BlackEnergy & Quedagh: The convergence of crimeware and APT attacks
BlackEnergy is a toolkit that has been used for years by various criminal outfits. In the summer of 2014, we noted that certain samples of BlackEnergy malware began targeting Ukrainian government organizations for information harvesting. These samples were identified as being the work of one group, referred to in this document as "Quedagh", which has a history of targeting political organizations.
H1 2014 Threat Report
The most notable trend in H1 2014 is the continued growth of ransomware and ransoming activities, on both desktop and mobile platforms. Meanwhile, Windows XP finally reached its end of life (EOL) mark on 8 April 2014. H1 2014 also saw a slew of reports alleging questionable surveillance, online censorship or data handling activities by government entities in various nations.
Pitou: The "silent" resurrection of the notorious Srizbi kernel spambot
The recently observed Pitou threat shows similarities with the Srizbi spambot. In this whitepaper, we outline Pitou's distribution methods, the kernel payload delivered by its droppers, how its bootkit functions and how it communicates with its C&C server.
COSMICDUKE: Cosmu with a twist of MiniDuke
CosmicDuke is the first malware seen to include code from both the notorious MiniDuke APT Trojan and another longstanding threat, the information-stealing Cosmu family. When active on an infected machine, CosmicDuke will search for and harvest login details from a range of programs and forward the data to remote servers, some of which were active at the time of writing.
Lecpetex: Virtual currency mining gets social
Trojan:W32/Lecpetex is a Bitcoin miner that spreads via zipped files attached to socially engineered Facebook messages. Once installed on a machine, the malware silently performs its Bitcoin mining and contacts a command and control (C&C) server for additional commands.
Mobile Threat Report Q1 2014
Mobile malware development in Q1 2014 continues to focus exclusively on the Android platform, continuing the inexorable trend we've seen in the last couple of years.
Threat Report H2 2013
News of alleged massive data gathering and online surveillance activities by state entities raises privacy concerns. A Tor-using botnet grows while the arrest of a suspected creator/operator upends the underground market in exploit kits; meanwhile, Android continues to dominate the mobile threat landscape.
Mobile Threat Report Q3 2013
The "Masterkey" vulnerability and exploit apps; banking trojans; and other notable threats and trends for mobile malware in Q3 2013.
Threat Report H1 2013
Exploit-based attacks, particularly against the Java development platform, continue to dominate. New developments continue in mobile malware, ransomware, Mac malware and phishing, as Bitcoin comes of age. Meanwhile, hacks and intrusions aimed at tech companies gain major mainstream press.
Mobile Threat Report Q1 2013
While the raw number of Android malware samples continues to rise significantly, it is the increased commoditization of that malware that is the more worrying trend. The Android malware ecosystem is beginning to resemble the one that surrounds Windows, where highly specialized suppliers provide commoditized malware services.
Threat Report H2 2012
The report focuses on three things that stood out in the second half of 2012: botnets (with special reference to ZeroAccess), exploits (particularly against the Java development platform) and banking trojans (Zeus). Also discussed are multi-platform attacks, in which a coordinated attack campaign is launched against both desktop and mobile platforms, the state of today's web concerning malware hosting and malvertising, and an update on the mobile threat scene.
Mobile Threat Report Q4 2012
The rise of Android malware can be largely attributed to the operating system's increasing foothold in the mobile market. Android's market share has risen to 68.8% in 2012, compared to 49.2% in 2011. On the threat side, its share rose to 79% in 2012 from 66.7% in 2011.
Mobile Threat Report Q3 2012
Despite Android's dominance in the mobile threat landscape, the Symbian malware scene is far from dead. 21 new families and variants were discovered in the third quarter of 2012, a 17% increase compared to the second quarter.
Threat Report H1 2012
One of the most pervasive trends we saw in the computer threat landscape in the first half of 2012 was the expanding usage of vulnerability exploitation for malware distribution. This phenomenon is directly tied to the recent improvement in exploit kits - toolkits that allow malware operators to automatically create exploit code.
Mobile Threat Report Q2 2012
After a while on the scene, Android malware has begun to explore new methods of infection. In May 2012, the first Android malware to use the drive-by download method was spotted in the wild. A simple visit to a malicious website could infect a device with a certain configuration.
Mobile Threat Report Q1 2012
In Q1 2012, 37 new malware families and variants were discovered, nearly quadrupling the number of new malware discoveries a year earlier, in Q1 2011. The majority of this malware reaps profit by sending messages to premium-rate numbers or subscribing customers to a premium service.
Flashback OS X Malware
This report was originally presented and published at VB2012.
In 2011, we saw OS X come under siege by several malware families. Towards the end of the year, we saw new families or variants appear almost every week, where each was more sophisticated than the last. At the forefront of these developments was the Flashback malware.
Mobile Threat Report Q4 2011
Android malware continues to expand rapidly in the fourth quarter of 2011, with malware originating from Russia forming a significant presence in the scene. Malware seen in the Russian domain has been the most widely distributed, with a single variant alone being found on a thousand unique Android application package files (APKs).
F-Secure DeepGuard: Proactive on-host protection against new and emerging threats
This whitepaper explains the trends and developments in computing that have made host-based behavioral analysis and exploit interception necessary elements of computer security and provides an overview of the technology and methodology used by DeepGuard, the Host-based Intrusion Prevention System (HIPS) of F-Secure's security products.
It's Signed, therefore it's Clean, right?
This document was originally presented at CARO 2010.
This presentation discusses Authenticode signing, its usage by developers (particularly in the antivirus industry) and ways that code signing can be abused in order to spread malware and allow it to install.
Threat Summaries Volume 1: 2011 - 2007
This document contains a compilation of all the Threat Summaries released by F-Secure Labs during the years 2007 to 2011, in reverse chronological order.
Threat Summaries Volume 1: 2006 - 2002
This document contains a compilation of all the Threat Summaries released by F-Secure Labs during the years 2002 to 2006, in reverse chronological order.