Posts byJuha-Matti

Security consultant from Finland

Facebook worm – and how long we have to wait AV protection

So-called Koobface case was covered in the IT news quite widely, but security mailing lists received the information on Thursday 7th August.

Kaspersky Lab reported about the existence of the worm on 31th July. Hey, it’s more than a week ago, but it took several days until the anti-virus protection was notable.

Remarkable anti-virus vendors have the following detection now:
(listed in alphabetical order)

McAfee – W32/Koobface.worm
BitDefender – Win32.Worm.KoobFace.A
Kaspersky Lab – Net-Worm.Win32.Koobface.b
Panda Security – Boface.A [Technical name: W32/Boface.A.worm]
Sunbelt Software – Net-Worm.Win32.Koobface.b
Sophos – detected proactively as Mal/Heuri-D, Mal/Heuri-E, Mal/Emogen-N and Mal/Packer
Symantec – W32.Koobface.A

There is no write-up available from F-Secure, Norman, TrendMicro etc. yet.

The AV industry knows the alias KoobFace too.

The size of the worm is 16 384-16 652 bytes. It is written in Visual C++ 6.0 and packed with UPX and Upack.
The second malware, attacking Facebok users since 7th Aug, is a Trojan horse (Sophos uses name Troj/Dloadr-BPL), spreading as Google video links posted to Wall and is a separate issue.

It’s time to remember that if you don’t see a detailed write-up from your own AV vendor later today – it’s a DEFCON weekend and Facebook has started blocking these from its side already.

But the protection – that’s we need with a delay less than 4 or 5 days.

Word Viewer – it can be your workaround in the latest Word 0-day case

In many Word 0-day vulnerabilities covered by SecuriTeam Blogs Word Viewer utility is being included to affected products.

This week the situation is different, however.

Related to the most recent MS Word vulnerability Word Viewer 2003 and Word Viewer 2003 Service Pack 3 are not vulnerable (Microsoft’s advisory here). Word Viewer 2003 SP3 KB document here, in turn.
To readers not familiar with these cases: Normally these vulnerabilities are being reported related to targeted attacks via e-mail. References are listed here: CVE-2008-2244. This particular case in known as so-called attachement.doc case. Trojan malware related to this case is from MSWord.Agent.cq series.

There are connections to Beijing Olympics too – in the form of attend_the_opening_ceremony_of_the_29th_olympic_games_in_beijin.doc files too.

A fix for this vulnerability is not expected before August ‘s Black Tuesday. The most important question is: how to implement the use of Word Viewer in your organization.

Cisco: We know IOS rootkits can be made – harden your system

cisco has released an updated version of its cisco security response: rootkits on cisco ios devices document after the eusecwest presentation of mr. sebastian muniz (core security).

hardening, best practices etc, it appears.

thanks Sunshine. for pointing this on mailing lists.

State of targeted attacks – criminals exploiting Excel vuln during two months

It’s time to look the recent state of targeted attacks. Like we already know the main attack vector in these attacks is Microsoft Office attachment. There are no many organizations that simply can filter .DOC, .XLS and .PPT files.
In mid-January Microsoft confirmed that a new, previously unknown Excel vulnerability was used in targeted attacks. On Monday this week US-CERT issued a warning about the new wave of exploitation. This extremely critical vulnerability, rated ‘10.0’ by CVSS meter BTW, was known as header information code execution vulnerability.
The fix is included to today’s Excel Bulletin MS08-014. However, Microsoft says the following now:

What causes the vulnerability?

Microsoft Excel does not properly validate macro information when loading specially crafted Excel files.

In January we had a very small pieces of information related tho this vuln and Trojan exploiting it.

Information about the characteristics of these targeted attack can be read via my FAQ documents.

Remote-control device – the new gun of bank robbers

Bank robbers have found a very interesting technique.

From The Local article Police thwart remote-control bank heist:

Surprised last August to suddenly see his computer cursor moving on its own, the employee at the Knivsta branch of Swedbank, north of Stockholm, “discovered a cable connected to his computer linked to a remote control device fastened under his desk,” local police spokesman Christer Nordström told AFP.

The employee quickly pulled the plug, interrupting a transfer of several hundred million kronor, Nordström said.

And how they managed to install this remote-control device? According to the news sources during a break-in before the incident – no money had been stolen from the bank during a break-in.

A comment posted to is pointing to another interesting case (from CIO Update article) confirmed as keylogger case:

The story is still developing but this is what we know: Thieves masquerading as cleaning staff with the help of a security guard installed hardware keystroke loggers on computers within the London branch of Sumitomo Mitsui, a huge Japanese bank.

These computers evidently belonged to help desk personnel.

Swedbank is the leading bank in Sweden, Estonia, Latvia and Lithuania with more than 21,700 employees serving 9 million private and 480,000 corporate customers.