's Vulnerability Hotfix Posted by Kamil @ 09:02 GMT

[Image: AcerLAppFix.exe]

There's an update for the Acer ActiveX component vulnerability we posted on last week. Details can be found via US-CERT. The patch is named "Acer Preload Security Patch for Windows XP" and can be found here.



Warezov.KA Posted by Sean @ 08:55 GMT

After a relatively short period of inactivity, Warezov has returned with about a dozen new variants in the last 24 hours. Variant KA received its moniker at the end of yesterday with update 2007-01-15_13. There is also a new domain to block: ertikadeswiokinganfujas.com. You'll find a more comprehensive list here.

[Screenshot: Warezov.KA]

F-Secure Internet Security 2007's System Control feature still automatically denies these latest variants.
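The Medbot post above recommends blocking all hosts under medbod.com, and the Warezov.KA post adds ertikadeswiokinganfujas.com. As an added example (not F-Secure's code), this checks proxy access logs against such a domain list, matching the domain itself and any subdomain while not flagging look-alike names; the log lines are constructed in a Squid-like format and the client addresses are assumptions.

```python
import re
from urllib.parse import urlsplit

# Domains this page recommends blocking: every host under medbod.com (Medbot
# update server) and the new Warezov domain ertikadeswiokinganfujas.com.
BLOCKED_DOMAINS = {"medbod.com", "ertikadeswiokinganfujas.com"}

# Constructed Squid-style access log lines; not real traffic.
# Fields: timestamp elapsed client code/status bytes method url ...
SAMPLE_LOG = """\
1169124000.123    120 10.0.0.5 TCP_MISS/200 5120 GET http://update.medbod.com/bot.bin - DIRECT/198.51.100.7 application/octet-stream
1169124001.456     80 10.0.0.9 TCP_MISS/200 2048 GET http://www.example.com/index.html - DIRECT/198.51.100.8 text/html
1169124002.789     95 10.0.0.5 TCP_MISS/200 900 GET http://ertikadeswiokinganfujas.com/x/ - DIRECT/198.51.100.9 text/html
1169124003.001     70 10.0.0.7 TCP_MISS/200 1500 GET http://notmedbod.com/ - DIRECT/198.51.100.10 text/html
"""

def host_is_blocked(host, blocked=BLOCKED_DOMAINS):
    """Match the exact domain or any subdomain, but not look-alikes like notmedbod.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")

def find_blocked_requests(log_text, blocked=BLOCKED_DOMAINS):
    """Return (client, host, url) for every line whose destination is under a blocked domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        host = urlsplit(m.group("url")).hostname or ""
        if host_is_blocked(host, blocked):
            hits.append((m.group("client"), host, m.group("url")))
    return hits

if __name__ == "__main__":
    for client, host, url in find_blocked_requests(SAMPLE_LOG):
        print(f"{client} -> {host}  {url}")
```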




Copyright © 2006 F-Secure Corporation