Channel: F-Secure Antivirus Research Weblog

Augmenting Society's Collective IQ

Doug Engelbart died on July 2, 2013. He is probably best known, to the general public, as the inventor of the computer mouse. But he was much more than that…

"They called him kooky, and laughed at him for doing weird stuff."

(The Economist: Doug Engelbart, computer engineer, died on July 2nd, aged 88)

Among some technology enthusiasts, he is known for The Mother of All Demos.

If you're not familiar with it, The Demo included demonstrations of "hypertext, object addressing and dynamic file linking, as well as shared-screen collaboration involving two persons at different sites communicating over a network with audio and video interface."

And the best part… The Demo took place on December 9, 1968.

Stanford University has an excellent series of annotated clips: here.

Truly a man ahead of his time, Engelbart framed his vision as a question:

"How do we collectively use technology to map our future with integrity mindful of the perspectives of others and future generations?"

Doug Engelbart Tribute Video

R.I.P.

On 19/07/13 At 02:14 PM

Summer Listening: BBC Playlist

"There are now three certainties in life — there's death, there's taxes and there's a foreign intelligence service on your system."
~ MI5's Head of Cyber

BBC Radio 4 recently aired a very interesting series on cyber espionage, theft, and war.

Under Attack: The Threat from Cyberspace

Reporter Gordon Corera interviewed numerous individuals including Michael Hayden (Former Director of the N.S.A.), Toomas Hendrik Ilves (President of Estonia), and MI5's Head of Cyber (who preferred not to be named). Episode 3 is still available for a limited time.

A 50 minute compilation is available from BBC World Service.

BBC World Service, Documentaries
Download (Available indefinitely.)

And if you're interested in security… you're probably also interested in privacy.

"Mobile phones really are now tracking devices that let us make calls."
~ Nick Pickles, Director of Big Brother Watch

BBC Radio 4: Privacy Under Pressure

Rovio — The Golden Egg of Mobile Advertising — gets a mention, of course.

On 22/07/13 At 10:37 AM

Windows Version of the Janicab Malware

Last week, we wrote about a script-based malware targeting Mac users. Yesterday, the folks from avast! revealed a Windows version.

tweet from Jindrich Kubec

Here is a summary of the differences between the Windows and OS X versions:

Summary table

Our Windows users are already protected by our cloud technology.

On 23/07/13 At 11:56 AM

xkcd: The Mother of All Suspicious Files

Can you find Rebecca Taylor?

Channel 4 News (a U.K. broadcaster) has launched an experimental online identity project called Data Baby. The data baby's name is "Rebecca Taylor", a very common name in the U.K. Channel 4 has issued a challenge: Can you find Rebecca Taylor?

The first clue on offer is Rebecca's e-mail: RebeccaTaylor0603@gmail.com.

Well, from that… it's easy to get this:

Rebecca Taylor's Facebook

And a Google Images search yields this (and more):

Rebecca Taylor?

Looks like an interesting challenge.

Info: channel4.com/news/data-baby

On 05/08/13 At 12:47 PM

Are Apple developers on the hacker hit list?

Note: this post is condensed from an article written for Digital New Asia.

Apple's developer website for its Mac, iPhone and iPad products was taken offline about two weeks ago; shortly afterwards, Apple released a statement saying that the site had suffered an intrusion.

Soon after, Ibrahim Balic, a London-based Turkish grey-hat security researcher, claimed responsibility for the intrusion in a video posted on his YouTube channel, in which he said he had filed bug reports before the website was taken down.

Although there have been no further comments or statements from Apple about Balic's claim, Apple does seem to be taking the incident seriously and is still working on restoring its web services.

Now the issue is: why are developers, particularly iOS developers, being targeted now more than ever? The intrusion on the developer site, though allegedly done with benign intent, draws attention to the importance of securing developer accounts, and to the potential consequences if such accounts are compromised and misused.

This follows an attack earlier this year on the popular iOS developers' forum iPhoneDevSDK, which claimed victims at big tech companies such as Apple, Facebook and Twitter.

Notice from IPhoneDevSDK Admin

This was a textbook watering hole attack: an attacker who wants to reach specific users first compromises a site those users are likely to visit, in order to gather information or access that can later be used for a more direct attack against the targets; in this case, the developers visiting the site.

Gaining access to an application developer's personal information, which may later be used to compromise their developer account, could lead to great harm for users who trust the developer's products and reputation, particularly on the iOS platform.

Unlike Google's Play store or other app stores for the Android platform, getting a tainted application into Apple's App Store has long been a challenge for malware authors, particularly as Apple's strict review policies have successfully prevented much rogue application activity in the six years since the first iPhone appeared.

To get around these barriers, malware authors are now targeting the developers themselves. Their real aim is to gain access to the developer's accounts on the app stores, from which they can essentially hijack the developer's reputation and products to push their own wares.

Full article: Are Apple developers on the hacker hit list? — by Su Gim Goh

On 06/08/13 At 09:27 AM

On Fake "F-Secure Security Pack" Malicious Browser Extension

We have been following a malicious browser extension that claims to have been developed by various different software companies.

The extension installs itself into the browser and makes posts to social media sites such as Twitter, Facebook and Google+ on the user's behalf. One of the variants installs itself as "F-Secure Security Pack" — and trust us — it's definitely not coming from us.

The installer for this malware is commonly a self-extracting WinRAR executable, although samples come packed in various other ways as well. We can take a peek at the contents of one of the samples:

Contents of malware installer

The contents hint at what the installer carries: an extension for both Firefox and Chrome (the .xpi and .crx files).
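Both package types are ZIP archives (a .crx additionally carries a signed header in front of the ZIP), so the name an extension declares and the host permissions it requests can be read without installing it. The following triage script is an added example, not F-Secure's tooling or anything from the malware: it strips a CRX header, reads manifest.json (or a legacy Firefox install.rdf), and reports a package whose name borrows a vendor brand named in this post or whose permissions reach the social media sites the extension posts to. The brand watch list, the social-host list and the sample package it builds are constructed for the example.

```python
"""Added example (not F-Secure's code): offline triage of a browser-extension package."""
import io
import json
import struct
import zipfile
import xml.etree.ElementTree as ET

# Brands this post reports being impersonated; constructed watch list.
IMPERSONATED_BRANDS = ("f-secure", "dr.web", "kingsoft", "chrome service pack")
# Sites the post says the extension posts to; constructed watch list.
SOCIAL_HOSTS = ("facebook.com", "twitter.com", "plus.google.com")


def strip_crx_header(data: bytes) -> bytes:
    """Return the ZIP payload of a CRX file, or the bytes unchanged if they are already a ZIP."""
    if data[:4] != b"Cr24":
        return data
    version = struct.unpack("<I", data[4:8])[0]
    if version == 2:
        # CRX2 layout: magic, version, public-key length, signature length, key, signature, ZIP
        pk_len, sig_len = struct.unpack("<II", data[8:16])
        return data[16 + pk_len + sig_len:]
    if version == 3:
        # CRX3 layout: magic, version, header length, protobuf header, ZIP
        hdr_len = struct.unpack("<I", data[8:12])[0]
        return data[12 + hdr_len:]
    raise ValueError(f"unsupported CRX version {version}")


def extension_metadata(package: bytes) -> dict:
    """Read the declared name and permissions from manifest.json or a legacy install.rdf."""
    with zipfile.ZipFile(io.BytesIO(strip_crx_header(package))) as zf:
        names = zf.namelist()
        if "manifest.json" in names:
            manifest = json.loads(zf.read("manifest.json"))
            return {"format": "manifest.json",
                    "name": manifest.get("name", ""),
                    "permissions": list(manifest.get("permissions", []))}
        if "install.rdf" in names:  # Firefox add-ons of the 2013 era declare themselves here
            root = ET.fromstring(zf.read("install.rdf"))
            em = "{http://www.mozilla.org/2004/em-rdf#}"
            return {"format": "install.rdf",
                    "name": root.findtext(f".//{em}name", default=""),
                    "permissions": []}
    return {"format": "unknown", "name": "", "permissions": []}


def triage(meta: dict) -> list:
    """Return reasons the package deserves a closer look (empty list means nothing was found)."""
    reasons = []
    lowered = meta["name"].lower()
    for brand in IMPERSONATED_BRANDS:
        if brand in lowered:
            reasons.append(f"name impersonates vendor brand {brand!r}")
    host_perms = [p for p in meta["permissions"] if "://" in p or p == "<all_urls>"]
    if "<all_urls>" in host_perms or any(p.split("://", 1)[1].startswith("*/") for p in host_perms):
        reasons.append("host permission covers every site")
    elif any(h in p for p in host_perms for h in SOCIAL_HOSTS):
        reasons.append("host permissions cover social media sites")
    return reasons


def build_sample_package() -> bytes:
    """Constructed sample: a minimal Chrome-style package declaring the name from this post."""
    manifest = {"manifest_version": 2, "name": "F-Secure Security Pack", "version": "1.0",
                "permissions": ["tabs", "*://*.facebook.com/*", "*://*.twitter.com/*"],
                "background": {"scripts": ["background.js"]}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("background.js", "// constructed placeholder, no logic\n")
    # Wrap in an unsigned CRX2 envelope (empty key and signature) to exercise the header parser.
    return b"Cr24" + struct.pack("<III", 2, 0, 0) + buf.getvalue()


if __name__ == "__main__":
    meta = extension_metadata(build_sample_package())
    print(meta["name"], meta["permissions"])
    for reason in triage(meta):
        print(" -", reason)
```

Point the script at a real .crx or .xpi by reading the file into `extension_metadata`; the name check is deliberately a substring match, since the post shows the same family shipping under several vendor brands per region.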

The executables for this malware are signed using a certificate assigned to a company called "VIDEO TECH PRODUCOES LTDA":

Certificate information

It's unclear at this point if the certificate has been stolen or if there is some other connection between the company and the malware samples.

The installer registers an extension with the name of "F-Secure Security Pack" for Chrome:

Foobar

The same happens for the Firefox browser, with slightly different registration details:

ff_ext

Depending on the targeted region, the malware uses different brands as the name of the malicious extension. For example, we've seen "Chrome Service Pack" for China, Dr. Web for France and Kingsoft for Brazil:

extension_chrome_pack

plugin_drweb

plugin_kingsoft

The extension itself is quite simple. It fetches an update from a command and control server and uses the information in this update to post to different social media sites. The comments in the source code are in Portuguese, which also hints at the origin of the malware:

extension_spanish_text

Here's an example of the update information the malware fetches from the command and control servers for Brazilian users:

extension_spanish_text

One of the settings automatically retweets a message. This setting was not enabled at the time of writing, but the message to be retweeted is still visible. We can see that this particular message has over 5000 retweets:

extension_spanish_text

F-Secure detects this malware as Trojan.FBSuper or various other heuristic detection names, depending on the variant.

SHA-1: 6287b03f038545a668ba20df773f6599c1eb45a2

On 07/08/13 At 09:19 AM

Encrypted Communications Service Goes Silent

A privacy focused e-mail service used by Edward Snowden has shuttered its doors.

According to the owner and operator, Ladar Levison:

"I wish that I could legally share with you the events that led to my decision."

http://lavabit.com/
lavabit.com

His notification also includes the following words:

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

That's a strong statement.

So what's this all about? And why can't Levison share the details regarding his decision to shut down Lavabit? Well, his inability to talk is probably due either to a warrant or to a national security letter (NSL). Here's the thing about an NSL — a lifetime gag order comes attached.

Of the hundreds of thousands of NSLs issued, only three recipients have ever won the right to say that they received one.

Nicholas Merrill is one such individual, and he spoke about it to WNYC's Bob Garfield in 2011:

National Security Letters and Gag Orders

Brewster Kahle, the founder of the (awesome) nonprofit Internet Archive, is another.

New Yorker: What It’s Like to Get a National-Security Letter

Lavabit's closure is having a chilling effect. Another encrypted communications company, Silent Circle, has followed Lavabit's lead.

Ars Technica: After Lavabit shutdown, another encrypted e-mail service closes

On 09/08/13 At 11:44 AM

Blaster - 3654 Days Later

Yesterday was Blaster's 10th anniversary. Do you remember where you were on August 11, 2003?

Mikko remembers (and he still has the related press release [PDF]).

World's First RPC Worm

Numerous organizations, including several banks and airlines, suffered serious disruptions because of Blaster which caused affected computers to reboot continuously. Can you imagine the difficulties that would cause today?

Vanity Fair's The Code Warrior, circa January 2004, offers a very entertaining long read on the topic.

On 12/08/13 At 10:30 AM

Are There Good Hackers?

Guy Raz, host of NPR's TED Radio Hour, recently caught up with Mikko while he was attending DEFCON.

Mikko's DEFCON recommendation: don't trust anybody — pen and pad work very well.

TED_Radio_Hour_The_Hackers

Guy interviewed Mikko as part of last week's TRH episode: The Hackers

And Mikko's was the first segment: Are There Good Hackers? It includes a retelling of Mikko's journey to Lahore, Pakistan, to find the authors of the first PC virus, "Brain".

A journey that you can see for yourself via YouTube:

On 13/08/13 At 11:40 AM

Java - The Gift That Keeps On Giving

I bet vulnerability researchers love Java. The 2D sub-component in particular seems to have felt their love lately: since the out-of-band patch for CVE-2013-0809 and CVE-2013-1493 in March 2013, 2D has been the most patched sub-component, with a total of 18 fixed vulnerabilities. Fortunately, CVE-2013-1493 has been the only one of these exploited in the wild.

On Monday August 12th, a link to yet another Java exploit was shared:

Tweet

Contrary to what the tweet says, the exploit is not a 0-day. It exploits CVE-2013-2465, yet another vulnerability in the 2D sub-component. The issue affects Java 7 versions up to update 21, but it has been patched in the latest version, Java 7 update 25. We have released a detection for the exploit (Exploit:Java/CVE-2013-2465.A), but so far we have not seen it in the wild.

Even though CVE-2013-2465 is not exploited in the wild (yet), another Java vulnerability affecting Java 7 update 21 is: CVE-2013-2460. The exploit was introduced in the Private exploit kit in July, and since then we have also seen it in the Sweet Orange exploit kit. In addition, Kaspersky has spotted the vulnerability being exploited in watering hole attacks (the JAR file mentioned in their post exploits CVE-2013-2460, not CVE-2012-4681).

To sum up, it does make a difference whether you run Java 7 update 25 or Java 7 update 21. If uninstalling Java or at least disabling the browser plugin is not an option for you, make sure you have the latest version of Java installed.
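The update number is the whole story here, so the obvious fleet check is to parse the version string that `java -version` prints and compare the Java 7 update level against update 25. The script below is an added example, not from this post; the threshold and the vulnerable update level come from the post, the `java -version` sample lines are constructed in the format the JRE printed at the time, and the check deliberately encodes only the Java 7 rule stated above (other release lines are reported as out of scope rather than guessed at).

```python
"""Added example (not the post's code): classify a Java 7 install by its update level."""
import re
import subprocess
from typing import Optional, Tuple

# From the post: Java 7 update 25 fixed CVE-2013-2465 and CVE-2013-2460; update 21 is still exposed.
PATCHED_JAVA7_UPDATE = 25

# Matches the first line of `java -version`, e.g.   java version "1.7.0_21"
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, update) from `java -version` output, or None if unrecognised."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return int(major), int(minor), int(patch), int(update or 0)


def java7_status(output: str) -> str:
    """'patched' or 'vulnerable' for Java 7; 'not-java7' for other lines (assumption: only the
    Java 7 threshold from the post is encoded here); 'unknown' if no version was found."""
    version = parse_java_version(output)
    if version is None:
        return "unknown"
    if version[:2] != (1, 7):
        return "not-java7"
    return "patched" if version[3] >= PATCHED_JAVA7_UPDATE else "vulnerable"


def check_local_java() -> str:
    """Run the locally installed `java -version` (it writes to stderr) and classify the result."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "not-installed"
    return java7_status(proc.stderr + proc.stdout)


# Constructed sample outputs and the verdict each should produce.
SAMPLES = {
    'java version "1.7.0_21"': "vulnerable",
    'java version "1.7.0_25"': "patched",
    'java version "1.6.0_45"': "not-java7",
    "java: command not found": "unknown",
}

if __name__ == "__main__":
    for text, expected in SAMPLES.items():
        print(f"{text:30} -> {java7_status(text)} (expected {expected})")
    print("local JRE:", check_local_java())
```

Run it on each host, or feed it the version lines an inventory tool has already collected; anything reported as `vulnerable` is a machine on which the two exploits named above still work, and `not-java7` lines need their own threshold before they can be called safe.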

Grumpy cat

Post by — @Timo

Updated to add: …and giving and giving.

On 14/08/13 At 08:54 AM

Browlock Ransomware Targets New Countries

In the past few weeks we have been following the relatively new "police ransomware" family we call Trojan:HTML/Browlock. This ransomware is very simple: it just uses the browser to display a lock screen demanding that the victim pay a fake fine, and plays tricks to prevent the browser tab from being closed.

Since we first saw it targeting folks in the US, Canada and the UK, we have been expecting it to expand to new countries. As expected, users in other regions are now seeing a localized message purporting to come from their local law enforcement.

Here are the lock screens for Browlock as seen from different countries:

Browlock in UK

Browlock in AU

Browlock in NL

Browlock in ES

Almost all ransomware families seem to have great difficulty finding a translator to produce good-quality localized lock pages. Readers who pay close attention (okay, any attention is probably enough) will notice some slight problems with the German localization:

Browlock in DE

For Canadians, the design of the lock screen has stayed roughly the same:

Latest Browlock in CA

We did notice that the fine has dropped from 250 CAD to 150 CAD compared to the previous lock screen below. It seems that in today's economy, even ransomware victims can't be expected to pay such high prices.

Old Browlock in CA

While the domain names change, all of the lock screens are currently hosted on a single server in St. Petersburg:

Browlock Server

We detect the lock screen as Trojan:HTML/Browlock.A.
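Because the whole lock screen is an HTML page, the traits described at the top of this post (a page that resists being closed, a police narrative, a demanded sum) are visible in the page source itself. The scorer below is an added example, not F-Secure's detection logic: it runs a small set of regular-expression indicators over a page and flags it when enough of them fire together. The indicator list, the threshold and both sample pages are constructed for the example; no real Browlock page is reproduced.

```python
"""Added example (not F-Secure's detection): score HTML for browser-lock traits."""
import re

# Each indicator is a compiled regex; a page is flagged when it trips MIN_HITS of them.
INDICATORS = {
    # Handlers that fire when the user tries to leave or close the tab
    "unload_trap": re.compile(r"(?:on|['\"])beforeunload", re.I),
    # Pages that reopen themselves when closed
    "reopen_on_close": re.compile(r"window\.open\s*\(\s*(?:location|self|document\.URL)", re.I),
    # Forcing fullscreen to hide the browser chrome
    "fullscreen": re.compile(r"(?:webkit|moz)?request-?full-?screen", re.I),
    # Law-enforcement narrative followed by a fine within a short distance
    "police_fine_text": re.compile(r"\b(?:police|law enforcement)\b[\s\S]{0,400}\b(?:fine|penalty)\b", re.I),
    # A demanded amount in a currency
    "amount_demand": re.compile(r"(?:[$€£]\s?\d{2,4}|\b\d{2,4}\s?(?:CAD|USD|EUR|GBP|AUD))\b"),
}
MIN_HITS = 3  # constructed threshold: one trait alone is common on legitimate pages


def score_page(html: str) -> dict:
    """Return the indicators that matched and whether the page crosses the lock-page threshold."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    return {"hits": hits, "lock_page": len(hits) >= MIN_HITS}


# Constructed sample of a lock page (not a real Browlock sample).
LOCK_SAMPLE = """<html><head><title>ATTENTION</title>
<script>
window.onbeforeunload = function () { return "Your browser is locked"; };
document.documentElement.webkitRequestFullScreen();
</script></head><body>
<h1>Police Cybercrime Unit</h1>
<p>Your computer has been blocked. To unlock it you must pay a fine of $150 CAD
within 24 hours.</p>
</body></html>"""

# Constructed benign page that shares one trait (police + fine wording) but nothing else.
BENIGN_SAMPLE = """<html><body><h1>Company news</h1>
<p>Our police-station customer renewed for another year. Everything is fine.</p>
<script>window.addEventListener("load", function () { console.log("ready"); });</script>
</body></html>"""

if __name__ == "__main__":
    for label, html in (("lock", LOCK_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_page(html))
```

A proxy or sandbox can apply `score_page` to fetched pages; the threshold matters because news sites legitimately mention police and fines, which is exactly why the benign sample above trips one indicator and is still not flagged.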

Post by — Antti and Karmina


On 14/08/13 At 03:30 PM

Blocking "MiniDuke" Type Threats Using Exploit Interception

MiniDuke, a cleverly coded Adobe PDF exploit, made news back in February — it was used to target several European governments.

Now, more than ever, exploit prevention is a critical layer of defense. That's why F-Secure Labs analysts such as Timo Hirvonen have become such experts on exploits — so our technology can be made better (by developers such as Jose Perez).

Here's a screenshot of our current DeepGuard™ behavioral engine tech vs. MiniDuke:

Miniduke vs F-Secure Internet Security 2014

Blocked — proactively, without signature-based scanning or back end heuristics.

Excellent.

Exploit interception is one of our primary goals — because exploits are the front end of an attack platform.

More about our technology, and a case study of the ZeroAccess bot, is available from our whitepaper…

F-Secure DeepGuard: Proactive on-host protection against new and emerging threats

DeepGuard, Behavioral Protection, Exploit Interception

On 15/08/13 At 11:52 AM

Recommend: CERT Polska's ZeuS P2P Report

We Need To Talk, Google

Dear Google — please don't take this the wrong way, but, well… I think you suck.

This hasn't always been the case. Once upon a time, I actually enjoyed using Google services.

Google_Products

But today — well, today I simply wanted to upload an old video to our Labs YouTube channel. Sadly, just after signing in, and before I could upload anything, I was accosted by a "request" to link the YouTube channel to a Google+ profile. And before I knew it — one Mr. "fslabs" had created a Google+ profile. Not great!

Here's a thought: perhaps you should first ask if the YouTube account is an "individual" BEFORE you try linking it to a G+ profile?

Because you didn't ask, "I" ended up with a new profile(s) for which "I" have no use. And undoing (deleting) the linkage from the "individual" profile to the "group" channel ended up disabling the channel. Then I needed to spend some time re-enabling and restoring it. And then I needed to reset the privacy settings for all of the existing videos.

Felt like extortion. (Evil.)

Now, I'm sure you have good reasons for all of this G+ "promotion" crap. And probably some bad ones, too.

I'm certain I made mistakes. I'm sure I missed some small cancel button during the process. And I think I located the "unlink" option in the YouTube settings somewhere after I had already disabled the channel by killing the G+ profile.

But you know what?

I really don't care anymore. I've had it with Google et al. I'll be looking into alternatives. (Vimeo, Dailymotion, et cetera.)

And my personal Google account? It's underused, but I've kept it around because it's "free".

No more. I'm done.

It's no longer worth the hassle.

And to be clear, it has nothing to do with recent allegations that a person has no legitimate expectation of privacy when using Gmail.

And it has nothing to do with any sort of concerns that Google provides the NSA direct access to its servers.

(Google's security engineers can be trusted, I think.)

My decision to delete my Google account is purely a matter of me being fed up of Google attempting to drive me into yet another unwanted "social" network, just for the sake of its bloody search engine rankings and associated advertising machinery.

It's not me.

It's you.

—————

Be seeing you,
Sean

Security Advisor, F-Secure Labs
twitter.com/5ean5ullivan

On 21/08/13 At 11:42 AM

Android Malware goes SMTP

Before we conclude that nothing is new under the Android malware sun, we get a small but quite interesting surprise: an Android malware that connects to SMTP servers to send e-mail.

Other than the SMTP usage, the malware is pretty vanilla. Upon installation, the application asks the user to activate device administrator in order to stay persistent on the device. This threat does not add any significant icons to the application menu; rather, the user would need to check the Application Manager to find the app masquerading as "Google Service".

mobile1 (138k image)

After installation, the application collects sensitive user information such as the phone number, incoming and outgoing SMS, and recorded audio, and sends it to an e-mail address. To do so it makes use of SMTP servers, particularly smtp.gmail.com, smtp.163.com and smtp.126.com. I smell something very China-ish here…

code (169k image)

Below is a screenshot of the threat's attempt to connect to an SMTP server:

smtp (161k image)

This threat is usually downloaded from third-party Android markets or malicious websites. We first saw this malware family a month ago, and it has been active since. We're already detecting this threat as Trojan:Android/SMSAgent.C.
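The SMTP channel is also what makes this family visible on the network side: a handset opening direct mail-submission connections to the relays named above is unusual enough to review. The scanner below is an added example, not F-Secure's detection: it reads connection-log lines, keeps only TCP flows to SMTP ports from the handset network, and grades them. The three relay hostnames come from the post; the handset subnet, the log format and the log lines are constructed for the example.

```python
"""Added example (not F-Secure's detection): flag direct SMTP submissions from handsets."""
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Relays the post names as the malware's mail servers.
WATCHED_SMTP_HOSTS = {"smtp.gmail.com", "smtp.163.com", "smtp.126.com"}
SMTP_PORTS = {25, 465, 587}
# Assumption: handsets on the guest Wi-Fi are addressed from this range.
HANDSET_NET = ipaddress.ip_network("10.20.0.0/16")


def parse_line(line: str) -> Dict:
    """Constructed log format: '<iso-ts> <src-ip> <dst-host> <dst-port> <proto>'."""
    ts, src, dst_host, dst_port, proto = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst_host": dst_host,
            "dst_port": int(dst_port), "proto": proto}


def classify(rec: Dict) -> str:
    """'alert' for a handset reaching a relay the post names, 'review' for any other direct
    SMTP from a handset, 'ignore' for everything else."""
    if rec["proto"] != "tcp" or rec["dst_port"] not in SMTP_PORTS:
        return "ignore"
    if rec["src"] not in HANDSET_NET:
        return "ignore"            # server-side mail traffic belongs to a different baseline
    if rec["dst_host"] in WATCHED_SMTP_HOSTS:
        return "alert"
    return "review"


def scan(lines: List[str]) -> List[Dict]:
    """Return the non-ignored records, each with its verdict attached."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        verdict = classify(rec)
        if verdict != "ignore":
            findings.append({**rec, "src": str(rec["src"]), "verdict": verdict})
    return findings


def relays_by_source(findings: List[Dict]) -> Dict[str, List[str]]:
    """Group destination hosts per handset; one device hitting several relays is the pattern to chase."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["src"]].add(f["dst_host"])
    return {src: sorted(hosts) for src, hosts in grouped.items()}


# Constructed connection log: one handset cycling through all three relays, one handset using
# a corporate mail server, one HTTPS flow, and a server-side SMTP flow outside the handset range.
SAMPLE_LOG = """# constructed connection log
2013-08-22T07:12:01 10.20.31.7 smtp.163.com 465 tcp
2013-08-22T07:12:03 10.20.31.7 smtp.126.com 465 tcp
2013-08-22T07:12:09 10.20.31.7 smtp.gmail.com 465 tcp
2013-08-22T07:13:00 10.20.31.9 www.example.com 443 tcp
2013-08-22T07:14:00 10.20.31.9 mail.example.com 587 tcp
2013-08-22T07:15:00 10.50.1.4 smtp.gmail.com 587 tcp
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f["verdict"], f["ts"], f["src"], "->", f["dst_host"], f["dst_port"])
    print(relays_by_source(found))
```

Treat the hostnames as a starting list, not a verdict: smtp.gmail.com is also used by ordinary mail clients, so in practice the strong signal is a handset that, as in the log above, walks through several of these relays in quick succession shortly after a new app appeared on it.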

msms_android (59k image)

Post by — Swee Lai

On 22/08/13 At 07:12 AM

NASDAQ's Community Forum

Me, speaking to V3.co.uk's Alastair Stevenson on July 18th:

"Imagine this: Suppose the NASDAQ community forum wasn't just compromised for its users' passwords — but also to use it as a watering hole. You thought the Twitter, Facebook, Apple, Microsoft watering hole attack compromises via the iPhone Dev SDK forum was bad? Well, I think that would be nothing compared to the kind of damage that could be done via NASDAQ."

http://grahamcluley.com/2013/07/nasdaq-hackers/
Image source: grahamcluley.com

Given that multiple large Internet companies were compromised via a watering hole attack on a FORUM back in February — I was really quite amazed that folks weren't just a bit more curious about the NASDAQ community forum hack. (Because it was vacation season?) Was NASDAQ's forum used to host a watering hole attack?

Then this week's Goldman Sachs options error and NASDAQ outage

…and now I'd really like to see some confirmation that there wasn't a watering hole!

How about you?

Post by — @Sean

On 23/08/13 At 03:35 PM

Wi-Fi Honeypots and MAC Address Surveillance

On August 8th, Quartz published a report that recycling bins in the City of London were being used to collect the MAC addresses of phones passing by. The scheme was halted by August 12th. On the 13th, I spoke with Danish reporter Jakob Møllerhøj about similar Bluetooth and Wi-Fi tracking that takes place in Denmark, used to predict the flow of traffic on roads and of people in airports.

And while traffic flow analysis is a very valuable thing for planners — in the light of a "prism" — this type of metadata collection is a very worrying trend.

Several years ago, we had our own Bluetooth honeypot project:

Bluetooth Honeypot

Had we moved forward with it, we would have needed to find a way to store MAC addresses anonymously, because these days it's entirely too easy for third parties to seek or sell "business records" to be correlated. Can you just imagine if every CCTV camera in your city also logged your phone's Wi-Fi MAC?
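One way a honeypot or footfall sensor can keep its counts without keeping the identifier is shown below, as an added example that is not the Bluetooth honeypot's code. It replaces each MAC with a keyed, day-bound pseudonym (HMAC-SHA256 over the day and the address): counts within a day still work, records from different days cannot be joined, and without the key nobody can recompute a pseudonym from a MAC. It also shows why a plain unkeyed hash is not anonymisation: the hash is deterministic and the MAC space is small enough to test candidates against it. The sightings, sensor names and key are constructed for the example.

```python
"""Added example (not the honeypot's code): count devices without storing MAC addresses."""
import hashlib
import hmac
import re
import secrets
from collections import defaultdict
from datetime import datetime
from typing import Iterable, Optional

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so that the same device always yields the same input."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def plain_hash(mac: str) -> str:
    """What NOT to store: an unkeyed hash is just the MAC under another name."""
    return hashlib.sha1(normalize_mac(mac).encode()).hexdigest()


def recover_from_plain_hash(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Anyone with the same hash function can test candidate MACs against a stored digest;
    with only 2^24 addresses per vendor prefix, enumerating candidates is routine."""
    for mac in candidates:
        if plain_hash(mac) == digest:
            return normalize_mac(mac)
    return None


def pseudonym(mac: str, key: bytes, day: str) -> str:
    """Keyed and day-bound: the digest cannot be reproduced without `key`, and the day in the
    message gives the same phone unrelated pseudonyms on different days."""
    msg = f"{day}|{normalize_mac(mac)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def count_devices(sightings, key: bytes) -> dict:
    """Sightings are (iso_timestamp, sensor, mac). Returns {(day, sensor): unique devices}.
    Only pseudonyms are retained; the raw MAC never leaves this function."""
    seen = defaultdict(set)
    for ts, sensor, mac in sightings:
        day = datetime.fromisoformat(ts).strftime("%Y-%m-%d")
        seen[(day, sensor)].add(pseudonym(mac, key, day))
    return {k: len(v) for k, v in seen.items()}


# Constructed sightings using locally administered (02:...) addresses, so no real device is named.
SIGHTINGS = [
    ("2013-08-26T08:00:00", "bin-01", "02:00:00:00:00:01"),
    ("2013-08-26T08:05:00", "bin-01", "02:00:00:00:00:01"),  # same phone again: counted once
    ("2013-08-26T08:07:00", "bin-01", "02:00:00:00:00:02"),
    ("2013-08-26T09:00:00", "bin-02", "02:00:00:00:00:01"),
    ("2013-08-27T08:01:00", "bin-01", "02:00:00:00:00:01"),  # next day: unrelated pseudonym
]

if __name__ == "__main__":
    # In a deployment the key lives apart from the sensor data and is rotated; here it is fresh per run.
    key = secrets.token_bytes(32)
    print(count_devices(SIGHTINGS, key))
    digest = plain_hash("02:00:00:00:00:02")
    print("plain hash recovered:", recover_from_plain_hash(digest, [m for _, _, m in SIGHTINGS]))
```

The key is the whole protection, so it must be stored and rotated separately from the sightings; the day string is what stops anyone who later obtains the key from joining one day's records with another's, which is the correlation risk the paragraph above describes.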

For those of you interested in running an experiment, check out March's Linux Journal: Wi-Fi Mini Honeypot

But do be careful about what you collect, and how — it's a dangerously unregulated landscape.

Regards,
@Sean

On 26/08/13 At 12:45 PM

Android Malware: Pincer's Author

Video: Government-Endorsed Surveillance
