Most Recent News from the Lab

Friday, April 24, 2015

Freedome VPN For Mac OS X Posted by Sean @ 12:37 GMT

Take a look at this:

F-Secure Freedome Mac OS X

F-Secure Freedome for OS X (freshly installed on a Labs Mac Team MacBook).


The beta is now open for everyone to try for 60 days at no cost.

Download or share.


Thursday, April 23, 2015

New Threat Report Posted by Sean @ 14:20 GMT

Our latest comprehensive threat report, based on our analysis of H2 2014 data, is now available.

H2 2014 Threat Report At A Glance

Get it and more from:


Wednesday, April 22, 2015

CozyDuke, TLP: White Posted by Sean @ 14:24 GMT


This whitepaper provides an overview of CozyDuke, a set of tools used by one or more malicious actors for performing targeted attacks against high profile organizations, such as governmental organizations and other entities that work closely with these institutions.

The CozyDuke toolset, which we believe has been under active development since at least 2011, consists of tools for infecting targeted hosts, establishing and maintaining backdoor access to the hosts, gathering information from them and gaining further access to other hosts inside the victim organization.

Based on command and control (C&C) server information found being used by CozyDuke tools, we believe the CozyDuke toolset is used by at least one malicious actor who also uses, or at the least shares infrastructure with actors using the known threats, MiniDuke and OnionDuke.

Download CozyDuke White Paper

Research by @lehtior2


Janicab Hides Behind Undocumented LNK Functionality Posted by FSLabs @ 11:12 GMT

Two years ago, we found malware called Janicab. It targets both Mac and Windows, using Python and VBS scripts respectively.

For Windows, this malware was delivered via a document that exploited CVE-2012-0158. In addition, from sometime in 2013 until recently, we have also seen it delivered as a Microsoft Shell Link (.lnk) file that drops an embedded encoded VBScript.

There are several tricks the dropper uses for obfuscating its purpose:

- Filename with double extension (Example: .jpg.lnk or .doc.lnk)
- Using the icon of notepad.exe (instead of the default, cmd.exe)
- Possibly sensitive data zeroed out, for example, machine identifier and relative path

But the most interesting part is the use of an undocumented method for hiding the command line argument string from Windows Explorer. Typically, when the user right-clicks the shortcut icon and opens its properties, the target and its arguments are shown in Windows Explorer as a single string. In this case, however, the command line argument is not visible at all.

[Image: Fotomama shortcut properties screenshot]

Within the LNK, there is a hidden command line argument which consists of a series of shell commands glued together with an &-operator.

[Image: Fotomama LNK contents]

Here is the list of commands that does the dropping and execution of the malicious VBE:

[Image: command list]

The malware script is encoded using the Microsoft Script Encoder, and is embedded at the end of the LNK file.
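The practical lesson of the LNK trick is that the Properties dialog is not a parser: to see what a shortcut really runs you read the MS-SHLLINK structures yourself, and anything left after the last ExtraData block is appended payload. The following is an added example (not code from the post or from F-Secure) that walks the header, StringData and ExtraData of a .lnk, returns the CommandLineArguments field and the trailing bytes, and flags the indicators the post lists. The sample shortcut is constructed in the block; its arguments and the fake encoded blob are placeholders, not Janicab's real commands.

```python
"""Parse a .lnk directly (MS-SHLLINK layout) instead of trusting Explorer's
Properties dialog, and flag Janicab-style indicators: a command line glued
together with '&', a notepad.exe icon on a different target, and a Microsoft
Script Encoder blob appended after the TerminalBlock.
Added example; the sample .lnk below is constructed, not a real Janicab file."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits, MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData fields appear in exactly this order when their flag is set
STRING_DATA_ORDER = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                     ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                     ("icon_location", HAS_ICON_LOCATION))

SCRIPT_ENCODER_MAGIC = b"#@~^"  # leading bytes of Microsoft Script Encoder (.vbe/.jse) output


def parse_lnk(data: bytes) -> dict:
    """Walk header -> IDList -> LinkInfo -> StringData -> ExtraData.
    Returns the StringData fields plus 'trailing': bytes after the TerminalBlock."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize covers the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for key, bit in STRING_DATA_ORDER:             # CountCharacters (2 bytes) + chars, no terminator
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            fields[key] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[key] = data[off:off + count].decode("latin-1")
            off += count
    while off + 4 <= len(data):                    # ExtraData blocks until TerminalBlock (size < 4)
        size = struct.unpack_from("<I", data, off)[0]
        if size < 4:
            off += 4
            break
        off += size
    fields["trailing"] = data[off:]
    return fields


def lnk_indicators(filename: str, info: dict) -> list:
    """Red flags the post describes; an empty list means none were seen."""
    found = []
    if filename.lower().endswith(".lnk") and filename.count(".") >= 2:
        found.append("double extension")
    icon = info.get("icon_location", "").lower()
    target = info.get("relative_path", "").lower()   # zeroed in the real sample, so "" also counts
    if icon.endswith("notepad.exe") and not target.endswith("notepad.exe"):
        found.append("notepad.exe icon on a non-notepad target")
    if "&" in info.get("arguments", ""):
        found.append("chained shell commands in arguments")
    if info["trailing"].startswith(SCRIPT_ENCODER_MAGIC):
        found.append("Script Encoder payload appended after ExtraData")
    return found


def build_lnk(arguments=None, icon_location=r"%windir%\system32\notepad.exe",
              relative_path=r"..\..\Windows\System32\cmd.exe", trailing=b"") -> bytes:
    """Constructed minimal .lnk (no IDList, no LinkInfo) used only for testing."""
    flags = HAS_RELATIVE_PATH | HAS_ICON_LOCATION | IS_UNICODE
    if arguments is not None:
        flags |= HAS_ARGUMENTS
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII", flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = s(relative_path) + (s(arguments) if arguments is not None else b"") + s(icon_location)
    return header + body + struct.pack("<I", 0) + trailing


if __name__ == "__main__":
    # placeholder command line and a fake encoded blob, both constructed here
    sample = build_lnk("/c echo stage1 & echo stage2",
                       trailing=b"#@~^ABCDEF==constructed-placeholder==^#~@")
    info = parse_lnk(sample)
    print("arguments:", info["arguments"])
    print("trailing :", info["trailing"][:16])
    print("flags    :", lnk_indicators("photo.jpg.lnk", info))
```

The parser deliberately ignores the LinkTargetIDList and LinkInfo contents and only skips them by size; for triage that is enough to reach the arguments and the appended payload, and it is exactly the view the Properties dialog does not give you.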

The script drops decoy files such as these upon execution:

[Image: mama decoy file]

[Image: document decoy file]

Like the previous variants, Janicab still uses third-party web services such as YouTube to locate its C&C.

[Image: YouTube comments]

[Image: Blogspot post]

[Image: Google+ post]

It used to be that the actual C&C IPs were posted in plain sight on YouTube. But as seen above, the malware authors have now attempted to obscure the C&C. The recent variant extracts a number from the comments using the pattern "our (.*)th psy anniversary".

The actual IP is obtained by dividing the number found in the web service and converting the result into a dotted-decimal address.

[Image: IP conversion]
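The recovery step is a small dead-drop resolver: find the comment that matches the anniversary pattern, divide the number, and reinterpret the quotient as a 32-bit IPv4 address. The block below is an added example (not Janicab's code and not from the post); the divisor used by the real sample appears only in the screenshot, so DIVISOR here is an assumed placeholder, and the comments are constructed.

```python
"""Recover a C&C IPv4 address hidden as a number in third-party web content,
following the post's description: match 'our (.*)th psy anniversary', divide
the captured number, and convert the quotient to dotted decimal.
Added example; DIVISOR is an assumption and the comments are constructed."""
import ipaddress
import re

ANNIVERSARY_RE = re.compile(r"our (.*)th psy anniversary")  # pattern quoted in the post
DIVISOR = 7  # assumed for this example; the real sample's divisor is not given in the text

# constructed comment feed, including noise and a number that does not divide cleanly
SAMPLE_COMMENTS = [
    "best song ever",
    "happy to celebrate our 22625650439th psy anniversary!!",
    "our 10th psy anniversary",
    "so proud of our 1174405155th psy anniversary",
]


def extract_numbers(comments):
    """Numbers captured by the anniversary pattern, in comment order."""
    numbers = []
    for text in comments:
        match = ANNIVERSARY_RE.search(text)
        if match and match.group(1).strip().isdigit():
            numbers.append(int(match.group(1).strip()))
    return numbers


def decode_c2(number, divisor=DIVISOR):
    """Dotted-decimal address, or None if the number is not an exact 32-bit multiple."""
    if divisor <= 0 or number % divisor:
        return None
    value = number // divisor
    if not 0 <= value <= 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))


def c2_from_comments(comments, divisor=DIVISOR):
    """All addresses that decode cleanly from a comment feed."""
    return [ip for ip in (decode_c2(n, divisor) for n in extract_numbers(comments)) if ip]


if __name__ == "__main__":
    print(c2_from_comments(SAMPLE_COMMENTS))
```

Rejecting numbers that do not divide exactly or exceed 32 bits matters in practice: comment sections are noisy, and a resolver that accepts every match will happily hand you garbage addresses.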

Another change found in this variant is the dropping of a copy of snapIt.exe into %UserProfile%\SystemFolder. This application is used by Janicab to capture screenshots, which are saved as ~PF214C.tmp.

It also now checks for signs of being run in a virtual machine such as VirtualBox, Parallels or VMware, and checks whether it is running on an analysis machine by looking for the following running processes:

[Image: monitored process list]

Here is the list of C&Cs we've seen so far for this variant:

With the following C&C communication formats:
[C&C]/Status2.php - Check C&C status
[C&C]/a.php?id=[SerialIDfromCnC]&v=[malware_version]&av=[InstalledAV] - Inform that cookies and decoy have been deleted
[C&C]/gid.php?action=add&cn=[ComputerName]&un=[UserName]&v=[malware_version]&av=[InstalledAV]&an=[notifyName] - Get Serial ID
[C&C]/rit.php?cn=[ComputerName]&un=[UserName]&an=[notifyName]&id=[SerialIDfromCnC]&r=[VMorRunningProcessName] - Inform running analysis process or sandbox environment
[C&C]/sm.php?data=[InstalledAV] - Obtain startup mechanism
[C&C]/c.php?id=[SerialIDfromCnC] - Get commands
[C&C]/rs.php - Send screenshot
[C&C]/rk.php - Send data
[C&C]/d.php?f=[Base64EncodedData] - Download file
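The URL formats above are the most durable detection material in the post, since the paths and parameter names survive a change of C&C host. The block below is an added example (not from the post or from F-Secure) that matches proxy log lines against those formats; the log lines are constructed, and the host in them is a documentation address, not a real C&C.

```python
"""Flag web-proxy log lines whose URL matches a Janicab C&C endpoint from the
post's list.  Added example; the log lines are constructed and 203.0.113.10
is a documentation address standing in for a C&C host."""
import re
from urllib.parse import parse_qs, urlsplit

# endpoint file name -> query parameters the post lists for it
JANICAB_ENDPOINTS = {
    "/status2.php": set(),
    "/a.php": {"id", "v", "av"},
    "/gid.php": {"action", "cn", "un", "v", "av", "an"},
    "/rit.php": {"cn", "un", "an", "id", "r"},
    "/sm.php": {"data"},
    "/c.php": {"id"},
    "/rs.php": set(),
    "/rk.php": set(),
    "/d.php": {"f"},
}

# constructed "timestamp client method url status" format for the example
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})")

SAMPLE_LOG = [
    "2015-04-21T10:00:01Z 10.1.2.3 GET http://203.0.113.10/Status2.php 200",
    "2015-04-21T10:00:02Z 10.1.2.3 GET http://203.0.113.10/gid.php?action=add&cn=WS01&un=alice&v=2&av=none&an=x 200",
    "2015-04-21T10:00:03Z 10.1.2.3 GET http://203.0.113.10/c.php?id=1234 200",
    "2015-04-21T10:00:04Z 10.1.2.4 GET http://www.example.com/c.php?page=2 200",
    "2015-04-21T10:00:05Z 10.1.2.3 POST http://203.0.113.10/rs.php 200",
]


def classify_url(url: str):
    """Matched endpoint key, or None. Path file name and required parameters must both fit."""
    parts = urlsplit(url)
    key = "/" + parts.path.lower().rsplit("/", 1)[-1]
    required = JANICAB_ENDPOINTS.get(key)
    if required is None:
        return None
    present = set(parse_qs(parts.query, keep_blank_values=True))
    return key if required <= present else None


def scan_log(lines):
    """(client, host, endpoint) for every line that matches a C&C format."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        key = classify_url(match.group(4))
        if key:
            hits.append((match.group(2), urlsplit(match.group(4)).hostname, key))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Short names like c.php or d.php are not unique to this family, so in production these matches should be combined with the host list (or with the sequence Status2.php, gid.php, c.php from one client within minutes) before raising an alert.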

The samples are detected as Trojan-Dropper:W32/Janicab.A.

SHA1 Hashes:

Post by — Jarkko and Karmina


Friday, April 17, 2015

Moving Around Posted by Sean @ 14:35 GMT

We're reorganizing numerous teams here at F-Secure Labs, and that means moving people around between the second and third floors in our Helsinki HQ.

Moving requires moving boxes and this is what the "Platforms" team did with them:

Great Wall of Sofa

Lab Dancing Inside

By the way — we're also expanding. There are several software engineering positions available on our APT team. No box building experience required.

Job openings


Friday, April 10, 2015

Video: Terrorist Groups in the Online World Posted by Sean @ 11:01 GMT

Given recent events, this presentation by Mikko about the possibility of terrorist groups doing online attacks seems timely.

YouTube: Terrorist Groups in the Online World

Protip: don't make yourself an easy target by broadcasting your passwords:

David Delos


Thursday, April 2, 2015

Remote Code Execution Possible Via Dell System Detect Posted by FSLabs @ 12:53 GMT

Journalist John Leyden recently contacted us for our opinion on vulnerability research by Tom Forbes. The focus of Forbes' research was Dell's "System Detect" utility and a flaw that allows for remote code execution. Forbes reported his findings last November and Dell mitigated the issue in January (and also again last week).

But a significant problem remains from our point of view.

Older versions of the software don't update themselves, and there remain a lot of vulnerable computers out there. Over time, our customers have scanned various versions of System Detect many hundreds of thousands of times. It's very prevalent software. From our customer base statistics for the last two weeks alone, we can see that approximately 100,000 customers have queried reputation checks on System Detect. Only about one percent of those customers are now running the latest version (6.0.14, represented by red in the chart below).

Dell System Detect, F-Secure customer install-base

Older versions of System Detect create a run key in the registry that starts the service automatically. So vulnerable versions run persistently even though it's only needed when visiting Dell's support site. The latest version — 6.0.14 — doesn't create a run key.

Exploiting older versions of System Detect is very easy. It only requires that the target visits a URL with some variation of "dell" in its domain. Exactly where in the URL varies depending on the version of the software.

We used Forbes' research and our own black-box testing to run three versions of System Detect, observing network traffic and replaying the same traffic with small modifications. We confirmed that the older versions can be used to launch calc.exe on a targeted machine (i.e., remote code execution).

Dell System Detect

For the version, the domain part of the Referer header's URL needs to contain "" but it also accepts "", so it's highly vulnerable.

Version 6.0.9 was released after Forbes reported the issue to Dell. It requires that the domain contains ".dell.". This means it also accepts "", so it's also just as vulnerable to a web-based attack.

The current version, 6.0.14, requires that the domain is "*" which more or less addresses the problem, especially when combined with the lack of autostart. If you need to have a version installed, it should be this one.
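The three checks describe a textbook progression from substring matching to a real domain match, and it is worth seeing why the first two fail. The block below is an added example, not Dell's code; the post elides the exact strings, so TRUSTED_DOMAIN = "dell.com" is an assumption used only to contrast "contains" and "contains with dots" against a label-aligned suffix match.

```python
"""Referer-domain checks in the three shapes the post describes, side by side:
substring, dotted substring, and an exact-or-subdomain match.
Added example, not Dell's implementation; TRUSTED_DOMAIN is assumed."""
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "dell.com"  # assumption for illustration; the post does not give the real string

# constructed Referer values an attacker page could produce, plus two legitimate ones
SAMPLE_REFERERS = [
    "https://www.dell.com/support/",
    "https://dell.com/",
    "http://dell.attacker.example/",
    "http://www.dell.attacker.example/",
    "http://notdell.com/",
    "http://dell.com.attacker.example/",
]


def host_of(referer: str) -> str:
    return (urlsplit(referer).hostname or "").lower()


def check_substring(referer: str) -> bool:
    """Old behaviour: any host that merely contains the brand name passes."""
    return "dell" in host_of(referer)


def check_dotted_substring(referer: str) -> bool:
    """6.0.9 behaviour: requires the name as a dotted label, still attacker-controllable."""
    return ".dell." in host_of(referer)


def check_suffix(referer: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """Host must be the trusted domain itself or a label-aligned subdomain of it."""
    host = host_of(referer)
    return host == trusted or host.endswith("." + trusted)


def evaluate(referers):
    """(host, substring, dotted, suffix) for each Referer, for a quick comparison table."""
    return [(host_of(r), check_substring(r), check_dotted_substring(r), check_suffix(r))
            for r in referers]


if __name__ == "__main__":
    for row in evaluate(SAMPLE_REFERERS):
        print("%-32s substring=%-5s dotted=%-5s suffix=%s" % row)
```

Even the correct form only gates on a header that browsers set on the user's behalf; a non-browser client can send any Referer it likes, which is why removing the autostart key does more for the attack surface than the string comparison does.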

Older versions should definitely be uninstalled as soon as possible.

Here's an HTTPS enabled download link.

We are continuing to investigate further issues and actions that may be necessary to protect our customers.


Thursday, March 19, 2015

Our VPN Service Takes Your Privacy Seriously Posted by Sean @ 15:26 GMT

TorrentFreak recently asked "leading [VPN] providers about their logging practices and other privacy sensitive policies."

TorrentFreak Questions

Questions such as:

1 — Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?

2 — Under what jurisdiction(s) does your company operate?

3 — What tools are used to monitor and mitigate abuse of your service?

The folks responsible for our Freedome VPN answered:

TorrentFreak Answers

Read all the questions/answers at TorrentFreak and/or our Safe and Savvy blog.