Monday, September 30, 2013

 

Privacy: a Core Finnish Value	Posted by Sean @ 15:05 GMT

Enumerated rights are cool. And here's an enumeration we're particularly fond of…

The Constitution of Finland, Section 10 — The right to privacy

"Everyone's private life, honour and the sanctity of the home are guaranteed."

"The secrecy of correspondence, telephony and other confidential communications is inviolable."



And there's even more enumeration here…

Act on the Protection of Privacy in Electronic Communications



Privacy — it's a core Finnish value. And central to everything we do here at F-Secure.
 
 

 
 

Thursday, September 26, 2013

 

New TDL Dropper Variants Exploit CVE-2013-3660	Posted by ThreatResearch @ 08:48 GMT

Recently, we been seeing a new breed of TDL variants going around. These variants look to be clones of the notorious TDL4 malware reported by Bitdefender Labs.

The new TDL dropper variants we saw (SHA1: abf99c02caa7bba786aecb18b314eac04373dc97) were caught on the client machine by DeepGuard, our HIPS technology (click the image below to embiggen). From the detection name, we can see that the variants are distributed by some exploit kits.



Last year, ESET mentioned a TDL4 variant (some AV vendors refer to it as Pihar) that employs new techniques to bypass HIPS as well as to elevate a process's privileges to gain administrator access. The droppers of the variants we recently saw also use the same techniques mentioned in ESET's blog post, but with some minor updates.

Recap: TDL4 exploits the MS10-092 vulnerability in Microsoft Window's Task Scheduler service to elevate the malware's process privileges in order to load the rootkit driver. The new variants instead exploits the CVE-2013-3660 EPATHOBJ vulnerability discovered by security researcher Tavis Ormandy:



One of the notable differences between the new variants and classic TDL4 is the configuration file, which is embedded in the resource section of the dropper as RC4 encoded data:



This is hardly the first malware family to exploit CVE-2013-3660, but it is a neat demonstration of how fast malware authors take up publicly available exploit code - in this case, the exploit code went public three months ago.

Post by — Wayne
 
 

 
 

Tuesday, September 24, 2013

 

H1 2013 Threat Report	Posted by Sean @ 06:57 GMT

Our H1 2013 Threat Report is now online:



You'll find it — as well as our previous reports — available for download: here.
 
 

 
 

Thursday, September 19, 2013

 

iOS 7 Security Prompts	Posted by Sean @ 12:33 GMT

Apple's iOS 7 was released yesterday…

And it has some nice new security prompts:


@WeldPond


@mikko

If you come across more, Tweet them to @FSecure.
 
 

 
 

Wednesday, September 18, 2013

 

Vulnerability in IE Could Allow Remote Code Execution	Posted by Sean @ 12:26 GMT

This is probably required reading if you're a Windows systems administrator of any sort: Microsoft Security Advisory (2887505).



All versions of Internet Explorer are affected.

Microsoft is currently aware of "a limited number of targeted attacks specifically directed at Internet Explorer 8 and 9." The limited nature of attacks is very likely to change in the near future as exploit kit providers will now move to add support for an exploit based on the vulnerability. Our detection for such exploits is already in progress.

In the meantime, Microsoft has released a Fix it tool to mitigate potentially attacks until a patch is released.

Updated to add:

Our exploit detection based on this vulnerability has now been released.

Details: Exploit:HTML/CVE-2013-3893.A
 
 

 
 

Monday, September 16, 2013

 

September 23rd: Threat Report Webcast	Posted by Sean @ 15:58 GMT

Join us September 23rd for a webcast based on our forthcoming Threat Report.


Join the event and other details.

Tweet your questions @mikko using the hashtag #WWPY.

If you don't have a Google account (like some of us) the webcast will be available after completion on YouTube.
 
 

 
 

Friday, September 13, 2013

 

Rootkit Cafe	Posted by ThreatResearch @ 08:13 GMT

Have you ever wondered about the ads you might have seen being shown on the desktop or in the browser during web browsing sessions at Internet cafes? One of our Analysts, Wayne, certainly did.

He recently analyzed a sample (SHA1: c8c643df81df5f60d5cd8cf46cb3902c5f630e96) that gave him an interesting answer. The sample was a rootkit named in its code as LanEx, though we detect it as Rootkit:W32/Sfuzuan.A:



Wayne traced the sample back to an advertising company in China called 58wangwei that runs an affiliate program for cafe operators looking to maximize the profits from a constant stream of eyeballs staring at their PCs. Their solution? Display ads to the cafe users.

The marketing spiel on the advertising site mentions that " a single PC in the Internet Cafe operates 20 hours per day in average, excluding the PC idle time". While we don't have any statistics that would back that claim, very informal personal observation would seem to support it.

Anyway, interested cafe operators are directed to a webpage where they can download a software package (with the installer for the rootkit). The page includes a control panel to configure various functions in the rootkit, for example the default page it sets the web browser to. The various options available are all search engines almost exclusively targeted to mainland China. Each option has specified dollar amounts � for example, 26 yuan for 1000 unique visitors to one engine.

The operator then manually installs the package (which will then download the rootkit) on their computers and presto! They should be coining money right? Not quite - it�s not all smooth sailing for the operators. At least one support forum (Chinese language only) has operators asking for more details about the package and griping about it causing BSOD on their machines:



(source: bbs.icafe8.com)

Most of the operators aren't actually aware what the rootkit is doing on their machines. The program is mainly aimed at displaying advertisements:

   •  Hide the processes belong to the advertising modules through SSDT hook
   •  Prevents the advertising modules processes from being terminated through SSDT hook
   •  Prevents access to certain webpages (based on the URL�s IP address and port number) through NDIS hook

The control panel on the webpage where operators download the installer for the rootkit also include the option to select which processes they want to hide in addition to the ad module-related processes, which are hidden by default.

Technically, the most interesting part of the rootkit is that it uses an NDIS hook to filter all the HTTP request and response messages sent over the network. If a prohibited HTTP request is encountered, the packet is modified and a crafted HTML page is returned by the rootkit.

The HTML page is either a hidden iframe or HTTP 302 redirection that redirects the user's browser to a specified website:



For users, the result of having the rootkit on a machine they're using is inescapable exposure to advertisements. They may also be redirected to unsolicited websites.

Though the rootkit is mainly directed at displaying ads, it isn�t adware � it is still fully capable of performing far more malicious actions on the system. And it looks like even the Internet cafe operators don�t always know quite what they've installed on their machines.


 
 

 
 

Wednesday, September 11, 2013

 

Post-Office Espionage	Posted by Sean @ 16:20 GMT

A good working knowledge of history is crucial. Because context is everything.

Which is why those of you with any kind of interest in recent NSA/GCHQ revelations should read historian Jill Lepore's article:



The Prism: Privacy in an age of publicity

Using poppy seeds, strands of hair, and grains of sand… and then mailing the letter to himself to figure out he was being spied on?

Sounds like Giuseppe Mazzini was the "hacker" of his day.
 
 

 
 

Tuesday, September 10, 2013

 

Limit Exposure to Facebook Friends of Friends	Posted by Sean @ 09:48 GMT

Yesterday, Forbes reporter Kashmir Hill asked a question which has been on my mind for years:



Why Doesn't Facebook Show You What A 'Friend of a Friend' Sees On Your Profile?

The question is in reference to Facebook's "View As" feature which can be used to audit your account. And the answer given is rather a surprise. According to Facebook's chief privacy officer Erin Egan: "We've never gotten feedback about that before."

Never?!? If that's true, I can only assume it's because they've never bothered to ask anybody.

I'm frequently asked this question when family and friends ask for Facebook advice: I can see stuff belonging to people I'm not friends with, what can they see on my timeline? And because Facebook lacks a complete set of auditing tools, I usually recommend a full reset with the "Limit Old Posts" option.



The option resets all past timeline content to "Friends" only. At that point you don't need to audit, friends of friends will see nothing more than what is later made public. Limit Old Posts can be found via the Privacy Shortcuts icon and the See More Options link.

Just the other day, I was helping a neighbor setup a page for his Helsinki-based fudge business and it turned out that a large number of his photos were in an (iPhoto) album which was open to friends of friends. Given that there are pictures of his children in that album… the Limit Old Posts is a must.

Additional view as options would be very welcome, and Facebook should also consider a review page showing photos with people that can be seen by people other than friends.

Post by — Sean
 
 

 
 

Friday, September 6, 2013

 

Will the U.S. "Cyber Attack" Syria?	Posted by Sean @ 12:51 GMT

In what is very surely a disturbing sign of the times…

We've been asked: should cyber weapons be included in a "measured military response" to Syria's use of chemical weapons?

Some think they should:



  •  Guest: U.S. should launch a cyberattack on Syria
  •  How the US Could Cyber Attack Syria, Too
  •  US may launch cyber attacks on Syria: Experts
  •  US likely to wage cyber attacks against Syria

Should. May. Likely?

We remain skeptical…

And if you are skeptical as well, may we recommend the following:



CYBER WAR WILL NOT TAKE PLACE by Thomas Rid.

But don't just take our recommendation, at the very least, read this review:



Cyberwar Is Mostly Bunk by Ronald Bailey.
 
 

 
 

Thursday, September 5, 2013

 

EU Parliament Civil Liberties Committee on US Surveillance	Posted by Sean @ 13:02 GMT

Now: the EU Parliament's Civil Liberties Committee starts the first of a series of hearings examining issues around US surveillance.

Here's the agenda for Session 1:



Broadcast link: Committee on Civil Liberties, Justice and Home Affairs
 
 

 
 

Wednesday, September 4, 2013

 

Whatever Happened to Facebook Likejacking?	Posted by Sean @ 12:56 GMT

Back in 2010, Facebook likejacking (a social engineering technique of tricking people into posting a Facebook status update) was a trending problem. So, whatever happened to likejacking scams and spam? Well, Facebook beefed-up its security — and the trend significantly declined, at least when compared to peak 2010 numbers.

But you can't keep a good spammer down. Can't beat them? Join them.

Today, some of the same junk which was spread via likejacking… is now spread via Facebook Advertising.



The top middle thumbnail above is some kind of malformed egg. Typical click-bait.

The ad links to a Page with localized campaigns. Note the "Ca" and the "Fi".



The landing page uses an "app" trick to automatically redirect to a spam campaign:



We're pretty sure such tricks are a violation of Facebook's ToS. But so far, Facebook hasn't reacted to the sample we sent them.

Apparently.

Some of the spam campaigns are not exactly "safe for work" depending on the source ads:



Also a concern: some of the ads appear to be linked to compromised websites. The spammers may not even be paying for these ads.

Are you judged by the company you keep?

That's probably a question legitimate brands with a Facebook presence should be asking themselves.