NEWS FROM THE LAB - February 2014


Friday, February 28, 2014

TrustyCon Video Posted by Sean @ 12:48 GMT

TrustyCon, the first "Trustworthy Technology Conference" was held yesterday in San Francisco. And Google/YouTube volunteered a camera crew. Nice! The full event can be viewed here:

Mikko's presentation begins at 15 minutes and 45 seconds.

Other speakers: Alex Stamos, Cindy Cohn, Marcia Hofmann, Christopher Soghoian, Joseph Menn, Bruce Schneier, Garrett Robinson, Yan Zhu, Chris Palmer, Dan Boneh, Steve Weis, Jeff Moss, and Ed Felten.

TrustyCon's agenda has all the details.

And Eventifier has a great collection of related Tweets and photos.


Wednesday, February 26, 2014

Questions I'd Ask RSA's Coviello Posted by Sean @ 13:18 GMT

RSA's Executive Chairman, Arthur W. Coviello, gave his RSA Conference 2014 keynote on February 25th.

We're at a crossroads, he said.

Arthur W. Coviello, RSA Conference

And he called upon the nations of the world to adopt the following principles:

— 1) To renounce the use of "cyber weapons" and the use of the Internet for waging war.

— 2) To cooperate internationally in the investigation, apprehension, and prosecution of cybercriminals.

— 3) To ensure that economic activity on the Internet can proceed unfettered and that intellectual property rights are respected around the world.

— 4) To respect and ensure the privacy of all individuals.

My questions for Coviello:

1) Trendy term. Renouncing "cyber weapons" is easy lip service. My take: Cyberwar Is Mostly Bunk. I suggest that Coviello should avoid hype terms, like the US Army does, and develop a more nuanced and informed opinion.

Can Coviello provide a working definition of "cyber weapons" so that we may all renounce them?

2) That's difficult to argue with. Unless… what's Coviello's definition of a "cybercriminal"? Aaron Swartz? I would like to know Coviello views on Computer Fraud And Abuse Act reform.

3) I didn't realize the Internet's primary purpose was to allow "unfettered" economic activity. Hmm… not sure what to make of this. Seems an awful lot like he is demanding that the world respect —American— intellectual property rights.

Does Coviello support copyright reform?

4) No question here. Coviello should have led with this.



Thanks in advance to anybody attending #RSAC who manages to get a straight answer from Mr. Coviello on any of these questions.



Tuesday, February 25, 2014

CryptoLocker Decryption Service Posted by Sean @ 18:26 GMT

Bitcoin markets have been experiencing significant ups and downs recently… so we thought we'd check on the current rate at the CryptoLocker Decryption Service. A specific keyword search located (a non-Tor) CDS at — hosted in Moscow.

We uploaded a CryptoLocker encrypted file from November.


And when our key pair was found? The asking price was 4 BTC — the same as November.

Only the value of Bitcoin has fluctuated quite a bit since then. At today's price, 4 BTC is worth about 2,000 USD, one thousand dollars cheaper than the last time we wrote about CDS.

A bargain?


Friday, February 21, 2014

Obligatory "Hacker in a Hoodie" Photo Posted by FSecureLabs @ 13:47 GMT

As you may already know (Poika on the Town), our Client Security was recently awarded AV-TEST's Best Protection 2013.

2014 marks the third consecutive year we've won an AV-TEST Best Protection Award and we've decided to celebrate with a party for the fellows (as we call ourselves) involved in the effort.

We got some gear for the party, including hoodies:

Karmina in a hoodie. Karmina and Sarogini

Did you notice there's something different about our logo on the hoodie? Here's what it looks like up close:

ASCII version of logo.
(Click image for code.)

You'll notice the logo is made up of valid JavaScript code, so you can also [run the code]!

Oh, we got some drinks coasters and stickers, too.

This merchandise is super-popular around the office. Thanks to Eero Kurimo from Security Research for the awesome design!

And also to Milla (for the budget).

Post by — Andy and Eero


Thursday, February 20, 2014

Android Malware Charges For Flash Player Posted by Sean @ 15:28 GMT

Fake (malicious) Flash Player apps for Android are nothing new. It's very typical bait.

But recently, we came across a "Flash Installer" whose audacity is off the scale.

The so-called installers are dropped by other Android malware and look like this:

So-called Flash Player installers
(SHA1: 1398b8369e16a632dae67f3382bc7bcea748749a)

When the app is opened, the user is prompted to pay five bucks!

Instant Download PayPal

And what do you get if you pay? A download link for Adobe Flash Player at! That's right. Pay five bucks and you'll receive a download link to the authentic source.

Biggest. Ripoff. Ever.

You can also pay for download links to a YouTube MP3 downloader and Flappy Bird.

Flash, YouTube, Flappy Bird

Caveat emptor.


Analysis provided by — Marko


Wednesday, February 19, 2014

The End is Nigh Posted by Sean @ 09:36 GMT

It's coming…

Countdown Clocks


Tuesday, February 18, 2014

Hacker (for Facebook) on Google Play Posted by Sean @ 17:35 GMT

We were recently asked about the numerous "Facebook password hacker" apps available on Google Play. We decided to take a look at one called "Hacker (for Facebook)".

Hacker (for Facebook)

It's a liar right out of the gate: "In order to work properly, you should rate the app with 5 stars!"

Hacker (for Facebook) Hacker (for Facebook)

Rate an app to work properly? Bollocks.

And here's an example of an advertisement which is shown:

Hacker (for Facebook) Hacker (for Facebook)

Fake AV scams. Nice.

So, would you trust this app when prompted to login to Facebook?

Hacker (for Facebook)

Here's the app's description:

"Hacker (for Facebook ; previously Facebook Hacker) is the ideal app that automatically is gaining access to any Facebook user account and his data. If you want to hack the password of some user this is an ideal app for you. In a simple way by just entering the victim's username or email our system will crack the password and show it to you. This application uses very sophisticated and advanced algorithm to get the data from the users account and there is no possibility for mistake."

The features:

  •  Facebook password hacking
  •  Very intuitive interface
  •  Easy and simple to run

And the disclaimer:

"This is only a prank app. Any not allowed hacking of a Facebook account with a real app would be illegal."

Ah. It's a prank. Adding a disclaimer makes it all okay (on Google Play at least). Lying about the need for a 5 star rating and fraudulent ads? Sure, why not, it's just a "prank" app.

Google Play Apps is the new Zango.


Friday, February 14, 2014

Taking Poika Out on the Town: 2014 Posted by Sean @ 17:51 GMT

Our F-Secure Client Security recently received the AV-TEST Award for Best Protection 2013.

And, as the tradition goes, we took our "poika" for a tour of the town.

Poika's from the past

  •  Best Protection 2012
  •  Best Protection 2011
  •  AV-Comparatives Product of the Year 2010

Numerous companies are tested — dedication is required to run at the front of the pack.

Congratulations team!

Poika at HQ

Poika outside the Helsinki Cathedral

Poika on the rocks…

Poika with Veli-Jussi Kesti, Director of Security Products


Photos by Paolo Palumbo


Tuesday, February 11, 2014

Flappy Bird SID PSA Posted by Sean @ 13:12 GMT

The delightfully strange phenomenon known as "Flappy Bird" has been removed from app stores by its creator, Dong Nguyen.

But removal from Google Play is no obstacle for some dedicated Android fans. At the moment, a search for "flappy bird apk" will yield multiple links to legitimate copies of the app.

Flappy Bird

And while that's all well and good at present… we fully expect counterfeit copies with unwanted spyware to enter the mix before long.

So as a public service, in the spirit of Safer Internet Day, we offer you the following information.

Flappy Bird v1.3 SHA1: 9f472383aa7335af4e963635d496d606cea56622
First seen by our back end systems: 2014-01-31 02:05:50

Except no substitutes! — Or better yet, stick to reputable app stores and don't download APKs from the Web.


Monday, February 10, 2014

App Permissions 1.7.0 Posted by Sean @ 17:38 GMT

Released today: version 1.7.0 of our very popular F-Secure App Permissions (for Android).

F-Secure App Permissions 1.7.0

What's new? UI improvements, shareable screenshots, small bug fixes, additional languages.

Still requires ZERO permissions of its own.


Friday, February 7, 2014

Malware and Winter Olympics Posted by Mikko @ 13:52 GMT

Whenever there's a global sporting event, we get questions about the "cyber" angle. Could an event like The Olympics be targeted by malware outbreaks, or maybe DDoS attacks?

And while there are some real security concerns, most coverage of cyber attacks during Olympics end up to be incorrectly reported or just hype.

This is not a new phenomenon. Let us reprint an article from 20 years ago. The below analysis was first published in the March 1994 edition of the Virus Bulletin magazine. Enjoy!


Olympic Games
Virus Bulletin, March 1994
Analysis by Mikko Hypponen

A new virus, known as Olympic (aka Olympic Aids), has
featured prominently on the television, on the radio, and in
the newspapers of Northern Europe since the beginning of
February. Its newsworthy factors are its Olympic-theme
activation routine, and suspicions that it had infected the
computer systems of the Lillehammer 1994 Winter Olympics.
Fortunately this was not the case.

Despite being reported in the wild in Norway, Olympic is
not of Norwegian origin: it is made in Sweden by a new
virus group which calls itself ‘Immortal Riot’.

Into the Underground

Swedish soil seems to provide particularly fertile ground for
raising virus groups: clans like Beta Boys, Demoralized
Youth, and the Funky Pack of Cyber Punks have been active
in Sweden in the past. The latest group of virus writers,
Immortal Riot, seems to consist of four members, known
only by their aliases, or ‘handles’. So far, the group has
published and distributed about thirty viruses, most of which
are new variants of existing strains. The viruses thus far seen
are not examples of technical brilliance; quite the opposite.
Most simply crash the computer, or manifest their presence
in some other obvious way.

Immortal Riot also publishes an electronic magazine, 'Insane
Reality', containing articles by the group members and their
associates, source codes of viruses, and back-patting and
back-stabbing of other members of the virus community. The
group seems to be little more than an ego trip for this gang of
teenagers - it seems to be ‘cool’ to be a virus writer.


Virus Operation

Olympic is a fairly typical COM file infector, which does not
remain in memory, and spreads only when an infected file is
executed. Its method of searching for files for infection is not
very efficient. Once a number of files on the hard disk have
been infected, it may take half a minute to find a new victim:
such a slowdown is likely to make the virus easier to spot.

When it finds a suitable candidate for infection, the virus
first checks the size of that file to ensure that the infected
code will be greater than 64 Kbytes, the largest permissible
size for a COM file. The first bytes of the file are checked for
a jump construct which the virus is about to insert. If found,
the virus considers the file already infected and starts to
search for another victim. This process is repeated until five
files are infected.

The virus does not check the internal structure of the host file
when it infects. Thus, EXE files with a COM extension will
be infected by the virus. When such a corrupted file is
executed, the virus will infects other files on the machine,
but is unable to return control to the original program. In
most cases, the machine will crash.

The infection process consists of storing the original first
three bytes of the file at the file end, replacing them with a
jump to a setup routine, which the virus adds to the end of
the file. An encrypted version of the virus code is appended
to the end of the file, and, finally, the virus adds a short
plain-text note and the decryption routine.

Olympic uses a single pseudo-random variable key based on
infection time to encrypt its code. The routine uses either the
SI or DI register as work-registers in the decryption loop,
alternating between infections. Thus, there are only 25
constant bytes between different virus generations. These are
located in two different parts of the virus. The encryption
method is not truly polymorphic, and is unlikely to cause
problems for anti-virus vendors.

Olympic can infect files which have the DOS Read-Only
attribute turned on, and will also restore the date and time
stamps of infected files. However, files grow in size by 1440
bytes, which is visible in the directory listing. The virus has
no directory-stealth routines, as it does not stay resident.

Olympian Trigger

The virus was programmed to trigger on the day after the
start of the 1994 Winter Olympics (12 February), and has a
one-in-ten chance of activating after this date. ‘Dice
throwing’ is done by checking whether the system timer’s
hundredth-of-seconds field is below 10. The virus does not
check the current year. If the trigger conditions are not met,
the virus returns control to the host file.

On activation, the virus draws the Olympic circles on the
screen, displaying comments on the Games and its mascots,
Haakon and Kristin. Next, it overwrites the first 256 sectors
of the first hard disk in the system. To ensure destruction, the
virus disables Ctrl-C and Ctrl-Break checking during the
destruction routine. Finally, the machine hangs.


Much of Olympic’s code resembles that of viruses generated
with VCL, up to the point of the standard VCL-like note; a
short message in the end of the virus, which is not displayed
at all. The virus’ note text reads: ‘Olympic Aid(s) `94 (c)
The Penetrator’. This virus is probably based on VCL-
created code, modified to avoid detection by some scanners.
As the virus displays a picture before starting to overwrite
the disk, aware computer users might be able to switch the
machine off before the virus has a chance to overwrite data
areas, making recovery much easier.



Using Hashtags Correctly Posted by Sean @ 11:33 GMT

So Timo Laaksonen, head of our Content Cloud business, asked for a BIG #hashtag campaign for younited and this is what he got…

Just kidding. (Mostly.)

One never knows what's going to show up in our HQ's lobby these days.


Thursday, February 6, 2014

Silicon Plagues Posted by Sean @ 14:35 GMT

Every academic year since 1986, Darwin College (University of Cambridge) holds a series of eight public lectures. The theme of this year's series is: Plagues. Recently, Mikko presented the third lecture: Silicon Plagues.

Silicon Plagues

The lecture covers 28 years of computer virus history.

The lecture is now available online, as well as via several download options.

Silicon Plagues, Available Formats
Video & Audio


Tuesday, February 4, 2014

FISA Transparency Posted by Sean @ 18:54 GMT

On February 3rd, Facebook, Google, LinkedIn, Microsoft (including Skype), and Yahoo posted summaries of Foreign Intelligence Surveillance Act (FISA) requests made by the US Government.

US DOJ's FISA reporting

Deputy Attorney General James M. Cole:

"Pursuant to my discussions with you over the last month, this letter memorializes the new and additional ways in which the government will permit your company to report data concerning requests for customer information. We are sending this in connection with the Notice we filed with the Foreign Intelligence Surveillance Court today." [Source]

The numbers "permitted" are severely limited — to ranges of 1000; or 250 if National Security Letters (NSL) are combined with FISA court requests in aggregate.

Oh, and nothing about "new capabilities" can be reported for two years.

US DOJ, FISA, New Capability Order

That seems like a pretty huge loophole, doesn't it?

All of the companies involved claim they want to say more. As Google states in its summary: "Specifically, we want to disclose the precise numbers and types of requests we receive, as well as the number of users they affect in a timely way."

Here's a fun thought experiment…

What do you suppose would happen if European countries passed transparency reporting laws requiring what Google says it wants to be permitted?