Most Recent News from the Lab
 

Tuesday, April 22, 2014

 
F-Secure and David Hasselhoff Posted by Mikko @ 14:04 GMT

We first blogged about David Hasselhoff in 2011 (see: Don't hassle the Hoff on F-Secure's watch).

The case from 2011 involved a remote access trojan which had a feature called "David Hasselhoff Atach".

David Hasselhoff

And now, in 2014, David Hasselhoff is becoming the Freedome Ambassador for F-Secure.

David Hasselhoff

We will be launching our Digital Freedom Manifesto at the re:publica conference in Berlin together with David. For real.

For more information, see our Digital Freedom site.

 
 

 
 
Friday, April 11, 2014

 
xkcd: Heartbleed Explanation Posted by Sean @ 09:53 GMT

Heartbleed Explanation
xkcd: Heartbleed Explanation

 
 

 
 
Thursday, April 10, 2014

 
Lame "SEO" Android Apps Claim To Be Antivirus Posted by Sean @ 17:03 GMT

On Sunday, Android Police (a popular news and review site) published a post on "Virus Shield" — an app which reached top ranking in Play, and yet, was a complete fraud. In a follow-up, DailyTech did some digging and believes the app was written by a 17-year-old Texan. Apparently he's good at SEO.

Whether he's the guy or not… it fits the typical profile. A young person with good SEO skills pushing a rather useless app.

Virus Shield

Lame "SEO apps" are prevalent on Google Play. They're easy to find if you look.

For example:

  •  Best Antivirus Lite
  •  SAFE antivirus Limited
  •  Skulls Antivirus
  •  Shnarped Hockey antivirus lite

Best and SAFE link to one "developer" — while Skulls and Shnarped Hockey link to another.

Though there are two different developers… the apps are identical apart from their name. The apps appear to be based on a template (there are markets for app templates) and all the so-called developers have done is to add their own graphics.

Android apps: no developer skills required.

So what do the apps do?

Well, the "antivirus" opens a screen labeled "anti spyware".

Shnarped Hockey antivirus lite

Hmm, the terms changed. That ought to be a warning sign.

Click "Start Scan" and the app does a basic scan of permissions for installed apps. Apps with a large number of permissions are categorized as a risk and those with a low number of permissions are called safe. And if you want to see the details? Well, then you need to buy the "full" version of the app for about a buck. In our humble opinion, the folks who bought the full versions (more than one thousand) completely wasted their money.

Google Play: caveat emptor.

P.S. If you want an app that does an advanced scan of permissions and provides excellent details entirely FREE of charge…

Check out F-Secure App Permissions for Android.

 
 

 
 
Wednesday, April 9, 2014

 
Admins: why not review config standards as you fix Heartbleed? Posted by Jarno @ 09:39 GMT

As you have to update OpenSSL anyway, why not make sure your configuration is up to modern standards?

There has been plenty of noise about Heartbleed, so if you're an admin, you already know what to do.

1. Find everything you have using vulnerable versions of OpenSSL
2. Update to the latest OpenSSL version
3. Create new private keys and SSL certificates as the old ones may have leaked
4. Revoke old certificates

But since you have to touch your server configuration and create new SSL certificates, we would recommend that you also go through certificate generation settings and server configuration. Heartbleed is not the only problem in SSL/TLS implementations; a poorly chosen protocol or a weak cipher can be just as dangerous as the Heartbleed bug.

As recommended reading we would suggest: OWASP Transport Layer Protection Cheat Sheet

Bonus points opportunity!

5. Implement Perfect Forward Secrecy (PFS). It's the "Prefer Ephemeral Key Exchanges" rule in the OWASP cheat sheet.

See this EFF post for details: Why the Web Needs Perfect Forward Secrecy More Than Ever

Edited to add:

And one more thing!

6. Do not rely only on transport layer security. If your data is critical, use additional protection in your implementation.

Example: Younited. See the support question: How do I turn on advanced login authentication?

younited's 2FA

Two factor authentication. PROVIDE IT. Please.
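As an added example that is not part of Jarno's post: a small Python audit helper covering steps 1, 3 and 5 above. It tells you whether an OpenSSL version string falls in the Heartbleed range, buckets a server's cipher-suite line (the kind you find in an Apache SSLCipherSuite or nginx ssl_ciphers directive) into weak, static-RSA and ephemeral (forward-secrecy) suites, and builds a server-side context that prefers ephemeral key exchange. The version strings, the cipher list and the hostname www.example.com are constructed test data; the cipher-string keywords and openssl commands are OpenSSL's own.

```python
import re
import ssl

# Added example, not code from the original post. All version strings,
# cipher lists and the hostname below are constructed test data.

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(.*)$")


def heartbleed_affected(version):
    """Step 1: is this OpenSSL version string in the Heartbleed range?

    Affected releases are 1.0.1 through 1.0.1f, plus 1.0.2-beta1;
    1.0.1g and later, and every 0.9.8 / 1.0.0 build, are not.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    major, minor, patch, letter, tail = m.groups()
    if (major, minor, patch) == ("1", "0", "1"):
        return letter == "" or "a" <= letter <= "f"
    if (major, minor, patch) == ("1", "0", "2"):
        return tail.startswith("-beta1")
    return False


# Suite-name fragments that mean export grade, anonymous, NULL, RC4/RC2, MD5
# or single DES. "DES-CBC3-" (3DES) deliberately does not match "DES-CBC-".
WEAK_RE = re.compile(r"(^|-)(NULL|EXP|EXPORT\d*|ADH|AECDH|RC4|RC2|MD5|DES-CBC-)")
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "EECDH-")


def classify_cipher(name):
    """Step 5 helper: 'weak', 'pfs' (ephemeral key exchange, i.e. forward
    secrecy) or 'static' (RSA key transport: one leaked key decrypts all
    recorded sessions, which is exactly the Heartbleed worst case)."""
    if WEAK_RE.search(name):
        return "weak"
    if name.startswith(PFS_PREFIXES) or name.startswith("TLS_"):
        return "pfs"   # TLS 1.3 suites (TLS_ prefix) always use ephemeral exchange
    return "static"


def audit_cipher_list(cipher_string):
    """Bucket a colon-separated OpenSSL suite list by classification."""
    report = {"weak": [], "static": [], "pfs": []}
    for suite in filter(None, cipher_string.split(":")):
        report[classify_cipher(suite)].append(suite)
    return report


def renewal_commands(hostname, keyfile="server.key", csrfile="server.csr"):
    """Step 3 as shell command lines: a fresh key and a CSR for the CA.
    The old key must be assumed leaked, so it is never reused."""
    return [
        "openssl genrsa -out %s 2048" % keyfile,
        "openssl req -new -key %s -out %s -subj '/CN=%s'" % (keyfile, csrfile, hostname),
    ]


def forward_secrecy_context():
    """Server-side SSLContext preferring ECDHE/DHE suites and excluding
    anonymous, NULL, export, RC4, MD5 and single-DES suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    ctx.set_ciphers(
        "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:"
        "!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!DES"
    )
    return ctx


def negotiable_suites(ctx):
    """Names of the pre-TLS 1.3 suites the context would actually offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


if __name__ == "__main__":
    local = ssl.OPENSSL_VERSION.split()[1]   # e.g. "OpenSSL 1.0.1e ..." -> "1.0.1e"
    print("this Python links OpenSSL", local,
          "(affected)" if heartbleed_affected(local) else "(not affected)")
    for v in ("1.0.1e", "1.0.1g", "1.0.2-beta1", "0.9.8y"):
        print(v, "affected" if heartbleed_affected(v) else "ok")
    legacy = "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:RC4-SHA:EXP-RC4-MD5"
    print(audit_cipher_list(legacy))
    print(negotiable_suites(forward_secrecy_context())[:3])
    print("\n".join(renewal_commands("www.example.com")))
```

Running it against a copied SSLCipherSuite line shows at a glance whether the server still accepts static-RSA or export suites; anything in the "weak" or "static" buckets is what the OWASP cheat sheet's "Prefer Ephemeral Key Exchanges" rule asks you to drop.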

Update:

Added a note clarifying that the private key of course needs to be changed and the old certificates revoked. Thanks @oherrala.

 
 

 
 
Tuesday, April 8, 2014

 
Bliss Posted by Sean @ 14:04 GMT

Farewell…

Bliss

Obituary: Windows XP dies at 12 1/2 after long illness.

R.I.P.

 
 

 
 
Friday, April 4, 2014

 
DeepGuard 5 vs. Word RTF Zero-Day CVE-2014-1761 Posted by Timo @ 21:36 GMT

Now that we got our hands on a sample of the latest Word zero-day exploit (CVE-2014-1761), we can finally address a frequently asked question: does F-Secure protect against this threat? To find out the answer, I opened the exploit on a system protected with F-Secure Internet Security 2014, and here's the result:

DeepGuard 5 blocking CVE-2014-1761 exploit

Our Internet Security 2014 blocked the threat using the exploit interception feature introduced in DeepGuard version 5. And the best part is we didn't need to add or modify anything — the zero-day was blocked by the exact same detection that was already included in the initial release of DeepGuard 5 in June 2013. This means that our users were protected against this threat long before we even got a sample, and also several months before the attack was reported by Microsoft. DeepGuard 5 shows the power of proactive, behavior-based protection again (and again).

Microsoft will release a patch for the vulnerability on Tuesday April 8, 2014. In the meantime, you should check the mitigations and workarounds Microsoft recommends.

We have also added a generic detection Exploit:W32/CVE-2014-1761.A to detect the exploit before the document is opened.

Exploit SHA1: 200f7930de8d44fc2b00516f79033408ca39d610

Post by — Timo

Updated to add on April 7th:

Here's a brief video demonstration.

 
 

 
 
April 8th: Not Just About XP Posted by Sean @ 12:43 GMT

April 8th will soon be upon us! And that means…


Countdown Clocks

…the end of extended support for Windows XP. But not just XP. Office 2003 is also reaching the end of its life.

And that's especially important to know because there's currently an Office vulnerability in the wild.

Microsoft released its Security Bulletin Advance Notification yesterday:

Microsoft Security Bulletin Advance Notification for April 2014

And the good news is: a patch for the Word vulnerability appears to be in the pipeline. It's critical that everybody still using Office 2003 apply this update. Why? Because it will only take days for the patch to be reverse-engineered and for related exploits to be injected into exploit kits. At which point, browsing the web becomes considerably more hazardous for anybody with Office installed. Particularly if your browser is configured to "open" RTF files.

So prepare to patch next Tuesday! Do it.

Do you still have plans to use XP post-April 8th? Check out this Safe and Savvy post:

7 things to do if you’re going to keep using Windows XP after April 8, 2014

Carefully note that step 3 also includes advice to tighten Office security settings. Something you can do before next Tuesday.

 
 

 
 
Tuesday, April 1, 2014

 
Coremex Innovates Search Engine Hijacking Posted by FSLabs @ 13:58 GMT

Malware that targets search engine results is nothing new. Malicious browser extensions are also familiar (which typically contribute to stuff such as Facebook scam campaigns). But very recently, we've identified a noteworthy malware family that attempts to do both. We've named it: Coremex. It takes advantage of plugin functionality provided by browsers to hijack different search engine results – taking on online advertising giants such as Google and Yahoo.

Coremex comes as a single Nullsoft installer executable which acts as both dropper and downloader. Upon execution, the downloader starts collecting basic information from the infected machine. For example: the username, the infected workstation name, processor, memory, et cetera. The information is sent to a command-and-control (C&C) server address, 178.86.17.32, which is hard-coded in the binary. The information is encrypted with RC4 using the key "2AJQ8NA4", and the result is encoded with Base64.

Coremex implements some anti-sandbox features that prevent it from downloading the main payloads, such as the browser extension scripts, from the C&C server. These features consist of checking for blacklisted process names and looking for well-known sandbox fingerprints, such as a "VMware" string on the infected machine, by using Windows Management Instrumentation (WMI).

Figure 1. Blacklisted process names, stored as hashes:

Coremex_Blacklisted_ProcessName_By_Hash

Figure 2. Anti-sandbox strings, stored as hashes:

Coremex_AntiSandbox_By_Hash

If the anti-sandbox component does not raise a red flag, Coremex proceeds to download additional payloads from the C&C server. However, the author uses different C&C servers for downloading payloads (at least at the time of our analysis).

The payload C&C server addresses are:

  •  178.250.245.198
  •  174.127.82.213
  •  192.154.94.253

After the payloads are downloaded successfully, they are silently installed by Coremex. From then on, the browser extension runs inside the browser process whenever the victim opens Chrome or Firefox.

Coremex's JavaScript is highly obfuscated, with three layers of obfuscation to make analysis harder. Behind the scenes, Coremex's JavaScript registers a couple of events using the API provided by the browser and waits for these events to be triggered.

Figure 3. The malicious browser extension registers multiple event listeners:

Coremex_Scripts_Event_Listener

One of the event listeners is run once an hour. Upon execution of the event callback function, it starts connecting to the following bogus search engine websites:

  •  onlinetrack.org
  •  zvtracker.com

The other event listeners are responsible for parsing the URL that the affected browser is about to visit. The callback function of these event listeners looks for the search query entered into the following search engine platforms:

  •  Google
  •  Bing
  •  Yahoo
  •  ASK
  •  AOL
  •  AVG
  •  MyWebSearch
  •  Search-Results
  •  Comcast
  •  Delta-Search

Figure 4. A list of search engine platforms targeted by Coremex:

Coremex_Search_Engine_Hijack

When a targeted search engine platform is found, and after successfully parsing the search query from the URL, Coremex first transforms the victim's search query into a JSON object:

Coremex_yoursearchquery

The JSON object is then encrypted with the RC4 algorithm using the key "http", and the result is encoded with Base64. The Base64-encoded string is sent to a search engine platform presumably controlled by the author:
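Both the host-information beacon (RC4 key "2AJQ8NA4") and the search-query exchange (RC4 key "http") use the same JSON -> RC4 -> Base64 layering, so the analyst-side inverse is the same routine with two keys. The following Python is an added example, not Coremex's own code: it re-implements that scheme so a string captured from the C&C traffic can be decoded while reviewing a proxy log or a packet capture. The two keys are the ones quoted in this post; the JSON field names and sample values are constructed and will not match the real beacon layout.

```python
import base64
import json

# Added example, not code from Coremex or from the original post. The two keys
# are those quoted in the analysis; field names and sample values below are
# constructed.

HOST_INFO_KEY = b"2AJQ8NA4"   # beacon: username, hostname, CPU, memory, ...
SEARCH_KEY = b"http"          # hijacked search query


def rc4(key, data):
    """Plain RC4 (key scheduling + keystream generation). Symmetric, so the
    same call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_message(obj, key):
    """What the infected client sends: JSON -> RC4 -> Base64 (ASCII text)."""
    return base64.b64encode(rc4(key, json.dumps(obj).encode())).decode("ascii")


def decode_message(b64, key):
    """Analyst-side inverse: Base64 -> RC4 -> JSON."""
    return json.loads(rc4(key, base64.b64decode(b64)).decode())


def decode_capture(b64):
    """Try both known keys on a captured string. Returns (key_label, payload)
    for the first key that yields valid JSON, or None when neither does
    (the string is then probably not Coremex traffic)."""
    for label, key in (("host-info", HOST_INFO_KEY), ("search", SEARCH_KEY)):
        try:
            return label, decode_message(b64, key)
        except ValueError:   # bad Base64, non-UTF-8 bytes and bad JSON all subclass ValueError
            continue
    return None


if __name__ == "__main__":
    # Constructed sample beacon; the real field names are not shown in the post.
    beacon = {"user": "alice", "host": "WS-0412", "cpu": "Intel", "mem": 4096}
    wire = encode_message(beacon, HOST_INFO_KEY)
    print("beacon on the wire:", wire)
    print("decoded:", decode_capture(wire))
    query = encode_message({"q": "cars for sale", "engine": "google"}, SEARCH_KEY)
    print("search query decoded:", decode_capture(query))
    print("unrelated Base64:", decode_capture(base64.b64encode(b"not coremex").decode()))
```

Because RC4 with a fixed, hard-coded key is just a keystream XOR, anyone holding the key (here, anyone who has read the binary) can read every beacon, which is why the scheme gives the victim no confidentiality and gives the analyst a simple way to turn captured requests back into the victim's search terms.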

Coremex_RC4

The server's response contains an encrypted JSON object with a list of destination websites, which determines where a webpage with an ad-like URL will be redirected. An example Google AdWords URL might look like this:

Google Adwords URL

Figure 5. Code responsible for parsing the Google AdWords URL pattern:

Coremex_Google_Ads_URL_Hijacked

The decrypted JSON object might look like:

decrypted JSON object

The following screenshot shows the Coremex script in action when an ad's URL is clicked by the victim, which leads to the ad's page being hijacked and redirected to the author's intended destination website.

Figure 6. Google AdWord URL is being hijacked:

Coremex_Google_Ads_Url_Car_For_Sale_768x335

Figure 7. Google AdWord page is hijacked with IFRAME:

Coremex_Google_Ads_Page_Hijacking_With_IFrame_768x333

Regarding the IFRAME injected into the hijacked ad's page: during analysis, the server never replied with the destination website, so we have not yet seen examples of where the hijacked ad will be redirected. But it is clear that the author's intention is to take advantage of popular online advertising services.

SHA1: 62b5427b10f70aeac835a20e71ab0d22dd313e71

—————

Post by — Wayne

 
 

 
 
Targeted Attacks and Ukraine Posted by Mikko @ 12:05 GMT

Let's start by stating that we know this blog post is dated April 1st. However, this is not an April Fools' joke.

In 2013, a series of attacks against European governments was observed by Kaspersky Lab. The malware in question, known as MiniDuke, had many interesting features: it was tiny, only 20KB in size. It used Twitter accounts for Command & Control and located backup control channels via Google searches. It installed additional backdoors onto the system via GIF files that embedded the malware.

Like most APT attacks, MiniDuke was distributed via innocent-looking document files that were emailed to targets. In particular, PDF files that exploited the CVE-2013-0640 vulnerability were used.

To investigate similar cases, we have created a tool for extracting the payloads and the decoy documents from MiniDuke PDF files. With this tool we were able to process a large batch of potential MiniDuke samples last week. While browsing the set of extracted decoy documents, we noticed several ones that had references to Ukraine. This is interesting considering the current crisis in the area.

Here are four examples of such documents:

Ukraine MiniDuke

Ukraine MiniDuke

Ukraine MiniDuke

The attackers have collected some of these decoy documents from public sources. However, this decoy file, which resembles a scanned document, is unlikely to be found in any public source:

Ukraine MiniDuke

The document is signed by Ruslan Demchenko, the First Deputy Minister for Foreign Affairs of Ukraine. The letter is addressed to the heads of foreign diplomatic institutions in Ukraine. When translated, it's a note regarding the 100th anniversary of the First World War.

We don't know where the attacker got this decoy file from. We don't know who was targeted by these attacks. We don't know who's behind these attacks.

What we do know is that all these attacks used the CVE-2013-0640 vulnerability and dropped the same backdoor (compilation date 2013-02-21).

We detect the PDF as Exploit:W32/MiniDuke.C (SHA1: 77a62f51649388e8da9939d5c467f56102269eb1) and the backdoor as Gen:Variant.MiniDuke.1 (SHA1: b14a6f948a0dc263fad538668f6dadef9c296df2).

—————

Research and analysis by Timo Hirvonen

Updated to add: These examples were found by mining old samples. The cases above are from 2013. So far, we haven't found Ukraine-related MiniDuke samples that would have been used in 2014.