Hilarious video from F-Secure. I’ve got people emailing their credit card numbers in clear text. Perhaps this might get the message across.
Posts tagged ‘F-Secure’
Fake AV on Drudge
I was over at the Drudge Report last night and finally saw a fake antivirus social engineering attempt there. I’d heard before that the ads on Drudge often served that up, but it was the first time I ran across it myself.
On my work computers I have the full Symantec Endpoint Protection suite installed, and its IPS generally detects and blocks fake antivirus attempts. My home computer doesn’t have the firewall component of SEP installed, so it can’t have the IPS functionality. That means it’s relying on the antivirus scanner exclusively for detection, and of course that detected nothing.
I downloaded the inst.exe file. That’s the same file name I see in the fake antivirus attempts that frequently hit pwinsider.com. You’d think the bad guys would avoid using the same file name all the time.
I got sidetracked and didn’t run the file through VirusTotal until this morning. 13 out of 41 engines detected the virus, a day after it was downloaded from a major site.
File inst.exe received on 2010.05.06 14:31:04 (UTC)

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| a-squared | 4.5.0.50 | 2010.05.06 | - |
| AhnLab-V3 | 2010.05.05.00 | 2010.05.05 | - |
| AntiVir | 8.2.1.236 | 2010.05.06 | TR/Fakealert.mnd |
| Antiy-AVL | 2.0.3.7 | 2010.05.06 | - |
| Authentium | 5.2.0.5 | 2010.05.06 | - |
| Avast | 4.8.1351.0 | 2010.05.06 | - |
| Avast5 | 5.0.332.0 | 2010.05.06 | - |
| AVG | 9.0.0.787 | 2010.05.06 | - |
| BitDefender | 7.2 | 2010.05.06 | Trojan.FakeAlert.CCA |
| CAT-QuickHeal | 10.00 | 2010.05.04 | - |
| ClamAV | 0.96.0.3-git | 2010.05.06 | - |
| Comodo | 4779 | 2010.05.06 | - |
| DrWeb | 5.0.2.03300 | 2010.05.06 | Trojan.Fakealert.15369 |
| eSafe | 7.0.17.0 | 2010.05.05 | - |
| eTrust-Vet | 35.2.7471 | 2010.05.06 | Win32/FakeAlert.E!generic |
| F-Prot | 4.5.1.85 | 2010.05.06 | - |
| F-Secure | 9.0.15370.0 | 2010.05.06 | Trojan.FakeAlert.CCA |
| Fortinet | 4.0.14.0 | 2010.05.05 | - |
| GData | 21 | 2010.05.06 | Trojan.FakeAlert.CCA |
| Ikarus | T3.1.1.84.0 | 2010.05.06 | - |
| Jiangmin | 13.0.900 | 2010.05.06 | - |
| Kaspersky | 7.0.0.125 | 2010.05.06 | Packed.Win32.Krap.ai |
| McAfee | 5.400.0.1158 | 2010.05.06 | - |
| McAfee-GW-Edition | 2010.1 | 2010.05.06 | - |
| Microsoft | 1.5703 | 2010.05.05 | - |
| NOD32 | 5091 | 2010.05.06 | a variant of Win32/Kryptik.ECX |
| Norman | 6.04.12 | 2010.05.06 | - |
| nProtect | 2010-05-06.02 | 2010.05.06 | Trojan.FakeAlert.CCA |
| Panda | 10.0.2.7 | 2010.05.05 | Suspicious file |
| PCTools | 7.0.3.5 | 2010.05.06 | - |
| Prevx | 3.0 | 2010.05.06 | High Risk Cloaked Malware |
| Rising | 22.46.03.04 | 2010.05.06 | - |
| Sophos | 4.53.0 | 2010.05.06 | Mal/FakeAV-CZ |
| Sunbelt | 6267 | 2010.05.06 | FraudTool.Win32.SecurityTool (v) |
| Symantec | 20091.2.0.41 | 2010.05.06 | - |
| TheHacker | 6.5.2.0.277 | 2010.05.06 | - |
| TrendMicro | 9.120.0.1004 | 2010.05.06 | - |
| TrendMicro-HouseCall | 9.120.0.1004 | 2010.05.06 | - |
| VBA32 | 3.12.12.4 | 2010.05.06 | - |
| ViRobot | 2010.5.6.2304 | 2010.05.06 | - |
| VirusBuster | 5.0.27.0 | 2010.05.06 | - |
Additional information:

| Field | Value |
|---|---|
| File size | 887824 bytes |
| MD5 | 2e797ae47b533739a234ffd66d736a55 |
| SHA1 | d3a984790a2d83f33db3b7791d540f259eb1ef34 |
| SHA256 | 05a094eb2512b0df90b98e8789ce9166049749dc428d38561d805c577ec52202 |
| ssdeep | 24576:j9r0ObkXlgxp3JEFp56d1Ctz7YQn7jPff7l0xm6U:j6pwp5Ap0A4GPfKzU |
| PEiD | - |
| PEInfo | PE Structure information (base data) (5 sections) (2 imports) (0 exports) |
| RDS | NSRL Reference Data Set - |
| pdfid | - |
| trid | Win32 Executable Generic (42.3%), Win32 Dynamic Link Library (generic) (37.6%), Generic Win/DOS Executable (9.9%), DOS Executable Generic (9.9%), Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%) |
| Symantec Reputation Network | Suspicious.Insight http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99 |
| sigcheck | publisher: n/a, copyright: n/a, product: n/a, description: n/a, original name: n/a, internal name: n/a, file version: n/a, comments: n/a, signers: -, signing date: -, verified: Unsigned |
| Prevx | http://info.prevx.com/aboutprogramtext.asp?PX5=58CECCFE103F91A08CFD0D13520C63001BD0C5B4 |
In March the Senate Sergeant at Arms traced the source of an infection back to Drudge. People thought that was politically motivated. Drudge is a high value target due to the number of visitors. Is there anything he should be doing differently? I think he needs to hold his ad company to a higher standard and switch companies if they continue to allow these malicious ads to sneak in.
PDF Launch Vulnerability
If you’ve been sleeping on the Adobe Acrobat and Reader /Launch vulnerability, it’s time to consider taking mitigating steps.
The proof of concept presented by Didier Stevens uses the /Launch action that is part of the PDF specification in order to execute arbitrary code.
Because this is a problem with the PDF specification itself, it affects multiple vendors. I recently read F-Secure’s call for Microsoft to natively support the PDF/A format. PDF/A is a cut-down version of the PDF standard; it specifically doesn’t allow file launches, so by default it would be safe from this sort of attack. The problem I see is that it does not support PDF encryption, and you need a critical mass of people able to read encrypted PDF documents before you can actually use PDF encryption.
Until last week, the attacks using the /Launch functionality also relied on JavaScript in the PDF, so if you had disabled JavaScript in Adobe Reader, the user would have had to ignore a LOT of warnings in order to be attacked. Now an attack is in circulation that uses the /Launch functionality without any JavaScript.
It’s time to step up and apply the mitigation listed by Adobe in the Adobe Reader Blog:
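Since the newer variant needs no JavaScript, a scanner that only looks for /JS misses it. As an added example (not from the original post, Adobe, or Didier Stevens’ tools), here is a small Python triage script that flags PDFs carrying a /Launch action, reports whether it fires automatically via /OpenAction or /AA, and notes whether JavaScript is also present. The sample PDFs are constructed inline; PDF names may use #xx escapes, which the scanner decodes before matching.

```python
import re

# PDF names may encode any character as #xx (PDF 1.7 spec, 7.3.5); a naive
# substring match for "/Launch" misses "/L#61unch", so decode names first.
# (Decoding is applied to the whole file, which is fine for a triage heuristic.)
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so every name appears in canonical form."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

# Keywords relevant to the /Launch issue. /OpenAction or /AA make an action
# fire without user interaction; /JS and /JavaScript show whether the sample
# also relies on scripting (the newer attack variant does not).
KEYWORDS = (b"/Launch", b"/OpenAction", b"/AA", b"/JS", b"/JavaScript")

def count_keywords(pdf: bytes) -> dict:
    """Count occurrences of each keyword as a whole PDF name."""
    data = normalize_names(pdf)
    counts = {}
    for kw in KEYWORDS:
        # A name ends at whitespace or a delimiter, so /JS must not match /JSX.
        pattern = re.escape(kw) + rb"(?![0-9A-Za-z])"
        counts[kw.decode()] = len(re.findall(pattern, data))
    return counts

def triage(pdf: bytes) -> str:
    """Classify a PDF for the /Launch mitigation discussion."""
    c = count_keywords(pdf)
    if c["/Launch"]:
        auto = c["/OpenAction"] or c["/AA"]
        js = c["/JS"] or c["/JavaScript"]
        detail = "auto-triggered" if auto else "action present"
        detail += ", with JavaScript" if js else ", no JavaScript"
        return f"LAUNCH ({detail})"
    if c["/JS"] or c["/JavaScript"]:
        return "JAVASCRIPT"
    return "CLEAN"

# Constructed samples (not real malware). The first mirrors the structure
# described above: a /Launch action fired from /OpenAction with no JavaScript,
# written with a #xx escape in the action name that the scanner must decode.
SAMPLES = {
    "launch_no_js": (b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
                     b"2 0 obj<</Type/Action/S/L#61unch/F(placeholder.exe)>>endobj\n%%EOF\n"),
    "js_only": (b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
                b"2 0 obj<</Type/Action/S/JavaScript/JS(app.alert(1))>>endobj\n%%EOF\n"),
    "benign": b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n%%EOF\n",
}

if __name__ == "__main__":
    for name, pdf in SAMPLES.items():
        print(f"{name}: {triage(pdf)}")
```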
For consumers, open up the Preferences panel and click on “Trust Manager” in the left pane. Clear the check box “Allow opening of non-PDF file attachments with external applications”.
For administrators who wish to accomplish this with a registry setting on Windows, add the following DWORD value to:
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals
Name: bAllowOpenFile
Type: REG_DWORD
Data: 0
Furthermore, an administrator can grey out the preference to keep end-users from turning this capability on, by adding the following DWORD value to: HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals
Name: bSecureOpenFile
Type: REG_DWORD
Data: 1
Note: These samples assumed you were adding registry settings to Adobe Reader 9. For Adobe Acrobat, you would replace “Acrobat Reader” with “Adobe Acrobat”, and for a different version, you would substitute its value for “9.0”.
The Adobe blog entry also lists a registry change to gray out the setting so the user can’t change it back, if you’d like to do that.
Here’s a link to the ADM file I’m using to disable the /Launch and JavaScript functionality in Adobe Reader and Adobe Acrobat. Make sure you test it before using it in a production environment.
adobe.adm
Kaspersky and csshover.htc Possible False Positive?
This morning Kaspersky is detecting Downloader.JS.Iframe.aqo in csshover.htc on a few different websites.
Seems to be a false positive.
Virustotal shows the following:
File csshover.htc received on 04.09.2009 17:40:35 (CET)

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| a-squared | 4.0.0.101 | 2009.04.09 | - |
| AhnLab-V3 | 5.0.0.2 | 2009.04.09 | - |
| AntiVir | 7.9.0.138 | 2009.04.09 | - |
| Antiy-AVL | 2.0.3.1 | 2009.04.09 | - |
| Authentium | 5.1.2.4 | 2009.04.08 | - |
| Avast | 4.8.1335.0 | 2009.04.09 | - |
| AVG | 8.5.0.285 | 2009.04.09 | - |
| BitDefender | 7.2 | 2009.04.09 | - |
| CAT-QuickHeal | 10.00 | 2009.04.09 | - |
| ClamAV | 0.94.1 | 2009.04.09 | - |
| Comodo | 1107 | 2009.04.09 | - |
| DrWeb | 4.44.0.09170 | 2009.04.09 | - |
| eSafe | 7.0.17.0 | 2009.04.07 | - |
| eTrust-Vet | 31.6.6447 | 2009.04.09 | - |
| F-Prot | 4.4.4.56 | 2009.04.08 | - |
| F-Secure | 8.0.14470.0 | 2009.04.09 | Trojan-Downloader.JS.Iframe.aqo |
| Fortinet | 3.117.0.0 | 2009.04.09 | - |
| GData | 19 | 2009.04.09 | - |
| Ikarus | T3.1.1.49.0 | 2009.04.09 | - |
| K7AntiVirus | 7.10.697 | 2009.04.08 | - |
| Kaspersky | 7.0.0.125 | 2009.04.09 | Trojan-Downloader.JS.Iframe.aqo |
| McAfee | 5578 | 2009.04.08 | - |
| McAfee+Artemis | 5578 | 2009.04.08 | - |
| McAfee-GW-Edition | 6.7.6 | 2009.04.09 | - |
| Microsoft | 1.4502 | 2009.04.09 | - |
| NOD32 | 3997 | 2009.04.09 | - |
| Norman | 6.00.06 | 2009.04.09 | - |
| nProtect | 2009.1.8.0 | 2009.04.09 | - |
| Panda | 10.0.0.14 | 2009.04.09 | - |
| PCTools | 4.4.2.0 | 2009.04.08 | - |
| Prevx1 | V2 | 2009.04.09 | - |
| Rising | 21.24.32.00 | 2009.04.09 | - |
| Sophos | 4.40.0 | 2009.04.09 | - |
| Sunbelt | 3.2.1858.2 | 2009.04.09 | - |
| Symantec | 1.4.4.12 | 2009.04.09 | - |
| TheHacker | 6.3.4.0.305 | 2009.04.09 | - |
| TrendMicro | 8.700.0.1004 | 2009.04.09 | - |
| VBA32 | 3.12.10.2 | 2009.04.09 | - |
| ViRobot | 2009.4.7.1686 | 2009.04.09 | - |
| VirusBuster | 4.6.5.0 | 2009.04.09 | - |
Additional information:

| Field | Value |
|---|---|
| File size | 4314 bytes |
| MD5 | 4d50942ad963dd3d0cde4fe42ae1157b |
| SHA1 | ddb47d9f8d783f8ff1b79527b65ee7e6ac53a359 |
| SHA256 | afb97a5d637531616f85cffcd11dd68e7b85f2b5aa01b51b7959dbf2fcf8704c |
| SHA512 | c829e90f6a3669320aec4bb489fb91aa39ed17a85f1584156b5eb8fc32c26b4d610ede9a8060ce5a82b945930796c7033c55a8e48e7c13a4a179d2aa41b459c0 |
| ssdeep | 96:D+5yu5ugQhnmLzuAX6mLJ3FFD6wB5XhY/l1yYmLXiuiXqwCDGqh:Dju5ugQOFzLJ3FF5B5S/l1B8XiuiXtCP |
| PEiD | - |
| TrID | File type identification Unknown! |
| PEInfo | - |
| RDS | NSRL Reference Data Set - |
UPDATE: This afternoon I reported the false positive to Kaspersky via a web form. I heard back pretty quickly that this was fixed in the latest defs. Also note Ryan’s entry in the comments.
My problem was compounded a bit because the BlueCoat cached the “infected” status, so I needed to clear that from its cache before csshover.htc could be served.
FDF Spam
F-Secure is reporting in their blog that they are seeing spam in FDF file attachments. FDF files will open in Adobe Reader. Spammers are using this as their latest attempt to bypass spam filters.
Delf.aki
The HTTP gateway detected the Delf.aki virus in a file, profilewatcher_setup.exe, which one of my users tried to download. Just for kicks I uploaded it to VirusTotal, and here’s the result.
File size: 985897 bytes
MD5: 837c3036adf45c11a45c8a2f356c060e
SHA1: ef7311d94a80962d886befefb6bc08f03941f3e4
packers: BINARYRES
| Antivirus | Version | Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.5.21.1 | 05.22.2007 | no virus found |
| AntiVir | 7.4.0.27 | 05.22.2007 | DR/Delf.aki |
| Authentium | 4.93.8 | 05.23.2007 | no virus found |
| Avast | 4.7.997.0 | 05.22.2007 | no virus found |
| AVG | 7.5.0.467 | 05.22.2007 | no virus found |
| BitDefender | 7.2 | 05.23.2007 | no virus found |
| CAT-QuickHeal | 9.00 | 05.22.2007 | no virus found |
| ClamAV | devel-20070416 | 05.23.2007 | no virus found |
| DrWeb | 4.33 | 05.22.2007 | no virus found |
| eSafe | 7.0.15.0 | 05.21.2007 | Win32.Delf.aki |
| eTrust-Vet | 30.7.3654 | 05.23.2007 | no virus found |
| Ewido | 4.0 | 05.22.2007 | no virus found |
| FileAdvisor | 1 | 05.23.2007 | no virus found |
| Fortinet | 2.85.0.0 | 05.22.2007 | W32/Delf.AKI!tr.bdr |
| F-Prot | 4.3.2.48 | 05.22.2007 | no virus found |
| F-Secure | 6.70.13030.0 | 05.23.2007 | Backdoor.Win32.Delf.aki |
| Ikarus | T3.1.1.8 | 05.22.2007 | Backdoor.Win32.Delf.aki |
| Kaspersky | 4.0.2.24 | 05.23.2007 | Backdoor.Win32.Delf.aki |
| McAfee | 5036 | 05.22.2007 | no virus found |
| Microsoft | 1.2503 | 05.22.2007 | no virus found |
| NOD32v2 | 2285 | 05.22.2007 | no virus found |
| Norman | 5.80.02 | 05.22.2007 | no virus found |
| Panda | 9.0.0.4 | 05.22.2007 | no virus found |
| Prevx1 | V2 | 05.23.2007 | no virus found |
| Sophos | 4.17.0 | 05.21.2007 | no virus found |
| Sunbelt | 2.2.907.0 | 05.17.2007 | no virus found |
| Symantec | 10 | 05.23.2007 | no virus found |
| TheHacker | 6.1.6.120 | 05.21.2007 | no virus found |
| VBA32 | 3.12.0 | 05.22.2007 | Backdoor.Win32.Delf.aki |
| VirusBuster | 4.3.23:9 | 05.22.2007 | no virus found |
| Webwasher-Gateway | 6.0.1 | 05.22.2007 | Trojan.Delf.aki |
As Steve Spurrier would say while coaching the Redskins, “6 and 10, not too good.” VirusTotal will pass this file on to the vendors who didn’t detect it and they’ll “coach ‘em up.”
More Stormwatch
F-Secure has a blog entry on the latest variants of the Storm worm.
Subjects:
So Unique
Feeling Horny?
Full Heart
Sending Kiss
Just You
Heart of Mine
I Love You Soo Much
[events]Our Wedding Day
Love at first sight
Dream Date Coupon
Back Together
Attachments:
flash postcard.exe
postcard.exe
greeting postcard.exe
Greeting Card.exe
Those are just some of the ones I have seen.
Virus of the day
Today’s virus of the day is being detected as win32.small.dam in our inbound email.
The recipient addresses so far are very old. I guess this is one spammer group that hasn’t been sold our corporate address book.
The only reason I mention the virus is that the lurid subject lines got a laugh out of me.
“U.S. Secretary of State Condoleeza Rice has kicked German Chancellor Angela Merkel”
Other subjects:
“Naked teens attack home director”
“British Muslims Genocide”
Attachments named “full clip.exe” and “video.exe”.
F-Secure: postcard.exe spam run
F-Secure blogged this morning about a large scale spam run underway sending messages with the attachment postcard.exe and the subject “Happy New Year!”
I saw that at my site last night. Actually, I probably wouldn’t have even noticed all those detections, but I re-enabled the filters on my BlackBerry so it doesn’t get filled up with all the phishing detection notifications.