The latest research from Labs on threats and technology

Available Whitepapers

Show all   |   Threat Reports   |   Technical Papers


BlackEnergy & Quedagh: The convergence of crimeware and APT attacks

BlackEnergy is a toolkit that has been used for years by various criminal outfits. In the summer of 2014, we noted that certain samples of BlackEnergy malware began targeting Ukranian government organizations for information harvesting. These samples were identified as being the work of one group, referred to in this document as "Quedagh", which has a history of targeting political organizations.

Download PDF

H1 2014 Threat Report

The most notable trend in H1 2014 is the continued growth of ransomware and ransoming activities, on both desktop and mobile platforms. Meanwhile, Windows XP finally reached its end of life (EOL) mark on 8 April 2014. H1 2014 also saw a slew of reports alleging questionable surveillance, online censorship or data handling activities by government entities in various nations.

Download PDF

Pitou: The "silent" resurrection of the notorious Srizbi kernel spambot

The recently observed Pitou threat shows similarities with the Srizbi spambot. In this whitepaper, we outline Pitou's distribution methods, the kernel payload delivered by its droppers, how its bootkit functions and how it communicates with its C&C server.

Download PDF

COSMICDUKE: Cosmu with a twist of MiniDuke

CosmicDuke - the first malware seen to include code from both the notorious MiniDuke APT Trojan and another longstanding threat, the information-stealing Cosmu family. When active on an infected machine, CosmicDuke will search for and harvest login details from a range of programs and forward the data to remote servers, some of which were active at the time of writing.

Download PDF

Lecpetex: Virtual currency mining gets social

Trojan:W32/Lecpetex is a Bitcoin miner that spreads via in zipped files attached to social engineered Facebook messages. Once installed on a machine, the malware silently performs its Bitcoin mining, and contacts a command and control (C&C) server for additional commands.

Download PDF

Mobile Threat Report Q1 2014

Mobile malware development in Q1 2014 continues to focus exclusively on the Android platform, continuing the inexorable trend we've seen in the last couple years.

Download PDF

Download Printer-friendly PDF

Threat Report H2 2013

News of alleged massive data gathering and online surveillance activities by state entities raises privacy concerns. A Tor-using botnet grows while the arrest of a suspected creator/operator upends the underground market in exploit kits; meanwhile, Android continues to dominate the mobile threat landscape.

Download PDF

Mobile Threat Report Q3 2013

The "Masterkey" vulnerability and exploit apps; banking trojans; and other notable threats and trends for mobile malware in Q3 2013.

Download PDF

Threat Report H1 2013

Exploit-based attacks, particularly against the Java development platform, continue to dominate. New developments continue in mobile malware, ransomware, Mac malware and phishing, as Bitcoin comes of age. Meanwhile, hacks and intrusions aimed at tech companies gain major mainstream press.

Download PDF

Mobile Threat Report Q1 2013

While the raw amount of Android malware continues to rise significantly, it is the increased commoditization of those malware that is the more worrying trend. The Android malware ecosystem is beginning to resemble to that which surrounds Windows, where highly specialized suppliers provide commoditized malware services.

Download PDF

Threat Report H2 2012

The report focuses on three things that stood out in the second half of 2012: botnets (with special reference to ZeroAcess), exploits (particularly against the Java development platform) and banking trojans (Zeus). Also discussed are multi-platform attack in which a coordinated attack campaign is launched against both desktop and mobile platforms, state of today's web concerning malware hosting and malvertising, and an update on the mobile threat scene.

Download PDF

Mobile Threat Report Q4 2012

The rise of Android malware can be largely attributed to the operating system's increasing foothold in the mobile market. Android's market share has risen to 68.8% in 2012, compared to 49.2% in 2011. On the threat side, its share rose to 79% in 2012 from 66.7% in 2011.

Download PDF

Mobile Threat Report Q3 2012

Despite Android's dominance in the mobile threat landscape, the Symbian malware scene is far from dead. 21 new families and variants were discovered in the third quarter of 2012, a 17% increase compared to the second quarter.

Download PPT

Threat Report H1 2012

One of the most pervasive trends we saw in the computer threat landscape in the first half of 2012 was the expanding usage of vulnerability exploitation for malware distribution. This phenomenon is directly tied to the recent improvement in exploit kits - toolkits that allow malware operators to automatically create exploit code.

Download PDF

Mobile Threat Report Q2 2012

After a while on the scene, Android malware has begun to explore new methods of infection. In May 2012, the first Android malware to use the drive-by download method was spotted in the wild. A simple visit to a malicious website could render a device with certain configuration infected.

Download PDF

Mobile Threat Report Q1 2012

In Q1 2012, 37 new malware families and variants were discovered, which nearly quadrupled the number of new malware discovery a year earlier, in Q1 2011. Majority of these malware reap profit from sending messages to premium-rate numbers or subscribing customers to a premium service.

Download PDF

Flashback OS X Malware

This report was originally presented and published at VB2012.

In 2011, we saw OS X come under siege by several malware families. Towards the end of the year, we saw new families or variants appear almost every week, where each was more sophisticated than the last. At the forefront of these developments was the Flashback malware.

Download PDF

Mobile Threat Report Q4 2011

Android malware continues to expand rapidly in the fourth quarter of 2011, with malware originating from Russia forming a significant presence in the scene. Malware seen in the Russian domain has been the most widely distributed, with a single variant alone being found on a thousand unique Android application package files (APKs).

Download PDF

F-Secure DeepGuard: Proactive on-host protection against new and emerging threats

This whitepaper explains the trends and developments in computing that have made host-based behavioral analysis and exploit interception necessary elements of computer security and provides an overview of the technology and methodology used by DeepGuard, the Host-based Intrusion Prevention System (HIPS) of F-Secure's security products.

Download PDF

It's Signed, therefore it's Clean, right?

This document was originally presented at CARO 2010

This presentation discusses Authenticode signing, its usage by developers (particularly in the antivirus industry) and ways that code signing can be abused in order to spread malware and allow it to install

Download PDF

Threat Summaries Volume 1: 2011 - 2007

This document contains a compilation of all the Threat Summaries released by F-Secure Labs during the years 2007 to 2011, in reverse chronological order.

Download PDF

Threat Summaries Volume 1: 2006 - 2002

This document contains a compilation of all the Threat Summaries released by F-Secure Labs during the years 2002 to 2006, in reverse chronological order.

Download PDF