Threat Summaries Volume 1: 2006 - 2002 - F
Transcription
Threat Summaries Volume 1: 2006 - 2002 - F
THREAT SUMMARIES VOLUME 1 2006 - 2002 CONTENTS 2006 2005 2004 2003 2002 .................. 2 . . . . . . . . . . . . . . . . . . 14 . . . . . . . . . . . . . . . . . . 23 . . . . . . . . . . . . . . . . . . 31 . . . . . . . . . . . . . . . . . . 39 This document contains a compilation of all the Threat Summaries released by F-Secure Labs during the years 2002 to 2006, in reverse chronological order. This document is followed by Threat Summaries Volume 2: 2011 to 2007. For threat landscape coverage and malware research details from the years after2011, see the Threat Reports and Mobile Threat Reports available from F-Secure Labs: Whitepapers. THREAT SUMMARIES V. 1 2006 - 2002 2 2006 H2 2006 THREAT SUMMARY As 2006 winds to a close, the basic trends in the data security world and its counterpart in the malware community seem, for the time being, relatively predictable. Although the number of known viruses kept growing at a steady pace, year 2006 witnessed a remarkable step down in the volume of visible attacks by worms, viruses and other malware. At the same time, however, targeted attacks using backdoors, booby trapped document files and rootkits became increasingly commonplace. Also spam reached new record-breaking heights. In place of widespread malware assaults, 2006 has been characterized by targeted attacks which do not make the headlines and which have typically one motivation - money. In such scenarios, a hacker may target a single company, use a cloaking device like a rootkit to conceal a backdoor and extract valuable information for their own financial gain or that of the person(s) interested in having such data. Many of these cases use forged emails with a booby-trapped Microsoft Office document as the way to gain entry. The other more visible malware assault motivated by money is phishing. 2006 has seen a significant increase in the kinds of scams that use clever social engineering techniques and well-engineered bogus websites to separate the unwary from their money. And obviously phishing works since the attacks continue to build in force and complexity. Lately, phishers have been using websites with an average life of just one hour to try to entice web users before disappearing off the radar. PayPal and eBay continue to be the most targeted organizations for phishing attacks, but some German banks are climbing up the ranks. This finding was confirmed In November by Phishtank, a service run by OpenDNS which published their first set of phishing statistics. Bogus domain names support phishing In October, the F-Secure Research team’s interest was piqued in the active aftermarket in domain names. These are domain names that have already been registered and are now being resold. For example, such sites as hell.com and auction.com which came up for sale in October were expected to be sold for several million dollars each - quite a price mark up for sites that were originally registered for something like 5 to 15 USD. Typically, however, most domain names are resold for a few hundred or a few thousand dollars and the largest domain resellers for such transactions are Sedo and Moniker. The Research team was particularly interested in the resale of domains that obviously belong to banks or other financial institutions -domains like chasebank-online.com, citibank.com and bankofameriuca.com. THREAT SUMMARIES V. 1 2006 - 2002 3 The list included something like 30 more sites for resale and all very similar in name to their legitimate counterparts. The question is, why would anybody want to buy these domains unless they are the bank themselves - or a phishing scammer? then scanning user-created content to find obvious copies of eBay or PayPal login pages. In all instances, abuse messages were sent about the above sites to both Tripod and PayPal ten hours after which, five had been taken offline by Tripod. The Research team also found out that the companies in question are reselling accented domain names that have been created using the letters “á” and “í” with an apostrophe instead of the normal “a” or “i” to create highly deceptive domain names like vísa.com, pàypal. com and paypàl.com - almost indistinguishable from the legitimate sites. Sedo responded to the questionable nature of selling site names which appear to be legitimate sites but are not. Sedo’s general counsel, Jeremiah Johnston, said his company wants to “balance the rights of all users” and added that at times, trademark owners “harass a lot of legitimate domain owners. Continuing the phishing line, in late August the Research team were given a heads-up to a PayPal phishing site apparently designed to perform a man-in-the-middle attack on a user’s password. The site displayed a genuinelooking login box, and the user had to type in a valid PayPal user name and password. The assumption by the team was that the scammer had created a shadow login to the real PayPal site behind the scenes. Anybody falling victim to the phisher would relinquish both their password and most likely their credit card number too if they fell for this highly convincing ruse. Luckily, the alert came before it was actually spotted in the wild and abuse notices about the phishing site were sent to the appropriate authorities. We expect man-in-the middle phishing to become a real issue in the future. On the same theme of legitimate companies supporting the activities of illegitimate enterprises, at the end of August, Tripod, the free web hosting service from Lycos was found to have a number of phishing sites hosted on their servers. Some examples of sites that were active included: • • • • • • pay-pal-redirect.tripod.com pay-pal-jack-pot.tripod.com pay-pal-upgrade.tripod.com/asfafsa.html gontham5.tripod.com/paypal.html wakabu2.tripod.com/paypal.html pp-account.tripod.com/paypal.html The Research team wondered why Tripod had not done more to prevent people from creating new hosts with names like “pay-pal-redirect” or at least every now and Warezov makes headlines and headaches During 2006, we’ve only seen two large “traditional” email worm outbreaks: Nyxem and Warezov. The Warezov mass-mailing worm attacks started in August. Warezov and its many variants sent themselves as e-mail attachments to addresses found on computers it had infected. In some cases, the infected attachment could start automatically. In other cases, the system was infected when the user opened the attachment. Warezov also attempts to download updated variants of itself from specified website(s) on the Internet. After the worm’s file is run, it shows a message box as a decoy. It installs itself so that it runs when Windows is started. When activated, it installs itself to the system and creates a startup key for itself in the Windows registry. It then stays active in the system’s memory. While active, the mass-mailer searches for specific files (HTML files for example) on all available hard disks for e-mail addresses. Finally, it connects to an available mail server and sends itself to all the addresses it has found. What was interesting about this worm was the fact that it was able to spread on its own, just like e-mail worms from earlier years, and it was by far the most actively spammed attack during 2006. All the variants initially used the same website to download additional components and updates: gadesunheranwui.com. - a domain registered by the authors of this malware just for this reason. THREAT SUMMARIES V. 1 2006 - 2002 4 By November, the Warezov’s purpose had been revealed as a highly coordinated exercise in spam propagation. Warezov-infected machines were shown to download additional components which, after a variable delay, started sending out spam messages advertising Viagra, Vialis, Valium, and Xanax clones. Spam messages like the following: And when comparing the domain names used in the virus to domains shown in the spam messages, we can see that they overlap, proving that these are all part of a single operation: The Research team made the connection between the virus and the spam just by looking at the domain names used by the Warezov gang for both the virus component download and for the hosting of the fake Viagra sites. Warezov is spread by spamming slightly modified versions of the downloader component. This is modified by the spammers as soon as major antiviruses add detection for that particular component. Once the downloader is executed on a computer, it connects to a download URL. A typical URL would be, for example: • yuhadefunjinsa .com/ chr/grw/ lt.exe The spam messages link to fake Viagra sites like these: Still in November, Warezov continued its run, and F-Secure continued to add detections at the same rate. With many of the parts of the jigsaw falling into place, new variants of the worm are now automatically blocked using F-Secure Internet Security 2007’s System Control feature. Nevertheless, the Warezov worm seems to be a malware that will continue to cause headaches for researchers and users for some time to come. Social networking sites under worm threat Interestingly, the domains used by the fake Viagra shops not only have similar sounding names to the downloader URLs but also have the same registration information. All the domains we’ve seen can be categorized according to just three different groups: domains registered to “Wang Pang”, “Dima Li” or “Bai Ming”. At the end of July, the Research team came across further examples of Web Application Worms exploiting persistent Cross Site Scripting (XSS) vulnerabilities in websites. This is a new category of malware and a growing concern for popular websites. Social Networking sites seem to be the most popular target right now thanks to their immense popularity and user bases. MySpace has already been hit by two such worms - the Samy worm in October 2005 and by a “Flash” worm in July 2006. Samy was written by somebody who wanted to become popular on MySpace. The malware author in question designed the worm to crawl through the site while furiously adding people to his friends list. The result: over a million “friends” in a couple of hours. The MySpace Flash worm exploited vulnerability in Macromedia Flash to redirect MySpace users to an objectionable webpage. THREAT SUMMARIES V. 1 2006 - 2002 5 In July, MySpace was also the target of a malicious banner advertisement that ran on the site. It used the WMF vulnerability in Windows to serve adware to more than a million users with unpatched machines. Following these attacks we decided to see how secure other popular social networking sites are against “wormable” XSS vulnerabilities. We picked out two of the top social networking sites with a reported combined user base of 80 million. Within half an hour we had discovered over half a dozen potentially “wormable” XSS vulnerabilities in each site! We stopped looking after finding half a dozen, but we are sure there are a lot more holes in there. With about a day’s work a malicious attacker with a half-decent knowledge of javascript could create a worm using just one of these vulnerabilities. And here’s something to consider: The WMF banner ad successfully reached about one million users. An automated worm utilizing a similarly malicious WMF exploit or a similar browser exploit - maybe even a zeroday exploit, could potentially reach a much, much larger audience of unpatched machines. Theoretically, this could be the entire user base... We recommend end users to patch their computers and that web application developers start taking security seriously. XSS issues have stopped being funny for a long time now. They are a real danger with the advent of phishing and Web application worms that can exploit a mass user base of millions of users within a very short time. Of course, the Research team reported the issues to the affected websites and are working with them to get the issues fixed. The writing is on the wall - let’s hope the malware community can’t read that quickly. For most users, the vulnerability represented a limited threat since the vgx.dll component solely handles Vector Markup Language (VML) - something not too many websites use these days. Microsoft’s Outlook e-mail client was also potentially vulnerable to this exploit but fortunately again, e-mail is treated as if from Restricted Sites by default, where Binary and Scripting Behaviors are disabled. Research team boosted by Kuala Lumpur security laboratory F-Secure opened a new Asian Technology Centre in Malaysia in September 2006. This is the home to the F-Secure Security Labs in Kuala Lumpur. Malaysia was selected as a key hub for Asian operations for its well qualified human resources, the country’s initiative to encourage high tech companies to set up business there and its strategically optimal time zone. VML Exploit put IE users at risk In late September, F-Secure reported a VML Exploit on Internet Explorer in the wild that allowed for the remote execution of code with the only action necessary to become infected being to view a malicious webpage using Internet Explorer or an HTML formatted e-mail. Fortunately for IE users, Microsoft published a prompt Microsoft Security Advisory (925568) regarding the issue and an update was scheduled for October. Users were advised to unregister the susceptible dll from the system as a workaround for the vulnerability. Given the time difference between the F-Secure labs monitoring the global malware situation, work shifts are conveniently split without much overlap. In this way, F-Secure is able to maintain its promise to respond faster to virus outbreaks than its competitors. THREAT SUMMARIES V. 1 2006 - 2002 6 Mobile malware - the usual suspects and a few notable oddities Mobler poses no immediate risk to mobile device users in its present form. However, it’s possible that virus writers might use it as a basis for more malicious malware. But then again, that could be said of previous cross-platform viruses and thus far a heavy hitter has failed to materialize. Commwarrior - again... Also in late autumn, the Research team received a new Commwarrior sample - SymbOS/Commwarrior.Q. Nothing remarkable about that except the fact that Commwarrior.Q is not just a hexedit of Commwarrior.B. but rather a new variant with additional functionalities. On the mobile front, there was the usual steady advance of mobile malware and their variants in the last half of 2006. By July the number had exceeded the three hundred mark and continued its rise. As in earlier times, Symbian continues to be the platform of choice for the majority of mobile malware authors reflecting the preponderance of the platform in the smartphone market. Cross-platform worms - the malware of the future? In late autumn, the Research team encountered a crossplatform worm that is theoretically capable of spreading from a PC to a mobile device and back again. The “Mobler” worm as it has been labeled, moves between Symbian and Windows platforms. Although its payload on the Windows side is significant, it doesn’t cause much harm on the Symbian device rather copying itself to the memory card and trying to trick the user into infecting his or her PC. Technically speaking, there is no automatic spreading mechanism for Mobler to copy itself from one platform to another. It just creates a Symbian installation package that inserts a Windows executable on the mobile device’s memory card. This executable is visible as a system folder in Windows Explorer so potentially it is possible for the user to accidentally open it and infect their PC while browsing the memory card’s files. Commwarrior.Q is based on Commwarrior.C and has the same functionality as Commwarrior.C and more. Like Commwarrior.C, the Q variant spreads via Bluetooth and MMS messages, and infects any memory card inserted into device. Additionally, Commwarrior.Q searches the infected device for any SIS file installation packages and injects itself into any that it finds. That means that in addition to trying to spread by itself, Commwarrior.Q also tries to get users to distribute it. For example, if the user has a game installation SIS that he might copy to his friend. Commwarrior.Q is also the first Symbian malware that uses a random SIS installation file size when it replicates. The file size of the Commwarrior.Q SIS file varies between 32100 bytes and 32200 bytes making it difficult to exclude. When Commwarrior.Q is installed it will display an HTML page to the phone’s default browser after a random delay. Although Commwarrior.Q was detected in the wild, the fact that Commwarrior.Q displays the HTML page that states that the phone is infected means that it is unlikely that it will lead to a large scale outbreak - that and the fact that Commwarrior.Q is detected by F-Secure Mobile AntiVirus with database update 103. Mobile spyware - legitimate or not? Also on the mobile front, F-Secure continued to investigate commercially available spying trojans for mobile phones that run on the Symbian OS as well as on other mobile phone platforms. The Research team originally thought that such software would still be a rather limited phenomenon and that there would be only a couple vendors making spy tools for smartphones. But it turns out that there’s quite a cottage THREAT SUMMARIES V. 1 2006 - 2002 7 industry that has been lying low and by and large has been able to escape attention. In fact, there are several vendors either making software for Symbian smartphones or are making hardware-modified versions of just about any phone available. All the phones and software under investigation yielded rather similar features. A typical feature set includes SMS forwarding, SMS and voice call log information, remote listening and covert conference calling. Some even include localization services. This basically means that if the victim has a full-featured spy application in their phone, they have no privacy whatsoever for their calls while the one controlling the software has access to all the information available. Spyware software vendors state that their software should only be used in accordance with local laws and that a typical application for such tools is to keep track of a cheating spouse or to monitor children’s phone usage. Naturally, of course these tools have darker applications such as industrial espionage, identity theft and stalking. One of the spyware applications under investigation, Acallno.A. is an SMS spying tool that forwards all sent or received messages to an additional number configured by the individual who installed it. Just to be sure, the Research team added detection of Acallno.A into F-Secure Mobile Anti-Virus as spyware. Acallno.A is by the way, a pseudonym for the real software name since F-Secure is in the business of informing our customers of potential malware, not promoting commercial spy utilities. Fortunately, Acallno.A is limited by the target device’s IMEI code, so in the absence of familiar access to the phone, it is impossible to download to just anyone. Nor can it be just included into a trojan or other method of mass installation. As monitoring tools are not always illegal, and there might be some legitimate uses for Acallno.A or any other such software, it is possible for users to release the detected spyware so that Anti-Virus allows for its use. In such cases, please consult the product documentation. Centrino vulnerabilities open potential window on WLAN viruses In early August, Intel published a set of patches for Intel Centrino. Nothing particularly significant about that but the fact is that Centrino is not just a processor but also integrates WLAN and other features for laptops. The vulnerabilities are not related to the processor itself but to the wireless features - one of the more common applications in use for modern computer users on the move. The vulnerabilities being patched are significant. The worst of them “could potentially be exploited by attackers within range of the Wi-Fi station to execute arbitrary code on the target system with kernel-level privileges”. So at least in theory, somebody could write a WLAN virus that would jump from one laptop to another if the laptops within range of the access point are too close to each other. This vulnerability is not solely the problem of Intel Centrino with other operating systems such as Mac showing potential windows for hackers to exploit in their drivers. In all instances, our advice is to make sure your Wi-Fi drivers are up to date. And finally The Swedish toy manufacturer, Brio, has decided to create a lovable collection of figures that ‘live’ inside a typical computer for children to play with. The wooden toys also include a number of virus figures. Not only that they have even built a dedicated website to support the activities including an active desktop feature and related mini movie. Our only hope at F-Secure is that children fall in love with the little computer helpers and not the viruses... THREAT SUMMARIES V. 1 2006 - 2002 8 H1 2006 THREAT SUMMARY The first six months of 2006 seemed quiet on the surface. But a lot of new criminal malware development and exploits were happening under the surface, despite the decreased publicity. The new threats are often more expertly targeted and extremely well hidden, and criminals are continuously finding new ways to deliver their payloads behind the lines of defense. The beginning of 2006 was also the 20th anniversary of the first PC virus, Brain, which infected computers via floppy disks. Things have changed quite much since then as the following report demonstrates. At present there are over 185,000 viruses and the number continues to grow rapidly. The biggest change over these 20 years has not been in the types of viruses or amount of malware; rather it has been in the motives of the virus writers. The most significant change has been the evolution of virus writing hobbyists into criminally operated gangs writing viruses for financial gain. And this trend is continuing with most new malware having a financial motive, turning infected PCs into bots being used for distributed spam or phishing e-mails or being used to steal personal and financial information. In March 2005 F-Secure launched its Blacklight engine for detecting rootkits. Rootkits are effectively cloaking devices, which allow malware authors to enter a computer under the radar and go about their business completely undetected. Since that time, we’ve seen a steady growth in the number of various kinds of malware using rootkit technology to hide. Interestingly, most other data security vendors still fail to offer rootkit detection technology in their offerings, even after the Sony DRM Rootkit case made the headlines late last year. And the stakes are getting higher - already in May 2006 a backdoor scam was found from an online gaming site using rootkit technology to covertly glean information from players downloading an apparently useful poker utility program. Luckily this showed up on our Blacklight radar and was successfully neutralized. In other news, 2006 was the year that saw the mobile malware count reach and exceed the 200 mark. If you compare the figures against the PC world, this does not warrant a state of alarm but it certainly indicates a growing trend. As mobile phones become more like computers offering the possibility to make financial transactions, it’s certain that the malware community will follow suit with new exploits. Hectic Start to the Year 2006 started in a very hectic way with the zero-day exploit in the Windows Graphics Rendering engine and the way it handles Windows Metafiles (WMF) images - an exploit which was found at the end of 2005. In just a few days a large number of malicious files using the exploit were found and with no vendor patch available, Ilfak Guilfanov at DataRescue, was first to create a temporary patch for the vulnerability. Microsoft broke their pattern of only providing updates once a month by shipping an update on the 5th of January. One of the incidents we saw was a highly targeted attack on the UK parliament. E-mails like the one below were sent from a South Korean computer to a few dozen high-profile e-mail addresses. THREAT SUMMARIES V. 1 2006 - 2002 9 The e-mail encouraged users to open the attached MAP. WMF file - which exploited the computer and installed a backdoor that allowed full access to all the data on the machine. What made the case really interesting was the social engineering texts used in the e-mail. It was obviously crafted to look like a message from a spy movie with a secretive tone - of course raising the curiosity of the recipients and getting them to open it. January continued being a very busy month with yet another e-mail worm appearing on the 17th of the month and spreading very aggressively. The new worm, called Nyxem.E, (with aliases such as MyWife, Blackworm and Blackmal) was interesting on two counts; it used a web counter to keep track of the number of infected computers and it was set to overwrite files on a certain date every month. In the days of cyber crime, it’s not very often we see malware with destructive payloads like this one. The web counter was another interesting thing about this malware. It’s not the first malware to use a web counter but this time we were able to get the statistics from the counter provider in order to create a breakdown on all the IP addresses having visited the counter. We mapped the IP addresses with our F-Secure Worldmap technology to create a world map showing all the affected machines. Macintosh Virus The virus-free Macintosh honeymoon is over. In February the first virus ever for Mac OSX was found when Leap.A appeared. The malware was originally posted to the MacRumors discussion forum. The virus, spreading via iChat and by infecting local files, was soon followed by other viruses for the same platform, amongst others a proof-of-concept virus named OSX/Inqtana.A, which uses vulnerability in the Bluetooth OBEX Push functionality to spread from computer to computer. Rootkits Still a Problem One of the big issues in 2005 was the Sony BMG rootkit case where CDs were sold with a DRM (Digital Rights Management) copy protection scheme using rootkit technology to hide its presence from users. Rootkits continued to be a problem in the first quarter of 2006 where lots of new malware used rootkit techniques to hide the installed files. Examples of these were variants of the Feebs worm, hiding its presence with a rootkit. It spreads as an e-mail attachment but instead of generating e-mails by itself, it waits until the users sends an e-mail and automatically attaches the malicious attachment to the e-mail in transit without the user’s knowledge. The benefit is of course that the e-mail will always look like a proper e-mail message, because it is! However, the spreading rate will be much slower compared to other e-mail worms. In February we received reports of a case very similar to the Sony BMG. The German DVD release of the movie “Mr. & Mrs. Smith” contained a copy protection mechanism, which used rootkit-like cloaking technology. The Settec Alpha-DISC copy protection system used on the DVD hides its own process but fortunately, and unlike the Sony BMG rootkit, it doesn’t hide any files or registry keys making it impossible to use this rootkit to hide malicious files. The most infected countries were India, Peru, Turkey and Italy. Fortunately, by the time the malware activated on February 3, most users had already cleaned their computers, much thanks to the warnings distributed via the news media. However, thousands of users still had their Excel spreadsheets or Word documents overwritten. All in all, the worm overwrote 11 different file formats. Nyxem.E continues to be active on the 3rd of every month, trying to overwrite files on infected machines. Most reports of affected users continue to originate in India. Our message to software companies producing any software (not just copy protection products) is clear. You should always avoid hiding anything from the user, especially the administrator. It rarely serves the needs of the user, and in many cases it makes it very easy for hackers to breach the security system. THREAT SUMMARIES V. 1 2006 - 2002 10 Two of the most widespread worms used to install botclients have had rootkit technology added to them. In March, variants of both the Bagle and Mydoom families were found, using rootkit technology to hide the worms’ files, processes and registry keys. The Bagle variants are the most interesting in their demonstration of viral evolution and collaboration among virus authors. Two years ago Bagle was a simple virus consisting of one EXE file, e-mailing itself around. It’s not like that anymore. Bagle’s authors for example maintain a complex network and have constructed a suite of programs that work together as the following diagram illustrates: In mid-May we saw a new twist using a rootkit exploit. An online poker backdoor, covertly storing gamblers’ information for potential theft was uncovered by F-Secure’s proprietary rootkit detection technology, Blacklight. In this case the online tool RBCalc.exe, also known as a Rakeback calculator, had been unwittingly distributed from a legitimate gaming site, Checkraised. com. The backdoor, a method for bypassing normal authentication or securing remote access to a computer was created by silently dropping files into the user’s computer using a rootkit driver to conceal the operation. With this in place, the tool’s author could access login information from the user’s computer for various online poker websites. Having gained access, the hacker could then play poker against himself, losing on purpose and reaping the rewards. Shortly after the discovery, Checkraised.com removed the offending exe file from its website and issued an official statement on its website advising users to change their poker site passwords as well as offering instructions for manually removing the malware. Mobile Malware for Everyone The rootkit technique used in both of the cases mentioned is the so-called kernel-mode rootkit, which means that the rootkit has direct access to all system functions, thus making detection even more difficult. If the Bagle authors have seriously decided to turn their attention to upgrading their malware suite with rootkits, then this first step appears to be a dangerous one and one worth keeping an eye on. Fortunately, the F-Secure Blacklight rootkit elimination scanner is able to detect these threats. Mobile malware has now been around since June 2004 but so far damage has been limited. The first Java or J2ME malware was found at the end of February with the emergence of the Redbrowser trojan. This trojan tries to steal money by portraying itself as a way to use WAP services for free. When run, it sends a premium-rate SMS messages to a number in Russia, costing the user around 5 USD for every message sent. Fortunately, the exploit was limited by the use of language - Russian. However, we anticipate seeing attacks of a similar nature in other languages in future. THREAT SUMMARIES V. 1 2006 - 2002 11 In March of 2006 the first mobile spyware application was found in the form of FlexiSpy. Being a commercial application, the customer logs into a portal where the software, when installed on the mobile device, monitors all calls, SMS and MMS messages and posts them to the portal. The software is advertised as a clever means for suspicious husbands or wives to keep track of their spouses’ online activities. For those couples with the right data security installed, however, this will not work. F-Secure Mobile Anti-Virus will detect and remove this spyware application as it installs itself without any indication of what the functionality of the software is. In March, the mobile malware count reached and exceeded the 200 limit. Launch of F-Secure Worldmap The F-Secure Worldmap is a system used by the Security Research Labs to monitor the spreading of viruses, in real-time, around the world. The system can also be used to play back earlier events, for example when comparing a new outbreak with a previous one to determine the correct alert level to the press and other bodies. In March, a public version of the tool was launched on our website, making it possible for anyone to see the spreading of viruses around the world. Visitors to the website can easily see the virus situation at any given time and also in a particular location. Phishing is Popular F-Secure conducted a simple search across com/net/org/ us/biz/info top-level domains for common bank names and other financial institutions and the results show that they are very well represented on the web - clearly some of these are legitimate but typically most are there to separate the foolish and their money. KEYWORD NUMBER OF DOMAINS citibank* 497 bankofamerica* 407 lloyds* 994 bnpparibas* 41 egold* 691 hsbc* 1258 chase* 6470 paypal* 1634 ebay* 8057 Unfortunately, phishing works. In a recent study examining phishing website techniques, it turns out that the most visually deceptive website spoof was able to fool 90 percent of the study’s participants. That 90 percent figure includes the most technically advanced users among the participants. It was the look, not the spoofing of security features that did the job - something that our resident phishing expert found quite interesting. Crossing disciplines and summing up an article published last summer in the journal Neuron - If you don’t see something often, you won’t often see it. Perhaps you could also say - If you don’t see fakes often, you won’t often see fakes. Therefore, many phishers while designing visually deceptive phishing sites count less on technical subterfuge than on the failings of the human brain’s power of perception. If it looks like what the brain is expecting, then the brain often won’t see that it isn’t. Our experts wonder why don’t banks allow users to customize their online banking interface with a picture of preference - for example a passport picture, an image of a pet or other family member - something at least that would indicate authenticity - something that the users would miss if it weren’t there. There are companies that are working on visual personalization technology and the data security researchers at F-Secure think it’s a good idea that could significantly reduce the size of the phishing net. We are starting to see it happen. THREAT SUMMARIES V. 1 2006 - 2002 12 No April Fool On one day of the year, it’s commonly understood not to believe everything you hear, that day being April 1. For some reason, a surprising number of people thought that our new Moomin-themed security product, Internet Security 2006 was an April Fool’s Day joke, which is presumably what you get when you announce something like that on such a day! change in the situation, should you have such an ignition key, get yourself a tin foil cover for it! It’s an interesting read, check it out at the following address: http://reviews. cnet.com/4520-3513_7-6516433.html?tag=txt Mobile Security What’s the Word? In late May there was quite a lot of discussion about the new zero-day vulnerability in Word. According to sources, a US-based company was targeted with e-mails that were sent to the company from the outside but were spoofed to look like internal e-mails. The e-mails contained a Word DOC file as an attachment. When run, the exploited file ran a backdoor hidden with a rootkit allowing unrestricted access for the attackers, operating from a host registered under the Chinese 3322. org domain. But the Moomin- themed product is very real and will be available in Europe this year. It’s already for sale in Japan - and there’s good reason for that. The worldwide popularity and merchandising of the Moomin family dramatically increased in the 1990’s when a Japanese production studio animated the stories, making them massively popular there. Modern Car Jacking In a parallel step away from viruses, modern car thieves don’t bother with crowbars or improvised coat hangers to break into modern cars - they use laptops. If your expensive car is using a keyless ignition 40-bit encryption authentication system you might find your ride gone in 60 seconds. Robert Vamosi has written an article on keyless ignition systems based on a study from Johns Hopkins University and RSA. Vamosi noted in conclusion that the manufacturers of the RFID systems don’t seem to think there’s a problem. Perhaps they should ask David Beckham who had his BMW X5 stolen in Spain using exactly this technique. So our advice is, until there is any DOCs are a nasty attack vector for a couple of reasons. A few years ago, when macro viruses were the number one problem, many companies denied native DOC files at their e-mail gateways. Nowadays DOCs typically are admitted. The more important reason to be concerned is that Word has vulnerabilities and users typically don’t install Word patches nearly as well Windows patches. 3322.org is a free host bouncing service in China. Anybody can register any host name under 3322.org and the service will point that hostname to any IP address specified. There’s actually a series of such services, including 8866. org, 2288.org, 6600.org, 8800.org and 9966.org. If you have any doubt about the origin of a Word doc entering your e-mail, we’d recommend you’d at least check your company’s gateway logs to see what kind of traffic you have to such services. Da Vinci Mobile Virus - Truth or Fiction? Also in late May, a rumor originating in an online Indian publication caused a stir about a new mobile virus using the name “Da Vinci virus” - malware obviously surfing off the marketing buzz around the general Hollywood release, the “Da Vinci Code”. THREAT SUMMARIES V. 1 2006 - 2002 13 By the end of May, the F-Secure Data Security Laboratory didn’t have a single infection report and no sample of such malware. Is it truth; is it fiction? Time will tell but for a look at the original story go to: h t t p://w w1.mid-day.com/ news/city/2006/may/137895.htm World Cup or Own Goal? And last of all, eager football fans in Germany might get a bit more than they bargained for if they answer a new mass mailing worm called Banwarum (also known as Zasran and Ranchneg) that is using World Cup themed e-mail messages. The worm sends itself as a password protected archive and includes in the e-mail the password for it. The e-mails sent by the worm are in German and some of them offer tickets for the football games in Germany in June. There are already three functionally similar variants of this worm. FSAV detects .A and .B variants of the worm with update version number 2006-05-24_04 and variant .C with update version number 2006-05-25_01. One of the e-mails sent by the worm looks as follows in English translation: “Hi man, I saw that you want to go to the World Cup. Don’t ask who am I and why I am doing this. Here you have 5 pieces, which are a special on-line version, print it and sign. Password to the archive is (psw). With friendly greetings Nobody ;)” For all soccer fans, we at F-Secure recommend you search for more information on the World Cup and the tickets from the official site for the 2006 FIFA World Cup Germany. Virus Statistics for the First Half of 2006 The top 10 viruses reported to the F-Secure Worldmap for the first quarter of 2006 were: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. E-mail-Worm.Win32.Nyxem.e 17,3 percent Net-Worm.Win32.Mytob.x 11,2 percent E-mail-Worm.Win32.NetSky.q 11,2 percent Net-Worm.Win32.Mytob.az 11 percent E-mail-Worm.Win32.Sober.y 5,7 percent E-mail-Worm.Win32.Bagle.fj 4,3 percent E-mail-Worm.Win32.Mydoom.m 3,3 percent E-mail-Worm.Win32.Doombot.g 2,4 percent Net-Worm.Win32.Mytob.c 2,2 percent Net-Worm.Win32.Mytob.bi 2,2 percent By June 2006, just 20 years after the first detected virus, Brain, there were over 185, 000 recorded viruses. Authors: Patrik Runald, Senior Security Specialist and Mark Woods, Corporate Communicator THREAT SUMMARIES V. 1 2006 - 2002 14 2005 H2 2005 THREAT SUMMARY In the second half of the year, we can report that the trend towards mass assaults using network worms has dropped significantly with two major outbreaks, one in September causing larger disruptions internationally and the second, a worm flooding email systems in late November. Nevertheless, the virus count continued to rise with alarming force increasing from 110,000 to approximately 150, 000 by the end of the year. July 2005 started out for data security professionals visiting the DEFCON conference in Las Vegas - the largest computer underground event in the world was held. As usual, the participants came from both sides of the fence and everything inbetween with thousands of black, grey and white hat hackers as well as security professionals, law enforcement members and undercover agents. In slightly less exotic Helsinki: the Assembly’05 demo party was the scene of 5000 geeks gathering together for four days. The event was of particular interest to the data security lab specialists since many of the techniques used in demo coding are written in low-level assembler, and to fit within tight limits using really advanced compression techniques. Overall, it was a tough year for high profile malware authors around the world, at least according to the number of convictions. In July three men in their early 20s heading an international extortion ring were arrested in raids in Russia apparently after launching big DDoS attacks from botnets against gambling sites, then emailing them and asking $50,000 for not doing it again. Despite the money trail routing itself to Russia via the Caribbean and Latvia, the UK police were nevertheless able to trace it, leading eventually to the arrests. Various other virus authors were reached by the long arm of the law including the VBS/Lasku virus author in Finland, the Peep backdoor author arrested in Taiwan and most notoriously, the Sasser and Netsky author, Sven Janschen who equally notoriously received a thirty hour community service order and suspended sentence for creating a worm that caused damage in the millions of dollars before it was brought under control. THREAT SUMMARIES V. 1 2006 - 2002 15 Spam is bad for your health Sometimes, things are handled differently in attempting to stop the spread of malware and spam. In July, Russian media reported the owner of the American Language Center, Vardan Kushnir, had been killed. According to the reports, Kushnir had suffered massive head trauma when he was found in his apartment in Moscow. The American Language Center provides English language courses for Russian speaking people and reportedly organized the largest spam campaign in Russian history. Spam was sent to over 20 million e-mail addresses belonging to Russian speaking people. The campaign was so pervasive that you can hardly find a Russian who has never received a message advertising the American Language Center. The killing of Kushnir might not, however, be related to his company’s spamming although many people might have wished him dead after receiving yet another spam email from his company. Russian authorities are currently investigating the crime with suspects in the thousands. Phishing is obviously worth it In July, the Financial Times Deutschland reported that German banks lost 70 million Euros due to phishing attacks over the last year and this figure is growing fast. If this is the case in one country we can extrapolate that phishing is not only big business but is also clearly worth it to the criminal fraternity. As phishing becomes more widespread, however, so too do the authorities’ ability to detect it. As a result, typical larger phishing targets, such as those made onCitibank, eBay, Paypal and US Bankhave been replaced by more focused attacks against smaller targets in order to find users who still can still be fooled to respond to a phishing email. This has resulted, for example, in a series of attacks against German banks, with increased activity against organizations like Deutsche Bank and Postbank. As a result, both Deutsche Bank and Postbank will be introducing one-time passwords, which are needed to authorize online transactions. There is some evidence that the criminal organizations behind phishing attacks have been jumping from one geographical area to another looking for more targets. First we saw them in the US, then in Australia and then the UK. In Germany, the attacks were localized in the German language as was the case earlier in 2005 when phishing cases localized in Danish were detected in Denmark. It didn’t take long afterwards in August for a large-scale attack against Nordea in Sweden. Nordea is the largest bank in the Nordic countries. It also operates one of the largest Internet banks in the world, with over 4 million Internet customers in eight countries. In this particular case somebody spammed a large amount of spoofed emails with links pointing to a fake bank. Once again, the attack was localised in the target language but this time, the scam was aimed at breaking through Nordea’s one-time password system. The system in use by Nordea Sweden consists of a scratch sheet, where you scratch the paper to uncover the next available pin code for login. Attacking a site like this is quite a bit more challenging than attacking banks authenticating users with a bank account number and a constant 4-number pin code as was the case in Germany. The fake mails explained that Nordea was introducing new security measures, which could be accessed at w w w.nordea-se.com or w w w.nordea-bank.net (both fake sites hosted in South Korea). The fake sites looked fairly real. They were asking the user for his personal number, access code and the next available scratch code. Regardless of what was entered, the site would complain about the scratch code and ask for the next one. In reality, the phishers were trying to hook several scratch codes for their own use. Nordea Sweden took the threat seriously and immediately shut down their whole Internet bank while they looked into the assault and immobilised it. Apparently this was done in order to prevent the scammers from using the codes to move money around. THREAT SUMMARIES V. 1 2006 - 2002 16 Overall, by September, the number of phishing attempts overall had levelled out but this was also marked by an increase in the volume of spam. This marked rise appears to be caused by a large number of matchmaking spams. So it would seem that the activities of a single determined spammer can still make a difference. Typosquatting for careless typists Earlier this year we saw evidence of typosquatting with the Google surfers mispelling it as ‘googkle’ leading them to all manner of malware ridden sites instead. In the autumn, an even larger exploit concerning typosquatting was launched - no surprises there but the sheer scale of the domains created to trick the unwary was impressive 150 of them, many of which were targeted to data security companies. Among other typosquats we found:”www-f-secure.com” and “wwwf-secure.com” which at the moment point to a web site called “nortpnantivirus.com”. The good news is that at least this site isn’t used for phishing or for downloading trojans. Other typosquats related to security firms include the following: f-secue.com, mesagelabs. com, mcafeeantiviru.com, bitdefneder.com, pestpatorl. com, wwwbullguard.com, pandafirewall.com, sendamil. org and centralcomand.com. Terror attacks, natural disasters and exploitation In a year characterised by a large number of natural disasters and terror attacks, another important and regrettable trend repeated itself - members of the malware community using other people’s misery for profit. After the 9/11 attack against the World Trade Center in New York, malware was launched using the event to trick users into running malicious attachments. Just two weeks after the September attack the e-mail worm W32/Vote.A@mm was found and exactly a year after the event another e-mail worm, W32/Chet@mm, was found. While Vote.A didn’t spread very well the Chet worm was widespread and prompted an F-Secure Radar 2 warning. In July of this year, the same pattern repeated itself with the underground terrorist attack in London. Shortly after the bombing the first trojan was detected as an attachment in e-mail messages. The ZIP file contained the file ‘’London Terror Moovie.avi <124 spaces> Checked By Norton Antivirus.exe’. F-Secure detected the trojan as ‘SpamTool.Win32.Delf.h’ and promptly sent out an update. In September there were reports of a spam message with subject fields like “Katrina killed as many as 80 people”. The message seems to contain a news article on the devastation caused by hurricane Katrina but actually directed the reader to a website called “nextermest. com. Further investigation reveals that the site is just a placeholder that refreshes to a page that tries to download the Trojan-Downloader.JS.Small.bq malware. Major virus outbreak in August In August the Data Security Laboratory in Helsinki’s headquarters mapped the course of a botwar that took on the proportions of an international incident before it was stopped. It started with a new virus round about lunch exploiting a Microsoft patch vulnerability: the MS05-039 PnP hole. As the virus progressed, CNN was struck as was the Financial Times, The New York Times and ABC. The attack which centres around the Zotob virus is also aided by assaults by bot variants which interestingly compete with each other over infected machines actively removing the resident infection and replacing it with their own. Specifically, there are two groups that are fighting: IRCBot and Bozori vs Zotobs and the other Bots.Widespread disruption, particularly in the media was eventually brought under control and F-Secure’s report makes the headlines in over 500 different journals in the days that follow. THREAT SUMMARIES V. 1 2006 - 2002 17 Not long after the outbreak, two young men were arrested regarding the Zotob PnP worm case. Moroccan authorities arrested “Diabl0”, aka Farid Essebar and Turkish authorities arrested “Coder”, aka Atilla Ekici. The suspects are aged 18 and 21, respectively. Then there are several social networking applications that use Bluetooth such as YOU-WHO and CrowdSurfer. Which enable people to use Bluetooth for social networking and gaming and these naturally lower the bar for accepting any connections and files from unknown persons. Mobile malware proliferation And finally most Cabir variants are quite aggressive in spreading, and keep sending the Bluetooth connection request, even when the user clicks ‘no’ to them. Eventually, the user gets frustrated and start clicking yes to all questions with inevitable results. Interest in mobile malware continues to grow in step with the increasing media coverage, To date, F-Secure has received an increasing number of queries about just how many known mobile malwares are out there. At the time of writing the total count has already exceeded 100 - a landmark in the progress of viruses and their assault on the mobile environment. Symbian-related malware is the vast majority of all mobile malware. The large number just shows how popular Symbian devices are, thus making them the most interesting target for malware authors. F-Secure Mobile Anti-Virus has been able to handle 61 (74 percent) cases of Symbian malware with generic detection. Which means that the Anti-Virus has been able to detect and stop the malware without the need for database updates. Commwarrior continues to spread Nevertheless certain viruses continue to spread unchecked, most obviously the infamous Commwarrior which has now been reported in infection cases in twenty countries so far spanning from as far afield as India and South Africa. In August F-Secure received a sample of new Symbian trojan Doomboot.A that drops Commwarrior.B and damages the phone such that it does not boot anymore. While other trojans have dropped several different Cabir variants, Doomboot.A is the first known trojan that drops Commwarrior and uses a new technique to break the phone. As all currently known Symbian trojans and worms display several warnings, it would be easy to blame any user who got phone infected for being stupid or ignorant. However, it seems that the explanation why people get infected by Cabir and other Bluetooth worms show that it is not so straightforward. Firstly, a great deal of Symbian software requires Bluetooth to be visible in order to work properly. And some of these programs either switch on the Bluetooth without asking the user, or display the activation question in such a manner that the user is likely to answer yes. Like most of the Symbian trojans Doomboot.A also pretends to be a pirate copied Symbian game. So people who don’t download and install pirate copied games or applications are safe from nasty surprises. What makes Doomboot troubling is the unpleasant combination of Doomboot and Commwarrior’s effects on the phone. The Doomboot.A causes the phone not to boot anymore and Commwarrior causes so much Bluetooth traffic that the phone will run out of battery in less than one hour. Thus the user who gets his phone infected with Doomboot.A has less than one hour to figure out what is happening and disinfect his phone, or he will lose all data. THREAT SUMMARIES V. 1 2006 - 2002 18 In September,an otherwise unremarkable Symbian Trojan, SymbOS/Cardtrap.A is, put a new spin on mobile malware by being able to cross infect a PC if the user inserts the phone memory card to his PC. When infecting a Symbian phone, the Cardtrap.A copies two Windows worms (Win32/Padobot.Z and Win32/Rays) to the memory card of the phone. Padobot.Z is copied with an autorun.inf file in an attempt to start automatically if the card is inserted to a PC using Windows. Rays is copied with the filename SYSTEM.EXE and the same icon as the System folder. This is done as a social engineering technique so that the user would click on Rays instead of the System folder. Luckily, both Padobot.Z and Rays are detected by F-Secure Anti-Virus, and we have added detection and disinfection for them also for F-Secure Mobile Anti-Virus. Viruses spread to MP3 players and game consoles At the end of August, reports came through of a commercial MP3 player being shipped out with a virus. The manufacturer, Creative reported it had accidentally shipped almost 4000 MP3 players with a Windows virus. This happened in Japan with the 5GB Zen Neeons players. The filesystem on the players contains one file that is infected with the Wullik.B (also known as Rays.A) email worm. The worm does not, however, infect PCs unless the user browses the player’s files and clicks on the infected file. In October this was followed up by a malware alert for Sony Playstation appearing in a firmware dowgrade tool that turned out to be a trojan rendering the PSP unusable. The infamous patcher from PSP Team removes a few important system files from the flash, which makes the system unbootable. This tool has been reported to be the first “PSP virus” by many sources. Since it does not replicate in any way, however, by the F-Secure definition it can called a trojan at most. It definitely falls under the malware umbrella term, however. It is worth mentioning here that, according to Sony, running any unauthorized code on the PSP will immediately void the warranty. Hot on the heels of the first PSP Trojan in October, the data security lab received reports about the first trojan for the Nintendo DS handheld gaming console.This simple trojan, known as “DSBrick” overwrites critical memory areas, preventing the console from booting. Back with Sony again, the big news in November was the discovery of a rootkit detected in some Sony BMG music CDs placed there by the company itself to enforce the copy control policies of its audio CDs. The rootkit, which acts as a covert method for monitoring customer behaviour through Digital Rights Management software is installed when the user inserts the CD to a Windowsbased PC, and accepts a license agreement. Unknown to the user, the rootkit is installed after which, there’s no direct way to uninstall it. The system also opens a possible backdoor for viruses (or any other malicious program) to use the rootkit to hide themselves. The good news is that F-Secure’s BlackLight scanner introduced this year in March is able to detect both the Sony DRM rootkit system and any other malware that hides using it. Speaking about the Sony case, Risto Siilasmaa, CEO of F-Secure said: “The real story, and the very valuable lesson, here is that many companies are linking their products to ICT technology. This means that they need to educate themselves on data security issues, build processes to handle claims of vulnerabilities, train their PR people to deal with these kinds of situation and so on. Hundreds of consumer electronics companies will find themselves in the same boat with Sony.” Also in late November F-Secure issued a Radar Level 1 alert about a New Sober variant that caused the year’s largest email worm outbreak with everal millions of infected emails reported by Internet operators. The mails contained faked messages from such claimed sources as the FBI and CIA asking its recipients to open an attachment containing the Sober variant worm. The first Sober was found in October 2003, over two years ago and F-Secure believes all 25 variants of this virus have been written by the same individual, operating from somewhere in Germany. Interestingly, the author seems to be from the old school of virus writers seeking for fame not fortune since there appears to be no clear financial motive behind the exploit. THREAT SUMMARIES V. 1 2006 - 2002 19 Successful product releases and the move from software to hardware Back in June, F-Secure released F-Secure Client Security 6.0 and, after a summer break, the reviews have started to flow in. Most significantly for F-Secure, Infoworld review of F-Secure Anti-Virus Client Security 6.0 in September put F-Secure ahead of all the major competitors in a large review. H1 2005 SECURITY THREAT SUMMARY Spam wars, pc viruses, mobile viruses, phishing and typosquatting, F-Secure Anti-Virus Client Security 6.0 launch and multiple awards Despite the efforts of companies like F-Secure to eradicate spam from email servers and private mailboxes, the volumes continued to rise in the first half of 2005. Indeed, spam accounts for 85 percent of mail traffic globally, so concerted efforts on behalf of antivirus vendors and legislators to stop this modern plague are needed. To quote the magazine: “Support for real-time protection also varies among vendors. McAfee’s, Trend Micro’s, and Tenebril’s versions allow the malware to install, but prevent it from executing, thus leaving it installed but neutered until a removal scan is started. Others, such as Sunbelt CounterSpy, block most malware installs while missing others, and, like Trend Micro, remove existing traces on next scan. F-Secure did the best job of preventing initial installations, blocking all spyware and malware attacks.” Nevertheless, Microsoft’s Bill Gates made optimistic statements about eradicating spam predicting in January 2004 that technology will help us finally win the battle against spam by 2006. One of the first steps in that direction was announced by Microsoft in April 2005 with the corporation’s first foray into offering data security management software - a consumer subscription service called Windows OneCare. The service is scheduled to include antivirus, antispyware, firewall, PC maintenance, and data backup and restore functionality. For its part, F-Secure welcomed the fact that the IT giant is starting to develop similar service-centric security concepts to the ones that it has successfully pioneered over the past five years. Also in September, F-Secure launched its flagship consumer product, F-Secure Internet Security 2006 and shipped out 42,000 boxes of the product destined for retailers across Europe. The latest version contains a wealth of new features that will undoubtedly result in favourable reviews still this year. Viruses Infections under control in first half of 2005 And also in September, F-Secure made a significant decision to change the dynamic of company production: after 17 years as a software company F-Secure started selling its first hardware product, ever. The box is called F-Secure Messaging Security Gateway. It’s a 1U-sized rack-mountable appliance that sits next to your email server and filters spam and viruses from the message traffic, automatically. The appliance is a result of collaboration with US manufacturer Proofpoint and initial response has been favourable. The virus situation is actually looking pretty good. The amount of virus outbreaks is down almost 50percent compared to same time in the previous year. Nevertheless, the number of viruses has consecutively grown an average of 40 percent per year for the past two years - all this in step with the growth of spam. Industry pundits put this marked growth in relation to two phenomena, the ongoing increase in processing power allowing PC users to advertantly or inadvertantly propagate spam and spam scams, and the fact that more and more people have broadband connections keeping them on line potentially 24/7. THREAT SUMMARIES V. 1 2006 - 2002 20 According to world famous security expert, Bruce Schneier who paid a visit to the F-Secure headquarters in May, anti virus protection is a ‘done deal’ equivalent to inoculating against the common cold. Despite what he described as the ‘insane amount’ of new viruses emerging everyday he was happy to note that the technology already exists to fight it. For F-Secure, this stands true - in its efforts to offer the best security possible the company opened two completely refurbished state of the art data security labs, the first in mid March in its San Jose office and the second at the end of May at its headquarters in Helsinki. Nevertheless, black hats benefiting from cheap bandwidth, a good technology infrastructure, and poor policing in certain countries are able to launch increasingly bold exploits that aim to circumvent traditional prevention techniques. Phishing, pharming and Trojans One particular trend in malware-writing from the black hats is the rapid increase in new trojans and bots. Unlike the more indiscriminate assaults by viruses and worms, trojans can be delivered with precision to target organisations via email attachments or links to websites. Once a system is infiltrated, remote hackers can go about stealing information and planning further attacks from the inside. The stealth aspect of Trojans, meaning that they don’t replicate under their own power, conceals the fact that they are significantly on the rise as a highly effective tool for criminal exploits. Phishing is another good example of the modern criminal mind because it combines the global reach of spam messaging with the subtle psychology of the confidence trickster. In addition to the typical phishing targets, such as eBay, Paypal and large American and British banks, we’re seeing a move towards smaller markets. This is probably happening as most customers of a bank like Citibank have already received a hundred different phishing messages and will not be fooled by another one. Given the possibility that a phishing message gets past all relevant filters and into your email inbox, the only true protection is your own common sense. Recognizing the mail for what it is, the best policy is simply to delete it. Another more sinister evolution of phishing is the term pharming or the exploitation of a vulnerability in the DNS server software that allows a hacker to acquire the Domain Name for a site, and to redirect traffic from that web site to another web site. DNS servers are the machines responsible for resolving Internet names into their real addresses - effectively the “signposts” of the Internet. If the web site receiving the traffic is a fake web site, such as a copy of a bank’s website, it can be used to “phish” or steal a computer user’s passwords, PIN number or account number. So, for all on-line transactions, set the alarm bells ringing if you receive invalid server certificates especially when attempting to enter any site where you deposit confidential information or perform money transactions. Worms, hostage-takers and bogus WLANS At the beginning of May this year a new email worm Sober variant was reported in the wild in Europe sending variable messages in English and German. In this case, the authors were banking on the German public’s interest in football, and specifically the forthcoming World Cup with some predictable results. The worm was released on the same day ticket sales for the next World Cup began. Sober.P sent a message out in German confirming successful ticketing application to the soccer world championships encouraging recipients to open an enclosed and infected file. FIFA was quick to respond with a public warning but not before its system experienced some heavy traffic as a result. The worm itself compromised thousands of PCs with reports coming in from 40 countries. As with everything else these days, the malware community has become very adept at blending, automating and adding new layers of sophistication to their threats. In May there were reports of a data stealing Trojan called Agent.aa Trojan (aka Trojan-PSW.Win32. Agent.aa or Bancos.NL) which monitors active Internet Explorer instances. When a web page containing certain domain names is visited from an infected computer, the Trojan logs data from the web page, including key strokes and also takes screenshots of browser windows. Unsurprisingly, domain names in this particular exploit are mostly online banks but what sets this Trojan apart is the sheer volume of banks listed: 2764 different sites in total from over 100 different countries. THREAT SUMMARIES V. 1 2006 - 2002 21 At the end of May there were also reports of a piece of malware that can take hostages and demand a ransom. The Trojan called Gpcode (also known as PGPCoder) encrypts user’s files with certain extensions and then asks for a ransom to “fee” (decrypt) them - a good example of adapting new technology to fit a more commonly recognized model of criminal activity in the ‘real world’. Luckily, Gpcode had a very simple encryption algorithm, so it was possible to create a decryptor for the encrypted files and F-Secure Anti-Virus was able to detect and decrypt files encrypted by Gpcode. A further demonstration of the criminal mind in action to take advantage of gaps in modern technology came out in March when it was discovered at a conference in London that hackers had created malicious WLAN hotspots with a forged log-in web page. People using the hotspot to access websites automatically found themselves to be the target of malware. While the exploit came to light, it raises worrying implications on the use of free wireless hotspots for business travellers hopping from one connection to another often with important data in their laptops. This exploit seems to be the model for more to come. With this in mind, the best way to protect yourself against such attacks, is to have up-to-date operating system and browser, with the latest anti-virus and firewall software installed. Also, it is important to have any critical connections secured over VPN, and not to use any unsecured service connection requiring your user name and password. Also in March, F-Secure was actively engaged in promoting its new BlackLight Rootkit software at the monumental CeBIT fair in Hannover, Germany. Blacklight addresses the problem of rootkits, which allow hackers to create backdoors in systems completely under the radar of traditional anti virus software. While this exploit is not common, it has been implicated in a number of high profile corporate espionage cases in the States. Now, thanks to BlackLight technology, system administrators have a new tool in their armoury against their increasingly cunning opponents. If only to demonstrate the impact of the new release in the malware community, a spyware manufacturer released a version of their Trojan marketing it as “Hidden from by F-Secure BlackLight Rootkit Elimination Technology!”. The spyware used a simple trick: identifying the BlackLight process and not hiding from it. Never versions of BlackLight have been modified so that it can’t be hidden from in this manner. As evidence of the ingenuity of the online criminal fraternity in their attempts to trick unwary websurfers is the raise in malicious typosquatting websites. In the case in point, if you happen to mistype w w w.google. com (one variation being w w w.googkle.com) you will be lead to a site that will start a huge chain of web pages with exploits in various. As a result, the poor mistypist will have seriously malware and spyware infected computer. So, our advice to you is keep your browsers up to date and practice your touch typing. The advance of mobile malware Mobile viruses continue to make news although it appears that the majority of them continue exhibit ‘proof of concept’ ie malware authors are putting their toe in the water to demonstrate that mobile viruses are possible. So far, the worst damage has been shown by a Trojan called Skulls, a malicious SIS file Trojan that replaces the system applications with non-functional versions, so that all but the phone’s basic functionality is disabled. Once again, as evidence of malware author ingenuity, F-Secure received reports this spring of a Symbian Trojan Skulls.L that pretends to be a pirate copied version of F-Secure Mobile Anti-Virus showing a dialogue text “F-Secure Antivirus protect you against the virus. And don`t forget to update this!” Users are advised not to download F-Secure Anti-Virus files from any other server than the official F-Secure site. For your information, all official F-Secure Anti-Virus installation packages are Symbian signed, so that when installing it, the user does not get the warning about a missing installation package signature. If you are trying to install F-Secure Mobile Anti-Virus and you get a warning about a missing signature, simply abort the install. Equally, in spring there were numerous reports of Cabir sightings in the wild this spring in more than 23 countries, as far afield as New Zealand and Switzerland. Cabir is a worm that runs in Symbian mobile phones that support Series 60 platform. Cabir replicates over Bluetooth connections and appears in the infected phone’s messaging inbox as a SIS file containing the worm. The minute the unwitting user clicks on it and chooses to install, the worm activates and starts looking for new devices to infect over Bluetooth. THREAT SUMMARIES V. 1 2006 - 2002 22 More worryingly for smartphone owners is the arrival of Commwarrior - a mobile virus that spreads both via Bluetooth and MMS messages, which was first reported in the wild in Ireland already in January 2005. Commwarrior could potentially be much bigger trouble than Cabir because of its capability to spread via MMS thus allowing it to jump from one country to another easily. Up to the first half of the year, reports on phones infected with Commwarrior came from 15 different countries, including USA, Ireland, India, Italy, Germany, The Philippines and of course, Finland. When Commwarrior arrives via MMS, the user sees a message that contains a social engineering text and an attachment. The problem with viruses spread by MMS is the trust factor; people are more likely to open a file from someone they know thus giving the virus access to their own contacts file and ever onwards. Commwarrior infected phones can be easily disinfected with by surfing to mobile.f-secure.com and downloading F-Secure Mobile Anti-Virus - or manually with a third party file manager. And telecom operators can scan the MMS traffic for viruses using a suitable tool, for example F-Secure Mobile Filter. Award winning and malware conquering across the board In the first six months of the year, F-Secure’s products was awarded more than eight times in important trade magazines from around Europe as well as receiving a number of other positive reviews - all validating the excellence of F-Secure as the connoisseur’s choice of antivirus software. As a company we actively solicit the critical review of our products to enable our customers to make informed choices. Achieving awards validates the quality of our products and proves in an unbiased manner to our customers that with F-Secure they can be sure of the highest levels of protection on the market. View our review successes at Awards page. And with the highest protection in mind, F-Secure launched its flagship product Anti-Virus Client Security 6 in June at the same time introducing a new approach to tackling modern day threats known as ‘Behavior Adaptive Security’ allowing protection to be kept at the highest level no matter how people use their computers and networks. A practical example of how this adaptive technology works is the automatic security level change when a roaming user connects his laptop to a network outside corporate premises. Another example is the monitoring of suspicious activities beyond ‘normal parameters’ so that no software is allowed to take control over the computer without the users’ approval. In this manner, F-Secure has created the means to anticipate security threats beyond the control of traditional anti virus prevention and raise the threshold to a new unprecedented level. Examples of malware exploits in the first half of 2005 indicate that the malware community are ingenious in their ability to create workarounds to traditional AV solutions and invent unprecedented attacks in order to achieve their criminal goals. Based on our awardwinning track record and an innovative approach to evolving security threats we are confident, however, that subsequent releases like F-Secure Anti-Virus Client Security 6.0 prove to industry specialists and customers alike that we will continue to fulfill the highest requirements in the market. THREAT SUMMARIES V. 1 2006 - 2002 23 2004 2004 THREAT SUMMARY When looking back at the year 2004, it's clearly split in half from the middle: the beginning of the year was record-breaking busy with a huge number of major new virus outbreaks. However, since June, things calmed down and we've only had a few serious outbreaks since. This development cannot easily be attributed to any single reason. New trends in 2004 were primarily the massive increase in phishing email scams, introduction of open-source botnets - networks of infected machines harnessed for malicious operations, and for-profit virus-writing, but this year was also the best year ever in actually catching virus writers and other cyber criminals. The network worm problems encountered during the year have shown how important it is to protect every single computer with a personal firewall. During 2004 the number of known viruses passed the 100,000 mark. F-Secure Corporation classifies viruses according to their severity on a scale called Radar. The number of level one alerts, or the most severe type, was four in 2004 (7 in 2003). Most of the Radar alerts issues in 2004 happened during the first five months of the year. When we look at the year as a whole, six virus families were in a league of their own: Bagle, Mydoom, Netsky, Sasser, Korgo and Sober. It is interesting to note that of these six largest cases, three of them would be categorized as forprofit virus writing (Bagle, Mydoom and Korgo). These viruses are linked either with spammers or with stealing of banking information. THREAT SUMMARIES V. 1 2006 - 2002 24 Around 70percent of all email is nowadays spam - and most of that is sent through infected home computers. As spammers also make good money out of it, they can invest into their operations - making the problem even worse. Due to this and the organized crime behind some of today's viruses, the amount of infected email has grown massively from 2003. Despite of this we have only seen a few big outbreaks in the second half of the year 2004. The Virus War The year kicked off with an intense battle between the creators of three different viruses; Bagle, Mydoom and Netsky. All three are email worms, spreading by sending infected attachments. Bagle and Mydoom create spam proxies; Netsky uninstalls them. What we saw during January-May was an unusual race between three different viruses. New variants are popping up all the time, peaking on March 3rd, when we found a new variant of each within one hour! Doomjuice.A managed to disrupt the operation of ww w. microsoft.com in February. Graph (c) Rommon. It is interesting to note the variety of techniques we saw in the different variants of these worms. For example, they would use highly misleading icons to try trick users into clicking email attachments. Bagle sometimes used icons which resembled folders - but they were in fact the virus carrying executables. The biggest single outbreak was Mydoom.A - in fact, this outbreak, first seen on January 26th, was the largest email incident in history, bypassing even the Sobig.F epidemic of 2003. At its worst, close to 10percent of all email traffic globally was caused by Mydoom.A. Many of the Mydoom variants launched distributed denial-of-service attacks: • Mydoom.A attacked and took down SCO.COM (as a result, SCO took the domain offline for five weeks) • Mydoom.B attacked MICROSOFT.COM with little visible results • Doomjuice.A also attacked Microsoft and was successful to some level • Mydoom.F attacked and took down RIAA.COM Mydoom.M used Google to search for email addresses. ( as a result, Google was overloaded with requests and remained offline for hours). Mydoom relied on substituting icons of familiar applications to it's attachment, making the virus appear to be a document or a movie file: Late variants of Bagle came up with new tricks: • At first, Bagle sent infected executables as attachments • We started detecting that • Then it started sending zipped executables • We started unpacking the ZIPs and detecting the virus THREAT SUMMARIES V. 1 2006 - 2002 25 • Then Bagle started encrypting the ZIPs with a password and telling the user the password in the email • We started searching the email for the password and decrypting the attached ZIP files • Bagle started telling the password to the user in an image, so it couldn't be found from the email text. • - and so on and on, in a big game of cat and mouse. Netsky played its own tricks, for example by adding fake "scanned for viruses" banners to the mails it sent: in January 2004. Bagle.A downloaded it from a web site and installed it to infected computers. Mydoom.A left a small backdoor to each infected computer. Several days after the initial outbreak someone who knew how to operate the backdoor portscanned large parts of the internet address space and installed another version of the Mitglieder trojan to these machines - and started sending spam through them. The fact that both Bagle and Mydoom families are utilizing the Mitglieder trojan might indicate that there is, in fact, a single group of virus writers behind both of them. Some variants were more successful than others. Netsky.P became the most widespread. It was the most common virus in our statistics from April 2004 to August 2004 an is still in the top 10 in December. The result of all of this was that the first months of the year were very busy virus-wise - probably the busiest we have ever seen. Around June, however, the situation started to calm down a bit. Case Sasser On May 1st we saw the biggest network worm case of the year: The Sasser worm started spreading, exploiting a new security whole in the LSASS service of Windows 2000 and XP. Microsoft had issued a patch for this hole only 18 days earlier, meaning that many organizations had not yet installed the patch. This phenomenon, where a realworld virus would be found in just days after a vulnerability was announced publicly, was repeated several times throughout the year. Another trick was seen in Netsky.X: it sends messages in many different languages depending on the recipients top-level domain. The message could be in English, Swedish, Finnish, Polish, Norwegian, Portuguese, Italian, French, German. The main goal for Bagle and Mydoom was to turn the infected machine into a spam proxy that the spammers could use to send out bulk email. The Mitglieder proxy trojan is an interesting link between these two viruses. The first known version of this trojan was used by Bagle.A Sasser could be compared to the Blaster outbreak in August 2003 in many ways. Both were automatic network worms affecting Windows 2000 and XP users, scanning random IP addresses and using FTP (or TFTP) to transfer the actual worm file to infected host. Also, both worms caused unpatched machines to start to reboot. This created some major headaches in computer systems and in networks in general: There were Sasser-related problems in at least three large banks. RailCorp rail traffic was halted in Australia on Saturday, leaving 300,000 travellers stranded. Two county THREAT SUMMARIES V. 1 2006 - 2002 26 hospitals Sweden got infected, with 5000 computers and X-ray equipment offline. European Commission in Brussels and Coastguard UK were affected too, as were many other organizations around the world. Sasser was released early Saturday morning. Next Friday, the German police arrested a young programming hobbyist named Sven Jaschen. He confessed to writing both the Sasser and Netsky virus families. His motive: fighting the spammers behind the Bagle and Mydoom virus families. For several months after Sven Jaschan was arrested his viruses continued to top the virus charts. Even in December 2004, five out of the TOP 10 viruses were Netsky variants, with Netsky.P being by far the most common one in the wild. Arrests Wanted by FBI Year 2004 was the best year ever in actually catching virus writers and other cyber criminals. There have also been several arrests of people from Russian, Lithuanian and Ukrainan origins, who have been found behind the phishing attacks in USA, UK and Australia. Microsoft started offering bounties for the writers of certain virus already in late 2003. So far, they have not actually paid any out. However, such bounties put pressure on virus writers as they became afraid of others ratting them out. For example, the information that was used to arrest Sven Jaschen was given to the authorities with the hopes of collecting such bounty money. One such arrest was Mr. Andrew Schwarmkoff, who was charged for credit card and identity fraud in Brighton, Boston. Apparently Mr. Schwarmkoff sent out phishing emails to collect people's credit card and banking details. This alleged member of Russian mafia was arrested with $200,000 worth of stolen merchandise, credit card scanning equipment, more than 100 ID cards with fraudulently obtained information and nearly $15,000 in cash. He has been alleged to have underground connectionswith Russian mafia. Distributed denial-of-service attacks are being used in a more organized way as well. Authorities in several countries completed big operations to arrest online criminals. For example, the US Secret Service shut down the carderplanet.cc and shadowcrew. com sites, which were used to trade stolen credit card numbers online. Mr. Jay Echouafni, the CEO of satellite receiver reseller Orbit Communication was charged for hiring hackers to launch DDoS attacks against their competitors. Their idea was to take down the online ordering systems of other large competitors, such as rapidsatellite.com and weaknees.com. After being charged Mr. Echouafni skipped bail, and is today listed among the FBI's most wanted. THREAT SUMMARIES V. 1 2006 - 2002 27 Mobile devices are more and more common and as they become more widespread they also become a more attractive target for virus writers. The bigger the target, the better it looks to these people. Also, with the increase of for-profit virus writing the likelihood of severe mobile viruses is high. Every phone call or SMS message is also a financial transaction. That opens up a flood of earning opportunities for the for-profit hackers and virus authors. Spamming Mobile Threats The first real mobile phone viruses were found in 2004. In June 2004 we found Cabir, the first virus to hit Symbianbased Bluetooth phones. At the same time it was the first virus that spreads based on proximity -- if you are close to an infected Bluetooth device you can get infected. Later in July we found a proof-of-concept PocketPC virus called Duts. Shortly thereafter we found the first backdoor for PocketPC devices (Brador). In the spring 2004 we found a game for Symbian phones (Mosquitos), which was secretly sending messages to expensive toll numbers, creating invisible costs for the user. In November we discovered yet a new threat, as we received reports of users who had been hit by the new Skulls trojan on their phones. This trojan has been distributed on some Symbian shareware download sites as "Extended Theme Manager" or "Camera Timer" freeware tool. It makes the smartphone features of your phone useless leaving you with the ability to still make calls with the phone but that's it; no messages, no web, no applications. Recovery could get tricky, and might cause the user to loose all of his own data on the phone - including phonebook, calendar and message history. The most obvious symptom of the trojan is that the typical programs on the phone will not work any more, and that their icons get replaced with a picture of a skull. The spam situation is getting worse and worse. Around 70percent of all email is nowadays spam - and most of that is sent through infected home computers. The CAN-SPAM act passed in USA in early 2004 did little to solve the spam problem. Many argue it actually made the situation more difficult, by legalizing spamming in USA, as long as one follows certain guidelines. It would be similar to passing a law that would make it ok to steal money as long as you're being nice about it. Spammers make good money out of spam. Which mean spammers can invest into their operations - making the problem worse. One of the few spammers ever sentenced, Mr. Jeremy Jaynes (aka Gaven Stubberfield) is a good example of how well this works. This spammer from North Carolina was getting rich by sending out up to 20 million spam emails a day. Only a few hundred of those would actually lead to a sale (reply rate of 0.00005percent or so). However, even that would be enough to create him an income of up to $750,000 a month. Eventually, Mr. Jaynes built a fortune worth as much as $24 million - including several cars and several houses, with one mansion having 16 separate T-1 data lines connected to it to provide spamming bandwith. The good news is Mr. Jaynes was arrested, charged and convicted. He's now serving nine years in a jail, which is in fact a surprisingly long sentence. His defense attorney argued that the prosecutors never proved the e-mail Jaynes sent was unsolicited. The bad news is that there are hundreds of other spammers more than happy to jump in on this lucrative business. We here at F-Secure also have evidence which would suggest that some spammers have succesfully recruited individual employees from anti-spam software developers. Which is like a plot from a bad sci-fi movie 'come to the dark side - we'll double your salary'. THREAT SUMMARIES V. 1 2006 - 2002 28 People who design antispam software would be the best experts to figure out how to make spam messages get through antispam filters. Spammers are also known to hire linguistics to assist them in developing spam emails that better evade antispam traps. Such trends are disturbing, of course. What's next? Virus writers hiring anti-virus researchers? Other Cases In 2004 we saw at least two major cases where popular websites were hacked and had an exploit installed to them. The first case in June was done with the Download. Ject exploit and the second in November with an IFRAME exploit. In both cases the end result was that when end users surfed to well-known and trusted web pages, their PC got exploited...if they were surfing with Internet Explorer. Many high-profile organizations have recommended over and over again during 2004 for people to upgrade to alternative browsers because of security concerns. And in fact, IE's market share seems to have dropped at least some percentage points during the year. Botnets keep getting bigger and bigger. Sheer amount of bots based on open source code has skyrocketed, with several thousand variants of bot families like Agobot are now known. Linux There were no major incidents in Linux operating system. Some bugs were found and SuSE has dispatched three local security holes to prevent a local user from hacking the computer. Security holes have been found and dispatched in silence in other widely-used systems e.g. Samba, Squid, PHP. These incidents would have created a lof of publicity in the Windows world. Windows XP Service Pack 2 Microsoft shipped Windows XP Service Pack in August. SP2 is by far the largest service pack we've seen (it's over 250MB in size and quite a download). What's more important, this SP centres around security features only. From the antivirus point of view, the three most important features in SP2 are: • Stack & heap protection: this will make it much harder to generate exploits for buffer overflows, such as those used by automatic network worms like Slammer, Blaster and Sasser. We had a look at how Microsoft actually implemented this, and it looks good. • Built-in firewall, which is enabled by default, and running right from the boot-up. It will not only prevent access from the outside but it will also warn users when local applications start to listen on specific ports. It won't warn when local THREAT SUMMARIES V. 1 2006 - 2002 29 applications send data to the Internet, though. • Patched versions of IE and Outlook. As these are the most common tools to access the net, it is important to have them up-to-date. The end result will be that once patched XPs become commonplace, it will be much harder to create large network worm outbreaks. User-assisted viruses (like email worms) will not go away...and the bad boys will eventually find ways around the safeguards. But nevertheless, this is a big improvment. As XP is already the most common operating system on the Internet, this Service Pack is very important. We hope the majority of XP users will apply it soon. This would benefit everybody on the Internet. Monthly Wrap-Up of the Year January • First variants of Mydoom, Bagle and Netsky are found. The virus war continues for several months. February • The Mosquito trojan is found. This Symbian trojan is a game that secretly sends out SMS text messages to toll numbers, creating hidden costs to the user. March • The Witty worm spreads rapidly, but only affects users running BlackIce software. However, on infected machines the worm seems to do really bad damage, overwriting random parts of the hard drive as long as the machine is infected. Witty spreads through direct network connections, targetting machines that are running BlackIce security software. Witty was released only one day after the vulnerability was announced. April • Sober.F, one of the common Sober variants of the year spreads largely by sending English and German email messages. May • Sasser network worm is foundand causes widespread chaos. June • Network worm Korgo is found. This Russian worm drops an aggressive keylogger. Several variants have been found throughout the rest of the year - many have been used to steal user account and banking details. • Cabir, the first real virus for mobile phones is found. July • Duts, the first real virus for PocketPC phones and PDAs is found. August • Microsoft releases Windows XP SP2, arguably the largest security effort ever done by the company. • Brador, the first backdoor for PocketPC devices is found. September • There is a lot of media buzz about a JPEG vulnerability, but it never becomes a big problem. October • Somebody registeres a domain called fedora-redhat. com, and does a fairly large spam run, targeting Linux users. The spam message claimes a security vulnerability has been found in Fedora Linux and the fix is available at fedora-redhat.com. The fake update file turns out to be a rootkit. • First real malware for Apple Macintosh OS X is found. Known as "Opener", this is a bash script which copies itself as one of the startup items that copies itself to all mounted drives. It containes destructive functionality, a keylogger, a backdoor etc. THREAT SUMMARIES V. 1 2006 - 2002 30 November • A virus known as Bofra is found. This is one of the fastest viruses ever to take advantage of a new security vulnerability, released only five days after the vulnerability was announced. • Skulls trojan for Symbian phones is found. • Sober.I becomes the largest outbreak of the last half of the year times as many as Trend and almost five times as many as McAfee. For the 45 major malware epidemics during 2004, F-Secure customers received their updates on average six hours after the first sample was detected, while, on average, Trend customers were updated ten hours, McAfee customers 14 hours and Symantec customers 16 hours after the first sample. (Source AV-Test. org) December • Lycos Europe starts a controversial program to fight spammers via their makelovenotspam.com site. Spammers quickly counterattack them. The service is discontinued after the first week of operation. To communicate breaking news fast F-Secure initiated a weblog to provide customers and the media with the latest factual information about viruses, worms, security hacks, and the people behind them. Comments and analyses are updated continually by Mikko Hypponen and the rest of F-Secure's security research team, and postings often include screen shots and images of actual viruses and malware code. The End of Email? "We don't see many directly destructive viruses nowadays; most viruses just try to silently take over your machine instead", says Mikko Hypponen, Director of Anti-Virus Research at F-Secure. "Current email systems are in serious trouble. I'm afraid we need to do a major overhaul of the underlying email standards in the near future. This would mean changing the basic protocols to more robust ones and adding strong user authentication. This would be a massive and very expensive project...which means it won't be done until the current email systems simply stop working", concludes Hypponen. Company Summary During 2004 F-Secure Corporation has been the fastest growing company globally in the antivirus and intrusion prevention industry with more than 50percent growth of revenues during the first 9 months in 2004. Growing twice the market rate can only be based on happy customers. Our customer satisfaction has stayed at 4.3 on a scale from 1 to 5 (5 being the best) for the last three years. A major part of the value we provide to our customers is our commitment to protect them against new threats better than any other vendor. That we have been able to do systematically and provenly over the last ten years. Based on independent research by AV-Test.org and Messagelabs F-Secure detects new threats faster compared to other major antivirus vendors. F-Secure also updates customers more regularily than other major antivirus vendors. Between January and August 2004, F-Secure sent out an average of 48 updates per month, which is 50percent more than Symantec, almost three ISP Offerings F-Secure's concept of offering security solutions through outsourced services to Internet users is gaining in popularity. More and more service providers are gradually acknowledging the benefits of partnering with F-Secure. F-Secure is constantly entering new territories successfully, while reinforcing the position in the existing markets at the same time. During the last six months service providers in 6 new countries, including Canada, Turkey, USA, Greece and Switzerland have chosen F-Secure as their security partner. Overall, 40 service provider partnerships have been announced and 16 of those during the last six months. This makes F-Secure the fastest growing company in the world in offering security services through service providers. Mobile Offerings In Q4 2004, Nokia announced the first two phones in history that ship with antivirus software enabled. These phones are Nokia 6670 and Nokia 7710. The antivirus software on them is made by F-Secure. F-Secure Mobile Anti-Virus is the most comprehensive solution for protecting smartphones against harmful content, from undesired messages to malfunctioning applications. It provides real-time, on-device protection and automatic over-the-air antivirus updates through a patented SMS update mechanism. In addition to the hardware vendor cooperation, Elisa, as the first mobile operator in the world, has started offering wireless antivirus services to its smartphone customers. The service is based on the F-Secure Mobile Anti-Virus service solution. THREAT SUMMARIES V. 1 2006 - 2002 31 2003 2003 THREAT SUMMARY Overview The year 2003 has clearly been the worst in virus history. At the same time, the entire computer virus phenomenon saw its 20th birthday this year. New trends in 2003 were primarily the way spammers began to use viruses as a tool and how several critical infrastructure systems suffered from the consequences of virus outbreaks. The network worm problems encountered during the year have shown how important it is to equip every single computer with a personal firewall. The number of known viruses is at the moment some 90,000. Virus problems seem to arrive in waves. Year 2001 was a very busy virus year, while 2002 was clearly quieter. Unfortunately, 2003 exceeded previous years in terms of both the number of virus outbreaks as well as their extensiveness and severity. F-Secure Corporation classifies viruses on a scale called Radar according to their severity. The number of alerts of level one, or the most severe types, was seven in 2003. In 2002 the number was only two. The number of level two alerts was 25 in 2002 and 28 in 2003. Some of the virus cases seen during the year were caused by old viruses, some of which have been out in the wild for a couple of years now. When we look at the year as a whole, five cases were in a league of their own: Slammer, Bugbear.B, Blaster, Sobig.F and Swen. Case Slammer The explosive outburst of the network worm Slammer (or Sapphire) in January 2003 was the biggest attack against the Internet ever. Slammer was a fully automatic network worm and it was able to infect computers directly over a network connection. In other words, it did not spread through e-mail like many other major outbreaks. Slammer infected Windows systems with Microsoft SQL database software installed on them. Many widely used office applications automatically install this software on the systems. However, most of the computers around the world did not have it installed and Slammer could not infect them. In fact, the main problem was not that Slammer would have infected that many systems, but the way it aggressively looked for new victims in the network and caused an enormous amount of network traffic. THREAT SUMMARIES V. 1 2006 - 2002 32 The Bugbear.B worm propagated widely during the summer, but the amount of actual damage remains unknown. Case Blaster In theory, there are some 4 billion public IP addresses on the Internet. The Slammer worm was released on January 25, 2003 around 04:31 UTC. By 04:45 it had scanned through all Internet addresses - in less than 15 minutes! This operation can be compared to an automatic system dialing all available phone numbers in the world in 15 minutes. As on the net, only a small number of phones would answer the call but the lines would certainly be congested. Blaster (or Lovsan or MSBlast), which was detected on August 11, was also an automatic network worm and basically similar to Slammer, but it was able to infect a significantly larger amount of computers. The vulnerability used by Blaster affected millions of Windows 2000 and Windows XP users, whose Windows operating system had not been appropriately updated. Blaster, however, propagated at a considerably slower speed than Slammer, yet it was significantly faster than viruses spreading through e-mail. The RPC hole used by Blaster had been detected on July 16, less than a month earlier. As July - August is the main summer holiday season, many organizations had failed to install security patches before the worm appeared. The network jam caused by Slammer had dramatic consequences, which are discussed in more detail further on in this summary. Case Bugbear.B The e-mail worm Bugbear.B was detected on June 5. It was a successor of the widely spread Bugbear.A. This virus was interesting because it tried to steal information from banks and other financial institutions. When Bugbear.B infected a computer, it checked if the affected computer was located in an internal network of a known financial institution. If this was the case, the virus gathered information and passwords from the system and sent them to ten pre-defined e-mail addresses. To this end, the worm carried a list of network addresses of more than 1300 banks. Among them were network addresses of American, African, Australian, Asian and European banks. As soon as this functionality was discovered, F-Secure warned the listed financial institutions about the potential threat. The response time of the F-Secure Anti-Virus Research Unit was 3 hours 59 minutes from the detection of the worm to the release of an anti-virus update. F-Secure also published a free tool to clean systems affected by Bugbear.B. The first symptom of the Blaster virus was that Windows XP users started seeing a message about the shutdown of the RPC process and about Windows restarting in 60 seconds. After the system had restarted, the same message often appeared again in a few minutes. This was repeated until the user disconnected the computer from the Internet or updated Windows. It took some 10 minutes to download the security updates from Microsoft’s windowsupdate.com service. Many users running into the problem were unable to update the operating system as the system restarted over and over again because of the worm and the downloading process was interrupted. THREAT SUMMARIES V. 1 2006 - 2002 33 The writer of the Blaster worm was probably a young hacker who wanted to express his or her hostility towards Microsoft. An indication of this is the text found inside the virus: “billy gates why do you make this possible? Stop making money and fix your software!!”, and the fact that the worm was programmed to start its denial of service attack against the windowsupdate.com site five days after it was found. Since windowsupdate.com was not Microsoft’s official update site, the company responded by removing the site from the Internet a few hours before the attack started, while addresses like windowsupdate. microsoft.com remained in operation. However, the virus got what it wanted: windowsupdate.com does not exist any more. One of the consequences of the Blaster worm was that some competing virus writer created a virus fighting against Blaster. This virus, known as Welchi or Nachi, infected computers already infected by Blaster. As soon as Welchi had entered a system it destroyed Blaster and tried to download and install Windows security updates. In other words, it was an anti-virus virus. Too bad that the cure was worse than the disease: Welchi generated considerably more network traffic than Blaster and was the reason for most of the severe system outages in companies in mid-August. One of F-Secure’s honeypot machines caught the first known sample of the Blaster worm on Monday evening, August 11, 2003. F-Secure warned CERT (Computer Emergency Response Team) on the new threat within an hour. The response time of F-Secure’s Anti-Virus Research Team was 2 hours 3 minutes from the detection of the worm to the release of an anti-virus update. F-Secure also made available a free tool to clean systems affected by Blaster or Welchi. Case Sobig.F Only a week after Blaster was detected things started happening again. Early on Tuesday morning on August 19, 2003 F-Secure received a sample of a new e-mail worm. This turned out to be the latest addition to the Sobig virus family. It was the worst e-mail worm ever, sending over 300 million infected e-mail messages around the world. The first virus belonging to the Sobig family was found in January 2003. New versions appeared at regular intervals. It was odd, however, that the different versions were programmed to stop spreading after a few weeks. Later, it was understood that this was a simple version management technique: the writers of Sobig wanted to remove old worm versions from the market to be able to release a new, enhanced version. In addition to spreading through e-mail, different versions of Sobig had another common factor, too: they waited for a couple of days after infecting a machine and then turned affected machines into e-mail proxy servers. The reason soon became apparent: spammers, or organizations sending bulk e-mail ads, used these proxies, which Sobig had created, to redistribute spam on a massive scale. Computers of innocent home users were taken over with the help of the worm and soon they were used to send hundreds of thousands of questionable advertisements without the owner being aware of this. Both Blaster and Welchi hampered the operation of important systems, such as automatic teller machines and public transportation. These are discussed in more detail in a separate section. However, it is important to note that especially Welchi still continues to spread. After several months since the actual epidemic, an unprotected Windows machine can get infected in just minutes when connected to network. It is likely that there’s a virus writer group behind Sobig. They planned the operation, then used the worm to infect a huge number of computers and then sold various spammer groups lists of proxy servers which would be open for spreading spam. It was clearly a business operation. After Sobig.F was detected on Tuesday morning, F-Secure’s Anti-Virus Research Team released its antivirus update in 2 hours and 33 minutes. Soon after this the global flood of e-mail messages created by Sobig.F started. Some individuals reported that they had THREAT SUMMARIES V. 1 2006 - 2002 34 received thousands of infected messages in a day. Large organizations saw hundreds of thousands of messages, and some e-mail systems collapsed under the heavy load. AOL reported stopping more than 20 million infected messages by Wednesday, the 20th of August. Virus writers and spammers working together spam One of the interesting trends during the year was that virus writers and spammers have found each other. F-Secure’s researchers continued studying the code of the worm and eventually found a functionality hidden in the virus code: computers infected by the worm were synchronized with an atomic clock to activate on Friday, August 22nd at 19:00 UTC. At this clock strike they would contact one of 20 pre-defined computers around the world and receive more specific instructions from them. When this functionality was found, F-Secure had less than 30 hours to disconnect those 20 computers from the net in order to stop the activation. By working in close co-operation with Internet operators, CERT units and the FBI, this was accomplished just in time. The last computer that needed to be disconnected was shut down only 15 minutes before the deadline. F-Secure made available a free tool to remove the Sobig.F worm from infected machines. The tool proved to be very popular and it was downloaded hundreds of thousands of times during the Sobig.F week. Case Swen The Swen e-mail worm was detected on September 18, 2003, but the problems arising from it continued for weeks in e-mail systems around the world. E-mail messages sent by Swen were forged to look like genuine Microsoft safety updates. It is good to remember that Microsoft never sends updates as e-mail attachments. For end users, Swen was not as visible a harm as Sobig.F. Instead, it caused severe problems to Internet operators. The reason was that the majority of the e-mails sent by Swen used incorrect e-mail addresses. Thus, the end users never saw them, but they generated error messages and the messages bounced back to the operators’ networks. End result: several large Internet operators reported severe delays in email delivery. In some cases emails were delayed by weeks. The problems caused by Swen were a concrete indication of how important the e-mail has become as a communications channel in only a few years. The response time of F-Secure’s Anti-Virus Research Team was 3 hours 57 minutes from the detection of the worm to the release of an anti-virus update. F-Secure also published a free tool to clean systems affected by the Swen. The most conspicuous example of this was the Sobig virus family, but there are actually at least four ways in which the spammers take advantage of viruses: • Collection of e-mail addresses Spammers need e-mail addresses to send their advertisements to. Worms collect addresses from the user’s address book and files. Additionally, viruses like Swen display false error messages to the users and ask them to enter their e-mail address and password for an error report - which they then forward to the virus writer. • Setting up e-mail servers Malware, such as Sobig, Slanper and Trojanproxy install a proxy or relay program on the user’s computer. These are then used to relay spam through the infected home computer. This prevents anyone from tracking the actual sender of the spam. It is estimated that currently more than half of all spam mail is circulated through home computers infected like this. Setting up web servers for offending material A large part of spam messages is connected to the advertising of products that are on the verge of being illegal. It is not easy for spammers to find www servers where they could maintain these kinds of sites. For example, the Fizzer worm installs a web server on infected machines. The outcome may be that a home computer of an unsuspecting user may serve as a web service offering hard porn. THREAT SUMMARIES V. 1 2006 - 2002 35 • Attacks against anti-spam services The worst enemies of a spammer are anti-spam activists. Variations of the Mimail worm, for example, activated massive denial-of-service attacks from infected computers against different anti-spam sites trying to shut them down or close them. They have been successful to some extent, too: four known anti-spam sites had to stop their operations because of the attacks. Nevertheless, the most important anti-spam operator, Spamhaus, is still up and running in spite of the attacks from the spammers. Spamming is profitable. Spammers have considerable interests to defend, and they can also invest large amounts of money in the continuation of their operations. “Suddenly the nature of our counterpart has changed completely,” says Mikko Hypponen, Director of AntiVirus Research at F-Secure. “Our enemy used to be amateurs who wrote viruses for the fun of it. Now viruses are generated by spammer gangs, who develop viruses professionally”. Viruses and critical infrastructure The RPC traffic created by Blaster caused big problems worldwide. Problems were reported in banking systems and in the networks or large system integrators. Also, several airlines reported problems in their systems caused by Blaster and Welchi, and flights had to be canceled. Welchi also infected Windows XP-based automatic teller machines made by Diebold, which hampered monetary transactions. The operation of the US State Department’s visa system suffered. The rail company CSX reported that the virus had interfered with the train signaling systems stopping all passenger and freight traffic. As a result of this, all commuter trains around the US capital stopped on their tracks. The media has given a lot of attention to the indirect effects of Blaster on the power blackout in the northeastern USA which occurred during the outbreak week. According to the intermediate report of the blackout investigative committee there were four main reasons behind the power failure, one of them being specifically computer problems. F-Secure believes that these problems were to a great extent caused by the Blaster. A separate official committee is still investigating this issue in detail. Year 2003 saw virus induced problems in real-life systems which were unprecedented in their severity. The main culprits were Slammer, Blaster and Welchi. Additionally, the e-mail outages caused by Sobig.F and Swen hampered the operation of corporate systems. Bank of America The network congestion caused by Slammer dramatically slowed down the network traffic of the entire Internet. One of the world’s largest automatic teller machine networks crashed and remained inoperative over the whole weekend. Many international airports reported that their air control systems slowed down. Emergency phone systems were reported to have problems in different parts of the USA. The virus even managed to enter the internal network of the Davis-Besse nuclear power plant in Ohio, taking down the computer monitoring the state of the nuclear reactor. It is important to note that even though the system problems caused by Slammer and Blaster were truly considerable, they were only byproducts of the worms. The worms only tried to propagate: they were not intended to affect critical systems. The viruses affected environments that had nothing to do with Windows: the massive network traffic caused by the worms alone disrupted their operation. THREAT SUMMARIES V. 1 2006 - 2002 36 Network worms, such as Slammer, manage to spread into virtually isolated systems thanks to their effective and systematic operation: Slammer exhaustively scans every single Internet address it can reach. Therefore, if a critical computer is connected to any device which is linked to some public network, even indirectly, Slammer will find it sooner or later. In principle, SQL or RPC-based worms should never be able to enter company intranets through the public Internet, because firewalls should prevent this type of traffic. Sometimes viruses were able to pass through the firewall because of errors in configuration, but a typical route to the internal networks was an employee’s laptop that had been infected at home or for example in a hotel network. When the infected machine was taken back to the office, the worm was able to spread like wildfire in the company intranet. There have also been cases where a WLAN network card inserted in a company PC contacted a public network at the same time as the machine was connected to the intranet through a network cable. Not all problems in critical systems were caused by viruses. In October 2003, a 19 year old British hacker was tried in court, because he had crashed information systems of the Port of Houston in USA. It was assumed that the reason behind the attack was jealousy. Iraq The war in Iraq, which started in March, had an indirect effect also on public information networks. The phenomena were not caused by official network warfare between USA or Iraq forces, but by the activities of individual hackers, wanting to publish their own messages. People behind the attacks were either patriotic hackers, extremists, or pacifists. The methods used in the attacks were mainly web defacements and to some extent also viruses. Attacks seen in March included: • Denial-of-service attack against the web site of AlJazeera TV network • Denial-of-service attack against the web site of the British prime minister • Several “Kill Saddam” defacement attacks • Attacks quoting the Koran against US and British web sites • Repeated attacks against the www sites of the US Army, Navy and Air Forces • Several computer viruses, which were spreading an anti-war message or tried in other ways to take advantage of the situation, such as Ganda, Lioten, Prune and Vote.D. The number of defacements was more than 20 times higher during the week the war started if compared to the previous week. THREAT SUMMARIES V. 1 2006 - 2002 37 Other observations Future The virus problems in 2003 concentrated on the Windows platform. No new major viruses were detected in the Linux or Mac environment. No viruses aimed at PDAs or mobile phones were encountered either. Attacks against data systems will increase and become more and more professional. The virus technology used by spammers is threatening to change the entire Internet into a battle field. The people behind the network attacks are hackers, activists, industrial spies, terrorist groups and organized crime, but the modern society must be able to function in spite of attacks against data security. During the spring and fall, there were several court cases in UK, where the accused defended themselves by explaining that even though their computers had been involved in crimes, the body behind the crime was not the owner of the computer but a virus, which had infected the system. Ways to protect computers F-Secure recommends four basic methods to protect computers: • Apply operating system patches regularly • Switch the computer off or disconnect the network cable whenever the computer is not in use • Install an automatically updated anti-virus program • Install a personal firewall - this concerns also desktop computers inside company’s internal network. In September, F-Secure announced the new F-Secure Anti-Virus Client Security software. It consists of an antivirus program and integrated firewall software as well as intrusion control and application control. With this application, firewall is added to each computer along with the anti-virus system. Outsourcing security to a service provider or Internet operator has proved an efficient way for home users or small companies to solve everyday data security problems. F-Secure continues to work together with operators in this field to provide applicable solutions. We would also like to point out that the only way to protect critical computer systems is to keep disconnected from all networks. “I’m afraid there will be a lot of work for us also in 2004”, says Mikko Hypponen, Director of Anti-Virus Research at F-Secure. THREAT SUMMARIES V. 1 2006 - 2002 38 Appendix: Major virus cases of 2003 January • The Slammer worm attacked: the most biggest attack against the Internet ever • The first member of the Sobig virus family, Sobig.A was found • Dedicated to Canadian singer Avril Lavigne, Lirva.A and Lirva.B worms spread widely through e-mail, file sharing and peer-to-peer networks February • Lovgate.A out in the wild. Lovgate guessed user passwords and infects the computer through network sharing or e-mail March • Deloader.A and new variants of Lovgate spreading. They both allot user passwords • The Ganda e-mail worm, which took advantage of the Iraq war was going around May • The Fizzer worm spread all over the world. The virus is strongly linked to spammers • Second and third variants of Sobig (B and C) are detected. They both spread very extensively June • Bugbear.B attacking banks spreads around the word • Fourth and fifth variant of Sobig (D and E) are detected. The D version fails to spread. On the other hand, version E becomes the most widely spreading variant this far August • The worst virus month in history • The first member of the Mimail virus family is detected • Blaster spreads globally • Welchi spreads globally • Sobig.F spreads globally September • The Swen worm is detected. The e-mail problems caused by it go on for months • Several new viruses are detected on the anniversary of the terror attacks of September 11, for example Mimail.B and Vote.K, which contain text “WORLD TRADE CENTER, REVENGE” October • The Mimail.C worm is detected and launches denial of service attacks • The Sober worm sends infected e-mail messages, which look as if they originated from anti-virus companies November • Ten new variants of the Mimail virus were detected during the month. The variants attacked anti-spam sites, among others, or stole users’ credit card details • At least four significant servers of Linux developers were broken into and distribution packages or source codes were modified. In some cases it took several weeks before the problem was detected THREAT SUMMARIES V. 1 2006 - 2002 39 2002 2002 THREAT SUMMARY In 2002, the data security world was characterized by new types of threats. Virus outbreaks in Linux systems, attacks utilizing open source code, breaks into home computers and increasing activity of Asian virus writers kept data security companies busy. Known viruses today amount to some 80,000. Computer viruses still pose the greatest single problem, even though the number of worldwide outbreaks was clearly smaller in 2002 than in 2001. F-Secure Corporation classifies viruses on a scale called F-Secure Radar according to their severity. The number of alerts of level one, or the most severe types, was nine in 2001. In 2002, the number was mere two: the Slapper network worm attacking Linux systems and the Bugbear e-mail worm attacking Windows systems. Respectively, level two alerts were given 31 and 26 times. The majority of virus cases seen during the year were caused by old viruses, some of which have been out in the wild for a couple of years now. Even though the number of outbreaks has been smaller than during the previous year, new viruses are detected more or less at the same rate as before. Every month, hundreds of new viruses are found. The total number of known viruses was some 80,000 at the end of year 2002. One distinct change in 2002 has been the increase in the activity of Asian virus writers, and the number of viruses originating from Asia keeps growing. The most significant originator countries include China, Taiwan and South Korea. Since September 2001, there have been hardly any viruses written in North America: a more strict attitude towards crimes directed at the society has considerably decreased the number of viruses from the US. Lively e-mail worms There were two viruses competing for the title of the year’s most bothersome virus: Klez and Bugbear. Of these, the Klez virus family has been out in the wild since October 2001 and is still spreading. Bugbear was found in September 2002 and spread all over the world in just a few days. Both Klez and Bugbear are e-mail worms. Also, they both put fake sender name and e-mail address in the “From” field of messages they send. Consequently, innocent persons may be accused of spreading viruses. The owner of the infected computer may be fully unaware of what has happened and is not prompted to clean his or her system. Bugbear was an example of another problem, which became widespread in 2002: the inclusion of remote access properties into a virus. Each computer infected by Bugbear can be accessed remotely over the Internet. The attacker can therefore read, delete or edit any files on the infected machine. Like many other e-mail worms detected during the year, Klez and Bugbear took advantage of the IFRAME vulnerability, thanks to which viruses were able to launch their own attachments while the infected message was read. The IFRAME hole appears to be a big problems even today, though Microsoft has offered a patch to it more than couple of years ago. THREAT SUMMARIES V. 1 2006 - 2002 40 Use of file exchange networks and directories Home computers subjected to attacks Even though e-mail continued to be the most common route for viruses, other techniques were also seen. For example, the Benjamin, Roron and Lolol worms spread through the Kazaa file exchange network. These viruses try to distribute infected files to the peer-to-peer network by using attractive file names and by relying on the fact that some of the network users cannot make a difference between music or video files and program files. Home computers are one of the biggest problems in the data security sector. Because home computers do not normally contain any major secrets their users do not take security as seriously as business users. However, computers are attacked for many other reasons besides theft of information. The Opaserv and Lioten worm, on the other hand, spread from one computer to another through shared directories or folders. When Windows users share their folders with other users, they may not realize that files in those shared folders may be visible to people on the other side of the world. Opaserv looked for unprotected Windows 95 and 98 computers and broke the password protection of shared files, thereby becoming quickly a worldwide problem. Attacking Linux systems So far the most widespread Linux virus outbreak was seen in 2002. A network worm named Slapper was first detected on September 14th. It quickly infected thousands of Apache web servers around the world. The virus only infected servers and was mostly not seen by end users at all. The most interesting characteristic of Slapper was its ability to create a distributed peer-to-peer attack network by means of which the writer of the worm was able to take control of any infected server. This feature was probably created to launch distributed denial-of-service attacks with the help of the worm. F-Secure’s specialists managed to disassemble the peer-to-peer protocol used by the worm and the threat posed by the worm was eliminated in a few days. However, there is more to come on this front for certain. Systems using open source code have been facing other security problems during 2002 as well. Backdoors were hidden in the distribution versions of OpenSSH, tcpdump and libcap programs. Even though these malicious additions could be seen by anyone in the source code, it took days before these changes were noticed in these cases. Hacking for the sake of fun is increasing all the time. In these cases the attraction is the computer itself, not the data contained by it. A modern home computer has massive capacity: a several gigaherz processor, hundreds of megabytes of memory and dozens of gigabytes of disk space. All this with a continuously open connection to the network through a fast DSL or cable modem. When combined with an operating system supporting true multiprocessing it may be that the owner of the system can be working on his or her computer without noticing that the system is simultaneously accessed by fifty teenagers from different parts of the world downloading the most recently announced movie as an illegal Divx copy. A typical outcome of this kind of free-riding is that a home computer is used to distribute illegal or dubious material without the owner knowing about it. If the computer owner opens protected VPN connections to his or her employer’s intranet, the consequences may be really serious. The huge capacity of home computers may also lead to a situation where they are used as a medium in attacks against networks. When a suitable vulnerability is located in a popular network service, such as Kazaa, ICQ or MSN Messenger, a malicious user may get access to millions of Windows systems through it. An attack network consisting of them would be able to paralyze most of the Internet traffic for long periods. Modern society cannot and should not leave a threat like this without attention. Mobile world No mobile or PDA viruses were seen during 2002. In spite of this the security industry continues to research and build security systems in this area. The need for a strong protection of data on hand-held systems keeps on growing. Because hand-held computers and mobile phones are becoming more and more like traditional computers, the security risks also become more concrete. As the GPRS and other fast mobile data networks get more THREAT SUMMARIES V. 1 2006 - 2002 41 common in the world, they will be one of objects of network criminals. It is easy to operate anonymously in mobile networks using so-called prepaid subscriptions. Operators play a key role in the security of home computers and mobile devices. Future “Attacks against data systems will increase and they will become more and more professional. New, fast network worm technologies may lead into a situation where a worm spreads around the world in just a few minutes after it has been launched. These attacks can be done by hackers, hactivists, industrial spies, terrorist groups or organized crime. Society must be able to function in spite of such network warfare” says Mikko Hypponen, Manager of Anti-Virus Research at F-Secure. SWITCH ON FREEDOM F-Secure is an online security and privacy company from Finland. We offer millions of people around the globe the power to surf invisibly and store and share stuff, safe from online threats. We are here to fight for digital freedom. Join the movement and switch on freedom. Founded in 1988, F-Secure is listed on NASDAQ OMX Helsinki Ltd.