May 14, 2008, Kuala Lumpur, Malaysia
F-Secure Corporation, the global leader in providing security
as a service through mobile operators and Internet Service
Providers, today announced that it has joined the International
Multilateral Partnership Against Cyber-Terrorism (IMPACT), with
Chief Research Officer Mikko Hypponen representing the company
on the IMPACT International Advisory Board.
The Malaysian IMPACT initiative seeks to establish a unique
platform that brings together governments and the international
private sector as partners in the global fight against cyber
threats. IMPACT will host the World Cyber Security Summit in
Kuala Lumpur, Malaysia, from 20 to 22 May 2008, in conjunction
with the World Congress on Information Technology (WCIT). In
addition to the inaugural IMPACT International Advisory Board
meeting, a Ministerial Roundtable will also take place.
The inaugural IMPACT Summit will be the largest ever gathering
of governments, regulators and industry experts on cyber
terrorism, with ministers and officials representing over 40
governments invited to the event.
"We are honored and proud to be part of the IMPACT
initiative. We see IMPACT as an important global collaboration
and a catalyst against cyber threats. We look forward to
contributing to the direction and strategies of IMPACT," said
Mikko Hypponen, Chief Research Officer at F-Secure.
Inside a malicious flash file - F-Secure Weblog : News from the Lab
Thursday, May 29, 2008
Inside a malicious flash file
Posted by Gerald @ 19:13 GMT
We've been receiving lots of malicious flash files
lately. Most of the flash files that we receive contain obfuscated
shellcode.
I stumbled on one sample and gave it a closer look. The
obfuscation is simple: it only uses XOR and ADD instructions.
Basically, this flash file takes advantage of the recent
0-day vulnerability in Adobe Flash Player. It
downloads and executes a file from the following site:
hxtp://www.psp1122.cn/[removed].exe
We detect the downloaded EXE file as Trojan-PSW.Win32.OnlineGames.ayju and the flash
file as Exploit.SWF.Downloader.a.
Here's an animated image of the decrypted shellcode:
Google Earth with Worms, Spam and Malware - F-Secure Weblog : News from the Lab
Google Earth is cool. We've been using it to track
worms. If a worm contacts our monitoring system, its IP address
is logged and then converted to latitude and longitude. It
all goes into an XML feed that we use with Google Earth's
network links. It looks something like this:
[image: Google Earth with Worms; click the image for a 1400x1050 view]
And while that's pretty neat, worms aren't really
today's threat. So we're working on some new data
feeds.
Let's take spam. This is what the source of spam from a
single personal account looks like:
[image: Google Earth with Worms and Spam]
Then there's our worldmap.f-secure.com data. It also feeds an
internal system that we use in the lab.
We've adapted that data for Google Earth, which then looks
like this:
[image: Google Earth with Worms, Spam and Malware]
Bot monitoring feeds are in the works as well. We'll do
a video demo sometime next week.
Sunday, June 1, 2008
DHS PDF
Posted by Mikko @ 12:14 GMT
We get samples, lots of samples, every day.
Like tens of thousands of them.
They come from various sources: from our customers; from
honeypots and honeynets; via our online scanners; submitted
directly from our products; from operators and ISPs; via sample
exchange with our competitors; and so on.
We also get copies of samples that people submit to online
virus scanning services such as VirusTotal,
Jotti, and VirSCAN. We'd
like to give big thanks to these services for their valuable
cooperation.
When we get samples via such online services, we have
absolutely no idea where the sample is coming from or who
submitted it. Sometimes such samples can be real mysteries.
Take for example this PDF file that we got a sample of via
VirusTotal. The only information we have on this 130kB file is
that it was named .pdf (after its MD5 hash)
and that it was submitted on the 23rd of May.
When you open this document, this is what you'll see:
[image: Department of Homeland Security form G-325A]
Looks like a Department of Homeland Security form
G-325A. Look again. What's the filename?
It's not .pdf. It's
0521.pdf. This is not the document we opened.
So what happens here? Apparently this PDF has been used in a
targeted attack against an unknown target.
When this PDF is opened in Acrobat Reader, it uses a known
exploit to drop files. Specifically, it creates two files in
the TEMP folder: D50E.tmp.exe
and 0521.pdf. Then it executes the EXE and
opens the clean 0521.pdf file in Adobe Reader in order to
fool the user into thinking that everything is all right.
D50E.tmp.exe is a backdoor that creates lots of new files with
innocent-sounding filenames, including:
\windows\system32\avifil16.dll
\windows\system32\avifil64.dll
\windows\system32\drivers\pcictrl.sys
\windows\system32\drivers\Nullbak.dat
\windows\system32\drivers\Beepbak.dat
The SYS component is a
rootkit that attempts to hide all this activity on the infected
machine.
The backdoor tries to
connect to port 80 of a host called
nbsstt.3322.org. Anyone operating this machine
would have full access to the infected machine.
Well, 3322.org is one of the well-known Chinese DNS bouncers
that we see a lot in targeted attacks. Does
nbsstt mean something? Beats us, but Google
will find a user with this nickname posting to several Chinese
military-related web forums, such as bbs.cjdby.net.
Where does nbsstt.3322.org point to?
The IP address of nbsstt.3322.org, 125.116.97.19, is in
Zhejiang, China. And it's live right now, answering
requests at port 80.
Creating Malicious PDF Files - F-Secure Weblog : News from the Lab
Yesterday's post discussed a mystery
PDF file that was booby-trapped to drop a backdoor. Today
we'll look at how these documents are created. Here's
an example of a tool called Y08-40 aka
GenMDB. When run, it
displays this user interface:
[image: y08-04 by Noble]
The apparent purpose of this tool is to create trojanized PDF
files. You select which EXE you want to embed, which PDF file
you want to trojanize, and which platform you expect the victim
to be using.
Cool. Now, the real question is this: How on earth
did we get our hands on such a tool? You'd never
guess it. We received it inside a trojanized PDF file.
Here's what we believe happened: Someone, somewhere was
using this tool for the first time. They did a test run,
selecting a random PDF file and a random EXE to create a
trojanized PDF, just as a test. As the random EXE, they selected,
wait for it, GenMDB.EXE itself!
Then the perpetrator was probably curious to find out whether the
trojanized PDF would be detected by virus scanners or not. So he
uploaded the trojanized PDF to an online scanner. Hey, thanks.
Keep up the good work.
Tuesday, June 3, 2008
Symbian Jailbreak
Posted by Jarno @ 18:32 GMT
A Spanish modder has developed an easy-to-use privilege
escalation hack for Symbian S60 3rd Edition phones. The hack
provides unlimited access to the phone's file
system. With this access any number of modifications
can be made.
Summary
A new variant of the Zafi worm, Zafi.B, is
spreading. While the original Zafi.A uses only Hungarian, the new
Zafi.B spreads in email in English, Italian, Spanish, Russian,
Swedish etc.
The worm sends itself in emails mostly as a .pif attachment and
in rare cases as .exe or .com.
Detailed Description
Zafi.B spreads in FSG-packed
form which is 12800 bytes in size. The body unpacks to around 30
KiB of hand-written assembly code.
System Infection
When Zafi.B is started it copies itself to the Windows System
Directory with a random .DLL and random .EXE name. The .EXE file is
added to the registry as
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"_Hazafibb" = "%SysDir%\[random].exe"
Several additional files are created in the System Directory
with random names and .DLL extensions. The worm keeps its internal
data in those.
Zafi.B enumerates all the directories in the system and copies
itself as either 'winamp 7.0 full_install.exe' or 'Total Commander
7.0 full_install.exe' to the ones that contain 'share' or 'upload'
in their name.
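One host-side check for the artifacts described in the DHS PDF post and in this Zafi.B description (an added example, not F-Secure's code): it walks a drive root such as a mounted image for the dropped filenames both texts name, and inspects HKLM Run values for the "_Hazafibb" entry. The sample drive it scans is constructed in a temporary directory, with file sizes faked to the 12800-byte packed size.

```python
import os
import tempfile

# Files the DHS PDF backdoor drops, relative to the drive root (from the post).
DHS_BACKDOOR_FILES = {
    "windows/system32/avifil16.dll",
    "windows/system32/avifil64.dll",
    "windows/system32/drivers/pcictrl.sys",
    "windows/system32/drivers/nullbak.dat",
    "windows/system32/drivers/beepbak.dat",
}
# Names Zafi.B copies itself under, into directories with "share"/"upload" in the name.
ZAFI_COPY_NAMES = {"winamp 7.0 full_install.exe", "total commander 7.0 full_install.exe"}
ZAFI_PACKED_SIZE = 12800       # size of the FSG-packed worm body
ZAFI_RUN_VALUE = "_hazafibb"   # value name under HKLM\...\CurrentVersion\Run


def scan_drive(root):
    """Walk a drive root; return sorted relative paths of DHS and Zafi.B artifacts."""
    dhs_hits, zafi_hits = [], []
    for dirpath, _subdirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/").lower()
        dir_name = os.path.basename(dirpath).lower()
        for name in files:
            rel = name.lower() if rel_dir == "." else rel_dir + "/" + name.lower()
            if rel in DHS_BACKDOOR_FILES:
                dhs_hits.append(rel)
            elif name.lower() in ZAFI_COPY_NAMES and ("share" in dir_name or "upload" in dir_name):
                # The size check screens out legitimately named installers.
                if os.path.getsize(os.path.join(dirpath, name)) == ZAFI_PACKED_SIZE:
                    zafi_hits.append(rel)
    return sorted(dhs_hits), sorted(zafi_hits)


def check_run_values(run_values):
    """Given {value_name: data} from the HKLM Run key, return the Zafi.B entry if present."""
    return {n: d for n, d in run_values.items() if n.lower() == ZAFI_RUN_VALUE}


def build_demo_drive():
    """Constructed sample drive: two DHS artifacts, one Zafi.B copy, two decoys."""
    root = tempfile.mkdtemp(prefix="artifact_demo_")
    for rel, size in (("Windows/System32/avifil16.dll", 4096),
                      ("Windows/System32/drivers/pcictrl.sys", 4096),
                      ("Data/Upload/winamp 7.0 full_install.exe", ZAFI_PACKED_SIZE),
                      ("Data/Docs/winamp 7.0 full_install.exe", ZAFI_PACKED_SIZE),   # wrong dir
                      ("Data/Share/Total Commander 7.0 full_install.exe", 8192)):  # wrong size
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    print(scan_drive(build_demo_drive()))
    print(check_run_values({"_Hazafibb": r"%SysDir%\qwxz.exe", "ctfmon": "ctfmon.exe"}))
```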
Email Propagation
Zafi.B looks into the Windows Address Book and different files
and tries to gather email addresses. Files with the following
extensions are checked:
htm wab txt dbx tbb asp php sht adb mbx eml pmr
Using its own SMTP engine the worm sends messages with infected
attachments in many different languages.
For email addresses in the following domains the worm sends
messages in the respective languages:
.hu .sp .ru .dk .ro .se .no .fi .lt .pl .pt .de .nl .cz .fr .it .mx .at
For Hungarian recipients there are three different messages. Any
recipient that is not on the list (including .COM, .NET, etc.) is
sent one of the three predefined English messages.
Sender: Anita
Subject: Ingyen SMS!
Attachment: "regiszt.php 3124freesms.index777.pif"
Body: ------------------------ hirdet ----------------------------- A sikeres 777sms.hu az axelero.hu t ogat al ra indul az ingyenes sms k d szolg tat ! Jelenleg ugyan korl ozott sz ban, napi 20 ingyen smst lehet felhaszn ni. K dj te is SMST! Neh y kattint a mell elt regisztr i lap kitt e ut azonnal ig ybevehet ! B vebb inform i a www.777sms.hu oldalon tal sz, de siess, mert az els ezer felhaszn kt t es nyerem yeket sorsolunk ki! ------------------------ axelero.hu ---------------------------

Sender: Anita
Subject: Tessek mosolyogni!!!
Attachment: "meztelen csajok fociznak.flash.jpg.pif"
Body: Ha ez a k sem tud felviditani, akkor feladom! Sok puszi:

Sender: Anita
Subject: Soxor Csok!
Attachment: "anita.image043.jpg.pif"
Body: Szia! Aranyos vagy, j volt dumcsizni veled a neten! Rem em tetszem, szeretn ha te is k den k et magadr , addig is cs :

Sender: Claudia
Subject: Importante!
Attachment: "link.informacion.phpV23.text.message.pif"
Body: Informacion importante que debes conocer, -

Sender: Katya
Subject: Katya
Attachment: "view.link.index.image.phpV23.sexHdg21.pif"
Body: ADAOIU OEIE

Sender: .
Subject: E-Kort!
Attachment: "link.ekort.index.phpV7ab4.kort.pif"
Body: Mit hjerte banker for dig!

Sender: Marica
Subject: Ecard!
Attachment: "link.showcard.index.phpAv23.ritm.pif"
Body: De cand te-am cunoscut inima mea are un nou ritm!

Sender: Anna
Subject: E-vykort!
Attachment: "link.vykort.showcard.index.phpBn23.pif"
Body: Till min Alskade...

Sender: Erica
Subject: E-Postkort!
Attachment: "link.postkort.showcard.index.phpAe67.pif"
Body: Vakre roser jeg sammenligner med deg...

Sender: Katarina
Subject: E-postikorti!
Attachment: "link.postikorti.showcard.index.phpGz42.pif"
Body: Iloista kesaa!

Sender: Magdolina
Subject: Atviruka!
Attachment: "link.atviruka.showcard.index.phpGz42.pif"
Body: Linksmo gimtadieno!

Sender: Beate
Subject: E-Kartki!
Attachment: "link.kartki.showcard.index.phpVg42.pif"
Body: W Dniu imienin...

Sender: @
Subject: Cartoe Virtuais!
Attachment: "link.cartoe.viewcard.index.phpYj39.pif"
Body: Te amo...

Sender: Alice
Subject: Flashcard fuer Dich!
Attachment: "link.flashcard.de.viewcard34.php.2672aB.pif"
Body: Hallo! hat dir eine elektronische Flashcard geschickt. Um die Flashcard ansehen zu koennen, benutze in deinem Browser einfach den nun folgenden link: http://flashcard.de/interaktiv/viewcards/view.php3 card=267BSwr34 Viel Spass beim Lesen wuenscht Ihnen ihr...

Sender: (blank)
Subject: Er staat een eCard voor u klaar!
Attachment: "postkaarten.nl.link.viewcard.index.phpG4a62.pif"
Body: Hallo! heeft u een eCard gestuurd via de website nederlandse taal in het basisonderwijs... U kunt de kaart ophalen door de volgende url aan te klikken of te kopiren in uw browser link: http://postkaarten.nl/viewcard.show53.index=04abD1 Met vriendelijke groet, De redactie taalsite primair onderwijs...

Sender: Hanka
Subject: Elektronicka pohlednice!
Attachment: "link.seznam.cz.pohlednice.index.php2Avf3.pif"
Body: Ahoj! Elektronick pohlednice ze serveru http://www.seznam.cz

Sender: Claudine
Subject: E-carte!
Attachment: "link.zdnet.fr.ecarte.index.php34b31.pif"
Body: vous a envoye une E-carte partir du site zdnet.fr Vous la trouverez, l'adresse suivante link: http://zdnet.fr/showcard.index.php34bs42 www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web en 5 minutes, du dialogue en direct...

Sender: Francesca
Subject: Ti e stata inviata una Cartolina Virtuale!
Attachment: "link.cartoline.it.viewcard.index.4g345a.pif"
Body: Ciao! ha visitato il nostro sito, cartolina.it e ha creato una cartolina virtuale per te! Per vederla devi fare click sul link sottostante: http://cartolina.it/asp.viewcard=index4g345a Attenzione, la cartolina sara visibile sui nostri server per 2 giorni e poi verra rimossa automaticamente.

Sender: Jennifer
Subject: You`ve got 1 VoiceMessage!
Attachment: "link.voicemessage.com.listen.index.php1Ab2c.pif"
Body: Dear Customer! You`ve got 1 VoiceMessage from voicemessage.com website! You can listen your Virtual VoiceMessage at the following link: http://virt.voicemessage.com/index.listen.php2=35affv or by clicking the attached link. Send VoiceMessage! Try our new virtual VoiceMessage Empire! Best regards: SNAF.Team (R).

Sender: Jennifer
Subject: Don`t worry, be happy!
Attachment: "www.ecard.com.funny.picture.index.nude.php356.pif"
Body: Hi Honey! I`m in hurry, but i still love ya... (as you can see on the picture) Bye - Bye:

Sender: David
Subject: Check this out kid!!!
Attachment: "jennifer the wild girl xxx07.jpg.pif"
Body: Send me back bro, when you`ll be done...(if you know what i mean...) See ya,
In rare cases the email will have an attachment with the name
'Surprise' and extension '.com', '.exe' or '.pif'.
The worm does not send emails to addresses that contain any of
these strings:
win use info help admi webm micro msn hotm suppor syma vir trend panda yaho cafee sopho google kasper
Payload
Zafi.B terminates any application that has the words 'firewall'
or 'virus' in it. These files are overwritten with a copy of the
worm.
Several Windows tools, like Task Manager and Registry Editor, are
disabled when the worm is active. Zafi.B opens these files with
exclusive locking to prevent anything else from opening them.
Detection
Detection for this malware was published
on June 11th, 2004 in the following F-Secure Anti-Virus updates:
Version=2004-06-11_01
Description: Katrin Tocheva, June 11th, 2004;
Technical Details: Gergely Erdelyi, June 11-12th, 2004;
Description Updated: Alexey Podrezov, June 15th, 2004;