I've been looking forward to this particular episode ever since Mikko mentioned a few weeks ago he had an interview scheduled with TRH host, Guy Raz. Besides Mikko, the lineup includes: Hasan Elahi, Beth Noveck, John Wilbanks, and Alessandro Acquisti.
It's a great weekend listen — be sure to check it out.
The New York Times, ProPublica, and The Guardian have just published articles with details on how the NSA and GCHQ use "leaky" mobile phone apps to track targets. Unfortunately, one of the source documents published by The New York Times wasn't properly redacted. And the end result is that an NSA employee's name has been disclosed (and well as information about an NSA target).
While analyzing the URLs of malicious redirectors our product had detected, a Flash object hosted on .gov.br domain caught my eye. Since my Portuguese is a little rusty, I turned to a colleague in our office in Brazil, and she confirmed that the domain belongs to the city of Franca in Sγo Paulo, Brazil.
The request highlighted in yellow loads the malicious Flash object which injects an iframe that redirects the browser to another domain (blurred in the screenshot).
It seems that the website was compromised by exploiting the outdated version 1.5 of open-source content management system Joomla. Most likely this is not the only .gov.br website running the unpatched version: Senior Security Researcher Fabio Assolini pointed out in his tweet that incidents on .gov.br domain are very common.
We have contacted the Computer Security and Incident Response Team - CTIR Gov about the incident.
F-Secure detects the malicious Flash object (SHA1:b0c68dbd6f173abf6c141b45dc8c01d42f492a20) as Trojan:SWF/Redirector.EQ. In addition, our Browsing Protection component blocks access to the compromised URLs until the website has been cleaned.
The malware scene is changing constantly, and one of the remarkable changes is that today the bad guys might be the good guys. That is, the guys who were supposed to be good. To express it slightly less confusing, authorities have become one of the major malware players and US agencies are already the world's largest buyers of exploits.
This makes an old ethical question for us malware fighters more important than ever. How to deal with policeware? Should this kind of malware be detected or not? F-Secure's stance has been clear. Yes, we do detect any kind of malware. And no, we do not keep any whitelists for authorities' policeware. We have not received any requests to whitelist policeware, and we would refuse to do so if requested.
This might raise mixed feelings as there no doubt are cases where the police work for our common good. There are dangerous criminals that should be behind bars, so why not use any available weapon against them? Aren't we protecting them by refusing to whitelist policeware? Let's take a closer look at the problem and we'll see why there really is no alternative to our current policy.
Why is it a bad idea for an anti-malware vendor to whitelist policeware?
• Authorities' powers are always restricted to a defined geography, but our anti-malware technology is used globally. There is no reliable way for the scanner engine to verify that the policeware is used within its author's jurisdiction.
• Legit warrants always define the suspect. But our anti-malware technology is generic for all customers and can't verify that the policeware is used against the right target.
• When encountering a whitelisted file, our scanner can't verify who is controlling it and who it reports back to. Whitelisting would be irresponsible as real malware could sneak through that way.
• We have an obligation to protect our customers from malware as well as we can. That's what we promise when selling the product. We could naturally make an exception in cases where there is a valid warrant against the user. But as stated above, it is impossible to verify that condition.
• Laws are different in every country. The policeware might be legal in one country but illegal in another. This is complex and unfeasible for us to investigate.
• Which countries' authorities should we serve? We might trust our own country's police, but what about Spain, Brazil, Canada, Israel, Egypt, China, North Korea or USA? Just to mention some randomly picked countries. Should we serve them too? How can we verify that they have legit motives for using spying tools?
• If policeware is misused without an appropriate warrant or otherwise against the law, we have a moral obligation to inform the victim. Otherwise we take part in the crime.
So the problem is really that valid warrants target a well-defined individual or group, but a whitelisting of policeware would be targeting our whole user-base globally. That makes the downside of whitelisting magnitudes larger than the upside.
But that's not all. Here's why it is an even worse idea for agencies to ask for whitelisting.
• Whitelisting requires us to know what to whitelist. The policeware must have a unique and reliable identification mechanism. A core goal for malware is to be as hard as possible to detect, and such an identifier will make the policeware easier to detect and less effective. It could be used for both white- and blacklisting.
• Whitelisting forces agencies to reveal details about their policeware programs to outsiders, which increase the risk for leaks. They also need to reveal the mere existence of the program. Keep in mind that they would need to talk to many anti-malware vendors to get effective whitelisting, not just to us.
• The reliable identifier needed to whitelist policeware ties it to the agency. It gives the suspects a way to know that they are being watched by the authorities. A malware infection that is detected could otherwise blend in with the overall malware threat and not necessary alert the suspects.
• As recent news coverage reveal, a significant part of the policeware seems to be outright illegal or at least on shaky ground. This makes it even less sensible for the agencies to talk to outsiders about it.
The best strategy for agencies is to play the same game as the bad boys. To change the policeware constantly and try to fly under the anti-malware products' radar. When their program gets caught, they change it and try again, and the target may think it was an ordinary malware attack. Law enforcement agencies have plenty of resources and are well able to play this game successfully. And many criminals are probably not that tech savvy. Even big organized gangs might operate without properly protected computers. Reality is not like in the movies where the villain is both a global drug dealer and a super-hacker at the same time. Many criminals are soft targets even without whitelisting policeware.
Our policy to never whitelist is old already, but today it's more important than ever. The police used to be trustworthy in the good old days. Warrants and targeted actions against suspects have been seen as a legit part of crime-fighting. It's sad to see how this traditional police work blends into secret mass surveillance with totally different motives. It's not only sad, it's scary as this is creating a chasm between citizens and the authorities.
With this in mind, it is easy to see why a strict policy against whitelisting really is the only alternative. It has always been an easy choice, now it is a no-brainer.
The Target data breach has been big news ever since Brian Krebs broke the story several weeks ago.
And our analysts have been investigating the related malware samples, all very interesting, but one thing I'd like to know is this: if Target knows you're pregnant… do the hackers now know, too?
Back in February of 2012, the New York Times published an article by Charles Duhigg based on his book, The Power of Habit. And one of the more interesting things revealed in the article, was that Target very actively analyzes customer behavior patterns.
In other words: Target generates lots of metadata and customer analytics.
According to Bloomberg, Target has said the theft of customer data may have affected anyone who provided it basic information over the past several years. Provided?
As in data that was filled out on an application for credit — or does "provided" include data that was learned based on shopping patterns? The breach of 70 million records which included name and home address hints at a back end compromise that is far deeper than point of sale malware.
We've all learned the value of metadata in the last half-year.
Forget about the breached credit card numbers. Target's analytics would be an identity theft goldmine.
On most days, our WorldMap shows more of the same thing. Today is an exception.
One infection is topping so high in the charts that it pretty much captured our attention.
Checking the recent history of this threat, we saw that these past few days, it has been increasing in infection hits.
So we dug deeper… it wasn't long before we saw that a lot of scripts hosted in various websites got compromised. Our telemetry actually showed that almost 40% of the infected websites were hosted in Germany. In those sites, malicious code has been appended to the scripts which could look as simple and short as this:
Successful redirection leads to a fake flash download site that look similar to these pages:
The user would have to manually click on the Download Now link before a file called flashplayer.exe could be downloaded from a certain SkyDrive account.
When the malicious flashplayer.exe is executed, this message is displayed to the user.
While in the background, it is once again connecting to the same SkyDrive account in order to download another malware.
Initial analysis showed that the sample is connecting to these locations.
While we were analyzing the fake Minecraft app the other day, we noticed that it was using a hacking tool called Smalihook, so we took a look at it.
The tool is for hooking Java functions and it works just like any other hooking library. After the hooked function triggers, it can return anything to the caller. In this case, the following functions were hooked:
• getInstallerPackageName(String packageName) • getPackageInfo(String packageName, int flags)
The function getInstallerPackageName does the following:
• Retrieve the package name of the application that installed a package. This identifies which market the package came from.
When this hook triggers, it returns the value "com.google.android.feedback", even though the app wasn't downloaded from the Google Play Store; it just wants to look like it came from there.
The function getPackageInfo does the following:
• Retrieve overall information about an application package that is installed on the system.
The hook monitors if the second parameter is using constant 0x00000040 (64) GET_SIGNATURES, then will return the original Mojang certificate from inside the dex file (the trojanized app itself is signed with a debug certificate). This is done because the legitimate app it was based on includes an authentication routine that causes it to fail to run if it does a certificate verification check and doesn't find the correct certificate. Mojang developers apparently didn't want their application to be spread in packages signed using a developer cert, especially since their app is not free.
Smalihook seems to be part of the AntiLVL (Android License Verification Library Subversion) cracking tool. The purpose of these tools is to break license protection systems and they are aimed at developers who wants to test their own protections against common types of attacks.
The tool is publicly available and can be downloaded from the link below:
"F-Secure told SecurityWatch that the phony Minecraft PE is currently available on several Russian app stores. This isn't surprising as not all third party stores vet their apps as thoroughly as Google, making some of them havens for malicious applications.
Careful readers will probably remember that cloned versions of popular apps are nothing new; in fact, it's a common tactic to trick victims into downloading and installing malicious applications. These fake apps are generally free, to further entice victims, but this ersatz Minecraft PE bucks the trend by charging 2.50 Euros for the appthe real app costs 5.49 Euros."
The real game is included but includes this: android.permission.SEND_SMS, and the payment system has been "enhanced".
But among other things there's this bit from Rick Ledgett, a deputy director who heads the NSAs Media Leaks Task Force: "We are heavily biased toward defense," Ledgett adds, citing one case in which the NSA discovered a serious vulnerability in one company's software that could have impacted users all over the world. "We talked about it for a few days internally and decided it was so critical to the entirety of the US government and most of America that we disclosed [the vulnerability to that company]. We could have made hay on that forever on a huge range of targets."
Wow. The NSA responsibly disclosed *a* serious vulnerability. Well… kudos to the NSA!
That one anecdotal story of disclosure almost (but not even quite) makes up for the numerous zero-day exploits, drivers signed with stolen (JMicron and Realtek) certificates, MD5 hash collisions, and the CPLINK vulnerability unleashed upon the world via Stuxnet, Duqu, and Flame.
We are heavily biased toward defense?
Please. That just doesn't pass the straight face test.
Somebody has been busy these past two days... We have seen a massive spam surge with the same subjects and attachments in our spam traps.
The attachments usually have the following filenames.
The binary attachment is a threat that is often referred to as Fareit. Fareit is known to steal information such as credentials and account information from installed FTP clients and cryptocurrency wallets, and stored passwords in browsers.
For the two samples coming from these spam, we've seen them connecting to these to send information: networksecurityx.hopto.org 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199
In addition to stealing data, these samples download other malware including Zeus P2P from: ip-97-*.net/zA6.exe 119*4/fF3krry.exe rot*.com/124Tzh.exe ww*ng.net/bpuMp.exe dev*.com/1mHifVu.exe surfa*.com/DJm.exe kl*.com/Q4EzT.exe
Other malware seen installed in the system was Cryptolocker.
Apparently, spam overdose results in malware overdose.
Samples are detected as Trojan.Pws.Tepfer and Trojan.GenericKD variants.
Scammers are getting creative. Since online pharmacies, fake watches and selling generic goods are becoming commonplace, they are now switching to peddling seasonal products. Starting around last September, registrations of websites selling suspicious Canada Goose jackets have begun sprouting like mushrooms. People living near the poles have a love affair with this brand. They are one of the manufacturers of down jackets that make someone's winter experience a little warmer. As such, they have a loyal following. Apparently, the scammers are now aware of this.
Recently, advertisements for these sites have appeared in Facebook for users in Finland. This is pretty sad because considering the prices for Canada Goose jackets here in Finland, this can really cause someone's eyes to pop.
Upon clicking the ads, one ends up in a normal-looking shopping site. Complete with all the online shopping bells and whistles.
The ads have some mixed comments, from people saying that this is too good to be true, to those who almost bought them.
Now why do we think this site smells foul? - Website has only 1 year validity - Registrant is not local to the country/continent it's selling to (currently registered in China) - Website is selling goods at 50-70% discount (Have you ever seen Canada Goose at these prices?) - Website has no encryption when user is filling in personal information - The store/site is not an official Canada Goose retailer according to Canada Goose's online retailer search tool:
Oakley was also victimized by this scamming method last year and they took strong measures by seizing sites down and giving visitors some information on it:
Kudos to Oakley for being so vigilant against this!
Although these reputable brands are taking strong measures to take down these fake sites, it's possible that a potential buyer may stumble unto them before the actual brand owners do. As such, we can't emphasize it strongly enough, please be extra careful when shopping online. Scam sites are sprouting everywhere and are selling anything that anyone can possibly want. If this is the first time you have heard of the website, you are unsure of its reputation, and the offers are very tempting, it would be best not to shop there. There is no certainty that you will get the right product, or even anything at all in return.
F-Secure Users with their browsing protection enabled are protected from these suspect sites.