Most Recent News from the Lab

Tuesday, September 16, 2014

Why do Apple's security questions still suck? Posted by Sean @ 13:46 GMT

It's been two weeks, so why do Apple's security questions still suck?

Here's an example of questions you'll be asked when you create an Apple ID:

[Image: Apple Security Questions]

And here's the full list…

Security Question 1:

  •  What is your favorite children's book?
  •  What is your dream job?
  •  What was your childhood nickname?
  •  What was the model of your first car?
  •  Who was your favorite singer or band in high school?
  •  Who was your favorite film star or character in school?

Security Question 2:

  •  What was the first name of your first boss?
  •  In what city did your parents meet?
  •  What was the name of your first pet?
  •  What is the first name of your best friend in high school?
  •  What was the first film you saw in the theater?
  •  What was the first thing you learned to cook?

Security Question 3:

  •  What is the last name of your favorite elementary school teacher?
  •  Where did you go the first time you flew on a plane?
  •  What is the name of the street where you grew up?
  •  What is the name of the first beach you visited?
  •  What was the first album that you purchased?
  •  What is the name of your favorite sports team?

The problem is painfully obvious: the questions are either far too subjective (favourites change, so the legitimate owner fails them later) or based on information that is easy to look up or guess (so an attacker passes them).

What then does one do?

Whatever the question, create a nonsense answer. But then you'll have another problem… you'll forget the nonsense when needed.

So what next then?

Use your password manager's note field:

Childhood nickname? SvenHjerson

Hopefully you'll never need to use your answer — make sure nobody else can either.
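A security-question answer is just a second password, so it should be generated like one. The Python below is an added illustration and not part of the original post: it draws a uniformly random answer with the operating system's CSPRNG, sizes the answer to a target entropy, and prints the question/answer pairs in a form ready to paste into a password manager's note field. The 36-symbol alphabet, the 80-bit target and the three question texts used in the demo are choices made for this example.

```python
import math
import secrets
import string
from typing import Dict, List

# Lowercase letters and digits, 36 symbols. Lowercase only because many
# verifiers fold case before comparing answers, so mixed case would add no
# real entropy; no punctuation because the answer may have to be read out to
# a support agent or typed into a form that rejects it. This alphabet and the
# 80-bit target below are choices made for this example.
ALPHABET = string.ascii_lowercase + string.digits
TARGET_BITS = 80.0


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy, in bits, of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int = len(ALPHABET)) -> int:
    """Shortest length at which a uniformly random string reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_answer(length: int, alphabet: str = ALPHABET) -> str:
    """Uniformly random answer drawn with the OS CSPRNG (never random.choice)."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def answers_for(questions: List[str], target_bits: float = TARGET_BITS) -> Dict[str, str]:
    """One independent random answer per question, each meeting the entropy target."""
    n = length_for_bits(target_bits)
    return {q: random_answer(n) for q in questions}


def format_note(answers: Dict[str, str]) -> str:
    """Render question/answer pairs as lines for a password manager's note field."""
    return "\n".join(f"{q} {a}" for q, a in answers.items())


if __name__ == "__main__":
    # Questions taken from Apple's list above; the answers are freshly random each run.
    chosen = [
        "What was your childhood nickname?",
        "In what city did your parents meet?",
        "What is the name of the street where you grew up?",
    ]
    note = answers_for(chosen)
    print(format_note(note))
    n = len(next(iter(note.values())))
    print(f"# {n} symbols each, about {entropy_bits(n):.1f} bits per answer")
```

Sixteen symbols over a 36-symbol alphabet give about 82.7 bits, roughly the strength of a good random password. Kept next to the account's password in the manager, the questions then add no recovery path that is weaker than the manager itself, which is the whole point.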

—————

For related advice, please see our article on dealing with passwords.

Friday, September 12, 2014

A Twitch of Fate: Gamers Shamelessly Wiped Clean Posted by FSLabs @ 11:29 GMT

Twitch.tv is a live-streaming platform focused on video gaming. It has more than 50 million viewers and was acquired by Amazon.com in August for nearly a billion dollars.

We recently received a report from a concerned user about malware being advertised via Twitch's chat feature. A Twitch bot account bombards channels with invitations to a weekly raffle for a chance to win things such as "Counter-Strike: Global Offensive" items:

[Image: items]

The link provided by the bot leads to a Java program that asks for the participant's name, e-mail address and permission to publish the winner's name. In reality, none of this is stored anywhere; the form is only a pretext.

Those who have fallen victim to this fake giveaway will be shown this message after entering their details:

[Image: congrats]

After this message, the malware drops a Windows binary and executes it. That binary then performs the following actions:

  •  Take screenshots
  •  Add new friends in Steam
  •  Accept pending friend requests in Steam
  •  Initiate trading with new friends in Steam
  •  Buy items, if the user's Steam wallet has funds
  •  Send a trade offer
  •  Accept pending trade transactions
  •  Sell items with a discount in the market

This malware, which we call Eskimo, is able to wipe your Steam wallet, armory, and inventory dry. It even dumps your items for a discount in the Steam Community Market.

Previous variants sold items at a 12% discount, but a recent sample raised that to 35%, presumably to move the items faster.

[Image: code_sell_discount]

Selling the uninteresting items gives the attacker enough wallet funds to buy the items he considers valuable. Those items are then traded away to an account presumably maintained by the attacker.

Victims have reported on forums.steamrep.com that their items were traded to this Steam account without anything being received in return:

[Image: steamaccount]

All of this happens on the victim's own machine, which sidesteps the security checks Steam applies to logins and trades from a new machine. It would help users if Steam added checks for the patterns this malware produces: trading several items to a newly added friend, and listing items on the market below some threshold relative to their market value. That would limit the damage this kind of threat can do.
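As an added example, not from the post and not Steam's own logic, here is what those two checks could look like as account-side detection run over trade and market events: a trade that hands several items to a friend added within the last day, and a listing priced more than a set fraction below a reference price. The thresholds, the event format and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Thresholds are assumptions chosen for this example, not values Steam uses.
NEW_FRIEND_WINDOW = timedelta(hours=24)   # a friend added less than this long ago is "new"
MAX_ITEMS_TO_NEW_FRIEND = 3               # giving away more than this to a new friend is flagged
MAX_DISCOUNT = 0.25                       # listing more than 25% below reference is flagged


@dataclass(frozen=True)
class Trade:
    time: datetime
    partner: str            # counterparty account (a label in this example)
    items_given: int
    items_received: int


@dataclass(frozen=True)
class Listing:
    time: datetime
    item: str
    price: float            # asking price in wallet currency
    reference_price: float  # e.g. the item's recent median market price


def flag_trade(trade: Trade, friends_added: Dict[str, datetime]) -> Optional[str]:
    """Flag a trade that hands several items to a recently added friend."""
    added = friends_added.get(trade.partner)
    if added is None:
        return None                      # no friend-added event to correlate with
    friend_age = trade.time - added
    if friend_age < NEW_FRIEND_WINDOW and trade.items_given > MAX_ITEMS_TO_NEW_FRIEND:
        hours = friend_age.total_seconds() / 3600
        return (f"{trade.time:%Y-%m-%d %H:%M} trade: {trade.items_given} items to "
                f"{trade.partner}, friend for {hours:.1f} h, {trade.items_received} received")
    return None


def flag_listing(listing: Listing) -> Optional[str]:
    """Flag a market listing priced far below its reference price."""
    if listing.reference_price <= 0:
        return None                      # no usable reference; the discount is undefined
    discount = 1.0 - listing.price / listing.reference_price
    if discount > MAX_DISCOUNT:
        return (f"{listing.time:%Y-%m-%d %H:%M} listing: {listing.item} at "
                f"{listing.price:.2f} vs reference {listing.reference_price:.2f} "
                f"({discount:.0%} below)")
    return None


def review_account(friends_added: Dict[str, datetime],
                   trades: List[Trade], listings: List[Listing]) -> List[str]:
    """Run both checks and return every flag, trades first, oldest event first."""
    flags = []
    for trade in sorted(trades, key=lambda t: t.time):
        msg = flag_trade(trade, friends_added)
        if msg:
            flags.append(msg)
    for listing in sorted(listings, key=lambda l: l.time):
        msg = flag_listing(listing)
        if msg:
            flags.append(msg)
    return flags


# Constructed sample data mirroring the behaviour described in the post.
T0 = datetime(2014, 9, 10, 20, 0)
FRIENDS_ADDED = {
    "friend_old": T0 - timedelta(days=900),   # long-standing friend
    "friend_new": T0 - timedelta(hours=2),    # added right before the trade
}
TRADES = [
    Trade(T0, "friend_old", items_given=1, items_received=1),
    Trade(T0 + timedelta(minutes=5), "friend_new", items_given=8, items_received=0),
]
LISTINGS = [
    Listing(T0 + timedelta(minutes=1), "weapon case", price=2.64, reference_price=3.00),  # 12% off
    Listing(T0 + timedelta(minutes=2), "knife", price=65.00, reference_price=100.00),    # 35% off
]

if __name__ == "__main__":
    for line in review_account(FRIENDS_ADDED, TRADES, LISTINGS):
        print(line)
```

With the 25% cut-off assumed here the earlier 12% discount passes while the 35% one is flagged, which shows both sides of such a rule: the threshold has to be set against what legitimate sellers actually do, and an attacker who learns it will simply price just above it, so the trade-to-new-friend check is the more robust of the two.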

Monday, September 8, 2014

H1 2014 Threat Report Posted by Sean @ 13:05 GMT

Our latest Threat Report is now available.

[Image: H1 2014 at a glance]

The report includes our statistics, incidents calendar and threatscape summaries for H1 (Q1+Q2) 2014.

Download: H1 2014 Threat Report [PDF]

Additional case studies: Whitepapers

Friday, September 5, 2014

Security. Privacy. Identity. Posted by Sean @ 12:07 GMT

Key components of digital freedom:

Things we defend.

This is F-Secure Labs.

Thursday, September 4, 2014

Wi-Fi Sense? Posted by Sean @ 13:26 GMT

Windows Phone 8.1 (Lumia Cyan) updates are currently rolling out to various Lumia devices. One of the new features is Microsoft's "Wi-Fi Sense", which will automatically connect to Wi-Fi networks and accept their terms of use on your behalf.

[Image: Wi-Fi Sense]

Your phone will automatically accept Wi-Fi network terms?

Yes.

[Image: Wi-Fi Sense]

"Not all Wi-Fi networks are secure."

(At least you're able to edit the information provided on your behalf.)

[Image: Wi-Fi Sense]

Also, Wi-Fi Sense will share Wi-Fi network access with your contacts and "friends".

[Image: Wi-Fi Sense]

So… if your phone knows the password to your company's Wi-Fi network, now your Facebook friends can access it too?

Information security managers are going to love that.

Thursday, August 28, 2014

Pitou Q&A Posted by FSLabs @ 08:25 GMT

What is Pitou?
A recently spotted spambot that shares many similarities with the notorious kernel-mode spambot Srizbi. After further analysis, we confirmed that it is a revival of Srizbi and named this latest malware Pitou. In-depth analysis turned up other interesting technical features as well, which we describe in a whitepaper.

Why is it called Pitou?
The name Pitou comes from a colleague's existing detection name for it; we decided to use that family name to avoid confusion. Another reason we think this spambot deserves a new name, rather than continuing with the Srizbi moniker, is that the malware code has been completely rewritten with more robust features, including a bootkit.

Where was it first discovered?
We first encountered the threat on a client machine that reported a suspicious system driver file to our automated analysis systems. Manual analysis showed it to be malicious, with a payload that is highly obfuscated and protected by virtual machine (VM) based code, which implied the malware was trying to hide something from researchers. So naturally we decided to do an in-depth analysis.

When was it first seen?
The threat was first found in April 2014 based on the dates from our sample collection systems, though it may have existed in the wild at an earlier date. The whitepaper includes more timeline information.

Who should be concerned by this threat?
This threat can cause havoc for, or at least inconvenience, both corporate and home users. The spambot uses the infected machine to send spam, which can get that machine's public IP address listed on a Real-time Blackhole List (RBL) by an Internet Service Provider (ISP) or list operator. Mail servers that consult such lists, as most corporate email servers are configured to do, then refuse Simple Mail Transfer Protocol (SMTP) connections from the listed address, so legitimate email from it is blocked as well. A home user would notice the same thing when sending from a non-web-based email client, for example Microsoft Outlook, once their IP address has been listed.
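Whether an address has ended up on such a list can be checked by anyone, since an RBL is queried over DNS. The Python below is an added example and not part of the original Q&A: it builds the DNSBL query name for an IPv4 address (octets reversed, zone appended), interprets the A records a list returns, and performs the lookup. The zone is Spamhaus ZEN; the return-code labels and the two interpretation rules (only answers in 127.0.0.0/8 are listings, and 127.255.255.252-255 are query error codes rather than listings) follow Spamhaus's published documentation and should be confirmed against the current version before being relied on.

```python
import ipaddress
import socket
from typing import Dict, List

ZEN_ZONE = "zen.spamhaus.org"   # any other DNSBL zone works the same way

# Return codes as documented by Spamhaus for ZEN (assumption: confirm against the
# operator's current documentation before relying on the labels).
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL: direct spam source",
    "127.0.0.3": "SBL CSS: snowshoe or compromised sender",
    "127.0.0.4": "XBL: exploited or hijacked host (where a spambot infection lands)",
    "127.0.0.9": "SBL DROP: hijacked netblock",
    "127.0.0.10": "PBL: ISP-declared range that should not send mail directly",
    "127.0.0.11": "PBL: Spamhaus-declared range that should not send mail directly",
}
LISTING_RANGE = ipaddress.IPv4Network("127.0.0.0/8")
ERROR_RANGE = ipaddress.IPv4Network("127.255.255.252/30")   # Spamhaus query error codes


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Lookup name for an IPv4 address: 192.0.2.44 -> 44.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)     # raises AddressValueError for anything not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret_answers(answers: List[str], codes: Dict[str, str] = ZEN_CODES) -> List[str]:
    """Turn the A records returned for a DNSBL query into human-readable verdicts.

    A genuine listing is always an address in 127.0.0.0/8. Anything else did not
    come from the list (search-domain wildcard, captive portal, rewriting resolver)
    and must not be read as a listing. 127.255.255.252-255 are error codes, e.g.
    .254 when the query came through a public resolver Spamhaus refuses to serve.
    """
    verdicts = []
    for a in answers:
        addr = ipaddress.IPv4Address(a)
        if addr not in LISTING_RANGE:
            verdicts.append(f"ignored non-loopback answer {a}")
        elif addr in ERROR_RANGE:
            verdicts.append(f"query error code {a}; retry via your own resolver")
        else:
            verdicts.append(codes.get(a, f"listed, unrecognised code {a}"))
    return verdicts


def check_ip(ip: str, zone: str = ZEN_ZONE) -> List[str]:
    """Perform the live DNS lookup. An empty list means NXDOMAIN, i.e. not listed.

    Caveat: an unreachable resolver also raises gaierror and looks like "not listed",
    so confirm the resolver works with the conventional always-listed test address
    127.0.0.2 before trusting an empty result.
    """
    name = dnsbl_query_name(ip, zone)
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    answers = sorted({info[4][0] for info in infos})
    return interpret_answers(answers)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.2"   # test entry by default
    print(dnsbl_query_name(target))
    for verdict in check_ip(target) or ["not listed (NXDOMAIN)"]:
        print(" ", verdict)
```

Run it with your mail server's outbound address from a host that uses its own or the ISP's resolver; a `query error code` verdict means the answer came from a public resolver and says nothing about the address.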

What are some of Pitou's indicators of compromise (IOC)?
The threat is not particularly stealthy compared to other modern rootkits. We list a couple of IOCs in the whitepaper for anyone reasonably technically astute who wants to determine quickly whether their machine is infected with Pitou.

Where can I get the Pitou whitepaper?
Click the image below, or visit the technical papers section of our Labs site:

[Image: pitou_whitepaper_cover]

Post by - Wayne

----------
Updated (5/9/2014): Updated links to the latest version of whitepaper/Labs site.

Updated to add: Whitepaper updated with a minor correction in a reference. Also, hat tip to Karmina for assistance in writing this paper!

Friday, August 22, 2014

Ransomware Race (part 5): SynoLocker's unkept promises Posted by Artturi @ 12:44 GMT

We believe you should never pay a ransom to online criminals, and the reason is quite simple. File-encrypting ransomware holds the victim's personal files "at ransom" until a payment is made, and for the scheme to work the victim has to believe that paying up will help. However, the only certain outcome of paying criminals is to encourage them to continue their malicious activities; paying the ransom might not actually get you your files back. Case in point: a recent ransomware family commonly known as SynoLocker.

SynoLocker targets network attached storage devices manufactured by Synology. Once a device has been infected with SynoLocker, the malware will proceed to encrypt files stored on the device. It will also present the victim with a ransom message demanding payment in return for decryption of the files. Here, however, the criminals behind SynoLocker make a false promise. In many of the cases we have observed, the decryption process didn't actually work or the decryption key provided by the criminals was incorrect.

Even after being double-crossed by the criminals, all hope is not lost. If a victim is able to obtain the correct decryption key, the files can still be restored. For this purpose, we are today releasing a small tool, a Python script written by us, that can be used to safely decrypt SynoLocker-encrypted files as long as the correct decryption key can be provided. The tool does not in any way break the encryption of files created by SynoLocker, and it does not attempt to brute-force the decryption key; it only works if the decryption key is already known.

[Image: encrypted and decrypted file headers]
On the left, the beginning of a file encrypted by SynoLocker and, on the right, the beginning of the same file decrypted.

Another use case for our decryption tool is a situation where a user has paid the ransom but can't use the decryption key as they have removed the SynoLocker malware from the infected device. Instead of reinfecting your device with the malware (which is a bad idea), you can use the key together with our script to decrypt your files.

By releasing this tool to the community at large, we hope that we can contribute to undoing the harm caused by these criminals.

We never recommend that anyone pay a ransom.

Our decryption tool, as well as installation and usage instructions, can be found here.

Post by Artturi (@lehtior2)