Most Recent News from the Lab
 

Friday, April 24, 2015

 
Freedome VPN For Mac OS X Posted by Sean @ 12:37 GMT

Take a look at this:

F-Secure Freedome Mac OS X

F-Secure Freedome for OS X (freshly installed on a Labs Mac Team MacBook).

Mac_Team_Test_Machines

The beta is now open for everyone to try for 60 days at no cost.

Download or share.

 
 

 
 
Thursday, April 23, 2015

 
New Threat Report Posted by Sean @ 14:20 GMT

Our latest comprehensive threat report, based on our analysis of H2 2014 data, is now available.

H2 2014 Threat Report At A Glance

Get it and more from: f-secure.com/labs

 
 

 
 
Wednesday, April 22, 2015

 
CozyDuke, TLP: White Posted by Sean @ 14:24 GMT

CozyDuke

This whitepaper provides an overview of CozyDuke, a set of tools used by one or more malicious actors for performing targeted attacks against high profile organizations, such as governmental organizations and other entities that work closely with these institutions.

The CozyDuke toolset, which we believe has been under active development since at least 2011, consists of tools for infecting targeted hosts, establishing and maintaining backdoor access to the hosts, gathering information from them and gaining further access to other hosts inside the victim organization.

Based on command and control (C&C) server information found being used by CozyDuke tools, we believe the CozyDuke toolset is used by at least one malicious actor who also uses, or at the least shares infrastructure with actors using the known threats, MiniDuke and OnionDuke.

Download CozyDuke White Paper

Research by @lehtior2







 
 

 
 
Janicab Hides Behind Undocumented LNK Functionality Posted by FSLabs @ 11:12 GMT

Two years ago, we found a malware called Janicab. It targets both Mac and Windows OSes using Python and VBS scripts, respectively.

For Windows OS, this malware was delivered via a document that exploited CVE-2012-0158. In addition, we've also seen it delivered in a form of a Microsoft Shell Link (.lnk) file that drops an embedded encoded VBScript, sometime from 2013 until recently.

There are several tricks the dropper uses for obfuscating its purpose:

- Filename with double extension (Example: .jpg.lnk or .doc.lnk)
- Using the icon of notepad.exe (instead of the default, cmd.exe)
- Possibly sensitive data zeroed out, for example, machine identifier and relative path

But the most interesting part is the use of an undocumented method for hiding the command line argument string from Windows explorer. Typically, the target and its arguments are visible in Windows explorer as a single string in the shortcut properties, when the user right-clicks on the shortcut icon. However, the command line argument is not visible in this scenario.

1_Fotomama_screenshot (34k image)

Within the LNK, there is a hidden command line argument which consists of a series of shell commands glued together with an &-operator.

2_Fotomama_lnk (52k image)

Here's the list of the commands that essentially does the dropping and execution of the malicious VBE:

3_commands (34k image)

The malware script is encoded using the Microsoft Script Encoder, and is embedded at the end of the LNK file.

The script drops decoy files such as these upon execution:

4_mama (68k image)

5_doc (555k image)

Like the previous variants, Janicab still uses third-party web services such as Youtube for getting its C&C.

6_youtubecomments (30k image)

7_blogspot (8k image)

8_googleplus (14k image)

It used to be that the actual C&C IPs were shown in Youtube. But as seen above, the malware authors have attempted to obscure the C&C. The recent variant gathers the number in the comments using the format "our (.*)th psy anniversary".

The actual IP is obtained by dividing and converting the numbers found in the web services.

9_ipconv (54k image)

Another change found in this variant is the dropping of a copy of snapIt.exe in %UserProfile$\SystemFolder. This application is used by Janicab to capture screenshots and save them as ~PF214C.tmp.

It also now checks for signs of being run in virtual machines such as VirtualBox, Parallels and VMWare. As well as, checks if it's running in an analysis machine by looking at these running processes.

10_processes (77k image)

Here is the list of C&Cs we've seen so far for this variant:
87.121.52.69
87.121.52.62
94.156.77.182
95.211.168.10

With the following C&C communication formats:
[C&C]/Status2.php - Check C&C status
[C&C]/a.php?id=[SerialIDfromCnC]&v=[malware_version]&av=[InstalledAV] - Inform that cookies and decoy have been deleted
[C&C]/gid.php?action=add&cn=[ComputerName]&un=[UserName]&v=[malware_version]&av=[InstalledAV]&an=[notifyName] - Get Serial ID
[C&C]/rit.php?cn=[ComputerName]&un=[UserName]&an=[notifyName]&id=[SerialIDfromCnC]&r=[VMorRunningProcessName] - Inform running analysis process or sandbox environment
[C&C]/sm.php?data=[InstalledAV] - Obtain startup mechanism
[C&C]/c.php?id=[SerialIDfromCnC] - Get commands
[C&C]/rs.php - Send screenshot
[C&C]/rk.php - Send data
[C&C]/d.php?f=[Base64EncodedData] - Download file

The samples are detected as Trojan-Dropper:W32/Janicab.A.

SHA1 Hashes:
4bcb488a5911c136a2c88835aa06c01dceadbd93
41688ef447f832aa13fad2528c3f98f469014d13



Post by — Jarkko and Karmina

 
 

 
 
Friday, April 17, 2015

 
Moving Around Posted by Sean @ 14:35 GMT

We're reorganizing numerous teams here at F-Secure Labs, and that means moving people around between the second and third floors in our Helsinki HQ.

Moving requires moving boxes and this is what the "Platforms" team did with them:

Great Wall of Sofa

Lab Dancing Inside

By the way — we're also expanding. There are several software engineering positions available on our APT team. No box building experience required.

Job openings

 
 

 
 
Friday, April 10, 2015

 
Video: Terrorist Groups in the Online World Posted by Sean @ 11:01 GMT

Given recent events, this presentation by Mikko about the possibility of terrorist groups doing online attacks seems timely.


YouTube: Terrorist Groups in the Online World

Protip: don't make yourself an easy target by broadcasting your passwords:

David Delos

 
 

 
 
Thursday, April 2, 2015

 
Remote Code Execution Possible Via Dell System Detect Posted by FSLabs @ 12:53 GMT

Journalist John Leyden recently contacted us for our opinion on vulnerability research by Tom Forbes. The focus of Forbes' research was Dell's "System Detect" utility and a flaw that allows for remote code execution. Forbes reported his findings last November and Dell mitigated the issue in January (and also again last week).

But a significant problem remains from our point of view.

Older versions of the software don't update themselves and there remains a lot of vulnerable computers out there. Over time, our customers have scanned various versions of System Detect many hundreds of thousands of times. It's very prevalent software. From just our customer base statistics within the last two weeks, we can see approximately 100,000 customers queried reputation checks on System Detect. Only about one percent of our customers are now running the latest version (6.0.14, represented by red in the chart below).

Dell System Detect, F-Secure customer install-base

Older versions of System Detect create a run key in the registry that starts the service automatically. So vulnerable versions run persistently even though it's only needed when visiting Dell's support site. The latest version — 6.0.14 — doesn't create a run key.

Exploiting older versions of System Detect is very easy. It only requires that the target visits a URL with some variation of "dell" in its domain. Exactly where in the URL varies depending on the version of the software.

We used Forbe's research and our own black-box testing to run three versions of System Detect, observing network traffic and replaying the same traffic with small modifications. We confirmed the older versions can be used to launch calc.exe from a targeted machine (i.e., Remote Code Execution).

Dell System Detect 5.4.0.4

For the 5.4.0.4 version, the domain part of the referer-field's URL needs to contain "dell.com" but it accepts also "www.notreallydell.com", so it's highly vulnerable.

notreallydell.com

Version 6.0.9 was released after Forbes reported the issue to Dell. It requires that the domain contains ".dell.". This means it also accepts "a.dell.fakesite.ownedbythebadguys.com", so it's also just as vulnerable to a web-based attack.

The current version, 6.0.14, requires that the domain is "*.dell.com" which more or less addresses the problem, especially when combined with the lack of autostart. If you need to have a version installed, it should be this one.

Older versions should definitely be uninstalled as soon as possible.

support.dell.com

Here's an HTTPS enabled download link.

We are continuing to investigate further issues and actions that may be necessary to protect our customers.

 
 

 
 
Thursday, March 19, 2015

 
Our VPN Service Takes Your Privacy Seriously Posted by Sean @ 15:26 GMT

TorrentFreak recently asked "leading [VPN] providers about their logging practices and other privacy sensitive policies."

TorrentFreak Questions

Questions such as:

1 — Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?

2 — Under what jurisdiction(s) does your company operate?

3 — What tools are used to monitor and mitigate abuse of your service?

The folks responsible for our Freedome VPN answered:

TorrentFreak Answers

Read all the questions/answers at TorrentFreak and/or our Safe and Savvy blog.