NEWS FROM THE LAB - November 2011
 

 

Monday, November 28, 2011

 
FP's Top 100 Global Thinkers Posted by Sean @ 14:14 GMT

Foreign Policy magazine annually publishes a list of "Top 100 Global Thinkers". In previous years, people such as Carl Bildt, Angela Merkel, Liu Xiaobo, and Tarja Halonen have been on the list.

The 2011 list was published today and includes people such as Barack Obama, Bill & Melinda Gates, Bill & Hillary Clinton, and Jens Stoltenberg (the prime minister of Norway).

And… it also includes our Chief Research Officer, Mikko Hypponen.

Foreign Policy is one of the world's most prestigious publications discussing international politics.

The FP Top 100 Global Thinkers

The FP Top 100 Global Thinkers, 2011

Congrats, Mikko.

 
 

 
 
Friday, November 25, 2011

 
Mikko @ TEDxBrussels Posted by Sean @ 10:51 GMT

Mikko presented at TEDxBrussels this week.

TEDxBrussels

A video is available here:



Additional videos and interviews are available on our YouTube channel.

 
 

 
 
Thursday, November 24, 2011

 
Happy Thanksgiving, "Alpha Geeks" Posted by Sean @ 15:59 GMT

Yesterday, CIO's Constantine von Hoffman published a post titled "IT Security News Sources to be Thankful for" and we would like to thank him for a very amusing shout-out.

Unlike other industries I've covered (cough, cough banking cough, cough) security company blogs tend to be reliable and hugely informative. F-Secure is just one of many great examples of this. They put a premium on sharing code — so this is a site for alpha geeks and not just casual readers. Irrelevant side note: F-Secure is a Finnish company — don't worry, the site is fluent in English — and Finnish is one of the strangest languages in the world. My son just took an intro to it and told me, ''It has 16 cases (Google Grammatic Cases if you don't know what I'm talking about). One of those is the Partitive ''OHGODWHY'' case which changes a word based on when the word entered the language.''

Constantine, we wish your son success with his Finnish language studies (#OHGODWHY), and take great pride in being called a site "for alpha geeks and not just casual readers".

Reading such praise is truly a great motivator!

P.S. And for all of you American alphas out there that want to recommend a security related blog to your non-geek family members over the holiday weekend, check out F-Secure's Safe and Savvy blog. It's for the more casual reader — and promises not to bite.

 
 

 
 
Tuesday, November 22, 2011

 
Laptop Stickers 2011/2012 Posted by Sean @ 13:59 GMT

Time for another Laptop Stickers contest! See here, here, here, here, here and here (lots o' links) for past examples.

We started collecting suggestions on our F-Secure Community pages and from Twitter a couple of weeks ago. Now, until the end of November, we would like our blog readers to contribute.

Here's a link to the Community thread in question.

Laptop Stickers Contest 2011/2012

If you have a Twitter account, use #FSLS as a hashtag.

If you don't care about attribution and just want to contribute a suggestion, you can also leave a comment on this post.

We'll select the finalists for a giveaway in December. Cheers!

 
 

 
 
Friday, November 18, 2011

 
Another Cousin of Spitmo: SymbOS/ConBot Posted by ThreatResearch @ 14:14 GMT

Analysts on our Threat Research team recently discovered OpFake, a premium rate SMS trojan that shares code with Spitmo. And this week, our automation flagged a new sample. The guys have completed their analysis and it appears that we've discovered yet another "cousin" of Spitmo. Only, this trojan doesn't pretend to be an Opera update.

Also: SymbOS/ConBot has bot characteristics.

Analysts' notes follow:

Trojan:SymbOS/ConBot.A is based on the Spitmo source code. The only known instance of ConBot.A was downloaded from [removed].ru/mms.sis.

ConBot.A contains a package called SystemService that, in turn, contains an embedded package called AppBoot.

SystemService package contents:

  •  c:\Private\EE1DCDAA\first
  •  c:\Private\EE1DCDAA\start.xml
  •  c:\sys\bin\SystemService.exe
  •  c:\System\AppBoot\SystemService.boot

Embedded package AppBoot

  •  c:\sys\bin\AppBoot.exe
  •  c:\private\101f875a\import\[2005A60D].rsc

Unlike OpFake, ConBot does not add an icon to the applications menu. Once the installation is finished it does not notify the user of its existence in any way. (Perhaps it is promoted as a "security certificate update" as is Spitmo.)

Just like OpFake.A, ConBot.A is self-signed with a certificate by "JoeBloggs" from "Acme" but the certificate itself is not the same that was used for OpFake.

AppBoot.exe is automatically started every time the phone starts because of the [2005A60D].rsc file. AppBoot.exe then decrypts the SystemService.boot file.

The decryption algorithm is the same that Trojan:SymbOS/OpFake.A uses to decrypt its configuration file (sms.xml). The decrypted content of SystemService.boot turns out to be the path to c:\sys\bin\SystemService.exe. AppBoot.exe runs whatever files the decrypted .boot files point to.

SystemService.exe contains the actual payload of ConBot.

The first time SystemService.exe is run it collects mobile phone numbers from the contacts stored on the phone and saves them temporarily to c:\Private\EE1DCDAA\contacts.xml. The trojan then contacts [removed].ru/connect.php and sends the contacts.xml and IMEI of the phone to the remote server. Periodic connections are made to the same server with the IMEI, time, date, and operating system version (hard-coded to Symbian9). As a reply the trojan should receive an XML file that contains instructions on where to send SMS messages. There is also another URL hard-coded into the trojan ([removed].ru/connect.php), but it is overridden by the address from start.xml.

ConBot.A also monitors new incoming SMS messages as well as messages that are moved from the Outbox to the Sent folder. If certain conditions are met, the trojan deletes the SMS messages it intercepts. The function that handles messaging events notifying of newly created messages is again largely identical to that of Spitmo.A and OpFake.A. It is not the only identical part in the code of the three families.

Updating the C&C:

An interesting feature in the SMS monitoring is the trojan's ability to update the C&C server URL via a text message. If ConBot.A notices an incoming SMS message that begins with zlhd[removed] it extracts the rest of the message and stores it to settings.dat replacing the old URL. The authors have apparently decided they don't want their mobile botnet crippled simply by taking down the C&C server.

ConBot code

SHA1 for the full installer: 83fc407f77ee56ab7269d8bea4a290714c65bbe1
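As an added example (not part of the analysts' notes above), here is a small Python triage helper that checks an installed-file manifest from a Symbian handset image against the ConBot.A file paths listed above, reports whether the full autostart chain (.rsc entry, AppBoot.exe, SystemService.boot) is present, and compares a candidate .sis file against the installer SHA1 given above. The manifest entries are constructed for the example; the paths and hash are the ones from the post.

```python
import hashlib

# Paths of the SystemService and embedded AppBoot packages listed in the
# analysis above. Symbian paths are case-insensitive (the post itself mixes
# "Private" and "private"), so everything is compared lower-cased.
CONBOT_PATHS = {
    r"c:\private\ee1dcdaa\first",
    r"c:\private\ee1dcdaa\start.xml",
    r"c:\sys\bin\systemservice.exe",
    r"c:\system\appboot\systemservice.boot",
    r"c:\sys\bin\appboot.exe",
    r"c:\private\101f875a\import\[2005a60d].rsc",
}

# The three files that together form the boot chain described above: the
# .rsc entry autostarts AppBoot.exe, which decrypts the .boot file and runs
# whatever path it contains.
BOOT_CHAIN = {
    r"c:\private\101f875a\import\[2005a60d].rsc",
    r"c:\sys\bin\appboot.exe",
    r"c:\system\appboot\systemservice.boot",
}

# SHA1 of the full installer, as published in the post.
CONBOT_INSTALLER_SHA1 = "83fc407f77ee56ab7269d8bea4a290714c65bbe1"


def normalize(path):
    """Lower-case and use backslashes so manifests from different tools compare equal."""
    return path.strip().replace("/", "\\").lower()


def match_indicators(manifest):
    """Return the ConBot paths present in an installed-file manifest, sorted."""
    seen = {normalize(p) for p in manifest}
    return sorted(seen & CONBOT_PATHS)


def boot_chain_complete(manifest):
    """True when every file of the autostart/decrypt/run chain is present."""
    seen = {normalize(p) for p in manifest}
    return BOOT_CHAIN <= seen


def installer_matches(data):
    """Compare a candidate .sis file's SHA1 with the published installer hash."""
    return hashlib.sha1(data).hexdigest() == CONBOT_INSTALLER_SHA1


def assess(manifest, installer_bytes=None):
    """Summarise what a triage tool would report for one handset image."""
    return {
        "indicator_hits": match_indicators(manifest),
        "boot_chain": boot_chain_complete(manifest),
        "known_installer": (installer_matches(installer_bytes)
                            if installer_bytes is not None else None),
    }


# Constructed manifest: a few benign entries mixed with the ConBot files.
SAMPLE_MANIFEST = [
    r"C:\sys\bin\AppBoot.exe",
    r"C:\private\101f875a\import\[2005A60D].rsc",
    r"C:\System\AppBoot\SystemService.boot",
    r"C:\sys\bin\SystemService.exe",
    r"C:\Private\EE1DCDAA\start.xml",
    r"C:\resource\apps\Browser.rsc",
    r"C:\Data\Images\photo001.jpg",
]

if __name__ == "__main__":
    print(assess(SAMPLE_MANIFEST, b"constructed bytes, not the real installer"))
```

The hash check only identifies the one known installer; the path and boot-chain checks are what catch a repackaged build, which is why both are reported separately.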

 
 

 
 
Wednesday, November 16, 2011

 
DevilRobber Gets An Updated Version Posted by ThreatSolutions @ 10:39 GMT

We found an updated version of Backdoor:OSX/DevilRobber, which we posted about earlier.

The updated version uses the same technique as its predecessor to disguise itself as a legitimate application, though this time it calls itself PixelMator.

Pixel_mator

Based on the malware's dump.txt file, this latest backdoor is identified as Version 3 (v3).

DevilRobber v3

The main point of difference in DevilRobberV3 is that it has a different distribution method — the "traditional" downloader method.

The DevilRobberV3 sample that we analyzed (1c49632744b19d581af3d8e86dabe9de12924d3c) is an FTP downloader that will download its backdoor installer package from an FTP Server service provider.

To retrieve its installer, the malware generates 3 FTP URLs with hard-coded usernames and passwords, which are encoded in the program itself. The package is named "bin.cop" and is stored in the root folder on the FTP server.

DevilRobberV3 downloader

In addition to the changed distribution method, DevilRobberV3 has the following changes in its information harvesting script:

  •  It no longer captures a screenshot
  •  It no longer checks for the existence of LittleSnitch (a firewall application)
  •  It uses a different launch point name
  •  It harvests the shell command history
  •  It harvests 1Password contents (a password manager from AgileBits)
  •  It now also harvests the system log file

It still attempts to obtain Bitcoin wallet contents though.

Threat Solutions post by — Wayne

 
 

 
 
Monday, November 14, 2011

 
Malware Signed With a Governmental Signing Key Posted by Mikko @ 14:23 GMT

Certificates and CAs continue to be a hot topic (think Stuxnet, Duqu, Comodogate, Diginotar, et cetera).

Every now and then we run into malware that has been signed with a code signing certificate. This is problematic, as an unsigned Windows application will produce a warning to the end user if he downloads it from the web — signed applications won't do this. Also some security systems might trust signed code more than unsigned code.

In some of these cases, the certificate has been created by the criminals just for the purpose of signing malware. In other cases they steal code signing certificates (and their passphrases) so they can sign code as someone else.

We recently found a sample signed with a stolen certificate. The file properties looked like this:

Publisher: Adobe Systems Incorporated
Copyright: Copyright (C) 2010
Product: Adobe Systems Apps
File version: 8, 0, 12, 78
Comments: Product of Adobe Systems

And the signing info was:

Signer: anjungnet.mardi.gov.my
Digisign Server ID (Enrich)
GTE CyberTrust Global Root
Signing date: 5:36 24/08/2011

Turns out mardi.gov.my is part of the Government of Malaysia: Malaysian Agricultural Research and Development Institute. According to the information we received from the Malaysian authorities, this certificate was stolen "quite some time ago".

mardi-cert

The malware itself has been spread via malicious PDF files that drop it after exploiting Adobe Reader 8. The malware downloads additional malicious components from a server called worldnewsmagazines.org. Some of those components are also signed, although this time by an entity called www.esupplychain.com.tw.

It's not that common to find a signed copy of malware. It's even rarer that it's signed with an official key belonging to a government.

This particular malware no longer gains much advantage from the signature, as the mardi.gov.my certificate expired at the end of September.
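As an added example (not part of the original post), the following Python triage helper applies the checks an analyst makes by eye on the property blocks shown above: does the version-info Publisher share any identifying word with the signer, is the signer a government domain, and was the file signed before or after the certificate's end of validity. The property text is taken from the post; the certificate expiry date (30 September 2011, from "the end of September") and the "now" date (the post's date) are assumptions, and the word-matching rule is a heuristic of this example, not a property of Authenticode.

```python
from datetime import datetime

# Words that carry no identity and are ignored when comparing names.
GENERIC_WORDS = {"systems", "system", "inc", "incorporated", "corp", "corporation",
                 "ltd", "limited", "software", "apps", "the", "co"}


def parse_properties(text):
    """Turn 'Key: value' lines (the layout shown above) into a dict. Lines
    without a colon, such as the certificate chain names, are skipped."""
    props = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            props[key.strip().lower()] = value.strip()
    return props


def identity_tokens(name):
    """Lower-case name fragments worth comparing: 'Adobe Systems Incorporated'
    gives {'adobe'}, 'anjungnet.mardi.gov.my' gives {'anjungnet','mardi','gov','my'}."""
    tokens = set()
    for part in name.replace(".", " ").replace(",", " ").split():
        word = part.strip("()").lower()
        if len(word) >= 2 and word not in GENERIC_WORDS:
            tokens.add(word)
    return tokens


def review_signature(file_props, sig_props, cert_not_after, now):
    """Return the list of triage findings for one signed binary."""
    findings = []
    publisher = file_props.get("publisher", "")
    signer = sig_props.get("signer", "")
    # Heuristic: a real vendor build is signed by that vendor, so the two
    # names should share at least one identifying word.
    if publisher and signer and not (identity_tokens(publisher) & identity_tokens(signer)):
        findings.append("publisher_mismatch")
    if ".gov." in f".{signer.lower()}.":
        findings.append("government_signer")
    # Signing date in the post's own "H:MM DD/MM/YYYY" layout.
    signed_at = datetime.strptime(sig_props["signing date"], "%H:%M %d/%m/%Y")
    if signed_at > cert_not_after:
        findings.append("signed_after_expiry")
    if now > cert_not_after:
        findings.append("certificate_expired")
    return findings


def review_from_text(file_text, sig_text, cert_not_after="2011-09-30", now="2011-11-14"):
    """Convenience wrapper taking the raw property blocks and ISO dates."""
    return review_signature(parse_properties(file_text), parse_properties(sig_text),
                            datetime.fromisoformat(cert_not_after), datetime.fromisoformat(now))


# Property blocks as shown in the post.
FILE_PROPERTIES = """Publisher: Adobe Systems Incorporated
Copyright: Copyright (C) 2010
Product: Adobe Systems Apps
File version: 8, 0, 12, 78
Comments: Product of Adobe Systems"""

SIGNATURE_INFO = """Signer: anjungnet.mardi.gov.my
Digisign Server ID (Enrich)
GTE CyberTrust Global Root
Signing date: 5:36 24/08/2011"""

if __name__ == "__main__":
    # Assumed dates: certificate expiry at end of September 2011, checked on the post's date.
    print(review_from_text(FILE_PROPERTIES, SIGNATURE_INFO))
```

A mismatch between Publisher and signer is the cheapest of these checks and the one that would have flagged this sample even while the certificate was still valid; the expiry check only matters for the window after revocation or expiry, as noted above.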

The Malaysian Government has been informed about the case.

We detect this malware as Trojan-Downloader:W32/Agent.DTIW. MD5 hash is e9f89d406e32ca88c32ac22852c25841.

 
 

 
 
Thursday, November 10, 2011

 
FBI: Operation Ghost Click Posted by Sean @ 13:29 GMT

A US court has indicted seven men (6 Estonians and 1 Russian) as part of the US Federal Bureau of Investigation's Operation Ghost Click. Estonian authorities have made 6 arrests; the Russian defendant is still at large.

Long time blog readers should remember one of the defendants, Vladimir Tšaštšin (aka "SCR"), from Case EstDomains, circa 2008.

It's fair to say that Operation Ghost Click is a very significant success in the fight against crimeware.

Rove Digital (the gang's shell corporation) operated a very innovative DNSChanger click-fraud scheme which affected over 4 million computers and reportedly netted over 14 million dollars in ad-based revenue. Their operations were so successful that they even branched into Mac malware.

Here are some screenshots from the FBI's "Check to See if Your Computer is Using Rogue DNS" instructions.

FBI, Apple, DNSChanger


Some of the gang's malware even targeted routers!

Check out Krebs on Security for more details.

 
 

 
 
Wednesday, November 9, 2011

 
Running Windows Server 2008? Patch. Posted by Sean @ 14:03 GMT

This month's Microsoft Updates include an interesting vulnerability:

Microsoft Security Bulletin MS11-083

"This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system."

A continuous flow of UDP packets? Remote code execution indeed.

This affects Windows Vista, Windows 7, and Windows Server 2008. Fortunately, most Vista and 7 users will soon be patched via their monthly automatic updates. But what about Server 2008? Server administrators need to schedule updates that involve restarts. Better schedule this update sooner than later.

Microsoft expects only "inconsistent exploit code likely". But due to the critical nature of the vulnerability, they advise that this is a top deployment priority, see their handy chart for details.

"This security update resolves a privately reported vulnerability…"

That's probably a reference to Microsoft's bug bounty program. Kudos to the white hat researcher out there who reported his findings to Microsoft rather than selling the vulnerability on the black market.

—————

The best thing about UDP jokes is that I don't care if you get them or not.

 
 

 
 
Monday, November 7, 2011

 
Busy, Busy "Anonymous" Posted by Sean @ 17:07 GMT

The Internet Collective known as Anonymous had a busy "Guy Fawkes Weekend".

Here are a few highlights on their recent activities.

Mexico: OpCartel is nixed. Anonymous claims the Zetas, a very dangerous Mexican drug cartel, released their kidnapped member with a message that many would be killed if names were leaked.

Anonymous November Ops

USA: An Anonymous video has been posted calling for the occupation of "campaign offices of presidential headquarters in Des Moines, Iowa" in December. Iowa is the site of the first presidential contest in the 2012 election season.


Israel: Anonymous attacked Israeli state security websites in response to the interception of a Gaza-bound flotilla.


Finland: somebody claiming to represent "Anonymous Finland" posted data on 16,000 Finns.


AnonFinland claims this was done as part of Operation #AntiSec but their accompanying message was very political in nature. In what may be a related attack, the webpage of the Finnish Police is currently offline.

Updated to add: poliisi.fi's offline status wasn't caused by an "attack".

The Finnish National Bureau of Investigation (NBI) posted a PDF containing the first name and birth date of those affected by the data breach, and their server couldn't handle the load (an unintentional DDoS) as Finns attempted to check for their own name. The website is still quite slow; those interested in downloading the PDF can get it more easily from yle.fi.

—————

Do you find yourself attempting to understand Anonymous's development as the collective grows? This article on how Anonymous supported Occupy Wall Street provides good insight into how the collective is of two different mindsets: moral and lulz.

 
 

 
 
Friday, November 4, 2011

 
Backdoor:OSX/DevilRobber.A Posted by Brod @ 07:13 GMT

We recently analyzed DevilRobber.A, a Mac OS X malware that has both backdoor and trojan-like capabilities. All the samples we've collected so far were from torrents uploaded by a single user account on The Pirate Bay website:

DevilRobber tpb

The files shared were legitimate Mac applications, but modified to include the malware's components. The samples we got had some variations in the components, which means that some samples (variants) had additional functionalities.

It seems that the malware author had varying purposes for each of his creations. One variant steals the Keychain of the infected machine and logs the number of files on the system with names matching the string "pthc" — which Graham Cluley speculates may be referring to "pre-teen hardcore pornography". It appears as though the malware author is trying to find illegal child abuse materials, by spotting which infected machine has the most pornography and using its credentials to gain access to the materials.

Other variants install applications related to Bitcoin mining. These applications use both the CPU and GPU computational power of the infected machines, which improves the mining operations at the computer owner's expense. Now that is greedy!

Below is a summary of the differences between the variants we've found as of this writing:

DevilRobber variants

In addition, all the variants we've seen log the number of files that match a certain set of criteria, and also steal the Terminal command history and Bitcoin wallet. All variants also perform the following:

  •  Opens a port where it listens for commands from a remote user.
  •  Installs a web proxy which can be used by remote users as a staging point for other attacks.
  •  Steals information from the infected machine and uploads the details to an FTP server for later retrieval.

Even here, there are differences between the variants. The specific port used by the web proxy depends on the variant (see Port Mapping column in the table above). The specific FTP server for data stealing also varies between samples. And DevilRobber's data stealing routine is repeated on a fixed interval — every 43200, 60000, or 100000 seconds, depending on the sample.

Another interesting technical point we observed is that DevilRobber adds a port mapping to UPnP-capable gateway devices, to allow its ports to be accessed from outside the network:

DevilRobber add port mapping

Which is something we've seen before in Conficker/Downadup.
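As an added example (not code from the original post or from the malware), here is the gateway-side audit a defender can run for exactly this behaviour: the Internet Gateway Device profile exposes a GetGenericPortMappingEntry action on its WANIPConnection service, and enumerating it from index 0 upwards lists every mapping the gateway holds, whoever created it. The Python below builds that SOAP request, parses the response, and flags any mapping not on an operator allowlist. The two responses and the allowlist are constructed for the example (the internal hosts, ports and descriptions are made up); posting the request to the gateway's control URL, which is found via SSDP and the device description, is left out so the example runs offline.

```python
import xml.etree.ElementTree as ET

# Real IGD service and action names from the UPnP WANIPConnection:1 spec.
IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"


def build_request(index):
    """SOAP body asking the gateway for the mapping at position `index`.
    A client POSTs this to the service's control URL with a SOAPAction
    header of '"urn:...:WANIPConnection:1#GetGenericPortMappingEntry"'."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{ACTION} xmlns:u="{IGD_SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        f'</u:{ACTION}></s:Body></s:Envelope>'
    )


def parse_entry(response_xml):
    """Pull the New* argument fields out of a GetGenericPortMappingEntry response."""
    root = ET.fromstring(response_xml)
    entry = {}
    for el in root.iter():
        tag = el.tag.split("}")[-1]          # drop the namespace prefix
        if tag.startswith("New"):
            entry[tag[3:]] = (el.text or "").strip()
    return entry


def audit(entries, expected):
    """Return the mappings whose (internal host, internal port, protocol) is not
    on the allowlist; on a managed network every legitimate mapping should be."""
    flagged = []
    for e in entries:
        key = (e["InternalClient"], int(e["InternalPort"]), e["Protocol"].upper())
        if key not in expected:
            flagged.append(e)
    return flagged


def _response(**fields):
    """Constructed gateway response in the shape the IGD spec defines."""
    body = "".join(f"<New{k}>{v}</New{k}>" for k, v in fields.items())
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        f'<s:Body><u:{ACTION}Response xmlns:u="{IGD_SERVICE}">{body}'
        f'</u:{ACTION}Response></s:Body></s:Envelope>'
    )


# Constructed: one mapping the operator set up, one a workstation added itself.
SAMPLE_RESPONSES = [
    _response(RemoteHost="", ExternalPort=8080, Protocol="TCP", InternalPort=8080,
              InternalClient="192.168.1.10", Enabled=1,
              PortMappingDescription="office-web", LeaseDuration=0),
    _response(RemoteHost="", ExternalPort=34522, Protocol="TCP", InternalPort=34522,
              InternalClient="192.168.1.57", Enabled=1,
              PortMappingDescription="", LeaseDuration=0),
]
EXPECTED_MAPPINGS = {("192.168.1.10", 8080, "TCP")}


def audit_gateway(responses=SAMPLE_RESPONSES, expected=EXPECTED_MAPPINGS):
    return audit([parse_entry(r) for r in responses], expected)


if __name__ == "__main__":
    for m in audit_gateway():
        print("unexpected mapping:", m["InternalClient"], m["InternalPort"], m["Protocol"])
```

In practice the loop over indices stops when the gateway answers with a SOAP fault (error 713, SpecifiedArrayIndexInvalid); the same walk is how a gateway's own admin UI lists mappings, so nothing here depends on the malware's choice of port.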

More details about DevilRobber can be found in our description.

 
 

 
 
Thursday, November 3, 2011

 
Duqu: Questions and Answers Posted by Sean @ 16:47 GMT

Due to its complexity, case Duqu is challenging to understand. Here are some questions and answers that we hope will help.

Q: What is Duqu?
A: Because of the news and ongoing developments surrounding Duqu, that's actually a very broad question. Here's a narrow answer: Duqu is a Windows bot (not worm) that has been used as part of highly targeted attacks against a limited number of organizations, in a limited number of countries.

Q: How does Duqu spread?
A: Duqu doesn't spread on its own. In one known case, Duqu was installed by a document attachment which was delivered via an e-mail message.

Q: Isn't that the same method by which RSA was hacked?
A: Yes. Numerous targeted attacks have used this method. In the RSA case, an Excel document attachment used an embedded Flash object that exploited a zero-day vulnerability in Adobe Flash Player to install a backdoor/remote access tool (RAT) called Poison Ivy.

Q: So what's so special about Duqu's exploit?
A: The zero-day used by Duqu's installer exploits a vulnerability in the Windows kernel.

Update: Microsoft has published their Security Advisory (2639658).

Q: How much more advanced is a Windows kernel exploit than a Flash Player exploit?
A: What? Please.

Q: No, seriously, how much?
A: Significantly more. A Windows kernel vulnerability/exploit is worth a great deal more compared to one used against a third-party application, even one so widely installed as Flash Player.

Q: Can I patch my system against this vulnerability?
A: No. You can't.

Q: So what can I do if this Windows kernel vulnerability is unpatched?
A: Wait. Microsoft Security Response is currently investigating the vulnerability and is preparing a solution. Fortunately, the exploit document is in very limited circulation, and is under an NDA.

Q: Why is there an NDA on the document?
A: Because it was such a highly targeted attack, the document itself would most likely reveal the identity of the target. Sharing the document would be a breach of customer confidentiality, and therefore, CrySyS Lab (discoverer of Duqu) cannot release the document unless done in a way that protects the privacy of their customer.

Q: So Duqu's installer is not "in-the-wild"?
A: Not generally, no. Though there could be some other undiscovered variants.

Q: So is Duqu a threat to me?
A: That depends on who you are. But generally, no. However, Duqu will eventually create a big problem.

Q: What problem will Duqu create?
A: Once Microsoft patches the Windows kernel vulnerability, criminals at large will be able to reverse engineer the patch, and will discover the vulnerability. At that point, any Windows computer that isn't up to date will be vulnerable to what could prove to be a very serious exploit.

Q: But not yet?
A: Correct.

Q: Is there anything else interesting about Duqu?
A: Yes, definitely. In one known case, a driver used by Duqu was signed using a stolen certificate issued to a Taiwanese hardware company called C-Media.

Q: Why did Duqu use a signed driver?
A: Signed drivers can circumvent security policies that prompt about or reject installation of unsigned drivers. Security policies can be configured to inherently distrust unsigned drivers. Having a driver signed by a known vendor provides a valuable level of trust.

Q: So then is that why Duqu is such a big deal? Because of the zero-day and the signed driver?
A: That… and because Duqu is "related" to Stuxnet.

Q: How is it related?
A: A component of "Duqu" is nearly identical to a component of "Stuxnet" and they appear to have been authored by somebody that has access to common source code.

Q: What else relates "Duqu" and "Stuxnet"?
A: One of the drivers used by "Duqu" claims to be from a Taiwanese hardware company called JMicron. Stuxnet used drivers that were signed by a certificate stolen from JMicron.

Q: How were the certificates stolen?
A: Unknown.

Q: How many were stolen?
A: Known cases, three different hardware vendors from Taiwan: C-Media; JMicron; and Realtek.

Q: Why is "Duqu" connected to Taiwan?
A: Unknown.

Q: Why the quotes? What else is "Duqu"?
A: In a broad sense, Duqu is an "organized action" or a "mission" that has been deployed (or authorized) by a nation state.

Q: What do you mean by an "organized action"?
A: "Duqu" appears to be an espionage or reconnaissance mission of some sort. For example, in the real world, a reconnaissance mission of this sort could be considered what United States Marine Corps Force Reconnaissance (FORECON) teams call a "Green Operation".

Q: So "Duqu" isn't just malicious code?
A: The software component is only one part of what we call Duqu. Think about it like this: there's Duqu software and there's also Operation Duqu.

Q: And "Stuxnet"? What about the Stuxnet worm?
A: The installer used by Operation Stuxnet was an advanced USB worm. The worm used a zero-day Windows vulnerability to facilitate its spread.

Q: Are the missions of Operation Duqu and Operation Stuxnet the same?
A: No. Operation Stuxnet was more of a "Black Operation", a mission that involves direct action, which in Stuxnet's case, was to disrupt operations at an Iranian nuclear power facility.

Q: Stuxnet disrupted operations at a nuclear power plant?
A: Yes. Operation Stuxnet was very complex, and also, subtle. The Stuxnet worm and its additional components needed to travel a sizeable distance geographically. It also needed to infiltrate a closed target which was not connected to the Internet, on autopilot, and without calling home.

Q: So that's why Stuxnet used a USB worm as the installer/infection vector?
A: Yes. Because of the difficult mitigating factors, Stuxnet needed to spread itself without any external resources. And so it was equipped with numerous zero-day exploits. Out of context, Stuxnet's infection capabilities seem to be overkill, but then, its mission appears to have been a success, so those behind Stuxnet probably don't think so.

Q: How does Duqu differ?
A: Duqu is advanced but is not configured to act autonomously. Once the installer infects its target, Duqu calls home to a command and control (C&C) server. There are two servers that are currently known. One was located in India and the other was located in Belgium. The IP addresses are now inactive.

Q: What actions were carried out by the C&C?
A: In one known case, Duqu downloaded an "infostealer" to collect data from the target. That infostealer is actually the component from which Duqu gets its name, because it prepends log files related to stolen data with "DQ".

Q: What else can the C&C do?
A: For example, Duqu could be instructed to spread itself on the target network via shared network resources.

Q: How did Duqu send the collected data to the C&C?
A: It encrypted the data and appended it to JPG images.

Q: What? JPG images? Why?
A: So that somebody monitoring network traffic would only see innocent looking image files instead of confidential materials. See here for more information.
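As an added example (not from the original post), here is the check a defender can run on images leaving the network for the trick described above: a JPEG ends at its EOI marker, so any bytes after that marker are not part of the picture and are worth a second look. The Python below walks the marker segments rather than searching for the two EOI bytes blindly, since the same byte pair can legitimately occur inside a segment payload. The two sample files are constructed (a minimal JFIF header, one scan, and for the second file an appended blob standing in for the encrypted data); how Duqu encrypted and encoded its payload is not modelled here.

```python
SOI = b"\xff\xd8"
EOI = b"\xff\xd9"


def image_end(data):
    """Offset just past the EOI marker of the JPEG image at the start of `data`."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                               # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                               # EOI: the image ends here
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:     # TEM, RSTn, SOI: no payload
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        seglen = int.from_bytes(data[pos + 2:pos + 4], "big")   # includes the 2 length bytes
        pos += 2 + seglen
        if marker == 0xDA:                               # SOS: entropy-coded data follows
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                                # a real marker (EOI or next SOS)
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")


def trailing_data(data):
    """Everything after the image proper; empty for a clean file."""
    return data[image_end(data):]


def inspect(data):
    """Summary a mail or web gateway could log per image."""
    extra = trailing_data(data)
    return {
        "image_bytes": len(data) - len(extra),
        "trailing_bytes": len(extra),
        "suspicious": len(extra) > 0,
    }


# Constructed sample: SOI, a real 16-byte JFIF APP0 segment, a minimal SOS
# header, five bytes of scan data (with one stuffed FF 00), then EOI.
APP0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SOS = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
SCAN = b"\x12\x34\xff\x00\x56"
SAMPLE_CLEAN = SOI + APP0 + SOS + SCAN + EOI

# Constructed stand-in for data appended after the image (32 bytes).
APPENDED_PAYLOAD = b"constructed-appended-ciphertext!"
SAMPLE_STEGO = SAMPLE_CLEAN + APPENDED_PAYLOAD

if __name__ == "__main__":
    print(inspect(SAMPLE_CLEAN))
    print(inspect(SAMPLE_STEGO))
```

Trailing bytes are not proof of anything on their own (some cameras and editors append metadata after EOI), so the useful signal is a long tail of high-entropy data on an image that is small, repeatedly sent to the same destination, or sent by a host that has no business uploading pictures.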

Q: Wow. Does Duqu do anything else sneaky?
A: Yes. After 30 days, unless told otherwise by the C&C, Duqu will delete itself to limit evidence of the breach.

Q: Who is behind Duqu?
A: Unknown.

Q: Speculate: who is behind Duqu? — Question added on November 4th.
A: Based on all the various factors, a nation state.

Q: What were they looking for, and why?
A: Unknown.

Q: What can you definitively tell us about Duqu?
A: The software components of "Operation Duqu" were made by a very skilled team of developers and exploit analysts.

Q: Can you speculate on Duqu's objectives?
A: Whatever it was, it must be very important to the interests of the nation state actor pulling the strings. In this actor's mind, the cost of disclosing a Windows kernel vulnerability is outweighed by the benefits. Only those with privileged information can accurately determine Duqu's true goals, unless and until an identifiable direct action results.

Q: So you think a government agency is behind Duqu?
A: Yes.

Q: Should a government actor use malware such as Duqu?
A: It doesn't appear to be up for a vote.

Q: What about Germany's R2D2 trojan?
A: R2D2 is a trojan written for police surveillance. It did not use zero-day exploits and drivers signed with stolen certificates from legitimate hardware vendors. R2D2 was commissioned by German authorities for normal police work.

Q: But police trojans are not good, right?
A: Right, malware often finds a way of escaping control. It never seems like a good idea to us.

Q: How bad is R2D2?
A: R2D2 appears to have far overreached what is allowed by German law. It has created a legal and political mess in Germany, but not so much of a technical mess. Our system automation determined R2D2 should not be trusted on its own long before human analysts ever took notice of it. The thing that made R2D2 valuable to the police was its limited install base. It was not really innovative in a way that could be co-opted by criminals.

Q: Are Stuxnet/Duqu innovative?
A: Yes, very much so. Once the vulnerability is disclosed, we (and others) will need to devote numerous man-hours creating strong generic detections for this new exploit. Other members of our Labs will need to datamine our file collections for software signed by C-Media in order to rescan them and process the results. Duqu creates technical headaches and the lessons learned will be adopted by criminals at some point.

Q: What about those that say that Duqu isn't related to Stuxnet?
A: Let's compare the similarities between the two operations.

  •  The installer exploits a zero-day Windows kernel vulnerability.
  •  Components are signed with stolen certificates.
  •  The attacks are highly targeted in a way that suggests advanced intelligence.

The technical development team that coded and built the infrastructure for Duqu may differ in part from the team that developed Stuxnet. The highly targeted nature of the attacks suggests a considerable amount of human intelligence work was involved. This intelligence work could have been done by the same or different analysts — but that hardly matters — whatever the composition of the teams involved, the similarities between the operations would suggest a common nation state actor pulling the strings.

Q: Will we ever learn the identity of this nation state?
A: Doesn't seem likely… at least not anytime soon. The consequences of Duqu's wake discourage any sort of disclosure.

Q: Does this nation state actor have other operations in progress?
A: Unknown. But it wouldn't seem very surprising if so.

Q: Final question (for now): Operation Duqu used an e-mail attachment. Isn't that something that everybody should know to be on guard against? Why use such a basic attack methodology?
A: Because it works.


See yesterday's post for links to additional resources.

 
 

 
 
Wednesday, November 2, 2011

 
Duqu Attack's Installer Discovered Posted by Sean @ 12:57 GMT

Hungarian security firm CrySyS Lab has located the installer for Duqu, which is now well known for its connection to the infamous Stuxnet. The installer arrived via e-mail as a document which then launches an exploit against a zero-day Windows kernel vulnerability. Very heavy stuff…

Symantec was given the installer for analysis, and they've updated their whitepaper.

There's quite a bit of additional detail:

Duqu comparisons

Some advice before reading the whitepaper: while Symantec's technical analysis is excellent, you should disregard the speculation as to the attacker's motivations. The first version of Symantec's whitepaper claimed that Duqu was identical to the Stuxnet "worm", but also, totally different (they have different payloads).

The new text is more clear — but some of the original speculation remains.

Better to think of it like this: the "Duqu attacks" use a component that is identical to one used by the "Stuxnet attack". But that does not mean that the attacks are the same. Actually, the attacks are not all that similar. And the "Stuxnet worm" is not the same thing as the "Duqu backdoor".

In fact, you could say that the Duqu attacks are kind of extraordinary ordinary targeted attacks. Which is to say, the targeted attack methodology is very common (an e-mail with attachment), but the tools used by the attack are very advanced (one bad-ass exploit in the attachment…).

Q: So, what were the motives behind the Duqu attacks?
A: You'll have to ask the attackers themselves. Only they know for sure.